From jkeowyh at singtel.com Mon Jun 2 23:31:02 2003
From: jkeowyh at singtel.com (Keow Yeong Huat Joseph)
Date: Mon, 2 Jun 2003 21:31:02 +0800
Subject: how-to configure openssh
Message-ID: <6D76C3AAF21F9A4487D1F3D84982B3AF11EDAE@EMHQ05B.singtel.corp.root>

Hi,

Would you be able to advise me on how to configure openssh running on Redhat linux ver7? Thanks.

Best Regards
_______________________
Joseph Keow

From samuel at bcgreen.com Tue Jun 3 07:00:24 2003
From: samuel at bcgreen.com (Stephen Samuel)
Date: Mon, 02 Jun 2003 14:00:24 -0700
Subject: how-to configure openssh
In-Reply-To: <6D76C3AAF21F9A4487D1F3D84982B3AF11EDAE@EMHQ05B.singtel.corp.root>
References: <6D76C3AAF21F9A4487D1F3D84982B3AF11EDAE@EMHQ05B.singtel.corp.root>
Message-ID: <3EDBBAE8.3040207@bcgreen.com>

That depends on what you need help configuring. Have you tried:

    man sshd
    man sshd_config

Note that, by default, ssh is blocked by the default firewall rules. You'll need to make sure it's enabled. If your only work with the firewall was when configuring it at install time, then you can redo the settings with the GUI. Under KDE, the menu item appears to be: start -> System Settings -> security level.

CAUTION: If your firewall settings have been customized (other than by the RedHat menus) then doing this may break your old settings. Before you go through with this, you may want to make a copy of your current settings in /etc/sysconfig/iptables:

    mkdir /etc/sysconfig/RCS
    ci -l /etc/sysconfig/iptables

does it nicely using RCS -- (I'd encourage anybody not using something better to get at least a base understanding of RCS. It does a very nice job of saving and comparing changes in various config files).

Keow Yeong Huat Joseph wrote:
> Hi,
>
> Would you be able to advise me on how to configure openssh running on Redhat linux ver7? Thanks.
>
> Best Regards

--
Stephen Samuel +1(604)876-0426 samuel at bcgreen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and doubt to touch the jewel within each person and bring it to life.

From jkeowyh at singtel.com Tue Jun 3 19:31:39 2003
From: jkeowyh at singtel.com (Keow Yeong Huat Joseph)
Date: Tue, 3 Jun 2003 17:31:39 +0800
Subject: how-to configure openssh
Message-ID: <6D76C3AAF21F9A4487D1F3D84982B3AF8739BE@EMHQ05B.singtel.corp.root>

I have opened all services on the firewall to make sure it can go thru. I hit this message:

    >ssh fwadmin at mgfw
    SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
    Compiled with SSL (0x0090581f).
    debug: Reading configuration data /etc/ssh/ssh_config
    debug: Applying options for *
    debug: Applying options for *
    debug: Seeding random number generator
    debug: ssh_connect: getuid 0 geteuid 0 anon 0
    debug: Connecting to MGFW [127.0.0.1] port 22.
    debug: Allocated local port 1023.
    debug: Connection established.
    ssh_exchange_identification: Connection closed by remote host
    debug: Calling cleanup 0x805db00(0x0)

For your advice please.

Thanks & regards
Joseph K

-----Original Message-----
From: Stephen Samuel [mailto:samuel at bcgreen.com]
Sent: Tuesday, June 03, 2003 5:00 AM
To: Keow Yeong Huat Joseph; openssh-unix-dev at mindrot.org
Subject: Re: how-to configure openssh

That depends on what you need help configuring. Have you tried:

    man sshd
    man sshd_config

Note that, by default, ssh is blocked by the default firewall rules. You'll need to make sure it's enabled. If your only work with the firewall was when configuring it at install time, then you can redo the settings with the GUI. Under KDE, the menu item appears to be: start -> System Settings -> security level.

CAUTION: If your firewall settings have been customized (other than by the RedHat menus) then doing this may break your old settings. Before you go through with this, you may want to make a copy of your current settings in /etc/sysconfig/iptables:

    mkdir /etc/sysconfig/RCS
    ci -l /etc/sysconfig/iptables

does it nicely using RCS -- (I'd encourage anybody not using something better to get at least a base understanding of RCS. It does a very nice job of saving and comparing changes in various config files).

Keow Yeong Huat Joseph wrote:
> Hi,
>
> Would you be able to advise me on how to configure openssh running on Redhat linux ver7? Thanks.
>
> Best Regards

--
Stephen Samuel +1(604)876-0426 samuel at bcgreen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and doubt to touch the jewel within each person and bring it to life.

From dtucker at zip.com.au Tue Jun 3 21:43:34 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 03 Jun 2003 21:43:34 +1000
Subject: how-to configure openssh
References: <6D76C3AAF21F9A4487D1F3D84982B3AF8739BE@EMHQ05B.singtel.corp.root>
Message-ID: <3EDC89E6.7AEB1C56@zip.com.au>

Keow Yeong Huat Joseph wrote:
> I have opened all services on the firewall to make sure it can go thru. I hit this message:
[snip]
> debug: Connection established.
> ssh_exchange_identification: Connection closed by remote host
> debug: Calling cleanup 0x805db00(0x0)

This is characteristic of a connection being dropped by tcpwrappers. Check wherever ssh is logging to (possibly /var/log/authlog) and try adding "sshd: 127.0.0.1" to /etc/hosts.allow (or wherever your tcpwrappers is compiled to look).

Oh, and consider upgrading the sshd, it's pretty old and possibly vulnerable.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Wed Jun 4 23:17:11 2003
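A quick way to check what the tcpwrappers advice above actually admits, as an added example that is not part of the thread or of OpenSSH: a minimal re-implementation of the hosts.allow/hosts.deny decision libwrap makes after accepting the TCP connection and before sshd sends its banner. It assumes a simplified pattern subset (ALL, exact addresses, trailing-dot prefixes, net/mask) and the constructed file contents embedded below; EXCEPT, hostnames and shell commands are not handled.

```python
import ipaddress

# Constructed sample files (not from the thread). hosts.deny closes
# everything; hosts.allow re-opens sshd for loopback and one LAN, i.e. the
# "sshd: 127.0.0.1" fix from the thread plus a net/mask entry.
HOSTS_ALLOW = """
# /etc/hosts.allow (constructed example)
sshd: 127.0.0.1, 192.168.1.0/255.255.255.0
"""
HOSTS_DENY = """
# /etc/hosts.deny (constructed example)
ALL: ALL
"""


def client_matches(pattern, addr):
    """Match one client pattern against a dotted-quad address string."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # "192.168." style prefix
        return addr.startswith(pattern)
    if "/" in pattern:                   # "net/mask" form
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr


def rule_matches(line, daemon, addr):
    """True if a 'daemon_list : client_list' line covers this daemon and client."""
    line = line.split("#", 1)[0].strip()
    if ":" not in line:
        return False
    daemons, clients = line.split(":", 1)
    daemon_ok = any(d.strip() in ("ALL", daemon) for d in daemons.split(","))
    client_ok = any(client_matches(c, addr) for c in clients.split(","))
    return daemon_ok and client_ok


def hosts_access(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """libwrap order: first match in hosts.allow grants, otherwise first match
    in hosts.deny refuses, otherwise grant. A refusal happens after the TCP
    connection is accepted and before sshd speaks, which is why the client
    sees 'Connection established' followed by the identification error."""
    for line in allow_text.splitlines():
        if rule_matches(line, daemon, addr):
            return True
    for line in deny_text.splitlines():
        if rule_matches(line, daemon, addr):
            return False
    return True


def audit(daemon, addrs, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Map each address to its decision so a rule set can be reviewed at once."""
    return {a: hosts_access(daemon, a, allow_text, deny_text) for a in addrs}


if __name__ == "__main__":
    for addr, ok in audit("sshd", ["127.0.0.1", "192.168.1.20", "10.0.0.5"]).items():
        print(f"sshd from {addr}: {'allowed' if ok else 'refused before banner'}")
```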
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 04 Jun 2003 23:17:11 +1000
Subject: Regression tests (again)
Message-ID: <3EDDF157.A74DCBE2@zip.com.au>

Hi.

I'd like to start merging the changes required to make Portable's regression tests portable.

I'll keep the changes as small as possible (if they get merged back into OpenBSD, great, but if not I still think they're worth having working in Portable). You can see the kind of changes required at [1].

I will take the responsibility of keeping the regress/ in sync between OpenBSD and Portable.

Any objections?

[1] http://www.zip.com.au/~dtucker/openssh/regress/openssh-regressport2.patch

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From mouring at etoh.eviladmin.org Thu Jun 5 01:21:35 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 4 Jun 2003 10:21:35 -0500 (CDT)
Subject: Regression tests (again)
In-Reply-To: <3EDDF157.A74DCBE2@zip.com.au>
Message-ID:

I'm worried about the removals of $OBJ in different places, but the keeping of them in others.

You changed the main ssh_config file with this patch.. so watch that.

FYI I added a bunch of stuff to sftp*.sh testing recently that will need to be pulled in.

Can you review your patch for authorized_key usage? It seems to be scattered on how the changes happen.

Also any reason why you stripped out $OBJ in some places and not others?

You pulled out agent-ptrace from the test list, and modified the test. You plan on re-adding it?

I think other than that.. I think we should get the portable regression tests up to par.

- Ben

On Wed, 4 Jun 2003, Darren Tucker wrote:

> Hi.
> I'd like to start merging the changes required to make Portable's
> regression tests portable.
>
> I'll keep the changes as small as possible (if they get merged back into
> OpenBSD, great, but if not I still think they're worth having working in
> Portable). You can see the kind of changes required at [1].
>
> I will take the responsibility of keeping the regress/ in sync between
> OpenBSD and Portable.
>
> Any objections?
>
> [1]
> http://www.zip.com.au/~dtucker/openssh/regress/openssh-regressport2.patch
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From exim at bham.ac.uk Thu Jun 5 06:35:55 2003
From: exim at bham.ac.uk (exim at bham.ac.uk)
Date: Wed, 04 Jun 2003 21:35:55 +0100
Subject: Delivery error re: Re: Application
In-Reply-To:
Message-ID:

This message was rejected by the mail hub at The University of Birmingham (bham.ac.uk) because it has an apparently executable attachment "submited.pif". The email rejected was not delivered to the following recipients: M.Spann at bham.ac.uk.

Executable attachments are not being accepted at The University of Birmingham because they have been used by recent viruses such as that described in http://www.fsecure.com/v-descs/love.htm and http://vil.nai.com/vil/dispVirus.asp?virus_k=98797

Regrettably, it is possible that some legitimate communications could be refused by this measure and we apologise for any inconvenience caused. If this was a legitimate communication concerning University business please contact helpdesk at bham.ac.uk for advice with a full explanation about the nature of the communication.

From fcusack at fcusack.com Thu Jun 5 07:38:27 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Wed, 4 Jun 2003 14:38:27 -0700
Subject: pam_setcred() without pam_authenticate()?
Message-ID: <20030604143827.D24603@google.com>

Should pam_setcred() be called if pam_authenticate() wasn't called? I would say not; both of these functions are in the authenticate part of pam.

It seems the 'auth' part of pam config controls which modules get called, so if you didn't do _authenticate() you shouldn't do _setcred().

thx
/fc

From sxw at inf.ed.ac.uk Thu Jun 5 07:54:12 2003
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Wed, 4 Jun 2003 22:54:12 +0100 (BST)
Subject: pam_setcred() without pam_authenticate()?
In-Reply-To: <20030604143827.D24603@google.com>
Message-ID:

On Wed, 4 Jun 2003, Frank Cusack wrote:

> Should pam_setcred() be called if pam_authenticate() wasn't called?
> I would say not; both of these functions are in the authenticate
> part of pam.
>
> It seems the 'auth' part of pam config controls which modules get
> called, so if you didn't do _authenticate() you shouldn't do _setcred().

Some modules use calls to pam_setcred to store credentials to disk, based on other authentication credentials obtained earlier in the process. For example, to gain AFS credentials based on Kerberos credentials. If you've obtained Kerberos credentials through a route other than PAM (ie through Kerberos ticket passing), then having this call to pam_setcred not depend on having called pam_authenticate is really useful.

Cheers,

Simon.

From fcusack at fcusack.com Thu Jun 5 08:55:57 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Wed, 4 Jun 2003 15:55:57 -0700
Subject: pam_setcred() without pam_authenticate()?
In-Reply-To: ; from sxw@inf.ed.ac.uk on Wed, Jun 04, 2003 at 10:54:12PM +0100
References: <20030604143827.D24603@google.com>
Message-ID: <20030604155557.E24603@google.com>

On Wed, Jun 04, 2003 at 10:54:12PM +0100, Simon Wilkinson wrote:
> On Wed, 4 Jun 2003, Frank Cusack wrote:
> > Should pam_setcred() be called if pam_authenticate() wasn't called?
> > I would say not; both of these functions are in the authenticate
> > part of pam.
> >
> > It seems the 'auth' part of pam config controls which modules get
> > called, so if you didn't do _authenticate() you shouldn't do _setcred().
>
> Some modules use calls to pam_setcred to store credentials to disk, based

What credentials? PAM doesn't have them (since you didn't call pam_authenticate()) and you can't prompt for them at this point.

> on other authentication credentials obtained earlier in the process. For
> example, to gain AFS credentials based on Kerberos credentials.

hmm

/fc

From Darren.Moffat at Sun.COM Thu Jun 5 10:22:49 2003
From: Darren.Moffat at Sun.COM (Darren J Moffat)
Date: Wed, 4 Jun 2003 17:22:49 -0700 (PDT)
Subject: pam_setcred() without pam_authenticate()?
In-Reply-To: <20030604143827.D24603@google.com>
Message-ID:

On Wed, 4 Jun 2003, Frank Cusack wrote:

> Should pam_setcred() be called if pam_authenticate() wasn't called?
> I would say not; both of these functions are in the authenticate
> part of pam.

yes it should. pam_setcred may be doing stuff that it doesn't need the PAM_AUTHTOK for. For example cron(1m) on Solaris calls pam_setcred.

> It seems the 'auth' part of pam config controls which modules get
> called, so if you didn't do _authenticate() you shouldn't do _setcred().

That is a bug in the specification of PAM; there really should have been a separate auth and cred stack.

--
Darren J Moffat

From Darren.Moffat at Sun.COM Thu Jun 5 10:26:03 2003
From: Darren.Moffat at Sun.COM (Darren J Moffat)
Date: Wed, 4 Jun 2003 17:26:03 -0700 (PDT)
Subject: pam_setcred() without pam_authenticate()?
In-Reply-To: <20030604155557.E24603@google.com>
Message-ID:

On Wed, 4 Jun 2003, Frank Cusack wrote:

> What credentials? PAM doesn't have them (since you didn't call

There are lots of different types of credentials that could be getting set by a pam_setcred call.

> pam_authenticate()) and you can't prompt for them at this point.

The PAM spec does not create any such restriction. I don't know of any module that does that but it is allowed.

--
Darren J Moffat

From jkeowyh at singtel.com Thu Jun 5 10:45:33 2003
From: jkeowyh at singtel.com (Keow Yeong Huat Joseph)
Date: Thu, 5 Jun 2003 08:45:33 +0800
Subject: how-to configure openssh
Message-ID: <6D76C3AAF21F9A4487D1F3D84982B3AF8739C9@EMHQ05B.singtel.corp.root>

Finally works. Thanks for your advice.

-----Original Message-----
From: Darren Tucker [mailto:dtucker at zip.com.au]
Sent: Tuesday, June 03, 2003 7:44 PM
To: Keow Yeong Huat Joseph
Cc: Stephen Samuel; openssh-unix-dev at mindrot.org
Subject: Re: how-to configure openssh

Keow Yeong Huat Joseph wrote:
> I have opened all services on the firewall to make sure it can go thru. I hit this message:
[snip]
> debug: Connection established.
> ssh_exchange_identification: Connection closed by remote host
> debug: Calling cleanup 0x805db00(0x0)

This is characteristic of a connection being dropped by tcpwrappers. Check wherever ssh is logging to (possibly /var/log/authlog) and try adding "sshd: 127.0.0.1" to /etc/hosts.allow (or wherever your tcpwrappers is compiled to look).

Oh, and consider upgrading the sshd, it's pretty old and possibly vulnerable.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From Nicolas.Williams at sun.com Thu Jun 5 16:52:44 2003
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Wed, 4 Jun 2003 23:52:44 -0700
Subject: pam_setcred() without pam_authenticate()?
In-Reply-To: <20030604143827.D24603@google.com>; from fcusack@fcusack.com on Wed, Jun 04, 2003 at 02:38:27PM -0700
References: <20030604143827.D24603@google.com>
Message-ID: <20030604235244.V19455@binky.central.sun.com>

On Wed, Jun 04, 2003 at 02:38:27PM -0700, Frank Cusack wrote:
> Should pam_setcred() be called if pam_authenticate() wasn't called?
> I would say not; both of these functions are in the authenticate
> part of pam.

Pam_setcred() should be called if the user is authenticated and authorized, even if authentication did not use pam_authenticate().

> It seems the 'auth' part of pam config controls which modules get
> called, so if you didn't do _authenticate() you shouldn't do _setcred().

Just because the setcred stack shares the definition of the auth stack doesn't mean that setcred depends on auth.

Nico
--

From dgibson2 at triad.rr.com Thu Jun 5 21:36:21 2003
From: dgibson2 at triad.rr.com (David M. Gibson)
Date: Thu, 5 Jun 2003 07:36:21 -0400
Subject: Slow connection performance - ssh2
Message-ID: <000301c32b56$b05c80e0$7500a8c0@GibsonI8200>

Using ssh2 via agent to connect through proxy to sshd host. Each connection (client to proxy, proxy to host) takes an average of 22 seconds, totaling approximately 44 seconds for a complete connection. Debug logging with vmstat directed to the same file indicates two points where a majority of time is spent (have looked at the similar postings):

    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP (*6 seconds*)
    0 0 0 0 13236 0 8248 0 0 0 0 242  88  21  8 71
    1 0 0 0 13236 0 8248 0 0 0 0 239  70  64  2 35
    3 0 0 0 13084 0 8248 0 0 0 0 122  92  84 16  0
    1 0 0 0 13352 0 8248 0 0 0 0 123 693  79 21  0
    1 0 0 0 13352 0 8248 0 0 0 0 117  64  98  2  0
    4 0 0 0 13252 0 8248 0 0 0 0 117  77  95  5  0
    debug1: dh_gen_key: priv key bits set: 179/384
    debug1: bits set: 2042/4095
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY (*7 seconds*)
    1 0 0 0 13336 0 8248 0 0 0 0 174 117  36 28 36
    debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
    debug3: check_host_in_hostfile: match line 16
    debug1: Host '10.1.1.1' is known and matches the RSA host key.
    debug1: Found key in /root/.ssh/known_hosts:16
    debug1: bits set: 2057/4095
    1 0 0 0 13320 0 8248 0 0 0 0 267  60  69  2 29
    2 0 0 0 13304 0 8248 0 0 0 0 121  74 100  0  0
    1 0 0 0 13332 0 8248 0 0 0 0 123 218  74 26  0
    1 0 0 0 13332 0 8248 0 0 0 0 122  68  97  3  0
    1 0 0 0 13332 0 8248 0 0 0 0 122  70  98  2  0
    2 0 0 0 13188 0 8248 0 0 0 0 124 130  69 31  0
    debug1: ssh_rsa_verify: signature correct

Using rsa and have tested both 2048-bit and 1024-bit keys. Implemented the key size incrementally (target server first (aix), client (linux), then proxy (RH linux)) and did not see any difference in connection time.
I am curious about the "bits set 20nn/4095" which also seems to be consistent (although the nn vary by +/- 10-20) across the combination of tests as we transitioned from 2048 bit keys on all three devices to a mixture of 2048 & 1024 keys to 1024 on all three devices. What does the "bits set" size indicate, is it related to the size of key? Is there a way to influence this so less cpu is consumed on the client?

The client is an i386 device running at 100Mhz using dialup to connect to the proxy and then ethernet to the target host server. Are there any optimizations/considerations for this platform?

David M. Gibson

From dtucker at zip.com.au Thu Jun 5 22:16:05 2003
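The "bits set: 2042/4095" and "priv key bits set: 179/384" lines asked about above are the output of sanity checks on the Diffie-Hellman values: the count of 1 bits in the private exponent and in the peer's public value, against the exponent length and the modulus length. The following is an added example, not code from the thread or from OpenSSH, that reproduces that arithmetic on the 1024-bit group used by diffie-hellman-group1-sha1 (RFC 2409 group 2); the group-size table in estimate_group_bits() is the editor's recollection of the era's mapping and is an assumption.

```python
import secrets

# 1024-bit MODP prime of diffie-hellman-group1-sha1 (RFC 2409 "group 2"),
# embedded so the example runs offline; the generator is 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


def bits_set(n):
    """Number of 1 bits in n; this is the 'bits set' figure in the log."""
    return bin(n).count("1")


def estimate_group_bits(key_bits):
    """Group size the client requests, from the largest key the negotiated
    cipher/MAC needs. ASSUMED thresholds (editor's recollection of the
    2003-era table): a 192-bit 3des-cbc key asks for 4096 bits, which is
    consistent with the .../4095 modulus and the 384-bit exponent in the log."""
    if key_bits < 64:
        return 512
    if key_bits < 128:
        return 1024
    if key_bits < 192:
        return 2048
    return 4096


def dh_pub_is_valid(p, pub):
    """Sanity check on a received DH public value. Returns
    (ok, bits_set, modulus_bits); the log prints the last two as '%d/%d'.
    Values outside 1 < pub < p-1 or with at most one bit set are rejected:
    with g == 2 a single set bit means pub is a plain power of g, so its
    discrete log is trivial and the shared secret would be predictable."""
    count = bits_set(pub)
    ok = 1 < pub < p - 1 and count > 1
    return ok, count, p.bit_length()


def dh_gen_key(p, g, need_bits):
    """Private exponent of 2*need_bits bits (384 for a 192-bit key, as in
    'priv key bits set: 179/384') and its public value, regenerated until
    both pass the bit-count checks."""
    while True:
        priv = secrets.randbits(2 * need_bits)
        if bits_set(priv) <= 1:          # the 'priv key bits set' check
            continue
        pub = pow(g, priv, p)
        if dh_pub_is_valid(p, pub)[0]:
            return priv, pub


def exchange(need_bits, p=P, g=G):
    """Both sides of the exchange. Returns (secrets_agree, client_log,
    server_log), the logs being the debug figures each side would print."""
    c_priv, c_pub = dh_gen_key(p, g, need_bits)
    s_priv, s_pub = dh_gen_key(p, g, need_bits)
    ok_c, set_c, pbits = dh_pub_is_valid(p, s_pub)   # client validates f
    ok_s, set_s, _ = dh_pub_is_valid(p, c_pub)       # server validates e
    if not (ok_c and ok_s):
        return False, None, None
    shared_c = pow(s_pub, c_priv, p)
    shared_s = pow(c_pub, s_priv, p)
    client_log = (f"priv key bits set: {bits_set(c_priv)}/{2 * need_bits}, "
                  f"bits set: {set_c}/{pbits}")
    server_log = f"bits set: {set_s}/{pbits}"
    return shared_c == shared_s, client_log, server_log


if __name__ == "__main__":
    print("group requested for a 192-bit key:", estimate_group_bits(192))
    agree, c_log, s_log = exchange(192)
    print("shared secret agrees:", agree)
    print("client:", c_log)
    print("server:", s_log)
```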
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 05 Jun 2003 22:16:05 +1000
Subject: Regression tests (again)
References:
Message-ID: <3EDF3485.35BEA315@zip.com.au>

There's a couple of other changes I've been using locally which aren't in the patch (eg grabs HAVE_GETPEEREUID from config.h to decide whether to run the peereuid tests).

Ben Lindstrom wrote:
> I'm worried about the removals of $OBJ in different places, but the
> keeping of them in others.
>
> You changed the main ssh_config file with this patch.. so watch that.

Yeah, I saw that. It wasn't intended.

> FYI I added a bunch of stuff to sftp*.sh testing recently that will
> need to be pulled in.

OK.

> Can you review your patch for authorized_key usage? It seems to be
> scattered on how the changes happen.

The authorized_keys will be a problem. (eg: an out-of-the-box AIX build will have / owned by bin.bin, and if you're not building in $HOME then StrictModes will check it and the tests will fail). I'm thinking of just setting StrictModes=no and abandoning the other related changes.

> Also any reason why you stripped out $OBJ in some places and not others?

Not that I can think of, I'll have to check.

> You pulled out agent-ptrace from the test list, and modified the test.
> You plan on re-adding it?

If it works, yes. I forget what the issue was.

> I think other than that.. I think we should get the portable regression
> tests up to par.

Agreed. Ideally it should be possible to routinely run "make test" as part of an install.

FWIW, Markus has said he'll take a look at the patch too.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From markus at openbsd.org Fri Jun 6 00:22:14 2003
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 5 Jun 2003 16:22:14 +0200
Subject: Slow connection performance - ssh2
In-Reply-To: <000301c32b56$b05c80e0$7500a8c0@GibsonI8200>
References: <000301c32b56$b05c80e0$7500a8c0@GibsonI8200>
Message-ID: <20030605142214.GA26082@folly>

On Thu, Jun 05, 2003 at 07:36:21AM -0400, David M. Gibson wrote:
> What does the "bits set" size indicate, is it related to the size of
> key?

this is relative to the key size needed for the ciphers you are using.

for smaller symmetric keys, smaller Diffie Hellman groups are used (e.g. aes128-cbc, blowfish-cbc)
for larger symmetric keys, larger Diffie Hellman groups are used (e.g. 3des-cbc, aes256-cbc).

the slowdown is because of the DH exchange.

You could see a speedup if you change to a fixed DH group with this change in myproposal.h, but it's not recommended.

26c26
< #define KEX_DEFAULT_KEX "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"
---
> #define KEX_DEFAULT_KEX "diffie-hellman-group1-sha1"

From andreq at infolink.com.br Fri Jun 6 00:36:23 2003
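Review bot: the replacement line '#define KEX_DEFAULT_KEX "diffie-hellman-group1-sha1"' removes diffie-hellman-group-exchange-sha1 entirely, so the client can no longer negotiate the larger groups that the exchange selects for ciphers with longer keys (the 3des-cbc and aes256-cbc case described just above) and is pinned to the fixed 1024-bit group1 for every connection. The message already calls this not recommended; if it is applied on a slow client anyway, record in the change that it trades cipher-matched group size for speed, and keep it out of any server build.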
From: andreq at infolink.com.br (André Luís Quintaes Guimarães)
Date: Thu, 5 Jun 2003 11:36:23 -0300
Subject: [patch] Builtin Mysql authentication
Message-ID: <004101c32b6f$db543900$0200000a@virtua.com.br>

Hi,

I would like to propose a patch that authenticates users in a mysql database without the use of nss-mysql or pam-mysql.

I have a working patch, such that in case of a failure in getpwnam() it searches for the user in a mysql database and fills his pw password struct. Although my actual patch uses pam-mysql to authenticate, I think it would be better if all authentication is builtin openssh, eliminating entirely the use of pam or nss (which I don't trust).

Such patch could be extended to other databases or ldap, depending on the user's choice at compile time. Parameters would be read from sshd_config. It could even have some flag that tells to chroot the user to a specific jail.

Please, tell me what your opinions are and the possibility to accept this patch.

IMHO it would be a nice addition with few code lines, useful especially for access or hosting providers (like myself) that must supply their clients a form of managing their account without having to maintain thousands of entries in files.

Thanks for your time, warm regards

From markus at openbsd.org Fri Jun 6 01:00:22 2003
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 5 Jun 2003 17:00:22 +0200
Subject: [patch] Builtin Mysql authentication
In-Reply-To: <004101c32b6f$db543900$0200000a@virtua.com.br>
References: <004101c32b6f$db543900$0200000a@virtua.com.br>
Message-ID: <20030605150022.GA19778@folly>

On Thu, Jun 05, 2003 at 11:36:23AM -0300, André Luís Quintaes Guimarães wrote:
> I think it
> would be better if all authentication is builtin openssh, eliminating
> entirely the use of pam or nss (which I dont trust).

I don't think this will even happen. It makes no sense to copy this code into OpenSSH. If the system is broken, the system should be fixed, not OpenSSH.

From djm at mindrot.org Fri Jun 6 01:10:09 2003
From: djm at mindrot.org (Damien Miller)
Date: Fri, 06 Jun 2003 01:10:09 +1000
Subject: [patch] Builtin Mysql authentication
In-Reply-To: <004101c32b6f$db543900$0200000a@virtua.com.br>
References: <004101c32b6f$db543900$0200000a@virtua.com.br>
Message-ID: <3EDF5D51.5040602@mindrot.org>

André Luís Quintaes Guimarães wrote:
> Hi,
> I would like to propose a patch that authenticates users in a
> mysql database without the use of nss-mysql or pam-mysql.

Thanks, but such a patch is unlikely to be accepted. For a start, MySQL's LGPL license is contrary to our goal of having BSD or similar licenses on everything in OpenSSH.

I don't think that per-application patches are the best way to integrate alternate user lookup / authentication systems. Also, if we were to accept a ssh-mysql patch then we would probably have to accept a ssh-pgsql and a ssh-sapdb and maybe a ssh-oracle patch. This leads to an explosion of optional code which reduces security and undermines our ability to properly test the software. (we already have too many options in our code IMO)

> I have a working patch, such that in case of a failure in getpwnam()
> it searchs for the user in a mysql database and fills his pw password
> struct. Although my actual patch uses pam-mysql to authenticate, I think it
> would be better if all authentication is builtin openssh, eliminating
> entirely the use of pam or nss (which I dont trust).

... and yet you trust MySQL? My opinions of PAM and NSS are pretty poor, but at least the developers of those are highly focused on security. I don't recall many recent security bugs in either of these, but several issues with MySQL.

-d

From djm at mindrot.org Fri Jun 6 01:13:47 2003
From: djm at mindrot.org (Damien Miller)
Date: Fri, 06 Jun 2003 01:13:47 +1000
Subject: Slow connection performance - ssh2
In-Reply-To: <000301c32b56$b05c80e0$7500a8c0@GibsonI8200>
References: <000301c32b56$b05c80e0$7500a8c0@GibsonI8200>
Message-ID: <3EDF5E2B.4040601@mindrot.org>

David M. Gibson wrote:
> Using ssh2 via agent to connect through proxy to sshd host. Each
> connection (client to proxy, proxy to host) takes an average of 22
> seconds, totaling approximately 44 seconds for a complete connection.
> Debug logging with vmstat directed to the same file indicates two points
> where a majority of time is spent (have looked at the similar postings):
>
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP (*6 seconds*)

If your device is really slow, you can turn DHGEX off by renaming /etc/moduli to something else.

ssh protocol 1 may be faster (but is less secure)

You may also be suffering from DNS lookup delays.

-d

From balland1 at llnl.gov Fri Jun 6 10:39:01 2003
From: balland1 at llnl.gov (Peter Balland)
Date: Thu, 05 Jun 2003 17:39:01 -0700
Subject: getusershell()
Message-ID: <5.0.0.25.2.20030605172545.03ff38d8@mail-lc.llnl.gov>

I was wondering if there is any chance of getusershell() functionality ever making it into the official OpenSSH distribution. From searching the list archives, it looks like a patch to add this support in openbsd-compat was created by Damien Miller on 2001-03-18, but never seemed to be tested or applied. I think this functionality would be very helpful, and am willing to take a stab at updating the patch if there is a chance of it being approved.

- Peter

From djm at mindrot.org Fri Jun 6 11:00:47 2003
From: djm at mindrot.org (Damien Miller)
Date: Fri, 06 Jun 2003 11:00:47 +1000
Subject: getusershell()
In-Reply-To: <5.0.0.25.2.20030605172545.03ff38d8@mail-lc.llnl.gov>
References: <5.0.0.25.2.20030605172545.03ff38d8@mail-lc.llnl.gov>
Message-ID: <3EDFE7BF.1090802@mindrot.org>

Peter Balland wrote:
> I was wondering if there is any chance of getusershell() functionality ever
> making it into the official OpenSSH distribution. From searching the list
> archives, it looks like a patch to add this support in openbsd-compat was
> created by Damien Miller on 2001-03-18, but never seemed to be tested or
> applied. I think this functionality would be very helpful, and am willing
> to take a stab at updating the patch if there is a chance of it being approved.

Could you refresh our collective memories as to what this patch does?

-d

From balland1 at llnl.gov Fri Jun 6 11:25:03 2003
From: balland1 at llnl.gov (Peter Balland)
Date: Thu, 05 Jun 2003 18:25:03 -0700
Subject: getusershell()
In-Reply-To: <3EDFE7BF.1090802@mindrot.org>
References: <5.0.0.25.2.20030605172545.03ff38d8@mail-lc.llnl.gov> <5.0.0.25.2.20030605172545.03ff38d8@mail-lc.llnl.gov>
Message-ID: <5.0.0.25.2.20030605181038.0403ef50@mail-lc.llnl.gov>

At 11:00 AM 6/6/2003 +1000, Damien Miller wrote:
>Peter Balland wrote:
> > I was wondering if there is any chance of getusershell() functionality ever
> > making it into the official OpenSSH distribution. From searching the list
> > archives, it looks like a patch to add this support in openbsd-compat was
> > created by Damien Miller on 2001-03-18, but never seemed to be tested or
> > applied. I think this functionality would be very helpful, and am willing
> > to take a stab at updating the patch if there is a chance of it being approved.
>
>Could you refresh our collective memories as to what this patch does?
>
>-d

The patch I was referring to only adds support for the 3 functions getusershell(), setusershell(), and endusershell() for platforms where it is not supported (like IRIX.) The functions themselves would be used to check that a user's shell is listed as valid in /etc/shells. This can be used as an additional authorization step for auth types that benefit from it. I could not find a patch that actually adds these routines to the authentication routines, but based on the following email, I believe one was attempted:

>List: openssh-unix-dev
>Subject: Re: openssh wish list for 2.6.*
>From: Tim Rice
>Date: 2001-03-18 2:37:38
>[Download message RAW]
>
>
>03/17 CVS
>
>Undefined        first referenced
> symbol          in file
>endusershell     auth.o
>getusershell     auth.o
>setusershell     auth.o
>UX:ld: ERROR: sshd: fatal error: Symbol referencing errors. No output
>written to
> sshd
>
>Looks like more needs to be added to openbsd-compat
>
>--
>Tim Rice Multitalents (707) 887-1469
>tim at multitalents.net

Peter

---
Peter Balland
balland1 at llnl.gov

From mouring at etoh.eviladmin.org Fri Jun 6 18:33:23 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 6 Jun 2003 03:33:23 -0500 (CDT)
Subject: getusershell()
In-Reply-To: <3EDFE7BF.1090802@mindrot.org>
Message-ID:

Damien,

This was during the period in time when we were discussing how to support sftp only without giving the user a physical shell. In the end it was decided that all subsystems should run the user's shell instead.

- Ben

On Fri, 6 Jun 2003, Damien Miller wrote:

> Peter Balland wrote:
> > I was wondering if there is any chance of getusershell() functionality ever
> > making it into the official OpenSSH distribution. From searching the list
> > archives, it looks like a patch to add this support in openbsd-compat was
> > created by Damien Miller on 2001-03-18, but never seemed to be tested or
> > applied. I think this functionality would be very helpful, and am willing
> > to take a stab at updating the patch if there is a chance of it being approved.
>
> Could you refresh our collective memories as to what this patch does?
>
> -d
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From Jan.de.Haan at Essent.nl Fri Jun 6 21:33:44 2003
From: Jan.de.Haan at Essent.nl (Haan, de, Jan)
Date: Fri, 6 Jun 2003 13:33:44 +0200
Subject: X11 forwarding after su'ing
Message-ID: <939E0CBCEF91D311861400508B62C07A059F0E47@NT-EXCH-ZW1>

> > 3. why not use ssh -X -l ?
> Maybe, because -l root ain't that nice?
> Philipp

Sorry for referring so late to a (securityfocus) post, but the Subject has been nagging me for the last month ;-)

Problem was how to keep your DISPLAY, xauth and security (no 'ssh root at host' over the net) when changing users remotely (especially to root with su/sudo).

Comments please on the security side of this 'solution' and the proposed feature request.

Solved it by running two sshd's, one started with "sshd -f sshd1_config" with

    "ListenAddress "
    "PermitRootLogin no"
    "PidFile /var/run/ssh1.pid" <== That one bit me ... in the ass a few times ;-)

... And another started with "sshd -f sshd2_config"

    "ListenAddress dummy0"
    "PermitRootLogin yes"
    "PidFile /var/run/ssh2.pid"

dummy0 is the hostname of the ip address on a loopback adapter (Debian/GNU/Linux /etc/modules, dummy; HPUX/Sun ifconfig lo0:1; winx msloopback adapter) which is not visible on the outside (disabled in routing). Only one extra address/subnet (/30 ?) is needed for an unlimited number of hosts since it can be identical on all because it is not routed.

Access can be gained in two ways: generating two keys that you both load in your ssh-agent or by adding your identity.pub to the authorized_keys2 of the second remote user.

Proof of concept:

    user1 at host1:/home/user1 >ssh -X host2
    Linux host2 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686 unknown
    Last login: Fri Jun 6 08:44:00 2003 from host1
    user1 at host2:~$ ssh -X root at dummy0
    Linux host2 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686 unknown
    Last login: Fri Jun 6 11:25:25 2003 from dummy0
    root at host2:/root >echo $DISPLAY
    localhost:11.0
    root at host2:/root >

and

    user1 at host1:/home/user1 >ssh -X -f host2 'ssh -X -f root at dummy0 /usr/bin/X11/xterm'

works too.
Feature request

This kludge (2 daemons) would not have to be used if the possibility existed of using a combined "AllowUsers" and "ListenAddress" parameter (ACL's ?), for instance:

ACL [allow|deny],[dns|host|ipaddress|range[:port]],[user|group],[dns|host|ipaddress|range[:port]]

ACL allow, hostname, root, dummy0
ACL deny, *, !root, dummy0
ACL allow, *, !root, *
ACL deny, *, *, *

(sorry, Cisco heritage showing ;-) )

Sincerely,
Jan.

From markus at openbsd.org Fri Jun 6 23:46:10 2003
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 6 Jun 2003 15:46:10 +0200
Subject: X11 forwarding after su'ing
In-Reply-To: <939E0CBCEF91D311861400508B62C07A059F0E47@NT-EXCH-ZW1>
References: <939E0CBCEF91D311861400508B62C07A059F0E47@NT-EXCH-ZW1>
Message-ID: <20030606134610.GB3105@folly>

On Fri, Jun 06, 2003 at 01:33:44PM +0200, Haan, de, Jan wrote:
> Comments please on the security side of this 'solution' and the
> proposed feature request.

hm, i think sudo is much simpler.

From wendyp at cray.com Sat Jun 7 04:10:34 2003
From: wendyp at cray.com (Wendy Palm)
Date: Fri, 06 Jun 2003 13:10:34 -0500
Subject: bugtraq re: remote client address restriction circumvention
Message-ID: <3EE0D91A.5060502@cray.com>

does anyone have a comment to make about this?
(cert picked it up and we're being asked for a vendor response)

http://www.securityfocus.com/archive/1/324016/2003-06-03/2003-06-09/0

do we have an "official" response yet?

thanks,
wendy

--
wendy palm
Cray Open Software Development, Cray Inc.
wendyp at cray.com, 651-605-9154

From markus at openbsd.org Sat Jun 7 04:44:33 2003
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 6 Jun 2003 20:44:33 +0200
Subject: bugtraq re: remote client address restriction circumvention
In-Reply-To: <3EE0D91A.5060502@cray.com>
References: <3EE0D91A.5060502@cray.com>
Message-ID: <20030606184432.GA7093@faui02>

On Fri, Jun 06, 2003 at 01:10:34PM -0500, Wendy Palm wrote:
> does anyone have a comment to make about this?
> (cert picked it up and we're being asked for a vendor response)
>
> http://www.securityfocus.com/archive/1/324016/2003-06-03/2003-06-09/0
>
> do we have an "official" response yet?

official response:

If you depend on IP or DNS based access control, make sure VerifyReverseMapping is turned on in your sshd_config file. Otherwise there's no reason to care about this.

In the current code/next release the VerifyReverseMapping option is deprecated and replaced by UseDNS.

-m

From phil at ipom.com Sat Jun 7 14:37:43 2003
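An added example, not code from the thread: a small sshd_config audit for the two points raised above, Markus' response (user@host patterns in AllowUsers/DenyUsers only hold when VerifyReverseMapping, later UseDNS, is yes) and Jan's two-daemon setup (an instance with PermitRootLogin yes bound only to the non-routed dummy0 address). The audit rules, messages and the two sample configs are constructed here; only the keywords are sshd's.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for two pitfalls.
#  1. AllowUsers/DenyUsers entries of the form user@host are checked against the
#     client's reverse DNS name, so they are only meaningful when
#     VerifyReverseMapping (or its replacement UseDNS) is yes.
#  2. A daemon with PermitRootLogin yes (the second daemon of the two-sshd setup)
#     must be bound to a specific, non-routed address, never to all addresses.
# The rules and messages below are mine, not OpenSSH's.

# config_get FILE KEYWORD: effective value of KEYWORD. The first occurrence wins
# (as sshd applies it); comment lines are skipped; keyword match is case-insensitive.
config_get() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# has_host_patterns FILE: succeeds if any AllowUsers/DenyUsers entry has a host part.
has_host_patterns() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "allowusers" || tolower($1) == "denyusers" {
            for (i = 2; i <= NF; i++) if ($i ~ /@/) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# audit_sshd_config FILE: prints one line per finding; returns the finding count.
audit_sshd_config() {
    findings=0
    if has_host_patterns "$1"; then
        vrm=$(config_get "$1" VerifyReverseMapping)
        usedns=$(config_get "$1" UseDNS)
        # UseDNS replaced VerifyReverseMapping; either one turns the check on.
        if [ "$vrm" != yes ] && [ "$usedns" != yes ]; then
            echo "WARN: user@host patterns in AllowUsers/DenyUsers, but neither VerifyReverseMapping nor UseDNS is yes"
            findings=$((findings + 1))
        fi
    fi
    if [ "$(config_get "$1" PermitRootLogin)" = yes ]; then
        case "$(config_get "$1" ListenAddress)" in
            ""|0.0.0.0|"::"|"[::]")
                echo "WARN: PermitRootLogin yes on a daemon that listens on all addresses"
                findings=$((findings + 1)) ;;
        esac
    fi
    return "$findings"
}

# Constructed sample configs modelled on the thread (no real hosts).
AUDIT_DIR=$(mktemp -d)
cat > "$AUDIT_DIR/weak.conf" <<'EOF'
# one daemon for everything: root allowed on every address, host pattern unverified
PermitRootLogin yes
AllowUsers root@admin.example.com *@*.example.com
VerifyReverseMapping no
EOF
cat > "$AUDIT_DIR/hardened.conf" <<'EOF'
# the second daemon of the two-sshd setup: root only via the non-routed dummy0
ListenAddress dummy0
PermitRootLogin yes
AllowUsers root@admin.example.com
UseDNS yes
EOF

for f in "$AUDIT_DIR"/weak.conf "$AUDIT_DIR"/hardened.conf; do
    echo "== $f"
    rc=0; audit_sshd_config "$f" || rc=$?
    echo "findings: $rc"
done
```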
From: phil at ipom.com (Phil Dibowitz) Date: Fri, 06 Jun 2003 21:37:43 -0700 Subject: openssh reading only SOME ssh1 hostkeys from ssh.com ssh Message-ID: <3EE16C17.1030103@ipom.com> Hey folks, I've asked this on the security focus mailing list, but no one seems to know... I'm in the process of moving my company from old crufty ssh.com ssh1 to openssh. On most of our hosts, we've created rsa and dsa keys but managed to KEEP the old rsa1 key... However, on a few hosts, openssh has been unable to read the old rsa1 key and has claimed: debug1: Unsupported cipher 1 used in key file /etc/ssh/ssh_host_key. Could not load host key: /etc/ssh/ssh_host_key Does anyone know why it is that openssh has this problem only sometimes, and if there is a way to fix it? Thanks, -- Phil Dibowitz phil at ipom.com Freeware and Technical Pages Insanity Palace of Metallica http://www.phildev.net/ http://www.ipom.com/ "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, 1759 From dtucker at zip.com.au Sat Jun 7 16:04:40 2003 
From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 07 Jun 2003 16:04:40 +1000 Subject: openssh reading only SOME ssh1 hostkeys from ssh.com ssh References: <3EE16C17.1030103@ipom.com> Message-ID: <3EE18078.535831C0@zip.com.au> Phil Dibowitz wrote: > However, on a few hosts, openssh has been unable to read the old rsa1 > key and has claimed: > > debug1: Unsupported cipher 1 used in key file /etc/ssh/ssh_host_key. > Could not load host key: /etc/ssh/ssh_host_key > > Does anyone know why it is that openssh has this problem only sometimes, > and if there is a way to fix it? I think that's because those keys are encrypted with IDEA, which OpenSSH does not support for patent reasons. You can use ssh-keygen *from commercial ssh* to convert the keys. See http://www.openssh.com/faq.html#2.5 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From mouring at etoh.eviladmin.org Sat Jun 7 16:39:57 2003 
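An added example, not code from the thread: a check that classifies the cipher byte of SSH protocol 1 private key files, so IDEA-encrypted ssh.com keys (the "Unsupported cipher 1" case above) are found before a migration rather than when sshd fails to start. It assumes the rsa1 file layout OpenSSH's authfile.c reads (id string, NUL, one cipher-type byte) and the SSH1 cipher numbers 0 = none, 1 = IDEA, 3 = 3DES; the sample files are constructed headers with no key material.

```shell
#!/bin/sh
# Added example (not from the thread): find SSH1 private key files that OpenSSH
# cannot load because of their cipher type.
# Assumed layout (as read by OpenSSH authfile.c for rsa1 keys): the file begins
# with the id string "SSH PRIVATE KEY FILE FORMAT 1.1\n", a NUL terminator, then a
# one-byte cipher type and 4 reserved bytes. SSH1 cipher numbers: 0 = none,
# 1 = IDEA, 3 = 3DES. OpenSSH loads only types 0 and 3.

SSH1_ID_STRING='SSH PRIVATE KEY FILE FORMAT 1.1'

# ssh1_cipher_type FILE: print the cipher type byte, or "notrsa1" (and return 1)
# if the file does not start with the SSH1 id string.
ssh1_cipher_type() {
    # The id string without its trailing newline is 31 bytes.
    if [ "$(dd if="$1" bs=31 count=1 2>/dev/null)" != "$SSH1_ID_STRING" ]; then
        echo notrsa1
        return 1
    fi
    # Offset 33: 31 characters, the newline, then the NUL terminator.
    od -An -tu1 -j 33 -N 1 "$1" | tr -d ' \t'
}

# ssh1_key_status FILE: verdict for the key; 0 = loadable, 1 = needs conversion,
# 2 = not an SSH1 key file at all.
ssh1_key_status() {
    t=$(ssh1_cipher_type "$1") || { echo "not an SSH1 key file"; return 2; }
    case "$t" in
        0) echo "ok: unencrypted rsa1 key" ;;
        3) echo "ok: 3DES-encrypted rsa1 key (needs its passphrase)" ;;
        1) echo "convert: IDEA-encrypted key, OpenSSH reports 'Unsupported cipher 1'"
           return 1 ;;
        *) echo "convert: unsupported cipher type $t"
           return 1 ;;
    esac
}

# Constructed sample headers (no key material); only the cipher byte differs.
KEYDIR=$(mktemp -d)
printf 'SSH PRIVATE KEY FILE FORMAT 1.1\n\000\001\000\000\000\000' > "$KEYDIR/idea_key"
printf 'SSH PRIVATE KEY FILE FORMAT 1.1\n\000\000\000\000\000\000' > "$KEYDIR/plain_key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$KEYDIR/pem_key"

for f in "$KEYDIR"/idea_key "$KEYDIR"/plain_key "$KEYDIR"/pem_key; do
    printf '%s: ' "$(basename "$f")"
    ssh1_key_status "$f" || true
done
```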
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sat, 7 Jun 2003 01:39:57 -0500 (CDT)
Subject: openssh reading only SOME ssh1 hostkeys from ssh.com ssh
In-Reply-To: <3EE18078.535831C0@zip.com.au>
Message-ID:

On Sat, 7 Jun 2003, Darren Tucker wrote:
> Phil Dibowitz wrote:
> > However, on a few hosts, openssh has been unable to read the old rsa1
> > key and has claimed:
> >
> > debug1: Unsupported cipher 1 used in key file /etc/ssh/ssh_host_key.
> > Could not load host key: /etc/ssh/ssh_host_key
> >
> > Does anyone know why it is that openssh has this problem only sometimes,
> > and if there is a way to fix it?
>
> I think that's because those keys are encrypted with IDEA, which OpenSSH
> does not support for patent reasons. You can use ssh-keygen *from
> commercial ssh* to convert the keys.
>

That would be my first reaction also, but why would someone put a passphrase on the ssh_host_key? That does not seem to be a useful thing to do.

It would be useful to see the key in question (even if I know it may not be practical) so we don't have to guess why.

But I agree with Mr Tucker. You may want to see if you can strip any passphrases from the keys in question.

- Ben

From markus at openbsd.org Sat Jun 7 17:54:02 2003
From: markus at openbsd.org (Markus Friedl) Date: Sat, 7 Jun 2003 09:54:02 +0200 Subject: openssh reading only SOME ssh1 hostkeys from ssh.com ssh In-Reply-To: References: <3EE18078.535831C0@zip.com.au> Message-ID: <20030607075402.GA20107@folly> On Sat, Jun 07, 2003 at 01:39:57AM -0500, Ben Lindstrom wrote: > > On Sat, 7 Jun 2003, Darren Tucker wrote: > > > Phil Dibowitz wrote: > > > However, on a few hosts, openssh has been unable to read the old rsa1 > > > key and has claimed: > > > > > > debug1: Unsupported cipher 1 used in key file /etc/ssh/ssh_host_key. > > > Could not load host key: /etc/ssh/ssh_host_key > > > > > > Does anyone know why it is that openssh has this problem only sometimes, > > > and if there is a way to fix it? > > > > I think that's because those keys are encrypted with IDEA, which OpenSSH > > does not support for patent reasons. You can use ssh-keygen *from > > commercial ssh* to convert the keys. > > > > That would be my first reaction also, but why would someone put a > passphrase on the ssh_host_key? That does not seem to be a useful > thing to do. perhaps it's "no encryption" vs. "encryption with empty password" -m From phil at ipom.com Sat Jun 7 18:15:28 2003 
From: phil at ipom.com (Phil Dibowitz) Date: Sat, 07 Jun 2003 01:15:28 -0700 Subject: openssh reading only SOME ssh1 hostkeys from ssh.com ssh In-Reply-To: <3EE18078.535831C0@zip.com.au> References: <3EE16C17.1030103@ipom.com> <3EE18078.535831C0@zip.com.au> Message-ID: <3EE19F20.4070408@ipom.com> Darren Tucker wrote: > Phil Dibowitz wrote: > >>However, on a few hosts, openssh has been unable to read the old rsa1 >>key and has claimed: >> >> debug1: Unsupported cipher 1 used in key file /etc/ssh/ssh_host_key. >> Could not load host key: /etc/ssh/ssh_host_key >> >>Does anyone know why it is that openssh has this problem only sometimes, >>and if there is a way to fix it? > > > I think that's because those keys are encrypted with IDEA, which OpenSSH > does not support for patent reasons. You can use ssh-keygen *from > commercial ssh* to convert the keys. > > See http://www.openssh.com/faq.html#2.5 > Ah the docs. Doh! Hey, there's another FAQ in there that's helpful. Why didn't google gimme that? Ah well. Thanks! -- Phil Dibowitz phil at ipom.com Freeware and Technical Pages Insanity Palace of Metallica http://www.phildev.net/ http://www.ipom.com/ "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, 1759 From phil at ipom.com Sat Jun 7 18:16:56 2003 
From: phil at ipom.com (Phil Dibowitz)
Date: Sat, 07 Jun 2003 01:16:56 -0700
Subject: openssh reading only SOME ssh1 hostkeys from ssh.com ssh
In-Reply-To:
References:
Message-ID: <3EE19F78.3010106@ipom.com>

Ben Lindstrom wrote:
> But I agree with Mr Tucker. You may want to see if you can strip
> any passphrases from the keys in question.

No, you can't have the private key of one of our servers... sorry. =)

--
Phil Dibowitz phil at ipom.com
Freeware and Technical Pages Insanity Palace of Metallica
http://www.phildev.net/ http://www.ipom.com/

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, 1759

From dtucker at zip.com.au Sat Jun 7 20:27:43 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 07 Jun 2003 20:27:43 +1000
Subject: New regression test: connect after reconfigure
Message-ID: <3EE1BE1F.FAF0127F@zip.com.au>

Hi.

I made a regression test to catch the crash-on-sighup error that 3.6.1p2 had on a couple of platforms where it would not restart correctly. It's almost entirely code stolen from other tests.

I verified it works by breaking saved_argv (the actual problem was not consistent on most platforms).

I'd like to suggest it be included in both the OpenBSD and -portable test suites.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: reconfigure.sh
Type: application/x-sh
Size: 512 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030607/2de735ea/attachment.sh

From albanard at hotmail.com Sun Jun 8 13:59:13 2003
From: albanard at hotmail.com (Al Banard)
Date: Sun, 08 Jun 2003 13:59:13 +1000
Subject: Converting key between PEM and ASCII
Message-ID:

Hi all,

I know it's been a while but I just wanted to finish up this thread. I've now solved the problem by creating a separate ssh V1 keypair and using a separate hostname section in my conf file so that I can easily specify which private key to use by ssh-ing to a different host name.

What I was originally trying to do was use the ssh V2 keypair that I use most of the time with my HP 2512 switch. However my HP switch only supports the V1 protocol. The HP doco suggested that I could convert the public key from V2 to V1 and still use the same private key. The doco also suggested that a V2 public key tends to be PEM encoded or encoded in some way so that it's not just digits. So I guess the V2 public key for openssh is ASCII but not the pure digit format the doco was referring to when it said ASCII.

Anyway I guess the bottom line is it was just much easier to create a separate keypair so that's what I've done.

Regards
Al
>From: Damien Miller
>To: Al Banard
>CC: openssh-unix-dev at mindrot.org
>Subject: Re: Converting key between PEM and ASCII
>Date: Sat, 31 May 2003 10:48:25 +1000
>
>Al Banard wrote:
> > According to documentation for a switch which I'm getting SSH enabled,
> > I need to convert my openssh public key to an ascii string to be compatible
> > with the switch. The switch uses sshV1. Is there a way to do this? I've
> > found nothing in the man pages or FAQ and have tried the -x -X (-i -e)
> > arguments without success but I think they relate to a different translation
> > anyway.
>
>You need to generate a SSH protocol 1 key first (ssh-keygen -t rsa1).
>Then all you need to do is "cat ~/.ssh/identity.pub".
>
>-d
>
>_______________________________________________
>openssh-unix-dev mailing list
>openssh-unix-dev at mindrot.org
>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From djm at mindrot.org Sun Jun 8 16:51:11 2003
From: djm at mindrot.org (Damien Miller)
Date: Sun, 08 Jun 2003 16:51:11 +1000
Subject: Converting key between PEM and ASCII
In-Reply-To:
References:
Message-ID: <3EE2DCDF.6040109@mindrot.org>

Al Banard wrote:
> Hi all,
>
> I know it's been a while but I just wanted to finish up this thread.
> I've now solved the problem by creating a separate ssh V1 keypair
> and using a separate hostname section in my conf file so that I
> can easily specify which private key to use by ssh-ing to a
> different host name.
>
> What I was originally trying to do was use the ssh V2 keypair that
> I use most of the time with my HP 2512 switch. However my HP
> switch only supports the V1 protocol. The HP doco suggested that
> I could convert the public key from V2 to V1 and still use the same
> private key. The doco also suggested that a V2 public key tends
> to be PEM encoded or encoded in some way so that it's not just
> digits. So I guess the V2 public key for openssh is ASCII but not
> the pure digit format the doco was referring to when it said ASCII.

We have never supported sharing of SSH protocol v.1 and v.2 keys. They do different things in their respective protocols and we have never received positive advice from a cryptographer saying that it is safe to share them.

-d

From v_t_m at seznam.cz Tue Jun 10 19:30:51 2003
From: v_t_m at seznam.cz (Václav Tomec)
Date: Tue, 10 Jun 2003 11:30:51 +0200 (CEST)
Subject: SecurID authentication for 3.6.1p2 with privsep
Message-ID: <87829.282193-4205-946007020-1055237451@seznam.cz>

Hello all,

I have made SecurID authentication for OpenSSH 3.6.1p2.

This patch was totally rewritten, so please test it before use.

Kbd-int authentication is now integrated into challenge response auth.

Privsep is now fully supported.

PS: What do you think of selective access to the individual authentications, similar to AllowGroups/DenyGroups or maybe AllowUsers/DenyUsers ?

Vaclav Tomec
http://sweb.cz/v_t_m/

From larsch at trustcenter.de Tue Jun 10 19:43:59 2003
From: larsch at trustcenter.de (Nils Larsch)
Date: Tue, 10 Jun 2003 11:43:59 +0200
Subject: README.smartcard
Message-ID: <3EE5A85F.2010908@trustcenter.de>

Hi,

from ChangeLog:

20030609
 - (djm) Sync README.smartcard with OpenBSD -current

May I ask why the OpenSC section has been removed ?

Note: OpenSSH + OpenSC works for me (at least with a recent OpenSC snapshot).

Regards,
Nils

From dtucker at zip.com.au Wed Jun 11 22:43:02 2003
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 11 Jun 2003 22:43:02 +1000 Subject: [PATCH] Fix typos, OpenBSD + Portable Message-ID: <3EE723D6.64EFD142@zip.com.au> Hi. Whenever I notice a typo someplace, I fix it in a local "typo tree". Attached is 2 patches from that tree, one against OpenBSD and the other against Portable. Is it worth fixing these? -Daz. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: TODO =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/TODO,v retrieving revision 1.54 diff -u -r1.54 TODO --- TODO 18 May 2003 11:44:07 -0000 1.54 +++ TODO 18 May 2003 12:20:44 -0000 @@ -89,7 +89,7 @@ - PAM + See above PAM notes - AIX - + usrinfo() does not set TTY, but only required for legicy systems. Works + + usrinfo() does not set TTY, but only required for legacy systems. Works with PrivSep. - OSF + SIA is broken Index: openbsd-compat/bsd-cray.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/bsd-cray.c,v retrieving revision 1.12 diff -u -r1.12 bsd-cray.c --- openbsd-compat/bsd-cray.c 3 Jun 2003 02:45:27 -0000 1.12 +++ openbsd-compat/bsd-cray.c 11 Jun 2003 05:14:44 -0000 
@@ -459,7 +459,7 @@ ia_success(&ssent, &sret); /* - * Query for account, iff > 1 valid acid & askacid permbit + * Query for account, if > 1 valid acid & askacid permbit */ if (((ue.ue_permbits & PERMBITS_ACCTID) || (ue.ue_acids[0] >= 0) && (ue.ue_acids[1] >= 0)) && Index: openbsd-compat/fake-rfc2553.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/fake-rfc2553.c,v retrieving revision 1.2 diff -u -r1.2 fake-rfc2553.c --- openbsd-compat/fake-rfc2553.c 5 Jun 2003 09:37:30 -0000 1.2 +++ openbsd-compat/fake-rfc2553.c 11 Jun 2003 05:13:45 -0000 @@ -2,7 +2,7 @@ * Pseudo-implementation of RFC2553 name / address resolution functions * * But these functions are not implemented correctly. The minimum subset - * is implemented for ssh use only. For exapmle, this routine assumes + * is implemented for ssh use only. For example, this routine assumes * that ai_family is AF_INET. Don't use it for another purpose. */ Index: openbsd-compat/fake-rfc2553.h =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/fake-rfc2553.h,v retrieving revision 1.2 diff -u -r1.2 fake-rfc2553.h --- openbsd-compat/fake-rfc2553.h 5 Jun 2003 12:20:11 -0000 1.2 +++ openbsd-compat/fake-rfc2553.h 11 Jun 2003 05:13:54 -0000 
@@ -2,7 +2,7 @@ * Pseudo-implementation of RFC2553 name / address resolution functions * * But these functions are not implemented correctly. The minimum subset - * is implemented for ssh use only. For exapmle, this routine assumes + * is implemented for ssh use only. For example, this routine assumes * that ai_family is AF_INET. Don't use it for another purpose. */ -------------- next part -------------- ? tmpfile ? scard/Ssh.bin ? scp/scp ? scp/scp.cat1 ? sftp/sftp ? sftp/sftp.cat1 ? sftp-server/sftp-server ? sftp-server/sftp-server.cat8 ? ssh/ssh ? ssh/ssh.cat1 ? ssh/ssh_config.cat5 ? ssh-add/ssh-add ? ssh-add/ssh-add.cat1 ? ssh-agent/ssh-agent ? ssh-agent/ssh-agent.cat1 ? ssh-keygen/ssh-keygen ? ssh-keygen/ssh-keygen.cat1 ? ssh-keyscan/ssh-keyscan ? ssh-keyscan/ssh-keyscan.cat1 ? ssh-keysign/ssh-keysign ? ssh-keysign/ssh-keysign.cat8 ? sshd/sshd ? sshd/sshd.cat8 ? sshd/sshd_config.cat5 Index: auth.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/auth.c,v retrieving revision 1.48 diff -u -r1.48 auth.c --- auth.c 2003/06/02 09:17:34 1.48 +++ auth.c 2003/06/11 12:29:19 @@ -111,7 +111,7 @@ if (match_user(pw->pw_name, hostname, ipaddr, options.allow_users[i])) break; - /* i < options.num_allow_users iff we break for loop */ + /* i < options.num_allow_users if we break for loop */ if (i >= options.num_allow_users) { logit("User %.100s not allowed because not listed in AllowUsers", pw->pw_name); Index: monitor.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/monitor.c,v retrieving revision 1.42 diff -u -r1.42 monitor.c --- monitor.c 2003/06/02 09:17:34 1.42 +++ monitor.c 2003/06/11 12:29:20 
@@ -93,7 +93,7 @@ u_int olen; } child_state; -/* Functions on the montior that answer unprivileged requests */ +/* Functions on the monitor that answer unprivileged requests */ int mm_answer_moduli(int, Buffer *); int mm_answer_sign(int, Buffer *); Index: sftp-client.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sftp-client.c,v retrieving revision 1.43 diff -u -r1.43 sftp-client.c --- sftp-client.c 2003/04/08 20:21:29 1.43 +++ sftp-client.c 2003/06/11 12:29:21 @@ -904,7 +904,7 @@ if (len < buflen) buflen = MAX(MIN_READ_SIZE, len); } - if (max_req > 0) { /* max_req = 0 iff EOF received */ + if (max_req > 0) { /* max_req = 0 if EOF received */ if (size > 0 && offset > size) { /* Only one request at a time * after the expected EOF */ Index: sshlogin.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sshlogin.c,v retrieving revision 1.6 diff -u -r1.6 sshlogin.c --- sshlogin.c 2003/04/08 20:21:29 1.6 +++ sshlogin.c 2003/06/11 12:29:21 @@ -79,8 +79,8 @@ } /* - * Records that the user has logged in. I these parts of operating systems - * were more standardized. + * Records that the user has logged in. I wish these parts of operating + * systems were more standardized. */ void record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid, Index: sshpty.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sshpty.c,v retrieving revision 1.9 diff -u -r1.9 sshpty.c --- sshpty.c 2003/05/24 09:30:40 1.9 +++ sshpty.c 2003/06/11 12:29:21 @@ -181,7 +181,7 @@ error("chmod %.100s 0666 failed: %.100s", ttyname, strerror(errno)); } -/* Makes the tty the processes controlling tty and sets it to sane modes. */ +/* Makes the tty the process's controlling tty and sets it to sane modes. */ void pty_make_controlling_tty(int *ttyfd, const char *ttyname) From vervoom at hotmail.com Wed Jun 11 23:00:25 2003 
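Review bot: The bsd-cray.c hunk changes "iff" to "if" in "Query for account, iff > 1 valid acid & askacid permbit", but "iff" is the usual shorthand for "if and only if" and matches the two-sided condition that follows (both `ue.ue_acids[0] >= 0` and `ue.ue_acids[1] >= 0`), so this is probably not a typo; suggest keeping "iff" or spelling it out as "if and only if". While here, the condition visible in the context lines, `(ue.ue_permbits & PERMBITS_ACCTID) || (ue.ue_acids[0] >= 0) && (ue.ue_acids[1] >= 0)`, mixes `||` and `&&` without parentheses and so binds as `A || (B && C)`; explicit parentheses would make the intended grouping clear.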
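Review bot: The same concern applies to the auth.c hunk: "i < options.num_allow_users iff we break for loop" is a precise equivalence (the index is below the count exactly when the loop left via break, which the following `if (i >= options.num_allow_users)` test relies on), and rewriting it as "if" weakens it; suggest leaving "iff" or writing "if and only if".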
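Review bot: In the sftp-client.c hunk, "max_req = 0 iff EOF received" likewise states an equivalence that the `if (max_req > 0)` test on the same line depends on; keep "iff" or expand it rather than changing it to "if".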
From: vervoom at hotmail.com (J S) Date: Wed, 11 Jun 2003 13:00:25 +0000 Subject: SecurID authentication for 3.6.1p2 with privsep Message-ID: Thanks for your reply Vaclav. I've applied your patch and compiled openssh. If I do normal ssh that works fine, but if I try sftp it fails. I've tried various settings in the sshd_config but with no luck. I'm guessing it could be something to do with the version of ACE I'm using though if that were the case I would have expected to see an error during the compile. Here's my sshd_config, sshd and ssh verbose for the sftp. Would you mind taking a quick look and telling me if you can spot anything I'm doing wrong please? Thanks, JS. $ cat /usr/ace/sdace.txt ACE/Server 4.1.097 Fri Apr 7 10:43:27 EDT 2000 Port 5065 Protocol 2 #ListenAddress 0.0.0.0 #ListenAddress :: # HostKey for protocol version 1 # HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 3600 #ServerKeyBits 768 # Logging #obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 600 PermitRootLogin yes #StrictModes yes #RSAAuthentication yes PubkeyAuthentication no #AuthorizedKeysFile .ssh/authorized_keys # rhosts authentication should not be used #RhostsAuthentication no # Don't read the user's ~/.rhosts and ~/.shosts files # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # To disable tunneled clear text passwords, change to no here! 
PasswordAuthentication yes PermitEmptyPasswords yes # Change to no to disable s/key passwords ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #AFSTokenPassing no # Kerberos TGT Passing only works with the AFS kaserver #KerberosTgtPassing no # Set this to 'yes' to enable PAM keyboard-interactive authentication # Warning: enabling this may bypass the setting of 'PasswordAuthentication' #PAMAuthenticationViaKbdInt no KbdInteractiveAuthentication yes # SecurID options SDConfRecDir /usr/ace/data SecurIDAuthentication yes X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes PrintMotd no PrintLastLog yes #KeepAlive yes UseLogin no UsePrivilegeSeparation no Compression no #MaxStartups 10 # no default banner path #Banner /some/path #VerifyReverseMapping no # override default of no subsystems Subsystem sftp /opt/local/openssh/libexec/sftp-server # ./sshd -d -d -d -f ../etc/sshd_config debug3: Seeding PRNG from /opt/local/openssh-3.6.1p2/libexec/ssh-rand-helper debug2: read_server_config: filename ../etc/sshd_config debug1: sshd version OpenSSH_3.6.1p2 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #0 type 1 RSA debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #1 type 2 DSA debug1: Bind to port 5065 on 0.0.0.0. Server listening on 0.0.0.0 port 5065. debug1: Server will not fork when running in debugging mode. 
Connection from 161.2.66.28 port 61123 debug1: Client protocol version 2.0; client software version OpenSSH_3.6.1p2 debug1: match: OpenSSH_3.6.1p2 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: 
first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug2: dh_gen_key: priv key bits set: 118/256 debug2: bits set: 1559/3191 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug2: bits set: 1600/3191 debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user u752359 service ssh-connection method none debug1: attempt 0 failures 0 debug2: input_userauth_request: setting up authctxt for u752359 debug1: Starting up PAM with username "u752359" debug3: Trying to reverse map address 161.2.66.28. debug1: PAM setting rhost to "smpd9" debug2: input_userauth_request: try method none debug1: PAM password authentication accepted for u752359 debug2: pam_acct_mgmt() = 0 Accepted none for u752359 from 161.2.66.28 port 61123 ssh2 debug1: Entering interactive session for SSH2. 
debug1: fd 9 setting O_NONBLOCK debug1: fd 10 setting O_NONBLOCK debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 131072 max 32768 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_channel_req: channel 0 request subsystem reply 1 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req subsystem subsystem request for sftp debug1: subsystem: exec() /opt/local/openssh/libexec/sftp-server debug1: PAM establishing creds debug1: fd 12 setting O_NONBLOCK debug2: fd 12 is O_NONBLOCK debug1: channel 0: read<=0 rfd 12 len 0 debug1: channel 0: read failed debug1: channel 0: close_read debug1: channel 0: input open -> drain debug1: channel 0: ibuf empty debug1: channel 0: send eof debug1: channel 0: input drain -> closed debug1: Received SIGCHLD. 
debug1: session_by_pid: pid 10935
debug1: session_exit_message: session 0 channel 0 pid 10935
debug1: channel 0: request exit-status
debug1: session_exit_message: release channel 0
debug1: channel 0: write failed
debug1: channel 0: close_write
debug1: channel 0: output open -> closed
debug1: session_close: session 0 pid 10935
debug1: channel 0: send close
debug3: channel 0: will not send data after close
debug2: notify_done: reading
debug3: channel 0: will not send data after close
debug1: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: server-session, nchannels 1
debug3: channel_free: status: The following connections are open:\015
  #0 server-session (t4 r0 i3/0 o3/0 fd 12/12)\015
debug3: channel_close_fds: channel 0: r 12 w 12 e -1
Connection closed by 161.2.66.28
Closing connection to 161.2.66.28
debug1: Cannot delete credentials[7]: Permission denied

$ ./sftp -v -v -v -o port=5065 u752359 at smpd9
Connecting to smpd9...
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
debug1: Reading configuration data /opt/local/openssh-3.6.1p2/etc/ssh_config
debug3: Seeding PRNG from /opt/local/openssh-3.6.1p2/libexec/ssh-rand-helper
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug2: ssh_connect: needpriv 0
debug1: Connecting to smpd9 [161.2.66.28] port 5065.
debug1: Connection established.
debug1: identity file /home/u752359/.ssh/id_rsa type -1
debug3: Not a RSA1 key file /home/u752359/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/u752359/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 129/256
debug2: bits set: 1600/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/u752359/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 4
debug3: check_host_in_hostfile: filename /home/u752359/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 4
debug1: Host 'smpd9' is known and matches the RSA host key.
debug1: Found key in /home/u752359/.ssh/known_hosts:4
debug2: bits set: 1559/3191
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentication succeeded (none).
debug1: fd 6 setting O_NONBLOCK
debug2: fd 7 is O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: ssh_session2_setup: id 0
debug1: Sending subsystem: sftp
debug1: channel 0: request subsystem
debug2: callback done
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd close
debug1: channel 0: close_read
debug1: channel 0: input open -> closed
debug3: channel 0: will not send data after close
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
debug3: channel_free: status: The following connections are open:\015
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1)\015
debug3: channel_close_fds: channel 0: r -1 w -1 e 8
debug1: fd 0 clearing O_NONBLOCK
debug2: fd 1 is not O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.2 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 2
Connection closed
$

>Authentication code is common for ssh, scp and sftp too.
>
>Prompt would be
>
>Enter PASSCODE:
>
>if SecurID token is in Next TokenCode or New PIN, follow additional
>prompts.
>
>
> > Does this support SecurID authentication on scp/sftp as well now? And do you
> > get the PASSCODE prompt?
> >
> > JS.
> >
> > >Hello all,
> > >
> > >I have made SecurID authentication for OpenSSH 3.6.1p2.
> > >
> > >This patch was totally rewritten, so please test it before use.
> > >
> > >Kbd-int authentication is now integrated into challenge response
> > >auth.
> > >
> > >Privsep is now fully supported.
> > >
> > >
> > >PS: What do you think of selective access to the individual
> > >authentications, similar to AllowGroups/DenyGroups or maybe
> > >AllowUsers/DenyUsers ?
> > >
> > >
> > >Vaclav Tomec
> > >http://sweb.cz/v_t_m/
> > >
> > >_______________________________________________
> > >openssh-unix-dev mailing list
> > >openssh-unix-dev at mindrot.org
> > >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From ja2morri at csclub.uwaterloo.ca Thu Jun 12 00:32:09 2003
From: ja2morri at csclub.uwaterloo.ca (James Morrison)
Date: Wed, 11 Jun 2003 10:32:09 -0400 (EDT)
Subject: [PATCH] Fix typos, OpenBSD + Portable
In-Reply-To: <3EE723D6.64EFD142@zip.com.au> (message from Darren Tucker on Wed, 11 Jun 2003 22:43:02 +1000)
References: <3EE723D6.64EFD142@zip.com.au>
Message-ID: <20030611143209.0A02B10AC53@perpugilliam.csclub.uwaterloo.ca>

Date: Wed, 11 Jun 2003 22:43:02 +1000
From: Darren Tucker

Hi.
Whenever I notice a typo someplace, I fix it in a local "typo tree".
Attached are 2 patches from that tree, one against OpenBSD and the other
against Portable.

Is it worth fixing these?

-Daz.
--
Darren Tucker (dtucker at zip.com.au)

Are you sure about changing iff to if? I would think any changes of those
comments would require some explanation.

Index: openbsd-compat/bsd-cray.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/bsd-cray.c,v
retrieving revision 1.12
diff -u -r1.12 bsd-cray.c
--- openbsd-compat/bsd-cray.c	3 Jun 2003 02:45:27 -0000	1.12
+++ openbsd-compat/bsd-cray.c	11 Jun 2003 05:14:44 -0000
@@ -459,7 +459,7 @@
 	ia_success(&ssent, &sret);
 
 	/*
-	 * Query for account, iff > 1 valid acid & askacid permbit
+	 * Query for account, if > 1 valid acid & askacid permbit
 	 */
 	if (((ue.ue_permbits & PERMBITS_ACCTID) ||
 	    (ue.ue_acids[0] >= 0) && (ue.ue_acids[1] >= 0)) &&

I don't really understand the comment to understand whether if and only if
makes sense or not.

Index: auth.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth.c,v
retrieving revision 1.48
diff -u -r1.48 auth.c
--- auth.c	2003/06/02 09:17:34	1.48
+++ auth.c	2003/06/11 12:29:19
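Review bot: the bsd-cray.c hunk changes the meaning of the comment rather than fixing a typo. "iff" is the standard abbreviation for "if and only if", so `- * Query for account, iff > 1 valid acid & askacid permbit` says the query happens exactly when the condition holds, while the `+` line only states one direction. Suggest dropping this hunk, or spelling the abbreviation out as "if and only if" if it is felt to be unclear; the auth.c and sftp-client.c hunks of this patch make the same iff-to-if substitution and call for the same treatment.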
@@ -111,7 +111,7 @@
 		if (match_user(pw->pw_name, hostname, ipaddr,
 		    options.allow_users[i]))
 			break;
-		/* i < options.num_allow_users iff we break for loop */
+		/* i < options.num_allow_users if we break for loop */
 		if (i >= options.num_allow_users) {
 			logit("User %.100s not allowed because not listed in AllowUsers",
 			    pw->pw_name);

Is the loop broken for any other reason than i < options.num_allow_users?

Index: sftp-client.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sftp-client.c,v
retrieving revision 1.43
diff -u -r1.43 sftp-client.c
--- sftp-client.c	2003/04/08 20:21:29	1.43
+++ sftp-client.c	2003/06/11 12:29:21
@@ -904,7 +904,7 @@
 			if (len < buflen)
 				buflen = MAX(MIN_READ_SIZE, len);
 		}
-		if (max_req > 0) {	/* max_req = 0 iff EOF received */
+		if (max_req > 0) {	/* max_req = 0 if EOF received */

Are you sure you want to be changing iff to if. Iff means that this is the
only reason this could happen.

Jim

From fcusack at fcusack.com Thu Jun 12 07:26:34 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Wed, 11 Jun 2003 14:26:34 -0700
Subject: [PATCH] Fix typos, OpenBSD + Portable
In-Reply-To: <3EE723D6.64EFD142@zip.com.au>; from dtucker@zip.com.au on Wed, Jun 11, 2003 at 10:43:02PM +1000
References: <3EE723D6.64EFD142@zip.com.au>
Message-ID: <20030611142634.B2740@google.com>

On Wed, Jun 11, 2003 at 10:43:02PM +1000, Darren Tucker wrote:
> Hi.
> Whenever I notice a typo someplace, I fix it in a local "typo tree".
> Attached are 2 patches from that tree, one against OpenBSD and the other
> against Portable.

'iff' is not a typo, it means "if and only if"

/fc

From stephen-openssh at earth.li Thu Jun 12 07:27:11 2003
From: stephen-openssh at earth.li (Stephen White)
Date: Wed, 11 Jun 2003 22:27:11 +0100
Subject: [Patch] PAM Service name option
Message-ID: <20030611212711.GA30476@the.earth.li>

It's sometimes desired to be able to alter login policy depending upon how
the person was connecting to the ssh server. For example you might want
different rules on the internal and external interface of a gateway. In
another setup you might want an sshd with a different login policy running
on a different port - and set up different firewalling rules (for example).

I have implemented such a setup using PAM, however in order to do this I
need the different SSH daemons to use different PAM service names when
authenticating.

The attached patch (developed for 3.5p1, but it applies ok to 3.6.1p1)
implements this functionality, by adding a PAMServiceName option to
sshd_config.

On a slightly related note I've also managed to get one time passwords
(using OPIE) working with sshd, providing a more secure mechanism for
logging into a computer from a public workstation or similar (where you may
be worried about your password running the risk of falling prey to keyboard
loggers or other such trojans). OPIE development seems pretty much
non-existent so I'm not entirely sure who this is likely to be of interest
to, but if anyone wants code or instructions then email me.

In combination with the attached patch, for example, this allows an sshd
daemon listening internally to take normal passwords and one listening
externally to require OPIE passwords. Unfortunately this means enabling
PAMAuthenticationViaKbdInt, which might make the cure worse than the
disease.

--
Stephen White

From v_t_m at seznam.cz Thu Jun 12 05:39:50 2003
From: v_t_m at seznam.cz (Václav Tomec)
Date: Wed, 11 Jun 2003 21:39:50 +0200 (CEST)
Subject: SecurID authentication for 3.6.1p2 with privsep
In-Reply-To:
Message-ID: <12164.38741-4329-1681293348-1055360390@seznam.cz>

There is no allusion to SecurID authentication in the debug messages so I
would not look for a problem there.

Isn't it possible that in /etc/passwd you have sdshell as shell?

From dtucker at zip.com.au Thu Jun 12 09:19:56 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 12 Jun 2003 09:19:56 +1000
Subject: [PATCH] Fix typos, OpenBSD + Portable
References: <3EE723D6.64EFD142@zip.com.au> <20030611142634.B2740@google.com>
Message-ID: <3EE7B91C.80DD5CF5@zip.com.au>

Frank Cusack wrote:
> 'iff' is not a typo, it means "if and only if"

So I've been told (by half a dozen people so far :-). Consider me informed.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From fcusack at fcusack.com Thu Jun 12 09:43:15 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Wed, 11 Jun 2003 16:43:15 -0700
Subject: [Patch] PAM Service name option
In-Reply-To: <20030611212711.GA30476@the.earth.li>; from stephen-openssh@earth.li on Wed, Jun 11, 2003 at 10:27:11PM +0100
References: <20030611212711.GA30476@the.earth.li>
Message-ID: <20030611164315.B4174@google.com>

On Wed, Jun 11, 2003 at 10:27:11PM +0100, Stephen White wrote:
> The attached patch (developed for 3.5p1, but it applies ok to 3.6.1p1)
> implements this functionality, by adding a PAMServiceName option to
> sshd_config.

I wonder how many times this is going to be implemented.

Just run each sshd as a different name. sshd uses argv[0] as the
service name.

/fc

From pod at herald.ox.ac.uk Thu Jun 12 20:41:33 2003
From: pod at herald.ox.ac.uk (pod)
Date: Thu, 12 Jun 2003 11:41:33 +0100
Subject: [Patch] PAM Service name option
In-Reply-To: <20030611164315.B4174@google.com> (message from Frank Cusack on Wed, 11 Jun 2003 16:43:15 -0700)
References: <20030611212711.GA30476@the.earth.li> <20030611164315.B4174@google.com>
Message-ID:

>>>>> "FC" == Frank Cusack writes:

FC> Just run each sshd as a different name. sshd uses argv[0] as the
FC> service name.

... as long as sshd has been built without SSHD_PAM_SERVICE having been
defined. If SSHD_PAM_SERVICE has been defined then the service name is
hardwired and cannot be changed by changing argv[0].

From jmknoble at pobox.com Fri Jun 13 01:48:17 2003
From: jmknoble at pobox.com (Jim Knoble)
Date: Thu, 12 Jun 2003 11:48:17 -0400
Subject: [Patch] PAM Service name option
In-Reply-To:
References: <20030611212711.GA30476@the.earth.li> <20030611164315.B4174@google.com>
Message-ID: <20030612154817.GJ31694@crawfish.ais.com>

Circa 2003-06-12 11:41:33 +0100 dixit pod:

: >>>>> "FC" == Frank Cusack writes:
:
: FC> Just run each sshd as a different name. sshd uses argv[0] as the
: FC> service name.
:
: ... as long as sshd has been built without SSHD_PAM_SERVICE having been
: defined. If SSHD_PAM_SERVICE has been defined then the service name is
: hardwired and cannot be changed by changing argv[0].

If you define SSHD_PAM_SERVICE when you build sshd, then you should know
what you're doing.

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
Stop the War on Freedom ... Start the War on Poverty!

From sth at hq.bsbg.net Fri Jun 13 16:04:01 2003
From: sth at hq.bsbg.net (Stefan Hadjistoytchev)
Date: Fri, 13 Jun 2003 09:04:01 +0300
Subject: Problem/bug report for "bad decrypted len" error in OpenSSH
Message-ID: <004901c33171$96593500$4102010a@dev.bnet>

Hi!
I think lines between 250-252 in file ssh-rsa.c in OpenSSH source code
should be commented ! ! !

REASON:
Using "SecureNetTerm Client" ( http://www.securenetterm.com/ ) with
"SecureKeyAgent" ver. 5.4.2.4 ( Or same is with Putty + SecureKeyAgent ) to
connect to OpenSSH server "OpenSSH ver. 3.6.1" using public key from Smart
Card certificate causes the following errors in "/var/log/auth/errors":
.............
sshd[1224] error: bad decrypted len: 36 != 20 + 15
sshd[1227] error: bad decrypted len: 36 != 20 + 15
.............

I sent a letter about this to SecureNetTerm and here is the answer:

> OpenSSH 3.6.1 is a little braindead when it comes to proper operation of
> Certificates.
> All you have to do is edit the OpenSSL file ssh-rsa.c and comment out
> lines 250-252.
> This is a redundant length check that is not technically correct. The
> OpenSSH team is aware of the problem but don't care since they have no
> idea how to use certificates.

Would you please comment on this or FIX this issue ?

Best regards
Stefan Hadjistoytchev

From markus at openbsd.org Fri Jun 13 17:54:17 2003
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 13 Jun 2003 09:54:17 +0200
Subject: Problem/bug report for "bad decrypted len" error in OpenSSH
In-Reply-To: <004901c33171$96593500$4102010a@dev.bnet>
References: <004901c33171$96593500$4102010a@dev.bnet>
Message-ID: <20030613075416.GB11285@folly>

no, we have no idea how to use certificates.

i don't see a bugzilla bug for this, so how can we be aware?

On Fri, Jun 13, 2003 at 09:04:01AM +0300, Stefan Hadjistoytchev wrote:
> Hi!
> I think lines between 250-252 in file ssh-rsa.c in OpenSSH source code
> should be commented ! ! !
>
> REASON:
> Using "SecureNetTerm Client" ( http://www.securenetterm.com/ ) with
> "SecureKeyAgent" ver. 5.4.2.4 ( Or same is with Putty + SecureKeyAgent ) to
> connect to OpenSSH server "OpenSSH ver. 3.6.1" using public key from Smart
> Card certificate causes the following errors in "/var/log/auth/errors":
> .............
> sshd[1224] error: bad decrypted len: 36 != 20 + 15
> sshd[1227] error: bad decrypted len: 36 != 20 + 15
> .............
>
> I sent a letter about this to SecureNetTerm and here is the answer:
>
> > OpenSSH 3.6.1 is a little braindead when it comes to proper operation of
> > Certificates.
> > All you have to do is edit the OpenSSL file ssh-rsa.c and comment out
> > lines 250-252.
> > This is a redundant length check that is not technically correct. The
> > OpenSSH team is aware of the problem but don't care since they have no
> > idea how to use certificates.
>
> Would you please comment on this or FIX this issue ?
>
> Best regards
> Stefan Hadjistoytchev

From markus at openbsd.org Fri Jun 13 18:06:48 2003
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 13 Jun 2003 10:06:48 +0200
Subject: Problem/bug report for "bad decrypted len" error in OpenSSH
In-Reply-To: <004901c33171$96593500$4102010a@dev.bnet>
References: <004901c33171$96593500$4102010a@dev.bnet>
Message-ID: <20030613080648.GC11285@folly>

On Fri, Jun 13, 2003 at 09:04:01AM +0300, Stefan Hadjistoytchev wrote:
> Hi!
> I think lines between 250-252 in file ssh-rsa.c in OpenSSH source code
> should be commented ! ! !
>
> REASON:
> Using "SecureNetTerm Client" ( http://www.securenetterm.com/ ) with
> "SecureKeyAgent" ver. 5.4.2.4 ( Or same is with Putty + SecureKeyAgent ) to
> connect to OpenSSH server "OpenSSH ver. 3.6.1" using public key from Smart
> Card certificate causes the following errors in "/var/log/auth/errors":
> .............
> sshd[1224] error: bad decrypted len: 36 != 20 + 15
> sshd[1227] error: bad decrypted len: 36 != 20 + 15

why is len != 35?

From sth at hq.bsbg.net Fri Jun 13 22:59:36 2003
From: sth at hq.bsbg.net (Stefan Hadjistoytchev)
Date: Fri, 13 Jun 2003 15:59:36 +0300
Subject: Problem/bug report for "bad decrypted len" error in OpenSSH
References: <004901c33171$96593500$4102010a@dev.bnet> <20030613080648.GC11285@folly>
Message-ID: <01b501c331ab$a4862810$4102010a@dev.bnet>

I don't know :(
But removing this check solves the problem and should be considered as a BUG :)

----- Original Message -----
From: "Markus Friedl"
To: "Stefan Hadjistoytchev"
Cc:
Sent: Friday, June 13, 2003 11:06 AM
Subject: Re: Problem/bug report for "bad decrypted len" error in OpenSSH

> On Fri, Jun 13, 2003 at 09:04:01AM +0300, Stefan Hadjistoytchev wrote:
> > Hi!
> > I think lines between 250-252 in file ssh-rsa.c in OpenSSH source code
> > should be commented ! ! !
> >
> > REASON:
> > Using "SecureNetTerm Client" ( http://www.securenetterm.com/ ) with
> > "SecureKeyAgent" ver. 5.4.2.4 ( Or same is with Putty + SecureKeyAgent ) to
> > connect to OpenSSH server "OpenSSH ver. 3.6.1" using public key from Smart
> > Card certificate causes the following errors in "/var/log/auth/errors":
> > .............
> > sshd[1224] error: bad decrypted len: 36 != 20 + 15
> > sshd[1227] error: bad decrypted len: 36 != 20 + 15
>
> why is len != 35?
>

From sth at hq.bsbg.net Fri Jun 13 22:59:56 2003
From: sth at hq.bsbg.net (Stefan Hadjistoytchev)
Date: Fri, 13 Jun 2003 15:59:56 +0300
Subject: Problem/bug report for "bad decrypted len" error in OpenSSH
References: <004901c33171$96593500$4102010a@dev.bnet> <20030613075416.GB11285@folly>
Message-ID: <01bb01c331ab$b08041f0$4102010a@dev.bnet>

Should I report it to BugZilla ?

Stefan

----- Original Message -----
From: "Markus Friedl"
To: "Stefan Hadjistoytchev"
Cc:
Sent: Friday, June 13, 2003 10:54 AM
Subject: Re: Problem/bug report for "bad decrypted len" error in OpenSSH

> no, we have no idea how to use certificates.
>
> i don't see a bugzilla bug for this, so how can we be aware?
>
> On Fri, Jun 13, 2003 at 09:04:01AM +0300, Stefan Hadjistoytchev wrote:
> > Hi!
> > I think lines between 250-252 in file ssh-rsa.c in OpenSSH source code
> > should be commented ! ! !
> >
> > REASON:
> > Using "SecureNetTerm Client" ( http://www.securenetterm.com/ ) with
> > "SecureKeyAgent" ver. 5.4.2.4 ( Or same is with Putty + SecureKeyAgent ) to
> > connect to OpenSSH server "OpenSSH ver. 3.6.1" using public key from Smart
> > Card certificate causes the following errors in "/var/log/auth/errors":
> > .............
> > sshd[1224] error: bad decrypted len: 36 != 20 + 15
> > sshd[1227] error: bad decrypted len: 36 != 20 + 15
> > .............
> >
> > I sent a letter about this to SecureNetTerm and here is the answer:
> >
> > > OpenSSH 3.6.1 is a little braindead when it comes to proper operation of
> > > Certificates.
> > > All you have to do is edit the OpenSSL file ssh-rsa.c and comment out
> > > lines 250-252.
> > > This is a redundant length check that is not technically correct. The
> > > OpenSSH team is aware of the problem but don't care since they have no
> > > idea how to use certificates.
> >
> > Would you please comment on this or FIX this issue ?
> >
> > Best regards
> > Stefan Hadjistoytchev
>

From djm at mindrot.org Sat Jun 14 00:17:56 2003
From: djm at mindrot.org (Damien Miller)
Date: Sat, 14 Jun 2003 00:17:56 +1000
Subject: Problem/bug report for "bad decrypted len" error in OpenSSH
In-Reply-To: <01bb01c331ab$b08041f0$4102010a@dev.bnet>
References: <004901c33171$96593500$4102010a@dev.bnet> <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet>
Message-ID: <3EE9DD14.6020305@mindrot.org>

Stefan Hadjistoytchev wrote:
> Should I report it to BugZilla ?

Only if you can justify _why_ the length check is not correct.

-d

>> > > This is a redundant length check that is not technically correct.

From markus at openbsd.org Sat Jun 14 00:39:36 2003
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 13 Jun 2003 16:39:36 +0200
Subject: Problem/bug report for "bad decrypted len" error in OpenSSH
In-Reply-To: <3EE9DD14.6020305@mindrot.org> <01bb01c331ab$b08041f0$4102010a@dev.bnet>
References: <004901c33171$96593500$4102010a@dev.bnet> <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <3EE9DD14.6020305@mindrot.org> <004901c33171$96593500$4102010a@dev.bnet> <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet>
Message-ID: <20030613143936.GB26806@folly>

On Sat, Jun 14, 2003 at 12:17:56AM +1000, Damien Miller wrote:
> Stefan Hadjistoytchev wrote:
> > Should I report it to BugZilla ?
>
> Only if you can justify _why_ the length check is not correct.

make sure to include:

    This is a redundant length check that is not technically correct. The
    OpenSSH team is aware of the problem but don't care since they have no
    idea how to use certificates.

The length check is not redundant since the result might be too small
for example.
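The length test Markus is defending, as an added example written for this thread (it is not OpenSSH's ssh-rsa.c, whose lines the report wants commented out): after RSA public decryption and removal of the PKCS#1 type-1 padding, the remaining block must be exactly the 15-byte SHA-1 DigestInfo prefix followed by the 20-byte hash, and a 36-byte block reproduces the reported "bad decrypted len: 36 != 20 + 15". The encoded message and the 20-byte hash are constructed test data, not a real key or signature.

```c
/*
 * Added example for the "bad decrypted len" thread: written from scratch here,
 * NOT OpenSSH's ssh-rsa.c. It mirrors the shape of the RSASSA-PKCS1-v1_5
 * acceptance check on the block left after RSA public decryption (EM).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER prefix of the SHA-1 DigestInfo (RFC 3447, section 9.2 note 1): 15 bytes. */
static const uint8_t id_sha1[15] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a,
    0x05, 0x00, 0x04, 0x14
};
#define SHA1_LEN 20
#define EM_LEN   64   /* constructed: the block size a 512-bit modulus would give */

enum verify_result {
    VERIFY_OK = 0, VERIFY_BAD_PADDING, VERIFY_BAD_LEN,
    VERIFY_OID_MISMATCH, VERIFY_HASH_MISMATCH
};

/* Strip type-1 padding: EM = 00 || 01 || PS (>= 8 bytes of 0xff) || 00 || T.
 * Stores a pointer to T and returns its length, or -1 if the padding is malformed. */
long strip_type1_padding(const uint8_t *em, size_t emlen, const uint8_t **t)
{
    size_t i = 2;
    if (emlen < 11 || em[0] != 0x00 || em[1] != 0x01)
        return -1;
    while (i < emlen && em[i] == 0xff)
        i++;
    if (i - 2 < 8 || i >= emlen || em[i] != 0x00)
        return -1;
    *t = em + i + 1;
    return (long)(emlen - i - 1);
}

/* The disputed check. The length test is not redundant: a shorter T would make
 * the memcmp calls read past the block, a longer one leaves trailing bytes the
 * hash never covered. T must be exactly DigestInfo || H, 15 + 20 bytes. */
enum verify_result check_digestinfo(const uint8_t *t, size_t tlen, const uint8_t *hash)
{
    if (tlen != sizeof(id_sha1) + SHA1_LEN) {
        fprintf(stderr, "bad decrypted len: %zu != %d + %zu\n",
                tlen, SHA1_LEN, sizeof(id_sha1));
        return VERIFY_BAD_LEN;
    }
    if (memcmp(t, id_sha1, sizeof(id_sha1)) != 0)
        return VERIFY_OID_MISMATCH;
    if (memcmp(t + sizeof(id_sha1), hash, SHA1_LEN) != 0)
        return VERIFY_HASH_MISMATCH;
    return VERIFY_OK;
}

/* Constructed test vector, not a real signature: valid padding, the SHA-1
 * DigestInfo, the given 20-byte hash, then `extra` junk bytes after it. */
void build_em(uint8_t em[EM_LEN], const uint8_t *hash, size_t extra)
{
    size_t tlen = sizeof(id_sha1) + SHA1_LEN + extra;
    size_t pslen = EM_LEN - 3 - tlen;
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xff, pslen);
    em[2 + pslen] = 0x00;
    memcpy(em + 3 + pslen, id_sha1, sizeof(id_sha1));
    memcpy(em + 3 + pslen + sizeof(id_sha1), hash, SHA1_LEN);
    memset(em + 3 + pslen + sizeof(id_sha1) + SHA1_LEN, 0xaa, extra);
}

/* One case end to end: `extra` trailing bytes, optionally a corrupted hash. */
enum verify_result run_case(size_t extra, int corrupt_hash)
{
    uint8_t hash[SHA1_LEN], em[EM_LEN];
    const uint8_t *t = NULL;
    long tlen;
    size_t i;
    for (i = 0; i < SHA1_LEN; i++)
        hash[i] = (uint8_t)(0x10 + i);      /* stand-in for a SHA-1 digest */
    build_em(em, hash, extra);
    if (corrupt_hash)
        em[EM_LEN - 1 - extra] ^= 0x01;      /* flip the last hash byte */
    tlen = strip_type1_padding(em, EM_LEN, &t);
    if (tlen < 0)
        return VERIFY_BAD_PADDING;
    return check_digestinfo(t, (size_t)tlen, hash);
}

/* Type-2 (encryption) padding must be rejected before any comparison runs. */
enum verify_result bad_padding_case(void)
{
    uint8_t em[EM_LEN];
    const uint8_t *t = NULL;
    memset(em, 0xff, EM_LEN);
    em[0] = 0x00;
    em[1] = 0x02;
    return strip_type1_padding(em, EM_LEN, &t) < 0 ? VERIFY_BAD_PADDING : VERIFY_OK;
}
```

run_case(1, 0) is the situation in the report: one byte more than DigestInfo plus hash, rejected by the length test before the OID or hash is compared.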
From: scott.burch at camberwind.com (Scott Burch)
Date: Fri, 13 Jun 2003 19:10:33 -0000
Subject: SecurID authentication for 3.6.1p2 with privsep
In-Reply-To: <87829.282193-4205-946007020-1055237451@seznam.cz>
References: <87829.282193-4205-946007020-1055237451@seznam.cz>
Message-ID: <1055531455.7652.28.camel@localhost>

Vaclav,

Thanks for the update. I have tested your new patch and everything works
great with privilege separation. I was also able to apply your patch along
with Darren Tucker's password expiration patch.

If anyone has questions about using Vaclav's patch on Solaris let me know.
The packages I build for my site include support for password expiration
and securid with privilege separation enabled. Currently I target Solaris
2.6 through Solaris 8. I build static binaries so that I don't rely on
external libraries. Oh, I also build in support for tcp_wrappers. I use the
ACE Agent SDK and Ace Server 5. Previously I used your patch with 3.5p1 and
tested it with putty, SecureFX, SecureCRT, and filezilla.

Selective access to various authentication types would be useful. If I want
to enforce securid authentication currently I disable password and
publickey authentication, but it might be nice to configure this
differently for different users.

-Scott

On Tue, 2003-06-10 at 04:30, Václav Tomec wrote:
> Hello all,
>
> I have made SecurID authentication for OpenSSH 3.6.1p2.
>
> This patch was totally rewritten, so please test it before use.
>
> Kbd-int authentication is now integrated into challenge response
> auth.
>
> Privsep is now fully supported.
>
>
> PS: What do you think of selective access to the individual
> authentications, similar to AllowGroups/DenyGroups or maybe
> AllowUsers/DenyUsers ?
>
>
> Vaclav Tomec
> http://sweb.cz/v_t_m/

--
Scott Burch

From paul.hyder at noaa.gov Sat Jun 14 06:06:52 2003
From: paul.hyder at noaa.gov (Paul Hyder)
Date: Fri, 13 Jun 2003 14:06:52 -0600
Subject: Extensions for long fat networks?
Message-ID: <3EEA2EDC.D720D8FB@noaa.gov>

Before I get too far in my attempts...

Has anyone already implemented support in scp for larger
buffers/windows that would take advantage of wscaled TCP
windows?
    Paul Hyder
    NOAA Forecast Systems Lab
    Boulder, CO

FYI: Linux 2.4.20, 30-80ms RTT, data rates 100-1000Mbps,
and a need to fill TCP windows of 2-8MBytes.
(Existing limits appear to be about 256KB.)

From dan at doxpara.com Sat Jun 14 07:24:31 2003
From: dan at doxpara.com (Dan Kaminsky)
Date: Fri, 13 Jun 2003 14:24:31 -0700
Subject: Extensions for long fat networks?
In-Reply-To: <3EEA2EDC.D720D8FB@noaa.gov>
References: <3EEA2EDC.D720D8FB@noaa.gov>
Message-ID: <3EEA410F.2080308@doxpara.com>

Paul Hyder wrote:

>Before I get too far in my attempts...
>
>Has anyone already implemented support in scp for larger
>buffers/windows that would take advantage of wscaled TCP
>windows?
>    Paul Hyder
>    NOAA Forecast Systems Lab
>    Boulder, CO
>
>FYI: Linux 2.4.20, 30-80ms RTT, data rates 100-1000Mbps,
>and a need to fill TCP windows of 2-8MBytes.
>(Existing limits appear to be about 256KB.)
>

Paul--

scp isn't particularly optimized for speed...you're likely to get better
performance using a wrapper around tar/star and ssh. This is usually
implemented like so:

tar cf - files directories | ssh user at host tar xf -

This seems to provide the fastest transfers over SSH, though the TCP
forwarding code is pretty speedy as well. Just to pre-answer a question,
ssh decapsulates and re-encapsulates TCP, so you don't have classic
TCP-over-TCP issues.

For pure speedy transfers, you should examine udpcast. On a 100mbit LAN,
udpcast is able to *reliably multicast* at *93.65Mbit*. There's presently
no crypto implemented within it, but I've been looking at integrating gpg
support. (One can already simply add gpg to the pipeline, but some
buffering issue drops transfer speed dramatically.) udpcast abandons tcp
entirely and moves error handling into userspace -- with astonishingly
effective results. It would require your WAN to support multicast traffic,
though, and it's notably still too immature to even really handle two
udpcasted streams in the same network.
Of course, if you'd like to make ssh run as fast as its crypto algorithms
could let it -- it'd be most helpful :-)

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

From fcusack at fcusack.com Sat Jun 14 07:32:03 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Fri, 13 Jun 2003 14:32:03 -0700
Subject: Extensions for long fat networks?
In-Reply-To: <3EEA2EDC.D720D8FB@noaa.gov>; from paul.hyder@noaa.gov on Fri, Jun 13, 2003 at 02:06:52PM -0600
References: <3EEA2EDC.D720D8FB@noaa.gov>
Message-ID: <20030613143203.A29373@google.com>

On Fri, Jun 13, 2003 at 02:06:52PM -0600, Paul Hyder wrote:
> Before I get too far in my attempts...
>
> Has anyone already implemented support in scp for larger
> buffers/windows that would take advantage of wscaled TCP
> windows?

Does increasing the system default size not do it for you?

/fc

From djm at mindrot.org Sat Jun 14 08:37:05 2003
From: djm at mindrot.org (Damien Miller)
Date: Sat, 14 Jun 2003 08:37:05 +1000
Subject: Extensions for long fat networks?
In-Reply-To: <3EEA2EDC.D720D8FB@noaa.gov>
References: <3EEA2EDC.D720D8FB@noaa.gov>
Message-ID: <3EEA5211.8000806@mindrot.org>

Paul Hyder wrote:
> Before I get too far in my attempts...
>
> Has anyone already implemented support in scp for larger
> buffers/windows that would take advantage of wscaled TCP
> windows?

Shouldn't this be done at the system level? That way all apps would benefit.

IIRC Linux has something in /proc that one may tweak.

-d

From rick.jones2 at hp.com Sat Jun 14 08:53:00 2003
From: rick.jones2 at hp.com (Rick Jones)
Date: Fri, 13 Jun 2003 15:53:00 -0700
Subject: Extensions for long fat networks?
References: <3EEA2EDC.D720D8FB@noaa.gov> <3EEA5211.8000806@mindrot.org>
Message-ID: <3EEA55CC.BE0919EF@hp.com>

Damien Miller wrote:
>
> Paul Hyder wrote:
> > Before I get too far in my attempts...
> >
> > Has anyone already implemented support in scp for larger
> > buffers/windows that would take advantage of wscaled TCP
> > windows?
>
> Shouldn't this be done at the system level? That way all apps would benefit.

Not all apps may need/want the throughput in all cases. So long as a socket
buffer setting isn't a preallocation it likely isn't a Big Deal (tm).
Though, I suppose a really sharp/correct TCP would enable timestamps along
with the window scaling, and if one isn't really using the larger window,
the overhead (albeit small) of timestamps is wasted.

Something like what netperf does seems to work pretty well - if the user
specified value is 0, use the system setting, otherwise ask for what the
user specified.

rick jones
--
Wisdom Teeth are impacted, people are affected by the effects of events.
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to raj in cup.hp.com but NOT BOTH...

From paul.hyder at noaa.gov Sat Jun 14 09:37:27 2003
From: paul.hyder at noaa.gov (Paul Hyder)
Date: Fri, 13 Jun 2003 17:37:27 -0600
Subject: Extensions for long fat networks?
References: <3EEA2EDC.D720D8FB@noaa.gov> <3EEA5211.8000806@mindrot.org>
Message-ID: <3EEA6037.E792DC81@noaa.gov>

Damien Miller wrote:
>
> Paul Hyder wrote:
> > Before I get too far in my attempts...
> >
> > Has anyone already implemented support in scp for larger
> > buffers/windows that would take advantage of wscaled TCP
> > windows?
>
> Shouldn't this be done at the system level? That way all apps would benefit.
>
> IIRC Linux has something in /proc that one may tweak.
>
> -d

(Believe this is also what the previous message from Frank was noting.)

Tuning TCP in Linux 2.4.18+ is actually easy and has good documentation.
(/proc/sys/net/core/[rw]mem_{max,default} and /proc/sys/net/ipv4/tcp_[rw]mem)
So getting wscaled connections was fast.

What I've found so far is that ssh has an internal idea of transmission
sizes, seems to be tied to CHAN_TCP_PACKET_DEFAULT/CHAN_TCP_WINDOW_DEFAULT,
and the result is that the underlying large TCP windows are under-utilized.
The answer also doesn't appear to be as easy as increasing
CHAN_TCP_PACKET_DEFAULT above (32*1024). [But I've just started and could
easily have missed something.]

With encryption requirements and lots of LFN availability I was just hoping
someone else had already run into the low long distance throughput and fixed
it.

Any/all further suggestions and recommendations would be appreciated.
(Particularly the ones that start with "Whatever you do, don't...")

    Paul Hyder
    NOAA Forecast Systems Lab
    Boulder, CO
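Sizing against the bandwidth-delay product, plus Rick's "0 means use the system setting" buffer policy, as an added example (not from the thread or from OpenSSH; bdp_bytes, window_limited_mbit and the probe are helpers written here): the probe reports what the kernel actually granted, which is where the /proc/sys/net/core/[rw]mem_max caps Paul mentions become visible, and window_limited_mbit shows why a fixed application-level window caps throughput on a long RTT however large the TCP window is.

```c
/*
 * Added example for the long-fat-network thread: not from the thread or from
 * OpenSSH. bdp_bytes and window_limited_mbit are helpers written here; the
 * socket policy is the netperf-style rule Rick describes (0 = system default).
 */
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Bytes that must be in flight to keep a path full: rate (Mbit/s) x RTT (ms). */
long bdp_bytes(double mbit_per_s, double rtt_ms)
{
    return (long)(mbit_per_s * 1e6 / 8.0 * rtt_ms / 1e3);
}

/* Ceiling on throughput (Mbit/s) when at most `window_bytes` can be outstanding
 * per RTT, which is what an application-level window such as ssh's channel
 * window imposes regardless of how large the TCP window underneath it is. */
double window_limited_mbit(long window_bytes, double rtt_ms)
{
    return (double)window_bytes * 8.0 / 1e6 / (rtt_ms / 1e3);
}

/* Apply SO_RCVBUF/SO_SNDBUF only when the caller asked for a size (requested > 0),
 * otherwise keep the system default; return what the kernel granted, -1 on error.
 * On Linux the granted value is capped by net.core.rmem_max / wmem_max (Paul's
 * /proc/sys/net/core/[rw]mem_max) and reported back doubled for bookkeeping. */
int socket_buffer(int fd, int optname, int requested)
{
    int granted = 0;
    socklen_t len = sizeof granted;
    if (requested > 0 &&
        setsockopt(fd, SOL_SOCKET, optname, &requested, sizeof requested) < 0)
        return -1;
    if (getsockopt(fd, SOL_SOCKET, optname, &granted, &len) < 0)
        return -1;
    return granted;
}

/* Open a stream socket (TCP; falls back to AF_UNIX where IPv4 sockets are not
 * permitted), apply the receive-buffer policy, and report the granted size. */
int probe_rcvbuf(int requested)
{
    int granted;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    granted = socket_buffer(fd, SO_RCVBUF, requested);
    close(fd);
    return granted;
}

int main(void)
{
    /* The corner cases Paul gives: 30-80 ms RTT at 100-1000 Mbit/s, and the
     * roughly 256 KB limit he observes inside ssh. */
    printf("BDP 100 Mbit/s @ 30 ms: %ld bytes\n", bdp_bytes(100, 30));
    printf("BDP 1000 Mbit/s @ 80 ms: %ld bytes\n", bdp_bytes(1000, 80));
    printf("256 KB window @ 80 ms caps at %.1f Mbit/s\n",
           window_limited_mbit(256 * 1024, 80));
    printf("default SO_RCVBUF: %d, after asking for 1 MiB: %d\n",
           probe_rcvbuf(0), probe_rcvbuf(1 << 20));
    return 0;
}
```

If the second probe comes back well below 1 MiB, the kernel cap in /proc/sys/net/core/rmem_max is the limit to raise before anything in ssh itself matters.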
From: martin at piware.de (Martin Pitt)
Date: Sun, 15 Jun 2003 10:01:50 +0200
Subject: ssh works fine, scp fails
Message-ID: <20030615080148.GA2346@donald.balu5>

Hi openssh developers!

I have the following problem: ssh works very fine, but scp fails as soon as it wants to start the actual transfer:

--------------- screenshot ------------------
martin at donald:/home/martin$ scp -v -v -v joke mpitt at piware.de:
[...]
debug1: Authentication succeeded (publickey).
debug1: fd 4 setting O_NONBLOCK
debug1: fd 5 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: ssh_session2_setup: id 0
debug1: Sending command: scp -v -t .
debug1: channel 0: request exec
debug2: callback done
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug1: channel_free: channel 0: client-session, nchannels 1
debug3: channel_free: status: The following connections are open:\015
  #0 client-session (t4 r0 i0/0 o0/0 fd 4/5)\015
debug3: channel_close_fds: channel 0: r 4 w 5 e 6
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
Read from remote host piware.de: Connection reset by peer
debug1: Transferred: stdin 0, stdout 0, stderr 59 bytes in 0.2 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 254.7
debug1: Exit status -1
lost connection
--------------- screenshot ------------------

Something at my new internet provider is different, since it worked with my old one (maybe they are filtering away some important ICMP packages). But I'm asking here since scp2 from the commercial version 3.2.3 works, thus there must be a solution within scp.
I have already tried the following without success:

- setting the ethernet card MTU of the local/remote/both ends to a very small value (200)
- adding the TCPMSS iptables rule to my firewall to remedy a possible filtering of ICMP 'Fragmentation needed' packets
- FTP, HTTP, IMAP with large attachments are working correctly, so I doubt that it has sth. to do with too big packets
- piping over ssh with "echo Hello | ssh mpitt at piware.de 'cat > x'" which fails with exactly the same error.

I would be grateful for any hints (or patches ;-) ). IMHO it would be nice to have OpenSSH as powerful as the commercial one.

Thanks for your great work and have a nice day!

Martin

P.S. Please Cc: me, I am not subscribed.

--
Martin Pitt
home: www.piware.de
eMail: martin at piware.de

From dtucker at zip.com.au Sun Jun 15 21:17:17 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 15 Jun 2003 21:17:17 +1000
Subject: ssh works fine, scp fails
References: <20030615080148.GA2346@donald.balu5>
Message-ID: <3EEC55BD.D3C89595@zip.com.au>

Martin Pitt wrote:
> I have the following problem: ssh works very fine, but scp fails as
> soon as it wants to start the actual transfer:
[snip]
> Read from remote host piware.de: Connection reset by peer
> debug1: Transferred: stdin 0, stdout 0, stderr 59 bytes in 0.2 seconds
> debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 254.7
> debug1: Exit status -1
> lost connection

This looks like an issue at the server end, either something like the shell being set to /bin/false or the server is crashing. What does the server log say?

> Something at my new internet provider is different, since it worked
> with my old one (maybe they are filtering away some important ICMP
> packages). But I'm asking here since scp2 from the commercial version
> 3.2.3 works, thus there must be a solution within scp.

ssh.com's scp2 uses the sftp protocol. Try using sftp instead. I suspect that's all the server is configured to allow.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From martin at piware.de Sun Jun 15 22:21:41 2003
From: martin at piware.de (Martin Pitt)
Date: Sun, 15 Jun 2003 14:21:41 +0200
Subject: ssh works fine, scp fails
In-Reply-To: <3EEC55BD.D3C89595@zip.com.au>
References: <20030615080148.GA2346@donald.balu5> <3EEC55BD.D3C89595@zip.com.au>
Message-ID: <20030615122140.GA19461@donald.balu5>

Hi everybody!

On 2003-06-15 21:17 +1000 Darren Tucker wrote:
> Martin Pitt wrote:
> > I have the following problem: ssh works very fine, but scp fails as
> > soon as it wants to start the actual transfer:
> [snip]
> > Read from remote host piware.de: Connection reset by peer
> > debug1: Transferred: stdin 0, stdout 0, stderr 59 bytes in 0.2 seconds
> > debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 254.7
> > debug1: Exit status -1
> > lost connection
>
> This looks like an issue at the server end, either something like the
> shell being set to /bin/false or the server is crashing.

No, I think that is not the case because of the following:

- I can ssh to this machine
- I tried it in both directions (i. e. issuing the scp command also on the remote host in an ssh session)
- it works with my old ISP
- it works with scp2 (commercial version)

> What does the server log say?

Nothing fancy:

Jun 15 14:20:23 paprika sshd[13368]: Accepted publickey for pitt from 217.80.147.122 port 33024 ssh2
Jun 15 14:20:24 paprika PAM_unix[32033]: (ssh) session opened for user pitt by (uid=1016)

Authentication works properly as I already explained. The connection is reset as soon as the data transfer is to be started.

> ssh.com's scp2 uses the sftp protocol. Try using sftp instead. I suspect
> that's all the server is configured to allow.

Negative (see above), scp works on this server. sftp gives exactly the same error message.

Thanks for your answer, for future hints and have a nice day!

Martin

--
Martin Pitt
home: www.piware.de
eMail: martin at piware.de
From dtucker at zip.com.au Sun Jun 15 22:37:16 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 15 Jun 2003 22:37:16 +1000
Subject: ssh works fine, scp fails
References: <20030615080148.GA2346@donald.balu5> <3EEC55BD.D3C89595@zip.com.au> <20030615122140.GA19461@donald.balu5>
Message-ID: <3EEC687C.12169BBE@zip.com.au>

Martin Pitt wrote:
> > What does the server log say?
[snip]
> Jun 15 14:20:23 paprika sshd[13368]: Accepted publickey for pitt from 217.80.147.122 port 33024 ssh2
> Jun 15 14:20:24 paprika PAM_unix[32033]: (ssh) session opened for user pitt by (uid=1016)
>
> Authentication works properly as I already explained. The connection
> is reset as soon as the data transfer is to be started.

OK, another possibility is that scp is linked to a library that is not in the non-interactive LD_LIBRARY_PATH. Try: "ssh server scp -V". That should just give a usage statement if all is well.

Could you please specify which OS, OS version and OpenSSH version and configuration options both client and server are running?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From bob at proulx.com Mon Jun 16 02:09:33 2003
From: bob at proulx.com (Bob Proulx)
Date: Sun, 15 Jun 2003 10:09:33 -0600
Subject: ssh works fine, scp fails
In-Reply-To: <20030615080148.GA2346@donald.balu5>
References: <20030615080148.GA2346@donald.balu5>
Message-ID: <20030615160933.GA20317@misery.proulx.com>

Martin Pitt wrote:
> I have the following problem: ssh works very fine, but scp fails as
> soon as it wants to start the actual transfer:

[...Darren's had good suggestions...]

> - piping over ssh with "echo Hello | ssh mpitt at piware.de 'cat > x'"
> which fails with exactly the same error.

The fact that this fails is disconcerting. You say that interactive ssh works but as soon as you run a command it fails?

I see two changes from interactive in the above. One is that stdin is now a pipe and two is that there is a command. Try just doing one thing at a time and see what it says.

  ssh mpitt at piware.de id

  echo id | ssh mpitt at piware.de

The "pseudo terminal" message is expected.

I am also assuming that you have checked out any problems with a possible .bashrc file which could be causing trouble. If bash can detect that it is running from a remote shell a la rsh/ssh then it sources the user's .bashrc file. I would double check your environment files. zsh and others probably do something similar.

One of the FAQs is that your environment can't say anything for non-interactive sessions. Your original message leads me to believe you know about this. But just making sure.

  http://www.openssh.com/faq.html#2.9

Bob

From martin at piware.de Mon Jun 16 04:02:06 2003
From: martin at piware.de (Martin Pitt)
Date: Sun, 15 Jun 2003 20:02:06 +0200
Subject: ssh works fine, scp fails
In-Reply-To: <20030615160933.GA20317@misery.proulx.com>
References: <20030615080148.GA2346@donald.balu5> <20030615160933.GA20317@misery.proulx.com>
Message-ID: <20030615180205.GA5633@donald.balu5>

Hi!

On 2003-06-15 10:09 -0600 Bob Proulx wrote:
> The fact that this fails is disconcerting. You say that interactive
> ssh works but as soon as you run a command it fails?

Exactly. With the addition that scp works when I switch to my former ISP and that neither MTU reducing nor MSS clamping helps here.

> I see two changes from interactive in the above. One is that stdin is
> now a pipe and two is that there is a command. Try just doing one
> thing at a time and see what it says.
>
> ssh mpitt at piware.de id
>
> echo id | ssh mpitt at piware.de

Both commands end with the same error message (connection reset by peer) and with no other output.

> I am also assuming that you have checked out any problems with a
> possible .bashrc file which could be causing trouble. If bash can
> detect that it is running from a remote shell a la rsh/ssh then it
> sources the user's .bashrc file. I would double check your
> environment files. zsh and others probably do something similar.
>
> One of the FAQs is that your environment can't say anything for
> non-interactive sessions. Your original message leads me to believe
> you know about this. But just making sure.
>
> http://www.openssh.com/faq.html#2.9

Of course I checked that.

I know about C programming in general and know how to use a debugger as well, so I would be pleased to help digging out details in any way. I can also use ethereal on my box and tcpdump on our house router, but in this case I would need some advice on what to look for; I do not know much about ethernet sniffing.
Unfortunately I cannot give you an account on my machine since I'm behind a NAT firewall (just for completeness: my old ISDN connection was also routed through NAT which did not seem to have any visible impact). If it would be of any help to you to get on my box: it should be possible to establish an ssh tunnel from a system with a real IP to my box, isn't it?

I have a question for myself: is it possible that it has something to do with a bad firewall configuration at my ISP? Do scp and 'ssh ... command' need any additional or different packets compared to ssh (in particular: ICMP packets, large packets, reverse connections, etc.)? It is very confusing that it works with my old provider, but not with the new one, and scp2 works perfectly as well.

Thanks and have a nice evening!

Martin

--
Martin Pitt
home: www.piware.de
eMail: martin at piware.de

"Two things are infinite: the universe and human stupidity. But about the universe I am not yet entirely sure." -- Albert Einstein

From djm at mindrot.org Mon Jun 16 09:55:55 2003
From: djm at mindrot.org (Damien Miller)
Date: Mon, 16 Jun 2003 09:55:55 +1000
Subject: ssh works fine, scp fails
In-Reply-To: <20030615080148.GA2346@donald.balu5>
References: <20030615080148.GA2346@donald.balu5>
Message-ID: <3EED078B.1080206@mindrot.org>

Martin Pitt wrote:
> Hi openssh developers!
>
> I have the following problem: ssh works very fine, but scp fails as
> soon as it wants to start the actual transfer:

Does "ssh host true" produce any output?

-d

From sth at hq.bsbg.net Mon Jun 16 16:36:16 2003
From: sth at hq.bsbg.net (Stefan Hadjistoytchev)
Date: Mon, 16 Jun 2003 09:36:16 +0300
Subject: Problem/bug report for "bad decrypted len" error in OpenSSH
References: <004901c33171$96593500$4102010a@dev.bnet> <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <3EE9DD14.6020305@mindrot.org> <004901c33171$96593500$4102010a@dev.bnet> <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <20030613143936.GB26806@folly>
Message-ID: <003e01c333d1$96fbed60$4102010a@dev.bnet>

I've posted the bug in BugZilla (bug 592). What should I do next?

Stefan

----- Original Message -----
From: "Markus Friedl"
To: "Stefan Hadjistoytchev" ; "Damien Miller"
Cc:
Sent: Friday, June 13, 2003 5:39 PM
Subject: Re: Problem/bug report for "bad decrypted len" error in OpenSSH

> On Sat, Jun 14, 2003 at 12:17:56AM +1000, Damien Miller wrote:
> > Stefan Hadjistoytchev wrote:
> > > Should I report it to BugZilla ?
> >
> > Only if you can justify _why_ the length check is not correct.
>
> make sure to include:
>
> This is a redundant length check that is not technically
> correct. The OpenSSH team is aware of the problem but don't
> care since they have no idea how to use certificates.
>
> The length check is not redundant since the result might be
> too small for example.
>

From martin at piware.de Mon Jun 16 17:45:27 2003
From: martin at piware.de (Martin Pitt)
Date: Mon, 16 Jun 2003 09:45:27 +0200
Subject: ssh works fine, scp fails
In-Reply-To: <3EED078B.1080206@mindrot.org>
References: <20030615080148.GA2346@donald.balu5> <3EED078B.1080206@mindrot.org>
Message-ID: <20030616074523.GA19325@donald.balu5>

Hi!

On 2003-06-16 9:55 +1000 Damien Miller wrote:
> Martin Pitt wrote:
> > Hi openssh developers!
> >
> > I have the following problem: ssh works very fine, but scp fails as
> > soon as it wants to start the actual transfer:
>
> Does "ssh host true" produce any output?

None but the error message "Read from remote host piware.de: Connection reset by peer".

Have a nice day!

Martin

--
Martin Pitt
home: www.piware.de
eMail: martin at piware.de

From djm at mindrot.org Mon Jun 16 17:54:24 2003
From: djm at mindrot.org (Damien Miller)
Date: Mon, 16 Jun 2003 17:54:24 +1000
Subject: ssh works fine, scp fails
In-Reply-To: <20030616074523.GA19325@donald.balu5>
References: <20030615080148.GA2346@donald.balu5> <3EED078B.1080206@mindrot.org> <20030616074523.GA19325@donald.balu5>
Message-ID: <3EED77B0.1000903@mindrot.org>

Martin Pitt wrote:
> Hi!
>
> On 2003-06-16 9:55 +1000 Damien Miller wrote:
>> Martin Pitt wrote:
>> > Hi openssh developers!
>> >
>> > I have the following problem: ssh works very fine, but scp fails as
>> > soon as it wants to start the actual transfer:
>>
>> Does "ssh host true" produce any output?
>
> None but the error message "Read from remote host piware.de:
> Connection reset by peer".

Something appears to be sick at the server end. Could you try running the server in debug mode "sshd -d -d -d" and attaching the output to a client connecting with the above command?

-d

From markus at openbsd.org Mon Jun 16 18:28:41 2003
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 16 Jun 2003 10:28:41 +0200
Subject: Problem/bug report for "bad decrypted len" error in OpenSSH
In-Reply-To: <003e01c333d1$96fbed60$4102010a@dev.bnet>
References: <004901c33171$96593500$4102010a@dev.bnet> <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <3EE9DD14.6020305@mindrot.org> <004901c33171$96593500$4102010a@dev.bnet> <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <20030613143936.GB26806@folly> <003e01c333d1$96fbed60$4102010a@dev.bnet>
Message-ID: <20030616082841.GA8025@folly>

replace

	if (len != hlen + oidlen) {

with

	if (len < hlen + oidlen) {

instead of deleting lines.

On Mon, Jun 16, 2003 at 09:36:16AM +0300, Stefan Hadjistoytchev wrote:
> I've posted the bug in BugZilla (bug 592). What should I do next ?
>
> Stefan
> ----- Original Message -----
> From: "Markus Friedl"
> To: "Stefan Hadjistoytchev" ; "Damien Miller"
> Cc:
> Sent: Friday, June 13, 2003 5:39 PM
> Subject: Re: Problem/bug report for "bad decrypted len" error in OpenSSH
>
> > On Sat, Jun 14, 2003 at 12:17:56AM +1000, Damien Miller wrote:
> > > Stefan Hadjistoytchev wrote:
> > > > Should I report it to BugZilla ?
> > >
> > > Only if you can justify _why_ the length check is not correct.
> >
> > make sure to include:
> >
> > This is a redundant length check that is not technically
> > correct. The OpenSSH team is aware of the problem but don't
> > care since they have no idea how to use certificates.
> >
> > The length check is not redundant since the result might be
> > too small for example.
> >

From jcduell at lbl.gov Tue Jun 17 05:16:45 2003
From: jcduell at lbl.gov (jcduell at lbl.gov)
Date: Mon, 16 Jun 2003 12:16:45 -0700
Subject: errors when running multiple openssh sessions
Message-ID: <20030616191615.GA12035@ftg2.lbl.gov>

Openssh seems to fail sporadically if you issue lots of simultaneous ssh commands, at least under certain conditions. Take the following program:

  #!/bin/sh

  for NUM in 0 1 2 3 4 5 6 7 8 9; do
    ssh n2003 echo $NUM "$*" &
  done

So, we're running 10 ssh commands at once.

When I run this program once, all

I've observed this bug on OpenSSH_3.6.1p1 on Tru64, OpenSSH 3.2.3p1 on an IBM SP, and on OpenSSH 3.5p1-6 on Redhat Linux 9. So I suspect it's a general problem.

--
Jason Duell                     Future Technologies Group
Computational Research Division
Tel: +1-510-495-2354            Lawrence Berkeley National Laboratory

From dan at doxpara.com Tue Jun 17 06:08:59 2003
From: dan at doxpara.com (Dan Kaminsky)
Date: Mon, 16 Jun 2003 13:08:59 -0700
Subject: errors when running multiple openssh sessions
In-Reply-To: <20030616191615.GA12035@ftg2.lbl.gov>
References: <20030616191615.GA12035@ftg2.lbl.gov>
Message-ID: <3EEE23DB.5000102@doxpara.com>

jcduell at lbl.gov wrote:

>Openssh seems to fail sporadically if you issue lots of simultaneous
>ssh commands, at least under certain conditions. Take the following
>program:
>
> #!/bin/sh
>
> for NUM in 0 1 2 3 4 5 6 7 8 9; do
> ssh n2003 echo $NUM "$*" &
> done
>
>So, we're running 10 ssh commands at once.
>
>When I run this program once, all
>
>I've observed this bug on OpenSSH_3.6.1p1 on Tru64, OpenSSH 3.2.3p1 on
>an IBM SP, and on OpenSSH 3.5p1-6 on Redhat Linux 9. So I suspect it's a
>general problem.
>

That invocation creates quite a spike in CPU usage. Who knows, it might also be causing headaches for privsep. A better way to do what you describe above would be this:

  #!/bin/sh

  for NUM in 0 1 2 3 4 5 6 7 8 9; do
    echo $NUM "$*" \&
  done | ssh n2003

From what I've found, this is the best way to execute sets of commands remotely without significant CPU load. You do lose all sorts of conveniences -- error codes, the ability to distinguish between the results of several commands, standard syntax for specifying shell -- but you're losing most of that from parallel execution anyway, and this is really quite fast.

Of course, ssh shouldn't crash no matter what. But this might be of use regardless.

--Dan

From jcduell at lbl.gov Tue Jun 17 06:21:07 2003
From: jcduell at lbl.gov (jcduell at lbl.gov)
Date: Mon, 16 Jun 2003 13:21:07 -0700
Subject: errors when running multiple openssh sessions
In-Reply-To: <3EEE23DB.5000102@doxpara.com>
References: <20030616191615.GA12035@ftg2.lbl.gov> <3EEE23DB.5000102@doxpara.com>
Message-ID: <20030616202107.GA30458@ftg2.lbl.gov>

On Mon, Jun 16, 2003 at 01:08:59PM -0700, Dan Kaminsky wrote:
> jcduell at lbl.gov wrote:
>
> > #!/bin/sh
> >
> > for NUM in 0 1 2 3 4 5 6 7 8 9; do
> > ssh n2003 echo $NUM "$*" &
> > done
> >
> >So, we're running 10 ssh commands at once.
>
> That invocation creates quite a spike in CPU usage.

Thanks for replying to my fragment of a post (I tried another test that turned out to fork itself recursively, and I managed to accidentally send my mail while trying to kill the resulting job horde: talk about a CPU spike ;)

> Who knows, it might also be causing headaches for privsep. A better
> way to do what you describe above would be this:
>
> #!/bin/sh
>
> for NUM in 0 1 2 3 4 5 6 7 8 9; do
> echo $NUM "$*" \&
> done | ssh n2003
>
> From what I've found, this is the best way to execute sets of commands
> remotely without significant CPU load.

As my full post (below) notes, I'm writing a compiler that needs to use ssh as part of compilation. If a user calls my front end with the equivalent of

  gcc foo.c bar.c

then my script will do only one ssh for both files, but most people write makefiles that compile each file separately.

Here's my full post. I'm creating a bug for this in Bugzilla, too, since I don't see anything resembling it in the existing bugs.

------------------------------------------------------------------------
Openssh seems to fail sporadically if you issue lots of simultaneous ssh commands. Take the following program:

  #!/bin/sh

  for NUM in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do
    ssh foo.bar.com echo $NUM &
  done

So, we're running 16 ssh commands at once, each of which just prints out a different number.
When I run this program, several of the ssh commands fail with

  ssh_exchange_identification: Connection closed by remote host

Interestingly, when I run 10 or fewer ssh commands, they all work OK, at least on my linux box (I'm using OpenSSH 3.5p1-6 on Redhat Linux 9). On some other platforms the number is different: OpenSSH 3.2.3p1 on an IBM SP doesn't like more than 8 simultaneous ssh's in the background, while OpenSSH_3.6.1p1 on Tru64 does around 9 max.

There doesn't seem to be any pattern in terms of which ssh's get killed--the first, second and third jobs (ie, those that print 0, 1, and 2) generally run OK, but which of the following ones die seems to be random.

This smells like some kind of race condition.

Why on earth would I want to run a dozen ssh jobs simultaneously? I'm writing a compiler that needs to ship some files and run some commands on a remote server as part of the compilation process. The latency for doing this is rather high, so I want to allow users to do a 'make -j' to parallelize the build, in order to hide the network latency.

I guess for now I'll tell users to run 'make -j N' with N < 6 or so (which is probably not a bad idea anyway). But I can't imagine I'll be the last person to pound on ssh like this...
------------------------------------------------------------------------

Cheers,

--
Jason Duell                     Future Technologies Group
Computational Research Division
Tel: +1-510-495-2354            Lawrence Berkeley National Laboratory

From fcusack at fcusack.com Tue Jun 17 06:33:37 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Mon, 16 Jun 2003 13:33:37 -0700
Subject: errors when running multiple openssh sessions
In-Reply-To: <20030616202107.GA30458@ftg2.lbl.gov>; from jcduell@lbl.gov on Mon, Jun 16, 2003 at 01:21:07PM -0700
References: <20030616191615.GA12035@ftg2.lbl.gov> <3EEE23DB.5000102@doxpara.com> <20030616202107.GA30458@ftg2.lbl.gov>
Message-ID: <20030616133337.A15757@google.com>

On Mon, Jun 16, 2003 at 01:21:07PM -0700, jcduell at lbl.gov wrote:
> ------------------------------------------------------------------------
> Openssh seems to fail sporadically if you issue lots of simultaneous
> ssh commands. Take the following program:
>
> #!/bin/sh
>
> for NUM in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do
> ssh foo.bar.com echo $NUM &
> done
>
> So, we're running 16 ssh commands at once, each of which just prints out a
> different number.
>
> When I run this program, several of the ssh commands fail with
>
> ssh_exchange_identification: Connection closed by remote host
>
> Interestingly, when I run 10 or fewer ssh commands, they all work OK, at
...
> This smells like some kind of race condition.

Sounds like a listen queue problem to me. Try bumping the number in the listen() call up to 25 and see what happens.

/fc

From mouring at etoh.eviladmin.org Tue Jun 17 06:53:30 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 16 Jun 2003 15:53:30 -0500 (CDT)
Subject: errors when running multiple openssh sessions
In-Reply-To: <20030616202107.GA30458@ftg2.lbl.gov>
Message-ID:

Sounds like someone is not reading the manpages.

man sshd_config
[..]
     MaxStartups
             Specifies the maximum number of concurrent unauthenticated
             connections to the sshd daemon. Additional connections will be
             dropped until authentication succeeds or the LoginGraceTime
             expires for a connection. The default is 10.

             Alternatively, random early drop can be enabled by specifying the
             three colon separated values ``start:rate:full'' (e.g.,
             "10:30:60"). sshd will refuse connection attempts with a
             probability of ``rate/100'' (30%) if there are currently ``start''
             (10) unauthenticated connections. The probability increases
             linearly and all connection attempts are refused if the number of
             unauthenticated connections reaches ``full'' (60).

Default is '10'. I bump it up to 20 and your script works fine.

- Ben

On Mon, 16 Jun 2003 jcduell at lbl.gov wrote:

> On Mon, Jun 16, 2003 at 01:08:59PM -0700, Dan Kaminsky wrote:
> > jcduell at lbl.gov wrote:
> >
> > > #!/bin/sh
> > >
> > > for NUM in 0 1 2 3 4 5 6 7 8 9; do
> > > ssh n2003 echo $NUM "$*" &
> > > done
> > >
> > >So, we're running 10 ssh commands at once.
> >
> > That invocation creates quite a spike in CPU usage.
>
> Thanks for replying to my fragment of a post (I tried another test that
> turned out to fork itself recursively, and I managed to accidentally
> send my mail while trying to kill the resulting job horde: talk about a
> CPU spike ;)
>
> > Who knows, it might also be causing headaches for privsep. A better
> > way to do what you describe above would be this:
> >
> > #!/bin/sh
> >
> > for NUM in 0 1 2 3 4 5 6 7 8 9; do
> > echo $NUM "$*" \&
> > done | ssh n2003
> >
> > From what I've found, this is the best way to execute sets of commands
> > remotely without significant CPU load.
>
> As my full post (below) notes, I'm writing a compiler that needs to use
> ssh as part of compilation. If a user calls my front end with the
> equivalent of
>
> gcc foo.c bar.c
>
> then my script will do only one ssh for both files, but most people
> write makefiles that compile each file separately.
>
> Here's my full post. I'm creating a bug for this in Bugzilla, too,
> since I don't see anything resembling it in the existing bugs.
>
> ------------------------------------------------------------------------
> Openssh seems to fail sporadically if you issue lots of simultaneous
> ssh commands. Take the following program:
>
> #!/bin/sh
>
> for NUM in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do
> ssh foo.bar.com echo $NUM &
> done
>
> So, we're running 16 ssh commands at once, each of which just prints out a
> different number.
>
> When I run this program, several of the ssh commands fail with
>
> ssh_exchange_identification: Connection closed by remote host
>
> Interestingly, when I run 10 or fewer ssh commands, they all work OK, at
> least on my linux box (I'm using OpenSSH 3.5p1-6 on Redhat Linux 9). On
> some other platforms the number is different: OpenSSH 3.2.3p1 on an IBM
> SP doesn't like more than 8 simultaneous ssh's in the background, while
> OpenSSH_3.6.1p1 on Tru64 does around 9 max.
>
> There doesn't seem to be any pattern in terms of which ssh's get
> killed--the first, second and third jobs (ie, those that print 0, 1, and
> 2) generally run OK, but which of the following ones die seems to be
> random.
>
> This smells like some kind of race condition.
>
> Why on earth would I want to run a dozen ssh jobs simultaneously? I'm
> writing a compiler that needs to ship some files and run some commands
> on a remote server as part of the compilation process. The latency for
> doing this is rather high, so I want to allow users to do a 'make -j' to
> parallelize the build, in order to hide the network latency.
>
> I guess for now I'll tell users to run 'make -j N' with N < 6 or so
> (which is probably not a bad idea anyway). But I can't imagine I'll be
> the last person to pound on ssh like this...
> ------------------------------------------------------------------------
>
> Cheers,
>
> --
> Jason Duell                     Future Technologies Group
> Computational Research Division
> Tel: +1-510-495-2354            Lawrence Berkeley National Laboratory
>

From dan at doxpara.com Tue Jun 17 07:26:18 2003
From: dan at doxpara.com (Dan Kaminsky)
Date: Mon, 16 Jun 2003 14:26:18 -0700
Subject: errors when running multiple openssh sessions
In-Reply-To:
References:
Message-ID: <3EEE35FA.4020603@doxpara.com>

Ben--

Is there a secure method of doing IPC within a single host?

--Dan

From dwmw2 at infradead.org Tue Jun 17 07:29:16 2003
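To make the MaxStartups arithmetic that Ben quotes concrete, here is a small model (an added example, not OpenSSH's own code; the semantics follow the quoted sshd_config manpage, and the integer-percentage ramp and the seeded random generator are my assumptions) that parses the setting, computes the refusal probability for a given number of unauthenticated connections, and replays the thread's burst of 16 simultaneous ssh clients against the default of 10, against 20, and against "10:30:60":

```python
"""Model of sshd's MaxStartups behaviour (added example, not OpenSSH code).

MaxStartups "start:rate:full" (manpage example "10:30:60"): below `start`
unauthenticated connections nothing is refused; at `start` a new connection
is refused with probability rate/100; the probability rises linearly to
100 percent at `full`. A bare integer "N" is a hard cap, which is why the
default of 10 lets exactly 10 of 16 simultaneous clients past the
identification exchange and the rest see the connection closed.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class MaxStartups:
    start: int  # unauthenticated connections at which dropping may begin
    rate: int   # drop probability in percent once `start` is reached
    full: int   # unauthenticated connections at which every new one is refused


def parse_max_startups(value: str) -> MaxStartups:
    """Parse the sshd_config value, either "N" or "start:rate:full"."""
    parts = value.strip().split(":")
    if len(parts) == 1:
        n = int(parts[0])
        if n < 1:
            raise ValueError("MaxStartups must be at least 1")
        # A plain number behaves like "N:100:N": refuse everything at N.
        return MaxStartups(start=n, rate=100, full=n)
    if len(parts) != 3:
        raise ValueError("expected N or start:rate:full")
    start, rate, full = (int(p) for p in parts)
    if start < 1 or full < start or not 0 <= rate <= 100:
        raise ValueError("invalid start:rate:full combination")
    return MaxStartups(start=start, rate=rate, full=full)


def drop_probability(cfg: MaxStartups, unauthenticated: int) -> int:
    """Percent chance that sshd refuses one more connection.

    Integer arithmetic (an assumption of this model) for the linear ramp
    the manpage describes: `rate` percent at `start`, 100 percent at `full`.
    """
    if unauthenticated < cfg.start:
        return 0
    if unauthenticated >= cfg.full:
        return 100
    p = (100 - cfg.rate) * (unauthenticated - cfg.start)
    p //= cfg.full - cfg.start
    return p + cfg.rate


def should_drop(cfg: MaxStartups, unauthenticated: int, rng=random) -> bool:
    """Random early drop decision for a single incoming connection."""
    return rng.randrange(100) < drop_probability(cfg, unauthenticated)


def simulate_burst(cfg: MaxStartups, clients: int, rng=None):
    """Return (accepted, refused) when `clients` ssh processes connect at
    once and none finishes authenticating during the burst, which is what
    a `for ... & done` loop like the one in the thread produces.
    """
    rng = rng or random.Random(0)  # seeded so the run is reproducible
    accepted = refused = 0
    for _ in range(clients):
        if should_drop(cfg, accepted, rng):
            # This client sees "ssh_exchange_identification: Connection
            # closed by remote host".
            refused += 1
        else:
            accepted += 1
    return accepted, refused


if __name__ == "__main__":
    for setting in ("10", "20", "10:30:60"):
        cfg = parse_max_startups(setting)
        print(f"MaxStartups {setting}: accepted/refused = "
              f"{simulate_burst(cfg, 16)}")
```

With the default "10" the model refuses 6 of 16 clients deterministically, with "20" none, and with "10:30:60" a varying number past the tenth, which matches the random failures Jason reported.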
From: dwmw2 at infradead.org (David Woodhouse)
Date: Mon, 16 Jun 2003 22:29:16 +0100
Subject: errors when running multiple openssh sessions
In-Reply-To: <20030616202107.GA30458@ftg2.lbl.gov>
References: <20030616191615.GA12035@ftg2.lbl.gov> <3EEE23DB.5000102@doxpara.com> <20030616202107.GA30458@ftg2.lbl.gov>
Message-ID: <1055798956.24455.28.camel@imladris.demon.co.uk>

On Mon, 2003-06-16 at 21:21, jcduell at lbl.gov wrote:
> Why on earth would I want to run a dozen ssh jobs simultaneously? I'm
> writing a compiler that needs to ship some files and run some commands
> on a remote server as part of the compilation process. The latency for
> doing this is rather high, so I want to allow users to do a 'make -j' to
> parallelize the build, in order to hide the network latency.

You might consider using fsh (http://www.lysator.liu.se/fsh/) to accelerate this process somewhat.

Of course, you need to consider whether that's secure enough for your purposes, but I suspect the answer in this case is 'yes'.

--
dwmw2

From mouring at etoh.eviladmin.org Tue Jun 17 07:50:46 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 16 Jun 2003 16:50:46 -0500 (CDT)
Subject: errors when running multiple openssh sessions
In-Reply-To: <3EEE35FA.4020603@doxpara.com>
Message-ID:

On Mon, 16 Jun 2003, Dan Kaminsky wrote:

> Ben--
>
> Is there a secure method of doing IPC within a single host?
>

I think I see where you are heading with this. We do something like this at my job, where we have backend perl services that listen to a named pipe and act as the 'middleware' for local and remote hosts (remote host stuff is done over reverse http.. Don't ask.. I didn't write it. It is pretty sick).

But no, I don't know of a way in the current code to bridge the gap between the named pipe and the 'middleware' using ssh in a secure/limited way. The best one could do at this point would be one global:

  ssh -L xx:localhost:yy

put the smarts on the remote service and allow anyone on the box to send requests.

Would be interesting to see something like a "-L /dir/namedpipe:yy", but I'm not sure how that would play out.

- Ben

> --Dan
>
>

From jcduell at lbl.gov Tue Jun 17 10:09:25 2003
From: jcduell at lbl.gov (jcduell at lbl.gov)
Date: Mon, 16 Jun 2003 17:09:25 -0700
Subject: errors when running multiple openssh sessions
In-Reply-To:
References: <20030616202107.GA30458@ftg2.lbl.gov>
Message-ID: <20030617000925.GA7136@ftg2.lbl.gov>

On Mon, Jun 16, 2003 at 03:53:30PM -0500, Ben Lindstrom wrote:
>
> Sounds like someone is not reading the manpages.
>
> man sshd_config
> [..]
>      MaxStartups
>              Specifies the maximum number of concurrent unauthenticated
>              connections to the sshd daemon. Additional connections will be
>              dropped until authentication succeeds or the LoginGraceTime
>              expires for a connection. The default is 10.
>
>              Alternatively, random early drop can be enabled by specifying the
>              three colon separated values ``start:rate:full'' (e.g.,
>              "10:30:60"). sshd will refuse connection attempts with a
>              probability of ``rate/100'' (30%) if there are currently ``start''
>              (10) unauthenticated connections. The probability increases
>              linearly and all connection attempts are refused if the number of
>              unauthenticated connections reaches ``full'' (60).
>
>
> Default is '10'.. I bump it up to 20 and your script works fine.

Great, thanks. Sorry I didn't RTFM. I've killed the bugzilla entry I made.

Cheers,

--
Jason Duell
Future Technologies Group
Computational Research Division
Tel: +1-510-495-2354
Lawrence Berkeley National Laboratory

From jcduell at lbl.gov Tue Jun 17 10:10:14 2003
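As an added illustration (not code from the thread or from OpenSSH), the following Python models the MaxStartups behaviour quoted above, both the plain "N" form and the "start:rate:full" random early drop, and replays the scenario from this thread: a 'make -j' build opening a dozen sessions at once against the default of 10 and against 20. The parallel-build scenario, the job count and the RNG seed are constructed for the example.

```python
import random

# Added example (not OpenSSH code): a Python model of sshd's MaxStartups
# handling as described in sshd_config(5): a plain "N", or "start:rate:full"
# random early drop with a linearly rising refusal probability.


def parse_max_startups(value: str):
    """Parse a MaxStartups value into (start, rate, full).

    A plain number N behaves like "N:100:N": once N unauthenticated
    connections are pending, every further one is refused outright.
    """
    parts = value.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        if n < 1:
            raise ValueError("MaxStartups must be >= 1")
        return n, 100, n
    if len(parts) != 3:
        raise ValueError("MaxStartups must be N or start:rate:full")
    start, rate, full = (int(p) for p in parts)
    if not 1 <= start <= full or not 0 <= rate <= 100:
        raise ValueError("need 1 <= start <= full and 0 <= rate <= 100")
    return start, rate, full


def drop_probability(pending: int, start: int, rate: int, full: int) -> float:
    """Percent chance that sshd refuses a new connection while `pending`
    unauthenticated connections exist: 0 below `start`, `rate` at `start`,
    rising linearly to 100 at `full` (the curve the manpage describes)."""
    if pending < start:
        return 0.0
    if pending >= full or rate == 100:
        return 100.0
    p = 100.0 - rate
    p *= pending - start
    p /= full - start
    return p + rate


def accepted_connections(jobs: int, value: str, seed: int = 0) -> int:
    """Constructed scenario: `jobs` ssh sessions are opened at once (a
    'make -j' build) and none has finished authenticating when the next
    one arrives.  Returns how many sshd lets through; the others see the
    connection closed before authentication, which is the symptom that
    started this thread."""
    start, rate, full = parse_max_startups(value)
    rng = random.Random(seed)   # seeded so the run is reproducible
    pending = 0
    for _ in range(jobs):
        p = drop_probability(pending, start, rate, full)
        if rng.uniform(0, 100) < p:
            continue            # refused before authentication
        pending += 1
    return pending


if __name__ == "__main__":
    for setting in ("10", "20", "10:30:60"):
        print(f"MaxStartups {setting}: {accepted_connections(12, setting)} of 12 accepted")
```

With the plain form the outcome is deterministic (10 of 12 accepted at the default, all 12 at 20); with "10:30:60" the eleventh and twelfth sessions each face a roughly 30% refusal, so a build can fail intermittently rather than reliably.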
From: jcduell at lbl.gov (jcduell at lbl.gov) Date: Mon, 16 Jun 2003 17:10:14 -0700 Subject: errors when running multiple openssh sessions In-Reply-To: <1055798956.24455.28.camel@imladris.demon.co.uk> References: <20030616191615.GA12035@ftg2.lbl.gov> <3EEE23DB.5000102@doxpara.com> <20030616202107.GA30458@ftg2.lbl.gov> <1055798956.24455.28.camel@imladris.demon.co.uk> Message-ID: <20030617001014.GB7136@ftg2.lbl.gov> On Mon, Jun 16, 2003 at 10:29:16PM +0100, David Woodhouse wrote: > On Mon, 2003-06-16 at 21:21, jcduell at lbl.gov wrote: > > Why on earth would I want to run a dozen ssh jobs simultaneously? I'm > > writing a compiler that needs to ship some files and run some commands > > on a remote server as part of the compilation process. The latency for > > doing this is rather high, so I want to allow users to do a 'make -j' to > > parallelize the build, in order to hide the network latency. > > You might consider using fsh (http://www.lysator.liu.se/fsh/) to > accelerate this process somewhat. > > Of course, you need to consider whether that's secure enough for your > purposes, but I suspect the answer in this case is 'yes'. Thanks for the link. I'm sure fsh is secure enough--the problem is I'd need to have users install it. I'm already getting too many emails from people who can't wrap their brain around ssh-agent to try to tell them to install new software. Cheers, -- Jason Duell Future Technologies Group Computational Research Division Tel: +1-510-495-2354 Lawrence Berkeley National Laboratory From jason.yl.pang at intel.com Tue Jun 17 14:22:56 2003 
From: jason.yl.pang at intel.com (Pang, Jason YL) Date: Tue, 17 Jun 2003 12:22:56 +0800 Subject: ssh does not work Message-ID: <6A52D76F047B5B4497C40B00097C876F85199A@pgsmsx403.png.intel.com> Dear all, I got "permission denied" msg when I try to connect via SSH. The password that I used was correct as I can establish the connection via telnet using the same password. Any idea why this can happen?? root at kfiisdc:/sandbox/jason ssh kfiisdev Use of this system by unauthorized persons or in an unauthorized manner is strictly prohibited. Unauthorized access can and will be prosecuted to the fullest extent possible. If you log in using a shared account, you must sign in with a personal user id that is assigned only to you. Violation will result in appropriate disciplinary action, which may include termination. root at kfiisdev's password: Permission denied, please try again. root at kfiisdev's password: Permission denied, please try again. root at kfiisdev's password: Permission denied (publickey,password,keyboard-interactive). From mouring at etoh.eviladmin.org Tue Jun 17 14:31:42 2003 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 16 Jun 2003 23:31:42 -0500 (CDT) Subject: ssh does not work In-Reply-To: <6A52D76F047B5B4497C40B00097C876F85199A@pgsmsx403.png.intel.com> Message-ID: Would you care to provide some useful information or do we have to guess? =) Newly configured OpenSSH? Solaris/FreeBSD/Linux? IF so did you compile with pam support? - Ben On Tue, 17 Jun 2003, Pang, Jason YL wrote: > Dear all, > > I got "permission denied" msg when I try to connect via SSH. The password > that I used was correct as I can establish the connection via telnet using > the same password. Any idea why this can happen?? > > root at kfiisdc:/sandbox/jason ssh kfiisdev > > Use of this system by unauthorized persons or in an unauthorized manner is > strictly prohibited. Unauthorized access can and will be prosecuted to the > fullest extent possible. If you log in using a shared account, you must sign > in with a personal user id that is assigned only to you. > > Violation will result in appropriate disciplinary action, which may include > termination. > > root at kfiisdev's password: > Permission denied, please try again. > root at kfiisdev's password: > Permission denied, please try again. > root at kfiisdev's password: > Permission denied (publickey,password,keyboard-interactive). > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From dtucker at zip.com.au Tue Jun 17 15:28:46 2003 
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 17 Jun 2003 15:28:46 +1000 Subject: ssh does not work References: Message-ID: <3EEEA70E.9DC5BD78@zip.com.au> Ben Lindstrom wrote: > Newly configured OpenSSH? Solaris/FreeBSD/Linux? IF so did you compile > with pam support? Which versions (both OpenSSH + OS)? > On Tue, 17 Jun 2003, Pang, Jason YL wrote: > > I got "permission denied" msg when I try to connect via SSH. The password > > that I used was correct as I can establish the connection via telnet using > > the same password. Any idea why this can happen?? PermitRootLogin=no in sshd_config? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From jason.yl.pang at intel.com Tue Jun 17 15:30:49 2003 From: jason.yl.pang at intel.com (Pang, Jason YL) Date: Tue, 17 Jun 2003 13:30:49 +0800 Subject: ssh does not work Message-ID: <6A52D76F047B5B4497C40B00097C876F85199B@pgsmsx403.png.intel.com> Thanks for the info. The problem has been resolved by changing the PermitRootLogin=yes in sshd_config. -----Original Message----- 
From: Darren Tucker [mailto:dtucker at zip.com.au] Sent: Tuesday, June 17, 2003 1:29 PM To: Pang, Jason YL Cc: 'openssh-unix-dev at mindrot.org' Subject: Re: ssh does not work Ben Lindstrom wrote: > Newly configured OpenSSH? Solaris/FreeBSD/Linux? IF so did you compile > with pam support? Which versions (both OpenSSH + OS)? > On Tue, 17 Jun 2003, Pang, Jason YL wrote: > > I got "permission denied" msg when I try to connect via SSH. The password > > that I used was correct as I can establish the connection via telnet using > > the same password. Any idea why this can happen?? PermitRootLogin=no in sshd_config? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From sth at hq.bsbg.net Tue Jun 17 18:24:12 2003 From: sth at hq.bsbg.net (Stefan Hadjistoytchev) Date: Tue, 17 Jun 2003 11:24:12 +0300 Subject: Problem/bug report for "bad decrypted len" error in OpenSSH References: <004901c33171$96593500$4102010a@dev.bnet> <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <3EE9DD14.6020305@mindrot.org> <004901c33171$96593500$4102010a@dev.bnet> <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <20030613143936.GB26806@folly> <003e01c333d1$96fbed60$4102010a@dev.bnet> <20030616082841.GA8025@folly> Message-ID: <002d01c334a9$d545e1b0$4102010a@dev.bnet> 10x for the fix !!! ----- Original Message ----- From: "Markus Friedl" To: "Stefan Hadjistoytchev" Cc: "Damien Miller" ; Sent: Monday, June 16, 2003 11:28 AM Subject: Re: Problem/bug report for "bad decrypted len" error in OpenSSH > replace > > if (len != hlen + oidlen) { > with > if (len < hlen + oidlen) { > > instead of deleting lines. > > > On Mon, Jun 16, 2003 at 09:36:16AM +0300, Stefan Hadjistoytchev wrote: > > I've posted the bug in BugZilla (bug 592). What should I do next ? > > > > Stefan > > ----- Original Message ----- 
> > From: "Markus Friedl"
> > To: "Stefan Hadjistoytchev" ; "Damien Miller"
> >
> > Cc:
> > Sent: Friday, June 13, 2003 5:39 PM
> > Subject: Re: Problem/bug report for "bad decrypted len" error in OpenSSH
> >
> >
> > > On Sat, Jun 14, 2003 at 12:17:56AM +1000, Damien Miller wrote:
> > > > Stefan Hadjistoytchev wrote:
> > > > > Should I report it to BugZilla ?
> > > >
> > > > Only if you can justify _why_ the length check is not correct.
> > >
> > > make sure to include:
> > >
> > > This is a redundant length check that is not technically
> > > correct. The OpenSSH team is aware of the problem but don't
> > > care since they have no idea how to use certificates.
> > >
> > > The length check is not redundant since the result might be
> > > too small for example.
> > >
> > >
> >

From larsch at trustcenter.de Tue Jun 17 18:38:35 2003
From: larsch at trustcenter.de (Nils Larsch)
Date: Tue, 17 Jun 2003 10:38:35 +0200
Subject: Problem/bug report for "bad decrypted len" error in OpenSSH
In-Reply-To: <20030616082841.GA8025@folly>
References: <004901c33171$96593500$4102010a@dev.bnet> <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <3EE9DD14.6020305@mindrot.org> <004901c33171$96593500$4102010a@dev.bnet> <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <20030613143936.GB26806@folly> <003e01c333d1$96fbed60$4102010a@dev.bnet> <20030616082841.GA8025@folly>
Message-ID: <3EEED38B.7090002@trustcenter.de>

Markus Friedl wrote:
> replace
>
>   if (len != hlen + oidlen) {
> with
>   if (len < hlen + oidlen) {
>
> instead of deleting lines.

Hi Markus,

are you sure this is correct? As far as I understand PKCS#1 (in this case the RSASSA-PKCS1-v1_5-Verify (8.2.2) function), the signature verification should return "invalid signature" in this case (because the second encoded message would not contain this additional byte). From the error message:

  sshd[1224] error: bad decrypted len: 36 != 20 + 15

and the fact that disabling this check results in a successful signature verification, I guess that the decrypted content has the form

  decrypted = DigestInfo || hash || x,

where x is an (unknown) byte. I think it's a bug in the signature generation (the x byte shouldn't be there).

Nils

From markus at openbsd.org Tue Jun 17 19:00:23 2003
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 17 Jun 2003 11:00:23 +0200
Subject: Problem/bug report for "bad decrypted len" error in OpenSSH
In-Reply-To: <002d01c334a9$d545e1b0$4102010a@dev.bnet>
References: <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <3EE9DD14.6020305@mindrot.org> <004901c33171$96593500$4102010a@dev.bnet> <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <20030613143936.GB26806@folly> <003e01c333d1$96fbed60$4102010a@dev.bnet> <20030616082841.GA8025@folly> <002d01c334a9$d545e1b0$4102010a@dev.bnet>
Message-ID: <20030617090023.GB8870@folly>

I'm not sure whether this fix is correct.

could you print out the 'extra bytes' ?

e.g. add

	if (len > hlen + oidlen) {
		Buffer b;
		buffer_init(&b);
		buffer_append(&b, decrypted + hlen + oidlen,
		    len - hlen - oidlen);
		buffer_dump(&b);
		buffer_clear(&b);
	}

and start sshd with
	sshd -dddp1234

and connect to port 1234 with your client?

On Tue, Jun 17, 2003 at 11:24:12AM +0300, Stefan Hadjistoytchev wrote:
> 10x for the fix !!!
> ----- Original Message -----
> From: "Markus Friedl"
> To: "Stefan Hadjistoytchev"
> Cc: "Damien Miller" ;
> Sent: Monday, June 16, 2003 11:28 AM
> Subject: Re: Problem/bug report for "bad decrypted len" error in OpenSSH
>
>
> > replace
> >
> >   if (len != hlen + oidlen) {
> > with
> >   if (len < hlen + oidlen) {
> >
> > instead of deleting lines.
> >
> >
> > On Mon, Jun 16, 2003 at 09:36:16AM +0300, Stefan Hadjistoytchev wrote:
> > > I've posted the bug in BugZilla (bug 592). What should I do next ?
> > >
> > > Stefan
> > > ----- Original Message -----
> > > From: "Markus Friedl"
> > > To: "Stefan Hadjistoytchev" ; "Damien Miller"
> > >
> > > Cc:
> > > Sent: Friday, June 13, 2003 5:39 PM
> > > Subject: Re: Problem/bug report for "bad decrypted len" error in OpenSSH
> > >
> > >
> > > > On Sat, Jun 14, 2003 at 12:17:56AM +1000, Damien Miller wrote:
> > > > > Stefan Hadjistoytchev wrote:
> > > > > > Should I report it to BugZilla ?
> > > > >
> > > > > Only if you can justify _why_ the length check is not correct.
> > > >
> > > > make sure to include:
> > > >
> > > > This is a redundant length check that is not technically
> > > > correct. The OpenSSH team is aware of the problem but don't
> > > > care since they have no idea how to use certificates.
> > > >
> > > > The length check is not redundant since the result might be
> > > > too small for example.
> > > >
> > > >
> > >
> >
>

From markus at openbsd.org Tue Jun 17 19:06:23 2003
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 17 Jun 2003 11:06:23 +0200
Subject: Problem/bug report for "bad decrypted len" error in OpenSSH
In-Reply-To: <3EEED38B.7090002@trustcenter.de>
References: <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <3EE9DD14.6020305@mindrot.org> <004901c33171$96593500$4102010a@dev.bnet> <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <20030613143936.GB26806@folly> <003e01c333d1$96fbed60$4102010a@dev.bnet> <20030616082841.GA8025@folly> <3EEED38B.7090002@trustcenter.de>
Message-ID: <20030617090623.GA2059@folly>

On Tue, Jun 17, 2003 at 10:38:35AM +0200, Nils Larsch wrote:
> Markus Friedl wrote:
> >replace
> >
> >  if (len != hlen + oidlen) {
> >with
> >  if (len < hlen + oidlen) {
> >
> >instead of deleting lines.
>
> Hi Markus,
>
> are you sure this is correct ?

no, i'm not sure. perhaps we will back out this change.

> As far as I understand PKCS#1
> (in this case the RSASSA-PKCS1-v1_5-Verify (8.2.2) function)
> should the signature verification return "invalid signature"
> in this case (because the second encoded message would not
> contain this additional byte). From the error message:
>   sshd[1224] error: bad decrypted len: 36 != 20 + 15
> and the fact that disabling this check results in a
> successful signature verification I guess that the decrypted
> content has the form decrypted = DigestInfo || hash || x, where
> x is a (unknown) byte. I think it's a bug in the signature
> generation (the x byte shouldn't be there).

yes, this is why i had the != there in the first place.

and this is why we get insulted :)

-m

From markus at openbsd.org Tue Jun 17 19:07:03 2003
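To make Nils's objection concrete, here is an added Python example (not code from the thread or from OpenSSH) that builds the EMSA-PKCS1-v1_5 encoded message for a SHA-1 ssh-rsa signature, strips the padding the way RSA_public_decrypt() with RSA_PKCS1_PADDING does, and runs the decrypted block through the original `!=` check, the proposed `<` check and the byte-for-byte comparison PKCS#1 8.2.2 prescribes. The signed data, the 1024-bit modulus length and the trailing byte are constructed test inputs; the functions mirror the checks only, not OpenSSH's code.

```python
import hashlib

# Added example (not OpenSSH code).  The DER DigestInfo prefix for SHA-1 is
# 15 bytes and the SHA-1 digest is 20, so a correct decrypted block is
# 35 bytes: the "20 + 15" in the sshd error message quoted in the thread.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")
HLEN = hashlib.sha1().digest_size          # 20
OIDLEN = len(SHA1_DIGESTINFO_PREFIX)       # 15


def pad_type1(t: bytes, k: int) -> bytes:
    """PKCS#1 type 1 block: 00 01 FF..FF 00 T, padded to k bytes with at
    least 8 FF bytes (k is the RSA modulus length in bytes)."""
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def emsa_pkcs1_v15_encode(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 (PKCS#1 section 9.2) with T = DigestInfo || SHA-1(msg)."""
    return pad_type1(SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest(), k)


def strip_type1_padding(em: bytes) -> bytes:
    """What RSA_public_decrypt(..., RSA_PKCS1_PADDING) hands back to
    ssh-rsa.c: everything after the 00 01 FF..FF 00 padding ('decrypted')."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        raise ValueError("bad PKCS#1 block type")
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:
        raise ValueError("bad PKCS#1 padding")
    return em[i + 1:]


def len_check_original(decrypted: bytes) -> bool:
    """The check as shipped in ssh-rsa.c: if (len != hlen + oidlen) -> error."""
    return len(decrypted) == HLEN + OIDLEN


def len_check_relaxed(decrypted: bytes) -> bool:
    """The relaxation proposed in the thread: if (len < hlen + oidlen) -> error.
    Anything longer than 35 bytes, such as a trailing unexplained byte, passes."""
    return len(decrypted) >= HLEN + OIDLEN


def verify_strict(em: bytes, msg: bytes) -> bool:
    """RSASSA-PKCS1-v1_5-VERIFY step 4 (PKCS#1 8.2.2): recompute EM' from the
    message and require EM == EM' byte for byte.  An extra byte after the
    hash also shortens the FF run, so the comparison fails."""
    try:
        return em == emsa_pkcs1_v15_encode(msg, len(em))
    except ValueError:
        return False


def compare_checks(msg: bytes, extra: bytes = b"", k: int = 128) -> dict:
    """Constructed test: encode msg, optionally append `extra` after the hash
    (the x byte from Nils's analysis), and run all three checks on it."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(msg).digest() + extra
    em = pad_type1(t, k)
    decrypted = strip_type1_padding(em)
    return {
        "decrypted_len": len(decrypted),
        "original": len_check_original(decrypted),
        "relaxed": len_check_relaxed(decrypted),
        "pkcs1_strict": verify_strict(em, msg),
    }


if __name__ == "__main__":
    data = b"constructed signed data"
    print("well-formed:", compare_checks(data))
    print("trailing 00:", compare_checks(data, extra=b"\x00"))
```

The second run reproduces the thread's numbers (decrypted length 36 against the expected 35): only the relaxed `<` check lets it through, while both the original `!=` check and the standard's full comparison reject it.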
From: markus at openbsd.org (Markus Friedl) Date: Tue, 17 Jun 2003 11:07:03 +0200 Subject: errors when running multiple openssh sessions In-Reply-To: <20030616191615.GA12035@ftg2.lbl.gov> References: <20030616191615.GA12035@ftg2.lbl.gov> Message-ID: <20030617090703.GB2059@folly> have you checked MaxStartups in sshd_config? From pobrien at doit.nv.gov Wed Jun 18 00:23:29 2003 From: pobrien at doit.nv.gov (Patrick B. O'Brien) Date: Tue, 17 Jun 2003 07:23:29 -0700 Subject: Can only ssh as root Message-ID: I have an AIX 4.3.3.10 Box running Openssh 3.4. I am using Putty to get to this Ssh server. All is good when I Ssh in using root. But when I try another user profile I get the below: Jun 16 17:22:21 walker sshd[8812]: fatal: login_get_lastlog: Cannot find account for uid 95 In addition, I am kicked out of this session right now. TIA! From dtucker at zip.com.au Wed Jun 18 00:54:07 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 18 Jun 2003 00:54:07 +1000 Subject: Can only ssh as root References: Message-ID: <3EEF2B8F.EBC60FC7@zip.com.au> "Patrick B. O'Brien" wrote: > I have an AIX 4.3.3.10 Box running Openssh 3.4. > Jun 16 17:22:21 walker sshd[8812]: fatal: login_get_lastlog: Cannot find account for uid 95 That's odd, AIX shouldn't be using lastlog. Is DISABLE_LASTLOG set in config.h? If not try defining it and recompiling. Also, can you try a more recent OpenSSH version (eg 3.6.1p2)? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From csoler at nextel.es Wed Jun 18 01:21:32 2003 
From: csoler at nextel.es (César Soler)
Date: Tue, 17 Jun 2003 17:21:32 +0200
Subject: upgrade from 2.2p1 to 3.4p1
Message-ID: <170116309654.20030617172132@nextel.es>

Hi,

We are trying to upgrade the openssh version from 2.2p1 to 3.4p1, but we have found many issues/problems. If somebody could tell us any clue to solve them, it would be appreciated:

- ssh client version 3.4 seems to be incompatible with sshd 2.2. Is this true, or have we just not found the right options at the command line?

- we have thought to solve the previous issue by renaming the old ssh to ssh2.2 and the new one to ssh3.4, and writing a shell script that calls each one depending on the remote server. Now the problem is that the ssh2.2 can only execute as 'ssh': if it is renamed, it doesn't run (ssh22, ssh2.2, ssh2...) and takes the binary name as the hostname.... we have been looking for any related info (in google, in the list archive...) but have not been able to solve it....

Thanks for your help and time!

--
Best regards,
César
mailto:csoler at nextel.es

From markus at openbsd.org Wed Jun 18 01:56:03 2003
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 17 Jun 2003 17:56:03 +0200
Subject: upgrade from 2.2p1 to 3.4p1
In-Reply-To: <170116309654.20030617172132@nextel.es>
References: <170116309654.20030617172132@nextel.es>
Message-ID: <20030617155603.GA30447@folly>

On Tue, Jun 17, 2003 at 05:21:32PM +0200, César Soler wrote:
> Hi,
>
> We are trying to upgrade the openssh version from 2.2p1 to 3.4p1, but
> we have found many issues/problems. If somebody could tell us any clue
> to solve them, it would be appreciated:
>
> - ssh client version 3.4 seems to be incompatible with sshd 2.2. Is
> this true, or have we just not found the right options at the command line?

there should be no problems for interoperation. however, 3.4 might not like all the config file options from 2.2 and vice versa.

From ed at membled.com Wed Jun 18 04:37:45 2003
From: ed at membled.com (Ed Avis)
Date: Tue, 17 Jun 2003 19:37:45 +0100 (BST)
Subject: fsh
In-Reply-To: <20030617001503.6E54A27C5A2@shitei.mindrot.org>
Message-ID:

Some people suggested fsh as a way of speeding up a build system which sshes to different hosts to run jobs in parallel. fsh is very handy but it works by keeping open a *single* connection. It won't work if you want to execute more than one command in parallel on the same host.

--
Ed Avis

From dwmw2 at infradead.org Wed Jun 18 07:56:01 2003
From: dwmw2 at infradead.org (David Woodhouse)
Date: Tue, 17 Jun 2003 22:56:01 +0100
Subject: fsh
In-Reply-To:
References:
Message-ID: <1055886961.2282.4.camel@imladris.demon.co.uk>

On Tue, 2003-06-17 at 19:37, Ed Avis wrote:
> Some people suggested fsh as a way of speeding up a build system which
> sshes to different hosts to run jobs in parallel. fsh is very handy
> but it works by keeping open a *single* connection. It won't work if
> you want to execute more than one command in parallel on the same
> host.

You're saying that each connection has to wait for the previous one to finish? That's not my understanding. My IMAP clients get at their IMAP servers by fsh and the same machines remain available by fsh at all times...

imladris /home/dwmw2 $ date ; fsh passion sleep 20 & fsh passion sleep 20 & fsh passion sleep 20 & %1 ; %2 ; %3 ; date
Tue Jun 17 22:54:24 BST 2003
[1] 2749
[2] 2750
[3] 2751
fsh passion sleep 20
[3]   Done                    fsh passion sleep 20
fsh passion sleep 20
-bash2: fg: %3: no such job
Tue Jun 17 22:54:45 BST 2003
imladris /home/dwmw2 $

--
dwmw2

From djm at mindrot.org Wed Jun 18 08:42:50 2003
From: djm at mindrot.org (Damien Miller)
Date: Wed, 18 Jun 2003 08:42:50 +1000
Subject: fsh
In-Reply-To:
References:
Message-ID: <3EEF996A.20304@mindrot.org>

Ed Avis wrote:
> Some people suggested fsh as a way of speeding up a build system which
> sshes to different hosts to run jobs in parallel. fsh is very handy
> but it works by keeping open a *single* connection. It won't work if
> you want to execute more than one command in parallel on the same
> host.

I have wanted to do a "server mode" for the OpenSSH client for a while. SSH protocol v.2 allows multiple sessions to run concurrently over a single TCP connection. We don't support this at present, but some windows clients do.

We could support this by having the initial ssh client establish a unix domain socket in a knowable location, to which clients could attach and reuse the existing connection.

I probably won't have time to work on this for a little while, but someone else may be interested.

-d

From sth at hq.bsbg.net Wed Jun 18 16:16:55 2003
From: sth at hq.bsbg.net (Stefan Hadjistoytchev)
Date: Wed, 18 Jun 2003 09:16:55 +0300
Subject: Problem/bug report for "bad decrypted len" error in OpenSSH
References: <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <3EE9DD14.6020305@mindrot.org> <004901c33171$96593500$4102010a@dev.bnet> <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <20030613143936.GB26806@folly> <003e01c333d1$96fbed60$4102010a@dev.bnet> <20030616082841.GA8025@folly> <002d01c334a9$d545e1b0$4102010a@dev.bnet> <20030617090023.GB8870@folly>
Message-ID: <006801c33561$376b13d0$4102010a@dev.bnet>

Where should I check for these bytes ?

----- Original Message -----
From: "Markus Friedl" To: "Stefan Hadjistoytchev" Cc: "Damien Miller" ; Sent: Tuesday, June 17, 2003 12:00 PM Subject: Re: Problem/bug report for "bad decrypted len" error in OpenSSH > I'm not sure whether this fix is correct. > > could you print out the 'extra bytes' ? > > e.g. add > > if (len > hlen + oidlen) { > Buffer b; > buffer_init(&b); > buffer_append(&b, decrypted + hlen + oidlen, > len - hlen - oidlen); > buffer_dump(&b); > buffer_clear(&b); > } > > and start sshd with > sshd -dddp1234 > > and connect to port 1234 with your client? > > On Tue, Jun 17, 2003 at 11:24:12AM +0300, Stefan Hadjistoytchev wrote: > > 10x for the fix !!! > > ----- Original Message ----- > > From: "Markus Friedl" > > To: "Stefan Hadjistoytchev" > > Cc: "Damien Miller" ; > > Sent: Monday, June 16, 2003 11:28 AM > > Subject: Re: Problem/bug report for "bad decrypted len" error in OpenSSH > > > > > > > replace > > > > > > if (len != hlen + oidlen) { > > > with > > > if (len < hlen + oidlen) { > > > > > > instead of deleting lines. > > > > > > > > > On Mon, Jun 16, 2003 at 09:36:16AM +0300, Stefan Hadjistoytchev wrote: > > > > I've posted the bug in BugZilla (bug 592). What should I do next ? > > > > > > > > Stefan > > > > ----- Original Message ----- 
> > > > From: "Markus Friedl"
> > > > To: "Stefan Hadjistoytchev" ; "Damien Miller"
> > > >
> > > > Cc:
> > > > Sent: Friday, June 13, 2003 5:39 PM
> > > > Subject: Re: Problem/bug report for "bad decrypted len" error in OpenSSH
> > > >
> > > >
> > > > > On Sat, Jun 14, 2003 at 12:17:56AM +1000, Damien Miller wrote:
> > > > > > Stefan Hadjistoytchev wrote:
> > > > > > > Should I report it to BugZilla ?
> > > > > >
> > > > > > Only if you can justify _why_ the length check is not correct.
> > > > >
> > > > > make sure to include:
> > > > >
> > > > > This is a redundant length check that is not technically
> > > > > correct. The OpenSSH team is aware of the problem but don't
> > > > > care since they have no idea how to use certificates.
> > > > >
> > > > > The length check is not redundant since the result might be
> > > > > too small for example.
> > > > >
> > > > >
> > > >
> > >
> >
>

From sth at hq.bsbg.net Wed Jun 18 16:35:35 2003
From: sth at hq.bsbg.net (Stefan Hadjistoytchev)
Date: Wed, 18 Jun 2003 09:35:35 +0300
Subject: Problem/bug report for "bad decrypted len" error in OpenSSH
References: <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <3EE9DD14.6020305@mindrot.org> <004901c33171$96593500$4102010a@dev.bnet> <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <20030613143936.GB26806@folly> <003e01c333d1$96fbed60$4102010a@dev.bnet> <20030616082841.GA8025@folly> <002d01c334a9$d545e1b0$4102010a@dev.bnet> <20030617090023.GB8870@folly>
Message-ID: <006c01c33563$d3809680$4102010a@dev.bnet>

I received:

  00

what's next ?

From sth at hq.bsbg.net Wed Jun 18 17:35:37 2003
From: sth at hq.bsbg.net (Stefan Hadjistoytchev)
Date: Wed, 18 Jun 2003 10:35:37 +0300
Subject: Problem/bug report for "bad decrypted len" error in
Message-ID: <00c401c3356c$367b0d80$4102010a@dev.bnet>

Additional information:

1. Linux (sshd server) (same on AIX or other distributions)
   a) Distribution: Trustix Secure Linux 2.0 beta 3
      http://www.trustix.net/pub/Trustix/pre-releases/trustix-2.0-beta3/ISO/trustix-2.0-beta3.i586.iso
   b) OpenSSH 3.6.1:
      http://www.trustix.net/pub/Trustix/pre-releases/trustix-2.0-beta3/i586/Trustix/RPMS/openssh-3.6.1p1-5to.i586.rpm |
      http://www.trustix.net/pub/Trustix/pre-releases/trustix-2.0-beta3/i586/Trustix/RPMS/openssh-server-3.6.1p1-5to.i586.rpm
   c) sshd_config:
      Port 22
      Protocol 2
      ListenAddress 0.0.0.0
      PermitRootLogin no
      PubkeyAuthentication yes
      AuthorizedKeysFile .ssh/authorized_keys
      RhostsAuthentication no
      RhostsRSAAuthentication no
      HostbasedAuthentication no
      PasswordAuthentication no
      PermitEmptyPasswords no
      Subsystem sftp /usr/libexec/ssh/sftp-server

2. Windows (ssh client)
   a) Version: 2000/XP/98
   b) SSH clients: Putty Release 0.53 (http://www.chiark.greenend.org.uk/~sgtatham/putty/) | SecureNetTerm 5.4.2.4 (http://www.securenetterm.com/)
   c) Smartcard Agent: Secure KeyAgent 5.4.2.4 (part of SecureNetTerm 5.4.2.4, http://www.securenetterm.com/)
   d) SmartCard Reader: Omnikey CardMan 1010 (http://www.omnikey.com) driver ver. 1.2.0.8
   e) SmartCard: Utimaco (http://www.utimaco.com) (SETEC | SETCOS based)
   f) Smartcard CSP: Utimaco CSP ver.41121
   g) Certificate (incl. public - private key) generated on smart-card

Card certificate (public-private key auth) causes the following errors in "/var/log/auth/errors":

  .............
  sshd[1224] error: bad decrypted len: 36 != 20 + 15
  sshd[1227] error: bad decrypted len: 36 != 20 + 15
  .............

Extra byte is 00 i think :(

Comments on this error from SecureNetTerm team:
> OpenSSH 3.6.1 is a little braindead when it comes to proper operation of Certificates.
> All you have to do is edit the OpenSSL file ssh-rsa.c and comment out lines 250-252.
> This is a redundant length check that is not technically correct. The OpenSSH team is
> aware of the problem but don't care since they have no idea how to use certificates.

If anyone requires additional information - just let me know :)

Best regards
Stefan Hadjistoytchev

From bart at dreamflow.nl Wed Jun 18 18:29:43 2003
From: bart at dreamflow.nl (Bart Matthaei)
Date: Wed, 18 Jun 2003 10:29:43 +0200
Subject: ssh-agent protocol
Message-ID: <20030618082943.GN19990@dreamflow.nl>

Hi,

I don't know if this is the right place for this question, but here goes:

I'm building an application for Mac OS X to manage the ssh keychain. I'm planning on building a separate socket where ssh can connect to, read data from it, and forward it to the wrapped ssh-agent if necessary. I want to notify the user when ssh is trying to request keys when there aren't any keys added yet.

I suppose I can strace ssh / ssh-agent to figure out the communication syntax, but is it documented somewhere? And more importantly, will the syntax ever change?

Kind Regards,

Bart Matthaei

--
Bart Matthaei bart at dreamflow.nl
There's no sex in struct sockaddr_in ..

From markus at openbsd.org Wed Jun 18 19:10:40 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 18 Jun 2003 11:10:40 +0200
Subject: ssh-agent protocol
In-Reply-To: <20030618082943.GN19990@dreamflow.nl>
References: <20030618082943.GN19990@dreamflow.nl>
Message-ID: <20030618091040.GA760@folly>

no need to strace, since you have the source code.

the basic protocol is documented in RFC.nroff
it's very easy to understand from ssh-agent.c
extensions are in ssh-agent.c only, w/o documentation.

authfd.[ch] contain the client side of the protocol.

From markus at openbsd.org Wed Jun 18 19:37:18 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 18 Jun 2003 11:37:18 +0200
Subject: Problem/bug report for "bad decrypted len" error in OpenSSH
In-Reply-To: <006c01c33563$d3809680$4102010a@dev.bnet>
References: <3EE9DD14.6020305@mindrot.org> <004901c33171$96593500$4102010a@dev.bnet> <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <20030613143936.GB26806@folly> <003e01c333d1$96fbed60$4102010a@dev.bnet> <20030616082841.GA8025@folly> <002d01c334a9$d545e1b0$4102010a@dev.bnet> <20030617090023.GB8870@folly> <006c01c33563$d3809680$4102010a@dev.bnet>
Message-ID: <20030618093718.GA9952@folly>

On Wed, Jun 18, 2003 at 09:35:35AM +0300, Stefan Hadjistoytchev wrote:
> I received:
> 00
> what's next ?

it would be nice to know why the client sends this extra 0 byte.

i think it should not.

From djm at mindrot.org Wed Jun 18 22:23:07 2003
From: djm at mindrot.org (Damien Miller)
Date: Wed, 18 Jun 2003 22:23:07 +1000
Subject: Problem/bug report for "bad decrypted len" error in OpenSSH
In-Reply-To: <014a01c33592$4aec3fc0$4102010a@dev.bnet>
References: <3EE9DD14.6020305@mindrot.org> <004901c33171$96593500$4102010a@dev.bnet> <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <20030613143936.GB26806@folly> <003e01c333d1$96fbed60$4102010a@dev.bnet> <20030616082841.GA8025@folly> <002d01c334a9$d545e1b0$4102010a@dev.bnet> <20030617090023.GB8870@folly> <006c01c33563$d3809680$4102010a@dev.bnet> <20030618093718.GA9952@folly> <014a01c33592$4aec3fc0$4102010a@dev.bnet>
Message-ID: <3EF059AB.800@mindrot.org>

Stefan Hadjistoytchev wrote:
> I think we should ask SecureNetTerm team at support at securenetterm.com (
> Ken )
> Would you please ask them because you could better and quicker clarify the
> technical issue with them ?

Yes, it would be good if we received proper bug reports from them rather
than 2nd-hand snide comments in email.

-d

> Best regards
> Stefan
>
> ----- Original Message -----
> From: "Markus Friedl"
> To: "Stefan Hadjistoytchev"
> Cc: "Damien Miller" ;
> Sent: Wednesday, June 18, 2003 12:37 PM
> Subject: Re: Problem/bug report for "bad decrypted len" error in OpenSSH
>
>
>> On Wed, Jun 18, 2003 at 09:35:35AM +0300, Stefan Hadjistoytchev wrote:
>> > I received:
>> > 00
>> > what's next?
>>
>> it would be nice to know why the client sends this extra 0 byte.
>>
>> i think it should not.
>>
>>

From markus at openbsd.org Wed Jun 18 22:41:15 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 18 Jun 2003 14:41:15 +0200
Subject: Problem/bug report for "bad decrypted len" error in OpenSSH
In-Reply-To: <014a01c33592$4aec3fc0$4102010a@dev.bnet>
References: <20030613075416.GB11285@folly> <01bb01c331ab$b08041f0$4102010a@dev.bnet> <20030613143936.GB26806@folly> <003e01c333d1$96fbed60$4102010a@dev.bnet> <20030616082841.GA8025@folly> <002d01c334a9$d545e1b0$4102010a@dev.bnet> <20030617090023.GB8870@folly> <006c01c33563$d3809680$4102010a@dev.bnet> <20030618093718.GA9952@folly> <014a01c33592$4aec3fc0$4102010a@dev.bnet>
Message-ID: <20030618124115.GA23800@folly>

On Wed, Jun 18, 2003 at 03:08:12PM +0300, Stefan Hadjistoytchev wrote:
> I think we should ask SecureNetTerm team at support at securenetterm.com (
> Ken )
> Would you please ask them because you could better and quicker clarify the
> technical issue with them ?

they should send a bug report explaining where the extra 0x00 is from.

From fcusack at fcusack.com Thu Jun 19 08:08:55 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Wed, 18 Jun 2003 15:08:55 -0700
Subject: Extensions for long fat networks?
In-Reply-To: <3EEA6037.E792DC81@noaa.gov>; from paul.hyder@noaa.gov on Fri, Jun 13, 2003 at 05:37:27PM -0600
References: <3EEA2EDC.D720D8FB@noaa.gov> <3EEA5211.8000806@mindrot.org> <3EEA6037.E792DC81@noaa.gov>
Message-ID: <20030618150855.A22661@google.com>

On Fri, Jun 13, 2003 at 05:37:27PM -0600, Paul Hyder wrote:
> sizes, seems to be tied to CHAN_TCP_PACKET_DEFAULT/CHAN_TCP_WINDOW_DEFAULT, hmm
> With encryption requirements and lots of LFN availability I was just
> hoping someone else had already run into the low long distance
> throughput and fixed it.

I have, but our fix is just to increase the system default socket buffer
size. I guess we didn't do any studies to see if we were maximizing window
use. Which made sense for us, since we were doing many to many aggregate
copies and filling the WAN pipes anyway.

I don't have time to look into this, but I am very interested to hear about
any progress you make.

/fc

From TORBAN at do.usbr.gov Fri Jun 20 03:49:17 2003
From: TORBAN at do.usbr.gov (Tom Orban)
Date: Thu, 19 Jun 2003 11:49:17 -0600
Subject: Build error on HP-UX
Message-ID:

Hello,

I'm trying to compile openssh-3.6.1 P2 on an HP box running HP-UX 11.00.
After running configure, the first file it tries to compile is
openbsd-compat/bsd-arc4random.c. It appears to give an error from one of
its include files:

    cc: "../openbsd-compat/bsd-misc.h", line 72: error 1711: Inconsistent
    parameter list declaration for "utimes".

I'm not doing anything funky in configure, so I can't believe I'm the
first person to see this on HP-UX. Is there a patch/workaround available
for this?

Thanks.

-Tom

From rick.jones2 at hp.com Fri Jun 20 04:51:56 2003
From: rick.jones2 at hp.com (Rick Jones)
Date: Thu, 19 Jun 2003 11:51:56 -0700
Subject: Build error on HP-UX
References:
Message-ID: <3EF2064C.B72E5762@hp.com>

> cc: "../openbsd-compat/bsd-misc.h", line 72: error 1711: Inconsistent
> parameter list declaration for "utimes".

IIRC, that happens when a function prototype does not match the actual
function declaration. So, I'd grep through the code to see the instances
of utimes and make sure everything matches.

rick jones
--
Wisdom Teeth are impacted, people are affected by the effects of events.
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to raj in cup.hp.com but NOT BOTH...

From mouring at etoh.eviladmin.org Fri Jun 20 05:38:03 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 19 Jun 2003 14:38:03 -0500 (CDT)
Subject: Build error on HP-UX
In-Reply-To:
Message-ID:

How does HP/UX define utimes?

This is how most OSes define it:

    int utimes(char *filename, struct timeval *tvp);

Outside the fact we skip variable names in the definition we do:

    bsd-misc.c:int utimes(char *filename, struct timeval *tvp)
    bsd-misc.h:int utimes(char *, struct timeval *);

Try in the bsd-misc.h changing it to be exactly as it's defined in the
bsd-misc.c. Maybe your compiler is picky.

On Thu, 19 Jun 2003, Tom Orban wrote:

> Hello,
>
> I'm trying to compile openssh-3.6.1 P2 on an HP box running HP-UX
> 11.00. After running configure, the first file it tries to compile is
> openbsd-compat/bsd-arc4random.c. It appears to give an error from one
> of its include files:
>
> cc: "../openbsd-compat/bsd-misc.h", line 72: error 1711: Inconsistent
> parameter list declaration for "utimes".
>
> I'm not doing anything funky in configure, so I can't believe I'm the
> first person to see this on HP-UX. Is there a patch/workaround
> available for this?
>
> Thanks.
>
> -Tom
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From rick.jones2 at hp.com Fri Jun 20 06:13:22 2003
From: rick.jones2 at hp.com (Rick Jones)
Date: Thu, 19 Jun 2003 13:13:22 -0700
Subject: Build error on HP-UX
References:
Message-ID: <3EF21962.C71F6310@hp.com>

Ben Lindstrom wrote:
>
> How does HP/UX define utimes?

Thusly on 11.0:

    utimes(2)                                                     utimes(2)

    NAME
         utimes - set file access and modification times

    SYNOPSIS
         #include <sys/time.h>

         int utimes(const char *path, const struct timeval times[2]);

and then in sys/time.h:

    # ifdef _PROTOTYPES
         extern int getitimer(int, struct itimerval *);
         extern int setitimer(int, const struct itimerval *, struct itimerval *);
         extern int utimes(const char *path, const struct timeval amtimes[2]);
         extern int gettimeofday(struct timeval *, void *);
    # if defined(__INCLUDE_FROM_TIME_H) && !defined(_XOPEN_SOURCE_EXTENDED)
         extern int select(size_t, int *, int *, int *, const struct timeval *);
    # else /* __INCLUDE_FROM_TIME_H && !_XOPEN_SOURCE_EXTENDED */
         extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
    # endif /* __INCLUDE_FROM_TIME_H && !_XOPEN_SOURCE_EXTENDED */
    # else /* !_PROTOTYPES */

> This is how most OSes define it:
>
> int utimes(char *filename, struct timeval *tvp);
>
> Outside the fact we skip variable names in the definition we do:
>
> bsd-misc.c:int utimes(char *filename, struct timeval *tvp)
> bsd-misc.h:int utimes(char *, struct timeval *);
>
> Try in the bsd-misc.h changing it to be exactly as it's defined in the
> bsd-misc.c. Maybe your compiler is picky.

Perhaps the use of const in the UX headers is the trigger for this?

If there is a utimes on the platform, should that bsd-misc.[ch] stuff
even be included? Or does the configure script for ssh consider utimes
broken under HP-UX?
The compiler (at least my rev) doesn't mind the omission of the variable
name:

    $ cat foo.h
    int utimes(char *, int *);
    $ cat foo.c
    #include "foo.h"

    int utimes(char *filename, int *tvp) {
    }

    main(int argc,char *argv[]) {
    }

(I dropped the timeval stuff initially to avoid having to include more)

However, when I then add-back the struct timeval, and include sys/time.h:

    $ cat foo.c
    #include <sys/time.h>
    #include "foo.h"

    int utimes(char *filename, struct timeval *tvp) {
    }

    main(int argc,char *argv[]) {
    }

I get:

    $ cc foo.c
    cc: "foo.h", line 1: error 1711: Inconsistent parameter list declaration for "utimes".
    cc: "foo.c", line 3: error 1711: Inconsistent parameter list declaration for "utimes".

and then if I add const:

    $ cat foo.h
    int utimes(const char *, const struct timeval *);
    $ cat foo.c
    #include <sys/time.h>
    #include "foo.h"

    int utimes(const char *filename, const struct timeval *tvp) {
    }

    main(int argc,char *argv[]) {
    }

the compiler is happy:

    $ cc foo.c
    /usr/ccs/bin/ld: (Warning) At least one PA 2.0 object file (foo.o) was detected. The linked output may not run on a PA 1.x system.

rick jones
--
Wisdom Teeth are impacted, people are affected by the effects of events.
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to raj in cup.hp.com but NOT BOTH...

From mouring at etoh.eviladmin.org Fri Jun 20 06:29:17 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 19 Jun 2003 15:29:17 -0500 (CDT)
Subject: Build error on HP-UX
In-Reply-To: <3EF21962.C71F6310@hp.com>
Message-ID:

On Thu, 19 Jun 2003, Rick Jones wrote:

> Ben Lindstrom wrote:
> >
> > How does HP/UX define utimes?
>
> Thusly on 11.0:
>
>
> utimes(2)                                                     utimes(2)
>
> NAME
>      utimes - set file access and modification times
>
> SYNOPSIS
>      #include <sys/time.h>
>
>      int utimes(const char *path, const struct timeval times[2]);
>

Interestingly enough, Linux and OpenBSD at least define it as *times instead
of times[2], but the code itself should be fine.

It bothers me that configure.ac generated the wrong check. What library
is utimes() part of? Maybe we need an additional check besides:

    AC_CHECK_FUNC(utimes,
        [], [ AC_CHECK_LIB(c89, utimes, [AC_DEFINE(HAVE_UTIMES)
                                          LIBS="$LIBS -lc89"]) ]
    )

[..]
> > bsd-misc.c:int utimes(char *filename, struct timeval *tvp)
> > bsd-misc.h:int utimes(char *, struct timeval *);
> >
> > Try in the bsd-misc.h changing it to be exactly as it's defined in the
> > bsd-misc.c. Maybe your compiler is picky.
>
> Perhaps the use of const in the UX headers is the trigger for this?
>

No it is because the second argument is different (*tvp vs tvp[2])

> If there is a utimes on the platform, should that bsd-misc.[ch] stuff
> even be included? Or does the configure script for ssh consider utimes
> broken under HP-UX?
>

I'd say something is wrong with configure.ac script. If you go into
config.h and uncomment "#define HAVE_UTIMES 1" and compile does HP/UX 11
work correctly?

- Ben

From dtucker at zip.com.au Fri Jun 20 07:38:19 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 20 Jun 2003 07:38:19 +1000
Subject: Build error on HP-UX
References:
Message-ID: <3EF22D4B.260BE560@zip.com.au>

Ben Lindstrom wrote:
> It bothers me that configure.ac generated the wrong check. What library
> is utimes() part of? Maybe we need additional check besides:

I think it's a problem with autoconf-2.57. Older (and newer devel
versions) seem to work OK. If you haven't already, see:
http://bugzilla.mindrot.org/show_bug.cgi?id=553

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From mouring at etoh.eviladmin.org Fri Jun 20 07:43:28 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 19 Jun 2003 16:43:28 -0500 (CDT)
Subject: Build error on HP-UX
In-Reply-To: <3EF22D4B.260BE560@zip.com.au>
Message-ID:

On Fri, 20 Jun 2003, Darren Tucker wrote:

> Ben Lindstrom wrote:
> > It bothers me that configure.ac generated the wrong check. What library
> > is utimes() part of? Maybe we need additional check besides:
>
> I think it's a problem with autoconf-2.57. Older (and newer devel
> versions) seem to work OK. If you haven't already, see:
> http://bugzilla.mindrot.org/show_bug.cgi?id=553
>

That is why I've seen this before. Yes. I agree. So I guess in the next
release we will have to upgrade our configure requirement. Sucks when the
build tool is the problem.

BTW, I agree with Tim in the bugzilla report. I think the second utimes
check in the main function call block can be removed and an acconfig.h
entry added for HAVE_UTIMES.

- Ben

From rick.jones2 at hp.com Fri Jun 20 10:05:28 2003
From: rick.jones2 at hp.com (Rick Jones)
Date: Thu, 19 Jun 2003 17:05:28 -0700
Subject: Build error on HP-UX
References:
Message-ID: <3EF24FC8.4318DF11@hp.com>

Ben Lindstrom wrote:
>
> On Thu, 19 Jun 2003, Rick Jones wrote:
>
> > Ben Lindstrom wrote:
> > >
> > > How does HP/UX define utimes?
> >
> > Thusly on 11.0:
> >
> >
> > utimes(2)                                                     utimes(2)
> >
> > NAME
> >      utimes - set file access and modification times
> >
> > SYNOPSIS
> >      #include <sys/time.h>
> >
> >      int utimes(const char *path, const struct timeval times[2]);
> >
>
> Interestingly enough, Linux and OpenBSD at least define it as *times instead
> of times[2], but the code itself should be fine.

I wonder what Posix/X/Open say about it, if anything.

> It bothers me that configure.ac generated the wrong check. What library
> is utimes() part of?

I'm guessing it is part of libc:

    $ nm /usr/lib/libc.sl | grep utimes
    _utimes             |    739636|extern|code   |$CODE$
    utimes              |    739596|extern|entry  |
    utimes              |    739636|extern|code   |$CODE$

> Maybe we need an additional check besides:
>
> AC_CHECK_FUNC(utimes,
>     [], [ AC_CHECK_LIB(c89, utimes, [AC_DEFINE(HAVE_UTIMES)
>                                       LIBS="$LIBS -lc89"]) ]
> )

Likely - if I try to compile my foo.c with a -lc89:

    $ cc foo.c -lc89
    /usr/ccs/bin/ld: Can't find library: "c89"

which could I suppose make configure think there is no utimes on UX...
perhaps it should try first without the -lc89 and only try it if the
first one fails?

> [..]
> > > bsd-misc.c:int utimes(char *filename, struct timeval *tvp)
> > > bsd-misc.h:int utimes(char *, struct timeval *);
> > >
> > > Try in the bsd-misc.h changing it to be exactly as it's defined in the
> > > bsd-misc.c. Maybe your compiler is picky.
> >
> > Perhaps the use of const in the UX headers is the trigger for this?
> >
> No it is because the second argument is different (*tvp vs tvp[2])

Thanks - I confirmed it by changing the timeval to an int and dropping
the sys/time.h include and seeing that it compiled just fine.

> I'd say something is wrong with configure.ac script. If you go into
> config.h and uncomment "#define HAVE_UTIMES 1" and compile does HP/UX 11
> work correctly?

I'll have to let the original reporter report on that.

rick
--
Wisdom Teeth are impacted, people are affected by the effects of events.
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to raj in cup.hp.com but NOT BOTH...

From jmknoble at pobox.com Fri Jun 20 11:22:57 2003
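Added example, not code from the thread, OpenSSH or HP: the working prototype from Rick's last foo.h redeclared against a POSIX <sys/time.h>, showing it is the same type as the system's `const struct timeval [2]` form (C adjusts an array parameter to a pointer, so only the `const` qualifiers differ between the failing and the working declaration), followed by a real utimes() round trip on a temporary file. Assumes a POSIX host with glibc-style feature macros and a writable /tmp; the file name template is constructed.

```c
/* Added example, not OpenSSH or HP code: the compat prototype clash from the
 * thread, reproduced against a POSIX <sys/time.h>, then a real call so the
 * chosen declaration is exercised. Assumes a POSIX host with writable /tmp. */
#define _GNU_SOURCE 1   /* keep utimes()/mkstemp() visible under -std=c99 on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/time.h>

/* A redeclaration in the style of a corrected bsd-misc.h. C adjusts the
 * array parameter "const struct timeval [2]" of the system prototype to
 * "const struct timeval *", so this line names the same type and compiles.
 * Declaring "int utimes(char *, struct timeval *)" instead makes the pointee
 * types differ in qualification, which HP's cc reports as error 1711 and
 * gcc as "conflicting types for 'utimes'". */
int utimes(const char *, const struct timeval *);

/* Set atime/mtime (whole seconds) on path and read them back via stat().
 * Returns 0 when both match, -1 on any error or mismatch. */
int set_and_check_times(const char *path, time_t atime, time_t mtime) {
    struct timeval tv[2];
    struct stat st;
    tv[0].tv_sec = atime; tv[0].tv_usec = 0;
    tv[1].tv_sec = mtime; tv[1].tv_usec = 0;
    if (utimes(path, tv) != 0 || stat(path, &st) != 0) return -1;
    return (st.st_atime == atime && st.st_mtime == mtime) ? 0 : -1;
}

/* Self-contained round trip on a fresh temporary file; returns 0 on success. */
int demo_utimes_roundtrip(void) {
    char tmpl[] = "/tmp/utimes-demo-XXXXXX";   /* constructed name template */
    int fd = mkstemp(tmpl), rc;
    if (fd < 0) return -1;
    close(fd);
    rc = set_and_check_times(tmpl, (time_t)1000000000, (time_t)1000000060);
    unlink(tmpl);
    return rc;
}

int main(void) {
    printf("utimes round trip: %s\n",
           demo_utimes_roundtrip() == 0 ? "ok" : "FAILED");
    return 0;
}
```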
From: jmknoble at p ox.com (Jim Knoble)
Date: Thu, 19 Jun 2003 21:22:57 -0400
Subject: Build error on HP-UX
In-Reply-To: <3EF24FC8.4318DF11@hp.com>
References: <3EF24FC8.4318DF11@hp.com>
Message-ID: <20030620012256.GJ1526@crawfish.ais.com>

Circa 2003-06-19 17:05:28 -0700 dixit Rick Jones:

: Ben Lindstrom wrote:
: > Interestingly enough, Linux and OpenBSD at least define it as *times
: > instead of times[2], but the code itself should be fine.
:
: I wonder what Posix/X/Open say about it, if anything.

POSIX doesn't have utimes(), only utime():

    int utime(const char *path, const struct utimbuf *timep);

where:

    struct utimbuf {
        time_t actime;
        time_t modtime;
    };

'time_t' has a precision of seconds, which is likely why it's been
obsoleted by utimes() under OpenBSD.

: > Maybe we need an additional check besides:
[...]
: Likely - if I try to compile my foo.c with a -lc89:
:
: $ cc foo.c -lc89
: /usr/ccs/bin/ld: Can't find library: "c89"

If you want HP's compiler to grok POSIX, you should call it as 'c89';
for example:

    c89 foo.c

Don't know what the default compiler mode is (i.e., when called as
merely 'cc') under HP-UX 11; under 10.20 it was equivalent to K&R C with
-D_HPUX_SOURCE. If you wanted ANSI C with X/Open or SVR4, you had to do:

    cc -Ae

or:

    cc -Aa -D_HPUX_SOURCE +e

which are equivalent.

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
"We have guided missiles and misguided men." --Martin Luther King, Jr.

From mouring at etoh.eviladmin.org Fri Jun 20 14:06:13 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 19 Jun 2003 23:06:13 -0500 (CDT)
Subject: Build error on HP-UX
In-Reply-To: <20030620012256.GJ1526@crawfish.ais.com>
Message-ID:

On Thu, 19 Jun 2003, Jim Knoble wrote:

> Circa 2003-06-19 17:05:28 -0700 dixit Rick Jones:
>
> : Ben Lindstrom wrote:
> : > Interestingly enough, Linux and OpenBSD at least define it as *times
> : > instead of times[2], but the code itself should be fine.
> :
> : I wonder what Posix/X/Open say about it, if anything.
>
> POSIX doesn't have utimes(), only utime():
>

No, but the SUS has it (not sure if v2 or v3, I didn't look at the version),
and it agrees with the HP/UX manpage. However, this is moot given that it
is a configure bug.

- Ben

From kura at charybda.icm.edu.pl Fri Jun 20 23:06:50 2003
From: kura at charybda.icm.edu.pl (Jakub Jurkiewicz)
Date: Fri, 20 Jun 2003 15:06:50 +0200 (CEST)
Subject: Problems with conversation functions PAM + OpenSSH
In-Reply-To:
Message-ID:

Hello

Sorry for bothering you with this problem, but I can't find a solution.
I'm writing a small PAM module, and I've got a problem with the
conversation function with OpenSSH 3.5p1. When the message style is
PAM_PROMPT_ECHO_ON or PAM_PROMPT_ECHO_OFF everything is all right. But when
I use PAM_TEXT_INFO or PAM_ERROR_MSG, ssh prints nothing on the client side.
Does anyone know the reason for this, and how I can print messages to the
user?

Kuba

----------------------------------------------------------
Jakub Jurkiewicz
kura at icm.edu.pl
kura at charybda.icm.edu.pl
jj176473 at zodiac.mimuw.edu.pl
----------------------------------------------------------
From folk wisdom: "you don't know until you try",
or, put another way: "we know only as much about ourselves as has been put to the test".

From rrr55 at daimlerchrysler.com Sat Jun 21 00:09:48 2003
From: rrr55 at daimlerchrysler.com (rrr55 at daimlerchrysler.com)
Date: Fri, 20 Jun 2003 10:09:48 -0400
Subject: patch20 fails
Message-ID:

Can anyone explain why this fails? This was applied to source from
openssh.org.

Thanks,
Ryan

===========================
bash-2.05a$ /opt/freeware/bin/patch -p1 < ../openssh-3.6.1p2-passexpire20.patch
patching file TODO
Reversed (or previously applied) patch detected!  Assume -R? [n] y
patching file acconfig.h
Reversed (or previously applied) patch detected!  Assume -R? [n] y
patching file auth-pam.c
Reversed (or previously applied) patch detected!  Assume -R? [n] y
patching file auth-passwd.c
Reversed (or previously applied) patch detected!  Assume -R? [n] y
patching file auth.c
Reversed (or previously applied) patch detected!  Assume -R? [n] y
patching file auth.h
Reversed (or previously applied) patch detected!  Assume -R? [n] y
patching file config.h.in
Reversed (or previously applied) patch detected!  Assume -R? [n] y
patching file configure
Reversed (or previously applied) patch detected!  Assume -R? [n] y
patching file configure.ac
Reversed (or previously applied) patch detected!  Assume -R? [n] y
patching file openbsd-compat/port-aix.c
Reversed (or previously applied) patch detected!  Assume -R? [n] y
patching file openbsd-compat/port-aix.h
Reversed (or previously applied) patch detected!  Assume -R? [n] y
patching file session.c
Reversed (or previously applied) patch detected!  Assume -R? [n] y
Hunk #5 FAILED at 748.
1 out of 6 hunks FAILED -- saving rejects to file session.c.rej
patching file session.h
Reversed (or previously applied) patch detected!  Assume -R? [n] y
patching file sshd.c
Reversed (or previously applied) patch detected!  Assume -R? [n] y
patching file version.h
Hunk #1 FAILED at 1.
1 out of 1 hunk FAILED -- saving rejects to file version.h.rej

From dtucker at zip.com.au Sat Jun 21 00:31:14 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 21 Jun 2003 00:31:14 +1000
Subject: [PATCH] Regression test portabilization.
Message-ID: <3EF31AB2.5DF9D014@zip.com.au>

Hi All.
	Attached is a patch (against OpenSSH Portable -current) to portablize
the regression tests. It will also apply to OpenBSD's (with a couple of
rejects). They are based on work by Roumen Petrov and myself, with
contributions from Corinna Vinschen and David M Williams.

My goal is to have the tests work out of the box on as many of our
supported platforms as possible so running the tests can be a routine
part of an install.

This patch has been tested on Solaris 8, HP-UX 11.00, Redhat 8. Previous
versions have been tested by me or others on AIX (4.2.1, 4.3.3 5.1),
NetBSD, OpenBSD, Cygwin, earlier Solarises (2.6, 7) and Mac OS X.

If anyone wants to try this patch, you will need to apply it to an up to
date CVS tree or a recent snapshot (ie the last day or so):

    $ cd openssh
    $ patch -p0

grep >/dev/null
echo -n -> echon
Use $EXEEXT where /bin/ls is used as a data file.

top-level Makefile:
	Hooks to run from top-level make.

Makefile:
	HP-UX, AIX don't have /dev/stdin or /dev/stdout.
	General replacement for BSD make specific stuff.

agent-getpeereid.sh
	HP-UX doesn't have getpeereid(). Skip if HAVE_GETPEEREID is not defined.

agent-ptrace.sh:
	Doesn't work on some platforms. Skip those.

reconfigure.sh:
	sshd is not always in /usr/sbin.

rekey.sh:
	HP-UX does not have /dev/zero. The sparse file will take less disk
	space too.

sftp-cmds.sh:
	Solaris has unreadable files in /bin (eg /bin/lp).
	HP-UX, AIX don't have /dev/stdin or /dev/stdout.
	Some echo's don't understand "\n".

sftp.sh, ssh-com-sftp.sh, ssh-com.sh:
	HP-UX, AIX don't have /dev/stdin or /dev/stdout.

stderr-after-eof.sh:
	Find a usable checksum program...

test-exec.sh:
	Solaris' "id" does not understand -n.
	Echoing without newline is wonderfully inconsistent across platforms.
	Startup delay of 5 was not enough for some slower machines.
Use StrictModes no because some platforms by default have directory perms that sshd doesn't like (eg AIX's root dir is by default owned by bin.bin). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: Makefile.in =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/Makefile.in,v retrieving revision 1.238 diff -u -r1.238 Makefile.in --- Makefile.in 5 Jun 2003 08:53:43 -0000 1.238 +++ Makefile.in 20 Jun 2003 13:04:41 -0000 @@ -190,6 +190,7 @@ rm -f *.o *.a $(TARGETS) logintest config.cache config.log rm -f *.out core (cd openbsd-compat && $(MAKE) clean) + (cd $(srcdir)/regress && $(MAKE) $@) distclean: rm -f *.o *.a $(TARGETS) logintest config.cache config.log 
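Review bot: the new clean hook `(cd $(srcdir)/regress && $(MAKE) $@)` passes no OBJ, but the regress Makefile's clean target (next hunk) removes `$(OBJ)/$${F}`; from a top-level `make clean` OBJ is empty, so it runs `rm -f /t2.out` and friends and the real test outputs in the build directory survive. Capture the build directory before the cd, as the `tests` target does with BUILDDIR, and pass `OBJ="$${BUILDDIR}"` on that $(MAKE) line, or give OBJ a sane `?=` default in regress/Makefile.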
@@ -361,3 +362,30 @@ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 + +tests: $(TARGETS) + BUILDDIR=`pwd`; \ + TEST_SSH_SSH="$${BUILDDIR}/ssh"; \ + TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \ + TEST_SSH_SSHAGENT="$${BUILDDIR}/ssh-agent"; \ + TEST_SSH_SSHADD="$${BUILDDIR}/ssh-add"; \ + TEST_SSH_SSHKEYGEN="$${BUILDDIR}/ssh-keygen"; \ + TEST_SSH_SSHKEYSCAN="$${BUILDDIR}/ssh-keyscan"; \ + TEST_SSH_SFTP="$${BUILDDIR}/sftp"; \ + TEST_SSH_SFTPSERVER="$${BUILDDIR}/sftp-server"; \ + cd $(srcdir)/regress || exit $$?; \ + $(MAKE) \ + .OBJDIR="$${BUILDDIR}" \ + .CURDIR="`pwd`" \ + OBJ="$${BUILDDIR}" \ + PATH="$${BUILDDIR}:$${PATH}" \ + TEST_SSH_SSH="$${TEST_SSH_SSH}" \ + TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \ + TEST_SSH_SSHAGENT="$${TEST_SSH_SSHAGENT}" \ + TEST_SSH_SSHADD="$${TEST_SSH_SSHADD}" \ + TEST_SSH_SSHKEYGEN="$${TEST_SSH_SSHKEYGEN}" \ + TEST_SSH_SSHKEYSCAN="$${TEST_SSH_SSHKEYSCAN}" \ + TEST_SSH_SFTP="$${TEST_SSH_SFTP}" \ + TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \ + EXEEXT="$${EXEEXT}" \ + $@ Index: regress/Makefile =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/Makefile,v retrieving revision 1.5 diff -u -r1.5 Makefile --- regress/Makefile 18 Jun 2003 12:45:34 -0000 1.5 +++ regress/Makefile 20 Jun 2003 09:52:42 -0000 @@ -1,8 +1,11 @@ # $OpenBSD: Makefile,v 1.23 2003/06/12 15:43:32 markus Exp $ -REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 +REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec +tests: $(REGRESS_TARGETS) CLEANFILES+= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 +clean: + @for F in $(CLEANFILES); do rm -f $(OBJ)/$${F}; done LTESTS= connect \ proxy-connect \ @@ -30,7 +33,6 @@ reconfigure \ forwarding -USER!= id -un CLEANFILES+= authorized_keys_${USER} known_hosts pidfile \ ssh_config ssh_proxy sshd_config sshd_proxy \ rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \ 
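Review bot: in the `tests:` recipe, `EXEEXT="$${EXEEXT}"` passes a shell variable that, unlike the TEST_SSH_* values assigned just above it, nothing in the recipe sets, so the regress scripts see an empty EXEEXT unless the caller happened to export one, and the `/bin/ls${EXEEXT}` data files elsewhere in this patch lose their `.exe` suffix on Cygwin. If Makefile.in carries configure's EXEEXT as a make variable, pass `EXEEXT="$(EXEEXT)"` instead.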
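Review bot: removing `USER!= id -un` leaves `authorized_keys_${USER}` in CLEANFILES dependent on USER being present in the environment that invokes make; where it is not exported (some sh setups, cron or build-farm jobs) the entry silently degrades to `authorized_keys_` and the generated key file is never cleaned. Since the cover note says Solaris' id lacks -n, have the top-level `tests` recipe pass USER explicitly, derived the same portable way test-exec.sh now does, alongside OBJ and PATH.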
@@ -48,9 +50,9 @@ ssh-keygen -yf t2.out | diff - ${.CURDIR}/rsa_openssh.pub t3: - ssh-keygen -ef ${.CURDIR}/rsa_openssh.pub |\ - ssh-keygen -if /dev/stdin |\ - diff - ${.CURDIR}/rsa_openssh.pub + ssh-keygen -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/rsa_secsh.pub + ssh-keygen -if $(OBJ)/rsa_secsh.pub | diff - ${.CURDIR}/rsa_openssh.pub + rm -f ${.CURDIR}/rsa_secsh.pub t4: ssh-keygen -lf ${.CURDIR}/rsa_openssh.pub |\ @@ -73,10 +75,9 @@ ssh-keygen -lf t7.out > /dev/null ssh-keygen -Bf t7.out > /dev/null -.for t in ${LTESTS} -REGRESS_TARGETS+=t-${t} -t-${t}: - sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/${t}.sh -.endfor - -.include "bsd.regress.mk" +t-exec: ${LTESTS:=.sh} + @if [ "x$?" = "x" ]; then exit 0; fi; \ + for TEST in ""$?; do \ + echo "run test $${TEST}" ... 1>&2; \ + (sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ + done Index: regress/agent-getpeereid.sh =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/agent-getpeereid.sh,v retrieving revision 1.1 diff -u -r1.1 agent-getpeereid.sh --- regress/agent-getpeereid.sh 22 Jan 2003 06:53:17 -0000 1.1 +++ regress/agent-getpeereid.sh 20 Jun 2003 13:18:59 -0000 @@ -7,6 +7,12 @@ ASOCK=${OBJ}/agent SSH_AUTH_SOCK=/nonexistant +if grep "#undef.*HAVE_GETPEEREID" ${OBJ}/config.h >/dev/null 2>&1 +then + echo "skipped (not supported on this platform)" + exit 0 +fi + trace "start agent" eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null r=$? Index: regress/agent-ptrace.sh =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/agent-ptrace.sh,v retrieving revision 1.1 diff -u -r1.1 agent-ptrace.sh --- regress/agent-ptrace.sh 22 Jan 2003 06:53:17 -0000 1.1 +++ regress/agent-ptrace.sh 20 Jun 2003 12:30:07 -0000 
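Review bot: in the regress/Makefile t3 hunk, the converted key is written to `$(OBJ)/rsa_secsh.pub` but the cleanup line removes `${.CURDIR}/rsa_secsh.pub`; with .CURDIR pointing at the source directory and OBJ at the build directory (as the top-level `tests` recipe sets them) the temporary file is always left behind in OBJ, and `rm -f` on the never-created source path just succeeds. Use `rm -f $(OBJ)/rsa_secsh.pub`, or add rsa_secsh.pub to CLEANFILES so the new clean target handles it.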
@@ -3,6 +3,20 @@ tid="disallow agent ptrace attach" +if [ -x `which uname` ]; then + case `uname` in + Linux|HP-UX|SunOS) + echo "skipped (not supported)" + exit 0 + ;; + esac +fi + +if [ ! -x `which gdb` ]; then + echo "skipped (gdb not found)" + exit 0 +fi + trace "start agent" eval `${SSHAGENT} -s` > /dev/null r=$? @@ -16,7 +30,7 @@ if [ $? -ne 0 ]; then fail "gdb failed: exit code $?" fi - grep -q 'ptrace: Operation not permitted.' ${OBJ}/gdb.out + grep 'ptrace: Operation not permitted.' >/dev/null ${OBJ}/gdb.out r=$? rm -f ${OBJ}/gdb.out if [ $r -ne 0 ]; then Index: regress/agent-timeout.sh =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/agent-timeout.sh,v retrieving revision 1.1 diff -u -r1.1 agent-timeout.sh --- regress/agent-timeout.sh 22 Jan 2003 06:53:17 -0000 1.1 +++ regress/agent-timeout.sh 20 Jun 2003 08:53:23 -0000 @@ -26,7 +26,7 @@ trace "sleeping 2*${TIMEOUT} seconds" sleep ${TIMEOUT} sleep ${TIMEOUT} - ${SSHADD} -l 2> /dev/null | grep -q 'The agent has no identities.' + ${SSHADD} -l 2> /dev/null | grep 'The agent has no identities.' >/dev/null if [ $? -ne 0 ]; then fail "ssh-add -l still returns keys after timeout" fi Index: regress/agent.sh =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/agent.sh,v retrieving revision 1.1 diff -u -r1.1 agent.sh --- regress/agent.sh 1 May 2002 03:17:34 -0000 1.1 +++ regress/agent.sh 20 Jun 2003 08:54:16 -0000 
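Review bot: in the agent-ptrace.sh hunk, `[ ! -x \`which gdb\` ]` only works when `which` prints a bare path: with gdb absent, `which` prints nothing on most systems, the test collapses to the two-argument form `[ ! -x ]`, which is false, and the skip never fires; Solaris' `which` instead prints a "no gdb in ..." sentence to stdout and gives test too many arguments. Capture the result first, e.g. `GDB=\`which gdb 2>/dev/null\`; if [ -z "$GDB" ] || [ ! -x "$GDB" ]; then`, and treat the `which uname` guard the same way.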
@@ -19,7 +19,7 @@ fail "ssh-add -l did not fail with exit code 1" fi trace "overwrite authorized keys" - echo -n > $OBJ/authorized_keys_$USER + echon > $OBJ/authorized_keys_$USER for t in rsa rsa1; do # generate user key for agent rm -f $OBJ/$t-agent Index: regress/proto-version.sh =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/proto-version.sh,v retrieving revision 1.1 diff -u -r1.1 proto-version.sh --- regress/proto-version.sh 1 May 2002 03:17:34 -0000 1.1 +++ regress/proto-version.sh 20 Jun 2003 08:55:35 -0000 @@ -8,7 +8,7 @@ { version=$1 expect=$2 - banner=`echo -n | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy` + banner=`echon | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy` case ${banner} in SSH-1.99-*) proto=199 Index: regress/reconfigure.sh =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/reconfigure.sh,v retrieving revision 1.1 diff -u -r1.1 reconfigure.sh --- regress/reconfigure.sh 18 Jun 2003 12:18:57 -0000 1.1 +++ regress/reconfigure.sh 20 Jun 2003 08:57:17 -0000 @@ -4,7 +4,14 @@ tid="simple connect after reconfigure" # we need the full path to sshd for -HUP -SSHD=/usr/sbin/sshd +case $SSHD in +/*) + # full path is OK + ;; +*) + # otherwise make fully qualified + SSHD=$OBJ/$SSHD +esac start_sshd Index: regress/rekey.sh =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/rekey.sh,v retrieving revision 1.1 diff -u -r1.1 rekey.sh --- regress/rekey.sh 18 Jun 2003 12:18:57 -0000 1.1 +++ regress/rekey.sh 20 Jun 2003 11:36:58 -0000 
@@ -8,7 +8,7 @@ LOG=${OBJ}/log rm -f ${COPY} ${LOG} ${DATA} -dd if=/dev/zero of=${DATA} bs=1k count=512 > /dev/null 2>&1 +dd if=/bin/ls${EXEEXT} of=${DATA} bs=1k seek=511 count=1 > /dev/null 2>&1 for s in 16 1k 128k 256k; do trace "rekeylimit ${s}" Index: regress/sftp-badcmds.sh =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/sftp-badcmds.sh,v retrieving revision 1.1 diff -u -r1.1 sftp-badcmds.sh --- regress/sftp-badcmds.sh 18 Jun 2003 12:18:57 -0000 1.1 +++ regress/sftp-badcmds.sh 20 Jun 2003 11:27:51 -0000 @@ -3,8 +3,8 @@ tid="sftp invalid commands" -DATA=/bin/ls -DATA2=/bin/cat +DATA=/bin/ls${EXEEXT} +DATA2=/bin/cat${EXEEXT} NONEXIST=/NONEXIST.$$ COPY=${OBJ}/copy GLOBFILES=`(cd /bin;echo l*)` Index: regress/sftp-batch.sh =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/sftp-batch.sh,v retrieving revision 1.1 diff -u -r1.1 sftp-batch.sh --- regress/sftp-batch.sh 22 Jan 2003 06:53:17 -0000 1.1 +++ regress/sftp-batch.sh 20 Jun 2003 11:28:05 -0000 @@ -3,7 +3,7 @@ tid="sftp batchfile" -DATA=/bin/ls +DATA=/bin/ls${EXEEXT} COPY=${OBJ}/copy BATCH=${OBJ}/sftp-batch Index: regress/sftp-cmds.sh =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/sftp-cmds.sh,v retrieving revision 1.3 diff -u -r1.3 sftp-cmds.sh --- regress/sftp-cmds.sh 18 Jun 2003 12:41:41 -0000 1.3 +++ regress/sftp-cmds.sh 20 Jun 2003 11:33:53 -0000 @@ -7,9 +7,15 @@ tid="sftp commands" -DATA=/bin/ls +DATA=/bin/ls${EXEEXT} COPY=${OBJ}/copy -GLOBFILES=`(cd /bin;echo l*)` +# test that these files are readable! +for i in `(cd /bin;echo l*)` +do + if [ -r $i ]; then + GLOBFILES="$GLOBFILES $i" + fi +done rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2 ${BATCH}.* mkdir ${COPY}.dd 
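Review bot: in the sftp-cmds.sh hunk, the readability loop tests `[ -r $i ]` in the test's current directory, not in /bin: the `cd /bin` happens inside the backquoted subshell and is gone by the time the loop body runs, so each name is checked as `./l*`, GLOBFILES ends up empty unless the suite happens to run from /bin, and the later `cmp /bin/$x ${COPY}.dd/$x` loops then verify nothing. Test `[ -r /bin/$i ]`.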
@@ -59,7 +65,7 @@ verbose "$tid: get to directory" echo "get $DATA ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ || fail "get failed" -cmp $DATA ${COPY}.dd/ls || fail "corrupted copy after get" +cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get" rm -f ${COPY}.dd/* verbose "$tid: glob get to directory" @@ -71,13 +77,13 @@ rm -f ${COPY}.dd/* verbose "$tid: get to local dir" -echo "lcd ${COPY}.dd\nget $DATA" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ +(echo "lcd ${COPY}.dd"; echo "get $DATA" ) | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ || fail "get failed" -cmp $DATA ${COPY}.dd/ls || fail "corrupted copy after get" +cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get" rm -f ${COPY}.dd/* verbose "$tid: glob get to local dir" -echo "lcd ${COPY}.dd\nget /bin/l*" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ +(echo "lcd ${COPY}.dd"; echo "get /bin/l*") | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ || fail "get failed" for x in $GLOBFILES; do cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after get" @@ -93,7 +99,7 @@ verbose "$tid: put to directory" echo "put $DATA ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ || fail "put failed" -cmp $DATA ${COPY}.dd/ls || fail "corrupted copy after put" +cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put" rm -f ${COPY}.dd/* verbose "$tid: glob put to directory" 
@@ -105,13 +111,13 @@ rm -f ${COPY}.dd/* verbose "$tid: put to local dir" -echo "cd ${COPY}.dd\nput $DATA" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ +(echo "cd ${COPY}.dd"; echo "put $DATA") | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ || fail "put failed" -cmp $DATA ${COPY}.dd/ls || fail "corrupted copy after put" +cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put" rm -f ${COPY}.dd/* verbose "$tid: glob put to local dir" -echo "cd ${COPY}.dd\nput /bin/l*" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ +(echo "cd ${COPY}.dd"; echo "put /bin/l*") | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ || fail "put failed" for x in $GLOBFILES; do cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after put" @@ -131,7 +137,7 @@ verbose "$tid: ln" echo "ln ${COPY}.1 ${COPY}.2" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 || fail "ln failed" -test -L ${COPY}.2 || fail "missing file after ln" +test -h ${COPY}.2 || fail "missing file after ln" verbose "$tid: mkdir" echo "mkdir ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ Index: regress/sftp.sh =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/sftp.sh,v retrieving revision 1.1 diff -u -r1.1 sftp.sh --- regress/sftp.sh 1 May 2002 03:17:35 -0000 1.1 +++ regress/sftp.sh 20 Jun 2003 11:34:57 -0000 
@@ -3,8 +3,15 @@ tid="basic sftp put/get" -DATA=/bin/ls +DATA=/bin/ls${EXEEXT} COPY=${OBJ}/copy +SFTPCMDFILE=${OBJ}/batch + +cat >$SFTPCMDFILE < /dev/null 2>&1 << EOF - version - get $DATA ${COPY}.1 - put $DATA ${COPY}.2 -EOF + rm -f ${COPY}.1 ${COPY}.2 + ${SFTP} -P ${SFTPSERVER} -B $B -R $R -b $SFTPCMDFILE \ + > /dev/null 2>&1 r=$? if [ $r -ne 0 ]; then fail "sftp failed with $r" + else + cmp $DATA ${COPY}.1 || fail "corrupted copy after get" + cmp $DATA ${COPY}.2 || fail "corrupted copy after put" fi - cmp $DATA ${COPY}.1 || fail "corrupted copy after get" - cmp $DATA ${COPY}.2 || fail "corrupted copy after put" done done +rm -f ${COPY}.1 ${COPY}.2 +rm -f $SFTPCMDFILE Index: regress/ssh-com-client.sh =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/ssh-com-client.sh,v retrieving revision 1.3 diff -u -r1.3 ssh-com-client.sh --- regress/ssh-com-client.sh 18 Jun 2003 12:36:48 -0000 1.3 +++ regress/ssh-com-client.sh 20 Jun 2003 11:35:13 -0000 @@ -64,7 +64,7 @@ # we need a real server (no ProxyConnect option) start_sshd -DATA=/bin/ls +DATA=/bin/ls${EXEEXT} COPY=${OBJ}/copy rm -f ${COPY} Index: regress/ssh-com-sftp.sh =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/ssh-com-sftp.sh,v retrieving revision 1.3 diff -u -r1.3 ssh-com-sftp.sh --- regress/ssh-com-sftp.sh 18 Jun 2003 12:36:49 -0000 1.3 +++ regress/ssh-com-sftp.sh 20 Jun 2003 11:35:27 -0000 
@@ -3,8 +3,15 @@ tid="basic sftp put/get with ssh.com server" -DATA=/bin/ls +DATA=/bin/ls${EXEEXT} COPY=${OBJ}/copy +SFTPCMDFILE=${OBJ}/batch + +cat >$SFTPCMDFILE < /dev/null 2>&1 << EOF - version - get $DATA ${COPY}.1 - put $DATA ${COPY}.2 -EOF + ${SFTP} -P ${server} -B $B -R $R -b $SFTPCMDFILE \ + > /dev/null 2>&1 r=$? if [ $r -ne 0 ]; then fail "sftp failed with $r" + else + cmp $DATA ${COPY}.1 || fail "corrupted copy after get" + cmp $DATA ${COPY}.2 || fail "corrupted copy after put" fi - cmp $DATA ${COPY}.1 || fail "corrupted copy after get" - cmp $DATA ${COPY}.2 || fail "corrupted copy after put" done done done +rm -f ${COPY}.1 ${COPY}.2 +rm -f $SFTPCMDFILE Index: regress/ssh-com.sh =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/ssh-com.sh,v retrieving revision 1.3 diff -u -r1.3 ssh-com.sh --- regress/ssh-com.sh 18 Jun 2003 12:36:49 -0000 1.3 +++ regress/ssh-com.sh 20 Jun 2003 09:09:00 -0000 @@ -67,7 +67,7 @@ # convert and append DSA hostkey ( - echo -n 'ssh2-localhost-with-alias,127.0.0.1,::1 ' + echon 'ssh2-localhost-with-alias,127.0.0.1,::1 ' ${SSHKEYGEN} -if ${SRC}/dsa_ssh2.pub ) >> $OBJ/known_hosts Index: regress/stderr-after-eof.sh =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/stderr-after-eof.sh,v retrieving revision 1.1 diff -u -r1.1 stderr-after-eof.sh --- regress/stderr-after-eof.sh 1 May 2002 03:17:35 -0000 1.1 +++ regress/stderr-after-eof.sh 20 Jun 2003 09:10:03 -0000 
@@ -7,13 +7,23 @@ DATA=${OBJ}/data COPY=${OBJ}/copy -MD5=md5sum +if [ -x "`which md5sum`" ]; then + CHECKSUM=md5sum +elif [ -x "`which openssl`" ]; then + CHECKSUM="openssl md5" +elif [ -x "`which cksum`" ]; then + CHECKSUM=cksum +elif [ -x "`which sum`" ]; then + CHECKSUM=sum +else + fatal "No checksum program available, aborting $tid test" +fi # setup data rm -f ${DATA} ${COPY} cp /dev/null ${DATA} for i in 1 2 3 4 5 6; do - (date;echo $i) | $MD5 >> ${DATA} + (date;echo $i) | $CHECKSUM >> ${DATA} done ${SSH} -2 -F $OBJ/ssh_proxy otherhost \ Index: regress/stderr-data.sh =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/stderr-data.sh,v retrieving revision 1.1 diff -u -r1.1 stderr-data.sh --- regress/stderr-data.sh 1 May 2002 03:17:35 -0000 1.1 +++ regress/stderr-data.sh 20 Jun 2003 11:35:41 -0000 @@ -3,7 +3,7 @@ tid="stderr data transfer" -DATA=/bin/ls +DATA=/bin/ls${EXEEXT} COPY=${OBJ}/copy rm -f ${COPY} Index: regress/test-exec.sh =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/test-exec.sh,v retrieving revision 1.1 diff -u -r1.1 test-exec.sh --- regress/test-exec.sh 1 May 2002 03:17:35 -0000 1.1 +++ regress/test-exec.sh 20 Jun 2003 09:49:53 -0000 @@ -3,9 +3,16 @@ PORT=4242 USER=`id -un` -SUDO= #SUDO=sudo +if [ -x /usr/ucb/whoami ]; then + USER=`/usr/ucb/whoami` +elif [ -x "`which whoami`" ]; then + USER=`whoami` +else + USER=`id -un` +fi + OBJ=$1 if [ "x$OBJ" = "x" ]; then echo '$OBJ not defined' @@ -72,6 +79,17 @@ #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER # helper +echon() +{ + if [ "x`echo -n`" = "x" ]; then + echo -n "$@" + elif [ "x`echo '\c'`" = "x" ]; then + echo "$@\c" + else + fatal "Don't know how to echo without newline." + fi +} + cleanup () { if [ -f $PIDFILE ]; then 
@@ -111,7 +129,7 @@ fatal () { - echo -n "FATAL: " + echon "FATAL: " fail "$@" cleanup exit $RESULT @@ -130,6 +148,7 @@ PidFile $PIDFILE AuthorizedKeysFile $OBJ/authorized_keys_%u LogLevel QUIET + StrictModes no EOF # server config for proxy connects @@ -169,7 +188,7 @@ # known hosts file for client ( - echo -n 'localhost-with-alias,127.0.0.1,::1 ' + echon 'localhost-with-alias,127.0.0.1,::1 ' cat $OBJ/$t.pub ) >> $OBJ/known_hosts @@ -203,7 +222,7 @@ trace "wait for sshd" i=0; - while [ ! -f $PIDFILE -a $i -lt 5 ]; do + while [ ! -f $PIDFILE -a $i -lt 10 ]; do i=`expr $i + 1` sleep $i done Index: regress/transfer.sh =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/regress/transfer.sh,v retrieving revision 1.1 diff -u -r1.1 transfer.sh --- regress/transfer.sh 1 May 2002 03:17:35 -0000 1.1 +++ regress/transfer.sh 20 Jun 2003 11:36:01 -0000 @@ -3,7 +3,7 @@ tid="transfer data" -DATA=/bin/ls +DATA=/bin/ls${EXEEXT} COPY=${OBJ}/copy for p in 1 2; do --- /dev/null 2002-08-31 09:31:37.000000000 +1000 +++ regress/README.regress 2003-06-20 22:55:06.000000000 +1000 
@@ -0,0 +1,86 @@ +Overview. + +$ ./configure && make tests + +You'll see some progress info. A failure will cause either the make to +abort or the driver script to report a "FATAL" failure. + +The test consists of 2 parts. The first is the file-based tests which is +driven by the Makefile, and the second is a set of network or proxycommand +based tests, which are driven by a driver script (test-exec.sh) which is +called multiple times by the Makefile. + +Failures in the first part will cause the Makefile to return an error. +Failures in the second part will print a "FATAL" message for the failed +test and continue. + +OpenBSD has a system-wide regression test suite. OpenSSH's test suite uses +the OpenBSD test scripts unmodified, however the Makefile is different +because OpenBSD's uses BSD-specific makefile extensions. + + +Environment variables. + +SUDO: path to sudo command, if desired. Note that some systems (eg AIX, + Solaris with PAM) require sudo to execute some tests. +TEST_SSH_TRACE: set yo "yes" for verbose output from tests +TEST_SSH_QUIET: set to "yes" to suppress non-fatal output. +TEST_SSH_x: path to "ssh" command under test, where x=SSH,SSHD,SSHAGENT,SSHADD + SSHKEYGEN,SSHKEYSCAN,SFTP,SFTPSERVER +OBJ: used by test scripts to access build dir. + + +Individual tests. + +You can invoke test-exec.sh directly if you set up the path to find the +binaries under test and the test scripts themselves, for example: + +$ cd regress +$ PATH=`pwd`/..:$PATH:. sh test-exec.sh `pwd` agent-timeout.sh +ok agent timeout test + + +Files. + +test-exec.sh: the main test driver. Sets environment, creates config files +and keys and runs the specified test. 
+ +At the time of writing, the individual tests are: +agent-timeout.sh: agent timeout test +agent.sh: simple agent test +broken-pipe.sh: broken pipe test +connect-privsep.sh: proxy connect with privsep +connect.sh: simple connect +exit-status.sh: remote exit status +forwarding.sh: local and remote forwarding +keygen-change.sh: change passphrase for key +keyscan.sh: keyscan +proto-mismatch.sh: protocol version mismatch +proto-version.sh: sshd version with different protocol combinations +proxy-connect.sh: proxy connect +sftp.sh: basic sftp put/get +ssh-com-client.sh: connect with ssh.com client +ssh-com-keygen.sh: ssh.com key import +ssh-com-sftp.sh: basic sftp put/get with ssh.com server +ssh-com.sh: connect to ssh.com server +stderr-after-eof.sh: stderr data after eof +stderr-data.sh: stderr data transfer +transfer.sh: transfer data +try-ciphers.sh: try ciphers +yes-head.sh: yes pipe head + + +Problems? + +Run the failing test with shell tracing (-x) turned on: +$ PATH=`pwd`/..:$PATH:. sh -x test-exec.sh `pwd` agent-timeout.sh + +Failed tests can be difficult to diagnose. Suggestions: +- run the individual test via ./test-exec.sh `pwd` [testname] +- set LogLevel to VERBOSE in test-exec.sh and enable syslogging of + auth.debug (eg to /var/log/authlog). + + +Known Issues. + + From dtucker at zip.com.au Sat Jun 21 00:34:47 2003 
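Review bot: in the sftp-cmds.sh hunk that builds GLOBFILES, `if [ -r $i ]` tests `$i` relative to the current directory, not /bin, because the `cd /bin` runs inside the backtick subshell and is gone by the time the loop body executes; the filter therefore keeps or drops names based on whatever happens to sit in $OBJ or the regress directory. Use `if [ -r /bin/$i ]`, matching the `cmp /bin/$x` the glob tests perform later in the same file.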
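Review bot: in the sftp.sh hunk, the heredoc that fills $SFTPCMDFILE is not visible as shown (the `cat >$SFTPCMDFILE <` line runs straight into the removed `> /dev/null 2>&1 << EOF`), so the batch file's contents cannot be checked against the three commands the old inline heredoc carried (version, get, put); please confirm they are the same. Moving the two `cmp` checks into the `else` branch is correct, since a failed sftp run would otherwise also report a spurious "corrupted copy".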
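Review bot: the ssh-com-sftp.sh hunk lacks the `rm -f ${COPY}.1 ${COPY}.2` before each sftp invocation that the otherwise identical sftp.sh hunk adds at the top of its loop body; without it, an iteration whose get or put silently writes nothing is compared against the previous iteration's copy and passes. Add the same `rm -f` line before the `${SFTP} -P ${server} ...` call.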
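Review bot: in the reconfigure.sh hunk, the `*)` branch rewrites a relative $SSHD to `$OBJ/$SSHD`, which assumes the binary lives in the object directory; with the invocation the new README gives (`PATH=`pwd`/..:$PATH:. sh test-exec.sh `pwd``, binaries one level above OBJ) a bare `sshd` becomes `regress/sshd`. Either document that TEST_SSH_SSHD must be an absolute path for this test, or resolve the name through PATH before prefixing $OBJ.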
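Review bot: the rekey.sh hunk replaces 512 KiB of /dev/zero with `seek=511 count=1` read from /bin/ls${EXEEXT}, giving a file that is still 512 KiB but is sparse zeros except for its final 1 KiB, and says nothing about why the data source changed; add a comment stating the reason so the next reader does not "simplify" it back. It also assumes /bin/ls is at least 1 KiB long, which is worth stating in the same comment.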
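Review bot: in the test-exec.sh hunk at `@@ -3,9 +3,16 @@`, the unchanged `USER=`id -un`` just above the new if/elif/else block is now dead, because every branch reassigns USER (the final `else` repeats `id -un`); drop the first assignment. Removing the `SUDO=` line so that $SUDO comes from the environment is consistent with the README's "SUDO: path to sudo command" entry.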
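Review bot: the `StrictModes no` added to the test sshd_config in test-exec.sh turns off sshd's ownership and permission checks on the user's home directory and authorized_keys file. That is acceptable here because the harness points `AuthorizedKeysFile` at `$OBJ/authorized_keys_%u` in a build directory whose mode it does not control, but put that reason in a comment next to the line so it is not copied from the test config into a real sshd_config, where those checks are what stop a group- or world-writable authorized_keys from granting access.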
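Review bot: raising the bound in `while [ ! -f $PIDFILE -a $i -lt 10 ]` from 5 to 10 raises the worst-case wait from 15 s to 55 s, because the body does `sleep $i` with a growing i rather than a fixed sleep; if roughly ten seconds was the intent, keep 5 iterations or switch to `sleep 1`. If the longer wait is deliberate for slow hosts, a one-line comment would spare the next reader the arithmetic.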
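Review bot: in the README.regress hunk, `TEST_SSH_TRACE: set yo "yes"` should read `set to "yes"`; the "At the time of writing" list of tests omits reconfigure.sh, rekey.sh, sftp-badcmds.sh, sftp-batch.sh and sftp-cmds.sh, all of which this same patch edits; and "Known Issues." is an empty heading that either needs an entry or should be left out until there is one.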
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 21 Jun 2003 00:34:47 +1000
Subject: patch20 fails
Message-ID: <3EF31B87.B32C19B0@zip.com.au>

rrr55 at daimlerchrysler.com wrote:
> Can anyone explain why this fails? This was applied to source from
> openssh.org.

Which openssh tarball did you use and was it freshly unpacked? What version of patch are you using?

[snip]
> patching file version.h
> Hunk #1 FAILED at 1.
> 1 out of 1 hunk FAILED -- saving rejects to file version.h.rej

This makes me think the tarball you are using does not match the patch.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From djm at mindrot.org Sat Jun 21 00:47:21 2003
From: djm at mindrot.org (Damien Miller)
Date: Sat, 21 Jun 2003 00:47:21 +1000
Subject: Problems with conversation functions PAM + OpenSSH
Message-ID: <3EF31E79.4000107@mindrot.org>

Jakub Jurkiewicz wrote:
> Hello
> sorry, for bothering you with this problem, but I can't find solutions.
> I write small PAM module, and I've got the problem with conversation
> function with OpenSSH 3.5p1.
> When the message style is PAM_PROMPT_ECHO_ON, or PAM_PROMPT_ECHO_OFF
> everything is all right. But when I use PAM_TEXT_INFO, or PAM_ERROR_MSG,
> ssh prints nothing on the client side. Does anyone know the reason of
> this, and how can I print messages to the user.

Please try CVS -current. The PAM support has changed substantially.

Otherwise, make sure you are using the PAM kbdint authentication method.

-d

From gve at intra2net.com Sat Jun 21 08:36:28 2003
From: gve at intra2net.com (Gerd v. Egidy)
Date: Sat, 21 Jun 2003 00:36:28 +0200
Subject: [PATCH] accepting changed hostkeys
Message-ID: <200306210036.28210.gve@intra2net.com>

Hi,

I often change the machines (and thus the hostkeys) that are on an IP (a service environment with an IP assigned for the machine to test). So every time I want to connect to a new machine I have to delete the previous key from the known_hosts file.

Since I got tired of running a remove script manually, I made this small patch which adds the possibility to replace the real key with the string "AcceptAllKeys" (case sensitive) in the known_hosts file.

e.g.: replace
    test,172.16.1.123 ssh-rsa AAAAB3Nz...
with
    test,172.16.1.123 AcceptAllKeys
and it won't bug you anymore.

Any comments? I'm not 100% sure about the "if (key == NULL) continue;" part in my patch since I haven't dug through all the sources and checked where this lookup is used and how.

Would this patch be acceptable for the current development branch?

Kind regards,

Gerd

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-3.6.1p1-acceptallkeys.patch
Type: text/x-diff
Size: 1334 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030621/2258b0b1/attachment.bin

From fcusack at fcusack.com Sat Jun 21 09:51:32 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Fri, 20 Jun 2003 16:51:32 -0700
Subject: Problems with conversation functions PAM + OpenSSH
In-Reply-To: <3EF31E79.4000107@mindrot.org>; from djm@mindrot.org on Sat, Jun 21, 2003 at 12:47:21AM +1000
References: <3EF31E79.4000107@mindrot.org>
Message-ID: <20030620165132.B28636@google.com>

On Sat, Jun 21, 2003 at 12:47:21AM +1000, Damien Miller wrote:
> Jakub Jurkiewicz wrote:
> > Hello
> > sorry, for bothering you with this problem, but I can't find solutions.
> > I write small PAM module, and I've got the problem with conversation
> > function with OpenSSH 3.5p1.
> > When the message style is PAM_PROMPT_ECHO_ON, or PAM_PROMPT_ECHO_OFF
> > everything is all right. But when I use PAM_TEXT_INFO, or PAM_ERROR_MSG,
> > ssh prints nothing on the client side. Does anyone know the reason of
> > this, and how can I print messages to the user.
>
> Please try CVS -current. The PAM support has changed substantially.

PAM_TEXT_INFO and PAM_ERROR_MSG are even more broken in -current than they are in 3.5/3.6.

Jakub: it's a bug in openssh.

Damien, openssh team: see my previous email where I sketched out what PAM should do (IMHO) and what openssh actually does.

/fc

From djm at mindrot.org Sat Jun 21 10:30:51 2003
From: djm at mindrot.org (Damien Miller)
Date: Sat, 21 Jun 2003 10:30:51 +1000
Subject: [PATCH] accepting changed hostkeys
In-Reply-To: <200306210036.28210.gve@intra2net.com>
References: <200306210036.28210.gve@intra2net.com>
Message-ID: <3EF3A73B.7070303@mindrot.org>

Gerd v. Egidy wrote:
> Hi,
>
> I often change the machines (and thus the hostkeys) that are on an IP (a
> service environment with an IP assigned for the machine to test).
> So every time I want to connect to a new machine I have to delete the previous
> key from the known_hosts file.
>
> Since I got tired of running a remove script manually, I made this small patch
> which adds the possibility to replace the real key with the string
> "AcceptAllKeys" (case sensitive) in the known_hosts file.
>
> e.g.:
> replace
> test,172.16.1.123 ssh-rsa AAAAB3Nz...
> with
> test,172.16.1.123 AcceptAllKeys
> and it won't bug you anymore.
>
> Any comments? I'm not 100% sure about the if (key == NULL) continue; part in
> my patch since I haven't dug through all the sources and checked where
> this lookup is used and how.
>
> Would this patch be acceptable for the current development branch?

No.

If you want to do this, put the following in your ~/.ssh/config file:

Host wackyhost
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no

-d

From dtucker at zip.com.au Sat Jun 21 12:21:08 2003
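A narrower alternative to the ~/.ssh/config block above, as an added example that is not part of the thread or of OpenSSH: drop only the stale entry for the host being re-imaged and keep every other host's key, so the man-in-the-middle check that `StrictHostKeyChecking no` switches off stays in force for everything else. The `knownhosts_forget` and `write_sample_known_hosts` functions, the placeholder key blobs and the sample hosts are all constructed here, and the script assumes an unhashed known_hosts file.

```shell
#!/bin/sh
# Added example, not code from the thread: forget the recorded key for ONE
# host or address in a known_hosts file, instead of disabling host key
# checking with StrictHostKeyChecking no / UserKnownHostsFile /dev/null.
# Every other host keeps its key and therefore keeps its MITM protection.
#
# Assumptions (not from the thread):
#  - the file is unhashed (HashKnownHosts no); hashed "|1|..." lines cannot
#    be matched by name and are left untouched
#  - "[host]:port" entries and wildcard patterns are compared literally
#
# Usage: knownhosts_forget <known_hosts file> <host-or-ip>
# Prints the number of lines removed; returns non-zero on I/O failure.
knownhosts_forget() {
    kh=$1
    target=$2
    tmp="$kh.tmp.$$"
    : > "$tmp" || return 1
    removed=$(awk -v target="$target" -v out="$tmp" '
        # comments and blank lines pass through unchanged
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print > out; next }
        {
            # field 1 is a comma-separated host list; on "@cert-authority"
            # and "@revoked" marker lines the host list is field 2 instead
            hosts = ($1 ~ /^@/) ? $2 : $1
            n = split(hosts, h, ",")
            keep = 1
            for (i = 1; i <= n; i++) {
                if (h[i] == target) { keep = 0 }
            }
            if (keep) {
                print > out
            } else {
                removed++
            }
        }
        END { print removed + 0 }' "$kh") || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$kh" || return 1
    echo "$removed"
}

# Writes a small CONSTRUCTED known_hosts file for demonstration; the key
# blobs are placeholders, not real public keys.
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
test,172.16.1.123 ssh-rsa AAAAB3NzPLACEHOLDERKEY1=
otherhost,172.16.1.200 ssh-rsa AAAAB3NzPLACEHOLDERKEY2=
# a comment line survives untouched
@cert-authority *.lab.example ssh-rsa AAAAB3NzPLACEHOLDERCA=
EOF
}

# Demo: the re-imaged lab box at 172.16.1.123 gets a new host key, so only
# its old entry is dropped; the other entries stay exactly as they were.
demo_dir=$(mktemp -d) && {
    write_sample_known_hosts "$demo_dir/known_hosts"
    n=$(knownhosts_forget "$demo_dir/known_hosts" 172.16.1.123)
    echo "removed $n entry(ies); remaining known_hosts:"
    cat "$demo_dir/known_hosts"
    rm -rf "$demo_dir"
}
```

Current OpenSSH does the same removal from the command line with `ssh-keygen -R hostname`, which also handles hashed entries; the script shows what that removal has to match and leave alone.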
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 21 Jun 2003 12:21:08 +1000
Subject: patch20 fails
Message-ID: <3EF3C114.4A8E1258@zip.com.au>

rrr55 at daimlerchrysler.com wrote:
> I am using GNU patch. I used the source from openssh.org from apr 29th. I
> realized that I was using a version that I had patched. I started again
> w/fresh source and the patch was successful, but now compilation fails
> w/auth.c. Prior versions had no problems patching/compiling.
> ==========================
>
> In file included from auth.c:41:
[snip]
> auth.c:630: too few arguments to function `loginfailed'
> auth.c: In function `auth_debug_add':

You're using AIX 5.2, right? As of 5.2, loginfailed() takes a 4th argument. For a discussion and quick fix, see
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=105223097117841

That 4th argument seems to be optional. At some point I added the #include that defined loginfailed, which is why it now breaks. I guess I should have configure test for and define AIX_LOGINFAILED_4ARGS, and add an ugly #ifdef...

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Sat Jun 21 14:02:46 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 21 Jun 2003 14:02:46 +1000
Subject: [PATCH] Use $SUDO for reconfigure.sh regression test.
Message-ID: <3EF3D8E6.DB3BF860@zip.com.au>

Hi.
I just noticed that the new reconfigure regression test does not work properly (the test passes but it doesn't actually test anything) when SUDO=sudo is used, because the kill -HUP is run as a normal user. This is fixed in the attached patch.

-Daz.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

-------------- next part --------------
Index: reconfigure.sh =================================================================== RCS file: /cvs/src/regress/usr.bin/ssh/reconfigure.sh,v retrieving revision 1.1 diff -u -r1.1 reconfigure.sh --- reconfigure.sh 12 Jun 2003 15:43:32 -0000 1.1 +++ reconfigure.sh 21 Jun 2003 03:58:13 -0000 @@ -8,7 +8,7 @@ start_sshd -kill -HUP `cat $PIDFILE` +$SUDO kill -HUP `cat $PIDFILE` sleep 1 trace "wait for sshd to restart"

From gve at intra2net.com Sat Jun 21 19:56:11 2003
From: gve at intra2net.com (Gerd v. Egidy)
Date: Sat, 21 Jun 2003 11:56:11 +0200
Subject: [PATCH] accepting changed hostkeys
In-Reply-To: <3EF3A73B.7070303@mindrot.org>
References: <200306210036.28210.gve@intra2net.com> <3EF3A73B.7070303@mindrot.org>
Message-ID: <200306211156.11823.gve@intra2net.com>

Hi Damien,

> If you want to do this, put the following in your ~/.ssh/config file:
>
> Host wackyhost
>     UserKnownHostsFile /dev/null
>     StrictHostKeyChecking no

Yes indeed, this is a much cleaner way... I've tried tweaking it with the ssh_config but didn't see the trick with /dev/null...

Thanks.

Kind Regards,

Gerd

From fcusack at fcusack.com Sat Jun 21 20:58:12 2003
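Review bot: `$SUDO kill -HUP `cat $PIDFILE`` is the right fix for the silent pass: an unprivileged kill of a root-owned sshd fails, and the test then only re-checks the daemon that never restarted. The same reasoning applies anywhere else the harness signals sshd; the cleanup() function in test-exec.sh (visible in the earlier patch) also acts on $PIDFILE, so check that its kill carries $SUDO as well. With SUDO unset the line expands to the old command, so non-sudo runs are unaffected.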
From: fcusack at fcusack.com (Frank Cusack)
Date: Sat, 21 Jun 2003 03:58:12 -0700
Subject: Problems with conversation functions PAM + OpenSSH
In-Reply-To: <20030620165132.B28636@google.com>; from fcusack@fcusack.com on Fri, Jun 20, 2003 at 04:51:32PM -0700
References: <3EF31E79.4000107@mindrot.org> <20030620165132.B28636@google.com>
Message-ID: <20030621035812.B29020@google.com>

On Fri, Jun 20, 2003 at 04:51:32PM -0700, Frank Cusack wrote:
> On Sat, Jun 21, 2003 at 12:47:21AM +1000, Damien Miller wrote:
> > Jakub Jurkiewicz wrote:
> > > Hello
> > > sorry, for bothering you with this problem, but I can't find solutions.
> > > I write small PAM module, and I've got the problem with conversation
> > > function with OpenSSH 3.5p1.
> > > When the message style is PAM_PROMPT_ECHO_ON, or PAM_PROMPT_ECHO_OFF
> > > everything is all right. But when I use PAM_TEXT_INFO, or PAM_ERROR_MSG,
> > > ssh prints nothing on the client side. Does anyone know the reason of
> > > this, and how can I print messages to the user.

I *think* you'll find that if your module issues a prompt as well as displays a message, the user will get the message. You could just have the message, then a prompt "Press return to continue", although that can be damn annoying. And I think there is an ordering problem in openssh as well.

Anyway, try it out and see what you get.

/fc

From kura at charybda.icm.edu.pl Sat Jun 21 21:04:08 2003
From: kura at charybda.icm.edu.pl (Jakub Jurkiewicz)
Date: Sat, 21 Jun 2003 13:04:08 +0200 (CEST)
Subject: Problems with conversation functions PAM + OpenSSH
In-Reply-To: <20030621035812.B29020@google.com>

On Sat, 21 Jun 2003, Frank Cusack wrote:
> On Fri, Jun 20, 2003 at 04:51:32PM -0700, Frank Cusack wrote:
> > On Sat, Jun 21, 2003 at 12:47:21AM +1000, Damien Miller wrote:
> > > Jakub Jurkiewicz wrote:
> > > > Hello
> > > > sorry, for bothering you with this problem, but I can't find solutions.
> > > > I write small PAM module, and I've got the problem with conversation
> > > > function with OpenSSH 3.5p1.
> > > > When the message style is PAM_PROMPT_ECHO_ON, or PAM_PROMPT_ECHO_OFF
> > > > everything is all right. But when I use PAM_TEXT_INFO, or PAM_ERROR_MSG,
> > > > ssh prints nothing on the client side. Does anyone know the reason of
> > > > this, and how can I print messages to the user.
>
> I *think* you'll find that if your module issues a prompt as well as
> displays a message, the user will get the message. You could just
> have the message, then a prompt "Press return to continue", although
> that can be damn annoying. And I think there is an ordering problem
> in openssh as well.
>
> Anyway, try it out and see what you get.
>
> /fc

Thank you very much, I think I'll do it that way. These messages could be annoying.

Kuba

----------------------------------------------------------
Jakub Jurkiewicz
kura at icm.edu.pl
kura at charybda.icm.edu.pl
jj176473 at zodiac.mimuw.edu.pl
----------------------------------------------------------
from folk wisdom: "you don't know until you try", or put differently: "we know only as much of ourselves as we have been tested"

From Greg.Dunkel at mail.cuny.edu Sun Jun 22 05:07:43 2003
From: Greg.Dunkel at mail.cuny.edu (Greg.Dunkel at mail.cuny.edu)
Date: Sat, 21 Jun 2003 15:07:43 -0400
Subject: patch20 fails

I was able to apply patch 20 to a 3.6.2 tarball on Solaris successfully; the result compiled and is running on 4 or 5 machines. What is better, OpenSSH now actually puts up a new-password prompt when your password has expired, as long as the pam.conf file has a session entry for other or sshd. I couldn't get the new-password prompt with patch 19 or with patch 20 applied to 3.5.2.

I got the same patched code to compile on AIX but haven't got a chance to test it yet.

I and my colleagues think this is a nice step forward and would like to say thanks.

/greg dunkel

From mid9 at yy-net.co.jp Sun Jun 22 16:54:41 2003
From: mid9 at yy-net.co.jp (=?ISO-2022-JP?B?GyRCJF4kOCRhJEo9UDJxJCQbKEI=?=)
Date: Sun, 22 Jun 2003 15:54:41 +0900
Subject: =?iso-2022-jp?b?GyRCTCQ+NUJ6OS05cCIoISFBR0UoJEo9UDJxJCQbKEI=?=
Message-ID: <20030622.1554390380.babaq@mid9-yy-net.co.jp>

From doctor at doctor.nl2k.ab.ca Mon Jun 23 00:06:57 2003
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Sun, 22 Jun 2003 08:06:57 -0600
Subject: Problem with Configure
Message-ID: <20030622080657.A20149@doctor.nl2k.ab.ca>

I try to set up openssh-3.6.1p2 on a box and get:

Script started on Sun Jun 22 07:55:36 2003
gallifrey.nk.ca//usr/source/openssh-3.6.1p2$ cat /usr/contrib/bin/configssh
./configure --prefix=/usr/contrib --localstatedir=/var --infodir=/usr/share/info\
 --mandir=/usr/share/man --with-low-memory --with-elf --with-ncurses\
 --with-ssl=/usr/source/openssl-engine-0.9.7g\
 --with-ssl-dir=/usr/source/openssl-engine-0.9.7g\
 --with-openssl=/usr/source/openssl-engine-0.9.7g --with-bsd-auth
gallifrey.nk.ca//usr/source/openssh-3.6.1p2$ ^cat^ /usr/contrib/bin/configssh
checking for gcc... gcc checking for C compiler default output... a.out checking whether the C compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ANSI C... none needed checking build system type... i386-pc-bsdi5.0 checking host system type... i386-pc-bsdi5.0 checking whether byte ordering is bigendian... no checking how to run the C preprocessor... gcc -E checking for ranlib... ranlib checking for a BSD-compatible install... /usr/bin/install -c checking for ar... /usr/bin/ar checking for perl5... /usr/bin/perl5 checking for sed... /usr/bin/sed checking for ent... no checking for bash... /bin/bash checking for ksh... (cached) /bin/bash checking for sh... (cached) /bin/bash checking for sh... /bin/sh checking for special C compiler options needed for large files... no checking for _FILE_OFFSET_BITS value needed for large files... no checking for _LARGE_FILES value needed for large files... no checking for login... /usr/bin/login checking for inline... inline checking for egrep... grep -E checking for ANSI C header files...
checking for daemon... yes
checking for getpagesize... yes
checking whether snprintf correctly terminates long strings... yes
checking whether getpgrp requires zero arguments... yes
checking OpenSSL header version... 9060af (OpenSSL 0.9.6j [engine] 10 Apr 2003)
checking OpenSSL library version... 90605f (OpenSSL 0.9.6e 30 Jul 2002)
checking whether OpenSSL's headers match the library... no
configure: error: Your OpenSSL headers do not match your library
gallifrey.nk.ca//usr/source/openssh-3.6.1p2$ exit
exit

Script done on Sun Jun 22 07:57:23 2003

Why are 2 openssls showing up when I am supposed to be exclusively using openssl-engine-0.9.6g?
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 23 Jun 2003 00:19:55 +1000
Subject: Problem with Configure
References: <20030622080657.A20149@doctor.nl2k.ab.ca>
Message-ID: <3EF5BB0B.4ECDEF0@zip.com.au>

The Doctor wrote:
> I try to set up openssh-3.6.1p2 on a box and get:

What OS and version?

> checking OpenSSL header version... 9060af (OpenSSL 0.9.6j [engine] 10 Apr 2003)
> checking OpenSSL library version... 90605f (OpenSSL 0.9.6e 30 Jul 2002)
> checking whether OpenSSL's headers match the library... no
> configure: error: Your OpenSSL headers do not match your library
[snip]
> Why are 2 openssls showing up when I am supposed to be exclusively
> using openssl-engine-0.9.6g?

You have headers from an earlier version of OpenSSL someplace on your
system. There's a tool called findssl.sh at [1] which can help you
identify them. I'd start looking in /usr/include.

[1] http://www.zip.com.au/~dtucker/openssh/

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Sun, 22 Jun 2003 09:15:16 -0600
Subject: Problem with Configure
In-Reply-To: <3EF5BB0B.4ECDEF0@zip.com.au>; from dtucker@zip.com.au on Mon, Jun 23, 2003 at 12:19:55AM +1000
References: <20030622080657.A20149@doctor.nl2k.ab.ca> <3EF5BB0B.4ECDEF0@zip.com.au>
Message-ID: <20030622091516.A26866@doctor.nl2k.ab.ca>

On Mon, Jun 23, 2003 at 12:19:55AM +1000, Darren Tucker wrote:
> The Doctor wrote:
> > I try to set up openssh-3.6.1p2 on a box and get:
>
> What OS and version?
>
> > checking OpenSSL header version... 9060af (OpenSSL 0.9.6j [engine] 10 Apr 2003)
> > checking OpenSSL library version... 90605f (OpenSSL 0.9.6e 30 Jul 2002)
> > checking whether OpenSSL's headers match the library... no
> > configure: error: Your OpenSSL headers do not match your library
> [snip]
> > Why are 2 openssls showing up when I am supposed to be exclusively
> > using openssl-engine-0.9.6g?
>
> You have headers from an earlier version of OpenSSL someplace on your
> system. There's a tool called findssl.sh at [1] which can help you
> identify them. I'd start looking in /usr/include.
>
> [1] http://www.zip.com.au/~dtucker/openssh/
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

Thanks mate. Good page!! From a POM ..

--
Member - Liberal International
On 11 Sept 2001 the WORLD was violated.
This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
Society MUST be saved! Extremists must dissolve.
Arsenal Winners of the FA Cup 2003!
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 23 Jun 2003 19:19:59 +1000
Subject: Can only ssh as root
Message-ID: <3EF6C63F.62407261@zip.com.au>

"Patrick B. O'Brien" wrote:
> I have an AIX 4.3.3.10 Box running Openssh 3.4. I am using Putty to
> get to this Ssh server. All is good when I Ssh in using root. But when
> I try another user profile I get the below:
>
> Jun 16 17:22:21 walker sshd[8812]: fatal: login_get_lastlog: Cannot find account for uid 95
>
> In addition, I am kicked out of this session right now.
[and later]
> # ls -lrt pa*
> -rw------- 1 root security 613 Jun 03 16:24 passwd

For the benefit of the list archive, this was due to /etc/passwd not
being world-readable, and was fixed by "chmod 644 /etc/passwd".

-Daz.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 24 Jun 2003 13:57:45 +1000
Subject: Problem with Configure
References: <20030622080657.A20149@doctor.nl2k.ab.ca>
Message-ID: <3EF7CC39.F23D5C5F@zip.com.au>

The Doctor wrote:
[snip]
> checking OpenSSL header version... 9060af (OpenSSL 0.9.6j [engine] 10 Apr 2003)
> checking OpenSSL library version... 90605f (OpenSSL 0.9.6e 30 Jul 2002)
> checking whether OpenSSL's headers match the library... no
> configure: error: Your OpenSSL headers do not match your library

To head off future bug reports, how about including findssl.sh in
contrib/ and having configure refer to it? Like so:

checking whether OpenSSL's headers match the library... no
configure: error: Your OpenSSL headers do not match your library.
Check config.log for details.
Also see contrib/findssl.sh for help identifying header/library mismatches.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

-------------- next part --------------
Index: configure.ac =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v retrieving revision 1.126 diff -u -r1.126 configure.ac --- configure.ac 4 Jun 2003 23:53:31 -0000 1.126 +++ configure.ac 24 Jun 2003 03:38:14 -0000 @@ -957,7 +957,9 @@ ], [ AC_MSG_RESULT(no) - AC_MSG_ERROR(Your OpenSSL headers do not match your library) + AC_MSG_ERROR([Your OpenSSL headers do not match your library. +Check config.log for details. +Also see contrib/findssl.sh for help identifying header/library mismatches.]) ] ) --- /dev/null 2002-08-31 09:31:37.000000000 +1000 +++ contrib/findssl.sh 2003-06-24 13:24:50.000000000 +1000
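Review bot: the enlarged AC_MSG_ERROR in the configure.ac hunk still leaves out the two identifiers configure has just printed (the "checking OpenSSL header version" and "checking OpenSSL library version" results in the quoted output), so a bug report that pastes only the error line loses the one detail that decides the case; consider interpolating them into the message, along the lines of `AC_MSG_ERROR([Your OpenSSL headers ($header_ver) do not match your library ($library_ver).`, where the two variable names are placeholders for whatever the preceding checks store those results in. Pointing the user at config.log is good, but the version identifiers are what a reader of the report needs first, and they are cheap to repeat.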
@@ -0,0 +1,159 @@ +#!/bin/sh +# +# findssl.sh +# Search for all instances of OpenSSL headers and libraries +# and print their versions. +# Intended to help diagnose OpenSSH's "OpenSSL headers do not +# match your library" errors. +# +# Written by Darren Tucker (dtucker at zip dot com dot au) +# This file is placed in the public domain. +# +# $Id$ +# 2002-07-27: Initial release. +# 2002-08-04: Added public domain notice. +# 2003-06-24: Incorporated readme, set library paths. First cvs version. +# +# "OpenSSL headers do not match your library" are usually caused by +# OpenSSH's configure picking up an older version of OpenSSL headers +# or libraries. You can use the following # procedure to help identify +# the cause. +# +# The output of configure will tell you the versions of the OpenSSL +# headers and libraries that were picked up, for example: +# +# checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002) +# checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001) +# checking whether OpenSSL's headers match the library... no +# configure: error: Your OpenSSL headers do not match your library +# +# Now run findssl.sh. This should identify the headers and libraries +# present and their versions. You should be able to identify the +# libraries and headers used and adjust your CFLAGS or remove incorrect +# versions. The output will show OpenSSL's internal version identifier +# and should look something like: + +# $ ./findssl.sh +# Searching for OpenSSL header files. +# 0x0090604fL /usr/include/openssl/opensslv.h +# 0x0090604fL /usr/local/ssl/include/openssl/opensslv.h +# +# Searching for OpenSSL shared library files. 
+# 0x0090602fL /lib/libcrypto.so.0.9.6b +# 0x0090602fL /lib/libcrypto.so.2 +# 0x0090581fL /usr/lib/libcrypto.so.0 +# 0x0090602fL /usr/lib/libcrypto.so +# 0x0090581fL /usr/lib/libcrypto.so.0.9.5a +# 0x0090600fL /usr/lib/libcrypto.so.0.9.6 +# 0x0090600fL /usr/lib/libcrypto.so.1 +# +# Searching for OpenSSL static library files. +# 0x0090602fL /usr/lib/libcrypto.a +# 0x0090604fL /usr/local/ssl/lib/libcrypto.a +# +# In this example, I gave configure no extra flags, so it's picking up +# the OpenSSL header from /usr/include/openssl (90604f) and the library +# from /usr/lib/ (90602f). + +# +# Adjust these to suit your compiler. +# You may also need to set the *LIB*PATH environment variables if +# DEFAULT_LIBPATH is not correct for your system. +# +CC=gcc +STATIC=-static + +# +# Set up conftest C source +# +rm -f findssl.log +cat >conftest.c < +int main(){printf("0x%08xL\n", SSLeay());} +EOD + +# +# Set default library paths if not already set +# +DEFAULT_LIBPATH=/usr/lib:/usr/local/lib +LIBPATH=${LIBPATH:=$DEFAULT_LIBPATH} +LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH} +LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH} +export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH + +# +# Search for OpenSSL headers and print versions +# +echo Searching for OpenSSL header files. +if [ -x "`which locate`" ] +then + headers=`locate opensslv.h` +else + headers=`find / -name opensslv.h -print 2>/dev/null` +fi + +for header in $headers +do + ver=`awk '/OPENSSL_VERSION_NUMBER/{printf \$3}' $header` + echo "$ver $header" +done +echo + +# +# Search for shared libraries. +# Relies on shared libraries looking like "libcrypto.s*" +# +echo Searching for OpenSSL shared library files. 
+if [ -x "`which locate`" ] +then + libraries=`locate libcrypto.s` +else + libraries=`find / -name 'libcrypto.s*' -print 2>/dev/null` +fi + +for lib in $libraries +do + (echo "Trying libcrypto $lib" >>findssl.log + dir=`dirname $lib` + LIBPATH="$dir:$LIBPATH" + LD_LIBRARY_PATH="$dir:$LIBPATH" + LIBRARY_PATH="$dir:$LIBPATH" + export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH + ${CC} -o conftest conftest.c $lib 2>>findssl.log + if [ -x ./conftest ] + then + ver=`./conftest 2>/dev/null` + rm -f ./conftest + echo "$ver $lib" + fi) +done +echo + +# +# Search for static OpenSSL libraries and print versions +# +echo Searching for OpenSSL static library files. +if [ -x "`which locate`" ] +then + libraries=`locate libcrypto.a` +else + libraries=`find / -name libcrypto.a -print 2>/dev/null` +fi + +for lib in $libraries +do + libdir=`dirname $lib` + echo "Trying libcrypto $lib" >>findssl.log + ${CC} ${STATIC} -o conftest conftest.c -L${libdir} -lcrypto 2>>findssl.log + if [ -x ./conftest ] + then + ver=`./conftest 2>/dev/null` + rm -f ./conftest + echo "$ver $lib" + fi +done + +# +# Clean up +# +rm -f conftest.c

From: oldsleepi at yahoo.de (oldsleepi)
Date: Tue, 24 Jun 2003 12:51:56 +0200
Subject: Patch for Socks5 support for dynamic portforwaring?
Message-ID: <001b01c33a3e$a45eb780$0206a8c0@pentium4>

Hi,

has anybody seen a patch that provides socks version 5 support for the
dynamic portforwarding feature? I've seen that's implemented in
ssh.com's ssh version, but found nothing about openssh. Only thing I
found was a patch to provide socks4a.

cu sleepi
From: djm at mindrot.org (Damien Miller)
Date: Tue, 24 Jun 2003 20:03:47 +1000
Subject: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To: <001b01c33a3e$a45eb780$0206a8c0@pentium4>
References: <001b01c33a3e$a45eb780$0206a8c0@pentium4>
Message-ID: <3EF82203.1020608@mindrot.org>

oldsleepi wrote:
> Hi,
>
> has anybody seen a patch that provides socks version 5 support for the dynamic portforwarding feature?
> I've seen that's implemented in ssh.com's ssh version, but
> found nothing about openssh.
> Only thing I found was a patch to provide socks4a.

check the mailing list archives.

-d

From: markus at openbsd.org (Markus Friedl)
Date: Tue, 24 Jun 2003 12:50:40 +0200
Subject: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To: <001b01c33a3e$a45eb780$0206a8c0@pentium4>
References: <001b01c33a3e$a45eb780$0206a8c0@pentium4>
Message-ID: <20030624105039.GA25895@folly>

> has anybody seen a patch that provides socks version 5 support for the dynamic portforwarding feature?

why? we removed that feature:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.108&r2=1.109

From: larsch at trustcenter.de (Nils Larsch)
Date: Tue, 24 Jun 2003 14:11:34 +0200
Subject: recent sc_get_key_label changes in the CVS
Message-ID: <3EF83FF6.2080303@trustcenter.de>

Hi,

the current CVS version (head) of OpenSSH doesn't build with OpenSC
because the sc_get_key_label function is currently not defined in
scard-opensc.c => please apply the scard-opensc.c part of patch #330
(see: http://bugzilla.mindrot.org/attachment.cgi?id=330&action=view ).

Regards,
Nils
From: dan at doxpara.com (Dan Kaminsky)
Date: Tue, 24 Jun 2003 10:28:40 -0700
Subject: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To: <20030624105039.GA25895@folly>
References: <001b01c33a3e$a45eb780$0206a8c0@pentium4> <20030624105039.GA25895@folly>
Message-ID: <3EF88A48.5080609@doxpara.com>

Markus Friedl wrote:
>> has anybody seen a patch that provides socks version 5 support for the dynamic portforwarding feature?
>
> why? we removed that feature:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.108&r2=1.109
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

Why? This is really, really needed to support OSX, not to mention the
very troublesome security breach from DNS traffic going over the
unencrypted LAN. I can't possibly imagine a single reason not to support
SOCKS5. HTTP, sure -- but why not SOCKS5?

The fact that people _still_ keep bugging me about this has to mean
something :-)

--Dan
From: alex at peuchert.de (Alex Peuchert)
Date: Tue, 24 Jun 2003 19:59:16 +0200
Subject: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To: <20030624105039.GA25895@folly>

Hi,
just to enlighten my ignorance ;-)

Why was Socks5 support removed from openssh?

I also could see some useful applications for SOCKS5 over SSH ...

- alex

-----Original Message-----
From: openssh-unix-dev-bounces+openssh=peuchert.de at mindrot.org
[mailto:openssh-unix-dev-bounces+openssh=peuchert.de at mindrot.org] On Behalf Of Markus Friedl
Sent: Tuesday, 24 June 2003 12:51
To: oldsleepi
Cc: openssh-unix-dev at mindrot.org
Subject: Re: Patch for Socks5 support for dynamic portforwaring?

> has anybody seen a patch that provides socks version 5 support for the dynamic portforwarding feature?

why? we removed that feature:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.108&r2=1.109
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 24 Jun 2003 15:14:22 -0500 (CDT)
Subject: Patch for Socks5 support for dynamic portforwaring?

There is a break point for features vs bloat. At the time we removed
socks5 and http support because they were considered bloat. No other
real reason.

I'd like to know the socks4 vs socks5 numbers for the userbase. If people
are using socks5 more, then maybe socks4 should vanish to rebalance the
code growth.

- Ben

On Tue, 24 Jun 2003, Alex Peuchert wrote:

> Hi,
> just to enlighten my ignorance ;-)
>
> Why was Socks5 support removed from openssh?
>
> I also could see some useful applications for SOCKS5 over SSH ...
>
> - alex
>
> -----Original Message-----
> From: openssh-unix-dev-bounces+openssh=peuchert.de at mindrot.org
> [mailto:openssh-unix-dev-bounces+openssh=peuchert.de at mindrot.org] On Behalf Of Markus Friedl
> Sent: Tuesday, 24 June 2003 12:51
> To: oldsleepi
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: Patch for Socks5 support for dynamic portforwaring?
>
> > has anybody seen a patch that provides socks version 5 support for the
> > dynamic portforwarding feature?
>
> why? we removed that feature:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.108&r2=1.109
From: dan at doxpara.com (Dan Kaminsky)
Date: Tue, 24 Jun 2003 13:47:32 -0700
Subject: Patch for Socks5 support for dynamic portforwaring?
Message-ID: <3EF8B8E4.8080704@doxpara.com>

Alex Peuchert wrote:
> Hi,
> just to enlighten my ignorance ;-)
>
> Why was Socks5 support removed from openssh?
>
> I also could see some useful applications for SOCKS5 over SSH ...

This is a slightly different use of SOCKS than most people know about;
using it to drive SSH port forwarding. So you don't run a VPN server or
anything of the sort; you just SSH in and watch all your TCP sockets get
routed through SSH. It's really nice.

With SOCKS4, only the TCP sockets are wrapped; the DNS necessary to set
packet IPs isn't. So with SOCKS4, we leak. SOCKS5 wouldn't.

I understand HTTP parsing is a bit complicated, but I can't see why we
should be intentionally not supporting a more secure protocol.

--Dan
From: dan at doxpara.com (Dan Kaminsky)
Date: Tue, 24 Jun 2003 16:05:48 -0700
Subject: Patch for Socks5 support for dynamic portforwaring?
Message-ID: <3EF8D94C.7080605@doxpara.com>

> There is a break point for features vs bloat. At the time we removed
> socks5 and http support because they were considered bloat. No other
> real reason.
>
> I'd like to know the socks4 vs socks5 numbers for the userbase. If people
> are using socks5 more, then maybe socks4 should vanish to rebalance the
> code growth.

Code bloat? Socks4 support was written in approximately twenty lines of
code, and significantly improved SSH's ability to tunnel protocols.
Instead of needing custom handlers for web traffic, file transfer, Yahoo
IM, AOL, and everything else that dared to connect to more than one
IP/port combination, we had one extremely simple wrapper. Socks5 is only
slightly more complicated than Socks4, and repairs the problematic DNS
leakage. And it's just a slightly different protocol tree.

Don't think in terms of protocol users; nobody uses protocols. They use
tools. And there's no shortage of users for the tools DF enables.

I'm all for removing code bloat, but these are _such_ simple hacks
relative to the functionality they generate, that I think it's
inappropriate to talk about. HTTP would be useful, simply because there's
lots of apps that can only proxy over HTTP, but I can see where one might
wish to avoid that level of string parsing. But socks4 is a seven byte
header and socks5 ain't much larger; we can do that.

I keep getting harassed about this (OSX users are rather insistent
*smiles*).

--Dan
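The DNS point in Dan's two messages above comes down to what the CONNECT request carries: plain SOCKS4 carries a 4-byte IPv4 address, so the application has to resolve the name before it ever talks to the local ssh listener, whereas SOCKS5 (and the SOCKS4a extension mentioned earlier in the thread) can carry the hostname and leave resolution to the far end of the tunnel. Here is an added Python example of my own, not OpenSSH's channels.c code, that parses each CONNECT form and reports which side does the resolving; it handles only the CONNECT request itself (SOCKS5 method negotiation is assumed already done), and the request bytes are constructed.

```python
"""Parse SOCKS4, SOCKS4a and SOCKS5 CONNECT requests and report which
side resolves the destination name: the client (the request carries an
address, so any DNS lookup already happened outside the tunnel) or the
proxy end (the request carries the hostname). Added example for this
thread; not OpenSSH's channels.c code. Only the CONNECT request is
handled; SOCKS5 method negotiation, which precedes it, is assumed done.
Layouts follow RFC 1928 (SOCKS5) and the SOCKS4/SOCKS4a protocol notes."""

import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectRequest:
    version: int        # 4 or 5
    host: str           # literal address or hostname
    port: int
    resolved_by: str    # "client" for a literal address, "proxy" for a name


def parse_socks_connect(buf: bytes) -> ConnectRequest:
    """Dispatch on the version byte that starts every SOCKS request."""
    if not buf:
        raise ValueError("empty request")
    if buf[0] == 4:
        return _parse_socks4(buf)
    if buf[0] == 5:
        return _parse_socks5(buf)
    raise ValueError(f"unsupported SOCKS version {buf[0]}")


def _parse_socks4(buf: bytes) -> ConnectRequest:
    # VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID NUL  [HOSTNAME NUL  for 4a]
    if len(buf) < 9:
        raise ValueError("short SOCKS4 request")
    _vn, cd, port = struct.unpack("!BBH", buf[:4])
    if cd != 1:
        raise ValueError(f"SOCKS4 command {cd} is not CONNECT")
    dstip = buf[4:8]
    userid_end = buf.index(b"\x00", 8)            # ValueError if unterminated
    if dstip[:3] == b"\x00\x00\x00" and dstip[3] != 0:
        # SOCKS4a: an address of 0.0.0.x signals "name follows, resolve it"
        name_end = buf.index(b"\x00", userid_end + 1)
        host = buf[userid_end + 1:name_end].decode("ascii")
        return ConnectRequest(4, host, port, "proxy")
    # Plain SOCKS4: the application had to resolve the name itself first
    return ConnectRequest(4, str(ipaddress.IPv4Address(dstip)), port, "client")


def _parse_socks5(buf: bytes) -> ConnectRequest:
    # VER(1) CMD(1) RSV(1) ATYP(1) DST.ADDR(variable) DST.PORT(2)
    if len(buf) < 4:
        raise ValueError("short SOCKS5 request")
    _ver, cmd, _rsv, atyp = buf[:4]
    if cmd != 1:
        raise ValueError(f"SOCKS5 command {cmd} is not CONNECT")
    if atyp == 1:                                  # IPv4 literal
        host, who = str(ipaddress.IPv4Address(buf[4:8])), "client"
        port = buf[8:10]
    elif atyp == 3:                                # length-prefixed domain name
        n = buf[4]
        host, who = buf[5:5 + n].decode("ascii"), "proxy"
        port = buf[5 + n:7 + n]
    elif atyp == 4:                                # IPv6 literal
        host, who = str(ipaddress.IPv6Address(buf[4:20])), "client"
        port = buf[20:22]
    else:
        raise ValueError(f"unknown SOCKS5 address type {atyp}")
    if len(port) != 2:
        raise ValueError("truncated SOCKS5 request")
    return ConnectRequest(5, host, struct.unpack("!H", port)[0], who)


def name_resolved_in_tunnel(buf: bytes) -> bool:
    """True when the request hands a hostname to the far end, so no DNS
    query for it has to leave the client in the clear."""
    return parse_socks_connect(buf).resolved_by == "proxy"


# Constructed requests for the same destination (port 443 = 0x01bb).
SOCKS4_IPV4 = b"\x04\x01\x01\xbb" + bytes([192, 0, 2, 10]) + b"user\x00"
SOCKS4A_NAME = b"\x04\x01\x01\xbb\x00\x00\x00\x01user\x00example.net\x00"
SOCKS5_NAME = (b"\x05\x01\x00\x03" + bytes([len(b"example.net")])
               + b"example.net" + b"\x01\xbb")
SOCKS5_IPV4 = b"\x05\x01\x00\x01" + bytes([192, 0, 2, 10]) + b"\x01\xbb"

if __name__ == "__main__":
    for label, req in [("SOCKS4", SOCKS4_IPV4), ("SOCKS4a", SOCKS4A_NAME),
                       ("SOCKS5 name", SOCKS5_NAME), ("SOCKS5 IPv4", SOCKS5_IPV4)]:
        r = parse_socks_connect(req)
        print(f"{label:12} {r.host}:{r.port} resolved by {r.resolved_by}")
```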
From: alex at peuchert.de (Alex Peuchert)
Date: Wed, 25 Jun 2003 09:40:36 +0200
Subject: Patch for Socks5 support for dynamic portforwaring?

Hi,
thanks for your answer.

One suggestion: How about removing the complete Port Forwarding code from ssh
and introducing another subsystem (like sftp-server)?

It could work like this: the user command is 'ssocks' which opens an ssh
session to a server and starts the 'ssocks-server' subsystem.

I think this sounds quite simple...

- alex

-----Original Message-----
From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org]
Sent: Tuesday, 24 June 2003 22:14
To: Alex Peuchert
Cc: openssh-unix-dev at mindrot.org; markus at openbsd.org
Subject: Re: Patch for Socks5 support for dynamic portforwaring?

There is a break point for features vs bloat. At the time we removed
socks5 and http support because they were considered bloat. No other
real reason.

I'd like to know the socks4 vs socks5 numbers for the userbase. If people
are using socks5 more, then maybe socks4 should vanish to rebalance the
code growth.

- Ben

On Tue, 24 Jun 2003, Alex Peuchert wrote:

> Hi,
> just to enlighten my ignorance ;-)
>
> Why was Socks5 support removed from openssh?
>
> I also could see some useful applications for SOCKS5 over SSH ...
>
> - alex
>
> -----Original Message-----
> From: openssh-unix-dev-bounces+openssh=peuchert.de at mindrot.org
> [mailto:openssh-unix-dev-bounces+openssh=peuchert.de at mindrot.org] On Behalf Of Markus Friedl
> Sent: Tuesday, 24 June 2003 12:51
> To: oldsleepi
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: Patch for Socks5 support for dynamic portforwaring?
>
> > has anybody seen a patch that provides socks version 5 support for the
> > dynamic portforwarding feature?
>
> why? we removed that feature:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.108&r2=1.109

From: markus at openbsd.org (Markus Friedl)
Date: Wed, 25 Jun 2003 10:02:25 +0200
Subject: Patch for Socks5 support for dynamic portforwaring?
Message-ID: <20030625080225.GB11222@folly>

On Wed, Jun 25, 2003 at 09:40:36AM +0200, Alex Peuchert wrote:
> Hi,
> thanks for your answer.
>
> One suggestion: How about removing the complete Port Forwarding code from ssh
> and introducing another subsystem (like sftp-server)?
>
> It could work like this: the user command is 'ssocks' which opens an ssh
> session to a server and starts the 'ssocks-server' subsystem.
>
> I think this sounds quite simple...

...but does not work.
From: dan at doxpara.com (Dan Kaminsky)
Date: Wed, 25 Jun 2003 01:09:05 -0700
Subject: Patch for Socks5 support for dynamic portforwaring?
Message-ID: <3EF958A1.4030300@doxpara.com>

You can already do this; simply start a SOCKS5/HTTP/whatever server on
the remote host and local port forward. What makes dynamic forwarding
cool is sshd is _already_ a port forwarder; instead of requiring two port
forwarders on the remote server (one of which is almost certainly
insecure), a relatively small amount of code added to the ssh daemon
eliminates an entire server-side daemon.

Cool.

--Dan

> Hi,
> thanks for your answer.
>
> One suggestion: How about removing the complete Port Forwarding code from ssh
> and introducing another subsystem (like sftp-server)?
>
> It could work like this: the user command is 'ssocks' which opens an ssh
> session to a server and starts the 'ssocks-server' subsystem.
>
> I think this sounds quite simple...
>
> - alex
>
> -----Original Message-----
> From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org]
> Sent: Tuesday, 24 June 2003 22:14
> To: Alex Peuchert
> Cc: openssh-unix-dev at mindrot.org; markus at openbsd.org
> Subject: Re: Patch for Socks5 support for dynamic portforwaring?
>
> There is a break point for features vs bloat. At the time we removed
> socks5 and http support because they were considered bloat. No other
> real reason.
>
> I'd like to know the socks4 vs socks5 numbers for the userbase. If people
> are using socks5 more, then maybe socks4 should vanish to rebalance the
> code growth.
>
> - Ben
>
> On Tue, 24 Jun 2003, Alex Peuchert wrote:
>
>> Hi,
>> just to enlighten my ignorance ;-)
>>
>> Why was Socks5 support removed from openssh?
>>
>> I also could see some useful applications for SOCKS5 over SSH ...
>>
>> - alex
>>
>> -----Original Message-----
>> From: openssh-unix-dev-bounces+openssh=peuchert.de at mindrot.org
>> [mailto:openssh-unix-dev-bounces+openssh=peuchert.de at mindrot.org] On Behalf Of Markus Friedl
>> Sent: Tuesday, 24 June 2003 12:51
>> To: oldsleepi
>> Cc: openssh-unix-dev at mindrot.org
>> Subject: Re: Patch for Socks5 support for dynamic portforwaring?
>>
>>> has anybody seen a patch that provides socks version 5 support for the
>>> dynamic portforwarding feature?
>>
>> why? we removed that feature:
>>
>> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.108&r2=1.109
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 25 Jun 2003 10:15:37 +0200
Subject: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To: <20030625080225.GB11222@folly>
References: <20030625080225.GB11222@folly>
Message-ID: <20030625081537.GA29314@folly>

On Wed, Jun 25, 2003 at 10:02:25AM +0200, Markus Friedl wrote:
> On Wed, Jun 25, 2003 at 09:40:36AM +0200, Alex Peuchert wrote:
> > Hi,
> > thanks for your answer.
> >
> > One suggestion: How about removing the complete Port Forwarding code from ssh
> > and introducing another subsystem (like sftp-server)?
> >
> > It could work like this: the user command is 'ssocks' which opens an ssh
> > session to a server and starts the 'ssocks-server' subsystem.
> >
> > I think this sounds quite simple...
>
> ...but does not work.

well, it would work if you don't care about
the ssh protocol or interoperability.

From: alex at peuchert.de (Alex Peuchert)
Date: Wed, 25 Jun 2003 10:17:10 +0200
Subject: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To: <20030625080225.GB11222@folly>

Why?

-----Original Message-----
From: Markus Friedl [mailto:markus at openbsd.org]
Sent: Wednesday, 25 June 2003 10:02
To: Alex Peuchert
Cc: openssh-unix-dev at mindrot.org; Ben Lindstrom
Subject: Re: Re: Patch for Socks5 support for dynamic portforwaring?

On Wed, Jun 25, 2003 at 09:40:36AM +0200, Alex Peuchert wrote:
> Hi,
> thanks for your answer.
>
> One suggestion: How about removing the complete Port Forwarding code from ssh
> and introducing another subsystem (like sftp-server)?
>
> It could work like this: the user command is 'ssocks' which opens an ssh
> session to a server and starts the 'ssocks-server' subsystem.
>
> I think this sounds quite simple...

...but does not work.
From: alex at peuchert.de (Alex Peuchert)
Date: Wed, 25 Jun 2003 10:19:24 +0200
Subject: AW: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To: <3EF958A1.4030300@doxpara.com>

Well, if ssocks would be a part of the openssh distribution then you don't
have to install any software on the remote side.

- alex

-----Original Message-----
From: Dan Kaminsky [mailto:dan at doxpara.com]
Sent: Wednesday, 25 June 2003 10:09
To: Alex Peuchert
Cc: openssh-unix-dev at mindrot.org; Ben Lindstrom
Subject: Re: Patch for Socks5 support for dynamic portforwaring?

You can already do this; simply start a SOCKS5/HTTP/whatever server on
the remote host and local port forward. What makes dynamic forwarding
cool is sshd is _already_ a port forwarder; instead of requiring two port
forwarders on the remote server (one of which is almost certainly
insecure), a relatively small amount of code added to the ssh daemon
eliminates an entire server-side daemon.

Cool.

--Dan

> Hi,
> thanks for your answer.
>
> One suggestion: How about removing the complete Port Forwarding code from ssh
> and introducing another subsystem (like sftp-server)?
>
> It could work like this: the user command is 'ssocks' which opens an ssh
> session to a server and starts the 'ssocks-server' subsystem.
>
> I think this sounds quite simple...
>
> - alex
>
> -----Original Message-----
> From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org]
> Sent: Tuesday, 24 June 2003 22:14
> To: Alex Peuchert
> Cc: openssh-unix-dev at mindrot.org; markus at openbsd.org
> Subject: Re: Patch for Socks5 support for dynamic portforwaring?
>
> There is a break point for features vs bloat. At the time we removed
> socks5 and http support because they were considered bloat. No other
> real reason.
>
> I'd like to know the socks4 vs socks5 numbers for the userbase. If people
> are using socks5 more, then maybe socks4 should vanish to rebalance the
> code growth.
>
> - Ben
>
> On Tue, 24 Jun 2003, Alex Peuchert wrote:
>
>> Hi,
>> just to enlighten my ignorance ;-)
>>
>> Why was Socks5 support removed from openssh?
>>
>> I also could see some useful applications for SOCKS5 over SSH ...
>>
>> - alex
>>
>> -----Original Message-----
>> From: openssh-unix-dev-bounces+openssh=peuchert.de at mindrot.org
>> [mailto:openssh-unix-dev-bounces+openssh=peuchert.de at mindrot.org] On Behalf Of Markus Friedl
>> Sent: Tuesday, 24 June 2003 12:51
>> To: oldsleepi
>> Cc: openssh-unix-dev at mindrot.org
>> Subject: Re: Patch for Socks5 support for dynamic portforwaring?
>>
>>> has anybody seen a patch that provides socks version 5 support for the
>>> dynamic portforwarding feature?
>>
>> why? we removed that feature:
>>
>> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/channels.c.diff?r1=1.108&r2=1.109
From: alex at peuchert.de (Alex Peuchert)
Date: Wed, 25 Jun 2003 10:22:29 +0200
Subject: AW: Re: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To: <20030625081537.GA29314@folly>
Message-ID:

> -----Original Message-----
> From: Markus Friedl [mailto:markus at openbsd.org]
> Sent: Wednesday, 25 June 2003 10:16
> To: Alex Peuchert
> Cc: Ben Lindstrom; openssh-unix-dev at mindrot.org
> Subject: Re: Re: Patch for Socks5 support for dynamic portforwaring?
>
> On Wed, Jun 25, 2003 at 10:02:25AM +0200, Markus Friedl wrote:
> > On Wed, Jun 25, 2003 at 09:40:36AM +0200, Alex Peuchert wrote:
> > > Hi,
> > > thanks for your answer.
> > >
> > > One suggestion: How about removing the complete Port Forwarding code from ssh
> > > and introducing another subsystem (like sftp-server)?
> > >
> > > It could work like this: the user command is 'ssocks' which opens an ssh
> > > session to a server and starts the 'ssocks-server' subsystem.
> > >
> > > I think this sounds quite simple...
> >
> > ...but does not work.
>
> well, it would work if you don't care about
> the ssh protocol or interoperability.

within sftp you also don't care about the ssh protocol, do you? ;-)

From dan at doxpara.com Wed Jun 25 18:27:58 2003
From: dan at doxpara.com (Dan Kaminsky)
Date: Wed, 25 Jun 2003 01:27:58 -0700
Subject: AW: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To:
References:
Message-ID: <3EF95D0E.6070802@doxpara.com>

>Well, if ssocks were part of the openssh distribution, then you wouldn't
>have to install any software on the remote side.
>

Right now there's _zero_ code for any of this in the server. It's completely unnecessary -- the protocol and the server code are flexible enough to support all sorts of interesting applications with but minuscule modifications on the client side.

Why create unnecessary complexity? A slight patch to the client -- that's already been written -- is all I'm arguing for.

--Dan

From markus at openbsd.org Wed Jun 25 18:29:34 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 25 Jun 2003 10:29:34 +0200
Subject: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To: <3EF958A1.4030300@doxpara.com>
References: <3EF958A1.4030300@doxpara.com>
Message-ID: <20030625082934.GD14751@folly>

On Wed, Jun 25, 2003 at 01:09:05AM -0700, Dan Kaminsky wrote:
> Cool.

we know that your idea is cool.

From markus at openbsd.org Wed Jun 25 18:43:16 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 25 Jun 2003 10:43:16 +0200
Subject: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To:
References: <20030625081537.GA29314@folly>
Message-ID: <20030625084316.GA30922@folly>

On Wed, Jun 25, 2003 at 10:22:29AM +0200, Alex Peuchert wrote:
> > -----Original Message-----
> > From: Markus Friedl [mailto:markus at openbsd.org]
> > Sent: Wednesday, 25 June 2003 10:16
> > To: Alex Peuchert
> > Cc: Ben Lindstrom; openssh-unix-dev at mindrot.org
> > Subject: Re: Re: Patch for Socks5 support for dynamic portforwaring?
> >
> > On Wed, Jun 25, 2003 at 10:02:25AM +0200, Markus Friedl wrote:
> > > On Wed, Jun 25, 2003 at 09:40:36AM +0200, Alex Peuchert wrote:
> > > > Hi,
> > > > thanks for your answer.
> > > >
> > > > One suggestion: How about removing the complete Port Forwarding code from ssh
> > > > and introducing another subsystem (like sftp-server)?
> > > >
> > > > It could work like this: the user command is 'ssocks' which opens an ssh
> > > > session to a server and starts the 'ssocks-server' subsystem.
> > > >
> > > > I think this sounds quite simple...
> > >
> > > ...but does not work.
> >
> > well, it would work if you don't care about
> > the ssh protocol or interoperability.
>
> within sftp you also don't care about the ssh protocol, do you? ;-)

sftp has nothing to do with ssh, but port-forwarding has.

From alex at peuchert.de Wed Jun 25 19:05:53 2003
From: alex at peuchert.de (Alex Peuchert)
Date: Wed, 25 Jun 2003 11:05:53 +0200
Subject: AW: Re: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To: <20030625084316.GA30922@folly>
Message-ID:

> -----Original Message-----
> From: Markus Friedl [mailto:markus at openbsd.org]
> Sent: Wednesday, 25 June 2003 10:43
> To: Alex Peuchert
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: Re: Patch for Socks5 support for dynamic portforwaring?
>
> On Wed, Jun 25, 2003 at 10:22:29AM +0200, Alex Peuchert wrote:
> > > -----Original Message-----
> > > From: Markus Friedl [mailto:markus at openbsd.org]
> > > Sent: Wednesday, 25 June 2003 10:16
> > > To: Alex Peuchert
> > > Cc: Ben Lindstrom; openssh-unix-dev at mindrot.org
> > > Subject: Re: Re: Patch for Socks5 support for dynamic portforwaring?
> > >
> > > On Wed, Jun 25, 2003 at 10:02:25AM +0200, Markus Friedl wrote:
> > > > On Wed, Jun 25, 2003 at 09:40:36AM +0200, Alex Peuchert wrote:
> > > > > Hi,
> > > > > thanks for your answer.
> > > > >
> > > > > One suggestion: How about removing the complete Port Forwarding code from ssh
> > > > > and introducing another subsystem (like sftp-server)?
> > > > >
> > > > > It could work like this: the user command is 'ssocks' which opens an ssh
> > > > > session to a server and starts the 'ssocks-server' subsystem.
> > > > >
> > > > > I think this sounds quite simple...
> > > >
> > > > ...but does not work.
> > >
> > > well, it would work if you don't care about
> > > the ssh protocol or interoperability.
> >
> > within sftp you also don't care about the ssh protocol, do you? ;-)
>
> sftp has nothing to do with ssh, but port-forwarding has.
>

good point ... so, what would be the solution if I need some kind of UDP port forwarding?

From dan at doxpara.com Wed Jun 25 19:08:28 2003
From: dan at doxpara.com (Dan Kaminsky)
Date: Wed, 25 Jun 2003 02:08:28 -0700
Subject: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To: <20030625082934.GD14751@folly>
References: <3EF958A1.4030300@doxpara.com> <20030625082934.GD14751@folly>
Message-ID: <3EF9668C.1020108@doxpara.com>

Markus Friedl wrote:

>On Wed, Jun 25, 2003 at 01:09:05AM -0700, Dan Kaminsky wrote:
>
>>Cool.
>
>we know that your idea is cool.

So why's the SOCKS5 patch languishing? :-)

I'm tired of annoyed OSX users and leaky DNS.

--Dan

From alex at peuchert.de Wed Jun 25 19:11:35 2003
From: alex at peuchert.de (Alex Peuchert)
Date: Wed, 25 Jun 2003 11:11:35 +0200
Subject: AW: AW: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To: <3EF95D0E.6070802@doxpara.com>
Message-ID:

right, but Markus removed the SOCKS5 code in revision 1.109 from channels.c ... saying that it bloats ssh

> -----Original Message-----
> From: Dan Kaminsky [mailto:dan at doxpara.com]
> Sent: Wednesday, 25 June 2003 10:28
> To: Alex Peuchert
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: AW: Patch for Socks5 support for dynamic portforwaring?
>
> >Well, if ssocks were part of the openssh distribution, then
> you wouldn't
> >have to install any software on the remote side.
> >
>
> Right now there's _zero_ code for any of this in the server. It's
> completely unnecessary -- the protocol and the server code are flexible
> enough to support all sorts of interesting applications with but
> minuscule modifications on the client side.
>
> Why create unnecessary complexity? A slight patch to the client --
> that's already been written -- is all I'm arguing for.
>
> --Dan

From djm at mindrot.org Wed Jun 25 19:19:03 2003
From: djm at mindrot.org (Damien Miller)
Date: Wed, 25 Jun 2003 19:19:03 +1000
Subject: AW: Re: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To:
References:
Message-ID: <3EF96907.8020403@mindrot.org>

Alex Peuchert wrote:
>> > within sftp you also don't care about the ssh protocol, do you? ;-)
>>
>> sftp has nothing to do with ssh, but port-forwarding has.
>>
>
> good point ... so, what would be the solution if I need some kind of UDP
> port forwarding?

The SSH protocol doesn't support UDP forwarding at all. So your choices are:

1. Tunnel it somehow (netcat perhaps)
2. Write an I-D for UDP over SSH, implement it well and convince us it is worthwhile

-d

PS. Please trim your quotes

From dan at doxpara.com Wed Jun 25 19:31:13 2003
From: dan at doxpara.com (Dan Kaminsky)
Date: Wed, 25 Jun 2003 02:31:13 -0700
Subject: AW: AW: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To:
References:
Message-ID: <3EF96BE1.2030309@doxpara.com>

Alex Peuchert wrote:

>right, but Markus removed the SOCKS5 code in revision 1.109 from channels.c
>... saying that it bloats ssh
>

I think a gigantic new executable that's required for a basic SSH feature (port forwarding) is a different class of bloat than a couple dozen lines of code either way.

--Dan

From alex at peuchert.de Wed Jun 25 19:38:01 2003
From: alex at peuchert.de (Alex Peuchert)
Date: Wed, 25 Jun 2003 11:38:01 +0200
Subject: AW: AW: AW: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To: <3EF96BE1.2030309@doxpara.com>
Message-ID:

> -----Original Message-----
> From: Dan Kaminsky [mailto:dan at doxpara.com]
> Sent: Wednesday, 25 June 2003 11:31
> To: Alex Peuchert
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: AW: AW: Patch for Socks5 support for dynamic portforwaring?
>
> Alex Peuchert wrote:
>
> >right, but Markus removed the SOCKS5 code in revision 1.109 from
> channels.c
> >... saying that it bloats ssh
> >
>
> I think a gigantic new executable that's required for a basic SSH
> feature (port forwarding) is a different class of bloat than a couple
> dozen lines of code either way.
>
> --Dan

you're right... but what do the developers think of that?

- alex

From dan at doxpara.com Wed Jun 25 19:46:15 2003
From: dan at doxpara.com (Dan Kaminsky)
Date: Wed, 25 Jun 2003 02:46:15 -0700
Subject: AW: Re: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To:
References:
Message-ID: <3EF96F67.6090201@doxpara.com>

>good point ... so, what would be the solution if I need some kind of UDP
>port forwarding?
>

This is actually problematic over SSH. SSH presumes a lower layer will provide basic reliability -- it runs over TCP. Port forwarding is a method of doing TCP-in-TCP encapsulation; usually this has serious performance issues as both sockets implement backoff et al, but SSH avoids these problems by locally terminating the socket, de-encapsulating the payload, and sending only that payload over the tunnelled link.

This works because TCP is byte oriented and the only thing that matters is the order of the data. Such is not the case with UDP -- it's just a very thin wrapper on top of IP and anything goes regarding how the payload is transferred. The literal length of each packet is relevant in a way that doesn't exist for TCP.

That being said, a piece of Paketto (my own bizarre packet-mangling code) may help with this...I'll see what I can get into the July 30 release.

--Dan

From alex at peuchert.de Wed Jun 25 19:53:13 2003
From: alex at peuchert.de (Alex Peuchert)
Date: Wed, 25 Jun 2003 11:53:13 +0200
Subject: AW: AW: Re: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To: <3EF96F67.6090201@doxpara.com>
Message-ID:

Well, SOCKS5 supports UDP forwarding ... so if openssh dynamic port forwarding ( -D ) would support the SOCKS5 protocol then openssh would include UDP forwarding from/to a remote host!

Wouldn't this be really cool?

- alex

> -----Original Message-----
> From: Dan Kaminsky [mailto:dan at doxpara.com]
> Sent: Wednesday, 25 June 2003 11:46
> To: Alex Peuchert
> Cc: Markus Friedl; openssh-unix-dev at mindrot.org
> Subject: Re: AW: Re: Patch for Socks5 support for dynamic portforwaring?
>
> >good point ... so, what would be the solution if I need some kind of UDP
> >port forwarding?
> >
>
> This is actually problematic over SSH. SSH presumes a lower layer will
> provide basic reliability -- it runs over TCP. Port forwarding is a
> method of doing TCP-in-TCP encapsulation; usually this has serious
> performance issues as both sockets implement backoff et al, but SSH
> avoids these problems by locally terminating the socket,
> de-encapsulating the payload, and sending only that payload over the
> tunnelled link.
>
> This works because TCP is byte oriented and the only thing that matters
> is the order of the data. Such is not the case with UDP -- it's just a
> very thin wrapper on top of IP and anything goes regarding how the
> payload is transferred. The literal length of each packet is relevant
> in a way that doesn't exist for TCP.
>
> That being said, a piece of Paketto (my own bizarre packet-mangling
> code) may help with this...I'll see what I can get into the July
> 30 release.
>
> --Dan

From dan at doxpara.com Wed Jun 25 19:56:48 2003
From: dan at doxpara.com (Dan Kaminsky)
Date: Wed, 25 Jun 2003 02:56:48 -0700
Subject: AW: AW: Re: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To:
References:
Message-ID: <3EF971E0.3070308@doxpara.com>

Alex Peuchert wrote:

>Well, SOCKS5 supports UDP forwarding ... so if openssh dynamic port
>forwarding ( -D ) would support the SOCKS5 protocol then openssh would
>include UDP forwarding from/to a remote host!
>
>Wouldn't this be really cool?
>

SOCKS5 doesn't exactly support UDP forwarding...what it does is create a port on the listener that you send your UDP packets to instead, and reports that to your client. Then your client sends UDP packets there, and they're reflected (still as UDP) where they were really supposed to go. This is _much_ more complicated than a few bytes at the beginning of a TCP session announcing where the link was really supposed to go to.

It's really tricky to define how you'd encap UDP in SSH. You'd almost literally need a new SSH packet type, and unless we can show how it would save kittens and bring peace to the middle east, that ain't going to happen.

--Dan

From A.D.Elwell at dl.ac.uk Wed Jun 25 20:17:15 2003
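The "few bytes at the beginning of a TCP session" Dan contrasts with UDP ASSOCIATE are the SOCKS5 greeting and CONNECT request; the following is an added, stand-alone C decoder for exactly those two exchanges as a -D listener would see them (example code written for this page, not OpenSSH's channels.c). It uses the same -1/0/1 result convention as the ssh decoders, handles partial reads and all three address types, and rejects BIND and UDP ASSOCIATE; the constant names, the state struct and the sample bytes are this example's own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
/* RFC 1928 constants (the names are this example's own, not OpenSSH's) */
#define S5_VERSION   0x05
#define S5_NOAUTH    0x00   /* method: NO AUTHENTICATION REQUIRED */
#define S5_CONNECT   0x01   /* BIND (0x02) and UDP ASSOCIATE (0x03) are rejected below */
#define S5_ATYP_IPV4 0x01
#define S5_ATYP_DOM  0x03
#define S5_ATYP_IPV6 0x04

/* Same return convention the channels.c decoders use: -1 reject, 0 need more, 1 done */
enum { S5_FAIL = -1, S5_NEED_MORE = 0, S5_DONE = 1 };

struct s5_state {
    int authdone;        /* greeting handled; a request is expected next */
    char host[256];      /* destination: dotted quad, IPv6 text or domain name */
    uint16_t port;       /* destination port, host byte order */
    uint8_t reply[10];   /* bytes the listener must send back to the client */
    size_t reply_len;
    size_t consumed;     /* input bytes the caller must drop after this call */
};

/* Phase 1: "ver | nmethods | methods". Only NO AUTHENTICATION is accepted. */
static int s5_decode_greeting(struct s5_state *st, const uint8_t *p, size_t have)
{
    size_t i, nmethods;
    if (have < 2) return S5_NEED_MORE;
    if (p[0] != S5_VERSION) return S5_FAIL;
    nmethods = p[1];
    if (have < 2 + nmethods) return S5_NEED_MORE;   /* method list still incomplete */
    for (i = 0; i < nmethods; i++) {
        if (p[2 + i] != S5_NOAUTH) continue;
        st->reply[0] = S5_VERSION;
        st->reply[1] = S5_NOAUTH;
        st->reply_len = 2;
        st->consumed = 2 + nmethods;
        st->authdone = 1;
        return S5_NEED_MORE;   /* greeting done; the request still has to arrive */
    }
    return S5_FAIL;            /* client offers no method we speak */
}

/* Phase 2: "ver | cmd | rsv | atyp | addr | port". Only CONNECT is honoured. */
static int s5_decode_request(struct s5_state *st, const uint8_t *p, size_t have)
{
    size_t addrlen, need;
    const uint8_t *addr;
    int af;
    if (have < 5) return S5_NEED_MORE;   /* fixed header plus the first address byte */
    if (p[0] != S5_VERSION || p[1] != S5_CONNECT || p[2] != 0x00) return S5_FAIL;
    switch (p[3]) {
    case S5_ATYP_IPV4: addrlen = 4;  af = AF_INET;  addr = p + 4; break;
    case S5_ATYP_IPV6: addrlen = 16; af = AF_INET6; addr = p + 4; break;
    case S5_ATYP_DOM:  /* a length byte precedes the name and is counted in 'need' */
        addrlen = p[4]; af = -1; addr = p + 5;
        if (addrlen == 0) return S5_FAIL;
        break;
    default: return S5_FAIL;
    }
    need = (size_t)(addr - p) + addrlen + 2;   /* header (+ length byte) + addr + port */
    if (have < need) return S5_NEED_MORE;
    if (af == -1) {
        memcpy(st->host, addr, addrlen);
        st->host[addrlen] = '\0';
    } else if (inet_ntop(af, addr, st->host, sizeof(st->host)) == NULL) {
        return S5_FAIL;
    }
    st->port = (uint16_t)((addr[addrlen] << 8) | addr[addrlen + 1]);
    st->consumed = need;
    /* Reply: succeeded, bound address 0.0.0.0:0 (clients ignore it for CONNECT) */
    memset(st->reply, 0, sizeof(st->reply));
    st->reply[0] = S5_VERSION;
    st->reply[3] = S5_ATYP_IPV4;
    st->reply_len = 10;
    return S5_DONE;
}

/* Feed the bytes received so far; after each call send st->reply and drop st->consumed bytes. */
int s5_decode(struct s5_state *st, const uint8_t *p, size_t have)
{
    return st->authdone ? s5_decode_request(st, p, have) : s5_decode_greeting(st, p, have);
}

/* Constructed samples: a no-auth greeting and a CONNECT to example.com:443 by name */
static const uint8_t sample_greeting[] = { 0x05, 0x01, 0x00 };
static const uint8_t sample_connect[] = { 0x05, 0x01, 0x00, 0x03, 11,
    'e','x','a','m','p','l','e','.','c','o','m', 0x01, 0xbb };

/* Run both phases over the sample greeting and one request; returns the final result. */
int s5_run_sample(struct s5_state *st, const uint8_t *req, size_t reqlen)
{
    memset(st, 0, sizeof(*st));
    if (s5_decode(st, sample_greeting, sizeof(sample_greeting)) != S5_NEED_MORE || !st->authdone)
        return S5_FAIL;
    return s5_decode(st, req, reqlen);
}
```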
From: A.D.Elwell at dl.ac.uk (Elwell, AD (Andrew))
Date: Wed, 25 Jun 2003 11:17:15 +0100
Subject: openssh-3.6.1p2-passexpire20.patch prevents /etc/nologin display on AIX
Message-ID:

Hi there,

I have just compiled up 3.6.1p2 both with and without Darren Tucker's passexpire patch.

However, with the patch applied /etc/nologin isn't displayed to users (on AIX 5.1 / PSSP)

The patched version seems to fail with "illegal user" - some parts of a debug 3 log...

debug1: userauth-request for user ade45 service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAMdebug3: monitor_read: checking request 6
debug3: mm_request_receive_expect entering: type 7debug3: mm_answer_pwnamallowdebug3: mm_request_receive entering
Login restricted for ade45: this is a test
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 0
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling nowinput_userauth_request: illegal user ade45
debug3: mm_request_receive entering
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try meth none

whereas the unpatched one goes...
debug1: userauth-request for user ade45 service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
Login restricted for ade45: testing in progress
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling nowdebug2: input_userauth_request: setting up authctxt for ade45
debug3: mm_request_receive entering
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try meth none

We have a dodgy workaround for this (touch /etc/nologin and update the sshd banner if we're doing maintenance) but it would be nice to have.

A more pressing need is for us to be able to cope with changing the users' password on another box. (we use PSSP on a large cluster) hmm, some hacking of /bin/passwd might be called for...

Andrew

--
Andrew Elwell
Room A20, Daresbury Laboratory, Keckwick Lane, Daresbury, WARRINGTON, WA4 4AD
Tel: +44 (0)1925 603966 Mob: +44 (0)7890 249969 Pager: 08700 555500 [883616]

From markus at openbsd.org Wed Jun 25 20:51:12 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 25 Jun 2003 12:51:12 +0200
Subject: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To:
References: <20030625084316.GA30922@folly>
Message-ID: <20030625105112.GB12638@folly>

On Wed, Jun 25, 2003 at 11:05:53AM +0200, Alex Peuchert wrote:
> good point ... so, what would be the solution if I need some kind of UDP
> port forwarding?

have you tried whether my socks5 patch allows you to do udp forwarding?

From markus at openbsd.org Wed Jun 25 20:53:34 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 25 Jun 2003 12:53:34 +0200
Subject: AW: Re: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To:
References: <3EF96F67.6090201@doxpara.com>
Message-ID: <20030625105334.GC12638@folly>

On Wed, Jun 25, 2003 at 11:53:13AM +0200, Alex Peuchert wrote:
> Well, SOCKS5 supports UDP forwarding ... so if openssh dynamic port
> forwarding ( -D ) would support the SOCKS5 protocol then openssh would
> include UDP forwarding from/to a remote host!

again, have you verified that the patch makes this possible?

From markus at openbsd.org Wed Jun 25 21:00:02 2003
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 25 Jun 2003 13:00:02 +0200
Subject: AW: AW: Re: Patch for Socks5 support for dynamic portforwaring?
In-Reply-To: <3EF971E0.3070308@doxpara.com>
References: <3EF971E0.3070308@doxpara.com>
Message-ID: <20030625110002.GA29105@folly>

On Wed, Jun 25, 2003 at 02:56:48AM -0700, Dan Kaminsky wrote:
> It's really tricky to define how you'd encap UDP in SSH. You'd almost
> literally need a new SSH packet type, and unless we can show how it
> would save kittens and bring peace to the middle east, that ain't going
> to happen.

I'm not sure. I'm considering forwarding UDP by adding a new channel type, but only if I need this...

From markus at openbsd.org Wed Jun 25 21:04:04 2003
From: markus at openbsd.org (Markus Friedl) Date: Wed, 25 Jun 2003 13:04:04 +0200 Subject: AW: AW: Patch for Socks5 support for dynamic portforwaring? In-Reply-To: References: <3EF96BE1.2030309@doxpara.com> Message-ID: <20030625110404.GB29105@folly> On Wed, Jun 25, 2003 at 11:38:01AM +0200, Alex Peuchert wrote: > you're right... but what do the developers think of that? there are other nice things you can do with portforwarding, e.g. this hack. but i'm not sure whether this code should be in ssh. this patch (OpenBSD only for now) allows you to redirect (NAT) TCP packets to ssh(1) and dynamically forward over ssh. Index: channels.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/channels.c,v retrieving revision 1.191 diff -u -r1.191 channels.c --- channels.c 24 Jun 2003 08:23:46 -0000 1.191 +++ channels.c 25 Jun 2003 11:00:20 -0000 @@ -41,6 +41,10 @@ #include "includes.h" RCSID("$OpenBSD: channels.c,v 1.191 2003/06/24 08:23:46 markus Exp $"); +#include +#include +#include + #include "ssh.h" #include "ssh1.h" #include "ssh2.h" 
@@ -870,6 +874,73 @@ } } +static int +natlookup(int fd, struct sockaddr_in *server) +{ + struct pfioc_natlook natlook; + struct sockaddr_in from, to; + socklen_t slen; + int pfd; + + slen = sizeof(from); + if (getpeername(fd, (struct sockaddr *)&from, &slen) != 0) { + debug("getpeername failed: %s", strerror(errno)); + return (-1); + } + slen = sizeof(to); + if (getsockname(fd, (struct sockaddr *)&to, &slen) != 0) { + debug("getsockname failed: %s", strerror(errno)); + return (-1); + } + + memset(&natlook, 0, sizeof(natlook)); + natlook.af = AF_INET; + natlook.saddr.addr32[0] = from.sin_addr.s_addr; + natlook.daddr.addr32[0] = to.sin_addr.s_addr; + natlook.proto = IPPROTO_TCP; + natlook.sport = from.sin_port; + natlook.dport = to.sin_port; + natlook.direction = PF_OUT; + + if ((pfd = open("/dev/pf", O_RDWR)) == -1) { + debug("open /dev/pf failed: %s", strerror(errno)); + return (-1); + } + if (ioctl(pfd, DIOCNATLOOK, &natlook) == -1) { + error("pf nat lookup failed: %s", strerror(errno)); + close(pfd); + return (-1); + } + close(pfd); + + server->sin_port = natlook.rdport; + server->sin_addr.s_addr = natlook.rdaddr.addr32[0]; + server->sin_len = sizeof(struct sockaddr_in); + server->sin_family = AF_INET; + return (0); +} + +static int +channel_try_nat(Channel *c) +{ + char *host; + struct sockaddr_in server; + + memset(&server, 0, sizeof(server)); + + if (natlookup(c->rfd, &server) < 0) + return (0); + + host = inet_ntoa(server.sin_addr); + strlcpy(c->path, host, sizeof(c->path)); + c->host_port = ntohs(server.sin_port); + + debug("channel %d: nat request: host %s port %u", + c->self, host, c->host_port); + + return (1); +} + /* try to decode a socks4 header */ static int channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset) 
@@ -949,6 +1020,10 @@ have = buffer_len(&c->input); c->delayed = 0; + + if ((ret = channel_try_nat(c))) + goto done; + debug2("channel %d: pre_dynamic: have %d", c->self, have); /* buffer_dump(&c->input); */ /* check if the fixed size part of the packet is in buffer. */ @@ -967,6 +1042,8 @@ ret = -1; break; } + +done: if (ret < 0) { chan_mark_dead(c); } else if (ret == 0) { @@ -1054,6 +1131,8 @@ "connect from %.200s port %d", rtype, c->listening_port, c->path, c->host_port, remote_ipaddr, remote_port); + +debug("%s", buf); xfree(c->remote_name); c->remote_name = xstrdup(buf); From dtucker at zip.com.au Wed Jun 25 21:36:44 2003 
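Review bot: natlookup() in the channel_try_nat hunk is IPv4-only but never checks that the peer actually is IPv4: `from` and `to` are `struct sockaddr_in`, `natlook.af` is hard-coded to AF_INET and only `addr32[0]` is copied, so for a non-AF_INET peer on the -D listener getpeername()/getsockname() fill a truncated structure and the DIOCNATLOOK is issued with garbage addresses. Check `from.sin_family == AF_INET` (or switch to sockaddr_storage and set af/saddr/daddr per family) before building the natlook request.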
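Review bot: `channel_try_nat(c)` runs unconditionally at the top of channel_pre_dynamic, before the SOCKS decode, so every connection to a -D listener now opens /dev/pf and issues DIOCNATLOOK; for the ordinary, non-redirected SOCKS client that ioctl fails and natlookup() reports it with error() rather than debug(), which will log a "pf nat lookup failed" line on every forward. Downgrade that message to debug, and state in the commit message that a successful lookup skips the SOCKS handshake entirely (any TCP connection pf redirects to the listener is forwarded to its original destination with no client request at all), since that behaviour is the feature and should be documented and probably made optional rather than always on.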
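Review bot: the `+debug("%s", buf);` in the last hunk (after the "connect from %.200s port %d" snprintf) is unindented and logs the whole remote_name string at debug level on every dynamic connection; it looks like a leftover diagnostic and should either be dropped or indented and kept at debug2 with the neighbouring messages.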
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 25 Jun 2003 21:36:44 +1000
Subject: openssh-3.6.1p2-passexpire20.patch prevents /etc/nologin display on AIX
References:
Message-ID: <3EF9894C.9F4ED3D4@zip.com.au>

"Elwell, AD (Andrew)" wrote:
> I have just compiled up 3.6.1p2 both with and without Darren Tucker's
> passexpire patch.
>
> However, with the patch applied /etc/nologin isn't displayed to users (on
> AIX 5.1 / PSSP)
>
> The patched version seems to fail with "illegal user" - some parts of a debug
> 3 log...
>
> debug1: userauth-request for user ade45 service ssh-connection method none
> debug1: attempt 0 failures 0
> debug3: mm_getpwnamallow entering
> debug3: mm_request_send entering: type 6
> debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAMdebug3: monitor_read:
> checking request 6
> debug3: mm_request_receive_expect entering: type 7debug3:
> mm_answer_pwnamallowdebug3: mm_request_receive entering
> Login restricted for ade45: this is a test
> debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 0
[snip]

I would have expected to see some more debugging here, something like:

debug3: lastupdate [foo] maxage [foo] wks maxexpired
debug3: AIX/passwdexpired returned [whatever]

Was that there and if so what does it say?

Looking at the code here, I can't see a reason for this. Did the patch apply cleanly?

> A more pressing need is for us to be able to cope with changing the users'
> password on another box. (we use PSSP on a large cluster) hmm, some hacking
> of /bin/passwd might be called for...

You can change PATH_PROGRAM_PATH in config.h to point to any program you like. Be aware that it'll get called as "/path/to/program" (as the user) if PrivSep is on and "/path/to/program [username]" (as root!) if PrivSep is off.

If it's a common requirement it might be worth adding a --with-passwd-program=/bin/foo option to configure.
-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From markus at openbsd.org Wed Jun 25 22:16:59 2003 From: markus at openbsd.org (Markus Friedl) Date: Wed, 25 Jun 2003 14:16:59 +0200 Subject: socks5 support for -D Message-ID: <20030625121659.GA7053@folly> here's an up-to-date patch, should apply to both openbsd and non-openbsd versions of openssh. i did only test ipv4 addresses. Index: channels.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/channels.c,v retrieving revision 1.191 diff -u -r1.191 channels.c --- channels.c 24 Jun 2003 08:23:46 -0000 1.191 +++ channels.c 25 Jun 2003 12:14:19 -0000 @@ -54,7 +54,7 @@ #include "key.h" #include "authfd.h" #include "pathnames.h" - +#include "bufaux.h" /* -- channel core */ 
@@ -940,6 +940,115 @@ return 1; } +/* try to decode a socks5 header */ +#define SSH_SOCKS5_AUTHDONE 0x1000 +#define SSH_SOCKS5_NOAUTH 0x00 +#define SSH_SOCKS5_IPV4 0x01 +#define SSH_SOCKS5_DOMAIN 0x03 +#define SSH_SOCKS5_IPV6 0x04 +#define SSH_SOCKS5_CONNECT 0x01 +#define SSH_SOCKS5_SUCCESS 0x00 + +static int +channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset) +{ + struct { + u_int8_t version; + u_int8_t command; + u_int8_t reserved; + u_int8_t atyp; + } s5_req, s5_rsp; + u_int16_t dest_port; + u_char *p, dest_addr[255+1]; + int i, have, found, nmethods, addrlen, af; + + debug2("channel %d: decode socks5", c->self); + p = buffer_ptr(&c->input); + if (p[0] != 0x05) + return -1; + have = buffer_len(&c->input); + if (!(c->flags & SSH_SOCKS5_AUTHDONE)) { + /* format: ver | nmethods | methods */ + if (have < 2) + return 0; + nmethods = p[1]; + if (have < nmethods + 2) + return 0; + /* look for method: "NO AUTHENTICATION REQUIRED" */ + for (found = 0, i = 2 ; i < nmethods + 2; i++) { + if (p[i] == SSH_SOCKS5_NOAUTH ) { + found = 1; + break; + } + } + if (!found) { + debug("channel %d: method SSH_SOCKS5_NOAUTH not found", + c->self); + return -1; + } + buffer_consume(&c->input, nmethods + 2); + buffer_put_char(&c->output, 0x05); /* version */ + buffer_put_char(&c->output, SSH_SOCKS5_NOAUTH); /* method */ + FD_SET(c->sock, writeset); + c->flags |= SSH_SOCKS5_AUTHDONE; + debug2("channel %d: socks5 auth done", c->self); + return 0; /* need more */ + } + debug2("channel %d: socks5 post auth", c->self); + if (have < sizeof(s5_req)+1) + return 0; /* need more */ + memcpy((char *)&s5_req, p, sizeof(s5_req)); + if (s5_req.version != 0x05 || + s5_req.command != SSH_SOCKS5_CONNECT || + s5_req.reserved != 0x00) { + debug("channel %d: only socks5 connect supported", c->self); + return -1; + } + switch(s5_req.atyp){ + case SSH_SOCKS5_IPV4: + addrlen = 4; + af = AF_INET; + break; + case SSH_SOCKS5_DOMAIN: + addrlen = p[sizeof(s5_req)]; + af = -1; + break; + case 
SSH_SOCKS5_IPV6: + addrlen = 16; + af = AF_INET6; + break; + default: + debug("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp); + return -1; + } + if (have < 4 + addrlen + 2) + return 0; + buffer_consume(&c->input, sizeof(s5_req)); + buffer_get(&c->input, (char *)&dest_addr, addrlen); + buffer_get(&c->input, (char *)&dest_port, 2); + dest_addr[addrlen] = '\0'; + if (s5_req.atyp == SSH_SOCKS5_DOMAIN) + strlcpy(c->path, dest_addr, sizeof(c->path)); + else if (inet_ntop(af, dest_addr, c->path, sizeof(c->path)) == NULL) + return -1; + c->host_port = ntohs(dest_port); + + debug("channel %d: dynamic request: socks5 host %s port %u command %u", + c->self, c->path, c->host_port, s5_req.command); + + s5_rsp.version = 0x05; + s5_rsp.command = SSH_SOCKS5_SUCCESS; + s5_rsp.reserved = 0; /* ignored */ + s5_rsp.atyp = SSH_SOCKS5_IPV4; + ((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY; + dest_port = 0; /* ignored */ + + buffer_append(&c->output, (char *)&s5_rsp, sizeof(s5_rsp)); + buffer_append(&c->output, (char *)&dest_addr, sizeof(struct in_addr)); + buffer_append(&c->output, (char *)&dest_port, sizeof(dest_port)); + return 1; +} + /* dynamic port forwarding */ static void channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset) @@ -952,7 +1061,7 @@ debug2("channel %d: pre_dynamic: have %d", c->self, have); /* buffer_dump(&c->input); */ /* check if the fixed size part of the packet is in buffer. */ - if (have < 4) { + if (have < 3) { /* need more */ FD_SET(c->sock, readset); return; @@ -962,6 +1071,9 @@ switch (p[0]) { case 0x04: ret = channel_decode_socks4(c, readset, writeset); + break; + case 0x05: + ret = channel_decode_socks5(c, readset, writeset); break; default: ret = -1; From dtucker at zip.com.au Wed Jun 25 22:34:14 2003 
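Review bot: in channel_decode_socks5 the SSH_SOCKS5_DOMAIN case does not account for the one-byte length prefix of the name: `addrlen = p[sizeof(s5_req)]` reads that byte, but `if (have < 4 + addrlen + 2)` then omits it, and after `buffer_consume(&c->input, sizeof(s5_req))` the `buffer_get(&c->input, (char *)&dest_addr, addrlen)` starts at the length byte, so c->path ends up holding the length byte plus the first addrlen-1 characters of the name and dest_port is read one byte early. For the domain case the check should be `have < 4 + 1 + addrlen + 2` and the length byte must be consumed before the name is read; a zero-length name should also be rejected rather than yield an empty c->path.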
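Review bot: lowering the guard in channel_pre_dynamic from `have < 4` to `have < 3` is right for the SOCKS5 greeting (ver, nmethods, one method), but it also lets channel_decode_socks4 be entered with only three bytes in the buffer; please confirm that function checks `have` against its own fixed header size before reading, since the old guard was doing part of that work for it.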
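Review bot: s5_rsp with SSH_SOCKS5_SUCCESS is appended to c->output as soon as the request parses and before the remote side has opened anything, so a refused or unreachable destination surfaces to the client only as a closed socket, never as a SOCKS5 error reply; if that is the intended hand-off to the dynamic channel a comment saying so would save the next reader a question. Minor: `strlcpy(c->path, dest_addr, ...)` passes a u_char array where a char * is expected and will warn; cast it as the buffer_get() calls already do.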
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 25 Jun 2003 22:34:14 +1000
Subject: New regression test: dynamic forwarding
Message-ID: <3EF996C6.10A6829D@zip.com.au>

Hi All.

The discussion about SOCKS5 support set me thinking about how you would test it, and I came up with the attached test. (Again, mostly code stolen from another test, this time forwarding.sh).

It requires "connect" [1] but will skip the test if it's not found.

-Daz.

[1] http://www.taiyo.co.jp/~gotoh/ssh/connect.html

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dynamic-forward.sh
Type: application/x-sh
Size: 743 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030625/b1688564/attachment.sh

From dtucker at zip.com.au Wed Jun 25 23:18:23 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 25 Jun 2003 23:18:23 +1000
Subject: openssh-3.6.1p2-passexpire20.patch prevents /etc/nologin display on AIX
References:
Message-ID: <3EF9A11F.8AD65D49@zip.com.au>

"Elwell, AD (Andrew)" wrote:
> However, with the patch applied /etc/nologin isn't displayed to users (on
> AIX 5.1 / PSSP)
>
> The patched version seems to fail with "illegal user" - some parts of a debug
> 3 log...

It's a bug, and it's mine. I did not correctly relocate the saving of errno when I reshuffled the loginrestrictions call.

Try applying the following patch on top of -passexpire20 and recompiling.

-Daz.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

-------------- next part --------------
--- auth.c.orig 2003-06-25 23:14:16.000000000 +1000 +++ auth.c 2003-06-25 23:13:36.000000000 +1000 @@ -240,11 +240,12 @@ * non-root user (since loginrestrictions will always fail). */ if ( (pw->pw_uid != 0) && (geteuid() == 0) ) { - int loginrestrict_errno = errno; char *msg; /* check for AIX account restrictions */ if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) { + int loginrestrict_errno = errno; + if (msg && *msg) { aix_remove_embedded_newlines(msg); log("Login restricted for %s: %.100s",
From A.D.Elwell at dl.ac.uk Thu Jun 26 00:45:23 2003
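Review bot: moving `int loginrestrict_errno = errno;` from the top of the `if ( (pw->pw_uid != 0) && (geteuid() == 0) )` block to just inside `if (loginrestrictions(...) != 0)` captures errno at the right moment, immediately after the failing call and before log() can clobber it, but it also narrows the variable's scope to the inner block; the hunk is cut off before the end of that block, so make sure nothing after its closing brace still refers to loginrestrict_errno, otherwise the build breaks with the patch applied.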
From: A.D.Elwell at dl.ac.uk (Elwell, AD (Andrew))
Date: Wed, 25 Jun 2003 15:45:23 +0100
Subject: openssh-3.6.1p2-passexpire20.patch prevents /etc/nologin display on AIX
Message-ID:

Courtesy follow up back to the unix-dev list (mainly for those like me who searched the archives)

Thanks to the very swift response of Darren, a patched auth.c did the trick

Patch enclosed below (apply after the p20)

I'm guessing he'll either update p20 or issue p21 soon.

Many thanks

Andrew

--- auth.c.orig 2003-06-25 23:14:16.000000000 +1000 +++ auth.c 2003-06-25 23:13:36.000000000 +1000 @@ -240,11 +240,12 @@ * non-root user (since loginrestrictions will always fail). */ if ( (pw->pw_uid != 0) && (geteuid() == 0) ) { - int loginrestrict_errno = errno; char *msg; /* check for AIX account restrictions */ if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) { + int loginrestrict_errno = errno; + if (msg && *msg) { aix_remove_embedded_newlines(msg); log("Login restricted for %s: %.100s",
From dan at doxpara.com Thu Jun 26 02:08:21 2003
From: dan at doxpara.com (Dan Kaminsky) Date: Wed, 25 Jun 2003 09:08:21 -0700 Subject: AW: AW: Re: Patch for Socks5 support for dynamic portforwarding? In-Reply-To: <20030625110002.GA29105@folly> References: <3EF971E0.3070308@doxpara.com> <20030625110002.GA29105@folly> Message-ID: <3EF9C8F5.1040908@doxpara.com> Markus Friedl wrote: >On Wed, Jun 25, 2003 at 02:56:48AM -0700, Dan Kaminsky wrote: > > >>It's really tricky to define how you'd encap UDP in SSH. You'd almost >>literally need a new SSH packet type, and unless we can show how it >>would save kittens and bring peace to the middle east, that ain't going >>to happen. >> >> > >I'm not sure. I'm considering forwarding UDP by adding a new >channel type, but only if I need this... > Whoa. UDP Forwarding would be absolutely fantastic -- among other things, we'd be able to forward VoIP securely (something that presently requires some pretty hefty VPNs) -- but given the fact that a) it requires server-side modifications and b) a non-trivial amount of code, I didn't think it possible. --Dan From jbennett at forzani.com Thu Jun 26 02:19:38 2003 
From: jbennett at forzani.com (Bennett, Jason) Date: Wed, 25 Jun 2003 10:19:38 -0600 Subject: Compiling OpenSSH on DG/UX Message-ID: <7A680EDD8D8BD5119DAE0000D1ED428F05F245E3@GROUCHO> When I run a make on the openssh source directory, it starts the compile and then fails with: gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/local/ssl/include -DHAVE_CONFIG_H -c bsd-arc4random.c In file included from ../openbsd-compat/openbsd-compat.h:35, from ../includes.h:169, from bsd-arc4random.c:25: ../openbsd-compat/bsd-misc.h:85: redefinition of `struct timespec' *** Error code 1 Stop. *** Error code 1 Stop. I'm using: OpenSSH v3.6p1 DG/UX: R4.20MU06 on AViiON PentiumPro I have OpenSSL v0.9.7b installed and Zlib 1.1.4 installed Any help would be appreciated. Jason Bennett Senior Unix Administrator Forzani Group Ltd. Office: 403-717-1400 Ext 1506 Fax: 403-717-1498 From E.P.Naveen at in.ibm.com Thu Jun 26 02:59:43 2003 
From: E.P.Naveen at in.ibm.com (Eravimangalath P Naveen) Date: Wed, 25 Jun 2003 22:29:43 +0530 Subject: OpenSSH Compilation problems while enabling AFS support Message-ID: Hi, We are trying to compile OpenSSH with AFS support to enable password-less login in a linux cluster. We are getting the error mentioned at the bottom of this mail. Also, included the information of other packages and the options used with configure. Please help us to sort out this issue. Server is running on RedHat Linux v7.3 OpenAFS Information Downloaded from http://www.openafs.org/release/latest.html [root at blueray openssh-3.6.1p1]# rpm -qa |grep openafs openafs-devel-1.2.9-rh7.3.1 openafs-krb5-1.2.9-rh7.3.1 openafs-client-1.2.9-rh7.3.1 openafs-kpasswd-1.2.9-rh7.3.1 openafs-1.2.9-rh7.3.1 openafs-server-1.2.9-rh7.3.1 openafs-compat-1.2.9-rh7.3.1 [root at blueray openssh-3.6.1p1]# Kerberos Information Obtained from the RedHat v7.3 Distribution CDs. [root at blueray is]# rpm -qa |grep krb krbafs-1.0.9-2 krb5-devel-1.2.2-13 krb5-workstation-1.2.2-13 openafs-krb5-1.2.9-rh7.3.1 krb5-server-1.2.2-13 krb5-libs-1.2.2-13 pam_krb5-1.46-1 krbafs-utils-1.0.9-2 krbafs-devel-1.0.9-2 [root at blueray is]# OpenSSH Information Downloaded from www.openssh.org openssh-3.6.1p1-1.src.rpm Tried the following to compile. [root at blueray openssh-3.6.1p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-kerberos5=/usr/kerberos --with-afs=/usr/afs [root at blueray openssh-3.6.1p1]# make Following error obtained. sshconnect1.c:31:18: kafs.h: No such file or directory make: *** [sshconnect1.o] Error 1 [root at blueray openssh-3.6.1p1]# From bob at proulx.com Thu Jun 26 07:36:33 2003 
From: bob at proulx.com (Bob Proulx) Date: Wed, 25 Jun 2003 15:36:33 -0600 Subject: Patch for Socks5 support for dynamic portforwarding? In-Reply-To: <20030624105039.GA25895@folly> References: <001b01c33a3e$a45eb780$0206a8c0@pentium4> <20030624105039.GA25895@folly> Message-ID: <20030625213633.GA3956@misery.proulx.com> Markus Friedl wrote: > oldsleepi wrote: > > has anybody seen a patch that provides socks version 5 support for > > the dynamic portforwarding feature? > why? we removed that feature: I am sure I am missing something in this thread. Perhaps someone can educate me? What is deficient about using system call redirection to support socks? (e.g. Dante 'socksify ssh'.) Or barring that using the ProxyCommand for socks? I thought the whole argument for ProxyCommand was that it moved the need for hacks like socks out of ssh and made it a modular plugin of whatever version of socks or other was needed. Bob From djm at shitei.mindrot.org Thu Jun 26 08:59:07 2003 
From: djm at shitei.mindrot.org (Damien Miller) Date: Thu, 26 Jun 2003 08:59:07 +1000 (EST) Subject: Patch for Socks5 support for dynamic portforwarding? In-Reply-To: <20030625213633.GA3956@misery.proulx.com> References: <001b01c33a3e$a45eb780$0206a8c0@pentium4> <20030624105039.GA25895@folly> <20030625213633.GA3956@misery.proulx.com> Message-ID: On Wed, 25 Jun 2003, Bob Proulx wrote: > Markus Friedl wrote: > > oldsleepi wrote: > > > has anybody seen a patch that provides socks version 5 support for > > > the dynamic portforwarding feature? > > why? we removed that feature: > > I am sure I am missing something in this thread. Perhaps someone can > educate me? What is deficient about using system call redirection to > support socks? (e.g. Dante 'socksify ssh'.) Or baring that using the > ProxyCommand for socks? I thought the whole argument for ProxyCommand > was that it moved the need for hacks like socks out of ssh and made it > a modular plugin of whatever version of socks or other was needed. This is not socks proxying, grep for DynamicForward in "man ssh_config" -d From dtucker at zip.com.au Thu Jun 26 09:20:23 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 26 Jun 2003 09:20:23 +1000 Subject: socks5 support for -D References: <20030625121659.GA7053@folly> Message-ID: <3EFA2E37.7670C39C@zip.com.au> Markus Friedl wrote: > here's an up-to-date patch, should apply to both > openbsd and non-openbsd versions of openssh. > > i did only test ipv4 addresses. Hi. I just tried this and found that it does not work for the SSH_SOCKS5_DOMAIN case because the destination host is not decoded correctly. RFC1928 says the host name has a leading length record (1 byte) and is not null terminated, so the code as presented has an off-by-one error. The patch below works for me. -Daz. --- channels.c.markus 2003-06-26 08:42:10.000000000 +1000 +++ channels.c 2003-06-26 09:04:50.000000000 +1000 
@@ -1025,6 +1025,8 @@ if (have < 4 + addrlen + 2) return 0; buffer_consume(&c->input, sizeof(s5_req)); + if (s5_req.atyp == SSH_SOCKS5_DOMAIN) + buffer_consume(&c->input, 1); /* host string length */ buffer_get(&c->input, (char *)&dest_addr, addrlen); buffer_get(&c->input, (char *)&dest_port, 2); dest_addr[addrlen] = '\0'; -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Thu Jun 26 09:23:47 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 26 Jun 2003 09:23:47 +1000 Subject: Patch for Socks5 support for dynamic portforwarding? References: <001b01c33a3e$a45eb780$0206a8c0@pentium4> <20030624105039.GA25895@folly> <20030625213633.GA3956@misery.proulx.com> Message-ID: <3EFA2F03.C0659E33@zip.com.au> Bob Proulx wrote: > Markus Friedl wrote: > I am sure I am missing something in this thread. Perhaps someone can > educate me? What is deficient about using system call redirection to > support socks? DynamicForward allows the ssh *client* to act as a SOCKS *server*. ProxyCommand is the recommended method for the ssh *client* to be a SOCKS *client*. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Thu Jun 26 09:38:47 2003 
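Review bot: the added buffer_consume(&c->input, 1) for SSH_SOCKS5_DOMAIN matches RFC 1928 (one length octet, no terminating NUL), but the `if (have < 4 + addrlen + 2) return 0;` guard two lines above it is still computed without that octet. For a DOMAIN request that has arrived one byte short, the guard passes and the two buffer_get() calls that follow read one byte beyond what was validated; anything that can connect to the -D listener can provoke this. Make the guard count the length octet in the DOMAIN case, e.g. `need = 4 + addrlen + 2; if (s5_req.atyp == SSH_SOCKS5_DOMAIN) need++; if (have < need) return 0;`. Separately, `dest_addr[addrlen] = '\0'` requires dest_addr to hold at least 256 bytes, since addrlen is taken from a single octet and can be 255; the declaration is outside this hunk, so confirm the size.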
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 26 Jun 2003 09:38:47 +1000 Subject: Compiling OpenSSH on DG/UX References: <7A680EDD8D8BD5119DAE0000D1ED428F05F245E3@GROUCHO> Message-ID: <3EFA3287.6F3A4CE9@zip.com.au> "Bennett, Jason" wrote: > gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. > -I./.. -I/usr/local/ssl/include -DHAVE_CONFIG_H -c bsd-arc4random.c > In file included from ../openbsd-compat/openbsd-compat.h:35, > from ../includes.h:169, > from bsd-arc4random.c:25: > ../openbsd-compat/bsd-misc.h:85: redefinition of `struct timespec' Is "HAVE_STRUCT_TIMESPEC" defined in config.h? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From markus at openbsd.org Thu Jun 26 17:50:13 2003 From: markus at openbsd.org (Markus Friedl) Date: Thu, 26 Jun 2003 09:50:13 +0200 Subject: socks5 support for -D In-Reply-To: <3EFA2E37.7670C39C@zip.com.au> References: <20030625121659.GA7053@folly> <3EFA2E37.7670C39C@zip.com.au> Message-ID: <20030626075013.GB20784@folly> On Thu, Jun 26, 2003 at 09:20:23AM +1000, Darren Tucker wrote: > Markus Friedl wrote: > > here's an up-to-date patch, should apply to both > > openbsd and non-openbsd versions of openssh. > > > > i did only test ipv4 addresses. > > Hi. I just tried this and found that it does not work for the > SSH_SOCKS5_DOMAIN case because the destination host is not decoded > correctly. RFC1928 says the host name has a leading length record (1 > byte) and is not null terminated, so the code as presented has an ^^^^ then the strlcpy needs to be replaced by a memcpy. From markus at openbsd.org Thu Jun 26 17:52:08 2003 
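As an added example (mine, not Markus's patch and not OpenSSH's channels.c), here is a stand-alone C parser for the RFC 1928 request that a DynamicForward listener receives. It shows the decoding Darren and Markus discuss above: the DOMAIN form carries a one-octet length and no NUL, so the name is copied by length with memcpy rather than strlcpy, and the "is the whole request here yet" check has to count that length octet, otherwise a request one byte short is accepted. The sample requests are hand-assembled for the example, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Address types from RFC 1928 section 4. */
#define S5_ATYP_IPV4   0x01
#define S5_ATYP_DOMAIN 0x03
#define S5_ATYP_IPV6   0x04

struct s5_dest {
    uint8_t  cmd;        /* 0x01 CONNECT, 0x02 BIND, 0x03 UDP ASSOCIATE */
    uint8_t  atyp;
    char     host[256];  /* text form; a DOMAIN name is at most 255 octets + NUL */
    uint16_t port;
};

/*
 * Parse one SOCKS5 request from the first `have` bytes of buf:
 *   VER(1) CMD(1) RSV(1) ATYP(1) DST.ADDR(var) DST.PORT(2)
 * DST.ADDR is 4 octets (IPv4), 16 octets (IPv6), or for DOMAIN one length
 * octet followed by that many octets with no terminating NUL.
 * Returns the number of bytes the request occupies, 0 if more input is
 * needed (caller waits for more data and calls again), -1 if malformed.
 */
int s5_parse_request(const unsigned char *buf, size_t have, struct s5_dest *out)
{
    size_t addrlen, need, off = 4;
    const unsigned char *addr;

    if (have < 4)
        return 0;
    if (buf[0] != 0x05 || buf[2] != 0x00)
        return -1;

    switch (buf[3]) {
    case S5_ATYP_IPV4:   addrlen = 4;  break;
    case S5_ATYP_IPV6:   addrlen = 16; break;
    case S5_ATYP_DOMAIN:
        if (have < 5)          /* the length octet has not arrived yet */
            return 0;
        addrlen = buf[4];
        off = 5;               /* name bytes start after the length octet */
        break;
    default:
        return -1;
    }

    /* Completeness check. For DOMAIN this includes the length octet: a check
     * of only 4 + addrlen + 2 lets a request that is one byte short pass,
     * and the copies below would then read past the validated input. */
    need = off + addrlen + 2;
    if (have < need)
        return 0;

    addr = buf + off;
    out->cmd = buf[1];
    out->atyp = buf[3];
    switch (buf[3]) {
    case S5_ATYP_IPV4:
        snprintf(out->host, sizeof out->host, "%u.%u.%u.%u",
                 (unsigned)addr[0], (unsigned)addr[1], (unsigned)addr[2], (unsigned)addr[3]);
        break;
    case S5_ATYP_IPV6:
        snprintf(out->host, sizeof out->host, "%x:%x:%x:%x:%x:%x:%x:%x",
                 (addr[0] << 8) | addr[1],   (addr[2] << 8) | addr[3],
                 (addr[4] << 8) | addr[5],   (addr[6] << 8) | addr[7],
                 (addr[8] << 8) | addr[9],   (addr[10] << 8) | addr[11],
                 (addr[12] << 8) | addr[13], (addr[14] << 8) | addr[15]);
        break;
    default: /* DOMAIN: not NUL-terminated on the wire, so copy by length, then terminate */
        memcpy(out->host, addr, addrlen);
        out->host[addrlen] = '\0';
        break;
    }
    out->port = (uint16_t)((addr[addrlen] << 8) | addr[addrlen + 1]);
    return (int)need;
}

/* Constructed sample requests (hand-assembled for this example). */
const unsigned char S5_SAMPLE_DOMAIN[] = {
    0x05, 0x01, 0x00, 0x03, 0x0b,
    'e','x','a','m','p','l','e','.','c','o','m',
    0x01, 0xbb                                   /* port 443 */
};
const size_t S5_SAMPLE_DOMAIN_LEN = sizeof S5_SAMPLE_DOMAIN;
const unsigned char S5_SAMPLE_IPV4[] = { 0x05, 0x01, 0x00, 0x01, 10, 0, 0, 1, 0x00, 0x16 }; /* 10.0.0.1:22 */
const size_t S5_SAMPLE_IPV4_LEN = sizeof S5_SAMPLE_IPV4;
const unsigned char S5_SAMPLE_BADVER[] = { 0x04, 0x01, 0x00, 0x01, 10, 0, 0, 1, 0x00, 0x16 };
const size_t S5_SAMPLE_BADVER_LEN = sizeof S5_SAMPLE_BADVER;

/* Small accessors so the result of the last parse can be inspected. */
static struct s5_dest s5_last;
int s5_try(const unsigned char *buf, size_t have) { return s5_parse_request(buf, have, &s5_last); }
const char *s5_last_host(void) { return s5_last.host; }
unsigned s5_last_port(void) { return s5_last.port; }

int main(void)
{
    int n = s5_try(S5_SAMPLE_DOMAIN, S5_SAMPLE_DOMAIN_LEN);
    printf("full domain request: consumed %d -> %s:%u\n", n, s5_last_host(), s5_last_port());
    printf("one byte short:      consumed %d (0 = wait for more input)\n",
           s5_try(S5_SAMPLE_DOMAIN, S5_SAMPLE_DOMAIN_LEN - 1));
    return 0;
}
```

Feeding the 18-byte domain request minus its last byte is the case the off-by-one turns on: a guard of 4 + addrlen + 2 = 17 accepts those 17 bytes, while the parser here correctly asks for more.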
From: markus at openbsd.org (Markus Friedl) Date: Thu, 26 Jun 2003 09:52:08 +0200 Subject: socks5 support for -D In-Reply-To: <20030626075013.GB20784@folly> References: <20030625121659.GA7053@folly> <3EFA2E37.7670C39C@zip.com.au> <20030626075013.GB20784@folly> Message-ID: <20030626075208.GA9831@folly> On Thu, Jun 26, 2003 at 09:50:13AM +0200, Markus Friedl wrote: > On Thu, Jun 26, 2003 at 09:20:23AM +1000, Darren Tucker wrote: > > Markus Friedl wrote: > > > here's an up-to-date patch, should apply to both > > > openbsd and non-openbsd versions of openssh. > > > > > > i did only test ipv4 addresses. > > > > Hi. I just tried this and found that it does not work for the > > SSH_SOCKS5_DOMAIN case because the destination host is not decoded > > correctly. RFC1928 says the host name has a leading length record (1 > > byte) and is not null terminated, so the code as presented has an > ^^^^ > > then the strlcpy needs to be replaced by a memcpy. oh no, i'm confused :) From markus at openbsd.org Thu Jun 26 17:59:04 2003 From: markus at openbsd.org (Markus Friedl) Date: Thu, 26 Jun 2003 09:59:04 +0200 Subject: New regression test: dynamic forwarding In-Reply-To: <3EF996C6.10A6829D@zip.com.au> References: <3EF996C6.10A6829D@zip.com.au> Message-ID: <20030626075903.GE20784@folly> On Wed, Jun 25, 2003 at 10:34:14PM +1000, Darren Tucker wrote: > Hi All. > The discussion about SOCKS5 support set me thinking about how you would > test it, and I came up with the attached test. (Again, mostly code stolen > from another test, this time forwarding.sh). It requires "connect" [1] > but will skip the test if it's not found. > > -Daz. > > [1] http://www.taiyo.co.jp/~gotoh/ssh/connect.html on openbsd netcat could be used, it supports both socks 4 and 5. From markus at openbsd.org Thu Jun 26 18:00:50 2003 
From: markus at openbsd.org (Markus Friedl) Date: Thu, 26 Jun 2003 10:00:50 +0200 Subject: Patch for Socks5 support for dynamic portforwarding? In-Reply-To: <20030625213633.GA3956@misery.proulx.com> References: <001b01c33a3e$a45eb780$0206a8c0@pentium4> <20030624105039.GA25895@folly> <20030625213633.GA3956@misery.proulx.com> Message-ID: <20030626080050.GF20784@folly> On Wed, Jun 25, 2003 at 03:36:33PM -0600, Bob Proulx wrote: > I am sure I am missing something in this thread. Perhaps someone can > educate me? instead of statically setting up forwardings with -L you can set up a listener with -D. now tcp clients need to tell ssh(1) where to forward to. using socks for this seems 'natural'. From dtucker at zip.com.au Thu Jun 26 18:45:14 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 26 Jun 2003 18:45:14 +1000 Subject: New regression test: dynamic forwarding References: <3EF996C6.10A6829D@zip.com.au> <20030626075903.GE20784@folly> Message-ID: <3EFAB29A.36666604@zip.com.au> Markus Friedl wrote: > on openbsd netcat could be used, it supports both socks 4 and 5. Hmm, didn't know about that. How about something like the following? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- A non-text attachment was scrubbed... Name: dynamic-forward.sh Type: application/x-sh Size: 1030 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030626/325cdbd8/attachment.sh From dan at doxpara.com Thu Jun 26 20:40:57 2003 
From: dan at doxpara.com (Dan Kaminsky) Date: Thu, 26 Jun 2003 03:40:57 -0700 Subject: New regression test: dynamic forwarding In-Reply-To: <20030626075903.GE20784@folly> References: <3EF996C6.10A6829D@zip.com.au> <20030626075903.GE20784@folly> Message-ID: <3EFACDB9.1060906@doxpara.com> >on openbsd netcat could be used, it supports both socks 4 and 5. > Given that we already have a good portion of the necessary code to support simple SOCKS already, _and_ that a built-in client would then be able to interface with our already built-in server, why _not_ support an ultra-simple socks4/socks5 client mode? I mean, we already have the struct declaration, and it's only a few bytes in front of the TCP session...surely for such a simple case it's better to integrate than ask the user to route their SSH session through a probably insecure proxycommand? If nothing else, it'd help regression testing. --Dan From markus at openbsd.org Thu Jun 26 21:15:37 2003 From: markus at openbsd.org (Markus Friedl) Date: Thu, 26 Jun 2003 13:15:37 +0200 Subject: New regression test: dynamic forwarding In-Reply-To: <3EFACDB9.1060906@doxpara.com> References: <3EF996C6.10A6829D@zip.com.au> <20030626075903.GE20784@folly> <3EFACDB9.1060906@doxpara.com> Message-ID: <20030626111537.GA31221@folly> On Thu, Jun 26, 2003 at 03:40:57AM -0700, Dan Kaminsky wrote: > Given that we already have a good portion of the necessary code to > support simple SOCKS already, _and_ that a built-in client would then be > able to interface with our already built-in server, why _not_ support an > ultra-simple socks4/socks5 client mode? > > I mean, we already have the struct declaration, and it's only a few but that's it. perhaps. From alex at peuchert.de Fri Jun 27 05:29:16 2003 
From: alex at peuchert.de (Alex Peuchert) Date: Thu, 26 Jun 2003 21:29:16 +0200 Subject: AW: AW: AW: Re: Patch for Socks5 support for dynamic portforwarding? In-Reply-To: <20030625110002.GA29105@folly> Message-ID: Rehi, sorry for not responding immediately, but I had to earn some money... Concerning UDP via SOCKS5: according to the RFC1928, UDP datagrams are encapsulated in a UDP request and then sent over a Stream (which is exactly what ssh provides). This does not sound like having to invent something new. - alex > > > On Wed, Jun 25, 2003 at 02:56:48AM -0700, Dan Kaminsky wrote: > > It's really tricky to define how you'd encap UDP in SSH. You'd almost > > literally need a new SSH packet type, and unless we can show how it > > would save kittens and bring peace to the middle east, that ain't going > > to happen. > > I'm not sure. I'm considering forwarding UDP by adding a new > channel type, but only if I need this... > From markus at openbsd.org Fri Jun 27 05:35:23 2003 From: markus at openbsd.org (Markus Friedl) Date: Thu, 26 Jun 2003 21:35:23 +0200 Subject: AW: AW: Re: Patch for Socks5 support for dynamic portforwarding? In-Reply-To: References: <20030625110002.GA29105@folly> Message-ID: <20030626193523.GA31336@folly> On Thu, Jun 26, 2003 at 09:29:16PM +0200, Alex Peuchert wrote: > Concerning UDP via SOCKS5: according to the RFC1928, UDP datagrams are > encapsulated in a UDP request and then sent over a Stream (which is exactly > what ssh provides). This does not sound like having to invent something new. but who decapsulates? From alex at peuchert.de Fri Jun 27 05:44:54 2003 
From: alex at peuchert.de (Alex Peuchert) Date: Thu, 26 Jun 2003 21:44:54 +0200 Subject: AW: AW: AW: Re: Patch for Socks5 support for dynamic portforwarding? In-Reply-To: <20030626193523.GA31336@folly> Message-ID: > > On Thu, Jun 26, 2003 at 09:29:16PM +0200, Alex Peuchert wrote: > > Concerning UDP via SOCKS5: according to the RFC1928, UDP datagrams are > > encapsulated in a UDP request and then sent over a Stream > (which is exactly > > what ssh provides). This does not sound like having to invent > something new. > > but who decapsulates SOCKS5 is the protocol between the SOCKS client and the SOCKS5 server; always TCP => stream the rest is up to the server From markus at openbsd.org Fri Jun 27 06:12:17 2003 From: markus at openbsd.org (Markus Friedl) Date: Thu, 26 Jun 2003 22:12:17 +0200 Subject: AW: AW: Re: Patch for Socks5 support for dynamic portforwarding? In-Reply-To: References: <20030626193523.GA31336@folly> Message-ID: <20030626201217.GC10972@folly> On Thu, Jun 26, 2003 at 09:44:54PM +0200, Alex Peuchert wrote: > > > > > > On Thu, Jun 26, 2003 at 09:29:16PM +0200, Alex Peuchert wrote: > > > Concerning UDP via SOCKS5: according to the RFC1928, UDP datagrams are > > > encapsulated in a UDP request and then sent over a Stream > > (which is exactly > > > what ssh provides). This does not sound like having to invent > > something new. > > > > but who decapsulates > > SOCKS5 is the protocol between the SOCKS client and the SOCKS5 server; > always TCP => stream > the rest is up to the server but sshd will not talk UDP. From alex at peuchert.de Fri Jun 27 06:38:29 2003 
From: alex at peuchert.de (Alex Peuchert) Date: Thu, 26 Jun 2003 22:38:29 +0200 Subject: AW: AW: AW: Re: Patch for Socks5 support for dynamic portforwarding? In-Reply-To: <20030626201217.GC10972@folly> Message-ID: > > > > SOCKS5 is the protocol between the SOCKS client and the SOCKS5 server; > > always TCP => stream > > the rest is up to the server > > but sshd will not talk UDP. > why not? From mouring at etoh.eviladmin.org Fri Jun 27 07:44:45 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 26 Jun 2003 16:44:45 -0500 (CDT) Subject: AW: AW: AW: Re: Patch for Socks5 support for dynamic portforwarding? In-Reply-To: Message-ID: On Thu, 26 Jun 2003, Alex Peuchert wrote: > > > > > > SOCKS5 is the protocol between the SOCKS client and the SOCKS5 server; > > > always TCP => stream > > > the rest is up to the server > > > > but sshd will not talk UDP. > > > > why not? > Because nowhere in the RFC does it discuss how to handle UDP, just TCP. - Ben From djm at shitei.mindrot.org Fri Jun 27 09:29:22 2003 From: djm at shitei.mindrot.org (Damien Miller) Date: Fri, 27 Jun 2003 09:29:22 +1000 (EST) Subject: AW: AW: AW: Re: Patch for Socks5 support for dynamic portforwarding? In-Reply-To: References: Message-ID: On Thu, 26 Jun 2003, Alex Peuchert wrote: > > > > > > SOCKS5 is the protocol between the SOCKS client and the SOCKS5 server; > > > always TCP => stream > > > the rest is up to the server > > > > but sshd will not talk UDP. > > why not? get a clue. You are asking for features without the slightest understanding of their implementation, implications or appropriateness. -d From krbcore at mit.edu Fri Jun 27 11:58:56 2003 
From: krbcore at mit.edu (Marshall Vale) Date: Thu, 26 Jun 2003 18:58:56 -0700 Subject: Kerberos Support in OpenSSH Message-ID: Dear Sir and Madam: I'm writing to you on behalf of the MIT Kerberos team and several other parties interested in the availability of Kerberos authentication for the SSH protocol. We recently noticed that the OpenSSH developers had added support for the kerberos-2 at ssh.com user authentication mechanism. We are delighted but we believe additional steps are necessary, as explained below. We are happy that OpenSSH is looking at Kerberos for SSH protocol version 2. It has been our experience that the combination of Kerberos and SSH provides an excellent method for sites to have secure login access while centrally managing keys and avoiding the problems of maintaining known_hosts files. We do have two concerns that we would like to discuss with you. We will briefly describe our concerns and then discuss them in detail. First, we would like to ask you to commit to implementing draft-ietf-secsh-gsskeyex in addition to any other Kerberos mechanisms you decide to ship for protocol version 2. We believe the mechanisms described in this draft better meet the needs of the Kerberos community, will have wider long-term acceptance and have undergone more comprehensive review in the standards community than previous methods. Secondly, we would like to find a way to reduce the user confusion associated with all of the different options for Kerberos and SSH. Ideally everyone will eventually migrate to the IETF standards track approach, but even then, we will need to help people understand differences between Kerberos used for key exchange, Kerberos used for userauth, and Kerberos used behind the scenes for password authentication. If there are any ways we could help you address these concerns please feel free to ask us. 
The primary reason we want to see OpenSSH adopt an implementation of the IETF draft is that we believe it better meets the needs of the Kerberos community. In addition to an SSH userauth method, the IETF draft includes a key exchange mechanism. Previous methods only used Kerberos to authenticate the client to the server and still relied on the SSH known_hosts file to authenticate the server to the client. Especially in large sites this is undesirable because updating known hosts files when machines are rekeyed is difficult. Many users always accept new keys without question and thus are vulnerable to a man-in-the-middle attack. The GSSAPI key exchange mechanism in the IETF draft uses Kerberos to authenticate both parties to each other, avoiding man-in-the-middle attacks. This allows Kerberos sites to gain the same level of security with ssh that they have enjoyed for years with rlogin and ftp. There has been significant interest in the Kerberos community ever since Simon Wilkinson first released his GSSAPI patches to OpenSSH. A broad range of customer sites have adopted the IETF draft and deployed Simon's patches in production. Several major Unix vendors have chosen to adopt the GSSAPI protocol to provide Kerberos authentication. At least two Windows implementations of SSH (Secure CRT and Kermit95) implement GSSAPI support. Patches are available for Putty. The GSSAPI framework also supports mechanisms other than Kerberos V, such as SPKM, which could be used to add x.509 support to SSH. For example, Simon's patches include support for the Globus GSI mechanism. The IETF GSSAPI draft has been more thoroughly reviewed within the IETF community than any previous Kerberos solution. Authors of the draft include both implementers and interested third parties. At least three independent and interoperable implementations have been written from this draft, so the quality of the spec is good. 
Significant parts of the spec were motivated by a presentation of the kerberos-1 at ssh.com spec at the IETF. The ssh.com spec received a strong negative reaction from both the Kerberos working group and the Secure Shell working group. People were concerned about the lack of mutual authentication, the way tickets were passed from client to server and how Kerberos interacted with password authentication. For this reason, the Secure Shell working group did not accept the kerberos-1 at ssh.com mechanism but instead started work on the GSSAPI draft. Although improved, the kerberos-2 at ssh.com mechanism retains many of the operations that caused working group participants to be concerned. The MIT Kerberos team may be able to help OpenSSH add support for draft-ietf-secsh-gsskeyex. In particular, we would be happy to answer any questions you might have regarding either Simon's patches or the protocol. If you would accept help auditing Simon's patches or another implementation of the draft, we would be happy to assist. Once the IETF draft is implemented, the Kerberos and SSH communities will then need to deal with user education. The experience with the many incompatible methods of implementing Kerberos for SSH protocol version 1 has shown that users will be confused. Over the longer term we prefer people to use either the GSSAPI key exchange or the GSSAPI userauth method. Thus the Kerberos and SSH communities will need to work not only to find ways to make it clear in what direction we are heading but also that the other options are only being provided to address the issue of compatibility with deployed implementations. Signed, Marshall Vale, on behalf of the MIT Kerberos Development Team Jeffrey Altman Douglas E. Engert Joseph Galbraith Jeffrey Hutzelman Joseph Salowey Von Welch Simon Wilkinson From alex at peuchert.de Sat Jun 28 07:09:05 2003 
From: alex at peuchert.de (Alex Peuchert) Date: Fri, 27 Jun 2003 23:09:05 +0200 Subject: AW: AW: Re: Patch for Socks5 support for dynamic portforwarding? In-Reply-To: <20030625105334.GC12638@folly> Message-ID: > > again, have you verified that the patch makes this possible? > Hi, I applied your patch and it works. But only for SSH_SOCKS5_CONNECT which is SOCKS5 CMD X'01' from RFC1928. UDP forwarding is CMD X'03', so there is more work to be done ... I will look into it this weekend, but don't expect much ... as I'm not a good coder :-( - alex From dtucker at zip.com.au Sat Jun 28 11:24:46 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 28 Jun 2003 11:24:46 +1000 Subject: openssh-3.6.1p2-passexpire20.patch prevents /etc/nologin display on AIX References: Message-ID: <3EFCEE5E.4AF71D2F@zip.com.au> "Elwell, AD (Andrew)" wrote: > Patch enclosed below (apply after the p20) > > I'm guessing he'll either update p20 or issue p21 soon. For anyone affected by this (it was specific to AIX when /etc/nologin was used), I have put up a passexpire21 patch. This is the only change from 20. -Daz. http://www.zip.com.au/~dtucker/openssh/openssh-3.6.1p2-passexpire21.patch -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From markus at openbsd.org Sat Jun 28 16:59:31 2003 
From: markus at openbsd.org (Markus Friedl) Date: Sat, 28 Jun 2003 08:59:31 +0200 Subject: AW: Re: Patch for Socks5 support for dynamic portforwarding? In-Reply-To: References: <20030625105334.GC12638@folly> Message-ID: <20030628065931.GA27170@folly> On Fri, Jun 27, 2003 at 11:09:05PM +0200, Alex Peuchert wrote: > UDP forwarding is CMD X'03', so there is more work to be done ... I will > look into it this weekend, but don't expect much ... as I'm not a good coder > :-( we will not support 0x03 as it requires changes in sshd. From openssh at roumenpetrov.info Mon Jun 30 19:02:41 2003 From: openssh at roumenpetrov.info (Roumen Petrov) Date: Mon, 30 Jun 2003 12:02:41 +0300 Subject: experimental DNS fingerprint Message-ID: <3EFFFCB1.7070501@roumenpetrov.info> Please find attached file "configure.ac+dns.patch". This patch allows compiling current (30 Jun 2003) with the option --with-dns on my platform. Output from "ssh -v -o VerifyHostKeyDNS=yes ..." follows: ... debug1: found 1 fingerprints in DNS debug1: matching host key fingerprint found in DNS ... -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: configure.ac+dns.patch Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030630/acaf927d/attachment.ksh From djm at mindrot.org Mon Jun 30 19:22:02 2003 
From: djm at mindrot.org (Damien Miller) Date: Mon, 30 Jun 2003 19:22:02 +1000 Subject: experimental DNS fingerprint In-Reply-To: <3EFFFCB1.7070501@roumenpetrov.info> References: <3EFFFCB1.7070501@roumenpetrov.info> Message-ID: <3F00013A.3010601@mindrot.org> Roumen Petrov wrote: > Please find attached file "configure.ac+dns.patch". > This patch allow to compile current (30 Jun 2003) with options > --with-dns on my platform. Applied - thanks. > AC_SEARCH_LIBS(res_query, resolv) hmm, there are probably a few places in configure.ac where we should use AC_SEARCH_LIBS rather than AC_CHECK_LIB. AC_CHECK_LIB seems to insert duplicate libraries on matching, AC_SEARCH_LIBS is smarter. -d From sb38 at sb88.com Mon Jun 30 20:17:46 2003 
From: sb38 at sb88.com (=?iso-2022-jp?B?GyRCIzUyLyM5QGlLfDFfPlo1ck0tGyhC?=) Date: Mon, 30 Jun 2003 19:17:46 +0900 Subject: =?iso-2022-jp?b?GyRCTCQ+NUJ6OS05cCF2IzUyLyM5QGlLfDFfPH1Gfj5aGyhC?= =?iso-2022-jp?b?GyRCNXIkKyRpIzMyLzFfJFgwbEpiISEhISEhGyhC?= Message-ID: <200306301017.h5UAHkl19254@sb88.com> From openssh at roumenpetrov.info Mon Jun 30 19:19:23 2003 
From: openssh at roumenpetrov.info (Roumen Petrov) Date: Mon, 30 Jun 2003 12:19:23 +0300 Subject: experimental DNS fingerprint References: <3EFFFCB1.7070501@roumenpetrov.info> Message-ID: <3F00009B.2040508@roumenpetrov.info> P.S.: libresolv is from glibc 2.2.5. Works with 2.2.4 and 2.2.3 too. Roumen Petrov wrote: > Please find attached file "configure.ac+dns.patch". > This patch allows compiling current (30 Jun 2003) with the option > --with-dns on my platform. > > Output from "ssh -v -o VerifyHostKeyDNS=yes ..." follows: > ... > debug1: found 1 fingerprints in DNS > debug1: matching host key fingerprint found in DNS > ... > >------------------------------------------------------------------------ > >Index: configure.ac >=================================================================== >RCS file: /cvs/openssh/configure.ac,v >retrieving revision 1.129 >diff -u -r1.129 configure.ac >--- configure.ac 29 Jun 2003 11:30:41 -0000 1.129 >+++ configure.ac 30 Jun 2003 08:57:40 -0000 >@@ -1876,7 +1876,13 @@ > DNS_MSG="yes" > AC_DEFINE(DNS) > AC_SEARCH_LIBS(getrrsetbyname, resolv, >- [AC_DEFINE(HAVE_GETRRSETBYNAME)]) >+ [AC_DEFINE(HAVE_GETRRSETBYNAME)], >+ [ >+ dnl getrrsetbyname implementation need next functions >+ AC_SEARCH_LIBS(res_query, resolv) >+ AC_SEARCH_LIBS(dn_expand, resolv) >+ ] >+ ) > fi > ] > ) > > -- Get X.509 certificate support in OpenSSH: http://roumenpetrov.info/openssh
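Review bot: the fallback AC_SEARCH_LIBS(res_query, resolv) and AC_SEARCH_LIBS(dn_expand, resolv) link against a symbol that the configure probe declares itself, not the one the DNS code sees after `#include <resolv.h>`; on libcs where resolv.h renames res_query and dn_expand to internal symbols through macros (glibc does this), the probe can conclude -lresolv is unnecessary, or that the bare symbol is present, while the real compile of the getrrsetbyname replacement then fails to link. A more robust probe is an AC_LINK_IFELSE test that includes <resolv.h> and calls res_query(), appending -lresolv to LIBS only when that test fails. Also, the whole fallback is placed in the action-if-not-found argument and so only runs when getrrsetbyname is absent, which is the intended scope but worth stating in the dnl comment; that comment should read "implementation needs these functions".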