From kevin at atomicgears.com Sat Jun 1 04:14:56 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Fri, 31 May 2002 11:14:56 -0700
Subject: privsep patch, Please test (take 2)
Message-ID: <20020531181456.GB1707@jenny.crlsca.adelphia.net>

Can we use Ralf Engelschall's mm library here? It sure seems like we're reinventing all the portable work that's gone into that. If it could be used upstream, life would be much easier.

From austin at coremetrics.com Sat Jun 1 04:51:00 2002
From: austin at coremetrics.com (Austin Gonyou)
Date: 31 May 2002 13:51:00 -0500
Subject: (no subject)
In-Reply-To: <2BB73D0BED687449BA36B05B1C5FA9F4392332@exchange2000.dts.intra>
References: <2BB73D0BED687449BA36B05B1C5FA9F4392332@exchange2000.dts.intra>
Message-ID: <1022871060.13701.2.camel@UberGeek>

So does ssh -X hostname work, and allow forward?

On Fri, 2002-05-31 at 07:07, Kerl, Andreas wrote:
> Hello,
> I've got the problem that the DISPLAY variable is not set when I
> connect to sshd.
> X-Forward is active.
> I think I tested all configurations but it doesn't work.
> Sorry :-)
> Solaris 8 openssh 3.2.3
>
> Andreas Kerl
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-698-7250
email: austin at coremetrics.com

"One ought never to turn one's back on a threatened danger and try to run away from it. If you do that, you will double the danger. But if you meet it promptly and without flinching, you will reduce the danger by half."
Sir Winston Churchill

From mouring at etoh.eviladmin.org Sat Jun 1 05:08:59 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 31 May 2002 14:08:59 -0500 (CDT)
Subject: privsep patch, Please test (take 2)
In-Reply-To: <20020531181456.GB1707@jenny.crlsca.adelphia.net>

Not sure who Ralf Engelschall is. And not sure if a mm library will improve the fact that we still have to detect bad mmap().

- Ben

On Fri, 31 May 2002, Kevin Steves wrote:
> can we use Ralf Engelschall's mm library here? it sure seems like
> we're reinventing all the portable work that's gone into that. if it
> could be used upstream, life would be much easier.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From jmknoble at pobox.com Sat Jun 1 05:48:23 2002
From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 31 May 2002 15:48:23 -0400
Subject: privsep patch, Please test (take 2)
In-Reply-To: ; from mouring@etoh.eviladmin.org on Fri, May 31, 2002 at 02:08:59PM -0500
References: <20020531181456.GB1707@jenny.crlsca.adelphia.net>
Message-ID: <20020531154823.K14977@zax.half.pint-stowp.cx>

Circa 2002-May-31 14:08:59 -0500 dixit Ben Lindstrom:

: Not sure who Ralf Engelschall is.

http://www.engelschall.com/ho/rse/

: And not sure if a mm library will improve the fact that we still
: have to detect bad mmap().

http://www.engelschall.com/sw/mm/

Apache/mod_ssl uses libmm to do shared memory stuff.

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

From mouring at etoh.eviladmin.org Sat Jun 1 06:30:31 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 31 May 2002 15:30:31 -0500 (CDT)
Subject: privsep patch, Please test (take 2)
In-Reply-To: <20020531154823.K14977@zax.half.pint-stowp.cx>

On Fri, 31 May 2002, Jim Knoble wrote:
> Circa 2002-May-31 14:08:59 -0500 dixit Ben Lindstrom:
>
> : Not sure who Ralf Engelschall is.
>
> http://www.engelschall.com/ho/rse/

Found his website and remember who it was.

> : And not sure if a mm library will improve the fact that we still
> : have to detect bad mmap().
>
> http://www.engelschall.com/sw/mm/
>
> Apache/mod_ssl uses libmm to do shared memory stuff.

IIRC his mm code was embedded in Apache 2.0. Something I don't think we want to do. So I'm not sure how useful it will be to us. People complain already that they have to get OpenSSL and libz.

- Ben

From info at ninosdepapel.org Sat Jun 1 06:53:33 2002
From: info at ninosdepapel.org (info at ninosdepapel.org)
Date: 31 May 2002 15:53:33 -0500
Subject: Cartagena has its own Delights with a Purpose
Message-ID: <200205311657609.SM00179@ninosdepapel.org>
From andreas.kerl at dts.de Sat Jun 1 08:05:39 2002
From: andreas.kerl at dts.de (Kerl, Andreas)
Date: Sat, 1 Jun 2002 00:05:39 +0200
Subject: (no subject)X-forward
Message-ID: <2BB73D0BED687449BA36B05B1C5FA9F4392334@exchange2000.dts.intra>

No, "ssh -X hostname" doesn't work.

But when you "export DISPLAY=..." it works!?

I set the Display Hack so that I can see my IP with "env" or "echo SSH_CLIENT" when I'm connected via VPN tunnel and don't know my IP in the net I'm connected through.

Andreas Kerl
-----------------------------------------
DTS Medien GmbH
Heidestrasse 38
32051 Herford

Tel: +49-5221-1011082
Fax: +49-5221-1012001

mailto: andreas.kerl at dts.de
pgp-id:0xCE58889B
web: www.dts.de
-----------------------------------------

-----Original Message-----
From: Austin Gonyou [mailto:austin at coremetrics.com]
Sent: Friday, May 31, 2002 8:51 PM
To: Kerl, Andreas
Cc: openssh-unix-dev at mindrot.org
Subject: Re: (no subject)

so does ssh -X hostname work, and allow forward?

From jos at catnook.com Sat Jun 1 09:23:38 2002
From: jos at catnook.com (Jos Backus)
Date: Fri, 31 May 2002 16:22:38 -0701
Subject: Updated ssh-agent authentication retry patch available
Message-ID: <20020531232300.GB97603@lizzy.catnook.com>

This patch against OpenSSH 3.2.3p1 implements an ssh-agent authentication retry mechanism which is useful when starting many ssh clients in a short period of time. The number of retries and the maximum delay between retries is runtime-configurable using

    AuthMaxRetries
    AuthRetryDelay

The patch is available at:

    http://www.catnook.com/patches/openssh-3.2.3p1-auth-retry.patch

While I have no hopes of this being merged into the main OpenSSH distribution, perhaps other people may find it useful. Comments welcome.

--
Jos Backus
Santa Clara, CA
jos at catnook.com
use Std::Disclaimer;

From austin at coremetrics.com Sun Jun 2 06:16:49 2002
From: austin at coremetrics.com (Austin Gonyou)
Date: 01 Jun 2002 15:16:49 -0500
Subject: (no subject)X-forward
In-Reply-To: <2BB73D0BED687449BA36B05B1C5FA9F4392334@exchange2000.dts.intra>
References: <2BB73D0BED687449BA36B05B1C5FA9F4392334@exchange2000.dts.intra>
Message-ID: <1022962609.18511.16.camel@UberGeek>

From andreas.kerl at dts.de Sun Jun 2 06:44:58 2002
From: andreas.kerl at dts.de (Kerl, Andreas)
Date: Sat, 1 Jun 2002 22:44:58 +0200
Subject: (no subject)X-forward
Message-ID: <2BB73D0BED687449BA36B05B1C5FA9F4392337@exchange2000.dts.intra>

To get my IP is not the problem.
The problem is the sshd. I built it (Solaris 8) and X-forward is enabled, but the DISPLAY variable is not set when connecting to it (with "ssh -X hostname").
When you set it manually, X is working.

Andreas Kerl
-----------------------------------------
DTS Medien GmbH
Heidestrasse 38
32051 Herford

Tel: +49-5221-1011082
Fax: +49-5221-1012001

mailto: andreas.kerl at dts.de
pgp-id:0xCE58889B
web: www.dts.de
-----------------------------------------

-----Original Message-----
From: Austin Gonyou [mailto:austin at coremetrics.com]
Sent: Saturday, June 01, 2002 10:17 PM
To: Kerl, Andreas
Cc: openssh-unix-dev at mindrot.org
Subject: RE: (no subject)X-forward

From rdawes at mweb.co.za Mon Jun 3 02:54:12 2002
From: rdawes at mweb.co.za (Rogan Dawes)
Date: Sun, 2 Jun 2002 18:54:12 +0200
Subject: (no subject)X-forward
References: <2BB73D0BED687449BA36B05B1C5FA9F4392337@exchange2000.dts.intra>
Message-ID: <001601c20a56$2a6c48c0$627f1ec4@rampage>

First question for me is: Is your DISPLAY set on your client session? i.e.

    echo Local display is $DISPLAY
    ssh -X Sol8box echo Remote display is $DISPLAY

If you don't have a DISPLAY set before connecting, even if you tell ssh to set it, it doesn't know what to set it to!

The first echo should show something like:

    Local display is :0.0

The second echo should show something like:

    Remote display is 127.0.0.1:10.0

and a netstat -na should show something listening on port localhost:6010, or thereabouts.

Hope that helps.

Rogan

----- Original Message -----
From: "Kerl, Andreas"
To:
Cc: "Austin Gonyou"
Sent: Saturday, June 01, 2002 10:44 PM
Subject: RE: (no subject)X-forward

To get my IP is not the problem.
The problem is the sshd. I built it (Solaris 8) and X-forward is enabled, but the DISPLAY variable is not set when connecting to it (with "ssh -X hostname").
When you set it manually, X is working.

Andreas Kerl

From mhw at wittsend.com Mon Jun 3 07:39:47 2002
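The two DISPLAY values Rogan compares above encode the whole diagnosis of this thread, so here is an added example (not code from any of the posts) that parses them and returns the verdict the replies arrive at. It assumes the X11 convention that display number N is reached on TCP port 6000 + N (so the post's "127.0.0.1:10.0" maps to localhost:6010); the sample DISPLAY strings in the comments are constructed. One caveat the post's second command glosses over: `$DISPLAY` on that line is expanded by the local shell unless it is quoted, so quote it to see the remote value.

```python
"""Diagnose ssh -X DISPLAY handling from the client and server values."""
import re

X11_BASE_PORT = 6000
# host may be empty (":0.0"), display is required, screen is optional
_DISPLAY_RE = re.compile(r"^(?P<host>[^:]*):(?P<display>\d+)(?:\.(?P<screen>\d+))?$")


def parse_display(display):
    """Split a DISPLAY string into (host, display_number, screen).

    host is '' for a local display such as ':0.0'. Returns None for an
    unset or malformed value.
    """
    if not display:
        return None
    m = _DISPLAY_RE.match(display.strip())
    if not m:
        return None
    screen = int(m.group("screen")) if m.group("screen") is not None else 0
    return m.group("host"), int(m.group("display")), screen


def x11_tcp_port(display):
    """TCP port an X client uses for a display reached over the network.

    Returns None for a local display (empty host part), which X clients
    normally reach through a unix socket rather than TCP.
    """
    parsed = parse_display(display)
    if parsed is None or parsed[0] == "":
        return None
    return X11_BASE_PORT + parsed[1]


def diagnose(local_display, remote_display):
    """Reproduce the thread's reasoning about where forwarding breaks.

    local_display:  $DISPLAY in the shell that runs 'ssh -X' (e.g. ':0.0')
    remote_display: $DISPLAY in the resulting login shell on the server
                    (e.g. '127.0.0.1:10.0' when sshd created a proxy display)
    """
    if parse_display(local_display) is None:
        # The client must know its own display to accept the server's X11
        # channel requests, so ssh has nowhere to relay X traffic to.
        return "client: DISPLAY is unset or malformed; ssh -X cannot forward"
    remote = parse_display(remote_display)
    if remote is None:
        # sshd either lacks X11 support or has X11Forwarding turned off in
        # sshd_config, so no proxy display was created for the session.
        return "server: sshd did not set DISPLAY; check X11Forwarding in sshd_config"
    port = x11_tcp_port(remote_display)
    if port is None:
        # A remote DISPLAY like ':0.0' names an X server on the remote box,
        # not the ssh proxy display; that is not forwarding either.
        return "server: DISPLAY names a local X server, not an ssh proxy display"
    return "ok: proxy display %s, sshd should be listening on localhost:%d" % (
        remote_display, port)
```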
From: mhw at wittsend.com (Michael H. Warfield)
Date: Sun, 2 Jun 2002 17:39:47 -0400
Subject: How do I find the client key?
Message-ID: <20020602213947.GA30201@alcove.wittsend.com>

All,

This may be a simple question, but I can't find the answer...

The situation... Client "C" connects to server "S". On server "S" I can find the client IP (IPv6) address in the SSH_CLIENT environment variable. I also need the client public key. On the client side, the public key ends up added to .ssh/known_hosts but what happens on the server side? I need to retrieve this key to validate the entry of a host name against a table of hosts which have previously contacted me (on possibly other IP addresses) so I can reject requests for names from keys which have changed. I'm trying to deal with some dynamic address problems.

I might deal with this through SSL (stunnel) and use certificates instead of SSH, but thought that SSH would save me some app coding and the clients would then already exist (I don't want to have to create and distribute and support a custom client app on all platforms).

A GROSS solution would be to "ssh" back to the client and abort the connection after getting the key, but that's a butt-ugly hack that won't work across firewalls and won't work with client-only systems (Windows) and I figure there has got to be some better way.

Anyone with some thoughts?

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

From stuge at cdy.org Mon Jun 3 09:11:45 2002
From: stuge at cdy.org (Peter Stuge)
Date: Mon, 3 Jun 2002 01:11:45 +0200
Subject: How do I find the client key?
In-Reply-To: <20020602213947.GA30201@alcove.wittsend.com>; from mhw@wittsend.com on Sun, Jun 02, 2002 at 05:39:47PM -0400
References: <20020602213947.GA30201@alcove.wittsend.com>
Message-ID: <20020603011145.B20647@foo.birdnet.se>

On Sun, Jun 02, 2002 at 05:39:47PM -0400, Michael H. Warfield wrote:
> On server "S" I can find the client IP (IPv6) address in the
> SSH_CLIENT environment variable. I also need the client public key.
> On the client side, the public key ends up added to .ssh/known_hosts
> but what happens on the server side? I need to retrieve this key
> to validate the entry of a host name against a table of hosts which
> have previously contacted me (on possibly other IP addresses) so I
> can reject requests for names from keys which have changed. I'm
> trying to deal with some dynamic address problems.

Try to set it up so that you already have the public key and use that for authorization? That way you won't have to worry about addresses.

Keys identify hosts, not IP(v*) addresses. And public keys are just that, public. Even if it feels a bit awkward, you're really supposed to distribute your public key as much as possible.

If you can't distribute keys in advance I guess you're out of luck, but then the system won't be quite as secure either..

Just some .02..

//Peter

From mhw at wittsend.com Mon Jun 3 10:52:41 2002
From: mhw at wittsend.com (Michael H. Warfield)
Date: Sun, 2 Jun 2002 20:52:41 -0400
Subject: How do I find the client key?
In-Reply-To: <20020603011145.B20647@foo.birdnet.se>
References: <20020602213947.GA30201@alcove.wittsend.com> <20020603011145.B20647@foo.birdnet.se>
Message-ID: <20020603005241.GA8151@alcove.wittsend.com>

On Mon, Jun 03, 2002 at 01:11:45AM +0200, Peter Stuge wrote:
> On Sun, Jun 02, 2002 at 05:39:47PM -0400, Michael H. Warfield wrote:
> > On server "S" I can find the client IP (IPv6) address in the
> > SSH_CLIENT environment variable. I also need the client public key.
> > On the client side, the public key ends up added to .ssh/known_hosts
> > but what happens on the server side? I need to retrieve this key
> > to validate the entry of a host name against a table of hosts which
> > have previously contacted me (on possibly other IP addresses) so I
> > can reject requests for names from keys which have changed. I'm
> > trying to deal with some dynamic address problems.

> Try to set it up so that you already have the public key and use that for
> authorization? That way you won't have to worry about addresses.

> Keys identify hosts, not IP(v*) addresses. And public keys are just that,
> public. Even if it feels a bit awkward, you're really supposed to
> distribute your public key as much as possible.

Ok... I guess I need to explain myself a little better.

This is my point. This is where I'm trying to get to. I'm trying to set up a "Site Local" service for managing IPv6 DNS. I want a system to connect in on a "Site Local" (fce0::/48) address (and ONLY a SITE LOCAL address, Link Local and Global Scope prohibited) and allow him to enter his host name. I crack the SLA and EUI out of the site local address and confirm his "name" (simple host name) against a table of known host names I have stored. If he enters a name and I have that name with a different key, I want to send him to a system administrator.
If I don't have that name, or if the name matches the key, I want to dynamically update the IPv6 global domain (I already have the TLA/NLA for that) and the Site local domain and the ip6.int reverse domain based on the synthesized global address. The key is the correlation between an entered name and that public key. As long as I know that name and key, I can accept those updates. Since the EUI is connected to the MAC address, changes will be mostly moving between subnets (change in SLA - think laptops) or replacement of the ethernet card (change in EUI - hmmm - also think laptops).

> If you can't distribute keys in advance I guess you're out of luck, but then
> the system won't be quite as secure either..

It's not a security issue other than trying to correlate collisions in namespace for an IPv6 zone. It's strictly a management thing. I want people to be able to register IPv6 systems and be able to tell them "I have that name registered and you don't have the key, so go talk to somebody" and reduce the chances of some ta-da-ta-da clobbering someone else's registration. As they say... Da key is da key. That's why I want to get to the key independent of the IP(v6) address he's connecting from.

I might even take it one step further and add that key to the DNS itself in a key resource record, but I'm ambivalent about if I want to go down that road.

I also realize I have to deal with dsa/rsa/rsa1 ambiguities. Ok, he registered with a DSA key and now wants to update with an RSA key. Now what do I do. Answer... Punt. Punt means talk to a sysadmin. If that only happens 1 out of 100 times, that's 99 times the sysadmin doesn't have to worry about screwing with the IPv6 DNS.

That's all I'm caring about right now. Setting up a semi-automated DNS updater for IPv6 to eliminate a lot of error prone manual entry.

Oh...
The way it's set up now, I can also change the TLA/NLA (change providers) and update the DNS with a single command (other than setting up a new reverse zone - but there's no way around that). The routers will handle the renumbering of the hosts. DNS is still the ugly part.

> Just some .02..
> //Peter
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

Mike

From zacheiss at MIT.EDU Mon Jun 3 13:57:26 2002
From: zacheiss at MIT.EDU (Garry Zacheiss)
Date: Sun, 02 Jun 2002 23:57:26 -0400
Subject: [PATCH] Add config option disabling drop_connection() behavior
Message-ID: <200206030357.XAA17522@riff-raff.mit.edu>

>> I'd rather see the following applied before yours. Mainly because
>> I don't want 'Yet another Fine Option' floating around. Plus
>> it touches less code and acts the way 90% of what people expect.
>>
>> The more options you provide the more chances someone will fuck up.
>> Besides this follows the KISS concept. =)
>>
>> - Ben

The patch you propose would be fine with me; I'm not particularly wedded to the way I implemented it as much as I want the functionality, and would prefer to have it in OpenSSH rather than keeping it as a local modification. Can we expect to see your proposed patch applied to the openssh tree?

Garry

From bugzilla-daemon at mindrot.org Mon Jun 3 15:21:56 2002
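Michael Warfield's registration scheme in the thread above (crack the SLA and EUI out of the site-local source address, then accept, register or punt on the name/key pair) as an added example; this is not his code. Assumptions: the RFC 3513 site-local prefix fec0::/10 (the post writes fce0::/48), "SLA" meaning the 16-bit subnet field in bits 48-63, "EUI" meaning the low 64 bits as a modified EUI-64 built from the MAC address, and the registry entries and key strings in the comments being constructed sample data rather than real keys.

```python
"""Site-local IPv6 name registration: address checks and the accept/punt rule."""
import ipaddress

SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")   # assumption: RFC 3513 site-local


def is_site_local_source(text):
    """True only for a syntactically valid address inside fec0::/10.

    Link-local (fe80::/10) and global-scope sources are rejected, as the
    post wants: only a site-local peer may register a name.
    """
    try:
        return ipaddress.IPv6Address(text) in SITE_LOCAL
    except ValueError:
        return False


def split_site_local(text):
    """Return (sla, eui64) for a site-local address, else raise ValueError."""
    addr = ipaddress.IPv6Address(text)
    if addr not in SITE_LOCAL:
        raise ValueError("not a site-local address: %s" % addr)
    n = int(addr)
    sla = (n >> 64) & 0xFFFF            # bits 48-63: subnet (SLA) ID
    eui64 = n & 0xFFFFFFFFFFFFFFFF      # bits 64-127: interface identifier
    return sla, eui64


def eui64_to_mac(eui64):
    """Recover the MAC address a modified EUI-64 interface ID came from.

    Modified EUI-64 inserts ff:fe between the OUI and the device part and
    flips the universal/local bit of the first byte; undo both. Returns
    None when ff:fe is absent (a manually assigned or privacy identifier),
    which is exactly the "changed EUI" case the post says to punt on.
    """
    b = eui64.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join("%02x" % x for x in mac)


def registration_decision(registry, name, key_type, key):
    """Apply the post's rule for a (name, key) pair.

    registry maps host name -> (key_type, key) and is updated in place.
    Returns one of:
      'register'  name unknown: record it and allow the DNS update
      'update'    same name, same key: allow the DNS update
      'punt'      same name but another key, or the key type changed:
                  hand over to a sysadmin instead of clobbering the entry
    """
    entry = registry.get(name)
    if entry is None:
        registry[name] = (key_type, key)
        return "register"
    known_type, known_key = entry
    if known_type != key_type:
        return "punt"      # registered with DSA, now presenting RSA: ask a human
    if known_key != key:
        return "punt"      # name collision with a different key
    return "update"
```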
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 3 Jun 2002 15:21:56 +1000 (EST)
Subject: [Bug 262] New: ssh fails when run by cron.
Message-ID: <20020603052156.CF5C0E924@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=262

           Summary: ssh fails when run by cron.
           Product: Portable OpenSSH
           Version: 3.0.2p1
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: glen.lapham at ncr.com

I'm running OpenSSH v3.0.2 on MP-RAS. I am having problems running ssh by cron. I can run a script from the command line which executes ssh and does a simple 'who' on the remote system (running OpenSSH v3.1). The script is:

    /usr/local/bin/ssh "who"

When I run it from cron, I get the error:

    select: No such device or address

I turn DEBUG3 on and get the following just before the above error:

    debug3: channel_close_fds: channel 0: r 6 w 7 e 8
    debug1: fd 0 clearing O_NONBLOCK
    debug1: fd 1 clearing O_NONBLOCK
    debug2: fd 2 is not O_NONBLOCK

It seems to be a file descriptor problem when it is freeing fds. In the crontab, I have tried /usr/bin/ksh and /usr/bin/-ksh. Same thing happens. Have also tried v3.2.2 and used the -T option. No luck. Has anyone encountered this before on any OS?

Glen

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From joachim.falk at gmx.de Mon Jun 3 15:45:22 2002
From: joachim.falk at gmx.de (Joachim Falk)
Date: Mon, 3 Jun 2002 07:45:22 +0200 (CEST)
Subject: [PATCH] forwarding environment vars ala RFC2026

I have coded a patch which allows to forward environment variables from the client to the server. To specify forwarding in your ssh client add the option

    ForwardEnv varname          # forward varname with value
                                # as in environment of the
                                # ssh client. If variable is
                                # not defined in the environment
                                # of the ssh client nothing will
                                # be forwarded.
    ForwardEnv varname=value    # forward varname with value
    UnforwardEnv varname        # override ForwardEnv in
                                # /etc/ssh/ssh_config

to your ssh_config file. The patch must be applied on top of the openssh-3.2.3p1-gssapi-20020527.diff patch. Location is

    http://home.t-online.de/home/joachim_falk/openssh-3.2.3p1-forwardenv.diff

WARNING: This patch has only been tested on my linux system.

Best regards
Joachim Falk
--

From stuge at cdy.org Mon Jun 3 22:52:13 2002
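An added model (not the patch's own code) of the ForwardEnv/UnforwardEnv semantics Joachim describes above: a bare `ForwardEnv NAME` sends the client's value only if NAME is set, `ForwardEnv NAME=VALUE` sends VALUE, and `UnforwardEnv NAME` in the user's file cancels a system-wide ForwardEnv. It assumes the usual ssh_config reading order (the user's file before /etc/ssh/ssh_config, first setting of a name wins); the config text and client environment are constructed sample input, and the server-side allowlist filter is an added caveat, not part of the patch.

```python
"""Resolve which environment variables a ForwardEnv configuration would send."""


def parse_config(text):
    """Yield (option, argument) pairs from ssh_config-style text.

    Comments and blank lines are skipped; keyword and argument are
    separated by whitespace.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        option = parts[0]
        argument = parts[1].strip() if len(parts) > 1 else ""
        yield option, argument


def resolve_forwarded_env(user_config, system_config, client_env):
    """Return the {name: value} mapping the client would offer the server.

    The user's file is processed first, then the system file, so an
    UnforwardEnv in ~/.ssh/config blocks a ForwardEnv for the same name
    in /etc/ssh/ssh_config, and the first ForwardEnv for a name wins.
    """
    forwarded = {}
    blocked = set()
    directives = list(parse_config(user_config)) + list(parse_config(system_config))
    for option, argument in directives:
        if option == "UnforwardEnv":
            blocked.add(argument)
        elif option == "ForwardEnv":
            name, has_value, value = argument.partition("=")
            if name in blocked or name in forwarded:
                continue
            if has_value:
                forwarded[name] = value          # explicit value from config
            elif name in client_env:
                forwarded[name] = client_env[name]
            # unset on the client and no explicit value: nothing is sent
    return forwarded


def filter_accepted(offered, accept):
    """Server side: keep only names the administrator explicitly allows.

    Anything the client may set (LD_PRELOAD, PATH, ...) would otherwise
    land in the login environment, so the safe default is an allowlist
    that admits nothing it does not name.
    """
    return {k: v for k, v in offered.items() if k in accept}
```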
From: stuge at cdy.org (Peter Stuge)
Date: Mon, 3 Jun 2002 14:52:13 +0200
Subject: How do I find the client key?
In-Reply-To: <20020603005241.GA8151@alcove.wittsend.com>; from mhw@wittsend.com on Sun, Jun 02, 2002 at 08:52:41PM -0400
References: <20020602213947.GA30201@alcove.wittsend.com> <20020603011145.B20647@foo.birdnet.se> <20020603005241.GA8151@alcove.wittsend.com>
Message-ID: <20020603145212.A24508@foo.birdnet.se>

On Sun, Jun 02, 2002 at 08:52:41PM -0400, Michael H. Warfield wrote:
> > > On server "S" I can find the client IP (IPv6) address in the
> > > SSH_CLIENT environment variable. I also need the client public key.
>
> > Try to set it up so that you already have the public key and use that for
> > authorization? That way you won't have to worry about addresses.
>
> Ok... I guess I need to explain myself a little better.

Aha! I had a feeling that you were doing something a lot more complicated than I thought. :)

It is a very cool idea but unfortunately I suck at IPv6 so I'm not of any help. Maybe some of the other people on this list have some good ideas..

//Peter

From austin at coremetrics.com Tue Jun 4 02:31:44 2002
From: austin at coremetrics.com (Austin Gonyou)
Date: 03 Jun 2002 11:31:44 -0500
Subject: (no subject)X-forward
In-Reply-To: <2BB73D0BED687449BA36B05B1C5FA9F4392337@exchange2000.dts.intra>
References: <2BB73D0BED687449BA36B05B1C5FA9F4392337@exchange2000.dts.intra>
Message-ID: <1023121904.31693.7.camel@UberGeek>

Well..you should *never* have to set the DISPLAY variable, because it *is* populated as something like :10 or so. Exporting the DISPLAY variable is *not* tunneling X.

On Sat, 2002-06-01 at 15:44, Kerl, Andreas wrote:
> To get my IP is not the problem.
> The problem is the sshd. I built it (Solaris 8) and X-forward is enabled,
> but the DISPLAY variable is not set when connecting to it (with "ssh -X
> hostname").
> When you set it manually, X is working.
>
> Andreas Kerl
>
> -----Original Message-----
> From: Austin Gonyou [mailto:austin at coremetrics.com]
> Sent: Saturday, June 01, 2002 10:17 PM
> To: Kerl, Andreas
> Cc: openssh-unix-dev at mindrot.org
> Subject: RE: (no subject)X-forward
>
> From the sounds of it, the remote sshd may not have any support for X
> forwarding at all, or it's been turned off in /etc/ssh/sshd_config.
>
> To find out your IP that you're coming from, use www.whatismyip.com; it
> will tell you what your IP is. Either that or who -l should show you
> as well, when you're ssh'd into the system (the one that the VPN is
> talking to).
From Nicolas.Williams at ubsw.com Tue Jun 4 03:07:08 2002
From: Nicolas.Williams at ubsw.com (Nicolas.Williams at ubsw.com)
Date: Mon, 3 Jun 2002 13:07:08 -0400
Subject: (no subject)X-forward
Message-ID: <9403F8EE868566448AA1B70D8F783C95334F67@NSTMC004PEX1.ubsgs.ubsgroup.net>

The OpenSSH client needs to know the LOCAL display name in order to accept X11 forwarding requests from the remote SSH end and to know where to relay X11 traffic to. That's why the DISPLAY variable MUST be set on the client side for X11 forwarding to work.

Nico
--

> -----Original Message-----
> From: Austin Gonyou [mailto:austin at coremetrics.com]
> Sent: Monday, June 03, 2002 12:32 PM
> To: Kerl, Andreas
> Cc: openssh-unix-dev at mindrot.org
> Subject: RE: (no subject)X-forward
>
> Well..you should *never* have to set the DISPLAY variable, because it
> *is* populated as something like :10 or so. exporting the DISPLAY
> variable is *not* tunneling X.
> > From: Austin Gonyou [mailto:austin at coremetrics.com] > > Sent: Saturday, June 01, 2002 10:17 PM > > To: Kerl, Andreas > > Cc: openssh-unix-dev at mindrot.org > > Subject: RE: (no subject)X-forward > > > > > > From the sounds of it, the remote sshd may not have any support for > > X > > forwarding at all, or it's been turned off in /etc/ssh/sshd_config. > > > > To find out you're IP that you're coming from, use > > www.whatismyip.com it > > will tell you what you're IP is. Either that or who -l should show > > you > > as well, when you're ssh'd into the system.(the one that the VPN is > > talking to) > > > > > > > > On Fri, 2002-05-31 at 17:05, Kerl, Andreas wrote: > > > No "ssh -X hostname" doesn't work. > > > > > > But when you "export DISPLAY=..." it works!? > > > > > > I set the the Display Hack so that I can see my IP with "env" or > > "echo > > > SSH_CLIENT" when I'm connect via VPN-Tunnel and I don't know my IP > > > in > > > the Net I'm connected through. > > > > > > > > > > > > Andreas Kerl > > > > > > ----------------------------------------- > > > DTS Medien GmbH > > > Heidestrasse 38 > > > 32051 Herford > > > > > > Tel: +49-5221-1011082 > > > Fax: +49-5221-1012001 > > > > > > mailto: andreas.kerl at dts.de > > > pgp-id:0xCE58889B > > > web: www.dts.de > > > ----------------------------------------- > > > > > > > > > -----Original Message----- 
> > > From: Austin Gonyou [mailto:austin at coremetrics.com]
> > > Sent: Friday, May 31, 2002 8:51 PM
> > > To: Kerl, Andreas
> > > Cc: openssh-unix-dev at mindrot.org
> > > Subject: Re: (no subject)
> > >
> > > So does ssh -X hostname work, and allow forward?
> > >
> > > On Fri, 2002-05-31 at 07:07, Kerl, Andreas wrote:
> > > > Hello,
> > > > I've got the problem that the DISPLAY variable is not set when I
> > > > connect to sshd.
> > > > X-Forward is active.
> > > > I think I tested all configurations but it doesn't work.
> > > > Sorry :-)
> > > > Solaris 8 openssh 3.2.3
> > > >
> > > > Andreas Kerl
> > > >
> > > > _______________________________________________
> > > > openssh-unix-dev at mindrot.org mailing list
> > > > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> > > --
> > > Austin Gonyou
> > > Systems Architect, CCNA
> > > Coremetrics, Inc.
> > > Phone: 512-698-7250
> > > email: austin at coremetrics.com
> > >
> > > "One ought never to turn one's back on a threatened danger and
> > > try to run away from it. If you do that, you will double the danger.
> > > But if you meet it promptly and without flinching, you will
> > > reduce the danger by half."
> > > Sir Winston Churchill
> > --
> > Austin Gonyou
> > Systems Architect, CCNA
> > Coremetrics, Inc.
> > Phone: 512-698-7250
> > email: austin at coremetrics.com
> >
> > "One ought never to turn one's back on a threatened danger and
> > try to run away from it. If you do that, you will double the danger.
> > But if you meet it promptly and without flinching, you will
> > reduce the danger by half."
> > Sir Winston Churchill
> --
> Austin Gonyou
> Systems Architect, CCNA
> Coremetrics, Inc.
> Phone: 512-698-7250
> email: austin at coremetrics.com
>
> "One ought never to turn one's back on a threatened danger and
> try to run away from it. If you do that, you will double the danger.
> But if you meet it promptly and without flinching, you will
> reduce the danger by half."
> Sir Winston Churchill

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and delete
this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as
information could be intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses. The sender therefore does not accept
liability for any errors or omissions in the contents of this message which
arise as a result of e-mail transmission. If verification is required please
request a hard-copy version. This message is provided for informational
purposes and should not be construed as a solicitation or offer to buy or
sell any securities or related financial instruments.

From bugzilla-daemon at mindrot.org Tue Jun 4 05:46:44 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 4 Jun 2002 05:46:44 +1000 (EST)
Subject: [Bug 188] pam_chauthtok() is called too late
Message-ID: <20020603194644.8003CE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=188

------- Additional Comments From stevesk at pobox.com  2002-06-04 05:46 -------
20020426
 - (djm) Disable PAM password expiry until a complete fix for bug #188 exists

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Darren.Moffat at Sun.COM Tue Jun 4 06:38:28 2002
From: Darren.Moffat at Sun.COM (Darren Moffat)
Date: Mon, 3 Jun 2002 13:38:28 -0700 (PDT)
Subject: Openssh still logs in while passwd is locked
Message-ID: <200206032039.g53KdP6U915817@jurassic.eng.sun.com>

>What else is special besides "*LK*" (I'm wondering about "NP")?

*LK* is explicitly checked for in pam_unix_account in S9. NP is used for
some of the default accounts - I need to work out why (I think it is just
history) they use NP rather than *LK*.

>How exactly does ``passwd -sa'' determine LK status? Are there
>issues with/without /etc/shadow (I see pwconv(1M) for example)?

I've just discovered that passwd -sa is a tad broken - I'll log a bug and
get it fixed. If there is no password it prints NP, else if the password
field is non-zero but less than 13 it prints LK, else it prints PS (meaning
there is a password).

--
Darren J Moffat

From andreas.kerl at dts.de Tue Jun 4 17:45:58 2002
From: andreas.kerl at dts.de (Kerl, Andreas)
Date: Tue, 4 Jun 2002 09:45:58 +0200
Subject: (no subject)X-forward
Message-ID: <2BB73D0BED687449BA36B05B1C5FA9F4392338@exchange2000.dts.intra>

Hello,

I think I must tell you the problem more clearly.

ssh -X Linuxhost_xy - there is an older sshd version I didn't build,
2.9.9p1, works!
ssh -X Solarishost - doesn't work (it's a 3.2.3p1 I built myself) because
the $DISPLAY is not automatically set when I connect to it.

The problem is not the X-Forwarding and how to get it working; the problem
is the new ssh version on Solaris 8 that will not set $DISPLAY!
I tested all options in sshd_config but nothing happened.

regards,
Andreas Kerl

From kevin at atomicgears.com Wed Jun 5 00:12:09 2002
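Darren Moffat's message above states two different rules for "locked": the length rule passwd -s applies to the password field (empty is NP, shorter than 13 characters is LK, otherwise PS) and the literal *LK* prefix that pam_unix_account checks. The following is an added example, my own code rather than anything from Sun or OpenSSH, that applies both rules to shadow-style lines so that the two views can be compared side by side. The function names (passwd_status, locked_by_prefix, shadow_report) and the sample entries are constructed; it deliberately does not read /etc/shadow itself but takes lines you have already extracted.

```shell
#!/bin/sh
# Added example (not Sun's passwd(1) or OpenSSH code). Classify the password
# field of a shadow entry the way Darren describes passwd -s doing it, and
# separately the way pam_unix_account decides an account is locked.

# passwd_status FIELD: NP if the field is empty, LK if it is shorter than
# 13 characters, otherwise PS (a password is set). Note that by this rule a
# literal "NP" field (2 characters) is reported as LK, not NP.
passwd_status() {
    field=$1
    if [ -z "$field" ]; then
        echo NP
    elif [ "${#field}" -lt 13 ]; then
        echo LK
    else
        echo PS
    fi
}

# locked_by_prefix FIELD: return 0 when the field begins with *LK*, which
# is the explicit check pam_unix_account performs.
locked_by_prefix() {
    case $1 in
        '*LK*'*) return 0 ;;
        *)       return 1 ;;
    esac
}

# shadow_report LINE: print "user status prefix-locked" for one shadow line
# (fields: name:password:lastchg:min:max:warn:inactive:expire:flag).
shadow_report() {
    user=${1%%:*}
    rest=${1#*:}
    field=${rest%%:*}
    if locked_by_prefix "$field"; then lk=yes; else lk=no; fi
    echo "$user $(passwd_status "$field") $lk"
}

# Constructed sample entries (not from a real system). The hash strings are
# placeholders of the right length, not real crypt(3) output.
samples='root:A1b2C3d4E5f6G:11842::::::
nobody:NP:6445::::::
listen:*LK*:6445::::::
dave:*LK*A1b2C3d4E5f6G:11842::::::
guest::11842::::::'

# Demo: "dave" is locked by prefix but shows PS under the length rule.
printf '%s\n' "$samples" | while IFS= read -r line; do
    shadow_report "$line"
done
```

The last sample is the interesting one for an auditor: a 13-character-or-longer field that starts with *LK* satisfies the PAM prefix check but not the passwd -s length rule, so the two tools disagree about whether the account is locked.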
From: kevin at atomicgears.com (Kevin Steves)
Date: Tue, 4 Jun 2002 07:12:09 -0700
Subject: (no subject)X-forward
In-Reply-To: <2BB73D0BED687449BA36B05B1C5FA9F4392338@exchange2000.dts.intra>
References: <2BB73D0BED687449BA36B05B1C5FA9F4392338@exchange2000.dts.intra>
Message-ID: <20020604141209.GA1596@jenny.crlsca.adelphia.net>

On Tue, Jun 04, 2002 at 09:45:58AM +0200, Kerl, Andreas wrote:
> I think I must tell you the problem more clearly.
> ssh -X Linuxhost_xy - there is an older sshd version I didn't build,
> 2.9.9p1, works!
> ssh -X Solarishost - doesn't work (it's a 3.2.3p1 I built myself)
> because the $DISPLAY is not automatically set when I connect to it.
>
> The problem is not the X-Forwarding and how to get it working; the
> problem is the new ssh version on Solaris 8 that will not set $DISPLAY!
> I tested all options in sshd_config but nothing happened.

Run sshd -d on sun, then ssh -v to sun host. I will guess the xauth
program is not found.

From andreas.kerl at dts.de Wed Jun 5 01:44:16 2002
From: andreas.kerl at dts.de (Kerl, Andreas)
Date: Tue, 4 Jun 2002 17:44:16 +0200
Subject: (no subject)X-forward
Message-ID: <2BB73D0BED687449BA36B05B1C5FA9F4392339@exchange2000.dts.intra>

Yeah that's it,
compiled with --with-xauth=...
and it works

Thank you very much.

Andreas Kerl

-----Original Message-----
From: Kevin Steves [mailto:kevin at atomicgears.com]
Sent: Tuesday, June 04, 2002 4:12 PM
To: Kerl, Andreas
Cc: Nicolas.Williams at ubsw.com; Austin Gonyou; openssh-unix-dev at mindrot.org; stevesk at pobox.com
Subject: Re: (no subject)X-forward

On Tue, Jun 04, 2002 at 09:45:58AM +0200, Kerl, Andreas wrote:
> I think I must tell you the problem more clearly.
> ssh -X Linuxhost_xy - there is an older sshd version I didn't build,
> 2.9.9p1, works!
> ssh -X Solarishost - doesn't work (it's a 3.2.3p1 I built myself)
> because the $DISPLAY is not automatically set when I connect to it.
>
> The problem is not the X-Forwarding and how to get it working; the
> problem is the new ssh version on Solaris 8 that will not set $DISPLAY!
> I tested all options in sshd_config but nothing happened.

Run sshd -d on sun, then ssh -v to sun host. I will guess the xauth
program is not found.

From kevin at atomicgears.com Wed Jun 5 01:47:55 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Tue, 4 Jun 2002 08:47:55 -0700
Subject: (no subject)X-forward
In-Reply-To: <2BB73D0BED687449BA36B05B1C5FA9F4392339@exchange2000.dts.intra>
References: <2BB73D0BED687449BA36B05B1C5FA9F4392339@exchange2000.dts.intra>
Message-ID: <20020604154755.GB1596@jenny.crlsca.adelphia.net>

On Tue, Jun 04, 2002 at 05:44:16PM +0200, Kerl, Andreas wrote:
> Yeah that's it,
> compiled with --with-xauth=...
> and it works

ok, great. configure detection for an xauth program is broken post
3.1 on solaris (for me it does not work on solaris 8), but i'm not
sure why.

can someone look into this?

From tim at multitalents.net Wed Jun 5 02:24:12 2002
From: tim at multitalents.net (Tim Rice)
Date: Tue, 4 Jun 2002 09:24:12 -0700 (PDT)
Subject: (no subject)X-forward
In-Reply-To: <20020604154755.GB1596@jenny.crlsca.adelphia.net>
Message-ID:

On Tue, 4 Jun 2002, Kevin Steves wrote:

> On Tue, Jun 04, 2002 at 05:44:16PM +0200, Kerl, Andreas wrote:
> > Yeah that's it,
> > compiled with --with-xauth=...
> > and it works
>
> ok, great. configure detection for an xauth program is broken post
> 3.1 on solaris (for me it does not work on solaris 8), but i'm not
> sure why.
>
> can someone look into this?

Hmm, works here.
...
tim at sun1 1% echo $DISPLAY
localhost:10.0
tim at sun1 2% uname -a
SunOS sun1 5.8 Generic_108528-14 sun4m sparc SUNW,SPARCstation-5
tim at sun1 3% env | grep SSH
SSH_CLIENT=192.168.34.65 34565 22
SSH_TTY=/dev/pts/3
...

Andreas, rerun configure without using the --with-xauth option and tell
me what "grep xauth config.log" says.

-- 
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net

From andreas.kerl at dts.de Wed Jun 5 03:11:23 2002
From: andreas.kerl at dts.de (Kerl, Andreas)
Date: Tue, 4 Jun 2002 19:11:23 +0200
Subject: (no subject)X-forward
Message-ID: <2BB73D0BED687449BA36B05B1C5FA9F439233B@exchange2000.dts.intra>

My System:

# uname -a
SunOS testsun 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10

Configured without "--with-xauth":

# grep xauth config.log
configure:15449: checking for xauth

Andreas Kerl

-----Original Message-----
From: Tim Rice [mailto:tim at multitalents.net]
Sent: Tuesday, June 04, 2002 6:24 PM
To: Kevin Steves
Cc: Kerl, Andreas; openssh-unix-dev at mindrot.org; stevesk at pobox.com
Subject: Re: (no subject)X-forward

On Tue, 4 Jun 2002, Kevin Steves wrote:

> On Tue, Jun 04, 2002 at 05:44:16PM +0200, Kerl, Andreas wrote:
> > Yeah that's it,
> > compiled with --with-xauth=...
> > and it works
>
> ok, great. configure detection for an xauth program is broken post
> 3.1 on solaris (for me it does not work on solaris 8), but i'm not
> sure why.
>
> can someone look into this?

Hmm, works here.
...
tim at sun1 1% echo $DISPLAY
localhost:10.0
tim at sun1 2% uname -a
SunOS sun1 5.8 Generic_108528-14 sun4m sparc SUNW,SPARCstation-5
tim at sun1 3% env | grep SSH
SSH_CLIENT=192.168.34.65 34565 22
SSH_TTY=/dev/pts/3
...

Andreas, rerun configure without using the --with-xauth option and tell
me what "grep xauth config.log" says.

-- 
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net

From tim at multitalents.net Wed Jun 5 03:18:32 2002
From: tim at multitalents.net (Tim Rice)
Date: Tue, 4 Jun 2002 10:18:32 -0700 (PDT)
Subject: (no subject)X-forward
In-Reply-To: <2BB73D0BED687449BA36B05B1C5FA9F439233B@exchange2000.dts.intra>
Message-ID:

On Tue, 4 Jun 2002, Kerl, Andreas wrote:

> My System:
>
> # uname -a
> SunOS testsun 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10
>
> Configured without "--with-xauth":
>
> # grep xauth config.log
> configure:15449: checking for xauth
>
> Andreas Kerl

Are you generating your own configure with autoconf or are you using a
configure from a tarball?

Look in config.log and see if you can see what is going wrong.

>
>
> -----Original Message-----
> From: Tim Rice [mailto:tim at multitalents.net]
> Sent: Tuesday, June 04, 2002 6:24 PM
> To: Kevin Steves
> Cc: Kerl, Andreas; openssh-unix-dev at mindrot.org; stevesk at pobox.com
> Subject: Re: (no subject)X-forward
>
> On Tue, 4 Jun 2002, Kevin Steves wrote:
>
> > On Tue, Jun 04, 2002 at 05:44:16PM +0200, Kerl, Andreas wrote:
> > > Yeah that's it,
> > > compiled with --with-xauth=...
> > > and it works
> >
> > ok, great. configure detection for an xauth program is broken post
> > 3.1 on solaris (for me it does not work on solaris 8), but i'm not
> > sure why.
> >
> > can someone look into this?
>
> Hmm, works here.
> ...
> tim at sun1 1% echo $DISPLAY
> localhost:10.0
> tim at sun1 2% uname -a
> SunOS sun1 5.8 Generic_108528-14 sun4m sparc SUNW,SPARCstation-5
> tim at sun1 3% env | grep SSH
> SSH_CLIENT=192.168.34.65 34565 22
> SSH_TTY=/dev/pts/3
> ...
>
> Andreas, rerun configure without using the --with-xauth option and tell
> me what "grep xauth config.log" says.
>
> --
> Tim Rice                Multitalents    (707) 887-1469
> tim at multitalents.net

From andreas.kerl at dts.de Wed Jun 5 03:27:45 2002
From: andreas.kerl at dts.de (Kerl, Andreas)
Date: Tue, 4 Jun 2002 19:27:45 +0200
Subject: (no subject)X-forward
Message-ID: <2BB73D0BED687449BA36B05B1C5FA9F439233C@exchange2000.dts.intra>

I use autoconf.
Before configure I make clean.

Config-log:

configure:15449: checking for xauth
configure:15482: result: no

But xauth is in /usr/openwin/bin

Andreas Kerl

-----Original Message-----
From: Tim Rice [mailto:tim at multitalents.net]
Sent: Tuesday, June 04, 2002 7:19 PM
To: Kerl, Andreas
Cc: openssh-unix-dev at mindrot.org
Subject: RE: (no subject)X-forward

On Tue, 4 Jun 2002, Kerl, Andreas wrote:

> My System:
>
> # uname -a
> SunOS testsun 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10
>
> Configured without "--with-xauth":
>
> # grep xauth config.log
> configure:15449: checking for xauth
>
> Andreas Kerl

Are you generating your own configure with autoconf or are you using a
configure from a tarball?

Look in config.log and see if you can see what is going wrong.

>
>
> -----Original Message-----
> From: Tim Rice [mailto:tim at multitalents.net]
> Sent: Tuesday, June 04, 2002 6:24 PM
> To: Kevin Steves
> Cc: Kerl, Andreas; openssh-unix-dev at mindrot.org; stevesk at pobox.com
> Subject: Re: (no subject)X-forward
>
> On Tue, 4 Jun 2002, Kevin Steves wrote:
>
> > On Tue, Jun 04, 2002 at 05:44:16PM +0200, Kerl, Andreas wrote:
> > > Yeah that's it,
> > > compiled with --with-xauth=...
> > > and it works
> >
> > ok, great. configure detection for an xauth program is broken post
> > 3.1 on solaris (for me it does not work on solaris 8), but i'm not
> > sure why.
> >
> > can someone look into this?
>
> Hmm, works here.
> ...
> tim at sun1 1% echo $DISPLAY
> localhost:10.0
> tim at sun1 2% uname -a
> SunOS sun1 5.8 Generic_108528-14 sun4m sparc SUNW,SPARCstation-5
> tim at sun1 3% env | grep SSH
> SSH_CLIENT=192.168.34.65 34565 22
> SSH_TTY=/dev/pts/3
> ...
>
> Andreas, rerun configure without using the --with-xauth option and
> tell me what "grep xauth config.log" says.
>
> --
> Tim Rice                Multitalents    (707) 887-1469
> tim at multitalents.net

-- 
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net

From tim at multitalents.net Wed Jun 5 03:31:13 2002
From: tim at multitalents.net (Tim Rice)
Date: Tue, 4 Jun 2002 10:31:13 -0700 (PDT)
Subject: (no subject)X-forward
In-Reply-To: <2BB73D0BED687449BA36B05B1C5FA9F439233C@exchange2000.dts.intra>
Message-ID:

On Tue, 4 Jun 2002, Kerl, Andreas wrote:

> I use autoconf.

What version?

> Before configure I make clean.
>
> Config-log:
>
> configure:15449: checking for xauth
> configure:15482: result: no

Maybe lines 15449 to 15482 of your configure will give you a clue as to
what is going wrong.

>
> But xauth is in /usr/openwin/bin
>
>
> Andreas Kerl

-- 
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net

From andreas.kerl at dts.de Wed Jun 5 03:50:25 2002
From: andreas.kerl at dts.de (Kerl, Andreas)
Date: Tue, 4 Jun 2002 19:50:25 +0200
Subject: (no subject)X-forward
Message-ID: <2BB73D0BED687449BA36B05B1C5FA9F439233D@exchange2000.dts.intra>

Oh I think I'm wrong.
I thought autoconf is automatically used when I run ./configure

# autoconf -V
autoconf (GNU Autoconf) 2.52
Written by David J. MacKenzie.

I use the tar.gz from the official openssh site.

Here the lines from configure (15449 and 15482 are the line numbers that
config.log reports):

# Check whether --with-xauth or --without-xauth was given.
if test "${with_xauth+set}" = set; then
  withval="$with_xauth"

        if test "x$withval" != "xno" ; then
                xauth_path=$withval
        fi

else
_________________________________________________________________
15449:  # Extract the first word of "xauth", so it can be a program name with args.
set dummy xauth; ac_word=$2
echo "$as_me:$LINENO: checking for $ac_word" >&5
echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
if test "${ac_cv_path_xauth_path+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
else
  case $xauth_path in
  [\\/]* | ?:[\\/]*)
  ac_cv_path_xauth_path="$xauth_path" # Let the user override the test with a path.
  ;;
  *)
  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH:/usr/X/bin:/usr/bin/X11:/usr/X11R6/bin:/usr/openwin/bin
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
  for ac_exec_ext in '' $ac_executable_extensions; do
  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_path_xauth_path="$as_dir/$ac_word$ac_exec_ext"
    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
done

  ;;
esac
fi
xauth_path=$ac_cv_path_xauth_path

if test -n "$xauth_path"; then
  echo "$as_me:$LINENO: result: $xauth_path" >&5
15482:  echo "${ECHO_T}$xauth_path" >&6
__________________________________________________________________
else
  echo "$as_me:$LINENO: result: no" >&5
echo "${ECHO_T}no" >&6
fi

Andreas Kerl

-----Original Message-----
From: Tim Rice [mailto:tim at multitalents.net]
Sent: Tuesday, June 04, 2002 7:31 PM
To: Kerl, Andreas
Cc: openssh-unix-dev at mindrot.org
Subject: RE: (no subject)X-forward

On Tue, 4 Jun 2002, Kerl, Andreas wrote:

> I use autoconf.

What version?

> Before configure I make clean.
>
> Config-log:
>
> configure:15449: checking for xauth
> configure:15482: result: no

Maybe lines 15449 to 15482 of your configure will give you a clue as to
what is going wrong.

>
> But xauth is in /usr/openwin/bin
>
>
> Andreas Kerl

-- 
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net

From andreas.kerl at dts.de Wed Jun 5 04:11:11 2002
From: andreas.kerl at dts.de (Kerl, Andreas)
Date: Tue, 4 Jun 2002 20:11:11 +0200
Subject: (no subject)X-forward
Message-ID: <2BB73D0BED687449BA36B05B1C5FA9F439233E@exchange2000.dts.intra>

Sorry, I'm not a programmer :-), I didn't use autoconf.
I used the official configure.

Andreas Kerl

From tim at multitalents.net Wed Jun 5 04:39:47 2002
From: tim at multitalents.net (Tim Rice)
Date: Tue, 4 Jun 2002 11:39:47 -0700 (PDT)
Subject: (no subject)X-forward
In-Reply-To: <2BB73D0BED687449BA36B05B1C5FA9F439233D@exchange2000.dts.intra>
Message-ID:

On Tue, 4 Jun 2002, Kerl, Andreas wrote:

> Oh I think I'm wrong.
> I thought autoconf is automatically used when I run
> ./configure
>
> # autoconf -V
> autoconf (GNU Autoconf) 2.52
> Written by David J. MacKenzie.

Try renaming configure (mv configure configure.sav) and run autoconf.
Try the configure your autoconf builds.

>
> I use the tar.gz from the official openssh site.
>
> Here the lines from configure:
[snip]
>
> On Tue, 4 Jun 2002, Kerl, Andreas wrote:
>
> > I use autoconf.
>
> What version?
>
> > Before configure I make clean.
> >
> > Config-log:
> >
> > configure:15449: checking for xauth
> > configure:15482: result: no
>
> Maybe lines 15449 to 15482 of your configure will give you a clue as to
> what is going wrong.
>
> >
> > But xauth is in /usr/openwin/bin
> >
> >
> > Andreas Kerl
>

-- 
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net

From andreas.kerl at dts.de Wed Jun 5 04:49:51 2002
From: andreas.kerl at dts.de (Kerl, Andreas)
Date: Tue, 4 Jun 2002 20:49:51 +0200
Subject: (no subject)X-forward
Message-ID: <2BB73D0BED687449BA36B05B1C5FA9F439233F@exchange2000.dts.intra>

Yes, that worked.
xauth was found.

Andreas Kerl

-----Original Message-----
From: Tim Rice [mailto:tim at multitalents.net]
Sent: Tuesday, June 04, 2002 8:40 PM
To: Kerl, Andreas
Cc: openssh-unix-dev at mindrot.org
Subject: RE: (no subject)X-forward

On Tue, 4 Jun 2002, Kerl, Andreas wrote:

> Oh I think I'm wrong.
> I thought autoconf is automatically used when I run ./configure
>
> # autoconf -V
> autoconf (GNU Autoconf) 2.52
> Written by David J. MacKenzie.

Try renaming configure (mv configure configure.sav) and run autoconf.
Try the configure your autoconf builds.

>
> I use the tar.gz from the official openssh site.
>
> Here the lines from configure:
[snip]
>
> On Tue, 4 Jun 2002, Kerl, Andreas wrote:
>
> > I use autoconf.
>
> What version?
>
> > Before configure I make clean.
> >
> > Config-log:
> >
> > configure:15449: checking for xauth
> > configure:15482: result: no
>
> Maybe lines 15449 to 15482 of your configure will give you a clue as
> to what is going wrong.
>
> >
> > But xauth is in /usr/openwin/bin
> >
> >
> > Andreas Kerl
>

-- 
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net

From kevin at atomicgears.com Wed Jun 5 05:31:48 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Tue, 4 Jun 2002 12:31:48 -0700
Subject: (no subject)X-forward
In-Reply-To: <2BB73D0BED687449BA36B05B1C5FA9F439233F@exchange2000.dts.intra>
References: <2BB73D0BED687449BA36B05B1C5FA9F439233F@exchange2000.dts.intra>
Message-ID: <20020604193148.GB2369@jenny.crlsca.adelphia.net>

it's an autoconf 2.53 triggered problem, which is what djm used to
build configure for the release. i think it may be solaris /bin/sh
related, and a result of some changes to the way the for loop and IFS
munging is done. with 2.53 the pathlist is not fully split. works
correctly with /bin/ksh.

From bugzilla-daemon at mindrot.org Wed Jun 5 06:18:19 2002
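Kevin's reading of the failure, together with the configure excerpt Andreas posted earlier in the thread, comes down to one construct: the generated script sets IFS to the path separator and then relies on the word splitting of "for as_dir in $PATH:/usr/X/bin:/usr/bin/X11:/usr/X11R6/bin:/usr/openwin/bin", which Solaris 8 /bin/sh does not perform the way the autoconf 2.53 template expects, so /usr/openwin/bin is never visited and xauth is reported missing. The following is an added example, my own code and not the thread's or OpenSSH's configure, that performs the same search without touching IFS at all: the list is peeled one entry at a time with parameter expansion, which every Bourne-family shell handles identically. The function name find_in_path and the variable x11_dirs are mine; the directory list is the one from the configure excerpt.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH's configure).
#
# find_in_path NAME PATHLIST
#   Print the first executable NAME found in the colon-separated PATHLIST
#   and return 0; print nothing and return 1 if it is not found.
#   The list is split with ${var%%:*} / ${var#*:} rather than by IFS word
#   splitting, so /bin/sh, ksh, bash and dash all walk the same entries.
#   An empty entry means "." as in a real PATH lookup, and a non-executable
#   file of the right name is skipped rather than reported.
find_in_path() {
    name=$1
    rest="$2:"                     # trailing ':' so the last entry is consumed too
    while [ -n "$rest" ]; do
        dir=${rest%%:*}            # entry before the first ':'
        rest=${rest#*:}            # everything after it
        [ -z "$dir" ] && dir=.     # an empty entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# The fallback directories OpenSSH's configure appends after $PATH.
x11_dirs='/usr/X/bin:/usr/bin/X11:/usr/X11R6/bin:/usr/openwin/bin'

# Demo: where would sshd's xauth be picked up from on this host?
if xauth_path=$(find_in_path xauth "$PATH:$x11_dirs"); then
    echo "xauth: $xauth_path"
else
    echo "xauth: not found in \$PATH or $x11_dirs"
fi
```

Because the loop never changes IFS, it also cannot leave IFS in a modified state if the search is interrupted, which is the other hazard of the save/restore pattern in the generated script.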
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 5 Jun 2002 06:18:19 +1000 (EST)
Subject: [Bug 263] New: sftp problems
Message-ID: <20020604201819.4FE87E916@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=263

           Summary: sftp problems
           Product: Portable OpenSSH
           Version: 3.1p1
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sftp
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: dvissotto at ufpr.br

When I log in to a machine using sftp, passing my pass-phrase, the program
interrupts, sending the information: Received message too long "number".
If I use ssh I can connect to the machine with no problems. My pass-phrase
has no numbers. Where is the problem?

From tim at multitalents.net Wed Jun 5 06:22:38 2002
From: tim at multitalents.net (Tim Rice)
Date: Tue, 4 Jun 2002 13:22:38 -0700 (PDT)
Subject: (no subject)X-forward
In-Reply-To: <20020604193148.GB2369@jenny.crlsca.adelphia.net>
Message-ID:

On Tue, 4 Jun 2002, Kevin Steves wrote:

> it's an autoconf 2.53 triggered problem, which is what djm used to
> build configure for the release. i think it may be solaris /bin/sh
> related, and a result of some changes to the way the for loop and IFS
> munging is done. with 2.53 the pathlist is not fully split. works
> correctly with /bin/ksh.

I guess I should have grabbed a tarball and looked.
If I had known it was built with autoconf 2.53 I would have guessed
right away that was the problem. I've had lots of problems with configure
scripts built with 2.53.

>

-- 
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net

From bugzilla-daemon at mindrot.org Wed Jun 5 06:54:51 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 5 Jun 2002 06:54:51 +1000 (EST)
Subject: [Bug 164] X-forwarding when connecting to an IPv6-enabled host doesn't work.
Message-ID: <20020604205451.CF0AEE916@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=164

------- Additional Comments From stevesk at pobox.com  2002-06-05 06:54 -------
committed IPV6_V6ONLY solution:

 - (stevesk) [channels.c] bug #164 patch from YOSHIFUJI Hideaki (changed
   setsockopt from debug to error for now).

can linux users try this?

From bugzilla-daemon at mindrot.org Wed Jun 5 07:04:40 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 5 Jun 2002 07:04:40 +1000 (EST)
Subject: [Bug 264] New: sshd leaves around temporary directories in /tmp
Message-ID: <20020604210440.7182EE91B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=264

           Summary: sshd leaves around temporary directories in /tmp
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: robertlaferla at attbi.com

From bugzilla-daemon at mindrot.org Wed Jun 5 07:07:17 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 5 Jun 2002 07:07:17 +1000 (EST)
Subject: [Bug 264] sshd leaves around temporary directories in /tmp
Message-ID: <20020604210717.1AA9FE939@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=264

------- Additional Comments From robertlaferla at attbi.com  2002-06-05 07:07 -------
sshd leaves files of the form "ssh-XX*" in /tmp. It should clean these up
on shutdown or startup.

From bugzilla-daemon at mindrot.org Wed Jun 5 08:02:07 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 5 Jun 2002 08:02:07 +1000 (EST)
Subject: [Bug 264] sshd leaves around temporary directories in /tmp
Message-ID: <20020604220207.A1A27E91B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=264

------- Additional Comments From markus at openbsd.org  2002-06-05 08:02 -------
for example? did you kill sshd with -9?

From bugzilla-daemon at mindrot.org Wed Jun 5 08:20:01 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 5 Jun 2002 08:20:01 +1000 (EST)
Subject: [Bug 263] sftp problems
Message-ID: <20020604222001.59FE6E91B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=263

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From markus at openbsd.org  2002-06-05 08:19 -------
http://www.openssh.com/faq.html#2.9

From openssh-unix-dev at thewrittenword.com Wed Jun 5 09:37:46 2002
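Bug 263 and the FAQ entry Markus closes it with describe one failure: whatever a login script on the server prints to stdout arrives at the sftp client ahead of sftp-server's first packet, and the client reads those bytes as the 4-byte big-endian length that starts every SFTP message, which is where "Received message too long" comes from. The following is an added example, my own code and not OpenSSH's, that shows both halves of the problem: it decodes a length field the way an SFTP client does, so you can see what a greeting like "Welcome" turns into, and it shows the guard a .profile needs so that greetings are only printed by interactive shells. The 256 KiB ceiling is the bound OpenSSH's sftp client applies; the function names and the sample greeting are constructed.

```shell
#!/bin/sh
# Added example (not OpenSSH code). Every SFTP packet starts with a 4-byte
# big-endian length. If a login script has already written "Welcome...\n"
# to stdout, the sftp client takes the first four bytes of that greeting
# as the length of the first packet and rejects it as too long.

SFTP_MAX_MSG_LENGTH=262144      # 256 KiB, the bound OpenSSH's sftp client uses

# sftp_msg_len: read the first four bytes on stdin, decode them as a
# big-endian unsigned 32-bit integer and print it. Returns 1 on a short
# read (a real client would report that as a truncated stream).
sftp_msg_len() {
    set -- $(od -An -tu1 -N4)
    if [ "$#" -ne 4 ]; then
        echo "short read: $# byte(s)" >&2
        return 1
    fi
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# sftp_check_len: print "ok LEN" or "too long LEN" for the stream on stdin,
# mirroring the client's sanity check on the decoded length.
sftp_check_len() {
    len=$(sftp_msg_len) || return 1
    if [ "$len" -gt "$SFTP_MAX_MSG_LENGTH" ]; then
        echo "too long $len"
        return 1
    fi
    echo "ok $len"
}

# greet: what the login script should do instead of an unconditional echo.
# "$-" contains 'i' only in an interactive shell; the shell that starts
# sftp-server is non-interactive, so nothing is printed on that path.
greet() {
    case $- in
        *i*) echo "Welcome to the build host" ;;
    esac
}

# Demo: a genuine first packet (length 5, then the SSH_FXP_INIT byte 1)
# versus a greeting that landed in front of it.
printf '\000\000\000\005\001' | sftp_check_len
printf 'Welcome to the build host\n' | sftp_check_len || true
greet
```

"Welc" decodes to 0x57656C63, about 1.4 GB, which no sanity bound will accept; the fix is on the server side, in the user's startup files, not in sftp.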
From: openssh-unix-dev at thewrittenword.com (Albert Chin)
Date: Tue, 4 Jun 2002 18:37:46 -0500
Subject: Build problems with 3.2.3p1 under AIX 4.3.2
Message-ID: <20020604183746.A28411@oolong.il.thewrittenword.com>

xlc -O2 -qmaxmem=-1 -qarch=com -I/opt/TWWfsw/tcpwrap/include -I. -I.. -I. -I./.. -I/opt/TWWfsw/libopenssl09s/include -I/opt/TWWfsw/zlib11s/include -DHAVE_CONFIG_H -c glob.c
"glob.c", line 100.9: 1506-213 (S) Macro name TILDE cannot be redefined.
"glob.c", line 100.9: 1506-358 (I) "TILDE" is defined on line 250 of /usr/include/sys/ioctl.h.
gmake[1]: *** [glob.o] Error 1

From openssh-unix-dev at thewrittenword.com Wed Jun 5 10:00:48 2002
From: openssh-unix-dev at thewrittenword.com (Albert Chin)
Date: Tue, 4 Jun 2002 19:00:48 -0500
Subject: Trailing comma in enum for 3.2.3p1
Message-ID: <20020604190048.A28675@oolong.il.thewrittenword.com>

A trailing comma in an enum generates an error with the IBM C compiler,
xlc, on AIX 4.3.2:

$ gmake
...
xlc -O2 -qmaxmem=-1 -qarch=com -I/opt/TWWfsw/tcpwrap/include -I. -I. -I/opt/TWWfsw/libopenssl09s/include -I/opt/TWWfsw/zlib11s/include -DSSHDIR=\"/etc/opt/TWWfsw/openssh323\" -D_PATH_SSH_PROGRAM=\"/opt/TWWfsw/openssh323/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/TWWfsw/openssh323/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/opt/TWWfsw/openssh323/libexec/sftp-server\" -D_PATH_SSH_PIDDIR=\"/etc\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/opt/TWWfsw/openssh323/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c kex.c
"monitor.h", line 53.25: 1506-275 (S) Unexpected text ',' encountered.
gmake: *** [kex.o] Error 1

The patch below fixes this.

-- 
albert chin (china at thewrittenword.com)

-- snip snip
--- monitor.h.orig	Tue Jun  4 18:49:51 2002
+++ monitor.h	Tue Jun  4 18:49:58 2002
@@ -50,7 +50,7 @@ MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, MONITOR_REQ_PAM_START, - MONITOR_REQ_TERM, + MONITOR_REQ_TERM }; struct mm_master; --- log.h.orig Tue Jun 4 17:51:55 2002 +++ log.h Tue Jun 4 17:52:03 2002 @@ -33,7 +33,7 @@ SYSLOG_FACILITY_LOCAL5, SYSLOG_FACILITY_LOCAL6, SYSLOG_FACILITY_LOCAL7, - SYSLOG_FACILITY_NOT_SET = -1, + SYSLOG_FACILITY_NOT_SET = -1 } SyslogFacility; typedef enum { @@ -45,7 +45,7 @@ SYSLOG_LEVEL_DEBUG1, SYSLOG_LEVEL_DEBUG2, SYSLOG_LEVEL_DEBUG3, - SYSLOG_LEVEL_NOT_SET = -1, + SYSLOG_LEVEL_NOT_SET = -1 } LogLevel; void log_init(char *, LogLevel, SyslogFacility, int); From openssh-unix-dev at thewrittenword.com Wed Jun 5 10:02:23 2002 
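Review bot: in the monitor.h hunk the trailing comma after MONITOR_REQ_TERM is permitted by C99 but not by C89/C90, which is the dialect xlc enforces in the error quoted above ("monitor.h", line 53.25: 1506-275 (S) Unexpected text ',' encountered), so removing it is the correct portability fix rather than something to paper over with a compiler flag; because this enum grows every time a new MONITOR_REQ_*/MONITOR_ANS_* pair is added, a short comment on the last line (for example "MONITOR_REQ_TERM	/* no trailing comma: C89 */") would stop the next addition from reintroducing the same build break.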
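Review bot: the two log.h hunks apply the same C89 fix, and there the last enumerator in each list is a sentinel with an explicit value (SYSLOG_FACILITY_NOT_SET = -1 and SYSLOG_LEVEL_NOT_SET = -1), so future facilities and levels will be inserted above it rather than appended after it and the comma-free last line is stable without a comment; the one thing to check before committing is that the .orig timestamps show the diff was taken against a 3.2.3p1 tree, so confirm the three hunks still apply at their offsets in -current.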
From: openssh-unix-dev at thewrittenword.com (Albert Chin)
Date: Tue, 4 Jun 2002 19:02:23 -0500
Subject: Build problems with 3.2.3p1 under Tru64 UNIX 4.0D
Message-ID: <20020604190223.B28675@oolong.il.thewrittenword.com>

Tru64 UNIX 4.0D, with the DTK (Desktop Toolkit), includes int64_t in
/usr/include.dtk/stdint.h.

$ gmake
...
(cd openbsd-compat && gmake)
gmake[1]: Entering directory `/opt/build/openssh-3.2.3p1/openbsd-compat'
cc -O2 -std -I/opt/TWWfsw/tcpwrap/include -I. -I.. -I. -I./.. -I/opt/TWWfsw/libopenssl09s/include -I/opt/TWWfsw/zlib11s/include -DHAVE_CONFIG_H -c bsd-arc4random.c
cc: Error: ../defines.h, line 151: In this declaration, "uint8_t" appears to be used as if it named a type, but there is no declared type of that name visible. (typedefnotdef)
typedef uint8_t u_int8_t;
--------^
cc: Error: ../defines.h, line 152: In this declaration, "uint16_t" appears to be used as if it named a type, but there is no declared type of that name visible. (typedefnotdef)
typedef uint16_t u_int16_t;
--------^

The patch below fixes this. This patch was inspired by one from Tim Mooney:
  http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=99842334021906&w=2

-- 
albert chin (china at thewrittenword.com)

-- snip snip
--- configure.ac.orig	Wed May 29 17:51:40 2002
+++ configure.ac	Tue Jun  4 18:02:20 2002
@@ -1045,7 +1024,20 @@ AC_DEFINE(HAVE_INT64_T) have_int64_t=1 fi - + +if test -z "$have_int64_t" ; then + AC_MSG_CHECKING([for int64_t type in stdint.h]) + AC_TRY_COMPILE( + [ #include ], + [ int64_t a; a = 1], + [ + AC_DEFINE(HAVE_INT64_T) + AC_MSG_RESULT(yes) + ], + [ AC_MSG_RESULT(no) ] + ) +fi + if test -z "$have_int64_t" ; then AC_MSG_CHECKING([for int64_t type in sys/socket.h]) AC_TRY_COMPILE(
--- includes.h.orig	Tue Jun  4 18:38:48 2002
+++ includes.h	Tue Jun  4 18:39:02 2002
@@ -115,6 +115,9 @@ #ifdef HAVE_SYS_UN_H # include /* For sockaddr_un */ #endif +#ifdef HAVE_STDINT_H +# include +#endif #ifdef HAVE_SYS_BITYPES_H # include /* For u_intXX_t */ #endif

From fcusack at fcusack.com Wed Jun 5 13:17:07 2002
From: fcusack at fcusack.com (Frank Cusack)
Date: Tue, 4 Jun 2002 20:17:07 -0700
Subject: hang on exit
In-Reply-To: <20020213222129.GD10765@faui02>; from markus@openbsd.org on Wed, Feb 13, 2002 at 11:21:29PM +0100
References: <20020103172818.A15928@faui02> <20020104091526.B1025@foo.birdnet.se> <20020104093229.B20222@wdr.com> <20020104184505.H9973@zax.half.pint-stowp.cx> <20020105113623.A19062@folly> <20020204193226.GA19980@faui02> <20020213131541.D18854@google.com> <20020213213007.GB7731@faui02> <20020213135153.E18854@google.com> <20020213222129.GD10765@faui02>
Message-ID: <20020604201707.A5809@google.com>

On Wed, Feb 13, 2002 at 11:21:29PM +0100, Markus Friedl wrote:
> On Wed, Feb 13, 2002 at 01:51:53PM -0800, Frank Cusack wrote:
> > > all other patches did discard data for the non-pty case, too, and this
> > > is not acceptable.
> >
> > Ahh, that is a notable distinction. What does openbsd do for the non-pty
> > case?
>
> for the non-pty case ssh blocks (on OpenBSD, too), like rsh does.
>
> > Neither do I. I just rewrote a bunch of scripts used locally to explicitly
> > redirect /dev/null for fd {0,1,2}, which seems more correct, IMHO. I'll
> > put this patch into production and give some feedback in a month or so.

The patch earlier in this thread has been working very well, I think it
should go into cvs.

I still have a problem with buggy programs that fork and leave open fd's so
I am forced to be more aggressive, but I don't think that should be in the
distro.

/fc

From dm_bradford at hotmail.com Wed Jun 5 13:27:11 2002
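Review bot: two problems with the configure.ac hunk above. First, it defines HAVE_INT64_T when int64_t compiles with the probed header, but nothing in it defines HAVE_STDINT_H, and the companion includes.h hunk only pulls the header in under "#ifdef HAVE_STDINT_H", so unless stdint.h is already in the AC_CHECK_HEADERS list the result is a build that believes int64_t exists without ever including the header that declares it; either add stdint.h to AC_CHECK_HEADERS in the same patch or guard this probe with a test on ac_cv_header_stdint_h. Second, the hunk header "@@ -1045,7 +1024,20 @@" has old and new start lines 21 apart for a hunk that adds only 13 lines, which means the diff was taken against a locally modified configure.ac and may not apply cleanly to a pristine 3.2.3p1 tree; and the header name inside "+ [ #include ]," has been lost in the archived copy (angle brackets stripped), so anyone applying this from the archive has to restore <stdint.h> there by hand.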
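Frank's closing remark names the residual problem in the "hang on exit" thread: a program that forks and leaves the session's stdout or stderr open in the child keeps ssh's channel from reaching EOF, so ssh waits for the child rather than for the command it was asked to run. The mechanism is visible without ssh at all, because a command substitution waits for EOF on the same kind of pipe. The following is an added example, my own code and not from the thread, that times a script which backgrounds a child carelessly against one that redirects fd 0, 1 and 2 to /dev/null the way Frank rewrote his scripts. The helper names (run_and_time, leaky_script, fixed_script) are mine, and a 2-second sleep stands in for the daemon.

```shell
#!/bin/sh
# Added example (not from the thread). A child that inherits the session's
# stdout/stderr keeps the pipe open after its parent exits, so whoever reads
# that pipe (ssh's channel, or here a command substitution) blocks until the
# child is gone. 'sleep 2' stands in for a daemon the script launches.

# run_and_time CMD: run CMD inside a command substitution and print how
# many whole seconds passed before the reader saw EOF on CMD's stdout.
run_and_time() {
    start=$(date +%s)
    out=$(sh -c "$1")          # returns only when every writer has closed the pipe
    end=$(date +%s)
    echo $(( end - start ))
}

# A script that backgrounds a long-running child and exits immediately but
# lets the child keep fds 0, 1 and 2: the reader waits for the child.
leaky_script='sleep 2 & exit 0'

# The same script with the child detached from the session's descriptors:
# the reader sees EOF as soon as the script itself exits.
fixed_script='sleep 2 </dev/null >/dev/null 2>&1 & exit 0'

# Demo: the leaky form holds the pipe for the life of the sleep.
echo "leaky: $(run_and_time "$leaky_script")s until EOF"
echo "fixed: $(run_and_time "$fixed_script")s until EOF"
```

Over ssh the reader is the channel, so the same leak shows up as a session that will not close until the daemon dies; when the program cannot be fixed, wrapping it with the redirections in fixed_script is the least aggressive workaround.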
From: dm_bradford at hotmail.com (David Bradford) Date: Tue, 04 Jun 2002 23:27:11 -0400 Subject: I have implemented reget and reput in sftp. Message-ID: is there any interest in this, and if so, how do I submit it? Thanks, David Bradford From dmanton at emea.att.com Wed Jun 5 17:18:03 2002 From: dmanton at emea.att.com (Manton, Doug) Date: Wed, 5 Jun 2002 08:18:03 +0100 Subject: Build problems with 3.2.3p1 under AIX 4.3.2 Message-ID: Have you tried adding "-qlanglvl=extended" to your CFLAGS? With this flag, I can successfully build 3.2.3p1 using xlC v5 under AIX 4.3.3 ML9. Best wishes, Doug Manton, AT&T Business Commercial Security ---------------------------------------------- -----Original Message----- From: Albert Chin [mailto:openssh-unix-dev at thewrittenword.com] Sent: 05 June 2002 00:38 To: openssh-unix-dev at mindrot.org Subject: Build problems with 3.2.3p1 under AIX 4.3.2 xlc -O2 -qmaxmem=-1 -qarch=com -I/opt/TWWfsw/tcpwrap/include -I. -I.. -I. -I./.. -I/opt/TWWfsw/libopenssl09s/include -I/opt/TWWfsw/zlib11s/include -DHAVE_CONFIG_H -c glob.c "glob.c", line 100.9: 1506-213 (S) Macro name TILDE cannot be redefined. "glob.c", line 100.9: 1506-358 (I) "TILDE" is defined on line 250 of /usr/include/sys/ioctl.h. gmake[1]: *** [glob.o] Error 1 From bugzilla-daemon at mindrot.org Wed Jun 5 17:40:38 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 5 Jun 2002 17:40:38 +1000 (EST) Subject: [Bug 164] X-forwarding when connecting to an IPv6-enabled host doesn't work. Message-ID: <20020605074038.60327E91B@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=164 ------- Additional Comments From pekkas at netcore.fi 2002-06-05 17:40 ------- This works for me nicely for the non-IPV6_V6ONLY case. Applications that previously didn't work are now ok. This also seems to work on systems that don't have IPv6 enabled. The problem of changing debug -> error may be that OpenSSH compiled with a version which has IPV6_V6ONLY support may cease to work on an older socket library. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From joachim.falk at gmx.de Wed Jun 5 19:19:58 2002 From: joachim.falk at gmx.de (Joachim Falk) Date: Wed, 5 Jun 2002 11:19:58 +0200 (CEST) Subject: [PATCH] forwarding environment vars In-Reply-To: Message-ID: I have updated the patch to include documentation for environment forwarding in the manpages ssh(1) and sshd(8). If there is interest for the patch on plain vanilla OpenSSH-3.2.3p1 I will adapt the patch. Interested people should mail me! The patch is located at http://home.t-online.de/home/joachim_falk/patches/index.html Best regards Joachim Falk From markus at openbsd.org Wed Jun 5 19:27:27 2002 From: markus at openbsd.org (Markus Friedl) Date: Wed, 5 Jun 2002 11:27:27 +0200 Subject: [PATCH] forwarding environment vars ala RFC2026 In-Reply-To: References: Message-ID: <20020605092727.GB28746@faui02> how is this related to RFC2026? From joachim.falk at gmx.de Wed Jun 5 19:55:02 2002
From: joachim.falk at gmx.de (Joachim Falk) Date: Wed, 5 Jun 2002 11:55:02 +0200 (CEST) Subject: [PATCH] forwarding environment vars ala RFC2026 In-Reply-To: <20020605092727.GB28746@faui02> Message-ID: On Wed, 5 Jun 2002, Markus Friedl wrote: > how is this related to RFC2026? > Red Face time. You are right, I have looked only for an RFC number in draft-ietf-secsh-connect-15.txt. The environment forwarding is specified in this draft. Relevant sections included. [DRAFT snippet] Network Working Group T. Ylonen Internet-Draft T. Kivinen Expires: August 1, 2002 SSH Communications Security Corp M. Saarinen University of Jyvaskyla T. Rinne S. Lehtinen SSH Communications Security Corp January 31, 2002 SSH Connection Protocol draft-ietf-secsh-connect-15.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. [snipped much text] 4.4 Environment Variable Passing Environment variables may be passed to the shell/command to be started later. Uncontrolled setting of environment variables in a privileged process can be a security hazard. It is recommended that implementations either maintain a list of allowable variable names or only set environment variables after the server process has dropped sufficient privileges. byte SSH_MSG_CHANNEL_REQUEST uint32 recipient channel string "env" boolean want reply string variable name string variable value [snipped much text] [END DRAFT] Best Regards Joachim Falk -- From dave at ugc.org.uk Wed Jun 5 20:07:38 2002
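The "env" request layout and the allow-list recommendation quoted from section 4.4 above, worked through as an added example that is not part of the thread and not OpenSSH's own code. It assumes the message number 98 for SSH_MSG_CHANNEL_REQUEST (the value the connection protocol assigns it); the ALLOWED_ENV_NAMES policy and the function names are this example's own, constructed for illustration.

```python
import re
import struct

# Message number of SSH_MSG_CHANNEL_REQUEST in the SSH connection protocol.
SSH_MSG_CHANNEL_REQUEST = 98

# Hypothetical server policy: the only variable names a client may set.
# The draft recommends "a list of allowable variable names"; these
# particular names are a constructed example, not an OpenSSH default.
ALLOWED_ENV_NAMES = frozenset({"LANG", "LC_ALL", "LC_CTYPE", "TZ"})

# A variable name must be a plain identifier: this alone rejects '=' and NUL,
# which would otherwise corrupt the environment entry handed to setenv()/putenv().
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes) at offset off."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return bytes(buf[off:off + n]), off + n


def build_env_request(channel, name, value, want_reply=True):
    """Encode an 'env' request laid out as in draft-ietf-secsh-connect-15 4.4."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", channel)
            + s(b"env") + bytes([1 if want_reply else 0]) + s(name) + s(value))


def parse_env_request(msg):
    """Decode an 'env' request; returns (channel, want_reply, name, value) as raw bytes."""
    if len(msg) < 1 or msg[0] != SSH_MSG_CHANNEL_REQUEST:
        raise ValueError("not SSH_MSG_CHANNEL_REQUEST")
    if len(msg) < 5:
        raise ValueError("truncated channel field")
    (channel,) = struct.unpack_from(">I", msg, 1)
    rtype, off = _string(msg, 5)
    if rtype != b"env":
        raise ValueError("not an env request")
    if off >= len(msg):
        raise ValueError("truncated want-reply field")
    want_reply = msg[off] != 0
    name, off = _string(msg, off + 1)
    value, off = _string(msg, off)
    if off != len(msg):
        raise ValueError("trailing bytes after value")
    return channel, want_reply, name, value


def check_env_request(msg, allowed=ALLOWED_ENV_NAMES):
    """Return (accepted, reason); a server sets the variable only on acceptance."""
    try:
        _, _, name, value = parse_env_request(msg)
    except ValueError as e:
        return False, "malformed: %s" % e
    try:
        name_s = name.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII name"
    if not _NAME_RE.match(name_s):
        return False, "name is not a plain identifier"
    if b"\0" in value:
        return False, "NUL byte in value"  # a C setenv() would silently truncate here
    if name_s not in allowed:
        return False, "%s is not in the allow-list" % name_s
    return True, "ok"
```

The checks run in the order a server would want them: the wire format is validated first so a truncated or mislabelled request never reaches the policy, then the name is constrained to an identifier, and only then is the allow-list consulted, so a rejected request carries a reason that is safe to log.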
From: dave at ugc.org.uk (Dave Ryan) Date: Wed, 5 Jun 2002 11:07:38 +0100 Subject: ssh-add: local private keys added to forwarded agents Message-ID: <20020605110738.A31554@chimmi.ugc.org.uk> Hi, This may or may not cause concern for some people (considering a lot of people store all of their keys on a single client system). Snippet from draft-ietf-secsh-agent-00.txt: 2. Security Considerations This protocol is designed only to run as a channel of the SSH protocol. The goal of this extension is to ensure that the users private keys never leave the machine they are physically at. Ideally the private keys should be stored on a password protected removable media such as a smartcard. I noticed that ssh-add will add a private key to a forwarded agent, if there are no local agents started by that user - this breaks the draft specification as private keys on a local host are added to an agent running on a remote host. For example, USERA starts ssh-agent on HOSTA. USERA then ssh's to HOSTB, USERA then runs ssh-add on HOSTB, the private keys from HOSTB are then added to the ssh-agent on HOSTA. If USERA had started ssh-agent on HOSTB and then ran ssh-add, the keys would have remained local to the system. I also noticed that if there are no local agents running a remote agent socket will show up in /tmp/ssh-XXXXXXXX/ as agent.$PID= whereas if a local agent IS running the "=" is dropped. I'm not sure if it is appropriate to apply mechanisms to ssh-add to prevent it adding local keys to a forwarded agent or if a quick addition to the man pages will suffice. If this has been discussed before I apologise; I couldn't find any references to anything similar. Cheers, Dave. -- ugc Security Research http://www.ugc.org.uk/~dave From markus at openbsd.org Wed Jun 5 20:20:56 2002
From: markus at openbsd.org (Markus Friedl) Date: Wed, 5 Jun 2002 12:20:56 +0200 Subject: ssh-add: local private keys added to forwarded agents In-Reply-To: <20020605110738.A31554@chimmi.ugc.org.uk> References: <20020605110738.A31554@chimmi.ugc.org.uk> Message-ID: <20020605102056.GB23376@faui02> i'm not sure what you want, but the ssh-add manpage is missing a reference to SSH_AUTH_SOCK Identifies the path of a unix-domain socket used to communicate with the agent. -m On Wed, Jun 05, 2002 at 11:07:38AM +0100, Dave Ryan wrote: > Hi, > > This may or may not cause concern for some people (considering a lot of > people store all of their keys on a single client system). > > Snippet from draft-ietf-secsh-agent-00.txt: > > 2. Security Considerations > > This protocol is designed only to run as a channel of the SSH > protocol. > > The goal of this extension is to ensure that the users private keys > never leave the machine they are physically at. Ideally the private > keys should be stored on a password protected removable media such as > a smartcard. > > I noticed that ssh-add will add a private key to a forwarded agent, if > there are no local agents started by that user - this breaks the draft > specification as private keys on a local host are added to an agent > running on a remote host. > > For example, > > USERA starts ssh-agent on HOSTA. USERA then ssh's to HOSTB, USERA then > runs ssh-add on HOSTB, the private keys from HOSTB are then added to the > ssh-agent on HOSTA. > > If USERA had started ssh-agent on HOSTB and then ran ssh-add, the keys > would have remained on local to the system. > > I also noticed that if there are no local agents running a remote agent > socket will show up in /tmp/ssh-XXXXXXXX/ as agent.$PID= whereas if a > local agent IS running the "=" is dropped. > > I'm not sure if it is appropriate to apply mechanisms to ssh-add to > prevent it adding local keys to a forwarded agent or if a quick > addition to the man pages will suffice. 
> > If this has been discussed before I apologise, couldn't find any > references to anything similar. > > Cheers, > Dave. > > -- > ugc Security Research > http://www.ugc.org.uk/~dave From Jason.Lacoss-Arnold at AGEDWARDS.com Wed Jun 5 22:58:48 2002
From: Jason.Lacoss-Arnold at AGEDWARDS.com (Lacoss-Arnold, Jason) Date: Wed, 5 Jun 2002 07:58:48 -0500 Subject: new problem with shell closing as soon as it's launched under HP-UX 10.20 Message-ID: <6808DCE827EBD5119DFB0002A58EF4DA57EA7B@hqempn06.agedwards.com> Our admins recently rebuilt a server and put the Dec. 2001 HP patch bundle on it. The ssh software was installed from a software depot, so it is the same as was previously on the server and as is on other, functional servers. Upon such time, when sshd comes up, it will accept connections, authenticate users as normal, but their shell appears to die during connection. The only output a user will get after authentication is: Last login: Wed Jun 5 07:12:49 2002 from somehost and it disconnects. Following is partial output from sshd -d -d -d. I'm most interested in the SIGCHILD, but not sure if I'm barking up the wrong tree. Any ideas? Anyone seen this before? Accepted password for baertr from 10.55.40.33 port 33250 ssh2 debug1: Entering interactive session for SSH2. debug1: fd 3 setting O_NONBLOCK debug1: fd 4 setting O_NONBLOCK debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 32768 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_channel_req: channel 0 request pty-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/0 debug3: tty_parse_modes: SSH2 n_bytes 266 debug3: tty_parse_modes: ospeed 9600 debug3: tty_parse_modes: ispeed 0 debug3: tty_parse_modes: 1 3 debug3: tty_parse_modes: 2 28 debug3: tty_parse_modes: 3 8 debug3: tty_parse_modes: 4 21 debug3: tty_parse_modes: 5 4 debug3: tty_parse_modes: 6 0 debug3: tty_parse_modes: 7 0 debug3: tty_parse_modes: 8 17 debug3: tty_parse_modes: 9 19 debug3: tty_parse_modes: 10 26 debug3: tty_parse_modes: 11 25 debug1: Ignoring unsupported tty mode opcode 12 (0xc) debug3: tty_parse_modes: 13 23 debug3: tty_parse_modes: 14 22 debug3: tty_parse_modes: 16 0 debug1: Ignoring unsupported tty mode opcode 18 (0x12) debug3: tty_parse_modes: 30 0 debug3: tty_parse_modes: 31 0 debug3: tty_parse_modes: 32 0 debug3: tty_parse_modes: 33 0 debug3: tty_parse_modes: 34 0 debug3: tty_parse_modes: 35 0 debug3: tty_parse_modes: 36 1 debug3: tty_parse_modes: 37 0 debug3: tty_parse_modes: 38 1 debug3: tty_parse_modes: 39 0 debug3: tty_parse_modes: 40 1 debug3: tty_parse_modes: 41 0 debug3: tty_parse_modes: 50 1 debug3: tty_parse_modes: 51 1 debug3: tty_parse_modes: 52 0 debug3: tty_parse_modes: 53 1 debug3: tty_parse_modes: 54 1 debug3: tty_parse_modes: 55 1 debug3: tty_parse_modes: 56 0 debug3: tty_parse_modes: 57 0 debug3: tty_parse_modes: 58 0 debug3: tty_parse_modes: 59 1 debug3: tty_parse_modes: 60 1 debug3: tty_parse_modes: 61 1 debug3: tty_parse_modes: 62 0 debug3: tty_parse_modes: 70 1 debug3: tty_parse_modes: 71 0 debug3: tty_parse_modes: 72 1 debug3: tty_parse_modes: 73 0 debug3: tty_parse_modes: 74 0 debug3: tty_parse_modes: 75 0 debug3: tty_parse_modes: 90 1 debug3: tty_parse_modes: 91 1 debug3: tty_parse_modes: 92 0 debug3: tty_parse_modes: 93 1 debug1: server_input_channel_req: channel 0 request x11-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req x11-req debug1: fd 10 setting O_NONBLOCK debug2: fd 10 is O_NONBLOCK debug1: channel 1: new 
[X11 inet listener] debug1: server_input_channel_req: channel 0 request shell reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req shell debug1: Received SIGCHLD. debug1: fd 5 setting TCP_NODELAY debug1: fd 9 setting O_NONBLOCK debug2: fd 8 is O_NONBLOCK debug3: tvp!=NULL kid 1 mili 100 debug2: notify_done: reading debug1: session_by_pid: pid 19044 debug1: session_exit_message: session 0 channel 0 pid 19044 debug1: channel request 0: exit-status debug1: session_exit_message: release channel 0 debug1: channel 0: write failed debug1: channel 0: close_write debug1: channel 0: output open -> closed debug1: session_close: session 0 pid 19044 debug1: session_pty_cleanup: session 0 release /dev/pts/0 debug1: channel 0: read<=0 rfd 9 len 0 debug1: channel 0: read failed debug1: channel 0: close_read debug1: channel 0: input open -> drain debug1: channel 0: ibuf empty debug1: channel 0: send eof debug1: channel 0: input drain -> closed debug1: channel 0: send close debug3: channel 0: will not send data after close debug1: channel 0: rcvd close debug3: channel 0: will not send data after close debug1: channel 0: is dead debug1: channel 0: garbage collecting Thanks, Jason Lacoss-Arnold TS/Unix Architecture 314-955-8501 From Nicolas.Williams at ubsw.com Thu Jun 6 00:58:37 2002
From: Nicolas.Williams at ubsw.com (Nicolas.Williams at ubsw.com) Date: Wed, 5 Jun 2002 10:58:37 -0400 Subject: ssh-add: local private keys added to forwarded agents Message-ID: <9403F8EE868566448AA1B70D8F783C95334F70@NSTMC004PEX1.ubsgs.ubsgroup.net> The behaviour you describe does not violate the [draft] specification. Clearly, many (most!) SSH users do not store keys in smartcards or any other kind of removable media, and no one claims such behaviour to be in violation of the [draft] spec. Note the word "ideally" in the spec text you quote. Also, your statement about the agent socket names is incorrect. It is "ls -F" that is adding that '=' to the end of the socket name. Having said this, I would second any proposal that ssh-add require an additional argument to force the addition of keys to forwarded agents; this would require a mechanism to tell the difference between local and forwarded agents and, in practice, I imagine either a socket naming pattern or an environment variable's setting would be used to tell the difference, though neither approach would be foolproof. But I am not making such a proposal. I'm big enough to keep track of and know which sessions are which and which sessions have forwarded agents and which don't. Nico -- > -----Original Message-----
> From: Dave Ryan [mailto:dave at ugc.org.uk] > Sent: Wednesday, June 05, 2002 6:08 AM > To: openssh-unix-dev at mindrot.org > Subject: ssh-add: local private keys added to forwarded agents > > > Hi, > > This may or may not cause concern for some people > (considering a lot of > people store all of their keys on a single client system). > > Snippet from draft-ietf-secsh-agent-00.txt: > > 2. Security Considerations > > This protocol is designed only to run as a channel of the SSH > protocol. > > The goal of this extension is to ensure that the users private keys > never leave the machine they are physically at. Ideally > the private > keys should be stored on a password protected removable > media such as > a smartcard. > > I noticed that ssh-add will add a private key to a forwarded agent, if > there are no local agents started by that user - this breaks the draft > specification as private keys on a local host are added to an agent > running on a remote host. > > For example, > > USERA starts ssh-agent on HOSTA. USERA then ssh's to HOSTB, USERA then > runs ssh-add on HOSTB, the private keys from HOSTB are then > added to the > ssh-agent on HOSTA. > > If USERA had started ssh-agent on HOSTB and then ran ssh-add, > the keys > would have remained on local to the system. > > I also noticed that if there are no local agents running a > remote agent > socket will show up in /tmp/ssh-XXXXXXXX/ as agent.$PID= whereas if a > local agent IS running the "=" is dropped. > > I'm not sure if it is appropriate to apply mechanisms to ssh-add to > prevent it adding local keys to a forwarded agent or if a quick > addition to the man pages will suffice. > > If this has been discussed before I apologise, couldn't find any > references to anything similar. > > Cheers, > Dave. 
> > -- > ugc Security Research > http://www.ugc.org.uk/~dave From dave at ugc.org.uk Thu Jun 6 01:25:59 2002
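The distinguishing mechanism Nico floats above (an environment variable's setting), worked through as an added example that is not from the thread and not OpenSSH's ssh-add: a wrapper that refuses to add keys when the agent looks forwarded. It assumes the ssh-agent convention of exporting SSH_AGENT_PID next to SSH_AUTH_SOCK, whereas sshd sets only SSH_AUTH_SOCK for a forwarded agent; the socket path alone cannot tell them apart, since both use the /tmp/ssh-XXXXXXXX/agent.PID naming. The --allow-forwarded flag and the classify_agent and process_name names are this example's own, and, as the thread says, the check is a heuristic rather than foolproof.

```python
import os
import subprocess
import sys


def process_name(pid):
    """Command name of the live process with this PID via ps(1); None if absent."""
    try:
        out = subprocess.run(["ps", "-p", str(pid), "-o", "comm="],
                             capture_output=True, text=True, check=False).stdout.strip()
    except OSError:  # ps not installed: treat the PID as unverifiable
        return None
    return os.path.basename(out) or None


def classify_agent(env, name_of=process_name):
    """Return 'none', 'local' or 'forwarded' for the agent ssh-add would talk to.

    Heuristic (hypothetical, not foolproof): a locally started ssh-agent exports
    SSH_AGENT_PID, sshd's forwarded agent does not. A stale SSH_AGENT_PID is not
    trusted: the PID must belong to a running process named ssh-agent.
    """
    if not env.get("SSH_AUTH_SOCK"):
        return "none"
    pid = env.get("SSH_AGENT_PID", "")
    if not pid.isdigit():
        return "forwarded"
    return "local" if name_of(int(pid)) == "ssh-agent" else "forwarded"


def main(argv):
    """Wrapper around ssh-add: refuse forwarded agents unless --allow-forwarded is given."""
    allow = "--allow-forwarded" in argv
    args = [a for a in argv if a != "--allow-forwarded"]
    if classify_agent(os.environ) == "forwarded" and not allow:
        sys.stderr.write("refusing to add local keys to a forwarded agent "
                         "(use --allow-forwarded to override)\n")
        return 2
    return subprocess.call(["ssh-add"] + args)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Saved as, say, safe-ssh-add and run in place of ssh-add, it passes every other argument straight through; the name_of parameter exists so the decision logic can be exercised without a running agent.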
From: dave at ugc.org.uk (Dave Ryan) Date: Wed, 5 Jun 2002 16:25:59 +0100 Subject: ssh-add: local private keys added to forwarded agents In-Reply-To: <9403F8EE868566448AA1B70D8F783C95334F70@NSTMC004PEX1.ubsgs.ubsgroup.net>; from Nicolas.Williams@ubsw.com on Wed, Jun 05, 2002 at 10:58:37AM -0400 References: <9403F8EE868566448AA1B70D8F783C95334F70@NSTMC004PEX1.ubsgs.ubsgroup.net> Message-ID: <20020605162559.A25786@chimmi.ugc.org.uk> [ I am on the list, would you mind removing me from future replies? thanks. ] Nicolas.Williams at ubsw.com said the following on Wed, Jun 05, 2002 at 10:58:37AM -0400, > > The behaviour you describe does not violate the [draft] specification. Clearly, many (most!) SSH users do not store keys in smartcards or any other kind of removable media, and no one claims such behaviour to be in violation of the [draft] spec. Note the word "ideally" in the spec text you quote. Ok, I think you are confused, I was not referring to storage on smartcards (I should probably have cut the cruft out). I was pointing out: The goal of this extension is to ensure that the users private keys never leave the machine they are physically at. Which (as you qualified yourself) is something that might be worth protecting against. > Also, your statement about the agent socket names is incorrect. It is "ls -F" that is adding that '=' to the end of the socket name. Correct, I forgot I had -F aliased in my .profile. Thanks for pointing this out. > But I am not making such a proposal. I'm big enough to keep track of and > know which sessions are which and which sessions have forwarded agents and > which don't. Like I said, an addition to the man page would probably be sufficient, surely it's wrong to assume everyone is as big as you? Thanks. -- ugc Security Research http://www.ugc.org.uk/~dave From Darren.Moffat at Sun.COM Thu Jun 6 01:55:42 2002
From: Darren.Moffat at Sun.COM (Darren Moffat) Date: Wed, 5 Jun 2002 08:55:42 -0700 (PDT) Subject: ssh-add: local private keys added to forwarded agents Message-ID: <200206051555.g55FtkAw423500@jurassic.eng.sun.com> >Snippet from draft-ietf-secsh-agent-00.txt: > >2. Security Considerations > > This protocol is designed only to run as a channel of the SSH > protocol. > > The goal of this extension is to ensure that the users private keys > never leave the machine they are physically at. Ideally the private > keys should be stored on a password protected removable media such as > a smartcard. > >I noticed that ssh-add will add a private key to a forwarded agent, if >there are no local agents started by that user - this breaks the draft >specification as private keys on a local host are added to an agent >running on a remote host. Since that draft is very much a work in progress and OpenSSH doesn't claim compliance with it - I don't think it is fair to hold them to it. The draft at this point is a very rough cut of thoughts in my head, you will also note that as far as technical details it is completely content free in revision -00.txt. Note also that it does say Ideally not MUST or SHOULD or any other RFC2026 keywords. -- Darren J Moffat From Nicolas.Williams at ubsw.com Thu Jun 6 02:03:30 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Wed, 5 Jun 2002 12:03:30 -0400 Subject: ssh-add: local private keys added to forwarded agents In-Reply-To: <20020605162559.A25786@chimmi.ugc.org.uk>; from dave@ugc.org.uk on Wed, Jun 05, 2002 at 04:25:59PM +0100 References: <9403F8EE868566448AA1B70D8F783C95334F70@NSTMC004PEX1.ubsgs.ubsgroup.net> <20020605162559.A25786@chimmi.ugc.org.uk> Message-ID: <20020605120330.A266@W0594878> On Wed, Jun 05, 2002 at 04:25:59PM +0100, Dave Ryan wrote: > [ I am on the list, would you mind removing me from future replies? thanks. ] Sure. It's a bad habit of mine to respond to all rather than just the list, a bad habit partly borne out of being used to duplicate filtering. You should try it :) :) > Nicolas.Williams at ubsw.com said the following on Wed, Jun 05, 2002 at 10:58:37AM -0400, > > > > The behaviour you describe does not violate the [draft] specification. Clearly, many (most!) SSH users do not store keys in smartcards or any other kind of removable media, and no one claims such behaviour to be in violation of the [draft] spec. Note the word "ideally" in the spec text you quote. > > Ok, I think you are confused, I was not referring to storage on smartcards (I > should probably have cut the cruft out). Ah, yes. Still, "goal" is not "MUST"; to be a requirement the text must use a "MUST" or "MUST NOT" or so on (is that a "legal" idiom?) (see RFC3160). > > But I am not making such a proposal. I'm big enough to keep track of and > > know which sessions are which and which sessions have forwarded agents and > > which don't. > > Like I said an addition to the man page would probably be sufficient, > surely it's wrong to assume everyone is as big as you? Indeed. I'm sure that if you open a bug in the bugzilla db for OpenSSH the OpenSSH folk will consider it. > Thanks. > > -- > ugc Security Research > http://www.ugc.org.uk/~dave Cheers, Nico -- -DISCLAIMER: an automatically appended disclaimer may follow.
By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.- From ed at UDel.Edu Thu Jun 6 02:05:07 2002 From: ed at UDel.Edu (Ed Phillips) Date: Wed, 5 Jun 2002 12:05:07 -0400 (EDT) Subject: ssh-add: local private keys added to forwarded agents In-Reply-To: <200206051555.g55FtkAw423500@jurassic.eng.sun.com> Message-ID: On Wed, 5 Jun 2002, Darren Moffat wrote: > Date: Wed, 5 Jun 2002 08:55:42 -0700 (PDT)
> From: Darren Moffat > To: dave at ugc.org.uk > Cc: openssh-unix-dev at mindrot.org > Subject: Re: ssh-add: local private keys added to forwarded agents > > >Snippet from draft-ietf-secsh-agent-00.txt: > > > >2. Security Considerations > > > > This protocol is designed only to run as a channel of the SSH > > protocol. > > > > The goal of this extension is to ensure that the users private keys > > never leave the machine they are physically at. Ideally the private > > keys should be stored on a password protected removable media such as ^^^^^^ |||||| Maybe you should change this word to "could" or "would" or something else... Ed > > a smartcard. > > > >I noticed that ssh-add will add a private key to a forwarded agent, if > >there are no local agents started by that user - this breaks the draft > >specification as private keys on a local host are added to an agent > >running on a remote host. > > Since that draft is very much a work in progress and OpenSSH doesn't > claim compliance with it - I don't think it is fair to hold them to it. > > The draft at this point is a very rough cut of thoughts in my head, you > will also note that as far as technical details it is completely content > free in revision -00.txt. > > Note also that it does say Ideally not MUST or SHOULD or any other RFC2026 > keywords. > > -- > Darren J Moffat > Ed Phillips University of Delaware (302) 831-6082 Systems Programmer III, Network and Systems Services finger -l ed at polycut.nss.udel.edu for PGP public key From kevin at kevindegraaf.net Thu Jun 6 03:57:27 2002
From: kevin at kevindegraaf.net (Kevin DeGraaf) Date: Wed, 5 Jun 2002 13:57:27 -0400 (EDT) Subject: Per-port hostkeys Message-ID: My apologies if this has been covered already. My search of the archives was unfruitful. OpenSSH seems to be lacking a certain capability present in ssh.com's client; namely, the ability to store remote hostkeys on a per-port basis. I have various machines that, due to iptables port-forwarding, appear to be running copies of (open)sshd on multiple ports. "Commercial" ssh stores hostkeys in files named "key__host.pub"; this is useful, because it allows for recording the keys of multiple sshd's on the same IP address. OpenSSH, on the other hand, doesn't appear to offer this functionality; connecting to any sshd port on a machine will cache that hostkey, and subsequent connections to sshd's on other ports of that machine will fail with hostkey-checking violations. -- Kevin DeGraaf From dave at ugc.org.uk Thu Jun 6 04:18:43 2002 
From: dave at ugc.org.uk (Dave Ryan) Date: Wed, 5 Jun 2002 19:18:43 +0100 Subject: ssh-add: local private keys added to forwarded agents In-Reply-To: <200206051555.g55FtkAw423500@jurassic.eng.sun.com>; from Darren.Moffat@Sun.COM on Wed, Jun 05, 2002 at 08:55:42AM -0700 References: <200206051555.g55FtkAw423500@jurassic.eng.sun.com> Message-ID: <20020605191843.C25786@chimmi.ugc.org.uk> Darren Moffat said the following on Wed, Jun 05, 2002 at 08:55:42AM -0700, > >Snippet from draft-ietf-secsh-agent-00.txt: > > > >2. Security Considerations > > > > This protocol is designed only to run as a channel of the SSH > > protocol. > > > > The goal of this extension is to ensure that the users private keys > > never leave the machine they are physically at. Ideally the private > > keys should be stored on a password protected removable media such as > > a smartcard. > > > >I noticed that ssh-add will add a private key to a forwarded agent, if > >there are no local agents started by that user - this breaks the draft > >specification as private keys on a local host are added to an agent > >running on a remote host. > > Since that draft is very much a work in progress and OpenSSH doesn't > claim compliance with it - I don't think it is fair to hold them to it. I brought it up because I agree with what you have documented, i.e.: The goal of this extension is to ensure that the users private keys never leave the machine they are physically at. As I said, this may or may not be cause for concern with most people, I just thought it was strange to have local keys added to a forwarded agent, noticed you had documented the same in the draft, so I brought it to the list as a suggestion that the draft might be worth following in this instance. But as you said, OpenSSH doesn't claim compliance so maybe I should have suggested it as a feature request (that this cannot happen) rather than a half-assed bug report.
> The draft at this point is a very rough cut of thoughts in my head, you > will also note that as far as technical details it is completely content > free in revision -00.txt. Ok. I wouldn't remove the statement though, imho it is preferable to ensure that private keys remain on the physical host. > Note also that it does say Ideally not MUST or SHOULD or any other RFC2026 > keywords. I didn't comment on the "Ideally..." section. Thanks for providing some clarity on the situation. Cheers. -- ugc Security Research http://www.ugc.org.uk/~dave From mouring at etoh.eviladmin.org Thu Jun 6 05:04:20 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 5 Jun 2002 14:04:20 -0500 (CDT) Subject: Per-port hostkeys In-Reply-To: Message-ID: man ssh, look for 'HostKeyAlias' - Ben On Wed, 5 Jun 2002, Kevin DeGraaf wrote: > My apologies if this has been covered already. My search of the archives > was unfruitful. > > OpenSSH seems to be lacking a certain capability present in ssh.com's > client; namely, the ability to store remote hostkeys on a per-port basis. > > I have various machines that, due to iptables port-forwarding, appear to > be running copies of (open)sshd on multiple ports. "Commercial" ssh > stores hostkeys in files named "key__host.pub"; this is useful, > because it allows for recording the keys of multiple sshd's on the same IP > address. > > OpenSSH, on the other hand, doesn't appear to offer this functionality; > connecting to any sshd port on a machine will cache that hostkey, and > subsequent connections to sshd's on other ports of that machine will fail > with hostkey-checking violations. > > -- > Kevin DeGraaf From bugzilla-daemon at mindrot.org Thu Jun 6 07:56:19 2002
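The option Ben points to, shown as an added ssh_config example that is not from the thread: two sshd instances reached through one IP address on different ports each get their own known_hosts entry. The host names box-a and box-b, the 192.0.2.10 address (documentation range) and the ports are constructed for the example.

```sshconfig
# ~/.ssh/config (added example). Both entries reach the same address, but a
# different sshd answers on port 22 and on port 2222, so each instance's host
# key is looked up and saved under its own alias instead of under the address.
Host box-a
    HostName 192.0.2.10
    Port 22
    HostKeyAlias box-a

Host box-b
    HostName 192.0.2.10
    Port 2222
    HostKeyAlias box-b
```

With this in place, `ssh box-a` and `ssh box-b` consult and record host keys under the names box-a and box-b rather than under 192.0.2.10, so the two differing keys no longer collide; a genuine key change on either instance is still reported as a mismatch against that instance's own alias.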
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 6 Jun 2002 07:56:19 +1000 (EST) Subject: [Bug 164] X-forwarding when connecting to an IPv6-enabled host doesn't work. Message-ID: <20020605215619.A1309E923@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=164 ------- Additional Comments From stevesk at pobox.com 2002-06-06 07:56 ------- error() will just ensure the message is logged, and will not cause an exit. i wanted to see setsockopt failures for now. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From tim at multitalents.net Thu Jun 6 11:22:39 2002 From: tim at multitalents.net (Tim Rice) Date: Wed, 5 Jun 2002 18:22:39 -0700 (PDT) Subject: privsep patch, Please test (take 3) In-Reply-To: Message-ID: Here is the version I'll commit to CVS if there are no objections. -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net -------------- next part -------------- --- openssh/acconfig.h.old Sun May 12 20:25:01 2002 +++ openssh/acconfig.h Mon Jun 3 19:53:46 2002 @@ -355,6 +355,18 @@ /* Path that unprivileged child will chroot() to in privep mode */ #undef PRIVSEP_PATH +/* Define if you have the `mmap' function that supports MAP_ANON|SHARED */ +#undef HAVE_MMAP_ANON_SHARED + +/* Define if you have the `mmap' function that supports MAP_ANON|PRIVATE */ +#undef HAVE_MMAP_ANON_PRIVATE + +/* Define if you have the `mmap' function that supports /dev/zero SHARED */ +#undef HAVE_MMAP_DEV_ZERO_SHARED + +/* Define if you have the `mmap' function that supports /dev/zero PRIVATE */ +#undef HAVE_MMAP_DEV_ZERO_PRIVATE + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ --- openssh/configure.ac.old Mon May 27 17:37:33 2002 +++ openssh/configure.ac Mon Jun 3 21:07:29 2002 
@@ -576,6 +576,92 @@
 	strlcat strlcpy strmode strsep sysconf tcgetpgrp truncate utimes \
 	vhangup vsnprintf waitpid __b64_ntop _getpty)
 
+if test $ac_cv_func_mmap = yes ; then
+AC_MSG_CHECKING([for mmap anon shared])
+AC_TRY_RUN(
+	[
+#include
+#include
+#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
+#define MAP_ANON MAP_ANONYMOUS
+#endif
+main() { char *p;
+p = (char *) mmap(NULL, 10, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, -1, 0);
+if (p == (char *)-1)
+	exit(1);
+exit(0);
+}
+	],
+	[
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAVE_MMAP_ANON_SHARED)
+	],
+	[ AC_MSG_RESULT(no) ]
+)
+AC_MSG_CHECKING([for mmap anon private])
+AC_TRY_RUN(
+	[
+#include
+#include
+#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
+#define MAP_ANON MAP_ANONYMOUS
+#endif
+main() { char *p;
+p = (char *) mmap(NULL, 10, PROT_WRITE|PROT_READ, MAP_ANON|MAP_PRIVATE, -1, 0);
+if (p == (char *)-1)
+	exit(1);
+exit(0);
+}
+	],
+	[
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAVE_MMAP_ANON_PRIVATE)
+	],
+	[ AC_MSG_RESULT(no) ]
+)
+AC_MSG_CHECKING([for mmap /dev/zero shared])
+AC_TRY_RUN(
+	[
+#include
+#include
+#include
+main() { char *p = (char *) mmap(NULL, 10, PROT_WRITE|PROT_READ, MAP_SHARED,
+	open("/dev/zero", O_RDWR), 0);
+if (p == (char *)-1)
+	exit(1);
+exit(0);
+}
+	],
+	[
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAVE_MMAP_DEV_ZERO_SHARED)
+	],
+	[ AC_MSG_RESULT(no) ]
+)
+AC_MSG_CHECKING([for mmap /dev/zero private])
+AC_TRY_RUN(
+	[
+#include
+#include
+#include
+#ifndef MAP_FAILED
+# define MAP_FAILED ((void *)-1)
+#endif
+main() { char *p = (char *) mmap(NULL, 10, PROT_WRITE|PROT_READ, MAP_PRIVATE,
+	open("/dev/zero", O_RDWR), 0);
+if (p == (char *)-1)
+	exit(1);
+exit(0);
+}
+	],
+	[
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAVE_MMAP_DEV_ZERO_PRIVATE)
+	],
+	[ AC_MSG_RESULT(no) ]
+)
+fi
+
 dnl IRIX and Solaris 2.5.1 have dirname() in libgen
 AC_CHECK_FUNCS(dirname, [AC_CHECK_HEADERS(libgen.h)] ,[
 	AC_CHECK_LIB(gen, dirname,[
--- openssh/monitor_mm.c.old	Fri Apr 12 17:49:51 2002
+++ openssh/monitor_mm.c	Mon Jun 3 19:59:54 2002
@@ -84,9 +84,20 @@
  */
 	mm->mmalloc = mmalloc;
 
-#if defined(HAVE_MMAP) && defined(MAP_ANON)
+#ifdef HAVE_MMAP
+#ifdef HAVE_MMAP_ANON_SHARED
 	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
 	    -1, 0);
+#elif defined(HAVE_MMAP_DEV_ZERO_SHARED)
+	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED,
+	    open("/dev/zero", O_RDWR), 0);
+#elif defined(HAVE_MMAP_ANON_PRIVATE)
+	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_PRIVATE,
+	    -1, 0);
+#elif defined(HAVE_MMAP_DEV_ZERO_PRIVATE)
+	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_PRIVATE,
+	    open("/dev/zero", O_RDWR), 0);
+#endif
 	if (address == MAP_FAILED)
 		fatal("mmap(%lu)", (u_long)size);
 #else
--- openssh/session.c.old	Sun May 12 20:25:02 2002
+++ openssh/session.c	Wed May 29 07:39:22 2002
@@ -1089,10 +1089,11 @@
 			exit(1);
 		}
 		/* Initialize the group list. */
-		if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
-			perror("initgroups");
-			exit(1);
-		}
+		if (strcmp(pw->pw_name, SSH_PRIVSEP_USER))
+		if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
+			perror("initgroups");
+			exit(1);
+		}
 		endgrent();
 # ifdef USE_PAM
 		/*

From mrq1 at gmx.net  Thu Jun 6 20:43:21 2002
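Review bot: the four AC_TRY_RUN probes in the configure.ac hunk only establish that mmap() returns something other than (char *)-1, not that a page written by a forked child is visible to the parent, which is the property monitor_mm.c's shared allocator depends on; a platform whose MAP_SHARED does not actually share pages would pass the probe and get HAVE_MMAP_ANON_SHARED defined anyway. Have each probe fork(), write a byte in the child, waitpid(), and exit(1) if the parent does not see the byte. Two smaller points in the same hunk: the /dev/zero probes never close() the descriptor from `open("/dev/zero", O_RDWR)`, and the last probe defines MAP_FAILED when it is missing but then still compares `p == (char *)-1`, so that define is dead.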
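Review bot: with HAVE_MMAP defined but none of HAVE_MMAP_ANON_SHARED, HAVE_MMAP_DEV_ZERO_SHARED, HAVE_MMAP_ANON_PRIVATE or HAVE_MMAP_DEV_ZERO_PRIVATE defined (mmap exists, every probe failed), the new `#ifdef HAVE_MMAP` chain in the monitor_mm.c hunk assigns nothing, so `if (address == MAP_FAILED)` tests an uninitialised pointer; add a final `#else` that either sets `address = MAP_FAILED` or routes to the non-mmap path. The two /dev/zero branches leak the descriptor returned by `open("/dev/zero", O_RDWR)` for the life of the monitor, and a failed open() passes -1 to mmap() unchecked (caught only indirectly by the MAP_FAILED test). The two MAP_PRIVATE fallbacks give the monitor and the unprivileged child separate copy-on-write pages after fork(), so the allocator's state would silently diverge instead of failing; if they stay, that failure needs to be loud. Folding the chain into one xmmap() in openbsd-compat, as Kevin Steves suggests in his reply in this thread, would also keep this file to a one-line diff against OpenBSD.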
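Review bot: the session.c hunk skips initgroups() for SSH_PRIVSEP_USER but leaves the supplementary group list untouched, so unless the privsep child calls setgroups() with just pw->pw_gid before permanently dropping uid, it keeps whatever groups the parent sshd had; please confirm that call is present on that path. The bare `if (strcmp(...))` wrapping a braced `if` is easy to misread and will not survive an indent pass, so either brace it or write the condition as `strcmp(pw->pw_name, SSH_PRIVSEP_USER) != 0 &&`. A one-line comment giving the reason (initgroups() failing inside the chroot, as Tim explains later in the thread) would stop the next reader from removing it.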
From: mrq1 at gmx.net (Hermann Gausterer)
Date: Thu, 6 Jun 2002 12:43:21 +0200 (MEST)
Subject: X11 forwarding problem
Message-ID: <1665.1023360201@www23.gmx.net>

hi

i have problems with the X11 forwarding, TCP port forwarding works fine:
the tcp ports bind to ipv4 and ipv6 localhost, but the X11 port (6010)
binds ONLY to the ipv6 localhost, which does not work with the normal
ipv4 programs :-(

is this a bug, or is this a hidden feature

mfg
hermann

redhat 7.1: openSSH 3.2.2:

[mrq1 at xxxx mrq1]$ ssh -X -L 10000:localhost:22 localhost
Last login: Thu Jun 6 06:39:55 2002 from xxxx
[mrq1 at xxxx mrq1]$ set |grep DISPL
DISPLAY=localhost:10.0
[mrq1 at xxxx mrq1]$ netstat -tan | grep -e 6010 -e 10000
tcp 0 0 127.0.0.1:10000 0.0.0.0:* LISTEN
tcp 0 0 ::1:10000 :::* LISTEN
tcp 0 0 ::1:6010 :::* LISTEN
[mrq1 at xxxx mrq1]$ ssh -V
OpenSSH_3.2.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f

the same with 3.2.3:

[mrq1 at mrqserv2 mrq1]$ uname -a
Linux mrqserv2 2.4.18-xfs #6 SMP Wed May 15 16:56:46 CEST 2002 i686 unknown
[mrq1 at mrqserv2 .ssh]$ ssh -X -L 10000:localhost:22 localhost
[mrq1 at mrqserv2 mrq1]$ netstat -tan | grep -e 6010 -e 10000
tcp 0 0 127.0.0.1:10000 0.0.0.0:* LISTEN
tcp 0 0 ::1:10000 :::* LISTEN
tcp 0 0 ::1:6010 :::* LISTEN
[mrq1 at mrqserv2 mrq1]$ ssh -V
OpenSSH_3.2.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f

debugoutput:

debug1: Connections to local port 10000 forwarded to remote address localhost:22
debug1: Local forwarding listening on ::1 port 10000.
debug1: fd 4 setting O_NONBLOCK
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 10000.
debug1: fd 5 setting O_NONBLOCK
debug1: channel 1: new [port listener]
debug1: channel 2: new [client-session]
debug1: send channel open 2
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 2
debug1: channel request 2: pty-req
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 2: x11-req
debug1: channel request 2: shell
debug1: fd 3 setting TCP_NODELAY

--
GMX - The communication platform on the Internet.
http://www.gmx.net

From yoshfuji at wide.ad.jp  Thu Jun 6 20:50:42 2002
From: yoshfuji at wide.ad.jp (YOSHIFUJI Hideaki)
Date: Thu, 06 Jun 2002 19:50:42 +0900 (JST)
Subject: X11 forwarding problem
In-Reply-To: <1665.1023360201@www23.gmx.net>
References: <1665.1023360201@www23.gmx.net>
Message-ID: <20020606.195042.25621855.yoshfuji@wide.ad.jp>

Please try .

In article <1665.1023360201 at www23.gmx.net> (at Thu, 6 Jun 2002 12:43:21 +0200 (MEST)), Hermann Gausterer says:

> the tcp ports bind to ipv4 and ipv6 localhost,
> but the X11 port (6010) binds ONLY to the
> ipv6 localhost, which does not work with
> the normal ipv4 programs :-(

--
Hideaki YOSHIFUJI @ USAGI Project
GPG FP: 9022 65EB 1ECF 3AD1 0BDF 80D8 4807 F894 E062 0EEA

From bugzilla-daemon at mindrot.org  Thu Jun 6 21:22:06 2002
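As an added example (not code from OpenSSH, and not the patch YOSHIFUJI refers to), here is the bind loop a dual-stack loopback listener needs so that it ends up on both 127.0.0.1 and ::1, which is what the report above shows for the port-forwarding listeners but not for the X11 one. The function names are invented for this example; it assumes a getaddrinfo()-capable libc and sets IPV6_V6ONLY where that option exists so the IPv6 socket cannot shadow the IPv4 address.

```c
/*
 * Added example, not OpenSSH code: bind one listening socket per loopback
 * address (127.0.0.1 and ::1) instead of stopping after the first family,
 * so IPv4-only clients can still reach the forwarded display.
 * Function names here are invented for the example.
 */
#define _DEFAULT_SOURCE 1
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>

#define MAX_LISTENERS 4

/*
 * Bind and listen on `port` for every loopback address of every family.
 * Returns the number of listening sockets stored in fds (0 if none could
 * be bound).  A family that is unavailable on this host is skipped, not
 * treated as fatal, which is the point: one family failing must not take
 * the other down with it.
 */
int
listen_loopback_all(const char *port, int *fds, int max)
{
	static const char *const hosts[] = { "127.0.0.1", "::1" };
	struct addrinfo hints, *res, *ai;
	int n = 0, on = 1;
	size_t i;

	for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]) && n < max; i++) {
		memset(&hints, 0, sizeof(hints));
		hints.ai_family = AF_UNSPEC;
		hints.ai_socktype = SOCK_STREAM;
		hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
		if (getaddrinfo(hosts[i], port, &hints, &res) != 0)
			continue;	/* family not supported here: skip it */
		for (ai = res; ai != NULL && n < max; ai = ai->ai_next) {
			int s = socket(ai->ai_family, ai->ai_socktype,
			    ai->ai_protocol);
			if (s == -1)
				continue;
			(void)setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on,
			    sizeof(on));
#ifdef IPV6_V6ONLY
			/* Keep the v6 socket from also claiming the v4 address. */
			if (ai->ai_family == AF_INET6)
				(void)setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
				    &on, sizeof(on));
#endif
			if (bind(s, ai->ai_addr, ai->ai_addrlen) == -1 ||
			    listen(s, 5) == -1) {
				close(s);
				continue;
			}
			fds[n++] = s;
		}
		freeaddrinfo(res);
	}
	return n;
}

/*
 * Bind on an ephemeral port, count the listeners of `family`, close them
 * all and return the count; lets a caller check the IPv4 listener exists.
 */
int
count_listeners(int family)
{
	int fds[MAX_LISTENERS], n, i, c = 0;
	struct sockaddr_storage ss;
	socklen_t len;

	n = listen_loopback_all("0", fds, MAX_LISTENERS);
	for (i = 0; i < n; i++) {
		len = sizeof(ss);
		if (getsockname(fds[i], (struct sockaddr *)&ss, &len) == 0 &&
		    ss.ss_family == family)
			c++;
		close(fds[i]);
	}
	return c;
}

int
main(void)
{
	printf("IPv4 loopback listeners: %d\n", count_listeners(AF_INET));
	printf("IPv6 loopback listeners: %d\n", count_listeners(AF_INET6));
	return 0;
}
```

On a host with IPv6 the program reports one listener per family; on an IPv4-only host it reports 1 and 0 rather than failing, which is the behaviour the netstat output in the fixed build shows (a LISTEN entry on both 127.0.0.1 and ::1).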
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 6 Jun 2002 21:22:06 +1000 (EST)
Subject: [Bug 261] AIX capabilities + port-aix.c cleanup
Message-ID: <20020606112206.6C29CE939@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=261

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         OS/Version|other                       |AIX

------- Additional Comments From dtucker at zip.com.au  2002-06-06 21:22 -------
I finally got a chance to try this. I got compile errors with gcc on AIX
4.2.1 and 4.3.3.

gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I/usr/local/include -DHAVE_CONFIG_H -c port-aix.c
port-aix.c: In function `set_limits_from_userattr':
port-aix.c:35: too few arguments to function `setpcred'
port-aix.c:36: too few arguments to function `setpenv'

The following patch works for me.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org  Thu Jun 6 21:26:00 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 6 Jun 2002 21:26:00 +1000 (EST)
Subject: [Bug 261] AIX capabilities + port-aix.c cleanup
Message-ID: <20020606112600.B47AAE957@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=261

------- Additional Comments From dtucker at zip.com.au  2002-06-06 21:25 -------
Created an attachment (id=107)
Add extra params to setpcred and setpenv

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From binder at arago.de  Thu Jun 6 23:59:17 2002
From: binder at arago.de (Thomas Binder)
Date: Thu, 6 Jun 2002 15:59:17 +0200
Subject: Patches for compiling / using portable OpenSSH on FreeMiNT?
Message-ID: <20020606155916.B3141510@ohm.arago.de>

Hi!

I'm the current maintainer of the OpenSSH RPM for SpareMiNT (a
collection of RPMs for the FreeMiNT operating system for Atari TOS
based machines, see http://www.freemint.de/) and wondered if
there's any interest in including the patches necessary to compile
and run portable OpenSSH 3.2.3p1 under this operating system.

If so, I'll "post" them here, including comments on what they do
and why.


Ciao

Thomas

From mouring at etoh.eviladmin.org  Fri Jun 7 00:27:33 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 6 Jun 2002 09:27:33 -0500 (CDT)
Subject: Patches for compiling / using portable OpenSSH on FreeMiNT?
In-Reply-To: <20020606155916.B3141510@ohm.arago.de>
Message-ID: 

Post them, people will comment. If they are correct and acceptable, we
will merge them. Otherwise we won't. =)

- Ben

On Thu, 6 Jun 2002, Thomas Binder wrote:

> Hi!
>
> I'm the current maintainer of the OpenSSH RPM for SpareMiNT (a
> collection of RPMs for the FreeMiNT operating system for Atari TOS
> based machines, see http://www.freemint.de/) and wondered if
> there's any interest in including the patches necessary to compile
> and run portable OpenSSH 3.2.3p1 under this operating system.
>
> If so, I'll "post" them here, including comments on what they do
> and why.
>
>
> Ciao
>
> Thomas
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From openssh-unix-dev at thewrittenword.com  Fri Jun 7 03:19:14 2002
From: openssh-unix-dev at thewrittenword.com (Albert Chin)
Date: Thu, 6 Jun 2002 12:19:14 -0500
Subject: Build problems with 3.2.3p1 under AIX 4.3.2
In-Reply-To: ; from dmanton@emea.att.com on Wed, Jun 05, 2002 at 08:18:03AM +0100
References: 
Message-ID: <20020606121914.A74925@oolong.il.thewrittenword.com>

On Wed, Jun 05, 2002 at 08:18:03AM +0100, Manton, Doug wrote:
> Have you tried adding "-qlanglvl=extended" to your CFLAGS. With this
> flag, I can successfully build 3.2.3p1 using xlC v5 under AIX 4.3.3 ML9.

Seems icky.

> Best wishes,
> Doug Manton, AT&T Business Commercial Security
> ----------------------------------------------
>
> -----Original Message-----
> From: Albert Chin [mailto:openssh-unix-dev at thewrittenword.com]
> Sent: 05 June 2002 00:38
> To: openssh-unix-dev at mindrot.org
> Subject: Build problems with 3.2.3p1 under AIX 4.3.2
>
>
> xlc -O2 -qmaxmem=-1 -qarch=com -I/opt/TWWfsw/tcpwrap/include -I. -I..
> -I. -I./.. -I/opt/TWWfsw/libopenssl09s/include
> -I/opt/TWWfsw/zlib11s/include -DHAVE_CONFIG_H -c glob.c
> "glob.c", line 100.9: 1506-213 (S) Macro name TILDE cannot be redefined.
> "glob.c", line 100.9: 1506-358 (I) "TILDE" is defined on line 250 of
> /usr/include/sys/ioctl.h.
> gmake[1]: *** [glob.o] Error 1
>
> From /usr/include/sys/ioctl.h:
> #define TILDE 0x00080000 /* hazeltine tilde
> kludge */
>
> The patch below fixes this.
>
> --
> albert chin (china at thewrittenword.com)
>
> -- snip snip
> --- openbsd-compat/glob.c.orig	Tue Jun 4 18:34:34 2002
> +++ openbsd-compat/glob.c	Tue Jun 4 18:34:56 2002
> @@ -97,7 +97,7 @@
>  #define RBRACKET ']'
>  #define SEP '/'
>  #define STAR '*'
> -#define TILDE '~'
> +#define TILDE_CHAR '~'
>  #define UNDERSCORE '_'
>  #define LBRACE '{'
>  #define RBRACE '}'
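Review bot: renaming the private TILDE macro to TILDE_CHAR sidesteps the collision with the TILDE that AIX's sys/ioctl.h defines, but the rename has to reach every use of TILDE in glob.c, and the only use-site update in this patch is the globtilde() comparison in the second hunk; grep the file for any other occurrence before committing. If the goal is a small diff against OpenBSD's glob.c, an `#undef TILDE` immediately before the local `#define TILDE '~'` achieves the same without touching any use. Either way, a comment at the definition naming the ioctl.h clash would stop the next sync from reverting it.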
> @@ -354,7 +354,7 @@
>  	const Char *p;
>  	Char *b, *eb;
>
> -	if (*pattern != TILDE || !(pglob->gl_flags & GLOB_TILDE))
> +	if (*pattern != TILDE_CHAR || !(pglob->gl_flags & GLOB_TILDE))
>  		return pattern;
>
>  	/* Copy up to the end of the string or / */
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
albert chin (china at thewrittenword.com)

From bugzilla-daemon at mindrot.org  Fri Jun 7 03:25:23 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 7 Jun 2002 03:25:23 +1000 (EST)
Subject: [Bug 265] New: Build problems with 3.2.3p1 under AIX 4.3.2
Message-ID: <20020606172523.1091CE906@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=265

           Summary: Build problems with 3.2.3p1 under AIX 4.3.2
           Product: Portable OpenSSH
           Version: -current
          Platform: PPC
               URL: ftp://ftp.thewrittenword.com/outgoing/pub/openssh-3.2.3p1-1.patch
        OS/Version: AIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: bugzilla-openssh at thewrittenword.com

xlc -O2 -qmaxmem=-1 -qarch=com -I/opt/TWWfsw/tcpwrap/include -I. -I.. -I. -I./.. -I/opt/TWWfsw/libopenssl09s/include -I/opt/TWWfsw/zlib11s/include -DHAVE_CONFIG_H -c glob.c
"glob.c", line 100.9: 1506-213 (S) Macro name TILDE cannot be redefined.
"glob.c", line 100.9: 1506-358 (I) "TILDE" is defined on line 250 of /usr/include/sys/ioctl.h.
gmake[1]: *** [glob.o] Error 1

From bugzilla-daemon at mindrot.org  Fri Jun 7 03:27:30 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 7 Jun 2002 03:27:30 +1000 (EST)
Subject: [Bug 266] New: Trailing comma in enum for 3.2.3p1
Message-ID: <20020606172730.011E5E929@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=266

           Summary: Trailing comma in enum for 3.2.3p1
           Product: Portable OpenSSH
           Version: -current
          Platform: PPC
               URL: ftp://ftp.thewrittenword.com/outgoing/pub/openssh-3.2.3p1-2.patch
        OS/Version: AIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: bugzilla-openssh at thewrittenword.com

A trailing comma in an enum generates an error with the IBM C compiler,
xlc, on AIX 4.3.2:

$ gmake
...
xlc -O2 -qmaxmem=-1 -qarch=com -I/opt/TWWfsw/tcpwrap/include -I. -I. -I/opt/TWWfsw/libopenssl09s/include -I/opt/TWWfsw/zlib11s/include -DSSHDIR=\"/etc/opt/TWWfsw/openssh323\" -D_PATH_SSH_PROGRAM=\"/opt/TWWfsw/openssh323/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/TWWfsw/openssh323/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/opt/TWWfsw/openssh323/libexec/sftp-server\" -D_PATH_SSH_PIDDIR=\"/etc\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/opt/TWWfsw/openssh323/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c kex.c
"monitor.h", line 53.25: 1506-275 (S) Unexpected text ',' encountered.
gmake: *** [kex.o] Error 1

A patch is available at:
ftp://ftp.thewrittenword.com/outgoing/pub/openssh-3.2.3p1-2.patch

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org  Fri Jun 7 03:29:18 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 7 Jun 2002 03:29:18 +1000 (EST)
Subject: [Bug 267] New: Build problems with 3.2.3p1 under Tru64 UNIX 4.0D
Message-ID: <20020606172918.04F6EE906@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=267

           Summary: Build problems with 3.2.3p1 under Tru64 UNIX 4.0D
           Product: Portable OpenSSH
           Version: -current
          Platform: Alpha
               URL: ftp://ftp.thewrittenword.com/outgoing/pub/openssh-3.2.3p1-3.patch
        OS/Version: OSF/1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: bugzilla-openssh at thewrittenword.com

Tru64 UNIX 4.0D, with the DTK (Desktop Toolkit), includes int64_t in
/usr/include.dtk/stdint.h.

$ gmake
...
(cd openbsd-compat && gmake)
gmake[1]: Entering directory `/opt/build/openssh-3.2.3p1/openbsd-compat'
cc -O2 -std -I/opt/TWWfsw/tcpwrap/include -I. -I.. -I. -I./.. -I/opt/TWWfsw/libopenssl09s/include -I/opt/TWWfsw/zlib11s/include -DHAVE_CONFIG_H -c bsd-arc4random.c
cc: Error: ../defines.h, line 151: In this declaration, "uint8_t" appears to be used as if it named a type, but there is no declared type of that name visible. (typedefnotdef)
typedef uint8_t u_int8_t;
--------^
cc: Error: ../defines.h, line 152: In this declaration, "uint16_t" appears to be used as if it named a type, but there is no declared type of that name visible. (typedefnotdef)
typedef uint16_t u_int16_t;
--------^

The patch below fixes this. This patch was inspired by one from Tim Mooney:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=99842334021906&w=2

ftp://ftp.thewrittenword.com/outgoing/pub/openssh-3.2.3p1-3.patch

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From kevin at atomicgears.com  Fri Jun 7 03:36:37 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Thu, 6 Jun 2002 10:36:37 -0700
Subject: Trailing comma in enum for 3.2.3p1
In-Reply-To: <20020604190048.A28675@oolong.il.thewrittenword.com>
References: <20020604190048.A28675@oolong.il.thewrittenword.com>
Message-ID: <20020606173637.GC1669@jenny.crlsca.adelphia.net>

On Tue, Jun 04, 2002 at 07:00:48PM -0500, Albert Chin wrote:
> A trailing comma in an enum generates an error with the IBM C
> compiler, xlc, on AIX 4.3.2:

fixed in openbsd CVS.

From bugzilla-daemon at mindrot.org  Fri Jun 7 03:48:48 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 7 Jun 2002 03:48:48 +1000 (EST)
Subject: [Bug 266] Trailing comma in enum for 3.2.3p1
Message-ID: <20020606174848.80325E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=266

------- Additional Comments From markus at openbsd.org  2002-06-07 03:48 -------
fixed in openbsd-current

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org  Fri Jun 7 07:30:08 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 7 Jun 2002 07:30:08 +1000 (EST)
Subject: [Bug 262] ssh fails when run by cron.
Message-ID: <20020606213008.2DCBDE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=262

------- Additional Comments From markus at openbsd.org  2002-06-07 07:30 -------
i cannot reproduce this. does it work if you redirect the output?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From mouring at etoh.eviladmin.org  Fri Jun 7 07:55:28 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 6 Jun 2002 16:55:28 -0500 (CDT)
Subject: For those following the CVS tree..
Message-ID: 

I just committed 35 of the 36 patches to bring up in sync with the OpenBSD
tree.

The patch for BSD_AUTH to auth-passwd.c from stevesk@ has not been applied
because the portable tree code is so horrible.. EXTREMELY HORRIBLE that I
can't safely pick my way through that mine field. So I'll get it applied as
soon as I clean up that section of code.

Things to be mindful:

1. PrivSep is turned on by default.
2. ssh-keysign is new. It may not install in the right place (no autoconf
   section yet)
3. One needs to hand the autoconf part of the __FUNCTION__ clean up
   (looked simple, just did not touch it yet).

It HAS not been compiled. =)

I have to scram from work and will be offline until late evening. I'll
get around to fixing issues when I'm done grilling out.

- Ben

From GILBERT.R.LOOMIS at saic.com  Fri Jun 7 08:11:33 2002
From: GILBERT.R.LOOMIS at saic.com (Loomis, Rip)
Date: Thu, 6 Jun 2002 18:11:33 -0400
Subject: For those following the CVS tree..
Message-ID: <3C1E3607B37295439F7C409EFBA08E680E2BAE@US-Columbia-CIST.mail.saic.com>

Ben Lindstrom said:
> I'll get around to fixing issues when I'm done grilling out.

I detect someone having a Life. Tsk Tsk.

--Rip (who's looking forward to beating on the newly patched code.)

From josh-openssh at untruth.org  Fri Jun 7 09:02:38 2002
From: josh-openssh at untruth.org (Joshua Hill)
Date: Thu, 6 Jun 2002 16:02:38 -0700
Subject: privsep patch, Please test (take 3)
In-Reply-To: ; from tim@multitalents.net on Wed, Jun 05, 2002 at 06:22:39PM -0700
References: 
Message-ID: <20020606160238.A21153@delusion.private.untruth.org>

On Wed, Jun 05, 2002 at 06:22:39PM -0700, Tim Rice wrote:
> Here is the version I'll commit to CVS if there are no objections.

Just a quick heads up; I get a segfault when I run the daemon with
PrivilegeSeparation.

The last few lines of the strace output are
---snip---
write(2, "debug1: Client protocol version "..., 78debug1: Client protocol version 2.0; client software version OpenSSH_2.5.2p2^M
) = 78
write(2, "debug1: match: OpenSSH_2.5.2p2 p"..., 81debug1: match: OpenSSH_2.5.2p2 pat OpenSSH_2.5.0*,OpenSSH_2.5.1*,OpenSSH_2.5.2*^M
) = 81
write(2, "Enabling compatibility mode for "..., 46Enabling compatibility mode for protocol 2.0^M
) = 46
write(2, "debug1: Local version string SSH"..., 55debug1: Local version string SSH-1.99-OpenSSH_3.2.3p1^M
) = 55
fcntl(4, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
socketpair(PF_UNIX, SOCK_STREAM, 0, [3, 7]) = 0
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
fcntl(7, F_SETFD, FD_CLOEXEC) = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
---snip---

The stack trace for the process (just after the segfault) is:
#0  memset (dstpp=0x2, c=208, len=128) at ../sysdeps/i386/memset.c:57
#1  0x805980e in mm_malloc (mm=0x808f1e8, size=28) at monitor_mm.c:190
#2  0x8059781 in mm_xmalloc (mm=0x808f1e8, size=28) at monitor_mm.c:162
#3  0x8059679 in mm_create (mmalloc=0x808f1e8, size=1310720) at monitor_mm.c:78
#4  0x805b9fd in monitor_init () at monitor.c:1486
#5  0x804c636 in privsep_preauth () at sshd.c:569
#6  0x804dba4 in main (ac=9, av=0xbffffab4) at sshd.c:1450

This is on a RedHat Linux 6.2 box, with glibc 2.1.3 and kernel 2.2.19.

I'll look into this more this evening...

			Josh

From kevin at atomicgears.com  Fri Jun 7 10:05:57 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Thu, 6 Jun 2002 17:05:57 -0700
Subject: privsep patch, Please test (take 3)
In-Reply-To: 
References: 
Message-ID: <20020607000557.GA2529@jenny.crlsca.adelphia.net>

On Wed, Jun 05, 2002 at 06:22:39PM -0700, Tim Rice wrote:
> -#if defined(HAVE_MMAP) && defined(MAP_ANON)
> +#ifdef HAVE_MMAP
> +#ifdef HAVE_MMAP_ANON_SHARED
>  	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
>  	    -1, 0);
> +#elif defined(HAVE_MMAP_DEV_ZERO_SHARED)
> +	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED,
> +	    open("/dev/zero", O_RDWR), 0);
> +#elif defined(HAVE_MMAP_ANON_PRIVATE)
> +	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_PRIVATE,
> +	    -1, 0);
> +#elif defined(HAVE_MMAP_DEV_ZERO_PRIVATE)
> +	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_PRIVATE,
> +	    open("/dev/zero", O_RDWR), 0);
> +#endif
>  	if (address == MAP_FAILED)
>  		fatal("mmap(%lu)", (u_long)size);
>  #else

hmm, more ifdefs. can there be xmmap() so there's one line of diff
between openbsd? and again, i think we should use mm if possible.

> --- openssh/session.c.old	Sun May 12 20:25:02 2002
> +++ openssh/session.c	Wed May 29 07:39:22 2002
> @@ -1089,10 +1089,11 @@
>  			exit(1);
>  		}
>  		/* Initialize the group list. */
> -		if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
> -			perror("initgroups");
> -			exit(1);
> -		}
> +		if (strcmp(pw->pw_name, SSH_PRIVSEP_USER))
> +		if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
> +			perror("initgroups");
> +			exit(1);
> +		}

why are we doing this?

From tim at multitalents.net  Fri Jun 7 10:49:13 2002
From: tim at multitalents.net (Tim Rice)
Date: Thu, 6 Jun 2002 17:49:13 -0700 (PDT)
Subject: privsep patch, Please test (take 3)
In-Reply-To: <20020607000557.GA2529@jenny.crlsca.adelphia.net>
Message-ID: 

On Thu, 6 Jun 2002, Kevin Steves wrote:

> On Wed, Jun 05, 2002 at 06:22:39PM -0700, Tim Rice wrote:
[snip]
> > +#elif defined(HAVE_MMAP_DEV_ZERO_PRIVATE)
> > +	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_PRIVATE,
> > +	    open("/dev/zero", O_RDWR), 0);
> > +#endif
> >  	if (address == MAP_FAILED)
> >  		fatal("mmap(%lu)", (u_long)size);
> >  #else
>
> hmm, more ifdefs. can there be xmmap() so there's one line of diff
> between openbsd? and again, i think we should use mm if possible.

Privsep may be important enough to introduce another library dependency.
It seems like it may address the platforms that have no mmap.
Ben said he didn't like the idea of requiring another library.
We haven't heard from Damien yet.

>
> > --- openssh/session.c.old	Sun May 12 20:25:02 2002
> > +++ openssh/session.c	Wed May 29 07:39:22 2002
> > @@ -1089,10 +1089,11 @@
> >  			exit(1);
> >  		}
> >  		/* Initialize the group list. */
> > -		if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
> > -			perror("initgroups");
> > -			exit(1);
> > -		}
> > +		if (strcmp(pw->pw_name, SSH_PRIVSEP_USER))
> > +		if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
> > +			perror("initgroups");
> > +			exit(1);
> > +		}
>
> why are we doing this?

On some platforms initgroups() fails in the chroot child.
As initgroups is unnecessary for the sshd user, this fixes that problem.
I'm open to any better ways.

--
Tim Rice    Multitalents    (707) 887-1469
tim at multitalents.net

From mouring at etoh.eviladmin.org  Fri Jun 7 11:12:04 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 6 Jun 2002 20:12:04 -0500 (CDT)
Subject: privsep patch, Please test (take 3)
In-Reply-To: 
Message-ID: 

On Thu, 6 Jun 2002, Tim Rice wrote:

> On Thu, 6 Jun 2002, Kevin Steves wrote:
>
> > On Wed, Jun 05, 2002 at 06:22:39PM -0700, Tim Rice wrote:
> [snip]
> > > +#elif defined(HAVE_MMAP_DEV_ZERO_PRIVATE)
> > > +	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_PRIVATE,
> > > +	    open("/dev/zero", O_RDWR), 0);
> > > +#endif
> > >  	if (address == MAP_FAILED)
> > >  		fatal("mmap(%lu)", (u_long)size);
> > >  #else
> >
> > hmm, more ifdefs. can there be xmmap() so there's one line of diff
> > between openbsd? and again, i think we should use mm if possible.
>
> Privsep may be important enough to introduce another library dependency.
> It seems like it may address the platforms that have no mmap.
> Ben said he didn't like the idea of requiring another library.
> We haven't heard from Damien yet.
>

Not exactly what I said. I said I would prefer to use the native mmap
*IF* it will work. I have no problems falling back to mm if there is no
usable mmap().

Personally I could care less if we do xmmap() that defaults to mmap() if
it works with anonymous.. Otherwise fail over to mm library.

I just think for the 80% of the population that will be using OpenSSH on
reasonable OSes to be punished into installing yet another library.

I've spent way too many hours tracking down software dependencies lately
while building a video editing platform that drive this point home.

BTW, I still don't think we can use MAP_PRIVATE. Do we have a platform
where we can prove that MAP_PRIVATE w/ /dev/zero and compression all work
correctly together?

- Ben

From mouring at etoh.eviladmin.org  Fri Jun 7 11:12:44 2002
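The program below is an added example, not part of Tim's patch and not OpenSSH code: an xmmap()-style wrapper of the kind Kevin Steves asks for above, and a fork() check that speaks to Ben's MAP_PRIVATE question by showing that only a MAP_SHARED mapping carries a child's write back to the parent, which is exactly what the monitor's shared allocator relies on. The names xmmap_example and child_write_visible are invented here; the wrapper assumes either MAP_ANON or a working /dev/zero, the same two mechanisms the patch probes for, and it closes the /dev/zero descriptor once the mapping exists, which the patch does not.

```c
/*
 * Added example (not OpenSSH code): an xmmap()-style wrapper plus a fork()
 * test showing that a MAP_PRIVATE mapping cannot serve as monitor/child
 * shared memory.  All names here are invented for the example.
 */
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>

#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
#define MAP_ANON MAP_ANONYMOUS
#endif

/*
 * Map `size` bytes with `sharing` (MAP_SHARED or MAP_PRIVATE): anonymous
 * if the platform has MAP_ANON, otherwise backed by /dev/zero.  The /dev/zero
 * descriptor is closed right after mmap(); the mapping survives the close().
 * Returns MAP_FAILED on error, like mmap() itself.
 */
void *
xmmap_example(size_t size, int sharing)
{
	void *p = MAP_FAILED;
#ifdef MAP_ANON
	p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_ANON | sharing, -1, 0);
#endif
	if (p == MAP_FAILED) {
		int fd = open("/dev/zero", O_RDWR);
		if (fd == -1)
			return MAP_FAILED;
		p = mmap(NULL, size, PROT_READ | PROT_WRITE, sharing, fd, 0);
		close(fd);
	}
	return p;
}

/*
 * Return 1 if a byte written by a forked child is visible to the parent
 * through a mapping created with `sharing`, 0 if it is not, -1 on error.
 * A privsep monitor and its unprivileged child need the answer to be 1.
 */
int
child_write_visible(int sharing)
{
	const size_t len = 4096;
	void *p;
	volatile unsigned char *buf;
	pid_t pid;
	int status, visible;

	p = xmmap_example(len, sharing);
	if (p == MAP_FAILED)
		return -1;
	buf = p;
	buf[0] = 0;

	pid = fork();
	if (pid == -1) {
		munmap(p, len);
		return -1;
	}
	if (pid == 0) {
		buf[0] = 0xA5;		/* the child writes into the mapping */
		_exit(0);
	}
	if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) {
		munmap(p, len);
		return -1;
	}
	visible = (buf[0] == 0xA5);	/* did the write reach the parent? */
	munmap(p, len);
	return visible;
}

int
main(void)
{
	printf("MAP_SHARED:  child write visible = %d\n",
	    child_write_visible(MAP_SHARED));
	printf("MAP_PRIVATE: child write visible = %d\n",
	    child_write_visible(MAP_PRIVATE));
	return 0;
}
```

Run as-is it prints 1 for MAP_SHARED and 0 for MAP_PRIVATE: the private mapping is copy-on-write per process, so the child's write never reaches the monitor. A configure-time probe built on child_write_visible() tests the property the monitor actually relies on, where a probe that only checks that mmap() succeeds does not.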
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 6 Jun 2002 20:12:44 -0500 (CDT)
Subject: For those following the CVS tree..
In-Reply-To: <3C1E3607B37295439F7C409EFBA08E680E2BAE@US-Columbia-CIST.mail.saic.com>
Message-ID: 

On Thu, 6 Jun 2002, Loomis, Rip wrote:

>
> Ben Lindstrom said:
> > I'll get around to fixing issues when I'm done grilling out.
>
> I detect someone having a Life. Tsk Tsk.
>

Must not.. I'm watching UHF with two friends of mine while on my laptop. =P

- Ben

From tim at multitalents.net  Fri Jun 7 12:02:19 2002
From: tim at multitalents.net (Tim Rice)
Date: Thu, 6 Jun 2002 19:02:19 -0700 (PDT)
Subject: privsep patch, Please test (take 3)
In-Reply-To: 
Message-ID: 

On Thu, 6 Jun 2002, Ben Lindstrom wrote:

> On Thu, 6 Jun 2002, Tim Rice wrote:
>
> > On Thu, 6 Jun 2002, Kevin Steves wrote:
> >
> > > On Wed, Jun 05, 2002 at 06:22:39PM -0700, Tim Rice wrote:
> > [snip]
> > > > +#elif defined(HAVE_MMAP_DEV_ZERO_PRIVATE)
> > > > +	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_PRIVATE,
> > > > +	    open("/dev/zero", O_RDWR), 0);
> > > > +#endif
> > > >  	if (address == MAP_FAILED)
> > > >  		fatal("mmap(%lu)", (u_long)size);
> > > >  #else
> > >
> > > hmm, more ifdefs. can there be xmmap() so there's one line of diff
> > > between openbsd? and again, i think we should use mm if possible.
> >
> > Privsep may be important enough to introduce another library dependency.
> > It seems like it may address the platforms that have no mmap.
> > Ben said he didn't like the idea of requiring another library.
> > We haven't heard from Damien yet.
> >
>
> Not exactly what I said. I said I would prefer to use the native mmap
> *IF* it will work. I have no problems falling back to mm if there is no
> usable mmap().

Thanks for the clarification.

>
> Personally I could care less if we do xmmap() that defaults to mmap() if
> it works with anonymous.. Otherwise fail over to mm library.

I'm in the middle of some projects right now and probably won't have time
for a couple of weeks. It would be great if someone would take the patch
and run with it.

>
> I just think for the 80% of the population that will be using OpenSSH on
> reasonable OSes to be punished into installing yet another library.
>
> I've spent way too many hours tracking down software dependencies lately
> while building a video editing platform that drive this point home.
>
>
> BTW, I still don't think we can use MAP_PRIVATE. Do we have a platform
> where we can prove that MAP_PRIVATE w/ /dev/zero and compression all work
> correctly together?

No. It's just there in case there is a platform that doesn't have MAP_ANON
and has a broken MAP_SHARED like Linux 2.2.x
Like on Linux 2.2.x you could have privsep without compression.

> - Ben
>

--
Tim Rice    Multitalents    (707) 887-1469
tim at multitalents.net

From bryanh at giraffe-data.com  Fri Jun 7 12:34:12 2002
From: bryanh at giraffe-data.com (Bryan Henderson)
Date: Fri, 07 Jun 2002 02:34:12 +0000
Subject: warning about keys too small
Message-ID: 

I suggest a warning be added to the ssh-keygen documentation, if not
ssh-keygen output, that using the -b option to select fewer than 768 bits
will generate a key that can't be used as a host key.

Actually, I don't know whose requirement the 768 minimum is, but Openssh's
'ssh' program is coded to reject keys shorter than that.

I had availed myself of the ssh-keygen -b option to make a 512 bit key
because I have a low security requirement and thought it might speed
things up.

Also: I appreciate the error message from Ssh telling me that the host key
is too short and that it is 512 bits, but it would be better still if the
message would tell me what wouldn't be too short. Reading source code, I
see it's 768 bits. If the message went on to explain that the host needs a
new host key before a connection will be possible, that would make the
failure even less frustrating.

--
Bryan Henderson                                    Phone 408-621-2000
San Jose, California

From bryanh at giraffe-data.com  Fri Jun 7 12:37:40 2002
From: bryanh at giraffe-data.com (Bryan Henderson)
Date: Fri, 07 Jun 2002 02:37:40 +0000
Subject: StrictHostKeyChecking ask
Message-ID: 

How come "StrictHostKeyChecking ask" doesn't cause Ssh to ask me if I'm OK
with a host key having changed and, assuming I say yes, go ahead and update
known_hosts? It looks like the program gratuitously runs me through the
exercise of editing known_hosts and starting over.

Kudos for having the message tell me exactly what I have to delete, though.

--
Bryan Henderson                                    Phone 408-621-2000
San Jose, California

From bugzilla-daemon at mindrot.org  Fri Jun 7 17:26:13 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 7 Jun 2002 17:26:13 +1000 (EST)
Subject: [Bug 268] New: ssh-keysign build failure on AIX with gcc
Message-ID: <20020607072613.591C3E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=268

           Summary: ssh-keysign build failure on AIX with gcc
           Product: Portable OpenSSH
           Version: -current
          Platform: Other
        OS/Version: AIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Miscellaneous
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: dtucker at zip.com.au

$ gcc -o ssh-keysign ssh-keysign.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -L/usr/local/lib -lssh -lopenbsd-compat -lz -lcrypto
ld: 0711-317 ERROR: Undefined symbol: __progname
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
collect2: ld returned 8 exit status

Following patch conditionally defines __progname (stolen directly from
ssh.c). Any reason it shouldn't be in a .h file once rather than 11 .c
files?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org  Fri Jun 7 17:34:55 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 7 Jun 2002 17:34:55 +1000 (EST) Subject: [Bug 268] ssh-keysign build failure on AIX with gcc Message-ID: <20020607073455.6D3F4E974@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=268 ------- Additional Comments From dtucker at zip.com.au 2002-06-07 17:34 ------- Created an attachment (id=108) Conditionally define __progname in ssh-keysign.c ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Fri Jun 7 17:55:31 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 7 Jun 2002 17:55:31 +1000 (EST) Subject: [Bug 261] AIX capabilities + port-aix.c cleanup Message-ID: <20020607075531.084F9E980@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=261 ------- Additional Comments From dtucker at zip.com.au 2002-06-07 17:55 ------- Created an attachment (id=109) Merge three previous patches. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Fri Jun 7 18:51:32 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 7 Jun 2002 18:51:32 +1000 (EST) Subject: [Bug 164] X-forwarding when connecting to an IPv6-enabled host doesn't work. Message-ID: <20020607085132.2F963E960@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=164 ------- Additional Comments From carljohan at kjellander.com 2002-06-07 18:51 ------- Kevin, I applied your patch to the openssh-rpms for Red Hat 7.3 (openssh-3.1p1-3) and it works out just fine! [ipv6host]# netstat -l -n | grep 6010 tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN tcp 0 0 ::1:6010 :::* LISTEN ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Fri Jun 7 19:00:33 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 7 Jun 2002 19:00:33 +1000 (EST) Subject: [Bug 164] X-forwarding when connecting to an IPv6-enabled host doesn't work. Message-ID: <20020607090033.DAA33E984@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=164 ------- Additional Comments From carljohan at kjellander.com 2002-06-07 19:00 ------- Oops. I applied YOSHIFUJI Hideaki's patch of course. And it worked. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Fri Jun 7 19:53:58 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 7 Jun 2002 19:53:58 +1000 (EST) Subject: [Bug 261] AIX capabilities + port-aix.c cleanup Message-ID: <20020607095358.D0A1EE987@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=261 ------- Additional Comments From janfrode at parallab.uib.no 2002-06-07 19:53 ------- Created an attachment (id=110) removed setpenv call ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Fri Jun 7 19:55:30 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 7 Jun 2002 19:55:30 +1000 (EST) Subject: [Bug 261] AIX capabilities + port-aix.c cleanup Message-ID: <20020607095530.CC1DAE98B@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=261 ------- Additional Comments From janfrode at parallab.uib.no 2002-06-07 19:55 ------- Two things... We should probably fail if it fails: if (setpcred (user, NULL)) fatal("Failed to set AIX process credentials."); and I'm a bit uncertain about the call to setpenv(). I think it does a bit too much, and with the PENV_INIT it breaks sftp and it doesn't manage to set the TERM correctly. The effect of calling setpenv() is that various user environment variables are set up _and_ the user is given his shell. I think we should just remove the call to setpenv(). Fixed patch attachment above this message.. -jf ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From maniac at maniac.nl Fri Jun 7 19:59:01 2002
From: maniac at maniac.nl (Mark Janssen) Date: 07 Jun 2002 11:59:01 +0200 Subject: Setproctitle && HPUX, patch/fix included Message-ID: <1023443942.794.15.camel@ninja> Hello, I've asked this on the openssh (regular) list before, but was directed here. I've been trying to get the 'setproctitle' part working on HPUX systems (11.00). I've figured out that on HP setproctitle requires sys/pstat.h and some other settings. I can locate sys/pstat.h on my system, but the ./configure won't find it (it's in /usr/include/sys/pstat.h). When I force HAVE_SYS_PSTAT_H on config.h it will still not work, since setproctitle.c has a check for defined HAVE_PSTAT && defined PSTAT_SETCMD. Shouldn't this be ( defined HAVE_PSTAT || defined HAVE_SYS_PSTAT_H ) && def PSTAT_SETCMD (Pardon my preprocessor logic, this is probably wrong, but you get the idea. Using #define HAVE_SYS_PSTAT_H in setproctitle.c will fix my problem. -- Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178 Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl From maccy at maccomms.co.uk Fri Jun 7 22:01:03 2002 From: maccy at maccomms.co.uk (Maccy) Date: Fri, 7 Jun 2002 12:01:03 +0000 (GMT) Subject: ssh help Message-ID: Hi chaps, I now have host based authentication working in my openssh config.....I don't have to put in a password when connecting to another machine using the same username. I need to be able to do the same thing using root, but it prompts me for a password, no matter what I try. What do I need to change/look for? Can this be changed in the config files? Many thanks for your assistance, Maccy From bugzilla-daemon at mindrot.org Sat Jun 8 00:37:59 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 8 Jun 2002 00:37:59 +1000 (EST) Subject: [Bug 268] ssh-keysign build failure on AIX with gcc Message-ID: <20020607143759.C2040E904@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=268 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From mouring at eviladmin.org 2002-06-08 00:37 ------- Ermm.. Must have fat-fingered the grep for it. It's applied. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Jun 8 00:51:59 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 8 Jun 2002 00:51:59 +1000 (EST) Subject: [Bug 261] AIX capabilities + port-aix.c cleanup Message-ID: <20020607145159.2F991E93B@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=261 ------- Additional Comments From mouring at eviladmin.org 2002-06-08 00:51 ------- I'd like to make a single commit to resolve this. Can someone at IBM or someone verify this is the correct way to resolve the code? - Ben ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From dgk at research.att.com Sat Jun 8 01:09:39 2002
From: dgk at research.att.com (David Korn) Date: Fri, 7 Jun 2002 11:09:39 -0400 (EDT) Subject: openssh for UWIN Message-ID: <200206071509.LAA97760@raptor.research.att.com> I am enclosing a context diff of the changes that I made to get openssh working on UWIN. UWIN is a UNIX operating system layer that runs on Win32 systems. For more information on UWIN go to http://www.research.att.com/sw/tools/uwin/. I also ran configure using -with-cppflags=-D_BSDCOMP=2. I don't know where that information would go with the source code. Let me know if you need more information. =====================cut here================== *** auth-passwd.c.orig Mon Mar 04 20:45:57 2002 --- auth-passwd.c Fri Jun 07 10:37:59 2002 *************** *** 44,49 **** --- 44,52 ---- #include "log.h" #include "servconf.h" #include "auth.h" + #ifdef _UWIN + # include + #endif #ifdef HAVE_CRYPT_H # include *************** *** 114,119 **** --- 117,125 ---- /* deny if no user. */ if (pw == NULL) return 0; + #ifdef _UWIN + return(uwin_mktoken(pw->pw_name,password,UWIN_TOKCLOSE)!=0); + #endif #ifndef HAVE_CYGWIN if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) return 0; *** readconf.c.orig Mon Feb 04 20:26:35 2002 --- readconf.c Thu May 30 16:55:00 2002 *************** *** 200,206 **** u_short host_port) { Forward *fwd; ! #ifndef HAVE_CYGWIN extern uid_t original_real_uid; if (port < IPPORT_RESERVED && original_real_uid != 0) fatal("Privileged ports can only be forwarded by root."); --- 200,206 ---- u_short host_port) { Forward *fwd; ! #if !defined(HAVE_CYGWIN) && !defined(_UWIN) extern uid_t original_real_uid; if (port < IPPORT_RESERVED && original_real_uid != 0) fatal("Privileged ports can only be forwarded by root."); *** ssh.c.orig Mon Feb 18 23:20:58 2002 --- ssh.c Thu May 30 16:40:07 2002 *************** *** 640,646 **** host = options.hostname; /* Disable rhosts authentication if not running as root. */ ! 
#ifdef HAVE_CYGWIN /* Ignore uid if running under Windows */ if (!options.use_privileged_port) { #else --- 640,646 ---- host = options.hostname; /* Disable rhosts authentication if not running as root. */ ! #if define(HAVE_CYGWIN) || defined(_UWIN) /* Ignore uid if running under Windows */ if (!options.use_privileged_port) { #else *** sshpty.c.orig Thu Dec 20 22:45:52 2001 --- sshpty.c Thu May 30 16:37:50 2002 *************** *** 124,130 **** close(*ptyfd); return 0; } ! #ifndef HAVE_CYGWIN /* * Push the appropriate streams modules, as described in Solaris pts(7). * HP-UX pts(7) doesn't have ttcompat module. --- 124,130 ---- close(*ptyfd); return 0; } ! #if !defined(HAVE_CYGWIN) && !defined(_UWIN) /* * Push the appropriate streams modules, as described in Solaris pts(7). * HP-UX pts(7) doesn't have ttcompat module. *** uidswap.c.orig Thu Dec 20 22:45:52 2001 --- uidswap.c Thu May 30 16:36:30 2002 *************** *** 80,86 **** if (user_groupslen < 0) fatal("getgroups: %.100s", strerror(errno)); } ! #ifndef HAVE_CYGWIN /* Set the effective uid to the given (unprivileged) uid. */ if (setgroups(user_groupslen, user_groups) < 0) fatal("setgroups: %.100s", strerror(errno)); --- 80,86 ---- if (user_groupslen < 0) fatal("getgroups: %.100s", strerror(errno)); } ! #if !defined(HAVE_CYGWIN) && !defined(_UWIN) /* Set the effective uid to the given (unprivileged) uid. */ if (setgroups(user_groupslen, user_groups) < 0) fatal("setgroups: %.100s", strerror(errno)); *************** *** 131,137 **** setgid(getgid()); #endif /* SAVED_IDS_WORK_WITH_SETEUID */ ! #ifndef HAVE_CYGWIN if (setgroups(saved_egroupslen, saved_egroups) < 0) fatal("setgroups: %.100s", strerror(errno)); #endif /* !HAVE_CYGWIN */ --- 131,137 ---- setgid(getgid()); #endif /* SAVED_IDS_WORK_WITH_SETEUID */ ! 
#if !defined(HAVE_CYGWIN) && !defined(_UWIN) if (setgroups(saved_egroupslen, saved_egroups) < 0) fatal("setgroups: %.100s", strerror(errno)); #endif /* !HAVE_CYGWIN */ =====================cut here================== David Korn research!dgk dgk at research.att.com From dgk at research.att.com Sat Jun 8 02:38:54 2002 
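Review bot: the auth-passwd.c hunk returns the result of `uwin_mktoken()` before the `pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES` check that follows it, so on UWIN a correct root password is accepted regardless of PermitRootLogin, and any further checks later in the function are skipped as well. Move the `#ifdef _UWIN` branch after the checks it is meant to coexist with, or apply the root-login test on UWIN too. The `# include` added under `#ifdef _UWIN` also shows no header name; make sure the header is spelled out.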
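Review bot: the ssh.c hunk reads `#if define(HAVE_CYGWIN) || defined(_UWIN)`; `define` is not a preprocessor operator, so this line will not preprocess. It should be `#if defined(HAVE_CYGWIN) || defined(_UWIN)`.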
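Review bot: the readconf.c, sshpty.c and uidswap.c hunks change `#ifndef HAVE_CYGWIN` to `#if !defined(HAVE_CYGWIN) && !defined(_UWIN)` but leave the matching `#endif /* !HAVE_CYGWIN */` comments (visible in the last uidswap.c hunk) untouched, so the comment no longer describes the condition; update them, e.g. `#endif /* !HAVE_CYGWIN && !_UWIN */`. Each of these tests is really about a capability (privileged ports, streams modules, setgroups) rather than a platform, so a feature macro per capability would avoid growing the platform list with every new port.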
From: dgk at research.att.com (David Korn) Date: Fri, 7 Jun 2002 12:38:54 -0400 (EDT) Subject: openssh for UWIN Message-ID: <200206071638.MAA96191@raptor.research.att.com> I am enclosing a context diff of the changes that I made to get openssh working on UWIN. UWIN is a UNIX operating system layer that runs on Win32 systems. For more information on UWIN go to http://www.research.att.com/sw/tools/uwin/. Let me know if you need more information. +++++++++++++++++cut here+++++++++++++++++++++ *** auth-passwd.c.orig Mon Mar 04 20:45:57 2002 --- auth-passwd.c Fri Jun 07 10:37:59 2002 *************** *** 44,49 **** --- 44,52 ---- #include "log.h" #include "servconf.h" #include "auth.h" + #ifdef _UWIN + # include + #endif #ifdef HAVE_CRYPT_H # include *************** *** 114,119 **** --- 117,125 ---- /* deny if no user. */ if (pw == NULL) return 0; + #ifdef _UWIN + return(uwin_mktoken(pw->pw_name,password,UWIN_TOKCLOSE)!=0); + #endif #ifndef HAVE_CYGWIN if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) return 0; *** readconf.c.orig Mon Feb 04 20:26:35 2002 --- readconf.c Thu May 30 16:55:00 2002 *************** *** 200,206 **** u_short host_port) { Forward *fwd; ! #ifndef HAVE_CYGWIN extern uid_t original_real_uid; if (port < IPPORT_RESERVED && original_real_uid != 0) fatal("Privileged ports can only be forwarded by root."); --- 200,206 ---- u_short host_port) { Forward *fwd; ! #if !defined(HAVE_CYGWIN) && !defined(_UWIN) extern uid_t original_real_uid; if (port < IPPORT_RESERVED && original_real_uid != 0) fatal("Privileged ports can only be forwarded by root."); *** ssh.c.orig Mon Feb 18 23:20:58 2002 --- ssh.c Thu May 30 16:40:07 2002 *************** *** 640,646 **** host = options.hostname; /* Disable rhosts authentication if not running as root. */ ! #ifdef HAVE_CYGWIN /* Ignore uid if running under Windows */ if (!options.use_privileged_port) { #else --- 640,646 ---- host = options.hostname; /* Disable rhosts authentication if not running as root. */ ! 
#if define(HAVE_CYGWIN) || defined(_UWIN) /* Ignore uid if running under Windows */ if (!options.use_privileged_port) { #else *** sshpty.c.orig Thu Dec 20 22:45:52 2001 --- sshpty.c Thu May 30 16:37:50 2002 *************** *** 124,130 **** close(*ptyfd); return 0; } ! #ifndef HAVE_CYGWIN /* * Push the appropriate streams modules, as described in Solaris pts(7). * HP-UX pts(7) doesn't have ttcompat module. --- 124,130 ---- close(*ptyfd); return 0; } ! #if !defined(HAVE_CYGWIN) && !defined(_UWIN) /* * Push the appropriate streams modules, as described in Solaris pts(7). * HP-UX pts(7) doesn't have ttcompat module. *** uidswap.c.orig Thu Dec 20 22:45:52 2001 --- uidswap.c Thu May 30 16:36:30 2002 *************** *** 80,86 **** if (user_groupslen < 0) fatal("getgroups: %.100s", strerror(errno)); } ! #ifndef HAVE_CYGWIN /* Set the effective uid to the given (unprivileged) uid. */ if (setgroups(user_groupslen, user_groups) < 0) fatal("setgroups: %.100s", strerror(errno)); --- 80,86 ---- if (user_groupslen < 0) fatal("getgroups: %.100s", strerror(errno)); } ! #if !defined(HAVE_CYGWIN) && !defined(_UWIN) /* Set the effective uid to the given (unprivileged) uid. */ if (setgroups(user_groupslen, user_groups) < 0) fatal("setgroups: %.100s", strerror(errno)); *************** *** 131,137 **** setgid(getgid()); #endif /* SAVED_IDS_WORK_WITH_SETEUID */ ! #ifndef HAVE_CYGWIN if (setgroups(saved_egroupslen, saved_egroups) < 0) fatal("setgroups: %.100s", strerror(errno)); #endif /* !HAVE_CYGWIN */ --- 131,137 ---- setgid(getgid()); #endif /* SAVED_IDS_WORK_WITH_SETEUID */ ! #if !defined(HAVE_CYGWIN) && !defined(_UWIN) if (setgroups(saved_egroupslen, saved_egroups) < 0) fatal("setgroups: %.100s", strerror(errno)); #endif /* !HAVE_CYGWIN */ +++++++++++++++++cut here+++++++++++++++++++++ David Korn research!dgk dgk at research.att.com From vinschen at redhat.com Sat Jun 8 02:39:21 2002 
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 7 Jun 2002 18:39:21 +0200 Subject: openssh for UWIN In-Reply-To: <200206071509.LAA97760@raptor.research.att.com> References: <200206071509.LAA97760@raptor.research.att.com> Message-ID: <20020607183921.S30892@cygbert.vinschen.de> On Fri, Jun 07, 2002 at 11:09:39AM -0400, David Korn wrote: > I also ran configure using -with-cppflags=-D_BSDCOMP=2. I don't > know where that information would go with the source code. AFAICS, this should go into configure.ac. Line 55 contains the `case $host' statement. The first entry (for AIX) already contains the example how to set the preprocessor flags: *-*-aix*) AFS_LIBS="-lld" CPPFLAGS="$CPPFLAGS -I/usr/local/include" [...] Hope that helps, Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From kevin at atomicgears.com Sat Jun 8 02:44:54 2002 From: kevin at atomicgears.com (Kevin Steves) Date: Fri, 7 Jun 2002 09:44:54 -0700 Subject: Setproctitle && HPUX, patch/fix included In-Reply-To: <1023443942.794.15.camel@ninja> References: <1023443942.794.15.camel@ninja> Message-ID: <20020607164454.GD1836@jenny.crlsca.adelphia.net> On Fri, Jun 07, 2002 at 11:59:01AM +0200, Mark Janssen wrote: > I can locate sys/pstat.h on my system, but the ./configure won't find it > (it's in /usr/include/sys/pstat.h). When I force HAVE_SYS_PSTAT_H on > config.h it will still not work, since setproctitle.c has a check for > defined HAVE_PSTAT && defined PSTAT_SETCMD. > > Shouldn't this be > > ( defined HAVE_PSTAT || defined HAVE_SYS_PSTAT_H ) && def PSTAT_SETCMD > > (Pardon my preprocessor logic, this is probably wrong, but you get the > idea. > > Using #define HAVE_SYS_PSTAT_H in setproctitle.c will fix my problem. are you referring to: http://bugzilla.mindrot.org/show_bug.cgi?id=236 that needs to be reviewed. the current setproctitle.c does work for HP-UX 11. From epa98 at doc.ic.ac.uk Sat Jun 8 02:54:16 2002 
From: epa98 at doc.ic.ac.uk (Edward Avis) Date: Fri, 7 Jun 2002 17:54:16 +0100 (BST) Subject: openssh for UWIN In-Reply-To: <200206071638.MAA96191@raptor.research.att.com> Message-ID: On Fri, 7 Jun 2002, David Korn wrote: >I am enclosing a context diff of the changes that I made to get >openssh working on UWIN. All but two of these diffs involve changing #ifndef HAVE_CYGWIN to #if !defined(HAVE_CYGWIN) && !defined(_UWIN) or something similar. Maybe there is some cleaner way to do this but I don't know what the maintainers consider most tasteful. But you should definitely fix the corresponding #endif /* !HAVE_CYGWIN */ lines as well. -- Ed Avis Finger for PGP key From kevin at atomicgears.com Sat Jun 8 03:58:02 2002 From: kevin at atomicgears.com (Kevin Steves) Date: Fri, 7 Jun 2002 10:58:02 -0700 Subject: privsep patch, Please test (take 3) In-Reply-To: References: <20020607000557.GA2529@jenny.crlsca.adelphia.net> Message-ID: <20020607175802.GE1836@jenny.crlsca.adelphia.net> On Thu, Jun 06, 2002 at 05:49:13PM -0700, Tim Rice wrote: > > > --- openssh/session.c.old Sun May 12 20:25:02 2002 > > > +++ openssh/session.c Wed May 29 07:39:22 2002
> > > @@ -1089,10 +1089,11 @@ > > > exit(1); > > > } > > > /* Initialize the group list. */ > > > - if (initgroups(pw->pw_name, pw->pw_gid) < 0) { > > > - perror("initgroups"); > > > - exit(1); > > > - } > > > + if (strcmp(pw->pw_name, SSH_PRIVSEP_USER)) > > > + if (initgroups(pw->pw_name, pw->pw_gid) < 0) { > > > + perror("initgroups"); > > > + exit(1); > > > + } > > > > why are we doing this? > > On some platforms initgroups() fails in the chroot child. As initgroups > is unnecessary for the sshd user, this fixes that problem. I'm open > to any better ways. i think if we don't call initgroups (or setgroups) the unprivileged process will retain root's supplementary groups. From tim at multitalents.net Sat Jun 8 04:18:59 2002 From: tim at multitalents.net (Tim Rice) Date: Fri, 7 Jun 2002 11:18:59 -0700 (PDT) Subject: privsep patch, Please test (take 3) In-Reply-To: <20020607175802.GE1836@jenny.crlsca.adelphia.net> Message-ID: On Fri, 7 Jun 2002, Kevin Steves wrote: > On Thu, Jun 06, 2002 at 05:49:13PM -0700, Tim Rice wrote: > > > > --- openssh/session.c.old Sun May 12 20:25:02 2002 > > > > +++ openssh/session.c Wed May 29 07:39:22 2002 
> > > > @@ -1089,10 +1089,11 @@ > > > > exit(1); > > > > } > > > > /* Initialize the group list. */ > > > > - if (initgroups(pw->pw_name, pw->pw_gid) < 0) { > > > > - perror("initgroups"); > > > > - exit(1); > > > > - } > > > > + if (strcmp(pw->pw_name, SSH_PRIVSEP_USER)) > > > > + if (initgroups(pw->pw_name, pw->pw_gid) < 0) { > > > > + perror("initgroups"); > > > > + exit(1); > > > > + } > > > > > > why are we doing this? > > > > On some platforms initgroups() fails in the chroot child. As initgroups > > is unnecessary for the sshd user, this fixes that problem. I'm open > > to any better ways. > > i think if we don't call initgroups (or setgroups) the unprivileged > process will retain root's supplementary groups. > We do call setgroups early on in main() /* * Clear out any supplemental groups we may have inherited. This * prevents inadvertent creation of files with bad modes (in the * portable version at least, it's certainly possible for PAM * to create a file, and we can't control the code in every * module which might be used). */ if (setgroups(0, NULL) < 0) debug("setgroups() failed: %.200s", strerror(errno)); -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From kevin at atomicgears.com Sat Jun 8 05:18:45 2002 
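Review bot: the session.c hunk wraps `initgroups()` in `if (strcmp(pw->pw_name, SSH_PRIVSEP_USER))` with no braces around the inner `if` block, which is easy to misread; add braces. More importantly, skipping `initgroups()` for the privsep user leaves the group list in whatever state it was, so correctness now depends on the earlier `setgroups(0, NULL)` in main(), whose failure is only reported via `debug()`; either make that failure fatal or call `setgroups()` explicitly here so the unprivileged child cannot keep inherited supplementary groups.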
From: kevin at atomicgears.com (Kevin Steves) Date: Fri, 7 Jun 2002 12:18:45 -0700 Subject: privsep patch, Please test (take 3) In-Reply-To: References: <20020607175802.GE1836@jenny.crlsca.adelphia.net> Message-ID: <20020607191845.GF1836@jenny.crlsca.adelphia.net> On Fri, Jun 07, 2002 at 11:18:59AM -0700, Tim Rice wrote: > > i think if we don't call initgroups (or setgroups) the unprivileged > > process will retain root's supplementary groups. > > > > We do call setgroups early on in main() > /* > * Clear out any supplemental groups we may have inherited. This > * prevents inadvertent creation of files with bad modes (in the > * portable version at least, it's certainly possible for PAM > * to create a file, and we can't control the code in every > * module which might be used). > */ > if (setgroups(0, NULL) < 0) > debug("setgroups() failed: %.200s", strerror(errno)); hmm, i was looking at openbsd, with the goal of syncing where possible. that is in portable only. these diffs for key things are becoming impossible to keep track of. From mouring at etoh.eviladmin.org Sat Jun 8 05:28:13 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Fri, 7 Jun 2002 14:28:13 -0500 (CDT) Subject: privsep patch, Please test (take 3) In-Reply-To: <20020607191845.GF1836@jenny.crlsca.adelphia.net> Message-ID: On Fri, 7 Jun 2002, Kevin Steves wrote: > On Fri, Jun 07, 2002 at 11:18:59AM -0700, Tim Rice wrote: > > > i think if we don't call initgroups (or setgroups) the unprivileged > > > process will retain root's supplementary groups. > > > > > > > We do call setgroups early on in main() > > /* > > * Clear out any supplemental groups we may have inherited. This > > * prevents inadvertent creation of files with bad modes (in the > > * portable version at least, it's certainly possible for PAM > > * to create a file, and we can't control the code in every > > * module which might be used). > > */ > > if (setgroups(0, NULL) < 0) > > debug("setgroups() failed: %.200s", strerror(errno)); > > hmm, i was looking at openbsd, with the goal of syncing where > possible. that is in portable only. these diffs for key things are > becoming impossible to keep track of. Agreed.. portable tree is looking more like a fork than branch. And I'm not dead sure how to cope with some of it without somehow being able to take a 10,000ft view which is.. ermm.. ugly. - Ben From Nicolas.Williams at ubsw.com Sat Jun 8 05:55:59 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Fri, 7 Jun 2002 15:55:59 -0400 Subject: SIGCHLD may be inherited blocked Message-ID: <20020607155559.A308@W0594878> So, we just found some ugly behaviour of OpenSSH on Solaris. Sometimes, it seems, sshd gets started with SIGCHLD blocked, this, apparently, being the setting of sshd's parent (a shell no doubt); signal blocking is inherited across exec*(). I don't know exactly which shell, or what really is at fault, but it happens. The problem is that the code in collect_children() first blocks SIGCHLD (SIGCLD) and then resets the signal block mask to whatever it was before, so if SIGCHLD was blocked to begin with, then it never gets unblocked in sshd. The resulting behaviour is that SSHv2 connections may hang. The Solaris proc tools, specifically /usr/proc/bin/psig, along with truss/strace, show the bug in action quite nicely. As much as this behaviour may not be a bug in OpenSSH, it may nonetheless be desirable to add a couple of calls to sigprocmask() in sshd.c:main() to make sure that SIGCHLD is not blocked. While looking at this I noticed that the compatibility shim in openbsd-compat/sigact.c for sigprocmask() has a bug: the second argument may be NULL but the shim does not check for this. A patch to openbsd-compat/sigact.c:sigprocmask() and sshd.c:main() is attached. Thoughts? Should I file a bug report in bugzilla? Cheers, Nico -- -DISCLAIMER: an automatically appended disclaimer may follow. By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.- -------------- next part -------------- Index: 3_0_2p1_w_gssk5_ubsw_prod.2/openbsd-compat/sigact.c --- 3_0_2p1_w_gssk5_ubsw_prod.2/openbsd-compat/sigact.c Wed, 21 Nov 2001 10:38:46 -0500 +++ 3_0_2p1_w_gssk5_ubsw_prod.2(w)/openbsd-compat/sigact.c Fri, 07 Jun 2002 15:42:50 -0400
@@ -61,6 +61,7 @@ sigset_t current = sigsetmask(0); if (omask) *omask = current; + if (!mask) return 0; if (mode==SIG_BLOCK) current |= *mask; Index: 3_0_2p1_w_gssk5_ubsw_prod.2/sshd.c --- 3_0_2p1_w_gssk5_ubsw_prod.2/sshd.c Thu, 17 Jan 2002 17:53:49 -0500 +++ 3_0_2p1_w_gssk5_ubsw_prod.2(w)/sshd.c Fri, 07 Jun 2002 15:53:22 -0400 @@ -556,6 +556,11 @@ int startups = 0; Key *key; int ret, key_used = 0; + sigset_t curr_mask; + + sigprocmask(0, NULL, &curr_mask); + sigdelset(¤t_mask, SIGCHLD); + sigprocmask(SIG_SETMASK, &curr_mask, NULL); __progname = get_progname(av[0]); init_rng(); -------------- next part -------------- Visit our website at http://www.ubswarburg.com This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. From cmadams at hiwaay.net Sat Jun 8 06:40:28 2002 
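Review bot: in the sigact.c hunk, `if (!mask) return 0;` sits after `sigsetmask(0)` has already cleared the whole process mask, so a query-only call (`mask == NULL`) returns with every signal unblocked instead of leaving the mask as it was; put the mask back before returning, e.g. `if (!mask) { sigsetmask(current); return 0; }`.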
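Review bot: the sshd.c hunk declares `curr_mask` but passes `¤t_mask` to `sigdelset()`; that argument should be `&curr_mask`. The return values of both `sigprocmask()` calls are unchecked, and `how == 0` for the query call is unconventional (`SIG_BLOCK` with a NULL set is the usual spelling). If other signals can be inherited blocked the same way, installing an empty mask with `SIG_SETMASK` at startup covers them all rather than removing SIGCHLD alone.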
From: cmadams at hiwaay.net (Chris Adams) Date: Fri, 7 Jun 2002 15:40:28 -0500 Subject: SIGCHLD may be inherited blocked In-Reply-To: <20020607155559.A308@W0594878>; from Nicolas.Williams@ubsw.com on Fri, Jun 07, 2002 at 03:55:59PM -0400 References: <20020607155559.A308@W0594878> Message-ID: <20020607154028.B296815@hiwaay.net> Once upon a time, Nicolas Williams said: > Sometimes, it seems, sshd gets started with SIGCHLD blocked, this, > apparently, being the setting of sshd's parent (a shell no doubt); > signal blocking is inherited across exec*(). I don't know exactly which > shell, or what really is at fault, but it happens. Funny; I just ran into a case of sshd running with SIGALRM blocked on Linux (caused problems because I restarted sendmail from an ssh login, and it would never time out connections because SIGALRM was always blocked). Would it be a problem for sshd to clear the blocked signals at start? Is there a valid case for it to inherit blocked signals? -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From markus at openbsd.org Sat Jun 8 06:52:48 2002 From: markus at openbsd.org (Markus Friedl) Date: Fri, 7 Jun 2002 22:52:48 +0200 Subject: openssh for UWIN In-Reply-To: <200206071509.LAA97760@raptor.research.att.com> References: <200206071509.LAA97760@raptor.research.att.com> Message-ID: <20020607205247.GC27653@folly> On Fri, Jun 07, 2002 at 11:09:39AM -0400, David Korn wrote: > ! #if !defined(HAVE_CYGWIN) && !defined(_UWIN) > extern uid_t original_real_uid; > if (port < IPPORT_RESERVED && original_real_uid != 0) i think these should be turned into a #ifndef HAVE_IPPORT_RESERVED_CONCEPT ... #endif From Nicolas.Williams at ubsw.com Sat Jun 8 07:11:31 2002 
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Fri, 7 Jun 2002 17:11:31 -0400 Subject: SIGCHLD may be inherited blocked In-Reply-To: <20020607154028.B296815@hiwaay.net>; from cmadams@hiwaay.net on Fri, Jun 07, 2002 at 03:40:28PM -0500 References: <20020607155559.A308@W0594878> <20020607154028.B296815@hiwaay.net> Message-ID: <20020607171131.A370@W0594878> On Fri, Jun 07, 2002 at 03:40:28PM -0500, Chris Adams wrote: > Funny; I just ran into a case of sshd running with SIGALRM blocked on > Linux (caused problems because I restarted sendmail from an ssh login, > and it would never time out connections because SIGALRM was always > blocked). > > Would it be a problem for sshd to clear the blocked signals at start? > Is there a valid case for it to inherit blocked signals? Doing a quick search I see that POSIX requires signal masks to be inherited across exec*(). It seems that there may be or have been some question as to whether it's the signal-blocking-during-delivery mask or the signal block mask that should be inherited. I think sshd should, in fact, clear at least SIGCHLD's blocking, and maybe [all] others as well. But then, sshd does not bother closing extraneous file descriptors (nor do I think it should), so how best to put the argument that sshd should initialize the signal blocking masks? Cheers, Nico -- -DISCLAIMER: an automatically appended disclaimer may follow. By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.- From vinschen at redhat.com Sat Jun 8 07:24:33 2002 From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 7 Jun 2002 23:24:33 +0200 Subject: openssh for UWIN In-Reply-To: <20020607205247.GC27653@folly> References: <200206071509.LAA97760@raptor.research.att.com> <20020607205247.GC27653@folly> Message-ID: <20020607232433.B30892@cygbert.vinschen.de> On Fri, Jun 07, 2002 at 10:52:48PM +0200, Markus Friedl wrote: > On Fri, Jun 07, 2002 at 11:09:39AM -0400, David Korn wrote: > > ! #if !defined(HAVE_CYGWIN) && !defined(_UWIN) > > extern uid_t original_real_uid; > > if (port < IPPORT_RESERVED && original_real_uid != 0) > > i think these should be turned into a > > #ifndef HAVE_IPPORT_RESERVED_CONCEPT > ... > #endif Ahem, do you mean #ifndef NO_IPPORT_RESERVED_CONCEPT ? Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From vinschen at redhat.com Sat Jun 8 07:41:23 2002
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 7 Jun 2002 23:41:23 +0200 Subject: openssh for UWIN In-Reply-To: <20020607232433.B30892@cygbert.vinschen.de> References: <200206071509.LAA97760@raptor.research.att.com> <20020607205247.GC27653@folly> <20020607232433.B30892@cygbert.vinschen.de> Message-ID: <20020607234123.C30892@cygbert.vinschen.de> On Fri, Jun 07, 2002 at 11:24:33PM +0200, Corinna Vinschen wrote: > On Fri, Jun 07, 2002 at 10:52:48PM +0200, Markus Friedl wrote: > > On Fri, Jun 07, 2002 at 11:09:39AM -0400, David Korn wrote: > > > ! #if !defined(HAVE_CYGWIN) && !defined(_UWIN) > > > extern uid_t original_real_uid; > > > if (port < IPPORT_RESERVED && original_real_uid != 0) > > > > i think these should be turned into a > > > > #ifndef HAVE_IPPORT_RESERVED_CONCEPT > > ... > > #endif > > Ahem, do you mean > > #ifndef NO_IPPORT_RESERVED_CONCEPT > > ? Is the following patch acceptable? The patch to serverloop.c is completely new. I've just seen that we missed that so far. Corinna Index: acconfig.h =================================================================== RCS file: /cvs/openssh_cvs/acconfig.h,v retrieving revision 1.137 diff -u -p -r1.137 acconfig.h --- acconfig.h 13 May 2002 03:15:43 -0000 1.137 +++ acconfig.h 7 Jun 2002 21:42:12 -0000 @@ -310,6 +310,9 @@ /* Define if X11 doesn't support AF_UNIX sockets on that system */ #undef NO_X11_UNIX_SOCKETS +/* Define if the concept of ports only accessible to superusers isn't known */ +#undef NO_IPPORT_RESERVED_CONCEPT + /* Needed for SCO and NeXT */ #undef BROKEN_SAVED_UIDS Index: configure.ac =================================================================== RCS file: /cvs/openssh_cvs/configure.ac,v retrieving revision 1.65 diff -u -p -r1.65 configure.ac --- configure.ac 7 Jun 2002 14:37:00 -0000 1.65 +++ configure.ac 7 Jun 2002 21:42:13 -0000 
@@ -85,6 +85,7 @@ case "$host" in AC_DEFINE(IPV4_DEFAULT) AC_DEFINE(IP_TOS_IS_BROKEN) AC_DEFINE(NO_X11_UNIX_SOCKETS) + AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) ;; *-*-dgux*) AC_DEFINE(IP_TOS_IS_BROKEN) Index: readconf.c =================================================================== RCS file: /cvs/openssh_cvs/readconf.c,v retrieving revision 1.70 diff -u -p -r1.70 readconf.c --- readconf.c 5 Feb 2002 01:26:35 -0000 1.70 +++ readconf.c 7 Jun 2002 21:42:15 -0000 @@ -200,7 +200,7 @@ add_local_forward(Options *options, u_sh u_short host_port) { Forward *fwd; -#ifndef HAVE_CYGWIN +#ifndef NO_IPPORT_RESERVED_CONCEPT extern uid_t original_real_uid; if (port < IPPORT_RESERVED && original_real_uid != 0) fatal("Privileged ports can only be forwarded by root."); Index: serverloop.c =================================================================== RCS file: /cvs/openssh_cvs/serverloop.c,v retrieving revision 1.100 diff -u -p -r1.100 serverloop.c --- serverloop.c 2 Apr 2002 20:48:20 -0000 1.100 +++ serverloop.c 7 Jun 2002 21:42:16 -0000 @@ -974,8 +974,11 @@ server_input_global_request(int type, u_ /* check permissions */ if (!options.allow_tcp_forwarding || - no_port_forwarding_flag || - (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)) { + no_port_forwarding_flag +#ifndef NO_IPPORT_RESERVED_CONCEPT + || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0) +#endif + ) { success = 0; packet_send_debug("Server has disabled port forwarding."); } else { From dveeravalli at telica.com Sat Jun 8 07:49:50 2002 From: dveeravalli at telica.com (Deepa Nemmili Veeravalli) Date: Fri, 7 Jun 2002 17:49:50 -0400 Subject: Pls unsubscriber me Message-ID: <2415C206C515244DBFB12EC0C064A4482EA5C6@wench> Deepa N V Technical Support Engineer Telica Inc Marlborough,MA (W)508-804-8197 From vinschen at redhat.com Sat Jun 8 08:02:41 2002 
From: vinschen at redhat.com (Corinna Vinschen) Date: Sat, 8 Jun 2002 00:02:41 +0200 Subject: [PATCH]: Eliminate HAVE_CYGWIN (and _UWIN) around calls to setgroups() [was Re: openssh for UWIN] In-Reply-To: <20020607234123.C30892@cygbert.vinschen.de> References: <200206071509.LAA97760@raptor.research.att.com> <20020607205247.GC27653@folly> <20020607232433.B30892@cygbert.vinschen.de> <20020607234123.C30892@cygbert.vinschen.de> Message-ID: <20020608000241.D30892@cygbert.vinschen.de> Ok, this patch eliminates some of the Cygwin dependencies in the code. It contains a new file openbsd/fake-setgroups.c and a few patches. The NO_IPPORT_RESERVED_CONCEPT patch is included, too, so that stuff could be applied in one go. As sideeffect, David can rearrange his UWIN patches so that most of the stuff can be sourced out to configure.ac. Hope that helps, Corinna -------------- next part -------------- /* * fake library for ssh * * This file includes a fake setgroups(). */ #include "includes.h" #ifndef HAVE_SETGROUPS int setgroups (size_t size, const gid_t *list) { return 0; } #endif -------------- next part -------------- ? openbsd-compat/fake-setgroups.c Index: acconfig.h =================================================================== RCS file: /cvs/openssh_cvs/acconfig.h,v retrieving revision 1.137 diff -u -p -r1.137 acconfig.h --- acconfig.h 13 May 2002 03:15:43 -0000 1.137 +++ acconfig.h 7 Jun 2002 22:01:35 -0000 @@ -310,6 +310,9 @@ /* Define if X11 doesn't support AF_UNIX sockets on that system */ #undef NO_X11_UNIX_SOCKETS +/* Define if the concept of ports only accessible to superusers isn't known */ +#undef NO_IPPORT_RESERVED_CONCEPT + /* Needed for SCO and NeXT */ #undef BROKEN_SAVED_UIDS Index: configure.ac =================================================================== RCS file: /cvs/openssh_cvs/configure.ac,v retrieving revision 1.65 diff -u -p -r1.65 configure.ac --- configure.ac 7 Jun 2002 14:37:00 -0000 1.65 +++ configure.ac 7 Jun 2002 22:01:36 -0000 
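Review bot: the stub in fake-setgroups.c uses the glibc-style prototype `int setgroups (size_t size, const gid_t *list)`, while the BSD declaration the callers in sshd.c and uidswap.c were written against is `int setgroups(int ngroups, const gid_t *gidset)`; pick one, and more importantly declare it somewhere under `#ifndef HAVE_SETGROUPS` (the openbsd-compat header would do), because nothing in this patch provides a prototype, so on a platform without setgroups() the callers compile against an implicit declaration. The stub also deserves a one-line comment saying it always succeeds, since that is what makes the `fatal("setgroups: ...")` calls in uidswap.c safe to leave unconditional.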
@@ -85,6 +85,7 @@ case "$host" in AC_DEFINE(IPV4_DEFAULT) AC_DEFINE(IP_TOS_IS_BROKEN) AC_DEFINE(NO_X11_UNIX_SOCKETS) + AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) ;; *-*-dgux*) AC_DEFINE(IP_TOS_IS_BROKEN) @@ -569,8 +570,8 @@ AC_CHECK_FUNCS(arc4random b64_ntop bcopy inet_ntop innetgr login_getcapbool md5_crypt memmove \ mkdtemp mmap ngetaddrinfo openpty ogetaddrinfo readpassphrase \ realpath recvmsg rresvport_af sendmsg setdtablesize setegid \ - setenv seteuid setlogin setproctitle setresgid setreuid setrlimit \ - setsid setvbuf sigaction sigvec snprintf socketpair strerror \ + setenv seteuid setgroups setlogin setproctitle setresgid setreuid \ + setrlimit setsid setvbuf sigaction sigvec snprintf socketpair strerror \ strlcat strlcpy strmode strsep sysconf tcgetpgrp truncate utimes \ vhangup vsnprintf waitpid __b64_ntop _getpty) Index: readconf.c =================================================================== RCS file: /cvs/openssh_cvs/readconf.c,v retrieving revision 1.70 diff -u -p -r1.70 readconf.c --- readconf.c 5 Feb 2002 01:26:35 -0000 1.70 +++ readconf.c 7 Jun 2002 22:01:38 -0000 @@ -200,7 +200,7 @@ add_local_forward(Options *options, u_sh u_short host_port) { Forward *fwd; -#ifndef HAVE_CYGWIN +#ifndef NO_IPPORT_RESERVED_CONCEPT extern uid_t original_real_uid; if (port < IPPORT_RESERVED && original_real_uid != 0) fatal("Privileged ports can only be forwarded by root."); Index: serverloop.c =================================================================== RCS file: /cvs/openssh_cvs/serverloop.c,v retrieving revision 1.100 diff -u -p -r1.100 serverloop.c --- serverloop.c 2 Apr 2002 20:48:20 -0000 1.100 +++ serverloop.c 7 Jun 2002 22:01:40 -0000 
@@ -974,8 +974,11 @@ server_input_global_request(int type, u_ /* check permissions */ if (!options.allow_tcp_forwarding || - no_port_forwarding_flag || - (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)) { + no_port_forwarding_flag +#ifndef NO_IPPORT_RESERVED_CONCEPT + || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0) +#endif + ) { success = 0; packet_send_debug("Server has disabled port forwarding."); } else { Index: sshd.c =================================================================== RCS file: /cvs/openssh_cvs/sshd.c,v retrieving revision 1.209 diff -u -p -r1.209 sshd.c --- sshd.c 6 Jun 2002 20:46:26 -0000 1.209 +++ sshd.c 7 Jun 2002 22:01:40 -0000 @@ -1018,7 +1018,6 @@ main(int ac, char **av) if (test_flag) exit(0); -#ifndef HAVE_CYGWIN /* * Clear out any supplemental groups we may have inherited. This * prevents inadvertent creation of files with bad modes (in the @@ -1028,7 +1027,6 @@ main(int ac, char **av) */ if (setgroups(0, NULL) < 0) debug("setgroups() failed: %.200s", strerror(errno)); -#endif /* !HAVE_CYGWIN */ /* Initialize the log (it is reinitialized below in case we forked). */ if (debug_flag && !inetd_flag) Index: uidswap.c =================================================================== RCS file: /cvs/openssh_cvs/uidswap.c,v retrieving revision 1.32 diff -u -p -r1.32 uidswap.c --- uidswap.c 6 Jun 2002 20:44:06 -0000 1.32 +++ uidswap.c 7 Jun 2002 22:01:40 -0000 @@ -80,11 +80,9 @@ temporarily_use_uid(struct passwd *pw) if (user_groupslen < 0) fatal("getgroups: %.100s", strerror(errno)); } -#ifndef HAVE_CYGWIN /* Set the effective uid to the given (unprivileged) uid. */ if (setgroups(user_groupslen, user_groups) < 0) fatal("setgroups: %.100s", strerror(errno)); -#endif /* !HAVE_CYGWIN */ #ifndef SAVED_IDS_WORK_WITH_SETEUID /* Propagate the privileged gid to all of our gids. */ if (setgid(getegid()) < 0) 
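Review bot: in the serverloop.c hunk the `#ifndef NO_IPPORT_RESERVED_CONCEPT` spliced into the middle of the `if` condition leaves a dangling `||` and a lone `)` that are easy to misread, and the same `port < IPPORT_RESERVED && uid != 0` test now lives in two places (here and in readconf.c). Define one helper in defines.h that evaluates to false when NO_IPPORT_RESERVED_CONCEPT is set and use it at both sites; that also gives a single spot to replace the literal `pw->pw_uid != 0` root test if the superuser check ever becomes a function call, as Corinna suggests elsewhere in this thread.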
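Review bot: in the uidswap.c temporarily_use_uid() hunk, dropping the `#ifndef HAVE_CYGWIN` makes the `fatal("setgroups: ...")` unconditional, so the Cygwin login path now depends on configure not finding a setgroups() and the always-succeeding stub being linked in; if a later Cygwin ships a setgroups() that can fail, every non-root login becomes fatal here. Either record that dependency in a comment at this call, or make a setgroups() failure non-fatal on platforms that report no group-set support, the way sshd.c only debug()s its own setgroups(0, NULL) failure. Separately, the comment `/* Set the effective uid to the given (unprivileged) uid. */` now sits directly above the setgroups() call but describes the seteuid() further down; move it down to the call it describes.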
@@ -130,10 +128,8 @@ restore_uid(void) setgid(getgid()); #endif /* SAVED_IDS_WORK_WITH_SETEUID */ -#ifndef HAVE_CYGWIN if (setgroups(saved_egroupslen, saved_egroups) < 0) fatal("setgroups: %.100s", strerror(errno)); -#endif /* !HAVE_CYGWIN */ temporarily_use_uid_effective = 0; } Index: openbsd-compat/Makefile.in =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/Makefile.in,v retrieving revision 1.21 diff -u -p -r1.21 Makefile.in --- openbsd-compat/Makefile.in 19 Feb 2002 20:27:57 -0000 1.21 +++ openbsd-compat/Makefile.in 7 Jun 2002 22:01:40 -0000 @@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@ OPENBSD=base64.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o -COMPAT=bsd-arc4random.o bsd-cray.o bsd-cygwin_util.o bsd-misc.o bsd-nextstep.o bsd-snprintf.o bsd-waitpid.o fake-getaddrinfo.o fake-getnameinfo.o +COMPAT=bsd-arc4random.o bsd-cray.o bsd-cygwin_util.o bsd-misc.o bsd-nextstep.o bsd-snprintf.o bsd-waitpid.o fake-getaddrinfo.o fake-getnameinfo.o fake-setgroups.o PORTS=port-irix.o port-aix.o From Nicolas.Williams at ubsw.com Sat Jun 8 08:16:48 2002 
From: Nicolas.Williams at ubsw.com (Nicolas.Williams at ubsw.com) Date: Fri, 7 Jun 2002 18:16:48 -0400 Subject: SIGCHLD may be inherited blocked Message-ID: <9403F8EE868566448AA1B70D8F783C9533575C@NSTMC004PEX1.ubsgs.ubsgroup.net>

Looking further into this, yes, it's clear that POSIX requires signal masks to be inherited across exec. This kinda sucks and the standard says as much and puts the burden of making sure to unblock signals on the programs themselves, both parents and children, though the emphasis appears to be on the parents on account of many programs lacking knowledge of signal masks.

In other words, programs, such as shells, which generally create new processes ought to ensure that signal masks are cleared before calling exec*(). I would dare say that this applies to sshd as well and that it does so for all signals, not just SIGCHLD.

Anyways, that is my interpretation of the text quoted below. See:

http://www.opengroup.org/onlinepubs/007904975/functions/exec.html

Specifically:

"
This volume of IEEE Std 1003.1-2001 specifies that signals set to SIG_IGN remain set to SIG_IGN, and that the process signal mask be unchanged across an exec. This is consistent with historical implementations, and it permits some useful functionality, such as the nohup command. However, it should be noted that many existing applications wrongly assume that they start with certain signals set to the default action and/or unblocked. In particular, applications written with a simpler signal model that does not include blocking of signals, such as the one in the ISO C standard, may not behave properly if invoked with some signals blocked. Therefore, it is best not to block or ignore signals across execs without explicit reason to do so, and especially not to block signals across execs of arbitrary (not closely co-operating) programs.
"

Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow.
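Nico's reading of the POSIX text above, that the process signal mask survives exec(2), worked through as an added example; this is not OpenSSH code and not code from anyone in the thread. The program blocks SIGCHLD and SIGALRM the way a careless parent might, re-executes itself so the child can report how many signals it inherited blocked, then resets the mask the way a daemon could do early in main() and measures again. It assumes a POSIX system with a glibc, musl or BSD libc; the function and macro names are the example's own.

```c
/* Added example, not OpenSSH code: the signal mask is inherited across
 * exec(2), so a daemon started with SIGCHLD or SIGALRM blocked silently
 * never sees them. Block two signals, re-exec ourselves to show the child
 * inherits them, then reset the mask the way a daemon should at startup.
 * Assumes a POSIX system; all names are this example's own. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <sys/types.h>
#include <sys/wait.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* sigismember() returns -1 for numbers the platform lacks, so probing a
 * few past the real limit is harmless. */
#define MAX_SIG_PROBE 64

/* 1 if sig is blocked in this process, 0 if not, -1 on error. */
int signal_is_blocked(int sig)
{
    sigset_t cur;
    if (sigprocmask(SIG_BLOCK, NULL, &cur) != 0)
        return -1;
    return sigismember(&cur, sig) == 1 ? 1 : 0;
}

/* Number of signals currently blocked, or -1 on error. */
int count_blocked_signals(void)
{
    sigset_t cur;
    int sig, n = 0;
    if (sigprocmask(SIG_BLOCK, NULL, &cur) != 0)
        return -1;
    for (sig = 1; sig < MAX_SIG_PROBE; sig++)
        if (sigismember(&cur, sig) == 1)
            n++;
    return n;
}

/* Stand-in for a parent (shell, init script, cron) that leaves a signal
 * blocked and then exec()s us. 0 on success, -1 on error. */
int block_signal(int sig)
{
    sigset_t set;
    sigemptyset(&set);
    sigaddset(&set, sig);
    return sigprocmask(SIG_BLOCK, &set, NULL);
}

/* What a daemon should do early in main(): start from an empty mask no
 * matter what the parent handed down. SIG_SETMASK with an empty set, not
 * SIG_UNBLOCK of a hand-picked list, so nothing inherited is left behind.
 * Returns how many signals were blocked before the reset, -1 on error. */
int clear_inherited_signal_mask(void)
{
    sigset_t empty;
    int was = count_blocked_signals();
    if (was < 0)
        return -1;
    sigemptyset(&empty);
    if (sigprocmask(SIG_SETMASK, &empty, NULL) != 0)
        return -1;
    return was;
}

/* fork() and exec() ourselves; the child reports the size of the mask it
 * inherited in its exit status. Returns that count, or -1 on error. */
int blocked_count_after_exec(const char *self)
{
    pid_t pid;
    int status;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execlp(self, self, "--report-mask", (char *)NULL);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 127 ? -1 : WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--report-mask") == 0)
        return count_blocked_signals();

    block_signal(SIGCHLD);
    block_signal(SIGALRM);
    printf("before reset: blocked here %d, inherited by exec'd child %d\n",
        count_blocked_signals(), blocked_count_after_exec(argv[0]));
    printf("reset cleared %d signal(s)\n", clear_inherited_signal_mask());
    printf("after reset: blocked here %d, inherited by exec'd child %d\n",
        count_blocked_signals(), blocked_count_after_exec(argv[0]));
    return 0;
}
```

Run as ./a.out: the first line shows that both signals blocked in the parent are also blocked in the freshly exec'd child, and after the reset both counts are zero. Note that waitpid() works fine with SIGCHLD blocked; what breaks in a daemon is anything that relies on actually receiving the signal, which is exactly the sendmail/SIGALRM case Chris Adams described.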
From mouring at etoh.eviladmin.org Sat Jun 8 09:10:58 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Fri, 7 Jun 2002 18:10:58 -0500 (CDT) Subject: openssh for UWIN In-Reply-To: <20020607205247.GC27653@folly> Message-ID:

Ermm.. would it not be better just to redefine IPPORT_RESERVED to 0 for platforms that don't honor the idea?

- Ben

On Fri, 7 Jun 2002, Markus Friedl wrote:
> On Fri, Jun 07, 2002 at 11:09:39AM -0400, David Korn wrote:
> > ! #if !defined(HAVE_CYGWIN) && !defined(_UWIN)
> > extern uid_t original_real_uid;
> > if (port < IPPORT_RESERVED && original_real_uid != 0)
>
> i think these should be turned into a
>
> #ifndef HAVE_IPPORT_RESERVED_CONCEPT
> ...
> #endif
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
From vinschen at redhat.com Sat Jun 8 18:40:18 2002
From: vinschen at redhat.com (Corinna Vinschen) Date: Sat, 8 Jun 2002 10:40:18 +0200 Subject: openssh for UWIN In-Reply-To: References: <20020607205247.GC27653@folly> Message-ID: <20020608104018.F30892@cygbert.vinschen.de>

On Fri, Jun 07, 2002 at 06:10:58PM -0500, Ben Lindstrom wrote:
>
> Ermm.. would it not be better just to redefine IPPORT_RESERVED to 0 for
> platforms that don't honor the idea?

I'm not sure if that works. IPPORT_RESERVED still exists and has a meaning for other machines which connect to a Windows machine or vice versa. So the concept of reserved ports is known (e. g. functions like rresvport() exist) and important for connections with non-Windows machines. They just aren't restricted to super users locally. Which means, only conditionals as

if (port < IPPORT_RESERVED && original_real_uid != 0)

have no meaning.

Besides that, it's still a flaw in OpenSSH, IMHO, that the uid 0 is treated as super user implicitly instead of having a (OS dependent) function call like is_superuser() or similar.

Corinna
--
Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com
From kevin at atomicgears.com Sun Jun 9 01:59:11 2002
From: kevin at atomicgears.com (Kevin Steves) Date: Sat, 8 Jun 2002 08:59:11 -0700 Subject: [PATCH]: Eliminate HAVE_CYGWIN (and _UWIN) around calls to setgroups() [was Re: openssh for UWIN] In-Reply-To: <20020608000241.D30892@cygbert.vinschen.de> References: <200206071509.LAA97760@raptor.research.att.com> <20020607205247.GC27653@folly> <20020607232433.B30892@cygbert.vinschen.de> <20020607234123.C30892@cygbert.vinschen.de> <20020608000241.D30892@cygbert.vinschen.de> Message-ID: <20020608155911.GB1643@jenny.crlsca.adelphia.net> On Sat, Jun 08, 2002 at 12:02:41AM +0200, Corinna Vinschen wrote: > /* > * fake library for ssh > * > * This file includes a fake setgroups(). > */ > > #include "includes.h" > > #ifndef HAVE_SETGROUPS > int setgroups (size_t size, const gid_t *list) int setgroups(int ngroups, const gid_t *gidset) > { > return 0; > } > #endif > ? openbsd-compat/fake-setgroups.c bsd-misc.c is the best place for that i think. there's a noop setlogin() wrapper there too for example. is there a reason cygwin has initgroups but not setgroups? From bugzilla-daemon at mindrot.org Sun Jun 9 06:24:04 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 9 Jun 2002 06:24:04 +1000 (EST) Subject: [Bug 269] New: OpenSSH doesn't compile with dynamic OpenSSL libraries Message-ID: <20020608202404.E6C7BE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=269

Summary: OpenSSH doesn't compile with dynamic OpenSSL libraries
Product: Portable OpenSSH
Version: -current
Platform: UltraSparc
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: Build system
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: list_7531 at hotmail.com

Hi,

I'm trying to compile OpenSSH snapshot 20020603 with the dynamic libraries compiled from OpenSSL 0.9.6d. Using the "shared" option I can compile the OpenSSL source files to produce libssl.so and libcrypto.so (and libssl.a and libcrypto.a). When I run the OpenSSH configure script, I get "cannot find OpenSSL libraries" if I specify the dynamically compiled OpenSSL libraries in "--with-ssl-dir=..." When I use the statically compiled SSL libraries, SSH compiles and installs correctly.

System notes:

Statically compiled OpenSSL files in /opt/openssl-0.9.6d-stat

gmake clean;./configure --prefix=/opt/openssh323p1 --with-ssl-dir=/opt/openssl-0.9.6d-stat --with-zlib=/opt/zlib --with-pam

Generates Makefile then compiles and installs.

Dynamically compiled OpenSSL files in /opt/openssl-0.9.6d-sh

gmake clean;./configure --prefix=/opt/openssh323p1 --with-ssl-dir=/opt/openssl-0.9.6d-sh --with-zlib=/opt/zlib --with-pam

checking for pam_set_item in -lpam... yes
checking for pam_getenvlist... yes
checking whether pam_strerror takes only one argument... no
configure: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***

Here are the last 8 lines from config.log:

#define HAVE_INTTYPES_H 1
#define HAVE_UNISTD_H 1
#define GETPGRP_VOID 1
#define HAVE_LIBDL 1
#define HAVE_LIBPAM 1
#define HAVE_PAM_GETENVLIST 1
#define USE_PAM 1
configure: exit 1

This issue is reproducible with OpenSSL 0.9.6c and OpenSSH 3.2.3p1

This issue is important because system security updates are a lot more difficult if I have to keep track of statically linked binaries, which have to be updated every time a component from a different package is patched.

This issue is also a matter of concern as the "--with-zlib=/opt/zlib" option is correctly processed to use the dynamic library /opt/zlib/lib/libz.so.

Please let me know if you are able to fix this.

Thanks,

Adrian

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From vinschen at redhat.com Sun Jun 9 06:51:37 2002
From: vinschen at redhat.com (Corinna Vinschen) Date: Sat, 8 Jun 2002 22:51:37 +0200 Subject: [PATCH]: Eliminate HAVE_CYGWIN (and _UWIN) around calls to setgroups() [was Re: openssh for UWIN] In-Reply-To: <20020608155911.GB1643@jenny.crlsca.adelphia.net> References: <200206071509.LAA97760@raptor.research.att.com> <20020607205247.GC27653@folly> <20020607232433.B30892@cygbert.vinschen.de> <20020607234123.C30892@cygbert.vinschen.de> <20020608000241.D30892@cygbert.vinschen.de> <20020608155911.GB1643@jenny.crlsca.adelphia.net> Message-ID: <20020608225137.O30892@cygbert.vinschen.de>

On Sat, Jun 08, 2002 at 08:59:11AM -0700, Kevin Steves wrote:
> On Sat, Jun 08, 2002 at 12:02:41AM +0200, Corinna Vinschen wrote:
> > ? openbsd-compat/fake-setgroups.c
>
> bsd-misc.c is the best place for that i think. there's a noop
> setlogin() wrapper there too for example.

AFAIK the bsd-XXXX files will be renamed, won't they? Will bsd-misc.c be renamed to fake-misc.c then?

> is there a reason cygwin has initgroups but not setgroups?

It's not implemented so far. It will be a fake as initgroups, though. Anyway, even if we implement it in future, that won't help for older Cygwin versions.

Corinna
--
Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com
From bugzilla-daemon at mindrot.org Sun Jun 9 15:31:51 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 9 Jun 2002 15:31:51 +1000 (EST) Subject: [Bug 269] OpenSSH doesn't compile with dynamic OpenSSL libraries Message-ID: <20020609053151.51C07E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=269

------- Additional Comments From dtucker at zip.com.au 2002-06-09 15:31 -------

First of all, are you sure you want to do that? The OpenSSL INSTALL file says:

"Shared library is currently an experimental feature. The only reason to have them would be to conserve memory on systems where several program are using OpenSSL. Binary backward compatibility can't be guaranteed before OpenSSL version 1.0."

If you update your OpenSSL shared library, you're likely to break ssh. This is a pain, particularly if the system is some remote place.

If you still want to do this, you'll need to provide more info: What compiler? Which version of Solaris? Do you have OpenSSL libraries or headers installed anywhere else in the link/include paths ("find / -name 'libcrypto.[a|so]' -print -o -name opensslv.h -print")? What's the rest of config.log say? (Add it as an attachment to this bug report).

If you're using gcc then there is a bug in 2.95.2 (and possibly others) that caused the -L link paths to be searched last, so if you've got an older libcrypto somewhere (eg /usr/local/lib) it'll pick that up. See:

http://gcc.gnu.org/cgi-bin/gnatsweb.pl?cmd=view%20audit-trail&database=gcc&pr=326

If that's your problem you can override -L by setting your LIBRARY_PATH environment variable.

For what it's worth, what you're doing works on my Sol8/gcc-3.1 box:

$ ./configure --with-ssl-dir=/opt/src/openssl-0.9.6d && make ssh
[snip]
$ ldd ssh
[snip]
libcrypto.so.0.9.6 => /opt/src/openssl-0.9.6d/libcrypto.so.0.9.6

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From Lutz.Jaenicke at aet.TU-Cottbus.DE Sun Jun 9 17:58:31 2002
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Sun, 9 Jun 2002 09:58:31 +0200 Subject: [Bug 269] New: OpenSSH doesn't compile with dynamic OpenSSL libraries In-Reply-To: <20020608202404.E6C7BE881@shitei.mindrot.org> References: <20020608202404.E6C7BE881@shitei.mindrot.org> Message-ID: <20020609075830.GA6091@serv01.aet.tu-cottbus.de>

On Sun, Jun 09, 2002 at 06:24:04AM +1000, bugzilla-daemon at mindrot.org wrote:
> Dynamically compiled OpenSSL files in /opt/openssl-0.9.6d-sh
> gmake clean;./configure --prefix=/opt/openssh323p1 --with-ssl-dir=/opt/openssl-
> 0.9.6d-sh --with-zlib=/opt/zlib --with-pam
>
> checking for pam_set_item in -lpam... yes
> checking for pam_getenvlist... yes
> checking whether pam_strerror takes only one argument... no
> configure: error: *** Can't find recent OpenSSL libcrypto (see config.log for
> details) ***
>
> Here are the last 8 lines from config.log:
> #define HAVE_INTTYPES_H 1
> #define HAVE_UNISTD_H 1
> #define GETPGRP_VOID 1
> #define HAVE_LIBDL 1
> #define HAVE_LIBPAM 1
> #define HAVE_PAM_GETENVLIST 1
> #define USE_PAM 1
> configure: exit 1

This information is not sufficient. It does not tell why the detection of the OpenSSL libraries failed. You must further examine config.log for locations where "-lcrypto" is tested.

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
From bugzilla-daemon at mindrot.org Sun Jun 9 19:57:17 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 9 Jun 2002 19:57:17 +1000 (EST) Subject: [Bug 270] New: PrivSep breaks sshd on AIX for non-root users Message-ID: <20020609095717.BC918E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=270 Summary: PrivSep breaks sshd on AIX for non-root users Product: Portable OpenSSH Version: -current Platform: PPC OS/Version: AIX Status: NEW Severity: major Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: dtucker at zip.com.au I started testing PrivSep on AIX. It doesn't work for a non-root user. Environment: AIX 4.3.3 maintenance level 0, gcc-3.1. Does the same thing on ML9. Not sure about 4.2.1 yet. $ ./sshd -d -d -d -o 'UsePrivilegeSeparation yes' -o 'Port 3022' [snip] debug1: session_input_channel_req: session 0 req shell setsid: Not owner debug1: Received SIGCHLD. [goes pear-shaped from here] Full log in following attachment. Since the next version will ship with PrivSep defaulting to on I set the severity to major. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sun Jun 9 19:59:05 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 9 Jun 2002 19:59:05 +1000 (EST) Subject: [Bug 270] PrivSep breaks sshd on AIX for non-root users Message-ID: <20020609095905.AB26BE938@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=270 ------- Additional Comments From dtucker at zip.com.au 2002-06-09 19:59 ------- Created an attachment (id=111) sshd output on AIX w/PrivSep ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sun Jun 9 19:59:20 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 9 Jun 2002 19:59:20 +1000 (EST) Subject: [Bug 270] PrivSep breaks sshd on AIX for non-root users Message-ID: <20020609095920.18E0DE938@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=270 ------- Additional Comments From dtucker at zip.com.au 2002-06-09 19:59 ------- Created an attachment (id=112) sshd output on AIX w/PrivSep ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From kevin at atomicgears.com Mon Jun 10 05:41:59 2002 From: kevin at atomicgears.com (Kevin Steves) Date: Sun, 9 Jun 2002 12:41:59 -0700 Subject: [PATCH]: Eliminate HAVE_CYGWIN (and _UWIN) around calls to setgroups() [was Re: openssh for UWIN] In-Reply-To: <20020608225137.O30892@cygbert.vinschen.de> References: <200206071509.LAA97760@raptor.research.att.com> <20020607205247.GC27653@folly> <20020607232433.B30892@cygbert.vinschen.de> <20020607234123.C30892@cygbert.vinschen.de> <20020608000241.D30892@cygbert.vinschen.de> <20020608155911.GB1643@jenny.crlsca.adelphia.net> <20020608225137.O30892@cygbert.vinschen.de> Message-ID: <20020609194159.GC1822@jenny.crlsca.adelphia.net> On Sat, Jun 08, 2002 at 10:51:37PM +0200, Corinna Vinschen wrote: > > bsd-misc.c is the best place for that i think. there's a noop > > setlogin() wrapper there too for example. > > AFAIK the bsd-XXXX files will be renamed, isn't it? Will bsd-misc.c > be renamed to fake-misc.c then? i think we wanted to move away from "fake-". for now bsd-misc.c makes sense, or perhaps i forgot some discussion on this. From mouring at etoh.eviladmin.org Mon Jun 10 05:41:25 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sun, 9 Jun 2002 14:41:25 -0500 (CDT) Subject: [PATCH]: Eliminate HAVE_CYGWIN (and _UWIN) around calls to setgroups() [was Re: openssh for UWIN] In-Reply-To: <20020609194159.GC1822@jenny.crlsca.adelphia.net> Message-ID: On Sun, 9 Jun 2002, Kevin Steves wrote: > On Sat, Jun 08, 2002 at 10:51:37PM +0200, Corinna Vinschen wrote: > > > bsd-misc.c is the best place for that i think. there's a noop > > > setlogin() wrapper there too for example. > > > > AFAIK the bsd-XXXX files will be renamed, isn't it? Will bsd-misc.c > > be renamed to fake-misc.c then? > > i think we wanted to move away from "fake-". for now bsd-misc.c > makes sense, or perhaps i forgot some discussion on this. I'd like to see (and I think Damien also mirrors this belief): bsd-*.c -- Should implement useable correct code. fake-*.c -- Should implement faked version for platforms that don't need the feature, but used to keep the code clean port-*.c -- Should be platform specific code. - Ben From mouring at etoh.eviladmin.org Mon Jun 10 05:47:50 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sun, 9 Jun 2002 14:47:50 -0500 (CDT) Subject: [Bug 270] PrivSep breaks sshd on AIX for non-root users In-Reply-To: <20020609095920.18E0DE938@shitei.mindrot.org> Message-ID:

I'll close this out when bugzilla will accept my login. =) But PrivSep can't be run by a non-root user.

1. All network code runs as a non-prived user.. ALA 'sshd' user.
2. chroot() can not be done by a normal user.

- Ben

On Sun, 9 Jun 2002 bugzilla-daemon at mindrot.org wrote:
> http://bugzilla.mindrot.org/show_bug.cgi?id=270
>
> ------- Additional Comments From dtucker at zip.com.au 2002-06-09 19:59 -------
> Created an attachment (id=112)
> sshd output on AIX w/PrivSep
>
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
From gert at greenie.muc.de Mon Jun 10 06:07:51 2002
From: gert at greenie.muc.de (Gert Doering) Date: Sun, 9 Jun 2002 22:07:51 +0200 Subject: [Bug 270] PrivSep breaks sshd on AIX for non-root users In-Reply-To: ; from mouring@etoh.eviladmin.org on Sun, Jun 09, 2002 at 02:47:50PM -0500 References: <20020609095920.18E0DE938@shitei.mindrot.org> Message-ID: <20020609220750.F28276@greenie.muc.de>

Hi,

On Sun, Jun 09, 2002 at 02:47:50PM -0500, Ben Lindstrom wrote:
> I'll close this out when bugzilla will accept my login. =) But PrivSep
> can't be run by a non-root user.
>
> 1. All network code runs as a non-prived user.. ALA 'sshd' user.
> 2. chroot() can not be done by a normal user.

May I suggest some startup messages to that extent?

    if (privsep && geteuid() != 0)
        fatal("must be root to use privsep");
    if (privsep && getpwnam("sshd") == NULL)
        fatal("no user sshd, can't use privsep");
    if (privsep && stat("/var/empty", &st) < 0)
        fatal("no /var/empty directory, can't use privsep");

It's so much easier if programs tell you that they aren't going to work right at startup, instead of "startup works fine, first connect comes in, boom" and "log file reading time".

I'm not really sure where such code would have to go to, somewhere in the vicinity of the "can't bind() port? -> fatal()" section, probably...

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de
From dtucker at zip.com.au Mon Jun 10 11:17:29 2002
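Gert's suggested startup checks, fleshed out as an added example that is not OpenSSH code and not from anyone in the thread. The checks run before anything listens, so a bad privilege separation setup fails at start rather than on the first connection, and the directory test also rejects a chroot target that is not root-owned or is group- or world-writable. The user name "sshd" and directory "/var/empty" are the ones named above; the enum, the function names and passing the effective uid in as a parameter (so the decision logic can be exercised without being root) are this example's own choices.

```c
/* Added example, not OpenSSH code: pre-flight checks for privilege
 * separation, run at startup instead of failing on the first connection.
 * Assumes a POSIX system. The enum, the function names and taking the
 * effective uid as a parameter are this example's own choices. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

enum privsep_status {
    PRIVSEP_OK = 0,
    PRIVSEP_ERR_NOT_ROOT,           /* cannot chroot() or switch uid */
    PRIVSEP_ERR_NO_USER,            /* unprivileged account missing */
    PRIVSEP_ERR_NO_DIR,             /* chroot directory missing */
    PRIVSEP_ERR_NOT_A_DIR,
    PRIVSEP_ERR_BAD_OWNER_OR_MODE   /* not root-owned or writable by others */
};

/* The chroot target must be a directory owned by root that no one else
 * can write to; a group- or world-writable directory would let a local
 * user place files where the unprivileged child ends up. Kept as a pure
 * function on the stat(2) fields so the policy can be checked without a
 * root-owned fixture on disk. */
int privsep_dir_ok(uid_t owner, mode_t mode)
{
    if (!S_ISDIR(mode))
        return 0;
    if (owner != 0)
        return 0;
    if ((mode & (S_IWGRP | S_IWOTH)) != 0)
        return 0;
    return 1;
}

/* Runs the checks in the order the failures would otherwise surface.
 * euid is a parameter (rather than geteuid() inside) so the logic can
 * be exercised by a non-root caller. */
int privsep_preflight(uid_t euid, const char *privsep_user,
    const char *chroot_dir)
{
    struct stat st;

    if (euid != 0)
        return PRIVSEP_ERR_NOT_ROOT;
    if (getpwnam(privsep_user) == NULL)
        return PRIVSEP_ERR_NO_USER;
    if (stat(chroot_dir, &st) < 0)
        return PRIVSEP_ERR_NO_DIR;
    if (!S_ISDIR(st.st_mode))
        return PRIVSEP_ERR_NOT_A_DIR;
    if (!privsep_dir_ok(st.st_uid, st.st_mode))
        return PRIVSEP_ERR_BAD_OWNER_OR_MODE;
    return PRIVSEP_OK;
}

/* Text for the fatal() at startup. */
const char *privsep_strerror(int status)
{
    switch (status) {
    case PRIVSEP_OK:
        return "privilege separation preflight ok";
    case PRIVSEP_ERR_NOT_ROOT:
        return "must be root to use privilege separation";
    case PRIVSEP_ERR_NO_USER:
        return "privilege separation user does not exist";
    case PRIVSEP_ERR_NO_DIR:
        return "privilege separation chroot directory does not exist";
    case PRIVSEP_ERR_NOT_A_DIR:
        return "privilege separation chroot path is not a directory";
    case PRIVSEP_ERR_BAD_OWNER_OR_MODE:
        return "privilege separation directory must be owned by root "
            "and not group or world writable";
    default:
        return "unknown privilege separation preflight status";
    }
}

int main(void)
{
    /* "sshd" and "/var/empty" are the user and directory the thread names. */
    int rc = privsep_preflight(geteuid(), "sshd", "/var/empty");

    if (rc != PRIVSEP_OK) {
        fprintf(stderr, "fatal: %s\n", privsep_strerror(rc));
        return 1;
    }
    puts(privsep_strerror(rc));
    return 0;
}
```

sshd would call privsep_preflight() with geteuid() at the point Gert mentions, next to where a failed bind() is made fatal, so that a missing sshd account or a stray chmod on /var/empty is reported in the startup log rather than only after the first client disconnects.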
From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 10 Jun 2002 11:17:29 +1000 Subject: [Bug 270] PrivSep breaks sshd on AIX for non-root users References: Message-ID: <3D03FE29.6E43F5ED@zip.com.au>

Ben Lindstrom wrote:
> I'll close this out when bugzilla will accept my login. =) But PrivSep
> can't be run by a non-root user.
>
> 1. All network code runs as a non-prived user.. ALA 'sshd' user.
> 2. chroot() can not be done by a normal user.
>
> - Ben

I think you misunderstood me. With PrivSep enabled, root is the only account that can log in (assuming "PermitRootLogin yes"). Normal accounts disconnect immediately after authentication.

-Daz.

root at devaix43> whoami
root
root at devaix43> /usr/local/sbin/sshd -o 'UsePrivilegeSeparation yes'
root at devaix43> ssh -l dtucker localhost
dtucker at localhost's password:
Connection to localhost closed by remote host.
Connection to localhost closed.
root at devaix43> ssh -l root localhost
root at localhost's password:
Last unsuccessful login: Fri May 3 14:06:40 2002 on /dev/tty0
Last login: Mon Jun 10 10:58:09 2002 on ssh from localhost
# exit
Connection to localhost closed.
From dan at doxpara.com Mon Jun 10 16:43:46 2002
From: dan at doxpara.com (Dan Kaminsky) Date: Sun, 9 Jun 2002 23:43:46 -0700 Subject: [Bug 270] PrivSep breaks sshd on AIX for non-root users References: Message-ID: <000b01c2104a$2bd63c80$1701000a@effugas>

> I'll close this out when bugzilla will accept my login. =) But PrivSep
> can't be run by a non-root user.
>
> 1. All network code runs as a non-prived user.. ALA 'sshd' user.
> 2. chroot() can not be done by a normal user.

I would be very unhappy if I was required to expose *any* root functionality to sshd. I quite like the ability to spawn an SSHD tied to a specific account.

--Dan
From binder at arago.de Mon Jun 10 19:40:00 2002
From: binder at arago.de (Thomas Binder) Date: Mon, 10 Jun 2002 11:40:00 +0200 Subject: Patches for compiling / using portable OpenSSH on FreeMiNT? In-Reply-To: ; from mouring@etoh.eviladmin.org on Thu, Jun 06, 2002 at 09:27:33AM -0500 References: <20020606155916.B3141510@ohm.arago.de> Message-ID: <20020610113959.A4432383@ohm.arago.de> Hi! On Thu, Jun 06, 2002 at 09:27:33AM -0500, Ben Lindstrom wrote: > Post them, people will comment. If they are correct and > acceptable. We will merge them. Otherwise we won't. =) OK, here we go. Attached are 12 patch files:

1. openssh-3.2.3p1-AF_UNIX.patch
This is necessary because FreeMiNT expects 0-terminated path names in sun_path and does a sanity check on namelen passed to bind(). This sanity check rejects namelen >= sizeof(struct sockaddr_un), because namelen should not include the trailing 0 of the path name. I've solved this by defining AF_UNIX_ADDRLEN in defines.h, to sizeof(struct sockaddr_un) for all systems except FreeMiNT, which will get (sizeof(struct sockaddr_un) - 1). In the code, connect() and bind() for AF_UNIX sockets will then pass AF_UNIX_ADDRLEN.

2. openssh-3.2.3p1-configure.patch
FreeMiNT needs USE_PIPES defined, so this patch adds it to both configure and configure.ac.

3. openssh-3.2.3p1-environment.patch
Because FreeMiNT is a hybrid system (it runs TOS software as well as ported UNIX stuff) that internally works with DOS-style pathnames, the C library evaluates two environment variables which control some functions' behaviour (UNIXMODE and PCONVERT). These two need to be passed to sshd's children; this is what the patch adds.

4. openssh-3.2.3p1-getopt.patch
For some reason, GNU ld chokes on optind being multiply defined, thus this patch prefixes all global variables in openbsd-compat/getopt.c with BSD and adds corresponding macros to defines.h.

5. openssh-3.2.3p1-inet_ntop.patch
This patch will most probably no longer be necessary with the next version of FreeMiNT's C library. The problem is that the header files define inet_ntop(), but the library is actually missing the function. Thus, configure correctly does not define HAVE_INET_NTOP, but the system header's prototype for inet_ntop() does not match the one in openbsd-compat/inet_ntop.[ch].

6. openssh-3.2.3p1-Makefile.patch
As FreeMiNT needs to maintain TOS compatibility, a program's stack size needs to be set at runtime. The default stack size created by the linker is too small for the recursion level of some of OpenSSH's binaries (especially ssh-keygen), thus one needs to "inject" a larger default stack size into the binaries using a special binary utility. This patch adds the necessary calls to this utility, but unfortunately, I've no idea how to add these lines to Makefile.in in a way that configure will only include them in the final Makefile for FreeMiNT, not for other systems.

7. openssh-3.2.3p1-ONLCR.patch
FreeMiNT (and its library) do not know about ONLCR, thus I've added an additional #ifdef around the section in ttymodes.h that uses it.

8. openssh-3.2.3p1-path_to_login.patch
Not a really important patch, but nonetheless I think it's better to assume /bin/login instead of /usr/bin/login if none is found at configure time.

9. openssh-3.2.3p1-scp.patch
FreeMiNT cannot open() directories, thus this patch will fall back to stat() if open() fails with EISDIR. Without that, recursive copying won't work with FreeMiNT.

10. openssh-3.2.3p1-setrlimit.patch
FreeMiNT cannot dump core, thus setrlimit(RLIMIT_CORE) correctly (IMO) fails with EINVAL ("An invalid resource was specified"). This patch therefore allows setrlimit(RLIMIT_CORE) to fail with EINVAL (but not with other error codes).

11. openssh-3.2.3p1-ssh_keyscan.patch
When using non-blocking sockets, FreeMiNT sometimes returns non-ready sockets in select(), causing ssh_keyscan to fail almost always. This patch adds a special #ifdef'ed workaround for that.

12. openssh-3.2.3p1-xkeys.patch
FreeMiNT treats cursor and function keys specially. They only return ANSI codes (or whatever you set via a special ioctl() on the TTY) when IEXTEN is set. As enter_raw_mode() unsets IEXTEN, the cursor and function keys don't work in outgoing ssh connections. This patch therefore does not unset IEXTEN if sshtty.c is built for FreeMiNT. It also adds a check whether _in_raw_mode is already set when enter_raw_mode() is called. This is not necessary at all, I just thought it might be a good idea (but maybe it isn't, then simply ignore it).

OK, that's all :) I hope some of these patches can be included in the main distribution (and the logic/reasons behind them respected for future versions), to be able to compile a working OpenSSH for FreeMiNT right out of the box. Thanks for your attention! Ciao Thomas -------------- next part -------------- diff -u -r openssh-3.2.3p1.orig/authfd.c openssh-3.2.3p1/authfd.c --- openssh-3.2.3p1.orig/authfd.c Fri Mar 22 04:51:06 2002 +++ openssh-3.2.3p1/authfd.c Sun Jun 9 00:04:32 2002 @@ -86,7 +86,7 @@ close(sock); return -1; } - if (connect(sock, (struct sockaddr *) &sunaddr, sizeof sunaddr) < 0) { + if (connect(sock, (struct sockaddr *) &sunaddr, AF_UNIX_ADDRLEN) < 0) { close(sock); return -1; } diff -u -r openssh-3.2.3p1.orig/channels.c openssh-3.2.3p1/channels.c --- openssh-3.2.3p1.orig/channels.c Tue Apr 23 13:09:46 2002 +++ openssh-3.2.3p1/channels.c Sun Jun 9 00:04:42 2002 @@ -2439,7 +2439,7 @@ memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; snprintf(addr.sun_path, sizeof addr.sun_path, _PATH_UNIX_X, dnr); - if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0) + if (connect(sock, (struct sockaddr *) & addr, AF_UNIX_ADDRLEN) == 0) return sock; close(sock); error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); 
@@ -2772,7 +2772,7 @@ sunaddr.sun_family = AF_UNIX; strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path)); - if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0) + if (bind(sock, (struct sockaddr *) & sunaddr, AF_UNIX_ADDRLEN) < 0) packet_disconnect("bind: %.100s", strerror(errno)); /* Restore the privileged uid. */ diff -u -r openssh-3.2.3p1.orig/defines.h openssh-3.2.3p1/defines.h --- openssh-3.2.3p1.orig/defines.h Thu Apr 25 19:56:06 2002 +++ openssh-3.2.3p1/defines.h Sun Jun 9 00:06:06 2002 @@ -262,6 +262,12 @@ }; #endif /* HAVE_SYS_UN_H */ +#ifndef __MINT__ +# define AF_UNIX_ADDRLEN sizeof(struct sockaddr_un) +#else +# define AF_UNIX_ADDRLEN (sizeof(struct sockaddr_un) - 1) +#endif /* __MINT__ */ + #if defined(BROKEN_SYS_TERMIO_H) && !defined(_STRUCT_WINSIZE) #define _STRUCT_WINSIZE struct winsize { diff -u -r openssh-3.2.3p1.orig/ssh-agent.c openssh-3.2.3p1/ssh-agent.c --- openssh-3.2.3p1.orig/ssh-agent.c Fri Apr 5 22:23:36 2002 +++ openssh-3.2.3p1/ssh-agent.c Sun Jun 9 00:03:44 2002 @@ -916,7 +916,7 @@ #ifdef HAVE_CYGWIN prev_mask = umask(0177); #endif - if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0) { + if (bind(sock, (struct sockaddr *) & sunaddr, AF_UNIX_ADDRLEN) < 0) { perror("bind"); #ifdef HAVE_CYGWIN umask(prev_mask); -------------- next part -------------- diff -u -r openssh-3.2.3p1.orig/Makefile.in openssh-3.2.3p1/Makefile.in --- openssh-3.2.3p1.orig/Makefile.in Mon May 13 06:12:04 2002 +++ openssh-3.2.3p1/Makefile.in Sun Jun 2 12:23:18 2002 
@@ -109,33 +109,43 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + stack --size=256k $@ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) + stack --size=256k $@ scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o $(LD) -o $@ scp.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + stack --size=256k $@ ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + stack --size=256k $@ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + stack --size=256k $@ ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + stack --size=256k $@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + stack --size=256k $@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o $(LD) -o $@ sftp-server.o sftp-common.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + stack --size=256k $@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-int.o sftp-common.o sftp-glob.o $(LD) -o $@ sftp.o sftp-client.o sftp-common.o sftp-int.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + stack --size=256k $@ ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + stack --size=256k $@ # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o -------------- next part -------------- diff -u -r openssh-3.2.3p1.orig/ttymodes.h openssh-3.2.3p1/ttymodes.h --- openssh-3.2.3p1.orig/ttymodes.h Tue Mar 5 02:53:04 2002 +++ openssh-3.2.3p1/ttymodes.h Sun Jun 2 12:23:20 2002 
@@ -156,7 +156,9 @@ #if defined(OLCUC) TTYMODE(OLCUC, c_oflag, 71) #endif +#ifdef ONLCR TTYMODE(ONLCR, c_oflag, 72) +#endif #ifdef OCRNL TTYMODE(OCRNL, c_oflag, 73) #endif -------------- next part -------------- diff -u -r openssh-3.2.3p1.orig/configure openssh-3.2.3p1/configure --- openssh-3.2.3p1.orig/configure Wed May 22 07:11:22 2002 +++ openssh-3.2.3p1/configure Sun Jun 2 12:23:22 2002 @@ -3903,6 +3903,12 @@ inet6_default_4in6=yes ;; +*-*-mint*) + cat >>confdefs.h <<\_ACEOF +#define USE_PIPES +_ACEOF + + ;; mips-sony-bsd|mips-sony-newsos4) cat >>confdefs.h <<\_ACEOF #define HAVE_NEWS4 1 diff -u -r openssh-3.2.3p1.orig/configure.ac openssh-3.2.3p1/configure.ac --- openssh-3.2.3p1.orig/configure.ac Wed May 22 03:02:14 2002 +++ openssh-3.2.3p1/configure.ac Sun Jun 2 12:23:22 2002 @@ -159,6 +159,9 @@ AC_DEFINE(PAM_TTY_KLUDGE) inet6_default_4in6=yes ;; +*-*-mint*) + AC_DEFINE(USE_PIPES) + ;; mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(HAVE_NEWS4) SONY=1 -------------- next part -------------- diff -u -r openssh-3.2.3p1.orig/session.c openssh-3.2.3p1/session.c --- openssh-3.2.3p1.orig/session.c Mon May 13 02:48:58 2002 +++ openssh-3.2.3p1/session.c Sun Jun 2 12:23:22 2002 @@ -889,6 +889,12 @@ } if (getenv("TZ")) child_set_env(&env, &envsize, "TZ", getenv("TZ")); +#ifdef __MINT__ + if (getenv("UNIXMODE")) + child_set_env(&env, &envsize, "UNIXMODE", getenv("UNIXMODE")); + if (getenv("PCONVERT")) + child_set_env(&env, &envsize, "PCONVERT", getenv("PCONVERT")); +#endif /* Set custom environment options from RSA authentication. */ if (!options.use_login) { -------------- next part -------------- diff -u -r openssh-3.2.3p1.orig/defines.h openssh-3.2.3p1/defines.h --- openssh-3.2.3p1.orig/defines.h Thu Apr 25 19:56:06 2002 +++ openssh-3.2.3p1/defines.h Sun Jun 2 18:25:20 2002 
@@ -417,7 +417,18 @@ #endif #ifndef HAVE_GETOPT_OPTRESET -#define getopt(ac, av, o) BSDgetopt(ac, av, o) +# undef getopt +# undef opterr +# undef optind +# undef optopt +# undef optreset +# undef optarg +# define getopt(ac, av, o) BSDgetopt(ac, av, o) +# define opterr BSDopterr +# define optind BSDoptind +# define optopt BSDoptopt +# define optreset BSDoptreset +# define optarg BSDoptarg #endif /* In older versions of libpam, pam_strerror takes a single argument */ diff -u -r openssh-3.2.3p1.orig/openbsd-compat/getopt.c openssh-3.2.3p1/openbsd-compat/getopt.c --- openssh-3.2.3p1.orig/openbsd-compat/getopt.c Mon Sep 17 23:34:34 2001 +++ openssh-3.2.3p1/openbsd-compat/getopt.c Sun Jun 2 17:37:10 2002 @@ -42,11 +42,11 @@ #include #include -int opterr = 1, /* if error message should be printed */ - optind = 1, /* index into parent argv vector */ - optopt, /* character checked for validity */ - optreset; /* reset getopt */ -char *optarg; /* argument associated with option */ +int BSDopterr = 1, /* if error message should be printed */ + BSDoptind = 1, /* index into parent argv vector */ + BSDoptopt, /* character checked for validity */ + BSDoptreset; /* reset getopt */ +char *BSDoptarg; /* argument associated with option */ #define BADCH (int)'?' #define BADARG (int)':' 
@@ -66,57 +66,57 @@ static char *place = EMSG; /* option letter processing */ char *oli; /* option letter list index */ - if (optreset || !*place) { /* update scanning pointer */ - optreset = 0; - if (optind >= nargc || *(place = nargv[optind]) != '-') { + if (BSDoptreset || !*place) { /* update scanning pointer */ + BSDoptreset = 0; + if (BSDoptind >= nargc || *(place = nargv[BSDoptind]) != '-') { place = EMSG; return (-1); } if (place[1] && *++place == '-') { /* found "--" */ - ++optind; + ++BSDoptind; place = EMSG; return (-1); } } /* option letter okay? */ - if ((optopt = (int)*place++) == (int)':' || - !(oli = strchr(ostr, optopt))) { + if ((BSDoptopt = (int)*place++) == (int)':' || + !(oli = strchr(ostr, BSDoptopt))) { /* * if the user didn't specify '-' as an option, * assume it means -1. */ - if (optopt == (int)'-') + if (BSDoptopt == (int)'-') return (-1); if (!*place) - ++optind; - if (opterr && *ostr != ':') + ++BSDoptind; + if (BSDopterr && *ostr != ':') (void)fprintf(stderr, - "%s: illegal option -- %c\n", __progname, optopt); + "%s: illegal option -- %c\n", __progname, BSDoptopt); return (BADCH); } if (*++oli != ':') { /* don't need argument */ - optarg = NULL; + BSDoptarg = NULL; if (!*place) - ++optind; + ++BSDoptind; } else { /* need an argument */ if (*place) /* no white space */ - optarg = place; - else if (nargc <= ++optind) { /* no arg */ + BSDoptarg = place; + else if (nargc <= ++BSDoptind) { /* no arg */ place = EMSG; if (*ostr == ':') return (BADARG); - if (opterr) + if (BSDopterr) (void)fprintf(stderr, "%s: option requires an argument -- %c\n", - __progname, optopt); + __progname, BSDoptopt); return (BADCH); } else /* white space */ - optarg = nargv[optind]; + BSDoptarg = nargv[BSDoptind]; place = EMSG; - ++optind; + ++BSDoptind; } - return (optopt); /* dump back option letter */ + return (BSDoptopt); /* dump back option letter */ } #endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */ -------------- next part -------------- diff -u 
-r openssh-3.2.3p1.orig/openbsd-compat/inet_ntop.c openssh-3.2.3p1/openbsd-compat/inet_ntop.c --- openssh-3.2.3p1.orig/openbsd-compat/inet_ntop.c Tue Sep 25 14:21:52 2001 +++ openssh-3.2.3p1/openbsd-compat/inet_ntop.c Sun Jun 2 12:23:24 2002 @@ -54,8 +54,8 @@ * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX. */ -static const char *inet_ntop4 __P((const u_char *src, char *dst, size_t size)); -static const char *inet_ntop6 __P((const u_char *src, char *dst, size_t size)); +static const char *inet_ntop4 __P((const u_char *src, char *dst, socklen_t size)); +static const char *inet_ntop6 __P((const u_char *src, char *dst, socklen_t size)); /* char * * inet_ntop(af, src, dst, size) @@ -70,7 +70,7 @@ int af; const void *src; char *dst; - size_t size; + socklen_t size; { switch (af) { case AF_INET: @@ -99,7 +99,7 @@ inet_ntop4(src, dst, size) const u_char *src; char *dst; - size_t size; + socklen_t size; { static const char fmt[] = "%u.%u.%u.%u"; char tmp[sizeof "255.255.255.255"]; @@ -123,7 +123,7 @@ inet_ntop6(src, dst, size) const u_char *src; char *dst; - size_t size; + socklen_t size; { /* * Note that int32_t and int16_t need only be "at least" large enough diff -u -r openssh-3.2.3p1.orig/openbsd-compat/inet_ntop.h openssh-3.2.3p1/openbsd-compat/inet_ntop.h --- openssh-3.2.3p1.orig/openbsd-compat/inet_ntop.h Thu Aug 9 02:56:52 2001 +++ openssh-3.2.3p1/openbsd-compat/inet_ntop.h Sun Jun 2 12:23:24 2002 @@ -7,7 +7,7 @@ #ifndef HAVE_INET_NTOP const char * -inet_ntop(int af, const void *src, char *dst, size_t size); +inet_ntop(int af, const void *src, char *dst, socklen_t size); #endif /* !HAVE_INET_NTOP */ #endif /* _BSD_INET_NTOP_H */ -------------- next part -------------- diff -u -r openssh-3.2.3p1.orig/pathnames.h openssh-3.2.3p1/pathnames.h --- openssh-3.2.3p1.orig/pathnames.h Mon May 13 05:15:42 2002 +++ openssh-3.2.3p1/pathnames.h Sun Jun 2 12:23:24 2002 
@@ -154,7 +154,7 @@ # ifdef LOGIN_PROGRAM_FALLBACK # define LOGIN_PROGRAM LOGIN_PROGRAM_FALLBACK # else -# define LOGIN_PROGRAM "/usr/bin/login" +# define LOGIN_PROGRAM "/bin/login" # endif #endif /* LOGIN_PROGRAM */ -------------- next part -------------- diff -u -r openssh-3.2.3p1.orig/scp.c openssh-3.2.3p1/scp.c --- openssh-3.2.3p1.orig/scp.c Sat Apr 6 20:30:00 2002 +++ openssh-3.2.3p1/scp.c Sun Jun 2 12:23:24 2002 @@ -500,11 +500,15 @@ name); goto next; } - if ((fd = open(name, O_RDONLY, 0)) < 0) - goto syserr; - if (fstat(fd, &stb) < 0) { -syserr: run_err("%s: %s", name, strerror(errno)); - goto next; + if ((fd = open(name, O_RDONLY, 0)) < 0) { + if ((errno != EISDIR) || (stat(name, &stb) < 0)) + goto syserr; + } + else { + if (fstat(fd, &stb) < 0) { +syserr: run_err("%s: %s", name, strerror(errno)); + goto next; + } } switch (stb.st_mode & S_IFMT) { case S_IFREG: -------------- next part -------------- diff -u -r openssh-3.2.3p1.orig/ssh-agent.c openssh-3.2.3p1/ssh-agent.c --- openssh-3.2.3p1.orig/ssh-agent.c Fri Apr 5 22:23:36 2002 +++ openssh-3.2.3p1/ssh-agent.c Sun Jun 2 12:23:26 2002 @@ -985,7 +991,7 @@ #ifdef HAVE_SETRLIMIT /* deny core dumps, since memory contains unencrypted private keys */ rlim.rlim_cur = rlim.rlim_max = 0; - if (setrlimit(RLIMIT_CORE, &rlim) < 0) { + if (setrlimit(RLIMIT_CORE, &rlim) < 0 && errno != EINVAL) { error("setrlimit RLIMIT_CORE: %s", strerror(errno)); cleanup_exit(1); } diff -u -r openssh-3.2.3p1.orig/ssh.c openssh-3.2.3p1/ssh.c --- openssh-3.2.3p1.orig/ssh.c Tue Apr 23 13:09:46 2002 +++ openssh-3.2.3p1/ssh.c Sun Jun 2 12:23:24 2002 
@@ -277,7 +277,7 @@ if (original_real_uid != original_effective_uid) { struct rlimit rlim; rlim.rlim_cur = rlim.rlim_max = 0; - if (setrlimit(RLIMIT_CORE, &rlim) < 0) + if (setrlimit(RLIMIT_CORE, &rlim) < 0 && errno != EINVAL) fatal("setrlimit failed: %.100s", strerror(errno)); } #endif -------------- next part -------------- diff -u -r openssh-3.2.3p1.orig/ssh-keyscan.c openssh-3.2.3p1/ssh-keyscan.c --- openssh-3.2.3p1.orig/ssh-keyscan.c Fri Apr 5 22:23:36 2002 +++ openssh-3.2.3p1/ssh-keyscan.c Sun Jun 2 12:23:26 2002 @@ -501,6 +501,13 @@ cp++; } if (n < 0) { +#ifdef __MINT__ + /* MiNT seems to return non-ready socket descriptors in + * select() when the corresponding socket is non-blocking + */ + if ((errno == EAGAIN) || (errno = ENOTCONN)) + return; +#endif if (errno != ECONNREFUSED) error("read (%s): %s", c->c_name, strerror(errno)); conrecycle(s); -------------- next part -------------- diff -u -r openssh-3.2.3p1.orig/sshtty.c openssh-3.2.3p1/sshtty.c --- openssh-3.2.3p1.orig/sshtty.c Tue Mar 5 02:53:04 2002 +++ openssh-3.2.3p1/sshtty.c Sun Jun 2 12:23:26 2002 @@ -73,6 +73,8 @@ { struct termios tio; + if (_in_raw_mode) + return; if (tcgetattr(fileno(stdin), &tio) == -1) { perror("tcgetattr"); return; @@ -81,7 +83,7 @@ tio.c_iflag |= IGNPAR; tio.c_iflag &= ~(ISTRIP | INLCR | IGNCR | ICRNL | IXON | IXANY | IXOFF); tio.c_lflag &= ~(ISIG | ICANON | ECHO | ECHOE | ECHOK | ECHONL); -#ifdef IEXTEN +#if defined(IEXTEN) && !defined(__MINT__) tio.c_lflag &= ~IEXTEN; #endif tio.c_oflag &= ~OPOST; From mouring at etoh.eviladmin.org Tue Jun 11 00:46:45 2002 
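Review bot: AF_UNIX_ADDRLEN in the defines.h hunk is a fixed `sizeof(struct sockaddr_un) - 1` on __MINT__ and `sizeof(struct sockaddr_un)` elsewhere, so the four bind()/connect() call sites (authfd.c, channels.c at 2439 and 2772, ssh-agent.c at 916) still pass the size of the whole buffer, not the length of the address that was actually filled in. Since the FreeMiNT rule the cover note gives is "namelen must not include the trailing NUL", a length derived from the path would satisfy it on every platform and would not depend on what follows the NUL in sun_path; for example a macro that takes the sockaddr and evaluates `offsetof(struct sockaddr_un, sun_path) + strlen((sa)->sun_path)` (plus one where the platform wants the NUL counted). That also removes the need for a platform `#ifdef` in defines.h.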
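Review bot: the `stack --size=256k $@` line appended to every link rule in the Makefile.in hunk runs unconditionally, so each non-FreeMiNT build fails at link time when `stack` is not found (the cover note acknowledges this). Make it a configure-substituted variable, e.g. `@FIXUP_STACK@` set to `stack --size=256k` for `*-*-mint*` and to `:` otherwise, and write `$(FIXUP_STACK) $@` once per rule; that also keeps the 256k figure, currently repeated ten times, in one place, and fits the `@NO_SFTP@` style the maintainers suggested.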
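Review bot: the configure hunk patches the generated script in addition to configure.ac. Submit only the configure.ac change (`*-*-mint*) AC_DEFINE(USE_PIPES) ;;`), which is consistent with the neighbouring platform cases; the generated configure is regenerated by the maintainers and a hand-edited copy goes stale at the next autoreconf while tripling the size of the diff.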
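Review bot: the session.c hunk passes UNIXMODE and PCONVERT from sshd's own environment into every child's environment, the same way TZ is passed just above it, but the reason lives only in the cover note. Put it in a comment inside the `#ifdef __MINT__` block (they steer the C library's pathname translation, so a child started without them interprets paths differently from the sshd that spawned it); nobody reviewing session.c later will have a FreeMiNT box to rediscover that on.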
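Review bot: the defines.h getopt hunk keys the `optind`/`optarg`/`opterr`/`optopt`/`optreset` renames off `#ifndef HAVE_GETOPT_OPTRESET`, while the renamed globals in openbsd-compat/getopt.c are compiled under `!defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET)` (visible in that file's closing `#endif`). When the two conditions disagree, callers reference BSDoptind with no definition, or the compat globals are built but never used; use one macro in both places. Note also that the `#define optind BSDoptind` rewrites any `extern int optind;` a system header declares after defines.h is included, which is what makes the static link succeed; a comment saying so would save the next person from "fixing" the include order.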
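Review bot: the inet_ntop.[ch] hunks change the size parameter from size_t to socklen_t at every declaration and definition, which is the prototype POSIX gives for inet_ntop(), so the change stands on its own merits and not only for FreeMiNT. inet_ntop.h is only used when HAVE_INET_NTOP is undefined, so the effect is confined to platforms that use the compat function; if the maintainers prefer to keep size_t, a `#ifdef __MINT__` typedef for the parameter type would limit the change to the one platform whose header declares the function its libc lacks.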
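Review bot: the pathnames.h hunk changes the LOGIN_PROGRAM fallback for every platform to suit one platform's layout. If /bin/login is where FreeMiNT keeps it, extend configure's search for the login program (or use --with-login-program) instead; the fallback only applies when configure found nothing, and a build that reaches it is already misconfigured, which is better failed loudly than guessed at.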
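Review bot: the scp.c hunk falls back from the fd-based open()/fstat() pair to a path-based stat() when open() fails with EISDIR, and does so on every platform rather than under `#ifdef __MINT__` like the other FreeMiNT-specific hunks. scp stats the open descriptor on purpose, so the object it checks is the object it reads; confining the fallback to the platform that cannot open() directories keeps that property elsewhere. The `goto syserr;` in the new `if` branch jumps to a label inside the `else` block, which compiles but is hard to follow; `if ((fd = open(...)) < 0) { if (errno != EISDIR || stat(name, &stb) < 0) { run_err(...); goto next; } } else if (fstat(fd, &stb) < 0) { run_err(...); goto next; }` reads better. Also confirm that the `next:` label only closes fd when it is not -1, since a directory now reaches the S_IFDIR case with no descriptor.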
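Review bot: the ssh-agent.c hunk lets setrlimit(RLIMIT_CORE) fail with EINVAL on every platform, yet the comment two lines above it says the limit exists because memory contains unencrypted private keys. On a system that can dump core, EINVAL means the call was rejected and the previous limit is still in force, so the agent would carry on with its keys dumpable and without a log line. Gate the tolerance under `#ifdef __MINT__` (the only platform the cover note says returns EINVAL here), or at least keep an error() for the ignored case and read the limit back with getrlimit() before continuing.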
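Review bot: the ssh.c hunk has the same weakness as the ssh-agent.c one, and in a worse spot: the block only runs when `original_real_uid != original_effective_uid`, that is when ssh is set-uid and may hold material the invoking user cannot read, which is exactly when a core file must not be written. Tolerate EINVAL only under `#ifdef __MINT__` and keep the fatal() everywhere else.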
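Review bot: `(errno == EAGAIN) || (errno = ENOTCONN)` in the ssh-keyscan.c hunk assigns ENOTCONN to errno instead of comparing, so the condition is always true: on __MINT__ every failed read() returns silently, conrecycle() is never reached, and the real errno is overwritten before the error() below could report it. It should read `errno == ENOTCONN`. The extra parentheses also suppress the compiler's assignment-in-condition warning, so -Wall will not catch this. Even after the fix, returning without conrecycle() relies on select() reporting the descriptor again; a comment stating that this is the intended retry path would help.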
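Review bot: in the sshtty.c hunk the `if (_in_raw_mode) return;` guard is independent of FreeMiNT and could be submitted on its own. Keeping IEXTEN set under `#if defined(IEXTEN) && !defined(__MINT__)` means the local tty keeps interpreting the extended control characters (LNEXT, DISCARD and whatever the platform ioctl maps) instead of passing them to the remote side; that is the trade-off the cover note describes, so record it in a comment next to the `#if` rather than leaving the platform exception unexplained.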
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 10 Jun 2002 09:46:45 -0500 (CDT) Subject: Patches for compiling / using portable OpenSSH on FreeMiNT? In-Reply-To: <20020610113959.A4432383@ohm.arago.de> Message-ID: On Mon, 10 Jun 2002, Thomas Binder wrote: > Hi! > > On Thu, Jun 06, 2002 at 09:27:33AM -0500, Ben Lindstrom wrote: > > Post them, people will comment. If they are correct and > > acceptable. We will merge them. Otherwise we won't. =) > > OK, here we go. Attached are 12 patch files: > [..] > > 4. openssh-3.2.3p1-getopt.patch > > For some reason, GNU ld chokes on optind being multiply defined, > thus this patch prefixes all global variables in > openbsd-compat/getopt.c with BSD and adds corresponding macros to > defines.h > I assume you're statically compiling? Others have had issues because of this since native getopt.c lacks the 'optreset' concept, and sadly some misguided person put it in libc instead of its own library or designing it a bit more intelligently. I'd like others that are having static compile issues to try this. This may solve their problem also. > 5. openssh-3.2.3p1-inet_ntop.patch > > This patch will most probably no longer be necessary with the next > version of FreeMiNT's C library. The problem is that the header > files define inet_ntop(), but the library is actually missing the > function. Thus, configure correctly does not define > HAVE_INET_NTOP, but the system header's prototype for inet_ntop() > does not match the one in openbsd-compat/inet_ntop.[ch] > const char * inet_ntop(int af, const void *src, char *dst, size_t size); Every platform around me that has inet_ntop defined is set that way. Unless there is a very good reason to change it, I'm inclined not to. > 6. openssh-3.2.3p1-Makefile.patch > > As FreeMiNT needs to maintain TOS compatibility, a program's stack > size needs to be set at runtime. 
The default stack size created by > the linker is too small for the recursion level of some of > OpenSSH's binaries (especially ssh-keygen), thus one needs to > "inject" a larger default stack size into the binaries using a > special binary utility. > > This patch adds the necessary calls to this utility, but > unfortunately, I've no idea how to add these lines to > Makefile.in in a way that configure will only include them in > the final Makefile for FreeMiNT, not for other systems. > Make it a separate target and follow how @NO_SFTP@ works. Only issue you're going to run into is maintaining that list since we can and do miss things if we don't run the OSes ourselves. [..] > 8. openssh-3.2.3p1-path_to_login.patch > > Not a really important patch, but nonetheless I think it's better > to assume /bin/login instead of /usr/bin/login if none is found at > configure time. > Won't happen. Don't see a need in changing it. If configure.ac can't find a login program then no matter what default we use is wrong. Changing it does not improve anything. > 9. openssh-3.2.3p1-scp.patch > > FreeMiNT cannot open() directories, thus this patch will fall back > to stat() if open() fails with EISDIR. Without that, recursive > copying won't work with FreeMiNT. > > 10. openssh-3.2.3p1-setrlimit.patch > > FreeMiNT cannot dump core, thus setrlimit(RLIMIT_CORE) correctly > (IMO) fails with EINVAL ("An invalid resource was specified"). > This patch therefore allows setrlimit(RLIMIT_CORE) to fail with > EINVAL (but not with other error codes). > I need to let others comment on these two. I'm not very fond of how they are implemented. - Ben From ja2morri at student.math.uwaterloo.ca Tue Jun 11 01:22:00 2002 
From: ja2morri at student.math.uwaterloo.ca (James A Morrison) Date: Mon, 10 Jun 2002 11:22:00 -0400 (EDT) Subject: Patches for compiling / using portable OpenSSH on FreeMiNT? In-Reply-To: (message from Ben Lindstrom on Mon, 10 Jun 2002 09:46:45 -0500 (CDT)) References: Message-ID: <200206101522.LAA11168@rees.math.uwaterloo.ca> 
> [Ben Lindstrom's message of Mon, 10 Jun 2002 09:46:45 -0500 (CDT) quoted in full] Looking at the error descriptions in the glibc manual, it seems ENOTSUP would be a better error to return for setrlimit(RLIMIT_CORE). 
I think that ssh should work on systems that return ENOSYS or ENOTSUP, or those systems should be fixed so that setrlimit works. Usually EINVAL is used when programs pass invalid arguments to a function, so I don't think we should ever overlook an EINVAL error. Here are the descriptions.

 - Macro: int EINVAL
     Invalid argument. This is used to indicate various kinds of problems with passing the wrong argument to a library function.

 - Macro: int ENOTSUP
     Not supported. A function returns this error when certain parameter values are valid, but the functionality they request is not available. This can mean that the function does not implement a particular command or option value or flag bit at all. For functions that operate on some object given in a parameter, such as a file descriptor or a port, it might instead mean that only _that specific object_ (file descriptor, port, etc.) is unable to support the other parameters given; different file descriptors might support different ranges of parameter values. If the entire function is not available at all in the implementation, it returns `ENOSYS' instead.

 - Macro: int ENOSYS
     Function not implemented. This indicates that the function called is not implemented at all, either in the C library itself or in the operating system. When you get this error, you can be sure that this particular function will always fail with `ENOSYS' unless you install a new version of the C library or the operating system.

From cmadams at hiwaay.net Tue Jun 11 01:31:27 2002 
From: cmadams at hiwaay.net (Chris Adams) Date: Mon, 10 Jun 2002 10:31:27 -0500 Subject: Patches for compiling / using portable OpenSSH on FreeMiNT? In-Reply-To: <200206101522.LAA11168@rees.math.uwaterloo.ca>; from ja2morri@student.math.uwaterloo.ca on Mon, Jun 10, 2002 at 11:22:00AM -0400 References: <200206101522.LAA11168@rees.math.uwaterloo.ca> Message-ID: <20020610103127.B175963@hiwaay.net> Once upon a time, James A Morrison said: > Looking at the error descriptions, in the glibc manual, it seems ENOTSUP would > be a better error to return for setrlimit(RLIMIT_CORE). I think that ssh > should work on systems that return ENOSYS or ENOTSUP, or those systems should > be fixed so that setrlimit works. Usually EINVAL is used when programs pass > invalid arguments to a function, so I don't think we should ever overlook an > EINVAL error. According to the Single Unix Specification:

    The getrlimit() and setrlimit() functions will fail if:
    [EINVAL] An invalid resource was specified; or in a setrlimit() call, the new rlim_cur exceeds the new rlim_max.
    [EPERM]  The limit specified to setrlimit() would have raised the maximum limit value, and the calling process does not have appropriate privileges.

    The setrlimit() function may fail if:
    [EINVAL] The limit specified cannot be lowered because current usage is already higher than the limit.

So, EINVAL is the correct error to return if an unsupported resource is specified. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From willi at sevenval.de Tue Jun 11 02:24:23 2002 
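The errno debate above (is EINVAL, ENOTSUP or ENOSYS the right signal for "this platform cannot dump core", and which of them may a program tolerate?) is really a policy decision for the caller, and the patched hunks state the stake: the limit exists because process memory holds unencrypted private keys. The added C example below is not code from the thread or from OpenSSH. It makes the policy explicit and fail-closed: ENOSYS/ENOTSUP are accepted everywhere as "not supported", EINVAL only where the caller opts in (standing for a build-time platform flag such as the FreeMiNT case), everything else is a hard failure, and after a successful setrlimit() the limit is read back with getrlimit() rather than trusted from the return value. The enum and function names are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/resource.h>

/* Added example: fail-closed core-dump lockout with an explicit errno policy.
 * Not OpenSSH code. */

enum core_deny_result {
    CORE_DENIED = 0,      /* limit set to 0/0 and verified by reading it back */
    CORE_UNSUPPORTED = 1, /* platform reports it cannot dump core at all */
    CORE_FAILED = 2       /* anything else: caller should treat as fatal */
};

/* Policy: which setrlimit() errno values mean "no core dumps on this platform".
 * ENOSYS and ENOTSUP are accepted everywhere. EINVAL is accepted only when
 * allow_einval is set, i.e. on a platform known at build time to return it
 * for an unsupported resource; elsewhere EINVAL means the arguments were
 * rejected and the previous (possibly unlimited) core limit still applies. */
enum core_deny_result
classify_setrlimit_errno(int e, int allow_einval)
{
    if (e == ENOSYS)
        return CORE_UNSUPPORTED;
#ifdef ENOTSUP
    if (e == ENOTSUP)
        return CORE_UNSUPPORTED;
#endif
    if (e == EINVAL && allow_einval)
        return CORE_UNSUPPORTED;
    return CORE_FAILED;
}

/* Returns 1 if the soft core limit of the calling process is zero, else 0
 * (including when getrlimit() itself fails). */
int
core_limit_is_zero(void)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_CORE, &rl) < 0)
        return 0;
    return rl.rlim_cur == 0;
}

/* Sets RLIMIT_CORE to 0/0 and verifies it took effect. saved_errno, if not
 * NULL, receives the errno behind a CORE_FAILED or CORE_UNSUPPORTED result
 * (0 when the call succeeded) so the caller can log it. */
enum core_deny_result
deny_core_dumps(int allow_einval, int *saved_errno)
{
    struct rlimit rl;

    rl.rlim_cur = rl.rlim_max = 0;
    if (setrlimit(RLIMIT_CORE, &rl) < 0) {
        int e = errno;          /* capture before any other call clobbers it */
        if (saved_errno != NULL)
            *saved_errno = e;
        return classify_setrlimit_errno(e, allow_einval);
    }
    if (saved_errno != NULL)
        *saved_errno = 0;
    /* Do not trust the return value alone: read the limit back. */
    if (!core_limit_is_zero())
        return CORE_FAILED;
    return CORE_DENIED;
}
```

A daemon holding key material would call `deny_core_dumps(PLATFORM_EINVAL_MEANS_UNSUPPORTED, &e)` early in startup and treat `CORE_FAILED` as fatal, logging `strerror(e)`; `CORE_UNSUPPORTED` is the only outcome that may be downgraded to a warning, and only because the policy function has already decided that on this platform the error really does mean "no core files".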
From: willi at sevenval.de (Wilfried Goesgens) Date: Mon, 10 Jun 2002 18:24:23 +0200 Subject: debugging connection establishing Message-ID: <20020610162423.GF6687@torres> As I've experienced in the last days, finding an error in your ssh authentication phase is very hard, since even triple debugging doesn't give any reason why an authentication method fails, just that it does. In my /etc/ssh/ssh_config was a line stating

    IdentityFile ~/.ssh/identity

while protocol was set to 2. It didn't even notify me that the file did not contain the key for the version 2 authentication, nor afterwards that this file didn't exist. And the failing authentication method also didn't tell me that there is no local key. I think your debug output should target a bit more the errors caused by configuration errors than general protocol output, which doesn't tell usual users much useful information. Wilfried Goesgens If you have any additional questions, please CC me, because I'm not subscribed. From binder at arago.de Tue Jun 11 02:35:01 2002 
From: binder at arago.de (Thomas Binder) Date: Mon, 10 Jun 2002 18:35:01 +0200 Subject: Patches for compiling / using portable OpenSSH on FreeMiNT? In-Reply-To: ; from mouring@etoh.eviladmin.org on Mon, Jun 10, 2002 at 09:46:45AM -0500 References: <20020610113959.A4432383@ohm.arago.de> Message-ID: <20020610183501.A4650927@ohm.arago.de> Hi! On Mon, Jun 10, 2002 at 09:46:45AM -0500, Ben Lindstrom wrote: > > 4. openssh-3.2.3p1-getopt.patch > > I assume you're statically compiling? Yes, as FreeMiNT currently has no support for real shared libraries. > > 5. openssh-3.2.3p1-inet_ntop.patch > > const char * > inet_ntop(int af, const void *src, char *dst, size_t size); > > Every platform around me that has inet_ntop defined is set that way. > Unless there is a very good reason to change it, I'm inclined not > to. As said, this has already been fixed in the C lib's CVS repository, so this patch isn't really something to worry about. > > 6. openssh-3.2.3p1-Makefile.patch > > Make it a separate target and follow how @NO_SFTP@ works. Only > issue you're going to run into is maintaining that list since we > can and do miss things if we don't run the OSes ourselves. I'll try to, but I have to admit I've never worked with the auto* collection of tools yet. Is there some helpful introduction to them somewhere? > > 8. openssh-3.2.3p1-path_to_login.patch > > Won't happen. Don't see a need in changing it. If configure.ac > can't find a login program then no matter what default we use is > wrong. Changing it does not improve anything. Well, I said it's not necessary at all. But configure not being able to find a specific file that is not directly needed for compiling does not mean it's not available at all. E.g., you can compile OpenSSH supplying --with-prngd-socket, even when there is no egd/prngd running on the build host at all. > > 9. openssh-3.2.3p1-scp.patch > > > > 10. openssh-3.2.3p1-setrlimit.patch > > I need to let others comment on these two. 
I'm not very fond > of how they are implemented. Why is that? Ciao Thomas From cleber.junior at atl.com.br Tue Jun 11 08:43:51 2002 
From: cleber.junior at atl.com.br (Jorge Cleber Teixeira de Almeida Junior)
Date: Mon, 10 Jun 2002 19:43:51 -0300
Subject: OpenSSH with slow login
Message-ID:

Hi,

I have installed OpenSSH on a HP-UX 11.00 and I am having a problem. It takes 5 minutes to log in, after I enter my login and password. I try to connect from a Windows machine having a Tera Term SSH client to the HP-UX with the OpenSSH server.

Why does it take so long (5 minutes) to establish a connection from a remote machine to this OpenSSH server? When I do Telnet to the same machine, it takes just 3 seconds!!

I installed the following:

- ZLIB 1.1.4 http://gatekeep.cs.utah.edu/ftp/hpux/Misc/zlib-1.1.4/zlib-1.1.4-sd-11.00.depot.gz
- OpenSSL 0.9.6 http://gatekeep.cs.utah.edu/ftp/hpux/Languages/openssl-0.9.6/openssl-0.9.6-sd-11.00.depot.gz
- OpenSSH 3.1p1 http://gatekeep.cs.utah.edu/ftp/hpux/Networking/Admin/openssh-3.1p1/openssh-3.1p1-sd-11.00.depot.gz

After this installation, I did the following steps:

1- cd /opt/openssh2/bin ; chmod 4711 ssh
2- cd /opt/openssh2/etc
   mv moduli.out moduli
   mv ssh_config.out ssh_config
   mv ssh_prng_cmds.out ssh_prng_cmds
   mv sshd_config.out sshd_config
3- Generate the keys:
   cd /opt/openssh2/bin
   ./ssh-keygen -t rsa1 -f /opt/openssh2/etc/ssh_host_key -N ""
   ./ssh-keygen -t dsa -f /opt/openssh2/etc/ssh_host_dsa_key -N ""
   ./ssh-keygen -t rsa -f /opt/openssh2/etc/ssh_host_rsa_key -N ""

Can anyone help me?

regards,
Jorge Cleber JUNIOR

====================================================================
The content of this message and all its attachments is for restricted, confidential use and is legally protected, being addressed only to the recipient(s), and must not be disclosed without prior authorization. If you are not the recipient of this message, or the person responsible for delivering it, you are not authorized to reveal, copy, distribute or retain this message or any part of it. Improper use will be dealt with according to the rules of ATL - ALGAR TELECOM LESTE S/A. Opinions, conclusions or other information in this message that do not relate to ATL's line of business are to be understood as not being provided by, nor the responsibility of, this company.
====================================================================

From dan at doxpara.com Tue Jun 11 09:50:56 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Mon, 10 Jun 2002 16:50:56 -0700
Subject: OpenSSH with slow login
References:
Message-ID: <000b01c210d9$a9f09860$1701000a@effugas>

Last I checked, there are DNS dependencies that need to be scrubbed out with extreme prejudice. DNS lookups block.

And no, we can't blame security, because we can't trust DNS for security decisions :-)

--Dan

----- Original Message -----
From: "Jorge Cleber Teixeira de Almeida Junior"
To:
Sent: Monday, June 10, 2002 3:43 PM
Subject: OpenSSH with slow login
From kevin at atomicgears.com Tue Jun 11 09:38:38 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Mon, 10 Jun 2002 16:38:38 -0700
Subject: OpenSSH with slow login
In-Reply-To:
References:
Message-ID: <20020610233838.GC3249@jenny.crlsca.adelphia.net>

On Mon, Jun 10, 2002 at 07:43:51PM -0300, Jorge Cleber Teixeira de Almeida Junior wrote:
> I have installed Openssh on a HP-UX 11.00 and I am having a problem. It
> lasts 5 minutes to login, after I enter my login and password.
> I try to connect from a Windows machine having a Tera Term SSH client to the
> HP UX with the OpenSSH server ?
>
> Why does it take so long time (5 minutes) to establish a connection from a
> remote machine to this openssh server ?
> When I do Telnet to the same machine, it takes just 3 seconds !!

run sshd -ddd to see where it pauses. also look at the sshd -u option. my guess is DNS delays for reverse mapping.

From markus at openbsd.org Tue Jun 11 11:47:56 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 11 Jun 2002 03:47:56 +0200
Subject: OpenSSH with slow login
In-Reply-To: <000b01c210d9$a9f09860$1701000a@effugas>
References: <000b01c210d9$a9f09860$1701000a@effugas>
Message-ID: <20020611014756.GA2516@faui02>

On Mon, Jun 10, 2002 at 04:50:56PM -0700, Dan Kaminsky wrote:
> Last I checked, there are DNS dependencies that need to be scrubbed out with
> extreme prejudice. DNS lookups block.

where? are you using -u0?

From tomh at po.crl.go.jp Tue Jun 11 16:23:57 2002
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Tue, 11 Jun 2002 15:23:57 +0900 (JST)
Subject: compile failure on alpha
In-Reply-To:
Message-ID:

20020610 snapshot (possibly earlier ones too, I haven't checked in a while), Alpha, Redhat base, Linux 2.4.19-pre8

configure ; make
...
sshconnect.c: In function `sockaddr_ntop':
sshconnect.c:51: structure has no member named `sa_len'

Perhaps it should be SA_LEN(moo) instead of moo->sa_len.

From Frank.Beckmann at vodafone.de Tue Jun 11 22:09:51 2002
From: Frank.Beckmann at vodafone.de (Frank Beckmann)
Date: Tue, 11 Jun 2002 14:09:51 +0200
Subject: SSH / PAM Problem
Message-ID: <3D05E88F.10406@vodafone.de>

Hello,

since my English is not so good and misunderstandings could also arise in translation, here is the original :-)

The problem is that with the combination of openssh, pam and ldap, the connection to the LDAP server is kept open until the ssh session is closed. This is only the case with SSH! All other services contact the server and close the session to the LDAP server after the password has been confirmed. Open sockets are not so great, since with our number of users there would eventually be no free sockets left.

Greetings from Düsseldorf

Frank Beckmann

-------- Original Message --------
Subject: SSH / PAM Problem
Date: Tue, 11 Jun 2002 13:34:46 +0200
From: Cengiz Tuztas
Company: Sun Microsystems GmbH
To: Frank.Beckmann at vodafone.de, Stefan.Altgen at vodafone.de

Hello *,

the problem with ssh and pam is that sshd takes hold of pam but only releases it again when the user ends the session. To do this, pam_start is called first. This authenticates the user based on pam.conf. Then account management is carried out. Finally comes session. These stages are run through in a PAM-conformant manner. However, after session has been carried out, pam_end is not called. pam_end calls the cleanup callbacks of the individual modules. Since this is not called, open file handles are held and sockets are not closed. pam_end is only called when the user ends the connection.

I hope it isn't all too confusing.

Regards
Cengiz

---------------------------------------------------------
This Mail has been checked for Viruses
Attention: Encrypted mails can NOT be checked!
---------------------------------------------------------

--
Frank Beckmann
Dept. FBTU
Tel: 0211 533-5758
Fax: 0211 533-1451
Mail Frank.Beckmann at vodafone.de

From hari at isofttechindia.com Tue Jun 11 23:08:35 2002
From: hari at isofttechindia.com (Hari)
Date: Tue, 11 Jun 2002 18:38:35 +0530
Subject: ssh hang on wrong port - is it a bug ?
Message-ID:

Hi,

The ssh client program seems to hang when given a wrong port number (a port on which some other server, like telnetd, is running). "netstat -an" shows the connection is established. I expect the ssh program to report an invalid server message and exit. Is this a bug or known behaviour???

I have attached the -v -v -v output.

Thanks,
Hari

[hari at linux ssh]$ /usr/bin/ssh -v -v -v -p 23 hari at 192.168.0.3
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 502 geteuid 0 anon 0
debug: Connecting to 192.168.0.3 [192.168.0.3] port 23.
debug: Allocated local port 1023.
debug: Connection established.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020611/34ce1f9a/attachment.html

From cleber.junior at atl.com.br Wed Jun 12 00:14:18 2002
From: cleber.junior at atl.com.br (Jorge Cleber Teixeira de Almeida Junior)
Date: Tue, 11 Jun 2002 11:14:18 -0300
Subject: RES: OpenSSH with slow login
Message-ID:

I guess it is not a DNS problem, because either using name or IP, I always have the problem.

I guess the problem is that I am using ssh on inetd.conf (sshd -i), so it has to generate a key each time I start a session. What do you think?

-----Original Message-----
From: Dan Kaminsky [mailto:dan at doxpara.com]
Sent: Monday, June 10, 2002 20:51
To: Jorge Cleber Teixeira de Almeida Junior; openssh-unix-dev at mindrot.org
Subject: Re: OpenSSH with slow login

Last I checked, there are DNS dependencies that need to be scrubbed out with extreme prejudice. DNS lookups block.

And no, we can't blame security, because we can't trust DNS for security decisions :-)

--Dan

----- Original Message -----
From: "Jorge Cleber Teixeira de Almeida Junior"
To:
Sent: Monday, June 10, 2002 3:43 PM
Subject: OpenSSH with slow login
From cleber.junior at atl.com.br Wed Jun 12 00:17:44 2002
From: cleber.junior at atl.com.br (Jorge Cleber Teixeira de Almeida Junior)
Date: Tue, 11 Jun 2002 11:17:44 -0300
Subject: RES: OpenSSH with slow login
Message-ID:

If it is a DNS problem, how can I solve this problem?

-----Original Message-----
From: Kevin Steves [mailto:kevin at atomicgears.com]
Sent: Monday, June 10, 2002 20:39
To: Jorge Cleber Teixeira de Almeida Junior
Cc: 'openssh-unix-dev at mindrot.org'; stevesk at pobox.com
Subject: Re: OpenSSH with slow login

On Mon, Jun 10, 2002 at 07:43:51PM -0300, Jorge Cleber Teixeira de Almeida Junior wrote:
> I have installed Openssh on a HP-UX 11.00 and I am having a problem. It
> lasts 5 minutes to login, after I enter my login and password.
> I try to connect from a Windows machine having a Tera Term SSH client to the
> HP UX with the OpenSSH server ?
>
> Why does it take so long time (5 minutes) to establish a connection from a
> remote machine to this openssh server ?
> When I do Telnet to the same machine, it takes just 3 seconds !!

run sshd -ddd to see where it pauses. also look at the sshd -u option. my guess is DNS delays for reverse mapping.
From bugzilla-daemon at mindrot.org Wed Jun 12 00:21:19 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 12 Jun 2002 00:21:19 +1000 (EST)
Subject: [Bug 200] readline support for sftp
Message-ID: <20020611142119.222CCE940@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=200

------- Additional Comments From dtucker at zip.com.au 2002-06-12 00:21 -------

I tried it on NetBSD/sparc 1.5.2. The first problem was obvious:

gcc [flags] -c sftp-int.c
sftp-int.c:32: readline/readline.h: No such file or directory
sftp-int.c:33: readline/history.h: No such file or directory
*** Error code 1

readline.h and history.h are in /usr/include/. Fixing that and moving on, I got

gcc [flags] -c sftp-int.c
sftp-int.c: In function `rl_remote_match':
sftp-int.c:901: `rl_completion_append_character' undeclared (first use in this function)
sftp-int.c:901: (Each undeclared identifier is reported only once
sftp-int.c:901: for each function it appears in.)
sftp-int.c: In function `rl_remote_list':
sftp-int.c:930: warning: implicit declaration of function `rl_display_match_list'
sftp-int.c:931: warning: implicit declaration of function `rl_forced_update_display'
sftp-int.c: In function `glob_match':
sftp-int.c:942: `rl_completion_display_matches_hook' undeclared (first use in this function)
sftp-int.c:948: warning: implicit declaration of function `rl_filename_completion_function'
sftp-int.c:948: warning: assignment makes pointer from integer without a cast
sftp-int.c: In function `sftp_completion':
sftp-int.c:986: warning: implicit declaration of function `rl_completion_matches'
sftp-int.c:986: warning: assignment makes pointer from integer without a cast
sftp-int.c: In function `interactive_loop':
sftp-int.c:1080: warning: assignment from incompatible pointer type
*** Error code 1

libedit doesn't seem to have either of rl_completion_append_character or rl_completion_display_matches_hook.
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

From bugzilla-daemon at mindrot.org Wed Jun 12 00:43:13 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 12 Jun 2002 00:43:13 +1000 (EST)
Subject: [Bug 271] New: SSHD should unblock SIGCHLD - POSIX signal blocks survive exec()
Message-ID: <20020611144313.87295E937@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=271

Summary: SSHD should unblock SIGCHLD - POSIX signal blocks survive exec()
Product: Portable OpenSSH
Version: -current
Platform: Other
OS/Version: other
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: Nicolas.Williams at ubsw.com

POSIX requires that signal block masks be inherited across exec() calls. As a result, any program that needs to use specific signals and which has no good reason to accept inheritance of blocking of such signals should explicitly unblock those signals. Furthermore, login-type programs should really unblock all signals, IMO (I have yet to find a scenario where I'd want my login shell to inherit and keep any non-empty signal mask).

If sshd is started with SIGCHLD (SIGCLD) blocked then sshd ends up failing to notice the death of child processes, and therefore SSHv2 sessions hang on exit.

Diagnosis is trivial on any OS that provides tools for inspecting the signal disposition of a process: if an sshd has at least one defunct process, sleeps in poll()/select() and has SIGCHLD blocked, and its SSHv2 client is hanging on exit, then the sshd must have been started with SIGCHLD blocked.

Out of thousands of installations I have witnessed this behaviour on three systems.

At the very least sshd should, early on, use sigprocmask() to retrieve the current mask, clear SIGCHLD from the mask and set the modified mask. Preferably, perhaps, sshd should set an empty signal mask before exec()ing any program on behalf of a client. Most shells (I've checked a few, including Bash) clear SIGCHLD from the signal mask, but generally don't clear all other signals from the mask.
NOTE: sigprocmask() can have its new signal mask pointer argument given as NULL, in which case sigprocmask() should only retrieve the current mask and ignore its first argument, but the compatibility shim provided by portable OpenSSH does not support this mode of operation. This can be fixed with a one-liner.

NOTE: This issue is relevant to all POSIX-compatible platforms.

Thoughts?

Nico

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From dtucker at zip.com.au Wed Jun 12 01:07:23 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 12 Jun 2002 01:07:23 +1000
Subject: ssh hang on wrong port - is it a bug ?
References:
Message-ID: <3D06122B.78CB9B83@zip.com.au>

> Hari wrote:
> ssh client program seems to hang when specified a wrong port no (port
> on which some other server, like telnetd is running).

Don't do that, then.

> "netstat -an" shows the connection is established.
> I expect the ssh program to report invalid server msg and exit.
> Is this a bug or known behaviour ???

ssh is probably waiting for the SSH server banner. telnetd is probably waiting for a response to telnet option negotiation. Stalemate.

A quick experiment here shows the same behaviour for ftp & http servers. I expected it for http (it doesn't say anything when you connect, so it is indistinguishable from a slow ssh server) but I would have thought the ftp server banner would have caused ssh to abort (like sshd does).

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From binder at arago.de Wed Jun 12 01:12:00 2002
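The failure mode bug 271 describes, reproduced in a small C program. This is an added example, not code from OpenSSH or from the report, and the function names are hypothetical: block_sigchld() stands in for a parent that hands a blocked SIGCHLD down to sshd, unblock_sigchld() is the sigprocmask() fix the report asks for (and sigchld_is_blocked() uses the NULL-new-mask query its NOTE mentions), and child_exit_noticed() models sshd sleeping in select() while a session child exits.

```c
/* Added example (not OpenSSH code): reproduce the SIGCHLD hang from bug 271
 * and apply the sigprocmask() fix it proposes. Function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t got_sigchld = 0;
static void on_sigchld(int sig) { (void)sig; got_sigchld = 1; }

/* Query-only sigprocmask(): a NULL new mask, the mode the report's NOTE says
 * the portable compatibility shim lacks. 1 = blocked, 0 = not, -1 = error. */
int sigchld_is_blocked(void)
{
    sigset_t cur;
    if (sigprocmask(SIG_BLOCK, NULL, &cur) == -1)
        return -1;
    return sigismember(&cur, SIGCHLD);
}

/* The bad inherited state: a parent that blocks SIGCHLD before fork()/exec()
 * hands this mask on to sshd. 0 on success, -1 on error. */
int block_sigchld(void)
{
    sigset_t m;
    sigemptyset(&m);
    sigaddset(&m, SIGCHLD);
    return sigprocmask(SIG_BLOCK, &m, NULL);
}

/* The fix the report asks for: fetch the current mask, clear only SIGCHLD,
 * install the modified mask. 0 on success, -1 on error. */
int unblock_sigchld(void)
{
    sigset_t cur;
    if (sigprocmask(SIG_BLOCK, NULL, &cur) == -1)
        return -1;
    sigdelset(&cur, SIGCHLD);
    return sigprocmask(SIG_SETMASK, &cur, NULL);
}

/* Model of sshd's session loop: fork a child that exits at once, then sleep in
 * select() as sshd does waiting for channel data. Returns 1 if the parent learned
 * of the child's death via SIGCHLD, 0 if select() only timed out without it (the
 * hang), -1 on error. block != 0 is the inherited-mask case. */
int child_exit_noticed(int block)
{
    struct sigaction sa;
    pid_t pid;
    int status, noticed;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;                 /* no SA_RESTART: select() returns EINTR */
    if (sigaction(SIGCHLD, &sa, NULL) == -1)
        return -1;
    got_sigchld = 0;

    if ((block ? block_sigchld() : unblock_sigchld()) == -1)
        return -1;

    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0)                    /* child: inherits the mask, reports it */
        _exit(sigchld_is_blocked());

    for (int i = 0; i < 3 && !got_sigchld; i++) {
        struct timeval tv = { 0, 250000 };   /* 250 ms per round */
        if (select(0, NULL, NULL, NULL, &tv) == -1) {
            if (errno == EINTR)
                break;               /* SIGCHLD delivered while sleeping */
            return -1;
        }
    }
    noticed = got_sigchld;

    /* Cleanup: reap the child and check it saw our mask; then unblock so a
     * still-pending SIGCHLD is delivered now, and restore the default. */
    if (waitpid(pid, &status, 0) == -1 || WEXITSTATUS(status) != (block != 0))
        return -1;
    unblock_sigchld();
    signal(SIGCHLD, SIG_DFL);
    got_sigchld = 0;
    return noticed;
}

int main(void)
{
    printf("SIGCHLD blocked:   noticed=%d (the hang)\n", child_exit_noticed(1));
    printf("SIGCHLD unblocked: noticed=%d\n", child_exit_noticed(0));
    return 0;
}
```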
From: binder at arago.de (Thomas Binder)
Date: Tue, 11 Jun 2002 17:12:00 +0200
Subject: OpenSSH with slow login
In-Reply-To: ; from cleber.junior@atl.com.br on Tue, Jun 11, 2002 at 11:14:18AM -0300
References:
Message-ID: <20020611171200.A5016986@ohm.arago.de>

Hi!

On Tue, Jun 11, 2002 at 11:14:18AM -0300, Jorge Cleber Teixeira de Almeida Junior wrote:
> I guess it is not a DNS problem, because either using name or
> IP, I have always the problem.

The problem is not on the client side, but on the server side. The server tries to reverse lookup the hostname for the IP that connects after a successful login, to write a utmp entry. Thus, it doesn't make a difference whether you use the server's IP address or hostname on the command line.

Instead, make sure that the server's got a correct resolv.conf (i.e. one that lists nameservers which are actually reachable) or disable DNS based host lookups completely by altering nsswitch.conf (if supported by your system) accordingly.

As others have already pointed out, another method to just prevent sshd from using reverse DNS lookups is by passing -u0 on startup (see man sshd for details and restrictions). Maybe this should become an option for sshd_config? But nevertheless, you should check your server's resolv.conf for unreachable nameserver entries. Nameserver timeouts take forever ...

Ciao

Thomas

From dan at doxpara.com Wed Jun 12 01:27:55 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Tue, 11 Jun 2002 08:27:55 -0700
Subject: OpenSSH with slow login
References:
Message-ID: <008001c2115c$8f2671c0$1701000a@effugas>

Jorge--

The SSHD does a reverse lookup on your IP. If the lookup blocks, so does the attempt to log in. Big ol' problem whenever the network goes down and you're trying to SSH into some host on your subnet. This problem has been around forever...

--Dan

----- Original Message -----
From: "Jorge Cleber Teixeira de Almeida Junior"
To:
Sent: Tuesday, June 11, 2002 7:14 AM
Subject: RES: OpenSSH with slow login
From bugzilla-daemon at mindrot.org Wed Jun 12 01:19:10 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 12 Jun 2002 01:19:10 +1000 (EST)
Subject: [Bug 200] readline support for sftp
Message-ID: <20020611151910.797CAE965@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=200

------- Additional Comments From mouring at eviladmin.org 2002-06-12 01:19 -------

NetBSD is wrong in not putting it in . Even their CVS tree admits to it:

"Standard location of readline headers is /usr/include/readline/, so install them there. readline.h of libedit had to move to subdirectory 'readline', due to the way BSD makefiles work; this is better than potentially fragile Makefile hacks"

Hmm.. From readline.h on NetBSD (cvs)

extern int rl_completion_append_character;

No history.h (looks like history.h and readline.h were merged.. BAD NetBSD, BAD).

But rl_completion_display_matches_hook looks like it needs to be fleshed out in libedit unless someone can tell me a more portable way of handling glob_match() when switching between local, remote, and no globbing support.

I should grab the OpenBSD patch that was recently submitted, but not committed yet.

From mouring at etoh.eviladmin.org Wed Jun 12 01:38:12 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 11 Jun 2002 10:38:12 -0500 (CDT)
Subject: compile failure on alpha
In-Reply-To:
Message-ID:

This should be fixed in the tree now:

 - itojun at cvs.openbsd.org 2002/06/09 22:17:21
   [sshconnect.c]
   pass salen to sockaddr_ntop so that we are happy on linux/solaris

Just committing it now.

On Tue, 11 Jun 2002, Tom Holroyd wrote:
> 20020610 snapshot (possibly earlier ones too, I haven't checked in a
> while), Alpha, Redhat base, Linux 2.4.19-pre8
>
> configure ; make
> ...
> sshconnect.c: In function `sockaddr_ntop':
> sshconnect.c:51: structure has no member named `sa_len'
>
> Perhaps it should be SA_LEN(moo) instead of moo->sa_len.

From kevin at atomicgears.com Wed Jun 12 02:24:00 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Tue, 11 Jun 2002 09:24:00 -0700
Subject: SSH / PAM Problem
In-Reply-To: <3D05E88F.10406@vodafone.de>
References: <3D05E88F.10406@vodafone.de>
Message-ID: <20020611162400.GA2291@jenny.crlsca.adelphia.net>

can a PAM LDAP user comment on how the pam_ldap module is supposed to close the connection to the LDAP server after authentication is complete and before the user terminates the connection? we can assume the Sun module I suppose.

On Tue, Jun 11, 2002 at 02:09:51PM +0200, Frank Beckmann wrote:
> Hello,
>
> since my English is not so good and misunderstandings could also arise
> in translation, here is the original :-)
>
> The problem is that with the combination of openssh, pam and ldap, the
> connection to the LDAP server is kept open until the ssh session is
> closed. This is only the case with SSH! All other services contact the
> server and close the session to the LDAP server after the password has
> been confirmed. Open sockets are not so great, since with our number of
> users there would eventually be no free sockets left.
>
> Greetings from Düsseldorf
>
> Frank Beckmann
>
> -------- Original Message --------
> Subject: SSH / PAM Problem
> Date: Tue, 11 Jun 2002 13:34:46 +0200
> From: Cengiz Tuztas
> Company: Sun Microsystems GmbH
> To: Frank.Beckmann at vodafone.de, Stefan.Altgen at vodafone.de
>
> Hello *,
>
> the problem with ssh and pam is that sshd takes hold of pam but only
> releases it again when the user ends the session. To do this, pam_start
> is called first. This authenticates the user based on pam.conf. Then
> account management is carried out. Finally comes session. These stages
> are run through in a PAM-conformant manner. However, after session has
> been carried out, pam_end is not called. pam_end calls the cleanup
> callbacks of the individual modules.
Since this is not called, open file handles are > held and sockets are not closed. pam_end is only called > when the user terminates the connection. > > I hope it is not too confusing. > > Regards > Cengiz > > > > --------------------------------------------------------- > This Mail has been checked for Viruses > Attention: Encrypted mails can NOT be checked! > --------------------------------------------------------- > > > > -- > Frank Beckmann > Dept. FBTU > Tel: 0211 533-5758 > Fax: 0211 533-1451 > Mail Frank.Beckmann at vodafone.de > > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From mouring at etoh.eviladmin.org Wed Jun 12 02:30:42 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 11 Jun 2002 11:30:42 -0500 (CDT) Subject: ssh setuid changes. Message-ID: Ok, I'm doing a heads up here. I just applied: - markus at cvs.openbsd.org 2002/06/11 04:14:26 [ssh.c sshconnect.c sshconnect.h] no longer use uidswap.[ch] from the ssh client run less code with euid==0 if ssh is installed setuid root just switch the euid, don't switch the complete set of groups (this is only needed by sshd). ok provos@ A few comments about this.. 1. I bet dollars to donuts that platforms with problems recovering from set[e]uid() changes (NeXT,etc). 2. ssh_create_socket() changed slightly, which should only affect Cygwin. However, looking at the code I think it just needs a glance over by the porter to ensure no additional work is needed. sshconnect.c: 
@@ -297,26 +295,14 @@ host, ntop, strport); /* Create a socket for connecting. */ - sock = ssh_create_socket(pw, -#ifdef HAVE_CYGWIN - !anonymous, -#else - !anonymous && geteuid() == 0, -#endif + sock = ssh_create_socket(needpriv, ai->ai_family); If there are problems with having ssh setuid please speak up, preferably with a patch so I don't have to suffer at the hands of my poor 68k-25mhz box.=) - Ben From mouring at etoh.eviladmin.org Wed Jun 12 02:34:45 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 11 Jun 2002 11:34:45 -0500 (CDT) Subject: ssh setuid changes. In-Reply-To: Message-ID: On Tue, 11 Jun 2002, Ben Lindstrom wrote: > > Ok, I'm doing a heads up here. > > I just applied: > > - markus at cvs.openbsd.org 2002/06/11 04:14:26 > [ssh.c sshconnect.c sshconnect.h] > no longer use uidswap.[ch] from the ssh client > run less code with euid==0 if ssh is installed setuid root > just switch the euid, don't switch the complete set of groups > (this is only needed by sshd). ok provos@ > > > > A few comments about this.. > > 1. I bet dollars to donuts that platforms with problems recovering from > set[e]uid() changes (NeXT,etc). > Umm..I should continue with my ideas before hitting the next point.=) the bet is that it will require fix up.=) - Ben From vinschen at redhat.com Wed Jun 12 04:09:14 2002 From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 11 Jun 2002 20:09:14 +0200 Subject: ssh setuid changes. In-Reply-To: References: Message-ID: <20020611200914.E30892@cygbert.vinschen.de> On Tue, Jun 11, 2002 at 11:30:42AM -0500, Ben Lindstrom wrote: > 2. ssh_create_socket() changed slightly, which should only affect Cygwin. > However, looking at the code I think it just needs a glance over by the > porter to ensure no additional work is needed. > > sshconnect.c: 
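Review bot: the `#ifdef HAVE_CYGWIN` branch that this hunk deletes from the ssh_create_socket() call is not carried over anywhere in the hunk, so whether the Cygwin port still asks for a reserved port now depends entirely on how the caller computes `needpriv`. The old code asked for privilege on Cygwin whenever `!anonymous`, without the `geteuid() == 0` conjunct that the other platforms use; if `needpriv` is derived from an euid-is-zero test in ssh.c, the Cygwin path silently stops taking the privileged-port branch rather than merely "needing a glance over by the porter". Suggest reviewing the single site that builds `needpriv` together with this hunk, or making `needpriv` come from a per-port helper so the platform difference lives in one place.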
> @@ -297,26 +295,14 @@ > host, ntop, strport); > > /* Create a socket for connecting. */ > - sock = ssh_create_socket(pw, > -#ifdef HAVE_CYGWIN > - !anonymous, > -#else > - !anonymous && geteuid() == 0, > -#endif > + sock = ssh_create_socket(needpriv, ai->ai_family); > > > If there are problems with having ssh setuid please speak up and > preferably with a patch so I don't have to suffer at the hands of my poor > 68k-25mhz box.=) You just moved the problem. Index: ssh.c =================================================================== RCS file: /cvs/openssh_cvs/ssh.c,v retrieving revision 1.152 diff -u -p -r1.152 ssh.c --- ssh.c 11 Jun 2002 16:37:52 -0000 1.152 +++ ssh.c 11 Jun 2002 18:07:15 -0000 @@ -615,7 +615,11 @@ again: cerr = ssh_connect(host, &hostaddr, options.port, IPv4or6, options.connection_attempts, +#ifdef HAVE_CYGWIN + options.use_privileged_port, +#else original_effective_uid == 0 && options.use_privileged_port, +#endif options.proxy_command); /* I'm still convinced that expressions as if (uid == 0) should be changed to a function call if (is_superuser (uid)) which would allow writing platform dependent code in port-XXX.c instead of having the need for #ifdef's. Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From Darren.Moffat at Sun.COM Wed Jun 12 04:17:31 2002 
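Review bot: the `+#ifdef HAVE_CYGWIN` / `+#else` / `+#endif` around the ssh_connect() argument in ssh.c puts back, one call level further from the bind() that needs it, exactly the platform conditional that the sshconnect.c hunk removed, and it leaves the non-Cygwin line untouched, so the only behavioural change is that Cygwin requests a privileged port whenever `options.use_privileged_port` is set regardless of `original_effective_uid`. Since the message itself argues for an `is_superuser(uid)` helper in port-XXX.c, this hunk is the natural first user of one: a single unconditional line such as `is_superuser(original_effective_uid) && options.use_privileged_port,` would remove the `#ifdef` and keep the Cygwin rule where the other Cygwin rules live.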
From: Darren.Moffat at Sun.COM (Darren Moffat) Date: Tue, 11 Jun 2002 11:17:31 -0700 (PDT) Subject: ssh setuid changes. Message-ID: <200206111817.g5BIHVwU842777@jurassic.eng.sun.com> >I'm still convinced that expressions as > > if (uid == 0) > >should be changed to a function call > > if (is_superuser (uid)) > >which would allow writing platform dependent code in port-XXX.c >instead of having the need for #ifdef's. Taking it a step further, the function could take an argument that says why the check is being done (bind to privileged port, read a file I don't own) and would set up the necessary privilege. This would allow systems that have fine grained privilege to use it; a subsequent call would be made to drop the privilege after it was no longer needed. -- Darren J Moffat From markus at openbsd.org Wed Jun 12 05:22:01 2002 
From: markus at openbsd.org (Markus Friedl) Date: Tue, 11 Jun 2002 21:22:01 +0200 Subject: ssh setuid changes. In-Reply-To: <200206111817.g5BIHVwU842777@jurassic.eng.sun.com> References: <200206111817.g5BIHVwU842777@jurassic.eng.sun.com> Message-ID: <20020611192201.GA31391@folly> well, I don't think it's worth the trouble, since this code is only for rhosts-rsa. for hostbased auth ssh no longer needs to be setuid root. -m On Tue, Jun 11, 2002 at 11:17:31AM -0700, Darren Moffat wrote: > >I'm still convinced that expressions as > > > > if (uid == 0) > > > >should be changed to a function call > > > > if (is_superuser (uid)) > > > >which would allow writing platform dependent code in port-XXX.c > >instead of having the need for #ifdef's. > > Taking it a step further, the function could take an argument that says why the > check is being done (bind to privileged port, read a file I don't own) and > would set up the necessary privilege. This would allow systems that have fine > grained privilege to use it; a subsequent call would be made to drop the > privilege after it was no longer needed. > > -- > Darren J Moffat > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From bugzilla-daemon at mindrot.org Wed Jun 12 05:25:11 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 12 Jun 2002 05:25:11 +1000 (EST) Subject: [Bug 272] New: Ctrl-C exits - Can not open TTY Message-ID: <20020611192511.36FD6E906@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=272 Summary: Ctrl-C exits - Can not open TTY Product: Portable OpenSSH Version: -current Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: john.carroll at usap.gov CC: john.carroll at usap.gov When I type Ctrl-C in any ssh shell, it exits the shell. I have tried this from PuTTY, as well as an older version of the OpenSSH client on another Sun Solaris system. It only seems to do this on the newest version of OpenSSH. I tried to ssh from the system to itself, and get a host key error. I checked the error logs, and I get an error every time it starts up an ssh session, shown below, that it couldn't open /dev/tty. I'm guessing this may have to do with the locations of various files, possibly those of OpenSSL (since I changed the locations of some things from the original), but I can't find anything in the documentation about this. It compiles, creates the keys, and installs fine. thanks, john # openssl version OpenSSL 0.9.6d 9 May 2002 # ssh -v OpenSSH_3.2.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f # ssh sunshine Host key verification failed. # tail /var/adm/messages (and /var/adm/auth_log) Jun 11 12:48:10 sunshine sshd[18645]: [ID 800047 auth.error] error: open /dev/tty failed - could not set controlling tty: No such device or address # ps -aef | grep ssh root 400 1 0 10:19:07 ? 
0:02 /usr/local/sbin/sshd root 18682 400 1 13:02:31 pts/10 0:01 /usr/local/sbin/sshd # ls -al /dev/tty lrwxrwxrwx 1 root other 26 Jun 10 14:46 /dev/tty -> ../devices/pseudo/sy@0:tty # ls -la /devices/pseudo/sy@0:tty crw-rw-rw- 1 root tty 22, 0 Jun 10 14:46 /devices/pseudo/sy@0:tty # ls /usr/local/src/*ssl* /usr/local/src/openssl-0.9.6d.tar.gz # ./config --prefix=/usr/local --openssldir=/usr/local # ls /usr/local/src/*ssh* /usr/local/src/openssh-3.2.2p1.tar.gz # ./configure --prefix=/usr/local --sysconfdir=/usr/local/etc --with-pid-dir=/usr/local/etc --with-tcp-wrappers --with-egd-pool=/dev/egd-pool ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From Darren.Moffat at Sun.COM Wed Jun 12 05:26:10 2002 From: Darren.Moffat at Sun.COM (Darren Moffat) Date: Tue, 11 Jun 2002 12:26:10 -0700 (PDT) Subject: ssh setuid changes. Message-ID: <200206111926.g5BJQAwU858563@jurassic.eng.sun.com> >well i don't think it's worth the trouble, >since this code is only for rhosts-rsa. > >for hostbased auth ssh no longer needs to >be setuid root. Fair enough. From bugzilla-daemon at mindrot.org Wed Jun 12 05:54:38 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 12 Jun 2002 05:54:38 +1000 (EST) Subject: [Bug 273] New: sshd hangs on shell exit if user spawned child with /bin/nohup Message-ID: <20020611195438.5DB40E902@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=273 Summary: sshd hangs on shell exit if user spawned child with /bin/nohup Product: Portable OpenSSH Version: -current Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: kerry.schwab at wnco.com Basically, if during a remote session, the user starts something with "nohup", sshd hangs when they try to exit the shell. Running truss on sshd shows it running poll() on fd0,fd1,fd2. If I wrap nohup with something that closes stdin/out/err before it calls nohup, everything works fine. So, I suspect that for whatever reason, sshd doesn't get the SIGCHLD from the shell (ksh in this case), and the fd0/1/2 are open because the process spawned via nohup has them open. This problem exists in both 3.1p1 and 3.2.3p3. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From gert at greenie.muc.de Wed Jun 12 06:25:50 2002 
From: gert at greenie.muc.de (Gert Doering) Date: Tue, 11 Jun 2002 22:25:50 +0200 Subject: Problems with UsePrivilegeSeparation (was: port fwd as user != root? In-Reply-To: <32180000.1022665968@noisy.koerber.org>; from mathias@koerber.org on Wed, May 29, 2002 at 05:52:48PM +0800 References: <20020529064707.GB23615@folly> <32180000.1022665968@noisy.koerber.org> Message-ID: <20020611222550.A15881@greenie.muc.de> Hi, On Wed, May 29, 2002 at 05:52:48PM +0800, Mathias Koerber wrote: [..] > > but with privsep, the privileged process does not > > touch the network. the call to bind() will happen > > in the 'user' process. > That should help me.. Just verified this (in-house application that uses identd to find out which of the "normal unix users" is connecting to a web application - as long as the unix machine isn't rooted, identd is good enough), and it indeed solved *my* problem - the forwarded connections come from the user that I'm logged in as, and the application is now working nicely from remote (without doing uglies like "run netscape over remote $DISPLAY"). Thanks, good work! gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From bugzilla-daemon at mindrot.org Wed Jun 12 06:26:35 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 12 Jun 2002 06:26:35 +1000 (EST) Subject: [Bug 273] sshd hangs on shell exit if user spawned child with /bin/nohup Message-ID: <20020611202635.B5805E94D@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=273 ------- Additional Comments From kerry.schwab at wnco.com 2002-06-12 06:26 ------- Debug output, with comments: I get this once I'm in: >>[some omitted for brevity] >>debug1: session_new: session 0 >>debug1: Allocating pty. >>debug1: session_pty_req: session 0 alloc /dev/pts/12 >>debug1: fd 4 setting TCP_NODELAY >>debug1: Entering interactive session. >>debug1: fd 7 setting O_NONBLOCK >>debug1: fd 10 setting O_NONBLOCK >>debug1: fd 11 setting O_NONBLOCK >>debug1: server_init_dispatch_13 >>debug1: server_init_dispatch_15 Now I start the "nohup job" with ./nohup somescript & I then try to exit the ksh shell. Ksh first tells you "You have running jobs" (normal...), then I give the second exit. At that point, my ksh becomes a process (zombie). sshd apparently gets the SIGCHLD: >debug1: Received SIGCHLD. But my ssh session is "hung". sshd itself is running poll() over and over on fd0,1,2. If I then kill the nohupped process (from another session), the session is closed: >>debug1: End of interactive session; stdin 20, stdout (read 584, sent 584), >>stderr 0 bytes. >>debug1: Command exited with status 0. >>debug1: Received exit confirmation. >>debug1: session_close: session 0 pid 24164 >>debug1: session_pty_cleanup: session 0 release /dev/pts/12 Please let me know if you need more detail. I'll be happy to help any way I can. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From gert at greenie.muc.de Wed Jun 12 06:27:32 2002 
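The descriptor inheritance that bug 273 describes (sshd polling fd 0/1/2 until the nohup'ed child exits), shown as an added example that is not part of the bug report or of OpenSSH. The script stands in for sshd with a pipe reader: the reader gets EOF only when every process holding the write end has closed it, which is exactly why a background job that inherits the session's descriptors keeps the session open. The sleep durations and function names are this example's own choices.

```sh
#!/bin/sh
# Added example, not code from the bug report or from OpenSSH.
# sshd treats a session as finished only when the pty/pipes it handed to
# the shell reach EOF, i.e. when every process holding fds 0/1/2 has
# closed them. A job started with a plain "nohup cmd &" inherits those
# fds and keeps the session open for as long as it lives.

# The problematic form: the child inherits the caller's fds 0, 1 and 2.
spawn_leaky() {
    "$@" &
}

# The fix the reporter describes (closing stdin/out/err before nohup):
# give the child its own descriptors so it never holds the session's.
# nohup additionally makes it ignore SIGHUP, so it survives shell exit.
spawn_detached() {
    nohup "$@" </dev/null >/dev/null 2>&1 &
}

# Run "$@" inside a subshell whose stdout is a pipe, then report how many
# whole seconds the pipe's reader waits for EOF after the subshell exits.
# This is the same wait sshd performs on the session's output descriptors.
seconds_until_eof() {
    start=$(date +%s)
    ( "$@"; echo parent-exited ) | cat >/dev/null
    end=$(date +%s)
    echo $((end - start))
}

# Demonstration: a 3-second sleep launched each way. The leaky launch
# keeps the reader blocked until the sleep exits; the detached one does not.
echo "leaky:    $(seconds_until_eof spawn_leaky sleep 3)s until EOF"
echo "detached: $(seconds_until_eof spawn_detached sleep 3)s until EOF"
```

Wrapping nohup the way the reporter did, or writing `nohup cmd </dev/null >/dev/null 2>&1 &` (or redirecting to a log file) directly in the user's script, is the portable fix; it works for any server that waits for EOF on the child's descriptors, not only sshd.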
From: gert at greenie.muc.de (Gert Doering) Date: Tue, 11 Jun 2002 22:27:32 +0200 Subject: ssh hang on wrong port - is it a bug ? In-Reply-To: <3D06122B.78CB9B83@zip.com.au>; from dtucker@zip.com.au on Wed, Jun 12, 2002 at 01:07:23AM +1000 References: <3D06122B.78CB9B83@zip.com.au> Message-ID: <20020611222732.B15881@greenie.muc.de> hi, On Wed, Jun 12, 2002 at 01:07:23AM +1000, Darren Tucker wrote: > > I expect the ssh program to report invalid server msg and exit. > > Is this a bug or known behaviour ??? > > ssh probably waiting for the SSH server banner. telnetd is probably > waiting for a response to telnet option negotiation. Stalemate. Shouldn't the client time out after a while? gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From dtucker at zip.com.au Wed Jun 12 10:36:21 2002 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 12 Jun 2002 10:36:21 +1000 Subject: ssh hang on wrong port - is it a bug ? References: <3D06122B.78CB9B83@zip.com.au> <20020611222732.B15881@greenie.muc.de> Message-ID: <3D069784.3EFB105E@zip.com.au> Gert Doering wrote: > Shouldn't the client time out after a while? Maybe, but then you'd run the risk of timing-out a slow but otherwise OK ssh server. -Daz. From bugzilla-daemon at mindrot.org Wed Jun 12 10:43:06 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 12 Jun 2002 10:43:06 +1000 (EST) Subject: [Bug 245] SSH can not log out under Solaris 2.6 Message-ID: <20020612004306.B0CF0E931@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=245 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |john.carroll at usap.gov ------- Additional Comments From dtucker at zip.com.au 2002-06-12 10:43 ------- *** Bug 272 has been marked as a duplicate of this bug. *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Jun 12 10:42:59 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 12 Jun 2002 10:42:59 +1000 (EST) Subject: [Bug 272] Ctrl-C exits - Can not open TTY Message-ID: <20020612004259.C6E54E928@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=272 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |DUPLICATE ------- Additional Comments From dtucker at zip.com.au 2002-06-12 10:42 ------- This is a known bug in 3.2.2p1. Upgrade to 3.2.3p1. See http://bugzilla.mindrot.org/show_bug.cgi?id=245 for details. *** This bug has been marked as a duplicate of 245 *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Jun 12 23:25:09 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 12 Jun 2002 23:25:09 +1000 (EST) Subject: [Bug 254] Problems building. Message-ID: <20020612132509.6C33BE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=254 ------- Additional Comments From dtucker at zip.com.au 2002-06-12 23:25 ------- What C compiler are you using? There's a bug in some versions of gcc that causes it to pick up -L link paths last, so it might be picking up libcrypto from /usr/lib and the headers from /usr/local/ssl/include. See: http://gcc.gnu.org/cgi-bin/gnatsweb.pl?cmd=view%20audit-trail&database=gcc&pr=326 Try this: $ LIBRARY_PATH=/usr/local/ssl/lib:/usr/lib:/usr/local/lib $ export LIBRARY_PATH $ ./configure [options] ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu Jun 13 01:35:01 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 13 Jun 2002 01:35:01 +1000 (EST) Subject: [Bug 274] New: scp fails if target account has echo "somestuff" as last line in .profile Message-ID: <20020612153501.8DB28E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=274 Summary: scp fails if target account has echo "somestuff" as last line in .profile Product: Portable OpenSSH Version: -current Platform: Other OS/Version: other Status: NEW Severity: normal Priority: P2 Component: scp AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: tai at urd.spidernet.to Trying to scp from pscp (v 0.49) on windows and openssh 3.1p1 on linux 2.2.16 to openssh 3.2.3p1 on linux 2.4.17. Shell is /bin/bash. If the last line of .profile in the account echoes something ('echo "stuff"'), scp fails. Removing the echo line, scp succeeds. This bug does not exist if the target machine is running openbsd 2.9 with the native version of ssh. Tried it with both /bin/sh and /bin/bash. -Tai ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From mouring at etoh.eviladmin.org Thu Jun 13 02:54:46 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 12 Jun 2002 11:54:46 -0500 (CDT) Subject: [PATCH]: Eliminate HAVE_CYGWIN (and _UWIN) around calls to setgroups() [was Re: openssh for UWIN] In-Reply-To: <20020608000241.D30892@cygbert.vinschen.de> Message-ID: There are three other IPPORT Reserved sections: one in serverloop.c, one in sshconnect.c and a two-fer in sshd.c. As a result I've not applied that part of the patch. BTW.. I've applied a version of the setgroups. It requires SETGROUPS_NOOP to actually compile for safety, and I put it in bsd-misc.[ch] for the time being. I think the portable core needs to decide whether we need to change how we handle openbsd-compat/ for policy. Until then.. We go on with business. - Ben On Sat, 8 Jun 2002, Corinna Vinschen wrote: > Ok, this patch eliminates some of the Cygwin dependencies in the > code. It contains a new file openbsd/fake-setgroups.c and a few > patches. The NO_IPPORT_RESERVED_CONCEPT patch is included, too, > so that stuff could be applied in one go. > > As a side effect, David can rearrange his UWIN patches so that most > of the stuff can be sourced out to configure.ac. > > Hope that helps, > Corinna > From mouring at etoh.eviladmin.org Thu Jun 13 03:03:02 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 12 Jun 2002 12:03:02 -0500 (CDT) Subject: [Bug 270] PrivSep breaks sshd on AIX for non-root users In-Reply-To: <3D03FE29.6E43F5ED@zip.com.au> Message-ID: ermm.. Yes, I did misread it.. Are you using -cvs current or 3.2.3? And does it seem related to: http://bugzilla.mindrot.org/show_bug.cgi?id=245 - Ben On Mon, 10 Jun 2002, Darren Tucker wrote: > Ben Lindstrom wrote: > > I'll close this out when bugzilla will accept my login. =) But PrivSep > > can't be run by a non-root user. > > > > 1. All network code runs as a non-privileged user, a la the 'sshd' user. > > 2. chroot() can not be done by a normal user. > > > > - Ben > > I think you misunderstood me. With PrivSep enabled, root is the only > account that can log in (assuming "PermitRootLogin yes"). Normal > accounts disconnect immediately after authentication. > > -Daz. > > root at devaix43> whoami > root > root at devaix43> /usr/local/sbin/sshd -o 'UsePrivilegeSeparation yes' > root at devaix43> ssh -l dtucker localhost > dtucker at localhost's password: > Connection to localhost closed by remote host. > Connection to localhost closed. > > root at devaix43> ssh -l root localhost > root at localhost's password: > Last unsuccessful login: Fri May 3 14:06:40 2002 on /dev/tty0 > Last login: Mon Jun 10 10:58:09 2002 on ssh from localhost > > # exit > Connection to localhost closed. > From bugzilla-daemon at mindrot.org Thu Jun 13 04:21:21 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 13 Jun 2002 04:21:21 +1000 (EST) Subject: [Bug 274] scp fails if target account has echo "somestuff" as last line in .profile Message-ID: <20020612182121.02E1CE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=274 ------- Additional Comments From markus at openbsd.org 2002-06-13 04:21 ------- so your .profile is broken. you're not supposed to do this for non-interactive session. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu Jun 13 08:12:31 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 13 Jun 2002 08:12:31 +1000 (EST) Subject: [Bug 274] scp fails if target account has echo "somestuff" as last line in .profile Message-ID: <20020612221231.23CA8E949@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=274 ------- Additional Comments From jmknoble at pobox.com 2002-06-13 08:12 ------- It shouldn't matter if ~/.profile (or ~/.bash_profile) echos anything. That file should only be read for a login session. For scp, ~/.profile shouldn't be read, and scp should go on happily with life. Perhaps your setup reads ~/.profile from ~/.bashrc or ~/.kshrc? If a non-login session has shell startup files that print anything on stdout or stderr, then you create problems for scp. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From dtucker at zip.com.au Thu Jun 13 08:51:40 2002 
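The point both replies to bug 274 make is that a startup file must stay silent for non-interactive sessions, because scp runs its protocol over the session's stdin/stdout and any stray output corrupts it. The following is an added example (not from the bug report or from OpenSSH) of how to guard such output; the function names and the explicit flag strings used in the demonstration are this example's own, and in a real ~/.profile or ~/.bashrc the shell's `$-` would be passed instead.

```sh
#!/bin/sh
# Added example, not from the bug report. scp, sftp and rsync-over-ssh
# speak their protocol on the session's stdin/stdout, so every byte a
# startup file prints corrupts the exchange. Emit such output only when
# the shell is actually interactive.

# Return 0 when FLAGS (the shell's $- by default) contain "i", i.e. the
# shell is interactive, and 1 otherwise. Taking the flags as an argument
# lets the check be exercised from a non-interactive script.
shell_is_interactive() {
    case "${1-$-}" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print MESSAGE only for an interactive shell. Use this in ~/.profile,
# ~/.bashrc or ~/.kshrc in place of a bare "echo".
banner() {
    flags=$1
    shift
    if shell_is_interactive "$flags"; then
        printf '%s\n' "$*"
    fi
}

# A stricter variant for files that are also sourced by non-login shells:
# require both an interactive shell and a terminal on stdin, so output is
# suppressed even when a remote command is run with "ssh -t".
banner_if_tty() {
    flags=$1
    shift
    if shell_is_interactive "$flags" && [ -t 0 ]; then
        printf '%s\n' "$*"
    fi
}

# Demonstration with explicit flag strings. In a real startup file:
#   banner "$-" "Welcome to $(hostname)"
banner "hB"   "silent: non-interactive (what scp's remote shell sees)"
banner "himB" "shown: interactive login"
```

A quick way to find the offending file on the target account is `ssh user@host true`; a correctly set up account produces no output at all from that command.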
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 13 Jun 2002 08:51:40 +1000 Subject: [Bug 270] PrivSep breaks sshd on AIX for non-root users References: Message-ID: <3D07D07C.FFA39DFF@zip.com.au> Ben Lindstrom wrote: > ermm.. Yes, I did misread it.. You using -cvs current or 3.2.3? Originally seen with -cvs but I've since seen it with 3.2.3p1 as well. AIX 4.2.1 seems to behave the same way. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From fabricehalimi at aol.com Thu Jun 13 10:34:19 2002 From: fabricehalimi at aol.com (VOTRE SITE ...) Date: Thu, 13 Jun 2002 02:34:19 +0200 Subject: TARGET AND CANVASS YOUR PROSPECTS FOR FREE BY THE HUNDREDS OF THOUSANDS Message-ID: <20020613003510.C39E3E881@shitei.mindrot.org> An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020613/1f22fa4d/attachment.html From amarpal.singh at ip-unity.com Thu Jun 13 14:32:46 2002 From: amarpal.singh at ip-unity.com (Amarpal Singh) Date: Wed, 12 Jun 2002 21:32:46 -0700 Subject: How to restrict OpenSSH to use SSH-1 or SSH-2 or fallback from SSH-2 to SSH-1 when need? Message-ID: <010501c21293$5edc17d0$25b4a8c0@COSMOS> Hi All, I am a newcomer to the SSH world. How do we restrict OpenSSH (3.1) to use SSH-1 or SSH-2, or fall back from SSH-2 to SSH-1 when needed? Thanks Amarpal. From dtucker at zip.com.au Thu Jun 13 15:00:35 2002 
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 13 Jun 2002 15:00:35 +1000 Subject: How to restrict OpenSSH to use SSH-1 or SSH-2 or fallback from SSH-2 to SSH-1 when need? References: <010501c21293$5edc17d0$25b4a8c0@COSMOS> Message-ID: <3D0826F3.1FC39A60@zip.com.au> $ man ssh [snip] Protocol Specifies the protocol versions ssh should support in order of preference. The possible values are ``1'' and ``2''. Multiple versions must be comma-separated. The default is ``2,1''. This means that ssh tries version 2 and falls back to version 1 if version 2 is not available. [snip] Amarpal Singh wrote: > > Hi All, > > I am a newcomer to the SSH world. How do we restrict OpenSSH (3.1) to use > SSH-1 or SSH-2, or fall back from SSH-2 to SSH-1 when needed? > > Thanks > Amarpal. > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From kumareshind at gmx.net Thu Jun 13 16:52:03 2002 From: kumareshind at gmx.net (kumar) Date: Thu, 13 Jun 2002 12:22:03 +0530 Subject: MaxConnections Message-ID: <005c01c212a6$e4b2cf30$390110ac@kovaiteam> Hello, I am using OpenSSH 3.1p1 and for limiting the maximum number of simultaneous connections, if I add a "MaxConnections" directive in sshd_config, it shows a "Bad Configuration" error. How do I set the maximum number of simultaneous connections that sshd will handle? regards Kumaresh. From kumareshind at gmx.net Thu Jun 13 17:26:24 2002 
From: kumareshind at gmx.net (kumar) Date: Thu, 13 Jun 2002 12:56:24 +0530 Subject: MaxStartups Message-ID: <007f01c212ab$a2f83bc0$390110ac@kovaiteam> Hello, What is the effect of MaxStartups in the configuration file sshd_config? How does this keyword affect the working of sshd? regards Kumaresh -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020613/8306c832/attachment.html From markus at openbsd.org Thu Jun 13 20:46:44 2002 From: markus at openbsd.org (Markus Friedl) Date: Thu, 13 Jun 2002 12:46:44 +0200 Subject: MaxStartups In-Reply-To: <007f01c212ab$a2f83bc0$390110ac@kovaiteam> References: <007f01c212ab$a2f83bc0$390110ac@kovaiteam> Message-ID: <20020613104644.GB13944@folly> it's in sshd(8) On Thu, Jun 13, 2002 at 12:56:24PM +0530, kumar wrote: > Hello, > > What is the effect of MaxStartups in the configuration file sshd_config? > > How does this keyword affect the working of sshd? > > regards > Kumaresh > > From d-b at home.se Thu Jun 13 22:53:44 2002 
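The two questions above (the rejected MaxConnections keyword and the meaning of MaxStartups) are answered by sshd(8): there is no MaxConnections option, and MaxStartups bounds the number of concurrent connections that have not yet authenticated, either as a plain number or as a `start:rate:full` triple that enables random early drop. The script below is an added example, not sshd's own code: it parses both forms and models the drop probability as sshd(8) describes it (refusal with probability `rate` percent once `start` connections are pending, rising linearly to 100 percent at `full`). The function names and the linear ramp are this example's own rendering of that description.

```sh
#!/bin/sh
# Added example, not sshd's code. There is no MaxConnections keyword in
# sshd_config; the knob that bounds concurrent *unauthenticated*
# connections is MaxStartups (see sshd(8)). "start:rate:full" enables
# random early drop: once "start" connections are pending, new ones are
# refused with probability rate%, rising linearly to 100% at "full".
# Connections that have finished authenticating are not counted.

# Parse a MaxStartups value and print "start rate full". A bare number N
# is treated as "N:100:N" (refuse everything once N are pending).
# Returns 1 for a triple that cannot form a valid ramp.
parse_max_startups() {
    case "$1" in
        *:*:*)
            start=${1%%:*}
            rest=${1#*:}
            rate=${rest%%:*}
            full=${rest#*:}
            ;;
        *)
            start=$1; rate=100; full=$1
            ;;
    esac
    [ "$start" -le "$full" ] && [ "$rate" -ge 0 ] && [ "$rate" -le 100 ] || return 1
    echo "$start $rate $full"
}

# Drop probability, in percent, for a new connection when PENDING
# unauthenticated connections already exist under MaxStartups VALUE.
# Usage: drop_percent VALUE PENDING
drop_percent() {
    fields=$(parse_max_startups "$1") || return 1
    set -- $fields "$2"
    start=$1 rate=$2 full=$3 pending=$4
    if [ "$pending" -lt "$start" ]; then echo 0; return; fi
    if [ "$pending" -ge "$full" ]; then echo 100; return; fi
    # Interpolate from rate% at "start" up to 100% at "full" (integer math,
    # so the value is truncated rather than rounded).
    echo $(( (100 - rate) * (pending - start) / (full - start) + rate ))
}

# Demonstration: the effect of "MaxStartups 10:30:60" as load grows.
for pending in 5 10 35 59 60; do
    echo "MaxStartups 10:30:60, $pending pending -> $(drop_percent 10:30:60 $pending)% drop"
done
```

Because only unauthenticated connections count, MaxStartups is a brute-force and connection-flood limiter rather than a cap on logged-in sessions; a limit on total sessions per user has to come from the system (login classes, PAM limits or ulimit), not from sshd_config.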
From: d-b at home.se (Daniel Bergman) Date: Thu, 13 Jun 2002 14:53:44 +0200 Subject: OpenSSH_3.0.1p1 disconnects due to bad packet length and corrupted MAC on input. Message-ID: <1023972824.43b542a0d-b@home.se> Hi I'm having huge problems with OpenSSH 3.0.1p1, compiled with OpenSSL 0.9.6b 9 Jul 2001 and running with prngd_0.9.23. It disconnects unexpectedly during a client session due to bad packet length and corrupted MAC on input, according to debug anyway. What can cause these kinds of errors? I've verified that both se9104/server and the switch run at 100 Mbit full duplex, and switch statistics show no collisions at all. I've attached output of several 'ssh -v -v -v se9104' commands that fail with either "Disconnecting: Bad packet length" or "Corrupted MAC on input". I've also attached the client ssh config, server sshd config and server process list. Regards, Daniel ============== se9104 SERVER ============== $ uname -a SunOS se9104 5.8 Generic_108528-14 sun4u sparc SUNW,Ultra-80 $ cat /etc/release Solaris 8 1/01 s28s_u3wos_08 SPARC Copyright 2000 Sun Microsystems, Inc. All Rights Reserved. Assembled 28 November 2000 Solaris 8 Maintenance Update 6 applied ============= se2002 CLIENT ============= $ uname -a SunOS se2002 5.7 Generic sun4u sparc SUNW,Ultra-5_10 $ cat /etc/release Solaris 7 s998s_SunServer_21al2b SPARC Copyright 1998 Sun Microsystems, Inc. All Rights Reserved. Assembled 06 October 1998 Regards, Daniel Bergman MvH Daniel Bergman d-b at home.se 08 - 55066265 From bugzilla-daemon at mindrot.org Thu Jun 13 23:01:15 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 13 Jun 2002 23:01:15 +1000 (EST) Subject: [Bug 275] New: openssh 3.2.3p1 make fails Message-ID: <20020613130115.44028E963@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=275 Summary: openssh 3.2.3p1 make fails Product: Portable OpenSSH Version: -current Platform: Sparc OS/Version: SunOS Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: franz.a.riedl at infineon.com Making openssh 3.2.3p1 fails under SunOS 4.1.4 on a Sparc 5. ./configure is ok ( ./configure --with-tcp-wrappers --with-ipv4-default --with-default-path=/bin:/usr/bin:/usr/local/bin -with-entropy-timeout=50 ) make fails: gcc -o ssh-agent ssh-agent.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -lssh -lopenbsd-compat -lz -lcrypto collect2: ld returned 2 exit status ld: Undefined symbol _memmove *** Error code 1 make: Fatal error: Command failed for target `ssh-agent' Compiling under Solaris 2.8 is ok! I also tried to compile openssh 3.1p1 under SunOS 4.1.4. That's ok! ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From koenigsf at de.alcove.com Fri Jun 14 00:32:12 2002 
From: koenigsf at de.alcove.com (Arndt Koenigsfeld) Date: Thu, 13 Jun 2002 16:32:12 +0200 Subject: Feature Request: RSA and PasswordAuth subsequently Message-ID: <20020613143212.GA18331@fry.alcove-de> I want the server to require additional PasswordAuthentication after a successful RSA authentication. This feature is implemented in the ssh server from ssh.com and there is a need for it. Certainly I can buy the ssh.com version, but I would rather prefer to use openssh. If nothing obvious militates against the attempt to implement this feature for openssh, I am toying with the idea of doing it myself. Unfortunately I'm not following this list long enough to be sure that nobody else has tried this before, so please point me to the archive if someone did. -- Arndt Koenigsfeld * Senior System Engineer - http://www.alcove.com/de/ * ALCOVE Deutschland GmbH - Tel.: +49 (0)2 28 / 9 08 69 85 * Liberating Software - Fax: +49 (0)2 28 / 9 08 69 84 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 232 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020613/451a4b1c/attachment.bin From bugzilla-daemon at mindrot.org Fri Jun 14 02:35:32 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 14 Jun 2002 02:35:32 +1000 (EST) Subject: [Bug 269] OpenSSH doesn't compile with dynamic OpenSSL libraries Message-ID: <20020613163532.C9109E964@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=269 ------- Additional Comments From list_7531 at hotmail.com 2002-06-14 02:35 ------- Created an attachment (id=113) As requested, config.log(.gz), --with-ssl-dir meant to override /usr/local/ssl path ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Fri Jun 14 03:16:50 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 14 Jun 2002 03:16:50 +1000 (EST) Subject: [Bug 269] OpenSSH doesn't compile with dynamic OpenSSL libraries Message-ID: <20020613171650.320FDE90D@shitei.mindrot.org>
http://bugzilla.mindrot.org/show_bug.cgi?id=269 ------- Additional Comments From list_7531 at hotmail.com 2002-06-14 03:16 ------- Further information: In response to the email from dtucker at zip.com.au: On my system: $ echo $LIBRARY_PATH /usr/local/lib:/usr/local/glib/lib:/usr/local/gtk/lib:/usr/lib:/usr/ucblib:/opt/gimp/lib:/usr/local/kde/lib:/usr/local/qt230/lib:/usr/local/kde/lib:/usr/dt/lib:/usr/openwin/lib:/opt/gnome-1.4/lib /usr/local/ssl is a symlink to /opt/openssl096c-eng $ find /usr/local/ssl/lib -follow /usr/local/ssl/lib/libcrypto.a /usr/local/ssl/lib/libssl.a /usr/local/ssl/lib/libcrypto.so.0.9.6 /usr/local/ssl/lib/libssl.so.0.9.6 /usr/local/ssl/lib/libcrypto.so.0 /usr/local/ssl/lib/libcrypto.so /usr/local/ssl/lib/libssl.so.0 /usr/local/ssl/lib/libssl.so Adrian
From vinschen at redhat.com Fri Jun 14 04:25:32 2002
From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 13 Jun 2002 20:25:32 +0200 Subject: [PATCH]: Eliminate HAVE_CYGWIN (and _UWIN) around calls to setgroups() [was Re: openssh for UWIN] In-Reply-To: References: <20020608000241.D30892@cygbert.vinschen.de> Message-ID: <20020613202532.W30892@cygbert.vinschen.de> On Wed, Jun 12, 2002 at 11:54:46AM -0500, Ben Lindstrom wrote: > there are three other IPPORT Reserved sections. > > One in serverloop.c and one in sshconnect.c and a two-fer in sshd.c The serverloop.c was already included in my patch from 2002-06-08, the other two are ok as they are. I resend the cleaned up patch relative to cvs HEAD Corinna Index: acconfig.h =================================================================== RCS file: /cvs/openssh_cvs/acconfig.h,v retrieving revision 1.138 diff -u -p -r1.138 acconfig.h --- acconfig.h 12 Jun 2002 16:57:15 -0000 1.138 +++ acconfig.h 13 Jun 2002 18:05:13 -0000 @@ -313,6 +313,9 @@ /* Define if X11 doesn't support AF_UNIX sockets on that system */ #undef NO_X11_UNIX_SOCKETS +/* Define if the concept of ports only accessible to superusers isn't known */ +#undef NO_IPPORT_RESERVED_CONCEPT + /* Needed for SCO and NeXT */ #undef BROKEN_SAVED_UIDS Index: channels.c =================================================================== RCS file: /cvs/openssh_cvs/channels.c,v retrieving revision 1.148 diff -u -p -r1.148 channels.c --- channels.c 11 Jun 2002 15:59:03 -0000 1.148 +++ channels.c 13 Jun 2002 18:05:25 -0000 
@@ -2180,7 +2180,7 @@ channel_input_port_forward_request(int i hostname = packet_get_string(NULL); host_port = packet_get_int(); -#ifndef HAVE_CYGWIN +#ifndef NO_IPPORT_RESERVED_CONCEPT /* * Check that an unprivileged user is not trying to forward a * privileged port. Index: configure.ac =================================================================== RCS file: /cvs/openssh_cvs/configure.ac,v retrieving revision 1.66 diff -u -p -r1.66 configure.ac --- configure.ac 12 Jun 2002 16:57:15 -0000 1.66 +++ configure.ac 13 Jun 2002 18:05:31 -0000 @@ -85,6 +85,7 @@ case "$host" in AC_DEFINE(IPV4_DEFAULT) AC_DEFINE(IP_TOS_IS_BROKEN) AC_DEFINE(NO_X11_UNIX_SOCKETS) + AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) AC_DEFINE(SETGROUPS_NOOP) ;; *-*-dgux*) Index: readconf.c =================================================================== RCS file: /cvs/openssh_cvs/readconf.c,v retrieving revision 1.74 diff -u -p -r1.74 readconf.c --- readconf.c 11 Jun 2002 15:53:07 -0000 1.74 +++ readconf.c 13 Jun 2002 18:05:31 -0000 @@ -199,7 +199,7 @@ add_local_forward(Options *options, u_sh u_short host_port) { Forward *fwd; -#ifndef HAVE_CYGWIN +#ifndef NO_IPPORT_RESERVED_CONCEPT extern uid_t original_real_uid; if (port < IPPORT_RESERVED && original_real_uid != 0) fatal("Privileged ports can only be forwarded by root."); Index: serverloop.c =================================================================== RCS file: /cvs/openssh_cvs/serverloop.c,v retrieving revision 1.101 diff -u -p -r1.101 serverloop.c --- serverloop.c 11 Jun 2002 16:42:49 -0000 1.101 +++ serverloop.c 13 Jun 2002 18:05:33 -0000 
@@ -974,8 +974,11 @@ server_input_global_request(int type, u_ /* check permissions */ if (!options.allow_tcp_forwarding || - no_port_forwarding_flag || - (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)) { + no_port_forwarding_flag +#ifdef NO_IPPORT_RESERVED_CONCEPT + || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0) +#endif + ) { success = 0; packet_send_debug("Server has disabled port forwarding."); } else { -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From binkertn at umich.edu Fri Jun 14 05:06:48 2002 From: binkertn at umich.edu (Nathan Binkert) Date: Thu, 13 Jun 2002 15:06:48 -0400 (EDT) Subject: portable openssh bug in tru64 v5.1 Message-ID: This is in openssh-2.3.2p1: Basically, getaddrinfo doesn't accept AF_UNSPEC on tru64 v5.1. I'm not sure how you want to fix it, but defining IPV4_DEFAULT seems to work. Nathan From todd at fries.net Fri Jun 14 05:21:40 2002 From: todd at fries.net (Todd T. Fries) Date: Thu, 13 Jun 2002 14:21:40 -0500 Subject: just curious Message-ID: <20020613192140.GB11350@fries.net> What is the expected behavior wrt ipv6 on Linux? My brother is trying to use sshd to bind to things and without '-6' on the commandline, it doesn't do any ipv6, even if 'ListenAddress ::' is listed in sshd_config. Also, with '-6', it receives ipv4 requests as well. This behavior is definately different from OpenBSD .. all addresses listed in sshd_config are used, and with none listed, it defaults to '0.0.0.0' and '::' .. the '-6' limits connections to ipv6 only. Thanks, -- Todd Fries .. todd at fries.net (last updated $ToddFries: signature.p,v 1.2 2002/03/19 15:10:18 todd Exp $) From bugzilla-daemon at mindrot.org Fri Jun 14 05:34:15 2002 
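Review bot: the serverloop.c hunk inverts the guard. `#ifdef NO_IPPORT_RESERVED_CONCEPT` compiles the `(listen_port < IPPORT_RESERVED && pw->pw_uid != 0)` test in only on platforms that have no reserved-port concept and drops it on every other build, so a non-root user could request a remote forward on a port below IPPORT_RESERVED wherever the concept does exist. It should be `#ifndef NO_IPPORT_RESERVED_CONCEPT`, matching the channels.c and readconf.c hunks in the same patch. Worth adding a one-line test on a non-Cygwin build that a remote forward on port 23 from an unprivileged account still gets "Server has disabled port forwarding." before this goes in.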
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 14 Jun 2002 05:34:15 +1000 (EST) Subject: [Bug 261] AIX capabilities + port-aix.c cleanup Message-ID: <20020613193415.DAFF0E975@shitei.mindrot.org>
http://bugzilla.mindrot.org/show_bug.cgi?id=261 ------- Additional Comments From genty at us.ibm.com 2002-06-14 05:34 ------- I investigated the use of setpcred(). This call is what should be used in port-aix.c. The setpenv() should not be used.
From pekkas at netcore.fi Fri Jun 14 05:43:28 2002
From: pekkas at netcore.fi (Pekka Savola) Date: Thu, 13 Jun 2002 22:43:28 +0300 (EEST) Subject: just curious In-Reply-To: <20020613192140.GB11350@fries.net> Message-ID:
On Thu, 13 Jun 2002, Todd T. Fries wrote: > What is the expected behavior wrt ipv6 on Linux? My brother is trying to > use sshd to bind to things and without '-6' on the commandline, it doesn't > do any ipv6, even if 'ListenAddress ::' is listed in sshd_config. Also, > with '-6', it receives ipv4 requests as well. > > This behavior is definitely different from OpenBSD .. all addresses listed > in sshd_config are used, and with none listed, it defaults to > '0.0.0.0' and '::' .. the '-6' limits connections to ipv6 only.
Compile OpenSSH without '--with-ipv4-default', and there is no need for '-6'. Linux, complying with the spec (but insecure in some respects), accepts IPv4 connections through mapped addresses on '::'. In some versions, this can be prevented by using the IPV6_V6ONLY setsockopt. OpenBSD does not do mapped addresses at all.
-- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
From bugzilla-daemon at mindrot.org Fri Jun 14 05:55:44 2002
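The dual-stack behaviour Pekka describes is easy to see on a socket. The program below is an added example written for this archive, not OpenSSH code: it binds an AF_INET6 socket to "::" on a kernel-chosen port, with and without IPV6_V6ONLY, and then tries to bind an AF_INET socket to 0.0.0.0 on the same port. Without the option the IPv6 wildcard socket also owns the IPv4 wildcard (IPv4 clients would arrive as ::ffff:a.b.c.d mapped addresses), so the second bind fails with EADDRINUSE; with IPV6_V6ONLY=1 both sockets coexist, which is what a listener that wants one socket per ListenAddress needs. It assumes a Linux-style kernel where IPV6_V6ONLY exists; on a host without IPv6 sockets it reports -1 rather than a verdict.

```c
/* Added example (not OpenSSH code): why a dual-stack listener sets
 * IPV6_V6ONLY on its AF_INET6 socket. Assumes a kernel that offers the
 * option (Linux, *BSD); returns -1 where IPv6 sockets are unavailable. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind [::]:0 (kernel picks the port) with IPV6_V6ONLY set to v6only,
 * then try 0.0.0.0:<same port> on a plain IPv4 socket.
 * Returns 1 if both binds succeed, 0 if the IPv4 bind fails with
 * EADDRINUSE (the v6 socket already covers IPv4), -1 on any other error. */
int bind_v6_then_v4(int v6only)
{
	struct sockaddr_in6 sin6;
	struct sockaddr_in sin4;
	socklen_t len = sizeof(sin6);
	int s6, s4, rc, on = v6only ? 1 : 0;

	s6 = socket(AF_INET6, SOCK_STREAM, 0);
	if (s6 < 0)
		return -1;
	if (setsockopt(s6, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) {
		close(s6);
		return -1;
	}
	memset(&sin6, 0, sizeof(sin6));
	sin6.sin6_family = AF_INET6;
	sin6.sin6_addr = in6addr_any;   /* "::" */
	sin6.sin6_port = 0;             /* let the kernel choose */
	if (bind(s6, (struct sockaddr *)&sin6, sizeof(sin6)) < 0 ||
	    getsockname(s6, (struct sockaddr *)&sin6, &len) < 0) {
		close(s6);
		return -1;
	}

	s4 = socket(AF_INET, SOCK_STREAM, 0);
	if (s4 < 0) {
		close(s6);
		return -1;
	}
	memset(&sin4, 0, sizeof(sin4));
	sin4.sin_family = AF_INET;
	sin4.sin_addr.s_addr = htonl(INADDR_ANY);   /* "0.0.0.0" */
	sin4.sin_port = sin6.sin6_port;             /* same port, network order */
	if (bind(s4, (struct sockaddr *)&sin4, sizeof(sin4)) == 0)
		rc = 1;
	else if (errno == EADDRINUSE)
		rc = 0;
	else
		rc = -1;
	close(s4);
	close(s6);
	return rc;
}

int main(void)
{
	printf("IPV6_V6ONLY=1, [::] and 0.0.0.0 on one port: %d\n", bind_v6_then_v4(1));
	printf("IPV6_V6ONLY=0, [::] and 0.0.0.0 on one port: %d\n", bind_v6_then_v4(0));
	return 0;
}
```

Run it as an unprivileged user; no port below 1024 is involved. The second line printing 0 is the Linux behaviour Pekka calls spec-compliant but insecure: a socket the administrator thought was IPv6-only is also reachable over IPv4.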
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 14 Jun 2002 05:55:44 +1000 (EST) Subject: [Bug 261] AIX capabilities + port-aix.c cleanup Message-ID: <20020613195544.4AA4DE975@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=261 ------- Additional Comments From mouring at eviladmin.org 2002-06-14 05:55 ------- Created an attachment (id=114) Would the following be acceptable version of this patch? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From vinschen at redhat.com Fri Jun 14 06:45:10 2002 From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 13 Jun 2002 22:45:10 +0200 Subject: [2.PATCH]: Eliminate typo in bsd-misc.* Message-ID: <20020613224510.Y30892@cygbert.vinschen.de> Hi, the following patch eliminates a typo in bsd-misc.* which disallows building for Cygwin. Corinna Index: openbsd-compat/bsd-misc.c =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-misc.c,v retrieving revision 1.7 diff -u -p -r1.7 bsd-misc.c --- openbsd-compat/bsd-misc.c 12 Jun 2002 16:57:15 -0000 1.7 +++ openbsd-compat/bsd-misc.c 13 Jun 2002 20:43:04 -0000 @@ -123,7 +123,7 @@ int truncate (const char *path, off_t le * Cygwin setgroups should be a noop. */ int -setgroups(size_t size, const git_t *list) +setgroups(size_t size, const gid_t *list) { return 0; } Index: openbsd-compat/bsd-misc.h =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-misc.h,v retrieving revision 1.5 diff -u -p -r1.5 bsd-misc.h --- openbsd-compat/bsd-misc.h 12 Jun 2002 16:57:15 -0000 1.5 +++ openbsd-compat/bsd-misc.h 13 Jun 2002 20:43:04 -0000 
@@ -77,7 +77,7 @@ int truncate (const char *path, off_t le #endif /* HAVE_TRUNCATE */ #if !defined(HAVE_SETGROUPS) && defined(SETGROUPS_NOOP) -int setgroups(size_t size, const git_t *list); +int setgroups(size_t size, const gid_t *list); #endif -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From mouring at etoh.eviladmin.org Fri Jun 14 07:27:19 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 13 Jun 2002 16:27:19 -0500 (CDT) Subject: [2.PATCH]: Eliminate typo in bsd-misc.* In-Reply-To: <20020613224510.Y30892@cygbert.vinschen.de> Message-ID: Fixed. On Thu, 13 Jun 2002, Corinna Vinschen wrote: > Hi, > > the following patch eliminates a typo in bsd-misc.* which disallows > building for Cygwin. > > Corinna > > Index: openbsd-compat/bsd-misc.c > =================================================================== > RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-misc.c,v > retrieving revision 1.7 > diff -u -p -r1.7 bsd-misc.c > --- openbsd-compat/bsd-misc.c 12 Jun 2002 16:57:15 -0000 1.7 > +++ openbsd-compat/bsd-misc.c 13 Jun 2002 20:43:04 -0000 > @@ -123,7 +123,7 @@ int truncate (const char *path, off_t le > * Cygwin setgroups should be a noop. > */ > int > -setgroups(size_t size, const git_t *list) > +setgroups(size_t size, const gid_t *list) > { > return 0; > } > Index: openbsd-compat/bsd-misc.h > =================================================================== > RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-misc.h,v > retrieving revision 1.5 > diff -u -p -r1.5 bsd-misc.h > --- openbsd-compat/bsd-misc.h 12 Jun 2002 16:57:15 -0000 1.5 > +++ openbsd-compat/bsd-misc.h 13 Jun 2002 20:43:04 -0000 
> @@ -77,7 +77,7 @@ int truncate (const char *path, off_t le > #endif /* HAVE_TRUNCATE */ > > #if !defined(HAVE_SETGROUPS) && defined(SETGROUPS_NOOP) > -int setgroups(size_t size, const git_t *list); > +int setgroups(size_t size, const gid_t *list); > #endif > > > > -- > Corinna Vinschen > Cygwin Developer > Red Hat, Inc. > mailto:vinschen at redhat.com > From wmurray at transnexus.com Fri Jun 14 07:35:57 2002 From: wmurray at transnexus.com (William Murray) Date: Thu, 13 Jun 2002 17:35:57 -0400 Subject: please assist Message-ID: <030c01c21322$4dff7bc0$070210ac@mach5> Mr. Lindstrom, I am trying to upgrade from ssh1 to ssh2. I am getting the following error when I start sshd: Disabling protocol version 2. Could not load host key SSHD does start, however, ssh1 is functional, but ssh2 is not. Please advise, William 770-671-1888, ext-240 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020613/4c8f8ce3/attachment.html From mouring at etoh.eviladmin.org Fri Jun 14 07:44:36 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 13 Jun 2002 16:44:36 -0500 (CDT) Subject: please assist In-Reply-To: <030c01c21322$4dff7bc0$070210ac@mach5> Message-ID: On Thu, 13 Jun 2002, William Murray wrote: > Mr. Lindstrom, > > I am trying to upgrade from ssh1 to ssh2. I am getting the following error when I start sshd: > > Disabling protocol version 2. Could not load host key > > SSHD does start, however, ssh1 is functional, but ssh2 is not. > You need to create your ssh2 keys. refer to 'man sshd' and 'man ssh-keygen' - Ben From austyger at yahoo.com Fri Jun 14 07:54:47 2002 
From: austyger at yahoo.com (Aus Tyger) Date: Thu, 13 Jun 2002 14:54:47 -0700 (PDT) Subject: question about temporarily_use_uid() Message-ID: <20020613215447.72940.qmail@web10607.mail.yahoo.com>
hi.. can someone please explain to me what the function temporarily_use_uid() in uidswap.c does? I'm trying to build ssh-3.1p1 for dgux. The compilation went fine. However, it failed when trying to connect to the server. The reason is the getgroups function in temporarily_use_uid() has a limit NGROUPS_MAX. This is defined to be 8 on dgux (limits.h) but for the group I belong to, there are more than 8 members (and there are other groups on the system that have more than 8 members). And when I reduce the group members to 8, everything works fine. The error message is getgroups: invalid argument. Can I safely skip the temporarily_use_uid() function, what would be the consequences of doing so.. thanks very much.. PS. I'm not on this list. Please reply to my email address. Thanks again.
From mike_huey at hp.com Fri Jun 14 08:03:54 2002
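Two facts the poster's question turns on: getgroups(2) fails with EINVAL when the buffer passed is smaller than the number of supplementary groups the calling process holds (how many users a group contains is irrelevant), and getgroups(0, NULL) returns that number without filling anything. temporarily_use_uid() exists so that sshd reads per-user files (authorized_keys and friends) with the user's uid and group list rather than as root, so skipping it is the wrong fix. The code below is an added example for this archive, not OpenSSH's uidswap.c: it shows the fixed-NGROUPS_MAX call failing when the process has more groups than the buffer, and a variant that sizes the buffer from the kernel's answer. No names beyond the standard getgroups() call are assumed.

```c
/* Added example (not OpenSSH code): size the getgroups() buffer at run
 * time instead of trusting NGROUPS_MAX from <limits.h>. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Reproduce the failure mode: call getgroups() with a buffer one slot
 * short of the process's group count (what a too-small NGROUPS_MAX does).
 * Returns 1 if the call failed with EINVAL as expected, 0 if it did not,
 * 2 if the process has fewer than two groups so nothing can be shown,
 * -1 on an unexpected error. */
int fixed_buffer_fails_when_too_small(void)
{
	int n = getgroups(0, NULL);   /* count only, buffer untouched */
	gid_t *buf;
	int rc;

	if (n < 0)
		return -1;
	if (n < 2)
		return 2;
	buf = calloc((size_t)n, sizeof(gid_t));
	if (buf == NULL)
		return -1;
	errno = 0;
	rc = getgroups(n - 1, buf);   /* deliberately one slot short */
	rc = (rc == -1 && errno == EINVAL) ? 1 : 0;
	free(buf);
	return rc;
}

/* Robust variant: ask for the count, allocate exactly that, and retry if
 * the group set grew between the two calls. On success returns the count
 * and stores the list in *out (caller frees); returns -1 on error. */
int groups_dynamic(gid_t **out)
{
	gid_t *list = NULL;
	int n, got;

	for (;;) {
		n = getgroups(0, NULL);
		if (n < 0) {
			free(list);
			return -1;
		}
		free(list);
		list = calloc(n > 0 ? (size_t)n : 1, sizeof(gid_t));
		if (list == NULL)
			return -1;
		got = getgroups(n, list);
		if (got >= 0) {
			*out = list;
			return got;
		}
		if (errno != EINVAL) {   /* EINVAL here means the set grew: loop */
			free(list);
			return -1;
		}
	}
}

int main(void)
{
	gid_t *groups = NULL;
	int i, n;

	printf("fixed buffer one short -> EINVAL? %d\n",
	    fixed_buffer_fails_when_too_small());
	n = groups_dynamic(&groups);
	printf("dynamic buffer: %d groups:", n);
	for (i = 0; i < n; i++)
		printf(" %lu", (unsigned long)groups[i]);
	printf("\n");
	free(groups);
	return 0;
}
```

The retry loop matters on a daemon that swaps identities: the count returned by the first call is only a hint, and treating EINVAL on the second call as "re-size and try again" avoids both the dgux failure above and a truncated group list.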
From: mike_huey at hp.com (HUEY,MIKE (HP-Cupertino,ex1)) Date: Thu, 13 Jun 2002 15:03:54 -0700 Subject: HP-UX announces binary Secure Shell product based on OpenSSH source Message-ID: <155C6BB395577C4EA8F65A9ADA9F2104067E2CBB@xcup01.cup.hp.com>
HP has taken OpenSSH version 3.1p1 and made a binary swinstall product for HP-UX customers to use. The source is bundled with the product and is slightly different than OpenSSH 3.1p1, but the changes made were just to make the OpenSSH features work on HP-UX 11.00 and 11i. HP-UX Secure Shell is a fully supported no charge product for HP-UX users with a current HP-UX support contract, and is available for all to use at no charge. For more details and download go to: www.software.hp.com and search for Secure Shell
Mike Huey Enterprise UNIX Division Hewlett-Packard
From bugzilla-daemon at mindrot.org Fri Jun 14 11:20:42 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 14 Jun 2002 11:20:42 +1000 (EST) Subject: [Bug 269] OpenSSH doesn't compile with dynamic OpenSSL libraries Message-ID: <20020614012042.1FF14E928@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=269 ------- Additional Comments From dtucker at zip.com.au 2002-06-14 11:20 ------- I think gcc is picking up a libcrypto from somewhere other than where you expect (maybe /usr/lib or /usr/local/lib). configure:8264: gcc -o conftest -O3 -Wall -Wpointer-arith -Wno-uninitialized -I/usr/local/ssl/include -I/opt/zlib/include -O3 -I/usr/local/include -L/usr/local/ssl/lib -R/usr/local/ssl/lib -L/opt/zlib/lib -R/opt/zlib/lib -L/usr/local/lib -R/usr/local/lib conftest.c -lpam -ldl -lz -lsocket -lnsl -lcrypto >&5 /var/tmp/ccikDouh.o: In function `main': /var/tmp/ccikDouh.o(.text+0x4): undefined reference to `RAND_add' collect2: ld returned 1 exit status Check for other libcrypto's: $ find / -name 'libcrypto.*' -print If any show up try: $ LIBRARY_PATH=/usr/local/ssl/lib:$LIBRARY_PATH $ export LIBRARY_PATH $ cd openssh-3.2.3p1 $ make distclean && ./configure ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From dan at doxpara.com Fri Jun 14 08:08:15 2002 From: dan at doxpara.com (Dan Kaminsky) Date: Thu, 13 Jun 2002 15:08:15 -0700 Subject: please assist References: <030c01c21322$4dff7bc0$070210ac@mach5> Message-ID: <002e01c21365$eaf821f0$1701000a@effugas> William: You need an SSH2 private key(for historical and technical reasons, ssh2's default key algorithm is not compatible with ssh1's). Find the directory containing your sshd_config (/etc/ssh on redhat, /usr/local/etc on a standard ./configure; make; make install), and run the following command in that directory as root: ssh-keygen -t dsa -f ssh_host_dsa_key Now start SSHD; it'll work fine. --Dan ----- Original Message ----- 
From: "William Murray" To: Sent: Thursday, June 13, 2002 2:35 PM Subject: please assist Mr. Lindstrom, I am trying to upgrade from ssh1 to ssh2. I am getting the following error when I start sshd: Disabling protocol version 2. Could not load host key SSHD does start, however, ssh1 is functional, but ssh2 is not. Please advise, William 770-671-1888, ext-240 From bugzilla-daemon at mindrot.org Fri Jun 14 18:11:38 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 14 Jun 2002 18:11:38 +1000 (EST) Subject: [Bug 276] New: openssh-3.2.3p1 does not compile on IRIX - SCM_RIGHTS undefined Message-ID: <20020614081138.2E44AE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=276 Summary: openssh-3.2.3p1 does not compile on IRIX - SCM_RIGHTS undefined Product: Portable OpenSSH Version: -current Platform: MIPS OS/Version: IRIX Status: NEW Severity: major Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: Al.Smith at gold.net SCM_RIGHTS not defined in monitor_fdpass.c. % uname -aR IRIX64 foo 6.5 6.5.16m 04101930 IP27 % gzip -dc openssh-3.2.3p1.tar.gz | tar xf - % cd openssh-3.2.3p1 % ./configure --with-ssl-dir=/usr/local [snip] checking for msg_accrights field in struct msghdr... yes checking for msg_control field in struct msghdr... yes [snip] % make [snip] gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/sys/inet/ssl/include -I/usr/local/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_PIDDIR=\"/usr/local/etc\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c monitor_fdpass.c monitor_fdpass.c: In function `mm_send_fd': monitor_fdpass.c:58: `SCM_RIGHTS' undeclared (first use in this function) monitor_fdpass.c:58: (Each undeclared identifier is reported only once monitor_fdpass.c:58: for each function it appears in.) monitor_fdpass.c: In function `mm_receive_fd': monitor_fdpass.c:117: `SCM_RIGHTS' undeclared (first use in this function) *** Error code 1 (bu21) % ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From vinschen at redhat.com Fri Jun 14 18:24:27 2002 
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 14 Jun 2002 10:24:27 +0200 Subject: [PATCH]: auth-passwd.c: Eliminate a Cygwin special case Message-ID: <20020614102427.A32371@cygbert.vinschen.de>
Hi, as it turned out on the Cygwin mailing list, the special handling of empty passwords in auth-passwd.c when running under Windows NT results in problems. Cause: The authentication method "none" calls auth_password() with an empty password. A piece of HAVE_CYGWIN code allows empty passwords even if PermitEmptyPasswords is set to "no". This in turn results in calling the Windows internal logon routine with an invalid password, just because the auth method "none" is enabled. Result: Since many NT systems are set so that a couple of invalid logons lock the account, accounts are suddenly locked, even if the user never logged on locally. Solution: Check for PermitEmptyPassword first also on NT systems. This has the additional advantage that we can drop a snippet of Cygwin special code. Fix below. Corinna
Index: auth-passwd.c =================================================================== RCS file: /cvs/openssh_cvs/auth-passwd.c,v retrieving revision 1.45 diff -u -p -r1.45 auth-passwd.c --- auth-passwd.c 15 May 2002 15:59:17 -0000 1.45 +++ auth-passwd.c 14 Jun 2002 08:15:04 -0000 @@ -124,13 +124,6 @@ auth_password(Authctxt *authctxt, const if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) return 0; #endif -#ifdef HAVE_CYGWIN - /* - * Empty password is only possible on NT if the user has _really_ - * an empty password and authentication is done, though. - */ - if (!is_winnt) -#endif if (*password == '\0' && options.permit_empty_passwd == 0) return 0; #ifdef KRB5
-- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com
From bugzilla-daemon at mindrot.org Sat Jun 15 01:31:04 2002
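Review bot: the hunk closes the lockout only for PermitEmptyPasswords "no". The early return it keeps is `if (*password == '\0' && options.permit_empty_passwd == 0) return 0;`, so on an NT host where the administrator has set the option to "yes" the "none" probe described in the message still reaches the Windows logon routine with an empty password for every user whose real password is not empty, and each probe still counts as a failed logon toward the account lock. If the NT logon path cannot tell "empty password accepted" from "invalid attempt", the "none" method should be rejected before the platform logon call regardless of the option; at minimum the commit message should say that the fix depends on PermitEmptyPasswords staying "no".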
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 15 Jun 2002 01:31:04 +1000 (EST) Subject: [Bug 277] New: X11 forwarding problem behind Router/NAT box Message-ID: <20020614153104.0A049E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=277 Summary: X11 forwarding problem behind Router/NAT box Product: Portable OpenSSH Version: 3.0.2p1 Platform: Sparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: ballen at uwm.edu CC: ballen at uwm.edu I have a DSL line at home, and want to use X11 forwarding to run X clients on a machine at work. The X11 forwarding works fine when the home laptop is connected directly to the DSL modem. However I use a router at home so that I can connect several machines to the net via the same DSL line. The X11 forwarding does NOT work when I try to connect to a solaris host from behind the router. The strange thing is that if I log into a different host (same version of sshd, but running under linux) then the X11 forwarding does work OK, even from behind the router. This router does Network Address Translation (and is set up to forward port 22 to my laptop, so that I can also log into the laptop at home from my machine at work) So here is a summary: without router: X11 forwarding from home laptop to linux box WORKS X11 forwarding from home laptop to solaris box WORKS with router X11 forwarding from home laptop to linux box WORKS X11 forwarding from home laptop to solaris box FAILS I made a transcript using ssh -vX comparing a connection to the solaris box with and without the router. The transcripts (apart from the dates and the phantom DISPLAY values) are identical. When I try to start an x client (say an xterm or xclock) the window freezes, and I can not use it any more. I have to kill the shell in which I invoked ssh on the laptop. I am enclosing below a transcript of a failed session. 
I'd be happy to do some additional diagnostic work, but don't know where to go from here, and need guidance. Thanks! Bruce Allen[ballen at dsl-65-187-169-17 /root]$ ssh -vX ballen at dirac.phys.uwm.edu OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: restore_uid debug1: ssh_connect: getuid 500 geteuid 500 anon 1 debug1: Connecting to dirac.phys.uwm.edu [129.89.57.19] port 22. debug1: temporarily_use_uid: 500/500 (e=500) debug1: restore_uid debug1: temporarily_use_uid: 500/500 (e=500) debug1: restore_uid debug1: Connection established. debug1: identity file /home/ballen/.ssh/identity type -1 debug1: identity file /home/ballen/.ssh/id_rsa type -1 debug1: identity file /home/ballen/.ssh/id_dsa type 2 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.0.2p1 debug1: match: OpenSSH_3.0.2p1 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.1p1 debug1: Credentials Expired debug1: proxy expired: run grid-proxy-init or wgpi first File=/tmp/x509up_u500 Function:proxy_init_cred debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-cbc hmac-md5 none debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 129/256 debug1: bits set: 1632/3191 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host 'dirac.phys.uwm.edu' is known and matches the RSA host key. 
debug1: Found key in /home/ballen/.ssh/known_hosts2:14 debug1: bits set: 1629/3191 debug1: ssh_rsa_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password,keyboard-interactive debug1: next auth method to try is publickey debug1: try privkey: /home/ballen/.ssh/identity debug1: try privkey: /home/ballen/.ssh/id_rsa debug1: try pubkey: /home/ballen/.ssh/id_dsa debug1: authentications that can continue: publickey,password,keyboard-interactive debug1: next auth method to try is keyboard-interactive debug1: authentications that can continue: publickey,password,keyboard-interactive debug1: next auth method to try is password ballen at dirac.phys.uwm.edu's password: debug1: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64) debug1: ssh-userauth2 successful: method password debug1: channel 0: new [client-session] debug1: send channel open 0 debug1: Entering interactive session. debug1: ssh_session2_setup: id 0 debug1: channel request 0: pty-req debug1: Requesting X11 forwarding with authentication spoofing. debug1: channel request 0: x11-req debug1: channel request 0: shell debug1: fd 3 setting TCP_NODELAY debug1: channel 0: open confirm rwindow 0 rmax 16384 Last login: Fri Jun 14 00:33:29 2002 from dsl-65-187-169- Sun Microsystems Inc. SunOS 5.8 Generic February 2000 Sun Microsystems Inc. SunOS 5.8 Generic February 2000 You have mail. ballen at dirac> xterm & [1] 1617 ballen at dirac> debug1: client_input_channel_open: ctype x11 rchan 3 win 4096 max 2048 debug1: client_request_x11: request from 129.89.57.19 33305 debug1: fd 7 setting O_NONBLOCK debug1: channel 1: new [x11] debug1: confirm x11 This is where everything hangs. 
I've also printed out the environment on the machine after I have connected. Here it is: ballen at dirac> env USER=ballen LOGNAME=ballen HOME=/home/ballen PATH=/usr/ccs/bin:/usr/local/Office51/bin:/home/ballen/bin:/usr/openwin/bin:/opt/Acrobat4/bin:/usr/sbin:/usr/local/bin:/usr/dt/bin:/usr/openwin/bin:/opt/dt/bin:/opt/SUNWspro/bin:/opt/SUNWste/bin:/opt/SUNWneo/bin:/opt/SUNWste/bin:/opt/SUNWimap/bin:/opt/SUNWsmsjc/bin:/opt/SUNWicg/bin:/opt/SUNWvts/bin:/opt/SUNWsms/bin:/opt/SUNWcorba/bin:/opt/SUNWsymon/bin:/opt/SUNWrtvc/bin:/usr/local/X11/bin:.:/home/ballen:/bin:/usr/bin:/usr/ucb:/etc:.:/usr/ccs/bin:/usr/ccs/lib:/usr/local/mpi/bin:/usr/lib/lp/postscript:/home/ballen/rvplayer5.0:/opt/hpnp/bin MAIL=/var/mail//ballen SHELL=/bin/tcsh TZ=US/Central SSH_CLIENT=65.187.169.17 64439 22 SSH_TTY=/dev/pts/33 TERM=xterm DISPLAY=dirac:28.0 HOSTTYPE=sun4 VENDOR=sun OSTYPE=solaris MACHTYPE=sparc SHLVL=1 PWD=/home/ballen GROUP=uwmlsc HOST=dirac REMOTEHOST=dsl-65-187-169-17.telocity.com MOZILLA_HOME=/usr/local/netscape EDITOR=/usr/openwin/bin/textedit CVSROOT=/home/cvs/CVS_REPOSITORY/repository_GRASP NNTPSERVER=news.uwm.edu ENSCRIPT=-fTimes-Roman10 TG_HOME=/local/tgraph TG_HOST=dirac.phys.uwm.edu MANPATH=/usr/openwin/man:/opt/SUNWspro/man:/opt/SUNWste/license_tools/man:/usr/share/man:/usr/local/man:/usr/local/mpi/man:/opt/hpnp/man: INFOPATH=/usr/local/info TMPDIR=/tmp/ LD_LIBRARY_PATH=/usr/local/lib:/opt/hpnp/lib PRINTER=hp2200_1 ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From gwolosh at njit.edu Sat Jun 15 01:38:45 2002 
From: gwolosh at njit.edu (Gedaliah Wolosh) Date: Fri, 14 Jun 2002 11:38:45 -0400 (EDT) Subject: AFS/kerberos build problems Message-ID: I am trying to build openssh-3.2.3p1 on solaris8 with support for afs token passing. I have the KTH-kerberos 4.1.1.1 libraries installed. The configure script generates the following warnings checking krb.h usability... no checking krb.h presence... yes configure: WARNING: krb.h: present but cannot be compiled configure: WARNING: krb.h: check for missing prerequisite headers? configure: WARNING: krb.h: proceeding with the preprocessor's result checking for krb.h... yes The build fails at this point -- "./auth.h", line 114: cannot find include file: "monitor_wrap.c", line 613: warning: argument #2 is incompatible with prototype: prototype: pointer to const char : "/usr/include/string.h", line 72 argument : pointer to unsigned char cc: acomp failed for monitor_wrap.c make: *** [monitor_wrap.o] Error 2 Any suggestions _________________________________________________________________ Gedaliah Wolosh, Ph.D. 973 596-5437 New Jersey Institute of Technology Fax 596-2306 323 King Blvd GITC 2203 gwolosh at njit.edu Newark, NJ 07102 From bugzilla-daemon at mindrot.org Sat Jun 15 04:35:25 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 15 Jun 2002 04:35:25 +1000 (EST) Subject: [Bug 278] New: ssh allows auto login even if account is locked Message-ID: <20020614183525.D937AE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=278 Summary: ssh allows auto login even if account is locked Product: Portable OpenSSH Version: 3.0.2p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: bryan_baughman at hotmail.com CC: bryan_baughman at hotmail.com Set up authorized_keys(2) file on the server. Verify that automated login works. lock the users account: passwd -l accountname ssh to the server, it will let you in. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Jun 15 04:42:56 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 15 Jun 2002 04:42:56 +1000 (EST) Subject: [Bug 279] New: ssh-keyscan can't check for fingerprints Message-ID: <20020614184256.55F25E8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=279 Summary: ssh-keyscan can't check for fingerprints Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: Miscellaneous AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: slot0k at pogox.org Would it be possible to add the ability to display key fingerprints from ssh-keyscan? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Jun 15 04:56:12 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 15 Jun 2002 04:56:12 +1000 (EST) Subject: [Bug 278] ssh allows auto login even if account is locked Message-ID: <20020614185612.97D40E881@shitei.mindrot.org>
http://bugzilla.mindrot.org/show_bug.cgi?id=278 Darren.Moffat at Sun.COM changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WONTFIX
------- Additional Comments From Darren.Moffat at Sun.COM 2002-06-15 04:56 ------- This happens because sshd with public-key login does not call pam_authenticate, but does call pam_acct_mgmt. In the pam_unix.so module that is shipped in Solaris 8 there is no explicit account locked check. This has been fixed in Solaris 9 and a fix for Solaris 8 is currently underway. OpenSSH is not broken in any way, this is a Solaris bug that only appears when PAM applications call pam_acct_mgmt without having first called pam_authenticate. In the meantime a workaround would be to write a simple pam module that stacks above or below pam_unix that checks for the string *LK* in sp->spwdp for the user defined in PAM_USER.
From amarpal.singh at ip-unity.com Sat Jun 15 05:37:58 2002
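The check Darren suggests is small enough to show in full. The code below is an added example for this archive, not Solaris, PAM or OpenSSH code: it takes the password field of a shadow(4) entry and reports whether the account is locked, using the "*LK*" prefix the comment names for Solaris and, as an extension beyond the comment, the "!" prefix that Linux's passwd -l writes. A PAM account module would run the same test from pam_sm_acct_mgmt() on the sp_pwdp field of the PAM_USER entry and return PAM_PERM_DENIED when it says locked; that glue is not included, and the shadow lines in the block are constructed sample data, not real hashes. The point of the bug is that public-key authentication never calls pam_authenticate, so the account phase is the only place this test can run.

```c
/* Added example (not OpenSSH, PAM or Solaris code): the account-locked
 * test a stacked PAM account module would apply to the shadow password
 * field. Sample shadow lines below are constructed, not real. */
#include <stdio.h>
#include <string.h>

/* 1 if the password field marks the account locked, else 0.
 * Solaris passwd -l writes "*LK*" in front of the hash (per the bug
 * comment); Linux passwd -l writes "!" in front of it. */
int hash_is_locked(const char *pwd)
{
	if (pwd == NULL)
		return 0;
	if (strncmp(pwd, "*LK*", 4) == 0)
		return 1;
	if (pwd[0] == '!')
		return 1;
	return 0;
}

/* Copy the second ':'-separated field of a shadow line into buf.
 * Returns 1 on success, 0 if the line is malformed or buf is too small. */
int shadow_pwd_field(const char *line, char *buf, size_t buflen)
{
	const char *start = strchr(line, ':');
	const char *end;
	size_t n;

	if (start == NULL)
		return 0;
	start++;
	end = strchr(start, ':');
	if (end == NULL)
		end = start + strlen(start);
	n = (size_t)(end - start);
	if (n >= buflen)
		return 0;
	memcpy(buf, start, n);
	buf[n] = '\0';
	return 1;
}

/* Find user in a NULL-terminated array of shadow lines and report
 * 1 = locked, 0 = not locked, -1 = no such user or malformed entry. */
int account_locked(const char *const *shadow_lines, const char *user)
{
	size_t ulen = strlen(user);
	char pwd[256];

	for (; *shadow_lines != NULL; shadow_lines++) {
		const char *l = *shadow_lines;
		if (strncmp(l, user, ulen) == 0 && l[ulen] == ':') {
			if (!shadow_pwd_field(l, pwd, sizeof(pwd)))
				return -1;
			return hash_is_locked(pwd);
		}
	}
	return -1;
}

/* Constructed sample shadow entries: open, Solaris-locked, Linux-locked. */
static const char *const sample_shadow[] = {
	"alice:$1$saltsalt$abcdefghijklmnopqrstu:11850:0:99999:7:::",
	"bob:*LK*$1$saltsalt$abcdefghijklmnopqrstu:11850:0:99999:7:::",
	"carol:!$1$saltsalt$abcdefghijklmnopqrstu:11850:0:99999:7:::",
	NULL
};

int main(void)
{
	const char *users[] = { "alice", "bob", "carol", "dave" };
	size_t i;

	for (i = 0; i < sizeof(users) / sizeof(users[0]); i++)
		printf("%-6s locked=%d\n", users[i],
		    account_locked(sample_shadow, users[i]));
	return 0;
}
```

Note that only the lock markers are tested: fields such as "*" or "NP" mean the account has no usable password, which is a different policy decision from an administrator's explicit lock.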
From: amarpal.singh at ip-unity.com (Amarpal Singh)
Date: Fri, 14 Jun 2002 12:37:58 -0700
Subject: Private key encryption by Passphrase
Message-ID: <012201c213da$fdd554d0$25b4a8c0@COSMOS>

Hi All,

When ssh-keygen creates a private key, I guess it stores it in the private key file after encrypting it with the passphrase. What kind of encryption does ssh-keygen use for OpenSSH, SSH1 and SSH2?

Another question: OpenSSH doesn't support all the ciphers of either SSH-1 or SSH-2? So I assume it doesn't work exhaustively with the SSH1 or SSH2 clients? Can we consider OpenSSH as a standard of its own?

Thanks
Amarpal.

From bugzilla-daemon at mindrot.org Sat Jun 15 07:33:57 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 15 Jun 2002 07:33:57 +1000 (EST)
Subject: [Bug 279] ssh-keyscan can't check for fingerprints
Message-ID: <20020614213357.C67DAE8FF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=279

markus at openbsd.org changed:

What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |RESOLVED
Resolution  |        |INVALID

------- Additional Comments From markus at openbsd.org 2002-06-15 07:33 -------
what's wrong with

ssh-keyscan -f LIST > OUT
ssh-keygen -lf OUT

From cgelinas at acc.com Sat Jun 15 09:34:25 2002
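The two-command answer in the Bug 279 resolution works because the fingerprint is just a hash of the public key blob that ssh-keyscan prints in base64. The following is an added example, not OpenSSH code, of what `ssh-keygen -lf OUT` computes over such a file: it parses the "host keytype base64" lines, decodes the blob, and produces the MD5 colon-hex fingerprint ssh-keygen printed at the time of the thread and the SHA256 base64 form current versions print by default. The bit count is only implemented for ssh-rsa here, and the sample key is constructed from a chosen modulus, not a real key.

```python
"""Fingerprints for keys in ssh-keyscan output, computed offline.

Added example for the Bug 279 exchange; not OpenSSH code.
"""
import base64
import hashlib
import struct
from typing import List, Tuple


def _mpint(n: int) -> bytes:
    """SSH mpint: big-endian two's complement, length-prefixed (n > 0 here)."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")  # +8 keeps the sign bit 0
    return struct.pack(">I", len(raw)) + raw


def _string(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s


def encode_rsa_blob(e: int, n: int) -> bytes:
    """Wire form of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack_from(">I", blob, off)
    off += 4
    return blob[off:off + length], off + length


def key_bits(blob: bytes) -> int:
    """Modulus size for ssh-rsa (the number ssh-keygen -l prints first);
    0 for key types this example does not decode."""
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        return 0
    _e, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()


def fingerprint_md5(blob: bytes) -> str:
    """Legacy form: 16 colon-separated hex bytes of MD5 over the blob."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """Current default form: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprints(keyscan_output: str) -> List[Tuple[str, int, str, str]]:
    """(host, bits, md5, sha256) for each 'host keytype base64' line."""
    out = []
    for line in keyscan_output.splitlines():
        if not line.strip() or line.startswith("#"):  # skip blank/comment lines
            continue
        host, _ktype, b64 = line.split()[:3]
        blob = base64.b64decode(b64)
        out.append((host, key_bits(blob), fingerprint_md5(blob),
                    fingerprint_sha256(blob)))
    return out


# Constructed sample: a 1024-bit modulus with a chosen pattern, not a real key.
SAMPLE_BLOB = encode_rsa_blob(65537, (1 << 1023) | 0x10001)
SAMPLE_KEYSCAN = ("192.0.2.10 ssh-rsa "
                  + base64.b64encode(SAMPLE_BLOB).decode() + "\n")

if __name__ == "__main__":
    for host, bits, md5, sha in fingerprints(SAMPLE_KEYSCAN):
        print(bits, md5, host)
        print(bits, sha, host)
```

Comparing these values against what the host's administrator publishes out of band is the check the bug reporter wanted from ssh-keyscan itself; an attacker-controlled host can present any key, so the fingerprint only helps when it is compared with a value obtained some other way.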
From: cgelinas at acc.com (Charles Gelinas)
Date: Fri, 14 Jun 2002 16:34:25 -0700
Subject: SCP2 implementation documentation?
Message-ID: <013201c213fc$04da0ac0$8e3fc081@chuck>

Hi,

I'm about to incorporate scp2 support to our current SSH2 server implementation and I couldn't find any document (RFC, internet draft, etc) about the implementation of scp or scp2. Does anyone know where I could find some???

Thanks
--
Charles Gelinas
Software Engineering
Ericsson Inc.
Datacom Networking and IP Services
Access Product Unit
charles.gelinas at ericsson.com
Ph: (805) 562-6594
1-800-444-7854 ext. 6594
fax: (805) 562-8085

From mouring at etoh.eviladmin.org Sat Jun 15 09:24:29 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 14 Jun 2002 18:24:29 -0500 (CDT)
Subject: SCP2 implementation documentation?
In-Reply-To: <013201c213fc$04da0ac0$8e3fc081@chuck>
Message-ID:

scp2 is just sftp

On Fri, 14 Jun 2002, Charles Gelinas wrote:

> Hi,
>
> I'm about to incorporate scp2 support to our current SSH2 server implementation and I
> couldn't find any document (RFC, internet draft, etc) about the implementation of scp
> or scp2. Does anyone know where I could find some???
>
> Thanks
> --
> Charles Gelinas
> Software Engineering
> Ericsson Inc.
> Datacom Networking and IP Services
> Access Product Unit
> charles.gelinas at ericsson.com
> Ph: (805) 562-6594
> 1-800-444-7854 ext. 6594
> fax: (805) 562-8085
>

From markus at openbsd.org Sat Jun 15 09:36:27 2002
From: markus at openbsd.org (Markus Friedl)
Date: Sat, 15 Jun 2002 01:36:27 +0200
Subject: SCP2 implementation documentation?
In-Reply-To: <013201c213fc$04da0ac0$8e3fc081@chuck>
References: <013201c213fc$04da0ac0$8e3fc081@chuck>
Message-ID: <20020614233627.GA14956@faui02>

it's the sftp protocol: check
http://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt
or reuse our code
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sftp-server.c?rev=1.35&content-type=text/x-cvsweb-markup

On Fri, Jun 14, 2002 at 04:34:25PM -0700, Charles Gelinas wrote:
> Hi,
>
> I'm about to incorporate scp2 support to our current SSH2 server implementation and I
> couldn't find any document (RFC, internet draft, etc) about the implementation of scp
> or scp2. Does anyone know where I could find some???
>
> Thanks
> --
> Charles Gelinas
> Software Engineering
> Ericsson Inc.
> Datacom Networking and IP Services
> Access Product Unit
> charles.gelinas at ericsson.com
> Ph: (805) 562-6594
> 1-800-444-7854 ext. 6594
> fax: (805) 562-8085

From dsa0000 at hotmail.com Sat Jun 15 11:53:49 2002
From: dsa0000 at hotmail.com (dsa main)
Date: Sat, 15 Jun 2002 01:53:49 +0000
Subject: why compact.c needed ?
Message-ID:

Hi All,

Why is compact.c needed? All over the code I could find checks for "datafellows". Why is this needed?

Regards
DSA

From bugzilla-daemon at mindrot.org Sat Jun 15 14:19:28 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 15 Jun 2002 14:19:28 +1000 (EST)
Subject: [Bug 277] X11 forwarding problem behind Router/NAT box
Message-ID: <20020615041928.4272CE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=277

------- Additional Comments From stevesk at pobox.com 2002-06-15 14:19 -------
i don't know what this is:

debug1: Credentials Expired
debug1: proxy expired: run grid-proxy-init or wgpi first
File=/tmp/x509up_u500 Function:proxy_init_cred

i don't have any guesses now. would like to see sshd -ddd on solaris for the fail case.

From bugzilla-daemon at mindrot.org Sat Jun 15 14:26:50 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 15 Jun 2002 14:26:50 +1000 (EST)
Subject: [Bug 276] openssh-3.2.3p1 does not compile on IRIX - SCM_RIGHTS undefined
Message-ID: <20020615042650.9D3A9E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=276

------- Additional Comments From stevesk at pobox.com 2002-06-15 14:26 -------
this is what i asked in a message a while back; can an IRIX expert help here?

"should we be using a UNIX95 (or whatever) namespace for IRIX? what happens with D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"

From markus at openbsd.org Sat Jun 15 16:15:06 2002
From: markus at openbsd.org (Markus Friedl)
Date: Sat, 15 Jun 2002 08:15:06 +0200
Subject: Private key encryption by Passphrase
In-Reply-To: <012201c213da$fdd554d0$25b4a8c0@COSMOS>
References: <012201c213da$fdd554d0$25b4a8c0@COSMOS>
Message-ID: <20020615061506.GA14412@folly>

> What kind of encryption does ssh-keygen use for OpenSSH, SSH1 and SSH2?

different modes of 3des, depending on the protocol.

> Another question: OpenSSH doesn't support all the ciphers of either SSH-1 or
> SSH-2? So I assume it doesn't work exhaustively with the SSH1 or SSH2
> clients?

it supports all REQUIRED ciphers and many more

From bugzilla-daemon at mindrot.org Sat Jun 15 16:24:54 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 15 Jun 2002 16:24:54 +1000 (EST)
Subject: [Bug 276] openssh-3.2.3p1 does not compile on IRIX - SCM_RIGHTS undefined
Message-ID: <20020615062454.722D4E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=276

------- Additional Comments From Al.Smith at gold.net 2002-06-15 16:24 -------
SCM_RIGHTS is indeed protected (in sys/socket.h) by an #ifdef _XOPEN_SOURCE

However, trying this results in a multitude of other problems:

In file included from includes.h:94,
                 from monitor_fdpass.c:26:
/usr/include/lastlog.h:61: parse error before "ulong"
In file included from includes.h:134,
                 from monitor_fdpass.c:26:
/usr/include/netinet/in_systm.h:34: parse error before "n_short"
In file included from includes.h:136,
                 from monitor_fdpass.c:26:
/usr/include/netinet/ip.h:45: parse error before "u_char"
/usr/include/netinet/ip.h:49: parse error before "ip_len"
/usr/include/netinet/ip.h:50: parse error before "ip_id"
/usr/include/netinet/ip.h:51: parse error before "ip_off"
/usr/include/netinet/ip.h:55: parse error before "ip_ttl"
/usr/include/netinet/ip.h:56: parse error before "ip_p"
/usr/include/netinet/ip.h:57: parse error before "ip_sum"
/usr/include/netinet/ip.h:59: parse error before '}' token
/usr/include/netinet/ip.h:118: parse error before "u_char"
/usr/include/netinet/ip.h:120: parse error before "ipt_ptr"
/usr/include/netinet/ip.h:126: parse error before "ipt_oflw"
/usr/include/netinet/ip.h:136: parse error before '}' token
In file included from includes.h:137,
                 from monitor_fdpass.c:26:
/usr/include/netinet/tcp.h:38: parse error before "u_short"
/usr/include/netinet/tcp.h:52: parse error before "th_off"
/usr/include/netinet/tcp.h:62: parse error before "th_win"
/usr/include/netinet/tcp.h:63: parse error before "th_sum"
/usr/include/netinet/tcp.h:64: parse error before "th_urp"

From bugzilla-daemon at mindrot.org Sat Jun 15 20:07:59 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 15 Jun 2002 20:07:59 +1000 (EST)
Subject: [Bug 277] X11 forwarding problem behind Router/NAT box
Message-ID: <20020615100759.AB7C8E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=277

------- Additional Comments From dtucker at zip.com.au 2002-06-15 20:07 -------
Here's an edited version from a previous (emailed) answer to this:

Short answer: You probably have an MTU/fragmentation problem. For each network interface on both client and server set the MTU to 576, eg "ifconfig ethX mtu 576". If the problem goes away, read on.

Long answer: At each routing hop, IP packets bigger than the outgoing interface's MTU get fragmented. Only the first fragment has TCP port numbers. Firewalls usually drop everything but the first fragment since it can't be matched against the rulebase. Some NAT configurations (eg many-to-one NAT or port address translation) can't match the fragments against their translation state tables.

Logging in and using the shell will normally generate relatively small packets, however if you do something that generates a lot of data (eg cat'ing a big file or starting an X app), you may generate a packet bigger than the MTU.

Let's say it's a 1500 byte IP packet and the router has 2 different MTUs (say 1500 & 1484) and no firewall. When the router goes to forward it, the packet is too big for the interface MTU (1484), so the router breaks it into 2 fragments, 0 and 1. Fragment 0 contains the first 1484 bytes (including the TCP source and dest ports) and fragment 1 contains the remaining 16 bytes. Both fragments are sent on to their destinations.

When the first fragment reaches its target, it's held by the IP stack until the remaining fragments arrive, at which time the IP packet is reassembled and passed up the stack to TCP. If all fragments are not received by the timeout, the entire IP packet is discarded and an ICMP "timeout during reassembly" error is sent back.

Now add your firewall, which drops fragment 1. Your 1500 byte IP packet times out during reassembly and TCP retries, by sending another 1500 byte packet. Repeat. Eventually, TCP will time out and you'll get a connection termination.

IP stack parameters (such as Path MTU Discovery) and external variables (such as the MTUs of all the hops between hosts) can also affect whether or not a given connection will be affected.

Maybe I ought to submit this to the FAQ maintainer....

From bugzilla-daemon at mindrot.org Sat Jun 15 23:33:35 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 15 Jun 2002 23:33:35 +1000 (EST)
Subject: [Bug 261] AIX capabilities + port-aix.c cleanup
Message-ID: <20020615133335.78D20E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=261

------- Additional Comments From dtucker at zip.com.au 2002-06-15 23:33 -------
Worked on my test box (AIX 4.3.3). Patch had HTML LT/GT mangling and missing line continuation in configure.ac which required fixing by hand.

+ setrlimit setsid setpcred setvbuf sigaction sigvec snprintf \
+ socketpair strerror strlcat strlcpy strmode strsep sysconf tcgetpgrp \
+ truncate utimes vhangup vsnprintf waitpid __b64_ntop _getpty)

From bugzilla-daemon at mindrot.org Sat Jun 15 23:47:48 2002
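The Bug 277 explanation above (a 1500 byte packet, a 1484 byte MTU hop, a filter that only passes the fragment carrying port numbers) can be followed with a small model of IPv4 fragmentation. This is an added example, not OpenSSH or kernel code; it sizes fragments the way IPv4 does (each fragment carries its own 20 byte header and non-final fragments hold a multiple of 8 payload bytes), which is why the comment's "remaining 16 bytes" travel in a 36 byte second fragment. The filter and reassembly checks model the behaviour the comment describes, not any particular firewall product.

```python
"""Why a dropped non-first fragment kills the connection.

Added example for the Bug 277 comment; a model of IPv4 fragmentation, not
OpenSSH or kernel code.
"""
from dataclasses import dataclass
from typing import List

IP_HDR = 20  # IPv4 header without options; every fragment carries one


@dataclass
class Fragment:
    offset: int       # fragment offset in 8-byte units, as in the IP header
    payload_len: int  # bytes of the original IP payload in this fragment
    more: bool        # "more fragments" flag

    @property
    def has_ports(self) -> bool:
        """Only the fragment at offset 0 contains the TCP header and ports."""
        return self.offset == 0

    @property
    def wire_len(self) -> int:
        return IP_HDR + self.payload_len


def fragment(total_len: int, mtu: int) -> List[Fragment]:
    """Split a packet of total_len bytes for a link with the given MTU."""
    payload = total_len - IP_HDR
    if total_len <= mtu:
        return [Fragment(0, payload, False)]
    per_frag = (mtu - IP_HDR) // 8 * 8  # payload per fragment, multiple of 8
    if per_frag <= 0:
        raise ValueError("MTU too small to carry an IPv4 fragment")
    frags, off = [], 0
    while off < payload:
        n = min(per_frag, payload - off)
        frags.append(Fragment(off // 8, n, off + n < payload))
        off += n
    return frags


def port_filter(frags: List[Fragment]) -> List[Fragment]:
    """A stateless firewall or NAT that can only match packets with ports."""
    return [f for f in frags if f.has_ports]


def reassembles(frags: List[Fragment], total_len: int) -> bool:
    """True if every payload byte arrived; otherwise the receiver's
    reassembly timer fires and the whole packet is discarded."""
    got = sum(f.payload_len for f in frags)
    return got == total_len - IP_HDR and any(not f.more for f in frags)


def delivered(total_len: int, hop_mtu: int, filtered: bool = True) -> bool:
    """Does a packet of total_len bytes survive a hop with hop_mtu, with or
    without a port-only filter in front of the receiver?"""
    frags = fragment(total_len, hop_mtu)
    if filtered:
        frags = port_filter(frags)
    return reassembles(frags, total_len)


if __name__ == "__main__":
    for f in fragment(1500, 1484):
        print(f"offset={f.offset * 8:5d} wire={f.wire_len:5d} "
              f"more={f.more} ports={f.has_ports}")
    print("1500-byte packet through port-only filter:", delivered(1500, 1484))
    print("576-byte packet through port-only filter: ", delivered(576, 1484))
```

The 576 byte case is the comment's workaround: a host MTU of 576 keeps every packet at or below 576 bytes, so no hop with a larger MTU ever fragments it and the filter sees ports on every packet.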
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 15 Jun 2002 23:47:48 +1000 (EST)
Subject: [Bug 277] X11 forwarding problem behind Router/NAT box
Message-ID: <20020615134748.C6683E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=277

ballen at uwm.edu changed:

What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |RESOLVED
Resolution  |        |FIXED

------- Additional Comments From ballen at uwm.edu 2002-06-15 23:47 -------
Darren -- you were correct -- it was fragmented packets not getting forwarded by the NAT box. I am closing out the bug report. Details follow. Thank you!

The following command on the Solaris box:
ifconfig hme0 mtu 576
solved the problem. Unfortunately this Solaris box has some NFS mounted partitions. These small MTU values really clobber NFS performance so I'll probably need to reset the mtu value each time I want to do X11 forwarding. Sigh. I'll experiment to find the largest acceptable MTU value.

I don't know where the packets are getting fragmented -- probably by my DSL provider.

And I agree that you should add this to the FAQ -- I read the FAQ closely before posting my bug report so if I had seen your posting in the FAQ it would have saved everyone's time and bandwidth!

Thanks again! I still can't believe how well the open-source model works when the developers are committed to their products.

Bruce

******************************************

Kevin -- the thing that you didn't recognize is a (failed) certificate-based authentication attempt. This is there because I use some Globus Grid resources which use strictly certificate-based authentication. I don't know if this is part of the standard ssh client or if mine has been linked against some Globus-enhanced libraries. In any case, it's not the source of my problem, which Darren correctly identified.
From markus at openbsd.org Sun Jun 16 03:21:47 2002
From: markus at openbsd.org (Markus Friedl)
Date: Sat, 15 Jun 2002 19:21:47 +0200
Subject: why compact.c needed ?
In-Reply-To:
References:
Message-ID: <20020615172147.GA4270@folly>

On Sat, Jun 15, 2002 at 01:53:49AM +0000, dsa main wrote:
> Why is compact.c needed?

compat.c is used for bug-compatibility

> All over the code I could find
> checks for "datafellows". Why is this needed ?

for bug-compatibility, it should be renamed.

From bugzilla-daemon at mindrot.org Sun Jun 16 04:01:08 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 16 Jun 2002 04:01:08 +1000 (EST)
Subject: [Bug 276] openssh-3.2.3p1 does not compile on IRIX - SCM_RIGHTS undefined
Message-ID: <20020615180108.E2CA6E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=276

tim at multitalents.net changed:

What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |RESOLVED
Resolution  |        |FIXED

------- Additional Comments From tim at multitalents.net 2002-06-16 04:01 -------
This was fixed 4 days after the release of 3.2.3p1

20020527
 - (tim) [configure.ac.orig monitor_fdpass.c] Enhance msghdr tests to address build problem on Irix reported by Dave Love . Back out last monitor_fdpass.c changes that are no longer needed with new tests. Patch tested on Irix by Jan-Frode Myklebust

Grab this configure
http://www.multitalents.net/openssh/configure-msghdr-fix.gz

From bugzilla-daemon at mindrot.org Sun Jun 16 04:18:26 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 16 Jun 2002 04:18:26 +1000 (EST)
Subject: [Bug 276] openssh-3.2.3p1 does not compile on IRIX - SCM_RIGHTS undefined
Message-ID: <20020615181826.E92C0E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=276

------- Additional Comments From stevesk at pobox.com 2002-06-16 04:18 -------
i consider that a workaround vs. a fix for this IRIX issue.

From bugzilla-daemon at mindrot.org Sun Jun 16 04:30:09 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 16 Jun 2002 04:30:09 +1000 (EST)
Subject: [Bug 276] openssh-3.2.3p1 does not compile on IRIX - SCM_RIGHTS undefined
Message-ID: <20020615183009.74619E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=276

------- Additional Comments From tim at multitalents.net 2002-06-16 04:30 -------
The problem is that OpenSSH is expecting systems to have either msg_accrights OR msg_control but not both. IRIX, UnixWare, and possibly others have backward/forward compatibility defines that caused configure to report both. OpenSSH's code could not handle having both. After reviewing sys/socket.h on IRIX and UnixWare I enhanced the configure test to find the struct and reject the define.

What am I missing here?

From dsa0000 at hotmail.com Sun Jun 16 05:26:28 2002
From: dsa0000 at hotmail.com (dsa main)
Date: Sat, 15 Jun 2002 19:26:28 +0000
Subject: why compact.c needed ?
Message-ID:

Hi Markus,

Thank you for the reply.

"bug-compatibility" - Does it mean taking care of the bugs in ssh clients (older openssh versions and other implementations)?

Regards
dsa
>From: Markus Friedl
>To: dsa main
>CC: openssh-unix-dev at mindrot.org
>Subject: Re: why compact.c needed ?
>Date: Sat, 15 Jun 2002 19:21:47 +0200
>
>On Sat, Jun 15, 2002 at 01:53:49AM +0000, dsa main wrote:
> > Why is compact.c needed?
>
>compat.c is used for bug-compatibility
>
> > All over the code I could find
> > checks for "datafellows". Why is this needed ?
>
>for bug-compatibility, it should be renamed.

From markus at openbsd.org Sun Jun 16 11:30:28 2002
From: markus at openbsd.org (Markus Friedl)
Date: Sun, 16 Jun 2002 03:30:28 +0200
Subject: why compact.c needed ?
In-Reply-To:
References:
Message-ID: <20020616013028.GA1046@faui02>

On Sat, Jun 15, 2002 at 07:26:28PM +0000, dsa main wrote:
> "bug-compatibility" - Does it mean taking care of the
> bugs in ssh clients (older openssh versions and other implementations)?

yes, all kinds of bugs and old drafts of the protocol.

From phil-openssh-unix-dev at ipal.net Mon Jun 17 01:24:28 2002
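The mechanism behind the "datafellows" checks asked about in the thread above is a lookup table: the peer's version string is matched against patterns, the matching entry's flag bits are kept, and protocol code tests those bits where a known peer bug or old draft must be tolerated. The following is an added example of that mechanism, not OpenSSH's compat.c; the patterns, the `Bug` flag names and the MAC-length check are constructed illustrations and do not correspond to OpenSSH's table or flag values.

```python
"""How a bug-compatibility table works (added illustration, not compat.c)."""
import enum
from fnmatch import fnmatchcase
from typing import List, Tuple


class Bug(enum.IntFlag):
    """Hypothetical bug flags; one bit each so entries can combine them."""
    NONE = 0
    OLD_SESSIONID = 1   # peer derives the session id as an old draft did
    SHORT_MAC = 2       # peer truncates the MAC to 16 bytes
    OLD_DRAFT_KEX = 4   # peer follows an earlier key-exchange draft


# (pattern, flags): first match wins, so more specific entries come first.
COMPAT_TABLE: List[Tuple[str, Bug]] = [
    ("ExampleSSH-1.0*", Bug.OLD_SESSIONID | Bug.OLD_DRAFT_KEX),
    ("ExampleSSH-1.[1-2]*", Bug.OLD_SESSIONID),
    ("ExampleSSH-1.3.[0-4]", Bug.SHORT_MAC),
    ("ExampleSSH*", Bug.NONE),
]


def software_from_banner(banner: str) -> str:
    """'SSH-2.0-ExampleSSH-1.3.2 comment' -> 'ExampleSSH-1.3.2'."""
    proto, _, rest = banner.strip().partition("-")    # 'SSH'
    version, _, software = rest.partition("-")         # '2.0'
    if proto != "SSH" or not version:
        raise ValueError("not an SSH identification string")
    return software.split(" ", 1)[0]


def datafellows(remote_version: str) -> Bug:
    """Flags for a peer, looked up from the software part of its banner."""
    for pattern, flags in COMPAT_TABLE:
        if fnmatchcase(remote_version, pattern):
            return flags
    return Bug.NONE


def expected_mac_len(remote_version: str, mac_len: int) -> int:
    """A code path consulting the bits: accept a truncated MAC only for a
    peer whose version matched a SHORT_MAC entry, never for anyone else."""
    if datafellows(remote_version) & Bug.SHORT_MAC:
        return min(mac_len, 16)
    return mac_len


if __name__ == "__main__":
    for banner in ("SSH-2.0-ExampleSSH-1.0.9", "SSH-2.0-ExampleSSH-1.3.2",
                   "SSH-2.0-OpenSSH_3.2.3p1"):
        sw = software_from_banner(banner)
        print(f"{sw:24s} flags={datafellows(sw)!r} mac={expected_mac_len(sw, 20)}")
```

The bitmask is selected by a string the peer chooses, so every relaxation keyed on it is reachable by any peer that sends a matching banner; that is the reason to keep such a table narrow and each relaxed check as small as the known bug requires.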
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Sun, 16 Jun 2002 10:24:28 -0500
Subject: multiple definition of `optind'
Message-ID: <20020616152428.GA7739@vega.ipal.net>

Any ideas of the best way around this problem? Should I just hack the source code, or is there a magic switch somewhere I'm missing? I'm assuming I can't just dismiss that function as OpenSSH is probably based on the OpenBSD semantics.

=============================================================================
gcc -g -O2 -Wall -Wno-uninitialized -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c clientloop.c
gcc -o ssh ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o -static -L. -Lopenbsd-compat -lssh -lopenbsd-compat -lutil -lz -lnsl -lcrypto -lcrypt
/usr/lib/libc.a(getopt.o): In function `store_args_and_env':
/tmp/glibc-2.2.3/posix/getopt.c(.data+0x0): multiple definition of `optind'
openbsd-compat/libopenbsd-compat.a(getopt.o)(.data+0x4):/home/root/src/openssh-3.2.3p1/tmp/openssh-3.2.3p1/openbsd-compat/getopt.c: first defined here
/usr/lib/libc.a(getopt.o): In function `store_args_and_env':
/tmp/glibc-2.2.3/posix/getopt.c:271: multiple definition of `opterr'
openbsd-compat/libopenbsd-compat.a(getopt.o)(.data+0x0):/home/root/src/openssh-3.2.3p1/tmp/openssh-3.2.3p1/openbsd-compat/getopt.c: first defined here
collect2: ld returned 1 exit status
make: *** [ssh] Error 1
make failed
=============================================================================

--
-----------------------------------------------------------------
| Phil Howard - KA9WGN | Dallas | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/ |
-----------------------------------------------------------------

From mouring at etoh.eviladmin.org Mon Jun 17 03:17:15 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sun, 16 Jun 2002 12:17:15 -0500 (CDT)
Subject: multiple definition of `optind'
In-Reply-To: <20020616152428.GA7739@vega.ipal.net>
Message-ID:

On Sun, 16 Jun 2002, Phil Howard wrote:

> Any ideas of the best way around this problem? Should I just hack the
> source code, or is there a magic switch somewhere I'm missing? I'm
> assuming I can't just dismiss that function as OpenSSH is probably
> based on the OpenBSD semantics.
>

No the issue is that your platform lacks a usable getopts with an optreset. Plus you are trying to compile statically.

Try the attached patch. Let me know if it fixes it. It was presented as part of the Mint platform patches.

- Ben

-------------- next part --------------
diff -u -r openssh-3.2.3p1.orig/defines.h openssh-3.2.3p1/defines.h --- openssh-3.2.3p1.orig/defines.h Thu Apr 25 19:56:06 2002 +++ openssh-3.2.3p1/defines.h Sun Jun 2 18:25:20 2002 @@ -417,7 +417,18 @@ #endif #ifndef HAVE_GETOPT_OPTRESET -#define getopt(ac, av, o) BSDgetopt(ac, av, o) +# undef getopt +# undef opterr +# undef optind +# undef optopt +# undef optreset +# undef optarg +# define getopt(ac, av, o) BSDgetopt(ac, av, o) +# define opterr BSDopterr +# define optind BSDoptind +# define optopt BSDoptopt +# define optreset BSDoptreset +# define optarg BSDoptarg #endif /* In older versions of libpam, pam_strerror takes a single argument */ diff -u -r openssh-3.2.3p1.orig/openbsd-compat/getopt.c openssh-3.2.3p1/openbsd-compat/getopt.c --- openssh-3.2.3p1.orig/openbsd-compat/getopt.c Mon Sep 17 23:34:34 2001 +++ openssh-3.2.3p1/openbsd-compat/getopt.c Sun Jun 2 17:37:10 2002 
@@ -42,11 +42,11 @@ #include #include -int opterr = 1, /* if error message should be printed */ - optind = 1, /* index into parent argv vector */ - optopt, /* character checked for validity */ - optreset; /* reset getopt */ -char *optarg; /* argument associated with option */ +int BSDopterr = 1, /* if error message should be printed */ + BSDoptind = 1, /* index into parent argv vector */ + BSDoptopt, /* character checked for validity */ + BSDoptreset; /* reset getopt */ +char *BSDoptarg; /* argument associated with option */ #define BADCH (int)'?' #define BADARG (int)':' 
@@ -66,57 +66,57 @@ static char *place = EMSG; /* option letter processing */ char *oli; /* option letter list index */ - if (optreset || !*place) { /* update scanning pointer */ - optreset = 0; - if (optind >= nargc || *(place = nargv[optind]) != '-') { + if (BSDoptreset || !*place) { /* update scanning pointer */ + BSDoptreset = 0; + if (BSDoptind >= nargc || *(place = nargv[BSDoptind]) != '-') { place = EMSG; return (-1); } if (place[1] && *++place == '-') { /* found "--" */ - ++optind; + ++BSDoptind; place = EMSG; return (-1); } } /* option letter okay? */ - if ((optopt = (int)*place++) == (int)':' || - !(oli = strchr(ostr, optopt))) { + if ((BSDoptopt = (int)*place++) == (int)':' || + !(oli = strchr(ostr, BSDoptopt))) { /* * if the user didn't specify '-' as an option, * assume it means -1. */ - if (optopt == (int)'-') + if (BSDoptopt == (int)'-') return (-1); if (!*place) - ++optind; - if (opterr && *ostr != ':') + ++BSDoptind; + if (BSDopterr && *ostr != ':') (void)fprintf(stderr, - "%s: illegal option -- %c\n", __progname, optopt); + "%s: illegal option -- %c\n", __progname, BSDoptopt); return (BADCH); } if (*++oli != ':') { /* don't need argument */ - optarg = NULL; + BSDoptarg = NULL; if (!*place) - ++optind; + ++BSDoptind; } else { /* need an argument */ if (*place) /* no white space */ - optarg = place; - else if (nargc <= ++optind) { /* no arg */ + BSDoptarg = place; + else if (nargc <= ++BSDoptind) { /* no arg */ place = EMSG; if (*ostr == ':') return (BADARG); - if (opterr) + if (BSDopterr) (void)fprintf(stderr, "%s: option requires an argument -- %c\n", - __progname, optopt); + __progname, BSDoptopt); return (BADCH); } else /* white space */ - optarg = nargv[optind]; + BSDoptarg = nargv[BSDoptind]; place = EMSG; - ++optind; + ++BSDoptind; } - return (optopt); /* dump back option letter */ + return (BSDoptopt); /* dump back option letter */ } #endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */ From phil-openssh-unix-dev at ipal.net Mon Jun 
17 10:16:40 2002 
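Review bot: in the defines.h hunk, `# define optind BSDoptind` and its sibling object-like macros rename every later occurrence of those identifiers, so whether another object file ever sees a declaration of BSDoptind depends on a libc header's `extern int optind;` being included after defines.h; add explicit declarations beside the macros (`extern int BSDopterr, BSDoptind, BSDoptopt, BSDoptreset;` and `extern char *BSDoptarg;`) so linking does not rest on include order. The `# undef` lines are harmless hygiene for the case where a system header defined one of these names as a macro, and the function-like `getopt(ac, av, o)` form will not catch a bare `getopt` taken as a function pointer, which is worth a comment if no caller does that.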
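Review bot: in the first getopt.c hunk the two `#include` context lines carry no header names (the angle-bracketed names were evidently stripped when the mail was archived), so the patch as shown here will not apply cleanly to openbsd-compat/getopt.c; whoever merges it needs the original attachment or must recreate those context lines. The rename of the five globals is otherwise complete, but since the defines.h macros already map opterr/optind/optopt/optreset/optarg to the BSD names, a one-line comment here saying the BSD-prefixed spelling is the canonical one would stop the two files from drifting apart later.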
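Review bot: the closing `#endif /* !defined(HAVE_GETOPT) || !defined(HAVE_OPTRESET) */` in the second getopt.c hunk shows this file is compiled under a different condition from the `#ifndef HAVE_GETOPT_OPTRESET` guard in the defines.h hunk; if the two ever disagree, the macros point at BSDoptind with no definition behind them (undefined symbol at link), or BSDgetopt is compiled while callers still reach libc's getopt and the duplicate-symbol error from the original report returns in static links. Suggest having defines.h and getopt.c test the same configure macro. The mechanical renames inside BSDgetopt look complete, and leaving `__progname` untouched is right since it is not one of the clashing symbols.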
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Sun, 16 Jun 2002 19:16:40 -0500
Subject: multiple definition of `optind'
In-Reply-To:
References: <20020616152428.GA7739@vega.ipal.net>
Message-ID: <20020617001640.GB7739@vega.ipal.net>

On Sun, Jun 16, 2002 at 12:17:15PM -0500, Ben Lindstrom wrote:
| On Sun, 16 Jun 2002, Phil Howard wrote:
|
| > Any ideas of the best way around this problem? Should I just hack the
| > source code, or is there a magic switch somewhere I'm missing? I'm
| > assuming I can't just dismiss that function as OpenSSH is probably
| > based on the OpenBSD semantics.
| >
|
| No the issue is that your platform lacks a usable getopts with an optreset.

I can believe that. It's got GNU libc ... very buggy. Got another libc for Linux that works better?

| Plus you are trying to compile statically.

Yes. That's to get around problems with OpenSSL clobbering its own libraries every time it is installed because of the fact that the libraries it builds don't have distinguishing version numbers on them for the various "lettered versions" they release. So when installing "0.9.6d" it clobbers the library for "0.9.6c" because the actual built library was just "0.9.6". The fact that the installation program it uses opens, truncates, and writes the library ... as opposed to creating a new file and renaming it into place ... just makes it worse.

Even with the strategy of having extra sshd processes listening on alternate ports so I still have a way into the machine when I kill off one to restart that port with the new version, it still does no good if the executables (I can get around this by making copies) or libraries (no easy to maintain way around this that I can see) get clobbered. I've gotten around the executables getting clobbered by manually making copies named distinct for each port (useful for using the killall command now).
But the libraries getting clobbered is still an issue, and statically linking I believe will solve this and a few minor issues as well.

| Try the attached patch. Let me know if it fixes it. It was presented as
| part of the Mint platform patches.

What is a "Mint platform"?

The patch applies, compilation and linking work, and the "ssh" executable now runs. Of course these are now fat executables, but I now see the sweet words "not a dynamic executable" from ldd. Normally I would want that, but this is one of the cases where I don't. Having to run to the system console is a very costly thing (miles away).

--
-----------------------------------------------------------------
| Phil Howard - KA9WGN | Dallas | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/ |
-----------------------------------------------------------------

From amarpal.singh at ip-unity.com Mon Jun 17 14:00:17 2002
From: amarpal.singh at ip-unity.com (Amarpal Singh)
Date: Sun, 16 Jun 2002 21:00:17 -0700
Subject: Private key encryption by Passphrase
In-Reply-To: <20020615061506.GA14412@folly>
Message-ID: <012f01c215b3$7ec2cc60$25b4a8c0@COSMOS>

Does this encryption need a symmetric key? Who provides that? Can that be chosen by the user?

On page 92 of Barrett & Richards' book "SSH, The Secure Shell, The Definitive Guide" I see that OpenSSH doesn't support all the Ciphers. Do you have a list of Ciphers supported by OpenSSH 3.1 for encryption?

Thanks
Amarpal.

-----Original Message-----
From: Markus Friedl [mailto:markus at openbsd.org]
Sent: Friday, June 14, 2002 11:15 PM
To: Amarpal Singh
Cc: openssh-unix-dev at mindrot.org
Subject: Re: Private key encryption by Passphrase

> What kind of encryption does ssh-keygen use for OpenSSH, SSH1 and SSH2?

different modes of 3des, depending on the protocol.

> Another question: OpenSSH doesn't support all the ciphers of either SSH-1 or
> SSH-2? So I assume it doesn't work exhaustively with the SSH1 or SSH2
> clients?

it supports all REQUIRED ciphers and many more

From mouring at etoh.eviladmin.org Mon Jun 17 16:23:19 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 17 Jun 2002 01:23:19 -0500 (CDT)
Subject: multiple definition of `optind'
In-Reply-To: <20020617001640.GB7739@vega.ipal.net>
Message-ID:

On Sun, 16 Jun 2002, Phil Howard wrote:

> On Sun, Jun 16, 2002 at 12:17:15PM -0500, Ben Lindstrom wrote:
>
> | On Sun, 16 Jun 2002, Phil Howard wrote:
> |
> | > Any ideas of the best way around this problem? Should I just hack the
> | > source code, or is there a magic switch somewhere I'm missing? I'm
> | > assuming I can't just dismiss that function as OpenSSH is probably
> | > based on the OpenBSD semantics.
> | >
> |
> | No the issue is that your platform lacks a usable getopts with an optreset.
>
> I can believe that. It's got GNU libc ... very buggy. Got another
> libc for Linux that works better?
>

Honestly if I could I would force the whole Linux community back to libc 5 and bring it down a standard BSD libc path. But that is neither here nor there.

[..Removed OpenSSL rantings which is just preaching to the converted..]

> | Try the attached patch. Let me know if it fixes it. It was presented as
> | part of the Mint platform patches.
>
> What is a "Mint platform"?
>

Yet another OS. Never used it myself, and doubtful I ever will, but they lack dynamic linking according to the patch's author.

> The patch applies, compilation and linking work, and the "ssh" executable
> now runs. Of course these are now fat executables, but I now see the
> sweet words "not a dynamic executable" from ldd. Normally I would want
> that, but this is one of the cases where I don't. Having to run to the
> system console is a very costly thing (miles away).
>

Good. I'll put it on the list of patches to merge after I spend a bit more time looking at it to ensure correctness.

- Ben

From phil-openssh-unix-dev at ipal.net Mon Jun 17 16:57:28 2002
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Mon, 17 Jun 2002 01:57:28 -0500
Subject: multiple definition of `optind'
In-Reply-To:
References: <20020617001640.GB7739@vega.ipal.net>
Message-ID: <20020617065728.GA30884@vega.ipal.net>

On Mon, Jun 17, 2002 at 01:23:19AM -0500, Ben Lindstrom wrote:
| > The patch applies, compilation and linking work, and the "ssh" executable
| > now runs. Of course these are now fat executables, but I now see the
| > sweet words "not a dynamic executable" from ldd. Normally I would want
| > that, but this is one of the cases where I don't. Having to run to the
| > system console is a very costly thing (miles away).
| >
|
| Good. I'll put it on the list of patches to merge after I spend a bit
| more time looking at it to ensure correctness.

I'll be giving the compiled results a little more shakeout in the next 24 hours as I do the installs on a few machines (and take a road trip to recover the hosed box, which fortunately is still doing its thing, but without any SSH daemons).

--
-----------------------------------------------------------------
| Phil Howard - KA9WGN | Dallas | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/ |
-----------------------------------------------------------------

From hari at isofttechindia.com Mon Jun 17 20:34:14 2002
From: hari at isofttechindia.com (Hari) Date: Mon, 17 Jun 2002 16:04:14 +0530 Subject: ssh hang on wrong port - is it a bug ? In-Reply-To: <3D06122B.78CB9B83@zip.com.au> Message-ID: As seen below, telnet and ftp sessions do not hang on wrong port no. They just print the ssh banner and exit. Wouldn't this be expected for ssh too, to exit when they get connected to a wrong server. As for the client time out, can this be provided as a configurable option (with some low default values), so that ssh clients do not hang infinitely on a wrong port. For those with slow links, they could consider increasing the time-out. Thanks, Hari [hari at linux hari]$ telnet 192.168.0.32 22 Trying 192.168.0.32... Connected to netra (192.168.0.32). Escape character is '^]'. SSH-2.0-3.0.1 SSH Secure Shell (non-commercial) Connection closed by foreign host. [hari at linux hari]$ ftp 192.168.0.32 22 Connected to 192.168.0.32. SSH-2.0-3.0.1 SSH Secure Shell (non-commercial) ftp> pwd Not connected. ftp> > -----Original Message----- 
> From: Darren Tucker [mailto:dtucker at zip.com.au] > Sent: 11 June 2002 08:37 > To: hari at isofttechindia.com > Cc: openssh-unix-dev at mindrot.org > Subject: Re: ssh hang on wrong port - is it a bug ? > > > > Hari wrote: > > ssh client program seems to hang when specified a wrong port no (port > > on which some other server, like telnetd is running). > > Don't do that, then. > > > "netstat -an" shows the connection is established. > > I expect the ssh program to report invalid server msg and exit. > > Is this a bug or known behaviour ??? > > ssh is probably waiting for the SSH server banner. telnetd is probably > waiting for a response to telnet option negotiation. Stalemate. > > A quick experiment here shows the same behaviour for ftp & http servers. > I expected it for http (it doesn't say anything when you connect so is > indistinguishable from a slow ssh server) but I would have thought the > ftp server banner would have caused ssh to abort (like sshd does). > > -- > Darren Tucker (dtucker at zip.com.au) > GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. From phil-openssh-unix-dev at ipal.net Mon Jun 17 21:33:29 2002
From: phil-openssh-unix-dev at ipal.net (Phil Howard) Date: Mon, 17 Jun 2002 06:33:29 -0500 Subject: ssh hang on wrong port - is it a bug ? In-Reply-To: References: <3D06122B.78CB9B83@zip.com.au> Message-ID: <20020617113329.GB9957@vega.ipal.net> On Mon, Jun 17, 2002 at 04:04:14PM +0530, Hari wrote: | As seen below, telnet and ftp sessions do not hang on wrong port no. | They just print the ssh banner and exit. They don't exit; they wait for user input. If everything were set up right, and you knew the protocol and could do the math in your head, you could type stuff in to telnet when it connects to port 22 and carry on the SSH protocol through the telnet client. If you could silence the other junk and had everything set up for 8-bit clean transmission, you could get SSH to make a connection to a port which would fire up telnet (you can do this in inetd, for example) to another port that really runs sshd, you could make them talk. | Wouldn't this be expected for ssh too, to exit when they get connected to a | wrong server. As the prior explanation mentioned, the mixed protocol negotiation sequence led to a deadlock. 1. ssh connects to port 23 2. telnetd sends some negotiation option (no CRLF) 3. ssh gets some data, but hasn't seen CRLF yet, so keeps collecting 4. telnetd waits for response to negotiation option(s) 5. ssh waits for CRLF to finish banner before it parses it 6. goto 4 | As for the client time out, can this be provided as a configurable option | (with some low default values), so that ssh clients do not hang infinitely | on a wrong port. For those with slow links, they could consider increasing | the time-out. Presumably, it is unlikely a script (such as a cron job) would try to connect to the wrong port. If the script were coded in error in that regard, you kill the processes, fix the script, and try again. That leaves a human to accidentally type the wrong number. But the human can press Ctrl-C and try again.
I made a connection with my OpenSSH 3.2.3p1 client to my FTP server with the time command, and let it sit a while. The server side did the timeout in 5 minutes. I see no problem here. ============================================================================= phil at antares:/home/phil 32> time ssh -p 21 -l phil vega.ipal.net ssh_exchange_identification: Connection closed by remote host 0.010u 0.000s 5:01.19 0.0% (0t+0ds 0avg 0max)k 0i+0o (345maj+85min)pf 0 swap phil at antares:/home/phil 33> ============================================================================= | [hari at linux hari]$ telnet 192.168.0.32 22 | Trying 192.168.0.32... | Connected to netra (192.168.0.32). | Escape character is '^]'. | SSH-2.0-3.0.1 SSH Secure Shell (non-commercial) It's in the nature of the telnet client to output whatever is sent to it. So it does that and waits. | Connection closed by foreign host. | [hari at linux hari]$ ftp 192.168.0.32 22 | Connected to 192.168.0.32. | SSH-2.0-3.0.1 SSH Secure Shell (non-commercial) | ftp> pwd | Not connected. | ftp> It's in the nature of most FTP clients to output the banner they receive, and maybe even all responses on the control connection, which is a text-line-oriented protocol. Since it got what looks like a banner from sshd (thinking it was from ftpd), it outputs it like it's supposed to. Then when it sends something else, sshd disconnects abruptly (not conforming to the FTP protocol) and the ftp client reports the lack of connection. -- ----------------------------------------------------------------- | Phil Howard - KA9WGN | Dallas | http://linuxhomepage.com/ | | phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/ | ----------------------------------------------------------------- From dtucker at zip.com.au Mon Jun 17 21:43:43 2002 
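The deadlock Phil spells out above, as an added example that is neither OpenSSH's nor any poster's code: a reader for the server's identification string that takes bytes as they arrive, ignores the non-"SSH-" lines the protocol allows a server to send before its version string (which is why an FTP "220" greeting is swallowed and the wait simply continues), and stays in NEED_MORE on telnetd's option-negotiation bytes because no CRLF ever follows them; a select()-bounded wrapper turns that silence into a timeout rather than the indefinite hang Hari asked about. The 255-byte line limit, the cap on ignored lines, and the constructed server bytes in main() are assumptions made for this example.

```c
/* Added example, not OpenSSH code: consuming the SSH identification string,
 * and why a telnetd or httpd on the far end makes the client wait forever
 * unless the wait is bounded. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

enum banner_status { BANNER_NEED_MORE, BANNER_OK, BANNER_BAD, BANNER_TIMEOUT };

#define BANNER_MAX_LINE  255 /* longest identification line accepted (assumption) */
#define BANNER_MAX_LINES 8   /* non-"SSH-" lines tolerated before giving up (assumption) */

struct banner_state {
    char   line[BANNER_MAX_LINE + 1];
    size_t len;          /* bytes of the current, still unterminated line */
    int    ignored;      /* lines seen that did not start with "SSH-" */
    char   version[16];  /* "2.0" once BANNER_OK */
    char   software[64]; /* "OpenSSH_3.2.3p1" once BANNER_OK */
};

static void banner_init(struct banner_state *st) { memset(st, 0, sizeof *st); }

/* One complete line (CR/LF already stripped) is waiting in st->line. */
static enum banner_status banner_line(struct banner_state *st)
{
    if (strncmp(st->line, "SSH-", 4) != 0) {
        /* A server may send arbitrary lines before its version string, so an
         * FTP "220 ..." greeting is dropped here and we keep waiting. */
        st->len = 0;
        return ++st->ignored > BANNER_MAX_LINES ? BANNER_BAD : BANNER_NEED_MORE;
    }
    const char *v = st->line + 4, *dash = strchr(v, '-');
    if (dash == NULL || dash == v || (size_t)(dash - v) >= sizeof st->version)
        return BANNER_BAD;
    memcpy(st->version, v, (size_t)(dash - v));
    st->version[dash - v] = '\0';
    const char *sw = dash + 1;
    size_t swlen = strcspn(sw, " ");  /* software name ends at the optional comment */
    if (swlen == 0 || swlen >= sizeof st->software)
        return BANNER_BAD;
    memcpy(st->software, sw, swlen);
    st->software[swlen] = '\0';
    return BANNER_OK;
}

/* Feed bytes as they come off the socket; any chunking is fine. */
enum banner_status banner_feed(struct banner_state *st, const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = buf[i];
        if (c == '\n') {
            st->line[st->len] = '\0';
            enum banner_status s = banner_line(st);
            if (s != BANNER_NEED_MORE)
                return s;
        } else if (c != '\r') {       /* accept bare LF as well as CRLF */
            if (st->len >= BANNER_MAX_LINE)
                return BANNER_BAD;    /* no identification line is this long */
            st->line[st->len++] = (char)c;
        }
    }
    /* No newline yet: telnetd's IAC bytes and a silent httpd both land here. */
    return BANNER_NEED_MORE;
}

/* Read the banner from fd, giving up after timeout_ms without any new bytes. */
enum banner_status banner_read_fd(int fd, int timeout_ms, struct banner_state *st)
{
    for (;;) {
        fd_set r;
        struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
        FD_ZERO(&r);
        FD_SET(fd, &r);
        int rc = select(fd + 1, &r, NULL, NULL, &tv);
        if (rc == 0)
            return BANNER_TIMEOUT;    /* the bounded wait Hari asked for */
        if (rc < 0 && errno == EINTR)
            continue;
        unsigned char buf[256];
        ssize_t got = rc < 0 ? -1 : read(fd, buf, sizeof buf);
        if (got <= 0)
            return BANNER_BAD;        /* error, or peer closed (as sshd does to ftp) */
        enum banner_status s = banner_feed(st, buf, (size_t)got);
        if (s != BANNER_NEED_MORE)
            return s;
    }
}

int main(void)
{
    /* Constructed byte streams standing in for three servers on "the wrong port". */
    static const struct { const char *who, *bytes; } srv[] = {
        { "telnetd", "\xff\xfd\x18\xff\xfd\x1f" },          /* IAC DO TERMINAL-TYPE, IAC DO NAWS */
        { "ftpd",    "220 ProFTPD 1.2.4 Server ready.\r\n" },
        { "sshd",    "SSH-2.0-OpenSSH_3.2.3p1\r\n" },
    };
    static const char *name[] = { "NEED_MORE (still waiting)", "OK", "BAD", "TIMEOUT" };
    for (size_t i = 0; i < 3; i++) {
        struct banner_state st;
        banner_init(&st);
        enum banner_status s = banner_feed(&st, (const unsigned char *)srv[i].bytes, strlen(srv[i].bytes));
        printf("%-8s %s version=%s software=%s\n", srv[i].who, name[s], st.version, st.software);
    }
    return 0;
}
```

Run stand-alone it prints one line per constructed server; the telnetd and ftpd cases both come back still waiting, which is the hang seen in the thread, and only the sshd line yields a parsed version. The per-read timeout in banner_read_fd is what converts the telnetd case into an error the caller can report.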
From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 17 Jun 2002 21:43:43 +1000 Subject: ssh hang on wrong port - is it a bug ? References: Message-ID: <3D0DCB6F.4847A188@zip.com.au> Hari wrote: > As seen below, telnet and ftp sessions do not hang on wrong port no. > They just print the ssh banner and exit. Actually, telnet *will* hang after printing the SSH banner. sshd only disconnects you if you press enter (and thus violate the SSH protocol). Telnetting into an FTP server prints the banner and hangs. FTPing into a telnet server fails to log in but keeps the connection open. So what? > Wouldn't this be expected for ssh too, to exit when they get connected to a > wrong server. I don't see why this is a big deal. You have to manually override the default or willfully misconfigure it in order to see this behaviour. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From gem at rellim.com Tue Jun 18 04:05:27 2002 
From: gem at rellim.com (Gary E. Miller) Date: Mon, 17 Jun 2002 11:05:27 -0700 (PDT) Subject: ssh hang on wrong port - is it a bug ? In-Reply-To: <3D0DCB6F.4847A188@zip.com.au> Message-ID: Yo Darren! On Mon, 17 Jun 2002, Darren Tucker wrote: > Telnetting into an FTP server prints the banner and hangs. Uh no. I have many times telneted in to an FTP server for debugging. FTP is just looking for ASCII commands. If you type the right things then it will just work. root at ratbert:~# telnet localhost ftp Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 ProFTPD 1.2.4 Server (ProFTPD Default Installation) [ratbert.rellim.com] USER gem 331 Password required for gem. PASS !Kimmy7 230 User gem logged in. RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 From Nicolas.Williams at ubsw.com Tue Jun 18 04:45:38 2002 From: Nicolas.Williams at ubsw.com (Nicolas.Williams at ubsw.com) Date: Mon, 17 Jun 2002 14:45:38 -0400 Subject: ssh hang on wrong port - is it a bug ? Message-ID: <17D3D857B26112409EA372EB0AFE39DD125EB3@NSTMC005PEX1.ubsgs.ubsgroup.net> % telnet localhost ftp Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 foobar FTP server (Version 5.60) ready. ^]quit Like Darren Tucker claims, FTPD prints the FTP banner and waits, so of course, the telnet client "hangs;" it hangs waiting for you, the user, to do something. I chose to quit the session, as you can see. You chose to log in. Nico -- > -----Original Message----- 
> From: Gary E. Miller [mailto:gem at rellim.com] > Sent: Monday, June 17, 2002 2:05 PM > To: Darren Tucker > Cc: openssh-unix-dev at mindrot.org > Subject: Re: ssh hang on wrong port - is it a bug ? > > > Yo Darren! > > On Mon, 17 Jun 2002, Darren Tucker wrote: > > > Telnetting into an FTP server prints the banner and hangs. > > Uh no. I have many times telneted in to an FTP server for debugging. > > FTP is just looking for ASCII commands. If you type the > right things then > it will just work. > > root at ratbert:~# telnet localhost ftp > Trying 127.0.0.1... > Connected to localhost. > Escape character is '^]'. > 220 ProFTPD 1.2.4 Server (ProFTPD Default Installation) > [ratbert.rellim.com] > USER gem > 331 Password required for gem. > PASS !Kimmy7 > 230 User gem logged in. > > RGDS > GARY > -------------------------------------------------------------- > ------------- > Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701 > gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > Visit our website at http://www.ubswarburg.com This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. 
This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. From dtucker at zip.com.au Tue Jun 18 10:38:46 2002 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 18 Jun 2002 10:38:46 +1000 Subject: ssh hang on wrong port - is it a bug ? References: Message-ID: <3D0E8116.30B0411A@zip.com.au> "Gary E. Miller" wrote: > On Mon, 17 Jun 2002, Darren Tucker wrote: > > Telnetting into an FTP server prints the banner and hangs. > > Uh no. I have many times telneted in to an FTP server for debugging. That's because you know the FTP protocol. What I was getting at is that to a user who doesn't, the telnet session "hangs" (i.e. no "login:" prompt). Telnet didn't disconnect just because it didn't find a telnet server. > FTP is just looking for ASCII commands. If you type the right things then > it will just work. OK, let's see you do an active-mode file transfer using only telnet :-) My original point? ssh's behaviour is consistent with clients of other protocols. FWIW, I don't think it's worth protecting a user who deliberately misconfigures ssh from having to hit CTRL-C if it means providing another failure mode for a slow but otherwise valid connection. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From gem at rellim.com Tue Jun 18 10:52:22 2002
From: gem at rellim.com (Gary E. Miller) Date: Mon, 17 Jun 2002 17:52:22 -0700 (PDT) Subject: ssh hang on wrong port - is it a bug ? In-Reply-To: <3D0E8116.30B0411A@zip.com.au> Message-ID: Yo Darren! On Tue, 18 Jun 2002, Darren Tucker wrote: > That's because you know the FTP protocol. What I was getting that is to > a user who doesn't, the telnet session "hangs" (ie no "login:" prompt). > Telnet didn't disconnect just because it didn't find a telnet server. If telnet gets an RST on connect (a subset of not finding a server) then it does disconnect. If telnet does not get a SYN-ACK in a short while (a subset of not finding a server) then it does disconnect. This is usually about 2 minutes. > OK, let's see you do an active-mode file transfer using only telnet :-) Trivial, if you really know FTP In session one: hobbes:/usr/local/netsaint/var# telnet ratbert ftp Trying 216.228.186.178... Connected to ratbert.rellim.com. Escape character is '^]'. USER ge220 ProFTPD 1.2.4 Server (ProFTPD Default Installation) [ratbert.rellim.com] m 331 Password required for gem. PASS ******** 230 User gem logged in. PASV 227 Entering Passive Mode (216,228,186,178,222,152). RETR /etc/issue 150 Opening ASCII mode data connection for /etc/issue (24 bytes). 226 Transfer complete. In session 2: hobbes:/usr/local/src/OpenOffice# telnet ratbert 56984 Trying 216.228.186.178... Connected to ratbert.rellim.com. Escape character is '^]'. Welcome to \s \r (\l) Connection closed by foreign host. > My original point? ssh's behaviour is consistent with clients of other > protocols. Agreed. > FWIW, I don't think it's worth protecting a user who deliberately > misconfigures ssh from having to hit CTRL-C if it means providing > another failure mode for a slow but otherwise valid connection. Agreed. RGDS GARY --------------------------------------------------------------------------- Gary E. 
Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 From dtucker at zip.com.au Tue Jun 18 11:08:45 2002 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 18 Jun 2002 11:08:45 +1000 Subject: ssh hang on wrong port - is it a bug ? References: Message-ID: <3D0E881D.A98EEAC2@zip.com.au> "Gary E. Miller" wrote: [snip] > > OK, let's see you do an active-mode file transfer using only telnet :-) > > Trivial, if you really know FTP You used passive mode. I specified active mode. Care to try again? [snip example] -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From bugzilla-daemon at mindrot.org Tue Jun 18 11:17:59 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 18 Jun 2002 11:17:59 +1000 (EST) Subject: [Bug 254] Problems building. Message-ID: <20020618011759.4F48CE8FF@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=254 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From dtucker at zip.com.au 2002-06-18 11:17 ------- After many emails, there turned out to be two problems: 1) Symlinks to libcrypto.so in /lib but no symlink to openssl include files, causing compile failure of configure test. 2) Different versions of shared and static libraries in /usr/local/ssl/lib. The shared libraries were older, so when they got linked in there was an ssl version mismatch. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From mouring at etoh.eviladmin.org Tue Jun 18 12:47:31 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 17 Jun 2002 21:47:31 -0500 (CDT) Subject: ssh hang on wrong port - is it a bug ? In-Reply-To: <3D0E881D.A98EEAC2@zip.com.au> Message-ID: Can I put this bluntly without hurting people's feeling? WHO THE FUCK CARES! =) - Ben On Tue, 18 Jun 2002, Darren Tucker wrote: > "Gary E. Miller" wrote: > [snip] > > > OK, let's see you do an active-mode file transfer using only telnet :-) > > > > Trivial, if you really know FTP > > You used passive mode. I specified active mode. Care to try again? > > [snip example] > > -- > Darren Tucker (dtucker at zip.com.au) > GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From gert at greenie.muc.de Tue Jun 18 15:55:09 2002 
From: gert at greenie.muc.de (Gert Doering) Date: Tue, 18 Jun 2002 07:55:09 +0200 Subject: ssh hang on wrong port - is it a bug ? In-Reply-To: <3D0E8116.30B0411A@zip.com.au>; from dtucker@zip.com.au on Tue, Jun 18, 2002 at 10:38:46AM +1000 References: <3D0E8116.30B0411A@zip.com.au> Message-ID: <20020618075508.M18764@greenie.muc.de> Hi, On Tue, Jun 18, 2002 at 10:38:46AM +1000, Darren Tucker wrote: > "Gary E. Miller" wrote: > > On Mon, 17 Jun 2002, Darren Tucker wrote: > > > Telnetting into an FTP server prints the banner and hangs. > > > > Uh no. I have many times telneted in to an FTP server for debugging. > > That's because you know the FTP protocol. What I was getting that is to > a user who doesn't, the telnet session "hangs" (ie no "login:" prompt). > Telnet didn't disconnect just because it didn't find a telnet server. There's a small but significant difference: telnet can be used to talk to the FTP server, or send out an e-mail over SMTP, or whatever. And if you type "quit" at the FTP server prompt, it will disconnect you properly. SSH doesn't do that, it will just hang. > > FTP is just looking for ASCII commands. If you type the right things then > > it will just work. > OK, let's see you do an active-mode file transfer using only telnet :-) With telnet and netcat (for the data connection) it's well possible. > My original point? ssh's behaviour is consistent with clients of other > protocols. It isn't. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From vinschen at redhat.com Tue Jun 18 16:50:16 2002 
From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 18 Jun 2002 08:50:16 +0200 Subject: [PATCH]: auth-passwd.c: Eliminate a Cygwin special case In-Reply-To: <20020614102427.A32371@cygbert.vinschen.de> References: <20020614102427.A32371@cygbert.vinschen.de> Message-ID: <20020618085016.I30892@cygbert.vinschen.de> Hi, did any of the folks with checkin privileges have a look into this? Thanks, Corinna On Fri, Jun 14, 2002 at 10:24:27AM +0200, Corinna Vinschen wrote: > Hi, > > as it turned out on the Cygwin mailing list, the special handling > of empty password in auth-passwd.c when running under Windows NT > results in problems. > > Cause: The authentication method "none" calls auth_password() > with an empty password. A piece of HAVE_CYGWIN code allows empty > passwords even if PermitEmptyPasswords is set to "no". This in > turn results in calling the Windows internal logon routine with > an invalid password, just because the auth method "none" is > enabled. > > Result: Since many NT systems are set so that a couple of invalid > logons lock the account, accounts are suddenly locked, even if the > user never logged on locally. > > Solution: Check for PermitEmptyPassword first also on NT systems. > > This has the additional advantage that we can drop a snippet of > Cygwin special code. Fix below. > > Corinna > > Index: auth-passwd.c > =================================================================== > RCS file: /cvs/openssh_cvs/auth-passwd.c,v > retrieving revision 1.45 > diff -u -p -r1.45 auth-passwd.c > --- auth-passwd.c 15 May 2002 15:59:17 -0000 1.45 > +++ auth-passwd.c 14 Jun 2002 08:15:04 -0000
> @@ -124,13 +124,6 @@ auth_password(Authctxt *authctxt, const > if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) > return 0; > #endif > -#ifdef HAVE_CYGWIN > - /* > - * Empty password is only possible on NT if the user has _really_ > - * an empty password and authentication is done, though. > - */ > - if (!is_winnt) > -#endif > if (*password == '\0' && options.permit_empty_passwd == 0) > return 0; > #ifdef KRB5 > > -- > Corinna Vinschen > Cygwin Developer > Red Hat, Inc. > mailto:vinschen at redhat.com > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From markus at openbsd.org Tue Jun 18 18:57:04 2002 From: markus at openbsd.org (Markus Friedl) Date: Tue, 18 Jun 2002 10:57:04 +0200 Subject: Private key encryption by Passphrase In-Reply-To: <012f01c215b3$7ec2cc60$25b4a8c0@COSMOS> References: <20020615061506.GA14412@folly> <012f01c215b3$7ec2cc60$25b4a8c0@COSMOS> Message-ID: <20020618085704.GA6098@folly> On Sun, Jun 16, 2002 at 09:00:17PM -0700, Amarpal Singh wrote: > Does this encryption need a symmetric key. yes. > Who provides that? the user. > Can that be > chosen by the user? yes. > On page 92 of Barrettt & Richards book "SSH, The Secure Shell, The > Definitive Guide" I see that OpenSSH doesn't support all the Ciphers. Do you > have a list of Ciphers supported by OpenSSH3.1 for encryption? ? From d-b at home.se Tue Jun 18 20:35:54 2002 
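Review bot: deleting the `if (!is_winnt)` guard in the auth_password() hunk above makes the `*password == '\0' && options.permit_empty_passwd == 0` check unconditional, which is the right place to stop the "none" method's empty-password probe before it reaches the Windows logon routine; the side effect the removed comment was documenting, that an NT account whose password really is empty can now only log in with PermitEmptyPasswords yes, should be stated in the commit message so Cygwin packagers are not surprised. The header's counts (13 lines to 6) agree with the seven removed lines and nothing else in the function moves, so there is no further concern from the hunk itself.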
From: d-b at home.se (Daniel Bergman) Date: Tue, 18 Jun 2002 12:35:54 +0200 Subject: NEW: Urgent: OpenSSH_3.0.1p1 disconnects due to bad packet length and corrupted MAC on input. Message-ID: <1024396554.45c662c0d-b@home.se> NEW message w/ URL to zip archive containing debug output. Hi, I'm having huge problems with OpenSSH 3.0.1p1, compiled with OpenSSL 0.9.6b 9 Jul 2001 and running with prngd_0.9.23, it disconnects unexpectedly during client session due to bad packet length and corrupted MAC on input, according to debug anyway. What can cause these kinds of errors? I've verified that both se9104/server and switch run in 100 Mbit full duplex and switch statistics show no collisions at all. I've created a zip archive containing output of several 'ssh -v -v -v se9104' commands that fail with either "Disconnecting: Bad packet length" or "Corrupted MAC on input", client ssh config, server sshd config and server process list. You can download the archive from http://www.pricken.com/temp/OpenSSH-problem.zip Regards, Daniel ============== se9104 SERVER ============== $ uname -a SunOS se9104 5.8 Generic_108528-14 sun4u sparc SUNW,Ultra-80 $ cat /etc/release Solaris 8 1/01 s28s_u3wos_08 SPARC Copyright 2000 Sun Microsystems, Inc. All Rights Reserved. Assembled 28 November 2000 Solaris 8 Maintenance Update 6 applied ============= se2002 CLIENT ============= $ uname -a SunOS se2002 5.7 Generic sun4u sparc SUNW,Ultra-5_10 $ cat /etc/release Solaris 7 s998s_SunServer_21al2b SPARC Copyright 1998 Sun Microsystems, Inc. All Rights Reserved. Assembled 06 October 1998 Regards, Daniel From d-b at home.se Tue Jun 18 20:52:20 2002
From: d-b at home.se (Daniel Bergman) Date: Tue, 18 Jun 2002 12:52:20 +0200 Subject: NEW: Urgent: OpenSSH_3.0.1p1 disconnects due to bad packet length and corrupted MAC on input. Message-ID: <1024397540.456d3600d-b@home.se> !!!NEW message w/ URL to zip archive with debug output Hi, I'm having huge problems with OpenSSH 3.0.1p1, compiled with OpenSSL 0.9.6b 9 Jul 2001 and running with prngd_0.9.23, it disconnects unexpectedly during client session due to bad packet length and corrupted MAC on input, according to debug anyway. What can cause these kinds of errors? I've verified that both se9104/server and switch run in 100 Mbit full duplex and switch statistics show no collisions at all. I've created a zip archive containing output of several 'ssh -v -v -v se9104' commands that fail with either "Disconnecting: Bad packet length" or "Corrupted MAC on input", client ssh config, server sshd config and server process list. Please download the archive and look at the debug messages: http://www.pricken.com/temp/OpenSSH-problem.zip Regards, Daniel ============== se9104 SERVER ============== $ uname -a SunOS se9104 5.8 Generic_108528-14 sun4u sparc SUNW,Ultra-80 $ cat /etc/release Solaris 8 1/01 s28s_u3wos_08 SPARC Copyright 2000 Sun Microsystems, Inc. All Rights Reserved. Assembled 28 November 2000 Solaris 8 Maintenance Update 6 applied ============= se2002 CLIENT ============= $ uname -a SunOS se2002 5.7 Generic sun4u sparc SUNW,Ultra-5_10 $ cat /etc/release Solaris 7 s998s_SunServer_21al2b SPARC Copyright 1998 Sun Microsystems, Inc. All Rights Reserved. Assembled 06 October 1998 -- Daniel Bergman +46 8 639 30 39 SEB IT Service +46 70 289 30 39 Internet Related Technical Services daniel.bergman at seb.se From hari at isofttechindia.com Tue Jun 18 23:51:25 2002
From: hari at isofttechindia.com (Hari) Date: Tue, 18 Jun 2002 19:21:25 +0530 Subject: ssh-keygen hangs with empty prngd.conf - bug ? Message-ID: Hi, I use openssh-2.9p2 on an i386 LynxOS system. Since LynxOS does not have support for /dev/[u]random, I installed openssh with prngd support. It so happened by accident on installation that prngd.conf got truncated to zero size. With prngd running as such, ssh-keygen just hangs. I notice a similar case with sshd, ssh, ... as all these depend on prngd for random numbers. SMMEstack# /usr/sbin/sshd -d -d -d debug1: Seeding random number generator < hang > The hang because of ssh-keygen is important, because the rc boot scripts generate ssh host keys if they are not present. Under such cases, (the first time the system boots), the system boot just hangs on ssh-keygen which should not happen. Isn't this serious? I expect the applications to print an error (report random number not available or timeout) and exit. One other interesting thing to notice is that, prngd consumes extraordinary CPU resources with empty prngd.conf (bug in prngd ???). PID USERNAME TID PRI TEXT STK DATA STATE TIME CPU COMMAND 78 root 66 17 132K 28K 56K ready 5:32 97.69% prngd Thanks, Hari From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Jun 19 00:06:54 2002
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Tue, 18 Jun 2002 16:06:54 +0200 Subject: ssh-keygen hangs with empty prngd.conf - bug ? In-Reply-To: References: Message-ID: <20020618140654.GA28017@serv01.aet.tu-cottbus.de> On Tue, Jun 18, 2002 at 07:21:25PM +0530, Hari wrote: > I use openssh-2.9p2 on an i386 LynxOS system. > Since LynxOS does not have support for /dev/[u]random, I installed openssh > with prngd support. > It so happened by accident on installation that prngd.conf got truncated to > zero size. > With prngd running as such, ssh-keygen just hangs. > I notice a similar case with sshd, ssh, ... as all these depend on prngd for > random numbers. > > SMMEstack# /usr/sbin/sshd -d -d -d > debug1: Seeding random number generator > > < hang > > > The hang because of ssh-keygen is important, because the rc boot scripts > generate ssh host keys if they are not present. Under such cases, (the first > time the system boots), the system boot just hangs on ssh-keygen which > should not happen. Isn't this serious? I expect the applications to print an > error (report random number not available or timeout) and exit. > > One other interesting thing to notice is that, prngd consumes extraordinary > CPU resources with empty prngd.conf (bug in prngd ???). > > > PID USERNAME TID PRI TEXT STK DATA STATE TIME CPU COMMAND > 78 root 66 17 132K 28K 56K ready 5:32 97.69% prngd Just a shot into the dark: When starting PRNGD, it reads the configuration of external gatherers. (The list is empty, but I don't remember having caught this condition.) After startup, PRNGD will query external gatherers in a tight loop, until enough entropy has been collected. As no external gatherers are defined, it will stay running in the tight loop... I'll have to think about how to catch this special condition: should prngd stop immediately, if no gatherers were configured?
Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus From mouring at etoh.eviladmin.org Wed Jun 19 00:02:17 2002 
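What Hari asks for above, a client that reports failure instead of hanging when prngd has nothing to give, as an added example that is neither OpenSSH's nor prngd's code: a minimal client for the EGD socket protocol prngd speaks (command byte 0x00 asks for the entropy count; 0x02 followed by a count byte asks for that many bytes, and the daemon answers only once its pool has them), with every read bounded by select() so that a daemon stuck in the gatherer loop Lutz describes yields ETIMEDOUT rather than a hung ssh-keygen. The socket path, the timeout values and the socketpair that main() uses as a stand-in for a starved daemon are assumptions.

```c
/* Added example, neither OpenSSH's nor prngd's code: pull seed bytes from an
 * EGD-protocol socket such as prngd's with every wait bounded, so a daemon
 * that can never fill its pool (empty prngd.conf, no gatherers) makes the
 * caller fail instead of hanging ssh-keygen at boot. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

#define EGD_CMD_ENTROPY_COUNT 0x00 /* reply: 4 bytes, big-endian bit count */
#define EGD_CMD_READ_BLOCKING 0x02 /* cmd, n: reply with n bytes once the pool has them */

/* 1 = fd readable, 0 = timeout_ms elapsed, -1 = error. */
static int wait_readable(int fd, int timeout_ms)
{
    for (;;) {
        fd_set r;
        struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
        FD_ZERO(&r);
        FD_SET(fd, &r);
        int rc = select(fd + 1, &r, NULL, NULL, &tv);
        if (rc >= 0 || errno != EINTR)
            return rc;
    }
}

/* Read exactly n bytes; no single wait may exceed timeout_ms. 0, or -1 with errno. */
static int read_exact(int fd, unsigned char *buf, size_t n, int timeout_ms)
{
    size_t done = 0;
    while (done < n) {
        int rc = wait_readable(fd, timeout_ms);
        if (rc == 0) { errno = ETIMEDOUT; return -1; }   /* starved daemon */
        if (rc < 0) return -1;
        ssize_t got = read(fd, buf + done, n - done);
        if (got == 0) { errno = ECONNRESET; return -1; } /* daemon went away */
        if (got < 0) { if (errno == EINTR) continue; return -1; }
        done += (size_t)got;
    }
    return 0;
}

/* Bits of entropy the daemon believes it holds, or -1 with errno set. */
long egd_entropy_bits(int fd, int timeout_ms)
{
    unsigned char cmd = EGD_CMD_ENTROPY_COUNT, rep[4];
    if (write(fd, &cmd, 1) != 1 || read_exact(fd, rep, 4, timeout_ms) != 0)
        return -1;
    return ((long)rep[0] << 24) | ((long)rep[1] << 16) | ((long)rep[2] << 8) | rep[3];
}

/* Blocking read of n (1..255) bytes into out: 0, or -1 with errno set
 * (ETIMEDOUT when the daemon takes the request but never delivers). */
int egd_read_blocking(int fd, unsigned char *out, size_t n, int timeout_ms)
{
    if (n == 0 || n > 255) { errno = EINVAL; return -1; }
    unsigned char cmd[2] = { EGD_CMD_READ_BLOCKING, (unsigned char)n };
    if (write(fd, cmd, 2) != 2)
        return -1;
    return read_exact(fd, out, n, timeout_ms);
}

/* Connect to the daemon's UNIX socket; -1 with errno set on failure. */
int egd_connect(const char *path)
{
    struct sockaddr_un sa;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    if (strlen(path) >= sizeof sa.sun_path) { errno = ENAMETOOLONG; return -1; }
    strcpy(sa.sun_path, path);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd >= 0 && connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        fd = -1;
    }
    return fd;
}

int main(void)
{
    int sv[2], fd;
    unsigned char seed[16];
    /* A socketpair whose other end never answers stands in for a starved prngd. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { perror("socketpair"); return 1; }
    if (egd_read_blocking(sv[0], seed, sizeof seed, 500) < 0)
        fprintf(stderr, "seed: %s (failing, not hanging)\n", strerror(errno));
    /* Against a real daemon; the socket path is an assumption. */
    if ((fd = egd_connect("/var/run/egd-pool")) >= 0) {
        printf("daemon reports %ld bits of entropy\n", egd_entropy_bits(fd, 500));
        close(fd);
    }
    return 0;
}
```

A boot script built on this would see ETIMEDOUT after half a second and can log it and continue instead of stalling the rest of system startup behind ssh-keygen; checking egd_entropy_bits() before requesting seed material gives the same warning one step earlier.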
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 18 Jun 2002 09:02:17 -0500 (CDT) Subject: [PATCH]: auth-passwd.c: Eliminate a Cygwin special case In-Reply-To: <20020618085016.I30892@cygbert.vinschen.de> Message-ID: It's in my mailbox. I'm rewriting part of the auth-passwd.c code to make the #ifdef less hellish. I was waiting for negative feedback on my patch before committing my changes and then yours. - Ben On Tue, 18 Jun 2002, Corinna Vinschen wrote: > Hi, > > did any of the folks with checkin privileges have a look into this? > > Thanks, > Corinna > > On Fri, Jun 14, 2002 at 10:24:27AM +0200, Corinna Vinschen wrote: > > Hi, > > > > as it turned out on the Cygwin mailing list, the special handling > > of empty password in auth-passwd.c when running under Windows NT > > results in problems. > > > > Cause: The authentication method "none" calls auth_password() > > with an empty password. A piece of HAVE_CYGWIN code allows empty > > passwords even if PermitEmptyPasswords is set to "no". This in > > turn results in calling the Windows internal logon routine with > > an invalid password, just because the auth method "none" is > > enabled. > > > > Result: Since many NT systems are set so that a couple of invalid > > logons lock the account, accounts are suddenly locked, even if the > > user never logged on locally. > > > > Solution: Check for PermitEmptyPassword first also on NT systems. > > > > This has the additional advantage that we can drop a snippet of > > Cygwin special code. Fix below. > > > > Corinna > > > > Index: auth-passwd.c > > =================================================================== > > RCS file: /cvs/openssh_cvs/auth-passwd.c,v > > retrieving revision 1.45 > > diff -u -p -r1.45 auth-passwd.c > > --- auth-passwd.c 15 May 2002 15:59:17 -0000 1.45 > > +++ auth-passwd.c 14 Jun 2002 08:15:04 -0000
> > @@ -124,13 +124,6 @@ auth_password(Authctxt *authctxt, const > > if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) > > return 0; > > #endif > > -#ifdef HAVE_CYGWIN > > - /* > > - * Empty password is only possible on NT if the user has _really_ > > - * an empty password and authentication is done, though. > > - */ > > - if (!is_winnt) > > -#endif > > if (*password == '\0' && options.permit_empty_passwd == 0) > > return 0; > > #ifdef KRB5 > > > > -- > > Corinna Vinschen > > Cygwin Developer > > Red Hat, Inc. > > mailto:vinschen at redhat.com > > _______________________________________________ > > openssh-unix-dev at mindrot.org mailing list > > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > -- > Corinna Vinschen > Cygwin Developer > Red Hat, Inc. > mailto:vinschen at redhat.com > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From a.rother at gmx.de Wed Jun 19 04:11:59 2002 
From: a.rother at gmx.de (Andreas Rother) Date: Tue, 18 Jun 2002 20:11:59 +0200 (MEST) Subject: OpenSSH on NetBSD/sparc broken? Message-ID: <3917.1024423919@www52.gmx.net> Hi all! I am trying to build the latest openssh-3.2.3.1 package and get the following errors: bash-2.05# make ===> Configuring for openssh-3.2.3.1 configure: WARNING: If you wanted to set the --build type, don't use --host. If a cross compiler is detected then cross compile mode will be used. checking for sparc--netbsd-gcc... cc cat: stdout: Input/output error checking for C compiler default output... cat: conftest.c: Is a directory configure: error: C compiler cannot create executables *** Error code 77 Stop. *** Error code 1 Stop. When I try to compile the source from scratch, I get the same errors with ./configure. I run NetBSD 1.5.2 on a SparcStation IPX (sun4c) with a self-compiled kernel. The dependencies are ok. Is there anything wrong with the Makefile? Kind regards, Andreas -- GMX - The communication platform on the Internet. http://www.gmx.net From mjs at ams.org Wed Jun 19 04:24:42 2002
From: mjs at ams.org (Matt Studley)
Date: Tue, 18 Jun 2002 14:24:42 -0400 (EDT)
Subject: OpenSSH and Solaris groups
Message-ID: 

I have an odd problem and I was wondering if anyone has ever run into this before. I have a machine running solaris 8, OpenSSH 3.1p1 and OpenSSL 0.9.6c and it has been working fine for quite some time (ssh that is). Today, /etc/system was updated to increase the maximum number of groups from 16 to 32. After the system was rebooted, things seemed to be working as expected, however one of our users who is a member of 21 groups (don't ask) is now unable to log in. Previously the extra groups over 16 were ignored and things were fine, but it seems like now that the system is recognizing membership to these groups ssh is failing. The error that appears in the log file and when connecting to a port running a debugging server reports that getgroups failed with an invalid argument. This is happening from all machines... except one which is the strange thing. If the user connects via ssh from one certain machine, the error still appears in the log file, however the login is successful. Has anyone ever run into something like this before? Any and all advice would be greatly appreciated. Thanks.

sshd[847]: [ID 800047 auth.crit] fatal: getgroups: Invalid argument

Matt Studley
American Mathematical Society
UNIX Sys Admin                        "Quantum Mechanics -
mjs at ams.org                         The dreams that stuff is made of"

From ed at UDel.Edu Wed Jun 19 04:55:27 2002
From: ed at UDel.Edu (Ed Phillips)
Date: Tue, 18 Jun 2002 14:55:27 -0400 (EDT)
Subject: OpenSSH and Solaris groups
In-Reply-To: 
Message-ID: 

NGROUPS_MAX is 16 in /usr/include/limits.h. OpenSSH uses this in its call to getgroups() so EINVAL is the proper error for it to return according to "man getgroups". I have no idea why it works for one machine. You might try changing NGROUPS_MAX to MY_NGROUPS_MAX in the code, and set it to 32 or some larger number.

By the way, how did you change the maximum number of groups in /etc/system? Is this a "documented" feature? It seems like a good number of things would break... scary... ;-)

I feel your pain tho'... we have at least one user with a list of 40+ groups that fluctuates and we occasionally get complaints that the ones he wants to have aren't in the 16 he gets... ;-)

Thanks,

	Ed

On Tue, 18 Jun 2002, Matt Studley wrote:

> Date: Tue, 18 Jun 2002 14:24:42 -0400 (EDT)
> From: Matt Studley
> To: openssh-unix-dev at mindrot.org
> Subject: OpenSSH and Solaris groups
> 
> 
> I have an odd problem and I was wondering if anyone has ever run into this
> before. I have a machine running solaris 8, OpenSSH 3.1p1 and OpenSSL
> 0.9.6c and it has been working fine for quite some time (ssh that is).
> Today, /etc/system was updated to increase the maximum number of groups
> from 16 to 32. After the system was rebooted, things seemed to be working
> as expected, however one of our users who is a member of 21 groups (don't
> ask) is now unable to log in. Previously the extra groups over 16 were
> ignored and things were fine, but it seems like now that the system is
> recognizing membership to these groups ssh is failing. The error that
> appears in the log file and when connecting to a port running a debugging
> server reports that getgroups failed with an invalid argument. This is
> happening from all machines... except one which is the strange thing. If
> the user connects via ssh from one certain machine, the error still
> appears in the log file, however the login is successful. Has anyone ever
> run into something like this before? Any and all advice would be greatly
> appreciated. Thanks.
> 
> sshd[847]: [ID 800047 auth.crit] fatal: getgroups: Invalid argument
> 
> Matt Studley
> American Mathematical Society
> UNIX Sys Admin                        "Quantum Mechanics -
> mjs at ams.org                         The dreams that stuff is made of"
> 
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> 

Ed Phillips                University of Delaware      (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key

From kevin at atomicgears.com Wed Jun 19 05:29:22 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Tue, 18 Jun 2002 12:29:22 -0700
Subject: OpenSSH and Solaris groups
In-Reply-To: 
References: 
Message-ID: <20020618192922.GC1422@jenny.crlsca.adelphia.net>

On Tue, Jun 18, 2002 at 02:24:42PM -0400, Matt Studley wrote:
> I have an odd problem and I was wondering if anyone has ever run into this
> before. I have a machine running solaris 8, OpenSSH 3.1p1 and OpenSSL
> 0.9.6c and it has been working fine for quite some time (ssh that is).
> Today, /etc/system was updated to increase the maximum number of groups
> from 16 to 32. After the system was rebooted, things seemed to be working
> as expected, however one of our users who is a member of 21 groups (don't
> ask) is now unable to log in. Previously the extra groups over 16 were
> ignored and things were fine, but it seems like now that the system is
> recognizing membership to these groups ssh is failing. The error that
> appears in the log file and when connecting to a port running a debugging
> server reports that getgroups failed with an invalid argument. This is
> happening from all machines... except one which is the strange thing. If
> the user connects via ssh from one certain machine, the error still
> appears in the log file, however the login is successful. Has anyone ever
> run into something like this before? Any and all advice would be greatly
> appreciated. Thanks.

it can fail in the client or the server, though i'm less familiar with the UID swapping on the server side. if it's the client, you might try to remove set-uid bit.

i don't remember the version that first had supplementary group handling in uidswap.

we should perhaps use sysconf to get the run-time value. what is the system tunable for ngroups on solaris?
should this work:

[stevesk at scott stevesk]$ getconf _SC_NGROUPS_MAX
getconf: Invalid argument (_SC_NGROUPS_MAX)
[stevesk at scott stevesk]$ getconf -a|grep NGROUPS
NGROUPS_MAX:                    16
_POSIX_NGROUPS_MAX:             0

From kevin at atomicgears.com Wed Jun 19 05:48:42 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Tue, 18 Jun 2002 12:48:42 -0700
Subject: [PATCH]: Eliminate HAVE_CYGWIN (and _UWIN) around calls to setgroups() [was Re: openssh for UWIN]
In-Reply-To: 
References: <20020609194159.GC1822@jenny.crlsca.adelphia.net>
Message-ID: <20020618194842.GD1422@jenny.crlsca.adelphia.net>

On Sun, Jun 09, 2002 at 02:41:25PM -0500, Ben Lindstrom wrote:
> > i think we wanted to move away from "fake-". for now bsd-misc.c
> > makes sense, or perhaps i forgot some discussion on this.
> 
> I'd like to see (and I think Damien also mirrors this belief):
> 
> bsd-*.c  -- Should implement useable correct code.
> fake-*.c -- Should implement faked version for platforms that don't
>             need the feature, but used to keep the code clean
> port-*.c -- Should be platform specific code.

i think a directory grouping is better. what about something like this:

openbsd/
	copies of source from OpenBSD tree with little or no
	modifications that should be kept synced with OpenBSD.

	readpassphrase.c readpassphrase.h
	strlcpy.c strlcpy.h
	tree.h

compat/
	compatibility functions for various platforms; e.g., when a
	function is missing on some platforms or a compatibility
	library that works on multiple platforms.

	getaddrinfo.c getaddrinfo.h
	loginrec.c loginrec.h
	sigact.c sigact.h

platform/
	platform specific code; generally for one-platform.

	auth-sia.c auth-sia.h
	port-aix.c port-aix.h

From dsa0000 at hotmail.com Wed Jun 19 09:46:34 2002
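The Solaris groups thread above (Matt's EINVAL, Ed's NGROUPS_MAX, Kevin's sysconf suggestion) pins the failure down: the getgroups() buffer was sized from the compile-time NGROUPS_MAX (16 in Solaris 8's limits.h), the kernel tunable was raised to 32, and getgroups() returns EINVAL when the array it is handed is smaller than the real group count. Kevin's getconf output shows that his box still reports 16 at run time, so a robust caller cannot rely on sysconf alone; it also has to recover from EINVAL. The block below is an added example written for this page, not OpenSSH's uidswap code; the names groups_limit_hint() and fetch_supplementary_groups() are mine.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Initial buffer size for getgroups(): the run-time limit from
 * sysconf(_SC_NGROUPS_MAX) when it is usable, otherwise the compile-time
 * NGROUPS_MAX from <limits.h> (the 16 that bit the Solaris 8 box above). */
long groups_limit_hint(void)
{
	long n = sysconf(_SC_NGROUPS_MAX);

	if (n <= 0)		/* -1 on error/indeterminate, or a useless 0 */
		n = NGROUPS_MAX;
	return n;
}

/* Read the caller's supplementary group list into a malloc'd array.
 * Returns the number of groups (>= 0) and stores the array in *out, or
 * -1 with errno set on a real failure. Unlike a fixed
 * "gid_t groups[NGROUPS_MAX]", this survives a kernel that allows more
 * groups than the header promised: EINVAL means "buffer too small", and
 * getgroups(0, NULL) tells us the true count so we can grow and retry. */
int fetch_supplementary_groups(gid_t **out)
{
	long cap = groups_limit_hint();

	for (;;) {
		gid_t *buf = calloc((size_t)cap, sizeof(*buf));
		int n;

		if (buf == NULL)
			return -1;
		n = getgroups((int)cap, buf);
		if (n >= 0) {
			*out = buf;
			return n;
		}
		free(buf);
		if (errno != EINVAL)
			return -1;
		n = getgroups(0, NULL);	/* count only, fills nothing */
		if (n < 0)
			return -1;
		cap = n > cap ? n : cap * 2;
	}
}

int main(void)
{
	gid_t *groups;
	int n = fetch_supplementary_groups(&groups);
	int i;

	if (n < 0) {
		perror("getgroups");
		return 1;
	}
	printf("limit hint %ld, %d supplementary group(s):", groups_limit_hint(), n);
	for (i = 0; i < n; i++)
		printf(" %lu", (unsigned long)groups[i]);
	putchar('\n');
	free(groups);
	return 0;
}
```

The retry loop is the part that matters for the case in the thread: on a host whose tunable exceeds what sysconf or the header report, the first call fails with EINVAL exactly as in Matt's log line, and the second call sized from getgroups(0, NULL) succeeds instead of turning the login into a fatal error.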
From: dsa0000 at hotmail.com (dsa main)
Date: Tue, 18 Jun 2002 23:46:34 +0000
Subject: kex_reset_dispatch()
Message-ID: 

Hi All,

kex_reset_dispatch() function is called in kex_setup() function at the start of the key exchange. But kex_reset_dispatch() is called again in kex_finish(). Why is it needed?

Regards
DSA

_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com

From dtucker at zip.com.au Wed Jun 19 14:46:22 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 19 Jun 2002 14:46:22 +1000
Subject: OpenSSH on NetBSD/sparc broken?
References: <3917.1024423919@www52.gmx.net>
Message-ID: <3D100C9E.929EB507@zip.com.au>

Andreas Rother wrote:
> I try to build the latest openssh-3.2.3.1 package and get the following
> errors:
> bash-2.05# make
> ===> Configuring for openssh-3.2.3.1
> configure: WARNING: If you wanted to set the --build type, don't use --host.
> cat: stdout: Input/output error
> checking for C compiler default output... cat: conftest.c: Is a directory

conftest.c is a directory? That's weird!

I don't recognise the output from make. Is that from a port?

> configure: error: C compiler cannot create executables

I suggest you download the vanilla source (eg from ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.2.3p1.tar.gz) and try building from that. If that fails, open a bugzilla bug (http://bugzilla.mindrot.org) and attach a compressed copy of config.log.

3.2.3p1 works for me (NetBSD/sparc 1.5.2 on a SS5) using a vanilla OpenSSH portable tarball.

# uname -a
NetBSD sparc5 1.5.2 NetBSD 1.5.2 (GENERIC) #0: Wed Aug 22 04:33:09 CST 2001     toor at proxima:/usr/src/sys/arch/sparc/compile/GENERIC sparc
# gzip -dc openssh-3.2.3p1.tar.gz |tar xf -
# cd openssh-3.2.3p1
# ./configure
checking for gcc... gcc
checking for C compiler default output... a.out
checking whether the C compiler works... yes
[snip]
# make
[snip]
# file sshd
sshd: ELF 32-bit MSB executable, SPARC, version 1, dynamically linked (uses shared libs), not stripped

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From markus at openbsd.org Wed Jun 19 20:30:47 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 19 Jun 2002 12:30:47 +0200
Subject: kex_reset_dispatch()
In-Reply-To: 
References: 
Message-ID: <20020619103047.GA23956@folly>

rekeying. why do you ask?

On Tue, Jun 18, 2002 at 11:46:34PM +0000, dsa main wrote:
> Hi All,
> 
> kex_reset_dispatch() function is called in kex_setup() function at the
> start of the key exchange. But kex_reset_dispatch() is called again
> in kex_finish(). Why is it needed ?
> 
> Regards
> DSA
> 
> _________________________________________________________________
> Send and receive Hotmail on your mobile device: http://mobile.msn.com
> 
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From dtucker at zip.com.au Wed Jun 19 20:03:26 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 19 Jun 2002 20:03:26 +1000
Subject: NEW: Urgent: OpenSSH_3.0.1p1 disconnects due to bad packet length and corrupted MAC on input.
References: <1024397540.456d3600d-b@home.se>
Message-ID: <3D1056EE.36A4A3FF@zip.com.au>

Daniel Bergman wrote:
> I'm having huge problems with OpenSSH 3.0.1p1, compiled with OpenSSL
> 0.9.6b 9 Jul 2001 and running with prngd_0.9.23, it disconnects unexpectedly
> during client session due to bad packet length and corrupted MAC on input,
> according to debug anyway.

Since that version has at least one potential security problem (2 if it's linked with zlib 1.1.3) and the server appears to be a firewall I'd say an upgrade is in order.

I don't know whether or not the errors you're seeing are indicative of any of these security problems (or attempts to exploit them.)

Anyone else want to comment?

-Daz.

References:
http://www.openbsd.org/advisories/ssh_channelalloc.txt
http://www.gzip.org/zlib/advisory-2002-03-11.txt

From bugzilla-daemon at mindrot.org Thu Jun 20 01:23:31 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 20 Jun 2002 01:23:31 +1000 (EST)
Subject: [Bug 220] sshd fails to read other users authorized_keys over nfs as root
Message-ID: <20020619152331.37B32E8FF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=220

------- Additional Comments From George.Baltz at noaa.gov  2002-06-20 01:23 -------
FWIW, I reported this to IBM Support, and they seem to agree realpath() is broken. I have received a patched libc.a, which in light testing seems to resolve the problem: public key login with perms 770 on ~/.ssh works.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From a.rother at gmx.de Thu Jun 20 18:31:11 2002
From: a.rother at gmx.de (Andreas Rother)
Date: Thu, 20 Jun 2002 10:31:11 +0200 (MEST)
Subject: OpenSSH on NetBSD/sparc broken?
References: <3D100C9E.929EB507@zip.com.au>
Message-ID: <614.1024561871@www27.gmx.net>

> Andreas Rother wrote:
> > I try to build the latest openssh-3.2.3.1 package and get the following
> > errors:
> > bash-2.05# make
> > ===> Configuring for openssh-3.2.3.1
> > configure: WARNING: If you wanted to set the --build type, don't use
> --host.
> > cat: stdout: Input/output error
> > checking for C compiler default output... cat: conftest.c: Is a
> directory
> 
> conftest.c is a directory? That's weird!
> I don't recognise the output from make. Is that from a port?

Yes, it's from the NetBSD security/openssh port.

> I suggest you download the vanilla source (eg from
> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.2.3p1.tar.gz)
> and try building from that.

Well, this works. Sorry for stirring you up!

Thanks for the hint.

Andreas

-- 
GMX - The communications platform on the Internet.
http://www.gmx.net

From bugzilla-daemon at mindrot.org Thu Jun 20 19:11:32 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 20 Jun 2002 19:11:32 +1000 (EST)
Subject: [Bug 280] New: make failed on IRIX - SCM_RIGHTS unknown
Message-ID: <20020620091132.837F1E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=280

           Summary: make failed on IRIX - SCM_RIGHTS unknown
           Product: Portable OpenSSH
           Version: -current
          Platform: MIPS
        OS/Version: IRIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: o-men at gmx.de

I tried to build openssh-3.2.3p1 on IRIX using:

> env CC=cc CFLAGS="-n32 -mips3" LDFLAGS="-n32 -mips3" ./configure
> gmake

This works perfectly well with openssh-3.1p1, but fails for 3.2.3p1:

...
(cd openbsd-compat && make)
cc -n32 -mips3 -I. -I. -I/opt/TWWfsw/libopenssl09//include -I/usr/local/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_PIDDIR=\"/usr/local/etc\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c monitor_fdpass.c
cc-1275 cc: WARNING File = defines.h, Line = 115
  The indicated "typedef" name has already been declared (with same type).

  typedef unsigned int u_int;
                       ^

cc-1275 cc: WARNING File = defines.h, Line = 215
  The indicated "typedef" name has already been declared (with same type).

  typedef unsigned char u_char;
                        ^

cc-1020 cc: ERROR File = monitor_fdpass.c, Line = 58
  The identifier "SCM_RIGHTS" is undefined.

  	cmsg->cmsg_type = SCM_RIGHTS;
  	                  ^

cc-1020 cc: ERROR File = monitor_fdpass.c, Line = 117
  The identifier "SCM_RIGHTS" is undefined.

  	if (cmsg->cmsg_type != SCM_RIGHTS)
  	                       ^

I checked /usr/include/sys/socket.h and found:

...
#ifdef _XOPEN_SOURCE
/* "Socket"-level control message types: */
#define SCM_RIGHTS      0x01            /* access rights (array of int) */
#endif /* _XOPEN_SOURCE */
...
Thus I tried this cc command with an additional -D_XOPEN_SOURCE, but this fails with a lot more (21) errors like:
"ulong is undefined" ... "u_short is undefined" ...

I didn't try gcc yet.

Olaf.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From markus at openbsd.org Thu Jun 20 20:32:18 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 20 Jun 2002 12:32:18 +0200
Subject: kex_reset_dispatch()
In-Reply-To: 
References: 
Message-ID: <20020620103218.GA24649@folly>

On Wed, Jun 19, 2002 at 10:46:15PM +0000, dsa main wrote:
> Hi Mark,
> 
> At the start of the key exchange, kex_reset_dispatch() is called.
> Why is it needed to call it again in kex_finish() because in between I
> could not find at any place the call back functions are removed.
> Sorry if it is a stupid question.

kex_reset_dispatch restores the message dispatch table for rekeying.

> To understand ssh proto version 2.0 better I made a client/server
> interaction diagram. Could you please verify it.

looks ok.

From bugzilla-daemon at mindrot.org Thu Jun 20 21:54:20 2002
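Markus' one-line answer describes a table of per-message handlers that kex_reset_dispatch() puts back to a known baseline. The block below is an added server-side model written for this page, not OpenSSH's kex.c; it assumes the baseline is "every transport-range message is a protocol error except KEXINIT", installs a method-specific handler in kex_setup(), and shows why kex_finish() has to reset again: without that second call the DH handler would stay live after the exchange, whereas the reset leaves only KEXINIT armed, which is exactly what a later rekey needs. Message numbers are the RFC 4253 values; the handler names and the dispatch_message() probe are mine.

```c
#include <stdio.h>
#include <string.h>

/* SSH2 transport-layer message numbers (RFC 4253). */
#define SSH2_MSG_TRANSPORT_MIN	1
#define SSH2_MSG_TRANSPORT_MAX	49
#define SSH2_MSG_KEXINIT	20
#define SSH2_MSG_NEWKEYS	21
#define SSH2_MSG_KEXDH_INIT	30
#define SSH2_MSG_KEXDH_REPLY	31

typedef void (*dispatch_fn)(int type);
static dispatch_fn dispatch[256];	/* handler per message number, NULL = never set */

/* Name of the handler that ran last, so callers can observe the table. */
static const char *last_handler = "none";

static void kex_protocol_error(int type)
{
	last_handler = "protocol_error";
	printf("unexpected message %d outside its key-exchange phase\n", type);
}
static void kex_input_kexinit(int type) { (void)type; last_handler = "kexinit"; }
static void kexdh_server_input(int type) { (void)type; last_handler = "kexdh"; }

static void dispatch_set(int type, dispatch_fn fn) { dispatch[type] = fn; }
static void dispatch_range(int from, int to, dispatch_fn fn)
{
	int i;
	for (i = from; i <= to; i++)
		dispatch[i] = fn;
}

/* Baseline: the whole transport range is a protocol error, except
 * KEXINIT, which is what (re)starts a key exchange. */
void kex_reset_dispatch(void)
{
	dispatch_range(SSH2_MSG_TRANSPORT_MIN, SSH2_MSG_TRANSPORT_MAX, kex_protocol_error);
	dispatch_set(SSH2_MSG_KEXINIT, kex_input_kexinit);
}

/* Start of an exchange: baseline first, then the negotiated method's
 * handler (a server expects KEXDH_INIT) is layered on top. */
void kex_setup(void)
{
	kex_reset_dispatch();
	dispatch_set(SSH2_MSG_KEXDH_INIT, kexdh_server_input);
}

/* End of an exchange: reset again so the method-specific handler is
 * gone, while KEXINIT stays wired up for the next rekey. */
void kex_finish(void)
{
	kex_reset_dispatch();
}

/* Deliver one message through the table and report which handler ran. */
const char *dispatch_message(int type)
{
	if (type < 0 || type > 255 || dispatch[type] == NULL) {
		last_handler = "unhandled";
		return last_handler;
	}
	dispatch[type](type);
	return last_handler;
}

int main(void)
{
	kex_setup();
	printf("during kex, KEXDH_INIT -> %s\n", dispatch_message(SSH2_MSG_KEXDH_INIT));
	kex_finish();
	printf("after kex,  KEXDH_INIT -> %s\n", dispatch_message(SSH2_MSG_KEXDH_INIT));
	printf("after kex,  KEXINIT    -> %s\n", dispatch_message(SSH2_MSG_KEXINIT));
	return 0;
}
```

The defensive value of the second reset is that a stale method handler cannot be reached by a peer sending KEXDH_INIT outside an exchange: after kex_finish() that message is a protocol error again, and only a fresh KEXINIT can open a new exchange.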
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 20 Jun 2002 21:54:20 +1000 (EST)
Subject: [Bug 281] New: unable to authorize with local shadow password
Message-ID: <20020620115420.6034BE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=281

           Summary: unable to authorize with local shadow password
           Product: Portable OpenSSH
           Version: -current
          Platform: MIPS
        OS/Version: IRIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: komanek at natur.cuni.cz

I get compiled OpenSSH 3.2.3p1 on Irix 6.2 with both the following configure options sets. I use shadow passwords, which work fine when logging in via telnet or pop. Using OpenSSH, I can only use the krb4 authentication, local passwords are not accepted.

CC="cc -n32" CFLAGS="-I/usr/local/include -I/usr/include" LDFLAGS="-L/usr/local/lib -L/usr/lib32" ./configure --prefix=/usr/local --with-tcp-wrappers=/usr/local/lib32/libwrap.a --with-ssl-dir=/usr/local/ssl --with-mantype=man --with-kerberos4=/usr/athena --with-afs=/usr/afs --with-zlib=/usr/local/lib32/libz.a --with-rand-helper

CC="cc -n32" CFLAGS="-I/usr/local/include -I/usr/include" LDFLAGS="-L/usr/local/lib -L/usr/lib32" ./configure --prefix=/usr/local --with-tcp-wrappers=/usr/local/lib32/libwrap.a --with-ssl-dir=/usr/local/ssl --with-mantype=man --with-kerberos4=/usr/athena --with-afs=/usr/afs --with-zlib=/usr/local/lib32/libz.a --with-rand-helper --with-md5-passwords

# kdestroy; ssh -v -v -v -1 -l komanek bbs
Tickets destroyed.
OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Applying options for *
debug3: cipher ok: 3des-cbc [3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc]
debug3: cipher ok: blowfish-cbc [3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc]
debug3: cipher ok: cast128-cbc [3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc]
debug3: cipher ok: arcfour [3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc]
debug3: cipher ok: aes128-cbc [3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc]
debug3: ciphers ok: [3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc]
debug1: Seeding random number generator
debug1: restore_uid
debug1: ssh_connect: getuid 0 geteuid 0 anon 0
debug1: Connecting to bbs [195.113.56.251] port 22.
debug1: Allocated local port 1020.
debug1: temporarily_use_uid: 0/1 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /root/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.2.3p1
debug1: match: OpenSSH_3.2.3p1 pat ^OpenSSH
debug1: Local version string SSH-1.5-OpenSSH_3.0.2p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 22
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 22
debug1: Host 'bbs' is known and matches the RSA1 host key.
debug1: Found key in /root/.ssh/known_hosts:22
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying Kerberos v4 authentication.
debug3: Trying to reverse map address 195.113.56.251.
debug1: Kerberos v4 authentication failed.
debug1: Trying RSA authentication with key '/root/.ssh/identity'
debug1: Server refused our key.
debug1: Doing password authentication.
komanek at bbs's password:
Permission denied, please try again.
komanek at bbs's password:
Permission denied, please try again.
komanek at bbs's password:
Permission denied.
debug1: Calling cleanup 0x120052030(0x0)

bbs# /usr/local/sbin/sshd -p 8022 -d -d -d
debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper
debug1: sshd version OpenSSH_3.2.3p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 8022 on 0.0.0.0.
Server listening on 0.0.0.0 port 8022.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 195.113.56.1 port 1022
debug1: Client protocol version 1.5; client software version OpenSSH_3.0.2p1
debug1: match: OpenSSH_3.0.2p1 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
debug1: Local version string SSH-1.99-OpenSSH_3.2.3p1
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: 3des
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug3: allowed_user: today 11858 sp_expire -1 sp_lstchg 11857 sp_max -1
debug1: Attempting authentication for komanek.
debug1: temporarily_use_uid: 112/20 (e=0)
debug1: trying public RSA key file /home/komanek/.ssh/authorized_keys
debug1: restore_uid
Failed rsa for komanek from 195.113.56.1 port 1022
debug1: Kerberos v4 password authentication for komanek failed: Password incorrect
debug1: krb4_cleanup_proc called
Failed password for komanek from 195.113.56.1 port 1022
debug1: Kerberos v4 password authentication for komanek failed: Password incorrect
debug1: krb4_cleanup_proc called
Failed password for komanek from 195.113.56.1 port 1022
debug1: Kerberos v4 password authentication for komanek failed: Password incorrect
debug1: krb4_cleanup_proc called
Failed password for komanek from 195.113.56.1 port 1022
Connection closed by 195.113.56.1
debug1: Calling cleanup 0x1002e2c0(0x101761a0)
debug1: krb4_cleanup_proc called
debug1: Calling cleanup 0x10058020(0x0)

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From dtucker at zip.com.au Fri Jun 21 00:24:01 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 21 Jun 2002 00:24:01 +1000
Subject: OpenSSH on NetBSD/sparc broken?
References: <3D100C9E.929EB507@zip.com.au> <614.1024561871@www27.gmx.net>
Message-ID: <3D11E581.EE78AC02@zip.com.au>

Andreas Rother wrote:
[openssh port build problem]
> Yes, it's from the NetBSD security/openssh port.
> 
> > I suggest you download the vanilla source
> > and try building from that.
> 
> Well, this works. Sorry for stirring you up!

I sup'ped pkgsrc and built from that, which worked too. The only thing I can suggest is that there is some problem with your source tree.

-Daz.

From bugzilla-daemon at mindrot.org Fri Jun 21 10:03:09 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 21 Jun 2002 10:03:09 +1000 (EST)
Subject: [Bug 261] AIX capabilities + port-aix.c cleanup
Message-ID: <20020621000309.573DCE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=261

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From mouring at eviladmin.org  2002-06-21 10:03 -------
Committed fix.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From mouring at etoh.eviladmin.org Fri Jun 21 10:16:35 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 20 Jun 2002 19:16:35 -0500 (CDT)
Subject: [PATCH]: auth-passwd.c: Eliminate a Cygwin special case
In-Reply-To: <20020618085016.I30892@cygbert.vinschen.de>
Message-ID: 

committed.

On Tue, 18 Jun 2002, Corinna Vinschen wrote:

> Hi,
> 
> did anybody of the folks with checkin privileges have a look into this?
> 
> Thanks,
> Corinna
> 
> On Fri, Jun 14, 2002 at 10:24:27AM +0200, Corinna Vinschen wrote:
> > Hi,
> > 
> > as it turned out on the Cygwin mailing list, the special handling
> > of empty password in auth-passwd.c when running under Windows NT
> > results in problems.
> > 
> > Cause: The authentication method "none" calls auth_password()
> > with an empty password. A piece of HAVE_CYGWIN code allows empty
> > passwords even if PermitEmptyPasswords is set to "no". This in
> > turn results in calling the Windows internal logon routine with
> > an invalid password, just because the auth method "none" is
> > enabled.
> > 
> > Result: Since many NT systems are set so that a couple of invalid
> > logons lock the account, accounts are suddenly locked, even if the
> > user never logged on locally.
> > 
> > Solution: Check for PermitEmptyPassword first also on NT systems.
> > 
> > This has the additional advantage that we can drop a snippet of
> > Cygwin special code. Fix below.
> > 
> > Corinna
> > 
> > Index: auth-passwd.c
> > ===================================================================
> > RCS file: /cvs/openssh_cvs/auth-passwd.c,v
> > retrieving revision 1.45
> > diff -u -p -r1.45 auth-passwd.c
> > --- auth-passwd.c 15 May 2002 15:59:17 -0000 1.45
> > +++ auth-passwd.c 14 Jun 2002 08:15:04 -0000
> > @@ -124,13 +124,6 @@ auth_password(Authctxt *authctxt, const > > if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) > > return 0; > > #endif > > -#ifdef HAVE_CYGWIN > > - /* > > - * Empty password is only possible on NT if the user has _really_ > > - * an empty password and authentication is done, though. > > - */ > > - if (!is_winnt) > > -#endif > > if (*password == '\0' && options.permit_empty_passwd == 0) > > return 0; > > #ifdef KRB5 > > > > -- > > Corinna Vinschen > > Cygwin Developer > > Red Hat, Inc. > > mailto:vinschen at redhat.com > > _______________________________________________ > > openssh-unix-dev at mindrot.org mailing list > > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > -- > Corinna Vinschen > Cygwin Developer > Red Hat, Inc. > mailto:vinschen at redhat.com > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From santanu.misra at reuters.com Fri Jun 21 10:29:40 2002 
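Review bot: with the `#ifdef HAVE_CYGWIN` / `if (!is_winnt)` guard gone, check whether `is_winnt` is still referenced anywhere else in auth-passwd.c; if this was its only use, the extern or header that supplied it is now dead and belongs in the same change. The remaining point deserves a sentence in the commit text: `if (*password == '\0' && options.permit_empty_passwd == 0) return 0;` now short-circuits the "none" method's empty-password probe on every platform, which is what stops the NT account lockouts described in the cover note, but when PermitEmptyPasswords is set to yes that probe still reaches the Windows logon routine with an empty password, so the lockout exposure remains for that configuration and administrators of NT hosts should be told so.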
From: santanu.misra at reuters.com (Santanu Misra)
Date: Thu, 20 Jun 2002 17:29:40 -0700
Subject: configure problem --- Can't find recent OpenSSL libcrypto
Message-ID: 

Hello Gurus,

I tried my best as I can to do RTFM and Googling to find any information to solve the problem myself which I failed.

I installed OpenSSL 0.9.6d 9 May 2002 with this option on a Solaris 8 box using Sun Forte6-2

$config solaris64-sparcv9-cc --prefix=/local/santanu/pkg/ssl

Now I am trying to install openssh 3.2.3p1 and getting this error.

configure:8285: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***

I tried

./configure --with-ssl-dir=/local/santanu/pkg/ssl
and
./configure --with-ssl-dir=/local/santanu/pkg/ssl/lib

and then I tried to export LIBRARY_PATH as someone mentioned in the mailing list. No luck yet.

configure:8285: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***

I am not a programmer but after looking details in config.log I found it is giving this error when it looks for symbol 'RAND_add'. But when I do nm on libcrypto I get like this.

/local/santanu/pkg/ssl/lib> nm libcrypto.a | grep -i RAND_add
[27]    |         0|       0|FUNC |GLOB |0    |UNDEF  |RAND_add
[3]     |       248|    1068|FUNC |LOCL |0    |2      |ssleay_rand_add
[25]    |         0|       0|FUNC |GLOB |0    |UNDEF  |RAND_add
[18]    |       360|      68|FUNC |GLOB |0    |2      |RAND_add
[23]    |         0|       0|FUNC |GLOB |0    |UNDEF  |RAND_add
[57]    |         0|       0|FUNC |GLOB |0    |UNDEF  |RAND_add
[96]    |         0|       0|FUNC |GLOB |0    |UNDEF  |RAND_add

Any help will be great. But PLEASE think and read twice my mail before U mention to do RTFM for me.

-Thanks in advance,
Santanu

configure:7846: result: yes
configure:8215: cc -o conftest -g -I/local/santanu/pkg/ssl/include -I/usr/local/include -L/local/santanu/pkg/ssl/lib -R/local/santanu/pkg/ssl/lib -L/usr/local/lib -R/usr/local/lib conftest.c -lz -lsocket -lnsl -lcrypto >&5
Undefined                       first referenced
 symbol                             in file
RAND_add                            conftest.o
ld: fatal: Symbol referencing errors. No output written to conftest
configure:8218: $? = 1
configure: failed program was:
#line 8189 "configure"
#include "confdefs.h"

Santanu Misra                         Email: santanu.misra at reuters.com
Sr. System Administrator              Direct: 650-461-3110
Reuters                               Main: 650-461-3000
3375 Hillview Avenue                  Fax: 650-461-3003
Palo Alto, CA 94304                   WWW: http://www.reuters.com/

From dtucker at zip.com.au Fri Jun 21 11:30:24 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 21 Jun 2002 11:30:24 +1000
Subject: configure problem --- Can't find recent OpenSSL libcrypto
References: 
Message-ID: <3D1281B0.DC875086@zip.com.au>

Santanu Misra wrote:
> I installed OpenSSL 0.9.6d 9 May 2002 with this option on a Solaris 8 box
> using Sun Forte6-2
[snip]
> configure:8285: error: *** Can't find recent OpenSSL libcrypto (see
> config.log for details) ***
[snip]

The last problem of this type I saw was caused because there was an old libcrypto.so and a new libcrypto.a (or vice versa, I forget) in the same ssl/lib directory.

It might be picking up libcrypto from somewhere other than where you expect. Try:
$ find / -name 'libcrypto.*' -print

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From mouring at etoh.eviladmin.org Fri Jun 21 13:02:54 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 20 Jun 2002 22:02:54 -0500 (CDT)
Subject: Testing call.
Message-ID: 

Can I have people test the cvs tree or the next snapshots.

I believe NeXT is still broken (I will try to compile it tonight).

getopts patch will be applied, but I can't find the email address of who sent to me (can you email me off list, thanks).

- Ben

From bugzilla-daemon at mindrot.org Fri Jun 21 16:43:21 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 21 Jun 2002 16:43:21 +1000 (EST)
Subject: [Bug 260] Expanded features in spec file.
Message-ID: <20020621064321.1CFD9E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=260

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org  2002-06-21 16:43 -------
Mostly applied - the new ssh-keysign makes the suid ssh unnecessary

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From vinschen at redhat.com Fri Jun 21 17:07:31 2002
From: vinschen at redhat.com (Corinna Vinschen)
Date: Fri, 21 Jun 2002 09:07:31 +0200
Subject: Testing call.
In-Reply-To: 
References: 
Message-ID: <20020621090731.G22705@cygbert.vinschen.de>

On Thu, Jun 20, 2002 at 10:02:54PM -0500, Ben Lindstrom wrote:
> 
> Can I have people test the cvs tree or the next snapshots.
> 
> I believe NeXT is still broken (I will try to compile it tonight).
> 
> getopts patch will be applied, but I can't find the email address of who
> sent to me (can you email me off list, thanks).

What about the NO_IPPORT_RESERVED_CONCEPT patch? I've sent a revised version on 2002-06-13.

Corinna

-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From barel_bhai at yahoo.com Fri Jun 21 19:22:10 2002
From: barel_bhai at yahoo.com (raam raam)
Date: Fri, 21 Jun 2002 02:22:10 -0700 (PDT)
Subject: Telnet
In-Reply-To: <20020621091440.A67AAE881@shitei.mindrot.org>
Message-ID: <20020621092210.62992.qmail@web20512.mail.yahoo.com>

Hi All

I am new to ssh.

Somebody please tell me how telnet is connected to SSH

Thanks

Barel

__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com

From bugzilla-daemon at mindrot.org Fri Jun 21 21:32:55 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 21 Jun 2002 21:32:55 +1000 (EST)
Subject: [Bug 255] You must "exec" login from the lowest login shell.
Message-ID: <20020621113255.CEB66E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=255

------- Additional Comments From dtucker at zip.com.au  2002-06-21 21:32 -------
Created an attachment (id=115)
Add LOGIN_NEEDS_UTMPX to configure.ac for AIX

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Jun 21 21:36:15 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 21 Jun 2002 21:36:15 +1000 (EST)
Subject: [Bug 255] You must "exec" login from the lowest login shell.
Message-ID: <20020621113615.A9BD5E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=255

------- Additional Comments From dtucker at zip.com.au  2002-06-21 21:36 -------
Confirmed problem still exists in -cvs and goes away with this patch, after
make distprep, configure and rebuild. Tested on AIX 4.3.3 ML 0 only.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Jun 21 23:43:57 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 21 Jun 2002 23:43:57 +1000 (EST)
Subject: [Bug 145] sshd fails to increment AIX login failed counter
Message-ID: <20020621134357.D2814E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=145

------- Additional Comments From dtucker at zip.com.au  2002-06-21 23:43 -------
Created an attachment (id=116)
Merge all previous patches and diff against -cvs

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Jun 21 23:56:05 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 21 Jun 2002 23:56:05 +1000 (EST)
Subject: [Bug 145] sshd fails to increment AIX login failed counter
Message-ID: <20020621135605.1C6B3E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=145

------- Additional Comments From dtucker at zip.com.au  2002-06-21 23:56 -------
I think I get it now: loginfailed() isn't called until the number of failures
for a given child process is greater than AUTH_FAIL_MAX (currently defined as
6). Since ssh gives up after 3 password attempts (plus a couple of
public-key?), loginfailed is never called and the counter is never
incremented. Reconnecting to sshd gives a new child and the count starts
again. Repeat.

I've tested the above patch and confirmed working lockout with it (and lack
thereof without) on AIX 4.3.3 ML0.

The code deleted from auth[12].c was marked with /* XXX: privsep */ but I'm
not sure what this indicates. Clues?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From gwolosh at njit.edu Sat Jun 22 00:03:58 2002
From: gwolosh at njit.edu (Gedaliah Wolosh)
Date: Fri, 21 Jun 2002 10:03:58 -0400 (EDT)
Subject: AFS token passing
Message-ID:

Hi

I was finally able to build openssh with afs support using the kth-kerberos
libraries. I cannot get the token passing to work. I think I am missing
something fundamental in setting this up but I can't seem to find any
documentation. I would greatly appreciate any advice offered.

_________________________________________________________________
Gedaliah Wolosh, Ph.D.                          973 596-5437
New Jersey Institute of Technology              Fax 596-2306
323 King Blvd  GITC 2203                        gwolosh at njit.edu
Newark, NJ 07102

From d-b at home.se Sat Jun 22 01:25:51 2002
From: d-b at home.se (Daniel Bergman)
Date: Fri, 21 Jun 2002 17:25:51 +0200
Subject: Telnet
In-Reply-To: <20020621092210.62992.qmail@web20512.mail.yahoo.com>
References: <20020621092210.62992.qmail@web20512.mail.yahoo.com>
Message-ID: <79134299.1024680351@[172.16.10.11]>

Barel,

It is not! SSH is actually a secure replacement for telnet.

Regards,
Daniel

--On 21 June 2002 02:22 -0700 raam raam wrote:

> Hi All
> 
> I am new to ssh.
> 
> Somebody please tell me how telnet is connected
> to SSH
> 
> Thanks
> 
> Barel
> 
> __________________________________________________
> Do You Yahoo!?
> Yahoo! - Official partner of 2002 FIFA World Cup
> http://fifaworldcup.yahoo.com
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
> 

-- 
Daniel Bergman
Email: d-b at home.se

From mouring at etoh.eviladmin.org Sat Jun 22 01:48:22 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 21 Jun 2002 10:48:22 -0500 (CDT)
Subject: Testing call, ASAP (Re: Testing call)
In-Reply-To: <20020621090731.G22705@cygbert.vinschen.de>
Message-ID:

Corinna,

Sorry, It will have to wait. I'll get it in right after 3.3 release. It
snuck up on me quicker than I expected.

All,

Please, grab a test and let us know any compile issues at this point. I
think I'm limited to less than a 24 hour window.. so PLEASE PLEASE PLEASE
=)

This release will enable PrivSep by default. It should (God willing)
handle platforms w/out mmap(). Linux 2.2 may still be broken since I did
not get around to merging Tim's patch.

- Ben

On Fri, 21 Jun 2002, Corinna Vinschen wrote:

> On Thu, Jun 20, 2002 at 10:02:54PM -0500, Ben Lindstrom wrote:
> >
> > Can I have people test the cvs tree or the next snapshots.
> >
> > I believe NeXT is still broken (I will try to compile it tonight).
> >
> > getopts patch will be applied, but I can't find the email address of who
> > sent to me (can you email me off list, thanks).
>
> What about the NO_IPPORT_RESERVED_CONCEPT patch? I've sent a revised
> version on 2002-06-13.
>
> Corinna
>
> --
> Corinna Vinschen
> Cygwin Developer
> Red Hat, Inc.
> mailto:vinschen at redhat.com
>

From mouring at etoh.eviladmin.org Sat Jun 22 01:51:48 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 21 Jun 2002 10:51:48 -0500 (CDT)
Subject: Testing call, ASAP (Re: Testing call)
In-Reply-To:
Message-ID:

Umm.. Forget it. =) Just try 3.3.

On Fri, 21 Jun 2002, Ben Lindstrom wrote:

>
> Corinna,
>
> Sorry, It will have to wait. I'll get it in right after 3.3 release. It
> snuck up on me quicker than I expected.
>
> All,
>
> Please, grab a test and let us know any compile issues at this point. I
> think I'm limited to less than a 24 hour window.. so PLEASE PLEASE PLEASE
> =)
>
> This release will enable PrivSep by default. It should (God willing)
> handle platforms w/out mmap(). Linux 2.2 may still be broken since I did
> not get around to merging Tim's patch.
>
> - Ben
>
>
> On Fri, 21 Jun 2002, Corinna Vinschen wrote:
>
> > On Thu, Jun 20, 2002 at 10:02:54PM -0500, Ben Lindstrom wrote:
> > >
> > > Can I have people test the cvs tree or the next snapshots.
> > >
> > > I believe NeXT is still broken (I will try to compile it tonight).
> > >
> > > getopts patch will be applied, but I can't find the email address of who
> > > sent to me (can you email me off list, thanks).
> >
> > What about the NO_IPPORT_RESERVED_CONCEPT patch? I've sent a revised
> > version on 2002-06-13.
> >
> > Corinna
> >
> > --
> > Corinna Vinschen
> > Cygwin Developer
> > Red Hat, Inc.
> > mailto:vinschen at redhat.com
> >
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From vinschen at redhat.com Sat Jun 22 02:11:41 2002
From: vinschen at redhat.com (Corinna Vinschen)
Date: Fri, 21 Jun 2002 18:11:41 +0200
Subject: Testing call, ASAP (Re: Testing call)
In-Reply-To:
References:
Message-ID: <20020621181141.O22705@cygbert.vinschen.de>

On Fri, Jun 21, 2002 at 10:51:48AM -0500, Ben Lindstrom wrote:
> 
> Umm.. Forget it. =) Just try 3.3.

I would but...

$ cvs up
ssh: connect to address 157.193.69.9 port 22: Connection timed out
cvs [update aborted]: end of file from server (consult above messages if any)

Corinna

From bugzilla-daemon at mindrot.org Sat Jun 22 02:21:27 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 22 Jun 2002 02:21:27 +1000 (EST)
Subject: [Bug 282] New: ttymodes sent can be invalid
Message-ID: <20020621162127.11542E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=282

           Summary: ttymodes sent can be invalid
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Miscellaneous
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: todd at openbsd.org

I noticed that when logging into a Linux machine with current that there is
a message in the system log:

sshd[21992]: Setting tty modes failed: Invalid argument

After some debugging it came down to the realization that perhaps (thanks
djm@) the modes being sent from OpenBSD are not valid on Linux.

I'm not sure how to resolve this, or if this is a major problem, but it
appears that since the mode settings failed, perhaps something ssh needed
might not be set, or might be set wrong.

I added a log message:

        /* Set the new modes for the terminal. */
        if (tcsetattr(fd, TCSANOW, &tio) == -1) {
                log("Setting tty modes failed: %.100s", strerror(errno));
                log("failed..: %d, %d, %d, %d, %d", fd, tio.c_iflag,
                    tio.c_oflag, tio.c_cflag, tio.c_lflag);
        }

And notice that the system logged the following the next time through:

Setting tty modes failed: Invalid argument
failed..: 10, 1280, 5, 447, 51771

and tried again and only the fd changed:

Setting tty modes failed: Invalid argument
failed..: 8, 1280, 5, 447, 51771

Hopefully this information is useful.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Roumen.Petrov at skalasoft.com Sat Jun 22 02:32:03 2002
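Todd's trace above shows only the failing tcsetattr() and the raw flag words. The C code below is an added example, not code from the bug report or from OpenSSH's own ttymodes.c: it encodes and decodes the SSH "encoded terminal modes" string (the opcode/uint32 list defined in RFC 4254 section 8) for a small subset of flag opcodes, and applies a decoded set to a pty with a read-back check, so a c_cflag that the kernel rejected or quietly dropped is reported instead of assumed to be in effect. The flag subset, the zero-initialised termios structures and the sample byte strings are constructed for illustration; the baud-rate opcodes are deliberately left unhandled.

```c
/* Added example, not OpenSSH code: encode/decode the SSH "encoded terminal
 * modes" string (RFC 4254 section 8) for a subset of flag opcodes, and apply
 * a decoded set to a pty with a read-back check instead of trusting tcsetattr(). */
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <termios.h>
enum { TTY_OP_END = 0 };                     /* terminates the mode string */
enum { F_IFLAG, F_OFLAG, F_CFLAG, F_LFLAG };
/* opcode -> termios field and bit; opcode numbers are RFC 4254's. The baud
 * rate opcodes (128/129) are left out and get skipped like any unknown one. */
static const struct { uint8_t op; int field; tcflag_t bit; } flagmap[] = {
    { 51, F_LFLAG, ICANON }, { 53, F_LFLAG, ECHO },   { 90, F_CFLAG, CS7 },
    { 91, F_CFLAG, CS8 },    { 92, F_CFLAG, PARENB }, { 93, F_CFLAG, PARODD },
};
#define NFLAGS (sizeof flagmap / sizeof flagmap[0])
#define IS_CSIZE_OP(i) (flagmap[i].op == 90 || flagmap[i].op == 91)
static tcflag_t *field(struct termios *t, int f)
{
    return f == F_IFLAG ? &t->c_iflag : f == F_OFLAG ? &t->c_oflag
         : f == F_CFLAG ? &t->c_cflag : &t->c_lflag;
}
/* CS7/CS8 are values of the CSIZE field, not single bits: compare/replace it */
static uint32_t flag_get(const struct termios *t, size_t i)
{
    tcflag_t v = *field((struct termios *)t, flagmap[i].field);
    return IS_CSIZE_OP(i) ? (v & CSIZE) == flagmap[i].bit : (v & flagmap[i].bit) != 0;
}
static void flag_set(struct termios *t, size_t i, uint32_t on)
{
    tcflag_t *v = field(t, flagmap[i].field);
    if (IS_CSIZE_OP(i)) { if (on) *v = (*v & ~(tcflag_t)CSIZE) | flagmap[i].bit; }
    else *v = on ? (*v | flagmap[i].bit) : (*v & ~flagmap[i].bit);
}
static void put_u32(unsigned char *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static uint32_t get_u32(const unsigned char *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
/* Client side: (opcode, uint32 value) pairs ending in TTY_OP_END. Returns bytes
 * written, or 0 if out cannot hold the whole string. */
size_t ttymodes_encode(const struct termios *t, unsigned char *out, size_t cap)
{
    size_t n = 0;
    if (cap < 5 * NFLAGS + 1) return 0;
    for (size_t i = 0; i < NFLAGS; i++) {
        out[n++] = flagmap[i].op;
        put_u32(out + n, flag_get(t, i)); n += 4;
    }
    out[n++] = TTY_OP_END;
    return n;
}
/* Server side: every opcode 1..159 carries a uint32, so unknown ones in that
 * range are skipped; 160..255 are undefined, and a truncated string or one
 * without TTY_OP_END is rejected. Returns 0 on success, -1 on malformed input. */
int ttymodes_decode(const unsigned char *in, size_t len, struct termios *t)
{
    for (size_t p = 0; p < len; ) {
        uint8_t op = in[p++];
        if (op == TTY_OP_END) return 0;
        if (op >= 160 || p + 4 > len) return -1;
        uint32_t arg = get_u32(in + p); p += 4;
        for (size_t i = 0; i < NFLAGS; i++)
            if (flagmap[i].op == op) flag_set(t, i, arg);
    }
    return -1;
}
/* Apply and verify: tcsetattr() can return 0 on a pty while the kernel drops
 * part of c_cflag, so read the modes back and compare the fields that were set. */
int ttymodes_apply(int fd, const struct termios *want)
{
    struct termios got;
    const tcflag_t mask = CSIZE | PARENB | PARODD | CREAD;
    if (tcsetattr(fd, TCSANOW, want) == -1 || tcgetattr(fd, &got) == -1) return -1;
    if ((got.c_cflag & mask) != (want->c_cflag & mask)) { errno = EINVAL; return -1; }
    return 0;
}
/* Self-check on constructed input: a mode set with 8 data bits, even parity
 * and canonical echo must survive encode -> decode, and a PARENB entry cut
 * short must be refused. Returns 1 when both hold, else 0. */
int roundtrip_ok(void)
{
    static const unsigned char cut[] = { 92, 0, 0 };   /* PARENB opcode, value missing */
    struct termios a, b;
    unsigned char buf[64];
    memset(&a, 0, sizeof a); memset(&b, 0, sizeof b);
    a.c_cflag = CS8 | CREAD | PARENB;
    a.c_lflag = ICANON | ECHO;
    size_t n = ttymodes_encode(&a, buf, sizeof buf);
    if (n != 5 * NFLAGS + 1 || ttymodes_decode(buf, n, &b) != 0) return 0;
    if (ttymodes_decode(cut, sizeof cut, &b) != -1) return 0;
    return (b.c_cflag & (CSIZE | PARENB | PARODD)) == (CS8 | PARENB) &&
           (b.c_lflag & (ICANON | ECHO)) == (ICANON | ECHO);
}
```

ttymodes_apply() needs a real pty descriptor and is not exercised by roundtrip_ok(); its point is the comparison after tcgetattr(), which is what turns "the modes were sent" into "the modes are in effect" on the server side.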
From: Roumen.Petrov at skalasoft.com (Roumen.Petrov at skalasoft.com)
Date: Fri, 21 Jun 2002 19:32:03 +0300
Subject: x509 extension new version is out
Message-ID: <3D135503.9050706@skalasoft.com>

Hi All,

Please visit http://satva.skalasoft.com/~rumen/openssh/ to get new version
with support for x509 certificate.

- added authorization by 'Distinguished Name';
- added x509 CA store (new options in sshd_config);
- client certificate is verified against CA certificates in x509 store;
- added shell scripts to create 'Test CA' and test client certificates.

Diffs available for OpenBSD and portable versions.

From mdb at juniper.net Sat Jun 22 02:40:07 2002
From: mdb at juniper.net (Mark D. Baushke)
Date: Fri, 21 Jun 2002 09:40:07 -0700
Subject: Testing call.
In-Reply-To: Mail from Ben Lindstrom dated Thu, 20 Jun 2002 22:02:54 CDT
Message-ID: <200206211640.g5LGe7m60136@merlot.juniper.net>

Hi Ben,

Using the openssh-SNAP-20020621 on Redhat 6.2 Linux (with a 2.2.19 kernel),
I see the following:

# sshd -d -d -d -p 24
debug1: sshd version OpenSSH_3.2.3p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /home/mdb/openssh-SNAP-20020621/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /home/mdb/openssh-SNAP-20020621/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 24 on 0.0.0.0.
Server listening on 0.0.0.0 port 24.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 172.17.28.39 port 1339
debug1: Client protocol version 2.0; client software version OpenSSH_3.0.2
debug1: match: OpenSSH_3.0.2 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.2.3p1
mmap(65536): Invalid argument
debug1: Calling cleanup 0x8067a28(0x0)
#

when I tried to connect to it using an OpenSSH 3.0.2 SSH client.

-- Mark

From mouring at etoh.eviladmin.org Sat Jun 22 02:33:22 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 21 Jun 2002 11:33:22 -0500 (CDT)
Subject: Testing call.
In-Reply-To: <200206211640.g5LGe7m60136@merlot.juniper.net>
Message-ID:

the 2.2 'mmap() is fucked' issue. =) The patch Tim and I were
discussing did not make it in.. so It will be in the next release.

Just set: Compression no in sshd_config and it will be a decent work
around for the moment.

- Ben

On Fri, 21 Jun 2002, Mark D. Baushke wrote:

> Hi Ben,
>
> Using the openssh-SNAP-20020621 on Redhat 6.2 Linux (with a 2.2.19 kernel),
> I see the following:
>
> # sshd -d -d -d -p 24
> debug1: sshd version OpenSSH_3.2.3p1
> debug1: private host key: #0 type 0 RSA1
> debug3: Not a RSA1 key file /home/mdb/openssh-SNAP-20020621/etc/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug3: Not a RSA1 key file /home/mdb/openssh-SNAP-20020621/etc/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #2 type 2 DSA
> socket: Address family not supported by protocol
> debug1: Bind to port 24 on 0.0.0.0.
> Server listening on 0.0.0.0 port 24.
> Generating 768 bit RSA key.
> RSA key generation complete.
> debug1: Server will not fork when running in debugging mode.
> Connection from 172.17.28.39 port 1339
> debug1: Client protocol version 2.0; client software version OpenSSH_3.0.2
> debug1: match: OpenSSH_3.0.2 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-1.99-OpenSSH_3.2.3p1
> mmap(65536): Invalid argument
> debug1: Calling cleanup 0x8067a28(0x0)
> #
>
> when I tried to connect to it using an OpenSSH 3.0.2 SSH client.
>
> -- Mark
>

From mdb at juniper.net Sat Jun 22 02:50:44 2002
From: mdb at juniper.net (Mark D. Baushke)
Date: Fri, 21 Jun 2002 09:50:44 -0700
Subject: Testing call.
In-Reply-To: Mail from Ben Lindstrom dated Fri, 21 Jun 2002 11:33:22 CDT
Message-ID: <200206211650.g5LGoim60716@merlot.juniper.net>

Hi Ben,

>Date: Fri, 21 Jun 2002 11:33:22 -0500 (CDT)
>From: Ben Lindstrom
>
> the 2.2 'mmap() is fucked' issue. =) The patch Tim and I were
>discussing did not make it in.. so It will be in the next release.
>
>Just set: Compression no in sshd_config and it will be a decent work
>around for the moment.
>
>- Ben

Neither putting 'Compression no' in sshd_config nor putting it on the
command line allows the current snapshot to function on a linux 2.2.19
kernel.

% sudo /home/mdb/openssh-SNAP-20020621/sbin/sshd -d -d -d -p 24 -o 'Compression no'
debug1: sshd version OpenSSH_3.2.3p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /home/mdb/openssh-SNAP-20020621/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /home/mdb/openssh-SNAP-20020621/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 24 on 0.0.0.0.
Server listening on 0.0.0.0 port 24.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 3322
debug1: Client protocol version 2.0; client software version OpenSSH_3.2.3p1
debug1: match: OpenSSH_3.2.3p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.2.3p1
mmap(65536): Invalid argument
debug1: Calling cleanup 0x8067a28(0x0)
%

From mouring at etoh.eviladmin.org Sat Jun 22 02:44:14 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 21 Jun 2002 11:44:14 -0500 (CDT)
Subject: Testing call.
In-Reply-To: <200206211650.g5LGoim60716@merlot.juniper.net>
Message-ID:

Look at the 3.3 release instead of the snapshot.

On Fri, 21 Jun 2002, Mark D. Baushke wrote:

> Hi Ben,
>
> >Date: Fri, 21 Jun 2002 11:33:22 -0500 (CDT)
> >From: Ben Lindstrom
> >
> > the 2.2 'mmap() is fucked' issue. =) The patch Tim and I were
> >discussing did not make it in.. so It will be in the next release.
> >
> >Just set: Compression no in sshd_config and it will be a decent work
> >around for the moment.
> >
> >- Ben
>
> Neither putting 'Compression no' in sshd_config nor putting it on the
> command line allows the current snapshot to function on a linux 2.2.19
> kernel.
>
> % sudo /home/mdb/openssh-SNAP-20020621/sbin/sshd -d -d -d -p 24 -o 'Compression no'
> debug1: sshd version OpenSSH_3.2.3p1
> debug1: private host key: #0 type 0 RSA1
> debug3: Not a RSA1 key file /home/mdb/openssh-SNAP-20020621/etc/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug3: Not a RSA1 key file /home/mdb/openssh-SNAP-20020621/etc/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #2 type 2 DSA
> socket: Address family not supported by protocol
> debug1: Bind to port 24 on 0.0.0.0.
> Server listening on 0.0.0.0 port 24.
> Generating 768 bit RSA key.
> RSA key generation complete.
> debug1: Server will not fork when running in debugging mode.
> Connection from 127.0.0.1 port 3322
> debug1: Client protocol version 2.0; client software version OpenSSH_3.2.3p1
> debug1: match: OpenSSH_3.2.3p1 pat OpenSSH*
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-1.99-OpenSSH_3.2.3p1
> mmap(65536): Invalid argument
> debug1: Calling cleanup 0x8067a28(0x0)
> %
>

From theo at markettos.org.uk Sat Jun 22 03:26:37 2002
From: theo at markettos.org.uk (Theo Markettos)
Date: Fri, 21 Jun 2002 18:26:37 +0100 (BST)
Subject: known_hosts file format
Message-ID:

Is there something that defines the .ssh/known_hosts file format anywhere?
I'm writing an ssh client for another platform (where OpenSSH doesn't port
very well), and I'd like to keep the known_hosts file the same format so it
is interchangeable with other clients. Is hostfile.c the only documentation
around? Is this format likely to be stable?

Thanks,
Theo

From santanu.misra at reuters.com Sat Jun 22 04:27:48 2002
From: santanu.misra at reuters.com (Santanu Misra)
Date: Fri, 21 Jun 2002 11:27:48 -0700
Subject: configure problem --- Can't find recent OpenSSL libcrypto
Message-ID:

Hi,

Thanks for the input. I do not see any libcrypto.so so I tried libcrypt*.*
and this is the result. Does it make any sense?

woola# find / -name 'libcrypt*.*' -print
/usr/lib/sparcv9/libcrypt_i.so
/usr/lib/sparcv9/libcrypt_i.so.1
/usr/lib/libcrypt_i.so
/usr/lib/libcrypt_i.so.1
/usr/lib/libcrypt.so
/usr/lib/libcrypt.so.1
/usr/lib/libcrypt_i.a
/usr/lib/libcrypt.a
/usr/lib/libcrypto.a
/usr/share/man/sman3lib/libcrypt.3lib
/local/santanu/pkg/ssl/lib/libcrypto.a
/local/santanu/openssl-0.9.6d/libcrypto.a

-Regards,
Santanu

-----Original Message-----
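Returning to Theo Markettos's known_hosts question above: the line format is today documented in sshd(8) rather than only in hostfile.c. The C code below is an added example, not OpenSSH's hostfile.c, written against that documented format: a line is optional `@marker`, then a comma-separated list of host patterns (with `*` and `?` wildcards, `!` negation and the `[host]:port` form for non-standard ports, or a `|1|salt|hash` hashed host), then the key type, the base64 key and an optional comment. The hashed-host and `@marker` forms postdate this thread. The sample lines used in the self-checks are constructed and their key blobs are placeholders, not real keys; hashed entries are recognised but not matched, since that needs HMAC-SHA1 over the host name, which this example does not implement.

```c
/* Added example, not OpenSSH's hostfile.c: parser and host matcher for the
 * known_hosts line format as documented in sshd(8). Sample lines used with
 * it are constructed; the key blobs are placeholders, not real keys. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
struct known_host {
    char marker[32];    /* "" or the word after '@' (e.g. "revoked") */
    char hosts[512];    /* comma-separated host patterns, or |1|salt|hash */
    char keytype[64];   /* e.g. ssh-rsa */
    char key[2048];     /* base64 blob, not decoded here */
    int hashed;         /* 1 if the host field is a hashed entry */
};
/* Copy the next whitespace-delimited token of *s into dst; 0 if none is left
 * or it does not fit. */
static int next_token(const char **s, char *dst, size_t cap)
{
    const char *p = *s + strspn(*s, " \t");
    size_t n = strcspn(p, " \t\r\n");
    if (n == 0 || n >= cap) return 0;
    memcpy(dst, p, n);
    dst[n] = '\0';
    *s = p + n;
    return 1;
}
/* 0 = parsed, -1 = blank line or comment, -2 = malformed (missing field) */
int known_hosts_parse(const char *line, struct known_host *kh)
{
    const char *s = line + strspn(line, " \t");
    char tok[64];
    memset(kh, 0, sizeof *kh);
    if (*s == '\0' || *s == '#' || *s == '\n') return -1;
    if (*s == '@') {
        if (!next_token(&s, tok, sizeof tok)) return -2;
        snprintf(kh->marker, sizeof kh->marker, "%s", tok + 1);
    }
    if (!next_token(&s, kh->hosts, sizeof kh->hosts) ||
        !next_token(&s, kh->keytype, sizeof kh->keytype) ||
        !next_token(&s, kh->key, sizeof kh->key)) return -2;
    kh->hashed = strncmp(kh->hosts, "|1|", 3) == 0;
    return 0;
}
/* Case-insensitive glob with '*' and '?', the wildcards host patterns allow. */
static int glob_match(const char *pat, const char *s)
{
    for (; *pat; pat++, s++) {
        if (*pat == '*') {
            while (*pat == '*') pat++;
            if (*pat == '\0') return 1;
            for (; *s; s++)
                if (glob_match(pat, s)) return 1;
            return 0;
        }
        if (*s == '\0' || (*pat != '?' &&
            tolower((unsigned char)*pat) != tolower((unsigned char)*s))) return 0;
    }
    return *s == '\0';
}
/* One pattern against host:port. "[host]:port" carries an explicit port; a
 * bare pattern implies port 22. */
static int pattern_match(const char *pat, const char *host, int port)
{
    char inner[256];
    int pport = 22;
    if (pat[0] == '[') {
        const char *close = strchr(pat, ']');
        size_t n = close ? (size_t)(close - pat - 1) : 0;
        if (close == NULL || close[1] != ':' || n >= sizeof inner) return 0;
        memcpy(inner, pat + 1, n);
        inner[n] = '\0';
        if (sscanf(close + 2, "%d", &pport) != 1) return 0;
        pat = inner;
    }
    return pport == port && glob_match(pat, host);
}
/* Walk the comma-separated list. A pattern starting with '!' negates: if it
 * matches, the entry does not apply at all. Hashed entries would need HMAC-SHA1
 * over the host with the stored salt, not implemented here, so they never match.
 * Returns 1 if the entry applies to host:port, else 0. */
int known_host_matches(const struct known_host *kh, const char *host, int port)
{
    const char *p = kh->hosts;
    int matched = 0;
    if (kh->hashed) return 0;
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t n = comma ? (size_t)(comma - p) : strlen(p);
        char one[256];
        if (n == 0 || n >= sizeof one) return 0;
        memcpy(one, p, n);
        one[n] = '\0';
        if (one[0] == '!' && pattern_match(one + 1, host, port)) return 0;
        if (one[0] != '!' && pattern_match(one, host, port)) matched = 1;
        p += n + (comma ? 1 : 0);
    }
    return matched;
}
/* Parse one line and match it: -2/-1 as from known_hosts_parse, else 0 or 1. */
int sample_match(const char *line, const char *host, int port)
{
    struct known_host kh;
    int rc = known_hosts_parse(line, &kh);
    return rc < 0 ? rc : known_host_matches(&kh, host, port);
}
/* 1 if the line parses as a hashed entry, 0 otherwise. */
int sample_hashed(const char *line)
{
    struct known_host kh;
    return known_hosts_parse(line, &kh) == 0 && kh.hashed;
}
```

A client that wants to stay interchangeable should treat the marker and the hashed form as part of the format even if it never writes them itself, and should refuse (return -2 here) rather than guess on a line with too few fields.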
From: Darren Tucker [mailto:dtucker at zip.com.au]
Sent: Thursday, June 20, 2002 6:30 PM
To: Santanu Misra
Cc: 'openssh-unix-dev at mindrot.org'
Subject: Re: configure problem --- Can't find recent OpenSSL libcrypto

Santanu Misra wrote:
> I installed OpenSSL 0.9.6d 9 May 2002 with this option on a Solaris 8 box
> using Sun Forte6-2
[snip]
> configure:8285: error: *** Can't find recent OpenSSL libcrypto (see
> config.log for details) ***
[snip]

The last problem of this type I saw was caused because there was an old
libcrypto.so and a new libcrypto.a (or vice versa, I forget) in the same
ssl/lib directory.

It might be picking up libcrypto from somewhere other than where you
expect. Try:

$ find / -name 'libcrypto.*' -print

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From markus at openbsd.org Sat Jun 22 05:50:58 2002
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 21 Jun 2002 21:50:58 +0200
Subject: OpenSSH 3.3 released
Message-ID: <20020621195058.GA29426@folly>

OpenSSH 3.3 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support and encouragement.

Changes since OpenSSH 3.2.3:
============================

Security Changes:
=================

- improved support for privilege separation:

  privilege separation is now enabled by default

  See UsePrivilegeSeparation in sshd_config(5) and
  http://www.citi.umich.edu/u/provos/ssh/privsep.html
  for more information.

- ssh no longer needs to be installed setuid root for protocol
  version 2 hostbased authentication, see ssh-keysign(8).
  protocol version 1 rhosts-rsa authentication still requires
  privileges and is not recommended.

Other Changes:
==============

- documentation for the client and server configuration options
  have been moved to ssh_config(5) and sshd_config(5).
- the server now supports the Compression option, see sshd_config(5).
- the client options RhostsRSAAuthentication and RhostsAuthentication
  now default to no, see ssh_config(5).
- the client options FallBackToRsh and UseRsh are deprecated.
- ssh-agent now supports locking and timeouts for keys, see ssh-add(1).
- ssh-agent can now bind to unix-domain sockets given on the
  command line, see ssh-agent(1).
- fixes problems with valid RSA signatures from putty clients.

Reporting Bugs:
===============

- please read http://www.openssh.com/report.html
  and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.

From bugzilla-daemon at mindrot.org Sat Jun 22 06:15:46 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 22 Jun 2002 06:15:46 +1000 (EST)
Subject: [Bug 282] ttymodes sent can be invalid
Message-ID: <20020621201546.D065CE8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=282

------- Additional Comments From stevesk at pobox.com  2002-06-22 06:15 -------
what kernel and glibc version?

try with "stty -parenb" on client side.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From vinschen at redhat.com Sat Jun 22 06:23:30 2002
From: vinschen at redhat.com (Corinna Vinschen)
Date: Fri, 21 Jun 2002 22:23:30 +0200
Subject: OpenSSH 3.3 released
In-Reply-To: <20020621195058.GA29426@folly>
References: <20020621195058.GA29426@folly>
Message-ID: <20020621222330.P22705@cygbert.vinschen.de>

On Fri, Jun 21, 2002 at 09:50:58PM +0200, Markus Friedl wrote:
> OpenSSH 3.3 has just been released. It will be available from the
> mirrors listed at http://www.openssh.com/ shortly.

Markus, why is the test frame that short? I didn't even have a chance
to try the today's cvs version since I'm (still) getting connection
timeouts when trying to access the repository.

Can't we have at least two or three days for testing before a new
release?

Corinna

-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From bugzilla-daemon at mindrot.org Sat Jun 22 06:43:12 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 22 Jun 2002 06:43:12 +1000 (EST)
Subject: [Bug 282] ttymodes sent can be invalid
Message-ID: <20020621204312.90564E8FF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=282

------- Additional Comments From todd at openbsd.org  2002-06-22 06:43 -------
Client is OpenBSD, server is Linux.

Using 'stty -parenb' on OpenBSD this does not log the problem on the Linux
server.

todd at cvis1:~> rpm -qa | egrep "glibc-2|^k_"
k_deflt-2.4.10-12
glibc-2.2.4-64
todd at cvis1:~>

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From prj at po.cwru.edu Sat Jun 22 06:47:08 2002
From: prj at po.cwru.edu (Paul Jarc)
Date: Fri, 21 Jun 2002 16:47:08 -0400
Subject: sshd initially ignores -e (log_stderr) if -i (inetd_flag) is given
Message-ID:

A non-text attachment was scrubbed...
Name: sshd-stderr.patch
Type: text/x-patch
Size: 424 bytes
Desc: make sshd honor -e even with -i
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020621/b29eef76/attachment.bin

From carson at taltos.org Sat Jun 22 07:34:26 2002
From: carson at taltos.org (Carson Gaspar)
Date: Fri, 21 Jun 2002 17:34:26 -0400
Subject: configure problem --- Can't find recent OpenSSL libcrypto
In-Reply-To:
References:
Message-ID: <583066078.1024680866@[192.168.0.2]>

--On Thursday, June 20, 2002 5:29 PM -0700 Santanu Misra wrote:

> $config solaris64-sparcv9-cc --prefix=/local/santanu/pkg/ssl

This generates a 64-bit OpenSSL library

> configure:7846: result: yes
> configure:8215: cc -o conftest -g -I/local/santanu/pkg/ssl/include
> -I/usr/local/include -L/local/santanu/pkg/ssl/lib -R/lo
> cal/santanu/pkg/ssl/lib -L/usr/local/lib -R/usr/local/lib conftest.c -lz
> -lsocket -lnsl -lcrypto >&5
> Undefined                       first referenced
>  symbol                             in file
> RAND_add                            conftest.o
> ld: fatal: Symbol referencing errors. No output written to conftest

This is looking for a 32-bit OpenSSL library (note the lack of 64-bit
options for cc). You may not mix 64-bit and 32-bit objects in Solaris. You
must either:

- Compile OpenSSL in 32-bit mode

or

- Add the appropriate 64-bit options to CPPFLAGS when compiling OpenSSH.

-- 
Carson

From mouring at etoh.eviladmin.org Sat Jun 22 07:27:52 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 21 Jun 2002 16:27:52 -0500 (CDT)
Subject: configure problem --- Can't find recent OpenSSL libcrypto
In-Reply-To: <583066078.1024680866@[192.168.0.2]>
Message-ID:

[..]
> - Compile OpenSSL in 32-bit mode
>
> or
>
> - Add the appropriate 64-bit options to CPPFLAGS when compiling OpenSSH.
>

And 64bit + OpenBSD == utmp issues last I checked and it should be avoided.

- Ben

From bugzilla-daemon at mindrot.org Sat Jun 22 07:51:23 2002
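Carson's diagnosis above (a 64-bit libcrypto found by a 32-bit link) can be confirmed directly on the files that `find` turned up, before touching CPPFLAGS. The C program below is an added example, not from the thread, from OpenSSH or from OpenSSL: it reads the EI_CLASS byte of the ELF identification (byte 4, 1 for 32-bit and 2 for 64-bit) from a shared object, and for a static archive such as libcrypto.a walks the ar(1) members past the symbol table until it finds the first ELF object. The sample writers construct fake files at caller-supplied paths (the /tmp paths in the self-checks are assumed) so the logic can be tried without a real library.

```c
/* Added example, not from the thread: tell a 32-bit ELF library from a 64-bit
 * one by reading EI_CLASS (byte 4 of the ELF identification), both for plain
 * .so files and for the object members inside a static .a archive. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 32 or 64 for an ELF identification, 0 if the bytes are not an ELF header */
static int ident_class(const unsigned char *id, size_t n)
{
    if (n < 5 || memcmp(id, "\177ELF", 4) != 0) return 0;
    return id[4] == 1 ? 32 : id[4] == 2 ? 64 : 0;
}

/* Class of a plain ELF file (shared object, executable, .o):
 * 32, 64, 0 (not ELF) or -1 (cannot open). */
int elf_class(const char *path)
{
    unsigned char id[16];
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;
    size_t n = fread(id, 1, sizeof id, f);
    fclose(f);
    return ident_class(id, n);
}

/* Class of the first ELF member in an ar(1) archive ("!<arch>\n" format). The
 * leading symbol table member is not ELF, so members are walked until one
 * starts with an ELF identification. 32, 64, 0 (no ELF member or not an
 * archive) or -1 (cannot open). */
int archive_elf_class(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;
    char magic[8], hdr[60], sizebuf[11];
    int result = 0;
    if (fread(magic, 1, 8, f) == 8 && memcmp(magic, "!<arch>\n", 8) == 0) {
        /* member header: name[16] date[12] uid[6] gid[6] mode[8] size[10] "`\n" */
        while (fread(hdr, 1, 60, f) == 60 && memcmp(hdr + 58, "`\n", 2) == 0) {
            memcpy(sizebuf, hdr + 48, 10);
            sizebuf[10] = '\0';
            long size = strtol(sizebuf, NULL, 10);
            long start = ftell(f);
            unsigned char id[16];
            result = ident_class(id, fread(id, 1, sizeof id, f));
            if (result != 0 || size < 0) break;
            /* member data is padded to an even byte boundary */
            if (fseek(f, start + size + (size & 1), SEEK_SET) != 0) break;
        }
    }
    fclose(f);
    return result;
}

/* Constructed sample files (not real libraries) so the checks can be tried
 * offline: a bare 16-byte ELF identification of the requested class. */
static void write_ident(FILE *f, int bits)
{
    unsigned char id[16] = { 0x7f, 'E', 'L', 'F', bits == 64 ? 2 : 1, 1, 1 };
    fwrite(id, 1, sizeof id, f);
}

/* Write a fake .so of the given class to path and return elf_class(path). */
int sample_object_class(const char *path, int bits)
{
    FILE *f = fopen(path, "wb");
    if (f == NULL) return -1;
    write_ident(f, bits);
    fclose(f);
    return elf_class(path);
}

/* Write a fake .a (a 4-byte symbol-table stub followed by one ELF member of
 * the given class) to path and return archive_elf_class(path). */
int sample_archive_class(const char *path, int bits)
{
    FILE *f = fopen(path, "wb");
    if (f == NULL) return -1;
    fputs("!<arch>\n", f);
    fprintf(f, "%-16s%-12s%-6s%-6s%-8s%-10ld`\n", "/", "0", "0", "0", "0", 4L);
    fwrite("\0\0\0\0", 1, 4, f);
    fprintf(f, "%-16s%-12s%-6s%-6s%-8s%-10ld`\n", "crypto.o/", "0", "0", "0", "644", 16L);
    write_ident(f, bits);
    fclose(f);
    return archive_elf_class(path);
}

/* Stand-alone use: elfclass /local/santanu/pkg/ssl/lib/libcrypto.a ... */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int c = elf_class(argv[i]);
        if (c == 0) c = archive_elf_class(argv[i]);
        printf("%s: %s\n", argv[i], c == 64 ? "64-bit ELF" : c == 32 ? "32-bit ELF"
                                  : c == 0 ? "not ELF" : "cannot open");
    }
    return 0;
}
```

`file(1)` reports the same class on Solaris and Linux; the program shows what that report keys on, and running it over every libcrypto path from the `find` output tells you which copy configure's 32-bit `cc` line could link against.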
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 22 Jun 2002 07:51:23 +1000 (EST)
Subject: [Bug 283] New: UsePrivilegeSeparation fails on AIX, Couldn't set usrinfo:
Message-ID: <20020621215123.B0EA8E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=283

           Summary: UsePrivilegeSeparation fails on AIX, Couldn't set usrinfo:
           Product: Portable OpenSSH
           Version: -current
          Platform: PPC
        OS/Version: AIX
            Status: NEW
          Severity: major
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: janfrode at parallab.uib.no

OpenSSH 3.3p1 fails on AIX5.1 with UsePrivilegeSeparation enabled. If the
server is running with '-d' the client prints /etc/motd and then dies with
the message:

Couldn't set usrinfo: Operation not permitted.
debug1: Calling cleanup 0x2002a5ec(0x20032b58)
debug1: Calling cleanup 0x2002a430(0x0)
Connection to en closed by remote host.
Connection to en closed.

Commenting out:

        if (usrinfo(SETUINFO, cp, i) == -1)
                fatal("Couldn't set usrinfo: %s", strerror(errno));

from openbsd-compat/port-aix.c

The man-page for usrinfo() states that:

"EPERM The Command parameter is set to SETUINFO, and the calling process
does not have root user authority."

so I'm guessing the privilege separated OpenSSH tries to call this as a
normal user (or the sshd user?).

-jf

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Jun 22 07:59:14 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 22 Jun 2002 07:59:14 +1000 (EST)
Subject: [Bug 282] ttymodes sent can be invalid
Message-ID: <20020621215914.AF32BE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=282

------- Additional Comments From stevesk at pobox.com  2002-06-22 07:59 -------
can a glibc/linux person look at sysdeps/unix/sysv/linux/tcsetattr.c and
debug this?

this code is interesting:

  if (retval == 0 && cmd == TCSETS)
    {
      /* The Linux kernel has a bug which silently ignore the invalid
         c_cflag on pty. We have to check it here.  */

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Jun 22 09:00:08 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 22 Jun 2002 09:00:08 +1000 (EST)
Subject: [Bug 283] UsePrivilegeSeparation fails on AIX, Couldn't set usrinfo:
Message-ID: <20020621230008.B66ADE8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=283

------- Additional Comments From janfrode at parallab.uib.no  2002-06-22 09:00 -------
hmm, I lost part of a sentence there.. I meant to say that commenting out:

        if (usrinfo(SETUINFO, cp, i) == -1)
                fatal("Couldn't set usrinfo: %s", strerror(errno));

from openbsd-compat/port-aix.c makes sshd function with
UsePrivilegeSeparation enabled.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Jun 22 10:17:27 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 22 Jun 2002 10:17:27 +1000 (EST)
Subject: [Bug 283] UsePrivilegeSeparation fails on AIX, Couldn't set usrinfo:
Message-ID: <20020622001727.DD882E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=283

------- Additional Comments From mouring at eviladmin.org  2002-06-22 10:17 -------
Can I get a manpage for usrinfo() ?  I know I've seen it before but I have to
see why we are doing it and what privsep stuff that may have to be wrapped
around it.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From dtucker at zip.com.au Sat Jun 22 11:42:34 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 22 Jun 2002 11:42:34 +1000
Subject: ssh-agent build failure on AIX
Message-ID: <3D13D60A.73009DCD@zip.com.au>

Hello All,
I've just attempted to build from -cvs on AIX and get the following:

$ gcc [snip] -c ssh-agent.c
ssh-agent.c: In function `main':
ssh-agent.c:975: `BSDoptarg' undeclared (first use in this function)
ssh-agent.c:975: (Each undeclared identifier is reported only once
ssh-agent.c:975: for each function it appears in.)
make: 1254-004 The error code from the last command is 1.

Adding "extern char *BSDoptarg;" to ssh-agent.c allows the build to
complete.

-Daz.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From mouring at etoh.eviladmin.org Sat Jun 22 13:05:01 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 21 Jun 2002 22:05:01 -0500 (CDT)
Subject: ssh-agent build failure on AIX
In-Reply-To: <3D13D60A.73009DCD@zip.com.au>
Message-ID:

do you have HAVE_GETOPT_OPTRESET or HAVE_GETOPT set?

- Ben

On Sat, 22 Jun 2002, Darren Tucker wrote:

> Hello All,
> I've just attempted to build from -cvs on AIX and get the following:
>
> $ gcc [snip] -c ssh-agent.c
> ssh-agent.c: In function `main':
> ssh-agent.c:975: `BSDoptarg' undeclared (first use in this function)
> ssh-agent.c:975: (Each undeclared identifier is reported only once
> ssh-agent.c:975: for each function it appears in.)
> make: 1254-004 The error code from the last command is 1.
>
> Adding "extern char *BSDoptarg;" to ssh-agent.c allows the build to
> complete.
>
> -Daz.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From dtucker at zip.com.au Sat Jun 22 14:12:49 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 22 Jun 2002 14:12:49 +1000
Subject: ssh-agent build failure on AIX
References:
Message-ID: <3D13F941.4E83CD64@zip.com.au>

Ben Lindstrom wrote:
> On Sat, 22 Jun 2002, Darren Tucker wrote:
> > I've just attempted to build from -cvs on AIX and get the following:
> > ssh-agent.c:975: `BSDoptarg' undeclared (first use in this function)
>
> do you have HAVE_GETOPT_OPTRESET or HAVE_GETOPT set?

Yes, HAVE_GETOPT is defined. I did a make distprep, ./configure and make. It's vanilla -cvs current. (I just checked and rebuilt, same result).

-Daz.

$ grep HAVE_GETOPT config.h
/* #undef HAVE_GETOPT_OPTRESET */
#define HAVE_GETOPT 1
/* #undef HAVE_GETOPT_H */

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From cmadams at hiwaay.net Sat Jun 22 14:17:50 2002
From: cmadams at hiwaay.net (Chris Adams)
Date: Fri, 21 Jun 2002 23:17:50 -0500
Subject: OpenSSH 3.3 released
In-Reply-To: <20020621195058.GA29426@folly>; from markus@openbsd.org on Fri, Jun 21, 2002 at 09:50:58PM +0200
References: <20020621195058.GA29426@folly>
Message-ID: <20020621231750.C99283@hiwaay.net>

Once upon a time, Markus Friedl said:
> Security Changes:
> =================
>
> - improved support for privilege separation:
>
> privilege separation is now enabled by default

I'm (finally!) looking at privsep and Tru64 Unix (with HAVE_OSF_SIA enabled), and I'm not sure I can see how it will work. The problem is in auth-sia.c session_setup_sia().

The sia_ses_estab() call has to run as root because in enhanced security mode it checks the protected password database to make sure the account is not expired, locked, etc., and updates the database with last successful login. However, it also sets things like resource limits for the child process.

The sia_ses_launch() call has to run as root as well because it generates audit records and has to run in the child because it sets the effective user and group IDs.

Is this possible to do with privilege separation?
--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From dtucker at zip.com.au Sat Jun 22 14:28:00 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 22 Jun 2002 14:28:00 +1000
Subject: AIX Package build update.
Message-ID: <3D13FCD0.92228D6D@zip.com.au>

Hello All,
I've updated the AIX package builder (contrib/aix/buildbff.sh). The changes are below. Please review and commit if OK.

First, a question: Does anyone want SRC (System Resource Controller) support in the packages? I don't use it but I've been sent an example of how to do it without modifying sshd itself.

Onto the changes:

* Supports PrivSep. Postinstall will create privsep user, group and directory if necessary.
  NOTE: 3.3p1 has a problem with PrivSep on AIX (bugids 270 & 283). Until this is fixed I recommend you add "UsePrivilegeSeparation no" to $srcdir/sshd_config before creating packages and to any systems you upgrade.
* Supports config.local settings (based on Solaris buildpkg).
* Now runs in build dir, same as buildpkg. Running in contrib/aix still works.
* Prints a pointer to LICENCE rather than entire text during install. Includes LICENCE & README's in package.
* Package version generation now handles missing "p" (ie "3.3").
* Minor fixes (typos, comments).

The patch (against 3.3p1) can be had from:
http://www.zip.com.au/~dtucker/openssh/openssh-3.3p1-aixbff.patch

It has been tested on AIX 4.2.1 and 4.3.3.

-Daz.

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From mouring at etoh.eviladmin.org Sat Jun 22 14:22:04 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 21 Jun 2002 23:22:04 -0500 (CDT)
Subject: ssh-agent build failure on AIX
In-Reply-To: <3D13D60A.73009DCD@zip.com.au>
Message-ID:

can you do:

extern char *optarg;

instead?

On Sat, 22 Jun 2002, Darren Tucker wrote:

> Hello All,
> I've just attempted to build from -cvs on AIX and get the following:
>
> $ gcc [snip] -c ssh-agent.c
> ssh-agent.c: In function `main':
> ssh-agent.c:975: `BSDoptarg' undeclared (first use in this function)
> ssh-agent.c:975: (Each undeclared identifier is reported only once
> ssh-agent.c:975: for each function it appears in.)
> make: 1254-004 The error code from the last command is 1.
>
> Adding "extern char *BSDoptarg;" to ssh-agent.c allows the build to
> complete.
>
> -Daz.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>

From dtucker at zip.com.au Sat Jun 22 15:12:54 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 22 Jun 2002 15:12:54 +1000
Subject: ssh-agent build failure on AIX
References:
Message-ID: <3D140756.82312E3F@zip.com.au>

Ben Lindstrom wrote:
> On Sat, 22 Jun 2002, Darren Tucker wrote:
> > I've just attempted to build from -cvs on AIX and get the following:
> > ssh-agent.c:975: `BSDoptarg' undeclared (first use in this function)
> >
> > Adding "extern char *BSDoptarg;" to ssh-agent.c allows the build to
> > complete.
>
> can you do:
>
> extern char *optarg;
>
> instead?

Yes that works.

-Daz.

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From stuge at cdy.org Sat Jun 22 16:22:12 2002
From: stuge at cdy.org (Peter Stuge)
Date: Sat, 22 Jun 2002 08:22:12 +0200
Subject: Testing call.
In-Reply-To: ; from mouring@etoh.eviladmin.org on Fri, Jun 21, 2002 at 11:44:14AM -0500
References: <200206211650.g5LGoim60716@merlot.juniper.net>
Message-ID: <20020622082212.A15339@foo.birdnet.se>

On Fri, Jun 21, 2002 at 11:44:14AM -0500, Ben Lindstrom wrote:
>
> Look at the 3.3 release instead of the snapshot.

On an old libc5 Linux system of mine, privsep doesn't work. Kernel 2.4.18.
3.3p1 client on more modern Linux system (where privsep'd sshd works fine)

OpenSSH has been configured with the following options:
  User binaries: /usr/local/bin
  System binaries: /usr/local/sbin
  Configuration files: /usr/local/etc
  Askpass program: /usr/local/libexec/ssh-askpass
  Manual pages: /usr/local/man/manX
  PID file: /var/run
  Privilege separation chroot path: /var/empty
  sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
  Manpage format: doc
  PAM support: no
  KerberosIV support: no
  KerberosV support: no
  Smartcard support: no
  AFS support: no
  S/KEY support: no
  TCP Wrappers support: no
  MD5 password support: no
  IP address in $DISPLAY hack: no
  Use IPv4 by default hack: no
  Translate v4 in v6 hack: yes
  BSD Auth support: no
  Random number source: OpenSSL internal ONLY

  Host: i686-pc-linux-gnulibc1
  Compiler: gcc
  Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
  Preprocessor flags: -I/usr/local/ssl/include
  Linker flags: -L/usr/local/ssl/lib
  Libraries: -lbsd -lz -lcrypto

:/local/openssh# ./sshd -d -d -d
debug1: sshd version OpenSSH_3.3
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from x.x.x.x port y
debug1: Client protocol version 2.0; client software version OpenSSH_3.3
debug1: match: OpenSSH_3.3 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.3
debug2: Network child is on pid 21604
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 53:53
initgroups: No such file or directory
my_extra_debug: getuid=0 geteuid=0 getgid=53 getegid=53
my_extra_debug: pw->pw_name='sshd' pw->pw_gid=53
debug1: Calling cleanup 0x806aa88(0x0)

my_extra_debug is between the perror() and exit() at session.c:1185

Also, misc.c failed to compile because TCP_NODELAY wasn't defined in but only in - I copied the define to netinet/ip_tcp.h to solve this.

privsep might not be working because of a very broken system, like I said, it's an old system that I've upgraded bit by bit now and then. But initgroups() still shouldn't fail. Unfortunately I can't strace either, the process gets signal 11 then.

A simple test program doing initgroups() with the same parameters as sshd works fine.

Any ideas?

//Peter

From bugzilla-daemon at mindrot.org Sat Jun 22 16:48:35 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 22 Jun 2002 16:48:35 +1000 (EST)
Subject: [Bug 282] ttymodes sent can be invalid
Message-ID: <20020622064835.21947E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=282

------- Additional Comments From stuge-openssh-bugzilla at cdy.org 2002-06-22 16:48 -------
/usr/src/linux/drivers/char/pty.c:345 reads

    static void pty_set_termios(struct tty_struct *tty, struct termios *old_termios)
    {
        tty->termios->c_cflag &= ~(CSIZE | PARENB);
        tty->termios->c_cflag |= (CS8 | CREAD);
    }

This gets called when someone does tcsetattr() on a pty.

I think I can see a reason for clearing CSIZE and setting CS8|CREAD, but why clear PARENB?

And in the glibc code quoted by Kevin this behaviour is referred to as if it should return some error contrary to the current 'silently ignore' approach..

What do kernel gurus on/from LKML say?

From bugzilla-daemon at mindrot.org Sat Jun 22 19:48:54 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 22 Jun 2002 19:48:54 +1000 (EST)
Subject: [Bug 283] UsePrivilegeSeparation fails on AIX, Couldn't set usrinfo:
Message-ID: <20020622094854.0CF1CE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=283

------- Additional Comments From janfrode at parallab.uib.no 2002-06-22 19:48 -------
http://tre.ii.uib.no/doc_link/en_US/a_doc_lib/libs/basetrf2/usrinfo.htm

From bugzilla-daemon at mindrot.org Sat Jun 22 22:09:05 2002
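The pty_set_termios() behaviour discussed in bug 282 above, reproduced from user space as an added example (not OpenSSH or kernel code; every function and enum name here is this example's own). It opens a pty, asks for CS7|PARENB, then reads the modes back rather than trusting tcsetattr()'s return value: on a Linux pty the driver rewrites those bits whatever the C library reports, so the read-back is the only reliable check a caller of tcsetattr() has. Assumes a Linux host with /dev/ptmx available.

```c
/* Added example, not OpenSSH or kernel code: reproduce the bug-282 situation
 * on a pty and show the check a caller needs.  Names here are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <termios.h>
#include <unistd.h>

enum ttymode_result {
    TTYMODE_APPLIED = 0,        /* the bits we care about are in effect */
    TTYMODE_REJECTED = 1,       /* tcsetattr() failed (glibc: EINVAL after its own re-read) */
    TTYMODE_SILENTLY_LOST = 2,  /* tcsetattr() returned 0 but the driver rewrote the bits */
    TTYMODE_ERROR = 3           /* could not open the pty or read its modes */
};

/* The bits pty_set_termios() rewrites: it clears CSIZE|PARENB and forces CS8|CREAD. */
#define PTY_REWRITTEN_BITS (CSIZE | PARENB | CREAD)

/* Pure classification, so the decision can be tested without a pty. */
enum ttymode_result classify_cflag(tcflag_t requested, tcflag_t now, int setattr_rc)
{
    if ((now & PTY_REWRITTEN_BITS) == (requested & PTY_REWRITTEN_BITS))
        return TTYMODE_APPLIED;
    return setattr_rc < 0 ? TTYMODE_REJECTED : TTYMODE_SILENTLY_LOST;
}

/* Set c_cflag on fd, then read it back instead of trusting the return value. */
enum ttymode_result set_cflag_checked(int fd, tcflag_t cflag, tcflag_t *applied)
{
    struct termios tio, now;
    if (tcgetattr(fd, &tio) < 0)
        return TTYMODE_ERROR;
    tio.c_cflag = cflag;
    int rc = tcsetattr(fd, TCSANOW, &tio);
    if (tcgetattr(fd, &now) < 0)
        return TTYMODE_ERROR;
    if (applied != NULL)
        *applied = now.c_cflag;
    return classify_cflag(cflag, now.c_cflag, rc);
}

/* Open a master/slave pair; returns the slave fd (the end a session would use). */
static int open_pty_slave(int *master)
{
    int m = posix_openpt(O_RDWR | O_NOCTTY);
    if (m < 0)
        return -1;
    const char *name = NULL;
    if (grantpt(m) < 0 || unlockpt(m) < 0 || (name = ptsname(m)) == NULL) {
        close(m);
        return -1;
    }
    int s = open(name, O_RDWR | O_NOCTTY);
    if (s < 0) {
        close(m);
        return -1;
    }
    *master = m;
    return s;
}

/* Ask a fresh pty for 7 data bits with parity (CS7|PARENB), as a client's
 * ttymodes might; on a Linux pty this is never honoured. */
enum ttymode_result request_parity_on_pty(tcflag_t *applied)
{
    int master, slave = open_pty_slave(&master);
    if (slave < 0)
        return TTYMODE_ERROR;
    enum ttymode_result r =
        set_cflag_checked(slave, CS7 | PARENB | CREAD | HUPCL, applied);
    close(slave);
    close(master);
    return r;
}

int main(void)
{
    tcflag_t applied = 0;
    enum ttymode_result r = request_parity_on_pty(&applied);
    printf("result=%d  PARENB %s, CSIZE=%s\n", r,
           (applied & PARENB) ? "set" : "cleared",
           (applied & CSIZE) == CS8 ? "CS8" : "other");
    return 0;
}
```

Result 1 means the C library noticed the rewrite and returned EINVAL (glibc does a re-read of its own); result 2 means the library returned success and the change was silently lost, which is the case the bug report describes.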
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 22 Jun 2002 22:09:05 +1000 (EST)
Subject: [Bug 284] New: Hostbased authentication erroneously reported
Message-ID: <20020622120905.A79B2E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=284

           Summary: Hostbased authentication erroneously reported
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: arjones at simultan.dyndns.org

I'm not entirely sure this is a bug, but it seems that way to me. I have hostbased authentication disabled in sshd_config on the server and in ssh_config on the client. When I log on to the server, the -d and -v options (respectively) clearly indicate that public key authentication succeeds. I receive, as normal, "Accepted publickey for root" blah blah in my log. However, as of 3.3p1, I ALSO receive "Accepted hostbased " blah blah. This seems in error.

From bugzilla-daemon at mindrot.org Sat Jun 22 22:16:29 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 22 Jun 2002 22:16:29 +1000 (EST)
Subject: [Bug 283] UsePrivilegeSeparation fails on AIX, Couldn't set usrinfo:
Message-ID: <20020622121629.D85E8E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=283

------- Additional Comments From gert at greenie.muc.de 2002-06-22 22:16 -------
Created an attachment (id=117)
Manpage for AIX usrinfo(). Needed to setup proper user context for some legacy AIX applications.

From provos at citi.umich.edu Sat Jun 22 23:33:09 2002
From: provos at citi.umich.edu (Niels Provos)
Date: Sat, 22 Jun 2002 09:33:09 -0400
Subject: OpenSSH 3.3 released
In-Reply-To: <20020621231750.C99283@hiwaay.net>
References: <20020621195058.GA29426@folly> <20020621231750.C99283@hiwaay.net>
Message-ID: <20020622133309.GW15772@citi.citi.umich.edu>

On Fri, Jun 21, 2002 at 11:17:50PM -0500, Chris Adams wrote:
> I'm (finally!) looking at privsep and Tru64 Unix (with HAVE_OSF_SIA
> enabled), and I'm not sure I can see how it will work. The problem is
> in auth-sia.c session_setup_sia().

You can delay that call until the very beginning of privilege separation in the post-authentication phase.

> The sia_ses_estab() call has to run as root because in enhanced security
[...]
> The sia_ses_launch() call has to run as root as well because it
> generates audit records and has to run in the child because it sets the
> effective user and group IDs.

Same for these.

Niels.

From hadmut at danisch.de Sun Jun 23 03:26:39 2002
From: hadmut at danisch.de (Hadmut Danisch)
Date: Sat, 22 Jun 2002 19:26:39 +0200
Subject: Suggestion: Environment parameter
Message-ID: <20020622172639.GA7382@danisch.de>

Hi,

just a suggestion for a little feature:

Would be nice if you could set some parameters on the client side (i.e. in the config file), which will be passed to the sshd server and then set as one (or multiple?) environment variable.

(Reason: Several administrators have to log in as root on a server, and the server should run several .logins and .cshrcs depending on who is logging in as root)

regards
Hadmut

From janfrode at parallab.uib.no Sun Jun 23 04:02:05 2002
From: janfrode at parallab.uib.no (Jan-Frode Myklebust)
Date: Sat, 22 Jun 2002 20:02:05 +0200
Subject: Suggestion: Environment parameter
In-Reply-To: <20020622172639.GA7382@danisch.de>; from hadmut@danisch.de on Sat, Jun 22, 2002 at 07:26:39PM +0200
References: <20020622172639.GA7382@danisch.de>
Message-ID: <20020622200205.A18712@ii.uib.no>

environment="NAME=value" in the authorized_keys should probably solve your problem, assuming the administrators all use public key authentication. This is documented in 'man sshd'.

-jf

From bugzilla-daemon at mindrot.org Sun Jun 23 04:51:21 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 23 Jun 2002 04:51:21 +1000 (EST)
Subject: [Bug 255] You must "exec" login from the lowest login shell.
Message-ID: <20020622185121.1E698E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=255

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From stevesk at pobox.com 2002-06-23 04:51 -------
thanks, committed.

From gwyllion at ace.ulyssis.org Sun Jun 23 07:48:50 2002
From: gwyllion at ace.ulyssis.org (Dries Schellekens)
Date: Sat, 22 Jun 2002 23:48:50 +0200 (CEST)
Subject: Provably Fixing the SSH Binary Packet Protocol
Message-ID:

Hey,

Are there any plans to apply the changes suggested in "Provably Fixing the SSH Binary Packet Protocol" by Mihir Bellare, Tadayoshi Kohno and Chanathip Namprempre.

http://eprint.iacr.org/2002/078/

I guess this would require a new protocol specification and maybe the task of the IETF Secure Shell Working Group.

Dries

--
Dries Schellekens
email: gwyllion at ulyssis.org

From bugzilla-daemon at mindrot.org Sun Jun 23 09:11:11 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 23 Jun 2002 09:11:11 +1000 (EST)
Subject: [Bug 284] Hostbased authentication erroneously reported
Message-ID: <20020622231111.AB1ADE8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=284

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From stevesk at pobox.com 2002-06-23 09:11 -------
fixed:

RCS file: /cvs/src/usr.bin/ssh/monitor.c,v
Working file: monitor.c
head: 1.17
branch:
locks: strict
access list:
symbolic names:
    OPENBSD_2_9: 1.11.0.4
    OPENBSD_3_0: 1.11.0.2
    OPENBSD_3_1: 1.9.0.2
    OPENBSD_3_1_BASE: 1.9
keyword substitution: kv
total revisions: 22;    selected revisions: 1
description:
----------------------------
revision 1.17
date: 2002/06/22 23:09:51;  author: stevesk;  state: Exp;  lines: +3 -3
save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@

From tim at multitalents.net Sun Jun 23 10:00:13 2002
From: tim at multitalents.net (Tim Rice)
Date: Sat, 22 Jun 2002 17:00:13 -0700 (PDT)
Subject: Testing call.
In-Reply-To: <20020622082212.A15339@foo.birdnet.se>
Message-ID:

On Sat, 22 Jun 2002, Peter Stuge wrote:

> On Fri, Jun 21, 2002 at 11:44:14AM -0500, Ben Lindstrom wrote:
> >
> > Look at the 3.3 release instead of the snapshot.
>
> On an old libc5 Linux system of mine, privsep doesn't work. Kernel 2.4.18.
> 3.3p1 client on more modern Linux system (where privsep'd sshd works fine)
> [snip]
> debug3: mm_request_receive entering
> debug3: privsep user:group 53:53
> initgroups: No such file or directory
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Apply the attached patch. It's part of a privsep patch I was working on that hasn't made it in yet.

> my_extra_debug: getuid=0 geteuid=0 getgid=53 getegid=53
> my_extra_debug: pw->pw_name='sshd' pw->pw_gid=53
> debug1: Calling cleanup 0x806aa88(0x0)

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

-------------- next part --------------
--- openssh/session.c.old Sun May 12 20:25:02 2002 +++ openssh/session.c Wed May 29 07:39:22 2002 @@ -1089,10 +1089,11 @@ exit(1); } /* Initialize the group list. */ - if (initgroups(pw->pw_name, pw->pw_gid) < 0) { - perror("initgroups"); - exit(1); - } + if (strcmp(pw->pw_name, SSH_PRIVSEP_USER)) + if (initgroups(pw->pw_name, pw->pw_gid) < 0) { + perror("initgroups"); + exit(1); + } endgrent(); # ifdef USE_PAM /* From mouring at etoh.eviladmin.org Sun Jun 23 10:11:04 2002
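Review bot: the outer `if (strcmp(pw->pw_name, SSH_PRIVSEP_USER))` in the session.c hunk wraps a multi-line nested `if` without braces and relies on strcmp()'s non-zero-means-different result, which reads inverted at first glance; write it as `if (strcmp(pw->pw_name, SSH_PRIVSEP_USER) != 0) { ... }` so the intent (skip initgroups() only for the privsep user) is explicit. A comment saying why that user is exempt would also help: once initgroups() is skipped, the process keeps whatever supplementary group list it inherited unless the surrounding code calls setgroups() itself, and a reader of this hunk cannot confirm that from the context lines shown.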
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sat, 22 Jun 2002 19:11:04 -0500 (CDT)
Subject: ssh-agent build failure on AIX
In-Reply-To: <3D140756.82312E3F@zip.com.au>
Message-ID:

Applied. Thanks.

On Sat, 22 Jun 2002, Darren Tucker wrote:

> Ben Lindstrom wrote:
> > On Sat, 22 Jun 2002, Darren Tucker wrote:
> > > I've just attempted to build from -cvs on AIX and get the following:
> > > ssh-agent.c:975: `BSDoptarg' undeclared (first use in this function)
> > >
> > > Adding "extern char *BSDoptarg;" to ssh-agent.c allows the build to
> > > complete.
> >
> > can you do: extern char *optarg; instead?
>
> Yes that works.
>
> -Daz.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>

From santanu.misra at reuters.com Sun Jun 23 10:50:20 2002
From: santanu.misra at reuters.com (Santanu Misra)
Date: Sat, 22 Jun 2002 17:50:20 -0700
Subject: configure problem --- Can't find recent OpenSSL libcrypto
Message-ID:

Hi Carson,

Thanks for mentioning the 64/32 bit issue. I was able to configure ssh now :)

But for further reference, a good document to look at:
http://www.sun.com/solutions/blueprints/0701/openSSH.pdf

Markus,
Can it be mentioned in the INSTALL of later release of OPENSSH.

Thanks everyone for all the help.

-Santanu

-----Original Message-----
From: Carson Gaspar [mailto:carson at taltos.org]
Sent: Friday, June 21, 2002 2:34 PM
To: 'openssh-unix-dev at mindrot.org'
Subject: Re: configure problem --- Can't find recent OpenSSL libcrypto

--On Thursday, June 20, 2002 5:29 PM -0700 Santanu Misra wrote:

> $config solaris64-sparcv9-cc --prefix=/local/santanu/pkg/ssl

This generates a 64-bit OpenSSL library

> configure:7846: result: yes
> configure:8215: cc -o conftest -g -I/local/santanu/pkg/ssl/include
> -I/usr/local/include -L/local/santanu/pkg/ssl/lib -R/local/santanu/pkg/ssl/lib -L/usr/local/lib -R/usr/local/lib conftest.c -lz
> -lsocket -lnsl -lcrypto >&5
> Undefined                       first referenced
>  symbol                             in file
> RAND_add                            conftest.o
> ld: fatal: Symbol referencing errors. No output written to conftest

This is looking for a 32-bit OpenSSL library (note the lack of 64-bit options for cc). You may not mix 64-bit and 32-bit objects in Solaris. You must either:

- Compile OpenSSL in 32-bit mode

or

- Add the appropriate 64-bit options to CPPFLAGS when compiling OpenSSH.

--
Carson

From kevin at atomicgears.com Sun Jun 23 11:24:27 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Sat, 22 Jun 2002 18:24:27 -0700
Subject: Testing call.
In-Reply-To:
References: <20020622082212.A15339@foo.birdnet.se>
Message-ID: <20020623012427.GA2944@jenny.crlsca.adelphia.net>

On Sat, Jun 22, 2002 at 05:00:13PM -0700, Tim Rice wrote:
> On Sat, 22 Jun 2002, Peter Stuge wrote:
> > On an old libc5 Linux system of mine, privsep doesn't work. Kernel 2.4.18.
> > 3.3p1 client on more modern Linux system (where privsep'd sshd works fine)
> >
> [snip]
> > debug3: mm_request_receive entering
> > debug3: privsep user:group 53:53
> > initgroups: No such file or directory
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Apply the attached patch. It's part of a privsep patch I was working
> on that hasn't made it in yet.

what is the file it's referring to? what happens if there's an empty etc/group in /var/empty?

From bugzilla-daemon at mindrot.org Sun Jun 23 19:32:16 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 23 Jun 2002 19:32:16 +1000 (EST)
Subject: [Bug 285] New: 3.3p1 on Linux 2.2.x doesn't accept connections
Message-ID: <20020623093216.E59B5E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=285

           Summary: 3.3p1 on Linux 2.2.x doesn't accept connections
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P1
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: vms at bofhlet.net

Jun 22 22:47:29 *server* sshd[711]: fatal: mmap(65536): Invalid argument

And it closes the connection. Tested on two systems, both kernel 2.2.21, on other two systems with kernel 2.4.18 sshd works perfectly, and I'm able to login.

From bugzilla-daemon at mindrot.org Sun Jun 23 20:31:37 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 23 Jun 2002 20:31:37 +1000 (EST)
Subject: [Bug 285] 3.3p1 on Linux 2.2.x doesn't accept connections
Message-ID: <20020623103137.6A215E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=285

------- Additional Comments From dtucker at zip.com.au 2002-06-23 20:31 -------
Disabling PrivSep (add "UsePrivilegeSeparation no" to sshd_config) should get it working on 2.2 kernels.

3.3p1 defaults PrivSep to on. Previous releases (that supported it) defaulted to off.

From markus at openbsd.org Sun Jun 23 21:24:04 2002
From: markus at openbsd.org (Markus Friedl)
Date: Sun, 23 Jun 2002 13:24:04 +0200
Subject: Provably Fixing the SSH Binary Packet Protocol
In-Reply-To:
References:
Message-ID: <20020623112404.GB8010@folly>

it's more likely if someone sends a patch.

From gwyllion at ace.ulyssis.org Sun Jun 23 21:34:19 2002
From: gwyllion at ace.ulyssis.org (Dries Schellekens)
Date: Sun, 23 Jun 2002 13:34:19 +0200 (CEST)
Subject: Provably Fixing the SSH Binary Packet Protocol
In-Reply-To: <20020623112404.GB8010@folly>
Message-ID:

On Sun, 23 Jun 2002, Markus Friedl wrote:

> it's more likely if someone sends a patch.

They seem to suggest replacing CBC with stateful-decryption CTR (counter) mode:
http://www-cse.ucsd.edu/users/tkohno/papers/SSH/sshadvice.html

libssl/crypto seems to have AES_ctr128_encrypt.

Dries

--
Dries Schellekens
email: gwyllion at ulyssis.org

From abartlet at samba.org Sun Jun 23 21:35:15 2002
From: abartlet at samba.org (Andrew Bartlett)
Date: Sun, 23 Jun 2002 21:35:15 +1000
Subject: Specifying a fixed uid for RedHat RPM PrivSep user
Message-ID: <3D15B273.F097ABF4@bartlett.house>

I'm a little uncomfortable with the way the privsep user is created in the RedHat spec files. In particular the way a fixed UID is specified.

Now it looks (from a glance at the apache/bind spec file) that it is 'the way it is done' - but is there a register of these numbers somewhere?

Andrew Bartlett

--
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

From pekkas at netcore.fi Sun Jun 23 22:33:37 2002
From: pekkas at netcore.fi (Pekka Savola)
Date: Sun, 23 Jun 2002 15:33:37 +0300 (EEST)
Subject: Specifying a fixed uid for RedHat RPM PrivSep user
In-Reply-To: <3D15B273.F097ABF4@bartlett.house>
Message-ID:

On Sun, 23 Jun 2002, Andrew Bartlett wrote:
> I'm a little uncomfortable with the way the privsep user is created in
> the RedHat spec files. In particular the way a fixed UID is specified.
>
> Now it looks (from a glance at the apache/bind spec file) that it is
> 'the way it is done' - but is there a register of these numbers
> somewhere?

By adding a package to Red Hat Linux, the reservation will be done in /usr/share/doc/setup-*/uidgid eventually.. :-)

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From stuge at cdy.org Sun Jun 23 22:53:26 2002
From: stuge at cdy.org (Peter Stuge)
Date: Sun, 23 Jun 2002 14:53:26 +0200
Subject: Testing call.
In-Reply-To: ; from tim@multitalents.net on Sat, Jun 22, 2002 at 05:00:13PM -0700
References: <20020622082212.A15339@foo.birdnet.se>
Message-ID: <20020623145326.A24317@foo.birdnet.se>

On Sat, Jun 22, 2002 at 05:00:13PM -0700, Tim Rice wrote:
> On Sat, 22 Jun 2002, Peter Stuge wrote:
> [snip]
> > debug3: mm_request_receive entering
> > debug3: privsep user:group 53:53
> > initgroups: No such file or directory
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Apply the attached patch. It's part of a privsep patch I was working
> on that hasn't made it in yet.

Works beautifully. Thanks!

//Peter

From provos at citi.umich.edu Sun Jun 23 23:58:28 2002
From: provos at citi.umich.edu (Niels Provos)
Date: Sun, 23 Jun 2002 09:58:28 -0400
Subject: [Bug 285] 3.3p1 on Linux 2.2.x doesn't accept connections
In-Reply-To: <20020623103137.6A215E881@shitei.mindrot.org>
References: <20020623103137.6A215E881@shitei.mindrot.org>
Message-ID: <20020623135828.GI15772@citi.citi.umich.edu>

On Sun, Jun 23, 2002 at 08:31:37PM +1000, bugzilla-daemon at mindrot.org wrote:
> ------- Additional Comments From dtucker at zip.com.au 2002-06-23 20:31 -------
> Disabling PrivSep (add "UsePrivilegeSeparation no" to sshd_config) should get it
> working on 2.2 kernels.
>
> 3.3p1 defaults PrivSep to on. Previous releases (that supported it) defaulted to
> off.

Turn compression off in the server.

From bugzilla-daemon at mindrot.org Mon Jun 24 03:16:50 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 24 Jun 2002 03:16:50 +1000 (EST)
Subject: [Bug 286] New: sshd crash on connection
Message-ID: <20020623171650.BAE57E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=286

           Summary: sshd crash on connection
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: updates at clearscene.net

All,

I have recently upgraded openssh to the most current version. When a connection is made to the sshd service (which has started OK) it reports an 'invalid argument'. I have included the trace from an "sshd -d" session.

========
[root clearscene]# sshd -d
debug1: sshd version OpenSSH_3.3
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 194.216.113.55.
Server listening on 194.216.113.55 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 194.216.113.100 port 4221
debug1: Client protocol version 2.0; client software version OpenSSH_3.3
debug1: match: OpenSSH_3.3 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.3
mmap(65536): Invalid argument
debug1: Calling cleanup 0x806b4c4(0x0)
========

I have compiled/installed this new version on several other machines and all is well.

For your info the output from "cat /proc/version" is as follows

========
Linux version 2.2.14C11 (root at adrian1.cobalt.com) (gcc version 2.95.2 19991024 (release)) #2 Wed Jun 28 00:55:51 PDT 2000
========

Many thanks for your time.
From bugzilla-daemon at mindrot.org Mon Jun 24 03:28:01 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 24 Jun 2002 03:28:01 +1000 (EST)
Subject: [Bug 285] 3.3p1 on Linux 2.2.x doesn't accept connections
Message-ID: <20020623172801.8D403E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=285

------- Additional Comments From mouring at eviladmin.org 2002-06-24 03:27 -------
The issue is mmap() on Linux 2.2 kernel does not support any of the useful options in order to allow PrivSep and Compression at the same time.

Either disable privsep (like what dtucker@ said) or change 'Compression yes' to 'Compression no'.

There is a patch being worked out to straighten some of this out.

From herrold at owlriver.com Mon Jun 24 03:30:29 2002
From: herrold at owlriver.com (R P Herrold)
Date: Sun, 23 Jun 2002 13:30:29 -0400 (EDT)
Subject: [o-ssh] Specifying a fixed uid for RedHat RPM PrivSep user
In-Reply-To: <3D15B273.F097ABF4@bartlett.house>
Message-ID:

On Sun, 23 Jun 2002, Andrew Bartlett wrote:

> I'm a little uncomfortable with the way the privsep user is created in
> the RedHat spec files. In particular the way a fixed UID is specified.
>
> Now it looks (from a glance at the apache/bind spec file) that it is
> 'the way it is done' - but is there a register of these numbers
> somewhere?

see: /usr/share/doc/setup-2.5.12/uidgid

bash-2.05a$ rpm -qf /usr/share/doc/setup-2.5.12/uidgid
setup-2.5.12-1

for Red Hat

-- Russ Herrold

From bugzilla-daemon at mindrot.org Mon Jun 24 03:40:29 2002
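The mmap() failure behind bug 285, shown with an added example that is not OpenSSH code: privsep keeps state such as the compression context in an anonymous mapping that must stay shared across fork() so the monitor and the unprivileged child see the same bytes. The probe below (all function and enum names are this example's own) requests such a mapping, has a child write into it and checks from the parent whether the write is visible; it also shows why MAP_PRIVATE would not do, and reports a distinct code when mmap() itself fails with EINVAL, which is what the "mmap(65536): Invalid argument" line in the report means. Assumes a POSIX system with MAP_ANONYMOUS (or MAP_ANON).

```c
/* Added example, not OpenSSH code: probe the shared anonymous mapping that
 * privsep needs for compression (bug 285).  Names here are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

enum shared_probe {
    SHARED_OK = 0,          /* parent saw the child's write: usable for privsep */
    SHARED_MMAP_EINVAL = 1, /* mmap() rejected the flags (the 2.2-kernel case)  */
    SHARED_MMAP_OTHER = 2,  /* mmap() failed for another reason (ENOMEM, ...)   */
    SHARED_NOT_SHARED = 3,  /* mapping exists but writes stay private (COW)     */
    SHARED_FORK_FAILED = 4
};

/* Anonymous mapping with the caller's sharing flag (MAP_SHARED or MAP_PRIVATE).
 * Returns NULL with errno set on failure; this is the point at which sshd
 * reported "mmap(65536): Invalid argument" before it could fork. */
static void *anon_map(size_t size, int sharing)
{
    void *p = mmap(NULL, size, PROT_READ | PROT_WRITE,
                   sharing | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Map `size` bytes, fork, let the child write markers at both ends, then
 * check from the parent whether those writes are visible to it. */
enum shared_probe probe_mapping(size_t size, int sharing)
{
    unsigned char *buf = anon_map(size, sharing);
    if (buf == NULL)
        return errno == EINVAL ? SHARED_MMAP_EINVAL : SHARED_MMAP_OTHER;
    memset(buf, 0, size);

    pid_t pid = fork();
    if (pid < 0) {
        munmap(buf, size);
        return SHARED_FORK_FAILED;
    }
    if (pid == 0) {                 /* child: plays the unprivileged side */
        buf[0] = 0xA5;
        buf[size - 1] = 0x5A;
        _exit(0);
    }
    int status;
    waitpid(pid, &status, 0);       /* parent: plays the monitor side */

    enum shared_probe r = (buf[0] == 0xA5 && buf[size - 1] == 0x5A)
                          ? SHARED_OK : SHARED_NOT_SHARED;
    munmap(buf, size);
    return r;
}

int main(void)
{
    /* 65536 is the size sshd asked for in the bug report. */
    printf("MAP_SHARED  anonymous: %d (0 = shared across fork)\n",
           probe_mapping(65536, MAP_SHARED));
    printf("MAP_PRIVATE anonymous: %d (3 = child's writes not visible)\n",
           probe_mapping(65536, MAP_PRIVATE));
    return 0;
}
```

A server that gets SHARED_MMAP_EINVAL here is in the bug-285 situation and has to give up either the shared state or privsep, which is exactly the "Compression no" or "UsePrivilegeSeparation no" choice given in the comments above.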
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 24 Jun 2002 03:40:29 +1000 (EST) Subject: [Bug 286] sshd crash on connection Message-ID: <20020623174029.0AD24E8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=286 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |DUPLICATE ------- Additional Comments From mouring at eviladmin.org 2002-06-24 03:40 ------- *** This bug has been marked as a duplicate of 285 *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Jun 24 03:40:33 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 24 Jun 2002 03:40:33 +1000 (EST) Subject: [Bug 285] 3.3p1 on Linux 2.2.x doesn't accept connections Message-ID: <20020623174033.9B1FDE902@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=285 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |updates at clearscene.net ------- Additional Comments From mouring at eviladmin.org 2002-06-24 03:40 ------- *** Bug 286 has been marked as a duplicate of this bug. *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From mouring at etoh.eviladmin.org Mon Jun 24 05:26:22 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sun, 23 Jun 2002 14:26:22 -0500 (CDT) Subject: config.h collection for 3.3 Message-ID:

I'm looking to do some statistics that I've been looking at doing for the last year and a half. I'd like to see config.h from:

AIX
SGI
SCO (all)
NeXTStep (Intel, HP, etc)
FreeBSD
NetBSD
OpenBSD
Linux (Distro and Kernel release)

and any other OS I may have missed (That includes cray and others that are sorta-almost-well-not-really-supported if the patches exist =).

I'm *ONLY* interested in 3.3... not -current, not 3.2.x or below.

send them to: config at eviladmin.org

note the OS, version, and platform, and if privsep does not work. DO NOT SEND ATTACHMENTS. PUT THE STUFF IN THE BODY.

What I'm looking for in general is to get an idea of platform support and what the hit/usage ratio of openbsd-compat/ stuff is. I'm hoping to have some semi-useful stats in two weeks.

- Ben

From bugzilla-daemon at mindrot.org Mon Jun 24 07:28:25 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 24 Jun 2002 07:28:25 +1000 (EST) Subject: [Bug 287] New: URL wrong in INSTALL file Message-ID: <20020623212825.6DBBBE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=287

Summary: URL wrong in INSTALL file
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: trivial
Priority: P2
Component: Documentation
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: mator at mail.ru

RPMs of OpenSSL are available at http://violet.ibs.com.au/openssh/files/support. For Red Hat Linux 6.2, they have been released as errata. RHL7 includes these.

host violet.ibs.com.au is not found, please correct INSTALL file.

------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

From kevin at atomicgears.com Mon Jun 24 10:50:22 2002
From: kevin at atomicgears.com (Kevin Steves) Date: Sun, 23 Jun 2002 17:50:22 -0700 Subject: remove --with-rsh Message-ID: <20020624005022.GH2042@jenny.crlsca.adelphia.net> is this ok (complete, correct)? Index: INSTALL =================================================================== RCS file: /var/cvs/openssh/INSTALL,v retrieving revision 1.53 diff -u -r1.53 INSTALL --- INSTALL 13 May 2002 05:22:21 -0000 1.53 +++ INSTALL 24 Jun 2002 00:50:20 -0000 @@ -105,11 +105,6 @@ There are a few other options to the configure script: ---with-rsh=PATH allows you to specify the path to your rsh program. -Normally ./configure will search the current $PATH for 'rsh'. You -may need to specify this option if rsh is not in your path or has a -different name. - --with-pam enables PAM support. --enable-gnome-askpass will build the GNOME passphrase dialog. You Index: acconfig.h =================================================================== RCS file: /var/cvs/openssh/acconfig.h,v retrieving revision 1.138 diff -u -r1.138 acconfig.h --- acconfig.h 12 Jun 2002 16:57:15 -0000 1.138 +++ acconfig.h 24 Jun 2002 00:50:20 -0000 @@ -228,9 +228,6 @@ /* Define if xauth is found in your path */ #undef XAUTH_PATH -/* Define if rsh is found in your path */ -#undef RSH_PATH - /* Define if you want to allow MD5 passwords */ #undef HAVE_MD5_PASSWORDS Index: configure.ac =================================================================== RCS file: /var/cvs/openssh/configure.ac,v retrieving revision 1.68 diff -u -r1.68 configure.ac --- configure.ac 22 Jun 2002 18:51:48 -0000 1.68 +++ configure.ac 24 Jun 2002 00:50:32 -0000 @@ -247,7 +247,6 @@ CPPFLAGS="$CPPFLAGS -Dftruncate=chsize -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" LIBS="$LIBS -los -lprot -lx -ltinfo -lm" - rsh_path="/usr/bin/rcmd" RANLIB=true no_dev_ptmx=1 AC_DEFINE(BROKEN_SYS_TERMIO_H) 
@@ -264,7 +263,6 @@ LDFLAGS="$LDFLAGS -L/usr/local/lib" LIBS="$LIBS -lprot -lx -ltinfo -lm" no_dev_ptmx=1 - rsh_path="/usr/bin/rcmd" AC_DEFINE(USE_PIPES) AC_DEFINE(HAVE_SECUREWARE) AC_DEFINE(DISABLE_SHADOW) @@ -1790,17 +1788,6 @@ LIBS="$LIBS $KLIBS $K5LIBS" # Looking for programs, paths and files -AC_ARG_WITH(rsh, - [ --with-rsh=PATH Specify path to remote shell program ], - [ - if test "x$withval" != "$no" ; then - rsh_path=$withval - fi - ], - [ - AC_PATH_PROG(rsh_path, rsh) - ] -) PRIVSEP_PATH=/var/empty AC_ARG_WITH(privsep-path, @@ -1835,9 +1822,6 @@ AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path") XAUTH_PATH=$xauth_path AC_SUBST(XAUTH_PATH) -fi -if test ! -z "$rsh_path" ; then - AC_DEFINE_UNQUOTED(RSH_PATH, "$rsh_path") fi # Check for mail directory (last resort if we cannot get it from headers) Index: defines.h =================================================================== RCS file: /var/cvs/openssh/defines.h,v retrieving revision 1.91 diff -u -r1.91 defines.h --- defines.h 22 Jun 2002 00:27:00 -0000 1.91 +++ defines.h 24 Jun 2002 00:50:33 -0000 @@ -316,14 +316,6 @@ # define _PATH_MAILDIR MAILDIR #endif /* !defined(_PATH_MAILDIR) && defined(MAILDIR) */ -#ifndef _PATH_RSH -# ifdef RSH_PATH -# define _PATH_RSH RSH_PATH -# else /* RSH_PATH */ -# define _PATH_RSH "/usr/bin/rsh" -# endif /* RSH_PATH */ -#endif /* _PATH_RSH */ - #ifndef _PATH_NOLOGIN # define _PATH_NOLOGIN "/etc/nologin" #endif From smueller at atsec.com Mon Jun 24 15:56:05 2002 
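Review bot: the defines.h hunk removes the _PATH_RSH fallback, and the acconfig.h and configure.ac hunks remove RSH_PATH along with it, so any file outside the four touched here that still references either macro will no longer build; before committing, grep the whole tree for `RSH_PATH` and `_PATH_RSH` and confirm nothing still uses them, in particular the client code behind the FallBackToRsh and UseRsh options that the 3.3 release notes in this thread list as deprecated.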
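Review bot: the INSTALL hunk deletes the --with-rsh=PATH paragraph, but nothing in the patch records the removal for users whose build scripts still pass that option; once the AC_ARG_WITH(rsh, ...) block is gone from configure.ac, configure does not reject an unrecognised --with option, so such a build silently loses the old behaviour. Add a change-log or release-note line stating that --with-rsh has been removed (next to the FallBackToRsh/UseRsh deprecation would be the natural place).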
From: smueller at atsec.com (Stephan Mueller) Date: Mon, 24 Jun 2002 07:56:05 +0200 Subject: Expired PAM accounts Message-ID: <200206240756.05807.smueller@atsec.com>

Hi there,

is there any reason why the code for supporting expired PAM accounts in auth-pam.c:do_pam_account is commented out? I.e. it is not possible to log in to an expired account. When you enable this, the login procedure asks for a new password - all of this seems to work fine.

This was enabled in version 3.1 or so, but now?

Thanks
Stephan

-- Stephan Müller Stephan.Mueller at atsec.com Whenever you eliminate the impossible, whatever remains, however improbable, must be the truth.

From steve at steveredlich.com Mon Jun 24 16:21:38 2002
From: steve at steveredlich.com (Steve Redlich) Date: Sun, 23 Jun 2002 23:21:38 -0700 (PDT) Subject: recvmsg gives unexpected type Message-ID:

Hi, I'm getting the following in my server log when I try to connect to openssh-3.3p1 on linux 2.0.36

Jun 23 22:53:49 bart sshd[10702]: Accepted password for steve from 10.0.0.240 port 3867 ssh2
Jun 23 22:53:49 bart sshd[10704]: fatal: mm_receive_fd: expected type 1 got 1074202577

Sorry if this came up already, but the search engine seemed to ignore underscores and all the matches matched receive. Other search matches did not come up with anything recent. A log of ssh -v is located at: http://steveredlich.com/ssh.txt It seemed rather long, so I didn't include it here.

I'd appreciate any suggestions as to what to try, as I don't have a clue about access rights.

Thanks, Steve Redlich

From mouring at etoh.eviladmin.org Mon Jun 24 16:16:25 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 24 Jun 2002 01:16:25 -0500 (CDT) Subject: remove --with-rsh In-Reply-To: <20020624005022.GH2042@jenny.crlsca.adelphia.net> Message-ID: Looks fine to me. I can't see any other places where rsh lives. - Ben On Sun, 23 Jun 2002, Kevin Steves wrote: > is this ok (complete, correct)? > > Index: INSTALL > =================================================================== > RCS file: /var/cvs/openssh/INSTALL,v > retrieving revision 1.53 > diff -u -r1.53 INSTALL > --- INSTALL 13 May 2002 05:22:21 -0000 1.53 > +++ INSTALL 24 Jun 2002 00:50:20 -0000 > @@ -105,11 +105,6 @@ > > There are a few other options to the configure script: > > ---with-rsh=PATH allows you to specify the path to your rsh program. > -Normally ./configure will search the current $PATH for 'rsh'. You > -may need to specify this option if rsh is not in your path or has a > -different name. > - > --with-pam enables PAM support. > > --enable-gnome-askpass will build the GNOME passphrase dialog. You > Index: acconfig.h > =================================================================== > RCS file: /var/cvs/openssh/acconfig.h,v > retrieving revision 1.138 > diff -u -r1.138 acconfig.h > --- acconfig.h 12 Jun 2002 16:57:15 -0000 1.138 > +++ acconfig.h 24 Jun 2002 00:50:20 -0000 > @@ -228,9 +228,6 @@ > /* Define if xauth is found in your path */ > #undef XAUTH_PATH > > -/* Define if rsh is found in your path */ > -#undef RSH_PATH > - > /* Define if you want to allow MD5 passwords */ > #undef HAVE_MD5_PASSWORDS > > Index: configure.ac > =================================================================== > RCS file: /var/cvs/openssh/configure.ac,v > retrieving revision 1.68 > diff -u -r1.68 configure.ac > --- configure.ac 22 Jun 2002 18:51:48 -0000 1.68 > +++ configure.ac 24 Jun 2002 00:50:32 -0000 
> @@ -247,7 +247,6 @@ > CPPFLAGS="$CPPFLAGS -Dftruncate=chsize -I/usr/local/include" > LDFLAGS="$LDFLAGS -L/usr/local/lib" > LIBS="$LIBS -los -lprot -lx -ltinfo -lm" > - rsh_path="/usr/bin/rcmd" > RANLIB=true > no_dev_ptmx=1 > AC_DEFINE(BROKEN_SYS_TERMIO_H) > @@ -264,7 +263,6 @@ > LDFLAGS="$LDFLAGS -L/usr/local/lib" > LIBS="$LIBS -lprot -lx -ltinfo -lm" > no_dev_ptmx=1 > - rsh_path="/usr/bin/rcmd" > AC_DEFINE(USE_PIPES) > AC_DEFINE(HAVE_SECUREWARE) > AC_DEFINE(DISABLE_SHADOW) > @@ -1790,17 +1788,6 @@ > LIBS="$LIBS $KLIBS $K5LIBS" > > # Looking for programs, paths and files > -AC_ARG_WITH(rsh, > - [ --with-rsh=PATH Specify path to remote shell program ], > - [ > - if test "x$withval" != "$no" ; then > - rsh_path=$withval > - fi > - ], > - [ > - AC_PATH_PROG(rsh_path, rsh) > - ] > -) > > PRIVSEP_PATH=/var/empty > AC_ARG_WITH(privsep-path, > @@ -1835,9 +1822,6 @@ > AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path") > XAUTH_PATH=$xauth_path > AC_SUBST(XAUTH_PATH) > -fi > -if test ! -z "$rsh_path" ; then > - AC_DEFINE_UNQUOTED(RSH_PATH, "$rsh_path") > fi > > # Check for mail directory (last resort if we cannot get it from headers) > Index: defines.h > =================================================================== > RCS file: /var/cvs/openssh/defines.h,v > retrieving revision 1.91 > diff -u -r1.91 defines.h > --- defines.h 22 Jun 2002 00:27:00 -0000 1.91 > +++ defines.h 24 Jun 2002 00:50:33 -0000 
> @@ -316,14 +316,6 @@ > # define _PATH_MAILDIR MAILDIR > #endif /* !defined(_PATH_MAILDIR) && defined(MAILDIR) */ > > -#ifndef _PATH_RSH > -# ifdef RSH_PATH > -# define _PATH_RSH RSH_PATH > -# else /* RSH_PATH */ > -# define _PATH_RSH "/usr/bin/rsh" > -# endif /* RSH_PATH */ > -#endif /* _PATH_RSH */ > - > #ifndef _PATH_NOLOGIN > # define _PATH_NOLOGIN "/etc/nologin" > #endif > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From mouring at etoh.eviladmin.org Mon Jun 24 16:15:28 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 24 Jun 2002 01:15:28 -0500 (CDT) Subject: Expired PAM accounts In-Reply-To: <200206240756.05807.smueller@atsec.com> Message-ID: On Mon, 24 Jun 2002, Stephan Mueller wrote: > Hi there, > > is there any reason why the code for supporting expired PAM accounts in > auth-pam.c:do_pam_account is commented out? > > Ie. it is not possible to log in to an expired account. When you enable this, > the login procedure asks for a new password - all of this seems to work fine. > > This was enabled in version 3.1 or so, but now? > There are conflicts in the way PAM works and how PrivSep works. It's on the list of things to fix. - Ben From binder at arago.de Mon Jun 24 18:41:28 2002 From: binder at arago.de (Thomas Binder) Date: Mon, 24 Jun 2002 10:41:28 +0200 Subject: configure problem --- Can't find recent OpenSSL libcrypto In-Reply-To: ; from mouring@etoh.eviladmin.org on Fri, Jun 21, 2002 at 04:27:52PM -0500 References: <583066078.1024680866@[192.168.0.2]> Message-ID: <20020624104128.A2127424@ohm.arago.de> Hi! On Fri, Jun 21, 2002 at 04:27:52PM -0500, Ben Lindstrom wrote: > And 64bit + OpenBSD == utmp issues last I checked and it should > be avoided. Speaking of 64bit: Is scp / sftp able to copy files > 2GB? Ciao Thomas From markus at openbsd.org Mon Jun 24 18:45:51 2002 
From: markus at openbsd.org (Markus Friedl) Date: Mon, 24 Jun 2002 10:45:51 +0200 Subject: configure problem --- Can't find recent OpenSSL libcrypto In-Reply-To: <20020624104128.A2127424@ohm.arago.de> References: <583066078.1024680866@[192.168.0.2]> <20020624104128.A2127424@ohm.arago.de> Message-ID: <20020624084551.GG7896@faui02>

On Mon, Jun 24, 2002 at 10:41:28AM +0200, Thomas Binder wrote:
> Speaking of 64bit: Is scp / sftp able to copy files > 2GB?

yes.

From cybermint at iname.com Mon Jun 24 20:52:07 2002
From: cybermint at iname.com (Jordan Mack) Date: Mon, 24 Jun 2002 03:52:07 -0700 Subject: Build problems Message-ID: <3D169767.1302.EC49E8@localhost>

I'm getting a build error when trying to compile openssh3.3p1 under slackware 8.1 (i386). Clues anyone?

gcc -o ssh ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -lssh -lopenbsd-compat -lz -lcrypto
/usr/local/lib/gcc-lib/i586-pc-linux-gnu/3.1/../../../../i586-pc-linux-gnu/bin/ld: Dwarf Error: Invalid or unhandled FORM value: 14.
/usr/local/lib/gcc-lib/i586-pc-linux-gnu/3.1/../../../libc.a(getopt.o):/tmp/glibc-2.2.5/posix/getopt.c:304: multiple definition of `optind'
/usr/local/lib/gcc-lib/i586-pc-linux-gnu/3.1/../../../../i586-pc-linux-gnu/bin/ld: Dwarf Error: Invalid or unhandled FORM value: 14.
openbsd-compat//libopenbsd-compat.a(getopt.o):/tmp/openssh-3.3p1/openbsd-compat/getopt.c:64: first defined here
/usr/local/lib/gcc-lib/i586-pc-linux-gnu/3.1/../../../libc.a(getopt.o):/tmp/glibc-2.2.5/posix/getopt.c:304: multiple definition of `opterr'
openbsd-compat//libopenbsd-compat.a(getopt.o):/tmp/openssh-3.3p1/openbsd-compat/getopt.c:64: first defined here
collect2: ld returned 1 exit status
make: *** [ssh] Error 1

From astrand at lysator.liu.se Mon Jun 24 22:52:56 2002
From: astrand at lysator.liu.se (Peter Astrand) Date: Mon, 24 Jun 2002 14:52:56 +0200 (CEST) Subject: Password from open filedescriptor In-Reply-To: Message-ID:

This is a third reminder. Will http://bugzilla.mindrot.org/show_bug.cgi?id=69 be accepted? If so, when? This is the bug that has the largest number of votes. It would be nice if you at least consider including the patch.

-- /Peter Åstrand

On Wed, 8 May 2002, Peter Astrand wrote:
> > > > No, it doesn't. It'd be nice if it did (protocol changes required?),
> > > > though I wonder what the UI would look like. It can't very well ask
> > > > for a password from the user after it daemonizes itself; is there some
> > > > standard program it can launch to ask for a password?
> > >
> > > It will ask $SSH_ASKPASS for a password if $DISPLAY is set. Have a look
> > > at http://bugzilla.mindrot.org/show_bug.cgi?id=69 for a patch to make it
> > > do more.
> >
> > Nice. I like it. Will this patch be accepted?
>
> Any updates on this issue? I can rewrite my password-from-open-fd-patch to
> an askpass-program, but it would be nice to know if the SSH_ASKPASS
> generalization above will be accepted, so I don't write code in vain.
>

From mouring at etoh.eviladmin.org Mon Jun 24 23:45:58 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 24 Jun 2002 08:45:58 -0500 (CDT) Subject: Build problems In-Reply-To: <3D169767.1302.EC49E8@localhost> Message-ID:

Don't compile statically.

- Ben

On Mon, 24 Jun 2002, Jordan Mack wrote:
> I'm getting a build error when trying to compile openssh3.3p1 under
> slackware 8.1 (i386). Clues anyone?
>
> gcc -o ssh ssh.o sshconnect.o sshconnect1.o sshconnect2.o
> sshtty.o readconf.o cl
> ientloop.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -lssh -
> lopenbsd-compat -l
> z -lcrypto
> /usr/local/lib/gcc-lib/i586-pc-linux-gnu/3.1/../../../../i586-pc-linux-
> gnu/bin/l
> d: Dwarf Error: Invalid or unhandled FORM value: 14.
> /usr/local/lib/gcc-lib/i586-pc-linux-
> gnu/3.1/../../../libc.a(getopt.o):/tmp/glib
> c-2.2.5/posix/getopt.c:304: multiple definition of `optind'
> /usr/local/lib/gcc-lib/i586-pc-linux-gnu/3.1/../../../../i586-pc-linux-
> gnu/bin/l
> d: Dwarf Error: Invalid or unhandled FORM value: 14.
> openbsd-compat//libopenbsd-compat.a(getopt.o):/tmp/openssh-
> 3.3p1/openbsd-compat/
> getopt.c:64: first defined here
> /usr/local/lib/gcc-lib/i586-pc-linux-
> gnu/3.1/../../../libc.a(getopt.o):/tmp/glib
> c-2.2.5/posix/getopt.c:304: multiple definition of `opterr'
> openbsd-compat//libopenbsd-compat.a(getopt.o):/tmp/openssh-
> 3.3p1/openbsd-compat/
> getopt.c:64: first defined here
> collect2: ld returned 1 exit status
> make: *** [ssh] Error 1
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From joshua.johnson at ftlsys.com Tue Jun 25 01:41:16 2002
From: joshua.johnson at ftlsys.com (Joshua Johnson) Date: Mon, 24 Jun 2002 10:41:16 -0500 Subject: Require multiple methods of authentication.. status... Message-ID: <7820000.1024933276@sinbad.ftlsystems.com>

All,

Forgive me if this has been covered. I didn't find what I was looking for in the man pages or on the list archives.

What is the status of being able to require a user to perform multiple methods of authentication? I.E. BOTH kerberos and pubkey -or- BOTH kerb V and smartcard -etc. etc. etc.- I saw an entry on the archive from Markus and Tom in April 2001 that said there may be a patch to do this, but I can't seem to locate a directive to set this up.

Can anyone give me a pointer/patch?

Sincere Thanks,
Joshua Johnson

From tusker at tusker.org Tue Jun 25 02:11:43 2002
From: tusker at tusker.org (Damien Mascord) Date: Tue, 25 Jun 2002 00:11:43 +0800 Subject: OpenSSH 3.3 released [be careful of not having sshd user or /var/empty] In-Reply-To: <20020621195058.GA29426@folly> Message-ID: <5.1.1.5.2.20020625000607.030372d0@fallen.tusker.net>

Heya,

Probably something to note in the release notes for 3.3:

1) A user sshd needs to exist before you do a /etc/init.d/sshd restart, ssh will not restart
2) A directory /var/empty needs to exist before you restart sshd, otherwise sshd will not restart.

Probably even a good idea to put it in the make install section, something like

echo **********************************************************
echo * WARNING, sshd user does not exist *
echo * WARNING, /var/empty directory does not exist *
echo * sshd will not restart *
echo *********************************************************

Just an idea :)

Glad I enabled telnet temporarily to restart sshd this time :)

Damien

At 09:50 PM 21/06/2002 +0200, you wrote:
>OpenSSH 3.3 has just been released. It will be available from the
>mirrors listed at http://www.openssh.com/ shortly.
>
>OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
>implementation and includes sftp client and server support.
>
>We would like to thank the OpenSSH community for their continued
>support and encouragement.
>
>
>Changes since OpenSSH 3.2.3:
>============================
>
>Security Changes:
>=================
>
>- improved support for privilege separation:
>
> privilege separation is now enabled by default
>
> See UsePrivilegeSeparation in sshd_config(5)
> and http://www.citi.umich.edu/u/provos/ssh/privsep.html for more
> information.
>- ssh no longer needs to be installed setuid root for protocol
> version 2 hostbased authentication, see ssh-keysign(8).
> protocol version 1 rhosts-rsa authentication still requires privileges
> and is not recommended.
> >Other Changes: >============== > >- documentation for the client and server configuration options have > been moved to ssh_config(5) and sshd_config(5). >- the server now supports the Compression option, see sshd_config(5). >- the client options RhostsRSAAuthentication and RhostsAuthentication now > default to no, see ssh_config(5). >- the client options FallBackToRsh and UseRsh are deprecated. >- ssh-agent now supports locking and timeouts for keys, see ssh-add(1). >- ssh-agent can now bind to unix-domain sockets given on the command line, > see ssh-agent(1). >- fixes problems with valid RSA signatures from putty clients. > >Reporting Bugs: >=============== > >- please read http://www.openssh.com/report.html > and http://bugzilla.mindrot.org/ > >OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, >Kevin Steves, Damien Miller and Ben Lindstrom. >_______________________________________________ >openssh-unix-dev at mindrot.org mailing list >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From markus at openbsd.org Tue Jun 25 02:15:27 2002 From: markus at openbsd.org (Markus Friedl) Date: Mon, 24 Jun 2002 18:15:27 +0200 Subject: OpenSSH 3.3 released [be careful of not having sshd user or /var/empty] In-Reply-To: <5.1.1.5.2.20020625000607.030372d0@fallen.tusker.net> References: <20020621195058.GA29426@folly> <5.1.1.5.2.20020625000607.030372d0@fallen.tusker.net> Message-ID: <20020624161526.GA24956@faui02> if you try sshd -t sshd will check your current configuration and complain. From kaukasoi at elektroni.ee.tut.fi Tue Jun 25 02:48:34 2002 
From: kaukasoi at elektroni.ee.tut.fi (Petri Kaukasoina) Date: Mon, 24 Jun 2002 19:48:34 +0300 Subject: Build problems In-Reply-To: <3D169767.1302.EC49E8@localhost> References: <3D169767.1302.EC49E8@localhost> Message-ID: <20020624164834.GB773@elektroni.ee.tut.fi> On Mon, Jun 24, 2002 at 03:52:07AM -0700, Jordan Mack wrote: > I'm getting a build error when trying to compile openssh3.3p1 under > slackware 8.1 (i386). Clues anyone? > > /usr/local/lib/gcc-lib/i586-pc-linux-gnu/3.1/../../../../i586-pc-linux- > gnu/bin/l > d: Dwarf Error: Invalid or unhandled FORM value: 14. > /usr/local/lib/gcc-lib/i586-pc-linux- > gnu/3.1/../../../libc.a(getopt.o):/tmp/glib > c-2.2.5/posix/getopt.c:304: multiple definition of `optind' > /usr/local/lib/gcc-lib/i586-pc-linux-gnu/3.1/../../../../i586-pc-linux- > gnu/bin/l Maybe you have a broken gcc installation and/or a broken libc installation under /usr/local ? The paths above are not the ones that Slackware uses. From kevin at atomicgears.com Tue Jun 25 02:52:28 2002 
From: kevin at atomicgears.com (Kevin Steves) Date: Mon, 24 Jun 2002 09:52:28 -0700 Subject: README.privsep Message-ID: <20020624165228.GB1890@jenny.crlsca.adelphia.net>

Hi,

This is included in the release now; any feedback?

Privilege separation, or privsep, is a method in OpenSSH by which operations that require root privilege are performed by a separate privileged monitor process. Its purpose is to prevent privilege escalation by containing corruption to an unprivileged process. More information is available at: http://www.citi.umich.edu/u/provos/ssh/privsep.html

Privilege separation is now enabled by default; see the UsePrivilegeSeparation option in sshd_config(5).

On systems which lack mmap or anonymous (MAP_ANON) memory mapping, compression must be disabled in order for privilege separation to function.

When privsep is enabled, during the pre-authentication phase sshd will chroot(2) to "/var/empty" and change its privileges to the "sshd" user and its primary group. You should do something like the following to prepare the privsep preauth environment:

# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
# useradd -g sshd -c 'sshd privsep' -d /var/empty sshd

If you are on UnixWare 7 or OpenUNIX 8 do this additional step.
# ln /usr/lib/.ns.so /usr/lib/ns.so.1

/var/empty should not contain any files.

configure supports the following options to change the default privsep user and chroot directory:

--with-privsep-path=xxx Path for privilege separation chroot
--with-privsep-user=user Specify non-privileged user for privilege separation

Privsep requires operating system support for file descriptor passing and mmap(MAP_ANON).

PAM-enabled OpenSSH is known to function with privsep on Linux. It does not function on HP-UX with a trusted system configuration. PAMAuthenticationViaKbdInt does not function with privsep.

Note that for a normal interactive login with a shell, enabling privsep will require 1 additional process per login session.
Given the following process listing (from HP-UX):

UID     PID   PPID  C    STIME TTY    TIME COMMAND
root    1005     1  0 10:45:17 ?      0:08 /opt/openssh/sbin/sshd -u0
root    6917  1005  0 15:19:16 ?      0:00 sshd: stevesk [priv]
stevesk 6919  6917  0 15:19:17 ?      0:03 sshd: stevesk at 2
stevesk 6921  6919  0 15:19:17 pts/2  0:00 -bash

process 1005 is the sshd process listening for new connections. process 6917 is the privileged monitor process, 6919 is the user owned sshd process and 6921 is the shell process.

$Id: README.privsep,v 1.8 2002/06/24 16:49:22 stevesk Exp $

From bugzilla-daemon at mindrot.org Tue Jun 25 03:16:49 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 25 Jun 2002 03:16:49 +1000 (EST) Subject: [Bug 285] 3.3p1 on Linux 2.2.x doesn't accept connections Message-ID: <20020624171649.B275AE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=285

------- Additional Comments From greg17 at jewell.net 2002-06-25 03:16 -------
OpenServer 5.0.x also rejects incoming connections. The user will be prompted for their password, but the connection will close immediately after. The fixes suggested (setting "UsePrivilegeSeparation" and/or "Compression" to "no") resolve the inability to connect, though.

------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

From tim at multitalents.net Tue Jun 25 03:32:42 2002
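As an added example (not part of any message in this thread and not OpenSSH's own code), here is a POSIX sh check for the privsep pre-auth environment that README.privsep describes: it flags a missing or non-root-owned chroot directory, group/world write bits, stray files in it, and a missing privsep user, and returns the number of problems so an init script or a "make install" step can print the kind of warning Damien Mascord suggested before sshd refuses to start. The directory and user default to the README's /var/empty and sshd; the script assumes `ls -ldn` and `id -u` are available, which is why it avoids stat(1), whose flags differ between GNU and BSD.

```shell
#!/bin/sh
# check_privsep_env: verify the sshd privilege-separation chroot and user
# described in README.privsep. Added example, not OpenSSH's own code.
#
# usage: check_privsep_env [DIR] [USER]   (defaults: /var/empty, sshd)
# Prints one WARNING line per problem and returns the number of problems,
# so "check_privsep_env || echo 'sshd will not restart'" works in a script.
check_privsep_env() {
    dir=${1:-/var/empty}
    user=${2:-sshd}
    problems=0

    if [ ! -d "$dir" ]; then
        echo "WARNING: privsep chroot directory $dir does not exist"
        problems=$((problems + 1))
    else
        # ls -ldn prints the mode string in field 1 and the numeric owner
        # uid in field 3; -n is POSIX, unlike the GNU/BSD-specific stat flags.
        set -- $(ls -ldn "$dir")
        mode=$1
        owner_uid=$3

        # The README installs it with "chown root:sys"; a non-root owner
        # could alter the directory the chrooted pre-auth sshd runs in.
        if [ "$owner_uid" != 0 ]; then
            echo "WARNING: $dir is owned by uid $owner_uid, not root"
            problems=$((problems + 1))
        fi

        # Mode string is d/rwx/rwx/rwx: char 6 is group write, char 9 is
        # world write. Either bit lets the unprivileged process create files.
        case $mode in
            ?????w*|????????w*)
                echo "WARNING: $dir is group or world writable ($mode)"
                problems=$((problems + 1)) ;;
        esac

        # README.privsep: "/var/empty should not contain any files."
        if [ -n "$(ls -A "$dir")" ]; then
            echo "WARNING: $dir is not empty"
            problems=$((problems + 1))
        fi
    fi

    # The unprivileged user must exist before sshd is (re)started.
    if ! id -u "$user" >/dev/null 2>&1; then
        echo "WARNING: privsep user $user does not exist"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Run as "sh check-privsep.sh DIR USER" to check and exit with the problem
# count; with no arguments the file only defines the function.
if [ $# -gt 0 ]; then
    check_privsep_env "$@"
    exit $?
fi
```

A zero exit status means the directory and user satisfy every requirement listed in README.privsep, which is the state in which `sshd -t` (Markus Friedl's suggestion) should also pass for the privsep part of the configuration.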
From: tim at multitalents.net (Tim Rice) Date: Mon, 24 Jun 2002 10:32:42 -0700 (PDT) Subject: Testing call. In-Reply-To: <20020623012427.GA2944@jenny.crlsca.adelphia.net> Message-ID:

On Sat, 22 Jun 2002, Kevin Steves wrote:
> On Sat, Jun 22, 2002 at 05:00:13PM -0700, Tim Rice wrote:
> > On Sat, 22 Jun 2002, Peter Stuge wrote:
> > > On an old libc5 Linux system of mine, privsep doesn't work. Kernel 2.4.18.
> > > 3.3p1 client on more modern Linux system (where privsep'd sshd works fine)
> > >
> > [snip]
> > > debug3: mm_request_receive entering
> > > debug3: privsep user:group 53:53
> > > initgroups: No such file or directory
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > Apply the attached patch. It's part of a privsep patch I was working
> > on that hasn't made it in yet.
>
> what is the file its referring to?
> what happens if there's an empty etc/group in /var/empty?

On UnixWare 2.x, if there's an empty etc/group in /var/empty, it works.

-- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net

From Tony.T.Doan at irs.gov Tue Jun 25 03:48:58 2002
From: Tony.T.Doan at irs.gov (Doan Tony T) Date: Mon, 24 Jun 2002 12:48:58 -0500 Subject: ibm ptx/dynix 4.5.1 Message-ID:

Do you know if OpenSSH is supported for the OS ibm ptx/dynix 4.51 version?

Thank you

============================================
Tony T. Doan SOI Devep. & Maint. Section 1160 W 1200 S Ogden, UT 84201 M/S 6380 tony.t.doan at irs.gov 801-620-7679 phone 801-620-7614 fax

-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020624/ff3ca98b/attachment.html

From mouring at etoh.eviladmin.org Tue Jun 25 03:50:35 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 24 Jun 2002 12:50:35 -0500 (CDT) Subject: Build problems In-Reply-To: <20020624164834.GB773@elektroni.ee.tut.fi> Message-ID:

On Mon, 24 Jun 2002, Petri Kaukasoina wrote:
> On Mon, Jun 24, 2002 at 03:52:07AM -0700, Jordan Mack wrote:
> > I'm getting a build error when trying to compile openssh3.3p1 under
> > slackware 8.1 (i386). Clues anyone?
> >
> > /usr/local/lib/gcc-lib/i586-pc-linux-gnu/3.1/../../../../i586-pc-linux-
> > gnu/bin/l
> > d: Dwarf Error: Invalid or unhandled FORM value: 14.
> > /usr/local/lib/gcc-lib/i586-pc-linux-
> > gnu/3.1/../../../libc.a(getopt.o):/tmp/glib
> > c-2.2.5/posix/getopt.c:304: multiple definition of `optind'
> > /usr/local/lib/gcc-lib/i586-pc-linux-gnu/3.1/../../../../i586-pc-linux-
> > gnu/bin/l
>
> Maybe you have a broken gcc installation and/or a broken libc installation
> under /usr/local ? The paths above are not the ones that Slackware uses.

The issue is that GNU libc lacks the optreset feature, and if you statically compile with our internal version glibc throws a fit. This has been fixed post 3.3. Until then just don't compile static.

- Ben

From mouring at etoh.eviladmin.org Tue Jun 25 03:52:36 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 24 Jun 2002 12:52:36 -0500 (CDT) Subject: README.privsep In-Reply-To: <20020624165228.GB1890@jenny.crlsca.adelphia.net> Message-ID:

Maybe we should state how to change the user and the chroot before the step by step. I can see someone changing the privsep user and whining about things not working.

- Ben

On Mon, 24 Jun 2002, Kevin Steves wrote:
> Hi,
>
> This is included in the release now; any feedback?
>
> Privilege separation, or privsep, is method in OpenSSH by which
> operations that require root privilege are performed by a separate
> privileged monitor process. Its purpose is to prevent privilege
> escalation by containing corruption to an unprivileged process.
> More information is available at:
> http://www.citi.umich.edu/u/provos/ssh/privsep.html
>
> Privilege separation is now enabled by default; see the
> UsePrivilegeSeparation option in sshd_config(5).
>
> On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
> compression must be disabled in order for privilege separation to
> function.
>
> When privsep is enabled, during the pre-authentication phase sshd will
> chroot(2) to "/var/empty" and change its privileges to the "sshd" user
> and its primary group. You should do something like the following to
> prepare the privsep preauth environment:
>
> # mkdir /var/empty
> # chown root:sys /var/empty
> # chmod 755 /var/empty
> # groupadd sshd
> # useradd -g sshd -c 'sshd privsep' -d /var/empty sshd
>
> If you are on UnixWare 7 or OpenUNIX 8 do this additional step.
> # ln /usr/lib/.ns.so /usr/lib/ns.so.1
>
> /var/empty should not contain any files.
> > configure supports the following options to change the default > privsep user and chroot directory: > > --with-privsep-path=xxx Path for privilege separation chroot > --with-privsep-user=user Specify non-privileged user for privilege separation > > Privsep requires operating system support for file descriptor passing > and mmap(MAP_ANON). > > PAM-enabled OpenSSH is known to function with privsep on Linux. > It does not function on HP-UX with a trusted system > configuration. PAMAuthenticationViaKbdInt does not function with > privsep. > > Note that for a normal interactive login with a shell, enabling privsep > will require 1 additional process per login session. > > Given the following process listing (from HP-UX): > > UID PID PPID C STIME TTY TIME COMMAND > root 1005 1 0 10:45:17 ? 0:08 /opt/openssh/sbin/sshd -u0 > root 6917 1005 0 15:19:16 ? 0:00 sshd: stevesk [priv] > stevesk 6919 6917 0 15:19:17 ? 0:03 sshd: stevesk at 2 > stevesk 6921 6919 0 15:19:17 pts/2 0:00 -bash > > process 1005 is the sshd process listening for new connections. > process 6917 is the privileged monitor process, 6919 is the user owned > sshd process and 6921 is the shell process. > > $Id: README.privsep,v 1.8 2002/06/24 16:49:22 stevesk Exp $ > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From carson at taltos.org Tue Jun 25 04:19:19 2002 
From: carson at taltos.org (Carson Gaspar)
Date: Mon, 24 Jun 2002 14:19:19 -0400
Subject: Require multiple methods of authentication.. status...
In-Reply-To: <7820000.1024933276@sinbad.ftlsystems.com>
References: <7820000.1024933276@sinbad.ftlsystems.com>
Message-ID: <345447677.1024928359@[172.25.113.221]>

--On Monday, June 24, 2002 10:41 AM -0500 Joshua Johnson wrote:

> What is the status of being able to require a user to perform multiple
> methods of authentication.

I developed a patch a while ago to do this. It was rejected, because the
functionality it provided included specifying the order of the
authentication methods, and was deemed "too complicated". I was told that
a patch that was order insensitive, and could therefore be reduced to a
bitfield, would be acceptable. But that was not enough for my requirement
(force pubkey before password), so I never did it.

Recently, someone has taken my old patch and ported it to a recent
release. See the list archives for details. I haven't looked at it at
all, so caveat emptor.

There is also a patch that integrates the keynote policy language. I
haven't looked at it, as I changed employers and no longer require any of
this (and my free time has been reduced ;-).

-- 
Carson

From packard at mail2.jpl.nasa.gov Tue Jun 25 06:36:57 2002
From: packard at mail2.jpl.nasa.gov (Scott Packard)
Date: Mon, 24 Jun 2002 13:36:57 -0700 (PDT)
Subject: sshd 3.1 dumps core when client connects -- Solaris 9 gcc 3.1
Message-ID:

Team -

I'm running Solaris 9 and gcc 3.1 on a Blade 1000, named jefferson. I
built OpenSSH_3.3. I can use the client to connect out, but cannot use
the client to connect to localhost (nor can I use a Linux box with
OpenSSH_3.2.3 to connect to it). I *can* use F-Secure 3.0.0 on a Windoze
box to get into it. I've tried configurations both with and without
privsep enabled but get the same results.

This is the trace when connecting using the OpenSSH client:

jefferson# /usr/local/sbin/sshd -d -d -d
debug1: sshd version OpenSSH_3.3
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 33372
debug1: Client protocol version 2.0; client software version OpenSSH_3.3
debug1: match: OpenSSH_3.3 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.3
debug3: privsep user:group 60003:50006
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug2: Network child is on pid 27403
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 2048 8192
debug1: Calling cleanup 0x4ab78(0x0)
Segmentation Fault(coredump)

** End trace using OpenSSH client **

Here is a trace when connecting with F-Secure SSH 3.0.0:

jefferson# /usr/local/sbin/sshd -d -d -d
debug1: sshd version OpenSSH_3.3
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 137.79.12.130 port 1100
debug1: Client protocol version 1.99; client software version 3.0.0 SSH Secure Shell for Windows
debug1: match: 3.0.0 SSH Secure Shell for Windows pat 3.0.*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.3
debug2: Network child is on pid 27409
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 60003:50006
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,x509v3-sign-dss,x509v3-sign-rsa
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,twofish-cbc,arcfour
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,twofish-cbc,arcfour
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: dh_gen_key: priv key bits set: 141/256
debug1: bits set: 501/1024
debug1: expecting SSH2_MSG_KEXDH_INIT
debug1: bits set: 513/1024
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 116990(143)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user sproot service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for sproot
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 37
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: mm_auth2_read_banner entering
debug3: mm_request_send entering: type 8
debug3: mm_request_receive_expect entering: type 9
debug3: mm_request_receive entering
debug3: monitor_read: checking request 37
debug1: Starting up PAM with username "sproot"
debug3: Trying to reverse map address 137.79.12.130.
debug1: PAM setting rhost to "cism-backup.jpl.nasa.gov"
debug2: monitor_read: 37 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 8
debug3: mm_request_send entering: type 9
debug2: monitor_read: 8 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth_banner: sent
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug1: PAM Password authentication for "sproot" failed[9]: Authentication failed
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for sproot from 137.79.12.130 port 1100 ssh2
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
Failed none for sproot from 137.79.12.130 port 1100 ssh2
debug1: userauth-request for user sproot service ssh-connection method password
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering

... and on it goes, eventually succeeding.

** End trace using F-Secure SSH 3.0.0 on Windows box. **

From mouring at etoh.eviladmin.org Tue Jun 25 06:32:30 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 24 Jun 2002 15:32:30 -0500 (CDT)
Subject: IRIX on OpenSSH 3.3
Message-ID:

Can I get someone running IRIX to tell me if this

http://bugzilla.mindrot.org/show_bug.cgi?id=151
http://bugzilla.mindrot.org/show_bug.cgi?id=280
or
http://bugzilla.mindrot.org/show_bug.cgi?id=281

are still valid. And if PrivSep works on it? If not, an sshd -d -d -d of
the server side?

- Ben

From bugzilla-daemon at mindrot.org Tue Jun 25 06:45:03 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 25 Jun 2002 06:45:03 +1000 (EST)
Subject: [Bug 266] Trailing comma in enum for 3.2.3p1
Message-ID: <20020624204503.CB30AE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=266

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From mouring at eviladmin.org  2002-06-25 06:44 -------
This was committed to portable. If still issues, reopen

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From markus at openbsd.org Tue Jun 25 07:06:31 2002
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 24 Jun 2002 23:06:31 +0200
Subject: Upcoming OpenSSH vulnerability
In-Reply-To: <200206242100.g5OL0BLL019128@cvs.openbsd.org>
References: <200206242100.g5OL0BLL019128@cvs.openbsd.org>
Message-ID: <20020624210631.GF24956@faui02>

On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote:
> Date: Mon, 24 Jun 2002 15:00:10 -0600
> From: Theo de Raadt
> Subject: Upcoming OpenSSH vulnerability
> To: bugtraq at securityfocus.com
> Cc: announce at openbsd.org
> Cc: dsi at iss.net
> Cc: misc at openbsd.org
>
> There is an upcoming OpenSSH vulnerability that we're working on with
> ISS. Details will be published early next week.
>
> However, I can say that when OpenSSH's sshd(8) is running with priv
> separation, the bug cannot be exploited.
>
> OpenSSH 3.3p was released a few days ago, with various improvements
> but in particular, it significantly improves the Linux and Solaris
> support for priv sep. However, it is not yet perfect. Compression is
> disabled on some systems, and the many varieties of PAM are causing
> major headaches.
>
> However, everyone should update to OpenSSH 3.3 immediately, and enable
> priv separation in their ssh daemons, by setting this in your
> /etc/ssh/sshd_config file:
>
> UsePrivilegeSeparation yes
>
> Depending on what your system is, privsep may break some ssh
> functionality. However, with privsep turned on, you are immune from
> at least one remote hole. Understand?
>
> 3.3 does not contain a fix for this upcoming bug.
>
> If priv separation does not work on your operating system, you need to
> work with your vendor so that we get patches to make it work on your
> system. Our developers are swamped enough without trying to support
> the myriad of PAM and other issues which exist in various systems.
> You must call on your vendors to help us.
>
> Basically, OpenSSH sshd(8) is something like 27000 lines of code. A
> lot of that runs as root. But when UsePrivilegeSeparation is enabled,
> the daemon splits into two parts. A part containing about 2500 lines
> of code remains as root, and the rest of the code is shoved into a
> chroot-jail without any privs. This makes the daemon less vulnerable
> to attack.
>
> We've been trying to warn vendors about 3.3 and the need for privsep,
> but they really have not heeded our call for assistance.
> They have basically ignored us. Some, like Alan Cox, even went further
> stating that privsep was not being worked on because "Nobody provided
> any info which proves the problem, and many people dont trust you theo"
> and suggested I "might be feeding everyone a trojan" (I think I'll
> publish that letter -- it is just so funny). HP's representative was
> downright rude, but that is OK because Compaq is retiring him. Except
> for Solar Designer, I think none of them has helped the OpenSSH
> portable developers make privsep work better on their systems.
> Apparently Solar Designer is the only person who understands the need
> for this stuff.
>
> So, if vendors would JUMP and get it working better, and send us
> patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday
> which supports these systems better. So send patches by Thursday
> night please. Then on Tuesday or Wednesday the complete bug report
> with patches (and exploits soon after I am sure) will hit BUGTRAQ.
>
> Let me repeat: even if the bug exists in a privsep'd sshd, it is not
> exploitable. Clearly we cannot yet publish what the bug is, or
> provide anyone with the real patch, but we can try to get maximum
> deployment of privsep, and therefore make it hurt less when the
> problem is published.
>
> So please push your vendor to get us maximally working privsep patches
> as soon as possible!
>
> We've given most vendors since Friday last week until Thursday to get
> privsep working well for you so that when the announcement comes out
> next week their customers are immunized. That is nearly a full week
> (but they have already wasted a weekend and a Monday). Really I think
> this is the best we can hope to do (this thing will eventually leak,
> at which point the details will be published).
>
> Customers can judge their vendors by how they respond to this issue.
>
> OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away.
> On OpenBSD privsep works flawlessly, and I have reports that is also
> true on NetBSD. All other systems appear to have minor or major
> weaknesses when this code is running.
>
> (securityfocus postmaster; please post this through immediately, since
> i have bcc'd over 30 other places..)

From jnerad at cimedia.com Tue Jun 25 07:10:24 2002
From: jnerad at cimedia.com (Jack Nerad)
Date: Mon, 24 Jun 2002 17:10:24 -0400
Subject: pointer warnings
Message-ID: <02062417102405.11057@silver.cimedia.com>

I'm trying to resolve a problem I'm getting from a Redhat 6.2
distribution. When I compile OpenSSH 3.3p1 with OpenSSL 0.9.6d, gcc 2.95,
glibc-2.1.3-22, I get problems with

In file included from /usr/include/string.h:346,
                 from includes.h:30,
                 from ssh-keyscan.c:9:
/usr/include/bits/string2.h: In function `__strcpy_small':

and then a whole series of lines that look like:

ssh-keyscan.c:790: warning: pointer of type `void *' used in arithmetic

The error does not only occur in ssh-keyscan.c, but when every file is
compiled. Is it safe to ignore this, or do I need to resolve it somehow?

-- 
Jack Nerad

From mouring at etoh.eviladmin.org Tue Jun 25 07:34:53 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 24 Jun 2002 16:34:53 -0500 (CDT)
Subject: Privsep and AIX..
In-Reply-To: <3D13FCD0.92228D6D@zip.com.au>
Message-ID:

I sent the first one privately to Darren, but I think everyone with AIX
(and those WORKING for IBM) should comment on this...

First off I noticed LOGIN= is stated as it should be set, but is not. Not
an issue for Privsep... but either the manpage needs to be clarified, or
we should add it.

Second, what happens if TTY is always set to null? Reason being is
privsep occurs long before Session *s; even has a hint of knowing the
current TTY from the looks of it. And by then we are too late.

Can someone from IBM tell me what ramifications setting TTY=null for
userinfo(SETUINFO,..) has if the process has a tty? If there is none
worth speaking of we can easily fix privsep for that platform and have
yet another working platform.

PLEASE.. *ASAP* .=) Clock is ticking.

- Ben

From mouring at etoh.eviladmin.org Tue Jun 25 07:42:29 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 24 Jun 2002 16:42:29 -0500 (CDT)
Subject: OpenSSH 3.3 released
In-Reply-To: <20020622133309.GW15772@citi.citi.umich.edu>
Message-ID:

On Sat, 22 Jun 2002, Niels Provos wrote:

> On Fri, Jun 21, 2002 at 11:17:50PM -0500, Chris Adams wrote:
> > I'm (finally!) looking at privsep and Tru64 Unix (with HAVE_OSF_SIA
> > enabled), and I'm not sure I can see how it will work. The problem is
> > in auth-sia.c session_setup_sia().
> You can delay that call until the very beginning of privilege
> separation in the post-authentication phase.
>
> > The sia_ses_estab() call has to run as root because in enhanced security
> [...]
> > The sia_ses_launch() call has to run as root as well because it
> > generates audit records and has to run in the child because it sets the
> > effective user and group IDs.
> Same for these.
> You face the same issue that AIX does.

1. we need to get session_setup_sia() into do_setusercontext().

2. Need to preallocate a tty since TTY allocation does not normally
happen until WAY after privsep takes effect.

I think we could kill two birds with one stone if you look at how we can
semi-cleanly handle pre-allocation of a TTY while we still have root.

- Ben

From gert at greenie.muc.de Tue Jun 25 07:56:16 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 24 Jun 2002 23:56:16 +0200
Subject: Privsep and AIX..
In-Reply-To: ; from mouring@etoh.eviladmin.org on Mon, Jun 24, 2002 at 04:34:53PM -0500
References: <3D13FCD0.92228D6D@zip.com.au>
Message-ID: <20020624235615.C18668@greenie.muc.de>

Hi,

On Mon, Jun 24, 2002 at 04:34:53PM -0500, Ben Lindstrom wrote:
> I sent the first one privately to Darren, but I think everyone with AIX
> (and those WORKING for IBM) should comment on this...
>
> First off I noticed LOGIN= is stated as it should be set, but is not. Not
> an issue for Privsep... but either the manpage needs to be clarified, or
> we should add it.

For my initial usrinfo hack, I just looked at what AIX rlogind is
setting, and it does not set LOGIN= - just LOGNAME, NAME, TTY. So that's
what my patch did.

> Second, what happens if TTY is always set to null? Reason being is
> privsep occurs long before Session *s; even has a hint of knowing the
> current TTY from the looks of it. And by then we are too late.
>
> Can someone from IBM tell me what ramification setting TTY=null for
> userinfo(SETUINFO,..) if the process has a tty?

I'm not sure about that. "Our" legacy application that uses usrinfo
looks only at NAME=, and doesn't care about TTY. I have no idea what
other applications might make use of this.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                  //www.muc.de/~gert/
Gert Doering - Munich, Germany                    gert at greenie.muc.de
fax: +49-89-35655025                  gert.doering at physik.tu-muenchen.de

From dpsims at virtualdave.com Tue Jun 25 08:01:20 2002
From: dpsims at virtualdave.com (David Sims)
Date: Mon, 24 Jun 2002 17:01:20 -0500 (CDT)
Subject: Permissions problem of some sort???
Message-ID:

Hi,

Can anyone give me a clue? I have two identical Slackware 7.1 systems and
have installed openssh-3.2.3p1 on both systems.... One system is fine...
everything is working without problem.... on the other system everything
works only when you are logged in as root...

Here's what you get when logged in as a normal user:

dpsims at linux:~$ ssh -vvv localhost
OpenSSH_3.2.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 500 geteuid 0 anon 1
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: temporarily_use_uid: 500/100 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 500/100 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/dpsims/.ssh/identity type -1
debug1: identity file /home/dpsims/.ssh/id_rsa type -1
debug1: identity file /home/dpsims/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.2.3p1
debug1: match: OpenSSH_3.2.3p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.2.3p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 138/256
debug1: bits set: 1559/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/dpsims/.ssh/known_hosts
debug3: check_host_in_hostfile: filename /usr/local/etc/ssh_known_hosts
Host key verification failed.
debug1: Calling cleanup 0x8061854(0x0)

Here's an ls -al of the .ssh directory in the user directory:

dpsims at linux:~/.ssh$ ls -al
total 8
drwx------   2 dpsims   users        4096 Jun 24 16:07 ./
drwx--x--x   5 dpsims   users        4096 Jun 24 16:12 ../
dpsims at linux:~/.ssh$

I see that there is no known_hosts file in this subdirectory, but why
doesn't ssh create one?? I'm stumped. Any clues would be very welcome.

Regards,
Dave Sims
dpsims at virtualdave.com

From axm135 at po.cwru.edu Tue Jun 25 08:05:42 2002
From: axm135 at po.cwru.edu (axm135 at po.cwru.edu)
Date: Mon, 24 Jun 2002 15:05:42 -0700
Subject: OpenSSH 3.3 & privilege separation?
Message-ID: <20020624150542.I19281@chopin.gmi.com>

Wondering --- I know theo sent out a message asking vendors to get off
their butts to get privilege separation working, so what I'm wondering is
whether this is happening/working/etc with Solaris? (specifically 8)...I
know this is a portability question, since Sun doesn't support SSH on
solaris 8.

not on the list, so please CC me. thanks.

adam

From bugzilla-daemon at mindrot.org Tue Jun 25 08:11:33 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 25 Jun 2002 08:11:33 +1000 (EST)
Subject: [Bug 288] New: UsePrivilegeSeparation fails on Redhat Linux 6.2, kernel 2.2.19
Message-ID: <20020624221133.E62AFE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=288

           Summary: UsePrivilegeSeparation fails on Redhat Linux 6.2, kernel 2.2.19
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P1
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: vjo at dulug.duke.edu

Having UsePrivilegeSeparation on RedHat Linux 6.2 with kernel 2.2.19
results in the following mmap error messages on each attempt to connect.

Jun 24 18:03:23 critterling sshd[31813]: Server listening on 0.0.0.0 port 22.
Jun 24 18:03:46 critterling sshd[31817]: fatal: mmap(65536): Invalid argument
Jun 24 18:03:53 critterling sshd[31834]: fatal: mmap(65536): Invalid argument

Running without privilege separation works fine.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From packard at mail2.jpl.nasa.gov Tue Jun 25 09:08:33 2002
From: packard at mail2.jpl.nasa.gov (Scott Packard)
Date: Mon, 24 Jun 2002 16:08:33 -0700 (PDT)
Subject: sshd 3.1 dumps core -- I meant sshd 3.3!!!
In-Reply-To:
Message-ID:

Sorry! I meant sshd 3.3 with gcc 3.1!

Regards,
Scott

From johnh at aproposretail.com Tue Jun 25 09:20:49 2002
From: johnh at aproposretail.com (John Hardin)
Date: 24 Jun 2002 16:20:49 -0700
Subject: 3.3p1 on Immunix (RH) 6.2
Message-ID: <1024960850.17897.192.camel@johnh.apropos.com>

Just compiled the SRPM for 3.3p1 on my Immunix 6.2 box (Redhat 6.2 +
Stackguard compiler), fired up the server, and tried to connect to it.
No joy.

In the spec file I changed the following options:

# Is this build for RHL 6.x?
%define build6x 1

# Disable IPv6 (avoids DNS hangs on some glibc versions)
%define noip6 1

This appears in the system log:

Jun 24 16:11:51 johnh sshd[27774]: fatal: mmap(65536): Invalid argument

...isn't this supposed to work on RH6.2? Where should I look to fix
this?

Thx.

-- 
John Hardin
Internal Systems Administrator                      voice: (425) 672-1304
Apropos Retail Management Systems, Inc.               fax: (425) 672-0192
-----------------------------------------------------------------------
Any time that PR dominates the information stream, you can't trust
the information.
                                       - CRYPTO-GRAM 01/2002
-----------------------------------------------------------------------
6 days until First Class postage goes up to 37 cents

From bugzilla-daemon at mindrot.org Tue Jun 25 09:21:08 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 25 Jun 2002 09:21:08 +1000 (EST)
Subject: [Bug 288] UsePrivilegeSeparation fails on Redhat Linux 6.2, kernel 2.2.19
Message-ID: <20020624232108.C6060E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=288

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

------- Additional Comments From mouring at eviladmin.org  2002-06-25 09:21 -------
*** This bug has been marked as a duplicate of 285 ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Jun 25 09:21:16 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 25 Jun 2002 09:21:16 +1000 (EST)
Subject: [Bug 285] 3.3p1 on Linux 2.2.x doesn't accept connections
Message-ID: <20020624232116.00F3EE902@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=285

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vjo at dulug.duke.edu

------- Additional Comments From mouring at eviladmin.org  2002-06-25 09:21 -------
*** Bug 288 has been marked as a duplicate of this bug. ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From jmknoble at pobox.com Tue Jun 25 09:25:24 2002
From: jmknoble at pobox.com (Jim Knoble)
Date: Mon, 24 Jun 2002 19:25:24 -0400
Subject: README.privsep
In-Reply-To: <20020624165228.GB1890@jenny.crlsca.adelphia.net>; from kevin@atomicgears.com on Mon, Jun 24, 2002 at 09:52:28AM -0700
References: <20020624165228.GB1890@jenny.crlsca.adelphia.net>
Message-ID: <20020624192524.D20075@zax.half.pint-stowp.cx>

Circa 2002-Jun-24 09:52:28 -0700 dixit Kevin Steves:

: This is included in the release now; any feedback?

[...]

: When privsep is enabled, during the pre-authentication phase sshd will
: chroot(2) to "/var/empty" and change its privileges to the "sshd" user
: and its primary group. You should do something like the following to
: prepare the privsep preauth environment:
:
: # mkdir /var/empty
: # chown root:sys /var/empty

I would rather say here:

  chown 0 /var/empty
  chgrp 0 /var/empty

since several systems differ in which group is GID 0 (root, wheel, sys),
and since a few systems differ in the syntax that chown accepts for
specifying both UID and GID together ('chown uid:gid' versus 'chown
uid.gid'). Recommending the above syntax avoids the problem entirely.

: # chmod 755 /var/empty
: # groupadd sshd
: # useradd -g sshd -c 'sshd privsep' -d /var/empty sshd

I'd also recommend '-s /dev/null' here, e.g.:

  useradd -g sshd -c 'sshd privsep' -d /var/empty \
          -s /dev/null sshd

since '/sbin/nologin' cannot be guaranteed to be present, nor is
'/bin/false' always a binary program (i've seen some cases where it's a
shell script).

[...]

: Privsep requires operating system support for file descriptor passing
: and mmap(MAP_ANON).
:
: PAM-enabled OpenSSH is known to function with privsep on Linux.

Would it be appropriate here to note that setting 'Compression no' in
/etc/sshd_config is necessary on Linux systems with 2.2.x or older
kernels?
-- jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) From mouring at etoh.eviladmin.org Tue Jun 25 09:19:00 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 24 Jun 2002 18:19:00 -0500 (CDT) Subject: 3.3p1 on Immunix (RH) 6.2 In-Reply-To: <1024960850.17897.192.camel@johnh.apropos.com> Message-ID: mkdir /var/empty/etc/ touch /var/empty/etc/group and set 'Compression no' in sshd_config This should be corrected before 3.3.1 - Ben On 24 Jun 2002, John Hardin wrote: > Just compiled the SRPM for 3.3p1 on my Immunix 6.2 box (Redhat 6.2 + > Stackguard compiler), fired up the server, and tried to connect to it. > No joy. > > In the spec file I changed the following options: > > # Is this build for RHL 6.x? > %define build6x 1 > > # Disable IPv6 (avoids DNS hangs on some glibc versions) > %define noip6 1 > > This appears in the system log: > > Jun 24 16:11:51 johnh sshd[27774]: fatal: mmap(65536): Invalid argument > > ...isn't this supposed to work on RH6.2? Where should I look to fix > this? > > Thx. > > -- > John Hardin > Internal Systems Administrator voice: (425) 672-1304 > Apropos Retail Management Systems, Inc. fax: (425) 672-0192 > ----------------------------------------------------------------------- > Any time that PR dominates the information stream, you can't trust > the information. > - CRYPTO-GRAM 01/2002 > ----------------------------------------------------------------------- > 6 days until First Class postage goes up to 37 cents > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From djm at mindrot.org Tue Jun 25 09:58:43 2002 
From: djm at mindrot.org (Damien Miller) Date: 25 Jun 2002 09:58:43 +1000 Subject: README.privsep In-Reply-To: <20020624192524.D20075@zax.half.pint-stowp.cx> References: <20020624165228.GB1890@jenny.crlsca.adelphia.net> <20020624192524.D20075@zax.half.pint-stowp.cx> Message-ID: <1024963124.5925.22.camel@xenon> On Tue, 2002-06-25 at 09:25, Jim Knoble wrote: > I would rather say here: > > chown 0 /var/empty > chgrp 0 /var/empty I recall that numeric arguments to some OS's chown & chgrp fail. -d From dtucker at zip.com.au Tue Jun 25 09:58:07 2002 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 25 Jun 2002 09:58:07 +1000 Subject: OpenSSH 3.3 & privilege separation? References: <20020624150542.I19281@chopin.gmi.com> Message-ID: <3D17B20F.57601DE0@zip.com.au> axm135 at po.cwru.edu wrote: > Wondering --- I know theo sent out a message asking vendors to get off > their butts to get privilege separation working, so what I'm wondering > is whether this is happening/working/etc with Solaris? (specifically > 8)...I know this is a portability question, since Sun doesn't support > SSH on solaris 8. Works for me (Solaris 8/gcc 3.1). The only issue I'm aware of is you can't change expired passwords (the code is commented out because it doesn't work with PrivSep). Apparently that's on the list to be fixed. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From djm at mindrot.org Tue Jun 25 10:10:02 2002 
From: djm at mindrot.org (Damien Miller) Date: 25 Jun 2002 10:10:02 +1000 Subject: README.privsep In-Reply-To: <1024963124.5925.22.camel@xenon> References: <20020624165228.GB1890@jenny.crlsca.adelphia.net> <20020624192524.D20075@zax.half.pint-stowp.cx> <1024963124.5925.22.camel@xenon> Message-ID: <1024963802.5924.36.camel@xenon> On Tue, 2002-06-25 at 09:58, Damien Miller wrote: > On Tue, 2002-06-25 at 09:25, Jim Knoble wrote: > > > I would rather say here: > > > > chown 0 /var/empty > > chgrp 0 /var/empty > > I recall that numeric arguments to some OS's chown & chgrp fail. Forget that - it was "chown 0.0 foo" that fails -d From cmadams at hiwaay.net Tue Jun 25 10:09:19 2002 From: cmadams at hiwaay.net (Chris Adams) Date: Mon, 24 Jun 2002 19:09:19 -0500 Subject: README.privsep In-Reply-To: <1024963124.5925.22.camel@xenon>; from djm@mindrot.org on Tue, Jun 25, 2002 at 09:58:43AM +1000 References: <20020624165228.GB1890@jenny.crlsca.adelphia.net> <20020624192524.D20075@zax.half.pint-stowp.cx> <1024963124.5925.22.camel@xenon> Message-ID: <20020624190919.D220570@hiwaay.net> Once upon a time, Damien Miller said: > On Tue, 2002-06-25 at 09:25, Jim Knoble wrote: > > > I would rather say here: > > > > chown 0 /var/empty > > chgrp 0 /var/empty > > I recall that numeric arguments to some OS's chown & chgrp fail. chown `grep '^[^:]*:[^:]*:0:' /etc/passwd | head -1 | cut -d: -f1` /var/empty chgrp `grep '^[^:]*:[^:]*:0:' /etc/group | head -1 | cut -d: -f1` /var/empty I think that would cover everyone (at least if they use a Bourne shell :-) ). -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From tusker at tusker.org Tue Jun 25 10:15:32 2002 
From: tusker at tusker.org (Damien Mascord) Date: Tue, 25 Jun 2002 08:15:32 +0800 Subject: OpenSSH 3.3 & privilege separation? In-Reply-To: <20020624150542.I19281@chopin.gmi.com> Message-ID: <5.1.1.5.2.20020625081433.02ee9de0@fallen.tusker.net> Hi Adam, Works fine for me on Solaris 8 for Intel. I have all the gnu stuff installed, and it works well :) root 29347 1 0 02:30:13 ? 0:01 /usr/local/sbin/sshd tusker 2222 2220 0 10:17:36 ? 0:00 /usr/local/sbin/sshd root 2220 29347 0 10:17:34 ? 0:00 /usr/local/sbin/sshd Damien At 03:05 PM 24/06/2002 -0700, axm135 at po.cwru.edu wrote: >Wondering --- I know theo sent out a message asking vendors to get off >their butts to get privilege separation working, so what I'm wondering is >whether this is happening/working/etc with Solaris? (specifically 8)...I >know this is a portability question, since Sun doesn't support SSH on >solaris 8. > >not on the list, so please CC me. thanks. > >adam >_______________________________________________ >openssh-unix-dev at mindrot.org mailing list >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From mouring at etoh.eviladmin.org Tue Jun 25 10:07:52 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 24 Jun 2002 19:07:52 -0500 (CDT) Subject: README.privsep In-Reply-To: <20020624190919.D220570@hiwaay.net> Message-ID: On Mon, 24 Jun 2002, Chris Adams wrote: > Once upon a time, Damien Miller said: > > On Tue, 2002-06-25 at 09:25, Jim Knoble wrote: > > > > > I would rather say here: > > > > > > chown 0 /var/empty > > > chgrp 0 /var/empty > > > > I recall that numeric arguments to some OS's chown & chgrp fail. > > chown `grep '^[^:]*:[^:]*:0:' /etc/passwd | head -1 | cut -d: -f1` /var/empty > chgrp `grep '^[^:]*:[^:]*:0:' /etc/group | head -1 | cut -d: -f1` /var/empty > > I think that would cover everyone (at least if they use a Bourne shell > :-) ). Gawd.. Let's leave it as is. I'd rather not have people coming into #unixhelp whining about some weirdass command to run.=) It's bad enough getting the Linux 2.2 questions. - Ben From mouring at etoh.eviladmin.org Tue Jun 25 10:21:37 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 24 Jun 2002 19:21:37 -0500 (CDT) Subject: Linux 2.2 + borken mmap() round 1 Message-ID: The following is just a simple 'if ANON|SHARE is broken, disable compression'. We don't have time for fancy stuff until we have time for long term testing. I have one friend of mine testing this. Can I get a few other people to test? This is against --current, but may work against 3.3p1. Unsure. BTW.. those on the NeXT platform (if you have autoreconf) should also test this. This should solve your problem also. - Ben Index: acconfig.h =================================================================== RCS file: /var/cvs/openssh/acconfig.h,v retrieving revision 1.139 diff -u -r1.139 acconfig.h --- acconfig.h 24 Jun 2002 16:26:49 -0000 1.139 +++ acconfig.h 25 Jun 2002 00:15:54 -0000 
@@ -355,6 +355,9 @@ /* Path that unprivileged child will chroot() to in privep mode */ #undef PRIVSEP_PATH +/* Define if you have the `mmap' function that supports MAP_ANON|SHARED */ +#undef HAVE_MMAP_ANON_SHARED + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ Index: configure.ac =================================================================== RCS file: /var/cvs/openssh/configure.ac,v retrieving revision 1.69 diff -u -r1.69 configure.ac --- configure.ac 24 Jun 2002 16:26:49 -0000 1.69 +++ configure.ac 25 Jun 2002 00:16:06 -0000 @@ -574,6 +574,30 @@ socketpair strerror strlcat strlcpy strmode strsep sysconf tcgetpgrp \ truncate utimes vhangup vsnprintf waitpid __b64_ntop _getpty) +if test $ac_cv_func_mmap = yes ; then +AC_MSG_CHECKING([for mmap anon shared]) +AC_TRY_RUN( + [ +#include +#include +#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS) +#define MAP_ANON MAP_ANONYMOUS +#endif +main() { char *p; +p = (char *) mmap(NULL, 10, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, -1, 0); +if (p == (char *)-1) + exit(1); +exit(0); +} + ], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_MMAP_ANON_SHARED) + ], + [ AC_MSG_RESULT(no) ] +) +fi + dnl IRIX and Solaris 2.5.1 have dirname() in libgen AC_CHECK_FUNCS(dirname, [AC_CHECK_HEADERS(libgen.h)] ,[ AC_CHECK_LIB(gen, dirname,[ Index: monitor_mm.c =================================================================== RCS file: /var/cvs/openssh/monitor_mm.c,v retrieving revision 1.10 diff -u -r1.10 monitor_mm.c --- monitor_mm.c 7 Jun 2002 01:57:25 -0000 1.10 +++ monitor_mm.c 25 Jun 2002 00:16:09 -0000 
@@ -84,13 +84,11 @@ */ mm->mmalloc = mmalloc; -#if defined(HAVE_MMAP) && defined(MAP_ANON) +#ifdef HAVE_MMAP_ANON_SHARED address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, -1, 0); - if (address == MAP_FAILED) - fatal("mmap(%lu): %s", (u_long)size, strerror(errno)); #else - fatal("%s: UsePrivilegeSeparation=yes not supported", + fatal("%s: UsePrivilegeSeparation=yes and Compression=yes not supported", __func__); #endif Index: servconf.c =================================================================== RCS file: /var/cvs/openssh/servconf.c,v retrieving revision 1.92 diff -u -r1.92 servconf.c --- servconf.c 23 Jun 2002 21:29:24 -0000 1.92 +++ servconf.c 25 Jun 2002 00:16:12 -0000 @@ -257,7 +257,7 @@ if (use_privsep == -1) use_privsep = 1; -#if !defined(HAVE_MMAP) || !defined(MAP_ANON) +#if !defined(HAVE_MMAP_ANON_SHARED) if (use_privsep && options->compression == 1) { error("This platform does not support both privilege " "separation and compression"); From mouring at etoh.eviladmin.org Tue Jun 25 10:26:31 2002 
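Review bot: the AC_TRY_RUN in the configure.ac hunk is given only three arguments, so there is no action-if-cross-compiling branch and configure will refuse to proceed when it cannot run test programs; add a fourth argument that leaves HAVE_MMAP_ANON_SHARED undefined. The probe also compares the result against `(char *)-1` rather than `MAP_FAILED`, and it only proves that a 10-byte `MAP_ANON|MAP_SHARED` mapping is accepted, not that the pages are shared across fork(), which is what monitor_mm.c depends on; storing into the region from a forked child and checking it in the parent would catch a kernel that accepts the flags but hands out private pages.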
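Review bot: the monitor_mm.c hunk deletes the `if (address == MAP_FAILED)` / `fatal("mmap(%lu): %s", ...)` check after the mmap() call, so with HAVE_MMAP_ANON_SHARED defined a run-time failure goes unnoticed and `address` is used while holding MAP_FAILED. The configure result describes the build host only; an sshd built where the probe passes can still get the EINVAL from a 2.2 kernel at run time, and since the servconf.c hunk now compiles the `error("This platform does not support both privilege separation and compression")` path out under the same macro, nothing is left to catch it. Keep the two removed lines.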
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 24 Jun 2002 19:26:31 -0500 (CDT) Subject: Linux 2.2 + borken mmap() round 1 In-Reply-To: Message-ID: Otherwise: http://www.pconline.com/~mouring/openssh.tar.gz is the complete --head w/ the patch and a configure. - Ben On Mon, 24 Jun 2002, Ben Lindstrom wrote: > > The following is just a simple 'if ANON|SHARE is broken, disable > compression'. We don't have time for fancy stuff until we have time for > long term testing. > > I have one friend of mine testing this. Can I get a few other people to > test. This is against --current, but maybe work against 3.3p1. Unsure. > > BTW.. those on NeXT platform (if you have autoreconf) should also test > this. this should solve your problem also. > > > - Ben > > Index: acconfig.h > =================================================================== > RCS file: /var/cvs/openssh/acconfig.h,v > retrieving revision 1.139 > diff -u -r1.139 acconfig.h > --- acconfig.h 24 Jun 2002 16:26:49 -0000 1.139 > +++ acconfig.h 25 Jun 2002 00:15:54 -0000 > @@ -355,6 +355,9 @@ > /* Path that unprivileged child will chroot() to in privep mode */ > #undef PRIVSEP_PATH > > +/* Define if you have the `mmap' function that supports MAP_ANON|SHARED */ > +#undef HAVE_MMAP_ANON_SHARED > + > @BOTTOM@ > > /* ******************* Shouldn't need to edit below this line ************** */ > Index: configure.ac > =================================================================== > RCS file: /var/cvs/openssh/configure.ac,v > retrieving revision 1.69 > diff -u -r1.69 configure.ac > --- configure.ac 24 Jun 2002 16:26:49 -0000 1.69 > +++ configure.ac 25 Jun 2002 00:16:06 -0000 
> @@ -574,6 +574,30 @@ > socketpair strerror strlcat strlcpy strmode strsep sysconf tcgetpgrp \ > truncate utimes vhangup vsnprintf waitpid __b64_ntop _getpty) > > +if test $ac_cv_func_mmap = yes ; then > +AC_MSG_CHECKING([for mmap anon shared]) > +AC_TRY_RUN( > + [ > +#include > +#include > +#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS) > +#define MAP_ANON MAP_ANONYMOUS > +#endif > +main() { char *p; > +p = (char *) mmap(NULL, 10, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, -1, 0); > +if (p == (char *)-1) > + exit(1); > +exit(0); > +} > + ], > + [ > + AC_MSG_RESULT(yes) > + AC_DEFINE(HAVE_MMAP_ANON_SHARED) > + ], > + [ AC_MSG_RESULT(no) ] > +) > +fi > + > dnl IRIX and Solaris 2.5.1 have dirname() in libgen > AC_CHECK_FUNCS(dirname, [AC_CHECK_HEADERS(libgen.h)] ,[ > AC_CHECK_LIB(gen, dirname,[ > Index: monitor_mm.c > =================================================================== > RCS file: /var/cvs/openssh/monitor_mm.c,v > retrieving revision 1.10 > diff -u -r1.10 monitor_mm.c > --- monitor_mm.c 7 Jun 2002 01:57:25 -0000 1.10 > +++ monitor_mm.c 25 Jun 2002 00:16:09 -0000 > @@ -84,13 +84,11 @@ > */ > mm->mmalloc = mmalloc; > > -#if defined(HAVE_MMAP) && defined(MAP_ANON) > +#ifdef HAVE_MMAP_ANON_SHARED > address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, > -1, 0); > - if (address == MAP_FAILED) > - fatal("mmap(%lu): %s", (u_long)size, strerror(errno)); > #else > - fatal("%s: UsePrivilegeSeparation=yes not supported", > + fatal("%s: UsePrivilegeSeparation=yes and Compression=yes not supported", > __func__); > #endif > > Index: servconf.c > =================================================================== > RCS file: /var/cvs/openssh/servconf.c,v > retrieving revision 1.92 > diff -u -r1.92 servconf.c > --- servconf.c 23 Jun 2002 21:29:24 -0000 1.92 > +++ servconf.c 25 Jun 2002 00:16:12 -0000 
> @@ -257,7 +257,7 @@ > if (use_privsep == -1) > use_privsep = 1; > > -#if !defined(HAVE_MMAP) || !defined(MAP_ANON) > +#if !defined(HAVE_MMAP_ANON_SHARED) > if (use_privsep && options->compression == 1) { > error("This platform does not support both privilege " > "separation and compression"); > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From mouring at etoh.eviladmin.org Tue Jun 25 10:45:47 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 24 Jun 2002 19:45:47 -0500 (CDT) Subject: Privsep and AIX.. In-Reply-To: <20020624235615.C18668@greenie.muc.de> Message-ID: Would anyone object if we dropped the TTY setting in usrinfo(), moved it up after the irix_*() call in do_setusercontext() and handled the case when someone whines? Hopefully by then the OSF group will have a patch that we can tap off of. If not, can one of you two pass me a patch to do it? Thanks - Ben On Mon, 24 Jun 2002, Gert Doering wrote: > Hi, > > On Mon, Jun 24, 2002 at 04:34:53PM -0500, Ben Lindstrom wrote: > > I sent the first one privately to Darren, but I think everyone with AIX > > (and those WORKING for IBM) should comment on this... > > > > First off I noticed LOGIN= is stated as it should be set, but is not. Not > > an issue for Privsep... but either the manpage needs to be clarified, or > > we should add it. > > For my initial usrinfo hack, I just looked at what AIX rlogind is setting, > and it does not set LOGIN= - just LOGNAME, NAME, TTY. So that's what > my patch did. > > > Second, what happens if TTY is always set to null? Reason being is > > privsep occurs long before Session *s; even has a hint of knowing the > > current TTY from the looks of it. And by then we are too late. > > > > Can someone from IBM tell me what the ramifications of setting TTY=null for > > userinfo(SETUINFO,..) are if the process has a tty? > > I'm not sure about that. "Our" legacy application that uses usrinfo > looks only at NAME=, and doesn't care about TTY. I have no idea what > other applications might make use of this. > > gert > -- > USENET is *not* the non-clickable part of WWW! 
> //www.muc.de/~gert/ > Gert Doering - Munich, Germany gert at greenie.muc.de > fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From djm at mindrot.org Tue Jun 25 10:58:09 2002 From: djm at mindrot.org (Damien Miller) Date: 25 Jun 2002 10:58:09 +1000 Subject: Help wanted: configure test for busted mmap Message-ID: <1024966689.5924.106.camel@xenon> Linux 2.2 (and probably others) have a deficient mmap which has caused a number of problems (e.g. bug #285). A workaround is in development, but it would be helpful to have a configure test to detect the bad mmaps(). Any takers? -d From mouring at etoh.eviladmin.org Tue Jun 25 10:52:00 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 24 Jun 2002 19:52:00 -0500 (CDT) Subject: Help wanted: configure test for busted mmap In-Reply-To: <1024966689.5924.106.camel@xenon> Message-ID: Already posted a cut down version of Tim's to check for the defect. Waiting for testers. =) - Ben On 25 Jun 2002, Damien Miller wrote: > Linux 2.2 (and probably others) have a deficient mmap which has caused a > number of problems (e.g. bug #285). > > A workaround is in development, but it would be helpful to have a > configure test to detect the bad mmaps(). > > Any takers? > > -d > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From nalin at redhat.com Tue Jun 25 11:12:04 2002 
From: nalin at redhat.com (Nalin Dahyabhai) Date: Mon, 24 Jun 2002 21:12:04 -0400 Subject: Help wanted: configure test for busted mmap In-Reply-To: <1024966689.5924.106.camel@xenon> References: <1024966689.5924.106.camel@xenon> Message-ID: <20020625011204.GB6701@redhat.com> On Tue, Jun 25, 2002 at 10:58:09AM +1000, Damien Miller wrote: > Linux 2.2 (and probably others) have a deficient mmap which has caused a > number of problems (e.g. bug #285). > > A workaround is in development, but it would be helpful to have a > configure test to detect the bad mmaps(). > > Any takers? It'd probably be better to try to work around it if the mmap() call fails at run-time. That'd be the easiest thing for us, anyway, as we can't guarantee that an sshd built on a 2.4 kernel will always be run under a 2.4 kernel. I'm attaching a patch extracted from Owl's package [1] that you might have seen before that attempts to do this. Nalin [1] ftp://ftp.ru.openwall.com/pub/Owl/current/native.tar.gz, in native/Owl/packages/openssh/ -------------- next part -------------- diff -ur openssh-3.3p1.orig/monitor_mm.c openssh-3.3p1/monitor_mm.c --- openssh-3.3p1.orig/monitor_mm.c Fri Jun 7 05:57:25 2002 +++ openssh-3.3p1/monitor_mm.c Mon Jun 24 01:30:58 2002 @@ -29,6 +29,7 @@ #ifdef HAVE_SYS_MMAN_H #include #endif +#include #include "ssh.h" #include "xmalloc.h" 
@@ -84,9 +85,42 @@ */ mm->mmalloc = mmalloc; -#if defined(HAVE_MMAP) && defined(MAP_ANON) +#ifdef HAVE_MMAP + mm->shm_not_mmap = 0; +#ifdef MAP_ANON address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, -1, 0); +#else + address = MAP_FAILED; +#endif + if (address == MAP_FAILED) { + int shmid; + + shmid = shmget(IPC_PRIVATE, size, IPC_CREAT|S_IRUSR|S_IWUSR); + if (shmid != -1) { + address = shmat(shmid, NULL, 0); + shmctl(shmid, IPC_RMID, NULL); + if (address != MAP_FAILED) + mm->shm_not_mmap = 1; + } + } + if (address == MAP_FAILED) { + char tmpname[sizeof(MM_SWAP_TEMPLATE)] = MM_SWAP_TEMPLATE; + int tmpfd; + int save_errno; + + tmpfd = mkstemp(tmpname); + if (tmpfd == -1) + fatal("mkstemp(\"%s\"): %s", + MM_SWAP_TEMPLATE, strerror(errno)); + unlink(tmpname); + ftruncate(tmpfd, size); + address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED, + tmpfd, 0); + save_errno = errno; + close(tmpfd); + errno = save_errno; + } if (address == MAP_FAILED) fatal("mmap(%lu): %s", (u_long)size, strerror(errno)); #else @@ -131,6 +165,10 @@ mm_freelist(mm->mmalloc, &mm->rb_allocated); #ifdef HAVE_MMAP + if (mm->shm_not_mmap) { + if (shmdt(mm->address) == -1) + fatal("shmdt(%p): %s", mm->address, strerror(errno)); + } else if (munmap(mm->address, mm->size) == -1) fatal("munmap(%p, %lu): %s", mm->address, (u_long)mm->size, strerror(errno)); diff -ur openssh-3.3p1.orig/monitor_mm.h openssh-3.3p1/monitor_mm.h --- openssh-3.3p1.orig/monitor_mm.h Tue Mar 26 06:42:21 2002 +++ openssh-3.3p1/monitor_mm.h Mon Jun 24 01:25:51 2002 @@ -40,6 +40,7 @@ struct mmtree rb_allocated; void *address; size_t size; + int shm_not_mmap; struct mm_master *mmalloc; /* Used to completely share */ 
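Review bot: in the @@ -84 hunk the return value of `ftruncate(tmpfd, size)` is ignored; if it fails (full or read-only filesystem, a size limit) the following mmap() still succeeds on a zero-length file and the first store into the region raises SIGBUS instead of the clean fatal() this fallback is meant to provide, so check it and fall through to the fatal() path. The same hunk tests the shmat() result against `MAP_FAILED`, but shmat() reports failure as `(void *)-1`; the two coincide on common platforms, yet the comparison should use the sentinel of the API that was called. The temp-file location is also fixed by MM_SWAP_TEMPLATE (`/var/run/sshd.mm.XXXXXXXX`); a configure-time define alongside PRIVSEP_PATH would remove the rigidity Nalin mentions, and whatever directory is chosen has to be root-owned, as Damien suggests, since the monitor maps the file with MAP_SHARED.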
@@ -52,6 +53,8 @@ #define MM_MINSIZE 128 #define MM_ADDRESS_END(x) (void *)((u_char *)(x)->address + (x)->size) + +#define MM_SWAP_TEMPLATE "/var/run/sshd.mm.XXXXXXXX" struct mm_master *mm_create(struct mm_master *, size_t); void mm_destroy(struct mm_master *); From mouring at etoh.eviladmin.org Tue Jun 25 11:03:13 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 24 Jun 2002 20:03:13 -0500 (CDT) Subject: Help wanted: configure test for busted mmap In-Reply-To: <20020625011204.GB6701@redhat.com> Message-ID: Rejected already.. SysV Shm not an acceptable solution. Plus too complex to verify in less than a week. - Ben On Mon, 24 Jun 2002, Nalin Dahyabhai wrote: > On Tue, Jun 25, 2002 at 10:58:09AM +1000, Damien Miller wrote: > > Linux 2.2 (and probably others) have a deficient mmap which has caused a > > number of problems (e.g. bug #285). > > > > A workaround is in development, but it would be helpful to have a > > configure test to detect the bad mmaps(). > > > > Any takers? > > It'd probably be better to try to work around it if the mmap() call > fails at run-time. That'd be the easiest thing for us, anyway, as we > can't guarantee that an sshd built on a 2.4 kernel will always be run > under a 2.4 kernel. > > I'm attaching a patch extracted from Owl's package [1] that you might > have seen before that attempts to do this. > > Nalin > > [1] ftp://ftp.ru.openwall.com/pub/Owl/current/native.tar.gz, in > native/Owl/packages/openssh/ > From nalin at redhat.com Tue Jun 25 11:38:41 2002 
From: nalin at redhat.com (Nalin Dahyabhai) Date: Mon, 24 Jun 2002 21:38:41 -0400 Subject: Help wanted: configure test for busted mmap In-Reply-To: ; from mouring@etoh.eviladmin.org on Mon, Jun 24, 2002 at 08:03:13PM -0500 References: <20020625011204.GB6701@redhat.com> Message-ID: <20020624213841.A20648@redhat.com> On Mon, Jun 24, 2002 at 08:03:13PM -0500, Ben Lindstrom wrote: > Rejected already.. SysV Shm not an acceptable solution. > > Plus too complex to verify in less than a week. I'd been wondering about the shm bits. Still, the non-anonymous mmap() to a known-good location looks like a reasonable fallback to me. Hard- coding the directory used to create the temporary file is probably too rigid, but I still prefer doing something like this to a configure check. Cheers, Nalin From tim at multitalents.net Tue Jun 25 11:41:52 2002 From: tim at multitalents.net (Tim Rice) Date: Mon, 24 Jun 2002 18:41:52 -0700 (PDT) Subject: Linux 2.2 + borken mmap() round 1 In-Reply-To: Message-ID: On Mon, 24 Jun 2002, Ben Lindstrom wrote: > > The following is just a simple 'if ANON|SHARE is broken, disable > compression'. We don't have time for fancy stuff until we have time for > long term testing. > > I have one friend of mine testing this. Can I get a few other people to > test. This is against --current, but maybe work against 3.3p1. Unsure. > > BTW.. those on NeXT platform (if you have autoreconf) should also test > this. this should solve your problem also. > > > - Ben [patch snipped] I think we should put the /dev/zero, SHARED test in too. That would allow Solaris < 8, & UnixWare 2.x, and maybe others to use compression. The two PRIVATE tests are not needed now. -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From djm at mindrot.org Tue Jun 25 11:46:11 2002 
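The three ways of obtaining a shared region that come up in this thread, as an added example that is not code from the thread or from OpenSSH: MAP_ANON|MAP_SHARED as in Ben's configure probe, /dev/zero with MAP_SHARED as Tim suggests, and an unlinked temporary file as in the Owl fallback. It tries them in order at run time and, unlike the 10-byte probe, checks the property monitor_mm.c actually depends on, that a store made in a forked child is visible to the parent. MM_SWAP_DIR, the mm_* function names and the Linux target are assumptions.

```c
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
#define MAP_ANON MAP_ANONYMOUS
#endif
/* Hypothetical fallback directory; sshd would use a root-owned one. */
#define MM_SWAP_DIR "/tmp"

enum mm_method { MM_NONE = 0, MM_ANON_SHARED, MM_DEVZERO_SHARED, MM_FILE_SHARED };

/* What monitor_mm.c asks for, and what Linux 2.2 rejects with EINVAL. */
static void *map_anon_shared(size_t size)
{
	return mmap(NULL, size, PROT_READ|PROT_WRITE, MAP_ANON|MAP_SHARED, -1, 0);
}

/* MAP_SHARED on an open descriptor; closes it, the mapping outlives it. */
static void *map_fd_shared(int fd, size_t size)
{
	void *p = mmap(NULL, size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
	int saved = errno;
	close(fd);
	errno = saved;
	return p;
}

/* /dev/zero with MAP_SHARED, the variant Tim suggests for older Solaris. */
static void *map_devzero_shared(size_t size)
{
	int fd = open("/dev/zero", O_RDWR);
	return fd == -1 ? MAP_FAILED : map_fd_shared(fd, size);
}

/* Unlinked temporary file with MAP_SHARED, the Owl-style runtime fallback.
 * Unlike the posted patch this checks ftruncate(): mapping a zero-length
 * file succeeds and then faults with SIGBUS on the first store. */
static void *map_file_shared(size_t size)
{
	char path[] = MM_SWAP_DIR "/sshd.mm.XXXXXX";
	int fd = mkstemp(path);
	if (fd == -1)
		return MAP_FAILED;
	unlink(path);
	if (ftruncate(fd, (off_t)size) == -1) {
		close(fd);
		return MAP_FAILED;
	}
	return map_fd_shared(fd, size);
}

/* Indexed by enum mm_method. */
static void *(*const mappers[])(size_t) =
    { NULL, map_anon_shared, map_devzero_shared, map_file_shared };

/* The property the monitor relies on: a store by a forked child is visible
 * to the parent.  Returns 1 if shared, 0 if not, -1 on fork/wait error. */
int mm_region_is_shared(void *region, size_t size)
{
	volatile unsigned char *b = region;
	int status;
	pid_t pid;
	b[0] = b[size - 1] = 0;
	if ((pid = fork()) == -1)
		return -1;
	if (pid == 0) {
		b[0] = 0x5a;
		b[size - 1] = 0xa5;
		_exit(0);
	}
	if (waitpid(pid, &status, 0) == -1)
		return -1;
	return b[0] == 0x5a && b[size - 1] == 0xa5;
}

/* Try each method in turn, so a binary built on a good kernel still works
 * on a bad one, and report which one succeeded (MM_NONE if none did). */
void *mm_create_shared(size_t size, enum mm_method *how)
{
	enum mm_method m;
	for (m = MM_ANON_SHARED; m <= MM_FILE_SHARED; m++) {
		void *p = mappers[m](size);
		if (p == MAP_FAILED)
			continue;
		if (mm_region_is_shared(p, size) == 1) {
			*how = m;
			return p;
		}
		munmap(p, size);
	}
	*how = MM_NONE;
	return MAP_FAILED;
}
```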
From: djm at mindrot.org (Damien Miller) Date: 25 Jun 2002 11:46:11 +1000 Subject: Help wanted: configure test for busted mmap In-Reply-To: <20020624213841.A20648@redhat.com> References: <20020625011204.GB6701@redhat.com> <20020624213841.A20648@redhat.com> Message-ID: <1024969571.5924.157.camel@xenon> On Tue, 2002-06-25 at 11:38, Nalin Dahyabhai wrote: > On Mon, Jun 24, 2002 at 08:03:13PM -0500, Ben Lindstrom wrote: > > Rejected already.. SysV Shm not an acceptable solution. > > > > Plus too complex to verify in less than a week. > > I'd been wondering about the shm bits. Still, the non-anonymous mmap() > to a known-good location looks like a reasonable fallback to me. Hard- > coding the directory used to create the temporary file is probably too > rigid, but I still prefer doing something like this to a configure check. I don't mind the idea of a non-anon mmap to a file in a root-owned directory. -d From djm at mindrot.org Tue Jun 25 11:52:55 2002 From: djm at mindrot.org (Damien Miller) Date: 25 Jun 2002 11:52:55 +1000 Subject: PAM kbd-int with privsep Message-ID: <1024969975.5925.172.camel@xenon> The following is a patch (based on FreeBSD code) which gets kbd-int working with privsep. It moves the kbd-int PAM conversation to a child process and communicates with it over a socket. The patch has a limitation: it does not handle multiple prompts - I have no idea how common these are in real life. Furthermore it is not well tested at all (despite my many requests on openssh-unix-dev@). -d Index: auth.h =================================================================== RCS file: /var/cvs/openssh/auth.h,v retrieving revision 1.42 diff -u -r1.42 auth.h --- auth.h 6 Jun 2002 20:52:37 -0000 1.42 +++ auth.h 25 Jun 2002 01:42:09 -0000 
@@ -133,7 +133,6 @@ #endif /* KRB5 */ #include "auth-pam.h" -#include "auth2-pam.h" Authctxt *do_authentication(void); Authctxt *do_authentication2(void); Index: auth2-chall.c =================================================================== RCS file: /var/cvs/openssh/auth2-chall.c,v retrieving revision 1.18 diff -u -r1.18 auth2-chall.c --- auth2-chall.c 21 Jun 2002 00:41:52 -0000 1.18 +++ auth2-chall.c 25 Jun 2002 01:42:11 -0000 @@ -40,11 +40,17 @@ #ifdef BSD_AUTH extern KbdintDevice bsdauth_device; +extern KbdintDevice mm_bsdauth_device; #else #ifdef SKEY extern KbdintDevice skey_device; +extern KbdintDevice mm_skey_device; #endif #endif +#ifdef USE_PAM +extern KbdintDevice sshpam_device; +extern KbdintDevice mm_sshpam_device; +#endif KbdintDevice *devices[] = { #ifdef BSD_AUTH @@ -54,6 +60,23 @@ &skey_device, #endif #endif +#ifdef USE_PAM + &sshpam_device, +#endif + NULL +}; + +KbdintDevice *mm_devices[] = { +#ifdef BSD_AUTH + &mm_bsdauth_device, +#else +#ifdef SKEY + &mm_skey_device, +#endif +#ifdef USE_PAM + &mm_sshpam_device, +#endif +#endif NULL }; @@ -314,18 +337,8 @@ void privsep_challenge_enable(void) { -#ifdef BSD_AUTH - extern KbdintDevice mm_bsdauth_device; -#endif -#ifdef SKEY - extern KbdintDevice mm_skey_device; -#endif - /* As long as SSHv1 has devices[0] hard coded this is fine */ -#ifdef BSD_AUTH - devices[0] = &mm_bsdauth_device; -#else -#ifdef SKEY - devices[0] = &mm_skey_device; -#endif -#endif + int i; + + for(i = 0; devices[i] != NULL; i++) + devices[i] = mm_devices[i]; } Index: auth2-kbdint.c =================================================================== RCS file: /var/cvs/openssh/auth2-kbdint.c,v retrieving revision 1.1 diff -u -r1.1 auth2-kbdint.c --- auth2-kbdint.c 6 Jun 2002 20:27:56 -0000 1.1 +++ auth2-kbdint.c 25 Jun 2002 01:42:11 -0000 
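Review bot: in the auth2-chall.c @@ -54 hunk the `#ifdef USE_PAM` entry of `mm_devices[]` sits inside the `#else` branch of `#ifdef BSD_AUTH`, whereas in `devices[]` it comes after the closing `#endif`. With both BSD_AUTH and USE_PAM defined, `devices[]` is {bsdauth, sshpam, NULL} but `mm_devices[]` is {mm_bsdauth, NULL}, so the copy loop in the @@ -314 hunk (`for(i = 0; devices[i] != NULL; i++) devices[i] = mm_devices[i];`) overwrites the PAM device with NULL and PAM kbd-int silently disappears under privsep. Move the USE_PAM block out of the BSD_AUTH `#else` so the two arrays stay in step, and have the loop stop when either array ends rather than trusting them to match.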
@@ -49,10 +49,6 @@ if (options.challenge_response_authentication) authenticated = auth2_challenge(authctxt, devs); -#ifdef USE_PAM - if (authenticated == 0 && options.pam_authentication_via_kbd_int) - authenticated = auth2_pam(authctxt); -#endif xfree(devs); xfree(lang); #ifdef HAVE_CYGWIN Index: auth2-pam.c =================================================================== RCS file: /var/cvs/openssh/auth2-pam.c,v retrieving revision 1.12 diff -u -r1.12 auth2-pam.c --- auth2-pam.c 22 Jan 2002 12:43:13 -0000 1.12 +++ auth2-pam.c 25 Jun 2002 01:42:11 -0000 
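Review bot: the auth2-kbdint.c hunk removes the only check of `options.pam_authentication_via_kbd_int` visible in this patch, and since `sshpam_device` is now an unconditional entry of `devices[]` (auth2-chall.c hunk), PAMAuthenticationViaKbdInt no longer gates anything unless the new device consults the option itself. Either keep the option check in the device's init path or say in the commit message that the option has become a no-op.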
@@ -1,158 +1,379 @@ +/*- + * Copyright (c) 2002 Networks Associates Technology, Inc. + * All rights reserved. + * + * This software was developed for the FreeBSD Project by ThinkSec AS and + * NAI Labs, the Security Research Division of Network Associates, Inc. + * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the + * DARPA CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/crypto/openssh/auth2-pam.c,v 1.1 2002/03/21 12:18:27 des Exp $ + */ + +/* + * XXX: todo: + * - Make this module handle multiple prompts. 
Currently it exits + * after each reply. It should stick around do it can process + * password change requests, etc. + * + * - Conver to buffer_() API instead of SOCK_DGRAM messages + */ + #include "includes.h" -RCSID("$Id: auth2-pam.c,v 1.12 2002/01/22 12:43:13 djm Exp $"); #ifdef USE_PAM +RCSID("$FreeBSD: src/crypto/openssh/auth2-pam.c,v 1.1 2002/03/21 12:18:27 des Exp $"); + #include #include "ssh.h" -#include "ssh2.h" #include "auth.h" -#include "auth-pam.h" -#include "packet.h" #include "xmalloc.h" -#include "dispatch.h" #include "log.h" +#include "monitor_wrap.h" + +extern char *__progname; -static int do_pam_conversation_kbd_int(int num_msg, - const struct pam_message **msg, struct pam_response **resp, - void *appdata_ptr); -void input_userauth_info_response_pam(int type, u_int32_t seqnr, void *ctxt); - -struct { - int finished, num_received, num_expected; - int *prompts; - struct pam_response *responses; -} context_pam2 = {0, 0, 0, NULL}; - -static struct pam_conv conv2 = { - do_pam_conversation_kbd_int, - NULL, +struct sshpam_ctxt { + char *user; + pid_t pid; + int sock; + int done; }; -int -auth2_pam(Authctxt *authctxt) +/* + * Send message to parent or child. + */ +static int +sshpam_send(struct sshpam_ctxt *ctxt, char *fmt, ...) { - int retval = -1; - - if (authctxt->user == NULL) - fatal("auth2_pam: internal error: no user"); + va_list ap; + char *mstr, buf[2048]; + size_t len; + int r; + + va_start(ap, fmt); + len = vsnprintf(buf, sizeof(buf), fmt, ap); + va_end(ap); + if (len == -1 || len > sizeof(buf)) + fatal("sshpam_send: message too long"); + mstr = xstrdup(buf); + if (ctxt->pid != 0) + debug2("to child: %d bytes", len); + r = send(ctxt->sock, mstr, len + 1, MSG_EOR); + free(mstr); + return (r); +} - conv2.appdata_ptr = authctxt; - do_pam_set_conv(&conv2); +/* + * Peek at first byte of next message. 
+ */ +static int +sshpam_peek(struct sshpam_ctxt *ctxt) +{ + char ch; - dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, - &input_userauth_info_response_pam); - retval = (do_pam_authenticate(0) == PAM_SUCCESS); - dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL); + if (recv(ctxt->sock, &ch, 1, MSG_PEEK) < 1) + return (-1); + return (ch); +} - return retval; +/* + * Receive a message from parent or child. + */ +static char * +sshpam_receive(struct sshpam_ctxt *ctxt) +{ + char *buf; + size_t len; + ssize_t rlen; + + len = 64; + buf = NULL; + do { + len *= 2; + buf = xrealloc(buf, len); + rlen = recv(ctxt->sock, buf, len, MSG_PEEK); + if (rlen < 1) { + xfree(buf); + return (NULL); + } + } while (rlen == len); + if (recv(ctxt->sock, buf, len, 0) != rlen) { + xfree(buf); + return (NULL); + } + if (ctxt->pid != 0) + debug2("from child: %s", buf); + return (buf); } +/* + * Conversation function for child process. + */ static int -do_pam_conversation_kbd_int(int num_msg, const struct pam_message **msg, - struct pam_response **resp, void *appdata_ptr) +sshpam_child_conv(int n, + const struct pam_message **msg, + struct pam_response **resp, + void *data) { - int i, j, done; - char *text; + struct sshpam_ctxt *ctxt; + int i; - context_pam2.finished = 0; - context_pam2.num_received = 0; - context_pam2.num_expected = 0; - context_pam2.prompts = xmalloc(sizeof(int) * num_msg); - context_pam2.responses = xmalloc(sizeof(struct pam_response) * num_msg); - memset(context_pam2.responses, 0, sizeof(struct pam_response) * num_msg); - - text = NULL; - for (i = 0, context_pam2.num_expected = 0; i < num_msg; i++) { - int style = PAM_MSG_MEMBER(msg, i, msg_style); - switch (style) { - case PAM_PROMPT_ECHO_ON: + ctxt = data; + if (n <= 0 || n > PAM_MAX_NUM_MSG) + return (PAM_CONV_ERR); + if ((*resp = calloc(n, sizeof **resp)) == NULL) + return (PAM_BUF_ERR); + for (i = 0; i < n; ++i) { + resp[i]->resp_retcode = 0; + resp[i]->resp = NULL; + switch (msg[i]->msg_style) { case 
PAM_PROMPT_ECHO_OFF: - context_pam2.num_expected++; + sshpam_send(ctxt, "p%s", msg[i]->msg); + resp[i]->resp = sshpam_receive(ctxt); + break; + case PAM_PROMPT_ECHO_ON: + sshpam_send(ctxt, "P%s", msg[i]->msg); + resp[i]->resp = sshpam_receive(ctxt); break; - case PAM_TEXT_INFO: case PAM_ERROR_MSG: - default: - /* Capture all these messages to be sent at once */ - message_cat(&text, PAM_MSG_MEMBER(msg, i, msg)); + /*sshpam_send(ctxt, "e%s", msg[i]->msg);*/ + break; + case PAM_TEXT_INFO: + /*sshpam_send(ctxt, "i%s", msg[i]->msg);*/ break; + default: + goto fail; } } - - if (context_pam2.num_expected == 0) - return PAM_SUCCESS; - - packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST); - packet_put_cstring(""); /* Name */ - packet_put_cstring(""); /* Instructions */ - packet_put_cstring(""); /* Language */ - packet_put_int(context_pam2.num_expected); - - for (i = 0, j = 0; i < num_msg; i++) { - int style = PAM_MSG_MEMBER(msg, i, msg_style); - - /* Skip messages which don't need a reply */ - if (style != PAM_PROMPT_ECHO_ON && style != PAM_PROMPT_ECHO_OFF) - continue; - - context_pam2.prompts[j++] = i; - if (text) { - message_cat(&text, PAM_MSG_MEMBER(msg, i, msg)); - packet_put_cstring(text); - text = NULL; - } else - packet_put_cstring(PAM_MSG_MEMBER(msg, i, msg)); - packet_put_char(style == PAM_PROMPT_ECHO_ON); + return (PAM_SUCCESS); + fail: + while (i--) { + if (resp[i]->resp) { + memset(resp[i]->resp, '\0', strlen(resp[i]->resp)); + free(resp[i]->resp); + } } - packet_send(); - packet_write_wait(); + free(*resp); + *resp = NULL; + return (PAM_CONV_ERR); +} +/* + * Child process. 
+ */ +static void * +sshpam_child(struct sshpam_ctxt *ctxt) +{ + struct pam_conv conv = { sshpam_child_conv, ctxt }; + pam_handle_t *sshpamh; + int err; + + err = pam_start(SSHD_PAM_SERVICE, ctxt->user, &conv, &sshpamh); + if (err != PAM_SUCCESS) + goto auth_fail; + err = pam_authenticate(sshpamh, 0); + if (err != PAM_SUCCESS) + goto auth_fail; + err = pam_acct_mgmt(sshpamh, 0); + if (err != PAM_SUCCESS) + goto auth_fail; +#if 0 /* - * Grabbing control of execution and spinning until we get what - * we want is probably rude, but it seems to work properly, and - * the client *should* be in lock-step with us, so the loop should - * only be traversed once. + * Can't switch this on until we can handle multiple queries */ - while(context_pam2.finished == 0) { - done = 1; - dispatch_run(DISPATCH_BLOCK, &done, appdata_ptr); - if(context_pam2.finished == 0) - debug("extra packet during conversation"); - } + err = pam_acct_mgmt(sshpamh, 0); + if (err == PAM_NEW_AUTHTOK_REQD) + err = pam_chauthtok(sshpamh, PAM_CHANGE_EXPIRED_AUTHTOK); + if (err != PAM_SUCCESS) + goto auth_fail; +#endif + sshpam_send(ctxt, "=OK"); + pam_end(sshpamh, err); + exit(0); + + auth_fail: + sshpam_send(ctxt, "!%s", pam_strerror(sshpamh, err)); + pam_end(sshpamh, err); + exit(0); +} - if(context_pam2.num_received == context_pam2.num_expected) { - *resp = context_pam2.responses; - return PAM_SUCCESS; - } else - return PAM_CONV_ERR; +void * +sshpam_init_ctx(Authctxt *authctxt) +{ + struct sshpam_ctxt *ctxt; + int socks[2]; + int i; + + debug3("PAM kbd-int init ctx"); + + ctxt = xmalloc(sizeof *ctxt); + ctxt->user = xstrdup(authctxt->user); + ctxt->done = 0; + if (socketpair(AF_UNIX, SOCK_DGRAM, PF_UNSPEC, socks) == -1) { + error("%s: failed create sockets: %s", + __func__, strerror(errno)); + xfree(ctxt); + return (NULL); + } + if ((ctxt->pid = fork()) == -1) { + error("%s: failed to fork auth-pam child: %s", + __func__, strerror(errno)); + close(socks[0]); + close(socks[1]); + xfree(ctxt); + return 
(NULL); + } + if (ctxt->pid == 0) { + /* close everything except our end of the pipe */ + ctxt->sock = socks[1]; + for (i = 0; i < getdtablesize(); ++i) + if (i != ctxt->sock) + close(i); + sshpam_child(ctxt); + /* not reached */ + exit(1); + } + ctxt->sock = socks[0]; + close(socks[1]); + return (ctxt); } -void -input_userauth_info_response_pam(int type, u_int32_t seqnr, void *ctxt) +int +sshpam_query(void *ctx, char **name, char **info, + u_int *num, char ***prompts, u_int **echo_on) { - Authctxt *authctxt = ctxt; - unsigned int nresp = 0, rlen = 0, i = 0; - char *resp; + struct sshpam_ctxt *ctxt = ctx; + char *msg; - if (authctxt == NULL) - fatal("input_userauth_info_response_pam: no authentication context"); + debug3("PAM kbd-int query"); - nresp = packet_get_int(); /* Number of responses. */ - debug("got %d responses", nresp); + if ((msg = sshpam_receive(ctxt)) == NULL) + return (-1); + *name = xstrdup(""); + *info = xstrdup(""); + *prompts = xmalloc(sizeof(char *)); + *echo_on = xmalloc(sizeof(u_int)); + switch (*msg) { + case 'P': + **echo_on = 1; + case 'p': + *num = 1; + **prompts = xstrdup(msg + 1); + **echo_on = (*msg == 'P'); + break; + case '=': + *num = 0; + **echo_on = 0; + ctxt->done = 1; + break; + case '!': + error("%s", msg + 1); + default: + *num = 0; + **echo_on = 0; + xfree(msg); + ctxt->done = -1; + return (-1); + } + xfree(msg); + return (0); +} - for (i = 0; i < nresp; i++) { - int j = context_pam2.prompts[i]; +int +sshpam_respond(void *ctx, u_int num, char **resp) +{ + struct sshpam_ctxt *ctxt = ctx; + char *msg; - resp = packet_get_string(&rlen); - context_pam2.responses[j].resp_retcode = PAM_SUCCESS; - context_pam2.responses[j].resp = xstrdup(resp); - xfree(resp); - context_pam2.num_received++; + debug3("PAM kbd-int %d responses", num); + + debug2(__func__); + switch (ctxt->done) { + case 1: + return (0); + case 0: + break; + default: + return (-1); + } + if (num != 1) { + error("expected one response, got %u", num); + return (-1); + } + 
sshpam_send(ctxt, "%s", *resp); + switch (sshpam_peek(ctxt)) { + case 'P': + case 'p': + return (1); + case '=': + msg = sshpam_receive(ctxt); + xfree(msg); + ctxt->done = 1; + return (0); + default: + msg = sshpam_receive(ctxt); + if (*msg == '!') + error("%s", msg + 1); + xfree(msg); + ctxt->done = -1; + return (-1); } +} + +void +sshpam_free_ctx(void *ctxtp) +{ + struct sshpam_ctxt *ctxt = ctxtp; - context_pam2.finished = 1; + debug3("Freeing PAM kbd-int ctx"); - packet_check_eom(); + close(ctxt->sock); + kill(ctxt->pid, SIGHUP); + /* XXX: wait()? */ + xfree(ctxt->user); + xfree(ctxt); } -#endif +KbdintDevice sshpam_device = { + "pam", + sshpam_init_ctx, + sshpam_query, + sshpam_respond, + sshpam_free_ctx +}; + +KbdintDevice mm_sshpam_device = { + "pam", + mm_sshpam_init_ctx, + mm_sshpam_query, + mm_sshpam_respond, + mm_sshpam_free_ctx +}; + +#endif /* USE_PAM */ Index: auth2-pam.h =================================================================== RCS file: auth2-pam.h diff -N auth2-pam.h --- auth2-pam.h 9 Feb 2001 01:55:36 -0000 1.2 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,8 +0,0 @@ -/* $Id: auth2-pam.h,v 1.2 2001/02/09 01:55:36 djm Exp $ */ - -#include "includes.h" -#ifdef USE_PAM - -int auth2_pam(Authctxt *authctxt); - -#endif /* USE_PAM */ Index: auth2.c =================================================================== RCS file: /var/cvs/openssh/auth2.c,v retrieving revision 1.107 diff -u -r1.107 auth2.c --- auth2.c 21 Jun 2002 06:21:11 -0000 1.107 +++ auth2.c 25 Jun 2002 01:42:11 -0000 
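Review bot: in sshpam_child_conv (auth2-pam.c hunk above), `resp[i]->resp_retcode = 0;`, `resp[i]->resp = ...` and the `while (i--)` cleanup index `resp`, the `struct pam_response **` argument, instead of the array just allocated into `*resp`; that is correct only for i == 0, so any module that passes more than one message in a single conversation call makes the child read and write through bogus pointers. Use `(*resp)[i].resp` and `(*resp)[i].resp_retcode`, or take `struct pam_response *reply = *resp;` once. In the same function a NULL from sshpam_receive (the monitor went away) is stored as the response and PAM_SUCCESS is returned; that should `goto fail`, so a dead socket is not mistaken for an empty answer. In sshpam_send, `len > sizeof(buf)` should be `>=`: a vsnprintf return equal to sizeof(buf) means truncation, and `send(..., len + 1, ...)` then reads one byte past the xstrdup'd copy; `len` is also a size_t compared with -1 and printed with `%d`. Because sshpam_respond pushes the user's password through this path with `sshpam_send(ctxt, "%s", *resp)`, memset `buf` and `mstr` before they go out of scope or are freed. In sshpam_child, the `auth_fail:` label calls pam_strerror and pam_end on `sshpamh` even when pam_start itself failed and left it uninitialised; handle the pam_start failure separately with a fixed error string.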
@@ -85,10 +85,6 @@ /* challenge-response is implemented via keyboard interactive */ if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; - if (options.pam_authentication_via_kbd_int) - options.kbd_interactive_authentication = 1; - if (use_privsep) - options.pam_authentication_via_kbd_int = 0; dispatch_init(&dispatch_protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); Index: monitor.c =================================================================== RCS file: /var/cvs/openssh/monitor.c,v retrieving revision 1.19 diff -u -r1.19 monitor.c --- monitor.c 23 Jun 2002 00:38:24 -0000 1.19 +++ monitor.c 25 Jun 2002 01:42:13 -0000 @@ -118,6 +118,17 @@ #ifdef USE_PAM int mm_answer_pam_start(int, Buffer *); +int mm_answer_sshpam_init_ctx(int, Buffer *); +int mm_answer_sshpamquery(int, Buffer *); +int mm_answer_sshpamrespond(int, Buffer *); +int mm_answer_sshpam_free_ctx(int, Buffer *); + +static void *sshpam_auth_ctxt = NULL; /* Local state for PAM kbd-int device */ + +extern void *sshpam_init_ctx(Authctxt *); +extern int sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); +extern int sshpam_respond(void *, u_int , char **); +extern void sshpam_free_ctx(void *); #endif static Authctxt *authctxt; @@ -155,7 +166,11 @@ {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM + {MONITOR_REQ_PAM_INIT_CTX, 0, mm_answer_sshpam_init_ctx}, {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, + {MONITOR_REQ_PAMQUERY, MON_ISAUTH, mm_answer_sshpamquery}, + {MONITOR_REQ_PAMRESPOND, MON_AUTH, mm_answer_sshpamrespond}, + {MONITOR_REQ_PAM_FREE_CTX, 0, mm_answer_sshpam_free_ctx}, #endif #ifdef BSD_AUTH {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, 
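Review bot: in the @@ -155 monitor.c table hunk, MONITOR_REQ_PAM_INIT_CTX and MONITOR_REQ_PAM_FREE_CTX are added with flags 0 rather than MON_ONCE. That is deliberate, since mm_answer_sshpamrespond frees the context after every answer and a retry has to create a new one, but it means that once the permit added in the @@ -734 hunk has run the unprivileged process can make the monitor fork a root PAM helper and SIGHUP it as often as it likes; a comment saying why these two are not MON_ONCE, plus a cap on re-initialisations per session, would make the trade-off explicit. Style point for the @@ -118 hunk just above it: the four `extern` sshpam_* prototypes belong in auth.h (or a kept auth2-pam.h, which this patch deletes) next to the other kbd-int device declarations rather than inline in monitor.c, and `u_int ,` has a stray space.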
@@ -202,6 +217,13 @@ #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, #endif +#ifdef USE_PAM + {MONITOR_REQ_PAM_INIT_CTX, 0, mm_answer_sshpam_init_ctx}, + {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, + {MONITOR_REQ_PAMQUERY, MON_ISAUTH, mm_answer_sshpamquery}, + {MONITOR_REQ_PAMRESPOND, MON_AUTH, mm_answer_sshpamrespond}, + {MONITOR_REQ_PAM_FREE_CTX, 0, mm_answer_sshpam_free_ctx}, +#endif {0, 0, NULL} }; 
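Review bot: this hunk leaves `MONITOR_REQ_PAM_START` twice in the second dispatch table: the existing `#ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, #endif` block is kept and the new `#ifdef USE_PAM` block adds an identical entry. A request type should appear once per table; fold the four new entries into the existing block and drop the duplicate.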
@@ -734,6 +756,100 @@ xfree(user); + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_INIT_CTX, 1); + + return (0); +} + +int +mm_answer_sshpam_init_ctx(int socket, Buffer *m) +{ + debug3("%s: entering", __FUNCTION__); + + if (sshpam_auth_ctxt == NULL) + sshpam_auth_ctxt = sshpam_init_ctx(authctxt); + + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1); + + return (0); +} + +int +mm_answer_sshpamquery(int socket, Buffer *m) +{ + char *name, *infotxt; + u_int numprompts; + u_int *echo_on; + char **prompts; + int res; + + if (sshpam_auth_ctxt == NULL) + fatal("%s: No PAM kbd-int auth context", __FUNCTION__); + + res = sshpam_query(sshpam_auth_ctxt, &name, &infotxt, &numprompts, + &prompts, &echo_on); + + if (res != -1) + debug3("%s: challenge %s", __FUNCTION__, prompts[0]); + + buffer_clear(m); + buffer_put_int(m, res); + if (res != -1) + buffer_put_cstring(m, prompts[0]); + + debug3("%s: sending PAM challenge res: %d", __FUNCTION__, res); + mm_request_send(socket, MONITOR_ANS_PAMQUERY, m); + + if (res != -1) { + xfree(name); + xfree(infotxt); + xfree(prompts); + xfree(echo_on); + } + + return (0); +} + +int +mm_answer_sshpamrespond(int socket, Buffer *m) +{ + char *response, *rs[1]; + int authok; + + if (sshpam_auth_ctxt == NULL) + fatal("%s: No PAM kbd-int auth context", __FUNCTION__); + + response = buffer_get_string(m, NULL); + rs[0] = response; + + authok = sshpam_respond(sshpam_auth_ctxt, 1, rs); + debug3("%s: <%s> = <%d>", __FUNCTION__, response, authok); + xfree(response); + + buffer_clear(m); + buffer_put_int(m, authok); + + debug3("%s: sending authenticated: %d", __FUNCTION__, authok == 0); + mm_request_send(socket, MONITOR_ANS_PAMRESPOND, m); + + auth_method = "pam"; + + sshpam_free_ctx(sshpam_auth_ctxt); + sshpam_auth_ctxt = NULL; + + return (authok == 0); +} + + +int +mm_answer_sshpam_free_ctx(int socket, Buffer *m) +{ + debug3("%s: entering", __FUNCTION__); + + if (sshpam_auth_ctxt != NULL) + sshpam_free_ctx(sshpam_auth_ctxt); + + sshpam_auth_ctxt = 
NULL; return (0); } #endif @@ -1152,6 +1268,10 @@ /* Turn on permissions for getpwnam */ monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1); + +#ifdef USE_PAM + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); +#endif return (0); } Index: monitor.h =================================================================== RCS file: /var/cvs/openssh/monitor.h,v retrieving revision 1.8 diff -u -r1.8 monitor.h --- monitor.h 11 Jun 2002 16:42:49 -0000 1.8 +++ monitor.h 25 Jun 2002 01:42:13 -0000 @@ -39,6 +39,10 @@ MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND, MONITOR_REQ_SKEYQUERY, MONITOR_ANS_SKEYQUERY, MONITOR_REQ_SKEYRESPOND, MONITOR_ANS_SKEYRESPOND, + MONITOR_REQ_PAM_INIT_CTX, + MONITOR_REQ_PAMQUERY, MONITOR_ANS_PAMQUERY, + MONITOR_REQ_PAMRESPOND, MONITOR_ANS_PAMRESPOND, + MONITOR_REQ_PAM_FREE_CTX, MONITOR_REQ_KEYALLOWED, MONITOR_ANS_KEYALLOWED, MONITOR_REQ_KEYVERIFY, MONITOR_ANS_KEYVERIFY, MONITOR_REQ_KEYEXPORT, Index: monitor_wrap.c =================================================================== RCS file: /var/cvs/openssh/monitor_wrap.c,v retrieving revision 1.12 diff -u -r1.12 monitor_wrap.c --- monitor_wrap.c 21 Jun 2002 00:43:43 -0000 1.12 +++ monitor_wrap.c 25 Jun 2002 01:42:14 -0000 
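Review bot: mm_answer_sshpamquery (the @@ -734 hunk) logs and sends `prompts[0]` whenever `res != -1`, but sshpam_query sets `*num = 0` and never fills `**prompts` for the `=` message (a PAM stack that succeeds without asking anything), so in that case the monitor dereferences an uninitialised pointer. Put `numprompts` in the answer, only add the prompt when it is 1, and have the client side treat zero prompts as an authentication already decided. Three more points in the hunk: the answer never carries `echo_on[0]`, so a PAM_PROMPT_ECHO_ON prompt reaches the client with echo off; the xstrdup'd prompt string leaks, since only the `prompts` array is freed; and mm_answer_sshpamrespond frees the context unconditionally, even when sshpam_respond returned 1 (another prompt is pending), so multi-prompt conversations are cut off here regardless of what the child could do.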
@@ -830,6 +830,81 @@ return ((authok == 0) ? -1 : 0); } +void * +mm_sshpam_init_ctx(struct Authctxt *authctxt) +{ + Buffer m; + + debug3("%s: entering", __FUNCTION__); + + buffer_init(&m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); + + return (authctxt); +} + +int +mm_sshpam_query(void *ctx, char **name, char **infotxt, + u_int *numprompts, char ***prompts, u_int **echo_on) +{ + Buffer m; + int res; + char *challenge; + + debug3("%s: entering", __FUNCTION__); + + buffer_init(&m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAMQUERY, &m); + + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAMQUERY, &m); + res = buffer_get_int(&m); + if (res == -1) { + debug3("%s: no challenge", __FUNCTION__); + buffer_free(&m); + return (-1); + } + + /* Get the challenge, and format the response */ + challenge = buffer_get_string(&m, NULL); + buffer_free(&m); + + debug3("%s: received challenge: %s", __FUNCTION__, challenge); + + mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); + + (*prompts)[0] = challenge; + + return (0); +} + +int +mm_sshpam_respond(void *ctx, u_int numresponses, char **responses) +{ + Buffer m; + int authok; + + debug3("%s: entering", __FUNCTION__); + if (numresponses != 1) + return (-1); + + buffer_init(&m); + buffer_put_cstring(&m, responses[0]); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAMRESPOND, &m); + + mm_request_receive_expect(pmonitor->m_recvfd, + MONITOR_ANS_PAMRESPOND, &m); + + authok = buffer_get_int(&m); + buffer_free(&m); + + return (authok); +} + +void +mm_sshpam_free_ctx(void *ctxtp) +{ +} + void mm_ssh1_session_id(u_char session_id[16]) { Index: monitor_wrap.h =================================================================== RCS file: /var/cvs/openssh/monitor_wrap.h,v retrieving revision 1.6 diff -u -r1.6 monitor_wrap.h --- monitor_wrap.h 13 May 2002 01:07:42 -0000 1.6 +++ monitor_wrap.h 25 Jun 2002 01:42:14 -0000 
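Review bot: mm_sshpam_free_ctx is empty and nothing in this hunk sends MONITOR_REQ_PAM_FREE_CTX, although monitor.c wires mm_answer_sshpam_free_ctx and permits it from mm_answer_sshpam_init_ctx; if the client abandons keyboard-interactive after a query (disconnects, or switches to another method), the monitor's context and the forked root PAM helper outlive the attempt until mm_answer_sshpamrespond runs or the monitor exits. Have mm_sshpam_free_ctx send the request so the existing handler runs. Also, mm_sshpam_init_ctx returns `authctxt` as the context handle without waiting for an answer, so a socketpair or fork failure in sshpam_init_ctx surfaces only as the fatal() in mm_answer_sshpamquery; either return a status from init or have the query handler answer -1 instead of dying.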
@@ -83,6 +83,12 @@ int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **); int mm_skey_respond(void *, u_int, char **); +/* pam */ +void *mm_sshpam_init_ctx(struct Authctxt *); +int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); +int mm_sshpam_respond(void *, u_int, char **); +void mm_sshpam_free_ctx(void *); + /* zlib allocation hooks */ void *mm_zalloc(struct mm_master *, u_int, u_int); Index: servconf.c =================================================================== RCS file: /var/cvs/openssh/servconf.c,v retrieving revision 1.92 diff -u -r1.92 servconf.c --- servconf.c 23 Jun 2002 21:29:24 -0000 1.92 +++ servconf.c 25 Jun 2002 01:42:15 -0000 @@ -55,10 +55,6 @@ { memset(options, 0, sizeof(*options)); - /* Portable-specific options */ - options->pam_authentication_via_kbd_int = -1; - - /* Standard Options */ options->num_ports = 0; options->ports_from_cmdline = 0; options->listen_addrs = NULL; @@ -130,11 +126,6 @@ void fill_default_server_options(ServerOptions *options) { - /* Portable-specific options */ - if (options->pam_authentication_via_kbd_int == -1) - options->pam_authentication_via_kbd_int = 0; - - /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_1|SSH_PROTO_2; if (options->num_host_key_files == 0) { @@ -271,9 +262,6 @@ /* Keyword tokens. */ typedef enum { sBadOption, /* == unknown option */ - /* Portable-specific options */ - sPAMAuthenticationViaKbdInt, - /* Standard Options */ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, @@ -307,9 +295,6 @@ const char *name; ServerOpCodes opcode; } keywords[] = { - /* Portable-specific options */ - { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt }, - /* Standard Options */ { "port", sPort }, { "hostkey", sHostKeyFile }, { "hostdsakey", sHostKeyFile }, /* alias */ 
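Review bot: deleting `PAMAuthenticationViaKbdInt` from `keywords[]` and its `sPAMAuthenticationViaKbdInt` case means an existing sshd_config that still contains the keyword (the shipped sshd_config documented it until this patch) now falls into `case sBadOption: return -1;` and is rejected as a bad configuration option after the upgrade. Keep the keyword in `keywords[]` for a release, mapped to an ignored opcode that logs a deprecation warning, and note the removal in the release notes.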
@@ -453,12 +438,6 @@ charptr = NULL; opcode = parse_token(arg, filename, linenum); switch (opcode) { - /* Portable-specific options */ - case sPAMAuthenticationViaKbdInt: - intptr = &options->pam_authentication_via_kbd_int; - goto parse_flag; - - /* Standard Options */ case sBadOption: return -1; case sPort: Index: servconf.h =================================================================== RCS file: /var/cvs/openssh/servconf.h,v retrieving revision 1.49 diff -u -r1.49 servconf.h --- servconf.h 21 Jun 2002 01:09:47 -0000 1.49 +++ servconf.h 25 Jun 2002 01:42:16 -0000 @@ -130,7 +130,6 @@ char *authorized_keys_file; /* File containing public keys */ char *authorized_keys_file2; - int pam_authentication_via_kbd_int; } ServerOptions; void initialize_server_options(ServerOptions *); Index: sshd_config =================================================================== RCS file: /var/cvs/openssh/sshd_config,v retrieving revision 1.51 diff -u -r1.51 sshd_config --- sshd_config 21 Jun 2002 01:11:36 -0000 1.51 +++ sshd_config 25 Jun 2002 01:42:16 -0000 @@ -69,10 +69,6 @@ # Kerberos TGT Passing only works with the AFS kaserver #KerberosTgtPassing no -# Set this to 'yes' to enable PAM keyboard-interactive authentication -# Warning: enabling this may bypass the setting of 'PasswordAuthentication' -#PAMAuthenticationViaKbdInt yes - #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes From tim at multitalents.net Tue Jun 25 11:56:36 2002 
From: tim at multitalents.net (Tim Rice) Date: Mon, 24 Jun 2002 18:56:36 -0700 (PDT) Subject: README.privsep In-Reply-To: <20020624165228.GB1890@jenny.crlsca.adelphia.net> Message-ID: On Mon, 24 Jun 2002, Kevin Steves wrote: > Hi, > > If you are on UnixWare 7 or OpenUNIX 8 do this additional step. > # ln /usr/lib/.ns.so /usr/lib/ns.so.1 Drop these two lines. If we are not going to do something like the patch below to fix the initgroups problem on UnixWare and some Linux, then add some lines like On UnixWare, OpenUNIX, and some Linux systems you will have to # mkdir /var/empty/etc # touch /var/empty/etc/group --- session.c.orig Mon Jun 24 07:29:13 2002 +++ session.c Mon Jun 24 18:49:49 2002 @@ -1180,6 +1180,7 @@ exit(1); } /* Initialize the group list. */ + if (strcmp(pw->pw_name, SSH_PRIVSEP_USER)) if (initgroups(pw->pw_name, pw->pw_gid) < 0) { perror("initgroups"); exit(1); -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From itojun at itojun.org Tue Jun 25 11:58:58 2002 From: itojun at itojun.org (Jun-ichiro itojun Hagino) Date: Tue, 25 Jun 2002 10:58:58 +0900 (JST) Subject: use libcrypt before libcrypto Message-ID: <20020625015858.A3CC87B9@starfruit.itojun.org> these days many unix-based systems contain crypt() with more than DES support (for instance, MD5 in freebsd/openbsd/netbsd, bcrypt in openbsd/netbsd). we need to use crypt() in libcrypt, not in licrypto, as much as possible. itojun --- configure.ac.orig Tue Jun 25 10:56:47 2002 +++ configure.ac Tue Jun 25 10:57:25 2002 @@ -697,6 +702,9 @@ ) fi +# use libcrypt if there is +AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt") + # Search for OpenSSL saved_CPPFLAGS="$CPPFLAGS" saved_LDFLAGS="$LDFLAGS" 
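Review bot: in the session.c hunk, the added `if (strcmp(pw->pw_name, SSH_PRIVSEP_USER))` has no braces and only guards the `if (initgroups(...) < 0) { ... }` that follows because that whole if-statement is a single statement; it compiles and does what is intended, but the next line inserted between them silently changes control flow. Fold it into one condition, `if (strcmp(pw->pw_name, SSH_PRIVSEP_USER) != 0 && initgroups(pw->pw_name, pw->pw_gid) < 0) {`, or add braces, and add a comment saying why the privsep user skips initgroups (the /var/empty/etc/group workaround this replaces).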
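Review bot: the new `AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt")` in the configure.ac @@ -697 hunk runs before the OpenSSL search, which is the point, but it is unconditional, while the block it supersedes (removed in the following hunk) was skipped when PAM was enabled, with the comment `Skip this for PAM`. The patch gives no reason why linking libcrypt alongside PAM is now acceptable; either say so in the comment or keep the `x$PAM_MSG = xno` guard. The action argument is also redundant, since AC_CHECK_LIB's default action already appends -lcrypt to LIBS (and defines HAVE_LIBCRYPT).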
@@ -761,12 +769,6 @@ ] ) -# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the -# version in OpenSSL. Skip this for PAM -if test "x$PAM_MSG" = "xno" -a "x$check_for_libcrypt_later" = "x1"; then - AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt") -fi - ### Configure cryptographic random number support From openssh-unix-dev at thewrittenword.com Tue Jun 25 12:25:17 2002 From: openssh-unix-dev at thewrittenword.com (Albert Chin) Date: Mon, 24 Jun 2002 21:25:17 -0500 Subject: use libcrypt before libcrypto In-Reply-To: <20020625015858.A3CC87B9@starfruit.itojun.org>; from itojun@itojun.org on Tue, Jun 25, 2002 at 10:58:58AM +0900 References: <20020625015858.A3CC87B9@starfruit.itojun.org> Message-ID: <20020624212517.A8211@oolong.il.thewrittenword.com> On Tue, Jun 25, 2002 at 10:58:58AM +0900, Jun-ichiro itojun Hagino wrote: > these days many unix-based systems contain crypt() with more than > DES support (for instance, MD5 in freebsd/openbsd/netbsd, bcrypt in > openbsd/netbsd). we need to use crypt() in libcrypt, not in licrypto, > as much as possible. > > itojun > > --- configure.ac.orig Tue Jun 25 10:56:47 2002 > +++ configure.ac Tue Jun 25 10:57:25 2002 > @@ -697,6 +702,9 @@ > ) > fi > > +# use libcrypt if there is > +AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt") > + AC_CHECK_LIB(crypt, crypt) will automatically add -lcrypt to $LIBS. It will also define HAVE_LIBCRYPT (is this what you're trying to avoid)? Anyway, I'd prefer: AC_CHECK_FUNCS(crypt, , AC_CHECK_LIB(crypt, crypt)) This way we check if crypt is resolvable using the existing $LIBS and, if not, use $LIBS+-lcrypt. -- albert chin (china at thewrittenword.com) From itojun at iijlab.net Tue Jun 25 12:31:04 2002 
From: itojun at iijlab.net (itojun at iijlab.net) Date: Tue, 25 Jun 2002 11:31:04 +0900 Subject: use libcrypt before libcrypto In-Reply-To: openssh-unix-dev's message of Mon, 24 Jun 2002 21:25:17 EST. <20020624212517.A8211@oolong.il.thewrittenword.com> Message-ID: <20020625023104.09EDF4B24@coconut.itojun.org>
>> +# use libcrypt if there is
>> +AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt")
>> +
>AC_CHECK_LIB(crypt, crypt) will automatically add -lcrypt to $LIBS. It
>will also define HAVE_LIBCRYPT (is this what you're trying to avoid)?
>Anyway, I'd prefer:
> AC_CHECK_FUNCS(crypt, , AC_CHECK_LIB(crypt, crypt))
>This way we check if crypt is resolvable using the existing $LIBS and,
>if not, use $LIBS+-lcrypt.

either way is fine for me, as long as crypt() supplied by the native system is preferred over openssl crypt(). thanks.

itojun
From cmadams at hiwaay.net Tue Jun 25 13:21:30 2002
From: cmadams at hiwaay.net (Chris Adams) Date: Mon, 24 Jun 2002 22:21:30 -0500 Subject: Privsep and AIX.. In-Reply-To: ; from mouring@etoh.eviladmin.org on Mon, Jun 24, 2002 at 07:45:47PM -0500 References: <20020624235615.C18668@greenie.muc.de> Message-ID: <20020624222130.E220570@hiwaay.net>
Once upon a time, Ben Lindstrom said:
> Would anyone object if we dropped the TTY setting in usrinfo(), moved it up
> after the irix_*() call in do_setusercontext() and handled the case when
> someone whines? Hopefully by then the OSF group will have a patch that we can
> tap off of.

Uhh, I will do my best, but I wouldn't hold your breath. AFAIK, I'm the "OSF group", and I just do it as time allows because we've (the ISP I work for) got Tru64 systems with lots of shell users. I haven't had the time to look at privsep since it was introduced (I've given it brief looks a couple of times but haven't quite got my head around it yet).

I don't think anyone at DEC^WCompaq^WHP has any interest in OpenSSH, as they have on their site as a free download the SSH.com version (which I understand will be in Tru64 5.1B later this year). I plan to continue to run OpenSSH instead (because I think it is the superior solution), so I'll try to keep it working, but I don't know how much other interest there is.
-- 
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
From mike at enoch.org Tue Jun 25 13:45:33 2002
From: mike at enoch.org (Mike Johnson) Date: Mon, 24 Jun 2002 23:45:33 -0400 Subject: Small patch for RPM spec file (kerberos) Message-ID: <20020625034532.GZ22072@enoch.org> I decided to try openssh 3.3p1 on my Mandrake box that's lacking a complete install of kerberos. Installed the SRPM, ran rpm -bb openssh.spec and it bombed. Made it through the configure stage and moved onto compilation, where it barfed because it couldn't find the kerberos headers (I had krb5-libs installed, but not krb5-devel). Attached is a small little patch to the spec file to add a couple build prerequisites that seem to take care of the problem. Do with it as you will. Mike -- "Let the power of Ponch compel you! Let the power of Ponch compel you!" -- Zorak on Space Ghost GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF C821 89C4 DF9A 5DDD 95D1 GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc -------------- next part -------------- --- openssh.spec.orig Mon Jun 24 23:16:36 2002 +++ openssh.spec Mon Jun 24 23:17:16 2002 @@ -97,6 +97,10 @@ %if ! %{no_gnome_askpass} BuildPreReq: gnome-libs-devel %endif +%if %{kerberos5} +BuildPreReq: krb5-libs, krb5-devel +%endif + %package clients Summary: OpenSSH clients. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 230 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020624/c9815708/attachment.bin From fcusack at fcusack.com Tue Jun 25 15:51:35 2002 
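Review bot: in the openssh.spec hunk above, `BuildPreReq: krb5-libs, krb5-devel` names more than it needs; krb5-devel already requires krb5-libs on Red Hat and Mandrake, so listing krb5-devel alone fixes the missing-headers build failure without tying the spec to the runtime package name. The `%if %{kerberos5}` test also assumes a `kerberos5` macro is defined earlier in the spec (the hunk does not show one); if it is only set from the build command line, give it a default with `%{!?kerberos5:%define kerberos5 0}` so the spec still parses without the flag.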
From: fcusack at fcusack.com (Frank Cusack) Date: Mon, 24 Jun 2002 22:51:35 -0700 Subject: PAM kbd-int with privsep In-Reply-To: <1024969975.5925.172.camel@xenon>; from djm@mindrot.org on Tue, Jun 25, 2002 at 11:52:55AM +1000 References: <1024969975.5925.172.camel@xenon> Message-ID: <20020624225135.L23163@google.com>
On Tue, Jun 25, 2002 at 11:52:55AM +1000, Damien Miller wrote:
> The patch has a limitation: it does not handle multiple prompts - I have
> no idea how common these are in real-life.

I need multiple prompts, and I'm real. :-)

/fc
From pekkas at netcore.fi Tue Jun 25 15:59:00 2002
From: pekkas at netcore.fi (Pekka Savola) Date: Tue, 25 Jun 2002 08:59:00 +0300 (EEST) Subject: use libcrypt before libcrypto In-Reply-To: <20020625023104.09EDF4B24@coconut.itojun.org> Message-ID:
On Tue, 25 Jun 2002 itojun at iijlab.net wrote:
> >> +# use libcrypt if there is
> >> +AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt")
> >> +
> >AC_CHECK_LIB(crypt, crypt) will automatically add -lcrypt to $LIBS. It
> >will also define HAVE_LIBCRYPT (is this what you're trying to avoid)?
> >Anyway, I'd prefer:
> > AC_CHECK_FUNCS(crypt, , AC_CHECK_LIB(crypt, crypt))
> >This way we check if crypt is resolvable using the existing $LIBS and,
> >if not, use $LIBS+-lcrypt.
> 
> either way is fine for me, as long as crypt() supplied by the
> native system is preferred over openssl crypt(). thanks.

Umm.. could this (possibly) break some of those ancient flavors of Unix where native crypt is really crappy and OpenSSL crypt is the only real way to go?
-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
From itojun at iijlab.net Tue Jun 25 16:23:00 2002
From: itojun at iijlab.net (itojun at iijlab.net) Date: Tue, 25 Jun 2002 15:23:00 +0900 Subject: use libcrypt before libcrypto In-Reply-To: pekkas's message of Tue, 25 Jun 2002 08:59:00 +0300. Message-ID: <20020625062300.CF8904B24@coconut.itojun.org>
>> either way is fine for me, as long as crypt() supplied by the
>> native system is preferred over openssl crypt(). thanks.
>Umm.. could this (possibly) break some of those ancient flavors of Unix
>where native crypt is really crappy and OpenSSL crypt is the only real way
>to go?

such as? such a platform should have been in trouble anyway...

itojun
From pekkas at netcore.fi Tue Jun 25 16:39:45 2002
From: pekkas at netcore.fi (Pekka Savola) Date: Tue, 25 Jun 2002 09:39:45 +0300 (EEST) Subject: use libcrypt before libcrypto In-Reply-To: <20020625062300.CF8904B24@coconut.itojun.org> Message-ID:
On Tue, 25 Jun 2002 itojun at iijlab.net wrote:
> >> either way is fine for me, as long as crypt() supplied by the
> >> native system is preferred over openssl crypt(). thanks.
> >Umm.. could this (possibly) break some of those ancient flavors of Unix
> >where native crypt is really crappy and OpenSSL crypt is the only real way
> >to go?
> 
> such as? such a platform should have been in trouble anyway...

I don't know, but looking at how broken && old systems OpenSSH supports, I wouldn't be surprised. All I'm saying is this might not be a "trivial" change and may need some testing..
-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
From bugzilla-daemon at mindrot.org Tue Jun 25 16:45:22 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 25 Jun 2002 16:45:22 +1000 (EST) Subject: [Bug 289] New: mmap error when trying to use 3.3p1 with privsep Message-ID: <20020625064522.DC35CE8EA@shitei.mindrot.org>
http://bugzilla.mindrot.org/show_bug.cgi?id=289
Summary: mmap error when trying to use 3.3p1 with privsep
Product: Portable OpenSSH
Version: 3.1p1
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: major
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: mark.hershenson at aresdirect.com

In order to play with 3.3p1 and privilege separation, I compiled and installed the OpenSSH source into /usr/local/openssh-3.3p1. I also created the /var/empty directory and assigned it its proper privileges, and added the sshd user/group. I then ran the sshd daemon using:

/usr/local/openssh-3.3p1/sbin/sshd

With the following config file:

================
# $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/openssh-3.3p1/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port 2200 Protocol 2,1 ListenAddress 0.0.0.0 #ListenAddress :: # HostKey for protocol version 1 HostKey /usr/local/openssh-3.3p1/etc/ssh_host_key # HostKeys for protocol version 2 HostKey /usr/local/openssh-3.3p1/etc/ssh_host_rsa_key HostKey /usr/local/openssh-3.3p1/etc/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 3600 #ServerKeyBits 768 # Logging #obsoletes QuietMode and FascistLogging SyslogFacility AUTH LogLevel DEBUG # Authentication: #LoginGraceTime 600 PermitRootLogin yes #StrictModes yes #RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys # rhosts authentication should not be used #RhostsAuthentication no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # For this to work you will also need host keys in /usr/local/openssh-3.3p1/etc/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # To disable tunneled clear text passwords, change to no here! 
#PasswordAuthentication yes #PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #AFSTokenPassing no # Kerberos TGT Passing only works with the AFS kaserver #KerberosTgtPassing no # Set this to 'yes' to enable PAM keyboard-interactive authentication # Warning: enabling this may bypass the setting of 'PasswordAuthentication' #PAMAuthenticationViaKbdInt yes #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes PrintMotd yes PrintLastLog yes KeepAlive yes #UseLogin no UsePrivilegeSeparation yes Compression yes #MaxStartups 10 # no default banner path #Banner /some/path #VerifyReverseMapping no # override default of no subsystems Subsystem sftp /usr/local/openssh-3.3p1/libexec/sftp-server ================ I try to SSH to that port, and I see this in /var/log/messages: Jun 24 23:39:31 mallard sshd[26833]: Server listening on 0.0.0.0 port 2200. Jun 24 23:39:31 mallard sshd[26833]: Generating 768 bit RSA key. Jun 24 23:39:31 mallard sshd[26833]: RSA key generation complete. Jun 24 23:39:35 mallard sshd[26839]: Connection from 127.0.0.1 port 1193 Jun 24 23:39:35 mallard sshd[26839]: Enabling compatibility mode for protocol 2.0 Jun 24 23:39:35 mallard sshd[26839]: fatal: mmap(65536): Invalid argument If it's on an mmap level, it wouldn't seem a source level bug, not a misconfiguration, but if I'm wrong, I'd love to find that out. :) The system is running RedHat 7.0, kernel 2.2.16-22, and runs OpenSSH 3.x just great! Any help would be welcome, and any additional information required need only be asked for. Thanks! ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Jun 25 17:01:22 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 25 Jun 2002 17:01:22 +1000 (EST) Subject: [Bug 290] New: auth_method set incorrectly in mm_answer_keyverify() Message-ID: <20020625070122.9C923E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=290 Summary: auth_method set incorrectly in mm_answer_keyverify() Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: Linux Status: NEW Severity: major Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: halley at play-bow.org Some friends pointed out some logging weirdness with OpenSSH 3.3; I checked it out on my system and saw the same thing. It says: sshd[24182]: Accepted hostbased for halley from 127.0.0.1 port 52472 ssh2 even though it was using publickey authentication (and tracing via the client verifies that the publickey was used). Hostbased authentication is disabled in my config file. Figuring this was a logging bug, I went hunting in the code. In mm_answer_keyverify() is the line: auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased"; But this line occurs *after* the call to monitor_reset_key_state(), which sets key_blobtype to MM_NOKEY. Moving the auth_method assignment before the call to monitor_reset_key_state() fixed the problem. I don't think anything else bad happens because of this bug, but I don't know the code well enough to be sure. I also don't think there are any side effects from moving the assignment, but again, I can't be certain. Keep up the good work on OpenSSH! /Bob From bugzilla-daemon at mindrot.org Tue Jun 25 17:08:43 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 25 Jun 2002 17:08:43 +1000 (EST) Subject: [Bug 289] mmap error when trying to use 3.3p1 with privsep Message-ID: <20020625070843.5CA92E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=289 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |DUPLICATE ------- Additional Comments From dtucker at zip.com.au 2002-06-25 17:08 ------- *** This bug has been marked as a duplicate of 285 *** From bugzilla-daemon at mindrot.org Tue Jun 25 17:08:48 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 25 Jun 2002 17:08:48 +1000 (EST) Subject: [Bug 285] 3.3p1 on Linux 2.2.x doesn't accept connections Message-ID: <20020625070848.C0597E902@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=285 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mark.hershenson at aresdirect.com ------- Additional Comments From dtucker at zip.com.au 2002-06-25 17:08 ------- *** Bug 289 has been marked as a duplicate of this bug. *** From janfrode at parallab.uib.no Tue Jun 25 17:48:25 2002
From: janfrode at parallab.uib.no (Jan-Frode Myklebust) Date: Tue, 25 Jun 2002 09:48:25 +0200 Subject: IRIX on OpenSSH 3.3 In-Reply-To: References: Message-ID: <20020625074825.GA14717@ii.uib.no> On Mon, Jun 24, 2002 at 03:32:30PM -0500, Ben Lindstrom wrote: > > Can I get someone running IRIX to tell me if this > > http://bugzilla.mindrot.org/show_bug.cgi?id=151 > http://bugzilla.mindrot.org/show_bug.cgi?id=280 > http://bugzilla.mindrot.org/show_bug.cgi?id=281 > Bug 280 is at least fixed, and ssh with privsep enabled works for me on IRIX 6.5 with the MIPSPro compilers. I don't know about 151 and 281 as I haven't tested on IRIX 6.2/R4000 yet. OpenSSH has been configured with the following options: User binaries: /usr/openssh/bin System binaries: /usr/openssh/sbin Configuration files: /usr/openssh/etc Askpass program: /usr/openssh/libexec/ssh-askpass Manual pages: /usr/openssh/man/manX PID file: /usr/openssh/etc Privilege separation chroot path: /var/empty sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/openssh/bin Manpage format: man PAM support: no KerberosIV support: no KerberosV support: no Smartcard support: no AFS support: no S/KEY support: no TCP Wrappers support: yes MD5 password support: no IP address in $DISPLAY hack: no Use IPv4 by default hack: no Translate v4 in v6 hack: no BSD Auth support: no Random number source: ssh-rand-helper ssh-rand-helper collects from: Command hashing (timeout 200) Host: mips-sgi-irix6.5 Compiler: cc Compiler flags: -g Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include Linker flags: -L/usr/local/ssl/lib Libraries: -lwrap -lz -lgen -lcrypto WARNING: you are using the builtin random number collection service. Please read WARNING.RNG and request that your OS vendor includes kernel-based random number collection in future versions of your OS. -jf From papier at sdv.fr Tue Jun 25 17:53:54 2002
From: papier at sdv.fr (Laurent Papier) Date: Tue, 25 Jun 2002 09:53:54 +0200 Subject: Info on OpenSSH latest vuln. ? Message-ID: <20020625095354.5a37ecfb.papier@sdv.fr> Hi, it seems that there is a vulnerability in OpenSSH including version 3.3. Using privilege separation does not fix the problem but leaves the intruder in the chroot of the sshd daemon. The OpenBSD team announced that they will release a new version 3.4 on Monday that fixes the vulnerability. Will a new version of portable OpenSSH also be released on Monday? Or could we already upgrade to v3.3 and activate privilege separation? -- Laurent Papier - Sys. Admin From gert at greenie.muc.de Tue Jun 25 18:09:15 2002
From: gert at greenie.muc.de (Gert Doering) Date: Tue, 25 Jun 2002 10:09:15 +0200 Subject: Privsep and AIX.. In-Reply-To: ; from mouring@etoh.eviladmin.org on Mon, Jun 24, 2002 at 07:45:47PM -0500 References: <20020624235615.C18668@greenie.muc.de> Message-ID: <20020625100914.E18668@greenie.muc.de> Hi, On Mon, Jun 24, 2002 at 07:45:47PM -0500, Ben Lindstrom wrote: > Would anyone object if we dropped the TTY setting in usrinfo() move it up > after the irix_*() call in do_setusercontext() and handle the case when > someone whines? Hopefully by then OSF group will have a patch that we can > tap off of. No objections from me. Sounds like a strategy to get it working quickly, but with a route to "do it right" later on. gert ... off to upgrade a gazillion FreeBSD and Linux systems to 3.3 -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From bugzilla-daemon at mindrot.org Tue Jun 25 18:09:41 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 25 Jun 2002 18:09:41 +1000 (EST) Subject: [Bug 259] UsePrivilegeSeparation crashed sshd under Linux 2.2 Message-ID: <20020625080941.15B7EE8FF@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=259 ------- Additional Comments From Al.Smith at gold.net 2002-06-25 18:09 ------- Linux 2.2 defines MAP_ANON in , however it can be seen in /usr/src/linux/mm/mmap.c (lines 200 onwards) that if MAP_ANON is used then the system call will return -EINVAL. The following is a quick hack to get openssh to compile on linux 2.2: diff -ur openssh-3.3p1-orig/monitor_mm.c openssh-3.3p1/monitor_mm.c --- openssh-3.3p1-orig/monitor_mm.c Fri Jun 7 03:57:25 2002 +++ openssh-3.3p1/monitor_mm.c Tue Jun 25 10:06:06 2002 @@ -84,6 +84,7 @@ */ mm->mmalloc = mmalloc; +#undef MAP_ANON #if defined(HAVE_MMAP) && defined(MAP_ANON) address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, -1, 0); diff -ur openssh-3.3p1-orig/servconf.c openssh-3.3p1/servconf.c --- openssh-3.3p1-orig/servconf.c Fri Jun 21 08:20:44 2002 +++ openssh-3.3p1/servconf.c Tue Jun 25 10:06:02 2002 @@ -257,6 +257,7 @@ if (use_privsep == -1) use_privsep = 1; +#undef MAP_ANON #if !defined(HAVE_MMAP) || !defined(MAP_ANON) if (use_privsep && options->compression == 1) { error("This platform does not support both privilege " From marek at bmlv.gv.at Tue Jun 25 18:27:24 2002
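Review bot: the `+#undef MAP_ANON` placed just before `#if defined(HAVE_MMAP) && defined(MAP_ANON)` in the monitor_mm.c hunk forces the non-mmap fallback on every platform that builds this file, not only on the Linux 2.2 kernels whose mmap() rejects MAP_ANON with -EINVAL; systems with a working anonymous mmap lose the shared mapping too. Guard the undef with a configure-time test or a kernel check rather than undefining a system macro unconditionally, and say in a comment why it is there, since a bare `#undef` of a header macro will puzzle the next reader.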
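Review bot: the `+#undef MAP_ANON` in the servconf.c hunk duplicates the one in monitor_mm.c, so the two copies can drift: if one file later regains MAP_ANON and the other does not, the `use_privsep && options->compression == 1` check no longer reflects what monitor_mm.c actually does. Decide the capability once (in configure or a header both files include) and have both consult that single definition instead of undefining the macro in each compilation unit.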
From: marek at bmlv.gv.at (Ph. Marek) Date: Tue, 25 Jun 2002 10:27:24 +0200 Subject: Using SSH as "su"-substitute Message-ID: <200206251027.25009.marek@bmlv.gv.at> Hello everybody! I'd like to present a feature wish: using ssh as a substitute for su. Of course, if I have a forwarding agent (or the correct key) I can simply do an ssh -l localhost but that's not really optimal - the environment gets lost as I'm newly logged in, agent forwarding has one more hop to traverse, the data is once more en/decrypted, ... So I propose a new ssu tool which uses the current ssh-agent (or key in the filesystem) to verify authorization to su to another user (without using a password). Alternatively it may be possible (at least on some systems) to use a PAM-Module which does this. Usage: ssu [-] [Username] [-i identityFile] [-c command] It has the verification part of sshd and the frontend of ssh. Comments? Regards, Phil From vinschen at redhat.com Tue Jun 25 18:34:33 2002
From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 25 Jun 2002 10:34:33 +0200 Subject: Upcoming OpenSSH vulnerability In-Reply-To: <20020624210631.GF24956@faui02> References: <200206242100.g5OL0BLL019128@cvs.openbsd.org> <20020624210631.GF24956@faui02> Message-ID: <20020625103433.U22705@cygbert.vinschen.de> On Mon, Jun 24, 2002 at 11:06:31PM +0200, Markus Friedl wrote: > On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote: > > However, I can say that when OpenSSH's sshd(8) is running with priv > > seperation, the bug cannot be exploited. I hope that you're working on getting that bug fixed also for systems which aren't able to support privsep due to system constraints. The Cygwin version of OpenSSH can't support it since sendmsg()/recvmsg() currently can't transmit file descriptors. Can we expect a bug fix which helps also for non-privsep'd sshds? Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From bugzilla-daemon at mindrot.org Tue Jun 25 18:50:24 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 25 Jun 2002 18:50:24 +1000 (EST) Subject: [Bug 291] New: /tmp/ssh-xxxx socket directories clutter up /tmp Message-ID: <20020625085024.493A3E8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=291 Summary: /tmp/ssh-xxxx socket directories clutter up /tmp Product: Portable OpenSSH Version: -current Platform: Other OS/Version: other Status: NEW Severity: normal Priority: P2 Component: ssh-agent AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: simons+mindrot at cryp.to Would it be possible to put the directories holding the ssh-agent's socket in some other location than /tmp? I am asking because on a highly frequented system, those directories clutter up /tmp significantly. Maybe /var/run or /var/spool/sockets would be a more appropriate place for them? Or would you consider using /tmp/.ssh-xxxx instead so that at least the directories are not visible all the time, like X11 and others do it? Thanks! From bugzilla-daemon at mindrot.org Tue Jun 25 19:59:38 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 25 Jun 2002 19:59:38 +1000 (EST) Subject: [Bug 292] New: sshd[1663]: fatal: mmap(65536): Invalid argument Message-ID: <20020625095938.36DA0E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=292 Summary: sshd[1663]: fatal: mmap(65536): Invalid argument Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: Linux Status: NEW Severity: major Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: buggz at america.net I get an error on the 3.3 version. From dtucker at zip.com.au Tue Jun 25 20:08:27 2002
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 25 Jun 2002 20:08:27 +1000 Subject: Privsep and AIX.. References: Message-ID: <3D18411A.B15E63E4@zip.com.au> Ben Lindstrom wrote: > > Would anyone object if we dropped the TTY setting in usrinfo() move it up > after the irix_*() call in do_setusercontext() and handle the case when > someone whines? Hopefully by then OSF group will have a patch that we can > tap off of. > > If not can one of you two pass me a patch to do it? Yep, that works on my 4.2.1 box! -Daz. $ ssh -l dtucker -p 3022 localhost dtucker at localhost's password: $ uname -s AIX $ ps -eaf | grep sshd | grep Priv root 12380 19194 0 19:56:55 pts/1 0:01 ./sshd -d -o UsePrivilegeSeparation -o Port dtucker 18768 12380 0 19:57:29 pts/1 0:00 ./sshd -d -o UsePrivilegeSeparation -o Port -------------- next part -------------- Index: session.c =================================================================== RCS file: /cvs/openssh/session.c,v retrieving revision 1.204 diff -u -r1.204 session.c --- session.c 23 Jun 2002 21:48:29 -0000 1.204 +++ session.c 25 Jun 2002 09:44:08 -0000 @@ -1152,6 +1152,8 @@ void do_setusercontext(struct passwd *pw) { + char tty; + #ifdef HAVE_CYGWIN if (is_winnt) { #else /* HAVE_CYGWIN */ @@ -1196,6 +1198,9 @@ # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) irix_setusercontext(pw); # endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ +# ifdef _AIX + aix_usrinfo(pw, &tty, -1); +# endif /* _AIX */ /* Permanently switch to the desired uid. */ permanently_set_uid(pw); #endif @@ -1259,7 +1264,8 @@ #else /* HAVE_OSF_SIA */ do_nologin(pw); # ifdef _AIX - aix_usrinfo(pw, s->tty, s->ttyfd); + if (geteuid() == 0) + aix_usrinfo(pw, s->tty, s->ttyfd); # endif /* _AIX */ do_setusercontext(pw); #endif /* HAVE_OSF_SIA */ From bugzilla-daemon at mindrot.org Tue Jun 25 20:22:28 2002
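Review bot: `+ char tty;` in the first hunk is never initialized, yet the second hunk passes `&tty` to `aix_usrinfo(pw, &tty, -1)` in the argument position where the third hunk passes `s->tty`, a tty name string; a single uninitialized char is not a NUL-terminated string, so the callee can read past it. Initialize it (`char tty = '\0';`) or pass a real empty string, and add a comment at the call site saying that `-1` means no tty fd is known at this point.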
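Review bot: the `if (geteuid() == 0)` guard in the third hunk only decides whether the first `aix_usrinfo(pw, s->tty, s->ttyfd)` runs; `do_setusercontext(pw)`, called immediately after it, now unconditionally calls `aix_usrinfo(pw, &tty, -1)` with an empty tty, so in the non-privsep case the entry carrying the real tty is set and then replaced by one without it. Either skip the second call when a tty was already registered, or pass the session's tty into do_setusercontext() so the last call wins with the right value.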
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 25 Jun 2002 20:22:28 +1000 (EST) Subject: [Bug 292] sshd[1663]: fatal: mmap(65536): Invalid argument Message-ID: <20020625102228.D77EAE8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=292 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |DUPLICATE ------- Additional Comments From dtucker at zip.com.au 2002-06-25 20:22 ------- *** This bug has been marked as a duplicate of 285 *** From bugzilla-daemon at mindrot.org Tue Jun 25 20:22:33 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 25 Jun 2002 20:22:33 +1000 (EST) Subject: [Bug 285] 3.3p1 on Linux 2.2.x doesn't accept connections Message-ID: <20020625102233.CBE19E902@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=285 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |buggz at america.net ------- Additional Comments From dtucker at zip.com.au 2002-06-25 20:22 ------- *** Bug 292 has been marked as a duplicate of this bug. *** From provos at citi.umich.edu Tue Jun 25 20:24:46 2002
From: provos at citi.umich.edu (Niels Provos) Date: Tue, 25 Jun 2002 06:24:46 -0400 Subject: PAM kbd-int with privsep In-Reply-To: <1024969975.5925.172.camel@xenon> References: <1024969975.5925.172.camel@xenon> Message-ID: <20020625102446.GF15772@citi.citi.umich.edu> On Tue, Jun 25, 2002 at 11:52:55AM +1000, Damien Miller wrote: > The following is a patch (based on FreeBSD code) which gets kbd-int > working with privsep. It moves the kbd-int PAM conversation to a child > process and communicates with it over a socket. Some comments. I am pretty tired so I might have missed something. > + va_start(ap, fmt); > + len = vsnprintf(buf, sizeof(buf), fmt, ap); > + va_end(ap); > + if (len == -1 || len > sizeof(buf)) > + fatal("sshpam_send: message too long"); > + mstr = xstrdup(buf); > + if (ctxt->pid != 0) > + debug2("to child: %d bytes", len); > + r = send(ctxt->sock, mstr, len + 1, MSG_EOR); > + free(mstr); > + return (r); > +} The check on the vsnprintf length is off by one. It should be len >= sizeof(buf): These functions return the number of characters printed (not including the trailing `\0' used to end output to strings), except for snprintf() and vsnprintf(), which return the number of characters that would have been printed if the size were unlimited (again, not including the final `\0'). > + ctxt = data; > + if (n <= 0 || n > PAM_MAX_NUM_MSG) > + return (PAM_CONV_ERR); > + if ((*resp = calloc(n, sizeof **resp)) == NULL) > + return (PAM_BUF_ERR); This code would be better if the sizeof would be on struct pam_msg or whatever it is that resp points to.
> + > + debug2(__func__); > + switch (ctxt->done) { > + case 1: > + return (0); > + case 0: > + break; > + default: > + return (-1); > + } > + if (num != 1) { > + error("expected one response, got %u", num); > + return (-1); > + } > + sshpam_send(ctxt, "%s", *resp); > + switch (sshpam_peek(ctxt)) { > + case 'P': > + case 'p': > + return (1); > + case '=': > + msg = sshpam_receive(ctxt); > + xfree(msg); > + ctxt->done = 1; > + return (0); > + default: > + msg = sshpam_receive(ctxt); > + if (*msg == '!') > + error("%s", msg + 1); > + xfree(msg); > + ctxt->done = -1; > + return (-1); > } This part could use some comments about what the magic values do. > +#ifdef USE_PAM > + {MONITOR_REQ_PAM_INIT_CTX, 0, mm_answer_sshpam_init_ctx}, > + {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, > + {MONITOR_REQ_PAMQUERY, MON_ISAUTH, mm_answer_sshpamquery}, > + {MONITOR_REQ_PAMRESPOND, MON_AUTH, mm_answer_sshpamrespond}, > + {MONITOR_REQ_PAM_FREE_CTX, 0, mm_answer_sshpam_free_ctx}, > +#endif > {0, 0, NULL} > }; The INIT and FREE_CTX could use MON_ONCE. Right? (I do not really know, but it looks like it). > > +void > +mm_sshpam_free_ctx(void *ctxtp) > +{ > +} > + If the child never calls free_ctx, then the monitor code for this case is not needed. Or this function needs to be filled in to free the context correctly. More eyes should look at the monitor code. Niels. From ayamura at ayamura.org Tue Jun 25 20:40:16 2002
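Review bot: in the sshpam_send fragment the `len > sizeof(buf)` test lets `len == sizeof(buf)` through, and that case is already truncated: vsnprintf then wrote sizeof(buf) - 1 characters plus the NUL, `xstrdup(buf)` allocates sizeof(buf) bytes, and `send(ctxt->sock, mstr, len + 1, MSG_EOR)` reads sizeof(buf) + 1 bytes, one past the end of the copy. Use `len >= sizeof(buf)` (comparing as size_t only after the `len == -1` check) and send straight from `buf`; the xstrdup/free pair adds nothing.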
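Review bot: in the `switch (sshpam_peek(ctxt))` default branch, `msg = sshpam_receive(ctxt)` is dereferenced as `*msg == '!'` with no check for a NULL return; if the receive fails on a closed socket or a short read this is a crash in the authentication path. Check the return before using it, and give the 'P', 'p', '=' and '!' prefix bytes named constants with a comment describing the child/parent protocol, as the review above also asks.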
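Niels's point about the vsnprintf length check, as an added example written for this page (not code from the posted patch or from OpenSSH): a formatting helper that separates "fits", "truncated" and "error", beside the shape of the check the patch uses, so the off-by-one consequence can be observed. The function names and the 8-byte demo buffer are assumptions chosen to make the edge case easy to hit.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Format a message into buf[bufsz] and return the number of bytes a sender
 * would transmit (the text plus its terminating NUL), or -1 if the message
 * could not be formatted or did not fit.
 *
 * vsnprintf() returns the length the complete output WOULD have had, not
 * counting the NUL, no matter how much actually fit. A message of exactly
 * bufsz characters needs bufsz + 1 bytes and has therefore already been
 * cut short, so the truncation test must be >=, not >.
 */
int format_for_send(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    int len;

    va_start(ap, fmt);
    len = vsnprintf(buf, bufsz, fmt, ap);
    va_end(ap);

    if (len < 0)                 /* encoding or format error */
        return -1;
    if ((size_t)len >= bufsz)    /* truncated: refuse rather than send a cut message */
        return -1;
    return len + 1;              /* text plus NUL, as the patch's send() transmits */
}

/*
 * The check as written in the posted patch, reproduced only to show the
 * failure: with len == bufsz it reports success and asks the caller to send
 * len + 1 == bufsz + 1 bytes from a bufsz-byte buffer, one past the end.
 */
int format_for_send_offbyone(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    int len;

    va_start(ap, fmt);
    len = vsnprintf(buf, bufsz, fmt, ap);
    va_end(ap);

    if (len == -1 || (size_t)len > bufsz)
        return -1;
    return len + 1;
}

/* Constructed buffer size for the demo: 8 bytes hold 7 characters plus NUL. */
#define DEMO_BUFSZ 8

int demo_correct(const char *text)
{
    char buf[DEMO_BUFSZ];
    return format_for_send(buf, sizeof(buf), "%s", text);
}

int demo_offbyone(const char *text)
{
    char buf[DEMO_BUFSZ];
    return format_for_send_offbyone(buf, sizeof(buf), "%s", text);
}

int main(void)
{
    printf("7 chars, correct check:    %d\n", demo_correct("1234567"));    /* 8  */
    printf("8 chars, correct check:    %d\n", demo_correct("12345678"));   /* -1 */
    printf("8 chars, off-by-one check: %d\n", demo_offbyone("12345678"));  /* 9  */
    return 0;
}
```

The 8-character case is the one the patch mishandles: the correct helper rejects it, while the patch's check accepts it and would send 9 bytes from an 8-byte buffer.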
From: ayamura at ayamura.org (Ayamura KIKUCHI) Date: Tue, 25 Jun 2002 19:40:16 +0900 Subject: IRIX on OpenSSH 3.3 In-Reply-To: <20020625074825.GA14717@ii.uib.no> References: <20020625074825.GA14717@ii.uib.no> Message-ID: <86vg87d4kv.wl@sea.ayamura.org> > > Can I get someone running IRIX to tell me if this > > > > http://bugzilla.mindrot.org/show_bug.cgi?id=151 > > http://bugzilla.mindrot.org/show_bug.cgi?id=280 > > http://bugzilla.mindrot.org/show_bug.cgi?id=281 > Bug 280 is at least fixed, and ssh with privsep enabled works for > me on IRIX 6.5 with the MIPSPro compilers. I don't know about 151 and > 281 as I haven't tested on IRIX 6.2/R4000 yet. Bug# 151 and 280 are already fixed. PasswordAuthentication on IRIX 6.5 works well at least on IRIX 6.5 without Kerberos. PrivSep is not supported on IRIX which lacks mmap or anonymous (MAP_ANON) memory mapping. But the patch included in the message may resolve it. -- ayamura Ayamura KIKUCHI, M.D., Ph.D. From markus at openbsd.org Tue Jun 25 20:40:24 2002
From: markus at openbsd.org (Markus Friedl) Date: Tue, 25 Jun 2002 12:40:24 +0200 Subject: BSD/OS with privsep Message-ID: <20020625104024.GA29885@faui02> I need this for BSD/OS 4.2 + privsep perhaps we should not call do_setusercontext() after chroot(). --- sshd.c.orig Fri Jun 21 03:09:47 2002 +++ sshd.c Tue Jun 25 13:11:03 2002
@@ -548,21 +548,35 @@ /* Change our root directory*/ if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, strerror(errno)); if (chdir("/") == -1) fatal("chdir(\"/\"): %s", strerror(errno)); /* Drop our privileges */ debug3("privsep user:group %u:%u", (u_int)pw->pw_uid, (u_int)pw->pw_gid); +#if 0 + /* XXX not ready, to heavy after chroot */ do_setusercontext(pw); +#else + { + gid_t gidset[2]; + + gidset[0] = pw->pw_gid; + if (setgid(pw->pw_gid) < 0) + fatal("setgid failed for %u", pw->pw_gid ); + if (setgroups(1, gidset) < 0) + fatal("setgroups: %.100s", strerror(errno)); + permanently_set_uid(pw); + } +#endif } static Authctxt* privsep_preauth(void) { Authctxt *authctxt = NULL; int status; pid_t pid; /* Set up unprivileged child process to deal with network data */ --- session.c.orig Tue Jun 25 13:28:07 2002 +++ session.c Tue Jun 25 13:33:16 2002 @@ -1154,22 +1154,26 @@ { #ifdef HAVE_CYGWIN if (is_winnt) { #else /* HAVE_CYGWIN */ if (getuid() == 0 || geteuid() == 0) { #endif /* HAVE_CYGWIN */ #ifdef HAVE_SETPCRED setpcred(pw->pw_name); #endif /* HAVE_SETPCRED */ #ifdef HAVE_LOGIN_CAP - if (setusercontext(lc, pw, pw->pw_uid, - (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { + int flags = LOGIN_SETALL & ~LOGIN_SETPATH; +#ifdef __bsdi__ + if (getpid() != getpgrp()) + flags &= ~LOGIN_SETLOGIN; +#endif + if (setusercontext(lc, pw, pw->pw_uid, flags) < 0) { perror("unable to set user context"); exit(1); } #else # if defined(HAVE_GETLUID) && defined(HAVE_SETLUID) /* Sets login uid for accounting */ if (getluid() == -1 && setluid(pw->pw_uid) == -1) error("setluid: %s", strerror(errno)); # endif /* defined(HAVE_GETLUID) && defined(HAVE_SETLUID) */ From openssh-unix-dev at thewrittenword.com Tue Jun 25 20:45:56 2002 
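Review bot: the sshd.c hunk keeps the old `do_setusercontext(pw);` under `#if 0` with an XXX comment, so the file now carries dead code next to its replacement; drop it once the lighter sequence is agreed on. In the replacement, the `setgid` failure reports `pw->pw_gid` with `%u` but without the `(u_int)` cast the `debug3` just above uses and without strerror, unlike the `setgroups` message beside it; and `gidset[2]` only ever uses element 0, so `gid_t gidset[1]` says what is meant.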
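Review bot: the session.c hunk introduces `int flags = LOGIN_SETALL & ~LOGIN_SETPATH;` after the `setpcred(pw->pw_name);` statement that sits inside the preceding `#ifdef HAVE_SETPCRED` block, so a build with both HAVE_SETPCRED and HAVE_LOGIN_CAP has a declaration after a statement, which C89 compilers reject. Move the declaration up with the other locals, and say in a comment why `getpid() != getpgrp()` is the right way to detect the privsep case on `__bsdi__` rather than consulting the existing use_privsep flag.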
From: openssh-unix-dev at thewrittenword.com (Albert Chin) Date: Tue, 25 Jun 2002 05:45:56 -0500 Subject: use libcrypt before libcrypto In-Reply-To: ; from pekkas@netcore.fi on Tue, Jun 25, 2002 at 09:39:45AM +0300 References: <20020625062300.CF8904B24@coconut.itojun.org> Message-ID: <20020625054556.A18340@oolong.il.thewrittenword.com> On Tue, Jun 25, 2002 at 09:39:45AM +0300, Pekka Savola wrote: > On Tue, 25 Jun 2002 itojun at iijlab.net wrote: > > >> either way is fine for me, as long as crypt() supplied by the > > >> native system is preferred to openssl crypt(). thanks. > > >Umm.. could this (possibly) break some of those ancient flavors of Unix > > >where native crypt is really crappy and OpenSSL crypt is the only real way > > >to go? > > > > such as? such a platform should have been in trouble anyways... > > I don't know, but looking at how broken && old systems OpenSSH supports, I > wouldn't be surprised. > > All I'm saying is this might not be a "trivial" change and may need some > testing.. Then you should test for a "broken" crypt and not assume that finding crypt in $LIBS or "$LIBS -lcrypt" works. -- albert chin (china at thewrittenword.com) From provos at citi.umich.edu Tue Jun 25 21:04:42 2002
From: provos at citi.umich.edu (Niels Provos) Date: Tue, 25 Jun 2002 07:04:42 -0400 Subject: BSD/OS with privsep In-Reply-To: <20020625104024.GA29885@faui02> References: <20020625104024.GA29885@faui02> Message-ID: <20020625110442.GI15772@citi.citi.umich.edu> On Tue, Jun 25, 2002 at 12:40:24PM +0200, Markus Friedl wrote: > perhaps we should not call do_setusercontext() after > chroot(). Your suggestion of a more light-weight function seemed fine to me. Any reasons why the below should not work everywhere else? Niels. From Weimer at CERT.Uni-Stuttgart.DE Tue Jun 25 22:48:53 2002
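The lighter-weight drop that Markus's sshd.c hunk performs after chroot() (groups and gid first, uid last), as an added example written for this page rather than OpenSSH's own permanently_set_uid(): the same order, followed by an explicit check that root cannot be regained, which is the property privsep relies on. The ids 65534/65534 used when the demo itself starts as root are an assumption (a conventional unprivileged id), not something from the thread; the function names are likewise mine.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/*
 * Give up root irreversibly, in the order the posted sshd.c hunk uses:
 * supplementary groups and primary gid first, uid last. setgroups() is
 * root-only, so it has to happen before the uid goes; a drop that changes
 * the uid first can never shed the supplementary groups afterwards.
 * Returns 0 on success, -1 on failure with errno set by the failing call.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t gidset[1];

    gidset[0] = gid;
    if (geteuid() == 0 && setgroups(1, gidset) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;
    return 0;
}

/*
 * Confirm the drop actually took: real and effective ids both match, and
 * an attempt to become root again fails with EPERM. Returns 1 when root is
 * really gone, 0 when it could be regained (or the caller never left it),
 * -1 on an error other than EPERM.
 */
int privileges_are_gone(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid == 0)
        return 0;               /* still root by request; nothing to verify */
    errno = 0;
    if (setuid(0) == 0 || seteuid(0) == 0)
        return 0;               /* got root back: the drop was not permanent */
    return errno == EPERM ? 1 : -1;
}

/*
 * Self-test. Started as root, drop to the assumed unprivileged ids
 * 65534/65534; otherwise "drop" to the ids we already hold, which goes
 * through the same calls without needing root. Returns the result of
 * privileges_are_gone(), or -2 if the drop itself failed.
 */
int drop_and_verify_self(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (geteuid() == 0) {
        uid = (uid_t)65534;     /* assumption: conventional unprivileged id */
        gid = (gid_t)65534;
    }
    if (drop_privileges(uid, gid) == -1)
        return -2;
    return privileges_are_gone(uid, gid);
}

int main(void)
{
    int r = drop_and_verify_self();

    printf("drop_and_verify_self: %d (1 = root permanently gone)\n", r);
    return r == 1 ? 0 : 1;
}
```

The verification step is the part worth keeping in any such helper: a drop that "succeeds" but leaves a path back to uid 0 (a saved set-user-id, for instance) is exactly the failure a chrooted, unprivileged child is meant to rule out.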
From: Weimer at CERT.Uni-Stuttgart.DE (Florian Weimer) Date: Tue, 25 Jun 2002 14:48:53 +0200 Subject: Help wanted: configure test for busted mmap In-Reply-To: (Ben Lindstrom's message of "Mon, 24 Jun 2002 20:03:13 -0500 (CDT)") References: Message-ID: <87n0tjfrre.fsf@CERT.Uni-Stuttgart.DE> Ben Lindstrom writes: > Rejected already.. SysV Shm not an acceptable solution. MAP_ANONYMOUS and even mmap() is not available on all systems. (BTW: AFAIK, on some systems, you can mmap() from /dev/zero as a replacement of MAP_ANON.) -- Florian Weimer Weimer at CERT.Uni-Stuttgart.DE University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/ RUS-CERT fax +49-711-685-5898 From bugzilla-daemon at mindrot.org Tue Jun 25 23:13:44 2002 
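The MAP_ANON failure behind bug 259 (and the duplicates folded into bug 285) together with Florian's /dev/zero suggestion, as an added example written for this page and not taken from OpenSSH's monitor_mm.c: a mapping helper that tries an anonymous shared mapping first and falls back to mapping /dev/zero, plus a fork() round trip that confirms the region really is shared with a child, which is what the privsep monitor needs from it. The function names are assumptions; 65536 is the size from the error reports.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Some headers spell it MAP_ANONYMOUS; some have neither. */
#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
# define MAP_ANON MAP_ANONYMOUS
#endif

/*
 * Map `size` zero-filled bytes that stay shared across fork(). Try the
 * anonymous shared mapping first; if the macro is missing, or the kernel
 * rejects the flags with EINVAL the way the Linux 2.2 reports describe,
 * map /dev/zero MAP_SHARED instead, which gives the same semantics on
 * systems that allow shared mappings of it. Returns MAP_FAILED on error.
 */
void *map_shared_zero(size_t size)
{
    void *p = MAP_FAILED;
    int fd;

#ifdef MAP_ANON
    p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_ANON | MAP_SHARED, -1, 0);
    if (p != MAP_FAILED)
        return p;
#endif
    fd = open("/dev/zero", O_RDWR);
    if (fd == -1)
        return MAP_FAILED;
    p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);                  /* the mapping keeps its own reference */
    return p;
}

/*
 * Prove the mapping is shared: a forked child writes a marker at the far
 * end of the region and the parent must see it after waiting. Returns 1 if
 * the write is visible, 0 if not (a private mapping would fail here), and
 * -1 on a system-call failure.
 */
int shared_roundtrip(size_t size)
{
    char *p;
    pid_t pid;
    int status, seen;

    p = map_shared_zero(size);
    if (p == MAP_FAILED)
        return -1;
    p[size - 1] = 0;            /* already zero; touch it so the page exists */

    pid = fork();
    if (pid == -1) {
        munmap(p, size);
        return -1;
    }
    if (pid == 0) {
        p[size - 1] = 'X';      /* child: visible to the parent only if shared */
        _exit(0);
    }
    if (waitpid(pid, &status, 0) == -1) {
        munmap(p, size);
        return -1;
    }
    seen = WIFEXITED(status) && WEXITSTATUS(status) == 0 && p[size - 1] == 'X';
    munmap(p, size);
    return seen ? 1 : 0;
}

int main(void)
{
    int r = shared_roundtrip(65536);

    printf("shared_roundtrip(65536) = %d (1 = shared mapping works)\n", r);
    return r == 1 ? 0 : 1;
}
```

Because the fallback is decided at run time on the mmap() result rather than by undefining MAP_ANON at compile time, a build of the same binary keeps anonymous mappings on kernels that support them and only reaches for /dev/zero where the flags are refused.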
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 25 Jun 2002 23:13:44 +1000 (EST) Subject: [Bug 293] New: sshd 3.3p1 doesn't work on Slackware Message-ID: <20020625131344.DCB44E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=293 Summary: sshd 3.3p1 doesn't work on Slackware Product: Portable OpenSSH Version: -current Platform: ix86 URL: http://www.slynet.lu/ OS/Version: Linux Status: NEW Severity: critical Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: slyoldfox at bonbon.net After compiling sshd 3.3p1 on Slackware 7.2 and Slackware 8.0 (for Slackware 7.2 with: LIBS=-lcrypt ./configure --with-ssl-dir=/usr/local/openssl-0.9.6d --with-tcp-wrappers ) the sshd doesn't allow new connections even though 3.2.3p1 does. The error I get in /var/log/syslog is: -- Jun 25 11:27:14 Slynet sshd[18678]: fatal: mmap(65536): Invalid argument Jun 25 11:27:48 Slynet sshd[18682]: fatal: mmap(65536): Invalid argument Jun 25 11:30:31 Slynet sshd[18733]: fatal: mmap(65536): Invalid argument Jun 25 11:53:03 Slynet sshd[24948]: fatal: mmap(65536): Invalid argument Jun 25 11:53:25 Slynet sshd[24950]: fatal: mmap(65536): Invalid argument Jun 25 11:54:38 Slynet sshd[24954]: fatal: mmap(65536): Invalid argument Jun 25 12:22:40 Slynet sshd[31001]: fatal: mmap(65536): Invalid argument -- This happens for every incoming connection .. the connection breaks off and the other client closes with a 'broken pipe' From gert at greenie.muc.de Tue Jun 25 23:21:05 2002
From: gert at greenie.muc.de (Gert Doering) Date: Tue, 25 Jun 2002 15:21:05 +0200 Subject: getnameinfo(), PrivSep, FreeBSD 4.1.1 Message-ID: <20020625152105.H18668@greenie.muc.de> Hi, I spent the last couple of hours scratching my head about a problem on FreeBSD 4.1.1 with OpenSSH 3.3p1. Without privsep: debug1: Trying rhosts with RSA host authentication for client user gert debug3: Trying to reverse map address 195.30.1.100. debug1: Rhosts RSA authentication: canonical host moebius2.space.net debug2: auth_rhosts2: clientuser gert hostname moebius2.space.net ipaddr 195.30.1.100 With privsep: debug3: mm_auth_password: user not authenticated debug3: mm_request_receive entering debug1: Trying rhosts with RSA host authentication for client user gert debug3: Trying to reverse map address 195.30.1.100. Could not reverse map address 195.30.1.100. debug1: Rhosts RSA authentication: canonical host 195.30.1.100 debug3: mm_key_allowed entering debug3: mm_request_send entering: type 20 This happens both with the library getnameinfo() and with the openbsd-compat/fake-getnameinfo one. It happens only for ssh-1 connections and only if RhostsRSAAuthentication is enabled (which I currently can't completely get rid of). On more recent FreeBSD systems [4.4 and up], PrivSep works just fine, no weird hangs due to reverse DNS failing. Any ideas what could be causing this? Why is this lookup needed at all? (RhostsAuthentication is off, RhostsRSAAuthentication doesn't use the IP->Hostname relation for the .*hosts lookup anyway) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From dtucker at zip.com.au Tue Jun 25 23:23:42 2002 
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 25 Jun 2002 23:23:42 +1000 Subject: Privsep and AIX: patch take 2 References: <3D18411A.B15E63E4@zip.com.au> Message-ID: <3D186EDE.1F1171A5@zip.com.au> Darren Tucker wrote: > > Ben Lindstrom wrote: > > > > Would anyone object if we dropped the TTY setting in usrinfo() move it up > > after the irix_*() call in do_setusercontext() and handle the case when > > someone whines? Hopefully by then OSF group will have a patch that we can > > tap off of. > > > > If not can one of you two pass me a patch to do it? > > Yep, that works on my 4.2.1 box! Further testing shows that calling usrinfo the second time when PrivSep is off doesn't set the TTY anyway. I don't know why. (Maybe you can only call usrinfo once?) You can wrap the first inside an if (use_privsep) and the second inside if (!use_privsep) and that does set TTY but I agree with Ben: put it back if it's needed. New patch attached. -Daz. -------------- next part -------------- Index: session.c =================================================================== RCS file: /cvs/openssh/session.c,v retrieving revision 1.204 diff -u -r1.204 session.c --- session.c 23 Jun 2002 21:48:29 -0000 1.204 +++ session.c 25 Jun 2002 13:08:09 -0000 @@ -1152,6 +1152,8 @@ void do_setusercontext(struct passwd *pw) { + char tty='\0'; + #ifdef HAVE_CYGWIN if (is_winnt) { #else /* HAVE_CYGWIN */ @@ -1196,6 +1198,9 @@ # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) irix_setusercontext(pw); # endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ +# ifdef _AIX + aix_usrinfo(pw, &tty, -1); +# endif /* _AIX */ /* Permanently switch to the desired uid. */ permanently_set_uid(pw); #endif
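Review bot: the second hunk's `aix_usrinfo(pw, &tty, -1)` now passes an empty tty name (`tty` is a single `'\0'`) and no fd on every path through do_setusercontext(), privsep or not, so usrinfo is asked to record a login with no tty at all. If that is the intended trade-off, the call site should carry a comment saying so and why the fd is -1; otherwise pass the session's tty in where it is known instead of a one-byte local.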
@@ -1258,9 +1263,6 @@ do_motd(); #else /* HAVE_OSF_SIA */ do_nologin(pw); -# ifdef _AIX - aix_usrinfo(pw, s->tty, s->ttyfd); -# endif /* _AIX */ do_setusercontext(pw); #endif /* HAVE_OSF_SIA */ } From bugzilla-daemon at mindrot.org Tue Jun 25 23:36:14 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 25 Jun 2002 23:36:14 +1000 (EST) Subject: [Bug 293] sshd 3.3p1 doesn't work on Slackware Message-ID: <20020625133614.1669FE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=293 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |DUPLICATE ------- Additional Comments From dtucker at zip.com.au 2002-06-25 23:36 ------- *** This bug has been marked as a duplicate of 285 *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Jun 25 23:36:20 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 25 Jun 2002 23:36:20 +1000 (EST) Subject: [Bug 285] 3.3p1 on Linux 2.2.x doesn't accept connections Message-ID: <20020625133620.22E5FE8FF@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=285 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |slyoldfox at bonbon.net ------- Additional Comments From dtucker at zip.com.au 2002-06-25 23:36 ------- *** Bug 293 has been marked as a duplicate of this bug. *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Jun 26 00:07:20 2002 
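Review bot: in the `@@ -1152,6 +1152,8 @@` hunk, `char tty='\0';` is declared at the top of do_setusercontext() on every platform but is only read inside the `# ifdef _AIX` block added further down, so every non-AIX build gets an unused-variable warning; wrap the declaration in the same `#ifdef _AIX` guard.

Review bot: in the `@@ -1196,6 +1198,9 @@` hunk, `aix_usrinfo(pw, &tty, -1);` hands usrinfo a pointer to a single NUL byte as the tty name and -1 as the descriptor. That matches the stated intent of dropping the TTY setting, but nothing in the hunk records it; a one-line comment next to the call saying the tty is deliberately left unset, and that this must still run before `permanently_set_uid(pw)` while the process has root, would stop the next reader from "fixing" it.

Review bot: the `@@ -1258,9 +1263,6 @@` hunk removes `aix_usrinfo(pw, s->tty, s->ttyfd);`, which was the only place the real tty name reached usrinfo(); combined with the empty name passed from do_setusercontext(), the tty is no longer recorded on AIX in either privsep or non-privsep mode. If that is acceptable (the covering mail says "put it back if it's needed"), the commit message should state it explicitly rather than leave it implicit in the diff.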
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Jun 2002 00:07:20 +1000 (EST)
Subject: [Bug 294] New: tcp wrapper access changed between 2.9.9p2 and 3.3p1
Message-ID: <20020625140720.BCC6CE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=294

           Summary: tcp wrapper access changed between 2.9.9p2 and 3.3p1
           Product: Portable OpenSSH
           Version: -current
          Platform: MIPS
        OS/Version: IRIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: ktaylor at daac.gsfc.nasa.gov

We would like to be able to have tcp wrappers allow ssh access based on ip
address groups, rather than names only.  This was working as expected for
2.9.9p2 and seems to only allow access by hostname for 3.3p1.

I started looking at how we have tcpd compiled, but I don't think that's the
problem because this was working fine with the older openssh, but not the new
one.
From mouring at etoh.eviladmin.org Tue Jun 25 23:58:35 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 25 Jun 2002 08:58:35 -0500 (CDT)
Subject: Privsep and AIX..
In-Reply-To: <3D18411A.B15E63E4@zip.com.au>
Message-ID:

On Tue, 25 Jun 2002, Darren Tucker wrote:

> Ben Lindstrom wrote:
> >
> > Would anyone object if we dropped the TTY setting in usrinfo() move it up
> > after the irix_*() call in do_setusercontext() and handle the case when
> > someone whines?  Hopefully by then OSF group will have a patch that we can
> > tap off of.
> >
> > If not can one of you two pass me a patch to do it?
>
> Yep, that works on my 4.2.1 box!
>

You do realize that in non-privsep mode that the second call to
aix_usrinfo() will blow away the tty entry.

- Ben
From bugzilla-daemon at mindrot.org Wed Jun 26 00:12:34 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Jun 2002 00:12:34 +1000 (EST)
Subject: [Bug 151] 3.0.2p1 and 3.1p1 fail to build.
Message-ID: <20020625141234.E62A4E8FF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=151

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From mouring at eviladmin.org  2002-06-26 00:12 -------
Stated Resolved in 3.3
From bugzilla-daemon at mindrot.org Wed Jun 26 00:13:23 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Jun 2002 00:13:23 +1000 (EST)
Subject: [Bug 280] make failed on IRIX - SCM_RIGHTS unknown
Message-ID: <20020625141323.8CF2DE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=280

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From mouring at eviladmin.org  2002-06-26 00:13 -------
Stated Resolved in 3.3
From mouring at etoh.eviladmin.org Wed Jun 26 00:07:02 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 25 Jun 2002 09:07:02 -0500 (CDT)
Subject: BSD/OS with privsep
In-Reply-To: <20020625110442.GI15772@citi.citi.umich.edu>
Message-ID:

Hmm... I'd have to look closer, but there are portable related things
called in do_setusercontext().  do we still have root at this time?

On Tue, 25 Jun 2002, Niels Provos wrote:

> On Tue, Jun 25, 2002 at 12:40:24PM +0200, Markus Friedl wrote:
> > perhaps we should not call do_setusercontext() after
> > chroot().
> Your suggestion of a more light-weight function seemed fine to me.
> Any reasons why the below should not work everywhere else?
>
> Niels.
From mouring at etoh.eviladmin.org Wed Jun 26 00:09:50 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 25 Jun 2002 09:09:50 -0500 (CDT)
Subject: Help wanted: configure test for busted mmap
In-Reply-To: <87n0tjfrre.fsf@CERT.Uni-Stuttgart.DE>
Message-ID:

Understood... Those lacking mmap() or bad enough that can't be used will
have to live without Compression feature on the server side.  Or live
without privsep

Why?  Personally I refuse to commit SysV Shm based code because the whole
SysV Shm is a piece of shit waiting for a race condition.

If Kevin or Damien want to commit such stuff that's their choice, but I
won't touch it.

Now is a good time to harass your vendors about putting in mmap() for
those with UNIXes that are still actively developed.

- Ben

On Tue, 25 Jun 2002, Florian Weimer wrote:

> Ben Lindstrom writes:
>
> > Rejected already.. SysV Shm not an acceptable solution.
>
> MAP_ANONYMOUS and even mmap() is not available on all systems.
>
> (BTW: AFAIK, on some systems, you can mmap() from /dev/zero as a
> replacement of MAP_ANON.)
>
> --
> Florian Weimer                    Weimer at CERT.Uni-Stuttgart.DE
> University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
> RUS-CERT                          fax +49-711-685-5898
From markus at openbsd.org Wed Jun 26 00:20:40 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 25 Jun 2002 16:20:40 +0200
Subject: BSD/OS with privsep
In-Reply-To:
References: <20020625110442.GI15772@citi.citi.umich.edu>
Message-ID: <20020625142040.GA17662@faui02>

do_setusercontext() was written to setup the env for the loginshell
or command run by the user.  using it for the unpriv thing might cause
problems, but people should check.

-m

On Tue, Jun 25, 2002 at 09:07:02AM -0500, Ben Lindstrom wrote:
>
> Hmm... I'd have to look closer, but there are portable related things
> called in do_setusercontext().  do we still have root at this time?
>
> On Tue, 25 Jun 2002, Niels Provos wrote:
>
> > On Tue, Jun 25, 2002 at 12:40:24PM +0200, Markus Friedl wrote:
> > > perhaps we should not call do_setusercontext() after
> > > chroot().
> > Your suggestion of a more light-weight function seemed fine to me.
> > Any reasons why the below should not work everywhere else?
> >
> > Niels.
From markus at openbsd.org Wed Jun 26 00:37:12 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 25 Jun 2002 16:37:12 +0200
Subject: BSD/OS with privsep
In-Reply-To:
References: <20020625110442.GI15772@citi.citi.umich.edu>
Message-ID: <20020625143712.GE17662@faui02>

On Tue, Jun 25, 2002 at 09:07:02AM -0500, Ben Lindstrom wrote:
>
> Hmm... I'd have to look closer, but there are portable related things
> called in do_setusercontext().  do we still have root at this time?

yes, you need root permissions to call do_setusercontext
From wendyp at cray.com Wed Jun 26 00:37:41 2002
From: wendyp at cray.com (Wendy Palm)
Date: Tue, 25 Jun 2002 09:37:41 -0500
Subject: OpenSSH 3.3 released [be careful of not having sshd user or /var/empty]
References: <5.1.1.5.2.20020625000607.030372d0@fallen.tusker.net>
Message-ID: <3D188035.9C9E8CD6@cray.com>

is the user "sshd" and /var/empty still needed even without privsep?

Damien Mascord wrote:
>
> Heya,
>
> Probably something to note in the release notes for 3.3:
>
> 1) A user sshd needs to exist before you do a /etc/init.d/sshd restart, ssh
> will not restart
> 2) A directory /var/empty needs to exist before you restart sshd,
> otherwise sshd will not restart.
>
> Probably even a good idea to put it in the make install section, something like
> echo **********************************************************
> echo * WARNING, sshd user does not exist                      *
> echo * WARNING, /var/empty directory does not exist           *
> echo * sshd will not restart                                  *
> echo *********************************************************
>
> Just an idea :) Glad I enabled telnet temporarily to restart sshd this time :)
>
> Damien
>
> At 09:50 PM 21/06/2002 +0200, you wrote:
> >OpenSSH 3.3 has just been released. It will be available from the
> >mirrors listed at http://www.openssh.com/ shortly.
> >
> >OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
> >implementation and includes sftp client and server support.
> >
> >We would like to thank the OpenSSH community for their continued
> >support and encouragement.
> >
> >
> >Changes since OpenSSH 3.2.3:
> >============================
> >
> >Security Changes:
> >=================
> >
> >- improved support for privilege separation:
> >
> >  privilege separation is now enabled by default
> >
> >  See UsePrivilegeSeparation in sshd_config(5)
> >  and http://www.citi.umich.edu/u/provos/ssh/privsep.html for more
> >  information.
> >- ssh no longer needs to be installed setuid root for protocol
> >  version 2 hostbased authentication, see ssh-keysign(8).
> >  protocol version 1 rhosts-rsa authentication still requires privileges
> >  and is not recommended.
> >
> >Other Changes:
> >==============
> >
> >- documentation for the client and server configuration options have
> >  been moved to ssh_config(5) and sshd_config(5).
> >- the server now supports the Compression option, see sshd_config(5).
> >- the client options RhostsRSAAuthentication and RhostsAuthentication now
> >  default to no, see ssh_config(5).
> >- the client options FallBackToRsh and UseRsh are deprecated.
> >- ssh-agent now supports locking and timeouts for keys, see ssh-add(1).
> >- ssh-agent can now bind to unix-domain sockets given on the command line,
> >  see ssh-agent(1).
> >- fixes problems with valid RSA signatures from putty clients.
> >
> >Reporting Bugs:
> >===============
> >
> >- please read http://www.openssh.com/report.html
> >  and http://bugzilla.mindrot.org/
> >
> >OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> >Kevin Steves, Damien Miller and Ben Lindstrom.

--
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154
From mbac at netgraft.com Wed Jun 26 00:38:01 2002
From: mbac at netgraft.com (Michael Bacarella)
Date: Tue, 25 Jun 2002 10:38:01 -0400
Subject: Patch for OpenSSH/mmap() on Linux 2.2
Message-ID: <20020625103801.A3710@romulus.netgraft.com>

A colleague was having trouble running OpenSSH 3.3p on his server.

He, like many of us, has been clobbered by the mighty security penis
of Theo De Raadt into enabling "privsep".

But on some Linux 2.2 kernels, this is broken.  Apparently, OpenSSH "portable"
relies on non-POSIX compliant mmap() features.

Making the mmap() call in monitor_mm.c look something like this:

	{
		char template[40], c = 0;
		int fd;

		/* back the shared region with an unlinked temp file instead of MAP_ANON */
		sprintf(template,"/tmp/sshd-XXXXXX");
		fd = mkstemp(template);
		if (fd == -1)
			fatal("mkstemp: %s", strerror(errno));
		unlink(template);
		/* grow the file (size rounded down to a page multiple, then doubled)
		 * so the mapping has backing store */
		lseek(fd,(size/4096*4096*2)-1,SEEK_SET);
		write(fd,&c,1);
		address = mmap(NULL,size,PROT_WRITE|PROT_READ,MAP_SHARED,fd,0);
		if (address == MAP_FAILED)
			fatal("mmap(%lu): %s", (u_long)size, strerror(errno));
		memset(address,0,size);
		close(fd);
	}

fixes it on his server.  If you use this, it is, like everything else in
life, at your own risk.

I don't follow the list so I have no idea if this has been reported, fixed,
or otherwise dealt with.  If you're going to respond to yell at me, do it off list.

-- 
Michael Bacarella                | Netgraft Corporation | 545 Eighth Ave #401
Systems Analysis                 |                      | New York, NY 10018
Technical Support                | 212 946-1038         | 917 670-6982
Managed Services                 | mbac at netgraft.com
From bugzilla-daemon at mindrot.org Wed Jun 26 00:40:36 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 26 Jun 2002 00:40:36 +1000 (EST) Subject: [Bug 295] New: rpm specfile needs build prereqs for Kerberos Message-ID: <20020625144036.C24D2E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=295 Summary: rpm specfile needs build prereqs for Kerberos Product: Portable OpenSSH Version: -current Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: Miscellaneous AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: mike at enoch.org I sent this to the dev list, then decided it would be better to just open a bug. On both my Mandrake 8.2 and RedHat 7.3 if I use the stock spec file (from the source RPM, but the openssh.spec file that's in -current in the contrib directory is the same) it tries to build with kerberos support (because that flag is on in the spec file by default) but fails because I don't have krb5-devel installed. Attached is a patch that alters the spec file to check for krb5-libs and krb5-devel if kerberos5 is defined. --- openssh.spec.orig Mon Jun 24 23:16:36 2002 +++ openssh.spec Mon Jun 24 23:17:16 2002 @@ -97,6 +97,10 @@ %if ! %{no_gnome_askpass} BuildPreReq: gnome-libs-devel %endif +%if %{kerberos5} +BuildPreReq: krb5-libs, krb5-devel +%endif + %package clients Summary: OpenSSH clients. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From dtucker at zip.com.au Wed Jun 26 00:44:47 2002 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 26 Jun 2002 00:44:47 +1000 Subject: Privsep and AIX.. References: Message-ID: <3D1881DF.6815C48D@zip.com.au> Ben Lindstrom wrote: > You do realize that in non-privsep mode that the second call to > aix_usrinfo() will blow away the tty entry. Not when I posted it :-). The second patch does away with the original call entirely. -Daz. From smueller at atsec.com Tue Jun 25 23:20:12 2002 
From: smueller at atsec.com (Stephan Mueller)
Date: Tue, 25 Jun 2002 15:20:12 +0200
Subject: PAMAuthenticationViaKbdInt and KeyAuth
Message-ID: <200206251520.12828.smueller@atsec.com>

Hi there,

when enabling the option PAMAuthenticationViaKbdInt, a login with password is
always possible, even though you disabled it with PasswordAuthentication
no and PermitRootLogin without-password!

Is this intended? Why is there no documentation about this (or at least a
warning in the default configuration file)?

The problem is, it is enabled in the default installation of Debian OpenSSH
packages!

Thanks
Stephan
-- 
Stephan Müller                          Stephan.Mueller at atsec.com
Whenever you eliminate the impossible, whatever
remains, however improbable, must be the truth.
From vinschen at redhat.com Wed Jun 26 00:51:12 2002
From: vinschen at redhat.com (Corinna Vinschen)
Date: Tue, 25 Jun 2002 16:51:12 +0200
Subject: Help wanted: configure test for busted mmap
In-Reply-To:
References: <87n0tjfrre.fsf@CERT.Uni-Stuttgart.DE>
Message-ID: <20020625165112.Z22705@cygbert.vinschen.de>

On Tue, Jun 25, 2002 at 09:09:50AM -0500, Ben Lindstrom wrote:
> Why?  Personally I refuse to commit SysV Shm based code because the whole
> SysV Shm is a piece of shit waiting for a race condition.
>
> If Kevin or Damien want to commit such stuff that's their choice, but I
> won't touch it.

Even if it gets committed, please remember to add HAVE_SHM's or similar
to protect building on systems lacking SysV IPC.

Corinna

-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com
From bugzilla-daemon at mindrot.org Wed Jun 26 00:53:20 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 26 Jun 2002 00:53:20 +1000 (EST) Subject: [Bug 294] tcp wrapper access changed between 2.9.9p2 and 3.3p1 Message-ID: <20020625145320.38B9CE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=294 ------- Additional Comments From ktaylor at daac.gsfc.nasa.gov 2002-06-26 00:53 ------- This is what's reported in the syslog from openssh-2.9.9p2 - with an ip address range listed in hosts.allow Jun 25 10:50:08 6D:server sshd[30123536]: Failed keyboard-interactive for ktaylor from xxx.xxx.xxx.xxx port 40333 ssh2 Jun 25 10:50:13 6D:server sshd[30123536]: Accepted password for ktaylor from xxx.xxx.xxx.xxx port 40333 ssh2 With openssh-3.3p1, I don't connect from the client, because I'm being refused from the server: Jun 25 10:52:02 4D:server sshd[30412458]: refused connect from client.com ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From itojun at iijlab.net Wed Jun 26 00:52:53 2002 From: itojun at iijlab.net (Jun-ichiro itojun Hagino) Date: Tue, 25 Jun 2002 23:52:53 +0900 Subject: 3.3p1 patch for Solaris 2.6 Message-ID: <20020625145253.2AA8E7BA@starfruit.itojun.org> here's a patch to 3.3p1 for Solaris 2.6 - it does not handle mmap() with fd = -1. does it look okay? itojun --- work.i386/openssh-3.3p1/servconf.c- Tue Jun 25 23:43:22 2002 +++ work.i386/openssh-3.3p1/servconf.c Tue Jun 25 23:43:33 2002 @@ -257,7 +257,7 @@ if (use_privsep == -1) use_privsep = 1; -#if !defined(HAVE_MMAP) || !defined(MAP_ANON) +#if !defined(HAVE_MMAP) if (use_privsep && options->compression == 1) { error("This platform does not support both privilege " "separation and compression"); --- work.i386/openssh-3.3p1/monitor_mm.c- Tue Jun 25 23:42:02 2002 +++ work.i386/openssh-3.3p1/monitor_mm.c Tue Jun 25 23:43:11 2002 
@@ -71,6 +71,9 @@ { void *address; struct mm_master *mm; +#if defined(HAVE_MMAP) && !defined(MAP_ANON) + int fd; +#endif if (mmalloc == NULL) mm = xmalloc(sizeof(struct mm_master)); @@ -87,6 +90,13 @@ #if defined(HAVE_MMAP) && defined(MAP_ANON) address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, -1, 0); + if (address == MAP_FAILED) + fatal("mmap(%lu): %s", (u_long)size, strerror(errno)); +#elif defined(HAVE_MMAP) && !defined(MAP_ANON) + fd = open("/dev/zero", O_RDWR); + address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, + fd, 0); + close(fd); if (address == MAP_FAILED) fatal("mmap(%lu): %s", (u_long)size, strerror(errno)); #else From markus at openbsd.org Wed Jun 26 00:58:50 2002 
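Review bot: in the servconf.c hunk, changing the guard to `#if !defined(HAVE_MMAP)` accepts privsep plus compression on every platform that has mmap(), so the clear config-time error now depends on the new /dev/zero branch in monitor_mm.c producing a shared mapping wherever MAP_ANON is missing; a platform where mmap() exists but neither MAP_ANON nor a MAP_SHARED /dev/zero mapping works will now die at runtime in mm_create() instead of refusing the configuration at startup.

Review bot: in the `@@ -87,6 +90,13 @@` hunk, the new `#elif defined(HAVE_MMAP) && !defined(MAP_ANON)` branch still passes `MAP_ANON|MAP_SHARED` to mmap(), but MAP_ANON is undefined by the very condition that selects this branch, so it will not compile where it is meant to apply; the flags should be `MAP_SHARED` alone. The result of `open("/dev/zero", O_RDWR)` is also used without checking for -1, so a failed open surfaces as an mmap() error with a misleading errno.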
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 25 Jun 2002 16:58:50 +0200
Subject: PAMAuthenticationViaKbdInt and KeyAuth
In-Reply-To: <200206251520.12828.smueller@atsec.com>
References: <200206251520.12828.smueller@atsec.com>
Message-ID: <20020625145850.GH17662@faui02>

     PAMAuthenticationViaKbdInt
             Specifies whether PAM challenge response authentication is
             allowed.  This allows the use of most PAM challenge response
             authentication modules, but it will allow password authentication
             regardless of whether PasswordAuthentication is yes, the password
             provided by the user will be validated through the Kerberos KDC.
             To use this option, the server needs a Kerberos servtab which
             allows the verification of the KDC's identity.  Default is ``no''.

On Tue, Jun 25, 2002 at 03:20:12PM +0200, Stephan Mueller wrote:
> Hi there,
>
> when enabling the option PAMAuthenticationViaKbdInt, a login with password is
> always possible, even though you disabled it with PasswordAuthentication
> no and PermitRootLogin without-password!
>
> Is this intended? Why is there no documentation about this (or at least a
> warning in the default configuration file)?
>
> The problem is, it is enabled in the default installation of Debian OpenSSH
> packages!
>
> Thanks
> Stephan
> --
> Stephan Müller                          Stephan.Mueller at atsec.com
> Whenever you eliminate the impossible, whatever
> remains, however improbable, must be the truth.
From provos at citi.umich.edu Wed Jun 26 01:02:54 2002
From: provos at citi.umich.edu (Niels Provos) Date: Tue, 25 Jun 2002 11:02:54 -0400 Subject: 3.3p1 patch for Solaris 2.6 In-Reply-To: <20020625145253.2AA8E7BA@starfruit.itojun.org> References: <20020625145253.2AA8E7BA@starfruit.itojun.org> Message-ID: <20020625150254.GR15772@citi.citi.umich.edu> On Tue, Jun 25, 2002 at 11:52:53PM +0900, Jun-ichiro itojun Hagino wrote: > here's a patch to 3.3p1 for Solaris 2.6 - it does not handle > mmap() with fd = -1. does it look okay? That looks good. Any reason why you do not check the open result, too. I mean I know mmap is going to fail with an invalid fd, but still. Niels. From itojun at iijlab.net Wed Jun 26 01:06:55 2002 From: itojun at iijlab.net (itojun at iijlab.net) Date: Wed, 26 Jun 2002 00:06:55 +0900 Subject: 3.3p1 patch for Solaris 2.6 In-Reply-To: provos's message of Tue, 25 Jun 2002 11:02:54 -0400. <20020625150254.GR15772@citi.citi.umich.edu> Message-ID: <20020625150657.9358E4B24@coconut.itojun.org> >> here's a patch to 3.3p1 for Solaris 2.6 - it does not handle >> mmap() with fd = -1. does it look okay? >That looks good. Any reason why you do not check the open result, >too. I mean I know mmap is going to fail with an invalid fd, but >still. i just wasn't careful enough. here's a new one. itojun --- work.i386/openssh-3.3p1/servconf.c- Tue Jun 25 23:43:22 2002 +++ work.i386/openssh-3.3p1/servconf.c Tue Jun 25 23:43:33 2002 @@ -257,7 +257,7 @@ if (use_privsep == -1) use_privsep = 1; -#if !defined(HAVE_MMAP) || !defined(MAP_ANON) +#if !defined(HAVE_MMAP) if (use_privsep && options->compression == 1) { error("This platform does not support both privilege " "separation and compression"); --- work.i386/openssh-3.3p1/monitor_mm.c- Tue Jun 25 23:42:02 2002 +++ work.i386/openssh-3.3p1/monitor_mm.c Wed Jun 26 00:05:42 2002 @@ -71,6 +71,9 @@ { void *address; struct mm_master *mm; +#if defined(HAVE_MMAP) && !defined(MAP_ANON) + int fd; +#endif if (mmalloc == NULL) mm = xmalloc(sizeof(struct mm_master)); 
@@ -87,6 +90,15 @@ #if defined(HAVE_MMAP) && defined(MAP_ANON) address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, -1, 0); + if (address == MAP_FAILED) + fatal("mmap(%lu): %s", (u_long)size, strerror(errno)); +#elif defined(HAVE_MMAP) && !defined(MAP_ANON) + fd = open("/dev/zero", O_RDWR); + if (fd < 0) + fatal("open(/dev/zero): %s", strerror(errno)); + address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, + fd, 0); + close(fd); if (address == MAP_FAILED) fatal("mmap(%lu): %s", (u_long)size, strerror(errno)); #else From bugzilla-daemon at mindrot.org Wed Jun 26 01:07:16 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 26 Jun 2002 01:07:16 +1000 (EST) Subject: [Bug 296] New: Priv separation does not work on OSF/1 Message-ID: <20020625150716.4183EE8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=296 Summary: Priv separation does not work on OSF/1 Product: Portable OpenSSH Version: -current Platform: Alpha OS/Version: OSF/1 Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: Al.Smith at gold.net Under openssh-3.2.3p1 and openssh-3.3p1, enabling UsePrivilegeSeparation results in only root being able to log in. Under Digital UNIX 4.0F, regular users see "connection closed". With 5.1, a regular user sees the additional message: cannot set login uid 1000: error Not owner. Connection to foo closed by remote host. Sadly, sshd -d -d -d yields no clues. Turning off priv separation 'cures' this problem. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From iwamoto at sat.t.u-tokyo.ac.jp Wed Jun 26 01:07:29 2002 
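Review bot: in the `@@ -87,6 +90,15 @@` hunk, the open() failure is now handled, but `MAP_ANON|MAP_SHARED` is still passed in the `!defined(MAP_ANON)` branch, so this version will still not compile on exactly the platforms it targets; use `MAP_SHARED` alone. `if (fd < 0)` works in practice, though open() is specified to return exactly -1 on failure, so `fd == -1` states the check more precisely.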
From: iwamoto at sat.t.u-tokyo.ac.jp (IWAMOTO Toshihiro) Date: Wed, 26 Jun 2002 00:07:29 +0900 Subject: 3.3p1 patch for Solaris 2.6 In-Reply-To: <20020625145253.2AA8E7BA@starfruit.itojun.org> References: <20020625145253.2AA8E7BA@starfruit.itojun.org> Message-ID: <20020625150730.40DA27704@mail.asahi-net.or.jp> At Tue, 25 Jun 2002 23:52:53 +0900, Jun-ichiro itojun Hagino wrote: > > here's a patch to 3.3p1 for Solaris 2.6 - it does not handle > mmap() with fd = -1. does it look okay? If open() fails, mmap() should fail because of an invalid file descriptor. So I think retval check of open() can be omitted. I'm not perfectly sure this usage of /dev/zero is correct, although comments in NetBSD's sys/uvm/uvm_mmap.c suggests so. > @@ -87,6 +90,13 @@ > #if defined(HAVE_MMAP) && defined(MAP_ANON) > address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, > -1, 0); > + if (address == MAP_FAILED) > + fatal("mmap(%lu): %s", (u_long)size, strerror(errno)); > +#elif defined(HAVE_MMAP) && !defined(MAP_ANON) > + fd = open("/dev/zero", O_RDWR); > + address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, > + fd, 0); This should be as follows, because MAP_ANON isn't defined. + address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED, + fd, 0); > + close(fd); > if (address == MAP_FAILED) > fatal("mmap(%lu): %s", (u_long)size, strerror(errno)); > #else -- IWAMOTO Toshihiro From gwyllion at ace.ulyssis.org Wed Jun 26 01:10:05 2002 
From: gwyllion at ace.ulyssis.org (Dries Schellekens)
Date: Tue, 25 Jun 2002 17:10:05 +0200 (CEST)
Subject: Patch for OpenSSH/mmap() on Linux 2.2
In-Reply-To: <20020625103801.A3710@romulus.netgraft.com>
Message-ID:

On Tue, 25 Jun 2002, Michael Bacarella wrote:

> But on some Linux 2.2 kernels, this is broken.  Apparently, OpenSSH "portable"
> relies on non-POSIX compliant mmap() features.
>
> fixes it on his server.  If you use this, it is, like everything else in
> life, at your own risk.
>
> I don't follow the list so I have no idea if this has been reported, fixed,
> or otherwise dealt with.  If you're going to respond to yell at me, do it off list.

This has been reported numerous times.
http://bugzilla.mindrot.org/show_bug.cgi?id=285

Set "Compression" to "no" to have privsep.

Dries

--
Dries Schellekens
email: gwyllion at ulyssis.org
From provos at citi.umich.edu Wed Jun 26 01:10:14 2002
From: provos at citi.umich.edu (Niels Provos)
Date: Tue, 25 Jun 2002 11:10:14 -0400
Subject: 3.3p1 patch for Solaris 2.6
In-Reply-To: <20020625150657.9358E4B24@coconut.itojun.org>
References: <20020625150254.GR15772@citi.citi.umich.edu> <20020625150657.9358E4B24@coconut.itojun.org>
Message-ID: <20020625151014.GS15772@citi.citi.umich.edu>

On Wed, Jun 26, 2002 at 12:06:55AM +0900, itojun at iijlab.net wrote:
> 	i just wasn't careful enough.  here's a new one.
The correct way to test for a failing open is to test against -1.
I know I am picky.
From mouring at etoh.eviladmin.org Wed Jun 26 01:01:06 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 25 Jun 2002 10:01:06 -0500 (CDT)
Subject: Patch for OpenSSH/mmap() on Linux 2.2
In-Reply-To: <20020625103801.A3710@romulus.netgraft.com>
Message-ID:

On Tue, 25 Jun 2002, Michael Bacarella wrote:

> A colleague was having trouble running OpenSSH 3.3p on his server.
>
> He, like many of us, has been clobbered by the mighty security penis
> of Theo De Raadt into enabling "privsep".
>

Theo does not have a gun to your head.  Or last I checked he did not.

> But on some Linux 2.2 kernels, this is broken.  Apparently, OpenSSH "portable"
> relies on non-POSIX compliant mmap() features.
>

Known issue.  mmap() w/out a working MAP_ANON currently requires sshd to
have compression off (won't start with Compression on).

Post Monday I'll accept complete patches (Some form of OpenWall's Owl +
Tim's /dev/zero) to improve it.  I'm not at the point where I want to
introduce too many mmap() ways before the end of the week due to the
limited testing period we have.

- Ben
From bugzilla-daemon at mindrot.org Wed Jun 26 01:20:08 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Jun 2002 01:20:08 +1000 (EST)
Subject: [Bug 296] Priv separation does not work on OSF/1
Message-ID: <20020625152008.B8558E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=296

------- Additional Comments From bugzilla-openssh at thewrittenword.com  2002-06-26 01:20 -------
Are you sure? I have 3.3p1 running on 4.0D and 5.1 and I can connect as
non-root.
From bugzilla-daemon at mindrot.org Wed Jun 26 01:21:54 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 26 Jun 2002 01:21:54 +1000 (EST) Subject: [Bug 296] Priv separation does not work on OSF/1 Message-ID: <20020625152154.8E443E904@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=296 ------- Additional Comments From cmadams at hiwaay.net 2002-06-26 01:21 ------- Are you using Enhanced Security? I think that privsep should work in Base Security (but I don't have a box running Base to test). I am working on getting privsep working in Enhanced. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From mouring at etoh.eviladmin.org Wed Jun 26 01:13:49 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 25 Jun 2002 10:13:49 -0500 (CDT) Subject: 3.3p1 patch for Solaris 2.6 In-Reply-To: <20020625150657.9358E4B24@coconut.itojun.org> Message-ID: Even if it's more of a moving target it would be easier if you did this against the current CVS or a newer snapshot. Also this will fail under Linux 2.2. So we still need to test if that method works in configure.ac. Are we comfortable getting such a beast done by at a reasonable time so I can call for Linux 2.2 and Solaris testing before I go to bed? I'm not sure I'm comfortable. Mainly because I can't test it outside of 2.5.1 solaris. - Ben On Wed, 26 Jun 2002 itojun at iijlab.net wrote: > >> here's a patch to 3.3p1 for Solaris 2.6 - it does not handle > >> mmap() with fd = -1. does it look okay? > >That looks good. Any reason why you do not check the open result, > >too. I mean I know mmap is going to fail with an invalid fd, but > >still. > > i just wasn't careful enough. here's a new one. > > itojun > > > --- work.i386/openssh-3.3p1/servconf.c- Tue Jun 25 23:43:22 2002 > +++ work.i386/openssh-3.3p1/servconf.c Tue Jun 25 23:43:33 2002 
> @@ -257,7 +257,7 @@ > if (use_privsep == -1) > use_privsep = 1; > > -#if !defined(HAVE_MMAP) || !defined(MAP_ANON) > +#if !defined(HAVE_MMAP) > if (use_privsep && options->compression == 1) { > error("This platform does not support both privilege " > "separation and compression"); > --- work.i386/openssh-3.3p1/monitor_mm.c- Tue Jun 25 23:42:02 2002 > +++ work.i386/openssh-3.3p1/monitor_mm.c Wed Jun 26 00:05:42 2002 > @@ -71,6 +71,9 @@ > { > void *address; > struct mm_master *mm; > +#if defined(HAVE_MMAP) && !defined(MAP_ANON) > + int fd; > +#endif > > if (mmalloc == NULL) > mm = xmalloc(sizeof(struct mm_master)); > @@ -87,6 +90,15 @@ > #if defined(HAVE_MMAP) && defined(MAP_ANON) > address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, > -1, 0); > + if (address == MAP_FAILED) > + fatal("mmap(%lu): %s", (u_long)size, strerror(errno)); > +#elif defined(HAVE_MMAP) && !defined(MAP_ANON) > + fd = open("/dev/zero", O_RDWR); > + if (fd < 0) > + fatal("open(/dev/zero): %s", strerror(errno)); > + address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, > + fd, 0); > + close(fd); > if (address == MAP_FAILED) > fatal("mmap(%lu): %s", (u_long)size, strerror(errno)); > #else > From openssh-unix-dev at thewrittenword.com Wed Jun 26 01:25:34 2002 
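Review bot: in the servconf.c hunk, dropping `|| !defined(MAP_ANON)` from the `#if` means a build with HAVE_MMAP but no MAP_ANON now accepts Compression together with privilege separation, so correctness rests entirely on the /dev/zero path in monitor_mm.c yielding a mapping that is genuinely shared between monitor and child. Ben notes above that this is exactly what fails on Linux 2.2, so the relaxed check should be tied to a configure-time probe that a MAP_SHARED mapping of /dev/zero is visible across fork(), not to HAVE_MMAP alone.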
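Review bot: the second monitor_mm.c hunk (`@@ -87,6 +90,15 @@`) will not compile on the platforms it targets: the `#elif defined(HAVE_MMAP) && !defined(MAP_ANON)` branch passes `MAP_ANON|MAP_SHARED` to mmap(), but MAP_ANON is by construction undefined inside that branch. The flags there should be just `MAP_SHARED`, since the open /dev/zero descriptor supplies the backing. Two smaller points: `close(fd)` runs before the `address == MAP_FAILED` test and can clobber the errno that `fatal("mmap(%lu): %s", ...)` then reports, so save errno or move the close after the check; and the branch uses `O_RDWR`, which needs <fcntl.h> if monitor_mm.c does not already include it.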
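Ben's reply and itojun's patch both hinge on one question: can the platform hand the monitor and its unprivileged child a zero-filled mapping that stays shared across fork() when MAP_ANON is missing? The following is an added example, not OpenSSH's monitor_mm.c: it maps memory via MAP_ANON or a /dev/zero descriptor (the names `shared_map` and `check_shared_across_fork` are invented here) and then checks that a child's write is visible to the parent, which is the configure-time probe Ben asks for and the case he says fails on Linux 2.2.

```c
/* Added example (not OpenSSH code): anonymous shared memory with a
 * /dev/zero fallback, plus a fork() probe that the mapping is really
 * shared.  shared_map and check_shared_across_fork are invented names. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1     /* glibc: expose MAP_ANONYMOUS, fork, etc. */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
#define MAP_ANON MAP_ANONYMOUS   /* Linux spells the flag MAP_ANONYMOUS */
#endif

/* Map `size` zero-filled bytes that remain shared with children forked
 * later.  Uses MAP_ANON unless use_devzero is set, or the flag is not
 * available at compile time; then /dev/zero backs the mapping instead.
 * Returns NULL on failure with errno set. */
static void *shared_map(size_t size, int use_devzero)
{
    void *address = MAP_FAILED;
    int fd, saved_errno;

#ifdef MAP_ANON
    if (!use_devzero) {
        address = mmap(NULL, size, PROT_READ | PROT_WRITE,
                       MAP_ANON | MAP_SHARED, -1, 0);
        return address == MAP_FAILED ? NULL : address;
    }
#else
    (void)use_devzero;   /* only the /dev/zero path exists on this build */
#endif
    fd = open("/dev/zero", O_RDWR);
    if (fd < 0)
        return NULL;
    /* No MAP_ANON in the flags: the descriptor supplies the backing.
     * MAP_SHARED is what makes the page visible to both processes. */
    address = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    saved_errno = errno;
    close(fd);            /* the mapping outlives its descriptor */
    errno = saved_errno;  /* report mmap's error, not close's */
    return address == MAP_FAILED ? NULL : address;
}

/* Returns 1 if a write made by a forked child is visible in the parent
 * (the property the privsep monitor relies on), 0 if the supposedly
 * shared page turned out to be private, -1 on error. */
static int check_shared_across_fork(int use_devzero)
{
    size_t size = (size_t)sysconf(_SC_PAGESIZE);
    volatile int *slot;
    pid_t pid;
    int status, result;

    slot = shared_map(size, use_devzero);
    if (slot == NULL)
        return -1;
    *slot = 0;

    pid = fork();
    if (pid < 0) {
        munmap((void *)slot, size);
        return -1;
    }
    if (pid == 0) {
        *slot = 0x5a5a;   /* child writes through the shared page */
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        result = -1;
    else
        result = (*slot == 0x5a5a) ? 1 : 0;
    munmap((void *)slot, size);
    return result;
}

int main(void)
{
    /* A configure-style probe would enable privsep together with
     * compression only when the path it intends to use reports 1. */
    printf("MAP_ANON path:  %d\n", check_shared_across_fork(0));
    printf("/dev/zero path: %d\n", check_shared_across_fork(1));
    return 0;
}
```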
From: openssh-unix-dev at thewrittenword.com (Albert Chin) Date: Tue, 25 Jun 2002 10:25:34 -0500 Subject: PrivSep and AIX 4.3.2 Message-ID: <20020625102534.A24608@oolong.il.thewrittenword.com> With 3.3p1 built on AIX 4.3.2: $ ssh [blah] Couldn't set usrinfo: Not owner debug1: Calling cleanup 0x20019080(0x200219a0) debug3: mm_request_send entering: type 27 debug1: Calling cleanup 0x20018dd4(0x0) Connection to songohan closed by remote host. Connection to songohan closed. Output from sshd -d -d -d: ... debug3: tty_parse_modes: 92 0 debug3: tty_parse_modes: 93 0 debug1: server_input_channel_req: channel 0 request x11-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req x11-req debug1: bind port 6010: Address already in use debug1: bind port 6011: Address already in use debug1: fd 11 setting O_NONBLOCK debug2: fd 11 is O_NONBLOCK debug1: channel 1: new [X11 inet listener] debug1: server_input_channel_req: channel 0 request shell reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req shell debug1: fd 4 setting TCP_NODELAY debug1: channel 0: rfd 10 isatty debug1: fd 10 setting O_NONBLOCK debug2: fd 9 is O_NONBLOCK setsid: Not owner debug3: monitor_read: checking request 27 debug3: mm_answer_pty_cleanup entering debug1: session_by_tty: session 0 tty /dev/pts/4 debug3: mm_session_close: session 0 pid 20872 debug3: mm_session_close: tty /dev/pts/4 ptyfd 3 debug1: session_pty_cleanup: session 0 release /dev/pts/4 debug3: mm_request_receive entering Connection closed by remote host. 
debug1: channel_free: channel 0: server-session, nchannels 2 debug3: channel_free: status: The following connections are open: #0 server-session (t4 r0 i0/63 o0/0 fd 10/9) debug3: channel_close_fds: channel 0: r 10 w 9 e -1 debug1: channel_free: channel 1: X11 inet listener, nchannels 1 debug3: channel_free: status: The following connections are open: debug3: channel_close_fds: channel 1: r 11 w 11 e -1 debug1: session_close: session 0 pid 19744 debug3: mm_request_send entering: type 27 debug3: monitor_read: checking request 27 debug3: mm_answer_pty_cleanup entering debug1: session_by_tty: unknown tty /dev/pts/4 debug1: dump: used 0 session 0 200219a0 channel -1 pid 20872 debug1: dump: used 0 session 0 20021b3c channel 0 pid 0 debug1: dump: used 0 session 0 20021cd8 channel 0 pid 0 debug1: dump: used 0 session 0 20021e74 channel 0 pid 0 debug1: dump: used 0 session 0 20022010 channel 0 pid 0 debug1: dump: used 0 session 0 200221ac channel 0 pid 0 debug1: dump: used 0 session 0 20022348 channel 0 pid 0 debug1: dump: used 0 session 0 200224e4 channel 0 pid 0 debug1: dump: used 0 session 0 20022680 channel 0 pid 0 debug1: dump: used 0 session 0 2002281c channel 0 pid 0 debug3: mm_request_receive entering Closing connection to 192.168.1.38 debug3: mm_request_send entering: type 38 debug3: monitor_read: checking request 38 debug3: mm_answer_term: tearing down sessions debug1: Received SIGCHLD. -- albert chin (china at thewrittenword.com) From bugzilla-daemon at mindrot.org Wed Jun 26 01:26:37 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Jun 2002 01:26:37 +1000 (EST)
Subject: [Bug 296] Priv separation does not work on OSF/1
Message-ID: <20020625152637.382A8E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=296

------- Additional Comments From bugzilla-openssh at thewrittenword.com 2002-06-26 01:26 -------
I'm running with base security.

From bugzilla-daemon at mindrot.org Wed Jun 26 01:28:09 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Jun 2002 01:28:09 +1000 (EST)
Subject: [Bug 270] PrivSep breaks sshd on AIX for non-root users
Message-ID: <20020625152809.8146EE906@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=270

pas50 at cam.ac.uk changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pas50 at cam.ac.uk
            Summary|PrivSep breaks sshd on AIX  |PrivSep breaks sshd on AIX
                   |for non-root users          |for non-root users

From bugzilla-daemon at mindrot.org Wed Jun 26 01:35:34 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Jun 2002 01:35:34 +1000 (EST)
Subject: [Bug 151] 3.0.2p1 and 3.1p1 fail to build.
Message-ID: <20020625153534.DF7B2E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=151

------- Additional Comments From bugzilla-openssh at thewrittenword.com 2002-06-26 01:35 -------
3.3p1 builds fine for me on IRIX 6.5.16m and the 7.3.1.3m C compiler.

From dtucker at zip.com.au Wed Jun 26 01:36:56 2002
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 26 Jun 2002 01:36:56 +1000 Subject: PrivSep and AIX 4.3.2 References: <20020625102534.A24608@oolong.il.thewrittenword.com> Message-ID: <3D188E18.BEBCF51A@zip.com.au> Albert Chin wrote: > With 3.3p1 built on AIX 4.3.2: > $ ssh [blah] > Couldn't set usrinfo: Not owner > debug1: Calling cleanup 0x20019080(0x200219a0) > debug3: mm_request_send entering: type 27 > debug1: Calling cleanup 0x20018dd4(0x0) > Connection to songohan closed by remote host. > Connection to songohan closed. Disable PrivSep ("UsePrivilegeSeparation no" in sshd_config) or if you're adventurous try the attached patch. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: session.c =================================================================== RCS file: /cvs/openssh/session.c,v retrieving revision 1.204 diff -u -r1.204 session.c --- session.c 23 Jun 2002 21:48:29 -0000 1.204 +++ session.c 25 Jun 2002 13:08:09 -0000 @@ -1152,6 +1152,8 @@ void do_setusercontext(struct passwd *pw) { + char tty='\0'; + #ifdef HAVE_CYGWIN if (is_winnt) { #else /* HAVE_CYGWIN */ @@ -1196,6 +1198,9 @@ # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) irix_setusercontext(pw); # endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ +# ifdef _AIX + aix_usrinfo(pw, &tty, -1); +# endif /* _AIX */ /* Permanently switch to the desired uid. */ permanently_set_uid(pw); #endif @@ -1258,9 +1263,6 @@ do_motd(); #else /* HAVE_OSF_SIA */ do_nologin(pw); -# ifdef _AIX - aix_usrinfo(pw, s->tty, s->ttyfd); -# endif /* _AIX */ do_setusercontext(pw); #endif /* HAVE_OSF_SIA */ } From bugzilla-daemon at mindrot.org Wed Jun 26 01:41:04 2002 
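Review bot: in the first session.c hunk (`@@ -1152,6 +1152,8 @@`), `char tty='\0';` declares a single character and relies on that one byte being the NUL terminator when `&tty` is later passed where a tty name string is expected. If an empty name is the intent, `char *tty = "";` says so directly and avoids the lone-byte trick; the spacing around `=` also differs from the surrounding code.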
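Review bot: the second hunk (`@@ -1196,6 +1198,9 @@`) carries the substantive fix for the "Couldn't set usrinfo: Not owner" failure quoted above, since `aix_usrinfo(pw, &tty, -1)` now runs ahead of `permanently_set_uid(pw)` while the process still has the privileges usrinfo needs. The cost is that the real tty name and descriptor the removed call supplied (`s->tty`, `s->ttyfd`) are not available at this point, so whatever aix_usrinfo derives from them is now empty or absent; that regression should be stated in the patch description rather than left for AIX users to discover.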
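Review bot: in the third hunk (`@@ -1258,9 +1263,6 @@`), the removed call means the non-privsep path that previously set usrinfo at this point now depends on `do_setusercontext(pw)` on the following line doing it. That holds for the call shown, but it is worth confirming that no other path reaches a user shell on AIX without passing through do_setusercontext, so that no session is left with usrinfo unset.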
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 26 Jun 2002 01:41:04 +1000 (EST) Subject: [Bug 296] Priv separation does not work on OSF/1 Message-ID: <20020625154104.E54C8E902@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=296 ------- Additional Comments From Al.Smith at gold.net 2002-06-26 01:41 ------- Yeah, I'm sure that UsePrivilegeSeparation yes is the spanner in the works. Attached is the output from ssh -d -d -d for your perusal. First case is with UsePrivilegeSeparation no, second is with yes. Same results occur with 4.0F, as described earlier. # ./sshd -d -d -d debug3: Seeding PRNG from /sys/inet/ssh/libexec/ssh-rand-helper debug1: sshd version OpenSSH_3.3 debug1: private host key: #0 type 0 RSA1 debug3: Not a RSA1 key file /sys/inet/ssh/etc/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #1 type 2 DSA debug3: Not a RSA1 key file /sys/inet/ssh/etc/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #2 type 1 RSA debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. debug1: Server will not fork when running in debugging mode. 
Connection from 172.20.32.65 port 24513 debug1: Client protocol version 2.0; client software version OpenSSH_3.3 debug1: match: OpenSSH_3.3 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.3 debug1: list_hostkey_types: ssh-dss,ssh-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-dss,ssh-rsa debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug1: dh_gen_key: priv key bits set: 124/256 debug1: bits set: 1013/2049 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug1: bits set: 1069/2049 debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user ajs service ssh-connection method none debug1: attempt 0 failures 0 debug2: input_userauth_request: setting up authctxt for ajs debug2: input_userauth_request: try method none Failed none for ajs from 172.20.32.65 port 24513 ssh2 debug1: userauth-request for user ajs service ssh-connection method publickey debug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 1000/1000 (e=0) debug1: trying public key file /u/ajs/.ssh/authorized_keys debug3: secure_filename: checking '/u/ajs/.ssh' debug3: secure_filename: checking '/u/ajs' debug3: secure_filename: terminating check at '/u/ajs' debug1: matching key found: file /u/ajs/.ssh/authorized_keys, line 2 Found matching RSA key: 50:e9:c4:a3:1d:21:6d:97:79:48:54:3d:9a:7e:43:29 debug1: restore_uid debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Postponed publickey for ajs from 172.20.32.65 port 24513 ssh2 debug1: userauth-request for user ajs service ssh-connection method publickey debug1: attempt 2 failures 1 debug2: input_userauth_request: try method publickey debug1: temporarily_use_uid: 1000/1000 (e=0) debug1: trying public key file /u/ajs/.ssh/authorized_keys debug3: secure_filename: checking '/u/ajs/.ssh' debug3: 
secure_filename: checking '/u/ajs' debug3: secure_filename: terminating check at '/u/ajs' debug1: matching key found: file /u/ajs/.ssh/authorized_keys, line 2 Found matching RSA key: 50:e9:c4:a3:1d:21:6d:97:79:48:54:3d:9a:7e:43:29 debug1: restore_uid debug1: ssh_rsa_verify: signature correct debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa Accepted publickey for ajs from 172.20.32.65 port 24513 ssh2 debug1: Entering interactive session for SSH2. debug1: fd 3 setting O_NONBLOCK debug1: fd 8 setting O_NONBLOCK debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_channel_req: channel 0 request pty-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. 
debug1: session_pty_req: session 0 alloc /dev/pts/2 debug3: tty_parse_modes: SSH2 n_bytes 266 debug3: tty_parse_modes: ospeed 19200 debug3: tty_parse_modes: ispeed 19200 debug3: tty_parse_modes: 1 3 debug3: tty_parse_modes: 2 28 debug3: tty_parse_modes: 3 8 debug3: tty_parse_modes: 4 21 debug3: tty_parse_modes: 5 4 debug3: tty_parse_modes: 6 0 debug3: tty_parse_modes: 7 0 debug3: tty_parse_modes: 8 17 debug3: tty_parse_modes: 9 19 debug3: tty_parse_modes: 10 26 debug3: tty_parse_modes: 11 0 debug3: tty_parse_modes: 12 18 debug3: tty_parse_modes: 13 23 debug3: tty_parse_modes: 14 22 debug1: Ignoring unsupported tty mode opcode 16 (0x10) debug3: tty_parse_modes: 18 15 debug3: tty_parse_modes: 30 1 debug3: tty_parse_modes: 31 0 debug3: tty_parse_modes: 32 0 debug3: tty_parse_modes: 33 1 debug3: tty_parse_modes: 34 0 debug3: tty_parse_modes: 35 0 debug3: tty_parse_modes: 36 1 debug3: tty_parse_modes: 37 0 debug3: tty_parse_modes: 38 1 debug3: tty_parse_modes: 39 1 debug3: tty_parse_modes: 40 0 debug3: tty_parse_modes: 41 0 debug3: tty_parse_modes: 50 1 debug3: tty_parse_modes: 51 1 debug3: tty_parse_modes: 52 0 debug3: tty_parse_modes: 53 1 debug3: tty_parse_modes: 54 1 debug3: tty_parse_modes: 55 1 debug3: tty_parse_modes: 56 0 debug3: tty_parse_modes: 57 0 debug3: tty_parse_modes: 58 0 debug3: tty_parse_modes: 59 1 debug3: tty_parse_modes: 60 1 debug3: tty_parse_modes: 61 1 debug3: tty_parse_modes: 62 0 debug3: tty_parse_modes: 70 1 debug3: tty_parse_modes: 71 0 debug3: tty_parse_modes: 72 1 debug3: tty_parse_modes: 73 0 debug3: tty_parse_modes: 74 0 debug3: tty_parse_modes: 75 0 debug3: tty_parse_modes: 90 1 debug3: tty_parse_modes: 91 1 debug3: tty_parse_modes: 92 0 debug3: tty_parse_modes: 93 0 debug1: server_input_channel_req: channel 0 request x11-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req x11-req debug1: bind port 6010: Can't assign requested address debug1: fd 11 setting O_NONBLOCK debug2: fd 11 
is O_NONBLOCK debug1: channel 1: new [X11 inet listener] debug1: server_input_channel_req: channel 0 request auth-agent-req at openssh.com reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req auth-agent-req at openssh.com debug1: temporarily_use_uid: 1000/1000 (e=0) debug1: restore_uid debug1: fd 12 setting O_NONBLOCK debug2: fd 12 is O_NONBLOCK debug1: channel 2: new [auth socket] debug1: server_input_channel_req: channel 0 request shell reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req shell debug1: fd 5 setting TCP_NODELAY debug1: channel 0: rfd 10 isatty debug1: fd 10 setting O_NONBLOCK debug2: fd 9 is O_NONBLOCK debug1: Setting controlling tty using TIOCSCTTY. debug1: Received SIGCHLD. debug1: session_by_pid: pid 133618 debug1: session_exit_message: session 0 channel 0 pid 133618 debug1: channel request 0: exit-status debug1: session_exit_message: release channel 0 debug1: channel 0: write failed debug1: channel 0: close_write debug1: channel 0: output open -> closed debug1: session_close: session 0 pid 133618 debug1: session_pty_cleanup: session 0 release /dev/pts/2 debug2: notify_done: reading debug1: channel 0: read<=0 rfd 10 len -1 debug1: channel 0: read failed debug1: channel 0: close_read debug1: channel 0: input open -> drain debug1: channel 0: ibuf empty debug1: channel 0: send eof debug1: channel 0: input drain -> closed debug1: channel 0: send close debug3: channel 0: will not send data after close debug1: channel 0: rcvd close debug3: channel 0: will not send data after close debug1: channel 0: is dead debug1: channel 0: garbage collecting debug1: channel_free: channel 0: server-session, nchannels 3 debug3: channel_free: status: The following connections are open: #0 server-session (t4 r0 i3/0 o3/0 fd -1/-1) debug3: channel_close_fds: channel 0: r -1 w -1 e -1 Connection closed by remote host. 
debug1: channel_free: channel 1: X11 inet listener, nchannels 2 debug3: channel_free: status: The following connections are open: debug3: channel_close_fds: channel 1: r 11 w 11 e -1 debug1: channel_free: channel 2: auth socket, nchannels 1 debug3: channel_free: status: The following connections are open: debug3: channel_close_fds: channel 2: r 12 w 12 e -1 debug1: temporarily_use_uid: 1000/1000 (e=0) debug1: restore_uid Closing connection to 172.20.32.65 # ./sshd -d -d -d debug3: Seeding PRNG from /sys/inet/ssh/libexec/ssh-rand-helper debug1: sshd version OpenSSH_3.3 debug1: private host key: #0 type 0 RSA1 debug3: Not a RSA1 key file /sys/inet/ssh/etc/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #1 type 2 DSA debug3: Not a RSA1 key file /sys/inet/ssh/etc/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #2 type 1 RSA debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. debug1: Server will not fork when running in debugging mode. 
Connection from 172.20.32.65 port 24578 debug1: Client protocol version 2.0; client software version OpenSSH_3.3 debug1: match: OpenSSH_3.3 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.3 debug2: Network child is on pid 133718 debug3: preauth child monitor started debug3: mm_request_receive entering debug3: privsep user:group 903:903 debug1: list_hostkey_types: ssh-dss,ssh-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-dss,ssh-rsa debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: 
kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug3: mm_request_send entering: type 0 debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI debug3: mm_request_receive_expect entering: type 1 debug3: mm_request_receive entering debug3: monitor_read: checking request 0 debug3: mm_answer_moduli: got parameters: 1024 2048 8192 debug3: mm_request_send entering: type 1 debug3: mm_choose_dh: remaining 0 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug1: dh_gen_key: priv key bits set: 127/256 debug1: bits set: 1010/2049 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug2: monitor_read: 0 used once, disabling now debug3: mm_request_receive entering debug1: bits set: 1057/2049 debug3: mm_key_sign entering debug3: mm_request_send entering: type 4 debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN debug3: mm_request_receive_expect entering: type 5 debug3: mm_request_receive entering debug3: monitor_read: checking request 4 debug3: mm_answer_sign debug3: mm_answer_sign: signature 140053aa0(143) debug3: mm_request_send entering: type 5 debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive entering debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user ajs service ssh-connection method none debug1: attempt 0 failures 0 debug3: mm_getpwnamallow entering debug3: mm_request_send entering: type 6 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM debug3: mm_request_receive_expect entering: type 7 
debug3: mm_request_receive entering debug3: monitor_read: checking request 6 debug3: mm_answer_pwnamallow debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 7 debug2: monitor_read: 6 used once, disabling now debug3: mm_request_receive entering debug2: input_userauth_request: setting up authctxt for ajs debug3: mm_inform_authserv entering debug3: mm_request_send entering: type 3 debug2: input_userauth_request: try method none debug3: mm_auth2_read_banner entering debug3: mm_request_send entering: type 8 debug3: mm_request_receive_expect entering: type 9 debug3: mm_request_receive entering debug3: monitor_read: checking request 3 debug3: mm_answer_authserv: service=ssh-connection, style= debug2: monitor_read: 3 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 8 debug3: mm_request_send entering: type 9 debug2: monitor_read: 8 used once, disabling now debug3: mm_request_receive entering debug1: userauth_banner: sent debug3: mm_auth_password entering debug3: mm_request_send entering: type 10 debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD debug3: mm_request_receive_expect entering: type 11 debug3: mm_request_receive entering debug3: monitor_read: checking request 10 debug3: mm_answer_authpassword: sending result 0 debug3: mm_request_send entering: type 11 Failed none for ajs from 172.20.32.65 port 24578 ssh2 debug3: mm_request_receive entering debug3: mm_auth_password: user not authenticated Failed none for ajs from 172.20.32.65 port 24578 ssh2 debug1: userauth-request for user ajs service ssh-connection method publickey debug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug3: mm_key_allowed entering debug3: mm_request_send entering: type 20 debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED debug3: mm_request_receive_expect entering: type 21 debug3: mm_request_receive 
entering debug3: monitor_read: checking request 20 debug3: mm_answer_keyallowed entering debug3: mm_answer_keyallowed: key_from_blob: 14005c080 debug1: temporarily_use_uid: 1000/1000 (e=0) debug1: trying public key file /u/ajs/.ssh/authorized_keys debug3: secure_filename: checking '/u/ajs/.ssh' debug3: secure_filename: checking '/u/ajs' debug3: secure_filename: terminating check at '/u/ajs' debug1: matching key found: file /u/ajs/.ssh/authorized_keys, line 2 Found matching RSA key: 50:e9:c4:a3:1d:21:6d:97:79:48:54:3d:9a:7e:43:29 debug1: restore_uid debug3: mm_answer_keyallowed: key 14005c080 is allowed debug3: mm_request_send entering: type 21 debug3: mm_request_receive entering debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Postponed publickey for ajs from 172.20.32.65 port 24578 ssh2 debug1: userauth-request for user ajs service ssh-connection method publickey debug1: attempt 2 failures 1 debug2: input_userauth_request: try method publickey debug3: mm_key_allowed entering debug3: mm_request_send entering: type 20 debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED debug3: mm_request_receive_expect entering: type 21 debug3: mm_request_receive entering debug3: monitor_read: checking request 20 debug3: mm_answer_keyallowed entering debug3: mm_answer_keyallowed: key_from_blob: 14005c1e0 debug1: temporarily_use_uid: 1000/1000 (e=0) debug1: trying public key file /u/ajs/.ssh/authorized_keys debug3: secure_filename: checking '/u/ajs/.ssh' debug3: secure_filename: checking '/u/ajs' debug3: secure_filename: terminating check at '/u/ajs' debug1: matching key found: file /u/ajs/.ssh/authorized_keys, line 2 Found matching RSA key: 50:e9:c4:a3:1d:21:6d:97:79:48:54:3d:9a:7e:43:29 debug1: restore_uid debug3: mm_answer_keyallowed: key 14005c1e0 is allowed debug3: mm_request_send entering: type 21 debug3: mm_request_receive entering debug3: mm_key_verify entering debug3: mm_request_send entering: type 22 debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY 
debug3: mm_request_receive_expect entering: type 23 debug3: mm_request_receive entering debug3: monitor_read: checking request 22 debug1: ssh_rsa_verify: signature correct debug3: mm_answer_keyverify: key 14004eee0 signature verified debug3: mm_request_send entering: type 23 Accepted hostbased for ajs from 172.20.32.65 port 24578 ssh2 debug1: monitor_child_preauth: ajs has been authenticated by privileged process debug3: mm_get_keystate: Waiting for new keys debug3: mm_request_receive_expect entering: type 24 debug3: mm_request_receive entering debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa Accepted publickey for ajs from 172.20.32.65 port 24578 ssh2 debug3: mm_send_keystate: Sending new keys: 14004ed80 14004ec80 debug3: mm_newkeys_to_blob: converting 14004ed80 debug3: mm_newkeys_to_blob: converting 14004ec80 debug3: mm_send_keystate: New keys have been sent debug3: mm_send_keystate: Sending compression state debug3: mm_request_send entering: type 24 debug3: mm_send_keystate: Finished sending state debug3: mm_newkeys_from_blob: 140054220(122) debug2: mac_init: found hmac-md5 debug3: mm_get_keystate: Waiting for second key debug3: mm_newkeys_from_blob: 140054040(122) debug2: mac_init: found hmac-md5 debug3: mm_get_keystate: Getting compression state debug3: mm_get_keystate: Getting Network I/O buffers debug3: mm_share_sync: Share sync debug3: mm_share_sync: Share sync end debug2: User child is on pid 133720 debug3: mm_request_receive entering debug1: newkeys: mode 0 debug1: newkeys: mode 1 debug1: Entering interactive session for SSH2. 
debug1: fd 8 setting O_NONBLOCK
debug1: fd 9 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug3: mm_request_send entering: type 25
debug3: monitor_read: checking request 25
debug3: mm_answer_pty entering
debug1: session_new: init
debug1: session_new: session 0
debug3: mm_request_send entering: type 26
debug3: Trying to reverse map address 172.20.32.65.
debug3: mm_pty_allocate: waiting for MONITOR_ANS_PTY
debug3: mm_request_receive_expect entering: type 26
debug3: mm_request_receive entering
debug1: session_pty_req: session 0 alloc /dev/pts/2
debug3: tty_parse_modes: SSH2 n_bytes 266
debug3: tty_parse_modes: ospeed 19200
debug3: tty_parse_modes: ispeed 19200
debug3: tty_parse_modes: 1 3
debug3: tty_parse_modes: 2 28
debug3: tty_parse_modes: 3 8
debug3: tty_parse_modes: 4 21
debug3: tty_parse_modes: 5 4
debug3: tty_parse_modes: 6 0
debug3: tty_parse_modes: 7 0
debug3: tty_parse_modes: 8 17
debug3: tty_parse_modes: 9 19
debug3: tty_parse_modes: 10 26
debug3: tty_parse_modes: 11 0
debug3: tty_parse_modes: 12 18
debug3: tty_parse_modes: 13 23
debug3: tty_parse_modes: 14 22
debug1: Ignoring unsupported tty mode opcode 16 (0x10)
debug3: tty_parse_modes: 18 15
debug3: tty_parse_modes: 30 1
debug3: tty_parse_modes: 31 0
debug3: tty_parse_modes: 32 0
debug3: tty_parse_modes: 33 1
debug3: tty_parse_modes: 34 0
debug3: tty_parse_modes: 35 0
debug3: tty_parse_modes: 36 1
debug3: tty_parse_modes: 37 0
debug3: tty_parse_modes: 38 1
debug3: tty_parse_modes: 39 1
debug3: tty_parse_modes: 40 0
debug3: tty_parse_modes: 41 0
debug3: tty_parse_modes: 50 1
debug3: tty_parse_modes: 51 1
debug3: tty_parse_modes: 52 0
debug3: tty_parse_modes: 53 1
debug3: tty_parse_modes: 54 1
debug3: tty_parse_modes: 55 1
debug3: tty_parse_modes: 56 0
debug3: tty_parse_modes: 57 0
debug3: tty_parse_modes: 58 0
debug3: tty_parse_modes: 59 1
debug3: tty_parse_modes: 60 1
debug3: mm_answer_pty: tty /dev/pts/2 ptyfd 3
debug3: mm_request_receive entering
debug3: tty_parse_modes: 61 1
debug3: tty_parse_modes: 62 0
debug3: tty_parse_modes: 70 1
debug3: tty_parse_modes: 71 0
debug3: tty_parse_modes: 72 1
debug3: tty_parse_modes: 73 0
debug3: tty_parse_modes: 74 0
debug3: tty_parse_modes: 75 0
debug3: tty_parse_modes: 90 1
debug3: tty_parse_modes: 91 1
debug3: tty_parse_modes: 92 0
debug3: tty_parse_modes: 93 0
debug1: server_input_channel_req: channel 0 request x11-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req x11-req
debug1: bind port 6010: Can't assign requested address
debug1: fd 12 setting O_NONBLOCK
debug2: fd 12 is O_NONBLOCK
debug1: channel 1: new [X11 inet listener]
debug1: server_input_channel_req: channel 0 request auth-agent-req at openssh.com reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req auth-agent-req at openssh.com
debug1: temporarily_use_uid: 1000/1000 (e=1000)
debug1: restore_uid
debug1: fd 13 setting O_NONBLOCK
debug2: fd 13 is O_NONBLOCK
debug1: channel 2: new [auth socket]
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: fd 5 setting TCP_NODELAY
debug1: channel 0: rfd 11 isatty
debug1: fd 11 setting O_NONBLOCK
debug2: fd 10 is O_NONBLOCK
debug1: Setting controlling tty using TIOCSCTTY.
debug3: monitor_read: checking request 27
debug3: mm_answer_pty_cleanup entering
debug1: session_by_tty: session 0 tty /dev/pts/2
debug3: mm_session_close: session 0 pid 133720
debug3: mm_session_close: tty /dev/pts/2 ptyfd 3
debug1: session_pty_cleanup: session 0 release /dev/pts/2
debug3: mm_request_receive entering
Connection closed by remote host.
debug1: channel_free: channel 0: server-session, nchannels 3
debug3: channel_free: status: The following connections are open:
  #0 server-session (t4 r0 i0/1037 o0/0 fd 11/10)
debug3: channel_close_fds: channel 0: r 11 w 10 e -1
debug1: channel_free: channel 1: X11 inet listener, nchannels 2
debug3: channel_free: status: The following connections are open:
debug3: channel_close_fds: channel 1: r 12 w 12 e -1
debug1: channel_free: channel 2: auth socket, nchannels 1
debug3: channel_free: status: The following connections are open:
debug3: channel_close_fds: channel 2: r 13 w 13 e -1
debug1: session_close: session 0 pid 133721
debug3: mm_request_send entering: type 27
debug3: monitor_read: checking request 27
debug3: mm_answer_pty_cleanup entering
debug1: session_by_tty: unknown tty /dev/pts/2
debug1: dump: used 0 session 0 140040488 channel -1 pid 133720
debug1: dump: used 0 session 0 140040650 channel 0 pid 0
debug1: dump: used 0 session 0 140040818 channel 0 pid 0
debug1: dump: used 0 session 0 1400409e0 channel 0 pid 0
debug1: dump: used 0 session 0 140040ba8 channel 0 pid 0
debug1: dump: used 0 session 0 140040d70 channel 0 pid 0
debug1: dump: used 0 session 0 140040f38 channel 0 pid 0
debug1: dump: used 0 session 0 140041100 channel 0 pid 0
debug1: dump: used 0 session 0 1400412c8 channel 0 pid 0
debug1: dump: used 0 session 0 140041490 channel 0 pid 0
debug3: mm_request_receive entering
debug1: Received SIGCHLD.
debug1: temporarily_use_uid: 1000/1000 (e=1000)
debug1: restore_uid
Closing connection to 172.20.32.65
debug3: mm_request_send entering: type 38
debug3: monitor_read: checking request 38
debug3: mm_answer_term: tearing down sessions

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From russell at rademacher.org Wed Jun 26 01:45:30 2002
From: russell at rademacher.org (Russell "Elik" Rademacher)
Date: Tue, 25 Jun 2002 11:45:30 -0400
Subject: Public Key Authentication Bug
Message-ID: <004301c21c5f$5ba3d690$0a01a8c0@pippy>

Greetings all.

I usually don't get involved in the mailing lists unless it is of a major
importance. Here is a new problem that came up with the 3.3.p1 version, which
I already reported to the Mandrake Developers on their RPM build.

Basically, it boils down to this. In the Priv Separation Mode or not, the
public Key Authentication is thoroughly broken on all 3 versions of Keys,
RSA1, RSA, and DSA versions. It applies to SSH1 and SSH2.

This is reported on 7.2 version Mandrake with the 2.2. Kernel Build. I am
still working on testing it on the 2.4 Kernel Build to see how it works out
on the Redhat. This SSH Build has a patch from Solar Designer which is made
to make it work on 2.2 Kernel. But other than that, the functionality of the
SSH is perfect and working as usual. Just no Public Key Authentication.

From cmadams at hiwaay.net Wed Jun 26 01:55:41 2002
From: cmadams at hiwaay.net (Chris Adams)
Date: Tue, 25 Jun 2002 10:55:41 -0500
Subject: OpenSSH 3.3 released
In-Reply-To: ; from mouring@etoh.eviladmin.org on Mon, Jun 24, 2002 at 04:42:29PM -0500
References: <20020622133309.GW15772@citi.citi.umich.edu>
Message-ID: <20020625105541.G137372@hiwaay.net>

Once upon a time, Ben Lindstrom said:
> You face the same issue that AIX does.
>
> 1. we need to get session_setup_sia() into do_setusercontext().
> 2. Need to preallocate a tty since TTY allocation does not normally
> happen until WAY after privsep takes effect.
>
> I think we could kill two birds with one stone if you look at how we can
> semi-cleanly handle pre-allocation of a TTY while we still have root.

Are you thinking about pre-allocating a TTY and then throwing it away if
it isn't needed?
-- 
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From binder at arago.de Wed Jun 26 02:05:57 2002
From: binder at arago.de (Thomas Binder)
Date: Tue, 25 Jun 2002 18:05:57 +0200
Subject: 3.3p1 patch for Solaris 2.6
In-Reply-To: <20020625145253.2AA8E7BA@starfruit.itojun.org>; from itojun@iijlab.net on Tue, Jun 25, 2002 at 11:52:53PM +0900
References: <20020625145253.2AA8E7BA@starfruit.itojun.org>
Message-ID: <20020625180557.A3050553@ohm.arago.de>

Hi!

On Tue, Jun 25, 2002 at 11:52:53PM +0900, Jun-ichiro itojun Hagino wrote:
> here's a patch to 3.3p1 for Solaris 2.6 - it does not handle
> mmap() with fd = -1. does it look okay?

Strange thing is that here 3.3p1 works out of the box on Solaris 2.6.
What problems did you encounter?

Ciao

Thomas

From jmknoble at pobox.com Wed Jun 26 02:15:40 2002
From: jmknoble at pobox.com (Jim Knoble)
Date: Tue, 25 Jun 2002 12:15:40 -0400
Subject: use libcrypt before libcrypto
In-Reply-To: <20020625023104.09EDF4B24@coconut.itojun.org>; from itojun@iijlab.net on Tue, Jun 25, 2002 at 11:31:04AM +0900
References: <20020624212517.A8211@oolong.il.thewrittenword.com> <20020625023104.09EDF4B24@coconut.itojun.org>
Message-ID: <20020625121540.I20075@zax.half.pint-stowp.cx>

[Copied to openssl-users at openssl.org]

Circa 2002-Jun-25 11:31:04 +0900 dixit itojun at iijlab.net:

: >> +# use libcrypt if there is
: >> +AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt")
: >> +
: >AC_CHECK_LIB(crypt, crypt) will automatically add -lcrypt to $LIBS. It
: >will also define HAVE_LIBCRYPT (is this what you're trying to avoid)?
: >Anyway, I'd prefer:
: > AC_CHECK_FUNCS(crypt, , AC_CHECK_LIB(crypt, crypt))
: >This way we check if crypt is resolvable using the existing $LIBS and,
: >if not, use $LIBS+-lcrypt.
: 
: either way is fine for me, as long as crypt() supplied by the
: native system is preferred to openssl crypt(). thanks.
: 
: itojun

Isn't this really a problem for OpenSSL? I know that several vendors
(notably Linux ones...) already patch OpenSSL to remove crypt() from
OpenSSL's libcrypto, so that crypt() is only available via the system
libcrypt. Even the stock OpenSSL-0.9.6d sources omit crypt() under
FreeBSD, NeXT, and Darwin.

I really think that OpenSSL should not contain crypt() at all. For
situations where the system crypt() is so broken as to prefer OpenSSL's
implementation, the symbol should be openssl_crypt(), or something
similarly named, and it's up to the calling application to #define it
as crypt() or not.

-- 
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 262 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020625/0b4bf641/attachment.bin

From luc at suryo.com Wed Jun 26 02:16:41 2002
From: luc at suryo.com (Luc I. Suryo)
Date: Tue, 25 Jun 2002 11:16:41 -0500
Subject: /dev/urandom|random and Solaris
Message-ID: <20020625161641.GD18247@nc1701.suryo.com>

Hello,

Being new to the list I hope this question has not been asked before....
As you might know Solaris 9 supports /dev/random and /dev/urandom by
default and earlier versions need to install a patch to have these
devices....

But the configuration script under Solaris (Sparc/X86) does not test for the
existence of the devices... is this a known error/bug? and is
there a patch?

thanks

-- 
Kind regards,

Luc Suryo

From nalin at redhat.com Wed Jun 26 02:22:56 2002
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Tue, 25 Jun 2002 12:22:56 -0400
Subject: PAMAuthenticationViaKbdInt and KeyAuth
In-Reply-To: <20020625145850.GH17662@faui02>; from markus@openbsd.org on Tue, Jun 25, 2002 at 04:58:50PM +0200
References: <200206251520.12828.smueller@atsec.com> <20020625145850.GH17662@faui02>
Message-ID: <20020625122256.B19444@redhat.com>

On Tue, Jun 25, 2002 at 04:58:50PM +0200, Markus Friedl wrote:
> PAMAuthenticationViaKbdInt
>   Specifies whether PAM challenge response authentication is al-
>   lowed. This allows the use of most PAM challenge response authen-
>   tication modules, but it will allow password authentication re-
>   gardless of whether PasswordAuthentication is yes, the password
>   provided by the user will be validated through the Kerberos KDC.
>   To use this option, the server needs a Kerberos servtab which al-
>   lows the verification of the KDC's identity. Default is ``no''.

That doesn't look right -- there's nothing that ties this to Kerberos
unless a Kerberos PAM is in use. Attached is a possible correction.

Nalin
-------------- next part --------------
Index: sshd_config.5
===================================================================
RCS file: /cvs/openssh/sshd_config.5,v
retrieving revision 1.2
diff -u -u -r1.2 sshd_config.5
--- sshd_config.5	23 Jun 2002 00:35:26 -0000	1.2
+++ sshd_config.5	25 Jun 2002 16:20:43 -0000
@@ -305,10 +305,6 @@
 .It Cm KerberosAuthentication
 Specifies whether Kerberos authentication is allowed.
 This can be in the form of a Kerberos ticket, or if
-.It Cm PAMAuthenticationViaKbdInt
-Specifies whether PAM challenge response authentication is allowed. This
-allows the use of most PAM challenge response authentication modules, but
-it will allow password authentication regardless of whether
 .Cm PasswordAuthentication
 is yes, the password provided by the user will be validated through the
 Kerberos KDC.
@@ -425,6 +421,12 @@
 are refused if the number of unauthenticated connections reaches
 .Dq full
 (60).
+.It Cm PAMAuthenticationViaKbdInt
+Specifies whether PAM challenge response authentication is allowed. This
+allows the use of most PAM challenge response authentication modules, but
+it will allow password authentication regardless of whether
+.Cm PasswordAuthentication
+is enabled.
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is

From bugzilla-daemon at mindrot.org Wed Jun 26 02:31:55 2002
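Review bot: In the second hunk (@@ -425,6 +421,12 @@) the moved paragraph now ends with "is enabled." where the text it was lifted from said "is yes"; PasswordAuthentication takes yes/no, so "is set to yes" keeps the wording consistent with the rest of sshd_config.5. The move itself is right: the four lines had been spliced into the middle of the KerberosAuthentication sentence, which after the first hunk again reads ".. or if PasswordAuthentication is yes, the password provided by the user will be validated through the Kerberos KDC." The one sentence worth keeping word for word is the warning that PAM challenge-response "will allow password authentication regardless of whether PasswordAuthentication" is set: an administrator who turns off PasswordAuthentication to disallow passwords must also set PAMAuthenticationViaKbdInt to no, and the entry could say so explicitly.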
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Jun 2002 02:31:55 +1000 (EST)
Subject: [Bug 297] New: sshd version 3.3 incompatible with pre-3.3 clients in ssh1 mode
Message-ID: <20020625163155.8A119E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=297

           Summary: sshd version 3.3 incompatible with pre-3.3 clients in ssh1 mode
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: henrik-sshbugzilla at hswn.dk

After installing the 3.3p1 release on our webserver, I have received a couple
of reports from users who can no longer login. It seems to be a problem only
when using ssh v1 protocol. The connection is terminated with a message
"Disconnecting: Corrupted check bytes on input."

The output from "ssh -v1" is:

$ ssh -v -1 sslug.dk
OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 501 geteuid 0 anon 1
debug1: Connecting to sslug.dk [130.228.2.150] port 22.
debug1: temporarily_use_uid: 501/504 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 501/504 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/tange/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.3
debug1: match: OpenSSH_3.3 pat ^OpenSSH
debug1: Local version string SSH-1.5-OpenSSH_2.9p2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'sslug.dk' is known and matches the RSA1 host key.
debug1: Found key in /home/tange/.ssh/known_hosts:3
debug1: Encryption type: blowfish
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
Disconnecting: Corrupted check bytes on input.
debug1: Calling cleanup 0x8067590(0x0)

I have an identical report from a user running a 3.1p1 client. However, I
cannot reproduce it myself with either a 3.3p1 or a 3.1p1 client. The logs on
the server do not indicate anything unusual.

Server is a heavily patched Red Hat 6.2 installation, running a Linux
2.4.19-pre10 kernel with OpenSSH 3.3p1 (rebuilt from the openssh.com
distribution). UsePrivilegeSeparation is enabled.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From phil-openssh-unix-dev at ipal.net Wed Jun 26 02:34:23 2002
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Tue, 25 Jun 2002 11:34:23 -0500
Subject: Works for me - Was: [Bug 293] New: sshd 3.3p1 doesn't work on Slackware
In-Reply-To: <20020625131344.DCB44E881@shitei.mindrot.org>
References: <20020625131344.DCB44E881@shitei.mindrot.org>
Message-ID: <20020625163423.GA12786@vega.ipal.net>

On Tue, Jun 25, 2002 at 11:13:44PM +1000, bugzilla-daemon at mindrot.org wrote:

| http://bugzilla.mindrot.org/show_bug.cgi?id=293
[...]
| After compiling sshd 3.3p1 on Slackware 7.2 and Slackware 8.0
| (for Slackware 7.2 with:
| LIBS=-lcrypt ./configure --with-ssl-dir=/usr/local/openssl-0.9.6d --with-tcp-
| wrappers
| )
|
| the sshd doesn't allow new connections even though 3.2.3p1 does.
| The error i get in /var/log/syslog is:
| --
| Jun 25 11:27:14 Slynet sshd[18678]: fatal: mmap(65536): Invalid argument
| Jun 25 11:27:48 Slynet sshd[18682]: fatal: mmap(65536): Invalid argument
| Jun 25 11:30:31 Slynet sshd[18733]: fatal: mmap(65536): Invalid argument
| Jun 25 11:53:03 Slynet sshd[24948]: fatal: mmap(65536): Invalid argument
| Jun 25 11:53:25 Slynet sshd[24950]: fatal: mmap(65536): Invalid argument
| Jun 25 11:54:38 Slynet sshd[24954]: fatal: mmap(65536): Invalid argument
| Jun 25 12:22:40 Slynet sshd[31001]: fatal: mmap(65536): Invalid argument
| --
|
| This happens for every incoming connection .. the connection breaks off and the
| other client closes with a 'broken pipe'

I just compiled openssh 3.3p1 with openssl 0.9.6d and zlib 1.1.4 and it
works fine for me. The kernel is 2.4.18.

The only hitch I'm running into is trying to get a static compile done
(of at least sshd). Here's a snippet of what strace tells me:

=============================================================================
socketpair(PF_UNIX, SOCK_STREAM, 0, [3, 7]) = 0
shmat(3, 0x8097790, 0x2ptrace: umoven: Input/output error
) = ?
shmat(7, 0x8097790, 0x2ptrace: umoven: Input/output error
) = ?
mmap2(NULL, 65536, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0) = 0x40254000
mmap2(NULL, 1310720, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0) = 0x40264000
fork() = 29595
[pid 29595] close(7) = 0
[pid 29595] SYS_199(0x4023da58, 0, 0x4023e760, 0x4023c1f0, 0x80925e0) = 0
[pid 29595] open("/etc/passwd", O_RDONLY) = 7
[pid 29595] shmat(7, 0x4023e760, 0x1ptrace: umoven: Input/output error
) = ?
[pid 29595] shmat(7, 0x4023e760, 0x2ptrace: umoven: Input/output error
) = ?
[pid 29595] fstat64(0x7, 0xbfffebac) = 0
[pid 29595] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
[pid 29595] _llseek(7, 0, [0], SEEK_CUR) = 0
[pid 29595] read(7, "root:x:0:0:root:/root:/bin/tcsh\n"..., 4096) = 1522
[pid 29595] close(7) = 0
[pid 29595] munmap(0x40017000, 4096) = 0
[pid 29595] chroot("/var/empty") = 0
[pid 29595] chdir("/") = 0
[pid 29595] SYS_199(0x4023da58, 0, 0x4023e760, 0x4023c1f0, 0x809266f) = 0
[pid 29595] msgctl(65022, IPC_RMID, 0x4023c1f0) = 0
[pid 29595] open("/etc/group", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 29595] ipc_subcall(0x1, 0x8093138, 0x4023e760, 0x8093138) = 0
[pid 29595] msgctl(65022, IPC_STAT, 0x4023c1f0) = 0
[pid 29595] msgget(65022, 0x2|02) = 0
[pid 29595] SYS_199(0x4023da58, 0x2, 0x4023e760, 0x4023c1f0, 0x809266f) = 65022
[pid 29595] semop(1076091480, 0x4023c1f0, 2) = 65022
[pid 29595] write(2, "debug1: list_hostkey_types: ssh-"..., 45debug1: list_hostkey_types: ssh-dss,ssh-rsa
) = 45
[pid 29595] brk(0x809b000) = 0x809b000
[pid 29595] write(2, "debug1: SSH2_MSG_KEXINIT sent\r\n", 31debug1: SSH2_MSG_KEXINIT sent
) = 31
[pid 29595] write(4, "\0\0\1\274\t\24\213\34\323H\1\207*;\263\310\313\334\3\323"..., 448) = 448
[pid 29595] select(5, [4], NULL, NULL, NULL
[pid 29593] close(3) = 0
[pid 29593] read(7,
[pid 29595] <... select resumed> ) = 1 (in [4])
[pid 29595] read(4, "\0\0\1l\5\24\230p\367t6\315X_s\275\244=J\372\tz\0\0\0="..., 8192) = 368
=============================================================================

-- 
-----------------------------------------------------------------
| Phil Howard - KA9WGN |   Dallas   | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
-----------------------------------------------------------------

From nalin at redhat.com Wed Jun 26 02:39:57 2002
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Tue, 25 Jun 2002 12:39:57 -0400
Subject: PAM kbd-int with privsep
In-Reply-To: <1024969975.5925.172.camel@xenon>; from djm@mindrot.org on Tue, Jun 25, 2002 at 11:52:55AM +1000
References: <1024969975.5925.172.camel@xenon>
Message-ID: <20020625123957.A29726@redhat.com>

On Tue, Jun 25, 2002 at 11:52:55AM +1000, Damien Miller wrote:
> The following is a patch (based on FreeBSD code) which gets kbd-int
> working with privsep. It moves the kbd-int PAM conversation to a child
> process and communicates with it over a socket.
>
> The patch has a limitation: it does not handle multiple prompts - I have
> no idea how common these are in real-life. Furthermore it is not well
> tested at all (despite my many requests on openssh-unix-dev@).

It looks like this limitation exists because the authentication via PAM is
actually performed in a child of the privileged process, and the PAM handle
is lost after successful authentication when this child exits.

Once the PAM-encapsulating child exits, you don't have a context to perform
account or session management with, so the ability to perform PAM session
management is just lost. Because PAM data items can point to
dynamically-allocated memory, I don't see a clean way to transfer the
context data to the parent.

It might be fixable by modifying it to have the parent do the PAM work, but
it'd require an approach similar to the existing kbdint code, and I don't
know how it would work in the context of a monitoring setup.

It might also be resolved (at least for Linux-PAM 0.65 and later and
derivatives, I haven't a clue about other implementations) by using the
PAM_CONV_AGAIN/PAM_INCOMPLETE framework and letting the privileged process
drive the conversation, but the framework is not well supported by most of
the modules I've spot-checked. (That's fixable, though.)

Nalin

From mouring at etoh.eviladmin.org Wed Jun 26 02:30:26 2002
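The child-process design that Damien's patch uses and Nalin's message above analyses, as an added example that is not OpenSSH or FreeBSD code: the privileged parent forks a child that owns the (here simulated) PAM handle and relays prompts and answers over a socketpair. The fixed secret, the message types and the one-byte-type/four-byte-length framing are all constructed for the example; the parent loop is written to survive several prompts, which the patch as quoted does not.

```c
/*
 * Added example (not OpenSSH or FreeBSD code): kbd-int PAM conversation
 * owned by a child of the privileged process, driven over a socketpair.
 * A constructed fixed secret stands in for the PAM module; the "handle"
 * (struct pam_state) exists only inside the child and dies with it.
 */
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum { MSG_PROMPT = 1, MSG_ANSWER = 2, MSG_RESULT = 3 };   /* constructed */

/* Wire format on the socketpair (constructed): 1-byte type, 4-byte host-order
   length, then the bytes. Both ends are the same binary, so no byte swapping. */
static int send_msg(int fd, unsigned char type, const char *s)
{
    uint32_t len = (uint32_t)strlen(s);
    if (write(fd, &type, 1) != 1 || write(fd, &len, 4) != 4)
        return -1;
    return write(fd, s, len) == (ssize_t)len ? 0 : -1;
}

static int read_full(int fd, void *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, (char *)buf + got, n - got);
        if (r <= 0)
            return -1;
        got += (size_t)r;
    }
    return 0;
}

static int recv_msg(int fd, unsigned char *type, char *buf, size_t cap)
{
    uint32_t len;
    if (read_full(fd, type, 1) < 0 || read_full(fd, &len, 4) < 0 || len >= cap)
        return -1;                      /* oversized message: refuse, don't truncate */
    if (read_full(fd, buf, len) < 0)
        return -1;
    buf[len] = '\0';
    return 0;
}

/* Stand-in for a PAM handle: lives and dies with the child. */
struct pam_state { const char *user; int authenticated; };

/* Child side: prompt, check the answer, report, exit. Returns the exit status
   (0 = authenticated, 1 = rejected or protocol error). */
static int child_conversation(int sock, const char *user, const char *secret)
{
    struct pam_state pamh = { user, 0 };
    unsigned char t;
    char answer[256];

    if (send_msg(sock, MSG_PROMPT, "Password: ") < 0)
        return 1;
    if (recv_msg(sock, &t, answer, sizeof(answer)) < 0 || t != MSG_ANSWER)
        return 1;
    pamh.authenticated = (strcmp(answer, secret) == 0);
    send_msg(sock, MSG_RESULT, pamh.authenticated ? "ok" : "fail");
    /* pamh is gone once we _exit(): the lost-context limitation Nalin describes. */
    return pamh.authenticated ? 0 : 1;
}

/* Privileged-parent side. client_answer stands in for what the ssh client
   returns for each prompt. Returns 1 when the child authenticated, else 0. */
int kbdint_via_child(const char *user, const char *secret, const char *client_answer)
{
    int sv[2], status, ok = 0;
    unsigned char t;
    char buf[256];
    pid_t pid;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (pid = fork()) < 0)
        return 0;
    if (pid == 0) {
        close(sv[0]);
        _exit(child_conversation(sv[1], user, secret));
    }
    close(sv[1]);
    /* Loop until a result arrives, so a module issuing several prompts also works. */
    while (recv_msg(sv[0], &t, buf, sizeof(buf)) == 0) {
        if (t == MSG_PROMPT) {
            if (send_msg(sv[0], MSG_ANSWER, client_answer) < 0)
                break;
        } else if (t == MSG_RESULT) {
            ok = (strcmp(buf, "ok") == 0);
            break;
        }
    }
    close(sv[0]);
    if (waitpid(pid, &status, 0) < 0)
        return 0;
    /* Trust the "ok" only if the child also exited cleanly with status 0. */
    return ok && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("correct answer: %d\n", kbdint_via_child("alice", "s3cret", "s3cret"));
    printf("wrong answer:   %d\n", kbdint_via_child("alice", "s3cret", "nope"));
    return 0;
}
```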
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 25 Jun 2002 11:30:26 -0500 (CDT)
Subject: OpenSSH 3.3 released
In-Reply-To: <20020625105541.G137372@hiwaay.net>
Message-ID: 

I truly don't know how SIA works.. If you feed it a real TTY but in the end
never use it does it cause problems? How about if you feed it no TTY and you
really are using a TTY?

If you can get by with the latter concept for the time being that would
simplify your diff and be faster.

On Tue, 25 Jun 2002, Chris Adams wrote:

> Once upon a time, Ben Lindstrom said:
> > You face the same issue that AIX does.
> >
> > 1. we need to get session_setup_sia() into do_setusercontext().
> > 2. Need to preallocate a tty since TTY allocation does not normally
> > happen until WAY after privsep takes effect.
> >
> > I think we could kill two birds with one stone if you look at how we can
> > semi-cleanly handle pre-allocation of a TTY while we still have root.
>
> Are you thinking about pre-allocating a TTY and then throwing it away if
> it isn't needed?
> --
> Chris Adams
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
>

From markus at openbsd.org Wed Jun 26 02:49:25 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 25 Jun 2002 18:49:25 +0200
Subject: [Bug 296] Priv separation does not work on OSF/1
In-Reply-To: <20020625154104.E54C8E902@shitei.mindrot.org>
References: <20020625154104.E54C8E902@shitei.mindrot.org>
Message-ID: <20020625164925.GA776@faui02>

just a fyi:
it seems that fd-passing is broken on DEC OSF/1 DU-4.0d

so something like

> --- ../openssh-3.3/sshd.c	Fri Jun 21 01:05:56 2002
> +++ ./sshd.c	Fri Jun 21 21:17:37 2002
> @@ -596,7 +596,11 @@
>  		/* XXX - Remote port forwarding */
>  		x_authctxt = authctxt;
>  
> +#ifdef DEC_OSF...
> +		if (1) {
> +#else
>  		if (authctxt->pw->pw_uid == 0 || options.use_login) {
> +#endif
>  			/* File descriptor passing is broken or root login */
>  			monitor_apply_keystate(pmonitor);
>  			use_privsep = 0;
>

could help (it turns off privsep for post-auth, but you still get
protection against a certain class of attacks).

-m

From ed at UDel.Edu Wed Jun 26 02:52:30 2002
From: ed at UDel.Edu (Ed Phillips)
Date: Tue, 25 Jun 2002 12:52:30 -0400 (EDT)
Subject: /dev/urandom|random and Solaris
In-Reply-To: <20020625161641.GD18247@nc1701.suryo.com>
Message-ID: 

On Tue, 25 Jun 2002, Luc I. Suryo wrote:

> Date: Tue, 25 Jun 2002 11:16:41 -0500
> From: Luc I. Suryo
> To: openssh-unix-dev at mindrot.org
> Subject: /dev/urandom|random and Solaris
>
>
> Hello,
>
> Being new to the list I hope this question has not been asked before....
> As you might know Solaris 9 supports /dev/random and /dev/urandom by
> default and earlier versions need to install a patch to have these
> devices....
>
> But the configuration script under Solaris (Sparc/X86) does not test for the
> existence of the devices... is this a known error/bug? and is
> there a patch?

It doesn't need to... the OpenSSL code uses /dev/urandom if it exists.
If you want to change to /dev/random, you have to edit the code (look for
DEVRANDOM in the source).

With OpenSSH, you should use the configuration options to disable the
OpenSSH-supplied entropy gathering stuff (--with-rand-helper=no?).

Ed

Ed Phillips           University of Delaware           (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key

From bugzilla-daemon at mindrot.org Wed Jun 26 02:54:29 2002
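Review bot: In the sshd.c hunk at @@ -596,7 +596,11 @@ quoted in Markus Friedl's message above, "#ifdef DEC_OSF..." is a placeholder rather than an identifier; the "..." has to become a real macro before the file compiles, and since Cygwin has the same descriptor-passing problem (per Corinna's follow-up) a feature macro such as BROKEN_FD_PASSING set by configure, as Ben proposes later in the thread, fits better than a per-platform name. The "if (1) {" branch sends every session down the "use_privsep = 0" path that was reserved for root logins and UseLogin, so on those platforms the post-authentication sshd keeps running as root with no monitor; the comment "File descriptor passing is broken or root login" should state that this is now also the no-fd-passing fallback so a later cleanup does not drop the branch, and the pre-auth protection Markus mentions is all that remains there.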
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Jun 2002 02:54:29 +1000 (EST)
Subject: [Bug 296] Priv separation does not work on OSF/1
Message-ID: <20020625165429.5B796E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=296

------- Additional Comments From jss at ast.cam.ac.uk 2002-06-26 02:54 -------
I get this too with 4.0F and SSH1. I can log into the server as root (as long
as root logins are allowed), but with privsep on I can't log in as other
users. The connection just gets closed.

Debug ssh client:

OpenSSH_3.3, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /home/jss/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to xalph2 [131.111.68.136] port 22.
debug1: Connection established.
debug1: identity file /home/jss/.ssh/identity type 0
debug1: identity file /home/jss/.ssh/id_rsa type -1
debug1: identity file /home/jss/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.3
debug1: match: OpenSSH_3.3 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.3
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'xalph2' is known and matches the RSA1 host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:150
debug1: Encryption type: blowfish
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying RSA authentication with key '/home/jss/.ssh/identity'
debug1: Received RSA challenge from server.
debug1: Sending response to host key RSA challenge.
debug1: Remote: RSA authentication accepted.
debug1: RSA authentication accepted by server.
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: fd 3 setting TCP_NODELAY
debug1: Requesting shell.
debug1: Entering interactive session.
Connection to xalph2 closed by remote host.
Connection to xalph2 closed.
debug1: Transferred: stdin 0, stdout 0, stderr 75 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 15191.4
debug1: Exit status -1

On the server:

[root at xalph2 /var]# /usr/sbin/sshd -d
debug1: sshd version OpenSSH_3.3
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 131.111.68.219 port 33065
debug1: Client protocol version 1.5; client software version OpenSSH_3.3
debug1: match: OpenSSH_3.3 pat OpenSSH*
debug1: Local version string SSH-1.99-OpenSSH_3.3
debug1: Rhosts Authentication disabled, originating port 33065 not trusted.
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: blowfish
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Attempting authentication for jss.
Failed none for jss from 131.111.68.219 port 33065
debug1: temporarily_use_uid: 914/15 (e=0)
debug1: trying public RSA key file /home/jss/.ssh/authorized_keys
debug1: restore_uid
Accepted rsa for jss from 131.111.68.219 port 33065
debug1: : jss has been authenticated by privileged process
Found matching RSA1 key: d3:a3:b2:69:3e:e8:db:21:9a:8d:d0:83:ea:d4:e4:b4
Accepted rsa for jss from 131.111.68.219 port 33065
debug1: session_new: init
debug1: session_new: session 0
debug1: Installing crc compensation attack detector.
debug1: Allocating pty.
debug1: session_new: init
debug1: session_new: session 0
debug1: session_pty_req: session 0 alloc /dev/ttyp3
debug1: bind port 6010: Address already in use
debug1: bind port 6011: Address already in use
debug1: bind port 6012: Address already in use
debug1: fd 10 setting O_NONBLOCK
debug1: channel 0: new [X11 inet listener]
debug1: fd 4 setting TCP_NODELAY
debug1: Entering interactive session.
debug1: fd 7 setting O_NONBLOCK
debug1: fd 12 setting O_NONBLOCK
debug1: fd 13 setting O_NONBLOCK
debug1: server_init_dispatch_13
debug1: server_init_dispatch_15
debug1: Setting controlling tty using TIOCSCTTY.
debug1: session_by_tty: session 0 tty /dev/ttyp3
debug1: session_pty_cleanup: session 0 release /dev/ttyp3
Connection closed by remote host.
debug1: Calling cleanup 0x120064bcc(0x0)
debug1: channel_free: channel 0: X11 inet listener, nchannels 1
debug1: Calling cleanup 0x12004fab0(0x140030ce8)
debug1: Calling cleanup 0x120056f50(0x0)
: unpermitted request 27
debug1: Calling cleanup 0x120056f50(0x0)

In /var/adm/syslogs.dated/current:

Jun 25 17:46:41 xalph2 sshd[13114]: Accepted rsa for jss from 131.111.68.219 port 33087
Jun 25 17:46:42 xalph2 sshd[13120]: audgen(LOGIN): Permission denied
Jun 25 17:46:42 xalph2 sshd[13120]: fatal: Couldn't establish session for jss from xpc1.ast.cam.ac.uk
Jun 25 17:46:43 xalph2 sshd[13109]: fatal: : unpermitted request 27
Jun 25 17:46:52 xalph2 sshd[13114]: fatal: : unpermitted request 27

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From luc at suryo.com Wed Jun 26 03:09:51 2002
From: luc at suryo.com (Luc I. Suryo)
Date: Tue, 25 Jun 2002 12:09:51 -0500
Subject: /dev/urandom|random and Solaris
In-Reply-To: 
References: <20020625161641.GD18247@nc1701.suryo.com>
Message-ID: <20020625170951.GA19879@nc1701.suryo.com>

Thanks Ed,

I was confused by the message after ./configure and totally forgot that the
binary uses shared-lib and a 'strings' did not show /dev/urandom... i
recompiled against static-lib and 'truss' it, it uses /dev/urandom as
defined by the openssl libs.. which makes sense... i guess i was too much in
a hurry to get the new version pkg-ed :)

again thanks!

> > Date: Tue, 25 Jun 2002 11:16:41 -0500
> > From: Luc I. Suryo
> > To: openssh-unix-dev at mindrot.org
> > Subject: /dev/urandom|random and Solaris
> >
> >
> > Hello,
> >
> > Being new to the list I hope this question has not been asked before....
> > As you might know Solaris 9 supports /dev/random and /dev/urandom by
> > default and earlier versions need to install a patch to have these
> > devices....
> >
> > But the configuration script under Solaris (Sparc/X86) does not test for the
> > existence of the devices... is this a known error/bug? and is
> > there a patch?
>
> It doesn't need to... the OpenSSL code uses /dev/urandom if it exists.
> If you want to change to /dev/random, you have to edit the code (look for
> DEVRANDOM in the source).
>
> With OpenSSH, you should use the configuration options to disable the
> OpenSSH-supplied entropy gathering stuff (--with-rand-helper=no?).
>
> Ed
>
> Ed Phillips           University of Delaware           (302) 831-6082
> Systems Programmer III, Network and Systems Services
> finger -l ed at polycut.nss.udel.edu for PGP public key
>
--- End of ed at UDel.Edu's quote ---

-- 
Kind regards,

Luc Suryo

From mouring at etoh.eviladmin.org Wed Jun 26 03:02:44 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 25 Jun 2002 12:02:44 -0500 (CDT)
Subject: PrivSep and AIX 4.3.2
In-Reply-To: <3D188E18.BEBCF51A@zip.com.au>
Message-ID: 

this patch has gone into the CVS tree. Plus a note in the tree and into
TODO about the whole TTY= not being set.

On Wed, 26 Jun 2002, Darren Tucker wrote:

> Albert Chin wrote:
> > With 3.3p1 built on AIX 4.3.2:
> > $ ssh [blah]
> > Couldn't set usrinfo: Not owner
> > debug1: Calling cleanup 0x20019080(0x200219a0)
> > debug3: mm_request_send entering: type 27
> > debug1: Calling cleanup 0x20018dd4(0x0)
> > Connection to songohan closed by remote host.
> > Connection to songohan closed.
>
> Disable PrivSep ("UsePrivilegeSeparation no" in sshd_config) or if
> you're adventurous try the attached patch.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

From vinschen at redhat.com Wed Jun 26 03:14:16 2002
From: vinschen at redhat.com (Corinna Vinschen)
Date: Tue, 25 Jun 2002 19:14:16 +0200
Subject: [Bug 296] Priv separation does not work on OSF/1
In-Reply-To: <20020625164925.GA776@faui02>
References: <20020625154104.E54C8E902@shitei.mindrot.org> <20020625164925.GA776@faui02>
Message-ID: <20020625191416.D22705@cygbert.vinschen.de>

On Tue, Jun 25, 2002 at 06:49:25PM +0200, Markus Friedl wrote:
>
> just a fyi:
> it seems that fd-passing is broken on DEC OSF/1 DU-4.0d
>
> so something like
>
> > --- ../openssh-3.3/sshd.c	Fri Jun 21 01:05:56 2002
> > +++ ./sshd.c	Fri Jun 21 21:17:37 2002
> > @@ -596,7 +596,11 @@
> >  		/* XXX - Remote port forwarding */
> >  		x_authctxt = authctxt;
> >
> > +#ifdef DEC_OSF...

Thank you! I didn't know that this is possible. It also works
on Cygwin then since descriptor passing is the actual problem
preventing the usage of privsep on Cygwin.

Would you mind changing that to

#if defined (DEC_OSF) || defined (HAVE_CYGWIN)

???

If I understand that correctly, privsep still works for preauth
then. Is it correct that this doesn't create a second sshd
process? At least I don't see one in the process list when
privsep is on and the above patch applied.

Corinna

-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From mouring at etoh.eviladmin.org Wed Jun 26 03:08:37 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 25 Jun 2002 12:08:37 -0500 (CDT)
Subject: BSD/OS 5.0 + Privsep failure.
Message-ID: 

*Dianora* bsd/os 5.0 report
*Dianora* paul borman notice it would fail on /etc/login.conf
*Dianora* after it chrooted

Can I get someone running BSD/OS to trace down the offending block of code?

I'm also seeing if I can get someone from Wind River to join the list..
Anyone from Wind River? =)

- Ben

From kevin at atomicgears.com Wed Jun 26 03:17:24 2002
From: kevin at atomicgears.com (Kevin Steves) Date: Tue, 25 Jun 2002 10:17:24 -0700 Subject: BSD/OS with privsep In-Reply-To: <20020625104024.GA29885@faui02> References: <20020625104024.GA29885@faui02> Message-ID: <20020625171724.GA2020@jenny.crlsca.adelphia.net> On Tue, Jun 25, 2002 at 12:40:24PM +0200, Markus Friedl wrote: > +#if 0 > + /* XXX not ready, to heavy after chroot */ > do_setusercontext(pw); > +#else > + { > + gid_t gidset[2]; > + > + gidset[0] = pw->pw_gid; > + if (setgid(pw->pw_gid) < 0) > + fatal("setgid failed for %u", pw->pw_gid ); > + if (setgroups(1, gidset) < 0) > + fatal("setgroups: %.100s", strerror(errno)); > + permanently_set_uid(pw); > + } > +#endif this looks fine to me. > --- session.c.orig Tue Jun 25 13:28:07 2002 > +++ session.c Tue Jun 25 13:33:16 2002 > @@ -1154,22 +1154,26 @@ > { > #ifdef HAVE_CYGWIN > if (is_winnt) { > #else /* HAVE_CYGWIN */ > if (getuid() == 0 || geteuid() == 0) { > #endif /* HAVE_CYGWIN */ > #ifdef HAVE_SETPCRED > setpcred(pw->pw_name); > #endif /* HAVE_SETPCRED */ > #ifdef HAVE_LOGIN_CAP > - if (setusercontext(lc, pw, pw->pw_uid, > - (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { > + int flags = LOGIN_SETALL & ~LOGIN_SETPATH; > +#ifdef __bsdi__ > + if (getpid() != getpgrp()) > + flags &= ~LOGIN_SETLOGIN; > +#endif > + if (setusercontext(lc, pw, pw->pw_uid, flags) < 0) { > perror("unable to set user context"); > exit(1); > } i don't understand the reasons for setlogin() differences between bsdi !bsdi. From mouring at etoh.eviladmin.org Wed Jun 26 03:10:43 2002 
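Review bot: in the sshd.c hunk, `fatal("setgid failed for %u", pw->pw_gid );` hands a gid_t to a %u conversion, which is only correct where gid_t happens to be unsigned int; cast it, e.g. `fatal("setgid failed for %u", (u_int)pw->pw_gid);`. The `gid_t gidset[2]` array only ever has element 0 filled and is passed as `setgroups(1, gidset)`, so `gidset[1]` is enough, and the `#if 0 ... do_setusercontext(pw); #else` construct leaves dead code in place; a comment stating which parts of the login-class setup are being skipped after chroot would say more than the disabled call and the `/* XXX not ready, to heavy after chroot */` note (read: "too heavy").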
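Review bot: in the session.c hunk, `int flags = LOGIN_SETALL & ~LOGIN_SETPATH;` becomes a declaration placed after the `setpcred(pw->pw_name);` statement whenever HAVE_SETPCRED and HAVE_LOGIN_CAP are both defined, which C89 compilers reject as mixed declarations and code; declare `flags` at the top of the enclosing block instead. The `#ifdef __bsdi__` branch that clears LOGIN_SETLOGIN when `getpid() != getpgrp()` also needs a comment on why setlogin() must be avoided in that situation, since, as the reply under the hunk shows, the reason is not evident from the code.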
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 25 Jun 2002 12:10:43 -0500 (CDT) Subject: [Bug 296] Priv separation does not work on OSF/1 In-Reply-To: <20020625191416.D22705@cygbert.vinschen.de> Message-ID: On Tue, 25 Jun 2002, Corinna Vinschen wrote: > On Tue, Jun 25, 2002 at 06:49:25PM +0200, Markus Friedl wrote: > > > > just a fyi: > > it seems that fd-passing is broken on DEC OSF/1 DU-4.0d > > > > so something like > > > > > --- ../openssh-3.3/sshd.c Fri Jun 21 01:05:56 2002 > > > +++ ./sshd.c Fri Jun 21 21:17:37 2002 > > > @@ -596,7 +596,11 @@ > > > /* XXX - Remote port forwarding */ > > > x_authctxt = authctxt; > > > > > > +#ifdef DEC_OSF... > > Thank you! I didn't know that this is possible. It also works > on Cygwin then since descriptor passing is the actual problem > preventing the usage of privsep on Cygwin. > > Would you mind to change that to > > #if defined (DEC_OSF) || defined (HAVE_CYGWIN) > > ??? > > If I understand that correctly, privsep still works for preauth > then. Is it correct that this doesn't create a second sshd > process? At least I don't see one in the process list when > privsep is on and the above patch applied. > > Corinna > #ifdef BROKEN_FD_PASSING or something like that since it affects multiple platforms. - Ben From bugzilla-daemon at mindrot.org Wed Jun 26 03:29:11 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 26 Jun 2002 03:29:11 +1000 (EST) Subject: [Bug 285] 3.3p1 on Linux 2.2.x doesn't accept connections Message-ID: <20020625172911.C4C55E8FF@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=285 ------- Additional Comments From jim at ai-media.co.jp 2002-06-26 03:29 ------- bug also found on Kernel 2.2.17-14 installed in Cartman Redhat 6.1 not seen on Mac OS X 10.1.5 "Compression no" solves on Linux ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From vinschen at redhat.com Wed Jun 26 03:33:38 2002 From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 25 Jun 2002 19:33:38 +0200 Subject: [Bug 296] Priv separation does not work on OSF/1 In-Reply-To: References: <20020625191416.D22705@cygbert.vinschen.de> Message-ID: <20020625193338.E22705@cygbert.vinschen.de> On Tue, Jun 25, 2002 at 12:10:43PM -0500, Ben Lindstrom wrote: > On Tue, 25 Jun 2002, Corinna Vinschen wrote: > > On Tue, Jun 25, 2002 at 06:49:25PM +0200, Markus Friedl wrote: > > > > +#ifdef DEC_OSF... > > > > #if defined (DEC_OSF) || defined (HAVE_CYGWIN) > > #ifdef BROKEN_FD_PASSING > > or something like that since it affects multiple platforms. That's better. Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From jeevfart at yahoo.com Wed Jun 26 03:44:27 2002 
From: jeevfart at yahoo.com (jackson clan)
Date: Tue, 25 Jun 2002 10:44:27 -0700 (PDT)
Subject: error with new version?
Message-ID: <20020625174427.90939.qmail@web21306.mail.yahoo.com>

root at ns2:~# sshd -D -dddd
Too high debugging level.
root at ns2:~# sshd -D -ddd
debug1: sshd version OpenSSH_3.3
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from myip port 4991
debug1: Client protocol version 2.0; client software version 3.4.2 SecureCRT
debug1: no match: 3.4.2 SecureCRT
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.3
mmap(65536): Invalid argument
debug1: Calling cleanup 0x806b1c4(0x0)
root at ns2:~#

anybody encounter this error? i just upgraded all my servers to the new version and I'm getting this type of error, and broken pipe when i connect from linux/freebsd.

Read from socket failed: Broken pipe

i have the default configuration pretty much.

j

From kevin at atomicgears.com Wed Jun 26 03:43:53 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Tue, 25 Jun 2002 10:43:53 -0700
Subject: /dev/urandom|random and Solaris
In-Reply-To:
References: <20020625161641.GD18247@nc1701.suryo.com>
Message-ID: <20020625174353.GB2020@jenny.crlsca.adelphia.net>

On Tue, Jun 25, 2002 at 12:52:30PM -0400, Ed Phillips wrote:
> > But the configuration script under Solaris (Sparc/X86) does not test the
> > existing of the devices... is this to be known as a error/bug? and is
> > there a patch?
>
> It doesn't need to... the OpenSSL code uses /dev/urandom if it exists.
> If you want to change to /dev/random, you have to edit the code (look for
> DEVRANDOM in the source).
>
> With OpenSSH, you should use the configuration options to disable the
> OpenSSH-supplied entropy gathering stuff (--with-rand-helper=no?).

You don't need to do that. configure will figure out if OpenSSL
can see itself.

configure should then display:
Random number source: OpenSSL internal ONLY

From tim at multitalents.net Wed Jun 26 03:49:11 2002
From: tim at multitalents.net (Tim Rice)
Date: Tue, 25 Jun 2002 10:49:11 -0700 (PDT)
Subject: error with new version?
In-Reply-To: <20020625174427.90939.qmail@web21306.mail.yahoo.com>
Message-ID:

On Tue, 25 Jun 2002, jackson clan wrote:

> root at ns2:~# sshd -D -dddd
> Too high debugging level.
> root at ns2:~# sshd -D -ddd
[snip]
> debug1: Local version string SSH-2.0-OpenSSH_3.3
> mmap(65536): Invalid argument
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Set "Compression no" in sshd_config

> debug1: Calling cleanup 0x806b1c4(0x0)
> root at ns2:~#
>
> anybody encounter this error? i JUSt upgraded all my
> servers to the new version and im getting this type of
> error, and broken pipe when i connect from
> linux/freebsd.
>
> Read from socket failed: Broken pipe
>
> i have the default configuration pretty much.
>
> j
>

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From luc at suryo.com Wed Jun 26 03:49:53 2002
From: luc at suryo.com (Luc I. Suryo) Date: Tue, 25 Jun 2002 12:49:53 -0500 Subject: /dev/urandom|random and Solaris In-Reply-To: <20020625174353.GB2020@jenny.crlsca.adelphia.net> References: <20020625161641.GD18247@nc1701.suryo.com> <20020625174353.GB2020@jenny.crlsca.adelphia.net> Message-ID: <20020625174953.GA25674@nc1701.suryo.com> > On Tue, Jun 25, 2002 at 12:52:30PM -0400, Ed Phillips wrote: > > > But the configuration script under Solaris (Sparc/X86) does not test the > > > existing of the devices... is this to be known as a error/bug? and is > > > there a patch? > > > > It doesn't need to... the OpenSSL code uses /dev/urandom if it exists. > > If you want to change to /dev/random, you have to edit the code (look for > > DEVRANDOM in the source). > > > > With OpenSSH, you should use the configuration options to disable the > > OpenSSH-supplied entropy gathering stuff (--with-rand-helper=no?). > > You don't need to do that. configure will figure out if OpenSSL > can see itself. > > configure should then display: > Random number source: OpenSSL internal ONLY correct, my fault i did not look closer it says OpenSSL and NOT OpenSSH and OpenSSL was compiled with /dev/urandom support :) -- Kind regards, Luc Suryo From bugzilla-daemon at mindrot.org Wed Jun 26 03:52:13 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 26 Jun 2002 03:52:13 +1000 (EST) Subject: [Bug 290] auth_method set incorrectly in mm_answer_keyverify() Message-ID: <20020625175213.2A7C0E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=290 stevesk at pobox.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |DUPLICATE ------- Additional Comments From stevesk at pobox.com 2002-06-26 03:52 ------- already fixed *** This bug has been marked as a duplicate of 284 *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Jun 26 03:52:18 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 26 Jun 2002 03:52:18 +1000 (EST) Subject: [Bug 284] Hostbased authentication erroneously reported Message-ID: <20020625175218.A6029E918@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=284 stevesk at pobox.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |halley at play-bow.org ------- Additional Comments From stevesk at pobox.com 2002-06-26 03:52 ------- *** Bug 290 has been marked as a duplicate of this bug. *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From provos at citi.umich.edu Wed Jun 26 04:03:14 2002 
From: provos at citi.umich.edu (Niels Provos) Date: Tue, 25 Jun 2002 14:03:14 -0400 Subject: Upcoming OpenSSH vulnerability In-Reply-To: <20020625103433.U22705@cygbert.vinschen.de> References: <200206242100.g5OL0BLL019128@cvs.openbsd.org> <20020624210631.GF24956@faui02> <20020625103433.U22705@cygbert.vinschen.de> Message-ID: <20020625180313.GN15772@citi.citi.umich.edu> On Tue, Jun 25, 2002 at 10:34:33AM +0200, Corinna Vinschen wrote: > The Cygwin version of OpenSSH can't support it since sendmsg()/recvmsg() > currently can't transmit file descriptors. You still get pre-authentication privilege separation if you support mmap. File descriptor passing is required only for post-authentication privilege separation. Niels. From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Jun 26 04:05:54 2002 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Tue, 25 Jun 2002 20:05:54 +0200 Subject: use libcrypt before libcrypto In-Reply-To: <20020625121540.I20075@zax.half.pint-stowp.cx> References: <20020624212517.A8211@oolong.il.thewrittenword.com> <20020625023104.09EDF4B24@coconut.itojun.org> <20020625121540.I20075@zax.half.pint-stowp.cx> Message-ID: <20020625180553.GA15726@serv01.aet.tu-cottbus.de> On Tue, Jun 25, 2002 at 12:15:40PM -0400, Jim Knoble wrote: > Isn't this really a problem for OpenSSL? I know that several vendors > (notably Linux ones...) already patch OpenSSL to remove crypt() from > OpenSSL's libcrypto, so that crypt() is only available via the system > libcrypt. Even the stock OpenSSL-0.9.6d sources omit crypt() under > FreeBSD, NeXT, and Darwin. > > I really think that OpenSSL should not contain crypt() at all. For > situations where the system crypt() is so broken as to prefer OpenSSL's > implementation, the symbol should be openssl_crypt(), or something > similarly named, and it's up to the calling application to #define it > as crypt() or not. As of OpenSSL 0.9.7, libcrypto will only contain DES_crypt(). However: there will be a macro #define crypt() DES_crypt() in (by default included for compatibility from ). This should remove all name clashes except for applications explicitly including (or ) in the file using the crypt() call (in which case DES_crypt() will be used). Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus From mouring at etoh.eviladmin.org Wed Jun 26 03:58:29 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 25 Jun 2002 12:58:29 -0500 (CDT) Subject: [Bug 296] Priv separation does not work on OSF/1 In-Reply-To: <20020625193338.E22705@cygbert.vinschen.de> Message-ID: I'm sorry I can't find the complete message for this.. Can someone send it to me off-list. My mailbox is getting worse by the second. - Ben On Tue, 25 Jun 2002, Corinna Vinschen wrote: > On Tue, Jun 25, 2002 at 12:10:43PM -0500, Ben Lindstrom wrote: > > On Tue, 25 Jun 2002, Corinna Vinschen wrote: > > > On Tue, Jun 25, 2002 at 06:49:25PM +0200, Markus Friedl wrote: > > > > > +#ifdef DEC_OSF... > > > > > > #if defined (DEC_OSF) || defined (HAVE_CYGWIN) > > > > #ifdef BROKEN_FD_PASSING > > > > or something like that since it affects multiple platforms. > > That's better. > > Corinna > > -- > Corinna Vinschen > Cygwin Developer > Red Hat, Inc. > mailto:vinschen at redhat.com > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From kevin at atomicgears.com Wed Jun 26 04:09:41 2002 From: kevin at atomicgears.com (Kevin Steves) Date: Tue, 25 Jun 2002 11:09:41 -0700 Subject: OpenSSH 3.3 released [be careful of not having sshd useror /var/empty] In-Reply-To: <3D188035.9C9E8CD6@cray.com> References: <5.1.1.5.2.20020625000607.030372d0@fallen.tusker.net> <3D188035.9C9E8CD6@cray.com> Message-ID: <20020625180941.GC2020@jenny.crlsca.adelphia.net> On Tue, Jun 25, 2002 at 09:37:41AM -0500, Wendy Palm wrote: > is the user "sshd" and /var/empty still needed even without privsep? no, they will not be used. From markus at openbsd.org Wed Jun 26 04:19:30 2002 
From: markus at openbsd.org (Markus Friedl) Date: Tue, 25 Jun 2002 20:19:30 +0200 Subject: BSD/OS 5.0 + Privsep failure. In-Reply-To: References: Message-ID: <20020625181930.GA1147@faui02> the bsd/os 4.2 patch i sent should help. On Tue, Jun 25, 2002 at 12:08:37PM -0500, Ben Lindstrom wrote: > > *Dianora* bsd/os 5.0 report > *Dianora* paul borman notice it would fail on /etc/login.conf > *Dianora* after it chrooted > > > Can I get someone running BSD/OS to trace down the offending block a code? > > I'm also seeing if I get can someone from Wind River to join the list.. > > Anyone from Wind River? =) > > - Ben > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From Darren.Moffat at Sun.COM Wed Jun 26 04:38:09 2002 From: Darren.Moffat at Sun.COM (Darren J Moffat) Date: Tue, 25 Jun 2002 11:38:09 -0700 Subject: PAM kbd-int with privsep References: <1024969975.5925.172.camel@xenon> Message-ID: <3D18B891.6020302@Sun.COM> I think __FUNCTION__ is a gcc specific (if wasn't recognised by the Sun C compiler). I got it to compile with the Sun compiler by changing them all to __func__. I also had some problems with the definition of the converstation function. I've attached diffs (untested) to make this compile on Solaris with the Sun compiler, the conversation function problem probably needs to be solved another way since I think this is area of difference between the PAM various implementations. -- Darren J Moffat -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: diff Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020625/2b7c7c1c/attachment.ksh From cmadams at hiwaay.net Wed Jun 26 04:38:31 2002 
From: cmadams at hiwaay.net (Chris Adams) Date: Tue, 25 Jun 2002 13:38:31 -0500 Subject: [Bug 296] Priv separation does not work on OSF/1 In-Reply-To: ; from mouring@etoh.eviladmin.org on Tue, Jun 25, 2002 at 12:10:43PM -0500 References: <20020625191416.D22705@cygbert.vinschen.de> Message-ID: <20020625133831.K137372@hiwaay.net> Once upon a time, Ben Lindstrom said: > On Tue, 25 Jun 2002, Corinna Vinschen wrote: > > On Tue, Jun 25, 2002 at 06:49:25PM +0200, Markus Friedl wrote: > > > just a fyi: > > > it seems that fd-passing is broken on DEC OSF/1 DU-4.0d It does not appear to be broken on Tru64 5.1A (I would guess if it is broken in 4.x it got fixed in 5.x). > #ifdef BROKEN_FD_PASSING > > or something like that since it affects multiple platforms. Anybody got an autoconf test for FD passing? -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From vherva at niksula.hut.fi Wed Jun 26 04:43:42 2002 From: vherva at niksula.hut.fi (Ville Herva) Date: Tue, 25 Jun 2002 21:43:42 +0300 Subject: Privilege separation and linux kernel 2.0.x: mm_receive_fd fails Message-ID: <20020625184341.GI1465@niksula.cs.hut.fi> FWIW, after patching the mmap issue, openssh still doesn't work on linux kernel 2.0.39 (+ patches): sshd[22202]: fatal: mm_receive_fd: expected type 1 got 2355841 I didn't dig deeper into it yet, but I believe 2.0 kernel does not support the kind of recvmsg() use privsep expects. -- v -- v at iki.fi From markus at openbsd.org Wed Jun 26 04:49:32 2002 
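Chris Adams asks above for an autoconf test for FD passing, and Ville's `mm_receive_fd: expected type 1 got 2355841` shows what a broken recvmsg() looks like from OpenSSH's side. The block below is an added example, not OpenSSH's monitor_fdpass.c: a stand-alone C probe of the kind a configure script could compile and run, which passes a pipe's write end across a socketpair with SCM_RIGHTS, checks that the kernel hands back a genuine SCM_RIGHTS message, and proves the received descriptor works by writing through it. The names send_fd, receive_fd, fd_passing_works and plain_byte_is_rejected are mine, not OpenSSH's.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Control buffer sized for exactly one passed descriptor. */
union cmsgbuf { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Point msg at a one-byte payload and at the ancillary buffer. */
static void init_msg(struct msghdr *msg, struct iovec *vec, char *ch,
    union cmsgbuf *cb)
{
	memset(msg, 0, sizeof(*msg));
	memset(cb, 0, sizeof(*cb));
	vec->iov_base = ch;    /* one dummy byte: empty payloads are refused on some systems */
	vec->iov_len = 1;
	msg->msg_iov = vec;
	msg->msg_iovlen = 1;
	msg->msg_control = cb->buf;
	msg->msg_controllen = sizeof(cb->buf);
}

/* Send descriptor fd over UNIX socket sock as SCM_RIGHTS; 0 on success, -1 on failure. */
static int send_fd(int sock, int fd)
{
	struct msghdr msg;
	struct iovec vec;
	struct cmsghdr *cmsg;
	union cmsgbuf cb;
	char ch = 0;
	init_msg(&msg, &vec, &ch, &cb);
	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
	return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; -1 when no SCM_RIGHTS message came back, which is
 * the condition behind "mm_receive_fd: expected type 1 got ..." on a broken system. */
static int receive_fd(int sock)
{
	struct msghdr msg;
	struct iovec vec;
	struct cmsghdr *cmsg;
	union cmsgbuf cb;
	char ch;
	int fd;
	init_msg(&msg, &vec, &ch, &cb);
	if (recvmsg(sock, &msg, 0) != 1)
		return -1;
	cmsg = CMSG_FIRSTHDR(&msg);
	if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET ||
	    cmsg->cmsg_type != SCM_RIGHTS)
		return -1;
	memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
	return fd;
}

/* End-to-end probe: pass a pipe's write end across a socketpair and prove the
 * received descriptor really is that pipe by writing through it. Returns 1 if it works. */
int fd_passing_works(void)
{
	int sv[2], pfd[2], rfd = -1, ok = 0;
	char c = 0;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return 0;
	if (pipe(pfd) < 0) {
		close(sv[0]); close(sv[1]);
		return 0;
	}
	if (send_fd(sv[0], pfd[1]) == 0 && (rfd = receive_fd(sv[1])) >= 0) {
		if (write(rfd, "x", 1) == 1 && read(pfd[0], &c, 1) == 1 && c == 'x')
			ok = 1;
		close(rfd);
	}
	close(sv[0]); close(sv[1]); close(pfd[0]); close(pfd[1]);
	return ok;
}

/* Negative case: a plain byte with no ancillary data must not yield a descriptor. */
int plain_byte_is_rejected(void)
{
	int sv[2], rfd = 0;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return 0;
	if (write(sv[0], "x", 1) == 1)
		rfd = receive_fd(sv[1]);
	close(sv[0]); close(sv[1]);
	return rfd == -1;
}

/* Exit status 0 means "works", which is what a configure run-time test wants. */
int main(void)
{
	int ok = fd_passing_works() && plain_byte_is_rejected();
	puts(ok ? "fd passing works" : "fd passing broken");
	return ok ? 0 : 1;
}
```

A configure run-time test would take exit status 0 as "descriptor passing works" and otherwise define a feature macro along the lines of the BROKEN_FD_PASSING proposed in this thread.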
From: markus at openbsd.org (Markus Friedl) Date: Tue, 25 Jun 2002 20:49:32 +0200 Subject: BSD/OS with privsep In-Reply-To: <20020625171724.GA2020@jenny.crlsca.adelphia.net> References: <20020625104024.GA29885@faui02> <20020625171724.GA2020@jenny.crlsca.adelphia.net> Message-ID: <20020625184931.GA10476@faui02> On Tue, Jun 25, 2002 at 10:17:24AM -0700, Kevin Steves wrote: > On Tue, Jun 25, 2002 at 12:40:24PM +0200, Markus Friedl wrote: > > +#if 0 > > + /* XXX not ready, to heavy after chroot */ > > do_setusercontext(pw); > > +#else > > + { > > + gid_t gidset[2]; > > + > > + gidset[0] = pw->pw_gid; > > + if (setgid(pw->pw_gid) < 0) > > + fatal("setgid failed for %u", pw->pw_gid ); > > + if (setgroups(1, gidset) < 0) > > + fatal("setgroups: %.100s", strerror(errno)); > > + permanently_set_uid(pw); > > + } > > +#endif > > this looks fine to me. ok, i'm going to commit this. From yamaneko at centurytel.net Wed Jun 26 05:13:51 2002 From: yamaneko at centurytel.net (Sam Vaughan) Date: Tue, 25 Jun 2002 12:13:51 -0700 Subject: privsep on SCO Openserver Message-ID: <3D18C0EF.2080400@centurytel.net> Has anyone got privsep to work under SCO Openserver? I am testing openssh3.3p1. I have Compression turned off in sshd_config. Here is the error messages that I am getting. sshd[21469]: fatal: mm_send_fd: sendmsg(3): Bad file number sshd[21476]: fatal: mm_receive_fd: recvmsg: expected received 1 got 0 --Sam From tim at multitalents.net Wed Jun 26 05:21:25 2002 
From: tim at multitalents.net (Tim Rice) Date: Tue, 25 Jun 2002 12:21:25 -0700 (PDT) Subject: privsep on SCO Openserver In-Reply-To: <3D18C0EF.2080400@centurytel.net> Message-ID: On Tue, 25 Jun 2002, Sam Vaughan wrote: > Has anyone got privsep to work under SCO Openserver? > I am testing openssh3.3p1. I have Compression turned off in sshd_config. > > Here is the error messages that I am getting. > sshd[21469]: fatal: mm_send_fd: sendmsg(3): Bad file number > sshd[21476]: fatal: mm_receive_fd: recvmsg: expected received 1 got 0 I have it working now with a patch to sshd.c suggested by Marcus I'm trying to figure out a configure time test now. > > --Sam > > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From ssklar at stanford.edu Wed Jun 26 05:34:02 2002 From: ssklar at stanford.edu (Sandor W. Sklar) Date: Tue, 25 Jun 2002 12:34:02 -0700 Subject: For us AIXers ... Message-ID: ... who are nervous because: (a) it seems that there will be a widely-known vulnerability and/exploit for OpenSSH available in the coming days, and (b) the advertised fix for the problem, privilege separation, doesn't seem to be working on AIX as of the latest release version of OpenSSH (based on the comments I've read; I haven't tried it yet) ... ... what should we do? I've seen a whole bunch of comments and patches flying on the list, but I don't know if any of those patches definitively fix the AIX problem, nor do I know whether they will be committed to CVS, nor do I know if there will be a new release in the next few days incorporating these fixes. Can someone authoritatively answer this question? Thanks, --Sandy -- Sandor W. Sklar - Unix Systems Administrator - Stanford University ITSS Non impediti ratione cogitationis. http://whippet.stanford.edu/~ssklar/ From mouring at etoh.eviladmin.org Wed Jun 26 05:31:58 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 25 Jun 2002 14:31:58 -0500 (CDT) Subject: For us AIXers ... In-Reply-To: Message-ID: On Tue, 25 Jun 2002, Sandor W. Sklar wrote: > ... who are nervous because: > > (a) it seems that there will be a widely-known vulnerability > and/exploit for OpenSSH available in the coming days, and > > (b) the advertised fix for the problem, privilege separation, doesn't > seem to be working on AIX as of the latest release version of OpenSSH > (based on the comments I've read; I haven't tried it yet) ... > moving aix_usrinfo() into do_setusercontext() is the fix.. And it's current in the CVS tree. Mr Tucker was nice enough to provide the patch and verify it. The only downfall at this point is TTY= is not set by usrinfo(). At this moment I've not heard from anyone that has stated this is a problem in the short term. - Ben From ssklar at stanford.edu Wed Jun 26 05:48:35 2002 
From: ssklar at stanford.edu (Sandor W. Sklar) Date: Tue, 25 Jun 2002 12:48:35 -0700 Subject: For us AIXers ... In-Reply-To: References: Message-ID: At 2:31 PM -0500 6/25/02, Ben Lindstrom wrote: >On Tue, 25 Jun 2002, Sandor W. Sklar wrote: > >> ... who are nervous because: >> >> (a) it seems that there will be a widely-known vulnerability >> and/exploit for OpenSSH available in the coming days, and >> >> (b) the advertised fix for the problem, privilege separation, doesn't >> seem to be working on AIX as of the latest release version of OpenSSH >> (based on the comments I've read; I haven't tried it yet) ... >> > >moving aix_usrinfo() into do_setusercontext() is the fix.. And it's >current in the CVS tree. Mr Tucker was nice enough to provide the patch >and verify it. > >The only downfall at this point is TTY= is not set by usrinfo(). At this >moment I've not heard from anyone that has stated this is a problem in the >short term. Thank you so much! Are there plans to do another "release" shortly (before the announcement of the "you'll be rooted" vulnerability) with that fix incorporated, or do I need to go with the CVS version? I'm hesitant to roll out "in-flux" code to my production systems, but I'll do what I got to do. Thanks again, -S- -- Sandor W. Sklar - Unix Systems Administrator - Stanford University ITSS Non impediti ratione cogitationis. http://whippet.stanford.edu/~ssklar/ From schurro at georgetown.edu Wed Jun 26 05:51:43 2002 
From: schurro at georgetown.edu (Oliver Schurr)
Date: Tue, 25 Jun 2002 15:51:43 -0400
Subject: make fails during linking
Message-ID: <3D18C9CE.4BD9E98E@georgetown.edu>

Hi OpenSSH developers

LINUX, i586, libc5, kernel 2.0.39, gcc 2.7.2.3, OpenSSH 3.3p1 source

First I tried just 'configure' and then 'make' but that gave the same error message as given below. Next I tried to explicitly tell the 'configure' process where zlib 1.1.4 and openssl 0.9.6d are installed.

configure --with-ssl-dir=/usr/local/ssl --with-zlib=/usr/local

results in

Host: i586-pc-linux-gnulibc1
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include
Linker flags: -L/usr/local/ssl/lib -L/usr/local/lib
Libraries: -lbsd -lz -lcrypto

make fails during linking with the following error message:

gcc -o ssh ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -L/usr/local/lib -lssh -lopenbsd-compat -lbsd -lz -lcrypto
./libssh.a(monitor_fdpass.o): In function `mm_send_fd':
/home/oliver/test/openssh-3.3p1/monitor_fdpass.c:54: undefined reference to `CMSG_FIRSTHDR'
/home/oliver/test/openssh-3.3p1/monitor_fdpass.c:58: undefined reference to `CMSG_DATA'
./libssh.a(monitor_fdpass.o): In function `mm_receive_fd':
/home/oliver/test/openssh-3.3p1/monitor_fdpass.c:114: undefined reference to `CMSG_FIRSTHDR'
/home/oliver/test/openssh-3.3p1/monitor_fdpass.c:118: undefined reference to `CMSG_DATA'
make: *** [ssh] Error 1

The SSL libraries and includes are installed in /usr/local/ssl tree. What is going on here? The earlier versions of OpenSSH compiled just fine.

Thanks a lot

Oliver Schurr

From cmadams at hiwaay.net Wed Jun 26 05:58:17 2002
From: cmadams at hiwaay.net (Chris Adams) Date: Tue, 25 Jun 2002 14:58:17 -0500 Subject: [Bug 296] Priv separation does not work on OSF/1 In-Reply-To: <20020625164925.GA776@faui02>; from markus@openbsd.org on Tue, Jun 25, 2002 at 06:49:25PM +0200 References: <20020625154104.E54C8E902@shitei.mindrot.org> <20020625164925.GA776@faui02> Message-ID: <20020625145817.N137372@hiwaay.net> Once upon a time, Markus Friedl said: > so something like > > > --- ../openssh-3.3/sshd.c Fri Jun 21 01:05:56 2002 > > +++ ./sshd.c Fri Jun 21 21:17:37 2002 > > @@ -596,7 +596,11 @@ > > /* XXX - Remote port forwarding */ > > x_authctxt = authctxt; > > > > +#ifdef DEC_OSF... > > + if (1) { > > +#else > > if (authctxt->pw->pw_uid == 0 || options.use_login) { > > +#endif > > /* File descriptor passing is broken or root login */ > > monitor_apply_keystate(pmonitor); > > use_privsep = 0; > > > > could help (it turns of privsep for post-auth, but > you still get protection against a certain class of attacks). I can get Tru64 SIA to work if I do something like this (with #ifdef HAVE_OSF_SIA), because the problem with SIA is trying to do session setup that requires root access as the sshd user (it needs to be done after PTY setup/allocation too, so I don't really see how to do it with post-auth privsep). Question (if anyone can answer this, maybe in private email): will this new security bug that is to be announced be pre-auth or post-auth? In other words, if I don't do post-auth privsep, will I be vulnerable? -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From gert at greenie.muc.de Wed Jun 26 05:59:45 2002 
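Review bot: `+#ifdef DEC_OSF...` / `+ if (1) {` keys the fallback on a single platform macro although the same breakage is reported in this thread for Cygwin, Tru64 4.0F, the Crays and Linux 2.0; a feature macro such as the BROKEN_FD_PASSING already proposed here, set by a configure-time test of sendmsg()/recvmsg() descriptor passing, keeps the condition from growing one `#ifdef` per OS. The `if (1)` branch also drops into `use_privsep = 0;` without saying so; a debug() or log() line next to `/* File descriptor passing is broken or root login */` would let an administrator see that only pre-auth privsep is active for that connection.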
From: gert at greenie.muc.de (Gert Doering) Date: Tue, 25 Jun 2002 21:59:45 +0200 Subject: version.h of portable says "3.3"? Message-ID: <20020625215944.J18668@greenie.muc.de> Hi, version.h of the 3.3p1 portable release, and of (yesterday's) CVS tree says #define SSH_VERSION "OpenSSH_3.3" and not "OpenSSH_3.3p1". Is this an oversight, or are portable releases not tagged anymore? (I'm asking because I used this to distinguish between the different FreeBSD ports - "openbsd openssh" and "portable", which is harder now). gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From wendyp at cray.com Wed Jun 26 06:06:41 2002 From: wendyp at cray.com (Wendy Palm) Date: Tue, 25 Jun 2002 15:06:41 -0500 Subject: [Bug 296] Priv separation does not work on OSF/1 References: <20020625191416.D22705@cygbert.vinschen.de> <20020625193338.E22705@cygbert.vinschen.de> Message-ID: <3D18CD51.BD30A4AB@cray.com> this worked for the crays too. thanks much! wendy Corinna Vinschen wrote: > > On Tue, Jun 25, 2002 at 12:10:43PM -0500, Ben Lindstrom wrote: > > On Tue, 25 Jun 2002, Corinna Vinschen wrote: > > > On Tue, Jun 25, 2002 at 06:49:25PM +0200, Markus Friedl wrote: > > > > > +#ifdef DEC_OSF... > > > > > > #if defined (DEC_OSF) || defined (HAVE_CYGWIN) > > > > #ifdef BROKEN_FD_PASSING > > > > or something like that since it affects multiple platforms. > > That's better. > > Corinna > > -- > Corinna Vinschen > Cygwin Developer > Red Hat, Inc. > mailto:vinschen at redhat.com > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From gert at greenie.muc.de Wed Jun 26 06:23:39 2002 
From: gert at greenie.muc.de (Gert Doering) Date: Tue, 25 Jun 2002 22:23:39 +0200 Subject: [Bug 296] Priv separation does not work on OSF/1 In-Reply-To: <20020625191416.D22705@cygbert.vinschen.de>; from vinschen@redhat.com on Tue, Jun 25, 2002 at 07:14:16PM +0200 References: <20020625154104.E54C8E902@shitei.mindrot.org> <20020625164925.GA776@faui02> <20020625191416.D22705@cygbert.vinschen.de> Message-ID: <20020625222339.K18668@greenie.muc.de> Hi, On Tue, Jun 25, 2002 at 07:14:16PM +0200, Corinna Vinschen wrote: > If I understand that correctly, privsep still works for preauth > then. Is it correct that this doesn't create a second sshd > process? At least I don't see one in the process list when > privsep is on and the above patch applied. I have just observed this on FreeBSD 4.2 - during preauth, you can see two sshd processes, and as soon as the user is logged in, only one sshd daemon is left. Confused the hell out of me ("is privsep now working or not?"). gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From lubos at klokner.sk Wed Jun 26 06:35:03 2002 
From: lubos at klokner.sk (lubos klokner) Date: Tue, 25 Jun 2002 22:35:03 +0200 Subject: openssh-3.3p1 and pam_mysql Message-ID: <20020625203503.GB31551@creon.profinet.sk> hello, i have found that openssh 3.3p1 doesn't work with pam_mysql (latest). it works perfectly until i upgrade openssh to 3.3p1. logs: Jun 25 21:15:01 host sshd[29839]: Accepted password for testicek from ip port 36488 ssh2 Jun 25 21:15:01 host sshd[29850]: PAM _pam_init_handlers: no default config /etc/pam.d/other Jun 25 21:15:01 host sshd[29850]: PAM error reading PAM configuration file Jun 25 21:15:01 host pam_stack[29850]: _pam_init_handlers() returned (null) Jun 25 21:15:02 host sshd[29850]: fatal: PAM session setup failed[4]: System error if you have any question to fix this problem please contact me. i'm not in this list. thank you. best regards -- lubos klokner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 232 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020625/6ad400e5/attachment.bin From bugzilla-daemon at mindrot.org Wed Jun 26 06:46:17 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 26 Jun 2002 06:46:17 +1000 (EST) Subject: [Bug 285] 3.3p1 on Linux 2.2.x doesn't accept connections Message-ID: <20020625204617.71D6FE902@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=285 ------- Additional Comments From janderson at ceeva.com 2002-06-26 06:46 ------- Also found on Kernel 2.2.14-5.0 Red Hat 6.2 (Zoot). I can't make Compression no work. With UsePrivilegeSeparation No, it doesn't work either. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Jun 26 06:56:23 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Jun 2002 06:56:23 +1000 (EST)
Subject: [Bug 298] New: sshd fails to set user context, preventing all logins, also setgroups is failing
Message-ID: <20020625205623.C13BCE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=298

Summary: sshd fails to set user context, preventing all logins, also setgroups is failing
Product: Portable OpenSSH
Version: -current
Platform: ix86
OS/Version: BSDI
Status: NEW
Severity: major
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: sshbugs at wayne47.com

openssh-3.3p1

Config line:
LDFLAGS="-L. -Lopenbsd-compat/ -L/usr/local/ssl//lib -ldl" CFLAGS="-ldl" ./configure -with-ssl-dir=/usr/local/ssl/ -with-tcp-wrappers

running on an alternate port to test yields:

debug1: sshd version OpenSSH_3.3
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: setgroups() failed: Invalid argument
debug1: Bind to port 6161 on 0.0.0.0.
Server listening on 0.0.0.0 port 6161.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 148.59.19.13 port 1015
debug1: Client protocol version 1.5; client software version 1.2.27
debug1: match: 1.2.27 pat 1.2.1*,1.2.2*,1.2.3*
debug1: Local version string SSH-1.99-OpenSSH_3.3
unable to set user context: Bad file descriptor

gdb says:

#0  0x805c8c3 in do_setusercontext (pw=0x813c000) at session.c:1164
1164            if (setusercontext(lc, pw, pw->pw_uid,
(gdb) print lc
$1 = (login_cap_t *) 0x0
(gdb) print *pw
$2 = {pw_name = 0x8141000 "sshd", pw_passwd = 0x8141005 "", pw_uid = 10658, pw_gid = 1010, pw_change = 0, pw_class = 0x8141007 "", pw_gecos = 0x8141008 "SSH,,,", pw_dir = 0x814100f "/var/empty", pw_shell = 0x814101a "nologin", pw_expire = 0}

Setting "Compression no" has no effect
Setting "UsePrivilegeSeparation no" has no effect

Tried several versions of openssh (including current ssh). All have the same problem.

From bugzilla-daemon at mindrot.org Wed Jun 26 07:01:31 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Jun 2002 07:01:31 +1000 (EST)
Subject: [Bug 296] Priv separation does not work on OSF/1
Message-ID: <20020625210131.AFCEDE8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=296

------- Additional Comments From benchoff at vt.edu 2002-06-26 07:01 -------

Same thing here. Tru64 4.0F. Same syslog messages, UsePrivilegeSeparation no fixes the problem. openssh-3.3p1

From vinschen at redhat.com Wed Jun 26 07:23:15 2002
From: vinschen at redhat.com (Corinna Vinschen)
Date: Tue, 25 Jun 2002 23:23:15 +0200
Subject: Upcoming OpenSSH vulnerability
In-Reply-To: <20020625180313.GN15772@citi.citi.umich.edu>
References: <200206242100.g5OL0BLL019128@cvs.openbsd.org> <20020624210631.GF24956@faui02> <20020625103433.U22705@cygbert.vinschen.de> <20020625180313.GN15772@citi.citi.umich.edu>
Message-ID: <20020625232315.H22705@cygbert.vinschen.de>

On Tue, Jun 25, 2002 at 02:03:14PM -0400, Niels Provos wrote:
> On Tue, Jun 25, 2002 at 10:34:33AM +0200, Corinna Vinschen wrote:
> > The Cygwin version of OpenSSH can't support it since sendmsg()/recvmsg()
> > currently can't transmit file descriptors.
> You still get pre-authentication privilege separation if you support
> mmap. File descriptor passing is required only for
> post-authentication privilege separation.

Yep, I've already released a new version of OpenSSH (3.3p1-2) as part of
the Cygwin net release containing Markus' fix to suppress postauth
privsep.

Corinna
--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From vinschen at redhat.com Wed Jun 26 07:24:10 2002
From: vinschen at redhat.com (Corinna Vinschen)
Date: Tue, 25 Jun 2002 23:24:10 +0200
Subject: [Bug 296] Priv separation does not work on OSF/1
In-Reply-To: <20020625222339.K18668@greenie.muc.de>
References: <20020625154104.E54C8E902@shitei.mindrot.org> <20020625164925.GA776@faui02> <20020625191416.D22705@cygbert.vinschen.de> <20020625222339.K18668@greenie.muc.de>
Message-ID: <20020625232410.I22705@cygbert.vinschen.de>

On Tue, Jun 25, 2002 at 10:23:39PM +0200, Gert Doering wrote:
> Hi,
>
> On Tue, Jun 25, 2002 at 07:14:16PM +0200, Corinna Vinschen wrote:
> > If I understand that correctly, privsep still works for preauth
> > then. Is it correct that this doesn't create a second sshd
> > process? At least I don't see one in the process list when
> > privsep is on and the above patch applied.
>
> I have just observed this on FreeBSD 4.2 - during preauth, you can see
> two sshd processes, and as soon as the user is logged in, only one sshd
> daemon is left. Confused the hell out of me ("is privsep now working or
> not?").

:-) Thanks for the info. I was a bit unsure as you might guess...

Corinna
--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From mouring at etoh.eviladmin.org Wed Jun 26 07:30:02 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 25 Jun 2002 16:30:02 -0500 (CDT)
Subject: Last call.
Message-ID:

Outside the pre-auth patch by Markus to fix Cygwin and a few other
platforms. SEND ME (privately) ANY required patch against the latest
snapshot. I'm doing the final commits this evening.

Patches that have been temporarily rejected for this release.

- Owl's full patch for SysV Shm if mmap fails
- mmap() on /dev/zero
- mmap() on sparse file

.. Not looked at the BSD/OS 5.0 patch tonight when I get home.

Cut off.. 9pm CST. (5 and 1/2 hours). At that time I'll throw an
openssh*.tar.gz tar ball out for people to do quick tests on to ensure
nothing else was broken.

I know this has been a strain on some people.. =) Just have a coke and
rum and relax if your platform works. I know I'll be breaking out the
whiskey as soon as I get home.

- Ben

From deengert at anl.gov Wed Jun 26 07:47:03 2002
From: deengert at anl.gov (Douglas E. Engert)
Date: Tue, 25 Jun 2002 16:47:03 -0500
Subject: Upcoming OpenSSH vulnerability
References: <20020625104024.GA29885@faui02> <20020625171724.GA2020@jenny.crlsca.adelphia.net>
Message-ID: <3D18E4D7.3E9AECDE@anl.gov>

From mouring at etoh.eviladmin.org Wed Jun 26 07:51:47 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 25 Jun 2002 16:51:47 -0500 (CDT)
Subject: Upcoming OpenSSH vulnerability
In-Reply-To: <3D18E4D7.3E9AECDE@anl.gov>
Message-ID:

On Tue, 25 Jun 2002, Douglas E. Engert wrote:

> From all of the e-mail recently, it appears that the "solution" to the
> upcoming OpenSSH vulnerability will be to run OpenSSH-3.3 with the Privilege
> Separation enabled.
>
> This scares the daylights out of me! Think about what you are doing here.
>
> (1) OpenSSH 3.3 with the privsep code has been only out for less than a week.
>

Incorrect, 3.1 has Privsep.

> (2) It's hundreds of lines of code.
>
> (3) The privsep does not run on all platforms
>

If vendors would have started back in 3.1 helping us (over a month ago
now?) this would not be an issue.

> (4) The privsep does not work with all the features in current ssh.
>

What features? You have debugging information? Patches? Solutions? or
are you just blowing steam?

> (5) The privsep code has SSHD using heretofore unused operating
> system features.
>

Umm.. you wish to clarify this babble?

> (6) People with local modifications to SSH may not be able to
> integrate them in such a short time frame.
>
> Don't get me wrong, the privsep concept looks like a great idea, as a second
> line of defense. But it should not be the primary defense.
>
> A fix is needed for the original bug. You still need it to keep the hackers
> off the machine. Saying that they are confined to the unprivileged child process
> still lets them have access to cycles and the network where they can try and
> attack the operating system and your network from inside.
>

Look at it this way. Do you want us to release the exploit and the patch
now? Or would you rather have us wait the few days to gather patch fixes
so hopefully 70% of those following along can at least be semiprotected?

This is the correct course of action. I agree with Theo's reasons 100%.

> The other aspect of this is the reliability of 3.3.
> With all the new code
> what other problems might be introduced?
>

You bothered to help us test? I've not seen a patch from you nor any
testing data? I'm starting to get sick and tired of people whining but
not doing one bit of useful work.

I hear it on bugtraq, I hear it on slashdot, and I hear it on #unix and
#unixhelp on efnet. Frankly. I'm starting to understand why Theo and
others take the...

"Sit down, shut up and code." mindset.

> If you publish the problem, without a real fix, and expect everyone to
> implement 3.3 with privsep you will have a lot of people upset who can't run 3.3 or
> can't run the privsep code. These people will be left out in the cold.
>

Privsep is a stopgap.... If you are stupid enough to think that we should
leave an exploit around in our tree just because we don't want to publish
it. You're extremely wrong.

> You need to provide a universal fix for all, not a partial fix for only some.
>

You bothered to read the announcement by Theo? THERE WILL BE A FIX.
However, we want to ensure we can get as many people to a semi-safe
position *BEFORE* every black hat in the gawd damn net gets their hands on
it.

Ain't that a good idea? =) Or would you rather have a hacker crack your
system before you even get a chance to patch it? Take your choice.

- Ben

From luc at suryo.com Wed Jun 26 08:14:55 2002
From: luc at suryo.com (Luc I. Suryo)
Date: Tue, 25 Jun 2002 17:14:55 -0500
Subject: OpenSSH 3.3 tested on Solaris 8 Sparc/Intel
Message-ID: <20020625221455.GA27144@nc1701.suryo.com>

FYI:

Compiled version 3.3 on Solaris 8 Sparc and Intel, installed and tested
the 'jailed' option (UsePrivilegeSeparation yes) hardcoded user=noaccess
and dir /var/spool/sshd

Openssl version 0.9.6
Using /dev/urandom
C-compiler: Sun WorkShop 6 update 2

On Sparc tested both 32-bits and 64-bits

Running for the last 2 hours and no problem reported by the users...

--
Kind regards,
Luc Suryo

From johnh at aproposretail.com Wed Jun 26 08:22:03 2002
From: johnh at aproposretail.com (John Hardin)
Date: 25 Jun 2002 15:22:03 -0700
Subject: Last call.
In-Reply-To:
References:
Message-ID: <1025043724.30502.84.camel@johnh.apropos.com>

On Tue, 2002-06-25 at 14:30, Ben Lindstrom wrote:
> Patches that have been temporarily rejected for this release.
>
> - Owl's full patch for SysV Shm if mmap fails
> - mmap() on /dev/zero
> - mmap() on sparse file

Will the RH6.2 builds automatically turn off compression?

--
John Hardin
Internal Systems Administrator
voice: (425) 672-1304
Apropos Retail Management Systems, Inc.
fax: (425) 672-0192
-----------------------------------------------------------------------
Any time that PR dominates the information stream, you can't trust the
information. - CRYPTO-GRAM 01/2002
-----------------------------------------------------------------------
5 days until First Class postage goes up to 37 cents

From tim at multitalents.net Wed Jun 26 08:31:34 2002
From: tim at multitalents.net (Tim Rice)
Date: Tue, 25 Jun 2002 15:31:34 -0700 (PDT)
Subject: Last call.
In-Reply-To: <1025043724.30502.84.camel@johnh.apropos.com>
Message-ID:

On 25 Jun 2002, John Hardin wrote:

> On Tue, 2002-06-25 at 14:30, Ben Lindstrom wrote:
> > Patches that have been temporarily rejected for this release.
> >
> > - Owl's full patch for SysV Shm if mmap fails
> > - mmap() on /dev/zero
> > - mmap() on sparse file
>
> Will the RH6.2 builds automatically turn off compression?

Yes.

--
Tim Rice
Multitalents
(707) 887-1469
tim at multitalents.net

From tim at multitalents.net Wed Jun 26 08:45:18 2002
From: tim at multitalents.net (Tim Rice)
Date: Tue, 25 Jun 2002 15:45:18 -0700 (PDT)
Subject: BROKEN_FD_PASSING (Bug 269)
In-Reply-To:
Message-ID:

I've just committed a change suggested by Markus that disables post-auth
privsep on platforms that can't pass fds.

I've added AC_DEFINE(BROKEN_FD_PASSING) to Cygwin, Cray, and SCO

Would some DEC people look over configure.ac and suggest some changes
to address the versions that need AC_DEFINE(BROKEN_FD_PASSING)

The e-mail I've seen seems to indicate that not all versions need it.

--
Tim Rice
Multitalents
(707) 887-1469
tim at multitalents.net

From deengert at anl.gov Wed Jun 26 08:52:58 2002
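The descriptor passing that BROKEN_FD_PASSING switches off, and that Niels describes further up the thread as needed only for post-auth privsep, is one sendmsg()/recvmsg() exchange carrying an SCM_RIGHTS control message. The probe below is an added example, not OpenSSH's own code, and its function names are mine: a forked child passes a pipe's read end to its parent over a socketpair, and the parent checks that it can actually read through the received descriptor, which is exactly what a platform that needs the define cannot do.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Ancillary buffer with room for exactly one descriptor. */
union cmsgbuf {
    struct cmsghdr hdr;
    char buf[CMSG_SPACE(sizeof(int))];
};

/* Point a msghdr at a one-byte payload plus space for one SCM_RIGHTS fd. */
static void setup_msg(struct msghdr *msg, struct iovec *iov, char *byte,
                      union cmsgbuf *cb)
{
    memset(msg, 0, sizeof(*msg));
    memset(cb, 0, sizeof(*cb));
    iov->iov_base = byte;
    iov->iov_len = 1;
    msg->msg_iov = iov;
    msg->msg_iovlen = 1;
    msg->msg_control = cb;
    msg->msg_controllen = sizeof(*cb);
}

/* Send descriptor fd over Unix socket sock; 0 on success, -1 on failure. */
static int send_fd(int sock, int fd)
{
    struct msghdr msg; struct iovec iov; union cmsgbuf cb;
    struct cmsghdr *cmsg; char byte = 'X';

    setup_msg(&msg, &iov, &byte, &cb);
    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor; -1 if no usable SCM_RIGHTS message arrived, which
 * is the situation BROKEN_FD_PASSING stands for. */
static int recv_fd(int sock)
{
    struct msghdr msg; struct iovec iov; union cmsgbuf cb;
    struct cmsghdr *cmsg; char byte; int fd;

    setup_msg(&msg, &iov, &byte, &cb);
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    cmsg = CMSG_FIRSTHDR(&msg);
    if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET ||
        cmsg->cmsg_type != SCM_RIGHTS ||
        cmsg->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* Probe (hypothetical name): the child writes a marker into a pipe and
 * passes the pipe's read end to the parent. Returns 1 if the parent reads
 * the marker through the received fd, 0 otherwise. */
int fd_passing_works(void)
{
    int sv[2], pfd[2], rfd, status;
    char marker = 0;
    pid_t pid;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || (pid = fork()) == -1)
        return 0;
    if (pid == 0) {                      /* child: the sending side */
        close(sv[0]);
        if (pipe(pfd) == -1 || write(pfd[1], "P", 1) != 1)
            _exit(1);
        _exit(send_fd(sv[1], pfd[0]) == 0 ? 0 : 1);
    }
    close(sv[1]);                        /* parent: the receiving side */
    rfd = recv_fd(sv[0]);
    close(sv[0]);
    waitpid(pid, &status, 0);
    if (rfd == -1)
        return 0;
    if (read(rfd, &marker, 1) != 1)
        marker = 0;
    close(rfd);
    return marker == 'P';
}

int main(void)
{
    printf("fd passing %s\n", fd_passing_works() ? "works" : "is broken");
    return 0;
}
```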
From: deengert at anl.gov (Douglas E. Engert)
Date: Tue, 25 Jun 2002 17:52:58 -0500
Subject: Upcoming OpenSSH vulnerability
References:
Message-ID: <3D18F44A.C855FF7B@anl.gov>

Your response appears to have addressed many of my points of concern.
And I realize that you and your group must be under a lot of pressure
at this time. So thanks for taking the time to respond.

Ben Lindstrom wrote:
>
> On Tue, 25 Jun 2002, Douglas E. Engert wrote:
>
> > From all of the e-mail recently, it appears that the "solution" to the
> > upcoming OpenSSH vulnerability will be to run OpenSSH-3.3 with the Privilege
> > Separation enabled.
> >
> > This scares the daylights out of me! Think about what you are doing here.
> >
> > (1) OpenSSH 3.3 with the privsep code has been only out for less than a week.
> >
>
> Incorrect, 3.1 has Privsep.

I am sorry, but I don't see it in the version I have: openssh-3.1p1.tar.gz
But that's a minor point.

>
> > (2) It's hundreds of lines of code.
> >
> > (3) The privsep does not run on all platforms
> >
>
> If vendors would have started back in 3.1 helping us (over a month ago
> now?) this would not be an issue.

Yes that would have been helpful.

>
> > (4) The privsep does not work with all the features in current ssh.
> >
>
> What features?

"Compression is disabled on some systems, and the many varieties of PAM
are causing major headaches." (From: Theo de Raadt 6/24)

> You have debugging information? Patches? Solutions? or
> are you just blowing steam?

No debugging yet, I just got 3.3 without privsep working today with
GSSAPI. I am going by what I have been reading in recent e-mails.

>
> > (5) The privsep code has SSHD using heretofore unused operating
> > system features.
> >
>
> Umm.. you wish to clarify this babble?

This appears to be the first time SSH is using shared memory, and the
passing of FDs.

>
> > (6) People with local modifications to SSH may not be able to
> > integrate them in such a short time frame.
> >
> > Don't get me wrong, the privsep concept looks like a great idea, as a second
> > line of defense. But it should not be the primary defense.
> >
> > A fix is needed for the original bug. You still need it to keep the hackers
> > off the machine. Saying that they are confined to the unprivileged child process
> > still lets them have access to cycles and the network where they can try and
> > attack the operating system and your network from inside.
> >
>
> Look at it this way. Do you want us to release the exploit and the patch
> now?

No, what I would like you to do is release the patch when it is ready.
But correct me if I am wrong, from all the e-mail about using privsep,
I was worried that it would be the solution. If you have a patch for
the real problem, that would be great.

> Or would you rather have us wait the few days to gather patch fixes
> so hopefully 70% of those following along can at least be semiprotected?
>
> This is the correct course of action. I agree with Theo's reasons 100%.
>
> > The other aspect of this is the reliability of 3.3. With all the new code
> > what other problems might be introduced?
> >
>
> You bothered to help us test? I've not seen a patch from you nor any
> testing data? I'm starting to get sick and tired of people whining but
> not doing one bit of useful work.

Actually I have been very happy with the support of the OpenSSH, and was
trying to test this week with 3.3 with GSSAPI modifications and
Krb5-1.2.5 on Solaris, then HPUX, AIX, and SGI. Unfortunately the GSS
code needs work if it is to be used with privsep. I have been in touch
with Simon Wilkinson on this. That is my main concern. If the upcoming
solution was to rely mainly on privsep, then I have a major problem.
Your comments imply that it will not.

>
> I hear it on bugtraq, I hear it on slashdot, and I hear it on #unix and
> #unixhelp on efnet. Frankly. I'm starting to understand why Theo and
> others take the...
>
> "Sit down, shut up and code." mindset.
>
> > If you publish the problem, without a real fix, and expect everyone to
> > implement 3.3 with privsep you will have a lot of people upset who can't run 3.3 or
> > can't run the privsep code. These people will be left out in the cold.
> >
>
> Privsep is a stopgap.... If you are stupid enough to think that we should
> leave an exploit around in our tree just because we don't want to publish
> it. You're extremely wrong.

Thanks for pointing that out. I am trying to encourage you to provide
the fix. As I don't believe I have the option to rely on the privsep
alone.

>
> > You need to provide a universal fix for all, not a partial fix for only some.
> >
>
> You bothered to read the announcement by Theo? THERE WILL BE A FIX.
> However, we want to ensure we can get as many people to a semi-safe
> position *BEFORE* every black hat in the gawd damn net gets their hands on
> it.
>
> Ain't that a good idea? =) Or would you rather have a hacker crack your
> system before you even get a chance to patch it? Take your choice.

I realize you must be under a lot of pressure to get this problem fixed,
and I intend to apply the fix as soon as it is released.

>
> - Ben

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From doctor at doctor.nl2k.ab.ca Wed Jun 26 09:03:23 2002
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Tue, 25 Jun 2002 17:03:23 -0600
Subject: BSD/OS 5.0 + Privsep failure.
In-Reply-To: ; from mouring@etoh.eviladmin.org on Tue, Jun 25, 2002 at 12:08:37PM -0500
References:
Message-ID: <20020625170323.A26106@doctor.nl2k.ab.ca>

On Tue, Jun 25, 2002 at 12:08:37PM -0500, Ben Lindstrom wrote:
>
> *Dianora* bsd/os 5.0 report
> *Dianora* paul borman notice it would fail on /etc/login.conf
> *Dianora* after it chrooted
>
>
> Can I get someone running BSD/OS to trace down the offending block of code?
>
> I'm also seeing if I can get someone from Wind River to join the list..
>
> Anyone from Wind River? =)
>
> - Ben
>

What is BSD/OS 5.0 ?? I am aware of BSD/OS 4.3 .

> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Member - Liberal International
On 11 Sept 2001 the WORLD was violated.
This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
Society MUST be saved! Extremists must dissolve.
Beware of defining as intelligent only those who share your opinions

From kevin at atomicgears.com Wed Jun 26 09:17:30 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Tue, 25 Jun 2002 16:17:30 -0700
Subject: README.privsep
In-Reply-To:
References: <20020624165228.GB1890@jenny.crlsca.adelphia.net>
Message-ID: <20020625231730.GF2020@jenny.crlsca.adelphia.net>

On Mon, Jun 24, 2002 at 06:56:36PM -0700, Tim Rice wrote:
> On Mon, 24 Jun 2002, Kevin Steves wrote:
>
> > Hi,
> >
> > If you are on UnixWare 7 or OpenUNIX 8 do this additional step.
> > # ln /usr/lib/.ns.so /usr/lib/ns.so.1
>
> Drop these two lines. If we are not going to do something like the patch
> below to fix the initgroups problem on UnixWare and some Linux, then
> add some lines like
>
> On UnixWare, OpenUNIX, and some Linux systems you will have to
> # mkdir /var/empty/etc
> # touch /var/empty/etc/group

we have this now:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd.c.diff?r1=1.250&r2=1.251

the ln stuff can go away now?

From johnh at aproposretail.com Wed Jun 26 09:23:59 2002
From: johnh at aproposretail.com (John Hardin)
Date: 25 Jun 2002 16:23:59 -0700
Subject: Last call.
In-Reply-To:
References:
Message-ID: <1025047439.30497.88.camel@johnh.apropos.com>

On Tue, 2002-06-25 at 15:31, Tim Rice wrote:
> > Will the RH6.2 builds automatically turn off compression?
>
> Yes.

Your answer conflicts with Ben's - who's right?

--
John Hardin
Internal Systems Administrator
voice: (425) 672-1304
Apropos Retail Management Systems, Inc.
fax: (425) 672-0192
-----------------------------------------------------------------------
Any time that PR dominates the information stream, you can't trust the
information. - CRYPTO-GRAM 01/2002
-----------------------------------------------------------------------
5 days until First Class postage goes up to 37 cents

From mouring at etoh.eviladmin.org Wed Jun 26 09:22:22 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 25 Jun 2002 18:22:22 -0500 (CDT)
Subject: Last call.
In-Reply-To: <1025047439.30497.88.camel@johnh.apropos.com>
Message-ID:

On 25 Jun 2002, John Hardin wrote:

> On Tue, 2002-06-25 at 15:31, Tim Rice wrote:
> > > Will the RH6.2 builds automatically turn off compression?
> >
> > Yes.
>
> Your answer conflicts with Ben's - who's right?
>

Sorry, he is right.

#if !defined(HAVE_MMAP_ANON_SHARED)
        if (use_privsep && options->compression == 1) {
                error("This platform does not support both privilege "
                    "separation and compression");
                error("Compression disabled");
                options->compression = 0;
        }
#endif

It spews warnings and then disables compression.

- Ben

From tim at multitalents.net Wed Jun 26 09:35:52 2002
From: tim at multitalents.net (Tim Rice)
Date: Tue, 25 Jun 2002 16:35:52 -0700 (PDT)
Subject: Last call.
In-Reply-To: <1025047439.30497.88.camel@johnh.apropos.com>
Message-ID:

On 25 Jun 2002, John Hardin wrote:

> On Tue, 2002-06-25 at 15:31, Tim Rice wrote:
> > > Will the RH6.2 builds automatically turn off compression?
> >
> > Yes.
>
> Your answer conflicts with Ben's - who's right?

Recent changes to CVS added a test for a working MAP_ANON
It now runs without modifying sshd_config

--
Tim Rice
Multitalents
(707) 887-1469
tim at multitalents.net

From vancleef at microunity.com Wed Jun 26 09:37:49 2002
From: vancleef at microunity.com (Bob Van Cleef)
Date: Tue, 25 Jun 2002 16:37:49 -0700 (PDT)
Subject: openssh-3.3p1 and SPARC
Message-ID:

Hi;

I just attempted to install openssh-3.3p1 on a Sparc box running linux
kernel 2.2.14-5.0. However any attempt to connect to the daemon causes a
crash. (See below)

Given the current security issue, will there be an available option for
running the upcoming 3.4 release on a Linux 2.2 kernel?

Bob

><> ><> ><> ><> ><> ><> ><> ><> ><> ><> ><> ><> ><>

# /usr/local/sbin/sshd -d
debug1: sshd version OpenSSH_3.3
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Invalid argument
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 192.86.6.8 port 1380
debug1: Client protocol version 1.5; client software version 1.2.27
debug1: match: 1.2.27 pat 1.2.1*,1.2.2*,1.2.3*
debug1: Local version string SSH-1.99-OpenSSH_3.3
mmap(65536): Invalid argument
debug1: Calling cleanup 0x34934(0x0)

From stevev at darkwing.uoregon.edu Wed Jun 26 09:51:26 2002
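The check Ben quotes keys off HAVE_MMAP_ANON_SHARED, the "test for a working MAP_ANON" Tim mentions, and the mmap(65536): Invalid argument in Bob's trace is that same mapping being refused by a 2.2 kernel. The probe below is an added example, not OpenSSH's configure test or sshd code, and its function names are mine: it creates an anonymous MAP_SHARED mapping, forks, and verifies that the child's write is visible to the parent; it also tries the /dev/zero-backed variant from Ben's list of deferred patches so the two can be compared on one box.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

/* Map len bytes MAP_SHARED with the given extra flags and fd, fork, let the
 * child write a marker and check whether the parent sees it. Returns 1 only
 * when the mapping is both creatable and genuinely shared; 0 on mmap()
 * failure (the "mmap(65536): Invalid argument" seen on Linux 2.2) or when
 * the pages turn out to be private after all. */
static int shared_mapping_works(size_t len, int extra_flags, int fd)
{
    volatile unsigned char *p;
    int status, ok;
    pid_t pid;

    p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED | extra_flags, fd, 0);
    if (p == MAP_FAILED)
        return 0;
    p[0] = 0;
    pid = fork();
    if (pid == -1) {
        munmap((void *)p, len);
        return 0;
    }
    if (pid == 0) {
        p[0] = 0xAB;                  /* the child's write ... */
        _exit(0);
    }
    waitpid(pid, &status, 0);
    ok = (p[0] == 0xAB);              /* ... must be visible to the parent */
    munmap((void *)p, len);
    return ok;
}

/* Configure-style probe (hypothetical name) for what HAVE_MMAP_ANON_SHARED
 * stands for: an anonymous mapping that is shared across fork(). */
int anon_shared_mmap_works(size_t len)
{
    return shared_mapping_works(len, MAP_ANON, -1);
}

/* The /dev/zero fallback discussed (and deferred) in the thread: a shared
 * mapping backed by /dev/zero instead of an anonymous one. */
int devzero_shared_mmap_works(size_t len)
{
    int fd = open("/dev/zero", O_RDWR);
    int ok;

    if (fd == -1)
        return 0;
    ok = shared_mapping_works(len, 0, fd);
    close(fd);
    return ok;
}

int main(void)
{
    size_t len = 65536;   /* the size of the failing call in Bob's trace */

    printf("MAP_ANON|MAP_SHARED: %s\n",
           anon_shared_mmap_works(len) ? "works" : "unsupported");
    printf("/dev/zero MAP_SHARED: %s\n",
           devzero_shared_mmap_works(len) ? "works" : "unsupported");
    return 0;
}
```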
From: stevev at darkwing.uoregon.edu (Steve VanDevender)
Date: Tue, 25 Jun 2002 16:51:26 -0700
Subject: Upcoming OpenSSH vulnerability
In-Reply-To:
References: <3D18E4D7.3E9AECDE@anl.gov>
Message-ID: <15641.510.429570.494980@darkwing.uoregon.edu>

Ben Lindstrom writes:
> Incorrect, 3.1 has Privsep.

Funny, I can't find the options in the stock OpenSSH 3.1p1 source tree.
If it was available, it was obviously as an unsupported patch at the
time.

> Look at it this way. Do you want us to release the exploit and the patch
> now? Or would you rather have us wait the few days to gather patch fixes
> so hopefully 70% of those following along can at least be semiprotected?

I, personally, would much rather have a patch that fixes the real
security problem now for the platforms for which privilege separation
is problematic (like Tru64 UNIX with C2 security) so that my systems
will be protected whether or not I can get privilege separation working
on them. I'd like to get it working on all of them eventually, but it's
clear from the flurry of bug reports and activity this week that it's
just not ready for widespread production use yet.

> This is the correct course of action. I agree with Theo's reasons 100%.

I think it's good that Theo put out the alert and said that privilege
separation (on the platforms where it works) will prevent the exploit.
I don't think it's realistic to expect that everyone can rush privilege
separation into production as a means of addressing this problem. You
can complain that vendors should have helped you get this working
earlier, but it doesn't surprise me that most haven't responded without
a major incentive to do so.

From johnh at aproposretail.com Wed Jun 26 10:04:02 2002
From: johnh at aproposretail.com (John Hardin)
Date: 25 Jun 2002 17:04:02 -0700
Subject: Upcoming OpenSSH vulnerability
In-Reply-To: <15641.510.429570.494980@darkwing.uoregon.edu>
References: <3D18E4D7.3E9AECDE@anl.gov> <15641.510.429570.494980@darkwing.uoregon.edu>
Message-ID: <1025049843.30501.110.camel@johnh.apropos.com>

On Tue, 2002-06-25 at 16:51, Steve VanDevender wrote:
> I, personally, would much rather have a patch that fixes the real
> security problem now

Ben, Theo, whoever can answer:

Is fixing the underlying security problem that much more thorny a
problem than getting privsep working on all/most/many platforms?

--
John Hardin
Internal Systems Administrator
voice: (425) 672-1304
Apropos Retail Management Systems, Inc.
fax: (425) 672-0192
-----------------------------------------------------------------------
Any time that PR dominates the information stream, you can't trust the
information. - CRYPTO-GRAM 01/2002
-----------------------------------------------------------------------
5 days until First Class postage goes up to 37 cents

From deraadt at cvs.openbsd.org Wed Jun 26 10:23:52 2002
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Tue, 25 Jun 2002 18:23:52 -0600
Subject: Upcoming OpenSSH vulnerability
In-Reply-To: Your message of "Tue, 25 Jun 2002 16:47:03 CDT." <3D18E4D7.3E9AECDE@anl.gov>
Message-ID: <200206260023.g5Q0NqLI025204@cvs.openbsd.org>

Obviously you can't think this thing through.

Everyone who understands, please educate him. I'm sick of people who
are not thinking this through.

> Date: Tue, 25 Jun 2002 16:47:03 -0500
> From: "Douglas E. Engert"
> X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U)
> X-Accept-Language: en
> MIME-Version: 1.0
> CC: openssh-unix-dev at mindrot.org, openssh at openbsd.org
> Subject: Upcoming OpenSSH vulnerability
> References: <20020625104024.GA29885 at faui02> <20020625171724.GA2020 at jenny.crlsca.adelphia.net>
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
>
> From all of the e-mail recently, it appears that the "solution" to the
> upcoming OpenSSH vulnerability will be to run OpenSSH-3.3 with the Privilege
> Separation enabled.
>
> This scares the daylights out of me! Think about what you are doing here.
>
> (1) OpenSSH 3.3 with the privsep code has been only out for less than a week.
>
> (2) It's hundreds of lines of code.
>
> (3) The privsep does not run on all platforms
>
> (4) The privsep does not work with all the features in current ssh.
>
> (5) The privsep code has SSHD using heretofore unused operating system features.
>
> (6) People with local modifications to SSH may not be able to
> integrate them in such a short time frame.
>
> Don't get me wrong, the privsep concept looks like a great idea, as a second
> line of defense. But it should not be the primary defense.
>
> A fix is needed for the original bug. You still need it to keep the hackers
> off the machine. Saying that they are confined to the unprivileged child process
> still lets them have access to cycles and the network where they can try and
> attack the operating system and your network from inside.
>
> The other aspect of this is the reliability of 3.3. With all the new code
> what other problems might be introduced?
>
> If you publish the problem, without a real fix, and expect everyone to
> implement 3.3 with privsep you will have a lot of people upset who can't run 3.3 or
> can't run the privsep code. These people will be left out in the cold.
>
> You need to provide a universal fix for all, not a partial fix for only some.
>
> Thanks for listening.
>
> --
>
> Douglas E. Engert
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

From deraadt at cvs.openbsd.org Wed Jun 26 10:35:59 2002
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Tue, 25 Jun 2002 18:35:59 -0600
Subject: Upcoming OpenSSH vulnerability
In-Reply-To: Your message of "Tue, 25 Jun 2002 17:52:58 CDT." <3D18F44A.C855FF7B@anl.gov>
Message-ID: <200206260035.g5Q0ZxLI004527@cvs.openbsd.org>

Thank you for now realizing that we are trying to do the best possible
disclosure procedure.

Immunization.

From vdanen-sender-20597b45 at freezer-burn.org Wed Jun 26 10:55:46 2002
From: vdanen-sender-20597b45 at freezer-burn.org (Vincent Danen)
Date: Tue, 25 Jun 2002 18:55:46 -0600
Subject: Public Key Authentication Bug
In-Reply-To: <004301c21c5f$5ba3d690$0a01a8c0@pippy>
References: <004301c21c5f$5ba3d690$0a01a8c0@pippy>
Message-ID: <20020626005546.GC22583@freezer-burn.org>

On Tue Jun 25, 2002 at 11:45:30AM -0400, Russell Elik Rademacher wrote:
> I usually don't get involved in the mailing lists unless it is of a major
> importance. Here is a new problem that came up with the 3.3.p1 version, which I
> already reported to the Mandrake Developers on their RPM build. Basically, it
> boils down to this.
>
> In the Priv Separation Mode or not, the public Key Authentication is
> thoroughly broken on all 3 versions of Keys, RSA1, RSA, and DSA versions. It
> applies to SSH1 and SSH2. This is reported on 7.2 version Mandrake with the
> 2.2. Kernel Build. I am still working on testing it on the 2.4 Kernel Build to
> see how it works out on the Redhat. This SSH Build has a patch from Solar
> Designer which is made to make it work on 2.2 Kernel.
>
> But other than that, the functionality of the SSH is perfect and working as
> usual. Just no Public Key Authentication.

I don't think this has anything to do with Solar's patch. You forgot to
mention that you were using Putty and F-Protect as clients (I think
F-Protect is the other you mentioned).

Before we put the Mandrake updates out, both public key and password
authentication were tested on all platforms, with 2.2 and 2.4 kernels
(using openssh as a client, not Putty or anything else). Both forms of
authentication worked fine.

I still have to hop on a windows machine and test Putty with public keys
to see if I can reproduce your problem; without testing I can only
suspect that Putty and/or F-Protect are the problem, or that something
in openssh changed (doubtful) that prevents it from working unless an
openssh client is used.

As soon as I have a chance to test this, I'll post my findings.
--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
{GnuPG: 1024D/FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
Current Linux kernel 2.4.18-6.10mdk uptime: 17 days 21 hours 8 minutes.

From bugzilla-daemon at mindrot.org Wed Jun 26 11:06:01 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Jun 2002 11:06:01 +1000 (EST)
Subject: [Bug 298] sshd fails to set user context, preventing all logins, also setgroups is failing
Message-ID: <20020626010601.66A58E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=298

------- Additional Comments From sshbugs at wayne47.com 2002-06-26 11:05 -------

Problem appears to be that setusercontext is being called after a chroot.

From elik at rademacher.org Wed Jun 26 11:20:46 2002
From: elik at rademacher.org (Russell "Elik" Rademacher)
Date: Tue, 25 Jun 2002 21:20:46 -0400
Subject: Public Key Authentication Bug
References: <004301c21c5f$5ba3d690$0a01a8c0@pippy> <20020626005546.GC22583@freezer-burn.org>
Message-ID: <03b101c21caf$b9a0c190$0a01a8c0@pippy>

It does seem to indicate that SSH clients other than OpenSSH that use Public Key Authentication have a problem with the 3.3p1 version compared to the previous versions. I have been using both F-Serve and Putty to connect and authenticate by Public Key Authentication for a long time. Just when I did the update to patch the system to 3.3p1, that is when it failed. Maybe it is the client or it may be something else in the OpenSSH implementation that got changed somewhat that caused this problem to manifest itself.

I am going to build a new one on the vanilla Redhat 7.2 system and see if this problem is reproducible as well. If it is, then it is OpenSSH itself that has the problem, or if it works, then one of the patches that went into Mandrake's OpenSSH version got something changed to make it break entirely. I will let you know tomorrow on this. I am sort of beat doing the OpenSSH upgrade over 21 servers of various linux distros in various ages, like Slackware, Redhat, Debian, and Mandrake, plus Solaris 8. I haven't had the chance to test the public key on any of them yet, since they are on an internal network and we use OpenSSH to connect to them from outside through a gateway server.

On Tue Jun 25, 2002 at 11:45:30AM -0400, Russell Elik Rademacher wrote:
> I usually don't get involved in the mailing lists unless it is of a major
> importance. Here is a new problem that came up with the 3.3.p1 version, which I
> already reported to the Mandrake Developers on their RPM build. Basically, it
> boils down to this.
>
> In the Priv Separation Mode or not, the public Key Authentication is
> thoroughly broken on all 3 versions of Keys, RSA1, RSA, and DSA versions. It
> applies to SSH1 and SSH2. This is reported on 7.2 version Mandrake with the
> 2.2. Kernel Build. I am still working on testing it on the 2.4 Kernel Build to
> see how it works out on the Redhat. This SSH Build has a patch from Solar
> Designer which is made to make it work on 2.2 Kernel.
>
> But other than that, the functionality of the SSH is perfect and working as
> usual. Just no Public Key Authentication.

I don't think this has anything to do with Solar's patch. You forgot to mention that you were using Putty and F-Protect as clients (I think F-Protect is the other you mentioned).

Before we put the Mandrake updates out, both public key and password authentication were tested on all platforms, with 2.2 and 2.4 kernels (using openssh as a client, not Putty or anything else). Both forms of authentication worked fine.

I still have to hop on a windows machine and test Putty with public keys to see if I can reproduce your problem; without testing I can only suspect that Putty and/or F-Protect are the problem, or that something in openssh changed (doubtful) that prevents it from working unless an openssh client is used.

As soon as I have a chance to test this, I'll post my findings.

--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
{GnuPG: 1024D/FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
Current Linux kernel 2.4.18-6.10mdk uptime: 17 days 21 hours 8 minutes.

From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 25 Jun 2002 20:52:13 -0500 (CDT)
Subject: final build.

http://www.eviladmin.org/~mouring/openssh.tar.gz

If there are any issues that are not marked as known, let us know ASAP.

- Ben
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Tue, 25 Jun 2002 21:12:06 -0500
Subject: openssh-3.3p1 and SPARC
Message-ID: <20020626021206.GB12786@vega.ipal.net>

On Tue, Jun 25, 2002 at 04:37:49PM -0700, Bob Van Cleef wrote:
| I just attempted to install openssh-3.3p1 on a Sparc box running
| linux kernel 2.2.14-5.0 However any attempt to connect to the
| daemon causes a crash. (See below)
|
| Given the current security issue, will there be an available option
| for running the up coming 3.4 release on a Linux 2.2 kernel?

That depends on what this strange mmap(65536) call is trying to do. What I know is that 3.3p1 works for me, but I'm on kernel 2.4.18, so that could be why. I've read some people saying the problem is with shared anonymous mmap, but that doesn't seem right to me because I have used shared anonymous mmap with the 2.2 kernel.

| mmap(65536): Invalid argument

I seem to remember mmap() having 6 arguments, not 1. So I have no idea what this message really means, especially the 65536 part.

--
-----------------------------------------------------------------
| Phil Howard - KA9WGN  | Dallas     | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
-----------------------------------------------------------------
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 26 Jun 2002 12:18:15 +1000
Subject: Last call.
Message-ID: <3D192467.4B7DD378@zip.com.au>

Ben Lindstrom wrote:
[about a test tarball]
> http://www.eviladmin.org/~mouring/openssh.tar.gz

That seems to work fine on AIX 4.3.3. I'll beat on it a bit more but it looks good.

$ uname -s; oslevel
AIX
4.3.3.0
$ ps -eaf |grep sshd
 dtucker  5164 10828   1 12:08:09  pts/0  0:00 grep sshd
 dtucker  9252  9632   0 12:07:55      -  0:00 /usr/local/sbin/sshd
    root  9632 11516   0 12:07:47      -  0:00 /usr/local/sbin/sshd
    root 11516     1   0 12:04:24      -  0:03 /usr/local/sbin/sshd

I'd like to thank you and the rest of the team for doing such a great job with openssh in general and the handling of this upcoming problem in particular. I imagine it's not easy.

-Daz.

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
From: cmadams at hiwaay.net (Chris Adams)
Date: Tue, 25 Jun 2002 21:21:58 -0500
Subject: Upcoming OpenSSH vulnerability
In-Reply-To: <15641.510.429570.494980@darkwing.uoregon.edu>; from stevev@darkwing.uoregon.edu on Tue, Jun 25, 2002 at 04:51:26PM -0700
References: <3D18E4D7.3E9AECDE@anl.gov> <15641.510.429570.494980@darkwing.uoregon.edu>
Message-ID: <20020625212158.A150812@hiwaay.net>

Once upon a time, Steve VanDevender said:
> I, personally, would much rather have a patch that fixes the real
> security problem now for the platforms for which privilege separation is
> problematic (like Tru64 UNIX with C2 security) so that my systems will

The next release will support privsep on Tru64 for pre-auth but not post-auth. As far as I can see, post-auth privsep just won't work for post-auth on Tru64. setup_session_sia() needs to be called as root, and if a PTY is to be allocated, needs to be called after the PTY is allocated and connected to the client.

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Tue, 25 Jun 2002 21:24:12 -0500
Subject: Upcoming OpenSSH vulnerability
In-Reply-To: <15641.510.429570.494980@darkwing.uoregon.edu>
References: <3D18E4D7.3E9AECDE@anl.gov> <15641.510.429570.494980@darkwing.uoregon.edu>
Message-ID: <20020626022412.GC12786@vega.ipal.net>

On Tue, Jun 25, 2002 at 04:51:26PM -0700, Steve VanDevender wrote:
| I think it's good that Theo put out the alert and said that privilege
| separation (on the platforms where it works) will prevent the exploit.
| I don't think it's realistic to expect that everyone can rush privilege
| separation into production as a means of addressing this problem. You
| can complain that vendors should have helped you get this working
| earlier, but it doesn't surprise me that most haven't responded without
| a major incentive to do so.

Apparently the non-portable OpenSSH has had this feature working for a while. Given it is a security feature, it's really wrong that vendors have failed to get it working on their platforms. Security in and of itself should be the major incentive to do so. Why should the authors of OpenSSH be the only ones to be expected to address security issues in a timely manner? And even if they do, how can they be expected to make source patches that work universally if there are crippled versions of OpenSSH ported to certain platforms which can make these patches not work?

What better incentive can you think of to get them to budge but a real live security situation? If they can't respond to that, then it is time to write them off as another MSFT-wannabe.

--
-----------------------------------------------------------------
| Phil Howard - KA9WGN  | Dallas     | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
-----------------------------------------------------------------
From: vdanen-sender-20597b45 at freezer-burn.org (Vincent Danen)
Date: Tue, 25 Jun 2002 20:24:40 -0600
Subject: Public Key Authentication Bug
In-Reply-To: <03b101c21caf$b9a0c190$0a01a8c0@pippy>
References: <004301c21c5f$5ba3d690$0a01a8c0@pippy> <20020626005546.GC22583@freezer-burn.org> <03b101c21caf$b9a0c190$0a01a8c0@pippy>
Message-ID: <20020626022440.GC24668@freezer-burn.org>

On Tue Jun 25, 2002 at 09:20:46PM -0400, Russell Elik Rademacher wrote:
> It does seem to indicate that SSH clients other than OpenSSH that use
> Public Key Authentication have a problem with the 3.3p1 version
> compared to the previous versions.

Not necessarily. I just did some quick testing using putty 0.52 (latest version according to the website). I don't normally use keys with putty (I don't really use putty at all), but this is what happened:

Generated RSA1, RSA2, and DSA2 keys with puttygen.exe. Imported the RSA1 public key and the RSA2/DSA2 "openssh strings" that puttygen outputs into ~/.ssh/authorized_keys on an 8.2 Mandrake box running 3.3p1 and on another 8.2 Mandrake box running 3.1p1.

RSA1 works fine; no issues there. Both RSA2 and DSA2 keys proved problematic with putty reporting that it "Couldn't load private key file". All three keys were generated by putty.

Then I copied the RSA1, RSA2, and DSA2 private keys from my Mandrake workstation (all keys generated sometime in the 2.x openssh versions, don't recall exactly, but it's been quite a while). Again, RSA1 worked without problem. RSA2 and DSA2, both keys again couldn't be loaded.

This seems to me like it's a problem with putty, not openssh. With both putty-generated and openssh-generated keys, only the RSA1 key worked properly. I have not tried F-Serve.

> I have been using both F-Serve and Putty to connect and authenticate by
> Public Key Authentication for a long time. Just when I did the update to patch
> the system to 3.3p1, that is when it failed. Maybe it is the client or it may be
> something else in the OpenSSH implementation that got changed somewhat that caused
> this problem to manifest itself.

Out of curiosity (actually, it would help a lot), which version of openssh did you upgrade *from*? Did you upgrade from 3.1p1 or an earlier version?

> I am going to build a new one on the vanilla Redhat 7.2 system and see if
> this problem is reproducible as well. If it is, then it is OpenSSH itself
> that has the problem, or if it works, then one of the patches that went
> into Mandrake's OpenSSH version got something changed to make it break
> entirely. I will let you know tomorrow on this. I am sort of beat doing the
> OpenSSH upgrade over 21 servers of various linux distros in various ages, like
> Slackware, Redhat, Debian, and Mandrake, plus Solaris 8.

Again, I don't think it's our (Mandrake's) packaging, but you never know. I'm going to build vanilla 3.3p1 openssh's for my workstation a little later on, and will also try using some older version (2.9 or something), just for comparison's sake, and will see if putty works with either of them. I didn't bother to test on Mandrake 7.2 using a 2.2 kernel because this really doesn't look to me to be an issue with openssh 3.3p1.

> I haven't had the chance to test the public key on any of them yet, since
> they are on an internal network and we use OpenSSH to connect to them from outside
> through a gateway server.

It would be good to see how it works on these. I've got openbsd 3.0 in vmware and will give it a try also later (with the new openssh) to see if putty will work there.

--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
{GnuPG: 1024D/FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
Current Linux kernel 2.4.18-6.10mdk uptime: 17 days 22 hours 33 minutes.

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Jun 2002 12:29:32 +1000 (EST)
Subject: [Bug 298] sshd fails to set user context, preventing all logins, also setgroups is failing
Message-ID: <20020626022932.ADAA2E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=298

------- Additional Comments From sshbugs at wayne47.com 2002-06-26 12:29 -------
As the problem appears to be related to chroot, I copied /etc/{master.passwd,passwd,login.conf} to /var/empty/etc. Now it appears to be having a problem getting a tty as the last error message seen on the source machine is "Requesting pty". The target shows:

debug1: monitor_child_preauth: wayne has been authenticated by privileged process
debug1: Calling cleanup 0x80758d4(0x0)

(I tried making /var/empty/dev and filling it with standard devices, no luck.)
From: elik at rademacher.org (Russell "Elik" Rademacher)
Date: Tue, 25 Jun 2002 22:50:14 -0400
Subject: Public Key Authentication Bug
References: <004301c21c5f$5ba3d690$0a01a8c0@pippy> <20020626005546.GC22583@freezer-burn.org> <03b101c21caf$b9a0c190$0a01a8c0@pippy> <20020626022440.GC24668@freezer-burn.org>
Message-ID: <03e801c21cbc$3c1c9250$0a01a8c0@pippy>

I have known for a long time that keys generated by puttygen are problematic at most. I usually have the keys generated where the host server is located and set the public keys in the .ssh/authorized_keys file.

With that, I did use the RSA1 and DSA Keys and didn't have any problems with them using the OpenSSH 3.1p1 version, which is before the 3.3p1 appeared. I haven't tried the RSA SSH2 key on it yet, but I am not sure if it has problems with it or not.

On the F-Serve, I didn't have any problems with all 3 different key-generated Keys on the OpenSSH 3.1p1 and earlier versions on different distros either, provided they are generated with OpenSSH itself, not from the client side.

I am trying out that new build that Ben has produced and will see if something has been changed in there to fix that problem. We see on that. :)

On Tue Jun 25, 2002 at 09:20:46PM -0400, Russell Elik Rademacher wrote:
> It does seem to indicate that SSH clients other than OpenSSH that use
> Public Key Authentication have a problem with the 3.3p1 version
> compared to the previous versions.

Not necessarily. I just did some quick testing using putty 0.52 (latest version according to the website). I don't normally use keys with putty (I don't really use putty at all), but this is what happened:

Generated RSA1, RSA2, and DSA2 keys with puttygen.exe. Imported the RSA1 public key and the RSA2/DSA2 "openssh strings" that puttygen outputs into ~/.ssh/authorized_keys on an 8.2 Mandrake box running 3.3p1 and on another 8.2 Mandrake box running 3.1p1.

RSA1 works fine; no issues there. Both RSA2 and DSA2 keys proved problematic with putty reporting that it "Couldn't load private key file". All three keys were generated by putty.

Then I copied the RSA1, RSA2, and DSA2 private keys from my Mandrake workstation (all keys generated sometime in the 2.x openssh versions, don't recall exactly, but it's been quite a while). Again, RSA1 worked without problem. RSA2 and DSA2, both keys again couldn't be loaded.

This seems to me like it's a problem with putty, not openssh. With both putty-generated and openssh-generated keys, only the RSA1 key worked properly. I have not tried F-Serve.

> I have been using both F-Serve and Putty to connect and authenticate by
> Public Key Authentication for a long time. Just when I did the update to patch
> the system to 3.3p1, that is when it failed. Maybe it is the client or it may be
> something else in the OpenSSH implementation that got changed somewhat that caused
> this problem to manifest itself.

Out of curiosity (actually, it would help a lot), which version of openssh did you upgrade *from*? Did you upgrade from 3.1p1 or an earlier version?

> I am going to build a new one on the vanilla Redhat 7.2 system and see if
> this problem is reproducible as well. If it is, then it is OpenSSH itself
> that has the problem, or if it works, then one of the patches that went
> into Mandrake's OpenSSH version got something changed to make it break
> entirely. I will let you know tomorrow on this. I am sort of beat doing the
> OpenSSH upgrade over 21 servers of various linux distros in various ages, like
> Slackware, Redhat, Debian, and Mandrake, plus Solaris 8.

Again, I don't think it's our (Mandrake's) packaging, but you never know. I'm going to build vanilla 3.3p1 openssh's for my workstation a little later on, and will also try using some older version (2.9 or something), just for comparison's sake, and will see if putty works with either of them. I didn't bother to test on Mandrake 7.2 using a 2.2 kernel because this really doesn't look to me to be an issue with openssh 3.3p1.

> I haven't had the chance to test the public key on any of them yet, since
> they are on an internal network and we use OpenSSH to connect to them from outside
> through a gateway server.

It would be good to see how it works on these. I've got openbsd 3.0 in vmware and will give it a try also later (with the new openssh) to see if putty will work there.

--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
{GnuPG: 1024D/FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
Current Linux kernel 2.4.18-6.10mdk uptime: 17 days 22 hours 33 minutes.
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Jun 2002 13:21:26 +1000 (EST)
Subject: [Bug 283] UsePrivilegeSeparation fails on AIX, Couldn't set usrinfo:
Message-ID: <20020626032126.33297E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=283

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From dtucker at zip.com.au 2002-06-26 13:21 -------
The fix for this was just committed to CVS by Ben:

$ cvs log session.c
[snip]
revision 1.205
date: 2002/06/25 17:12:27;  author: mouring;  state: Exp;  lines: +6 -3
   20020626
   - (bal) moved aix_usrinfo() and noted not setting real TTY.  Patch by
     dtucker at zip.com.au
[snip]

Be aware that this will now set TTY to a null value in the system environment (use "setsenv" to view). It's possible that this will cause problems with "legacy" apps but there are no known cases at the moment.

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Jun 2002 13:22:45 +1000 (EST)
Subject: [Bug 270] PrivSep breaks sshd on AIX for non-root users
Message-ID: <20020626032245.B867AE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=270

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

------- Additional Comments From dtucker at zip.com.au 2002-06-26 13:22 -------
*** This bug has been marked as a duplicate of 283 ***
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 25 Jun 2002 22:11:35 -0500 (CDT)
Subject: Public Key Authentication Bug
In-Reply-To: <03e801c21cbc$3c1c9250$0a01a8c0@pippy>

On Tue, 25 Jun 2002, Russell "Elik" Rademacher wrote:
> I have known for a long time that keys generated by puttygen are problematic
> at most. I usually have the keys generated where the host server is
> located and set the public keys in the .ssh/authorized_keys file.
>
> With that, I did use the RSA1 and DSA Keys and didn't have any problems with
> them using the OpenSSH 3.1p1 version, which is before the 3.3p1 appeared. I
> haven't tried the RSA SSH2 key on it yet, but I am not sure if it has problems
> with it or not.
>

I don't use DSA keys, but putty 0.52 (last blessed release) does not support using OpenSSH or SSH Corp keys first off.. Second off, no matter what server I used with RSA (v2) from putty (snapshot as of tonight) I get:

Unable to use key file "C:\WINDOWS\Desktop\id_rsa" (OpenSSH SSH2 private key)

And no hint that it was even tried. I'm doing this to 3.1pX and --current on OpenBSD.

Are you sure putty has working support for ssh keys from anything but their generator?

- Ben
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Jun 2002 13:22:56 +1000 (EST)
Subject: [Bug 283] UsePrivilegeSeparation fails on AIX, Couldn't set usrinfo:
Message-ID: <20020626032256.EA87EE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=283

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

------- Additional Comments From dtucker at zip.com.au 2002-06-26 13:22 -------
*** Bug 270 has been marked as a duplicate of this bug. ***
From: djm at mindrot.org (Damien Miller)
Date: 26 Jun 2002 14:03:40 +1000
Subject: PAM kbd-int with privsep
In-Reply-To: <20020625123957.A29726@redhat.com>
References: <1024969975.5925.172.camel@xenon> <20020625123957.A29726@redhat.com>
Message-ID: <1025064221.5235.17.camel@xenon>

On Wed, 2002-06-26 at 02:39, Nalin Dahyabhai wrote:
> > The patch has a limitation: it does not handle multiple prompts - I have
> > no idea how common these are in real-life. Furthermore it is not well
> > tested at all (despite my many requests on openssh-unix-dev@).
>
> It looks like this limitation exists because the authentication via PAM
> is actually performed in a child of the privileged process, and the PAM
> handle is lost after successful authentication when this child exits.

The existing code could be modified to handle multiple prompts with some more work, I just need to grok the kbd-int stuff a bit better.

> Once the PAM-encapsulating child exits, you don't have a context to
> perform account or session management with, so the ability to perform
> PAM session management is just lost. Because PAM data items can point
> to dynamically-allocated memory, I don't see a clean way to transfer
> the context data to the parent.

We still do the account and session management, just with a different PAM handle. Any state accumulated in the auth modules will be lost. Ideally we would do both auth and acct in the PAM helper child, that way we could handle password changing interactively.

> It might be fixable by modifying it to have the parent do the PAM work,
> but it'd require an approach similar to the existing kbdint code, and I
> don't know how it would work in the context of a monitoring setup.

It is conceivable that we could hook into the shared memory malloc routines to make the PAM context available to parent and child. Unfortunately doing so may expose us to issues where the child attempts privilege escalation by deliberately corrupting its PAM context.

> It might also be resolved (at least for Linux-PAM 0.65 and later and
> derivatives, I haven't a clue about other implementations) by using
> the PAM_CONV_AGAIN/PAM_INCOMPLETE framework and letting the privileged
> process drive the conversation, but the framework is not well supported
> by most of the modules I've spot-checked. (That's fixable, though.)

Am I correct in believing that this framework isn't in the original PAM RFC? If so, that doesn't help us for Solaris, HP/UX and other non-Linux PAM-supported platforms.

This sort of framework is desperately needed though - PAM's design is really showing its age and is not at all suited to async operation. It would be excellent for everyone if the PAM spec could be reexamined with these issues in mind (have a look at BSD auth[1] for inspiration). IMO Redhat and Sun are in an excellent position to lead this process. I hope this opportunity is not wasted.

-d

[1] http://www.openbsd.org/cgi-bin/man.cgi?query=authenticate&apropos=0&sektion=3&manpath=OpenBSD+Current&arch=i386&format=html
    http://www.openbsd.org/cgi-bin/man.cgi?query=bsd_auth&sektion=3&arch=i386&apropos=0&manpath=OpenBSD+Current
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Tue, 25 Jun 2002 23:09:31 -0500
Subject: final build.
Message-ID: <20020626040931.GD12786@vega.ipal.net>

On Tue, Jun 25, 2002 at 08:52:13PM -0500, Ben Lindstrom wrote:
| http://www.eviladmin.org/~mouring/openssh.tar.gz

Works for me on:
  Slackware-8.0 (modified)
  Linux 2.4.18
  Glibc 2.2.3
  OpenSSL 0.9.6d
  Zlib 1.1.4

I simply started up the daemon and connected to it from the same machine, and also from another machine running 3.2.3p1. I also cross checked that its client will still connect to 3.2.3p1 (so I can do upgrades of all my remote servers once I figure out how to get a clean static compile).

--
-----------------------------------------------------------------
| Phil Howard - KA9WGN  | Dallas     | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
-----------------------------------------------------------------
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 25 Jun 2002 23:01:01 -0500 (CDT)
Subject: final build.
In-Reply-To: <20020626040931.GD12786@vega.ipal.net>

Do note this is a test snapshot. Don't get comfortable, and what static issues are left?

On Tue, 25 Jun 2002, Phil Howard wrote:
> On Tue, Jun 25, 2002 at 08:52:13PM -0500, Ben Lindstrom wrote:
>
> | http://www.eviladmin.org/~mouring/openssh.tar.gz
>
> Works for me on:
>   Slackware-8.0 (modified)
>   Linux 2.4.18
>   Glibc 2.2.3
>   OpenSSL 0.9.6d
>   Zlib 1.1.4
> I simply started up the daemon and connected to it from the same
> machine, and also from another machine running 3.2.3p1. I also
> cross checked that its client will still connect to 3.2.3p1 (so
> I can do upgrades of all my remote servers once I figure out how
> to get a clean static compile).
>
> --
> -----------------------------------------------------------------
> | Phil Howard - KA9WGN  | Dallas     | http://linuxhomepage.com/ |
> | phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
> -----------------------------------------------------------------
>
From: fcusack at fcusack.com (Frank Cusack)
Date: Tue, 25 Jun 2002 21:33:36 -0700
Subject: PAM kbd-int with privsep
In-Reply-To: <20020625102446.GF15772@citi.citi.umich.edu>; from provos@citi.umich.edu on Tue, Jun 25, 2002 at 06:24:46AM -0400
References: <1024969975.5925.172.camel@xenon> <20020625102446.GF15772@citi.citi.umich.edu>
Message-ID: <20020625213336.H26891@google.com>

On Tue, Jun 25, 2002 at 06:24:46AM -0400, Niels Provos wrote:
> On Tue, Jun 25, 2002 at 11:52:55AM +1000, Damien Miller wrote:
> > The following is a patch (based on FreeBSD code) which gets kbd-int
> > working with privsep. It moves the kbd-int PAM conversation to a child
> > process and communicates with it over a socket.
>
> > +	va_start(ap, fmt);
> > +	len = vsnprintf(buf, sizeof(buf), fmt, ap);
> > +	va_end(ap);
> > +	if (len == -1 || len > sizeof(buf))
> > +		fatal("sshpam_send: message too long");
>
> The check on the vsnprintf length is off by one. It should be
> len >= sizeof(buf):
>
>     These functions return the number of characters printed (not
>     including the trailing `\0' used to end output to strings), except for
>     snprintf() and vsnprintf(), which return the number of characters that
>     would have been printed if the size were unlimited (again, not
>     including the final `\0').

That's only for the C99 version of snprintf(). There are several versions which return several different values, one of which returns the number of characters actually placed into the buffer (ie, max = sizeof(buf)).
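Review bot: the truncation test in the quoted hunk, `if (len == -1 || len > sizeof(buf))`, misses the case len == sizeof(buf): with the C99 return value quoted from the man page, vsnprintf() then needed one byte more than the buffer holds, the NUL took the last byte and the final character of the message was silently dropped, so a short message is sent instead of fatal() being raised; the comparison should be `len >= sizeof(buf)`. Keeping the `len == -1` half in front is still right, since Frank's point about older snprintf() implementations means -1 is a return value the code may see on some platforms and the intent is clearer when it is tested explicitly.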
From: luc at suryo.com (Luc I. Suryo)
Date: Wed, 26 Jun 2002 00:00:16 -0500
Subject: final build.
Message-ID: <20020626050016.GB28227@nc1701.suryo.com>

> http://www.eviladmin.org/~mouring/openssh.tar.gz
> If there are any issues that are not marked as known. Let us know ASAP.

FYI: Solaris 8 Sparc 64bits/32bits

compiled no error
tested client and server, no problem

23:56 momo[2710] ./ssh -v
OpenSSH_3.3, SSH protocols 1.5/2.0, OpenSSL 0x0090604f

--
Kind regards,
Luc Suryo

From: barel_bhai at yahoo.com (raam raam)
Date: Tue, 25 Jun 2002 22:45:31 -0700 (PDT)
Subject: Version Exchange
Message-ID: <20020626054531.52137.qmail@web20507.mail.yahoo.com>

Hi All

I was checking the code with the drafts available. I could not find any message number for version exchange. In this case how do we check whether the message is for version exchange.

Please help

Regards
Barel

From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 26 Jun 2002 00:40:51 -0500 (CDT)
Subject: Close of testing.

I've taken down the openssh.tar.gz file. I'm happy with what I've received for testing. I'd like to thank everyone who took the time to test. I did not see a few platforms, but that is fine. Most of the worrisome ones checked in.

I was floored to see PrivSep working under OSX with no real source code changes. =) I'd like to thank a friend of mine from #unixhelp for doing that compile for me.

- Ben
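Two things from the messages above fit one added example (this is illustration written for this archive page, not code from the OpenSSH project or from any poster): the vsnprintf() length check that Niels and Frank discuss in the "PAM kbd-int with privsep" thread, and Barel's question of how the version exchange is recognised when the drafts give it no message number. The identification string is a plain text line ("SSH-protoversion-softwareversion [SP comments] CR LF", at most 255 bytes) that is sent before the binary packet protocol starts and is recognised purely by its "SSH-" prefix, so building and parsing it is exactly the kind of fixed-buffer work where the strict versus lenient truncation test matters. All inputs below are constructed; "SSH-1.99-OpenSSH_3.3" is the string a server like the one in Luc's report, with both protocol versions enabled, would send (the 1.99 convention is from the SSH transport draft, not from this thread).

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of formatting into a fixed-size buffer. */
struct fmt_result {
    int len;        /* characters the caller may rely on (not counting the NUL) */
    int truncated;  /* 1 if the message did not fit completely */
};

/* vsnprintf() into buf. With strict != 0 the C99 rule applies: a return value
 * >= bufsz means the NUL took the last byte and output was cut. With strict == 0
 * the weaker "len > sizeof(buf)" test from the thread is used, which lets the
 * case len == bufsz through as complete. A negative return (encoding error, or
 * an older libc that reports truncation that way) counts as truncated in both. */
static struct fmt_result fmt_into(char *buf, size_t bufsz, int strict,
                                  const char *fmt, ...)
{
    struct fmt_result r = { 0, 1 };
    va_list ap;
    int len;

    if (bufsz == 0)
        return r;
    va_start(ap, fmt);
    len = vsnprintf(buf, bufsz, fmt, ap);
    va_end(ap);
    buf[bufsz - 1] = '\0';                 /* stays terminated whatever happened */
    if (len < 0 || (strict ? (size_t)len >= bufsz : (size_t)len > bufsz)) {
        r.len = (int)strlen(buf);
        return r;
    }
    r.len = len;
    r.truncated = 0;
    return r;
}

/* Constructed boundary case: a 16-character message into a 16-byte buffer. */
struct boundary { struct fmt_result strict, lenient; size_t stored; };

static struct boundary boundary_case(void)
{
    char buf[16];
    struct boundary b;
    const char *msg = "0123456789abcdef";   /* exactly sizeof(buf) characters */

    b.strict = fmt_into(buf, sizeof(buf), 1, "%s", msg);
    b.lenient = fmt_into(buf, sizeof(buf), 0, "%s", msg);
    b.stored = strlen(buf);                 /* 15: the 'f' made room for the NUL */
    return b;
}

/* SSH identification string: SSH-protoversion-softwareversion [SP comments] CR LF,
 * at most 255 bytes including CR LF. No message number: it is the first line on
 * the wire and is recognised only by its prefix. Any other line arriving first
 * (a server banner) is not an identification string and is skipped. */
struct ssh_ident { bool valid; char proto[16]; char software[64]; char comments[128]; };

static bool copy_field(char *dst, size_t dstsz, const char *src, size_t n)
{
    if (n == 0 || n >= dstsz)
        return false;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return true;
}

static struct ssh_ident parse_ssh_ident(const char *line)
{
    struct ssh_ident id;
    size_t n = strlen(line);
    const char *p, *end, *dash, *sp;

    memset(&id, 0, sizeof(id));
    while (n > 0 && (line[n - 1] == '\n' || line[n - 1] == '\r'))
        n--;                                /* strip CR LF; a bare LF is tolerated */
    if (n > 253 || strncmp(line, "SSH-", 4) != 0)
        return id;
    p = line + 4;
    end = line + n;
    dash = memchr(p, '-', (size_t)(end - p));
    if (dash == NULL || !copy_field(id.proto, sizeof(id.proto), p, (size_t)(dash - p)))
        return id;
    p = dash + 1;
    sp = memchr(p, ' ', (size_t)(end - p));
    if (!copy_field(id.software, sizeof(id.software), p, (size_t)((sp ? sp : end) - p)))
        return id;
    if (sp != NULL && sp + 1 < end &&
        !copy_field(id.comments, sizeof(id.comments), sp + 1, (size_t)(end - sp - 1)))
        return id;
    id.valid = true;
    return id;
}

/* Build an identification line into bufsz bytes with the strict check, then
 * parse it back. Returns 1 on an intact round trip, 0 if it did not fit. */
static int ident_roundtrip(size_t bufsz, const char *proto, const char *software)
{
    char buf[256];
    struct fmt_result r;
    struct ssh_ident id;

    if (bufsz > sizeof(buf))
        bufsz = sizeof(buf);
    r = fmt_into(buf, bufsz, 1, "SSH-%s-%s\r\n", proto, software);
    if (r.truncated)
        return 0;
    id = parse_ssh_ident(buf);
    return id.valid && strcmp(id.proto, proto) == 0 && strcmp(id.software, software) == 0;
}

/* Parse a constructed line and compare every field. */
static int ident_matches(const char *line, const char *proto,
                         const char *software, const char *comments)
{
    struct ssh_ident id = parse_ssh_ident(line);
    return id.valid && strcmp(id.proto, proto) == 0 &&
           strcmp(id.software, software) == 0 && strcmp(id.comments, comments) == 0;
}
```

On the boundary case the strict check reports the message as truncated and 15 characters stored; the lenient check reports 16 characters and no truncation, although only 15 reached the buffer, which is the off-by-one Niels points out. Frank's caveat is handled by the `len < 0` branch only for libcs that return -1 on truncation; a libc that returns the count actually written can never return more than bufsz - 1, so neither comparison detects truncation there and the only portable signal is a return value of bufsz - 1 combined with a check that the output did not end where the format did.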
From: phil-openssh-unix-dev at ipal.net (Phil Howard) Date: Wed, 26 Jun 2002 00:57:12 -0500 Subject: final build. In-Reply-To: References: <20020626040931.GD12786@vega.ipal.net> Message-ID: <20020626055712.GE12786@vega.ipal.net> On Tue, Jun 25, 2002 at 11:01:01PM -0500, Ben Lindstrom wrote: | Do note this is a test snapshot. Don't get comfortable, and what static | issues are left? The stock 3.3p1 works for me, too. I guess it's the 2.4.18 kernel that makes the difference. fpr mmap(), through I don't understand yet what that difference is supposed to be. I'm still trying to figure out what code is running in the privsep child. As for the static, I tried applying the patch you posted for 3.2.3p1 that was changing the getopt() calls around to avoid a conflict with getopt() from glibc. Apparently something else (in openssl or zlib, maybe) was referencing something in getopt() that the OpenBSD flavor included in OpenSSH didn't have, so the glibc version got loaded, too. The current error message stopping the static compile is: ============================================================================= gcc -g -O2 -Wall -Wno-uninitialized -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c ssh-agent.c ssh-agent.c: In function `main': ssh-agent.c:975: `BSDoptarg' undeclared (first use in this function) ssh-agent.c:975: (Each undeclared identifier is reported only once ssh-agent.c:975: for each function it appears in.) make: *** [ssh-agent.o] Error 1 make failed ============================================================================= I don't need to have static executeables immediately. 
But I do need to be on static executables by the next time OpenSSL needs to be upgraded. I have a lot of remote servers to manage and I use SSH to access them. It is not practical to go driving around to each site to make changes on the console (would take about 2-3 days to do that now). And that's with the 20 I have now all local. The number is expanding and will soon have most out of town. I need to perfect the install from remote procedure. The procedure I use now is to have multiple instances of sshd running on different ports. I take down one of the ports and update its executable and restart it, then test it. While each works, this continues until all the port instances are upgraded. If the executables are static this works cleanly. If the executables are dynamic, this works cleanly if the change does not involve the libraries sshd uses. If the libraries are updated, this frequently clobbers the running processes. If the library updates create a new version number, this is not a problem as the old version is still present (until I clean it out later). The big problem is that OpenSSL does not name the libraries according to their packaging version. So the library name for 0.9.6c has 0.9.6, and then when the upgrade to 0.9.6d is done, it clobbers the previous library and all the sshd daemons listening on all the ports will seg fault and then I'm locked out of access (except for 2 servers where I have dialup serial console). The install program, which almost every package uses to install files into the system, is broken in principle because it opens the existing file, truncates it, then writes the new binary data. For executables, I get "Text file busy". But libraries are not locked, and do get clobbered.
I'm now experimenting with some scripts to pre-build everything on a central machine under chroot, extract the appropriate files (the script figures this out), distribute those to remote machines (rsync via ssh), then run another script to "install" the selected files by means of copying to a temporary name in the appropriate directory and doing mv -f to replace. However, this is still running into library problems that I have not yet fully determined, but it seems that when a file that is memory mapped, but not open, is fully unlinked, it really goes away. Do that to a library which needs to get swapped in and you still get a seg fault or some other error. I think my next step is to make my installer script more sophisticated and instead of just replacing a file with mv -f, it first links that file to an "-old" name, then does the mv -f (and thus no process ever sees an absent file). Maybe if ld.so and libdl were to use the flag MAP_EXECUTABLE on mmap() calls to load libraries, some of this might have been less of a problem. | On Tue, 25 Jun 2002, Phil Howard wrote: | | > On Tue, Jun 25, 2002 at 08:52:13PM -0500, Ben Lindstrom wrote: | > | > | http://www.eviladmin.org/~mouring/openssh.tar.gz | > | > Works for me on: | > Slackware-8.0 (modified) | > Linux 2.4.18 | > Glibc 2.2.3 | > OpenSSL 0.9.6d | > Zlib 1.1.4 | > I simply started up the daemon and connected to it from the same | > machine, and also from another machine running 3.2.3p1. I also | > cross checked that its client will still connect to 3.2.3p1 (so | > I can do upgrades of all my remote servers once I figure out how | > to get a clean static compile).
| > | > -- | > ----------------------------------------------------------------- | > | Phil Howard - KA9WGN | Dallas | http://linuxhomepage.com/ | | > | phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/ | | > ----------------------------------------------------------------- | > | | _______________________________________________ | openssh-unix-dev at mindrot.org mailing list | http://www.mindrot.org/mailman/listinfo/openssh-unix-dev -- ----------------------------------------------------------------- | Phil Howard - KA9WGN | Dallas | http://linuxhomepage.com/ | | phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/ | ----------------------------------------------------------------- From dtucker at zip.com.au Wed Jun 26 16:38:08 2002 
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 26 Jun 2002 16:38:08 +1000 Subject: final build. References: <20020626040931.GD12786@vega.ipal.net> <20020626055712.GE12786@vega.ipal.net> Message-ID: <3D196150.6905DAB4@zip.com.au> Phil Howard wrote: > The current error message stopping the static compile is: > > ============================================================================= > gcc -g -O2 -Wall -Wno-uninitialized -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c ssh-agent.c > ssh-agent.c: In function `main': > ssh-agent.c:975: `BSDoptarg' undeclared (first use in this function) > ssh-agent.c:975: (Each undeclared identifier is reported only once > ssh-agent.c:975: for each function it appears in.) > make: *** [ssh-agent.o] Error 1 > make failed Adding "extern char *optarg;" to ssh-agent.c fixed a similar error building on AIX. This is in -cvs and Ben's test tarballs but not 3.3p1. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From kaukasoi at elektroni.ee.tut.fi Wed Jun 26 16:46:19 2002 
From: kaukasoi at elektroni.ee.tut.fi (Petri Kaukasoina) Date: Wed, 26 Jun 2002 09:46:19 +0300 Subject: final build. In-Reply-To: <20020626055712.GE12786@vega.ipal.net> References: <20020626040931.GD12786@vega.ipal.net> <20020626055712.GE12786@vega.ipal.net> Message-ID: <20020626064619.GB31169@elektroni.ee.tut.fi> On Wed, Jun 26, 2002 at 12:57:12AM -0500, Phil Howard wrote: > So the library name for 0.9.6c has 0.9.6, and then > when the upgrade to 0.9.6d is done, it clobbers the previous library > and all the sshd daemons listening on all the ports will seg fault Hi. I think it's not a good idea to use shared openssl library before openssl stabilizes. openssl's INSTALL: Shared library is currently an experimental feature. The only reason to have them would be to conserve memory on systems where several program are using OpenSSL. Binary backward compatibility can't be guaranteed before OpenSSL version 1.0. If you remove your /usr/lib/libcrypto.so symbolic link then openssh links that library statically even though it links other libraries dynamically. From kouril at ics.muni.cz Wed Jun 26 16:47:54 2002 From: kouril at ics.muni.cz (Daniel Kouril) Date: Wed, 26 Jun 2002 08:47:54 +0200 Subject: Using Kerberos5 in 3.3p1 Message-ID: <20020626084754.A23936@odorn.ics.muni.cz> Hello all, I'm not able to get Kerberos5 authentication to work together with PrivSep. According to strace, it seems that the kerberos authentication stage is performed by the user process in a chrooted environment. The problem is that Kerberos authentication must be done by root. Is anybody working on a fix? (or am I missing something in configuration?) Thanks for any advice. -- Dan From marek at bmlv.gv.at Wed Jun 26 16:58:12 2002
From: marek at bmlv.gv.at (Ph. Marek) Date: Wed, 26 Jun 2002 08:58:12 +0200 Subject: Using SSH as "su"-substitute In-Reply-To: <200206260135.10079.xbud@g0thead.com> References: <200206251027.25009.marek@bmlv.gv.at> <200206260135.10079.xbud@g0thead.com> Message-ID: <200206260858.12973.marek@bmlv.gv.at> On Wednesday 26 June 2002 08:35, orlando wrote: > Wouldn't > ssh root@ "command as root" > > accomplish this? Yes, it would. But at the overhead of an ssh process, a new chain of sshd and subprocesses, losing all environment, and encryption/decryption of all data via loopback. That's why I suggest doing a ssh-su which avoids all these and just uses ssh keys or the agent to verify the authorization. Regards, Phil From djm at mindrot.org Wed Jun 26 17:20:15 2002 From: djm at mindrot.org (Damien Miller) Date: 26 Jun 2002 17:20:15 +1000 Subject: Using SSH as "su"-substitute In-Reply-To: <200206260858.12973.marek@bmlv.gv.at> References: <200206251027.25009.marek@bmlv.gv.at> <200206260135.10079.xbud@g0thead.com> <200206260858.12973.marek@bmlv.gv.at> Message-ID: <1025076016.5532.27.camel@xenon> On Wed, 2002-06-26 at 16:58, Ph. Marek wrote: > That's why I suggest doing a ssh-su which avoids all these and just uses ssh > keys or the agent to verify the authorization. Better yet - patch sudo to understand authorized_keys and to query a ssh-agent. -d From vinschen at redhat.com Wed Jun 26 17:50:27 2002
From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 26 Jun 2002 09:50:27 +0200 Subject: Upcoming OpenSSH vulnerability In-Reply-To: <20020626022412.GC12786@vega.ipal.net> References: <3D18E4D7.3E9AECDE@anl.gov> <15641.510.429570.494980@darkwing.uoregon.edu> <20020626022412.GC12786@vega.ipal.net> Message-ID: <20020626095027.K22705@cygbert.vinschen.de> On Tue, Jun 25, 2002 at 09:24:12PM -0500, Phil Howard wrote: > On Tue, Jun 25, 2002 at 04:51:26PM -0700, Steve VanDevender wrote: > > | I think it's good that Theo put out the alert and said that privilege > | separation (on the platforms where it works) will prevent the exploit. > | I don't think it's realistic to expect that everyone can rush privilege > | separation into production as a means of addressing this problem. You > | can complain that vendors should have helped you get this working > | earlier, but it doesn't surprise me that most haven't responded without > | a major incentive to do so. > > Apparently the non-portable OpenSSH has had this feature working > for a while. Given it is a security feature, it's really wrong > that vendors have failed to get it working on their platforms. > Security in and of itself should be the major incentive to do so. > Why should the authors of OpenSSH be the only ones to be expected > to address security issues in a timely manner? And even if they > do, how can they be expected to make source patches that work > universally if there are crippled versions of OpenSSH ported to > certain platforms which can make these patches not work? What > better incentive can you think of to get them to budge but a real > live security situation? If they can't respond to that, then it > is time to write them off as another MSFT-wannabe. You're living in an ideal world, right? Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From gert at greenie.muc.de Wed Jun 26 17:55:50 2002
From: gert at greenie.muc.de (Gert Doering) Date: Wed, 26 Jun 2002 09:55:50 +0200 Subject: final build. In-Reply-To: ; from mouring@etoh.eviladmin.org on Tue, Jun 25, 2002 at 08:52:13PM -0500 References: Message-ID: <20020626095550.N18668@greenie.muc.de> Hi, On Tue, Jun 25, 2002 at 08:52:13PM -0500, Ben Lindstrom wrote: > If there are any issues that are not marked as known. Let us know ASAP. sco3.2v4 needs BROKEN_FD_PASSING as well (that is: it doesn't *have* FD passing, so I assume it has to be defined as "BROKEN"). gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From marek at bmlv.gv.at Wed Jun 26 18:09:46 2002 From: marek at bmlv.gv.at (Ph. Marek) Date: Wed, 26 Jun 2002 10:09:46 +0200 Subject: using block devices as harddisks Message-ID: <200206261009.46129.marek@bmlv.gv.at> Hello everybody, I'm currently working to get bochs to support block devices (eg. /dev/hda) as harddisks. I downloaded the current release http://prdownloads.sourceforge.net/bochs/bochs-1.4.tar.gz and found that size detection doesn't work. Here's a patch to get the detection working. But I got another problem: the bios won't boot if there are more than 15 heads! Is there another bios which support 255 heads? the parameter "newharddrivesupport" doesn't work (of course - that's a bochs parameter, but the bios is another point) I'd need to have something along the lines spt=63, heads=255, cyls=1023 Can somebody help me please? Regards, Phil diff -urN bochs-1.4.orig/iodev/harddrv.cc bochs-1.4/iodev/harddrv.cc --- bochs-1.4.orig/iodev/harddrv.cc Mon Mar 25 02:47:14 2002 +++ bochs-1.4/iodev/harddrv.cc Wed Jun 26 09:42:51 2002 
@@ -2779,6 +2779,20 @@ if (ret) { BX_PANIC(("fstat() returns error!")); } + if (S_ISBLK(stat_buf.st_mode)) + { +/* it's a block device. st_size will be 0, so set it to the correct size. */ + if (ioctl(fd_table[i],BLKGETSIZE,&(stat_buf.st_size))==-1) + BX_PANIC(("size of block device %s can't be read",pathname)); + if (stat_buf.st_size > (0x7ffffff/512)) + { + BX_ERROR(("size of disk image is too big, rounded down")); + stat_buf.st_size=0x7ffffe00; /* maximum size without overflow */ + } + else + stat_buf.st_size*=512; /* returned value is sectors */ + /* what about an overflow here? should possibly use fstat64 */ + } if ((stat_buf.st_size % 512) != 0) { BX_PANIC(("size of disk image must be multiple of 512 bytes")); } diff -urN bochs-1.4.orig/bochs.h bochs-1.4/bochs.h --- bochs-1.4.orig/bochs.h Tue Mar 26 14:59:36 2002 +++ bochs-1.4/bochs.h Wed Jun 26 09:34:59 2002 @@ -58,6 +58,7 @@ #else # ifndef WIN32 # include +# include # endif # include # include From erik at debian.franken.de Wed Jun 26 18:19:42 2002 From: erik at debian.franken.de (Erik Tews) Date: Wed, 26 Jun 2002 10:19:42 +0200 Subject: Problem with openssh on linux 2.0.34 mips Message-ID: <20020626081942.GN15393@no-maam.dyndns.org> Hi I tried to compile openssh 3.3p1 on a linux 2.0.34 mips system. First I was not able to compile it at all, but then I added the following line to monitor_fdpass.c #define SCM_RIGHTS 0x01 Then it compiled fine, but I am not able to log in. After having entered the password I get the following message in the logfile: Jun 25 20:25:46 raq2 sshd[16129]: fatal: mm_receive_fd: expected type 1 got 269726544 Can anybody guess what that means or has somebody got openssh running on such an old system on similar hardware? Compression is turned off. Are there any configuration options I should try? From joel at ionix.com.au Wed Jun 26 18:49:40 2002 
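Review bot: the overflow guard in the new S_ISBLK block of harddrv.cc compares against the wrong constant. `if (stat_buf.st_size > (0x7ffffff/512))` tests the sector count against 0x7ffffff (128 MB worth of sectors), but the clamp it protects, `stat_buf.st_size=0x7ffffe00;`, is just under 2 GB, so any block device larger than 128 MB is reported as "too big" and then presented to the guest as a 2 GB disk, which for anything between 128 MB and 2 GB is rounding up, not down; the threshold should be 0x7fffffff/512 to match the clamp. Clamping at all is risky, since a guest that believes the disk is 2 GB will write beyond the real end of a smaller device, so BX_PANIC (refuse the device) is the safer response than the BX_ERROR used here. Two smaller points in the same hunk: `ioctl(fd_table[i],BLKGETSIZE,&(stat_buf.st_size))` stores the ioctl's unsigned long straight into an off_t, and where off_t is 64 bits that 32-bit write fills only half the field (the comment about fstat64 is pointing at the same problem), so read into a local unsigned long and assign; and BLKGETSIZE is Linux-only while this branch is compiled on every non-Windows platform, so wrap it in `#ifdef __linux__`.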
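Review bot: the header added to bochs.h under `# ifndef WIN32` (its name is lost in this archive copy, but it is presumably what declares BLKGETSIZE for the harddrv.cc hunk) is Linux-specific, so every non-Windows, non-Linux build of bochs now fails at this include; narrow the guard to `# ifdef __linux__`, or add a configure check, so that the header and the ioctl that needs it are compiled in together only where they exist.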
From: joel at ionix.com.au (Joel Sing) Date: Wed, 26 Jun 2002 18:49:40 +1000 Subject: OpenSSH 3.3, OpenSSL 0.9.6d and OpenBSD 2.7 Message-ID: <5.1.0.14.0.20020626184321.02429700@mail.origin.net.au> Hi All, Just spent a number of hours fighting with the above combination of operating system, crypto library and OpenSSH. Password authentication kept failing and it took a number of hours to nut out the problem. It turns out that the OpenBSD/libc version of crypt (which supports Blowfish, MD5 and DES) wasn't being used, instead the version found in libcrypto was being utilised. The following change soon corrected the problem: ssh/sshd/Makefile +LDFLAGS+=-lc Hope this will save someone else the time and effort in debugging the problem :) Cheers, Joel PS. Many thanks to the OpenSSH team for providing such a brilliant suite of software! OpenSSH rocks!!! -------------------------------------------------------------------------- => Joel Sing | joel at ionix.com.au | 0419 577 603 <= -------------------------------------------------------------------------- "Never ascribe to malice, that which can be explained by incompetence." From b.courtin at t-online.net Wed Jun 26 18:47:32 2002
From: b.courtin at t-online.net (Courtin Bert) Date: Wed, 26 Jun 2002 10:47:32 +0200 Subject: debug output when ssh'ing a remote host Message-ID: <60F1F87A64834D45A1EBAE9618305FB86ECCC7@qeo00200> Hi list, I'm not sure whether this (see below) is a "bug" or a feature but as I cannot find any information on this either in the INSTALL file or via ./configure --help or somewhere else, I would like to ask you whether there is an answer to my question. Thanx a lot & kind regards - have a nice day, B. Courtin Question: --------- I lately updated from OpenSSH 3.0.1p1 to OpenSSH 3.3p1 by compiling the sources on my solaris 2.8 box with gcc. Everything works fine except one thing that sort of annoys me: When ssh'ing (or scp'ing) a host I get debug output even when I haven't specified the "-v" option (see below). What causes this behaviour, or how can I stop ssh behaving this way? Recompile with some other config option? (btw: I used "./configure --prefix=/opt/OpenSSH --sysconfdir=/etc/ssh") I appreciate your feedback. x at y # /opt/OpenSSH/bin/ssh -l root somehost debug: Forwarding authentication connection. debug: channel 0: new [authentication agent connection] debug: channel 0: OUTPUT_OPEN -> OUTPUT_WAIT_DRAIN [rvcd IEOF] debug: channel 0: OUTPUT_WAIT_DRAIN -> OUTPUT_CLOSED [obuf empty, send OCLOSE] debug: channel 0: shutdown_write debug: channel 0: INPUT_OPEN -> INPUT_WAIT_DRAIN [read failed] debug: channel 0: shutdown_read debug: channel 0: INPUT_WAIT_DRAIN -> INPUT_WAIT_OCLOSE [inbuf empty, send IEOF] debug: channel 0: INPUT_WAIT_OCLOSE -> INPUT_CLOSED [rcvd OCLOSE] debug: channel 0: full closed Last login: Wed Jun 26 10:43:51 2002 from antherhost Sun Microsystems Inc.
SunOS 5.8 Generic February 2000 # ------------------------------------- ./configure reported: Host: sparc-sun-solaris2.8 Compiler: gcc Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized Preprocessor flags: -I/usr/local/include Linker flags: -L/usr/local/lib -R/usr/local/lib Libraries: -lz -lsocket -lnsl -lcrypto ------------------------------------- From dtucker at zip.com.au Wed Jun 26 18:58:12 2002 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 26 Jun 2002 18:58:12 +1000 Subject: Problem with openssh on linux 2.0.34 mips References: <20020626081942.GN15393@no-maam.dyndns.org> Message-ID: <3D198224.4D57D523@zip.com.au> Erik Tews wrote: > Jun 25 20:25:46 raq2 sshd[16129]: fatal: mm_receive_fd: expected type 1 > got 269726544 > > Can anybody guess what that means or has somebody got openssh running on > such an old system on similar hardware? Compression is turned off. Are > there any configuration options I should try? Try "UsePrivilegeSeparation no". 3.3p1 works for me on 2.0.36/i386 with privsep off. With privsep on and compression off I get: mm_receive_fd: expected type 1 got 1074194385 -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From tusker at tusker.org Wed Jun 26 19:03:59 2002
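Added example, not OpenSSH code, for the descriptor passing that the monitor/child split depends on (the "mm_receive_fd: expected type 1 got ..." failures Erik and Darren report above, and the sendmsg/recvmsg discussion later in this thread): the data byte of the message carries a type tag and the descriptor itself travels as SCM_RIGHTS ancillary data, so a receiver can distinguish "wrong message kind", "tag says fd but nothing attached" and a genuine descriptor. The tag value 1, the socketpair round trip and the pipe are this example's own choices; it assumes a kernel and libc with working SCM_RIGHTS, which is the piece the older and non-POSIX platforms in this thread are missing.

```c
/* Added example, not OpenSSH code: pass a file descriptor over a Unix
 * socket with sendmsg/recvmsg and SCM_RIGHTS, with a one-byte type tag
 * in the data part so the receiver can check it got the message kind it
 * expected (the check behind "mm_receive_fd: expected type 1 got ...").
 * Assumes a kernel and libc with working SCM_RIGHTS (Linux, the BSDs). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>

#define MSG_TYPE_FD 1   /* our tag: "this message carries a descriptor" */

/* Control buffer sized for exactly one int of SCM_RIGHTS payload. */
union fd_cmsg { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Send fd over sock, tagged.  Returns 0 on success, -1 on error. */
int send_fd(int sock, int fd)
{
    struct msghdr msg;
    struct iovec vec;
    struct cmsghdr *cmsg;
    union fd_cmsg cm;
    char tag = MSG_TYPE_FD;

    memset(&msg, 0, sizeof msg);
    memset(&cm, 0, sizeof cm);
    vec.iov_base = &tag;   vec.iov_len = 1;
    msg.msg_iov = &vec;    msg.msg_iovlen = 1;
    msg.msg_control = &cm; msg.msg_controllen = sizeof cm;
    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor.  Returns the new fd, or -1 if the tag is wrong,
 * the control data was truncated, or no SCM_RIGHTS payload came along. */
int receive_fd(int sock)
{
    struct msghdr msg;
    struct iovec vec;
    struct cmsghdr *cmsg;
    union fd_cmsg cm;
    char tag = 0;
    int fd;

    memset(&msg, 0, sizeof msg);
    memset(&cm, 0, sizeof cm);
    vec.iov_base = &tag;   vec.iov_len = 1;
    msg.msg_iov = &vec;    msg.msg_iovlen = 1;
    msg.msg_control = &cm; msg.msg_controllen = sizeof cm;
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    if (tag != MSG_TYPE_FD) {           /* the "expected type 1 got N" case */
        fprintf(stderr, "receive_fd: expected type %d got %d\n", MSG_TYPE_FD, tag);
        return -1;
    }
    if (msg.msg_flags & MSG_CTRUNC)
        return -1;
    cmsg = CMSG_FIRSTHDR(&msg);
    if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS
        || cmsg->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;                      /* tag said "fd" but none was attached */
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* Round trip over a socketpair: pass the write end of a pipe, write
 * through the received copy, read it back from the pipe.  1 on success. */
int demo_fd_passing(void)
{
    int sv[2], p[2], got = -1, ok = 0;
    char buf[8];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || pipe(p) == -1)
        return 0;
    if (send_fd(sv[0], p[1]) == 0 && (got = receive_fd(sv[1])) != -1) {
        ok = got != p[1]                /* the kernel installed a new number */
            && write(got, "hi", 2) == 2
            && read(p[0], buf, sizeof buf) == 2
            && memcmp(buf, "hi", 2) == 0;
        close(got);
    }
    close(p[0]); close(p[1]); close(sv[0]); close(sv[1]);
    return ok;
}

/* A stray byte that is not the fd tag must be refused, not turned into
 * a descriptor.  1 if receive_fd rejects it. */
int demo_bad_tag(void)
{
    int sv[2], got;
    char junk = 7;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || write(sv[0], &junk, 1) != 1)
        return 0;
    got = receive_fd(sv[1]);
    close(sv[0]); close(sv[1]);
    return got == -1;
}
```

`demo_fd_passing` and `demo_bad_tag` each return 1 on success. The three separate checks in `receive_fd` matter for a privilege-separated daemon: on a platform where SCM_RIGHTS is absent or emulated, the data byte arrives but the ancillary part does not, and a receiver that only tested the tag would go on to use whatever happened to be in the control buffer as a descriptor number.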
From: tusker at tusker.org (Damien Mascord) Date: Wed, 26 Jun 2002 19:03:59 +1000 (EST) Subject: using block devices as harddisks In-Reply-To: <200206261009.46129.marek@bmlv.gv.at> References: <200206261009.46129.marek@bmlv.gv.at> Message-ID: <48470.192.169.41.41.1025082239.squirrel@tusker.org> uhmm... what does this have to do with openssh?... > Hello everybody, > > I'm currently working to get bochs to support block devices (eg. > /dev/hda) as harddisks. > I downloaded the current release > http://prdownloads.sourceforge.net/bochs/bochs-1.4.tar.gz > and found that size detection doesn't work. > > Here's a patch to get the detection working. > > But I got another problem: the bios won't boot if there are more than > 15 heads! Is there another bios which support 255 heads? the parameter > "newharddrivesupport" doesn't work (of course - that's a bochs > parameter, but the bios is another point) > I'd need to have something along the lines spt=63, heads=255, cyls=1023 > > > Can somebody help me please? > > > Regards, > > Phil > > > > > diff -urN bochs-1.4.orig/iodev/harddrv.cc bochs-1.4/iodev/harddrv.cc > --- bochs-1.4.orig/iodev/harddrv.cc Mon Mar 25 02:47:14 2002 > +++ bochs-1.4/iodev/harddrv.cc Wed Jun 26 09:42:51 2002 
> @@ -2779,6 +2779,20 @@ > if (ret) { > BX_PANIC(("fstat() returns error!")); > } > + if (S_ISBLK(stat_buf.st_mode)) > + { > +/* it's a block device. st_size will be 0, so set it to the correct > size. */ + if > (ioctl(fd_table[i],BLKGETSIZE,&(stat_buf.st_size))==-1) > + BX_PANIC(("size of block device %s can't be read",pathname)); > + if (stat_buf.st_size > (0x7ffffff/512)) > + { > + BX_ERROR(("size of disk image is too big, rounded down")); + > stat_buf.st_size=0x7ffffe00; /* maximum size without overflow */ + > } > + else > + stat_buf.st_size*=512; /* returned value is sectors */ > + /* what about an overflow here? should possibly use fstat64 */ + > } > if ((stat_buf.st_size % 512) != 0) { > BX_PANIC(("size of disk image must be multiple of 512 bytes")); > } > diff -urN bochs-1.4.orig/bochs.h bochs-1.4/bochs.h > --- bochs-1.4.orig/bochs.h Tue Mar 26 14:59:36 2002 > +++ bochs-1.4/bochs.h Wed Jun 26 09:34:59 2002 > @@ -58,6 +58,7 @@ > #else > # ifndef WIN32 > # include > +# include > # endif > # include > # include > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From gert at greenie.muc.de Wed Jun 26 19:09:48 2002 
From: gert at greenie.muc.de (Gert Doering) Date: Wed, 26 Jun 2002 11:09:48 +0200 Subject: final build. In-Reply-To: <20020626095550.N18668@greenie.muc.de>; from gert@greenie.muc.de on Wed, Jun 26, 2002 at 09:55:50AM +0200 References: <20020626095550.N18668@greenie.muc.de> Message-ID: <20020626110948.P18668@greenie.muc.de> Hi, On Wed, Jun 26, 2002 at 09:55:50AM +0200, Gert Doering wrote: > On Tue, Jun 25, 2002 at 08:52:13PM -0500, Ben Lindstrom wrote: > > If there are any issues that are not marked as known. Let us know ASAP. > > sco3.2v4 needs BROKEN_FD_PASSING as well (that is: it doesn't *have* > FD passing, so I assume it has to be defined as "BROKEN"). ok - forget about SCO 3.2v4.2 for this release. The code in monitor.c still uses socketpair(), which does not exist on SCO 3.2v4.x, and it will take a while to change that to use pipes. As I seem to be the last remaining SCO 3.2v4.x user (at least the last one that publically voices this fact), just ignore this issue for the moment - I will find a workaround, and the next release can then get a proper fix. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From phil-openssh-unix-dev at ipal.net Wed Jun 26 19:18:48 2002 
From: phil-openssh-unix-dev at ipal.net (Phil Howard) Date: Wed, 26 Jun 2002 04:18:48 -0500 Subject: Upcoming OpenSSH vulnerability In-Reply-To: <20020626095027.K22705@cygbert.vinschen.de> References: <3D18E4D7.3E9AECDE@anl.gov> <15641.510.429570.494980@darkwing.uoregon.edu> <20020626022412.GC12786@vega.ipal.net> <20020626095027.K22705@cygbert.vinschen.de> Message-ID: <20020626091848.GG12786@vega.ipal.net> On Wed, Jun 26, 2002 at 09:50:27AM +0200, Corinna Vinschen wrote: | On Tue, Jun 25, 2002 at 09:24:12PM -0500, Phil Howard wrote: | > On Tue, Jun 25, 2002 at 04:51:26PM -0700, Steve VanDevender wrote: | > | > | I think it's good that Theo put out the alert and said that privilege | > | separation (on the platforms where it works) will prevent the exploit. | > | I don't think it's realistic to expect that everyone can rush privilege | > | separation into production as a means of addressing this problem. You | > | can compain that vendors should have helped you get this working | > | earlier, but it doesn't surprise me that most haven't responded without | > | a major incentive to do so. | > | > Apparently the non-portable OpenSSH has had this feature working | > for a while. Given it is a security feature, it's really wrong | > that vendors have failed to get it working on their platforms. | > Security in and of itself should be the major incentive to do so. | > Why should the authors of OpenSSH be the only ones to be expected | > to address security issues in a timely manner? And even if they | > do, how can they be expected to make source patches that work | > universally if there are crippled versions of OpenSSH ported to | > certain platforms which can make these patches not work? What | > better incentive can you think of to get them to budge but a real | > live security situation? If they can't respond to that, then it | > is time to write them off as another MSFT-wannabe. | | You're living in an ideal world, right? 
It depends on whose definition you want to use. Bill Gates' definition? How long has the opportunity to port privilege separation been there? -- ----------------------------------------------------------------- | Phil Howard - KA9WGN | Dallas | http://linuxhomepage.com/ | | phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/ | ----------------------------------------------------------------- From djm at mindrot.org Wed Jun 26 19:35:14 2002 From: djm at mindrot.org (Damien Miller) Date: 26 Jun 2002 19:35:14 +1000 Subject: [Fwd: Kerberos buglet in OpenSSH-3.3p1] Message-ID: <1025084114.12959.0.camel@mothra.mindrot.org> Can anyone with Heimdal KrbV verify this? -------------- next part -------------- An embedded message was scrubbed... From: Dag-Erling Smorgrav Subject: Kerberos buglet in OpenSSH-3.3p1 Date: 25 Jun 2002 14:52:10 +0200 Size: 1291 Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020626/347e123e/attachment.mht From phil-openssh-unix-dev at ipal.net Wed Jun 26 19:28:52 2002 
From: phil-openssh-unix-dev at ipal.net (Phil Howard) Date: Wed, 26 Jun 2002 04:28:52 -0500 Subject: final build. In-Reply-To: <20020626064619.GB31169@elektroni.ee.tut.fi> References: <20020626040931.GD12786@vega.ipal.net> <20020626055712.GE12786@vega.ipal.net> <20020626064619.GB31169@elektroni.ee.tut.fi> Message-ID: <20020626092852.GH12786@vega.ipal.net> On Wed, Jun 26, 2002 at 09:46:19AM +0300, Petri Kaukasoina wrote: | On Wed, Jun 26, 2002 at 12:57:12AM -0500, Phil Howard wrote: | | > So the library name for 0.9.6c has 0.9.6, and then | > when the upgrade to 0.9.6d is done, it clobbers the previous library | > and all the sshd daemons listening on all the ports will seg fault | | Hi. I think it's not a good idea to use shared openssl library before | openssl stabilizes. openssl's INSTALL: | | Shared library is currently an experimental feature. The only reason to | have them would be to conserve memory on systems where several program | are using OpenSSL. Binary backward compatibility can't be guaranteed | before OpenSSL version 1.0. | | If you remove your /usr/lib/libcrypto.so symbolic link then openssh links | that library statically even though it links other libraries dynamically. That does not seem to be happening. Is there an option to tell the configure script to just assume it is missing? At whatever point in the configure logic it makes that determination, it should have an option to specifically override. I could not find it when I looked a few OpenSSH versions back. -- ----------------------------------------------------------------- | Phil Howard - KA9WGN | Dallas | http://linuxhomepage.com/ | | phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/ | ----------------------------------------------------------------- From vinschen at redhat.com Wed Jun 26 19:44:59 2002 
From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 26 Jun 2002 11:44:59 +0200 Subject: Upcoming OpenSSH vulnerability In-Reply-To: <20020626091848.GG12786@vega.ipal.net> References: <3D18E4D7.3E9AECDE@anl.gov> <15641.510.429570.494980@darkwing.uoregon.edu> <20020626022412.GC12786@vega.ipal.net> <20020626095027.K22705@cygbert.vinschen.de> <20020626091848.GG12786@vega.ipal.net> Message-ID: <20020626114459.R22705@cygbert.vinschen.de> On Wed, Jun 26, 2002 at 04:18:48AM -0500, Phil Howard wrote: > On Wed, Jun 26, 2002 at 09:50:27AM +0200, Corinna Vinschen wrote: > | On Tue, Jun 25, 2002 at 09:24:12PM -0500, Phil Howard wrote: > | > live security situation? If they can't respond to that, then it > | > is time to write them off as another MSFT-wannabe. > | > | You're living in an ideal world, right? > > It depends on whose definition you want to use. Bill Gates' definition? I'm working for Red Hat so it should be obvious that I don't follow Bill Gates' definition. Especially I don't think that this is a valid comment. We don't talk about good and bad or correct and incorrect. > How long has the opportunity to port privilege separation been there? It's not privilege separation since that doesn't have to be ported. It's the OS-dependent concepts used by privilege separation. Regardless of what you or I think about the different concepts of Windows and POSIX systems, it's (not only) Cygwin's problem to get the POSIX concepts working on a platform which is pretty different. E. g. the concept of descriptor passing. It's known on Windows systems and it's probably no problem to get that working on systems which are lacking any security concept (9x/Me). It is a problem, though, to fit the Windows concept of handle passing into the POSIX concept of descriptor passing using sendmsg/recvmsg. The problem is that the Windows concept requires the involved processes to have knowledge of and permissions on each other, which is something hidden in the kernel on POSIX systems.
Again, this isn't a question of good or bad, correct or incorrect, it's just a question of being different. In this case, the differences are so that we still don't have an implementation of descriptor passing using sendmsg/recvmsg in Cygwin. That's unfortunate and we're working on that (still discussing the best way to do it) but you won't change that in a minute. Another concept is chroot. This isn't known at all on Windows systems. So our implementation is just a fake. But due to that restriction in the underlying OS *we depend on* we have no other way to accomplish a chroot. So what? Do you just shrug and disallow Windows users the usage of sshd since you don't like the concept of the OS? I'd find this attitude somewhat ignorant but I still hope that you actually don't mean it that way. Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From kaukasoi at elektroni.ee.tut.fi Wed Jun 26 19:46:16 2002 
From: kaukasoi at elektroni.ee.tut.fi (Petri Kaukasoina) Date: Wed, 26 Jun 2002 12:46:16 +0300 Subject: final build. In-Reply-To: <20020626092852.GH12786@vega.ipal.net> References: <20020626040931.GD12786@vega.ipal.net> <20020626055712.GE12786@vega.ipal.net> <20020626064619.GB31169@elektroni.ee.tut.fi> <20020626092852.GH12786@vega.ipal.net> Message-ID: <20020626094616.GA793@elektroni.ee.tut.fi> On Wed, Jun 26, 2002 at 04:28:52AM -0500, Phil Howard wrote: > On Wed, Jun 26, 2002 at 09:46:19AM +0300, Petri Kaukasoina wrote: > | If you remove your /usr/lib/libcrypto.so symbolic link then openssh links > | that library statically even though it links other libraries dynamically. > > That does not seem to be happening. I don't understand. > Is there an option to tell the configure script to just assume it is > missing? At whatever point in the configure logic it makes that > determination, it should have an option to specifically override. I could > not find it when I looked a few OpenSSH versions back. When you do the final linking of the binary and there is '-lcrypto' on the line, ld links against libcrypto.so if the link is there and against libcrypto.a if that is all there is. (You could have libcrypto.so.0 and libcrypto.so.0.9.6 to make old binaries work because ld does not look for them). From phil-openssh-unix-dev at ipal.net Wed Jun 26 19:46:26 2002 
From: phil-openssh-unix-dev at ipal.net (Phil Howard) Date: Wed, 26 Jun 2002 04:46:26 -0500 Subject: =?unknown-8bit?B?rbu05LFNt36kV6r5uXG4?= =?unknown-8bit?B?o8Llpc0tLSC4o7ijs3E=?= In-Reply-To: <20020626093527.58A56E8EA@shitei.mindrot.org> References: <20020626093527.58A56E8EA@shitei.mindrot.org> Message-ID: <20020626094626.GI12786@vega.ipal.net> [garbage in Chinese snipped] Is there any way to set up a post-confirmation system for non-subscribers so that their posts do not get distributed unless they confirm first? -- ----------------------------------------------------------------- | Phil Howard - KA9WGN | Dallas | http://linuxhomepage.com/ | | phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/ | ----------------------------------------------------------------- From vinschen at redhat.com Wed Jun 26 19:50:46 2002 From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 26 Jun 2002 11:50:46 +0200 Subject: Upcoming OpenSSH vulnerability In-Reply-To: <20020626114459.R22705@cygbert.vinschen.de> References: <3D18E4D7.3E9AECDE@anl.gov> <15641.510.429570.494980@darkwing.uoregon.edu> <20020626022412.GC12786@vega.ipal.net> <20020626095027.K22705@cygbert.vinschen.de> <20020626091848.GG12786@vega.ipal.net> <20020626114459.R22705@cygbert.vinschen.de> Message-ID: <20020626115046.S22705@cygbert.vinschen.de> On Wed, Jun 26, 2002 at 11:44:59AM +0200, Corinna Vinschen wrote: > [...] Oh, and if that's not clear from my posting. I'm not talking about Windows/Cygwin only. It's just the example I know the most of. I'm also talking about systems which are lacking features and which won't change since the manufacturer doesn't exist anymore or for any other reason. Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From phil-openssh-unix-dev at ipal.net Wed Jun 26 19:56:31 2002 
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Wed, 26 Jun 2002 04:56:31 -0500
Subject: Upcoming OpenSSH vulnerability
In-Reply-To: <20020626114459.R22705@cygbert.vinschen.de>
References: <3D18E4D7.3E9AECDE@anl.gov> <15641.510.429570.494980@darkwing.uoregon.edu> <20020626022412.GC12786@vega.ipal.net> <20020626095027.K22705@cygbert.vinschen.de> <20020626091848.GG12786@vega.ipal.net> <20020626114459.R22705@cygbert.vinschen.de>
Message-ID: <20020626095631.GJ12786@vega.ipal.net>

On Wed, Jun 26, 2002 at 11:44:59AM +0200, Corinna Vinschen wrote:
| It's not privilege separation since that hasn't to be ported. It's
| the OS dependent concepts used by privilege separation. Regardless
| of what you or me are thinking about the different concepts of Windows
| and POSIX systems, it's (not only) Cygwin's problem to get the POSIX
| concepts working on a platform which is pretty different. E. g. the
| concept of descriptor passing. It's known on Windows systems and it's
| probably no problem to get that working on systems which are lacking
| any security concept (9x/Me). It is a problem, though, to fit the
| Windows concept of handle passing into the POSIX concept of descriptor
| passing using sendmsg/recvmsg. The problem is that the Windows concept
| requires the involved processes to have knowledge and permissions
| on each other, which is something hidden in the kernel on POSIX systems.
| Again, this isn't a question of good or bad, correct or incorrect, it's
| just a question of being different. In this case, the differences are
| so that we still don't have an implementation of descriptor passing
| using sendmsg/recvmsg in Cygwin. That's unfortunate and we're working
| on that (still discussing the best way to do it) but you won't change
| that in a minute.
|
| Another concept is chroot. This isn't known at all on Windows
| systems. So our implementation is just a fake. But due to that
| restriction in the underlying OS *we depend on* we have no other
| way to accomplish a chroot.
|
| So what? Do you just shrug and disallow Windows users the usage of
| sshd since you don't like the concept of the OS? I'd find this
| attitude somewhat ignorant but I still hope that you actually don't
| mean it that way.

In the interim, Windows users might be stuck with whatever level of security
exists had Privilege Separation not been created. Maybe a direction to pursue
is to not implement exactly what is done in POSIX (since clearly if this is
the case, Cygwin isn't completely POSIX), but to implement something that
isolates a process as much as can be done within Windows. Maybe that's a
daemon running somewhere to do the tasks, instead of a child in chroot. And
maybe instead of doing descriptor passing, the process can just stay and
shuffle data between descriptors for now.

As for changing things in a minute, I don't see that as having been the need
to do. Privilege Separation has been in OpenSSH for a couple months or so as
beta. My understanding of beta is that it serves not only as an opportunity
to find bugs early, but for developers (those who are porting OpenSSH to
others than OpenBSD) to have a head start on the task of porting and making
decisions.

-- 
-----------------------------------------------------------------
| Phil Howard - KA9WGN |   Dallas   | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
-----------------------------------------------------------------

From phil-openssh-unix-dev at ipal.net Wed Jun 26 20:13:14 2002
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Wed, 26 Jun 2002 05:13:14 -0500
Subject: final build.
In-Reply-To: <20020626094616.GA793@elektroni.ee.tut.fi>
References: <20020626040931.GD12786@vega.ipal.net> <20020626055712.GE12786@vega.ipal.net> <20020626064619.GB31169@elektroni.ee.tut.fi> <20020626092852.GH12786@vega.ipal.net> <20020626094616.GA793@elektroni.ee.tut.fi>
Message-ID: <20020626101314.GK12786@vega.ipal.net>

On Wed, Jun 26, 2002 at 12:46:16PM +0300, Petri Kaukasoina wrote:
| On Wed, Jun 26, 2002 at 04:28:52AM -0500, Phil Howard wrote:
| > On Wed, Jun 26, 2002 at 09:46:19AM +0300, Petri Kaukasoina wrote:
| > | If you remove your /usr/lib/libcrypto.so symbolic link then openssh links
| > | that library statically even though it links other libraries dynamically.
| >
| > That does not seem to be happening.
|
| I don't understand.
|
| > Is there an option to tell the configure script to just assume it is
| > missing? At whatever point in the configure logic it makes that
| > determination, it should have an option to specifically override. I could
| > not find it when I looked a few OpenSSH versions back.
|
| When you do the final linking of the binary and there is '-lcrypto' on the
| line, ld links against libcrypto.so if the link is there and against
| libcrypto.a if that is all there is. (You could have libcrypto.so.0 and
| libcrypto.so.0.9.6 to make old binaries work because ld does not look for
| them).

I had added some rm statements to my openssh build script so it would remove
them before configuring, since openssl is built prior. All of this is done
from scratch in chroot, seeded by a 400 meg slackware tree. But I forgot to
put on ldconfig, so I assume it thought the library was going to be there.
I have no idea of all the quirkiness ld does, but it has done this before.
But the latest build (added "ldconfig") now seems to build it OK. So this
step seems to be working now.

But. Now I've hit an old OpenSSL problem. OpenSSL wants a single specific
version of libc. And with OpenSSL being statically linked into the OpenSSH
executables, and libc not, problems emerge again, since the various servers
to install to have different versions of libc. So I'm back to trying to get
a purely static compile going. The problem seems to be that different code
wants different versions of getopt that each have at least one referenced
unique symbol, and some that are the same (causing the conflict).

And compiling on the target machines isn't an option in most cases due to
the level of software, and some varying distributions, that have been
installed. A fully static build seems to be the only way to make it work.
It worked in 3.2.3p1 with a patch I got here. I need to find the time to
convert the patch to 3.3p1 or wait for someone else to do that.

It would be nice if I could just do:

    ./configure --static

and it would do whatever it takes to make it work.

-- 
-----------------------------------------------------------------
| Phil Howard - KA9WGN |   Dallas   | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
-----------------------------------------------------------------

From phil-openssh-unix-dev at ipal.net Wed Jun 26 20:15:36 2002
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Wed, 26 Jun 2002 05:15:36 -0500
Subject: Upcoming OpenSSH vulnerability
In-Reply-To: <20020626115046.S22705@cygbert.vinschen.de>
References: <3D18E4D7.3E9AECDE@anl.gov> <15641.510.429570.494980@darkwing.uoregon.edu> <20020626022412.GC12786@vega.ipal.net> <20020626095027.K22705@cygbert.vinschen.de> <20020626091848.GG12786@vega.ipal.net> <20020626114459.R22705@cygbert.vinschen.de> <20020626115046.S22705@cygbert.vinschen.de>
Message-ID: <20020626101536.GL12786@vega.ipal.net>

On Wed, Jun 26, 2002 at 11:50:46AM +0200, Corinna Vinschen wrote:
| Oh, and if that's not clear from my posting. I'm not talking
| about Windows/Cygwin only. It's just the example I know the most
| of. I'm also talking about systems which are lacking features
| and which won't change since the manufacturer doesn't exist anymore
| or for any other reason.

And some of those machines may be security vulnerable without SSH even
being in the picture. If a feature is needed for them to be secure and
they don't have the feature, then they are not secure.

But why does everyone wait to the last minute to do this?

-- 
-----------------------------------------------------------------
| Phil Howard - KA9WGN |   Dallas   | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
-----------------------------------------------------------------

From erik at debian.franken.de Wed Jun 26 20:36:51 2002
From: erik at debian.franken.de (Erik Tews)
Date: Wed, 26 Jun 2002 12:36:51 +0200
Subject: Problem with openssh on linux 2.0.34 mips
In-Reply-To: <3D198224.4D57D523@zip.com.au>
References: <20020626081942.GN15393@no-maam.dyndns.org> <3D198224.4D57D523@zip.com.au>
Message-ID: <20020626103651.GA28059@no-maam.dyndns.org>

On Wed, Jun 26, 2002 at 06:58:12PM +1000, Darren Tucker wrote:
> Erik Tews wrote:
> > Jun 25 20:25:46 raq2 sshd[16129]: fatal: mm_receive_fd: expected type 1
> > got 269726544
> >
> > Can anybody guess what that means or has somebody got openssh running on
> > such an old system on similar hardware? Compression is turned off. Are
> > there any configuration options I should try?
>
> Try "UsePrivilegeSeparation no". 3.3p1 works for me on 2.0.36/i386 with
> privsep off.
>
> With privsep on and compression off I get:
> mm_receive_fd: expected type 1 got 1074194385

That is exactly my problem, but I think the number is different. Is it
somehow possible to get privilege separation running on 2.0.x, because I
want to upgrade to minimize the impact of the upcoming exploit for openssh.

From kouril at ics.muni.cz Wed Jun 26 20:38:29 2002
From: kouril at ics.muni.cz (Daniel Kouril) Date: Wed, 26 Jun 2002 12:38:29 +0200 Subject: [kouril: Re: [Fwd: Kerberos buglet in OpenSSH-3.3p1]] Message-ID: <20020626123829.A24536@odorn.ics.muni.cz> resending to the whole mailing list .. ----- Forwarded message from kouril ----- Date: Wed, 26 Jun 2002 11:50:14 +0200 To: Damien Miller Subject: Re: [Fwd: Kerberos buglet in OpenSSH-3.3p1] User-Agent: Mutt/1.2.5i In-Reply-To: <1025084114.12959.0.camel at mothra.mindrot.org>; from djm at mindrot.org on Wed, Jun 26, 2002 at 07:35:14PM +1000 On Wed, Jun 26, 2002 at 07:35:14PM +1000, Damien Miller wrote: > Can anyone with Heimdal KrbV verify this? Content-Description: Forwarded message - Kerberos buglet in OpenSSH-3.3p1 > X-URL: http://www.ofug.org/~des/ > X-Disclaimer: The views expressed in this message do not necessarily > coincide with those of any organisation or company with which I am or have > been affiliated. > To: djm at mindrot.org > Subject: Kerberos buglet in OpenSSH-3.3p1 > From: Dag-Erling Smorgrav > Date: 25 Jun 2002 14:52:10 +0200 > User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2 > > servconf.c includes the wrong header for Kerberos V: > > --- servconf.c 24 Jun 2002 22:46:15 -0000 1.111 > +++ servconf.c 25 Jun 2002 01:16:22 -0000 > @@ -17,7 +17,7 @@ > #endif > #if defined(KRB5) > #ifdef HEIMDAL > -#include > +#include > #else > /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V > * keytab */ > I don't know why KEYFILE is defined at all. It's not used anywhere in ssh. I think it's a legacy definition from (approx.) 3.0.2p1 , where existence of the file was tested during testing whether or not to use Kerberos. So, the answer is yes, you can change it. But you also can remove the #include entirely. -- Dan ----- End forwarded message ----- From Roumen.Petrov at skalasoft.com Wed Jun 26 20:54:38 2002 
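Review bot: the hunk only swaps the header in the HEIMDAL branch and leaves the `#else` branch with its KEYFILE bodge in place; since the reply in this same message says KEYFILE is not used anywhere in ssh any more, the cleaner change is to drop the `#else` block together with the bodge comment rather than keep a define nothing reads. Note also that the header names on the `-#include` and `+#include` lines did not survive the archive, so the hunk cannot be checked as shown; a resend with the names intact would let reviewers see which Heimdal header replaces which.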
From: Roumen.Petrov at skalasoft.com (Roumen.Petrov at skalasoft.com)
Date: Wed, 26 Jun 2002 13:54:38 +0300
Subject: Public Key Authentication Bug - I can connect without problem
Message-ID: <3D199D6E.4060203@skalasoft.com>

'Public Key Authentication' works for me.

SERVERs: OpenSSH3.3p1 on linux - 2.4.x and 2.2.x kernels
CLIENTs: Putty 0.52; OpenSSH 2.5.2p2,3.1p1,3.3p1 - with Public key !

SAMPLE:
$ ssh -v SERVER echo 'NO problem to CONNECT'
OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug1: ......
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.3
debug1: match: OpenSSH_3.3 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.5.2p2
debug1: ......
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key /home/rumen/.ssh/skala_rsa.id
debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 151 lastkey 0x808d758 hint -1
debug1: ssh-userauth2 successful: method publickey
debug1: ......
NO problem to CONNECT
debug1: ......
debug1: Exit status 0

From bugzilla-daemon at mindrot.org Wed Jun 26 21:45:27 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Jun 2002 21:45:27 +1000 (EST)
Subject: [Bug 299] New: mmap problem with 3.3p1 version
Message-ID: <20020626114527.81586E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=299

           Summary: mmap problem with 3.3p1 version
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: colin at colino.net

Hi,

I just upgraded to sshd 3.3p1, compile went well, but after testing it I have :

# ./sshd -d -p 2222
[...]
Connection from 192.168.0.40 port 3418
debug1: Client protocol version 2.0; client software version OpenSSH_3.2.3p1
debug1: match: OpenSSH_3.2.3p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.3
mmap(65536): Invalid argument
debug1: Calling cleanup 0x806c3b4(0x0)

With strace :

write(2, "debug1: Local version string SSH"..., 50debug1: Local version string SSH-2.0-OpenSSH_3.3
) = 50
fcntl(4, F_SETFL, O_RDONLY|O_NONBLOCK)  = 0
socketpair(PF_UNIX, SOCK_STREAM, 0, [3, 7]) = 0
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
fcntl(7, F_SETFD, FD_CLOEXEC)           = 0
old_mmap(NULL, 65536, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0) = -1 EINVAL (Invalid argument)
write(2, "mmap(65536): Invalid argument\r\n", 31mmap(65536): Invalid argument
) = 31
write(2, "debug1: Calling cleanup 0x806c3b"..., 40debug1: Calling cleanup 0x806c3b4(0x0)

Tell me if I cut the log too much...

It happens on a Debian Linux, i386, kernel 2.2.20, glibc 2.1.3.

Regards,
Colin.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Jun 26 22:03:48 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Jun 2002 22:03:48 +1000 (EST)
Subject: [Bug 299] mmap problem with 3.3p1 version
Message-ID: <20020626120348.801B6E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=299

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

------- Additional Comments From dtucker at zip.com.au 2002-06-26 22:03 -------
*** This bug has been marked as a duplicate of 285 ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Jun 26 22:03:53 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 26 Jun 2002 22:03:53 +1000 (EST)
Subject: [Bug 285] 3.3p1 on Linux 2.2.x doesn't accept connections
Message-ID: <20020626120353.9B061E8FF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=285

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |colin at colino.net

------- Additional Comments From dtucker at zip.com.au 2002-06-26 22:03 -------
*** Bug 299 has been marked as a duplicate of this bug. ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From binder at arago.de Wed Jun 26 22:06:31 2002
From: binder at arago.de (Thomas Binder)
Date: Wed, 26 Jun 2002 14:06:31 +0200
Subject: [Bug 296] Priv separation does not work on OSF/1
In-Reply-To: <20020625164925.GA776@faui02>; from markus@openbsd.org on Tue, Jun 25, 2002 at 06:49:25PM +0200
References: <20020625154104.E54C8E902@shitei.mindrot.org> <20020625164925.GA776@faui02>
Message-ID: <20020626140631.A3625440@ohm.arago.de>

Hi!

On Tue, Jun 25, 2002 at 06:49:25PM +0200, Markus Friedl wrote:
> just a fyi:
> it seems that fd-passing is broken on DEC OSF/1 DU-4.0d
>
> so something like
>
> [snip]
>
> could help (it turns of privsep for post-auth, but
> you still get protection against a certain class of attacks).

Also FYI: This also makes OpenSSH 3.3p1 work with Linux 2.0.x

Thanks for the tip.

Ciao

Thomas

From strube at physik3.gwdg.de Wed Jun 26 22:08:33 2002
From: strube at physik3.gwdg.de (Hans Werner Strube)
Date: Wed, 26 Jun 2002 14:08:33 +0200 (MET DST)
Subject: MAP_ANON replacement?
Message-ID: <200206261208.OAA27001@r2d2.physik3.gwdg.de>

Here I would like to suggest a replacement for MAP_ANON on systems which
do not have it, such as Solaris < 8. In "man mmap" of Solaris 8:

     When MAP_ANON is set in flags, and fd is set to -1, mmap()
     provides a direct path to return anonymous pages to the
     caller. This operation is equivalent to passing mmap() an
     open file descriptor on /dev/zero with MAP_ANON elided from
     the flags argument.

Thus, I suppose in monitor_mm.c (of 3.3p1), the lines 88-89

	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
	    -1, 0);

could be replaced by

	{
		static int mmfd = -1;
		if (mmfd < 0)
			mmfd = open("/dev/zero", O_RDWR);
		address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED,
		    mmfd, 0);
	}

Sorry, I have *not* tested it since I am running 3.1p1 and waiting for 3.4p1
announced for next week!

Hans Werner Strube                  strube at physik3.gwdg.de
Drittes Physikalisches Institut, Univ. Goettingen
Buergerstr. 42-44, 37073 Goettingen, Germany

From binder at arago.de Wed Jun 26 22:09:58 2002
From: binder at arago.de (Thomas Binder)
Date: Wed, 26 Jun 2002 14:09:58 +0200
Subject: BROKEN_FD_PASSING (Bug 269)
In-Reply-To: ; from tim@multitalents.net on Tue, Jun 25, 2002 at 03:45:18PM -0700
References:
Message-ID: <20020626140958.B3625440@ohm.arago.de>

Hi!

On Tue, Jun 25, 2002 at 03:45:18PM -0700, Tim Rice wrote:
> I've just committed a change suggested by Markus that disables post-auth
> privsep on platforms that can't pass fd's.
>
> I've added AC_DEFINE(BROKEN_FD_PASSING) to Cygwin, Cray, and SCO

If possible, please also add it for Linux 2.0.x

Ciao

Thomas

-- 
Two sure ways to tell a REALLY sexy man; the first is, he has a bad memory.
I forget the second.

From sxw at dcs.ed.ac.uk Wed Jun 26 22:29:54 2002
From: sxw at dcs.ed.ac.uk (Simon Wilkinson)
Date: Wed, 26 Jun 2002 13:29:54 +0100 (BST)
Subject: Using Kerberos5 in 3.3p1
In-Reply-To: <20020626084754.A23936@odorn.ics.muni.cz>
Message-ID:

On Wed, 26 Jun 2002, Daniel Kouril wrote:
> I'm not able to get Kerberos5 authentication work together with PrivSep.
> According to strace, it seems that the kerberos authentication stage is
> performed by the user process in chrooted environment. The problem is that
> Kerberos authentication must be done by root. Is anybody working on a fix?
> (or am I missing something in configuration?)

No - I think that's correct. I'm working on getting my GSSAPI patches going
with PrivSep - I think I'm nearly there. I haven't looked in depth at the
protocol 1 krb5 stuff.

Cheers,

Simon.

From luc at suryo.com Wed Jun 26 22:34:18 2002
From: luc at suryo.com (Luc I. Suryo)
Date: Wed, 26 Jun 2002 07:34:18 -0500
Subject: debug output when ssh'ing a remote host
In-Reply-To: <60F1F87A64834D45A1EBAE9618305FB86ECCC7@qeo00200>
References: <60F1F87A64834D45A1EBAE9618305FB86ECCC7@qeo00200>
Message-ID: <20020626123418.GA5131@nc1701.suryo.com>

I compiled 3.3p1 yesterday and no problem....

Check the following

ssh/slogin is not aliased to something like alias ssh='ssh -v'
check setup of your .ssh/config
check setup of the global /etc/ssh/ssh_config

hope this may help

> 
> I'm not sure whether this (see below) is a "bug" or a feature but as I cannot find any information on this neither in the INSTALL file nor via ./configure --help or somewhere else, I would like to ask you whether there is an answer to my question.
> 
> Thanx a lot & kind regards - have a nice day,
> B. Courtin
> 
> 
> Question:
> ---------
> I lately updated from OpenSSH 3.0.1p1 to OpenSSH 3.3p1 by compiling the sources on my solaris 2.8 box with gcc. Everything works fine except one thing that sort of annoys me: When ssh'ing (or scp'ing) a host I get debug output even when I haven't specified the "-v" option (see below). What causes this behaviour resp. how can I stop ssh behave this way. Recompile with some other config option? (btw: I used "./configure --prefix=/opt/OpenSSH --sysconfdir=/etc/ssh")
> 
> I appreciate your feedback.
> 
> x at y # /opt/OpenSSH/bin/ssh -l root somehost
> debug: Forwarding authentication connection.
> debug: channel 0: new [authentication agent connection]
> debug: channel 0: OUTPUT_OPEN -> OUTPUT_WAIT_DRAIN [rvcd IEOF]
> debug: channel 0: OUTPUT_WAIT_DRAIN -> OUTPUT_CLOSED [obuf empty, send OCLOSE]
> debug: channel 0: shutdown_write
> debug: channel 0: INPUT_OPEN -> INPUT_WAIT_DRAIN [read failed]
> debug: channel 0: shutdown_read
> debug: channel 0: INPUT_WAIT_DRAIN -> INPUT_WAIT_OCLOSE [inbuf empty, send IEOF]
> debug: channel 0: INPUT_WAIT_OCLOSE -> INPUT_CLOSED [rcvd OCLOSE]
> debug: channel 0: full closed
> Last login: Wed Jun 26 10:43:51 2002 from antherhost
> Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
> #
> 
> 
> -------------------------------------
> 
> ./configure reported:
> 
> Host: sparc-sun-solaris2.8
> Compiler: gcc
> Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
> Preprocessor flags: -I/usr/local/include
> Linker flags: -L/usr/local/lib -R/usr/local/lib
> Libraries: -lz -lsocket -lnsl -lcrypto
> 
> -------------------------------------
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
--- End of b.courtin at t-online.net's quote ---

-- 
Kind regards,

Luc Suryo

From mouring at etoh.eviladmin.org Wed Jun 26 22:53:31 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 26 Jun 2002 07:53:31 -0500 (CDT)
Subject: final build.
In-Reply-To: <20020626095550.N18668@greenie.muc.de>
Message-ID:

Is the configure test not picking it up?

On Wed, 26 Jun 2002, Gert Doering wrote:
> Hi,
>
> On Tue, Jun 25, 2002 at 08:52:13PM -0500, Ben Lindstrom wrote:
> > If there are any issues that are not marked as known. Let us know ASAP.
>
> sco3.2v4 needs BROKEN_FD_PASSING as well (that is: it doesn't *have*
> FD passing, so I assume it has to be defined as "BROKEN").
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert at greenie.muc.de
> fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de
>

From mouring at etoh.eviladmin.org Wed Jun 26 23:02:32 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 26 Jun 2002 08:02:32 -0500 (CDT)
Subject: Upcoming OpenSSH vulnerability
In-Reply-To: <20020626115046.S22705@cygbert.vinschen.de>
Message-ID:

Or the company is SGI and their flagship product IRIX is really in
maintenance mode because the company is not doing so hot in light of losing
contracts left and right to Linux vendors for large rendering farms.

- Ben

On Wed, 26 Jun 2002, Corinna Vinschen wrote:
> On Wed, Jun 26, 2002 at 11:44:59AM +0200, Corinna Vinschen wrote:
> > [...]
>
> Oh, and if that's not clear from my posting. I'm not talking
> about Windows/Cygwin only. It's just the example I know the most
> of. I'm also talking about systems which are lacking features
> and which won't change since the manufacturer doesn't exist anymore
> or for any other reason.
>
> Corinna
>
> --
> Corinna Vinschen
> Cygwin Developer
> Red Hat, Inc.
> mailto:vinschen at redhat.com
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From nectar at FreeBSD.org Thu Jun 27 00:10:16 2002
From: nectar at FreeBSD.org (Jacques A. Vidrine) Date: Wed, 26 Jun 2002 09:10:16 -0500 Subject: [Fwd: Kerberos buglet in OpenSSH-3.3p1] In-Reply-To: <1025084114.12959.0.camel@mothra.mindrot.org> References: <1025084114.12959.0.camel@mothra.mindrot.org> Message-ID: <20020626141016.GA58209@madman.nectar.cc> On Wed, Jun 26, 2002 at 07:35:14PM +1000, Damien Miller wrote: > Can anyone with Heimdal KrbV verify this? I've used this patch for many moons with Heimdal. It should do the right thing in the MIT Kerberos case, also. --- servconf.c Fri Jun 21 01:20:44 2002 +++ servconf.c.good Wed Jun 26 09:05:09 2002 @@ -16,13 +16,7 @@ #include #endif #if defined(KRB5) -#ifdef HEIMDAL -#include -#else -/* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V - * keytab */ -#define KEYFILE "/etc/krb5.keytab" -#endif +extern const char *krb5_defkeyname; #endif #ifdef AFS #include @@ -130,6 +124,10 @@ void fill_default_server_options(ServerOptions *options) { + int krb4_keyfile, krb5_keyfile; + + krb4_keyfile = krb5_keyfile = 0; + /* Portable-specific options */ if (options->pam_authentication_via_kbd_int == -1) options->pam_authentication_via_kbd_int = 0; @@ -199,9 +197,15 @@ options->rsa_authentication = 1; if (options->pubkey_authentication == -1) options->pubkey_authentication = 1; +#ifdef KRB4 + krb4_keyfile = (access(KEYFILE, R_OK) == 0); +#endif +#ifdef KRB5 + krb5_keyfile = (access(krb5_defkeyname, R_OK) == 0); +#endif #if defined(KRB4) || defined(KRB5) if (options->kerberos_authentication == -1) - options->kerberos_authentication = 0; + options->kerberos_authentication = krb4_keyfile||krb5_keyfile; if (options->kerberos_or_local_passwd == -1) options->kerberos_or_local_passwd = 1; if (options->kerberos_ticket_cleanup == -1) Content-Description: Forwarded message - Kerberos buglet in OpenSSH-3.3p1 > Date: 25 Jun 2002 14:52:10 +0200 
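Review bot: in the first hunk (@@ -16,13 +16,7 @@), replacing the Kerberos header include with a hand-written `extern const char *krb5_defkeyname;` ties sshd to a library-internal global rather than a public interface, and the declared type must match whatever the linked libkrb5 actually exports or the mismatch goes unnoticed until link or run time on a different Kerberos build; prefer the public `krb5_kt_default_name()` call, which both Heimdal and MIT provide, even though it needs a `krb5_context`, or at least guard the extern behind a configure check for that symbol.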
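Review bot: in the second hunk (@@ -130,6 +124,10 @@), `krb4_keyfile` and `krb5_keyfile` are declared and zeroed unconditionally but are only read inside `#if defined(KRB4) || defined(KRB5)`, so a build without Kerberos gets two unused variables, which the `-Wall` in the configure output quoted elsewhere in this archive will flag. Wrap the declaration and the `krb4_keyfile = krb5_keyfile = 0;` line in the same `#if defined(KRB4) || defined(KRB5)` guard as their use.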
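Review bot: in the third hunk (@@ -199,9 +197,15 @@), the default for `kerberos_authentication` changes from off to on whenever a readable keytab exists, which is a behaviour change that needs a matching note in the sshd_config documentation. Two points to confirm before merging: `access()` treats the keytab name as a bare path, so if the library's default name carries a type prefix such as `FILE:` the test always fails and the default silently stays off; and with the first hunk removing the local `#define KEYFILE`, the `KRB4` branch now relies solely on the Kerberos IV headers to define `KEYFILE`, so check that it still resolves on every KRB4 build.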
> From: Dag-Erling Smorgrav > To: djm at mindrot.org > Subject: Kerberos buglet in OpenSSH-3.3p1 > > servconf.c includes the wrong header for Kerberos V: > > --- servconf.c 24 Jun 2002 22:46:15 -0000 1.111 > +++ servconf.c 25 Jun 2002 01:16:22 -0000 > @@ -17,7 +17,7 @@ > #endif > #if defined(KRB5) > #ifdef HEIMDAL > -#include > +#include > #else > /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V > * keytab */ > > DES > -- > Dag-Erling Smorgrav - des at ofug.org -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine at verio.net . nectar at FreeBSD.org . nectar at kth.se From b.courtin at t-online.net Thu Jun 27 00:06:46 2002 From: b.courtin at t-online.net (Courtin Bert) Date: Wed, 26 Jun 2002 16:06:46 +0200 Subject: debug output when ssh'ing a remote host Message-ID: <60F1F87A64834D45A1EBAE9618305FB86ECCCE@qeo00200> Hi, thank you for your feedback - it was something different: I stopped the parent process of my current running ssh-session and additionaly replaced everything in /opt/OpenSSH where all the old stuff (OpenSSH 3.0.1.p1) used to reside after compiling the sources for v 3.3p1. After then doing a 'ssh' to a remote host, e.g. committing this command from my still runnig old ssh session I created with OpenSSH 3.0.1.p1 and after replacing all stuff in /opt/OpenSSH to v 3.3, the behaviour described below occoured. After terminating my old session and opening a new one, everything was find and ssh'ing remote hosts didn't print debug messages without specifying the Option "-v". Hope this information helps anyone who faces a similar probelm... Kind regards, B. Courtin -----Original Message----- 
From: Luc I. Suryo [mailto:luc at suryo.com]
Sent: Wednesday, June 26, 2002 2:34 PM
To: Courtin Bert
Cc: openssh-unix-dev at mindrot.org
Subject: Re: debug output when ssh'ing a remote host

I compiled 3.3p1 yesterday and no problem....

Check the following

ssh/slogin is not aliased to something like alias ssh='ssh -v'
check setup of your .ssh/config
check setup of the global /etc/ssh/ssh_config

hope this may help

> 
> I'm not sure whether this (see below) is a "bug" or a feature but as I cannot find any information on this neither in the INSTALL file nor via ./configure --help or somewhere else, I would like to ask you whether there is an answer to my question.
> 
> Thanx a lot & kind regards - have a nice day,
> B. Courtin
> 
> 
> Question:
> ---------
> I lately updated from OpenSSH 3.0.1p1 to OpenSSH 3.3p1 by compiling the sources on my solaris 2.8 box with gcc. Everything works fine except one thing that sort of annoys me: When ssh'ing (or scp'ing) a host I get debug output even when I haven't specified the "-v" option (see below). What causes this behaviour resp. how can I stop ssh behave this way. Recompile with some other config option? (btw: I used "./configure --prefix=/opt/OpenSSH --sysconfdir=/etc/ssh")
> 
> I appreciate your feedback.
> 
> x at y # /opt/OpenSSH/bin/ssh -l root somehost
> debug: Forwarding authentication connection.
> debug: channel 0: new [authentication agent connection]
> debug: channel 0: OUTPUT_OPEN -> OUTPUT_WAIT_DRAIN [rvcd IEOF]
> debug: channel 0: OUTPUT_WAIT_DRAIN -> OUTPUT_CLOSED [obuf empty, send OCLOSE]
> debug: channel 0: shutdown_write
> debug: channel 0: INPUT_OPEN -> INPUT_WAIT_DRAIN [read failed]
> debug: channel 0: shutdown_read
> debug: channel 0: INPUT_WAIT_DRAIN -> INPUT_WAIT_OCLOSE [inbuf empty, send IEOF]
> debug: channel 0: INPUT_WAIT_OCLOSE -> INPUT_CLOSED [rcvd OCLOSE]
> debug: channel 0: full closed
> Last login: Wed Jun 26 10:43:51 2002 from antherhost
> Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
> #
> 
> 
> -------------------------------------
> 
> ./configure reported:
> 
> Host: sparc-sun-solaris2.8
> Compiler: gcc
> Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
> Preprocessor flags: -I/usr/local/include
> Linker flags: -L/usr/local/lib -R/usr/local/lib
> Libraries: -lz -lsocket -lnsl -lcrypto
> 
> -------------------------------------
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
--- End of b.courtin at t-online.net's quote ---

-- 
Kind regards,

Luc Suryo

From mouring at etoh.eviladmin.org Thu Jun 27 00:06:59 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 26 Jun 2002 09:06:59 -0500 (CDT)
Subject: MAP_ANON replacement?
In-Reply-To: <200206261208.OAA27001@r2d2.physik3.gwdg.de>
Message-ID:

This is one of the things on our list. This seems to work for Solaris, but
fails for Linux 2.2 and maybe Linux 2.0. Hopefully post 3.4p1 we can get
back and resolve this problem since we will not be trying to cram 10 CVS
patches into the tree a minute.=)

- Ben

On Wed, 26 Jun 2002, Hans Werner Strube wrote:
> Here I would like to suggest a replacement for MAP_ANON on systems which
> do not have it, such as Solaris < 8. In "man mmap" of Solaris 8:
>      When MAP_ANON is set in flags, and fd is set to -1, mmap()
>      provides a direct path to return anonymous pages to the
>      caller. This operation is equivalent to passing mmap() an
>      open file descriptor on /dev/zero with MAP_ANON elided from
>      the flags argument.
> Thus, I suppose in monitor_mm.c (of 3.3p1), the lines 88-89
> 	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
> 	    -1, 0);
> could be replaced by
> 	{
> 		static int mmfd = -1;
> 		if(mmfd < 0)
> 			mmfd = open("/dev/zero", O_RDWR);
> 		address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED,
> 		    mmfd, 0);
> 	}
> Sorry, I have *not* tested it since I am running 3.1p1 and waiting for 3.4p1
> announced for next week!
>
> Hans Werner Strube                  strube at physik3.gwdg.de
> Drittes Physikalisches Institut, Univ. Goettingen
> Buergerstr. 42-44, 37073 Goettingen, Germany
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From dtucker at zip.com.au Thu Jun 27 00:36:13 2002
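The two allocation paths discussed in this thread (Strube's /dev/zero replacement for MAP_ANON, and Ben's report that it fails on Linux 2.2, where bug 299's strace shows MAP_SHARED|MAP_ANONYMOUS returning EINVAL) side by side, as an added example that is not code from OpenSSH or from either poster: it tries the monitor_mm.c MAP_ANON path first, falls back to /dev/zero on EINVAL, and then checks with fork() that the monitor and child really share the pages, which is the property privsep needs. The function names, the `via` diagnostic output and the 65536-byte size are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
#define MAP_ANON MAP_ANONYMOUS       /* Linux spelling of the same flag */
#endif

/*
 * Allocate `size` bytes visible to both a parent and its forked child.
 * First attempt the MAP_ANON|MAP_SHARED call from monitor_mm.c; if the
 * flag does not exist or the kernel rejects it with EINVAL (the Linux 2.2
 * failure in bug 299), fall back to a MAP_SHARED mapping of /dev/zero as
 * proposed in the thread. `via` (hypothetical, for the demo only) receives
 * the name of the path that worked. Returns 0, or -1 with errno set.
 */
int mm_alloc_shared(size_t size, void **address, const char **via)
{
    void *p;
    int fd, saved;

#ifdef MAP_ANON
    p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_ANON | MAP_SHARED, -1, 0);
    if (p != MAP_FAILED) {
        *address = p;
        *via = "MAP_ANON";
        return 0;
    }
    if (errno != EINVAL)
        return -1;                   /* a different failure: do not mask it */
#endif
    fd = open("/dev/zero", O_RDWR);
    if (fd == -1)
        return -1;
    p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    saved = errno;
    close(fd);                       /* the mapping keeps its own reference */
    if (p == MAP_FAILED) {
        errno = saved;
        return -1;
    }
    *address = p;
    *via = "/dev/zero";
    return 0;
}

/*
 * Fork, let the child store a marker in the mapping, and report whether the
 * parent sees it once the child has exited: 1 shared, 0 not shared, -1 error.
 */
static int probe_fork_visibility(void *mem)
{
    volatile unsigned char *b = mem;
    pid_t pid;
    int status;

    b[0] = 0x00;
    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        b[0] = 0x5a;                 /* child writes, then exits without stdio flush */
        _exit(0);
    }
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return b[0] == 0x5a;
}

/* A mapping from mm_alloc_shared(): the child's write must be visible (1). */
int shared_mapping_visible_after_fork(size_t size)
{
    void *mem;
    const char *via;
    int r;

    if (mm_alloc_shared(size, &mem, &via) == -1)
        return -1;
    r = probe_fork_visibility(mem);
    munmap(mem, size);
    return r;
}

/* Same probe on a MAP_PRIVATE /dev/zero mapping: copy-on-write hides the
 * child's write from the parent (0), which is why MAP_SHARED is required. */
int private_mapping_visible_after_fork(size_t size)
{
    void *mem;
    int fd, r;

    fd = open("/dev/zero", O_RDWR);
    if (fd == -1)
        return -1;
    mem = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    close(fd);
    if (mem == MAP_FAILED)
        return -1;
    r = probe_fork_visibility(mem);
    munmap(mem, size);
    return r;
}
```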
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 27 Jun 2002 00:36:13 +1000
Subject: OpenSSH 3.3p1 AIX packages available
Message-ID: <3D19D15D.AB28FE56@zip.com.au>

Hi All.
	If anyone wants them, SMIT installable .bff packages of 3.3p1+privsep
for AIX 4.[23].x are available for download from the link below. The usual
caveats apply (see page).

Link: http://www.zip.com.au/~dtucker/openssh/

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From gwyllion at ace.ulyssis.org Thu Jun 27 00:37:56 2002
From: gwyllion at ace.ulyssis.org (Dries Schellekens)
Date: Wed, 26 Jun 2002 16:37:56 +0200 (CEST)
Subject: OpenSSH Remote Challenge Vulnerability
In-Reply-To:
Message-ID:

Is ISS putting this too soon on its website?

http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584

Dries

-- 
Dries Schellekens
email: gwyllion at ulyssis.org

From Markus_Friedl at genua.de Thu Jun 27 00:40:31 2002
From: Markus_Friedl at genua.de (Markus Friedl)
Date: Wed, 26 Jun 2002 16:40:31 +0200
Subject: OpenSSH 3.4 released
Message-ID: <20020626144031.GA16478@skaidan>

OpenSSH 3.4 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued
support and encouragement.

Changes since OpenSSH 3.3:
============================

Security Changes:
=================

All versions of OpenSSH's sshd between 2.9.9 and 3.3 contain an
input validation error that can result in an integer overflow and
privilege escalation. OpenSSH 3.4 fixes this bug.

In addition, OpenSSH 3.4 adds many checks to detect invalid input
and mitigate resource exhaustion attacks.

OpenSSH 3.2 and later prevent privilege escalation if
UsePrivilegeSeparation is enabled in sshd_config. OpenSSH 3.3 enables
UsePrivilegeSeparation by default.

Reporting Bugs:
===============

- please read http://www.openssh.com/report.html
  and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller and Ben Lindstrom.

From markus at openbsd.org Thu Jun 27 00:42:06 2002 
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 26 Jun 2002 16:42:06 +0200
Subject: OpenSSH Security Advisory (adv.iss)
Message-ID: <20020626144206.GA23672@folly>

1. Versions affected:

All versions of OpenSSH's sshd between 2.9.9 and 3.3 contain an
input validation error that can result in an integer overflow and
privilege escalation.

OpenSSH 3.4 and later are not affected.

OpenSSH 3.2 and later prevent privilege escalation if
UsePrivilegeSeparation is enabled in sshd_config. OpenSSH 3.3 enables
UsePrivilegeSeparation by default.

Although OpenSSH 2.9 and earlier are not affected, upgrading to
OpenSSH 3.4 is recommended, because OpenSSH 3.4 adds checks for a
class of potential bugs.

2. Impact:

This bug can be exploited remotely if ChallengeResponseAuthentication
is enabled in sshd_config. Affected are at least systems supporting
s/key over SSH protocol version 2 (OpenBSD, FreeBSD and NetBSD as well
as other systems supporting s/key with SSH). Exploitability of systems
using PAM in combination has not been verified.

3. Short-Term Solution:

Disable ChallengeResponseAuthentication in sshd_config.

or

Enable UsePrivilegeSeparation in sshd_config.

4. Solution:

Upgrade to OpenSSH 3.4 or apply the following patches.

5. Credits:

ISS.

Appendix:

A:

Index: auth2-chall.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v retrieving revision 1.18 diff -u -r1.18 auth2-chall.c --- auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18 +++ auth2-chall.c 26 Jun 2002 09:37:03 -0000 
@@ -256,6 +256,8 @@ authctxt->postponed = 0; /* reset */ nresp = packet_get_int(); + if (nresp > 100) + fatal("input_userauth_info_response: nresp too big %u", nresp); if (nresp > 0) { response = xmalloc(nresp * sizeof(char*)); for (i = 0; i < nresp; i++) B: Index: auth2-pam.c =================================================================== RCS file: /var/cvs/openssh/auth2-pam.c,v retrieving revision 1.12 diff -u -r1.12 auth2-pam.c --- auth2-pam.c 22 Jan 2002 12:43:13 -0000 1.12 +++ auth2-pam.c 26 Jun 2002 10:12:31 -0000 @@ -140,6 +140,15 @@ nresp = packet_get_int(); /* Number of responses. */ debug("got %d responses", nresp); + + if (nresp != context_pam2.num_expected) + fatal("%s: Received incorrect number of responses " + "(expected %u, received %u)", __func__, nresp, + context_pam2.num_expected); + + if (nresp > 100) + fatal("%s: too many replies", __func__); + for (i = 0; i < nresp; i++) { int j = context_pam2.prompts[i]; From jnerad at cimedia.com Thu Jun 27 00:55:14 2002 From: jnerad at cimedia.com (Jack Nerad) Date: Wed, 26 Jun 2002 10:55:14 -0400 Subject: pointer warnings Message-ID: <02062610551401.16819@silver.cimedia.com> ---------- Forwarded Message ---------- Subject: pointer warnings Date: Mon, 24 Jun 2002 17:10:24 -0400 
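Review bot: the `if (nresp > 100)` guard in the auth2-chall.c hunk is the entire fix, so it needs a comment saying why the bound exists: `nresp` comes straight from `packet_get_int()` and sizes `xmalloc(nresp * sizeof(char*))`, where an unchecked value can wrap the multiplication and leave the following `for (i = 0; i < nresp; i++)` loop writing past the allocation. Give the limit a name; the same literal 100 is repeated in auth2-pam.c and the two copies will otherwise drift apart.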
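Review bot: the arguments to the first new fatal() in the auth2-pam.c hunk are swapped relative to its format string: `(expected %u, received %u)` is fed `nresp, context_pam2.num_expected`, so the log line reports the received count as the expected one; it should be `__func__, context_pam2.num_expected, nresp`. The preceding `debug("got %d responses", nresp)` prints the same value with `%d` while the new checks format it with `%u`. Once the equality check is enforced, `nresp > 100` can only fire when `num_expected` itself exceeds 100, which deserves a one-line comment so it is not later removed as dead code.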
From: Jack Nerad To: openssh-unix-dev at mindrot.org I'm trying to resolve a problem I'm getting from a Redhat 6.2 distribution. When I compile OpenSSH 3.3p1 with OpenSSL 0.9.6d gcc 2.95, glibc-2.1.3-22, I get problems with In file included from /usr/include/string.h:346, from includes.h:30, from ssh-keyscan.c:9: /usr/include/bits/string2.h: In function `__strcpy_small': and then a whole series of lines that look like: ssh-keyscan.c:790: warning: pointer of type `void *' used in arithmetic The error does not only occur in ssh-keyscan.c, but when every file is compiled. Is it safe to ignore this, or do I need to resolve it somehow? -- Jack Nerad ------------------------------------------------------- This question was answered off list. The problem was the old compiler. Upgrading the compiler fixed the issue. No more warnings. -- Jack Nerad From jmknoble at pobox.com Thu Jun 27 01:09:50 2002 
From: jmknoble at pobox.com (Jim Knoble)
Date: Wed, 26 Jun 2002 11:09:50 -0400
Subject: Problem with openssh on linux 2.0.34 mips
In-Reply-To: <20020626103651.GA28059@no-maam.dyndns.org>; from erik@debian.franken.de on Wed, Jun 26, 2002 at 12:36:51PM +0200
References: <20020626081942.GN15393@no-maam.dyndns.org> <3D198224.4D57D523@zip.com.au> <20020626103651.GA28059@no-maam.dyndns.org>
Message-ID: <20020626110950.M20075@zax.half.pint-stowp.cx>

Circa 2002-Jun-26 12:36:51 +0200 dixit Erik Tews:

: On Wed, Jun 26, 2002 at 06:58:12PM +1000, Darren Tucker wrote:
: > Erik Tews wrote:
: > > Jun 25 20:25:46 raq2 sshd[16129]: fatal: mm_receive_fd: expected type 1
: > > got 269726544
[...]
: > With privsep on and compression off I get:
: > mm_receive_fd: expected type 1 got 1074194385

The problem is that the Linux kernel-2.0.x doesn't set the cmsg_type of
the struct cmsghdr in recvmsg(). Check out this snippet from
kernel-2.0.39's net/unix/af_unix.c:

--------
static int unix_recvmsg(struct socket *sock, struct msghdr *msg, int size,
                        int noblock, int flags, int *addr_len)
{
    ...
    if(msg->msg_control)
    {
        cm=unix_copyrights(msg->msg_control, msg->msg_controllen);
        if(cm==NULL || msg->msg_controllen<sizeof(*cm) ||
#if 0
           cm->cmsg_type!=SCM_RIGHTS ||
           cm->cmsg_level!=SOL_SOCKET ||
           msg->msg_controllen!=cm->cmsg_len
#endif
           )
--------

Another fun one is this snippet from 2.0.39's include/linux/socket.h:

--------
struct msghdr {
    void *          msg_name;       /* Socket name */
    int             msg_namelen;    /* Length of name */
    struct iovec *  msg_iov;        /* Data blocks */
    int             msg_iovlen;     /* Number of blocks */
    void *          msg_control;    /* Per protocol magic (eg BSD file descriptor passing) */
    int             msg_controllen; /* Length of rights list */
    int             msg_flags;      /* 4.4 BSD item we dont use */
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
};
--------

Yee-haw.

The attached patch ignores the cmsg_type and causes UsePrivilegeSeparation
to "work" (although you still need to turn off compression via
'Compression no' in sshd_config).
+---------------------------------------------------------------------+
| ¡¡¡CAUTION!!! This patch may decrease the security of the           |
| privilege-separated code, since it is now making an unvalidated     |
| assumption about the content of the message it receives over a      |
| socket. Don't blame me if someone breaks into your machine because  |
| you used this patch! No warranty, etc., etc.                        |
+---------------------------------------------------------------------+

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
-------------- next part --------------
--- ./monitor_fdpass.c.orig-linux20 Thu Jun 6 17:40:51 2002 +++ ./monitor_fdpass.c Tue Jun 25 18:37:57 2002 @@ -112,9 +112,12 @@ fatal("%s: no fd", __func__); #else cmsg = CMSG_FIRSTHDR(&msg); +#if 0 + /* Linux kernel 2.0.x doesn't handle cmsg_type in recvmsg(). */ if (cmsg->cmsg_type != SCM_RIGHTS) fatal("%s: expected type %d got %d", __func__, SCM_RIGHTS, cmsg->cmsg_type); +#endif /* 0 */ fd = (*(int *)CMSG_DATA(cmsg)); #endif return fd;
-------------- next part --------------
A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 262 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020626/d3a77f5d/attachment.bin
From bugzilla-daemon at mindrot.org Thu Jun 27 01:10:10 2002 
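Review bot: the `#if 0` disables the SCM_RIGHTS check on every platform that compiles this `#else` branch, not only Linux 2.0.x, and the comment inside it describes the kernel quirk rather than the trade-off the caution box spells out; tie it to a configure-time define for that kernel so other systems keep the check. Within the visible context, `cmsg = CMSG_FIRSTHDR(&msg)` is dereferenced without a NULL test and neither `cmsg_level` nor `cmsg_len` is examined, so a message that arrives without ancillary data is read as a descriptor number from whatever the buffer held; checking those fields would at least reject a message that carries no rights at all.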
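The validation that the `#if 0` above removes, added here as an example (this is not OpenSSH's monitor_fdpass.c and the function names are mine): a descriptor is sent over a socketpair and every field of the SCM_RIGHTS control message is checked before the fd is trusted, and the last function shows the failure mode the patch leaves unhandled, a message that carries no rights at all.

```c
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <string.h>
#include <unistd.h>

/* Control-message buffer sized for exactly one descriptor. */
union fdcmsg {
    struct cmsghdr hdr;
    char buf[CMSG_SPACE(sizeof(int))];
};

/* Common msghdr setup: one payload byte plus room for one descriptor. */
static void init_msg(struct msghdr *msg, struct iovec *vec, union fdcmsg *cm, char *ch)
{
    memset(msg, 0, sizeof(*msg));
    memset(cm, 0, sizeof(*cm));
    vec->iov_base = ch;
    vec->iov_len = 1;
    msg->msg_iov = vec;
    msg->msg_iovlen = 1;
    msg->msg_control = cm->buf;
    msg->msg_controllen = sizeof(cm->buf);
}

/* Send 'fd' over the UNIX socket 'sock'. Returns 0 on success, -1 on error. */
int send_fd(int sock, int fd)
{
    struct msghdr msg;
    struct iovec vec;
    union fdcmsg cm;
    struct cmsghdr *cmsg;
    char ch = 0;

    init_msg(&msg, &vec, &cm, &ch);
    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor from 'sock'. Returns the fd, or -1 unless the message
 * carries exactly one well-formed SCM_RIGHTS control message. */
int recv_fd(int sock)
{
    struct msghdr msg;
    struct iovec vec;
    union fdcmsg cm;
    struct cmsghdr *cmsg;
    char ch;
    int fd;

    init_msg(&msg, &vec, &cm, &ch);
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    /* Each check is a distinct failure mode; none of them is skipped. */
    cmsg = CMSG_FIRSTHDR(&msg);
    if (cmsg == NULL)                              /* no ancillary data at all */
        return -1;
    if (msg.msg_flags & MSG_CTRUNC)                /* control data truncated */
        return -1;
    if (cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS)
        return -1;                                 /* not a rights message */
    if (cmsg->cmsg_len != CMSG_LEN(sizeof(int)))   /* not exactly one fd */
        return -1;
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* Pass the write end of a pipe across a socketpair; 1 if a byte written to
 * the received descriptor arrives at the pipe's read end, 0 otherwise. */
int fdpass_roundtrip(void)
{
    int sv[2], pfd[2], got, ok = 0;
    char c = 0;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    if (pipe(pfd) < 0) {
        close(sv[0]); close(sv[1]);
        return 0;
    }
    if (send_fd(sv[0], pfd[1]) == 0 && (got = recv_fd(sv[1])) >= 0) {
        ok = write(got, "x", 1) == 1 && read(pfd[0], &c, 1) == 1 && c == 'x';
        close(got);
    }
    close(sv[0]); close(sv[1]); close(pfd[0]); close(pfd[1]);
    return ok;
}

/* A plain byte with no control message must be rejected, not dereferenced. */
int recv_without_rights_is_rejected(void)
{
    int sv[2], r = 0;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;
    if (write(sv[0], "x", 1) == 1)
        r = (recv_fd(sv[1]) == -1);
    close(sv[0]); close(sv[1]);
    return r;
}
```

A kernel that leaves cmsg_type unset, as the 2.0.x snippet above shows, fails the type check here and the receiving side refuses the descriptor; that refusal, rather than an unchecked read of CMSG_DATA, is the safe outcome for a monitor.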
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 27 Jun 2002 01:10:10 +1000 (EST)
Subject: [Bug 300] New: publickey authentication logged as hostbased authentication
Message-ID: <20020626151010.1B3F1E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=300

Summary: publickey authentication logged as hostbased authentication
Product: Portable OpenSSH
Version: -current
Platform: ix86
OS/Version: OpenBSD
Status: NEW
Severity: minor
Priority: P4
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: nestler at speakeasy.net

I am running OpenSSH 3.3 on OpenBSD 2.9 (using the 2.9 patch provided for
OpenSSH 3.3 on the OpenSSH web page). The following lines of my sshd_config
are different from the sshd_config shipped with OpenSSH 3.3 (my config lines
are listed here):

Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication no
X11Forwarding yes

So I only allow protocol 2 public key authentication. I can log in
successfully with a public key, but the bug is that in /var/log/authlog the
entry says:

"Jun 26 09:44:46 zappa sshd[5986]: Accepted hostbased for nestler from 1.2.3.4 port 48831 ssh2"

It should say "publickey"; not "hostbased". It is definitely doing a
publickey login (according to "ssh -v -v"), and not a hostbased login.

-Ivan

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From jmknoble at pobox.com Thu Jun 27 01:12:11 2002 
From: jmknoble at pobox.com (Jim Knoble)
Date: Wed, 26 Jun 2002 11:12:11 -0400
Subject: BROKEN_FD_PASSING (Bug 269)
In-Reply-To: <20020626140958.B3625440@ohm.arago.de>; from binder@arago.de on Wed, Jun 26, 2002 at 02:09:58PM +0200
References: <20020626140958.B3625440@ohm.arago.de>
Message-ID: <20020626111210.N20075@zax.half.pint-stowp.cx>

Circa 2002-Jun-26 14:09:58 +0200 dixit Thomas Binder:

: On Tue, Jun 25, 2002 at 03:45:18PM -0700, Tim Rice wrote:
: > I've just committed a change suggested by Markus that disables post-auth
: > privsep on platforms that can't pass fd's.
: >
: > I've added AC_DEFINE(BROKEN_FD_PASSING) to Cygwin, Cray, and SCO
:
: If possible, please also add it for Linux 2.0.x

Although, see the following thread for a patch which enables Linux 2.0.x
to work with post-auth privsep:

Subject: Re: Problem with openssh on linux 2.0.34 mips

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
-------------- next part --------------
A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 262 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020626/f1be585b/attachment.bin
From bugzilla-daemon at mindrot.org Thu Jun 27 01:15:52 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 27 Jun 2002 01:15:52 +1000 (EST)
Subject: [Bug 300] publickey authentication logged as hostbased authentication
Message-ID: <20020626151552.CE88BE930@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=300

djm at mindrot.org changed:

What        |Removed   |Added
----------------------------------------------------------------------------
Status      |NEW       |RESOLVED
Resolution  |          |DUPLICATE

------- Additional Comments From djm at mindrot.org 2002-06-27 01:15 -------
Don't people check existing bug reports anymore?

*** This bug has been marked as a duplicate of 284 ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Jun 27 01:15:58 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 27 Jun 2002 01:15:58 +1000 (EST)
Subject: [Bug 284] Hostbased authentication erroneously reported
Message-ID: <20020626151558.8B7D0E934@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=284

djm at mindrot.org changed:

What        |Removed   |Added
----------------------------------------------------------------------------
CC          |          |nestler at speakeasy.net

------- Additional Comments From djm at mindrot.org 2002-06-27 01:15 -------
*** Bug 300 has been marked as a duplicate of this bug. ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From tim at multitalents.net Thu Jun 27 01:40:15 2002 
From: tim at multitalents.net (Tim Rice)
Date: Wed, 26 Jun 2002 08:40:15 -0700 (PDT)
Subject: final build.
In-Reply-To: <20020626095550.N18668@greenie.muc.de>
Message-ID:

On Wed, 26 Jun 2002, Gert Doering wrote:

> Hi,
>
> On Tue, Jun 25, 2002 at 08:52:13PM -0500, Ben Lindstrom wrote:
> > If there are any issues that are not marked as known. Let us know ASAP.
>
> sco3.2v4 needs BROKEN_FD_PASSING as well (that is: it doesn't *have*
> FD passing, so I assume it has to be defined as "BROKEN").

sco3.2v4.2 doesn't even have enough capabilities to even try fd passing,
so defining BROKEN_FD_PASSING would not do anything on that platform.

>
> gert
>

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From binder at arago.de Thu Jun 27 01:47:33 2002
From: binder at arago.de (Thomas Binder)
Date: Wed, 26 Jun 2002 17:47:33 +0200
Subject: BROKEN_FD_PASSING (Bug 269)
In-Reply-To: <20020626111210.N20075@zax.half.pint-stowp.cx>; from jmknoble@pobox.com on Wed, Jun 26, 2002 at 11:12:11AM -0400
References: <20020626140958.B3625440@ohm.arago.de> <20020626111210.N20075@zax.half.pint-stowp.cx>
Message-ID: <20020626174732.A3746291@ohm.arago.de>

Hi!

On Wed, Jun 26, 2002 at 11:12:11AM -0400, Jim Knoble wrote:
> : > I've added AC_DEFINE(BROKEN_FD_PASSING) to Cygwin, Cray, and SCO
> :
> : If possible, please also add it for Linux 2.0.x
>
> Although, see the following thread for a patch which enables Linux
> 2.0.x to work with post-auth privsep:
>
> Subject: Re: Problem with openssh on linux 2.0.34 mips

Nope, at least not for me on i386-Linux 2.0.39, as it already breaks
earlier with:

mm_receive_fd: recvmsg: expected received 1 got 2

Ciao

Thomas

--
If little green men land in your back yard, hide any little green women
you've got in the house.
-- Mike Harding, "The Armchair Anarchist's Almanac"

From nalin at redhat.com Thu Jun 27 02:02:12 2002 
From: nalin at redhat.com (Nalin Dahyabhai) Date: Wed, 26 Jun 2002 12:02:12 -0400 Subject: PAM kbd-int with privsep In-Reply-To: <1025064221.5235.17.camel@xenon>; from djm@mindrot.org on Wed, Jun 26, 2002 at 02:03:40PM +1000 References: <1024969975.5925.172.camel@xenon> <20020625123957.A29726@redhat.com> <1025064221.5235.17.camel@xenon> Message-ID: <20020626120212.B24979@redhat.com> On Wed, Jun 26, 2002 at 02:03:40PM +1000, Damien Miller wrote: > On Wed, 2002-06-26 at 02:39, Nalin Dahyabhai wrote: > > It might be fixable by modifying it to have the parent do the PAM work, > > but it'd require an approach similar the existing kbdint code, and I > > don't know how it would work in the context of a monitoring setup. > > It is conceivable that we could hook into the shared memory malloc > routines to make the PAM context available to parent and child. > Unfortunately doing so may expose us to issues where the child attempts > privilege escalation by deliberately corrupting its PAM context. Unless you can affect how modules allocate memory, they may (and often do) allocate memory for their own use and store it in the PAM context as a PAM data item. Storing the data just keeps a pointer to the data in the PAM context, so you can't determine how big it is, either. > > It might also be resolved (at least for Linux-PAM 0.65 and later and > > derivatives, I haven't a clue about other implementations) by using > > the PAM_CONV_AGAIN/PAM_INCOMPLETE framework and letting the privileged > > process drive the conversation, but the framework is not well supported > > by most of the modules I've spot-checked. (That's fixable, though.) > > Am I correct in believing that this framework isn't in the original PAM > RFC? If so, that doesn't help us for Solaris, HP/UX and other non-Linux > PAM-supported platforms. 
My reading of the RFC also indicates this, but it's an old document and given that Linux-PAM implements a superset of what the RFC defines, it's possible (though unlikely) that other implementations may also implement this framework. Nalin From bugzilla-daemon at mindrot.org Thu Jun 27 02:05:31 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 27 Jun 2002 02:05:31 +1000 (EST)
Subject: [Bug 301] New: In openssh 3.3 and 3.4 pam session seems be called from non-root
Message-ID: <20020626160531.16A39E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=301

Summary: In openssh 3.3 and 3.4 pam session seems be called from non-root
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: Linux
Status: NEW
Severity: critical
Priority: P3
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: misiek at pld.org.pl

I have limits set in limits.conf and I'm using pam_limits. Now sshd (with
or without privilege separation) started with ulimit -c 0 (core limit)
does:

11860 geteuid() = 1000
...
11860 getuid() = 1000
...
11860 open("/etc/security/limits.conf", O_RDONLY) = 9
11860 fstat(9, {st_mode=S_IFREG|0644, st_size=2508, ...}) = 0
11860 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x126000
11860 read(9, "# /etc/security/limits.conf\n#\n#E"..., 4096) = 2508
11860 read(9, "", 4096) = 0
11860 close(9) = 0
11860 munmap(0x126000, 4096) = 0
11860 setreuid(1000, 4294967295) = 0
11860 setrlimit(RLIMIT_CPU, {rlim_cur=2147483647, rlim_max=2147483647}) = 0
11860 setrlimit(RLIMIT_FSIZE, {rlim_cur=2147483647, rlim_max=2147483647}) = 0
11860 setrlimit(RLIMIT_DATA, {rlim_cur=2147483647, rlim_max=2147483647}) = 0
11860 setrlimit(RLIMIT_STACK, {rlim_cur=2147483647, rlim_max=2147483647}) = 0
11860 setrlimit(RLIMIT_CORE, {rlim_cur=50000*1024, rlim_max=50000*1024}) = -1 EPERM (Operation not permitted)
11860 setrlimit(RLIMIT_RSS, {rlim_cur=2147483647, rlim_max=2147483647}) = 0
11860 setrlimit(RLIMIT_NPROC, {rlim_cur=257, rlim_max=257}) = 0
11860 setrlimit(RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=1024}) = 0
11860 setrlimit(RLIMIT_MEMLOCK, {rlim_cur=2147483647, rlim_max=2147483647}) = 0
11860 setrlimit(RLIMIT_AS, {rlim_cur=2147483647, rlim_max=2147483647}) = 0
11860 setrlimit(0xa /* RLIMIT_??? */, {rlim_cur=2147483647, rlim_max=2147483647}) = 0
11860 setpriority(PRIO_PROCESS, 0, 0) = 0
11860 open("/etc/security/pam_mail.conf", O_RDONLY) = 9

As you can see setting RLIMIT_CORE failed because sshd is not running as
root at this moment, pam returns LIMIT_ERR (1) and sshd tells me:

Jun 26 17:57:46 arm sshd[4188]: fatal: PAM session setup failed[6]: Permission denied

Why is pam no longer called as root?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From vinschen at redhat.com Thu Jun 27 02:21:03 2002
From: vinschen at redhat.com (Corinna Vinschen)
Date: Wed, 26 Jun 2002 18:21:03 +0200
Subject: OpenSSH 3.4 released
In-Reply-To: <20020626144031.GA16478@skaidan>
References: <20020626144031.GA16478@skaidan>
Message-ID: <20020626182103.B22705@cygbert.vinschen.de>

On Wed, Jun 26, 2002 at 04:40:31PM +0200, Markus Friedl wrote:
> OpenSSH 3.4 has just been released. It will be available from the
> mirrors listed at http://www.openssh.com/ shortly.
> [...]
> In addition, OpenSSH 3.4 adds many checks to detect
> invalid input and mitigate resource exhaustion attacks.

Cool. This version introduces a new error:

--- sshd.c.orig 2002-06-26 18:21:03.000000000 +0200 +++ sshd.c 2002-06-26 18:20:55.000000000 +0200 
@@ -1035,7 +1035,13 @@ main(int ac, char **av) (S_ISDIR(st.st_mode) == 0)) fatal("Missing privilege separation directory: %s", _PATH_PRIVSEP_CHROOT_DIR); +#ifdef HAVE_CYGWIN + if (check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) && + (st.st_uid != getuid () || + (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)) +#else if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0) +#endif fatal("Bad owner or mode for %s", _PATH_PRIVSEP_CHROOT_DIR); } I really wanted to test Ben's test version but there's also a time for sleep and when I tried to download that testversion it was already unavailable. Thanks, Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From phil-openssh-unix-dev at ipal.net Thu Jun 27 02:28:25 2002 
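Review bot: under HAVE_CYGWIN the whole owner/mode test is skipped whenever check_ntsec() returns false, so on a Cygwin host without ntsec `_PATH_PRIVSEP_CHROOT_DIR` is accepted with any owner and even group- or world-writable mode; if that is intended, state it in a comment next to the `#ifdef` and consider logging it, since this directory is the privsep chroot. The owner comparison also changes from `0` to `getuid()` with no explanation; a comment on why Cygwin needs the running uid rather than root would help the next reader.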
From: phil-openssh-unix-dev at ipal.net (Phil Howard) Date: Wed, 26 Jun 2002 11:28:25 -0500 Subject: final build. In-Reply-To: <3D196150.6905DAB4@zip.com.au> References: <20020626040931.GD12786@vega.ipal.net> <20020626055712.GE12786@vega.ipal.net> <3D196150.6905DAB4@zip.com.au> Message-ID: <20020626162825.GA4543@vega.ipal.net> On Wed, Jun 26, 2002 at 04:38:08PM +1000, Darren Tucker wrote: | Phil Howard wrote: | > The current error message stopping the static compile is: | > | > ============================================================================= | > gcc -g -O2 -Wall -Wno-uninitialized -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c ssh-agent.c | > ssh-agent.c: In function `main': | > ssh-agent.c:975: `BSDoptarg' undeclared (first use in this function) | > ssh-agent.c:975: (Each undeclared identifier is reported only once | > ssh-agent.c:975: for each function it appears in.) | > make: *** [ssh-agent.o] Error 1 | > make failed | | Adding "extern char *optarg;" to ssh-agent.c fixed a similar error | building on AIX. This is in -cvs and Ben's test tarballs but not 3.3p1. This one change fixed it. There appear to be no others. After applying Ben's patch, then making the change suggested above, it compiles fine, and runs OK. I have not done thorough testing, yet, but as long as I can at least login as root to remote machines, I can fix problems that crop up. Every machine tested so far is Linux 2.4.X based. I have a couple of 2.2.X based machines to work on next. I'll probably just leave off compression or something as I doubt I can upgrade the kernel on them this week. 
The integrated patch I built with is here: http://phil.ipal.org/openssh-3.3p1-getopt.patch -- ----------------------------------------------------------------- | Phil Howard - KA9WGN | Dallas | http://linuxhomepage.com/ | | phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/ | ----------------------------------------------------------------- From phil-openssh-unix-dev at ipal.net Thu Jun 27 02:46:24 2002 
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Wed, 26 Jun 2002 11:46:24 -0500
Subject: why fd passing?
Message-ID: <20020626164624.GB4543@vega.ipal.net>

If I understand privsep correctly, and I'm not sure I do as there are some
ambiguities in the illustration of what processes are doing what, there is
a way to avoid doing fd passing.

What I see is that fd passing is done to send the PTY to the user
privileged process after the monitor process was requested to set one up.
Why not go ahead and have the monitor set one up before it forks the child?
If it is already known that the child won't need one, then it doesn't have
to be done. But if that isn't known at fork time, go ahead and set one up
and then if the user privilege child decides it does not need one, it can
just close the descriptors. The needless resource usage should be very
brief. As long as the closing of the descriptors properly releases the
resource to be re-usable again, all should be OK.

There might also be descriptor passing to send the network fd back to the
privileged monitor after the unprivileged process authenticated the
connection so that it can be passed to the user privilege child. If this
is the case, I'd think the monitor could just hang onto that descriptor,
but not select it for anything. Then it can let the user child inherit it,
and close it at that time.

I do not see from this illustration how mmap() is involved.

--
-----------------------------------------------------------------
| Phil Howard - KA9WGN | Dallas | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/ |
-----------------------------------------------------------------

From bugzilla-daemon at mindrot.org Thu Jun 27 03:09:10 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 27 Jun 2002 03:09:10 +1000 (EST) Subject: [Bug 301] In openssh 3.3 and 3.4 pam session seems be called from non-root Message-ID: <20020626170910.C84ECE8FF@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=301 ------- Additional Comments From ldv at altlinux.org 2002-06-27 03:09 ------- In your case, to make pam_limits work, use "ulimit -Sc 0" instead of "ulimit -c 0". ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu Jun 27 03:12:49 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 27 Jun 2002 03:12:49 +1000 (EST) Subject: [Bug 301] In openssh 3.3 and 3.4 pam session seems be called from non-root Message-ID: <20020626171249.2072CE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=301 ------- Additional Comments From misiek at pld.org.pl 2002-06-27 03:12 ------- I don't want ugly workaround. I want openssh to be fixed :) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From Darren.Moffat at Sun.COM Thu Jun 27 03:12:54 2002 
From: Darren.Moffat at Sun.COM (Darren J Moffat)
Date: Wed, 26 Jun 2002 10:12:54 -0700
Subject: PAM kbd-int with privsep
References: <1024969975.5925.172.camel@xenon> <20020625123957.A29726@redhat.com> <1025064221.5235.17.camel@xenon>
Message-ID: <3D19F616.8020603@Sun.COM>

Damien Miller wrote:
> We still do the account and session management, just with a different
> PAM handle. Any state accumulated in the auth modules will be lost.
> Ideally we would do both auth and acct in the PAM helper child, that way
> we could handle password changing interactively.

Using a different handle for auth, acct and session is a major issue for
Solaris since there are private pam data items set in our pam_unix*
module(s) by auth that are later retrieved by account and by account to be
later retrieved by session and chauthtok. For this to work it requires the
same pam handle to be used in all calls. Not doing this isn't really using
PAM as intended. I understand this is difficult and I'm not bashing your
current attempt, just pointing out that it is important.

> It is conceivable that we could hook into the shared memory malloc
> routines to make the PAM context available to parent and child.
> Unfortunately doing so may expose us to issues where the child attempts
> privilege escalation by deliberately corrupting its PAM context.

That is how I had thought about doing it, I'm not sure about any privilege
escalation though since the calls to PAM must run with privilege anyway and
the modules must be trusted.

>> It might also be resolved (at least for Linux-PAM 0.65 and later and
>> derivatives, I haven't a clue about other implementations) by using
>> the PAM_CONV_AGAIN/PAM_INCOMPLETE framework and letting the privileged
>> process drive the conversation, but the framework is not well supported
>> by most of the modules I've spot-checked. (That's fixable, though.)
>
> Am I correct in believing that this framework isn't in the original PAM
> RFC? 
If so, that doesn't help us for Solaris, HP/UX and other non-Linux > PAM-supported platforms. These are Linux extensions to the framework. The people who look after the Linux-PAM have made significant incompatible changes to the framework from the original RFC (which was never ratified by Open Group). > This sort of framework is desperately needed though - PAM's design is > really showing its age and is not at all suited to async operation. It > would be excellent for everyone if the PAM spec could be reexamined with > these issues in mind (have a look at BSD auth[1] for inspiration). IMO > Redhat and Sun are in an excellent position to lead this process. Agreed, last time Sun attempted to work with the Linux-PAM people on getting back in sync some minor progress was made but nothing concrete. Open Group has officially released control of PAM back to its original inventors (Sun). A new working group on PAM does need to be formed since Linux and the original PAM have diverged too far. -- Darren J Moffat From cmadams at hiwaay.net Thu Jun 27 03:23:17 2002 From: cmadams at hiwaay.net (Chris Adams) Date: Wed, 26 Jun 2002 12:23:17 -0500 Subject: Upcoming OpenSSH vulnerability In-Reply-To: <20020624210631.GF24956@faui02>; from markus@openbsd.org on Mon, Jun 24, 2002 at 11:06:31PM +0200 References: <200206242100.g5OL0BLL019128@cvs.openbsd.org> <20020624210631.GF24956@faui02> Message-ID: <20020626122317.H43983@hiwaay.net> On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote: > Date: Mon, 24 Jun 2002 15:00:10 -0600 
> From: Theo de Raadt > Subject: Upcoming OpenSSH vulnerability > To: bugtraq at securityfocus.com > Cc: announce at openbsd.org > Cc: dsi at iss.net > Cc: misc at openbsd.org > So, if vendors would JUMP and get it working better, and send us > patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday > which supports these systems better. So send patches by Thursday > night please. Then on Tuesday or Wednesday the complete bug report > with patches (and exploits soon after I am sure) will hit BUGTRAQ. > We've given most vendors since Friday last week until Thursday to get > privsep working well for you so that when the announcement comes out > next week their customers are immunized. That is nearly a full week > (but they have already wasted a weekend and a Monday). Really I think > this is the best we can hope to do (this thing will eventually leak, > at which point the details will be published). 1) I've done most of the work getting OpenSSH working on Tru64 Unix, not any "vendor". Compaq^WHP doesn't support OpenSSH because they've got a license for SSH.com's software and make that version available for free for Tru64 (I don't use it because I prefer OpenSSH). Telling them to fix something they not only don't support but supply a different implementation of is not real bright. 2) What happened to the interim release on Friday? I (as everyone is) am very busy, and allocated my time according to what was said. I did submit a patch late Tuesday, but it was not included (hence, privsep still does not work on Tru64). There was a "test" release for a few hours last night (sorry, I guess I'm deficient because I need sleep). 
The following patch is still needed on Tru64 (not because FD passing is broken but because audit and enhanced security modes require root in the session setup, and if a PTY is allocated, the session setup needs to be done after PTY allocation - I don't see how to make that work with privsep): diff -urN openssh-3.4p1-dist/sshd.c openssh-3.4p1/sshd.c --- openssh-3.4p1-dist/sshd.c Tue Jun 25 18:24:19 2002 +++ openssh-3.4p1/sshd.c Wed Jun 26 10:42:00 2002 @@ -624,7 +624,7 @@ /* XXX - Remote port forwarding */ x_authctxt = authctxt; -#ifdef BROKEN_FD_PASSING +#if defined(BROKEN_FD_PASSING) || defined(HAVE_OSF_SIA) if (1) { #else if (authctxt->pw->pw_uid == 0 || options.use_login) { -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From Jason.Lacoss-Arnold at AGEDWARDS.com Thu Jun 27 03:26:33 2002 
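Review bot: the new `defined(HAVE_OSF_SIA)` term forces the `if (1)` path for a reason unrelated to the macro it is paired with (the message above: SIA session setup needs root after PTY allocation, not broken fd passing), and nothing in the hunk says so. Add a comment next to the `#if` stating that reason, otherwise the term reads as a BROKEN_FD_PASSING workaround and will be dropped the moment fd passing is confirmed to work on Tru64.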
From: Jason.Lacoss-Arnold at AGEDWARDS.com (Lacoss-Arnold, Jason)
Date: Wed, 26 Jun 2002 12:26:33 -0500
Subject: question on priorities...
Message-ID: <6808DCE827EBD5119DFB0002A58EF4DA032402FA@hqempn06.agedwards.com>

I know that there's a lot of stuff that will be on the plate for the next
release in further tweaking on how privsep plays out on various platforms,
but I was wondering if there is a consensus on when the PAM fixes to allow
expired password changes will occur? Do enough people rely on that to make
it into the next release? It seems really critical from our perspective,
but I'm trying to crawl out of my skin to look beyond my point of view.

From kevin at atomicgears.com Thu Jun 27 03:32:47 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Wed, 26 Jun 2002 10:32:47 -0700
Subject: Upcoming OpenSSH vulnerability
In-Reply-To: <20020626091848.GG12786@vega.ipal.net>
References: <3D18E4D7.3E9AECDE@anl.gov> <15641.510.429570.494980@darkwing.uoregon.edu> <20020626022412.GC12786@vega.ipal.net> <20020626095027.K22705@cygbert.vinschen.de> <20020626091848.GG12786@vega.ipal.net>
Message-ID: <20020626173247.GB2752@jenny.crlsca.adelphia.net>

On Wed, Jun 26, 2002 at 04:18:48AM -0500, Phil Howard wrote:
> How long has the opportunity to port privilege separation been there?

March.  Big sync on 3/21 followed by stuff to get things somewhat working
on a few platforms on 3/22.

20020322
 - (stevesk) HAVE_ACCRIGHTS_IN_MSGHDR configure support
 - (stevesk) [monitor.c monitor_wrap.c] #ifdef HAVE_PW_CLASS_IN_PASSWD
 - (stevesk) configure and cpp __FUNCTION__ gymnastics to handle nielsisms
 - (stevesk) [monitor_fdpass.c] support for access rights style file
   descriptor passing
 - (stevesk) [auth2.c] merge cleanup/sync
 - (stevesk) [defines.h] hp-ux 11 has ancillary data style fd passing, but
   is missing CMSG_LEN() and CMSG_SPACE() macros.
 - (stevesk) [defines.h] #define MAP_ANON MAP_ANONYMOUS for HP-UX; other
   platforms may need this--I'm not sure.  mmap() issues will need to be
   addressed further.
 - (tim) [cipher.c] fix problem with OpenBSD sync
 - (stevesk) [LICENCE] OpenBSD sync

20020321
 - (bal) OpenBSD CVS Sync

From vancleef at microunity.com Thu Jun 27 03:39:21 2002
From: vancleef at microunity.com (Bob Van Cleef)
Date: Wed, 26 Jun 2002 10:39:21 -0700 (PDT)
Subject: OpenSSH 3.4 released
In-Reply-To: <20020626144031.GA16478@skaidan>
Message-ID:

Sigh...

Even though it is listed on all the mirror site web pages,
openssh-3.4p1.tar.gz is not actually on the ftp sites.  The only
location that pretends to have it available is ftp.openbsd.org and
there the transfer hangs...

Bob

From carson at taltos.org Thu Jun 27 03:41:14 2002
From: carson at taltos.org (Carson Gaspar)
Date: Wed, 26 Jun 2002 13:41:14 -0400
Subject: OpenSSH Security Advisory (adv.iss)
In-Reply-To: <20020626144206.GA23672@folly>
References: <20020626144206.GA23672@folly>
Message-ID: <98310813.1025098874@[172.25.113.221]>

Use the Source, Luke:

	{ "challengeresponseauthentication", sChallengeResponseAuthentication },
	{ "skeyauthentication", sChallengeResponseAuthentication }, /* alias */

One must make sure that neither option is enabled.

	{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt },

Is also suspect, based on the patch, although the advisory isn't sure if
it's exploitable or not.

--On Wednesday, June 26, 2002 4:42 PM +0200 Markus Friedl wrote:

> 2. Impact:
>
>         This bug can be exploited remotely if
>         ChallengeResponseAuthentication is enabled in sshd_config.
>
>         Affected are at least systems supporting
>         s/key over SSH protocol version 2 (OpenBSD, FreeBSD
>         and NetBSD as well as other systems supporting
>         s/key with SSH).  Exploitability of systems
>         using PAM in combination has not been verified.
>
> 3. Short-Term Solution:
>
>         Disable ChallengeResponseAuthentication in sshd_config.

From vancleef at microunity.com Thu Jun 27 03:44:48 2002
From: vancleef at microunity.com (Bob Van Cleef)
Date: Wed, 26 Jun 2002 10:44:48 -0700 (PDT)
Subject: OpenSSH Security Advisory (adv.iss)
In-Reply-To: <20020626144206.GA23672@folly>
Message-ID:

On Wed, 26 Jun 2002, Markus Friedl wrote:

> 2. Impact:
>
>         This bug can be exploited remotely if
>         ChallengeResponseAuthentication is enabled in sshd_config.
>

Question:

If ChallengeResponseAuthentication is set to 'no' in sshd_config, can
the bug be exploited in OpenSSH_3.1p1?

Bob

From mouring at etoh.eviladmin.org Thu Jun 27 04:01:20 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 26 Jun 2002 13:01:20 -0500 (CDT)
Subject: Upcoming OpenSSH vulnerability
In-Reply-To: <20020626122317.H43983@hiwaay.net>
Message-ID:

> > We've given most vendors since Friday last week until Thursday to get
> > privsep working well for you so that when the announcement comes out
> > next week their customers are immunized. That is nearly a full week
> > (but they have already wasted a weekend and a Monday). Really I think
> > this is the best we can hope to do (this thing will eventually leak,
> > at which point the details will be published).
>
> 1) I've done most of the work getting OpenSSH working on Tru64 Unix, not
>    any "vendor". Compaq^WHP doesn't support OpenSSH because they've got
>    a license for SSH.com's software and make that version available for
>    free for Tru64 (I don't use it because I prefer OpenSSH). Telling
>    them to fix something they not only don't support but supply a
>    different implementation of is not real bright.
>

HP/Compaq uses OpenSSH in their routers and switches.

> 2) What happened to the interim release on Friday? I (as everyone is)
>    am very busy, and allocated my time according to what was said. I
>    did submit a patch late Tuesday, but it was not included (hence,
>    privsep still does not work on Tru64). There was a "test" release
>    for a few hours last night (sorry, I guess I'm deficient because I
>    need sleep). The following patch is still needed on Tru64 (not
>    because FD passing is broken but because audit and enhanced security
>    modes require root in the session setup, and if a PTY is allocated,
>    the session setup needs to be done after PTY allocation - I don't see
>    how to make that work with privsep):
>

Say thank you to whoever leaked the exploit.  Next track them down and
cut their hands off.

> diff -urN openssh-3.4p1-dist/sshd.c openssh-3.4p1/sshd.c
> --- openssh-3.4p1-dist/sshd.c	Tue Jun 25 18:24:19 2002
> +++ openssh-3.4p1/sshd.c	Wed Jun 26 10:42:00 2002
> @@ -624,7 +624,7 @@
>  	/* XXX - Remote port forwarding */
>  	x_authctxt = authctxt;
>
> -#ifdef BROKEN_FD_PASSING
> +#if defined(BROKEN_FD_PASSING) || defined(HAVE_OSF_SIA)
>  	if (1) {

No.  Fix Configure.ac.  There is a reason Tim and I agreed on
that define.  So we don't have to litter the source with more #ifdef
changes.

Better yet now we are post 3.4 we need a real solution.

Security releases never go the way you want them to.  I've seen more
fubared releases because of exploit leaks in the last 10 years than
anything else.  And it is just as frustrating for us as you.

- Ben

From bugzilla-daemon at mindrot.org Thu Jun 27 04:28:38 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 27 Jun 2002 04:28:38 +1000 (EST)
Subject: [Bug 296] Priv separation does not work on OSF/1
Message-ID: <20020626182838.99E61E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=296

------- Additional Comments From lennox at cs.columbia.edu  2002-06-27 04:28 -------
Same problem with 3.4p1.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From jmknoble at pobox.com Thu Jun 27 04:32:36 2002
From: jmknoble at pobox.com (Jim Knoble)
Date: Wed, 26 Jun 2002 14:32:36 -0400
Subject: BROKEN_FD_PASSING (Bug 269)
In-Reply-To: <20020626174732.A3746291@ohm.arago.de>; from binder@arago.de on Wed, Jun 26, 2002 at 05:47:33PM +0200
References: <20020626140958.B3625440@ohm.arago.de> <20020626111210.N20075@zax.half.pint-stowp.cx> <20020626174732.A3746291@ohm.arago.de>
Message-ID: <20020626143236.O20075@zax.half.pint-stowp.cx>

Circa 2002-Jun-26 17:47:33 +0200 dixit Thomas Binder:

: On Wed, Jun 26, 2002 at 11:12:11AM -0400, Jim Knoble wrote:
: > Although, see the following thread for a patch which enables Linux
: > 2.0.x to work with post-auth privsep:
: >
: >   Subject: Re: Problem with openssh on linux 2.0.34 mips
:
: Nope, at least not for me on i386-Linux 2.0.39, as it already
: breaks earlier with:
:
:   mm_receive_fd: recvmsg: expected received 1 got 2

Is that repeatable?  Can you strace it?

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

From bugzilla-daemon at mindrot.org Thu Jun 27 04:50:32 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 27 Jun 2002 04:50:32 +1000 (EST)
Subject: [Bug 296] Priv separation does not work on OSF/1
Message-ID: <20020626185032.6086FE8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=296

------- Additional Comments From mouring at eviladmin.org  2002-06-27 04:50 -------
The platform was not tagged to set 'BROKEN_FD_PASSING'.  After ./configure
go into config.h and grep for it and set it.  It is a temporary work
around.  Something that was regretfully missed.

A full solution needs to be forthcoming from the OSF/1 users/developers.

Summary of issue:

The issue is that by the time do_child() is run when PrivSep is enabled it
has lost root access and therefore can not set the SIA security
information.  For this to be correctly fixed one has to pre-allocate the
TTY *BEFORE* root privs are dropped.

This is a massive hack.  And needs someone willing to look at the problem
to solve it.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From cmadams at hiwaay.net Thu Jun 27 04:50:46 2002
From: cmadams at hiwaay.net (Chris Adams)
Date: Wed, 26 Jun 2002 13:50:46 -0500
Subject: Upcoming OpenSSH vulnerability
In-Reply-To: ; from mouring@etoh.eviladmin.org on Wed, Jun 26, 2002 at 01:01:20PM -0500
References: <20020626122317.H43983@hiwaay.net>
Message-ID: <20020626135046.L43983@hiwaay.net>

Once upon a time, Ben Lindstrom said:
> > 1) I've done most of the work getting OpenSSH working on Tru64 Unix, not
> >    any "vendor". Compaq^WHP doesn't support OpenSSH because they've got
> >    a license for SSH.com's software and make that version available for
> >    free for Tru64 (I don't use it because I prefer OpenSSH). Telling
> >    them to fix something they not only don't support but supply a
> >    different implementation of is not real bright.
>
> HP/Compaq uses OpenSSH in their routers and switches.

I really don't think they use Tru64 Unix in their routers and switches,
nor are any of the same people involved.

> > 2) What happened to the interim release on Friday? I (as everyone is)
> >    am very busy, and allocated my time according to what was said. I
> >    did submit a patch late Tuesday, but it was not included (hence,
> >    privsep still does not work on Tru64). There was a "test" release
> >    for a few hours last night (sorry, I guess I'm deficient because I
> >    need sleep). The following patch is still needed on Tru64 (not
> >    because FD passing is broken but because audit and enhanced security
> >    modes require root in the session setup, and if a PTY is allocated,
> >    the session setup needs to be done after PTY allocation - I don't see
> >    how to make that work with privsep):
>
> Say thank you to whoever leaked the exploit.

Sorry, I wasn't aware of that.  It would have been nice if that had been
at least mentioned in the release notes or something, since it was a
significant change from the previously announced schedule.

> Next track them down and cut their hands off.

That I would love to do.

> > diff -urN openssh-3.4p1-dist/sshd.c openssh-3.4p1/sshd.c
> > --- openssh-3.4p1-dist/sshd.c	Tue Jun 25 18:24:19 2002
> > +++ openssh-3.4p1/sshd.c	Wed Jun 26 10:42:00 2002
> > @@ -624,7 +624,7 @@
> >  	/* XXX - Remote port forwarding */
> >  	x_authctxt = authctxt;
> >
> > -#ifdef BROKEN_FD_PASSING
> > +#if defined(BROKEN_FD_PASSING) || defined(HAVE_OSF_SIA)
> >  	if (1) {
>
> No.  Fix Configure.ac.  There is a reason Tim and I agreed on
> that define.  So we don't have to litter the source with more #ifdef
> changes.

Then name the define something else, like "NO_POSTAUTH_PRIVSEP", and
auto-define it if BROKEN_FD_PASSING is defined.  FD passing is not
broken on Tru64 (4.x or 5.x as far as I can tell).  If something else is
added in the future that uses FD passing, it should be supported on
Tru64, so Tru64 should not set BROKEN_FD_PASSING in configure.ac.

> Better yet now we are post 3.4 we need a real solution.

As I said above, I don't see how to do post-auth privsep on Tru64.  The
requirements just don't seem to match the capabilities.  The only thing
I can see to do is to open a PTY unconditionally before post-auth
privsep and close it later if it is not needed (but I don't know for
sure that would work either).  That would be a fairly major change;
would such a change be accepted back into "core" OpenSSH?
--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From mouring at etoh.eviladmin.org Thu Jun 27 04:45:59 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 26 Jun 2002 13:45:59 -0500 (CDT)
Subject: Upcoming OpenSSH vulnerability
In-Reply-To: <20020626135046.L43983@hiwaay.net>
Message-ID:

[..]
> > > diff -urN openssh-3.4p1-dist/sshd.c openssh-3.4p1/sshd.c
> > > --- openssh-3.4p1-dist/sshd.c	Tue Jun 25 18:24:19 2002
> > > +++ openssh-3.4p1/sshd.c	Wed Jun 26 10:42:00 2002
> > > @@ -624,7 +624,7 @@
> > >  	/* XXX - Remote port forwarding */
> > >  	x_authctxt = authctxt;
> > >
> > > -#ifdef BROKEN_FD_PASSING
> > > +#if defined(BROKEN_FD_PASSING) || defined(HAVE_OSF_SIA)
> > >  	if (1) {
> >
> > No.  Fix Configure.ac.  There is a reason Tim and I agreed on
> > that define.  So we don't have to litter the source with more #ifdef
> > changes.
>
> Then name the define something else, like "NO_POSTAUTH_PRIVSEP", and
> auto-define it if BROKEN_FD_PASSING is defined.  FD passing is not
> broken on Tru64 (4.x or 5.x as far as I can tell).  If something else is
> added in the future that uses FD passing, it should be supported on
> Tru64, so Tru64 should not set BROKEN_FD_PASSING in configure.ac.
>

It will be left at BROKEN_FD_PASSING because when all platforms are
squared away that will be what is set if we run across such a platform.
No one said what was going in 3.4 was set in stone for changes.=)

> > Better yet now we are post 3.4 we need a real solution.
>
> As I said above, I don't see how to do post-auth privsep on Tru64.  The
> requirements just don't seem to match the capabilities.  The only thing
> I can see to do is to open a PTY unconditionally before post-auth
> privsep and close it later if it is not needed (but I don't know for
> sure that would work either).  That would be a fairly major change;
> would such a change be accepted back into "core" OpenSSH?
>

If you can get a preview fix posted, I'll work within the OpenSSH
portable group to ensure that some version of it gets included.  If that
preview fix says 'we always open a temporary TTY' then so be it.  We can
look at how to handle the non-tty case after.

- Ben

From vancleef at microunity.com Thu Jun 27 04:58:19 2002
From: vancleef at microunity.com (Bob Van Cleef)
Date: Wed, 26 Jun 2002 11:58:19 -0700 (PDT)
Subject: bad owner on /var/empty: RH6.2 sparc 3.4p1
In-Reply-To: <20020626143236.O20075@zax.half.pint-stowp.cx>
Message-ID:

Well, back to 3.1p1....

Linux ns1 2.2.14-5.0 #1 Tue Mar 7 20:54:26 EST 2000 sparc unknown
------------------------------------------------------------------------
During the install of 3.4p1 I saw:

[snip]
./mkinstalldirs /var/empty
chmod 0700 /var/empty
[snip]
id sshd || \
echo "WARNING: Privilege separation user \"sshd\" does not exist"
uid=9999(sshd) gid=9999(sshd) groups=9999(sshd)

------------------------------------------------------------------------
When attempting to run I see:

[root at ns1 openssh-3.4p1]# /usr/local/sbin/sshd -d
This platform does not support both privilege separation and compression
Compression disabled
debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
Bad owner or mode for /var/empty
[root at ns1 openssh-3.4p1]# ls -l /usr/local/sbin/sshd
-rwxr-xr-x   1 root     root       801476 Jun 26 11:36 /usr/local/sbin/sshd
[root at ns1 openssh-3.4p1]# ls -lag /var/empty
total 5
drwx------   2 sshd     sshd         1024 Jun 25 16:13 .
drwxr-xr-x  19 root     root         1024 Jun 25 16:13 ..
-rw-r--r--   1 sshd     sshd           24 Jun 25 16:13 .bash_logout
-rw-r--r--   1 sshd     sshd          230 Jun 25 16:13 .bash_profile
-rw-r--r--   1 sshd     sshd          124 Jun 25 16:13 .bashrc
[root at ns1 openssh-3.4p1]#

------------------------------------------------------------------------
Built --with-pam, so:

[root at ns1 openssh-3.4p1]# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nodelay
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok md5
session    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_limits.so

[root at ns1 openssh-3.4p1]# grep ssh /etc/shadow /etc/passwd /etc/group
/etc/shadow:sshd:!!:11863:0:99999:7:::
/etc/passwd:sshd:x:9999:9999::/var/empty:/bin/bash
/etc/group:sshd:x:9999:

From markus at openbsd.org Thu Jun 27 05:08:25 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 26 Jun 2002 21:08:25 +0200
Subject: Revised OpenSSH Security Advisory (adv.iss)
Message-ID: <20020626190825.GA27268@folly>

This is the 2nd revision of the Advisory.

1. Versions affected:

        Several versions of OpenSSH's sshd between 2.3.1 and 3.3
        contain an input validation error that can result in
        an integer overflow and privilege escalation.

        All versions between 2.3.1 and 3.3 contain a bug in the
        PAMAuthenticationViaKbdInt code.

        All versions between 2.9.9 and 3.3 contain a bug in the
        ChallengeResponseAuthentication code.

        OpenSSH 3.4 and later are not affected.

        OpenSSH 3.2 and later prevent privilege escalation if
        UsePrivilegeSeparation is enabled in sshd_config.
        OpenSSH 3.3 enables UsePrivilegeSeparation by default.

        Although some earlier versions are not affected, upgrading
        to OpenSSH 3.4 is recommended, because OpenSSH 3.4 adds
        checks for a class of potential bugs.

2. Impact:

        This bug can be exploited remotely if
        ChallengeResponseAuthentication is enabled in sshd_config.

        Affected are at least systems supporting
        s/key over SSH protocol version 2 (OpenBSD, FreeBSD
        and NetBSD as well as other systems supporting
        s/key with SSH).  Exploitability of systems
        using PAMAuthenticationViaKbdInt has not been verified.

3. Short-Term Solution:

        Disable ChallengeResponseAuthentication in sshd_config.

        and

        Disable PAMAuthenticationViaKbdInt in sshd_config.

        Alternatively you can prevent privilege escalation
        if you enable UsePrivilegeSeparation in sshd_config.

4. Solution:

        Upgrade to OpenSSH 3.4 or apply the following patches.

5. Credits:

        ISS.

Appendix:

A:

Index: auth2-chall.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
retrieving revision 1.18
diff -u -r1.18 auth2-chall.c
--- auth2-chall.c	19 Jun 2002 00:27:55 -0000	1.18
+++ auth2-chall.c	26 Jun 2002 09:37:03 -0000
@@ -256,6 +256,8 @@
 	authctxt->postponed = 0;	/* reset */
 	nresp = packet_get_int();
+	if (nresp > 100)
+		fatal("input_userauth_info_response: nresp too big %u", nresp);
 	if (nresp > 0) {
 		response = xmalloc(nresp * sizeof(char*));
 		for (i = 0; i < nresp; i++)

B:

Index: auth2-pam.c
===================================================================
RCS file: /var/cvs/openssh/auth2-pam.c,v
retrieving revision 1.12
diff -u -r1.12 auth2-pam.c
--- auth2-pam.c	22 Jan 2002 12:43:13 -0000	1.12
+++ auth2-pam.c	26 Jun 2002 10:12:31 -0000
@@ -140,6 +140,15 @@
 	nresp = packet_get_int();	/* Number of responses. */
 	debug("got %d responses", nresp);
+
+	if (nresp != context_pam2.num_expected)
+		fatal("%s: Received incorrect number of responses "
+		    "(expected %u, received %u)", __func__, nresp,
+		    context_pam2.num_expected);
+
+	if (nresp > 100)
+		fatal("%s: too many replies", __func__);
+
 	for (i = 0; i < nresp; i++) {
 		int j = context_pam2.prompts[i];

From pekkas at netcore.fi Thu Jun 27 05:16:14 2002
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 26 Jun 2002 22:16:14 +0300 (EEST)
Subject: Revised OpenSSH Security Advisory (adv.iss)
In-Reply-To: <20020626190825.GA27268@folly>
Message-ID:

On Wed, 26 Jun 2002, Markus Friedl wrote:
>         and
>
>         Disable PAMAuthenticationViaKbdInt in sshd_config.

I'd rather say:

        Make sure PAMAuthenticationViaKbdInt has not been enabled
        in sshd_config.

(as it defaults to off, contrary to ChallengeResponseAuthentication), but
that's just a minor clarification.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From tim at multitalents.net Thu Jun 27 05:25:07 2002
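Review bot: in hunk A the `nresp > 100` bound does stop `nresp * sizeof(char*)` from wrapping before `xmalloc`, but 100 is a bare constant with no comment saying why that value; if the number of prompts sent is known at this point, as it is in hunk B through `context_pam2.num_expected`, compare against that as well so a malformed count is rejected precisely rather than only when it is absurdly large. Keep the cap regardless, since it also bounds the per-response allocations made by the `for (i = 0; i < nresp; i++)` loop. `fatal()` is the right reaction here: the message is handled while the client is still authenticating, so dropping the connection costs a legitimate user nothing.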
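Review bot: in hunk B the arguments to the new `fatal()` are in the wrong order for its format string: the text says `(expected %u, received %u)` but the values passed are `nresp, context_pam2.num_expected`, so the log will print the received count as the expected one and vice versa; swap them. Once `nresp != context_pam2.num_expected` is enforced, the following `nresp > 100` check can only fire when num_expected itself exceeds 100, so either comment it as a belt-and-braces bound or cap num_expected where the prompts are built. Also, the `debug("got %d responses", nresp)` line just above prints nresp with %d while the new checks use %u; settle on one signedness for nresp, because a signed nresp compared against an unsigned num_expected is easy to get wrong.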
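A self-contained illustration of the bug class the advisory's patches close, added here as an editorial example and not OpenSSH's code: a parser for the body of a keyboard-interactive INFO_RESPONSE (uint32 count, then that many SSH strings) that checks the count against the number of prompts sent (hunk B's idea) and against the absolute cap (hunk A's), and a small function showing why the check matters, namely that on the 32-bit hosts of the day `nresp * sizeof(char *)` wraps for a large count. The packet bytes, the function names and the `nprompts` parameter are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Absolute cap on responses per message; the value the advisory's patches use. */
#define MAX_RESPONSES 100u

/* SSH wire "uint32": four bytes, big-endian. Returns 1 on success, 0 on a short buffer. */
static int get_u32(const uint8_t *buf, size_t len, size_t *off, uint32_t *out)
{
	if (len - *off < 4)
		return 0;
	*out = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
	    ((uint32_t)buf[*off + 2] << 8) | (uint32_t)buf[*off + 3];
	*off += 4;
	return 1;
}

/* SSH wire "string": uint32 length, then that many bytes. Returns a NUL-terminated
 * heap copy, or NULL when the declared length runs past the end of the buffer. */
static char *get_string(const uint8_t *buf, size_t len, size_t *off)
{
	uint32_t slen;
	char *s;

	if (!get_u32(buf, len, off, &slen) || slen > len - *off)
		return NULL;
	if ((s = malloc((size_t)slen + 1)) == NULL)
		return NULL;
	memcpy(s, buf + *off, slen);
	s[slen] = '\0';
	*off += slen;
	return s;
}

static void free_responses(char **resp, uint32_t n)
{
	for (uint32_t i = 0; i < n; i++)
		free(resp[i]);
	free(resp);
}

/* Size the unpatched code would pass to xmalloc() for the pointer table, in the 32-bit
 * arithmetic of the hosts affected in 2002 (sizeof(char *) == 4). The product wraps
 * modulo 2^32, so a huge count buys a tiny table that the fill loop then overruns. */
uint32_t table_bytes_32bit(uint32_t nresp)
{
	return nresp * 4u;
}

/* Hardened parse of an SSH_MSG_USERAUTH_INFO_RESPONSE body: nresp, then nresp strings.
 * nprompts is the number of prompts this side sent in the preceding INFO_REQUEST.
 * Returns the response count (caller frees *out with free_responses), or -1. */
int parse_info_response(const uint8_t *buf, size_t len, uint32_t nprompts, char ***out)
{
	size_t off = 0;
	uint32_t nresp, i;
	char **resp;

	if (!get_u32(buf, len, &off, &nresp))
		return -1;
	/* Both checks from the advisory: the count must equal what was asked for (hunk B)
	 * and stay under an absolute cap (hunk A), so nresp * sizeof(char *) cannot wrap. */
	if (nresp != nprompts || nresp > MAX_RESPONSES)
		return -1;
	/* calloc() additionally checks the multiplication itself. */
	if ((resp = calloc(nresp ? nresp : 1, sizeof(*resp))) == NULL)
		return -1;
	for (i = 0; i < nresp; i++) {
		if ((resp[i] = get_string(buf, len, &off)) == NULL) {
			free_responses(resp, i);
			return -1;
		}
	}
	if (off != len) {	/* trailing bytes: what packet_check_eom() rejects */
		free_responses(resp, nresp);
		return -1;
	}
	*out = resp;
	return (int)nresp;
}

/* Parse, release, and report only the verdict. */
int parse_verdict(const uint8_t *buf, size_t len, uint32_t nprompts)
{
	char **resp = NULL;
	int n = parse_info_response(buf, len, nprompts, &resp);

	if (n >= 0)
		free_responses(resp, (uint32_t)n);
	return n;
}

/* Constructed sample bodies, not captured traffic: one 5-byte response, "hello". */
const uint8_t kOneResponse[] = { 0, 0, 0, 1, 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
/* Same body with nresp = 0x40000001, a count that wraps the 32-bit table size to 4. */
const uint8_t kHugeCount[] = { 0x40, 0, 0, 1, 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
```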
From: tim at multitalents.net (Tim Rice)
Date: Wed, 26 Jun 2002 12:25:07 -0700 (PDT)
Subject: bad owner on /var/empty: RH6.2 sparc 3.4p1
In-Reply-To:
Message-ID:

chown root:root /var/empty

On Wed, 26 Jun 2002, Bob Van Cleef wrote:

>
> Well, back to 3.1p1....
>
> Linux ns1 2.2.14-5.0 #1 Tue Mar 7 20:54:26 EST 2000 sparc unknown
> ------------------------------------------------------------------------
> During the install of 3.4p1 I saw:
>
> [snip]
> ./mkinstalldirs /var/empty
> chmod 0700 /var/empty
> [snip]
> id sshd || \
> echo "WARNING: Privilege separation user \"sshd\" does not exist"
> uid=9999(sshd) gid=9999(sshd) groups=9999(sshd)
>
> ------------------------------------------------------------------------
> When attempting to run I see:
>
> [root at ns1 openssh-3.4p1]# /usr/local/sbin/sshd -d
> This platform does not support both privilege separation and compression
> Compression disabled
> debug1: sshd version OpenSSH_3.4p1
> debug1: private host key: #0 type 0 RSA1
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug1: read PEM private key done: type DSA
> debug1: private host key: #2 type 2 DSA
> Bad owner or mode for /var/empty
> [root at ns1 openssh-3.4p1]# ls -l /usr/local/sbin/sshd
> -rwxr-xr-x   1 root     root       801476 Jun 26 11:36
> /usr/local/sbin/sshd
> [root at ns1 openssh-3.4p1]# ls -lag /var/empty
> total 5
> drwx------   2 sshd     sshd         1024 Jun 25 16:13 .
> drwxr-xr-x  19 root     root         1024 Jun 25 16:13 ..
> -rw-r--r--   1 sshd     sshd           24 Jun 25 16:13 .bash_logout
> -rw-r--r--   1 sshd     sshd          230 Jun 25 16:13 .bash_profile
> -rw-r--r--   1 sshd     sshd          124 Jun 25 16:13 .bashrc
> [root at ns1 openssh-3.4p1]#
>
> ------------------------------------------------------------------------
> Built --with-pam, so:
>
> [root at ns1 openssh-3.4p1]# cat /etc/pam.d/sshd
> #%PAM-1.0
> auth       required     /lib/security/pam_pwdb.so shadow nodelay
> auth       required     /lib/security/pam_nologin.so
> account    required     /lib/security/pam_pwdb.so
> password   required     /lib/security/pam_cracklib.so
> password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok md5
> session    required     /lib/security/pam_pwdb.so
> session    required     /lib/security/pam_limits.so
>
> [root at ns1 openssh-3.4p1]# grep ssh /etc/shadow /etc/passwd /etc/group
> /etc/shadow:sshd:!!:11863:0:99999:7:::
> /etc/passwd:sshd:x:9999:9999::/var/empty:/bin/bash
> /etc/group:sshd:x:9999:
>

--
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From jmknoble at pobox.com Thu Jun 27 05:30:11 2002
From: jmknoble at pobox.com (Jim Knoble)
Date: Wed, 26 Jun 2002 15:30:11 -0400
Subject: bad owner on /var/empty: RH6.2 sparc 3.4p1
In-Reply-To: ; from vancleef@microunity.com on Wed, Jun 26, 2002 at 11:58:19AM -0700
References: <20020626143236.O20075@zax.half.pint-stowp.cx>
Message-ID: <20020626153010.P20075@zax.half.pint-stowp.cx>

Circa 2002-Jun-26 11:58:19 -0700 dixit Bob Van Cleef:

[...]

: When attempting to run I see:
:
: [root at ns1 openssh-3.4p1]# /usr/local/sbin/sshd -d
: This platform does not support both privilege separation and compression
: Compression disabled
: debug1: sshd version OpenSSH_3.4p1
: debug1: private host key: #0 type 0 RSA1
: debug1: read PEM private key done: type RSA
: debug1: private host key: #1 type 1 RSA
: debug1: read PEM private key done: type DSA
: debug1: private host key: #2 type 2 DSA
: Bad owner or mode for /var/empty
: [root at ns1 openssh-3.4p1]# ls -l /usr/local/sbin/sshd
: -rwxr-xr-x   1 root     root       801476 Jun 26 11:36
: /usr/local/sbin/sshd
: [root at ns1 openssh-3.4p1]# ls -lag /var/empty
: total 5
: drwx------   2 sshd     sshd         1024 Jun 25 16:13 .
: drwxr-xr-x  19 root     root         1024 Jun 25 16:13 ..
: -rw-r--r--   1 sshd     sshd           24 Jun 25 16:13 .bash_logout
: -rw-r--r--   1 sshd     sshd          230 Jun 25 16:13 .bash_profile
: -rw-r--r--   1 sshd     sshd          124 Jun 25 16:13 .bashrc
: [root at ns1 openssh-3.4p1]#

No.  Bad.  /var/empty should be mode 0755, owner 0 (root), group 0
(root, wheel, sys, or whatever it is on your system).  And, it should
be empty.  Does your useradd default to creating the user's home
directory?  Perhaps that's why your /var/empty appears to have been
chowned and populated from /etc/skel.

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

From stevev at darkwing.uoregon.edu Thu Jun 27 05:39:50 2002
From: stevev at darkwing.uoregon.edu (Steve VanDevender)
Date: Wed, 26 Jun 2002 12:39:50 -0700
Subject: Revised OpenSSH Security Advisory (adv.iss)
In-Reply-To:
References: <20020626190825.GA27268@folly>
Message-ID: <15642.6278.898843.260946@darkwing.uoregon.edu>

Pekka Savola writes:
> On Wed, 26 Jun 2002, Markus Friedl wrote:
> >         and
> >
> >         Disable PAMAuthenticationViaKbdInt in sshd_config.
>
> I'd rather say:
>
>         Make sure PAMAuthenticationViaKbdInt has not been enabled
>         in sshd_config.
>
> (as it defaults to off, contrary to ChallengeResponseAuthentication), but
> that's just a minor clarification.

I think the announcement is fine the way it is.  Having an explicit
"PAMAuthenticationViaKbdInt no" in sshd_config is a lot less ambiguous
than assuming it's disabled by default.

From kevin at atomicgears.com Thu Jun 27 05:41:46 2002
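As an added example (not from the list or from OpenSSH), a checker for the configuration points made in this thread: it reads sshd_config text, treats `skeyauthentication` as an alias of ChallengeResponseAuthentication (the servconf.c table Carson quotes), applies the defaults Pekka describes (CRA on, PAMAuthenticationViaKbdInt off) and reports both the effective state and whether each value is written out explicitly, which is the distinction Steve draws. Function and sample names are this example's own; the sample configurations are constructed.

```c
#include <string.h>
#include <strings.h>

/* Effective state of the two options named in the advisory's short-term solution. */
struct advisory_opts {
	int cra;			/* ChallengeResponseAuthentication: 1 yes, 0 no */
	int cra_explicit;		/* 1 if set in the file, 0 if still the default */
	int pam_kbdint;			/* PAMAuthenticationViaKbdInt: 1 yes, 0 no */
	int pam_kbdint_explicit;
};

static int yesno(const char *v)
{
	if (strcasecmp(v, "yes") == 0)
		return 1;
	if (strcasecmp(v, "no") == 0)
		return 0;
	return -1;	/* not a yes/no value */
}

/* Evaluate sshd_config text held in memory. Keywords match case-insensitively,
 * "skeyauthentication" is an alias of ChallengeResponseAuthentication, and the first
 * occurrence of a keyword wins, as in sshd itself. Defaults are CRA yes and
 * PAMAuthenticationViaKbdInt no. */
void audit_sshd_config(const char *text, struct advisory_opts *o)
{
	char line[1024];
	const char *p = text;

	o->cra = 1;
	o->cra_explicit = 0;
	o->pam_kbdint = 0;
	o->pam_kbdint_explicit = 0;

	while (*p != '\0') {
		size_t n = strcspn(p, "\n");
		char *key, *val, *hash;
		int v;

		if (n >= sizeof(line))
			n = sizeof(line) - 1;	/* overlong line: keep the prefix only */
		memcpy(line, p, n);
		line[n] = '\0';
		p += n;
		if (*p == '\n')
			p++;

		if ((hash = strchr(line, '#')) != NULL)
			*hash = '\0';		/* drop comments */
		key = strtok(line, " \t");
		val = strtok(NULL, " \t");
		if (key == NULL || val == NULL || (v = yesno(val)) < 0)
			continue;

		if ((strcasecmp(key, "ChallengeResponseAuthentication") == 0 ||
		    strcasecmp(key, "SKeyAuthentication") == 0) && !o->cra_explicit) {
			o->cra = v;
			o->cra_explicit = 1;
		} else if (strcasecmp(key, "PAMAuthenticationViaKbdInt") == 0 &&
		    !o->pam_kbdint_explicit) {
			o->pam_kbdint = v;
			o->pam_kbdint_explicit = 1;
		}
	}
}

/* 1 when both options are off, i.e. the advisory's short-term workaround is in place. */
int workaround_in_place(const char *text)
{
	struct advisory_opts o;

	audit_sshd_config(text, &o);
	return !o.cra && !o.pam_kbdint;
}

/* 1 when both are off *and* both are written out explicitly (Steve's preference). */
int workaround_explicit(const char *text)
{
	struct advisory_opts o;

	audit_sshd_config(text, &o);
	return !o.cra && o.cra_explicit && !o.pam_kbdint && o.pam_kbdint_explicit;
}

/* Constructed sample configurations. */
const char kDefaultsOnly[] = "# nothing relevant set\nPort 22\n";
const char kCraOff[] = "ChallengeResponseAuthentication no\n";
const char kAliasFirst[] = "skeyauthentication yes\nChallengeResponseAuthentication no\n";
const char kBothOff[] = "ChallengeResponseAuthentication no\nPAMAuthenticationViaKbdInt no\n";
const char kPamOn[] = "ChallengeResponseAuthentication no\nPAMAuthenticationViaKbdInt yes\n";
```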
From: kevin at atomicgears.com (Kevin Steves)
Date: Wed, 26 Jun 2002 12:41:46 -0700
Subject: bad owner on /var/empty: RH6.2 sparc 3.4p1
In-Reply-To: <20020626153010.P20075@zax.half.pint-stowp.cx>
References: <20020626143236.O20075@zax.half.pint-stowp.cx> <20020626153010.P20075@zax.half.pint-stowp.cx>
Message-ID: <20020626194146.GE2752@jenny.crlsca.adelphia.net>

On Wed, Jun 26, 2002 at 03:30:11PM -0400, Jim Knoble wrote:
> No.  Bad.  /var/empty should be mode 0755, owner 0 (root), group 0
> (root, wheel, sys, or whatever it is on your system).  And, it should
> be empty.  Does your useradd default to creating the user's home
> directory?  Perhaps that's why your /var/empty appears to have been
> chowned and populated from /etc/skel.

yes.  also note we do try hard to keep documentation up-to-date;
from sshd.8:

     /var/empty
             chroot(2) directory used by sshd during privilege separation in
             the pre-authentication phase.  The directory should not contain
             any files and must be owned by root and not group or world-
             writable.

From hin at stacken.kth.se Thu Jun 27 05:43:05 2002
From: hin at stacken.kth.se (Hans Insulander)
Date: 26 Jun 2002 21:43:05 +0200
Subject: Using Kerberos5 in 3.3p1
In-Reply-To:
References:
Message-ID: <87adphltbq.fsf@ashaman.hin.nu>

Simon Wilkinson writes:

> On Wed, 26 Jun 2002, Daniel Kouril wrote:
>
> > I'm not able to get Kerberos5 authentication work together with PrivSep.
> > According to strace, it seems that the kerberos authentication stage is
> > performed by the user process in chrooted environment. The problem is that
> > Kerberos authentication must be done by root. Is anybody working on a fix?
> > (or am I missing something in configuration?)
>
> No - I think that's correct. I'm working on getting my GSSAPI patches
> going with PrivSep - I think I'm nearly there. I haven't looked in depth
> at the protocol 1 krb5 stuff.

As far as i can tell, it does not work at the moment. And people seem to
have elected me as a volunteer to fix this... However, my time is pretty
limited right now, and i'm not an ssh hacker, so if someone wants to help
me out with this i'd really appreciate it.

What needs to be done, afaik, is to receive the kerberos auth data in the
unprivileged client process, marshal it and send it over to the monitor
process. The monitor should validate the information and say "ok" or "not
ok" back to the client. I have very few clues as to how to do that.

--
--- Hans Insulander , SM0UTY -----------------------
Gravity never loses. The best you can hope for is a draw.

From tim at multitalents.net Thu Jun 27 05:50:59 2002
From: tim at multitalents.net (Tim Rice)
Date: Wed, 26 Jun 2002 12:50:59 -0700 (PDT)
Subject: bad owner on /var/empty: RH6.2 sparc 3.4p1
In-Reply-To: <20020626194146.GE2752@jenny.crlsca.adelphia.net>
Message-ID:

On Wed, 26 Jun 2002, Kevin Steves wrote:

> On Wed, Jun 26, 2002 at 03:30:11PM -0400, Jim Knoble wrote:
> > No.  Bad.  /var/empty should be mode 0755, owner 0 (root), group 0
> > (root, wheel, sys, or whatever it is on your system).  And, it should
> > be empty.  Does your useradd default to creating the user's home
> > directory?  Perhaps that's why your /var/empty appears to have been
> > chowned and populated from /etc/skel.
>
> yes.  also note we do try hard to keep documentation up-to-date;
> from sshd.8:

Shall we patch Makefile.in ?

--- Makefile.in.old	Tue Jun 25 16:45:42 2002
+++ Makefile.in	Wed Jun 26 12:49:25 2002
@@ -219,6 +219,7 @@
 	$(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
 	$(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH)
 	chmod 0700 $(DESTDIR)$(PRIVSEP_PATH)
+	chown 0 $(DESTDIR)$(PRIVSEP_PATH)
 	$(INSTALL) -m 0755 -s ssh $(DESTDIR)$(bindir)/ssh
 	$(INSTALL) -m 0755 -s scp $(DESTDIR)$(bindir)/scp
 	$(INSTALL) -m 0755 -s ssh-add $(DESTDIR)$(bindir)/ssh-add

>
>      /var/empty
>              chroot(2) directory used by sshd during privilege separation in
>              the pre-authentication phase.  The directory should not contain
>              any files and must be owned by root and not group or world-
>              writable.
>

--
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From andreas at conectiva.com.br Thu Jun 27 05:54:56 2002
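Review bot: `+	chown 0 $(DESTDIR)$(PRIVSEP_PATH)` will abort `make install` for anyone who is not root, for instance a packager installing into a staged DESTDIR, because the chown fails and make stops at the first non-zero exit; prefix the command with `-` or guard it with an id check so the rest of the install still runs, and say in the install notes that the final owner must be root. The `chmod 0700` on the line above already covers the "not group or world-writable" half of the sshd.8 rule quoted just after the patch, so the owner was the only missing piece, and `chown 0` (numeric uid) is the right portable spelling since the root group's name differs between systems.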
From: andreas at conectiva.com.br (Andreas Hasenack) Date: Wed, 26 Jun 2002 16:54:56 -0300 Subject: Revised OpenSSH Security Advisory (adv.iss) In-Reply-To: <15642.6278.898843.260946@darkwing.uoregon.edu> References: <20020626190825.GA27268@folly> <15642.6278.898843.260946@darkwing.uoregon.edu> Message-ID: <20020626195456.GK19640@conectiva.com.br> Em Wed, Jun 26, 2002 at 12:39:50PM -0700, Steve VanDevender escreveu: > I think the announcement is fine the way it is. Having an explicit > "PAMAuthenticationViaKbdInt no" in sshd_config is a lot less ambiguous > than assuming it's disabled by default. All these authentication mechanisms can be confusing, since many can overlap. Just throw in challengeresponse, keyboard-interactive, password, kerberos (via ticket or password), S/Key (which is challengeresponse but can also be used via PAM) and so on. Is there another document besides the man page sshd_config(5) which explains all the available mechanisms in more detail? Or "just" the RFC/protocol/standard/whatever description? From andreas at conectiva.com.br Thu Jun 27 06:00:48 2002 From: andreas at conectiva.com.br (Andreas Hasenack) Date: Wed, 26 Jun 2002 17:00:48 -0300 Subject: bad owner on /var/empty: RH6.2 sparc 3.4p1 In-Reply-To: References: <20020626194146.GE2752@jenny.crlsca.adelphia.net> Message-ID: <20020626200048.GM19640@conectiva.com.br> Em Wed, Jun 26, 2002 at 12:50:59PM -0700, Tim Rice escreveu: > Shall we patch Makefile.in ? > > --- Makefile.in.old Tue Jun 25 16:45:42 2002 > +++ Makefile.in Wed Jun 26 12:49:25 2002 > @@ -219,6 +219,7 @@ > $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir) > $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH) > chmod 0700 $(DESTDIR)$(PRIVSEP_PATH) > + chown 0 $(DESTDIR)$(PRIVSEP_PATH) Distros will just remove this line again, otherwise they would have to start building packages as root. From vancleef at microunity.com Thu Jun 27 06:06:05 2002 
From: vancleef at microunity.com (Bob Van Cleef) Date: Wed, 26 Jun 2002 13:06:05 -0700 (PDT) Subject: bad owner on /var/empty: RH6.2 sparc 3.4p1 In-Reply-To: Message-ID: On Wed, 26 Jun 2002, Tim Rice wrote: > > chown root:root /var/empty Thank you = that fixed the problem. So, for the record, sparc linux RH 6.2 works.... Thank you all! > > Linux ns1 2.2.14-5.0 #1 Tue Mar 7 20:54:26 EST 2000 sparc unknown [root at ns1 openssh-3.4p1]# /usr/local/sbin/sshd -d This platform does not support both privilege separation and compression Compression disabled debug1: sshd version OpenSSH_3.4p1 debug1: private host key: #0 type 0 RSA1 debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA socket: Invalid argument debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from 192.86.6.8 port 1476 debug1: Client protocol version 1.5; client software version 1.2.25 debug1: match: 1.2.25 pat 1.2.1*,1.2.2*,1.2.3* debug1: Local version string SSH-1.99-OpenSSH_3.4p1 debug1: Sent 768 bit server key and 1024 bit host key. debug1: Encryption type: 3des debug1: cipher_init: set keylen (16 -> 32) debug1: cipher_init: set keylen (16 -> 32) debug1: Received session key; encryption turned on. debug1: Installing crc compensation attack detector. debug1: Attempting authentication for vancleef. 
debug1: Starting up PAM with username "vancleef" debug1: PAM setting rhost to "pan-6.microunity.com" debug1: PAM Password authentication for "vancleef" failed[7]: Authentication failure Failed none for vancleef from 192.86.6.8 port 1476 debug1: temporarily_use_uid: 500/500 (e=0) debug1: trying public RSA key file /home/vancleef/.ssh/authorized_keys debug1: restore_uid Failed rsa for vancleef from 192.86.6.8 port 1476 debug1: PAM Password authentication accepted for user "vancleef" Accepted password for vancleef from 192.86.6.8 port 1476 Accepted password for vancleef from 192.86.6.8 port 1476 debug1: monitor_child_preauth: vancleef has been authenticated by privileged process debug1: PAM establishing creds debug1: cipher_init: set keylen (16 -> 32) debug1: cipher_init: set keylen (16 -> 32) debug1: session_new: init debug1: session_new: session 0 debug1: Installing crc compensation attack detector. debug1: Allocating pty. debug1: session_new: init debug1: session_new: session 0 debug1: session_pty_req: session 0 alloc /dev/pts/3 debug1: Ignoring unsupported tty mode opcode 16 (0x10) debug1: Ignoring unsupported tty mode opcode 17 (0x11) Setting tty modes failed: Invalid argument debug1: PAM setting tty to "/dev/pts/3" debug1: PAM establishing creds debug1: fd 4 setting TCP_NODELAY debug1: Entering interactive session. debug1: Setting controlling tty using TIOCSCTTY. debug1: fd 7 setting O_NONBLOCK debug1: fd 10 setting O_NONBLOCK debug1: fd 11 setting O_NONBLOCK debug1: server_init_dispatch_13 debug1: server_init_dispatch_15 debug1: Received SIGCHLD. debug1: End of interactive session; stdin 5, stdout (read 781, sent 781), stderr 0 bytes. debug1: Command exited with status 0. debug1: Received exit confirmation. 
debug1: session_close: session 0 pid 6665 debug1: session_by_tty: session 0 tty /dev/pts/3 debug1: session_pty_cleanup: session 0 release /dev/pts/3 Closing connection to 192.86.6.8 [root at ns1 openssh-3.4p1]# From gert at greenie.muc.de Thu Jun 27 06:06:34 2002 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 26 Jun 2002 22:06:34 +0200 Subject: final build. In-Reply-To: ; from tim@multitalents.net on Wed, Jun 26, 2002 at 08:40:15AM -0700 References: <20020626095550.N18668@greenie.muc.de> Message-ID: <20020626220634.R18668@greenie.muc.de> Hi, On Wed, Jun 26, 2002 at 08:40:15AM -0700, Tim Rice wrote: > > > If there are any issues that are not marked as known. Let us know ASAP. > > sco3.2v4 needs BROKEN_FD_PASSING as well (that is: it doesn't *have* > > FD passing, so I assume it has to be defined as "BROKEN"). > > sco3.2v4.2 doesn't even have enough capabilities the even try fd passing > so defining BROKEN_FD_PASSING would not do anything on that platform. OK. I was just guessing according to configure.ac not having it. See my other mail - it's not working yet anyway due to socketpair() missing... gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From vancleef at microunity.com Thu Jun 27 06:10:32 2002 
From: vancleef at microunity.com (Bob Van Cleef) Date: Wed, 26 Jun 2002 13:10:32 -0700 (PDT) Subject: bad owner on /var/empty: RH6.2 sparc 3.4p1 In-Reply-To: <20020626153010.P20075@zax.half.pint-stowp.cx> Message-ID: On Wed, 26 Jun 2002, Jim Knoble wrote: > Circa 2002-Jun-26 11:58:19 -0700 dixit Bob Van Cleef: > > [...] > : When attempting to run I see: > : > : [root at ns1 openssh-3.4p1]# /usr/local/sbin/sshd -d > : This platform does not support both privilege separation and compression > : Compression disabled > : debug1: sshd version OpenSSH_3.4p1 > : debug1: private host key: #0 type 0 RSA1 > : debug1: read PEM private key done: type RSA > : debug1: private host key: #1 type 1 RSA > : debug1: read PEM private key done: type DSA > : debug1: private host key: #2 type 2 DSA > : Bad owner or mode for /var/empty > : [root at ns1 openssh-3.4p1]# ls -l /usr/local/sbin/sshd > : -rwxr-xr-x 1 root root 801476 Jun 26 11:36 > : /usr/local/sbin/sshd > : [root at ns1 openssh-3.4p1]# ls -lag /var/empty > : total 5 > : drwx------ 2 sshd sshd 1024 Jun 25 16:13 . > : drwxr-xr-x 19 root root 1024 Jun 25 16:13 .. > : -rw-r--r-- 1 sshd sshd 24 Jun 25 16:13 .bash_logout > : -rw-r--r-- 1 sshd sshd 230 Jun 25 16:13 .bash_profile > : -rw-r--r-- 1 sshd sshd 124 Jun 25 16:13 .bashrc > : [root at ns1 openssh-3.4p1]# > > No. Bad. /var/empty should be mode 0755, owner 0 (root), group 0 > (root, wheel, sys, or whatever it is on your system). And, it should > be empty. Does your useradd default to creating the user's home > directory? Perhaps that's why your /var/empty appears to have been > chowned and populated from /etc/skel. > > Jim; You are correct. I used useradd to create the account and it populated the directory. As previously noted, chown root.root cured the problem and I have now deleted the .bash cruft. Thanks again everyone for the quick response to this issue. 
Bob [ now to get it working under SunOS 4.1.4 - I love old systems :) ] From bugzilla-daemon at mindrot.org Thu Jun 27 06:27:07 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 27 Jun 2002 06:27:07 +1000 (EST) Subject: [Bug 207] Connect timeout patch Message-ID: <20020626202707.1DC09E8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=207 ------- Additional Comments From jclonguet at free.fr 2002-06-27 06:27 ------- Created an attachment (id=118) Patch for OpenSSH-3.4p1 ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From vinschen at redhat.com Thu Jun 27 06:29:37 2002 From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 26 Jun 2002 22:29:37 +0200 Subject: bad owner on /var/empty: RH6.2 sparc 3.4p1 In-Reply-To: <20020626200048.GM19640@conectiva.com.br> References: <20020626194146.GE2752@jenny.crlsca.adelphia.net> <20020626200048.GM19640@conectiva.com.br> Message-ID: <20020626222937.J22705@cygbert.vinschen.de> On Wed, Jun 26, 2002 at 05:00:48PM -0300, Andreas Hasenack wrote: > Em Wed, Jun 26, 2002 at 12:50:59PM -0700, Tim Rice escreveu: > > Shall we patch Makefile.in ? > > > > --- Makefile.in.old Tue Jun 25 16:45:42 2002 > > +++ Makefile.in Wed Jun 26 12:49:25 2002 > > @@ -219,6 +219,7 @@ > > $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir) > > $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH) > > chmod 0700 $(DESTDIR)$(PRIVSEP_PATH) > > + chown 0 $(DESTDIR)$(PRIVSEP_PATH) > > Distros will just remove this line again, otherwise they would have to start > building packages as root. And uid 0 has no meaning on some systems... Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From bugzilla-daemon at mindrot.org Thu Jun 27 06:37:15 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 27 Jun 2002 06:37:15 +1000 (EST) Subject: [Bug 302] New: make install reports that separation user does not exist... Message-ID: <20020626203715.6DAA7E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=302 Summary: make install reports that separation user does not exist... Product: Portable OpenSSH Version: -current Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: adudek at sprint.net I followed the directions in the README.prev and I am seeing this, not having any issues so far, but I am getting the following with make install... /etc/ssh/ssh_host_rsa_key already exists, skipping. id sshd || \ echo "WARNING: Privilege separation user \"sshd\" does not exist" uid=1011(sshd) gid=102(sshd) Box specifics... SunOS raistlin 5.8 Generic_108528-14 sun4u sparc adudek at raistlin: ~/openssh-3.4p1/ >gcc -v Reading specs from /usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/specs Configured with: ../gcc-3.0.3/configure --enable-shared : (reconfigured) ../gcc-3.0.3/configure --enable-shared --with-gnu-as --with-gnu-ld --enable-libgcj Thread model: posix gcc version 3.0.3adudek at raistlin: ~/openssh-3.4p1/ >./configure --with-xauth=/usr/openwin/bin --with-mantype=man --with-md5-passwords --with-ipaddr-display --with-ipv4-default --with-4in6 --sysconfdir=/etc/ssh ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From jclonguet at free.fr Thu Jun 27 06:43:22 2002 
From: jclonguet at free.fr (Jean-Charles Longuet) Date: Wed, 26 Jun 2002 22:43:22 +0200 Subject: [PATCH] connect() timeout References: <3CAB7B01.270260E6@free.fr> <20020404140958.GA6477@folly> Message-ID: <3D1A276A.F519E99E@free.fr> Here is the version of this patch for the last portable version of OpenSSH (3.4p1), as it is not included in the main tree. The patch avoids waiting too long when using ssh() or scp() on a down host; it is useful when you have to update many hosts via rsync or rdist themselves relying upon ssh(). It enables a new option 'ConnectTimeout' to control exactly the timeout value, so that it can be used even on slow links. These patches can also be found on http://charts.free.fr/ If you think this patch is worth including in the main tree, then you can vote for it on http://bugzilla.mindrot.org/showvotes.cgi?voteon=207 but this requires a login. You can also just browse the case at http://bugzilla.mindrot.org/show_bug.cgi?id=207 Hope this patch helps you. -- Jean-Charles -------------- next part -------------- --- openssh-3.4p1/readconf.c.ORIG Wed Jun 26 22:14:41 2002 +++ openssh-3.4p1/readconf.c Wed Jun 26 21:51:13 2002 @@ -114,7 +114,7 @@ oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oDeprecated + oConnectTimeout, oDeprecated } OpCodes; /* Textual representations of the tokens. */ @@ -186,6 +186,7 @@ { "smartcarddevice", oSmartcardDevice }, { "clearallforwardings", oClearAllForwardings }, { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost }, + { "connecttimeout", oConnectTimeout }, { NULL, oBadOption } };
@@ -293,6 +294,18 @@ /* don't panic, but count bad options */ return -1; /* NOTREACHED */ + case oConnectTimeout: + intptr = &options->connection_timeout; +parse_time: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing time argument.", filename, linenum); + if ((value = convtime(arg)) == -1) + fatal("%.200s line %d: Invalid time argument.", filename, linenum); + if (*intptr == -1) + *intptr = value; + break; + case oForwardAgent: intptr = &options->forward_agent; parse_flag: @@ -769,6 +782,7 @@ options->compression_level = -1; options->port = -1; options->connection_attempts = -1; + options->connection_timeout = -1; options->number_of_password_prompts = -1; options->cipher = -1; options->ciphers = NULL; --- openssh-3.4p1/readconf.h.ORIG Wed Jun 26 22:14:41 2002 +++ openssh-3.4p1/readconf.h Wed Jun 26 21:51:13 2002 @@ -66,6 +66,8 @@ int port; /* Port to connect. */ int connection_attempts; /* Max attempts (seconds) before * giving up */ + int connection_timeout; /* Max time (seconds) before + * aborting connection attempt */ int number_of_password_prompts; /* Max number of password * prompts. */ int cipher; /* Cipher to use. */ --- openssh-3.4p1/ssh.c.ORIG Wed Jun 26 22:14:41 2002 +++ openssh-3.4p1/ssh.c Wed Jun 26 22:14:06 2002 @@ -614,7 +614,7 @@ /* Open a connection to the remote host. */ if (ssh_connect(host, &hostaddr, options.port, IPv4or6, - options.connection_attempts, + options.connection_attempts, options.connection_timeout, #ifdef HAVE_CYGWIN options.use_privileged_port, #else --- openssh-3.4p1/ssh_config.0.ORIG Wed Jun 26 22:14:41 2002 +++ openssh-3.4p1/ssh_config.0 Wed Jun 26 21:51:13 2002 
@@ -111,6 +111,13 @@ exiting. The argument must be an integer. This may be useful in scripts if the connection sometimes fails. The default is 1. + ConnectTimeout + Specifies the timeout used when connecting to the ssh server, + instead of using default system values. This value is used only + when the target is down or really unreachable, not when it refuses + the connection. This may be usefull for tools using ssh for + communication, as it avoid long TCP timeouts. + DynamicForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application protocol is then --- openssh-3.4p1/ssh_config.5.ORIG Wed Jun 26 22:14:41 2002 +++ openssh-3.4p1/ssh_config.5 Wed Jun 26 21:51:13 2002 @@ -220,6 +220,12 @@ The argument must be an integer. This may be useful in scripts if the connection sometimes fails. The default is 1. +.It Cm ConnectTimeout +Specifies the timeout used when connecting to the ssh +server, instead of using default system values. This value is used +only when the target is down or really unreachable, not when it +refuses the connection. This may be usefull for tools using ssh +for communication, as it avoid long TCP timeouts. .It Cm DynamicForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application --- openssh-3.4p1/sshconnect.c.ORIG Wed Jun 26 22:14:41 2002 +++ openssh-3.4p1/sshconnect.c Wed Jun 26 21:51:13 2002 
@@ -211,6 +211,61 @@ return sock; } +int +timeout_connect(int sockfd, const struct sockaddr *serv_addr, + socklen_t addrlen, int timeout) +{ + fd_set *fdset; + struct timeval tv; + socklen_t optlen; + int fdsetsz, optval, rc; + + if (timeout <= 0) + return(connect(sockfd, serv_addr, addrlen)); + + if (fcntl(sockfd, F_SETFL, O_NONBLOCK) < 0) + return -1; + + rc = connect(sockfd, serv_addr, addrlen); + if (rc == 0) + return 0; + if (errno != EINPROGRESS) + return -1; + + fdsetsz = howmany(sockfd+1, NFDBITS) * sizeof(fd_mask); + fdset = (fd_set *)xmalloc(fdsetsz); + memset(fdset, 0, fdsetsz); + FD_SET(sockfd, fdset); + tv.tv_sec = timeout; + tv.tv_usec = 0; + rc=select(sockfd+1, NULL, fdset, NULL, &tv); + + switch(rc) { + case 0: + errno = ETIMEDOUT; + case -1: + return -1; + break; + case 1: + optval = 0; + optlen = sizeof(optval); + if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, &optlen) == -1) + return -1; + if (optval != 0) + { + errno = optval; + return -1; + } + return 0; + + default: + /* Should not occur */ + return -1; + break; + } + return -1; +} + /* * Opens a TCP/IP connection to the remote server on the given host. * The address of the remote host will be returned in hostaddr. @@ -230,7 +285,7 @@ */ int ssh_connect(const char *host, struct sockaddr_storage * hostaddr, - u_short port, int family, int connection_attempts, + u_short port, int family, int connection_attempts, int connection_timeout, int needpriv, const char *proxy_command) { int gaierr; @@ -300,7 +355,8 @@ /* Any error is already output */ continue; - if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) { + if (timeout_connect(sock, ai->ai_addr, ai->ai_addrlen, + connection_timeout) >= 0) { /* Successful connection. */ memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); break; --- openssh-3.4p1/sshconnect.h.ORIG Wed Jun 26 22:14:41 2002 +++ openssh-3.4p1/sshconnect.h Wed Jun 26 21:51:13 2002 
@@ -35,7 +35,7 @@ int ssh_connect(const char *, struct sockaddr_storage *, u_short, int, int, - int, const char *); + int, int, const char *); void ssh_login(Sensitive *, const char *, struct sockaddr *, struct passwd *); From wendyp at cray.com Thu Jun 27 06:42:26 2002 
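Review bot: in the sshconnect.c hunk, timeout_connect() leaves the socket non-blocking after a successful connect: `fcntl(sockfd, F_SETFL, O_NONBLOCK)` overwrites whatever status flags were set and no path restores them, so the rest of ssh then runs on a non-blocking socket it never asked for. Save the flags with F_GETFL before the connect and restore them at least on the success path; the fdset from xmalloc() is also never freed, and the `case 0:` fall-through into `case -1:` is intentional but should say so in a comment. The readconf.c, readconf.h and ssh.c hunks are consistent with how the other options are handled; the new manual text has "usefull" and "as it avoid" that want fixing before this goes in.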
From: wendyp at cray.com (Wendy Palm) Date: Wed, 26 Jun 2002 15:42:26 -0500 Subject: [Bug 302] New: make install reports that separation user does not exist... References: <20020626203715.6DAA7E881@shitei.mindrot.org> Message-ID: <3D1A2732.3CBCA1EB@cray.com> that's not an error. you're seeing the debug output. immediately after it, the uid=1011(sshd) gid=102(sshd) line indicates that the user actually does exist. you're ok. bugzilla-daemon at mindrot.org wrote: > > http://bugzilla.mindrot.org/show_bug.cgi?id=302 > > Summary: make install reports that separation user does not > exist... > Product: Portable OpenSSH > Version: -current > Platform: UltraSparc > OS/Version: Solaris > Status: NEW > Severity: normal > Priority: P2 > Component: Build system > AssignedTo: openssh-unix-dev at mindrot.org > ReportedBy: adudek at sprint.net > > I followed the directions in the README.prev and I am seeing this, not having > any issues so far, but I am getting the following with make install... > /etc/ssh/ssh_host_rsa_key already exists, skipping. > id sshd || \ > echo "WARNING: Privilege separation user \"sshd\" does not exist" > uid=1011(sshd) gid=102(sshd) > > Box specifics... > SunOS raistlin 5.8 Generic_108528-14 sun4u sparc > adudek at raistlin: ~/openssh-3.4p1/ >gcc -v > Reading specs from /usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/specs > Configured with: ../gcc-3.0.3/configure --enable-shared : (reconfigured) > ../gcc-3.0.3/configure --enable-shared --with-gnu-as --with-gnu-ld > --enable-libgcj > Thread model: posix > gcc version 3.0.3adudek at raistlin: ~/openssh-3.4p1/ >./configure > --with-xauth=/usr/openwin/bin --with-mantype=man --with-md5-passwords > --with-ipaddr-display --with-ipv4-default --with-4in6 --sysconfdir=/etc/ssh > > ------- You are receiving this mail because: ------- > You are the assignee for the bug, or are watching the assignee. 
> _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From tim at multitalents.net Thu Jun 27 06:46:58 2002 From: tim at multitalents.net (Tim Rice) Date: Wed, 26 Jun 2002 13:46:58 -0700 (PDT) Subject: bad owner on /var/empty: RH6.2 sparc 3.4p1 In-Reply-To: <20020626200048.GM19640@conectiva.com.br> Message-ID: On Wed, 26 Jun 2002, Andreas Hasenack wrote: > Em Wed, Jun 26, 2002 at 12:50:59PM -0700, Tim Rice escreveu: > > Shall we patch Makefile.in ? > > > > --- Makefile.in.old Tue Jun 25 16:45:42 2002 > > +++ Makefile.in Wed Jun 26 12:49:25 2002 > > @@ -219,6 +219,7 @@ > > $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir) > > $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH) > > chmod 0700 $(DESTDIR)$(PRIVSEP_PATH) > > + chown 0 $(DESTDIR)$(PRIVSEP_PATH) > > Distros will just remove this line again, otherwise they would have to start > building packages as root. Good point. That would mess up buildpkg.sh Bad Idea. :-) -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From atb at zoo.uvm.edu Thu Jun 27 07:13:56 2002 
From: atb at zoo.uvm.edu (Ashton Trey Belew) Date: Wed, 26 Jun 2002 17:13:56 -0400 (EDT) Subject: Problem with interaction between commercial and openssh Message-ID: Hello all, Earlier this week we disabled protocol 1 upon our machines while installing commercial ssh 3.2.0. Suddenly I discovered that the AIX systems running Openssh were not able to connect. I upgraded to the newly minted 3.4p1 and discovered the same problem. My limited poking around has shown the following: <16:59:38>atb at ursus:>ssh -vv atb at host debug1: bits set: 503/1024 debug1: ssh_dss_verify: signature incorrect key_verify failed for server_host_key debug1: Calling cleanup 0x2000ca44(0x0) Putting an #if 0 ... #endif around the key_verify call in kexdh.c solves the problem, but in a most unsatisfactory fashion. I double checked my compiles for linux and solaris and they are working perfectly. Looking in ssh-dss.c at ssh_dss_verify it appears that all is well right up until the end when the following occurs: ret = DSA_do_verify(digest, dlen, sig, key->dsa); memset(digest, 'd', sizeof(digest)); DSA_SIG_free(sig); debug("ssh_dss_verify: signature %s", ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error"); return ret; If I am not mistaken, DSA_do_verify comes out of openssl. I am poking around in it now to see what I can learn; but I figured I would write here and see if anyone has any suggestions about where I should look. Have a nice day, -Trey -- Ashton Trey Belew 802 656 1260 atb at zoo.uvm.edu Recall Larry's 2nd Law of Language Redesign: Larry gets the colon. From bugzilla-daemon at mindrot.org Thu Jun 27 07:38:30 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 27 Jun 2002 07:38:30 +1000 (EST) Subject: [Bug 303] New: conftest fails to determine mmap anon shared Message-ID: <20020626213830.3A65BE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=303 Summary: conftest fails to determine mmap anon shared Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: FreeBSD Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: gert at greenie.muc.de configure:6530: checking for mmap anon shared configure:6555: cc -o conftest -O -pipe -mpentium -march=pentium -Wall -Wpointer-arith -Wno-uninitialized conftest.c -lutil -lz >&5 In file included from configure:6540: /usr/include/sys/mman.h:141: syntax error before `mode_t' configure:6544: warning: return-type defaults to `int' configure:6558: $? = 1 configure: program exited with status 1 needs before - easily changed in configure.ac 3.4p1 on FreeBSD 4.6-RELEASE, and on 3.4-RELEASE, so I assume this hits all FreeBSD versions. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From andreas at conectiva.com.br Thu Jun 27 08:06:13 2002 
From: andreas at conectiva.com.br (Andreas Hasenack) Date: Wed, 26 Jun 2002 19:06:13 -0300 Subject: sshd and file descriptors Message-ID: <20020626220613.GO19640@conectiva.com.br> I have an openssh RPM package that restarts the sshd server during an upgrade if the daemon is already running. So far, so good, restart works. But I observed the following behaviour: - when issuing rpm -Uvh bla.rpm, rpm, obviously, opens the rpm file and gets a file descriptor. Say, 8. - rpm does its stuff and spawns a shell to execute the %post script. The shell also gets fd 8 (should rpm close all descriptors before executing its scripts? More below). - the script decides at some point to restart sshd. It stops the daemon and starts a new one. The new sshd daemon also gets fd 8 pointing to the rpm package. Shouldn't sshd close all descriptors before daemonizing? If I do this remotely I then get the famous hang-on-exit problem. For example (just after upgrading the packages) # ls -la /proc/15301/fd total 0 dr-x------ 2 root root 0 Jun 26 19:02 ./ dr-xr-xr-x 3 root root 0 Jun 26 19:02 ../ lrwx------ 1 root root 64 Jun 26 19:02 0 -> /dev/null lrwx------ 1 root root 64 Jun 26 19:02 1 -> /dev/null lrwx------ 1 root root 64 Jun 26 19:02 16 -> /dev/pts/0 lrwx------ 1 root root 64 Jun 26 19:02 2 -> /dev/null l-wx------ 1 root root 64 Jun 26 19:02 21 -> /dev/null lrwx------ 1 root root 64 Jun 26 19:02 3 -> socket:[192227] lr-x------ 1 root root 64 Jun 26 19:02 7 -> pipe:[192223] lr-x------ 1 root root 64 Jun 26 19:02 8 -> /home/user/rpm/RPMS/i386/openssh-server-3.4p1-1cl.i386.rpm l-wx------ 1 root root 64 Jun 26 19:02 9 -> pipe:[192223] Shouldn't a daemon close all fds before going into "daemon land"? What exactly is broken here? From bugzilla-daemon at mindrot.org Thu Jun 27 08:18:25 2002 
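As an added example (not from this thread or from OpenSSH), the two defensive measures the question points at: a daemon sweeping the descriptors it inherited before it detaches, and a parent marking its own long-lived descriptors close-on-exec so an exec()ed child never sees them. The /dev/null descriptors stand in for the .rpm file and the listening socket from the report; the function names are my own.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Close every descriptor in [lowfd, highfd) that is not listed in keep[].
 * highfd < 0 means "up to the system's open-file limit", which is what a
 * daemon would pass right before it detaches. Returns how many descriptors
 * were actually open and got closed. */
int close_fd_range(int lowfd, int highfd, const int *keep, int nkeep)
{
    int fd, i, closed = 0;

    if (highfd < 0) {
        long lim = sysconf(_SC_OPEN_MAX);
        highfd = lim > 0 ? (int)lim : 1024;   /* no answer from the system: assume a ceiling */
    }
    for (fd = lowfd; fd < highfd; fd++) {
        int skip = 0;
        for (i = 0; i < nkeep; i++)
            if (keep[i] == fd)
                skip = 1;
        if (!skip && close(fd) == 0)
            closed++;                         /* EBADF on unused slots is expected */
    }
    return closed;
}

/* 1 if fd refers to an open descriptor, 0 otherwise. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Mark fd close-on-exec so a child started with execve() (sshd restarted
 * from a %post script, say) does not inherit it. 0 on success, -1 on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Simulate the report: an inherited package descriptor plus a socket we must
 * keep. Returns 1 if the sweep closed the former and left the latter alone. */
int inherited_fd_demo(void)
{
    int pkg  = open("/dev/null", O_RDONLY);   /* stands in for the .rpm (fd 8 in the report) */
    int sock = open("/dev/null", O_RDWR);     /* stands in for the listening socket */
    int lo, hi, ok;

    if (pkg == -1 || sock == -1)
        return 0;
    lo = pkg < sock ? pkg : sock;
    hi = (pkg > sock ? pkg : sock) + 1;
    /* A real daemon passes highfd = -1; here the sweep is bounded to our own descriptors. */
    close_fd_range(lo, hi, &sock, 1);
    ok = !fd_is_open(pkg) && fd_is_open(sock);
    close(sock);
    return ok;
}

/* Returns 1 if FD_CLOEXEC is set after set_cloexec() on a fresh descriptor. */
int cloexec_demo(void)
{
    int fd = open("/dev/null", O_RDONLY);
    int flags, ok;

    if (fd == -1)
        return 0;
    ok = set_cloexec(fd) == 0 && (flags = fcntl(fd, F_GETFD)) != -1 && (flags & FD_CLOEXEC);
    close(fd);
    return ok;
}

int main(void)
{
    printf("inherited descriptor closed, socket kept: %s\n", inherited_fd_demo() ? "yes" : "no");
    printf("FD_CLOEXEC set on our own descriptor: %s\n", cloexec_demo() ? "yes" : "no");
    return 0;
}
```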
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 27 Jun 2002 08:18:25 +1000 (EST) Subject: [Bug 304] New: ssh-keysign memory freeing bug Message-ID: <20020626221825.E690BE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=304 Summary: ssh-keysign memory freeing bug Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: major Priority: P2 Component: Miscellaneous AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: openssh at sigint.cs.purdue.edu CC: openssh at sigint.cs.purdue.edu The data received from ssh is freed before key_sign is run on it, which results in a bogus signature, at least under Linux. (Solaris and IRIX don't seem to mind.) --- ssh-keysign.c~ Wed Jun 26 17:01:42 2002 +++ ssh-keysign.c Wed Jun 26 17:01:49 2002 @@ -192,7 +192,6 @@ data = buffer_get_string(&b, &dlen); if (valid_request(pw, host, &key, data, dlen) < 0) fatal("not a valid request"); - xfree(data); xfree(host); found = 0; @@ -208,6 +207,7 @@ if (key_sign(keys[i], &signature, &slen, data, dlen) != 0) fatal("key_sign failed"); + xfree(data); /* send reply */ buffer_clear(&b); ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From dot at dotat.at Thu Jun 27 08:18:58 2002 
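Review bot: the move is correct and the description undersells it: `data` is freed in the first hunk and then handed to key_sign() in the second, so this is a use-after-free, and the "bogus signature" on Linux is just the allocator reusing the block first; Solaris and IRIX "not minding" means the freed memory happened to survive there, not that the code is sound on those platforms. Worth stating in the commit message so nobody treats it as a Linux-only quirk. With the xfree(data) now after key_sign(), make sure it is outside any early-exit path in the key loop so the buffer is released exactly once.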
From: dot at dotat.at (Tony Finch) Date: Wed, 26 Jun 2002 23:18:58 +0100 Subject: [PATCH] improved chroot handling Message-ID: <20020626231858.E26954@chiark.greenend.org.uk> There are a couple of niggles with the sandboxing of the unprivileged child in the privsep code: the empty directory causes namespace pollution, and it requires care to ensure that it is set up properly and remains set up properly. The patch below (against the portable OpenSSH, although the patch against the OpenBSD version is very similar) replaces the fixed empty directory with one that is created on demand and is immediately removed after the child process has chdir()ed and chroot()ed into it. This ensures that the directory is in a known-safe state and that no-one (not even root) can mess it up. Index: pathnames.h =================================================================== RCS file: /home/ncvs/src/crypto/openssh-portable/pathnames.h,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 pathnames.h --- pathnames.h 24 Jun 2002 22:46:13 -0000 1.1.1.1 +++ pathnames.h 26 Jun 2002 17:58:59 -0000 @@ -145,11 +145,6 @@ #define _PATH_SFTP_SERVER "/usr/libexec/sftp-server" #endif -/* chroot directory for unprivileged user when UsePrivilegeSeparation=yes */ -#ifndef _PATH_PRIVSEP_CHROOT_DIR -#define _PATH_PRIVSEP_CHROOT_DIR "/var/empty" -#endif - #ifndef _PATH_LS #define _PATH_LS "ls" #endif Index: sshd.c =================================================================== RCS file: /home/ncvs/src/crypto/openssh-portable/sshd.c,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 sshd.c --- sshd.c 24 Jun 2002 22:46:20 -0000 1.1.1.1 +++ sshd.c 26 Jun 2002 18:00:25 -0000 
@@ -545,14 +545,9 @@ memset(pw->pw_passwd, 0, strlen(pw->pw_passwd)); endpwent(); - /* Change our root directory*/ - if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) - fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, - strerror(errno)); - if (chdir("/") == -1) - fatal("chdir(\"/\"): %s", strerror(errno)); - - /* Drop our privileges */ + /* Change our root directory and drop privileges */ + if (chroot(".") < 0) + fatal("chroot(): %s\n", strerror(errno)); debug3("privsep user:group %u:%u", (u_int)pw->pw_uid, (u_int)pw->pw_gid); do_setusercontext(pw); @@ -561,6 +556,7 @@ static Authctxt* privsep_preauth(void) { + char emptydir[] = "/var/tmp/sshd.XXXXXXXXXX"; Authctxt *authctxt = NULL; int status; pid_t pid; @@ -570,12 +566,31 @@ /* Store a pointer to the kex for later rekeying */ pmonitor->m_pkex = &xxx_kex; + /* + * We create a safe environment for the child by creating an empty + * directory into which the child chroots, and the parent prevents + * others from fooling around with it by removing the directory. We do + * it this way because the child can't remove its own current working + * directory (except on some systems by giving an absolute path to + * rmdir, but it is highly dependent on the OS and filesystem). We + * create the directory in /var/tmp in order that we are more likely + * to get a well-behaved disk filesystem. + */ + if (mkdtemp(emptydir) == NULL) + fatal("mkdtemp(\"%s\"): %s", emptydir, strerror(errno)); + pid = fork(); if (pid == -1) { fatal("fork of unprivileged child failed"); } else if (pid != 0) { debug2("Network child is on pid %ld", (long)pid); + /* Wait for the child to chdir then remove the directory */ + if (read(pmonitor->m_recvfd, &status, 1) < 0) + fatal("read(): %s", strerror(errno)); + if (rmdir(emptydir) < 0) + fatal("rmdir(\"%s\"): %s", emptydir, strerror(errno)); + close(pmonitor->m_recvfd); authctxt = monitor_child_preauth(pmonitor); close(pmonitor->m_sendfd); 
@@ -591,6 +606,10 @@ } else { /* child */ + if (chdir(emptydir) == -1) + fatal("chdir(\"%s\"): %s", emptydir, strerror(errno)); + if (write(pmonitor->m_sendfd, &status, 1) < 0) + fatal("write(): %s", strerror(errno)); close(pmonitor->m_sendfd); /* Demote the child */ @@ -1008,10 +1027,6 @@ if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) fatal("Privilege separation user %s does not exist", SSH_PRIVSEP_USER); - if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) || - (S_ISDIR(st.st_mode) == 0)) - fatal("Missing privilege separation directory: %s", - _PATH_PRIVSEP_CHROOT_DIR); } /* Configuration looks good, so exit if in test mode. */ Tony. -- f.a.n.finch http://dotat.at/ FISHER GERMAN BIGHT: WESTERLY VEERING NORTHWESTERLY 4 OR 5, OCCASIONALLY 6. SHOWERS. MODERATE OR GOOD. From drk at sgi.com Thu Jun 27 08:21:26 2002 
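Review bot: in the privsep_preauth() hunk the parent treats `read(pmonitor->m_recvfd, &status, 1) < 0` as the only failure, but a child that dies before writing its byte (the chdir() fatal() path, for instance) closes its end and read() returns 0, after which the parent still rmdir()s and enters monitor_child_preauth() on a dead child; test for `!= 1` instead. Two smaller points: `fatal("chroot(): %s\n", ...)` carries a trailing newline the other fatal() calls in this file do not, and if the `struct stat st` the removed stat() check used has no other user in that function it should be removed with it to avoid an unused-variable warning.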
From: drk at sgi.com (David Kaelbling) Date: Wed, 26 Jun 2002 18:21:26 -0400 Subject: IRIX 6.5 patch for Compression with UsePrivilegeSeparation Message-ID: <3D1A3E66.3A3704F7@sgi.com> Simon Cooper already mailed in a patch to get the effects of MAP_ANON on IRIX systems, but it was against openssh/3.3p1. I've reapplied his patch to openssh/3.4p1 and include it as an attachment. Here's his explanation: > I noticed that the recent release requires the existence of MAP_ANON to get > an anonymous memory region. In Irix the equivalent functionality can be > obtained by mapping the file /dev/zero. This feature is rather obliquely > documented in the "zero(7)" man page... > > Mapping a zero special file creates a zero-initialized unnamed memory > object of a length equal to the length of the mapping and rounded up to > the nearest page size as returned by getpagesize(2). Multiple processes > can share such a zero special file object provided a common ancestor > mapped the object MAP_SHARED. > > I will be fixing our "mmap" documentation to include this useful bit of > information. > > So, > > address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,-1,0); > > becomes, > > fd_zero = open ("/dev/zero", O_RDWR); /* Check missing */ > address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED, fd_zero, 0); > close (fd_zero) > > With this in mind the following diffs will permit openssh-3.3p1 with > compression and UsePrivilegeSeparation to work on all Irix 6.5 sub versions > and likely anything since Irix 5.3 (ie 10 years ago!). David -- David KAELBLING Silicon Graphics Computer Systems 1 Cabot Rd, suite 250; Hudson, MA 01749 781.839.2157, fax ...2357 -------------- next part -------------- --- ./config.h.in Wed Jun 26 10:08:19 2002 +++ ../openssh-3.4p1/./config.h.in Wed Jun 26 17:46:01 2002
@@ -358,6 +358,9 @@ /* Define if you have the `mmap' function that supports MAP_ANON|SHARED */ #undef HAVE_MMAP_ANON_SHARED +/* Define if mmap of /dev/zero gives an anonymous memory region. */ +#undef HAVE_MMAP_DEV_ZERO + /* Define if sendmsg()/recvmsg() has problems passing file descriptors */ #undef BROKEN_FD_PASSING --- ./servconf.c Mon Jun 24 23:22:04 2002 +++ ../openssh-3.4p1/./servconf.c Wed Jun 26 17:54:55 2002 @@ -257,7 +257,7 @@ if (use_privsep == -1) use_privsep = 1; -#if !defined(HAVE_MMAP_ANON_SHARED) +#if !defined(HAVE_MMAP_ANON_SHARED) && !defined(HAVE_MMAP_DEV_ZERO) if (use_privsep && options->compression == 1) { error("This platform does not support both privilege " "separation and compression"); --- ./configure.ac Tue Jun 25 18:35:16 2002 +++ ../openssh-3.4p1/./configure.ac Wed Jun 26 18:18:32 2002 @@ -154,6 +154,7 @@ AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)]) AC_DEFINE(BROKEN_INET_NTOA) AC_DEFINE(WITH_ABBREV_NO_TTY) + AC_DEFINE(HAVE_MMAP_DEV_ZERO) ;; *-*-linux*) no_dev_ptmx=1 --- ./monitor_mm.c Tue Jun 25 20:29:03 2002 +++ ../openssh-3.4p1/./monitor_mm.c Wed Jun 26 17:54:29 2002 @@ -71,6 +71,9 @@ { void *address; struct mm_master *mm; +#if defined(HAVE_MMAP_DEV_ZERO) + int fd_zero; +#endif if (mmalloc == NULL) mm = xmalloc(sizeof(struct mm_master)); @@ -84,7 +87,16 @@ */ mm->mmalloc = mmalloc; -#ifdef HAVE_MMAP_ANON_SHARED +#if defined(HAVE_MMAP_DEV_ZERO) + fd_zero = open ("/dev/zero", O_RDWR); + if (!fd_zero) + fatal("open(/dev/zero): %s", strerror(errno)); + address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED, + fd_zero, 0); + if (address == MAP_FAILED) + fatal("mmap(%lu): %s", (u_long)size, strerror(errno)); + close (fd_zero); +#elif defined(HAVE_MMAP_ANON_SHARED) address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, -1, 0); if (address == MAP_FAILED) 
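Review bot: In the `configure.ac` hunk `AC_DEFINE(HAVE_MMAP_DEV_ZERO)` is set unconditionally in the IRIX case; a feature test that actually maps /dev/zero MAP_SHARED (the same shape as the HAVE_MMAP_ANON_SHARED test that config.h.in describes) would let other platforms without MAP_ANON pick the fallback up as well, and would catch an IRIX sub-release where it does not work instead of failing at runtime. Also, `configure` is generated from `configure.ac`; the hunk against `./configure` at the end of the patch should be dropped in favour of regenerating it.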
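Review bot: In the `@@ -84,7 +87,16 @@` hunk `if (!fd_zero)` tests the wrong value: `open()` returns -1 on failure and 0 is a valid descriptor (plausible here if stdin has been closed), so a failed open goes on to `mmap()` with fd -1 and a successful open on fd 0 is reported as a failure. Use `if (fd_zero == -1)`. Closing `fd_zero` right after a successful `mmap()` is correct, the mapping survives it. Make sure `<fcntl.h>` is included for `O_RDWR`; the hunk does not show the include list. Style: `open (` and `close (` carry a space before the parenthesis, unlike the surrounding calls.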
@@ -130,7 +142,7 @@ mm_freelist(mm->mmalloc, &mm->rb_free); mm_freelist(mm->mmalloc, &mm->rb_allocated); -#ifdef HAVE_MMAP_ANON_SHARED +#if defined(HAVE_MMAP_ANON_SHARED) || defined(HAVE_MMAP_DEV_ZERO) if (munmap(mm->address, mm->size) == -1) fatal("munmap(%p, %lu): %s", mm->address, (u_long)mm->size, strerror(errno)); --- ./configure Wed Jun 26 10:08:18 2002 +++ ../openssh-3.4p1/./configure Wed Jun 26 18:19:05 2002 @@ -3898,6 +3898,10 @@ #define WITH_ABBREV_NO_TTY 1 _ACEOF + cat >>confdefs.h <<\_ACEOF +#define HAVE_MMAP_DEV_ZERO 1 +_ACEOF + ;; *-*-linux*) no_dev_ptmx=1 From des at ofug.org Thu Jun 27 08:24:13 2002 From: des at ofug.org (Dag-Erling Smorgrav) Date: 27 Jun 2002 00:24:13 +0200 Subject: Using Kerberos5 in 3.3p1 In-Reply-To: <87adphltbq.fsf@ashaman.hin.nu> References: <87adphltbq.fsf@ashaman.hin.nu> Message-ID: Hans Insulander writes: > What needs to be done, afaik, is to receive the kerberos auth data in the > unprivileged client process, marshal it and send over to the monitor process. > The monitor should validate the information and say "ok" or "not ok" back to > the client. I have very little clues as how to do that. I can work on this tomorrow provided someone can help me with the Kerberos aspect of things. DES -- Dag-Erling Smorgrav - des at ofug.org From dot at dotat.at Thu Jun 27 08:26:31 2002 
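The /dev/zero technique from David Kaelbling's message above, written out as a runnable C example. This is added here for illustration and is not code from the patch or from OpenSSH. It maps one page either with MAP_ANON or by mapping /dev/zero MAP_SHARED, forks, has the child write into the page and checks that the parent sees the write, which is exactly the property the monitor's shared allocator relies on. The open() failure check compares against -1, the way the patch should. Nothing about OpenSSH's monitor_mm.c internals is assumed beyond what the quoted explanation states.

```c
/* Added example: shared zero-filled memory via MAP_ANON or /dev/zero,
 * and a fork() to prove that parent and child share the pages. */
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

/* Map 'size' bytes of zero-filled memory shared with future children.
 * use_dev_zero selects the /dev/zero route instead of MAP_ANON.
 * Returns MAP_FAILED on error. */
static void *
shared_zero_map(size_t size, int use_dev_zero)
{
	void *address;
	int fd_zero;

	if (!use_dev_zero)
		return mmap(NULL, size, PROT_READ|PROT_WRITE,
		    MAP_ANON|MAP_SHARED, -1, 0);

	/* 0 is a valid descriptor; only -1 signals failure from open(). */
	fd_zero = open("/dev/zero", O_RDWR);
	if (fd_zero == -1)
		return MAP_FAILED;
	address = mmap(NULL, size, PROT_READ|PROT_WRITE, MAP_SHARED,
	    fd_zero, 0);
	/* The mapping stays valid after the descriptor is closed. */
	close(fd_zero);
	return address;
}

/* Fork, let the child write a marker into the shared page, and report
 * whether the parent observes it. Returns 1 if shared, 0 if not, -1 on
 * error. */
static int
shared_across_fork(int use_dev_zero)
{
	size_t size = (size_t)sysconf(_SC_PAGESIZE);
	volatile unsigned char *page;
	void *address;
	pid_t pid;
	int status, seen;

	address = shared_zero_map(size, use_dev_zero);
	if (address == MAP_FAILED)
		return -1;
	page = address;
	if (page[0] != 0)	/* both routes hand back zeroed pages */
		return -1;

	pid = fork();
	if (pid == -1)
		return -1;
	if (pid == 0) {
		page[0] = 0xA5;	/* child writes through its copy of the mapping */
		_exit(0);
	}
	if (waitpid(pid, &status, 0) == -1)
		return -1;
	seen = (page[0] == 0xA5);	/* parent sees it only if MAP_SHARED held */
	munmap(address, size);
	return seen;
}

int
main(void)
{
	printf("MAP_ANON shared: %d, /dev/zero shared: %d\n",
	    shared_across_fork(0), shared_across_fork(1));
	return 0;
}
```

Both calls return 1 on a Linux or BSD host; a return of 0 would mean the page was copied on fork rather than shared, which is what MAP_PRIVATE (or a plain malloc) would give and what would break a monitor/child shared heap.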
From: dot at dotat.at (Tony Finch) Date: Wed, 26 Jun 2002 23:26:31 +0100 Subject: privilege separation breaks dns lookups Message-ID: <20020626232631.F26954@chiark.greenend.org.uk> When the unprivileged child has chrooted it can no longer open /etc/resolv.conf, so if the resolver hasn't yet initialized itself then dns lookups will not be possible. This is unfortunately what normally happens, but sshd falls back gracefully. There are a couple of wrinkles: the resolver will typically try talking to a nameserver on the local host by default (using INADDR_ANY rather than INADDR_LOOPBACK) so if one is running then things will still work. However if for some reason the name server is running but has ACLs which only permit queries on 127.0.0.1 then sshd will hang when attempting a DNS lookup since it gets neither an ICMP port unreachable nor a response. Tony. -- f.a.n.finch http://dotat.at/ VIKING: WESTERLY VEERING NORTHWESTERLY 4 OR 5, OCCASIONALLY 6 IN WEST LATER. RAIN OR SQUALLY SHOWERS. MODERATE OR GOOD. From des at ofug.org Thu Jun 27 08:25:32 2002 
From: des at ofug.org (Dag-Erling Smorgrav) Date: 27 Jun 2002 00:25:32 +0200 Subject: PAM kbd-int with privsep In-Reply-To: <3D19F616.8020603@Sun.COM> References: <1024969975.5925.172.camel@xenon> <20020625123957.A29726@redhat.com> <1025064221.5235.17.camel@xenon> <3D19F616.8020603@Sun.COM> Message-ID: Darren J Moffat writes: > > [PAM_CONV_AGAIN/PAM_INCOMPLETE] > These are Linux extensions to the framework. The people who look > after the Linux-PAM have made significant incompatible changes to the > framework from the original RFC (which was never ratified by Open > Group). The Linux-PAM authors seem (IMHO) to have a very poor understanding of PAM and little interest in conforming to any kind of standard. The number of misfeatures and deliberate incompatibilities is so great that I gave up trying to debug & fix them, and wrote OpenPAM instead. > Open Group has officially released control of PAM back to its original > inventors (Sun). A new working group on PAM does need to be formed > since Linux and the original PAM have diverged too far. As the author of OpenPAM, I would be very interested in participating in such a working group. DES -- Dag-Erling Smorgrav - des at ofug.org From bugzilla-daemon at mindrot.org Thu Jun 27 08:31:34 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 27 Jun 2002 08:31:34 +1000 (EST) Subject: [Bug 304] ssh-keysign memory freeing bug Message-ID: <20020626223134.9099BE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=304 markus at openbsd.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From markus at openbsd.org 2002-06-27 08:31 ------- thanks, patch applied (post 3.4) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From mstone at cs.loyola.edu Thu Jun 27 08:58:52 2002 
From: mstone at cs.loyola.edu (Michael Stone) Date: Wed, 26 Jun 2002 18:58:52 -0400 Subject: pam session as root Message-ID: <20020626185852.A6498@justice.loyola.edu> Beyond any more general questions of whether pam sessions *should* be run as root, is there an immediate security concern with moving the pam_open_session (and pam_setcred) stuff to the parent (root) process? (E.g., via the patch below.) -- Mike Stone diff -u -r1.4 auth-pam.c --- auth-pam.c 25 Jun 2002 00:45:33 -0000 1.4 +++ auth-pam.c 25 Jun 2002 20:33:41 -0000 @@ -286,6 +286,8 @@ pam_retval, PAM_STRERROR(__pamh, pam_retval)); } + if (session_opened) + return; /*Be idempotent so we can be called in monitor and child*/ pam_retval = pam_open_session(__pamh, 0); if (pam_retval != PAM_SUCCESS) fatal("PAM session setup failed[%d]: %.200s", @@ -304,6 +306,8 @@ do_pam_set_conv(&conv); + if (init&&creds_set) + return; /*be idempotent so we can be called in monitor and child*/ debug("PAM establishing creds"); pam_retval = pam_setcred(__pamh, init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); diff -u -r1.1.1.1 monitor.c --- monitor.c 24 Jun 2002 23:29:52 -0000 1.1.1.1 +++ monitor.c 25 Jun 2002 20:33:41 -0000 @@ -278,6 +278,8 @@ #ifdef USE_PAM if (!do_pam_account(authctxt->pw->pw_name, NULL)) authenticated = 0; + do_pam_session(authctxt->pw->pw_name, NULL); + do_pam_setcred(1); #endif } From fcusack at fcusack.com Thu Jun 27 09:10:56 2002 
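Review bot: In the first auth-pam.c hunk (`@@ -286,6 +286,8 @@`) the early `return` relies on `session_opened`, but nothing in the hunk sets it after `pam_open_session()` succeeds; if it is set elsewhere, confirm that path runs, otherwise the guard is dead. More fundamentally, the comment says the aim is to be callable from both monitor and child, but those are separate processes after fork(), so a flag set in the monitor is invisible to the child and the session is still opened twice, once per process. If the intent is to open it only in the monitor, the child-side call needs to go rather than be guarded.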
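Review bot: In the `@@ -304,6 +306,8 @@` hunk `if (init&&creds_set) return;` has the same cross-process problem as the session guard (a process-local flag does not carry over fork()), only protects the `PAM_ESTABLISH_CRED` case so a repeated `do_pam_setcred(0)` still calls `pam_setcred()`, and `creds_set` is not assigned anywhere in the hunk. Also put spaces around `&&` to match the file's style.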
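Review bot: In the monitor.c hunk (`@@ -278,6 +278,8 @@`) `do_pam_session()` and `do_pam_setcred(1)` run right after the account check regardless of its result: when `do_pam_account()` fails, `authenticated` is set to 0 but a PAM session is still opened and credentials are still established, as root, for a user who is about to be refused. Guard both calls with `if (authenticated)`, and if they must stay, make sure there is a matching close/delete path for the refused case.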
From: fcusack at fcusack.com (Frank Cusack) Date: Wed, 26 Jun 2002 16:10:56 -0700 Subject: sshd and file descriptors In-Reply-To: <20020626220613.GO19640@conectiva.com.br>; from andreas@conectiva.com.br on Wed, Jun 26, 2002 at 07:06:13PM -0300 References: <20020626220613.GO19640@conectiva.com.br> Message-ID: <20020626161056.R2377@google.com> On Wed, Jun 26, 2002 at 07:06:13PM -0300, Andreas Hasenack wrote: > > Shouldn't a daemon close all fds before going into "daemon land"? > What exactly is broken here? > rpm A workaround which really isn't so great is to put this in your %post exec 0/dev/null done service restart sshd You might need to bump the end fd higher. 12 seems to work for rpm 4.0.x. The w/a is kind of bad cuz now sshd will have all those fd's open. /fc From luc at suryo.com Thu Jun 27 09:17:47 2002 
From: luc at suryo.com (Luc I. Suryo) Date: Wed, 26 Jun 2002 18:17:47 -0500 Subject: [PATCH] improved chroot handling In-Reply-To: <20020626231858.E26954@chiark.greenend.org.uk> References: <20020626231858.E26954@chiark.greenend.org.uk> Message-ID: <20020626231747.GA8490@nc1701.suryo.com> Tony, it is maybe me but the code: char emptydir[] = "/var/tmp/sshd.XXXXXXXXXX"; is hard coded...and we want to use what is defined by _PATH_PRIVSEP_CHROOT_DIR yes? and should not one make sure that there is no overflow in emptydir??? malloc/free/strlen and that kinda of stuff just me quick 25c :) > There are a couple of niggles with the sandboxing of the unprivileged > child in the privsep code: the empty directory causes namespace pollution, > and it requires care to ensure that it is set up properly and remains set > up properly. The patch below (against the portable OpenSSH, although the > patch against the OpenBSD version is very similar) replaces the fixed > empty directory with one that is created on demand and is immediately > removed after the child process has chdir()ed and chroot()ed into it. > This ensures that the directory is in a known-safe state and that no-one > (not even root) can mess it up. > > Index: pathnames.h > =================================================================== > RCS file: /home/ncvs/src/crypto/openssh-portable/pathnames.h,v > retrieving revision 1.1.1.1 > diff -u -r1.1.1.1 pathnames.h > --- pathnames.h 24 Jun 2002 22:46:13 -0000 1.1.1.1 > +++ pathnames.h 26 Jun 2002 17:58:59 -0000 
> @@ -145,11 +145,6 @@ > #define _PATH_SFTP_SERVER "/usr/libexec/sftp-server" > #endif > > -/* chroot directory for unprivileged user when UsePrivilegeSeparation=yes */ > -#ifndef _PATH_PRIVSEP_CHROOT_DIR > -#define _PATH_PRIVSEP_CHROOT_DIR "/var/empty" > -#endif > - > #ifndef _PATH_LS > #define _PATH_LS "ls" > #endif > Index: sshd.c > =================================================================== > RCS file: /home/ncvs/src/crypto/openssh-portable/sshd.c,v > retrieving revision 1.1.1.1 > diff -u -r1.1.1.1 sshd.c > --- sshd.c 24 Jun 2002 22:46:20 -0000 1.1.1.1 > +++ sshd.c 26 Jun 2002 18:00:25 -0000 > @@ -545,14 +545,9 @@ > memset(pw->pw_passwd, 0, strlen(pw->pw_passwd)); > endpwent(); > > - /* Change our root directory*/ > - if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) > - fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, > - strerror(errno)); > - if (chdir("/") == -1) > - fatal("chdir(\"/\"): %s", strerror(errno)); > - > - /* Drop our privileges */ > + /* Change our root directory and drop privileges */ > + if (chroot(".") < 0) > + fatal("chroot(): %s\n", strerror(errno)); > debug3("privsep user:group %u:%u", (u_int)pw->pw_uid, > (u_int)pw->pw_gid); > do_setusercontext(pw); > @@ -561,6 +556,7 @@ > static Authctxt* > privsep_preauth(void) > { > + char emptydir[] = "/var/tmp/sshd.XXXXXXXXXX"; > Authctxt *authctxt = NULL; > int status; > pid_t pid; 
> @@ -570,12 +566,31 @@ > /* Store a pointer to the kex for later rekeying */ > pmonitor->m_pkex = &xxx_kex; > > + /* > + * We create a safe environment for the child by creating an empty > + * directory into which the child chroots, and the parent prevents > + * others from fooling around with it by removing the directory. We do > + * it this way because the child can't remove its own current working > + * directory (except on some systems by giving an absolute path to > + * rmdir, but it is highly dependent on the OS and filesystem). We > + * create the directory in /var/tmp in order that we are more likely > + * to get a well-behaved disk filesystem. > + */ > + if (mkdtemp(emptydir) == NULL) > + fatal("mkdtemp(\"%s\"): %s", emptydir, strerror(errno)); > + > pid = fork(); > if (pid == -1) { > fatal("fork of unprivileged child failed"); > } else if (pid != 0) { > debug2("Network child is on pid %ld", (long)pid); > > + /* Wait for the child to chdir then remove the directory */ > + if (read(pmonitor->m_recvfd, &status, 1) < 0) > + fatal("read(): %s", strerror(errno)); > + if (rmdir(emptydir) < 0) > + fatal("rmdir(\"%s\"): %s", emptydir, strerror(errno)); > + > close(pmonitor->m_recvfd); > authctxt = monitor_child_preauth(pmonitor); > close(pmonitor->m_sendfd); > @@ -591,6 +606,10 @@ > } else { > /* child */ > > + if (chdir(emptydir) == -1) > + fatal("chdir(\"%s\"): %s", emptydir, strerror(errno)); > + if (write(pmonitor->m_sendfd, &status, 1) < 0) > + fatal("write(): %s", strerror(errno)); > close(pmonitor->m_sendfd); > > /* Demote the child */ 
> @@ -1008,10 +1027,6 @@ > if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) > fatal("Privilege separation user %s does not exist", > SSH_PRIVSEP_USER); > - if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) || > - (S_ISDIR(st.st_mode) == 0)) > - fatal("Missing privilege separation directory: %s", > - _PATH_PRIVSEP_CHROOT_DIR); > } > > /* Configuration looks good, so exit if in test mode. */ > > > Tony. > -- > f.a.n.finch http://dotat.at/ > FISHER GERMAN BIGHT: WESTERLY VEERING NORTHWESTERLY 4 OR 5, OCCASIONALLY 6. > SHOWERS. MODERATE OR GOOD. > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev --- End of dot at dotat.at's quote --- -- Kind regards, Luc Suryo From dot at dotat.at Thu Jun 27 09:23:14 2002 From: dot at dotat.at (Tony Finch) Date: Thu, 27 Jun 2002 00:23:14 +0100 Subject: [PATCH] improved chroot handling In-Reply-To: <20020626231747.GA8490@nc1701.suryo.com>; from luc@suryo.com on Wed, Jun 26, 2002 at 06:17:47PM -0500 References: <20020626231858.E26954@chiark.greenend.org.uk> <20020626231747.GA8490@nc1701.suryo.com> Message-ID: <20020627002314.G26954@chiark.greenend.org.uk> On Wed, Jun 26, 2002 at 06:17:47PM -0500, Luc I. Suryo wrote: > > it is maybe me but the code: > > char emptydir[] = "/var/tmp/sshd.XXXXXXXXXX"; > > is hard coded...and we want to use what is defined by > > _PATH_PRIVSEP_CHROOT_DIR > > yes? Why? The point is to make _PATH_PRIVSEP_CHROOT_DIR unnecessary. > and should not one make sure that there is no overflow in > emptydir??? malloc/free/strlen and that kinda of stuff I suggest you have a look at the manual page for mkdtemp(). Tony. -- f.a.n.finch http://dotat.at/ NORTH UTSIRE SOUTH UTSIRE: WESTERLY VEERING NORTHWESTERLY 4 OR 5, OCCASIONALLY 6 LATER. SHOWERS. GOOD. From djm at mindrot.org Thu Jun 27 09:33:36 2002 
From: djm at mindrot.org (Damien Miller) Date: 27 Jun 2002 09:33:36 +1000 Subject: Upcoming OpenSSH vulnerability In-Reply-To: <20020626114459.R22705@cygbert.vinschen.de> References: <3D18E4D7.3E9AECDE@anl.gov> <15641.510.429570.494980@darkwing.uoregon.edu> <20020626022412.GC12786@vega.ipal.net> <20020626095027.K22705@cygbert.vinschen.de> <20020626091848.GG12786@vega.ipal.net> <20020626114459.R22705@cygbert.vinschen.de> Message-ID: <1025134416.5235.35.camel@xenon> On Wed, 2002-06-26 at 19:44, Corinna Vinschen wrote: > > How long has the opportunity to port privilege separation been there? > > It's not privilege separation since that doesn't have to be ported. It's > the OS dependent concepts used by privilege separation. I have been telling people that privsep will be switched on by default in the next release since it showed up in the builds. Look what happened: - Did anyone test it? A couple of people (no vendors) - Did anyone comment on my patches to get it working more completely? None, just complaints That's why we're annoyed. -d (Not singling out Corinna here, just the attitude) From djm at mindrot.org Thu Jun 27 09:35:02 2002
From: djm at mindrot.org (Damien Miller) Date: 27 Jun 2002 09:35:02 +1000 Subject: =?unknown-8bit?B?rbu05LFNt36kV6r5uXG4?= =?unknown-8bit?B?o8Llpc0tLSC4o7ijs3E=?= In-Reply-To: <20020626094626.GI12786@vega.ipal.net> References: <20020626093527.58A56E8EA@shitei.mindrot.org> <20020626094626.GI12786@vega.ipal.net> Message-ID: <1025134502.5532.39.camel@xenon> On Wed, 2002-06-26 at 19:46, Phil Howard wrote: > [garbage in Chinese snipped] > > Is there any way to set up a post-confirmation system for non-subscribers > so that their posts do not get distributed unless they confirm first? If more recent versions of mailman support it, then yes. One thing I will be doing when I get time is hooking up spamassassin to the list server. I'd also like to remind everyone that discussions about list spam are off-topic. Send them directly to me instead. -d From mouring at etoh.eviladmin.org Thu Jun 27 09:26:42 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 26 Jun 2002 18:26:42 -0500 (CDT) Subject: [PATCH] improved chroot handling In-Reply-To: <20020626231858.E26954@chiark.greenend.org.uk> Message-ID: On Wed, 26 Jun 2002, Tony Finch wrote: > There are a couple of niggles with the sandboxing of the unprivileged > child in the privsep code: the empty directory causes namespace pollution, > and it requires care to ensure that it is set up properly and remains set > up properly. The patch below (against the portable OpenSSH, although the > patch against the OpenBSD version is very similar) replaces the fixed > empty directory with one that is created on demand and is immediately > removed after the child process has chdir()ed and chroot()ed into it. > This ensures that the directory is in a known-safe state and that no-one > (not even root) can mess it up. > > Index: pathnames.h > =================================================================== > RCS file: /home/ncvs/src/crypto/openssh-portable/pathnames.h,v > retrieving revision 1.1.1.1 > diff -u -r1.1.1.1 pathnames.h > --- pathnames.h 24 Jun 2002 22:46:13 -0000 1.1.1.1 > +++ pathnames.h 26 Jun 2002 17:58:59 -0000 > @@ -145,11 +145,6 @@ > #define _PATH_SFTP_SERVER "/usr/libexec/sftp-server" > #endif > > -/* chroot directory for unprivileged user when UsePrivilegeSeparation=yes */ > -#ifndef _PATH_PRIVSEP_CHROOT_DIR > -#define _PATH_PRIVSEP_CHROOT_DIR "/var/empty" > -#endif > - > #ifndef _PATH_LS > #define _PATH_LS "ls" > #endif > Index: sshd.c > =================================================================== > RCS file: /home/ncvs/src/crypto/openssh-portable/sshd.c,v > retrieving revision 1.1.1.1 > diff -u -r1.1.1.1 sshd.c > --- sshd.c 24 Jun 2002 22:46:20 -0000 1.1.1.1 > +++ sshd.c 26 Jun 2002 18:00:25 -0000 
> @@ -545,14 +545,9 @@ > memset(pw->pw_passwd, 0, strlen(pw->pw_passwd)); > endpwent(); > > - /* Change our root directory*/ > - if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) > - fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, > - strerror(errno)); > - if (chdir("/") == -1) > - fatal("chdir(\"/\"): %s", strerror(errno)); > - > - /* Drop our privileges */ > + /* Change our root directory and drop privileges */ > + if (chroot(".") < 0) > + fatal("chroot(): %s\n", strerror(errno)); No chdir("/").. Bad form. Trusting where the current path is without an explicit chdir() before it is also bad form. > debug3("privsep user:group %u:%u", (u_int)pw->pw_uid, > (u_int)pw->pw_gid); > do_setusercontext(pw); > @@ -561,6 +556,7 @@ > static Authctxt* > privsep_preauth(void) > { > + char emptydir[] = "/var/tmp/sshd.XXXXXXXXXX"; Hard coded directories that one has to sprawl through to find. Also in very bad taste. Not very thrilled about the implementation. - Ben From djm at mindrot.org Thu Jun 27 09:41:54 2002 From: djm at mindrot.org (Damien Miller) Date: 27 Jun 2002 09:41:54 +1000 Subject: OpenSSH Security Advisory (adv.iss) In-Reply-To: References: Message-ID: <1025134914.5235.41.camel@xenon> On Thu, 2002-06-27 at 03:44, Bob Van Cleef wrote: > Question: If ChallengeResponseAuthentication is set to 'no' in > sshd_config, can the bug be exploited in OpenSSH_3.1p1? No, but there are other fixes so you should upgrade anyway. -d From djm at mindrot.org Thu Jun 27 09:43:19 2002
From: djm at mindrot.org (Damien Miller) Date: 27 Jun 2002 09:43:19 +1000 Subject: Upcoming OpenSSH vulnerability In-Reply-To: References: Message-ID: <1025134999.4668.43.camel@xenon> On Thu, 2002-06-27 at 04:45, Ben Lindstrom wrote: > If you can get a preview fix posted. I'll work within the OpenSSH portable > group to ensure that some version of it gets included. I am happy to do a 3.4p2 release in a couple of days to get platform issues resolved if there is sufficient demand. -d From vancleef at microunity.com Thu Jun 27 09:48:05 2002 From: vancleef at microunity.com (Bob Van Cleef) Date: Wed, 26 Jun 2002 16:48:05 -0700 (PDT) Subject: OpenSSH Security Advisory (adv.iss) In-Reply-To: <1025134914.5235.41.camel@xenon> Message-ID: On 27 Jun 2002, Damien Miller wrote: > On Thu, 2002-06-27 at 03:44, Bob Van Cleef wrote: > > Question: If ChallengeResponseAuthentication is set to 'no' in > > sshd_config, can the bug be exploited in OpenSSH_3.1p1? > > No, but there are other fixes so you should upgrade anyway. > > -d > Thanks Unfortunately my SunOS 4.1.4 build is having severe problems. Tons of redefines and problems with _memmove. Most likely all related to the age of the compiler ( 2.7.2 ). I'll disable that stuff until I can get a working build. Sigh... one day I will retire those beasts. /grin Bob From sxw at dcs.ed.ac.uk Thu Jun 27 09:49:12 2002
From: sxw at dcs.ed.ac.uk (Simon Wilkinson) Date: Thu, 27 Jun 2002 00:49:12 +0100 (BST) Subject: Using Kerberos5 in 3.3p1 In-Reply-To: Message-ID: On 27 Jun 2002, Dag-Erling Smorgrav wrote: > Hans Insulander writes: > > What needs to be done, afaik, is to receive the kerberos auth data in the > > unprivileged client process, marshal it and send over to the monitor process. > > The monitor should validate the information and say "ok" or "not ok" back to > > the client. I have very little clue as to how to do that. > > I can work on this tomorrow provided someone can help me with the > Kerberos aspect of things. I've just completed adding privsep support to my GSSAPI patches. They're being tested and reviewed at present, I hope to be able to release them tomorrow. Based on my experience with these, and a quick review of the krb5 code, can I offer the following: You need to decide upon which process the Kerberos context lives in. I think, due to the library's reliance on configuration (and stash) files in /etc/ this is going to have to be the privileged process. So, most of the code in auth_krb5 needs to be called through the privsep monitor. auth_con_setaddrs_from_fd() will cause problems, as I don't think the privileged process has the file descriptor of the connection. You can probably get around this by working out the necessary information (local addr, remote addr) and passing this through the monitor to a different variant of the setaddrs function. Similarly, auth_krb5_tgt probably needs to be a stub, with most of the work being done in the privileged process. I'm not sure if you want to still create the credentials cache here, or defer it to a later stage (by copying the delegated credentials to a memory cache) Apart from that, and providing you're happy with the implications of copying chunks of network data straight from the child to the parent, it looks fairly straightforward.
If no-one else gets to this before next week, I could possibly have a more in-depth look then. Cheers, Simon. From djm at mindrot.org Thu Jun 27 09:51:12 2002 From: djm at mindrot.org (Damien Miller) Date: 27 Jun 2002 09:51:12 +1000 Subject: pam session as root In-Reply-To: <20020626185852.A6498@justice.loyola.edu> References: <20020626185852.A6498@justice.loyola.edu> Message-ID: <1025135472.4668.46.camel@xenon> On Thu, 2002-06-27 at 08:58, Michael Stone wrote: Regardless of other issues: > + if (session_opened) > + return; /*Be idempotent so we can be called in monitor and > child*/ May break clients which allow multiple sessions over the same connection (e.g. ssh.com's) -d From dot at dotat.at Thu Jun 27 09:54:39 2002 From: dot at dotat.at (Tony Finch) Date: Thu, 27 Jun 2002 00:54:39 +0100 Subject: [PATCH] improved chroot handling In-Reply-To: ; from mouring@etoh.eviladmin.org on Wed, Jun 26, 2002 at 06:26:42PM -0500 References: <20020626231858.E26954@chiark.greenend.org.uk> Message-ID: <20020627005439.A16744@chiark.greenend.org.uk> On Wed, Jun 26, 2002 at 06:26:42PM -0500, Ben Lindstrom wrote: > > No chdir("/").. Bad form. > Trusting where the current path is without an explicit chdir() before it > is also bad form. That function is only called from one place shortly after the chdir into the secure directory. The unusual ordering is to avoid passing around lots of extraneous information. > Hard coded directories that one has to sprawl through to find. Also > in very bad taste. I have an updated patch that fixes that, if anyone is interested. Thanks for your comments. Tony. -- f.a.n.finch http://dotat.at/ NORTH UTSIRE SOUTH UTSIRE: WESTERLY VEERING NORTHWESTERLY 4 OR 5, OCCASIONALLY 6 LATER. SHOWERS. GOOD. From tim at multitalents.net Thu Jun 27 09:55:54 2002
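The monitor exchange Simon Wilkinson sketches above (the unprivileged child marshals the authentication data, the monitor validates it and answers ok or not ok), as an added C example that is not from his patches, from OpenSSH or from anyone in the thread. The framing (4-byte big-endian length, the blob, then a one-byte verdict), the 4096-byte cap, the socketpair() transport and the stand-in validate_blob() that accepts only "KRB5:" followed by a printable principal are all assumptions made for this example; a real implementation hands the blob to the Kerberos library on the privileged side. What it shows is the point raised in Simon's last paragraph: when network data is copied straight from the child to the parent, the monitor has to bound and fully read what the untrusted child sends before acting on any of it.

```c
/* Added example: a minimal privsep request/verdict exchange over a
 * socketpair, with the length check on the privileged side. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MON_MAX_BLOB 4096u	/* assumed cap on what the monitor will buffer */
enum { MON_NOTOK = 0, MON_OK = 1 };

/* Sockets may return partial reads/writes; loop until done or failure. */
static int
read_full(int fd, void *buf, size_t len)
{
	unsigned char *p = buf;
	while (len > 0) {
		ssize_t n = read(fd, p, len);
		if (n == 0 || (n == -1 && errno != EINTR))
			return -1;
		if (n > 0) { p += n; len -= (size_t)n; }
	}
	return 0;
}

static int
write_full(int fd, const void *buf, size_t len)
{
	const unsigned char *p = buf;
	while (len > 0) {
		ssize_t n = write(fd, p, len);
		if (n == -1 && errno != EINTR)
			return -1;
		if (n > 0) { p += n; len -= (size_t)n; }
	}
	return 0;
}

/* Stand-in validator (assumption): "KRB5:" plus a non-empty, printable
 * ASCII principal. Real code would call into libkrb5 here. */
static int
validate_blob(const unsigned char *blob, size_t len)
{
	size_t i;
	if (len <= 5 || memcmp(blob, "KRB5:", 5) != 0)
		return MON_NOTOK;
	for (i = 5; i < len; i++)
		if (blob[i] < 0x20 || blob[i] > 0x7e)
			return MON_NOTOK;
	return MON_OK;
}

/* Privileged side: one framed request in, one verdict byte out.
 * Returns the verdict sent, or -1 if the channel broke. */
static int
monitor_serve_one(int fd)
{
	unsigned char hdr[4], blob[MON_MAX_BLOB], v;
	uint32_t len;

	if (read_full(fd, hdr, sizeof hdr) == -1)
		return -1;
	len = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
	    ((uint32_t)hdr[2] << 8) | (uint32_t)hdr[3];
	/* Refuse before reading the body: the length comes from an
	 * untrusted process and must never size a buffer on its own. */
	if (len == 0 || len > MON_MAX_BLOB)
		v = MON_NOTOK;
	else if (read_full(fd, blob, len) == -1)
		return -1;
	else
		v = (unsigned char)validate_blob(blob, len);
	if (write_full(fd, &v, 1) == -1)
		return -1;
	return v;
}

/* Unprivileged side: send length + blob, wait for the verdict. It does not
 * enforce the cap itself, which is the point: the monitor must. */
static int
child_request(int fd, const unsigned char *blob, size_t len)
{
	unsigned char hdr[4], v;
	hdr[0] = (unsigned char)(len >> 24); hdr[1] = (unsigned char)(len >> 16);
	hdr[2] = (unsigned char)(len >> 8);  hdr[3] = (unsigned char)len;
	if (write_full(fd, hdr, 4) == -1 || write_full(fd, blob, len) == -1)
		return -1;
	if (read_full(fd, &v, 1) == -1)
		return -1;
	return v;
}

/* Run one exchange: a forked child plays the network process, this process
 * plays the monitor. Returns the monitor's verdict. */
static int
exchange(const unsigned char *blob, size_t len)
{
	int sv[2], status, verdict;
	pid_t pid;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
		return -1;
	pid = fork();
	if (pid == -1)
		return -1;
	if (pid == 0) {
		close(sv[0]);
		_exit(child_request(sv[1], blob, len) == MON_OK ? 0 : 1);
	}
	close(sv[1]);
	verdict = monitor_serve_one(sv[0]);
	close(sv[0]);
	waitpid(pid, &status, 0);
	return verdict;
}

int
main(void)
{
	static const unsigned char good[] = "KRB5:alice";
	unsigned char big[MON_MAX_BLOB + 1];
	memset(big, 'A', sizeof big);
	printf("good=%d oversized=%d\n", exchange(good, sizeof good - 1),
	    exchange(big, sizeof big));
	return 0;
}
```

A frame whose declared length exceeds the cap is refused without reading the body, so a compromised child cannot make the monitor buffer arbitrary amounts of data; the same shape applies whatever the blob actually carries.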
From: tim at multitalents.net (Tim Rice) Date: Wed, 26 Jun 2002 16:55:54 -0700 (PDT) Subject: OpenSSH Security Advisory (adv.iss) In-Reply-To: Message-ID: On Wed, 26 Jun 2002, Bob Van Cleef wrote: > Thanks > > Unfortunately my SunOS 4.1.4 build is having severe problems. Tons of > redefines and problems with _memmove. Most likely all related to the age > of the compiler ( 2.7.2 ). I'm using gcc 2.7.2.1 on my old SCO 3.2v4.2 box here and it builds 3.4p1 > > I'll disable that stuff until I can get a working build. Sigh... one > day I will retire those beasts. /grin > > Bob > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From mouring at etoh.eviladmin.org Thu Jun 27 09:50:01 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 26 Jun 2002 18:50:01 -0500 (CDT) Subject: OpenSSH Security Advisory (adv.iss) In-Reply-To: Message-ID: Tons or just a few? I saw one person with a _memmove() issue and it was related to how define.h was being included. I did not have a chance to review and figure out the issue before we went live with 3.4 On Wed, 26 Jun 2002, Tim Rice wrote: > On Wed, 26 Jun 2002, Bob Van Cleef wrote: > > > Thanks > > > > Unfortunately my SunOS 4.1.4 build is having severe problems. Tons of > > redefines and problems with _memmove. Most likely all related to the age > > of the compiler ( 2.7.2 ). > > I'm using gcc 2.7.2.1 on my old SCO 3.2v4.2 box here and it builds 3.4p1 > > > > > I'll disable that stuff until I can get a working build. Sigh... one > > day I will retire those beasts. /grin > > > > Bob > > > > -- > Tim Rice Multitalents (707) 887-1469 > tim at multitalents.net > > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From luc at suryo.com Thu Jun 27 10:03:30 2002 
From: luc at suryo.com (Luc I. Suryo) Date: Wed, 26 Jun 2002 19:03:30 -0500 Subject: [PATCH] improved chroot handling In-Reply-To: <20020627002314.G26954@chiark.greenend.org.uk> References: <20020626231858.E26954@chiark.greenend.org.uk> <20020626231747.GA8490@nc1701.suryo.com> <20020627002314.G26954@chiark.greenend.org.uk> Message-ID: <20020627000330.GA8608@nc1701.suryo.com> Tony Finch wrote at Thu, Jun 27, 2002 at 12:23:14AM +0100: > On Wed, Jun 26, 2002 at 06:17:47PM -0500, Luc I. Suryo wrote: > > > > it is maybe me but the code: > > > > char emptydir[] = "/var/tmp/sshd.XXXXXXXXXX"; > > > > is hard coded...and we want to use what is defined by > > > > _PATH_PRIVSEP_CHROOT_DIR > > > > yes? > > Why? The point is to make _PATH_PRIVSEP_CHROOT_DIR unnecessary. there may be people out there that want to make the path somewhere else.... I personally do like hardcoded things like that .... but that is just me. > > > and should not one make sure that there is no overflow in > > emptydir??? malloc/free/strlen and that kind of stuff > > I suggest you have a look at the manual page for mkdtemp(). Sure, openssh tests for mkdtemp and on some systems there is NO mkdtemp like under Solaris ... I looked into openbsd-compat/mktemp.c But again I still prefer to do an overflow check before calling mkdtemp as what if an OS does have mkdtemp but the implementation is broken .... and one more thing ... :) chdir("/") shouldn't one first test if the location (current dir) is where we want to be ..... again my 25c.... -- Kind regards, Luc Suryo From vancleef at microunity.com Thu Jun 27 10:12:35 2002
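The sandbox handshake this thread is arguing about, as an added C example (my code, not Tony Finch's patch and not OpenSSH's): the parent creates the directory with mkdtemp(), the child chdir()s into it and signals readiness over a pipe, the parent rmdir()s it, and the child then does chroot(".") followed by the explicit chdir("/") that Ben Lindstrom asks for. The /tmp template, the one-byte 'R' ready signal, the exit codes, and the decision to treat an EPERM from chroot() as "running unprivileged, skip that step" are all assumptions of this example so that it can be run without root. It also answers Luc's overflow question in a comment: mkdtemp() rewrites the X's in place, so the buffer never grows.

```c
/* Added example: on-demand, self-destructing sandbox directory for a
 * forked child, with explicit chdir()/chroot()/chdir("/") ordering. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed template for the example; the patch uses /var/tmp/sshd.XXXXXXXXXX */
#define SANDBOX_TEMPLATE "/tmp/sandbox.XXXXXX"

/* Child exit codes so the parent (and a test) can see what happened. */
enum { CHILD_OK = 0, CHILD_CHDIR_FAILED = 2, CHILD_CHROOT_FAILED = 3 };

static int
sandbox_child(const char *dir, int notify_fd)
{
	static const char ready = 'R';	/* assumed one-byte ready signal */

	if (chdir(dir) == -1)
		return CHILD_CHDIR_FAILED;
	/* Tell the parent we are inside; the name may vanish after this. */
	if (write(notify_fd, &ready, 1) != 1)
		return CHILD_CHDIR_FAILED;
	close(notify_fd);
	/* Real sandbox step; needs root. EPERM means this demo is running
	 * unprivileged, so it skips the chroot rather than failing. */
	if (chroot(".") == -1 && errno != EPERM)
		return CHILD_CHROOT_FAILED;
	/* Always re-anchor the cwd so nothing relies on the caller's ordering. */
	if (chdir("/") == -1)
		return CHILD_CHROOT_FAILED;
	return CHILD_OK;
}

/* Returns the child's exit code, or -1 if the parent side failed. On
 * return *removed says whether the directory name was already gone. */
static int
run_sandbox(int *removed)
{
	char dir[] = SANDBOX_TEMPLATE;	/* mkdtemp() rewrites the X's in place */
	int pfd[2], status;
	char byte = 0;
	pid_t pid;

	*removed = 0;
	if (mkdtemp(dir) == NULL)	/* creates it mode 0700 */
		return -1;
	if (pipe(pfd) == -1) {
		rmdir(dir);
		return -1;
	}
	pid = fork();
	if (pid == -1) {
		rmdir(dir);		/* don't leave the directory behind */
		return -1;
	}
	if (pid == 0) {
		close(pfd[0]);
		_exit(sandbox_child(dir, pfd[1]));
	}
	close(pfd[1]);
	/* != 1 covers both an error and EOF (child died before its chdir). */
	if (read(pfd[0], &byte, 1) != 1 || byte != 'R') {
		rmdir(dir);
		waitpid(pid, &status, 0);
		return -1;
	}
	close(pfd[0]);
	/* The child is inside; unlink the name so nobody, root included, can
	 * put anything in it later. The child's cwd keeps the inode alive. */
	if (rmdir(dir) == -1)
		return -1;
	*removed = (access(dir, F_OK) == -1 && errno == ENOENT);
	if (waitpid(pid, &status, 0) == -1)
		return -1;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* 1 when the child entered the sandbox and the name is gone, else 0. */
static int
sandbox_ok(void)
{
	int removed = 0;
	return run_sandbox(&removed) == CHILD_OK && removed;
}

int
main(void)
{
	int removed = 0, rc = run_sandbox(&removed);
	printf("child rc=%d, directory removed=%d\n", rc, removed);
	return sandbox_ok() ? 0 : 1;
}
```

Run as root the child really ends up with a root directory that no longer has a name; run unprivileged it exercises the same handshake minus the chroot. Either way the parent never trusts a pre-existing directory, which is the property the patch is after.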
From: vancleef at microunity.com (Bob Van Cleef) Date: Wed, 26 Jun 2002 17:12:35 -0700 (PDT) Subject: OpenSSH Security Advisory (adv.iss) In-Reply-To: Message-ID: On Wed, 26 Jun 2002, Ben Lindstrom wrote: > > Tons or just a few? I saw one person with a _memmove() issue and it was > related to how define.h was being included. > > I did not have a chance to review and figure out the issue before we went > live with 3.4 The _memmove problem is what breaks the compile: gcc -o ssh-agent ssh-agent.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -lssh -lopenbsd-compat -lz -lcrypto collect2: ld returned 2 exit status ld: Undefined symbol _memmove *** Error code 1 make: Fatal error: Command failed for target `ssh-agent' But there are bunches of warnings, not directly related to SSH, that make me nervous. It is a local compiler install issue, not a problem with SSH. Such as: /usr/include/sys/ioctl.h:64: warning: `PENDIN' redefined /pathtolib/gcc-lib/sparc-sun-sunos4.1.3/2.7.2/include/termios.h:190: warning: this is the location of the previous definition I've disabled external access to SSH on the impacted system, only allowing access from the internal network, so there is no risk, just frustrations. > > On Wed, 26 Jun 2002, Tim Rice wrote: > > > On Wed, 26 Jun 2002, Bob Van Cleef wrote: > > > > > Thanks > > > > > > Unfortunately my SunOS 4.1.4 build is having severe problems. Tons of > > > redefines and problems with _memmove. Most likely all related to the age > > > of the compiler ( 2.7.2 ). > > > > I'm using gcc 2.7.2.1 on my old SCO 3.2v4.2 box here and it builds 3.4p1 > > > > > > > > I'll disable that stuff until I can get a working build. Sigh... one > > > day I will retire those beasts. 
> > > > /grin
> > > >
> > > > Bob
> >
> > --
> > Tim Rice Multitalents (707) 887-1469
> > tim at multitalents.net

From cmadams at hiwaay.net Thu Jun 27 10:14:42 2002
From: cmadams at hiwaay.net (Chris Adams)
Date: Wed, 26 Jun 2002 19:14:42 -0500
Subject: Upcoming OpenSSH vulnerability
In-Reply-To: ; from mouring@etoh.eviladmin.org on Wed, Jun 26, 2002 at 01:45:59PM -0500
References: <20020626135046.L43983@hiwaay.net>
Message-ID: <20020626191442.A237907@hiwaay.net>

Once upon a time, Ben Lindstrom said:
> > > Better yet now we are post 3.4 we need a real solution.
> >
> > As I said above, I don't see how to do post-auth privsep on Tru64. The
> > requirements just don't seem to match the capabilities. The only thing
> > I can see to do is to open a PTY unconditionally before post-auth
> > privsep and close it later if it is not needed (but I don't know for
> > sure that would work either). That would be a fairly major change;
> > would such a change be accepted back into "core" OpenSSH?
>
> If you can get a preview fix posted. I'll work within the OpenSSH portable
> group to ensure that some version of it gets included.
>
> If that preview fix says 'we always open a temporary TTY' then so be it.
> We can look at how to handle non-tty case handled after.

I guess from that I should go ahead and make OpenSSH always open the TTY
and then discard it if it is not needed for all platforms, not just Tru64
(at least the AIX folks were looking for this as well). That would lessen
the "#ifdef HAVE_OSF_SIA" count. Unless I hear otherwise, I'll work
towards that.

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From luc at suryo.com Thu Jun 27 10:20:45 2002
From: luc at suryo.com (Luc I. Suryo)
Date: Wed, 26 Jun 2002 19:20:45 -0500
Subject: [PATCH] improved chroot handling
In-Reply-To: <20020627000330.GA8608@nc1701.suryo.com>
References: <20020626231858.E26954@chiark.greenend.org.uk> <20020626231747.GA8490@nc1701.suryo.com> <20020627002314.G26954@chiark.greenend.org.uk> <20020627000330.GA8608@nc1701.suryo.com>
Message-ID: <20020627002045.GA8684@nc1701.suryo.com>

Luc I. Suryo wrote at Wed, Jun 26, 2002 at 07:03:30PM -0500:
> Tony Finch wrote at Thu, Jun 27, 2002 at 12:23:14AM +0100:
> > On Wed, Jun 26, 2002 at 06:17:47PM -0500, Luc I. Suryo wrote:
> > >
> > > it is maybe me but the code:
> > >
> > > char emptydir[] = "/var/tmp/sshd.XXXXXXXXXX";
> > >
> > > is hard coded...and we want to use what is defined by
> > >
> > > _PATH_PRIVSEP_CHROOT_DIR
> > >
> > > yes?
> >
> > Why? The point is to make _PATH_PRIVSEP_CHROOT_DIR unnecessary.
>
> There may be people out there that want to make the path somewhere else....
> I personally do like hardcoded things like that .... but that is just me.

typo :) ... I personally do *not* like hardcoded

why: if the location is not known to the public, it may be an extra
security .... and how about if the directory is randomized? (well under
/var/...... maybe /var/spool/sshd/run-${pid}-(randomized value)

> > > and should not one make sure that there is no overflow in
> > > emptydir??? malloc/free/strlen and that kind of stuff
> >
> > I suggest you have a look at the manual page for mkdtemp().
>
> Sure, openssh tests for mkdtemp, and on some systems there is NO mkdtemp,
> like under Solaris ... I looked into openbsd-compat/mktemp.c.
> But again I still prefer to do an overflow check before calling mkdtemp,
> as what if an OS does have mkdtemp but the implementation is broken ....
>
> and one more thing ... :) chdir("/") shouldn't one first test if the
> location (current dir) is where we want to be .....
> again my 25c....
--
Kind regards,
Luc Suryo

From cmadams at hiwaay.net Thu Jun 27 10:22:38 2002
From: cmadams at hiwaay.net (Chris Adams)
Date: Wed, 26 Jun 2002 19:22:38 -0500
Subject: Upcoming OpenSSH vulnerability
In-Reply-To: <20020626191442.A237907@hiwaay.net>; from cmadams@hiwaay.net on Wed, Jun 26, 2002 at 07:14:42PM -0500
References: <20020626135046.L43983@hiwaay.net> <20020626191442.A237907@hiwaay.net>
Message-ID: <20020626192238.B237907@hiwaay.net>

Once upon a time, Chris Adams said:
> I guess from that I should go ahead and make OpenSSH always open the TTY
> and then discard it if it is not needed for all platforms, not just
> Tru64 (at least the AIX folks were looking for this as well). That
> would lessen the "#ifdef HAVE_OSF_SIA" count.

Thinking about this some more (I never think before I send apparently :-) )...

If a TTY were always allocated before post-auth privsep kicked in, the
whole BROKEN_FD_PASSING would go away (because as far as I can see in a
quick look, FD passing is only used for the parent to open a TTY for the
child). This could just always be done and the FD passing code and privsep
wrapping of pty_allocate() would go away. Or, the TTY pre-allocation could
depend on BROKEN_FD_PASSING, HAVE_OSF_SIA, and _AIX.

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
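The three points argued over in the chroot-handling thread above (a template that cannot overflow its buffer, trusting mkdtemp() for the rest, and checking where chdir("/") actually left the process) as an added C illustration; this is not OpenSSH code and not Tony Finch's patch, and the function names, the /tmp template used for testing and the ownership/mode checks are this example's own assumptions.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy template into buf[buflen]; fail instead of truncating, because a
 * truncated template would lose the trailing XXXXXX that mkdtemp() needs.
 * This is the "overflow check before calling mkdtemp" from the thread. */
int copy_template(char *buf, size_t buflen, const char *template)
{
    size_t len = strlen(template);

    if (len + 1 > buflen || len < 6 ||
        strcmp(template + len - 6, "XXXXXX") != 0)
        return -1;
    memcpy(buf, template, len + 1);
    return 0;
}

/* A directory is acceptable as an empty chroot target only if it is a real
 * directory (lstat: not a symlink), owned by the caller, and neither
 * writable nor even accessible by group/other. */
int verify_empty_dir(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (st.st_uid != geteuid())
        return -1;
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        return -1;
    return 0;
}

/* Create a fresh private directory from template; on success buf holds the
 * real path (X's replaced).  Returns -1 with errno set on failure. */
int make_empty_dir(char *buf, size_t buflen, const char *template)
{
    if (copy_template(buf, buflen, template) != 0) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (mkdtemp(buf) == NULL)          /* creates the directory mode 0700 */
        return -1;
    if (verify_empty_dir(buf) != 0) {  /* defence in depth: re-check result */
        rmdir(buf);
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* After chroot() and chdir("/"), confirm the working directory really is
 * the root this process now sees: "." and "/" must be the same inode. */
int cwd_is_root(void)
{
    struct stat cwd, root;

    if (stat(".", &cwd) != 0 || stat("/", &root) != 0)
        return 0;
    return cwd.st_dev == root.st_dev && cwd.st_ino == root.st_ino;
}
```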
From: des at ofug.org (Dag-Erling Smorgrav)
Date: 27 Jun 2002 02:25:21 +0200
Subject: Using Kerberos5 in 3.3p1
In-Reply-To:
References:
Message-ID:

Simon Wilkinson writes:
> auth_con_setaddrs_from_fd() will cause problems, as I don't think the
> privileged process has the file descriptor of the connection. You can
> probably get around this by working out the necessary information (local
> addr, remote addr) and passing this through the monitor to a different
> variant of the setaddrs function.

The monitor already has that information.

DES
--
Dag-Erling Smorgrav - des at ofug.org

From mouring at etoh.eviladmin.org Thu Jun 27 10:17:43 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 26 Jun 2002 19:17:43 -0500 (CDT)
Subject: OpenSSH Security Advisory (adv.iss)
In-Reply-To:
Message-ID:

can you grep for HAVE_MEMMOVE and HAVE_BCOPY in config.h ?

On Wed, 26 Jun 2002, Bob Van Cleef wrote:
>
> On Wed, 26 Jun 2002, Ben Lindstrom wrote:
> >
> > Tons or just a few? I saw one person with a _memmove() issue and it was
> > related to how define.h was being included.
> >
> > I did not have a chance to review and figure out the issue before we went
> > live with 3.4
>
> The _memmove problem is what breaks the compile:
>
> gcc -o ssh-agent ssh-agent.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib
> -lssh -lopenbsd-compat -lz -lcrypto
> collect2: ld returned 2 exit status
> ld: Undefined symbol
> _memmove
> *** Error code 1
> make: Fatal error: Command failed for target `ssh-agent'
>
> But there are bunches of warnings, not directly related to SSH, that make
> me nervous. It is a local compiler install issue, not a problem with SSH.
> Such as:
>
> /usr/include/sys/ioctl.h:64: warning: `PENDIN' redefined
> /pathtolib/gcc-lib/sparc-sun-sunos4.1.3/2.7.2/include/termios.h:190:
> warning: this is the location of the previous definition
>
> I've disabled external access to SSH on the impacted system, only allowing
> access from the internal network, so there is no risk, just frustrations.
>
> > > On Wed, 26 Jun 2002, Tim Rice wrote:
> > >
> > > > On Wed, 26 Jun 2002, Bob Van Cleef wrote:
> > > >
> > > > > Thanks
> > > > >
> > > > > Unfortunately my SunOS 4.1.4 build is having severe problems. Tons of
> > > > > redefines and problems with _memmove. Most likely all related to the age
> > > > > of the compiler ( 2.7.2 ).
> > > >
> > > > I'm using gcc 2.7.2.1 on my old SCO 3.2v4.2 box here and it builds 3.4p1
> > > >
> > > > > I'll disable that stuff until I can get a working build. Sigh... one
> > > > > day I will retire those beasts.
> > > > > /grin
> > > > >
> > > > > Bob
> > >
> > > --
> > > Tim Rice Multitalents (707) 887-1469
> > > tim at multitalents.net

From jason-exp-1025829148.32b4c5 at mastaler.com Thu Jun 27 10:32:20 2002
From: jason-exp-1025829148.32b4c5 at mastaler.com (Jason R. Mastaler)
Date: Wed, 26 Jun 2002 18:32:20 -0600
Subject: UsePrivilegeSeparation: "fatal: xrealloc: out of memory"
Message-ID: <20020626183220.A6955@mastaler.com>

I just upgraded to OpenSSH 3.4p1 from 2.5.2p2 to take advantage of
privilege separation. After installation, when a user tries to login he
gets dropped almost immediately. In the server's /var/log/messages:

    Jun 26 20:15:04 sclp3 sshd[6433]: Accepted password for jason from 128.165.148.66 port 41871 ssh2
    Jun 26 20:15:12 sclp3 jason[110]: sshd[6444]: fatal: xrealloc: out of memory (new_size 5566464 bytes)

The server is running BSD/OS 4.0, whose mmap(2) seems to indicate that it
supports anonymous (MAP_ANON) memory mapping. I've created /var/empty and
a sshd user and group.

Setting "UsePrivilegeSeparation no" in sshd_config clears up this problem,
but I'd rather not have to disable this. Any ideas?

Thanks.

--
(http://tmda.sourceforge.net/)

From andreas at conectiva.com.br Thu Jun 27 11:18:23 2002
From: andreas at conectiva.com.br (Andreas Hasenack)
Date: Wed, 26 Jun 2002 22:18:23 -0300
Subject: sshd and file descriptors
In-Reply-To: <20020626161056.R2377@google.com>
References: <20020626220613.GO19640@conectiva.com.br> <20020626161056.R2377@google.com>
Message-ID: <20020627011823.GA370@conectiva.com.br>

On Wed, Jun 26, 2002 at 04:10:56PM -0700, Frank Cusack wrote:
> A workaround which really isn't so great is to put this in your %post
>
> exec 0
> for fd in `seq 1 12`; do
>     exec ${fd}>/dev/null
> done
> service restart sshd
>
> You might need to bump the end fd higher. 12 seems to work for rpm 4.0.x.
> The w/a is kind of bad cuz now sshd will have all those fd's open.

I started doing this, but closing the fds instead of opening them to
/dev/null. Just use:

    for n in `seq 3 100`; do
        eval "exec $n<&-"
    done

This will close those fds. Not very elegant, but it's what I was doing
for now.

From fcusack at fcusack.com Thu Jun 27 11:25:05 2002
From: fcusack at fcusack.com (Frank Cusack)
Date: Wed, 26 Jun 2002 18:25:05 -0700
Subject: sshd and file descriptors
In-Reply-To: <20020627011823.GA370@conectiva.com.br>; from andreas@conectiva.com.br on Wed, Jun 26, 2002 at 10:18:23PM -0300
References: <20020626220613.GO19640@conectiva.com.br> <20020626161056.R2377@google.com> <20020627011823.GA370@conectiva.com.br>
Message-ID: <20020626182505.U2377@google.com>

On Wed, Jun 26, 2002 at 10:18:23PM -0300, Andreas Hasenack wrote:
> Just use:
>
> for n in `seq 3 100`; do
>     eval "exec $n<&-"
> done
>
> This will close those fds. Not very elegant, but it's what I was doing
> for now.

Shame on me. Yours is much better. Shouldn't it be '$n>&-'?

/fc

From andreas at conectiva.com.br Thu Jun 27 11:35:39 2002
From: andreas at conectiva.com.br (Andreas Hasenack)
Date: Wed, 26 Jun 2002 22:35:39 -0300
Subject: sshd and file descriptors
In-Reply-To: <20020626182505.U2377@google.com>
References: <20020626220613.GO19640@conectiva.com.br> <20020626161056.R2377@google.com> <20020627011823.GA370@conectiva.com.br> <20020626182505.U2377@google.com>
Message-ID: <20020627013539.GB370@conectiva.com.br>

On Wed, Jun 26, 2002 at 06:25:05PM -0700, Frank Cusack wrote:
> Shame on me. Yours is much better. Shouldn't it be '$n>&-'?

Could work, I haven't tried it, but man bash says this is the way to do it:

    The redirection operator

        [n]<&word

    is used to duplicate input file descriptors. If word expands to one
    or more digits, the file descriptor denoted by n is made to be a copy
    of that file descriptor. If the digits in word do not specify a file
    descriptor open for input, a redirection error occurs. If word
    evaluates to -, file descriptor n is closed. If n is not specified,
    the standard input (file descriptor 0) is used.

Anyway, I don't like this method very much, will check with the rpm guys
what's happening.

Thanks for your input!

From fcusack at fcusack.com Thu Jun 27 11:51:31 2002
From: fcusack at fcusack.com (Frank Cusack)
Date: Wed, 26 Jun 2002 18:51:31 -0700
Subject: [PATCH] kbdintctxt->nreq test
Message-ID: <20020626185131.V2377@google.com>

If the info_response code is going to test that the # of responses is
< 100, then the info_request code should check that < 100 prompts are
sent. It would be rude to send 101 prompts and then fail when the
responses come back.

I actually think the test should be removed altogether, the limit seems
quite arbitrary, but here is a patch to not send > 100 prompts. With this
patch, the test in the info_response code could actually be removed.

--- auth2-chall.c.orig Wed Jun 26 18:40:14 2002 +++ auth2-chall.c Wed Jun 26 18:42:54 2002
@@ -217,6 +217,8 @@ if (kbdintctxt->device->query(kbdintctxt->ctxt, &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on)) return 0; + if (kbdintctxt->nreq > 100) + fatal("send_userauth_info_request: too many prompts"); packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST); packet_put_cstring(name); /fc From tim at multitalents.net Thu Jun 27 13:01:35 2002 
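Review bot: the literal 100 in `if (kbdintctxt->nreq > 100)` repeats the limit the info_response check already uses; define one named constant and use it on both sides so the two bounds cannot drift apart. The suggestion in the covering message that the response-side test could then be removed should not be taken up: the number of responses in a USERAUTH_INFO_RESPONSE comes from the client, so bounding what the server sends does not make validating what the client returns redundant.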
From: tim at multitalents.net (Tim Rice)
Date: Wed, 26 Jun 2002 20:01:35 -0700 (PDT)
Subject: [PATCH]: Eliminate HAVE_CYGWIN (and _UWIN) around calls to setgroups() [was Re: openssh for UWIN]
In-Reply-To: <20020618194842.GD1422@jenny.crlsca.adelphia.net>
Message-ID:

On Tue, 18 Jun 2002, Kevin Steves wrote:
> On Sun, Jun 09, 2002 at 02:41:25PM -0500, Ben Lindstrom wrote:
> > > i think we wanted to move away from "fake-". for now bsd-misc.c
> > > makes sense, or perhaps i forgot some discussion on this.
> >
> > I'd like to see (and I think Damien also mirrors this belief):
> >
> > bsd-*.c -- Should implement usable correct code.
> > fake-*.c -- Should implement faked version for platforms that don't
> >             need the feature, but used to keep the code clean
> > port-*.c -- Should be platform specific code.
>
> i think a directory grouping is better. what about something like
> this:

While I like your directory grouping idea better, it would only work if
we don't have -Lopenbsd/ -Lcompat/ -Lplatform/
Some linkers on older systems have a limit on the number of -L options.

> openbsd/
>     copies of source from OpenBSD tree with little or no
>     modifications that should be kept synced with OpenBSD.
>
>     readpassphrase.c
>     readpassphrase.h
>     strlcpy.c
>     strlcpy.h
>     tree.h
>
> compat/
>     compatibility functions for various platforms; e.g.,
>     when a function is missing on some platforms or a
>     compatibility library that works on multiple platforms.
>
>     getaddrinfo.c
>     getaddrinfo.h
>     loginrec.c
>     loginrec.h
>     sigact.c
>     sigact.h
>
> platform/
>     platform specific code; generally for one-platform.
>
>     auth-sia.c
>     auth-sia.h
>     port-aix.c
>     port-aix.h

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From fcusack at fcusack.com Thu Jun 27 13:06:09 2002
From: fcusack at fcusack.com (Frank Cusack)
Date: Wed, 26 Jun 2002 20:06:09 -0700
Subject: [PATCH] kbdintctxt->nreq test
In-Reply-To: <20020626185131.V2377@google.com>; from fcusack@fcusack.com on Wed, Jun 26, 2002 at 06:51:31PM -0700
References: <20020626185131.V2377@google.com>
Message-ID: <20020626200608.X2377@google.com>

Along the lines of the previous patch, here's one for auth2-pam.c. The
same applies, if you won't accept > 100 responses, you should never send
that many.

Besides that, I've removed a bit of what is now obsolete code.

There are two other bugs here which I haven't fixed.

1) if all the messages are just informational (PAM_TEXT_INFO or
   PAM_ERROR_MSG), then the user doesn't see them.
2) information messages are not presented to the client in the correct
   order.

The fix for those two is simply to get rid of the loop in
do_pam_conversation_kbd_int() which checks the prompt style (and just set
context_pam2.num_expected = num_msg directly).

--- auth2-pam.c.orig Wed Jun 26 19:55:34 2002 +++ auth2-pam.c Wed Jun 26 20:00:24 2002 @@ -19,7 +19,7 @@ void input_userauth_info_response_pam(int type, u_int32_t seqnr, void *ctxt); struct { - int finished, num_received, num_expected; + int finished, num_expected; int *prompts; struct pam_response *responses; } context_pam2 = {0, 0, 0, NULL}; @@ -55,8 +55,10 @@ int i, j, done; char *text; + if (num_msg > 100) + fatal("%s: too many messages", __func__); + context_pam2.finished = 0; - context_pam2.num_received = 0; context_pam2.num_expected = 0; context_pam2.prompts = xmalloc(sizeof(int) * num_msg); context_pam2.responses = xmalloc(sizeof(struct pam_response) * num_msg); @@ -120,11 +122,8 @@ debug("extra packet during conversation"); } - if(context_pam2.num_received == context_pam2.num_expected) { - *resp = context_pam2.responses; - return PAM_SUCCESS; - } else - return PAM_CONV_ERR; + *resp = context_pam2.responses; + return PAM_SUCCESS; } void 
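Review bot: in the `@@ -55,8 +55,10 @@` hunk the `num_msg > 100` check repeats the literal from the auth2-chall.c patch; use one named constant in both files. Placing the check before the two `xmalloc(... * num_msg)` calls is the important part, and a one-line comment saying that this bound is what keeps those allocation sizes sane would help the next reader.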
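Review bot: the `@@ -120,11 +122,8 @@` hunk replaces the `num_received == num_expected` comparison with an unconditional `*resp = context_pam2.responses; return PAM_SUCCESS;`, which removes the only check that every expected answer actually arrived; with `num_received` gone nothing is left to detect a short or mismatched response packet, and the `debug("extra packet during conversation")` context line shows such mismatches are anticipated. Unless the handler at the end of the patch is guaranteed to fill every `responses[j]` before it sets `context_pam2.finished = 1`, keep a received count (or zero the `responses` array at allocation and refuse a conversation in which any `resp` is still NULL) and return PAM_CONV_ERR on mismatch.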
@@ -156,7 +155,6 @@ context_pam2.responses[j].resp_retcode = PAM_SUCCESS; context_pam2.responses[j].resp = xstrdup(resp); xfree(resp); - context_pam2.num_received++; } context_pam2.finished = 1;

/fc

From dtucker at zip.com.au Thu Jun 27 13:51:02 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 27 Jun 2002 13:51:02 +1000
Subject: UsePrivilegeSeparation: "fatal: xrealloc: out of memory"
References: <20020626183220.A6955@mastaler.com>
Message-ID: <3D1A8BA6.A731D810@zip.com.au>

"Jason R. Mastaler" wrote:
> Jun 26 20:15:04 sclp3 sshd[6433]: Accepted password for jason from 128.165.148.66 port 41871 ssh2
> Jun 26 20:15:12 sclp3 jason[110]: sshd[6444]: fatal: xrealloc: out of memory (new_size 5566464 bytes)
>
> Setting "UsePrivilegeSeparation no" in sshd_config clears up this
> problem, but I'd rather not have to disable this. Any ideas?

Ulimits? Check with ulimit -a if the data size is <5.5M. If that's it
you'll need to increase it (eg "ulimit -d unlimited") and kill and
restart sshd.

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From jmknoble at pobox.com Wed Jun 26 17:19:34 2002
From: jmknoble at pobox.com (Jim Knoble)
Date: Wed, 26 Jun 2002 03:19:34 -0400
Subject: final build.
In-Reply-To: <20020626055712.GE12786@vega.ipal.net>; from phil-openssh-unix-dev@ipal.net on Wed, Jun 26, 2002 at 12:57:12AM -0500
References: <20020626040931.GD12786@vega.ipal.net> <20020626055712.GE12786@vega.ipal.net>
Message-ID: <20020626031934.A9722@quipu.half.pint-stowp.cx>

Circa 2002-Jun-26 00:57:12 -0500 dixit Phil Howard:

: I don't need to have static executables immediately. But I do need
: to be on static executables by the next time OpenSSL needs to be
: upgraded. I have a lot of remote servers to manage and I use SSH to
: access them.

Phil, another option is to patch the OpenSSL builds to use unique SONAMEs
for each new (and incompatible) version of the library. For example, i
generally install the OpenSSL libraries as:

    .../libcrypto-0.9.6d.so.0 -> libcrypto-0.9.6d.so.0.0.0
    .../libcrypto-0.9.6d.so.0.0.0
    .../libssl-0.9.6d.so.0 -> libssl-0.9.6d.so.0.0.0
    .../libssl-0.9.6d.so.0

This both keeps OpenSSL-0.9.6d from stomping on OpenSSL-0.9.6c and allows
packages which contain only the shared libraries to peacefully coexist.
Thus, you can install new OpenSSL shared libs, upgrade the development
libs and headers, and compile OpenSSH against the new libraries without
danger that the old one will stop working in the middle of the process.

I have a patch against OpenSSL-0.9.6d which accomplishes the above; please
mail me privately if you'd like it.

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

From jason-exp-1025844218.84a9f7 at mastaler.com Thu Jun 27 14:43:29 2002
From: jason-exp-1025844218.84a9f7 at mastaler.com (Jason R. Mastaler)
Date: Wed, 26 Jun 2002 22:43:29 -0600
Subject: UsePrivilegeSeparation: "fatal: xrealloc: out of memory"
In-Reply-To: <3D1A8BA6.A731D810@zip.com.au>; from dtucker@zip.com.au on Thu, Jun 27, 2002 at 01:51:02PM +1000
References: <20020626183220.A6955@mastaler.com> <3D1A8BA6.A731D810@zip.com.au>
Message-ID: <20020626224329.A12122@mastaler.com>

Darren Tucker writes:
> Ulimits? Check with ulimit -a if the data size is <5.5M.

Doesn't look like it:

    sclp3# bash
    bash-2.01# ulimit -a
    core file size (blocks)     unlimited
    data seg size (kbytes)      32768
    file size (blocks)          unlimited
    max locked memory (kbytes)  42278
    max memory size (kbytes)    126832
    open files                  128
    pipe size (512 bytes)       2
    stack size (kbytes)         2048
    cpu time (seconds)          unlimited
    max user processes          64
    virtual memory (kbytes)     34816

From dtucker at zip.com.au Thu Jun 27 15:08:54 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 27 Jun 2002 15:08:54 +1000
Subject: OpenSSH 3.4p1 AIX packages available
Message-ID: <3D1A9DE6.233923D4@zip.com.au>

Hi All.
The 3.3p1 packages became obsolete even faster than I expected!

I've just put up SMIT installable .bff packages of 3.4p1 for AIX 4.[23].x
at the link below. The usual caveats apply (see page).

Link: http://www.zip.com.au/~dtucker/openssh/

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From phil-openssh-unix-dev at ipal.net Thu Jun 27 15:10:57 2002
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Thu, 27 Jun 2002 00:10:57 -0500
Subject: sshd and file descriptors
In-Reply-To: <20020626220613.GO19640@conectiva.com.br>
References: <20020626220613.GO19640@conectiva.com.br>
Message-ID: <20020627051057.GE4543@vega.ipal.net>

On Wed, Jun 26, 2002 at 07:06:13PM -0300, Andreas Hasenack wrote:

| I have an openssh RPM package that restarts the sshd server during
| an upgrade if the daemon is already running. So far, so good, restart
| works.

What happens if you were connected via ssh when it restarts?

| Shouldn't a daemon close all fds before going into "daemon land"?

What exactly is broken here? Should a package manager be restarting a
daemon? Maybe the package manager should use close-on-exec on all the
descriptors that aren't to be passed on to the daemon, while it still
knows what descriptors are open instead of imposing on the next program
to do thousands of close() calls.

--
-----------------------------------------------------------------
| Phil Howard - KA9WGN    | Dallas     | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
-----------------------------------------------------------------
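The two alternatives raised in this thread, the daemon closing inherited descriptors itself at startup versus the package manager marking them close-on-exec before it execs the daemon, as an added C example that is not from the thread and not OpenSSH code; the function names are this example's own, and close_from() is an assumed closefrom()-style helper rather than any particular libc's.

```c
#include <fcntl.h>
#include <unistd.h>

/* Upper bound for descriptor scans, capped so that a huge RLIMIT_NOFILE
 * does not turn the loop into a long stall. */
static int fd_limit(void)
{
    long n = sysconf(_SC_OPEN_MAX);

    if (n < 0 || n > 65536)
        n = 65536;
    return (int)n;
}

/* fcntl(F_GETFD) is the cheapest way to ask "is this descriptor open?" */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);

    return flags != -1 && (flags & FD_CLOEXEC) != 0;
}

/* Daemon side: close everything from lowfd upward before going into
 * "daemon land", like BSD closefrom().  Returns the number actually closed. */
int close_from(int lowfd)
{
    int fd, limit = fd_limit(), closed = 0;

    for (fd = lowfd; fd < limit; fd++)
        if (close(fd) == 0)
            closed++;
    return closed;
}

/* Parent side (Phil's suggestion): flag every open descriptor from lowfd
 * upward close-on-exec while the parent still knows what it has open, so
 * the kernel drops them at execve() and the daemon never sees them.
 * Returns the number of descriptors marked. */
int mark_cloexec_from(int lowfd)
{
    int fd, limit = fd_limit(), marked = 0;

    for (fd = lowfd; fd < limit; fd++) {
        int flags = fcntl(fd, F_GETFD);

        if (flags == -1)
            continue;               /* not open */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0)
            marked++;
    }
    return marked;
}
```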
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 27 Jun 2002 10:17:47 +0200
Subject: UsePrivilegeSeparation: "fatal: xrealloc: out of memory"
In-Reply-To: <20020626183220.A6955@mastaler.com>; from jason-exp-1025829148.32b4c5@mastaler.com on Wed, Jun 26, 2002 at 06:32:20PM -0600
References: <20020626183220.A6955@mastaler.com>
Message-ID: <20020627101746.U18668@greenie.muc.de>

Hi,

On Wed, Jun 26, 2002 at 06:32:20PM -0600, Jason R. Mastaler wrote:
> Jun 26 20:15:04 sclp3 sshd[6433]: Accepted password for jason from 128.165.148.66 port 41871 ssh2
> Jun 26 20:15:12 sclp3 jason[110]: sshd[6444]: fatal: xrealloc: out of memory (new_size 5566464 bytes)

I've seen this on some old FreeBSD systems (2.2.7) when using "-2 -C".

Protocol 1 works with compression, Protocol 2 works without, but if you
use -2 -C, sshd will grow to about 25 Mbyte of memory, and then ulimit
will strike.

I'm not sure where the bug is, but something in the old system is
triggering it.

(There's another weirdness. DSA operations on FreeBSD 2.2.x with x<7
reliably trigger a core dump crash, so no "-2" on these OSes at all).

gert
--
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany                   gert at greenie.muc.de
fax: +49-89-35655025                   gert.doering at physik.tu-muenchen.de

From jouni.viikari at vip.fi Thu Jun 27 18:33:46 2002
From: jouni.viikari at vip.fi (Jouni Viikari)
Date: Thu, 27 Jun 2002 11:33:46 +0300
Subject: openssh-3.4p1-1.src.rpm & RH 6.2
Message-ID: <005f01c21db5$5b0474e0$3c81add5@vip.fi>

When trying to compile openssh3.4 to Redhat 6.2 I get following error:

    #rpm --rebuild openssh-3.4p1-1.src.rpm
    Installing openssh-3.4p1-1.src.rpm
    error: failed build dependencies:
        db1-devel is needed by openssh-3.4p1-1

Please advise about the recommended way to proceed. There is no (official)
db1 rpm package for RH6.2.

I did not have any db1 dependency problems with previous versions of
openssh src.rpm I have installed

Best regards,

Jouni

From wichert at wiggy.net Thu Jun 27 18:35:52 2002
From: wichert at wiggy.net (Wichert Akkerman)
Date: Thu, 27 Jun 2002 10:35:52 +0200
Subject: bad owner on /var/empty: RH6.2 sparc 3.4p1
In-Reply-To: <20020626200048.GM19640@conectiva.com.br>
References: <20020626194146.GE2752@jenny.crlsca.adelphia.net> <20020626200048.GM19640@conectiva.com.br>
Message-ID: <20020627083552.GG9384@wiggy.net>

Previously Andreas Hasenack wrote:
> Distros will just remove this line again, otherwise they would have to start
> building packages as root.

Not if they use fakeroot

Wichert.

--
_________________________________________________________________
/wichert at wiggy.net         This space intentionally left occupied \
| wichert at deephackmode.org            http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |

From jouni.viikari at vip.fi Thu Jun 27 18:41:24 2002
From: jouni.viikari at vip.fi (Jouni Viikari)
Date: Thu, 27 Jun 2002 11:41:24 +0300
Subject: openssh-3.4p1-1.src.rpm & RH 6.2
Message-ID: <007101c21db6$6b6f39e0$3c81add5@vip.fi>

Follow-up to my own question. I finally found the answer. (Good FAQ
candidate...)

    # rpm --rebuild openssh-3.4p1-1.src.rpm --define build_6x=1

Jouni

----- Original Message -----
From: "Jouni Viikari"
To:
Sent: 27 June 2002 11:33
Subject: openssh-3.4p1-1.src.rpm & RH 6.2

> When trying to compile openssh3.4 to Redhat 6.2 I get following error:
>
> #rpm --rebuild openssh-3.4p1-1.src.rpm
> Installing openssh-3.4p1-1.src.rpm
> error: failed build dependencies:
>     db1-devel is needed by openssh-3.4p1-1
>
> Please advise about the recommended way to proceed. There is no (official)
> db1 rpm package for RH6.2.
>
> I did not have any db1 dependency problems with previous versions of openssh
> src.rpm I have installed
>
> Best regards,
>
> Jouni

From gert at greenie.muc.de Thu Jun 27 18:44:55 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 27 Jun 2002 10:44:55 +0200
Subject: OpenSSH Security Advisory (adv.iss)
In-Reply-To: ; from tim@multitalents.net on Wed, Jun 26, 2002 at 04:55:54PM -0700
References:
Message-ID: <20020627104455.V18668@greenie.muc.de>

Hi,

On Wed, Jun 26, 2002 at 04:55:54PM -0700, Tim Rice wrote:
> I'm using gcc 2.7.2.1 on my old SCO 3.2v4.2 box here and it builds 3.4p1

You're not using PrivSep on that box, are you?

Besides PrivSep not working, yes, that's similar to what I do - gcc 2.7.2.3

gert
--
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany                   gert at greenie.muc.de
fax: +49-89-35655025                   gert.doering at physik.tu-muenchen.de

From dtucker at zip.com.au Thu Jun 27 19:07:24 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 27 Jun 2002 19:07:24 +1000
Subject: bad owner on /var/empty: RH6.2 sparc 3.4p1
References: <20020626194146.GE2752@jenny.crlsca.adelphia.net> <20020626200048.GM19640@conectiva.com.br> <20020627083552.GG9384@wiggy.net>
Message-ID: <3D1AD5CB.B743029@zip.com.au>

Wichert Akkerman wrote:
> Previously Andreas Hasenack wrote:
> > Distros will just remove this line again, otherwise they would have to start
> > building packages as root.
>
> Not if they use fakeroot

The patch referred to was to Makefile.in:
"+ chown 0 $(DESTDIR)$(PRIVSEP_PATH)"

I don't see how a fake root (ie "make install DESTDIR=/some/dir") as a
vanilla user helps create a root-owned directory.......

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From binder at arago.de Thu Jun 27 19:36:10 2002
From: binder at arago.de (Thomas Binder)
Date: Thu, 27 Jun 2002 11:36:10 +0200
Subject: Fixed paths (Was: [PATCH] improved chroot handling)
In-Reply-To: ; from mouring@etoh.eviladmin.org on Wed, Jun 26, 2002 at 06:26:42PM -0500
References: <20020626231858.E26954@chiark.greenend.org.uk>
Message-ID: <20020627113609.A4231375@ohm.arago.de>

Hi!

On Wed, Jun 26, 2002 at 06:26:42PM -0500, Ben Lindstrom wrote:
> > + char emptydir[] = "/var/tmp/sshd.XXXXXXXXXX";
>
> Hard coded directories that one has to sprawl through to find.
> Also in very bad taste.

That reminds me: The path to the authentication socket is also hardcoded
in session.c and ssh-agent.c

Ciao

Thomas

From bugzilla-daemon at mindrot.org Thu Jun 27 19:42:12 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 27 Jun 2002 19:42:12 +1000 (EST)
Subject: [Bug 305] New: openssh-3.4p1/openbsd-compat/setenv.c lacks include
Message-ID: <20020627094212.95AE0E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=305

           Summary: openssh-3.4p1/openbsd-compat/setenv.c lacks include
           Product: Portable OpenSSH
           Version: -current
          Platform: Sparc
        OS/Version: SunOS
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Miscellaneous
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: tdsc.af at infineon.com

openssh-3.4p1/openbsd-compat/setenv.c lacks #include "includes.h", so
memmove is not defined to bcopy on platforms that don't have memmove, and
thus the linker will fail with a message that _memmove is not defined.

Suggest to add it following #include

From binder at arago.de Thu Jun 27 19:45:58 2002
From: binder at arago.de (Thomas Binder)
Date: Thu, 27 Jun 2002 11:45:58 +0200
Subject: sshd and file descriptors
In-Reply-To: <20020627051057.GE4543@vega.ipal.net>; from phil-openssh-unix-dev@ipal.net on Thu, Jun 27, 2002 at 12:10:57AM -0500
References: <20020626220613.GO19640@conectiva.com.br> <20020627051057.GE4543@vega.ipal.net>
Message-ID: <20020627114557.B4231375@ohm.arago.de>

Hi!

On Thu, Jun 27, 2002 at 12:10:57AM -0500, Phil Howard wrote:
> > I have an openssh RPM package that restarts the sshd server
> > during an upgrade if the daemon is already running. So far, so
> > good, restart works.
>
> What happens if you were connected via ssh when it restarts?

Nothing special - all existing ssh sessions stay alive when the "root"
sshd process dies; all that happens is that they have init as their
parent process afterwards. Actually, I always update sshd remotely using
an ssh session to the old sshd.

Ciao

Thomas

From matthew at debian.org Thu Jun 27 20:02:39 2002
From: matthew at debian.org (Matthew Vernon)
Date: 27 Jun 2002 11:02:39 +0100
Subject: why fd passing?
In-Reply-To: Phil Howard's message of Wed, 26 Jun 2002 17:32:01 GMT
References: <20020626164624.GB4543@vega.ipal.net>
Message-ID: <5b4rfp9gzk.fsf@chiark.greenend.org.uk>

Phil Howard writes:
> then it doesn't have to be done. But if that isn't known at fork
> time, go ahead and set one up and then if the user privilege child
> decides it does not need one, it can just close the descriptors.

This doesn't work - the client may request a shell service at any point,
so you'd have to keep the pty ready-to-use for the entire session.

> I do not see from this illustration how mmap() is involved.

AIUI, the shared memory is for zlib use.

Matthew

--
"At least you know where you are with Microsoft."
"True. I just wish I'd brought a paddle."
http://www.debian.org

From markus at openbsd.org Thu Jun 27 20:02:32 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 27 Jun 2002 12:02:32 +0200
Subject: why fd passing?
In-Reply-To: <20020626164624.GB4543@vega.ipal.net>
References: <20020626164624.GB4543@vega.ipal.net>
Message-ID: <20020627100232.GA22620@folly>

On Wed, Jun 26, 2002 at 11:46:24AM -0500, Phil Howard wrote:
> Why not go ahead and have the monitor set one up before it forks
> the child?

with protocol 2 multiple pty and multiple login shells over one
connection are allowed. the ssh.com windows clients supports this for
example.

> I do not see from this illustration how mmap() is involved.

it's used for passing the internal zlib compression state around.

-m

From phil-openssh-unix-dev at ipal.net Thu Jun 27 20:04:18 2002
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Thu, 27 Jun 2002 05:04:18 -0500
Subject: /var/empty and r/o filesystem
Message-ID: <20020627100418.GA27749@vega.ipal.net>

Since nothing is to be written into /var/empty (or whatever the path du jour is) I would assume it would be safe to make it be a read-only filesystem.

--
-----------------------------------------------------------------
| Phil Howard - KA9WGN  | Dallas     | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
-----------------------------------------------------------------

From markus at openbsd.org Thu Jun 27 20:05:45 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 27 Jun 2002 12:05:45 +0200
Subject: Revised OpenSSH Security Advisory (adv.iss)
In-Reply-To: <20020626195456.GK19640@conectiva.com.br>
References: <20020626190825.GA27268@folly> <15642.6278.898843.260946@darkwing.uoregon.edu> <20020626195456.GK19640@conectiva.com.br>
Message-ID: <20020627100545.GB22620@folly>

On Wed, Jun 26, 2002 at 04:54:56PM -0300, Andreas Hasenack wrote:
> On Wed, Jun 26, 2002 at 12:39:50PM -0700, Steve VanDevender wrote:
> > I think the announcement is fine the way it is. Having an explicit
> > "PAMAuthenticationViaKbdInt no" in sshd_config is a lot less ambiguous
> > than assuming it's disabled by default.
>
> All these authentication mechanisms can be confusing, since many can
> overlap. Just throw in challengeresponse, keyboard-interactive, password,
> kerberos (via ticket or password), S/Key (which is challengeresponse but
> can also be used via PAM) and so on.
>
> Is there another document besides the man page sshd_config(5)
> which explains all the available mechanisms in more detail? Or "just" the
> RFC/protocol/standard/whatever description?

keyboard-interactive is just a mechanism. and if you run PAM over keyboard-interactive you can do all auth methods that PAM allows (with some restrictions). so if PAM allows passwd or skey, then you can do s/key over pam over kbdint.

but no, there is no detailed documentation, it depends on many things...

From steve.kitchener at aspentech.com Thu Jun 27 20:06:32 2002
From: steve.kitchener at aspentech.com (Stephen Kitchener)
Date: 27 Jun 2002 11:06:32 +0100
Subject: Still logs me out - openssh 3.4.p1
Message-ID: <1025172393.3925.21.camel@scooter.lon.aspentech.com>

Hi,

I am still having difficulties in logging in as a non root user. I have installed 3.4.p1. I am logging in from a Linux box that has been upgraded to 3.3p1 and experience no problems in logging in to other linux boxes, root or non-root.

Output from ./configure

OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: man
PAM support: no
KerberosIV support: no
KerberosV support: no
Smartcard support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: no
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: ssh-rand-helper
ssh-rand-helper collects from: Command hashing (timeout 200)

Host: alpha-dec-osf4.0d
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags: -I/usr/local/ssl/include
Linker flags: -L/usr/local/ssl/lib
Libraries: -lz -lsecurity -ldb -lm -laud -lcrypto

Output from ssh -v -v -v hostname -l steve

OpenSSH_3.3, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to bgvx10 [10.96.176.110] port 22.
debug1: Connection established.
debug1: identity file /home/stephen/.ssh/identity type 0 debug1: identity file /home/stephen/.ssh/id_rsa type -1 debug1: identity file /home/stephen/.ssh/id_dsa type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1 debug1: match: OpenSSH_3.4p1 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.3 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: 
kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 120/256 debug1: bits set: 1032/2049 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /home/stephen/.ssh/known_hosts debug2: key_type_from_name: unknown key type '1024' debug3: key_read: no key found debug3: check_host_in_hostfile: match line 16 debug3: check_host_in_hostfile: filename /home/stephen/.ssh/known_hosts debug2: key_type_from_name: unknown key type '1024' debug3: key_read: no key found debug3: check_host_in_hostfile: match line 16 debug1: Host 'bgvx10' is known and matches the RSA host key. debug1: Found key in /home/stephen/.ssh/known_hosts:16 debug1: bits set: 1020/2049 debug1: ssh_rsa_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. 
debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: next auth method to try is publickey debug2: userauth_pubkey_agent: no keys at all debug2: userauth_pubkey_agent: no more keys debug2: userauth_pubkey_agent: no message sent debug1: try privkey: /home/stephen/.ssh/id_rsa debug3: no such identity: /home/stephen/.ssh/id_rsa debug1: try privkey: /home/stephen/.ssh/id_dsa debug3: no such identity: /home/stephen/.ssh/id_dsa debug2: we did not send a packet, disable method debug3: authmethod_lookup keyboard-interactive debug3: remaining preferred: password debug3: authmethod_is_enabled keyboard-interactive debug1: next auth method to try is keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug1: authentications that can continue: publickey,password,keyboard-interactive debug3: userauth_kbdint: disable: no info_req_seen debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: debug3: authmethod_is_enabled password debug1: next auth method to try is password steve at bgvx10's password: debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: ssh-userauth2 successful: method password debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug1: send channel open 0 debug1: Entering interactive session. 
debug2: callback start debug1: ssh_session2_setup: id 0 debug1: channel request 0: pty-req debug3: tty_make_modes: ospeed 38400 debug3: tty_make_modes: ispeed 38400 debug3: tty_make_modes: 1 3 debug3: tty_make_modes: 2 28 debug3: tty_make_modes: 3 127 debug3: tty_make_modes: 4 21 debug3: tty_make_modes: 5 4 debug3: tty_make_modes: 6 0 debug3: tty_make_modes: 7 0 debug3: tty_make_modes: 8 17 debug3: tty_make_modes: 9 19 debug3: tty_make_modes: 10 26 debug3: tty_make_modes: 12 18 debug3: tty_make_modes: 13 23 debug3: tty_make_modes: 14 22 debug3: tty_make_modes: 18 15 debug3: tty_make_modes: 30 0 debug3: tty_make_modes: 31 0 debug3: tty_make_modes: 32 0 debug3: tty_make_modes: 33 0 debug3: tty_make_modes: 34 0 debug3: tty_make_modes: 35 0 debug3: tty_make_modes: 36 1 debug3: tty_make_modes: 37 0 debug3: tty_make_modes: 38 1 debug3: tty_make_modes: 39 0 debug3: tty_make_modes: 40 0 debug3: tty_make_modes: 41 0 debug3: tty_make_modes: 50 1 debug3: tty_make_modes: 51 1 debug3: tty_make_modes: 52 0 debug3: tty_make_modes: 53 1 debug3: tty_make_modes: 54 1 debug3: tty_make_modes: 55 1 debug3: tty_make_modes: 56 0 debug3: tty_make_modes: 57 0 debug3: tty_make_modes: 58 0 debug3: tty_make_modes: 59 1 debug3: tty_make_modes: 60 1 debug3: tty_make_modes: 61 1 debug3: tty_make_modes: 62 0 debug3: tty_make_modes: 70 1 debug3: tty_make_modes: 71 0 debug3: tty_make_modes: 72 1 debug3: tty_make_modes: 73 0 debug3: tty_make_modes: 74 0 debug3: tty_make_modes: 75 0 debug3: tty_make_modes: 90 1 debug3: tty_make_modes: 91 1 debug3: tty_make_modes: 92 0 debug3: tty_make_modes: 93 0 debug1: channel request 0: shell debug1: fd 3 setting TCP_NODELAY debug2: callback done debug1: channel 0: open confirm rwindow 0 rmax 32768 debug2: channel 0: rcvd adjust 131072 debug1: channel_free: channel 0: client-session, nchannels 1 debug3: channel_free: status: The following connections are open: #0 client-session (t4 r0 i0/0 o0/0 fd 4/5) debug3: channel_close_fds: channel 0: r 4 w 5 e 6 Connection 
to bgvx10 closed by remote host. Connection to bgvx10 closed. debug1: Transferred: stdin 0, stdout 0, stderr 75 bytes in 0.1 seconds debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 1147.4 debug1: Exit status -1 -- Stephen M Kitchener Unix Systems Administrator EMEA APAC Supply Chain Division. AspenTech UK 1 Century Court, Tolpits Lane, Watford, Herts, WD18 9PT TEL +44 (0) 1923 652125 FAX +44 (0) 1923 652215 EMAIL steve.kitchener at aspentech.com WEB http://www.aspentech.com From phil-openssh-unix-dev at ipal.net Thu Jun 27 20:12:50 2002 
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Thu, 27 Jun 2002 05:12:50 -0500
Subject: why fd passing?
In-Reply-To: <20020627100232.GA22620@folly>
References: <20020626164624.GB4543@vega.ipal.net> <20020627100232.GA22620@folly>
Message-ID: <20020627101250.GB27749@vega.ipal.net>

On Thu, Jun 27, 2002 at 12:02:32PM +0200, Markus Friedl wrote:
| On Wed, Jun 26, 2002 at 11:46:24AM -0500, Phil Howard wrote:
| > Why not go ahead and have the monitor set one up before it forks
| > the child?
|
| with protocol 2 multiple pty and multiple login
| shells over one connection are allowed.
| the ssh.com windows clients support this for
| example.

If a given system can allocate a pty w/o root, would it be possible for that system to just let the user privilege process do it? If so, a system which can't do fd passing but can do pty w/o root could get around that problem that way.

What about a configurable quota on the maximum number of ptys a process can get set up for it by the monitor, so that can't be used as a denial of service exploit from inside a cracked user privilege process? Or would that not be worth the trouble?

I like privsep, but I can certainly see a lot of complications in it.

| > I do not see from this illustration how mmap() is involved.
|
| it's used for passing the internal zlib compression
| state around.

I was assuming something like that. It just wasn't shown. I hope when things settle down that detailed technical documentation can be prepared, or the current little blurb can be expanded. Not everyone can figure this out by reading code.

--
-----------------------------------------------------------------
| Phil Howard - KA9WGN  | Dallas     | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
-----------------------------------------------------------------

From binder at arago.de Thu Jun 27 20:13:04 2002
From: binder at arago.de (Thomas Binder)
Date: Thu, 27 Jun 2002 12:13:04 +0200
Subject: bad owner on /var/empty: RH6.2 sparc 3.4p1
In-Reply-To: <20020626153010.P20075@zax.half.pint-stowp.cx>; from jmknoble@pobox.com on Wed, Jun 26, 2002 at 03:30:11PM -0400
References: <20020626143236.O20075@zax.half.pint-stowp.cx> <20020626153010.P20075@zax.half.pint-stowp.cx>
Message-ID: <20020627121303.C4231375@ohm.arago.de>

Hi!

On Wed, Jun 26, 2002 at 03:30:11PM -0400, Jim Knoble wrote:
> No. Bad. /var/empty should be mode 0755, owner 0 (root), group
> 0 (root, wheel, sys, or whatever it is on your system).

Btw, there's one discrepancy between what README.privsep (and you) say(s) and what make install does:

README.privsep:

    mkdir /var/empty
    chown root:sys /var/empty
    chmod 755 /var/empty

Makefile.in:

    $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH)
    chmod 0700 $(DESTDIR)$(PRIVSEP_PATH)

Note that make install will create the directory with 0700, while README.privsep propagates 0755. Which mode is the one to use? From my tests, it works with both, but IMO it would be better to sync README.privsep and Makefile.in in that respect.

Ciao

Thomas

--
Pilfering Treasury property is particularly dangerous: big thieves are ruthless in punishing little thieves. -- Diogenes

From wichert at wiggy.net Thu Jun 27 20:20:20 2002
From: wichert at wiggy.net (Wichert Akkerman) Date: Thu, 27 Jun 2002 12:20:20 +0200 Subject: bad owner on /var/empty: RH6.2 sparc 3.4p1 In-Reply-To: <3D1AD5CB.B743029@zip.com.au> References: <20020626194146.GE2752@jenny.crlsca.adelphia.net> <20020626200048.GM19640@conectiva.com.br> <20020627083552.GG9384@wiggy.net> <3D1AD5CB.B743029@zip.com.au> Message-ID: <20020627102020.GH9384@wiggy.net> Previously Darren Tucker wrote: > I don't see how a fake root (ie "make install DESTDIR=/some/dir") as a > vanilla user helps create a root-owned directory....... fakeroot is not a fake root, it fakes root. [tornado;~]-15> dpkg -p fakeroot Package: fakeroot Priority: optional Section: utils Installed-Size: 136 Maintainer: joost witteveen Architecture: i386 Version: 0.4.5-2.3 Depends: libc6 (>= 2.2.4-4), libstdc++2.10-glibc2.2 (>= 1:2.95.4-0.010810) Filename: dists/woody/mirror/binary-i386/fakeroot_0.4.5-2.3.deb Size: 32848 MD5sum: a5194884c1bc44095e3b0b0ff039f622 Description: Gives a fake root environment. This package is intended to enable something like: dpkg-buildpackage -rfakeroot i.e. to remove the need to become root for a package build. This is done by setting LD_PRELOAD to libfakeroot.so, which provides wrappers around getuid, chown, chmod, mknod, stat, ..., thereby creating a fake root environment. . If you don't understand any of this, you do not need fakeroot! Wichert. -- _________________________________________________________________ /wichert at wiggy.net This space intentionally left occupied \ | wichert at deephackmode.org http://www.liacs.nl/~wichert/ | | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D | From dtucker at zip.com.au Thu Jun 27 20:19:12 2002 
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 27 Jun 2002 20:19:12 +1000
Subject: UsePrivilegeSeparation: "fatal: xrealloc: out of memory"
References: <20020626183220.A6955@mastaler.com> <3D1A8BA6.A731D810@zip.com.au> <20020626224329.A12122@mastaler.com>
Message-ID: <3D1AE6A0.85E29EA2@zip.com.au>

"Jason R. Mastaler" wrote:
>
> Darren Tucker writes:
>
> > Ulimits? Check with ulimit -a if the data size is <5.5M.
>
> Doesn't look like it:
>
> sclp3# bash
> bash-2.01# ulimit -a
[snip]
> data seg size (kbytes) 32768
[snip]

Gert Doering gave an example of sshd using 25MB of memory (!) so you might want to try setting "ulimit -d unlimited" anyway.

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Thu Jun 27 20:43:21 2002
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 27 Jun 2002 20:43:21 +1000 Subject: bad owner on /var/empty: RH6.2 sparc 3.4p1 References: <20020626194146.GE2752@jenny.crlsca.adelphia.net> <20020626200048.GM19640@conectiva.com.br> <20020627083552.GG9384@wiggy.net> <3D1AD5CB.B743029@zip.com.au> <20020627102020.GH9384@wiggy.net> Message-ID: <3D1AEC49.695DD14D@zip.com.au> Wichert Akkerman wrote: > Previously Darren Tucker wrote: > > I don't see how a fake root (ie "make install DESTDIR=/some/dir") as a > > vanilla user helps create a root-owned directory....... > > fakeroot is not a fake root, it fakes root. > i.e. to remove the need to become root for a package build. > This is done by setting LD_PRELOAD to libfakeroot.so, > which provides wrappers around getuid, chown, chmod, mknod, > stat, ..., thereby creating a fake root environment. Neat! I didn't know about that. It doesn't help for platforms that don't support LD_PRELOAD (eg AIX 4.x) and since the AIX package builder uses "make install DESTDIR=..." *I'd* be patching Makefile.in and whining.... -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From matthew at debian.org Thu Jun 27 20:45:20 2002 
From: matthew at debian.org (Matthew Vernon) Date: 27 Jun 2002 11:45:20 +0100 Subject: pam session as root In-Reply-To: Michael Stone's message of Wed, 26 Jun 2002 23:32:01 GMT References: <20020626185852.A6498@justice.loyola.edu> Message-ID: <5b3cv99f0f.fsf@chiark.greenend.org.uk> Michael Stone writes: > > Beyond any more general questions of whether pam sessions *should* be > run as root, is there an immediate security concern with moving the I believe that the original PAM authors intended pam_session to be run as root. Whether this is sensible or not is left as an exercise... Matthew -- "At least you know where you are with Microsoft." "True. I just wish I'd brought a paddle." http://www.debian.org From binder at arago.de Thu Jun 27 21:18:13 2002 
From: binder at arago.de (Thomas Binder) Date: Thu, 27 Jun 2002 13:18:13 +0200 Subject: BROKEN_FD_PASSING (Bug 269) In-Reply-To: <20020626143236.O20075@zax.half.pint-stowp.cx>; from jmknoble@pobox.com on Wed, Jun 26, 2002 at 02:32:36PM -0400 References: <20020626140958.B3625440@ohm.arago.de> <20020626111210.N20075@zax.half.pint-stowp.cx> <20020626174732.A3746291@oh Message-ID: <20020627131813.A4257741@ohm.arago.de> Hi! On Wed, Jun 26, 2002 at 02:32:36PM -0400, Jim Knoble wrote: > : Nope, at least not for me on i386-Linux 2.0.39, as it already > : breaks earlier with: > : > : mm_receive_fd: recvmsg: expected received 1 got 2 > > Is that repeatable? Can you strace it? It is repeatable, but astonishingly not straceable. Calling ./sshd -p 2222 -d -d -d and connecting as a user (authenticated via public key; it does not fail when connecting as root, btw.) will result in mm_receive_fd: recvmsg: expected received 1 got 2 As soon as I add strace, as in strace -f -o /tmp/strace.user ./sshd -p 2222 -d -d -d it fails with the "expected" message mm_receive_fd: expected type 1 got 1074277169 (unless patched as suggested). Running as a daemon behaves as in case 1, i.e. needs BROKEN_FD_PASSING. Further investigating this issue, I found out that linking with TransArc's AFS libraries is the culprit. Without them, everything's fine (except, of course, one can't login as a user). Thus, it seems to be a local problem only, nothing to worry about here. Of course, it unfortunately forces me to define BROKEN_FD_PASSING, but I'll have to live with that. But it's really interesting that running sshd with and without strace behaves differently. Ciao Thomas From des at ofug.org Thu Jun 27 21:28:24 2002 
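The two diagnostics Thomas quotes ("expected received 1 got 2" and "expected type 1 got ...") are the receiver's sanity checks on the SCM_RIGHTS message that carries a descriptor from the monitor to the unprivileged child. As an added example, not OpenSSH's monitor_fdpass.c and using hypothetical demo_* names, here is a descriptor passed over a socketpair with those same checks, plus what the receiver does with a message that carries no descriptor at all:

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not OpenSSH's monitor_fdpass.c: pass a descriptor over an
 * AF_UNIX socket with SCM_RIGHTS and keep the receive-side checks that
 * produce the two log lines quoted above. The demo_* names are hypothetical. */
union fd_cmsg {            /* control buffer aligned for struct cmsghdr */
    struct cmsghdr hdr;
    char buf[CMSG_SPACE(sizeof(int))];
};

/* Send one descriptor plus one dummy data byte (recvmsg needs at least one
 * byte of real data to deliver the ancillary data). 0 on success, else -1. */
int demo_send_fd(int sock, int fd)
{
    struct msghdr msg;
    struct iovec vec;
    struct cmsghdr *cmsg;
    union fd_cmsg cmsgbuf;
    char ch = '\0';
    memset(&msg, 0, sizeof(msg));
    memset(&cmsgbuf, 0, sizeof(cmsgbuf));
    msg.msg_control = &cmsgbuf;
    msg.msg_controllen = CMSG_LEN(sizeof(int));
    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int)); /* no alignment assumption */
    vec.iov_base = &ch;
    vec.iov_len = 1;
    msg.msg_iov = &vec;
    msg.msg_iovlen = 1;
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor; returns it, or -1 after a diagnostic of the same
 * shape as "expected received 1 got N" / "expected type X got Y". */
int demo_receive_fd(int sock)
{
    struct msghdr msg;
    struct iovec vec;
    struct cmsghdr *cmsg;
    union fd_cmsg cmsgbuf;
    char ch;
    ssize_t n;
    int fd;
    memset(&msg, 0, sizeof(msg));
    memset(&cmsgbuf, 0, sizeof(cmsgbuf));
    vec.iov_base = &ch;
    vec.iov_len = 1;
    msg.msg_iov = &vec;
    msg.msg_iovlen = 1;
    msg.msg_control = &cmsgbuf;
    msg.msg_controllen = sizeof(cmsgbuf);
    n = recvmsg(sock, &msg, 0);
    if (n != 1) {                      /* exactly one data byte expected */
        fprintf(stderr, "recvmsg: expected received 1 got %ld\n", (long)n);
        return -1;
    }
    cmsg = CMSG_FIRSTHDR(&msg);        /* NULL when no ancillary data came */
    if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS) {
        fprintf(stderr, "expected type %d got %d\n", SCM_RIGHTS,
                cmsg == NULL ? -1 : cmsg->cmsg_type);
        return -1;
    }
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* Exercise both sides over a socketpair. with_rights=1: pass /dev/null's
 * descriptor and return 1 if the copy received is a new number for the same
 * open file. with_rights=0: send a bare byte with no SCM_RIGHTS attached and
 * return 1 if the receiver rejected it. Any other outcome returns 0. */
int demo_roundtrip(int with_rights)
{
    int sv[2], sent, got = -1, ok = 0;
    struct stat a, b;
    char ch = 'x';
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return 0;
    if ((sent = open("/dev/null", O_RDONLY)) == -1)
        goto out;
    if (!with_rights) {
        ok = (write(sv[0], &ch, 1) == 1 && demo_receive_fd(sv[1]) == -1);
    } else if (demo_send_fd(sv[0], sent) == 0 &&
               (got = demo_receive_fd(sv[1])) != -1) {
        ok = (got != sent && fstat(sent, &a) == 0 && fstat(got, &b) == 0 &&
              a.st_dev == b.st_dev && a.st_ino == b.st_ino);
        close(got);
    }
    close(sent);
out:
    close(sv[0]);
    close(sv[1]);
    return ok;
}
```

The bare-byte case is the one where CMSG_FIRSTHDR returns NULL and the receiver must refuse rather than read a descriptor out of an empty control buffer.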
From: des at ofug.org (Dag-Erling Smorgrav) Date: 27 Jun 2002 13:28:24 +0200 Subject: bad owner on /var/empty: RH6.2 sparc 3.4p1 In-Reply-To: <20020627121303.C4231375@ohm.arago.de> References: <20020626143236.O20075@zax.half.pint-stowp.cx> <20020626153010.P20075@zax.half.pint-stowp.cx> <20020627121303.C4231375@ohm.arago.de> Message-ID: Thomas Binder writes: > Note that make install will create the directory with 0700, while > README.privsep propagates 0755. Which mode is the one to use? FreeBSD uses 0555 with no apparent trouble. DES -- Dag-Erling Smorgrav - des at ofug.org From seth at kokos.cz Thu Jun 27 21:51:13 2002 
From: seth at kokos.cz (seth at kokos.cz)
Date: Thu, 27 Jun 2002 13:51:13 +0200
Subject: OpenSSH 3.4p1 - compilation problem on Linux
Message-ID: <4113498429.20020627135113@kokos.cz>

Hello openssh-unix-dev,

Some time ago I successfully compiled version 3.1 of OpenSSH. Today I tried the new OpenSSH version and I am not able to compile it. The configuration script ran well. When running make, the following error occurred:

make[1]: Entering directory `/tools/openssh-3.4p1/openbsd-compat'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/tools/openssh-3.4p1/openbsd-compat'
gcc -o ssh ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -lssh -lopenbsd-compat -lbsd -lz -lcrypto
./libssh.a(monitor_fdpass.o): In function `mm_send_fd':
/tools/openssh-3.4p1/monitor_fdpass.c:54: undefined reference to `CMSG_FIRSTHDR'
/tools/openssh-3.4p1/monitor_fdpass.c:58: undefined reference to `CMSG_DATA'
./libssh.a(monitor_fdpass.o): In function `mm_receive_fd':
/tools/openssh-3.4p1/monitor_fdpass.c:114: undefined reference to `CMSG_FIRSTHDR'
/tools/openssh-3.4p1/monitor_fdpass.c:118: undefined reference to `CMSG_DATA'
collect2: ld returned 1 exit status
make: *** [ssh] Error 1

Really don't know where the problem could be.

Some info about comp:
i386 Slackware linux
Kernel 2.0.34
OpenSSL 0.9.6
egcs-2.90.29 980515 (egcs-1.0.3 release)
libc 4.7.6

- don't know what other info can help you.

--
Best regards,
seth mailto:seth at kokos.cz

From craig.emery at 3glab.com Thu Jun 27 22:05:42 2002
From: craig.emery at 3glab.com (Craig Emery)
Date: Thu, 27 Jun 2002 13:05:42 +0100
Subject: OpenSSH 3.4p1 - compilation problem on Linux
References: <4113498429.20020627135113@kokos.cz>
Message-ID: <3D1AFF96.90307@3glab.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've just successfully built RedHat 7.2 RPMs. (Does anyone want to upload them somewhere?)

Looking up CMSG_FIRSTHDR I find it in /usr/include/bits/socket.h and /usr/include/linux/socket.h

The former belongs to my glibc-devel package and the latter belongs to my kernel-headers package.

Seeing "Kernel 2.0.34" in your system's configuration makes me suspicious of your kernel headers but it could be the version of glibc you've got installed.

You could try upgrading but both of these packages are *really* fundamental things that you should upgrade with care.

Craig.

seth at kokos.cz wrote:
> Hello openssh-unix-dev,
>
> Some time ago I successfully compiled version 3.1 of OpenSSH.
> Today I tried the new OpenSSH version and I am not able to compile it.
> The configuration script ran well. When running make, the following error
> occurred:
>
> make[1]: Entering directory `/tools/openssh-3.4p1/openbsd-compat'
> make[1]: Nothing to be done for `all'.
> make[1]: Leaving directory `/tools/openssh-3.4p1/openbsd-compat'
> gcc -o ssh ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -lssh -lopenbsd-compat -lbsd -lz -lcrypto
> ./libssh.a(monitor_fdpass.o): In function `mm_send_fd':
> /tools/openssh-3.4p1/monitor_fdpass.c:54: undefined reference to `CMSG_FIRSTHDR'
> /tools/openssh-3.4p1/monitor_fdpass.c:58: undefined reference to `CMSG_DATA'
> ./libssh.a(monitor_fdpass.o): In function `mm_receive_fd':
> /tools/openssh-3.4p1/monitor_fdpass.c:114: undefined reference to `CMSG_FIRSTHDR'
> /tools/openssh-3.4p1/monitor_fdpass.c:118: undefined reference to `CMSG_DATA'
> collect2: ld returned 1 exit status
> make: *** [ssh] Error 1
>
> Really don't know where the problem could be.
>
> Some info about comp:
> i386 Slackware linux
> Kernel 2.0.34
> OpenSSL 0.9.6
> egcs-2.90.29 980515 (egcs-1.0.3 release)
> libc 4.7.6
>
> - don't know what other info can help you.

From kouril at ics.muni.cz Thu Jun 27 22:42:30 2002
From: kouril at ics.muni.cz (Daniel Kouril) Date: Thu, 27 Jun 2002 14:42:30 +0200 Subject: Using Kerberos5 in 3.3p1 In-Reply-To: ; from des@ofug.org on Thu, Jun 27, 2002 at 12:24:13AM +0200 References: <87adphltbq.fsf@ashaman.hin.nu> Message-ID: <20020627144230.A27215@odorn.ics.muni.cz> On Thu, Jun 27, 2002 at 12:24:13AM +0200, Dag-Erling Smorgrav wrote: > Hans Insulander writes: > > What needs to be done, afaik, is to receive the kerberos auth data in the > > unprivileged client process, marshal it and send over to the monitor process. > > The monitor should validate the information and say "ok" or "not ok" back to > > the client. I have very little clues as how to do that. > > I can work on this tomorrow provided someone can help me with the > Kerberos aspect of things. I could spend some time on solving the problem now. Are you (or anyone else) working on that so that I could join? -- Dan From vinschen at redhat.com Thu Jun 27 23:18:39 2002 From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 27 Jun 2002 15:18:39 +0200 Subject: OpenSSH 3.4 released In-Reply-To: <20020626182103.B22705@cygbert.vinschen.de> References: <20020626144031.GA16478@skaidan> <20020626182103.B22705@cygbert.vinschen.de> Message-ID: <20020627151839.B4069@cygbert.vinschen.de> On Wed, Jun 26, 2002 at 06:21:03PM +0200, Corinna Vinschen wrote: > --- sshd.c.orig 2002-06-26 18:21:03.000000000 +0200 > +++ sshd.c 2002-06-26 18:20:55.000000000 +0200 
> @@ -1035,7 +1035,13 @@ main(int ac, char **av) > (S_ISDIR(st.st_mode) == 0)) > fatal("Missing privilege separation directory: %s", > _PATH_PRIVSEP_CHROOT_DIR); > +#ifdef HAVE_CYGWIN > + if (check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) && > + (st.st_uid != getuid () || > + (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)) > +#else > if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0) > +#endif > fatal("Bad owner or mode for %s", > _PATH_PRIVSEP_CHROOT_DIR); > } Hi, is that patch ok to get into the sources or should it be changed somehow? Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From barel_bhai at yahoo.com Thu Jun 27 23:30:56 2002 From: barel_bhai at yahoo.com (raam raam) Date: Thu, 27 Jun 2002 06:30:56 -0700 (PDT) Subject: Message Numbers In-Reply-To: <005f01c21db5$5b0474e0$3c81add5@vip.fi> Message-ID: <20020627133056.34672.qmail@web20507.mail.yahoo.com> Hi All I checked the available drafts . It says about the message number but not all the message numbers are defined. Please help in telling where I can find all the message numbers defenation Thanks Barel __________________________________________________ Do You Yahoo!? Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com From chris at obelix.hedonism.cx Thu Jun 27 23:34:00 2002 
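Review bot: in the HAVE_CYGWIN branch the whole owner-and-mode test is skipped when check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) returns false, so on a filesystem without ntsec a group- or world-writable privilege separation directory is accepted without any message; at minimum the `(st.st_mode & (S_IWGRP|S_IWOTH)) != 0` part should run unconditionally, or the skipped check should be logged so an administrator can see it. Comparing st.st_uid against getuid() instead of 0 is what lets a non-root-owned directory pass on Cygwin, which looks intended, but that rationale belongs in a comment next to the #ifdef rather than in the mail. Neither branch rejects 0700 or 0555, since only the group/other write bits are tested, so the 0700-vs-0755 discrepancy raised in the README.privsep/Makefile.in thread is not something this check catches. Style: `getuid ()` has a space before the parenthesis, unlike the surrounding calls.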
From: chris at obelix.hedonism.cx (Christian Vogel)
Date: Thu, 27 Jun 2002 15:34:00 +0200
Subject: OpenSSH 3.4p1 - compilation problem on Linux
In-Reply-To: <3D1AFF96.90307@3glab.com>; from craig.emery@3glab.com on Thu, Jun 27, 2002 at 01:05:42PM +0100
References: <4113498429.20020627135113@kokos.cz> <3D1AFF96.90307@3glab.com>
Message-ID: <20020627153400.B15104@obelix.frop.org>

Hi,

> I've just successfully built RedHat 7.2 RPMs.

The question is if it is wise to grab such security sensitive things like the ssh-server from just somewhere...?

On the other hand it should be made very easy for people to upgrade, and maybe some people don't want to rpm -ba/--rebuild or don't even have a compiler on their web/dns/... server?

Is there some official policy encouraging people to contribute binaries... or to refrain from it?

Chris
(who just built RH7.1 i386.rpms... :-) )

--
"Anybody who has ever seen a photograph showing the kind of damage that a trout traveling that fast can inflict on the human skull knows that such photographs are very valuable. I paid $20 for mine." - Dave Barry

From phil-openssh-unix-dev at ipal.net Thu Jun 27 23:37:35 2002
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Thu, 27 Jun 2002 08:37:35 -0500
Subject: OpenSSH 3.4p1 - compilation problem on Linux
In-Reply-To: <4113498429.20020627135113@kokos.cz>
References: <4113498429.20020627135113@kokos.cz>
Message-ID: <20020627133735.GA4800@vega.ipal.net>

On Thu, Jun 27, 2002 at 01:51:13PM +0200, seth at kokos.cz wrote:
| Hello openssh-unix-dev,
|
| Some time ago I successfully compiled version 3.1 of OpenSSH.
| Today I tried the new OpenSSH version and I am not able to compile it.
| The configuration script ran well. When running make, the following error
| occurred:
|
| make[1]: Entering directory `/tools/openssh-3.4p1/openbsd-compat'
| make[1]: Nothing to be done for `all'.
| make[1]: Leaving directory `/tools/openssh-3.4p1/openbsd-compat'
| gcc -o ssh ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -lssh -lopenbsd-compat -lbsd -lz -lcrypto
| ./libssh.a(monitor_fdpass.o): In function `mm_send_fd':
| /tools/openssh-3.4p1/monitor_fdpass.c:54: undefined reference to `CMSG_FIRSTHDR'
| /tools/openssh-3.4p1/monitor_fdpass.c:58: undefined reference to `CMSG_DATA'
| ./libssh.a(monitor_fdpass.o): In function `mm_receive_fd':
| /tools/openssh-3.4p1/monitor_fdpass.c:114: undefined reference to `CMSG_FIRSTHDR'
| /tools/openssh-3.4p1/monitor_fdpass.c:118: undefined reference to `CMSG_DATA'
| collect2: ld returned 1 exit status
| make: *** [ssh] Error 1
|
| Really don't know where the problem could be.
|
| Some info about comp:
| i386 Slackware linux

Which specific Slackware? Too embarrassed to say?

| Kernel 2.0.34
| OpenSSL 0.9.6

Which OpenSSL? 0.9.6a? 0.9.6b? 0.9.6c? 0.9.6d?

| egcs-2.90.29 980515 (egcs-1.0.3 release)
| libc 4.7.6
|
| - don't know what other info can help you.

How about telling me how long you're going to leave this machine running such an old system? Slackware 8.1 is out now. Be sure to get the "patches" directory, which includes OpenSSH 3.4p1.
--
-----------------------------------------------------------------
| Phil Howard - KA9WGN  | Dallas     | http://linuxhomepage.com/ |
| phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/     |
-----------------------------------------------------------------

From craig.emery at 3glab.com Thu Jun 27 23:48:53 2002
From: craig.emery at 3glab.com (Craig Emery)
Date: Thu, 27 Jun 2002 14:48:53 +0100
Subject: OpenSSH 3.4p1 - compilation problem on Linux
Message-ID: <3D1B17C5.1070900@3glab.com>

Hiya,

One of the other "issues" I came across with building RPMs was that I
couldn't just do

% rpm -tb SOURCES/openssh-3.4p1.tar.gz

because the .spec file that was found was *not* the
openssh-3.4p1/contrib/redhat/openssh.spec one. :-(

I haven't checked but I guess rpm "grabs" the first one it finds in a
tarball (which would have been openssh-3.4p1/contrib/caldera/openssh.spec).

Now you may say "if a user can do rpm -tb ... they can figure this out",
but this made me scratch my head for a while & I maintain RPMs for two
SF.net projects.

On the general note of who to trust binaries from, you're right. All the
signature on the binaries I've produced proves is that *I'm* the guy who
built it. It speaks naught to how trustable I am! :-)

Now a process where people submit themselves to some kind of scrutiny
(presumably to DJM as it's his key we're all trusting for the tarballs),
& get their public keys a degree of "trust" might be a good start.

Just my $0.02. :-)

Craig.

Christian Vogel wrote:
> Hi,
>
>> I've just successfully built RedHat 7.2 RPMs.
>
> The question is if it is wise to grab such security
> sensitive things like the ssh-server from just somewhere...?
>
> On the other hand it should be made very easy for people
> to upgrade, and maybe some people don't want to rpm -ba/--rebuild
> or don't even have a compiler on their web/dns/... server?
>
> Is there some official policy encouraging people
> to contribute binaries... or to refrain from it?
>
> Chris
> (who just built RH7.1 i386.rpms... :-) )

From andreas at conectiva.com.br Thu Jun 27 23:49:31 2002
From: andreas at conectiva.com.br (Andreas Hasenack)
Date: Thu, 27 Jun 2002 10:49:31 -0300
Subject: sshd and file descriptors
In-Reply-To: <20020627051057.GE4543@vega.ipal.net>
References: <20020626220613.GO19640@conectiva.com.br> <20020627051057.GE4543@vega.ipal.net>
Message-ID: <20020627134931.GA3580@conectiva.com.br>

On Thu, Jun 27, 2002 at 12:10:57AM -0500, Phil Howard wrote:
> On Wed, Jun 26, 2002 at 07:06:13PM -0300, Andreas Hasenack wrote:
>
> | I have an openssh RPM package that restarts the sshd server during
> | an upgrade if the daemon is already running. So far, so good, restart
> | works.
>
> What happens if you were connected via ssh when it restarts?

Only the parent sshd process is restarted, current connections are left
untouched. I can safely do this remotely.

> | Shouldn't a daemon close all fds before going into "daemon land"? What exactly is broken here?
>
> Should a package manager be restarting a daemon?

If it is already running, yes, that's a plus; many users forget to restart
their services after an upgrade and are left vulnerable (if it's a
security upgrade, for example).

> Maybe the package manager should use close-on-exec on all the
> descriptors that aren't to be passed on to the daemon, while it
> still knows what descriptors are open instead of imposing on the
> next program to do thousands of close() calls.

Yeah, I think so too, it's easier and safer, no risk of closing something
that it shouldn't. But remember the hang-on-exit discussions? We all said
that the daemons should be fixed and close their descriptors before
daemonizing. But maybe folks were just talking about 0, 1 and 2.

Anyway, I'll get the rpm maintainers into this. The worst that can happen
is Jeff telling me to go to .... :)

From lannert at users.sourceforge.net Thu Jun 27 23:50:42 2002
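The two approaches weighed above, as an added example in C that is not from this thread or from OpenSSH: the program about to exec a daemon marks its own descriptors close-on-exec while it still knows which ones are open (Phil's suggestion), and the daemon closes everything above stderr before daemonising (the hang-on-exit fix). The helper names, the pipe used as a stand-in for a leaked descriptor and the 65536 scan cap are assumptions of the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Highest descriptor number worth scanning.  The 65536 cap is an assumption
 * made for this example so the loops stay bounded when RLIMIT_NOFILE is huge. */
static int fd_scan_limit(void)
{
    long n = sysconf(_SC_OPEN_MAX);
    if (n < 0 || n > 65536)
        n = 65536;
    return (int)n;
}

/* 1 if fd is an open descriptor, 0 otherwise (F_GETFD fails with EBADF). */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* 1 if fd is open and the kernel will close it at execve(). */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags != -1 && (flags & FD_CLOEXEC) != 0;
}

/* Caller side: the program about to exec the daemon still knows which
 * descriptors are its own, so it marks everything from `first` upward
 * close-on-exec and lets execve() drop them; with first == 3, stdin, stdout
 * and stderr are left alone.  Returns the number of descriptors now marked,
 * or -1 on an fcntl() failure other than "not open". */
int mark_cloexec_from(int first)
{
    int fd, marked = 0, limit = fd_scan_limit();

    for (fd = first; fd < limit; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1) {
            if (errno == EBADF)
                continue;               /* not open: nothing to mark */
            return -1;
        }
        if (!(flags & FD_CLOEXEC) &&
            fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1)
            return -1;
        marked++;
    }
    return marked;
}

/* Daemon side: close everything from `first` upward before daemonising, so a
 * pipe leaked by whoever started us cannot stay open for the daemon's whole
 * lifetime.  Returns the number of descriptors closed. */
int close_from(int first)
{
    int fd, closed = 0, limit = fd_scan_limit();

    for (fd = first; fd < limit; fd++)
        if (close(fd) == 0)
            closed++;
    return closed;
}

/* Exercise close_from() in a forked child, where it cannot disturb the
 * caller's own table, and report whether `first` survived there:
 * 0 = closed as expected, 1 = still open, -1 = fork()/waitpid() failure. */
int still_open_after_close_from_in_child(int first)
{
    int status;
    pid_t pid = fork();

    if (pid == -1)
        return -1;
    if (pid == 0) {
        close_from(first);
        _exit(fd_is_open(first) ? 1 : 0);
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int p[2];   /* constructed stand-in for a descriptor leaked to a daemon */

    if (pipe(p) == -1)
        return 1;
    printf("pipe fds %d,%d: cloexec before=%d\n", p[0], p[1], fd_is_cloexec(p[0]));
    printf("marked %d descriptors close-on-exec\n", mark_cloexec_from(3));
    printf("cloexec after=%d\n", fd_is_cloexec(p[0]));
    printf("still open in child after close_from=%d\n",
           still_open_after_close_from_in_child(p[0]));
    return 0;
}
```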
From: lannert at users.sourceforge.net (Detlef Lannert)
Date: Thu, 27 Jun 2002 15:50:42 +0200
Subject: OpenSSH 3.3p1 on SunOS 4.1.4
Message-ID: <20020627135042.GN15018@det.rz.uni-duesseldorf.de>

Hi,

I just installed OpenSSH 3.3p1 on a SunOS 4.1.4 system (actually a 3-year
old Auspex file server) as a replacement for an older, probably vulnerable
ssh version. I used gcc, openssl 0.9.6d, zlib 1.1.4 and the configure
incantation

./configure --with-tcp-wrappers --with-privsep-user=privsep

(the latter option obviously being the default value).

There were two problems:
(a) memmove seems to be unavailable; I replaced it by memcpy, hoping that
    it won't break on overlapping areas,
(b) optarg was undefined and needed to be declared.

I enclose the diffs of the patches I made. Compilation, linking, and
installation were OK, and (apparently) it's working.

I do know that this OS is not the latest fad; just thought this information
might be useful for someone else out there who has to work with a similar
system.

Please cc any replies as I'm not subscribed to the list. Thank you.

Regards,
Detlef

------------8<------------- cut here ------------8<-------------
*** openbsd-compat/setenv.c.orig Wed Feb 13 06:00:16 2002 --- openbsd-compat/setenv.c Wed Jun 26 18:27:17 2002 *************** *** 40,45 **** --- 40,46 ---- #include #include + #include /* * __findenv -- *************** *** 123,129 **** (cnt + 2))); if (!P) return (-1); ! memmove(P, environ, cnt * sizeof(char *)); environ = P; } environ[cnt + 1] = NULL; --- 124,130 ---- (cnt + 2))); if (!P) return (-1); ! 
memcpy(P, environ, cnt * sizeof(char *)); environ = P; } environ[cnt + 1] = NULL; *** ssh-agent.c.orig Fri Jun 21 02:41:52 2002 --- ssh-agent.c Wed Jun 26 18:18:48 2002 *************** *** 939,944 **** --- 939,945 ---- char *shell, *format, *pidstr, pidstrbuf[1 + 3 * sizeof pid]; char *agentsocket = NULL; extern int optind; + extern char *optarg; fd_set *readsetp = NULL, *writesetp = NULL; SSLeay_add_all_algorithms();

From markus at openbsd.org Thu Jun 27 23:57:05 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 27 Jun 2002 15:57:05 +0200
Subject: sshd and file descriptors
In-Reply-To: <20020627134931.GA3580@conectiva.com.br>
References: <20020626220613.GO19640@conectiva.com.br> <20020627051057.GE4543@vega.ipal.net> <20020627134931.GA3580@conectiva.com.br>
Message-ID: <20020627135705.GC15818@faui02>

On Thu, Jun 27, 2002 at 10:49:31AM -0300, Andreas Hasenack wrote:
> On Thu, Jun 27, 2002 at 12:10:57AM -0500, Phil Howard wrote:
> > On Wed, Jun 26, 2002 at 07:06:13PM -0300, Andreas Hasenack wrote:
> >
> > | I have an openssh RPM package that restarts the sshd server during
> > | an upgrade if the daemon is already running. So far, so good, restart
> > | works.
> >
> > What happens if you were connected via ssh when it restarts?
>
> Only the parent sshd process is restarted, current connections are left
> untouched. I can safely do this remotely.

you could also do

sshd -t && kill -HUP `cat /var/run/sshd.pid`

From mailinglist at wirelessteam.net Fri Jun 28 00:07:36 2002
From: mailinglist at wirelessteam.net (Wireless Team)
Date: Thu, 27 Jun 2002 17:07:36 +0300
Subject: ** Outdoor Wireless Router **
Message-ID: <200206271412.g5REC5095893@postoffice.telstra.net>

An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020627/58205f92/attachment.html

From tim at multitalents.net Fri Jun 28 00:07:35 2002
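Review bot: on the first setenv.c hunk in Detlef Lannert's patch above, the three `#include` lines have lost their header names in the archived copy (they read `#include #include + #include`), so the hunk cannot be applied as posted; it should be resent as an attachment or with the added header spelled out, since that header is the whole point of the hunk.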
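Review bot: on the second setenv.c hunk, `memmove` → `memcpy` is safe at this one call site, but for a different reason than the cover text gives: the lines just above it (`(cnt + 2)));` / `if (!P) return (-1);`) show that `P` was just allocated, so it cannot overlap `environ`, and no "hoping" about overlapping areas is needed. Editing the call site still leaves every other memmove() use in the tree broken on SunOS 4.1.4; the portable fix is a memmove() replacement in openbsd-compat compiled only when HAVE_MEMMOVE is undefined (config.h already carries that macro, as the grep in Bob Van Cleef's message later in this digest shows).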
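Review bot: on the ssh-agent.c hunk, `+ extern char *optarg;` inside main() fixes only this file; any other source file that uses optarg on a system whose headers do not declare it will fail the same way. Declare it once in a compat header that every getopt() caller includes rather than per file, next to however optind is already handled there.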
From: tim at multitalents.net (Tim Rice)
Date: Thu, 27 Jun 2002 07:07:35 -0700 (PDT)
Subject: OpenSSH Security Advisory (adv.iss)
In-Reply-To: <20020627104455.V18668@greenie.muc.de>
Message-ID:

On Thu, 27 Jun 2002, Gert Doering wrote:

> Hi,
>
> On Wed, Jun 26, 2002 at 04:55:54PM -0700, Tim Rice wrote:
> > I'm using gcc 2.7.2.1 on my old SCO 3.2v4.2 box here and it builds 3.4p1
>
> You're not using PrivSep on that box, are you?

No.

> Besides PrivSep not working, yes, that's similar to what I do - gcc 2.7.2.3
>
> gert
>

--
Tim Rice    Multitalents    (707) 887-1469
tim at multitalents.net

From bugzilla-daemon at mindrot.org Fri Jun 28 00:15:35 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 00:15:35 +1000 (EST)
Subject: [Bug 297] sshd version 3.3 incompatible with pre-3.3 clients in ssh1 mode
Message-ID: <20020627141535.EA921E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=297

------- Additional Comments From mindrot at downhill.at.eu.org 2002-06-28 00:15 -------
OpenSSH >= 3 does not work well with openssl 0.9.5; recompile against 0.9.6
and your problem is gone (fetch the src.rpm from RH7.3, compile and install
it (--nodeps) temporarily, rebuild ssh with
%define static_libcrypto 1
and reinstall the old ssl version and the new ssh). Voila!

cu
andreas

PS: http://bugzilla.mindrot.org/show_bug.cgi?id=141

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Jun 28 00:23:55 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 00:23:55 +1000 (EST)
Subject: [Bug 306] New: ssh on Tru64 returns " Name does not resolv to supplied parameters"
Message-ID: <20020627142355.E2C16E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=306

Summary: ssh on Tru64 returns " Name does not resolv to supplied parameters"
Product: Portable OpenSSH
Version: -current
Platform: Alpha
OS/Version: OSF/1
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: jakari at bithose.com

ssh 3.3p1 and 3.4p1 both exhibit this problem on a Tru64 5.1 box. When
attempting to ssh to another host:

Name does not resolv to supplied parameters; neither nodename nor servname were passed.

Doesn't matter what host I try to ssh to, same result. My DNS works
properly; same result for hosts listed explicitly in /etc/hosts.

From andreas at conectiva.com.br Fri Jun 28 00:24:13 2002
From: andreas at conectiva.com.br (Andreas Hasenack)
Date: Thu, 27 Jun 2002 11:24:13 -0300
Subject: sshd and file descriptors
In-Reply-To: <20020627135705.GC15818@faui02>
References: <20020626220613.GO19640@conectiva.com.br> <20020627051057.GE4543@vega.ipal.net> <20020627134931.GA3580@conectiva.com.br> <20020627135705.GC15818@faui02>
Message-ID: <20020627142413.GF3580@conectiva.com.br>

On Thu, Jun 27, 2002 at 03:57:05PM +0200, Markus Friedl wrote:
> you could also do
> sshd -t && kill -HUP `cat /var/run/sshd.pid`

Hmm, interesting, manpages are our best friends indeed:

    sshd rereads its configuration file when it receives a hangup signal,
    SIGHUP, by executing itself with the name it was started as, i.e.,
    /usr/sbin/sshd.

I assumed it would only reread its configuration file, and not execute
itself again. Thanks!

From bugzilla-daemon at mindrot.org Fri Jun 28 00:26:14 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 00:26:14 +1000 (EST)
Subject: [Bug 307] New: configure fails to add -ldl (RedHat specfile)
Message-ID: <20020627142614.4572AE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=307

Summary: configure fails to add -ldl (RedHat specfile)
Product: Portable OpenSSH
Version: -current
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Build system
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: mindrot at downhill.at.eu.org

Hello,

Rebuilding openssh-3.4p1-1.src.rpm on both RedHat 6.2 and RedHat 7.3 fails:

----------------------------------
i386-redhat-linux-gcc -o ssh ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o -L. -Lopenbsd-compat/ -lssh -lopenbsd-compat -lutil -lz -lnsl /usr/lib/libcrypto.a
/usr/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
dso_dlfcn.o(.text+0x8a): undefined reference to `dlopen'
dso_dlfcn.o(.text+0xe8): undefined reference to `dlclose'
/usr/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_unload':
dso_dlfcn.o(.text+0x18c): undefined reference to `dlclose'
/usr/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var':
dso_dlfcn.o(.text+0x239): undefined reference to `dlsym'
/usr/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_func':
dso_dlfcn.o(.text+0x309): undefined reference to `dlsym'
collect2: ld returned 1 exit status
make: *** [ssh] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.46927 (%build)
----------------------------------

I do not know why configure does not add -ldl to LD_FLAGS; I _have_
installed glibc-devel, and

-----------------------
ls -l /lib/libdl* /usr/lib/libdl*
-rwxr-xr-x 1 root root 11728 Jun 18 16:13 /lib/libdl-2.2.5.so
lrwxrwxrwx 1 root root    14 Jun 27 13:54 /lib/libdl.so.2 -> libdl-2.2.5.so
-rw-r--r-- 1 root root  6820 Jun 18 16:13 /usr/lib/libdl.a
lrwxrwxrwx 1 root root    20 Jun 27 13:55 /usr/lib/libdl.so -> ../../lib/libdl.so.2
-----------------------

Adding --with-libs=-ldl to the call of configure hotfixes the problem, but
imvvvvho ./configure is broken.

thanks,
cu
andreas

From mouring at etoh.eviladmin.org Fri Jun 28 00:14:45 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 27 Jun 2002 09:14:45 -0500 (CDT)
Subject: sshd and file descriptors
In-Reply-To: <20020627134931.GA3580@conectiva.com.br>
Message-ID:

On Thu, 27 Jun 2002, Andreas Hasenack wrote:

> On Thu, Jun 27, 2002 at 12:10:57AM -0500, Phil Howard wrote:
> > On Wed, Jun 26, 2002 at 07:06:13PM -0300, Andreas Hasenack wrote:
> > [..]
> > | Shouldn't a daemon close all fds before going into "daemon land"? What exactly is broken here?
> >
> > Should a package manager be restarting a daemon?
>
> If it is already running, yes, that's a plus, many users forget to restart
> their services after an upgrade and are left vulnerable (if it's a
> security upgrade, for example).
>

From bugzilla-daemon at mindrot.org Fri Jun 28 00:32:01 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 00:32:01 +1000 (EST)
Subject: [Bug 306] ssh on Tru64 returns " Name does not resolv to supplied parameters"
Message-ID: <20020627143201.09BA4E8FF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=306

------- Additional Comments From cmadams at hiwaay.net 2002-06-28 00:31 -------
I'm not seeing this on Tru64 4.0G or 5.1A with OpenSSH 3.4p1. What does
"rsh [server]" say? Are you using IPv6?

From andreas at conectiva.com.br Fri Jun 28 00:39:15 2002
From: andreas at conectiva.com.br (Andreas Hasenack)
Date: Thu, 27 Jun 2002 11:39:15 -0300
Subject: sshd and file descriptors
In-Reply-To:
References: <20020627134931.GA3580@conectiva.com.br>
Message-ID: <20020627143915.GH3580@conectiva.com.br>

On Thu, Jun 27, 2002 at 09:14:45AM -0500, Ben Lindstrom wrote:
> From a full time admin view the concept that an RPM randomly restarts my
> services without me telling it SUCKS.

Randomly? Not at all. Without telling you? Not at all again.

> Why? Configuration file changes. I've seen too many people do RPM
> upgrades of critical services only to have a service that is working
> fail, or worse yet an interrupted connection which drops the ssh connection,
> now leaving them unable to log into the box.

The current ssh session is untouched. I can call "service sshd stop" on a
server in Antarctica if I want to (those penguins know linux :).
Besides, the config file is untouched if the user has made any changes to
it. The worst that could happen is that for some reason the new daemon won't
start, some previous option that is no longer valid for the new version.
This is told visually to the user, he/she will see in red FAILED.

In my opinion, the tradeoff is OK.

> *ANYONE* saying a package manager should automatically restart services
> without user interaction is cursing their users to pain and suffering.

Those users will also be in pain if they forget to restart the service. And
this happens very often, I've seen users upgrading apache before the weekend
and forgetting to restart it and going home relieved. Poor bastards. Worse,
their server just halted during the weekend when logrotate kicked in and
HUPed the daemon.

> =) I'll stop ranting on the topic.

It's quite off-topic, yes :) I was just asking about those file descriptors :)

From dtucker at zip.com.au Fri Jun 28 00:49:07 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 28 Jun 2002 00:49:07 +1000
Subject: OpenSSH 3.4p1 - compilation problem on Linux
References: <4113498429.20020627135113@kokos.cz> <3D1AFF96.90307@3glab.com> <20020627153400.B15104@obelix.frop.org>
Message-ID: <3D1B25E3.8871126D@zip.com.au>

Christian Vogel wrote:
> The question is if it is wise to grab such security
> sensitive things like the ssh-server from just somewhere...?
>
> On the other hand it should be made very easy for people
> to upgrade, and maybe some people don't want to rpm -ba/--rebuild
> or don't even have a compiler on their web/dns/... server?
>
> Is there some official policy encouraging people
> to contribute binaries... or to refrain from it?

This in no way constitutes policy, official or otherwise, but:

I contributed the scripts to allow anyone to build AIX native packages.
I later started to offer pre-packaged binaries. I recommend people don't
use them and build their own instead (and it says so, right on the
download page), but I offer them because:

a) I can. I have to build the packages anyway; putting them up is little
effort.

b) The previous source (Bull Freeware) seems to have stopped offering
updates. Their latest offering is 3.0.2p1. I'd rather have people
running my 3.4p1 packages than someone else's 3.0.2p1.

c) I've offered them to a couple of people and they accepted.

The binaries have detached gpg signatures to mitigate the risk of
third-party tampering. (Obviously it doesn't stop first party tampering
:-) To date, they've been downloaded from 9 distinct IPs; 2 of those
also downloaded the signatures.

So wise or not, people seem to do it.

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From phil-openssh-unix-dev at ipal.net Fri Jun 28 01:12:31 2002
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Thu, 27 Jun 2002 10:12:31 -0500
Subject: sshd and file descriptors
In-Reply-To: <20020627134931.GA3580@conectiva.com.br>
References: <20020626220613.GO19640@conectiva.com.br> <20020627051057.GE4543@vega.ipal.net> <20020627134931.GA3580@conectiva.com.br>
Message-ID: <20020627151231.GB4800@vega.ipal.net>

On Thu, Jun 27, 2002 at 10:49:31AM -0300, Andreas Hasenack wrote:
| On Thu, Jun 27, 2002 at 12:10:57AM -0500, Phil Howard wrote:
| > Should a package manager be restarting a daemon?
|
| If it is already running, yes, that's a plus, many users forget to restart
| their services after an upgrade and are left vulnerable (if it's a
| security upgrade, for example).

What about those system administrators that don't want surprises?
I consider it a negative. It should at least be a choice.

From craig.emery at 3glab.com Fri Jun 28 01:12:31 2002
From: craig.emery at 3glab.com (Craig Emery)
Date: Thu, 27 Jun 2002 16:12:31 +0100
Subject: OpenSSH 3.4p1 - compilation problem on Linux
References: <4113498429.20020627135113@kokos.cz> <3D1AFF96.90307@3glab.com> <20020627153400.B15104@obelix.frop.org> <3D1B25E3.8871126D@zip.com.au>
Message-ID: <3D1B2B5F.8090308@3glab.com>

Well I can guarantee the hostname forever (it changes if I have to reboot
my cable-modem but that doesn't happen often) but my signed RedHat 7.2 RPMs
etc are at:

http://pc1-camc6-0-cust237.cam.cable.ntl.com/openssh/

Craig.

Darren Tucker wrote:
> Christian Vogel wrote:
>
>> The question is if it is wise to grab such security
>> sensitive things like the ssh-server from just somewhere...?
>>
>> On the other hand it should be made very easy for people
>> to upgrade, and maybe some people don't want to rpm -ba/--rebuild
>> or don't even have a compiler on their web/dns/... server?
>>
>> Is there some official policy encouraging people
>> to contribute binaries... or to refrain from it?
>
> This in no way constitutes policy, official or otherwise, but:
>
> I contributed the scripts to allow anyone to build AIX native packages.
> I later started to offer pre-packaged binaries. I recommend people don't
> use them and build their own instead (and it says so, right on the
> download page), but I offer them because:
>
> a) I can. I have to build the packages anyway; putting them up is little
> effort.
>
> b) The previous source (Bull Freeware) seems to have stopped offering
> updates. Their latest offering is 3.0.2p1. I'd rather have people
> running my 3.4p1 packages than someone else's 3.0.2p1.
>
> c) I've offered them to a couple of people and they accepted.
>
> The binaries have detached gpg signatures to mitigate the risk of
> third-party tampering. (Obviously it doesn't stop first party tampering
> :-) To date, they've been downloaded from 9 distinct IPs; 2 of those
> also downloaded the signatures.
>
> So wise or not, people seem to do it.

From mike at enoch.org Fri Jun 28 01:27:34 2002
From: mike at enoch.org (Mike Johnson)
Date: Thu, 27 Jun 2002 11:27:34 -0400
Subject: sshd and file descriptors
In-Reply-To: <20020627151231.GB4800@vega.ipal.net>
References: <20020626220613.GO19640@conectiva.com.br> <20020627051057.GE4543@vega.ipal.net> <20020627134931.GA3580@conectiva.com.br> <20020627151231.GB4800@vega.ipal.net>
Message-ID: <20020627152734.GZ22072@enoch.org>

Phil Howard [phil-openssh-unix-dev at ipal.net] wrote:
> What about those system administrators that don't want surprises?
> I consider it a negative. It should at least be a choice.

You have an option:

rpm -ivh openssh-server --noscripts

By including it in there by default, you're helping the clueless to make
the world a better place (okay, I'm exaggerating).

Mike
--
"Let the power of Ponch compel you! Let the power of Ponch compel you!"
-- Zorak on Space Ghost
GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc

From phil-openssh-unix-dev at ipal.net Fri Jun 28 01:22:45 2002
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Thu, 27 Jun 2002 10:22:45 -0500
Subject: sshd and file descriptors
In-Reply-To: <20020627142413.GF3580@conectiva.com.br>
References: <20020626220613.GO19640@conectiva.com.br> <20020627051057.GE4543@vega.ipal.net> <20020627134931.GA3580@conectiva.com.br> <20020627135705.GC15818@faui02> <20020627142413.GF3580@conectiva.com.br>
Message-ID: <20020627152245.GC4800@vega.ipal.net>

On Thu, Jun 27, 2002 at 11:24:13AM -0300, Andreas Hasenack wrote:
| On Thu, Jun 27, 2002 at 03:57:05PM +0200, Markus Friedl wrote:
| > you could also do
| > sshd -t && kill -HUP `cat /var/run/sshd.pid`
|
| Hmm, interesting, manpages are our best friends indeed:
|     sshd rereads its configuration file when it receives a hangup signal,
|     SIGHUP, by executing itself with the name it was started as, i.e.,
|     /usr/sbin/sshd.
|
| I assumed it would only reread its configuration file, and not execute
| itself again.

It also forks a new process, as opposed to just exec'ing within the same
process.

From bugzilla-daemon at mindrot.org Fri Jun 28 01:23:19 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 01:23:19 +1000 (EST)
Subject: [Bug 306] ssh on Tru64 returns " Name does not resolv to supplied parameters"
Message-ID: <20020627152319.4635FE8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=306

------- Additional Comments From jakari at bithose.com 2002-06-28 01:23 -------
rsh works fine for the one host I can test it for. I am not using IPv6.
The Tru64 machine is running in Enhanced Security mode (SIA), but I don't
see how that should matter here.

I see this in the debug output:

[jakari at poptart ~] ssh -v -v frogstar
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
ssh: frogstar: Name does not resolv to supplied parameters; neither nodename nor servname were passed.

From phil-openssh-unix-dev at ipal.net Fri Jun 28 01:27:18 2002
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Thu, 27 Jun 2002 10:27:18 -0500
Subject: sshd and file descriptors
In-Reply-To:
References: <20020627134931.GA3580@conectiva.com.br>
Message-ID: <20020627152718.GD4800@vega.ipal.net>

On Thu, Jun 27, 2002 at 09:14:45AM -0500, Ben Lindstrom wrote:
| From a full time admin view the concept that an RPM randomly restarts my
| services without me telling it SUCKS.
|
| Why? Configuration file changes. I've seen too many people do RPM
| upgrades of critical services only to have a service that is working
| fail, or worse yet an interrupted connection which drops the ssh connection,
| now leaving them unable to log into the box.
|
| *ANYONE* saying a package manager should automatically restart services
| without user interaction is cursing their users to pain and suffering.
|
| =) I'll stop ranting on the topic.

IMHO, anyone who needed the package manager to restart the service for
them because they forgot to restart, or didn't know they needed to restart,
isn't qualified to be a system administrator.

Yeah, time to stop ranting ... here. This is probably more appropriate for
some other place.

From bugzilla-daemon at mindrot.org Fri Jun 28 01:32:55 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 01:32:55 +1000 (EST)
Subject: [Bug 308] New: openssh 3.4 won't install or run on Solaris 8, on an Ultra 10 Sparc station
Message-ID: <20020627153255.4ABE1E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=308

Summary: openssh 3.4 won't install or run on Solaris 8, on an Ultra 10 Sparc station
Product: Portable OpenSSH
Version: -current
Platform: UltraSparc
OS/Version: Solaris
Status: NEW
Severity: critical
Priority: P1
Component: Build system
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: margaret_doll at brown.edu

I had openssh running on Ultra 10 systems running Solaris 8. I have

sshd:x:74:74::/var/empty/sshd:/bin/false
in /etc/passwd

sshd:x:11864::::::
in /etc/shadow

sshd::74:
added in /etc/group

When I "make install" for openssh 3.4 on these systems, I get the following error:

id sshd || \
echo "WARNING: Privilege separation user \"sshd\" does not exist"
id: invalid user name: "sshd"

When I try to start 3.4, I get

/etc/init.d/sshd start
Bad owner or mode for /var/empty

or starting directly from the file:

./sshd
Privilege separation user sshd does not exist

WARNING:
ls -sal /var/empty
total 6
   2 drwx------   3 sshd     sshd         512 Jun 27 09:27 .
   2 drwxr-xr-x  29 root     sys          512 Jun 26 14:57 ..
   2 drwx------   2 sshd     sshd         512 Jun 27 09:27 sshd

From bugzilla-daemon at mindrot.org Fri Jun 28 01:36:34 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 01:36:34 +1000 (EST)
Subject: [Bug 309] New: openssh-3.3 and openssh-3.4 won't install on Sparc Station 5, Solaris 8
Message-ID: <20020627153634.A439EE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=309

Summary: openssh-3.3 and openssh-3.4 won't install on Sparc Station 5, Solaris 8
Product: Portable OpenSSH
Version: -current
Platform: Sparc
OS/Version: Solaris
Status: NEW
Severity: critical
Priority: P2
Component: Build system
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: margaret_doll at brown.edu

At the end of the "make install":

if [ -f /usr/local/etc/ssh_host_rsa_key ] ; then \
    echo "/usr/local/etc/ssh_host_rsa_key already exists, skipping." ; \
else \
    ./ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N "" ; \
fi ; \
fi ;
./ssh-keygen: syntax error at line 4: `^A\223^\^Bn^BH^By^A' unexpected
*** Error code 2
make: Fatal error: Command failed for target `host-key'

From phil-openssh-unix-dev at ipal.net Fri Jun 28 01:36:49 2002
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Thu, 27 Jun 2002 10:36:49 -0500
Subject: sshd and file descriptors
In-Reply-To: <20020627143915.GH3580@conectiva.com.br>
References: <20020627134931.GA3580@conectiva.com.br> <20020627143915.GH3580@conectiva.com.br>
Message-ID: <20020627153649.GE4800@vega.ipal.net>

On Thu, Jun 27, 2002 at 11:39:15AM -0300, Andreas Hasenack wrote:
| The current ssh session is untouched. I can call "service sshd stop" on a
| server in Antarctica if I want to (those penguins know linux :).
| Besides, the config file is untouched if the user has made any changes to
| it. The worst that could happen is that for some reason the new daemon won't
| start, some previous option that is no longer valid for the new version.
| This is told visually to the user, he/she will see in red FAILED.

But now the service is down. You're busy trying to get things fixed so it
will start back up OK (fix the config file). Then your connection drops or
a router fails for a while and you end up losing that connection. Now what?
Telnet?

| Those users will also be in pain if they forget to restart the service. And
| this happens very often, I've seen users upgrading apache before the weekend
| and forgetting to restart it and going home relieved. Poor bastards. Worse,
| their server just halted during the weekend when logrotate kicked in and
| HUPed the daemon.

And you call these people system administrators? I don't. But at least I
wrote a log splitter that apache starts, gets the log stream via a pipe,
and splits every log entry by date, time, and even virtual host
(configurable). It doesn't need to HUP.

OK, now back to SSH.

From bugzilla-daemon at mindrot.org Fri Jun 28 01:42:12 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 01:42:12 +1000 (EST)
Subject: [Bug 306] ssh on Tru64 returns " Name does not resolv to supplied parameters"
Message-ID: <20020627154212.B6CD3E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=306

------- Additional Comments From cmadams at hiwaay.net 2002-06-28 01:42 -------
That is the error I get if I try to ssh to something that doesn't resolve:

$ ssh xyzzy
ssh: xyzzy: Name does not resolv to supplied parameters; neither nodename nor servname were passed.
$

but ssh to hosts that resolve works fine.

From luc at suryo.com Fri Jun 28 01:46:14 2002
From: luc at suryo.com (Luc I. Suryo)
Date: Thu, 27 Jun 2002 10:46:14 -0500
Subject: [Bug 308] New: openssh 3.4 won't install or run on Solaris 8, on an Ultra 10 Sparc station
In-Reply-To: <20020627153255.4ABE1E881@shitei.mindrot.org>
References: <20020627153255.4ABE1E881@shitei.mindrot.org>
Message-ID: <20020627154614.GA11876@nc1701.suryo.com>

I'm not sure if I can/am allowed to answer, but this is NOT a bug in 3.4.
I compiled and installed 3.4 on well over 40 Sun systems all running Solaris (including 1 Ultra 10) and 4x X86 systems...

try to do this

truss -f -o truss.out {where-is-your}/sshd

and show me the output ...and how about the flags used to compile the binary?? maybe you spec. a diff user???

> http://bugzilla.mindrot.org/show_bug.cgi?id=308
>
> Summary: openssh 3.4 won't install or run on Solaris 8, on an
> Ultra 10 Sparc station
> Product: Portable OpenSSH
> Version: -current
> Platform: UltraSparc
> OS/Version: Solaris
> Status: NEW
> Severity: critical
> Priority: P1
> Component: Build system
> AssignedTo: openssh-unix-dev at mindrot.org
> ReportedBy: margaret_doll at brown.edu
>
>
> I had openssh running on Ultra 10 systems running Solaris 8. I have
> sshd:x:74:74::/var/empty/sshd:/bin/false in /etc/passwd
> sshd:x:11864::::::
> in /etc/shadow
> sshd::74:
> added in /etc/group
>
> When I "make install" for openssh 3.4 on these systems, I get the following error:
>
> id sshd || \
> echo "WARNING: Privilege separation user \"sshd\" does not exist"
> id: invalid user name: "sshd"
>
>
> When I try to start 3.4, I get
>
> /etc/init.d/sshd start
> Bad owner or mode for /var/empty
>
> or starting directly from the file:
>
> ./sshd
> Privilege separation user sshd does not exist
>
>
> WARNING:ls -sal /var/empty
> total 6
> 2 drwx------ 3 sshd sshd 512 Jun 27 09:27 .
> 2 drwxr-xr-x 29 root sys 512 Jun 26 14:57 ..
> 2 drwx------ 2 sshd sshd 512 Jun 27 09:27 sshd
>
>
>
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--- End of bugzilla-daemon at mindrot.org's quote ---

-- 
Kind regards,
Luc Suryo

From vancleef at microunity.com Fri Jun 28 01:59:22 2002
From: vancleef at microunity.com (Bob Van Cleef)
Date: Thu, 27 Jun 2002 08:59:22 -0700 (PDT)
Subject: OpenSSH Security Advisory (adv.iss)
In-Reply-To:
Message-ID:

On Wed, 26 Jun 2002, Ben Lindstrom wrote:
>
> can you grep for HAVE_MEMMOVE and HAVE_BCOPY in config.h ?
>

vancleef [786] > egrep 'HAVE_MEMMOVE|HAVE_BCOPY' config.h
#define HAVE_BCOPY 1
/* #undef HAVE_MEMMOVE */
vancleef [787] >

From Darren.Moffat at Sun.COM Fri Jun 28 02:01:58 2002
From: Darren.Moffat at Sun.COM (Darren J Moffat)
Date: Thu, 27 Jun 2002 09:01:58 -0700
Subject: pam session as root
References: <20020626185852.A6498@justice.loyola.edu> <5b3cv99f0f.fsf@chiark.greenend.org.uk>
Message-ID: <3D1B36F6.6070409@Sun.COM>

Matthew Vernon wrote:

> Michael Stone writes:
>
>>Beyond any more general questions of whether pam sessions *should* be
>>run as root, is there an immediate security concern with moving the
>
> I believe that the original PAM authors intended pam_session to be run
> as root. Whether this is sensible or not is left as an exercise...

The application calling the PAM API needs to run with sufficient privilege for all of the configured service modules to do their job. This does not necessarily mean root, but it does degenerate to root on most systems that use PAM.

In Solaris that means that all PAM functions must be called as root.

-- 
Darren J Moffat

From bugzilla-daemon at mindrot.org Fri Jun 28 02:06:27 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 02:06:27 +1000 (EST)
Subject: [Bug 285] 3.3p1 on Linux 2.2.x doesn't accept connections
Message-ID: <20020627160627.72E79E8FF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=285

------- Additional Comments From a.c.li at ieee.org 2002-06-28 02:06 -------

If neither "Compression no" nor "UsePrivilegeSeparation no" work, are your host keys in ssh1 format? It seems that the new ssh's don't understand ssh1 format host keys. If you use ssh2-format rsa/dsa keys, does it work?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Jun 28 02:16:08 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 02:16:08 +1000 (EST)
Subject: [Bug 306] ssh on Tru64 returns " Name does not resolv to supplied parameters"
Message-ID: <20020627161608.E9185E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=306

------- Additional Comments From jakari at bithose.com 2002-06-28 02:16 -------

I get the same error either way. Looks like address resolution is broken somewhere. I still have the 2.9p2 binaries and they work fine.

[jakari at poptart ~] host frogstar
frogstar.bithose.com. has address 192.168.1.72
[jakari at poptart ~] ssh frogstar
ssh: frogstar: Name does not resolv to supplied parameters; neither nodename nor servname were passed.
[jakari at poptart ~] host foobar
Host foobar. not found: 3(NXDOMAIN)
[jakari at poptart ~] ssh foobar
ssh: foobar: Name does not resolv to supplied parameters; neither nodename nor servname were passed.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From andreas at conectiva.com.br Fri Jun 28 02:18:50 2002
From: andreas at conectiva.com.br (Andreas Hasenack)
Date: Thu, 27 Jun 2002 13:18:50 -0300
Subject: sshd and file descriptors
In-Reply-To: <20020627153649.GE4800@vega.ipal.net>
References: <20020627134931.GA3580@conectiva.com.br> <20020627143915.GH3580@conectiva.com.br> <20020627153649.GE4800@vega.ipal.net>
Message-ID: <20020627161850.GI3580@conectiva.com.br>

On Thu, Jun 27, 2002 at 10:36:49AM -0500, Phil Howard wrote:
> your connection drops or a router fails for a while and you end
> up losing that connection. Now what? Telnet?

Too many things can happen even in the scenario where the service isn't restarted.

> And you call these people system administrators? I don't.

No, they are users who don't read instructions. And no, I don't restart apache automatically.

> But at least I wrote a log splitter that apache starts, gets the log
> stream via a pipe, and splits every log entry by date, time, and even
> virtual host (configurable). It doesn't need to HUP.

Cool.

From andreas at conectiva.com.br Fri Jun 28 02:20:26 2002
From: andreas at conectiva.com.br (Andreas Hasenack)
Date: Thu, 27 Jun 2002 13:20:26 -0300
Subject: sshd and file descriptors
In-Reply-To: <20020627151231.GB4800@vega.ipal.net>
References: <20020626220613.GO19640@conectiva.com.br> <20020627051057.GE4543@vega.ipal.net> <20020627134931.GA3580@conectiva.com.br> <20020627151231.GB4800@vega.ipal.net>
Message-ID: <20020627162026.GJ3580@conectiva.com.br>

On Thu, Jun 27, 2002 at 10:12:31AM -0500, Phil Howard wrote:
> What about for those system administrators that don't want surprises?
> I consider it a negative. It should at least be a choice.

That would please both worlds, yes. Unfortunately RPM can't offer this as of now.

From mstone at cs.loyola.edu Fri Jun 28 02:24:35 2002
From: mstone at cs.loyola.edu (Michael Stone)
Date: Thu, 27 Jun 2002 12:24:35 -0400
Subject: pam session as root
In-Reply-To: <3D1B36F6.6070409@Sun.COM>; from Darren.Moffat@Sun.COM on Thu, Jun 27, 2002 at 09:01:58AM -0700
References: <20020626185852.A6498@justice.loyola.edu> <5b3cv99f0f.fsf@chiark.greenend.org.uk> <3D1B36F6.6070409@Sun.COM>
Message-ID: <20020627122435.D23824@justice.loyola.edu>

On Thu, Jun 27, 2002 at 09:01:58AM -0700, Darren J Moffat wrote:
> Matthew Vernon wrote:
> > I believe that the original PAM authors intended pam_session to be run
> > as root. Whether this is sensible or not is left as an exercise...
>
> The application calling the PAM API needs to run with sufficient
> privilege for all of the configured service modules to do their job.
> This does not necessarily mean root, but it does degenerate to root on
> most systems that use PAM.
>
> In Solaris that means that all PAM functions must be called as root.

What I was trying to get at was whether, setting aside the question of whether pam sessions should/must be run as root, is it 1) possible to do this in the privsep model, 2) possible to do securely in the privsep model, and 3) possible to do in the privsep model without breaking other functionality. The first patch someone pointed me at failed 3). Does anyone else have any ideas? Discussions of whether it's necessary to do so are premature if it can't be done in the first place. (It is, of course, already possible to disable privsep and run pam sessions as root, so the question is in the integration of privsep & pam.)

-- 
Mike Stone

From hans at nohack.de Fri Jun 28 02:54:49 2002
From: hans at nohack.de (Hans Nohack)
Date: Thu, 27 Jun 2002 18:54:49 +0200
Subject: jailing transfer-only accounts
Message-ID: <000501c21dfb$5ab17010$40331eac@dehls>

hello,

we need to transfer files in a secure way with different partners and clients. at the moment we're using commercial ssh because we found it the only way to transfer files in a jailed environment and without offering a login shell.

we'd like to use openssh but found only some patches and wrapper scripts but nothing "official" to do what we need. i could imagine (and read on many lists) that lots of people seem to need this feature. will it be part of the "official" openssh some day?

thanks
hans

From mouring at etoh.eviladmin.org Fri Jun 28 03:39:28 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 27 Jun 2002 12:39:28 -0500 (CDT)
Subject: OpenSSH Security Advisory (adv.iss)
In-Reply-To:
Message-ID:

Where does it bomb? setenv.c? Change #include "config.h" to #include "includes.h" and see if it compiles.

As for the rest of the errors.. I can't say.. I've not touched a 4.1.x box in.. oh... since 93 or 94 when our Sun 4/50 lab was replaced by whitebox NeXTStep.

- Ben

On Thu, 27 Jun 2002, Bob Van Cleef wrote:

>
> On Wed, 26 Jun 2002, Ben Lindstrom wrote:
>
> >
> > can you grep for HAVE_MEMMOVE and HAVE_BCOPY in config.h ?
> >
>
> vancleef [786] > egrep 'HAVE_MEMMOVE|HAVE_BCOPY' config.h
> #define HAVE_BCOPY 1
> /* #undef HAVE_MEMMOVE */
> vancleef [787] >
>
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From cmadams at hiwaay.net Fri Jun 28 03:53:54 2002
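Added example (the editor's, not OpenSSH code) to go with the HAVE_MEMMOVE/HAVE_BCOPY exchange above, where config.h on the SunOS 4.1.x box shows bcopy() present and memmove() absent: it shows why memmove() and memcpy() are not interchangeable when source and destination overlap, and what an overlap-safe replacement of the kind the compat layer has to provide must do. compat_memmove, shift_right, shift_left and the "abcdefgh" sample buffers are constructed for this illustration and are not names from the tree.

```c
/* Added example, not OpenSSH code: an overlap-safe memmove() replacement,
 * which is what a platform without memmove() needs (bcopy() gives the same
 * guarantee where it exists, hence "#define memmove(d,s,n) bcopy(s,d,n)"
 * as the usual shim).  memcpy() is allowed to assume the regions do not
 * overlap, so it is not a drop-in substitute. */
#include <stdio.h>
#include <string.h>

void *compat_memmove(void *dst, const void *src, size_t n)
{
    unsigned char *d = dst;
    const unsigned char *s = src;
    if (d == s || n == 0)
        return dst;
    if (d < s) {
        /* destination below source: copy forwards, so a byte is always
         * read before the copy reaches and overwrites it */
        while (n--)
            *d++ = *s++;
    } else {
        /* destination above source: copy backwards for the same reason */
        d += n;
        s += n;
        while (n--)
            *--d = *--s;
    }
    return dst;
}

/* Shift the first len bytes of buf right by `by` positions in place
 * (the environ-style "make room for one more entry" pattern). */
char *shift_right(char *buf, size_t len, size_t by)
{
    compat_memmove(buf + by, buf, len);
    return buf;
}

/* Shift len bytes starting at buf+by down to buf in place. */
char *shift_left(char *buf, size_t len, size_t by)
{
    compat_memmove(buf, buf + by, len);
    return buf;
}

/* Same right shift with a deliberately naive forward copy, to show the
 * corruption an overlap-unaware copy produces when dst > src. */
char *shift_right_naive(char *buf, size_t len, size_t by)
{
    for (size_t i = 0; i < len; i++)
        buf[by + i] = buf[i];
    return buf;
}

/* Demonstrations on a constructed sample; each returns the resulting string. */
static char demo_buf[16];

static const char *reset_demo(void)
{
    memset(demo_buf, 0, sizeof demo_buf);
    memcpy(demo_buf, "abcdefgh", 9);
    return demo_buf;
}

const char *demo_memmove_right(void) { reset_demo(); return shift_right(demo_buf, 8, 2); }
const char *demo_memmove_left(void)  { reset_demo(); return shift_left(demo_buf, 6, 2); }
const char *demo_naive_right(void)   { reset_demo(); return shift_right_naive(demo_buf, 8, 2); }

int main(void)
{
    printf("memmove, right by 2: %s\n", demo_memmove_right());  /* ababcdefgh */
    printf("memmove, left by 2:  %s\n", demo_memmove_left());   /* cdefghgh */
    printf("naive copy, right:   %s\n", demo_naive_right());    /* ababababab */
    return 0;
}
```

The naive loop is what a forward memcpy() implementation does; with dst > src it re-reads bytes it has already overwritten, which is the failure a memmove() replacement exists to avoid.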
From: cmadams at hiwaay.net (Chris Adams)
Date: Thu, 27 Jun 2002 12:53:54 -0500
Subject: No TTY prealloc; Tru64 can't do post-auth privsep
Message-ID: <20020627125354.B102947@hiwaay.net>

Well, after digging around and thinking some more, I'm giving up on the idea of preallocating a TTY to get post-auth privsep working on Tru64. I don't think it will work, because just allocating a TTY doesn't fix the problem - there's no valid way to tie that TTY back to the client process (because it hasn't requested a TTY yet and may not ever do so).

The problem is that the Tru64 session setup routines may require a TTY for interaction with the client (changing expired passwords for example) or for notifying the client that the account is locked, expired, etc. The interactive cases obviously don't work on non-TTY logins right now, but I don't want to break them for the TTY cases too where they currently work.

Just add Tru64 to the set of platforms that can't do post-auth privsep (I still don't think it should be flagged as BROKEN_FD_PASSING because FD passing does work on Tru64, but whatever).

-- 
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From mouring at etoh.eviladmin.org Fri Jun 28 03:54:50 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 27 Jun 2002 12:54:50 -0500 (CDT) Subject: OpenSSH 3.4 released In-Reply-To: <20020627151839.B4069@cygbert.vinschen.de> Message-ID: Applied. FYI, for everyone pounding for 3.4 fixes for platform issues. Give us a few days to recover please.. I know I've been up late merging and trying to test the last few days. If you have a patch that has not gone into bugzilla. Do so. Also PLEASE CHECK TO ENSURE THAT NO ONE ELSE has an open ticket on the same issue. - Ben On Thu, 27 Jun 2002, Corinna Vinschen wrote: > On Wed, Jun 26, 2002 at 06:21:03PM +0200, Corinna Vinschen wrote: > > --- sshd.c.orig 2002-06-26 18:21:03.000000000 +0200 > > +++ sshd.c 2002-06-26 18:20:55.000000000 +0200 > > @@ -1035,7 +1035,13 @@ main(int ac, char **av) > > (S_ISDIR(st.st_mode) == 0)) > > fatal("Missing privilege separation directory: %s", > > _PATH_PRIVSEP_CHROOT_DIR); > > +#ifdef HAVE_CYGWIN > > + if (check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) && > > + (st.st_uid != getuid () || > > + (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)) > > +#else > > if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0) > > +#endif > > fatal("Bad owner or mode for %s", > > _PATH_PRIVSEP_CHROOT_DIR); > > } > > Hi, > > is that patch ok to get into the sources or should it be changed somehow? > > Corinna > > -- > Corinna Vinschen > Cygwin Developer > Red Hat, Inc. > mailto:vinschen at redhat.com > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From mouring at etoh.eviladmin.org Fri Jun 28 03:56:22 2002 
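Review bot: in the HAVE_CYGWIN branch the owner/mode test is only evaluated when check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) returns true, so on a Cygwin mount without ntsec the privsep directory is accepted with any owner and any mode, whereas the non-Cygwin branch always fails closed; if skipping the check there is intentional (no usable ownership information without ntsec), say so in a comment above the #ifdef, otherwise the next reader will take it for a missing check. Comparing st.st_uid against getuid() instead of 0 also changes the requirement from "owned by root" to "owned by the account sshd was started as", which is the sensible reading on Cygwin but deserves a one-line comment as well.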
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 27 Jun 2002 12:56:22 -0500 (CDT) Subject: OpenSSH 3.3p1 on SunOS 4.1.4 In-Reply-To: <20020627135042.GN15018@det.rz.uni-duesseldorf.de> Message-ID: The optarg fix is in 3.4p1. We are using bcopy() if memmove() does not exist. I have a question pending to the rest of the portable group in regards to a few include changes which this will be part of. So hopefully in the next day or so it will be in the tree. - Ben On Thu, 27 Jun 2002, Detlef Lannert wrote: > Hi, > > I just installed OpenSSH 3.3p1 on a SunOS 4.1.4 system (actually a > 3-year old Auspex file server) as a replacement for an older, probably > vulnerable ssh version. > > I used gcc, openssl 0.9.6d, zlib 1.1.4 and the configure incantation > ./configure --with-tcp-wrappers --with-privsep-user=privsep > (the latter option obviously being the default value). > > There were two problems: (a) memmove seems to be unavailable; I replaced > it by memcpy, hoping that it won't break on overlapping areas, (b) optarg > was undefined and needed to be declared. > > I enclose the diffs of the patches I made. Compilation, linking, and > installation were OK, and (apparently) it's working. > > I do know that this OS is not the latest fad; just thought this > information might be useful for someone else out there who has to work > with a similar system. > > Please cc any replies as I'm not subscribed to the list. Thank you. > > Regards, > Detlef > > ------------8<------------- cut here ------------8<------------- > *** openbsd-compat/setenv.c.orig Wed Feb 13 06:00:16 2002 > --- openbsd-compat/setenv.c Wed Jun 26 18:27:17 2002 > *************** > *** 40,45 **** > --- 40,46 ---- > > #include > #include > + #include > > /* > * __findenv -- > *************** > *** 123,129 **** > (cnt + 2))); > if (!P) > return (-1); > ! 
memmove(P, environ, cnt * sizeof(char *)); > environ = P; > } > environ[cnt + 1] = NULL; > --- 124,130 ---- > (cnt + 2))); > if (!P) > return (-1); > ! memcpy(P, environ, cnt * sizeof(char *)); > environ = P; > } > environ[cnt + 1] = NULL; > *** ssh-agent.c.orig Fri Jun 21 02:41:52 2002 > --- ssh-agent.c Wed Jun 26 18:18:48 2002 > *************** > *** 939,944 **** > --- 939,945 ---- > char *shell, *format, *pidstr, pidstrbuf[1 + 3 * sizeof pid]; > char *agentsocket = NULL; > extern int optind; > + extern char *optarg; > fd_set *readsetp = NULL, *writesetp = NULL; > > SSLeay_add_all_algorithms(); > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From mouring at etoh.eviladmin.org Fri Jun 28 03:59:25 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 27 Jun 2002 12:59:25 -0500 (CDT) Subject: sshd and ai_socktype errors.... (fwd) Message-ID: Anyone from the Tru64 camp have any comments? Ken, can you log this into http://bugzilla.mindrot.org/ to ensure we don't lose the bug report? Thanks. - Ben ---------- Forwarded message ---------- Date: Thu, 27 Jun 2002 11:25:02 -0400 (EDT) 
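Review bot: the memmove() to memcpy() change in the second setenv.c hunk is safe for this one call, because the visible context (P allocated and checked by `if (!P) return (-1);` immediately above the copy) shows the destination is a freshly allocated array that cannot overlap environ, but it treats the symptom rather than the missing function: memcpy() on overlapping regions is undefined, so the same substitution cannot be made at other memmove() call sites, and those will still fail to link on SunOS 4.1.4. The maintainable fix is one memmove() replacement in openbsd-compat, guarded by HAVE_MEMMOVE from configure and built on bcopy() as Ben's reply describes, with setenv.c left unchanged.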
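Review bot: the ssh-agent.c hunk adds `extern char *optarg;` beside the existing `extern int optind;` in main(), which is consistent locally but fixes only ssh-agent: every other getopt(3) caller in the tree (ssh.c, sshd.c, scp.c and ssh-keygen.c among them) compiles against the same libc headers and will hit the same undeclared optarg. Declare it once in a shared compat header, under a configure test for whether <unistd.h> already declares optarg, so the per-file declarations can eventually go away instead of multiplying.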
From: Ken Kleiner
To: secureshell at securityfocus.com
Cc: Ken Kleiner
Subject: sshd and ai_socktype errors....

Hello..

I am Running openssh 3.4p1 on Tru64 v5.0a. In my system logs, I see the following when I ssh to that machine with 'ssh -X system_name':

error: getaddrinfo: servname not supported for ai_socktype

Any idea what that could be? I can get in okay, but X11 forwarding isn't working, although sshd_config has it enabled.

I had a somewhat similar type of error initially when I installed ssh on top of openssh 3.1p1 - running 'ssh hostname' gave me :

ssh: hostname: servname not supported for ai_socktype

I got rid of that ERROR by putting :

ssh 22/tcp

into my /etc/services.

Thanks in advance for some help with this...

-- 
<>< ><> <>< ><> <>< ><> <>< ><> <>< ><> <><
Ken Kleiner
System Manager
Computer Science Department
Umass Lowell
voice : 978 934 3645
fax : 978 934 3551
cell : 603 930 5582 (emergencies only, please)
ken at cs.uml.edu

From jason at mastaler.com Fri Jun 28 04:17:49 2002
From: jason at mastaler.com (Jason R.Mastaler)
Date: Thu, 27 Jun 2002 12:17:49 -0600
Subject: UsePrivilegeSeparation: "fatal: xrealloc: out of memory"
References: <20020626183220.A6955@mastaler.com> <20020627101746.U18668@greenie.muc.de>
Message-ID:

Gert Doering writes:

> Protocol 1 works with compression, Protocol 2 works without, but if
> you use -2 -C, sshd will grow to about 25 Mbyte of memory, and then
> ulimit will strike.

This seems unrelated though, because as I mentioned in my first message, I only have this problem when UsePrivilegeSeparation is enabled. With "UsePrivilegeSeparation no", ``-2 -C'' works fine.

-- 
(http://tmda.sourceforge.net/)

From jmknoble at pobox.com Fri Jun 28 04:21:21 2002
From: jmknoble at pobox.com (Jim Knoble)
Date: Thu, 27 Jun 2002 14:21:21 -0400
Subject: BROKEN_FD_PASSING (Bug 269)
In-Reply-To: <20020627131813.A4257741@ohm.arago.de>; from binder@arago.de on Thu, Jun 27, 2002 at 01:18:13PM +0200
References: <20020626140958.B3625440@ohm.arago.de> <20020626111210.N20075@zax.half.pint-stowp.cx> <20020626174732.A3746291@oh <20020626143236.O20075@zax.half.pint-stowp.cx> <20020627131813.A4257741@ohm.arago.de>
Message-ID: <20020627142121.B2776@zax.half.pint-stowp.cx>

Circa 2002-Jun-27 13:18:13 +0200 dixit Thomas Binder:

: On Wed, Jun 26, 2002 at 02:32:36PM -0400, Jim Knoble wrote:
: > : Nope, at least not for me on i386-Linux 2.0.39, as it already
: > : breaks earlier with:
: > :
: > : mm_receive_fd: recvmsg: expected received 1 got 2
: >
: > Is that repeatable? Can you strace it?
:
: It is repeatable, but astonishingly not straceable.
:
: Calling
:
: ./sshd -p 2222 -d -d -d
:
: and connecting as a user (authenticated via public key; it does
: not fail when connecting as root, btw.) will result in
:
: mm_receive_fd: recvmsg: expected received 1 got 2
:
: As soon as I add strace, as in
:
: strace -f -o /tmp/strace.user ./sshd -p 2222 -d -d -d
:
: it fails with the "expected" message
:
: mm_receive_fd: expected type 1 got 1074277169
:
: (unless patched as suggested).
:
: Running as a daemon behaves as in case 1, i.e. needs
: BROKEN_FD_PASSING.
:
: Further investigating this issue, I found out that linking with
: TransArc's AFS libraries is the culprit. Without them,
: everything's fine (except, of course, one can't login as a user).
:
: Thus, it seems to be a local problem only, nothing to worry about
: here. Of course, it unfortunately forces me to define
: BROKEN_FD_PASSING, but I'll have to live with that.
:
: But it's really interesting that running sshd with and without
: strace behaves differently.

That is indeed very weird.
I wonder if the AFS libs are somehow sending another control message that the recvmsg() call in mm_receive_fd() is intercepting....

Sounds like BROKEN_FD_PASSING is the workaround for you (unless you're able to upgrade your Linux kernel to v2.2.x).

-- 
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 262 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020627/3763a33d/attachment.bin

From bruceg at em.ca Fri Jun 28 04:26:25 2002
From: bruceg at em.ca (Bruce Guenter)
Date: Thu, 27 Jun 2002 12:26:25 -0600
Subject: Disabling compression in sshd causes problems
Message-ID: <20020627122625.A2524@em.ca>

Greetings.

If compression is disabled in the sshd config file, and a client attempts to connect with compression enabled, the session fails with the following error message:

no matching comp found: client zlib server none

This error message is produced on line 285 of kex.c (version 3.4p1). This happens with either UsePrivilegeSeparation on or off, so I do not believe it is a PrivSep issue. Am I mistaken in thinking that disabling compression on the server would simply silently disable compression for all connections to that server?

-- 
Bruce Guenter http://em.ca/~bruceg/ http://untroubled.org/
OpenPGP key: 699980E8 / D0B7 C8DD 365D A395 29DA 2E2A E96F B2DC 6999 80E8
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020627/209c7615/attachment.bin

From mouring at etoh.eviladmin.org Fri Jun 28 04:24:42 2002
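Added example (the editor's, not code from kex.c) illustrating the negotiation behind Bruce's error message above. The SSH2 transport negotiates each algorithm list by walking the client's names in order and taking the first one the server also offers (the secsh transport draft of the time, now RFC 4253 section 7.1); if nothing matches, the connection is aborted. The message "client zlib server none" shows the two proposals in this case: a client started with -C proposes only "zlib" and a server with "Compression no" proposes only "none", so there is nothing for the server to fall back to silently. match_list, negotiate and the sample lists are constructed for this example.

```c
/* Added example, not OpenSSH code: SSH2 name-list negotiation.  Each side
 * sends a comma-separated list per algorithm class in KEXINIT; the choice
 * is the first client name that the server also lists, or failure. */
#include <stdio.h>
#include <string.h>

/* Nonzero if `name` (length n, not NUL-terminated) is an entry of `list`. */
static int list_contains(const char *list, const char *name, size_t n)
{
    const char *p = list;
    for (;;) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == n && memcmp(p, name, n) == 0)
            return 1;
        if (comma == NULL)
            return 0;
        p = comma + 1;
    }
}

/* Pick the first client-preferred name the server also offers.  Copies the
 * winner into out (size outsz) and returns out, or returns NULL when the
 * lists are disjoint, which is the "no matching ... found" fatal case. */
const char *match_list(const char *client, const char *server,
                       char *out, size_t outsz)
{
    const char *p = client;
    for (;;) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len > 0 && len < outsz && list_contains(server, p, len)) {
            memcpy(out, p, len);
            out[len] = '\0';
            return out;
        }
        if (comma == NULL)
            return NULL;
        p = comma + 1;
    }
}

/* Convenience wrapper with a static result buffer. */
static char chosen[64];
const char *negotiate(const char *client, const char *server)
{
    return match_list(client, server, chosen, sizeof chosen);
}

int main(void)
{
    /* Constructed proposals: the failing pair from the report, then two
     * client lists that can fall back, then a case showing client order wins. */
    static const struct { const char *client, *server; } cases[] = {
        { "zlib",      "none" },       /* ssh -C vs Compression no: fatal   */
        { "zlib,none", "none" },       /* client can fall back: picks none  */
        { "none,zlib", "zlib,none" },  /* client preference wins: none      */
        { "zlib,none", "zlib,none" },  /* both agree on zlib                */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *r = negotiate(cases[i].client, cases[i].server);
        printf("client %-10s server %-10s -> %s\n", cases[i].client,
               cases[i].server, r ? r : "no matching comp found");
    }
    return 0;
}
```

The rule is asymmetric on purpose: the server's order does not matter, only which names it lists, so "Compression no" removes "zlib" from the server list and any client that proposes nothing else cannot connect.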
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 27 Jun 2002 13:24:42 -0500 (CDT)
Subject: UsePrivilegeSeparation: "fatal: xrealloc: out of memory"
In-Reply-To:
Message-ID:

On Thu, 27 Jun 2002, Jason R.Mastaler wrote:

> Gert Doering writes:
>
> > Protocol 1 works with compression, Protocol 2 works without, but if
> > you use -2 -C, sshd will grow to about 25 Mbyte of memory, and then
> > ulimit will strike.
>
> This seems unrelated though, because as I mentioned in my first
> message, I only have this problem when UsePrivilegeSeparation is
> enabled. With "UsePrivilegeSeparation no", ``-2 -C'' works fine.
>

Do something for me..

do Privsep w/out -C .. do you have this issue?

One needs to narrow down where the issue is occurring.. And my first guess is the mmap() is going awry.

From jmknoble at pobox.com Fri Jun 28 04:36:22 2002
From: jmknoble at pobox.com (Jim Knoble)
Date: Thu, 27 Jun 2002 14:36:22 -0400
Subject: OpenSSH 3.4p1 - compilation problem on Linux
In-Reply-To: <3D1B17C5.1070900@3glab.com>; from craig.emery@3glab.com on Thu, Jun 27, 2002 at 02:48:53PM +0100
References: <3D1B17C5.1070900@3glab.com>
Message-ID: <20020627143622.D2776@zax.half.pint-stowp.cx>

Circa 2002-Jun-27 14:48:53 +0100 dixit Craig Emery:

: One of the other "issues" I came across with building RPMs was that I
: couldn't just do
:
: % rpm -tb SOURCES/openssh-3.4p1.tar.gz
:
: because the .spec file that was found was *not* the
: openssh-3.4p1/contrib/redhat/openssh.spec one. :-(
: I haven't checked but I guess rpm "grabs" the first one it finds in a
: tarball (which would have been openssh-3.4p1/contrib/caldera/openssh.spec).
: Now you may say "if a user can do rpm -tb ... they can figure this out"
: but this made me scratch my head for a while & I maintain RPMs for two
: SF.net projects.

You are mostly correct. 'rpm -t' is only guaranteed to work properly when the tarball contains exactly one specfile (i.e., no more, and no fewer). If there is more than one specfile in the tarball (which there is for OpenSSH), then rpm picks an arbitrary specfile, which may well not be the one you meant to use.

-- 
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 262 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020627/f70e34fa/attachment.bin

From bugzilla-daemon at mindrot.org Fri Jun 28 04:39:46 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 04:39:46 +1000 (EST)
Subject: [Bug 310] New: sshd reporting ai_socktype errors when using ssh -X to server
Message-ID: <20020627183946.739F8E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=310

Summary: sshd reporting ai_socktype errors when using ssh -X to server
Product: Portable OpenSSH
Version: -current
Platform: Alpha
OS/Version: OSF/1
Status: NEW
Severity: major
Priority: P3
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: kkleiner at cs.uml.edu

I am Running openssh 3.4p1 on Tru64 v5.0a. In my system logs, I see the following when I ssh to that machine with 'ssh -X system_name':

error: getaddrinfo: servname not supported for ai_socktype

Any idea what that could be? I can get in okay, but X11 forwarding isn't working, although sshd_config has it enabled.

I had a somewhat similar type of error initially when I installed ssh on top of openssh 3.1p1 - running 'ssh hostname' gave me :

ssh: hostname: servname not supported for ai_socktype

I got rid of that ERROR by putting :

ssh 22/tcp

into my /etc/services.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Jun 28 04:44:56 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 04:44:56 +1000 (EST)
Subject: [Bug 307] configure fails to add -ldl (RedHat specfile)
Message-ID: <20020627184456.81918E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=307

------- Additional Comments From jmknoble at pobox.com 2002-06-28 04:44 -------

'-ldl' is generally not necessary to build OpenSSH unless you're building against a version of OpenSSL that includes the "engine" for smart cards, etc. (that is, for example, openssl-engine-0.9.6d instead of openssl-0.9.6d). If that's the library you're compiling against, then you need '-ldl' because of OpenSSL, not because of OpenSSH.

The only way for OpenSSH's ./configure to detect that OpenSSL needs '-ldl' is for OpenSSL to provide a pkgconfig thingy that explains what OpenSSL's linktime needs are. Since openssl(-engine)?-0.9.6d doesn't provide that, you need to do so manually. If there's nothing in OpenSSL's documentation that explains OpenSSL's linktime needs, then please file a bug report with OpenSSL.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From jason at mastaler.com Fri Jun 28 05:02:53 2002
From: jason at mastaler.com (Jason R.Mastaler)
Date: Thu, 27 Jun 2002 13:02:53 -0600
Subject: UsePrivilegeSeparation: "fatal: xrealloc: out of memory"
References:
Message-ID:

Ben Lindstrom writes:

> Do something for me..
>
> do Privsep w/out -C .. do you have this issue?

No, I do not. Bingo.

-- 
(http://tmda.sourceforge.net/)

From jmknoble at pobox.com Fri Jun 28 05:03:04 2002
From: jmknoble at pobox.com (Jim Knoble)
Date: Thu, 27 Jun 2002 15:03:04 -0400
Subject: bad owner on /var/empty: RH6.2 sparc 3.4p1
In-Reply-To: ; from des@ofug.org on Thu, Jun 27, 2002 at 01:28:24PM +0200
References: <20020626143236.O20075@zax.half.pint-stowp.cx> <20020626153010.P20075@zax.half.pint-stowp.cx> <20020627121303.C4231375@ohm.arago.de>
Message-ID: <20020627150304.E2776@zax.half.pint-stowp.cx>

Circa 2002-Jun-27 13:28:24 +0200 dixit Dag-Erling Smorgrav:

: Thomas Binder writes:
: > Note that make install will create the directory with 0700, while
: > README.privsep propagates 0755. Which mode is the one to use?
:
: FreeBSD uses 0555 with no apparent trouble.

I suspect that the privsep/chroot directory could even be mode 0111. sshd complains about it if (a) either chroot() or the subsequent chdir("/") fails, (b) the privsep directory is owned by anyone other than root, or (c) the privsep directory is either group- or world-writeable.

-- 
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 262 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020627/b1c5c1c8/attachment.bin

From gert at greenie.muc.de Fri Jun 28 05:40:01 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 27 Jun 2002 21:40:01 +0200
Subject: UsePrivilegeSeparation: "fatal: xrealloc: out of memory"
In-Reply-To: <3D1AE6A0.85E29EA2@zip.com.au>; from dtucker@zip.com.au on Thu, Jun 27, 2002 at 08:19:12PM +1000
References: <20020626183220.A6955@mastaler.com> <3D1A8BA6.A731D810@zip.com.au> <20020626224329.A12122@mastaler.com> <3D1AE6A0.85E29EA2@zip.com.au>
Message-ID: <20020627214001.H836@greenie.muc.de>

Hi,

On Thu, Jun 27, 2002 at 08:19:12PM +1000, Darren Tucker wrote:
> Gert Doering gave an example of sshd using 25MB of memory (!) so you
> might want try setting "ulimit -d unlimited" anyway.

This is a kind of a misunderstanding. I do consider this a BUG - a sshd should never grow to a size larger than a few MB.

It only happens (for me) with "-2 -C", and only on very ancient FreeBSDs.

gert

-- 
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de

From gert at greenie.muc.de Fri Jun 28 05:40:35 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 27 Jun 2002 21:40:35 +0200
Subject: UsePrivilegeSeparation: "fatal: xrealloc: out of memory"
In-Reply-To: ; from jason@mastaler.com on Thu, Jun 27, 2002 at 12:17:49PM -0600
References: <20020626183220.A6955@mastaler.com> <20020627101746.U18668@greenie.muc.de>
Message-ID: <20020627214034.I836@greenie.muc.de>

Hi,

On Thu, Jun 27, 2002 at 12:17:49PM -0600, Jason R . Mastaler wrote:
> Gert Doering writes:
>
> > Protocol 1 works with compression, Protocol 2 works without, but if
> > you use -2 -C, sshd will grow to about 25 Mbyte of memory, and then
> > ulimit will strike.
>
> This seems unrelated though, because as I mentioned in my first
> message, I only have this problem when UsePrivilegeSeparation is
> enabled. With "UsePrivilegeSeparation no", ``-2 -C'' works fine.

Forgot to add that - sorry. Same for me, it's only a problem if UsePrivilegeSeparation is enabled.

gert

-- 
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de

From gert at greenie.muc.de Fri Jun 28 05:41:15 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 27 Jun 2002 21:41:15 +0200
Subject: UsePrivilegeSeparation: "fatal: xrealloc: out of memory"
In-Reply-To: ; from mouring@etoh.eviladmin.org on Thu, Jun 27, 2002 at 01:24:42PM -0500
References:
Message-ID: <20020627214115.J836@greenie.muc.de>

Hi,

On Thu, Jun 27, 2002 at 01:24:42PM -0500, Ben Lindstrom wrote:
> > > Protocol 1 works with compression, Protocol 2 works without, but if
> > > you use -2 -C, sshd will grow to about 25 Mbyte of memory, and then
> > > ulimit will strike.
[..]
> Do something for me..
>
> do Privsep w/out -C .. do you have this issue?

PrivSep works fine with out -C.

gert

-- 
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de

From kevin at atomicgears.com Fri Jun 28 05:53:29 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Thu, 27 Jun 2002 12:53:29 -0700
Subject: bad owner on /var/empty: RH6.2 sparc 3.4p1
In-Reply-To: <20020627121303.C4231375@ohm.arago.de>
References: <20020626143236.O20075@zax.half.pint-stowp.cx> <20020626153010.P20075@zax.half.pint-stowp.cx> <20020627121303.C4231375@ohm.arago.de>
Message-ID: <20020627195329.GB2547@jenny.crlsca.adelphia.net>

On Thu, Jun 27, 2002 at 12:13:04PM +0200, Thomas Binder wrote:
> Btw, there's one discrepancy between what README.privsep (and you)
> say(s) and what make install does:
>
> README.privsep:
>
>     mkdir /var/empty
>     chown root:sys /var/empty
>     chmod 755 /var/empty
>
> Makefile.in:
>
>     $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH)
>     chmod 0700 $(DESTDIR)$(PRIVSEP_PATH)
>
> Note that make install will create the directory with 0700, while
> README.privsep propagates 0755. Which mode is the one to use? From
> my tests, it works with both, but IMO it would be better to sync
> README.privsep and Makefile.in in that respect.

either is fine, but we should be consistent and use 755. that is what
is used by OpenBSD and Owl.

From mouring at etoh.eviladmin.org Fri Jun 28 05:55:56 2002
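Both modes work because what sshd checks on the privsep directory is ownership by root and the absence of group and world write bits, not one exact mode. The check below is an added example for this archive, not OpenSSH's own code; `check_privsep_dir`, `check_with_mode` and the `owner` parameter (sshd itself insists on uid 0) are assumptions so that it can be exercised on a scratch directory without root.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcomes of the privilege-separation directory check. */
enum privsep_dir_status {
    PRIVSEP_DIR_OK = 0,
    PRIVSEP_DIR_MISSING,    /* stat() failed: directory does not exist */
    PRIVSEP_DIR_NOT_DIR,    /* path exists but is not a directory */
    PRIVSEP_DIR_BAD_OWNER,  /* not owned by the expected uid */
    PRIVSEP_DIR_BAD_MODE    /* group- or world-writable */
};

/* A directory passes when it is owned by `owner` and only the owner may
 * write to it: 0700 and 0755 both pass, 0775 and 0777 do not.
 * `owner` is a hypothetical parameter; sshd hard-codes uid 0. */
enum privsep_dir_status check_privsep_dir(const char *path, uid_t owner)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return PRIVSEP_DIR_MISSING;
    if (!S_ISDIR(st.st_mode))
        return PRIVSEP_DIR_NOT_DIR;
    if (st.st_uid != owner)
        return PRIVSEP_DIR_BAD_OWNER;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return PRIVSEP_DIR_BAD_MODE;
    return PRIVSEP_DIR_OK;
}

/* Create a throwaway directory (constructed scratch path), apply `mode`,
 * run the check as the current user and clean up. Returns the status,
 * or -1 if the scratch directory could not be prepared. */
int check_with_mode(mode_t mode)
{
    char tmpl[] = "/tmp/privsep-check-XXXXXX";
    int r;

    if (mkdtemp(tmpl) == NULL)
        return -1;
    if (chmod(tmpl, mode) != 0) {
        rmdir(tmpl);
        return -1;
    }
    r = check_privsep_dir(tmpl, geteuid());
    rmdir(tmpl);
    return r;
}

int main(void)
{
    printf("0755 -> %d\n", check_with_mode(0755));   /* 0: OK */
    printf("0700 -> %d\n", check_with_mode(0700));   /* 0: OK */
    printf("0775 -> %d\n", check_with_mode(0775));   /* 4: bad mode */
    printf("/var/empty as root-owned -> %d\n",
           check_privsep_dir("/var/empty", 0));
    return 0;
}
```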
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 27 Jun 2002 14:55:56 -0500 (CDT)
Subject: UsePrivilegeSeparation: "fatal: xrealloc: out of memory"
In-Reply-To:
Message-ID:

On Thu, 27 Jun 2002, Jason R.Mastaler wrote:
> Ben Lindstrom writes:
>
> > Do something for me..
> >
> > do Privsep w/out -C .. do you have this issue?
>
> No, I do not.

Bingo.

    $ grep MM_MEMSIZE *.c
    monitor.c:#define MM_MEMSIZE 65536
    monitor.c:        mon->m_zback = mm_create(NULL, MM_MEMSIZE);
    monitor.c:        mon->m_zlib = mm_create(mon->m_zback, 20 * MM_MEMSIZE);

So we have 65k pages... and we allocate 20 of them we hit 1Meg worth of
mmap() for sharing the actually for zlib. If I read the code right (can
someone verify?)

So.. Unless there is a memory leak somewhere I'm not sure why sshd would
grow such.

- Ben

From pekkas at netcore.fi Fri Jun 28 06:37:56 2002
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 27 Jun 2002 23:37:56 +0300 (EEST)
Subject: sshd and file descriptors
In-Reply-To: <20020627152718.GD4800@vega.ipal.net>
Message-ID:

On Thu, 27 Jun 2002, Phil Howard wrote:
> IMHO, anyone who needed the package manager to restart the service
> for them because they forget to restart, or didn't know they needed
> to restart, isn't qualified to be a system administrator.

Come back when you're really administering systems, not your own or a
friend's, and possibly a company's 5-10 servers. When you have 50 or 100
systems you want to upgrade, _you don't_ go around by manually upgrading
RPM's and restarting the daemons. Automatic unattended RPM updates are
the key, and restarting the service is a big win.

Crap.. this is really offfffffff-topic now..

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From kevin at atomicgears.com Fri Jun 28 06:55:43 2002
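To make Ben's arithmetic concrete: the monitor hands the unprivileged child a MAP_SHARED anonymous region of fixed size, so zlib state lives in memory both processes see, and any request beyond that budget fails instead of growing the process. The arena below is an added example, a simplified stand-in and not OpenSSH's mm_* code; `arena_create`, `arena_alloc`, the bump-pointer layout (freed blocks are not reused) and the helper names are assumptions.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* older BSD spelling */
#endif

#define MM_MEMSIZE 65536         /* the page size shown in the grep above */

/* One MAP_SHARED|MAP_ANONYMOUS mapping carved up with a bump pointer.
 * Because the mapping is shared, a process forked after arena_create()
 * writes into the same physical pages its parent reads. */
struct arena {
    unsigned char *base;
    size_t size;
    size_t used;
};

int arena_create(struct arena *a, size_t size)
{
    void *p = mmap(NULL, size, PROT_READ | PROT_WRITE,
                   MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    a->base = p;
    a->size = size;
    a->used = 0;
    return 0;
}

/* Hand out n bytes, rounded up to 16; NULL once the budget is spent.
 * This is the condition that surfaces as "out of memory" to the caller. */
void *arena_alloc(struct arena *a, size_t n)
{
    size_t need = (n + 15) & ~(size_t)15;
    void *p;

    if (need == 0 || need > a->size - a->used)
        return NULL;
    p = a->base + a->used;
    a->used += need;
    return p;
}

void arena_destroy(struct arena *a)
{
    munmap(a->base, a->size);
    a->base = NULL;
}

/* How many blocks of `block` bytes fit into an arena of `arena_size`
 * before allocation fails? 20 * MM_MEMSIZE holds 320 blocks of 4 KiB. */
size_t count_blocks_until_full(size_t arena_size, size_t block)
{
    struct arena a;
    size_t n = 0;

    if (arena_create(&a, arena_size) != 0)
        return 0;
    while (arena_alloc(&a, block) != NULL)
        n++;
    arena_destroy(&a);
    return n;
}

/* Fork, let the child overwrite a slot in the arena, and report whether
 * the parent sees the child's write (1 = shared, 0 = not shared). */
int shared_across_fork(void)
{
    struct arena a;
    char *slot;
    pid_t pid;
    int status, seen;

    if (arena_create(&a, MM_MEMSIZE) != 0)
        return 0;
    slot = arena_alloc(&a, 32);
    if (slot == NULL) {
        arena_destroy(&a);
        return 0;
    }
    strcpy(slot, "parent");
    pid = fork();
    if (pid < 0) {
        arena_destroy(&a);
        return 0;
    }
    if (pid == 0) {
        strcpy(slot, "child");
        _exit(0);
    }
    waitpid(pid, &status, 0);
    seen = strcmp(slot, "child") == 0;
    arena_destroy(&a);
    return seen;
}

int main(void)
{
    printf("zlib arena: %d bytes\n", 20 * MM_MEMSIZE);
    printf("4 KiB blocks before OOM: %zu\n",
           count_blocks_until_full(20 * MM_MEMSIZE, 4096));
    printf("shared across fork: %s\n", shared_across_fork() ? "yes" : "no");
    return 0;
}
```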
From: kevin at atomicgears.com (Kevin Steves)
Date: Thu, 27 Jun 2002 13:55:43 -0700
Subject: [PATCH]: Eliminate HAVE_CYGWIN (and _UWIN) around calls to setgroups() [was Re: openssh for UWIN]
In-Reply-To:
References: <20020618194842.GD1422@jenny.crlsca.adelphia.net>
Message-ID: <20020627205543.GF2547@jenny.crlsca.adelphia.net>

On Wed, Jun 26, 2002 at 08:01:35PM -0700, Tim Rice wrote:
> While I like your directory grouping idea better, it would only
> work if we don't have -Lopenbsd/ -Lcompat/ -Lplatform/
> Some linkers on older systems have a limit on the number of -L options.

if that's really an issue there would still be just 1 .a file.
i'm just trying to organize source files so we don't have to
prepend fake- and such things.

From mouring at etoh.eviladmin.org Fri Jun 28 06:53:33 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 27 Jun 2002 15:53:33 -0500 (CDT)
Subject: [PATCH]: Eliminate HAVE_CYGWIN (and _UWIN) around calls to setgroups() [was Re: openssh for UWIN]
In-Reply-To: <20020627205543.GF2547@jenny.crlsca.adelphia.net>
Message-ID:

go down to compat/ and build subdirectories. So you still have a single
-L.

It would be nice in some respects if we could pull some of the files out
of the root directory, but splitting up things like auth-*.c and
auth2-*.c feels wrong to me. Don't know. Just know it only seems to get
worse.

- Ben

On Thu, 27 Jun 2002, Kevin Steves wrote:
> On Wed, Jun 26, 2002 at 08:01:35PM -0700, Tim Rice wrote:
> > While I like your directory grouping idea better, it would only
> > work if we don't have -Lopenbsd/ -Lcompat/ -Lplatform/
> > Some linkers on older systems have a limit on the number of -L options.
>
> if that's really an issue there would still be just 1 .a file.
> i'm just trying to organize source files so we don't have to
> prepend fake- and such things.
>

From tim at multitalents.net Fri Jun 28 07:29:15 2002
From: tim at multitalents.net (Tim Rice)
Date: Thu, 27 Jun 2002 14:29:15 -0700 (PDT)
Subject: [PATCH]: Eliminate HAVE_CYGWIN (and _UWIN) around calls to setgroups() [was Re: openssh for UWIN]
In-Reply-To: <20020627205543.GF2547@jenny.crlsca.adelphia.net>
Message-ID:

On Thu, 27 Jun 2002, Kevin Steves wrote:
> On Wed, Jun 26, 2002 at 08:01:35PM -0700, Tim Rice wrote:
> > While I like your directory grouping idea better, it would only
> > work if we don't have -Lopenbsd/ -Lcompat/ -Lplatform/
> > Some linkers on older systems have a limit on the number of -L options.
>
> if that's really an issue there would still be just 1 .a file.
> i'm just trying to organize source files so we don't have to
> prepend fake- and such things.

It could be as many .a files as we have subdirectories. I haven't been
able to overload -l options yet, just the -L option.

If we make the .a target be in the parent we could have 1 -L. Ie.

In openbsd-compat/Makefile

    ./libopenbsd-compat.a: $(COMPAT) $(OPENBSD) $(PORTS)
            $(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS)
            $(RANLIB) $@

Your idea sounds good. Let's do it.

--
Tim Rice                Multitalents        (707) 887-1469
tim at multitalents.net

From tim at multitalents.net Fri Jun 28 07:58:35 2002
From: tim at multitalents.net (Tim Rice)
Date: Thu, 27 Jun 2002 14:58:35 -0700 (PDT)
Subject: [PATCH]: Eliminate HAVE_CYGWIN (and _UWIN) around calls to setgroups() [was Re: openssh for UWIN]
In-Reply-To:
Message-ID:

On Thu, 27 Jun 2002, Tim Rice wrote:
>
> ./libopenbsd-compat.a: $(COMPAT) $(OPENBSD) $(PORTS)

Yuk, a . got swallowed. Should have been

    ../libopenbsd-compat.a: $(COMPAT) $(OPENBSD) $(PORTS)

> $(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS)
> $(RANLIB) $@
>
> Your idea sounds good. Let's do it.
>
> --
> Tim Rice                Multitalents        (707) 887-1469
> tim at multitalents.net

From bugzilla-daemon at mindrot.org Fri Jun 28 08:29:39 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 08:29:39 +1000 (EST)
Subject: [Bug 311] New: Compile fails on MIPS Linux (Cobalt Raq2) - SCM_RIGHTS undeclared
Message-ID: <20020627222939.BF3ACE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=311

           Summary: Compile fails on MIPS Linux (Cobalt Raq2) - SCM_RIGHTS undeclared
           Product: Portable OpenSSH
           Version: -current
          Platform: MIPS
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: matt at primefactor.com

I'm using Linux kernel 2.0.34C52_SK on a Cobalt Raq2 (a MIPS based
machine). I'm attempting to compile OpenSSH 3.4p1. When I run make, it
compiles quite a bit but fails here:

    gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/usr/local/ssl/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c monitor_fdpass.c
    monitor_fdpass.c: In function `mm_send_fd':
    monitor_fdpass.c:57: `SCM_RIGHTS' undeclared (first use this function)
    monitor_fdpass.c:57: (Each undeclared identifier is reported only once
    monitor_fdpass.c:57: for each function it appears in.)
    monitor_fdpass.c: In function `mm_receive_fd':
    monitor_fdpass.c:115: `SCM_RIGHTS' undeclared (first use this function)
    make: *** [monitor_fdpass.o] Error 1

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Jun 28 09:00:46 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 09:00:46 +1000 (EST)
Subject: [Bug 311] Compile fails on MIPS Linux (Cobalt Raq2) - SCM_RIGHTS undeclared
Message-ID: <20020627230046.06961E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=311

------- Additional Comments From jmknoble at pobox.com 2002-06-28 09:00 -------
What version of glibc? What's the output of the following?

    find /usr/include -name \*.h -follow -exec grep -l SCM_RIGHTS \{\} \;

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From dtucker at zip.com.au Fri Jun 28 09:06:33 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 28 Jun 2002 09:06:33 +1000
Subject: UsePrivilegeSeparation: "fatal: xrealloc: out of memory"
References: <20020626183220.A6955@mastaler.com> <3D1A8BA6.A731D810@zip.com.au> <20020626224329.A12122@mastaler.com> <3D1AE6A0.85E29EA2@zip.com.au> <20020627214001.H836@greenie.muc.de>
Message-ID: <3D1B9A79.60B789@zip.com.au>

Gert Doering wrote:
> On Thu, Jun 27, 2002 at 08:19:12PM +1000, Darren Tucker wrote:
> > Gert Doering gave an example of sshd using 25MB of memory (!) so you
> > might want try setting "ulimit -d unlimited" anyway.
>
> This is a kind of a misunderstanding. I do consider this a BUG - a sshd
> should never grow to a size larger than a few MB.

I did realise that. I only suggested it as a way of isolating the
problem. Sorry for the misunderstanding.

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From bugzilla-daemon at mindrot.org Fri Jun 28 09:37:32 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 09:37:32 +1000 (EST)
Subject: [Bug 309] openssh-3.3 and openssh-3.4 won't install on Sparc Station 5, Solaris 8
Message-ID: <20020627233732.BA2ECE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=309

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|opemssh-3.3 and openssh-3.4 |openssh-3.3 and openssh-3.4
                   |won't install on Sparc      |won't install on Sparc
                   |Station 5, Solaris 8        |Station 5, Solaris 8

------- Additional Comments From dtucker at zip.com.au 2002-06-28 09:37 -------
Only a guess but worth checking: I've seen binaries corrupted on
Solaris/SPARC when programs linked by /usr/ccs/bin/ld are stripped with
GNU strip. Try putting /usr/ccs/bin at the start of your path and
recompiling.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From sxw at dcs.ed.ac.uk Fri Jun 28 09:56:13 2002
From: sxw at dcs.ed.ac.uk (Simon Wilkinson)
Date: Fri, 28 Jun 2002 00:56:13 +0100 (BST)
Subject: GSSAPI patches for OpenSSH 3.4p1 now available
Message-ID:

An updated version of my GSSAPI patches is now available for use with
OpenSSH 3.4p1. This version also includes support for running with
privsep enabled. The patches are available from

    http://www.sxw.org.uk/computing/patches/openssh.html

These patches provide support for Kerberos and GSI authentication and
credential passing with version 2 of the SSH protocol. They implement
the protocol described in draft-ietf-secsh-gsskeyex-03, which is
hopefully approaching WG last call!

I'd be very grateful if anyone more familiar with the privsep code could
review the GSSAPI monitor routines.

Thanks to those who put time aside to test this code over the last week!

Cheers,

Simon.

From mouring at etoh.eviladmin.org Fri Jun 28 10:01:12 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 27 Jun 2002 19:01:12 -0500 (CDT)
Subject: No TTY prealloc; Tru64 can't do post-auth privsep
In-Reply-To: <20020627125354.B102947@hiwaay.net>
Message-ID:

can I get the manpages for the sia_*() functions used?

- Ben

On Thu, 27 Jun 2002, Chris Adams wrote:
> Well, after digging around and thinking some more, I'm giving up on the
> idea of preallocating a TTY to get post-auth privsep working on Tru64.
> I don't think it will work, because just allocating a TTY doesn't fix
> the problem - there's no valid way to tie that TTY back to the client
> process (because it hasn't requested a TTY yet and may not ever do so).
> The problem is that the Tru64 session setup routines may require a TTY
> for interaction with the client (changing expired passwords for example)
> or for notifying the client that the account is locked, expired, etc.
> The interactive cases obviously don't work on non-TTY logins right now,
> but I don't want to break them for the TTY cases too where they
> currently work.
>
> Just add Tru64 to the set of platforms that can't do post-auth privsep
> (I still don't think it should be flagged as BROKEN_FD_PASSING because
> FD passing does work on Tru64, but whatever).
> --
> Chris Adams
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From klewall at uvic.ca Fri Jun 28 10:14:24 2002
From: klewall at uvic.ca (Kim Lewall)
Date: Thu, 27 Jun 2002 17:14:24 -0700 (PDT)
Subject: ssh_rsa_verify: RSA_verify failed: error:
Message-ID:

Host based authentication does not seem to be working for us after
upgrading to openssh-3.4p1 (we were at openssh-3.1p1) (openssl is at
0.96d). Any time we try to connect from another unix box also running
openssh-3.4p1, we get the following error (on the server side) and host
based auth fails (it falls back to password prompt).

    sshd[15038]: error: ssh_rsa_verify: RSA_verify failed: error:04077068:lib(4):func(119):reason(104)

We are running on AIX 4.3.3 using the IBM VAC C compiler.

    User binaries: /usr/local/bin
    System binaries: /usr/local/sbin
    Configuration files: /usr/local/etc
    Askpass program: /usr/local/libexec/ssh-askpass
    Manual pages: /usr/local/man/manX
    PID file: /usr/local/etc
    Privilege separation chroot path: /var/empty
    sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
    Manpage format: man
    PAM support: no
    KerberosIV support: no
    KerberosV support: no
    Smartcard support: no
    AFS support: no
    S/KEY support: no
    TCP Wrappers support: yes
    MD5 password support: no
    IP address in $DISPLAY hack: no
    Use IPv4 by default hack: no
    Translate v4 in v6 hack: no
    BSD Auth support: no
    Random number source: ssh-rand-helper
    ssh-rand-helper collects from: Command hashing (timeout 200)

    Host: rs6000-ibm-aix4.3.3.0
    Compiler: cc
    Compiler flags: -g
    Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include
    Linker flags: -L/usr/local/ssl/lib -L/usr/local/lib -blibpath:/usr/lib:/lib:/usr/local/lib
    Libraries: -lwrap -lz -lcrypto

Changing UsePrivilegeSeparation to no has no effect. Removing and
creating new keys on both sides has no effect.

The only changes to the sshd_config file are:

    PermitRootLogin no
    IgnoreRhosts no
    HostbasedAuthentication yes

The only changes to the ssh_config file are:

    Host *
    ForwardX11 yes
    HostbasedAuthentication yes
    RhostsRSAAuthentication yes

The relevant part of sshd -ddd output seems to be:

    debug3: mm_send_debug: Sending debug: Accepted by .rhosts.
    debug3: mm_send_debug: Sending debug: Accepted host bmx.comp.uvic.ca ip 142.104.16.101 client_user klewall server_user klewall
    debug3: mm_key_verify entering
    debug3: mm_request_send entering: type 22
    debug3: monitor_read: checking request 22
    ssh_rsa_verify: RSA_verify failed: error:04077068:lib(4):func(119):reason(104)
    debug1: ssh_rsa_verify: signature incorrect
    debug3: mm_answer_keyverify: key 2003b5e8 signature unverified
    debug3: mm_request_send entering: type 23
    Failed hostbased for klewall from 142.104.16.101 port 36574 ssh2
    debug3: mm_request_receive entering
    debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY
    debug3: mm_request_receive_expect entering: type 23
    debug3: mm_request_receive entering
    debug2: userauth_hostbased: authenticated 0
    Failed hostbased for klewall from 142.104.16.101 port 36574 ssh2

Any ideas? Thanks.

--------------------
Kim Lewall                       tel 250/721-7650
Systems Programmer               klewall at uvic.ca   cel 250/213-7887
University of Victoria Cle D039  fax 250/721-8778

From mouring at etoh.eviladmin.org Fri Jun 28 10:09:55 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 27 Jun 2002 19:09:55 -0500 (CDT)
Subject: ssh_rsa_verify: RSA_verify failed: error:
In-Reply-To:
Message-ID:

Try the following patch:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-keysign.c.diff?r1=1.4&r2=1.5

On Thu, 27 Jun 2002, Kim Lewall wrote:
> Host based authentication does not seem to be working for us after
> upgrading to openssh-3.4p1 (we were at openssh-3.1p1) (openssl is at
> 0.96d). Any time we try to connect from another unix box also running
> openssh-3.4p1, we get the following error (on the server side) and host
> based auth fails (it falls back to password prompt).
>
> sshd[15038]: error: ssh_rsa_verify: RSA_verify failed:
> error:04077068:lib(4):func(119):reason(104)
>
> We are running on AIX 4.3.3 using the IBM VAC C compiler.
>
> User binaries: /usr/local/bin
> System binaries: /usr/local/sbin
> Configuration files: /usr/local/etc
> Askpass program: /usr/local/libexec/ssh-askpass
> Manual pages: /usr/local/man/manX
> PID file: /usr/local/etc
> Privilege separation chroot path: /var/empty
> sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
> Manpage format: man
> PAM support: no
> KerberosIV support: no
> KerberosV support: no
> Smartcard support: no
> AFS support: no
> S/KEY support: no
> TCP Wrappers support: yes
> MD5 password support: no
> IP address in $DISPLAY hack: no
> Use IPv4 by default hack: no
> Translate v4 in v6 hack: no
> BSD Auth support: no
> Random number source: ssh-rand-helper
> ssh-rand-helper collects from: Command hashing (timeout 200)
>
> Host: rs6000-ibm-aix4.3.3.0
> Compiler: cc
> Compiler flags: -g
> Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include
> Linker flags: -L/usr/local/ssl/lib -L/usr/local/lib -blibpath:/usr/lib:/lib:/usr/local/lib
> Libraries: -lwrap -lz -lcrypto
>
> Changing UsePrivilegeSeperation to no has no effect. Removing and
> creating new keys on both sides has no effect.
>
> The only changes to the sshd_config file are:
>
> PermitRootLogin no
> IgnoreRhosts no
> HostbasedAuthentication yes
>
> The only changes to the ssh_config file are:
>
> Host *
> ForwardX11 yes
> HostbasedAuthentication yes
> RhostsRSAAuthentication yes
>
> The relevant part of sshd -ddd output seems to be:
>
> debug3: mm_send_debug: Sending debug: Accepted by .rhosts.
> debug3: mm_send_debug: Sending debug: Accepted host bmx.comp.uvic.ca ip
> 142.104.16.101 client_user klewall server_user klewall
> debug3: mm_key_verify entering
> debug3: mm_request_send entering: type 22
> debug3: monitor_read: checking request 22
> ssh_rsa_verify: RSA_verify failed:
> error:04077068:lib(4):func(119):reason(104)
> debug1: ssh_rsa_verify: signature incorrect
> debug3: mm_answer_keyverify: key 2003b5e8 signature unverified
> debug3: mm_request_send entering: type 23
> Failed hostbased for klewall from 142.104.16.101 port 36574 ssh2
> debug3: mm_request_receive entering
> debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY
> debug3: mm_request_receive_expect entering: type 23
> debug3: mm_request_receive entering
> debug2: userauth_hostbased: authenticated 0
> Failed hostbased for klewall from 142.104.16.101 port 36574 ssh2
>
> Any ideas? Thanks.
>
> --------------------
> Kim Lewall                       tel 250/721-7650
> Systems Programmer               klewall at uvic.ca   cel 250/213-7887
> University of Victoria Cle D039  fax 250/721-8778
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From bugzilla-daemon at mindrot.org Fri Jun 28 10:25:06 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 10:25:06 +1000 (EST)
Subject: [Bug 305] openssh-3.4p1/openbsd-compat/setenv.c lacks include
Message-ID: <20020628002506.DD8ACE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=305

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From mouring at eviladmin.org 2002-06-28 10:25 -------
fixed in cvs

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Jun 28 10:38:58 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 10:38:58 +1000 (EST)
Subject: [Bug 303] conftest fails to determine mmap anon shared
Message-ID: <20020628003858.705A6E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=303

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From mouring at eviladmin.org 2002-06-28 10:38 -------
committed.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Jun 28 10:54:54 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 10:54:54 +1000 (EST)
Subject: [Bug 311] Compile fails on MIPS Linux (Cobalt Raq2) - SCM_RIGHTS undeclared
Message-ID: <20020628005454.3D450E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=311

------- Additional Comments From matt at primefactor.com 2002-06-28 10:54 -------
As best as I can tell, I appear to be using glibc 2.0.7.

The output of the find command returned one line which was:

    /usr/include/linux/socket.h

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From phil-openssh-unix-dev at ipal.net Fri Jun 28 11:36:23 2002
From: phil-openssh-unix-dev at ipal.net (Phil Howard)
Date: Thu, 27 Jun 2002 20:36:23 -0500
Subject: your mail
In-Reply-To: <5136896824.20020627202114@kokos.cz>
References: <5136896824.20020627202114@kokos.cz>
Message-ID: <20020628013623.GF4800@vega.ipal.net>

On Thu, Jun 27, 2002 at 08:21:14PM +0200, seth at kokos.cz wrote:

| Hi Phil,
|
| answer to your questions:
|
| > Which specific Slackware? Too embarrassed to say?
|
| Really, really don't know exactly. :)
| Installed approx. 5 years ago (maybe 4.5, 4.6, maybe 5.0 ... who knows now ... )

Sounds like about 3.6. After 4.0 came 7.0.

| > Which OpenSSL? 0.9.6a? 0.9.6b? 0.9.6c? 0.9.6d?
|
| Only info I found is 0.9.6. Let's suppose it's 0.9.6. ;)

Probably doesn't matter.

| > How about telling me how long you're going to leave this machine
| > running such an old system? Slackware 8.1 is out now. Be sure
| > to get the "patches" directory, which includes OpenSSH 3.4p1.
|
| As long as it will be able to make its job. :) First, it's working 5
| years with only minor problems (patching from time to time). Second,
| I now have not regular access to HW of this machine so complete re-installing
| with new version is not possible. Nobody other will do that. It's
| configured and tuned. It's working. That's the point. We know it's
| old. Doesn't matter.

"It's working fine" is probably _the_ most common reason management
types refuse to allow security to be added to a server. The fact is it
may be NOT working fine at all ... you just don't know that until the
cracker comes around. So it probably does matter, if security is an
issue. If it isn't, why are you trying to upgrade SSH?

Post your IP address. I'm sure it will be cracked into very soon. If
you happen to get a really kind cracker, he'll re-install a new version
of Slackware for you (with his own backdoor, of course) just to keep the
other vultures from taking the kill.

| Speaking frankly I expected answer of type - upgrade kernel to version
| bla bla bla or list of versions and components required for
| successful compilation.

More advanced features in newer kernels are needed. Even 2.2 has
problems. I expect 2.0 to have more problems.

| Let's look at problematic code in file monitor_fdpass.c:

[snip]

| Okay, compiler is complaining about CMSG_FIRSTHDR and CMSG_DATA. Where
| they are??? Shouldn't be in defines.h ??? (as CMSG_LEN) ... I was
| grepping for them in all files ... they are not there ...

They are defined by POSIX, not SSH. Do "man cmsg" for more info.

I grepped for where they are defined and found:

    /usr/include/bits/socket.h:# define CMSG_DATA(cmsg) ((cmsg)->__cmsg_data)
    /usr/include/bits/socket.h:# define CMSG_DATA(cmsg) ((unsigned char *) ((struct cmsghdr *) (cmsg) + 1))
    /usr/include/bits/socket.h:#define CMSG_FIRSTHDR(mhdr) \
    /usr/include/bits/socket.h:#define CMSG_LEN(len) (CMSG_ALIGN (sizeof (struct cmsghdr)) + (len))
    /usr/include/linux/socket.h:#define CMSG_DATA(cmsg) ((void *)((char *)(cmsg) + CMSG_ALIGN(sizeof(struct cmsghdr))))
    /usr/include/linux/socket.h:#define CMSG_LEN(len) (CMSG_ALIGN(sizeof(struct cmsghdr)) + (len))
    /usr/include/linux/socket.h:#define __CMSG_FIRSTHDR(ctl,len) ((len) >= sizeof(struct cmsghdr) ? \
    /usr/include/linux/socket.h:#define CMSG_FIRSTHDR(msg) __CMSG_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)
    /usr/src/linux/include/linux/socket.h:#define CMSG_DATA(cmsg) ((void *)((char *)(cmsg) + CMSG_ALIGN(sizeof(struct cmsghdr))))
    /usr/src/linux/include/linux/socket.h:#define CMSG_LEN(len) (CMSG_ALIGN(sizeof(struct cmsghdr)) + (len))
    /usr/src/linux/include/linux/socket.h:#define __CMSG_FIRSTHDR(ctl,len) ((len) >= sizeof(struct cmsghdr) ? \
    /usr/src/linux/include/linux/socket.h:#define CMSG_FIRSTHDR(msg) __CMSG_FIRSTHDR((msg)->msg_control, (msg)->msg_controllen)

| Regards, Richard.
|
| PS: Attaching config.log. Maybe will help you to identify the problem.
I can tell they are missing from your system. That's why you'll need to do some upgrading. -- ----------------------------------------------------------------- | Phil Howard - KA9WGN | Dallas | http://linuxhomepage.com/ | | phil-nospam at ipal.net | Texas, USA | http://phil.ipal.org/ | ----------------------------------------------------------------- From bugzilla-daemon at mindrot.org Fri Jun 28 15:45:14 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Jun 2002 15:45:14 +1000 (EST) Subject: [Bug 312] New: canhost.h needs to be included Message-ID: <20020628054514.59E85E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=312 Summary: canhost.h needs to be included Product: Portable OpenSSH Version: -current Platform: All OS/Version: FreeBSD Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: dirk.meyer at dinoex.sub.org --- auth1.c.orig Fri Jun 21 08:21:11 2002 +++ auth1.c Fri Jun 28 06:57:42 2002 @@ -26,6 +26,7 @@ #include "session.h" #include "uidswap.h" #include "monitor_wrap.h" +#include "canohost.h" /* import */ extern ServerOptions options; --- auth2.c.orig Fri Jun 21 08:21:11 2002 +++ auth2.c Fri Jun 28 06:57:56 2002 @@ -35,6 +35,7 @@ #include "dispatch.h" #include "pathnames.h" #include "monitor_wrap.h" +#include "canohost.h" /* import */ extern ServerOptions options; ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Fri Jun 28 15:46:33 2002 
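Review bot: the Summary reads "canhost.h" while both hunks (auth1.c and auth2.c) add `#include "canohost.h"`; the include is the right name, so fix the bug title so searches match. The hunks themselves are fine as one-line additions after "monitor_wrap.h", but the report should quote the compiler warning (the implicit declaration, presumably of a get_canonical_hostname/get_remote_* call) that motivated them, so the reviewer can confirm the header is needed in both files rather than only one.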
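Bug 311's failing functions, mm_send_fd and mm_receive_fd, and the CMSG_* macros Phil points to above are the descriptor-passing path the privsep monitor uses over its Unix socket. The round trip below is an added example for this archive, not monitor_fdpass.c itself: `send_fd`, `recv_fd` and `fdpass_roundtrip` are assumed names, and the receive side checks the control message's level, type and length and rejects a truncated one before trusting the descriptor.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>

/* Send one descriptor over a Unix-domain socket as an SCM_RIGHTS control
 * message. Returns 0 on success, -1 on failure. */
int send_fd(int sock, int fd)
{
    char byte = 0;                       /* at least one data byte must travel */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctl;
    struct msghdr msg;
    struct cmsghdr *cmsg;

    memset(&ctl, 0, sizeof(ctl));
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctl.buf;
    msg.msg_controllen = sizeof(ctl.buf);

    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;        /* the identifier bug 311 cannot find */
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor; returns the new fd or -1. The control message must
 * be SOL_SOCKET/SCM_RIGHTS carrying exactly one int, and a truncated
 * ancillary buffer (MSG_CTRUNC) is rejected rather than partially trusted. */
int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } ctl;
    struct msghdr msg;
    struct cmsghdr *cmsg;
    int fd;

    memset(&ctl, 0, sizeof(ctl));
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctl.buf;
    msg.msg_controllen = sizeof(ctl.buf);

    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    if (msg.msg_flags & MSG_CTRUNC)
        return -1;
    cmsg = CMSG_FIRSTHDR(&msg);
    if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET ||
        cmsg->cmsg_type != SCM_RIGHTS ||
        cmsg->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* Pass the read end of a pipe across a socketpair and read a constructed
 * marker back through the received descriptor. Returns the marker length
 * (6) on success, -1 on any failure. */
int fdpass_roundtrip(void)
{
    static const char marker[] = "passed";   /* constructed payload */
    int sv[2], pfd[2], got;
    char buf[16];
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || pipe(pfd) != 0)
        return -1;
    if (write(pfd[1], marker, 6) != 6 || send_fd(sv[0], pfd[0]) != 0)
        return -1;
    got = recv_fd(sv[1]);
    if (got < 0)
        return -1;
    n = read(got, buf, sizeof(buf));
    close(got); close(pfd[0]); close(pfd[1]); close(sv[0]); close(sv[1]);
    return (n == 6 && memcmp(buf, marker, 6) == 0) ? 6 : -1;
}

int main(void)
{
    printf("fd passing round trip: %d\n", fdpass_roundtrip());
    return 0;
}
```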
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Jun 2002 15:46:33 +1000 (EST) Subject: [Bug 313] New: undefined type in older cc's Message-ID: <20020628054633.87A49E8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=313 Summary: undefined type in older cc's Product: Portable OpenSSH Version: -current Platform: Other OS/Version: FreeBSD Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: dirk.meyer at dinoex.sub.org --- defines.h.orig Tue Feb 26 17:40:49 2002 +++ defines.h Fri Mar 8 18:51:27 2002 @@ -146,7 +146,7 @@ including rpc/rpc.h breaks Solaris 6 */ #ifndef INADDR_LOOPBACK -#define INADDR_LOOPBACK ((ulong)0x7f000001) +#define INADDR_LOOPBACK ((u_long)0x7f000001) #endif /* Types */ ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Fri Jun 28 15:48:14 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Jun 2002 15:48:14 +1000 (EST) Subject: [Bug 314] New: switch to READPASSPHRASE_H to avoid conflicts with exiisting headers Message-ID: <20020628054814.AA9B0E904@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=314 Summary: switch to READPASSPHRASE_H to avoid conflicts with exiisting headers Product: Portable OpenSSH Version: -current Platform: Other OS/Version: FreeBSD Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: dirk.meyer at dinoex.sub.org --- openbsd-compat/readpassphrase.h.orig Sun Jan 27 19:18:10 2002 +++ openbsd-compat/readpassphrase.h Sun Jan 27 19:18:54 2002 @@ -28,6 +28,6 @@ */ -#ifndef _READPASSPHRASE_H_ -#define _READPASSPHRASE_H_ +#ifndef READPASSPHRASE_H_ +#define READPASSPHRASE_H_ #include "includes.h" 
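Review bot: in the defines.h hunk, replacing `ulong` with `u_long` trades one non-standard typedef for another: `u_long` is a BSD convenience type that an old compiler without `ulong` may equally lack unless <sys/types.h> provides it. Since this fallback only fires when <netinet/in.h> did not define INADDR_LOOPBACK, a cast that needs no typedef is safer, e.g. `#define INADDR_LOOPBACK ((unsigned long)0x7f000001)` or the u_int32_t the rest of defines.h already arranges for.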
@@ -43,6 +43,7 @@ char *readpassphrase(const char *, char *, size_t, int); - +#else /* HAVE_READPASSPHRASE */ +#include #endif /* HAVE_READPASSPHRASE */ -#endif /* !_READPASSPHRASE_H_ */ +#endif /* !READPASSPHRASE_H_ */ ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Fri Jun 28 15:50:58 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Jun 2002 15:50:58 +1000 (EST) Subject: [Bug 315] New: add miissing includes and defines for FREEBSD Message-ID: <20020628055058.9D82CE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=315 Summary: add miissing includes and defines for FREEBSD Product: Portable OpenSSH Version: -current Platform: Other OS/Version: FreeBSD Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: dirk.meyer at dinoex.sub.org --- session.c.orig Wed Jun 26 15:51:06 2002 +++ session.c Wed Jun 26 18:20:35 2002 @@ -64,6 +64,13 @@ #define is_winnt (GetVersion() < 0x80000000) #endif +#ifdef __FreeBSD__ +#include +#include +#include +#define _PATH_CHPASS "/usr/bin/passwd" +#endif /* __FreeBSD__ */ + /* func */ Session *session_new(void); ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Fri Jun 28 15:52:12 2002 
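Review bot: the guard rename in the first readpassphrase.h hunk (`_READPASSPHRASE_H_` to `READPASSPHRASE_H_`) is correct on its own, since identifiers starting with an underscore and a capital are reserved and the old name is exactly what a system <readpassphrase.h> would use, which explains the "conflicts with existing headers" in the Summary; the closing `#endif` comment in the second hunk is updated to match, so both hunks must go in together.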
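Review bot: in the second readpassphrase.h hunk the new `#else /* HAVE_READPASSPHRASE */` branch adds an `#include` whose header name has been lost in this report (the line reads `+#include` with nothing after it), so the patch cannot be reviewed or applied as posted; please re-attach it as a file. Note also that this changes behaviour for every platform that has HAVE_READPASSPHRASE, which previously got nothing from this compat header, so confirm that the system header it pulls in does not redeclare `readpassphrase()` differently from the prototype in the context line above it.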
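Review bot: the session.c hunk hard-codes `#define _PATH_CHPASS "/usr/bin/passwd"` inside a `__FreeBSD__` block, and the three `#include` lines have lost their header names in this report; as with bug 314, attach the diff as a file. Path constants belong in defines.h or pathnames.h next to the other _PATH_* fallbacks, guarded by `#ifndef _PATH_CHPASS` so a system <paths.h> that already defines it does not produce a redefinition warning; and the adjacent context (`#define is_winnt ...`) shows the file already keeps platform-specific definitions in a separate conditional block, so this should follow that layout rather than adding an OS-name ifdef to the include section.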
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Jun 2002 15:52:12 +1000 (EST) Subject: [Bug 316] New: ifdefs for systems without IPV6 Message-ID: <20020628055212.884ADE902@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=316 Summary: ifdefs for systems without IPV6 Product: Portable OpenSSH Version: -current Platform: Other OS/Version: FreeBSD Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: dirk.meyer at dinoex.sub.org --- sshconnect.c.orig Wed Aug 8 00:29:09 2001 +++ sshconnect.c Wed Oct 3 14:28:15 2001 @@ -577,11 +577,13 @@ sin_addr.s_addr) >> 24) == IN_LOOPBACKNET; salen = sizeof(struct sockaddr_in); break; +#ifdef HAVE_STRUCT_SOCKADDR_IN6 case AF_INET6: local = IN6_IS_ADDR_LOOPBACK( &(((struct sockaddr_in6 *)hostaddr)->sin6_addr)); salen = sizeof(struct sockaddr_in6); break; +#endif default: local = 0; salen = sizeof(struct sockaddr_storage); ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Fri Jun 28 15:53:45 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 28 Jun 2002 15:53:45 +1000 (EST) Subject: [Bug 317] New: add header so ptty functions are found Message-ID: <20020628055345.C9CDDE917@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=317 Summary: add header so ptty functions are found Product: Portable OpenSSH Version: -current Platform: Other OS/Version: FreeBSD Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: dirk.meyer at dinoex.sub.org --- sshpty.c.orig Wed Jun 26 01:21:42 2002 +++ sshpty.c Fri Jun 28 07:09:38 2002 
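Review bot: the sshconnect.c hunk is against a tree from August 2001 (`sshconnect.c.orig Wed Aug 8 00:29:09 2001`) while the bug is filed against -current, so it needs to be regenerated before it can be evaluated; the `@@ -577,11 +577,13 @@` offsets are unlikely to still apply. On substance, wrapping the `case AF_INET6:` arm in `#ifdef HAVE_STRUCT_SOCKADDR_IN6` is consistent with the configure check, but the `default:` arm in the same context uses `sizeof(struct sockaddr_storage)`, which is typically missing on the same IPv6-less systems; the patch should say whether that type is available on the target or handle it the same way.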
@@ -30,6 +30,9 @@ #ifdef HAVE_PTY_H # include #endif +#ifdef __FreeBSD__ +#include +#endif #if defined(HAVE_DEV_PTMX) && defined(HAVE_SYS_STROPTS_H) # include #endif

From bugzilla-daemon at mindrot.org Fri Jun 28 16:09:15 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 16:09:15 +1000 (EST)
Subject: [Bug 311] Compile fails on MIPS Linux (Cobalt Raq2) - SCM_RIGHTS undeclared
Message-ID: <20020628060915.A1B0FE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=311

------- Additional Comments From jmknoble at pobox.com 2002-06-28 16:09 -------
Created an attachment (id=119)
Patch for Linux 2.0.x on Cobalt/MIPS platforms with missing SCM_RIGHTS in glibc includes

From bugzilla-daemon at mindrot.org Fri Jun 28 16:09:54 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 16:09:54 +1000 (EST)
Subject: [Bug 311] Compile fails on MIPS Linux (Cobalt Raq2) - SCM_RIGHTS undeclared
Message-ID: <20020628060954.453E3E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=311

------- Additional Comments From jmknoble at pobox.com 2002-06-28 16:09 -------
Your glibc package (or glibc-devel package, depending on your distribution) is probably broken; /usr/include/socketbits.h should also be listed in the output from the 'find' command. Has Cobalt/Sun not provided any update or errata packages for glibc? The equivalent Red Hat package is glibc-devel-2.0.7-29.4.

Try compiling with the attached patch.

From bugzilla-daemon at mindrot.org Fri Jun 28 20:26:41 2002
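Review bot: In the sshconnect.c hunk for bug 316, only the `case AF_INET6:` arm is wrapped in `#ifdef HAVE_STRUCT_SOCKADDR_IN6`, so on such a system any hostaddr of that family lands in `default:` with `local = 0` and `salen = sizeof(struct sockaddr_storage)`; check that `struct sockaddr_storage` exists on the targets that lack `sockaddr_in6`, since both types come from the same RFC 2553 additions and a system missing one often misses the other, in which case the `default:` arm needs the same guard. Treating an unrecognised address as not local is the conservative outcome only if `local` is solely used to relax a check downstream, which the commit message should say.

Review bot: The sshpty.c hunk for bug 317 adds an OS-specific `#ifdef __FreeBSD__` include directly below a configure-driven `#ifdef HAVE_PTY_H`; the header it pulls in (its name was lost in this archive) should get a configure check and a `HAVE_*_H` guard of its own, like the pty.h and sys/stropts.h includes around it, so the pty prototypes are found on every system that ships that header rather than only on FreeBSD. Missing prototypes are not cosmetic here: the compiler falls back to implicit `int` declarations and cannot check the arguments, so the build may succeed and misbehave instead of failing.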
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 20:26:41 +1000 (EST)
Subject: [Bug 294] tcp wrapper access changed between 2.9.9p2 and 3.3p1
Message-ID: <20020628102641.B051FE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=294

ktaylor at daac.gsfc.nasa.gov changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |major

From police at terrabox.com Fri Jun 28 20:45:08 2002
From: police at terrabox.com (police at terrabox.com)
Date: Fri, 28 Jun 2002 05:45:08 -0500
Subject: OpenSSH Bug Free
Message-ID: <200206281045.g5SAj8RX000384@ironsides.terrabox.com>

Hey all,

I am just wondering, if I need to install OpenSSH on my production servers, which version from 2.x to 3.x is the best or most bug-free so far; or, to put my question another way, which OpenSSH has the fewest exploits on Solaris.

Thanks.

From bugzilla-daemon at mindrot.org Fri Jun 28 20:51:23 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 20:51:23 +1000 (EST)
Subject: [Bug 294] tcp wrapper access changed between 2.9.9p2 and 3.3p1
Message-ID: <20020628105123.18A46E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=294

------- Additional Comments From markus at openbsd.org 2002-06-28 20:51 -------
that's all we changed:

packet_set_connection(sock_in, sock_out); remote_port = get_remote_port(); remote_ip = get_remote_ipaddr(); - /* Check whether logins are denied from this host. */ #ifdef LIBWRAP - /* XXX LIBWRAP noes not know about IPv6 */ + /* Check whether logins are denied from this host. */ { struct request_info req; - request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, NULL); + request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); fromhost(&req); if (!hosts_access(&req)) { + debug("Connection refused by tcp wrapper"); refuse(&req); - close(sock_in); - close(sock_out); + /* NOTREACHED */ + fatal("libwrap refuse returns"); } -/*XXX IPv6 verbose("Connection from %.500s port %d", eval_client(&req), remote_port); */ } #endif /* LIBWRAP */ + /* Log the connection. */ verbose("Connection from %.500s port %d", remote_ip, remote_port); :

From bugzilla-daemon at mindrot.org Fri Jun 28 20:56:45 2002
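Review bot: The one substantive line in this diff is the `request_init()` call, where the terminator of the variadic key/value list changes from `NULL` to `0`; that deserves a sentence in the log, because on a 64-bit target where `NULL` is `(void *)0` a pointer-sized terminator read back as an `int` by the callee is exactly the kind of thing that works with one compiler and not another, which matches the IRIX gcc-versus-native observation later in this bug. Second, `debug("Connection refused by tcp wrapper")` is only visible under `-d`; a refusal is a security event, so log it at `verbose()` level with `remote_ip` and `remote_port` (both already in scope a few lines down) rather than relying solely on libwrap's own logging. The `/* NOTREACHED */` plus `fatal("libwrap refuse returns")` is the right belt-and-braces: the two `close()` calls it replaces were dead if `refuse()` exits and, if it ever returned, would have let sshd carry on with closed sockets.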
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 20:56:45 +1000 (EST)
Subject: [Bug 294] tcp wrapper access changed between 2.9.9p2 and 3.3p1
Message-ID: <20020628105645.D4B24E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=294

------- Additional Comments From ktaylor at daac.gsfc.nasa.gov 2002-06-28 20:56 -------
hmm... that's weird. I wonder why the different behavior suddenly.

From barel_bhai at yahoo.com Fri Jun 28 21:37:50 2002
From: barel_bhai at yahoo.com (raam raam)
Date: Fri, 28 Jun 2002 04:37:50 -0700 (PDT)
Subject: SSH 1
In-Reply-To: <20020628102641.B051FE881@shitei.mindrot.org>
Message-ID: <20020628113750.44977.qmail@web20512.mail.yahoo.com>

Hi All

I checked in the drafts but could not find more information on SSH 1.
Is there any draft or any document available for SSH 1?
Where can I get more information for SSH1?

Thanks

Barel

__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com

From bugzilla-daemon at mindrot.org Fri Jun 28 21:43:51 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 21:43:51 +1000 (EST)
Subject: [Bug 294] tcp wrapper access changed between 2.9.9p2 and 3.3p1
Message-ID: <20020628114351.3B6BCE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=294

ktaylor at daac.gsfc.nasa.gov changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From ktaylor at daac.gsfc.nasa.gov 2002-06-28 21:43 -------
ok. I think I may be on to a way to get it working. If I compile it on IRIX with the IRIX native compilers (n32 mode), everything is working as it probably should. However, when using gcc 2.95.3 on IRIX, it had the tcp wrapper problem. Why this is an issue at all, I don't know... and way beyond my area of expertise to figure out... and probably not worth the effort.

Thanks.

From markus at openbsd.org Fri Jun 28 21:45:43 2002
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 28 Jun 2002 13:45:43 +0200
Subject: SSH 1
In-Reply-To: <20020628113750.44977.qmail@web20512.mail.yahoo.com>
References: <20020628102641.B051FE881@shitei.mindrot.org> <20020628113750.44977.qmail@web20512.mail.yahoo.com>
Message-ID: <20020628114543.GB7488@faui02>

check http://www.snailbook.com/docs/protocol-1.5.txt

On Fri, Jun 28, 2002 at 04:37:50AM -0700, raam raam wrote:
> Hi All
>
> I checked in the drafts but could not find more
> information on SSH 1.
> Is there any draft or any document available for SSH
> 1?
> Where can I get more information for SSH1?
>
> Thanks
>
> Barel
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! - Official partner of 2002 FIFA World Cup
> http://fifaworldcup.yahoo.com
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From bugzilla-daemon at mindrot.org Fri Jun 28 22:28:21 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 22:28:21 +1000 (EST)
Subject: [Bug 318] New: Install failure creating ssh_prng_cmds
Message-ID: <20020628122821.5D89EE8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=318

Summary: Install failure creating ssh_prng_cmds
Product: Portable OpenSSH
Version: -current
Platform: UltraSparc
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: Build system
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: j.wilson at eee.strath.ac.uk

Installation is failing during make install. Output from make:

if [ -f ssh_prng_cmds -a ! -z "yes" ]; then \
	/usr/bin/perl ./fixprogs ssh_prng_cmds ; \
	if [ ! -f /usr/local/etc/ssh_prng_cmds ] ; then \
		./install-sh -c -m 644 ssh_prng_cmds.out /usr/local/etc/ssh_prng_cmds; \
	else \
		echo "/usr/local/etc/ssh_prng_cmds already exists, install will not overwrite"; \
	fi ; \
fi
Couldn't open output file ssh_prng_cmds.out at ./fixprogs line 31.
*** Error code 13
make: Fatal error: Command failed for target `install-files'

From terryk at enterasys.com Fri Jun 28 22:32:29 2002
From: terryk at enterasys.com (Karpowicz, Theresa)
Date: Fri, 28 Jun 2002 08:32:29 -0400
Subject: auto login and logout
Message-ID: <71383200D43DD51196540002A5519F4A03E33E71@corp-exc1.enterasys.com>

I am a test engineer, testing the SSH server implementation in one of our switches.

How can I automate the login and logout of an SSH client from the command line? I have the following in a script file, but I get prompted for the password. How can I automate the password and the exit?

ssh2 -l $1 $2 (ssh2 -l )

Theresa C. Karpowicz
Software Engineer

Enterasys Networks
Phone: (800) 332-9401 x41263
Email: terryk @enterasys.com
www: http://www.enterasys.com/

From bugzilla-daemon at mindrot.org Fri Jun 28 22:59:11 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 28 Jun 2002 22:59:11 +1000 (EST)
Subject: [Bug 285] 3.3p1 on Linux 2.2.x doesn't accept connections
Message-ID: <20020628125911.CCEE0E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=285

janderson at ceeva.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From janderson at ceeva.com 2002-06-28 22:59 -------
OpenSSH 3.4p1 fixed this problem.

Kernel 2.2.14-5.0 - Compression yes and UsePrivilegeSeparation yes work
Kernel 2.2.12-32 - Compression must be disabled for UsePrivilegeSeparation to work.

I wanted to pass that along, I didn't know if that was "known" or not.

From jc at np.ph.bham.ac.uk Fri Jun 28 23:12:45 2002
From: jc at np.ph.bham.ac.uk (James Campbell)
Date: Fri, 28 Jun 2002 14:12:45 +0100 (BST)
Subject: Solaris packaging
Message-ID: <200206281312.OAA16533@nps.ph.bham.ac.uk>

Hi Ben,

Just a few things on the openssh 3.4p1 Solaris package.

1) Solaris naming convention would be OPENssh for package
2) Need to add the "sed" edit of X11Forwarding for ssh_config also
3) I prefer sym links as default (I suppose that's personal)
4) Need to provide a "response" file so that it doesn't need interaction to install!! - I do all installs via jumpstart scripts etc. Otherwise you get:

Adding package OPENssh....
Interactive request script supplied by package
pkgadd: ERROR: request script did not complete successfully

Installation of was suspended (interaction required).
No changes were made to the system.

cheers
Jim

From cmadams at hiwaay.net Sat Jun 29 00:00:57 2002
From: cmadams at hiwaay.net (Chris Adams)
Date: Fri, 28 Jun 2002 09:00:57 -0500
Subject: No TTY prealloc; Tru64 can't do post-auth privsep
In-Reply-To: ; from mouring@etoh.eviladmin.org on Thu, Jun 27, 2002 at 07:01:12PM -0500
References: <20020627125354.B102947@hiwaay.net>
Message-ID: <20020628090057.C277862@hiwaay.net>

Once upon a time, Ben Lindstrom said:
> can I get the manpages for the sia_*() functions used?

http://www.tru64unix.compaq.com/docs/base_doc/DOCUMENTATION/V51A_HTML/MAN/MAN3/0695____.HTM

For general info on the SIA architecture (which is kind of like PAM):

http://www.tru64unix.compaq.com/docs/base_doc/DOCUMENTATION/V51A_HTML/ARH95DTE/CSPRGXXX.HTM

which is part of

http://www.tru64unix.compaq.com/docs/base_doc/DOCUMENTATION/V51A_HTML/ARH95DTE/TITLE.HTM

-- 
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

> On Thu, 27 Jun 2002, Chris Adams wrote:
> > Well, after digging around and thinking some more, I'm giving up on the
> > idea of preallocating a TTY to get post-auth privsep working on Tru64.
> > I don't think it will work, because just allocating a TTY doesn't fix
> > the problem - there's no valid way to tie that TTY back to the client
> > process (because it hasn't requested a TTY yet and may not ever do so).
> > The problem is that the Tru64 session setup routines may require a TTY
> > for interaction with the client (changing expired passwords for example)
> > or for notifying the client that the account is locked, expired, etc.
> > The interactive cases obviously don't work on non-TTY logins right now,
> > but I don't want to break them for the TTY cases too where they
> > currently work.
> >
> > Just add Tru64 to the set of platforms that can't do post-auth privsep
> > (I still don't think it should be flagged as BROKEN_FD_PASSING because
> > FD passing does work on Tru64, but whatever).

From tim at multitalents.net Sat Jun 29 00:15:09 2002
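The BROKEN_FD_PASSING flag mentioned in the quoted text above, and the SCM_RIGHTS build failure in bug 311 earlier in this archive, both concern the same mechanism: sshd's privilege separation hands descriptors (the pty, the network socket) between the monitor and the unprivileged child over a UNIX-domain socket. The following is an added example, not OpenSSH's code, showing a minimal send/receive pair with the checks a receiver should make (control data not truncated, exactly one SCM_RIGHTS descriptor, nothing else) and a fork-based round trip that proves the passed descriptor actually works. The names send_fd, recv_fd, init_msg and fd_passing_roundtrip are this example's own.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <string.h>
#include <unistd.h>

/* Room for exactly one descriptor, aligned for struct cmsghdr. */
union fd_cmsg {
	struct cmsghdr hdr;
	char buf[CMSG_SPACE(sizeof(int))];
};

/* Fill in a msghdr that carries one data byte plus the control space. */
static void init_msg(struct msghdr *msg, struct iovec *iov, char *ch, union fd_cmsg *cm)
{
	memset(msg, 0, sizeof(*msg));
	memset(cm, 0, sizeof(*cm));
	iov->iov_base = ch;
	iov->iov_len = 1;
	msg->msg_iov = iov;
	msg->msg_iovlen = 1;
	msg->msg_control = cm->buf;
	msg->msg_controllen = sizeof(cm->buf);
}

/* Send fd over the UNIX socket sock. Returns 0 on success, -1 on error. */
int send_fd(int sock, int fd)
{
	struct msghdr msg;
	struct iovec iov;
	union fd_cmsg cm;
	struct cmsghdr *cmsg;
	char ch = 0;

	init_msg(&msg, &iov, &ch, &cm);
	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
	return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/*
 * Receive one descriptor from sock. Returns it, or -1 unless exactly one
 * SCM_RIGHTS descriptor arrived with untruncated control data; a receiver
 * that skips these checks can be handed garbage or the wrong fd.
 */
int recv_fd(int sock)
{
	struct msghdr msg;
	struct iovec iov;
	union fd_cmsg cm;
	struct cmsghdr *cmsg;
	char ch;
	int fd;

	init_msg(&msg, &iov, &ch, &cm);
	if (recvmsg(sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC))
		return -1;
	cmsg = CMSG_FIRSTHDR(&msg);
	if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET ||
	    cmsg->cmsg_type != SCM_RIGHTS ||
	    cmsg->cmsg_len != CMSG_LEN(sizeof(int)))
		return -1;
	memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
	return fd;
}

/*
 * Round trip: fork a child, pass it the read end of a pipe over a socketpair,
 * and have it read what the parent writes. The child closes its inherited
 * copies first, so only the passed descriptor can satisfy the read.
 * Returns 1 on success, 0 on failure.
 */
int fd_passing_roundtrip(void)
{
	int sv[2], pfd[2], status;
	pid_t pid;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(pfd) < 0)
		return 0;
	if ((pid = fork()) < 0)
		return 0;
	if (pid == 0) {
		char buf[8];
		int fd;
		close(sv[0]); close(pfd[0]); close(pfd[1]);
		fd = recv_fd(sv[1]);
		_exit(fd >= 0 && read(fd, buf, sizeof(buf)) == 5 &&
		      memcmp(buf, "hello", 5) == 0 ? 0 : 1);
	}
	close(sv[1]);
	if (send_fd(sv[0], pfd[0]) < 0)
		return 0;
	close(pfd[0]);
	if (write(pfd[1], "hello", 5) != 5)
		return 0;
	close(pfd[1]);
	close(sv[0]);
	return waitpid(pid, &status, 0) == pid &&
	    WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

The union keeps the control buffer aligned and sized for one int; a platform whose headers lack CMSG_SPACE or SCM_RIGHTS fails to compile this at the same spot bug 311 reports, which is a quick way to tell a broken header set from a kernel that truly cannot pass descriptors.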
From: tim at multitalents.net (Tim Rice)
Date: Fri, 28 Jun 2002 07:15:09 -0700 (PDT)
Subject: Solaris packaging
In-Reply-To: <200206281312.OAA16533@nps.ph.bham.ac.uk>
Message-ID: 

On Fri, 28 Jun 2002, James Campbell wrote:

> Hi Ben,
> Just a few things on openssh 3.4p1 Solaris package.
> 1) Solaris naming convention would be OPENssh for package
> 2) Need to add the "sed" edit of X11Forwarding for ssh_config also

Create a config.local in your build dir with

PKGNAME=OPENssh
X11_FORWARDING=yes

> 3) I prefer sym links as default (I suppose that's personal)

It is.

> 4) Need to provide a "response" file so that it doesn't need interaction
> to install!! - I do all installs via jumpstart scripts etc.
> otherwise you get:

Are you saying that buildpkg.sh should create a response file?

> Adding package OPENssh....
> Interactive request script supplied by package
> pkgadd: ERROR: request script did not complete successfully
>
> Installation of was suspended (interaction required).
> No changes were made to the system.
>
> cheers
> Jim

-- 
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From mouring at etoh.eviladmin.org Sat Jun 29 00:09:37 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 28 Jun 2002 09:09:37 -0500 (CDT)
Subject: Solaris packaging
In-Reply-To: <200206281312.OAA16533@nps.ph.bham.ac.uk>
Message-ID: 

On Fri, 28 Jun 2002, James Campbell wrote:

> Hi Ben,
> Just a few things on openssh 3.4p1 Solaris package.
> 1) Solaris naming convention would be OPENssh for package

We are not Sun. We don't call ourselves 'OPENssh'.

> 2) Need to add the "sed" edit of X11Forwarding for ssh_config also

Patch?

> 3) I prefer sym links as default (I suppose that's personal)

So do I.. but as a collective choice we decided to mirror Sun's choice of hardlinks.

> 4) Need to provide a "response" file so that it doesn't need interaction
> to install!! - I do all installs via jumpstart scripts etc.
> otherwise you get:

I don't use this feature. Provide a patch. Otherwise it will be added as the 101st thing on my list of things to do. Which at this rate will be two years to get to. =)

- Ben

From mouring at etoh.eviladmin.org Sat Jun 29 01:00:07 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 28 Jun 2002 10:00:07 -0500 (CDT)
Subject: No TTY prealloc; Tru64 can't do post-auth privsep
In-Reply-To: <20020628090057.C277862@hiwaay.net>
Message-ID: 

> > For general info on the SIA architecture (which is kind of like PAM):
> > http://www.tru64unix.compaq.com/docs/base_doc/DOCUMENTATION/V51A_HTML/ARH95DTE/CSPRGXXX.HTM
>

Ok.. This explains a lot. It looks and smells a lot like BSD_AUTH or PAM. So maybe this whole hell will go away if we treat it like BSD_AUTH/PAM by privsepifying it. Since it seems to be updating kernel tables, not inserting stuff into the actual login session.

Can you try this patch and make note of the one XXX question in auth-sia.c.

Index: auth-sia.c
===================================================================
RCS file: /var/cvs/openssh/auth-sia.c,v
retrieving revision 1.7
diff -u -r1.7 auth-sia.c
--- auth-sia.c 12 Apr 2002 15:36:08 -0000 1.7
+++ auth-sia.c 28 Jun 2002 15:05:28 -0000
@@ -77,7 +77,7 @@ } void -session_setup_sia(char *user, char *tty) +setup_sia(char *user, char *tty) { struct passwd *pw; SIAENTITY *ent = NULL;
@@ -116,6 +116,7 @@ sia_ses_release(&ent); + /* XXX: Should this be be around a if (!use_privsep) ? */ if (setreuid(geteuid(), geteuid()) < 0) { fatal("setreuid: %s", strerror(errno)); }
Index: monitor.c
===================================================================
RCS file: /var/cvs/openssh/monitor.c,v
retrieving revision 1.22
diff -u -r1.22 monitor.c
--- monitor.c 27 Jun 2002 00:12:58 -0000 1.22
+++ monitor.c 28 Jun 2002 15:05:34 -0000
@@ -120,6 +120,10 @@ int mm_answer_pam_start(int, Buffer *); #endif +#ifdef HAVE_OSF_SIA +int mm_answer_setup_sia(int, Buffer *); +#endif + static Authctxt *authctxt; static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
@@ -154,6 +158,9 @@ {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, +#ifdef HAVE_OSF_SIA + (MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia), +#endif #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, #endif
@@ -196,6 +203,9 @@ {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery}, {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond}, #endif +#ifdef HAVE_OSF_SIA + (MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia), +#endif #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, #endif
@@ -716,6 +726,22 @@ auth_method = "skey"; return (authok != 0); +} +#endif + +#ifdef HAVE_OSF_SIA +int +mm_answer_setup_sia(int socket, Buffer *m) +{ + char *user, *tty; + + user = buffer_get_string(m, NULL); + tty = buffer_get_string(m, NULL); + + setup_sia(user, tty); + + xfree(user); + xfree(tty); } #endif
Index: monitor.h
===================================================================
RCS file: /var/cvs/openssh/monitor.h,v
retrieving revision 1.8
diff -u -r1.8 monitor.h
--- monitor.h 11 Jun 2002 16:42:49 -0000 1.8
+++ monitor.h 28 Jun 2002 15:05:37 -0000
@@ -50,6 +50,7 @@ MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, MONITOR_REQ_PAM_START, + MONITOR_REQ_SETUP_SIA, MONITOR_REQ_TERM };

From brhamon at cisco.com Sat Jun 29 01:13:59 2002
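Review bot: Both dispatch-table entries in the monitor.c hunks at -154 and -196 are written with parentheses, `(MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia),`, where every neighbouring row uses braces; inside an aggregate initializer that is a comma expression, not a struct, so this does not compile. More importantly, the two tables these hunks land in are the pre-authentication ones (their neighbours are `MONITOR_REQ_AUTHPASSWORD`, `MONITOR_REQ_SKEYQUERY` and `MONITOR_REQ_PAM_START`), so an unauthenticated, possibly compromised child could ask the monitor to run `setup_sia()` as root for any `user` string it chooses. Register the request in the post-auth dispatch tables only, and have the handler take the user from what the monitor has already authenticated (`authctxt` is right there as a static) rather than from the string in the buffer.

Review bot: In the -716 hunk, `mm_answer_setup_sia()` is declared `int` but falls off the end without returning anything, and unlike its neighbours it sends no reply, so the child cannot learn whether session setup succeeded. On the `XXX` in the auth-sia.c hunk: under privsep the function now runs in the monitor as root, where `setreuid(geteuid(), geteuid())` changes nothing, while the non-privsep path still relies on it in the child; guarding it with `if (!use_privsep)` as the comment suggests is right, provided the privsep child still drops privileges through its usual `permanently_set_uid()` path.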
From: brhamon at cisco.com (Brian Hamon)
Date: Fri, 28 Jun 2002 10:13:59 -0500
Subject: auto login and logout
In-Reply-To: <71383200D43DD51196540002A5519F4A03E33E71@corp-exc1.enterasys.com>
Message-ID: <4.3.2.7.2.20020628100406.01cdcb40@3rdclass.cisco.com>

If the switches support RSA Authentication, run an agent on the client side and use it. Since most ssh-enabled appliances seem to implement only password-based authentication, you must resort to other (less secure) means.

PuTTY allows the password to be passed on the command line (plink.exe).

If you must use OpenSSH, the only thing left to do is to modify the source code to allow OpenSSH to write the password prompt over stdout and read the password from stdin. This bypasses some security measures in OpenSSH, so be sure to mark your changed version appropriately. With this change, you can parse the child-to-parent pipe for the password prompt, and send the cleartext password down the parent-to-child pipe.

At 07:32 AM 6/28/2002, Karpowicz, Theresa wrote:
>I am a test engineer, testing SSH server implementation of SSH into one of
>our switches.
>
>How can I automate the login and logout of an SSH client from the command
>line?
>I have in a script file the following, but I get prompted for the password.
>How can I automate the password and the exit.
>
>ssh2 -l $1 $2 (ssh2 -l )
>
>Theresa C. Karpowicz
>Software Engineer
>
>Enterasys Networks
>Phone: (800) 332-9401 x41263
>Email: terryk@enterasys.com
>www: http://www.enterasys.com/

From mouring at etoh.eviladmin.org Sat Jun 29 01:07:06 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 28 Jun 2002 10:07:06 -0500 (CDT)
Subject: No TTY prealloc; Tru64 can't do post-auth privsep
In-Reply-To: 
Message-ID: 

Sorry, new patch.. I forgot to add in the actual privsep call.

Index: auth-sia.c
===================================================================
RCS file: /var/cvs/openssh/auth-sia.c,v
retrieving revision 1.7
diff -u -r1.7 auth-sia.c
--- auth-sia.c 12 Apr 2002 15:36:08 -0000 1.7
+++ auth-sia.c 28 Jun 2002 15:17:12 -0000
@@ -77,7 +77,7 @@ } void -session_setup_sia(char *user, char *tty) +setup_sia(char *user, char *tty) { struct passwd *pw; SIAENTITY *ent = NULL;
@@ -116,6 +116,7 @@ sia_ses_release(&ent); + /* XXX: Should this be be around a if (!use_privsep) ? */ if (setreuid(geteuid(), geteuid()) < 0) { fatal("setreuid: %s", strerror(errno)); }
Index: monitor.c
===================================================================
RCS file: /var/cvs/openssh/monitor.c,v
retrieving revision 1.22
diff -u -r1.22 monitor.c
--- monitor.c 27 Jun 2002 00:12:58 -0000 1.22
+++ monitor.c 28 Jun 2002 15:17:18 -0000
@@ -120,6 +120,10 @@ int mm_answer_pam_start(int, Buffer *); #endif +#ifdef HAVE_OSF_SIA +int mm_answer_setup_sia(int, Buffer *); +#endif + static Authctxt *authctxt; static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
@@ -154,6 +158,9 @@ {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, +#ifdef HAVE_OSF_SIA + (MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia), +#endif #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, #endif
@@ -196,6 +203,9 @@ {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery}, {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond}, #endif +#ifdef HAVE_OSF_SIA + (MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia), +#endif #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, #endif
@@ -716,6 +726,22 @@ auth_method = "skey"; return (authok != 0); +} +#endif + +#ifdef HAVE_OSF_SIA +int +mm_answer_setup_sia(int socket, Buffer *m) +{ + char *user, *tty; + + user = buffer_get_string(m, NULL); + tty = buffer_get_string(m, NULL); + + setup_sia(user, tty); + + xfree(user); + xfree(tty); } #endif
Index: monitor.h
===================================================================
RCS file: /var/cvs/openssh/monitor.h,v
retrieving revision 1.8
diff -u -r1.8 monitor.h
--- monitor.h 11 Jun 2002 16:42:49 -0000 1.8
+++ monitor.h 28 Jun 2002 15:17:21 -0000
@@ -50,6 +50,7 @@ MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, MONITOR_REQ_PAM_START, + MONITOR_REQ_SETUP_SIA, MONITOR_REQ_TERM };
Index: session.c
===================================================================
RCS file: /var/cvs/openssh/session.c,v
retrieving revision 1.208
diff -u -r1.208 session.c
--- session.c 26 Jun 2002 13:51:06 -0000 1.208
+++ session.c 28 Jun 2002 15:17:30 -0000
@@ -1269,7 +1269,7 @@ */ if (!options.use_login) { #ifdef HAVE_OSF_SIA - session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty); + PRIVSEP(setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty)); if (!check_quietlogin(s, command)) do_motd(); #else /* HAVE_OSF_SIA */

From carl at bl.echidna.id.au Sat Jun 29 01:25:05 2002
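Review bot: In the session.c hunk, `PRIVSEP(setup_sia(...))` expands to `mm_setup_sia(...)` when `use_privsep` is set, but this patch adds no `mm_setup_sia()` (monitor_wrap.c and monitor_wrap.h are untouched) and no `MONITOR_ANS_SETUP_SIA`, so a privsep build will not link. That wrapper also has to cope with the `NULL` tty this call site passes when `s->ttyfd == -1`, since `mm_answer_setup_sia()` unconditionally reads two strings; send an empty string and map it back to `NULL` in the monitor, or carry an explicit flag. The parenthesised table entries and the pre-auth table placement from the first posting are unchanged in this resend.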
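The monitor side of the patch above hinges on which dispatch table a request sits in and what its flags allow. The following is an added example, not OpenSSH's code, that models that mechanism in C: a pre-auth and a post-auth table, a MON_PERMIT bit the monitor sets itself, MON_ONCE requests that disable themselves after one use, and a session-setup handler that takes the user from the monitor's own state rather than from the child's message. The flag values, the request numbering, the function names monitor_permit, monitor_state_init and monitor_read, and the "correct-horse" credential are assumptions made for this example; the real monitor.c checks passwords against the system database and calls fatal() where this returns -1.

```c
#include <string.h>

/* Request types (numbering is this example's assumption; names mirror monitor.h). */
enum {
	MONITOR_REQ_AUTHPASSWORD = 1,
	MONITOR_REQ_SETUP_SIA
};

/* Permission flags, modelled after monitor.c (values assumed for the example). */
#define MON_ISAUTH	0x0004	/* request is an authentication attempt */
#define MON_ONCE	0x0010	/* disable after it has been answered once */
#define MON_PERMIT	0x1000	/* the monitor has enabled this request */
#define MON_AUTH	MON_ISAUTH

struct monitor_state {
	int authenticated;	/* set only by the monitor's own auth handler */
	char user[64];		/* identity the monitor is authenticating */
};

typedef int (*mon_fn)(struct monitor_state *, const char *);

struct mon_entry {
	int type;
	int flags;
	mon_fn f;
};

/* Constructed credential; a real monitor consults the password database. */
static const char *example_password = "correct-horse";
/* Records which user the last session setup ran for. */
char last_sia_user[64];

static int mm_answer_authpassword(struct monitor_state *st, const char *pw)
{
	if (strcmp(pw, example_password) != 0)
		return 0;
	st->authenticated = 1;
	return 1;
}

/* Session setup uses the monitor's own user, never a name supplied by the child. */
static int mm_answer_setup_sia(struct monitor_state *st, const char *child_supplied)
{
	(void)child_supplied;
	strncpy(last_sia_user, st->user, sizeof(last_sia_user) - 1);
	return 1;
}

/* Pre-auth table: only authentication requests live here. */
static struct mon_entry mon_dispatch_preauth[] = {
	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
	{0, 0, NULL}
};

/* Post-auth table: session setup belongs here and only here. */
static struct mon_entry mon_dispatch_postauth[] = {
	{MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia},
	{0, 0, NULL}
};

/* Enable or disable one request type in a table (cf. monitor_permit() in monitor.c). */
void monitor_permit(struct mon_entry *tab, int type, int permit)
{
	for (; tab->f != NULL; tab++)
		if (tab->type == type)
			tab->flags = permit ? (tab->flags | MON_PERMIT)
					    : (tab->flags & ~MON_PERMIT);
}

/* Reset state for a new connection whose claimed user is `user`. */
void monitor_state_init(struct monitor_state *st, const char *user)
{
	memset(st, 0, sizeof(*st));
	strncpy(st->user, user, sizeof(st->user) - 1);
	monitor_permit(mon_dispatch_preauth, MONITOR_REQ_AUTHPASSWORD, 1);
	monitor_permit(mon_dispatch_postauth, MONITOR_REQ_SETUP_SIA, 1);
}

/*
 * Dispatch one request from the child. The table is chosen from the monitor's
 * own authentication state, not from anything the child says. Returns the
 * handler's result, or -1 when the request is unknown in this phase or not
 * permitted (where sshd calls fatal() and drops the connection).
 */
int monitor_read(struct monitor_state *st, int type, const char *arg)
{
	struct mon_entry *ent = st->authenticated ? mon_dispatch_postauth
						  : mon_dispatch_preauth;
	int r;

	for (; ent->f != NULL; ent++)
		if (ent->type == type)
			break;
	if (ent->f == NULL || (ent->flags & MON_PERMIT) == 0)
		return -1;
	r = ent->f(st, arg);
	if (ent->flags & MON_ONCE)
		ent->flags &= ~MON_PERMIT;
	return r;
}
```

With this shape, a SETUP_SIA request sent before authentication is refused because it is not in the pre-auth table at all, a second one after authentication is refused because MON_ONCE cleared MON_PERMIT, and the name the child sends along is never the one the session is set up for.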
From: carl at bl.echidna.id.au (Carl Brewer)
Date: Sat, 29 Jun 2002 01:25:05 +1000
Subject: auto login and logout
References: <4.3.2.7.2.20020628100406.01cdcb40@3rdclass.cisco.com>
Message-ID: <3D1C7FD1.8010807@bl.echidna.id.au>

Brian Hamon wrote:
> If the switches support RSA Authentication, run an agent on the client
> side and use it. Since most ssh-enabled appliances seem to implement
> only password-based authentication, you must resort to other (less
> secure) means.
>
> PuTTY allows the password to be passed on the command line (plink.exe).
>
> If you must use OpenSSH, the only thing left to do is to modify the
> source code to allow OpenSSH to write the password prompt over stdout
> and read the password from stdin. This bypasses some security measures
> in OpenSSH, so be sure to mark your changed version appropriately. With
> this change, you can parse the child-to-parent pipe for the password
> prompt, and send the cleartext password down the parent-to-child pipe.

Insane. Use expect.

> At 07:32 AM 6/28/2002, Karpowicz, Theresa wrote:
>
>> I am a test engineer, testing SSH server implementation of SSH into
>> one of our switches.
>>
>> How can I automate the login and logout of an SSH client from the
>> command line?
>> I have in a script file the following, but I get prompted for the
>> password.
>> How can I automate the password and the exit.
>>
>> ssh2 -l $1 $2 (ssh2 -l )
>>
>> Theresa C. Karpowicz
>> Software Engineer
>>
>> Enterasys Networks
>> Phone: (800) 332-9401 x41263
>> Email: terryk@enterasys.com
>> www: http://www.enterasys.com/

From vf5 at cad.gatech.edu Sat Jun 29 01:35:00 2002
From: vf5 at cad.gatech.edu (Vincent Fox)
Date: Fri, 28 Jun 2002 11:35:00 -0400
Subject: hostbased authentication problem in 3.4
Message-ID: <20020628153500.GA18644@cad.gatech.edu>

I am seeing the same issues as another recent post: hostbased authentication in 3.4p1 not seeming to work. I tried the ssh-keysign.c patch posted; it didn't seem to fix the problem.

Details: Solaris 7, OpenSSH 3.4p1, OpenSSL 0.9.6d

Key from client ssh_host_rsa_key.pub copied to server /etc/ssh/ssh_known_hosts2 with comma-separated client hostnames added to the front and a blank space before the rest of the key entry.

debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2
debug3: check_host_in_hostfile: match line 1
debug2: check_key_in_hostfiles: key ok for bester.cad.gatech.edu
debug3: mm_answer_keyallowed: key 1323b0 is allowed
debug3: mm_append_debug: Appending debug messages for child
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_send_debug: Sending debug: Accepted for bester.cad.gatech.edu [130.207.84.20] by /etc/ssh/shosts.equiv.
debug3: mm_key_verify entering
debug3: mm_request_send entering: type 22
debug3: monitor_read: checking request 22
ssh_rsa_verify: RSA_verify failed: error:04077068:lib(4):func(119):reason(104)
debug1: ssh_rsa_verify: signature incorrect
debug3: mm_answer_keyverify: key 132398 signature unverified
debug3: mm_request_send entering: type 23
Failed hostbased for vf5 from 130.207.84.20 port 33083 ssh2
debug3: mm_request_receive entering
debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY
debug3: mm_request_receive_expect entering: type 23
debug3: mm_request_receive entering
debug2: userauth_hostbased: authenticated 0
Failed hostbased for vf5 from 130.207.84.20 port 33083 ssh2
debug1: userauth-request for user vf5 service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method keyboard-interactive

Still getting an error from ssh_rsa_verify.
Additionally I note in the debug output that, despite trying to set the variable AuthorizedKeysFile /etc/ssh/authorized_keys in sshd_config, the ssh -d -d -d output does not show it checking that file at all. I had to move it to /etc/ssh/ssh_known_hosts2 to get even this far.

-- 
"Who needs horror movies when we have Microsoft?"
-- Christine Comaford, PC Week, 27/9/95

From bugzilla-daemon at mindrot.org Sat Jun 29 01:41:15 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 29 Jun 2002 01:41:15 +1000 (EST)
Subject: [Bug 319] New: Privilege Separation failing on OSF1 v5.1
Message-ID: <20020628154115.4AEB8E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=319

Summary: Privilege Separation failing on OSF1 v5.1
Product: Portable OpenSSH
Version: -current
Platform: Alpha
OS/Version: OSF/1
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: wadelljs at bp.com

I built Version 3.4p1 using --with-tcp-wrappers on both IRIX 6.5.15 and OSF1 v5.1. Priv Separation works fine on IRIX and when connecting as root on OSF1. A normal user fails on OSF as follows, running sshd -d -d -d.

Messages from connecting machine aku445 IRIX64
ssh -X aku214

debug3: Trying to reverse map address 161.99.65.161.
cannot set login uid 202: error Not owner.
Couldn't establish session for wadelljs from aku445
debug1: Calling cleanup 0x12005153c(0x140030728)
debug3: mm_request_send entering: type 27
debug1: Calling cleanup 0x120068074(0x0)
debug1: channel_free: channel 0: server-session, nchannels 2
debug3: channel_free: status: The following connections are open:
  #0 server-session (t10 r0 i0/0 o0/0 fd -1/-1)

From jfurman at opentext.com Sat Jun 29 01:45:40 2002
From: jfurman at opentext.com (John Furman)
Date: Fri, 28 Jun 2002 11:45:40 -0400
Subject: Chroot v3.4p1
Message-ID: 

Greetings!

I am working on a patch that will support a "ChrootUsers" option in the v3.4p1 config file. I am wondering if there are already plans to support a chroot option on the go?

Regards,

_________________________________________
Open Text Corporation - HMS Division.
John Furman
Network Security Officer
jfurman at opentext.com
www.opentext.com/hms
Voc: 519.888.7111 x2361
Fax: 888.450.2547

From carson at taltos.org Sat Jun 29 01:45:29 2002
From: carson at taltos.org (Carson Gaspar)
Date: Fri, 28 Jun 2002 11:45:29 -0400
Subject: Solaris packaging
In-Reply-To: <200206281312.OAA16533@nps.ph.bham.ac.uk>
References: <200206281312.OAA16533@nps.ph.bham.ac.uk>
Message-ID: <264122427.1025264729@[172.25.113.221]>

--On Friday, June 28, 2002 2:12 PM +0100 James Campbell wrote:

> 4) Need to provide a "response" file so that it doesn't need interaction
> to install!! - I do all installs via jumpstart scripts etc.
> otherwise you get:

_You_ need to provide a response file, based on your answers to the request script's questions. My answers to the request script wouldn't be very useful to you, unless we think alike. A response file can be generated from a request script using the packaging tools (do a "man pkgask").

Now, if the request script is doing something naughty, such that the response file doesn't work properly, submit a bug report.

-- 
Carson

From bugzilla-daemon at mindrot.org Sat Jun 29 02:27:30 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 29 Jun 2002 02:27:30 +1000 (EST)
Subject: [Bug 306] ssh on Tru64 returns "Name does not resolv to supplied parameters"
Message-ID: <20020628162730.D6AE2E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=306

joa at maths.lth.se changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From joa at maths.lth.se 2002-06-29 02:27 -------
I had the same problem, but I figured out that getaddrinfo(host, strport, &hints, &aitop) (in ssh_connect) returns EAI_NONAME if hints.ai_family is AF_UNSPEC, even if both host and strport are valid. If I run configure with --with-ipv4-default then family is set to AF_INET and everything seems to work.

From bugzilla-daemon at mindrot.org Sat Jun 29 02:59:36 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 29 Jun 2002 02:59:36 +1000 (EST)
Subject: [Bug 319] Privilege Separation failing on OSF1 v5.1
Message-ID: <20020628165936.02397E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=319

------- Additional Comments From mouring at eviladmin.org 2002-06-29 02:59 -------
Created an attachment (id=120)

Sounds like an SIA issue w/ privsep. Does this fix it?

From mouring at etoh.eviladmin.org Sat Jun 29 03:03:15 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Fri, 28 Jun 2002 12:03:15 -0500 (CDT) Subject: AIX usrinfo() cleanup. In-Reply-To: <3D1949CD.B4225432@zip.com.au> Message-ID: Can we do this? Or should we drop the whole char *tty; ? There will be no way of setting the TTY= correctly while using privsep (Mainly for multiple streams over single session). The only thing we really could do is do: In do_setusercontext() if (use_privsep) aix_usrinfo(pw, NULL); and back in the old spot put: if (!use_privsep) aix_usrinfo(pw, s->ttyfd == -1 ? NULL : s->tty); that should allow users who need TTY set to at least have a working OpenSSH. Maybe add in a line to INSTALL or README about this issue. I'm more in favor of totally dumping TTY= setting until someone screams. - Ben Index: session.c =================================================================== RCS file: /var/cvs/openssh/session.c,v retrieving revision 1.208 diff -u -r1.208 session.c --- session.c 26 Jun 2002 13:51:06 -0000 1.208 +++ session.c 28 Jun 2002 17:07:11 -0000 @@ -1210,7 +1210,7 @@ # endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ # ifdef _AIX /* XXX: Disable tty setting. Enabled if required later */ - aix_usrinfo(pw, &tty, -1); + aix_usrinfo(pw, NULL); # endif /* _AIX */ /* Permanently switch to the desired uid. */ permanently_set_uid(pw); #else /* HAVE_OSF_SIA */ Index: openbsd-compat/port-aix.c =================================================================== RCS file: /var/cvs/openssh/openbsd-compat/port-aix.c,v retrieving revision 1.3 diff -u -r1.3 port-aix.c --- openbsd-compat/port-aix.c 21 Jun 2002 00:01:19 -0000 1.3 +++ openbsd-compat/port-aix.c 28 Jun 2002 17:07:11 -0000 
@@ -11,13 +11,11 @@ * actually use this and die if it's not set */ void -aix_usrinfo(struct passwd *pw, char *tty, int ttyfd) +aix_usrinfo(struct passwd *pw, char *tty) { u_int i; char *cp=NULL; - if (ttyfd == -1) - tty[0] = '\0'; cp = xmalloc(22 + strlen(tty) + 2 * strlen(pw->pw_name)); i = sprintf(cp, "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c", pw->pw_name, 0, pw->pw_name, 0, tty, 0, 0); Index: openbsd-compat/port-aix.h =================================================================== RCS file: /var/cvs/openssh/openbsd-compat/port-aix.h,v retrieving revision 1.4 diff -u -r1.4 port-aix.h --- openbsd-compat/port-aix.h 21 Jun 2002 00:01:19 -0000 1.4 +++ openbsd-compat/port-aix.h 28 Jun 2002 17:07:11 -0000 @@ -1,5 +1,5 @@ #ifdef _AIX -void aix_usrinfo(struct passwd *pw, char *tty, int ttyfd); +void aix_usrinfo(struct passwd *pw, char *tty); #endif /* _AIX */ From ssklar at stanford.edu Sat Jun 29 03:28:12 2002 
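Review bot: in the session.c hunk, replacing `aix_usrinfo(pw, &tty, -1)` with `aix_usrinfo(pw, NULL)` in do_setusercontext() is only the privsep-safe half of what the message proposes; the non-privsep half (`if (!use_privsep) aix_usrinfo(pw, s->ttyfd == -1 ? NULL : s->tty);` "back in the old spot") is not in the diff, so as posted TTY= is dropped for everyone, not only under privsep. Either include that second call or reword the `/* XXX: Disable tty setting. Enabled if required later */` comment to say TTY= is no longer set at all, so the next reader does not look for the re-enable path.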
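Review bot: in the openbsd-compat/port-aix.c hunk, aix_usrinfo() now dereferences tty unconditionally (`strlen(tty)` and the `TTY=%s` conversion in sprintf), while the session.c hunk calls it as `aix_usrinfo(pw, NULL)`, so the privsep path dereferences a NULL pointer. The removed `if (ttyfd == -1) tty[0] = '\0';` was the only thing that produced an empty TTY= value; add `if (tty == NULL) tty = "";` at the top of the function, and consider snprintf() with the computed size so the buffer arithmetic (22 + strlen(tty) + 2 * strlen(pw->pw_name)) is enforced rather than assumed.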
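Review bot: the openbsd-compat/port-aix.h prototype change matches the call sites, but nothing documents that tty may be NULL under privsep; a short comment on the prototype (and in the block above the function, which per the port-aix.c context still says callers "die if it's not set") would keep a future caller from reintroducing the unconditional dereference.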
From: ssklar at stanford.edu (Sandor W. Sklar) Date: Fri, 28 Jun 2002 10:28:12 -0700 Subject: AIX usrinfo() cleanup. In-Reply-To: References: Message-ID: At 12:03 PM -0500 6/28/02, Ben Lindstrom wrote: >Can we do this? Or should we drop the whole char *tty; ? There will >be no way of setting the TTY= correctly while using privsep (Mainly for >multiple streams over single session). Forgive a stupid question, but what is the implication of this? My possibly incorrect understanding is that if it isn't set by OpenSSH, it can be set by "login" if UseLogin is set to yes. Sorry, but I'd like to understand what changes I might have to expect. Thanks, -S- > >The only thing we really could do is do: > >In do_setusercontext() > >if (use_privsep) > aix_usrinfo(pw, NULL); > >and back in the old spot put: > >if (!use_privsep) > aix_usrinfo(pw, s->ttyfd == -1 ? NULL : s->tty); > > >that should allow users who need TTY set to at least have a working >OpenSSH. Maybe add in a line to INSTALL or README about this issue. > >I'm more in favor of totally dumping TTY= setting until someone screams. > >- Ben > > >Index: session.c >=================================================================== >RCS file: /var/cvs/openssh/session.c,v >retrieving revision 1.208 >diff -u -r1.208 session.c >--- session.c 26 Jun 2002 13:51:06 -0000 1.208 >+++ session.c 28 Jun 2002 17:07:11 -0000 
>@@ -1210,7 +1210,7 @@ > # endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) >|| defined(WITH_IRIX_ARRAY) */ > # ifdef _AIX > /* XXX: Disable tty setting. Enabled if required later */ >- aix_usrinfo(pw, &tty, -1); >+ aix_usrinfo(pw, NULL); > # endif /* _AIX */ > /* Permanently switch to the desired uid. */ > permanently_set_uid(pw); > #else /* HAVE_OSF_SIA */ >Index: openbsd-compat/port-aix.c >=================================================================== >RCS file: /var/cvs/openssh/openbsd-compat/port-aix.c,v >retrieving revision 1.3 >diff -u -r1.3 port-aix.c >--- openbsd-compat/port-aix.c 21 Jun 2002 00:01:19 -0000 1.3 >+++ openbsd-compat/port-aix.c 28 Jun 2002 17:07:11 -0000 >@@ -11,13 +11,11 @@ > * actually use this and die if it's not set > */ > void >-aix_usrinfo(struct passwd *pw, char *tty, int ttyfd) >+aix_usrinfo(struct passwd *pw, char *tty) > { > u_int i; > char *cp=NULL; > >- if (ttyfd == -1) >- tty[0] = '\0'; > cp = xmalloc(22 + strlen(tty) + 2 * strlen(pw->pw_name)); > i = sprintf(cp, "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c", pw->pw_name, 0, > pw->pw_name, 0, tty, 0, 0); >Index: openbsd-compat/port-aix.h >=================================================================== >RCS file: /var/cvs/openssh/openbsd-compat/port-aix.h,v >retrieving revision 1.4 >diff -u -r1.4 port-aix.h >--- openbsd-compat/port-aix.h 21 Jun 2002 00:01:19 -0000 1.4 >+++ openbsd-compat/port-aix.h 28 Jun 2002 17:07:11 -0000 >@@ -1,5 +1,5 @@ > #ifdef _AIX > >-void aix_usrinfo(struct passwd *pw, char *tty, int ttyfd); >+void aix_usrinfo(struct passwd *pw, char *tty); > > #endif /* _AIX */ > > >_______________________________________________ >openssh-unix-dev at mindrot.org mailing list >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev -- Sandor W. Sklar - Unix Systems Administrator - Stanford University ITSS Non impediti ratione cogitationis. http://whippet.stanford.edu/~ssklar/ From mouring at etoh.eviladmin.org Sat Jun 29 03:33:41 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Fri, 28 Jun 2002 12:33:41 -0500 (CDT) Subject: AIX usrinfo() cleanup. In-Reply-To: Message-ID: On Fri, 28 Jun 2002, Sandor W. Sklar wrote: > At 12:03 PM -0500 6/28/02, Ben Lindstrom wrote: > >Can we do this? Or should we drop the whole char *tty; ? There will > >be no way of setting the TTY= correctly while using privsep (Mainly for > >multiple streams over single session). > > Forgive a stupid question, but what is the implication of this? My > possibly incorrect understanding is that if it isn't set by > OpenSSH, it can be set by "login" if UseLogin is set to yes. > > Sorry, but I'd like to understand what changes I might have to expect. > > Thanks, > -S- > The issue is that by the time usrinfo() is called we have lost root privs. The temporary solution for 3.4 was to set everything but TTY= since we don't know it at that time. If one needs TTY= it can easily be added back into do_child(). That is my current question. Outside the simple clean-up of passing the TTY only instead of both tty and ttyfd (since we can do the same thing by doing 's->ttyfd == -1 ? NULL : s->tty'), should we add in a non-privsep case where TTY= will be set in do_child()? That way people who need TTY can still run OpenSSH without uselogin. We are referring to usrinfo() setting TTY=. So unless you have older applications that require it, you will not be affected either way. From bugzilla-daemon at mindrot.org Sat Jun 29 05:13:50 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 29 Jun 2002 05:13:50 +1000 (EST) Subject: [Bug 319] Privilege Separation failing on OSF1 v5.1 Message-ID: <20020628191350.DC339E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=319 ------- Additional Comments From wadelljs at bp.com 2002-06-29 05:13 ------- Gives a link error /usr/bin/ld: Unresolved: mm_setup_sia Could not find a reference to the symbol anywhere? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Jun 29 06:02:59 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 29 Jun 2002 06:02:59 +1000 (EST) Subject: [Bug 319] Privilege Separation failing on OSF1 v5.1 Message-ID: <20020628200259.48C2DE8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=319 ------- Additional Comments From mouring at eviladmin.org 2002-06-29 06:02 ------- Steve VanDevender and I are working through this patch. I missed a few parts of it. It is better, but still having issues. I'll repost it when I have something in better condition. - Ben ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From mouring at etoh.eviladmin.org Sat Jun 29 06:27:03 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Fri, 28 Jun 2002 15:27:03 -0500 (CDT) Subject: Newer OSF patch. Message-ID: It still is not right, but thanks to Steve we have gotten this far.. The issue seems to be here: debug3: entering: type 26 debug3: entering debug1: session_new: init debug1: session_new: session 0 debug3: entering: type 26 : sendmsg(12): Invalid argument debug1: Calling cleanup 0x1200365c0(0x14000d9d8) debug1: session_pty_cleanup: session 0 release /dev/ttyp4 debug1: Calling cleanup 0x12003dc60(0x0) : recvmsg: expected received 1 got 0 debug1: Calling cleanup 0x12004bec0(0x0) debug1: channel_free: channel 0: server-session, nchannels 1 debug3: channel_free: status: The following connections are open: #0 server-session (t10 r0 i0/0 o0/0 fd -1/-1) debug3: channel_close_fds: channel 0: r -1 w -1 e -1 debug1: Calling cleanup 0x12003dc60(0x0) So I believe (I'm still checking with Steve VanDevender) that SIA is working, and we are now hitting a new issue. But unsure yet. I WISH COMPILER COMPANIES WOULD SUPPORT __func__!!! Tracing code from just debug data without it sucks. Mainly when it's used all over the place now.=( Current patch: Index: auth-sia.c =================================================================== RCS file: /var/cvs/openssh/auth-sia.c,v retrieving revision 1.7 diff -u -r1.7 auth-sia.c --- auth-sia.c 12 Apr 2002 15:36:08 -0000 1.7 +++ auth-sia.c 28 Jun 2002 20:29:00 -0000 @@ -77,7 +77,7 @@ } void -session_setup_sia(char *user, char *tty) +setup_sia(char *user, char *tty) { struct passwd *pw; SIAENTITY *ent = NULL; @@ -86,9 +86,8 @@ host = get_canonical_hostname (options.verify_reverse_mapping); if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) { + NULL) != SIASUCCESS) fatal("sia_ses_init failed"); - } if ((pw = getpwnam(user)) == NULL) { sia_ses_release(&ent); 
@@ -100,25 +99,22 @@ } ent->authtype = SIA_A_NONE; - if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) { + if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) fatal("Couldn't establish session for %s from %s", user, host); - } if (setpriority(PRIO_PROCESS, 0, 0) == -1) { sia_ses_release(&ent); fatal("setpriority: %s", strerror (errno)); } - if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) { + if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) fatal("Couldn't launch session for %s from %s", user, host); - } sia_ses_release(&ent); - if (setreuid(geteuid(), geteuid()) < 0) { + /* XXX: Should this be be around a if (!use_privsep) ? */ + if (setreuid(geteuid(), geteuid()) < 0) fatal("setreuid: %s", strerror(errno)); - } } - #endif /* HAVE_OSF_SIA */ Index: auth-sia.h =================================================================== RCS file: /var/cvs/openssh/auth-sia.h,v retrieving revision 1.3 diff -u -r1.3 auth-sia.h --- auth-sia.h 12 Apr 2002 15:36:08 -0000 1.3 +++ auth-sia.h 28 Jun 2002 20:29:00 -0000 @@ -27,6 +27,6 @@ #ifdef HAVE_OSF_SIA int auth_sia_password(Authctxt *authctxt, char *pass); -void session_setup_sia(char *user, char *tty); +void setup_sia(char *user, char *tty); #endif /* HAVE_OSF_SIA */ Index: monitor.c =================================================================== RCS file: /var/cvs/openssh/monitor.c,v retrieving revision 1.22 diff -u -r1.22 monitor.c --- monitor.c 27 Jun 2002 00:12:58 -0000 1.22 +++ monitor.c 28 Jun 2002 20:29:09 -0000 @@ -120,6 +120,10 @@ int mm_answer_pam_start(int, Buffer *); #endif +#ifdef HAVE_OSF_SIA +int mm_answer_setup_sia(int, Buffer *); +#endif + static Authctxt *authctxt; static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ 
@@ -154,6 +158,9 @@ {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, +#ifdef HAVE_OSF_SIA + {MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia}, +#endif #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, #endif @@ -196,6 +203,9 @@ {MONITOR_REQ_SKEYQUERY, MON_ISAUTH, mm_answer_skeyquery}, {MONITOR_REQ_SKEYRESPOND, MON_AUTH, mm_answer_skeyrespond}, #endif +#ifdef HAVE_OSF_SIA + {MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia}, +#endif #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, #endif @@ -716,6 +726,22 @@ auth_method = "skey"; return (authok != 0); +} +#endif + +#ifdef HAVE_OSF_SIA +int +mm_answer_setup_sia(int socket, Buffer *m) +{ + char *user, *tty; + + user = buffer_get_string(m, NULL); + tty = buffer_get_string(m, NULL); + + setup_sia(user, tty); + + xfree(user); + xfree(tty); } #endif Index: monitor.h =================================================================== RCS file: /var/cvs/openssh/monitor.h,v retrieving revision 1.8 diff -u -r1.8 monitor.h --- monitor.h 11 Jun 2002 16:42:49 -0000 1.8 +++ monitor.h 28 Jun 2002 20:29:09 -0000 @@ -50,6 +50,7 @@ MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, MONITOR_REQ_PAM_START, + MONITOR_REQ_SETUP_SIA, MONITOR_REQ_TERM }; Index: monitor_wrap.c =================================================================== RCS file: /var/cvs/openssh/monitor_wrap.c,v retrieving revision 1.13 diff -u -r1.13 monitor_wrap.c --- monitor_wrap.c 27 Jun 2002 00:23:03 -0000 1.13 +++ monitor_wrap.c 28 Jun 2002 20:29:12 -0000 
@@ -649,6 +649,24 @@ s->ttyfd = -1; } +#ifdef HAVE_OSF_SIA +void +mm_setup_sia(char *name, char *tty) +{ + Buffer m; + + debug3("mm_setup_sia: entering"); + + buffer_init(&m); + buffer_put_cstring(&m, name); + buffer_put_cstring(&m, tty); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SETUP_SIA, &m); + + buffer_free(&m); +} +#endif + #ifdef USE_PAM void mm_start_pam(char *user) Index: monitor_wrap.h =================================================================== RCS file: /var/cvs/openssh/monitor_wrap.h,v retrieving revision 1.6 diff -u -r1.6 monitor_wrap.h --- monitor_wrap.h 13 May 2002 01:07:42 -0000 1.6 +++ monitor_wrap.h 28 Jun 2002 20:29:12 -0000 @@ -59,6 +59,10 @@ void mm_start_pam(char *); #endif +#ifdef HAVE_OSF_SIA +void mm_setup_sia(char *, char *); +#endif + void mm_terminate(void); int mm_pty_allocate(int *, int *, char *, int); void mm_session_pty_cleanup2(void *); Index: session.c =================================================================== RCS file: /var/cvs/openssh/session.c,v retrieving revision 1.208 diff -u -r1.208 session.c --- session.c 26 Jun 2002 13:51:06 -0000 1.208 +++ session.c 28 Jun 2002 20:29:24 -0000 @@ -57,6 +57,7 @@ #include "canohost.h" #include "session.h" #include "monitor_wrap.h" +#include "auth-sia.h" #ifdef HAVE_CYGWIN #include @@ -1269,7 +1270,7 @@ */ if (!options.use_login) { #ifdef HAVE_OSF_SIA - session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty); + PRIVSEP(setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty)); if (!check_quietlogin(s, command)) do_motd(); #else /* HAVE_OSF_SIA */ From bugzilla-daemon at mindrot.org Sat Jun 29 06:44:01 2002 
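Review bot: the auth-sia.c @@ -86 hunk (and the same pattern in @@ -100) removes braces around single-statement if bodies, which is unrelated to the privsep change and makes the functional part of this diff harder to pick out; keep the cosmetic brace clean-up in a separate commit.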
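Review bot: on the `/* XXX: Should this be be around a if (!use_privsep) ? */` line in the auth-sia.c @@ -100 hunk: yes, and the question is wider than setreuid(). Once the session.c hunk routes the call through PRIVSEP(), setup_sia() executes in the monitor process, so `setreuid(geteuid(), geteuid())` (and whatever sia_ses_launch() does to the calling process) acts on the monitor's credentials rather than the child's, and each fatal() in this function now takes the monitor down. The uid handling the child needs has to be done in the child; also fix the doubled "be be" in the comment.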
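Review bot: in the monitor.c @@ -154 hunk the new `{MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia}` entry sits beside the authentication-phase requests (MONITOR_REQ_AUTHPASSWORD), but the session.c hunk issues this request from the post-authentication session setup path. Verify that the dispatch table the monitor consults after authentication also carries the entry; if it does not, the monitor rejects the request and the child is killed.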
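Review bot: the monitor.c @@ -196 hunk adds the same entry to the second table (next to MONITOR_REQ_SKEYQUERY/SKEYRESPOND) with MON_ONCE. Since session setup runs once per session channel and a connection can open more than one session, a second MONITOR_REQ_SETUP_SIA on the same connection would be refused under MON_ONCE; decide whether that is intended or whether the flag should allow repeated requests.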
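Review bot: mm_answer_setup_sia() in the monitor.c @@ -716 hunk is declared `int` but has no return statement, so the monitor's dispatch code gets an indeterminate result from it; end it with `return (0);` as the neighbouring handlers do. The unused `int socket` parameter matches the handler signature and is fine.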
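Review bot: mm_setup_sia() in the monitor_wrap.c hunk only does mm_request_send() and never waits for an answer, unlike the wrappers around it that pair a MONITOR_REQ_ with a MONITOR_ANS_. The child therefore continues into check_quietlogin()/do_motd() before the monitor has finished, and a fatal() inside setup_sia() only shows up as a dropped connection. Add a MONITOR_ANS_SETUP_SIA to monitor.h, have mm_answer_setup_sia() send a status back, and mm_request_receive_expect() it here.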
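Review bot: in the session.c @@ -1269 hunk, `PRIVSEP(setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty))` hands a NULL tty to mm_setup_sia(), whose `buffer_put_cstring(&m, tty)` cannot take a NULL pointer, so a session without a pty (a plain command, sftp) crashes the child under privsep. Send an empty string for the no-tty case and map it back to NULL in mm_answer_setup_sia() before calling setup_sia(), or pass an explicit flag.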
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 29 Jun 2002 06:44:01 +1000 (EST) Subject: [Bug 319] Privilege Separation failing on OSF1 v5.1 Message-ID: <20020628204401.66CFCE8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=319 ------- Additional Comments From wadelljs at bp.com 2002-06-29 06:43 ------- Thanks, ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From gert at greenie.muc.de Sat Jun 29 06:58:56 2002 From: gert at greenie.muc.de (Gert Doering) Date: Fri, 28 Jun 2002 22:58:56 +0200 Subject: AIX usrinfo() cleanup. In-Reply-To: ; from mouring@etoh.eviladmin.org on Fri, Jun 28, 2002 at 12:03:15PM -0500 References: <3D1949CD.B4225432@zip.com.au> Message-ID: <20020628225856.D17901@greenie.muc.de> Hi, On Fri, Jun 28, 2002 at 12:03:15PM -0500, Ben Lindstrom wrote: > I'm more in favor of totally dumping TTY= setting until someone screams. If you ask me: drop it, and throw out junky code. If someone besides us needs usrinfo (and we do not use TTY=) they will complain. It should be mentioned in a README nonetheless (so that people running into "it works with rlogin but not with ssh" have a chance to guess why) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From bugzilla-daemon at mindrot.org Sat Jun 29 07:44:30 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 29 Jun 2002 07:44:30 +1000 (EST) Subject: [Bug 311] Compile fails on MIPS Linux (Cobalt Raq2) - SCM_RIGHTS undeclared Message-ID: <20020628214430.BD0B0E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=311 ------- Additional Comments From matt at primefactor.com 2002-06-29 07:44 ------- I applied the patch and recompiled. When it got to monitor_fdpass.c it output the following: gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. - I/usr/local/ssl/include -DSSHDIR=\"/usr/local/etc\" - D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" - D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" - D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" - D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" - D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" - DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c monitor_fdpass.c In file included from monitor_fdpass.c:27: /usr/include/linux/socket.h:41: warning: `AF_UNSPEC' redefined /usr/include/socketbits.h:55: warning: this is the location of the previous definition /usr/include/linux/socket.h:42: warning: `AF_UNIX' redefined /usr/include/socketbits.h:56: warning: this is the location of the previous definition /usr/include/linux/socket.h:43: warning: `AF_INET' redefined /usr/include/socketbits.h:59: warning: this is the location of the previous definition /usr/include/linux/socket.h:44: warning: `AF_AX25' redefined /usr/include/socketbits.h:60: warning: this is the location of the previous definition /usr/include/linux/socket.h:45: warning: `AF_IPX' redefined /usr/include/socketbits.h:61: warning: this is the location of the previous definition /usr/include/linux/socket.h:46: warning: `AF_APPLETALK' redefined /usr/include/socketbits.h:62: warning: this is the location of the previous definition /usr/include/linux/socket.h:47: warning: `AF_NETROM' redefined 
/usr/include/socketbits.h:63: warning: this is the location of the previous definition /usr/include/linux/socket.h:48: warning: `AF_BRIDGE' redefined /usr/include/socketbits.h:64: warning: this is the location of the previous definition /usr/include/linux/socket.h:49: warning: `AF_AAL5' redefined /usr/include/socketbits.h:65: warning: this is the location of the previous definition /usr/include/linux/socket.h:50: warning: `AF_X25' redefined /usr/include/socketbits.h:66: warning: this is the location of the previous definition /usr/include/linux/socket.h:54: warning: `AF_MAX' redefined /usr/include/socketbits.h:72: warning: this is the location of the previous definition /usr/include/linux/socket.h:57: warning: `PF_UNSPEC' redefined /usr/include/socketbits.h:36: warning: this is the location of the previous definition /usr/include/linux/socket.h:58: warning: `PF_UNIX' redefined /usr/include/socketbits.h:37: warning: this is the location of the previous definition /usr/include/linux/socket.h:59: warning: `PF_INET' redefined /usr/include/socketbits.h:40: warning: this is the location of the previous definition /usr/include/linux/socket.h:60: warning: `PF_AX25' redefined /usr/include/socketbits.h:41: warning: this is the location of the previous definition /usr/include/linux/socket.h:61: warning: `PF_IPX' redefined /usr/include/socketbits.h:42: warning: this is the location of the previous definition /usr/include/linux/socket.h:62: warning: `PF_APPLETALK' redefined /usr/include/socketbits.h:43: warning: this is the location of the previous definition /usr/include/linux/socket.h:63: warning: `PF_NETROM' redefined /usr/include/socketbits.h:44: warning: this is the location of the previous definition /usr/include/linux/socket.h:64: warning: `PF_BRIDGE' redefined /usr/include/socketbits.h:45: warning: this is the location of the previous definition /usr/include/linux/socket.h:65: warning: `PF_AAL5' redefined /usr/include/socketbits.h:46: warning: this is the location of 
the previous definition /usr/include/linux/socket.h:66: warning: `PF_X25' redefined /usr/include/socketbits.h:47: warning: this is the location of the previous definition /usr/include/linux/socket.h:70: warning: `PF_MAX' redefined /usr/include/socketbits.h:52: warning: this is the location of the previous definition /usr/include/linux/socket.h:96: warning: `IPTOS_MINCOST' redefined /usr/include/netinet/ip.h:191: warning: this is the location of the previous definition /usr/include/linux/socket.h:116: warning: `TCP_NODELAY' redefined /usr/include/netinet/tcp.h:158: warning: this is the location of the previous definition /usr/include/linux/socket.h:117: warning: `TCP_MAXSEG' redefined /usr/include/netinet/tcp.h:159: warning: this is the location of the previous definition In file included from /usr/include/sys/uio.h:29, from monitor_fdpass.c:30: /usr/include/iovec.h:37: warning: `UIO_MAXIOV' redefined /usr/include/linux/uio.h:24: warning: this is the location of the previous definition In file included from monitor_fdpass.c:27: /usr/include/linux/socket.h:9: redefinition of `struct sockaddr' /usr/include/linux/socket.h:14: redefinition of `struct linger' /usr/include/linux/socket.h:26: redefinition of `struct msghdr' In file included from /usr/include/sys/uio.h:29, from monitor_fdpass.c:30: /usr/include/iovec.h:42: redefinition of `struct iovec' make: *** [monitor_fdpass.o] Error 1 ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Jun 29 07:46:39 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 29 Jun 2002 07:46:39 +1000 (EST) Subject: [Bug 138] Incorrect OpenSSL version requirment? Message-ID: <20020628214639.4AD3BE904@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=138 ------- Additional Comments From rob at adso.com.pl 2002-06-29 07:46 ------- Created an attachment (id=121) Patch for openssh 3.4p1, which corrects problems with blowfish + ssh1 + OpenSSL 0.9.5a ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Jun 29 07:49:58 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 29 Jun 2002 07:49:58 +1000 (EST) Subject: [Bug 311] Compile fails on MIPS Linux (Cobalt Raq2) - SCM_RIGHTS undeclared Message-ID: <20020628214958.B647FE902@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=311 ------- Additional Comments From matt at primefactor.com 2002-06-29 07:49 ------- I believe that this Cobalt system is based on Red Hat. I'm using the following Cobalt RPMs for glibc: glibc-2.0.7-29.4C2 glibc-debug-2.0.7-29.4C2 glibc-devel-2.0.7-29.4C2 glibc-profile-2.0.7-29.4C2 Cobalt has been supplying updates. In fact, I just installed a glibc update from them only a few weeks ago. I'll double check my glibc packages against the Red Hat one that you mentioned and see if there are any other discrepancies. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Jun 29 08:46:37 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 29 Jun 2002 08:46:37 +1000 (EST) Subject: [Bug 311] Compile fails on MIPS Linux (Cobalt Raq2) - SCM_RIGHTS undeclared Message-ID: <20020628224637.BF750E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=311 ------- Additional Comments From jmknoble at pobox.com 2002-06-29 08:46 ------- Yuck. (Sigh. Who would have thought that including something in /usr/include/linux/ would totally conflict with stuff in glibc's header files?) It's my opinion your vendor's glibc-devel package is broken; SCM_RIGHTS really ought to be defined in one of the glibc headers. I'd recommend filing a bug report with Cobalt (especially since SCM_RIGHTS is defined in the headers in glibc-devel-2.0.7-29.4 on my Red Hat Linux 5.2/x86 system). Please try the newly attached patch (against a clean source tree). Note that it's a workaround and probably ought not to go into the main OpenSSH source.... ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Jun 29 08:48:11 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 29 Jun 2002 08:48:11 +1000 (EST) Subject: [Bug 311] Compile fails on MIPS Linux (Cobalt Raq2) - SCM_RIGHTS undeclared Message-ID: <20020628224811.C33FEE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=311 ------- Additional Comments From jmknoble at pobox.com 2002-06-29 08:48 ------- Created an attachment (id=122) Second-round patch for working around missing SCM_RIGHTS in Cobalt/glibc-2.0.7 headers ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From alfw at SLAC.Stanford.EDU Sat Jun 29 08:58:09 2002 
From: alfw at SLAC.Stanford.EDU (Alf Wachsmann) Date: Fri, 28 Jun 2002 15:58:09 -0700 (PDT) Subject: Bug in AFS token forwarding Message-ID: There is a bug in the code for getting AFS tokens in function send_afs_tokens() in sshconnect1.c Here is how the bug manifests itself: If I have an AFS token that is still valid _and_ one that was valid but is now expired then AFS token forwarding ignores both tokens instead of forwarding the still valid one. I can reproduce this problem on Red Hat Linux 7.2 systems with OpenSSH-3.4p1 (and probably all older versions) compiled with KTH-Krb4-1.1.1 (this is where the k_pioctl() function comes from; see below). I am using OpenAFS-1.2.5. The same happens on Solaris 8 (OpenSSH-3.4p1, KTH-Krb4-1.1.1, IBM/Transarc ASF). Here is the cause for the bug: The problem is that k_pioctl() returns error code ENOTCONN for _all_ tokens it finds if there is an expired token present. The loop has to continue in this case although the _data_ returned by k_pioctl() is invalid. This invalidness can be checked by comparing the length of the "ClearToken" component with the size of the ClearToken struct. In OpenSSH-3.4p1 this condition is checked in sshconnect1.c line 814. But it is wrong to "break" out of the loop because of this condition. Jumping to the next token is the correct behavior. I have attached a (not nicely formatted) patch that fixes this problem. -- Alf. ----------------------------------------------------------------------- Alf Wachsmann | e-mail: alfw at slac.stanford.edu SLAC Computing Service | Phone: +1-650-926-4802 2575 Sand Hill Road, M/S 97 | FAX: +1-650-926-3329 Menlo Park, CA 94025, USA | Office: Bldg. 50/323 ----------------------------------------------------------------------- http://www.slac.stanford.edu/~alfw (PGP) ----------------------------------------------------------------------- -------------- next part -------------- --- sshconnect1.c.orig Fri Jun 28 13:25:51 2002 +++ sshconnect1.c Fri Jun 28 13:23:56 2002 
@@ -797,7 +797,8 @@ parms.in_size = sizeof(i); parms.out = buf; parms.out_size = sizeof(buf); - if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0) + k_pioctl(0, VIOCGETTOK, &parms, 0); + if(errno == EDOM) break; p = buf; @@ -811,8 +812,7 @@ /* Get clear token. */ memcpy(&len, p, sizeof(len)); - if (len != sizeof(struct ClearToken)) - break; + if (len == sizeof(struct ClearToken)) { p += sizeof(len); memcpy(&ct, p, len); p += len; @@ -848,6 +848,7 @@ debug("AFS token for cell %s rejected.", server_cell); else if (type != SSH_SMSG_SUCCESS) packet_disconnect("Protocol error on AFS token response: %d", type); + } } } From florin at sgi.com Sat Jun 29 09:06:56 2002 From: florin at sgi.com (Florin Andrei) Date: 28 Jun 2002 16:06:56 -0700 Subject: RPMs and initscripts on RH 6.x Message-ID: <1025305616.13524.98.camel@stantz.corp.sgi.com> Why do the OpenSSH RPMs depend on initscripts >= 5 for RH6x? I just rebuilt the 3.4p1 packages on Red Hat 6.1 (yeah, I know), using initscripts-4.some.version.or.the.other (whatever was the last update to that package) and it worked just fine. Of course, I had to tweak the spec, otherwise it would refuse to budge, but AFAICT it's working fine now. I suggest to downgrade the dependency in the spec file. -- Florin Andrei "You can get excited about just any subject if you study it enough. It's the deep knowledge that makes a topic interesting." - Larry McVoy From bugzilla-daemon at mindrot.org Sat Jun 29 09:34:47 2002 
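Review bot: in the sshconnect1.c @@ -797 hunk of the AFS token forwarding patch above, the return value of k_pioctl() is discarded and errno is tested unconditionally. errno is only meaningful after the call returned -1; a stale EDOM left over from an earlier library call would end the loop early and silently drop every remaining token. Write `if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0 && errno == EDOM) break;` (with the space after `if`), and since a failed call now falls through to the parsing code below, make sure buf is only interpreted when the call succeeded instead of relying solely on the ClearToken length test.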
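Review bot: the @@ -811 hunk of the same patch turns the `break` into an enclosing `if (len == sizeof(struct ClearToken)) {` whose closing brace only arrives in the @@ -848 hunk, with the enclosed block left at its old indentation, so the control flow is hard to follow (the author acknowledges the formatting). Prefer `if (len != sizeof(struct ClearToken)) continue;`, which keeps the body flat and states the skip-this-token intent directly; a debug() line for the skipped token would also help when an expired-token case is being diagnosed.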
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 29 Jun 2002 09:34:47 +1000 (EST) Subject: [Bug 311] Compile fails on MIPS Linux (Cobalt Raq2) - SCM_RIGHTS undeclared Message-ID: <20020628233447.72F6FE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=311 ------- Additional Comments From matt at primefactor.com 2002-06-29 09:34 ------- I applied the latest patch and can now compile without problems. Thanks for the help. I'll contact Cobalt about the issue with glibc headers. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From alfw at SLAC.Stanford.EDU Sat Jun 29 09:57:12 2002 From: alfw at SLAC.Stanford.EDU (Alf Wachsmann) Date: Fri, 28 Jun 2002 16:57:12 -0700 (PDT) Subject: Bug in AFS token forwarding In-Reply-To: Message-ID: On Fri, 28 Jun 2002, Alf Wachsmann wrote: > Here is the cause for the bug: > The problem is that k_pioctl() returns error code ENOTCONN for _all_ > tokens it finds if there is an expired token present. A slight correction: it is not k_pioctl() returning the ENOTCONN (it just returns -1) but the "errno" function. And "errno" returns "EDOM" if all tokens are listed. -- Alf. ----------------------------------------------------------------------- Alf Wachsmann | e-mail: alfw at slac.stanford.edu SLAC Computing Service | Phone: +1-650-926-4802 2575 Sand Hill Road, M/S 97 | FAX: +1-650-926-3329 Menlo Park, CA 94025, USA | Office: Bldg. 50/323 ----------------------------------------------------------------------- http://www.slac.stanford.edu/~alfw (PGP) ----------------------------------------------------------------------- From bugzilla-daemon at mindrot.org Sat Jun 29 10:06:44 2002 
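As an added illustration of the loop change discussed in Alf Wachsmann's two messages above (constructed here, not part of his patch or of OpenSSH): a stand-in fake_pioctl() reproduces the k_pioctl()/errno behaviour the thread describes (-1 with ENOTCONN for an expired token, -1 with EDOM past the last one), and the old and corrected loop shapes are run over a cache holding an expired token ahead of a valid one. The corrected loop is written with an explicit continue rather than the patch's enclosing brace; token_cache, CT_LEN and fake_pioctl are assumptions, not AFS or KTH-Krb4 interfaces.

```c
/* Constructed stand-in for the send_afs_tokens() loop in sshconnect1.c.
 * token_cache, fake_pioctl() and CT_LEN are assumptions that mimic the
 * behaviour described in the thread, not AFS or KTH-Krb4 interfaces. */
#include <errno.h>
#include <stddef.h>

#define NTOKENS 2
#define CT_LEN  16   /* stand-in for sizeof(struct ClearToken) */

/* Constructed cache: slot 0 is an expired token, slot 1 a valid one.
 * The order matters: the expired token is enumerated first. */
struct fake_token { int expired; size_t ct_len; };
static const struct fake_token token_cache[NTOKENS] = {
    { 1, 0 },
    { 0, CT_LEN },
};

/* Mimics k_pioctl(0, VIOCGETTOK, &parms, 0) for the i-th token:
 *  - 0 with the ClearToken length for a usable token,
 *  - -1 / errno == ENOTCONN (and an unusable length) for an expired one,
 *  - -1 / errno == EDOM once i is past the last token. */
static int fake_pioctl(int i, size_t *ct_len)
{
    if (i >= NTOKENS) {
        errno = EDOM;
        return -1;
    }
    if (token_cache[i].expired) {
        errno = ENOTCONN;
        *ct_len = 0;           /* returned data is not a valid token */
        return -1;
    }
    *ct_len = token_cache[i].ct_len;
    return 0;
}

/* The 3.4p1 shape: any failure, and any length mismatch, breaks out of
 * the loop, so an expired token ahead of a valid one ends forwarding with
 * nothing sent. Returns the number of tokens that would be forwarded. */
int forward_tokens_old(void)
{
    int i, sent = 0;
    size_t len = 0;

    for (i = 0; ; i++) {
        if (fake_pioctl(i, &len) != 0)
            break;
        if (len != CT_LEN)
            break;
        sent++;
    }
    return sent;
}

/* The corrected shape: errno is consulted only after a failed call, only
 * EDOM (no more tokens) ends the loop, and a token whose ClearToken
 * length is wrong is skipped instead of aborting the whole loop. */
int forward_tokens_new(void)
{
    int i, sent = 0;
    size_t len = 0;

    for (i = 0; ; i++) {
        if (fake_pioctl(i, &len) != 0) {
            if (errno == EDOM)
                break;     /* all tokens enumerated */
            continue;      /* expired/unusable token: try the next one */
        }
        if (len != CT_LEN)
            continue;      /* defensive: data did not look like a token */
        sent++;
    }
    return sent;
}
```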
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 29 Jun 2002 10:06:44 +1000 (EST) Subject: [Bug 320] New: Cannot build 3.4p1 Message-ID: <20020629000644.80DE2E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=320 Summary: Cannot build 3.4p1 Product: Portable OpenSSH Version: -current Platform: Sparc OS/Version: Solaris Status: NEW Severity: critical Priority: P1 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: russel at russel.org.uk I downloaded openssh-3.4p1.tar.gz from one of the London, UK mirrors, untarred it, configured it with "./configure --prefix=/usr/local/pkg/openssh-3.4p1" and then tried to make and got: gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/usr/local/include -DSSHDIR=\"/usr/local/pkg/openssh-3.4p1/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/pkg/openssh-3.4p1/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/pkg/openssh-3.4p1/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/pkg/openssh-3.4p1/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/pkg/openssh-3.4p1/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/pkg/openssh-3.4p1/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c cipher.c cipher.c:65: warning: initialization from incompatible pointer type cipher.c:66: warning: initialization from incompatible pointer type cipher.c:70: warning: initialization from incompatible pointer type cipher.c:71: warning: initialization from incompatible pointer type cipher.c:72: warning: initialization from incompatible pointer type cipher.c:73: warning: initialization from incompatible pointer type cipher.c: In function `cipher_get_keyiv': cipher.c:610: `__func__' undeclared (first use in this function) cipher.c:610: (Each undeclared identifier is reported only once cipher.c:610: for each function it appears in.) 
cipher.c: In function `cipher_set_keyiv': cipher.c:667: `__func__' undeclared (first use in this function) cipher.c: In function `cipher_get_keycontext': cipher.c:706: warning: comparison of distinct pointer types lacks a cast cipher.c: In function `cipher_set_keycontext': cipher.c:721: warning: comparison of distinct pointer types lacks a cast make: *** [cipher.o] Error 1 It may be that I have done something wrong but it may also be that there is a problem with the tgz file. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Jun 29 10:59:22 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 29 Jun 2002 10:59:22 +1000 (EST) Subject: [Bug 321] New: configure does not work when cross compiling Message-ID: <20020629005922.7DD27E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=321 Summary: configure does not work when cross compiling Product: Portable OpenSSH Version: -current Platform: MIPS OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: chua at ayrnetworks.com configure does not work when cross compiling because of the AC_TRY_RUN macro without cross-compilation parameters. Most of these can be resolved by relatively safe guesses, changing them to AC_TRY_LINK, or runtime detection. Attached is a patch that allows Openssh 3.4p1 to cross-compile. --- openssh-3.4p1/configure.ac Tue Jun 25 15:35:16 2002 +++ openssh-3.4p1.ayr/configure.ac Fri Jun 28 14:21:34 2002 
@@ -463,20 +463,6 @@ ] ) -AC_MSG_CHECKING([whether struct dirent allocates space for d_name]) -AC_TRY_RUN( - [ -#include -#include -int main(void){struct dirent d;return(sizeof(d.d_name)<=sizeof(char));} - ], - [AC_MSG_RESULT(yes)], - [ - AC_MSG_RESULT(no) - AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME) - ] -) - # Check whether user wants S/Key support SKEY_MSG="no" AC_ARG_WITH(skey, @@ -505,6 +491,10 @@ [ AC_MSG_RESULT(no) AC_MSG_ERROR([** Incomplete or missing s/key libraries.]) + ] + [ + AC_MSG_RESULT(no) + AC_MSG_ERROR([** Incomplete or missing s/key libraries.]) ]) fi ] @@ -597,6 +587,7 @@ AC_MSG_RESULT(yes) AC_DEFINE(HAVE_MMAP_ANON_SHARED) ], + [ AC_MSG_RESULT(no) ], [ AC_MSG_RESULT(no) ] ) fi @@ -626,6 +617,7 @@ } ], [ ac_cv_have_broken_dirname="no" ], + [ ac_cv_have_broken_dirname="yes" ], [ ac_cv_have_broken_dirname="yes" ] ) LIBS="$save_LIBS" @@ -670,6 +662,10 @@ AC_MSG_RESULT(no) AC_DEFINE(BROKEN_SNPRINTF) AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor]) + ], + [ + AC_MSG_RESULT(assuming no) + AC_DEFINE(BROKEN_SNPRINTF) ] ) fi @@ -784,6 +780,10 @@ [ AC_MSG_RESULT(no) AC_MSG_ERROR(Your OpenSSL headers do not match your library) + ], + [ + AC_MSG_RESULT(yes) + AC_MSG_WARN(Not sure, hoping so) ] ) @@ -813,6 +813,13 @@ # Default to use of the rand helper if OpenSSL doesn't # seed itself USE_RAND_HELPER=yes + ], + [ + AC_MSG_RESULT(no) + # Default to use of the rand helper if OpenSSL doesn't + # seed itself + USE_RAND_HELPER=yes + AC_MSG_WARN(Not sure, assuming no) ] ) @@ -1417,7 +1424,8 @@ #else main() { exit(0); } #endif - ], [ true ], [ AC_DEFINE(BROKEN_SNPRINTF) ] + ], [ true ], [ AC_DEFINE(BROKEN_SNPRINTF) ], + [ AC_DEFINE(BROKEN_SNPRINTF) ] ) fi AC_SUBST(NO_SFTP) 
@@ -1523,13 +1531,16 @@ dnl make sure we're using the real structure members and not defines AC_CACHE_CHECK([for msg_accrights field in struct msghdr], ac_cv_have_accrights_in_msghdr, [ - AC_TRY_RUN( + AC_TRY_COMPILE( [ #include #include #include + ], + [ int main() { #ifdef msg_accrights +#error "msg_accrights is a macro" exit(1); #endif struct msghdr m; @@ -1547,13 +1558,16 @@ AC_CACHE_CHECK([for msg_control field in struct msghdr], ac_cv_have_control_in_msghdr, [ - AC_TRY_RUN( + AC_TRY_COMPILE( [ #include #include #include + ], + [ int main() { #ifdef msg_control +#error "msg_control is a macro" exit(1); #endif struct msghdr m; @@ -1860,20 +1874,17 @@ if test -z "$no_dev_ptmx" ; then if test "x$disable_ptmx_check" != "xyes" ; then - AC_CHECK_FILE("/dev/ptmx", - [ - AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX) - have_dev_ptmx=1 - ] - ) + if test -f "/dev/ptc" ; then + AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX) + have_dev_ptmx=1 + fi fi fi -AC_CHECK_FILE("/dev/ptc", - [ - AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC) - have_dev_ptc=1 - ] -) + +if test -f "/dev/ptc" ; then + AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC) + have_dev_ptc=1 +fi # Options from here on. Some of these are preset by platform above AC_ARG_WITH(mantype, --- openssh-3.4p1/sftp-glob.c Tue Feb 12 19:10:33 2002 +++ openssh-3.4p1.ayr/sftp-glob.c Fri Jun 28 14:02:44 2002 @@ -78,12 +78,9 @@ * Solaris defines dirent->d_name as a one byte array and expects * you to hack around it. */ -#ifdef BROKEN_ONE_BYTE_DIRENT_D_NAME - strlcpy(ret->d_name, od->dir[od->offset++]->filename, MAXPATHLEN); -#else strlcpy(ret->d_name, od->dir[od->offset++]->filename, - sizeof(ret->d_name)); -#endif + (sizeof(ret->d_name) <= sizeof(char))? + MAXPATHLEN: sizeof(ret->d_name)); #ifdef __GNU_LIBRARY__ /* * Idiot glibc uses extensions to struct dirent for readdir with ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Jun 29 11:00:14 2002 
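Review bot: in the S/Key hunk (@@ -505,6 +491,10 @@) the new cross-compiling branch of AC_TRY_RUN is a copy of the failure branch, `AC_MSG_RESULT(no)` followed by `AC_MSG_ERROR([** Incomplete or missing s/key libraries.])`, so `--with-skey` aborts every cross build even when the libraries link fine. The cross branch should warn and assume the libraries are usable (or honour a presettable cache variable), the way the snprintf and OpenSSL hunks later in this patch do, rather than make the option unusable when cross-compiling.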
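Review bot: in the mmap hunk (@@ -597,6 +587,7 @@) the added cross-compiling branch is just `[ AC_MSG_RESULT(no) ]`, which leaves HAVE_MMAP_ANON_SHARED undefined and prints exactly what a genuine negative result prints; since that define decides whether privilege separation can be used together with compression (see Bug 322 further down in this digest), a silent wrong guess changes sshd's runtime behaviour with nothing in the configure output to point at it. Emit an AC_MSG_WARN as the snprintf and OpenSSL branches do, and preferably read a cache variable the target builder can preset.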
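Review bot: in both struct msghdr hunks (@@ -1523,13 +1531,16 @@ and @@ -1547,13 +1558,16 @@) the switch from AC_TRY_RUN to AC_TRY_COMPILE moves the includes into the first argument but leaves `int main() {` as the first line of the second; AC_TRY_COMPILE already wraps its second argument in a main() of its own, so the probe now compiles a nested function definition (a GCC extension at best) and its outcome no longer says anything about msg_accrights or msg_control. Remove the body's own `int main() {` and its matching closing brace, keeping the `#error` line and the struct usage, which is the part that makes the check work without running anything.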
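Review bot: the /dev/ptmx hunk (@@ -1860,20 +1874,17 @@) tests the wrong device: `if test -f "/dev/ptc" ; then` is followed by `AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX)`, so HAVE_DEV_PTMX is now set when the build host has /dev/ptc and never when it only has /dev/ptmx; the first test should be on "/dev/ptmx". The larger problem is that `test -f` on /dev looks at the build host's devices, which is precisely what a cross build cannot learn from the host (AC_CHECK_FILE refuses to run when cross-compiling for that reason); both results should come from cache variables the person building for the target can preset, with the host probe only as the native fallback.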
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 29 Jun 2002 11:00:14 +1000 (EST) Subject: [Bug 321] configure does not work when cross compiling Message-ID: <20020629010014.2D22CE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=321 ------- Additional Comments From chua at ayrnetworks.com 2002-06-29 11:00 ------- Created an attachment (id=123) configure.ac diff ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Jun 29 11:00:46 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 29 Jun 2002 11:00:46 +1000 (EST) Subject: [Bug 321] configure does not work when cross compiling Message-ID: <20020629010046.34162E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=321 ------- Additional Comments From chua at ayrnetworks.com 2002-06-29 11:00 ------- Created an attachment (id=124) sftp-glob.c diff ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From mouring at etoh.eviladmin.org Sat Jun 29 13:44:16 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Fri, 28 Jun 2002 22:44:16 -0500 (CDT) Subject: Privsep for osf/1 .. still need a bit of help Message-ID: This privsepifies OSF/1 SIA, but I'm still being told the same error occurs. I'm stumped. Without an OSF/1 box near me I can't do too much more help unless someone can either tell me what is wrong or show me why SIA is failing in their logs. (And tell me if it's different w/ or w/out this patch) - Ben Index: auth-sia.c =================================================================== RCS file: /var/cvs/openssh/auth-sia.c,v retrieving revision 1.7 diff -u -r1.7 auth-sia.c --- auth-sia.c 12 Apr 2002 15:36:08 -0000 1.7 +++ auth-sia.c 29 Jun 2002 03:19:18 -0000 
@@ -77,7 +77,7 @@ } void -session_setup_sia(char *user, char *tty) +setup_sia(char *user, char *tty) { struct passwd *pw; SIAENTITY *ent = NULL; @@ -86,9 +86,8 @@ host = get_canonical_hostname (options.verify_reverse_mapping); if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) { + NULL) != SIASUCCESS) fatal("sia_ses_init failed"); - } if ((pw = getpwnam(user)) == NULL) { sia_ses_release(&ent); @@ -100,25 +99,22 @@ } ent->authtype = SIA_A_NONE; - if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) { + if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) fatal("Couldn't establish session for %s from %s", user, host); - } if (setpriority(PRIO_PROCESS, 0, 0) == -1) { sia_ses_release(&ent); fatal("setpriority: %s", strerror (errno)); } - if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) { + if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) fatal("Couldn't launch session for %s from %s", user, host); - } sia_ses_release(&ent); - if (setreuid(geteuid(), geteuid()) < 0) { + /* XXX: Should this be be around a if (!use_privsep) ? */ + if (setreuid(geteuid(), geteuid()) < 0) fatal("setreuid: %s", strerror(errno)); - } } - #endif /* HAVE_OSF_SIA */ Index: auth-sia.h =================================================================== RCS file: /var/cvs/openssh/auth-sia.h,v retrieving revision 1.3 diff -u -r1.3 auth-sia.h --- auth-sia.h 12 Apr 2002 15:36:08 -0000 1.3 +++ auth-sia.h 29 Jun 2002 03:19:18 -0000 @@ -27,6 +27,6 @@ #ifdef HAVE_OSF_SIA int auth_sia_password(Authctxt *authctxt, char *pass); -void session_setup_sia(char *user, char *tty); +void setup_sia(char *user, char *tty); #endif /* HAVE_OSF_SIA */ Index: monitor.c =================================================================== RCS file: /var/cvs/openssh/monitor.c,v retrieving revision 1.22 diff -u -r1.22 monitor.c --- monitor.c 27 Jun 2002 00:12:58 -0000 1.22 +++ monitor.c 29 Jun 2002 03:19:27 -0000 
@@ -120,6 +120,10 @@ int mm_answer_pam_start(int, Buffer *); #endif +#ifdef HAVE_OSF_SIA +int mm_answer_setup_sia(int, Buffer *); +#endif + static Authctxt *authctxt; static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ @@ -176,6 +180,9 @@ {MONITOR_REQ_PTY, 0, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef HAVE_OSF_SIA + {MONITOR_REQ_SETUP_SIA, 0, mm_answer_setup_sia}, +#endif {0, 0, NULL} }; @@ -206,6 +213,9 @@ {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, {MONITOR_REQ_TERM, 0, mm_answer_term}, +#ifdef HAVE_OSF_SIA + {MONITOR_REQ_SETUP_SIA, MON_ONCE, mm_answer_setup_sia}, +#endif {0, 0, NULL} }; @@ -307,10 +317,16 @@ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); +#ifdef HAVE_OSF_SIA + monitor_permit(mon_dispatch, MONITOR_REQ_SETUP_SIA, 1); +#endif } else { mon_dispatch = mon_dispatch_postauth15; monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); +#ifdef HAVE_OSF_SIA + monitor_permit(mon_dispatch, MONITOR_REQ_SETUP_SIA, 1); +#endif } if (!no_pty_flag) { monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); @@ -716,6 +732,22 @@ auth_method = "skey"; return (authok != 0); +} +#endif + +#ifdef HAVE_OSF_SIA +int +mm_answer_setup_sia(int socket, Buffer *m) +{ + char *user, *tty; + + user = buffer_get_string(m, NULL); + tty = buffer_get_string(m, NULL); + + setup_sia(user, tty); + + xfree(user); + xfree(tty); } #endif Index: monitor.h =================================================================== RCS file: /var/cvs/openssh/monitor.h,v retrieving revision 1.8 diff -u -r1.8 monitor.h --- monitor.h 11 Jun 2002 16:42:49 -0000 1.8 +++ monitor.h 29 Jun 2002 03:19:27 -0000 
@@ -50,6 +50,7 @@ MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE, MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, MONITOR_REQ_PAM_START, + MONITOR_REQ_SETUP_SIA, MONITOR_REQ_TERM }; Index: monitor_wrap.c =================================================================== RCS file: /var/cvs/openssh/monitor_wrap.c,v retrieving revision 1.13 diff -u -r1.13 monitor_wrap.c --- monitor_wrap.c 27 Jun 2002 00:23:03 -0000 1.13 +++ monitor_wrap.c 29 Jun 2002 03:19:30 -0000 @@ -649,6 +649,24 @@ s->ttyfd = -1; } +#ifdef HAVE_OSF_SIA +void +mm_setup_sia(char *name, char *tty) +{ + Buffer m; + + debug3("%s entering", __func__); + + buffer_init(&m); + buffer_put_cstring(&m, name); + buffer_put_cstring(&m, tty); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SETUP_SIA, &m); + + buffer_free(&m); +} +#endif + #ifdef USE_PAM void mm_start_pam(char *user) Index: monitor_wrap.h =================================================================== RCS file: /var/cvs/openssh/monitor_wrap.h,v retrieving revision 1.6 diff -u -r1.6 monitor_wrap.h --- monitor_wrap.h 13 May 2002 01:07:42 -0000 1.6 +++ monitor_wrap.h 29 Jun 2002 03:19:30 -0000 @@ -59,6 +59,10 @@ void mm_start_pam(char *); #endif +#ifdef HAVE_OSF_SIA +void mm_setup_sia(char *, char *); +#endif + void mm_terminate(void); int mm_pty_allocate(int *, int *, char *, int); void mm_session_pty_cleanup2(void *); Index: session.c =================================================================== RCS file: /var/cvs/openssh/session.c,v retrieving revision 1.208 diff -u -r1.208 session.c --- session.c 26 Jun 2002 13:51:06 -0000 1.208 +++ session.c 29 Jun 2002 03:19:42 -0000 @@ -57,6 +57,7 @@ #include "canohost.h" #include "session.h" #include "monitor_wrap.h" +#include "auth-sia.h" #ifdef HAVE_CYGWIN #include 
@@ -1269,7 +1270,7 @@ */ if (!options.use_login) { #ifdef HAVE_OSF_SIA - session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty); + PRIVSEP(setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty)); if (!check_quietlogin(s, command)) do_motd(); #else /* HAVE_OSF_SIA */ From bugzilla-daemon at mindrot.org Sun Jun 30 05:18:26 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 30 Jun 2002 05:18:26 +1000 (EST) Subject: [Bug 322] New: Anon shared MMAP test fails wrongly under FreeBSD Message-ID: <20020629191826.20FD6E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=322 Summary: Anon shared MMAP test fails wrongly under FreeBSD Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: FreeBSD Status: NEW Severity: minor Priority: P3 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: chris at by-design.net Under FreeBSD, /usr/include/sys/mman.h does not include /usr/include/sys/types.h. The OpenSSH test for anonymous shared memory maps includes mman.h without including types.h and the test code snippet compile fails. I'll report the omission to the FreeBSD folks, but changing the snippet in configure to include will allow FreeBSD folks to use compression and privilege separation until then. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sun Jun 30 05:23:50 2002 
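Review bot: in the auth-sia.c hunk, setup_sia() still ends with `setreuid(geteuid(), geteuid())` (the `XXX` comment asks about it), and with this patch the whole function, sia_ses_estab() and sia_ses_launch() included, runs inside the root monitor when privsep is on, because session.c now calls it through PRIVSEP(). Whatever credentials or session state SIA establishes are therefore applied to the monitor process, not to the unprivileged child that goes on to run the user's session, and that setreuid is a no-op on a root process. Split the function: keep the privileged SIA calls on the monitor side and leave the part that adjusts the session process's own identity in the child.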
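Review bot: mm_answer_setup_sia() in the monitor.c hunk takes `user` and `tty` straight out of the child's message and passes them to setup_sia() unchecked. The child is the untrusted half of privilege separation, so the monitor should ignore the supplied user name and use the identity it already authenticated (authctxt, declared a few lines above) and should verify that `tty` is the pty it allocated in mm_answer_pty rather than whatever string arrives. It also sends no reply, so mm_setup_sia() returns before the monitor has done anything; if later session steps depend on SIA having run, add an answer message in the style of the MONITOR_ANS_* pairs in monitor.h.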
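Review bot: the session.c hunk passes NULL for tty when no pty was allocated (`s->ttyfd == -1 ? NULL : s->tty`), and the new mm_setup_sia() in the monitor_wrap.c hunk hands that to `buffer_put_cstring(&m, tty)`, which calls fatal() on a NULL string; with privsep on, every pty-less session (scp, sftp, forced commands) will die here. Encode the absent tty explicitly, for example an empty string or a flag byte before an optional string, and map it back to NULL in mm_answer_setup_sia() before calling setup_sia().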
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 30 Jun 2002 05:23:50 +1000 (EST)
Subject: [Bug 323] New: arp -n flag doesn't exist under Solaris, ssh_prng_cmds still uses it
Message-ID: <20020629192350.A2E9DE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=323

           Summary: arp -n flag doesn't exist under Solaris, ssh_prng_cmds still uses it
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: chris at by-design.net

The Solaris arp command does not support the -n flag to avoid using the nameserver to resolve IP addresses when printing the arp table. If there is a private IP address in use AND the internal DNS server doesn't have a zone for the private address space then the SSH prng code will hang for an indeterminate period of time (usually longer than a person will wait).

SSH tests for the existence of the -n flag by trying 'arp -a -n'. Unfortunately, Solaris' arp program interprets the second flag, -n, as a hostname and basically ignores it.

FIX: Test by using "arp -n -a" or "arp -an".

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun Jun 30 05:40:19 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 30 Jun 2002 05:40:19 +1000 (EST)
Subject: [Bug 323] arp -n flag doesn't exist under Solaris, ssh_prng_cmds still uses it
Message-ID: <20020629194019.72CFEE8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=323

------- Additional Comments From luc at suryo.com 2002-06-30 05:40 -------

A better solution is to install the patches that will support /dev/random and /dev/urandom. Then recompile openssl and then openssh.

Solaris 8:
112438-01 patch for Sparc
112439-01 patch for x86

Solaris 9: has standard /dev/random and /dev/urandom

Not sure if one can apply the Solaris 8 patch to Solaris 2.6 (near end of life) and Solaris 7.

More info (Sparc) here below
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fpatches%2F112438&zone_32=%2Fdev%2Frandom

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From kevin at atomicgears.com Sun Jun 30 05:38:35 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Sat, 29 Jun 2002 12:38:35 -0700
Subject: privilege separation breaks dns lookups
In-Reply-To: <20020626232631.F26954@chiark.greenend.org.uk>
References: <20020626232631.F26954@chiark.greenend.org.uk>
Message-ID: <20020629193835.GG1757@jenny.crlsca.adelphia.net>

On Wed, Jun 26, 2002 at 11:26:31PM +0100, Tony Finch wrote:
> When the unprivileged child has chrooted it can no longer open
> /etc/resolv.conf, so if the resolver hasn't yet initialized itself then
> dns lookups will not be possible. This is unfortunately what normally
> happens, but sshd falls back gracefully.

can you try this?

Index: sshd.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sshd.c,v retrieving revision 1.253 diff -u -r1.253 sshd.c --- sshd.c 28 Jun 2002 23:05:06 -0000 1.253 +++ sshd.c 29 Jun 2002 19:38:40 -0000
@@ -49,6 +49,8 @@ #include #include +#include + #include "ssh.h" #include "ssh1.h" #include "ssh2.h" @@ -1363,6 +1365,15 @@ setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0) error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); + + /* + * Initialize the resolver. This may not happen automatically + * before privsep chroot(). + */ + if ((_res.options & RES_INIT) == 0) { + debug("res_init()"); + res_init(); + } /* * Register our connection. This turns encryption off because we do From bugzilla-daemon at mindrot.org Sun Jun 30 05:57:00 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 30 Jun 2002 05:57:00 +1000 (EST) Subject: [Bug 322] Anon shared MMAP test fails wrongly under FreeBSD Message-ID: <20020629195700.6C06AE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=322 gert at greenie.muc.de changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |DUPLICATE ------- Additional Comments From gert at greenie.muc.de 2002-06-30 05:56 ------- *** This bug has been marked as a duplicate of 303 *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sun Jun 30 05:57:06 2002 
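Review bot: the @@ -49,6 +49,8 @@ hunk adds the resolver header unconditionally; portable builds should wrap it in a configure-detected guard, since not every supported platform ships that header.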
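Review bot: the @@ -1363,6 +1365,15 @@ hunk dereferences `_res` and calls res_init() with no configure guard; `_res` is a libc global that some platforms do not expose (or expose only as a macro from the resolver header), so it needs the same guard as the include. The placement itself is right: the call has to happen in the privileged parent before the chroot() the quoted text describes, and since the chrooted child can never re-read /etc/resolv.conf, a comment stating that it must stay ahead of privsep setup would stop someone moving it later.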
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 30 Jun 2002 05:57:06 +1000 (EST)
Subject: [Bug 303] conftest fails to determine mmap anon shared
Message-ID: <20020629195706.79894E8FF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=303

gert at greenie.muc.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |chris at by-design.net

------- Additional Comments From gert at greenie.muc.de 2002-06-30 05:57 -------

*** Bug 322 has been marked as a duplicate of this bug. ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From kevin at atomicgears.com Sun Jun 30 06:10:15 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Sat, 29 Jun 2002 13:10:15 -0700
Subject: fd passing pty handling
Message-ID: <20020629201015.GJ1757@jenny.crlsca.adelphia.net>

We don't currently support SVR4-style fd passing which involves I_SENDFD/I_RECVFD ioctls. I'm not sure if that might help some platforms with privsep.

Some platforms that use STREAMS ptys use a set-uid root helper to handle the privileged portions of pty creation. grantpt(3) has a bit more info.

on Solaris 8 it's: /usr/lib/pt_chmod
on HP-UX it's: /usr/lbin/chgpt

Perhaps this may be useful to support. Someone want to investigate that?

From carlah at oc-net.com Sun Jun 30 08:32:26 2002
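The BSD-style mechanism Kevin contrasts with the SVR4 I_SENDFD/I_RECVFD ioctls is sendmsg()/recvmsg() with an SCM_RIGHTS control message over a UNIX-domain socket: it is how the privsep monitor hands descriptors such as the pty to the unprivileged child, and the SCM_RIGHTS symbol is the one Bug 311 earlier in this digest could not find in the Cobalt's glibc headers. What follows is an added example, not OpenSSH's monitor_fdpass.c: it passes the read end of a pipe across a socketpair, reads the pipe's contents through the received copy after the sender has closed its own, and shows the receiver refusing a message that carries no descriptor. The function names (send_fd, recv_fd, fd_passing_roundtrip, recv_without_rights) and the sample payload are this example's own.

```c
/*
 * Added example (not OpenSSH's monitor_fdpass.c): pass a file descriptor
 * between the two ends of a UNIX-domain socket with an SCM_RIGHTS control
 * message, the BSD-style fd passing the privsep monitor relies on.
 */
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Send fd over sock. Returns 0 on success, -1 on error. */
int send_fd(int sock, int fd)
{
	struct msghdr msg;
	struct iovec iov;
	struct cmsghdr *cmsg;
	char ch = 'F';			/* one data byte: sendmsg needs a payload */
	union {
		struct cmsghdr hdr;	/* forces correct alignment of buf */
		char buf[CMSG_SPACE(sizeof(int))];
	} cmsgbuf;

	memset(&msg, 0, sizeof(msg));
	memset(&cmsgbuf, 0, sizeof(cmsgbuf));
	iov.iov_base = &ch;
	iov.iov_len = 1;
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = cmsgbuf.buf;
	msg.msg_controllen = sizeof(cmsgbuf.buf);

	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));

	return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one fd from sock. Returns the new descriptor, or -1 when the
 * message carried no SCM_RIGHTS payload; the caller must never assume
 * that a descriptor arrived just because a byte did. */
int recv_fd(int sock)
{
	struct msghdr msg;
	struct iovec iov;
	struct cmsghdr *cmsg;
	char ch;
	int fd;
	union {
		struct cmsghdr hdr;
		char buf[CMSG_SPACE(sizeof(int))];
	} cmsgbuf;

	memset(&msg, 0, sizeof(msg));
	memset(&cmsgbuf, 0, sizeof(cmsgbuf));
	iov.iov_base = &ch;
	iov.iov_len = 1;
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = cmsgbuf.buf;
	msg.msg_controllen = sizeof(cmsgbuf.buf);

	if (recvmsg(sock, &msg, 0) != 1)
		return -1;
	cmsg = CMSG_FIRSTHDR(&msg);
	if (cmsg == NULL || cmsg->cmsg_len < CMSG_LEN(sizeof(int)) ||
	    cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS)
		return -1;		/* no descriptor in this message */
	memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
	return fd;
}

/* Constructed demonstration: hand the read end of a pipe across a
 * socketpair, close the sender's copy, then read the pipe through the
 * receiver's copy. Returns the byte count read when the data matches,
 * -1 on a setup or passing error, -2 on a data mismatch. */
int fd_passing_roundtrip(void)
{
	int sv[2], pfd[2], fd;
	char buf[16];
	ssize_t n;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1 || pipe(pfd) == -1)
		return -1;
	if (write(pfd[1], "privsep", 7) != 7 || send_fd(sv[0], pfd[0]) == -1)
		return -1;
	close(pfd[0]);			/* an in-flight fd survives the sender's close */
	if ((fd = recv_fd(sv[1])) == -1)
		return -1;
	n = read(fd, buf, sizeof(buf));
	close(fd); close(pfd[1]); close(sv[0]); close(sv[1]);
	if (n != 7)
		return -2;
	return memcmp(buf, "privsep", 7) == 0 ? 7 : -2;
}

/* Edge case: a plain byte with no control message must not yield an fd. */
int recv_without_rights(void)
{
	int sv[2], r;
	char ch = 'x';

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
		return -1;
	if (write(sv[0], &ch, 1) != 1)
		return -1;
	r = recv_fd(sv[1]);		/* -1: nothing arrived as a descriptor */
	close(sv[0]); close(sv[1]);
	return r;
}
```

The receiver checks level, type and length of the control message before trusting the payload; in a privsep design the socket carries messages from a process of a different privilege level, so a handler that blindly reads CMSG_DATA could treat ordinary bytes as a descriptor number.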
From: carlah at oc-net.com (Carla Koerner Hein)
Date: Sat, 29 Jun 2002 15:32:26 -0700
Subject: TO SYMMETRY AND ASYMMETRY-----NOW ADD SUPERSYMMETRY
Message-ID: <000701c21fbc$d8cfb980$35ee68cf@Koerner>

Open Letter to Developers,

Is there any way you can cut through the mob scene at Homeland Defense with a powerful new encryption/decryption formula? The government cryptography bunch are stuck in symmetry and asymmetry and are deaf/dumb/blind to supersymmetry. When it's so easy to line up a supersymmetrical hypercube fractal-to-fractal, pair-to-pair, quantum-to-quantum and slice through all the mathematical protocols using set-to-set precision, it's clear that perfect internet or banking security can be accomplished in minutes----not months, years, decades. Cheesh!!

To date, 40-bit encryption is standard and 120-bit is called "deep encryption". It isn't! On a supersymmetrical hypercube that is merely 7 X 7, set-to-set. That's child's play in supersymmetry. Try 8 X 8 (256-bit), 9 X 9 (512-bit), or 10 X 10-bit (1,024-bit) set-to-set encryption/decryption. That's not multiplication---that's powers of ten expressed in multiple progressions.

The worst thing that can happen is that some Third World power can discover that supersymmetrical hypercubes work anywhere, for anybody, who is smart enough to employ set-to-set calculations. Whenever the Washington bureaucrats discover that every "Top Secret" file coded in 120-bit encryption has been hacked by an outsider with 1,024-bit decryption and coredumped on the Internet for worldwide inspection and derision----it's too late! I give up!

I'd be happy to discuss hypercubes, set-to-set calculation or any aspect of supersymmetrical encryption/decryption with anyone who can jolt the Homeland Defense boys to attention. Can you do it?

Carla Koerner Hein
Voice (714) 821-5778 Call Me! I need feedback!
Fax (714) 821-6216
carlah at oc-net.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020629/b507506d/attachment.html

From bugzilla-daemon at mindrot.org Sun Jun 30 09:17:46 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 30 Jun 2002 09:17:46 +1000 (EST)
Subject: [Bug 324] New: privsep break KRB4 auth, KRB4 TGT forwarding and AFS token forwarding
Message-ID: <20020629231746.67067E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=324

           Summary: privsep break KRB4 auth, KRB4 TGT forwarding and AFS token forwarding
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: jan.iven at cern.ch

Since all of KRB4/KRB5 authentication (in protocol 1), TGT and AFS token forwarding are privileged operations, all fail with privsep. The attached patch seems to fix this at least for KRB4 auth, KRB4 TGTs and AFS tokens (cannot try KRB5 here). Please review and consider for future inclusion.

Thanks,
Jan

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun Jun 30 09:19:58 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 30 Jun 2002 09:19:58 +1000 (EST)
Subject: [Bug 324] privsep break KRB4 auth, KRB4 TGT forwarding and AFS token forwarding
Message-ID: <20020629231958.C4A99E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=324

------- Additional Comments From jan.iven at cern.ch 2002-06-30 09:19 -------

Created an attachment (id=125)
KRB4/KRB5/AFS with privsep

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun Jun 30 09:37:42 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 30 Jun 2002 09:37:42 +1000 (EST)
Subject: [Bug 325] New: PermitRootLogin forced-commands-only & privsep - not working together
Message-ID: <20020629233742.BC44CE8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=325

           Summary: PermitRootLogin forced-commands-only & privsep - not working together
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: jfm at bitfactor.com

After upgrading to the latest OpenSSH version 3.4p1, a couple of my backup scripts failed w/ "Permission denied.". After I disabled privsep w/ "UsePrivilegeSeparation no", the backup scripts started working again. Of course, I would like to re-enable privsep.

If additional information from me would be helpful, please don't hesitate to ask.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun Jun 30 11:08:58 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 30 Jun 2002 11:08:58 +1000 (EST)
Subject: [Bug 322] Anon shared MMAP test fails wrongly under FreeBSD
Message-ID: <20020630010858.2226DE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=322

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

------- Additional Comments From mouring at eviladmin.org 2002-06-30 11:08 -------

already solved in CVS tree

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From vinschen at redhat.com Sun Jun 30 23:43:07 2002
From: vinschen at redhat.com (Corinna Vinschen) Date: Sun, 30 Jun 2002 15:43:07 +0200 Subject: privilege separation breaks dns lookups In-Reply-To: <20020629193835.GG1757@jenny.crlsca.adelphia.net> References: <20020626232631.F26954@chiark.greenend.org.uk> <20020629193835.GG1757@jenny.crlsca.adelphia.net> Message-ID: <20020630154307.B12869@cygbert.vinschen.de> On Sat, Jun 29, 2002 at 12:38:35PM -0700, Kevin Steves wrote: > On Wed, Jun 26, 2002 at 11:26:31PM +0100, Tony Finch wrote: > > When the unprivileged child has chrooted it can no longer open > > /etc/resolv.conf, so if the resolver hasn't yet initialized itself then > > dns lookups will not be possible. This is unfortunately what normally > > happens, but sshd falls back gracefully. > > can you try this? Please don't do this w/o checking for existence of the resolver lib. See below. Corinna > Index: sshd.c > =================================================================== > RCS file: /cvs/src/usr.bin/ssh/sshd.c,v > retrieving revision 1.253 > diff -u -r1.253 sshd.c > --- sshd.c 28 Jun 2002 23:05:06 -0000 1.253 > +++ sshd.c 29 Jun 2002 19:38:40 -0000 > @@ -49,6 +49,8 @@ > #include > #include > #ifdef HAVE_RESOLV_H > +#include > + #endif > #include "ssh.h" > #include "ssh1.h" > #include "ssh2.h" 
> @@ -1363,6 +1365,15 @@ > setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, > sizeof(on)) < 0) > error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); #ifdef HAVE_RESOLV_H > + > + /* > + * Initialize the resolver. This may not happen automatically > + * before privsep chroot(). > + */ > + if ((_res.options & RES_INIT) == 0) { > + debug("res_init()"); > + res_init(); > + } #endif > > /* > * Register our connection. This turns encryption off because we do > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From des at ofug.org Wed Jun 26 23:40:30 2002 From: des at ofug.org (Dag-Erling Smorgrav) Date: 26 Jun 2002 15:40:30 +0200 Subject: Full FreeBSD patchset Message-ID: A non-text attachment was scrubbed... Name: openssh.diff Type: text/x-patch Size: 49208 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020626/8f94fb5b/attachment.bin From seth at kokos.cz Fri Jun 28 04:21:14 2002 
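Review bot: in the quoted sshd.c hunks the `#ifdef HAVE_RESOLV_H` and `#endif` lines are inserted as bare, unquoted lines without a leading `+`, so the patch as shown no longer applies cleanly; resend them as `+` lines in both hunks. The guard also only proves that the header exists: the second block uses `_res` and res_init(), which a platform can lack even with the header present, so the configure check should look for those symbols as well.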
From: seth at kokos.cz (seth at kokos.cz)
Date: Thu, 27 Jun 2002 20:21:14 +0200
Subject: (no subject)
Message-ID: <5136896824.20020627202114@kokos.cz>

Hi Phil, answer to your questions:

> Which specific Slackware? Too embarrassed to say?

Really, really don't know exactly. :) Installed approx. 5 years ago (maybe 4.5, 4.6, maybe 5.0 ... who knows now ... )

> Which OpenSSL? 0.9.6a? 0.9.6b? 0.9.6c? 0.9.6d?

Only info I found is 0.9.6. Let's suppose it's 0.9.6. ;)

> How about telling me how long you're going to leave this machine
> running such an old system? Slackware 8.1 is out now. Be sure
> to get the "patches" directory, which includes OpenSSH 3.4p1.

As long as it will be able to make its job. :) First, it's working 5 years with only minor problems (patching from time to time). Second, I now do not have regular access to HW of this machine so complete re-installing with new version is not possible. Nobody else will do that. It's configured and tuned. It's working. That's the point. We know it's old. Doesn't matter.

Speaking frankly, I expected answer of type - upgrade kernel to version bla bla bla or list of versions and components required for successful compilation.

Let's look at problematic code in file monitor_fdpass.c: (really don't know what's going on in code ... looks like it has something to do with patching last security bug ???? because of talking about UsePrivilegeSeparation inside the method )