From binder at arago.de Tue Apr 1 00:36:52 2003 From: binder at arago.de (Thomas Binder) Date: Mon, 31 Mar 2003 16:36:52 +0200 Subject: OpenSSH 3.6 released In-Reply-To: <20030331124859.GA4497@folly> References: <20030331124859.GA4497@folly> Message-ID: <20030331143651.GA1766525@ohm.arago.de> Hi! On Mon, Mar 31, 2003 at 02:48:59PM +0200, Markus Friedl wrote: > Changes since OpenSSH 3.5: > ============================ > [...] > * scp(1) supports add -1 and -2. Well, I thought that - according to Markus - "it was decided that scp should get no more options". Why that change in opinion? Ciao Thomas From markus at openbsd.org Tue Apr 1 02:00:32 2003 From: markus at openbsd.org (Markus Friedl) Date: Mon, 31 Mar 2003 18:00:32 +0200 Subject: OpenSSH 3.6 released In-Reply-To: <20030331143651.GA1766525@ohm.arago.de> References: <20030331124859.GA4497@folly> <20030331143651.GA1766525@ohm.arago.de> Message-ID: <20030331160031.GA19532@folly> On Mon, Mar 31, 2003 at 04:36:52PM +0200, Thomas Binder wrote: > Hi! > > On Mon, Mar 31, 2003 at 02:48:59PM +0200, Markus Friedl wrote: > > Changes since OpenSSH 3.5: > > ============================ > > [...] > > * scp(1) supports add -1 and -2. > > Well, I thought that - according to Markus - "it was decided that > scp should get no more options". Why that change in opinion? because we want to get real bug reports. e.g., that openssh 3.6 does not interop with ssh.com 2.4 -m From markus at openbsd.org Tue Apr 1 04:30:41 2003 From: markus at openbsd.org (Markus Friedl) Date: Mon, 31 Mar 2003 20:30:41 +0200 Subject: OpenSSH 3.6 released (fwd) Message-ID: <20030331183041.GA15057@folly> -------------- next part -------------- An embedded message was scrubbed... From: Marc-Christian Petersen Subject: Re: OpenSSH 3.6 released Date: Mon, 31 Mar 2003 18:50:18 +0200 Size: 3785 Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030331/7da804d0/attachment.mht From des at ofug.org Tue Apr 1 06:23:54 2003 
From: des at ofug.org (Dag-Erling Smørgrav) Date: Mon, 31 Mar 2003 22:23:54 +0200 Subject: resource leak in ssh1 challenge-response authentication In-Reply-To: <20030331135844.GA18977@folly> (Markus Friedl's message of "Mon, 31 Mar 2003 15:58:44 +0200") References: <20030331135844.GA18977@folly> Message-ID: Markus Friedl writes: > similar code should be in auth2_challenge_stop()... The problem doesn't seem to occur with ssh2, according to the person who reported it to me. I haven't looked very closely though. DES -- Dag-Erling Smørgrav - des at ofug.org From mouring at etoh.eviladmin.org Tue Apr 1 06:58:30 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 31 Mar 2003 14:58:30 -0600 (CST) Subject: OpenSSH 3.6 released (fwd) Message-ID: Did glibc add strnvis() support and decided to put it under some odd header? I don't run 2.3.1 glibc at this moment (but I've heard it has broken a lot of code bases). - Ben ---------- Forwarded message ---------- Date: Mon, 31 Mar 2003 21:24:50 +0200
From: Marc-Christian Petersen To: Ben Lindstrom Cc: secureshell at securityfocus.com Subject: Re: OpenSSH 3.6 released On Monday 31 March 2003 22:20, Ben Lindstrom wrote: Hi Ben, > > gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. > > -DSSHDIR=\"/etc/openssh\" -D_PATH_SSH_PROGRAM=\"/opt/openssh/bin/ssh\" > > -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/openssh/libexec/ssh-askpass\" > > -D_PATH_SFTP_SERVER=\"/opt/openssh/libexec/sftp-server\" > > -D_PATH_SSH_KEY_SIGN=\"/opt/openssh/libexec/ssh-keysign\" > > -D_PATH_SSH_PIDDIR=\"/var/run\" > > -D_PATH_PRIVSEP_CHROOT_DIR=\"/opt/openssh/chroot\" > > -DSSH_RAND_HELPER=\"/opt/openssh/libexec/ssh-rand-helper\" > > -DHAVE_CONFIG_H -c log.c > > log.c: In function `do_log': > > log.c:391: warning: implicit declaration of function `strnvis' > > log.c:391: `VIS_OCTAL' undeclared (first use in this function) > > log.c:391: (Each undeclared identifier is reported only once > > log.c:391: for each function it appears in.) > > make: *** [log.o] Error 1 > > And this platform is......... hmm, I was quite sure that I've written this into my mail but it seems it isn't in :-( Distribution: Debian SID OS: Linux Platform: x86 GCC: v2.95.4 and v3.2.3 glibc: v2.3.1 -- ciao, Marc From bugzilla-daemon at mindrot.org Tue Apr 1 06:48:31 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 1 Apr 2003 06:48:31 +1000 (EST) Subject: [Bug 498] make ssh default identity configuration more user-friendly in cygwin Message-ID: <20030331204831.E39F39424F@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=498 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From cjwatson at debian.org Tue Apr 1 07:48:09 2003 
From: cjwatson at debian.org (Colin Watson) Date: Mon, 31 Mar 2003 22:48:09 +0100 Subject: OpenSSH 3.6 released (fwd) In-Reply-To: Message-ID: In article , Ben Lindstrom wrote: >Did glibc add strnvis() support and decided to put it under some odd >header? > >I don't run 2.3.1 glibc at this moment (but I've heard it has broken a lot >of code bases). strnvis() isn't in glibc 2.3.1 (at least version 2.3.1-15 of the Debian package, which I'm currently running). OpenSSH 3.6 compiled fine for me on the same platform. I haven't tested it yet but there were no problems with a CVS build from 20030312. -- Colin Watson [cjwatson at chiark.greenend.org.uk] From bugzilla-daemon at mindrot.org Tue Apr 1 07:50:14 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 1 Apr 2003 07:50:14 +1000 (EST) Subject: [Bug 526] potential ssh-keysign segfault if pktype == KEY_UNSPEC Message-ID: <20030331215014.A276C94256@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=526 Summary: potential ssh-keysign segfault if pktype == KEY_UNSPEC Product: Portable OpenSSH Version: 3.6p1 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: Miscellaneous AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: cjwatson at debian.org gcc warns: gcc -O2 -g -Wall -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -D__FILE_OFFSET_BITS=64 -DHAVE_MMAP_ANON_SHARED -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/bin/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/ssh-rand-helper\" -DHAVE_CONFIG_H -c ssh-keysign.c ssh-keysign.c: In function `valid_request': ssh-keysign.c:58: warning: `key' might be used uninitialized in this function Looking at the code, indeed, key is only initialized if pktype != KEY_UNSPEC, but if pktype == KEY_UNSPEC then fail will be non-zero and key_free() in the following code may fire depending on what happens to be on the stack, possibly causing a segfault: if (fail && key != NULL) key_free(key); else *ret = key; I suggest explicitly initializing key to NULL. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From stuge-openssh-unix-dev at cdy.org Tue Apr 1 07:53:09 2003 
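The defect class in Bug 526, as an added illustration that is not code from OpenSSH or from the reporter: a constructed stand-in for ssh-keysign's valid_request() with hypothetical KEY_* values, a toy Key structure, key_new()/key_free() helpers and an ssh-rsa/ssh-dss name lookup. It shows why `key` has to start out as NULL: when the algorithm name is unknown, nothing is ever assigned to it, and the conditional key_free() at the end would otherwise test whatever the stack happened to hold.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for this example; OpenSSH's real KEY_* values and
 * Key structure differ. */
enum key_type { KEY_UNSPEC = 0, KEY_RSA = 1, KEY_DSA = 2 };

typedef struct key {
	enum key_type type;
} Key;

static Key *
key_new(enum key_type t)
{
	Key *k = calloc(1, sizeof(*k));

	if (k != NULL)
		k->type = t;
	return k;
}

static void
key_free(Key *k)
{
	free(k);
}

/* Map a wire algorithm name to a key type; unknown names give KEY_UNSPEC. */
static enum key_type
key_type_from_name(const char *pkalg)
{
	if (strcmp(pkalg, "ssh-rsa") == 0)
		return KEY_RSA;
	if (strcmp(pkalg, "ssh-dss") == 0)
		return KEY_DSA;
	return KEY_UNSPEC;
}

/*
 * Hypothetical stand-in for valid_request(): returns 0 and stores the key
 * in *ret on success, -1 on failure.  'key' is set to NULL up front, which
 * is the fix the report asks for: with pktype == KEY_UNSPEC nothing is
 * assigned to it, and the cleanup below must never see an indeterminate
 * pointer.
 */
int
valid_request(const char *pkalg, Key **ret)
{
	Key *key = NULL;	/* explicit initialisation: the fix */
	enum key_type pktype;
	int fail = 0;

	pktype = key_type_from_name(pkalg);
	if (pktype == KEY_UNSPEC)
		fail++;		/* key stays NULL here */
	else
		key = key_new(pktype);

	if (key == NULL && fail == 0)
		fail++;		/* allocation failed */

	/* Cleanup as quoted in the report; safe only because key is never indeterminate. */
	if (fail && key != NULL)
		key_free(key);
	else
		*ret = key;
	return (fail ? -1 : 0);
}

/*
 * Drive valid_request() and report what a caller ends up with: the key
 * type on success, -1 when the request is rejected and *ret is NULL,
 * -2 if a rejected request ever left a key behind.
 */
int
key_type_of_request(const char *pkalg)
{
	Key *k = NULL;
	int r = valid_request(pkalg, &k);
	int out;

	if (r == 0 && k != NULL) {
		out = (int)k->type;
		key_free(k);
		return out;
	}
	return (k == NULL) ? -1 : -2;
}

int
main(void)
{
	printf("ssh-rsa   -> %d\n", key_type_of_request("ssh-rsa"));
	printf("ssh-bogus -> %d\n", key_type_of_request("ssh-bogus"));
	return 0;
}
```

Building with `-Wall` reports the uninitialised variable in the original, as the bug report shows; initialising it is cheaper than reasoning about every path that skips the assignment.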
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Mon, 31 Mar 2003 23:53:09 +0200 Subject: OpenSSH 3.6 released (fwd) In-Reply-To: References: Message-ID: <20030331215309.GF10001@foo.birdnet.se> On Mon, Mar 31, 2003 at 02:58:30PM -0600, Ben Lindstrom wrote: > > Did glibc add strnvis() support and decided to put it under some odd > header? > > I don't run 2.3.1 glibc at this moment (but I've heard it has broken a > lot of code bases). I run glibc 2.3.1 and I don't seem to have either strnvis() or strvis() in my system. $ nm /usr/lib/libc.a|grep 'strn\?vis' $ nm /lib/libc-2.3.1.so|grep 'strn\?vis' $ man strnvis No manual entry for strnvis $ man strvis No manual entry for strvis Asking Google about strnvis, I get twelve OpenBSD links and two NetBSD. //Peter From ayamura at ayamura.org Tue Apr 1 09:53:33 2003 From: ayamura at ayamura.org (Ayamura KIKUCHI) Date: Tue, 01 Apr 2003 08:53:33 +0900 Subject: basename() in libgen Message-ID: <863cl3um82.wl@sea.ayamura.org> IRIX 6.5 has the basename() function in libgen. SYNOPSIS cc [flag ...] file ... -lgen [library ...] #include char *basename (char *path); -- ayamura From openssh-unix-dev at thewrittenword.com Wed Apr 2 02:54:09 2003 From: openssh-unix-dev at thewrittenword.com (Albert Chin) Date: Tue, 1 Apr 2003 10:54:09 -0600 Subject: basename() in libgen In-Reply-To: <863cl3um82.wl@sea.ayamura.org> References: <863cl3um82.wl@sea.ayamura.org> Message-ID: <20030401165409.GA64514@spuckler.il.thewrittenword.com> On Tue, Apr 01, 2003 at 08:53:33AM +0900, Ayamura KIKUCHI wrote: > IRIX 6.5 has the basename() function in libgen. > > SYNOPSIS > cc [flag ...] file ... -lgen [library ...] > > #include > char *basename (char *path); Fixed with the patch below. -- albert chin (china at thewrittenword.com) -- snip snip --- configure.ac.orig 2003-04-01 10:07:27.116989000 -0600 +++ configure.ac 2003-04-01 10:41:59.273282000 -0600 
@@ -604,7 +583,7 @@ dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS(\ - arc4random __b64_ntop b64_ntop __b64_pton b64_pton basename bcopy \ + arc4random __b64_ntop b64_ntop __b64_pton b64_pton bcopy \ bindresvport_sa clock fchmod fchown freeaddrinfo futimes \ gai_strerror getaddrinfo getcwd getgrouplist getnameinfo getopt \ getpeereid _getpty getrlimit getrusage getttyent glob inet_aton \ @@ -617,6 +596,7 @@ sysconf tcgetpgrp truncate utimes vhangup vsnprintf waitpid \ ) +AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP)) dnl Make sure strsep prototype is defined before defining HAVE_STRSEP From markus at openbsd.org Wed Apr 2 06:21:47 2003 
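Review bot: the hunk headers `@@ -604,7 +583,7 @@` and `@@ -617,6 +596,7 @@` show the new-file line numbers 21 lines off from the old ones, so this diff was taken against an already-modified configure.ac and may apply with an offset or not at all on a stock openssh-3.6p1 tree; regenerate it against the release file. The second hunk also makes HAVE_BASENAME depend solely on `AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME))` now that `basename` is gone from AC_CHECK_FUNCS (AC_SEARCH_LIBS tries plain libc before -lgen, so libc-only platforms still get the define), and because the change is in configure.ac rather than configure, nobody sees it until configure is regenerated with autoconf; the cover text should say so.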
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 1 Apr 2003 22:21:47 +0200
Subject: OpenSSH 3.6.1 released
Message-ID: <20030401202147.GA4338@folly>

OpenSSH 3.6.1 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or posters. We have a new design of T-shirt available, more info on http://www.openbsd.org/tshirts.html#18 For international orders use http://https.openbsd.org/cgi-bin/order and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

Changes since OpenSSH 3.6:
==========================

* The 'kex guesses' bugfix from OpenSSH 3.6 triggers a bug in a few other SSH v2 implementations and causes connections to stall. OpenSSH 3.6.1 disables this bugfix when interoperating with these implementations.

Changes between OpenSSH 3.5 and OpenSSH 3.6:
============================================

* RSA blinding is now used by ssh(1), sshd(8) and ssh-agent(1) in order to avoid potential timing attacks against the RSA keys. Older versions of OpenSSH have been using RSA blinding in ssh-keysign(1) only. Please note that there is no evidence that the SSH protocol is vulnerable to the OpenSSL/TLS timing attack described in http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf
* ssh-agent(1) optionally requires user confirmation if a key gets used, see '-c' in ssh-add(1).
* sshd(8) now handles PermitRootLogin correctly when UsePrivilegeSeparation is enabled.
* sshd(8) now removes X11 cookies when a session gets closed.
* ssh-keysign(8) is disabled by default and only enabled if the new EnableSSHKeysign option is set in the global ssh_config(5) file.
* ssh(1) and sshd(8) now handle 'kex guesses' correctly (key exchange guesses).
* ssh(1) no longer overwrites SIG_IGN. This matches behaviour from rsh(1) and is used by backup tools.
* setting ProxyCommand to 'none' disables the proxy feature, see ssh_config(5).
* scp(1) supports add -1 and -2.
* scp(1) supports bandwidth limiting.
* sftp(1) displays a progressmeter.
* sftp(1) has improved error handling for scripting.

Checksums:
==========

- MD5 (openssh-3.6.1p1.tar.gz) = d4c2c88b883f097fe88e327cbb4b2e2a
- MD5 (openssh-3.6.1.tgz) = aa2acd2be17dc3fd514a1e09336aab51

Reporting Bugs:
===============

- please read http://www.openssh.com/report.html and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller and Ben Lindstrom.

From rsalmon at tulane.edu Wed Apr 2 06:27:18 2003
From: rsalmon at tulane.edu (Rene Salmon) Date: Tue, 1 Apr 2003 14:27:18 -0600 Subject: basename() in libgen Message-ID: Hello, I found this post on the list archives and I am having this exact same problem. I am trying to compile and install openssh-3.6p1 on an IRIX 6.5.18 box and I get the "basename libgen" error message. gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/usr/local/include -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/local/opt/openssh-3.6p1/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/opt/openssh-3.6p1/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/opt/openssh-3.6p1/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/opt/openssh-3.6p1/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/etc/ssh\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/opt/openssh-3.6p1/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c msg.c gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/usr/local/include -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/local/opt/openssh-3.6p1/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/opt/openssh-3.6p1/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/opt/openssh-3.6p1/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/opt/openssh-3.6p1/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/etc/ssh\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/opt/openssh-3.6p1/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c progressmeter.c In file included from progressmeter.c:66: /usr/include/libgen.h:35: conflicting types for `basename' openbsd-compat/basename.h:9: previous declaration of `basename' gmake: *** [progressmeter.o] Error 1 I tried to apply the patch below on the configure.ac file but that did not help; I still get the same error message. >Fixed with the patch below. > >-- >albert chin (china at thewrittenword.com) > >-- snip snip >--- configure.ac.orig 2003-04-01 10:07:27.116989000 -0600 >+++ configure.ac 2003-04-01 10:41:59.273282000 -0600
>@@ -604,7 +583,7 @@ > > dnl Checks for library functions. Please keep in alphabetical order > AC_CHECK_FUNCS(\ >- arc4random __b64_ntop b64_ntop __b64_pton b64_pton basename bcopy >\ >+ arc4random __b64_ntop b64_ntop __b64_pton b64_pton bcopy \ > bindresvport_sa clock fchmod fchown freeaddrinfo futimes \ > gai_strerror getaddrinfo getcwd getgrouplist getnameinfo getopt \ > getpeereid _getpty getrlimit getrusage getttyent glob inet_aton \ >@@ -617,6 +596,7 @@ > sysconf tcgetpgrp truncate utimes vhangup vsnprintf waitpid \ > ) > >+AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) > AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP)) > > dnl Make sure strsep prototype is defined before defining HAVE_STRSEP Any help would be greatly appreciated. Thank you in advance. Rene From openssh-unix-dev at thewrittenword.com Wed Apr 2 06:29:38 2003 From: openssh-unix-dev at thewrittenword.com (Albert Chin) Date: Tue, 1 Apr 2003 14:29:38 -0600 Subject: basename() in libgen In-Reply-To: References: Message-ID: <20030401202938.GE69839@spuckler.il.thewrittenword.com> On Tue, Apr 01, 2003 at 02:27:18PM -0600, Rene Salmon wrote: > I tried to apply the patch below on the configure.ac file but that did not > help I still get same error message. You need to regenerate ./configure with the autoconf tool. If you don't want to do this, after you ./configure, make sure HAVE_BASENAME is set in config.h. > >Fixed with the patch below. > > > >-- > >albert chin (china at thewrittenword.com) > > > >-- snip snip > >--- configure.ac.orig 2003-04-01 10:07:27.116989000 -0600 > >+++ configure.ac 2003-04-01 10:41:59.273282000 -0600
> >@@ -604,7 +583,7 @@ > > > > dnl Checks for library functions. Please keep in alphabetical order > > AC_CHECK_FUNCS(\ > >- arc4random __b64_ntop b64_ntop __b64_pton b64_pton basename bcopy > >\ > >+ arc4random __b64_ntop b64_ntop __b64_pton b64_pton bcopy \ > > bindresvport_sa clock fchmod fchown freeaddrinfo futimes \ > > gai_strerror getaddrinfo getcwd getgrouplist getnameinfo getopt \ > > getpeereid _getpty getrlimit getrusage getttyent glob inet_aton \ > >@@ -617,6 +596,7 @@ > > sysconf tcgetpgrp truncate utimes vhangup vsnprintf waitpid \ > > ) > > > >+AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) > > AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP)) > > > > dnl Make sure strsep prototype is defined before defining HAVE_STRSEP > > > > > Any help would be greatly apreciated. Thank you in advanced. > > Rene > > -- albert chin (china at thewrittenword.com) From uf2hyey02 at sneakemail.com Wed Apr 2 07:42:57 2003 From: uf2hyey02 at sneakemail.com (uf2hyey02 at sneakemail.com) Date: Tue, 1 Apr 2003 23:42:57 +0200 Subject: openssh-3.6.1p1/README.privsep: typo Message-ID: <0106b5842210143TEL@relay6.alicomitalia.it> README.privsep: --------------- Privilege separation, or privsep, is method in OpenSSH by which ^^^^ operations that require root privilege are performed by a separate privileged monitor process. Its purpose is to prevent privilege s/is method/is a method/ From rsalmon at tulane.edu Wed Apr 2 08:24:38 2003 
From: rsalmon at tulane.edu (Rene Salmon) Date: Tue, 1 Apr 2003 16:24:38 -0600 Subject: basename() in libgen In-Reply-To: <20030401202938.GE69839@spuckler.il.thewrittenword.com> Message-ID: Hello, Thank you for the reply I generated a new ./configure file with autoconf but that did not work so I just edited the config.h file after running ./configure like you suggested and that did the trick. All I did was add this line to the config.h file: #define HAVE_BASENAME 1 Thank you for all your help Rene On Tue, 1 Apr 2003, Albert Chin wrote: > On Tue, Apr 01, 2003 at 02:27:18PM -0600, Rene Salmon wrote: > > I tried to apply the patch below on the configure.ac file but that did not > > help I still get same errro message. > > You need to regenerate ./configure with the autoconf tool. If you > don't want to do this, after you ./configure, make sure HAVE_BASENAME > is set in config.h. > > > >Fixed with the patch below. > > > > > >-- > > >albert chin (china at thewrittenword.com) > > > > > >-- snip snip > > >--- configure.ac.orig 2003-04-01 10:07:27.116989000 -0600 > > >+++ configure.ac 2003-04-01 10:41:59.273282000 -0600 > > >@@ -604,7 +583,7 @@ > > > > > > dnl Checks for library functions. Please keep in alphabetical order > > > AC_CHECK_FUNCS(\ > > >- arc4random __b64_ntop b64_ntop __b64_pton b64_pton basename bcopy > > >\ > > >+ arc4random __b64_ntop b64_ntop __b64_pton b64_pton bcopy \ > > > bindresvport_sa clock fchmod fchown freeaddrinfo futimes \ > > > gai_strerror getaddrinfo getcwd getgrouplist getnameinfo getopt \ > > > getpeereid _getpty getrlimit getrusage getttyent glob inet_aton \ 
> > >@@ -617,6 +596,7 @@ > > > sysconf tcgetpgrp truncate utimes vhangup vsnprintf waitpid \ > > > ) > > > > > >+AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) > > > AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP)) > > > > > > dnl Make sure strsep prototype is defined before defining HAVE_STRSEP > > > > > > > > > > Any help would be greatly apreciated. Thank you in advanced. > > > > Rene > > > > > > -- > albert chin (china at thewrittenword.com) > From bugzilla-daemon at mindrot.org Wed Apr 2 08:32:45 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 2 Apr 2003 08:32:45 +1000 (EST) Subject: [Bug 83] PAM limits applied incorrectly (pam_session being called as non-root) Message-ID: <20030401223245.571D49420F@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=83 ------- Additional Comments From misiek at pld.org.pl 2003-04-02 08:32 ------- Valid sshd config, valid limits.conf and with privseparation enabled I'm not allowed to login, with privseparation disabled I'm allowed to login :/ Maybe just ignore errors from pam if it's called with user rights? (but thats sounds bad for me). Anyway I can live with privseparation disabled. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From Leakin at dfw.Nostrum.com Wed Apr 2 08:41:26 2003 
From: Leakin at dfw.Nostrum.com (Lee Eakin) Date: Tue, 1 Apr 2003 16:41:26 -0600 Subject: minor cosmetic fix when using a proxy Message-ID: <20030401224126.GE24206@japh.itg.ti.com> First, apologies for not testing this before release. I've been spoiled by such a useful and stable tool. When using a proxy script to connect (I'm using the connect.c code found thru google) I get an error message trying to set TCP_NODELAY on a non-socket. I silenced the message by skipping the call to error only if errno == ENOTSOCK. There is probably a better way to handle this, maybe not calling set_nodelay when a proxy is in use? I just figured reporting it was better than keeping silent. Apply, mangle, or ignore as you see fit. See attached. -- Lee Eakin - leakin at dfw.nostrum.com I think our coffee machine is networked -- I keep seeing these dropped sugar packets all around it. -------------- next part -------------- diff -u misc.c.ORIG misc.c --- misc.c.ORIG Sun Dec 22 20:44:36 2002 +++ misc.c Mon Mar 31 15:40:18 2003 @@ -97,7 +97,9 @@ optlen = sizeof opt; if (getsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, &optlen) == -1) { - error("getsockopt TCP_NODELAY: %.100s", strerror(errno)); + if (errno != ENOTSOCK) { + error("getsockopt TCP_NODELAY: %.100s", strerror(errno)); + } return; } if (opt == 1) { From bugzilla-daemon at mindrot.org Wed Apr 2 11:19:28 2003 
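Review bot: the braces around the single `error(...)` call inside the new `if (errno != ENOTSOCK)` do not follow the KNF style used in misc.c, which leaves single-statement bodies unbraced; write it as `if (errno != ENOTSOCK)` followed by the indented `error(...)` line. The early `return` is kept for both the silent ENOTSOCK case and the reported-error case, which is correct since a pipe to a ProxyCommand cannot take TCP_NODELAY, but as the cover note itself suggests, not calling set_nodelay() at the caller when a proxy is in use would avoid the probing getsockopt() altogether and keep a real getsockopt failure on a genuine socket visible.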
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 2 Apr 2003 11:19:28 +1000 (EST) Subject: [Bug 522] terse message prompt when ssh-add fails Message-ID: <20030402011928.6957F94279@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=522 ------- Additional Comments From cjwatson at debian.org 2003-04-02 11:19 ------- I suggest "Bad passphrase for %.200s, try again" instead of "Bad passphrase, try again for %.200s". ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 2 12:53:12 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 2 Apr 2003 12:53:12 +1000 (EST) Subject: [Bug 527] Bad packet length on SunOS 4.1.3U1 Message-ID: <20030402025312.5947B9427E@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=527 Summary: Bad packet length on SunOS 4.1.3U1 Product: Portable OpenSSH Version: 3.6p1 Platform: Sparc OS/Version: SunOS Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: jsr at dexter.mi.org IP_TOS is undefined in packet.c. Setting it to 1 allows build to continue. When a Slackware Linux system running kernel 2.4.20 tries to slogin to the SunOS system, it disconnects with a bad packet length message. My "fix" to packet.c may be to blame. dex:/home/u/jsr(1)> slogin -v pontoon OpenSSH_3.6.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f debug1: Reading configuration data /usr/local/etc/ssh_config debug1: Applying options for * debug1: /usr/local/etc/ssh_config line 42: Deprecated option "FallBackToRsh" debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: Connecting to pontoon [192.168.200.30] port 22. debug1: Connection established. debug1: identity file /home/u/jsr/.ssh/identity type 0 debug1: identity file /home/u/jsr/.ssh/id_rsa type 1 debug1: identity file /home/u/jsr/.ssh/id_dsa type 2 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p1 debug1: match: OpenSSH_3.6.1p1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.6.1p1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-cbc hmac-md5 none debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host 'pontoon' is known and matches the RSA host key. 
debug1: Found key in /home/u/jsr/.ssh/known_hosts:85 debug1: ssh_rsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering public key: /home/u/jsr/.ssh/id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 149 lastkey 0x8084fa0 hint 1 debug1: read PEM private key done: type RSA debug1: Authentication succeeded (publickey). debug1: channel 0: new [client-session] debug1: Entering interactive session. debug1: channel 0: request pty-req debug1: channel 0: request shell debug1: channel 0: open confirm rwindow 0 rmax 32768 Last login: Tue Apr 1 21:38:59 2003 SunOS Release 4.1.3_U1 (EDCEN) #1: Wed Jun 10 22:54:45 EDT 1998 da8b 8996 0c22 f921 5ca3 5e07 1202 9e28 Disconnecting: Bad packet length 3666577814. debug1: Calling cleanup 0x8050cec(0x0) debug1: Calling cleanup 0x8058cd8(0x0) debug1: channel_free: channel 0: client-session, nchannels 1 debug1: Calling cleanup 0x805f8b4(0x0) dex:/home/u/jsr(2)> ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 2 14:00:35 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 2 Apr 2003 14:00:35 +1000 (EST) Subject: [Bug 527] Bad packet length on SunOS 4.1.3U1 Message-ID: <20030402040035.8436894281@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=527 ------- Additional Comments From jsr at dexter.mi.org 2003-04-02 14:00 ------- I see now that the bad packet length error is an artifact of my "fix." You probably just want to test for IP_TOS before packet_set_tos() near line 1316 in packet.c. Sorry for the mis-fire. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 2 14:25:18 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 2 Apr 2003 14:25:18 +1000 (EST) Subject: [Bug 527] Bad packet length on SunOS 4.1.3U1 Message-ID: <20030402042518.92DF194282@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=527 ------- Additional Comments From mouring at eviladmin.org 2003-04-02 14:25 ------- #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN) packet_set_tos(interactive); #endif If IP_TOS is not set, it should skip it at line 1349. I'm not seeing how it can get there. - Ben ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 2 14:47:29 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 2 Apr 2003 14:47:29 +1000 (EST) Subject: [Bug 528] ProxyCommand none breaks ssh Message-ID: <20030402044729.3A7AF9428C@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=528 Summary: ProxyCommand none breaks ssh Product: Portable OpenSSH Version: 3.6p1 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: arjones at simultan.dyndns.org I'm actually running 3.6.1p1, but Bugzilla doesn't have an entry for it yet. :) Pardon me if i'm an idiot, but the documentation says i can set ProxyCommand to none in ssh_config, and i even see special provisions for that keyword in the source code, but it doesn't work. When i set it, i get the errors: /bin/sh: line 1: exec: none: not found ssh_exchange_identification: Connection closed by remote host I checked this, and this results from passing options.proxy_command = "none" to ssh_connect. Looks like You might need the following patch: --- sshconnect.c.orig 2003-04-02 06:51:28.000000000 +0200 +++ sshconnect.c 2003-04-02 06:53:42.000000000 +0200 @@ -258,7 +258,8 @@ port = SSH_DEFAULT_PORT; } /* If a proxy command is given, connect using it. */ - if (proxy_command != NULL) + if (proxy_command != NULL && + strcmp(options.proxy_command, "none") == 0) return ssh_proxy_connect(host, port, proxy_command); /* No proxy command. */ ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 2 15:01:21 2003 
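Review bot: the added condition `strcmp(options.proxy_command, "none") == 0` inverts the intended logic: it calls ssh_proxy_connect() only when the command is the literal `none` and skips the proxy for every real command. It should read `!= 0`. The comparison should also use the `proxy_command` argument that the surrounding line already tests (`proxy_command != NULL`) rather than reaching for the global `options.proxy_command`, and the `/* If a proxy command is given, connect using it. */` comment above the hunk should mention the `none` special case.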
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 2 Apr 2003 15:01:21 +1000 (EST) Subject: [Bug 528] ProxyCommand none is sensitive to extra whitespace Message-ID: <20030402050121.60C0194293@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=528 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|ProxyCommand none breaks ssh|ProxyCommand none is | |sensitive to extra | |whitespace ------- Additional Comments From mouring at eviladmin.org 2003-04-02 15:01 ------- $ ssh '-oProxyCommand none ' localhost /bin/sh: none: not found ssh_exchange_identification: Connection closed by remote host $ ssh '-oProxyCommand none' localhost Enter passphrase for key '/home/mouring/.ssh/id_rsa': none works as suggested, but it is sensitive to extra whitespace. (summary clarified) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 2 17:24:53 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 2 Apr 2003 17:24:53 +1000 (EST) Subject: [Bug 496] add a timeout function to ssh-agent Message-ID: <20030402072453.699C894296@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=496 hauser at acm.org changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |vinschen at redhat.com ------- Additional Comments From hauser at acm.org 2003-04-02 17:24 ------- Thanks to Corinna, I now can test it on the new cygwin version. Results: a) [ -S $SSH_AUTH_SOCK ] || eval `ssh-agent -t 900 -sa $SSH_AUTH_SOCK` doesn't ask for the lock password (as hinted in http://bugzilla.mindrot.org/show_bug.cgi?id=496#c3) what did I do wrong? b) If I manually add "ssh-add -x" I get asked for the lock password twice. This is unnecessary overhead - my screenlock also doesn't need to be configured manually each time I login. It should be possible to take a default password (e.g. the same one as the default identity .ssh/id_rsa has.) c) after the time-out, instead of trying to unlock by issuing "ssh-add -X" itself, the next ssh command will just no longer use my authorized_keys, but degrade the security level and ask for my server-side password d) the lock appears to take place after "elapsed seconds". It would be great if it also could be configured to only consider "idle seconds". ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From anza at hdy.jp Wed Apr 2 18:45:42 2003 From: anza at hdy.jp (NSjoho-) Date: Wed, 02 Apr 2003 17:45:42 +0900 Subject: =?ISO-2022-JP?B?GyRCIzQbKEI=?=/=?ISO-2022-JP?B?GyRCIzI5ZhsoQg==?= Message-ID: <20030402090330.CC65394297@shitei.mindrot.org> An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030402/b8b5eaac/attachment.html From neb at quateams.com Wed Apr 2 02:08:44 2003 
From: neb at quateams.com (Neb Bosworth)
Date: Tue, 1 Apr 2003 11:08:44 -0500
Subject: ssh allowing root logins
Message-ID: <006301c2f868$f8612b00$c0010c0a@blah>

I have a problem w/ OpenSSH allowing root logins even though the PermitRootLogin directive in the conf file is set to "no". I double and triple checked that it was using the file I was editing with strings and just by adding a bogus line and sshd complaining about it. I then grabbed the latest source and built 3.6p1. It has the same problem. The host is running solaris 2.6. Anyone have any ideas?

Thanks,
-Neb

From bugzilla-daemon at mindrot.org Wed Apr 2 21:52:17 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 2 Apr 2003 21:52:17 +1000 (EST)
Subject: [Bug 529] sshd doesn't work correctly after SIGHUP
Message-ID: <20030402115217.EF73F9421D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=529

           Summary: sshd doesn't work correctly after SIGHUP
           Product: Portable OpenSSH
           Version: 3.6p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: postadal at suse.cz

In portopenssh-3.6p1-vs-openbsd.diff.gz there is a bug in the patch of sshd.c:

diff -ruN --exclude CVS ssh-openbsd-2003032600/sshd.c openssh-3.6p1/sshd.c
--- ssh-openbsd-2003032600/sshd.c 2003-03-26 16:04:08.000000000 +1100
+++ openssh-3.6p1/sshd.c 2003-03-10 11:38:10.000000000 +1100
@@ -804,8 +821,23 @@ Key *key; int ret, key_used = 0; - /* Save argv. */ +#ifdef HAVE_SECUREWARE + (void)set_auth_parameters(ac, av); +#endif + __progname = get_progname(av[0]); + init_rng(); + + /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ + saved_argc = ac; saved_argv = av; + saved_argv = xmalloc(sizeof(*saved_argv) * ac); + for (i = 0; i < ac; i++) + saved_argv[i] = xstrdup(av[i]); + +#ifndef HAVE_SETPROCTITLE
-------------------
When sshd reloads the service after receiving SIGHUP, it uses execve to start sshd with the same parameters, which are saved in saved_argv (note: this is missing in older releases, which caused problems if some arguments were passed to sshd through the command line). Therefore saved_argv must be terminated by a NULL pointer!

Fixed version:

	saved_argv = xmalloc(sizeof(*saved_argv) * (ac + 1));
	                                           ^^^^^^^
	for (i = 0; i < ac; i++)
		saved_argv[i] = xstrdup(av[i]);
	saved_argv[ac] = NULL;
	^^^^^^^^^^^^^^^^^^^^^^

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 2 21:58:45 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 2 Apr 2003 21:58:45 +1000 (EST)
Subject: [Bug 527] Bad packet length on SunOS 4.1.3U1
Message-ID: <20030402115845.134E394279@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=527

------- Additional Comments From jsr at dexter.mi.org 2003-04-02 21:58 -------
The problem is slightly before that:

packet.c: In function `packet_set_tos':
packet.c:1325: `IP_TOS' undeclared (first use in this function)
packet.c:1325: (Each undeclared identifier is reported only once
packet.c:1325: for each function it appears in.)
*** Error code 1
make: Fatal error: Command failed for target `packet.o'

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From entwicklung at heubach-edv.de Thu Apr 3 00:08:44 2003
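Review bot: in the sshd.c hunk above, saved_argv is allocated with room for exactly ac pointers and the loop stores exactly ac strings, so no terminating NULL is ever written; the execve() on SIGHUP that the report describes walks the array until it finds a NULL and therefore reads one element past the end. Allocate `sizeof(*saved_argv) * (ac + 1)` and add `saved_argv[ac] = NULL;` after the loop, as the report proposes. The retained context line `saved_argv = av;` immediately before the xmalloc() is now a dead store and should go in the same change, otherwise the next reader wonders which of the two assignments is intended.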
From: entwicklung at heubach-edv.de (MH - Entwicklung)
Date: Wed, 2 Apr 2003 16:08:44 +0200
Subject: sshd doesn't log failed login if user doesn't exist
Message-ID: <008c01c2f921$5f76bf90$1800c80a@heubachedv.de>

Hello,

I'm running OpenSSH 3.4p1 on Debian Woody. Logging is set to AUTH and INFO. When an existing user logs in or fails to log in, this is written to syslog. When a nonexisting user fails to log in there is no entry in syslog. Is this a bug?

Regards
Manfred

From bugzilla-daemon at mindrot.org Thu Apr 3 00:26:23 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Apr 2003 00:26:23 +1000 (EST)
Subject: [Bug 526] potential ssh-keysign segfault if pktype == KEY_UNSPEC
Message-ID: <20030402142623.4912994279@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=526

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From markus at openbsd.org 2003-04-03 00:26 -------
thanks, fixed in 3.7

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 3 01:13:17 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Apr 2003 01:13:17 +1000 (EST)
Subject: [Bug 527] Bad packet length on SunOS 4.1.3U1
Message-ID: <20030402151317.57BC99429D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=527

------- Additional Comments From mouring at eviladmin.org 2003-04-03 01:13 -------
Created an attachment (id=267)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=267&action=view)
patch to solve problem

Apply this patch. In the 3.6 release it was forgotten to ensure that it does not try to compile packet_set_tos() if IP_TOS does not exist or is broken. This will go into the CVS tree soon.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 3 02:09:12 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Apr 2003 02:09:12 +1000 (EST)
Subject: [Bug 527] Bad packet length on SunOS 4.1.3U1
Message-ID: <20030402160912.37BB19420E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=527

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From mouring at eviladmin.org 2003-04-03 02:09 -------
Committed to CVS tree.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 3 03:03:27 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Apr 2003 03:03:27 +1000 (EST)
Subject: [Bug 464] sshd seems to corrupt the wtmpx
Message-ID: <20030402170327.EAFAA9420E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=464

pere at hungry.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pere at hungry.com

------- Additional Comments From pere at hungry.com 2003-04-03 03:03 -------
I see the same problem on IA64 HP/UX 11.22. Is there any workaround when openssl needs to be 64 bit?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 3 03:23:12 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Apr 2003 03:23:12 +1000 (EST)
Subject: [Bug 530] problems with port forwarding
Message-ID: <20030402172312.522169420E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=530

           Summary: problems with port forwarding
           Product: Portable OpenSSH
           Version: 3.5p1
          Platform: ix86
        OS/Version: FreeBSD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: gilbert at student.math.hr

Here is my problem. I'm not sure if it is a bug or a 'feature' but I don't know where else to ask.

From bugzilla-daemon at mindrot.org Thu Apr 3 04:02:43 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Apr 2003 04:02:43 +1000 (EST)
Subject: [Bug 531] Conflicting basename() on Irix
Message-ID: <20030402180243.F2CA9942B2@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=531

           Summary: Conflicting basename() on Irix
           Product: Portable OpenSSH
           Version: 3.6p1
          Platform: MIPS
        OS/Version: IRIX
            Status: NEW
          Severity: major
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: pere at hungry.com

The OpenSSH v3.6p1 source fails to compile on Irix 6.5. I get the following error message:

[...]
checking for basename... no
[...]
cc-wrapper -g -I. -I. -I/local/lib -I/usr/local/include -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/local/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c progressmeter.c
cc-1143 cc: ERROR File = /usr/include/libgen.h, Line = 35
  Declaration is incompatible with "char *basename(const char *)" (declared at line 9 of "openbsd-compat/basename.h").

  extern char *basename(char *);
               ^

1 error detected in the compilation of "progressmeter.c".
make: *** [progressmeter.o] Error 2

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 3 04:18:25 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Apr 2003 04:18:25 +1000 (EST)
Subject: [Bug 531] Conflicting basename() on Irix
Message-ID: <20030402181825.74EF0942B3@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=531

------- Additional Comments From pere at hungry.com 2003-04-03 04:18 -------
This is from 'man 3 basename':

     cc [flag ...] file ... -lgen [library ...]
     #include

     char *basename (char *path);

I guess configure should insert '-lgen' before testing for basename().

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 3 04:43:44 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Apr 2003 04:43:44 +1000 (EST)
Subject: [Bug 528] ProxyCommand none is sensitive to extra whitespace
Message-ID: <20030402184344.CEC51942B6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=528

------- Additional Comments From arjones at simultan.dyndns.org 2003-04-03 04:43 -------
I'll just add one more comment. As I said, I included the command in ssh_config (the global one), and it did not have any extra space. The patch I included works (that is to say, I haven't run into any problems), and there was no extra space in the string comparison I wrote. I think that means that the option is being imported from the configuration file properly, and that something besides extra white space is at fault. Could these be two different bugs?

I'll let you guys sort it out now, since I obviously don't know much about the OpenSSH code. :)

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Anthony.Iano-Fletcher at dcb.cit.nih.gov Thu Apr 3 07:25:42 2003
From: Anthony.Iano-Fletcher at dcb.cit.nih.gov (Anthony R Iano-Fletcher)
Date: Wed, 2 Apr 2003 16:25:42 -0500
Subject: broken ssh-keysign for openssh 3.6.1p1 on Solaris 8
Message-ID: <20030402212542.GA17907@cosy.cit.nih.gov>

The latter versions of openssh (3.4, 3.5 and 3.6.1) all seem to suffer from a broken ssh-keysign binary. This causes HostbasedAuthentication to fail.

We have installed 3.6.1p1 on a Solaris 8 machine using openssl-0.9.6i. This fails thusly:

ssh server
<......some \digits removed - a key perhaps?>
ssh_keysign: no reply
key_sign failed
a at server's password

For version 3.4p1 we patched ssh-keysign.c and it worked as expected. When we use the same ssh-keysign with the 3.6.1 distribution it also works as expected.

Have other people noticed this? Is it so on other OSes? Is there a patch anyway?

openssh was configured:
./configure --with-libs=-lresolv --sysconfdir=/etc/ssh --with-pam

Anthony.

-- 
Anthony R Iano-Fletcher          Anthony.Iano-Fletcher at nih.gov
http://cbel.cit.nih.gov/~arif
CBEL, CIT, NIH, Bethesda, MD, USA.   Phone: (+1) 301 402 1741.

From tim at multitalents.net Thu Apr 3 07:42:12 2003
From: tim at multitalents.net (Tim Rice)
Date: Wed, 2 Apr 2003 13:42:12 -0800 (PST)
Subject: broken ssh-keysign for openssh 3.6.1p1 on Solaris 8
In-Reply-To: <20030402212542.GA17907@cosy.cit.nih.gov>
References: <20030402212542.GA17907@cosy.cit.nih.gov>
Message-ID:

On Wed, 2 Apr 2003, Anthony R Iano-Fletcher wrote:

> The latter versions of openssh (3.4,3.5 and 3.6.1) all seem to suffer
> from a broken ssh-keysign binary. This causes HostbasedAuthentication to
> fail.

Did you add "EnableSSHKeysign yes" to your ssh_config ?

[snip]

-- 
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net

From bugzilla-daemon at mindrot.org Thu Apr 3 07:46:25 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Apr 2003 07:46:25 +1000 (EST)
Subject: [Bug 528] ProxyCommand none is sensitive to extra whitespace
Message-ID: <20030402214625.C3FFF94279@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=528

------- Additional Comments From markus at openbsd.org 2003-04-03 07:46 -------
Created an attachment (id=268)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=268&action=view)
fix

trailing newlines are not stripped....

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From frank at MyCause.com Thu Apr 3 08:04:48 2003
From: frank at MyCause.com (Frank Adelstein)
Date: Wed, 2 Apr 2003 17:04:48 -0500
Subject: TIOCSCTTY problem/fix
Message-ID: <200304022204.h32M4m0w007244@MyCause.com>

Perhaps this is a known problem, but I only found one instance of someone describing it on the net with no follow-up.

I just installed openssh (3.6p1) on a linux system (running an old 2.0.34 kernel) with privilege separation disabled and get the following messages in /var/log/messages:

Apr 2 15:48:34 ernestine sshd[6153]: error: ioctl(TIOCSCTTY): Operation not permitted
Apr 2 15:48:34 ernestine sshd[6153]: error: open /dev/tty failed - could not set controlling tty: Device not configured

The effect is that ^Z's are mostly ignored (but not by vi) and ^C kills the session, rather than a running program.

After poking around the net and the code a bit, I found that changing line 318 in sshpty.c from:

	if (ioctl(*ttyfd, TIOCSCTTY, NULL) < 0)

to

	if (ioctl(*ttyfd, TIOCSCTTY, 1) < 0)

seems to fix things. Is this a known bug or something peculiar to my installation? Let me know if there is any further information I can provide.

Thanks for any input.

--Frank.

From Anthony.Iano-Fletcher at dcb.cit.nih.gov Thu Apr 3 08:24:20 2003
From: Anthony.Iano-Fletcher at dcb.cit.nih.gov (Anthony R Iano-Fletcher)
Date: Wed, 2 Apr 2003 17:24:20 -0500
Subject: broken ssh-keysign for openssh 3.6.1p1 on Solaris 8
In-Reply-To:
References: <20030402212542.GA17907@cosy.cit.nih.gov>
Message-ID: <20030402222420.GA18114@cosy.cit.nih.gov>

Hello Tim

> On Wed, 2 Apr 2003, Anthony R Iano-Fletcher wrote:
>
> > The latter versions of openssh (3.4,3.5 and 3.6.1) all seem to suffer
> > from a broken ssh-keysign binary. This causes HostbasedAuthentication to
> > fail.
>
> Did you add "EnableSSHKeysign yes" to your ssh_config ?
>

Thanks for the suggestion but I did set it and it doesn't seem to make a difference if I have it set or unset in my /etc/ssh/ssh_config file.

In fact the \digits I get is very similar to the output of ssh-keysign when run on its own. Interestingly when I run ssh-keysign it produces output like:

\151\147n\157r\151n\147 b\141\144 \160r\157\164\157 \1

and quits. When I run the working ssh-keysign from 3.4 it waits for input. This seems odd....

Anthony.

-- 
Anthony R Iano-Fletcher          Anthony.Iano-Fletcher at nih.gov
http://cbel.cit.nih.gov/~arif
CBEL, CIT, NIH, Bethesda, MD, USA.   Phone: (+1) 301 402 1741.

From bugzilla-daemon at mindrot.org Thu Apr 3 08:24:43 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Apr 2003 08:24:43 +1000 (EST)
Subject: [Bug 532] Conflicting basename and dirname on solaris
Message-ID: <20030402222443.8111F942C3@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=532

           Summary: Conflicting basename and dirname on solaris
           Product: Portable OpenSSH
           Version: 3.6p1
          Platform: UltraSparc
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: benderm at raytheon.com

While building openssh-3.6p1 or openssh-3.6.1p1 on Solaris 2.5.1 I get the following errors:

--
In file included from progressmeter.c:66:
/usr/include/libgen.h:26: conflicting types for `basename'
openbsd-compat/basename.h:9: previous declaration of `basename'
/usr/include/libgen.h:50: conflicting types for `dirname'
openbsd-compat/dirname.h:3: previous declaration of `dirname'
--

and the build fails. Based on information from the openssh-unix-dev mailing list, I edited config.h and added "#define HAVE_BASENAME 1" and "#define HAVE_DIRNAME 1". After doing this, the compile goes farther only to fail at the following point:

--
gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o uidswap.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o kexdhs.o kexgexs.o auth-krb5.o auth-krb4.o loginrec.o auth-pam.o auth2-pam.o auth-sia.o md5crypt.o -L. -Lopenbsd-compat/ -L/usr/site/openssl/lib -R/usr/site/openssl/lib -L/usr/site/zlib/lib -R/usr/site/zlib/lib -L/usr/local/lib -R/usr/local/lib -lssh -lopenbsd-compat -lposix4 -lz -lsocket -lnsl -lcrypto
auth.o: In function `secure_filename':
/home/pancake/benderm/Zip/openssh-3.6.1p1/auth.c:453: undefined reference to `dirname'
collect2: ld returned 1 exit status
--

If I edit Makefile and add -lgen to LIBS, the compile finishes. It looks like the configure script needs to check for the existence of basename and dirname in libgen and adjust the Makefile and config.h accordingly.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From MPak at dotsconnect.com Thu Apr 3 14:13:39 2003
From: MPak at dotsconnect.com (MPak at dotsconnect.com)
Date: Wed, 2 Apr 2003 23:13:39 -0500
Subject: password expiry patch
Message-ID:

Hello,

Can "openssh-passexpire18.patch" be used on "openssh-3.6.1p1" for solaris? I have downloaded above patch from "http://www.zip.com.au/~dtucker/openssh/". It looks like I was not successful in applying it.

Thanks..

From dtucker at zip.com.au Thu Apr 3 18:17:07 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 03 Apr 2003 18:17:07 +1000
Subject: password expiry patch
References:
Message-ID: <3E8BEE03.9C6A451E@zip.com.au>

MPak at dotsconnect.com wrote:
> Can "openssh-passexpire18.patch" be used on "openssh-3.6.1p1" for solaris?
> I have downloaded above patch from
> "http://www.zip.com.au/~dtucker/openssh/". It looks like I was not
> successful in applying it.

The patch against the CVS tree [1] will apply to 3.6.1p1 except for a harmless reject on version.h. You will need to apply with GNU patch -p0 and re-build configure with "autoreconf". After that it should build and work fine.

The next time I re-do the patch I'll provide diffs against 3.6.1p1 instead of 3.5p1.

[1] http://www.zip.com.au/~dtucker/openssh/openssh-passexpire18.patch

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From bugzilla-daemon at mindrot.org Thu Apr 3 18:58:57 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Apr 2003 18:58:57 +1000 (EST)
Subject: [Bug 530] problems with port forwarding
Message-ID: <20030403085857.08D849420A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=530

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From dtucker at zip.com.au 2003-04-03 18:58 -------
This is a Feature.

By default, port forwards listen only on the loopback interface, which means that only processes on the local machine can connect via the forward. You can see this with netstat:

$ ssh -L 20022:127.0.0.1:22 myhost
myhost> netstat -an
Proto Recv-Q Send-Q Local Address           Foreign Address         State
[snip]
tcp        0      0 127.0.0.1:20022         0.0.0.0:*               LISTEN

As you saw, using -g (or GatewayPorts=yes) allows connections on any interface. This is known as a "wildcard binding" and shows a different "Local Address" in netstat:

$ ssh -g -L 20022:127.0.0.1:22 myhost
myhost> netstat -an
Proto Recv-Q Send-Q Local Address           Foreign Address         State
[snip]
tcp        0      0 0.0.0.0:20022           0.0.0.0:*               LISTEN

Using GatewayPorts means that anyone who can connect to your machines can connect via your tunnel, which is why it defaults to listening on the loopback only. If you don't like the default you can put "GatewayPorts yes" in ssh_config.

If different ssh software behaved differently, perhaps it has a different default or the config file had the equivalent of "GatewayPorts yes" set.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From nobuo at isl.rdc.toshiba.co.jp Thu Apr 3 19:19:50 2003
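The loopback-versus-wildcard binding Darren describes in the comment above, as an added C example that is not OpenSSH code: it creates a forward listener bound either to 127.0.0.1 or to the wildcard address and reads the bound address back with getsockname(), which is what netstat's "Local Address" column shows. The names bind_forward_listener(), listener_address() and listener_is_exposed() are chosen here and are not OpenSSH functions.

```c
/*
 * Added example, not OpenSSH code.  Models the two listener bindings
 * ssh uses for -L forwards: loopback only (GatewayPorts no, the default)
 * and wildcard (-g / GatewayPorts yes), and checks which one a live fd has.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Create a TCP listener for a forwarded port.  gateway_ports == 0 binds
 * 127.0.0.1, so only processes on this host can reach the tunnel;
 * non-zero binds INADDR_ANY, so any host that can reach this machine can.
 * port 0 lets the kernel pick a free port (used by the self-test below).
 * Returns the listening fd, or -1 on error.
 */
int
bind_forward_listener(int gateway_ports, unsigned short port)
{
	struct sockaddr_in sin;
	int fd, one = 1;

	fd = socket(AF_INET, SOCK_STREAM, 0);
	if (fd < 0)
		return -1;
	setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));

	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_port = htons(port);
	sin.sin_addr.s_addr = htonl(gateway_ports ? INADDR_ANY : INADDR_LOOPBACK);

	if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0 ||
	    listen(fd, 5) < 0) {
		close(fd);
		return -1;
	}
	return fd;
}

/*
 * Format the listener's bound address as "a.b.c.d:port", the same text
 * that appears under netstat's "Local Address".  0 on success, -1 on error.
 */
int
listener_address(int fd, char *buf, size_t buflen)
{
	struct sockaddr_in sin;
	socklen_t len = sizeof(sin);
	char ip[INET_ADDRSTRLEN];

	if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0)
		return -1;
	if (inet_ntop(AF_INET, &sin.sin_addr, ip, sizeof(ip)) == NULL)
		return -1;
	snprintf(buf, buflen, "%s:%u", ip, (unsigned)ntohs(sin.sin_port));
	return 0;
}

/*
 * Audit helper: 1 if the listener is a wildcard binding (reachable from
 * other hosts), 0 if it is bound to a specific address, -1 on error.
 */
int
listener_is_exposed(int fd)
{
	struct sockaddr_in sin;
	socklen_t len = sizeof(sin);

	if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0)
		return -1;
	return sin.sin_addr.s_addr == htonl(INADDR_ANY);
}

int
main(void)
{
	char addr[64];
	int fd;

	fd = bind_forward_listener(0, 0);	/* default: loopback only */
	if (fd >= 0 && listener_address(fd, addr, sizeof(addr)) == 0)
		printf("GatewayPorts no : %s exposed=%d\n", addr, listener_is_exposed(fd));
	close(fd);

	fd = bind_forward_listener(1, 0);	/* -g / GatewayPorts yes */
	if (fd >= 0 && listener_address(fd, addr, sizeof(addr)) == 0)
		printf("GatewayPorts yes: %s exposed=%d\n", addr, listener_is_exposed(fd));
	close(fd);
	return 0;
}
```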
From: nobuo at isl.rdc.toshiba.co.jp (SAKIYAMA Nobuo)
Date: 03 Apr 2003 18:19:50 +0900
Subject: minor cosmetic fix when using a proxy
Message-ID:

I think the following patch is better for the "TCP_NODELAY on a non-socket" bug.

Nobuo Sakiyama

diff -u packet.c.dist packet.c
--- packet.c.dist Mon Dec 23 11:42:53 2002
+++ packet.c Thu Apr 3 18:06:12 2003
@@ -1344,6 +1344,7 @@ /* Only set socket options if using a socket. */ if (!packet_connection_is_on_socket()) + return; if (interactive) set_nodelay(connection_in); #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN)

From dtucker at zip.com.au Thu Apr 3 19:30:55 2003
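Review bot: the added `+ return;` is the right fix, but the subject line and the one-sentence cover note undersell what it changes. In the visible context the bare `if (!packet_connection_is_on_socket())` had no statement of its own, so it governed the following `if (interactive)` and set_nodelay() was attempted only on non-sockets, while the `#if defined(IP_TOS)` block below ran regardless; with the early return both are skipped whenever the connection is a ProxyCommand pipe. Say so in the commit message, since the patch also suppresses the IP_TOS setsockopt() on proxied connections, not only TCP_NODELAY.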
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 03 Apr 2003 19:30:55 +1000
Subject: [PATCH re-send]: Clean up logging of failed logins.
Message-ID: <3E8BFF4F.64F361EE@zip.com.au>

Hi All.

This is a re-send of a patch I submitted before 3.6p1.

As noted in a previous post, the logging of failed user logins is somewhat spread out. This patch creates a record_failed_login() function in sshlogin.c and moves the AIX and UNICOS code to it, eliminating 3 #ifdefs from the main code. It also provides an obvious place to add the code for any other platforms that support this.

I've tested this on AIX 4.3.3. Wendy Palm was kind enough to test it on UNICOS (this patch includes the cast required to placate the Cray compiler).

NOTE: this will call record_failed_login() in the case of a login attempt by a non-existent user. This is fine for AIX (loginfailed replaces the username with UNKNOWN_USER). I'm not sure if UNICOS does the same thing.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

-------------- next part --------------
Index: auth.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v
retrieving revision 1.67
diff -u -r1.67 auth.c
--- auth.c 18 Jan 2003 05:24:06 -0000 1.67
+++ auth.c 25 Feb 2003 09:52:31 -0000
@@ -268,13 +268,10 @@ get_remote_port(), info); -#ifdef WITH_AIXAUTHENTICATE if (authenticated == 0 && strcmp(method, "password") == 0) - loginfailed(authctxt->user, - get_canonical_hostname(options.verify_reverse_mapping), - "ssh"); -#endif /* WITH_AIXAUTHENTICATE */ - + record_failed_login(authctxt->user, + get_canonical_hostname(options.verify_reverse_mapping), + "ssh"); } /*
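Review bot: the auth.c hunk at line 268 keeps the `strcmp(method, "password") == 0` guard around the new record_failed_login() call while the auth1.c and auth2.c hunks delete the UNICOS checks that used to fire inside the SSH1 and SSH2 dispatch loops, so UNICOS failure accounting now depends entirely on this logging function (auth_log() in auth.c) being reached with method set to exactly "password" for every failed password attempt in both protocols. That appears to hold for the current callers, but it is an invariant the patch relies on silently; note it in the commit message so nobody later adds a password path that returns before auth_log().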
@@ -496,11 +493,9 @@ if (pw == NULL) { log("Illegal user %.100s from %.100s", user, get_remote_ipaddr()); -#ifdef WITH_AIXAUTHENTICATE - loginfailed(user, + record_failed_login(user, get_canonical_hostname(options.verify_reverse_mapping), "ssh"); -#endif return (NULL); } if (!allowed_user(pw))
Index: auth1.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth1.c,v
retrieving revision 1.79
diff -u -r1.79 auth1.c
--- auth1.c 24 Feb 2003 00:59:27 -0000 1.79
+++ auth1.c 25 Feb 2003 09:45:10 -0000
@@ -311,8 +311,6 @@ authctxt->user); #ifdef _UNICOS - if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated) - cray_login_failure(authctxt->user, IA_UDBERR); if (authenticated && cray_access_denied(authctxt->user)) { authenticated = 0; fatal("Access denied for user %s.",authctxt->user);
Index: auth2.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2.c,v
retrieving revision 1.112
diff -u -r1.112 auth2.c
--- auth2.c 24 Feb 2003 00:59:27 -0000 1.112
+++ auth2.c 25 Feb 2003 09:45:10 -0000
@@ -241,10 +241,6 @@ if (authctxt->failures++ > AUTH_FAIL_MAX) { packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } -#ifdef _UNICOS - if (strcmp(method, "password") == 0) - cray_login_failure(authctxt->user, IA_UDBERR); -#endif /* _UNICOS */ methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods);
Index: sshlogin.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/sshlogin.c,v
retrieving revision 1.9
diff -u -r1.9 sshlogin.c
--- sshlogin.c 1 Jan 2003 23:43:56 -0000 1.9
+++ sshlogin.c 28 Feb 2003 08:01:49 -0000
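Review bot: in the auth.c hunk at line 496, the illegal-user path now calls record_failed_login() on every platform and for whatever the client attempted, including "none" and publickey probes, whereas the removed auth1.c/auth2.c code only reported password failures; the cover note says this is acceptable on AIX (loginfailed substitutes UNKNOWN_USER) but not whether UNICOS copes with a nonexistent user being reported for a non-password attempt. Confirm that on UNICOS before merging, and state in the commit message that UNICOS now records illegal-user attempts regardless of method.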
@@ -99,3 +99,15 @@ login_logout(li); login_free_entry(li); } + +/* Record a failed login attempt. */ +void +record_failed_login(const char *user, const char *host, const char *ttyname) +{ +#ifdef WITH_AIXAUTHENTICATE + loginfailed(user, host, ttyname); +#endif +#ifdef _UNICOS + cray_login_failure((char *)user, IA_UDBERR); +#endif /* _UNICOS */ +}

From bugzilla-daemon at mindrot.org Thu Apr 3 20:31:09 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Apr 2003 20:31:09 +1000 (EST)
Subject: [Bug 530] problems with port forwarding
Message-ID: <20030403103109.9119394216@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=530

------- Additional Comments From gilbert at student.math.hr 2003-04-03 20:31 -------
This only partially answers my question. I know about the -g option, and it works O.K. for forwarding a LOCAL port. But I wanted to forward port 20022 on my_host as a REMOTE port by connecting to my_host from some_host like this:

some_host$ ssh -R 20022:my_other_host:22 user at my_host

and it works only for local connections from my_host. Since the -g option doesn't help here, how do I get around this?

Thx.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 3 20:44:04 2003
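Review bot: record_failed_login() is added to sshlogin.c and called from auth.c on every platform, but the patch touches no header (the Index lines list only auth.c, auth1.c, auth2.c and sshlogin.c), so auth.c compiles against an implicit declaration unless a prototype already exists; add `void record_failed_login(const char *, const char *, const char *);` to sshlogin.h. Two smaller points on the sshlogin.c hunk: on builds with neither WITH_AIXAUTHENTICATE nor _UNICOS the body is empty and all three parameters are unused, which some compilers warn about, and the `(char *)user` cast deserves a one-line comment saying the cray_login_failure() prototype lacks const, which is what the cover letter's "placate the Cray compiler" refers to.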
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Apr 2003 20:44:04 +1000 (EST)
Subject: [Bug 530] problems with port forwarding
Message-ID: <20030403104404.5D5F8942BE@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=530

------- Additional Comments From binder at arago.de 2003-04-03 20:44 -------
> Since the -g option doesn't help here, how do I get aorund this?

Maybe by reading the docs, especially sshd_config(5)?

-- snip --
     GatewayPorts
             Specifies whether remote hosts are allowed to connect to ports
             forwarded for the client.  By default, sshd binds remote port
             forwardings to the loopback address.  This prevents other remote
             hosts from connecting to forwarded ports.  GatewayPorts can be
             used to specify that sshd should bind remote port forwardings to
             the wildcard address, thus allowing remote hosts to connect to
             forwarded ports.  The argument must be ``yes'' or ``no''.  The
             default is ``no''.
-- snap --

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 3 21:09:58 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Apr 2003 21:09:58 +1000 (EST)
Subject: [Bug 530] problems with port forwarding
Message-ID: <20030403110958.DA51094209@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=530

------- Additional Comments From dtucker at zip.com.au 2003-04-03 21:09 -------
Sorry, missed that.

At the moment that's controlled by the server-side GatewayPorts (ie in sshd_config). There's a patch attached to bug #413 (attachment #229) that allows greater control over which interface a remote port forward listens on (subject to the server's Gatewayports setting).

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 3 21:18:33 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Apr 2003 21:18:33 +1000 (EST)
Subject: [Bug 530] problems with port forwarding
Message-ID: <20030403111833.F0E8794209@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=530

------- Additional Comments From gilbert at student.math.hr 2003-04-03 21:18 -------
> Maybe by reading the docs, especially sshd_config(5)?

This only relates to allowing connections to forwarded ports on the server side, but I don't have root access on the machine and can't change sshd configuration. I'd like to set forwarding completely on the client side.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 3 22:17:41 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 3 Apr 2003 22:17:41 +1000 (EST)
Subject: [Bug 530] problems with port forwarding
Message-ID: <20030403121741.F408994208@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=530

------- Additional Comments From binder at arago.de 2003-04-03 22:17 -------
> This only relates to allowing connections to forwarded ports
> on the server side, but I don't have root access on the machine

As you _are_ creating a forwarded port on the server side, this does relate to your problem. If you can't change the remote server's sshd_config, and can't convince the admin to change it (he'll maybe have a reason for not allowing gateway ports), there's nothing else you can do. It's a server option, not a client option.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Anthony.Iano-Fletcher at dcb.cit.nih.gov Fri Apr 4 05:39:07 2003
From: Anthony.Iano-Fletcher at dcb.cit.nih.gov (Anthony R Iano-Fletcher)
Date: Thu, 3 Apr 2003 14:39:07 -0500
Subject: broken ssh-keysign for openssh 3.6.1p1 on Solaris 8
In-Reply-To: <20030402222420.GA18114@cosy.cit.nih.gov>
References: <20030402212542.GA17907@cosy.cit.nih.gov> <20030402222420.GA18114@cosy.cit.nih.gov>
Message-ID: <20030403193907.GA22105@cosy.cit.nih.gov>

> Interestingly when I run ssh-keysign it produces output like:
> \151\147n\157r\151n\147 b\141\144 \160r\157\164\157 \1
> and quits. When I run the working ssh-keysign from 3.4 it waits for
> input. This seems odd....

As a followup we have just compiled openssh-3.6.1p1 on our linux box and the behaviour of ssh-keysign is different. If EnableSSHKeysign is not set to 'yes' in the ssh_config file then it complains and quits. If it is set to 'yes' then it waits until I type something and then says:

ssh_msg_recv: read: bad msg_len 1684300900

which seems reasonable.

So it seems like a Solaris problem. Any ideas for where to look? Something is printing rubbish and killing ssh-keysign before it gets to the EnableSSHKeysign test.

Anthony.

-- 
Anthony R Iano-Fletcher          Anthony.Iano-Fletcher at nih.gov
http://cbel.cit.nih.gov/~arif
CBEL, CIT, NIH, Bethesda, MD, USA.   Phone: (+1) 301 402 1741.

From tim at multitalents.net Fri Apr 4 07:09:42 2003
From: tim at multitalents.net (Tim Rice)
Date: Thu, 3 Apr 2003 13:09:42 -0800 (PST)
Subject: broken ssh-keysign for openssh 3.6.1p1 on Solaris 8
In-Reply-To: <20030403193907.GA22105@cosy.cit.nih.gov>
References: <20030402212542.GA17907@cosy.cit.nih.gov> <20030402222420.GA18114@cosy.cit.nih.gov> <20030403193907.GA22105@cosy.cit.nih.gov>
Message-ID: 

I am not able to duplicate this problem.
I've tried on Solaris 8, UnixWare 7.1.1, Open Server 5.0.4, and
Open Linux 3.1.1

Are you doing this as root or a regular user?

On Thu, 3 Apr 2003, Anthony R Iano-Fletcher wrote:

> > Interestingly when I run ssh-keysign it produces output like:
> > \151\147n\157r\151n\147 b\141\144 \160r\157\164\157 \1
> > and quits. When I run the working ssh-keysign from 3.4 it waits for
> > input. This seems odd....
>
> As a followup we have just compiled openssh-3.6.1p1 on our linux box and
> the behaviour of ssh-keysign is different. If EnableSSHKeysign is not
> set to 'yes' in the ssh_config file then it complains and quits. If it is
> set to 'yes' then it waits until I type something and then says:
> ssh_msg_recv: read: bad msg_len 1684300900
> which seems reasonable.
>
> So it seems like a Solaris problem. Any ideas for where to look?
> Something is printing rubbish and killing ssh-keysign before it gets to
> the EnableSSHKeysign test.
>
> Anthony.

-- 
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net

From binder at arago.de Fri Apr 4 07:51:19 2003
From: binder at arago.de (Thomas Binder)
Date: Thu, 3 Apr 2003 23:51:19 +0200
Subject: broken ssh-keysign for openssh 3.6.1p1 on Solaris 8
In-Reply-To: <20030402222420.GA18114@cosy.cit.nih.gov>
References: <20030402212542.GA17907@cosy.cit.nih.gov> <20030402222420.GA18114@cosy.cit.nih.gov>
Message-ID: <20030403215118.GA2285362@ohm.arago.de>

Hi!

On Wed, Apr 02, 2003 at 05:24:20PM -0500, Anthony R Iano-Fletcher wrote:
> Interestingly when I run ssh-keysign it produces output like:
> \151\147n\157r\151n\147 b\141\144 \160r\157\164\157 \1
> and quits. When I run the working ssh-keysign from 3.4 it waits for
> input. This seems odd....

Have you tried

    truss -o /tmp/ssh-keysign.truss -v all -r all -w all ssh-keysign

and spotted anything in the output file that could hint at what's going
wrong?

Ciao

Thomas

From bugzilla-daemon at mindrot.org Fri Apr 4 08:19:07 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 4 Apr 2003 08:19:07 +1000 (EST)
Subject: [Bug 530] problems with port forwarding
Message-ID: <20030403221907.7FD3C9422E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=530

------- Additional Comments From samuel at bcgreen.com 2003-04-04 08:19 -------
Easy solution:

    ssh my_host
    (login)
    myhost% ssh -g -L 44000:other_host:22
    (login again)

With the second ssh, you are forwarding the LOCAL port for my_host, using
the ssh client, which is quite legal to make a server port. Job done.

Note: the connection between myhost and other_host is NOT being
encrypted. You are simply using ssh as a port redirection tool at this
point. If you're connecting to an ssh daemon on other_host, this isn't a
problem. If you're doing pretty much anything else, you'd probably want
to do:

    my_host% ssh -g -L 44000:localhost:25 other_host

That would forward an encrypted channel to other_host that then connects
to its port 25 locally.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Apr 4 10:04:19 2003
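The rule the comments in this bug keep circling is simple but easy to get backwards: a `-L` forward opens its listening socket on the host running the ssh client, and that socket is loopback-only unless the client passes `-g`; a `-R` forward opens its listening socket on the sshd host, and there the loopback-versus-wildcard choice belongs to sshd's `GatewayPorts`, not to anything the client says. The model below is an added example (not code from the bug or from OpenSSH) that a defender can use to audit which forwards in a session end up reachable from other machines. The sshd_config texts and host names are constructed; the `bind_address:` prefix and the `clientspecified` value of later OpenSSH versions are deliberately not modelled.

```python
"""Which host, and which interface, does an ssh port forward listen on?

Added example for this thread; not code from OpenSSH. Models only the
yes/no GatewayPorts semantics and the -g client flag discussed in the bug.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    kind: str          # "L": listener on the ssh client host; "R": listener on the sshd host
    listen_port: int
    target_host: str
    target_port: int


def parse_forward_spec(flag: str, spec: str) -> Forward:
    """Parse the port:host:hostport argument of -L or -R.

    A bracketed IPv6 target such as 44000:[::1]:22 is accepted. The optional
    bind_address prefix of newer ssh versions is not modelled here.
    """
    if flag not in ("-L", "-R"):
        raise ValueError(f"unsupported forwarding flag {flag!r}")
    listen, rest = spec.split(":", 1)
    host, hostport = rest.rsplit(":", 1)
    return Forward(flag[1], int(listen), host.strip("[]"), int(hostport))


def gateway_ports(sshd_config: str) -> bool:
    """Effective GatewayPorts of an sshd_config text: first match wins, default no."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) == 2 and parts[0].lower() == "gatewayports":
            value = parts[1].strip().lower()
            if value in ("yes", "no"):
                return value == "yes"
            raise ValueError(f"GatewayPorts value not modelled here: {value!r}")
    return False


def listener_for(fwd, client_host, server_host, client_g, server_gateway_ports):
    """Return (host, bind_address, port) of the listening socket a forward creates.

    -L listens on the client; only the client's -g flag widens it to 0.0.0.0.
    -R listens on the server; only sshd's GatewayPorts widens it to 0.0.0.0.
    """
    if fwd.kind == "L":
        host, exposed = client_host, client_g
    else:
        host, exposed = server_host, server_gateway_ports
    return host, ("0.0.0.0" if exposed else "127.0.0.1"), fwd.listen_port


# Constructed sshd_config fragments for the two cases argued about in the bug.
SSHD_CONFIG_LOCKED = "# constructed\nPort 22\n#GatewayPorts yes\nGatewayPorts no\n"
SSHD_CONFIG_OPEN = "# constructed\nPort 22\nGatewayPorts yes\n"


if __name__ == "__main__":
    # The reporter's situation: a remote forward, client passes -g, server says no.
    remote = parse_forward_spec("-R", "44000:hidden_host:22")
    print("-R, GatewayPorts no :", listener_for(remote, "laptop", "myhost", True,
                                                gateway_ports(SSHD_CONFIG_LOCKED)))
    print("-R, GatewayPorts yes:", listener_for(remote, "laptop", "myhost", True,
                                                gateway_ports(SSHD_CONFIG_OPEN)))
    # Samuel's workaround: a local forward run on myhost itself, with -g.
    local = parse_forward_spec("-L", "44000:other_host:22")
    print("-L -g on my_host    :", listener_for(local, "my_host", "other_host", True, False))
```

Run it and the first line shows why the client-side `-g` did nothing for the reporter: the `-R` listener lands on `myhost` bound to `127.0.0.1` until `GatewayPorts yes` is set on that server, which is exactly what resolved the bug. The same table is a useful thing to generate from a fleet's sshd_config files, since every `0.0.0.0` entry is a service reachable by anyone who can route to that host.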
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 4 Apr 2003 10:04:19 +1000 (EST)
Subject: [Bug 530] problems with port forwarding
Message-ID: <20030404000419.156EF9420A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=530

gilbert at student.math.hr changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

------- Additional Comments From gilbert at student.math.hr 2003-04-04 10:04 -------
> Note: the connection between myhost and other_host is NOT being encrypted

Yea, I'm completely aware of that, and familiar with how port forwarding
works. But actually only forwarding remote ports works for me since I
want to forward a port from a machine I can't reach from outside
regularly.

Anyway, I'm in good relations with the system root on myhost so we set
GatewayPorts yes and restarted sshd, and it worked.

Thanks all for the info and help.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From leonard.raphael at sonera.com Fri Apr 4 15:04:21 2003
From: leonard.raphael at sonera.com (Raphael Leonard)
Date: Fri, 4 Apr 2003 08:04:21 +0300
Subject: I would like to unsuscribe from this list please help
Message-ID: 

Hi!

I would like to unsubscribe from this list. Need more info please.
Thanks in advance!!!

Regards,
//Leonard

-----Original Message-----
From: bugzilla-daemon at mindrot.org [mailto:bugzilla-daemon at mindrot.org]
Sent: Fri 4.4.2003 3:04
To: openssh-unix-dev at mindrot.org
Cc:
Subject: [Bug 530] problems with port forwarding

http://bugzilla.mindrot.org/show_bug.cgi?id=530

gilbert at student.math.hr changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

------- Additional Comments From gilbert at student.math.hr 2003-04-04 10:04 -------
> Note: the connection between myhost and other_host is NOT being encrypted

Yea, I'm completely aware of that, and familiar with how port forwarding
works. But actually only forwarding remote ports works for me since I
want to forward a port from a machine I can't reach from outside
regularly.

Anyway, I'm in good relations with the system root on myhost so we set
GatewayPorts yes and restarted sshd, and it worked.

Thanks all for the info and help.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From paul.l.allen at boeing.com Fri Apr 4 15:49:23 2003
From: paul.l.allen at boeing.com (Paul L. Allen)
Date: Thu, 03 Apr 2003 21:49:23 -0800
Subject: I would like to unsuscribe from this list please help
References: 
Message-ID: <3E8D1CE3.802@boeing.com>

Raphael Leonard wrote:
> Hi!
> I would like to unsubscribe from this list. Need more info please.
> Thanks in advance!!!
> [...]
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

Everything you need to know about dealing with the mailing list is on
the list's web page, the URL for which is appended to every message
posted to the list. If I remember right, the stuff about unsubscribing
is down at the bottom where you might have to scroll the page to see it.

Paul Allen
-- 
Boeing Phantom Works                        \ Paul L. Allen, (425) 865-3297
Math & Computing Technology                  \ paul.l.allen at boeing.com
POB 3707 M/S 7L-40, Seattle, WA 98124-2207    \ Prototype Systems Group

From bugzilla-daemon at mindrot.org Fri Apr 4 16:24:31 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 4 Apr 2003 16:24:31 +1000 (EST)
Subject: [Bug 533] sshd failure on Tru64 (OSF/1) 5.1a
Message-ID: <20030404062431.E47439420A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=533

           Summary: sshd failure on Tru64 (OSF/1) 5.1a
           Product: Portable OpenSSH
           Version: 3.6p1
          Platform: Alpha
        OS/Version: OSF/1
            Status: NEW
          Severity: critical
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: darin_fisher at hotmail.com

Somewhere between 3.5p1 and 3.6p1 sshd broke. 3.6.1p1 also fails the
same way. It fails to allow connections. The following is the output
from sshd -d:

    debug1: sshd version OpenSSH_3.6p1
    debug1: private host key: #0 type 0 RSA1
    debug1: read PEM private key done: type RSA
    debug1: private host key: #1 type 1 RSA
    debug1: read PEM private key done: type DSA
    debug1: private host key: #2 type 2 DSA
    debug1: Bind to port 22 on ::.
    Server listening on :: port 22.
    debug1: Bind to port 22 on 0.0.0.0.
    Bind to port 22 on 0.0.0.0 failed: Address already in use.
    Generating 768 bit RSA key.
    RSA key generation complete.
    debug1: Server will not fork when running in debugging mode.
    get_sock_port: getnameinfo NI_NUMERICSERV failed
    debug1: Calling cleanup 0x12005c9c0(0x0)

Port 22 is open and there is not another copy of sshd running.
3.5p1 works fine

Os: Tru64 5.1a pk3
Platform: GS160, Alpha EV6.8

Generic install
No options were passed to the configure process.

Please let me know if I can be of any more help.

Darin Fisher
darin_fisher at hotmail.com

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Apr 4 16:49:22 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 4 Apr 2003 16:49:22 +1000 (EST)
Subject: [Bug 533] sshd failure on Tru64 (OSF/1) 5.1a
Message-ID: <20030404064922.09FE594244@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=533

------- Additional Comments From dtucker at zip.com.au 2003-04-04 16:49 -------
Does it do the same thing if you specify a different port with -p?

What does "netstat -an |grep 22" (or better yet "lsof -i :22") say?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Apr 4 16:58:28 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 4 Apr 2003 16:58:28 +1000 (EST)
Subject: [Bug 533] sshd failure on Tru64 (OSF/1) 5.1a
Message-ID: <20030404065828.9113E94248@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=533

------- Additional Comments From darin_fisher at hotmail.com 2003-04-04 16:58 -------
Same thing w/ the -p option

Here are the outputs for -p and the netstat:

    azure:openssh-3.6p1# ./sshd -d -p 2222
    debug1: sshd version OpenSSH_3.6p1
    debug1: private host key: #0 type 0 RSA1
    debug1: read PEM private key done: type RSA
    debug1: private host key: #1 type 1 RSA
    debug1: read PEM private key done: type DSA
    debug1: private host key: #2 type 2 DSA
    debug1: Bind to port 2222 on ::.
    Server listening on :: port 2222.
    debug1: Bind to port 2222 on 0.0.0.0.
    Bind to port 2222 on 0.0.0.0 failed: Address already in use.
    Generating 768 bit RSA key.
    RSA key generation complete.
    debug1: Server will not fork when running in debugging mode.
    get_sock_port: getnameinfo NI_NUMERICSERV failed
    debug1: Calling cleanup 0x12005c9c0(0x0)

    azure:openssh-3.6p1# netstat -an | grep 22
    tcp        0      0  10.1.12.21.1524        10.1.12.21.1822        ESTABLISHED
    tcp    19190      0  10.1.12.21.1822        10.1.12.21.1524        ESTABLISHED
    tcp        0      0  10.1.10.13.2272        10.1.10.132.1578       CLOSE_WAIT
    tcp        0     48  10.1.10.13.22          10.0.0.250.1981        ESTABLISHED
    tcp     2260      0  10.1.12.16.3671        10.1.12.16.1525        ESTABLISHED
    tcp        0      0  127.0.0.1.8883         127.0.0.1.2322         TIME_WAIT
    tcp        0      0  10.1.10.13.2222        10.1.10.157.4498       TIME_WAIT
    udp        0      0  10.1.10.13.2229        *.*
    udp        0      0  *.2230                 *.*
    udp        0      0  *.2231                 *.*

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Apr 4 17:35:52 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 4 Apr 2003 17:35:52 +1000 (EST)
Subject: [Bug 533] sshd failure on Tru64 (OSF/1) 5.1a
Message-ID: <20030404073552.58C6094244@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=533

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Additional Comments From dtucker at zip.com.au 2003-04-04 17:35 -------
Hmm looks like it's listening on IPv6. Does adding "-4" to the sshd
command line make a difference?

Also, what is HAVE_GETNAMEINFO set to in config.h?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Apr 4 19:11:57 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 4 Apr 2003 19:11:57 +1000 (EST)
Subject: [Bug 533] sshd failure on Tru64 (OSF/1) 5.1a
Message-ID: <20030404091157.9619C94244@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=533

------- Additional Comments From darin_fisher at hotmail.com 2003-04-04 19:11 -------
config.h:

    /* Define to 1 if you have the `getnameinfo' function. */
    #define HAVE_GETNAMEINFO 1

With the -4 option it works great. We are not using IPv6 on these
systems?? Curious...

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Apr 4 20:21:44 2003
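The pair of lines in the sshd -d output (bind to `::` succeeds, bind to `0.0.0.0` on the same port fails with "Address already in use") is the signature of a dual-stack IPv6 socket, which is why `-4` makes the problem disappear even on a host that "is not using IPv6": an AF_INET6 socket bound to the wildcard address also owns the IPv4 side of that port unless the IPV6_V6ONLY option is set on it, so a second, IPv4-only wildcard socket can no longer bind. The script below reproduces both behaviours, with and without IPV6_V6ONLY, on a single host. It is an added example, not code from the bug or from OpenSSH; it assumes a Linux kernel with IPv6 sockets available and returns None where they are not, and it uses port 0 so the kernel picks a free port.

```python
"""Reproduce the :: then 0.0.0.0 bind collision behind this bug report.

Added example for this thread; not code from OpenSSH. Assumes Linux-style
dual-stack semantics; returns None when IPv6 sockets are unavailable.
"""
import errno
import socket
import sys


def bind_v4_after_v6(v6only: bool):
    """Bind an IPv6 wildcard socket, then try an IPv4 wildcard bind on the same port.

    Returns "ok" if the IPv4 bind succeeded, "EADDRINUSE" if it collided
    with the IPv6 socket, or None if this host cannot create/bind an IPv6 socket.
    """
    try:
        s6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return None
    with s6:
        if v6only:
            if not hasattr(socket, "IPV6_V6ONLY"):
                return None
            # Keep this socket IPv6-only so the IPv4 side of the port stays free.
            s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
        try:
            s6.bind(("::", 0))               # port 0: kernel chooses a free port
        except OSError:
            return None
        port = s6.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s4:
            try:
                s4.bind(("0.0.0.0", port))   # the bind sshd reports as failing
            except OSError as exc:
                if exc.errno == errno.EADDRINUSE:
                    return "EADDRINUSE"
                raise
            return "ok"


def dual_stack_report():
    """Run both variants; None entries mean IPv6 is unavailable on this host."""
    return {
        "platform": sys.platform,
        "without_v6only": bind_v4_after_v6(False),   # expected: EADDRINUSE on Linux
        "with_v6only": bind_v4_after_v6(True),       # expected: ok
    }


if __name__ == "__main__":
    for key, value in dual_stack_report().items():
        print(f"{key}: {value}")
```

What sshd needs from the platform is a way to keep the two wildcard sockets apart, and IPV6_V6ONLY is that knob where the OS provides it; a platform that lacks it, or that ignores it, produces exactly the second bind failure shown in the report, and `-4` avoids the question by never opening the IPv6 listener at all.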
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 4 Apr 2003 20:21:44 +1000 (EST)
Subject: [Bug 533] sshd failure on Tru64 (OSF/1) 5.1a
Message-ID: <20030404102144.A9A909420C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=533

------- Additional Comments From dtucker at zip.com.au 2003-04-04 20:21 -------
Unless I'm reading the code in sshd.c wrong this means your system's
socket() call is returning an IPv6 socket even though you're not using
it.

Perhaps someone more familiar with IPv6 socket voodoo can figure out
what's going on (and especially why it broke now).

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Apr 5 00:00:45 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 5 Apr 2003 00:00:45 +1000 (EST)
Subject: [Bug 496] add a user-friendly timeout function to ssh-agent
Message-ID: <20030404140045.D569794251@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=496

hauser at acm.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|add a timeout function to   |add a user-friendly timeout
                   |ssh-agent                   |function to ssh-agent

------- Additional Comments From hauser at acm.org 2003-04-05 00:00 -------
PuTTY's pageant.exe eventually will address this too
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/pageant-key-mgmt.html

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From mjt at tls.msk.ru Sat Apr 5 00:13:39 2003
From: mjt at tls.msk.ru (Michael Tokarev)
Date: Fri, 04 Apr 2003 18:13:39 +0400
Subject: Changing PAM service name in sshd_config, or running sshd as non-root
References: <3E81D475.5030503@tls.msk.ru> <20030326202016.GA10577@crawfish.ais.com>
Message-ID: <3E8D9313.50204@tls.msk.ru>

Jim Knoble wrote:
> Circa 2003-03-26 19:25:25 +0300 dixit Michael Tokarev:
>
> : Currently, openssh's PAM service name is a compile-time choice.
>
> [...]
>
> : So, that to say - why there is no e.g. PamServiceName configuration
> : option in sshd_config?
>
> There is one, it's just called something different:
>
>   ln -s /path/to/sshd /path/to/your-favorite-ssh-service-name
>
> OpenSSH's sshd uses the basename of argv[0] as the service name, as you
> would know if you were to read the INSTALL file that accompanies
> OpenSSH-3.5p1.

In my /etc/pam.d/, there is no file named `sshd', but there is a file
`ssh' (without trailing `d'). Yet sshd works.

Well, that may be due to the fact that I use openssh that comes with
debian woody, i.e. openssh-3.4p1.

Either way, it would be much more reliable if sshd would use e.g.
PamServiceName from sshd_config.

/mjt

From steven at lugaru.com Sat Apr 5 00:48:01 2003
From: steven at lugaru.com (Steven Doerfler)
Date: Fri, 04 Apr 2003 09:48:01 -0500
Subject: [Bug 69] Generalize SSH_ASKPASS
Message-ID: <3.0.5.32.20030404094801.01c16198@127.0.0.1>

At 09:20 AM 3/27/2003 +0000, David Woodhouse wrote:
>On Wed, 2003-03-26 at 20:32, Jim Knoble wrote:
>> If you want a separate behavior, that request should be explicit:
>> either an explicit option to ssh-askpass (e.g., 'ssh-askpass --yesno')
>> or (probably better) a separate program (e.g., 'ssh-confirm').
>>
>> Care to come up with a specification?
>
>Hmmm. We really do have to be careful about backwards compatibility. So
>a separate program probably accompanied by a separate environment
>variable for it (SSH_CONFIRM?) is likely to be the best way forward.

You could retain compatibility without introducing a new program by
having ssh invoke ssh-askpass with an environment variable hinting at
the type of request. For instance, SSH_ASKPASS_PROMPT_HINT=Y might
indicate that this is a yes/no prompt. An ssh-askpass program could
decide to show Yes/No buttons when it saw such an environment variable
setting.

An ssh-askpass program would be free to ignore such a hint and always
require the user to type YES in a text box, so an old ssh-askpass would
work with a future ssh that supplied an SSH_ASKPASS_PROMPT_HINT, or vice
versa.

Also, the read_passphrase() function that calls ssh-askpass receives a
flag RP_ECHO that tells it whether echoing the user's response is
appropriate. It uses this information when it prompts, but not when it
calls an ssh-askpass program. The same environment variable could be
used to pass this information along to any ssh-askpass program that
wanted to make use of it.

In more detail, if an ssh-askpass program noticed an
SSH_ASKPASS_PROMPT_HINT environment variable whose value contained the
letter E, it could choose to enable echoing when prompting for a line of
text. If such an environment variable contained a letter Y, it could
choose to display a Yes/No dialog (and output "yes" or "no" on stdout,
just as now).

Steven Doerfler

From mandar at webchat.chatsystems.com Sat Apr 5 01:39:32 2003
From: mandar at webchat.chatsystems.com (mandar at webchat.chatsystems.com)
Date: Fri, 4 Apr 2003 09:39:32 -0600 (CST)
Subject: Anti-idle in OpenSSH client?
Message-ID: 

Heya,

Most of the windows ssh clients (putty, securecrt) have anti-idle
features. They offer either a null packet or protocol no-op or user
defined string to be sent over every x seconds.

Is this possible or planned with the OpenSSH client? Our draconian
firewall admins have started timing out ssh sessions. Yes I'm aware I
could hack up a port forwarding dumb traffic process, but was looking for
a more elegant solution like the windows clients have. e.g. a command line
option to ssh that lets you anti-idle..

Discussion on how to implement this in the code is also welcome ;)

Thanks
- Mandar

From dwmw2 at infradead.org Sat Apr 5 01:52:14 2003
From: dwmw2 at infradead.org (David Woodhouse)
Date: Fri, 04 Apr 2003 16:52:14 +0100
Subject: Anti-idle in OpenSSH client?
In-Reply-To: 
References: 
Message-ID: <1049471534.3377.9.camel@passion.cambridge.redhat.com>

On Fri, 2003-04-04 at 16:39, mandar at webchat.chatsystems.com wrote:
> Heya,
>
> Most of the windows ssh clients (putty, securecrt) have anti-idle
> features. They offer either a null packet or protocol no-op or user
> defined string to be sent over every x seconds.
>
> Is this possible or planned with the OpenSSH client? Our draconian
> firewall admins have started timing out ssh sessions. Yes I'm aware I
> could hack up a port forwarding dumb traffic process, but was looking for
> a more elegant solution like the windows clients have. e.g. a command line
> option to ssh that lets you anti-idle..

This would also be useful when using a ProxyCommand which connects via
an HTTP proxy, which often have similar timeouts.

-- 
dwmw2

From Anthony.Iano-Fletcher at dcb.cit.nih.gov Sat Apr 5 02:51:58 2003
From: Anthony.Iano-Fletcher at dcb.cit.nih.gov (Anthony R Iano-Fletcher)
Date: Fri, 4 Apr 2003 11:51:58 -0500
Subject: broken ssh-keysign for openssh 3.6.1p1 on Solaris 8 - fixed
In-Reply-To: 
References: <20030402212542.GA17907@cosy.cit.nih.gov> <20030402222420.GA18114@cosy.cit.nih.gov> <20030403193907.GA22105@cosy.cit.nih.gov>
Message-ID: <20030404165158.GA25709@cosy.cit.nih.gov>

> I am not able to duplicate this problem.
> I've tried on Solaris 8, UnixWare 7.1.1, Open Server 5.0.4, and
> Open Linux 3.1.1

wonderful. Useful to know.

I have worked out what it is. We are configuring with AFS support. krb4
has a version of libdes.a which the configure script found and added to
the list of libs to link against. There is a symbol name clash between
libdes.a and libcrypto.a from OpenSSL and bang! ssh-keysign is broken.

I have moved the Krb4 libdes.a out of the way and rerun the configure
script and everything works now.

There is just one fly in the ointment with the AFS options. The file
radix.o has been left out of the Makefile.in and is needed for AFS
support.

Thanks for everyone's help.

Anthony.
-- 
Anthony R Iano-Fletcher   Anthony.Iano-Fletcher at nih.gov   http://cbel.cit.nih.gov/~arif
CBEL, CIT, NIH, Bethesda, MD, USA.   Phone: (+1) 301 402 1741.

From maniac at maniac.nl Sat Apr 5 02:52:38 2003
From: maniac at maniac.nl (Mark Janssen)
Date: 04 Apr 2003 18:52:38 +0200
Subject: Anti-idle in OpenSSH client?
In-Reply-To: <1049471534.3377.9.camel@passion.cambridge.redhat.com>
References: <1049471534.3377.9.camel@passion.cambridge.redhat.com>
Message-ID: <1049475157.7935.26.camel@shuttle>

On Fri, 2003-04-04 at 17:52, David Woodhouse wrote:
> On Fri, 2003-04-04 at 16:39, mandar at webchat.chatsystems.com wrote:
> > Heya,
> >
> > Most of the windows ssh clients (putty, securecrt) have anti-idle
> > features. They offer either a null packet or protocol no-op or user
> > defined string to be sent over every x seconds.
> >
> > Is this possible or planned with the OpenSSH client? Our draconian
> > firewall admins have started timing out ssh sessions. Yes I'm aware I
> > could hack up a port forwarding dumb traffic process, but was looking for
> > a more elegant solution like the windows clients have. e.g. a command line
> > option to ssh that lets you anti-idle..
>
> This would also be useful when using a ProxyCommand which connects via
> an HTTP proxy, which often have similar timeouts.

There are various patches floating around that implement a feature to
send null packets every x seconds... The debian packaged version of
openssh includes one of these. Works perfectly. Search around bugzilla
or the debian patch for openssh ;)

-- 
Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178
Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT
Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl

From guilbert at ee.nmt.edu Sat Apr 5 03:02:43 2003
From: guilbert at ee.nmt.edu (Jose Guilberto)
Date: Fri, 4 Apr 2003 10:02:43 -0700 (MST)
Subject: Ssh: packet_read: long wait
Message-ID: 

Hello,

When I run ssh between two computers I have a 3 second delay before I
can login. I ran ssh with the verbose option and found out that the
delay is in between the following lines:

    ...
    debug1: Installing crc compensation attack detector.
    debug1: Received encrypted confirmation.
    (*** 3 second delay here ****)
    debug1: Doing challenge response authentication.
    debug1: No challenge.

I read the source code for ssh and found out that my problem is in file
"packet.c". It stays for 3 seconds in lines:

    /* Wait for some data to arrive. */
    while (select(connection_in + 1, setp, NULL, NULL, NULL) == -1 &&
        (errno == EAGAIN || errno == EINTR))
        ;

Anybody have an idea about why this is happening?

Thanks for your help.

Jose Guilberto

From bugzilla-daemon at mindrot.org Sat Apr 5 04:05:42 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 5 Apr 2003 04:05:42 +1000 (EST)
Subject: [Bug 534] No option to use IPv6 connections by default
Message-ID: <20030404180542.AB08B9422B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=534

           Summary: No option to use IPv6 connections by default
           Product: Portable OpenSSH
           Version: 3.5p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P4
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: pio at cytrynka.infoland.int.pl

There is no option in either /etc/ssh/config or $HOME/.ssh/config to use
IPv6 by default while connecting to remote hosts.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Apr 5 04:07:37 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 5 Apr 2003 04:07:37 +1000 (EST)
Subject: [Bug 535] Wrong information in manual page about -6 option.
Message-ID: <20030404180737.2518594272@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=535

           Summary: Wrong information in manual page about -6 option.
           Product: Portable OpenSSH
           Version: 3.5p1
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: trivial
          Priority: P3
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: pio at cytrynka.infoland.int.pl

man ssh:

    [...]
    -6      Forces ssh to use IPv6 addresses only.
    [...]

While on my system it does not force it - it only uses IPv6 by default,
and if it is not available, then ssh falls back to IPv4.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From guilbert at ee.nmt.edu Sat Apr 5 04:20:45 2003
From: guilbert at ee.nmt.edu (Jose Guilberto)
Date: Fri, 4 Apr 2003 11:20:45 -0700 (MST)
Subject: Ssh: packet_read: long wait: Update
Message-ID: 

I changed my network configuration and now I don't have this problem
any more.

Jose Guilberto

/***************************************************/

Hello,

When I run ssh between two computers I have a 3 second delay before I
can login. I ran ssh with the verbose option and found out that the
delay is in between the following lines:

    ...
    debug1: Installing crc compensation attack detector.
    debug1: Received encrypted confirmation.
    (*** 3 second delay here ****)
    debug1: Doing challenge response authentication.
    debug1: No challenge.

I read the source code for ssh and found out that my problem is in file
"packet.c". It stays for 3 seconds in lines:

    /* Wait for some data to arrive. */
    while (select(connection_in + 1, setp, NULL, NULL, NULL) == -1 &&
        (errno == EAGAIN || errno == EINTR))
        ;

Anybody have an idea about why this is happening?

Thanks for your help.

Jose Guilberto

From jmknoble at pobox.com Sat Apr 5 06:43:13 2003
From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 4 Apr 2003 15:43:13 -0500
Subject: Changing PAM service name in sshd_config, or running sshd as non-root
In-Reply-To: <3E8D9313.50204@tls.msk.ru>
References: <3E81D475.5030503@tls.msk.ru> <20030326202016.GA10577@crawfish.ais.com> <3E8D9313.50204@tls.msk.ru>
Message-ID: <20030404204313.GC19144@crawfish.ais.com>

Circa 2003-04-04 18:13:39 +0400 dixit Michael Tokarev:

: Jim Knoble wrote:
: >OpenSSH's sshd uses the basename of argv[0] as the service name, as you
: >would know if you were to read the INSTALL file that accompanies
: >OpenSSH-3.5p1.
:
: In my /etc/pam.d/, there is no file named `sshd', but there is a file
: `ssh' (without trailing `d'). Yet sshd works.

Are you sure the file is not misnamed, and that sshd isn't falling
through to another service, such as /etc/pam.d/other?

: Well, that may be due to the fact that I use openssh that comes with
: debian woody, i.e. openssh-3.4p1.

Then perhaps you should complain to the maintainer of the Debian
package. Or perhaps you should unpack the source of the Debian package
and analyze it yourself.

If you're using anything except the source from ftp.openssh.com that you
compiled yourself, then you should first contact the maintainer of your
pre-compiled OpenSSH rather than complaining here. We have no way of
knowing what subtle changes the Debian maintainer---or anyone else---has
wrought in their prebuilt packages.

: Either way, it would be much more reliable if sshd will use e.g.
: PamServiceName from sshd_config.

No. It would be much more reliable if system integrators didn't change
the behavior of the software they package in subtle and mutually
incompatible ways. See http://cr.yp.to/compatibility.html .

-- 
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
Stop the War on Freedom ... Start the War on Poverty!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 256 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030404/30af465e/attachment.bin

From samuel at bcgreen.com Sat Apr 5 07:16:56 2003
From: samuel at bcgreen.com (Stephen Samuel)
Date: Fri, 04 Apr 2003 13:16:56 -0800
Subject: I would like to unsuscribe from this list please help
In-Reply-To: 
References: 
Message-ID: <3E8DF648.8050906@bcgreen.com>

If you view all headers (how depends on your reader) there is a
list-unsubscribe header:

    .....
    Precedence: bulk
    List-Unsubscribe: ,
    List-Id: Development of portable OpenSSH
    .....

Raphael Leonard wrote:
> Hi!
> I would like to unsubscribe from this list. Need more info please.
> Thanks in advance!!!
>
> Regards,

-- 
Stephen Samuel +1(604)876-0426             samuel at bcgreen.com
                   http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.

From kstef at mtppi.org Sat Apr 5 08:44:18 2003
From: kstef at mtppi.org (Kevin Stefanik)
Date: Fri, 4 Apr 2003 17:44:18 -0500
Subject: overload key signing function for opensc tokens...
Message-ID: <200304041744.18411.kstef@mtppi.org>

I wasn't having much luck getting a key and certificate stored on a
hardware token to work until I made this fix. The ssh_rsa_sign key was
not using either overloading. I used the rsa.meth way, instead of the
engine. With this patch ssh-add works.

I'm working on getting ssh to take a PIN, but when I put in a call to
read_passphrase in the appropriate place, it muddies the waters for
stdin, I think. I get errors in ssh_session2_open that it can't 'dup()
in/out/err'. It seems as if stdin's been closed? Any fixes?

Thanks,
Kevin Stefanik

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-3.5p1-opensc_sc_sign.patch
Type: text/x-diff
Size: 518 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030404/0aa90633/attachment.bin

From fcusack at fcusack.com Sat Apr 5 10:06:16 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Fri, 4 Apr 2003 16:06:16 -0800
Subject: Anti-idle in OpenSSH client?
In-Reply-To: ; from mandar@webchat.chatsystems.com on Fri, Apr 04, 2003 at 09:39:32AM -0600
References: 
Message-ID: <20030404160616.A23135@google.com>

On Fri, Apr 04, 2003 at 09:39:32AM -0600, mandar at webchat.chatsystems.com wrote:
> Most of the windows ssh clients (putty, securecrt) have anti-idle
> features. They offer either a null packet or protocol no-op or user
> defined string to be sent over every x seconds.
>
> Is this possible or planned with the OpenSSH client? Our draconian
> firewall admins have started timing out ssh sessions. Yes I'm aware I
> could hack up a port forwarding dumb traffic process, but was looking for
> a more elegant solution like the windows clients have. e.g. a command line
> option to ssh that lets you anti-idle..

See ssh_config(5), look for KeepAlive.

/fc

From mandar at webchat.chatsystems.com Sat Apr 5 11:58:26 2003
From: mandar at webchat.chatsystems.com (mandar at webchat.chatsystems.com)
Date: Fri, 4 Apr 2003 19:58:26 -0600 (CST)
Subject: Anti-idle in OpenSSH client?
In-Reply-To: <20030404160616.A23135@google.com>
Message-ID: 

KeepAlive doesn't do the trick unfortunately - it merely sets
SO_KEEPALIVE on the socket, and is also not configurable. It's actually
meant as a way for ssh to know when the underlying network connection to
the remote server has gone away, when set.

I haven't yet been able to find the debian null packet patch that was
previously reported on this list...I found some mention at:

http://lists.debian.org/debian-user/2002/debian-user-200207/msg00255.html

but haven't been able to track down this patch...any plans to include
this in the official OpenSSH client release?

If someone has a copy, an email or URL would be greatly appreciated ;)

- Mandar

On Fri, 4 Apr 2003, Frank Cusack wrote:

> Date: Fri, 4 Apr 2003 16:06:16 -0800
> From: Frank Cusack > To: mandar at webchat.chatsystems.com > Cc: openssh-unix-dev at mindrot.org > Subject: Re: Anti-idle in OpenSSH client? > > On Fri, Apr 04, 2003 at 09:39:32AM -0600, mandar at webchat.chatsystems.com wrote: > > Most of the windows ssh clients (putty, securecrt) have anti-idle > > features. They offer either a null packet or protocol no-op or user > > defined string to be sent over every x seconds. > > > > Is this possible or planned with the OpenSSH client? Our draconian > > firewall admins have started timing out ssh sessions. Yes I'm aware I > > could hack up a port forwarding dumb traffic process, but was looking for > > a more elegant solution like the windows clients have. e.g. a command line > > option to ssh that lets you anti-idle.. > > See ssh_config(5), look for KeepAlive. > > /fc > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From dtucker at zip.com.au Sat Apr 5 12:26:06 2003 
From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 05 Apr 2003 12:26:06 +1000 Subject: Anti-idle in OpenSSH client? References: Message-ID: <3E8E3EBE.20AB926C@zip.com.au> mandar at webchat.chatsystems.com wrote: > KeepAlive doesn't do the trick unfortunately - it merely sets > SO_KEEPALIVE on the socket, and is also not configurable. It's > actually meant as a way for ssh to know when the underlying > network connection to the remote server has gone away, when set. Well, you could crank your system-wide TCP keepalive timer up to 5 minutes (most default to 2 hours). [snip] > but haven't been able to track down this patch...any plans to > include this in the official OpenSSH client release? > > If someone has a copy, an email or URL would be greatly appreciated ;) I don't know if it's the one debian is using, but: http://www.sc.isc.tohoku.ac.jp/~hgot/sources/openssh-watchdog.html -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From fcusack at fcusack.com Sat Apr 5 13:36:59 2003 
From: fcusack at fcusack.com (Frank Cusack) Date: Fri, 4 Apr 2003 19:36:59 -0800 Subject: Anti-idle in OpenSSH client? In-Reply-To: ; from mandar@webchat.chatsystems.com on Fri, Apr 04, 2003 at 07:58:26PM -0600 References: <20030404160616.A23135@google.com> Message-ID: <20030404193659.A25039@google.com> On Fri, Apr 04, 2003 at 07:58:26PM -0600, mandar at webchat.chatsystems.com wrote: > > KeepAlive doesn't do the trick unfortunately - it merely sets > SO_KEEPALIVE on the socket Right, you have to tweak your system's stack to send KAs faster than the firewall idle timer. The default KA timer is 2 hours, most firewalls default session timer is 20m. > and is also not configurable. Not sure if the above addresses that. (I think it does.) > It's > actually meant as a way for ssh to know when the underlying > network connection to the remote server has gone away, when set. Right, but it works OK to keep sessions going over stateful firewalls. The ssh2 clientalive thing is only configurable on the server in openssh. I'm sure a patch would be welcome. /fc From maniac at maniac.nl Sat Apr 5 20:12:31 2003 
From: maniac at maniac.nl (Mark Janssen) Date: 05 Apr 2003 12:12:31 +0200 Subject: Anti-idle in OpenSSH client? In-Reply-To: References: Message-ID: <1049537551.13944.1.camel@shuttle> On Fri, 2003-04-04 at 21:14, mandar at webchat.chatsystems.com wrote: > On 4 Apr 2003, Mark Janssen wrote: > > > There are various patches floating around that implement a feature to > > send null packets every x seconds... The debian packaged version of > > openssh includes one of these. Works perfectly. > > > > Search around bugzilla or the debian patch for openssh ;) > > > > Couldn't find one...a URL would help..thanks! Look for the 'protocolkeepalive' code in this patch: http://ftp.nl.debian.org/debian/pool/main/o/openssh/openssh_3.6p1-1.diff.gz It sends SSH Ignore packets every 300 (configurable) seconds -- Mark Janssen -- maniac(at)maniac.nl -- GnuPG Key Id: 357D2178 Unix / Linux, Open-Source and Internet Consultant @ SyConOS IT Maniac.nl Unix-God.Net|Org MarkJanssen.org|nl SyConOS.com|nl From djm at mindrot.org Sat Apr 5 20:59:46 2003 
From: djm at mindrot.org (Damien Miller) Date: Sat, 05 Apr 2003 20:59:46 +1000 Subject: Anti-idle in OpenSSH client? In-Reply-To: <20030404160616.A23135@google.com> References: <20030404160616.A23135@google.com> Message-ID: <3E8EB722.40607@mindrot.org> Frank Cusack wrote: > On Fri, Apr 04, 2003 at 09:39:32AM -0600, mandar at webchat.chatsystems.com wrote: > >> Most of the windows ssh clients (putty, securecrt) have anti-idle >>features. They offer either a null packet or protocol no-op or user >>defined string to be sent over every x seconds. >> >> Is this possible or planned with the OpenSSH client? Our draconian >>firewall admins have started timing out ssh sessions. Yes I'm aware I >>could hack up a port forwarding dumb traffic process, but was looking for >>a more elegant solution like the windows clients have. e.g. a command line >>option to ssh that lets you anti-idle.. > > > See ssh_config(5), look for KeepAlive. Also see sshd_config, grep for ClientAliveInterval (this is protocol-level) From cjwatson at debian.org Sat Apr 5 21:27:23 2003 
From: cjwatson at debian.org (Colin Watson) Date: Sat, 5 Apr 2003 12:27:23 +0100 Subject: Anti-idle in OpenSSH client? In-Reply-To: References: <20030404160616.A23135@google.com> Message-ID: <20030405112723.GA22772@riva.ucam.org> On Fri, Apr 04, 2003 at 07:58:26PM -0600, mandar at webchat.chatsystems.com wrote: > KeepAlive doesn't do the trick unfortunately - it merely sets > SO_KEEPALIVE on the socket, and is also not configurable. It's > actually meant as a way for ssh to know when the underlying > network connection to the remote server has gone away, when set. > > I haven't yet been able to find the debian null packet patch > that was previously reported on this list...I found some mention at: > > http://lists.debian.org/debian-user/2002/debian-user-200207/msg00255.html > > > but haven't been able to track down this patch... Here it is. It was originally written by Richard Kettlewell, with documentation by Matthew Vernon. I've hacked it out of the Debian patch, I think correctly, but it would probably need review. :) --- openssh-3.6.1p1.orig/clientloop.c +++ openssh-3.6.1p1/clientloop.c @@ -317,10 +317,14 @@ * one of the file descriptors). */ -static void +static int client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, int *nallocp, int rekeying) { + struct timeval tv, *tvp; + int n; + extern Options options; + /* Add any selections by the channel mechanism. */ channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, rekeying); @@ -349,7 +353,7 @@ /* clear mask since we did not call select() */ memset(*readsetp, 0, *nallocp); memset(*writesetp, 0, *nallocp); - return; + return 0; } else { FD_SET(connection_in, *readsetp); } 
@@ -368,7 +372,21 @@ * SSH_MSG_IGNORE packet when the timeout expires. */ - if (select((*maxfdp)+1, *readsetp, *writesetp, NULL, NULL) < 0) { + /* + * We don't do the 'random' bit, but we want periodic ignored + * message anyway, so as to notice when the other ends TCP + * has given up during an outage. + */ + + if (options.protocolkeepalives > 0) { + tvp = &tv; + tv.tv_sec = options.protocolkeepalives; + tv.tv_usec = 0; + } else + tvp = 0; + + n = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp); + if (n < 0) { char buf[100]; /* @@ -380,12 +398,13 @@ memset(*writesetp, 0, *nallocp); if (errno == EINTR) - return; + return 0; /* Note: we might still have data in the buffers. */ snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno)); buffer_append(&stderr_buffer, buf, strlen(buf)); quit_pending = 1; } + return n == 0; } static void @@ -846,6 +865,7 @@ { fd_set *readset = NULL, *writeset = NULL; double start_time, total_time; + int timed_out; int max_fd = 0, max_fd2 = 0, len, rekeying = 0, nalloc = 0; char buf[100]; @@ -959,7 +979,7 @@ * available on one of the descriptors). */ max_fd2 = max_fd; - client_wait_until_can_do_something(&readset, &writeset, + timed_out = client_wait_until_can_do_something(&readset, &writeset, &max_fd2, &nalloc, rekeying); if (quit_pending) @@ -983,6 +1003,21 @@ if (quit_pending) break; + if(timed_out) { + /* + * Nothing is happening, so synthesize some + * bogus activity + */ + packet_start(compat20 + ? SSH2_MSG_IGNORE + : SSH_MSG_IGNORE); + packet_put_cstring(""); + packet_send(); + if (FD_ISSET(connection_out, writeset)) + packet_write_poll(); + continue; + } + if (!compat20) { /* Buffer data from stdin */ client_process_input(readset); --- openssh-3.6.1p1.orig/readconf.c +++ openssh-3.6.1p1/readconf.c @@ -81,6 +81,7 @@ RhostsRSAAuthentication yes StrictHostKeyChecking yes KeepAlives no + ProtocolKeepAlives 0 IdentityFile ~/.ssh/identity Port 22 EscapeChar ~ 
@@ -115,6 +116,7 @@ oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, + oProtocolKeepAlives, oDeprecated } OpCodes; @@ -188,6 +190,7 @@ { "clearallforwardings", oClearAllForwardings }, { "enablesshkeysign", oEnableSSHKeysign }, { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost }, + { "protocolkeepalives", oProtocolKeepAlives }, { NULL, oBadOption } }; @@ -415,6 +418,10 @@ intptr = &options->no_host_authentication_for_localhost; goto parse_flag; + case oProtocolKeepAlives: + intptr = &options->protocolkeepalives; + goto parse_int; + case oNumberOfPasswordPrompts: intptr = &options->number_of_password_prompts; goto parse_int; @@ -767,6 +774,7 @@ options->strict_host_key_checking = -1; options->compression = -1; options->keepalives = -1; + options->protocolkeepalives = -1; options->compression_level = -1; options->port = -1; options->connection_attempts = -1; @@ -855,6 +863,10 @@ options->compression = 0; if (options->keepalives == -1) options->keepalives = 1; + if (options->protocolkeepalives == -1){ + if (options->batch_mode == 1) /*in batch mode, default is 5mins */ + options->protocolkeepalives = 300; + else options->protocolkeepalives = 0;} if (options->compression_level == -1) options->compression_level = 6; if (options->port == -1) --- openssh-3.6.1p1.orig/readconf.h +++ openssh-3.6.1p1/readconf.h @@ -61,6 +61,7 @@ int compression_level; /* Compression level 1 (fast) to 9 * (best). */ int keepalives; /* Set SO_KEEPALIVE. */ + int protocolkeepalives; /* ssh-level keepalives */ LogLevel log_level; /* Level for logging. */ int port; /* Port to connect. */ --- openssh-3.6.1p1.orig/ssh_config.5 +++ openssh-3.6.1p1/ssh_config.5 
@@ -126,8 +126,13 @@ If set to .Dq yes , passphrase/password querying will be disabled. +In addition, the +.Cm ProtocolKeepAlives +option will both be set to 300 seconds by default. This option is useful in scripts and other batch jobs where no user -is present to supply the password. +is present to supply the password, +and where it is desirable to detect a +broken network swiftly. The argument must be .Dq yes or @@ -357,7 +362,12 @@ Specifies whether the system should send TCP keepalive messages to the other side. If they are sent, death of the connection or crash of one -of the machines will be properly noticed. +of the machines will be properly noticed. This option only uses TCP +keepalives (as opposed to using ssh level keepalives), so takes a long +time to notice when the connection dies. As such, you probably want +the +.Cm ProtocolKeepAlives +option as well. However, this means that connections will die if the route is down temporarily, and some people find it annoying. @@ -457,6 +467,13 @@ .Nm ssh tries version 2 and falls back to version 1 if version 2 is not available. +.It Cm ProtocolKeepAlives +Specifies the interval in seconds at which IGNORE packets will be sent to +the server during idle periods. Use this option in scripts to detect +when the network fails. The argument must be an integer. The default +is 0 (disabled), or 300 if the +.Cm BatchMode +option is set. .It Cm ProxyCommand Specifies the command to use to connect to the server. The command -- Colin Watson [cjwatson at flatline.org.uk] From bugzilla-daemon at mindrot.org Sun Apr 6 05:23:20 2003 
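Review bot: in the @@ -368 hunk of clientloop.c the disabled case reads `tvp = 0;`; the rest of the file spells null pointers as NULL, so write `tvp = NULL;`. The new comment there also says the periodic IGNORE lets the client "notice when the other ends TCP has given up", but nothing in the hunk observes a failure: it only surfaces as a later write error on connection_out, and that arrives only after the local TCP stack has exhausted its retransmissions, which the comment should say.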
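Review bot: the `if(timed_out)` block in the @@ -983 hunk of clientloop.c sends an IGNORE and `continue`s, so a timeout never counts as a missed answer; unlike sshd's ClientAliveInterval probes, which expect a reply from the peer, this cannot itself decide that the connection is dead, and the ssh_config.5 sentence "Use this option in scripts to detect when the network fails" should say that detection comes from the TCP write eventually failing. Style: `if(timed_out)` wants a space after `if`, like the surrounding code.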
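Review bot: the default block in the @@ -855 hunk of readconf.c departs from the file's layout: `if (options->protocolkeepalives == -1){` is missing the space before the brace, and `else options->protocolkeepalives = 0;}` folds the statement and the closing brace onto the else line; put each on its own line as the neighbouring `if (options->keepalives == -1)` code does. The defaults table at the top of the file (the @@ -81 hunk) lists `ProtocolKeepAlives 0` only; note the 300-second BatchMode default there so the two agree.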
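Review bot: the BatchMode paragraph in the @@ -126 hunk of ssh_config.5 reads "option will both be set to 300 seconds by default" although only .Cm ProtocolKeepAlives is named; drop "both", and since this text was cut out of a larger Debian patch, check whether a second option that used to be listed alongside it was meant to come along.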
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 6 Apr 2003 05:23:20 +1000 (EST)
Subject: [Bug 536] no access to tty on Linux 2.0
Message-ID: <20030405192320.82D3B9423C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=536

Summary: no access to tty on Linux 2.0
Product: Portable OpenSSH
Version: 3.6p1
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: jfeise at ics.uci.edu

On Linux kernel 2.0.36, upgraded from OpenSSH 3.5p1 to 3.6p1, now get the following error when I connect to the machine:

Warning: no access to tty (Inappropriate ioctl for device).
Thus no job control in this shell.

This only happens for users with csh or tcsh as default shell. tcsh is the latest version, 6.12.00. If I run sshd -d, the error does not show up.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun Apr 6 10:40:43 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 6 Apr 2003 10:40:43 +1000 (EST)
Subject: [Bug 536] no access to tty on Linux 2.0
Message-ID: <20030406004043.122989420F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=536

dtucker at zip.com.au changed:

What      |Removed  |Added
----------------------------------------------------------------------------
Status    |NEW      |ASSIGNED

------- Additional Comments From dtucker at zip.com.au 2003-04-06 10:40 -------
This is probably a variant of the setsid/controlling tty weirdness that Solaris had (bug #245). Try adding "#define STREAMS_PUSH_ACQUIRES_CTTY 1" to config.h and recompiling.

From bugzilla-daemon at mindrot.org Sun Apr 6 10:45:16 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 6 Apr 2003 10:45:16 +1000 (EST)
Subject: [Bug 536] no access to tty on Linux 2.0
Message-ID: <20030406004516.33A9494281@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=536

------- Additional Comments From dtucker at zip.com.au 2003-04-06 10:45 -------
Also reported by Frank Adelstein (frank at MyCause dot com):

[quote]
Perhaps this is a known problem, but I only found one instance of someone describing it on the net with no follow-up.

I just installed openssh (3.6p1) on a linux system (running an old 2.0.34 kernel) with privilege separation disabled and get the following messages in /var/log/messages:

Apr 2 15:48:34 ernestine sshd[6153]: error: ioctl(TIOCSCTTY): Operation not permitted
Apr 2 15:48:34 ernestine sshd[6153]: error: open /dev/tty failed - could not set controlling tty: Device not configured

The effect is that ^Z's are mostly ignored (but not by vi) and ^C kills the session, rather than a running program.

After poking around the net and the code a bit, I found that changing line 318 in sshpty.c from:

if (ioctl(*ttyfd, TIOCSCTTY, NULL) < 0)

to

if (ioctl(*ttyfd, TIOCSCTTY, 1) < 0)

seems to fix things. Is this a known bug or something peculiar to my installation? Let me know if there is any further information I can provide. Thanks for any input.
[/quote]

From bugzilla-daemon at mindrot.org Sun Apr 6 11:25:04 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 6 Apr 2003 11:25:04 +1000 (EST)
Subject: [Bug 536] no access to tty on Linux 2.0
Message-ID: <20030406012504.075B69427D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=536

jfeise at ics.uci.edu changed:

What        |Removed   |Added
----------------------------------------------------------------------------
Status      |ASSIGNED  |RESOLVED
Resolution  |          |FIXED

------- Additional Comments From jfeise at ics.uci.edu 2003-04-06 11:25 -------
Adding the STREAMS_PUSH_ACQUIRES_CTTY define works. Thanks for the help.

From bugzilla-daemon at mindrot.org Sun Apr 6 11:42:10 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 6 Apr 2003 11:42:10 +1000 (EST)
Subject: [Bug 536] no access to tty on Linux 2.0
Message-ID: <20030406014210.1E68994220@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=536

dtucker at zip.com.au changed:

What        |Removed   |Added
----------------------------------------------------------------------------
Status      |RESOLVED  |REOPENED
Resolution  |FIXED     |

------- Additional Comments From dtucker at zip.com.au 2003-04-06 11:42 -------
Don't close the bug yet, we still need to fix the source.

I don't think it's exactly the same as Solaris but a different problem with the same symptoms. I don't have a Linux 2.0 box handy to go digging into the root cause. Any volunteers, or do we rename STREAMS_PUSH_ACQUIRES_CTTY to something more generic and define it for Linux 2.0?

From markus at openbsd.org Sun Apr 6 18:31:43 2003
From: markus at openbsd.org (Markus Friedl)
Date: Sun, 6 Apr 2003 10:31:43 +0200
Subject: overload key signing function for opensc tokens...
In-Reply-To: <200304041744.18411.kstef@mtppi.org>
References: <200304041744.18411.kstef@mtppi.org>
Message-ID: <20030406083143.GB25001@folly>

On Fri, Apr 04, 2003 at 05:44:18PM -0500, Kevin Stefanik wrote:
> I wasn't having much luck getting a key and certificate stored on a hardware
> token to work until I made this fix. The ssh_rsa_sign key was not using
> either overloading. I used the rsa.meth way, instead of the engine.

why does RSA_sign not use the overloaded methods?

-m

From bugzilla-daemon at mindrot.org Mon Apr 7 01:46:22 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 7 Apr 2003 01:46:22 +1000 (EST)
Subject: [Bug 537] Identification should depend on port number
Message-ID: <20030406154622.4F82F94208@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=537

Summary: Identification should depend on port number
Product: Portable OpenSSH
Version: 3.5p1
Platform: Other
OS/Version: Linux
Status: NEW
Severity: minor
Priority: P2
Component: ssh
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: bugzilla.mindrot.org at tange.dk

I run 2 completely separate sshds on different ports. The sshds are used for different purposes and therefore use different configurations. Normally people will only connect to one of the 2 sshds, but a few people need to connect to both. This makes sshd complain that the identifications has changed - even though it has not.

It would be nice if the identification is not only made on (name, IP address) but on (name, IP address, port number).

From bugzilla-daemon at mindrot.org Mon Apr 7 01:58:19 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 7 Apr 2003 01:58:19 +1000 (EST)
Subject: [Bug 537] Identification should depend on port number
Message-ID: <20030406155819.C6EF494213@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=537

markus at openbsd.org changed:

What        |Removed   |Added
----------------------------------------------------------------------------
Status      |NEW       |RESOLVED
Resolution  |          |DUPLICATE

------- Additional Comments From markus at openbsd.org 2003-04-07 01:58 -------
did you check existing bugs?

*** This bug has been marked as a duplicate of 454 ***

From bugzilla-daemon at mindrot.org Mon Apr 7 01:58:21 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 7 Apr 2003 01:58:21 +1000 (EST)
Subject: [Bug 454] SSH doesn't consider distinguish ports for host-key verification
Message-ID: <20030406155821.A200894217@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=454

markus at openbsd.org changed:

What        |Removed   |Added
----------------------------------------------------------------------------
CC          |          |bugzilla.mindrot.org at tange.dk

------- Additional Comments From markus at openbsd.org 2003-04-07 01:58 -------
*** Bug 537 has been marked as a duplicate of this bug. ***

From gleblanc at linuxweasel.com Mon Apr 7 16:44:39 2003
From: gleblanc at linuxweasel.com (Gregory Leblanc)
Date: 06 Apr 2003 23:44:39 -0700
Subject: Comments on Bugzilla
In-Reply-To: <3E684C99.4B101943@zip.com.au>
References: <3E684C99.4B101943@zip.com.au>
Message-ID: <1049697878.23592.10.camel@gregdell>

Hmm, I'm apparently not set to nomail on this list anymore, so I'm catching up on mail since January, when I started getting mail again.

On Thu, 2003-03-06 at 23:39, Darren Tucker wrote:
[snip]
> 2) Notification email subjects.
> Currently Bugzilla sends email notifications with subjects like:
> [Bug bugno] New: Subject of bug (for a new bug)
> [Bug bugno] Subject of bug (for changes to bug)
[snip]

There's a patch to add good threading support to bugzilla, by way of the In-Reply-To header. Check out http://bugzilla.mozilla.org/show_bug.cgi?id=31314

Greg

From prod_ms at hotmail.com Mon Apr 7 17:11:31 2003
From: prod_ms at hotmail.com (MS)
Date: Mon, 7 Apr 2003 08:11:31 +0100
Subject: Lose, maintain or gain weight with the world's best-selling nutrition program
Message-ID: <20030407065921.5D9CC9420A@shitei.mindrot.org>

An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030407/ce559ff2/attachment.html

From dtucker at zip.com.au Mon Apr 7 17:31:15 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 07 Apr 2003 17:31:15 +1000
Subject: OpenSSH 3.6.1p1 AIX installp/bff packages available.
Message-ID: <3E912943.5011F6F6@zip.com.au>

Hi All.

New AIX packages of OpenSSH 3.6.1p1 are available for download at [1]. There are two tarballs, one for the as-distributed code and one with the password expiration patch. Each tarball contains binaries for AIX 4.x and AIX 5.x. The usual caveats apply (see page).

These packages have been more popular than I ever thought they'd be. They are about to clock up the one thousandth download, so I'm offering a prize to the thousandth downloader [2].

Note that this will probably be the last release I publish AIX packages for as I will no longer have access to AIX boxes to build them on.

-Daz.

[1] http://www.zip.com.au/~dtucker/openssh/
[2] A free copy of OpenSSH for AIX! :-)

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From leonard.raphael at sonera.com Mon Apr 7 19:23:04 2003
From: leonard.raphael at sonera.com (Raphael Leonard)
Date: Mon, 7 Apr 2003 12:23:04 +0300
Subject: unsubscribe me!!
Message-ID:

unsubscribe

###Please unsubscribe me from the list

From pod at herald.ox.ac.uk Mon Apr 7 21:01:02 2003
From: pod at herald.ox.ac.uk (pod) Date: Mon, 07 Apr 2003 12:01:02 +0100 Subject: Changing PAM service name in sshd_config, or running sshd as non-root In-Reply-To: <20030404204313.GC19144@crawfish.ais.com> (message from Jim Knoble on Fri, 4 Apr 2003 15:43:13 -0500) References: <3E81D475.5030503@tls.msk.ru> <20030326202016.GA10577@crawfish.ais.com> <3E8D9313.50204@tls.msk.ru> <20030404204313.GC19144@crawfish.ais.com> Message-ID: >>>>> "JK" == Jim Knoble writes: JK> Are you sure the file is not misnamed, and that sshd isn't falling JK> through to another service, such as /etc/pam.d/other? The debian woody binary package 3.4p1-1 is built with CFLAGS that include -DSSHD_PAM_SERVICE="ssh". Doing this hardwires the PAM service name and it can no longer be changed by changing argv[0]. From markus at openbsd.org Mon Apr 7 21:19:09 2003 From: markus at openbsd.org (Markus Friedl) Date: Mon, 7 Apr 2003 13:19:09 +0200 Subject: Changing PAM service name in sshd_config, or running sshd as non-root In-Reply-To: References: <3E81D475.5030503@tls.msk.ru> <20030326202016.GA10577@crawfish.ais.com> <3E8D9313.50204@tls.msk.ru> <20030404204313.GC19144@crawfish.ais.com> Message-ID: <20030407111909.GB4967@folly> On Mon, Apr 07, 2003 at 12:01:02PM +0100, pod wrote: > >>>>> "JK" == Jim Knoble writes: > > JK> Are you sure the file is not misnamed, and that sshd isn't falling > JK> through to another service, such as /etc/pam.d/other? > > The debian woody binary package 3.4p1-1 is built with CFLAGS that include > -DSSHD_PAM_SERVICE="ssh". Doing this hardwires the PAM service name and > it can no longer be changed by changing argv[0]. hm, then your vendor should fix this problem..... From martin at fatbob.nu Mon Apr 7 23:46:55 2003 
From: martin at fatbob.nu (Martin Johansson)
Date: Mon, 7 Apr 2003 15:46:55 +0200
Subject: Anti-idle in OpenSSH client?
In-Reply-To:
References:
Message-ID: <20030407134655.GA10333@fatbob.nu>

Hi!

On Fri, Apr 04, 2003 at 09:39:32AM -0600, mandar at webchat.chatsystems.com wrote:
> Is this possible or planned with the OpenSSH client? Our draconian
> firewall admins have started timing out ssh sessions. Yes I'm aware I
> could hack up a port forwarding dumb traffic process, but was looking for
> a more elegant solution like the windows clients have. e.g. a command line
> option to ssh that lets you anti-idle..
>
>
> Discussion on how to implement this in the code is also welcome ;)

I have a patch for this, posted quite some time ago to this list. It sends SSH_MSG_IGNORE packets randomly within configurable upper and lower time limits in seconds. Set in ssh_config (or ~/.ssh/config):

BogusTrafficIntervalMin n
BogusTrafficIntervalMax n

/Martin

Here is the patch rediffed for 3.6.1p1:

diff -ur openssh-3.6.1p1/clientloop.c openssh-3.6.1p1.alive/clientloop.c --- openssh-3.6.1p1/clientloop.c Tue Apr 1 13:43:39 2003 +++ openssh-3.6.1p1.alive/clientloop.c Mon Apr 7 14:48:13 2003 @@ -321,6 +321,9 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, int *nallocp, int rekeying) { + struct timeval tv, *tvp; + int ret; + /* Add any selections by the channel mechanism. */ channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, rekeying);
@@ -362,13 +365,29 @@ /* * Wait for something to happen. This will suspend the process until * some selected descriptor can be read, written, or has some other - * event pending. Note: if you want to implement SSH_MSG_IGNORE - * messages to fool traffic analysis, this might be the place to do - * it: just have a random timeout for the select, and send a random - * SSH_MSG_IGNORE packet when the timeout expires. + * event pending. + * Set a random timeout for the select, and send a random SSH_MSG_IGNORE + * packet when the timeout expires to fool traffic analysis. */ - - if (select((*maxfdp)+1, *readsetp, *writesetp, NULL, NULL) < 0) { + if (options.bogus_traffic_interval_max) { + u_int32_t rand = arc4random(); + u_int64_t timeusec; + static u_int64_t timebase = 0; + + if (!timebase) + timebase = (options.bogus_traffic_interval_max - + options.bogus_traffic_interval_min) * 1000000; + timeusec = timebase * rand / 0xffffffffUL; + timeusec += options.bogus_traffic_interval_min * 1000000; + tv.tv_sec = timeusec / 1000000; + tv.tv_usec = timeusec % 1000000; + tvp = &tv; + debug2("Will send SSH_MSG_IGNORE in %lu.%lu s", tv.tv_sec, tv.tv_usec); + } + else tvp = NULL; + + ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp); + if (ret < 0) { char buf[100]; /* @@ -386,6 +405,12 @@ buffer_append(&stderr_buffer, buf, strlen(buf)); quit_pending = 1; } + else if (ret == 0) { /* timeout */ + u_int32_t rand = arc4random(); + packet_send_ignore((rand & 0x3f) + 1); + packet_send(); + packet_write_wait(); + } } static void diff -ur openssh-3.6.1p1/readconf.c openssh-3.6.1p1.alive/readconf.c --- openssh-3.6.1p1/readconf.c Tue Apr 1 13:43:39 2003 +++ openssh-3.6.1p1.alive/readconf.c Mon Apr 7 14:49:30 2003 
@@ -114,7 +114,7 @@ oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oEnableSSHKeysign, + oEnableSSHKeysign, oBogusTrafficIntervalMin, oBogusTrafficIntervalMax, oDeprecated } OpCodes; @@ -188,6 +188,8 @@ { "clearallforwardings", oClearAllForwardings }, { "enablesshkeysign", oEnableSSHKeysign }, { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost }, + { "BogusTrafficIntervalMax", oBogusTrafficIntervalMax }, + { "BogusTrafficIntervalMin", oBogusTrafficIntervalMin }, { NULL, oBadOption } }; 
@@ -415,6 +417,42 @@ intptr = &options->no_host_authentication_for_localhost; goto parse_flag; + case oBogusTrafficIntervalMax: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", filename, linenum); + if (arg[0] < '0' || arg[0] > '9') + fatal("%.200s line %d: Bad number.", filename, linenum); + + /* Octal, decimal, or hex format? */ + value = strtol(arg, &endofnumber, 0); + if (arg == endofnumber) + fatal("%.200s line %d: Bad number.", filename, linenum); + if (*activep && options->bogus_traffic_interval_max == -1) + options->bogus_traffic_interval_max = value; + if (options->bogus_traffic_interval_min != -1 && + options->bogus_traffic_interval_min >= value) + fatal("%.200s line %d: Bad value.", filename, linenum); + break; + + case oBogusTrafficIntervalMin: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", filename, linenum); + if (arg[0] < '0' || arg[0] > '9') + fatal("%.200s line %d: Bad number.", filename, linenum); + + /* Octal, decimal, or hex format? */ + value = strtol(arg, &endofnumber, 0); + if (arg == endofnumber) + fatal("%.200s line %d: Bad number.", filename, linenum); + if (*activep && options->bogus_traffic_interval_min == -1) + options->bogus_traffic_interval_min = value; + if (options->bogus_traffic_interval_max != -1 && + options->bogus_traffic_interval_max <= value) + fatal("%.200s line %d: Bad value.", filename, linenum); + break; + case oNumberOfPasswordPrompts: intptr = &options->number_of_password_prompts; goto parse_int; @@ -795,6 +833,8 @@ options->smartcard_device = NULL; options->enable_ssh_keysign = - 1; options->no_host_authentication_for_localhost = - 1; + options->bogus_traffic_interval_max = -1; + options->bogus_traffic_interval_min = -1; } /* 
@@ -855,6 +895,10 @@ options->compression = 0; if (options->keepalives == -1) options->keepalives = 1; + if (options->bogus_traffic_interval_max == -1) + options->bogus_traffic_interval_max = 0; + if (options->bogus_traffic_interval_min == -1) + options->bogus_traffic_interval_min = 0; if (options->compression_level == -1) options->compression_level = 6; if (options->port == -1) Only in openssh-3.6.1p1.alive/: readconf.c.orig Only in openssh-3.6.1p1.alive/: readconf.c.rej diff -ur openssh-3.6.1p1/readconf.h openssh-3.6.1p1.alive/readconf.h --- openssh-3.6.1p1/readconf.h Tue Apr 1 13:43:40 2003 +++ openssh-3.6.1p1.alive/readconf.h Mon Apr 7 14:48:13 2003 @@ -61,6 +61,16 @@ int compression_level; /* Compression level 1 (fast) to 9 * (best). */ int keepalives; /* Set SO_KEEPALIVE. */ + int bogus_traffic_interval_max; /* + * max time value of SSH_MSG_IGNORE + * interval + */ + int bogus_traffic_interval_min; /* + * min time value of SSH_MSG_IGNORE + * interval + */ + int pam_authentication_via_kbd_int; + LogLevel log_level; /* Level for logging. */ int port; /* Port to connect. */ From mandar at webchat.chatsystems.com Tue Apr 8 00:14:30 2003 From: mandar at webchat.chatsystems.com (mandar at webchat.chatsystems.com) Date: Mon, 7 Apr 2003 09:14:30 -0500 (CDT) Subject: Anti-idle in OpenSSH client? In-Reply-To: <20030407134655.GA10333@fatbob.nu> Message-ID: Martin, Darren et al - thanks for the various patches :) They certainly fit my need.. I hope one day some form of the anti-idle stuff makes it to the main distrib... - Mandar From quellyn at lanl.gov Tue Apr 8 01:05:42 2003 
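Review bot: `timeusec = timebase * rand / 0xffffffffUL;` in the @@ -362 hunk of clientloop.c multiplies the microsecond range by a 32-bit random value before dividing, so the 64-bit product wraps once BogusTrafficIntervalMax minus BogusTrafficIntervalMin exceeds about 4294 seconds (2^64/2^32 microseconds) and the timeout comes out far too short; scale whole seconds first and convert only the remainder to microseconds. The `debug2("Will send SSH_MSG_IGNORE in %lu.%lu s", tv.tv_sec, tv.tv_usec)` call in the same hunk also passes time_t and suseconds_t to %lu, which is not portable across the platforms the portable tree builds on; cast both to long and use %ld.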
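Review bot: the timeout branch in the @@ -386 hunk of clientloop.c calls packet_write_wait(), which blocks client_wait_until_can_do_something() until the IGNORE packet has been written out, whereas the main loop otherwise only writes connection_out with packet_write_poll() when select() reports it writable; queue the packet with packet_send() and let the existing writeset handling flush it, or return a flag to the caller as the ProtocolKeepAlives patch earlier in this thread does.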
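Review bot: the two keyword entries added in the @@ -188 hunk of readconf.c, `{ "BogusTrafficIntervalMax", oBogusTrafficIntervalMax }` and the matching Min line, are the only mixed-case names in a table that is otherwise all lowercase; lowercase them so they match the other entries and do not depend on how parse_token compares keywords.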
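Review bot: the oBogusTrafficIntervalMax and oBogusTrafficIntervalMin cases in the @@ -415 hunk of readconf.c each duplicate fifteen lines of number parsing, while the neighbouring oNumberOfPasswordPrompts case shows the file's idiom (`intptr = &options->...; goto parse_int;`); use that and move the min-below-max check into fill_default_options(). As written the assignment is guarded by `*activep` but the `fatal("%.200s line %d: Bad value.", filename, linenum);` cross-check is not, so a value in a Host block that does not match the current host can still abort parsing, and equal Min and Max are rejected although a fixed interval is a reasonable setting.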
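Review bot: the defaults in the @@ -855 hunk of readconf.c leave bogus_traffic_interval_min at 0 when only BogusTrafficIntervalMax is set, so the random timeout computed in clientloop.c can come out at a few microseconds and the client fires IGNORE packets back to back; either default the minimum to a sensible fraction of the maximum or reject a zero lower bound when the maximum is non-zero.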
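Review bot: the readconf.h hunk adds `int pam_authentication_via_kbd_int;`, which nothing else in this patch references and looks carried over from another local change; drop it. The `Only in openssh-3.6.1p1.alive/: readconf.c.rej` line above the hunk shows that a hunk was rejected during the rediff, so the readconf.c part should be checked against a clean 3.6.1p1 tree before anyone applies it.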
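The two patches in this thread pick the select() timeout differently: ProtocolKeepAlives uses a fixed number of seconds, BogusTrafficInterval draws a random interval with `timebase * rand / 0xffffffffUL`. The C below is an added example, not code from either patch or from OpenSSH: ignore_timeout_naive() reproduces that arithmetic, and ignore_timeout() (a name assumed here) computes the identical value without the 64-bit overflow, covering the fixed interval as the min_s == max_s case.

```c
/*
 * Added example, not code from either patch or from OpenSSH: choosing the
 * client-side select() timeout for idle SSH_MSG_IGNORE traffic.
 * ignore_timeout_naive() reproduces the BogusTrafficInterval arithmetic;
 * ignore_timeout() (assumed name) gives the same value without wrapping,
 * and with min_s == max_s yields the fixed ProtocolKeepAlives interval.
 */
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>

#define USEC_PER_SEC 1000000ULL
#define RAND32_MAX   0xffffffffULL   /* arc4random() spans 0..2^32-1 */

/*
 * As written in the patch: timebase is (max-min) in microseconds, so
 * timebase * rand32 needs up to 2^32 * range microseconds and wraps in
 * 64 bits as soon as the range exceeds 2^32 usec (about 4294 seconds).
 * Returns the total timeout in microseconds.
 */
uint64_t ignore_timeout_naive(int min_s, int max_s, uint32_t rand32)
{
	uint64_t timebase = (uint64_t)(max_s - min_s) * USEC_PER_SEC;
	uint64_t timeusec = timebase * rand32 / RAND32_MAX;

	return timeusec + (uint64_t)min_s * USEC_PER_SEC;
}

/*
 * Same distribution, no overflow: scale whole seconds by rand32/RAND32_MAX
 * first (range < 2^31 and rand32 < 2^32, so the product fits in 64 bits),
 * then turn the sub-second remainder into microseconds.
 * Returns 0 and fills *tv, or -1 when the configured range is invalid.
 */
int ignore_timeout(int min_s, int max_s, uint32_t rand32, struct timeval *tv)
{
	uint64_t range, scaled, sec, rem;

	if (min_s < 0 || max_s < min_s)
		return -1;
	range = (uint64_t)(max_s - min_s);
	scaled = range * rand32;
	sec = scaled / RAND32_MAX;	/* whole seconds into the range */
	rem = scaled % RAND32_MAX;	/* fraction of a second, scaled by RAND32_MAX */
	tv->tv_sec = (time_t)((uint64_t)min_s + sec);
	tv->tv_usec = (long)(rem * USEC_PER_SEC / RAND32_MAX);
	return 0;
}

int main(void)
{
	struct timeval tv;

	/* Constructed inputs: a small range where both formulas agree, and a
	 * 5000 s range with the largest random value, where the naive one wraps. */
	ignore_timeout(5, 60, 0x12345678u, &tv);
	printf("safe  5..60  : %ld.%06ld s\n", (long)tv.tv_sec, (long)tv.tv_usec);
	printf("naive 5..60  : %llu usec\n",
	    (unsigned long long)ignore_timeout_naive(5, 60, 0x12345678u));
	ignore_timeout(0, 5000, 0xffffffffu, &tv);
	printf("safe  0..5000: %ld.%06ld s\n", (long)tv.tv_sec, (long)tv.tv_usec);
	printf("naive 0..5000: %llu usec (expected 5000000000)\n",
	    (unsigned long long)ignore_timeout_naive(0, 5000, 0xffffffffu));
	return 0;
}
```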
From: quellyn at lanl.gov (Quellyn Snead) Date: 07 Apr 2003 09:05:42 -0600 Subject: Simon Wilkinson's GSS-API patch Message-ID: <1049727942.1603.57.camel@gallifrey.lanl.gov> Hi, I understand that Simon may be discontinuing his OpenSSH work. Does anyone know if someone plans to maintain the patch? Thank you, -- ******************************************************* Quellyn L. Snead UNIX Effort Team ( unixeffort at lanl.gov ) CCN-2 Enterprise Software Management Team Los Alamos National Laboratory (505) 667-4185 Schedule B ******************************************************* From dtucker at zip.com.au Tue Apr 8 01:29:53 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 08 Apr 2003 01:29:53 +1000 Subject: Anti-idle in OpenSSH client? References: Message-ID: <3E919971.476434A2@zip.com.au> mandar at webchat.chatsystems.com wrote: > Martin, Darren et al - thanks for the various patches :) They certainly > fit my need.. > > I hope one day some form of the anti-idle stuff makes it to the main > distrib... The fact that there's several different implementations out there certainly shows that there's a need for it. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From nectar at FreeBSD.org Tue Apr 8 01:31:25 2003 
From: nectar at FreeBSD.org (Jacques A. Vidrine) Date: Mon, 7 Apr 2003 10:31:25 -0500 Subject: Simon Wilkinson's GSS-API patch In-Reply-To: <1049727942.1603.57.camel@gallifrey.lanl.gov> References: <1049727942.1603.57.camel@gallifrey.lanl.gov> Message-ID: <20030407153125.GA16609@madman.celabo.org> On Mon, Apr 07, 2003 at 09:05:42AM -0600, Quellyn Snead wrote: > Hi, > > I understand that Simon may be discontinuing his OpenSSH work. I hope that is not true. > Does > anyone know if someone plans to maintain the patch? I've been forward porting it with every release. (I also have some local modifications.) I'm sure there are others in my position. I think it might be easier to maintain if it were brought into the OpenSSH tree (I guess GSS-API support has been somewhat of a moving target, though). But in any case, I and others will have to pick up where Simon leaves off (if he does actually `leave off'). Cheers, -- Jacques A. Vidrine http://www.celabo.org/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine at verio.net . nectar at FreeBSD.org . nectar at kth.se From deengert at anl.gov Tue Apr 8 01:47:58 2003 
From: deengert at anl.gov (Douglas E. Engert) Date: Mon, 07 Apr 2003 10:47:58 -0500 Subject: Simon Wilkinson's GSS-API patch References: <1049727942.1603.57.camel@gallifrey.lanl.gov> <20030407153125.GA16609@madman.celabo.org> Message-ID: <3E919DAE.D18B68AD@anl.gov> I am in the same position, forward porting the patch. I too would like to see the patch added to the OpenSSH source. "Jacques A. Vidrine" wrote: > > On Mon, Apr 07, 2003 at 09:05:42AM -0600, Quellyn Snead wrote: > > Hi, > > > > I understand that Simon may be discontinuing his OpenSSH work. > > I hope that is not true. > > > Does > > anyone know if someone plans to maintain the patch? > > I've been forward porting it with every release. (I also have some > local modifications.) I'm sure there are others in my position. > > I think it might be easier to maintain if it were brought into the > OpenSSH tree (I guess GSS-API support has been somewhat of a moving > target, though). But in any case, I and others will have to pick up > where Simon leaves off (if he does actually `leave off'). > > Cheers, > -- > Jacques A. Vidrine http://www.celabo.org/ > NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos > jvidrine at verio.net . nectar at FreeBSD.org . nectar at kth.se > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From markus at openbsd.org Tue Apr 8 01:57:47 2003 
From: markus at openbsd.org (Markus Friedl) Date: Mon, 7 Apr 2003 17:57:47 +0200 Subject: Anti-idle in OpenSSH client? In-Reply-To: <3E919971.476434A2@zip.com.au> References: <3E919971.476434A2@zip.com.au> Message-ID: <20030407155747.GB18625@folly> On Tue, Apr 08, 2003 at 01:29:53AM +1000, Darren Tucker wrote: > The fact that there's several different implementations out there > certainly shows that there's a need for it. i plan to add sshd's ClientAliveInterval to ssh, using ignore messages instead of channel requests. i also plan to rename 'KeepAlive' to 'TCPKeepAlive' -m From smoogen at lanl.gov Tue Apr 8 02:17:18 2003 From: smoogen at lanl.gov (Stephen Smoogen) Date: Mon, 7 Apr 2003 10:17:18 -0600 (MDT) Subject: Simon Wilkinson's GSS-API patch In-Reply-To: <3E919DAE.D18B68AD@anl.gov> Message-ID: Since I don't know the history, and it didn't seem too clear when I read through the mindrot archives... what are the reasons for not having it in the tree? IETF approval? On Mon, 7 Apr 2003, Douglas E. Engert wrote: >I am in the same position, forward porting the patch. I too would like to >see the patch added to the OpenSSH source. > -- Stephen John Smoogen smoogen at lanl.gov Los Alamos National Labrador CCN-5 Sched 5/40 PH: 5-8058 Ta-03 SM-261 MailStop P208 DP 17U Los Alamos, NM 87545 -- So shines a good deed in a weary world. = Willy Wonka -- From tom at avatar.itc.nrcs.usda.gov Tue Apr 8 02:34:44 2003 
From: tom at avatar.itc.nrcs.usda.gov (Tom Rudnick) Date: Mon, 7 Apr 2003 10:34:44 -0600 (MDT) Subject: Anti-idle in OpenSSH client? In-Reply-To: from "mandar@webchat.chatsystems.com" at Apr 07, 2003 09:14:30 AM Message-ID: <200304071634.KAA26253@avatar.itc.nrcs.usda.gov> Mandar- Here's yet another patch for the same function. I posted this about 2yrs ago. It applies against 2.5.1,... I can rediff it for 3.6.1 if you're interested. I had pretty much given up the push to get it (or something like it) into the main code. After the ClientAlive feature was added, it gave another way of doing this, so I dropped it. Let me know if the attached patch is useful or not, and if you'd like a 3.6.1 version. Thanks, -Tom Rudnick > > > Martin, Darren et al - thanks for the various patches :) They certainly > fit my need.. > > I hope one day some form of the anti-idle stuff makes it to the main > distrib... > > - Mandar > -- ----------------/---------------------------------------------- Tom Rudnick | USDA Natural Resources Conservation Service Fort Collins,CO | tom at avatar.itc.nrcs.usda.gov (970) 295-5427 ** The 3rd Millennium started Jan 1, 2001. see: ** ** http://aa.usno.navy.mil/AA/faq/docs/millennium.html ** -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -------------- next part -------------- --- readconf.h 2001/03/11 01:49:20 1.21 +++ readconf.h 2001/03/23 21:47:36 @@ -61,6 +61,10 @@ int compression_level; /* Compression level 1 (fast) to 9 * (best). */ int keepalives; /* Set SO_KEEPALIVE. */ + time_t noop_msg_interval; /* Number of seconds between + * SSH_MSG_IGNORE packets to keep + * firewall connections from + * timing out */ LogLevel log_level; /* Level for logging. */ int port; /* Port to connect. */ --- readconf.c 2001/03/22 01:24:05 1.42 +++ readconf.c 2001/03/23 21:47:37 
@@ -110,7 +110,7 @@ oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, - oPreferredAuthentications + oPreferredAuthentications, oNoopMsgInterval } OpCodes; /* Textual representations of the tokens. */ @@ -173,6 +173,7 @@ { "numberofpasswordprompts", oNumberOfPasswordPrompts }, { "loglevel", oLogLevel }, { "preferredauthentications", oPreferredAuthentications }, + { "noopmsginterval", oNoopMsgInterval }, { NULL, 0 } }; @@ -387,6 +388,10 @@ intptr = &options->keepalives; goto parse_flag; + case oNoopMsgInterval: + intptr = &options->noop_msg_interval; + goto parse_int; + case oNumberOfPasswordPrompts: intptr = &options->number_of_password_prompts; goto parse_int; @@ -707,6 +712,7 @@ options->strict_host_key_checking = -1; options->compression = -1; options->keepalives = -1; + options->noop_msg_interval = -1; options->compression_level = -1; options->port = -1; options->connection_attempts = -1; @@ -791,6 +797,8 @@ options->compression = 0; if (options->keepalives == -1) options->keepalives = 1; + if (options->noop_msg_interval == -1) + options->noop_msg_interval = 0; if (options->compression_level == -1) options->compression_level = 6; if (options->port == -1) --- clientloop.c 2001/03/06 03:34:40 1.36 +++ clientloop.c 2001/03/23 21:47:37 @@ -365,6 +365,10 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp) { + struct timeval tv = {0}; + tv.tv_sec = options.noop_msg_interval; + /* Send a noop message at this frequency as a keepalive. */ + /* Add any selections by the channel mechanism. */ channel_prepare_select(readsetp, writesetp, maxfdp); 
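Review bot: in the oNoopMsgInterval case, `intptr = &options->noop_msg_interval;` takes an `int *` to a field that the readconf.h hunk declares as `time_t`, and parse_int then stores through it; on a platform where time_t is wider than int only part of the field is written and the `== -1` sentinel test in fill_default stops working. Declare the option as `int` like the neighbouring options, or parse into a local and assign it. There is also no lower bound, so `NoopMsgInterval 1` makes the client transmit every second; a minimum would help. In the clientloop.c hunk that follows, the keepalive is sent as `packet_start(SSH2_MSG_IGNORE); packet_send();` with no payload, but SSH_MSG_IGNORE carries a `string data` field in both protocol versions, so add the string (packet_put_cstring("") or a short random one) before packet_send(); and the comment "SSH_MSG_IGNORE crashes some servers..." contradicts the code directly under it and should say what is actually meant.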
@@ -403,7 +407,8 @@ * SSH_MSG_IGNORE packet when the timeout expires. */ - if (select((*maxfdp)+1, *readsetp, *writesetp, NULL, NULL) < 0) { + switch (select((*maxfdp)+1, *readsetp, *writesetp, NULL, ((tv.tv_sec)?(&tv):NULL))) { + case -1: { char buf[100]; /* @@ -420,7 +425,24 @@ snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno)); buffer_append(&stderr_buffer, buf, strlen(buf)); quit_pending = 1; - } + + } + break; + + case 0: + /* Send a keepalive packet (SSH_MSG_IGNORE crashes + * some servers...). + */ + if(compat20) + packet_start(SSH2_MSG_IGNORE); + else + packet_start(SSH_MSG_IGNORE); + packet_send(); + break; + + default: + break; + } } void From quellyn at lanl.gov Tue Apr 8 02:34:48 2003 From: quellyn at lanl.gov (Quellyn Snead) Date: 07 Apr 2003 10:34:48 -0600 Subject: Simon Wilkinson's GSS-API patch In-Reply-To: References: Message-ID: <1049733288.1603.64.camel@gallifrey.lanl.gov> Could it possibly go in contrib ? Quellyn On Mon, 2003-04-07 at 10:17, Stephen Smoogen wrote: > Since I don't know the history, and it didn't seem too clear when I read > through the mindrot archives... what are the reasons for not having it > in the tree? IETF approval? > > On Mon, 7 Apr 2003, Douglas E. Engert wrote: > > >I am in the same position, forward porting the patch. I too would like to > >see the patch added to the OpenSSH source. > > -- ******************************************************* Quellyn L. Snead UNIX Effort Team ( unixeffort at lanl.gov ) CCN-2 Enterprise Software Management Team Los Alamos National Laboratory (505) 667-4185 Schedule B ******************************************************* From kstef at mtppi.org Tue Apr 8 03:25:12 2003 
From: kstef at mtppi.org (Kevin Stefanik) Date: Mon, 7 Apr 2003 12:25:12 -0500 Subject: overload key signing function for opensc tokens... In-Reply-To: <20030406083143.GB25001@folly> References: <200304041744.18411.kstef@mtppi.org> <20030406083143.GB25001@folly> Message-ID: <200304071325.12304.kstef@mtppi.org> My best guess... openssl immediately uses the engine if RSA_FLAG_SIGN_VER flag is set - it doesn't check if there is an engine defined. In this case, in my debugging, rsa.engine is 0x0 and the ENGINE_get_RSA() called from RSA_sign call doesn't verify it before referencing an element of the structure, so it segfaults. Would a cleaner patch be to use the sc_get_engine() and assign an engine? That doesn't seem to be happening in sc_read_pubkey at the moment. In fact, I can't see that sc_get_engine is called anywhere. I'm currently using 0.9.7a, so shouldn't USE_ENGINE be undefined? What if there's no USE_ENGINE? I'll also make my way over to openssl to see if the RSA_sign should check for the engine or meth->rsa_sign instead of assuming the engine. Would that be the only needed fix? It works here. Thanks, Kevin On Sunday 06 April 2003 04:31 am, Markus Friedl wrote: > On Fri, Apr 04, 2003 at 05:44:18PM -0500, Kevin Stefanik wrote: > > I wasn't having much luck getting a key and certificate stored on a > > hardware token to work until I made this fix. The ssh_rsa_sign key was > > not using either overloading. I used the rsa.meth way, instead of the > > engine. > > why does RSA_sign not use the overloaded methods? > > -m From mouring at etoh.eviladmin.org Tue Apr 8 05:39:34 2003 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 7 Apr 2003 14:39:34 -0500 (CDT) Subject: Simon Wilkinson's GSS-API patch In-Reply-To: <1049733288.1603.64.camel@gallifrey.lanl.gov> Message-ID: No. Patches don't belong in contrib. Either things are integrated into the main tree or left out. People expect that patches in contrib are supported and they bitch when they no longer apply to the tree. - Ben On 7 Apr 2003, Quellyn Snead wrote: > Could it possibly go in contrib ? > > Quellyn > > On Mon, 2003-04-07 at 10:17, Stephen Smoogen wrote: > > Since I don't know the history, and it didn't seem too clear when I read > > through the mindrot archives... what are the reasons for not having it > > in the tree? IETF approval? > > > > On Mon, 7 Apr 2003, Douglas E. Engert wrote: > > > > >I am in the same position, forward porting the patch. I too would like to > > >see the patch added to the OpenSSH source. > > > > -- > ******************************************************* > Quellyn L. Snead > UNIX Effort Team ( unixeffort at lanl.gov ) > CCN-2 Enterprise Software Management Team > Los Alamos National Laboratory > (505) 667-4185 Schedule B > ******************************************************* > From bugzilla-daemon at mindrot.org Tue Apr 8 06:42:50 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 8 Apr 2003 06:42:50 +1000 (EST) Subject: [Bug 538] Hanging while connecting Message-ID: <20030407204250.984AD9420C@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=538 Summary: Hanging while connecting Product: Portable OpenSSH Version: 3.6p1 Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: ao at infinet.com I'm running into the following problem continually. I'm unsure if it's the ssh on the client side or the sshd on the server side, but here's what happens (with -v output): OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f debug1: Reading configuration data /usr/local/etc/ssh_config debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1: Connecting to ******** [***.***.***.***] port 22. debug1: Connection established. debug1: identity file /home/********/.ssh/identity type -1 debug1: identity file /home/********/.ssh/id_rsa type -1 debug1: identity file /home/********/.ssh/id_dsa type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_3.4p1 Debian 1:3.4p1-1 debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-1 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.4p1 debug1: SSH2_MSG_KEXINIT sent Hangs here forever, or is OK and... debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-cbc hmac-md5 zlib debug1: kex: client->server aes128-cbc hmac-md5 zlib debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 124/256 debug1: bits set: 1577/3191 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host 'alex' is known and matches the RSA host key. 
debug1: Found key in /home/miko/.ssh/known_hosts:8 debug1: bits set: 1570/3191 debug1: ssh_rsa_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: Enabling compression at level 6. debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST hangs forever here instead. If I am lucky, about 1 in 30 connection attempts actually succeed. Does anyone have any idea what this problem might be? Thanks, Mike Harrold Email: mharrold(!!at!!)cas.org ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From ble at pcc.edu Tue Apr 8 07:27:44 2003 From: ble at pcc.edu (Ben Le) Date: Mon, 07 Apr 2003 14:27:44 -0700 Subject: Connection refused Message-ID: <5.1.0.14.2.20030407142452.03ea4f38@mail.pcc.edu> Hi there, The installation of Openssl on my HP-UX 11.11 box went fine. When I execute the 'ssh' command, the error shows: "ssh: connect to host testbox port 22: Connection refused". Can you point me to the solution? Thanks. Ben __________________________________________ Benjamin Le Sr. Systems Administrator Information Technology Services Portland Community College Voice:(503)-977-4736 Fax:(503)-977-4987 Mailto:ble at pcc.edu http://www.pcc.edu -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030407/0487ac65/attachment.html From markus at openbsd.org Tue Apr 8 07:32:00 2003 
From: markus at openbsd.org (Markus Friedl) Date: Mon, 7 Apr 2003 23:32:00 +0200 Subject: overload key signing function for opensc tokens... In-Reply-To: <200304071325.12304.kstef@mtppi.org> References: <200304041744.18411.kstef@mtppi.org> <20030406083143.GB25001@folly> <200304071325.12304.kstef@mtppi.org> Message-ID: <20030407213200.GA8412@folly> On Mon, Apr 07, 2003 at 12:25:12PM -0500, Kevin Stefanik wrote: > My best guess... openssl immediately uses the engine if RSA_FLAG_SIGN_VER flag > is set - it doesn't check if there is an engine defined. In this case, in > my debugging, rsa.engine is 0x0 and the ENGINE_get_RSA() called from > RSA_sign call doesn't verify it before referencing an element of the > structure, so it segfaults. > > Would a cleaner patch be to use the sc_get_engine() and assign an engine? > That doesn't seem to be happening in sc_read_pubkey at the moment. In fact, > I can't see that sc_get_engine is called anywhere. I'm currently using > 0.9.7a, so shouldn't USE_ENGINE be undefined? What if there's no USE_ENGINE? USE_ENGINE is for the 0.9.6-engine interface. in 0.9.7 the engine interface was removed. From stuge-openssh-unix-dev at cdy.org Tue Apr 8 08:51:14 2003 
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Tue, 8 Apr 2003 00:51:14 +0200 Subject: Connection refused In-Reply-To: <5.1.0.14.2.20030407142452.03ea4f38@mail.pcc.edu> References: <5.1.0.14.2.20030407142452.03ea4f38@mail.pcc.edu> Message-ID: <20030407225113.GB22610@foo.birdnet.se> On Mon, Apr 07, 2003 at 02:27:44PM -0700, Ben Le wrote: > Hi there, > The installation of Openssl on my HP-UX 11.11 box went fine. When I execute > 'ssh' command, the error shows: "ssh: connect to host testbox port 22: > Connection refused". Can you point me the solution. Thanks. As trivial as this may seem, make sure you have sshd running on testbox, and note that OpenSSL is not OpenSSH. OpenSSH depends on OpenSSL but they're two (very) different things. //Peter From godot at ulyssis.org Tue Apr 8 09:08:39 2003 
From: godot at ulyssis.org (Danny De Cock) Date: Tue, 8 Apr 2003 01:08:39 +0200 (CEST) Subject: overload key signing function for opensc tokens... In-Reply-To: <20030407213200.GA8412@folly> Message-ID: hi, last year in november, I posted the diffs attached to this mail. the diffs refer to openssh-3.5p1, and work well in combination with openssl-0.9.7a, zlib-1.1.4, and the cvs-source for opensc. I have not yet inspected the new openssh release, but I do not expect significant issues when applying the same patches intelligently. I changed scard.h, scard-opensc.c, sshconnect2.c, ssh-rsa.c and the Makefile (which was produced by `./configure --with-opensc=/usr/local --with-ssl-dir=/usr/local/ssl`), as you may see in the attachment. the stuff works well given gemplus gpk 8k and gpk 16k cards. I have not tested any other cards. I do not claim that the changes I applied are clean (cfr. sshconnect2.c), but they do what I expect them to do, and as far as I am concerned, the patch can be considered stable. in order not to interfere with the original openssh-3.5p1, all my changes follow this structure: #if defined(SMARTCARD) && defined(USE_OPENSC) my code #else original code #endif feel free to produce comments, danny. On Mon, 7 Apr 2003, Markus Friedl wrote: > On Mon, Apr 07, 2003 at 12:25:12PM -0500, Kevin Stefanik wrote: > > My best guess... openssl immediately uses the engine if RSA_FLAG_SIGN_VER flag > > is set - it doesn't check if there is an engine defined. In this case, in > > my debugging, rsa.engine is 0x0 and the ENGINE_get_RSA() called from > > RSA_sign call doesn't verify it before referencing an element of the > > structure, so it segfaults. > > > > Would a cleaner patch be to use the sc_get_engine() and assign an engine? > > That doesn't seem to be happening in sc_read_pubkey at the moment. In fact, > > I can't see that sc_get_engine is called anywhere. I'm currently using > > 0.9.7a, so shouldn't USE_ENGINE be undefined? What if there's no USE_ENGINE? 
> USE_ENGINE is for the 0.9.6-engine interface. > > in 0.9.7 the engine interface was removed. > -- ----------------------------------------------------------------------------- To be intoxicated is to feel sophisticated but not be able to say it. ----------------------------------------------------------------------------- Mail : Danny.DeCock at esat.kuleuven.ac.be WWW : http://ace.ulyssis.org/~godot godot at advalvas.be -------------- next part -------------- ===================== scard.h ===================== --- scard.h Thu Nov 14 22:52:17 2002 +++ original/openssh-3.5p1/scard.h Thu Jul 4 02:14:18 2002 @@ -37,8 +37,4 @@ void sc_close(void); int sc_put_key(Key *, const char *); -#if defined(SMARTCARD) && defined(USE_OPENSC) -int sc_sign(int type, u_char *m, unsigned int m_len, unsigned char *sigret, unsigned int *siglen, RSA *rsa); -#endif - #endif ===================== scard-opensc.c ===================== --- scard-opensc.c Thu Nov 14 23:51:06 2002 +++ original/openssh-3.5p1/scard-opensc.c Tue Apr 23 14:48:46 2002 
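Review bot: the file headers (`--- scard.h Thu Nov 14 22:52:17 2002` against `+++ original/openssh-3.5p1/scard.h`) show that this diff was taken from the modified tree to the original, so throughout the patch the `-` lines are the additions and it only applies with `patch -R`; regenerate it as `diff -u original modified` before anyone tries it against 3.6.1p1. In the scard.h hunk itself, exporting `sc_sign` is fine, but the prototype spells `unsigned int` where the rest of the tree (see the openssh_RSA_verify prototype in ssh-rsa.c below) uses `u_int`.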
@@ -185,99 +185,10 @@ return -1; } -#if defined(SMARTCARD) && defined(USE_OPENSC) -char * -get_pin (struct sc_pkcs15_object *obj) -{ - char buf[80]; - char *pincode; - struct sc_pkcs15_pin_info *pinfo = (struct sc_pkcs15_pin_info *) obj->data; - - sprintf (buf, "Enter PIN [%s]: ", obj->label); - while (1) - { - pincode = getpass (buf); - if (strlen (pincode) == 0) - return NULL; - if (strlen (pincode) < pinfo->min_length || - strlen (pincode) > pinfo->stored_length) - continue; - return pincode; - } -} -#endif - -int +static int sc_sign(int type, u_char *m, unsigned int m_len, unsigned char *sigret, unsigned int *siglen, RSA *rsa) { -#if defined(SMARTCARD) && defined(USE_OPENSC) - struct sc_pkcs15_object *key_obj; - int r; - struct sc_pkcs15_id id; - struct sc_pkcs15_object *objs[32]; - struct sc_pkcs15_object *key; - unsigned long flags = 0; - char *pincode; - struct sc_pkcs15_object *pin; - - r = sc_lock (card); - if (r) - { - error ("Unable to lock smartcard: %s", sc_strerror (r)); - goto err; - } - r = sc_pkcs15_get_objects (p15card, SC_PKCS15_TYPE_PRKEY, objs, 32); - if (r<0) - { - debug ("Unable to retrieve private keys: %s\n", - sc_strerror (r)); - return -1; - } - key = objs[0]; - if (key->auth_id.len) - { - r = sc_pkcs15_find_pin_by_auth_id (p15card, &key->auth_id, &pin); - if (r) - { - debug ("Unable to find PIN code for private key: %s\n", - sc_strerror (r)); - return -1; - } - pincode = get_pin (pin); - if (pincode == NULL) - { - return -1; - } - r = - sc_pkcs15_verify_pin (p15card, - (struct sc_pkcs15_pin_info *) pin->data, - (const u8 *) pincode, strlen (pincode)); - if (r) - { - debug ("PIN code verification failed: %s\n", - sc_strerror (r)); - return -1; - } - free (pincode); - debug ("PIN code correct.\n"); - } -// /* FIXME: check 'type' and modify flags accordingly */ - flags = SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_HASH_SHA1; - r = sc_pkcs15_compute_signature (p15card, key, flags, - m, m_len, sigret, RSA_size (rsa)); - if (r < 0) - { - 
error ("sc_pkcs15_compute_signature() failed: %s", sc_strerror (r)); - goto err; - } - sc_unlock (card); - *siglen = r; - return 1; -err: - sc_close (); - return 0; -#else struct sc_pkcs15_object *key_obj; int r; unsigned long flags = 0; @@ -301,7 +212,6 @@ err: sc_close(); return 0; -#endif } static int ===================== sshconnect2.c ===================== --- sshconnect2.c Thu Nov 14 22:35:18 2002 +++ original/openssh-3.5p1/sshconnect2.c Thu Oct 3 07:45:55 2002 @@ -167,12 +167,6 @@ int *batch_flag; /* flag in option struct that disables method */ }; -#if defined(SMARTCARD) && defined(USE_OPENSC) -static int -key_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, u_int *lenp, - u_char *data, u_int datalen); -#endif - void input_userauth_success(int, u_int32_t, void *); void input_userauth_failure(int, u_int32_t, void *); void input_userauth_banner(int, u_int32_t, void *); @@ -602,11 +596,7 @@ buffer_put_string(&b, blob, bloblen); /* generate signature */ -#if defined(SMARTCARD) && defined(USE_OPENSC) - ret = (key_sign_cb)(authctxt, k, &signature, &slen, -#else ret = (*sign_callback)(authctxt, k, &signature, &slen, -#endif buffer_ptr(&b), buffer_len(&b)); if (ret == -1) { xfree(blob); ===================== ssh-rsa.c ===================== --- ssh-rsa.c Thu Nov 14 22:35:21 2002 +++ original/openssh-3.5p1/ssh-rsa.c Wed Sep 4 08:39:49 2002 @@ -37,10 +37,6 @@ #include "compat.h" #include "ssh.h" -#if defined(SMARTCARD) && defined(USE_OPENSC) -#include "scard.h" -#endif - static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int , RSA *); /* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */ 
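Review bot: in the scard-opensc.c hunk, sc_sign() calls `free (pincode)` on the pointer returned by getpass(), which points to a static buffer and must not be freed; overwrite it with memset() instead (as written the PIN also stays in memory after verification). In get_pin(), `sprintf (buf, "Enter PIN [%s]: ", obj->label)` copies a label read from the card into an 80-byte buffer without bounding it; use snprintf(). After `sc_lock (card)` succeeds, the `return -1` paths (get_objects failure, no PIN found, empty PIN, verification failure) return without sc_unlock(), and `key = objs[0]` is used without checking that sc_pkcs15_get_objects() returned at least one object. The `/* FIXME: check 'type' */` hard-codes SC_ALGORITHM_RSA_HASH_SHA1; that matches the SHA1 signing that ssh-rsa.c documents, but any other type should be rejected rather than signed with the wrong flags. The debug() strings also end in "\n", which the log functions add themselves. In the sshconnect2.c hunk, replacing `(*sign_callback)` with `key_sign_cb` ignores whatever callback the caller supplied and routes every public-key attempt through the card; the callback argument exists for exactly this purpose, so supply key_sign_cb as the callback for the card's key instead. Likewise the ssh-rsa.c change makes sc_sign() replace RSA_sign() for every RSA key, so file-based RSA keys would stop working in an OpenSC build; the tree already has a `static int sc_sign` RSA_METHOD hook (the `-static int` line above), so fixing that path for card keys is the smaller change.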
@@ -71,11 +67,7 @@ slen = RSA_size(key->rsa); sig = xmalloc(slen); -#if defined(SMARTCARD) && defined(USE_OPENSC) - ok = sc_sign(nid, digest, dlen, sig, &len, key->rsa); -#else ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa); -#endif memset(digest, 'd', sizeof(digest)); if (ok != 1) { ===================== Makefile ===================== --- Makefile Thu Nov 14 22:35:17 2002 +++ original/openssh-3.5p1/Makefile Thu Nov 14 22:37:12 2002 @@ -62,8 +62,7 @@ LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o dh.o dispatch.o fatal.o mac.o msg.o hostfile.o key.o kex.o kexdh.o kexgex.o log.o match.o misc.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o scard.o scard-opensc.o ssh-dss.o ssh-rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o monitor_wrap.o monitor_fdpass.o -#SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o -SSHOBJS= scard-opensc.o ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o +SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o From bugzilla-daemon at mindrot.org Tue Apr 8 09:02:48 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 8 Apr 2003 09:02:48 +1000 (EST) Subject: [Bug 538] Hanging while connecting Message-ID: <20030407230248.7C73C94263@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=538 ------- Additional Comments From dtucker at zip.com.au 2003-04-08 09:02 ------- Is there a firewall, packet filter or NAT device between client and server? From sxw at inf.ed.ac.uk Tue Apr 8 10:16:45 2003 From: sxw at inf.ed.ac.uk (Simon Wilkinson) Date: Tue, 8 Apr 2003 01:16:45 +0100 (BST) Subject: Simon Wilkinson's GSS-API patch In-Reply-To: <1049727942.1603.57.camel@gallifrey.lanl.gov> Message-ID: > I understand that Simon may be discontinuing his OpenSSH work. Does > anyone know if someone plans to maintain the patch? Not at all. I'm currently dealing with a couple of major compatibility issues before releasing a patch for the new OpenSSH. Cheers, Simon. From bugzilla-daemon at mindrot.org Tue Apr 8 11:12:08 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 8 Apr 2003 11:12:08 +1000 (EST) Subject: [Bug 539] open() requires 3 arguments when using O_CREAT Message-ID: <20030408011208.09D029425B@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=539 Summary: open() requires 3 arguments when using O_CREAT Product: Portable OpenSSH Version: 3.6p1 Platform: All OS/Version: All Status: NEW Severity: minor Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: matth at eecs.berkeley.edu In lastlog_openseek() in loginrec.c, the call to open(lastlog_file, filemode) should have a third parameter to specify the permissions if the file is created (0644?). If the log file does not exist, it will be created since O_CREAT was passed to open, but the permissions will be set to whatever garbage value is on the end of the stack. I've verified that this problem occurs on my system if lastlog_file does not exist. From dtucker at zip.com.au Tue Apr 8 12:01:59 2003 
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 08 Apr 2003 12:01:59 +1000 Subject: OpenSSH compilation in AIX References: <200304071337.07351.philipp.marek@bmlv.gv.at> Message-ID: <3E922D97.C4FBA1A7@zip.com.au> [Note: CC to openssh-unix-dev added] "Ph. Marek" wrote: > I found your mail > http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=104970105603800&w=2 > where you claim that you've compiled openssh in AIX. That is correct, AIX 4.2.1, 4.3.3 and 5.1. > Now my situation is as follows: > openssh-3.6.1p1 > AIX 4.2 > gcc > /usr/bin/ld (AIX-binary) > > and upon linking of ssh I get "undefined symbol: .__inet_ntoa" and the same > with inet_aton, followed by "use -bloadmap". > If I use -bloadmap I get "cannot find or open libgcc.a" - which is available, > and I even tried to give its path via -L to the linker. > > Do you have any suggestions? inet_ntoa is part of libc.a (on AIX 4.2.1 anyway). The man page contains some conflicting information, though: "All applications containing the inet_ntoa subroutine must be compiled with _BSD set to a specific value. Acceptable values are 43 and 44. In addition, all socket applications must include the BSD libbsd.a library." I would suggest: a) Adding -lbsd to CFLAGS b) Installing all of the bos.adt filesets from your distribution media. After each you must run "make distclean" and re-run "./configure". If those two things don't work please send me the config.h and config.log files generated by running "configure" and the output of "oslevel". -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From jmknoble at pobox.com Tue Apr 8 15:52:08 2003 
From: jmknoble at pobox.com (Jim Knoble)
Date: Tue, 8 Apr 2003 01:52:08 -0400
Subject: [Bug 69] Generalize SSH_ASKPASS [LONG]
In-Reply-To: <3.0.5.32.20030404094801.01c16198@127.0.0.1>
Message-ID: <20030408055208.GP19144@crawfish.ais.com>

Steven Doerfler and i seem to have had a discussion offlist about this.
I'm not sure why i initially took it offlist (probably thinkographical
error). Regardless, with Steven's permission, here are excerpts of the
discussion.

SUMMARY: Steven didn't realize that there would be an assumed default
value for the proposed SSH_CONFIRM envariable (namely,
${libexecdir}/ssh-confirm), or that there is for SSH_ASKPASS
(${libexecdir}/ssh-askpass). I didn't realize he didn't realize that.
After enlightenment, we both seem to think that the proposed
ssh-confirm/SSH_CONFIRM method is a suitable way for this to proceed.

Anyone who sees something we missed, please speak up. I plan to begin
work on patches against 3.7-current (i.e., OpenBSD CVS) end of this
week. The ssh-confirm part of x11-ssh-askpass[*] will follow.

[Sorry about the length; i tried to trim some, but there really wasn't
that much irrelevant stuff in the discussion....]

__________
[*] http://www.pobox.com/~jmknoble/software/x11-ssh-askpass/

----- Forwarded message from Jim Knoble -----

Date: Fri, 4 Apr 2003 16:07:47 -0500
From: Jim Knoble
Subject: Re: [Bug 69] Generalize SSH_ASKPASS
To: Steven Doerfler

Circa 2003-04-04 09:48:01 -0500 dixit Steven Doerfler:

: You could retain compatibility without introducing a new program by
: having ssh invoke ssh-askpass with an environment variable hinting
: at the type of request. For instance, SSH_ASKPASS_PROMPT_HINT=Y
: might indicate that this is a yes/no prompt.
:
: An ssh-askpass program could decide to show Yes/No buttons when it
: saw such an environment variable setting. An ssh-askpass program
: would be free to ignore such a hint and always require the user to
: type YES in a text box, so an old ssh-askpass would work with a
: future ssh that supplied an SSH_ASKPASS_PROMPT_HINT, or vice versa.

How is this substantially different from ssh simply calling an
ssh-confirm program directly?

[...]

SSH_ASKPASS_PROMPT_HINT merely creates an extra layer between ssh (which
already knows whether it wants passphrase input or merely confirmation)
and the actual helper programs. Why make it so complex?

----- End forwarded message -----

----- Forwarded message from Steven Doerfler -----

Date: Fri, 04 Apr 2003 18:27:42 -0500
From: Steven Doerfler
Subject: Re: [Bug 69] Generalize SSH_ASKPASS
To: Jim Knoble

At 04:07 PM 4/4/2003 -0500, Jim Knoble wrote:
[...]
>How is this substantially different from ssh simply calling an
>ssh-confirm program directly?

As the ssh-confirm idea has been proposed, ssh would only call an
ssh-confirm program if the user had set an SSH_CONFIRM environment
variable to point to this new program. That means users updating to this
new version of ssh would discover that to get the same behavior as
before, they now have to install a new program ssh-confirm and define a
new environment variable SSH_CONFIRM to point to it. Without that, ssh
wouldn't run an external program to ask for confirmation, as it does
now. So some operations that now pop up an ssh-askpass window to ask for
confirmation would presumably fail instead.

[...]

Even if ssh was clever enough to continue to use an SSH_ASKPASS variable
for confirmation if no SSH_CONFIRM variable was defined, so that
updating ssh wouldn't actually break things, the user would still need
to add this additional SSH_CONFIRM variable to his settings to see the
improved behavior.

With what I suggested, the user need do no additional ssh configuration
to get the improved behavior. It happens automatically as soon as the
user has updated both his ssh and ssh-askpass programs.

>SSH_ASKPASS_PROMPT_HINT merely creates an extra layer between ssh
>(which already knows whether it wants passphrase input or merely
>confirmation) and the actual helper programs. Why make it so complex?

I think it's simpler than the SSH_CONFIRM approach. Perhaps I haven't
explained it well, though; I'm not sure what extra layer you mean.

From the user's point of view, the change I proposed is simpler because
the user doesn't have to engage with it; the two updated programs just
cooperate to produce a more sensible result.
With the SSH_CONFIRM approach, he does; he has to define a new setting
to indicate that he not only wants passphrase prompts to work sensibly,
but he wants sensible confirmation prompts too. If he doesn't define the
new setting, he gets, at best, the current "type yes or no and I will
replace your response with asterisks" silliness, and at worst some uses
of ssh just fail after updating.

The SSH_ASKPASS_PROMPT_HINT approach would also be simpler from the
developer's point of view. The change required to ssh would be roughly
three lines long. First, with either approach, you'd define a new flag
so the confirm() function can tell read_passphrase() it wants
confirmation, not a passphrase. Then with the SSH_ASKPASS_PROMPT_HINT
approach, roughly one more line is sufficient: a setenv with contents
conditioned on the flag bits.

With the SSH_CONFIRM approach, read_passphrase() would need more
substantial changes. The simplest method would be to generalize (and
rename) the ssh_askpass() subroutine so it could call either program,
then add new logic to read_passphrase() to look for the new variable and
call the new ssh_askpass() with the right arguments.

Similarly, the changes to all the implementations of the ssh-askpass
program to prompt differently when appropriate would be no more work
than writing a new set of ssh-confirm programs. And, of course,
continuing to use the existing programs would still work fine under the
SSH_ASKPASS_PROMPT_HINT scheme.

----- End forwarded message -----

----- Forwarded message from Jim Knoble -----

Date: Mon, 7 Apr 2003 09:48:14 -0400
From: Jim Knoble
Subject: Re: [Bug 69] Generalize SSH_ASKPASS
To: Steven Doerfler

Circa 2003-04-04 18:27:42 -0500 dixit Steven Doerfler:

: As the ssh-confirm idea has been proposed, ssh would only call an
: ssh-confirm program if the user had set an SSH_CONFIRM environment
: variable to point to this new program.

That's certainly not what i meant, whether or not it's what was implied
by what i wrote. The intent was for ssh-confirm to behave the same way
as ssh-askpass, i.e.:

    char *default_ssh_confirm = "/usr/local/libexec/ssh-confirm";
    char *ssh_confirm = getenv("SSH_CONFIRM");

    if (!ssh_confirm) {
        ssh_confirm = default_ssh_confirm;
    }
    do_ssh_confirm_stuff(ssh_confirm);

Until ssh-confirm programs are available, the default ssh-confirm might
be a simple shell script that runs ssh-askpass:

    #!/bin/sh
    SSH_CONFIRM="${SSH_ASKPASS:-@libexecdir@/ssh-askpass}"
    exec "${SSH_CONFIRM}" "$@"

with the expected substitution for '@libexecdir@'. Or, if you prefer
something else:

    #!/bin/sh
    ConfirmationDialog() {
        exec xmessage \
            -name 'ssh-confirm' \
            -title 'SSH Confirmation Request' \
            -xrm '*iconName: SSH-Confirm' \
            -center \
            -buttons Yes,No \
            -default No \
            -print \
            "$@"
    }
    if [ $# -eq 0 ]; then
        ConfirmationDialog ""
    else
        ConfirmationDialog "$@"
    fi

Simple and straightforward. If you don't like the idea of a shell
script, a simple C program would suffice:

    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    char *default_ssh_askpass = "@libexecdir@/ssh-askpass";

    int main(int argc, char **argv)
    {
        char *ssh_confirm = getenv("SSH_ASKPASS");

        if (!ssh_confirm) {
            ssh_confirm = default_ssh_askpass;
        }
        argv[0] = ssh_confirm;
        if (-1 == execv(ssh_confirm, argv)) {
            fprintf(stderr, "%s: %s\n", ssh_confirm, strerror(errno));
            exit(1);
        }
        /* not reached */
        return(0);
    }

Again, with the expected substitution for '@libexecdir@'. A similarly
simple program would work for calling xmessage as an interim
confirmation dialog.
: That means users updating to this new version of ssh would discover
: that to get the same behavior as before, they now have to install a
: new program ssh-confirm and define a new environment variable
: SSH_CONFIRM to point to it. [...]

Nope. See above.

: Each of the many implementations of ssh-askpass (pure X11, Gtk+,
: MS-Windows, etc.) would most likely have to add an ssh-confirm
: program so they could continue to work with this new version of ssh.

Wouldn't have to, but ought to anyway.

[...]

: Even if ssh was clever enough to continue to use an SSH_ASKPASS
: variable for confirmation if no SSH_CONFIRM variable was defined, so
: that updating ssh wouldn't actually break things, the user would
: still need to add this additional SSH_CONFIRM variable to his
: settings to see the improved behavior.

No need. ssh can be dumb. The interim default ssh-confirm script can be
smart enough to handle substituting SSH_ASKPASS for SSH_CONFIRM.

: With what I suggested, the user need do no additional ssh
: configuration to get the improved behavior. It happens
: automatically as soon as the user has updated both his ssh and
: ssh-askpass programs.

Same here, with no additional cruft in between, once ssh-confirm
programs are available.

: >SSH_ASKPASS_PROMPT_HINT merely creates an extra layer [...]
:
: I think it's simpler than the SSH_CONFIRM approach. Perhaps I haven't
: explained it well, though; I'm not sure what extra layer you mean.

I mean the extra layer that detects, parses, and acts on
SSH_ASKPASS_PROMPT_HINT.
What you're advocating is:

  ssh needs passphrase ->
    exec either SSH_ASKPASS or ssh-askpass ->
      if SSH_ASKPASS_PROMPT_HINT is set
        if SSH_ASKPASS_PROMPT_HINT caselessly contains 'y'
          build confirmation dialog
          display confirmation dialog and react to events
        else
          build passphrase dialog
          display passphrase dialog and react to events
        end if
      end if

  ssh needs confirmation ->
    set SSH_ASKPASS_PROMPT_HINT
    exec either SSH_ASKPASS or ssh-askpass ->
      if SSH_ASKPASS_PROMPT_HINT is set
        if SSH_ASKPASS_PROMPT_HINT caselessly contains 'y'
          build confirmation dialog
          display confirmation dialog and react to events
        else
          build passphrase dialog
          display passphrase dialog and react to events
        end if
      end if

Whereas what i'm advocating is:

  ssh needs passphrase ->
    exec either SSH_ASKPASS or ssh-askpass ->
      build passphrase dialog
      display passphrase dialog and react to events

  ssh needs confirmation ->
    exec either SSH_CONFIRM or ssh-confirm ->
      build confirmation dialog
      display confirmation dialog and react to events

See the difference?

: From the user's point of view, the change I proposed is simpler
: because the user doesn't have to engage with it[...]. With the
: SSH_CONFIRM approach, he does; he has to define a new setting to
: indicate that he not only wants passphrase prompts to work sensibly,
: but he wants sensible confirmation prompts too.[...]

Nope ... your arguments center around the misinterpretation that the
environment variable is necessary in order for this to work. It's not;
it should act the same as the SSH_ASKPASS envariable.

: The SSH_ASKPASS_PROMPT_HINT approach would also be simpler from the
: developer's point of view. The change required to ssh would be
: roughly three lines long. First, with either approach, you'd define
: a new flag so the confirm() function can tell read_passphrase() it
: wants confirmation, not a passphrase. Then with the
: SSH_ASKPASS_PROMPT_HINT approach, roughly one more line is
: sufficient: a setenv with contents conditioned on the flag bits.
And every invocation of read_passphrase that requires confirmation must
also be changed to include the flag. See also below.

: With the SSH_CONFIRM approach, read_passphrase() would need more
: substantial changes. The simplest method would be to generalize
: (and rename) the ssh_askpass() subroutine so it could call either
: program, then add new logic to read_passphrase() to look for the new
: variable and call the new ssh_askpass() with the right arguments.

This is not substantially different from the effort you mention above.
Both require changes at the following levels:

  calls to read_passphrase():
    - Add flag meaning "i want confirmation, not a passphrase"

  read_passphrase():
    - Interpret flag meaning "i want confirmation, not a passphrase"
    - Add logic to act on flag.

The only difference is:

  ssh_askpass():
    - generalize to ssh_dialog(envariable_name, default_program)

which is localized and simple.

: Similarly, the changes to all the implementations of the ssh-askpass
: program to prompt differently when appropriate would be no more work
: than writing a new set of ssh-confirm programs.

Not necessarily. There's quite a bit of "if..then..else" logic required
to stuff both dialogs into one program, unless the programs are already
sufficiently abstracted. Since i maintain one of them, i have a
well-founded suspicion that they're not so abstracted. In the case of
x11-ssh-askpass, in fact, it would be more straightforward to create a
new source file containing a second main() for an ssh-confirm program,
link it against the other objects containing low-level and utility
routines, and have another program, than to figure out where the logic
needs to be split in order to "become" ssh-askpass or ssh-confirm. That
logic is moved up the food chain into ssh, where it belongs.

And even if that turns out not to be the case, i argue that it's also
not significantly more work to write a new ssh-confirm program than it
is to graft it into the relevant flavor of ssh-askpass.
: And, of course, continuing to use the existing programs would still
: work fine under the SSH_ASKPASS_PROMPT_HINT scheme.

They'll still continue to work.

----- End forwarded message -----

----- Forwarded message from Steven Doerfler -----

Date: Mon, 07 Apr 2003 11:31:38 -0400
From: Steven Doerfler
Subject: Re: [Bug 69] Generalize SSH_ASKPASS
To: Jim Knoble

At 09:48 AM 4/7/2003 -0400, Jim Knoble wrote:
>That's certainly not what i meant[...]. The intent was for
>ssh-confirm to behave the same way as ssh-askpass, i.e.:

OK, I think I see the problem. The man page for ssh says it only runs an
ssh-askpass program if there's an SSH_ASKPASS environment variable set
(as well as DISPLAY being set, and other conditions). [See ENVIRONMENT
-> SSH_ASKPASS in ssh(1).] I think we agree that it would be bad if
ssh-confirm worked that way too, and didn't run ssh-confirm unless the
user added an SSH_CONFIRM environment variable.

But while the man page says ssh behaves that way, it actually doesn't,
as you pointed out. [...] I hadn't noticed this until now.

As long as ssh-confirm's behavior matches what the ssh code actually
does for ssh-askpass, and not what the man page says it does (and as
long as ssh packagers are careful to include an ssh-confirm script that
redirects to ssh-askpass whenever appropriate when people simply update
their ssh), the main objection I had doesn't apply. As to which is
simpler code-wise, I'll defer to your judgment.

----- End forwarded message -----

----- Forwarded message from Jim Knoble -----

Date: Mon, 7 Apr 2003 12:01:46 -0400
From: Jim Knoble
Subject: Re: [Bug 69] Generalize SSH_ASKPASS
To: Steven Doerfler

Circa 2003-04-07 11:31:38 -0400 dixit Steven Doerfler:

: OK, I think I see the problem. The man page for ssh says it only runs an
: ssh-askpass program if there's an SSH_ASKPASS environment variable set (as
: well as DISPLAY being set, and other conditions). [...]

Does it really say that? {Checks...} Wow. Looks like the man page needs
changed....

: I think we agree that it would be bad if ssh-confirm worked that way
: too, and didn't run ssh-confirm unless the user added an SSH_CONFIRM
: environment variable.[...]

Confirmed.

: As long as ssh-confirm's behavior matches what the ssh code actually
: does for ssh-askpass, and not what the man page says it does (and as
: long as ssh packagers are careful to include an ssh-confirm script
: that redirects to ssh-askpass whenever appropriate when people
: simply update their ssh)

I would move this even further up the food chain and make the scriptlet
part of OpenSSH proper ... the packagers are the ones liable to replace
the script with the confirmation dialog program, not the other way
around.

: , the main objection I had doesn't apply.

Cool.

[...]

----- End forwarded message -----

----- Forwarded message from Steven Doerfler -----

Date: Mon, 07 Apr 2003 12:26:37 -0400
From: Steven Doerfler
Subject: Re: [Bug 69] Generalize SSH_ASKPASS
To: Jim Knoble

At 12:01 PM 4/7/2003 -0400, Jim Knoble wrote:
>I would move this even further up the food chain and make the scriptlet
>part of OpenSSH proper[...].

That sounds like the right way to do it.

[...]

----- End forwarded message -----

-- 
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
Stop the War on Freedom ... Start the War on Poverty!

From ahaupt at ifh.de Tue Apr 8 23:37:04 2003
From: ahaupt at ifh.de (Andreas Haupt)
Date: Tue, 8 Apr 2003 15:37:04 +0200 (MEST)
Subject: Some problems with Heimdal and AFS
Message-ID:

Hello,

My first problem is compilation against Heimdal. It does not work
because of the following:

/products/source/heimdal/heimdal-0.5.1/i386_linux24/lib/roken/../../../lib/roken/getprogname.c(.text+0xc): multiple definition of `get_progname'
openbsd-compat//libopenbsd-compat.a(bsd-misc.o)(.text+0x0):/usr1/ahaupt/openssh-3.6.1p1/openbsd-compat/bsd-misc.c: first defined here
/usr/bin/ld: Warning: size of symbol `get_progname' changed from 24 to 15 in getprogname.o

After applying the heimdal patch from
http://meta.cesnet.cz/software/heimdal/index.en.html which also applies
perfectly for the 3.6.1 it works. Can't this code be integrated in the
main tree?

Another thing: compilation on Solaris. As far as I can remember we have
to add the following two lines in sshconnect1.c to get it to work:

#include
#include

Without it the following happens:

sshconnect1.c: In function `send_afs_tokens':
sshconnect1.c:799: warning: implicit declaration of function `_IOW'
sshconnect1.c:799: parse error before `struct'

I will be happy if this is fixed in one of the following versions.

The last thing: in version 3.6.1 I have to add radix.o manually in the
Makefile to SSHOBJS and SSHDOBJS.

Greetings

-- 
Andreas Haupt                 E-Mail: ahaupt at ifh.de
DESY Zeuthen
Platanenallee 6
15738 Zeuthen

From markus at openbsd.org Wed Apr 9 00:07:43 2003
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 8 Apr 2003 16:07:43 +0200
Subject: [Bug 69] Generalize SSH_ASKPASS [LONG]
In-Reply-To: <20030408055208.GP19144@crawfish.ais.com>
References: <3.0.5.32.20030404094801.01c16198@127.0.0.1> <20030408055208.GP19144@crawfish.ais.com>
Message-ID: <20030408140743.GA29881@folly>

On Tue, Apr 08, 2003 at 01:52:08AM -0400, Jim Knoble wrote:
> Anyone who sees something we missed, please speak up. I plan to begin
> work on patches against 3.7-current (i.e., OpenBSD CVS) end of this
> week. The ssh-confirm part of x11-ssh-askpass[*] will follow.

i don't like the idea of having two programs....
From kstef at mtppi.org Wed Apr 9 01:03:12 2003
From: kstef at mtppi.org (Kevin Stefanik)
Date: Tue, 8 Apr 2003 10:03:12 -0500
Subject: overload key signing function for opensc tokens...
In-Reply-To:
References:
Message-ID: <200304081103.12973.kstef@mtppi.org>

Thanks, Danny. I had used some of your code and I think a lot of this
made it into the official version (at least it did the Mandrake sources)
- I tried patching a few days back, but it wasn't clean. But using your
sc_sign instead of RSA_sign eliminated the key specific overloading and
effectively _required_ hardware tokens instead of making them just
possible. But it was only needed due to a bug in openssl that's been
fixed (untested) as of today's CVS. Now, the sc_sign is put in the
smartcard key's meth-> structure and called for signing.

The get_pin part of your code didn't seem to be in the official sources,
though, and I've had problems getting it to work. It seems to close the
STDIN_FILENO file handle and when ssh goes to open a session
(ssh_session2_open), the dup() fails. I've tried using the ssh
read_passphrase instead of get_pass, but the same thing happens. Any
idea why that would happen?

Cheers,
Kevin

On Monday 07 April 2003 07:08 pm, Danny De Cock wrote:
> hi,
>
> last year in november, I posted the diffs attached to this mail. the
> diffs refer to openssh-3.5p1, and work well in combination with
> openssl-0.9.7a, zlib-1.1.4, and the cvs-source for opensc. I have not yet
> inspected the new openssh release, but I do not expect significant issues
> when applying the same patches intelligently.
>
> I changed scard.h, scard-opensc.c, sshconnect2.c, ssh-rsa.c and the
> Makefile (which was produced by `./configure --with-opensc=/usr/local
> --with-ssl-dir=/usr/local/ssl`), as you may see in the attachment.
>
> the stuff works well given gemplus gpk 8k and gpk 16k cards. I have not
> tested any other cards.
>
> I do not claim that the changes I applied are clean (cfr. sshconnect2.c),
> but they do what I expect them to do, and as far as I am concerned, the
> patch can be considered stable.
>
> in order not to interfere with the original openssh-3.5p1, all my changes
> follow this structure:
>
>   #if defined(SMARTCARD) && defined(USE_OPENSC)
>     my code
>   #else
>     original code
>   #endif
>
> feel free to produce comments, danny.
>
> On Mon, 7 Apr 2003, Markus Friedl wrote:
> > On Mon, Apr 07, 2003 at 12:25:12PM -0500, Kevin Stefanik wrote:
> > > My best guess... openssl immediately uses the engine if
> > > RSA_FLAG_SIGN_VER flag is set - it doesn't check if there is an engine
> > > defined. In this case, in my debugging, rsa.engine is 0x0 and the
> > > ENGINE_get_RSA() called from RSA_sign call doesn't verify it before
> > > referencing an element of the structure, so it segfaults.
> > >
> > > Would a cleaner patch be to use the sc_get_engine() and assign an
> > > engine? That doesn't seem to be happening in sc_read_pubkey at the
> > > moment. In fact, I can't see that sc_get_engine is called anywhere.
> > > I'm currently using 0.9.7a, so shouldn't USE_ENGINE be undefined? What
> > > if there's no USE_ENGINE?
> >
> > USE_ENGINE is for the 0.9.6-engine interface.
> >
> > in 0.9.7 the engine interface was removed.
> >
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From ble at pcc.edu Wed Apr 9 03:49:25 2003
From: ble at pcc.edu (Ben Le)
Date: Tue, 08 Apr 2003 10:49:25 -0700
Subject: zlib/openssh help
Message-ID: <5.1.0.14.2.20030408104812.03aaa9f8@mail.pcc.edu>

The installation of zlib on my HP-UX 11.11 box went fine. When I
installed 'openssh', it's complaining "zlib is missing" with the
following error:

"configure: error: *** zlib missing - please install first or check
config.log ***"

Where does the zlib reside on the system? I can't find it anywhere.
Thanks.

__________________________________________
Benjamin Le
Sr. Systems Administrator
Information Technology Services
Portland Community College
Voice:(503)-977-4736 Fax:(503)-977-4987
Mailto:ble at pcc.edu http://www.pcc.edu

From wendyp at cray.com Wed Apr 9 04:01:13 2003
From: wendyp at cray.com (Wendy Palm)
Date: Tue, 08 Apr 2003 13:01:13 -0500
Subject: zlib/openssh help
References: <5.1.0.14.2.20030408104812.03aaa9f8@mail.pcc.edu>
Message-ID: <3E930E69.9070805@cray.com>

zlib is often put in /usr/local/lib/libz.a, unless you told it to go
somewhere else with the --prefix= option.

check your config.log file for a more complete error message.

Ben Le wrote:
> The installation of zlib on my HP-UX 11.11 box went fine. When I installed
> 'openssh', it's complaining "zlib is missing" with the following error:
>
> "configure: error: *** zlib missing - please install first or check
> config.log ***"
>
> Where does the zlib reside on the system? I can't find it anywhere. Thanks.
>
> __________________________________________
> Benjamin Le
> Sr. Systems Administrator
> Information Technology Services
> Portland Community College
> Voice:(503)-977-4736 Fax:(503)-977-4987
> Mailto:ble at pcc.edu http://www.pcc.edu
>

-- 
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From no at nowhere.org Wed Apr 9 04:09:14 2003
From: no at nowhere.org (Kevin Taylor)
Date: Tue, 08 Apr 2003 14:09:14 -0400
Subject: IRIX compilation and openbsd-compat/basename.h
Message-ID: <3E93104A.3030700@nowhere.org>

I was trying to compile openssh-3.6.1p1 on IRIX and ran across this
error while compiling progressmeter.c:

"/usr/include/libgen.h", line 35: error(1143): declaration is incompatible with
          "char *basename(const char *)" (declared at line 9 of
          "openbsd-compat/basename.h")
  extern char *basename(char *);
               ^

1 error detected in the compilation of "progressmeter.c".
*** Error code 2 (bu21)

I commented this line in openbsd-compat/basename.h:

char *basename(const char *path);

and everything compiled fine.

Kevin Taylor
ktaylor at no-spammers.daac.gsfc.nasa.gov

From libove at felines.org Wed Apr 9 04:24:10 2003
From: libove at felines.org (Jay Libove)
Date: Tue, 8 Apr 2003 14:24:10 -0400 (EDT)
Subject: OpenSSH 3.6.1p1 on NCR MP-RAS v4.3, several weird terminal problems
Message-ID:

I compiled OpenSSH 3.6.1p1 on NCR MP-RAS v4.3 (or at least "uname -a"'s
output of 4.0.3.0 suggests v4.3, I'm not positive).

I was able to compile zlib (1.1.4) and openssl (0.9.7a) with little
trouble. OpenSSH took hand-hacking the includes.h file as follows:

diff -cr openssh-3.6.1p1/includes.h openssh-3.6.1p1-customized/includes.h
*** openssh-3.6.1p1/includes.h	Sun Oct 20 20:50:26 2002
--- openssh-3.6.1p1-customized/includes.h	Mon Apr  7 17:32:04 2003
***************
*** 104,110 ****
--- 104,114 ----
  #ifdef HAVE_SYS_TIME_H
  # include /* For timersub */
  #endif
+ #define _XOPEN_SOURCE
+ #define _XOPEN_SOURCE_EXTENDED 1
  #include
+ #undef _XOPEN_SOURCE_EXTENDED
+ #undef _XOPEN_SOURCE
  #ifdef HAVE_SYS_SELECT_H
  # include
  #endif

Other than that, things *appeared* to compile and install fine.

Then I logged in to this NCR MP-RAS machine using SSH (from Van Dyke's
SecureCRT v4.0.4) and saw this:

$ man ls | more
Cannot reopen stdout: No such device or address
$ PAGER=more
$ export PAGER
$ man ls
Cannot reopen stdout: No such device or address
Cannot reopen stdout: No such device or address

Even worse than the pipe problem: Control-C ANYWHERE - at the command
prompt, while a command is running, inside 'vi', anywhere - will kill
the SSH connection completely! Ick...

$ ssh -l username MP-RAS_host
username at MP-RAS_host's password: ********
$ ^C
Connection to MP-RAS_host closed by remote host.
Connection to MP-RAS_host closed.

One more thing: on exiting the shell normally (pressing Control-D), the
SSH session does not fully close; I see "^D" displayed in the remote
shell and the shell has exited, but the actual remote connection from
the SSH client to the SSH server remains open until killed.

$ ssh -l username MP-RAS_host
username at MP-RAS_host's password: ********
$ ^D
~.                    to close it manually>

There's no job control when logged in under SSH:

$ ed
^Z
?
q
$

.. as compared to under telnet:

$ ed
^Z
[1] + Stopped
$ fg
ed
q
$

I logged in with telnet in another session (also from SecureCRT v4.0.4)
and compared some things:

* /dev/pts/xx have the same owner, group, and modes in the two sessions

* environments differ slightly:
  + Only the telnet session has
      HZ=100
      TIMEOUT=0
  + The PATH is slightly different, with the SSH session adding the
    binary directory where OpenSSH is installed (/opt/openssh/bin), and
    also inserting /bin (which the telnet session lacked)
      SSH:    PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/openssh/bin:/usr/ccs/bin
      Telnet: PATH=/usr/bin:/usr/sbin:/usr/ccs/bin
  + Only the SSH session contains:
      SSH_TTY=/dev/pts/xx
      SSH_CONNECTION="srcIP srcport dstIP dstport"
      SSH_CLIENT="srcIP srcport dstport"
      USER=jlibove
  + The MAIL variable in the SSH session has an extra '/' in it:
      MAIL=/var/mail//jlibove
    compared to the telnet session
      MAIL=/var/mail/jlibove

None of these seem critical, though the MAIL setting does imply some
additional misunderstanding of NCR MP-RAS' peculiarities by the OpenSSH
code.

I compared the output of "stty -a", and found the only difference to be
that the telnet session thought of itself as being on a 9600 baud
terminal, while the SSH session thought of itself as 38400 baud.
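Review bot: in the includes.h hunk, _XOPEN_SOURCE and _XOPEN_SOURCE_EXTENDED are defined only around one #include (the header name did not survive the archive) and then undefined again, after sys/time.h and every header earlier in includes.h have already been pulled in. Feature-test macros control what each system header declares and must be set before the first system header is included, so toggling them mid-file leaves the headers processed before and after this block compiled under different feature sets, which can produce inconsistent prototypes and struct layouts across the same translation unit. The defines belong at the top of includes.h (or in CFLAGS via configure for this platform), and the `#undef` pair should go.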
$ stty -a
speed 38400 baud; rows = 34; columns = 80; ypixels = 0; xpixels = 0;
intr = ^c; quit = ^|; erase = ^h; kill = ^u; eof = ^d; eol = ; eol2 = ;
swtch = ; start = ^q; stop = ^s; susp = ^z; dsusp = ; rprnt = ^r;
flush = ^o; werase = ^w; lnext = ^v;
-parenb -parodd cs8 -cstopb hupcl cread -clocal -loblk -parext
-ignbrk brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl -iuclc
ixon -ixany -ixoff -imaxbel
isig icanon -xcase echo echoe echok -echonl -noflsh
-tostop echoctl -echoprt echoke -defecho -flusho -pendin iexten
opost -olcuc onlcr -ocrnl -onocr -onlret -ofill -ofdel tab3

I have confirmed that these same problems occur when the client is
OpenSSH v3.1p1 on a Linux machine, so it is not related to the SecureCRT
client - it is definitely the way the OpenSSH code compiles/runs on the
NCR MP-RAS server.

Ideas and previous experience in getting OpenSSH to work correctly on
NCR MP-RAS will be most welcome!

Thanks
-Jay Libove, CISSP
libove at felines.org

From bugzilla-daemon at mindrot.org Wed Apr 9 12:52:11 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 9 Apr 2003 12:52:11 +1000 (EST)
Subject: [Bug 540] sshd [priv] has PPID 1 and is killed by ^C in terminal
Message-ID: <20030409025211.BA89B94207@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=540

Summary: sshd [priv] has PPID 1 and is killed by ^C in terminal
Product: Portable OpenSSH
Version: 3.6p1
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: stuge-openssh-unix-dev at cdy.org

Starting with 3.6 on one of my Linux systems running libc5, the privsep sshd process, marked with [priv] in the process name, has PPID 1 instead of that of the parent sshd. This is probably related to the fact that the [priv] sshd dies when I hit ^C almost anywhere when logged in. sshd dies when bash is running, sshd dies when vi is running, but sshd doesn't die when joe is running. ^C means exit-without-save in joe; since it's remappable, joe might handle the signals differently than others. I bet this issue is related to what Mr. Libove sees on NCR MP-RAS.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From matthew at stairways.com.au Wed Apr 9 13:03:14 2003
From: matthew at stairways.com.au (Matthew Drayton)
Date: Wed, 9 Apr 2003 11:03:14 +0800
Subject: [Bug 69] Generalize SSH_ASKPASS [LONG]
In-Reply-To: <20030408055208.GP19144@crawfish.ais.com>
Message-ID:

> Anyone who sees something we missed, please speak up. I plan to begin
> work on patches against 3.7-current (i.e., OpenBSD CVS) end of this
> week. The ssh-confirm part of x11-ssh-askpass[*] will follow.

In the process of developing a Mac OS X sftp client I have encountered a few issues with SSH_ASKPASS. Specifically:

* I have to parse the prompt string to:
  - localize my SSH_ASKPASS program.
  - extract user, host, etc to integrate with the Mac OS X keychain.
  - determine if the prompt requires a yes/no response.
* The user cannot cancel the connection attempt.

The proposed SSH_CONFIRM protocol is a step in the right direction but IMO it doesn't go far enough. I think we can extend the existing SSH_ASKPASS without the need for a separate SSH_CONFIRM and still be compatible with existing SSH_ASKPASS programs.

At present a SSH_ASKPASS program is fed one argument: the prompt to display to the user. I propose we extend this:

argv[1] = prompt
argv[2] = flags
argv[3] = identifier
...

where:

prompt     - prompt to display to the user.
flags      - indicates whether prompt requires a yes/no response, user input should be echoed, etc.
identifier - unique identifier string for the passphrase. For example, org.openssh.password, org.openssh.passphrase.
...        - identifier specific arguments.

Some examples:

* identifier = org.openssh.password
  argv[4] = user
  argv[5] = host
  argv[6] = attempt

* identifier = org.openssh.passphrase
  argv[4] = key
  argv[5] = attempt

* identifier = org.openssh.unknownhostkey
  argv[4] = host
  argv[5] = ip
  argv[6] = type
  argv[7] = fingerprint

Existing SSH_ASKPASS programs should continue to work because the prompt argument ( argv[1] ) will be left unchanged. New SSH_ASKPASS programs will be able to take advantage of the additional arguments.
There will be no need to parse the prompt to extract information. SSH_ASKPASS programs can determine if a yes/no response is required from the flag argument ( argv[2] ). They can also determine if user input should be echoed to the screen.

Matthew.
--

From bugzilla-daemon at mindrot.org Wed Apr 9 13:18:55 2003
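An added example, not part of Matthew's message or of OpenSSH: a small SSH_ASKPASS helper written against the argv layout proposed above (argv[1] prompt, argv[2] flags, argv[3] identifier, then identifier-specific arguments) that still accepts the legacy one-argument call. The proposal leaves the encoding of flags open, so this assumes, as its own assumption, a comma-separated token list in which "confirm" means a yes/no answer is wanted and "echo" means input may be echoed; the identifier names and argument order are the proposal's.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): an SSH_ASKPASS helper
# that accepts both the legacy one-argument call and the extended argv layout
# proposed above:  argv[1]=prompt argv[2]=flags argv[3]=identifier argv[4..]=...
# Assumption (the proposal leaves flags unspecified): argv[2] is a
# comma-separated token list where "confirm" asks for a yes/no answer and
# "echo" means the reply may be echoed; identifier names are the proposal's.

# Legacy call: only the prompt text is available, so classify it by content.
# Prints "confirm" for a yes/no question, "secret" otherwise.
classify_legacy_prompt() {
    case "$1" in
        *"(yes/no)"*) echo confirm ;;
        *)            echo secret ;;
    esac
}

# Exit 0 if the comma-separated flag list $1 contains the token $2.
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Turn the identifier-specific arguments into one line of detail for the
# dialog, so nothing has to be scraped out of the prompt string.
# Usage: describe_request IDENTIFIER ARG...
describe_request() {
    ident=$1
    shift
    case "$ident" in
        org.openssh.password)        # user host attempt
            printf 'password for %s@%s (attempt %s)\n' "$1" "$2" "$3" ;;
        org.openssh.passphrase)      # key attempt
            printf 'passphrase for key %s (attempt %s)\n' "$1" "$2" ;;
        org.openssh.unknownhostkey)  # host ip type fingerprint
            printf 'unknown %s host key for %s [%s], fingerprint %s\n' \
                "$3" "$1" "$2" "$4" ;;
        *)
            printf 'unrecognised request %s\n' "$ident" >&2
            return 1 ;;
    esac
}

# Decide how to answer: "confirm" (yes/no), "plain" (echoed text) or
# "secret" (hidden text).  Uses the flags when present, else the legacy rule.
# Usage: request_kind PROMPT [FLAGS [IDENTIFIER ARG...]]
request_kind() {
    if [ $# -ge 2 ]; then
        if has_flag "$2" confirm; then
            echo confirm
        elif has_flag "$2" echo; then
            echo plain
        else
            echo secret
        fi
    else
        classify_legacy_prompt "$1"
    fi
}

# Talk to the user on /dev/tty (a real helper would put up a dialog or
# consult a keychain here) and print the answer on stdout for ssh to read.
askpass_main() {
    prompt=$1
    kind=$(request_kind "$@")
    if [ $# -ge 3 ]; then
        shift 2                      # $1 is now the identifier
        describe_request "$@" >/dev/tty || exit 1
    fi
    printf '%s ' "$prompt" >/dev/tty
    case "$kind" in
        confirm)
            read -r answer </dev/tty || answer=no   # EOF/cancel means "no"
            case "$answer" in
                [yY]|[yY][eE][sS]) echo yes ;;
                *)                 echo no ;;
            esac ;;
        plain)
            read -r answer </dev/tty
            printf '%s\n' "$answer" ;;
        secret)
            stty -echo </dev/tty
            read -r answer </dev/tty
            stty echo </dev/tty
            echo >/dev/tty
            printf '%s\n' "$answer" ;;
    esac
}

# Only act when invoked by ssh with arguments; running it bare is a no-op.
if [ $# -gt 0 ]; then
    askpass_main "$@"
fi
```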
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 9 Apr 2003 13:18:55 +1000 (EST)
Subject: [Bug 540] sshd [priv] doesn't give shell a tty and is killed by ^C too easily
Message-ID: <20030409031855.78FEB94256@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=540

stuge-openssh-unix-dev at cdy.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|sshd [priv] has PPID 1 and  |sshd [priv] doesn't give
                   |is killed by ^C in terminal |shell a tty and is killed by
                   |                            |^C too easily

------- Additional Comments From stuge-openssh-unix-dev at cdy.org 2003-04-09 13:18 -------
Unable to reproduce with sshd -d.

sshd -d process tree:

30988 ?  S  0:00 sshd -D
30990 p4 S  0:00  \_ -bash
31729 p4 S  0:00      \_ sshd: root at ttyp5
31733 p5 S  0:00          \_ -bash
31816 p5 R  0:00              \_ ps fx

sshd -D process tree:

30988 ?  S  0:00 sshd -D
30990 p4 S  0:00  \_ -bash
31825 p4 S  0:00      \_ openssh-3.6.1p1/sshd -D
31827 p5 S  0:00          \_ sshd: root at ttyp5
31829 ?  S  0:00              \_ -bash
31835 ?  R  0:00                  \_ ps fx

Note that the first two processes are common to the two attempts.

Doh, this isn't about the PPID. It's about the tty.

Also, using a 3.6.1 client, when logging out from this server, I get two messages:

$ logout
Connection to cdy.org closed by remote host.
Connection to cdy.org closed.

I get both of them when "exiting" using ^C as well. I only get the second message "Connection to ... closed." when I use the same client to connect to a different Linux system also running a 3.6.1 sshd but built against libc6.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 9 13:23:01 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 9 Apr 2003 13:23:01 +1000 (EST) Subject: [Bug 538] Hanging while connecting Message-ID: <20030409032301.5A65694256@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=538 ------- Additional Comments From djm at mindrot.org 2003-04-09 13:23 ------- Does the hostname that you are trying to connect to resolve to multiple addresses? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 9 14:01:48 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 9 Apr 2003 14:01:48 +1000 (EST) Subject: [Bug 540] sshd [priv] doesn't give shell a tty and is killed by ^C too easily Message-ID: <20030409040148.B16D494271@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=540 ------- Additional Comments From dtucker at zip.com.au 2003-04-09 14:01 ------- This is probably related to bug #536. Try the fix from there ("Try adding "#define STREAMS_PUSH_ACQUIRES_CTTY 1" to config.h and recompiling.") and if that's it please close this bug as a duplicate. I didn't look at the MP-RAS thing but it sounds like the same problem. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 9 14:32:31 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 9 Apr 2003 14:32:31 +1000 (EST) Subject: [Bug 540] sshd [priv] doesn't give shell a tty and is killed by ^C too easily Message-ID: <20030409043231.42AF094272@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=540 stuge-openssh-unix-dev at cdy.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |DUPLICATE ------- Additional Comments From stuge-openssh-unix-dev at cdy.org 2003-04-09 14:32 ------- Sure is. From bugzilla-daemon at mindrot.org Wed Apr 9 14:32:33 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 9 Apr 2003 14:32:33 +1000 (EST) Subject: [Bug 536] no access to tty on Linux 2.0 Message-ID: <20030409043233.083B794279@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=536 stuge-openssh-unix-dev at cdy.org changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |stuge-openssh-unix- | |dev at cdy.org ------- Additional Comments From stuge-openssh-unix-dev at cdy.org 2003-04-09 14:32 ------- *** Bug 540 has been marked as a duplicate of this bug. *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 9 14:40:39 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 9 Apr 2003 14:40:39 +1000 (EST) Subject: [Bug 536] no access to tty on Linux 2.0 and 2.4+libc5 Message-ID: <20030409044039.9F27B9427F@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=536 stuge-openssh-unix-dev at cdy.org changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|no access to tty on Linux |no access to tty on Linux |2.0 |2.0 and 2.4+libc5 ------- Additional Comments From stuge-openssh-unix-dev at cdy.org 2003-04-09 14:40 ------- Adding that this is not 2.0 specific, I see the same behavior on 2.4 with libc5. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From jmknoble at pobox.com Wed Apr 9 15:54:50 2003 From: jmknoble at pobox.com (Jim Knoble) Date: Wed, 9 Apr 2003 01:54:50 -0400 Subject: [Bug 69] Generalize SSH_ASKPASS [LONG] In-Reply-To: <20030408140743.GA29881@folly> References: <3.0.5.32.20030404094801.01c16198@127.0.0.1> <20030408055208.GP19144@crawfish.ais.com> <20030408140743.GA29881@folly> Message-ID: <20030409055450.GQ19144@crawfish.ais.com> Circa 2003-04-08 16:07:43 +0200 dixit Markus Friedl: : i don't like the idea of having two programs.... Care to explain why? -- jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) Stop the War on Freedom ... Start the War on Poverty! From l.m.d.cranswick at dl.ac.uk Wed Apr 9 16:33:01 2003 
From: l.m.d.cranswick at dl.ac.uk (Lachlan Cranswick)
Date: Wed, 09 Apr 2003 02:33:01 -0400
Subject: error compiling portable openssh 3.6.1p1 on SGI IRIX 6.5x
Message-ID: <2.2.32.20030409063301.0133020c@mserv1.dl.ac.uk>

Hi,

First checking out http://www.openbsd.org/errata.html

Following is output and error from trying to compile the latest openssh on SGI IRIX (using cc). Previous versions of openssh have compiled cleanly on this system using the following configure options. Is there a quick fix for this?

Cheers,

Lachlan.

-------------------------------------------------------
For SGI IRIX 6.5x 10151453 IP32

Using openssh 3.6.1p1 from http://www.openssh.com/portable.html and the following from a cshell:

env CC=cc ./configure --build=mips-sgi-irix6.5 --with-tcp-wrappers --with-ldflags='-L/usr/local/lib'

Then make:

(cd openbsd-compat && make)
make[1]: Entering directory `/web_disc/ccp14/ssh/openssh-3.6.1p1/openbsd-compat'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/web_disc/ccp14/ssh/openssh-3.6.1p1/openbsd-compat'
cc -g -I. -I. -I/usr/local/ssl/include -I/usr/local/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c progressmeter.c
cc-1143 cc: ERROR File = /usr/include/libgen.h, Line = 35
  Declaration is incompatible with "char *basename(const char *)" (declared at line 9 of "openbsd-compat/basename.h").

  extern char *basename(char *);
               ^

1 error detected in the compilation of "progressmeter.c".
make: *** [progressmeter.o] Error 2
-------------------------------------------------------

-----------------------
Lachlan M. D.
Cranswick 30th March till 5th May 2003 - visiting: Maproom Rm 31 Geochemistry - Lamont-Doherty Earth Observatory of Columbia University PO Box 1000, 61 Route 9W Palisades, New York 10964-1000 USA Tel: (845) 365-8302; Fax: (845) 365-8155; E-mail: l.m.d.cranswick at dl.ac.uk After 6th May 2003: Neutron Program for Materials Research (NPMR), National Research Council (NRC), Building 459, Station 18, Chalk River Laboratories, Chalk River, Ontario, Canada, K0J 1J0 Tel: (613) 584-8811; Fax: (613) 584-4040 From bugzilla-daemon at mindrot.org Wed Apr 9 19:40:53 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 9 Apr 2003 19:40:53 +1000 (EST) Subject: [Bug 539] open() requires 3 arguments when using O_CREAT Message-ID: <20030409094053.A6C7294207@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=539 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2003-04-09 19:40 ------- fixed, thanks ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 9 21:53:52 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 9 Apr 2003 21:53:52 +1000 (EST) Subject: [Bug 528] ProxyCommand none is sensitive to extra whitespace Message-ID: <20030409115352.E1E8294207@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=528 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2003-04-09 21:53 ------- Slightly different fix applied ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From sb38 at orient-sky.com Wed Apr 9 23:54:19 2003 
From: sb38 at orient-sky.com (=?iso-2022-jp?B?GyRCPlo1ck0tIzUyLyM5QGlLfDFfJVMlLyVBJWMlcyU5GyhC?=) Date: Wed, 9 Apr 2003 22:54:19 +0900 Subject: =?iso-2022-jp?B?GyRCTCQ+NUJ6OS05cCF2IzMyLzFfJFgkTjBsSmIhISEhISEhISEhISEbKEI=?= Message-ID: <200304091354.h39DsJd24058@orient-sky.com>
From ayamura at ayamura.org Thu Apr 10 00:26:42 2003 From: ayamura at ayamura.org (Ayamura KIKUCHI) Date: Wed, 09 Apr 2003 23:26:42 +0900 Subject: IRIX compilation and openbsd-compat/basename.h In-Reply-To: <3E93104A.3030700@nowhere.org> References: <3E93104A.3030700@nowhere.org> Message-ID: <86u1d7n3vh.wl@sea.ayamura.org> > I was trying to compile openssh-3.6.1p1 on IRIX and ran across this > error while compiling progressmeter.c: > > "/usr/include/libgen.h", line 35: error(1143): declaration is incompatible > with "char *basename(const char *)" (declared at line 9 of > "openbsd-compat/basename.h") > extern char *basename(char *); > ^ IRIX has the basename() function in libgen. Autoconf script under current cvs tree is not yet modified to detect it. --- openssh-3.6.1p/configure.ac.orig 2003-03-21 10:18:09.000000000 +0900 +++ openssh-3.6.1p/configure.ac 2003-04-09 23:12:09.041843000 +0900
@@ -619,6 +619,9 @@ AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP)) +dnl IRIX has basename() in libgen +AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) + dnl Make sure strsep prototype is defined before defining HAVE_STRSEP AC_CHECK_DECL(strsep, [AC_CHECK_FUNCS(strsep)]) -- ayamura From mouring at etoh.eviladmin.org Thu Apr 10 00:55:36 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 9 Apr 2003 09:55:36 -0500 (CDT) Subject: IRIX compilation and openbsd-compat/basename.h In-Reply-To: <86u1d7n3vh.wl@sea.ayamura.org> Message-ID: On Wed, 9 Apr 2003, Ayamura KIKUCHI wrote: > > I was trying to compile openssh-3.6.1p1 on IRIX and ran across this > > error while compiling progressmeter.c: > > > > "/usr/include/libgen.h", line 35: error(1143): declaration is incompatible > > with "char *basename(const char *)" (declared at line 9 of > > "openbsd-compat/basename.h") > > extern char *basename(char *); > > ^ > > IRIX has the basename() function in libgen. Autoconf script under > current cvs tree is not yet modified to detect it. > > --- openssh-3.6.1p/configure.ac.orig 2003-03-21 10:18:09.000000000 +0900 > +++ openssh-3.6.1p/configure.ac 2003-04-09 23:12:09.041843000 +0900 > @@ -619,6 +619,9 @@ > > AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP)) > > +dnl IRIX has basename() in libgen > +AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) > + This is not right... Nor has any other solution I've seen is right. basename needs to be checked in multiple places. We need to check libc and gen at this point. Otherwise it will break for other platforms. - Ben From bugzilla-daemon at mindrot.org Thu Apr 10 01:29:08 2003 
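Review bot: the action-if-found of the added AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) runs whether basename was found with no extra library or only after -lgen was tried, so HAVE_BASENAME records that the function exists but not which library supplies it; -lgen is prepended to LIBS only in the second case, which is the point Ben and Albert argue about below. The IRIX failure quoted above is a prototype clash between /usr/include/libgen.h and openbsd-compat/basename.h rather than a missing symbol, so the define only helps if the replacement prototype in openbsd-compat/basename.h is guarded on HAVE_BASENAME, which this hunk does not show; consider pairing the library search with an AC_CHECK_HEADERS(libgen.h) check so includes.h can pull in the system declaration wherever it exists, and widen the dnl comment, since the line is reached on every platform that has basename(), not only IRIX.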
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 10 Apr 2003 01:29:08 +1000 (EST)
Subject: [Bug 541] packet_set_interactive typo
Message-ID: <20030409152908.E41D09428B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=541

Summary: packet_set_interactive typo
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: furrier at iglou.com

Hi,

In OpenSSH 3.6.1p1, the function packet_set_interactive() in packet.c appears to have changed from 3.5p1. It appears there may be a typographical error. Specifically, 3.6.1p1 shows:

    /* Only set socket options if using a socket. */
    if (!packet_connection_is_on_socket())
    if (interactive)
        set_nodelay(connection_in);

when it is probably supposed to say:

    /* Only set socket options if using a socket. */
    if (!packet_connection_is_on_socket())
        return;
    if (interactive)
        set_nodelay(connection_in);

In other words, it appears somebody accidentally deleted the "return" statement that was present (and functional) in 3.5p1. As such, the set_nodelay() only gets executed in 3.6.1p1 if the connection is NOT on a socket, which is likely not how it was meant to be written.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From openssh-unix-dev at thewrittenword.com Thu Apr 10 01:53:23 2003
From: openssh-unix-dev at thewrittenword.com (Albert Chin) Date: Wed, 9 Apr 2003 10:53:23 -0500 Subject: IRIX compilation and openbsd-compat/basename.h In-Reply-To: References: <86u1d7n3vh.wl@sea.ayamura.org> Message-ID: <20030409155323.GA72638@spuckler.il.thewrittenword.com> On Wed, Apr 09, 2003 at 09:55:36AM -0500, Ben Lindstrom wrote: > On Wed, 9 Apr 2003, Ayamura KIKUCHI wrote: > > > > I was trying to compile openssh-3.6.1p1 on IRIX and ran across this > > > error while compiling progressmeter.c: > > > > > > "/usr/include/libgen.h", line 35: error(1143): declaration is incompatible > > > with "char *basename(const char *)" (declared at line 9 of > > > "openbsd-compat/basename.h") > > > extern char *basename(char *); > > > ^ > > > > IRIX has the basename() function in libgen. Autoconf script under > > current cvs tree is not yet modified to detect it. > > > > --- openssh-3.6.1p/configure.ac.orig 2003-03-21 10:18:09.000000000 +0900 > > +++ openssh-3.6.1p/configure.ac 2003-04-09 23:12:09.041843000 +0900 > > @@ -619,6 +619,9 @@ > > > > AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP)) > > > > +dnl IRIX has basename() in libgen > > +AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) > > + > > This is not right... Nor has any other solution I've seen is right. > > basename needs to be checked in multiple places. We need to check libc > and gen at this point. > > Otherwise it will break for other platforms. AC_SEARCH_LIBS checks first with no libraries, then iterates over the list of libraries contained in the 2nd argument. The above patch compiles fine on Solaris 2.5.1-9/SPARC, IRIX 6.5, HP-UX 10.20-11i, Tru64 UNIX 4.0D, 5.1, AIX 4.3.2, AIX 5.1, and Redhat Linux 7.1. -- albert chin (china at thewrittenword.com) From bugzilla-daemon at mindrot.org Thu Apr 10 02:54:53 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 10 Apr 2003 02:54:53 +1000 (EST)
Subject: [Bug 542] OpenSSH 3.6.1p1 - sftp exit codes and improved logging for scripting
Message-ID: <20030409165453.108B894209@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=542

Summary: OpenSSH 3.6.1p1 - sftp exit codes and improved logging for scripting
Product: Portable OpenSSH
Version: -current
Platform: Sparc
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: sftp
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: magnus at mandarin.nu

Overview description:

When downloading files from a remote server that are:
Non-readable (permission denied)
Non-existing (no files on remote system)
... sftp client exit-code is 0 when running the following in a script:

#!/bin/sh
/usr/local/bin/sftp -v -oBatchMode=yes user at host < answerfile.txt 2> debug.log
echo $?
0

Answerfile:
cd /var/log/testlog/test_log
get /var/log/testlog/test_log/test_log_2003-04-08.log

Debug-log produced from running above:
...snip...
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: fd 4 setting O_NONBLOCK
...snip...
Couldn't stat remote file: No such file or directory
File "/var/log/testlog/test_log/test_log_2003-04-08.lo" not found.
debug1: channel 0: read<=0 rfd 4 len 0
debug1: channel 0: read failed
...snip...
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0
...eof...

And on permission denied:
...snip...
debug1: Sending subsystem: sftp
debug1: channel 0: request subsystem
debug1: channel 0: open confirm rwindow 0 rmax 32768
Couldn't get handle: Permission denied
debug1: channel 0: read<=0 rfd 4 len 0
...snip...
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0
...eof...
Expected results:

Shouldn't the above return an exit status of >0 on these errors?

Build date and platform:

OpenSSH 3.6.1.p1, Solaris 9 sparc sun4u / GCC 3.1

Also, have you considered implementing better logging of transfers? E.g. standard ftp "226 Transfer complete" to stdout, instead of having to run the client in debug-mode, and perhaps a configfile to specify logpath and level. I read in the changelog about improved logging for sftp but can't see that the man pages are updated. What will -DTRACE=log accomplish exactly?

Thanks.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 10 03:07:28 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 10 Apr 2003 03:07:28 +1000 (EST)
Subject: [Bug 542] OpenSSH 3.6.1p1 - sftp exit codes and improved logging for scripting
Message-ID: <20030409170728.8EFBE94212@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=542

------- Additional Comments From mouring at eviladmin.org 2003-04-10 03:07 -------
/usr/local/bin/sftp -v -oBatchMode=yes user at host -b answerfile.txt 2> debug.log

use -b batch option. That is why it was created. It allows you to break when a command fails.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From v_t_m at seznam.cz Thu Apr 10 03:35:27 2003
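An added example, not from the bug report or from OpenSSH, showing the scripted download written the way Ben suggests: the commands come from a batch file via -b so that sftp stops at the first failing command and exits non-zero, the exit status is checked, and as a second line of defence the debug log is scanned for the two error messages quoted in the report. The sftp path, host, file names and the sample log are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report or from OpenSSH): the scripted download
# from the report, rewritten to notice failures.  Commands come from a batch
# file via -b, as Ben suggests, so sftp stops at the first failing command and
# exits non-zero instead of draining stdin and exiting 0.  As a second line of
# defence the debug log is scanned for the error lines quoted in the report.
# The sftp path, host, file names and the sample log below are constructed.

SFTP=${SFTP:-/usr/local/bin/sftp}

# Exit 0 if the log on stdin contains one of sftp's own failure messages
# (both failures in the report start with "Couldn't"; the missing file also
# produces a 'File "..." not found.' line), 1 otherwise.
sftp_log_has_error() {
    grep -q -e "^Couldn't " -e '^File ".*" not found\.'
}

# Drop the debug1: chatter so a cron mail shows only what went wrong.
sftp_log_summary() {
    grep -v '^debug[0-9]*: '
}

# Run BATCHFILE against HOST, writing the -v output to LOGFILE.
# Returns sftp's exit status, or 2 when it exited 0 yet the log shows an error.
# Usage: run_sftp_batch HOST BATCHFILE LOGFILE
run_sftp_batch() {
    host=$1 batch=$2 log=$3
    if "$SFTP" -v -oBatchMode=yes -b "$batch" "$host" 2>"$log"; then
        status=0
    else
        status=$?
    fi
    if [ "$status" -eq 0 ] && sftp_log_has_error <"$log"; then
        status=2
    fi
    return "$status"
}

# Constructed excerpt of a debug log like the one in the report (not real output).
SAMPLE_LOG="debug1: Authentication succeeded (publickey).
Couldn't stat remote file: No such file or directory
File \"/var/log/testlog/test_log/test_log_2003-04-08.log\" not found.
debug1: Exit status 0"

# Command-line use: HOST BATCHFILE LOGFILE; prints the log summary and exits
# with the status computed above, so a calling script or cron job sees failures.
if [ $# -eq 3 ]; then
    run_sftp_batch "$1" "$2" "$3"
    rc=$?
    sftp_log_summary <"$3"
    exit "$rc"
fi
```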
From: v_t_m at seznam.cz (=?iso-8859-2?Q?V=E1clav=20Tomec?=)
Date: Wed, 09 Apr 2003 19:35:27 +0200 (CEST)
Subject: =?iso-8859-2?Q?SecurID=20authentication?=
Message-ID: <10260.23092-3764-1308607147-1049909727@seznam.cz>

Hello all,

SecurID authentication for OpenSSH 3.6.1p1 is now available at http://sweb.cz/v_t_m/

Vaclav

From libove at felines.org Thu Apr 10 04:16:21 2003
From: libove at felines.org (Jay Libove)
Date: Wed, 9 Apr 2003 14:16:21 -0400 (EDT)
Subject: OpenSSH 3.6.1p1 on NCR MP-RAS v4.3, several weird terminal problems
In-Reply-To:
References:
Message-ID:

I tried the suggested config.h modification of

#define STREAMS_PUSH_ACQUIRES_CTTY 1

.. and it seems to have fixed all of the problems that I reported below (^C killing the session, logging out not fully closing the connection, lack of job control, and command line pipes being broken).

So, in addition to the one includes.h diff that I included below to get the SSH rand helper to compile (or something prettier that accomplishes the same effect), something needs to add STREAMS_PUSH_ACQUIRES_CTTY for NCR MP-RAS systems.

`uname` output on this system is not very conclusive:

$ uname -a
dwtest905 SMP090-5 4.0 3.0 4400 Pentium III(TM)-ISA/PCI

This tells us the configured node name (dwtest905), something which is maybe a cluster name (SMP090-5), a release (4.0) and version (3.0), a hardware indicator (4400), and a processor/bus architecture (Pentium III(TM)-ISA/PCI). None of this screams "NCR", though the configure script seems to use the 4400 (as 3[34]00) as its indicator. Some better way of identifying the NCR MP-RAS platform might be in order too.

Thanks for the assistance!
-Jay Libove, CISSP
Delta Air Lines
libove at felines.org

On Tue, 8 Apr 2003, Jay Libove wrote:

> Date: Tue, 8 Apr 2003 14:24:10 -0400
> From: Jay Libove > To: openssh-unix-dev at mindrot.org > Subject: OpenSSH 3.6.1p1 on NCR MP-RAS v4.3, several weird terminal proble ms > > I compiled OpenSSH 3.6.1p1 on NCR MP-RAS v4.3 (or at least > "uname -a"'s output of 4.0.3.0 suggests v4.3, I'm not positive). > > I was able to compile zlib (1.1.4) and openssl (0.9.7a) with little > trouble. > > OpenSSH took hand-hacking the includes.h file as follows: > > diff -cr openssh-3.6.1p1/includes.h > openssh-3.6.1p1-customized/includes.h > *** openssh-3.6.1p1/includes.h Sun Oct 20 20:50:26 2002 > --- openssh-3.6.1p1-customized/includes.h Mon Apr 7 17:32:04 2003 > *************** > *** 104,110 **** > --- 104,114 ---- > #ifdef HAVE_SYS_TIME_H > # include /* For timersub */ > #endif > + #define _XOPEN_SOURCE > + #define _XOPEN_SOURCE_EXTENDED 1 > #include > + #undef _XOPEN_SOURCE_EXTENDED > + #undef _XOPEN_SOURCE > #ifdef HAVE_SYS_SELECT_H > # include > #endif > > Other than that, things *appeared* to compile and install fine. > > Then I logged in to this NCR MP-RAS machine using SSH (from Van Dyke's > SecureCRT v4.0.4) and saw this: > > $ man ls | more > Cannot reopen stdout: No such device or address > > $ PAGER=more > $ export PAGER > $ man ls > Cannot reopen stdout: No such device or address > Cannot reopen stdout: No such device or address > > > Even worse than the pipe problem: Control-C ANYWHERE - at the command > prompt, while a command is running, inside 'vi', anywhere - will kill > the > SSH connection completely! Ick... > > $ ssh -l username MP-RAS_host > username at MP-RAS_host's password: ******** > > $ ^C > Connection to MP-RAS_host closed by remote host. Connection to > MP-RAS_host > closed. > > > One more thing: on exiting the shell normally (pressing Control-D), the > SSH session does not fully close; I see "^D" displayed in the remote > shell > and the shell has exited, but the actual remote connection from the SSH > client to the SSH server remains open until killed. 
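Review bot: the hunk sets _XOPEN_SOURCE and _XOPEN_SOURCE_EXTENDED immediately before a single #include and undefines them right after it, but feature-test macros only take effect if they are set before the first system header is read, and this block has already included sys/time.h a few lines above; if that header (or an earlier one) already pulled in the header being wrapped, its include guard turns the wrapped #include into a no-op and the defines do nothing, and if it did not, the wrapped header now sees a different feature level than every other header in the build, which is how inconsistent declarations arise. The change is also applied unconditionally to every platform rather than only NCR MP-RAS; a platform-conditional define in defines.h or a -D added by configure would be the cleaner route, the same way Jay's reply above asks for STREAMS_PUSH_ACQUIRES_CTTY to be supplied for this platform. The header name after the wrapped #include is missing from the quoted lines, so the patch as shown cannot be applied without consulting the original file.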
>
> $ ssh -l username MP-RAS_host
> username at MP-RAS_host's password: ********
>
> $ ^D
> there
> for longer than I'm willing to be patient, until I enter ~. to close
> it manually>
>
>
> There's no job control when logged in under SSH:
>
> $ ed
> ^Z
> ?
> q
> $
>
> .. as compared to under telnet:
>
> $ ed
> ^Z
> [1] + Stopped
> $ fg
> ed
> q
> $
>
>
>
> I logged in with telnet in another session (also from SecureCRT v4.0.4)
> and compared some things:
>
> * /dev/pts/xx have the same owner, group, and modes in the two sessions
> * environments differ slightly:
>   + Only the telnet session has
>     HZ=100
>     TIMEOUT=0
>   + The PATH is slightly different, with the SSH session adding the
>     binary directory where OpenSSH is installed (/opt/openssh/bin),
>     and also inserting /bin (which the telnet session lacked)
>     SSH:    PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/openssh/bin:/usr/ccs/bin
>     Telnet: PATH=/usr/bin:/usr/sbin:/usr/ccs/bin
>   + Only the SSH session contains:
>     SSH_TTY=/dev/pts/xx
>     SSH_CONNECTION="srcIP srcport dstIP dstport"
>     SSH_CLIENT="srcIP srcport dstport"
>     USER=jlibove
>   + The MAIL variable in the SSH session has an extra '/' in it:
>     MAIL=/var/mail//jlibove
>     compared to the telnet session
>     MAIL=/var/mail/jlibove
>
> None of these seem critical, though the MAIL setting does imply some
> additional misunderstanding of NCR MP-RAS' peculiarities by the
> OpenSSH code.
>
> I compared the output of "stty -a", and found the only difference to be
> that the telnet session thought of itself as being on a 9600 baud
> terminal, while the SSH session thought of itself as 38400 baud.
> > $ stty -a > speed 38400 baud; > rows = 34; columns = 80; ypixels = 0; xpixels = 0; > intr = ^c; quit = ^|; erase = ^h; kill = ^u; > eof = ^d; eol = ; eol2 = ; swtch = ; > start = ^q; stop = ^s; susp = ^z; dsusp = ; > rprnt = ^r; flush = ^o; werase = ^w; lnext = ^v; > -parenb -parodd cs8 -cstopb hupcl cread -clocal -loblk -parext > -ignbrk brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl -iuclc > ixon -ixany -ixoff -imaxbel > isig icanon -xcase echo echoe echok -echonl -noflsh > -tostop echoctl -echoprt echoke -defecho -flusho -pendin iexten > opost -olcuc onlcr -ocrnl -onocr -onlret -ofill -ofdel tab3 > > > > I have confirmed that these same problems occur when the client is > OpenSSH v3.1p1 on a Linux machine, so it is not related to the SecureCRT > client - it is definitely the way the OpenSSH code compiles/runs on the > NCR MP-RAS server. > > > Ideas and previous experience in getting OpenSSH to work correctly on > NCR > MP-RAS will be most welcome! > > Thanks > -Jay Libove, CISSP > libove at felines.org > From mouring at etoh.eviladmin.org Thu Apr 10 04:41:18 2003 
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 9 Apr 2003 13:41:18 -0500 (CDT)
Subject: IRIX compilation and openbsd-compat/basename.h
In-Reply-To: <20030409155323.GA72638@spuckler.il.thewrittenword.com>
Message-ID:

[..]
> > This is not right... Nor has any other solution I've seen is right.
> >
> > basename needs to be checked in multiple places.  We need to check libc
> > and gen at this point.
> >
> > Otherwise it will break for other platforms.
>
> AC_SEARCH_LIBS checks first with no libraries, then iterates over the
> list of libraries contained in the 2nd argument.
>
> The above patch compiles fine on Solaris 2.5.1-9/SPARC, IRIX 6.5,
> HP-UX 10.20-11i, Tru64 UNIX 4.0D, 5.1, AIX 4.3.2, AIX 5.1, and Redhat
> Linux 7.1.
>

However, if it exists in -lgen and we don't ensure that libgen is included
(we are lucky right now because other stuff drags libgen in) or it is a
hardcoded requirement.

I'm saying the solution above is wrong because it is incomplete.  It does
not ensure we have libgen in the LIB=.  =)

Just because things work doesn't make them totally correct.

- Ben

From openssh-unix-dev at thewrittenword.com Thu Apr 10 04:55:05 2003
From: openssh-unix-dev at thewrittenword.com (Albert Chin)
Date: Wed, 9 Apr 2003 13:55:05 -0500
Subject: IRIX compilation and openbsd-compat/basename.h
In-Reply-To:
References: <20030409155323.GA72638@spuckler.il.thewrittenword.com>
Message-ID: <20030409185505.GA79040@spuckler.il.thewrittenword.com>

On Wed, Apr 09, 2003 at 01:41:18PM -0500, Ben Lindstrom wrote:
> [..]
> > > This is not right... Nor has any other solution I've seen is right.
> > >
> > > basename needs to be checked in multiple places.  We need to check libc
> > > and gen at this point.
> > >
> > > Otherwise it will break for other platforms.
> >
> > AC_SEARCH_LIBS checks first with no libraries, then iterates over the
> > list of libraries contained in the 2nd argument.
> >
> > The above patch compiles fine on Solaris 2.5.1-9/SPARC, IRIX 6.5,
> > HP-UX 10.20-11i, Tru64 UNIX 4.0D, 5.1, AIX 4.3.2, AIX 5.1, and Redhat
> > Linux 7.1.
> >
>
> However, if it exists in -lgen and we don't ensure that libgen is included
> (we are lucky right now because other stuff drags libgen in) or it is
> a hardcoded requirement.
>
> I'm saying the solution above is wrong because it is incomplete.  It does
> not ensure we have libgen in the LIB=.

AC_SEARCH_LIBS will add "-l[lib]" to LIBS.

--
albert chin (china at thewrittenword.com)

From markus at openbsd.org Thu Apr 10 07:08:07 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 9 Apr 2003 23:08:07 +0200
Subject: SecurID authentication
In-Reply-To: <10260.23092-3764-1308607147-1049909727@seznam.cz>
References: <10260.23092-3764-1308607147-1049909727@seznam.cz>
Message-ID: <20030409210807.GC27249@folly>

hi,

why don't you use the kbd-interactive framework?
see auth-bsdauth.c and auth-skey.c

is there something missing in the framework?

On Wed, Apr 09, 2003 at 07:35:27PM +0200, Václav Tomec wrote:
> Hello all,
>
> SecurID authentication for OpenSSH 3.6.1p1 is now available at
> http://sweb.cz/v_t_m/
>
>
> Vaclav
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From dtucker at zip.com.au Thu Apr 10 10:18:14 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 10 Apr 2003 10:18:14 +1000
Subject: OpenSSH 3.6.1p1 on NCR MP-RAS v4.3, several weird terminal problems
References:
Message-ID: <3E94B846.4E4BE7CA@zip.com.au>

Jay Libove wrote:
> I tried the suggested config.h modification of
>
> #define STREAMS_PUSH_ACQUIRES_CTTY 1
>
> .. and it seems to have fixed all of the problems that I reported below
> (^C killing the session, logging out not fully closing the connection,
> lack of job control, and command line pipes being broken).

This means that MP-RAS somehow re-acquires a controlling terminal after
forking and calling setsid() the first time.

In the Solaris case, a bug in the pty driver caused it to happen when
pushing a STREAMS module (hence the #define name).  Linux/glibc5 has the
same symptoms but it doesn't have STREAMS so it must be acquiring it some
other way (not honouring O_NOCTTY maybe?)

What can you tell us about MP-RAS?  Is it a SysV derivative?

Should we just change the define to HAVE_BROKEN_O_NOCTTY.  We could have
configure do a run-time test for it but it'd need a lot of the code from
pty_allocate().

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From bugzilla-daemon at mindrot.org Thu Apr 10 10:34:30 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 10 Apr 2003 10:34:30 +1000 (EST)
Subject: [Bug 542] OpenSSH 3.6.1p1 - sftp exit codes and improved logging for scripting
Message-ID: <20030410003430.5F2DA94299@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=542

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From djm at mindrot.org  2003-04-10 10:34 -------
RTFM (sftp manpage in this case):

     -b batchfile
             Batch mode reads a series of commands from an input batchfile
             instead of stdin.  Since it lacks user interaction it should be
             used in conjunction with non-interactive authentication.  sftp
             will abort if any of the following commands fail: get, put,
             rename, ln, rm, mkdir, chdir, ls, lchdir, chmod, chown, chgrp,
             lpwd and lmkdir.  Termination on error can be suppressed on a
             command by command basis by prefixing the command with a '-'
             character (For example, -rm /tmp/blah* ).

And yes, -DTRACE=log in sftp-server will give you more logging.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 10 10:47:07 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 10 Apr 2003 10:47:07 +1000 (EST)
Subject: [Bug 512] Hostbased authentication bypass PAM
Message-ID: <20030410004707.C7606942A6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=512

yaccck at yahoo.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID
            Summary|Hostbased authentication    |Hostbased authentication
                   |bypass PAM                  |bypass PAM

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From yaccck at yahoo.com Thu Apr 10 11:38:34 2003
From: yaccck at yahoo.com (yack)
Date: Wed, 9 Apr 2003 18:38:34 -0700 (PDT)
Subject: sshd and pam , conversation
Message-ID: <20030410013834.39839.qmail@web41304.mail.yahoo.com>

I have setup openssh with hostbased authentication on linux (redhat).
I want to allow/deny users based on a listfile, so I have a PAM module
that does that, and it runs in the "account" section (opposed to
pam_listfile.so, that uses the "auth" section - it wouldn't work because
with hostbased authentication openssh ignores the "auth" section).

It's working perfectly, but I also want to display a message to those
users that are denied login, so I modified pam_motd to work in the
"account" section, but I can't get the message to be printed.  I can't
make pam_motd work in the "session" section either.

There's a section:

    /* declarations implied by the calls below */
    struct pam_message message;
    const struct pam_message *pmessage = &message;
    struct pam_response *resp = NULL;
    const struct pam_conv *conversation;

    message.msg_style=PAM_TEXT_INFO;
    message.msg="blahblah..";
    pam_get_item(pamh,PAM_CONV,(const void **)&conversation);
    conversation->conv(1,&pmessage,&resp,conversation->appdata_ptr);

etc.  but apparently it's ignored by PAM, any ideas?

From dtucker at zip.com.au Thu Apr 10 15:41:58 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 10 Apr 2003 15:41:58 +1000
Subject: OpenSSH compilation in AIX
References: <200304071337.07351.philipp.marek@bmlv.gv.at> <3E922D97.C4FBA1A7@zip.com.au> <200304090930.03299.philipp.marek@bmlv.gv.at>
Message-ID: <3E950426.769D1BEB@zip.com.au>

"Ph. Marek" wrote:
> > If those two things don't work please send me the config.h and
> > config.log files generated by running "configure" and the output of
> > "oslevel".
> oslevel: 4.2.1.0
>
> config.h is attached.

I compared your vanilla config.h to one generated on my working machine.
The main differences I can see are:

You have the following headers which I don't have:

My machine has this that yours doesn't:
(this is owned by the bos.adt.include fileset).

I also vaguely recall having linker problems with 4.2.1.0.

I suggest:
a) Upgrading the bos.rte.bind_cmds fileset [1] and possibly the bos.adt
   filesets.
b) Finding and renaming those extra headers
c) Reinstalling the bos.adt.* filesets.

-Daz.
[1] ftp://service.software.ibm.com/aix/fixes/v4/os/bos.rte.bind_cmds.4.2.1.11.bff Here are my relevant fileset levels: $ lslpp -l |egrep 'bos\.adt|bind_cmd' bos.adt.base 4.2.1.10 COMMITTED Base Application Development bos.adt.debug 4.2.1.0 COMMITTED Base Application Development bos.adt.graphics 4.2.1.4 COMMITTED Base Application Development bos.adt.include 4.2.1.25 COMMITTED Base Application Development bos.adt.lib 4.2.1.2 COMMITTED Base Application Development bos.adt.libm 4.2.1.1 COMMITTED Base Application Development bos.adt.prof 4.2.1.26 COMMITTED Base Profiling Support bos.adt.prt_tools 4.2.0.0 COMMITTED Printer Support Development bos.adt.samples 4.2.1.0 COMMITTED Base Operating System Samples bos.adt.sccs 4.2.0.0 COMMITTED SCCS Application Development bos.adt.syscalls 4.2.1.7 COMMITTED System Calls Application bos.adt.utils 4.2.1.2 COMMITTED Base Application Development bos.rte.bind_cmds 4.2.1.11 COMMITTED Binder and Loader Commands bos.adt.data 4.2.0.0 COMMITTED Base Application Development $ diff -b -B -d -u working-config.h broken-config.h [snip] /* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_BITYPES_H */ +#define HAVE_SYS_BITYPES_H 1 /* Define to 1 if you have the header file. */ /* #undef HAVE_SYS_BSDTTY_H */ /* Define to 1 if you have the header file. */ -/* #undef HAVE_SYS_CDEFS_H */ +#define HAVE_SYS_CDEFS_H 1 /* Define to 1 if you have the header file. */ #define HAVE_SYS_MMAN_H 1 @@ -803,7 +803,7 @@ #define HAVE_SYS_SELECT_H 1 /* Define to 1 if you have the header file. */ -#define HAVE_SYS_STAT_H 1 +/* #undef HAVE_SYS_STAT_H */ /* Define to 1 if you have the header file. */ #define HAVE_SYS_STROPTS_H 1 -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From vherva at niksula.hut.fi Thu Apr 10 20:48:20 2003 
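Review bot: the line to chase in the second hunk is `-#define HAVE_SYS_STAT_H 1` / `+/* #undef HAVE_SYS_STAT_H */`: configure on the broken machine reports a standard header as unavailable, and since the file itself is present on any AIX install, that means configure's compile test for it failed rather than the file being missing, so the config.log entry for that test should contain the real compiler error. The two headers only the broken machine defines (`+#define HAVE_SYS_BITYPES_H 1`, `+#define HAVE_SYS_CDEFS_H 1`) are the other side of the same picture and are worth listing by path before renaming anything, so the diff of the two config.h files can be tied back to which include directory they came from.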
From: vherva at niksula.hut.fi (Ville Herva)
Date: Thu, 10 Apr 2003 13:48:20 +0300
Subject: Anti-idle in OpenSSH client?
In-Reply-To: <20030407155747.GB18625@folly>
References: <3E919971.476434A2@zip.com.au> <20030407155747.GB18625@folly>
Message-ID: <20030410104820.GB412903@niksula.cs.hut.fi>

On Mon, Apr 07, 2003 at 05:57:47PM +0200, you [Markus Friedl] wrote:
> On Tue, Apr 08, 2003 at 01:29:53AM +1000, Darren Tucker wrote:
> > The fact that there's several different implementations out there
> > certainly shows that there's a need for it.
>
> i plan to add sshd's ClientAliveInterval to ssh, using ignore
> messages instead of channel requests.

What about the randomness?  Isn't there some information exposed currently
as to at what time and how many times the user for example presses keys?
I think there was a proposed attack to record the relative timing of
packets sent by ssh after each key press and to use that information to
analyze what kind of password the user might have typed.  Inserting random
traffic to the stream might mitigate this information leak?  Or has this
been handled by other means?

-- v -- v at iki.fi

From vherva at niksula.hut.fi Thu Apr 10 20:52:47 2003
From: vherva at niksula.hut.fi (Ville Herva)
Date: Thu, 10 Apr 2003 13:52:47 +0300
Subject: 3.6.1p1 SRPMS?
Message-ID: <20030410105247.GC412903@niksula.cs.hut.fi>

Are there plans to release a source RPM of 3.6.1p1?  The latest at

  ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/SRPMS/

is 3.5p1-1...

thanks,

-- v -- v at iki.fi

From john.tackman at hex.fi Wed Apr 9 17:53:45 2003
From: john.tackman at hex.fi (John Tackman)
Date: Wed, 9 Apr 2003 10:53:45 +0300
Subject: installation problems v 5.6.1
Message-ID:

Dear Alf,

> please, I'm trying to install the newest version of ssh, but I fail
> every time (see the output below) :
> the output of the configure complained, that there's no openssl, but I
> installed openssl before:
> configure: WARNING: stddef.h: present but cannot be compiled
> configure: WARNING: stddef.h: check for missing prerequisite headers?
> configure: WARNING: stddef.h: proceeding with the
> checking whether snprintf correctly terminates long strings... no
> configure: WARNING: ****** Your snprintf() function is broken, complain
> to your vendor
> configure: error: *** Can't find recent OpenSSL libcrypto (see
> config.log for details) ***

Ok, you have a couple of possibilities here.  OpenSSH seems to be a bit
picky about how the binutils package works; I recently ran into a problem
where:

a) OpenSSH 3.4p1 and 3.5p1 would not accept OpenSSL 0.9.7a but happily
   accepted 0.9.6i
b) OpenSSH accepted no version of OpenSSL since it was compiled with a
   broken binutils package

So, if you are installing from binary rpm packages, you might want to try
the latest OpenSSH and OpenSSL and see if that works.  If not, then try the
latest OpenSSH and OpenSSL source packages but compile them AFTER you have
made sure your binutils (ld, ar, as etc) are up to date as well as gcc (I
got it working with binutils-030327 and gcc-3.2.2, then compiled OpenSSL
0.9.7a and then OpenSSH 3.5p1).

My system was a Solaris 8 running on sparc; the config.log that's mentioned
in the OpenSSL message was warning about ELF being faulty, and this led me
onto the binutils package.

--
John

This transmission is intended only for the individual or entity to which
it is addressed.  The message may contain information that is private and
confidential.
If the reader of this message is not the intended recipient or the
employee or agent responsible for delivering the message to the intended
recipient, you are hereby notified that any distribution, dissemination
or copying of this message is strictly prohibited.  If you have received
this message in error, please notify the sender immediately by returning
the e-mail and delete the original message.  Thank You.  The content of
this message is not given or endorsed by HEX.  HEX reserves the right to
monitor all e-mail communications through its networks.  The attachments
have been scanned for viruses prior to leaving our e-mail server.  HEX
shall not be liable for any consequences of any virus being passed on.

From fcusack at fcusack.com Fri Apr 11 05:43:08 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Thu, 10 Apr 2003 12:43:08 -0700
Subject: sshd and pam , conversation
In-Reply-To: <20030410013834.39839.qmail@web41304.mail.yahoo.com>; from yaccck@yahoo.com on Wed, Apr 09, 2003 at 06:38:34PM -0700
References: <20030410013834.39839.qmail@web41304.mail.yahoo.com>
Message-ID: <20030410124308.A30875@google.com>

On Wed, Apr 09, 2003 at 06:38:34PM -0700, yack wrote:
> denied login, so i modified pam_motd to work
> in "account" section, but i can't get the
> message to be printed.

First of all, wrong list.  You want the linux-pam or some other pam list.

To answer your question, only the auth module can show messages to the user.

/fc

From Jay.Libove at delta.com Fri Apr 11 06:33:24 2003
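The conversation mechanism that yack's fragment and Frank's answer above both turn on, as an added example written for this thread (it is not code from Linux-PAM, from sshd or from the poster's module): a module-side helper that hands one PAM_TEXT_INFO line to whatever conversation function the application installed, paired with a constructed conversation function standing in for the application that records what it was given, so the exchange can be run and checked offline. The struct and constant definitions mirror Linux-PAM's public headers so the file builds without libpam installed; the helper names, the recorder type and the message text are mine.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal mirror of the Linux-PAM conversation types and constants, so the
 * example builds without libpam.  Assumption: these match the definitions in
 * <security/pam_appl.h> / <security/pam_modules.h>. */
#define PAM_SUCCESS    0
#define PAM_TEXT_INFO  4
#define PAM_CONV_ERR  19

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int num_msg, const struct pam_message **msg,
                struct pam_response **resp, void *appdata_ptr);
    void *appdata_ptr;
};

/* Module side: the complete form of the fragment in the question.  The
 * messages are passed as an array of pointers, and any response array the
 * application allocates belongs to the caller, who must free it. */
int send_text_info(const struct pam_conv *conv, const char *text)
{
    struct pam_message msg = { PAM_TEXT_INFO, text };
    const struct pam_message *pmsg[1] = { &msg };
    struct pam_response *resp = NULL;

    if (conv == NULL || conv->conv == NULL)
        return PAM_CONV_ERR;
    int rc = conv->conv(1, pmsg, &resp, conv->appdata_ptr);
    if (resp != NULL) {
        free(resp[0].resp);
        free(resp);
    }
    return rc;
}

/* Application side (constructed stand-in for sshd): records the last
 * PAM_TEXT_INFO line instead of writing it to the client. */
struct recorder { char last_info[128]; int calls; };

static int recording_conv(int num_msg, const struct pam_message **msg,
                          struct pam_response **resp, void *appdata_ptr)
{
    struct recorder *rec = appdata_ptr;
    if (num_msg <= 0)
        return PAM_CONV_ERR;
    /* One response slot per message, as the PAM contract requires, even
     * though informational messages carry no answer (resp stays NULL). */
    struct pam_response *out = calloc((size_t)num_msg, sizeof *out);
    if (out == NULL)
        return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        rec->calls++;
        if (msg[i]->msg_style == PAM_TEXT_INFO) {
            strncpy(rec->last_info, msg[i]->msg, sizeof rec->last_info - 1);
            rec->last_info[sizeof rec->last_info - 1] = '\0';
        }
    }
    *resp = out;
    return PAM_SUCCESS;
}

/* Drive the exchange end to end and return the text the application saw
 * (constructed denial message; empty string if the conversation failed). */
const char *demo_denied_message(struct recorder *rec)
{
    memset(rec, 0, sizeof *rec);
    struct pam_conv conv = { recording_conv, rec };
    if (send_text_info(&conv, "Access denied: not in allowed-users list") != PAM_SUCCESS)
        return "";
    return rec->last_info;
}
```

The point the example makes is that the module only requests delivery: conv() is the application's function, so whether the text reaches the remote user depends entirely on the application having a live conversation function at the point in the stack where the module runs, which is where the question above sits.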
From: Jay.Libove at delta.com (Libove, Jay)
Date: Thu, 10 Apr 2003 16:33:24 -0400
Subject: OpenSSH 3.6.1p1 on NCR MP-RAS v4.3, several weird terminal problems
Message-ID: <39DD1A44A9048A45AE2FD75DE9909B8E92DBBC@satlrccdlmb02.delta.rl.delta.com>

Hi Darren -

Cc: list -

There's not much that I can tell you about NCR MP-RAS, other than that it
is a SysV r4.3 derivative, and the hardest UNIX to port to that I've
encountered since my Xenix 286 days.

Here is an excerpt from the setsid() manual page:

    WARNING
      If the calling process is the last member of a pipeline started by a
      job control shell, the shell may make the calling process a process
      group leader.  The other processes of the pipeline become members of
      that process group.  In this case, the call to setsid will fail.  For
      this reason, a process that calls setsid and expects to be part of a
      pipeline should always first fork; the parent should exit and the
      child should call setsid, thereby insuring that the process will work
      reliably when started by both job control shells and non-job control
      shells.

I noticed in sshpty.c that the call to setsid() follows a section which
will call ioctl(fd, TIOCNOTTY, NULL) #ifdef TIOCNOTTY.  Looking in
/usr/include/sys/*.h I find that termios.h and ttold.h #define TIOCNOTTY.
termios.h will only #define TIOCNOTTY if all three of _SYS_TTOLD_H,
_POSIX_SOURCE, and _XOPEN_SOURCE are not defined.  ttold.h will only
#define TIOCNOTTY if _SYS_TERMIOS_H is not defined.  I do see termios.h
included in the compile on this platform.  I do not see ttold.h included.
Therefore, I assume that the section in sshpty.c which would call ioctl()
with TIOCNOTTY is NOT being executed.

I did a test by commenting out the #ifdef TIOCNOTTY to ensure that the
ioctl() call does happen, and took out the #define
STREAMS_PUSH_ACQUIRES_CTTY.  It did not fix the problem, so calling or not
calling the ioctl() with TIOCNOTTY doesn't affect this problem.  (Just
casting about here).
Regarding O_NOCTTY, the man page for open() describes O_NOCTTY as:

    O_NOCTTY
      If set and the file is a terminal, the terminal will not be allocated
      as the calling process's controlling terminal.

If you have any specific questions regarding the platform, I'm happy to dig
in manual pages, run tests, and report back.

-Jay

-----Original Message-----
From: Darren Tucker [mailto:dtucker at zip.com.au]
Sent: Wednesday, April 09, 2003 20:18
To: Jay Libove
Cc: openssh-unix-dev at mindrot.org
Subject: Re: OpenSSH 3.6.1p1 on NCR MP-RAS v4.3, several weird terminal problems

Jay Libove wrote:
> I tried the suggested config.h modification of
>
> #define STREAMS_PUSH_ACQUIRES_CTTY 1
>
> .. and it seems to have fixed all of the problems that I reported below
> (^C killing the session, logging out not fully closing the connection,
> lack of job control, and command line pipes being broken).

This means that MP-RAS somehow re-acquires a controlling terminal after
forking and calling setsid() the first time.

In the Solaris case, a bug in the pty driver caused it to happen when
pushing a STREAMS module (hence the #define name).  Linux/glibc5 has the
same symptoms but it doesn't have STREAMS so it must be acquiring it some
other way (not honouring O_NOCTTY maybe?)

What can you tell us about MP-RAS?  Is it a SysV derivative?

Should we just change the define to HAVE_BROKEN_O_NOCTTY.  We could have
configure do a run-time test for it but it'd need a lot of the code from
pty_allocate().

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From tim at multitalents.net Fri Apr 11 07:42:01 2003
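The run-time test Darren floats above, built around the O_NOCTTY semantics Jay quotes from the open() man page, as an added example that is not part of the thread or of the OpenSSH tree: the probe forks, calls setsid() so the child is a session leader with no controlling terminal (the state sshd is in when it opens the slave), opens a freshly allocated pty slave with or without O_NOCTTY, and reports whether that open made the slave the controlling terminal. The pty comes from the POSIX posix_openpt()/grantpt()/unlockpt() calls rather than pty_allocate()'s platform cases; the function name and its return-code convention are mine.

```c
#define _XOPEN_SOURCE 600
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* In a fresh session with no controlling terminal, open a pty slave and
 * report whether it became the controlling terminal of the opener.
 *   use_noctty: pass O_NOCTTY on the open(), as sshd's pty code does.
 * Returns 1 if the terminal was acquired, 0 if it was not, and -1 if the
 * probe could not run (no pty support, fork or setsid failure).
 * Exit-code convention for the child is this example's own: 0/1 as above,
 * 2 for "probe could not run". */
int probe_ctty_after_open(int use_noctty)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: new session, so no controlling terminal is inherited. */
        if (setsid() < 0)
            _exit(2);
        int master = posix_openpt(O_RDWR | O_NOCTTY);
        if (master < 0 || grantpt(master) < 0 || unlockpt(master) < 0)
            _exit(2);
        const char *name = ptsname(master);
        if (name == NULL)
            _exit(2);

        int flags = O_RDWR | (use_noctty ? O_NOCTTY : 0);
        int slave = open(name, flags);
        if (slave < 0)
            _exit(2);

        /* tcgetpgrp() only succeeds when fd is the caller's controlling
         * terminal; on any other terminal it fails with ENOTTY.  That is a
         * direct test of whether the open() above allocated the tty to us. */
        int acquired = (tcgetpgrp(slave) >= 0) ? 1 : 0;
        _exit(acquired);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 2 ? -1 : code;
}

int main(void)
{
    int with_noctty = probe_ctty_after_open(1);
    int plain_open  = probe_ctty_after_open(0);

    printf("open(O_NOCTTY) left the process without a ctty: %s\n",
           with_noctty == 0 ? "yes" : with_noctty == 1 ? "NO (O_NOCTTY not honoured)" : "unknown");
    printf("open() without O_NOCTTY acquired the ctty:      %s\n",
           plain_open == 1 ? "yes" : plain_open == 0 ? "no" : "unknown");
    /* Non-zero exit marks the HAVE_BROKEN_O_NOCTTY case for a configure script. */
    return with_noctty == 1;
}
```

On a platform that honours O_NOCTTY the first probe returns 0 and the second 1; a platform where the first probe also returns 1 is the case Darren proposes naming HAVE_BROKEN_O_NOCTTY. The probe covers only the open() path, so it would not reproduce the Solaris STREAMS-push case unless the child also pushed the modules pty_allocate() does.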
From: tim at multitalents.net (Tim Rice)
Date: Thu, 10 Apr 2003 14:42:01 -0700 (PDT)
Subject: OpenSSH 3.6.1p1 on NCR MP-RAS v4.3, several weird terminal problems
In-Reply-To: <39DD1A44A9048A45AE2FD75DE9909B8E92DBBC@satlrccdlmb02.delta.rl.delta.com>
References: <39DD1A44A9048A45AE2FD75DE9909B8E92DBBC@satlrccdlmb02.delta.rl.delta.com>
Message-ID:

On Thu, 10 Apr 2003, Libove, Jay wrote:

> Hi Darren -
>
> Cc: list -
>
> There's not much that I can tell you about NCR MP-RAS, other than that
> it is a SysV r4.3 derivative, and the hardest UNIX to port to that I've
               ^^^^

I think you will find it's really a SysV 4.0 derivative and therefore
shares much code with Solaris (also a SysV 4.0 derivative).

Check uname -r

--
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From vherva at niksula.hut.fi Fri Apr 11 16:31:39 2003
From: vherva at niksula.hut.fi (Ville Herva)
Date: Fri, 11 Apr 2003 09:31:39 +0300
Subject: 3.6.1p1 SRPMS?
In-Reply-To: <20030410105247.GC412903@niksula.cs.hut.fi>
References: <20030410105247.GC412903@niksula.cs.hut.fi>
Message-ID: <20030411063139.GD412903@niksula.cs.hut.fi>

On Thu, Apr 10, 2003 at 01:52:47PM +0300, you [Ville Herva] wrote:
> Are there plans to release a source RPM of 3.6.1p1?  The latest at
>
>   ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/SRPMS/
>
> is 3.5p1-1...

As a couple of people pointed out to me, the tar.gz does include .spec, so
src.rpm is easy to build with rpm -ba (worked for me).  It'd still be nice
to have the src.rpm on the ftp site for completeness.

-- v -- v at iki.fi

From openssh at roumenpetrov.info Fri Apr 11 17:12:21 2003
From: openssh at roumenpetrov.info (openssh at roumenpetrov.info)
Date: Fri, 11 Apr 2003 10:12:21 +0300
Subject: 3.6.1p1 SRPMS?
References: <20030410105247.GC412903@niksula.cs.hut.fi> <20030411063139.GD412903@niksula.cs.hut.fi>
Message-ID: <3E966AD5.5010909@roumenpetrov.info>

Ville Herva wrote:
> On Thu, Apr 10, 2003 at 01:52:47PM +0300, you [Ville Herva] wrote:
>
>> Are there plans to release a source RPM of 3.6.1p1?  The latest at
>>
>>   ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/SRPMS/
>>
>> is 3.5p1-1...
>>
> As a couple of people pointed out to me, the tar.gz does include .spec, so
> src.rpm is easy to build with rpm -ba (worked for me).  It'd still be nice to
> have the src.rpm on the ftp site for completeness.
>

I'm not sure, but the source rpm might have to be different for most Linux
distributions and versions, i.e. the spec file is not portable.
As an example, the SuSE src rpm contains x11-ssh-askpass and ... ;-)

From philipp.marek at bmlv.gv.at Fri Apr 11 19:37:15 2003
From: philipp.marek at bmlv.gv.at (Ph. Marek)
Date: Fri, 11 Apr 2003 11:37:15 +0200
Subject: OpenSSH compilation in AIX
In-Reply-To: <3E93DA32.46E9F37C@zip.com.au>
References: <200304071337.07351.philipp.marek@bmlv.gv.at> <200304091023.47234.philipp.marek@bmlv.gv.at> <3E93DA32.46E9F37C@zip.com.au>
Message-ID: <200304111137.16078.philipp.marek@bmlv.gv.at>

> The only problem I've had with gcc v3 is Perl.  2.95 should be fine for
> OpenSSH.

I found the problem.

I've got some files in /usr/local/include - eg an arpa/inet.h, which had a

    #define inet_ntoa __inet_ntoa

in it.

After using

    CFLAGS=-I/usr/include ./configure ...

to move /usr/include to a higher priority it compiled without problem.

Thank you for your help!

Regards,

Phil

From bugzilla-daemon at mindrot.org Fri Apr 11 20:16:07 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 11 Apr 2003 20:16:07 +1000 (EST)
Subject: [Bug 536] no access to tty on Linux 2.0 and 2.4+libc5
Message-ID: <20030411101607.E9C949420A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=536

------- Additional Comments From afuerst at cogidata.com  2003-04-11 20:16 -------
* This error also happens on Linux Kernel 2.2.22, glibc 2.3.1 with
  openssh-3.6p1 and openssh-3.6.1p1.  openssh-3.5p1 is the latest version
  running on this system.
* It happens with users with "bash" as default shell.
* sshd -d => works
* #define STREAMS_PUSH_ACQUIRES_CTTY 1 => works
* The workaround from "Frank Adelstein" does not work.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Bert.Deknuydt at esat.kuleuven.ac.be Fri Apr 11 21:45:06 2003
From: Bert.Deknuydt at esat.kuleuven.ac.be (Bert Deknuydt) Date: Fri, 11 Apr 2003 13:45:06 +0200 Subject: Patch for 'packet.c' in openssh-3.6.1p1 Message-ID: <16022.43714.279667.464980@gargle.gargle.HOWL> Hello, I just managed to compile openssh-3.6.1p1 on Ultrix/MIPS. One of the fixes needed for this is the following. It's because of: --- According to the Changelog - markus at cvs.openbsd.org 2002/12/10 19:26:50 [packet.c] move tos handling to packet_set_tos; ok provos/henning/deraadt --- This IP_TOS is now nicely stuffed in a function, but that function should be #defined away for systems without IP_TOS or with a broken implementation. Greetings, Bert diff -c packet.c packet.c.orig *** packet.c 2003-04-11 12:21:23.000000000 +0200 --- packet.c.orig 2003-04-11 13:31:58.000000000 +0200 *************** *** 1314,1321 **** return buffer_len(&output) < 128 * 1024; } - #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN) - static void packet_set_tos(int interactive) { --- 1314,1319 ---- *************** *** 1330,1336 **** tos, strerror(errno)); } - #endif /* Informs that the current session is interactive. Sets IP flags for that. * / --- 1328,1333 ---- -- -------------- eMail Bert.Deknuydt at esat.kuleuven.ac.be --------------- B.DeKnuydt, PSI-KULeuven Tel. +32-16-321880 Kasteelpark Arenberg 10 /| | || B-3001 Leuven-Heverlee _,_)| 4_|_|| FLANDERS, BELGIUM / . Fax. +32-16-321838 -------------- http://www.esat.kuleuven.ac.be/~deknuydt -------------- From john at scl.co.uk Fri Apr 11 21:50:19 2003 
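Review bot: the diff is taken with the modified file first (`diff -c packet.c packet.c.orig`), so it reads backwards: the `-` lines `#if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN)` and `#endif` are the additions being proposed, and anyone applying it needs `patch -R` or a regenerated diff in the usual original-then-modified order. The guard also compiles packet_set_tos() out of the translation unit entirely, but its caller in the function that follows the `#endif` (the one introduced by the "Informs that the current session is interactive" comment) is not in the hunk; unless that call is wrapped in the same condition, a build with IP_TOS_IS_BROKEN set fails on the undeclared function. Guarding only the setsockopt() body inside packet_set_tos() and leaving the function itself in place avoids touching the caller at all.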
From: john at scl.co.uk (John Sutton)
Date: Fri, 11 Apr 2003 12:50:19 +0100
Subject: session recovery on change of IP
Message-ID: <03041113311801.23378@diva.localdomain>

Hi there

Is it possible to configure ssh so that a session can continue/recover
after a change of IP?

I have a number of static IP dialup accounts and there is no problem using
these because when my dialup connection times out and later reconnects, it
gets the same IP and so any existing ssh sessions are unaffected.

However, these accounts with static IPs are metered (i.e. expensive ;-).
Much better are the unmetered (here in the UK, either FRIACO or Surftime)
dialups but these use dynamic IPs.  So after a timeout and reconnect,
existing sessions break ;-(

Any solution?

TIA

***************************************************
John Sutton
SCL Internet
URL http://www.scl.co.uk/
Tel. +44 (0) 1239 711 888
***************************************************

From markus at openbsd.org Fri Apr 11 23:05:57 2003
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 11 Apr 2003 15:05:57 +0200
Subject: session recovery on change of IP
In-Reply-To: <03041113311801.23378@diva.localdomain>
References: <03041113311801.23378@diva.localdomain>
Message-ID: <20030411130557.GA28316@folly>

you have to use some kind of ip tunneling, like ipsec or mobile ip.

On Fri, Apr 11, 2003 at 12:50:19PM +0100, John Sutton wrote:
> Hi there
>
> Is it possible to configure ssh so that a session can continue/recover
> after a change of IP?
>
> I have a number of static IP dialup accounts and there is no problem using
> these because when my dialup connection times out and later reconnects, it
> gets the same IP and so any existing ssh sessions are unaffected.
>
> However, these accounts with static IPs are metered (i.e. expensive ;-).
> Much better are the unmetered (here in the UK, either FRIACO or Surftime)
> dialups but these use dynamic IPs.  So after a timeout and reconnect,
> existing sessions break ;-(
>
> Any solution?
>
> TIA
>
> ***************************************************
> John Sutton
> SCL Internet
> URL http://www.scl.co.uk/
> Tel. +44 (0) 1239 711 888
> ***************************************************
>

From mouring at etoh.eviladmin.org Fri Apr 11 23:34:35 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Fri, 11 Apr 2003 08:34:35 -0500 (CDT) Subject: Patch for 'packet.c' in openssh-3.6.1p1 In-Reply-To: <16022.43714.279667.464980@gargle.gargle.HOWL> Message-ID: This has already been resolved in the --current tree. - Ben On Fri, 11 Apr 2003, Bert Deknuydt wrote: > > Hello, > > I just managed to compile openssh-3.6.1p1 on Ultrix/MIPS. One of the fixes > needed for this is the following. It's because of: > > --- According to the Changelog > - markus at cvs.openbsd.org 2002/12/10 19:26:50 > [packet.c] > move tos handling to packet_set_tos; ok provos/henning/deraadt > --- > > This IP_TOS is now nicely stuffed in a function, but that function should > be #defined away for systems without IP_TOS or with a broken implementation. > > Greetings, Bert > > diff -c packet.c packet.c.orig > *** packet.c 2003-04-11 12:21:23.000000000 +0200 > --- packet.c.orig 2003-04-11 13:31:58.000000000 +0200 > *************** > *** 1314,1321 **** > return buffer_len(&output) < 128 * 1024; > } > > - #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN) > - > static void > packet_set_tos(int interactive) > { > --- 1314,1319 ---- > *************** > *** 1330,1336 **** > tos, strerror(errno)); > } > > - #endif > > /* Informs that the current session is interactive. Sets IP flags for that. * / > > --- 1328,1333 ---- > > > -- > -------------- eMail Bert.Deknuydt at esat.kuleuven.ac.be --------------- > B.DeKnuydt, PSI-KULeuven Tel. +32-16-321880 > Kasteelpark Arenberg 10 /| | || > B-3001 Leuven-Heverlee _,_)| 4_|_|| > FLANDERS, BELGIUM / . Fax. +32-16-321838 > -------------- http://www.esat.kuleuven.ac.be/~deknuydt -------------- > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From john at scl.co.uk Fri Apr 11 23:32:03 2003 
From: john at scl.co.uk (John Sutton)
Date: Fri, 11 Apr 2003 14:32:03 +0100
Subject: session recovery on change of IP
In-Reply-To: <1050066010.30027.5.camel@imladris.demon.co.uk>
References: <03041113311801.23378@diva.localdomain> <1050066010.30027.5.camel@imladris.demon.co.uk>
Message-ID: <03041115133802.23378@diva.localdomain>

On Fri, 11 Apr 2003, David Woodhouse wrote:
> On Fri, 2003-04-11 at 12:50, John Sutton wrote:
> > Is it possible to configure ssh so that a session can continue/recover
> > after a change of IP?
>
> man screen
>
> Other than that, no.

I can't see how using screen gets me any further?  Surely screen just
allows multiple sessions multiplexed into one tty stream (badly put but I
think I know what I mean ;-).  End result will be that *all* the sessions
get broken on a change of IP?

> > Any solution?
>
> Avoid changing the IP address you use for the connection, by tunnelling
> from your dynamic dialup address to somewhere else, and effectively
> giving yourself a static IP address?

This is an intriguing notion...  Markus Friedl (see other post) has
suggested the same.  I have limited experience with tunnelling protocols
(I messed around with pptp between linux and windoze boxes some years ago)
but I can't immediately see how this could work.  Surely to set up an IP
tunnel of any sort you have got to have two "fixed" endpoints?

OTOH, I can see how you *might* have a "lightweight, non-encrypted"
tunnelling protocol which *is* impervious to change of IP.  Then you could
run an ssh session through this tunnel.  Quite how the server end of the
tunnel would recognise that this "new" connection was actually an existing
connection which had changed its IP and therefore be able to tie the 2 ends
back together, I don't know...

Does this make any sense?

> This is being sent from an unmetered static IP dialup in the UK though.
> Not that it's not expensive, mind you :)

How expensive is that?
The minimum I've found is ?51+vat per month (for 300 hours per month) single channel ISDN. I consider this *too* expensive so I've gone back to using a dynamic dialup for ?11+vat ;-( *************************************************** John Sutton SCL Internet URL http://www.scl.co.uk/ Tel. +44 (0) 1239 711 888 *************************************************** From schoolcrisis at cs.com Fri Apr 11 19:34:52 2003 From: schoolcrisis at cs.com (schoolcrisis at cs.com) Date: Fri, 11 Apr 2003 09:34:52 GMT Subject: American Flags, Pins, Stickers and more... Message-ID: An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030411/43825318/attachment.html From mouring at etoh.eviladmin.org Sat Apr 12 00:55:48 2003 
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 11 Apr 2003 09:55:48 -0500 (CDT)
Subject: 3.6.1p1 SRPMS?
In-Reply-To: <3E966AD5.5010909@roumenpetrov.info>
Message-ID:

On Fri, 11 Apr 2003 openssh at roumenpetrov.info wrote:

>
> Ville Herva wrote:
>
> >On Thu, Apr 10, 2003 at 01:52:47PM +0300, you [Ville Herva] wrote:
> >
> >
> >>Are there plans to release a source RPM of 3.6.1p1? The latest at
> >>
> >>ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/SRPMS/
> >>
> >>is 3.5p1-1...
> >>
> >As a couple of people pointed to me, the tar.gz does include .spec, so
> >src.rpm is easy to build with rpm -ba (worked for me). It'd still be nice to
> >have the src.rpm on the ftp site for completeness.
> >
> I'm not sure, but might source rpm should be different for most linux
> distributions and versions, i.e. spec file is not portable.
> As example SuSE src rpm contain x11-ssh-askpass and ... ;-)
>

$ find . -name \*.spec | xargs md5
MD5 (./contrib/caldera/openssh.spec) = bdb467a8b7e3da934381bf003fd3a510
MD5 (./contrib/redhat/openssh.spec) = bdc746eb9207f3b60a7727c1e66c4665
MD5 (./contrib/suse/openssh.spec) = 298ff7d2cbabe755035878bbffccef20

Agreed. If Linux distros didn't quietly change/break things. Then we could
have a single spec file.

- Ben

From chris at obelix.hedonism.cx Sat Apr 12 02:02:19 2003
From: chris at obelix.hedonism.cx (Christian Vogel)
Date: Fri, 11 Apr 2003 18:02:19 +0200
Subject: session recovery on change of IP
In-Reply-To: <03041115133802.23378@diva.localdomain>; from john@scl.co.uk on Fri, Apr 11, 2003 at 02:32:03PM +0100
References: <03041113311801.23378@diva.localdomain> <1050066010.30027.5.camel@imladris.demon.co.uk> <03041115133802.23378@diva.localdomain>
Message-ID: <20030411180219.A5413@obelix.frop.org>

Hi John,

On Fri, Apr 11, 2003 at 02:32:03PM +0100, John Sutton wrote:
> I can't see how using screen gets me any further? Surely screen just
> allows multiple sessions multiplexed into one tty stream (badly put but
> I think I know what I mean ;-). End result will be that *all* the
> sessions get broken on a change of IP?

When screen gets a sig-HUP it will detach the running screen-sessions.
Later you can log in to this machine again and issue 'screen -r' which
will reattach your session. Of course you can also detach the sessions
yourself by typing .

Chris

--
"Anybody who has ever seen a photograph showing the kind of damage
that a trout traveling that fast can inflict on the human skull knows
that such photographs are very valuable. I paid $20 for mine."
- Dave Barry
From Buddy.Lumpkin at nordstrom.com Sat Apr 12 12:26:51 2003
From: Buddy.Lumpkin at nordstrom.com (Lumpkin, Buddy)
Date: Fri, 11 Apr 2003 19:26:51 -0700
Subject: ssh -vvv
Message-ID: <3BD8AA3B9C18D34BA5099929909CFA0502758234@m0319p35.nordstrom.net>

Hello All,

I just had an interesting experience tracking down a bug on Solaris 8, and
ssh -vvv was of no help which is part of the reason why I write this email.

When DSA public/private keys fail to authenticate me without a password, it
just falls thru to the next authentication type and I can't see a way to see
why it happened. The extra debug levels don't tell me "Hey you idiot, the
permissions are wrong on the home directory", or "sorry dummy, but the PAM
library (or whatever API it relies on) said I can't authenticate you and I
don't know why".

Is there a way to try and get this kind of information?

Usually I can track down problems, but in this case, we had a userid that we
intentionally set to no passwd "*LK*" in Solaris. We had keys setup so that
ssh could be used to run rsync with no pass phrase and after adding a patch
cluster to Solaris it broke. It turned out that setting a password fixes the
problem, but it would have been nice if debug output told me that.

Is there a debug option to sshd that might have found this?

Thanks in advance for any tips on debugging future ssh authentication
problems,

--Buddy

From ed at membled.com Sat Apr 12 19:03:38 2003
From: ed at membled.com (Ed Avis)
Date: Sat, 12 Apr 2003 10:03:38 +0100 (BST)
Subject: session recovery on change of IP
In-Reply-To: <20030411234502.1310.39206.Mailman@shitei.mindrot.org>
Message-ID:

is a library which provides 'reliable sockets' which stay open through a
change of IP address. You need to modify both the ssh client and server
to use this library.

However I can strongly recommend the suggestion others have made: use
screen(1). Every time you log in, say

% exec screen -e '^Z^Z' -D -R

This will make a new session, or reconnect to an existing session.
Press C-z c to make a new virtual terminal, then C-z 0, C-z 1, C-z 2 etc
to switch between terminals. C-z d to disconnect.

But this is getting off topic.

--
Ed Avis

From djm at mindrot.org Sun Apr 13 00:51:16 2003
From: djm at mindrot.org (Damien Miller)
Date: Sun, 13 Apr 2003 00:51:16 +1000
Subject: 3.6.1p1 SRPMS?
In-Reply-To: <20030410105247.GC412903@niksula.cs.hut.fi>
References: <20030410105247.GC412903@niksula.cs.hut.fi>
Message-ID: <3E9827E4.3000404@mindrot.org>

Ville Herva wrote:
> Are there plans to release a source RPM of 3.6.1p1? The latest at
>
> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/SRPMS/
>
> is 3.5p1-1...

I'll try to get one done soon, the delay is because of breakage on
Redhat 9 and the demands of Real Life.

-d

From dtucker at zip.com.au Sun Apr 13 10:03:43 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 13 Apr 2003 10:03:43 +1000
Subject: ssh -vvv
References: <3BD8AA3B9C18D34BA5099929909CFA0502758234@m0319p35.nordstrom.net>
Message-ID: <3E98A95F.2396681F@zip.com.au>

"Lumpkin, Buddy" wrote:
> I just had an interesting experience tracking down a bug on Solaris
> 8, and ssh -vvv was of no help
[snip]

The server doesn't tell the client why an authentication failed because
that information would be very useful to an attacker. In general, you
want to "leak" as little information as possible before the user is
authenticated. This makes the attacker's job harder, and legitimate
admins have other ways of getting the info (server-side debugging, see
below).

> Is there a debug option to sshd that might have found this?

Yes, you want the *server* side debug options. You can run sshd on
another port to get them without disrupting your production daemon:

/path/to/sshd -ddd -p 2022

then on the client:

ssh -vvv -p 2022 yourhost

This is very helpful for debugging authentication issues, although it's
not always possible; some firewall configs only allow port 22. In those
cases and if all else fails you can kill off the production daemon and
run the debugging daemon on port 22 (pick a quiet time and keep a few
spare sessions or have alternate access to the box.)

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
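One of the things a server-side debug run like the one above will show, and the client never hears about, is sshd refusing to read authorized_keys because of ownership or permissions (the "permissions are wrong on the home directory" case Buddy describes). The following audit script is an added example, not code from the thread or from OpenSSH: it applies the same test sshd makes under StrictModes (the key file, and every directory from it up to and including the home directory, must be owned by the user or root and must not be group- or world-writable), so the account can be checked before anyone restarts a daemon; it assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSH sources): reproduce the
# ownership/mode test sshd applies under "StrictModes yes" before it will
# read a user's authorized_keys.  Assumes GNU coreutils stat (-c).

# Return 0 when PATH is owned by UID or by root and is neither group- nor
# world-writable, 1 otherwise.  This is the per-path test sshd performs.
strictmodes_path_ok() {
    path=$1; uid=$2
    owner=$(stat -c '%u' "$path") || return 1
    mode=$(stat -c '%A' "$path") || return 1
    # %A looks like "drwxr-xr-x": column 6 is group write, column 9 is other write.
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    [ "$owner" = "$uid" ] || [ "$owner" = "0" ] || return 1
    [ "$gw" != "w" ] && [ "$ow" != "w" ]
}

# Audit HOME/.ssh/authorized_keys for the user with numeric id UID: the key
# file first, then each directory from its parent up to and including HOME,
# which is where sshd stops walking.  Prints the first offending path and
# returns 1; returns 0 when every component passes.
audit_authorized_keys() {
    home=$1; uid=$2; keyfile="$1/.ssh/authorized_keys"
    if [ ! -f "$keyfile" ]; then
        echo "missing: $keyfile"
        return 1
    fi
    if ! strictmodes_path_ok "$keyfile" "$uid"; then
        echo "bad ownership or modes for file $keyfile"
        return 1
    fi
    dir=$(dirname "$keyfile")
    while :; do
        if ! strictmodes_path_ok "$dir" "$uid"; then
            echo "bad ownership or modes for directory $dir"
            return 1
        fi
        # Stop once the home directory itself has been checked.
        [ "$dir" = "$home" ] && break
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    echo "ok: $keyfile passes the StrictModes checks for uid $uid"
    return 0
}

# Constructed demonstration: a throwaway home whose ~/.ssh is group-writable,
# exactly the silent failure the client-side -vvv output never explains.
# Returns 0 when the bad layout is flagged and the corrected one passes.
demo_strictmodes() {
    tmp=$(mktemp -d) || return 2
    home="$tmp/home"
    mkdir -p "$home/.ssh"
    : > "$home/.ssh/authorized_keys"
    chmod 755 "$home"
    chmod 775 "$home/.ssh"
    chmod 644 "$home/.ssh/authorized_keys"
    # Expected to fail: reports "bad ownership or modes for directory .../.ssh".
    audit_authorized_keys "$home" "$(id -u)" && { rm -rf "$tmp"; return 1; }
    chmod 700 "$home/.ssh"
    # Expected to pass now that the directory is private to the user.
    audit_authorized_keys "$home" "$(id -u)" || { rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
    return 0
}
```

Run audit_authorized_keys against a real home directory with the account's uid (for example `audit_authorized_keys /home/rsyncuser "$(id -u rsyncuser)"`); the message it prints is the same condition sshd -ddd would log as the reason for ignoring the key file.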
From bugzilla-daemon at mindrot.org Mon Apr 14 14:45:35 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 14 Apr 2003 14:45:35 +1000 (EST)
Subject: [Bug 538] Hanging while connecting
Message-ID: <20030414044535.E1E1994208@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=538

onu at 29.ca changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |onu at 29.ca
           Platform|ix86                        |UltraSparc

------- Additional Comments From onu at 29.ca 2003-04-14 14:45 -------
I am experiencing the same problem.

First, the answer to both the questions of Darren and Damien is no.

My SSH server is a Sun Ultra 5 running Debian. The choice of client machine
seems irrelevant. Connections using protocol 1 seem much less likely to hang.
The problem occurs both with the Ultra 5's built-in network interface as well
as a 3Com network card I installed to diagnose this problem. Connecting
through the loopback network interface on the server, the connection is
successful.

The connection seems to hang in different places, for example:

(client) debug1: SSH2_MSG_KEXINIT sent
(server) debug1: kex: server->client aes128-cbc hmac-md5 none~.
debug3: preauth child monitor started
debug3: mm_request_receive entering

or

(client) debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
(server) debug1: expecting SSH2_MSG_NEWKEYS

Please let me know if you would like me to provide any additional information.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From dwmw2 at infradead.org Mon Apr 14 17:24:51 2003
From: dwmw2 at infradead.org (David Woodhouse)
Date: Mon, 14 Apr 2003 08:24:51 +0100
Subject: session recovery on change of IP
In-Reply-To: <03041115133802.23378@diva.localdomain>
References: <03041113311801.23378@diva.localdomain> <1050066010.30027.5.camel@imladris.demon.co.uk> <03041115133802.23378@diva.localdomain>
Message-ID: <1050305090.30027.18.camel@imladris.demon.co.uk>

On Fri, 2003-04-11 at 14:32, John Sutton wrote:
> I can't see how using screen gets me any further? Surely screen just
> allows multiple sessions multiplexed into one tty stream (badly put but
> I think I know what I mean ;-). End result will be that *all* the
> sessions get broken on a change of IP?

I think someone answered this already.

> This is an intriguing notion... Markus Friedl (see other post) has
> suggested the same. I have limited experience with tunnelling protocols
> (I messed around with pptp between linux and windoze boxes some years ago)
> but I can't immediately see how this could work. Surely to set up an IP
> tunnel of any sort you have got to have two "fixed" endpoints?

Well you want your peer to be fixed obviously since that's the whole point
in the exercise, but as long as they can find each other there's no
fundamental requirement for tunnel endpoints to be fixed.

> OTOH, I can see how you *might* have a "lightweight, non-encrypted"
> tunnelling protocol which *is* impervious to change of IP. Then you could
> run an ssh session through this tunnel. Quite how the server end of the
> tunnel would recognise that this "new" connection was actually an existing
> connection which had changed its IP and therefore be able to tie the 2
> ends back together, I don't know...

You just need to connect your ssh's proxycommand to a 'sshd -i' somewhere,
or to a fixed-ip box from which you use netcat. Variations on the theme of...

ssh -o "proxycommand sshd -i" localhost
ssh -o "proxycommand my-magic-rsh %h exec sshd -i" anywhere
ssh -o "proxycommand my-magic-rsh-to-fixed-ip-box netcat %h %p" anywhere

> How expensive is that? The minimum I've found is £51+vat per month (for
> 300 hours per month) single channel ISDN. I consider this *too* expensive
> so I've gone back to using a dynamic dialup for £11+vat ;-(

Demon 'Premier Connect Plus' and BT SurfTime Anytime -- £20 to each party,
giving permanent dialup at a static IP address for £40. (That's ~$60 USD for
the benefit of the peanut gallery who just want to laugh at how expensive
Internet connectivity is in the UK :)

--
dwmw2

From bugzilla-daemon at mindrot.org Mon Apr 14 17:55:30 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 14 Apr 2003 17:55:30 +1000 (EST)
Subject: [Bug 538] Hanging while connecting
Message-ID: <20030414075530.7CF449420C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=538

------- Additional Comments From dtucker at zip.com.au 2003-04-14 17:55 -------
Does the server use ssh-rand-helper? Linuxes normally have a /dev/[u]random
device.

Does the server have any iptables/ipchains rules?

It may be DNS reverse-resolution, you can try starting sshd with -u0 to
prevent DNS lookups.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From binder at arago.de Mon Apr 14 18:14:18 2003
From: binder at arago.de (Thomas Binder)
Date: Mon, 14 Apr 2003 10:14:18 +0200
Subject: ssh -vvv
In-Reply-To: <3E98A95F.2396681F@zip.com.au>
References: <3BD8AA3B9C18D34BA5099929909CFA0502758234@m0319p35.nordstrom.net> <3E98A95F.2396681F@zip.com.au>
Message-ID: <20030414081417.GA3519861@ohm.arago.de>

Hi!

On Sun, Apr 13, 2003 at 10:03:43AM +1000, Darren Tucker wrote:
> although it's not always possible; some firewall configs only
> allow port 22. In those cases and if all else fails you can
> kill off the production daemon and run the debugging daemon on
> port 22 (pick a quiet time and keep a few spare sessions or have
> alternate access to the box.)

You could of course also forward a local port to the remote sshd
to be debugged, and then ssh to localhost - provided you have a
working login on the production sshd.

Ciao

Thomas

From John.Durkin at Secondsite-Property.com Mon Apr 14 20:20:04 2003
From: John.Durkin at Secondsite-Property.com (John.Durkin at Secondsite-Property.com)
Date: Mon, 14 Apr 2003 11:20:04 +0100
Subject: Progress Bar
Message-ID:

Product: Portable OpenSSH
Version: 3.6p1 and 3.6.1p1
Platform: ix86
OS/Version: Solaris 8

Problem:

When copying files between networked systems using "scp", no asterisk
characters are displayed on the progress bar as in previous versions of
OpenSSH. Is this a deliberate change to "scp"?

John Durkin

______________________________________________________________________

Unless expressly stated to the contrary, the views expressed in this email
are not necessarily the views of National Grid Transco plc or any of its
subsidiaries or affiliates (Group Companies), and the Group Companies,
their directors, officers and employees make no representation and accept
no liability for its accuracy or completeness.

This e-mail, and any attachments are strictly confidential and intended
for the addressee(s) only. The content may also contain legal, professional
or other privileged information. If you are not the intended recipient,
please notify the sender immediately and then delete the e-mail and any
attachments. You should not disclose, copy or take any action in reliance
on this transmission.

You may report the matter by calling us on + 44(0) 1256 308 666

Please ensure you have adequate virus protection before you open or detach
any documents from this transmission. The Group Companies do not accept any
liability for viruses.

An e-mail reply to this address may be subject to monitoring for
operational reasons or lawful business practices.

From markus at openbsd.org Mon Apr 14 20:38:19 2003
From: markus at openbsd.org (Markus Friedl) Date: Mon, 14 Apr 2003 12:38:19 +0200 Subject: Progress Bar In-Reply-To: References: Message-ID: <20030414103819.GB31169@folly> On Mon, Apr 14, 2003 at 11:20:04AM +0100, John.Durkin at Secondsite-Property.com wrote: > This e-mail, and any attachments are strictly confidential and > intended for the addressee(s) only. The content may also I cannot reply to this on a public mailing list. From dtucker at zip.com.au Mon Apr 14 21:12:03 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 14 Apr 2003 21:12:03 +1000 Subject: ssh -vvv References: <3BD8AA3B9C18D34BA5099929909CFA0502758234@m0319p35.nordstrom.net> <3E98A95F.2396681F@zip.com.au> <20030414081417.GA3519861@ohm.arago.de> Message-ID: <3E9A9783.5F2031BD@zip.com.au> Thomas Binder wrote: > You could of course also forward a local port to the remote sshd > to be debugged, and then ssh to localhost - provided you have a > working login on the production sshd. Good point, but that doesn't necessarily help for some classes of authentication problems (eg RSARhosts/Hostbased which tends to be what I have the most trouble with). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From binder at arago.de Mon Apr 14 21:45:05 2003 
From: binder at arago.de (Thomas Binder) Date: Mon, 14 Apr 2003 13:45:05 +0200 Subject: ssh -vvv In-Reply-To: <3E9A9783.5F2031BD@zip.com.au> References: <3BD8AA3B9C18D34BA5099929909CFA0502758234@m0319p35.nordstrom.net> <3E98A95F.2396681F@zip.com.au> <20030414081417.GA3519861@ohm.arago.de> <3E9A9783.5F2031BD@zip.com.au> Message-ID: <20030414114505.GA3583351@ohm.arago.de> Hi! On Mon, Apr 14, 2003 at 09:12:03PM +1000, Darren Tucker wrote: > Good point, but that doesn't necessarily help for some classes > of authentication problems (eg RSARhosts/Hostbased which tends > to be what I have the most trouble with). Sure, there's no "catch all" debug method; you'll sometimes have no other choice than to raise the main sshd's debug level. Ciao Thomas From mhaverka at kcp.com Mon Apr 14 23:00:11 2003 
From: mhaverka at kcp.com (Michael Haverkamp) Date: Mon, 14 Apr 2003 08:00:11 -0500 Subject: ssh -vvv In-Reply-To: <3BD8AA3B9C18D34BA5099929909CFA0502758234@m0319p35.nordstrom.net> References: <3BD8AA3B9C18D34BA5099929909CFA0502758234@m0319p35.nordstrom.net> Message-ID: <3E9AB0DB.5080004@kcp.com> Try changing *LK* to something else, e.g. NP. I recall that Sun changed pam_unix behavior in a patch to treat *LK* specially so that it would prevent public key authentication. Lumpkin, Buddy wrote: > Hello All, > > I just had an interesting experience tracking down a bug on Solaris 8, and ssh -vvv was of no help which is part of the reason why I write this email. > > When DSA public/private keys fail to authenticate me without a password, it just falls thru to the next authentication type and I can't see a way to see why it happened. > > The extra debug levels don't tell me "Hey you idiot, the permissions are wrong on the home directory", or "sorry dummy, but the PAM library (or whatever API it relies on) said I can't authenticate you and I don't know why". > > Is there a way to try and get this kind of information? > > Usually I can track down problems, but in this case, we had a userid that we intentionally set to no passwd "*LK*" in Solaris. We had keys setup so that ssh could be used to run rsync with no pass phrase and after adding a patch cluster to Solaris it broke. > > It turned out that setting a password fixes the problem, but it would have been nice if debug output told me that. > > Is there a debug option to sshd that might have found this? > > Thanks in advance for any tips on debugging future ssh authentication problems, > > --Buddy > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Michael Haverkamp From O.Pueschel at olmos.de Mon Apr 14 23:11:40 2003 
From: O.Pueschel at olmos.de (Olaf Püschel) Date: Mon, 14 Apr 2003 15:11:40 +0200 Subject: OpenSSH 3.6.1p1 "Proxy-None" patch Message-ID: <20030414131140.GA28255@eckert> Hi OpenSSH'lers! While using OpenSSH for quite a while, I became annoyed with the inflexible config-file parsing algorithm. In particular, it did not allow me to express: "Use *no* proxy for host xyz, but *this* proxy for all other hosts". So I had a look at the source and made a quick-n-dirty change, allowing me to use the special ProxyCommand "None" to express "don't use a proxy". Today I had to rework the patch, because the current version of the config-file lexer/parser leaves no space in front of the keyword anymore (gooood), but keeps a trailing carriage-return (bad). Anyway, the patch is attached. Hopefully it's useful not only to me. Usage is this way: Host internal-machine ProxyCommand None Host * ProxyCommand Best regards Olaf -- Olaf Püschel, Softwaretechnik, OLMOS Workstations GmbH, Germany Wolfenbütteler Str. 31A, 38102 Braunschweig, Fon.: +49-531-22020-0 Fax: -99 OLMOS supports signed and/or encrypted mail. Grab my key at www.keyserver..net "Unix *is* user friendly. It's just a bit picky about its friends" -------------- next part -------------- *** sshconnect.c Mon Dec 23 03:06:20 2002 --- sshconnect.c.patch Mon Apr 14 14:52:20 2003 *************** *** 47,52 **** --- 47,56 ---- #define INET6_ADDRSTRLEN 46 #endif + #ifndef PROXY_NONE + #define PROXY_NONE "None\n" + #endif + static int show_other_keys(const char *, Key *); /* *************** *** 258,264 **** port = SSH_DEFAULT_PORT; } /* If a proxy command is given, connect using it. */ ! if (proxy_command != NULL) return ssh_proxy_connect(host, port, proxy_command); /* No proxy command. */ --- 262,268 ---- port = SSH_DEFAULT_PORT; } /* If a proxy command is given, connect using it. */ ! if (proxy_command != NULL && strcmp(proxy_command, PROXY_NONE)) return ssh_proxy_connect(host, port, proxy_command); /* No proxy command. 
*/ From mulmo at pdc.kth.se Mon Apr 14 23:38:35 2003 From: mulmo at pdc.kth.se (Olle Mulmo) Date: Mon, 14 Apr 2003 15:38:35 +0200 Subject: Executing session "hooks" Message-ID: <002c01c3028b$25dac5b0$81dded82@pdc.kth.se> Hi, I call this "session hooks" because I don't know what else to call it. What I mean is the extra "stuff" that will happen before and after a login session or a command gets executed, such as fetching AFS tokens upon startup and destroying kerberos tickets upon shutdown. My need for this patch occurred when I needed a couple of additional "hooks" that weren't supported. I started out trying to throw them in as a local hack, but then discovered clashes between some of the libraries that the various pieces of software used. Thus, I ended up adding a generic hook that executes a configurable external command. In my case, it is a shell script that in turn executes a sequence of command-line tools from the various non-compatible software distributions. The end result is the same, with one exception: when invoking external commands instead of library routines, they are run as separate processes and thus cannot define or modify the user's environment. Thus, support to convey this information from the session hook was added as well. The solution here is a bit rough at the edges (create a temporary environment file that is then sourced by the other process) but it works. Please take a look at these contributions, give feedback, and let me know if you would consider it for inclusion in future releases of OpenSSH: http://www.pdc.kth.se/~mulmo/session-hooks/ Regards, /Olle From markus at openbsd.org Tue Apr 15 00:35:00 2003 
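Review bot: in the Proxy-None sshconnect.c hunk above, `strcmp(proxy_command, PROXY_NONE)` with `PROXY_NONE` defined as `"None\n"` bakes the config parser's trailing-newline defect into the connect path: the match only works when the stored value ends in exactly one LF (not CRLF, not a trailing space, not a value that arrives without a newline), and it silently turns into "run a proxy called None" the moment the parser is fixed. It also introduces the spelling "None", while the value the parser already tries to recognise (see Markus's follow-up) is lowercase `none`; config arguments are case-sensitive, so users end up with two spellings that behave differently. The right fix is in readconf.c: strip trailing whitespace at parse time and store NULL for `none`, so the existing `if (proxy_command != NULL)` test needs no change and the `PROXY_NONE` define goes away.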
From: markus at openbsd.org (Markus Friedl) Date: Mon, 14 Apr 2003 16:35:00 +0200 Subject: OpenSSH 3.6.1p1 "Proxy-None" patch In-Reply-To: <20030414131140.GA28255@eckert> References: <20030414131140.GA28255@eckert> Message-ID: <20030414143500.GA16532@folly> On Mon, Apr 14, 2003 at 03:11:40PM +0200, Olaf Püschel wrote: > While using OpenSSH for quite a while, I became annoyed with the > inflexible config-file parsing algorithm. In particular, it did not > allow me to express: "Use *no* proxy for host xyz, but *this* proxy > for all other hosts". 3.6.1 already supports 'none' but it's broken. this patch against 3.6.1 should make ProxyCommand none work: Index: readconf.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/readconf.c,v retrieving revision 1.105 retrieving revision 1.106 diff -u -IOpenBSD -r1.105 -r1.106 --- readconf.c 2 Apr 2003 09:48:07 -0000 1.105 +++ readconf.c 9 Apr 2003 12:00:37 -0000 1.106 @@ -279,6 +279,13 @@ size_t len; u_short fwd_port, fwd_host_port; char sfwd_host_port[6]; + + /* Strip trailing whitespace */ + for(len = strlen(line) - 1; len > 0; len--) { + if (strchr(WHITESPACE, line[len]) == NULL) + break; + line[len] = '\0'; + } s = line; /* Get the keyword. (Each line is supposed to begin with a keyword). */ From Buddy.Lumpkin at nordstrom.com Tue Apr 15 03:29:31 2003 From: Buddy.Lumpkin at nordstrom.com (Lumpkin, Buddy) Date: Mon, 14 Apr 2003 10:29:31 -0700 Subject: ssh -vvv Message-ID: <3BD8AA3B9C18D34BA5099929909CFA0502758239@m0319p35.nordstrom.net> ok, I will, thanks. --Buddy -----Original Message----- 
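Review bot: the strip loop in the readconf.c hunk above seeds `len` (a `size_t`) with `strlen(line) - 1`, so an empty `line` wraps to SIZE_MAX and `line[len]` is read far outside the buffer; nothing in the hunk guarantees the line is non-empty. Iterate on the length instead, e.g. `len = strlen(line); while (len > 0 && strchr(WHITESPACE, line[len - 1]) != NULL) line[--len] = '\0';`, which needs no underflow guard and, unlike the posted loop, also clears index 0 of a whitespace-only line rather than leaving one character for the keyword parser to absorb.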
From: Michael Haverkamp [mailto:mhaverka at kcp.com] Sent: Monday, April 14, 2003 6:00 AM To: Lumpkin, Buddy Cc: openssh-unix-dev at mindrot.org Subject: Re: ssh -vvv Try changing *LK* to something else, e.g. NP. I recall that Sun changed pam_unix behavior in a patch to treat *LK* specially so that it would prevent public key authentication. Lumpkin, Buddy wrote: > Hello All, > > I just had an interesting experience tracking down a bug on Solaris 8, and ssh -vvv was of no help which is part of the reason why I write this email. > > When DSA public/private keys fail to authenticate me without a password, it just falls thru to the next authentication type and I can't see a way to see why it happened. > > The extra debug levels don't tell me "Hey you idiot, the permissions are wrong on the home directory", or "sorry dummy, but the PAM library (or whatever API it relies on) said I can't authenticate you and I don't know why". > > Is there a way to try and get this kind of information? > > Usually I can track down problems, but in this case, we had a userid that we intentionally set to no passwd "*LK*" in Solaris. We had keys setup so that ssh could be used to run rsync with no pass phrase and after adding a patch cluster to Solaris it broke. > > It turned out that setting a password fixes the problem, but it would have been nice if debug output told me that. > > Is there a debug option to sshd that might have found this? > > Thanks in advance for any tips on debugging future ssh authentication problems, > > --Buddy > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Michael Haverkamp From john.durkin at btinternet.com Tue Apr 15 04:07:18 2003 
From: john.durkin at btinternet.com (John Durkin) Date: Mon, 14 Apr 2003 19:07:18 +0100 Subject: Progress Bar Message-ID: Product: Portable OpenSSH Version: 3.6p1 and 3.6.1p1 Platform: ix86 OS/Version: Solaris 8 Problem: When copying files between networked systems using "scp", no asterisk characters are displayed on the progress bar as in previous versions of OpenSSH. Is this a deliberate change to "scp"? -- John Durkin. From mouring at etoh.eviladmin.org Tue Apr 15 04:33:31 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 14 Apr 2003 13:33:31 -0500 (CDT) Subject: Progress Bar In-Reply-To: Message-ID: Yes, it was a deliberate change. - Ben On Mon, 14 Apr 2003, John Durkin wrote: > Product: Portable OpenSSH > Version: 3.6p1 and 3.6.1p1 > Platform: ix86 > OS/Version: Solaris 8 > > Problem: When copying files between networked systems using "scp", no > asterisk characters are displayed on the progress bar as in previous > versions of OpenSSH. Is this a deliberate change to "scp"? > > -- > > John Durkin. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From bugzilla-daemon at mindrot.org Tue Apr 15 09:57:42 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 15 Apr 2003 09:57:42 +1000 (EST) Subject: [Bug 14] Can't change expired /etc/shadow password without PAM Message-ID: <20030414235742.620699421B@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=14 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED ------- Additional Comments From dtucker at zip.com.au 2003-04-15 09:57 ------- Patch against 3.6.1p1 now available. No changes apart from diff'ing against 3.6.1p1. http://www.zip.com.au/~dtucker/openssh/openssh-3.6.1p1-passexpire18.patch ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From hayward at slothmud.org Tue Apr 15 23:58:13 2003 
From: hayward at slothmud.org (hayward at slothmud.org) Date: Tue, 15 Apr 2003 08:58:13 -0500 (CDT) Subject: Progress Bar In-Reply-To: Message-ID: I was wondering about that myself, as I didn't see anything in the changelog about it. I was quite comfortable with that handy status bar, though I'm sure there was a good reason for changing it. (non-interactive sessions especially). Many programs just have a quiet option instead of changing the default behavior. -- Brian On Mon, 14 Apr 2003, Ben Lindstrom wrote: > >Yes, it was a deliberate change. > >- Ben > >On Mon, 14 Apr 2003, John Durkin wrote: > >> Product: Portable OpenSSH >> Version: 3.6p1 and 3.6.1p1 >> Platform: ix86 >> OS/Version: Solaris 8 >> >> Problem: When copying files between networked systems using "scp", no >> asterisk characters are displayed on the progress bar as in previous >> versions of OpenSSH. Is this a deliberate change to "scp"? >> >> -- >> >> John Durkin. >> >> _______________________________________________ >> openssh-unix-dev mailing list >> openssh-unix-dev at mindrot.org >> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev >> > >_______________________________________________ >openssh-unix-dev mailing list >openssh-unix-dev at mindrot.org >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Brian Hayward From mouring at etoh.eviladmin.org Wed Apr 16 00:22:11 2003 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 15 Apr 2003 09:22:11 -0500 (CDT) Subject: Progress Bar In-Reply-To: Message-ID: - markus at cvs.openbsd.org 2002/12/13 15:20:52 [scp.c] 1) include stalling time in total time 2) truncate filenames to 45 instead of 20 characters 3) print rate instead of progress bar, no more stars 4) scale output to tty width based on a patch from Niels; ok fries@ lebel@ fgs@ millert@ Changelog has it. Personally I prefer it without the stars myself. To have the actual progression via stars and then via the stats on the right hand side and still try and fit the filename on it gets to be pretty cramped together on a standard 80 width screen. - Ben On Tue, 15 Apr 2003 hayward at slothmud.org wrote: > I was wondering about that myself, as I didn't see anything in the > changelog about it. I was quite comfortable with that handy status bar, > though I'm sure there was a good reason for changing it. (non-interactive > sessions especially). Many programs just have a quiet option instead of > changing the default behavior. > > -- > Brian > > On Mon, 14 Apr 2003, Ben Lindstrom wrote: > > > > >Yes, it was a deliberate change. > > > >- Ben > > > >On Mon, 14 Apr 2003, John Durkin wrote: > > > >> Product: Portable OpenSSH > >> Version: 3.6p1 and 3.6.1p1 > >> Platform: ix86 > >> OS/Version: Solaris 8 > >> > >> Problem: When copying files between networked systems using "scp", no > >> asterisk characters are displayed on the progress bar as in previous > >> versions of OpenSSH. Is this a deliberate change to "scp"? > >> > >> -- > >> > >> John Durkin. 
> >> > >> _______________________________________________ > >> openssh-unix-dev mailing list > >> openssh-unix-dev at mindrot.org > >> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > >> > > > >_______________________________________________ > >openssh-unix-dev mailing list > >openssh-unix-dev at mindrot.org > >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > > > -- > Brian Hayward > > From jclonguet at free.fr Wed Apr 16 07:40:33 2003 From: jclonguet at free.fr (Jean-Charles Longuet) Date: Tue, 15 Apr 2003 23:40:33 +0200 Subject: Connect timeout patch Message-ID: <3E9C7C51.722E2DA0@free.fr> This patch avoids spending too much time during connect() when doing an ssh()/scp() on a down host. It uses a new client option called ConnectTimeout and is useful for rsync or rdist commands using ssh(). See http://bugzilla.mindrot.org/show_bug.cgi?id=207 for detailed info. -------------- next part -------------- --- openssh-3.6.1p1/readconf.c.ORIG Tue Apr 15 23:06:30 2003 +++ openssh-3.6.1p1/readconf.c Tue Apr 15 23:09:43 2003 @@ -114,7 +114,7 @@ oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oEnableSSHKeysign, + oEnableSSHKeysign, oConnectTimeout, oDeprecated } OpCodes; @@ -188,6 +188,7 @@ { "clearallforwardings", oClearAllForwardings }, { "enablesshkeysign", oEnableSSHKeysign }, { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost }, + { "connecttimeout", oConnectTimeout }, { NULL, oBadOption } }; 
@@ -297,6 +298,18 @@ /* don't panic, but count bad options */ return -1; /* NOTREACHED */ + case oConnectTimeout: + intptr = &options->connection_timeout; +parse_time: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing time argument.", filename, linenum); + if ((value = convtime(arg)) == -1) + fatal("%.200s line %d: Invalid time argument.", filename, linenum); + if (*intptr == -1) + *intptr = value; + break; + case oForwardAgent: intptr = &options->forward_agent; parse_flag: @@ -770,6 +783,7 @@ options->compression_level = -1; options->port = -1; options->connection_attempts = -1; + options->connection_timeout = -1; options->number_of_password_prompts = -1; options->cipher = -1; options->ciphers = NULL; --- openssh-3.6.1p1/readconf.h.ORIG Tue Apr 15 23:06:30 2003 +++ openssh-3.6.1p1/readconf.h Tue Apr 15 23:08:28 2003 @@ -66,6 +66,8 @@ int port; /* Port to connect. */ int connection_attempts; /* Max attempts (seconds) before * giving up */ + int connection_timeout; /* Max time (seconds) before + * aborting connection attempt */ int number_of_password_prompts; /* Max number of password * prompts. */ int cipher; /* Cipher to use. */ --- openssh-3.6.1p1/ssh.c.ORIG Tue Apr 15 23:06:30 2003 +++ openssh-3.6.1p1/ssh.c Tue Apr 15 23:08:28 2003 @@ -619,7 +619,7 @@ /* Open a connection to the remote host. */ if (ssh_connect(host, &hostaddr, options.port, IPv4or6, - options.connection_attempts, + options.connection_attempts, options.connection_timeout, #ifdef HAVE_CYGWIN options.use_privileged_port, #else --- openssh-3.6.1p1/ssh_config.0.ORIG Tue Apr 15 23:06:30 2003 +++ openssh-3.6.1p1/ssh_config.0 Tue Apr 15 23:11:06 2003 
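Review bot: in the `case oConnectTimeout:` hunk the `parse_time:` label has no `goto` that targets it, so it only produces an unused-label warning; drop it until a second time-valued option actually shares the code. The hunk at line 770 initialises the new field to -1 alongside the other options, but nothing later in the patch replaces that sentinel with a real default, so "not configured" reaches `ssh_connect()` as -1 and only works because `timeout_connect()` treats `<= 0` as "plain connect()". Give the option an explicit default (0) where the other options get theirs, and say in the readconf.h comment that 0 means the system's own connect() behaviour; the comment there should also make clear whether the value is seconds or whatever `convtime()` returns.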
@@ -112,6 +112,13 @@ exiting. The argument must be an integer. This may be useful in scripts if the connection sometimes fails. The default is 1. + ^[[1mConnectTimeout^[[0m + Specifies the timeout used when connecting to the ssh server, + instead of using default system values. This value is used only + when the target is down or really unreachable, not when it refuses + the connection. This may be usefull for tools using ssh for + communication, as it avoid long TCP timeouts. + ^[[1mDynamicForward^[[0m Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application protocol is then --- openssh-3.6.1p1/ssh_config.5.ORIG Tue Apr 15 23:06:30 2003 +++ openssh-3.6.1p1/ssh_config.5 Tue Apr 15 23:08:28 2003 @@ -227,6 +227,12 @@ The argument must be an integer. This may be useful in scripts if the connection sometimes fails. The default is 1. +.It Cm ConnectTimeout +Specifies the timeout used when connecting to the ssh +server, instead of using default system values. This value is used +only when the target is down or really unreachable, not when it +refuses the connection. This may be usefull for tools using ssh +for communication, as it avoid long TCP timeouts. .It Cm DynamicForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application --- openssh-3.6.1p1/sshconnect.c.ORIG Tue Apr 15 23:06:30 2003 +++ openssh-3.6.1p1/sshconnect.c Tue Apr 15 23:08:28 2003 
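Review bot: drop the ssh_config.0 hunk; the `^[[1m`/`^[[0m` escapes in it show that file is the rendered copy of ssh_config.5, so it should be regenerated from the .5 source rather than patched by hand. In the ssh_config.5 text, "usefull" should read "useful" and "it avoid" should read "it avoids"; the entry should also state the argument's unit and syntax (the parser uses `convtime()`, so say so and give the default), and "really unreachable" is vague: say that the timeout applies when no SYN-ACK or RST arrives, not when the connection is refused.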
@@ -212,6 +212,61 @@ return sock; } +int +timeout_connect(int sockfd, const struct sockaddr *serv_addr, + socklen_t addrlen, int timeout) +{ + fd_set *fdset; + struct timeval tv; + socklen_t optlen; + int fdsetsz, optval, rc; + + if (timeout <= 0) + return(connect(sockfd, serv_addr, addrlen)); + + if (fcntl(sockfd, F_SETFL, O_NONBLOCK) < 0) + return -1; + + rc = connect(sockfd, serv_addr, addrlen); + if (rc == 0) + return 0; + if (errno != EINPROGRESS) + return -1; + + fdsetsz = howmany(sockfd+1, NFDBITS) * sizeof(fd_mask); + fdset = (fd_set *)xmalloc(fdsetsz); + memset(fdset, 0, fdsetsz); + FD_SET(sockfd, fdset); + tv.tv_sec = timeout; + tv.tv_usec = 0; + rc=select(sockfd+1, NULL, fdset, NULL, &tv); + + switch(rc) { + case 0: + errno = ETIMEDOUT; + case -1: + return -1; + break; + case 1: + optval = 0; + optlen = sizeof(optval); + if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, &optlen) == -1) + return -1; + if (optval != 0) + { + errno = optval; + return -1; + } + return 0; + + default: + /* Should not occur */ + return -1; + break; + } + return -1; +} + /* * Opens a TCP/IP connection to the remote server on the given host. * The address of the remote host will be returned in hostaddr. @@ -231,7 +286,7 @@ */ int ssh_connect(const char *host, struct sockaddr_storage * hostaddr, - u_short port, int family, int connection_attempts, + u_short port, int family, int connection_attempts, int connection_timeout, int needpriv, const char *proxy_command) { int gaierr; @@ -300,7 +355,8 @@ /* Any error is already output */ continue; - if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) { + if (timeout_connect(sock, ai->ai_addr, ai->ai_addrlen, + connection_timeout) >= 0) { /* Successful connection. */ memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); break; --- openssh-3.6.1p1/sshconnect.h.ORIG Tue Apr 15 23:06:30 2003 +++ openssh-3.6.1p1/sshconnect.h Tue Apr 15 23:08:28 2003 
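Review bot: `timeout_connect()` sets O_NONBLOCK and never clears it, so after a successful connect the rest of ssh runs on a non-blocking socket; save the current flags with `F_GETFL`, OR in `O_NONBLOCK`, and restore them before every return (the bare `fcntl(sockfd, F_SETFL, O_NONBLOCK)` also discards whatever flags were already set). The `fdset` from `xmalloc()` is never freed on any path. `select()` returning -1 with `errno == EINTR` is reported as a failed connect instead of being retried. The fall-through from `case 0:` into `case -1:` is intentional but needs a `/* FALLTHROUGH */` comment, and `rc=select(` plus the brace on its own line after `if (optval != 0)` do not match the file's KNF style. Consider `poll()` instead of `select()`: it removes the fd_set sizing and the allocation altogether.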
@@ -35,7 +35,7 @@ int ssh_connect(const char *, struct sockaddr_storage *, u_short, int, int, - int, const char *); + int, int, const char *); void ssh_login(Sensitive *, const char *, struct sockaddr *, struct passwd *); From bugzilla-daemon at mindrot.org Wed Apr 16 07:19:12 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 16 Apr 2003 07:19:12 +1000 (EST) Subject: [Bug 543] sshd does not use AIX's setauthdb Message-ID: <20030415211912.3F88994210@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=543 Summary: sshd does not use AIX's setauthdb Product: Portable OpenSSH Version: 3.6p1 Platform: PPC OS/Version: AIX Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: cawlfiel at us.ibm.com On AIX, if an LDAP user authenticates through SSH, the user's registry info is not updated. For instance, if an LDAP user enters an incorrect password while logging in through SSH, the LDAP user's unsuccessful_login_count is not increased. This is solved by adding calls to setuserdb(), getuserattr(), and setauthdb() in auth.c. I will be submitting a patch that adds these calls for 3.6p1. If anyone sees something in the patch that isn't kosher, let me know... ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 16 07:26:28 2003 
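As an added example, not code from the ConnectTimeout patch above: a timeout-bounded connect() that does what the review points ask for, restoring the socket's original file-status flags on every return (so the caller keeps a blocking fd), retrying `poll()` on EINTR, allocating nothing, and reporting the cause through errno with ETIMEDOUT when the budget runs out. The function name `connect_with_timeout`, the millisecond argument and the loopback self-check in `demo_connect_loopback()` are mine; the self-check constructs its own listener on 127.0.0.1 so it runs offline.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * connect() bounded by timeout_ms; timeout_ms <= 0 means a plain blocking
 * connect(), like the patch's "ConnectTimeout unset" case. Returns 0, or -1
 * with errno set (ETIMEDOUT on expiry). The socket's original file-status
 * flags are restored on every return, so the caller keeps a blocking fd.
 */
int
connect_with_timeout(int sockfd, const struct sockaddr *addr,
    socklen_t addrlen, int timeout_ms)
{
	struct pollfd pfd;
	socklen_t optlen = sizeof(int);
	int flags, rc, soerr = 0, saved_errno;

	if (timeout_ms <= 0)
		return connect(sockfd, addr, addrlen);
	/* F_GETFL first: a bare F_SETFL O_NONBLOCK would discard other flags. */
	if ((flags = fcntl(sockfd, F_GETFL, 0)) == -1 ||
	    fcntl(sockfd, F_SETFL, flags | O_NONBLOCK) == -1)
		return -1;
	rc = connect(sockfd, addr, addrlen);
	if (rc == 0 || errno != EINPROGRESS)
		goto done;	/* completed at once, or a real error already in errno */
	pfd.fd = sockfd;
	pfd.events = POLLOUT;
	do {		/* a signal during the wait is not a failed connect */
		rc = poll(&pfd, 1, timeout_ms);
	} while (rc == -1 && errno == EINTR);	/* simplification: budget restarts */
	if (rc == 0) {
		errno = ETIMEDOUT;
		rc = -1;
	} else if (rc == 1) {	/* writable or errored: fetch the deferred result */
		if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &soerr, &optlen) == -1)
			rc = -1;
		else if (soerr != 0) {
			errno = soerr;
			rc = -1;
		} else
			rc = 0;
	}
done:
	saved_errno = errno;	/* fcntl must not clobber the real cause */
	(void)fcntl(sockfd, F_SETFL, flags);
	errno = saved_errno;
	return rc;
}

/*
 * Self-check against a loopback listener (constructed for this example).
 * Returns 0 when a connect to the live listener succeeds and leaves the fd
 * blocking, and a connect to the same port after the listener is closed
 * fails promptly with ECONNREFUSED; otherwise the number of the failed step.
 */
int
demo_connect_loopback(void)
{
	struct sockaddr_in sin;
	socklen_t slen = sizeof(sin);
	int lfd, cfd, flags, step = 0;

	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);	/* port 0: kernel picks */
	if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		return 1;
	if (bind(lfd, (struct sockaddr *)&sin, sizeof(sin)) == -1 ||
	    listen(lfd, 1) == -1 ||
	    getsockname(lfd, (struct sockaddr *)&sin, &slen) == -1 ||
	    (cfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
		close(lfd);
		return 2;
	}
	if (connect_with_timeout(cfd, (struct sockaddr *)&sin, sizeof(sin), 2000) != 0)
		step = 3;	/* live listener: must succeed well inside 2 s */
	else if ((flags = fcntl(cfd, F_GETFL, 0)) == -1 || (flags & O_NONBLOCK))
		step = 4;	/* O_NONBLOCK must be gone again */
	close(cfd);
	close(lfd);
	if (step != 0)
		return step;
	if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		return 5;
	if (connect_with_timeout(cfd, (struct sockaddr *)&sin, sizeof(sin), 2000) != -1 ||
	    errno != ECONNREFUSED)
		step = 6;	/* nothing listens now: refusal, not a timeout */
	close(cfd);
	return step;
}

int
main(void)
{
	int step = demo_connect_loopback();
	printf("loopback demo: %s (step %d)\n", step == 0 ? "ok" : "FAILED", step);
	return step;
}
```

The restart of the full budget after EINTR is a deliberate simplification; a production version would recompute the remaining time from a monotonic clock before calling `poll()` again.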
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 16 Apr 2003 07:26:28 +1000 (EST) Subject: [Bug 543] sshd does not use AIX's setauthdb Message-ID: <20030415212628.9072B94224@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=543 ------- Additional Comments From cawlfiel at us.ibm.com 2003-04-16 07:26 ------- Created an attachment (id=269) --> (http://bugzilla.mindrot.org/attachment.cgi?id=269&action=view) Add calls to AIX's setuserdb(), setauthdb() in auth.c ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 16 11:01:25 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 16 Apr 2003 11:01:25 +1000 (EST) Subject: [Bug 538] Hanging while connecting Message-ID: <20030416010125.E0CBA94207@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=538 ------- Additional Comments From onu at 29.ca 2003-04-16 11:01 ------- Though it's not entirely clear whether /dev/random or /dev/urandom is used (see http://article.gmane.org/gmane.linux.debian.ports.sparc/3037), it does seem that ssh-rand-helper isn't involved. iptables is not part of the equation either: Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination I tried running sshd with -u0, but I didn't find the number of hung connections changed much. What continues to puzzle me is that connections from the server to itself (ie. ssh localhost) never fail. Nonetheless, changing network cards didn't help. I wonder if some other hardware component might be faulty. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 16 14:28:53 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 16 Apr 2003 14:28:53 +1000 (EST) Subject: [Bug 543] sshd does not use AIX's setauthdb Message-ID: <20030416042853.39A2B94221@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=543 ------- Additional Comments From dtucker at zip.com.au 2003-04-16 14:28 ------- Created an attachment (id=270) --> (http://bugzilla.mindrot.org/attachment.cgi?id=270&action=view) Untested patch containing discussed changes. I can't find much documentation on setauthdb (no man pages, only a couple of references on Google) but from what I can gather it loads some authentication code at runtime somewhat like PAM. A few things on the patch: 1) setauthdb is not on AIX 4.2 so your patch breaks there. You can add a test to configure.ac and put your additions inside "#ifdef HAVE_SETAUTHDB". 2) the indentation in the "if (authenticated.." block is misleading. You also have a whitespace-only change. 3) I'd move the variables you need inside the "if (authenticated.." block. That will remove one #ifdef. 4) Is 16 an absolute maximum for S_REGISTRY? You should probably use sizeof(registry) instead of a magic number in the strncpy. Do you even need the char *tmp and strncpy? Does setauthdb allocate oldauthdb for you (many of those functions do). 5) Do you need to explicitly set "files" in the case where getuserattr fails? Would you be better off just skipping the setauthdb in that case (which is equivalent to the old behaviour)? FWIW, I'd like to see all of this code moved out of the mainline and into a compatibility function (see http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=104936325924401). ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 16 15:48:19 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 16 Apr 2003 15:48:19 +1000 (EST) Subject: [Bug 538] Hanging while connecting Message-ID: <20030416054819.759E994221@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=538 ------- Additional Comments From dtucker at zip.com.au 2003-04-16 15:48 ------- If it works fine on localhost then it really does sound like an MTU problem, although you don't seem to have any of the usual suspects for that (eg NAT). Humour me and set your network interface's MTU to 576 (make a note of the current settings then run "ifconfig eth0 mtu 576") and retest. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From cmcintyre at quinstreet.com Fri Apr 18 07:12:37 2003 
From: cmcintyre at quinstreet.com (Chuck McIntyre) Date: Thu, 17 Apr 2003 14:12:37 -0700 Subject: pam_mkhomedir and priv separation Message-ID: <20030417211237.GR2102@quinstreet.com> Hello, I'm not sure if this has already been addressed, I looked through the archives and can't seem to find anything. I also did some Usenet searching and only found one article mentioning this, and it was in French. Anyway, the problem is that it appears as though when using privsep opensshd doesn't execute pam_session as root, and this causes pam_mkhomedir to fail. pam_mkhomedir creates a user's home directory if it doesn't exist (useful for ldap or other directory based auth schemes). This seems similar to bug 83 (http://bugzilla.mindrot.org/show_bug.cgi?id=83) but I am not a developer and I'm not sure if it's the same issue, can anyone comment on this? Is there a workaround aside from disabling privilege separation or making the parent directory (i.e. /home) world-writable (both of which do solve the issue)? Thanks, Chuck McIntyre I have attached the debugging information below, if it matters. --- from sshd -d -d -d --- debug1: sshd version OpenSSH_3.4p1 debug1: private host key: #0 type 0 RSA1 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA socket: Address family not supported by protocol debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. 
debug3: tty_parse_modes: 91 1
debug3: tty_parse_modes: 92 0
debug3: tty_parse_modes: 93 0
debug1: server_input_channel_req: channel 0 request x11-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req x11-req
debug1: x11_create_display_inet: Socket family 10 not supported
debug1: fd 14 setting O_NONBLOCK
debug2: fd 14 is O_NONBLOCK
debug1: channel 1: new [X11 inet listener]
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: PAM setting tty to "/dev/pts/14"
PAM session setup failed[6]: Permission denied
debug1: Calling cleanup 0x805d290(0x809b700)
debug3: mm_request_send entering: type 27
debug3: monitor_read: checking request 27
debug3: mm_answer_pty_cleanup entering
debug1: session_by_tty: session 0 tty /dev/pts/14
debug3: mm_session_close: session 0 pid 4079
debug3: mm_session_close: tty /dev/pts/14 ptyfd 7
debug1: session_pty_cleanup: session 0 release /dev/pts/14
debug3: mm_request_receive entering
debug1: Calling cleanup 0x8064020(0x0)
debug1: channel_free: channel 0: server-session, nchannels 2
debug3: channel_free: status: The following connections are open:
  #0 server-session (t10 r0 i0/0 o0/0 fd -1/-1)
debug3: channel_close_fds: channel 0: r -1 w -1 e -1
debug1: channel_free: channel 1: X11 inet listener, nchannels 1
debug3: channel_free: status: The following connections are open:
debug3: channel_close_fds: channel 1: r 14 w 14 e -1
debug1: Calling cleanup 0x80549c0(0x0)
debug1: Calling cleanup 0x8071110(0x0)
debug1: Calling cleanup 0x80549c0(0x0)
debug1: Calling cleanup 0x8071110(0x0)
--- END sshd -d -d -d ---

From maeder+news at mathconsult.ch Sat Apr 19 03:26:14 2003
From: maeder+news at mathconsult.ch (Roman Maeder)
Date: Fri, 18 Apr 2003 19:26:14 +0200
Subject: openssh 3.5p1 problem with openssl 0.9.6i
Message-ID: <6766.1050686774@sirius>

you wrote:

> I am using openssh 3.5p1 and I am having problems using the protocol 2
> of ssh with openssl 0.9.6i
> It was working fine with openssl 0.9.6g.
> I am using binary packages downloaded from SunFreeware and I did not
> change any config file.
> Both the machines are running Solaris 8.
>
> /usr/local/bin> ssh -2 -v -v -v test2
> ...
> ...
> debug1: Found key in /local_home/luca/.ssh/known_hosts:2
> debug1: bits set: 1594/3191
> RSA_public_decrypt failed: error:0407006A:rsa
> routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> debug1: ssh_rsa_verify: signature incorrect
> key_verify failed for server_host_key
> ...

same problem here with Solaris 8 openssl 0.9.6i from Sunfreeware.com. I recompiled openssh-3.5p1 (and 3.6p1) with the same result. No more connecting into sshd (everything else is fine).

My solution was to grab the new openssl 0.9.6j and compile it myself, then recompile openssh 3.6p1. Now everything is back in working order.

Roman Maeder

From bugzilla-daemon at mindrot.org Sat Apr 19 16:26:11 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 19 Apr 2003 16:26:11 +1000 (EST)
Subject: [Bug 544] sshd w/privsep fails on Linux 2.0, mm_receive_fd: expected type 1 got 1074276337
Message-ID: <20030419062611.5C4929420A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=544

           Summary: sshd w/privsep fails on Linux 2.0, mm_receive_fd: expected type 1 got 1074276337
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: dtucker at zip.com.au

I'm attempting to reproduce some of the reported bugs on early Linuxes and I've found the following problem with privsep enabled (Debian slink, kernel 2.0.38, libc6 2.0.7). It seems to be related to file descriptor passing.

$ ./sshd -ddd -p 2022
[snip]
debug3: mm_answer_pty entering
debug1: session_new: init
debug1: session_new: session 0
debug3: mm_pty_allocate: waiting for MONITOR_ANS_PTY
debug3: mm_request_receive_expect entering: type 26
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 26
mm_receive_fd: expected type 1 got 1074276337

It seems to be a bug in 2.0 kernels; cmsg_level and cmsg_type returned by recvmsg() make no sense. I built a test program (which I will attach) from code from monitor_fdpass.c. After the fd pass, a 2.0.38 kernel gives:

(gdb) print *cmsg
$1 = {cmsg_len = 16, cmsg_level = 134514016, cmsg_type = -1073742828,
  __cmsg_data = 0xbffffc08 "\005"}

A 2.4.18 kernel gives:

(gdb) print *cmsg
$1 = {cmsg_len = 16, cmsg_level = 1, cmsg_type = 1,
  __cmsg_data = 0xbffff5fc "\a"}

If you comment out the "if (cmsg->cmsg_type != SCM_RIGHTS)" test in mm_receive_fd(), privsep seems to work OK on 2.0 kernels.

I will reduce the test program to an autoconf test, add "#ifndef BROKEN_CMSG_TYPE" and attach the resulting patch.
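The descriptor-passing check the report above is about, as an added example that is not OpenSSH's monitor_fdpass.c nor the attached fdpasstest.c: a descriptor is passed over a UNIX socketpair with SCM_RIGHTS, and the receiver refuses any control message whose level/type are not SOL_SOCKET/SCM_RIGHTS, which is the test that the 2.0.38 kernel trips. Function names (send_fd, recv_fd, fdpass_roundtrip) are this example's own.

```c
/* Added example, not OpenSSH's monitor_fdpass.c: pass a descriptor over a
 * UNIX socketpair with SCM_RIGHTS and validate the control message the way a
 * privsep monitor must before trusting it. All names are this example's own. */
#include <sys/socket.h>
#include <sys/uio.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Send fd over sock alongside a one-byte payload. 0 on success, -1 on error. */
int send_fd(int sock, int fd)
{
    struct msghdr msg;
    struct iovec vec;
    struct cmsghdr *cmsg;
    char ch = '\0';
    union {
        struct cmsghdr hdr;
        char buf[CMSG_SPACE(sizeof(int))];
    } cmsgbuf;

    memset(&msg, 0, sizeof(msg));
    memset(&cmsgbuf, 0, sizeof(cmsgbuf));
    vec.iov_base = &ch;
    vec.iov_len = 1;
    msg.msg_iov = &vec;
    msg.msg_iovlen = 1;
    msg.msg_control = cmsgbuf.buf;
    msg.msg_controllen = sizeof(cmsgbuf.buf);
    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor from sock. Returns the new fd, or -1 when no control
 * message arrived or its level/type are not SOL_SOCKET/SCM_RIGHTS, which is
 * the check the report above sees fail on a 2.0.38 kernel. */
int recv_fd(int sock)
{
    struct msghdr msg;
    struct iovec vec;
    struct cmsghdr *cmsg;
    char ch;
    int fd;
    union {
        struct cmsghdr hdr;
        char buf[CMSG_SPACE(sizeof(int))];
    } cmsgbuf;

    memset(&msg, 0, sizeof(msg));
    memset(&cmsgbuf, 0, sizeof(cmsgbuf));
    vec.iov_base = &ch;
    vec.iov_len = 1;
    msg.msg_iov = &vec;
    msg.msg_iovlen = 1;
    msg.msg_control = cmsgbuf.buf;
    msg.msg_controllen = sizeof(cmsgbuf.buf);
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    cmsg = CMSG_FIRSTHDR(&msg);
    if (cmsg == NULL || cmsg->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    if (cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS) {
        fprintf(stderr, "recv_fd: expected type %d got %d\n", SCM_RIGHTS, cmsg->cmsg_type);
        return -1;
    }
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* Round trip inside one process: pass a pipe's read end across a socketpair,
 * then prove the received descriptor is the same open file by reading through
 * it a byte written to the pipe. Returns 1 on success, 0 on any failure. */
int fdpass_roundtrip(void)
{
    int sv[2], pfd[2], got = -1, ok = 0;
    char c = 0;

    if (pipe(pfd) == -1)
        return 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) {
        close(pfd[0]); close(pfd[1]);
        return 0;
    }
    if (send_fd(sv[0], pfd[0]) == 0 && (got = recv_fd(sv[1])) != -1 &&
        write(pfd[1], "x", 1) == 1 && read(got, &c, 1) == 1 && c == 'x')
        ok = 1;
    if (got != -1) close(got);
    close(sv[0]); close(sv[1]); close(pfd[0]); close(pfd[1]);
    return ok;
}

int main(void)
{
    return fdpass_roundtrip() ? 0 : 1;
}
```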
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Apr 19 16:33:34 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 19 Apr 2003 16:33:34 +1000 (EST)
Subject: [Bug 544] sshd w/privsep fails on Linux 2.0, mm_receive_fd: expected type 1 got 1074276337
Message-ID: <20030419063334.2DFEF94218@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=544

------- Additional Comments From dtucker at zip.com.au 2003-04-19 16:33 -------
Created an attachment (id=271)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=271&action=view)
fdpasstest.c: test for descriptor-passing bug on Linux 2.0

Quick hacked-together test for fd passing bug.

From Services at ywzc.net Sat Apr 19 18:36:26 2003
From: Services at ywzc.net (Lucy)
Date: Sat, 19 Apr 2003 16:36:26 +0800
Subject: Hi
Message-ID: <20030419082900.7BEDE9421E@shitei.mindrot.org>

From bugzilla-daemon at mindrot.org Sun Apr 20 09:58:03 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 20 Apr 2003 09:58:03 +1000 (EST)
Subject: [Bug 538] Hanging while connecting
Message-ID: <20030419235803.DCF6F94207@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=538

------- Additional Comments From onu at 29.ca 2003-04-20 09:58 -------
With an MTU setting of 576, connections would still hang, but noticeably less often. Encouraged by this, I set the MTU to 200. With this MTU, I haven't experienced a single hung session. I've tried two different network cards, one switch and one hub and in all cases, only with an MTU of 200 can I avoid hung sessions.

I still don't understand whether this is a software or a hardware problem. I'll probably leave the MTU at 200 for now. In a month or two, I expect to have a second identical Ultra 5. Maybe it will help diagnose the problem.

From bugzilla-daemon at mindrot.org Sun Apr 20 12:09:43 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 20 Apr 2003 12:09:43 +1000 (EST)
Subject: [Bug 538] Hanging while connecting
Message-ID: <20030420020943.E80349421E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=538

------- Additional Comments From tim at multitalents.net 2003-04-20 12:09 -------
Could your Ultra 5 be connected to a Cisco hub/switch? Some Sun hardware is notorious for getting into negotiation loops with the switch on network parameters. Ie. 10/100, Half/Full duplex. The solution is to lock down at least one side with the parameters you want.

It may not be your problem but it's worth a try.

From carson at taltos.org Sun Apr 20 20:20:33 2003
From: carson at taltos.org (Carson Gaspar)
Date: Sun, 20 Apr 2003 06:20:33 -0400
Subject: [Bug 538] Hanging while connecting
In-Reply-To: <20030420020943.E80349421E@shitei.mindrot.org>
References: <20030420020943.E80349421E@shitei.mindrot.org>
Message-ID: <124074546.1050819633@[192.168.20.2]>

--On Sunday, April 20, 2003 12:09 PM +1000 bugzilla-daemon at mindrot.org wrote:

> ------- Additional Comments From tim at multitalents.net 2003-04-20 12:09
> ------- Could your Ultra 5 be connected to a Cisco hub/switch?
> Some Sun hardware is notorious for getting into negotiation loops
> with the switch on network parameters. Ie. 10/100, Half/Full duplex.
> The solution is to lock down at least one side with the parameters you
> want.
>
> It may not be your problem but it's worth a try.

No. Either leave both at auto/auto, or lock down both. Never leave one on auto/auto and the other on fixed. That will almost guarantee a duplex mismatch.

--
Carson

From bugzilla-daemon at mindrot.org Sun Apr 20 22:34:14 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 20 Apr 2003 22:34:14 +1000 (EST)
Subject: [Bug 544] sshd w/privsep fails on Linux 2.0, mm_receive_fd: expected type 1 got 1074276337
Message-ID: <20030420123414.7771794209@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=544

------- Additional Comments From dtucker at zip.com.au 2003-04-20 22:34 -------
Created an attachment (id=272)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=272&action=view)
Define BROKEN_CMSG_TYPE for Linux 2.0 kernels

I couldn't get the test case to work with compiler optimization on (ie the default CFLAGS). Not sure why. Gave up and added a test for Linux 2.0 in configure.ac.

From bugzilla-daemon at mindrot.org Sun Apr 20 22:34:44 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 20 Apr 2003 22:34:44 +1000 (EST)
Subject: [Bug 544] sshd w/privsep fails on Linux 2.0, mm_receive_fd: expected type 1 got 1074276337
Message-ID: <20030420123444.15F0394209@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=544

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Keywords|                            |patch

From bugzilla-daemon at mindrot.org Tue Apr 22 05:08:01 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 22 Apr 2003 05:08:01 +1000 (EST)
Subject: [Bug 207] Connect timeout patch
Message-ID: <20030421190801.E0DA294207@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=207

------- Additional Comments From jclonguet at free.fr 2003-04-22 05:08 -------
Created an attachment (id=273)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=273&action=view)
Patch for OpenSSH-3.6.1p1

From bugzilla-daemon at mindrot.org Tue Apr 22 05:09:33 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 22 Apr 2003 05:09:33 +1000 (EST)
Subject: [Bug 207] Connect timeout patch
Message-ID: <20030421190933.E7A649420E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=207

------- Additional Comments From jclonguet at free.fr 2003-04-22 05:09 -------
Created an attachment (id=274)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=274&action=view)
Patch for OpenSSH-3.6.1

First patch attempt for the non-portable version.

From bugzilla-daemon at mindrot.org Tue Apr 22 05:10:27 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 22 Apr 2003 05:10:27 +1000 (EST)
Subject: [Bug 207] Connect timeout patch
Message-ID: <20030421191027.1288A9422B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=207

jclonguet at free.fr changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|older versions              |-current

From bugzilla-daemon at mindrot.org Tue Apr 22 05:11:11 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 22 Apr 2003 05:11:11 +1000 (EST)
Subject: [Bug 207] Connect timeout patch
Message-ID: <20030421191111.C81BC94233@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=207

jclonguet at free.fr changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|http://charts.free.fr/openss|http://charts.free.fr/
                   |h-3.1p1-timeout-1.02.patch  |

From libove at felines.org Tue Apr 22 06:36:34 2003
From: libove at felines.org (Jay Libove)
Date: Mon, 21 Apr 2003 16:36:34 -0400 (EDT)
Subject: OpenSSH 3.6.1p1 on NCR - configuration changes?
In-Reply-To: <20030421191111.C81BC94233@shitei.mindrot.org>
References: <20030421191111.C81BC94233@shitei.mindrot.org>
Message-ID:

Hi -

I'm just following up on my reports a couple of weeks back about getting OpenSSH 3.6.1p1 to compile and run on NCR MP-RAS.

Did any changes get submitted to the configuration scripts to make them aware of MP-RAS' peculiarities?

Here are the two diffs that I'm using, which probably are not the "right" way to do it.

Thanks
-Jay

diff -cr openssh-3.6.1p1/includes.h openssh-3.6.1p1-customized/includes.h
*** openssh-3.6.1p1/includes.h	Sun Oct 20 20:50:26 2002
--- openssh-3.6.1p1-customized/includes.h	Mon Apr 7 17:32:04 2003
***************
*** 104,110 ****
--- 104,114 ----
  #ifdef HAVE_SYS_TIME_H
  # include /* For timersub */
  #endif
+ #define _XOPEN_SOURCE
+ #define _XOPEN_SOURCE_EXTENDED 1
  #include
+ #undef _XOPEN_SOURCE_EXTENDED
+ #undef _XOPEN_SOURCE
  #ifdef HAVE_SYS_SELECT_H
  # include
  #endif
*** openssh-3.6.1p1/configure	Tue Apr 1 06:57:28 2003
--- openssh-3.6.1p1-customized/configure	Mon Apr 21 15:40:23 2003
***************
*** 4420,4425 ****
--- 4420,4429 ----
  #define USE_PIPES 1
  _ACEOF

+ cat >>confdefs.h <<\_ACEOF
+ #define STREAMS_PUSH_ACQUIRES_CTTY 1
+ _ACEOF
+
  	;;
  *-sni-sysv*)
  	CPPFLAGS="$CPPFLAGS -I/usr/local/include"

From dtucker at zip.com.au Wed Apr 23 00:01:35 2003
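Review bot: in the includes.h hunk, the `#define _XOPEN_SOURCE` / `#define _XOPEN_SOURCE_EXTENDED 1` pair is switched on around a single `#include` and then `#undef`'d again. Feature-test macros decide which declarations every system header exposes, so the HAVE_SYS_TIME_H include just above this block and the HAVE_SYS_SELECT_H include just below it are compiled with a different feature set than the wrapped header; that inconsistency tends to surface later as a missing or conflicting prototype, and the `#undef` will also silently discard any value passed in through CPPFLAGS. Set the macros once for the whole translation unit, from configure and for this host only, rather than toggling them here.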
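Review bot: the configure hunk edits the generated `configure` script instead of `configure.ac`, so the change disappears the next time autoreconf regenerates it, and the added `cat >>confdefs.h` block lands at the tail of whichever host case precedes `*-sni-sysv*)` (that case's pattern is outside the hunk), so that platform would pick up `STREAMS_PUSH_ACQUIRES_CTTY` as well. Give MP-RAS its own host case in configure.ac with AC_DEFINE(STREAMS_PUSH_ACQUIRES_CTTY) and let configure generate the confdefs.h lines.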
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 23 Apr 2003 00:01:35 +1000
Subject: OpenSSH 3.6.1p1 on NCR - configuration changes?
References: <20030421191111.C81BC94233@shitei.mindrot.org>
Message-ID: <3EA54B3F.26BE6DB8@zip.com.au>

Jay Libove wrote:
> I'm just following up on my reports a couple of weeks back about getting
> OpenSSH 3.6.1p1 to compile and run on NCR MP-RAS.
>
> Did any changes get submitted to the configuration scripts to make them
> aware of MP-RAS' peculiarities?

I don't think so.

> Here are the two diffs that I'm using, which probably are not the "right"
> way to do it.

To make it fit in better you can take a note of what "configure" reports as the system type, eg, for linux it's:

checking build system type... i586-pc-linux-gnu
checking host system type... i586-pc-linux-gnu

then add something like the following to configure.ac

*-*-mpras*)
	AC_DEFINE(STREAMS_PUSH_ACQUIRES_CTTY)
	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
	;;

All that's left is to run autoreconf to rebuild configure, then re-run configure and make.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From jfh at cise.ufl.edu Wed Apr 23 01:21:21 2003
From: jfh at cise.ufl.edu (James F.Hranicky)
Date: Tue, 22 Apr 2003 11:21:21 -0400
Subject: Kerberos password change patch
Message-ID: <20030422112121.04e6422e.jfh@cise.ufl.edu>

Attached is a patch that allows for an interactive Kerberos password change via keyboard-interactive, and also reports any banners received from krb5_g_i_c_p() (e.g., password expiration notification if you have krb5-1.2.x patched appropriately).

This could probably be refactored a bit and probably done better, but I'm sending this in in case anyone finds it useful.

The major drawback is that it doesn't work under privsep, due to the chroot jail. I tried adding the necessary files under /var/empty and was able to get the password change to work, but then authentication itself still fails (in auth_krb5_password_via_kbd_int:krb5_kuserok(), possibly due to the absence of /etc/.name_service_door).

Does anyone know if it's architecturally possible to get this code to work under privsep, or rather, out from under privsep? Privsep is a bit difficult to debug, but I'll keep plugging away if need be.

(Note, this patch is against 3.5p1, but the same problem happens when 3.6p1 is patched with it).

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh at cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------

"Given a choice between a complex, difficult-to-understand, disconcerting
 explanation and a simplistic, comforting one, many prefer simplistic
 comfort if it's remotely plausible, especially if it involves blaming
 someone else for their problems."
    -- Bob Lewis, _Infoworld_

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-3.5p1.krb5-kbdint.patch.txt
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030422/0a86522e/attachment.txt

From fcusack at fcusack.com Wed Apr 23 02:23:38 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Tue, 22 Apr 2003 09:23:38 -0700
Subject: Kerberos password change patch
In-Reply-To: <20030422112121.04e6422e.jfh@cise.ufl.edu>; from jfh@cise.ufl.edu on Tue, Apr 22, 2003 at 11:21:21AM -0400
References: <20030422112121.04e6422e.jfh@cise.ufl.edu>
Message-ID: <20030422092338.A2956@google.com>

On Tue, Apr 22, 2003 at 11:21:21AM -0400, James F.Hranicky wrote:
> Attached is a patch that allows for an interactive Kerberos password
> change via keyboard-interactive,

Why don't you let PAM do it?

> Does anyone know if it's architecturally possible to get this code to
> work under privsep, or rather, out from under privsep? Privsep is
> a bit difficult to debug, but I'll keep plugging away if need be.
> (Note, this patch is against 3.5p1, but the same problem happens when
> 3.6p1 is patched with it).

There's been a patch proposed to make PAM (and kbd-int) work correctly under privsep. IIRC, an import of FreeBSD code.

/fc

From markus at openbsd.org Wed Apr 23 03:35:28 2003
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 22 Apr 2003 19:35:28 +0200
Subject: Kerberos password change patch
In-Reply-To: <20030422112121.04e6422e.jfh@cise.ufl.edu>
References: <20030422112121.04e6422e.jfh@cise.ufl.edu>
Message-ID: <20030422173528.GC11665@folly>

On Tue, Apr 22, 2003 at 11:21:21AM -0400, James F.Hranicky wrote:
> Attached is a patch that allows for an interactive Kerberos password
> change via keyboard-interactive, and also reports any banners received
> from krb5_g_i_c_p() (e.g., password expiration notification if you have
> krb5-1.2.x patched appropriately).
>
> This could probably be refactored a bit and probably done better, but
> I'm sending this in in case anyone finds it useful.

hi, why can't you just define a KbdintDevice?
what's missing?

From jfh at cise.ufl.edu Wed Apr 23 03:44:02 2003
From: jfh at cise.ufl.edu (James F.Hranicky)
Date: Tue, 22 Apr 2003 13:44:02 -0400
Subject: Kerberos password change patch
In-Reply-To: <20030422092338.A2956@google.com>
References: <20030422112121.04e6422e.jfh@cise.ufl.edu> <20030422092338.A2956@google.com>
Message-ID: <20030422134402.0976aa23.jfh@cise.ufl.edu>

On Tue, 22 Apr 2003 09:23:38 -0700
Frank Cusack wrote:

> On Tue, Apr 22, 2003 at 11:21:21AM -0400, James F.Hranicky wrote:
> > Attached is a patch that allows for an interactive Kerberos password
> > change via keyboard-interactive,
>
> Why don't you let PAM do it?

Too many problems trying to get the same PAM to work properly across multiple platforms. I'm tired of putting reads from FIFO's in PAM modules to get the debugger to stop in the correct dynamically loaded module to determine why the program is coring, only to have other problems crop up when I move, say, from Solaris to Linux. Plus, any problem you have you're debugging both the module and the implementation in the PAMified program, so it just seemed easier to cut out the middleman and do it all in openssh.

> > Does anyone know if it's architecturally possible to get this code to
> > work under privsep, or rather, out from under privsep? Privsep is
> > a bit difficult to debug, but I'll keep plugging away if need be.
> > (Note, this patch is against 3.5p1, but the same problem happens when
> > 3.6p1 is patched with it).
>
> There's been a patch proposed to make PAM (and kbd-int) work correctly
> under privsep. IIRC, an import of FreeBSD code.

If I can get PAM w/password expiry working properly on Solaris and Linux, I suppose I'd be happy. I've already dumped PAM for xdm and xlock, now that I have kerberized versions of both, and xlock, xdm and openssh are the only programs I'm going to bother doing password exp with. Any other program will use PAM, without password expiration (courier IMAP, cups, etc).

Has anyone gotten PAM/Kerberos/password expiration working properly and consistently on Solaris and Linux? If not, any pointers on privsep and my patch would be greatly appreciated, although I'll be checking FreeBSD's PAM patch to see what they are doing about it.

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh at cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------

"Given a choice between a complex, difficult-to-understand, disconcerting
 explanation and a simplistic, comforting one, many prefer simplistic
 comfort if it's remotely plausible, especially if it involves blaming
 someone else for their problems."
    -- Bob Lewis, _Infoworld_

From jfh at cise.ufl.edu Wed Apr 23 03:46:45 2003
From: jfh at cise.ufl.edu (James F.Hranicky) Date: Tue, 22 Apr 2003 13:46:45 -0400 Subject: Kerberos password change patch In-Reply-To: <20030422173528.GC11665@folly> References: <20030422112121.04e6422e.jfh@cise.ufl.edu> <20030422173528.GC11665@folly> Message-ID: <20030422134645.52f51c73.jfh@cise.ufl.edu> On Tue, 22 Apr 2003 19:35:28 +0200 Markus Friedl wrote: > On Tue, Apr 22, 2003 at 11:21:21AM -0400, James F.Hranicky wrote: > > Attached is a patch that allows for an interactive Kerberos password > > change via keyboard-interactive, and also reports any banners received > > from krb5_g_i_c_p() (e.g., password expiration notification if you have > > krb5-1.2.x patched appropriately). > > > > This could probably be refactored a bit and probably done better, but > > I'm sending this in in case anyone finds it useful. > > hi, why can't you just define a KbdintDevice? > what's missing? Hmmm...well, I guess because I don't know what that entails. I suppose I only read/traced through enough of the code to do what I wanted :-> It's entirely possible that there's a better way to do what want... What is involved in defining a KbdintDevice, and how would it help? If it's better, I can do that. ---------------------------------------------------------------------- | Jim Hranicky, Senior SysAdmin UF/CISE Department | | E314D CSE Building Phone (352) 392-1499 | | jfh at cise.ufl.edu http://www.cise.ufl.edu/~jfh | ---------------------------------------------------------------------- "Given a choice between a complex, difficult-to-understand, disconcerting explanation and a simplistic, comforting one, many prefer simplistic comfort if it's remotely plausible, especially if it involves blaming someone else for their problems." -- Bob Lewis, _Infoworld_ From fcusack at fcusack.com Wed Apr 23 06:57:22 2003 
From: fcusack at fcusack.com (Frank Cusack) Date: Tue, 22 Apr 2003 13:57:22 -0700 Subject: Kerberos password change patch In-Reply-To: <20030422134402.0976aa23.jfh@cise.ufl.edu>; from jfh@cise.ufl.edu on Tue, Apr 22, 2003 at 01:44:02PM -0400 References: <20030422112121.04e6422e.jfh@cise.ufl.edu> <20030422092338.A2956@google.com> <20030422134402.0976aa23.jfh@cise.ufl.edu> Message-ID: <20030422135722.A3551@google.com> On Tue, Apr 22, 2003 at 01:44:02PM -0400, James F.Hranicky wrote: > On Tue, 22 Apr 2003 09:23:38 -0700 > Frank Cusack wrote: > > > On Tue, Apr 22, 2003 at 11:21:21AM -0400, James F.Hranicky wrote: > > > Attached is a patch that allows for an interactive Kerberos password > > > change via keyboard-interactive, > > > > Why don't you let PAM do it? > > Too many problems trying to get the same PAM to work properly across multiple > platforms. I'm tired of putting reads from FIFO's in PAM modules to get OK, I can understand that, but don't existing PAM modules work? RH ships a pam_krb5 that I have to imagine is kosher, you can also try my pam_krb5 (http://www.fcusack.com/) which works. > Plus, any problem you have you're debugging both the module and the > implementation in the PAMified program, so it just seemed easier to cut > out the middleman and do it all in openssh. Yeah, but then you have to do it for each and every program. With PAM you do it once. It's more direct to do it in openssh, but definitely far inferior to using PAM, from a portability/configurability standpoint. > If not, any pointers on privsep and my patch would be greatly appreciated, > although I'll be checking FreeBSD's PAM patch to see what they are doing > about it. On Thu, Jan 23, 2003 at 05:18:13PM +1100, Damien Miller wrote: > http://www.mindrot.org/~djm/openssh/openssh-newpam-20030123.tar.gz > > Is a snapshot of the new PAM-via-KbdInt authentication support from > FreeBSD's OpenSSH tree. /fc From wendyp at cray.com Wed Apr 23 08:29:11 2003 
From: wendyp at cray.com (Wendy Palm) Date: Tue, 22 Apr 2003 17:29:11 -0500 Subject: GSS-API Message-ID: <3EA5C237.1070400@cray.com> simon- any luck with that GSS-API patch for 3.6.1? ben/markus/whoever - will this ever be added to source? thanks, wendy -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From jfh at cise.ufl.edu Wed Apr 23 11:45:46 2003 
From: jfh at cise.ufl.edu (James F.Hranicky) Date: Tue, 22 Apr 2003 21:45:46 -0400 Subject: Kerberos password change patch In-Reply-To: <20030422135722.A3551@google.com> References: <20030422112121.04e6422e.jfh@cise.ufl.edu> <20030422092338.A2956@google.com> <20030422134402.0976aa23.jfh@cise.ufl.edu> <20030422135722.A3551@google.com> Message-ID: <20030422214546.71e3e651.jfh@cise.ufl.edu> On Tue, 22 Apr 2003 13:57:22 -0700 Frank Cusack wrote: > > Too many problems trying to get the same PAM to work properly across multiple > > platforms. I'm tired of putting reads from FIFO's in PAM modules to get > > OK, I can understand that, but don't existing PAM modules work? > RH ships a pam_krb5 that I have to imagine is kosher, you can also > try my pam_krb5 (http://www.fcusack.com/) which works. I haven't tried RHs, but while I got yours (v1.0) to work on Solaris, when I tried it on Linux, it printed out all the prompts at once, and used the old password to "change" the password to the "new" one (which was foiled if the user had a password history set). Sorry, I probably should have filed a bug report, but I spent way too much time with the modified version (1.0.3) which had problems with coring due to bad pointer handling in the conversation functions, as well as security problems (which I reported to the pam_krb5 list and the kerberos list, to no response, although the fix was easy), and I just got exasperated. > Yeah, but then you have to do it for each and every program. With PAM > you do it once. It's more direct to do it in openssh, but definitely > far inferior to using PAM, from a portability/configurability standpoint. Well, unfortunately, that hasn't been my experience -- even when the module seems to be working I have to deal with every program's PAM implementation which may simply not work right. It's entirely possible I goofed things up, but when your error message is a core dump, it's discouraging. 
> On Thu, Jan 23, 2003 at 05:18:13PM +1100, Damien Miller wrote:
> > http://www.mindrot.org/~djm/openssh/openssh-newpam-20030123.tar.gz
> >
> > Is a snapshot of the new PAM-via-KbdInt authentication support from
> > FreeBSD's OpenSSH tree.

I'll let you know how it goes, but I'm probably more interested in setting
up a KbdintDevice as per Markus Friedl's suggestion.

Jim

From bugzilla-daemon at mindrot.org Wed Apr 23 17:33:52 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 23 Apr 2003 17:33:52 +1000 (EST)
Subject: [Bug 545] openssh-3.6.1p1 does not build on SunOS: IP_TOS not defined
Message-ID: <20030423073352.069CB94207@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=545

           Summary: openssh-3.6.1p1 does not build on SunOS: IP_TOS not defined
           Product: Portable OpenSSH
           Version: 3.6p1
          Platform: All
        OS/Version: SunOS
            Status: NEW
          Severity: trivial
          Priority: P3
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: tdsc.af at infineon.com

In the file packet.c, in function packet_set_interactive, line 1349, there is
a preprocessor directive making the call to packet_set_tos dependent on
IP_TOS being defined, which makes sense. Unfortunately, in the function
packet_set_tos IP_TOS is used unconditionally, which breaks compilation at
least on SunOS-4, which is not aware of this IP option. So either the entire
function is #ifdef-ed away or at least the call of setsockopt in line 1325,
including the if(...) error(...)

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 23 18:18:43 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 23 Apr 2003 18:18:43 +1000 (EST) Subject: [Bug 545] openssh-3.6.1p1 does not build on SunOS: IP_TOS not defined Message-ID: <20030423081843.13F2D94207@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=545 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |DUPLICATE ------- Additional Comments From dtucker at zip.com.au 2003-04-23 18:18 ------- This looks awfully similar to bug #527. *** This bug has been marked as a duplicate of 527 *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 23 18:18:44 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 23 Apr 2003 18:18:44 +1000 (EST) Subject: [Bug 527] Bad packet length on SunOS 4.1.3U1 Message-ID: <20030423081844.CB23F94223@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=527 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tdsc.af at infineon.com ------- Additional Comments From dtucker at zip.com.au 2003-04-23 18:18 ------- *** Bug 545 has been marked as a duplicate of this bug. *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From genty at austin.ibm.com Thu Apr 24 00:43:08 2003 
From: genty at austin.ibm.com (Denise Genty)
Date: Wed, 23 Apr 2003 09:43:08 -0500
Subject: GSS-API
References: <3EA5C237.1070400@cray.com>
Message-ID: <3EA6A67C.9973FA86@austin.ibm.com>

I would like to see the GSS-API patch added to the source too.

Wendy Palm wrote:
> simon-
>
> any luck with that GSS-API patch for 3.6.1?
>
> ben/markus/whoever -
> will this ever be added to source?
>
> thanks,
> wendy
>
> --
> wendy palm
> Cray OS Sustaining Engineering, Cray Inc.
> wendyp at cray.com, 651-605-9154

--
Denise M. Genty
genty at austin.ibm.com
(512)838-8170 - T/L 678-8170
AIX Network Security Development
Server Division, pSeries

From bugzilla-daemon at mindrot.org Thu Apr 24 04:30:10 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 24 Apr 2003 04:30:10 +1000 (EST)
Subject: [Bug 546] test for basename() fails on IRIX
Message-ID: <20030423183010.9743B94226@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=546

           Summary: test for basename() fails on IRIX
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: IRIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: drk at sgi.com

On SGI IRIX 6.x systems you must include and link with -lgen to use
basename(). The 3.6.1p1 configure script correctly finds the header, but
doesn't probe for basename() in -lgen. As a result various openbsd-compat
files fail to compile because the local basename prototype does not match the
one from libgen.h.

From bugzilla-daemon at mindrot.org Fri Apr 25 01:33:28 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 25 Apr 2003 01:33:28 +1000 (EST) Subject: [Bug 547] Missing radix.o in makefile for AFS Message-ID: <20030424153328.71E2A94251@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=547 Summary: Missing radix.o in makefile for AFS Product: Portable OpenSSH Version: 3.6p1 Platform: ix86 OS/Version: Linux Status: NEW Severity: minor Priority: P3 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: argent at thayer.dartmouth.edu When compiling Openssh-3.6.1p1 for linux (on RedHat-7.3), linking of the ssh and sshd binaries fails, complaining that creds_to_radix (or radix_to_creds) cannot be found. The problem is that radix.o is not included in the makefile rules for these targets. I ran configure as: ./configure --prefix=/usr/etc/openssh/ --with-pam --with-kerberos4=/usr/local/krb4 --with-afs --sysconfdir=/etc/ssh --bindir=/usr/bin --mandir=/usr/local/man --with-pid-dir=/etc/ssh --with-ipv4-default --with-default-path=/usr/bin:/bin:/usr/sbin:/sbin:/usr/afsws/bin:/usr/local/bin:. My guess is that the --with-afs flag was the one which required radix.o to be built and linked. In sshconnect1.c, radix.h is included by: #ifdef AFS #include #include "radix.h" #endif ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Fri Apr 25 02:35:40 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 25 Apr 2003 02:35:40 +1000 (EST)
Subject: [Bug 548] SSH Authentication fails against PAM + pam_ldap
Message-ID: <20030424163540.B303E94253@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=548

           Summary: SSH Authentication fails against PAM + pam_ldap
           Product: Portable OpenSSH
           Version: 3.5p1
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: mark-spamx at cymry.org

All tested services (ftp/telnet/etc) authenticate fine against PAM/LDAP except
for SSH. Services are configured in pam to fall through to system-auth, so all
services are using the same PAM configuration for authentication.

Attempting to login using public keys gives a password expiry error; all other
authentication simply fails as if a bad password was given.

Tried removing shadowAccount class from the user definition as well as
disabling Privilege separation; neither fixed the problem.

Output of sshd -d -d -d and ssh -v (client side) will be attached.

From bugzilla-daemon at mindrot.org Fri Apr 25 02:37:09 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 25 Apr 2003 02:37:09 +1000 (EST)
Subject: [Bug 548] SSH Authentication fails against PAM + pam_ldap
Message-ID: <20030424163709.14A6994255@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=548

------- Additional Comments From mark-spamx at cymry.org 2003-04-25 02:37 -------
Created an attachment (id=275)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=275&action=view)
Output of sshd -d -d -d

From bugzilla-daemon at mindrot.org Fri Apr 25 02:37:48 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 25 Apr 2003 02:37:48 +1000 (EST)
Subject: [Bug 548] SSH Authentication fails against PAM + pam_ldap
Message-ID: <20030424163748.2A88894255@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=548

------- Additional Comments From mark-spamx at cymry.org 2003-04-25 02:37 -------
Created an attachment (id=276)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=276&action=view)
output of ssh -v -v server

From kstef at mtppi.org Fri Apr 25 03:48:55 2003
From: kstef at mtppi.org (Kevin Stefanik)
Date: Thu, 24 Apr 2003 13:48:55 -0400
Subject: x509v3-sign-rsa authentication type...
Message-ID: <200304241348.55176.kstef@mtppi.org>

I've seen a variety of patches on the list for supporting the x509v3
certificate authentication. Are there any plans to include any of these in
the official openssh?

Thanks,
Kevin Stefanik

From hmarina at mf.gov.ve Sat Apr 26 01:14:33 2003
From: hmarina at mf.gov.ve (Horacio Mariña)
Date: Fri, 25 Apr 2003 11:14:33 -0400
Subject: problem
Message-ID:

I have a problem. I am installing openssh-3.6.1 on Digital Unix version 4.0d,
and I can't install it because of this error:

configure: error: *** Can't find recent OpenSSL libcrypto (see config.log for detail)

Please help me.

Horacio Mariña

From jdennis at law.harvard.edu Sat Apr 26 01:39:23 2003
From: jdennis at law.harvard.edu (James Dennis)
Date: Fri, 25 Apr 2003 10:39:23 -0500
Subject: problem
In-Reply-To:
References:
Message-ID: <3EA956AB.70609@law.harvard.edu>

You need to install OpenSSL. If it is already installed, use the
--with-ssl-dir=PATH configure flag to specify its location.

Horacio Mariña wrote:
> I have a problem. I am installing openssh-3.6.1 on Digital Unix version
> 4.0d, and I can't install it because of this error:
>
> configure: error: *** Can't find recent OpenSSL libcrypto (see config.log for detail)
>
> Please help me.
>
> Horacio Mariña

--
James Dennis
Harvard Law School

"Not everything that counts can be counted, and not everything that can be
counted counts."

From CHarris at checkfree.com Sat Apr 26 03:07:58 2003
From: CHarris at checkfree.com (CHarris at checkfree.com)
Date: Fri, 25 Apr 2003 13:07:58 -0400
Subject: problem
Message-ID:

I solved this yesterday in my environment, so hopefully I can be of some help.

Locate the libcrypto file on your computer. (Mine is libcrypto.a; however,
your installation may be looking for a different extension. Issue a
"find / -name libcrypto*".) If it doesn't exist, you will need to install
openSSL prior to installing OpenSSH.

Check to see the last time your libcrypto file was accessed (ls -lu will
give the access time). Ensure it is being accessed when you run the
configure.

If it IS being accessed, you will need to install the latest version of
openSSL (hence the word 'recent' in the error message).

If it is NOT being accessed, issue the following when you run configure:

LD_RUN_PATH=/path/to/ssl/lib ./configure --with-ssl-dir=/path/to/ssl

Hope this helps,

Chris Harris
Software Engineer
Transmissions/Translations
charris at checkfree.com
Phone: (678) 375-1343
Cell: (678) 595-7790
Pager: (888) 561-2876
Fax: (678) 375-2004
The #1 Way to Pay Online
http://www.checkfree.com/paybillsonline

Horacio Mariña
Sent by: openssh-unix-dev-admin@mindrot.org
04/25/2003 11:14 AM
Subject: problem

I have a problem. I am installing openssh-3.6.1 on Digital Unix version 4.0d,
and I can't install it because of this error:

configure: error: *** Can't find recent OpenSSL libcrypto (see config.log for detail)

Please help me.

Horacio Mariña

From bugzilla-daemon at mindrot.org Sun Apr 27 06:04:43 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 27 Apr 2003 06:04:43 +1000 (EST)
Subject: [Bug 548] SSH Authentication fails against PAM + pam_ldap
Message-ID: <20030426200443.E41B294209@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=548

mark-spamx at cymry.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From mark-spamx at cymry.org 2003-04-27 06:04 -------
Fixed. The filename in /etc/pam.d was incorrect for the way it was compiled.
I had tried changing it at one point, but I'm guessing something must've been
wrong with my configuration so that it still failed.

From bugzilla-daemon at mindrot.org Sun Apr 27 08:34:34 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 27 Apr 2003 08:34:34 +1000 (EST)
Subject: [Bug 549] Login Delay / Remove unwanted reverse map check
Message-ID: <20030426223434.7329494217@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=549

           Summary: Login Delay / Remove unwanted reverse map check
           Product: Portable OpenSSH
           Version: 3.5p1
          Platform: PPC
        OS/Version: AIX
            Status: NEW
          Severity: normal
          Priority: P3
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: devin.nate at bridgecomm.net

OpenSSH compiled and working well on AIX 4.3.3 and 5.1. When some users go to
connect using a ssh client, they experience a 60-90 second delay. Basic
examination reveals that it's the ip->host reverse map. Further investigation
reveals the code in canohost.c:

	debug3("Trying to reverse map address %.100s.", ntop);
	/* Map the IP address to a host name. */
	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
	    NULL, 0, NI_NAMEREQD) != 0) {
		/* Host name not found.  Use ip address. */
#if 0
		log("Could not reverse map address %.100s.", ntop);
#endif
		return xstrdup(ntop);
	}

If the reverse lookup fails, it resorts to the IP address. Ideally, a person
could configure ssh to never do a reverse lookup.

sshd is running, via inittab:

	sshd:2:respawn:/usr/local/sbin/sshd -Du0

Documentation suggests that the option -u0 causes sshd not to do a lookup,
but this is not true (i.e. there is no if statement surrounding that block of
code that would indicate -u0 will stop the lookup), and experience shows that
users are still getting hung up on a reverse lookup in some situations.

I've created a mini patch to bypass the check, which basically amounts to:

#ifdef DISABLE_REVERSE_MAP
	/* Don't search for hostname. Use ip address */
	debug3("Skipping reverse map of address.");
	return xstrdup(ntop);
#endif
	..original canohost.c lookup code.
I am happy to submit my patches, or would like to see either a *_config option
and/or a ./configure --disable-reverse-map type option to absolutely stop DNS
lookups.

Thanks

From bugzilla-daemon at mindrot.org Mon Apr 28 03:56:53 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 28 Apr 2003 03:56:53 +1000 (EST)
Subject: [Bug 541] packet_set_interactive typo
Message-ID: <20030427175653.E7CAD94209@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=541

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From mouring at eviladmin.org 2003-04-28 03:56 -------
Correct, it was a mistake from a merged patch. It has been added back into
portable tree. Thanks.

From mouring at etoh.eviladmin.org Mon Apr 28 04:33:11 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sun, 27 Apr 2003 13:33:11 -0500 (CDT) Subject: [PATCH re-send]: Clean up logging of failed logins Message-ID: sorry, Darren. Long overdue comments. [..] >+/* Record a failed login attempt. */ >+void >+record_failed_login(const char *user, const char *host, const char *ttyname) >+{ >+#ifdef WITH_AIXAUTHENTICATE >+ loginfailed(user, host, ttyname); >+#endif >+#ifdef _UNICOS >+ cray_login_failure((char *)user, IA_UDBERR); >+#endif /* _UNICOS */ >+} I like the patch idea, but I'd like to skip the whole 'chained function calls'. Plus it avoids closely packed #ifdef/#endifs. Just rename cray_login_failure() and loginfailed() to record_failed_login(), and change the #ifdef WITH_AIXAUTHENTICATE to #ifdef CUSTOM_LOGIN_FAILURE. That way we can just #define CUSTOM_LOGIN_FAILURE in the aix/cray headers to activate it and we can keep things cleaner. - Ben From dtucker at zip.com.au Mon Apr 28 08:58:28 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 28 Apr 2003 08:58:28 +1000 Subject: [PATCH re-send]: Clean up logging of failed logins References: Message-ID: <3EAC6094.B28E76C6@zip.com.au> Ben Lindstrom wrote: > Just rename cray_login_failure() and loginfailed() to > record_failed_login(), and change the #ifdef WITH_AIXAUTHENTICATE to > #ifdef CUSTOM_LOGIN_FAILURE. > > That way we can just #define CUSTOM_LOGIN_FAILURE in the aix/cray headers > to activate it and we can keep things cleaner. I just had a quick look. To this, both functions will need 4 arguments, 2 extraneous on Cray, 1 on AIX. What if the next platform that has this functionality needs another argument? Plus there's an extra #ifdef in the mainline. Are you sure that's cleaner? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Mon Apr 28 09:37:21 2003
From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 28 Apr 2003 09:37:21 +1000 Subject: [PATCH re-send]: Clean up logging of failed logins References: Message-ID: <3EAC69B1.A7D4E5DA@zip.com.au> [sorry, forgot to CC the list with my first reply] Ben Lindstrom wrote: > sorry, Darren. Long over due comments. That's OK, but I was wondering if anyone noticed. > I like the patch idea, but I'd like to skip the whole 'chained function > calls'. Plus it avoids closely packed #ifdef/#endifs. Most of the login recording stuff (eg loginrec.c) is closely packed #ifdefs and chained function calls. > Just rename cray_login_failure() and loginfailed() to > record_failed_login(), and change the #ifdef WITH_AIXAUTHENTICATE to > #ifdef CUSTOM_LOGIN_FAILURE. That means adding extraneous arguments to the cray function and changing the "user" argument for both to either "char *" or "const char *". loginfailed() is an AIX library function, so it can't be renamed but we can create a function in port-aix.c. There's other stuff that might end up in there (eg http://bugzilla.mindrot.org/show_bug.cgi?id=543). > That way we can just #define CUSTOM_LOGIN_FAILURE in the aix/cray headers > to activate it and we can keep things cleaner. I'll rework it and see how it looks. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From mouring at etoh.eviladmin.org Mon Apr 28 10:12:35 2003 
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sun, 27 Apr 2003 19:12:35 -0500 (CDT)
Subject: [PATCH re-send]: Clean up logging of failed logins
In-Reply-To: <3EAC6094.B28E76C6@zip.com.au>
Message-ID:

On Mon, 28 Apr 2003, Darren Tucker wrote:

> Ben Lindstrom wrote:
> > Just rename cray_login_failure() and loginfailed() to
> > record_failed_login(), and change the #ifdef WITH_AIXAUTHENTICATE to
> > #ifdef CUSTOM_LOGIN_FAILURE.
> >
> > That way we can just #define CUSTOM_LOGIN_FAILURE in the aix/cray headers
> > to activate it and we can keep things cleaner.
>
> I just had a quick look. To this, both functions will need 4 arguments, 2
> extraneous on Cray, 1 on AIX. What if the next platform that has this
> functionality needs another argument? Plus there's an extra #ifdef in the
> mainline.
>

Not sure how this is different than your version. If it needs more
functionality it is going to get bad for either case. The only difference is
a middleman function in a syncable part of the CVS.

> Are you sure that's cleaner?
>

Maybe. The #ifdef in place get left (BTW.. I'm not against #ifdef.. I'm
against tightly packed ones that can be avoided). Each system can handle
added failure support without it being in the way of resyncs.

I don't mind the #ifdef in the maintree. Just want to avoid cases like
verifying passwords (closely packed, insanely unreadable ifdef clusters like
in the password verification code).

- Ben

From cjwatson at debian.org Mon Apr 28 12:07:22 2003
From: cjwatson at debian.org (Colin Watson)
Date: Mon, 28 Apr 2003 03:07:22 +0100
Subject: rsh fallback
Message-ID: <20030428020722.GA8136@riva.ucam.org>

Hi,

Can anyone remind me of why FallbackToRsh was removed? I've just had a
somewhat irate Debian bug report about it, and don't really have enough
information to respond properly.

Thanks,

--
Colin Watson [cjwatson at flatline.org.uk]

From dtucker at zip.com.au Mon Apr 28 22:48:07 2003
From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 28 Apr 2003 22:48:07 +1000 Subject: [PATCH re-send]: Clean up logging of failed logins References: Message-ID: <3EAD2307.45CD644F@zip.com.au> Ben Lindstrom wrote: > Just rename cray_login_failure() and loginfailed() to > record_failed_login(), and change the #ifdef WITH_AIXAUTHENTICATE to > #ifdef CUSTOM_LOGIN_FAILURE. Is the attached patch better? Tested on AIX 4.3.3. I didn't rename cray_login_failure as it's also used slightly differently by cray_access_denied(), instead I just added an interface function. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: auth.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth.c,v retrieving revision 1.69 diff -u -r1.69 auth.c --- auth.c 9 Apr 2003 11:12:00 -0000 1.69 +++ auth.c 28 Apr 2003 12:10:51 -0000 @@ -268,13 +268,10 @@ get_remote_port(), info); -#ifdef WITH_AIXAUTHENTICATE +#ifdef CUSTOM_FAILED_LOGIN if (authenticated == 0 && strcmp(method, "password") == 0) - loginfailed(authctxt->user, - get_canonical_hostname(options.verify_reverse_mapping), - "ssh"); -#endif /* WITH_AIXAUTHENTICATE */ - + record_failed_login(authctxt->user, "ssh"); +#endif } /* 
@@ -496,10 +493,8 @@ if (pw == NULL) { logit("Illegal user %.100s from %.100s", user, get_remote_ipaddr()); -#ifdef WITH_AIXAUTHENTICATE - loginfailed(user, - get_canonical_hostname(options.verify_reverse_mapping), - "ssh"); +#ifdef CUSTOM_FAILED_LOGIN + record_failed_login(user, "ssh"); #endif return (NULL); } Index: auth1.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth1.c,v retrieving revision 1.81 diff -u -r1.81 auth1.c --- auth1.c 27 Apr 2003 18:41:30 -0000 1.81 +++ auth1.c 28 Apr 2003 11:45:11 -0000 @@ -311,8 +311,6 @@ authctxt->user); #ifdef _UNICOS - if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated) - cray_login_failure(authctxt->user, IA_UDBERR); if (authenticated && cray_access_denied(authctxt->user)) { authenticated = 0; fatal("Access denied for user %s.",authctxt->user); Index: auth2.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth2.c,v retrieving revision 1.114 diff -u -r1.114 auth2.c --- auth2.c 27 Apr 2003 18:44:32 -0000 1.114 +++ auth2.c 28 Apr 2003 11:46:10 -0000 @@ -240,10 +240,6 @@ } else { if (authctxt->failures++ > AUTH_FAIL_MAX) packet_disconnect(AUTH_FAIL_MSG, authctxt->user); -#ifdef _UNICOS - if (strcmp(method, "password") == 0) - cray_login_failure(authctxt->user, IA_UDBERR); -#endif /* _UNICOS */ methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); Index: openbsd-compat/bsd-cray.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/bsd-cray.c,v retrieving revision 1.8 diff -u -r1.8 bsd-cray.c --- openbsd-compat/bsd-cray.c 26 Sep 2002 00:38:51 -0000 1.8 +++ openbsd-compat/bsd-cray.c 28 Apr 2003 11:11:42 -0000 
@@ -143,6 +143,14 @@ return (errcode); } +/* + * record_failed_login: generic "login failed" interface function + */ +record_failed_login(const char *user, const char *ttyname) +{ + cray_login_failure((char *)user, IA_UDBERR); +} + int cray_setup (uid_t uid, char *username, const char *command) { Index: openbsd-compat/bsd-cray.h =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/bsd-cray.h,v retrieving revision 1.7 diff -u -r1.7 bsd-cray.h --- openbsd-compat/bsd-cray.h 21 Mar 2003 01:05:38 -0000 1.7 +++ openbsd-compat/bsd-cray.h 28 Apr 2003 12:42:09 -0000 @@ -42,6 +42,8 @@ void cray_job_termination_handler(int); /* process end of job signal */ void cray_login_failure(char *username, int errcode); int cray_access_denied(char *username); +#define CUSTOM_FAILED_LOGIN 1 +void record_failed_login(const char *user, const char *ttyname); extern char cray_tmpdir[]; /* cray tmpdir */ #ifndef IA_SSHD #define IA_SSHD IA_LOGIN Index: openbsd-compat/port-aix.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/port-aix.c,v retrieving revision 1.6 diff -u -r1.6 port-aix.c --- openbsd-compat/port-aix.c 7 Jul 2002 02:17:36 -0000 1.6 +++ openbsd-compat/port-aix.c 28 Apr 2003 12:26:22 -0000 @@ -24,12 +24,17 @@ * */ #include "includes.h" +#include "ssh.h" +#include "log.h" +#include "servconf.h" #ifdef _AIX #include #include <../xmalloc.h> +extern ServerOptions options; + /* * AIX has a "usrinfo" area where logname and other stuff is stored - * a few applications actually use this and die if it's not set 
@@ -52,5 +57,16 @@ xfree(cp); } +# ifdef CUSTOM_FAILED_LOGIN +/* + * record_failed_login: generic "login failed" interface function + */ +void +record_failed_login(const char *user, const char *ttyname) +{ + loginfailed(user, + get_canonical_hostname(options.verify_reverse_mapping), ttyname); +} +# endif /* CUSTOM_FAILED_LOGIN */ #endif /* _AIX */ Index: openbsd-compat/port-aix.h =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/port-aix.h,v retrieving revision 1.7 diff -u -r1.7 port-aix.h --- openbsd-compat/port-aix.h 1 Feb 2003 04:43:35 -0000 1.7 +++ openbsd-compat/port-aix.h 28 Apr 2003 12:43:45 -0000 @@ -36,5 +36,10 @@ # include #endif +#ifdef WITH_AIXAUTHENTICATE +# define CUSTOM_FAILED_LOGIN 1 +void record_failed_login(const char *user, const char *ttyname); +#endif + void aix_usrinfo(struct passwd *pw); #endif /* _AIX */ From mouring at etoh.eviladmin.org Tue Apr 29 00:57:33 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 28 Apr 2003 09:57:33 -0500 (CDT) Subject: [PATCH re-send]: Clean up logging of failed logins In-Reply-To: <3EAD2307.45CD644F@zip.com.au> Message-ID: On Mon, 28 Apr 2003, Darren Tucker wrote: > Ben Lindstrom wrote: > > Just rename cray_login_failure() and loginfailed() to > > record_failed_login(), and change the #ifdef WITH_AIXAUTHENTICATE to > > #ifdef CUSTOM_LOGIN_FAILURE. > > Is the attached patch better? Tested on AIX 4.3.3. > > I didn't rename cray_login_failure as it's also used slightly differently > by cray_access_denied(), instead I just added an interface function. > Outside of being a bit too #ifdef happy in port-aix.c =) Looks good. I'll add it to the list of commits I have for portable. - Ben From Preetha.Suri at sisl.co.in Tue Apr 29 01:42:40 2003 
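Review bot: the `#endif` that closes the new block in auth_log() (auth.c, hunk @@ -268,13 +268,10 @@) loses the trailing comment that `#endif /* WITH_AIXAUTHENTICATE */` carried, while the matching block in port-aix.c is closed with `# endif /* CUSTOM_FAILED_LOGIN */`; write `#endif /* CUSTOM_FAILED_LOGIN */` in auth.c too so both conditional regions read the same way. Note also that the discussion above settled on the name CUSTOM_LOGIN_FAILURE but the patch defines CUSTOM_FAILED_LOGIN in bsd-cray.h and port-aix.h; the patch is consistent with itself, so just make sure the commit message uses the name that is actually in the headers.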
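Review bot: the definition of record_failed_login() in openbsd-compat/bsd-cray.c (hunk @@ -143,6 +143,14 @@) has no return type, so it defaults to int, yet bsd-cray.h in the same patch declares `void record_failed_login(const char *user, const char *ttyname);`; that is a conflicting-types error with a current compiler and at best a warning on UNICOS. Put `void` in front of the definition, as the port-aix.c version already does. The `(char *)user` cast is only there because cray_login_failure() still takes `char *username`; making that parameter `const char *` in bsd-cray.h would let the cast go.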
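Review bot: the auth1.c and auth2.c hunks remove the direct cray_login_failure() calls for failed password authentication, so on UNICOS a failure is now recorded only by the CUSTOM_FAILED_LOGIN block in auth_log(), which fires only when `authenticated == 0 && strcmp(method, "password") == 0`. Please state in the commit message that auth_log() is reached with method "password" both for SSH_CMSG_AUTH_PASSWORD in protocol 1 and for the protocol 2 password method; if either path logs under a different method name, the Cray login-failure accounting silently stops for it.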
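Review bot: in openbsd-compat/port-aix.c (hunk @@ -52,5 +57,16 @@) the parameter name `ttyname` shadows the libc function ttyname(3); a name such as `tty` avoids -Wshadow noise and reads better, since what auth.c passes is the literal "ssh" rather than a tty. The new `#include "ssh.h"`, `"log.h"` and `"servconf.h"` lines sit outside `#ifdef _AIX` although only the AIX-specific block below needs them; moving them inside the `#ifdef _AIX`, next to the new `extern ServerOptions options;`, keeps this file a no-op on every other platform, as it was before.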
From: Preetha.Suri at sisl.co.in (Preetha Suri) Date: Mon, 28 Apr 2003 21:12:40 +0530 Subject: SFTP in Java Message-ID: Hi, I have to implement SFTP using a Java program. I am looking for a package that implements a SFTP Client(preferably with sample code on usage). I need this in order to do SFTP file upload from my Java program. Any help would be appreciated. Thanks in advance. Regards, Preetha. From maf at appgate.com Tue Apr 29 01:54:19 2003 From: maf at appgate.com (maf at appgate.com) Date: Mon, 28 Apr 2003 17:54:19 +0200 (CEST) Subject: SFTP in Java Message-ID: <20030428155444.57CDC6C8C1@shala.firedoor.se> On 28 Apr, Preetha Suri wrote: > I am looking for a package that implements a SFTP Client(preferably with > sample code on usage). I need this in order to do SFTP file upload from my > Java program. Well, MindTerm does what you need. It is not free though. /MaF -- Martin Forssen Development Manager Phone: +46 31 7744361 AppGate Network Security AB From Eric.Ladner at chevrontexaco.com Tue Apr 29 03:57:58 2003 From: Eric.Ladner at chevrontexaco.com (Ladner, Eric (Eric.Ladner)) Date: Mon, 28 Apr 2003 12:57:58 -0500 Subject: SFTP in Java Message-ID: <53D65D67C6AA694284F7584E25ADD3546CDF86@nor935nte2k1.nor935.chevrontexaco.net> Sshtools maybe? Looks like you'd have to implement your own SFTP client, but the tools are there. http://www.sshtools.com/ ShiFT would serve as the example code, I believe. Eric -----Original Message----- 
From: Preetha Suri [mailto:Preetha.Suri at sisl.co.in] Sent: Monday, April 28, 2003 10:43 To: openssh-unix-dev at mindrot.org Subject: SFTP in Java Hi, I have to implement SFTP using a Java program. I am looking for a package that implements a SFTP Client(preferably with sample code on usage). I need this in order to do SFTP file upload from my Java program. Any help would be appreciated. Thanks in advance. Regards, Preetha. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev at mindrot.org http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From VBrimhall at novell.com Tue Apr 29 04:27:02 2003 From: VBrimhall at novell.com (Vince Brimhall) Date: Mon, 28 Apr 2003 12:27:02 -0600 Subject: SFTP in Java Message-ID: Preetha, I have found the JSch package to have a very good SFTP implementation in the later versions (1.2 and later). And even more attractive is that it's under a BSD style license. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vince Brimhall Senior Software Engineer Web Services 801.861.1724 vbrimhall at novell.com Novell, Inc., The leading provider of Net Business Solutions http://www.novell.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>> Preetha Suri 4/28/2003 9:42:40 AM >>> Hi, I have to implement SFTP using a Java program. I am looking for a package that implements a SFTP Client(preferably with sample code on usage). I need this in order to do SFTP file upload from my Java program. Any help would be appreciated. Thanks in advance. Regards, Preetha. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev at mindrot.org http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From VBrimhall at novell.com Tue Apr 29 04:28:31 2003 
From: VBrimhall at novell.com (Vince Brimhall) Date: Mon, 28 Apr 2003 12:28:31 -0600 Subject: SFTP in Java Message-ID: My apologies. I should have included the URI in the original reply. http://www.jcraft.com/jsch/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vince Brimhall Senior Software Engineer Web Services 801.861.1724 vbrimhall at novell.com Novell, Inc., The leading provider of Net Business Solutions http://www.novell.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>> Preetha Suri 4/28/2003 9:42:40 AM >>> Hi, I have to implement SFTP using a Java program. I am looking for a package that implements a SFTP Client(preferably with sample code on usage). I need this in order to do SFTP file upload from my Java program. Any help would be appreciated. Thanks in advance. Regards, Preetha. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev at mindrot.org http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From dtucker at zip.com.au Tue Apr 29 07:57:05 2003 
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 29 Apr 2003 07:57:05 +1000 Subject: [PATCH re-send]: Clean up logging of failed logins References: Message-ID: <3EADA3B1.6E29DE0B@zip.com.au> Ben Lindstrom wrote: > On Mon, 28 Apr 2003, Darren Tucker wrote: > > Is the attached patch better? Tested on AIX 4.3.3. > > Outside of being a bit too #ifdef happy in port-aix.c =) Looks good. Man, some people are never happy :-). Seriously, the #ifdef CUSTOM_FAILED_LOGIN is there for a reason. WITH_AIXAUTHENTICATE acts as a flag for all of the AIX authentication routines, including loginfailed(). It's possible to build for AIX without WITH_AIXAUTHENTICATE, in that case CUSTOM_FAILED_LOGIN won't be defined and we shouldn't use loginfailed(). Whether or not there are any AIXes that don't have loginfailed() is another matter. At one point we didn't link in the library on 4.2.x that held authenticate() and friends, so WITH_AIXAUTHENTICATE was not defined there. It's possible that older ones don't have it at all. > I'll add it to the list of commits I have for portable. Thanks. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From djm at mindrot.org Tue Apr 29 22:33:05 2003 From: djm at mindrot.org (Damien Miller) Date: Tue, 29 Apr 2003 22:33:05 +1000 Subject: rsh fallback In-Reply-To: <20030428020722.GA8136@riva.ucam.org> References: <20030428020722.GA8136@riva.ucam.org> Message-ID: <3EAE7101.7000204@mindrot.org> Colin Watson wrote: > Hi, > > Can anyone remind me of why FallbackToRsh was removed? I've just had a > somewhat irate Debian bug report about it, and don't really have enough > information to respond properly. It was pulled out as we didn't think it appropriate for a "secure shell" to fall back to an insecure transport. -d From bugzilla-daemon at mindrot.org Tue Apr 29 22:27:47 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 29 Apr 2003 22:27:47 +1000 (EST) Subject: [Bug 550] Problems with .Ql in mdoc Message-ID: <20030429122747.E8AD094216@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=550 Summary: Problems with .Ql in mdoc Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: minor Priority: P2 Component: Documentation AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: cjwatson at debian.org Punctuation characters need to be escaped in the argument to .Ql, or you end up with the output containing things like ''! rather than '!'. Xavier Renaut reported this in http://bugs.debian.org/191131. I'll attach a patch in a moment. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Apr 29 22:29:52 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 29 Apr 2003 22:29:52 +1000 (EST) Subject: [Bug 550] Problems with .Ql in mdoc Message-ID: <20030429122952.4B74094234@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=550 ------- Additional Comments From cjwatson at debian.org 2003-04-29 22:29 ------- Created an attachment (id=277) --> (http://bugzilla.mindrot.org/attachment.cgi?id=277&action=view) Fix punctuation in argument to .Ql There's a rationale for why \& is needed in the "Other Possible Pitfalls" section of groff_mdoc(7). ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From carson at taltos.org Wed Apr 30 01:36:52 2003
From: carson at taltos.org (Carson Gaspar) Date: Tue, 29 Apr 2003 11:36:52 -0400 Subject: rsh fallback In-Reply-To: <3EAE7101.7000204@mindrot.org> References: <20030428020722.GA8136@riva.ucam.org> <3EAE7101.7000204@mindrot.org> Message-ID: <14190000.1051630612@taltos.ny.ficc.gs.com>

--On Tuesday, April 29, 2003 22:33:05 +1000 Damien Miller wrote:

> Colin Watson wrote:
>> Hi,
>>
>> Can anyone remind me of why FallbackToRsh was removed? I've just had a
>> somewhat irate Debian bug report about it, and don't really have enough
>> information to respond properly.
>
> It was pulled out as we didn't think it appropriate for a "secure shell"
> to fall back to an insecure transport.

Sadly, this now means that when trying to convert an rsh shop to ssh, you must deploy ssh servers _everywhere_, before you can switch the code to use ssh instead of rsh. This creates a logistical nightmare.

I _strongly_ agree that fallback should not be the default. I'd even be happy with being forced to pass an --I_AM_AN_IDIOT_AND_WANT_TO_HAVE_NO_SECURITY flag to ssh to get it to fall back (I can shove it in the rsh-alike wrapper script that sets ssh up to do host based auth, never prompt for a password, etc.)

A work-around that is mostly working for me is to create a script that attempts an ssh, checks the exit code, and tries an rsh if the ssh failed. Sadly, this is not perfect, as it is possible for the remote command to fail, and for ssh to return an exit code that looks like an ssh failure.

--
Carson

From djast at cs.toronto.edu Wed Apr 30 02:09:02 2003
From: djast at cs.toronto.edu (Dan Astoorian) Date: Tue, 29 Apr 2003 12:09:02 -0400 Subject: rsh fallback In-Reply-To: Your message of "Tue, 29 Apr 2003 11:36:52 EDT." <14190000.1051630612@taltos.ny.ficc.gs.com> Message-ID: <03Apr29.120906edt.453158-2158@jane.cs.toronto.edu>

On Tue, 29 Apr 2003 11:36:52 EDT, Carson Gaspar writes:
>
> A work-around that is mostly working for me is to create a script that
> attempts an ssh, checks the exit code, and tries an rsh if the ssh failed.
> Sadly, this is not perfect, as it is possible for the remote command to
> fail, and for ssh to return an exit code that looks like an ssh failure.

A possible refinement of this method would be for the wrapper script to probe the ssh port of the remote host, to determine whether it should use ssh or rsh/rlogin as the transport.

This would only work in somewhat controlled environments, since there are many cases which would be too complex for a wrapper to be expected to deal with (e.g., "Port" commands in .ssh/config, -p or -oPort options on the command line, etc.); the wrapper would need to be able to make simplifying assumptions.

An alternative approach would be a wrapper script which is aware of which of your servers have not yet been converted from rsh to ssh, and selects the insecure transport only in those cases where it's known to be necessary.

--
Dan Astoorian                 People shouldn't think that it's better to have
Sysadmin, CSLab               loved and lost than never loved at all. It's
djast at cs.toronto.edu       not, it's better to have loved and won. All
www.cs.toronto.edu/~djast/    the other options really suck.   --Dan Redican
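The wrapper approach in Carson's and Dan's messages above, written out as an added example (it is not from the thread and not part of OpenSSH): ssh reports its own connection and authentication failures with exit status 255 and otherwise passes the remote command's status through, which is the distinction Carson's script was missing, and the legacy-host list is Dan's second alternative, embedded here as a constructed sample. The host names, the ConnectTimeout value and the use of logger are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the list thread or from OpenSSH. An rsh-alike
# wrapper that prefers ssh and uses rsh only for hosts on an explicit list of
# machines not yet converted, and only when ssh itself failed rather than the
# remote command. The host names below are a constructed sample.

# Constructed list of hosts still waiting for an sshd, one name per line.
LEGACY_HOSTS_LIST='old-build-box
legacy-db.example.test'

# is_legacy_host HOST: succeeds when HOST is on the list (exact match).
is_legacy_host() {
    printf '%s\n' "$LEGACY_HOSTS_LIST" | grep -qFx -- "$1"
}

# classify_ssh_status CODE: ssh exits 255 for its own errors (no connection,
# authentication refused, host key problem); any other status belongs to the
# remote command, which means the transport worked and must not be retried.
classify_ssh_status() {
    if [ "$1" -eq 255 ]; then
        echo transport
    else
        echo remote
    fi
}

# pick_transport HOST CODE: decision after ssh returned CODE for HOST:
#   done -> remote command ran, return its status
#   rsh  -> ssh could not connect and HOST is on the legacy list
#   fail -> ssh could not connect and HOST is not on the list
pick_transport() {
    if [ "$(classify_ssh_status "$2")" = remote ]; then
        echo done
    elif is_legacy_host "$1"; then
        echo rsh
    else
        echo fail
    fi
}

# rsh_compat HOST COMMAND...: the rsh-alike entry point. BatchMode keeps ssh
# from prompting, so a missing key shows up as exit 255 instead of a hang.
rsh_compat() {
    host=$1
    shift
    if ssh -o BatchMode=yes -o ConnectTimeout=10 "$host" "$@"; then
        code=0
    else
        code=$?
    fi
    case $(pick_transport "$host" "$code") in
    done)
        return "$code" ;;
    rsh)
        logger -t rsh_compat "ssh to $host failed ($code); using rsh"
        rsh "$host" "$@" ;;
    *)
        echo "rsh_compat: ssh to $host failed ($code), not on legacy list" >&2
        return "$code" ;;
    esac
}

# Usage: sh rsh_compat.sh HOST COMMAND...  (does nothing when no HOST is given)
[ $# -eq 0 ] || rsh_compat "$@"
```

The list is the control point: every host removed from it once its sshd is up is one less place where rsh can be chosen at all, and the logger line makes each fallback visible in syslog so the hosts still on the list can be found and converted.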
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 30 Apr 2003 03:42:24 +1000 (EST) Subject: [Bug 550] Problems with .Ql in mdoc Message-ID: <20030429174224.CD50794256@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=550 ------- Additional Comments From mouring at eviladmin.org 2003-04-30 03:42 ------- Have you considered this to be a bug in groff? This is not producible under any of the BSDs. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 30 04:02:27 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 30 Apr 2003 04:02:27 +1000 (EST) Subject: [Bug 550] Problems with .Ql in mdoc Message-ID: <20030429180227.804C69425C@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=550 ------- Additional Comments From cjwatson at debian.org 2003-04-30 04:02 ------- It's documented as behaving this way for punctuation characters that end sentences, and as far as I know groff's mdoc implementation is maintained to a large extent by the FreeBSD team, so I rather doubt it. However, I've just asked the groff mailing list for an opinion. I also note that the OpenSSH man pages already use the \& construction in a number of other places for exactly the same reason. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 30 06:11:36 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 30 Apr 2003 06:11:36 +1000 (EST) Subject: [Bug 550] Problems with .Ql in mdoc Message-ID: <20030429201136.A319A94261@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=550 ------- Additional Comments From cjwatson at debian.org 2003-04-30 06:11 ------- Werner Lemberg, the groff maintainer, says: It's not a bug, it's a logical extension. The old BSD mdoc macros are not consequent here for reasons beyond my knowledge: Look at the `z.', `z,', ... registers in old BSD's doc-common and you can see that `z!' and `z?' are missing, while groff's mdoc has `doc-punct!' and `doc-punct?'. IMHO the OpenSSH team should apply your patch even if not necessary for old BSD's mdoc macros. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From dwmw2 at infradead.org Wed Apr 30 08:14:05 2003 From: dwmw2 at infradead.org (David Woodhouse) Date: Tue, 29 Apr 2003 23:14:05 +0100 Subject: rsh fallback In-Reply-To: <03Apr29.120906edt.453158-2158@jane.cs.toronto.edu> References: <03Apr29.120906edt.453158-2158@jane.cs.toronto.edu> Message-ID: <1051654445.2850.289.camel@imladris.demon.co.uk> On Tue, 2003-04-29 at 17:09, Dan Astoorian wrote: > A possible refinement of this method would be for the wrapper script to > probe the ssh port of the remote host, > <...> > An alternative approach would be a wrapper script which is aware of > which of your servers have not yet been converted from rsh to ssh, Each of these is similarly hackish. A better alternative would be to modify the SSH client itself to fall back to RSH if it's configured appropriately and the SSH connection attempt fails. -- dwmw2 From djm at mindrot.org Wed Apr 30 08:49:32 2003 
From: djm at mindrot.org (Damien Miller) Date: Wed, 30 Apr 2003 08:49:32 +1000 Subject: rsh fallback In-Reply-To: <1051654445.2850.289.camel@imladris.demon.co.uk> References: <03Apr29.120906edt.453158-2158@jane.cs.toronto.edu> <1051654445.2850.289.camel@imladris.demon.co.uk> Message-ID: <3EAF017C.7000008@mindrot.org> David Woodhouse wrote: > On Tue, 2003-04-29 at 17:09, Dan Astoorian wrote: > >>A possible refinement of this method would be for the wrapper script to >>probe the ssh port of the remote host, >><...> >>An alternative approach would be a wrapper script which is aware of >>which of your servers have not yet been converted from rsh to ssh, > > > Each of these is similarly hackish. A better alternative would be to > modify the SSH client itself to fall back to RSH if it's configured > appropriately and the SSH connection attempt fails. Yes - here is the diff I used to deprecate rsh. It probably needs some cleanup. -d -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: norsh.diff Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030430/a7d7de44/attachment.ksh From bugzilla-daemon at mindrot.org Wed Apr 30 11:01:06 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 30 Apr 2003 11:01:06 +1000 (EST) Subject: [Bug 550] Problems with .Ql in mdoc Message-ID: <20030430010106.A07599420A@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=550 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From mouring at eviladmin.org 2003-04-30 11:01 ------- Applied upstream along with escaping * while we are here since it is proper, but does not affect us (suggested by jmc of OpenBSD). ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From djm at mindrot.org Wed Apr 30 13:37:28 2003 
From: djm at mindrot.org (Damien Miller) Date: Wed, 30 Apr 2003 13:37:28 +1000 (EST) Subject: Portable OpenSSH 3.6.1p2 Message-ID:

OpenSSH 3.6.1p2 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.

This is a release of the Portable version only.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued support and encouragement.

Changes since OpenSSH 3.6.1p1:
============================

* Security: corrected linking problem on AIX/gcc. AIX users are advised to upgrade immediately. For details, please refer to separate advisory (aixgcc.adv).

* Corrected build problems on Irix

* Corrected build problem when building with AFS support

* Merged some changes from Openwall Linux

Checksums:
==========

- MD5 (openssh-3.6p1.tar.gz) = f3879270bffe479e1bd057aa36258696

Reporting Bugs:
===============

- please read http://www.openssh.com/report.html and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller and Ben Lindstrom.

From djm at mindrot.org Wed Apr 30 13:39:49 2003
From: djm at mindrot.org (Damien Miller) Date: Wed, 30 Apr 2003 13:39:49 +1000 (EST) Subject: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv) Message-ID:

1. Systems affected:

Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected if OpenSSH was compiled using a non-AIX compiler (e.g. gcc). Please note that the IBM-supplied OpenSSH packages[1] are not vulnerable.

2. Description:

The default behavior of the runtime linker on AIX is to search the current directory for dynamic libraries before searching system paths. This is done regardless of the executable's set[ug]id status. This behavior is insecure and extremely dangerous. It allows an attacker to locally escalate their privilege level through the use of replacement libraries.

Portable OpenSSH includes configure logic to override this broken behavior, but only for the native compiler. gcc uses a different command-line option (without changing the dangerous default behavior).

3. Impact:

Privilege escalation by local users.

4. Short-term workaround:

Remove any set[ug]id bits from the installed binaries, usually 'ssh-agent' and 'ssh-keysign'. Older versions of OpenSSH may also install the 'ssh' binary as setuid. Please note that removing the setuid bit from ssh-keysign will disable hostbased authentication.

Portable OpenSSH 3.6.1p2 uses the correct compiler flags to avoid the dangerous linker behavior.

5. Solution:

For the problem to be solved, the AIX linker must be changed to only search system paths by default and never search the current directory or user-specified paths for set[ug]id programs. We consider this a serious flaw in IBM's linker, and urge them to fix it immediately. IBM, are you listening?

6. Credits:

Thanks to Andreas Repp (IBM Deutschland GmbH) for bringing the issue to our attention. Darren Tucker contributed the fix.

[1] http://oss.software.ibm.com/developerworks/projects/opensshi
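The section 4 workaround as a small POSIX sh audit, an added example that is not part of the advisory or of OpenSSH: it lists the set-user-ID and set-group-ID files under an install prefix and clears the bits only when explicitly asked, since the advisory notes that ssh-keysign loses hostbased authentication once its setuid bit is gone. The prefix is a command-line argument and the file names used when exercising it are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory or from OpenSSH itself. Implements the
# short-term workaround from section 4: find set[ug]id regular files under an
# install prefix and, only on request, clear those bits. Reporting and
# stripping are separate steps so the list can be checked against the
# binaries the advisory names before anything is changed.

# audit_setugid PREFIX: print regular files under PREFIX that have the
# set-user-ID or set-group-ID bit, one per line, sorted (empty if none).
audit_setugid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# count_setugid PREFIX: number of such files as a bare integer ("0" when none;
# grep -c exits 1 in that case, hence the || true).
count_setugid() {
    audit_setugid "$1" | grep -c . || true
}

# strip_setugid PREFIX: apply the workaround (chmod u-s,g-s) to every file
# audit_setugid reports and say what was changed.
strip_setugid() {
    audit_setugid "$1" | while IFS= read -r f; do
        chmod u-s,g-s "$f" && printf 'cleared set[ug]id on %s\n' "$f"
    done
}

# Usage: sh audit-setugid.sh PREFIX [--strip]   (does nothing without PREFIX)
if [ $# -gt 0 ]; then
    case ${2-} in
    --strip) strip_setugid "$1" ;;
    *)       audit_setugid "$1" ;;
    esac
fi
```

Run it read-only first and compare the list with the binaries named in the advisory; anything else carrying a set[ug]id bit under the prefix deserves a second look. After upgrading to 3.6.1p2 the bit can go back on ssh-keysign where hostbased authentication is needed.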
From vinschen at redhat.com Wed Apr 30 18:06:36 2003
From: vinschen at redhat.com (Corinna Vinschen)
Date: Wed, 30 Apr 2003 10:06:36 +0200
Subject: Portable OpenSSH 3.6.1p2
In-Reply-To:
References:
Message-ID: <20030430080636.GC14610@cygbert.vinschen.de>

Hi,

On Wed, Apr 30, 2003 at 01:37:28PM +1000, Damien Miller wrote:
> Changes since OpenSSH 3.6.1p1:
> ============================
>
> * Security: corrected linking problem on AIX/gcc. AIX users are
>   advised to upgrade immediately. For details, please refer to
>   separate advisory (aixgcc.adv).
>
> * Corrected build problems on Irix
>
> * Corrected build problem when building with AFS support
>
> * Merged some changes from Openwall Linux

Is it worth releasing 3.6.1p2 in place of 3.6.1p1 on other systems as well? From the above I take it that Cygwin isn't affected by the changes, so normally I wouldn't update the Cygwin net distro to 3.6.1p2.

Corinna

-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 30 Apr 2003 18:29:28 +1000
Subject: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)
References:
Message-ID: <3EAF8968.7DBC1438@zip.com.au>

Damien Miller wrote:
> 1. Systems affected:
> Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected
> if OpenSSH was compiled using a non-AIX compiler (e.g. gcc).

Hi All.

For the last year or so I've published OpenSSH binary packages for AIX at [1]. I would like to advise all users of these packages that all versions up to and including the 3.6.1p1 version *are* affected by this and have been removed.

A patched version (3.6.1p1-1) is available which addresses this issue. I urge all users of these packages to upgrade or apply the workaround immediately.

-Daz.

[1] http://www.zip.com.au/~dtucker/openssh/

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From: james at nameonthe.net (James Williamson)
Date: Wed, 30 Apr 2003 10:33:29 +0100
Subject: (no subject)
Message-ID: <003501c30efb$8f3b1560$6600a8c0@JAMES>

From: james at nameonthe.net (James Williamson)
Date: Wed, 30 Apr 2003 10:34:59 +0100
Subject: (no subject)
Message-ID: <003d01c30efb$c4cd87d0$6600a8c0@JAMES>

From: james at nameonthe.net (James Williamson)
Date: Wed, 30 Apr 2003 12:47:32 +0100
Subject: pam + privileges
Message-ID: <009701c30f0e$4a077f70$6600a8c0@JAMES>

Hi,

Apologies if my attempts to subscribe bombarded this list with empty emails.

We're running openssh 3.6.1p1 on Linux i386 and need to chroot and modify people's capabilities (Linux specific) when they log in. To do this we've compiled openssh with pam support and then configured pam to chroot people and alter their capabilities (such as giving them the privilege to bind to a port below 1024). In the past we've used the chroot patch, which works well, yet using pam to chroot and grant capabilities fails.

I've scanned through the code and it seems openssh is giving away root privilege very early in the pam pipeline. By the time it reaches the password / session stages it's given up all root privileges. The problem is the chroot and capability pam modules apply their changes during the pam session stage, so you'd expect root to still be in control until the pam session stage.

Can anyone let me know if this was/is a conscious design decision?

Regards,

James Williamson
www.nameonthe.net
Tel: +44 208 7415453
Fax: + 44 208 7411615

From: djm at mindrot.org (Damien Miller)
Date: Wed, 30 Apr 2003 21:55:06 +1000
Subject: pam + privileges
In-Reply-To: <009701c30f0e$4a077f70$6600a8c0@JAMES>
References: <009701c30f0e$4a077f70$6600a8c0@JAMES>
Message-ID: <3EAFB99A.5020604@mindrot.org>

James Williamson wrote:
> Hi,
>
> Apologies if my attempts to subscribe bombarded this list with empty emails.
>
> We're running openssh 3.6.1p1 on Linux i386 and need to chroot and modify
> people's capabilities (Linux specific) when they log in. To do this we've
> compiled openssh with pam support and then configured pam to chroot people
> and alter their capabilities (such as giving them the privilege to bind to
> a port below 1024). In the past we've used the chroot patch which works
> well yet using pam to chroot and grant capabilities fail.
>
> I've scanned through the code and it seems openssh is giving away root
> privilege very early in the pam pipeline. By the time it reaches the
> password / session stages it's given up all root privileges. The problem
> is the chroot and capability pam modules apply their changes during the
> pam session stage so you'd expect root to still be in control until the
> pam session stage.
>
> Can anyone let me know if this was/is a conscious design decision?

Absolutely, our goal is to have as little as possible code running with root privileges.

Whether pam_session should run with root is a matter of debate though. Have a look through bugzilla.mindrot.org, there is a bug open for this.

-d

From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 30 Apr 2003 22:21:47 +1000
Subject: Portable OpenSSH 3.6.1p2
References: <20030430080636.GC14610@cygbert.vinschen.de>
Message-ID: <3EAFBFDB.9A14A57@zip.com.au>

Corinna Vinschen wrote:
> is it worth to release 3.6.1p2 in favor of 3.6.1p1 also on other
> systems? From the above I'm taking that Cygwin isn't affected by
> the changes so normally I wouldn't update the Cygwin net distro
> to 3.6.1p2.

The AIX fix is certainly compile-time only, as are most of the other changes. I had a quick look at the diff, and I don't think the other changes would affect Cygwin. If it was me, I wouldn't bother.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From: openssh at roumenpetrov.info (openssh at roumenpetrov.info)
Date: Wed, 30 Apr 2003 15:45:07 +0300
Subject: Portable OpenSSH 3.6.1p2
References:
Message-ID: <3EAFC553.7000600@roumenpetrov.info>

Hi all package maintainers,

Catman pages are too different between 3.6.1p1 and 3.6.1p2! Please, when possible, create future packages on the same platform and version.

Damien Miller wrote:
> OpenSSH 3.6.1p2 has just been released. It will be available from the
> mirrors listed at http://www.openssh.com/ shortly. This is a release
> of the Portable version only.
>
> OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
> implementation and includes sftp client and server support.
>
> We would like to thank the OpenSSH community for their continued
> support and encouragement.
>
>
> Changes since OpenSSH 3.6.1p1:
> ============================
>
> * Security: corrected linking problem on AIX/gcc. AIX users are
>   advised to upgrade immediately. For details, please refer to
>   separate advisory (aixgcc.adv).
>
> * Corrected build problems on Irix
>
> * Corrected build problem when building with AFS support
>
> * Merged some changes from Openwall Linux
>
>
> Checksums:
> ==========
>
> - MD5 (openssh-3.6p1.tar.gz) = f3879270bffe479e1bd057aa36258696
>
:-)
>
> Reporting Bugs:
> ===============
>
> - please read http://www.openssh.com/report.html
>   and http://bugzilla.mindrot.org/
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller and Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

-- 
Get X.509 certificate support in OpenSSH: http://roumenpetrov.info/openssh

From: james at nameonthe.net (James Williamson)
Date: Wed, 30 Apr 2003 14:07:33 +0100
Subject: pam + privileges
References: <009701c30f0e$4a077f70$6600a8c0@JAMES> <3EAFB99A.5020604@mindrot.org>
Message-ID: <00dc01c30f19$77c823f0$6600a8c0@JAMES>

> James Williamson wrote:
> > Hi,
> >
> > Apologies if my attempts to subscribe bombarded this list with empty emails.
> >
> > We're running openssh 3.6.1p1 on Linux i386 and need to chroot and modify
> > people's capabilities (Linux specific) when they log in. To do this we've
> > compiled openssh with pam support and then configured pam to chroot people
> > and alter their capabilities (such as giving them the privilege to bind to
> > a port below 1024). In the past we've used the chroot patch which works
> > well yet using pam to chroot and grant capabilities fail.
> >
> > I've scanned through the code and it seems openssh is giving away root
> > privilege very early in the pam pipeline. By the time it reaches the
> > password / session stages it's given up all root privileges. The problem
> > is the chroot and capability pam modules apply their changes during the
> > pam session stage so you'd expect root to still be in control until the
> > pam session stage.
> >
> > Can anyone let me know if this was/is a conscious design decision?
>
> Absolutely, our goal is to have as little as possible code running with
> root privileges.
>
> Whether pam_session should run with root is a matter of debate though.
> Have a look through bugzilla.mindrot.org, there is a bug open for this.
>

Thanks,

I've had a look at the 'bug'. Rather than using setuid, why not use setreuid or seteuid to temporarily give up privileges? This is how sendmail handles the 'run as root as infrequently as possible' issue. If I write a patch, is it likely to be accepted?

Regards,

James Williamson
www.nameonthe.net
Tel: +44 208 7415453
Fax: + 44 208 7411615

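A model of the credential rules behind the two positions in this thread, added here as an example (it is not OpenSSH code and is not the privilege-separation design the project uses): it encodes the Linux setuid(2) and seteuid(2) rules for the real, effective and saved uids and shows that after a setuid() drop from euid 0 the process cannot obtain effective uid 0 again, whereas after a seteuid() drop the saved uid still holds 0 and one call brings root back. That is the property at stake in "as little code as possible running with root": code that runs after a temporary drop is still root for any bug that can make the call. Capabilities and the setreuid()/setresuid() variants are left out, and uid 1000 stands for an arbitrary unprivileged user.

```python
"""Model of the setuid(2)/seteuid(2) rules for the real, effective and
saved uids, showing why a setuid() drop is permanent and a seteuid()
drop is not.

Added example; not OpenSSH code. It follows the Linux rules as documented
in the man pages: a process whose effective uid is 0 is treated as
privileged (capabilities are ignored, a simplification), and uid 1000
stands for an arbitrary unprivileged user.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Creds:
    ruid: int  # real uid
    euid: int  # effective uid: what permission checks use
    suid: int  # saved set-user-id: what the process may switch back to

    @property
    def privileged(self):
        return self.euid == 0


def setuid(c, uid):
    """setuid(2): a privileged caller sets all three uids, so nothing is
    left to switch back to; an unprivileged caller may only set euid, and
    only to its real or saved uid."""
    if c.privileged:
        return Creds(uid, uid, uid)
    if uid in (c.ruid, c.suid):
        return Creds(c.ruid, uid, c.suid)
    raise PermissionError("setuid: EPERM")


def seteuid(c, uid):
    """seteuid(2): changes euid only. A privileged caller may pick any uid;
    an unprivileged one may pick its real, effective or saved uid. The
    saved uid is untouched, so a process that was root keeps 0 there."""
    if c.privileged or uid in (c.ruid, c.euid, c.suid):
        return Creds(c.ruid, uid, c.suid)
    raise PermissionError("seteuid: EPERM")


def can_regain_root(c):
    """True if either call would give the process effective uid 0 again."""
    for call in (setuid, seteuid):
        try:
            if call(c, 0).euid == 0:
                return True
        except PermissionError:
            pass
    return False


ROOT = Creds(0, 0, 0)


def permanent_drop(uid):
    """A permanent drop: setuid() called while euid is 0."""
    return setuid(ROOT, uid)


def temporary_drop(uid):
    """The seteuid()-based scheme proposed in the thread."""
    return seteuid(ROOT, uid)


if __name__ == "__main__":
    for name, drop in (("setuid", permanent_drop), ("seteuid", temporary_drop)):
        c = drop(1000)
        print(f"{name:8} -> {c}  can regain root: {can_regain_root(c)}")
```

The model is what makes the design choice visible: the only way to run a PAM session module with root and still have the rest of the session code unable to regain it is to order the work so the root-needing steps happen first and the permanent drop happens after them, which is the ordering question the open bug is about.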
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 30 Apr 2003 08:25:20 -0500 (CDT)
Subject: pam + privileges
In-Reply-To: <00dc01c30f19$77c823f0$6600a8c0@JAMES>
Message-ID:

On Wed, 30 Apr 2003, James Williamson wrote:
[..]
> > Absolutely, our goal is to have as little as possible code running with
> > root privileges.
> >
> > Whether pam_session should run with root is a matter of debate though.
> > Have a look through bugzilla.mindrot.org, there is a bug open for this.
> >
>
> Thanks,
>
> I've had a look at the 'bug'. Rather than using setuid, why not use
> setreuid or seteuid to temporarily give up privileges? This is how sendmail
> handles the 'run as root as infrequently as possible' issue. If I write a
> patch is it likely to be accepted?
>

I suggest you read the following. This explains how we handle code that requires root security.

http://www.citi.umich.edu/u/provos/ssh/privsep.html

- Ben

From: genty at austin.ibm.com (Denise Genty)
Date: Wed, 30 Apr 2003 08:53:22 -0500
Subject: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)
References:
Message-ID: <3EAFD552.EF4CAE8A@austin.ibm.com>

Damien Miller wrote:
> 5. Solution:
>
> For the problem to be solved, the AIX linker must be changed to
> only search system paths by default and never search the current
> directory or user-specified paths for set[ug]id programs.
>
> We consider this a serious flaw in IBM's linker, and urge
> them to fix it immediately. IBM, are you listening?
>

Hey man, we're listening -- I just need to figure out who to contact about the problem.

-- 
Denise M. Genty
genty at austin.ibm.com
(512)838-8170 - T/L 678-8170
AIX Network Security Development
Server Division, pSeries

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 30 Apr 2003 23:58:27 +1000 (EST)
Subject: [Bug 14] Can't change expired /etc/shadow password without PAM
Message-ID: <20030430135827.14B69942A4@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=14

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #248 is |0                           |1
           obsolete|                            |

------- Additional Comments From dtucker at zip.com.au 2003-04-30 23:58 -------
Created an attachment (id=278)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=278&action=view)
passexpire19: AIX and /etc/shadow password expiry

Only a small change: now takes S_MAXAGE into account when checking for over-expired passwords. Report and fix from Ravinder Sekhon.

Patch against 3.6.1p2 is at http://www.zip.com.au/~dtucker/openssh/openssh-3.6.1p2-passexpire19.patch

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.