From info at isc2.org Mon Sep 2 09:23:23 2002 
From: info at isc2.org (Anthony Baratta, CISSP)
Date: Sun, 1 Sep 2002 13:23:23 -1000
Subject: Legal Notification
Message-ID: <005401c2520e$914b82e0$0400a8c0@localhost>

Legal Notification

You are hereby informed that (under the privacy act), the International Information System Security Certification Consortium (ISC)2 has sold your information including, Name, E-Mail address, Residential address, Credit and savings information, Social Security information, and Occupation details. This information has been sold to a third Party \ Parties and this E-mail serves as notification for such action. This information was sold under the premise for marketing and research.

Under the privacy act you may request to see in writing any information that we have about you. Please write to the following address with a self addressed envelope.

(ISC)2
860 Worcester Rd., Ste 101
Framingham, Ma 01702
U.S.A

If you have any questions about the third Party \ Parties please inquire with them. The International Information System Security Certification Consortium (ISC)2 is no longer responsible for the information sold. (ISC)2 will hold no responsibility for damages and loss suffered by the reader of this E-mail. (ISC)2 is not responsible for the actions of third party companies.

Upon written request we will consider deleting records that we currently hold about you. A processing fee of $ 10.00 will apply. Please make out this check to (ISC)2 and an application form will be mailed to you in order to complete this request.

Please visit our web site for more information about our organization http://www.isc2.org

If you decline this offer by the 31 Sep 2002 a charge of $50 will be deducted from your account. This charge will cover services that our organization provides to secure the internet.

Thank you
Manager of Professional Programs
Anthony Baratta, CISSP
abaratta at isc2.org
Contact E-Mail info at isc2.org
From: dan at doxpara.com (Dan Kaminsky)
Date: Sun, 01 Sep 2002 17:46:30 -0700
Subject: Legal Notification [troll]
References: <005401c2520e$914b82e0$0400a8c0@localhost>
Message-ID: <3D72B4E6.10109@doxpara.com>

All,

It is likely that the recent letter from "isc2.org" -- now, with new and improved "psycho-lawyer-blackmailspeak" -- is quite the hoax, intended to spawn some hideous Slashdot YRO hyperventa-fest. Let's just say American legal letters citing unspecific privacy acts offering to "consider" ceasing *further* illegal sales don't usually get sent to public forums on non-workdays from the Trentino-Alto Adige region of Italy :-)

I suspect isc2 has been dealing with this for a while, given the front page treatment they provide to spoofed emails.

--Dan

From: security at lists.andrewhay.ca (Andrew "Grand Puba" Hay)
Date: Mon, 2 Sep 2002 10:19:59 -0400
Subject: x.509 Authentication for openssh?
Message-ID: <001f01c2528b$d2272df0$8d01010a@Idun>

Hey,

Does anyone know if openssh (any version) supports x.509 authentication? Please let me know.

.. Andrew Hay (a.k.a. Grand Puba) ..
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 2 Sep 2002 16:35:25 +0200
Subject: x.509 Authentication for openssh?
In-Reply-To: <001f01c2528b$d2272df0$8d01010a@Idun>
References: <001f01c2528b$d2272df0$8d01010a@Idun>
Message-ID: <20020902143525.GA3318@faui02>

On Mon, Sep 02, 2002 at 10:19:59AM -0400, Andrew Grand Puba Hay wrote:
> Does anyone know if openssh (any version) supports x.509 authentication?
> Please let me know.

openssh does not support any form of x.509 authentication, but there are patches. check the mailing list archive.

-m
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 3 Sep 2002 12:27:47 +1000 (EST)
Subject: [Bug 336] ssh does not compile on Linux with libc5 and 2.0 kernel
Message-ID: <20020903022747.DC6BF3D150@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=336

------- Additional Comments From gaston at ips.edu.ar 2002-09-03 12:27 -------

configure:13893: checking for msg_accrights field in struct msghdr
configure:13922: gcc -o conftest -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I/usr/local/ssl/include -L/usr/local/ssl/lib conftest.c -lbsd -lz -lcrypto >&5
configure: In function `main':
configure:13914: structure has no member named `msg_accrights'
configure:13925: $? = 1
configure: program exited with status 1
configure: failed program was:
#line 13904 "configure"
#include "confdefs.h"
#include
#include
#include
int main() {
#ifdef msg_accrights
exit(1);
#endif
struct msghdr m; m.msg_accrights = 0;
exit(0);
}
configure:13945: result: no
configure:13954: checking for msg_control field in struct msghdr
configure:13983: gcc -o conftest -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I/usr/local/ssl/include -L/usr/local/ssl/lib conftest.c -lbsd -lz -lcrypto >&5

ac_cv_have_accrights_in_msghdr=no
ac_cv_have_clock_t=yes
ac_cv_have_control_in_msghdr=yes

#define HAVE_CONTROL_IN_MSGHDR 1

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From: harbaugh at nciaxp.ncifcrf.gov (Toni L. Harbaugh-Blackford)
Date: Tue, 3 Sep 2002 11:00:35 -0400 (EDT)
Subject: possible fundamental problem with tru64 patch
In-Reply-To: <020830173444.202007e7@ANLMEP.PHY.ANL.GOV>
Message-ID:

Hi-

I've been going over various documentation I have on the sia routines, and I think there is a fundamental problem that correcting terminal characteristics won't fix.

I tried various manipulations of the file descriptors and open files within the setup_sia routine and although I was able to get the 'Error in terminal setup' message to disappear the sia_ses_estab() routine still failed.

On Fri, 30 Aug 2002, David Potterveld wrote:

> (1) There are two sshd processes. One is running as root, and the other
> as the user I logged with using the client. The root process is the
> one in the debugger, which I've been calling the privileged process,
> and the other one I called the unprivileged process. There is also
> a user process running a shell, connected to the client through a pty.
> <... text deleted...>
>
> Now, if I step through setup_sia() in the debugger, I get an error return
> from sia_ses_estab(), so that fatal() is called, which results in
> session_pty_cleanup() being called, which resets the pty ownership back
> to the default:
>
> crw-rw-rw- 2 root system 6, 3 Aug 30 17:05 /dev/ttyp3
>
> This is the state you were finding things in. I suspect that what happens is,
> the privileged process forks, sets up the pty, and becomes the user all on its
> own, and then the privileged process starts doing the sia stuff.

Yes, and that is the fundamental problem. From the documentation I've seen, it does not appear that one process can set up a SIA session for another process. If a process needs a SIA session, it has to set up the session itself as root, *then* become whoever it needs to be. This is what happens when privsep is disabled.
When privsep is off, do_child() is running as uid 0, and calls setup_sia() *directly* within the same process.

It appears that the integration of the sia session setup will either have to be rethought or abandoned in order for privsep to work.

-----------------------------------------------------------------------
Toni Harbaugh-Blackford                   harbaugh at nciaxp.ncifcrf.gov
AlphaServer 8400 System Administrator
SAIC/NCI Frederick Advanced Biomedical Computing Center

From: jeremy.ellington at newisys.com (Jeremy Ellington)
Date: Tue, 3 Sep 2002 10:24:24 -0500
Subject: Patch so that sshd makes use of PAM_USER
Message-ID:

I think I have it down now. ;-) Thanks.

BTW, what do I have to do to actually get this merged?

-----Original Message-----
From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org]
Sent: Friday, August 30, 2002 11:50 PM
To: Jeremy Ellington
Subject: RE: Patch so that sshd makes use of PAM_USER

You're still not following:

http://www.openbsd.org/cgi-bin/man.cgi?query=style

Which makes it much harder to read and makes all the portable developers less likely to even read the patch, much less apply it, since we then have to go back and fix it.

General rules:

* Tab for blocks
* If you span two lines 4 spaces are used to indent the second line.
* avoid using { } if you don't have two or more clauses or where you are doing multiple if () near each other and the compiler/reader could become confused.

Also, the rule of thumb for portable is make the least amount of impact on the code. Otherwise it makes my life an utter hell when doing CVS syncs.

- Ben

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_user.diff
Type: application/octet-stream
Size: 4119 bytes
Desc: pam_user.diff
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020903/53d610f1/attachment.obj
From: austin at coremetrics.com (Austin Gonyou)
Date: 03 Sep 2002 18:02:13 -0500
Subject: post upload handling with sftp-server.
Message-ID: <1031094133.2483.0.camel@UberGeek.coremetrics.com>

Is there something like this that's possible? Maybe by wrapping sftp-server or some such thing?

--
Austin Gonyou
Coremetrics, Inc.

From: djm at mindrot.org (Damien Miller)
Date: Wed, 4 Sep 2002 10:54:39 +1000 (EST)
Subject: post upload handling with sftp-server.
In-Reply-To: <1031094133.2483.0.camel@UberGeek.coremetrics.com>
Message-ID:

On 3 Sep 2002, Austin Gonyou wrote:

> Is there something like this that's possible? Maybe by wrapping
> sftp-server or some such thing?

What do you mean by "post-upload" support? Commands run after an upload is completed? sftp doesn't (and won't) support that.

-d
From: cmadams at hiwaay.net (Chris Adams)
Date: Tue, 3 Sep 2002 22:14:57 -0500
Subject: possible fundamental problem with tru64 patch
In-Reply-To: ; from harbaugh@nciaxp.ncifcrf.gov on Tue, Sep 03, 2002 at 11:00:35AM -0400
References: <020830173444.202007e7@ANLMEP.PHY.ANL.GOV>
Message-ID: <20020903221457.A120780@hiwaay.net>

Once upon a time, Toni L. Harbaugh-Blackford said:
> It appears that the integration of the sia session setup will either
> have to be rethought or abandoned in order for privsep to work.

That was the conclusion I came to a while back. I'd like to keep pre-auth privsep (because that works fine and does help somewhat), but I don't think it is possible to do post-auth privsep on Tru64, at least when Enhanced Security or auditing are enabled (if they aren't, I think you can still do "--disable-sia", although I haven't tried that in a long time now).

I was hoping that Ben Lindstrom would prove me wrong (and I apologize for not ever getting around to helping - I've got all fifty-some list messages about Tru64 and privsep still saved, but work's been crazy, I only have access to a Tru64 devel box at work, and this isn't a priority to work with the other stuff going on). When I last looked at it in depth I hadn't really gotten a good handle on how privsep worked, so I figured I was just missing something.

I'd suggest the following patch against openssh-SNAP-20020826. Most of it is a cleanup patch from a while back that I submitted too late for 3.4p1 and didn't resend after that I guess. The other defines DISABLE_FD_PASSING when SIA is enabled, which effectively turns off post-auth privsep. Note that I haven't been able to try it with the latest snapshot, as I'm not at my devel box and I don't have the correct version of autoconf installed at the moment (need the old one for some other stuff I've got and haven't finagled them into working together yet).
-- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. diff -urN openssh-SNAP-20020826/auth-sia.c openssh/auth-sia.c --- openssh-SNAP-20020826/auth-sia.c Fri Apr 12 10:36:08 2002 +++ openssh/auth-sia.c Tue Sep 3 22:03:16 2002 @@ -45,27 +45,25 @@ extern int saved_argc; extern char **saved_argv; -extern int errno; - int auth_sia_password(Authctxt *authctxt, char *pass) { int ret; SIAENTITY *ent = NULL; const char *host; - char *user = authctxt->user; host = get_canonical_hostname(options.verify_reverse_mapping); - if (!user || !pass || pass[0] == '\0') + if (!authctxt->user || !pass || pass[0] == '\0') return(0); - if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0, - NULL) != SIASUCCESS) + if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user, + NULL, 0, NULL) != SIASUCCESS) return(0); if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { - error("Couldn't authenticate %s from %s", user, host); + error("Couldn't authenticate %s from %s", authctxt->user, + host); if (ret & SIASTOP) sia_ses_release(&ent); return(0); 
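Review bot: with `extern int errno;` removed in this hunk, auth-sia.c still relies on errno through `strerror(errno)` further down the file, so the change only compiles if <errno.h> is already pulled in (directly or via includes.h); worth confirming on the Tru64 box before this goes in, since the covering message says it has not been built against the current snapshot. Replacing the `user` local with `authctxt->user` is fine as a style change, and the NULL check still happens before the pointer reaches `sia_ses_init`.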
@@ -77,48 +75,35 @@ } void -session_setup_sia(char *user, char *tty) +session_setup_sia(struct passwd *pw, char *tty) { - struct passwd *pw; SIAENTITY *ent = NULL; const char *host; - host = get_canonical_hostname (options.verify_reverse_mapping); + host = get_canonical_hostname(options.verify_reverse_mapping); - if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, - NULL) != SIASUCCESS) { + if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name, tty, + 0, NULL) != SIASUCCESS) fatal("sia_ses_init failed"); - } - if ((pw = getpwnam(user)) == NULL) { - sia_ses_release(&ent); - fatal("getpwnam: no user: %s", user); - } if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) { sia_ses_release(&ent); fatal("sia_make_entity_pwd failed"); } ent->authtype = SIA_A_NONE; - if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) { - fatal("Couldn't establish session for %s from %s", user, - host); - } - - if (setpriority(PRIO_PROCESS, 0, 0) == -1) { - sia_ses_release(&ent); - fatal("setpriority: %s", strerror (errno)); - } + if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) + fatal("Couldn't establish session for %s from %s", + pw->pw_name, host); - if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) { - fatal("Couldn't launch session for %s from %s", user, host); - } + if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) + fatal("Couldn't launch session for %s from %s", pw->pw_name, + host); sia_ses_release(&ent); - if (setreuid(geteuid(), geteuid()) < 0) { + if (setreuid(geteuid(), geteuid()) < 0) fatal("setreuid: %s", strerror(errno)); - } } #endif /* HAVE_OSF_SIA */ diff -urN openssh-SNAP-20020826/auth-sia.h openssh/auth-sia.h --- openssh-SNAP-20020826/auth-sia.h Fri Apr 12 10:36:08 2002 +++ openssh/auth-sia.h Tue Sep 3 22:03:16 2002 
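Review bot: the `setpriority(PRIO_PROCESS, 0, 0)` block deleted in this hunk is a behaviour change rather than cleanup, and neither the hunk nor the covering message says why it can go; state the reason or keep it. The failure paths for `sia_ses_estab` and `sia_ses_launch` still call `fatal()` without `sia_ses_release(&ent)`, while the `sia_make_entity_pwd` path just above releases first; since these lines are being rewritten anyway, make the three consistent. Taking `struct passwd *pw` from the caller instead of repeating `getpwnam(user)` is a good change: the session code and the SIA setup now work from the same passwd entry.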
@@ -27,6 +27,6 @@ #ifdef HAVE_OSF_SIA int auth_sia_password(Authctxt *authctxt, char *pass); -void session_setup_sia(char *user, char *tty); +void session_setup_sia(struct passwd *pw, char *tty); #endif /* HAVE_OSF_SIA */ diff -urN openssh-SNAP-20020826/configure.ac openssh/configure.ac --- openssh-SNAP-20020826/configure.ac Tue Aug 13 20:52:11 2002 +++ openssh/configure.ac Tue Sep 3 22:07:41 2002 @@ -314,6 +314,7 @@ AC_MSG_RESULT(yes) AC_DEFINE(HAVE_OSF_SIA) AC_DEFINE(DISABLE_LOGIN) + AC_DEFINE(DISABLE_FD_PASSING) LIBS="$LIBS -lsecurity -ldb -lm -laud" else AC_MSG_RESULT(no) diff -urN openssh-SNAP-20020826/session.c openssh/session.c --- openssh-SNAP-20020826/session.c Wed Jul 31 20:28:39 2002 +++ openssh/session.c Tue Sep 3 22:03:16 2002 @@ -1280,7 +1280,7 @@ */ if (!options.use_login) { #ifdef HAVE_OSF_SIA - session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty); + session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty); if (!check_quietlogin(s, command)) do_motd(); #else /* HAVE_OSF_SIA */ From rwk at americom.com Wed Sep 4 18:34:20 2002 From: rwk at americom.com (rwk at americom.com) Date: 4 Sep 2002 08:34:20 -0000 Subject: XDMCP forwarding Message-ID: <20020904083420.12193.qmail@solo.americom.com> I don't know if this is a bug or a limitation in ssh2 but I am unable to get get an xdm (or gdm) login on my machine at home through an ssh tunnel through our firewall at work. Should this be possible using ssh port forwarding? Please reply to me at: rwk at americom.com Thanks, Dick From dtucker at zip.com.au Wed Sep 4 22:42:36 2002 
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 04 Sep 2002 22:42:36 +1000
Subject: XDMCP forwarding
References: <20020904083420.12193.qmail@solo.americom.com>
Message-ID: <3D75FFBB.8D6126D9@zip.com.au>

rwk at americom.com wrote:
> I don't know if this is a bug or a limitation in ssh2 but I am unable to
> get an xdm (or gdm) login on my machine at home through an ssh
> tunnel through our firewall at work.
>
> Should this be possible using ssh port forwarding?

No. XDMCP is UDP based. See: http://tldp.org/HOWTO/XDMCP-HOWTO/procedure.html#SECURITY which says, in part, "Unfortunately, XDMCP uses UDP, not TCP, therefore, it is not natively able to use it with SSH."

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From: mario.paumann at gmx.net (Mario Paumann)
Date: Wed, 4 Sep 2002 14:41:45 +0100
Subject: Determining Local IP Address within .profile
Message-ID: <003501c25418$cfdb76d0$ac7be8c2@lan.apa.at>

Hi !

I haven't found an easy solution to determine the local IP to which the remote SSH client is connected to the local SSHD. We use MC/Serviceguard which can create many Interfaces where a remote client could connect and we like to know within .profile which interface the client has connected to.

I've looked at the sourcecode and maybe the following could do something I described:

session.c:871
RCSID("$OpenBSD: session.c,v 1.142 2002/06/26 13:49:26 deraadt Exp $");

do_setup_env:
    child_set_env(&env, &envsize, "SSH_LOCAL_IP",
        get_local_ipaddr(packet_get_connection_in()));

what do you think of it ?

thanx,
mario
From: djm at mindrot.org (Damien Miller)
Date: 04 Sep 2002 23:18:18 +1000
Subject: XDMCP forwarding
In-Reply-To: <3D75FFBB.8D6126D9@zip.com.au>
References: <20020904083420.12193.qmail@solo.americom.com> <3D75FFBB.8D6126D9@zip.com.au>
Message-ID: <1031145498.2976.7.camel@argon>

On Wed, 2002-09-04 at 22:42, Darren Tucker wrote:
> No. XDMCP is UDP based. See:
> http://tldp.org/HOWTO/XDMCP-HOWTO/procedure.html#SECURITY which says, in
> part, "Unfortunately, XDMCP uses UDP, not TCP, therefore, it is not
> natively able to use it with SSH."

There is no standard way to forward UDP over a SSH connection. Even if there was, it would be pretty easy to spoof packets, perhaps even packets to localhost (depending on the OS).

-d

From: dan at doxpara.com (Dan Kaminsky)
Date: Wed, 04 Sep 2002 06:45:53 -0700
Subject: Determining Local IP Address within .profile
References: <003501c25418$cfdb76d0$ac7be8c2@lan.apa.at>
Message-ID: <3D760E91.7090305@doxpara.com>

Mario--

bash-2.05a# set | grep SSH
SSH_CLIENT='10.0.1.37 3985 22'
SSH_TTY=/dev/ttyp2

Don't use IP's for security though, particularly within LAN/VLAN boundaries. Far better to switch on user or user key, at least in terms of security.

--Dan

From: mario.paumann at gmx.net (mario paumann)
Date: Wed, 4 Sep 2002 15:36:25 +0100
Subject: Determining Local IP Address within .profile
References: <003501c25418$cfdb76d0$ac7be8c2@lan.apa.at> <3D760E91.7090305@doxpara.com>
Message-ID: <005b01c25420$72950290$ac7be8c2@lan.apa.at>

Thanx dan, but i mean it as i wrote it.

I need the local ip not the remote ip (which is in SSH_CLIENT).

mario
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 05 Sep 2002 00:17:13 +1000
Subject: Determining Local IP Address within .profile
References: <003501c25418$cfdb76d0$ac7be8c2@lan.apa.at>
Message-ID: <3D7615E9.8DA470EA@zip.com.au>

Mario Paumann wrote:
> I haven't found an easy solution to determine the local IP to which
> the remote SSH client is connected to the local SSHD. We use
> MC/Serviceguard which can create many Interfaces where a remote client
> could connect and we like to know within .profile which interface the
> client has connected to.

I think patching sshd to provide a $SSH_SERVER variable is cleaner, but you could use the client IP and port to look up the matching local ip/port pair via netstat, eg:

remote=`echo $SSH_CLIENT | awk '{print $1":"$2}'`
local=`netstat -n | awk '/'$remote'/{print $4}'`

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
From: dan at doxpara.com (Dan Kaminsky)
Date: Wed, 04 Sep 2002 07:56:45 -0700
Subject: Determining Local IP Address within .profile
References: <003501c25418$cfdb76d0$ac7be8c2@lan.apa.at> <3D760E91.7090305@doxpara.com> <005b01c25420$72950290$ac7be8c2@lan.apa.at>
Message-ID: <3D761F2D.4050004@doxpara.com>

mario paumann wrote:
> Thanx dan, but i mean it as i wrote it.
>
> I need the local ip not the remote ip (which is in SSH_CLIENT).

Actually, that's an interesting problem, deserving of your solution. Right now, we expose:

SSH_CLIENT='10.0.1.37 3985 22'

Technically, this can be used to discover the local socket IP by querying lsof using this genuinely hideous shell script:

#!/bin/sh
REMHOST=`echo $SSH_CLIENT | cut -f1 -d" "`
REMPORT=`echo $SSH_CLIENT | cut -f2 -d" "`
LOCPORT=`echo $SSH_CLIENT | cut -f3 -d" "`
lsof -n -i TCP@$REMHOST:$REMPORT | cut -b57-99 | cut -d':' -f1 | grep -v NAME

This won't work for any security critical systems (end users can select their local port and thus impersonate existing sessions, though this can be checked for by counting the number of lines returned), but it does have the advantage of working on existing systems.

Yes, your method is much nicer though, and I'd actually support a new environment variable -- SSH_SERVER -- to contain the IP of the incoming socket.

--Dan
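As an added example (not code from the thread or from OpenSSH), the lookup Darren and Dan sketch above, written as a .profile-style function that matches the client ip/port pair from $SSH_CLIENT against the socket table and refuses to answer when more than one socket matches, which is Dan's "count the lines returned" caveat made explicit. The netstat column layout and the sample rows are assumptions, constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): derive the sshd-side address of this
# session from $SSH_CLIENT by matching the client ip/port pair against the
# socket table, the idea behind Darren's netstat lookup and Dan's lsof script.
# Unlike those one-liners it refuses an ambiguous answer.
#
# Assumptions (hypothetical): the socket table is passed in as text in the
# "netstat -n" layout used in the thread, one connection per line, with the
# local address in column 4 and the foreign address in column 5, written as
# ip:port (Linux) or ip.port (BSD). IPv4 only.

# ssh_local_ip "<SSH_CLIENT value>" "<netstat -n output>"
# Prints the local IP and returns 0. Returns 1 if no socket matched and
# 2 if more than one did (ambiguous: do not act on it).
ssh_local_ip() {
    ssh_client=$1
    table=$2

    # SSH_CLIENT is "client_ip client_port server_port".
    set -- $ssh_client
    [ $# -eq 3 ] || return 1
    client_ip=$1 client_port=$2 server_port=$3

    # Keep TCP rows whose foreign end is the client and whose local port is
    # the one sshd accepted on; print the local IP of each such row.
    matches=$(printf '%s\n' "$table" | awk -v cip="$client_ip" \
        -v cport="$client_port" -v sport="$server_port" '
        # Split "ip:port" or "ip.port" at the last separator.
        function addr(a, out,    p) {
            p = match(a, /[.:][0-9]+$/)
            out[1] = substr(a, 1, p - 1)
            out[2] = substr(a, p + 1)
        }
        $1 ~ /^tcp/ && NF >= 5 {
            addr($4, l)
            addr($5, f)
            if (f[1] == cip && f[2] == cport && l[2] == sport)
                print l[1]
        }')

    count=$(printf '%s\n' "$matches" | awk 'NF { n++ } END { print n + 0 }')
    case $count in
        0) return 1 ;;
        1) printf '%s\n' "$matches"; return 0 ;;
        *) return 2 ;;
    esac
}

# Constructed sample data for a stand-alone run (not real hosts). In a real
# .profile the call would be: ssh_local_ip "$SSH_CLIENT" "$(netstat -n)"
SAMPLE_CLIENT='10.0.1.37 3985 22'
SAMPLE_TABLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.5:22          10.0.1.37:3985          ESTABLISHED
tcp        0      0 192.168.1.5:22          10.0.1.50:40210         ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:51234         ESTABLISHED'
# BSD-style table: "tcp4" and "." between address and port.
BSD_TABLE='tcp4       0      0  192.168.1.5.22         10.0.1.37.3985         ESTABLISHED'
# The same client pair seen on two local addresses: refuse to guess.
AMBIGUOUS_TABLE='tcp        0      0 192.168.1.5:22          10.0.1.37:3985          ESTABLISHED
tcp        0      0 192.168.2.5:22          10.0.1.37:3985          ESTABLISHED'

if ip=$(ssh_local_ip "$SAMPLE_CLIENT" "$SAMPLE_TABLE"); then
    echo "session was accepted on $ip"
else
    echo "no unique match"
fi
```

Current OpenSSH sets SSH_CONNECTION, whose third field is the server-side address, so on a modern sshd no lookup is needed; either way, as Dan says above, treat the address as informational rather than as an authentication signal.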
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 5 Sep 2002 01:18:15 +1000 (EST)
Subject: [Bug 391] New: ssh -n returning 255 status code
Message-ID: <20020904151815.E08B13D174@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=391

Summary: ssh -n returning 255 status code
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: steve.ridgley at digitalrum.com

Using openSSH3.4p1 on Solaris8, we are having problems with 'ssh -n' returning status code 255 (from echo $?). We have some proprietary code executing ssh -n, and trapping the return status and aborting the script.

We have seen the thread on MARC relating to a similar problem in OpenSSH2.9p1 that says it will be fixed in the future. Our sysadmin guys are reluctant to apply the suggested 2.9 patch to 3.4.

The command that 'succeeds' but returns 255:

/usr/local/bin/ssh -q -o BatchMode=yes -n -l /usr/bin/true

Without the -n, 'echo $?' returns 0

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From: harbaugh at nciaxp.ncifcrf.gov (Toni L. Harbaugh-Blackford)
Date: Wed, 4 Sep 2002 11:43:43 -0400 (EDT)
Subject: uid transition and post-auth privsep (WAS Re: possible fundamental problem with tru64 patch) (fwd)
Message-ID:

What do we lose by not having post-auth privsep?

What code is executed between authorization and actual setting of the effective uid?

On Tue, 3 Sep 2002, Chris Adams wrote:

> Once upon a time, Toni L. Harbaugh-Blackford said:
> > It appears that the integration of the sia session setup will either
> > have to be rethought or abandoned in order for privsep to work.
>
> That was the conclusion I came to a while back. I'd like to keep
> pre-auth privsep (because that works fine and does help somewhat), but I
> don't think it is possible to do post-auth privsep on Tru64, at least
> when Enhanced Security or auditing are enabled (if they aren't, I think
> you can still do "--disable-sia", although I haven't tried that in a
> long time now).
>
> I was hoping that Ben Lindstrom would prove me wrong (and I apologize
> for not ever getting around to helping - I've got all fifty-some list
> messages about Tru64 and privsep still saved, but work's been crazy, I
> only have access to a Tru64 devel box at work, and this isn't a priority
> to work with the other stuff going on). When I last looked at it in
> depth I hadn't really gotten a good handle on how privsep worked, so I
> figured I was just missing something.
>

Where exactly *is* the privsep transition made?

At what point does the process that eventually runs do_child() get its uid set to the real user? Could the setup_sia() routine be moved out of the do_child() function to an earlier phase before the uid is changed?

It appears that if setup_sia() were to be moved out of do_child() that would mean that no pty would be passed to the session unless creation of the pty were moved out also.

But then again whether this is worth doing depends on what we lose if we drop post-auth privsep.
> I'd suggest the following patch against openssh-SNAP-20020826. Most of > it is cleanup patch from a while back that I submitted too late for > 3.4p1 and didn't resend after that I guess. The other defines > DISABLE_FD_PASSING when SIA is enabled, which effectively turns off > post-auth privsep. So if DISABLE_FD_PASSING turns privsep off, does that mean that session_setup_sia() will be run directly by do_child(), which at that point will be effective uid 0? > Note that I haven't been able to try it with the > latest snapshot, as I'm not at my devel box and I don't have the correct > version of autoconf installed at the moment (need the old one for some > other stuff I've got and haven't finagled them into working together > yet). > I'll give the patch a try. Thanks, Toni > diff -urN openssh-SNAP-20020826/auth-sia.c openssh/auth-sia.c > --- openssh-SNAP-20020826/auth-sia.c Fri Apr 12 10:36:08 2002 > +++ openssh/auth-sia.c Tue Sep 3 22:03:16 2002 > @@ -45,27 +45,25 @@ > extern int saved_argc; > extern char **saved_argv; > > -extern int errno; > - > int > auth_sia_password(Authctxt *authctxt, char *pass) > { > int ret; > SIAENTITY *ent = NULL; > const char *host; > - char *user = authctxt->user; > > host = get_canonical_hostname(options.verify_reverse_mapping); > > - if (!user || !pass || pass[0] == '\0') > + if (!authctxt->user || !pass || pass[0] == '\0') > return(0); > > - if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0, > - NULL) != SIASUCCESS) > + if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user, > + NULL, 0, NULL) != SIASUCCESS) > return(0); > > if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { > - error("Couldn't authenticate %s from %s", user, host); > + error("Couldn't authenticate %s from %s", authctxt->user, > + host); > if (ret & SIASTOP) > sia_ses_release(&ent); > return(0); 
> @@ -77,48 +75,35 @@ > } > > void > -session_setup_sia(char *user, char *tty) > +session_setup_sia(struct passwd *pw, char *tty) > { > - struct passwd *pw; > SIAENTITY *ent = NULL; > const char *host; > > - host = get_canonical_hostname (options.verify_reverse_mapping); > + host = get_canonical_hostname(options.verify_reverse_mapping); > > - if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, > - NULL) != SIASUCCESS) { > + if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name, tty, > + 0, NULL) != SIASUCCESS) > fatal("sia_ses_init failed"); > - } > > - if ((pw = getpwnam(user)) == NULL) { > - sia_ses_release(&ent); > - fatal("getpwnam: no user: %s", user); > - } > if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) { > sia_ses_release(&ent); > fatal("sia_make_entity_pwd failed"); > } > > ent->authtype = SIA_A_NONE; > - if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) { > - fatal("Couldn't establish session for %s from %s", user, > - host); > - } > - > - if (setpriority(PRIO_PROCESS, 0, 0) == -1) { > - sia_ses_release(&ent); > - fatal("setpriority: %s", strerror (errno)); > - } > + if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) > + fatal("Couldn't establish session for %s from %s", > + pw->pw_name, host); > > - if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) { > - fatal("Couldn't launch session for %s from %s", user, host); > - } > + if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) > + fatal("Couldn't launch session for %s from %s", pw->pw_name, > + host); > > sia_ses_release(&ent); > > - if (setreuid(geteuid(), geteuid()) < 0) { > + if (setreuid(geteuid(), geteuid()) < 0) > fatal("setreuid: %s", strerror(errno)); > - } > } > > #endif /* HAVE_OSF_SIA */ > diff -urN openssh-SNAP-20020826/auth-sia.h openssh/auth-sia.h > --- openssh-SNAP-20020826/auth-sia.h Fri Apr 12 10:36:08 2002 > +++ openssh/auth-sia.h Tue Sep 3 22:03:16 2002 
> @@ -27,6 +27,6 @@ > #ifdef HAVE_OSF_SIA > > int auth_sia_password(Authctxt *authctxt, char *pass); > -void session_setup_sia(char *user, char *tty); > +void session_setup_sia(struct passwd *pw, char *tty); > > #endif /* HAVE_OSF_SIA */ > diff -urN openssh-SNAP-20020826/configure.ac openssh/configure.ac > --- openssh-SNAP-20020826/configure.ac Tue Aug 13 20:52:11 2002 > +++ openssh/configure.ac Tue Sep 3 22:07:41 2002 > @@ -314,6 +314,7 @@ > AC_MSG_RESULT(yes) > AC_DEFINE(HAVE_OSF_SIA) > AC_DEFINE(DISABLE_LOGIN) > + AC_DEFINE(DISABLE_FD_PASSING) > LIBS="$LIBS -lsecurity -ldb -lm -laud" > else > AC_MSG_RESULT(no) > diff -urN openssh-SNAP-20020826/session.c openssh/session.c > --- openssh-SNAP-20020826/session.c Wed Jul 31 20:28:39 2002 > +++ openssh/session.c Tue Sep 3 22:03:16 2002 > @@ -1280,7 +1280,7 @@ > */ > if (!options.use_login) { > #ifdef HAVE_OSF_SIA > - session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty); > + session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty); > if (!check_quietlogin(s, command)) > do_motd(); > #else /* HAVE_OSF_SIA */ > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > ----------------------------------------------------------------------- Toni Harbaugh-Blackford harbaugh at nciaxp.ncifcrf.gov AlphaServer 8400 System Administrator SAIC/NCI Frederick Advanced Biomedical Computing Center From mouring at etoh.eviladmin.org Thu Sep 5 02:31:44 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 4 Sep 2002 11:31:44 -0500 (CDT)
Subject: uid transition and post-auth privsep (WAS Re: possible fundamental problem with tru64 patch) (fwd)
In-Reply-To:
Message-ID:

Grep through the code for the PRIVSEP() macro. Anything that requires root (adding new TTY sessions if you're using ssh corp's windows client, cleaning up after TTY sessions, etc) will reclaim root privs before running.

- Ben

On Wed, 4 Sep 2002, Toni L. Harbaugh-Blackford wrote:

>
> What do we lose by not having post-auth privsep?
>
> What code is executed between authorization and actual setting of the
> effective uid?
>
> On Tue, 3 Sep 2002, Chris Adams wrote:
>
> > Once upon a time, Toni L. Harbaugh-Blackford said:
> > > It appears that the integration of the sia session setup will either
> > > have to be rethought or abandoned in order for privsep to work.
> >
> > That was the conclusion I came to a while back. I'd like to keep
> > pre-auth privsep (because that works fine and does help somewhat), but I
> > don't think it is possible to do post-auth privsep on Tru64, at least
> > when Enhanced Security or auditing are enabled (if they aren't, I think
> > you can still do "--disable-sia", although I haven't tried that in a
> > long time now).
> >
> > I was hoping that Ben Lindstrom would prove me wrong (and I apologize
> > for not ever getting around to helping - I've got all fifty-some list
> > messages about Tru64 and privsep still saved, but work's been crazy, I
> > only have access to a Tru64 devel box at work, and this isn't a priority
> > to work with the other stuff going on). When I last looked at it in
> > depth I hadn't really gotten a good handle on how privsep worked, so I
> > figured I was just missing something.
> >
>
> Where exactly *is* the privsep transition made?
>
> At what point does the process that eventually runs do_child()
> get its uid set to the real user?
> Could the setup_sia() routine
> be moved out of the do_child() function to an earlier phase before
> the uid is changed?
>
> It appears that if setup_sia() were to be moved out of do_child()
> that would mean that no pty would be passed to the session unless
> creation of the pty were moved out also.
>
> But then again whether this is worth doing depends on what we lose if
> we drop post-auth privsep.
>
> > I'd suggest the following patch against openssh-SNAP-20020826. Most of
> > it is cleanup patch from a while back that I submitted too late for
> > 3.4p1 and didn't resend after that I guess. The other defines
> > DISABLE_FD_PASSING when SIA is enabled, which effectively turns off
> > post-auth privsep.
>
> So if DISABLE_FD_PASSING turns privsep off, does that mean that
> session_setup_sia() will be run directly by do_child(), which
> at that point will be effective uid 0?
>
> > Note that I haven't been able to try it with the
> > latest snapshot, as I'm not at my devel box and I don't have the correct
> > version of autoconf installed at the moment (need the old one for some
> > other stuff I've got and haven't finagled them into working together
> > yet).
> >
>
> I'll give the patch a try.
>
> Thanks,
> Toni
>
> > diff -urN openssh-SNAP-20020826/auth-sia.c openssh/auth-sia.c
> > --- openssh-SNAP-20020826/auth-sia.c Fri Apr 12 10:36:08 2002
> > +++ openssh/auth-sia.c Tue Sep 3 22:03:16 2002
> > @@ -45,27 +45,25 @@ > > extern int saved_argc; > > extern char **saved_argv; > > > > -extern int errno; > > - > > int > > auth_sia_password(Authctxt *authctxt, char *pass) > > { > > int ret; > > SIAENTITY *ent = NULL; > > const char *host; > > - char *user = authctxt->user; > > > > host = get_canonical_hostname(options.verify_reverse_mapping); > > > > - if (!user || !pass || pass[0] == '\0') > > + if (!authctxt->user || !pass || pass[0] == '\0') > > return(0); > > > > - if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0, > > - NULL) != SIASUCCESS) > > + if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user, > > + NULL, 0, NULL) != SIASUCCESS) > > return(0); > > > > if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { > > - error("Couldn't authenticate %s from %s", user, host); > > + error("Couldn't authenticate %s from %s", authctxt->user, > > + host); > > if (ret & SIASTOP) > > sia_ses_release(&ent); > > return(0); 
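Review bot: dropping the hand-written `extern int errno;` in this hunk is the right thing to do (on systems where errno is a macro over a per-thread location that declaration is simply wrong), but it is only safe if auth-sia.c includes <errno.h>; `strerror(errno)` is still used in session_setup_sia() in the next hunk, so please confirm the include is there rather than relying on the declaration this hunk removes. The switch from the local `user` to `authctxt->user` in the same hunk is fine since every use already dereferences authctxt.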
> > @@ -77,48 +75,35 @@ > > } > > > > void > > -session_setup_sia(char *user, char *tty) > > +session_setup_sia(struct passwd *pw, char *tty) > > { > > - struct passwd *pw; > > SIAENTITY *ent = NULL; > > const char *host; > > > > - host = get_canonical_hostname (options.verify_reverse_mapping); > > + host = get_canonical_hostname(options.verify_reverse_mapping); > > > > - if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, > > - NULL) != SIASUCCESS) { > > + if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name, tty, > > + 0, NULL) != SIASUCCESS) > > fatal("sia_ses_init failed"); > > - } > > > > - if ((pw = getpwnam(user)) == NULL) { > > - sia_ses_release(&ent); > > - fatal("getpwnam: no user: %s", user); > > - } > > if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) { > > sia_ses_release(&ent); > > fatal("sia_make_entity_pwd failed"); > > } > > > > ent->authtype = SIA_A_NONE; > > - if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) { > > - fatal("Couldn't establish session for %s from %s", user, > > - host); > > - } > > - > > - if (setpriority(PRIO_PROCESS, 0, 0) == -1) { > > - sia_ses_release(&ent); > > - fatal("setpriority: %s", strerror (errno)); > > - } > > + if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) > > + fatal("Couldn't establish session for %s from %s", > > + pw->pw_name, host); > > > > - if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) { > > - fatal("Couldn't launch session for %s from %s", user, host); > > - } > > + if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) > > + fatal("Couldn't launch session for %s from %s", pw->pw_name, > > + host); > > > > sia_ses_release(&ent); > > > > - if (setreuid(geteuid(), geteuid()) < 0) { > > + if (setreuid(geteuid(), geteuid()) < 0) > > fatal("setreuid: %s", strerror(errno)); > > - } > > } > > > > #endif /* HAVE_OSF_SIA */ > > diff -urN openssh-SNAP-20020826/auth-sia.h openssh/auth-sia.h > > --- openssh-SNAP-20020826/auth-sia.h Fri Apr 12 10:36:08 2002 > > +++ 
openssh/auth-sia.h Tue Sep 3 22:03:16 2002 > > @@ -27,6 +27,6 @@ > > #ifdef HAVE_OSF_SIA > > > > int auth_sia_password(Authctxt *authctxt, char *pass); > > -void session_setup_sia(char *user, char *tty); > > +void session_setup_sia(struct passwd *pw, char *tty); > > > > #endif /* HAVE_OSF_SIA */ > > diff -urN openssh-SNAP-20020826/configure.ac openssh/configure.ac > > --- openssh-SNAP-20020826/configure.ac Tue Aug 13 20:52:11 2002 > > +++ openssh/configure.ac Tue Sep 3 22:07:41 2002 > > @@ -314,6 +314,7 @@ > > AC_MSG_RESULT(yes) > > AC_DEFINE(HAVE_OSF_SIA) > > AC_DEFINE(DISABLE_LOGIN) > > + AC_DEFINE(DISABLE_FD_PASSING) > > LIBS="$LIBS -lsecurity -ldb -lm -laud" > > else > > AC_MSG_RESULT(no) > > diff -urN openssh-SNAP-20020826/session.c openssh/session.c > > --- openssh-SNAP-20020826/session.c Wed Jul 31 20:28:39 2002 > > +++ openssh/session.c Tue Sep 3 22:03:16 2002 > > @@ -1280,7 +1280,7 @@ > > */ > > if (!options.use_login) { > > #ifdef HAVE_OSF_SIA > > - session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty); > > + session_setup_sia(pw, s->ttyfd == -1 ? NULL : s->tty); > > if (!check_quietlogin(s, command)) > > do_motd(); > > #else /* HAVE_OSF_SIA */ > > _______________________________________________ > > openssh-unix-dev at mindrot.org mailing list > > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > > > ----------------------------------------------------------------------- > Toni Harbaugh-Blackford harbaugh at nciaxp.ncifcrf.gov > AlphaServer 8400 System Administrator > SAIC/NCI Frederick Advanced Biomedical Computing Center > > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From POTTERVELD at ANLMEP.PHY.ANL.GOV Thu Sep 5 03:24:54 2002 
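Review bot: the removal of the `setpriority(PRIO_PROCESS, 0, 0)` block in the session_setup_sia() hunk is a behaviour change, not cleanup, and the patch description only mentions cleanup and DISABLE_FD_PASSING; if the SIA session launch is now expected to set the process priority, say so in the description, otherwise keep the call. In the same hunk, the trailing `setreuid(geteuid(), geteuid())` is the only point at which this routine actually leaves uid 0, and with DISABLE_FD_PASSING the routine runs directly in the child as Toni asks above, so a one-line comment documenting that this is the privilege drop for the SIA build would help the next reader.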
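Review bot: the new prototype `void session_setup_sia(struct passwd *pw, char *tty);` names `struct passwd` in auth-sia.h, but nothing in the auth-sia.h hunk adds an `#include <pwd.h>` or a forward declaration; if the header is ever included before <pwd.h> the compiler treats the struct as a new type scoped to the prototype and the call in session.c no longer type-checks. Add `struct passwd;` (or the include) above the prototype.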
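Review bot: `AC_DEFINE(DISABLE_FD_PASSING)` in the configure.ac hunk is added unconditionally whenever SIA is detected, and by the author's own description it switches off post-auth privilege separation; that is a security trade-off a builder should see at configure time, not discover by reading configure.ac. Please put a comment on the line saying why SIA forces it, and consider an AC_MSG_WARN (or a line in the configure summary) so people building with Enhanced Security know post-auth privsep is off.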
From: POTTERVELD at ANLMEP.PHY.ANL.GOV (David Potterveld)
Date: Wed, 4 Sep 2002 12:24:54 -0500
Subject: uid transition and post-auth privsep (WAS Re: possible fundamental problem with tru64 patch) (fwd)
Message-ID: <020904122454.20200bd5@ANLMEP.PHY.ANL.GOV>

As I understand it, the idea behind privsep is to prevent malicious data from the client-side of a connection corrupting a server-side process running as root. To achieve that, it is important that post-auth privilege separation happen, i.e., that the sshd process change uid to the (authenticated) user. But it is also true that this very same process can perform root-level work without risk of being compromised as long as this work happens BEFORE it processes network data from the client. Thus, I think that all the sia stuff and pty allocation should be handled by the forked sshd process while it's still root, and then change to the user before going further. Perhaps you might want to lump all the stuff like this into a routine child_root_sensitive_setup() to make it clear.

The PRIVSEP macro is:

#define PRIVSEP(x) (use_privsep ? mm_##x : x)

As far as I can tell, this merely calls different routines, depending on use_privsep. I don't see how the user's sshd process can revert to being root. If that were so, then the whole idea of privilege separation is bogus.

David Potterveld
Argonne National Laboratory
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 4 Sep 2002 18:53:53 +0200
Subject: uid transition and post-auth privsep (WAS Re: possible fundamental problem with tru64 patch) (fwd)
In-Reply-To:
References:
Message-ID: <20020904165353.GA30172@folly>

On Wed, Sep 04, 2002 at 11:43:43AM -0400, Toni L. Harbaugh-Blackford wrote:
> What do we lose by not having post-auth privsep?

a lot.

>
> What code is executed between authorization and actual setting of the
> effective uid?

all the protocol parsing is still run with uid==0, only the forked login shell has the uid of the authenticated user.
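The model that Ben, David and Markus describe above (a network-facing process that has given up root, and a monitor that keeps it; the PRIVSEP() macro routes a call to the mm_-prefixed proxy, which asks the monitor to do the work) is easier to see in a runnable form. The program below is an added example, not sshd code: the PRIVSEP macro has exactly the shape David quotes, but sign_challenge(), mm_sign_challenge(), privsep_demo(), the one-line request format on the socketpair and the "constructed-secret" value are all invented for this demonstration, and the privilege drop is simulated by wiping the secret in the child (a real setuid() to the user needs root), so the program runs unprivileged.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Same shape as sshd's macro (quoted in the thread): with use_privsep set, a
 * call resolves to the mm_-prefixed proxy, which asks the monitor to do it. */
#define PRIVSEP(x) (use_privsep ? mm_##x : x)

static int use_privsep = 0;
static int monitor_fd = -1;          /* unprivileged side of the socketpair */
static char host_secret[32] = "";    /* stands in for state only root may hold */

/* Read one newline-terminated line from fd; returns its length, or -1 on EOF. */
static int read_line(int fd, char *buf, size_t n)
{
    size_t i = 0;
    while (i + 1 < n) {
        char c;
        if (read(fd, &c, 1) != 1)
            return -1;               /* EOF or error: the peer is gone */
        if (c == '\n')
            break;
        buf[i++] = c;
    }
    buf[i] = '\0';
    return (int)i;
}

/* The privileged operation (toy: tag the challenge with the secret; not crypto). */
static int sign_challenge(const char *challenge, char *out, size_t n)
{
    int len = snprintf(out, n, "%s/%s", host_secret, challenge);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Unprivileged proxy with the same signature: forward the request, read the reply. */
static int mm_sign_challenge(const char *challenge, char *out, size_t n)
{
    char req[96];
    int len = snprintf(req, sizeof req, "SIGN %s\n", challenge);
    if (len < 0 || (size_t)len >= sizeof req) return -1;
    if (write(monitor_fd, req, (size_t)len) != len) return -1;
    return read_line(monitor_fd, out, n) < 0 ? -1 : 0;
}

/* Fork a monitor (keeps the secret) and a child that handles the "client"
 * request. The child's privilege drop is simulated by wiping the secret.
 * The child's final answer is copied into result; returns 0 on success. */
int privsep_demo(int with_privsep, const char *challenge, char *result, size_t n)
{
    int sv[2], rc = -1;
    pid_t pid;
    char line[128], reply[96];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    snprintf(host_secret, sizeof host_secret, "constructed-secret");

    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {                                  /* unprivileged child */
        char sig[96], done[128];
        int len;
        close(sv[0]);
        monitor_fd = sv[1];
        use_privsep = with_privsep;
        memset(host_secret, 0, sizeof host_secret);  /* root-only state is gone */
        if (PRIVSEP(sign_challenge)(challenge, sig, sizeof sig) != 0) _exit(1);
        len = snprintf(done, sizeof done, "DONE %s\n", sig);
        if (len > 0 && write(monitor_fd, done, (size_t)len) < 0) _exit(1);
        _exit(0);
    }

    close(sv[1]);                                    /* monitor: keeps the secret */
    while (read_line(sv[0], line, sizeof line) >= 0) {
        if (strncmp(line, "SIGN ", 5) == 0) {
            size_t rl;
            if (sign_challenge(line + 5, reply, sizeof reply - 1) != 0) break;
            rl = strlen(reply);
            reply[rl++] = '\n';
            if (write(sv[0], reply, rl) != (ssize_t)rl) break;
        } else if (strncmp(line, "DONE ", 5) == 0) {
            snprintf(result, n, "%s", line + 5);
            rc = 0;
            break;
        }
    }
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return rc;
}

/* Convenience for checks: 1 if the child's answer equals expected. */
int privsep_demo_matches(int with_privsep, const char *challenge, const char *expected)
{
    char out[128];
    return privsep_demo(with_privsep, challenge, out, sizeof out) == 0
        && strcmp(out, expected) == 0;
}

int main(void)
{
    char out[128];
    if (privsep_demo(1, "nonce-42", out, sizeof out) == 0)
        printf("with privsep, child got: %s\n", out);
    if (privsep_demo(0, "nonce-42", out, sizeof out) == 0)
        printf("without privsep, child got: %s\n", out);
    return 0;
}
```

With use_privsep set the child obtains "constructed-secret/nonce-42" although it no longer holds the secret; without it the same call yields "/nonce-42", which is David's point in miniature: once the uid changes, anything that needs root must already be done or must be requested from the monitor, and the unprivileged process never gets root back.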
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 5 Sep 2002 05:40:49 +1000 (EST)
Subject: [Bug 392] New: ssh some_acct@localhost generates error message but works
Message-ID: <20020904194049.1EF023D184@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=392

           Summary: ssh some_acct at localhost generates error message but works
           Product: Portable OpenSSH
           Version: -current
          Platform: UltraSparc
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: robert_wolf_toronto at yahoo.ca

Generates an error '... Network is unreachable ...The authenticity of host 'localhost ...established' but it works

# ssh maint at localhost
ssh: connect to address ::1 port 22: Network is unreachable
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is c8:67:73:a6:ca:1a:03:69:ba:37:66:6e:f7:de:d0:29.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
maint at localhost's password:
Last login: Wed Sep 4 15:22:16 2002 from sun06.nmiinc.co
Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
# tty; who; exit
/dev/pts/3
maint      pts/2        Sep  4 11:47    (192.168.2.249)
maint      pts/3        Sep  4 15:25    (localhost)
Connection to localhost closed.
# cat /etc/hosts.allow
sshd: 127.0.0.1,192.168.2.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.


From: philc at ferrell.net (Philip Cummings)
Date: Wed, 4 Sep 2002 14:48:04 -0600
Subject: OpenSSH for SCO unix
Message-ID: <6816899ABDD2D511B2C800105CAA03671E9A38@FIS_EXCH_NT>

Hello,

Looking for locations of resources for OpenSSH for SCO Unix... Any and all help appreciated.

Regards
Phil
From: rwk at americom.com (rwk at americom.com)
Date: 4 Sep 2002 21:59:41 -0000
Subject: XDMCP forwarding
In-Reply-To: <1031145498.2976.7.camel@argon> (message from Damien Miller on 04 Sep 2002 23:18:18 +1000)
References: <20020904083420.12193.qmail@solo.americom.com> <3D75FFBB.8D6126D9@zip.com.au> <1031145498.2976.7.camel@argon>
Message-ID: <20020904215941.30005.qmail@solo.americom.com>

Is anyone aware of any other (non-ssh) way to run a gdm connection through a firewall?

> On Wed, 2002-09-04 at 22:42, Darren Tucker wrote:
> > No. XDMCP is UDP based. See:
> > http://tldp.org/HOWTO/XDMCP-HOWTO/procedure.html#SECURITY which says, in
> > part, "Unfortunately, XDMCP uses UDP, not TCP, therefore, it is not
> > natively able to use it with SSH."
>
> There is no standard way to forward UDP over a SSH connection. Even if
> there was, it would be pretty easy to spoof packets perhaps even packets
> to localhost (depending on the OS).
>
> -d
>
From: gem at rellim.com (Gary E. Miller)
Date: Wed, 4 Sep 2002 15:21:51 -0700 (PDT)
Subject: XDMCP forwarding
In-Reply-To: <20020904215941.30005.qmail@solo.americom.com>
Message-ID:

Yo rwk!

Why bother? You are already authenticated and logged in. Just double check that the ssh connection has X tunneling up and that DISPLAY var is set to use the SSH tunnel. Then just run the app of your choice on the remote end and the local window manager.

If you really must run a remote window manager, then start windows on your local host without a window manager, then ssh over to the remote, be sure DISPLAY is set and working, then start the remote window manager.

In most cases running a remote window manager will confuse people to distraction.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

On 4 Sep 2002 rwk at americom.com wrote:

> Is anyone aware of any other (non-ssh) way to run a gdm connection through
> a firewall?
>
> > On Wed, 2002-09-04 at 22:42, Darren Tucker wrote:
> > > No. XDMCP is UDP based. See:
> > > http://tldp.org/HOWTO/XDMCP-HOWTO/procedure.html#SECURITY which says, in
> > > part, "Unfortunately, XDMCP uses UDP, not TCP, therefore, it is not
> > > natively able to use it with SSH."
> >
> > There is no standard way to forward UDP over a SSH connection. Even if
> > there was, it would be pretty easy to spoof packets perhaps even packets
> > to localhost (depending on the OS).
> >
> > -d
> >
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 5 Sep 2002 08:32:09 +1000 (EST)
Subject: [Bug 392] ssh some_acct@localhost generates error message but works
Message-ID: <20020904223209.2BD033D174@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=392

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From dtucker at zip.com.au 2002-09-05 08:32 -------

Both of these are normal.

The "Network is unreachable" is to address ::1 which is IPv6 shorthand for the loopback adapter. Ignore it, use ssh -4 to force IPv4, set up your IPv6 loopback ("ifconfig lo0 inet6 ::1/128"), or recompile after configuring with --with-ipv4-default.

The second one is a warning that the host presented a host key that wasn't known by the client. This will only happen once per user. To avoid this, add the host's key to the client's global /usr/local/etc/ssh_known_hosts file.

It would be nice if ssh_config had an option for selecting IP4/6 to match the -4 and -6 command-line options (or is there one and I missed it?)

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From: rwk at americom.com (rwk at americom.com)
Date: 4 Sep 2002 22:38:47 -0000
Subject: XDMCP forwarding
In-Reply-To: (gem@rellim.com)
References:
Message-ID: <20020904223847.3307.qmail@solo.americom.com>

Gary,

I had better explain myself in more detail...

I want to run MS-Windows XP with a third party X-server. However, I have been running Unix so long, that I cannot adapt to the "click to type" requirement which the Windows window manager requires.

Therefore, I need to run an X desktop (like gdm) which takes over the whole screen and acts just like my machine at work (but then I have Windows underneath when I need to run Windows programs).

I don't understand what you mean by:

"start windows on your local host without a window manager, then ssh over to the remote, be sure DISPLAY is set and working, then start the remote window manager.

What I want to run is gdm (a display manager). Are you saying I should forget that and run a "window manager" directly (without a "desktop manager")?

Or are you saying I can run gdm in a way that skips the login screen?

It sounds hopeful and your help is greatly appreciated! I have spent many hours trying to get this to work.

Best regards,
Dick

> Yo rwk!
>
> Why bother? You are already authenticated and logged in. Just double
> check that the ssh connection has X tunneling up and that DISPLAY var is
> set to use the SSH tunnel. Then just run the app of your choice on the
> remote end and the local window manager.
>
> If you really must run a remote window manager, then start windows on
> your local host without a window manager, then ssh over to the remote,
> be sure DISPLAY is set and working, then start the remote window manager.
>
> In most cases running a remote window manager will confuse people to
> distraction.
>
> RGDS
> GARY
> ---------------------------------------------------------------------------
> Gary E.
> Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
> gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676
>
> On 4 Sep 2002 rwk at americom.com wrote:
>
> > Is anyone aware of any other (non-ssh) way to run a gdm connection through
> > a firewall?
> >
> > > On Wed, 2002-09-04 at 22:42, Darren Tucker wrote:
> > > > No. XDMCP is UDP based. See:
> > > > http://tldp.org/HOWTO/XDMCP-HOWTO/procedure.html#SECURITY which says, in
> > > > part, "Unfortunately, XDMCP uses UDP, not TCP, therefore, it is not
> > > > natively able to use it with SSH."
> > >
> > > There is no standard way to forward UDP over a SSH connection. Even if
> > > there was, it would be pretty easy to spoof packets perhaps even packets
> > > to localhost (depending on the OS).
> > >
> > > -d
> > >
> > _______________________________________________
> > openssh-unix-dev at mindrot.org mailing list
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
>


From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 5 Sep 2002 00:49:52 +0200
Subject: OpenSSH for SCO unix
In-Reply-To: <6816899ABDD2D511B2C800105CAA03671E9A38@FIS_EXCH_NT>; from philc@ferrell.net on Wed, Sep 04, 2002 at 02:48:04PM -0600
References: <6816899ABDD2D511B2C800105CAA03671E9A38@FIS_EXCH_NT>
Message-ID: <20020905004951.D8093@greenie.muc.de>

Hi,

On Wed, Sep 04, 2002 at 02:48:04PM -0600, Philip Cummings wrote:
> Looking for locations of resources for OpenSSH for SCO Unix...

Which version of SCO Unix ("uname -X" output)?

gert

--
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de
From: gem at rellim.com (Gary E. Miller)
Date: Wed, 4 Sep 2002 15:52:24 -0700 (PDT)
Subject: XDMCP forwarding
In-Reply-To: <20020904223847.3307.qmail@solo.americom.com>
Message-ID:

Yo rwk!

On 4 Sep 2002 rwk at americom.com wrote:

> I want to run MS-Windows XP with a third party X-server. However, I
> have been running Unix so long, that I cannot adapt to the "click to
> type" requirement which the Windows window manager requires.

Oh, so you are asking a WINDOWS question on a UNIX list. I did not expect that and that puts a very different light on things.

Since this is a UNIX list I will give you ONE more reply.

> Therefore, I need to run an X desktop (like gdm) which takes over the
> whole screen and acts just like my machine at work (but then I have
> Windows underneath when I need to run Windows programs).

That is NOT what gdm does. gdm runs on the REMOTE end of the connection. You need a LOCAL X server to run. Something like Cygwin or X-Win32.

All gdm does is setup a connection, log you in and then start a window manager for you.

Since gdm uses UDP you can never put it in an SSH tunnel.

Since ssh already required you to connect and log on to the remote host there is no need to do that again.

So all you need is to start a window manager. If you have cygwin or X-win32 you can run a local window manager or a remote one.

All you need is in the doc for cygwin and x-win32. If you are running a different X server on the WinXX side then you need to RTFM.

> I don't understand what you mean by:
>
> "start windows on your local host without a window manager, then ssh
> over to the remote, be sure DISPLAY is set and working, then start
> the remote window manager.

Then get out a good book on X because you are missing the basics.

> What I want to run is gdm (a display manager). Are you saying I should
> forget that and run a "window manager" directly (without a "desktop
> manager")?

Yes.

> Or are you saying I can run gdm in a way that skips the login screen?
No, you are already logged in.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676
From: rwk at americom.com (rwk at americom.com)
Date: 4 Sep 2002 23:23:27 -0000
Subject: XDMCP forwarding
In-Reply-To: (gem@rellim.com)
References:
Message-ID: <20020904232327.7415.qmail@solo.americom.com>

> Yo rwk!
>
> On 4 Sep 2002 rwk at americom.com wrote:
>
> > I want to run MS-Windows XP with a third party X-server. However, I
> > have been running Unix so long, that I cannot adapt to the "click to
> > type" requirement which the Windows window manager requires.
>
> Oh, so you are asking a WINDOWS question on a UNIX list. I did not expect
> that and that puts a very different light on things.

That's only 2/3 true. On one end it's Unix. On the other end it's a Unix program (X-server) running on a Windows OS. :)

> Since this is a UNIX list I will give you ONE more reply.

I do appreciate your help!

> > Therefore, I need to run an X desktop (like gdm) which takes over the
> > whole screen and acts just like my machine at work (but then I have
> > Windows underneath when I need to run Windows programs).
>
> That is NOT what gdm does. gdm runs on the REMOTE end of the connection.
> You need a LOCAL X server to run. Something like Cygwin or X-Win32.
>
> All gdm does is setup a connection, log you in and then start a window
> manager for you.
>
> Since gdm uses UDP you can never put it in an SSH tunnel.
>
> Since ssh already required you to connect and log on to the remote host
> there is no need to do that again.
>
> So all you need is to start a window manager. If you have cygwin or
> X-win32 you can run a local window manager or a remote one.
>
> All you need is in the doc for cygwin and x-win32. If you are running
> a different X server on the WinXX side then you need to RTFM.

The X-server (it's X-vision from SCO) is running fine. But it does not come with a window manager.
> > I don't understand what you mean by:
> >
> > "start windows on your local host without a window manager, then ssh
> > over to the remote, be sure DISPLAY is set and working, then start
> > the remote window manager.
>
> Then get out a good book on X because you are missing the basics.

I have, and I have 20 years of Unix experience as well. What I am trying to do is get a remote desktop running (with the task bar at the bottom and so on...). A "window manager" does not accomplish that. So I still don't understand what you are suggesting.

Can you suggest the Unix command I run remotely to get the gnome task bar and so on, displaying on my local X-server?

Thanks again,
Dick

> > What I want to run is gdm (a display manager). Are you saying I should
> > forget that and run a "window manager" directly (without a "desktop
> > manager")?
> Yes.
>
> > Or are you saying I can run gdm in a way that skips the login screen?
>
> No, you are already logged in.
>
> RGDS
> GARY
> ---------------------------------------------------------------------------
> Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
> gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676
>
>
From: gem at rellim.com (Gary E. Miller)
Date: Wed, 4 Sep 2002 16:30:39 -0700 (PDT)
Subject: XDMCP forwarding
In-Reply-To: <20020904232327.7415.qmail@solo.americom.com>
Message-ID:

Yo rwk!

On 4 Sep 2002 rwk at americom.com wrote:

> The X-server (it's X-vision from SCO) is running fine. But it does not
> come with a window manager.

Dunno anything about it and this is the wrong list to ask about it.

> Can you suggest the Unix command I run remotely to get the gnome task bar
> and so on, displaying on my local X-server?

first try "xclock" on the remote end. If that works then the basic X packets are going back and forth properly.

Then try: gnome-session

Now we are WAY off topic, and I give up.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676
From: POTTERVELD at ANLMEP.PHY.ANL.GOV (David Potterveld)
Date: Wed, 4 Sep 2002 23:36:39 -0500
Subject: XDMCP forwarding
Message-ID: <020904233639.20200d03@ANLMEP.PHY.ANL.GOV>

OK, I'll chip in with my 2 cents. I recommend looking into a software package called vnc. There are two parts, a server and a client. The server runs on your unix box, and there is a client for your PC that runs under windows. The server on the unix side is a modified X server. When the client connects to it, it's exactly like logging in to the unix machine, and the client (your PC) opens a window that is an exact copy of what you would see if you were logging in at the unix console. When you login, you'll get the gnome toolbar, the window manager, and everything else. Incidentally, there are windows versions of the server, and unix (and java) versions of the client, making it possible to export unix and windows sessions to just about anywhere.

There are many nice things about vnc. For example, the client stores no information about the state of the session. You can be using it in one location, disconnect and go somewhere else, and reconnect to the same session. It's also fairly intelligent about how the client and server communicate to minimize I/O. The PC client is small, and fits on a floppy. You don't need Xserver software on the PC.

What vnc lacks is encryption. However, it's tcp based, and you can use ssh port forwarding to tunnel an encrypted connection through a firewall (Hence any relevance to this group...) Vnc has some kind of challenge-response password to protect your sessions, but I don't really know how secure the server is; you're on your own there.

If it sounds interesting, surf to http://www.uk.research.att.com/vnc/ for more information.

David Potterveld
Argonne National Laboratory
From: Roumen.Petrov at skalasoft.com (Roumen.Petrov at skalasoft.com)
Date: Thu, 05 Sep 2002 20:55:55 +0300
Subject: sshd and SIGKILL
Message-ID: <3D779AAB.5000005@skalasoft.com>

On command:
#kill -9 `cat /var/run/sshd.pid`
sshd leaves pid file!

sshd.c code:
===============
....
	/*
	 * Arrange to restart on SIGHUP. The handler needs
	 * listen_sock.
	 */
	signal(SIGHUP, sighup_handler);

	signal(SIGTERM, sigterm_handler);
	signal(SIGQUIT, sigterm_handler);
....
===============

Missing line is :
	signal(SIGKILL, sigterm_handler);


From: jjaakkol at cs.Helsinki.FI (Jani Jaakkola)
Date: Thu, 5 Sep 2002 21:08:55 +0300 (EEST)
Subject: sshd and SIGKILL
In-Reply-To: <3D779AAB.5000005@skalasoft.com>
Message-ID:

On Thu, 5 Sep 2002 Roumen.Petrov at skalasoft.com wrote:

> On command:
> #kill -9 `cat /var/run/sshd.pid`
> sshd leaves pid file!
>
> sshd.c code:
> ===============
> ....
> 	/*
> 	 * Arrange to restart on SIGHUP. The handler needs
> 	 * listen_sock.
> 	 */
> 	signal(SIGHUP, sighup_handler);
>
> 	signal(SIGTERM, sigterm_handler);
> 	signal(SIGQUIT, sigterm_handler);
> ....
> ===============
>
> Missing line is :
> 	signal(SIGKILL, sigterm_handler);

SIGKILL can not be caught. SIGKILL will always kill the process immediately. You should not kill sshd with SIGKILL, if you want it to do any cleanup.

'man signal' tells you this too.

- Jani


From: aaron at monkey.org (Aaron Campbell)
Date: Thu, 5 Sep 2002 14:20:42 -0400 (EDT)
Subject: sshd and SIGKILL
In-Reply-To: <3D779AAB.5000005@skalasoft.com>
Message-ID:

On Thu, 5 Sep 2002 Roumen.Petrov at skalasoft.com wrote:

> Missing line is :
> 	signal(SIGKILL, sigterm_handler);

No. Processes cannot catch SIGKILL.

---
Aaron Campbell (aaron at monkey.org || aaron at openbsd.org)
http://www.monkey.org/~aaron
From: chris at obelix.hedonism.cx (Christian Vogel)
Date: Thu, 5 Sep 2002 20:25:31 +0200
Subject: sshd and SIGKILL
In-Reply-To: <3D779AAB.5000005@skalasoft.com>
References: <3D779AAB.5000005@skalasoft.com>
Message-ID: <20020905182531.GA1388@emil.frop.org>

Hi Roumen,

> #kill -9 `cat /var/run/sshd.pid`
> sshd leaves pid file!

> signal(SIGKILL, sigterm_handler);

SIGSTOP and SIGKILL cannot be trapped.

Chris

--
Warning: do not look into laser with remaining eye -- http://www.jwz.org/ppmcaption/
From: jmknoble at pobox.com (Jim Knoble)
Date: Thu, 5 Sep 2002 14:53:53 -0400
Subject: sshd and SIGKILL
In-Reply-To: <3D779AAB.5000005@skalasoft.com>; from Roumen.Petrov@skalasoft.com on Thu, Sep 05, 2002 at 08:55:55PM +0300
References: <3D779AAB.5000005@skalasoft.com>
Message-ID: <20020905145353.D6915@zax.half.pint-stowp.cx>

Circa 2002-09-05 20:55:55 +0300 dixit Roumen.Petrov at skalasoft.com:

: On command:
: #kill -9 `cat /var/run/sshd.pid`
: sshd leaves pid file!
:
: sshd.c code:
: ===============
: ....
: 	/*
: 	 * Arrange to restart on SIGHUP. The handler needs
: 	 * listen_sock.
: 	 */
: 	signal(SIGHUP, sighup_handler);
:
: 	signal(SIGTERM, sigterm_handler);
: 	signal(SIGQUIT, sigterm_handler);
: ....
: ===============
:
: Missing line is :
: 	signal(SIGKILL, sigterm_handler);

Ummm, no. Under traditional Unix, POSIX, BSD, and SysV, no signal handler may be set for either SIGKILL or SIGSTOP. Refer to:

http://www.mcsr.olemiss.edu/cgi-bin/man-cgi?signal+3
http://www.mcsr.olemiss.edu/cgi-bin/man-cgi?sigvec+3

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 262 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020905/31048d41/attachment.bin
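To make concrete what Jani, Aaron, Christian and Jim say above, here is an added example (not sshd code and not from anyone in the thread) that asks the kernel for a handler on SIGTERM, SIGKILL and SIGSTOP, then spawns a toy daemon with an sshd-style sigterm_handler and shows that its pid file is removed on SIGTERM but left behind on SIGKILL, which is exactly what Roumen observed. The toy daemon, the handler name and the pid-file path are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Ask the kernel for a handler on sig; returns 0 if accepted, else errno.
 * The disposition is put back to SIG_DFL so the caller is unaffected. */
int try_install_handler(int sig)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = SIG_IGN;               /* any non-default disposition will do */
    sigemptyset(&sa.sa_mask);
    if (sigaction(sig, &sa, NULL) == -1)
        return errno;                      /* EINVAL for SIGKILL and SIGSTOP */
    sa.sa_handler = SIG_DFL;
    sigaction(sig, &sa, NULL);
    return 0;
}

static const char *g_pidfile;              /* set in the child before the handler can fire */

/* Mirrors what an sshd-style sigterm_handler does: remove the pid file and exit.
 * unlink() and _exit() are async-signal-safe, so this is legal in a handler. */
static void cleanup_handler(int sig)
{
    (void)sig;
    unlink(g_pidfile);
    _exit(0);
}

/* Spawn a toy daemon that writes pidfile, installs the SIGTERM cleanup handler
 * and sleeps; deliver sig to it; report whether the pid file survived.
 * Returns 1 if the file was left behind, 0 if it was cleaned up, -1 on error. */
int pidfile_left_behind(const char *pidfile, int sig)
{
    struct timespec tick = { 0, 10 * 1000 * 1000 };   /* 10 ms */
    pid_t pid;
    int i, left;

    unlink(pidfile);
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {
        struct sigaction sa;
        FILE *f;
        g_pidfile = pidfile;
        memset(&sa, 0, sizeof sa);
        sa.sa_handler = cleanup_handler;
        sigemptyset(&sa.sa_mask);
        sigaction(SIGTERM, &sa, NULL);     /* handler is in place before the file exists */
        if ((f = fopen(pidfile, "w")) != NULL) {
            fprintf(f, "%ld\n", (long)getpid());
            fclose(f);
        }
        for (;;) pause();                  /* "daemon" waits for signals */
    }
    /* Parent: wait (up to 5 s) for the pid file, then deliver the signal. */
    for (i = 0; i < 500 && access(pidfile, F_OK) != 0; i++)
        nanosleep(&tick, NULL);
    if (access(pidfile, F_OK) != 0) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return -1;
    }
    kill(pid, sig);
    waitpid(pid, NULL, 0);
    left = access(pidfile, F_OK) == 0;
    unlink(pidfile);                       /* the cleanup a SIGKILLed daemon never gets to do */
    return left;
}

int main(void)
{
    const char *pidfile = "/tmp/sigdemo-sshd.pid";   /* constructed path */
    printf("handler on SIGTERM: %s\n", try_install_handler(SIGTERM) == 0 ? "accepted" : "refused");
    printf("handler on SIGKILL: %s\n", try_install_handler(SIGKILL) == 0 ? "accepted" : "refused");
    printf("SIGTERM: pid file left behind = %d\n", pidfile_left_behind(pidfile, SIGTERM));
    printf("SIGKILL: pid file left behind = %d\n", pidfile_left_behind(pidfile, SIGKILL));
    return 0;
}
```

The practical consequence for an operator is the one Markus gives later in the thread: stop sshd with SIGTERM (or SIGHUP for a restart) and reserve SIGKILL for a process that no longer responds, accepting that a stale pid file is then yours to remove.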
From: kevin at atomicgears.com (Kevin Steves)
Date: Thu, 5 Sep 2002 12:15:02 -0700
Subject: Determining Local IP Address within .profile
In-Reply-To: <003501c25418$cfdb76d0$ac7be8c2@lan.apa.at>
References: <003501c25418$cfdb76d0$ac7be8c2@lan.apa.at>
Message-ID: <20020905191502.GA1746@scott.crlsca.adelphia.net>

On Wed, Sep 04, 2002 at 02:41:45PM +0100, Mario Paumann wrote:
> I haven't found an easy solution to determine the local IP to which the remote SSH client is connected to the local SSHD. We use MC/Serviceguard which can create many Interfaces where a remote client could connect and we like to know within .profile which interface the client has connected to.
>
> I've looked at the sourcecode and maybe the following could do something I described :
>
> session.c:871 RCSID("$OpenBSD: session.c,v 1.142 2002/06/26 13:49:26 deraadt Exp $");
> do_setup_env
>
> child_set_env(&env, &envsize, "SSH_LOCAL_IP", get_local_ipaddr(packet_get_connection_in()));
>
> what do you think of it ?

I agree this is useful.
See also: http://bugzilla.mindrot.org/show_bug.cgi?id=384

It would perhaps be better if this all were exposed in just one environment variable, e.g.,
SSH_CONNECTION=172.31.1.53 14932 192.168.1.9 24

and deprecate SSH_CLIENT, but adding SSH_SERVER as in 384 may be less confusing.
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 5 Sep 2002 15:14:48 -0500 (CDT)
Subject: Determining Local IP Address within .profile
In-Reply-To: <20020905191502.GA1746@scott.crlsca.adelphia.net>
Message-ID:

On Thu, 5 Sep 2002, Kevin Steves wrote:

> On Wed, Sep 04, 2002 at 02:41:45PM +0100, Mario Paumann wrote:
> > I haven't found an easy solution to determine the local IP to which the remote SSH client is connected to the local SSHD. We use MC/Serviceguard which can create many Interfaces where a remote client could connect and we like to know within .profile which interface the client has connected to.
> >
> > I've looked at the sourcecode and maybe the following could do something I described :
> >
> > session.c:871 RCSID("$OpenBSD: session.c,v 1.142 2002/06/26 13:49:26 deraadt Exp $");
> > do_setup_env
> >
> > child_set_env(&env, &envsize, "SSH_LOCAL_IP", get_local_ipaddr(packet_get_connection_in()));
> >
> > what do you think of it ?
>
> I agree this is useful.
> See also: http://bugzilla.mindrot.org/show_bug.cgi?id=384
>
> It would perhaps be better if this all were exposed in just one environment
> variable, e.g.,
> SSH_CONNECTION=172.31.1.53 14932 192.168.1.9 24
>
> and deprecate SSH_CLIENT, but adding SSH_SERVER as in 384 may be
> less confusing.

hmm.. I think SSH_SERVER would be less confusing. Trying to deprecate SSH_CLIENT may be a lost cause since it is very well entrenched in how people do business.

If this can't be solved cleanly via /etc/profile or via shell startup scripts then I don't have as much of a qualm with bug 384. Just wanted to ensure that people explored other options first.

- Ben
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 6 Sep 2002 00:03:01 +0200
Subject: sshd and SIGKILL
In-Reply-To: <3D779AAB.5000005@skalasoft.com>
References: <3D779AAB.5000005@skalasoft.com>
Message-ID: <20020905220301.GA22874@folly>

On Thu, Sep 05, 2002 at 08:55:55PM +0300, Roumen.Petrov at skalasoft.com wrote:
> On command:
> #kill -9 `cat /var/run/sshd.pid`
> sshd leaves the pid file!

so don't use kill -9. you should never use kill -9.

From dan at doxpara.com Fri Sep 6 09:35:26 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Thu, 05 Sep 2002 16:35:26 -0700
Subject: Determining Local IP Address within .profile
References:
Message-ID: <3D77EA3E.1040000@doxpara.com>

> If this can't be solved cleanly via /etc/profile or via shell startup
> scripts then I don't have as much of a qualm with bug 384. Just wanted to
> ensure that people explored other options first.

Socket handling is really the domain of the sshd; best to let it inform further layers of its own socket than to have them attempt to reverse engineer the socket information after the fact. (It's certainly *possible*, but not particularly portably, flexibly, or even securely.) SSH_CLIENT was sufficient when multi-homed systems were rare -- that's changed.

One interesting question: Any objections to adding ProxyCommand functionality to sshd? Since ssh is a server-speaks-first protocol, there are a few limitations to having the silent client the only side that can use non-socket connectors.

--Dan

From djm at mindrot.org Fri Sep 6 12:00:33 2002
From: djm at mindrot.org (Damien Miller)
Date: Fri, 6 Sep 2002 12:00:33 +1000 (EST)
Subject: Determining Local IP Address within .profile
In-Reply-To: <3D77EA3E.1040000@doxpara.com>
Message-ID:

> One interesting question: Any objections to adding ProxyCommand
> functionality to sshd? Since ssh is a server-speaks-first protocol,
> there are a few limitations to having the silent client the only side
> that can use non-socket connectors.

Why not just bind to localhost and do your proxying using tcp sockets - no code changes required.

-d

From dan at doxpara.com Fri Sep 6 12:47:46 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Thu, 05 Sep 2002 19:47:46 -0700
Subject: Determining Local IP Address within .profile
References:
Message-ID: <3D781752.90800@doxpara.com>

> Why not just bind to localhost and do your proxying using tcp sockets - no
> code changes required.

Localhost for IPC is insecure across user boundaries, at least compared to stdio -- to say nothing of the fact that an external proxying agent is always less convenient to use. Besides, the ProxyCommand code is already there; it's just a matter of linking it to the socket listener instead of the socket connect. Just something that'll be useful later.

--Dan

From kevin at atomicgears.com Fri Sep 6 13:51:17 2002
From: kevin at atomicgears.com (Kevin Steves) Date: Thu, 5 Sep 2002 20:51:17 -0700 Subject: use of setsockopt(SO_LINGER) Message-ID: <20020906035117.GI1746@scott.crlsca.adelphia.net> I would like to remove setsockopt(SO_LINGER), as there does not seem to be a reason for its use. If you know of specific reasons we should keep any of these let me know, or run this patch in local test trees where possible. This is against OpenBSD, but should apply to portable with some fuzz. Index: channels.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/channels.c,v retrieving revision 1.180 diff -u -r1.180 channels.c --- channels.c 4 Jul 2002 08:12:15 -0000 1.180 +++ channels.c 4 Sep 2002 17:12:51 -0000 @@ -2016,7 +2016,6 @@ struct addrinfo hints, *ai, *aitop; const char *host; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; - struct linger linger; success = 0; host = (type == SSH_CHANNEL_RPORT_LISTENER) ? @@ -2059,13 +2058,13 @@ continue; } /* - * Set socket options. We would like the socket to disappear - * as soon as it has been closed for whatever reason. + * Set socket options. + * Allow local port reuse in TIME_WAIT. */ - setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)); - linger.l_onoff = 1; - linger.l_linger = 5; - setsockopt(sock, SOL_SOCKET, SO_LINGER, &linger, sizeof(linger)); + if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, + sizeof(on)) == -1) + error("setsockopt SO_REUSEADDR: %s", strerror(errno)); + debug("Local forwarding listening on %s port %s.", ntop, strport); /* Bind the socket to the address. */ Index: sshconnect.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sshconnect.c,v retrieving revision 1.133 diff -u -r1.133 sshconnect.c --- sshconnect.c 29 Jul 2002 18:57:30 -0000 1.133 +++ sshconnect.c 4 Sep 2002 17:12:53 -0000 
@@ -225,7 +225,6 @@ int sock = -1, attempt; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; struct addrinfo hints, *ai, *aitop; - struct linger linger; struct servent *sp; /* * Did we get only other errors than "Connection refused" (which @@ -325,15 +324,6 @@ } debug("Connection established."); - - /* - * Set socket options. We would like the socket to disappear as soon - * as it has been closed for whatever reason. - */ - /* setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */ - linger.l_onoff = 1; - linger.l_linger = 5; - setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger)); /* Set keepalives if requested. */ if (options.keepalives && Index: sshd.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sshd.c,v retrieving revision 1.257 diff -u -r1.257 sshd.c --- sshd.c 23 Jul 2002 16:03:10 -0000 1.257 +++ sshd.c 4 Sep 2002 17:12:55 -0000 @@ -789,7 +789,6 @@ const char *remote_ip; int remote_port; FILE *f; - struct linger linger; struct addrinfo *ai; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; int listen_sock, maxfd; @@ -1102,17 +1101,12 @@ continue; } /* - * Set socket options. We try to make the port - * reusable and have it close as fast as possible - * without waiting in unnecessary wait states on - * close. + * Set socket options. + * Allow local port reuse in TIME_WAIT. */ - setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR, - &on, sizeof(on)); - linger.l_onoff = 1; - linger.l_linger = 5; - setsockopt(listen_sock, SOL_SOCKET, SO_LINGER, - &linger, sizeof(linger)); + if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR, + &on, sizeof(on)) == -1) + error("setsockopt SO_REUSEADDR: %s", strerror(errno)); debug("Bind to port %s on %s.", strport, ntop); 
@@ -1355,16 +1349,6 @@ signal(SIGTERM, SIG_DFL); signal(SIGQUIT, SIG_DFL); signal(SIGCHLD, SIG_DFL); - - /* - * Set socket options for the connection. We want the socket to - * close as fast as possible without waiting for anything. If the - * connection is not a socket, these will do nothing. - */ - /* setsockopt(sock_in, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); */ - linger.l_onoff = 1; - linger.l_linger = 5; - setsockopt(sock_in, SOL_SOCKET, SO_LINGER, &linger, sizeof(linger)); /* Set keepalives if requested. */ if (options.keepalives && From kevin at atomicgears.com Fri Sep 6 14:05:31 2002 From: kevin at atomicgears.com (Kevin Steves) Date: Thu, 5 Sep 2002 21:05:31 -0700 Subject: Determining Local IP Address within .profile In-Reply-To: <3D77EA3E.1040000@doxpara.com> References: <3D77EA3E.1040000@doxpara.com> Message-ID: <20020906040531.GK1746@scott.crlsca.adelphia.net> On Thu, Sep 05, 2002 at 04:35:26PM -0700, Dan Kaminsky wrote: > One interesting question: Any objections to adding ProxyCommand > functionality to sshd? Show diffs (or at least man page diffs, as I'm not sure how this would be used). From plu at redsonic.com Fri Sep 6 18:38:26 2002 From: plu at redsonic.com (plu) Date: Fri, 06 Sep 2002 16:38:26 +0800 Subject: (no subject) Message-ID: <3D786982.3070204@redsonic.com> confirm 178076 From msmall at arrow.lz.att.com Sat Sep 7 02:45:45 2002 
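Review bot: in the channels.c hunk at @@ -2059 the new `error("setsockopt SO_REUSEADDR: %s", strerror(errno))` logs and carries on, which is the right choice for a forwarding listener (a failed SO_REUSEADDR only matters when the port is still in TIME_WAIT), but make sure `errno` is already visible in this file, since the old code never referenced it here; the replacement comment "Allow local port reuse in TIME_WAIT." is enough explanation on its own.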
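Review bot: the sshconnect.c hunk at @@ -325 is a behaviour change, not just cleanup, and the mail should say so: with `l_onoff = 1` / `l_linger = 5`, close() on the client's connection socket could block for up to five seconds and, on timeout, drop unsent data with a reset; with the default (no linger) close() returns at once and the kernel finishes delivery in the background. That default is the safer one for an interactive client, so the removal is an improvement, but anyone comparing old and new behaviour after an upgrade should be able to find the reason in the log message rather than only "there does not seem to be a reason for its use".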
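Review bot: the sshd.c hunk at @@ -1355 deletes, along with the linger block, the sentence "If the connection is not a socket, these will do nothing.", which was the only note in this per-connection path that sock_in may not be a socket at all (sshd -i run from something other than inetd). The keepalive setsockopt on sock_in that immediately follows the hunk still relies on that being tolerated, so keep a one-line comment to that effect; also check that the `on` variable, whose last use in this path was the commented-out SO_REUSEADDR line, is still referenced elsewhere in the function, or the compiler will warn about it.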
From: msmall at arrow.lz.att.com (Morgan Small)
Date: Fri, 6 Sep 2002 12:45:45 -0400
Subject: Warning: Server lies about size of server public key: actual size...
Message-ID:

We started receiving this message in our production server.

Warning: Server lies about size of server public key: actual size is 767 bits vs. announced 768.
Warning: This may be due to an old implementation of ssh.

When I looked in the list archives I see that there has been a conversation about this topic before, back about a year ago. Currently we are going from OpenSSH version 3.4 to another version of ssh using protocol 1. We used this in our system test and have never encountered this message. From the looks of the archive list I thought this fix was supposed to be implemented. Can anyone tell me the status of this issue?

The Web Address that I was looking at for the related archives is:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&w=2&r=1&s=Server+lies+about+size+of+server+public+&q=b

Any help is appreciated

Thank You,

Morgan Small-Ulloa
MT A3-3B20
(732) 420-8749
small at att.com

From mouring at etoh.eviladmin.org Sat Sep 7 03:08:33 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 6 Sep 2002 12:08:33 -0500 (CDT)
Subject: Warning: Server lies about size of server public key: actual size...
In-Reply-To:
Message-ID:

http://bugzilla.mindrot.org/show_bug.cgi?id=132

there has not been any more talk about this.. but the warning is there for a reason.

- Ben

On Fri, 6 Sep 2002, Morgan Small wrote:
> We started receiving this message in our production server.
> Warning: Server lies about size of server public key: actual size is 767
> bits vs. announced 768.
> Warning: This may be due to an old implementation of ssh.
>
> When I looked in the list archives I see that there has been a conversation
> about this topic before, back about a year ago.
> Currently we are going from OpenSSH version 3.4 to another version of ssh
> using protocol 1. We used this in our system test and have never
> encountered this message. From the looks of the archive list I thought this
> fix was supposed to be implemented. Can anyone tell me the status of
> this issue?
>
> The Web Address that I was looking at for the related archives is:
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&w=2&r=1&s=Server+lies+about
> +size+of+server+public+&q=b
>
> Any help is appreciated
>
> Thank You,
>
> Morgan Small-Ulloa
> MT A3-3B20
> (732) 420-8749
> small at att.com
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From return at trafficmagnet.com Sun Sep 8 16:23:58 2002
From: return at trafficmagnet.com (Sarah Williams)
Date: Sun, 8 Sep 2002 14:23:58 +0800
Subject: WWW.OPENSSH.ORG
Message-ID: <200209081918.g88JISV25921@localhost>

An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020908/fbfa59cf/attachment.html

From alonz at nolaviz.org Sun Sep 8 23:41:04 2002
From: alonz at nolaviz.org (Alon Ziv)
Date: Sun, 8 Sep 2002 16:41:04 +0300
Subject: Help needed: strange error in PAM-SSH integration module...
Message-ID: <200209081641.04614.alonz@nolaviz.org>

Hi all,

Just for my own fun, I decided to write a small PAM module that will automatically start ssh-agent on session open (and add the default keys), and kill the agent upon session close.

Well, writing this was a breeze; however, for some odd reason, it doesn't work... I'm stumped. I'll try again tomorrow. But meanwhile, attached is my current version; it has to be compiled inside an already-built openssh distribution, then installed by hand and added to /etc/pam.d/ as

session required /lib/security/pam_ssh_add.so

If anyone there has an idea and wants to help, I'll be overjoyed!

-Alon Ziv

[PS: I am not a member of the mailing lists; please make sure to reply directly to me... Thanks!]

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Makefile.pam_module
Type: text/x-makefile
Size: 1407 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020908/051179e5/attachment.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_ssh_add.c
Type: text/x-csrc
Size: 6744 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020908/051179e5/attachment-0001.bin

From Dominique.Cressatti at lansa.co.uk Mon Sep 9 22:37:41 2002
From: Dominique.Cressatti at lansa.co.uk (Cressatti, Dominique) Date: Mon, 9 Sep 2002 13:37:41 +0100 Subject: small addition to the scp man page Message-ID: <44B71BF277010E48BE207DA8FC0797E107B9DA@venus.lansa.co.uk> Hi, Having learned with difficulties how to retrieve files using scp, I'd like to make a small contribution to the scp man page, i.e.. add a couple of examples on how to copy files to a box and more importantly how to copy them back. Therefore how do I submit my contribution? Regards Dom From martin at fatbob.nu Mon Sep 9 23:58:58 2002 From: martin at fatbob.nu (Martin Johansson) Date: Mon, 9 Sep 2002 15:58:58 +0200 Subject: Idle SSH session disconnects (update) In-Reply-To: ; from jcunning@cts.com on Fri, Aug 30, 2002 at 09:48:11PM -0700 References: <20020830185546.A13895@google.com> Message-ID: <20020909155858.A4290@fatbob.nu> If you do not have control over the sshd configuration so that you cannot control ClientAlive-stuff, you can use the attached patch (against openssh 3.4p1). It adds 2 parameters to ssh_config: BogusTrafficIntervalMax 12 BogusTrafficIntervalMin 1 This configures the ssh client to send SSH_MSG_IGNORE randomly after between 1-12 seconds of idle time, thereby keeping the connection from timing out in the FW. Pretty useful for me who also sits behind a stateful FW. /Martin --- openssh-3.4p1/readconf.c Fri Jun 21 02:41:52 2002 +++ openssh-3.4p1.servalive/readconf.c Mon Sep 9 13:37:15 2002 @@ -114,6 +114,7 @@ oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oBogusTrafficIntervalMax, oBogusTrafficIntervalMin, oDeprecated } OpCodes; 
@@ -177,6 +178,8 @@ { "compression", oCompression }, { "compressionlevel", oCompressionLevel }, { "keepalive", oKeepAlives }, + { "BogusTrafficIntervalMax", oBogusTrafficIntervalMax }, + { "BogusTrafficIntervalMin", oBogusTrafficIntervalMin }, { "numberofpasswordprompts", oNumberOfPasswordPrompts }, { "loglevel", oLogLevel }, { "dynamicforward", oDynamicForward }, @@ -411,6 +414,42 @@ intptr = &options->no_host_authentication_for_localhost; goto parse_flag; + case oBogusTrafficIntervalMax: + intptr = &options->bogus_traffic_interval_max; + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", filename, linenum); + if (arg[0] < '0' || arg[0] > '9') + fatal("%.200s line %d: Bad number.", filename, linenum); + + /* Octal, decimal, or hex format? */ + value = strtol(arg, &endofnumber, 0); + if (arg == endofnumber) + fatal("%.200s line %d: Bad number.", filename, linenum); + if (*activep && *intptr == -1) + *intptr = value; + if (options->bogus_traffic_interval_min >= value) + fatal("%.200s line %d: Bad value.", filename, linenum); + break; + + case oBogusTrafficIntervalMin: + intptr = &options->bogus_traffic_interval_min; + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", filename, linenum); + if (arg[0] < '0' || arg[0] > '9') + fatal("%.200s line %d: Bad number.", filename, linenum); + + /* Octal, decimal, or hex format? */ + value = strtol(arg, &endofnumber, 0); + if (arg == endofnumber) + fatal("%.200s line %d: Bad number.", filename, linenum); + if (*activep && *intptr == -1) + *intptr = value; + if (options->bogus_traffic_interval_max <= value) + fatal("%.200s line %d: Bad value.", filename, linenum); + break; + case oNumberOfPasswordPrompts: intptr = &options->number_of_password_prompts; goto parse_int; 
@@ -766,6 +805,8 @@ options->strict_host_key_checking = -1; options->compression = -1; options->keepalives = -1; + options->bogus_traffic_interval_max = -1; + options->bogus_traffic_interval_min = -1; options->compression_level = -1; options->port = -1; options->connection_attempts = -1; @@ -853,6 +894,10 @@ options->compression = 0; if (options->keepalives == -1) options->keepalives = 1; + if (options->bogus_traffic_interval_max == -1) + options->bogus_traffic_interval_max = 0; + if (options->bogus_traffic_interval_min == -1) + options->bogus_traffic_interval_min = 0; if (options->compression_level == -1) options->compression_level = 6; if (options->port == -1) --- openssh-3.4p1/clientloop.c Wed Jun 26 01:17:37 2002 +++ openssh-3.4p1.servalive/clientloop.c Mon Sep 9 13:35:58 2002 @@ -321,6 +321,9 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, int *nallocp, int rekeying) { + struct timeval tv, *tvp; + int ret; + /* Add any selections by the channel mechanism. */ channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, rekeying); 
@@ -362,13 +365,29 @@ /* * Wait for something to happen. This will suspend the process until * some selected descriptor can be read, written, or has some other - * event pending. Note: if you want to implement SSH_MSG_IGNORE - * messages to fool traffic analysis, this might be the place to do - * it: just have a random timeout for the select, and send a random - * SSH_MSG_IGNORE packet when the timeout expires. + * event pending. + * Set a random timeout for the select, and send a random SSH_MSG_IGNORE + * packet when the timeout expires to fool traffic analysis. */ - - if (select((*maxfdp)+1, *readsetp, *writesetp, NULL, NULL) < 0) { + if (options.bogus_traffic_interval_max) { + u_int32_t rand = arc4random(); + u_int64_t timeusec; + static u_int64_t timebase = 0; + + if (!timebase) + timebase = (options.bogus_traffic_interval_max - + options.bogus_traffic_interval_min) * 1000000; + timeusec = timebase * rand / 0xffffffffUL; + timeusec += options.bogus_traffic_interval_min * 1000000; + tv.tv_sec = timeusec / 1000000; + tv.tv_usec = timeusec % 1000000; + tvp = &tv; + debug2("Will send SSH_MSG_IGNORE in %lu.%lu s", tv.tv_sec, tv.tv_usec); + } + else tvp = NULL; + + ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp); + if (ret < 0) { char buf[100]; /* @@ -386,6 +405,12 @@ buffer_append(&stderr_buffer, buf, strlen(buf)); quit_pending = 1; } + else if (ret == 0) { /* timeout */ + u_int32_t rand = arc4random(); + packet_send_ignore((rand & 0x3f) + 1); + packet_send(); + packet_write_wait(); + } } static void --- openssh-3.4p1/readconf.h Sun Jun 9 22:04:03 2002 +++ openssh-3.4p1.servalive/readconf.h Mon Sep 9 13:35:58 2002 
@@ -61,6 +61,16 @@ int compression_level; /* Compression level 1 (fast) to 9 * (best). */ int keepalives; /* Set SO_KEEPALIVE. */ + int bogus_traffic_interval_max; /* + * max time value of SSH_MSG_IGNORE + * interval + */ + int bogus_traffic_interval_min; /* + * min time value of SSH_MSG_IGNORE + * interval + */ + int pam_authentication_via_kbd_int; + LogLevel log_level; /* Level for logging. */ int port; /* Port to connect. */ From maniac at maniac.nl Tue Sep 10 02:53:34 2002 From: maniac at maniac.nl (Mark Janssen) Date: 09 Sep 2002 18:53:34 +0200 Subject: Idle SSH session disconnects (update) In-Reply-To: <20020909155858.A4290@fatbob.nu> References: <20020830185546.A13895@google.com> <20020909155858.A4290@fatbob.nu> Message-ID: <1031590414.836.4.camel@shuttle> On Mon, 2002-09-09 at 15:58, Martin Johansson wrote: > If you do not have control over the sshd configuration so that you cannot > control ClientAlive-stuff, you can use the attached patch (against openssh > 3.4p1). It adds 2 parameters to ssh_config: > > BogusTrafficIntervalMax 12 > BogusTrafficIntervalMin 1 The debian ssh package has something like this built into the default package as well, they have a somewhat different name and configuration for it, but it works for me. In the debian patch you can find the relevant code. It's the 'ProtocolKeepalive' feature. :) Patch can be found on any debian source mirror. From jcunning at cts.com Tue Sep 10 05:08:50 2002 
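Review bot: the readconf.c hunk at @@ -177 is missing the documentation that goes with two new ssh_config keywords: there is no ssh_config(5) hunk saying that the values are seconds, that BogusTrafficIntervalMax 0 (the default applied in the @@ -853 hunk) disables the feature, and that Min must be below Max. Style point in the same hunk: `{ "BogusTrafficIntervalMax", ... }` and `{ "BogusTrafficIntervalMin", ... }` are the only mixed-case names in the table (compare "compressionlevel" and "keepalive" on the adjacent lines); lookup is case-insensitive so it works, but match the existing lowercase convention.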
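Review bot: the cross-checks in the readconf.c hunk at @@ -411 make the result depend on the order of the two lines in ssh_config. `if (options->bogus_traffic_interval_min >= value)` and `if (options->bogus_traffic_interval_max <= value)` run while the other option may still hold the initial -1 from the @@ -766 hunk, so a file that sets BogusTrafficIntervalMin before BogusTrafficIntervalMax dies with "Bad value" because -1 <= value. The checks are also evaluated regardless of `*activep`, so a non-matching Host block can abort parsing. Both cases are simpler with the existing `goto parse_int` path for each keyword (the two hand-written strtol blocks duplicate it), followed by a single min < max check in fill_default_options once defaults are applied.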
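Review bot: in the clientloop.c hunk at @@ -362, `u_int32_t rand = arc4random();` shadows the libc rand() function, and `debug2("Will send SSH_MSG_IGNORE in %lu.%lu s", tv.tv_sec, tv.tv_usec)` passes time_t and suseconds_t to `%lu`, which is not their type on every platform; cast to long and use `%ld`. The timeout is rearmed on every pass through the loop, so the IGNORE goes out only after a full idle interval with no other activity, which is exactly the keepalive behaviour the mail describes; say so in the new comment, which still frames the change as a traffic-analysis countermeasure.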
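Review bot: in the clientloop.c hunk at @@ -386, the `ret == 0` branch calls `packet_write_wait()` after `packet_send()`, which blocks the client loop until the IGNORE packet has been written; the rest of client_loop avoids that by queueing with packet_send() and flushing from the write set, so dropping the packet_write_wait() keeps the loop non-blocking. The local `rand` shadows rand() here as well.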
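Review bot: the readconf.h hunk at @@ -61 adds `int pam_authentication_via_kbd_int;` at the end, which has nothing to do with the bogus-traffic options and is referenced nowhere else in the patch; it looks like a leftover from another local change and should be split out of this diff before it is considered.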
From: jcunning at cts.com (Jim Cunning)
Date: Mon, 9 Sep 2002 12:08:50 -0700 (PDT)
Subject: [SOLVED] Idle SSH session disconnects (update)
In-Reply-To: <20020909155858.A4290@fatbob.nu>
Message-ID:

On Mon, 9 Sep 2002, Martin Johansson wrote:
> If you do not have control over the sshd configuration so that you cannot
> control ClientAlive-stuff, you can use the attached patch (against openssh
> 3.4p1). It adds 2 parameters to ssh_config:
>
> BogusTrafficIntervalMax 12
> BogusTrafficIntervalMin 1
>
> This configures the ssh client to send SSH_MSG_IGNORE randomly after
> between 1-12 seconds of idle time, thereby keeping the connection from
> timing out in the FW.
>
> Pretty useful for me who also sits behind a stateful FW.
>
> /Martin

During the whole exchange of suggestions, I would have sworn I was not behind a stateful firewall because I have a permanent hole in the FW configured for port 22 to and from my fixed IP address at home to a fixed, public IP address on the network side of the FW which is then NAT'ed to a 10.-private address inside. What I overlooked was the fact that I was trying all this from a _NEW_ workstation with a different internal IP.

The upshot is that adding "ClientAliveInterval 15" to /etc/ssh/sshd_config has removed all time sensitivity to idle connections.

Thanks to all who have responded to this topic.

Jim Cunning

From kevin at atomicgears.com Tue Sep 10 11:51:05 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Mon, 9 Sep 2002 18:51:05 -0700
Subject: small addition to the scp man page
In-Reply-To: <44B71BF277010E48BE207DA8FC0797E107B9DA@venus.lansa.co.uk>
References: <44B71BF277010E48BE207DA8FC0797E107B9DA@venus.lansa.co.uk>
Message-ID: <20020910015105.GD13971@scott.crlsca.adelphia.net>

On Mon, Sep 09, 2002 at 01:37:41PM +0100, Cressatti, Dominique wrote:
> Having learned with difficulties how to retrieve files using scp,
> I'd like to make a small contribution to the scp man page,
> i.e. add a couple of examples on how to copy files to a box
> and more importantly how to copy them back.
>
> Therefore how do I submit my contribution?

send a unified diff against the current version in CVS. there are many opportunities for EXAMPLES section additions.

From bugzilla-daemon at mindrot.org Tue Sep 10 19:19:07 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 10 Sep 2002 19:19:07 +1000 (EST)
Subject: [Bug 369] Inconsistant exiit status from scp
Message-ID: <20020910091907.94A303D156@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=369

------- Additional Comments From devel at pitux.com 2002-09-10 19:19 -------

I confirm that this bug does exist. It's especially annoying since we use here a lot of scripts which check for the return values of scp to indicate success or failure. In fact it does the good thing on nonexistent files/dirs/etc, but fails in case of auth failure, name resolution failures and so on (the number after "rtfm" in the prompt reports the cmd exit status):

fg!rtfm 0 (pts/2) ~ $ scp -v root at mod-tsf.pitux.com:.bashrc /tmp
Executing: program /usr/bin/ssh host mod-tsf.pitux.com, user root, command scp -v -f .bashrc
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
ssh: mod-tsf.pitux.com: Name or service not known
fg!rtfm 0 (pts/2) ~ $ scp -v root at mod-tsd.pitux.com:fartr /tmp
Executing: program /usr/bin/ssh host mod-tsd.pitux.com, user root, command scp -v -f fartr
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to mod-tsd.pitux.com [212.67.34.43] port 22.
debug1: Connection established.
debug1: identity file /home/fg/.ssh/identity type 0
debug1: identity file /home/fg/.ssh/id_rsa type -1
debug1: identity file /home/fg/.ssh/id_dsa type -1
debug1: Remote protocol version 1.5, remote software version OpenSSH_3.2.2p1
debug1: match: OpenSSH_3.2.2p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.4p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'mod-tsd.pitux.com' is known and matches the RSA1 host key.
debug1: Found key in /home/fg/.ssh/known_hosts:17
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying RSA authentication via agent with 'fgaliegue at ovh.tbs-internet.com'
debug1: Received RSA challenge from server.
debug1: Sending response to RSA challenge.
debug1: Remote: RSA authentication accepted.
debug1: RSA authentication accepted by server.
debug1: Sending command: scp -v -f fartr
debug1: Entering interactive session.
debug1: fd 0 setting O_NONBLOCK
debug1: fd 1 setting O_NONBLOCK
scp: fartr: No such file or directory
debug1: fd 1 clearing O_NONBLOCK
debug1: Transferred: stdin 1, stdout 39, stderr 0 bytes in 0.3 seconds
debug1: Bytes per second: stdin 3.5, stdout 136.5, stderr 0.0
debug1: Exit status 1
fg!rtfm 1 (pts/2) ~ $ scp -v fg at mod-tsd.pitux.com:fartr /tmp
Executing: program /usr/bin/ssh host mod-tsd.pitux.com, user fg, command scp -v -f fartr
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to mod-tsd.pitux.com [212.67.34.43] port 22.
debug1: Connection established.
debug1: identity file /home/fg/.ssh/identity type 0
debug1: identity file /home/fg/.ssh/id_rsa type -1
debug1: identity file /home/fg/.ssh/id_dsa type -1
debug1: Remote protocol version 1.5, remote software version OpenSSH_3.2.2p1
debug1: match: OpenSSH_3.2.2p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.4p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'mod-tsd.pitux.com' is known and matches the RSA1 host key.
debug1: Found key in /home/fg/.ssh/known_hosts:17
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying RSA authentication via agent with 'fgaliegue at ovh.tbs-internet.com'
debug1: Server refused our key.
debug1: RSA authentication using agent refused.
debug1: Trying RSA authentication with key '/home/fg/.ssh/identity'
debug1: Server refused our key.
debug1: Doing challenge response authentication.
debug1: No challenge.
Permission denied.
debug1: Calling cleanup 0x8067140(0x0)
fg!rtfm 0 (pts/2) ~ $

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From gert at greenie.muc.de Tue Sep 10 15:51:19 2002
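A fetch wrapper for the scripts the comment above describes, as an added example that is neither from the bug report nor OpenSSH code: since the transcript shows scp exiting 0 after a name-resolution failure and after "Permission denied", the wrapper checks the outcome (a non-empty file actually arrived) rather than trusting the exit status alone, and downloads to a temporary name so a failed run never clobbers an earlier good copy. SCP_CMD is an assumed hook (default scp) that lets the logic be exercised with a stand-in command; it is not an scp option.

```shell
# Added example, not from the bug report: a scp fetch wrapper for scripts that
# cannot rely on scp's exit status alone (bug 369: exit 0 after auth or name
# resolution failures). SCP_CMD is an assumed hook, default "scp", used only
# so the wrapper can be tested with a stand-in; it is not a real scp option.

scp_fetch() {
    # usage: scp_fetch user@host:remote_path local_path
    remote=$1
    dest=$2
    part="$dest.part.$$"            # fetch here first; never overwrite dest early
    errlog=$(mktemp) || return 2
    status=0
    "${SCP_CMD:-scp}" -q "$remote" "$part" 2>"$errlog" || status=$?
    if [ "$status" -ne 0 ]; then
        # The easy case: scp itself reported failure.
        printf 'scp_fetch: scp exited %d: %s\n' "$status" "$(cat "$errlog")" >&2
        rm -f "$part" "$errlog"
        return 1
    fi
    # Exit 0 is not proof of success (bug 369): require that a non-empty
    # file was written, and surface whatever scp/ssh printed on stderr.
    if [ ! -s "$part" ]; then
        printf 'scp_fetch: scp exited 0 but nothing was fetched: %s\n' \
            "$(cat "$errlog")" >&2
        rm -f "$part" "$errlog"
        return 1
    fi
    rm -f "$errlog"
    # Atomically move the verified copy into place.
    mv "$part" "$dest"
}
```

The post-condition check treats a zero-length file as a failure; if empty remote files are legitimate in your environment, test for existence instead and keep the stderr capture, which still distinguishes "Permission denied" from a genuinely empty transfer.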
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 10 Sep 2002 07:51:19 +0200
Subject: sshd and SIGKILL
In-Reply-To: <3D779AAB.5000005@skalasoft.com>; from Roumen.Petrov@skalasoft.com on Thu, Sep 05, 2002 at 08:55:55PM +0300
References: <3D779AAB.5000005@skalasoft.com>
Message-ID: <20020910075119.A16070@greenie.muc.de>

Hi,

On Thu, Sep 05, 2002 at 08:55:55PM +0300, Roumen.Petrov at skalasoft.com wrote:
> On command:
> #kill -9 `cat /var/run/sshd.pid`
> sshd leaves the pid file!

Of course it does. "kill -9" means "abort process *immediately*" - no matter what you do, sshd has no means (!!) to clean up anything.

So don't use "kill -9", except if nothing else works. Never.

Use "kill -15" (which is SIGTERM, instead of SIGKILL) - this gives the process the chance to clean up.

> Missing line is :
> signal(SIGKILL, sigterm_handler);

Read up on unix signal semantics.

gert
--
Gert Doering
Mobile communications ... right now writing from *Ripe43 / Rhodos / Greece*

From Roumen.Petrov at skalasoft.com Tue Sep 10 21:26:44 2002
From: Roumen.Petrov at skalasoft.com (Roumen.Petrov at skalasoft.com)
Date: Tue, 10 Sep 2002 14:26:44 +0300
Subject: sshd and SIGKILL
References: <3D779AAB.5000005@skalasoft.com> <20020910075119.A16070@greenie.muc.de>
Message-ID: <3D7DD6F4.9080007@skalasoft.com>

Sorry, I wasted your time. Yes - processes cannot catch SIGKILL.

When I switch one linux from multi user to single user mode I found in /var/run only sshd.pid. Script calls kill -TERM pid, after this kill -KILL pid.

Problem is not in sshd !!!

END OF DISCUSSION !!!

From bugzilla-daemon at mindrot.org Tue Sep 10 21:34:52 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 10 Sep 2002 21:34:52 +1000 (EST)
Subject: [Bug 360] PrivilegeSeperation does not work with LDAP authentication through PAM
Message-ID: <20020910113452.7EC763D177@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=360

------- Additional Comments From djm at mindrot.org 2002-09-10 21:34 -------

Are you sure that this is not a pam_ldap bug?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Sep 10 21:36:58 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 10 Sep 2002 21:36:58 +1000 (EST)
Subject: [Bug 361] PRNGD not yet seeded & SSH banner stills show previous banner
Message-ID: <20020910113658.8C7913D17F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=361

djm at mindrot.org changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID

------- Additional Comments From djm at mindrot.org 2002-09-10 21:36 -------

Point 1 has already been answered by Lutz (and the INSTALL doc)

Point 2: Make sure you have restarted the server.

Besides, the bug tracking system is not the place to ask support questions.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Sep 10 21:43:49 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 10 Sep 2002 21:43:49 +1000 (EST)
Subject: [Bug 365] .ssh/environment not read when home = /
Message-ID: <20020910114349.B8CEF3D13D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=365

djm at mindrot.org changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED

------- Additional Comments From djm at mindrot.org 2002-09-10 21:43 -------

Applied - thanks.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Sep 10 21:46:01 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 10 Sep 2002 21:46:01 +1000 (EST)
Subject: [Bug 366] .cvsignore shouldn't be in distrib
Message-ID: <20020910114601.ABE763D18F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=366

djm at mindrot.org changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WONTFIX

------- Additional Comments From djm at mindrot.org 2002-09-10 21:45 -------

generated files shouldn't be checked into cvs.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Sep 10 21:52:42 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 10 Sep 2002 21:52:42 +1000 (EST)
Subject: [Bug 368] TTSSH will not connect to OpenSSH_3.4p1
Message-ID: <20020910115242.272B43D194@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=368

------- Additional Comments From djm at mindrot.org 2002-09-10 21:52 -------

Created an attachment (id=143)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=143&action=view)
Patch to add pid to logs

This is a quick patch to display the pid of the logging process. It may be
helpful in debugging privsep problems.

From bugzilla-daemon at mindrot.org Tue Sep 10 22:12:06 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 10 Sep 2002 22:12:06 +1000 (EST)
Subject: [Bug 331] ssh w/o privilege separation does not work for non-root users
Message-ID: <20020910121206.64D273D193@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=331

------- Additional Comments From djm at mindrot.org 2002-09-10 22:11 -------

Are there any messages left in the log on the server end?

From bugzilla-daemon at mindrot.org Tue Sep 10 22:12:59 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 10 Sep 2002 22:12:59 +1000 (EST)
Subject: [Bug 328] starting sshd yeilds PRNG not seeded
Message-ID: <20020910121259.058FA3D193@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=328

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From djm at mindrot.org 2002-09-10 22:12 -------

two months, no reply = closed bug

From bugzilla-daemon at mindrot.org Tue Sep 10 22:16:30 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 10 Sep 2002 22:16:30 +1000 (EST)
Subject: [Bug 316] ifdefs for systems without IPV6
Message-ID: <20020910121630.E6C4C3D1A3@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=316

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From djm at mindrot.org 2002-09-10 22:16 -------

What are you trying to fix here? We already supply IPv6 compatibility in
libopenbsd-compat.a. This includes definitions for struct sockaddr_in6 and
HAVE_STRUCT_SOCKADDR_IN6.

From bugzilla-daemon at mindrot.org Tue Sep 10 22:18:44 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 10 Sep 2002 22:18:44 +1000 (EST)
Subject: [Bug 291] /tmp/ssh-xxxx socket directories clutter up /tmp
Message-ID: <20020910121844.A54113D18A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=291

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

------- Additional Comments From djm at mindrot.org 2002-09-10 22:18 -------

ssh-agent supports the -a option to specify a socket path. Tell your users.

From bugzilla-daemon at mindrot.org Tue Sep 10 22:19:38 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 10 Sep 2002 22:19:38 +1000 (EST)
Subject: [Bug 295] rpm specfile needs build prereqs for Kerberos
Message-ID: <20020910121938.B4EC13D18A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=295

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org 2002-09-10 22:19 -------

Already fixed.

From bugzilla-daemon at mindrot.org Tue Sep 10 22:22:33 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 10 Sep 2002 22:22:33 +1000 (EST)
Subject: [Bug 307] configure fails to add -ldl (RedHat specfile)
Message-ID: <20020910122233.4AC0A3D1AE@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=307

------- Additional Comments From djm at mindrot.org 2002-09-10 22:22 -------

Are you using a non-standard OpenSSL? The RPM compiles fine on 7.3 for me.

From bugzilla-daemon at mindrot.org Tue Sep 10 22:27:25 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 10 Sep 2002 22:27:25 +1000 (EST)
Subject: [Bug 297] sshd version 3.3 incompatible with pre-3.3 clients in ssh1 mode
Message-ID: <20020910122725.31BB53D1B5@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=297

------- Additional Comments From djm at mindrot.org 2002-09-10 22:27 -------

The blowfish patch has been applied. What are the problems with AES?

From bugzilla-daemon at mindrot.org Tue Sep 10 22:27:34 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 10 Sep 2002 22:27:34 +1000 (EST)
Subject: [Bug 138] Incorrect OpenSSL version requirment?
Message-ID: <20020910122734.D27BB3D1B5@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=138

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org 2002-09-10 22:27 -------

Patch applied - thanks.

From bugzilla-daemon at mindrot.org Tue Sep 10 22:28:54 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 10 Sep 2002 22:28:54 +1000 (EST)
Subject: [Bug 317] add header so ptty functions are found
Message-ID: <20020910122854.D5FDA3D1C4@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=317

------- Additional Comments From djm at mindrot.org 2002-09-10 22:28 -------

What is the failure if this header isn't added? I'd prefer to detect it in
configure rather than use a platform-specific define.

From bugzilla-daemon at mindrot.org Tue Sep 10 22:45:40 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 10 Sep 2002 22:45:40 +1000 (EST)
Subject: [Bug 369] Inconsistant exiit status from scp
Message-ID: <20020910124540.0334C3D17F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=369

------- Additional Comments From markus at openbsd.org 2002-09-10 22:45 -------

do you have a patch for checking the exit status of ssh?

From bugzilla-daemon at mindrot.org Wed Sep 11 03:26:17 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 11 Sep 2002 03:26:17 +1000 (EST)
Subject: [Bug 369] Inconsistant exiit status from scp
Message-ID: <20020910172617.DB21B3D16C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=369

------- Additional Comments From oberman at es.net 2002-09-11 03:26 -------

I have no patch for this. I simply reported the problem I discovered when
running scp from a Perl script and checking for errors.

From binder at arago.de Wed Sep 11 03:36:45 2002
From: binder at arago.de (Thomas Binder) Date: Tue, 10 Sep 2002 19:36:45 +0200 Subject: [Bug 369] Inconsistant exiit status from scp In-Reply-To: <20020910124540.0334C3D17F@shitei.mindrot.org>; from bugzilla-daemon@mindrot.org on Tue, Sep 10, 2002 at 10:45:40PM +1000 References: <20020910124540.0334C3D17F@shitei.mindrot.org> Message-ID: <20020910193645.A14915843@ohm.arago.de> Hi! > ------- Additional Comments From markus at openbsd.org 2002-09-10 22:45 ------- > do you have a patch for checking the exit status of ssh? I attached a rough patch for that. It probably (I haven't been able to check) has one drawback, though: If the remote sshd has the "scp hangs on exit" problem, then the patched local scp will now do so, too. Besides, the patch also adds a check for fork() returning an error. Ciao Thomas -------------- next part -------------- ? confdefs.h Index: scp.c =================================================================== RCS file: /cvs/openssh/scp.c,v retrieving revision 1.97 diff -u -r1.97 scp.c --- scp.c 21 Jun 2002 00:41:52 -0000 1.97 +++ scp.c 10 Sep 2002 17:16:29 -0000 @@ -125,6 +125,9 @@ /* This is the program to execute for the secured connection. ("ssh" or -S) */ char *ssh_program = _PATH_SSH_PROGRAM; +/* This is used to store the pid of ssh_program */ +pid_t do_cmd_pid; + /* * This function executes the given command as the specified user on the * given host. This returns < 0 if execution fails, and >= 0 otherwise. This @@ -159,7 +162,8 @@ close(reserved[1]); /* For a child to execute the command on the remote host using ssh. */ - if (fork() == 0) { + do_cmd_pid = fork(); + if (do_cmd_pid == 0) { /* Child. */ close(pin[1]); close(pout[0]); @@ -178,6 +182,10 @@ perror(ssh_program); exit(1); } + else if (do_cmd_pid == (pid_t)-1) { + /* fork() failed */ + fatal("fork: %s", strerror(errno)); + } /* Parent. Close the other side, and return the local side. */ close(pin[0]); *fdout = pin[1]; 
@@ -219,7 +227,7 @@ int argc; char *argv[]; { - int ch, fflag, tflag; + int ch, fflag, tflag, status; char *targ; extern char *optarg; extern int optind; @@ -317,6 +325,7 @@ targetshouldbedirectory = 1; remin = remout = -1; + do_cmd_pid = (pid_t)-1; /* Command to be executed on remote system using "ssh". */ (void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s", verbose_mode ? " -v" : "", @@ -331,6 +340,22 @@ tolocal(argc, argv); /* Dest is local host. */ if (targetshouldbedirectory) verifydir(argv[argc - 1]); + } + /* + * Finally check the exit status of the ssh process, if one was forked + * and no error has occured yet + */ + if (do_cmd_pid != (pid_t)-1 && errs == 0) { + if (remin != -1) + (void) close(remin); + if (remout != -1) + (void) close(remout); + if (waitpid(do_cmd_pid, &status, 0) == -1) + errs = 1; + else { + if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) + errs = 1; + } } exit(errs != 0); } From binder at arago.de Wed Sep 11 03:45:48 2002 From: binder at arago.de (Thomas Binder) Date: Tue, 10 Sep 2002 19:45:48 +0200 Subject: [PATCH] Let scp accept options -1 and -2 Message-ID: <20020910194548.B14915843@ohm.arago.de> Hi! Attached is a patch that lets scp accept options -1 and -2 to conveniently choose the protocol version, as it is already possible with ssh. Ciao Thomas -------------- next part -------------- ? confdefs.h Index: scp.c =================================================================== RCS file: /cvs/openssh/scp.c,v retrieving revision 1.97 diff -u -r1.97 scp.c --- scp.c 21 Jun 2002 00:41:52 -0000 1.97 +++ scp.c 10 Sep 2002 17:37:49 -0000 @@ -233,9 +241,11 @@ addargs(&args, "-oClearAllForwardings yes"); fflag = tflag = 0; - while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:F:")) != -1) + while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:F:12")) != -1) switch (ch) { /* User-visible flags. */ + case '1': + case '2': case '4': case '6': case 'C': From Nicolas.Williams at ubsw.com Wed Sep 11 04:26:38 2002 
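Review bot: the final hunk of the exit-status patch (the `if (do_cmd_pid != (pid_t)-1 && errs == 0)` block at the end of main()) only closes remin/remout and reaps the ssh child when no error has been recorded, so on the error path the child is never waited for and its status is lost; since `exit(errs != 0)` already reports failure there, the close and waitpid() could run unconditionally (with `errs` only ever raised, never cleared) so the child is always reaped and a failed ssh is still visible in verbose output. The block also relies on a single global `do_cmd_pid` assigned in do_cmd(), so a second do_cmd() call would overwrite the first child's pid and that child's exit status would never be checked; either keep the pids of all children or state in the comment that only the last ssh child is waited for. Style: the added comment reads "no error has occured yet" (occurred).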
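Review bot: the -1/-2 patch's hunk header `@@ -233,9 +241,11 @@` carries the eight-line offset introduced by the exit-status patch posted just before it (three lines added near line 125, a net one near line 162 and four near line 182), so this diff was generated on a tree that already contains that patch and will not apply cleanly with `patch` against scp.c revision 1.97 on its own; regenerate it against a clean checkout or post the two as one series. The new `case '1': case '2':` labels fall through into the existing `'4'`/`'6'`/`'C'` handling, which is fine, but the getopt string change is not matched by an update to usage() or scp.1 in this diff; add those if the options are meant to be user-visible.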
From: Nicolas.Williams at ubsw.com (Nicolas.Williams at ubsw.com)
Date: Tue, 10 Sep 2002 14:26:38 -0400
Subject: [Bug 369] Inconsistant exiit status from scp
Message-ID:

The only hang-on-exit problem left, that I know of, is the
Solaris-/bin/csh-doesn't-HUP-its-bg-procs-when-exiting problem, and that
is relevant only to pty sessions. SCP does not use pty sessions,
therefore this hang-on-exit problem won't bite an scp that wait()s for
its ssh child process.

Cheers,

Nico
--

> -----Original Message-----
> From: Thomas Binder [mailto:binder at arago.de]
> Sent: Tuesday, September 10, 2002 1:37 PM
> To: openssh-unix-dev at mindrot.org
> Subject: Re: [Bug 369] Inconsistant exiit status from scp
>
>
> Hi!
>
> > ------- Additional Comments From markus at openbsd.org
> 2002-09-10 22:45 -------
> > do you have a patch for checking the exit status of ssh?
>
> I attached a rough patch for that. It probably (I haven't been
> able to check) has one drawback, though: If the remote sshd has
> the "scp hangs on exit" problem, then the patched local scp will
> now do so, too.
>
> Besides, the patch also adds a check for fork() returning an
> error.
>
>
> Ciao
>
> Thomas
>

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only
for the individual named. If you are not the named addressee you
should not disseminate, distribute or copy this e-mail. Please
notify the sender immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed,
arrive late or incomplete, or contain viruses. The sender therefore
does not accept liability for any errors or omissions in the contents
of this message which arise as a result of e-mail transmission. If
verification is required please request a hard-copy version. This
message is provided for informational purposes and should not be
construed as a solicitation or offer to buy or sell any securities or
related financial instruments.

From binder at arago.de Wed Sep 11 04:44:59 2002
From: binder at arago.de (Thomas Binder)
Date: Tue, 10 Sep 2002 20:44:59 +0200
Subject: [Bug 369] Inconsistant exiit status from scp
In-Reply-To: ; from Nicolas.Williams@ubsw.com on Tue, Sep 10, 2002 at 02:26:38PM -0400
References:
Message-ID: <20020910204459.A14871466@ohm.arago.de>

Hi!

On Tue, Sep 10, 2002 at 02:26:38PM -0400, Nicolas.Williams at ubsw.com wrote:
> The only hang-on-exit problem left, that I know of, is the
> Solaris- /bin/csh-doesn't-HUP-its-bg-procs-when-exiting problem,
> and that is relevant only to pty sessions. SCP does not use pty
> sessions, therefore this hang-on-exit problem won't bite an scp
> that wait()s for its ssh child process.

No, scp can also hang on some systems where OpenSSH should have
been compiled with USE_PIPES, but hasn't:

http://groups.google.com/groups?q=openssh+use_pipes+socketpair&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=slrn8tmd09.1e9.jaenicke%40emserv1.ee.TU-Berlin.DE&rnum=2

(reconstruct link if wrapped by your mail client)

I agree this is not a very common problem, because most systems
known to have this problem should be handled correctly by configure
by now, but I wanted to point this out.

Ciao

Thomas

From Nicolas.Williams at ubsw.com Wed Sep 11 05:08:45 2002
From: Nicolas.Williams at ubsw.com (Nicolas.Williams at ubsw.com)
Date: Tue, 10 Sep 2002 15:08:45 -0400
Subject: [Bug 369] Inconsistant exiit status from scp
Message-ID:

On Tuesday, September 10, 2002, Thomas Binder wrote:
> On Tue, Sep 10, 2002 at 02:26:38PM -0400,
> Nicolas.Williams at ubsw.com wrote:
> > The only hang-on-exit problem left, that I know of, is the
> > Solaris- /bin/csh-doesn't-HUP-its-bg-procs-when-exiting problem,
> > and that is relevant only to pty sessions. SCP does not use pty
> > sessions, therefore this hang-on-exit problem won't bite an scp
> > that wait()s for its ssh child process.
>
> No, scp can also hang on some systems where OpenSSH should have
> been compiled with USE_PIPES, but hasn't:
[...]

Ah, thanks.

Is this why scp doesn't wait() for ssh? Is there any other reason?

> Ciao
>
> Thomas

Cheers,

Nico
--

From bugzilla-daemon at mindrot.org Wed Sep 11 06:11:18 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 11 Sep 2002 06:11:18 +1000 (EST)
Subject: [Bug 393] New: 'known_hosts' file should be indexed by IP:PORT, not just IP
Message-ID: <20020910201118.B63803D17E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=393

           Summary: 'known_hosts' file should be indexed by IP:PORT, not just IP
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: eric at addamark.com

The current logic for using the 'known_hosts' file is broken with respect to
NAT. The current logic assumes that there is a 1:1 relationship between an IP
address and a physical host. This is not true. The correct logic would be to
associate each IP:PORT pair with a physical host.

The current logic breaks if the SSH server is behind a NAT device that does
port mapping. For example, 156.32.67.132:22 does not necessarily go to the
same physical host as 156.32.67.132:1022.

The problem one sees as a result of this is that the 'StrictHostChecking' and
'CheckHostIP' settings in ssh_config will cause 'ssh' to fail when it
shouldn't.

We ran into this today when I mapped a second SSH server through our firewall
on a new port.

From bugzilla-daemon at mindrot.org Wed Sep 11 06:18:32 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 11 Sep 2002 06:18:32 +1000 (EST)
Subject: [Bug 393] 'known_hosts' file should be indexed by IP:PORT, not just IP
Message-ID: <20020910201832.8BEC43D170@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=393

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From markus at openbsd.org 2002-09-11 06:18 -------

i don't think this will happen any time soon.

what does ip:port mean for hostbased authentication?

why does HostKeyAlias not help?

why should i have 10 entries for the hostkey if i run sshd on 10 different
ports on the same machine?

From bugzilla-daemon at mindrot.org Wed Sep 11 06:57:03 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 11 Sep 2002 06:57:03 +1000 (EST)
Subject: [Bug 317] add header so ptty functions are found
Message-ID: <20020910205703.AB4FB3D1A2@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=317

------- Additional Comments From dirk.meyer at dinoex.sub.org 2002-09-11 06:56 -------

The prototypes for openpty() and are missing if the header is not there.
also realhostname_sa();

#ifdef HAVE_LIBUTIL_H sounds fine, like in loginrec.c

From bugzilla-daemon at mindrot.org Wed Sep 11 06:57:56 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 11 Sep 2002 06:57:56 +1000 (EST)
Subject: [Bug 393] 'known_hosts' file should be indexed by IP:PORT, not just IP
Message-ID: <20020910205756.94A983D1A2@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=393

------- Additional Comments From carson at taltos.org 2002-09-11 06:57 -------

> what does ip:port mean for hostbased authentication?

It means nothing. The IP of the host is irrelevant - the name is all that
matters.

> why does HostKeyAlias not help?

Because it requires touching the config files of every possible user.

> why should i have 10 entries for the hostkey if i run sshd on 10 different
> ports on the same machine?

Because they may not have the same keys. Disk space is cheap. If you really
want to save disk space, allow a single key to have multiple ip:port indices.

From bugzilla-daemon at mindrot.org Wed Sep 11 07:13:13 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 11 Sep 2002 07:13:13 +1000 (EST)
Subject: [Bug 393] 'known_hosts' file should be indexed by IP:PORT, not just IP
Message-ID: <20020910211313.43F113D185@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=393

------- Additional Comments From eric at addamark.com 2002-09-11 07:13 -------

Let me be specific then: I have two ssh servers mapped through different port
numbers on the same public IP address to the outside world: one is on port 22,
the other is on port 1022.

The configuration breaks the ssh client when UseStrictHostChecking is active
because the logic assumes that it can never see more than one host key from a
given IP address. The CheckHostIP setting gives spurious warnings because it
assumes that it can never see more than one host key from a specific IP
address.

Currently, my only workaround is to disable both settings on everyone's
client. This is neither practical nor desirable, as it not only requires that
everyone make a change to their local configs, but in addition, everyone has to
run without the extra security that these settings provide.

I'm assuming that the first feedback was from one of the developers in the
OpenSSH team. Please reconsider your stance on this issue (or at least reopen
the bug so that it doesn't drop through the cracks).

From bugzilla-daemon at mindrot.org Wed Sep 11 07:59:39 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 11 Sep 2002 07:59:39 +1000 (EST)
Subject: [Bug 393] 'known_hosts' file should be indexed by IP:PORT, not just IP
Message-ID: <20020910215939.C535C3D174@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=393

------- Additional Comments From markus at openbsd.org 2002-09-11 07:59 -------

but why does HostKeyAlias not help?

From bugzilla-daemon at mindrot.org Wed Sep 11 08:01:51 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 11 Sep 2002 08:01:51 +1000 (EST)
Subject: [Bug 393] 'known_hosts' file should be indexed by IP:PORT, not just IP
Message-ID: <20020910220151.80C3E3D1C5@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=393

------- Additional Comments From markus at openbsd.org 2002-09-11 08:01 -------

if you don't want to use HostKeyAlias, you can even use the
GlobalKnownHostsFile option, e.g.

Host a
	Hostname gate
	port 1234
	GlobalKnownHostsFile /etc/ssh/known_hosts_a
Host b
	Hostname gate
	port 5678
	GlobalKnownHostsFile /etc/ssh/known_hosts_b

From bugzilla-daemon at mindrot.org Wed Sep 11 08:04:15 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 11 Sep 2002 08:04:15 +1000 (EST)
Subject: [Bug 393] 'known_hosts' file should be indexed by IP:PORT, not just IP
Message-ID: <20020910220415.6ECDE3D1CE@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=393

------- Additional Comments From markus at openbsd.org 2002-09-11 08:04 -------

it's not about saving diskspace, why should ssh ask you to confirm the
hostkey for every new ip:port pair?

and: the entry matters for hostbased authentication: you have 10 entries
for the same ip, what key is the correct key?

From bugzilla-daemon at mindrot.org Wed Sep 11 08:09:34 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 11 Sep 2002 08:09:34 +1000 (EST)
Subject: [Bug 393] 'known_hosts' file should be indexed by IP:PORT, not just IP
Message-ID: <20020910220934.645AE3D1D3@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=393

------- Additional Comments From markus at openbsd.org 2002-09-11 08:09 -------

HostKeyAlias does not require more work than an up-to-date known hosts file.

If you use port-forwarding to the 'real' ssh server, then the entries in the
known hosts file should identify the 'real' ssh server, not just a random
port on a gateway host, e.g. if i want to connect to cvs.openssh.com via a
gateway host, i use

Host cvs2
	Hostname gate
	Port 2222
	HostKeyAlias cvs.openssh.com

so 'ssh -v cvs2' will look up the correct hostkey under a name that refers to
the 'real' server, and not to some random gate:2222 name, that has nothing to
do with the server we connect to.

From bugzilla-daemon at mindrot.org Wed Sep 11 08:17:54 2002
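The lookup this thread argues about, as an added model (a constructed example, not OpenSSH's code): it parses a known_hosts file, picks the lookup name the way the thread describes (HostKeyAlias if set, otherwise Hostname, never the port) and shows why the reporter's gate:2222 setup gets a key mismatch while the `Host cvs2` stanza above does not. The host names, keys and the SERVER_KEYS table are made up; CheckHostIP's extra address lookup is left out.

```python
# Added example for the bug 393 thread: a small model of the client's
# known_hosts lookup. Constructed, not OpenSSH code; host names, keys and
# the SERVER_KEYS table are made up for the demonstration.
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed known_hosts: the NAT gateway 'gate' and the inner server
# cvs.openssh.com have different keys (the layout from the cvs2 example).
KNOWN_HOSTS = """\
# patterns                  keytype  key
gate,156.32.67.132          ssh-rsa  AAAAB3...gate-key-CONSTRUCTED
cvs.openssh.com             ssh-rsa  AAAAB3...cvs-key-CONSTRUCTED
"""

# What each listening endpoint actually presents: gate:2222 is forwarded
# to cvs.openssh.com, so it presents the cvs key, not gate's.
SERVER_KEYS: Dict[Tuple[str, int], Tuple[str, str]] = {
    ("gate", 22): ("ssh-rsa", "AAAAB3...gate-key-CONSTRUCTED"),
    ("gate", 2222): ("ssh-rsa", "AAAAB3...cvs-key-CONSTRUCTED"),
}


@dataclass
class HostStanza:
    """The parts of an ssh_config 'Host' block that matter here."""
    hostname: str
    port: int = 22
    host_key_alias: Optional[str] = None


# The reporter's situation (no alias) next to the 'Host cvs2' stanza.
SSH_CONFIG: Dict[str, HostStanza] = {
    "gate": HostStanza("gate"),
    "inner-noalias": HostStanza("gate", 2222),
    "cvs2": HostStanza("gate", 2222, host_key_alias="cvs.openssh.com"),
}

Entry = Tuple[List[str], str, str]


def parse_known_hosts(text: str) -> List[Entry]:
    """Parse 'pattern[,pattern...] keytype key' lines; skip blanks/comments."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed known_hosts line: {raw!r}")
        entries.append((fields[0].split(","), fields[1], fields[2]))
    return entries


def lookup_key(entries: List[Entry], name: str) -> Optional[Tuple[str, str]]:
    """First entry whose pattern list matches name ('!' negates, * ? wildcard)."""
    for patterns, keytype, key in entries:
        matched = False
        for pat in patterns:
            if pat.startswith("!"):
                if fnmatch.fnmatchcase(name, pat[1:]):
                    matched = False      # a negated pattern vetoes the entry
                    break
            elif fnmatch.fnmatchcase(name, pat):
                matched = True
        if matched:
            return keytype, key
    return None


def verify_host_key(stanza: HostStanza, presented: Tuple[str, str],
                    entries: List[Entry]) -> str:
    """Model the client's check: the lookup is by HostKeyAlias or Hostname.

    The port takes no part in the lookup, which is exactly what bug 393
    runs into. (CheckHostIP's extra address lookup is left out here.)
    """
    lookup_name = stanza.host_key_alias or stanza.hostname
    stored = lookup_key(entries, lookup_name)
    if stored is None:
        return "UNKNOWN"        # ssh would ask to confirm a new key
    # MISMATCH is the "host identification has changed" warning the
    # reporter sees when two servers share one gateway address.
    return "MATCH" if stored == presented else "MISMATCH"


def check(alias: str) -> str:
    """Run the model for one ssh_config Host alias."""
    stanza = SSH_CONFIG[alias]
    presented = SERVER_KEYS[(stanza.hostname, stanza.port)]
    return verify_host_key(stanza, presented, parse_known_hosts(KNOWN_HOSTS))


if __name__ == "__main__":
    for alias in SSH_CONFIG:
        print(f"ssh {alias}: {check(alias)}")
```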
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 11 Sep 2002 08:17:54 +1000 (EST)
Subject: [Bug 391] ssh -n returning 255 status code
Message-ID: <20020910221754.1A3E33D1BE@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=391

------- Additional Comments From markus at openbsd.org 2002-09-11 08:17 -------

do you have output from ssh -vvv ?

From bugzilla-daemon at mindrot.org Wed Sep 11 08:18:34 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 11 Sep 2002 08:18:34 +1000 (EST)
Subject: [Bug 382] Privilege Separation breaks HostbasedAuthentication
Message-ID: <20020910221834.B72D83D1DA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=382

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From markus at openbsd.org 2002-09-11 08:18 -------

this should be fixed in -current (use-after-free in ssh-keysign).
please test current and reopen if the bug is still there.

From carson at taltos.org Wed Sep 11 09:10:56 2002
From: carson at taltos.org (Carson Gaspar)
Date: Tue, 10 Sep 2002 19:10:56 -0400
Subject: [Bug 393] 'known_hosts' file should be indexed by IP:PORT, not just IP
In-Reply-To: <20020910220415.6ECDE3D1CE@shitei.mindrot.org>
References: <20020910220415.6ECDE3D1CE@shitei.mindrot.org>
Message-ID: <20450031.1031685056@[192.168.0.2]>

--On Wednesday, September 11, 2002 8:04 AM +1000 bugzilla-daemon at mindrot.org wrote:

> it's not about saving diskspace, why should ssh ask you to
> confirm the hostkey for every new ip:port pair?

Why are you running multiple instances of sshd on different ports with the
same key? That is a rather uncommon configuration. Port forwarding, or
multiple instances with differing keys, is a far more common case, in my
experience. Your argument is that the more common case should be hard, and
the less common case easy. I don't get it.

> and: the entry matters for hostbased authentication: you have
> 10 entries for the same ip, what key is the correct key?

The one with the correct _name_. I thought we'd solved this ages ago - the
source IP is _meaningless_ for host based auth, especially with NAT being
so common. The name that is presented is all that matters. This used to
work - did it get broken recently?

--
Carson

From mouring at etoh.eviladmin.org Wed Sep 11 09:50:14 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 10 Sep 2002 18:50:14 -0500 (CDT)
Subject: [Bug 393] 'known_hosts' file should be indexed by IP:PORT, not just IP
In-Reply-To: <20450031.1031685056@[192.168.0.2]>
Message-ID:

On Tue, 10 Sep 2002, Carson Gaspar wrote:

[..]
>
> > and: the entry matters for hostbased authentication: you have
> > 10 entries for the same ip, what key is the correct key?
>
> The one with the correct _name_. I thought we'd solved this ages ago - the
> source IP is _meaningless_ for host based auth, especially with NAT being
> so common. The name that is presented is all that matters. This used to
> work - did it get broken recently?
>

You're missing his point.

The whine about

machine.domain.com:22

vs

machine.domain.com:2222

If you have BOTH in your known_hosts due to the fact machine.domain.com is
a NAT box and port 2222 is really an internal machine. How does hostbased
authentication know which one to use?

He is not referring to vhost1.domain.com and vhost2.domain.com resolving to
one key. Where you got that is beyond me.

- Ben

From carson at taltos.org Wed Sep 11 10:06:29 2002
From: carson at taltos.org (Carson Gaspar)
Date: Tue, 10 Sep 2002 20:06:29 -0400
Subject: [Bug 393] 'known_hosts' file should be indexed by IP:PORT, not just IP
In-Reply-To:
References:
Message-ID: <24103484.1031688389@[192.168.0.2]>

--On Tuesday, September 10, 2002 6:50 PM -0500 Ben Lindstrom wrote:

> You're missing his point.
>
> The whine about
>
> machine.domain.com:22
>
> vs
>
> machine.domain.com:2222
>
> If you have BOTH in your known_hosts due to the fact machine.domain.com is
> a NAT box and port 2222 is really an internal machine. How does hostbased
> authentication know which one to use?

I was being a bit dense. I'd say you put machine.domain.com:22 or
machine.domain.com:2222 in your .shosts file. Or you accept any matching key
from a host with multiple entries.

--
Carson

From kevin at atomicgears.com Wed Sep 11 12:06:13 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Tue, 10 Sep 2002 19:06:13 -0700
Subject: [PATCH] Let scp accept options -1 and -2
In-Reply-To: <20020910194548.B14915843@ohm.arago.de>
References: <20020910194548.B14915843@ohm.arago.de>
Message-ID: <20020911020613.GG15752@scott.crlsca.adelphia.net>

On Tue, Sep 10, 2002 at 07:45:48PM +0200, Thomas Binder wrote:
> Attached is a patch that lets scp accept options -1 and -2 to
> conveniently choose the protocol version, as it is already
> possible with ssh.

the strategy is to use -o for this. this case is even covered in ssh(1).
search the archives for more discussion.

From bugzilla-daemon at mindrot.org Wed Sep 11 17:29:47 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 11 Sep 2002 17:29:47 +1000 (EST)
Subject: [Bug 369] Inconsistant exiit status from scp
Message-ID: <20020911072947.B46D63D186@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=369

------- Additional Comments From devel at pitux.com 2002-09-11 17:29 -------

In response to #4: I attempted to do a patch to scp.c which adds a call to
waitpid() in do_cmd() in order to check for the exit status in the parent.
Unfortunately, while it does the right thing on ssh failures, it just hangs
the command in case it is bound to succeed. I'll investigate some more when I
have the time.

From Dominique.Cressatti at lansa.co.uk Wed Sep 11 19:17:52 2002
From: Dominique.Cressatti at lansa.co.uk (Cressatti, Dominique)
Date: Wed, 11 Sep 2002 10:17:52 +0100
Subject: man page contribution
Message-ID: <44B71BF277010E48BE207DA8FC0797E107063A@venus.lansa.co.uk>

Second time: is there anybody who can tell me where I can send contributions
to the man pages?

Dom

-------------- next part --------------
An embedded message was scrubbed...
From: "Cressatti, Dominique" Subject: small addition to the scp man page Date: Mon, 9 Sep 2002 13:37:41 +0100 Size: 1932 Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020911/87a64c88/attachment.mht From bugzilla-daemon at mindrot.org Wed Sep 11 22:44:01 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 11 Sep 2002 22:44:01 +1000 (EST)
Subject: [Bug 394] New: SSH 2 MAC Error Caused By OpenSSH?
Message-ID: <20020911124401.F09903D16D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=394

           Summary: SSH 2 MAC Error Caused By OpenSSH?
           Product: Portable OpenSSH
           Version: -current
          Platform: Sparc
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P3
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: emoore2 at slb.com

Components:
OpenSSH 3.4p1
PuTTy 0.52 (on client, configured to use SSH2)
VNC Viewer 3.3.3R2 (ran over SSH)

Affected: Several servers and users all running same config.

Error occurs when using above 3 components together. PuTTy error described in
the following webpage occurs:
http://www.tartarus.org/~owen/putty-docs/AppendixA.html#A.6

We've tried their recommended fix ("Imitate SSH 2 MAC bug") and this gives the
MAC error straight away.

Could the error relate to a bug in the message authentication codes with
OpenSSH? If not suggestions welcome.

Regards
Edward Moore

----------------------------------------------------------------------------
dwpprod01:/> pkginfo -l SMCossh
   PKGINST:  SMCossh
      NAME:  openssh
  CATEGORY:  application
      ARCH:  sparc
   VERSION:  3.4p1
   BASEDIR:  /usr/local
    VENDOR:  The OpenSSH Group
    PSTAMP:  Steve Christensen
  INSTDATE:  Aug 23 2002 13:44
     EMAIL:  steve at smc.vnet.net
    STATUS:  completely installed
     FILES:       50 installed pathnames
                   5 shared pathnames
                  11 directories
                  10 executables
                   1 setuid/setgid executables
               11188 blocks used (approx)

dwpprod01:/> uname -a
SunOS dwpprod01 5.8 Generic_108528-15 sun4u sparc SUNW,Sun-Fire-480R
dwpprod01:/>

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Sep 11 22:52:05 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 11 Sep 2002 22:52:05 +1000 (EST) Subject: [Bug 394] SSH 2 MAC Error Caused By OpenSSH? Message-ID: <20020911125205.8C4FE3D1A5@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=394 ------- Additional Comments From markus at openbsd.org 2002-09-11 22:52 ------- openssh does not have the bug described in http://www.tartarus.org/~owen/putty-docs/AppendixA.html#A.6 what do you see? what ciphers are used? what hmac? what does sshd -ddd say when a client connects? do you have more information? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From binder at arago.de Thu Sep 12 00:06:13 2002 
From: binder at arago.de (Thomas Binder) Date: Wed, 11 Sep 2002 16:06:13 +0200 Subject: [PATCH] Let scp accept options -1 and -2 In-Reply-To: <20020911020613.GG15752@scott.crlsca.adelphia.net>; from kevin@atomicgears.com on Tue, Sep 10, 2002 at 07:06:13PM -0700 References: <20020910194548.B14915843@ohm.arago.de> <20020911020613.GG15752@scott.crlsca.adelphia.net> Message-ID: <20020911160613.A15043416@ohm.arago.de> Hi! On Tue, Sep 10, 2002 at 07:06:13PM -0700, Kevin Steves wrote: > On Tue, Sep 10, 2002 at 07:45:48PM +0200, Thomas Binder wrote: > > Attached is a patch that lets scp accept options -1 and -2 to > > conveniently choose the protocol version, as it is already > > possible with ssh. > > the strategy is to use -o for this. this case is even > covered in ssh(1). search the archives for more discussion. I finally found the thread in the archives after playing with the search patterns. I'm sorry for stirring this subject up again. But one thing bugged me when reading that thread: > will adding -1 and -2 make people post useful patches for real > bugs to this list? Is this really meant as one might understand it: It's not appreciated to see any patches here that do not explicitly address a bug? Ciao Thomas From markus at openbsd.org Thu Sep 12 00:24:44 2002 
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 11 Sep 2002 16:24:44 +0200
Subject: [PATCH] Let scp accept options -1 and -2
In-Reply-To: <20020911160613.A15043416@ohm.arago.de>
References: <20020910194548.B14915843@ohm.arago.de> <20020911020613.GG15752@scott.crlsca.adelphia.net> <20020911160613.A15043416@ohm.arago.de>
Message-ID: <20020911142444.GB10464@faui02>

On Wed, Sep 11, 2002 at 04:06:13PM +0200, Thomas Binder wrote:
> Is this really meant as one might understand it: It's not
> appreciated to see any patches here that do not explicitly address
> a bug?

yes, it is appreciated.

however, at some point it was decided that scp should get no
more options.

-m

From bugzilla-daemon at mindrot.org Thu Sep 12 00:43:29 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 12 Sep 2002 00:43:29 +1000 (EST)
Subject: [Bug 369] Inconsistant exiit status from scp
Message-ID: <20020911144329.D49B63D15A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=369

------- Additional Comments From binder at arago.de  2002-09-12 00:43 -------
Created an attachment (id=144)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=144&action=view)
Check ssh's exit status in scp

The attached rough patch should do the trick. Note that you have to close()
the file handles used to communicate with the ssh process, as otherwise the
remote scp (when copying to remote) will continue waiting for data, causing
waitpid() to wait forever.

Also note that this patch may cause hangs of the local scp client when the
remote sshd should have been compiled with USE_PIPES defined, but hasn't.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Sep 12 00:45:55 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 12 Sep 2002 00:45:55 +1000 (EST)
Subject: [Bug 369] Inconsistant exiit status from scp
Message-ID: <20020911144555.524363D1DF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=369

------- Additional Comments From binder at arago.de  2002-09-12 00:45 -------
Forgot to mention that the patch in attachment #144 also adds a check for
fork() failure.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From MZPERAD9 at de.ibm.com Thu Sep 12 01:02:14 2002
From: MZPERAD9 at de.ibm.com (Germany MZPERAD9)
Date: Wed, 11 Sep 2002 17:02:14 +0200
Subject: Silly question on DH key exch in ssh
Message-ID: 

hello,

I'm also developing a ssh application in java and I also got stuck with
DH-Key Exchange.
I just get to the SSH_MSG_KEXDH_REPLY from the server. But what is he
expecting me to send then? As far as I understand the Transport Layer
Protocol I should send the SSH_MSG_NEWKEYS message, but that doesn't work.
Does anyone know what to send then?
(The hint from Markus Friedl with kexdh.c didn't help me much because I'm
not familiar with c++ and I could not find a line of code where either the
server is expecting another message after sending SSH_MSG_KEXDH_REPLY or
the client is sending another message after SSH_MSG_KEXDH_INIT (before
sending SSH_MSG_NEWKEYS).)

Thanks a lot,
S. Gloeckner

From gert at greenie.muc.de Thu Sep 12 01:31:09 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 11 Sep 2002 17:31:09 +0200
Subject: [Bug 393] 'known_hosts' file should be indexed by IP:PORT, not just IP
In-Reply-To: <24103484.1031688389@[192.168.0.2]>; from carson@taltos.org on Tue, Sep 10, 2002 at 08:06:29PM -0400
References: <24103484.1031688389@[192.168.0.2]>
Message-ID: <20020911173109.A23958@greenie.muc.de>

Hi,

On Tue, Sep 10, 2002 at 08:06:29PM -0400, Carson Gaspar wrote:
> I'd say you put machine.domain.com:22 or machine.domain.com:2222 in your
> .shosts file. Or you accept any matching key from a host with multiple
> entries.

won't work, as incoming connections won't come from those ports.

gert

-- 
Gert Doering
Mobile communications ... right now writing from *Ripe43 / Rhodos / Greece*

From pekkas at netcore.fi Thu Sep 12 02:07:27 2002
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 11 Sep 2002 19:07:27 +0300 (EEST)
Subject: [PATCH] Let scp accept options -1 and -2
In-Reply-To: <20020911142444.GB10464@faui02>
Message-ID: 

On Wed, 11 Sep 2002, Markus Friedl wrote:
> On Wed, Sep 11, 2002 at 04:06:13PM +0200, Thomas Binder wrote:
> > Is this really meant as one might understand it: It's not
> > appreciated to see any patches here that do not explicitly address
> > a bug?
>
> yes, it is appreciated.
>
> however, at some point it was decided that scp should get no
> more options.

Speaking of which, should we have a section in TODO or somewhere else
about features that will not be implemented (like -[12] for scp) and
reasons, so people would stop sending patches for them.

I don't know whether there are enough of these 'denied' targets to justify
this, though..

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From bugzilla-daemon at mindrot.org Thu Sep 12 02:18:46 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 12 Sep 2002 02:18:46 +1000 (EST)
Subject: [Bug 394] SSH 2 MAC Error Caused By OpenSSH?
Message-ID: <20020911161846.0D4523D183@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=394

------- Additional Comments From emoore2 at slb.com  2002-09-12 02:18 -------
> what do you see?
Error message with PuTTy, as detailed. Connection is then terminated by PuTTy.

> what ciphers are used?
We're using RSA 1024 keys with PuTTy. Is this the cipher used for the
connection?

> what hmac?
what is a hmac? thanks.

> what does sshd -ddd say when a client connects?
I'll get back to you with this -- got to go through change management
procedures

------------------------------------------------------------------------------
MORE INFORMATION:

There's no fixed time interval since starting the connection when the problem
occurs -- it's random but averaging about every 2hrs but only when using VNC
(so far) -- maybe just because of increased traffic increasing error
frequency? Error terminates connection.

---

WHY IS THIS PROBABLY OPEN SSH RELATED?

This does not occur nearly as frequently on other servers where the same PuTTy
version is communicating with OpenSSH version 3.2.0p1.

---
RMSD-BBP-W03:/> pkginfo -l SMCossh3
   PKGINST:  SMCossh3
      NAME:  openssh
  CATEGORY:  application
      ARCH:  sparc
   VERSION:  3.0.2p1
   BASEDIR:  /usr/local
    VENDOR:  The OpenSSH Group
    PSTAMP:  Steve Christensen
  INSTDATE:  Feb 26 2002 15:09
     EMAIL:  steve at smc.vnet.net
    STATUS:  completely installed
     FILES:       47 installed pathnames
                   7 shared pathnames
                  10 directories
                   9 executables
                9667 blocks used (approx)

RMSD-BBP-W03:/>

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From markus at openbsd.org Thu Sep 12 02:33:39 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 11 Sep 2002 18:33:39 +0200
Subject: Silly question on DH key exch in ssh
In-Reply-To: 
References: 
Message-ID: <20020911163339.GA10985@folly>

On Wed, Sep 11, 2002 at 05:02:14PM +0200, Germany MZPERAD9 wrote:
> hello,
>
> I'm also developing a ssh application in java and I also got stuck with
> DH-Key Exchange.
> I just get to the SSH_MSG_KEXDH_REPLY from the server. But what is he
> expecting me to send
> then, as far as I understand the Transport Layer Protocol I should send the
> SSH_MSG_NEWKEYS
> message, but that doesn't work.
> Does anyone know what to send then?

after sending SSH_MSG_KEXDH_REPLY the server sends and expects
SSH_MSG_NEWKEYS.

-m

From harbaugh at nciaxp.ncifcrf.gov Thu Sep 12 02:33:57 2002
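The sequencing Markus describes, as an added example for this thread: a client-side state machine for the SSH2 diffie-hellman key exchange in C. This is not OpenSSH's kexdh.c and not the poster's Java code; the message numbers are the transport-layer constants from the SSH2 drafts (20, 21, 30, 31), and the host_key_ok flag is an assumption standing in for the caller's check of the server's signature over the exchange hash H, which has to succeed before the client answers with SSH_MSG_NEWKEYS.

```c
/* Client side of the SSH2 diffie-hellman-group1 key exchange as a message
 * state machine. Added example for the thread above, not OpenSSH's kexdh.c.
 * Message numbers are the transport-layer constants from the SSH2 drafts
 * (later RFC 4253); host_key_ok stands in for the caller's verification of
 * the server's signature over the exchange hash H. */
#include <stdio.h>

enum {
    SSH_MSG_KEXINIT     = 20,
    SSH_MSG_NEWKEYS     = 21,
    SSH_MSG_KEXDH_INIT  = 30,
    SSH_MSG_KEXDH_REPLY = 31
};

enum kex_state {
    KEX_WAIT_KEXINIT,       /* our KEXINIT is out, waiting for the server's */
    KEX_WAIT_KEXDH_REPLY,   /* sent KEXDH_INIT (e), waiting for K_S, f, sig */
    KEX_WAIT_NEWKEYS,       /* sent NEWKEYS, waiting for the server's */
    KEX_DONE,               /* both directions now use the new keys */
    KEX_ERROR
};

struct kex_client {
    enum kex_state state;
    int host_key_ok;        /* set by the caller after checking sig over H */
};

/* Feed one received message number. Returns the message number the client
 * must send in response (0 = nothing to send), or -1 on a protocol error. */
int kex_client_recv(struct kex_client *c, int msg)
{
    switch (c->state) {
    case KEX_WAIT_KEXINIT:
        if (msg != SSH_MSG_KEXINIT) break;
        c->state = KEX_WAIT_KEXDH_REPLY;
        return SSH_MSG_KEXDH_INIT;           /* e = g^x mod p goes out */
    case KEX_WAIT_KEXDH_REPLY:
        if (msg != SSH_MSG_KEXDH_REPLY) break;
        /* The reply carries K_S, f and the signature over H. Answering
         * NEWKEYS before that signature is verified would mean switching
         * to keys negotiated with whoever answered, i.e. an active MITM. */
        if (!c->host_key_ok) break;
        c->state = KEX_WAIT_NEWKEYS;
        return SSH_MSG_NEWKEYS;
    case KEX_WAIT_NEWKEYS:
        if (msg != SSH_MSG_NEWKEYS) break;   /* the server's NEWKEYS */
        c->state = KEX_DONE;
        return 0;                            /* everything after this is encrypted */
    default:
        break;
    }
    c->state = KEX_ERROR;
    return -1;
}

/* Drive a whole exchange against the order in which the server actually
 * sends its messages: KEXINIT, KEXDH_REPLY, NEWKEYS. Returns the final state. */
enum kex_state kex_client_run(int host_key_ok)
{
    static const int from_server[] = {
        SSH_MSG_KEXINIT, SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS
    };
    struct kex_client c = { KEX_WAIT_KEXINIT, host_key_ok };
    size_t i;

    for (i = 0; i < sizeof from_server / sizeof from_server[0]; i++) {
        int send = kex_client_recv(&c, from_server[i]);
        printf("recv %2d -> send %2d\n", from_server[i], send);
        if (send < 0)
            break;
    }
    return c.state;
}

int main(void)
{
    printf("good host key: final state %d\n", kex_client_run(1));
    printf("bad host key:  final state %d\n", kex_client_run(0));
    return 0;
}
```

The point for the original question is the second case: after SSH_MSG_KEXDH_REPLY there is no further KEXDH message; the client sends SSH_MSG_NEWKEYS and then reads the server's SSH_MSG_NEWKEYS, and only then switches both directions to the negotiated keys.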
From: harbaugh at nciaxp.ncifcrf.gov (Toni L. Harbaugh-Blackford)
Date: Wed, 11 Sep 2002 12:33:57 -0400 (EDT)
Subject: tru64 sia: move call of session_setup_sia() to do_setusercontext(), letting grantpty() and friends handle pty perms
Message-ID: 

Hi-

Under privsep, I experimented with moving the session_setup_sia() out of
do_child() and into do_setusercontext(), which is where the uids/gids are
set to the final execution user. The call is made with a NULL tty, and this
is functional provided that any later pty allocation uses grantpty() to set
the device permissions. Logging in with this method shows that a utmp entry
does get made for the tty.

There are several issues I see with this configuration, but I don't think
any pose insurmountable problems:

- There is an #if'd-out call to do_setusercontext() in the subroutine
  privsep_preauth_child(), which means that the SSH_PRIVSEP_USER would be
  run through the session_setup_sia() should the '#if 0' preprocessor
  directive be removed. I don't want SSH_PRIVSEP_USER to be passed through
  session_setup_sia(), because I like that account to be locked and the
  session setup stuff would fail in this case. So for HAVE_OSF_SIA this
  should stay #if'd-out.

- If you are using the audit subsystem, the link between a tty and
  successive processes may be lost in the audit records. But I do extensive
  auditing, and ptys seem to be pretty much useless in audit trails; it's
  the process tree that is most useful.

- Tru64 5.0x has the /dev/ptmx device, so the HAVE_DEV_PTMX logic can be
  used to access grantpty() in sshpty.c. But OS versions prior to 5.0x do
  not have /dev/ptmx, although they *DO HAVE* grantpty. So appropriate
  changes and testing will have to be done for earlier versions to see that
  grantpty() and all the terminal setup gets done appropriately.

- Since session_setup_sia() works in do_child() when privsep is NOT in use,
  I'm fairly sure we want to leave it there in that case. It can safely
  override any grantpty() settings.

- stty terminal settings are screwy when privsep is used, and I don't know
  why. It may relate to the fact that the tty is not initialized by the sia
  stuff, but I have to admit that I haven't delved into the details of this
  yet. It seems that the terminal settings could be corrected outside of
  SIA.

Does anyone see any other problems with moving session_setup_sia() to
do_setusercontext() when privsep is in use? Any comments on the list above?

Toni

-----------------------------------------------------------------------
Toni Harbaugh-Blackford                   harbaugh at nciaxp.ncifcrf.gov
AlphaServer 8400 System Administrator
SAIC/NCI Frederick
Advanced Biomedical Computing Center

From bugzilla-daemon at mindrot.org Thu Sep 12 05:04:44 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 12 Sep 2002 05:04:44 +1000 (EST)
Subject: [Bug 393] 'known_hosts' file should be indexed by IP:PORT, not just IP
Message-ID: <20020911190444.DDEE43D179@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=393

------- Additional Comments From eric at addamark.com  2002-09-12 05:04 -------
I guess the basic issue is whether one views the problem from the perspective
of the user or the programmer.

From bugzilla-daemon at mindrot.org Thu Sep 12 05:52:32 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 12 Sep 2002 05:52:32 +1000 (EST)
Subject: [Bug 393] 'known_hosts' file should be indexed by IP:PORT, not just IP
Message-ID: <20020911195232.591A83D19C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=393

------- Additional Comments From mouring at eviladmin.org  2002-09-12 05:52 -------
You're missing his point about 'hostbased' authentication. By allowing
host/ip:port you run into a problem when you go to do hostbased
authentication. Instead of having a 1-to-1 association you have a 1-to-many.
And randomly picking from the many is opening yourself up to potential
spoofing.

If I have 10 keys that all say 'etoh.eviladmin.org' but from 10 different
ports, do you really want to trust that the right random key will be used
for hostbased auth?

No, I agree with Markus. Until one can show how host/ip:port format and
hostbased auth can interact, pinning it down to a 1-to-1 test, then I doubt
such a patch will be accepted.

When I say 'show how'... I'm stating WITHOUT RFC modifications. Full interop
with existing installs.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From jmknoble at pobox.com Thu Sep 12 06:21:57 2002
From: jmknoble at pobox.com (Jim Knoble) Date: Wed, 11 Sep 2002 16:21:57 -0400 Subject: small addition to the scp man page In-Reply-To: <20020910015105.GD13971@scott.crlsca.adelphia.net>; from kevin@atomicgears.com on Mon, Sep 09, 2002 at 06:51:05PM -0700 References: <44B71BF277010E48BE207DA8FC0797E107063A@venus.lansa.co.uk> <44B71BF277010E48BE207DA8FC0797E107B9DA@venus.lansa.co.uk> <20020910015105.GD13971@scott.crlsca.adelphia.net> Message-ID: <20020911162157.D22908@zax.half.pint-stowp.cx> Circa 2002-09-11 10:17:52 +0100 dixit Cressatti, Dominique: : second time, : : is there anybody that can tell me where I can send contributions to the man pages? : : Dom Kevin Steves (of the OpenSSH devel team) seems to have responded; perhaps you didn't get the message? (although it seems to have been CCed to you as well as sent to the mailing list). Circa 2002-09-09 18:51:05 -0700 dixit Kevin Steves: : On Mon, Sep 09, 2002 at 01:37:41PM +0100, Cressatti, Dominique wrote: : > Having learned with difficulties how to retrieve files using scp, : > I'd like to make a small contribution to the scp man page, : > i.e.. add a couple of examples on how to copy files to a box : > and more importantly how to copy them back. : > : > Therefore how do I submit my contribution? : : send a unified diff against the current version in CVS. there are : many opportunities for EXAMPLES section additions. Follow Kevin's instructions and either: (a) send the patch to the mailing list, or (b) open a bug report at http://bugzilla.mindrot.org/, including a description of the patch (but not the patch itself, yet). Then, query bugs for your new bug ID, and add the patch as an attachment. -- jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 262 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020911/b1af4207/attachment.bin From kevin at atomicgears.com Thu Sep 12 06:34:59 2002 From: kevin at atomicgears.com (Kevin Steves) Date: Wed, 11 Sep 2002 13:34:59 -0700 Subject: [PATCH] Let scp accept options -1 and -2 In-Reply-To: References: <20020911142444.GB10464@faui02> Message-ID: <20020911203459.GG17963@scott.crlsca.adelphia.net> On Wed, Sep 11, 2002 at 07:07:27PM +0300, Pekka Savola wrote: > On Wed, 11 Sep 2002, Markus Friedl wrote: > > however, at some point it was decided that scp should get no > > more options. > > Speaking of which, should we have a section in TODO or somewhere else > about features that will not be implemented (like -[12] for scp) and > reasons, so people would stop sending patches for them. > > I don't know whether there are enough of these 'denied' targets to justify > this, though.. i don't know how to maintain such a thing. i have thought of deprecating little-used command options which have a -o equivalent. sshd -b/g/k come immediately to mind. From kevin at atomicgears.com Thu Sep 12 06:50:23 2002 From: kevin at atomicgears.com (Kevin Steves) Date: Wed, 11 Sep 2002 13:50:23 -0700 Subject: [Bug 369] Inconsistant exiit status from scp In-Reply-To: <20020910204459.A14871466@ohm.arago.de> References: <20020910204459.A14871466@ohm.arago.de> Message-ID: <20020911205023.GI17963@scott.crlsca.adelphia.net> On Tue, Sep 10, 2002 at 08:44:59PM +0200, Thomas Binder wrote: > No, scp can also hang on some systems where OpenSSH should have > been compiled with USE_PIPES, but hasn't: #define USE_PIPES 1 is the default in openbsd. maybe that should be the default in portable. From mouring at etoh.eviladmin.org Thu Sep 12 07:11:28 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 11 Sep 2002 16:11:28 -0500 (CDT) Subject: [Bug 369] Inconsistant exiit status from scp In-Reply-To: <20020911205023.GI17963@scott.crlsca.adelphia.net> Message-ID: Any reason we can't just use the USE_PIPES code and strip the rest of it out? What platforms break if they have USE_PIPES defined? - Ben On Wed, 11 Sep 2002, Kevin Steves wrote: > On Tue, Sep 10, 2002 at 08:44:59PM +0200, Thomas Binder wrote: > > No, scp can also hang on some systems where OpenSSH should have > > been compiled with USE_PIPES, but hasn't: > > #define USE_PIPES 1 > is the default in openbsd. maybe that should be the default > in portable. > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From djm at mindrot.org Thu Sep 12 09:20:29 2002 From: djm at mindrot.org (Damien Miller) Date: 12 Sep 2002 09:20:29 +1000 Subject: [Bug 369] Inconsistant exiit status from scp In-Reply-To: References: Message-ID: <1031786429.4481.0.camel@mothra.mindrot.org> On Thu, 2002-09-12 at 07:11, Ben Lindstrom wrote: > > Any reason we can't just use the USE_PIPES code and strip the rest of it > out? What platforms break if they have USE_PIPES defined? I recall Andrew Tridgell reporting that rsync failed with USE_PIPES set. Way back in 1999/early 2000 IIRC. -d From mouring at etoh.eviladmin.org Thu Sep 12 09:11:41 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 11 Sep 2002 18:11:41 -0500 (CDT) Subject: [Bug 369] Inconsistant exiit status from scp In-Reply-To: <1031786429.4481.0.camel@mothra.mindrot.org> Message-ID: Hmm.. Wonder what platform. OpenBSD 3.0 (Sparc64) is what I'm mirroring down the CVS tree from Mindrot via rsync. It seems to work great. Wonder if we should dig into this to see if it still the case in general. - Ben On 12 Sep 2002, Damien Miller wrote: > On Thu, 2002-09-12 at 07:11, Ben Lindstrom wrote: > > > > Any reason we can't just use the USE_PIPES code and strip the rest of it > > out? What platforms break if they have USE_PIPES defined? > > I recall Andrew Tridgell reporting that rsync failed with USE_PIPES set. > Way back in 1999/early 2000 IIRC. > > -d > > From bugzilla-daemon at mindrot.org Thu Sep 12 15:59:50 2002 
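The hang Thomas describes in his bug 369 patch note (waitpid() on the ssh child never returning unless the pipe to it is closed first) and the fork() check he mentions, reduced to a stand-alone C program. This is an added illustration, not scp.c or attachment 144: the child that reads until EOF stands in for "ssh host scp -t dir", and its exit status of 3 is a constructed value. The deadline on waitpid() exists only so the demonstration cannot hang; scp has no such deadline, which is the bug.

```c
/* The hang Thomas describes for bug 369: waitpid() on the ssh child never
 * returns unless the pipe feeding it is closed first. Added illustration,
 * not scp.c. The child stands in for "ssh host scp -t dir": it reads stdin
 * until EOF, then exits with a constructed status of 3. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

#define CHILD_EXIT 3

/* Fork a child that drains its stdin, then exits with CHILD_EXIT. Returns
 * the child's pid and the parent's write end in *to_child; -1 on failure.
 * (Checking fork() for failure is the second thing the bug 369 patch adds.) */
static pid_t spawn_reader(int *to_child)
{
    int p[2];
    pid_t pid;

    if (pipe(p) == -1)
        return -1;
    pid = fork();
    if (pid == -1) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    if (pid == 0) {
        char buf[64];
        close(p[1]);
        while (read(p[0], buf, sizeof buf) > 0)
            ;                       /* keep reading until the writer closes */
        _exit(CHILD_EXIT);
    }
    close(p[0]);
    *to_child = p[1];
    return pid;
}

/* waitpid() with a deadline so the demonstration cannot hang: returns the
 * child's exit status, -1 if it is still running after `ms` milliseconds,
 * -2 on any other failure. */
static int wait_with_deadline(pid_t pid, int ms)
{
    int status, waited = 0;

    for (;;) {
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid)
            return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
        if (r == -1 && errno != EINTR)
            return -2;
        if (waited >= ms)
            return -1;
        {
            struct timeval tv = { 0, 10000 };   /* sleep 10 ms */
            select(0, NULL, NULL, NULL, &tv);
        }
        waited += 10;
    }
}

/* Write one payload to the child and collect its status. With close_first
 * the write end is closed before waiting, the child sees EOF and exits, and
 * its status comes back. Without it the child sits in read() forever, which
 * is exactly the waitpid() hang; here the deadline reports it as -1. */
int copy_and_wait(int close_first)
{
    int fd, rc;
    pid_t pid = spawn_reader(&fd);

    if (pid == -1)
        return -2;
    if (write(fd, "file data\n", 10) != 10) {
        close(fd);
        return -2;
    }
    if (close_first)
        close(fd);
    rc = wait_with_deadline(pid, 300);
    if (!close_first) {             /* now release the child and reap it */
        close(fd);
        waitpid(pid, NULL, 0);
    }
    return rc;
}

int main(void)
{
    printf("close() then waitpid(): child status %d\n", copy_and_wait(1));
    printf("waitpid() without close(): %s\n",
           copy_and_wait(0) == -1 ? "still blocked after 300 ms (would hang)"
                                  : "unexpectedly exited");
    return 0;
}
```

The same ordering rule applies whatever the local end of the channel is: the remote side only sees end-of-file once every descriptor referring to the write side in the parent is closed, so any copy of that descriptor left open (a dup, or the other half of a socketpair) keeps the remote scp waiting and the local waitpid() with it.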
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 12 Sep 2002 15:59:50 +1000 (EST)
Subject: [Bug 395] New: ident-protocol gives "root" as connection owner
Message-ID: <20020912055950.C63983D1D0@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=395

           Summary: ident-protocol gives "root" as connection owner
           Product: Portable OpenSSH
           Version: older versions
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: bibjah at bg.bib.de

When I tunnel a connection through openssh and the server tries to figure out
who is making the connection, it asks the local identd "who is running sshd"
instead of asking the remote identd (on the originating system) "who is
running the program connecting". Therefore, all server programs relying on
identd will believe that all tunneled connections come from local user
"root". I think this is a severe security flaw.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Sep 12 16:29:24 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 12 Sep 2002 16:29:24 +1000 (EST)
Subject: [Bug 395] ident-protocol gives "root" as connection owner
Message-ID: <20020912062924.0B2463D1EF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=395

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org  2002-09-12 16:29 -------
Recent versions (using privsep) establish port-forwardings as the owner of the
connection.

In any case, this is not a "severe security flaw" unless you are misguided
enough to use identd for authentication.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Dominique.Cressatti at lansa.co.uk Thu Sep 12 18:20:39 2002
From: Dominique.Cressatti at lansa.co.uk (Cressatti, Dominique)
Date: Thu, 12 Sep 2002 09:20:39 +0100
Subject: man page contribution
Message-ID: <44B71BF277010E48BE207DA8FC0797E107063C@venus.lansa.co.uk>

>>I think that Kevin already replied to you

I haven't seen anything, may be my mistake.
Anyway, thanks I'll the cvs.

Dom

-----Original Message-----
From: David M. Williams [mailto:d_wllms at lanl.gov] Sent: 11 September 2002 18:08 To: Cressatti, Dominique Subject: Re: man page contribution I think that Kevin already replied to you on this but I thought I'd answer as well. Here's what I do: get -current from cvs make my modifications `cvs diff -u` (which give you a unified diff as STDOUT) capture the output to a file .diff attach it to an email addressed to the dev mailing list with an explanation as to what it is for if the email is overlooked then you can submit it as an enhancement, not a bug, to bugzilla.mindrot.org Dave Cressatti, Dominique wrote: >second time, > >is there anybody that can tell me where I can send contributions to the man pages? > >Dom > <> > > > ------------------------------------------------------------------------ > > Subject: > small addition to the scp man page > From: > "Cressatti, Dominique" > Date: > Mon, 9 Sep 2002 13:37:41 +0100 > To: > > > >Hi, > >Having learned with difficulties how to retrieve files using scp, >I'd like to make a small contribution to the scp man page, >i.e.. add a couple of examples on how to copy files to a box >and more importantly how to copy them back. > >Therefore how do I submit my contribution? > >Regards >Dom >_______________________________________________ >openssh-unix-dev at mindrot.org mailing list >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > -- David M. Williams, CISSP Phone: 505-665-5021 Systems Engineer, CCN-2 Fax: 505-667-7428 Los Alamos National Laboratory Email: d_wllms at lanl.gov From bugzilla-daemon at mindrot.org Thu Sep 12 23:23:52 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 12 Sep 2002 23:23:52 +1000 (EST)
Subject: [Bug 396] New: sshd orphans processes when no pty allocated
Message-ID: <20020912132352.928F63D17A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=396

           Summary: sshd orphans processes when no pty allocated
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: dtucker at zip.com.au

When using ssh to run a command that doesn't terminate, sshd will leave the
process orphaned when it exits. Using ssh -t to force a pty allocation allows
the process to terminate when sshd does (presumably when the pty closes).

This has been observed on Solaris (7,8) and AIX, and probably occurs on
others.

# ssh localhost nc localhost 22
SSH-2.0-OpenSSH_3.4p1
[kill ssh from another window]
# ps -eaf |grep nc
 dtucker  5919     1  0 21:05:08 ?        0:00 nc localhost 22

The following patch (against -cvs) sends a HUP to the child process(es) when
sshd exits for protocols 1 and 2. It assumes that there's only one session
for v1. (Is that valid?)

It has been tested on Solaris 7 (including regression tests).

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Sep 12 23:26:15 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 12 Sep 2002 23:26:15 +1000 (EST)
Subject: [Bug 396] sshd orphans processes when no pty allocated
Message-ID: <20020912132615.815483D1AF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=396

------- Additional Comments From dtucker at zip.com.au  2002-09-12 23:26 -------
Created an attachment (id=145)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=145&action=view)
Send HUP to sshd child procs on exit

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From t.parry at TU-Harburg.de Fri Sep 13 01:27:29 2002
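The mechanism behind bug 396 and the shape of the fix in attachment 145, as an added C illustration that is not session.c or the patch itself. With a pty, closing the master at exit delivers SIGHUP to the child's process group through the tty layer; without one nothing does, so the session's exit path has to signal the child explicitly. The session table, the stand-in child that blocks in pause() in place of "nc localhost 22", and the reset of the SIGHUP disposition before fork() (so the demo behaves the same when started under nohup) are all assumptions of this example.

```c
/* Why a command run without a pty outlives sshd, and what the bug 396 patch
 * does about it. Added illustration, not session.c or the attached patch.
 * The child stands in for "nc localhost 22": it waits forever for input. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_SESSIONS 4

/* Per-session bookkeeping of the kind sshd keeps: just the child pid here.
 * A session with a pty does not need this path, because closing the pty
 * master at exit already HUPs the child's process group. A session without
 * a pty has nothing tying the child to sshd once sshd is gone. */
static pid_t sessions[MAX_SESSIONS];
static int nsessions;

/* Start a session whose command never terminates on its own. Returns the
 * child's pid, or -1 if fork() fails or the table is full. */
pid_t session_start(void)
{
    pid_t pid;

    if (nsessions == MAX_SESSIONS)
        return -1;
    /* Make sure the child inherits the default SIGHUP action even if this
     * program was started with SIGHUP ignored (e.g. under nohup). */
    signal(SIGHUP, SIG_DFL);
    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        for (;;)
            pause();                /* block forever, like nc with no peer data */
    }
    sessions[nsessions++] = pid;
    return pid;
}

/* kill(pid, 0) checks that the process exists without signalling it. */
int session_child_alive(pid_t pid)
{
    return kill(pid, 0) == 0;
}

/* The step the patch adds to sshd's exit path: HUP every session child,
 * then reap it. Returns how many children were terminated by SIGHUP. */
int session_close_all(void)
{
    int i, status, hupped = 0;

    for (i = 0; i < nsessions; i++) {
        pid_t pid = sessions[i];
        if (pid <= 0)
            continue;
        kill(pid, SIGHUP);
        if (waitpid(pid, &status, 0) == pid &&
            WIFSIGNALED(status) && WTERMSIG(status) == SIGHUP)
            hupped++;
        sessions[i] = 0;
    }
    nsessions = 0;
    return hupped;
}

int main(void)
{
    pid_t pid = session_start();

    printf("child %d alive before sshd exit: %d\n",
           (int)pid, session_child_alive(pid));
    printf("children HUPped on exit: %d\n", session_close_all());
    printf("child %d alive after sshd exit:  %d\n",
           (int)pid, session_child_alive(pid));
    return 0;
}
```

Without the session_close_all() step the child is simply reparented to init when the parent exits, which is the "nc localhost 22" with parent pid 1 in the ps output above.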
From: t.parry at TU-Harburg.de (Todd Parry) Date: Thu, 12 Sep 2002 17:27:29 +0200 Subject: HPUX 10.20 and OpenSSH 3.4.p1 Message-ID: <3D80CE81.14026.10D75971@localhost> Hello, over the last few days I've been attempting to compile openssh-3.4p1 on a HP j5000 (hpux 10.20) but have run into some problems. I had found the paper from Kevin Steves and have been following his suggested steps. Perl, zlib, prngd, tcp_wrappers and openssl all compiled more or less as he described. The configure script runs without protest but make gets hung up in "fake-getaddrinfo.c". The last few lines of running "make -d" follow. predecessor list: $! = bsd-waitpid.o libopenbsd-compat.a all gcc -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/lo cal/ssl/include -I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EX TENDED=1 -DHAVE_CONFIG_H -c bsd-waitpid.c nenv = 29 setvar: @ = noreset = 0 envflg = 0 Mflags = 040001 setvar: % = noreset = 0 envflg = 0 Mflags = 040001 setvar: < = noreset = 0 envflg = 0 Mflags = 040001 setvar: * = noreset = 0 envflg = 0 Mflags = 040001 TIME(bsd-waitpid.o)=1031659552 doname(fake-getaddrinfo.o,2) setvar: @ = fake-getaddrinfo.o noreset = 0 envflg = 0 Mflags = 040001 setvar: @ = noreset = 0 envflg = 0 Mflags = 040001 look for explicit deps. 2 doname(../config.h,3) TIME(../config.h)=1031565434 look for implicit rules. 2 right match = fake-getaddrinfo.o fake-getaddrinfo.c ---.c.o--- fake-getaddrinfo.o doname(fake-getaddrinfo.c,3) setvar: @ = fake-getaddrinfo.c noreset = 0 envflg = 0 Mflags = 040001 setvar: @ = noreset = 0 envflg = 0 Mflags = 040001 look for explicit deps. 
3 look for implicit rules right match = fake-getaddrinfo.c setvar: < = noreset = 0 envflg = 0 Mflags = 040001 setvar: * = noreset = 0 envflg = 0 Mflags = 040001 TIME(fake-getaddrinfo.c)=981683736 setvar: * = fake-getaddrinfo noreset = 0 envflg = 0 Mflags = 040001 setvar: < = fake-getaddrinfo.c noreset = 0 envflg = 0 Mflags = 040001 setvar: @ = fake-getaddrinfo.o noreset = 0 envflg = 0 Mflags = 040001 setvar: ? = ../config.h noreset = 0 envflg = 0 Mflags = 040001 predecessor list: $! = fake-getaddrinfo.o libopenbsd-compat.a all gcc -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/lo cal/ssl/include -I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EX TENDED=1 -DHAVE_CONFIG_H -c fake-getaddrinfo.c nenv = 29 *** Error exit code 1 nenv = 29 *** Error exit code 1 Though I've been poking about in various files looking for clues, I have really no clear idea of just what the problem could be. That my various searches have not turned up others with the same problem, has me wondering just what I am leaving out. Any ideas/suggestions? Todd Parry From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Sep 13 01:09:16 2002 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 12 Sep 2002 17:09:16 +0200 Subject: HPUX 10.20 and OpenSSH 3.4.p1 In-Reply-To: <3D80CE81.14026.10D75971@localhost> References: <3D80CE81.14026.10D75971@localhost> Message-ID: <20020912150916.GB17482@serv01.aet.tu-cottbus.de> On Thu, Sep 12, 2002 at 05:27:29PM +0200, Todd Parry wrote: > but make gets hung up in "fake-getaddrinfo.c". This means that the thing is hanging solid (like in an endless loop)? > The last few lines of running "make -d" follow. Could you kindly run a normal "make"? I do not see the actual information. ... > gcc -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/lo > cal/ssl/include -I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EX > TENDED=1 -DHAVE_CONFIG_H -c fake-getaddrinfo.c > nenv = 29 > *** Error exit code 1 > nenv = 29 > *** Error exit code 1 > So it seems that gcc exits with failure but does not give an error message!? Best regards, Lutz PS. Using 3.4p1 on HP-UX 10.20 myself. -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus From yeh at algx.net Fri Sep 13 04:07:19 2002 
From: yeh at algx.net (Madeleine Yeh)
Date: Thu, 12 Sep 2002 14:07:19 -0400
Subject: Problems compiling openssh 3.4p1 on IRIX 6.2
Message-ID:

I am having trouble compiling openssh 3.4p1 on an IRIX operating system. I am using the Mips Pro C compiler, and trying to create o32 executables. The operating system is IRIX 6.2 on a SGI challenge S. Could anyone please help me? If this is the wrong email list, could you please refer me to the correct one.

Thank you,
Madeleine Yeh

(cd openbsd-compat && make)
make[1]: Entering directory `/local/build/openssh/3.4p1/openssh-3.4p1/openbsd-compat'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/local/build/openssh/3.4p1/openssh-3.4p1/openbsd-compat'
cc -g -I. -I. -I/usr/local/ssl/include -I/usr/local/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/usr/local/etc\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c cipher.c
cfe: Warning 709: cipher.c, line 65: Incompatible pointer type assignment
 { "none", 0 , 8, 0, EVP_enc_null },
 ---------- ----------^
cfe: Warning 709: cipher.c, line 66: Incompatible pointer type assignment
 { "des", 2 , 8, 8, EVP_des_cbc },
 --------- ----------^
cfe: Warning 709: cipher.c, line 70: Incompatible pointer type assignment
 { "3des-cbc", -3 , 8, 24, EVP_des_ede3_cbc },
 -------------- ------------^
cfe: Warning 709: cipher.c, line 71: Incompatible pointer type assignment
 { "blowfish-cbc", -3 , 8, 16, EVP_bf_cbc },
 ------------------ ------------^
cfe: Warning 709: cipher.c, line 72: Incompatible pointer type assignment
 { "cast128-cbc", -3 , 8, 16, EVP_cast5_cbc },
 ----------------- ------------^
cfe: Warning 709: cipher.c, line 73: Incompatible pointer type assignment
 { "arcfour", -3 , 8, 16, EVP_rc4 },
 ------------- ------------^
cfe: Error: cipher.c, line 706: Unacceptable operand of == or !=
 if (c->evptype == EVP_rc4) {
 ---------------^
cfe: Error: cipher.c, line 721: Unacceptable operand of == or !=
 if (c->evptype == EVP_rc4) {
 ---------------^
make: *** [cipher.o] Error 1

From bugzilla-daemon at mindrot.org Fri Sep 13 05:54:34 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 13 Sep 2002 05:54:34 +1000 (EST)
Subject: [Bug 384] OpenSSH should store an SSH_SERVER variable for cluster hosts
Message-ID: <20020912195434.AC1A73D1CB@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=384

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From stevesk at pobox.com  2002-09-13 05:54 -------
add SSH_CONNECTION and deprecate SSH_CLIENT

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From cmadams at hiwaay.net Fri Sep 13 06:31:53 2002
From: cmadams at hiwaay.net (Chris Adams)
Date: Thu, 12 Sep 2002 15:31:53 -0500
Subject: tru64 sia: move call of session_setup_sia() to do_setusercontext(), letting grantpty() and friends handle pty perms
In-Reply-To: ; from harbaugh@nciaxp.ncifcrf.gov on Wed, Sep 11, 2002 at 12:33:57PM -0400
References:
Message-ID: <20020912153153.A116331@hiwaay.net>

Once upon a time, Toni L. Harbaugh-Blackford said:
> Does anyone see any other problems with moving session_setup_sia() to
> do_setusercontext() when privsep is in use? Any comments on the
> list above?

The biggest one is that you lose functionality from the SIA layer. If SIA doesn't have a terminal, it can't tell the user their password is expired or their account is locked (or the last successful and failed logins), the user can't change an expired password at login, etc. Any of that will just cause the connection to fail silently, which IMHO is not acceptable. Obviously right now, the connection will fail silently for non-TTY logins to locked accounts, etc., but a TTY login will give the user the error.
-- 
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From bugzilla-daemon at mindrot.org Fri Sep 13 15:38:43 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 13 Sep 2002 15:38:43 +1000 (EST)
Subject: [Bug 223] ProxyCommand commands don't exit
Message-ID: <20020913053843.541BD3D138@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=223

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #103 is|0                           |1
          obsolete|                            |
Attachment #104 is|0                           |1
          obsolete|                            |

------- Additional Comments From dtucker at zip.com.au  2002-09-13 15:38 -------
Created an attachment (id=146)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=146&action=view)
Send HUP to proxycommand on exit.

Update to current CVS. This reverts to the simpler approach: it just sends a HUP to the proxycommand on exit.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Sep 13 17:56:38 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 13 Sep 2002 17:56:38 +1000 (EST)
Subject: [Bug 202] scp/ssh hangs
Message-ID: <20020913075638.A689D3D14B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=202

haldane at princeton.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |haldane at princeton.edu

------- Additional Comments From haldane at princeton.edu  2002-09-13 17:56 -------
AARGH! This bug has got me too...

It's present in the scp client of openssh-3.1p1, but NOT in openssh-3.0p1. The server is an old version sshd2 of ssh-2.0.13 (from SSH Inc.), SSH-1.99-2.0.13 (non-commercial) but for various reasons the server can't be upgraded at present :-( so I'll have to downgrade my client to openssh-3.0p1 to access that server.

File transfers FROM the server fail, but transfers TO the server work fine.

It's a change that occurred going from 3.0p1 to 3.1p1, so (?) it might be easy to identify. The bug (?) is still there in openssh-3.4p1.

It's present in both the Windows client (Cygwin) and on Linux. However the same problem seems to afflict the latest SSH Inc. "noncommercial use" Windows client, so maybe some "more correct" implementation of the protocol has exposed a bug in the old implementations.

The file transfer almost gets completed, but hangs at the very end, a few 10's of KB before the end. Only very short files get through (below say 30KB).

If someone gives me a clue where to start, I could hack the client with printf's to maybe see what's going on and find out what's hanging.

This is a very annoying problem for me, as I've come to rely on scp file transfers of work-in-progress from that server.

Duncan Haldane
September 13, 2002.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From t.parry at TU-Harburg.de Fri Sep 13 20:42:56 2002
From: t.parry at TU-Harburg.de (Todd Parry)
Date: Fri, 13 Sep 2002 12:42:56 +0200
Subject: HPUX 10.20 and OpenSSH 3.4.p1
Message-ID: <3D81DD50.6985.14F847AA@localhost>

Hallo,
and thanks for the quick answer.

No, make doesn't go into an endless loop, it just exits. Sorry that the actual error code was not there. Here are the last lines of a normal make run:

(cd openbsd-compat && make)
gcc -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/local/ssl/include - I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE - D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c bsd-arc4random.c
gcc -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/local/ssl/include - I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE - D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c bsd-cray.c
gcc -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/local/ssl/include - I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE - D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c bsd-cygwin_util.c
gcc -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/local/ssl/include - I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE - D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c bsd-misc.c
gcc -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/local/ssl/include - I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE - D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c bsd-nextstep.c
gcc -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/local/ssl/include - I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE - D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c bsd-snprintf.c
gcc -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/local/ssl/include - I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE - D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c bsd-waitpid.c
gcc -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/local/ssl/include - I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE - D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c fake-getaddrinfo.c
as: "/var/tmp/cca23057.s", line 78: error 1052: Directive name not recognized - PARAM
*** Error exit code 1

Stop.
*** Error exit code 1

and there it ends with a normal prompt. All of the checks made by the configure script for getaddrinfo, ngetaddrinfo and ogetaddrinfo came up negative. The summary from the configure process follows:

OpenSSH has been configured with the following options:
                     User binaries: /opt/openssh-3.4p1/bin
                   System binaries: /opt/openssh-3.4p1/sbin
               Configuration files: /opt/local/openssh-3.4p1
                   Askpass program: /opt/openssh-3.4p1/libexec/ssh-askpass
                      Manual pages: /opt/openssh-3.4p1/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/usr/sbin:/opt/local/openssh-3.4p1/bin
                    Manpage format: man
                       PAM support: no
                KerberosIV support: no
                 KerberosV support: no
                 Smartcard support: no
                       AFS support: no
                     S/KEY support: no
              TCP Wrappers support: yes
              MD5 password support: no
       IP address in $DISPLAY hack: yes
          Use IPv4 by default hack: no
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: ssh-rand-helper
     ssh-rand-helper collects from: Unix domain socket "/var/run/egd-pool"

              Host: hppa2.0-hp-hpux10.20
          Compiler: gcc
    Compiler flags: -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags: -I/usr/local/ssl/include -I/opt/zlib/include -D_HPUX_SOURCE - D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1
      Linker flags: -L/usr/local/ssl/lib -L/opt/zlib/lib
         Libraries: -lwrap -lz -lxnet -lsec -lcrypto

If the full results of configure or from the make process would make things easier, I'll gladly send them along.

Thanks again.

Todd Parry

From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Sep 13 19:28:01 2002
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Fri, 13 Sep 2002 11:28:01 +0200
Subject: HPUX 10.20 and OpenSSH 3.4.p1
In-Reply-To: <3D81DD50.6985.14F847AA@localhost>
References: <3D81DD50.6985.14F847AA@localhost>
Message-ID: <20020913092800.GA4339@serv01.aet.tu-cottbus.de>

On Fri, Sep 13, 2002 at 12:42:56PM +0200, Todd Parry wrote:
> gcc -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/local/ssl/include -
> I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -
> D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c fake-getaddrinfo.c
> as: "/var/tmp/cca23057.s", line 78: error 1052: Directive name not recognized - PARAM
> *** Error exit code 1
>
> Stop.
> *** Error exit code 1
>

Ok. This was what I was looking for. It has nothing to do with make, it is a compiler issue. It seems that gcc is compiling the code to assembler, but then "as" (the actual assembler) has a problem in generating the object code from the assembler code. I would rather guess that you have a problem with your gcc installation. It is best to use gcc together with GNU as from the binutils. (I just tried a build using gcc 3.0.3 and could not reproduce your problem).

Best regards,
Lutz
-- 
Lutz Jaenicke    Lutz.Jaenicke at aet.TU-Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus

From brs at ben-tech.com Fri Sep 13 20:54:16 2002
From: brs at ben-tech.com (Bennett Samowich)
Date: Fri, 13 Sep 2002 06:54:16 -0400
Subject: Hiding version information
Message-ID:

Greetings,

I have seen a couple of postings about hiding the version information from clients. I had modified my copy of 3.4p1 to include two additional configuration options that accomplish this task and a bit more. I had posted this to the general users list, but after thinking about it, I thought that it might be good to post it here as well.

* Does a feature like this have any impact on the functionality of OpenSSH?
* Would a feature like this be appealing at all to the OpenSSH community?

The options are HideVersionInformation and VersionString, and they operate like this:

Setting HideVersionInformation to yes causes sshd to either use a default version string of "OpenSSH" or a user defined string specified with the option VersionString.

Example 1:
# sshd would deliver something like SSH-2.0-OpenSSH_3.4p1
HideVersionInformation no

Example 2:
# sshd would deliver something like SSH-2.0-OpenSSH
HideVersionInformation yes

Example 3:
# sshd would deliver something like SSH-2.0-You_must_be_joking!
HideVersionInformation yes
VersionString You_must_be_joking!

Any version string that you specify must be a single string (use '_' for spaces).

I have left the HideVersionInformation defaulting to off. This is so you can have control of your box with the compiled version before you start changing the version string.

I am not sure what functionality gets broken, if any, by altering the version string. So far I have not had any problems with the test installations. In fact, I do have it on a couple of production machines as well.

For those that might be interested... I have included a patch that was diff'd against a clean 3.4p1.

Hope this helps
- Bennett

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: hide_version.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020913/de2e667b/attachment.ksh

From markus at openbsd.org Fri Sep 13 21:02:52 2002
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 13 Sep 2002 13:02:52 +0200
Subject: Hiding version information
In-Reply-To:
References:
Message-ID: <20020913110252.GA21705@faui02>

> * Does a feature like this have any impact on the functionality of OpenSSH?

yes.

> * Would a feature like this appealing at all to the OpenSSH community?

probably, but the functionality impact is not appealing.

> +#VersionString Surely_you_must_be_joking!

yes.

From t.parry at TU-Harburg.de Sat Sep 14 00:39:47 2002
From: t.parry at TU-Harburg.de (Todd Parry)
Date: Fri, 13 Sep 2002 16:39:47 +0200
Subject: HPUX 10.20 and Openssh 3.4.p1
Message-ID: <3D8214D3.16402.15D11DDF@localhost>

Hallo,
well it seems that I need to fix or update gcc. The system currently has gcc 2.7.3 on it and apparently that is either simply too old or not correctly installed. I'll check it out and probably upgrade next week.

thanks for the help,
Todd

From bugzilla-daemon at mindrot.org Sat Sep 14 00:23:07 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 14 Sep 2002 00:23:07 +1000 (EST)
Subject: [Bug 369] Inconsistant exiit status from scp
Message-ID: <20020913142307.4F7F53D1B4@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=369

------- Additional Comments From devel at pitux.com  2002-09-14 00:22 -------
Congratulations Thomas, it Works Wonderfully For Me(tm). I've retried all test cases in #3 and it returned the good error code each time. Problem solved for me, I just recompiled my 3.4p1 with this patch and so far so good.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From alex.judd at btclick.com Sat Sep 14 01:45:24 2002
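The "Hiding version information" exchange above (Bennett's HideVersionInformation/VersionString proposal and Markus's reply that it has a functionality impact), as an added Python example that is not Bennett's patch (the patch itself is not reproduced on the page). It models the banner logic as Bennett describes it, validates VersionString against the RFC 4253 rules for the software-version field, and shows why hiding the version costs something: peers select bug-compatibility workarounds by matching that field. The compiled version string, the compatibility table and its flag names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed values: the real ones come from sshd's build and from the peer.
PROTO_VERSION = "2.0"
COMPILED_VERSION = "OpenSSH_3.4p1"

# RFC 4253 section 4.2: softwareversion is printable US-ASCII with no
# whitespace and no minus sign. 0x2d ('-') is left out of the class on purpose.
_SOFTWARE_OK = re.compile(r"^[\x21-\x2c\x2e-\x7e]+$")


def build_banner(hide_version: bool, version_string: Optional[str] = None) -> str:
    """Identification line sshd would send under the proposed options:
    HideVersionInformation no  -> compiled version string
    HideVersionInformation yes -> "OpenSSH", or VersionString if set."""
    if not hide_version:
        software = COMPILED_VERSION
    elif version_string is None:
        software = "OpenSSH"
    else:
        # Bennett requires a single token; the RFC additionally forbids '-'.
        if not _SOFTWARE_OK.match(version_string):
            raise ValueError("VersionString must be one token without spaces or '-'")
        software = version_string
    return f"SSH-{PROTO_VERSION}-{software}\r\n"


# SSH-protoversion-softwareversion SP comments CR LF
_IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<sw>\S+)(?: (?P<comment>.*?))?\r?\n?$")


@dataclass
class Ident:
    proto: str
    software: str
    comment: Optional[str]


def parse_banner(line: str) -> Ident:
    """Split an identification line the way a peer does before comparing it."""
    m = _IDENT_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification line: {line!r}")
    return Ident(m["proto"], m["sw"], m["comment"])


def leaks_version(software: str) -> bool:
    """True when the software field still carries a release number, e.g. OpenSSH_3.4p1;
    an operator can run this against their own banner to confirm the option took effect."""
    return re.search(r"\d+\.\d+", software) is not None


# Constructed stand-in for the per-peer bug-compatibility table an SSH implementation
# consults by matching the remote software string. Patterns and flag names are invented.
COMPAT_TABLE = [
    (re.compile(r"^OpenSSH_2\."), {"EXAMPLE_OLD_KEX_QUIRK"}),
    (re.compile(r"^OpenSSH_3\.[0-4]"), {"EXAMPLE_EARLY_3X_QUIRK"}),
]


def compat_flags(software: str) -> set:
    """Workarounds a peer would enable for this software string. A hidden banner
    matches nothing, which is the functionality impact Markus refers to."""
    flags: set = set()
    for pattern, names in COMPAT_TABLE:
        if pattern.search(software):
            flags |= names
    return flags
```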
From: alex.judd at btclick.com (Enpocket)
Date: Fri, 13 Sep 2002 16:45:24 +0100
Subject: Makefile error 3.3p1 on Cygwin
Message-ID: <000501c25b3c$93c51f90$0100a8c0@sparepc>

Not sure if it is a typo in the latest (3.3p1) release I downloaded, but the Makefile needs '-lcrypt' for the crypt libraries to be used. By de facto it only has -lcrypto which may/may not be needed/type.

Regards

Alex

From barel_bhai at yahoo.com Sat Sep 14 14:03:34 2002
From: barel_bhai at yahoo.com (raam raam)
Date: Fri, 13 Sep 2002 21:03:34 -0700 (PDT)
Subject: unsubscribe
In-Reply-To: <3D81DD50.6985.14F847AA@localhost>
Message-ID: <20020914040334.1760.qmail@web20502.mail.yahoo.com>

unsubscribe

Barel

--- Todd Parry wrote:
> Hallo,
> and thanks for the quick answer.
>
> No make doesn't go into an endless loop, it just
> exits. Sorry that the actual error code was not
> there. Here are the last lines of a normal make run:
>
> (cd openbsd-compat && make)
> gcc -O2 -Wall -Wpointer-arith
> -Wno-uninitialized -I. -I.. -I. -I./..
> -I/usr/local/ssl/include -
> I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -
> D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c
> bsd-arc4random.c
> gcc -O2 -Wall -Wpointer-arith
> -Wno-uninitialized -I. -I.. -I. -I./..
> -I/usr/local/ssl/include -
> I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -
> D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c
> bsd-cray.c
> gcc -O2 -Wall -Wpointer-arith
> -Wno-uninitialized -I. -I.. -I. -I./..
> -I/usr/local/ssl/include -
> I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -
> D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c
> bsd-cygwin_util.c
> gcc -O2 -Wall -Wpointer-arith
> -Wno-uninitialized -I. -I.. -I. -I./..
> -I/usr/local/ssl/include -
> I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -
> D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c
> bsd-misc.c
> gcc -O2 -Wall -Wpointer-arith
> -Wno-uninitialized -I. -I.. -I. -I./..
> -I/usr/local/ssl/include -
> I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -
> D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c
> bsd-nextstep.c
> gcc -O2 -Wall -Wpointer-arith
> -Wno-uninitialized -I. -I.. -I. -I./..
> -I/usr/local/ssl/include -
> I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -
> D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c
> bsd-snprintf.c
> gcc -O2 -Wall -Wpointer-arith
> -Wno-uninitialized -I. -I.. -I. -I./..
> -I/usr/local/ssl/include -
> I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -
> D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c
> bsd-waitpid.c
> gcc -O2 -Wall -Wpointer-arith
> -Wno-uninitialized -I. -I.. -I. -I./..
> -I/usr/local/ssl/include -
> I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -
> D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c
> fake-getaddrinfo.c
> as: "/var/tmp/cca23057.s", line 78: error 1052:
> Directive name not recognized - PARAM
> *** Error exit code 1
>
> Stop.
> *** Error exit code 1
>
>
> and there it ends with a normal prompt. All of the
> checks made by the configure script for
> getaddrinfo, ngetaddrinfo and ogetaddrinfo came up
> negative. The summary from the configure
> process follows:
>
>
> OpenSSH has been configured with the following
> options:
> User binaries:
> /opt/openssh-3.4p1/bin
> System binaries:
> /opt/openssh-3.4p1/sbin
> Configuration files:
> /opt/local/openssh-3.4p1
> Askpass program:
> /opt/openssh-3.4p1/libexec/ssh-askpass
> Manual pages:
> /opt/openssh-3.4p1/man/manX
> PID file: /var/run
> Privilege separation chroot path: /var/empty
> sshd default user PATH:
> /usr/bin:/usr/sbin:/opt/local/openssh-3.4p1/bin
> Manpage format: man
> PAM support: no
> KerberosIV support: no
> KerberosV support: no
> Smartcard support: no
> AFS support: no
> S/KEY support: no
> TCP Wrappers support: yes
> MD5 password support: no
> IP address in $DISPLAY hack: yes
> Use IPv4 by default hack: no
> Translate v4 in v6 hack: no
> BSD Auth support: no
> Random number source: ssh-rand-helper
> ssh-rand-helper collects from: Unix domain
> socket "/var/run/egd-pool"
>
> Host: hppa2.0-hp-hpux10.20
> Compiler: gcc
> Compiler flags: -O2 -Wall -Wpointer-arith
> -Wno-uninitialized
> Preprocessor flags: -I/usr/local/ssl/include
> -I/opt/zlib/include -D_HPUX_SOURCE -
> D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1
> Linker flags: -L/usr/local/ssl/lib
> -L/opt/zlib/lib
> Libraries: -lwrap -lz -lxnet -lsec
> -lcrypto
>
>
> If the full results of configure or from the make
> process would make things easier, I'll gladly
> send them along.
>
> Thanks again.
>
> Todd Parry
>
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

__________________________________________________
Do you Yahoo!?
Yahoo! News - Today's headlines
http://news.yahoo.com

From mmokrejs at natur.cuni.cz Tue Sep 17 01:46:15 2002
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ)
Date: Mon, 16 Sep 2002 17:46:15 +0200 (CEST)
Subject: privsep versus compression
Message-ID:

Hi,
I'm unable to get Kerberos4 authentication working with openssh-3.4p1. I'm getting a message that privsep is not available on my platform (Irix 6.5.15) and another message stating that compression and privsep are mutually exclusive. But, ssh decided to turn off compression, I think because of servconf.c. I think it would be more useful to have compression enabled and disable privsep as the encryption is almost useless when data is not compressed first. I think compression should never be disabled otherwise kerberos will be also effectively disabled. Any opinions?

Below I'm just showing the section I'm talking about. It's not a PATCH to be applied. ;)

diff -u -w -r openssh-3.2.3p1/servconf.c openssh/servconf.c
--- openssh-3.2.3p1/servconf.c	2002-05-15 23:37:34.000000000 +0200
+++ openssh/servconf.c	2002-09-05 06:35:15.000000000 +0200
[...]
@@ -250,9 +256,19 @@ if (options->authorized_keys_file == NULL) options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; - /* Turn privilege separation _off_ by default */ + /* Turn privilege separation on by default */ if (use_privsep == -1) - use_privsep = 0; + use_privsep = 1; + +#ifndef HAVE_MMAP + if (use_privsep && options->compression == 1) { + error("This platform does not support both privilege " + "separation and compression"); + error("Compression disabled"); + options->compression = 0; + } +#endif + } [...] diff -u -w -r openssh-3.2.3p1/session.c openssh/session.c --- openssh-3.2.3p1/session.c 2002-05-13 02:48:58.000000000 +0200 +++ openssh/session.c 2002-09-04 08:45:10.000000000 +0200 [...] @@ -165,8 +252,8 @@ Session *s; char *command; int success, type, screen_flag; - int compression_level = 0, enable_compression_after_reply = 0; - u_int proto_len, data_len, dlen; + int enable_compression_after_reply = 0; + u_int proto_len, data_len, dlen, compression_level = 0; s = session_new(); s->authctxt = authctxt; @@ -192,6 +279,10 @@ compression_level); break; } + if (!options.compression) { + debug2("compression disabled"); + break; + } /* Enable compression after we have responded with SUCCESS. */ enable_compression_after_reply = 1; success = 1; [...] -- Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs MIPS / Institute for Bioinformatics GSF - National Research Center for Environment and Health Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany tel.: +49-89-3187 3683 , fax:?+49-89-3187 3585 From mouring at etoh.eviladmin.org Tue Sep 17 02:05:05 2002 
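Review bot: in the servconf.c hunk, the `#ifndef HAVE_MMAP` block overrides an explicit `Compression yes` from sshd_config (it sets `options->compression = 0` and reports it only through `error()` at startup), so an administrator who depends on compression, as the poster above does, gets a server that quietly behaves differently from its configuration; either make the conflict a fatal configuration error or make the precedence (privsep over compression, or the reverse) a configurable choice. The test `options->compression == 1` should also be written as `options->compression`, matching the `!options.compression` test used in the session.c hunk, so a future non-boolean encoding of the option does not bypass the check.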
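Review bot: the change of `compression_level` from `int` to `u_int` in the first session.c hunk is unrelated to the privsep/compression interaction and belongs in a separate commit; it also changes the meaning of any signed range check on the value, because a negative level sent by a client now compares as a large unsigned number, so the bounds check that consumes it should be re-read with the new type in mind before this is merged.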
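Review bot: in the second session.c hunk the new refusal path `if (!options.compression) { debug2("compression disabled"); break; }` leaves `success` unset, so the client's request is correctly rejected, but it logs at debug2 only; an administrator whose clients report that compression was refused sees nothing at the default log level. Log this with `verbose()` or `logit()` and have the message say why (disabled in configuration, or disabled by the servconf.c privsep restriction), so the override is diagnosable from the server log alone.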
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 16 Sep 2002 11:05:05 -0500 (CDT)
Subject: privsep versus compression
In-Reply-To:
Message-ID:

Please look at the -cvs tree. We have handled most of the mmap() issues for any OS that is written in the last 6 years.

- Ben

On Mon, 16 Sep 2002, [iso-8859-2] Martin MOKREJŠ wrote:

> Hi,
> I'm unable to get Kerberos4 authentication working with openssh-3.4p1.
> I'm getting a message that privsep is not available on my platform (Irix
> 6.5.15) and another message stating that compression and privsep are
> mutually exclusive. But, ssh decided to turn off compression, I think
> because of servconf.c. I think it would be more usefull to have
> compression enabled and disable privsep as the encryption is almost
> useless when data is not compressed first. I think compression should
> never be disabled otherwise kerberos will be also efectively disabled.
> Any opinions?
>
>
> Below I'm just showing the section I'm talking about. It's not a PATCH
> to be applied. ;)
>
>
> diff -u -w -r openssh-3.2.3p1/servconf.c openssh/servconf.c
> --- openssh-3.2.3p1/servconf.c 2002-05-15 23:37:34.000000000 +0200
> +++ openssh/servconf.c 2002-09-05 06:35:15.000000000 +0200
> [...]
> @@ -250,9 +256,19 @@ > if (options->authorized_keys_file == NULL) > options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; > > - /* Turn privilege separation _off_ by default */ > + /* Turn privilege separation on by default */ > if (use_privsep == -1) > - use_privsep = 0; > + use_privsep = 1; > + > +#ifndef HAVE_MMAP > + if (use_privsep && options->compression == 1) { > + error("This platform does not support both privilege " > + "separation and compression"); > + error("Compression disabled"); > + options->compression = 0; > + } > +#endif > + > } > [...] > > > > diff -u -w -r openssh-3.2.3p1/session.c openssh/session.c > --- openssh-3.2.3p1/session.c 2002-05-13 02:48:58.000000000 +0200 > +++ openssh/session.c 2002-09-04 08:45:10.000000000 +0200 > [...] > @@ -165,8 +252,8 @@ > Session *s; > char *command; > int success, type, screen_flag; > - int compression_level = 0, enable_compression_after_reply = 0; > - u_int proto_len, data_len, dlen; > + int enable_compression_after_reply = 0; > + u_int proto_len, data_len, dlen, compression_level = 0; > > s = session_new(); > s->authctxt = authctxt; > @@ -192,6 +279,10 @@ > compression_level); > break; > } > + if (!options.compression) { > + debug2("compression disabled"); > + break; > + } > /* Enable compression after we have responded with SUCCESS. */ > enable_compression_after_reply = 1; > success = 1; > [...] > > > > -- > Martin Mokrejs , > PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs > MIPS / Institute for Bioinformatics > GSF - National Research Center for Environment and Health > Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany > tel.: +49-89-3187 3683 , fax:?+49-89-3187 3585 > > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From bugzilla-daemon at mindrot.org Wed Sep 18 00:09:32 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 18 Sep 2002 00:09:32 +1000 (EST)
Subject: [Bug 397] New: Openssh build failure AIX 4.3.3
Message-ID: <20020917140932.E98CA3D13D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=397

           Summary: Openssh build failure AIX 4.3.3
           Product: Portable OpenSSH
           Version: -current
          Platform: Other
        OS/Version: AIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: suehall at prodigy.net

Attempting to build openssh v.3.4p1 on AIX 4.3.3 maint level 9. The configure command is:

CC=/usr/ibmcxx/bin/xlC_r ./configure --prefix=/usr/local/ssh --with-tcp-wrappers

Error 1: duplicate def. utmp_data in /usr/include/utmp.h and utmpx.h. I commented out the def. in the older utmpx.h. Ran make clean and reconfigured:

Error 2: duplicate def. of TILDE in /usr/include/sys/ioctl.h and openssh/openbsd-compat/glob.c. I commented out the def. in ioctl.h, did make clean and continued.

Error 3:
/usr/ibmcxx/bin/xlC_r -g -I. -I. -I/usr/local/ssl/include - I/usr/local/include -DSSHDIR=\"/usr/local/ssh/etc\" - D_PATH_SSH_PROGRAM=\"/usr/local/ssh/bin/ssh\" - D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/ssh/libexec/ssh-askpass\" - D_PATH_SFTP_SERVER=\"/usr/local/ssh/libexec/sftp-server\" - D_PATH_SSH_KEY_SIGN=\"/usr/local/ssh/libexec/ssh-keysign\" - D_PATH_SSH_PIDDIR=\"/usr/local/ssh/etc\" - D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" - DSSH_RAND_HELPER=\"/usr/local/ssh/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c cipher.c
"cipher.c", line 65.56: 1506-196 (E) Initialization between types "const struct evp_cipher_st*(*)(void)" and "struct evp_cipher_st*(*)(void)" is not allowed.
"cipher.c", line 66.55: 1506-196 (E) Initialization between types "const struct evp_cipher_st*(*)(void)" and "struct evp_cipher_st*(*)(void)" is not allowed.
"cipher.c", line 70.57: 1506-196 (E) Initialization between types "const struct evp_cipher_st*(*)(void)" and "struct evp_cipher_st*(*)(void)" is not allowed.
"cipher.c", line 71.57: 1506-196 (E) Initialization between types "const struct evp_cipher_st*(*)(void)" and "struct evp_cipher_st*(*)(void)" is not allowed.
"cipher.c", line 72.57: 1506-196 (E) Initialization between types "const struct evp_cipher_st*(*)(void)" and "struct evp_cipher_st*(*)(void)" is not allowed.
"cipher.c", line 73.57: 1506-196 (E) Initialization between types "const struct evp_cipher_st*(*)(void)" and "struct evp_cipher_st*(*)(void)" is not allowed.
"cipher.c", line 154.17: 1506-068 (S) Operation between types "char*" and "int" is not allowed.
"cipher.c", line 155.16: 1506-068 (S) Operation between types "char*" and "int" is not allowed.
"cipher.c", line 706.24: 1506-068 (E) Operation between types "const struct evp_cipher_st*(*)(void)" and "struct evp_cipher_st*(*)(void)" is not allowed.
"cipher.c", line 721.24: 1506-068 (E) Operation between types "const struct evp_cipher_st*(*)(void)" and "struct evp_cipher_st*(*)(void)" is not allowed.
make: 1254-004 The error code from the last command is 1.
Stop.

I see a similar error reported for an Alpha system, but don't have the cflag specified in the response to remove (bug #371).

My configuration was reported as:

Console output after configure:

OpenSSH has been configured with the following options:
                     User binaries: /usr/local/ssh/bin
                   System binaries: /usr/local/ssh/sbin
               Configuration files: /usr/local/ssh/etc
                   Askpass program: /usr/local/ssh/libexec/ssh-askpass
                      Manual pages: /usr/local/ssh/man/catX
                          PID file: /usr/local/ssh/etc
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/ssh/bin
                    Manpage format: cat
                       PAM support: no
                KerberosIV support: no
                 KerberosV support: no
                 Smartcard support: no
                       AFS support: no
                     S/KEY support: no
              TCP Wrappers support: yes
              MD5 password support: no
       IP address in $DISPLAY hack: no
          Use IPv4 by default hack: no
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: ssh-rand-helper
     ssh-rand-helper collects from: Command hashing (timeout 200)

              Host: powerpc-ibm-aix4.3.3.0
          Compiler: /usr/ibmcxx/bin/xlC_r
    Compiler flags: -g
Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include
      Linker flags: -L/usr/local/ssl/lib -L/usr/local/lib - blibpath:/usr/lib:/lib:/usr/local/lib
         Libraries: -lwrap -lz -lcrypto

WARNING: you are using the builtin random number collection service. Please read WARNING.RNG and request that your OS vendor includes kernel-based random number collection in future versions of your OS.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Sep 18 00:43:53 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 18 Sep 2002 00:43:53 +1000 (EST)
Subject: [Bug 398] New: OpenSSL build mech. doesn't acknowledge /dev/random in Solaris
Message-ID: <20020917144353.B1E633D14F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=398

           Summary: OpenSSL build mech. doesn't acknowledge /dev/random in Solaris
           Product: Portable OpenSSH
           Version: -current
          Platform: Sparc
               URL: http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=112438&rev=01
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: garretta at garretta.com

Configure source. Summary says "using internal random # generator".

Sun has created a patch for Solaris8 that provides a PRNG /dev/random (I understand Solaris9 comes with PRNG by default).

Solaris8: http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=112438&rev=01

It would seem OpenSSH would be more scalable in an Enterprise environment if it could use the native PRNG device instead of the "internal pseudo-random device".

Note -- I don't know the technical details of this ... and ... I'm sure there's a great explanation for why the latest Openssh uses the internal device. Just an FYI ...

-GA

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Sep 18 00:55:11 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 18 Sep 2002 00:55:11 +1000 (EST)
Subject: [Bug 397] Openssh build failure AIX 4.3.3
Message-ID: <20020917145511.788333D156@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=397

------- Additional Comments From dtucker at zip.com.au 2002-09-18 00:55 -------
Not sure about error 1, but error 2 has been fixed in -current (see bug #265).

As for error 3, the last time I built using the native compiler, I used "CC=xlc" which worked; if possible try that.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Sep 18 01:02:47 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 18 Sep 2002 01:02:47 +1000 (EST)
Subject: [Bug 398] OpenSSL build mech. doesn't acknowledge /dev/random in Solaris
Message-ID: <20020917150247.A0B483D15D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=398

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From mouring at eviladmin.org 2002-09-18 01:02 -------
Please recompile OpenSSL to understand where your /dev/random device is.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Sep 18 01:04:40 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 18 Sep 2002 01:04:40 +1000 (EST)
Subject: [Bug 397] Openssh build failure AIX 4.3.3
Message-ID: <20020917150440.AFDDF3D157@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=397

------- Additional Comments From mouring at eviladmin.org 2002-09-18 01:04 -------
Can you retest with the current CVS or a snapshot from http://www.openssh.com/portable.html. I believe all build issues for AIX should have been resolved. If it does, please close this out.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Sep 18 01:23:52 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 18 Sep 2002 01:23:52 +1000 (EST)
Subject: [Bug 398] OpenSSL build mech. doesn't acknowledge /dev/random in Solaris
Message-ID: <20020917152352.669E73D15E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=398

------- Additional Comments From dtucker at zip.com.au 2002-09-18 01:23 -------
When configure says "Random number source: OpenSSL internal ONLY" it means that it's using /dev/urandom. "Random number source: ssh-rand-helper" is the external entropy collector.

Regardless, the openssl libraries will use /dev/urandom if it exists. (You may need to recompile openssl, but I don't think so). From openssl's e_os.h (typo and all :-) :

    #ifndef DEVRANDOM
    /* set this to your 'random' device if you have one.
     * My default, we will try to read this file */
    #define DEVRANDOM "/dev/urandom"
    #endif

For maximum portability, when building packages I use "./configure --with-rand-helper". That way /dev/urandom will be used if it exists, but if it doesn't then the random helper will be used. This lets us use the same binaries on machines with and without the /dev/random patch.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Sep 18 03:45:30 2002
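The point of Darren's comment on bug 398 is that the choice of entropy source is made at run time: read the kernel device when it is present, otherwise fall back to the external collector. As an added example (not OpenSSH or OpenSSL code; the function names, the probe logic and the fallback enum are this example's own, while DEVRANDOM mirrors the e_os.h default quoted above), here is a small C reader for a random device that handles short reads and EINTR correctly and reports absence so that a caller can fall back:

```c
/* Added example, not OpenSSH or OpenSSL code: read entropy bytes from a
 * device file such as /dev/urandom and report failure so the caller can
 * fall back to an external collector, as the --with-rand-helper build
 * described in the message does. DEVRANDOM mirrors the e_os.h default;
 * everything else is an assumption of this example. */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

#ifndef DEVRANDOM
#define DEVRANDOM "/dev/urandom"
#endif

/* Read exactly n bytes from path into buf. Returns n on success, -1 if the
 * device cannot be opened or read. Short reads and EINTR are retried: a
 * single read() on a random device may legitimately return fewer bytes
 * than requested, and treating a short read as a full key is a classic
 * key-generation bug. */
ssize_t read_random_device(const char *path, unsigned char *buf, size_t n)
{
    int fd = open(path, O_RDONLY);
    size_t got = 0;

    if (fd < 0)
        return -1;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        if (r == 0) {           /* unexpected EOF: this is not a random device */
            close(fd);
            return -1;
        }
        got += (size_t)r;
    }
    close(fd);
    return (ssize_t)got;
}

enum rand_source { RAND_DEVICE, RAND_HELPER };

/* Decide which source to use: the kernel device if it is present and
 * readable, otherwise the external helper (hypothetical name for the
 * ssh-rand-helper path the message describes). */
enum rand_source choose_rand_source(const char *device)
{
    unsigned char probe[1];

    if (read_random_device(device, probe, sizeof probe) == 1)
        return RAND_DEVICE;
    return RAND_HELPER;
}

int main(void)
{
    unsigned char key[32];

    if (read_random_device(DEVRANDOM, key, sizeof key) == (ssize_t)sizeof key)
        printf("read %zu bytes from %s\n", sizeof key, DEVRANDOM);
    else
        printf("%s unavailable: would use the external helper\n", DEVRANDOM);
    return 0;
}
```

The retry loop is the part worth copying: a caller that checks only "read() did not fail" can silently end up with a partially filled key buffer.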
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 18 Sep 2002 03:45:30 +1000 (EST)
Subject: [Bug 397] Openssh build failure AIX 4.3.3
Message-ID: <20020917174530.6BCB43D14E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=397

------- Additional Comments From suehall at prodigy.net 2002-09-18 03:45 -------
I pulled down the latest tarball from portable/snapshot, datestamped 0906. Got the following errors:

/usr/ibmcxx/bin/xlc -g -I. -I. -I/usr/local/ssl/include -I/usr/local/include -DSSHDIR=\"/usr/local/ssh/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/ssh/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/ssh/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/ssh/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/ssh/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/usr/local/ssh/etc\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/ssh/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c channels.c
"channels.c", line 915.22: 1506-280 (E) Function argument assignment between types "const char*" and "unsigned char*" is not allowed.
"channels.c", line 920.27: 1506-280 (E) Function argument assignment between types "const char*" and "unsigned char*" is not allowed.
"channels.c", line 924.14: 1506-068 (E) Operation between types "unsigned char*" and "char*" is not allowed.
"channels.c", line 925.26: 1506-280 (E) Function argument assignment between types "const char*" and "unsigned char*" is not allowed.

/usr/ibmcxx/bin/xlc -g -I. -I. -I/usr/local/ssl/include -I/usr/local/include -DSSHDIR=\"/usr/local/ssh/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/ssh/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/ssh/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/ssh/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/ssh/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/usr/local/ssh/etc\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/ssh/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c cipher.c
"cipher.c", line 65.56: 1506-196 (E) Initialization between types "const struct evp_cipher_st*(*)(void)" and "struct evp_cipher_st*(*)(void)" is not allowed.
"cipher.c", line 66.55: 1506-196 (E) Initialization between types "const struct evp_cipher_st*(*)(void)" and "struct evp_cipher_st*(*)(void)" is not allowed.
"cipher.c", line 70.57: 1506-196 (E) Initialization between types "const struct evp_cipher_st*(*)(void)" and "struct evp_cipher_st*(*)(void)" is not allowed.
"cipher.c", line 71.57: 1506-196 (E) Initialization between types "const struct evp_cipher_st*(*)(void)" and "struct evp_cipher_st*(*)(void)" is not allowed.
"cipher.c", line 72.57: 1506-196 (E) Initialization between types "const struct evp_cipher_st*(*)(void)" and "struct evp_cipher_st*(*)(void)" is not allowed.
"cipher.c", line 73.57: 1506-196 (E) Initialization between types "const struct evp_cipher_st*(*)(void)" and "struct evp_cipher_st*(*)(void)" is not allowed.
"cipher.c", line 154.17: 1506-068 (S) Operation between types "char*" and "int" is not allowed.
"cipher.c", line 155.16: 1506-068 (S) Operation between types "char*" and "int" is not allowed.
"cipher.c", line 706.24: 1506-068 (E) Operation between types "const struct evp_cipher_st*(*)(void)" and "struct evp_cipher_st*(*)(void)" is not allowed.
"cipher.c", line 721.24: 1506-068 (E) Operation between types "const struct evp_cipher_st*(*)(void)" and "struct evp_cipher_st*(*)(void)" is not allowed.
make: 1254-004 The error code from the last command is 1.
Stop.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Sep 18 22:44:10 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 18 Sep 2002 22:44:10 +1000 (EST)
Subject: [Bug 397] Openssh build failure AIX 4.3.3
Message-ID: <20020918124410.CDED83D13D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=397

------- Additional Comments From dtucker at zip.com.au 2002-09-18 22:44 -------
I think I've figured out error 3.

Short answer: comment out "#define HAVE_STRSEP 1" from config.h and re-run "make".

Long answer: the error that stops the build is:

"cipher.c", line 154.17: 1506-068 (S) Operation between types "char*" and "int" is not allowed.

This is caused by "p = strsep(&cp, CIPHER_SEP)" where p is a char *. Strsep should return a char *, but in /usr/include/string.h, the prototype is inside a "#ifdef _LINUX_SOURCE_COMPAT". Configure finds strsep (in libc, probably) and defines HAVE_STRSEP, but since the prototype is #ifdef'ed out, it defaults to returning int, hence the type conflict.

Not sure about a long-term fix. Would it be bad form to add the following to openbsd-compat/strsep.h?

    #ifdef _AIX
    # undef HAVE_STRSEP
    #endif

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From mmokrejs at natur.cuni.cz Thu Sep 19 03:29:45 2002
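To show what the openbsd-compat approach Darren is proposing looks like in practice, here is an added example, not OpenSSH's own openbsd-compat code: a replacement strsep() that is compiled only when HAVE_STRSEP is absent (or has been undefined for AIX, as in the snippet above), used by a small cipher-list validator in the style of the "p = strsep(&cp, CIPHER_SEP)" loop the comment quotes. HAVE_STRSEP here stands in for the configure-generated config.h macro; the allowed-cipher table and the function names are constructed for the example.

```c
/* Added example, not OpenSSH's openbsd-compat/strsep.c. A portable strsep()
 * used only when the platform does not supply a usable one, plus a
 * cipher-list validator built on it. HAVE_STRSEP stands in for the macro
 * configure writes to config.h (an assumption of this example). */
#include <stddef.h>
#include <string.h>

#ifdef _AIX
# undef HAVE_STRSEP   /* libc has strsep(), but string.h hides its prototype */
#endif

#ifndef HAVE_STRSEP
/* Replacement strsep(): split *stringp at the first delimiter, return the
 * token and advance *stringp past it; return NULL when nothing is left.
 * Unlike strtok() it is reentrant and preserves empty fields. Declaring
 * it here is what gives "char *p = strsep(...)" a prototype, so the
 * compiler no longer assumes an int return value. */
static char *compat_strsep(char **stringp, const char *delim)
{
    char *start = *stringp, *p;

    if (start == NULL)
        return NULL;
    p = strpbrk(start, delim);
    if (p == NULL) {
        *stringp = NULL;
    } else {
        *p = '\0';
        *stringp = p + 1;
    }
    return start;
}
# define strsep compat_strsep
#endif

#define CIPHER_SEP ","

/* Constructed table of names this example accepts. */
static const char *allowed[] = { "aes128-cbc", "3des-cbc", "blowfish-cbc", NULL };

static int cipher_known(const char *name)
{
    const char **c;

    for (c = allowed; *c != NULL; c++)
        if (strcmp(*c, name) == 0)
            return 1;
    return 0;
}

/* Return 1 if every comma-separated entry in names is a known cipher and
 * no field is empty, else 0. Works on a private copy because strsep()
 * writes into the string it splits. */
int ciphers_valid(const char *names)
{
    char buf[256];
    char *cp, *p;
    int ok = 0;

    if (names == NULL || *names == '\0' || strlen(names) >= sizeof buf)
        return 0;
    strcpy(buf, names);
    for (cp = buf; (p = strsep(&cp, CIPHER_SEP)) != NULL; ) {
        if (*p == '\0' || !cipher_known(p))
            return 0;   /* empty field ("a,,b") or unknown name: reject */
        ok = 1;
    }
    return ok;
}
```

Rejecting empty fields matters more than it looks: a list such as "aes128-cbc,," that a lenient parser silently accepts is the kind of input that later turns into "no cipher negotiated" or, worse, a default the administrator did not choose.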
From: mmokrejs at natur.cuni.cz (=?iso-8859-2?Q?Martin_MOKREJ=A9?=)
Date: Wed, 18 Sep 2002 19:29:45 +0200 (CEST)
Subject: privsep versus compression
In-Reply-To:
Message-ID:

> Please look at the -cvs tree.  We have handled most of the mmap() issues
> for any OS that is written in the last 6 years.
>
> - Ben

Hi,
  I tried current cvs on Solaris 2.6 (not on the problematic Irix 6.5.15 yet) but I got:

/configure --prefix=/usr/local --with-kerberos4=/usr/athena --with-afs=/usr/afsws --with-tcp-wrappers --with-ssl-dir=/software/@sys/usr/openssl --without-rsh --disable-suid-ssh --with-privsep --with-zlib --with-pam
$ make
[...]
configure: creating ./config.status
config.status: creating Makefile
config.status: creating openbsd-compat/Makefile
config.status: creating scard/Makefile
config.status: creating ssh_prng_cmds
config.status: creating config.h
config.status: error: cannot find input file: config.h.in

When I tried openssh-SNAP-20020916.tar.gz and run make after same configure line, I got:

(cd openbsd-compat && make)
make[1]: Entering directory `/scratch/openssh/openbsd-compat'
make[1]: *** No rule to make target `../config.h', needed by `bsd-arc4random.o'.  Stop.
make[1]: Leaving directory `/scratch/openssh/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2

In both cases I used "aclocal; automake; autoconf" to get out the configure script.

--
Martin Mokrejs ,
PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585

From mouring at etoh.eviladmin.org Thu Sep 19 03:27:42 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 18 Sep 2002 12:27:42 -0500 (CDT)
Subject: privsep versus compression
In-Reply-To:
Message-ID:

You are using autoconf that is at least at 2.5x I assume.

- Ben

On Wed, 18 Sep 2002, [iso-8859-2] Martin MOKREJŠ wrote:

> > Please look at the -cvs tree.  We have handled most of the mmap() issues
> > for any OS that is written in the last 6 years.
> >
> > - Ben
>
> Hi,
>   I tried current cvs on Solaris 2.6 (not on the problematic Irix
> 6.5.15 yet) but I got:
>
> /configure --prefix=/usr/local --with-kerberos4=/usr/athena --with-afs=/usr/afsws --with-tcp-wrappers --with-ssl-dir=/software/@sys/usr/openssl --without-rsh --disable-suid-ssh --with-privsep --with-zlib --with-pam
> $ make
> [...]
> configure: creating ./config.status
> config.status: creating Makefile
> config.status: creating openbsd-compat/Makefile
> config.status: creating scard/Makefile
> config.status: creating ssh_prng_cmds
> config.status: creating config.h
> config.status: error: cannot find input file: config.h.in
>
>
> When I tried openssh-SNAP-20020916.tar.gz and run make after same configure line,
> I got:
>
> (cd openbsd-compat && make)
> make[1]: Entering directory `/scratch/openssh/openbsd-compat'
> make[1]: *** No rule to make target `../config.h', needed by `bsd-arc4random.o'.  Stop.
> make[1]: Leaving directory `/scratch/openssh/openbsd-compat'
> make: *** [openbsd-compat/libopenbsd-compat.a] Error 2
>
>
> In both cases I used "aclocal; automake; autoconf" to get out the
> configure script.
> --
> Martin Mokrejs ,
> PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
> MIPS / Institute for Bioinformatics
> GSF - National Research Center for Environment and Health
> Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
> tel.: +49-89-3187 3683 , fax: +49-89-3187 3585
>
>

From bugzilla-daemon at mindrot.org Thu Sep 19 05:02:18 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 19 Sep 2002 05:02:18 +1000 (EST)
Subject: [Bug 399] New: Environment size over ~3K char prevents ssh logins
Message-ID: <20020918190218.2B19D3D155@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=399

           Summary: Environment size over ~3K char prevents ssh logins
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: kevinc at doink.com
                CC: kevinc at doink.com

I'm using OpenSSH 3.4p1 on both ends of a Solaris 2.8, Mandrake 8.0 connection. I've used OpenSSH in this situation since about 2.5.

When I upgraded to 2.9.9p2 I found that OpenSSH itself was creating a bit more stuff in the environment than previous versions. This prevented me from logging in using ssh. I trimmed the stuff I added to the environment in my ~/.cshrc file so that 'printenv | wc' would report less than about 3,000 characters. After that, I could login again with ssh.

I just added some stuff to my environment and ran into the bug again. This problem persists in OpenSSH version 3.4p1.

Feel free to contact me, if you need more info.

Thanks....

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From mmokrejs at natur.cuni.cz Thu Sep 19 07:49:26 2002
From: mmokrejs at natur.cuni.cz (=?iso-8859-2?Q?Martin_MOKREJ=A9?=)
Date: Wed, 18 Sep 2002 23:49:26 +0200 (CEST)
Subject: privsep versus compression
In-Reply-To:
Message-ID:

On Wed, 18 Sep 2002, Martin MOKREJŠ wrote:

> > Please look at the -cvs tree.  We have handled most of the mmap() issues
> > for any OS that is written in the last 6 years.
> >
> > - Ben
>
> Hi,
>   I tried current cvs on Solaris 2.6 (not on the problematic Irix
> 6.5.15 yet) but I got:
>
> /configure --prefix=/usr/local --with-kerberos4=/usr/athena --with-afs=/usr/afsws --with-tcp-wrappers --with-ssl-dir=/software/@sys/usr/openssl --without-rsh --disable-suid-ssh --with-privsep --with-zlib --with-pam
> $ make
> [...]
> configure: creating ./config.status
> config.status: creating Makefile
> config.status: creating openbsd-compat/Makefile
> config.status: creating scard/Makefile
> config.status: creating ssh_prng_cmds
> config.status: creating config.h
> config.status: error: cannot find input file: config.h.in

OK, I copied config.h.in from openssh-3.4p1 distribution and the config.status went fine for openssh-SNAP-20020912. But, I then faced another error:

gcc -I/software/@sys/usr/include -I/software/@sys/usr/include/ncurses -I/software/@sys/usr/local/include -I/software/@sys/usr/local/openssl/include -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/software/@sys/usr/openssl/include -Iyes -I/software/@sys/usr/include -I/software/@sys/usr/include/ncurses -I/software/@sys/usr/local/include -I/software/@sys/usr/local/openssl/include -I/usr/local/include -I/usr/athena/include -I/usr/afsws/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c sshconnect1.c
sshconnect1.c: In function `send_afs_tokens':
sshconnect1.c:799: warning: implicit declaration of function `_IOW'
sshconnect1.c:799: parse error before `struct'
make: *** [sshconnect1.o] Error 1

I've added to includes.h one line:

 #include
 #include
 #include
+#include
 #include

I've no clue if it's the proper place. As far as I remember, this problem with sshconnect1.c always appeared only on Solaris with krb4 (just do google search).

After starting sshd from the openssh-SNAP-20020912, I see it's crashing. I cannot find the core file anywhere, but I see:

/usr/local/sbin/sshd -f /usr/local/etc/sshd_config -D -d -d -d -p 333
debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 333 on 0.0.0.0.
Server listening on 0.0.0.0 port 333.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 195.113.46.57 port 1642
debug1: Client protocol version 1.5; client software version OpenSSH_3.2.3p1
debug1: match: OpenSSH_3.2.3p1 pat OpenSSH*
debug1: Local version string SSH-1.99-OpenSSH_3.4p1
debug3: privsep user:group 99:99
debug1: permanently_set_uid: 99/99
debug1: Sent 768 bit server key and 1024 bit host key.
debug2: Network child is on pid 14696
debug3: preauth child monitor started
debug1: Encryption type: 3des
debug3: mm_request_send entering: type 28
debug3: mm_request_receive_expect entering: type 29
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 28
debug3: mm_request_send entering: type 29
debug3: mm_ssh1_session_id entering
debug3: mm_request_send entering: type 30
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Received session key; encryption turned on.
debug2: monitor_read: 28 used once, disabling now
debug1: Installing crc compensation attack detector.
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 30
debug3: mm_answer_sessid entering
debug2: monitor_read: 30 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 37
debug1: Attempting authentication for mmokrejs.
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 37
debug1: Starting up PAM with username "mmokrejs"
debug3: Trying to reverse map address 195.113.46.57.
debug1: PAM setting rhost to "tao-eth.natur.cuni.cz"
debug2: monitor_read: 37 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: user not authenticated
Failed none for mmokrejs from 195.113.46.57 port 1642
debug3: mm_request_receive entering
debug1: Kerberos v4 krb_rd_req: Can't decode authenticator (krb_rd_req)
Failed kerberos for mmokrejs from 195.113.46.57 port 1642
debug3: mm_auth_rsa_key_allowed entering
debug3: mm_request_send entering: type 31
debug3: mm_request_receive_expect entering: type 32
debug3: mm_request_receive entering
debug3: monitor_read: checking request 31
debug3: mm_answer_rsa_keyallowed entering
debug1: temporarily_use_uid: 79/30 (e=0/1)
debug1: trying public RSA key file /usr/home/mmokrejs/.ssh/authorized_keys
debug1: restore_uid: 0/1
debug3: mm_request_send entering: type 32
Failed rsa for mmokrejs from 195.113.46.57 port 1642
debug3: mm_request_receive entering
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug1: Calling cleanup 0x585ac(0x0)
Segmentation Fault

Please note that sshd does NOT accept a valid remote ticket of a user.
I seem to remember a note of someone in some krb4 or ssh related list stating that there were some changes to openssh3.3 already or so, requiring the ssh.$hostname principal being saved on the target side where sshd is being run in order to accept a kerberos ticket from remote clients. I know I do not have the ssh.$hostname principal in /etc/srvtab (will be fixed tomorrow after our kerberos admins come), but it seems after the user enters the password (as his ticket wasn't accepted), sshd then creates in /tmp/tkt* a valid ticket for the user (as I've entered the kerberos password and PAM worked fine), closes the ticket file and reopens it read-only, and then comes to look for srvtab, reads through it and dies. I guess because it did not find the ssh.$hostname key.

If I remember right, in *THAT* email someone posted a patch to fix krb4 in openssh. He said something like "someone thought that sending a key before the authentication is insecure and moved that part after the authentication step ...". If someone knows which e-mail I'm talking about, please send it to me and to the list with that patch. ;) I think it went across one of the ssh or krb or ssh-afs lists at umich.edu or monkey.org or clinet.fi ....

The situation above happened with openssh-SNAP-20020912, krb4-1.2, Solaris 2.6. gcc and gnu as/ld.

--
Martin Mokrejs ,
PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585

From mmokrejs at natur.cuni.cz Thu Sep 19 08:28:55 2002
From: mmokrejs at natur.cuni.cz (=?iso-8859-2?Q?Martin_MOKREJ=A9?=)
Date: Thu, 19 Sep 2002 00:28:55 +0200 (CEST)
Subject: privsep versus compression
In-Reply-To:
Message-ID:

Hi,
  I've one more note. It seems after the privsep happened on Solaris in sshd, it tries to read /etc/srvtab file, but has no access.

14831: open("/etc/srvtab", O_RDONLY) Err#2 ENOENT
debug1: Kerberos v4 krb_rd_req: Can't decode authenticator (krb_rd_req)14831: write(2, " d e b u g 1 :   K e r b".., 71) = 71
14831: write(2, "\r\n", 2) = 2
14831: getpeername(4, 0xEFFFE2A8, 0xEFFFE2A4) = 0
Failed kerberos for mmokrejs from 195.113.56.1 port 244514831: write(2, " F a i l e d   k e r b e".., 56) = 56

That might be the reason why sshd refuses remote valid tickets. After the password authentication, when the user entered a valid kerberos password, he receives a ticket stored in tmp and sshd then tries to read /etc/srvtab again. That's the place where sshd dies.

It seems, when I replaced the pam_krb.so module with an older version from krb4-1.0.9, sshd does not crash! So, expect a problem with the pam module (although it worked for telnet connection) which makes sshd crash.

Hope this helps
--
Martin Mokrejs ,
PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585

From bugzilla-daemon at mindrot.org Thu Sep 19 11:06:40 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 19 Sep 2002 11:06:40 +1000 (EST)
Subject: [Bug 223] ProxyCommand commands don't exit
Message-ID: <20020919010640.E8CEB3D13D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=223

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org 2002-09-19 11:06 -------
Fix applied, thanks

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Sep 19 11:11:23 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 19 Sep 2002 11:11:23 +1000 (EST)
Subject: [Bug 399] Environment size over ~3K char prevents ssh logins
Message-ID: <20020919011123.DB1683D165@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=399

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Additional Comments From djm at mindrot.org 2002-09-19 11:11 -------
Can you provide error traces from the client and server?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From cd at kalkatraz.de Thu Sep 19 19:41:24 2002
From: cd at kalkatraz.de (Lars Weitze)
Date: Thu, 19 Sep 2002 11:41:24 +0200
Subject: Small bug: ssh-add (OpenSSH_3.4) shows wrong options
Message-ID: <20020919114124.49f542f2.cd@kalkatraz.de>

$ ssh-add -h
ssh-add: illegal option -- h
Usage: ssh-add [options]
Options:
  -l          List fingerprints of all identities.
  -L          List public key parameters of all identities.
  -d          Delete identity.
  -D          Delete all identities.
  -x          Lock agent.
  -x          Unlock agent.
  -t life     Set lifetime (in seconds) when adding

Unlock agent is -X and not -x .

Regards
CD
--
"oppression breeds violence"
PGP fingerprint: 4950 8576 778F DEDF 85D1 C04D 586F 2C45 E714 E13A

From bugzilla-daemon at mindrot.org Thu Sep 19 22:22:29 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 19 Sep 2002 22:22:29 +1000 (EST)
Subject: [Bug 397] Openssh build failure AIX 4.3.3
Message-ID: <20020919122229.90D9E3D13D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=397

suehall at prodigy.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From suehall at prodigy.net 2002-09-19 22:22 -------
I tried the suggested fix to comment out the HAVE_STRSEP 1 from config.h. One more glitch was an illegal comment at the end of line 18 in hostfile.h, then the code made successfully. This was done with the snapshot of 0906.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Sep 19 22:23:43 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 19 Sep 2002 22:23:43 +1000 (EST)
Subject: [Bug 397] Openssh build failure AIX 4.3.3
Message-ID: <20020919122343.91E143D165@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=397

------- Additional Comments From suehall at prodigy.net 2002-09-19 22:23 -------
I beg your pardon, the last glitch was an illegal "comma" at the end of line 18.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Sep 20 00:32:03 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 20 Sep 2002 00:32:03 +1000 (EST)
Subject: [Bug 397] Openssh build failure AIX 4.3.3
Message-ID: <20020919143203.7CA903D14E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=397

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

------- Additional Comments From dtucker at zip.com.au 2002-09-20 00:31 -------
I don't think this bug should be closed just yet, -cvs still doesn't build on AIX with the native compiler.

Error #1 occurs when CC=xlC_r (the thread-safe C++ compiler) and doesn't happen when CC=xlc, so I think we can ignore it.

Error #2 is already fixed in -cvs, as is the hostfile.h thing.

That leaves #3, which is fixed by the following patch. It's probably not the best way, but it works.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Sep 20 00:33:52 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 20 Sep 2002 00:33:52 +1000 (EST)
Subject: [Bug 397] Openssh build failure AIX 4.3.3
Message-ID: <20020919143352.E3A343D15A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=397

------- Additional Comments From dtucker at zip.com.au 2002-09-20 00:33 -------
Created an attachment (id=147)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=147&action=view)
Undef HAVE_STRSEP on AIX

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Pan_Lingyun at cat.com Fri Sep 20 03:21:06 2002
From: Pan_Lingyun at cat.com (Lingyun Pan)
Date: Thu, 19 Sep 2002 12:21:06 -0500
Subject: ssh and popen-- broken pipe
Message-ID:

Hi,

My application uses popen to execute UNIX commands. After I replaced rsh with ssh, it stopped working. I have made a test C code to reproduce the problem as attached in this email. In the test program, I called popen for the ssh command and then pclose right away. I got the following error:

kirk 588$ a.out
Write failed flushing stdout buffer.
write stdout: Broken pipe

Any idea what is going on? If I call popen with some other commands, it runs fine.

One more thing worth mentioning here is that even with ssh, my application was fine last month on another machine. Unfortunately, that machine was taken off the lease and I am trying to trace down the ssh version information.

Thanks in advance.

(See attached file: test_ssh.c)

Ling Pan
309-494-2155 ( tie line 7-724-2155)
Mechanical Analysis Group
Caterpillar Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: test_ssh.c
Type: application/octet-stream
Size: 363 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020919/dec056d3/attachment.obj

From FF-EXT01/FFEXT at Fairfax-it.com Fri Sep 20 04:39:53 2002
From: FF-EXT01/FFEXT at Fairfax-it.com (FF-EXT01/FFEXT at Fairfax-it.com)
Date: Thu, 19 Sep 2002 13:39:53 -0500
Subject: NAV detected a virus in a document you authored.
Message-ID:

Please contact your system administrator. The scanned document was QUARANTINED.

Virus Information: The attachment PARK,.scr contained the virus W32.Klez.H at mm and could NOT be repaired.

From Stephan.Hendl at lds.brandenburg.de Fri Sep 20 23:11:30 2002
From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl)
Date: Fri, 20 Sep 2002 15:11:30 +0200
Subject: host_key and fingerprint problem with protocol 2
Message-ID:

Hi all,

I just want to upgrade from protocol 1.5 to 1.99 and 2.0, respectively, and run into the following problems:

The situation is the following: I have a client ("c") inside the firewall and two servers outside ("a" and "b"). The firewall accepts connections on two ports (22136 and 22137) and directs the connections directly to port 22 of the two servers "a" and "b". The command I have to type in is

ssh -p 22136 root at firewall

as well as

ssh -p 22137 root at firewall

and the first one connects me to the server "a" where the second one connects me to server "b". The two servers have identical host-keys for the rsa1, rsa and dsa cases.

With protocol 1.5 the client learned the host_key and everything worked fine, that means I can connect with "a" and "b" and the client doesn't tell me something about "man in the middle...".

With the lines

ssh -2 -p 22136 root at firewall

as well as

ssh -2 -p 22137 root at firewall

the client doesn't recognise that the host_keys are identical and says every time that there can be a "man in the middle...".

Does anybody have a solution?

Regards
Stephan

--
LDS Brandenburg
Dr. Stephan Hendl
fon: +49-(0)331-39 471
fax: +49-(0)331-27548 1187
EMail: stephan.hendl at lds.brandenburg.de

From markus at openbsd.org Fri Sep 20 23:19:22 2002
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 20 Sep 2002 15:19:22 +0200
Subject: host_key and fingerprint problem with protocol 2
In-Reply-To: 
References: 
Message-ID: <20020920131921.GF24822@faui02>

     HostKeyAlias
             Specifies an alias that should be used instead of the real
             host name when looking up or saving the host key in the host
             key database files.  This option is useful for tunneling ssh
             connections or for multiple servers running on a single host.

From dtucker at zip.com.au Fri Sep 20 23:35:59 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 20 Sep 2002 23:35:59 +1000
Subject: host_key and fingerprint problem with protocol 2
References: 
Message-ID: <3D8B243F.ECA17472@zip.com.au>

Stephan Hendl wrote:
[snip]
> the client doesn't recognise that the host_keys are identical and
> says every time that there can be a "man in the middle..."

This is probably because ssh on "c" knows a v2 host key for your firewall which is different from "a" and "b".

> Does anybody have a solution?

In $HOME/.ssh/config on "c":

Host a
	Hostname firewall
	Port 22136
	HostKeyAlias a

Host b
	Hostname firewall
	Port 22137
	HostKeyAlias b

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From mmokrejs at natur.cuni.cz Sat Sep 21 03:08:50 2002
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ)
Date: Fri, 20 Sep 2002 19:08:50 +0200 (CEST)
Subject: privsep versus compression
In-Reply-To: 
Message-ID: 

Hi,

I recompiled openssh-3.4p1 on Solaris 2.6 with -g3 to see why it is crashing. Please find below two core dump stacks.

When using protocol 2:

debug1: Remote protocol version 1.99, remote software version OpenSSH_3.0.2p1
debug1: match: OpenSSH_3.0.2p1 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 119/256
debug1: bits set: 515/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
Segmentation Fault (core dumped)

(gdb) where
#0  0xef4a53e4 in strlen ()
#1  0xef4dc7e4 in _doprnt ()
#2  0xef4e5c88 in vsnprintf ()
#3  0x43a2c in do_log (level=SYSLOG_LEVEL_DEBUG1, fmt=0xc8128 "using hostkeyalias: %s", args=0xefffe4d0) at log.c:365
#4  0x433e4 in debug (fmt=0xc8128 "using hostkeyalias: %s") at log.c:153
#5  0x20b74 in check_host_key (host=0x6b "v -l mmokrejs pf-i400 -p 222", hostaddr=0x103d58, host_key=0x110318, readonly=0, user_hostfile=0x40 "", system_hostfile=0xbc "") at sshconnect.c:568
#6  0x2157c in verify_host_key (host=0x108338 "pf-i400", hostaddr=0x103d58, host_key=0x110318) at sshconnect.c:809
#7  0x241c8 in verify_host_key_callback (hostkey=0x110318) at sshconnect2.c:71
#8  0x42620 in kexgex_client (kex=0x10b218) at kexgex.c:184
#9  0x430fc in kexgex (kex=0x10b218) at kexgex.c:413
#10 0x40850 in kex_kexinit_finish (kex=0x10b218) at kex.c:243
#11 0x40728 in kex_input_kexinit (type=20, seq=0, ctxt=0x10b218) at kex.c:209
#12 0x3c560 in dispatch_run (mode=0, done=0x10b25c, ctxt=0x10b218) at dispatch.c:93
#13 0x24414 in ssh_kex2 (host=0x108338 "pf-i400", hostaddr=0x103d58) at sshconnect2.c:119
#14 0x216c0 in ssh_login (sensitive=0x104b34, orighost=0xeffffa3d "pf-i400", hostaddr=0x103d58, pw=0x105520) at sshconnect.c:845
#15 0x1dc64 in main (ac=0, av=0xeffff940) at ssh.c:697

And here is another crash when using protocol 1:

debug1: Remote protocol version 1.99, remote software version OpenSSH_3.0.2p1
debug1: match: OpenSSH_3.0.2p1 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
debug1: Local version string SSH-1.5-OpenSSH_3.4p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'pf-i400' is known and matches the RSA1 host key.
debug1: Found key in /.ssh/known_hosts:6
No valid SSH1 cipher, using 3des instead.
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying Kerberos v4 authentication.
debug1: Kerberos v4 authentication accepted.
debug1: Kerberos v4 challenge successful.
debug1: Kerberos v4 TGT forwarded (mmokrejs at NATUR.CUNI.CZ).
Bus Error (core dumped)

#0  0xef4c7800 in _free_unlocked ()
#1  0xef4c77b8 in free ()
#2  0x55558 in xfree (ptr=0x9e) at xmalloc.c:55
#3  0x1ddc8 in main (ac=0, av=0xeffff93c) at ssh.c:713
(gdb)

Could anyone help? Thanks!

-- 
Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585

From 021231 at wheeler.com Sat Sep 21 11:15:48 2002
From: 021231 at wheeler.com (Erik Wheeler)
Date: Fri, 20 Sep 2002 21:15:48 -0400
Subject: sftp chroot
Message-ID: <1032570948.3d8bc8449822f@webmail.wheeler.com>

Hi all:

I'm looking to chroot sftp, but not chroot ssh sessions. I came across some info that said this is possible. But after searching this list's archives and Google, I was rather confused about the different patches for chrooting, and couldn't find anything that appeared to only chroot sftp.

Is such a patch available? Can someone point me in the right direction?

Erik

From djm at mindrot.org Sat Sep 21 19:07:07 2002
From: djm at mindrot.org (Damien Miller)
Date: 21 Sep 2002 19:07:07 +1000
Subject: ssh and popen-- broken pipe
In-Reply-To: 
References: 
Message-ID: <1032599227.1314.9.camel@argon>

On Fri, 2002-09-20 at 03:21, Lingyun Pan wrote:
> Hi,
> 
> My application uses popen to execute UNIX commands. After I replace rsh
> with ssh, it stopped working. I have made a test C code to reproduce the
> problem as attached in this email. In the test program, I called popen for
> ssh command and then pclose right away. I got the following error:

Try "ssh -v blah 2>&1" as your command so you get debugging output over the pipe.

Alternately, have a look at how sftp.c executes ssh for a way which preserves console access (for reading passphrases, etc) and debugging output.

-d

From djm at mindrot.org Sat Sep 21 19:08:18 2002
From: djm at mindrot.org (Damien Miller)
Date: 21 Sep 2002 19:08:18 +1000
Subject: privsep versus compression
In-Reply-To: 
References: 
Message-ID: <1032599298.1314.12.camel@argon>

On Sat, 2002-09-21 at 03:08, Martin MOKREJŠ wrote:
> Hi,
> I recompiled openssh-3.4p1 on Solaris 2.6 with -g3 to see, why it is
> crashing. Please find below two core dump stacks.

Please try the CVS snapshots, there have been many fixes since 3.4p1.

-d

From philip at paeps.cx Sat Sep 21 22:25:19 2002
From: philip at paeps.cx (Philip Paeps)
Date: Sat, 21 Sep 2002 14:25:19 +0200
Subject: sftp chroot
In-Reply-To: <1032570948.3d8bc8449822f@webmail.wheeler.com>
References: <1032570948.3d8bc8449822f@webmail.wheeler.com>
Message-ID: <20020921122519.GH244@juno.home.paeps.cx>

On 2002-09-20 21:15:48 (-0400), Erik Wheeler <021231 at wheeler.com> wrote:
> I'm looking to chroot sftp; but not chroot ssh sessions. I came across
> some info that said this is possible.

I've also been looking for a solution like this. I'd like to be able to chroot sftp and scp connections. To date, I've only found the scponly shell, which can be chrooted, but it's a lot of hassle. I don't like having to use the 'commercial' ssh for this :-(

> But after searching this list's archives and Google, I was rather confused
> about the different patches for chrooting, and couldn't find anything that
> appeared to only chroot sftp.

It's a bit 'hazy' to me as well. Any pointers to documentation and patches would be very helpful.

[...]

 - Philip

-- 
Philip Paeps                                    Please don't CC me, I am
philip at paeps.cx                                 subscribed to the list.

  BOFH Excuse #7:
    poor power conditioning

From dtucker at zip.com.au Sun Sep 22 01:24:24 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 22 Sep 2002 01:24:24 +1000
Subject: OpenSSH -current fails regression on Solaris 8, sshd dumps core
Message-ID: <3D8C8F28.3C997798@zip.com.au>

Hi All.

While working on something I noticed a regression failure on Solaris 8. It turned out to be present in -cvs and wasn't due to my changes.

One of the tests that fail is basically:

ssh -2 -F $build/regress/ssh_proxy 999.999.999.999 true

The server reports:

sshd[20529]: Disconnecting: Command terminated on signal 11.

The culprit seems to be session.c line 1019 or so:

	snprintf(buf, sizeof buf, "%.50s %d %.50s %d",
	    get_remote_ipaddr(), get_remote_port(),
	    get_local_ipaddr(packet_get_connection_in()), get_local_port());

After poking around, it seems that:
1) get_local_ipaddr returns NULL
2) this NULL is passed to snprintf
3) which dereferences the NULL causing a SEGV

(get_local_ipaddr returns NULL because it calls get_socket_address which calls getpeername on a non-socket.)

The NULL doesn't seem to bother snprintf on Linux or HP-UX. I don't know if it's valid to pass a NULL as an argument to "%s".

The attached patch fixes this problem but introduces more inconsistency into the get_[local|remote|peer]_[ipaddr|name] functions in canohost.c. There's probably a neater way of doing this.

The patch has been regression tested on Solaris 8, HP-UX 11 & Redhat 7.3.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

-------------- next part --------------
Index: canohost.c
===================================================================
RCS file: /cvs/openssh/canohost.c,v
retrieving revision 1.30
diff -u -r1.30 canohost.c
--- canohost.c	11 Jul 2002 03:56:47 -0000	1.30
+++ canohost.c	21 Sep 2002 14:28:42 -0000
@@ -246,10 +246,29 @@ return get_socket_address(socket, 1, NI_NUMERICHOST); } -char * -get_local_ipaddr(int socket) +/* + * Returns the IP-address of the local host as a string. The returned + * string must not be freed. + */ + +const char * +get_local_ipaddr(void) { - return get_socket_address(socket, 0, NI_NUMERICHOST); + static char *canonical_host_ip = NULL; + + /* Check whether we have cached the ipaddr. */ + if (canonical_host_ip == NULL) { + if (packet_connection_is_on_socket()) { + canonical_host_ip = + get_socket_address(packet_get_connection_in(), 0, NI_NUMERICHOST); + if (canonical_host_ip == NULL) + fatal_cleanup(); + } else { + /* If not on socket, return UNKNOWN. */ + canonical_host_ip = xstrdup("UNKNOWN"); + } + } + return canonical_host_ip; } char * Index: canohost.h =================================================================== RCS file: /cvs/openssh/canohost.h,v retrieving revision 1.8 diff -u -r1.8 canohost.h --- canohost.h 4 Jul 2001 04:46:57 -0000 1.8 +++ canohost.h 21 Sep 2002 14:28:42 -0000 @@ -18,7 +18,7 @@ char *get_peer_ipaddr(int); int get_peer_port(int); -char *get_local_ipaddr(int); +const char *get_local_ipaddr(void); char *get_local_name(int); int get_remote_port(void); Index: session.c =================================================================== RCS file: /cvs/openssh/session.c,v retrieving revision 1.220 diff -u -r1.220 session.c --- session.c 19 Sep 2002 01:50:49 -0000 1.220 +++ session.c 21 Sep 2002 14:28:43 -0000 @@ -1018,7 +1018,7 @@ snprintf(buf, sizeof buf, "%.50s %d %.50s %d", get_remote_ipaddr(), get_remote_port(), - get_local_ipaddr(packet_get_connection_in()), get_local_port()); + get_local_ipaddr(), get_local_port()); child_set_env(&env, &envsize, "SSH_CONNECTION", buf); if (s->ttyfd != -1) From cloud at chool.com Sun Sep 22 04:20:19 2002 
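Review bot: the canohost.c hunk changes get_local_ipaddr() from taking a socket fd to taking no arguments and caching the result in a static, but only the session.c caller is updated in this diff; any other caller of get_local_ipaddr(int) in the tree will fail to compile against the new canohost.h prototype, so a grep for get_local_ipaddr across the sources should be part of this change. Calling fatal_cleanup() when get_socket_address() returns NULL for a real socket is also a behaviour change from the old code, which just returned NULL; a log message naming the failing call before exiting would make that case diagnosable.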
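Review bot: the canohost.h hunk gives get_local_ipaddr() a `const char *` return while get_peer_ipaddr() and get_local_name() on the surrounding lines keep `char *` and a socket argument; the inconsistency the cover mail mentions could be closed by giving the remote/peer variants the same const, cached signature in a follow-up rather than leaving two conventions in one header.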
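Review bot: in the session.c hunk, get_local_ipaddr() can no longer return NULL, but get_remote_ipaddr() in the same snprintf is still passed unchecked; please confirm it has the same non-NULL guarantee when the connection is not on a socket (the ssh_proxy regress case), otherwise the NULL-to-%s undefined behaviour the cover mail describes remains on that argument.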
From: cloud at chool.com (Sam Reynolds)
Date: Sat, 21 Sep 2002 13:20:19 -0500
Subject: OpenSSH -current fails regression on Solaris 8, sshd dumps core
Message-ID: <3D8CB863.9080208@chool.com>

Darren Tucker wrote:
[snip]
>The NULL doesn't seem to bother snprintf on Linux or HP-UX. I don't
>know if it's valid to pass a NULL as an argument to "%s".

Hi, I believe the behavior of passing NULL to %s is undefined. NULL can be (but isn't necessarily) a macro expanding to (void*)0 and since sprintf is a variadic function, one would need an explicit cast to the appropriate type.

[snip]

Hope this helps

-- 
Sam Reynolds
cloud at chool.com

From dtucker at zip.com.au Sun Sep 22 12:09:08 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 22 Sep 2002 12:09:08 +1000
Subject: OpenSSH -current fails regression on Solaris 8, sshd dumps core
References: <3D8CB863.9080208@chool.com>
Message-ID: <3D8D2644.74B594E7@zip.com.au>

Sam Reynolds wrote:
> Hi, I believe the behavior of passing NULL to %s is undefined.

Yep, you're right. Re-reading the Solaris man page for snprintf with my eyes open: "An argument with a null value will yield undefined results."

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From GMDoherty at statestreet.com Sun Sep 22 12:38:05 2002
From: GMDoherty at statestreet.com (GMDoherty at statestreet.com)
Date: Sat, 21 Sep 2002 22:38:05 -0400
Subject: Gregg M Doherty/USA/StateStreet is out of the office.
Message-ID: 

I will be out of the office starting 09/12/2002 and will not return until 09/30/2002.

I will respond to your message when I return.

From fcusack at fcusack.com Mon Sep 23 06:32:50 2002
From: fcusack at fcusack.com (Frank Cusack)
Date: Sun, 22 Sep 2002 13:32:50 -0700
Subject: OpenSSH -current fails regression on Solaris 8, sshd dumps core
In-Reply-To: <3D8CB863.9080208@chool.com>; from cloud@chool.com on Sat, Sep 21, 2002 at 01:20:19PM -0500
References: <3D8CB863.9080208@chool.com>
Message-ID: <20020922133250.B1539@google.com>

On Sat, Sep 21, 2002 at 01:20:19PM -0500, Sam Reynolds wrote:
> Hi, I believe the behavior of passing NULL to %s is undefined.

dunno about that either way

> NULL can be (but isn't necessarily) a macro expanding to
> (void*)0

No, it isn't. NULL is guaranteed to be a macro expanding to an "unadorned 0".

> and since sprintf is a variadic function, one would
> need an explicit cast to the appropriate type.

No, one doesn't. A variadic function interprets pointers based on the format string, not based on the type given to the compiler.

/fc

From cloud at chool.com Mon Sep 23 07:59:30 2002
From: cloud at chool.com (Sam Reynolds)
Date: Sun, 22 Sep 2002 16:59:30 -0500
Subject: OpenSSH -current fails regression on Solaris 8, sshd dumps core
Message-ID: <3D8E3D42.2000903@chool.com>

On Sat, Sep 21, 2002 at 01:20:19PM -0500, Sam Reynolds wrote:
>> Hi, I believe the behavior of passing NULL to %s is undefined.

>dunno about that either way

>> NULL can be (but isn't necessarily) a macro expanding to
>> (void*)0

>No, it isn't. NULL is guaranteed to be a macro expanding to an
>"unadorned 0".

I don't believe in C such a guarantee is given. 7.17.3 in C99 says: "... NULL which expands to an implementation-defined null pointer constant..." 6.23.2.3.3 explains that a null pointer constant is: "An integer constant expression with the value 0, or such an expression cast to type void *"

>> and since sprintf is a variadic function, one would
>> need an explicit cast to the appropriate type.

>No, one doesn't. A variadic function interprets pointers based on the
>format string, not based on the type given to the compiler.

One does, for two reasons. The first being a situation where my format string is input from the user; clearly the compiler can't know what the args are going to be at compile time. Second, if I write my own variadic function, the compiler will not know what the arguments to my function are if I don't explicitly cast them (if they are void*).

>/fc

Hope this helps,

-- 
Sam Reynolds
cloud at chool.com

From bugzilla-daemon at mindrot.org Mon Sep 23 21:26:19 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 23 Sep 2002 21:26:19 +1000 (EST)
Subject: [Bug 400] New: ssh-keygen hangs
Message-ID: <20020923112619.A63DB3D14B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=400

           Summary: ssh-keygen hangs
           Product: Portable OpenSSH
           Version: -current
          Platform: All
               URL: http://www.mgi-networks.com/
        OS/Version: AIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh-keygen
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: mcg at mcg-ct.com
                CC: mcg at mcg-ct.com

ssh stops working because ssh-keygen cannot get entropy. Apparently, even if configured with the latest OpenSSL and the latest prngd, openssh still uses the commands that are listed in /usr/local/etc/ssh_prng_cmds. If one of those commands hangs, then the timeout used in the build does not work during operation, and ssh-keygen hangs... so ssh hangs. The 'df' command is the offending command here. The timeout used during the build to test the commands also does not appear to be working if a command successfully tested at build time fails during operation. We have over 100 disks and any one of those disks can stop ssh, which we use for a production batch job. This is an unacceptable, serious failure mode.

Fortunately, commenting out the lines in /usr/local/etc/ssh_prng_cmds that contain the offending command provided a quick solution to our problem. We now leave df commented out as documented in our install notes below.

sshd installation documented at http://www.mcg-ct.com/openssh_privsep/

Given my understanding, there may be two bugs.
1.) If using prngd, openssh should not use the /usr/local/etc/ssh_prng_cmds
2.) If using /usr/local/etc/ssh_prng_cmds, the 200 msec default timeout should work during operation.

From mmokrejs at natur.cuni.cz Mon Sep 23 23:25:10 2002
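The second point in the bug report, an entropy-gathering command that must be abandoned when it exceeds its deadline instead of hanging ssh-keygen, as an added example in C (not the bug's attachment and not OpenSSH's entropy code). The command is run through /bin/sh in its own process group, its output is collected over a pipe under an absolute deadline, and on expiry the whole group is killed; the function names, the sample commands and the 200 ms figure used in the checks are constructed for the demonstration.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_TIMEOUT  (-1)   /* killed: did not finish within the deadline */
#define CMD_FAILED   (-2)   /* could not be started */

/* Milliseconds elapsed since 'start'. */
static long elapsed_ms(const struct timeval *start)
{
	struct timeval now;

	gettimeofday(&now, NULL);
	return (now.tv_sec - start->tv_sec) * 1000L +
	    (now.tv_usec - start->tv_usec) / 1000L;
}

/*
 * Run 'cmd' through /bin/sh -c and collect its stdout into out[].
 * The deadline is absolute: if the command has not closed its stdout within
 * timeout_ms (whether or not it produced output first) its whole process
 * group is killed and CMD_TIMEOUT is returned. On success the number of
 * bytes collected is returned and out[] is NUL-terminated.
 * (Hypothetical helper, not an OpenSSH function.)
 */
ssize_t run_cmd_with_timeout(const char *cmd, long timeout_ms, char *out, size_t outlen)
{
	int fds[2], timed_out = 0;
	pid_t pid;
	size_t total = 0;
	struct timeval start;

	if (outlen == 0 || pipe(fds) == -1)
		return CMD_FAILED;
	if ((pid = fork()) == -1) {
		close(fds[0]);
		close(fds[1]);
		return CMD_FAILED;
	}
	if (pid == 0) {
		/* Child: own process group so a timeout kill reaches whatever the
		 * shell spawned; stdout goes to the pipe, stderr is left alone. */
		setpgid(0, 0);
		close(fds[0]);
		dup2(fds[1], STDOUT_FILENO);
		close(fds[1]);
		execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
		_exit(127);
	}
	setpgid(pid, pid);   /* parent side of the same setpgid closes the race */
	close(fds[1]);
	gettimeofday(&start, NULL);
	while (total < outlen - 1) {
		long left = timeout_ms - elapsed_ms(&start);
		struct timeval tv;
		fd_set rfds;
		ssize_t n;

		if (left <= 0) {
			timed_out = 1;
			break;
		}
		tv.tv_sec = left / 1000;
		tv.tv_usec = (left % 1000) * 1000;
		FD_ZERO(&rfds);
		FD_SET(fds[0], &rfds);
		n = select(fds[0] + 1, &rfds, NULL, NULL, &tv);
		if (n == -1 && errno == EINTR)
			continue;
		if (n <= 0) {          /* deadline reached (or select failed) */
			timed_out = 1;
			break;
		}
		n = read(fds[0], out + total, outlen - 1 - total);
		if (n <= 0)            /* EOF: the command closed its stdout */
			break;
		total += (size_t)n;
	}
	close(fds[0]);
	if (timed_out) {
		kill(-pid, SIGKILL);   /* the group, then the child itself */
		kill(pid, SIGKILL);
	}
	waitpid(pid, NULL, 0);
	out[total] = '\0';
	return timed_out ? CMD_TIMEOUT : (ssize_t)total;
}

/* Static-buffer wrapper so results can be checked without extra setup. */
static char last_out[256];

ssize_t run_cmd_simple(const char *cmd, long timeout_ms)
{
	return run_cmd_with_timeout(cmd, timeout_ms, last_out, sizeof(last_out));
}

const char *last_output(void)
{
	return last_out;
}
```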
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ)
Date: Mon, 23 Sep 2002 15:25:10 +0200 (CEST)
Subject: privsep versus compression
In-Reply-To: <1032599298.1314.12.camel@argon>
Message-ID: 

> On Sat, 2002-09-21 at 03:08, Martin MOKREJŠ wrote:
> > Hi,
> > I recompiled openssh-3.4p1 on Solaris 2.6 with -g3 to see, why it is
> > crashing. Please find below two core dump stacks.
> 
> Please try the CVS snapshots, there have been many fixes since 3.4p1

Hi,

I've tried them in my very early trials (see first messages in this thread). Here's a repeat test case with snapshot openssh-SNAP-20020923:

$ klist
Ticket file:    /tmp/tkt0
Principal:      mmokrejs at NATUR.CUNI.CZ

  Issued           Expires          Principal
Sep 23 15:20:12  Sep 24 01:20:12  krbtgt.NATUR.CUNI.CZ at NATUR.CUNI.CZ
Sep 23 15:20:15  Sep 24 01:20:15  afs at NATUR.CUNI.CZ
Sep 23 15:20:15  Sep 24 01:20:15  krbtgt.RUK.CUNI.CZ at NATUR.CUNI.CZ

$ ./ssh -v -l mmokrejs pf-i400
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x00906080
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to pf-i400 [195.113.59.251] port 22.
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.0.2p1
debug1: match: OpenSSH_3.0.2p1 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 132/256
debug1: bits set: 482/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
Segmentation Fault (core dumped)

$ gdb ./ssh ./core
GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.6"...
Core was generated by `./ssh -v -l mmokrejs pf-i400'.
Program terminated with signal 11, Segmentation Fault.
Reading symbols from /usr/athena/lib/libkafs.so.0...done.
Reading symbols from /usr/lib/libresolv.so.2...done.
Reading symbols from /usr/athena/lib/libdes.so.1...done.
Reading symbols from /usr/athena/lib/libkrb.so.1...done.
Reading symbols from /software/@sys/usr/lib/libz.so...done.
Reading symbols from /usr/lib/libsocket.so.1...done.
Reading symbols from /usr/lib/libnsl.so.1...done.
Reading symbols from /usr/lib/libc.so.1...done.
Reading symbols from /usr/athena/lib/libroken.so.16...done.
Reading symbols from /usr/lib/libdl.so.1...done.
Reading symbols from /usr/lib/libmp.so.2...done.
Reading symbols from /software/@sys/usr/lib/libdb-4.0.so...done.
Reading symbols from /usr/platform/SUNW,Ultra-30/lib/libc_psr.so.1...done.
Reading symbols from /usr/lib/nss_files.so.1...done.
#0  0xef4a53e4 in strlen ()
(gdb) where
#0  0xef4a53e4 in strlen ()
#1  0xef4dc7e4 in _doprnt ()
#2  0xef4e5c88 in vsnprintf ()
#3  0x42bb0 in do_log (level=SYSLOG_LEVEL_DEBUG1, fmt=0xbea10 "using hostkeyalias: %s", args=0xefffe548) at log.c:385
#4  0x42528 in debug (fmt=0xbea10 "using hostkeyalias: %s") at log.c:159
#5  0x20bc8 in check_host_key (host=0x3 "\024\200", hostaddr=0xf81d8, host_key=0x104708, readonly=0, user_hostfile=0x3d "'\016", system_hostfile=0xcc "???????\f") at sshconnect.c:561
#6  0x215f8 in verify_host_key (host=0xfc7b8 "pf-i400", hostaddr=0xf81d8, host_key=0x104708) at sshconnect.c:810
#7  0x24430 in verify_host_key_callback (hostkey=0x104708) at sshconnect2.c:71
#8  0x417e0 in kexgex_client (kex=0xff698) at kexgex.c:184
#9  0x42278 in kexgex (kex=0xff698) at kexgex.c:413
#10 0x3fb94 in kex_kexinit_finish (kex=0xff698) at kex.c:243
#11 0x3fa78 in kex_input_kexinit (type=20, seq=0, ctxt=0xff698) at kex.c:209
#12 0x3ba18 in dispatch_run (mode=0, done=0xff6dc, ctxt=0xff698) at dispatch.c:93
#13 0x2465c in ssh_kex2 (host=0xfc7b8 "pf-i400", hostaddr=0xf81d8) at sshconnect2.c:119
#14 0x2173c in ssh_login (sensitive=0xf8fb4, orighost=0xeffffaf5 "pf-i400", hostaddr=0xf81d8, pw=0xf99a0) at sshconnect.c:846
#15 0x1dd10 in main (ac=0, av=0xeffffa08) at ssh.c:701
(gdb)

$ ./ssh -v -l mmokrejs pf-i400 -1
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x00906080
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to pf-i400 [195.113.59.251] port 22.
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.0.2p1
debug1: match: OpenSSH_3.0.2p1 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
debug1: Local version string SSH-1.5-OpenSSH_3.4p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'pf-i400' is known and matches the RSA1 host key.
debug1: Found key in /.ssh/known_hosts:1
No valid SSH1 cipher, using 3des instead.
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying Kerberos v4 authentication.
debug1: Kerberos v4 authentication accepted.
debug1: Kerberos v4 challenge successful.
debug1: Kerberos v4 TGT forwarded (mmokrejs at NATUR.CUNI.CZ).
Bus Error (core dumped)

$ gdb ./ssh ./core
GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.6"...
Core was generated by `./ssh -v -l mmokrejs pf-i400 -1'.
Program terminated with signal 10, Bus Error.
Reading symbols from /usr/athena/lib/libkafs.so.0...done.
Reading symbols from /usr/lib/libresolv.so.2...done.
Reading symbols from /usr/athena/lib/libdes.so.1...done.
Reading symbols from /usr/athena/lib/libkrb.so.1...done.
Reading symbols from /software/@sys/usr/lib/libz.so...done.
Reading symbols from /usr/lib/libsocket.so.1...done.
Reading symbols from /usr/lib/libnsl.so.1...done.
Reading symbols from /usr/lib/libc.so.1...done.
Reading symbols from /usr/athena/lib/libroken.so.16...done.
Reading symbols from /usr/lib/libdl.so.1...done.
Reading symbols from /usr/lib/libmp.so.2...done.
Reading symbols from /software/@sys/usr/lib/libdb-4.0.so...done.
Reading symbols from /usr/platform/SUNW,Ultra-30/lib/libc_psr.so.1...done.
Reading symbols from /usr/lib/nss_files.so.1...done.
Reading symbols from /usr/lib/nss_dns.so.1...done.
#0  0xef4c7800 in _free_unlocked ()
(gdb) where
#0  0xef4c7800 in _free_unlocked ()
#1  0xef4c77b8 in free ()
#2  0x53518 in xfree (ptr=0xa5) at xmalloc.c:55
#3  0x1de68 in main (ac=0, av=0xeffffa04) at ssh.c:717
(gdb)

-- 
Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585

From mmokrejs at natur.cuni.cz Mon Sep 23 23:30:09 2002
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ)
Date: Mon, 23 Sep 2002 15:30:09 +0200 (CEST)
Subject: privsep versus compression
In-Reply-To: <1032599298.1314.12.camel@argon>
Message-ID: 

On 21 Sep 2002, Damien Miller wrote:

> On Sat, 2002-09-21 at 03:08, Martin MOKREJŠ wrote:
> > Hi,
> > I recompiled openssh-3.4p1 on Solaris 2.6 with -g3 to see, why it is
> > crashing. Please find below two core dump stacks.
> 
> Please try the CVS snapshots, there have been many fixes since 3.4p1

And I would like to repeat that this is still not fixed in openssh-SNAP-20020923:

"I've added to includes.h one line:

 #include
 #include
 #include
+#include
 #include

I've no clue if it's the proper place. As far as I remember, this problem with sshconnect1.c always appeared only on Solaris with krb4 (just do a google search)."

-- 
Martin Mokrejs , PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585

From mouring at etoh.eviladmin.org Tue Sep 24 00:17:57 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 23 Sep 2002 09:17:57 -0500 (CDT)
Subject: Call for testing for 3.5 OpenSSH
Message-ID: 

The OpenBSD tree is heading into a lock and this includes OpenSSH. So we are winding up for a 3.5 release. If we can get people to test the current snapshots and report any problems, that would improve the odds that your platform won't be broken for 3.5.

Issues I know of right now.

1. I can't test NeXT. So I TRULY need someone in that community to test for me. Last I heard there were mmap() detection issues (it was misdetecting it).

2. Tru64 issues. If it has been decided there is no way to get post-authentication going then someone please officially submit the patch to disable it.

3. A Solaris issue (which I've not been following, sorry, I've been massively distracted) in regards to NULL pointers.

4. The kerb issue wandering around.

... Anything else? Cygwin? AIX? ..etc..

- Ben

From bugzilla-daemon at mindrot.org Tue Sep 24 03:47:31 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 24 Sep 2002 03:47:31 +1000 (EST)
Subject: [Bug 401] New: misc. ipv4-mapped address support fix
Message-ID: <20020923174731.AF3763D149@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=401

           Summary: misc. ipv4-mapped address support fix
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: yoshfuji at linux-ipv6.org

There are two problems related to ipv4-mapped address support. In canohost.c,
1) we forgot to set the length of the structure when converting a sockaddr_in6{} which contains an ipv4-mapped address to a sockaddr_in{}.
2) we failed to accept any connections on a newer library with scope-id (ex. glibc-2.2.x) on an old kernel without scope-id (ex. linux-2.2.x).

Patch will follow.

From bugzilla-daemon at mindrot.org Tue Sep 24 03:50:12 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 24 Sep 2002 03:50:12 +1000 (EST)
Subject: [Bug 401] misc. ipv4-mapped address support fix
Message-ID: <20020923175012.91D293D167@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=401

------- Additional Comments From yoshfuji at linux-ipv6.org 2002-09-24 03:50 -------
Created an attachment (id=148)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=148&action=view)
set length of sockaddr{}. run sshd with glibc-2.2 on linux-2.2

From dan at doxpara.com Tue Sep 24 04:50:56 2002
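The first problem in bug 401, converting a sockaddr_in6 that carries an IPv4-mapped address into a sockaddr_in, as an added example in C (not the bug's attachment and not OpenSSH's canohost.c). It does the conversion in place and, the step the report says was missing, shrinks the length alongside the structure, then checks the family, port, text form and length a caller would go on to use; the helper names and the sample addresses are constructed for the demonstration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/*
 * If *addr is an AF_INET6 sockaddr holding an IPv4-mapped address
 * (::ffff:a.b.c.d), rewrite it in place as an AF_INET sockaddr_in and
 * shrink *addrlen to match. Returns 1 if a conversion was done, 0 if the
 * address was left alone. (Hypothetical helper, not an OpenSSH function.)
 */
int ipv4_mapped_to_ipv4(struct sockaddr_storage *addr, socklen_t *addrlen)
{
	struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)addr;
	struct sockaddr_in a4;

	if (addr->ss_family != AF_INET6 || *addrlen < sizeof(*a6) ||
	    !IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr))
		return 0;

	memset(&a4, 0, sizeof(a4));
	a4.sin_family = AF_INET;
	a4.sin_port = a6->sin6_port;   /* already in network byte order */
	/* The IPv4 address is the low 32 bits of the mapped 128-bit address. */
	memcpy(&a4.sin_addr, &a6->sin6_addr.s6_addr[12], sizeof(a4.sin_addr));

	memset(addr, 0, sizeof(*addr));
	memcpy(addr, &a4, sizeof(a4));
	*addrlen = sizeof(a4);         /* a sockaddr_in is shorter than a sockaddr_in6 */
	return 1;
}

/* Constructed input for the checks: ::ffff:<v4> or a plain IPv6 address. */
static socklen_t make_v6(struct sockaddr_storage *addr, const char *text,
    unsigned short port)
{
	struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)addr;

	memset(addr, 0, sizeof(*addr));
	a6->sin6_family = AF_INET6;
	a6->sin6_port = htons(port);
	inet_pton(AF_INET6, text, &a6->sin6_addr);
	return sizeof(*a6);
}

/*
 * Feed ::ffff:<v4> through the conversion and verify every field a caller
 * (getnameinfo, a log line, the length handed to a later socket call) relies
 * on. Returns 1 when all of them are right.
 */
int mapped_roundtrip_ok(const char *v4, unsigned short port)
{
	struct sockaddr_storage addr;
	struct sockaddr_in *a4 = (struct sockaddr_in *)&addr;
	char mapped[64], out[INET_ADDRSTRLEN];
	socklen_t len;

	snprintf(mapped, sizeof(mapped), "::ffff:%s", v4);
	len = make_v6(&addr, mapped, port);
	if (!ipv4_mapped_to_ipv4(&addr, &len))
		return 0;
	if (addr.ss_family != AF_INET || len != sizeof(struct sockaddr_in))
		return 0;
	if (ntohs(a4->sin_port) != port)
		return 0;
	inet_ntop(AF_INET, &a4->sin_addr, out, sizeof(out));
	return strcmp(out, v4) == 0;
}

/* A genuine IPv6 peer must pass through untouched, length included. */
int plain_v6_untouched(const char *v6)
{
	struct sockaddr_storage addr;
	socklen_t len = make_v6(&addr, v6, 22);

	if (ipv4_mapped_to_ipv4(&addr, &len))
		return 0;
	return addr.ss_family == AF_INET6 && len == sizeof(struct sockaddr_in6);
}
```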
From: dan at doxpara.com (Dan Kaminsky)
Date: Mon, 23 Sep 2002 11:50:56 -0700
Subject: Call for testing for 3.5 OpenSSH
References: 
Message-ID: <3D8F6290.1080202@doxpara.com>

Just started a Cygwin compile; got this:

configure: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***

config.log details are useless; better to specify a minimum version number if that's what we're checking for.

--Dan

From dan at doxpara.com Tue Sep 24 05:46:08 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Mon, 23 Sep 2002 12:46:08 -0700
Subject: Call for testing for 3.5 OpenSSH
References: 
Message-ID: <3D8F6F80.30707@doxpara.com>

Cygwin status:

Compiles perfectly out of cvs. Horrendously laggy console -- totally unusable. SO_NODELAY get nuked?

--Dan

From wendyp at cray.com Tue Sep 24 07:05:13 2002
From: wendyp at cray.com (Wendy Palm) Date: Mon, 23 Sep 2002 16:05:13 -0500 Subject: Call for testing for 3.5 OpenSSH References: Message-ID: <3D8F8209.4325AEB0@cray.com> ben- i have 4 patches left that have not been added that are absolutely required to work on a cray system. they were part of bug 367, but were not added with the rest. do you want me to close that one and open a new one with only these patches? thanks, wendy diff -cr openssh/auth1.c openssh.cray/auth1.c *** openssh/auth1.c Wed Sep 11 18:47:30 2002 --- openssh.cray/auth1.c Mon Sep 23 12:39:06 2002 *************** *** 25,32 **** --- 25,36 ---- #include "channels.h" #include "session.h" #include "uidswap.h" + #if defined(_CRAY) && ! defined(_CRAYSV2) + #include + #endif /* _CRAY */ #include "monitor_wrap.h" + /* import */ extern ServerOptions options; *************** *** 303,308 **** --- 307,321 ---- if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); + + # if defined(_CRAY) && ! defined(_CRAYSV2) + if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated) + cray_login_failure(authctxt->user, IA_UDBERR); + if (authenticated && cray_access_denied(authctxt->user)) { + authenticated = 0; + fatal("Access denied for user %s.",authctxt->user); + } + #endif /* _CRAY */ #ifdef HAVE_CYGWIN if (authenticated && diff -cr openssh/auth2.c openssh.cray/auth2.c *** openssh/auth2.c Wed Sep 4 01:37:27 2002 --- openssh.cray/auth2.c Mon Sep 23 12:39:15 2002 *************** *** 35,40 **** --- 35,43 ---- #include "dispatch.h" #include "pathnames.h" #include "monitor_wrap.h" + #if defined(_CRAY) && ! 
defined(_CRAYSV2) + #include + #endif /* _CRAY */ /* import */ extern ServerOptions options; *************** *** 216,221 **** --- 219,231 ---- authenticated = 0; #endif /* USE_PAM */ + #if defined(_CRAY) && !defined(_CRAYSV2) + if (authenticated && cray_access_denied(authctxt->user)) { + authenticated = 0; + fatal("Access denied for user %s.",authctxt->user); + } + #endif /* _CRAY */ + /* Log before sending the reply */ auth_log(authctxt, authenticated, method, " ssh2"); *************** *** 235,240 **** --- 245,254 ---- if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } + #if defined(_CRAY) && !defined(_CRAYSV2) + if (strcmp(method, "password") == 0) + cray_login_failure(authctxt->user, IA_UDBERR); + #endif /* _CRAY */ methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); diff -cr openssh/deattack.c openssh.cray/deattack.c *** openssh/deattack.c Mon Mar 4 19:53:05 2002 --- openssh.cray/deattack.c Mon Sep 23 13:34:01 2002 *************** *** 101,111 **** --- 101,119 ---- if (h == NULL) { debug("Installing crc compensation attack detector."); n = l; + #if defined(_CRAY) && !defined(_CRAYSV2) + h = (u_int16_t *) xmalloc(n * sizeof(u_int16_t)); + #else h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE); + #endif /* _CRAY */ } else { if (l > n) { n = l; + #if defined(_CRAY) && !defined(_CRAYSV2) + h = (u_int16_t *) xrealloc(h, n * sizeof(u_int16_t)); + #else h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE); + #endif /* _CRAY */ } } *************** *** 128,134 **** --- 136,146 ---- } return (DEATTACK_OK); } + #if defined(_CRAY) && !defined(_CRAYSV2) + for (i=0; i + #endif #ifdef HAVE_CYGWIN #include *************** *** 519,528 **** --- 522,538 ---- perror("dup2 stderr"); #endif /* USE_PIPES */ + #if defined(_CRAY) && ! defined(_CRAYSV2) + cray_init_job(s->pw); /* set up cray jid and tmpdir */ + #endif + /* Do processing for the child (exec command etc). 
*/ do_child(s, command); /* NOTREACHED */ } + #if defined(_CRAY) && ! defined(_CRAYSV2) + signal(WJSIGNAL, cray_job_termination_handler); + #endif /* _CRAY */ #ifdef HAVE_CYGWIN if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); *************** *** 611,617 **** --- 621,632 ---- /* record login, etc. similar to login(1) */ #ifndef HAVE_OSF_SIA if (!(options.use_login && command == NULL)) + { + #if defined(_CRAY) && !defined(_CRAYSV2) + cray_init_job(s->pw); /* set up cray jid and tmpdir */ + #endif /* _CRAY */ do_login(s, command); + } # ifdef LOGIN_NEEDS_UTMPX else do_pre_login(s); *************** *** 622,627 **** --- 637,645 ---- do_child(s, command); /* NOTREACHED */ } + #if defined(_CRAY) && !defined(_CRAYSV2) + signal(WJSIGNAL, cray_job_termination_handler); + #endif /* _CRAY */ #ifdef HAVE_CYGWIN if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); *************** *** 762,767 **** --- 780,786 ---- printf("%s\n", aixloginmsg); #endif /* WITH_AIXAUTHENTICATE */ + #if !defined(_CRAY) || defined(_CRAYSV2) if (options.print_lastlog && s->last_login_time != 0) { time_string = ctime(&s->last_login_time); if (strchr(time_string, '\n')) *************** *** 772,778 **** printf("Last login: %s from %s\r\n", time_string, s->hostname); } ! do_motd(); } --- 791,797 ---- printf("Last login: %s from %s\r\n", time_string, s->hostname); } ! 
#endif /* _CRAY */ do_motd(); } *************** *** 1031,1036 **** --- 1050,1060 ---- child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", original_command); + #if defined(_CRAY) && !defined(_CRAYSV2) + if (cray_tmpdir[0] != '\0') + child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir); + #endif /* _CRAY */ + #ifdef _AIX { char *cp; *************** *** 1281,1286 **** --- 1305,1314 ---- /* login(1) is only called if we execute the login shell */ if (options.use_login && command != NULL) options.use_login = 0; + + #if defined(_CRAY) && !defined(_CRAYSV2) + cray_setup(pw->pw_uid, pw->pw_name, command); + #endif /* _CRAY */ /* * Login(1) does this as well, and it needs uid 0 for the "-h" From mouring at etoh.eviladmin.org Tue Sep 24 07:03:37 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 23 Sep 2002 16:03:37 -0500 (CDT) Subject: Call for testing for 3.5 OpenSSH In-Reply-To: <3D8F8209.4325AEB0@cray.com> Message-ID: Just attach a new patch to the bug report. On Mon, 23 Sep 2002, Wendy Palm wrote: > ben- > > i have 4 patches left that have not been added that are absolutely > required to work on a cray system. > > they were part of bug 367, but were not added with the rest. > do you want me to close that one and open a new one with only > these patches? > > thanks, > wendy > > > > diff -cr openssh/auth1.c openssh.cray/auth1.c > *** openssh/auth1.c Wed Sep 11 18:47:30 2002 > --- openssh.cray/auth1.c Mon Sep 23 12:39:06 2002 > *************** > *** 25,32 **** > --- 25,36 ---- > #include "channels.h" > #include "session.h" > #include "uidswap.h" > + #if defined(_CRAY) && ! defined(_CRAYSV2) > + #include > + #endif /* _CRAY */ > #include "monitor_wrap.h" > > + > /* import */ > extern ServerOptions options; > > *************** > *** 303,308 **** > --- 307,321 ---- > if (!authctxt->valid && authenticated) > fatal("INTERNAL ERROR: authenticated invalid user %s", > authctxt->user); > + > + # if defined(_CRAY) && ! defined(_CRAYSV2) > + if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated) > + cray_login_failure(authctxt->user, IA_UDBERR); > + if (authenticated && cray_access_denied(authctxt->user)) { > + authenticated = 0; > + fatal("Access denied for user %s.",authctxt->user); > + } > + #endif /* _CRAY */ > > #ifdef HAVE_CYGWIN > if (authenticated && > diff -cr openssh/auth2.c openssh.cray/auth2.c > *** openssh/auth2.c Wed Sep 4 01:37:27 2002 > --- openssh.cray/auth2.c Mon Sep 23 12:39:15 2002 > *************** > *** 35,40 **** > --- 35,43 ---- > #include "dispatch.h" > #include "pathnames.h" > #include "monitor_wrap.h" > + #if defined(_CRAY) && ! 
defined(_CRAYSV2) > + #include > + #endif /* _CRAY */ > > /* import */ > extern ServerOptions options; > *************** > *** 216,221 **** > --- 219,231 ---- > authenticated = 0; > #endif /* USE_PAM */ > > + #if defined(_CRAY) && !defined(_CRAYSV2) > + if (authenticated && cray_access_denied(authctxt->user)) { > + authenticated = 0; > + fatal("Access denied for user %s.",authctxt->user); > + } > + #endif /* _CRAY */ > + > /* Log before sending the reply */ > auth_log(authctxt, authenticated, method, " ssh2"); > > *************** > *** 235,240 **** > --- 245,254 ---- > if (authctxt->failures++ > AUTH_FAIL_MAX) { > packet_disconnect(AUTH_FAIL_MSG, authctxt->user); > } > + #if defined(_CRAY) && !defined(_CRAYSV2) > + if (strcmp(method, "password") == 0) > + cray_login_failure(authctxt->user, IA_UDBERR); > + #endif /* _CRAY */ > methods = authmethods_get(); > packet_start(SSH2_MSG_USERAUTH_FAILURE); > packet_put_cstring(methods); > diff -cr openssh/deattack.c openssh.cray/deattack.c > *** openssh/deattack.c Mon Mar 4 19:53:05 2002 > --- openssh.cray/deattack.c Mon Sep 23 13:34:01 2002 > *************** > *** 101,111 **** > --- 101,119 ---- > if (h == NULL) { > debug("Installing crc compensation attack detector."); > n = l; > + #if defined(_CRAY) && !defined(_CRAYSV2) > + h = (u_int16_t *) xmalloc(n * sizeof(u_int16_t)); > + #else > h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE); > + #endif /* _CRAY */ > } else { > if (l > n) { > n = l; > + #if defined(_CRAY) && !defined(_CRAYSV2) > + h = (u_int16_t *) xrealloc(h, n * sizeof(u_int16_t)); > + #else > h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE); > + #endif /* _CRAY */ > } > } > > *************** > *** 128,134 **** > --- 136,146 ---- > } > return (DEATTACK_OK); > } > + #if defined(_CRAY) && !defined(_CRAYSV2) > + for (i=0; i + #else > memset(h, HASH_UNUSEDCHAR, n * HASH_ENTRYSIZE); > + #endif /* _CRAY */ > > if (IV) > h[HASH(IV) & (n - 1)] = HASH_IV; > diff -cr openssh/serverloop.c openssh.cray/serverloop.c > *** 
openssh/serverloop.c Sat Sep 21 10:26:28 2002 > --- openssh.cray/serverloop.c Mon Sep 23 13:38:52 2002 > *************** > *** 144,150 **** > --- 144,152 ---- > int save_errno = errno; > debug("Received SIGCHLD."); > child_terminated = 1; > + #if !defined(_CRAY) || defined(_CRAYSV2) > mysignal(SIGCHLD, sigchld_handler); > + #endif > notify_parent(); > errno = save_errno; > } > diff -cr openssh/session.c openssh.cray/session.c > *** openssh/session.c Wed Sep 18 20:50:49 2002 > --- openssh.cray/session.c Mon Sep 23 12:47:35 2002 > *************** > *** 57,62 **** > --- 57,65 ---- > #include "canohost.h" > #include "session.h" > #include "monitor_wrap.h" > + #if defined(_CRAY) && ! defined(_CRAYSV2) > + #include > + #endif > > #ifdef HAVE_CYGWIN > #include > *************** > *** 519,528 **** > --- 522,538 ---- > perror("dup2 stderr"); > #endif /* USE_PIPES */ > > + #if defined(_CRAY) && ! defined(_CRAYSV2) > + cray_init_job(s->pw); /* set up cray jid and tmpdir */ > + #endif > + > /* Do processing for the child (exec command etc). */ > do_child(s, command); > /* NOTREACHED */ > } > + #if defined(_CRAY) && ! defined(_CRAYSV2) > + signal(WJSIGNAL, cray_job_termination_handler); > + #endif /* _CRAY */ > #ifdef HAVE_CYGWIN > if (is_winnt) > cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); > *************** > *** 611,617 **** > --- 621,632 ---- > /* record login, etc. 
similar to login(1) */ > #ifndef HAVE_OSF_SIA > if (!(options.use_login && command == NULL)) > + { > + #if defined(_CRAY) && !defined(_CRAYSV2) > + cray_init_job(s->pw); /* set up cray jid and tmpdir */ > + #endif /* _CRAY */ > do_login(s, command); > + } > # ifdef LOGIN_NEEDS_UTMPX > else > do_pre_login(s); > *************** > *** 622,627 **** > --- 637,645 ---- > do_child(s, command); > /* NOTREACHED */ > } > + #if defined(_CRAY) && !defined(_CRAYSV2) > + signal(WJSIGNAL, cray_job_termination_handler); > + #endif /* _CRAY */ > #ifdef HAVE_CYGWIN > if (is_winnt) > cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); > *************** > *** 762,767 **** > --- 780,786 ---- > printf("%s\n", aixloginmsg); > #endif /* WITH_AIXAUTHENTICATE */ > > + #if !defined(_CRAY) || defined(_CRAYSV2) > if (options.print_lastlog && s->last_login_time != 0) { > time_string = ctime(&s->last_login_time); > if (strchr(time_string, '\n')) > *************** > *** 772,778 **** > printf("Last login: %s from %s\r\n", time_string, > s->hostname); > } > ! > do_motd(); > } > > --- 791,797 ---- > printf("Last login: %s from %s\r\n", time_string, > s->hostname); > } > ! #endif /* _CRAY */ > do_motd(); > } > > *************** > *** 1031,1036 **** > --- 1050,1060 ---- > child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", > original_command); > > + #if defined(_CRAY) && !defined(_CRAYSV2) > + if (cray_tmpdir[0] != '\0') > + child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir); > + #endif /* _CRAY */ > + > #ifdef _AIX > { > char *cp; > *************** > *** 1281,1286 **** > --- 1305,1314 ---- > /* login(1) is only called if we execute the login shell */ > if (options.use_login && command != NULL) > options.use_login = 0; > + > + #if defined(_CRAY) && !defined(_CRAYSV2) > + cray_setup(pw->pw_uid, pw->pw_name, command); > + #endif /* _CRAY */ > > /* > * Login(1) does this as well, and it needs uid 0 for the "-h" > From bugzilla-daemon at mindrot.org Tue Sep 24 07:15:35 2002 
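Review bot: in the auth1.c hunk at 307,321 the "authenticated = 0;" placed just before fatal("Access denied for user %s.",authctxt->user) is a dead store, because fatal() never returns, and since the process exits right there nothing later in the loop runs for this attempt. The HAVE_CYGWIN block that immediately follows shows the pattern the file already uses for a platform-level veto: clear "authenticated" and let the normal rejection path handle the disconnect, so the refusal is recorded like any other failed attempt; the Cray check would be clearer and more consistent in that shape.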
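Review bot: in the auth2.c hunk at 219,231 the new cray_access_denied() block calls fatal() before the "/* Log before sending the reply */ auth_log(authctxt, authenticated, method, " ssh2");" that the surrounding context requires to run first, so a user who authenticated but is denied by the Cray check is neither logged through auth_log() nor answered with SSH2_MSG_USERAUTH_FAILURE; the "authenticated = 0;" above the fatal() is also dead. Setting authenticated = 0 and falling through to the existing failure path keeps the log and the protocol reply consistent; if the connection really must be torn down immediately, do it after auth_log() has run.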
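Review bot: in the auth2.c hunk at 245,254 the cray_login_failure(authctxt->user, IA_UDBERR) call for password failures sits after "if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); }", and packet_disconnect() does not return, so the attempt that pushes the client over AUTH_FAIL_MAX is exactly the one the Cray failure counter never sees. Moving the cray_login_failure() call above the AUTH_FAIL_MAX check records every failed password attempt.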
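Review bot: the deattack.c hunks at 101,119 and 136,146 repeat the same _CRAY && !_CRAYSV2 conditional three times to swap HASH_ENTRYSIZE for sizeof(u_int16_t) in xmalloc()/xrealloc() and the memset() for a per-element loop. Defining the entry size once under a single conditional (for example making HASH_ENTRYSIZE equal sizeof(u_int16_t) on Cray) and using one fill loop on every platform would keep the allocation size, the initialisation and the later "h[HASH(IV) & (n - 1)] = HASH_IV;" indexing in agreement with no further ifdefs. As archived, the "for (i=0; i" line is cut off, so please make sure the copy attached to bug 367 fills all n entries with the unused marker that memset(h, HASH_UNUSEDCHAR, ...) previously wrote.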
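Review bot: the serverloop.c hunk at 144,152 stops re-arming the handler with mysignal(SIGCHLD, sigchld_handler) on Cray without saying why. If mysignal() already installs a persistent handler there the re-arm is merely redundant, but if the handler is reset on delivery a second child exiting would no longer reach notify_parent(); a one-line comment stating which case applies, or handling the Cray difference inside mysignal() in the compat layer instead of at this call site, would make the intent reviewable.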
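Review bot: the session.c hunks at 522,538 and 637,645 add "signal(WJSIGNAL, cray_job_termination_handler);" with the raw signal() call, while the tree's convention visible in serverloop.c is mysignal(); using mysignal() here keeps handler semantics uniform across the portable code. The same pair of blocks (cray_init_job(s->pw) in the child, the WJSIGNAL handler in the parent) is duplicated in the pty and non-pty branches; a small helper called from both would keep them from drifting apart.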
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 24 Sep 2002 07:15:35 +1000 (EST)
Subject: [Bug 367] patches for Cray port
Message-ID: <20020923211535.9852C3D183@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=367

------- Additional Comments From wendyp at cray.com 2002-09-24 07:15 -------
Created an attachment (id=149)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=149&action=view)
updated patches for 0923 snapshot

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Sep 24 07:16:05 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 24 Sep 2002 07:16:05 +1000 (EST)
Subject: [Bug 367] patches for Cray port
Message-ID: <20020923211605.2883C3D183@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=367

wendyp at cray.com changed:

What                       |Removed |Added
---------------------------+--------+------
Attachment #134 is obsolete|0       |1
Attachment #135 is obsolete|0       |1
Attachment #136 is obsolete|0       |1

------- Additional Comments From wendyp at cray.com 2002-09-24 07:15 -------
Created an attachment (id=150)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=150&action=view)
updated patches for 0923 snapshot

From tim at multitalents.net Tue Sep 24 09:01:33 2002
From: tim at multitalents.net (Tim Rice)
Date: Mon, 23 Sep 2002 16:01:33 -0700 (PDT)
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To: <3D8F8209.4325AEB0@cray.com>
Message-ID:

On Mon, 23 Sep 2002, Wendy Palm wrote:

[snip]
> diff -cr openssh/auth1.c openssh.cray/auth1.c
> *** openssh/auth1.c Wed Sep 11 18:47:30 2002
> --- openssh.cray/auth1.c Mon Sep 23 12:39:06 2002
> + #if defined(_CRAY) && ! defined(_CRAYSV2)
> + #include
> + #endif /* _CRAY */

Is this because ia.h does not exist on _CRAYSV2 ?
Or because including ia.h breaks on _CRAYSV2 ?
Could we test for ia.h in configure and use HAVE_IA_H ?

Same question for openssh/auth2.c

> *** openssh/session.c Wed Sep 18 20:50:49 2002
> --- openssh.cray/session.c Mon Sep 23 12:47:35 2002
> + #if defined(_CRAY) && ! defined(_CRAYSV2)
> + #include
> + #endif

Can we use HAVE_TMPDIR_H ?

From bugzilla-daemon at mindrot.org Tue Sep 24 09:39:49 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 24 Sep 2002 09:39:49 +1000 (EST)
Subject: [Bug 341] Return Code unpredictable
Message-ID: <20020923233949.2E19D3D0E6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=341

------- Additional Comments From john.osell at telus.com 2002-09-24 09:39 -------
I have the same problem. The script as follows is run from cron:

while [ 1 ]
do
ssh date
echo $?
done

The script returns 255 anywhere from 2-20% of the time when run from cron and works perfectly fine when run from the command line.

I am running the test on AIX 4.3.3.0 and OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090581f

John O.

From tim at multitalents.net Tue Sep 24 09:55:07 2002
From: tim at multitalents.net (Tim Rice) Date: Mon, 23 Sep 2002 16:55:07 -0700 (PDT) Subject: [Patch] configure tests return instead of exit In-Reply-To: <3D4E3AA8.4B89610C@zip.com.au> Message-ID: On Mon, 5 Aug 2002, Darren Tucker wrote: > Tim Rice wrote: > [about OpenSSL configure test] > > On the subject of configure.ac, while R'ing the FM for autoconf I > noticed the following at > http://www.gnu.org/manual/autoconf/html_node/Guidelines.html: > > "Test programs should exit, not return, from main, because on some > systems (old Suns, at least) the argument to return in main is ignored." > > Is there a reason some tests use return in configure.ac? If not, the > attached patch changes them. I finally got around to commiting your patch. Thanks. -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From kevin at atomicgears.com Tue Sep 24 11:10:14 2002 From: kevin at atomicgears.com (Kevin Steves) Date: Mon, 23 Sep 2002 18:10:14 -0700 Subject: OpenSSH -current fails regression on Solaris 8, sshd dumps core In-Reply-To: <3D8C8F28.3C997798@zip.com.au> References: <3D8C8F28.3C997798@zip.com.au> Message-ID: <20020924011014.GC2398@jenny.crlsca.adelphia.net> On Sun, Sep 22, 2002 at 01:24:24AM +1000, Darren Tucker wrote: > After poking around, it seems that: > 1) get_local_ipaddr returns NULL > 2) this NULL is passed to snprintf > 3) which dereferences the NULL causing a SEGV > > (get_local_ipaddr returns NULL because it calls get_socket_address which > calls getpeername on a non-socket.) thanks. fixed a little different and cover the other case. the canohost interface needs to be reworked. Index: canohost.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/canohost.c,v retrieving revision 1.33 diff -u -r1.33 canohost.c --- canohost.c 9 Jul 2002 11:56:27 -0000 1.33 +++ canohost.c 23 Sep 2002 20:16:38 -0000 
@@ -196,18 +196,12 @@ if (remote) { if (getpeername(socket, (struct sockaddr *)&addr, &addrlen) - < 0) { - debug("get_socket_ipaddr: getpeername failed: %.100s", - strerror(errno)); + < 0) return NULL; - } } else { if (getsockname(socket, (struct sockaddr *)&addr, &addrlen) - < 0) { - debug("get_socket_ipaddr: getsockname failed: %.100s", - strerror(errno)); + < 0) return NULL; - } } /* Get the address in ascii. */ if (getnameinfo((struct sockaddr *)&addr, addrlen, ntop, sizeof(ntop), @@ -221,13 +215,21 @@ char * get_peer_ipaddr(int socket) { - return get_socket_address(socket, 1, NI_NUMERICHOST); + char *p; + + if ((p = get_socket_address(socket, 1, NI_NUMERICHOST)) != NULL) + return p; + return xstrdup("UNKNOWN"); } char * get_local_ipaddr(int socket) { - return get_socket_address(socket, 0, NI_NUMERICHOST); + char *p; + + if ((p = get_socket_address(socket, 0, NI_NUMERICHOST)) != NULL) + return p; + return xstrdup("UNKNOWN"); } char * From kevin at atomicgears.com Tue Sep 24 11:11:22 2002 From: kevin at atomicgears.com (Kevin Steves) Date: Mon, 23 Sep 2002 18:11:22 -0700 Subject: Call for testing for 3.5 OpenSSH In-Reply-To: <3D8F6F80.30707@doxpara.com> References: <3D8F6F80.30707@doxpara.com> Message-ID: <20020924011122.GD2398@jenny.crlsca.adelphia.net> On Mon, Sep 23, 2002 at 12:46:08PM -0700, Dan Kaminsky wrote: > Horrendously laggy console -- totally unusable. SO_NODELAY get nuked? Nagle usage is unchanged. This problem report is useless. From kevin at atomicgears.com Tue Sep 24 11:18:15 2002 From: kevin at atomicgears.com (Kevin Steves) Date: Mon, 23 Sep 2002 18:18:15 -0700 Subject: Call for testing for 3.5 OpenSSH In-Reply-To: References: Message-ID: <20020924011815.GE2398@jenny.crlsca.adelphia.net> i guess we also ship with PAM password change remaining disabled. have not seen any feedback on solar's patch (which is in the tree but remains #if 0 in auth-pam.c). From bugzilla-daemon at mindrot.org Tue Sep 24 11:37:02 2002 
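Review bot: the first canohost.c hunk (196,212) drops the debug("get_socket_ipaddr: getpeername failed: %.100s", strerror(errno)) and getsockname lines along with the braces, so when sshd runs on a non-socket (the regression case that produced this crash) there is no longer any trace of why the address lookup failed. Keeping the message, at debug2 level if it is considered too noisy, costs nothing and is the only hint an administrator gets when logs start showing UNKNOWN.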
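Review bot: in the second hunk (215,235), returning xstrdup("UNKNOWN") from get_peer_ipaddr() and get_local_ipaddr() fixes the NULL-to-snprintf crash, but callers can no longer tell a real address from the placeholder; anything that uses these strings for a decision rather than a log line should get a distinguishable failure result instead of having to compare against the literal. Since both functions now always hand back a heap string, please also check that every caller frees the result; any that treated the old NULL as "nothing to free" will now leak.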
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 24 Sep 2002 11:37:02 +1000 (EST)
Subject: [Bug 401] ipv4 mapped address (ipv4 in ipv6) and ipv6 support fix
Message-ID: <20020924013702.CB65D3D17E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=401

yoshfuji at linux-ipv6.org changed:

What   |Removed                              |Added
-------+-------------------------------------+-------------------------------------------------------
Summary|misc. ipv4-mapped address support fix|ipv4 mapped address (ipv4 in ipv6) and ipv6 support fix

------- Additional Comments From yoshfuji at linux-ipv6.org 2002-09-24 11:36 -------
To clarify:
- one is ipv4 mapped issue
- another is ipv6 sin6_scope_id issue.
- with latter one, we are not able to accept ipv4 connection via ipv6 socket using "ipv4-mapped address" feature on some platforms.

From dan at doxpara.com Tue Sep 24 12:17:12 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Mon, 23 Sep 2002 19:17:12 -0700
Subject: Call for testing for 3.5 OpenSSH
References: <3D8F6F80.30707@doxpara.com> <20020924011122.GD2398@jenny.crlsca.adelphia.net>
Message-ID: <3D8FCB28.3060300@doxpara.com>

Kevin Steves wrote:

>On Mon, Sep 23, 2002 at 12:46:08PM -0700, Dan Kaminsky wrote:
>
>> Horrendously laggy console -- totally unusable. SO_NODELAY get nuked?
>
>Nagle usage is unchanged. This problem report is useless.

It's called a problem report, not a solution report. Given that:

1) Testing calls have preceded releases by 24 hours
2) Testing calls that go unheeded tend to lead to a very unhappy Ben
3) Ben specifically asked about Cygwin
4) I run Cygwin

I thought it was prudent to at least mention "compiles fine, not actually usable though" as quick as possible.

Here, lemme see if I can whip up something a bit more useful. I don't know exactly what's causing it, but there's a second-level timeout somewhere in here. I fired up tethereal, and monitored the inter-packet timings on a standard SSH2 login. Here's the absolute timing -- notice time-to-password is about 3 seconds, but in CVS we're up to 12.

Normal OpenSSH Behavior on initial connect(cygwin to freebsd):

19.787118
19.787173
19.787412
19.788726
19.800843
19.802972
19.803673
19.898120
19.898436
19.911058
19.951071
20.020607
20.084571
20.178110
20.178442
20.178605
20.181870
20.182947
20.189624
20.191384
20.197101
20.197232
20.339739
22.408260
22.408285
22.408596
22.408829

Broken CVS OpenSSH on same:

2.801344
2.801393
2.801614
2.802872
2.822554
2.825399
2.827688
2.917852
3.550563
3.562710
3.689510
4.357904
4.423234
4.592200
5.129863
5.227887
5.228141
5.228311
5.394639
5.841215
5.842401
5.996435
6.927709
6.929665
7.099771
7.813722
7.813926
8.002521
14.456602
14.456629
14.456945
14.457173

Looks like socket vomit to me, Kevin. Log attached.

--Dan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: packetlog
Type: application/octet-stream
Size: 25140 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020923/82d96f08/attachment.obj

From mouring at etoh.eviladmin.org Tue Sep 24 13:45:12 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 23 Sep 2002 22:45:12 -0500 (CDT)
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To: <3D8FCB28.3060300@doxpara.com>
Message-ID:

On Mon, 23 Sep 2002, Dan Kaminsky wrote:

> Kevin Steves wrote:
>
> >On Mon, Sep 23, 2002 at 12:46:08PM -0700, Dan Kaminsky wrote:
> >
> >> Horrendously laggy console -- totally unusable. SO_NODELAY get nuked?
> >
> >Nagle usage is unchanged. This problem report is useless.
>
> It's called a problem report, not a solution report. Given that:
>
> 1) Testing calls have preceded releases by 24 hours

Lately it has not been my choice, but we have time. Assuming someone does not spring some security issue on me making me eat my words.=)

> 2) Testing calls that go unheeded tend to lead to a very unhappy Ben

Na.. underfed Bens make for unhappy Bens. =) Unheeded calls for testing just makes Ben a bit grumpy. =) First one does not happen often assuming I feel in a cooking mood or find leftovers. The latter is unavoidable some days. Mostly when I'm short on time.

> 3) Ben specifically asked about Cygwin

Random draw of the hat. Grabbed two OSes that I knew did not have outstanding issues.

- Ben

From bugzilla-daemon at mindrot.org Tue Sep 24 14:54:51 2002
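The two timestamp columns Dan Kaminsky posted are raw tethereal output; what a reviewer actually wants from them is the elapsed time, the largest single gap and how many gaps look like a timer firing rather than network latency. The script below is an added example, not part of Dan's mail or of OpenSSH: it takes a list of absolute packet timestamps (the two traces from the mail are embedded as constructed input) and prints those figures with awk, so the "second-level timeout" claim can be checked numerically rather than by eye. The 0.4 s threshold is an assumption chosen to separate round-trip latency from timer-driven pauses.

```shell
#!/bin/sh
# Added example, not from the mail or from OpenSSH: reduce a column of
# absolute packet timestamps (as printed by tethereal/tcpdump) to the
# figures a latency complaint needs. The two traces are the ones quoted
# in Dan's mail, embedded here as constructed input.

NORMAL_TRACE="19.787118 19.787173 19.787412 19.788726 19.800843 19.802972
19.803673 19.898120 19.898436 19.911058 19.951071 20.020607 20.084571
20.178110 20.178442 20.178605 20.181870 20.182947 20.189624 20.191384
20.197101 20.197232 20.339739 22.408260 22.408285 22.408596 22.408829"

BROKEN_TRACE="2.801344 2.801393 2.801614 2.802872 2.822554 2.825399 2.827688
2.917852 3.550563 3.562710 3.689510 4.357904 4.423234 4.592200 5.129863
5.227887 5.228141 5.228311 5.394639 5.841215 5.842401 5.996435 6.927709
6.929665 7.099771 7.813722 7.813926 8.002521 14.456602 14.456629 14.456945
14.457173"

# gap_report THRESHOLD "t1 t2 t3 ...": print one summary line with
#   total       seconds from first to last packet
#   maxgap      largest interval between consecutive packets
#   before_pkt  1-based index of the packet that ended that interval
#   over        number of intervals longer than THRESHOLD seconds
gap_report() {
    thr=$1
    shift
    # word-split the timestamps so awk sees one per line
    printf '%s\n' $1 | awk -v thr="$thr" '
        NF == 0 { next }                         # skip blank lines
        { n++ }
        n == 1 { first = $1; prev = $1; next }   # nothing to diff yet
        {
            gap = $1 - prev
            if (gap > maxgap) { maxgap = gap; maxat = n }
            if (gap > thr) over++
            prev = $1
        }
        END {
            printf "total=%.3f maxgap=%.3f before_pkt=%d over=%d\n",
                prev - first, maxgap, maxat, over + 0
        }'
}

# gaps_over THRESHOLD "t1 t2 ...": list every interval above THRESHOLD
# as "pkt=<index> gap=<seconds>", one per line, in capture order.
gaps_over() {
    thr=$1
    shift
    printf '%s\n' $1 | awk -v thr="$thr" '
        NF == 0 { next }
        { n++ }
        n > 1 && $1 - prev > thr { printf "pkt=%d gap=%.3f\n", n, $1 - prev }
        { prev = $1 }'
}

# Run directly: summarise both traces, then list the suspicious gaps
# in the slow one.
echo "normal: $(gap_report 0.4 "$NORMAL_TRACE")"
echo "broken: $(gap_report 0.4 "$BROKEN_TRACE")"
gaps_over 0.4 "$BROKEN_TRACE"
```

With the 0.4 s threshold the normal trace shows a single large pause (2.07 s before packet 24, plausibly the user typing the password; that attribution is an assumption) and nothing else above the line, while the slow trace shows seven intervals between roughly 0.45 s and 0.93 s plus the 6.45 s one at the end. A handful of near-constant sub-second stalls rather than one long wait is the signature of something timing out repeatedly, which is the distinction Dan's "second-level timeout somewhere" is pointing at.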
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 24 Sep 2002 14:54:51 +1000 (EST)
Subject: [Bug 402] New: Suggested sshrc script unsafe
Message-ID: <20020924045451.AD15C3D149@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=402

           Summary: Suggested sshrc script unsafe
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P2
         Component: Documentation
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: kolya at mit.edu

The sshrc code suggested at the bottom of sshd(8) is unsafe, in that it passes around the xauth key as an argument to xauth -- while xauth is running, the key is, on most systems, visible to other users on the same machine. A more secure way to pass the key is something like:

echo add $DISPLAY $proto $cookie | xauth -q

which, in /bin/sh on most systems, uses the built-in echo command.

While this isn't strictly a bug, it seems poor to suggest code that exposes the xauth key.

Incidentally, it may also be nice to use "xauth -q" instead of just "xauth", since the same manpage also warns that sshrc shouldn't output anything to stdout, which "xauth" does.

From fcusack at fcusack.com Tue Sep 24 16:22:31 2002
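The bug report's point is that anything on a command line is readable by every local user for as long as the process runs, whereas a value written to a pipe by a shell builtin never appears in any process's argv. The script below is an added example, not part of the bug report or of OpenSSH: it stands in a short-lived sh process for xauth, starts it once with a constructed cookie in argv (the sshd(8) sample's shape) and once with the cookie on stdin (the reporter's fix), and reads the child's command line the same way ps(1) does, through /proc on Linux or ps elsewhere. The cookie value, the stand-in process name and the 3 s lifetime are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the bug report or from OpenSSH: show why a
# secret should go to xauth over a pipe and not as an argument. A short
# sh process stands in for xauth; we inspect its argv the way any local
# user can with ps(1).

# Constructed stand-in cookie. Real sshrc code gets it from
# `read proto cookie` as sshd(8) describes, never from a literal.
SECRET_COOKIE="deadbeefcafef00d"

# argv_of PID: print the command line of a running process.
# /proc first (Linux), then ps(1); prints nothing if neither works.
argv_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    elif command -v ps >/dev/null 2>&1; then
        ps -o args= -p "$1" 2>/dev/null
    fi
}

# leak_check MODE: start a child that holds the cookie for a moment,
# look at its argv, and print "exposed", "hidden" or "unavailable".
#   argv   cookie passed as a command-line argument (sshd(8) sample)
#   stdin  cookie written to the child's stdin (the reporter's fix)
leak_check() {
    case "$1" in
    argv)
        # like `xauth add $DISPLAY $proto $cookie`: the cookie sits in
        # argv of the stand-in for its whole lifetime
        sh -c 'sleep 3; :' sshrc-xauth-stand-in "$SECRET_COOKIE" \
            >/dev/null 2>&1 &
        ;;
    stdin)
        # like `echo add $DISPLAY $proto $cookie | xauth -q`: echo is a
        # shell builtin, so no process ever carries the cookie in argv;
        # only the pipe does
        echo "add :0 MIT-MAGIC-COOKIE-1 $SECRET_COOKIE" |
            sh -c 'read line; sleep 3; :' sshrc-xauth-stand-in \
            >/dev/null 2>&1 &
        ;;
    *)
        echo "usage: leak_check argv|stdin" >&2
        return 2
        ;;
    esac
    child=$!
    sleep 1                                  # let the child start
    seen=$(argv_of "$child" || :)
    kill "$child" 2>/dev/null || :
    wait "$child" 2>/dev/null || :
    case "$seen" in
    "")                  echo unavailable ;; # no /proc and no ps
    *"$SECRET_COOKIE"*)  echo exposed ;;
    *)                   echo hidden ;;
    esac
}

# Run directly: expected "argv: exposed" and "stdin: hidden".
for mode in argv stdin; do
    echo "$mode: $(leak_check "$mode")"
done
```

The same check applies to any helper that takes a secret as an argument, not just xauth; the fix is always the one the reporter gives, pass it on stdin (or in the environment, which is readable only by the same user on most systems) from a builtin so it never becomes part of a command line.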
From: fcusack at fcusack.com (Frank Cusack)
Date: Mon, 23 Sep 2002 23:22:31 -0700
Subject: OpenSSH -current fails regression on Solaris 8, sshd dumps core
In-Reply-To: <3D8E3D42.2000903@chool.com>; from cloud@chool.com on Sun, Sep 22, 2002 at 04:59:30PM -0500
References: <3D8E3D42.2000903@chool.com>
Message-ID: <20020923232231.F4596@google.com>

On Sun, Sep 22, 2002 at 04:59:30PM -0500, Sam Reynolds wrote:
> On Sat, Sep 21, 2002 at 01:20:19PM -0500, Sam Reynolds wrote:
>
> >No, it isn't. NULL is guaranteed to be a macro expanding to an
> >"unadorned 0".
>
> I don't believe in C such a guarantee is given.
> 7.17.3 in C99 says:
> "... NULL which expands to an implementation-defined null
> pointer constant..."
> 6.23.2.3.3 explains that a null pointer constant is:
> "An integer constant expression with the value 0, or such
> an expression cast to type void *"

I stand corrected!

> >> and since sprintf is a variadic function, one would
> >> need an explicit cast to the appropriate type.
>
> >No, one doesn't. A variadic function interprets pointers based on the
> >format string, not based on the type given to the compiler.
>
> One does for two reasons. The first being a situation where my format
> string is input from the user, clearly the compiler can't know what the
> args are going to be at compile time.

In which case, how are you going to know what to cast to?

> Second, if I write my own
> variadic function the compiler will not know what the arguments to
> my function are if I don't explicitly cast them (if they are void*).

huh?

/fc

From markus at openbsd.org Tue Sep 24 19:29:00 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 24 Sep 2002 11:29:00 +0200
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To: <3D8FCB28.3060300@doxpara.com>
References: <3D8F6F80.30707@doxpara.com> <20020924011122.GD2398@jenny.crlsca.adelphia.net> <3D8FCB28.3060300@doxpara.com>
Message-ID: <20020924092859.GC20930@folly>

On Mon, Sep 23, 2002 at 07:17:12PM -0700, Dan Kaminsky wrote:
> 1) Testing calls have preceded releases by 24 hours

shit happens.

From dtucker at zip.com.au Tue Sep 24 21:26:32 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 24 Sep 2002 21:26:32 +1000
Subject: Call for testing for 3.5 OpenSSH
References:
Message-ID: <3D904BE8.43C8D221@zip.com.au>

Ben Lindstrom wrote:
> Issues I know off of right now.
>
> ... Anything else? Cygwin? AIX? ..etc..

There are 2 issues with AIX for which there are fixes that haven't been integrated:

1) http://bugzilla.mindrot.org/show_bug.cgi?id=355
loginsuccess() isn't called on AIX and thus failed login counts are never cleared. This can lead to account lockout. I think this is the right fix (but someone else should check it!):
http://bugzilla.mindrot.org/attachment.cgi?id=141&action=view

2) http://bugzilla.mindrot.org/show_bug.cgi?id=397
strsep() is in libc but isn't defined in the headers unless _LINUX_SOURCE_COMPAT is defined. This doesn't affect GCC, only the native compiler. Apart from the patch, another option could be to have configure define _LINUX_SOURCE_COMPAT for AIX.

Apart from those, I've been running recent builds from CVS on my development systems without problems. I'll re-run the regression tests on AIX & Solaris and post if I find any other problems.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dan at doxpara.com Tue Sep 24 22:01:25 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Tue, 24 Sep 2002 05:01:25 -0700
Subject: Any Crypto Types Around?
Message-ID: <3D905415.8090508@doxpara.com>

Heh All--

I'm investigating some quirkiness in SHA-1; any cryptoanalytical types 'round these parts? Email me privately. Let's not flood the list :-D

--Dan

From gert at greenie.muc.de Tue Sep 24 22:05:42 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 24 Sep 2002 14:05:42 +0200
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To: <3D904BE8.43C8D221@zip.com.au>; from dtucker@zip.com.au on Tue, Sep 24, 2002 at 09:26:32PM +1000
References: <3D904BE8.43C8D221@zip.com.au>
Message-ID: <20020924140542.H9007@greenie.muc.de>

Hi,

On Tue, Sep 24, 2002 at 09:26:32PM +1000, Darren Tucker wrote:
> 2) http://bugzilla.mindrot.org/show_bug.cgi?id=397
> strsep() is in libc but isn't defined in the headers unless
> _LINUX_SOURCE_COMPAT is defined. This doesn't affect GCC, only the
> native compiler. Apart from the patch, another option could be to have
> configure define _LINUX_SOURCE_COMPAT for AIX.

strsep() is a really ugly issue. 4.3.3 "early release level" does NOT have it in libc, later releases do have it in libc and in the header files.

I'd rather not use it, as it makes ssh/sshd compiled with strsep() on those 4.3.3 patch levels that *have* it incompatible with earlier ones (bit me today - it's all "4.3.3" but incompatible inside).

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany   gert at greenie.muc.de
fax: +49-89-35655025   gert.doering at physik.tu-muenchen.de

From cloud at chool.com Tue Sep 24 23:02:55 2002
From: cloud at chool.com (Sam Reynolds)
Date: Tue, 24 Sep 2002 08:02:55 -0500
Subject: OpenSSH -current fails regression on Solaris 8, sshd dumps core
Message-ID: <3D90627F.8000607@chool.com>

On Sun, Sep 22, 2002 at 04:59:30PM -0500, Sam Reynolds wrote:
[snip]
>> >> and since sprintf is a variadic function, one would
>> >> need an explicit cast to the appropriate type.
>>
>> >No, one doesn't. A variadic function interprets pointers based on the
>> >format string, not based on the type given to the compiler.
>>
>> One does for two reasons. The first being a situation where my format
>> string is input from the user, clearly the compiler can't know what the
>> args are going to be at compile time.
>
>In which case, how are you going to know what to cast to?

Oops, what I said there isn't true :) What I intended to say was "The first being a situation where my format string is input from the user, clearly the compiler can't know the *format string* at compile time." As for how you will cast, (you'll prolly have to read the format string) but whatever you decide, you will still have to decide for each of your sprintf calls what they should be cast to, and when you actually call the function, the decision will have been made, and it is based on the types of the arguments passed in (be it by cast or not) that the compiler knows how to deal with the function.

>> Second, if I write my own
>> variadic function the compiler will not know what the arguments to
>> my function are if I don't explicitly cast them (if they are void*).
>
>huh?

Suppose I write a variadic function called addem(). It takes some number of ints, adds them, and returns their sum. No format string here, the compiler still has to know how to setup the function, so it looks at the types of the arguments you pass in, and sets it up from that.

>/fc

Hope this helps

-- 
Sam Reynolds
cloud at chool.com

From vinschen at redhat.com Tue Sep 24 22:57:02 2002
From: vinschen at redhat.com (Corinna Vinschen)
Date: Tue, 24 Sep 2002 14:57:02 +0200
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To:
References:
Message-ID: <20020924145702.K29920@cygbert.vinschen.de>

On Mon, Sep 23, 2002 at 09:17:57AM -0500, Ben Lindstrom wrote:
> ... Anything else? Cygwin? AIX? ..etc..

Cygwin version (net release rules) builds perfectly fine. Runs fine. I can't reproduce Dan's speed issues. It's pretty fast on my box.

OTOH, how do I run the regression tests? I'm just getting an error message:

openssh/src/regress $ make
Makefile:67: *** missing separator. Stop.

Corinna

-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From dan at doxpara.com Tue Sep 24 23:33:04 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Tue, 24 Sep 2002 06:33:04 -0700
Subject: Call for testing for 3.5 OpenSSH
References: <20020924145702.K29920@cygbert.vinschen.de>
Message-ID: <3D906990.30503@doxpara.com>

Corinna Vinschen wrote:
>On Mon, Sep 23, 2002 at 09:17:57AM -0500, Ben Lindstrom wrote:
>>... Anything else? Cygwin? AIX? ..etc..
>
>Cygwin version (net release rules) builds perfectly fine. Runs fine.
>I can't reproduce Dan's speed issues. It's pretty fast on my box.

Strange...maybe it's a quirk of my build environment? We've got a decent number of Cygwin installs around here; I'll check it out.

--Dan

From mouring at etoh.eviladmin.org Tue Sep 24 23:07:14 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 24 Sep 2002 08:07:14 -0500 (CDT) Subject: Call for testing for 3.5 OpenSSH In-Reply-To: <20020924145702.K29920@cygbert.vinschen.de> Message-ID: You need to get 'pmake'. It has not been converted to gnu make as of this time. Or there is a shell script (don't think it is in my mailbox, and I can't go digging for it until tonight) to run the tests. - Ben On Tue, 24 Sep 2002, Corinna Vinschen wrote: > On Mon, Sep 23, 2002 at 09:17:57AM -0500, Ben Lindstrom wrote: > > ... Anything else? Cygwin? AIX? ..etc.. > > Cygwin version (net release rules) builds perfectly fine. Runs fine. > I can't reproduce Dan's speed issues. It's pretty fast on my box. > > OTOH, how do I run the regression tests? I'm just getting an error > message: > > openssh/src/regress $ make > Makefile:67: *** missing separator. Stop. > > > Corinna > > -- > Corinna Vinschen > Cygwin Developer > Red Hat, Inc. > mailto:vinschen at redhat.com > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From dtucker at zip.com.au Tue Sep 24 23:34:59 2002 
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 24 Sep 2002 23:34:59 +1000 Subject: Call for testing for 3.5 OpenSSH References: <20020924145702.K29920@cygbert.vinschen.de> Message-ID: <3D906A03.7AD03CA1@zip.com.au> Corinna Vinschen wrote: > OTOH, how do I run the regression tests? I'm just getting an error > message: Basically: # ./configure && make # cd regress # ./runtests.sh (or pmake, see link below) The tests as shipped are still pretty non-portable. The link below details the problems I found getting them to run on Solaris, AIX and HP-UX. This may help get you started. http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102734348721347 I think there's some support for pushing the (relatively minor) portability changes back into the OpenBSD tree so OpenSSH can ship regress/ unmodified. Do I have that right? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From vinschen at redhat.com Tue Sep 24 23:46:25 2002 From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 24 Sep 2002 15:46:25 +0200 Subject: Call for testing for 3.5 OpenSSH In-Reply-To: References: Message-ID: <20020924154625.M29920@cygbert.vinschen.de> On Mon, Sep 23, 2002 at 09:17:57AM -0500, Ben Lindstrom wrote: > OpenBSD tree is heading into a lock and this includes OpenSSH. So we are > winding up for a 3.5 release. If we can get people to test the current > snapshots and report any problems that would improve the odds that your > platform won't be broke for 3.5. When do you plan to release 3.5p1? I have the problem that I'm offline from next Monday up to early November so I'd be unable to create an official Cygwin net release of OpenSSH if it's later than the coming weekend. Just a question, Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From markus at openbsd.org Tue Sep 24 23:58:25 2002 
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 24 Sep 2002 15:58:25 +0200
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To: <20020924145702.K29920@cygbert.vinschen.de>
References: <20020924145702.K29920@cygbert.vinschen.de>
Message-ID: <20020924135825.GA4771@faui02>

On Tue, Sep 24, 2002 at 02:57:02PM +0200, Corinna Vinschen wrote:
> OTOH, how do I run the regression tests? I'm just getting an error
> message:

you need something like this (or pmake).

#!/bin/sh
pwd=`pwd`
BINS=`dirname $pwd`
PATH="$BINS:$PATH"
export PATH

# Path to binaries to test
TEST_SSH_SSH=$BINS/ssh
TEST_SSH_SSHD=$BINS/sshd
TEST_SSH_SSHAGENT=$BINS/ssh-agent
TEST_SSH_SSHADD=$BINS/ssh-add
TEST_SSH_SSHKEYGEN=$BINS/ssh-keygen
TEST_SSH_SSHKEYSCAN=$BINS/ssh-keyscan
TEST_SSH_SFTP=$BINS/sftp
TEST_SSH_SFTPSERVER=$BINS/sftp-server
export TEST_SSH_SSH TEST_SSH_SSHD TEST_SSH_SSHAGENT TEST_SSH_SSHADD
export TEST_SSH_SSHKEYGEN TEST_SSH_SSHKEYSCAN TEST_SSH_SFTP TEST_SSH_SFTPSERVER

for test in connect \
	proxy-connect \
	connect-privsep \
	proto-version \
	proto-mismatch \
	exit-status \
	transfer \
	stderr-data \
	stderr-after-eof \
	broken-pipe \
	try-ciphers \
	yes-head \
	agent \
	keyscan \
	sftp \
	forwarding ; do
	sh test-exec.sh $pwd $pwd/${test}.sh
done

From mouring at etoh.eviladmin.org Tue Sep 24 23:57:22 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 24 Sep 2002 08:57:22 -0500 (CDT) Subject: Call for testing for 3.5 OpenSSH In-Reply-To: <3D904BE8.43C8D221@zip.com.au> Message-ID: On Tue, 24 Sep 2002, Darren Tucker wrote: > Ben Lindstrom wrote: > > Issues I know off of right now. > > > > ... Anything else? Cygwin? AIX? ..etc.. > > There are 2 issues with AIX for which there are fixes that haven't been > integrated: > > 1) http://bugzilla.mindrot.org/show_bug.cgi?id=355 > loginsuccess() isn't called on AIX an thus failed login counts are never > cleared. This can lead to account lockout. > > I think this is the right fix (but someone else should check it!): > http://bugzilla.mindrot.org/attachment.cgi?id=141&action=view > I'll see if I can look at this tonight since things have settled down until next month. > 2) http://bugzilla.mindrot.org/show_bug.cgi?id=397 > strsep() is in libc but isn't defined in the headers unless > _LINUX_SOURCE_COMPAT is defined. This doesn't affect GCC, only the > native compiler. Apart from the patch, another option could be to have > configure define _LINUX_SOURCE_COMPAT for AIX. > Is this only an issue under 4.3.3 or this also an issue with 5.1? I understand other's concern in regards to sublevels of 4.3.3. I would be willing to set it for all 4.3.3 and lower to use our internal strsep and allow 5.1 to use the native one if 5.1 is fine. Just coding to detect such things is normally ugly. - Ben From wendyp at cray.com Wed Sep 25 01:38:38 2002 
From: wendyp at cray.com (Wendy Palm) Date: Tue, 24 Sep 2002 10:38:38 -0500 Subject: Call for testing for 3.5 OpenSSH References: Message-ID: <3D9086FE.1284D5A5@cray.com> Tim Rice wrote: > > On Mon, 23 Sep 2002, Wendy Palm wrote: > > [snip] > > diff -cr openssh/auth1.c openssh.cray/auth1.c > > *** openssh/auth1.c Wed Sep 11 18:47:30 2002 > > --- openssh.cray/auth1.c Mon Sep 23 12:39:06 2002 > > + #if defined(_CRAY) && ! defined(_CRAYSV2) > > + #include > > + #endif /* _CRAY */ > > Is this because ia.h does not exist on _CRAYSV2 ? > Or because including ia.h breaks on _CRAYSV2 ? > Could we test for ia.h in configure and use HAVE_IA_H ? > > Same question for openssh/auth2.c ia.h does not exist on the sv2. yes, can do the check in configure. > > > *** openssh/session.c Wed Sep 18 20:50:49 2002 > > --- openssh.cray/session.c Mon Sep 23 12:47:35 2002 > > + #if defined(_CRAY) && ! defined(_CRAYSV2) > > + #include > > + #endif > > Can we use HAVE_TMPDIR_H ? however you guys want to do it is fine with me. -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From vinschen at redhat.com Wed Sep 25 01:44:04 2002 From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 24 Sep 2002 17:44:04 +0200 Subject: Call for testing for 3.5 OpenSSH In-Reply-To: <20020924135825.GA4771@faui02> References: <20020924145702.K29920@cygbert.vinschen.de> <20020924135825.GA4771@faui02> Message-ID: <20020924174404.V29920@cygbert.vinschen.de> On Tue, Sep 24, 2002 at 03:58:25PM +0200, Markus Friedl wrote: > On Tue, Sep 24, 2002 at 02:57:02PM +0200, Corinna Vinschen wrote: > > OTOH, how do I run the regression tests? I'm just getting an error > > message: > > you need something like this (or pmake). Thanks. I tried it but... these tests are actually non-portable. I gave up for now. Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From gert at greenie.muc.de Wed Sep 25 01:55:28 2002 
From: gert at greenie.muc.de (Gert Doering) Date: Tue, 24 Sep 2002 17:55:28 +0200 Subject: Call for testing for 3.5 OpenSSH In-Reply-To: ; from mouring@etoh.eviladmin.org on Tue, Sep 24, 2002 at 08:57:22AM -0500 References: <3D904BE8.43C8D221@zip.com.au> Message-ID: <20020924175528.N9007@greenie.muc.de> Hi, On Tue, Sep 24, 2002 at 08:57:22AM -0500, Ben Lindstrom wrote: > > 2) http://bugzilla.mindrot.org/show_bug.cgi?id=397 > > strsep() is in libc but isn't defined in the headers unless > > _LINUX_SOURCE_COMPAT is defined. This doesn't affect GCC, only the > > native compiler. Apart from the patch, another option could be to have > > configure define _LINUX_SOURCE_COMPAT for AIX. > > Is this only an issue under 4.3.3 or this also an issue with 5.1? I > understand other's concern in regards to sublevels of 4.3.3. As far as I understand it's only an issue for 4.3.3, and it only affects binary compatibility between 4.3.3 sublevels. > I would be willing to set it for all 4.3.3 and lower to use our internal > strsep and allow 5.1 to use the native one if 5.1 is fine. Just coding to > detect such things is normally ugly. I think it might just work to do a "don't care" here - if configure finds it (due to headers *and* library being available), use it. If not, use the internal one. I want to vote *against* doing special-casing for AIX here - let them get their headers right. strsep() isn't *that* big, just compile it in. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From kevin at atomicgears.com Wed Sep 25 01:54:36 2002 
From: kevin at atomicgears.com (Kevin Steves)
Date: Tue, 24 Sep 2002 08:54:36 -0700
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To: <3D8FCB28.3060300@doxpara.com>
References: <3D8F6F80.30707@doxpara.com> <20020924011122.GD2398@jenny.crlsca.adelphia.net> <3D8FCB28.3060300@doxpara.com>
Message-ID: <20020924155436.GA1877@jenny.crlsca.adelphia.net>

On Mon, Sep 23, 2002 at 07:17:12PM -0700, Dan Kaminsky wrote:
> Here, lemme see if I can whip up something a bit more useful. I don't
> know exactly what's causing it, but there's a second-level timeout
> somewhere in here. I fired up tethereal, and monitored the inter-packet
> timings on a standard SSH2 login. Here's the absolute timing -- notice
> time-to-password is about 3 seconds, but in CVS we're up to 12.

i see:

02:38:59.242589 10.0.1.37.1697 > 10.0.1.11.22: P 1135:1663(528) ack 1848 win 64112 (DF)
02:38:59.244545 10.0.1.11.22 > 10.0.1.37.1697: P 1848:1928(80) ack 1663 win 17520 (DF)
02:38:59.414651 10.0.1.37.1697 > 10.0.1.11.22: . ack 1928 win 64032 (DF)
02:39:00.128602 10.0.1.37.1697 > 10.0.1.11.22: P 1663:1759(96) ack 1928 win 64032 (DF)
02:39:00.128806 10.0.1.11.22 > 10.0.1.37.1697: P 1928:2008(80) ack 1759 win 17520 (DF)
02:39:00.317401 10.0.1.37.1697 > 10.0.1.11.22: . ack 2008 win 63952 (DF)
02:39:06.771482 10.0.1.37.1697 > 10.0.1.11.22: F 1759:1759(0) ack 2008 win 63952 (DF)
02:39:06.771509 10.0.1.11.22 > 10.0.1.37.1697: . ack 1760 win 17520 (DF)
02:39:06.771825 10.0.1.11.22 > 10.0.1.37.1697: F 2008:2008(0) ack 1760 win 17520 (DF)
02:39:06.772053 10.0.1.37.1697 > 10.0.1.11.22: . ack 2009 win 63952 (DF)

and:

02:39:12.504504 10.0.1.37.1748 > 10.0.1.11.22: P 1127:1655(528) ack 1848 win 64112 (DF)
02:39:12.506264 10.0.1.11.22 > 10.0.1.37.1748: P 1848:1928(80) ack 1655 win 17520 (DF)
02:39:12.511981 10.0.1.37.1748 > 10.0.1.11.22: P 1655:1751(96) ack 1928 win 64032 (DF)
02:39:12.512112 10.0.1.11.22 > 10.0.1.37.1748: P 1928:2008(80) ack 1751 win 17520 (DF)
02:39:12.654619 10.0.1.37.1748 > 10.0.1.11.22: . ack 2008 win 63952 (DF)
02:39:14.723140 10.0.1.37.1748 > 10.0.1.11.22: F 1751:1751(0) ack 2008 win 63952 (DF)
02:39:14.723165 10.0.1.11.22 > 10.0.1.37.1748: . ack 1752 win 17520 (DF)
02:39:14.723476 10.0.1.11.22 > 10.0.1.37.1748: F 2008:2008(0) ack 1752 win 17520 (DF)
02:39:14.723709 10.0.1.37.1748 > 10.0.1.11.22: . ack 2009 win 63952 (DF)

which appears to be a different delay at the password prompt before
entering ^c causing the client to start a close with FIN.

From Olaf.Rogalsky at physik.uni-erlangen.de Wed Sep 25 02:01:41 2002
From: Olaf.Rogalsky at physik.uni-erlangen.de (Olaf Rogalsky)
Date: Tue, 24 Sep 2002 18:01:41 +0200
Subject: BUG: ssh hangs on full stdout-file-system
Message-ID: <3D908C65.C6D10DB1@theorie1.physik.uni-erlangen.de>

System: Linux 2.4.18, openssh-3.4p1

Problem:
I use "ssh" and "tar" to backup remote directory trees to a local
hard-disk/file-system:

# ssh remote.server.org "tar -cz /home" >/backup/remote.tar.gz

If the backup-file-system runs out of space before the backup completes,
ssh starts hanging (waiting for the stdout-write to complete).

Analysis:
In this example it is of course very unlikely, that some space on the
backup-file-system will be freed so that the backup can finish. Instead I
would expect ssh to abort with an error, perhaps after some grace time.
On the other hand there *may* be other situations, where one expects ssh
to hang as it does. But since I am not aware of such an other situation,
I consider this as a bug.

Comments: ?

Olaf Rogalsky

-- 
+----------------------------------------------------------------------+
I Dipl. Phys. Olaf Rogalsky                  Institut f. Theo. Physik I I
I Tel.: 09131 8528440                        Univ. Erlangen-Nuernberg   I
I Fax.: 09131 8528444                        Staudtstrasse 7 B3         I
I rogalsky at theorie1.physik.uni-erlangen.de D-91058 Erlangen           I
+----------------------------------------------------------------------+

From dan at doxpara.com Wed Sep 25 03:22:13 2002
From: dan at doxpara.com (Dan Kaminsky) Date: Tue, 24 Sep 2002 10:22:13 -0700 Subject: Call for testing for 3.5 OpenSSH References: <3D8F6F80.30707@doxpara.com> <20020924011122.GD2398@jenny.crlsca.adelphia.net> <3D8FCB28.3060300@doxpara.com> <20020924155436.GA1877@jenny.crlsca.adelphia.net> Message-ID: <3D909F45.9040904@doxpara.com> > > >which appears to be a different delay at the password prompt before >entering ^c causing the client to start a close with FIN. > > Check out the 800-1000ms hiccups along the way. It's prolly something about my specific compile. --Dan From tim at multitalents.net Wed Sep 25 03:03:49 2002 From: tim at multitalents.net (Tim Rice) Date: Tue, 24 Sep 2002 10:03:49 -0700 (PDT) Subject: Call for testing for 3.5 OpenSSH In-Reply-To: <3D9086FE.1284D5A5@cray.com> Message-ID: Will this patch work for you? It's got everything except your deattack.c patch. On Tue, 24 Sep 2002, Wendy Palm wrote: [snip] > ia.h does not exist on the sv2. yes, can do the check in > configure. > > > > *** openssh/session.c Wed Sep 18 20:50:49 2002 > > > --- openssh.cray/session.c Mon Sep 23 12:47:35 2002 > > > + #if defined(_CRAY) && ! defined(_CRAYSV2) > > > + #include > > > + #endif > > > > Can we use HAVE_TMPDIR_H ? > > however you guys want to do it is fine with me. -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net -------------- next part -------------- --- configure.ac.old Mon Sep 23 16:54:12 2002 +++ configure.ac Tue Sep 24 08:47:08 2002 
@@ -376,14 +376,14 @@ # Checks for header files. AC_CHECK_HEADERS(bstring.h crypt.h endian.h floatingpoint.h \ - getopt.h glob.h lastlog.h limits.h login.h \ + getopt.h glob.h ia.h lastlog.h limits.h login.h \ login_cap.h maillock.h netdb.h netgroup.h \ netinet/in_systm.h paths.h pty.h readpassphrase.h \ rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ strings.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \ sys/mman.h sys/select.h sys/stat.h \ sys/stropts.h sys/sysmacros.h sys/time.h \ - sys/un.h time.h ttyent.h usersec.h \ + sys/un.h time.h tmpdir.h ttyent.h usersec.h \ util.h utime.h utmp.h utmpx.h) # Checks for libraries. --- includes.h.old Thu Jul 18 09:57:09 2002 +++ includes.h Tue Sep 24 08:50:37 2002 @@ -149,6 +149,14 @@ # include #endif +#ifdef HAVE_IA_H +# include +#endif + +#ifdef HAVE_TMPDIR_H +# include +#endif + #include /* For OPENSSL_VERSION_NUMBER */ #include "defines.h" --- auth1.c.orig Thu Sep 12 13:09:26 2002 +++ auth1.c Tue Sep 24 09:07:59 2002 @@ -304,6 +304,15 @@ fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); +# if defined(_CRAY) && ! defined(_CRAYSV2) + if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated) + cray_login_failure(authctxt->user, IA_UDBERR); + if (authenticated && cray_access_denied(authctxt->user)) { + authenticated = 0; + fatal("Access denied for user %s.",authctxt->user); + } +#endif /* _CRAY */ + #ifdef HAVE_CYGWIN if (authenticated && !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, pw)) { --- auth2.c.orig Tue Sep 10 10:09:45 2002 +++ auth2.c Tue Sep 24 09:07:59 2002 @@ -216,6 +216,13 @@ authenticated = 0; #endif /* USE_PAM */ +#if defined(_CRAY) && !defined(_CRAYSV2) + if (authenticated && cray_access_denied(authctxt->user)) { + authenticated = 0; + fatal("Access denied for user %s.",authctxt->user); + } +#endif /* _CRAY */ + /* Log before sending the reply */ auth_log(authctxt, authenticated, method, " ssh2"); 
@@ -235,6 +242,10 @@ if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } +#if defined(_CRAY) && !defined(_CRAYSV2) + if (strcmp(method, "password") == 0) + cray_login_failure(authctxt->user, IA_UDBERR); +#endif /* _CRAY */ methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); --- serverloop.c.orig Mon Sep 23 07:28:01 2002 +++ serverloop.c Tue Sep 24 09:07:59 2002 @@ -144,7 +144,9 @@ int save_errno = errno; debug("Received SIGCHLD."); child_terminated = 1; +#if !defined(_CRAY) || defined(_CRAYSV2) mysignal(SIGCHLD, sigchld_handler); +#endif notify_parent(); errno = save_errno; } --- session.c.orig Mon Sep 23 07:28:02 2002 +++ session.c Tue Sep 24 09:07:59 2002 @@ -519,10 +519,17 @@ perror("dup2 stderr"); #endif /* USE_PIPES */ +#if defined(_CRAY) && ! defined(_CRAYSV2) + cray_init_job(s->pw); /* set up cray jid and tmpdir */ +#endif + /* Do processing for the child (exec command etc). */ do_child(s, command); /* NOTREACHED */ } +#if defined(_CRAY) && ! defined(_CRAYSV2) + signal(WJSIGNAL, cray_job_termination_handler); +#endif /* _CRAY */ #ifdef HAVE_CYGWIN if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); @@ -611,7 +618,12 @@ /* record login, etc. similar to login(1) */ #ifndef HAVE_OSF_SIA if (!(options.use_login && command == NULL)) + { +#if defined(_CRAY) && !defined(_CRAYSV2) + cray_init_job(s->pw); /* set up cray jid and tmpdir */ +#endif /* _CRAY */ do_login(s, command); + } # ifdef LOGIN_NEEDS_UTMPX else do_pre_login(s); @@ -622,6 +634,9 @@ do_child(s, command); /* NOTREACHED */ } +#if defined(_CRAY) && !defined(_CRAYSV2) + signal(WJSIGNAL, cray_job_termination_handler); +#endif /* _CRAY */ #ifdef HAVE_CYGWIN if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); 
@@ -762,6 +777,7 @@ printf("%s\n", aixloginmsg); #endif /* WITH_AIXAUTHENTICATE */ +#if !defined(_CRAY) || defined(_CRAYSV2) if (options.print_lastlog && s->last_login_time != 0) { time_string = ctime(&s->last_login_time); if (strchr(time_string, '\n')) @@ -772,7 +788,7 @@ printf("Last login: %s from %s\r\n", time_string, s->hostname); } - +#endif /* _CRAY */ do_motd(); } @@ -1031,6 +1047,11 @@ child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", original_command); +#if defined(_CRAY) && !defined(_CRAYSV2) + if (cray_tmpdir[0] != '\0') + child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir); +#endif /* _CRAY */ + #ifdef _AIX { char *cp; @@ -1281,6 +1302,10 @@ /* login(1) is only called if we execute the login shell */ if (options.use_login && command != NULL) options.use_login = 0; + +#if defined(_CRAY) && !defined(_CRAYSV2) + cray_setup(pw->pw_uid, pw->pw_name, command); +#endif /* _CRAY */ /* * Login(1) does this as well, and it needs uid 0 for the "-h" From wendyp at cray.com Wed Sep 25 04:01:56 2002 
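Review bot: in the auth1.c and auth2.c hunks the assignment `authenticated = 0;` that precedes `fatal("Access denied for user %s.",authctxt->user);` is dead code, since fatal() never returns; either drop it or, if the intent is to let the normal auth_log() call below record the denial, make the denial non-fatal. In the second auth2.c hunk the new `cray_login_failure(authctxt->user, IA_UDBERR)` call sits after the `if (authctxt->failures++ > AUTH_FAIL_MAX) packet_disconnect(...)` branch, and packet_disconnect() does not return either, so the failed attempt that pushes the count over AUTH_FAIL_MAX is never recorded; moving the call above the failures check fixes that. KNF nits: a space after the comma in the fatal() argument list, and the auth1.c block opens with `# if` but closes with `#endif`.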
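Review bot: the session.c hunks install the job-termination handler with `signal(WJSIGNAL, cray_job_termination_handler)` while the serverloop.c hunk (and the SIGCHLD code it modifies) uses mysignal(); use mysignal() here as well so the handler gets the same semantics as the rest of the tree. None of cray_init_job(), cray_job_termination_handler(), cray_setup(), cray_access_denied(), cray_login_failure(), cray_tmpdir, WJSIGNAL or IA_UDBERR is declared by anything in this diff, so name the header that provides them and make sure includes.h pulls it in under the same condition as the call sites. The `#endif /* _CRAY */` that closes the `#if !defined(_CRAY) || defined(_CRAYSV2)` guard around the print_lastlog block is misleading, because that block is the non-Cray case; either fix the trailing comment or express the intent with a feature macro (a NO_SSH_LASTLOG-style define) so the condition reads as what it disables.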
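Review bot: the configure.ac and includes.h hunks introduce HAVE_IA_H and HAVE_TMPDIR_H, but every code hunk still keys off `defined(_CRAY) && !defined(_CRAYSV2)`, so the configure check only governs the two #includes; if the ia.h-dependent calls (cray_login_failure(), the IA_UDBERR value) were guarded by HAVE_IA_H and the TMPDIR handling by HAVE_TMPDIR_H, the platform test could be dropped from most sites, which is what the thread is asking for. The serverloop.c hunk stops re-arming the SIGCHLD handler with mysignal() on Cray without a comment saying why the re-installation is unwanted there; add one, since a reader cannot tell from the diff whether the handler persists on that platform or is simply lost after the first child exits.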
From: wendyp at cray.com (Wendy Palm)
Date: Tue, 24 Sep 2002 13:01:56 -0500
Subject: Call for testing for 3.5 OpenSSH
References:
Message-ID: <3D90A894.75D548CB@cray.com>

works great! (with the deattack.c patch, of course)

thanks,
wendy

Tim Rice wrote:
> 
> Will this patch work for you?
> It's got everything except your deattack.c patch.
> 
> On Tue, 24 Sep 2002, Wendy Palm wrote:
> 
> [snip]
> > ia.h does not exist on the sv2. yes, can do the check in
> > configure.
> >
> > > > *** openssh/session.c Wed Sep 18 20:50:49 2002
> > > > --- openssh.cray/session.c Mon Sep 23 12:47:35 2002
> > > > + #if defined(_CRAY) && ! defined(_CRAYSV2)
> > > > + #include
> > > > + #endif
> > >
> > > Can we use HAVE_TMPDIR_H ?
> >
> > however you guys want to do it is fine with me.
> 
> --
> Tim Rice Multitalents (707) 887-1469
> tim at multitalents.net
> 
> ------------------------------------------------------------------------
> Name: cray.patch
> cray.patch Type: Plain Text (TEXT/PLAIN)
> Encoding: BASE64

-- 
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From mouring at etoh.eviladmin.org Wed Sep 25 04:30:07 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 24 Sep 2002 13:30:07 -0500 (CDT) Subject: Call for testing for 3.5 OpenSSH In-Reply-To: Message-ID: What of the #if (CRAY..) && !(CRAY..) can be tied to those headers? Or can be detected and normal #ifdef HAVE_FOO can be used? Other than that question I don't have any quarms as long as KNF is applied. There are a few places within the patch that are not in style(8) format. - Ben On Tue, 24 Sep 2002, Tim Rice wrote: > > Will this patch work for you? > It's got everything except your deattack.c patch. > > > On Tue, 24 Sep 2002, Wendy Palm wrote: > > [snip] > > ia.h does not exist on the sv2. yes, can do the check in > > configure. > > > > > > *** openssh/session.c Wed Sep 18 20:50:49 2002 > > > > --- openssh.cray/session.c Mon Sep 23 12:47:35 2002 > > > > + #if defined(_CRAY) && ! defined(_CRAYSV2) > > > > + #include > > > > + #endif > > > > > > Can we use HAVE_TMPDIR_H ? > > > > however you guys want to do it is fine with me. > > -- > Tim Rice Multitalents (707) 887-1469 > tim at multitalents.net > > From mjt at tls.msk.ru Wed Sep 25 05:09:08 2002 
From: mjt at tls.msk.ru (Michael Tokarev) Date: Tue, 24 Sep 2002 23:09:08 +0400 Subject: Call for testing for 3.5 OpenSSH References: Message-ID: <3D90B854.9060003@tls.msk.ru> Ben Lindstrom wrote: [] >>*** 101,111 **** >>--- 101,119 ---- >> if (h == NULL) { >> debug("Installing crc compensation attack detector."); >> n = l; >>+ #if defined(_CRAY) && !defined(_CRAYSV2) >>+ h = (u_int16_t *) xmalloc(n * sizeof(u_int16_t)); >>+ #else >> h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE); >>+ #endif /* _CRAY */ >> } else { >> if (l > n) { >> n = l; >>+ #if defined(_CRAY) && !defined(_CRAYSV2) >>+ h = (u_int16_t *) xrealloc(h, n * sizeof(u_int16_t)); >>+ #else >> h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE); >>+ #endif /* _CRAY */ etc etc. I think this way will be *much* simpler: #if defined(_CRAY) && ! defined(_CRAYSV2) #include #define HASH_ENTRYSIZE sizeof(u_int16_t) #define HASH_UNUSEDCHAR (HASH_UNUSED>>8) #endif /* _CRAY */ and just forgot about this whole hunk? Also, instead of repeating "#if defined(_CRAY) && ! defined(_CRAYSV2)", will it be better to use something like #if defined(_CRAY) && ! defined(_CRAYSV2) # define _CRAY_IA #endif and use #if _CRAY_IA (or whatether) in the rest of places? /mjt From mjt at tls.msk.ru Wed Sep 25 05:16:10 2002 From: mjt at tls.msk.ru (Michael Tokarev) Date: Tue, 24 Sep 2002 23:16:10 +0400 Subject: Call for testing for 3.5 OpenSSH References: Message-ID: <3D90B9FA.5050303@tls.msk.ru> Tim Rice wrote: > --- session.c.orig Mon Sep 23 07:28:02 2002 > +++ session.c Tue Sep 24 09:07:59 2002 > @@ -762,6 +777,7 @@ > printf("%s\n", aixloginmsg); > #endif /* WITH_AIXAUTHENTICATE */ > > +#if !defined(_CRAY) || defined(_CRAYSV2) > if (options.print_lastlog && s->last_login_time != 0) { > time_string = ctime(&s->last_login_time); > if (strchr(time_string, '\n')) 
> @@ -772,7 +788,7 @@ > printf("Last login: %s from %s\r\n", time_string, > s->hostname); > } > - > +#endif /* _CRAY */ > do_motd(); > } > Hmm. I think this may be useful for others as well. #if defined(_CRAY) && !defined(_CRAYSV2) # define NO_SSH_LASTLOG #endif #ifndef NO_SSH_LASTLOG > if (options.print_lastlog && s->last_login_time != 0) { > time_string = ctime(&s->last_login_time); > if (strchr(time_string, '\n')) ... #endif /* NO_SSH_LASTLOG */ /mjt From mouring at etoh.eviladmin.org Wed Sep 25 05:08:06 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 24 Sep 2002 14:08:06 -0500 (CDT) Subject: Call for testing for 3.5 OpenSSH In-Reply-To: <3D90B854.9060003@tls.msk.ru> Message-ID: On Tue, 24 Sep 2002, Michael Tokarev wrote: > Ben Lindstrom wrote: > > [] > >>*** 101,111 **** > >>--- 101,119 ---- > >> if (h == NULL) { > >> debug("Installing crc compensation attack detector."); > >> n = l; > >>+ #if defined(_CRAY) && !defined(_CRAYSV2) > >>+ h = (u_int16_t *) xmalloc(n * sizeof(u_int16_t)); > >>+ #else > >> h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE); > >>+ #endif /* _CRAY */ > >> } else { > >> if (l > n) { > >> n = l; > >>+ #if defined(_CRAY) && !defined(_CRAYSV2) > >>+ h = (u_int16_t *) xrealloc(h, n * sizeof(u_int16_t)); > >>+ #else > >> h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE); > >>+ #endif /* _CRAY */ > > etc etc. I think this way will be *much* simpler: > > #if defined(_CRAY) && ! defined(_CRAYSV2) > #include > #define HASH_ENTRYSIZE sizeof(u_int16_t) > #define HASH_UNUSEDCHAR (HASH_UNUSED>>8) > #endif /* _CRAY */ > > and just forgot about this whole hunk? > No.. If I'm not mistaken (Please, Wendy correct me if I'm wrong) there are other aspects of the code where the #define's are correct. And that is part of the issue here. This has been talked about over the last year or so. > Also, instead of repeating "#if defined(_CRAY) && ! defined(_CRAYSV2)", > will it be better to use something like > > #if defined(_CRAY) && ! defined(_CRAYSV2) > # define _CRAY_IA > #endif > > and use #if _CRAY_IA (or whatether) in the rest of places? > Would be better if we could do #ifdef HAVE_XXX and not have to handle it the current way. However, if it can't be done I'd rather see the Defines() && !define() instead of go digging around looking for this mythical '_CRAY_IA'. From a coding view point it is a one off operation and makes it hard to track code. - Ben From wendyp at cray.com Wed Sep 25 05:29:59 2002 
From: wendyp at cray.com (Wendy Palm) Date: Tue, 24 Sep 2002 14:29:59 -0500 Subject: Call for testing for 3.5 OpenSSH References: <3D90B854.9060003@tls.msk.ru> Message-ID: <3D90BD37.EE93B9DB@cray.com> Michael Tokarev wrote: > > Ben Lindstrom wrote: > > [] > >>*** 101,111 **** > >>--- 101,119 ---- > >> if (h == NULL) { > >> debug("Installing crc compensation attack detector."); > >> n = l; > >>+ #if defined(_CRAY) && !defined(_CRAYSV2) > >>+ h = (u_int16_t *) xmalloc(n * sizeof(u_int16_t)); > >>+ #else > >> h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE); > >>+ #endif /* _CRAY */ > >> } else { > >> if (l > n) { > >> n = l; > >>+ #if defined(_CRAY) && !defined(_CRAYSV2) > >>+ h = (u_int16_t *) xrealloc(h, n * sizeof(u_int16_t)); > >>+ #else > >> h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE); > >>+ #endif /* _CRAY */ > > etc etc. I think this way will be *much* simpler: > > #if defined(_CRAY) && ! defined(_CRAYSV2) > #include > #define HASH_ENTRYSIZE sizeof(u_int16_t) > #define HASH_UNUSEDCHAR (HASH_UNUSED>>8) > #endif /* _CRAY */ > > and just forgot about this whole hunk? > > Also, instead of repeating "#if defined(_CRAY) && ! defined(_CRAYSV2)", > will it be better to use something like > > #if defined(_CRAY) && ! defined(_CRAYSV2) > # define _CRAY_IA > #endif > > and use #if _CRAY_IA (or whatether) in the rest of places? > > /mjt actually, they changed the CRAYSV2 name on me and i've finally got them to straighten out the macros, so this should be changed from #if defined(_CRAY) && !defined(_CRAYSV2) to #ifdef _UNICOS (they changed the name on me after i sent the initial patches in, but didn't have the macros ready for the new name. this only got resolved recently.) the new macro means all the "old" cray machines but not the "new" cray machine (and future machines). i can compile an entirely new patch with this change in it for the whole thing. -- wendy palm Cray OS Sustaining Engineering, Cray Inc. 
wendyp at cray.com, 651-605-9154 From markus at openbsd.org Wed Sep 25 03:06:41 2002 From: markus at openbsd.org (Markus Friedl) Date: Tue, 24 Sep 2002 19:06:41 +0200 Subject: Call for testing for 3.5 OpenSSH In-Reply-To: <3D906A03.7AD03CA1@zip.com.au> References: <20020924145702.K29920@cygbert.vinschen.de> <3D906A03.7AD03CA1@zip.com.au> Message-ID: <20020924170641.GC29287@folly> On Tue, Sep 24, 2002 at 11:34:59PM +1000, Darren Tucker wrote: > I think there's some support for pushing the (relatively minor) > portability changes back into the OpenBSD tree so OpenSSH can ship > regress/ unmodified. Do I have that right? yes, if time permits. From wendyp at cray.com Wed Sep 25 06:38:40 2002 
From: wendyp at cray.com (Wendy Palm) Date: Tue, 24 Sep 2002 15:38:40 -0500 Subject: Call for testing for 3.5 OpenSSH References: Message-ID: <3D90CD50.C295B765@cray.com> Ben Lindstrom wrote: > > On Tue, 24 Sep 2002, Michael Tokarev wrote: > > > Ben Lindstrom wrote: > > > > [] > > >>*** 101,111 **** > > >>--- 101,119 ---- > > >> if (h == NULL) { > > >> debug("Installing crc compensation attack detector."); > > >> n = l; > > >>+ #if defined(_CRAY) && !defined(_CRAYSV2) > > >>+ h = (u_int16_t *) xmalloc(n * sizeof(u_int16_t)); > > >>+ #else > > >> h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE); > > >>+ #endif /* _CRAY */ > > >> } else { > > >> if (l > n) { > > >> n = l; > > >>+ #if defined(_CRAY) && !defined(_CRAYSV2) > > >>+ h = (u_int16_t *) xrealloc(h, n * sizeof(u_int16_t)); > > >>+ #else > > >> h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE); > > >>+ #endif /* _CRAY */ > > > > etc etc. I think this way will be *much* simpler: > > > > #if defined(_CRAY) && ! defined(_CRAYSV2) > > #include > > #define HASH_ENTRYSIZE sizeof(u_int16_t) > > #define HASH_UNUSEDCHAR (HASH_UNUSED>>8) > > #endif /* _CRAY */ > > > > and just forgot about this whole hunk? > > > > No.. If I'm not mistaken (Please, Wendy correct me if I'm wrong) there > are other aspects of the code where the #define's are correct. And > that is part of the issue here. This has been talked about over the last > year or so. i just gave it a try. replacing the 2 sections mentioned above with the # define HASH_ENTRYSIZE sizeof(u_int16_t) seems to work fine. however, the memset still doesn't work for a cray, so that needs to be left as the for loop. cray has 64 bit ints, so if HASH_UNUSED is 0xffff, then shift it 8 ends up with 0xff, which is the same as HASH_UNUSEDCHAR. so i see that really the for loop should be #ifdef _UNICOS for (i=0; i > > Also, instead of repeating "#if defined(_CRAY) && ! defined(_CRAYSV2)", > > will it be better to use something like > > > > #if defined(_CRAY) && ! 
defined(_CRAYSV2) > > # define _CRAY_IA > > #endif > > > > and use #if _CRAY_IA (or whatether) in the rest of places? > > > > Would be better if we could do #ifdef HAVE_XXX and not have to handle it > the current way. However, if it can't be done I'd rather see the > Defines() && !define() instead of go digging around looking for this > mythical '_CRAY_IA'. From a coding view point it is a one off operation > and makes it hard to track code. > > - Ben i know this crossed emails, but i'll include it here for completeness. the whole #if defined(_CRAY) && !defined(_CRAYSV2) can now be replaced with #ifdef _UNICOS i'd be happy to create a patch with all the changes. -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From markus at openbsd.org Wed Sep 25 07:02:02 2002 From: markus at openbsd.org (Markus Friedl) Date: Tue, 24 Sep 2002 23:02:02 +0200 Subject: Call for testing for 3.5 OpenSSH In-Reply-To: <3D90CD50.C295B765@cray.com> References: <3D90CD50.C295B765@cray.com> Message-ID: <20020924210201.GA10837@faui02> On Tue, Sep 24, 2002 at 03:38:40PM -0500, Wendy Palm wrote: > cray has 64 bit ints, so if HASH_UNUSED is 0xffff, then shift it 8 hm, is there a u_int32t, too ? From bugzilla-daemon at mindrot.org Wed Sep 25 07:04:25 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 25 Sep 2002 07:04:25 +1000 (EST)
Subject: [Bug 402] Suggested sshrc script unsafe
Message-ID: <20020924210425.BD21B3D1D2@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=402

todd at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From todd at openbsd.org 2002-09-25 07:04 -------
commit'ed to the OpenBSD tree; thanks for the catch!

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From wendyp at cray.com Wed Sep 25 07:13:54 2002
From: wendyp at cray.com (Wendy Palm)
Date: Tue, 24 Sep 2002 16:13:54 -0500
Subject: Call for testing for 3.5 OpenSSH
References: <3D90CD50.C295B765@cray.com> <20020924210201.GA10837@faui02>
Message-ID: <3D90D592.325D20E6@cray.com>

Markus Friedl wrote:
>
> On Tue, Sep 24, 2002 at 03:38:40PM -0500, Wendy Palm wrote:
> > cray has 64 bit ints, so if HASH_UNUSED is 0xffff, then shift it 8
>
> hm, is there a u_int32t, too ?

on a pvp cray all ints are 64 bit. char is 8 bit.
on a t3e cray, char is 8bit, short is 32bit, int, long, longlong are 64bit.

--
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From tim at multitalents.net Wed Sep 25 08:39:22 2002
From: tim at multitalents.net (Tim Rice)
Date: Tue, 24 Sep 2002 15:39:22 -0700 (PDT)
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To: <3D90BD37.EE93B9DB@cray.com>
Message-ID:

So something like this patch?

On Tue, 24 Sep 2002, Wendy Palm wrote:

[snip]
> actually, they changed the CRAYSV2 name on me and i've finally
> got them to straighten out the macros, so this should be changed from
> #if defined(_CRAY) && !defined(_CRAYSV2)
> to
> #ifdef _UNICOS
[snip]
> i can compile an entirely new patch with this change in it for
> the whole thing.

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

-------------- next part --------------
--- configure.ac.old Mon Sep 23 16:54:12 2002 +++ configure.ac Tue Sep 24 08:47:08 2002 @@ -376,14 +376,14 @@ # Checks for header files. AC_CHECK_HEADERS(bstring.h crypt.h endian.h floatingpoint.h \ - getopt.h glob.h lastlog.h limits.h login.h \ + getopt.h glob.h ia.h lastlog.h limits.h login.h \ login_cap.h maillock.h netdb.h netgroup.h \ netinet/in_systm.h paths.h pty.h readpassphrase.h \ rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ strings.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \ sys/mman.h sys/select.h sys/stat.h \ sys/stropts.h sys/sysmacros.h sys/time.h \ - sys/un.h time.h ttyent.h usersec.h \ + sys/un.h time.h tmpdir.h ttyent.h usersec.h \ util.h utime.h utmp.h utmpx.h) # Checks for libraries. --- defines.h.old Wed Aug 21 08:08:49 2002 +++ defines.h Tue Sep 24 14:50:25 2002 @@ -124,7 +124,7 @@ # if (SIZEOF_SHORT_INT == 2) typedef short int int16_t; # else -# if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS # if (SIZEOF_SHORT_INT == 4) typedef short int16_t; # else
@@ -132,16 +132,16 @@ # endif # else # error "16 bit int type not found." -# endif /* _CRAY */ +# endif /* _UNICOS */ # endif # if (SIZEOF_INT == 4) typedef int int32_t; # else -# if defined(_CRAY) && !defined(_CRAYSV2) +# ifdef _UNICOS typedef long int32_t; # else # error "32 bit int type not found." -# endif /* _CRAY */ +# endif /* _UNICOS */ # endif #endif @@ -161,7 +161,7 @@ # if (SIZEOF_SHORT_INT == 2) typedef unsigned short int u_int16_t; # else -# if defined(_CRAY) && !defined(_CRAYSV2) +# ifdef _UNICOS # if (SIZEOF_SHORT_INT == 4) typedef unsigned short u_int16_t; # else @@ -174,7 +174,7 @@ # if (SIZEOF_INT == 4) typedef unsigned int u_int32_t; # else -# if defined(_CRAY) && !defined(_CRAYSV2) +# ifdef _UNICOS typedef unsigned long u_int32_t; # else # error "32 bit int type not found." --- includes.h.old Thu Jul 18 09:57:09 2002 +++ includes.h Tue Sep 24 08:50:37 2002 @@ -149,6 +149,14 @@ # include #endif +#ifdef HAVE_IA_H +# include +#endif + +#ifdef HAVE_TMPDIR_H +# include +#endif + #include /* For OPENSSL_VERSION_NUMBER */ #include "defines.h" --- auth1.c.orig Thu Sep 12 13:09:26 2002 +++ auth1.c Tue Sep 24 14:36:30 2002 @@ -304,6 +304,15 @@ fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); +#ifdef _UNICOS + if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated) + cray_login_failure(authctxt->user, IA_UDBERR); + if (authenticated && cray_access_denied(authctxt->user)) { + authenticated = 0; + fatal("Access denied for user %s.",authctxt->user); + } +#endif /* _UNICOS */ + #ifdef HAVE_CYGWIN if (authenticated && !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, pw)) { --- auth2.c.orig Tue Sep 10 10:09:45 2002 +++ auth2.c Tue Sep 24 14:37:05 2002 
@@ -216,6 +216,13 @@ authenticated = 0; #endif /* USE_PAM */ +#ifdef _UNICOS + if (authenticated && cray_access_denied(authctxt->user)) { + authenticated = 0; + fatal("Access denied for user %s.",authctxt->user); + } +#endif /* _UNICOS */ + /* Log before sending the reply */ auth_log(authctxt, authenticated, method, " ssh2"); @@ -235,6 +242,10 @@ if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } +#ifdef _UNICOS + if (strcmp(method, "password") == 0) + cray_login_failure(authctxt->user, IA_UDBERR); +#endif /* _UNICOS */ methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); --- loginrec.c.old Wed Jul 24 15:00:48 2002 +++ loginrec.c Tue Sep 24 14:50:41 2002 @@ -622,13 +622,13 @@ switch (li->type) { case LTYPE_LOGIN: ut->ut_type = USER_PROCESS; -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS cray_set_tmpdir(ut); #endif break; case LTYPE_LOGOUT: ut->ut_type = DEAD_PROCESS; -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS cray_retain_utmp(ut, li->pid); #endif break; --- serverloop.c.orig Mon Sep 23 07:28:01 2002 +++ serverloop.c Tue Sep 24 15:28:06 2002 @@ -144,7 +144,9 @@ int save_errno = errno; debug("Received SIGCHLD."); child_terminated = 1; +#ifndef _UNICOS mysignal(SIGCHLD, sigchld_handler); +#endif notify_parent(); errno = save_errno; } --- session.c.orig Mon Sep 23 07:28:02 2002 +++ session.c Tue Sep 24 15:29:53 2002 @@ -519,10 +519,17 @@ perror("dup2 stderr"); #endif /* USE_PIPES */ +#ifdef _UNICOS + cray_init_job(s->pw); /* set up cray jid and tmpdir */ +#endif + /* Do processing for the child (exec command etc). */ do_child(s, command); /* NOTREACHED */ } +#ifdef _UNICOS + signal(WJSIGNAL, cray_job_termination_handler); +#endif /* _UNICOS */ #ifdef HAVE_CYGWIN if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); 
@@ -610,8 +617,12 @@ /* record login, etc. similar to login(1) */ #ifndef HAVE_OSF_SIA - if (!(options.use_login && command == NULL)) + if (!(options.use_login && command == NULL)) { +#ifdef _UNICOS + cray_init_job(s->pw); /* set up cray jid and tmpdir */ +#endif /* _UNICOS */ do_login(s, command); + } # ifdef LOGIN_NEEDS_UTMPX else do_pre_login(s); @@ -622,6 +633,9 @@ do_child(s, command); /* NOTREACHED */ } +#ifdef _UNICOS + signal(WJSIGNAL, cray_job_termination_handler); +#endif /* _UNICOS */ #ifdef HAVE_CYGWIN if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); @@ -762,6 +776,7 @@ printf("%s\n", aixloginmsg); #endif /* WITH_AIXAUTHENTICATE */ +#ifndef _UNICOS if (options.print_lastlog && s->last_login_time != 0) { time_string = ctime(&s->last_login_time); if (strchr(time_string, '\n')) @@ -772,6 +787,7 @@ printf("Last login: %s from %s\r\n", time_string, s->hostname); } +#endif /* _UNICOS */ do_motd(); } @@ -1031,6 +1047,11 @@ child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", original_command); +#ifdef _UNICOS + if (cray_tmpdir[0] != '\0') + child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir); +#endif /* _UNICOS */ + #ifdef _AIX { char *cp; @@ -1281,6 +1302,10 @@ /* login(1) is only called if we execute the login shell */ if (options.use_login && command != NULL) options.use_login = 0; + +#ifdef _UNICOS + cray_setup(pw->pw_uid, pw->pw_name, command); +#endif /* _UNICOS */ /* * Login(1) does this as well, and it needs uid 0 for the "-h" --- sshd.c.old Mon Sep 23 07:28:03 2002 +++ sshd.c Tue Sep 24 14:50:51 2002 @@ -940,7 +940,7 @@ SYSLOG_FACILITY_AUTH : options.log_facility, !inetd_flag); -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS /* Cray can define user privs drop all prives now! * Not needed on PRIV_SU systems! */ --- sshpty.c.old Wed Jul 24 15:00:49 2002 +++ sshpty.c Tue Sep 24 14:51:21 2002 
@@ -162,7 +162,7 @@ } return 1; #else /* HAVE_DEV_PTS_AND_PTC */ -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS char buf[64]; int i; int highpty; @@ -268,7 +268,7 @@ void *old; #endif /* USE_VHANGUP */ -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS if (setsid() < 0) error("setsid: %.100s", strerror(errno)); @@ -290,7 +290,7 @@ error("%.100s: %.100s", ttyname, strerror(errno)); close(*ttyfd); *ttyfd = fd; -#else /* _CRAY */ +#else /* _UNICOS */ /* First disconnect from the old controlling tty. */ #ifdef TIOCNOTTY @@ -345,7 +345,7 @@ strerror(errno)); else close(fd); -#endif /* _CRAY */ +#endif /* _UNICOS */ } /* Changes the window size associated with the pty. */ --- openbsd-compat/bsd-cray.c.old Wed Jul 24 15:00:52 2002 +++ openbsd-compat/bsd-cray.c Tue Sep 24 14:46:13 2002 @@ -34,7 +34,7 @@ * on UNICOS systems. * */ -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS #include #include --- openbsd-compat/bsd-cray.h.old Wed Jul 24 15:00:52 2002 +++ openbsd-compat/bsd-cray.h Tue Sep 24 14:46:43 2002 @@ -37,7 +37,7 @@ #ifndef _BSD_CRAY_H #define _BSD_CRAY_H -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS void cray_init_job(struct passwd *); /* init cray job */ void cray_job_termination_handler(int); /* process end of job signal */ void cray_login_failure(char *username, int errcode); From wendyp at cray.com Wed Sep 25 08:59:39 2002 
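Review bot: In the auth1.c hunk and the first auth2.c hunk, the `authenticated = 0;` that precedes `fatal("Access denied for user %s.",authctxt->user);` can never be observed, because fatal() ends the process; in auth2.c that also means a cray_access_denied() hit skips the `auth_log(authctxt, authenticated, method, " ssh2");` that the following context line runs for every other outcome. Either drop the dead assignment and keep the hard disconnect, or clear `authenticated` and let the normal failure path log and reply before disconnecting.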
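Review bot: In the second auth2.c hunk, `cray_login_failure(authctxt->user, IA_UDBERR);` sits after the `if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(...) }` check, so the password failure that pushes the count over AUTH_FAIL_MAX is never reported to cray_login_failure() if packet_disconnect() does not return; moving the `#ifdef _UNICOS` block above that check records every failed password attempt.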
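Review bot: The serverloop.c hunk stops re-arming the handler with `mysignal(SIGCHLD, sigchld_handler);` under `#ifndef _UNICOS` but gives no reason; a reader of sigchld_handler() cannot tell whether skipping the re-install on UNICOS is deliberate (for instance because of the WJSIGNAL handler the session.c hunks install with `signal(WJSIGNAL, cray_job_termination_handler);`) or an oversight, so add a one-line comment naming the reason.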
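Review bot: The session.c hunk that wraps the "Last login:" printing in `#ifndef _UNICOS` ... `#endif /* _UNICOS */` is a platform test around a generic feature; a feature macro defined from configure (NO_SSH_LASTLOG as proposed elsewhere in this thread, or DISABLE_LASTLOG as loginrec.c already uses) would let any platform opt out of printing the last login without adding another Cray-specific conditional to session.c.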
From: wendyp at cray.com (Wendy Palm)
Date: Tue, 24 Sep 2002 17:59:39 -0500
Subject: Call for testing for 3.5 OpenSSH
References:
Message-ID: <3D90EE5B.BCE550A5@cray.com>

that looks right. i'll try and give it a try tonight, but i need to leave
for a couple of hours now.

wendy

Tim Rice wrote:
>
> So something like this patch?
>
> On Tue, 24 Sep 2002, Wendy Palm wrote:
>
> [snip]
> > actually, they changed the CRAYSV2 name on me and i've finally
> > got them to straighten out the macros, so this should be changed from
> > #if defined(_CRAY) && !defined(_CRAYSV2)
> > to
> > #ifdef _UNICOS
> [snip]
> > i can compile an entirely new patch with this change in it for
> > the whole thing.
>
> --
> Tim Rice Multitalents (707) 887-1469
> tim at multitalents.net
>
> Name: cray.patch
> cray.patch Type: Plain Text (TEXT/PLAIN)
> Encoding: BASE64

--
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From bugzilla-daemon at mindrot.org Wed Sep 25 14:34:10 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 25 Sep 2002 14:34:10 +1000 (EST)
Subject: [Bug 401] ipv4 mapped address (ipv4 in ipv6) and ipv6 support fix
Message-ID: <20020925043410.497713D19E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=401

------- Additional Comments From djm at mindrot.org 2002-09-25 14:33 -------
I am not sure I understand this patch completely - I can't see anything
relating to scope-id. is the scope-id incompatibility because of different
sized sockaddr_in6 structure lengths?

How does the problem manifest in unpatched OpenSSH?

From djm at mindrot.org Wed Sep 25 14:38:12 2002
From: djm at mindrot.org (Damien Miller)
Date: 25 Sep 2002 14:38:12 +1000
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To: <20020924011815.GE2398@jenny.crlsca.adelphia.net>
References: <20020924011815.GE2398@jenny.crlsca.adelphia.net>
Message-ID: <1032928692.5126.32.camel@argon>

On Tue, 2002-09-24 at 11:18, Kevin Steves wrote:
> i guess we also ship with PAM password change remaining disabled.
> have not seen any feedback on solar's patch (which is in the
> tree but remains #if 0 in auth-pam.c).

It looks like it needs some monitor work as well.

-d

From bugzilla-daemon at mindrot.org Wed Sep 25 15:04:33 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 25 Sep 2002 15:04:33 +1000 (EST)
Subject: [Bug 401] ipv4 mapped address (ipv4 in ipv6) and ipv6 support fix
Message-ID: <20020925050433.A586D3D149@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=401

------- Additional Comments From yoshfuji at linux-ipv6.org 2002-09-25 15:04 -------
>is the scope-id incompatibility because of different sized
>sockaddr_in6 structure lengths?

Yes, if you try to run sshd with ipv6 support with glibc-2.2 on linux-2.2,
sshd disconnects any connections. This is because
- kernel gives sshd sockaddr_in6 without sin6_scope_id (size is 24 bytes)
- glibc-2.2 expects sockaddr_in6 is 28 bytes long and
  getnameinfo() failed because length is different than one expected.

>How does the problem manifest in unpatched OpenSSH?
|# sshd -6 -d
|:
|debug1: Bind to port 22 on ::.
|Server listening on :: port 22.
|Generating 768 bit RSA key.
|RSA key generation complete.
|debug1: Server will not fork when running in debugging mode.

When I connect to this sshd, sshd disconnects immediately.

|% ssh -v 127.0.0.1
:
|debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
|debug1: Connection established.
:
|ssh_exchange_identification: Connection closed by remote host
|debug1: Calling cleanup 0x8064174(0x0)

sshd debug messages are:

|get_sock_port: getnameinfo NI_NUMERICSERV failed
|debug1: Calling cleanup 0x806be4c(0x0)

From pekkas at netcore.fi Wed Sep 25 15:16:02 2002
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 25 Sep 2002 08:16:02 +0300 (EEST)
Subject: [Bug 401] ipv4 mapped address (ipv4 in ipv6) and ipv6 support fix
In-Reply-To: <20020925050433.A586D3D149@shitei.mindrot.org>
Message-ID:

Personally I think this is a bit non-issue. "Don't do IPv6 with 2.2 kernel"
is what the users have been told for ages and ages.

On Wed, 25 Sep 2002 bugzilla-daemon at mindrot.org wrote:
> http://bugzilla.mindrot.org/show_bug.cgi?id=401
>
> ------- Additional Comments From yoshfuji at linux-ipv6.org 2002-09-25 15:04 -------
> >is the scope-id incompatibility because of different sized
> >sockaddr_in6 structure lengths?
>
> Yes, if you try to run sshd with ipv6 support with glibc-2.2 on linux-2.2,
> sshd disconnects any connections. This is because
> - kernel gives sshd sockaddr_in6 without sin6_scope_id (size is 24 bytes)
> - glibc-2.2 expects sockaddr_in6 is 28 bytes long and
>   getnameinfo() failed because length is different than one expected.
>
> >How does the problem manifest in unpatched OpenSSH?
> |# sshd -6 -d
> |:
> |debug1: Bind to port 22 on ::.
> |Server listening on :: port 22.
> |Generating 768 bit RSA key.
> |RSA key generation complete.
> |debug1: Server will not fork when running in debugging mode.
>
> When I connect to this sshd, sshd disconnects immediately.
>
> |% ssh -v 127.0.0.1
> :
> |debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
> |debug1: Connection established.
> :
> |ssh_exchange_identification: Connection closed by remote host
> |debug1: Calling cleanup 0x8064174(0x0)
>
> sshd debug messages are:
>
> |get_sock_port: getnameinfo NI_NUMERICSERV failed
> |debug1: Calling cleanup 0x806be4c(0x0)
--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From bugzilla-daemon at mindrot.org Wed Sep 25 15:21:22 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 25 Sep 2002 15:21:22 +1000 (EST)
Subject: [Bug 401] ipv4 mapped address (ipv4 in ipv6) and ipv6 support fix
Message-ID: <20020925052122.CB53D3D1CA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=401

------- Additional Comments From djm at mindrot.org 2002-09-25 15:21 -------
OK - I understand now. We generally try to "#ifdef (platform)" in portable
OpenSSH. Would your patch work if it were changed to do something like:

if (addr.ss_family == AF_INET6)
	fromlen = MIN(fromlen, sizeof(struct sockaddr_in6));

From dtucker at zip.com.au Wed Sep 25 15:44:06 2002
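The length normalisation djm proposes for Bug 401 above, written out as an added example; it is not OpenSSH's get_sock_port() nor the patch attached to the bug. It generalises the MIN() to both directions, which is safe because the sockaddr_storage is zero-filled before the kernel writes into it: a 24-byte Linux 2.2 address gets padded to 28 with a zero sin6_scope_id, and an over-long length gets clamped. The names normalize_salen(), port_from_sockaddr() and run_case() are this example's own, and the peer address [::1]:22 is constructed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE           /* getnameinfo() and sockaddr_storage on glibc */
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Length getnameinfo() should be given for a known address family; an
 * unknown family is passed through as the kernel reported it. */
socklen_t normalize_salen(const struct sockaddr_storage *ss, socklen_t salen)
{
	switch (ss->ss_family) {
	case AF_INET:
		return sizeof(struct sockaddr_in);
	case AF_INET6:
		return sizeof(struct sockaddr_in6);
	default:
		return salen;
	}
}

/* Stand-in for the tail of get_sock_port(): the numeric port via
 * getnameinfo(NI_NUMERICSERV), or -1 when getnameinfo() rejects the
 * address (the "getnameinfo NI_NUMERICSERV failed" case in the report). */
int port_from_sockaddr(struct sockaddr_storage *ss, socklen_t salen, int normalize)
{
	char strport[32];
	socklen_t len = normalize ? normalize_salen(ss, salen) : salen;

	if (getnameinfo((struct sockaddr *)ss, len, NULL, 0,
	    strport, sizeof(strport), NI_NUMERICHOST | NI_NUMERICSERV) != 0)
		return -1;
	return atoi(strport);
}

/* Constructed peer [::1]:22 written into a zeroed sockaddr_storage, the way
 * accept()/getpeername() would fill it.  reported_len plays the socklen the
 * kernel handed back: 24 mimics Linux 2.2 (no sin6_scope_id),
 * sizeof(struct sockaddr_storage) an over-long one. */
int run_case(socklen_t reported_len, int normalize)
{
	struct sockaddr_storage ss;
	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss;

	memset(&ss, 0, sizeof(ss));
	sin6->sin6_family = AF_INET6;
	sin6->sin6_port = htons(22);
	sin6->sin6_addr.s6_addr[15] = 1;      /* ::1 */
	return port_from_sockaddr(&ss, reported_len, normalize);
}
```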
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 25 Sep 2002 15:44:06 +1000
Subject: Call for testing for 3.5 OpenSSH
References: <3D904BE8.43C8D221@zip.com.au> <20020924175528.N9007@greenie.muc.de>
Message-ID: <3D914D26.35A0322A@zip.com.au>

Gert Doering wrote:
> On Tue, Sep 24, 2002 at 08:57:22AM -0500, Ben Lindstrom wrote:
> > > 2) http://bugzilla.mindrot.org/show_bug.cgi?id=397
> > > strsep() is in libc but isn't defined in the headers unless
> > > _LINUX_SOURCE_COMPAT is defined. This doesn't affect GCC, only the
> > > native compiler. Apart from the patch, another option could be to have
> > > configure define _LINUX_SOURCE_COMPAT for AIX.
> >
> > Is this only an issue under 4.3.3 or this also an issue with 5.1? I
> > understand other's concern in regards to sublevels of 4.3.3.
>
> As far as I understand it's only an issue for 4.3.3, and it only affects
> binary compatibility between 4.3.3 sublevels.

It also affects builds using the native compiler on higher maintenance
levels, see below.

> > I would be willing to set it for all 4.3.3 and lower to use our internal
> > strsep and allow 5.1 to use the native one if 5.1 is fine. Just coding to
> > detect such things is normally ugly.
>
> I think it might just work to do a "don't care" here - if configure finds
> it (due to headers *and* library being available), use it. If not, use
> the internal one.

I don't care either, as long as it works, however as it stands it won't
compile at all on 4.3.3.x using xlc.

On 4.3.3.x with the default compiler flags, strsep is in the library but not
the header. Configure finds strsep in libc (because it's there) and defines
HAVE_STRSEP but as it has no prototype xlc throws a type mismatch. (For
values of x>6? Which ML introduced the change to libc?)

> I want to vote *against* doing special-casing for AIX here - let them
> get their headers right. strsep() isn't *that* big, just compile it in.
You might be able to do a better check in configure, but the stock test is
fooled (I think because the test contains "char $ac_func ();"

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From markus at openbsd.org Wed Sep 25 06:55:39 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 24 Sep 2002 22:55:39 +0200
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To: <3D90B9FA.5050303@tls.msk.ru>
References: <3D90B9FA.5050303@tls.msk.ru>
Message-ID: <20020924205539.GA3886@folly>

On Tue, Sep 24, 2002 at 11:16:10PM +0400, Michael Tokarev wrote:
> Hmm. I think this may be useful for others as well.
>
> #if defined(_CRAY) && !defined(_CRAYSV2)
> # define NO_SSH_LASTLOG
> #endif
>
> #ifndef NO_SSH_LASTLOG
> > if (options.print_lastlog && s->last_login_time != 0) {
> > time_string = ctime(&s->last_login_time);
> > if (strchr(time_string, '\n'))
> ...
> #endif /* NO_SSH_LASTLOG */

yes, i think this is better.

From rudsve at drewag.de Wed Sep 25 20:28:50 2002
From: rudsve at drewag.de (Sven Rudolph)
Date: 25 Sep 2002 12:28:50 +0200
Subject: NGROUPS_MAX
Message-ID:

Currently openssh (3.4p1) relies on the NGROUPS_MAX define. This makes
the number of allowed simultaneous (per-user) secondary groups a
compile-time decision.

$ find . -name \*.c | xargs grep NGROUPS_MAX
./groupaccess.c:static char *groups_byname[NGROUPS_MAX + 1]; /* +1 for base/primary group */
./groupaccess.c: gid_t groups_bygid[NGROUPS_MAX + 1];
./uidswap.c:static gid_t saved_egroups[NGROUPS_MAX], user_groups[NGROUPS_MAX];
./uidswap.c: saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups);
./uidswap.c: user_groupslen = getgroups(NGROUPS_MAX, user_groups);

POSIX defined sysconf in order to avoid this.

By using sysconf(_SC_NGROUPS_MAX) this value is determined at
run-time.

Sven

From mouring at etoh.eviladmin.org Wed Sep 25 22:56:10 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 25 Sep 2002 07:56:10 -0500 (CDT)
Subject: [Bug 401] ipv4 mapped address (ipv4 in ipv6) and ipv6 support fix
In-Reply-To:
Message-ID:

It was my impression that Linux 2.2 kernel's IPv6 support is pretty much
non-existent. It barely works and is barely supported. 2.4 is when IPv6
actually became useful.

So I agree with Pekka. I'm not sure we want this.

- Ben

On Wed, 25 Sep 2002, Pekka Savola wrote:

> Personally I think this is a bit non-issue. "Don't do IPv6 with 2.2
> kernel" is what the users have been told for ages and ages.
>
> On Wed, 25 Sep 2002 bugzilla-daemon at mindrot.org wrote:
> > http://bugzilla.mindrot.org/show_bug.cgi?id=401
> >
> > ------- Additional Comments From yoshfuji at linux-ipv6.org 2002-09-25 15:04 -------
> > >is the scope-id incompatibility because of different sized
> > >sockaddr_in6 structure lengths?
> >
> > Yes, if you try to run sshd with ipv6 support with glibc-2.2 on linux-2.2,
> > sshd disconnects any connections. This is because
> > - kernel gives sshd sockaddr_in6 without sin6_scope_id (size is 24 bytes)
> > - glibc-2.2 expects sockaddr_in6 is 28 bytes long and
> >   getnameinfo() failed because length is different than one expected.
> >
> > >How does the problem manifest in unpatched OpenSSH?
> > |# sshd -6 -d
> > |:
> > |debug1: Bind to port 22 on ::.
> > |Server listening on :: port 22.
> > |Generating 768 bit RSA key.
> > |RSA key generation complete.
> > |debug1: Server will not fork when running in debugging mode.
> >
> > When I connect to this sshd, sshd disconnects immediately.
> >
> > |% ssh -v 127.0.0.1
> > :
> > |debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
> > |debug1: Connection established.
> > :
> > |ssh_exchange_identification: Connection closed by remote host
> > |debug1: Calling cleanup 0x8064174(0x0)
> >
> > sshd debug messages are:
> >
> > |get_sock_port: getnameinfo NI_NUMERICSERV failed
> > |debug1: Calling cleanup 0x806be4c(0x0)
>
> --
> Pekka Savola                 "Tell me of difficulties surmounted,
> Netcore Oy                    not those you stumble over and fall"
> Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From mouring at etoh.eviladmin.org Wed Sep 25 23:01:30 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 25 Sep 2002 08:01:30 -0500 (CDT)
Subject: NGROUPS_MAX
In-Reply-To:
Message-ID:

However, a lot of platforms don't support sysconf() and since we are
heading into a lock I think we should hold off breaking platforms until
next release.

- Ben

On 25 Sep 2002, Sven Rudolph wrote:

> Currently openssh (3.4p1) relies on the NGROUPS_MAX define. This makes
> the number of allowed simultaneous (per-user) secondary groups a
> compile-time decision.
>
> $ find . -name \*.c | xargs grep NGROUPS_MAX
> ./groupaccess.c:static char *groups_byname[NGROUPS_MAX + 1]; /* +1 for base/primary group */
> ./groupaccess.c: gid_t groups_bygid[NGROUPS_MAX + 1];
> ./uidswap.c:static gid_t saved_egroups[NGROUPS_MAX], user_groups[NGROUPS_MAX];
> ./uidswap.c: saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups);
> ./uidswap.c: user_groupslen = getgroups(NGROUPS_MAX, user_groups);
>
> POSIX defined sysconf in order to avoid this.
>
> By using sysconf(_SC_NGROUPS_MAX) this value is determined at
> run-time.
>
> Sven

From barel_bhai at yahoo.com Thu Sep 26 00:31:54 2002
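The run-time sizing Sven proposes, with the fallback Ben's reply calls for on platforms that lack sysconf(), as an added example; this is not OpenSSH's uidswap.c or groupaccess.c. The functions ngroups_limit(), fetch_groups() and groups_fit_limit() are this example's own names, and the 16 used when a platform defines no NGROUPS_MAX at all is the POSIX minimum, assumed here rather than taken from the thread.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* sysconf(), getgroups() on glibc */
#endif
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <unistd.h>

#ifndef NGROUPS_MAX
#define NGROUPS_MAX 16         /* assumed POSIX minimum; only if the platform defines none */
#endif

/* Largest supplementary-group count this system allows, found at run time
 * where sysconf(_SC_NGROUPS_MAX) exists, and taken from the compile-time
 * NGROUPS_MAX where sysconf() is missing or reports "indeterminate" (-1). */
long ngroups_limit(void)
{
	long n = -1;
#ifdef _SC_NGROUPS_MAX
	errno = 0;
	n = sysconf(_SC_NGROUPS_MAX);
#endif
	if (n < 0)
		n = NGROUPS_MAX;
	return n > 0 ? n : 1;
}

/* getgroups() into a heap array sized from ngroups_limit(), plus one slot
 * for the primary gid as the "+1 for base/primary group" comment in the
 * grep output above does.  Returns the count or -1; the caller frees *out. */
int fetch_groups(gid_t **out)
{
	long slots = ngroups_limit() + 1;
	gid_t *groups = calloc((size_t)slots, sizeof(*groups));
	int n;

	if (groups == NULL)
		return -1;
	n = getgroups((int)slots, groups);   /* EINVAL only if slots is too small */
	if (n < 0) {
		free(groups);
		return -1;
	}
	*out = groups;
	return n;
}

/* 1 when the calling process's group list fits the run-time limit,
 * 0 when it does not, -1 when the list could not be fetched. */
int groups_fit_limit(void)
{
	gid_t *groups = NULL;
	int n = fetch_groups(&groups);

	if (n < 0)
		return -1;
	free(groups);
	return n <= ngroups_limit() + 1;
}
```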
From: barel_bhai at yahoo.com (raam raam)
Date: Wed, 25 Sep 2002 07:31:54 -0700 (PDT)
Subject: unsubscribe
In-Reply-To: <3D9086FE.1284D5A5@cray.com>
Message-ID: <20020925143154.28793.qmail@web20506.mail.yahoo.com>

unsubscribe

Barel

--- Wendy Palm wrote:
> Tim Rice wrote:
> >
> > On Mon, 23 Sep 2002, Wendy Palm wrote:
> >
> > [snip]
> > > diff -cr openssh/auth1.c openssh.cray/auth1.c > > > *** openssh/auth1.c Wed Sep 11 18:47:30 2002 > > > --- openssh.cray/auth1.c Mon Sep 23 > 12:39:06 2002 > > > + #if defined(_CRAY) && ! defined(_CRAYSV2) > > > + #include > > > + #endif /* _CRAY */
> >
> > Is this because ia.h does not exist on _CRAYSV2 ?
> > Or because including ia.h breaks on _CRAYSV2 ?
> > Could we test for ia.h in configure and use HAVE_IA_H ?
> >
> > Same question for openssh/auth2.c
>
> ia.h does not exist on the sv2. yes, can do the check in
> configure.
>
> > > *** openssh/session.c Wed Sep 18 20:50:49 2002 > > > --- openssh.cray/session.c Mon Sep 23 > 12:47:35 2002 > > > + #if defined(_CRAY) && ! defined(_CRAYSV2) > > > + #include > > > + #endif
> >
> > Can we use HAVE_TMPDIR_H ?
>
> however you guys want to do it is fine with me.
>
> --
> wendy palm
> Cray OS Sustaining Engineering, Cray Inc.
> wendyp at cray.com, 651-605-9154

From wendyp at cray.com Thu Sep 26 02:24:18 2002
From: wendyp at cray.com (Wendy Palm)
Date: Wed, 25 Sep 2002 11:24:18 -0500
Subject: Call for testing for 3.5 OpenSSH
References:
Message-ID: <3D91E332.728A2D40@cray.com>

yes, this works great. i tested it out last night but i was
using elm and inadvertently sent a response to myself rather
than the list. :/

Tim Rice wrote:
>
> So something like this patch?
>
> On Tue, 24 Sep 2002, Wendy Palm wrote:
>
> [snip]
> > actually, they changed the CRAYSV2 name on me and i've finally
> > got them to straighten out the macros, so this should be changed from
> > #if defined(_CRAY) && !defined(_CRAYSV2)
> > to
> > #ifdef _UNICOS
> [snip]
> > i can compile an entirely new patch with this change in it for
> > the whole thing.
>
> --
> Tim Rice Multitalents (707) 887-1469
> tim at multitalents.net
>
> Name: cray.patch
> cray.patch Type: Plain Text (TEXT/PLAIN)
> Encoding: BASE64

--
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From kevin at atomicgears.com Thu Sep 26 02:46:57 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Wed, 25 Sep 2002 09:46:57 -0700
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To: <1032928692.5126.32.camel@argon>
References: <20020924011815.GE2398@jenny.crlsca.adelphia.net> <1032928692.5126.32.camel@argon>
Message-ID: <20020925164657.GB1752@jenny.crlsca.adelphia.net>

On Wed, Sep 25, 2002 at 02:38:12PM +1000, Damien Miller wrote:
> On Tue, 2002-09-24 at 11:18, Kevin Steves wrote:
> > i guess we also ship with PAM password change remaining disabled.
> > have not seen any feedback on solar's patch (which is in the
> > tree but remains #if 0 in auth-pam.c).
>
> It looks like it needs some monitor work as well.

there was a patch for the privsep case that used some Linux-specific
PAM magic if i recall.

From mouring at etoh.eviladmin.org Thu Sep 26 03:03:24 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 25 Sep 2002 12:03:24 -0500 (CDT)
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To: <3D91E332.728A2D40@cray.com>
Message-ID:

Go ahead and commit it.

This just leaves the crc issue. Can I see a new patch for it?

- Ben

On Wed, 25 Sep 2002, Wendy Palm wrote:

> yes, this works great. i tested it out last night but i was
> using elm and inadvertently sent a response to myself rather
> than the list. :/
>
> Tim Rice wrote:
> >
> > So something like this patch?
> >
> > On Tue, 24 Sep 2002, Wendy Palm wrote:
> >
> > [snip]
> > > actually, they changed the CRAYSV2 name on me and i've finally
> > > got them to straighten out the macros, so this should be changed from
> > > #if defined(_CRAY) && !defined(_CRAYSV2)
> > > to
> > > #ifdef _UNICOS
> > [snip]
> > > i can compile an entirely new patch with this change in it for
> > > the whole thing.
> >
> > --
> > Tim Rice Multitalents (707) 887-1469
> > tim at multitalents.net
> >
> > Name: cray.patch
> > cray.patch Type: Plain Text (TEXT/PLAIN)
> > Encoding: BASE64
>
> --
> wendy palm
> Cray OS Sustaining Engineering, Cray Inc.
> wendyp at cray.com, 651-605-9154

From bugzilla-daemon at mindrot.org Thu Sep 26 03:26:20 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 26 Sep 2002 03:26:20 +1000 (EST)
Subject: [Bug 403] New: scp generates sparse file when no space left
Message-ID: <20020925172620.074CD3D1C1@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=403

           Summary: scp generates sparse file when no space left
           Product: Portable OpenSSH
           Version: 3.1p1
          Platform: HPPA
        OS/Version: HP-UX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: scp
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: rusr at cup.hp.com

When someone copies a file using scp in HP-UX 11.i Secure Shell (the HP
supported version of OpenSSH) and the destination file system hasn't enough
space, a sparse file is being created.

To reproduce the problem:

# bdf .
Filesystem          kbytes    used   avail %used Mounted on
/dev/vg00/lvol4    1015808  999189   15607   98% /old-opt

Now copy over a large file like vmunix to show the problem, the first scp
works fine, the second will fail:

# scp /stand/vmunix :/old-opt/mab/vmunix
vmunix               100% |*****************************| 12027 KB    00:09
# scp /stand/vmunix :/old-opt/mab/vmunix2
vmunix               100% |*****************************| 12027 KB    00:08
scp: /old-opt/mab/vmunix2: No space left on device
# ll
total 33238
-rwxr-xr-x   1 mab        wtec      12316048 Sep 24 18:20 vmunix*
-rwxr-xr-x   1 mab        wtec      12316048 Sep 24 18:21 vmunix2*
                                    ^^^^^^^^ <<<=== PROBLEM

Now we can check for the real size:

# du *
24056   vmunix
9182    vmunix2

I suspect that this problem is also present on other OS's, but at the
moment, I have confirmed it only on HP systems.

Running tusc on an "scp -t" process shows that ftruncate is being called no
matter what.
In sink() in file scp.c, we can see:

        if (ftruncate(ofd, size)) {
                run_err("%s: truncate: %s", np, strerror(errno));
                wrerr = DISPLAYED;
        }

This code fragment should be enclosed in this if condition:

        if (wrerr == NO) {
                if (ftruncate(ofd, size)) {
                        run_err("%s: truncate: %s", np, strerror(errno));
                        wrerr = DISPLAYED;
                }
        }

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From rob at hagopian.net Thu Sep 26 04:12:03 2002
From: rob at hagopian.net (Rob Hagopian)
Date: Wed, 25 Sep 2002 14:12:03 -0400 (EDT)
Subject: BUG: ssh hangs on full stdout-file-system
In-Reply-To: <3D908C65.C6D10DB1@theorie1.physik.uni-erlangen.de>
Message-ID: 

Seems to me that ssh doesn't know that stdout is going to a filesystem and
so can't automatically abort... However, the shell might (should?) break
the redirection and send SIGPIPE once the filesystem is full?
                                                                -Rob

On Tue, 24 Sep 2002, Olaf Rogalsky wrote:

> System: Linux 2.4.18, openssh-3.4p1
>
> Problem:
> I use "ssh" and "tar" to backup remote directory trees to a local
> hard-disk/file-system:
> # ssh remote.server.org "tar -cz /home" >/backup/remote.tar.gz
>
> If the backup-file-system runs out of space before the backup
> completes, ssh starts hanging (waiting for the stdout-write to
> complete).
>
> Analysis:
> In this example it is of course very unlikely, that some space on the
> backup-file-system will be freed so that the backup can finish.
> Instead I would expect ssh to abort with an error, perhaps after some
> grace time.
> On the other hand there *may* be other situations, where one expects ssh
> to hang as it does. But since I am not aware of such an other situation,
> I consider this as a bug.
>
> Comments: ?
>
> Olaf Rogalsky
>

From tim at multitalents.net Thu Sep 26 04:29:50 2002
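An added example for the bug 403 report above (not scp.c and not the reporter's code): a constructed "fake disk" makes write(2) fail with ENOSPC after a set capacity, and a sink()-style loop is run once with the unconditional ftruncate() and once with the proposed `wrerr == NO` guard, so the difference between the file's nominal size and what actually landed on disk can be seen without filling a real filesystem.

```c
/* Added example, not scp.c: models the ftruncate() ordering bug from bug 403.
 * A constructed fake disk fails writes with ENOSPC once its capacity is
 * reached, so the effect is reproducible in a scratch file under /tmp. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum { NO = 0, DISPLAYED = 1 };   /* the wrerr states used in scp.c */

typedef struct { off_t written; off_t capacity; } fake_disk;

/* write(2) wrapper that starts returning ENOSPC once capacity is reached. */
static ssize_t disk_write(fake_disk *d, int fd, const void *buf, size_t len)
{
    if (d->written + (off_t)len > d->capacity) {
        errno = ENOSPC;
        return -1;
    }
    ssize_t n = write(fd, buf, len);
    if (n > 0)
        d->written += n;
    return n;
}

/* Receive `size` bytes into ofd the way scp's sink() does: a write error is
 * remembered in wrerr but the stream is still drained so the copy protocol
 * stays in sync. fix_truncate == 0 runs the final ftruncate() unconditionally
 * (the reported behaviour); fix_truncate == 1 skips it after an error. */
static int sink_like(int ofd, off_t size, fake_disk *disk, int fix_truncate)
{
    char chunk[4096];
    int wrerr = NO;
    off_t done = 0;

    memset(chunk, 'x', sizeof chunk);
    while (done < size) {
        size_t want = (size - done > (off_t)sizeof chunk)
                      ? sizeof chunk : (size_t)(size - done);
        if (wrerr == NO && disk_write(disk, ofd, chunk, want) != (ssize_t)want)
            wrerr = DISPLAYED;          /* scp reports the error here */
        done += want;                   /* keep consuming the stream */
    }
    if (!fix_truncate || wrerr == NO) {
        /* Extending a short file is what creates the sparse file: every byte
         * beyond the last successful write becomes a hole reading as zeros. */
        if (ftruncate(ofd, size) != 0)
            wrerr = DISPLAYED;
    }
    return wrerr;
}

/* Run one transfer into a temp file and report st_size, bytes actually
 * allocated (st_blocks * 512, what du counts) and the final wrerr. */
static int run_transfer(off_t size, off_t capacity, int fix_truncate,
                        off_t *st_size, off_t *alloc, int *wrerr)
{
    char path[] = "/tmp/bug403-XXXXXX";
    int fd = mkstemp(path);
    struct stat st;
    fake_disk disk = { 0, capacity };
    if (fd < 0)
        return -1;
    *wrerr = sink_like(fd, size, &disk, fix_truncate);
    int rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    if (rc != 0)
        return -1;
    *st_size = st.st_size;
    *alloc = (off_t)st.st_blocks * 512;
    return 0;
}

/* Accessors for the two results a caller cares about. */
off_t transfer_size(off_t size, off_t capacity, int fix_truncate)
{
    off_t s = -1, a; int e;
    return run_transfer(size, capacity, fix_truncate, &s, &a, &e) == 0 ? s : -1;
}

int transfer_wrerr(off_t size, off_t capacity, int fix_truncate)
{
    off_t s, a; int e = -1;
    return run_transfer(size, capacity, fix_truncate, &s, &a, &e) == 0 ? e : -1;
}

int main(void)
{
    const off_t size = 1000000, capacity = 409600;   /* constructed sizes */
    off_t s, a; int e;
    for (int fix = 0; fix <= 1; fix++)
        if (run_transfer(size, capacity, fix, &s, &a, &e) == 0)
            printf("%s: st_size=%lld allocated=%lld wrerr=%d\n",
                   fix ? "ftruncate only if wrerr == NO" : "unconditional ftruncate",
                   (long long)s, (long long)a, e);
    return 0;
}
```

With the unconditional ftruncate() the file reports the full 1000000 bytes while only 409600 were written, the same mismatch the report's `ll` versus `du` output shows; with the guard, st_size stops at the last successful write.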
From: tim at multitalents.net (Tim Rice) Date: Wed, 25 Sep 2002 11:29:50 -0700 (PDT) Subject: Call for testing for 3.5 OpenSSH In-Reply-To: <3D90B9FA.5050303@tls.msk.ru> Message-ID: On Tue, 24 Sep 2002, Michael Tokarev wrote: > Hmm. I think this may be useful for others as well. > > #if defined(_CRAY) && !defined(_CRAYSV2) > # define NO_SSH_LASTLOG > #endif > Should we use DISABLE_LASTLOG here or is it unrelated to the stuff in loginrec.c? > #ifndef NO_SSH_LASTLOG > > if (options.print_lastlog && s->last_login_time != 0) { > > time_string = ctime(&s->last_login_time); > > if (strchr(time_string, '\n')) > ... > #endif /* NO_SSH_LASTLOG */ > > /mjt > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From tim at multitalents.net Thu Sep 26 04:42:42 2002 From: tim at multitalents.net (Tim Rice) Date: Wed, 25 Sep 2002 11:42:42 -0700 (PDT) Subject: Call for testing for 3.5 OpenSSH In-Reply-To: Message-ID: On Wed, 25 Sep 2002, Ben Lindstrom wrote: > > Go ahead and commit it. > > This just leaves the crc issue. Can I see a new patch for it? I've attached what I have in my tree. (no deattack.c stuff) Wendy, note the NO_SSH_LASTLOG change from the last patch I sent. I'm wondering if NO_SSH_LASTLOG should really be DISABLE_LASTLOG like used in loginrec.c > > - Ben -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net -------------- next part -------------- --- configure.ac.old Mon Sep 23 16:54:12 2002 +++ configure.ac Wed Sep 25 11:21:37 2002 @@ -303,6 +303,7 @@ no_libnsl=1 AC_DEFINE(USE_PIPES) AC_DEFINE(DISABLE_FD_PASSING) + AC_DEFINE(NO_SSH_LASTLOG) LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal" LIBS="$LIBS -lgen -lrsc -lshare -luex -lacm" MANTYPE=cat 
@@ -376,14 +377,14 @@ # Checks for header files. AC_CHECK_HEADERS(bstring.h crypt.h endian.h floatingpoint.h \ - getopt.h glob.h lastlog.h limits.h login.h \ + getopt.h glob.h ia.h lastlog.h limits.h login.h \ login_cap.h maillock.h netdb.h netgroup.h \ netinet/in_systm.h paths.h pty.h readpassphrase.h \ rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ strings.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \ sys/mman.h sys/select.h sys/stat.h \ sys/stropts.h sys/sysmacros.h sys/time.h \ - sys/un.h time.h ttyent.h usersec.h \ + sys/un.h time.h tmpdir.h ttyent.h usersec.h \ util.h utime.h utmp.h utmpx.h) # Checks for libraries. --- defines.h.old Wed Aug 21 08:08:49 2002 +++ defines.h Tue Sep 24 14:50:25 2002 @@ -124,7 +124,7 @@ # if (SIZEOF_SHORT_INT == 2) typedef short int int16_t; # else -# if defined(_CRAY) && !defined(_CRAYSV2) +# ifdef _UNICOS # if (SIZEOF_SHORT_INT == 4) typedef short int16_t; # else @@ -132,16 +132,16 @@ # endif # else # error "16 bit int type not found." -# endif /* _CRAY */ +# endif /* _UNICOS */ # endif # if (SIZEOF_INT == 4) typedef int int32_t; # else -# if defined(_CRAY) && !defined(_CRAYSV2) +# ifdef _UNICOS typedef long int32_t; # else # error "32 bit int type not found." -# endif /* _CRAY */ +# endif /* _UNICOS */ # endif #endif @@ -161,7 +161,7 @@ # if (SIZEOF_SHORT_INT == 2) typedef unsigned short int u_int16_t; # else -# if defined(_CRAY) && !defined(_CRAYSV2) +# ifdef _UNICOS # if (SIZEOF_SHORT_INT == 4) typedef unsigned short u_int16_t; # else @@ -174,7 +174,7 @@ # if (SIZEOF_INT == 4) typedef unsigned int u_int32_t; # else -# if defined(_CRAY) && !defined(_CRAYSV2) +# ifdef _UNICOS typedef unsigned long u_int32_t; # else # error "32 bit int type not found." --- includes.h.old Thu Jul 18 09:57:09 2002 +++ includes.h Tue Sep 24 08:50:37 2002 
@@ -149,6 +149,14 @@ # include #endif +#ifdef HAVE_IA_H +# include +#endif + +#ifdef HAVE_TMPDIR_H +# include +#endif + #include /* For OPENSSL_VERSION_NUMBER */ #include "defines.h" --- auth1.c.orig Thu Sep 12 13:09:26 2002 +++ auth1.c Tue Sep 24 14:36:30 2002 @@ -304,6 +304,15 @@ fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); +#ifdef _UNICOS + if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated) + cray_login_failure(authctxt->user, IA_UDBERR); + if (authenticated && cray_access_denied(authctxt->user)) { + authenticated = 0; + fatal("Access denied for user %s.",authctxt->user); + } +#endif /* _UNICOS */ + #ifdef HAVE_CYGWIN if (authenticated && !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, pw)) { --- auth2.c.orig Tue Sep 10 10:09:45 2002 +++ auth2.c Tue Sep 24 14:37:05 2002 @@ -216,6 +216,13 @@ authenticated = 0; #endif /* USE_PAM */ +#ifdef _UNICOS + if (authenticated && cray_access_denied(authctxt->user)) { + authenticated = 0; + fatal("Access denied for user %s.",authctxt->user); + } +#endif /* _UNICOS */ + /* Log before sending the reply */ auth_log(authctxt, authenticated, method, " ssh2"); @@ -235,6 +242,10 @@ if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } +#ifdef _UNICOS + if (strcmp(method, "password") == 0) + cray_login_failure(authctxt->user, IA_UDBERR); +#endif /* _UNICOS */ methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); --- loginrec.c.old Wed Jul 24 15:00:48 2002 +++ loginrec.c Tue Sep 24 14:50:41 2002 @@ -622,13 +622,13 @@ switch (li->type) { case LTYPE_LOGIN: ut->ut_type = USER_PROCESS; -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS cray_set_tmpdir(ut); #endif break; case LTYPE_LOGOUT: ut->ut_type = DEAD_PROCESS; -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS cray_retain_utmp(ut, li->pid); #endif break; --- serverloop.c.orig Mon Sep 23 07:28:01 2002 +++ serverloop.c Tue Sep 24 15:28:06 2002 
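Review bot: in the auth1.c hunk and the first auth2.c hunk, the `authenticated = 0;` line has no effect because the `fatal("Access denied for user %s.",authctxt->user);` that follows does not return, and in auth2.c that fatal() fires before the `auth_log(authctxt, authenticated, method, " ssh2");` call visible just below it, so a Cray access denial never reaches the normal authentication log. Suggest clearing `authenticated` and falling through to the existing failure reply instead of calling fatal(), and add the missing space after the comma in the fatal() argument list.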
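Review bot: in the second auth2.c hunk the new `cray_login_failure(authctxt->user, IA_UDBERR);` is placed after the `packet_disconnect(AUTH_FAIL_MSG, authctxt->user);` that runs when `authctxt->failures++ > AUTH_FAIL_MAX`, so the password failure that trips the limit is never reported; move the `#ifdef _UNICOS` block above the failures check. The auth1.c hunk reports every unauthenticated password attempt unconditionally, so the two should be made to agree.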
@@ -144,7 +144,9 @@ int save_errno = errno; debug("Received SIGCHLD."); child_terminated = 1; +#ifndef _UNICOS mysignal(SIGCHLD, sigchld_handler); +#endif notify_parent(); errno = save_errno; } --- session.c.orig Mon Sep 23 07:28:02 2002 +++ session.c Wed Sep 25 11:22:38 2002 @@ -519,10 +519,17 @@ perror("dup2 stderr"); #endif /* USE_PIPES */ +#ifdef _UNICOS + cray_init_job(s->pw); /* set up cray jid and tmpdir */ +#endif + /* Do processing for the child (exec command etc). */ do_child(s, command); /* NOTREACHED */ } +#ifdef _UNICOS + signal(WJSIGNAL, cray_job_termination_handler); +#endif /* _UNICOS */ #ifdef HAVE_CYGWIN if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); @@ -610,8 +617,12 @@ /* record login, etc. similar to login(1) */ #ifndef HAVE_OSF_SIA - if (!(options.use_login && command == NULL)) + if (!(options.use_login && command == NULL)) { +#ifdef _UNICOS + cray_init_job(s->pw); /* set up cray jid and tmpdir */ +#endif /* _UNICOS */ do_login(s, command); + } # ifdef LOGIN_NEEDS_UTMPX else do_pre_login(s); @@ -622,6 +633,9 @@ do_child(s, command); /* NOTREACHED */ } +#ifdef _UNICOS + signal(WJSIGNAL, cray_job_termination_handler); +#endif /* _UNICOS */ #ifdef HAVE_CYGWIN if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); @@ -762,6 +776,7 @@ printf("%s\n", aixloginmsg); #endif /* WITH_AIXAUTHENTICATE */ +#ifndef NO_SSH_LASTLOG if (options.print_lastlog && s->last_login_time != 0) { time_string = ctime(&s->last_login_time); if (strchr(time_string, '\n')) @@ -772,6 +787,7 @@ printf("Last login: %s from %s\r\n", time_string, s->hostname); } +#endif /* NO_SSH_LASTLOG */ do_motd(); } @@ -1031,6 +1047,11 @@ child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", original_command); +#ifdef _UNICOS + if (cray_tmpdir[0] != '\0') + child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir); +#endif /* _UNICOS */ + #ifdef _AIX { char *cp; 
@@ -1281,6 +1302,10 @@ /* login(1) is only called if we execute the login shell */ if (options.use_login && command != NULL) options.use_login = 0; + +#ifdef _UNICOS + cray_setup(pw->pw_uid, pw->pw_name, command); +#endif /* _UNICOS */ /* * Login(1) does this as well, and it needs uid 0 for the "-h" --- sshd.c.old Mon Sep 23 07:28:03 2002 +++ sshd.c Tue Sep 24 14:50:51 2002 @@ -940,7 +940,7 @@ SYSLOG_FACILITY_AUTH : options.log_facility, !inetd_flag); -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS /* Cray can define user privs drop all prives now! * Not needed on PRIV_SU systems! */ --- sshpty.c.old Wed Jul 24 15:00:49 2002 +++ sshpty.c Tue Sep 24 14:51:21 2002 @@ -162,7 +162,7 @@ } return 1; #else /* HAVE_DEV_PTS_AND_PTC */ -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS char buf[64]; int i; int highpty; @@ -268,7 +268,7 @@ void *old; #endif /* USE_VHANGUP */ -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS if (setsid() < 0) error("setsid: %.100s", strerror(errno)); @@ -290,7 +290,7 @@ error("%.100s: %.100s", ttyname, strerror(errno)); close(*ttyfd); *ttyfd = fd; -#else /* _CRAY */ +#else /* _UNICOS */ /* First disconnect from the old controlling tty. */ #ifdef TIOCNOTTY @@ -345,7 +345,7 @@ strerror(errno)); else close(fd); -#endif /* _CRAY */ +#endif /* _UNICOS */ } /* Changes the window size associated with the pty. */ --- openbsd-compat/bsd-cray.c.old Wed Jul 24 15:00:52 2002 +++ openbsd-compat/bsd-cray.c Tue Sep 24 14:46:13 2002 @@ -34,7 +34,7 @@ * on UNICOS systems. * */ -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS #include #include --- openbsd-compat/bsd-cray.h.old Wed Jul 24 15:00:52 2002 +++ openbsd-compat/bsd-cray.h Tue Sep 24 14:46:43 2002 
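Review bot: the two session.c hunks install the job-termination handler with `signal(WJSIGNAL, cray_job_termination_handler);`, while the serverloop.c hunk in the same patch uses `mysignal(SIGCHLD, sigchld_handler);`; use mysignal() here as well so handler semantics match the rest of sshd. The serverloop.c change that stops re-installing the SIGCHLD handler under `#ifndef _UNICOS` also has no comment saying why UNICOS must skip it, and that is the kind of platform detail nobody will remember later.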
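Review bot: the `#ifndef NO_SSH_LASTLOG` guard added around the last-login message in session.c, and the matching `AC_DEFINE(NO_SSH_LASTLOG)` in the configure.ac hunk, carry no comment explaining why the message is suppressed on this platform; loginrec.c already keys off DISABLE_LASTLOG, so either reuse that macro or document in both places how the two switches differ.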
@@ -37,7 +37,7 @@ #ifndef _BSD_CRAY_H #define _BSD_CRAY_H -#if defined(_CRAY) && !defined(_CRAYSV2) +#ifdef _UNICOS void cray_init_job(struct passwd *); /* init cray job */ void cray_job_termination_handler(int); /* process end of job signal */ void cray_login_failure(char *username, int errcode); From markus at openbsd.org Thu Sep 26 05:46:21 2002 From: markus at openbsd.org (Markus Friedl) Date: Wed, 25 Sep 2002 21:46:21 +0200 Subject: BUG: ssh hangs on full stdout-file-system In-Reply-To: <3D908C65.C6D10DB1@theorie1.physik.uni-erlangen.de> References: <3D908C65.C6D10DB1@theorie1.physik.uni-erlangen.de> Message-ID: <20020925194621.GB31867@folly> On Tue, Sep 24, 2002 at 06:01:41PM +0200, Olaf Rogalsky wrote: > System: Linux 2.4.18, openssh-3.4p1 > > Problem: > I use "ssh" and "tar" to backup remote directory trees to a local > hard-disk/file-system: > # ssh remote.server.org "tar -cz /home" >/backup/remote.tar.gz what happens if you # ssh remote.server.org "tar -cz /home" | cat > /backup/remote.tar.gz From Jeff.Koenig at experian.com Thu Sep 26 09:09:30 2002 
From: Jeff.Koenig at experian.com (Jeff Koenig) Date: Wed, 25 Sep 2002 18:09:30 -0500 Subject: Call for testing for 3.5 OpenSSH Message-ID: Can someone reply and let me know what the status is on getting the PAM password expiration on Solaris issue working on OpenSSH? Password expiring on our Solaris 7 and 8 servers does not work correctly with OpenSSH. I believe this is a known issue, and was told that it might get resolved in 3.5, but now it sounds like it may not be resolved. I hate to say it, but this is a critical feature for us now and my boss is pressuring me to get it resolved. I am trying to avoid his suggestion of going with commercial SSH and would like to continue using what I like (OpenSSH). Any info on when and/or if this will be resolved with 3.5 would be greatly appreciated. Thanks, Jeff >>> Kevin Steves 09/25/02 11:46AM >>> On Wed, Sep 25, 2002 at 02:38:12PM +1000, Damien Miller wrote: > On Tue, 2002-09-24 at 11:18, Kevin Steves wrote: > > i guess we also ship with PAM password change remaining disabled. > > have not seen any feedback on solar's patch (which is in the > > tree but remains #if 0 in auth-pam.c). > > It looks like it needs some monitor work as well. there was a patch for the privsep case that used some Linux-specific PAM magic if i recall. _______________________________________________ openssh-unix-dev at mindrot.org mailing list http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From bugzilla-daemon at mindrot.org Thu Sep 26 09:15:43 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 26 Sep 2002 09:15:43 +1000 (EST)
Subject: [Bug 355] No last login message with PrivSep under AIX
Message-ID: <20020925231543.4B7463D18B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=355

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From mouring at eviladmin.org  2002-09-26 09:15 -------
Darren's patch applied.  Thanks.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From mouring at etoh.eviladmin.org Thu Sep 26 09:39:15 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 25 Sep 2002 18:39:15 -0500 (CDT)
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To: 
Message-ID: 

for the time being I'd keep them separated and take a closer look at post
3.5 release.  I don't think we want to risk the breakage.

- Ben

On Wed, 25 Sep 2002, Tim Rice wrote:

> On Wed, 25 Sep 2002, Ben Lindstrom wrote:
>
> >
> > Go ahead and commit it.
> >
> > This just leaves the crc issue.  Can I see a new patch for it?
>
> I've attached what I have in my tree. (no deattack.c stuff)
>
> Wendy, note the NO_SSH_LASTLOG change from the last patch I sent.
>
> I'm wondering if NO_SSH_LASTLOG should really be DISABLE_LASTLOG
> like used in loginrec.c
>
> >
> > - Ben
>
> --
> Tim Rice                Multitalents    (707) 887-1469
> tim at multitalents.net
>
>

From bugzilla-daemon at mindrot.org Thu Sep 26 10:08:29 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 26 Sep 2002 10:08:29 +1000 (EST)
Subject: [Bug 149] --with-random=[FILE] no longer available
Message-ID: <20020926000829.C47353D15A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=149

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

------- Additional Comments From mouring at eviladmin.org  2002-09-26 10:08 -------
INSTALL document had been updated.  Correct way of handling /dev/random
under Solaris is to recompile OpenSSL to support it.  Or use the example
Damien gave.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From tim at multitalents.net Thu Sep 26 10:42:22 2002
From: tim at multitalents.net (Tim Rice)
Date: Wed, 25 Sep 2002 17:42:22 -0700 (PDT)
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To: 
Message-ID: 

I've just committed the bits in my tree.

On Wed, 25 Sep 2002, Ben Lindstrom wrote:

>
> for the time being I'd keep them separated and take a closer look at post
> 3.5 release.  I don't think we want to risk the breakage.
>
> > > This just leaves the crc issue.  Can I see a new patch for it?

--
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net

From djm at mindrot.org Thu Sep 26 11:21:11 2002
From: djm at mindrot.org (Damien Miller)
Date: 26 Sep 2002 11:21:11 +1000
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To: 
References: 
Message-ID: <1033003271.1769.13.camel@argon>

On Thu, 2002-09-26 at 09:09, Jeff Koenig wrote:
> Can someone reply and let me know what the status is
> on getting the PAM password expiration on Solaris
> issue working on OpenSSH?

It won't happen for 3.5p1. Maybe for 3.6p1 if people fix and test it.

-d

From kevin at atomicgears.com Thu Sep 26 11:41:48 2002
From: kevin at atomicgears.com (Kevin Steves) Date: Wed, 25 Sep 2002 18:41:48 -0700 Subject: Call for testing for 3.5 OpenSSH In-Reply-To: References: Message-ID: <20020926014148.GD1752@jenny.crlsca.adelphia.net> On Wed, Sep 25, 2002 at 06:09:30PM -0500, Jeff Koenig wrote: > Can someone reply and let me know what the status is on getting the PAM password expiration on Solaris issue working on OpenSSH? http://www.eviladmin.org/cgi-bin/cvsweb.cgi/auth-pam.c issues: .no privsep support .needs testing and review http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=103065556302487&w=2 > Password expiring on our Solaris 7 and 8 servers does not work correctly with OpenSSH. I believe this is a known issue, and was told that it might get resolved in 3.5, but now it sounds like it may not be resolved. It appears that it will not. > I hate to say it, but this is a critical feature for us now and my boss is pressuring me to get it resolved. I am trying to avoid his suggestion of going with commercial SSH and would like to continue using what I like (OpenSSH). You can also pay someone to address this in OpenSSH. From dknodel at csc.com.au Thu Sep 26 12:00:20 2002 
From: dknodel at csc.com.au (dknodel at csc.com.au)
Date: Thu, 26 Sep 2002 10:00:20 +0800
Subject: Portable openssh integration with PAM on HP-UX 11.X Trusted System
Message-ID: 

Hi.

I was wondering a couple things relating to PAM authentication:

1. I found that expired passwords caused authentication failure, rather
than the expected behaviour of forcing a password change.  After perusing
the auth-pam.c file (as it appears in openssh-3.4p1), I found that the
reason is that the case for the relevant return value (PAM_AUTHTOKEN_REQD)
from pam_acct_mgmt is wrapped with "#if 0 ... #endif"; does this mean that
handling for it is essentially there, and will be enabled soon when it's
all in & tested, or have I missed a configuration step that I should've
performed to enable it?

2. If a user's password is about to expire (interval configured with
u_pw_expire_warning from prpwd(4) in Trusted systems), they receive a
little message to that effect (apparently spat out by login(1)).  Is there
a PAM-related function that can do this (that can be invoked by sshd), or
is it a HP-UX trusted-system related step that would have to be handled
directly (eg. via the getprpwnam function, and doing a little calculation)?

Any information you've got will be greatly appreciated...

Cheers,
David Knodel
__________________________________________________
CSC
Ph: 08 9429 6424
Email: dknodel at csc.com.au
----------------------------------------------------------------------------------------

From kevin at atomicgears.com Thu Sep 26 11:51:19 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Wed, 25 Sep 2002 18:51:19 -0700
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To: 
References: <3D90B9FA.5050303@tls.msk.ru>
Message-ID: <20020926015119.GE1752@jenny.crlsca.adelphia.net>

On Wed, Sep 25, 2002 at 11:29:50AM -0700, Tim Rice wrote:
> Should we use DISABLE_LASTLOG here or is it unrelated to the
> stuff in loginrec.c?
> > > #ifndef NO_SSH_LASTLOG
> > >         if (options.print_lastlog && s->last_login_time != 0) {
> > >                 time_string = ctime(&s->last_login_time);
> > >                 if (strchr(time_string, '\n'))
> > ...
> > #endif /* NO_SSH_LASTLOG */

why are we skipping this code?

From kevin at atomicgears.com Thu Sep 26 11:59:16 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Wed, 25 Sep 2002 18:59:16 -0700
Subject: NGROUPS_MAX
In-Reply-To: 
References: 
Message-ID: <20020926015916.GF1752@jenny.crlsca.adelphia.net>

On Wed, Sep 25, 2002 at 08:01:30AM -0500, Ben Lindstrom wrote:
> However, a lot of platforms don't support sysconf() and I since we are
> heading into a lock I think we should hold off breaking platforms until
> next release.

yes, we definitely don't want to mess with this now.

also, i think _SC_NGROUPS_MAX was not a sysconf symbol on solaris 8.

> On 25 Sep 2002, Sven Rudolph wrote:
> > POSIX defined sysconf in order to avoid this.
> >
> > By using sysconf(_SC_NGROUPS_MAX) this value is determined at
> > run-time.

From carson at taltos.org Thu Sep 26 15:55:21 2002
From: carson at taltos.org (Carson Gaspar)
Date: Thu, 26 Sep 2002 01:55:21 -0400
Subject: NGROUPS_MAX
In-Reply-To: <20020926015916.GF1752@jenny.crlsca.adelphia.net>
References: <20020926015916.GF1752@jenny.crlsca.adelphia.net>
Message-ID: <121251671.1033005321@[192.168.0.2]>

--On Wednesday, September 25, 2002 6:59 PM -0700 Kevin Steves wrote:

> On Wed, Sep 25, 2002 at 08:01:30AM -0500, Ben Lindstrom wrote:
>> However, a lot of platforms don't support sysconf() and I since we are
>> heading into a lock I think we should hold off breaking platforms until
>> next release.
>
> yes, we definitely don't want to mess with this now.
>
> also, i think _SC_NGROUPS_MAX was not a sysconf symbol on solaris 8.

My Solaris 8 box definitely has _SC_NGROUPS_MAX. If we want to do this, I
think we're going to have to create a minimal sysconf() implementation for
the platforms that don't support it. They'll get the current compile-time
values, and more featureful platforms will support run-time values.

I may take a stab at this, but not until after my current ipfilter project
is done. Although I do have a bit of free time now, being recently laid
off...

--
Carson

From dtucker at zip.com.au Thu Sep 26 17:12:10 2002
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 26 Sep 2002 17:12:10 +1000 Subject: Call for testing for 3.5 OpenSSH References: <1033003271.1769.13.camel@argon> Message-ID: <3D92B34A.3B913D8B@zip.com.au> Damien Miller wrote: > On Thu, 2002-09-26 at 09:09, Jeff Koenig wrote: > > Can someone reply and let me know what the status is > > on getting the PAM password expiration on Solaris > > issue working on OpenSSH? > > It won't happen for 3.5p1. Maybe for 3.6p1 if people fix and test it. I've been using the existing code in auth-pam.c (minus the "#if 0" obviously) on a couple of Solaris 7 systems. It seems to work OK as long as you're not using privsep. Would it be possible to wrap it inside "if (!use_privsep)" until the privsep case is fixed, or is this bad because it encourages people to use non-privsep configurations? I can provide the (trivial) patch for this if anyone wants it. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From rudsve at drewag.de Thu Sep 26 17:44:56 2002 
From: rudsve at drewag.de (Sven Rudolph) Date: 26 Sep 2002 09:44:56 +0200 Subject: NGROUPS_MAX In-Reply-To: Kevin Steves's message of Wed, 25 Sep 2002 18:59:16 -0700 References: <20020926015916.GF1752@jenny.crlsca.adelphia.net> Message-ID: Kevin Steves writes: > On Wed, Sep 25, 2002 at 08:01:30AM -0500, Ben Lindstrom wrote: > > However, a lot of platforms don't support sysconf() and I since we are > > heading into a lock I think we should hold off breaking platforms until > > next release. > > yes, we definately don't want to mess with this now. > > also, i think _SC_NGROUPS_MAX was not a sysconf symbol on solaris 8. _SC_NGROUPS_MAX is POSIX 1988. (I don't have my POSIX copy here, but it should be in chapter 4.8.1.1) So it shall be available on any POSIX-compliant system; including Solaris 8. If you have to support pre-POSIX systems you cannot use sysconf there. Sven From Olaf.Rogalsky at physik.uni-erlangen.de Thu Sep 26 20:09:56 2002 
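An added example for the NGROUPS_MAX thread above (not OpenSSH code): it sizes the supplementary-group buffer from sysconf(_SC_NGROUPS_MAX) at run time, falls back to the compile-time NGROUPS_MAX where sysconf() is unavailable in the way Carson's "minimal sysconf()" suggestion would, and grows the buffer on EINVAL, which is the failure a too-small compile-time constant produces. `NO_SYSCONF` is a hypothetical build switch of this example only, used to exercise the fallback path.

```c
/* Added example, not from OpenSSH: run-time NGROUPS_MAX with a compile-time
 * fallback. NO_SYSCONF is a hypothetical switch to build the fallback path. */
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Largest number of supplementary groups this process should expect. */
long ngroups_limit(void)
{
#if !defined(NO_SYSCONF) && defined(_SC_NGROUPS_MAX)
    long n = sysconf(_SC_NGROUPS_MAX);
    if (n > 0)
        return n;            /* run-time value; may exceed the header constant */
#endif
#ifdef NGROUPS_MAX
    return NGROUPS_MAX;      /* compile-time value, what the code uses today */
#else
    return 8;                /* _POSIX_NGROUPS_MAX, the POSIX minimum; last resort */
#endif
}

/* Fetch the caller's supplementary groups into a heap buffer sized from
 * ngroups_limit(). If the kernel reports EINVAL (buffer too small), which is
 * exactly what a stale compile-time NGROUPS_MAX would cause, the buffer is
 * doubled and the call retried. Returns the count, or -1 with errno set;
 * the caller frees *out. */
int fetch_groups(gid_t **out)
{
    long cap = ngroups_limit();

    for (;;) {
        gid_t *buf = calloc((size_t)cap, sizeof *buf);
        if (buf == NULL)
            return -1;
        int n = getgroups((int)cap, buf);
        if (n >= 0) {
            *out = buf;
            return n;
        }
        free(buf);
        if (errno != EINVAL)
            return -1;
        cap *= 2;            /* the limit lied to us; try a larger buffer */
    }
}

/* Number of supplementary groups of the calling process, -1 on error. */
int group_count(void)
{
    gid_t *groups = NULL;
    int n = fetch_groups(&groups);
    free(groups);
    return n;
}
```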
From: Olaf.Rogalsky at physik.uni-erlangen.de (Olaf Rogalsky)
Date: Thu, 26 Sep 2002 12:09:56 +0200
Subject: BUG: ssh hangs on full stdout-file-system
References: <3D908C65.C6D10DB1@theorie1.physik.uni-erlangen.de> <20020925194621.GB31867@folly>
Message-ID: <3D92DCF4.FE798504@theorie1.physik.uni-erlangen.de>

Markus Friedl wrote:
> what happens if you
> # ssh remote.server.org "tar -cz /home" | cat > /backup/remote.tar.gz

ssh still hangs, but now cat gives an error message:
cat: write error: No space left on device

It is really ssh, that hangs, since the following
#ssh remote.server.org "tar -cz /home" | (cat > /backup/remote.tar.gz || echo ready)
gives
cat: write error: No space left on device
ready

PS: I also tried it under AIX (IBM UNIX) and different shells -- no difference.

--
+----------------------------------------------------------------------+
I Dipl. Phys. Olaf Rogalsky                 Institut f. Theo. Physik I  I
I Tel.: 09131 8528440                       Univ. Erlangen-Nuernberg    I
I Fax.: 09131 8528444                       Staudtstrasse 7 B3          I
I rogalsky at theorie1.physik.uni-erlangen.de  D-91058 Erlangen           I
+----------------------------------------------------------------------+

From dtucker at zip.com.au Thu Sep 26 22:23:09 2002
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 26 Sep 2002 22:23:09 +1000 Subject: Call for testing for 3.5 OpenSSH References: <3D904BE8.43C8D221@zip.com.au> <20020924175528.N9007@greenie.muc.de> <3D914D26.35A0322A@zip.com.au> Message-ID: <3D92FC2D.32B8D520@zip.com.au> Darren Tucker wrote: > Gert Doering wrote: > > On Tue, Sep 24, 2002 at 08:57:22AM -0500, Ben Lindstrom wrote: > > > > 2) http://bugzilla.mindrot.org/show_bug.cgi?id=397 > > > > strsep() is in libc but isn't defined in the headers unless > > > > _LINUX_SOURCE_COMPAT is defined. This doesn't affect GCC, only the > > > > native compiler. Apart from the patch, another option could be to have > > > > configure define _LINUX_SOURCE_COMPAT for AIX. > > > > I want to vote *against* doing special-casing for AIX here - let them > > get their headers right. strsep() isn't *that* big, just compile it in. How about the following patch to configure.ac? It doesn't special case AIX but it does check for the strsep prototype before checking for the library function and defining HAVE_STRSEP. I tested on AIX 4.3.3 with xlc (which didn't define HAVE_STRSEP) and Linux (which did). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: configure.ac =================================================================== RCS file: /cvs/openssh/configure.ac,v retrieving revision 1.89 diff -u -r1.89 configure.ac --- configure.ac 26 Sep 2002 00:38:47 -0000 1.89 +++ configure.ac 26 Sep 2002 12:13:09 -0000 
@@ -604,8 +604,11 @@ realpath recvmsg rresvport_af sendmsg setdtablesize setegid \ setenv seteuid setgroups setlogin setproctitle setresgid setreuid \ setrlimit setsid setpcred setvbuf sigaction sigvec snprintf \ - socketpair strerror strlcat strlcpy strmode strsep sysconf tcgetpgrp \ + socketpair strerror strlcat strlcpy strmode sysconf tcgetpgrp \ truncate utimes vhangup vsnprintf waitpid __b64_ntop _getpty) + +dnl Make sure strsep prototype is defined before defining HAVE_STRSEP +AC_CHECK_DECL(strsep, [AC_CHECK_FUNCS(strsep)]) dnl IRIX and Solaris 2.5.1 have dirname() in libgen AC_CHECK_FUNCS(dirname, [AC_CHECK_HEADERS(libgen.h)] ,[ From bugzilla-daemon at mindrot.org Thu Sep 26 22:27:23 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 26 Sep 2002 22:27:23 +1000 (EST) Subject: [Bug 397] Openssh build failure AIX 4.3.3 Message-ID: <20020926122723.4A10B3D1AA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=397 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #147 is|0 |1 obsolete| | ------- Additional Comments From dtucker at zip.com.au 2002-09-26 22:27 ------- Created an attachment (id=151) --> (http://bugzilla.mindrot.org/attachment.cgi?id=151&action=view) Ensure strsep is defined before checking for function in library ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From Olaf.Rogalsky at physik.uni-erlangen.de Thu Sep 26 22:34:20 2002 
From: Olaf.Rogalsky at physik.uni-erlangen.de (Olaf Rogalsky)
Date: Thu, 26 Sep 2002 14:34:20 +0200
Subject: BUG: ssh hangs on full stdout-file-system
References: <3D908C65.C6D10DB1@theorie1.physik.uni-erlangen.de> <20020925194621.GB31867@folly> <3D92DCF4.FE798504@theorie1.physik.uni-erlangen.de> <20020926101837.GA382@faui02>
Message-ID: <3D92FECC.E7AB7B5A@theorie1.physik.uni-erlangen.de>

Markus Friedl wrote:
> i think it's because ssh still can read from the stdin
>
> what happens if you do this:
>
> # ssh -n remote.server.org "tar -cz /home" > /backup/remote.tar.gz

Unfortunately still hanging.

The next thing I did, was looking at source and running ssh with
option "-vv" (should have done this long before :-). This is the relevant
message:

debug1: channel 0: write failed

It stems from a line in function channel_handle_wfd(channels.c:1294):
chan_write_failed(c);
As expected, "errno" equals "ENOSPC" at this point. I wonder, if it
wasn't wise to abort ssh at this point?

PS: A bit offtopic: Why isn't it allowed/possible to close stdin with
# ssh remote "echo test" <&-

--
+----------------------------------------------------------------------+
I Dipl. Phys. Olaf Rogalsky                 Institut f. Theo. Physik I  I
I Tel.: 09131 8528440                       Univ. Erlangen-Nuernberg    I
I Fax.: 09131 8528444                       Staudtstrasse 7 B3          I
I rogalsky at theorie1.physik.uni-erlangen.de  D-91058 Erlangen           I
+----------------------------------------------------------------------+

From markus at openbsd.org Thu Sep 26 22:51:37 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 26 Sep 2002 14:51:37 +0200
Subject: BUG: ssh hangs on full stdout-file-system
In-Reply-To: <3D92FECC.E7AB7B5A@theorie1.physik.uni-erlangen.de>
References: <3D908C65.C6D10DB1@theorie1.physik.uni-erlangen.de> <20020925194621.GB31867@folly> <3D92DCF4.FE798504@theorie1.physik.uni-erlangen.de> <20020926101837.GA382@faui02> <3D92FECC.E7AB7B5A@theorie1.physik.uni-erlangen.de>
Message-ID: <20020926125137.GA6508@faui02>

On Thu, Sep 26, 2002 at 02:34:20PM +0200, Olaf Rogalsky wrote:
> Markus Friedl wrote:
> > i think it's because ssh still can read from the stdin
> >
> > what happens if you do this:
> >
> > # ssh -n remote.server.org "tar -cz /home" > /backup/remote.tar.gz
> Unfortunately still hanging.
>
> The next thing I did, was looking at source and running ssh with
> option "-vv" (should have done this long before :-). This is the relevant
> message:
>
> debug1: channel 0: write failed

can you please send all debugging messages related to channel 0 ?

From Jason.Lacoss-Arnold at AGEDWARDS.com Thu Sep 26 23:14:23 2002
From: Jason.Lacoss-Arnold at AGEDWARDS.com (Lacoss-Arnold, Jason)
Date: Thu, 26 Sep 2002 08:14:23 -0500
Subject: Call for testing for 3.5 OpenSSH
Message-ID: <6808DCE827EBD5119DFB0002A58EF4DA03240879@hqempn06.agedwards.com>

For whatever it's worth, we're doing the same thing with no problems so far.
We turned the auth-pam stuff on and privsep off.  We'd love to use privsep,
but usable password aging is more important.

-----Original Message-----
From: Darren Tucker [mailto:dtucker at zip.com.au]
Sent: Thursday, September 26, 2002 2:12 AM
To: Damien Miller
Cc: Jeff Koenig; Portable OpenSSH
Subject: Re: Call for testing for 3.5 OpenSSH

Damien Miller wrote:
> On Thu, 2002-09-26 at 09:09, Jeff Koenig wrote:
> > Can someone reply and let me know what the status is
> > on getting the PAM password expiration on Solaris
> > issue working on OpenSSH?
>
> It won't happen for 3.5p1. Maybe for 3.6p1 if people fix and test it.

I've been using the existing code in auth-pam.c (minus the "#if 0"
obviously) on a couple of Solaris 7 systems. It seems to work OK as long
as you're not using privsep.

Would it be possible to wrap it inside "if (!use_privsep)" until the
privsep case is fixed, or is this bad because it encourages people to use
non-privsep configurations?

I can provide the (trivial) patch for this if anyone wants it.

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

***********************************************************************************
WARNING: All e-mail sent to and from this address will be received or
otherwise recorded by the A.G. Edwards corporate e-mail system and is
subject to archival, monitoring or review by, and/or disclosure to,
someone other than the recipient.
************************************************************************************

From Olaf.Rogalsky at physik.uni-erlangen.de Thu Sep 26 23:16:49 2002
From: Olaf.Rogalsky at physik.uni-erlangen.de (Olaf Rogalsky)
Date: Thu, 26 Sep 2002 15:16:49 +0200
Subject: BUG: ssh hangs on full stdout-file-system
References: <3D908C65.C6D10DB1@theorie1.physik.uni-erlangen.de> <20020925194621.GB31867@folly> <3D92DCF4.FE798504@theorie1.physik.uni-erlangen.de> <20020926101837.GA382@faui02> <3D92FECC.E7AB7B5A@theorie1.physik.uni-erlangen.de> <20020926125137.GA6508@faui02>
Message-ID: <3D9308C1.66A25E3C@theorie1.physik.uni-erlangen.de>

Markus Friedl wrote:
>
> On Thu, Sep 26, 2002 at 02:34:20PM +0200, Olaf Rogalsky wrote:
> > Markus Friedl wrote:
> > > i think it's because ssh still can read from the stdin
> > >
> > > what happens if you do this:
> > >
> > > # ssh -n remote.server.org "tar -cz /home" > /backup/remote.tar.gz
> > Unfortunately still hanging.
> >
> > The next thing I did, was looking at source and running ssh with
> > option "-vv" (should have done this long before :-). This is the relevant
> > message:
> >
> > debug1: channel 0: write failed
>
> can you please send all debugging messages related to channel 0 ?

debug1: channel 0: new [client-session]
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
debug2: channel 0: window 57344 sent adjust 73728
debug1: channel 0: write failed
debug1: channel 0: close_write
debug1: channel 0: output open -> closed

and after hitting ^C:
debug1: channel_free: channel 0: client-session, nchannels 1

--
+----------------------------------------------------------------------+
I Dipl. Phys. Olaf Rogalsky         Institut f. Theo. Physik I         I
I Tel.: 09131 8528440               Univ. Erlangen-Nuernberg           I
I Fax.: 09131 8528444               Staudtstrasse 7 B3                 I
I rogalsky at theorie1.physik.uni-erlangen.de   D-91058 Erlangen       I
+----------------------------------------------------------------------+

From djm at mindrot.org Thu Sep 26 23:31:02 2002
From: djm at mindrot.org (Damien Miller)
Date: 26 Sep 2002 23:31:02 +1000
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To: <6808DCE827EBD5119DFB0002A58EF4DA03240879@hqempn06.agedwards.com>
References: <6808DCE827EBD5119DFB0002A58EF4DA03240879@hqempn06.agedwards.com>
Message-ID: <1033047062.4689.1.camel@localhost.localdomain>

On Thu, 2002-09-26 at 23:14, Lacoss-Arnold, Jason wrote:
> For whatever it's worth, we're doing the same thing with no problems so far.
> We turned the auth-pam stuff on and privsep off. We'd love to use privsep,
> but usable password aging is more important.

You are so wrong...

How many break-ins are achieved by guessed passwords? How many by
exploiting bugs in server software?

-d

From tim at multitalents.net Fri Sep 27 00:01:11 2002
From: tim at multitalents.net (Tim Rice)
Date: Thu, 26 Sep 2002 07:01:11 -0700 (PDT)
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To: <20020926015119.GE1752@jenny.crlsca.adelphia.net>
Message-ID:

On Wed, 25 Sep 2002, Kevin Steves wrote:

> On Wed, Sep 25, 2002 at 11:29:50AM -0700, Tim Rice wrote:
> > Should we use DISABLE_LASTLOG here or is it unrelated to the
> > stuff in loginrec.c?
> >
> > > #ifndef NO_SSH_LASTLOG
> > > > if (options.print_lastlog && s->last_login_time != 0) {
> > > > time_string = ctime(&s->last_login_time);
> > > > if (strchr(time_string, '\n'))
> > > ...
> > > #endif /* NO_SSH_LASTLOG */
>
> why are we skipping this code?

It's a Cray thing. Wendy will have to answer this.

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From markus at openbsd.org Fri Sep 27 00:23:04 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 26 Sep 2002 16:23:04 +0200
Subject: BUG: ssh hangs on full stdout-file-system
In-Reply-To: <3D9308C1.66A25E3C@theorie1.physik.uni-erlangen.de>
References: <3D908C65.C6D10DB1@theorie1.physik.uni-erlangen.de> <20020925194621.GB31867@folly> <3D92DCF4.FE798504@theorie1.physik.uni-erlangen.de> <20020926101837.GA382@faui02> <3D92FECC.E7AB7B5A@theorie1.physik.uni-erlangen.de> <20020926125137.GA6508@faui02> <3D9308C1.66A25E3C@theorie1.physik.uni-erlangen.de>
Message-ID: <20020926142304.GA1577@faui02>

i think this is a known bug. the same happens with

ssh -vv 127.0.0.1 od /bin/ls < /dev/null | (sleep 1; exit 1)

not sure how to fix this.

On Thu, Sep 26, 2002 at 03:16:49PM +0200, Olaf Rogalsky wrote:
> Markus Friedl wrote:
> >
> > On Thu, Sep 26, 2002 at 02:34:20PM +0200, Olaf Rogalsky wrote:
> > > Markus Friedl wrote:
> > > > i think it's because ssh still can read from the stdin
> > > >
> > > > what happens if you do this:
> > > >
> > > > # ssh -n remote.server.org "tar -cz /home" > /backup/remote.tar.gz
> > > Unfortunately still hanging.
> > >
> > > The next thing I did, was looking at source and running ssh with
> > > option "-vv" (should have done this long before :-). This is the relevant
> > > message:
> > >
> > > debug1: channel 0: write failed
> >
> > can you please send all debugging messages related to channel 0 ?
> debug1: channel 0: new [client-session]
> debug1: channel 0: open confirm rwindow 0 rmax 32768
> debug2: channel 0: rcvd adjust 131072
> debug2: channel 0: window 57344 sent adjust 73728
> debug1: channel 0: write failed
> debug1: channel 0: close_write
> debug1: channel 0: output open -> closed
>
> and after hitting ^C:
> debug1: channel_free: channel 0: client-session, nchannels 1
>
> --
> +----------------------------------------------------------------------+
> I Dipl. Phys. Olaf Rogalsky         Institut f. Theo. Physik I         I
> I Tel.: 09131 8528440               Univ. Erlangen-Nuernberg           I
> I Fax.: 09131 8528444               Staudtstrasse 7 B3                 I
> I rogalsky at theorie1.physik.uni-erlangen.de   D-91058 Erlangen       I
> +----------------------------------------------------------------------+

From mouring at etoh.eviladmin.org Fri Sep 27 00:25:45 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 26 Sep 2002 09:25:45 -0500 (CDT)
Subject: BUG: ssh hangs on full stdout-file-system
In-Reply-To: <3D9308C1.66A25E3C@theorie1.physik.uni-erlangen.de>
Message-ID:

Me thinks we are describing this bug report:

http://bugzilla.mindrot.org/show_bug.cgi?id=85

- Ben

On Thu, 26 Sep 2002, Olaf Rogalsky wrote:

> Markus Friedl wrote:
> >
> > On Thu, Sep 26, 2002 at 02:34:20PM +0200, Olaf Rogalsky wrote:
> > > Markus Friedl wrote:
> > > > i think it's because ssh still can read from the stdin
> > > >
> > > > what happens if you do this:
> > > >
> > > > # ssh -n remote.server.org "tar -cz /home" > /backup/remote.tar.gz
> > > Unfortunately still hanging.
> > >
> > > The next thing I did, was looking at source and running ssh with
> > > option "-vv" (should have done this long before :-). This is the relevant
> > > message:
> > >
> > > debug1: channel 0: write failed
> >
> > can you please send all debugging messages related to channel 0 ?
> debug1: channel 0: new [client-session]
> debug1: channel 0: open confirm rwindow 0 rmax 32768
> debug2: channel 0: rcvd adjust 131072
> debug2: channel 0: window 57344 sent adjust 73728
> debug1: channel 0: write failed
> debug1: channel 0: close_write
> debug1: channel 0: output open -> closed
>
> and after hitting ^C:
> debug1: channel_free: channel 0: client-session, nchannels 1
>
> --
> +----------------------------------------------------------------------+
> I Dipl. Phys. Olaf Rogalsky         Institut f. Theo. Physik I         I
> I Tel.: 09131 8528440               Univ. Erlangen-Nuernberg           I
> I Fax.: 09131 8528444               Staudtstrasse 7 B3                 I
> I rogalsky at theorie1.physik.uni-erlangen.de   D-91058 Erlangen       I
> +----------------------------------------------------------------------+
>

From Jason.Lacoss-Arnold at AGEDWARDS.com Fri Sep 27 00:53:11 2002
From: Jason.Lacoss-Arnold at AGEDWARDS.com (Lacoss-Arnold, Jason)
Date: Thu, 26 Sep 2002 09:53:11 -0500
Subject: Call for testing for 3.5 OpenSSH
Message-ID: <6808DCE827EBD5119DFB0002A58EF4DA0324087E@hqempn06.agedwards.com>

It's an organizational value, not a personal one. It's much harder to get
an exception from way on high to turn off password aging on 500 unix servers
than it is to just turn off privsep.

-----Original Message-----
From: Damien Miller [mailto:djm at mindrot.org]
Sent: Thursday, September 26, 2002 8:31 AM
To: Lacoss-Arnold, Jason
Cc: 'Darren Tucker'; Jeff Koenig; Portable OpenSSH
Subject: RE: Call for testing for 3.5 OpenSSH

On Thu, 2002-09-26 at 23:14, Lacoss-Arnold, Jason wrote:
> For whatever it's worth, we're doing the same thing with no problems so far.
> We turned the auth-pam stuff on and privsep off. We'd love to use privsep,
> but usable password aging is more important.

You are so wrong...

How many break-ins are achieved by guessed passwords? How many by
exploiting bugs in server software?

-d

From binder at arago.de Fri Sep 27 00:56:34 2002
From: binder at arago.de (Thomas Binder)
Date: Thu, 26 Sep 2002 16:56:34 +0200
Subject: BUG: ssh hangs on full stdout-file-system
In-Reply-To: <20020925194621.GB31867@folly>; from markus@openbsd.org on Wed, Sep 25, 2002 at 09:46:21PM +0200
References: <3D908C65.C6D10DB1@theorie1.physik.uni-erlangen.de> <20020925194621.GB31867@folly>
Message-ID: <20020926165633.A18740357@ohm.arago.de>

Hi!

On Wed, Sep 25, 2002 at 09:46:21PM +0200, Markus Friedl wrote:
> On Tue, Sep 24, 2002 at 06:01:41PM +0200, Olaf Rogalsky wrote:
> what happens if you
> # ssh remote.server.org "tar -cz /home" | cat > /backup/remote.tar.gz

FWIW, I could reproduce the problem, but only with protocol
version 2:

$ ssh -2 sub2 tar cf - . | head | wc
     10      58    1294
[hangs]

Using ssh -1, ssh does not hang:

$ ssh -1 sub2 tar cf - . | head | wc
     10      58    1294
Write failed flushing stdout buffer.
write stdout: Broken pipe

Stuff related to channel 0 from ssh -2 -v -v -v:

debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug1: send channel open 0
debug1: channel request 0: x11-req
debug1: channel request 0: exec
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
debug1: channel 0: write failed
debug1: channel 0: close_write
debug1: channel 0: output open -> closed

HTH.

Ciao

Thomas

From bugzilla-daemon at mindrot.org Fri Sep 27 00:58:12 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 27 Sep 2002 00:58:12 +1000 (EST)
Subject: [Bug 404] New: getnameinfo failed
Message-ID: <20020926145812.85BA93D1E8@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=404

           Summary: getnameinfo failed
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: pmartinez at heraldo.es
                CC: pmartinez at heraldo.es

Estimated gurus.

I have installed OpenSSH_3.4p1 in a RH 6.2. When I execute sshd -d from
server, I get:

debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
getnameinfo failed
getnameinfo failed
Cannot bind any address

And when I execute ssh -v localhost, I get:

OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
ssh_connect: getnameinfo failed

My PC has DNS lookup, and in /etc/hosts machine is defined. Even, executing
"ifconfig" there's no problem.

What can the problem be??

Thanks!!!

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From binder at arago.de Fri Sep 27 02:19:10 2002
From: binder at arago.de (Thomas Binder)
Date: Thu, 26 Sep 2002 18:19:10 +0200
Subject: Question regarding patch for ProxyCommand setting
Message-ID: <20020926181910.A18637996@ohm.arago.de>

Hi!

I recently started using ProxyCommand and noticed that it's not
possible to specify a "none" value for it. I've already written a
patch for that, but wanted to discuss the issue before posting the
patch.

The problem is the following: I'd like to use a ProxyCommand by
default, but exclude some hosts. But as soon as I have

Host *
ProxyCommand /some/proxy/command %h %p

at the end of ssh_config, there's no way to disable ProxyCommand in
another host section. I need this to still have the possibility to
access localhost without host key checking [1], i.e. I'd like to have
something like

Host localhost
ProxyCommand -

That'd be necessary because as soon as a ProxyCommand is active,
NoHostAuthenticationForLocalhost is ignored because OpenSSH no longer
has a way to tell whether "localhost" is really the loopback interface.

So, is there any way to achieve what I want without adding support for
something like "ProxyCommand -" (and without having to add each and
every host that should be accessed via the proxy command to
ssh_config)? And if there's no other way, would there be interest in
adding my patch?

Ciao

Thomas

[1] That's because I've written shell scripts that allow to copy files
from and to remote hosts that can only be accessed with an ssh chain
(e.g. ssh -t host1 ssh -t host2 ssh -t host3). This is achieved by
automatically opening a tunnel to port 22 of the remote host using such
a chain, and then scp to and from localhost. Without
NoHostAuthenticationForLocalhost, scp would always fail because of a
changed host key.

--
"No, `Eureka' is Greek for `This bath is too hot.'" -- Dr. Who

From Claus.Rosenberger at rocnet.de Fri Sep 27 02:37:26 2002
From: Claus.Rosenberger at rocnet.de (Claus Rosenberger)
Date: Thu, 26 Sep 2002 18:37:26 +0200 (CEST)
Subject: cross compiling
Message-ID: <47539.212.222.61.13.1033058246.rocnet@deathstar.of.rocnet.de>

hi,

i want to build openssh in my uclibc environment with a cross-compiler. my
problem is that the configure-script is not very cross-compile friendly.
there are a lot of things that will be tested while configuring. if the
script finds a cross compiler it exits with code 1. how to solve this issue ?

thanks

claus

From tim at multitalents.net Fri Sep 27 03:38:22 2002
From: tim at multitalents.net (Tim Rice)
Date: Thu, 26 Sep 2002 10:38:22 -0700 (PDT)
Subject: cross compiling
In-Reply-To: <47539.212.222.61.13.1033058246.rocnet@deathstar.of.rocnet.de>
Message-ID:

On Thu, 26 Sep 2002, Claus Rosenberger wrote:

> hi,
>
> i want to build openssh in my uclibc environment with a cross-compiler. my
> problem is that the configure-script is not very cross-compile friendly.
> there are a lot of things that will be tested while configuring. if the
> script finds a cross compiler it exits with code 1. how to solve this issue
> ?

There is a patch posted to Bug 321 that may help you.

http://bugzilla.mindrot.org/show_bug.cgi?id=321

>
> thanks
>
> claus

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From kevin at atomicgears.com Fri Sep 27 03:48:30 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Thu, 26 Sep 2002 10:48:30 -0700
Subject: NGROUPS_MAX
In-Reply-To: <121251671.1033005321@[192.168.0.2]>
References: <20020926015916.GF1752@jenny.crlsca.adelphia.net> <121251671.1033005321@[192.168.0.2]>
Message-ID: <20020926174830.GC1654@jenny.crlsca.adelphia.net>

On Thu, Sep 26, 2002 at 01:55:21AM -0400, Carson Gaspar wrote:
> >also, i think _SC_NGROUPS_MAX was not a sysconf symbol on solaris 8.
>
> My Solaris 8 box definitely has _SC_NGROUPS_MAX.

indeed. my confusion was in using getconf, which on Solaris doesn't
want an _SC_ name.

$ getconf _SC_NGROUPS_MAX
getconf: Invalid argument (_SC_NGROUPS_MAX)
$ getconf NGROUPS_MAX
16

on HP-UX:

$ getconf _SC_NGROUPS_MAX
20
$ getconf NGROUPS_MAX
20

From markus at openbsd.org Fri Sep 27 05:47:42 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 26 Sep 2002 21:47:42 +0200
Subject: BUG: ssh hangs on full stdout-file-system
In-Reply-To: <20020926165633.A18740357@ohm.arago.de>
References: <3D908C65.C6D10DB1@theorie1.physik.uni-erlangen.de> <20020925194621.GB31867@folly> <20020926165633.A18740357@ohm.arago.de>
Message-ID: <20020926194742.GA29380@faui02>

yes, it's different in protocol 1

On Thu, Sep 26, 2002 at 04:56:34PM +0200, Thomas Binder wrote:
> Hi!
>
> On Wed, Sep 25, 2002 at 09:46:21PM +0200, Markus Friedl wrote:
> > On Tue, Sep 24, 2002 at 06:01:41PM +0200, Olaf Rogalsky wrote:
> > what happens if you
> > # ssh remote.server.org "tar -cz /home" | cat > /backup/remote.tar.gz
>
> FWIW, I could reproduce the problem, but only with protocol
> version 2:
>
> $ ssh -2 sub2 tar cf - . | head | wc
>      10      58    1294
> [hangs]
>
> Using ssh -1, ssh does not hang:
>
> $ ssh -1 sub2 tar cf - . | head | wc
>      10      58    1294
> Write failed flushing stdout buffer.
> write stdout: Broken pipe
>
> Stuff related to channel 0 from ssh -2 -v -v -v:
>
> debug1: channel 0: new [client-session]
> debug3: ssh_session2_open: channel_new: 0
> debug1: send channel open 0
> debug1: channel request 0: x11-req
> debug1: channel request 0: exec
> debug1: channel 0: open confirm rwindow 0 rmax 32768
> debug2: channel 0: rcvd adjust 131072
> debug1: channel 0: write failed
> debug1: channel 0: close_write
> debug1: channel 0: output open -> closed
>
> HTH.
>
>
> Ciao
>
> Thomas

From markus at openbsd.org Fri Sep 27 06:09:52 2002
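The failure mode in this thread, as an added C example that is not OpenSSH's code: a minimal copy loop standing in the client's position which, instead of only closing its output side as the "close_write" / "output open -> closed" debug lines show, hands the failed write back to its caller so the session can be torn down. The two scenarios reconstruct Olaf's full stdout filesystem (via Linux's /dev/full, which fails every write with ENOSPC) and Markus's "| (sleep 1; exit 1)" reader that goes away (EPIPE); all function names, pipes and sample data are constructed for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum fwd_result { FWD_OK = 0, FWD_WRITE_FAILED = 1, FWD_READ_FAILED = 2 };

/*
 * Copy everything arriving on in_fd (the remote side of the channel) to
 * out_fd (the client's stdout). A failed write on out_fd is returned to
 * the caller at once, errno in *err, instead of the loop only closing its
 * output side and then staying in the read loop with nowhere to put the
 * rest of the data. The caller tears the session down.
 */
int forward_until_eof(int in_fd, int out_fd, int *err, size_t *copied)
{
    char buf[4096];

    *err = 0;
    *copied = 0;
    for (;;) {
        ssize_t n = read(in_fd, buf, sizeof buf);
        if (n == 0)
            return FWD_OK;               /* remote sent EOF */
        if (n < 0) {
            if (errno == EINTR)
                continue;
            *err = errno;
            return FWD_READ_FAILED;
        }
        for (size_t off = 0; off < (size_t)n;) {
            ssize_t w = write(out_fd, buf + off, (size_t)n - off);
            if (w < 0) {
                if (errno == EINTR)
                    continue;
                *err = errno;            /* ENOSPC, EPIPE, ... */
                return FWD_WRITE_FAILED;
            }
            off += (size_t)w;
            *copied += (size_t)w;
        }
    }
}

/*
 * Markus's reproducer "... | (sleep 1; exit 1)": a child plays the remote
 * command and keeps producing output, while the reader of our stdout has
 * already gone away (no open read end on the out pipe). Returns the
 * fwd_result; the errno seen goes to *err.
 */
int scenario_reader_exits(int *err)
{
    int in[2], out[2], status, r;
    size_t copied;
    pid_t pid;

    if (pipe(in) < 0 || pipe(out) < 0)
        return -1;
    signal(SIGPIPE, SIG_IGN);            /* get EPIPE, not a SIGPIPE death */
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {                      /* producer: 1 MiB of constructed data */
        char chunk[1024];
        close(in[0]); close(out[0]); close(out[1]);
        memset(chunk, 'x', sizeof chunk);
        for (int i = 0; i < 1024; i++)
            if (write(in[1], chunk, sizeof chunk) < 0)
                break;                   /* parent closed its end: stop */
        _exit(0);
    }
    close(in[1]);
    close(out[0]);                       /* the consumer "exited" */
    r = forward_until_eof(in[0], out[1], err, &copied);
    close(in[0]);                        /* tear-down: producer gets EPIPE */
    close(out[1]);
    waitpid(pid, &status, 0);
    return r;
}

/*
 * Olaf's case, stdout on a full filesystem: Linux's /dev/full fails every
 * write with ENOSPC. Returns the errno the loop saw, 0 if the copy
 * unexpectedly succeeded, or -1 if /dev/full is unavailable here.
 */
int scenario_full_filesystem(void)
{
    static const char msg[] = "constructed remote output\n";
    int in[2], fd, err, r;
    size_t copied;

    if ((fd = open("/dev/full", O_WRONLY)) < 0)
        return -1;
    if (pipe(in) < 0 || write(in[1], msg, sizeof msg - 1) < 0) {
        close(fd);
        return -1;
    }
    close(in[1]);
    r = forward_until_eof(in[0], fd, &err, &copied);
    close(in[0]);
    close(fd);
    return r == FWD_WRITE_FAILED ? err : 0;
}
```

In the reader-exits scenario the loop returns after the first failed write and closing in[0] is what makes the producer stop, which is the step the thread's ssh client never took before ^C.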
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 26 Sep 2002 22:09:52 +0200
Subject: Call for testing for 3.5 OpenSSH
In-Reply-To: <6808DCE827EBD5119DFB0002A58EF4DA0324087E@hqempn06.agedwards.com>
References: <6808DCE827EBD5119DFB0002A58EF4DA0324087E@hqempn06.agedwards.com>
Message-ID: <20020926200952.GA8524@folly>

On Thu, Sep 26, 2002 at 09:53:11AM -0500, Lacoss-Arnold, Jason wrote:
> It's an organizational value, not a personal one. It's much harder to get
> an exception from way on high to turn off password aging on 500 unix servers
> than it is to just turn off privsep.

password aging should work. you just cannot login or change your expired
password.

From Jason.Lacoss-Arnold at AGEDWARDS.com Fri Sep 27 06:25:42 2002
From: Jason.Lacoss-Arnold at AGEDWARDS.com (Lacoss-Arnold, Jason)
Date: Thu, 26 Sep 2002 15:25:42 -0500
Subject: Call for testing for 3.5 OpenSSH
Message-ID: <6808DCE827EBD5119DFB0002A58EF4DA032408A1@hqempn06.agedwards.com>

And our management considers it impractical to lock our users out when they
could normally change their passwords and go on with life. Our access
control people are too slow to help them on a useful basis.

-----Original Message-----
From: Markus Friedl [mailto:markus at openbsd.org]
Sent: Thursday, September 26, 2002 3:10 PM
To: Lacoss-Arnold, Jason
Cc: Portable OpenSSH
Subject: Re: Call for testing for 3.5 OpenSSH

On Thu, Sep 26, 2002 at 09:53:11AM -0500, Lacoss-Arnold, Jason wrote:
> It's an organizational value, not a personal one. It's much harder to get
> an exception from way on high to turn off password aging on 500 unix servers
> than it is to just turn off privsep.

password aging should work. you just cannot login or change your expired
password.

From scottmf at eng.sun.com Fri Sep 27 07:07:07 2002
From: scottmf at eng.sun.com (Scott Feldstein)
Date: Thu, 26 Sep 2002 14:07:07 -0700 (PDT)
Subject: RNG question
Message-ID:

Does anyone know how I can correct this error I am getting:

Not enough entropy in RNG
ssh-rand-helper child produced insufficient data

I am using openssh with solaris 8.

thanks,
Scott

From dtucker at zip.com.au Fri Sep 27 11:13:56 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 27 Sep 2002 11:13:56 +1000
Subject: RNG question
References:
Message-ID: <3D93B0D4.9252460E@zip.com.au>

Scott Feldstein wrote:
> Not enough entropy in RNG
> ssh-rand-helper child produced insufficient data
>
> I am using openssh with solaris 8.

Most likely your ssh was compiled on a machine that has /dev/random
(patch 112438-01) and you're trying to run it on one that doesn't.

Either install that patch or configure --with-rand-helper and recompile.

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From Claus.Rosenberger at rocnet.de Fri Sep 27 19:27:07 2002
From: Claus.Rosenberger at rocnet.de (Claus Rosenberger)
Date: Fri, 27 Sep 2002 11:27:07 +0200 (CEST)
Subject: cross compiling
In-Reply-To:
References: <47539.212.222.61.13.1033058246.rocnet@deathstar.of.rocnet.de>
Message-ID: <48478.212.222.61.13.1033118827.rocnet@deathstar.of.rocnet.de>

sorry, it doesn't solve my problem. i got following result

***
checking whether struct dirent allocates space for d_name... configure: error: cannot run test program while cross compiling
....
***

the patch only changes configure.ac and not configure. why configure cannot
only put out information about problems while checking things with
cross-compiling and continue the work ?

>
> On Thu, 26 Sep 2002, Claus Rosenberger wrote:
>
>> hi,
>>
>> i want to build openssh in my uclibc environment with a
>> cross-compiler. my problem is that the configure-script is not very
>> cross-compile friendly. there are a lot of things that will be tested
>> while configuring. if the script finds a cross compiler it exits with
>> code 1. how to solve this issue ?
>
> There is a patch posted to Bug 321 that may help you.
>
> http://bugzilla.mindrot.org/show_bug.cgi?id=321
>>
>> thanks
>>
>> claus
>
> --
> Tim Rice Multitalents (707) 887-1469
> tim at multitalents.net

From dtucker at zip.com.au Fri Sep 27 19:44:37 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 27 Sep 2002 19:44:37 +1000
Subject: cross compiling
References: <47539.212.222.61.13.1033058246.rocnet@deathstar.of.rocnet.de> <48478.212.222.61.13.1033118827.rocnet@deathstar.of.rocnet.de>
Message-ID: <3D942885.509BF760@zip.com.au>

Claus Rosenberger wrote:
> the patch only changes configure.ac and not configure. why configure cannot
> only put out information about problems while checking things with
> cross-compiling and continue the work ?

You need to run "autoconf" (or "make -f Makefile.in distprep") to
re-create configure from configure.ac.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From Claus.Rosenberger at rocnet.de Fri Sep 27 19:58:06 2002
From: Claus.Rosenberger at rocnet.de (Claus Rosenberger)
Date: Fri, 27 Sep 2002 11:58:06 +0200 (CEST)
Subject: cross compiling
In-Reply-To: <3D942885.509BF760@zip.com.au>
References: <47539.212.222.61.13.1033058246.rocnet@deathstar.of.rocnet.de> <48478.212.222.61.13.1033118827.rocnet@deathstar.of.rocnet.de> <3D942885.509BF760@zip.com.au>
Message-ID: <48576.212.222.61.13.1033120686.rocnet@deathstar.of.rocnet.de>

> Claus Rosenberger wrote:
>> the patch only changes configure.ac and not configure. why configure
>> cannot only put out information about problems while checking things
>> with cross-compiling and continue the work ?
>
> You need to run "autoconf" (or "make -f Makefile.in distprep") to
> re-create configure from configure.ac.

i have the same problem after calling these programs. should i put some
environment variables to these calls like CC=cross-gcc or anything else ?

> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

From bugzilla-daemon at mindrot.org Sat Sep 28 03:34:19 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 28 Sep 2002 03:34:19 +1000 (EST)
Subject: [Bug 405] New: getaddrinfo delays
Message-ID: <20020927173419.C89783D138@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=405

           Summary: getaddrinfo delays
           Product: Portable OpenSSH
           Version: -current
          Platform: Alpha
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: dgp at nist.gov

This report is for version 3.4p1, which I don't find above. (Is this still
the place to report bugs in OpenSSH?)

Ever since I updated to 3.4p1, I've noticed very slow connections using the
ssh client. I finally got annoyed enough to look into it and found that the
getaddrinfo() call in ssh_connect() is taking ~10 seconds to complete.

I read some notes that blamed this on poor IPv6 name resolution in the GNU
C library, version 2.1.2. I have version 2.1.3, but I still followed the
advice and re-configured OpenSSH with --with-ipv4-default and re-installed.
No change.

Then I went into config.h and explicitly added

#define BROKEN_GETADDRINFO 1

No change.

I hacked in some extra debug() calls to verify that I am indeed passing
hints.ai_family = AF_INET into the getaddrinfo() call, but I still see
10 second delays.

Is this really a glibc problem? Or a system mis-configuration? What can I
do about it?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Sep 28 03:40:34 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 28 Sep 2002 03:40:34 +1000 (EST)
Subject: [Bug 405] getaddrinfo delays
Message-ID: <20020927174034.C6FC73D15A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=405

------- Additional Comments From dgp at nist.gov 2002-09-28 03:39 -------
BTW, it seems strange to me that when HAVE_GETADDRINFO is undefined or
false, the code still makes calls to getaddrinfo(). Is this configuration
support just incomplete?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Eric.Ladner at ChevronTexaco.com Sat Sep 28 01:00:03 2002
From: Eric.Ladner at ChevronTexaco.com (Ladner, Eric (Eric.Ladner))
Date: Fri, 27 Sep 2002 10:00:03 -0500
Subject: Ssh-add question.
Message-ID: <53D65D67C6AA694284F7584E25ADD3543333C7@nor935nte2k1.nor935.chevrontexaco.net>

Is there a way to change the default no-argument behavior of ssh-add from
adding $HOME/.ssh/identity to another type?

Thanks,

Eric

From wknox at mitre.org Sat Sep 28 04:57:02 2002
From: wknox at mitre.org (William R. Knox)
Date: Fri, 27 Sep 2002 14:57:02 -0400 (EDT)
Subject: Ssh-add question.
In-Reply-To: <53D65D67C6AA694284F7584E25ADD3543333C7@nor935nte2k1.nor935.chevrontexaco.net>
Message-ID:

Upgrade to a more recent version of OpenSSH - the default has been to add
all three keys since 3.1, I believe.

Bill Knox
Senior Operating Systems Programmer/Analyst
The MITRE Corporation

On Fri, 27 Sep 2002, Ladner, Eric (Eric.Ladner) wrote:

> Date: Fri, 27 Sep 2002 10:00:03 -0500
> From: "Ladner, Eric (Eric.Ladner)"
> To: openssh-unix-dev at mindrot.org
> Subject: Ssh-add question.
>
>
> Is there a way to change the default no-argument behavior of ssh-add from
> adding $HOME/.ssh/identity to another type?
>
> Thanks,
>
> Eric
>

From jmknoble at pobox.com Sat Sep 28 05:00:12 2002
From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 27 Sep 2002 15:00:12 -0400
Subject: Ssh-add question.
In-Reply-To: <53D65D67C6AA694284F7584E25ADD3543333C7@nor935nte2k1.nor935.chevrontexaco.net>; from Eric.Ladner@ChevronTexaco.com on Fri, Sep 27, 2002 at 10:00:03AM -0500
References: <53D65D67C6AA694284F7584E25ADD3543333C7@nor935nte2k1.nor935.chevrontexaco.net>
Message-ID: <20020927150012.A26318@zax.half.pint-stowp.cx>

Circa 2002-09-27 10:00:03 -0500 dixit Ladner, Eric (Eric.Ladner):

: Is there a way to change the default no-argument behavior of ssh-add from
: adding $HOME/.ssh/identity to another type?

In openssh-3.4p1 (which has been available since June of this year),
ssh-add(1) says:

[...] When run without arguments, it adds the files $HOME/.ssh/id_rsa,
$HOME/.ssh/id_dsa and $HOME/.ssh/identity.

What version are you using?

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

From nathanb at clinicomp.com Sat Sep 28 07:10:13 2002
From: nathanb at clinicomp.com (Nathan Bardsley)
Date: Fri, 27 Sep 2002 14:10:13 -0700
Subject: FIPS 140-2 certification
Message-ID: <3D94C935.4080209@clinicomp.com>

Hello everyone!

I work for a company that uses OpenSSH to remotely support systems we've sold. Since some of our clients are US Dept. of Defense hospitals, our access to these servers needs to comply with a whole range of requirements and standards. At this point it's looking like the SSH daemon needs to be FIPS 140-2 compliant, and the only package that is certified is F-Secure.

The other option is for CliniComp to sponsor getting OpenSSH through the certification process, and that's what I'm exploring.

I'd really appreciate knowing what the core developers think about this, and how willing they would be to assist in the process. I know there will need to be a fair amount of documentation, and there is no substitute for first-hand knowledge. Also, it seems pretty clear that at least some code changes will be needed including self-tests, a new prng, and work in the key generation & validation modules.

While we (CliniComp) do have some resources including technical writers and programmers, we certainly do not have the expertise in cryptography to just do it all ourselves. And if this does happen, part of the point would be for the necessary changes to be rolled back into the standard package.

Please understand that right now I'm just exploring possibilities, but the other option for us is to spend a lot of money on F-Secure licenses. I would very much appreciate hearing your thoughts and from anyone else interested in making this happen.

Thanks,
--Nathan

From mouring at etoh.eviladmin.org Sat Sep 28 07:34:44 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 27 Sep 2002 16:34:44 -0500 (CDT)
Subject: FIPS 140-2 certification
In-Reply-To: <3D94C935.4080209@clinicomp.com>
Message-ID:

On Fri, 27 Sep 2002, Nathan Bardsley wrote:

> Hello everyone!
>
> I work for a company that uses OpenSSH to remotely support systems we've
> sold. Since some of our clients are US Dept. of Defense hospitals, our
> access to these servers needs to comply with a whole range of
> requirements and standards. At this point it's looking like the SSH
> daemon needs to be FIPS 140-2 compliant, and the only package that is
> certified is F-Secure.
>

Where are these 'FIPS 140-2' requirements? If they are anything like the other military requirements they are impractical and insane (yes I've had some time in the area. Not my idea of fun =).

> The other option is for CliniComp to sponsor getting OpenSSH through the
> certification process, and that's what I'm exploring.
>
> I'd really appreciate knowing what the core developers think about this,
> and how willing they would be to assist in the process. I know there
> will need to be a fair amount of documentation, and there is no
> substitute for first-hand knowledge. Also, it seems pretty clear that at
> least some code changes will be needed including self-tests, a new prng,
> and work in the key generation & validation modules.
>

We have a regress/ section in the current tree.

What is the issue with prng? You really should be using kernel level devices. prngd and built-in prng should be a last resort. Besides, I bet our prng could easily get certified by NIST. It is a more sane implementation than some of the NIST certified stuff at my work.=)

- Ben

From nathanb at clinicomp.com Sat Sep 28 08:42:16 2002
From: nathanb at clinicomp.com (Nathan Bardsley)
Date: Fri, 27 Sep 2002 15:42:16 -0700
Subject: FIPS 140-2 certification
References:
Message-ID: <3D94DEC8.80604@clinicomp.com>

Ben Lindstrom wrote:
> Where are these 'FIPS 140-2' requirements? If they are anything like the
> other military requirements they are impractical and insane (yes I've had
> some time in the area. Not my idea of fun =).

This: is the URL at NIST, I'm just getting started at digging into this, and so any answers I might give you today are probably not the answers you want. I don't get the sense that the requirements are insane, but yeah, it's certainly possible some of them will oppose the OpenBSD/SSH/SSL philosophies. For the most part, it seems that FIPS 140 is (one of) the lowest standards for "sensitive but unclassified" information. And pretty soon, if not already, most crypto software used in DoD related projects will need to be certified.

> We have a regress/ section in the current tree.
>
> What is the issue with prng? You really should be using kernel level
> devices. prngd and built-in prng should be a last resort. Besides, I
> bet our prng could easily get certified by NIST. It is a more sane
> implementation than some of the NIST certified stuff at my work.=)

I was trying to give you guys a broad overview of what I've gathered so far, so please don't take anything as a criticism. I spoke with an engineer at one of the labs that could do the testing, and that's where that list of issues came from -- a very brief conversation about whether or not I was crazy to try this.

The self-test requirement is (I think) on module loading, a sort of software POST. The prng issue is (once again, I think) that your prng isn't certified. (=My= issue with prngs is IRIX, and believe me I know that it's my problem =).

There is not a list of what the specific problems and issues are yet, and much depends on exactly how the "system" to be certified is defined: what exactly is the relationship between OpenSSH and OpenSSL during the testing process? What platform is the testing done on? What codebase snapshot is used? What is the configuration to be certified?

Thanks,
--Nathan

From mouring at etoh.eviladmin.org Sat Sep 28 10:10:18 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 27 Sep 2002 19:10:18 -0500 (CDT)
Subject: FIPS 140-2 certification
In-Reply-To: <3D94DEC8.80604@clinicomp.com>
Message-ID:

On Fri, 27 Sep 2002, Nathan Bardsley wrote:

> Ben Lindstrom wrote:
> > Where are these 'FIPS 140-2' requirements? If they are anything like the
> > other military requirements they are impractical and insane (yes I've had
> > some time in the area. Not my idea of fun =).
>
> This: is the URL at NIST, I'm just
> getting started at digging into this, and so any answers I might give
> you today are probably not the answers you want. I don't get the sense
> that the requirements are insane, but yeah, it's certainly possible some
> of them will oppose the OpenBSD/SSH/SSL philosophies. For the most part,
> it seems that FIPS 140 is (one of) the lowest standards for "sensitive
> but unclassified" information. And pretty soon, if not already, most
> crypto software used in DoD related projects will need to be certified.
>

FIPS 140 is linked to C2 security from the looks of it. And from my skimming it looks like OpenSSL would need to get NIST approval for their general crypto, their digital signatures, and more than likely their MAC code.

As for OpenSSH, it is very sketchy. If I read it correctly, they would prefer you do crypto keys via a cryptocard, securid card, etc. And the ability to support -C none for testing on wire (I think you can get away without it).

I'd have to see the results of an audit to make any real comments on it, but at a glance I'm not sure FIPS 140 has very much effect on OpenSSH. FIPS 140 seems to be a 'system level' document not a single 'software level'. SSH protocol itself cares nothing about a lot of the stuff in the docs, but as a system admin you would care your OS supports it.

I'm surprised that you are using IRIX. I would not have thought IRIX would have gotten FIPS rating. AIX or Solaris Trusted would not have surprised me. Guess I'll have to have a chat with a buddy over there. =)

The other thing that sticks out in the document is their repeated request for some form of 'hardware' crypto. Which would by-pass (correct me if I'm wrong someone on the OpenSSL List) most of the need to certify most of the algorithms.

> > We have a regress/ section in the current tree.
> >
> > What is the issue with prng? You really should be using kernel level
> > devices. prngd and built-in prng should be a last resort. Besides, I
> > bet our prng could easily get certified by NIST. It is a more sane
> > implementation than some of the NIST certified stuff at my work.=)
>
> I was trying to give you guys a broad overview of what I've gathered so
> far, so please don't take anything as a criticism. I spoke with an
> engineer at one of the labs that could do the testing, and that's where that
> list of issues came from -- a very brief conversation about whether or
> not I was crazy to try this.
>

I'm not taking it as a criticism. Just giving my personal belief.

The NIST randomization test is pretty basic. The idea behind the builtin PRNG or PRNGD should easily pass it without too many problems. However for either case it really would depend on what programs you allow it to grab entropy from.

I don't have a crypto PCI card, but with one of those in a box lacking kernel level /dev/random. Does OpenSSL always seed itself? If so it removes the need for our prng. Otherwise, my suggestion is NIST must have certified a random number generator card. Write your own 'ssh-prng-helper' that uses that card instead of our code. =) That is why it was rewritten that way for customized prng generation.

> The self-test requirement is (I think) on module loading, a sort of
> software POST. The prng issue is (once again, I think) that your prng
> isn't certified. (=My= issue with prngs is IRIX, and believe me I know
> that it's my problem =). There is not a list of what the specific
> problems and issues are yet, and much depends on exactly how the "system"
> to be certified is defined: what exactly is the relationship between
> OpenSSH and OpenSSL during the testing process? What platform is the
> testing done on? What codebase snapshot is used? What is the
> configuration to be certified?
>

OpenSSH (In theory) should deploy no internal encryption code. I believe we break the rule for AES only because at that time OpenSSL did not support it (they do now). We depend on OpenSSL for all crypto work (that way we can support hardware crypto).

BTW.. I'm not turning my nose up at the idea. Just a bit leery. I've spent enough time reading C2 and seeing implementation of it to know how insanely complex it can be for almost no real gain. FIPS 140 looks a lot more sane, but it seems to be targeting the whole machine.

If your company goes ahead and does a preliminary test to see how compliant the code is, I'm sure the OpenSSL and OpenSSH projects would be interested in the outcome. I can't say that it will be adopted unless they are reasonable things.

- Ben

From bugzilla-daemon at mindrot.org Sat Sep 28 11:04:14 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 28 Sep 2002 11:04:14 +1000 (EST)
Subject: [Bug 405] getaddrinfo delays
Message-ID: <20020928010414.4FA393D16E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=405

------- Additional Comments From mouring at eviladmin.org 2002-09-28 11:04 -------

openbsd-compat/fake-getaddrinfo.c: if you don't have the function call, it attempts to do the equivalent. So if you don't have it set then there is a bug in that function.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From mouring at etoh.eviladmin.org Sat Sep 28 11:32:11 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 27 Sep 2002 20:32:11 -0500 (CDT)
Subject: Question regarding patch for ProxyCommand setting
In-Reply-To: <20020926181910.A18637996@ohm.arago.de>
Message-ID:

Without pulling it out of the Host * section and putting in each area. I don't think so.

Trying to think of the best/easy way to handle this if a patch is accepted post 3.5. I don't like the 'ProxyCommand -'. It does not match any of our current syntax. I'd almost want to suggest a 'DisableProxyCommand [yes|no]'. but 'DisableProxyCommand no' does not make sense.

I'm not sure that we want to allow 'ProxyCommand' with no additional argument, but it would make more sense than '-' which is normally reserved hinting at 'use stdin/stdout'.

However, IdentityFile does not support clearing the internal list either (Not sure it is required ever. I can't think of a case where it would be required).

Guess if Markus agrees, I would not be against allowing:

Host *
ProxyCommand /usr/bin/spam

Host localhost
ProxyCommand

But it would be after 3.5 release.

- Ben

On Thu, 26 Sep 2002, Thomas Binder wrote:

> Hi!
>
> I recently started using ProxyCommand and noticed that it's not
> possible to specify a "none" value for it. I've already written a
> patch for that, but wanted to discuss the issue before posting the
> patch.
>
> The problem is the following: I'd like to use a ProxyCommand by
> default, but exclude some hosts. But as soon as I have
>
> Host *
> ProxyCommand /some/proxy/command %h %p
>
> at the end of ssh_config, there's no way to disable ProxyCommand
> in another host section.
>
> I need this to still have the possibility to access localhost
> without host key checking [1], i.e. I'd like to have something
> like
>
> Host localhost
> ProxyCommand -
>
> That'd be necessary because as soon as a ProxyCommand is active,
> NoHostAuthenticationForLocalhost is ignored because OpenSSH no
> longer has a way to tell whether "localhost" is really the
> loopback interface.
>
> So, is there any way to achieve what I want without adding support
> for something like "ProxyCommand -" (and without having to add
> each and every host that should be accessed via the proxy command
> to ssh_config)? And if there's no other way, would there be
> interest in adding my patch?
>
>
> Ciao
>
> Thomas
>
>
> [1] That's because I've written shell scripts that allow to copy
> files from and to remote hosts that can only be accessed with
> an ssh chain (e.g. ssh -t host1 ssh -t host2 ssh -t host3).
> This is achieved by automatically opening a tunnel to port 22
> of the remote host using such a chain, and then scp to and
> from localhost. Without NoHostAuthenticationForLocalhost, scp
> would always fail because of a changed host key.
>
>
> --
> "No, `Eureka' is Greek for `This bath is too hot.'"
> -- Dr. Who
>

From dtucker at zip.com.au Sat Sep 28 12:53:17 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 28 Sep 2002 12:53:17 +1000
Subject: Question regarding patch for ProxyCommand setting
References:
Message-ID: <3D95199D.FEF6C5CF@zip.com.au>

Ben Lindstrom wrote:
> Trying to think of the best/easy way to handle this if a patch is accepted
> post 3.5. I don't like the 'ProxyCommand -'. It does not match any of
> our current syntax.

What about just "ProxyCommand none"? That would match the syntax of EscapeChar.

> On Thu, 26 Sep 2002, Thomas Binder wrote:
> > [1] That's because I've written shell scripts that allow to copy
> > files from and to remote hosts that can only be accessed with
> > an ssh chain (e.g. ssh -t host1 ssh -t host2 ssh -t host3).

We do something similar using "ProxyCommand ssh host1 nc -w3 host2 22". You can stack them (ie another ProxyCommand could be "ssh host2 .."), all of the config is on the central host and the host keys work. You don't have port collision problems, but you do need netcat on the intermediate host.

The only problem we have with it is that ssh and sshd orphan the processes. The ssh case is fixed in -cvs, the sshd case has a proposed patch (see http://bugzilla.mindrot.org/show_bug.cgi?id=396).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Sat Sep 28 21:20:41 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 28 Sep 2002 21:20:41 +1000
Subject: Portability patch for regression tests
Message-ID: <3D959089.6819DF05@zip.com.au>

Hi All,

As threatened, I have rolled up the various portability patches for the regression tests. Assuming all is well, running the tests is as simple as "make tests", although some platforms (eg AIX) require "SUDO=sudo" first.

I took the tests from OpenBSD CVS written by Markus and incorporated the patches written by Roumen Petrov and myself as well as various suggestions by various people. I also wrote a crude README, intended to ship in the portable openssh tarball and reduce the number of "How do I ..." posts. Where possible, I tried to avoid changes and preserve the original default behaviour.

This has been tested on Solaris (2.6,8), HP-UX 11.0, Redhat 7.3, OpenBSD 3.1 and AIX 4.3.3. It has a good chance of running on other Unix or similar platforms without further changes.

The changes and reasons for them can be found in the following threads:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102734348721347
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102760388201413

The patches (against OpenBSD and OpenSSH) and the README can be had from:
http://www.zip.com.au/~dtucker/openssh/regress/

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From stevesk at pobox.com Sun Sep 29 07:23:26 2002
From: stevesk at pobox.com (Kevin Steves)
Date: Sat, 28 Sep 2002 14:23:26 -0700
Subject: Question regarding patch for ProxyCommand setting
In-Reply-To:
References: <20020926181910.A18637996@ohm.arago.de>
Message-ID: <20020928212326.GA1955@jenny.crlsca.adelphia.net>

On Fri, Sep 27, 2002 at 08:32:11PM -0500, Ben Lindstrom wrote:
> Host localhost
> ProxyCommand

i can't think of a problem with just:

ProxyCommand no

From josh-openssh at untruth.org Sun Sep 29 07:36:10 2002
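The ProxyCommand thread above (Thomas Binder's request, and the replies from Ben Lindstrom, Darren Tucker and Kevin Steves) rests on two ssh_config rules: for each keyword the first value obtained wins, so a per-host override only works if it appears before "Host *", and the override needs a spelling that means "no proxy". The following is an added example, not OpenSSH's code: a small Python model of that resolution, using "ProxyCommand none" (Darren's proposal, and the form current OpenSSH releases accept). Host patterns support "*", "?" and a leading "!" negation as in ssh_config(5); everything else about ssh_config is left out, and the three sample configurations are constructed for the example.

```python
"""Resolve ProxyCommand for a host the way ssh_config(5) does (added example).

Models two rules: (1) the first obtained value of a keyword wins, so an
override must precede "Host *"; (2) "ProxyCommand none" clears the proxy.
Not OpenSSH's code; sample configurations below are constructed.
"""
from fnmatch import fnmatchcase


def parse_ssh_config(text):
    """Split ssh_config text into (host_patterns, {keyword: value}) blocks in file order."""
    blocks = []
    patterns, options = ["*"], {}      # keywords before the first Host line apply everywhere
    blocks.append((patterns, options))
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            patterns, options = value.split(), {}
            blocks.append((patterns, options))
        else:
            options.setdefault(keyword, value)   # a repeated keyword in one block is also ignored
    return blocks


def host_matches(host, patterns):
    """True if some pattern matches the host and no "!"-negated pattern does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:]):
                return False
        elif fnmatchcase(host, pat):
            matched = True
    return matched


def first_obtained(blocks, host, keyword):
    """Walk blocks in file order and return the first value set for keyword, like ssh(1)."""
    keyword = keyword.lower()
    for patterns, options in blocks:
        if host_matches(host, patterns) and keyword in options:
            return options[keyword]
    return None


def proxy_command_for(config_text, host, port=22):
    """Command ssh would run as the connection proxy for host, or None to connect directly."""
    value = first_obtained(parse_ssh_config(config_text), host, "ProxyCommand")
    if value is None or value.lower() == "none":
        return None
    # ssh expands %h and %p in ProxyCommand; other tokens are left alone here
    return value.replace("%h", host).replace("%p", str(port))


# Constructed sample: the override placed before "Host *", so it takes effect.
OVERRIDE_FIRST = """
Host localhost
    ProxyCommand none

Host *
    ProxyCommand /some/proxy/command %h %p
"""

# Constructed sample: same lines in the other order; "Host *" has already won for localhost.
OVERRIDE_LAST = """
Host *
    ProxyCommand /some/proxy/command %h %p

Host localhost
    ProxyCommand none
"""

# Constructed sample of the chaining idea: reach host2 through host1 with netcat.
# The inner "ssh host1" is a fresh ssh run that resolves host1 against this same file.
CHAINED = """
Host host2
    ProxyCommand ssh host1 nc -w3 %h %p

Host host1 localhost
    ProxyCommand none

Host *
    ProxyCommand /some/proxy/command %h %p
"""

if __name__ == "__main__":
    samples = [("override first", OVERRIDE_FIRST), ("override last", OVERRIDE_LAST), ("chained", CHAINED)]
    for name, cfg in samples:
        for host in ("localhost", "host1", "host2", "server.example"):
            print(f"{name:15} {host:15} -> {proxy_command_for(cfg, host)}")
```

Running it shows the trap Thomas hit: with OVERRIDE_LAST, localhost still gets the proxy because "Host *" was read first, while OVERRIDE_FIRST and CHAINED give localhost (and host1) a direct connection. The real ssh client reports the same resolution with `ssh -G host`.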
From: josh-openssh at untruth.org (Joshua Hill)
Date: Sat, 28 Sep 2002 14:36:10 -0700
Subject: FIPS 140-2 certification
In-Reply-To: ; from mouring@etoh.eviladmin.org on Fri, Sep 27, 2002 at 07:10:18PM -0500
References: <3D94DEC8.80604@clinicomp.com>
Message-ID: <20020928143610.A11600@delusion.private.untruth.org>

On Fri, Sep 27, 2002 at 07:10:18PM -0500, Ben Lindstrom wrote:
> FIPS 140 is linked to C2 security from the looks of it. And from my
> skimming it looks like OpenSSL would need to get NIST approval for their
> general crypto, their digital signatures, and more than likely their MAC
> code.

FIPS 140-2 (http://csrc.nist.gov/cryptval/140-2.htm) doesn't directly relate to TCSEC C2, though there are some of the TCSEC C2 requirements that are folded into the CAPP Common Criteria Protection Profile, which is referenced by FIPS 140-2.

FIPS 140 allows the vendor to establish the bounds of the cryptographic boundary. One possible place to establish these bounds is the OpenSSL library, but by doing this, you would exclude the logic that governs the key agreement protocol, user authentication, cryptographic configuration, etc, that is used by OpenSSH, which is against the spirit of FIPS 140, if not the letter of the standard.

> As for OpenSSH, it is very sketchy. If I read it correctly, they
> would prefer you do crypto keys via a cryptocard, securid card, etc.

They want you to generate keys (and inputs to things that are used to establish/agree upon keys) using an approved PRNG. At this point, the PRNG would need to either be an implementation of the ANSI X9.31 appendix C PRNG (which is TDES based) or the FIPS 186-2 appendix 3 PRNG (which is either SHA based, or DES based). This requirement should not be confused with the FIPS 140-2 statistical tests, which are run on an already evaluated/validated PRNG design to make sure that it isn't malfunctioning.

> I'd have to see the results of an audit to make any real comments on it, but
> at a glance I'm not sure FIPS 140 has very much effect on OpenSSH. FIPS 140
> seems to be a 'system level' document not a single 'software level'.

The OpenSSH product is the sort of thing that is FIPS certified. FIPS is somewhat hardware-centric, but there are quite a few software modules. In addition, NIST has been trying to generally make the FIPS 140 standard more software-friendly (the physical security section can be marked not applicable for software only modules, for instance). For the most part, they have succeeded in making it obtainable.

The one area that still poses a problem for real modules pursuing level 1 certification is the operating environment section. At level 1, FIPS 140-2 doesn't require any particular operating system to be used, but it does require a series of somewhat draconian restrictions to be placed on the operating system (the OS must be in Single User Mode, for instance). These restrictions have historically made it so that vendors are not interested in pursuing FIPS 140 level 1 certification on software modules that run on UNIXish systems.

This (somewhat perversely) makes it somewhat more reasonable to obtain FIPS 140-2 level 2 in the operating environment section. In order to get level 2 in this area, the vendor must use a common criteria EAL2 (or equivalent) rated operating system, evaluated to one of a set of approved protection profiles. Getting a common criteria rating on something as large as an operating system is a rather long, intensive (costly) process, but fortunately, SUN has already done this with Solaris 8. So, the easiest way to proceed is probably to do the evaluation on a common criteria compliant install of Solaris 8.

> SSH
> protocol itself cares nothing about a lot of the stuff in the docs, but as
> a system admin you would care your OS supports it.

The SSH protocol can't go through FIPS 140-2 evaluation, only a particular implementation of the protocol. You can provide a set of policy documents to address items that are somewhat out of the control of your software.

> The other thing that sticks out in the document is their repeated request
> for some form of 'hardware' crypto. Which would by-pass (correct me if
> I'm wrong someone on the OpenSSL List) most of the need to certify most of
> the algorithms.

FIPS 140 doesn't require hardware implementations of any algorithm.

> OpenSSH (In theory) should deploy no internal encryption code. I believe
> we break the rule for AES only because at that time OpenSSL did not
> support it (they do now). We depend on OpenSSL for all crypto work (that
> way we can support hardware crypto).

A FIPS module is required to perform self-tests in order to verify that its crypto functionality is working correctly. These tests must be run each time the module is started. If the OpenSSH program is to be certified, it needs to do these tests. If the OpenSSL library accomplishes them (which I do not believe it does) then nothing else needs to happen. More likely, however, the various OpenSSH commands would need to test all the cryptographic primitives they use.

Josh

From bugzilla-daemon at mindrot.org Sun Sep 29 17:58:10 2002
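Joshua Hill's last paragraph, and Nathan Bardsley's earlier "software POST" remark, describe the power-up self-tests FIPS 140-2 expects of a module: run every cryptographic primitive against a known answer before the module does real work, and refuse to operate if any answer is wrong; the standard's section 4.9 also asks for a continuous test on the random number generator. The block below is an added example written for this page, not code from OpenSSH or OpenSSL, and it models only those two checks. The known-answer vectors are the published SHA-1 and SHA-256 digests of "abc" and the common HMAC-SHA-256 example with key "key"; the stuck generator and the corrupted vector are constructed faults, and CryptoModule is a hypothetical wrapper showing how the gate would sit in front of an API.

```python
"""Power-up self-tests in the spirit of FIPS 140-2 section 4.9 (added example).

Not OpenSSH's or OpenSSL's code. Known-answer tests (KATs) run each primitive
against a fixed vector before use; a continuous RNG test compares every block
of random output with the previous one. Faults below are constructed.
"""
import hashlib
import hmac
import os


class SelfTestError(RuntimeError):
    """Raised when a self-test fails; the module must refuse to operate."""


# (name, callable computing a hex digest, expected hex digest) -- published vectors
KNOWN_ANSWERS = [
    ("SHA-1",
     lambda: hashlib.sha1(b"abc").hexdigest(),
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("SHA-256",
     lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA-256",
     lambda: hmac.new(b"key", b"The quick brown fox jumps over the lazy dog",
                      hashlib.sha256).hexdigest(),
     "f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8"),
]


def run_known_answer_tests(answers=KNOWN_ANSWERS):
    """Return {name: passed} for every vector; raise SelfTestError if any failed."""
    results = {name: hmac.compare_digest(compute(), expected)
               for name, compute, expected in answers}
    failed = [name for name, ok in results.items() if not ok]
    if failed:
        raise SelfTestError("known-answer test failed: " + ", ".join(failed))
    return results


class ContinuousRngTest:
    """Compare each output block with the previous one; a stuck generator is caught
    on the first real read because the first block is held back for comparison only."""

    def __init__(self, source, block_size=16):
        self._source = source
        self._block_size = block_size
        self._last = source(block_size)

    def read(self):
        block = self._source(self._block_size)
        if block == self._last:
            raise SelfTestError("RNG repeated a %d-byte block" % self._block_size)
        self._last = block
        return block


class CryptoModule:
    """Hypothetical module: every operation is gated on a successful power-up test."""

    def __init__(self, rng_source=os.urandom):
        self._ready = False
        self._rng = None
        self._rng_source = rng_source

    def power_up(self):
        """Run KATs and prime the RNG test; any failure leaves the module unusable."""
        run_known_answer_tests()
        self._rng = ContinuousRngTest(self._rng_source)
        self._ready = True
        return True

    def hmac_sha256(self, key, data):
        if not self._ready:
            raise SelfTestError("module used before self-tests passed")
        return hmac.new(key, data, hashlib.sha256).hexdigest()

    def random_bytes(self):
        if not self._ready:
            raise SelfTestError("module used before self-tests passed")
        return self._rng.read()


def stuck_rng_is_rejected():
    """Constructed fault: a generator that always returns zero bytes."""
    module = CryptoModule(rng_source=lambda n: b"\x00" * n)
    module.power_up()
    try:
        module.random_bytes()
    except SelfTestError:
        return True
    return False


def corrupted_primitive_is_rejected():
    """Constructed fault: a wrong expected answer for SHA-256 must stop the module."""
    bad = [("SHA-256", lambda: hashlib.sha256(b"abc").hexdigest(), "00" * 32)]
    try:
        run_known_answer_tests(bad)
    except SelfTestError:
        return True
    return False
```

The point of the gate is the one Josh makes: the tests run on every start, not once at build time, and a failure leaves the module unusable rather than logged and ignored. A real submission would also cover the ciphers, signature and key-agreement primitives the program actually uses, which Python's standard library does not expose.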
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 29 Sep 2002 17:58:10 +1000 (EST)
Subject: [Bug 371] OpenSSH fails to build on Alpha True64 in cipher.c
Message-ID: <20020929075810.AE0E33D14B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=371

------- Additional Comments From dtucker at zip.com.au 2002-09-29 17:58 -------

Created an attachment (id=152)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=152&action=view)
Cast EVP_rc4 to void * for comparison

Try this patch. I don't have a Tru64 box so I can't test it but it suppresses the warning from gcc, so you might be lucky.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From dtucker at zip.com.au Sun Sep 29 18:09:08 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 29 Sep 2002 18:09:08 +1000
Subject: [PATCH] Only call loginrestrictions on AIX if running as root
Message-ID: <3D96B524.B0EE4@zip.com.au>

Hi All,

I have found that the regression tests on AIX failed as a non-root user. This is due to a call to loginrestrictions() failing.

The man page for loginrestrictions says:

    "Access Control: The calling process must have access to the account
    information in the user database and the port information in the port
    database."

These files are: /etc/security/user, /etc/security/login.cfg and /etc/security/portlog, which are readable only by root or group "security".

Please consider applying the attached patch, which calls loginrestrictions only if running as root. With this patch, AIX 4.2.1 & 4.3.3 complete the entire regression suite without sudo.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

-------------- next part --------------
Index: auth.c
===================================================================
RCS file: /cvs/openssh/auth.c,v
retrieving revision 1.58
diff -u -r1.58 auth.c
--- auth.c 21 Sep 2002 15:26:53 -0000 1.58
+++ auth.c 29 Sep 2002 05:53:43 -0000
@@ -202,7 +202,7 @@ } #ifdef WITH_AIXAUTHENTICATE - if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { + if ((geteuid()==0) && loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) { if (loginmsg && *loginmsg) { /* Remove embedded newlines (if any) */ char *p;

From wdanjuma at lineone.net Mon Sep 30 07:58:31 2002
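Review bot: the new condition in the `+` line, `(geteuid()==0) && loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0`, does parse as intended because `!=` binds tighter than `&&`, but parenthesising only the first operand while leaving the second bare, on a line this long, invites misreading; suggest `if (geteuid() == 0 && loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {` wrapped after the `&&`, with a one-line comment that loginrestrictions() needs root to read /etc/security/user, login.cfg and portlog, since that rationale currently lives only in the mail and not next to the check. Worth considering as well: when the check is skipped the code path is indistinguishable from a passed restriction check, so a debug() in that case would make an unprivileged test run visible in the log rather than silent.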
From: wdanjuma at lineone.net (Winston Danjuma NcHamukong)
Date: Sun, 29 Sep 2002 22:58:31 +0100
Subject: Openssh Failure
Message-ID: <3D8FAB620000851D@mk-cpfrontend-3.mail.uk.tiscali.com>

Dear Mr. Lindstrom,

I have just installed openssh-3.4 on solaris 8 sparc with the options below but when I try to start the openssh daemon using the supplied script I get this error message;

    "starting /usr/local/openssh/sbin/sshd... Killed
    /etc/init.d/opensshd: Error 137 starting /usr/local/openssh/sbin/sshd... bailing."

Another problem encountered during installation was this error "echo "WARNING: Privilege separation user \"sshd\" does not exist". However, I resolved this by creating a user for the sshd daemon as shown below.

    uid=60003(sshd) gid=60003(sshd)

These are the options used;

    ./configure \
    --prefix=/usr/local/openssh \
    --sysconfdir=/usr/local/openssh/etc/ssh \
    --with-pam \
    --disable-suid-ssh \
    --without-rsh \
    --with-ipv4-default \
    --with-md5-passwords \
    --with-ssl-dir=/usr/local/openssl \
    --with-zlib=/usr/local/lib/libz.* \
    --with-xauth=/usr/openwin/bin/xauth \
    --with-tcp-wrappers=/usr/local/bin \
    --with-skey=/usr/local/skey-1.1.5 \
    --with-pid-dir=/var/run \

The above options were used with the previous version of openssh and it worked well, without any problem.

I look forward to hearing from you at your very earliest convenience.

Regards,
Winston D.NcHamukong

From dtucker at zip.com.au Mon Sep 30 12:15:51 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 30 Sep 2002 12:15:51 +1000
Subject: Openssh Failure
References: <3D8FAB620000851D@mk-cpfrontend-3.mail.uk.tiscali.com>
Message-ID: <3D97B3D7.CEE543AE@zip.com.au>

Winston Danjuma NcHamukong wrote:
> "starting /usr/local/openssh/sbin/sshd... Killed
> /etc/init.d/opensshd: Error 137 starting /usr/local/openssh/sbin/sshd...
> bailing."

I would guess that you have 64-bit Solaris, GNU binutils-2.12.1 or lower, your compiler is using /usr/ccs/bin/ld for linking and you have GNU strip in your path before /usr/ccs/bin/strip.

This combination has a bug that corrupts binaries when they're stripped (which is done as part of "make install"). If this is the case you'll see something like the following error during the strip operation:

    BFD: ./stbAa4B5: warning: allocated section `.interp' not in segment

Attempting to start one of the affected binaries will give:

    # /usr/local/sbin/sshd -ddd
    /usr/local/sbin/sshd: Cannot find ELF
    Killed

and "dmesg" will report something like "Cannot find ^?ELF^A^B^A"

If this is the case, you can:
a) Set your path to include /usr/ccs/bin first, then make distclean and rebuild.
b) upgrade to binutils-2.13, which has fixed this bug.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Mon Sep 30 12:48:25 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 30 Sep 2002 12:48:25 +1000
Subject: Snapshots: run autoconf before creating tarballs?
Message-ID: <3D97BB79.71096095@zip.com.au>

Would it be possible to run autoconf (or make -f Makefile distprep) before creating the snapshot tarballs? It would make it easier for people to use (mainly, they wouldn't have to get/install/run autoconf and GNU m4).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From djm at mindrot.org Mon Sep 30 14:11:49 2002
From: djm at mindrot.org (Damien Miller)
Date: 30 Sep 2002 14:11:49 +1000
Subject: Snapshots: run autoconf before creating tarballs?
In-Reply-To: <3D97BB79.71096095@zip.com.au>
References: <3D97BB79.71096095@zip.com.au>
Message-ID: <1033359109.1145.17.camel@argon>

On Mon, 2002-09-30 at 12:48, Darren Tucker wrote:
> Would it be possible to run autoconf (or make -f Makefile distprep)
> before creating the snapshot tarballs? It would make it easier for
> people to use (mainly, they wouldn't have to get/install/run autoconf
> and GNU m4).

autoconf should have been running, but was broken on the machine which generated the snapshots. This should be fixed for tomorrow (Oct 1st) onwards.

Thanks,
Damien Miller

From bugzilla-daemon at mindrot.org Mon Sep 30 19:02:56 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 30 Sep 2002 19:02:56 +1000 (EST)
Subject: [Bug 3] sshd does not properly daemonize itself
Message-ID: <20020930090256.4B5F93D0E6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=3

------- Additional Comments From markus at openbsd.org 2002-09-30 19:02 -------

http://marc.theaimsgroup.com/?l=bind9-workers&m=103112021703700&w=2

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From GILBERT.R.LOOMIS at saic.com Mon Sep 30 23:12:10 2002
From: GILBERT.R.LOOMIS at saic.com (Loomis, Rip)
Date: Mon, 30 Sep 2002 09:12:10 -0400
Subject: FIPS 140-2 certification
Message-ID: <3C1E3607B37295439F7C409EFBA08E6803B95779@US-Columbia-CIST.mail.saic.com>

> I'm surprised that you are using IRIX. I would not have thought IRIX
> would have gotten FIPS rating. AIX or Solaris Trusted would not have
> surprised me. Guess I'll have to have a chat with a buddy
> over there. =)

See http://niap.nist.gov/cc-scheme/CCEVS-CC-VID401-SGI_IRIX.html for details. (disclaimer: I work for SAIC and was involved in preparing the evidence for this evaluation. TRIX was evaluated at the same time.)

I'd be very interested in following up on FIPS 140 [series] certification of OpenSSL/OpenSSH as well, but as others have noted it might be a difficult process even with a financial sponsor.

--
Rip Loomis
Senior Systems Security Engineer
SAIC Secure Business Solutions Group
www.saic.com/securebiz
Center for Information Security Technology
www.cist-east.saic.com