From dtucker at zip.com.au Thu May 1 00:36:04 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 01 May 2003 00:36:04 +1000
Subject: [Bug 14] Can't change expired /etc/shadow password without PAM
References: <20030430135827.14B69942A4@shitei.mindrot.org>
Message-ID: <3EAFDF54.BE7F9820@zip.com.au>

Hi All,

bugzilla-daemon at mindrot.org wrote:
> Created an attachment (id=278)
> --> (http://bugzilla.mindrot.org/attachment.cgi?id=278&action=view)
> passexpire19: AIX and /etc/shadow password expiry
>
> Only a small change: now takes S_MAXAGE into account when checking for
> over-expired passwords. Report and fix from Ravinder Sekhon.
>
> Patch against 3.6.1p2 is at
> http://www.zip.com.au/~dtucker/openssh/openssh-3.6.1p2-passexpire19.patch

I just wanted to mention that I lose access to my RS/6000s in a couple of
weeks, so if someone wants to look at merging the password expiry support
(or even just the AIX-specific parts), now would be a good time.

I suspect what's required is:
1) Split out the Buffer login_message stuff and make it an OpenBSD patch.
2) Sync that to -portable, merge the portable bits from bug #463.
3) Merge the rest (either AIX only or AIX + shadow).

If this is possible, let me know what needs to be done and I'll make time
for it. If it is more desirable to merge the platform-specific bits in
separate patches, I suggest alphabetically by platform :-).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From nicklange at wi.rr.com Thu May 1 01:24:08 2003
From: nicklange at wi.rr.com (Nick Lange)
Date: Wed, 30 Apr 2003 11:24:08 -0400
Subject: pam + privileges
In-Reply-To: <00dc01c30f19$77c823f0$6600a8c0@JAMES>
References: <009701c30f0e$4a077f70$6600a8c0@JAMES> <3EAFB99A.5020604@mindrot.org> <00dc01c30f19$77c823f0$6600a8c0@JAMES>
Message-ID: <3EAFEA98.7030008@wi.rr.com>

James,
the chroot patch I wrote for 3.5p1 (and am in the process of deploying for
the 3.6 series) works with PAM and privsep. Dunno if it helps your
particular situation or not.

http://majikal.dyn.dhs.org/projekts/openssh_chroot_patch/

cheers,
nick

P.S. Anyone seen any recent file transfer logging patches for sftp / scp?
(Before I write one myself.)

James Williamson wrote:
>> James Williamson wrote:
>>
>>> Hi,
>>>
>>> Apologies if my attempts to subscribe bombarded this list with empty
>>> emails.
>>>
>>> We're running openssh 3.6.1p1 on Linux i386 and need to chroot and
>>> modify people's capabilities (Linux specific) when they log in. To do
>>> this we've compiled openssh with pam support and then configured pam to
>>> chroot people and alter their capabilities (such as giving them the
>>> privilege to bind to a port below 1024). In the past we've used the
>>> chroot patch which works well, yet using pam to chroot and grant
>>> capabilities fails.
>>>
>>> I've scanned through the code and it seems openssh is giving away root
>>> privilege very early in the pam pipeline. By the time it reaches the
>>> password / session stages it's given up all root privileges. The problem
>>> is the chroot and capability pam modules apply their changes during the
>>> pam session stage, so you'd expect root to still be in control until the
>>> pam session stage.
>>>
>>> Can anyone let me know if this was/is a conscious design decision?
>>
>> Absolutely, our goal is to have as little as possible code running with
>> root privileges.
>>
>> Whether pam_session should run with root is a matter of debate though.
>> Have a look through bugzilla.mindrot.org, there is a bug open for this.
>
> Thanks,
>
> I've had a look at the 'bug'. Rather than using setuid, why not use
> setreuid or seteuid to temporarily give up privileges? This is how sendmail
> handles the 'run as root as infrequently as possible' issue. If I write a
> patch is it likely to be accepted?
>
> Regards,
>
> James Williamson
> www.nameonthe.net
> Tel: +44 208 7415453
> Fax: +44 208 7411615
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From cool_dm at yahoo.com Thu May 1 03:57:17 2003
From: cool_dm at yahoo.com (dm)
Date: Wed, 30 Apr 2003 10:57:17 -0700 (PDT)
Subject: Bad packet length issue
Message-ID: <20030430175717.96888.qmail@web14002.mail.yahoo.com>

Hello,

I am porting the OpenSSH 3.4 code to a proprietary operating system. I am
running into the issue of the ssh client disconnecting with the message

  Disconnecting: Bad packet length 2782384553.

This happens only when there is a large (~100k) output of some command
executed on the remote system. If the output is not large then it doesn't
happen. I tried with different encryption algorithms but got the same
result. It might be something I have done during the port but I just
wanted to find out what causes the ssh client to print such a message.

I am executing the following command for the ssh client:

  ssh -2 -v -v -v -l admin 10.9.40.168

The last few lines before the ssh client prints this message are as
follows (note the extra characters printed right before the error message
and after the string "false" in the output. Why are these getting
printed?):

- -

References:
Message-ID: <200304301809.h3UI9P5J005965@turing-police.cc.vt.edu>

On Wed, 30 Apr 2003 13:39:49 +1000, Damien Miller said:
> 1. Systems affected:
>
> Users of Portable OpenSSH prior to 3.6.1p2 on AIX are affected
> if OpenSSH was compiled using a non-AIX compiler (e.g. gcc).

This is the same problem as I spotted in Sendmail 8.10. Basically,
somewhere, linking is being done with "-L. -lfoo" or similar (in
sendmail's case, it was -L../otherdir type stuff).

Workaround/fix: Link with "-bnolibpath -blibpath:/usr/local/lib:/usr/lib"
or similar.

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030430/63f017e4/attachment.bin

From fcusack at fcusack.com Thu May 1 04:16:44 2003
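The framing check behind dm's "Bad packet length" report, as an added example; this is not code from the OpenSSH tree or from dm's port. It builds SSH2 binary packets (RFC 4253 section 6) with the cipher and MAC left out so the framing is visible, parses them with the same bounds the receiver applies (OpenSSH's packet.c rejects a length below 5 or above 256 KiB before buffering anything), and then reproduces the two ways a port usually lands here: a cipher whose state has slipped by one block, and a read loop that loses one byte of plaintext. The key, the SHA-256 based XOR keystream and the ~100 KiB of CHANNEL_DATA payload are constructed for the demonstration; the keystream stands in for the real cipher and is not one.

```python
"""SSH2 binary packet framing and the receiver's length sanity check (added example)."""
import hashlib
import os
import struct

PACKET_MAX_SIZE = 256 * 1024   # largest packet_length OpenSSH's packet.c accepts
BLOCK = 8                      # cipher block size the framing pads to (3des, blowfish)


class BadPacketLength(Exception):
    """Raised where ssh/sshd would call packet_disconnect()."""


def build_packet(payload: bytes, block: int = BLOCK) -> bytes:
    """Frame one payload: uint32 packet_length | byte padding_length | payload | padding.

    packet_length counts everything after itself; padding is at least 4 bytes
    and brings (4 + 1 + payload + padding) to a multiple of the block size.
    """
    padlen = block - ((4 + 1 + len(payload)) % block)
    if padlen < 4:
        padlen += block
    header = struct.pack(">IB", 1 + len(payload) + padlen, padlen)
    return header + payload + os.urandom(padlen)   # padding is random on the wire


def read_packets(stream: bytes) -> list:
    """Split a concatenation of already-decrypted packets into payloads.

    The first check is the one that prints "Bad packet length N.": a length
    outside [5, 256 KiB] means the bytes under the length field are not a
    length at all, so the receiver disconnects instead of buffering gigabytes.
    """
    payloads = []
    off = 0
    while off < len(stream):
        if len(stream) - off < 4:
            raise BadPacketLength("truncated length field at offset %d" % off)
        (packet_length,) = struct.unpack_from(">I", stream, off)
        if packet_length < 1 + 4 or packet_length > PACKET_MAX_SIZE:
            raise BadPacketLength("Bad packet length %d." % packet_length)
        end = off + 4 + packet_length
        if end > len(stream):
            raise BadPacketLength("packet of %d bytes runs past end of stream" % packet_length)
        padlen = stream[off + 4]
        if padlen < 4 or padlen >= packet_length:
            raise BadPacketLength("bad padding length %d" % padlen)
        payloads.append(stream[off + 5:end - padlen])
        off = end
    return payloads


def toy_keystream(key: bytes, start_block: int, n: int) -> bytes:
    """Deterministic CTR-style keystream: SHA-256(key || block index), 32 bytes per block.

    A constructed stand-in so a cipher-state slip is reproducible; NOT an SSH cipher.
    """
    out = bytearray()
    block = start_block
    while len(out) < n:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:n])


def xor_stream(data: bytes, key: bytes, start_block: int) -> bytes:
    """Encrypt or decrypt by XOR; both ends stay in sync only if they start at the same block."""
    return bytes(a ^ b for a, b in zip(data, toy_keystream(key, start_block, len(data))))


def channel_data(channel_id: int, data: bytes) -> bytes:
    """SSH_MSG_CHANNEL_DATA (type 94): byte | uint32 recipient channel | string data."""
    return struct.pack(">BII", 94, channel_id, len(data)) + data


def demo() -> dict:
    key = b"example-session-key"   # assumed toy key, not derived from a real key exchange
    # Constructed: ~100 KiB of command output as 25 CHANNEL_DATA packets of 4 KiB,
    # the volume at which the report says the ported client starts failing.
    clear = b"".join(build_packet(channel_data(0, bytes([65 + i % 26]) * 4096))
                     for i in range(25))
    wire = xor_stream(clear, key, 0)
    results = {"in_sync": len(read_packets(xor_stream(wire, key, 0)))}
    try:                                     # receiver's keystream one block ahead
        read_packets(xor_stream(wire, key, 1))
    except BadPacketLength as e:
        results["cipher_desync"] = str(e)
    try:                                     # one plaintext byte lost by a read loop
        read_packets(clear[1:])
    except BadPacketLength as e:
        results["shifted_stream"] = str(e)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-16s %s" % (name, value))
```

The in-sync receiver recovers all 25 payloads; both failure modes die on the first packet with an absurd length, because a 32-bit field read from the wrong offset or from garbage is almost always in the millions or billions. That is why the number in such a report looks random, and why swapping ciphers does not change the symptom: the suspects in a port are the buffering between the socket and the cipher (partial reads, block alignment, a length field consumed twice) rather than the cipher itself.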
From: fcusack at fcusack.com (Frank Cusack)
Date: Wed, 30 Apr 2003 11:16:44 -0700
Subject: pam + privileges
In-Reply-To: <3EAFB99A.5020604@mindrot.org>; from djm@mindrot.org on Wed, Apr 30, 2003 at 09:55:06PM +1000
References: <009701c30f0e$4a077f70$6600a8c0@JAMES> <3EAFB99A.5020604@mindrot.org>
Message-ID: <20030430111644.B24537@google.com>

On Wed, Apr 30, 2003 at 09:55:06PM +1000, Damien Miller wrote:
> Whether pam_session should run with root is a matter of debate though.

I'm surprised this is still a matter of debate. pam_session needs to run
as root! Perhaps I'm just debating. :-)

/fc

From bugzilla-daemon at mindrot.org Thu May 1 05:18:21 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 1 May 2003 05:18:21 +1000 (EST)
Subject: [Bug 551] ssh install fails on Tru64 V5.0A
Message-ID: <20030430191821.9BE12942C1@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=551

           Summary: ssh install fails on Tru64 V5.0A
           Product: Portable OpenSSH
           Version: -current
          Platform: Alpha
        OS/Version: OSF/1
            Status: NEW
          Severity: major
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: rothstc at polaroid.com

I installed ssh 3.6.1p1 on Tru64 V5.0A. The following command from make
install failed:

  /usr/local/sbin/sshd -t -f /usr/local/etc/sshd_config
  bad addr or host: (servname not supported for ai_socktype)

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Darren.Moffat at Sun.COM Thu May 1 08:18:01 2003
From: Darren.Moffat at Sun.COM (Darren J Moffat)
Date: Wed, 30 Apr 2003 15:18:01 -0700 (PDT)
Subject: pam + privileges
In-Reply-To: <20030430111644.B24537@google.com>
References: <009701c30f0e$4a077f70$6600a8c0@JAMES> <3EAFB99A.5020604@mindrot.org> <20030430111644.B24537@google.com>
Message-ID:

On Wed, 30 Apr 2003, Frank Cusack wrote:

> On Wed, Apr 30, 2003 at 09:55:06PM +1000, Damien Miller wrote:
> > Whether pam_session should run with root is a matter of debate though.
>
> I'm surprised this is still a matter of debate. pam_session needs
> to run as root!

I don't see what is to debate here either. All pam_* functions assume that
they are running with sufficient privileges for all potential modules to do
their job. This means that all pam_* functions need to run as root or with
some other definition of all privileges.

As it happens some modules on some systems don't need a lot (or in some
cases any) privilege to do their job. However some modules need to update
or read files or access resources that need root privilege.

Note that while it is very impolite for PAM modules to change the uid/gid
of the process, some do attempt to do this (sadly).

Calling any pam_*() function from libpam without sufficient privilege
(euid=root on most systems) is a bug in the application.

Note also that some vendors have shipped versions of a pam_unix.so
authentication system that uses a setuid helper program in the
implementation of pam_sm_authenticate(3pam) to allow reading of /etc/shadow
for the user's own encrypted password. This confuses the issue for many
developers of PAM applications and is a disservice to PAM. I believe the
goal was to allow screenlock type programs to re-authenticate the user;
however a screen lock should also be calling
pam_setcred(pamh, PAM_REFRESH_CRED), which is likely to fail on many
configurations if the calling application is not running as root.

--
Darren J Moffat

From bugzilla-daemon at mindrot.org Thu May 1 18:59:16 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 1 May 2003 18:59:16 +1000 (EST)
Subject: [Bug 552] broken reference from scp.c
Message-ID: <20030501085916.A638094208@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=552

           Summary: broken reference from scp.c
           Product: Portable OpenSSH
           Version: 3.6p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: dh at onclick.org

scp.o: In function `bwlimit':
/workspace/software/libraries/openssh-3.6.1p1/scp.c:691: undefined reference to `__fixunsdfdi'

My system values:

Linux Foo 2.4.20 #4 Don Feb 13 19:41:02 CET 2003 i686 unknown unknown GNU/Linux
Gnu C        3.2.3
Gnu make     3.80
util-linux   2.11x
ld           2.13.2

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu May 1 23:20:55 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 1 May 2003 23:20:55 +1000 (EST)
Subject: [Bug 552] broken reference from scp.c
Message-ID: <20030501132055.80FE894208@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=552

dh at onclick.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|broken reference from scp.c |broken reference from scp.c

------- Additional Comments From dh at onclick.org 2003-05-01 23:20 -------
Bug still exists in p2

Here is the complete error msg again:

/bin/ld -o scp scp.o progressmeter.o -L. -Lopenbsd-compat/ -lssh -lopenbsd-compat -lutil -lz -lnsl -lcrypto -lcrypt
/bin/ld: warning: cannot find entry symbol _start; defaulting to 080492f0
scp.o: In function `bwlimit':
/workspace/software/libraries/openssh-3.6.1p2/scp.c:691: undefined reference to `__fixunsdfdi'

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri May 2 02:07:43 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 2 May 2003 02:07:43 +1000 (EST)
Subject: [Bug 552] broken reference from scp.c
Message-ID: <20030501160743.3D51A94208@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=552

------- Additional Comments From mouring at eviladmin.org 2003-05-02 02:07 -------
Can't reproduce here at my place.

[mouring at newton /tmp/ben/openssh]$uname -a
Linux newton 2.4.9-13enterprise #1 SMP Tue Oct 30 19:34:18 EST 2001 i686 unknown
[mouring at newton /tmp/ben/openssh]$cat /etc/redhat-release
Red Hat Linux release 7.2 (Enigma)

From shivapd at us.ibm.com Fri May 2 04:06:29 2003
From: shivapd at us.ibm.com (Shiva Persaud)
Date: Thu, 1 May 2003 13:06:29 -0500
Subject: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Taken from IBM's AIX vendor response
(http://lists.insecure.org/lists/bugtraq/2000/Mar/0184.html) to this issue
when discussed in 2000:

The AIX version 4 linker has always documented the -blibpath option as a
mechanism for removing build environment dependencies from a runtime
environment. Applications that gain privilege should always use this
option to remove library search paths that may not/should not exist on
customer machines.

The use of relative library paths is also highly discouraged. While they
can be useful, the -blibpath option should also be used to not only avoid
these types of security issues, but to remove the possibility of finding
(or not finding at all) the wrong relative directory, since relative paths
at runtime will be based upon the current working directory.

These and any other AIX security vulnerabilities can be reported to
security-alert at austin.ibm.com.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)

iD8DBQE+sWGWcnMXzUg7txIRAlPOAJ9MyLxzoesJAlE4z/rUTjUcBALV4gCfZjkW
bgslNWzYOTobFpw2Knr0V/0=
=+nIF
-----END PGP SIGNATURE-----

Shiva Persaud
AIX Security Developer


Damien Miller
04/29/2003 10:39 PM

To: BUGTRAQ at securityfocus.com, ,
cc:
Subject: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)

2. Description:

The default behavior of the runtime linker on AIX is to search the current
directory for dynamic libraries before searching system paths. This is done
regardless of the executable's set[ug]id status.

This behavior is insecure and extremely dangerous. It allows an attacker to
locally escalate their privilege level through the use of replacement
libraries.

Portable OpenSSH includes configure logic to override this broken behavior,
but only for the native compiler.
gcc uses a different command-line option (without changing the dangerous
default behavior).

From mouring at etoh.eviladmin.org Fri May 2 05:05:07 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 1 May 2003 14:05:07 -0500 (CDT)
Subject: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)
In-Reply-To:
Message-ID:

On Thu, 1 May 2003, Shiva Persaud wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Taken from IBM's AIX vendor response
> (http://lists.insecure.org/lists/bugtraq/2000/Mar/0184.html) to this issue
> when discussed in 2000:
>
> The AIX version 4 linker has always documented the -blibpath option as a
> mechanism for removing build environment dependencies from a runtime
> environment. Applications that gain privilege should always use this
> option to remove library search paths that may not/should not exist on
> customer machines.
>
> The use of relative library paths is also highly discouraged. While
> they can be useful, the -blibpath option should also be used to not only
> avoid these types of security issues, but to remove the possibility of
> finding (or not finding at all) the wrong relative directory, since
> relative paths at runtime will be based upon the current working
> directory.
>

Summary version: "We feel we are right even if it is a bad 'feature' to
have on by default."

I find this view to be a pretty bullshit response that shows lack of real
world development experience. Dangerous features should require enabling,
not disabling.

I'm very disappointed in this choice by IBM.

- Ben

From jfh at cise.ufl.edu Fri May 2 05:29:08 2003
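An added audit for the linker behaviour the advisory and IBM's response describe; it is not code from the advisory, from IBM or from the OpenSSH tree. On AIX, `dump -H <binary>` prints the loader section, and the PATH column of row 0 in its "Import File Strings" table is the colon-separated libpath the runtime linker walks for the binary's shared libraries, setuid or not. The check below flags every entry that resolves relative to the current working directory, which is what a local attacker with a replacement library abuses. The two `dump -H` samples are constructed inline (a gcc build linked with `-L. -Lopenbsd-compat/` and no `-blibpath`, and the same binary relinked with the `-bnolibpath -blibpath:/usr/local/lib:/usr/lib` flags from Valdis's message earlier in the thread); treating an empty libpath element like an empty `$PATH` element is an assumption.

```python
"""Audit the library search path embedded in an AIX XCOFF binary (added example).

On a real system, feed audit() the text from
    subprocess.run(["dump", "-H", path], capture_output=True, text=True).stdout
The samples at the bottom are constructed so the functions run anywhere.
"""
from typing import List


def libpath_from_dump(dump_text: str) -> str:
    """Return the libpath (row 0, PATH column) from `dump -H` output.

    The "Import File Strings" table starts with a header line "INDEX PATH BASE
    MEMBER"; row 0 carries the libpath and later rows the imported libraries.
    """
    lines = dump_text.splitlines()
    for i, line in enumerate(lines):
        if line.split()[:2] == ["INDEX", "PATH"]:
            for row in lines[i + 1:]:
                cols = row.split()
                if cols and cols[0] == "0":
                    return cols[1] if len(cols) > 1 else ""
            break
    raise ValueError("no Import File Strings table in dump -H output")


def relative_entries(libpath: str) -> List[str]:
    """Entries the loader resolves against the cwd: anything not starting with '/'.

    An empty element ("/usr/lib::/lib", or a leading/trailing colon) is
    reported too, on the assumption that AIX treats it as '.' like $PATH does.
    """
    if libpath == "":
        return []
    return [e for e in libpath.split(":") if not e.startswith("/")]


def audit(dump_text: str) -> dict:
    """Summarise whether a binary's embedded libpath can be hijacked from the cwd."""
    libpath = libpath_from_dump(dump_text)
    bad = relative_entries(libpath)
    return {"libpath": libpath, "relative": bad, "safe": not bad}


# Constructed sample: `dump -H sshd` for a gcc build linked with
# "-L. -Lopenbsd-compat/" and no -blibpath, the case in the advisory.  The AIX
# linker records each -L directory in the libpath, so "." and
# "openbsd-compat/" are searched first, relative to whatever cwd sshd has.
SAMPLE_GCC_BUILD = """\
sshd:

                        ***Import File Strings***
INDEX  PATH                          BASE                MEMBER
0      .:openbsd-compat/:/usr/lib:/lib
1                                    libc.a              shr.o
2                                    libcrypto.a         shr.o
"""

# Constructed sample after relinking with Valdis Kletnieks' workaround,
# -bnolibpath -blibpath:/usr/local/lib:/usr/lib (as -Wl,... when gcc drives
# the link): the -L directories no longer appear in the embedded path.
SAMPLE_FIXED = SAMPLE_GCC_BUILD.replace(".:openbsd-compat/:/usr/lib:/lib",
                                        "/usr/local/lib:/usr/lib")

if __name__ == "__main__":
    for name, text in (("gcc build", SAMPLE_GCC_BUILD), ("relinked", SAMPLE_FIXED)):
        print(name, audit(text))
```

The same two functions can be run over every set[ug]id binary on a box after a build (`find / -perm -4000 -type f`), which is the check that catches this class of problem regardless of which compiler or configure logic produced the binary.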
From: jfh at cise.ufl.edu (James F.Hranicky)
Date: Thu, 1 May 2003 15:29:08 -0400
Subject: Kerberos password auth/expiry kbdint patch
Message-ID: <20030501152908.6430fc37.jfh@cise.ufl.edu>

I took Markus Friedl's advice and set up a KbdintDevice for Kerberos
password authentication/expiry. It took me a bit to wrap my head around
privsep, but I think it's working properly (code stolen shamelessly from
FBSD's PAM implementation :->).

The hardest part was working out how to get the interaction between
krb5_get_init_creds_password() (along with the prompter) to work with the
auth2_challenge routines, as the logic between the two is very similar. I
ended up doing the following:

- using a state machine and some global data to communicate between the
  KbdintDevice routines, krb5_g_i_c_p() and the prompter
- rolled my own prompts, ignoring those generated by krb5_g_i_c_p()

So far, it seems to work well. My informal tests show:

- the code (included when --with-kerberos5-kbdint is given as an arg to
  configure) seems to interact with the existing Kerberos password code
  with no problems
- the password expiry works with OpenSSH versions 3.4p1, 3.5p1, and 3.6p1,
  SSH.com's Windows client, and putty v0.53b (apparently, putty 0.52 has a
  problem with the kbdint routines, sending 2 responses after the new
  password has been entered only once, causing packet_get() to bomb out
  on the server side)
- the code seems to work well on Solaris and FreeBSD, but I haven't yet
  tested it on any other platforms

Possible additions:

- a Kerberos5ViaKbdInt option

Questions, comments, or improvements welcome.

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh at cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-3.6p1.krb5-kbdintdev.patch.txt
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030501/5dc7984d/attachment.txt

From bugzilla-daemon at mindrot.org Fri May 2 05:26:03 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 2 May 2003 05:26:03 +1000 (EST)
Subject: [Bug 552] broken reference from scp.c
Message-ID: <20030501192603.5337294238@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=552

------- Additional Comments From dh at onclick.org 2003-05-02 05:26 -------
> From the looks of it I can only assume your headers redefine 'limitbw' variable
> to something else in a rather nasty and incorrect way.

Aehm, what do you mean with 'your' headers? Do you mean system headers or
headers in the openssh source tree? I don't know about 'limitbw' and don't
know where to search for it. What should I try out?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From simon at sxw.org.uk Fri May 2 08:07:06 2003
From: simon at sxw.org.uk (Simon Wilkinson)
Date: Thu, 01 May 2003 23:07:06 +0100
Subject: GSSAPI patches
Message-ID: <3EB19A8A.2080608@sxw.org.uk>

I'm pleased to announce that patches for GSSAPI support in 3.6.1p2 are now
available from

  http://www.sxw.org.uk/computing/patches/openssh.html

These bring the patch set up to conditional compliance with version 6 of
the GSSAPI draft, and fix a couple of long standing encoding bugs pointed
out by other implementors.

Cheers,

Simon.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 250 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030501/42e88b01/attachment.bin

From matt at ucc.gu.uwa.edu.au Fri May 2 18:44:22 2003
From: matt at ucc.gu.uwa.edu.au (Matt Johnston)
Date: Fri, 2 May 2003 16:44:22 +0800
Subject: loginrec.c license
Message-ID: <20030502084422.GA489351@morwong.ucc.gu.uwa.edu.au>

Hi.

I am trying to figure out, is loginrec.c (and loginrec.h) licensed under
the 4-point BSD license or one without the advertising clause? I'm
developing a small ssh2 server (Dropbear), and currently everything is
under the MIT/X license. I'd prefer not to have to add any advertising
clauses, and reinventing the wheel also seems kind of pointless.

Looking at the cvs logs, I can't see any commits via Markus Friedl, so is
it simply misplaced boilerplate text at the top of loginrec.c? LICENSE
(item 7) seems to also imply that it should be under a 2-point BSD license.

Cheers,

Matt Johnston

From bugzilla-daemon at mindrot.org Fri May 2 20:15:11 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 2 May 2003 20:15:11 +1000 (EST)
Subject: [Bug 379] difficult to find the openssh code signing key on openssh.org.
Message-ID: <20030502101511.C024A94237@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=379

papadopo at shfj.cea.fr changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WORKSFORME                  |

------- Additional Comments From papadopo at shfj.cea.fr 2003-05-02 20:15 -------
The key is in file DJM-GPG-KEY.asc but this doesn't address the poster's
question. A link is really needed to this file on the home page or the
download page.

I too spent more than an hour trying to find the public key. The fact that
the file has been there for years doesn't make it easier to find.

As for the keyservers, I don't know where to find them, if I can talk to
them through our organization-wide firewall, and how to ask them for a key.
I suspect this is the case for most OpenSSH users, and is a reason why
OpenSSH is probably most often installed without checking the signature.

Again: It would be a great service to your user community if you made the
signing key easy to find on your web site. A top-level link would be nice,
but even a link from the download section would be good.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri May 2 20:52:47 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 2 May 2003 20:52:47 +1000 (EST)
Subject: [Bug 544] sshd w/privsep fails on Linux 2.0, mm_receive_fd: expected type 1 got 1074276337
Message-ID: <20030502105247.A858994247@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=544

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From dtucker at zip.com.au 2003-05-02 20:52 -------
Fix applied.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From lcars at infis.univ.trieste.it Fri May 2 22:03:52 2003
From: lcars at infis.univ.trieste.it (Andrea Barisani)
Date: Fri, 2 May 2003 14:03:52 +0200
Subject: openssh 3.6.1_p2 problem with pam (fwd)
Message-ID: <20030502120352.GA20137@sole.infis.univ.trieste.it>

----- Forwarded message from Andrea Barisani -----

Date: Fri, 2 May 2003 14:01:33 +0200
From: Andrea Barisani
To: openssh at openssh.com
Subject: openssh 3.6.1_p2 problem with pam

Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour:

# ssh -l lcars mybox
[2 seconds delay]
lcars at mybox's password:

In the logs I have:

May 2 13:57:11 sole sshd(pam_unix)[19663]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=homer.infis.univ.trieste.it user=lcars
May 2 13:57:13 sole sshd(pam_unix)[19665]: session opened for user lcars by (uid=817)

The first line is logged _before_ sshd prompts for the password and that's
the cause of the delay, since I'm not using the nodelay option in
system-auth.

The second one is logged after I enter the correct password.

I don't suppose that this is correct behaviour, what do you think?

Thanks a lot.

Bye

--
------------------------------------------------------------
INFIS Network Administrator & Security Officer          .*.
Department of Physics - University of Trieste           /V\
lcars at infis.univ.trieste.it - PGP Key 0x8E21FE82   (/ \)
----------------------------------------------------    ( )
"How would you know I'm mad?" said Alice.              ^^-^^
"You must be," said the Cat, "or you wouldn't have come here."
------------------------------------------------------------

From djm at mindrot.org Fri May 2 22:58:50 2003
From: djm at mindrot.org (Damien Miller)
Date: Fri, 02 May 2003 22:58:50 +1000
Subject: loginrec.c license
In-Reply-To: <20030502084422.GA489351@morwong.ucc.gu.uwa.edu.au>
References: <20030502084422.GA489351@morwong.ucc.gu.uwa.edu.au>
Message-ID: <3EB26B8A.6090105@mindrot.org>

Matt Johnston wrote:
> Hi.
>
> I am trying to figure out, is loginrec.c (and loginrec.h) licensed under the
> 4-point BSD license or one without the advertising clause? I'm developing a
> small ssh2 server (Dropbear), and currently everything is under the MIT/X
> license. I'd prefer not to have to add any advertising clauses, and
> reinventing the wheel also seems kind of pointless.
>
> Looking at the cvs logs, I can't see any commits via Markus Friedl, so is it
> simply misplaced boilerplate text at the top of loginrec.c? LICENSE (item 7)
> seems to also imply that it should be under a 2-point BSD license.

It looks like cut'n'paste text as the license clause refers to Markus, but
most of the code there was written by Andre Lucas (whom I have Cc'd).

Andre, we have removed the advertising clause from all of the code that we
have written in OpenSSH and, with your permission, I'd like to remove it
from loginrec.c.

Thanks,
Damien Miller

From deengert at anl.gov Fri May 2 23:37:27 2003
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 02 May 2003 08:37:27 -0500
Subject: openssh 3.6.1_p2 problem with pam (fwd)
References: <20030502120352.GA20137@sole.infis.univ.trieste.it>
Message-ID: <3EB27497.3C3A9A23@anl.gov>

I saw a similar problem with 3.6.1p2 when using PAM on HP UX 11.0.
Rather than a 2 second delay, it got a segfault.

This got around the problem, but it is not clear why this code which was
in 3.5 was deleted. The PAM code is being called with a password="" for
some reason, then looks like it is called again later for real.

I still have problems with passwords on HP, but Solaris works, so this is
not the total solution.

*** ,auth-pam.c Wed Apr 30 10:04:21 2003
--- auth-pam.c Thu May 1 14:12:46 2003
***************
*** 210,215 ****
--- 210,227 ----

  do_pam_set_conv(&conv);

+ #if defined(__hpux)
+ /* add back this from 3.5 PAM on HP 11.0 segfaults
+ * with password="" */
+ /* deny if no user. */
+ if (pw == NULL)
+ return 0;
+ if (pw->pw_uid == 0 && options.permit_root_login == PERMIT_NO_PASSWD)
+ return 0;
+ if (*password == '\0' && options.permit_empty_passwd == 0)
+ return 0;
+ #endif /* __hpux */
+
  __pampasswd = password;

  pamstate = INITIAL_LOGIN;

Andrea Barisani wrote:
>
> ----- Forwarded message from Andrea Barisani -----
>
> Date: Fri, 2 May 2003 14:01:33 +0200
> From: Andrea Barisani
> To: openssh at openssh.com
> Subject: openssh 3.6.1_p2 problem with pam
>
> Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour:
>
> # ssh -l lcars mybox
> [2 seconds delay]
> lcars at mybox's password:
>
> In the logs I have:
>
> May 2 13:57:11 sole sshd(pam_unix)[19663]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=homer.infis.univ.trieste.it user=lcars
> May 2 13:57:13 sole sshd(pam_unix)[19665]: session opened for user lcars by (uid=817)
>
> The first line is logged _before_ sshd prompts for the password and that's the
> cause of the delay, since I'm not using the nodelay option in system-auth.
>
> The second one is logged after I enter the correct password.
>
> I don't suppose that this is correct behaviour, what do you think?
>
> Thanks a lot.
>
> Bye
>
> --
> ------------------------------------------------------------
> INFIS Network Administrator & Security Officer          .*.
> Department of Physics - University of Trieste           /V\
> lcars at infis.univ.trieste.it - PGP Key 0x8E21FE82   (/ \)
> ----------------------------------------------------    ( )
> "How would you know I'm mad?" said Alice.              ^^-^^
> "You must be," said the Cat, "or you wouldn't have come here."
> ------------------------------------------------------------
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From binder at arago.de Sat May 3 00:06:57 2003
From: binder at arago.de (Thomas Binder)
Date: Fri, 2 May 2003 16:06:57 +0200
Subject: openssh 3.6.1_p2 problem with pam (fwd)
In-Reply-To: <3EB27497.3C3A9A23@anl.gov>
References: <20030502120352.GA20137@sole.infis.univ.trieste.it> <3EB27497.3C3A9A23@anl.gov>
Message-ID: <20030502140656.GA6093007@ohm.arago.de>

Hi!

On Fri, May 02, 2003 at 08:37:27AM -0500, Douglas E. Engert wrote:
> I saw a similar problem with 3.6.1p2 when using PAM on HP UX 11.0.
> Rather than a 2 second delay, it got a segfault.
>
> This got around the problem, but it is not clear why this code which was
> in 3.5 was deleted. The PAM code is being called with a password=""
> for some reason, then looks like it is called again later for real.
>
> I still have problems with passwords on HP, but Solaris works,
> so this is not the total solution.

Simply setting

  PermitEmptyPasswords no

in sshd_config is not enough?

Ciao

Thomas

From deengert at anl.gov Sat May 3 00:42:51 2003
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 02 May 2003 09:42:51 -0500
Subject: openssh 3.6.1_p2 problem with pam (fwd)
References: <20030502120352.GA20137@sole.infis.univ.trieste.it> <3EB27497.3C3A9A23@anl.gov> <20030502140656.GA6093007@ohm.arago.de>
Message-ID: <3EB283EB.A98EE8F1@anl.gov>

Thomas Binder wrote:
>
> Hi!
>
> On Fri, May 02, 2003 at 08:37:27AM -0500, Douglas E. Engert wrote:
> > I saw a similar problem with 3.6.1p2 when using PAM on HP UX 11.0.
> > Rather than a 2 second delay, it got a segfault.
> >
> > This got around the problem, but it is not clear why this code which was
> > in 3.5 was deleted. The PAM code is being called with a password=""
> > for some reason, then looks like it is called again later for real.
> >
> > I still have problems with passwords on HP, but Solaris works,
> > so this is not the total solution.
>
> Simply setting
>
> PermitEmptyPasswords no
>
> in sshd_config is not enough?

It does not appear so. The default is no, and that is what is set.

I was pointing out that some code was changed, which could have caused
PAM to be called with "", which did not appear to be the case in 3.5. I was
wondering why this was removed.

The segfault I am getting appears to come from not being able to load one
of my PAM modules, pam_krb5. If I can figure this out, I will go back and
try without the change.

> Ciao
>
> Thomas
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From fcusack at fcusack.com Sat May 3 07:27:06 2003
From: fcusack at fcusack.com (Frank Cusack) Date: Fri, 2 May 2003 14:27:06 -0700 Subject: openssh 3.6.1_p2 problem with pam (fwd) In-Reply-To: <20030502120352.GA20137@sole.infis.univ.trieste.it>; from lcars@infis.univ.trieste.it on Fri, May 02, 2003 at 02:03:52PM +0200 References: <20030502120352.GA20137@sole.infis.univ.trieste.it> Message-ID: <20030502142706.A4668@google.com> On Fri, May 02, 2003 at 02:03:52PM +0200, Andrea Barisani wrote: > I don't suppose that this is a correct beahviour, what do you think? Yes, it's not correct behavior. However, this isn't new to 3.6.1. Not sure why you're only seeing it now. This should help you out: --- openssh/auth1.c Sun Feb 23 16:59:27 2003 +++ openssh/auth1.c Thu May 1 22:27:29 2003 @@ -80,7 +80,7 @@ authctxt->valid ? "" : "illegal user ", authctxt->user); /* If the user has no password, accept authentication immediately. */ - if (options.password_authentication && + if (options.password_authentication && options.permit_empty_passwd && #if defined(KRB4) || defined(KRB5) (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif --- openssh/auth2-none.c Tue Apr 29 02:12:08 2003 +++ openssh/auth2-none.c Thu May 1 22:27:29 2003 @@ -100,6 +100,25 @@ if (check_nt_auth(1, authctxt->pw) == 0) return(0); #endif + + /* + * REDACTED + * REDACTED + * REDACTED + * REDACTED + * REDACTED + * REDACTED + * REDACTED + * REDACTED + * REDACTED + * REDACTED + * REDACTED + * REDACTED + * REDACTED + */ + if (!options.permit_empty_passwd) + return(0); + return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid; } From fcusack at fcusack.com Sat May 3 07:34:04 2003 
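Review bot: in the auth1.c hunk, the comment directly above the changed condition, "If the user has no password, accept authentication immediately.", no longer describes the code once `options.permit_empty_passwd &&` is part of the conjunction; update it to say the shortcut is taken only when PermitEmptyPasswords is enabled, otherwise a later reader of auth1.c will assume the empty-password shortcut is unconditional.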
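Review bot: in the auth2-none.c hunk, the thirteen-line comment that should justify the new early return survives only as REDACTED in this archive, so the rationale cannot be reviewed from the patch itself; restate it in the commit message or restore the comment. What the visible lines do establish is that `if (!options.permit_empty_passwd) return(0);` fails the "none" method before `return PRIVSEP(auth_password(authctxt, ""))` runs, so with PermitEmptyPasswords off the PAM stack is never handed the empty string that the thread complains about; the comment should say exactly that, and note that `authctxt->valid` is no longer consulted on this path.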
From: fcusack at fcusack.com (Frank Cusack) Date: Fri, 2 May 2003 14:34:04 -0700 Subject: openssh 3.6.1_p2 problem with pam (fwd) In-Reply-To: <3EB27497.3C3A9A23@anl.gov>; from deengert@anl.gov on Fri, May 02, 2003 at 08:37:27AM -0500 References: <20030502120352.GA20137@sole.infis.univ.trieste.it> <3EB27497.3C3A9A23@anl.gov> Message-ID: <20030502143403.B4668@google.com> On Fri, May 02, 2003 at 08:37:27AM -0500, Douglas E. Engert wrote: > I saw a similiar problem with 3.6.1p2 when using PAM on HP UX 11.0 > Rather then a 2 second delay, it got a segfault. > > This got around the problem, but it is not clear why this code which was > in 3.5 was deleted. The PAM code is being called with a password="" > for some reason, then loks like it is called again later for real. It wasn't deleted, it was moved. The pam code SHOULD be called here, that's why it was moved. > I still have problems with passwords on HP, but Solaris works, > so this is not the total solution. Sounds like HP-UX's libpam is buggy, or you have a buggy PAM module. Are you using any custom (not distributed with HP-UX) modules? /fc > *** ,auth-pam.c Wed Apr 30 10:04:21 2003 > --- auth-pam.c Thu May 1 14:12:46 2003 > *************** > *** 210,215 **** > --- 210,227 ---- > > do_pam_set_conv(&conv); > > + #if defined(__hpux) > + /* add back this from 3.5 PAM on HP 11.0 segfaults > + * with password="" */ > + /* deny if no user. */ > + if (pw == NULL) > + return 0; > + if (pw->pw_uid == 0 && options.permit_root_login == PERMIT_NO_PASSWD) > + return 0; > + if (*password == '\0' && options.permit_empty_passwd == 0) > + return 0; > + #endif /* __hpux */ > + > __pampasswd = password; > > pamstate = INITIAL_LOGIN; From fcusack at fcusack.com Sat May 3 07:48:30 2003 
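Review bot: the three checks added in the quoted auth-pam.c hunk (pw == NULL, `pw->pw_uid == 0 && options.permit_root_login == PERMIT_NO_PASSWD`, and `*password == '\0' && options.permit_empty_passwd == 0`) are configuration policy, not anything HP-UX-specific, yet they sit inside `#if defined(__hpux)`; that leaves the PAM password path ordered differently per platform. Either drop the `#if` so every platform applies the same checks before PAM is entered, or, if the only goal is to avoid the HP-UX libpam crash on password="", keep just the empty-password test and say so in the comment ("add back this from 3.5" does not tell the next reader which of the three lines is the workaround).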
From: fcusack at fcusack.com (Frank Cusack)
Date: Fri, 2 May 2003 14:48:30 -0700
Subject: openssh 3.6.1_p2 problem with pam (fwd)
In-Reply-To: <20030502143403.B4668@google.com>; from fcusack@fcusack.com on Fri, May 02, 2003 at 02:34:04PM -0700
References: <20030502120352.GA20137@sole.infis.univ.trieste.it> <3EB27497.3C3A9A23@anl.gov> <20030502143403.B4668@google.com>
Message-ID: <20030502144830.D4668@google.com>

On Fri, May 02, 2003 at 02:34:04PM -0700, Frank Cusack wrote:
> On Fri, May 02, 2003 at 08:37:27AM -0500, Douglas E. Engert wrote:
> > I saw a similar problem with 3.6.1p2 when using PAM on HP UX 11.0
> > Rather than a 2 second delay, it got a segfault.
> >
> > This got around the problem, but it is not clear why this code which was
> > in 3.5 was deleted. The PAM code is being called with a password=""
> > for some reason, then looks like it is called again later for real.
>
> It wasn't deleted, it was moved. The pam code SHOULD be called here,
> that's why it was moved.

Sorry, I was confusing the 3.6.1 change with my own changes. In 3.6.1 the code was just altered to flag cases like (pw == NULL) rather than returning immediately. 3.6.1 has the correct behavior.

/fc

From lcars at infis.univ.trieste.it Sat May 3 08:24:44 2003
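To make the behaviour argued over in this thread concrete, here is an added Python model (written for this archive, not OpenSSH code) of the SSH-2 "none" method with and without Frank's auth2-none.c guard. It assumes a 3.6.1-style auth_password() that consults PAM first and only flags the empty-password and invalid-user conditions afterwards, as Frank describes; the PAM stack is a constructed fake that records what it is handed, and the option and struct names are simplified stand-ins for the real sshd ones.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Options:
    """Subset of sshd options; the field name mirrors options.permit_empty_passwd
    in the patch (sshd_config PermitEmptyPasswords, default no)."""
    permit_empty_passwd: bool = False


@dataclass
class Passwd:
    """Minimal stand-in for struct passwd; passwd_hash == "" means no password set."""
    name: str
    passwd_hash: str


@dataclass
class FakePam:
    """Constructed PAM stack: records every (user, password) it is handed, and
    optionally accepts an empty password (some real stacks do for such accounts)."""
    accept_empty: bool = False
    calls: List[Tuple[str, str]] = field(default_factory=list)

    def authenticate(self, user: str, password: str) -> bool:
        self.calls.append((user, password))
        return password == "" and self.accept_empty


def auth_password(opts: Options, pw: Optional[Passwd], password: str, pam: FakePam) -> bool:
    """Models the 3.6.1 PAM path as Frank describes it: PAM is consulted first and
    the invalid-user / empty-password conditions are flagged afterwards, rather
    than causing an immediate return as the 3.5 code did."""
    user = pw.name if pw is not None else "<invalid user>"
    pam_ok = pam.authenticate(user, password)
    if pw is None:
        return False
    if password == "" and not opts.permit_empty_passwd:
        return False
    return pam_ok


def userauth_none(opts: Options, pw: Optional[Passwd], pam: FakePam, patched: bool) -> bool:
    """Models auth2-none.c userauth_none(): the client offered the "none" method,
    which sshd answers by trying an empty password."""
    if patched and not opts.permit_empty_passwd:
        # The patched guard: fail before auth_password(), and so PAM, sees "".
        return False
    return auth_password(opts, pw, "", pam) and pw is not None


def pam_saw_empty_password(patched: bool, permit_empty: bool) -> bool:
    """Did the PAM stack receive an empty password for a valid account that has
    a real password, under the given combination of patch state and option?"""
    pam = FakePam()
    userauth_none(Options(permit_empty_passwd=permit_empty),
                  Passwd("alice", "$1$constructed"), pam, patched)
    return ("alice", "") in pam.calls


if __name__ == "__main__":
    for patched in (False, True):
        print(f"patched={patched}: PAM saw empty password ->",
              pam_saw_empty_password(patched, permit_empty=False))
```

The point the model makes is the one Douglas observed on HP-UX: unpatched, every "none" attempt reaches the PAM stack with password="" even though PermitEmptyPasswords is off, and only the result is discarded; with the guard, a PAM stack that crashes or behaves oddly on an empty password is simply never entered.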
From: lcars at infis.univ.trieste.it (Andrea Barisani) Date: Sat, 3 May 2003 00:24:44 +0200 Subject: openssh 3.6.1_p2 problem with pam (fwd) In-Reply-To: <20030502142706.A4668@google.com> References: <20030502120352.GA20137@sole.infis.univ.trieste.it> <20030502142706.A4668@google.com> Message-ID: <20030502222444.GA12156@sole.infis.univ.trieste.it> On Fri, May 02, 2003 at 02:27:06PM -0700, Frank Cusack wrote: > On Fri, May 02, 2003 at 02:03:52PM +0200, Andrea Barisani wrote: > > I don't suppose that this is a correct beahviour, what do you think? > > Yes, it's not correct behavior. However, this isn't new to 3.6.1. > Not sure why you're only seeing it now. Because I've upgraded from 3.5_p1, sorry for not having mentioned that. The patch seems to work, thanks a lot. I'll try to understand it and fully test pam behaviour tomorrow, now is too late :). I suppose that we'll be seeing this patch in the next version, am I right? Thanks again. Bye > > This should help you out: > > --- openssh/auth1.c Sun Feb 23 16:59:27 2003 > +++ openssh/auth1.c Thu May 1 22:27:29 2003 > @@ -80,7 +80,7 @@ > authctxt->valid ? "" : "illegal user ", authctxt->user); > > /* If the user has no password, accept authentication immediately. */ > - if (options.password_authentication && > + if (options.password_authentication && options.permit_empty_passwd && > #if defined(KRB4) || defined(KRB5) > (!options.kerberos_authentication || options.kerberos_or_local_passwd) && > #endif > --- openssh/auth2-none.c Tue Apr 29 02:12:08 2003 > +++ openssh/auth2-none.c Thu May 1 22:27:29 2003 
> @@ -100,6 +100,25 @@ > if (check_nt_auth(1, authctxt->pw) == 0) > return(0); > #endif > + > + /* > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + * REDACTED > + */ > + if (!options.permit_empty_passwd) > + return(0); > + > return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid; > } > -- ------------------------------------------------------------ INFIS Network Administrator & Security Officer .*. Department of Physics - University of Trieste /V\ lcars at infis.univ.trieste.it - PGP Key 0x8E21FE82 (/ \) ---------------------------------------------------- ( ) "How would you know I'm mad?" said Alice. ^^-^^ "You must be,'said the Cat,'or you wouldn't have come here." ------------------------------------------------------------ From fcusack at fcusack.com Sat May 3 08:44:41 2003 
From: fcusack at fcusack.com (Frank Cusack)
Date: Fri, 2 May 2003 15:44:41 -0700
Subject: openssh 3.6.1_p2 problem with pam (fwd)
In-Reply-To: <20030502222444.GA12156@sole.infis.univ.trieste.it>; from lcars@infis.univ.trieste.it on Sat, May 03, 2003 at 12:24:44AM +0200
References: <20030502120352.GA20137@sole.infis.univ.trieste.it> <20030502142706.A4668@google.com> <20030502222444.GA12156@sole.infis.univ.trieste.it>
Message-ID: <20030502154441.A5702@google.com>

On Sat, May 03, 2003 at 12:24:44AM +0200, Andrea Barisani wrote:
> On Fri, May 02, 2003 at 02:27:06PM -0700, Frank Cusack wrote:
> > On Fri, May 02, 2003 at 02:03:52PM +0200, Andrea Barisani wrote:
> > > I don't suppose that this is a correct behaviour, what do you think?
> >
> > Yes, it's not correct behavior. However, this isn't new to 3.6.1.
> > Not sure why you're only seeing it now.
>
> Because I've upgraded from 3.5_p1, sorry for not having mentioned that.
> The patch seems to work, thanks a lot. I'll try to understand it and fully test
> pam behaviour tomorrow, now is too late :).

Yes, I am pretty sure the behavior you're seeing has been there since 3.0.2. I might be mistaken (probably am).

> I suppose that we'll be seeing this patch in the next version, am I right?

I don't think so. The openssh team has been generally resistant[1] to most of my pam suggestions. I have stopped submitting them at this point.

/fc

[1] Not that I fault them for it. PAM is hard to wedge into openssh nicely. Esp. now with privsep.

From bugzilla-daemon at mindrot.org Sat May 3 08:51:52 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 3 May 2003 08:51:52 +1000 (EST)
Subject: [Bug 553] configure fails to acknowledge availability of utimes()
Message-ID: <20030502225152.7189A9424F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=553

           Summary: configure fails to acknowledge availability of utimes()
           Product: Portable OpenSSH
           Version: older versions
          Platform: HPPA
        OS/Version: HP-UX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: dwyatt at kohlmansystems.com

Running configure for OpenSSH-3.6.1p2 indicates that utimes() is not found. This leads to a type conflict error which prevents making the package. The problem did not exist under 3.6p1 and all previous versions that I've built. It appears to be a result of a new automake version, but that is only wild speculation.

Changing line 6187 in the configure file from 'char utimes ();' to 'int utimes ();' appears to provide a workaround so that OpenSSH can be configured and built.

I'm working under HP-UX 10.20 using Gcc 3.0 and mostly Gnu tools.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat May 3 09:16:03 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 3 May 2003 09:16:03 +1000 (EST)
Subject: [Bug 549] Login Delay / Remove unwanted reverse map check
Message-ID: <20030502231603.8486594207@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=549

------- Additional Comments From dtucker at zip.com.au 2003-05-03 09:16 -------
Created an attachment (id=279)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=279&action=view)
Disable reverse lookups in canohost.c when utmp_len == 0

How about fixing canohost so it behaves more like the man page? Example patch attached.

Note: I'm not sure this is the right way to go about this, but get_remote_hostname is used by ssh and sshd, and because utmp_len is a server-only variable you can't just import it in and check if utmp_len == 0.

From bugzilla-daemon at mindrot.org Sat May 3 09:17:59 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 3 May 2003 09:17:59 +1000 (EST)
Subject: [Bug 549] Login Delay / Remove unwanted reverse map check
Message-ID: <20030502231759.4055894256@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=549

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
         OS/Version|AIX                         |All
           Platform|PPC                         |All

------- Additional Comments From dtucker at zip.com.au 2003-05-03 09:17 -------
This affects all platforms.

From fcusack at fcusack.com Sat May 3 09:52:13 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Fri, 2 May 2003 16:52:13 -0700
Subject: GSSAPI patches
In-Reply-To: <3EB19A8A.2080608@sxw.org.uk>; from simon@sxw.org.uk on Thu, May 01, 2003 at 11:07:06PM +0100
References: <3EB19A8A.2080608@sxw.org.uk>
Message-ID: <20030502165213.A5742@google.com>

On Thu, May 01, 2003 at 11:07:06PM +0100, Simon Wilkinson wrote:
> http://www.sxw.org.uk/computing/patches/openssh.html

Simon, thanks!

One question: Is this supposed to set up a configure option for gssapi? On a RHL 9 system, after running configure --with-kerberos5, the config.h GSSAPI option is not set. I'm wondering if 'autoreconf' (per your web page) is supposed to make the changes to configure or if I just need to #define GSSAPI (in config.h) manually.

If anyone else on the list has got this working correctly (ie, automatically), I'd love to hear from you.

thanks
/fc

From bugzilla-daemon at mindrot.org Sat May 3 10:11:41 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 3 May 2003 10:11:41 +1000 (EST)
Subject: [Bug 553] configure fails to acknowledge availability of utimes()
Message-ID: <20030503001141.D524894266@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=553

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Additional Comments From dtucker at zip.com.au 2003-05-03 10:11 -------
The test (trimmed) fragments from configure:

3.6.1p1 (autoconf 2.53):

char utimes ();
char (*f) ();

int
main ()
{
#if defined (__stub_utimes) || defined (__stub___utimes)
choke me
#else
f = utimes;
#endif
  return 0;
}

3.6.1p2 (autoconf 2.57):

char utimes ();
#if defined (__stub_utimes) || defined (__stub___utimes)
choke me
#else
char (*f) () = utimes;
#endif

int
main ()
{
  return f != utimes;
  return 0;
}

I'll upgrade autoconf on my HP (11.00) and see if I can reproduce the problem.

On a slightly related note, do we need to check for utimes() twice? There's a specific check for it, then it's also in the main AC_CHECK_FUNCS list.

From bugzilla-daemon at mindrot.org Sat May 3 10:33:40 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 3 May 2003 10:33:40 +1000 (EST)
Subject: [Bug 543] sshd does not use AIX's setauthdb
Message-ID: <20030503003340.D0A589425B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=543

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #270 is|0                           |1
          obsolete|                            |

------- Additional Comments From dtucker at zip.com.au 2003-05-03 10:33 -------
Created an attachment (id=280)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=280&action=view)
Update patch to use record_failed_login (largely untested)

Added AC_CHECK_FUNCS(setauthdb) to configure.ac.

Added (char **)"" to setpcred call to match prototype (including usersec.h defines the prototype so the build will fail with a mismatch).

Note: you will need to run "autoreconf" to rebuild configure if you use this patch.

From bugzilla-daemon at mindrot.org Sat May 3 10:54:18 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 3 May 2003 10:54:18 +1000 (EST)
Subject: [Bug 553] configure fails to acknowledge availability of utimes()
Message-ID: <20030503005418.5C90294269@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=553

------- Additional Comments From tim at multitalents.net 2003-05-03 10:54 -------
It would be nice to see the section of config.log where the test fails on HP.

Re: "utimes also in the main AC_CHECK_FUNCS list", it was probably an oversight on my part. If you yank it out of the AC_CHECK_FUNCS section, you'll have to add a HAVE_UTIMES template to acconfig.h.

From bugzilla-daemon at mindrot.org Sat May 3 11:24:25 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 3 May 2003 11:24:25 +1000 (EST)
Subject: [Bug 553] configure fails to acknowledge availability of utimes()
Message-ID: <20030503012425.6F79D94261@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=553

------- Additional Comments From dtucker at zip.com.au 2003-05-03 11:24 -------
Created an attachment (id=281)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=281&action=view)
config.log.gz from HP-UX 11.00

Full log attached. The failing piece is:

configure:6109: result: yes
configure:6175: checking for utimes
configure:6225: gcc -o conftest -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 conftest.c -lz -lnsl -lxnet -lsec >&5
configure:6250: conflicting types for `utimes'
/usr/include/sys/time.h:484: previous declaration of `utimes'
configure:6228: $? = 1
configure: failed program was:

From bugzilla-daemon at mindrot.org Sat May 3 12:39:32 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 3 May 2003 12:39:32 +1000 (EST)
Subject: [Bug 549] Login Delay / Remove unwanted reverse map check
Message-ID: <20030503023932.560B39420D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=549

------- Additional Comments From mouring at eviladmin.org 2003-05-03 12:39 -------
Are we sure this is right? The manpage states:

     -u0 may also be used to prevent sshd from making DNS requests unless the
     authentication mechanism or configuration requires it. Authentication
     mechanisms that may require DNS include RhostsAuthentication,
     RhostsRSAAuthentication, HostbasedAuthentication and using a
     from="pattern-list" option in a key file. Configuration options that
     require DNS include using a USER@HOST pattern in AllowUsers or DenyUsers.

I suspect this will break the exceptions listed here. Which would be wrong.

Is the original reporter sure that he is not running across one of these cases? Since the bug report is prefixed by "When some users..." not "Every user..."

From alyakoubi at mailcenter.com.cn Sat May 3 16:00:55 2003
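The manpage rule quoted in that comment is easy to get wrong, as the attachment above did, so here is an added Python check (written for this archive, not OpenSSH code) that reads an sshd_config excerpt and an authorized_keys file and lists every setting that still forces a reverse lookup even when -u0 is given. It goes slightly beyond the quoted text by treating address-only patterns (an IP, a CIDR block, or a numeric glob like 10.0.0.*) as not needing DNS, since those can be matched on the client address alone; the sample config and keys are constructed, and HostbasedAuthentication is kept on the list because the manpage names it, although Carson's reply in this thread disputes that.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Keywords the quoted manpage text says may require DNS.  Carson's reply in
# this thread disputes HostbasedAuthentication (the host name arrives in-band
# and is signed); it is kept here because the manpage lists it.
DNS_AUTH_KEYWORDS = ("rhostsauthentication", "rhostsrsaauthentication",
                     "hostbasedauthentication")


def is_address_pattern(host: str) -> bool:
    """True when a host pattern can be matched on the client IP alone, so no
    reverse lookup is needed: an address, a CIDR block, or a glob made only of
    digits, dots and wildcards (e.g. 10.0.0.*).  A leading '!' negation is ignored."""
    host = host.lstrip("!")
    try:
        ipaddress.ip_network(host, strict=False)
        return True
    except ValueError:
        pass
    return re.fullmatch(r"[0-9.*?]+", host) is not None


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Parse 'Keyword value ...' lines into {lowercased keyword: [values]};
    comments and blank lines are skipped, '=' separators are tolerated."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        value = parts[1] if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).extend(value.split())
    return conf


def authorized_keys_from_patterns(text: str) -> List[str]:
    """Collect the host patterns of every from="..." option in an authorized_keys file."""
    patterns: List[str] = []
    for line in text.splitlines():
        m = re.search(r'(?:^|[ ,])from="([^"]*)"', line)
        if m:
            patterns.extend(p for p in m.group(1).split(",") if p)
    return patterns


def dns_reasons(conf: Dict[str, List[str]], key_patterns: Iterable[str]) -> List[str]:
    """Return one human-readable reason per setting that forces sshd to resolve
    the client's host name; an empty list means -u0 can safely skip the lookup."""
    reasons: List[str] = []
    for kw in DNS_AUTH_KEYWORDS:
        if (conf.get(kw) or ["no"])[0].lower() == "yes":
            reasons.append(f"{kw} enabled")
    for kw in ("allowusers", "denyusers"):
        for entry in conf.get(kw, []):
            if "@" in entry and not is_address_pattern(entry.rsplit("@", 1)[1]):
                reasons.append(f"{kw} pattern {entry} needs host name")
    for pat in key_patterns:
        if not is_address_pattern(pat):
            reasons.append(f'from="{pat}" needs host name')
    return reasons


def reverse_lookup_required(sshd_config: str, authorized_keys: str = "") -> bool:
    return bool(dns_reasons(parse_sshd_config(sshd_config),
                            authorized_keys_from_patterns(authorized_keys)))


# Constructed sample inputs (not from any real host).
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
Port 22
PasswordAuthentication yes
HostbasedAuthentication no
AllowUsers alice@10.0.0.* bob@*.example.org
"""
SAMPLE_AUTHORIZED_KEYS = (
    'from="192.0.2.0/24,!192.0.2.7" ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed carol@laptop\n'
    'ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed dave@desk\n'
)

if __name__ == "__main__":
    for r in dns_reasons(parse_sshd_config(SAMPLE_SSHD_CONFIG),
                         authorized_keys_from_patterns(SAMPLE_AUTHORIZED_KEYS)):
        print("DNS needed:", r)
```

On the constructed sample the only hit is the `bob@*.example.org` entry in AllowUsers; the from="192.0.2.0/24,!192.0.2.7" key option is address-only and would not by itself justify a lookup.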
From: simon at sxw.org.uk (Simon Wilkinson)
Date: Sat, 03 May 2003 11:07:55 +0100
Subject: GSSAPI patches
In-Reply-To: <20030502165213.A5742@google.com>
References: <3EB19A8A.2080608@sxw.org.uk> <20030502165213.A5742@google.com>
Message-ID: <3EB394FB.2040106@sxw.org.uk>

Frank Cusack wrote:
> One question: Is this supposed to setup a configure option for
> gssapi? On a RHL 9 system, after running configure --with-kerberos5,
> the config.h GSSAPI option is not set.

Providing you've run the appropriate autoreconf binary, then configure will automatically set up GSSAPI support when the --with-kerberos5 option is supplied.

The problem is that you _must_ use autoreconf from an autoconf package >2.53. Earlier versions silently exit, without updating the configure script.

Cheers,

Simon.

From fcusack at fcusack.com Sat May 3 20:27:06 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Sat, 3 May 2003 03:27:06 -0700
Subject: GSSAPI patches
In-Reply-To: <3EB394FB.2040106@sxw.org.uk>; from simon@sxw.org.uk on Sat, May 03, 2003 at 11:07:55AM +0100
References: <3EB19A8A.2080608@sxw.org.uk> <20030502165213.A5742@google.com> <3EB394FB.2040106@sxw.org.uk>
Message-ID: <20030503032706.B7621@google.com>

On Sat, May 03, 2003 at 11:07:55AM +0100, Simon Wilkinson wrote:
> Frank Cusack wrote:
> > One question: Is this supposed to setup a configure option for
> > gssapi? On a RHL 9 system, after running configure --with-kerberos5,
> > the config.h GSSAPI option is not set.
>
> Providing you've run the appropriate autoreconf binary, then configure will
> automatically set up GSSAPI support when the --with-kerberos5 option is supplied.
>
> The problem is that you _must_ use autoreconf from an autoconf package >2.53.
> Earlier versions silently exit, without updating the configure script.

Yes, I am using 2.57. hmm... works perfectly now. Not sure what I was doing differently before. Thanks!

/fc

From carson at taltos.org Sat May 3 20:31:14 2003
From: carson at taltos.org (Carson Gaspar)
Date: Sat, 03 May 2003 06:31:14 -0400
Subject: [Bug 549] Login Delay / Remove unwanted reverse map check
In-Reply-To: <20030503023932.560B39420D@shitei.mindrot.org>
References: <20030503023932.560B39420D@shitei.mindrot.org>
Message-ID: <125037046.1051943474@[192.168.20.2]>

--On Saturday, May 03, 2003 12:39 PM +1000 bugzilla-daemon at mindrot.org wrote:

> configuration requires it. Authentication mechanisms that
> may require DNS include RhostsAuthentication,
> RhostsRSAAuthentication, HostbasedAuthentication and using

HostbasedAuthentication? It shouldn't require DNS, as the name of the host is included in-band. And as it is cryptographically authenticated, using DNS to "validate" it is pointless.

--
Carson

From bugzilla-daemon at mindrot.org Sun May 4 06:27:39 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 06:27:39 +1000 (EST)
Subject: [Bug 554] RFE: PATH_SSH_KEY_SIGN, SSH_RAND_HELPER
Message-ID: <20030503202739.23E629420D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=554

           Summary: RFE: PATH_SSH_KEY_SIGN, SSH_RAND_HELPER
           Product: Portable OpenSSH
           Version: 3.6p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: elkner at linofee.org

Unfortunately there is no way to specify the default location of ssh-keysign and ssh-rand-helper per ssh[d]_config (since paths are hardcoded), which prevents relocation. So it would be nice to have a

    SshSigner = /path/ssh-keysign
    # and perhaps a
    SshRandHelper = /path/ssh-rand-helper

in the configs. If it is not found, ssh can still fall back to the hardcoded values ...

From bugzilla-daemon at mindrot.org Sun May 4 10:00:35 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 10:00:35 +1000 (EST)
Subject: [Bug 549] Login Delay / Remove unwanted reverse map check
Message-ID: <20030504000035.9EBDE94223@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=549

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #279 is|0                           |1
          obsolete|                            |

------- Additional Comments From dtucker at zip.com.au 2003-05-04 10:00 -------
(From update of attachment 279)
Damn, you're right. Note to self: read man page properly next time.

From bugzilla-daemon at mindrot.org Sun May 4 10:05:18 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 10:05:18 +1000 (EST)
Subject: [Bug 421] compile error on Debian slink
Message-ID: <20030504000518.1ADC894272@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=421

------- Additional Comments From dtucker at zip.com.au 2003-05-04 10:05 -------
Is this still broken for anyone? I built the current CVS tree on a Debian/slink test box today and it compiled OK and ran a complete regression test (including privsep).

From bugzilla-daemon at mindrot.org Sun May 4 10:09:04 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 10:09:04 +1000 (EST)
Subject: [Bug 484] name space collision - log function
Message-ID: <20030504000904.D0E879426C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=484

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From dtucker at zip.com.au 2003-05-04 10:09 -------
This is now fixed. From ChangeLog:

20030409
 [snip]
 - itojun at cvs.openbsd.org 2003/04/08 20:21:29
     [*.c *.h]
     rename log() into logit() to avoid name conflict. markus ok, from netbsd

From bugzilla-daemon at mindrot.org Sun May 4 10:16:11 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 10:16:11 +1000 (EST)
Subject: [Bug 531] Conflicting basename() on Irix
Message-ID: <20030504001611.3F69394281@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=531

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         OS/Version|IRIX                        |All
           Platform|MIPS                        |All
         Resolution|                            |FIXED

------- Additional Comments From dtucker at zip.com.au 2003-05-04 10:16 -------
Fixed in 3.6.1p2. From ChangeLog:

20030429
 [snip]
 - (djm) Some systems have basename in -lgen. Fix from ayamura at ayamura.org

This also affected Solaris (and possibly other platforms).

From bugzilla-daemon at mindrot.org Sun May 4 10:16:42 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 10:16:42 +1000 (EST)
Subject: [Bug 532] Conflicting basename and dirname on solaris
Message-ID: <20030504001642.AB9179427D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=532

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

------- Additional Comments From dtucker at zip.com.au 2003-05-04 10:16 -------
*** This bug has been marked as a duplicate of 531 ***

From bugzilla-daemon at mindrot.org Sun May 4 10:16:44 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 10:16:44 +1000 (EST)
Subject: [Bug 531] Conflicting basename() on Irix
Message-ID: <20030504001644.9B6CB9427F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=531

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |benderm at raytheon.com

------- Additional Comments From dtucker at zip.com.au 2003-05-04 10:16 -------
*** Bug 532 has been marked as a duplicate of this bug. ***

From bugzilla-daemon at mindrot.org Sun May 4 10:17:17 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 10:17:17 +1000 (EST)
Subject: [Bug 546] test for basename() fails on IRIX
Message-ID: <20030504001717.53E6994292@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=546

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

------- Additional Comments From dtucker at zip.com.au 2003-05-04 10:17 -------
*** This bug has been marked as a duplicate of 531 ***

From bugzilla-daemon at mindrot.org Sun May 4 10:17:19 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 10:17:19 +1000 (EST)
Subject: [Bug 531] Conflicting basename() on Irix
Message-ID: <20030504001719.9CA3F94286@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=531

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |drk at sgi.com

------- Additional Comments From dtucker at zip.com.au 2003-05-04 10:17 -------
*** Bug 546 has been marked as a duplicate of this bug. ***

From bugzilla-daemon at mindrot.org Sun May 4 10:42:16 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 10:42:16 +1000 (EST)
Subject: [Bug 497] Cleanup of including compatibility headers
Message-ID: <20030504004216.D43429427A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=497

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From dtucker at zip.com.au 2003-05-04 10:42 -------
Patch applied (for Cygwin only). Thanks.

From bugzilla-daemon at mindrot.org Sun May 4 10:55:05 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 10:55:05 +1000 (EST)
Subject: [Bug 547] Missing radix.o in makefile for AFS
Message-ID: <20030504005505.27F169427A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=547

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From dtucker at zip.com.au 2003-05-04 10:55 -------
Fixed in 3.6.1p2. From ChangeLog:

20030429
 - (djm) Add back radix.o (used by AFS support), after it went missing from
   Makefile many moons ago

From bugzilla-daemon at mindrot.org Sun May 4 11:03:46 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 11:03:46 +1000 (EST)
Subject: [Bug 552] broken reference from scp.c
Message-ID: <20030504010346.EAFDA94293@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=552

------- Additional Comments From dtucker at zip.com.au 2003-05-04 11:03 -------
A bit of googling shows that __fixunsdfdi is a GCC support routine that should be in libgcc. Possibly your link path is not picking up libgcc at all, or (as you seem to have a very new gcc) it's picking up an old libgcc, or there's some other gcc installation problem.

From: http://archive.develooper.com/perl-xs at perl.org/msg00900.html

[quote]
If I remember my GCC internals correctly that would be the support routine for the conversion:

double foo;
unsigned long long thing = foo;

So there is something wrong with your gcc install - perhaps a shared library has been found which does not match the gcc?
[end quote]

From bugzilla-daemon at mindrot.org Sun May 4 11:10:08 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 11:10:08 +1000 (EST)
Subject: [Bug 257] sftp and 32 bit integar
Message-ID: <20030504011008.49C6E94294@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=257

------- Additional Comments From dtucker at zip.com.au 2003-05-04 11:10 -------
Should this bug be closed now that platforms without a 64 bit int are not
supported?

20030320
 - (bal) The days of lack of int64_t support are over. Sorry kids.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun May 4 11:14:39 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 11:14:39 +1000 (EST)
Subject: [Bug 396] sshd orphans processes when no pty allocated
Message-ID: <20030504011439.08278942A5@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=396

------- Additional Comments From dtucker at zip.com.au 2003-05-04 11:14 -------
Does anyone object to this patch? And if not, is it something that should go
to OpenBSD?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun May 4 11:57:04 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 11:57:04 +1000 (EST)
Subject: [Bug 536] no access to tty on Linux 2.0 and 2.4+libc5
Message-ID: <20030504015704.06A5894281@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=536

------- Additional Comments From fong at pigtail.net 2003-05-04 11:57 -------
Very similar problem on LRP due to an error that says (approximately, since I
did a roll back to 3.4p1 and do not have access to a compiler to recompile
3.6p1) "insufficient privilage to create tty". Will update the thread when I
get the machine back.

Compile environment: Debian Slink

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun May 4 12:06:53 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 12:06:53 +1000 (EST)
Subject: [Bug 257] sftp and 32 bit integar
Message-ID: <20030504020653.E5B3D94217@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=257

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun May 4 13:41:00 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 13:41:00 +1000 (EST)
Subject: [Bug 536] no access to tty on Linux 2.0 and 2.4+libc5
Message-ID: <20030504034100.089B894214@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=536

------- Additional Comments From fong at pigtail.net 2003-05-04 13:40 -------
Compile environment: Debian Slink, kernel 2.2.12
Target environment: LRP, kernel 2.2.19, glibc 2.0

This works:

#define STREAMS_PUSH_ACQUIRES_CTTY 1

This works: modify line 318 of sshpty.c

if (ioctl(*ttyfd, TIOCSCTTY, 1) < 0)

Tested with 3.6p1 and 3.6.1.p1

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun May 4 19:13:00 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 19:13:00 +1000 (EST)
Subject: [Bug 318] Install failure creating ssh_prng_cmds
Message-ID: <20030504091300.69F9394287@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=318

------- Additional Comments From dtucker at zip.com.au 2003-05-04 19:12 -------
Does anyone see any problems with the patch id #186? It seems OK to me.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From dtucker at zip.com.au Sun May 4 19:42:24 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 04 May 2003 19:42:24 +1000
Subject: Bugzilla bugs: close ones waiting for feedback >3 months?
Message-ID: <3EB4E080.56053F5@zip.com.au>

Hi All,
I've been going through the bug queue and there's a number that have been
waiting for reporter feedback for a long time (in one case 7+ months).

Would anyone consider it unduly harsh if I took an axe to the queue and
closed any bugs (ie the unconfirmed or WORKSFORME type) that have been
waiting for reporter feedback for more than, say, 3 months? (Unless
there's a documented reason, like "I'll look at this when I get back from
my 6-month around-the-world vacation".)

If the user can't get back to us in a quarter year, it can't be too much of
a problem and the bug can always be re-opened.

-Daz.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From djm at mindrot.org Sun May 4 22:16:59 2003
From: djm at mindrot.org (Damien Miller)
Date: Sun, 04 May 2003 22:16:59 +1000
Subject: Bugzilla bugs: close ones waiting for feedback >3 months?
In-Reply-To: <3EB4E080.56053F5@zip.com.au>
References: <3EB4E080.56053F5@zip.com.au>
Message-ID: <3EB504BB.500@mindrot.org>

Darren Tucker wrote:
> Hi All,
> I've been going through the bug queue and there's a number that have been
> waiting for reporter feedback for a long time (in one case 7+ months).
>
> Would anyone consider it unduly harsh if I took an axe to the queue and
> closed any bugs (ie the unconfirmed or WORKSFORME type) that have been
> waiting for reporter feedback for more than, say, 3 months? (Unless
> there's a documented reason, like "I'll look at this when I get back from
> my 6-month around-the-world vacation".)
>
> If the user can't get back to us in a quarter year, it can't be too much of
> a problem and the bug can always be re-opened.

Yes, 3 months is usually the mark at which I close the bug with a "xx months
and no feedback == no bug" comment :)

WORKSFORME is the resolution that I usually use.

-d

From bugzilla-daemon at mindrot.org Sun May 4 22:05:48 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 22:05:48 +1000 (EST)
Subject: [Bug 318] Install failure creating ssh_prng_cmds
Message-ID: <20030504120548.BB3A6942BD@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=318

------- Additional Comments From djm at mindrot.org 2003-05-04 22:05 -------
Maybe it would just be simpler to make sure that ssh_prng_cmds.out is
world-readable after creation by "make"

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun May 4 22:18:49 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 22:18:49 +1000 (EST)
Subject: [Bug 334] SSH hangs when run via a cronjob (ssh2)
Message-ID: <20030504121849.C2E51942BD@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=334

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From dtucker at zip.com.au 2003-05-04 22:18 -------
5 months no reply == closed bug

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun May 4 22:21:25 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 22:21:25 +1000 (EST)
Subject: [Bug 358] password authentication fails
Message-ID: <20030504122125.07428942BE@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=358

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From dtucker at zip.com.au 2003-05-04 22:21 -------
4 months no reply == closed bug

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun May 4 22:22:11 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 22:22:11 +1000 (EST)
Subject: [Bug 360] PrivilegeSeperation does not work with LDAP authentication through PAM
Message-ID: <20030504122211.8FE9A942CF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=360

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From dtucker at zip.com.au 2003-05-04 22:22 -------
4 months no reply == closed bug

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun May 4 22:45:58 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 22:45:58 +1000 (EST)
Subject: [Bug 202] scp/ssh hangs
Message-ID: <20030504124558.87334942C4@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=202

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From dtucker at zip.com.au 2003-05-04 22:45 -------
No reports for over 6 months, closing.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun May 4 23:16:35 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 4 May 2003 23:16:35 +1000 (EST)
Subject: [Bug 318] Install failure creating ssh_prng_cmds
Message-ID: <20030504131635.E6D15942C3@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=318

------- Additional Comments From dtucker at zip.com.au 2003-05-04 23:16 -------
I don't think that will help: "fixprogs" is run as part of "make install" and
tries to write to the current dir as root.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From kladit at t-online.de Mon May 5 05:42:24 2003
From: kladit at t-online.de (Klaus Dittrich)
Date: Sun, 4 May 2003 21:42:24 +0200
Subject: openssh-3.6.1p2 hpux-10.20
Message-ID: <20030504194224.GA16374@xeon2.local.here>

Compilation of openssh-3.6.1p2 on hpux-10.20 stops with ..

(cd openbsd-compat && make)
gcc -O2 -mpa-risc-2-0 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/opt/openssl/include -I ./INCLUDES -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c bsd-arc4random.c
In file included from ../openbsd-compat/openbsd-compat.h:35,
                 from ../includes.h:167,
                 from bsd-arc4random.c:25:
../openbsd-compat/bsd-misc.h:72: conflicting types for `utimes'
/usr/include/sys/time.h:504: previous declaration of `utimes'

Unfortunately sys/time.h is included in several other header files too.

--
Klaus

From dtucker at zip.com.au Mon May 5 09:37:40 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 05 May 2003 09:37:40 +1000
Subject: openssh-3.6.1p2 hpux-10.20
References: <20030504194224.GA16374@xeon2.local.here>
Message-ID: <3EB5A444.CC67F5A1@zip.com.au>

Klaus Dittrich wrote:
> Compilation of openssh-3.6.1p2 on hpux-10.20 stops with ..
[snip]
> ../openbsd-compat/bsd-misc.h:72: conflicting types for `utimes'
> /usr/include/sys/time.h:504: previous declaration of `utimes'

This is a known problem. Apparently newer autoconf's generate a test that does
not detect utimes on HP-UX.

Quick fix: add "#define HAVE_UTIMES 1" to config.h and recompile.

See http://bugzilla.mindrot.org/show_bug.cgi?id=553

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From secure_bsd at yahoo.com Tue May 6 01:33:20 2003
From: secure_bsd at yahoo.com (Shaji Vinod)
Date: Mon, 5 May 2003 08:33:20 -0700 (PDT)
Subject: Bus error with gssapi on HP-UX PA-RISC(32bit)
Message-ID: <20030505153320.53784.qmail@web13310.mail.yahoo.com>

hi,

I have a problem in the gssapi patch.

I have applied the gssapi patch for 3.4 version on OpenSSH-3.5 and built the
source on HP-UX 11.11 (32 bit hardware). When I run ssh using the "-l" option
such as "ssh -l ", I am getting a SIGBUS error. That is, the function
"gss_release_buffer()" is causing this error. Any views on this?

This is only happening when the "-l" option is given. But when this is given
just as "ssh hostname" it works fine. So, the main problem is with
"generic_gss_release_buffer". Particularly this is happening when the client
system does not have a /etc/krb5.conf file. If there is a file /etc/krb5.conf,
then this error does not arise. Otherwise could anyone show some light on how
this could be handled differently?

The exact line that causes this problem is in gss-genr.c at line #538.

---> gss_release_buffer(&minor,&token);

This in turn calls generic_gss_release_buffer() from the libgssapi_krb5
library and this is where the error happens exactly.

What could be wrong?

Regards,
-Shaji

__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com

From sxw at inf.ed.ac.uk Tue May 6 01:58:28 2003
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Mon, 5 May 2003 16:58:28 +0100 (BST)
Subject: Bus error with gssapi on HP-UX PA-RISC(32bit)
In-Reply-To: <20030505153320.53784.qmail@web13310.mail.yahoo.com>
Message-ID:

On Mon, 5 May 2003, Shaji Vinod wrote:

> I have a problem in the gssapi patch.
>
> I have applied the gssapi patch for 3.4 version on
> OpenSSH-3.5 and built the
> source on HP-UX 11.11 (32 bit hardware).

Firstly, there's now a patch available for 3.6.1p2. I'd recommend using this
instead of the older patches, as it fixes a number of issues which may cause
interop problems with other vendors' GSSAPI code.

> This is only happening when "-l" option is given. But
> when this given just
> as "ssh hostname" it works fine.

When you say "works fine", do you mean that you successfully get a GSSAPI
session, or just that the program no longer gives a SIGBUS?

> So, the main problem
> is with
> "generic_gss_release_buffer". Particularly this is
> happening when the client
> system do not have /etc/krb5.conf file. If there is a
> file /etc/krb5.conf,
> then this error does not araise.

I suspect that what you're seeing is a knock-on failure from the GSSAPI client
library failing due to the lack of a configuration file. If the GSSAPI library
doesn't modify the value of its output variables in a failure state, it's
possible that the patches, as they stand, may try to free unallocated memory.

I'm currently testing a fix for the 3.6.1p2 patches to solve this.

Cheers,

Simon.

From bugzilla-daemon at mindrot.org Tue May 6 04:31:34 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 6 May 2003 04:31:34 +1000 (EST)
Subject: [Bug 549] Login Delay / Remove unwanted reverse map check
Message-ID: <20030505183134.7A1869422E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=549

------- Additional Comments From devin.nate at bridgecomm.net 2003-05-06 04:31 -------
Hi,

The sshd_config in question includes an AllowUsers line. It does not have any
USER@HOST specified users, only USER,USER,USER,etc. RhostAuthentication is set
to no, RhostRSAAuthentication is set to no, HostbasedAuthentication is default
and therefore set to no, user keyfiles are not used, and no from lines are
specified.

The short answer is, no, according to the documentation we do not have any of
the exceptions that would require a DNS lookup when -u0 is specified.

The longer answer(s):

1a. I wouldn't use a hostname in sshd_config or other security file even if DNS
worked perfectly all of the time. I still wish to disable DNS lookups
completely.

1b. OpenSSH already uses an IP address if/when DNS fails. It's not like OpenSSH
guarantees that you'll get a legitimate hostname out of the DNS lookup. The
existing code uses an IP address when the ip->host lookup fails. If you use a
USER@HOST specification, or anything which relies on a hostname... a simple DNS
error will cause OpenSSH to do something else. In some cases, based on what I
understand, OpenSSH may deny a legit user access, in other cases allow a
non-permitted user access.

2. Interestingly, where an IP address causes a specific user a delay, adding it
to /etc/hosts (with /etc/netsvc.conf specifying to use /etc/hosts first), the
first connect proceeds quickly, but if the user enters a bad password a second
DNS lookup is performed, which then takes 60-90 seconds. If the user enters a
bad password a second time, there is no delay. (I didn't care to even figure
this out, since I'd prefer to just disable DNS period - not have /etc/hosts
entries to resolve IPs that customers have that cause DNS problems).

I hope this provides more info. I looked at the patch submitted by Darren
Tucker, seems like an excellent approach also.

Thanks

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue May 6 09:16:57 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 6 May 2003 09:16:57 +1000 (EST)
Subject: [Bug 549] Login Delay / Remove unwanted reverse map check
Message-ID: <20030505231657.7251C94215@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=549

------- Additional Comments From dtucker at zip.com.au 2003-05-06 09:16 -------
What about making "-u -1" unconditionally disable DNS lookups (even if this
means an automatic fail for those authentication types)?

I'd suggest a new option but I know people think there are too many already,
but totally disabling lookups seems to be a common request.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue May 6 10:08:36 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 6 May 2003 10:08:36 +1000 (EST)
Subject: [Bug 486] "PermitRootLogin no" can implicitly reveal root password
Message-ID: <20030506000836.8FCD094212@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=486

cjwatson at debian.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

------- Additional Comments From cjwatson at debian.org 2003-05-06 10:08 -------
This has reoccurred as of 3.6.1p2. With 3.6.1p1, there was no delay for a root
login when PermitRootLogin was off regardless of whether the supplied password
was correct or not. With 3.6.1p2 and "PermitRootLogin no", an incorrect
password for root incurs a delay while a correct password does not.

(Apologies if this should have been a new bug.)

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue May 6 10:25:24 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 6 May 2003 10:25:24 +1000 (EST)
Subject: [Bug 552] broken reference from scp.c
Message-ID: <20030506002524.08B5694233@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=552

------- Additional Comments From jason at devrandom.org 2003-05-06 10:25 -------
Can't reproduce this either:

jason at sith openssh $ uname -a
Linux sith 2.4.20-gentoo-r2 #1 SMP Sun Mar 30 21:15:16 EST 2003 i686 AMD Athlon(tm) Processor AuthenticAMD GNU/Linux

What distro are you using?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue May 6 10:41:36 2003
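The bug 486 report above describes a classic authentication oracle: with "PermitRootLogin no", a wrong root password incurs the failure delay and a correct one does not, so the delay alone confirms the password. The following is an added example, not OpenSSH code, that shows the ordering problem in miniature and a uniform alternative. Every function name is hypothetical and the user table is constructed for the example; the "delay" is represented by the return code rather than an actual sleep so the behaviour can be checked.

```c
/*
 * Added example, not OpenSSH code: how a policy check such as
 * "PermitRootLogin no" can turn into a password oracle when it runs after
 * the password check and skips the failure delay. Every name below is
 * hypothetical and the user table is constructed for the example.
 */
#include <stddef.h>
#include <string.h>

enum auth_outcome {
    REJECT_DELAYED = 0,   /* normal failure path: client sees the delay */
    REJECT_IMMEDIATE = 1, /* rejected with no delay: distinguishable */
    ACCEPT = 2
};

struct fake_user { const char *name; const char *password; };

/* Constructed credentials, not real ones. */
static const struct fake_user USERS[] = {
    { "root",  "constructed-root-secret" },
    { "alice", "constructed-alice-secret" },
};

/* Length-independent comparison: no early exit on the first mismatch. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

static int verify_password(const char *user, const char *password)
{
    for (size_t i = 0; i < sizeof(USERS) / sizeof(USERS[0]); i++)
        if (strcmp(USERS[i].name, user) == 0)
            return ct_equal(USERS[i].password, password);
    return 0;
}

static int root_blocked(const char *user, int permit_root)
{
    return strcmp(user, "root") == 0 && !permit_root;
}

/* Leaky ordering: a wrong password takes the delayed failure path, but a
 * correct root password is rejected by the policy check without the delay,
 * so the two rejections look different to the client. */
int auth_leaky(const char *user, const char *password, int permit_root)
{
    if (!verify_password(user, password))
        return REJECT_DELAYED;
    if (root_blocked(user, permit_root))
        return REJECT_IMMEDIATE;
    return ACCEPT;
}

/* Uniform ordering: policy and password are both always evaluated and
 * folded into one result, so every rejection takes the same path. */
int auth_uniform(const char *user, const char *password, int permit_root)
{
    int permitted = !root_blocked(user, permit_root);
    int ok = verify_password(user, password) & permitted; /* no short-circuit */
    return ok ? ACCEPT : REJECT_DELAYED;
}
```

The point is not the constant-time compare but where the policy decision lands: anything that makes a rejected correct password observably different from a rejected wrong one, timing included, is a one-bit oracle per attempt.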
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 6 May 2003 10:41:36 +1000 (EST)
Subject: [Bug 549] Login Delay / Remove unwanted reverse map check
Message-ID: <20030506004136.E3AE594234@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=549

------- Additional Comments From devin.nate at bridgecomm.net 2003-05-06 10:41 -------
I don't think (I could be wrong, I certainly haven't checked all the code),
that disabling DNS will automatically break all the OpenSSH components that
would like to have a hostname. Instead, my suspicion is that you'll need to use
the ip address(es) in place of the hostname(s).

In fact, I just tested USER@IP.IP.IP.IP and that worked as predicted. (i.e.
allowed me in when I had the right IP address, disallowed me when I came from a
non-permitted IP address). My sshd is patched to never do the DNS lookup.

I consider using IP addresses instead of hostnames a feature.

An item in the config file, similar to "VerifyReverseMapping" might be
appropriate:

ReverseMapIPAddresses [ yes(default)|no ]   (for ssh_config and sshd_config)

I realize that the Internet continues to struggle with hostnames vs ip
addresses. How many firewall admins wouldn't want to do something like "DENY
pornsite.com", or "DENY spamsite.net" and get all the potential IP addresses
and be done with it. And yet, DNS based access controls haven't taken off.

Many other network daemons let you disable DNS. I realize a security server
isn't quite the same as your favorite smtp, http, or ftp server - however,
especially given our environment here, and what I suspect many users of OpenSSH
have, I don't see DNS records being needed very often.

I guess another way to look at this is with a config option to stop OpenSSH
from using the hostname in ACLs (and therefore not performing DNS lookups), and
instead use the IP address only.

Thanks,
Devin Nate

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From phil at ipom.com Tue May 6 17:47:09 2003
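The bug 549 thread above turns on what an AllowUsers entry means when the reverse lookup is disabled or fails and sshd substitutes the client IP address for the hostname. The following is an added example for that discussion, not OpenSSH's own match code: a simplified AllowUsers-style matcher with "user" and "user@hostpattern" entries ('*' and '?' wildcards) in which a missing hostname is replaced by the IP string. It makes visible the two outcomes Devin describes: a hostname pattern stops matching once the lookup is gone (the "deny a legit user" case), while a USER@IP.IP.IP.IP entry keeps working. Function names, users and addresses are all constructed.

```c
/*
 * Added example for the bug 549 discussion above; it is not OpenSSH's own
 * match code. It models an AllowUsers-style list with "user" and
 * "user@hostpattern" entries ('*' and '?' wildcards) and shows what happens
 * when the reverse lookup is disabled or fails and the client IP address
 * stands in for the hostname. All names and addresses are constructed.
 */
#include <string.h>

/* Glob-style match: '*' matches any run of characters, '?' exactly one. */
static int match_pattern(const char *s, const char *pattern)
{
    for (;;) {
        if (*pattern == '\0')
            return *s == '\0';
        if (*pattern == '*') {
            while (*pattern == '*')
                pattern++;
            if (*pattern == '\0')
                return 1;
            for (;; s++) {              /* try every suffix, including "" */
                if (match_pattern(s, pattern))
                    return 1;
                if (*s == '\0')
                    return 0;
            }
        }
        if (*s == '\0' || (*pattern != '?' && *pattern != *s))
            return 0;
        s++;
        pattern++;
    }
}

/*
 * Returns 1 if user, connecting from the reverse-mapped name host (NULL when
 * the lookup failed or was switched off) and address ip, matches any
 * comma-separated entry of allow_list; 0 otherwise. As in the behaviour the
 * bug describes, a missing hostname is replaced by the IP string, so hostname
 * patterns silently stop matching while IP patterns keep working.
 */
int allow_users_match(const char *allow_list, const char *user,
                      const char *host, const char *ip)
{
    const char *hostname = host != NULL ? host : ip;
    const char *p = allow_list;
    char entry[256];

    while (*p != '\0') {
        size_t n = strcspn(p, ",");
        char *at;

        if (n == 0 || n >= sizeof(entry))
            return 0;                   /* malformed list: fail closed */
        memcpy(entry, p, n);
        entry[n] = '\0';
        p += n;
        if (*p == ',')
            p++;

        at = strchr(entry, '@');
        if (at == NULL) {               /* plain "user" entry */
            if (match_pattern(user, entry))
                return 1;
            continue;
        }
        *at = '\0';                     /* split into user / host parts */
        if (!match_pattern(user, entry))
            continue;
        /* host part: accept the (possibly substituted) name or the literal IP */
        if (match_pattern(hostname, at + 1) || match_pattern(ip, at + 1))
            return 1;
    }
    return 0;
}
```

A configuration that relies on name patterns therefore fails closed when the resolver is unavailable, which is the safer of the two failure modes but still a denial of service for legitimate users; the IP-only style Devin tested removes the dependency on the resolver altogether.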
From: phil at ipom.com (Phil Dibowitz)
Date: Tue, 06 May 2003 00:47:09 -0700
Subject: logging command line execs
Message-ID: <3EB7687D.4070907@ipom.com>

Hey folks,

As part of a local change, we like to authlog the commands executed via
command line, i.e.:

ssh user@host "somecommand"

And I was able to modify session.c like so:

--------------------------------------
	case SSH_CMSG_EXEC_CMD:
		if (type == SSH_CMSG_EXEC_CMD) {
			command = packet_get_string(&dlen);
			debug("Exec command '%.500s'", command);
			/* LOCAL CHANGE: We log this */
			log("User %.100s attempting to execute command '%.500s' on command line", s->pw->pw_name, command);
			do_exec(s, command);
			xfree(command);
		} else {
--------------------------------------

But as you might recognize, this snippet is from the do_authenticated1()
function - which is obviously for ssh protocol 1. I cannot find the ssh
protocol 2 counterpart of this code.

The do_authenticated2() function simply calls server_loop2(), which does some
child care, and I've followed various functions that are called in
server_loop2(), and never do I find anything that seems to be checking for a
command from the command line of the client and executing it. I'm sure it's
there, because clearly such functionality works, however I cannot find the code
responsible for it. It seems it should be in do_authenticated2(), but it's not.

If anyone could point me to the file/function/code/etc. where this happens for
ssh protocol 2, I would be very appreciative.

Thanks,

--
Phil Dibowitz                             phil at ipom.com
Freeware and Technical Pages              Insanity Palace of Metallica
http://www.phildev.net/                   http://www.ipom.com/

"They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety."
 - Benjamin Franklin, 1759

From bugzilla-daemon at mindrot.org Tue May 6 19:36:28 2003
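The local change Phil describes above writes a client-supplied string straight into the auth log with a `%.500s` length cap. The command is attacker-controlled text, so a defender who adds that kind of logging also wants control bytes and newlines neutralised, otherwise a crafted command can split the entry or imitate other log records. The following added example is not OpenSSH code and not Phil's patch; it is a small call-site sanitizer with hypothetical names that keeps the same 500-byte cap and escapes everything outside printable ASCII.

```c
/*
 * Added example, not OpenSSH code: escaping a client-supplied command before
 * it is written to the auth log, as a companion to the "we log this" change
 * above. The command string is attacker-controlled, so raw newlines or
 * control bytes in it could forge or mangle log records. Names hypothetical.
 */
#include <stdio.h>
#include <string.h>

#define LOG_CMD_MAX 500   /* same cap as the %.500s in the snippet above */

/* Copies at most LOG_CMD_MAX bytes of cmd into out (outsz bytes), emitting
 * printable ASCII as-is, a backslash as "\\" and every other byte as \xNN.
 * Returns the number of bytes written, excluding the terminating NUL. */
size_t sanitize_for_log(const char *cmd, char *out, size_t outsz)
{
    size_t o = 0;

    if (outsz == 0)
        return 0;
    for (size_t i = 0; i < LOG_CMD_MAX && cmd[i] != '\0'; i++) {
        unsigned char c = (unsigned char)cmd[i];
        char piece[5];
        int n;

        if (c == '\\')
            n = snprintf(piece, sizeof piece, "\\\\");
        else if (c >= 0x20 && c < 0x7f)
            n = snprintf(piece, sizeof piece, "%c", c);
        else
            n = snprintf(piece, sizeof piece, "\\x%02x", c);
        if (n < 0 || o + (size_t)n >= outsz)
            break;                      /* truncate rather than overflow */
        memcpy(out + o, piece, (size_t)n);
        o += (size_t)n;
    }
    out[o] = '\0';
    return o;
}

/* Convenience wrapper returning a static buffer; adequate for the
 * single-threaded sshd child the snippet above runs in. */
const char *sanitized_copy(const char *cmd)
{
    static char buf[4 * LOG_CMD_MAX + 1];   /* worst case: 4 bytes per input byte */

    sanitize_for_log(cmd, buf, sizeof buf);
    return buf;
}

/* True if s cannot span more than one log record. */
int single_log_record(const char *s)
{
    return strpbrk(s, "\r\n") == NULL;
}
```

In the posted snippet the call would become `log("... '%s' ...", s->pw->pw_name, sanitized_copy(command))`; the `%.100s` on the user name is already a fixed-width field and needs no change.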
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 6 May 2003 19:36:28 +1000 (EST)
Subject: [Bug 536] no access to tty on Linux 2.0 and 2.4+libc5
Message-ID: <20030506093628.11C9B9423C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=536

------- Additional Comments From dtucker at zip.com.au 2003-05-06 19:36 -------
Created an attachment (id=282)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=282&action=view)
Don't call setsid() on Linux 2.0 and 2.2

Please try the attached patch. It renames STREAMS_PUSH_ACQUIRES_CTTY ->
SSHD_ACQUIRES_CTTY and defines it for Linux 2.0 and 2.0.

The patch is against the CVS tree and you'll need to run "autoreconf". If you
don't have a CVS tree or autoconf handy you can try this snapshot instead:

http://www.zip.com.au/~dtucker/openssh/test/openssh-linux20_ctty.tar.gz

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue May 6 19:38:16 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 6 May 2003 19:38:16 +1000 (EST)
Subject: [Bug 536] no access to tty on Linux 2.0 and 2.4+libc5
Message-ID: <20030506093816.674E994243@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=536

------- Additional Comments From dtucker at zip.com.au 2003-05-06 19:38 -------
Make that "2.0 and 2.2" and does anyone know a good way of detecting libc5?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From briang at OasisAdvancedEngineering.com Tue May 6 22:58:03 2003
From: briang at OasisAdvancedEngineering.com (Brian Genisio)
Date: Tue, 06 May 2003 08:58:03 -0400
Subject: OpenSSH Bug / Fix
Message-ID:

To Whom It May Concern,

Our team has found what we believe to be a bug in the code for SSHD. When
creating an SSH port forward between a Linux machine (server) and a machine
running Cygwin (client), we were getting buffering of data coming from the
server. This buffering caused small amounts of data to be bursted, instead of
sent immediately. Also, since debug output showed that "TCP_NODELAY" was being
set on the sockets in both SSHD and SSH, we were perplexed.

However, more research into the issue revealed the problem. While the socket
option "TCP_NODELAY" is being set on SSH port forwarding sockets by default,
when setting up a Remote or Local Forward "TCP_NODELAY" is not set on the main
connection. This can cause buffering of data flowing from the server, but not
the other direction.

The fix that we have proven to work is to add the following code to the most
recent source release:

In the "main" function of "sshd.c":
 - add a call to "set_nodelay(newsock)" immediately after the "accept()" call.

This will ensure that data travelling from this socket will not buffer and
cause a bursting effect for small amounts of data being sent at a fast rate.

Thank you,
Brian Genisio
Oasis Advanced Engineering

From r3r2 at yahoo.com Tue May 6 23:21:33 2003
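Brian's report above asks for `set_nodelay(newsock)` on the socket returned by `accept()` in sshd.c. As an added example of the shape such a helper takes (this is not the set_nodelay() from the OpenSSH source, and the function names are hypothetical), the block below reads the option first so a redundant setsockopt() is skipped, reports errors to the caller instead of ignoring them, and includes an offline self-check: an unconnected TCP socket accepts TCP_NODELAY, so no network traffic is needed to confirm the option is applied.

```c
/*
 * Added example, not the set_nodelay() from OpenSSH itself: the shape of a
 * "check first, then set" TCP_NODELAY helper of the kind the report above
 * asks to be called on the freshly accepted socket in sshd.c. Function names
 * are hypothetical.
 */
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if TCP_NODELAY is already enabled on fd, 0 if not, -1 on error
 * (for example a non-TCP descriptor, where the option does not exist). */
int tcp_nodelay_state(int fd)
{
    int opt = 0;
    socklen_t optlen = sizeof(opt);

    if (getsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, &optlen) == -1)
        return -1;
    return opt != 0;
}

/* Enables TCP_NODELAY unless it is already on. Returns 0 on success (including
 * the already-set case) and -1 with errno set on failure. */
int set_nodelay_checked(int fd)
{
    int opt = 1;
    int state = tcp_nodelay_state(fd);

    if (state == -1)
        return -1;
    if (state == 1)
        return 0;               /* nothing to do, avoid a redundant syscall */
    return setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, sizeof(opt));
}

/* Offline self-check: an unconnected TCP socket accepts the option, so no
 * network is needed. Returns 1 if the option reads back as set, 0 if it does
 * not, and -1 if no TCP socket could be created in this environment. */
int nodelay_self_check(void)
{
    int rc;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd == -1)
        return -1;
    rc = (set_nodelay_checked(fd) == 0 && tcp_nodelay_state(fd) == 1);
    close(fd);
    return rc;
}
```

The check-first pattern matters in a daemon that may receive its listening or accepted sockets from elsewhere (inetd-style invocation, for instance), where the option could already be set; it also keeps a failed getsockopt() on an unexpected descriptor type visible rather than silently ignored.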
From: r3r2 at yahoo.com (ira fuse)
Date: Tue, 6 May 2003 06:21:33 -0700 (PDT)
Subject: compilation problems AIX 5.2
Message-ID: <20030506132133.40132.qmail@web10803.mail.yahoo.com>

I am having difficulties compiling openssh3.6p2 under AIX 5.2. I grabbed the
latest from the contrib section from openssh.com, applied passexpire19.patch
successfully and configure --prefix=/opt/freeware/ --with
xauth=/usr/bin/X11/xauth. I get the following @ the end of the make:

In file included from auth.c:41:
/usr/include/usersec.h:656: warning: `struct aud_rec' declared inside parameter list
/usr/include/usersec.h:657: warning: `struct aud_rec' declared inside parameter list
auth.c: In function `allowed_user':
auth.c:283: warning: long unsigned int format, unsigned int arg (arg 3)
auth.c: In function `generate_login_message':
auth.c:341: warning: passing arg 1 of `loginsuccess' discards qualifiers from pointer target type
auth.c:341: warning: passing arg 2 of `loginsuccess' discards qualifiers from pointer target type
auth.c: In function `auth_log':
auth.c:403: warning: passing arg 2 of `loginfailed' discards qualifiers from pointer target type
auth.c:403: too few arguments to function `loginfailed'
auth.c: In function `expand_filename':
auth.c:481: warning: implicit declaration of function `snprintf'
auth.c: In function `getpwnamallow':
auth.c:630: warning: passing arg 1 of `loginfailed' discards qualifiers from pointer target type
auth.c:630: warning: passing arg 2 of `loginfailed' discards qualifiers from pointer target type
auth.c:630: too few arguments to function `loginfailed'
auth.c: In function `auth_debug_add':
auth.c:666: warning: implicit declaration of function `vsnprintf'
make: 1254-004 The error code from the last command is 1.
Stop.
==================

any ideas?

__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com

From dtucker at zip.com.au Wed May 7 00:11:49 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 07 May 2003 00:11:49 +1000
Subject: compilation problems AIX 5.2
References: <20030506132133.40132.qmail@web10803.mail.yahoo.com>
Message-ID: <3EB7C2A5.7393ECC@zip.com.au>

ira fuse wrote:
> I am having difficulties compiling openssh3.6p2 under
> AIX 5.2. I grabbed the latest from the contrib
> section from openssh.com, applied passexpire19.patch
> successfully and configure --prefix=/opt/freeware/
> --with xauth=/usr/bin/X11/xauth. i get the following
> @ the end of the make:

This appears to be the problem, the rest are warnings:

> auth.c:403: too few arguments to function
> `loginfailed'

I don't have access to AIX 5.2 but I have tested the patch on 5.1. According
to the doco [1], on AIX 5.2, loginfailed now takes 4 arguments, rather than the
original 3:

int loginfailed ( User, Host, Tty, Reason)
char *User;
char *Host;
char *Tty;
int Reason;

That piece of code currently only supplies three as that's what previous AIX
versions took:

#ifdef WITH_AIXAUTHENTICATE
	loginfailed(user, get_canonical_hostname(options.verify_reverse_mapping), "ssh");
#endif

From the man page, I'm guessing that you need to add "#include " to the top of
auth.c and add a 4th parameter (AUDIT_FAIL_AUTH) to the loginfailed() call.
The modified code will look like:

#ifdef WITH_AIXAUTHENTICATE
	loginfailed(user, get_canonical_hostname(options.verify_reverse_mapping), "ssh", AUDIT_FAIL_AUTH);
#endif

I'm not sure about the 4th parameter, if you can send me the AUDIT_FAIL lines
from "/usr/include/sys/audit.h" it may help.

-Daz.

[1] http://publib16.boulder.ibm.com/pseries/en_US/libs/basetrf1/loginfailed.htm

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From bugzilla-daemon at mindrot.org Wed May 7 01:48:17 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 7 May 2003 01:48:17 +1000 (EST) Subject: [Bug 555] If user does a newgrp before envoking ssh, it fails with a setgid error. Message-ID: <20030506154817.7F51A94255@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=555 Summary: If user does a newgrp before envoking ssh, it fails with a setgid error. Product: Portable OpenSSH Version: older versions Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: cknipe at register.com If a user does a newgrp to change their group id to a group they are a member of, which is not their primary group, ssh gets upset. For example: ichernysh at ofdb02:/home.local/ichernysh$ id -a uid=3059(ichernysh) gid=506(dba) groups=3059(ichernysh),506(dba) ichernysh at ofdb02:/home.local/ichernysh$ newgrp dba ichernysh at ofdb02:/home.local/ichernysh$ ssh 127.0.0.1 setgid 3059: Not owner ichernysh at ofdb02:/home.local/ichernysh$ ssh 127.0.0.1 The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established. RSA key fingerprint is 17:68:99:5f:02:ab:70:88:25:bd:88:a2:ef:96:a2:f0. Are you sure you want to continue connecting (yes/no)? The version of ssh in question is: OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f I realize this is fairly old, but I found no reference to this bug anywhere in the bug reports for any version. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed May 7 02:18:05 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 7 May 2003 02:18:05 +1000 (EST) Subject: [Bug 555] If user does a newgrp before envoking ssh, it fails with a setgid error. Message-ID: <20030506161805.1D8789425B@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=555 ------- Additional Comments From wknox at mitre.org 2003-05-07 02:18 ------- This works fine for me OpenSSH 3.5p1 Solaris 8 (108528-18) GNU bash, version 2.03.0(1) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From Uwe.Raesch at deutsche-boerse.com Wed May 7 03:32:27 2003 
From: Uwe.Raesch at deutsche-boerse.com ("Uwe Räsch")
Date: Tue, 6 May 2003 19:32:27 +0200
Subject: scp: missing progressbar, better behaviour on small windows
Message-ID:

I miss the stars when doing scp. My suggestion for progressmeter.c makes scp display different fields on different terminal widths. Maybe this is useful for you.

Once, in "start_progress_meter()", the look of the progress line is calculated. In "draw_progress_meter()" sprintf() instead of snprintf() together with some strlen()'s can be used, because the buffer size has been respected before. The remaining time can now have the form "> 99 days", "11d12:44" or as before "22:33:44" and " 33:44".

Okay, with 80 columns the filename is displayed with only 24 characters instead of the 45 in the original code after 2002/12/13, but using 121 columns should not be a problem today.

(See attached file: progressmeter.c)

--
The information contained in this message is confidential or protected by law. If you are not the intended recipient, please contact the sender and delete this message. Any unauthorised copying of this message or unauthorised distribution of the information contained herein is prohibited.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: progressmeter.c
Type: application/octet-stream
Size: 10779 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030506/49602fab/attachment.obj

From bugzilla-daemon at mindrot.org Wed May 7 04:25:52 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 7 May 2003 04:25:52 +1000 (EST) Subject: [Bug 552] broken reference from scp.c Message-ID: <20030506182552.9C6339425D@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=552 ------- Additional Comments From dh at onclick.org 2003-05-07 04:25 ------- NONE What rpm is needed :) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed May 7 04:54:50 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 7 May 2003 04:54:50 +1000 (EST) Subject: [Bug 469] Password field shows contents when running SQLPLUS in SSH shell Message-ID: <20030506185450.84DCB9420F@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=469 ------- Additional Comments From robert.ozark at weblinkwireless.com 2003-05-07 04:54 ------- Sorry for the delay in getting back to you, but I just got back to working on NT problems. Problem: when I login to my NT4.0 server, using VanDyke's SecureCRT4.0 and SSH2, I get the usual screen. All seems well. Now I connect to the Oracle component using SQLPlus*: sqlplus system at DBname When the password prompt appears: Enter password: I type in the password and viola!!! the password appears on the screen! I try to use a password file (sort of like an .INI file) and the password again shows up on the screen. Needless to say, this compromises my security a tad ;-} What I need is: 1) a fix 2) an explanation or 3) a way of using SQLPlus* for Oracle with SSH2 I don't know how else to explain this problem. I appreciate your help Robert Oracle DBA ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed May 7 06:39:33 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 7 May 2003 06:39:33 +1000 (EST) Subject: [Bug 552] broken reference from scp.c Message-ID: <20030506203933.42EC19425D@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=552 ------- Additional Comments From jason at devrandom.org 2003-05-07 06:39 ------- No RPM is needed. It's part of gcc. See Comment #4 from Darren. It sounds like you have something messed up with your includes or shared libraries. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From mouring at etoh.eviladmin.org Wed May 7 07:22:17 2003 
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 6 May 2003 16:22:17 -0500 (CDT)
Subject: scp: missing progressbar, better behaviour on small windows
In-Reply-To:
Message-ID:

Why would we use 'sprintf'? We have been careful to keep that insecure garbage out of our code.

- Ben

On Tue, 6 May 2003, [iso-8859-1] "Uwe Räsch" wrote:

> I miss the stars when doing scp. My suggestion for progressmeter.c makes scp
> display different fields on different terminal widths. Maybe this is useful for
> you.
>
> Once, in "start_progress_meter()", the look of the progress line is calculated.
> In "draw_progress_meter()" sprintf() instead of snprintf() together with some
> strlen()'s can be used, because the buffer size has been respected before. The
> remaining time can now have the form "> 99 days", "11d12:44" or as before
> "22:33:44" and " 33:44".
>
> Okay, with 80 columns the filename is displayed with only 24 characters instead
> of the 45 in the original code after 2002/12/13, but using 121 columns should
> not be a problem today.
>
> (See attached file: progressmeter.c)
> --
> The information contained in this message is confidential or protected by
> law. If you are not the intended recipient, please contact the sender and
> delete this message. Any unauthorised copying of this message or
> unauthorised distribution of the information contained herein is prohibited.
>

From kaysee at us.ibm.com Wed May 7 07:33:11 2003
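An added example, written for this archive and not taken from Uwe's attached progressmeter.c or from OpenSSH's own progressmeter.c, of the alternative Ben's objection points at: keep snprintf() everywhere and use its return value to size the variable-width field, so the line cannot overrun the buffer even if a width computed elsewhere ("the buffer size has been respected before") turns out to be wrong. The function names format_progress_line and fmt_eta, the "name pct% eta" layout and the sample inputs are this example's own assumptions.

```c
/* Added example (not OpenSSH code): build one progress-meter line that is
 * guaranteed to fit both a caller-supplied buffer and a terminal width,
 * using snprintf() and its return value instead of sprintf() plus a
 * precomputed budget. Names here are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Render remaining seconds in the three forms the thread describes:
 * "> 99 days", "11d12:44" or "22:33:44". snprintf semantics. */
static int fmt_eta(char *out, size_t outsz, uint64_t secs)
{
    if (secs >= 100ULL * 86400)
        return snprintf(out, outsz, "> 99 days");
    if (secs >= 86400)
        return snprintf(out, outsz, "%llud%02llu:%02llu",
                        (unsigned long long)(secs / 86400),
                        (unsigned long long)(secs % 86400 / 3600),
                        (unsigned long long)(secs % 3600 / 60));
    return snprintf(out, outsz, "%02llu:%02llu:%02llu",
                    (unsigned long long)(secs / 3600),
                    (unsigned long long)(secs % 3600 / 60),
                    (unsigned long long)(secs % 60));
}

/* Compose "<name> <pct>% <eta>" into buf so that it occupies exactly
 * min(bufsz-1, width) columns: the file name is padded or truncated to
 * whatever is left after the fixed fields. Returns the line length, or -1
 * if even the fixed fields do not fit. Every write goes through snprintf
 * and its result is checked, so an overlong name can never overrun buf
 * regardless of what the caller believed the line would need. */
int format_progress_line(char *buf, size_t bufsz, size_t width,
                         const char *name, unsigned pct, uint64_t eta_secs)
{
    char eta[16];
    size_t limit, namecols;
    int n;

    if (buf == NULL || bufsz == 0 || name == NULL)
        return -1;
    limit = (bufsz - 1 < width) ? bufsz - 1 : width;
    fmt_eta(eta, sizeof eta, eta_secs);

    /* Measure the fixed part first (snprintf with a NULL buffer). */
    n = snprintf(NULL, 0, " %3u%% %s", pct, eta);
    if (n < 0 || (size_t)n >= limit)
        return -1;
    namecols = limit - (size_t)n;

    /* "%-*.*s" pads to namecols and also truncates to namecols, so the
     * total is exactly limit <= bufsz - 1 and cannot be cut short. */
    n = snprintf(buf, bufsz, "%-*.*s %3u%% %s",
                 (int)namecols, (int)namecols, name, pct, eta);
    if (n < 0 || (size_t)n >= bufsz) {   /* defensive: would mean truncation */
        buf[0] = '\0';
        return -1;
    }
    return n;
}
```

The measuring call with a NULL buffer is the C99-guaranteed way to ask snprintf how much a format needs; the second call then gets a width and precision that sum to the budget, so the only way the line can be short of the terminal width is if the caller asked for a buffer smaller than the fixed fields, which is reported rather than written past the end.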
From: kaysee at us.ibm.com (Kaysee Long)
Date: Tue, 6 May 2003 17:33:11 -0400
Subject: prngd not seeded
Message-ID:

I am running openssh 3.4p1 and had everything working fine, but then we had to upgrade the openssl. So did the same steps; now openssh is not seeing prngd. We configure openssh with:

--with-prngd-socket=/var/spool/prngd/pool

This is what we saw with openssl-0.9.6g when I configured it:

OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /usr/local/etc
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: man
PAM support: no
KerberosIV support: no
KerberosV support: no
Smartcard support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: ssh-rand-helper
ssh-rand-helper collects from: Unix domain socket "/var/spool/prngd/pool"
Host: sparc-sun-solaris2.7
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags: -I/usr/local/include -I/usr/local/include -I/usr/local/lib -I/usr/local/include
Linker flags: -L/usr/local/lib -R/usr/local/lib -L/usr/local/lib -R/usr/local/lib -L/usr/local/lib -R/usr/local/lib -L/usr/local/lib -R/usr/local/lib
Libraries: -lwrap -lz -lsocket -lnsl -lcrypto

You can see the Random Number Source is ssh-rand-helper. With the new openssl-0.9.7b I get this:

OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /usr/local/etc
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: man
PAM support: no
KerberosIV support: no
KerberosV support: no
Smartcard support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Host: sparc-sun-solaris2.7
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags: -I/usr/local/include -I/usr/local/include -I/usr/local/lib -I/usr/local/include
Linker flags: -L/usr/local/lib -R/usr/local/lib -L/usr/local/lib -R/usr/local/lib -L/usr/local/lib -R/usr/local/lib -L/usr/local/lib -R/usr/local/lib
Libraries: -lwrap -lz -lsocket -lnsl -lcrypto

You see the random number source is OpenSSL internal only. Do you know why? I use the configuration on both without changing it....

thanks
Kaysee

From bugzilla-daemon at mindrot.org Wed May 7 09:33:08 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 7 May 2003 09:33:08 +1000 (EST)
Subject: [Bug 555] If user does a newgrp before envoking ssh, it fails with a setgid error.
Message-ID: <20030506233308.CD7A69420D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=555

------- Additional Comments From dtucker at zip.com.au 2003-05-07 09:33 -------
Works for me too (OpenSSH 3.6.1p2, Solaris 8, 108528-14). Newer versions of OpenSSH no longer make ssh setuid, perhaps that's the difference.

$ id
uid=500(dtucker) gid=500(dtucker) groups=500(dtucker),514(cvs)
$ newgrp cvs
$ ssh localhost
dtucker at localhost's password:
$

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From lhofhansl at yahoo.com Wed May 7 13:46:51 2003
From: lhofhansl at yahoo.com (Lars) Date: Tue, 06 May 2003 20:46:51 -0700 Subject: 3.6.1p2, Spurious PAM failure messages WITH "PermitEmptyPasswords no", and a (micro) fix Message-ID: <3EB881AB.6050403@yahoo.com> Hi, after installing 3.6.1p2 I noticed spurious PAM login failures even with PermitEmptyPasswords set to "no": sshd(pam_unix)[1740]: authentication failure; logname=XXX uid=0 euid=0 tty=NODEVssh ruser= rhost=localhost user=XXX After looking at the code I noticed the following in the portability p2 patch: +++ openssh-3.6.1p2/auth-passwd.c 2003-04-29 19:12:08.000000000 +1000 ... ... + +#if defined(USE_PAM) + return auth_pam_password(authctxt, password) && ok; +#elif defined(HAVE_OSF_SIA) ... ... That should really be + return ok && auth_pam_password(authctxt, password); (Note that ok is checked first, as I said in the subject its a trivial micro fix) I changed that and it works fine now. This should be integrated in the patch. -- Lars From fcusack at fcusack.com Wed May 7 16:23:29 2003 From: fcusack at fcusack.com (Frank Cusack) Date: Tue, 6 May 2003 23:23:29 -0700 Subject: 3.6.1p2, Spurious PAM failure messages WITH "PermitEmptyPasswords no", and a (micro) fix In-Reply-To: <3EB881AB.6050403@yahoo.com>; from lhofhansl@yahoo.com on Tue, May 06, 2003 at 08:46:51PM -0700 References: <3EB881AB.6050403@yahoo.com> Message-ID: <20030506232329.B15148@google.com> On Tue, May 06, 2003 at 08:46:51PM -0700, Lars wrote: > Hi, > > after installing 3.6.1p2 I noticed spurious PAM login failures > even with PermitEmptyPasswords set to "no": ... > That should really be > + return ok && auth_pam_password(authctxt, password); > > (Note that ok is checked first, as I said in the subject its a trivial > micro fix) No, that part of the code is correct as it stands. Take a look at the list archives, this was discussed just a few days back. /fc From phil at ipom.com Wed May 7 16:41:29 2003 
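Review bot: the reordering proposed for the `+#if defined(USE_PAM)` hunk changes behaviour, not only log noise. With `return ok && auth_pam_password(authctxt, password);` C's short-circuit `&&` means auth_pam_password() is never called when `ok` is 0, so PAM does not see the attempt at all (no module-side failure accounting or logging), whereas the shipped `auth_pam_password(authctxt, password) && ok` always consults PAM and applies `ok` afterwards. If the aim is only to stop pam_unix logging a failure for an empty password that PermitEmptyPasswords already rejects, the right place is the caller deciding whether to hand an empty password to PAM at all, not the operand order; and a one-line comment on the existing return explaining why PAM is evaluated first would keep this from being "fixed" again.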
From: phil at ipom.com (Phil Dibowitz) Date: Tue, 06 May 2003 23:41:29 -0700 Subject: New Mirror Message-ID: <3EB8AA99.9060005@ipom.com> This isn't really a dev question, but its also not a 'user' question either... At USC, we've setup a large mirror. One of the many things we are mirroring is openssh. I tried to contact miod at openbsd.org which I believe I got from the website, but I got no response. Anyway, the mirror is available through HTTP, FTP, and RSYNC: http://mirrors.usc.edu/pub/openssh/ ftp://mirrors.usc.edu/pub/openssh/ rsync://mirrors.usc.edu/openssh USC has an excellent to the world - especially if you are on i2. We mirror nightly. We'd like to be listed on the OpenSSH.org's mirror list. General info about the mirror can be found at http://mirrors.usc.edu/ Thanks, -- Phil Dibowitz phil at ipom.com Freeware and Technical Pages Insanity Palace of Metallica http://www.phildev.net/ http://www.ipom.com/ "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, 1759 From stuge-openssh-unix-dev at cdy.org Wed May 7 17:12:53 2003 
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Wed, 7 May 2003 09:12:53 +0200
Subject: logging command line execs
In-Reply-To: <3EB7687D.4070907@ipom.com>
References: <3EB7687D.4070907@ipom.com>
Message-ID: <20030507071253.GE1232@foo.birdnet.se>

On Tue, May 06, 2003 at 12:47:09AM -0700, Phil Dibowitz wrote:
> As part of a local change, we like to authlog the commands executed via
> command line, i.e.:

For Linux, this is nice.

--8<--
http://freshmeat.net/projects/snoopy_logger/
--
About: Snoopy is designed to aid the task of a sysadmin by providing a log of commands executed. Snoopy is completely transparent to the user and applications. It is linked into programs to provide a wrapper around calls to execve(). Logging is done via syslogd and written to authpriv, allowing secure offsite logging of activity.
-->8--

//Peter

From stuge-openssh-unix-dev at cdy.org Wed May 7 17:52:55 2003
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Wed, 7 May 2003 09:52:55 +0200
Subject: scp: missing progressbar, better behaviour on small windows
In-Reply-To:
References:
Message-ID: <20030507075255.GF1232@foo.birdnet.se>

On Tue, May 06, 2003 at 07:32:27PM +0200, "Uwe Räsch" wrote:
> The information contained in this message is confidential or protected by
> law.

Please do not send confidential messages to public mailing lists.

//Peter

From bugzilla-daemon at mindrot.org Wed May 7 18:43:32 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 7 May 2003 18:43:32 +1000 (EST) Subject: [Bug 318] Install failure creating ssh_prng_cmds Message-ID: <20030507084332.837819428B@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=318 ------- Additional Comments From stuge-openssh-unix-dev at cdy.org 2003-05-07 18:43 ------- The only problem with patch (id=186) is that most of the commands in ssh_prng_cmds.in will only produce meaningful output when run as root. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From gouders at et.bocholt.fh-ge.de Wed May 7 20:11:31 2003 
From: gouders at et.bocholt.fh-ge.de (Dirk Gouders) Date: Wed, 07 May 2003 12:11:31 +0200 Subject: Manual Page for ssh_config Message-ID: <200305071011.h47ABVpW005725@musashi.et.bocholt.fh-gelsenkirchen.de> Hello, I am using OpenSSH on a FreeBSD box (OpenSSH_3.5p1 FreeBSD-20030201, SSH protocols 1.5/2.0, OpenSSL 0x0090701f) and I noticed that the manual page for ssh_config probably needs to be fixed. The manual page says that the default value for the parameter HostKeyAlgorithms is "ssh-rsa,ssh-dss" but that seems to be wrong, because ssh only uses RSA-Keys in my .ssh/known_hosts if I explicitly set the parameter with "ssh-rsa,ssh-dss". If the parameter remains commented out, ssh doesn't use the already known RSA key: WARNING: RSA key found for host somehost.myorg in /home/somebody/.ssh/known_hosts:1 RSA key fingerprint d9:ea:ea:c6:10:ab:59:92:87:c9:f0:40:d4:b7:9b:77. The authenticity of host 'somehost.myorg (192.168.0.22)' can't be established, but keys of different type are already known for this host. DSA key fingerprint is 14:cc:25:36:17:77:a9:e2:40:84:5a:03:b7:b1:08:5f. Are you sure you want to continue connecting (yes/no)? no Host key verification failed. I already submitted a FreeBSD problem report but I have been told that OpenSSH is contributed software and that I should contact the OpenSSH developers. Best regards, Dirk From bugzilla-daemon at mindrot.org Wed May 7 20:04:10 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 7 May 2003 20:04:10 +1000 (EST)
Subject: [Bug 318] Install failure creating ssh_prng_cmds
Message-ID: <20030507100410.450FC94293@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=318

------- Additional Comments From dtucker at zip.com.au 2003-05-07 20:04 -------
Is that necessarily a bad thing? ssh also uses ssh-rand-helper.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed May 7 21:05:57 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 7 May 2003 21:05:57 +1000 (EST)
Subject: [Bug 536] no access to tty on Linux 2.0 and 2.4+libc5
Message-ID: <20030507110557.EA33E94263@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=536

------- Additional Comments From dtucker at zip.com.au 2003-05-07 21:05 -------
Created an attachment (id=283)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=283&action=view)
cttytest.c: Test for broken Linux/glibc/openpty controlling terminal behaviour

OK, the data points we've got are:
broken: 2.0.34 kernel, unknown libc
broken: 2.4.? kernel, libc5
broken: 2.0.38 kernel, glibc 2.0.7 (Debian Slink)
working: kernel 2.4.18, glibc 2.3.2 (Redhat 8)

So it looks like a libc thing. Searching the glibc ChangeLog:

1999-05-24 Ulrich Drepper
* login/openpty.c (openpty): Make sure pty does not because controlling TTY.

So it looks like openpty is the culprit. I have attached a test program that should detect this. You may need to link with -lutil.

On Debian Slink:
$ gcc cttytest.c -lutil
$ ./a.out
Test failed: reacquired controlling tty

And on Redhat 8:
$ ./a.out
Test passed.

I'll wrap it into a configure test and attach a patch.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed May 7 21:41:46 2003
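An added example, written for this archive and distinct from Darren's cttytest.c attachment (which is not reproduced here), showing the mechanism the glibc 1999-05-24 fix is about: a session leader with no controlling terminal that opens a pty slave without O_NOCTTY acquires that slave as its controlling tty, which is what an sshd child must not do before it hands the pty to the user's session. It uses posix_openpt() rather than openpty() so the flag is under the caller's control and both outcomes can be shown from one function; the name slave_open_grabs_ctty, the use of open("/dev/tty") as the "do I have a ctty" probe, and the -1 "no pty available here" result are this example's own assumptions. POSIX/Linux only.

```c
/* Added example, not OpenSSH code and not the cttytest.c attachment.
 * Reproduces the Bug 536 failure mode: after setsid(), opening a pty slave
 * WITHOUT O_NOCTTY makes it the controlling tty; WITH O_NOCTTY it does not.
 * Uses posix_openpt() instead of openpty() so the flag is explicit. */
#define _XOPEN_SOURCE 600
#include <fcntl.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run the check in a forked child so the caller's own session is untouched.
 * `flags` is OR-ed into the slave open (pass 0 or O_NOCTTY).
 * Returns 1 if the child ended up with a controlling tty (open("/dev/tty")
 * succeeded), 0 if it did not, -1 if this environment cannot provide a pty,
 * /dev/tty or a child process at all. */
int slave_open_grabs_ctty(int flags)
{
    int master, status;
    const char *slave_name;
    pid_t pid;

    if (access("/dev/tty", F_OK) != 0)          /* probe device must exist */
        return -1;
    master = posix_openpt(O_RDWR | O_NOCTTY);   /* parent never wants it */
    if (master < 0)
        return -1;
    if (grantpt(master) < 0 || unlockpt(master) < 0 ||
        (slave_name = ptsname(master)) == NULL) {
        close(master);
        return -1;
    }

    pid = fork();
    if (pid < 0) {
        close(master);
        return -1;
    }
    if (pid == 0) {
        /* New session, therefore no controlling tty. From here on, the
         * first tty opened without O_NOCTTY becomes ours: this is exactly
         * what the pre-1999 openpty() did on the caller's behalf. */
        if (setsid() < 0)
            _exit(3);
        if (open(slave_name, O_RDWR | flags) < 0)
            _exit(3);
        _exit(open("/dev/tty", O_RDWR) >= 0 ? 1 : 0);
    }

    if (waitpid(pid, &status, 0) < 0) {
        close(master);
        return -1;
    }
    close(master);
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 3)
        return -1;
    return WEXITSTATUS(status);
}
```

The child reports through its exit status so the parent's session state is never affected; a configure-time check in the spirit of the one Darren describes would call the O_NOCTTY-less variant of the library routine under test and treat a result of 1 as "broken".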
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 7 May 2003 21:41:46 +1000 (EST) Subject: [Bug 318] Install failure creating ssh_prng_cmds Message-ID: <20030507114146.7D3129420C@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=318 ------- Additional Comments From stuge-openssh-unix-dev at cdy.org 2003-05-07 21:41 ------- Sorry, should have been clearer. fixprogs runs through all of the programs listed in ssh_prng_cmds.in and determines whether the command works (return code==0) and optionally how many bits of entropy the command can be expected to really provide on the particular system. If fixprogs is run as a user and not root, most if not all commands will be removed. This is likely also the reason it has been put in the install phase. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed May 7 21:45:09 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 7 May 2003 21:45:09 +1000 (EST) Subject: [Bug 536] no access to tty on Linux 2.0 and 2.4+libc5 Message-ID: <20030507114509.AB7D49429E@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=536 ------- Additional Comments From stuge-openssh-unix-dev at cdy.org 2003-05-07 21:45 ------- Unfortunately I have migrated the 2.4.18/libc5 system to glibc 2.2.3 since my comment, your test passes, as expected. I believe this test is a winner. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed May 7 21:59:54 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 7 May 2003 21:59:54 +1000 (EST) Subject: [Bug 536] no access to tty on Linux 2.0 and 2.4+libc5 Message-ID: <20030507115954.9B89B942A2@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=536 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #282 is|0 |1 obsolete| | ------- Additional Comments From dtucker at zip.com.au 2003-05-07 21:59 ------- Created an attachment (id=284) --> (http://bugzilla.mindrot.org/attachment.cgi?id=284&action=view) Add configure test for broken openpty() on Linux. Please test. You will need to run "autoreconf". I have updated the snapshot mentioned in comment #10. I had to move the -lutil stuff to before the platform-specific tests since the openpty test needs libutil, I'm not sure about that from a style point of view. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed May 7 22:41:51 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 7 May 2003 22:41:51 +1000 (EST)
Subject: [Bug 318] Install failure creating ssh_prng_cmds
Message-ID: <20030507124151.7EE079429F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=318

------- Additional Comments From dtucker at zip.com.au 2003-05-07 22:41 -------
On my Solaris 8 host here (admittedly not locked down, so things like /var/adm are still readable), the output files are identical for root and non-root users.

$ make ssh_prng_cmds.out
if test ! -z "yes"; then \
	/usr/local/bin/perl ../fixprogs ssh_prng_cmds ; \
fi
$ mv ssh_prng_cmds.out ssh_prng_cmds.out.user
$ sudo make ssh_prng_cmds.out
if test ! -z "yes"; then \
	/usr/local/bin/perl ../fixprogs ssh_prng_cmds ; \
fi
$ ls -l ssh_prng*.out*
-rw-r--r-- 1 root other 1985 May 7 22:53 ssh_prng_cmds.out
-rw-r--r-- 1 dtucker dtucker 1985 May 7 22:53 ssh_prng_cmds.out.user
$ diff -u ssh_prng_cmds.out ssh_prng_cmds.out.user

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From openssh at roumenpetrov.info Wed May 7 23:27:11 2003
From: openssh at roumenpetrov.info (Roumen Petrov) Date: Wed, 07 May 2003 16:27:11 +0300 Subject: Manual Page for ssh_config References: <200305071011.h47ABVpW005725@musashi.et.bocholt.fh-gelsenkirchen.de> Message-ID: <3EB909AF.1030503@roumenpetrov.info> Hi Dirk, Please find answers in quoted text. Dirk Gouders wrote: >Hello, > >I am using OpenSSH on a FreeBSD box >(OpenSSH_3.5p1 FreeBSD-20030201, SSH protocols 1.5/2.0, OpenSSL 0x0090701f) >and I noticed that the manual page for ssh_config probably needs to be >fixed. The manual page says that the default value for the parameter >HostKeyAlgorithms is "ssh-rsa,ssh-dss" but that seems to be wrong, > definitely NO >because ssh only uses RSA-Keys in my .ssh/known_hosts if I >explicitly set the parameter with "ssh-rsa,ssh-dss". If the > Please check closely: 1. command-line options 2. user's configuration file ($HOME/.ssh/config) 3. system-wide configuration file (usually /etc/ssh/ssh_config) >parameter remains commented out, ssh doesn't use the already known >RSA key: > Are you sure ? >WARNING: RSA key found for host somehost.myorg >in /home/somebody/.ssh/known_hosts:1 >RSA key fingerprint d9:ea:ea:c6:10:ab:59:92:87:c9:f0:40:d4:b7:9b:77. >The authenticity of host 'somehost.myorg (192.168.0.22)' can't be established, >but keys of different type are already known for this host. >DSA key fingerprint is 14:cc:25:36:17:77:a9:e2:40:84:5a:03:b7:b1:08:5f. >Are you sure you want to continue connecting (yes/no)? no > Just write "yes" and see what happen at next session. >Host key verification failed > >[SNIP] > I think that your server was started only (!) with DSS key, after this a RSA key is added and restarted or at first session to "somehost.myorg" HostKeyAlgorithms was "ssh-dss,ssh-rsa". -- Get X.509 certificate support in OpenSSH: http://roumenpetrov.info/openssh From bugzilla-daemon at mindrot.org Wed May 7 23:31:21 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 7 May 2003 23:31:21 +1000 (EST)
Subject: [Bug 556] TCP_NODELAY not set completely for port forwarding
Message-ID: <20030507133121.3ABE99427A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=556

Summary: TCP_NODELAY not set completely for port forwarding
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: briang at oasisadvancedengineering.com

When port forwarding is set up, TCP_NODELAY is set on the ports, in order to prevent buffering. This flag is not set in the actual SSH connection. This causes data that flows from the server to the client to be buffered, causing a bursting effect. The solution is to add set_nodelay(newsock) after the accept call in the main function. This solves the problem, but requires TCP_NODELAY to be set on all connections, regardless of port forwards.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed May 7 23:35:22 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 7 May 2003 23:35:22 +1000 (EST)
Subject: [Bug 555] If user does a newgrp before envoking ssh, it fails with a setgid error.
Message-ID: <20030507133522.2589C942B2@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=555

------- Additional Comments From cknipe at register.com 2003-05-07 23:35 -------
In that case, sorry to bother with an old bug, I'll upgrade at my next maintenance window.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From gouders at et.bocholt.fh-ge.de Thu May 8 00:49:20 2003
From: gouders at et.bocholt.fh-ge.de (Dirk GOUDERS) Date: Wed, 07 May 2003 16:49:20 +0200 Subject: Manual Page for ssh_config In-Reply-To: Message from Roumen Petrov of "Wed, 07 May 2003 16:27:11 +0300." <3EB909AF.1030503@roumenpetrov.info> Message-ID: <200305071449.h47EnKpW006213@musashi.et.bocholt.fh-gelsenkirchen.de> Hi Roumen, > Please find answers in quoted text. thanks for your answers. > >and I noticed that the manual page for ssh_config probably needs to be > >fixed. The manual page says that the default value for the parameter > >HostKeyAlgorithms is "ssh-rsa,ssh-dss" but that seems to be wrong, > > > definitely NO OK, then I am misunderstanding something and I would be glad if you could help me to understand it. Maybe I should also tell about the server's OpenSSH version. OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f > >because ssh only uses RSA-Keys in my .ssh/known_hosts if I > >explicitly set the parameter with "ssh-rsa,ssh-dss". If the > > > Please check closely: > 1. command-line options I only give the user/hostname, i.e. "ssh root at somehost.myorg". > 2. user's configuration file ($HOME/.ssh/config) That file doesn't exist. > 3. system-wide configuration file (usually /etc/ssh/ssh_config) This file exists (initial comments left out): Host * # HostKeyAlgorithms ssh-rsa,ssh-dss # ForwardAgent no ForwardX11 yes # RhostsAuthentication no # RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes # BatchMode no # CheckHostIP no # StrictHostKeyChecking ask # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa # Port 22 # Protocol 2,1 # Cipher 3des # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc # EscapeChar ~ # VersionAddendum FreeBSD-20030201 > >parameter remains commented out, ssh doesn't use the already known > >RSA key: > > > Are you sure ? 
Well, with the above configuration, I get asked the following question:

> >WARNING: RSA key found for host somehost.myorg
> >in /home/somebody/.ssh/known_hosts:1
> >RSA key fingerprint d9:ea:ea:c6:10:ab:59:92:87:c9:f0:40:d4:b7:9b:77.
> >The authenticity of host 'somehost.myorg (192.168.0.22)' can't be established,
> >but keys of different type are already known for this host.
> >DSA key fingerprint is 14:cc:25:36:17:77:a9:e2:40:84:5a:03:b7:b1:08:5f.
> >Are you sure you want to continue connecting (yes/no)? no
> >
> Just write "yes" and see what happen at next session.

And if I answer "yes", a ssh-dss key is appended to my ~/.ssh/known_hosts file, although a ssh-rsa key for that host already exists at the top of the file. But, if I use a ssh_config with the parameter "HostKeyAlgorithms ssh-rsa,ssh-dss" enabled, I am not asked a question and (I hope) the ssh-rsa key for somehost.myorg out of ~/.ssh/known_hosts is used.

> I think that your server was started only (!) with DSS key, after this a
> RSA key is added and restarted or at first session to "somehost.myorg"
> HostKeyAlgorithms was "ssh-dss,ssh-rsa".

Can you tell me how I can check this?

Best regards,
Dirk

From deengert at anl.gov Thu May 8 01:01:03 2003
From: deengert at anl.gov (Douglas E. Engert) Date: Wed, 07 May 2003 10:01:03 -0500 Subject: 3.6.1p2, Spurious PAM failure messages WITH "PermitEmptyPasswords no", and a (micro) fix References: <3EB881AB.6050403@yahoo.com> <20030506232329.B15148@google.com> Message-ID: <3EB91FAF.37D358D5@anl.gov> Is this related to the problem I still see on the HP_UX 11.0 with PAM when the password="" The HP pam module failes. So I added back the check for password == '\0' in auth-pam.c and everything works now. It is still not clear why a password="" is being passed to PAM, other then to have the PAM exits get a look at the login. *** ,auth-pam.c Wed Apr 30 10:04:21 2003 --- auth-pam.c Mon May 5 14:05:31 2003 *************** *** 210,215 **** --- 210,227 ---- do_pam_set_conv(&conv); + #if defined(__hpux) + /* add back this from 3.5 PAM on HP 11.0 segfaults + * with password="" */ + /* deny if no user. */ + if (pw == NULL) + return 0; + if (pw->pw_uid == 0 && options.permit_root_login == PERMIT_NO_PASSWD) + return 0; + if (*password == '\0' && options.permit_empty_passwd == 0) + return 0; + #endif /* __hpux */ + __pampasswd = password; pamstate = INITIAL_LOGIN; Frank Cusack wrote: > > On Tue, May 06, 2003 at 08:46:51PM -0700, Lars wrote: > > Hi, > > > > after installing 3.6.1p2 I noticed spurious PAM login failures > > even with PermitEmptyPasswords set to "no": > ... > > That should really be > > + return ok && auth_pam_password(authctxt, password); > > > > (Note that ok is checked first, as I said in the subject its a trivial > > micro fix) > > No, that part of the code is correct as it stands. Take a look at the > list archives, this was discussed just a few days back. > > /fc > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev -- Douglas E. 
Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From fcusack at fcusack.com Thu May 8 05:59:52 2003 From: fcusack at fcusack.com (Frank Cusack) Date: Wed, 7 May 2003 12:59:52 -0700 Subject: 3.6.1p2, Spurious PAM failure messages WITH "PermitEmptyPasswords no", and a (micro) fix In-Reply-To: <3EB91FAF.37D358D5@anl.gov>; from deengert@anl.gov on Wed, May 07, 2003 at 10:01:03AM -0500 References: <3EB881AB.6050403@yahoo.com> <20030506232329.B15148@google.com> <3EB91FAF.37D358D5@anl.gov> Message-ID: <20030507125952.A16211@google.com> On Wed, May 07, 2003 at 10:01:03AM -0500, Douglas E. Engert wrote: > Is this related to the problem I still see on the HP_UX 11.0 with > PAM when the password="" yep > The HP pam module failes. So I added back > the check for password == '\0' in auth-pam.c and everything works now. > > It is still not clear why a password="" is being passed to PAM, > other then to have the PAM exits get a look at the login. In a few days, I'll post a summary of how I think the PAM flow should go, along with a patch to make that happen. (I have to extract the patch from my other local-isms.) Solar Designer has at least some of the same thoughts I did, but doesn't go "all the way". (The Solar Designer stuff made its way into 3.6.1p2 which is why folks are seeing this change in behavior now.) /fc From bugzilla-daemon at mindrot.org Thu May 8 06:07:38 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 8 May 2003 06:07:38 +1000 (EST) Subject: [Bug 200] readline support for sftp Message-ID: <20030507200738.CCDFD94214@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=200 richard.sabag at abnamro.com changed: What |Removed |Added ---------------------------------------------------------------------------- OS/Version|other |Solaris Platform|Other |Sparc Version|-current |3.5p1 ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From wecurm at wunit.net Thu May 8 08:41:01 2003 From: wecurm at wunit.net (Mark Curtis) Date: Thu, 08 May 2003 09:41:01 +1100 Subject: Patch: set the local ip address ssh tunnels bind to for 3.6.1p2 Message-ID: <3EB98B7D.3000603@wunit.net> The following patch is just a cleaned up version from http://research.vovoid.com/smbssh/ which also includes a nice explanation of what the patch is trying to achieve. Full credits should go to them for this pacth, I have simply got it wokring on 3.6.1p2 and I am submitting it here to see if people believe it should be included in the general distribution. Cheers, Mark. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: openssh_3.6.1p2_local_tunnel_bind.patch Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030508/aa24d916/attachment.ksh From dtucker at zip.com.au Thu May 8 09:11:09 2003 
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 08 May 2003 09:11:09 +1000 Subject: Patch: set the local ip address ssh tunnels bind to for 3.6.1p2 References: <3EB98B7D.3000603@wunit.net> Message-ID: <3EB9928D.36D8ED7B@zip.com.au> Mark Curtis wrote: > The following patch is just a cleaned up version from > http://research.vovoid.com/smbssh/ which also includes a nice > explanation of what the patch is trying to achieve. > > Full credits should go to them for this pacth, I have simply got it > wokring on 3.6.1p2 and I am submitting it here to see if people believe > it should be included in the general distribution. There's an open enhancement request for this functionality: http://bugzilla.mindrot.org/show_bug.cgi?id=413 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From bugzilla-daemon at mindrot.org Thu May 8 15:07:10 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 8 May 2003 15:07:10 +1000 (EST) Subject: [Bug 318] Install failure creating ssh_prng_cmds Message-ID: <20030508050710.5657C94208@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=318 ------- Additional Comments From stuge-openssh-unix-dev at cdy.org 2003-05-08 15:07 ------- Quite right. My local machine had six lines removed as user, a Debian system I tried had 26 out of the total 52 removed, I was pretty sure this would be much worse. I'm glad I was wrong though. :) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu May 8 17:02:45 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 8 May 2003 17:02:45 +1000 (EST) Subject: [Bug 200] readline support for sftp Message-ID: <20030508070245.E861D9420A@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=200 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- OS/Version|Solaris |All Platform|Sparc |All Version|3.5p1 |-current ------- Additional Comments From djm at mindrot.org 2003-05-08 17:02 ------- I don't know why this was changed ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla-daemon at mindrot.org Thu May 8 19:51:08 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 8 May 2003 19:51:08 +1000 (EST) Subject: [Bug 536] no access to tty on Linux 2.0 and 2.4+libc5 Message-ID: <20030508095108.985CC94217@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=536 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #284 is|0 |1 obsolete| | ------- Additional Comments From dtucker at zip.com.au 2003-05-08 19:51 ------- Created an attachment (id=285) --> (http://bugzilla.mindrot.org/attachment.cgi?id=285&action=view) Set SSHD_ACQUIRES_CTTY unless openpty tests OK. Similar to previous patch but inverts the sense of the test and adds a bit of error checking. Defining SSHD_ACQUIRES_CTTY is the safe option, so it's defined *unless* we're on a known-good configuration. (The previous test would not set it if the compilation of the test failed and would produce a partially-broken sshd in that case). ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu May 8 19:52:08 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 8 May 2003 19:52:08 +1000 (EST) Subject: [Bug 536] no access to tty on Linux 2.0 and 2.4+libc5 Message-ID: <20030508095208.F409394228@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=536 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |patch ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu May 8 21:16:17 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 8 May 2003 21:16:17 +1000 (EST) Subject: [Bug 318] Install failure creating ssh_prng_cmds Message-ID: <20030508111617.826F294229@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=318 ------- Additional Comments From dtucker at zip.com.au 2003-05-08 21:16 ------- OK, good. Any other objections? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu May 8 22:27:29 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 8 May 2003 22:27:29 +1000 (EST) Subject: [Bug 307] configure fails to add -ldl (RedHat specfile) Message-ID: <20030508122729.0513294243@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=307 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WORKSFORME ------- Additional Comments From dtucker at zip.com.au 2003-05-08 22:27 ------- Works for me too (RH8, openssh-3.6.1p2, openssl-0.9.6b-33). Please re-open if you have more info about the openssl version. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Fri May 9 02:15:12 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 9 May 2003 02:15:12 +1000 (EST)
Subject: [Bug 557] scp over ssh-relay insists in asking passphrase
Message-ID: <20030508161512.339DA94209@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=557

           Summary: scp over ssh-relay insists in asking passphrase
           Product: Portable OpenSSH
           Version: 3.4p1
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: scp
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: michael.armbrecht at hp.com

I am using OpenSSH scp over an ssh relay that does not allocate a tty. In version 2.3.0p1 it was possible to scp files through an ssh relay by enabling agent forwarding and having an ssh-agent running. This does not work anymore in 3.4p1 - scp insists in a passphrase on the ssh relay which results in the "You have no controlling tty. Could not read passphrase." error message.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri May 9 02:33:53 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 9 May 2003 02:33:53 +1000 (EST)
Subject: [Bug 557] scp over ssh-relay insists in asking passphrase
Message-ID: <20030508163353.76A1D9420B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=557

------- Additional Comments From stuge-openssh-unix-dev at cdy.org 2003-05-09 02:33 -------

Make positively sure that agent forwarding is on everywhere. -vvv is your friend. And upgrade to 3.6.1p2, 3.4p1 is quite old.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From markus at openbsd.org Fri May 9 04:05:25 2003
From: markus at openbsd.org (Markus Friedl) Date: Thu, 8 May 2003 20:05:25 +0200 Subject: x509v3-sign-rsa authentication type... In-Reply-To: <200304241348.55176.kstef@mtppi.org> References: <200304241348.55176.kstef@mtppi.org> Message-ID: <20030508180525.GB7440@folly> On Thu, Apr 24, 2003 at 01:48:55PM -0400, Kevin Stefanik wrote: > I've seen a variety of patches on the list for supporting the x509v3 > certificate authentication. Are there any plans to include any of these in > the official openssh? perhaps a simpler version. From kstef at mtppi.org Fri May 9 06:31:23 2003 From: kstef at mtppi.org (Kevin Stefanik) Date: Thu, 8 May 2003 16:31:23 -0400 Subject: get_pin for scard-opensc.c Message-ID: <200305081631.23900.kstef@mtppi.org> I'm attaching a patch to allow ssh client to get a pin from the command line when using a smartcard. Most of it is from a patch by Danny De Cock , but I've used the ssh read_passphrase function instead. Any errors are mine, I'm sure. This enables ssh -I 0 to use a pin-protected smartcard via opensc. Thanks, Kevin Stefanik -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh-3.5p1-opensc-get_pin.patch.bz2 Type: application/x-bzip2 Size: 655 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030508/83a1c785/attachment.bin From kstef at mtppi.org Fri May 9 07:07:22 2003 
From: kstef at mtppi.org (Kevin Stefanik) Date: Thu, 8 May 2003 17:07:22 -0400 Subject: x509v3-sign-rsa authentication type... In-Reply-To: <20030508180525.GB7440@folly> References: <200304241348.55176.kstef@mtppi.org> <20030508180525.GB7440@folly> Message-ID: <200305081707.22933.kstef@mtppi.org> On Thursday 08 May 2003 02:05 pm, Markus Friedl wrote: > On Thu, Apr 24, 2003 at 01:48:55PM -0400, Kevin Stefanik wrote: > > I've seen a variety of patches on the list for supporting the x509v3 > > certificate authentication. Are there any plans to include any of these > > in the official openssh? > > perhaps a simpler version. I've been using Rouen's patch, quite happily, for a couple of weeks now. The simpler patches didn't seem to be as full, e.g., lacking CRLs. From what I saw, most of the complexity was in the x509 store. The actual changes to openssh code didn't seem extreme. Or were they? Would splitting out the x509 store somehow help? Maybe there's a way to split the patch out into more digestible parts? Thanks, Kevin From markus at openbsd.org Fri May 9 08:21:06 2003 From: markus at openbsd.org (Markus Friedl) Date: Fri, 9 May 2003 00:21:06 +0200 Subject: get_pin for scard-opensc.c In-Reply-To: <200305081631.23900.kstef@mtppi.org> References: <200305081631.23900.kstef@mtppi.org> Message-ID: <20030508222106.GA707@folly> i think that if you want to use pin protected cards the ssh-agent should be used. ssh-add will prompt for the pin. On Thu, May 08, 2003 at 04:31:23PM -0400, Kevin Stefanik wrote: > I'm attaching a patch to allow ssh client to get a pin from the command line > when using a smartcard. Most of it is from a patch by Danny De Cock > , but I've used the ssh read_passphrase function > instead. Any errors are mine, I'm sure. > > This enables ssh -I 0 to use a pin-protected smartcard via opensc. > > Thanks, > Kevin Stefanik From markus at openbsd.org Fri May 9 08:21:48 2003 
From: markus at openbsd.org (Markus Friedl) Date: Fri, 9 May 2003 00:21:48 +0200 Subject: get_pin for scard-opensc.c In-Reply-To: <200305081631.23900.kstef@mtppi.org> References: <200305081631.23900.kstef@mtppi.org> Message-ID: <20030508222148.GB707@folly> + sprintf (buf, "Enter PIN [%s]: ", obj->label); never ever use sprintf, please. From bugzilla-daemon at mindrot.org Fri May 9 12:47:55 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 9 May 2003 12:47:55 +1000 (EST) Subject: [Bug 558] configure broken_dirname checks not run on Solaris 2.5.1 Message-ID: <20030509024755.3B7E494209@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=558 Summary: configure broken_dirname checks not run on Solaris 2.5.1 Product: Portable OpenSSH Version: 3.6.1p2 Platform: All OS/Version: Solaris Status: NEW Severity: major Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: alex.kiernan at thus.net In 3.6.1p2 the broken_dirname checks for Solaris 2.5.1 aren't getting run out of configure because -lgen has already been detected. This fixes the problem (moves all checks against -lgen after the dirname checks): RCS file: /cvsroot/upstream/openssh/configure.ac,v retrieving revision 1.1.1.10 diff -u -r1.1.1.10 configure.ac --- configure.ac 2003/04/29 09:12:08 1.1.1.10 +++ configure.ac 2003/05/09 03:00:53 @@ -410,9 +410,6 @@ fi fi -AC_CHECK_FUNC(getspnam, , - AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen")) - AC_ARG_WITH(rpath, [ --without-rpath Disable auto-added -R linker paths], [ @@ -622,7 +619,6 @@ ) AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP)) -AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) dnl Make sure strsep prototype is defined before defining HAVE_STRSEP AC_CHECK_DECL(strsep, [AC_CHECK_FUNCS(strsep)]) 
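Review bot: hunk 1 (`@@ -410,9 +410,6 @@`) deletes the early `AC_CHECK_FUNC(getspnam, , AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen"))`, and that probe sat near the top because the later `AC_CHECK_FUNCS`/`AC_SEARCH_LIBS` tests run with the accumulated `LIBS`; on Solaris 2.5.1 any function test between line 410 and the new position at 659 now runs without `-lgen`, so please attach a diff of the generated config.h (and the final LIBS) from the affected box showing that only the dirname/basename results moved.

Review bot: hunk 2 (`@@ -622,7 +619,6 @@`) relocates `AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME))` the same way; since both moves exist only to keep `-lgen` out of LIBS until the broken_dirname test has run, put a one-line `dnl` comment in configure.ac at the new location saying so, otherwise the next person to tidy the file will reorder them back and silently reintroduce this bug.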
@@ -663,6 +659,10 @@ fi ]) ]) + +AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) +AC_CHECK_FUNC(getspnam, , + AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen")) dnl Checks for time functions AC_CHECK_FUNCS(gettimeofday time) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Fri May 9 12:50:01 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 9 May 2003 12:50:01 +1000 (EST) Subject: [Bug 558] configure broken_dirname checks not run on Solaris 2.5.1 Message-ID: <20030509025001.A450494209@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=558 ------- Additional Comments From alex.kiernan at thus.net 2003-05-09 12:50 ------- Ignore the fix - it fixes configure, but breaks at build time due to incompatible dirname prototypes (libgen.h) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From openssh at roumenpetrov.info Fri May 9 16:50:11 2003 
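Review bot: hunk 3 (`@@ -663,6 +659,10 @@`) re-adds both probes after the dirname checks, but configure still finishes with `-lgen` in LIBS, so the link resolves dirname() from libgen and the `<libgen.h>` prototype still collides with the replacement dirname that BROKEN_DIRNAME is meant to select; the follow-up comment on this bug confirms the build now fails exactly there. Reordering the checks fixes only the configure-time detection; it has to be paired with not pulling in `<libgen.h>` (or renaming the compat dirname) when BROKEN_DIRNAME is defined, and the bug should stay open until that half is done.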
From: openssh at roumenpetrov.info (openssh at roumenpetrov.info)
Date: Fri, 09 May 2003 09:50:11 +0300
Subject: Manual Page for ssh_config
References: <200305071449.h47EnKpW006213@musashi.et.bocholt.fh-gelsenkirchen.de>
Message-ID: <3EBB4FA3.8040903@roumenpetrov.info>

I have rsa (line 6) and dsa (line 7) keys of localhost in $HOME/.ssh/known_hosts

Samples:

$ ssh -v -o HostKeyAlgorithms=ssh-rsa,ssh-dss localhost
...
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /XXXX/.ssh/known_hosts:6
debug1: ssh_rsa_verify: signature correct
...

$ ssh -v -o HostKeyAlgorithms=ssh-dss,ssh-rsa localhost
...
debug1: Host 'localhost' is known and matches the DSA host key.
debug1: Found key in /XXXX/.ssh/known_hosts:7
debug1: ssh_dss_verify: signature correct
...

Sorry, but I cannot understand where is problem and I cannot test with too old server version (insufficient time).

When only rsa key is in ~/.ssh/known_hosts and ssh-dss is after ssh-rsa no DSA key is appended to file.

Dirk GOUDERS wrote:

>Hi Roumen,
>
> > Please find answers in quoted text.
>
>thanks for your answers.
>
> > >and I noticed that the manual page for ssh_config probably needs to be
> > >fixed. The manual page says that the default value for the parameter
> > >HostKeyAlgorithms is "ssh-rsa,ssh-dss" but that seems to be wrong,
> > >
> > definitely NO
>
>OK, then I am misunderstanding something and I would be glad if you
>could help me to understand it.
>
>Maybe I should also tell about the server's OpenSSH version.
>
>OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
>
> > >because ssh only uses RSA-Keys in my .ssh/known_hosts if I
> > >explicitly set the parameter with "ssh-rsa,ssh-dss". If the
> > >
> > Please check closely:
> > 1. command-line options
>
>I only give the user/hostname, i.e. "ssh root at somehost.myorg".
>
> > 2. user's configuration file ($HOME/.ssh/config)
>
>That file doesn't exist.
>
> > 3.
> >    system-wide configuration file (usually /etc/ssh/ssh_config)
>
>This file exists (initial comments left out):
>
>Host *
># HostKeyAlgorithms ssh-rsa,ssh-dss
># ForwardAgent no
>  ForwardX11 yes
># RhostsAuthentication no
># RhostsRSAAuthentication no
># RSAAuthentication yes
># PasswordAuthentication yes
># BatchMode no
># CheckHostIP no
># StrictHostKeyChecking ask
># IdentityFile ~/.ssh/identity
># IdentityFile ~/.ssh/id_rsa
># IdentityFile ~/.ssh/id_dsa
># Port 22
># Protocol 2,1
># Cipher 3des
># Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
># EscapeChar ~
># VersionAddendum FreeBSD-20030201
>
>
> > >parameter remains commented out, ssh doesn't use the already known
> > >RSA key:
> > >
> > Are you sure ?
>
>Well with the above configuration, I get asked the following question:
>
> > >WARNING: RSA key found for host somehost.myorg
> > >in /home/somebody/.ssh/known_hosts:1
> > >RSA key fingerprint d9:ea:ea:c6:10:ab:59:92:87:c9:f0:40:d4:b7:9b:77.
> > >The authenticity of host 'somehost.myorg (192.168.0.22)' can't be established,
> > >but keys of different type are already known for this host.
> > >DSA key fingerprint is 14:cc:25:36:17:77:a9:e2:40:84:5a:03:b7:b1:08:5f.
> > >Are you sure you want to continue connecting (yes/no)? no
> > >
> > Just write "yes" and see what happen at next session.
>
>And if I answer "yes", a ssh-dss key is appended to my
>~/.ssh/known_hosts file, although a ssh-rsa key for that host already
>exists at the top of the file.
>
>But, if I use a ssh_config with the parameter
>"HostKeyAlgorithms ssh-rsa,ssh-dss" enabled, I am not asked a question
>and (I hope) the ssh-rsa key for somehost.myorg out of
>~/.ssh/known_hosts is used.
>
> > I think that your server was started only (!) with DSS key, after this a
> > RSA key is added and restarted or at first session to "somehost.myorg"
> > HostKeyAlgorithms was "ssh-dss,ssh-rsa".
>
>Can you tell me, how I can check this?
>
>Best regards,
>
>Dirk
>
>_______________________________________________
>openssh-unix-dev mailing list
>openssh-unix-dev at mindrot.org
>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From openssh at roumenpetrov.info Fri May 9 17:10:40 2003
From: openssh at roumenpetrov.info (openssh at roumenpetrov.info)
Date: Fri, 09 May 2003 10:10:40 +0300
Subject: x509v3-sign-rsa authentication type...
References: <200304241348.55176.kstef@mtppi.org> <20030508180525.GB7440@folly>
Message-ID: <3EBB5470.1040301@roumenpetrov.info>

Hi Markus,

Take note that ssh-rsa.c/ssh-dss.c cannot be modified easy to add support for x509 certificates.

Markus Friedl wrote:

>On Thu, Apr 24, 2003 at 01:48:55PM -0400, Kevin Stefanik wrote:
>
>>I've seen a variety of patches on the list for supporting the x509v3
>>certificate authentication. Are there any plans to include any of these in
>>the official openssh?
>
>perhaps a simpler version.
>
>_______________________________________________
>openssh-unix-dev mailing list
>openssh-unix-dev at mindrot.org
>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From gentei at 24i.net Fri May 9 17:25:30 2003
From bugzilla-daemon at mindrot.org Fri May 9 18:07:57 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 9 May 2003 18:07:57 +1000 (EST)
Subject: [Bug 557] scp over ssh-relay insists in asking passphrase
Message-ID: <20030509080757.6DCB294207@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=557

------- Additional Comments From michael.armbrecht at hp.com 2003-05-09 18:07 -------

Output from -vvv:

29426: debug1: Rhosts Authentication disabled, originating port will not be trusted.
29426: debug1: ssh_connect: needpriv 0
29426: debug1: Connecting to xxxxxx.com [yy.yy.yy.yy] port 22.
29426: debug1: Connection established.
29426: debug1: identity file /home/xxxxxxxx/.ssh/identity type 0
29426: debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.1p1_OSD-SEC_A.02.11j
29426: debug1: match: OpenSSH_2.5.1p1_OSD-SEC_A.02.11j pat OpenSSH_2.5.0p1*,OpenSSH_2.5.1p1*
29426: debug1: Local version string SSH-1.5-OpenSSH_3.4p1
29426: debug1: Waiting for server public key.
29426: debug1: Received server public key (768 bits) and host key (1024 bits).
29426: debug3: check_host_in_hostfile: filename /home/xxxxxxxx/.ssh/known_hosts
29426: debug3: check_host_in_hostfile: match line 1
29426: debug1: Host 'xxxxxxx.com' is known and matches the RSA1 host key.
29426: debug1: Found key in /home/xxxxxxx/.ssh/known_hosts:1
29426: debug1: Encryption type: blowfish
29426: debug1: Sent encrypted session key.
29426: debug1: Installing crc compensation attack detector.
29426: debug1: Received encrypted confirmation.
29426: debug1: Trying RSA authentication via agent with 'XXXXXXXXXXX'
29426: debug1: Received RSA challenge from server.
29426: debug1: Sending response to RSA challenge.
29426: debug1: Remote: RSA authentication accepted.
29426: debug1: RSA authentication accepted by server.
29426: debug1: Requesting compression at level 6.
29426: debug1: Enabling compression at level 6.
29426: debug1: Sending command: scp -v -f xx at xxxx:/vvvv/www/yyyyy.zzz
29426: debug1: Entering interactive session.
29426: debug1: fd 0 setting O_NONBLOCK
29426: debug1: fd 1 setting O_NONBLOCK
Need passphrase for /home/xxxxx/.ssh/identity
user at linux:~> You have no controlling tty. Cannot read passphrase.
29426: debug2: fd 0 is not O_NONBLOCK
29426: debug1: fd 1 clearing O_NONBLOCK
29426: debug1: Transferred: stdin 55, stdout 48, stderr 55 bytes in 0.5 seconds
29426: debug1: Bytes per second: stdin 106.2, stdout 92.7, stderr 106.2
29426: debug1: Exit status 255
29426: debug1: compress outgoing: raw data 111, compressed 120, factor 1.08
29426: debug1: compress incoming: raw data 118, compressed 115, factor 0.97

Forward is on everywhere, even set it with "-o" on the cli. Will try version 3.6.1 instead. 3.4p1 came with SuSE8.1.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From openssh at roumenpetrov.info Fri May 9 18:24:53 2003
From: openssh at roumenpetrov.info (Roumen Petrov) Date: Fri, 09 May 2003 11:24:53 +0300 Subject: x509v3-sign-rsa authentication type... References: <200304241348.55176.kstef@mtppi.org> <20030508180525.GB7440@folly> <200305081707.22933.kstef@mtppi.org> Message-ID: <3EBB65D5.7020106@roumenpetrov.info> Kevin Stefanik wrote: >On Thursday 08 May 2003 02:05 pm, Markus Friedl wrote: > > >>On Thu, Apr 24, 2003 at 01:48:55PM -0400, Kevin Stefanik wrote: >> >> >>>I've seen a variety of patches on the list for supporting the x509v3 >>>certificate authentication. Are there any plans to include any of these >>>in the official openssh? >>> >>> >>perhaps a simpler version. >> >> > >I've been using Rouen's patch, quite happily, for a couple of weeks now. The >simpler patches didn't seem to be as full, e.g., lacking CRLs. From what I >saw, most of the complexity was in the x509 store. The actual changes to >openssh code didn't seem extreme. Or were they? > >Would splitting out the x509 store somehow help? Maybe there's a way to split >the patch out into more digestible parts? > It is possible to remove x509 store, i.e. to split patch, but 1.) this make order of applying patches very important. 2.) X509 cert. support (versions from 'b' to 'd') contain a pointer to function x509store_check(), i.e. when pointer is NULL don't verify cert. A program (sshd/ssh) should set this pointer. Take note when pointer is NULL this is BUG: when user authorized_keys/known_hosts files contain a cert. in blob format it is possible to skip cert. verification, but when authorized_keys/known_hosts contain DN (Distinguished Name) we should verify sent user/server certificate. Version after "d" call always x509store_check(). In conclusion without x509 store we can put a cert. in authorized_keys/known_hosts only in blob format, with x509 store we can use both (blob and DN). From wlh6e6o3e18y at hotmail.com Fri May 9 15:19:57 2003 
From kstef at mtppi.org Fri May 9 23:52:59 2003 From: kstef at mtppi.org (Kevin Stefanik) Date: Fri, 9 May 2003 09:52:59 -0400 Subject: get_pin for scard-opensc.c Message-ID: <200305090952.59492.kstef@mtppi.org> Forgot the list... ---------- Forwarded Message ---------- Subject: Re: get_pin for scard-opensc.c Date: Friday 09 May 2003 09:41 am From: Kevin Stefanik To: Markus Friedl On Thursday 08 May 2003 06:21 pm, you wrote: > + sprintf (buf, "Enter PIN [%s]: ", obj->label); > > never ever use sprintf, please. Thank you for your polite restraint. Kevin PS: I also fixed a possible memory leak on sc_pin if pin verification failed. ------------------------------------------------------- -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh-3.5p1-opensc-get_pin.patch Type: text/x-diff Size: 2443 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030509/13df4835/attachment.bin From gouders at 'et.bocholt.fh-ge.de' Sat May 10 00:26:50 2003
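The two points in this exchange, bounded prompt formatting and releasing the PIN on the failure path, as an added example written for this archive; it is not Kevin's patch and not code from scard-opensc.c. The prompt is built with snprintf and the caller refuses to continue on truncation instead of overrunning the buffer, and the PIN string is wiped and freed whether or not verification succeeds (the leak Kevin mentions). `read_pin_fn` and `verify_pin_fn` are hypothetical callbacks standing in for ssh's read_passphrase() and OpenSC's PIN verification; the demo implementations are constructed so the file runs on its own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Shape under review (do not use):
 *     sprintf(buf, "Enter PIN [%s]: ", obj->label);
 * With a fixed-size buf, a card label longer than the buffer overruns it. */

/* Bounded replacement. Returns the prompt length on success, or -1 if
 * snprintf() failed or the result did not fit; on -1 the buffer holds an
 * empty string so a partial prompt is never shown. */
int format_pin_prompt(char *buf, size_t buflen, const char *label)
{
    int n = snprintf(buf, buflen, "Enter PIN [%s]: ", label);
    if (n < 0 || (size_t)n >= buflen) {
        if (buflen > 0)
            buf[0] = '\0';
        return -1;
    }
    return n;
}

/* Overwrite a secret string before freeing it. A plain memset() on a buffer
 * that is about to be freed may be optimised away; writing through a
 * volatile pointer keeps the stores. */
void wipe_and_free(char *secret)
{
    if (secret == NULL)
        return;
    volatile char *v = secret;
    for (size_t n = strlen(secret); n > 0; n--)
        *v++ = 0;
    free(secret);
}

/* Hypothetical hooks: a passphrase reader returning a malloc'd string (the
 * contract of ssh's read_passphrase()) and a card PIN verifier returning 0
 * on success. Neither is an OpenSSH or OpenSC API. */
typedef char *(*read_pin_fn)(const char *prompt);
typedef int (*verify_pin_fn)(const char *pin);

/* Prompt for the PIN and verify it. The PIN is released on every exit path,
 * including a failed verification, so it never outlives this call.
 * Returns 0 on success, -1 otherwise. */
int verify_card_pin(const char *label, read_pin_fn read_pin, verify_pin_fn verify)
{
    char prompt[128];
    if (format_pin_prompt(prompt, sizeof prompt, label) < 0)
        return -1;                  /* refuse rather than show a mangled prompt */
    char *pin = read_pin(prompt);
    if (pin == NULL || pin[0] == '\0') {
        wipe_and_free(pin);         /* handles NULL */
        return -1;
    }
    int rc = verify(pin);
    wipe_and_free(pin);             /* on success and on failure */
    return rc == 0 ? 0 : -1;
}

/* Constructed stand-ins for the stand-alone run: the "card" accepts 1234. */
static char *demo_read_pin(const char *prompt)
{
    (void)prompt;                   /* a real reader would display this */
    char *p = malloc(5);
    if (p != NULL)
        memcpy(p, "1234", 5);
    return p;
}
static int demo_verify_ok(const char *pin)   { return strcmp(pin, "1234") == 0 ? 0 : -1; }
static int demo_verify_fail(const char *pin) { (void)pin; return -1; }

int main(void)
{
    char prompt[128];
    format_pin_prompt(prompt, sizeof prompt, "Example card");
    printf("%s\n", prompt);
    printf("verify ok:   %d\n", verify_card_pin("Example card", demo_read_pin, demo_verify_ok));
    printf("verify fail: %d\n", verify_card_pin("Example card", demo_read_pin, demo_verify_fail));
    return 0;
}
```

The truncation check matters because the label comes from the card, not from the user: a card that reports an unexpectedly long label would otherwise turn a cosmetic prompt into a stack overwrite.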
From: gouders at 'et.bocholt.fh-ge.de' (Dirk GOUDERS)
Date: Fri, 09 May 2003 16:26:50 +0200
Subject: Manual Page for ssh_config
In-Reply-To: Message from openssh@roumenpetrov.info of "Fri, 09 May 2003 09:50:11 +0300." <3EBB4FA3.8040903@roumenpetrov.info>
Message-ID: <200305091426.h49EQoBi000596@musashi.et.bocholt.fh-gelsenkirchen.de>

> Sorry, but I cannot understand where is problem and I cannot test with
> too old server version (insufficient time).

Thanks for your reply and sorry for the prior use of an out of date version.

I did some more testing and on a GNU/Linux system, I installed a newer OpenSSH version (the same as on my FreeBSD system) and noticed that the two systems behave differently with identical configuration files.

On both machines, I have no key for localhost in the file ~/.ssh/known_hosts. On the GNU/Linux system, if I try to connect to localhost, the RSA key fingerprint is printed and I get asked if I am sure that I want to connect, but on the FreeBSD machine the DSA key fingerprint is printed before the question.

Well, with identical OpenSSH versions and configuration files (sshd_config as well as ssh_config), I am wondering what it is that could cause the two systems to behave differently...

I attach the console outputs from both machines:

GNU/LINUX:
------------------------------------------------------------------------
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug1: Reading configuration data /usr/etc/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file ~/.ssh/identity type -1 debug1: identity file ~/.ssh/id_rsa type -1 debug1: identity file ~/.ssh/id_dsa type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_3.5p1 debug1: match: OpenSSH_3.5p1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.5p1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-cbc hmac-md5 none debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 140/256 debug1: bits set: 1043/2049 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY The authenticity of host 'localhost (127.0.0.1)' can't be established. RSA key fingerprint is d9:eb:e9:c6:10:cb:59:93:87:c8:f0:42:d4:b9:9b:77. Are you sure you want to continue connecting (yes/no)? no Host key verification failed. debug1: Calling cleanup 0x8065650(0x0) ------------------------------------------------------------------------ FreeBSD: ------------------------------------------------------------------------ OpenSSH_3.5p1 FreeBSD-20030201, SSH protocols 1.5/2.0, OpenSSL 0x0090701f debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1: Connecting to localhost [127.0.0.1] port 22. debug1: Connection established. 
debug1: identity file ~/.ssh/identity type -1 debug1: identity file ~/.ssh/id_rsa type -1 debug1: identity file ~/.ssh/id_dsa type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_3.5p1 FreeBSD-20030201 debug1: match: OpenSSH_3.5p1 FreeBSD-20030201 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.5p1 FreeBSD-20030201 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-cbc hmac-md5 none debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 121/256 debug1: bits set: 1570/3191 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY The authenticity of host 'localhost (127.0.0.1)' can't be established. DSA key fingerprint is 4f:a4:6a:63:0b:f0:7f:de:0b:02:9e:5a:2a:81:b0:c8. Are you sure you want to continue connecting (yes/no)? no Host key verification failed. debug1: Calling cleanup 0x804c158(0x0) ------------------------------------------------------------------------ From kstef at mtppi.org Sat May 10 00:56:55 2003 
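An added diagnostic for the RSA-versus-DSA difference in the two transcripts above (this is not part of the original thread): in protocol 2 the host key type that ends up being shown is negotiated in SSH2_MSG_KEXINIT, as the first entry of the client's HostKeyAlgorithms list that the server also has a key for. Pinning that list on the client separates the two possible causes, a different default preference order on one system, or a server that only has one key type loaded. The option name exists in the OpenSSH 3.5 client; the host and file paths are the ones from the transcripts.

```text
# ~/.ssh/config on the client; run "ssh -v localhost" after each change
Host localhost
    # Ask for RSA only. If the FreeBSD side now fails at key exchange, that
    # sshd has no RSA host key loaded: check the HostKey lines in
    # /etc/ssh/sshd_config and that the RSA key file exists and is
    # readable by sshd. If it succeeds and shows the RSA fingerprint, both
    # servers have both keys and only the client-side preference differed.
    HostKeyAlgorithms ssh-rsa

# Then repeat the same check the other way round:
#    HostKeyAlgorithms ssh-dss
```

Note that on a first connection the fingerprint prompt is the only thing standing between the user and a substituted host key, so whichever type is negotiated, the fingerprint should be compared against one obtained out of band rather than accepted because the type "looks right".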
From: kstef at mtppi.org (Kevin Stefanik) Date: Fri, 9 May 2003 10:56:55 -0400 Subject: x509v3-sign-rsa authentication type... In-Reply-To: <3EBB65D5.7020106@roumenpetrov.info> References: <200304241348.55176.kstef@mtppi.org> <200305081707.22933.kstef@mtppi.org> <3EBB65D5.7020106@roumenpetrov.info> Message-ID: <200305091056.55129.kstef@mtppi.org> On Friday 09 May 2003 04:24 am, Roumen Petrov wrote: > Kevin Stefanik wrote: > >On Thursday 08 May 2003 02:05 pm, Markus Friedl wrote: > >>On Thu, Apr 24, 2003 at 01:48:55PM -0400, Kevin Stefanik wrote: > >>>I've seen a variety of patches on the list for supporting the x509v3 > >>>certificate authentication. Are there any plans to include any of > >>> these in the official openssh? > >> > >>perhaps a simpler version. > > > >I've been using Rouen's patch, quite happily, for a couple of weeks now. > > The simpler patches didn't seem to be as full, e.g., lacking CRLs. From > > what I saw, most of the complexity was in the x509 store. The actual > > changes to openssh code didn't seem extreme. Or were they? > > > >Would splitting out the x509 store somehow help? Maybe there's a way to > > split the patch out into more digestible parts? > > It is possible to remove x509 store, i.e. to split patch, but > 1.) this make order of applying patches very important. > 2.) X509 cert. support (versions from 'b' to 'd') contain a pointer to > function x509store_check(), i.e. when pointer is NULL don't verify cert. > A program (sshd/ssh) should set this pointer. Take note when pointer is > NULL this is BUG: when user authorized_keys/known_hosts files contain a > cert. in blob format it is possible to skip cert. verification, but when > authorized_keys/known_hosts contain DN (Distinguished Name) we should > verify sent user/server certificate. Version after "d" call always > x509store_check(). > > In conclusion without x509 store we can put a cert. 
in
> authorized_keys/known_hosts only in blob format, with x509 store we can
> use both (blob and DN).

So it's possible to enable a certificate to be used when it is stored as a blob in both the identity file and the authorized keys file? Without including all the x509 store parts? In order to revoke a certificate, then, it would have to be removed from the authorized_keys file, just like a key would? And no info on allowed CA's would be needed?

How much of the x509 store is duplicate to what openssl already does? Can the complexity be reduced by pushing more work over to openssl, which should already have its own setup for allowed CA's, CRL's, etc.

Sorry to pester, but I'd really like to get interoperability with Windows clients using certificates in the mainline openssh. Since the heavy lifting has already been done (and well!), I hope it's possible.

Thanks,
Kevin

From bugzilla-daemon at mindrot.org Sat May 10 00:53:12 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 10 May 2003 00:53:12 +1000 (EST) Subject: [Bug 536] no access to tty on Linux 2.0 and 2.4+libc5 Message-ID: <20030509145312.070AE942CB@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=536 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #285 is|0 |1 obsolete| | ------- Additional Comments From dtucker at zip.com.au 2003-05-10 00:53 ------- Created an attachment (id=286) --> (http://bugzilla.mindrot.org/attachment.cgi?id=286&action=view) Set SSHD_ACQUIRES_CTTY unless openpty tests OK (clean up) Add a Linux-specific openpty/libutil test and leave the original login/libutil tests alone. Fix some spaces -> tabs. Tests OK on Redhat 8 and Debian Slink. This is the final patch unless someone points out a problem. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From markus at openbsd.org Sat May 10 02:29:23 2003 From: markus at openbsd.org (Markus Friedl) Date: Fri, 9 May 2003 18:29:23 +0200 Subject: x509v3-sign-rsa authentication type... In-Reply-To: <200305091056.55129.kstef@mtppi.org> References: <200304241348.55176.kstef@mtppi.org> <200305081707.22933.kstef@mtppi.org> <3EBB65D5.7020106@roumenpetrov.info> <200305091056.55129.kstef@mtppi.org> Message-ID: <20030509162923.GC7477@folly> On Fri, May 09, 2003 at 10:56:55AM -0400, Kevin Stefanik wrote: > Sorry to pester, but I'd really like to get interoperability with Windows > clients using certificates in the mainline openssh. Since the heavy lifting > has already been done (and well!), I hope it's possible. i've been using this patch for hostkeys+x509 support. interop with ssh.com's windows client w/o problem. but Roumen sees problems with this approach. From markus at openbsd.org Sat May 10 02:29:51 2003 
From: markus at openbsd.org (Markus Friedl) Date: Fri, 9 May 2003 18:29:51 +0200 Subject: x509v3-sign-rsa authentication type... In-Reply-To: <3EBB5470.1040301@roumenpetrov.info> References: <200304241348.55176.kstef@mtppi.org> <20030508180525.GB7440@folly> <3EBB5470.1040301@roumenpetrov.info> Message-ID: <20030509162951.GD7477@folly> On Fri, May 09, 2003 at 10:10:40AM +0300, openssh at roumenpetrov.info wrote: > Hi Markus, > > Take note that ssh-rsa.c/ssh-dss.c cannot be modified easy to add > support for x509 certificates. what's the problem? i forgot.... :( From openssh at roumenpetrov.info Sat May 10 02:47:36 2003 
From: openssh at roumenpetrov.info (Roumen Petrov) Date: Fri, 09 May 2003 19:47:36 +0300 Subject: x509v3-sign-rsa authentication type... References: <200304241348.55176.kstef@mtppi.org> <200305081707.22933.kstef@mtppi.org> <3EBB65D5.7020106@roumenpetrov.info> <200305091056.55129.kstef@mtppi.org> Message-ID: <3EBBDBA8.4080707@roumenpetrov.info> Hi Kevin, please find answers in quoted text. Kevin Stefanik wrote: >On Friday 09 May 2003 04:24 am, Roumen Petrov wrote: > > >> Kevin Stefanik wrote: >> >> >>>On Thursday 08 May 2003 02:05 pm, Markus Friedl wrote: >>> >>> >>>>On Thu, Apr 24, 2003 at 01:48:55PM -0400, Kevin Stefanik wrote: >>>> >>>> >>>>>I've seen a variety of patches on the list for supporting the x509v3 >>>>>certificate authentication. Are there any plans to include any of >>>>>these in the official openssh? >>>>> >>>>> >>>>perhaps a simpler version. >>>> >>>> >>>I've been using Rouen's patch, quite happily, for a couple of weeks now. >>>The simpler patches didn't seem to be as full, e.g., lacking CRLs. From >>>what I saw, most of the complexity was in the x509 store. The actual >>>changes to openssh code didn't seem extreme. Or were they? >>> >>>Would splitting out the x509 store somehow help? Maybe there's a way to >>>split the patch out into more digestible parts? >>> >>> >>It is possible to remove x509 store, i.e. to split patch, but >>1.) this make order of applying patches very important. >>2.) X509 cert. support (versions from 'b' to 'd') contain a pointer to >>function x509store_check(), i.e. when pointer is NULL don't verify cert. >>A program (sshd/ssh) should set this pointer. Take note when pointer is >>NULL this is BUG: when user authorized_keys/known_hosts files contain a >>cert. in blob format it is possible to skip cert. verification, but when >>authorized_keys/known_hosts contain DN (Distinguished Name) we should >>verify sent user/server certificate. Version after "d" call always >>x509store_check(). 
>> >>In conclusion without x509 store we can put a cert. in >>authorized_keys/known_hosts only in blob format, with x509 store we can >>use both (blob and DN). >> >> > >So it's possible to enable a certificate to be used when it is stored as a >blob in both the identity file and the authorized keys file? Without >including all the x509 store parts? In order to revoke a certificate, then, >it would have to be removed from the authorized_keys file, just like a key >would? And no info on allowed CA's would be needed? > You can write own method ssh_x509_equal() and comment code in ssh_x509store_check(). >How much of the x509 store is duplicate to what openssl already does? Can the >complexity be reduced by pushing more work over to openssl, which should >already have it's own setup for allowed CA's, CRL's, etc. > You can share "OpenSSH x509 store" with apache and other (?) applications. About CRL - openssl 0.9.6 don't check revoked certs. With openssl 0.9.7betas is possible to check for revoked certs but I have strange problems with openssl implementation. In future is possible (might) to use openssl code for revoked certs. If you don't like to check for revoked certs just comment #define SSH_CHECK_REVOKED in x509store.c. About cert. verification - openssl do all job and openssh code only init a X509_STORE (based on OpenSSH configuration) and call a method(s) from openssl. When we try to use DN OpenSSH should use own method to compare two certificates only by name(subject). OpenSSL method is limited and in some cases will reject connection from an application with windows keystore. >Sorry to pester, but I'd really like to get interoperability with Windows >clients using certificates in the mainline openssh. Since the heavy lifting >has already been done (and well!), I hope it's possible. > Enjoy ;-) From markus at openbsd.org Sat May 10 02:48:29 2003 
From: markus at openbsd.org (Markus Friedl) Date: Fri, 9 May 2003 18:48:29 +0200 Subject: x509v3-sign-rsa authentication type... In-Reply-To: <20030509162923.GC7477@folly> References: <200304241348.55176.kstef@mtppi.org> <200305081707.22933.kstef@mtppi.org> <3EBB65D5.7020106@roumenpetrov.info> <200305091056.55129.kstef@mtppi.org> <20030509162923.GC7477@folly> Message-ID: <20030509164829.GA5123@folly> oops, here's the patch On Fri, May 09, 2003 at 06:29:23PM +0200, Markus Friedl wrote: > On Fri, May 09, 2003 at 10:56:55AM -0400, Kevin Stefanik wrote: > > Sorry to pester, but I'd really like to get interoperability with Windows > > clients using certificates in the mainline openssh. Since the heavy lifting > > has already been done (and well!), I hope it's possible. > > i've been using this patch for hostkeys+x509 support. > interop with ssh.com's windows client w/o problem. > > but Roumen sees problems with this approach. Index: Makefile.inc =================================================================== RCS file: /cvs/src/usr.bin/ssh/Makefile.inc,v retrieving revision 1.23 diff -U10 -r1.23 Makefile.inc --- Makefile.inc 6 Mar 2002 00:23:27 -0000 1.23 +++ Makefile.inc 9 Jan 2003 09:48:05 -0000 @@ -3,21 +3,23 @@ CFLAGS+= -I${.CURDIR}/.. CDIAGFLAGS= -Wall #CDIAGFLAGS+= -Werror CDIAGFLAGS+= -Wpointer-arith CDIAGFLAGS+= -Wno-uninitialized #CDIAGFLAGS+= -Wstrict-prototypes CDIAGFLAGS+= -Wmissing-prototypes CDIAGFLAGS+= -Wunused -#DEBUG=-g +DEBUG=-g + +CFLAGS+= -DDEBUG_X509 #CFLAGS+= -DSMARTCARD #LDADD+= -lsectok .include .if exists(${.CURDIR}/../lib/${__objdir}) LDADD+= -L${.CURDIR}/../lib/${__objdir} -lssh DPADD+= ${.CURDIR}/../lib/${__objdir}/libssh.a .else Index: authfile.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/authfile.c,v retrieving revision 1.52 diff -U10 -r1.52 authfile.c --- authfile.c 13 Mar 2003 11:42:18 -0000 1.52 +++ authfile.c 9 May 2003 16:25:10 -0000 
@@ -477,20 +477,38 @@ prv->dsa = EVP_PKEY_get1_DSA(pk); prv->type = KEY_DSA; name = "dsa w/o comment"; #ifdef DEBUG_PK DSA_print_fp(stderr, prv->dsa, 8); #endif } else { error("PEM_read_PrivateKey: mismatch or " "unknown EVP_PKEY save_type %d", pk->save_type); } + if (prv != NULL) { + /* try to get a certificate if we have the private key */ + prv->x509 = PEM_read_X509(fp, NULL, NULL, (char *)passphrase); + if (prv->x509 != NULL) { + debug("PEM_read_X509"); +#ifdef DEBUG_X509 + X509_print_fp(stdout, prv->x509); + { + EVP_PKEY *pkey = X509_get_pubkey(prv->x509); + if (pkey->type == EVP_PKEY_RSA) { + debug("PEM_read_X509 -> RSA"); + } else if (pkey->type == EVP_PKEY_DSA) { + debug("PEM_read_X509 -> DSA"); + } + } +#endif + } + } fclose(fp); if (pk != NULL) EVP_PKEY_free(pk); if (prv != NULL && commentp) *commentp = xstrdup(name); debug("read PEM private key done: type %s", prv ? key_type(prv) : ""); return prv; } Index: key.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/key.c,v retrieving revision 1.51 diff -U10 -r1.51 key.c --- key.c 12 Feb 2003 09:33:04 -0000 1.51 +++ key.c 5 Mar 2003 22:31:16 -0000 @@ -44,24 +44,26 @@ #include "bufaux.h" #include "log.h" Key * key_new(int type) { Key *k; RSA *rsa; DSA *dsa; k = xmalloc(sizeof(*k)); + memset(k, 0, sizeof(*k)); k->type = type; k->flags = 0; k->dsa = NULL; k->rsa = NULL; + k->x509 = NULL; switch (k->type) { case KEY_RSA1: case KEY_RSA: if ((rsa = RSA_new()) == NULL) fatal("key_new: RSA_new failed"); if ((rsa->n = BN_new()) == NULL) fatal("key_new: BN_new failed"); if ((rsa->e = BN_new()) == NULL) fatal("key_new: BN_new failed"); k->rsa = rsa; 
@@ -134,20 +136,24 @@ if (k->dsa != NULL) DSA_free(k->dsa); k->dsa = NULL; break; case KEY_UNSPEC: break; default: fatal("key_free: bad key type %d", k->type); break; } + if (k->x509 != NULL) { + X509_free(k->x509); + k->x509 = NULL; + } xfree(k); } int key_equal(Key *a, Key *b) { if (a == NULL || b == NULL || a->type != b->type) return 0; switch (a->type) { case KEY_RSA1: case KEY_RSA: @@ -535,20 +541,22 @@ break; } return "unknown"; } char * key_ssh_name(Key *k) { switch (k->type) { case KEY_RSA: + if (k->x509) + return "x509v3-sign-rsa"; return "ssh-rsa"; break; case KEY_DSA: return "ssh-dss"; break; } return "ssh-unknown"; } u_int @@ -639,20 +647,24 @@ if (strcmp(name, "rsa1") == 0) { return KEY_RSA1; } else if (strcmp(name, "rsa") == 0) { return KEY_RSA; } else if (strcmp(name, "dsa") == 0) { return KEY_DSA; } else if (strcmp(name, "ssh-rsa") == 0) { return KEY_RSA; } else if (strcmp(name, "ssh-dss") == 0) { return KEY_DSA; + } else if (strcmp(name, "x509v3-sign-rsa") == 0) { + return KEY_RSA; + } else if (strcmp(name, "x509v3-sign-dss") == 0) { + return KEY_DSA; } debug2("key_type_from_name: unknown key type '%s'", name); return KEY_UNSPEC; } int key_names_valid2(const char *names) { char *s, *cp, *p; 
@@ -736,23 +748,31 @@ buffer_init(&b); switch (key->type) { case KEY_DSA: buffer_put_cstring(&b, key_ssh_name(key)); buffer_put_bignum2(&b, key->dsa->p); buffer_put_bignum2(&b, key->dsa->q); buffer_put_bignum2(&b, key->dsa->g); buffer_put_bignum2(&b, key->dsa->pub_key); break; case KEY_RSA: - buffer_put_cstring(&b, key_ssh_name(key)); - buffer_put_bignum2(&b, key->rsa->e); - buffer_put_bignum2(&b, key->rsa->n); + if (key->x509) { + u_char *p; + /* XXX ssh.com does not accept a key name here */ + len = i2d_X509(key->x509, NULL); + p = buffer_append_space(&b, len); + i2d_X509(key->x509, &p); + } else { + buffer_put_cstring(&b, key_ssh_name(key)); + buffer_put_bignum2(&b, key->rsa->e); + buffer_put_bignum2(&b, key->rsa->n); + } break; default: error("key_to_blob: unsupported key type %d", key->type); buffer_free(&b); return 0; } len = buffer_len(&b); if (lenp != NULL) *lenp = len; if (blobp != NULL) { Index: key.h =================================================================== RCS file: /cvs/src/usr.bin/ssh/key.h,v retrieving revision 1.20 diff -U10 -r1.20 key.h --- key.h 12 Feb 2003 09:33:04 -0000 1.20 +++ key.h 5 Mar 2003 22:31:16 -0000 @@ -21,20 +21,21 @@ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef KEY_H #define KEY_H #include #include +#include typedef struct Key Key; enum types { KEY_RSA1, KEY_RSA, KEY_DSA, KEY_UNSPEC }; enum fp_type { SSH_FP_SHA1, 
@@ -46,20 +47,21 @@ }; /* key is stored in external hardware */ #define KEY_FLAG_EXT 0x0001 struct Key { int type; int flags; RSA *rsa; DSA *dsa; + X509 *x509; }; Key *key_new(int); Key *key_new_private(int); void key_free(Key *); Key *key_demote(Key *); int key_equal(Key *, Key *); char *key_fingerprint(Key *, enum fp_type, enum fp_rep); char *key_type(Key *); int key_write(Key *, FILE *); Index: ssh-rsa.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh-rsa.c,v retrieving revision 1.28 diff -U10 -r1.28 ssh-rsa.c --- ssh-rsa.c 12 Feb 2003 09:33:04 -0000 1.28 +++ ssh-rsa.c 5 Mar 2003 22:31:17 -0000 @@ -81,21 +81,25 @@ debug("slen %u > len %u", slen, len); memmove(sig + diff, sig, len); memset(sig, 0, diff); } else if (len > slen) { error("ssh_rsa_sign: slen %u slen2 %u", slen, len); xfree(sig); return -1; } /* encode signature */ buffer_init(&b); +#if 0 buffer_put_cstring(&b, "ssh-rsa"); +#else + buffer_put_cstring(&b, key_ssh_name(key)); +#endif buffer_put_string(&b, sig, slen); len = buffer_len(&b); if (lenp != NULL) *lenp = len; if (sigp != NULL) { *sigp = xmalloc(len); memcpy(*sigp, buffer_ptr(&b), len); } buffer_free(&b); memset(sig, 's', slen); From thorpe at wnmail.att.com Sat May 10 03:53:21 2003 
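Review bot: the Makefile.inc hunk switches DEBUG=-g on and adds -DDEBUG_X509 to CFLAGS unconditionally; both are development leftovers and should be dropped before the change lands. With DEBUG_X509 defined, the authfile.c hunk calls X509_print_fp(stdout, prv->x509), and ssh's stdout is the data stream its caller reads when ssh runs non-interactively (a remote command's output, or a ProxyCommand transport), so the certificate dump would corrupt that stream.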
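Review bot: in the authfile.c hunk the certificate returned by PEM_read_X509() is attached to prv without any check that it certifies the private key just loaded; add an X509_check_private_key(prv->x509, pk) test and reject a mismatch, otherwise a stray certificate in the identity file produces a key whose blob (see key_to_blob) advertises one public key while signatures are made with another. Two smaller points in the same hunk: when the file carries no certificate PEM_read_X509() leaves a PEM_R_NO_START_LINE entry on the OpenSSL error queue that should be cleared, and in the DEBUG_X509 block the EVP_PKEY from X509_get_pubkey() is a new reference that is dereferenced without a NULL check and never freed.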
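Review bot: key_equal() in the key.c hunk is left comparing RSA n/e only, so two Key objects with the same RSA public key but different certificates, or one with and one without, compare equal even though key_to_blob() serialises them differently; decide which identity a certificate-bearing key has and make key_equal() and key_to_blob() agree. key_demote(), declared in the key.h hunk, is also not touched, so a demoted copy drops the x509 member silently.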
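Review bot: in the key_to_blob() hunk the result of `len = i2d_X509(key->x509, NULL)` is used unchecked, although i2d_X509 returns a negative value on failure and len is unsigned, and the return value of the second i2d_X509() call is ignored, so an encoding failure appends len bytes of uninitialised buffer space. The KEY_DSA branch also ignores key->x509, and key_ssh_name() only ever returns "x509v3-sign-rsa", while key_type_from_name() accepts "x509v3-sign-dss": a DSA key carrying a certificate is silently sent as plain ssh-dss. Either reject certificates on DSA keys in key_new()/authfile.c or carry the name through consistently.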
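Review bot: the ssh-rsa.c hunk changes the type string written into the signature blob to key_ssh_name(key), i.e. "x509v3-sign-rsa" for certificate keys, but the matching change on the verification side is not in the patch; whatever string ssh_rsa_verify() compares against must accept the new name as well, or every signature made with a certificate key fails verification. Remove the `#if 0` around the old buffer_put_cstring(&b, "ssh-rsa") line rather than leaving both variants in the file.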
From: thorpe at wnmail.att.com (Henry E. Thorpe) Date: Fri, 9 May 2003 13:53:21 -0400 Subject: TCP_NODELAY always set, now? Message-ID: <20030509175321.GA27967@ermine.mt.att.com> I know that there was a discussion on this about a year back, and there is a bug 556 this week that mentions TCP_NODELAY. However, when I use ssh through a pipe (e.g., to tunnel through an HTTP proxy using CONNECT) I see: getsockopt TCP_NODELAY: Socket operation on non-socket How do I tell which end is generating this (I'm assuming the local side, which is running through the pipe). Also, does anyone care, or is this the expected behavior? Connection looks like this: ssh -> pipe using ProxyCommand -> proxy -> sshd Client is OpenSSH_3.6.1p1 on FreeBSD 4.7-RELEASE-p6, server is OpenSSH_3.6 on OpenBSD/i386 3.3. -- Henry E. Thorpe From Leakin at dfw.Nostrum.com Sat May 10 08:17:05 2003 From: Leakin at dfw.Nostrum.com (Lee Eakin) Date: Fri, 9 May 2003 17:17:05 -0500 Subject: TCP_NODELAY always set, now? In-Reply-To: <20030509175321.GA27967@ermine.mt.att.com> References: <20030509175321.GA27967@ermine.mt.att.com> Message-ID: <20030509221704.GB15721@japh.itg.ti.com> I posted an ugly kludge for this right after 3.6.1p1 was released, but then SAKIYAMA Nobuo replied with a proper fix (a missing return statement): diff -u packet.c.ORIG packet.c --- packet.c.ORIG Tue Apr 1 05:43:39 2003 +++ packet.c Thu Apr 3 13:34:04 2003 @@ -1344,6 +1344,7 @@ /* Only set socket options if using a socket. */ if (!packet_connection_is_on_socket()) + return; if (interactive) set_nodelay(connection_in); #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN) ---begin quoted text--- > X-Original-To: openssh-unix-dev at mindrot.org 
> From: "Henry E. Thorpe" > To: openssh-unix-dev at mindrot.org > Subject: TCP_NODELAY always set, now? > Reply-To: "Henry E. Thorpe" > User-Agent: Mutt/1.5.4i > X-BeenThere: openssh-unix-dev at mindrot.org > X-Mailman-Version: 2.0.12 > Date: Fri, 9 May 2003 13:53:21 -0400 > > I know that there was a discussion on this about a year back, and > there is a bug 556 this week that mentions TCP_NODELAY. > > However, when I use ssh through a pipe (e.g., to tunnel through an > HTTP proxy using CONNECT) I see: > > getsockopt TCP_NODELAY: Socket operation on non-socket > > How do I tell which end is generating this (I'm assuming the local > side, which is running through the pipe). > > Also, does anyone care, or is this the expected behavior? > > Connection looks like this: > > ssh -> pipe using ProxyCommand -> proxy -> sshd > > Client is OpenSSH_3.6.1p1 on FreeBSD 4.7-RELEASE-p6, server is > OpenSSH_3.6 on OpenBSD/i386 3.3. > > -- > Henry E. Thorpe > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev ---end quoted text--- -- Lee Eakin - leakin at dfw.nostrum.com Remember, SCSI is not black magic. There are fundamental technical reasons why it is necessary to sacrifice a goat at midnight in order to get a SCSI device working properly. From dtucker at zip.com.au Sat May 10 11:49:14 2003 
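Review bot: the added `return;` is the right fix, and it is worth recording why the symptom was a TCP_NODELAY error on a non-socket: without the return, the `if (!packet_connection_is_on_socket())` line governed only the following `if (interactive) set_nodelay(connection_in);`, so set_nodelay() ran exactly when the connection was NOT on a socket (a ProxyCommand pipe) and never when it was. The early return also skips the IP_TOS block that follows, which is the intended behaviour for a pipe.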
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 10 May 2003 11:49:14 +1000
Subject: TCP_NODELAY always set, now?
References: <20030509175321.GA27967@ermine.mt.att.com> <20030509221704.GB15721@japh.itg.ti.com>
Message-ID: <3EBC5A9A.12101A0C@zip.com.au>

Lee Eakin wrote:
> I posted an ugly kludge for this right after 3.6.1p1 was released, but
> then SAKIYAMA Nobuo replied with a proper
> fix (a missing return statement):

That was a bug and has been fixed in -current (but not 3.6.1p2).

http://bugzilla.mindrot.org/show_bug.cgi?id=541

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From bugzilla-daemon at mindrot.org Sat May 10 12:59:28 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 10 May 2003 12:59:28 +1000 (EST)
Subject: [Bug 463] PrintLastLog doesn't work in privsep mode
Message-ID: <20030510025928.02C709420B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=463

------- Additional Comments From dtucker at zip.com.au 2003-05-10 12:59 -------
I've had a look at the OpenBSD source and I don't think OpenBSD *needs* a "Buffer loginmsg" right now. PrintLastLog can be easily fixed by updating s->last_login_time before the privsep split.

So, is there another reason OpenBSD needs (or wants) a "Buffer loginmsg"? Or should it be -portable only? Have I overlooked something?

And what's the feeling on the monitor call in attachment #235?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat May 10 14:43:26 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 10 May 2003 14:43:26 +1000 (EST)
Subject: [Bug 549] Login Delay / Remove unwanted reverse map check
Message-ID: <20030510044326.663229425F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=549

------- Additional Comments From mouring at eviladmin.org 2003-05-10 14:43 -------
Umm.. No.. This does not sound like an OpenSSH issue, but you state yourself:

[..] adding it to /etc/hosts (with /etc/netsvc.conf specifying to use /etc/hosts first), the first connect proceeds quickly, but if the user enters a bad password a second DNS lookup is performed, which then takes 60-90 seconds. [..]

This sounds like a broken resolver behavior. I run OpenSSH with ZERO dns service at work (not totally true, but no sane DNS service =) and at home. I don't see this behavior (Sol 2.7, Sol 2.5.1, OpenBSD 3.2, OpenBSD --current, Solaris 9).

Are we dead sure this is a 'universal' issue and not a brain damaged resolver?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat May 10 16:40:52 2003
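Returning to the TCP_NODELAY thread above: the fix hinges on the "is this connection on a socket at all?" test, and the message Henry saw is exactly what you get when that test is bypassed for a ProxyCommand pipe. The following is an added, stand-alone example (not OpenSSH's packet.c, though connection_is_on_socket() follows the shape of the check the thread names) showing the test, the guarded setsockopt(), and the three descriptor kinds that matter: a pipe, an AF_UNIX socketpair, and a connected TCP socket. make_loopback_pair() is a test helper written for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Both descriptors must be the same connected IPv4/IPv6 socket. A pipe fails
 * getpeername() with ENOTSOCK; an AF_UNIX socketpair has a peer but the
 * wrong address family; a ProxyCommand gives ssh two different pipe ends. */
int connection_is_on_socket(int in, int out)
{
    struct sockaddr_storage from, to;
    socklen_t fromlen = sizeof(from), tolen = sizeof(to);

    memset(&from, 0, sizeof(from));
    memset(&to, 0, sizeof(to));
    if (getpeername(in, (struct sockaddr *)&from, &fromlen) < 0)
        return 0;
    if (getpeername(out, (struct sockaddr *)&to, &tolen) < 0)
        return 0;
    if (fromlen != tolen || memcmp(&from, &to, fromlen) != 0)
        return 0;
    if (from.ss_family != AF_INET && from.ss_family != AF_INET6)
        return 0;
    return 1;
}

/* Returns 1 if TCP_NODELAY was set, 0 if skipped because the connection is
 * not a TCP socket, -1 if setsockopt() itself failed. The early return is
 * the whole point: without it, the option is attempted on a pipe and the
 * kernel answers ENOTSOCK, "Socket operation on non-socket". */
int set_nodelay_if_socket(int in, int out)
{
    int on = 1;

    if (!connection_is_on_socket(in, out))
        return 0;
    if (setsockopt(in, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on)) < 0) {
        perror("setsockopt TCP_NODELAY");
        return -1;
    }
    return 1;
}

/* Test helper (constructed for this example): a connected TCP pair over
 * loopback on a kernel-chosen port. fds[0] is the client, fds[1] the server. */
int make_loopback_pair(int fds[2])
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int lsock, c, s = -1;

    if ((lsock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;
    if (bind(lsock, (struct sockaddr *)&sin, sizeof(sin)) < 0 ||
        listen(lsock, 1) < 0 ||
        getsockname(lsock, (struct sockaddr *)&sin, &len) < 0) {
        close(lsock);
        return -1;
    }
    if ((c = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        close(lsock);
        return -1;
    }
    if (connect(c, (struct sockaddr *)&sin, sizeof(sin)) < 0 ||
        (s = accept(lsock, NULL, NULL)) < 0) {
        close(c);
        close(lsock);
        return -1;
    }
    close(lsock);
    fds[0] = c;
    fds[1] = s;
    return 0;
}

int main(void)
{
    int p[2], u[2], t[2];

    if (pipe(p) == 0)
        printf("pipe:    %d (expect 0, skipped)\n", set_nodelay_if_socket(p[0], p[1]));
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, u) == 0)
        printf("AF_UNIX: %d (expect 0, skipped)\n", set_nodelay_if_socket(u[0], u[0]));
    if (make_loopback_pair(t) == 0)
        printf("TCP:     %d (expect 1, set)\n", set_nodelay_if_socket(t[0], t[0]));
    return 0;
}
```

The family check matters as much as the getpeername() one: an AF_UNIX socket passes getpeername() but has no TCP layer, so IPPROTO_TCP options are meaningless on it, and the same early return covers IP_TOS, which is equally undefined on anything but an IP socket.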
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 10 May 2003 16:40:52 +1000 (EST) Subject: [Bug 463] PrintLastLog doesn't work in privsep mode Message-ID: <20030510064052.127089420B@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=463 ------- Additional Comments From djm at mindrot.org 2003-05-10 16:40 ------- Yes, the privsep split occurs post-auth, not once per session. Remember that a SSH2 connection may have multiple sessions (the ssh.com windows client allows this). If you collect the last login time at the time of the privsep split, then that would be displayed for all sessions. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat May 10 16:49:05 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 10 May 2003 16:49:05 +1000 (EST) Subject: [Bug 318] Install failure creating ssh_prng_cmds Message-ID: <20030510064905.43A7E9426E@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=318 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED ------- Additional Comments From dtucker at zip.com.au 2003-05-10 16:49 ------- Fix applied. Thanks. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat May 10 17:10:26 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 10 May 2003 17:10:26 +1000 (EST) Subject: [Bug 536] no access to tty on Linux 2.0 and 2.4+libc5 Message-ID: <20030510071026.D16AA9420B@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=536 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution| |FIXED ------- Additional Comments From dtucker at zip.com.au 2003-05-10 17:10 ------- Fix applied. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From phil at ipom.com Sat May 10 17:30:35 2003 From: phil at ipom.com (Phil Dibowitz) Date: Sat, 10 May 2003 00:30:35 -0700 Subject: Small Makefile.in Patch Message-ID: <3EBCAA9B.2050709@ipom.com> This is a fairly inconsequential patch, but it comes in handy in a few instances. The patch simply splits install-files into "install-files" and "install-sysconf" - taking all of the sysconfdir stuff and putting in its own target which I then added to 'install' and 'install-nokeys'. I then added an install-nosysconf to NOT do that stuff. This helped us because we install in a directory that gets rdist'd out to other hosts, but on the rdist host we didn't want to put the config files in /etc/ssh... we have a script to do that on each host and rdist time. Its small and inconsequential... but if it could be applied, I think the occasional group might find it useful, and it would be one less patch we need to apply each time. Thanks! ------------------------------------------------------------ --- Makefile.in 2003/05/03 02:14:32 1.1 +++ Makefile.in 2003/05/09 23:41:54 @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.1 2003/05/03 02:14:32 phil Exp $ +# $Id: Makefile.in,v 1.3 2003/05/09 23:41:38 phil Exp $ 
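Review bot: the first hunk only rewrites the `$Id$` keyword line to a revision from a local RCS tree; drop it from the submission, since the keyword is expanded by the project's own repository and this hunk would never apply cleanly anywhere else.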
@@ -215,8 +215,9 @@ $(AUTORECONF) (cd scard && $(MAKE) -f Makefile.in distprep) -install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files host-key check-config -install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files +install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config +install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf +install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files check-config: -$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config @@ -266,6 +267,9 @@ ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 + + +install-sysconf: if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ $(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \ fi ------------------------------------------------------------ -- Phil Dibowitz phil at ipom.com Freeware and Technical Pages Insanity Palace of Metallica http://www.phildev.net/ http://www.ipom.com/ "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, 1759 From bugzilla-daemon at mindrot.org Sat May 10 17:49:15 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 10 May 2003 17:49:15 +1000 (EST) Subject: [Bug 463] PrintLastLog doesn't work in privsep mode Message-ID: <20030510074915.74B7594225@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=463 ------- Additional Comments From dtucker at zip.com.au 2003-05-10 17:49 ------- OK, so if I understand correctly, the only guaranteed way to get the last login time is via a monitor call, so I hopefully won't get accused of bloat for proposing one... ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat May 10 18:59:45 2003 
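Review bot: in the hunk that changes the install targets, the new install-nosysconf still runs check-config, whose recipe is `-$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config`; on a host where the config directory is deliberately not populated (the rdist case the message describes) that test reports a missing file on every install. The leading `-` keeps make from failing, but the error is noise at best and masks a real config problem at worst, so either leave check-config out of install-nosysconf or have it skip when the file is absent. In the last hunk, the recipe lines from `if [ ! -d $(DESTDIR)$(sysconfdir) ]` onward now belong to install-sysconf; if the Makefile has a .PHONY list that names install-files (not shown in the diff), install-sysconf and install-nosysconf need adding to it, or a stray file of that name in the build directory will satisfy the target and skip the copy silently.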
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 10 May 2003 18:59:45 +1000 (EST) Subject: [Bug 463] PrintLastLog doesn't work in privsep mode Message-ID: <20030510085945.13D239420B@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=463 ------- Additional Comments From djm at mindrot.org 2003-05-10 18:59 ------- Certainly not! ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From djm at mindrot.org Sat May 10 19:20:58 2003 
From: djm at mindrot.org (Damien Miller)
Date: Sat, 10 May 2003 19:20:58 +1000
Subject: New PAM code landing (at last)
Message-ID: <3EBCC47A.5060104@mindrot.org>

Hello all,

The long-mooted PAM merge from FreeBSD is starting _now_. This replaces the PAM password auth kludge that we have used until now with a discrete challenge-response module. This module is invoked via keyboard-interactive for protocol 2 or TIS auth for protocol 1.

Warning: this is a large change and will probably break things. It has only been tested with basic password auth modules and not at all (by me) on non-Linux systems (I put out test requests on snapshots of this, but nobody responded...) On the other hand, this code has been shipping and working in FreeBSD for a while.

For those interested, this is pretty much exactly what is in FreeBSD's tree, with a few s/pam_xxx/sshpam_xxx/ substitutions. These are to avoid potential namespace clashes against the PAM library itself. I have no idea whether there are any such conflicts in the symbols in auth-pam.c, but we made a similar change in the old auth-pam.c quite a while ago at the request of someone at Sun.

Also note that we do not enable and have no intention of enabling the thread support - we don't want the complexity of threads in the monitor. The code is still there at the moment (#ifdef'd out), but will likely disappear from our tree in the future. I'll try to remove it in such a way that the FreeBSD developers don't end up in #ifdef hell putting it back in their tree.

The repository will be tagged with BEFORE_FREEBSD_PAM_MERGE and AFTER_FREEBSD_PAM_MERGE tags to make diffing / reverting easier.

We are a long way from the next release, so we have plenty of time to make this work properly. Doing this will require a lot of testing, so I encourage everyone on a PAM system to try out the new code and report back ASAP.

-d

From bugzilla-daemon at mindrot.org Sat May 10 19:34:30 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 10 May 2003 19:34:30 +1000 (EST) Subject: [Bug 463] PrintLastLog doesn't work in privsep mode Message-ID: <20030510093430.D2C2A9427E@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=463 ------- Additional Comments From dtucker at zip.com.au 2003-05-10 19:34 ------- Created an attachment (id=287) --> (http://bugzilla.mindrot.org/attachment.cgi?id=287&action=view) Generate loginmsg as part of login recording (against OpenBSD -current) OK, here's the proposed patch against OpenBSD. The call to store_lastlog_message is where it is in record_login because under AIX the login message is generated as a side effect of loginsuccess(). The location under OpenBSD is not critical since it's a read-only operation. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From james at nameonthe.net Sat May 10 20:37:55 2003 From: james at nameonthe.net (James Williamson) Date: Sat, 10 May 2003 11:37:55 +0100 Subject: New PAM code landing (at last) References: <3EBCC47A.5060104@mindrot.org> Message-ID: <002501c316e0$37ed74a0$6600a8c0@JAMES> ----- Original Message ----- 
From: "Damien Miller" > Hello all, > > The long-mooted PAM merge from FreeBSD is starting _now_. This replaces > the PAM password auth kludge that we have used until now with a discrete > challenge-response module. This module is invoked via > keyboard-interactive for protocol 2 or TIS auth for protocol 1. > > Warning: this is a large change and will probably break things. It has > only been tested with basic password auth modules and not at all (by me) > on non-Linux systems (I put out test requests on snapshots of this, but > nobody responded...) On the other hand, this code has been shipping and > working in FreeBSD for a while. > > For those interested, this is pretty much exactly what is in FreeBSD's > tree, with a few s/pam_xxx/sshpam_xxx/ substitutions. These are to avoid > potential namespace clashes against the PAM library itself. I have no > idea whether there are any such conflicts in the symbols in auth-pam.c, > but we made a similar change in the old auth-pam.c quite a while ago at > the request of someone at Sun. > > Also note that we do not enable and have no intention of enabling the > thread support - we don't want the complexity of theads in the monitor. > The code is still there at the moment (#ifdef'd out), but will likely > disappear from our tree in the future. I'll try to remove it in such a > way that the FreeBSD developers don't end up in #ifdef hell putting it > back in their tree. > > The repository will be tagged with BEFORE_FREEBSD_PAM_MERGE and > AFTER_FREEBSD_PAM_MERGE tags to make diffing / reverting easier. > > We are a long way from the next release, so we have plenty of time to > make this work properly. Doing this will require a lot of testing, so I > encourage everyone on a PAM system to try out the new code and report > back ASAP. > Are there any plans to fix the "PAM needs to run as root in the session stage" as raised by me a few weeks ago. 
I know this is incredibly useful for ISPs who want to chroot people who login (as we do). I'm no expert on PAM and I understand the security implications but surely as someone mentioned earlier support for PAM is effectively broken without this. Regards, James Williamson www.nameonthe.net Tel: +44 208 7415453 Fax: + 44 208 7411615 From bugzilla-daemon at mindrot.org Sat May 10 20:55:00 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 10 May 2003 20:55:00 +1000 (EST) Subject: [Bug 421] compile error on Debian slink Message-ID: <20030510105500.0B7AD9428B@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=421 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution| |FIXED ------- Additional Comments From dtucker at zip.com.au 2003-05-10 20:54 ------- With the closure of bug #536, I think this is now fully fixed. It certainly works for me. Please re-open if this problem re-occurs or a new bug if there's other problems on this platform. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From djm at mindrot.org Sat May 10 21:51:57 2003 
From: djm at mindrot.org (Damien Miller) Date: Sat, 10 May 2003 21:51:57 +1000 Subject: New PAM code landing (at last) In-Reply-To: <002501c316e0$37ed74a0$6600a8c0@JAMES> References: <3EBCC47A.5060104@mindrot.org> <002501c316e0$37ed74a0$6600a8c0@JAMES> Message-ID: <3EBCE7DD.60308@mindrot.org> >>We are a long way from the next release, so we have plenty of time to >>make this work properly. Doing this will require a lot of testing, so I >>encourage everyone on a PAM system to try out the new code and report >>back ASAP. > > Are there any plans to fix the "PAM needs to run as root in the session > stage" > as raised by me a few weeks ago. > I'm no expert on PAM and I understand the security > implications but surely as someone mentioned earlier support for PAM is > effectively > broken without this. I think that this may be very difficult to do with privsep, as we have long since given up root privs by the time we start the session. Of course, I'd like to be proved wrong... > I know this is incredibly useful for ISPs who want to chroot people > who login (as we do). Have you tried rssh, or one of the chrooting wrappers? This may be an inconvenience, but IMO the security benefit of privsep is worth it. -d From bugzilla-daemon at mindrot.org Sat May 10 22:22:13 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 10 May 2003 22:22:13 +1000 (EST) Subject: [Bug 463] PrintLastLog doesn't work in privsep mode Message-ID: <20030510122213.0E8289428C@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=463 ------- Additional Comments From dtucker at zip.com.au 2003-05-10 22:22 ------- Hmm, this will probably give multiple "Last login" messages if used with multiple sessions (none of my clients support it so I'm not sure about that). With my current plan for password expiry, loginmsg needs to be initialised before allowed_user() where it accumulates all of the "Your password/account will expire.." messages. Might need to clear the message after retrieving/printing it. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From fcusack at fcusack.com Sun May 11 07:25:46 2003 
From: fcusack at fcusack.com (Frank Cusack) Date: Sat, 10 May 2003 14:25:46 -0700 Subject: New PAM code landing (at last) In-Reply-To: <3EBCE7DD.60308@mindrot.org>; from djm@mindrot.org on Sat, May 10, 2003 at 09:51:57PM +1000 References: <3EBCC47A.5060104@mindrot.org> <002501c316e0$37ed74a0$6600a8c0@JAMES> <3EBCE7DD.60308@mindrot.org> Message-ID: <20030510142546.A23607@google.com> On Sat, May 10, 2003 at 09:51:57PM +1000, Damien Miller wrote: > > Are there any plans to fix the "PAM needs to run as root in the session > > stage" > > as raised by me a few weeks ago. > > I'm no expert on PAM and I understand the security > > implications but surely as someone mentioned earlier support for PAM is > > effectively > > broken without this. > > I think that this may be very difficult to do with privsep, as we have > long since given up root privs by the time we start the session. Of > course, I'd like to be proved wrong... The FreeBSD diff, as posted a few months ago, did exactly this. What has changed since then? /fc From eggert at twinsun.com Sun May 11 07:49:13 2003 
From: eggert at twinsun.com (Paul Eggert) Date: Sat, 10 May 2003 14:49:13 -0700 (PDT) Subject: OpenSSH_3.6.1p2 getsockopt TCP_NODELAY bogus message on Solaris 8 Message-ID: <200305102149.h4ALnDL11444@sic.twinsun.com> I ran into the following problem the first time I used OpenSSH_3.6.1p2 on Solaris 8 (sparc, 32-bit): $ ssh kiwi Enter passphrase for RSA key '/net/sic/export/ford/home/eggert/.ssh/identity': getsockopt TCP_NODELAY: Socket operation on non-socket Last login: Sat May 10 14:27:01 2003 from ip-66-80-53-59.d Sun Microsystems Inc. SunOS 5.8 Generic Patch October 2001 You have new mail. The "getsockopt TCP_NODELAY: Socket operation on non-socket" message is bogus. This appears to be an editing botch in the portable version of packet_set_interactive, as there's a missing "return;" statement compared to the OpenBSD version. Here is a proposed patch. =================================================================== RCS file: RCS/packet.c,v retrieving revision 3.6.1.2 retrieving revision 3.6.1.2.0.1 diff -pu -r3.6.1.2 -r3.6.1.2.0.1 --- packet.c 2003/04/01 11:43:39 3.6.1.2 +++ packet.c 2003/05/10 21:45:22 3.6.1.2.0.1 @@ -1344,6 +1344,7 @@ packet_set_interactive(int interactive) /* Only set socket options if using a socket. */ if (!packet_connection_is_on_socket()) + return; if (interactive) set_nodelay(connection_in); #if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN) From bugzilla-daemon at mindrot.org Sun May 11 08:09:39 2003 
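Review bot: the hunk is correct, and the commit message should spell out what the missing `return;` did, because it is worse than a spurious message: without it, the brace-less `if (!packet_connection_is_on_socket())` took the following `if (interactive) set_nodelay(connection_in);` as its body, so set_nodelay() was called only when the connection was not a socket (hence "getsockopt TCP_NODELAY: Socket operation on non-socket") and never when it was, i.e. TCP_NODELAY was silently not set on real interactive TCP sessions either. The `#if defined(IP_TOS)` block that follows is a separate statement, so it was unaffected. As Tim notes in the next reply, the same one-line fix is already in CVS (20030427, bug #541).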
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 11 May 2003 08:09:39 +1000 (EST)
Subject: [Bug 549] Login Delay / Remove unwanted reverse map check
Message-ID: <20030510220939.855339429B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=549

------- Additional Comments From devin.nate at bridgecomm.net 2003-05-11 08:09 -------
Hey Ben; I'm pretty sure that this is a universal issue. Basically it boils down to the fact that neither -u0 nor any other configuration parameter will stop the block of code I first wrote about (in particular, getnameinfo(... NI_NAMEREQD) in canohost.c) from executing. sshd will always resolve an ip address to host name if it can (i.e. if DNS succeeds) - you cannot stop it. You can stop it from using that information, but you can't stop it from inquiring about it.

To your point about bad resolver behavior, I suppose it may or may not be. However, regardless of what you do, sshd WILL try to use the resolver. And the DNS system does leave potential for delays due to resolution, which may fail at the end. It happens. I'm trying to get some sort of configuration option telling sshd NOT to do that getnameinfo() call built into OpenSSH.

Which brings me to the next question: I cannot commit changes to the OpenSSH code myself - how does that process work? Darren, you seem extremely active in the OpenSSH community. Is the current patch good enough.. should I be writing/submitting a patch to make a new sshd_config option.. what's the status of this?

Thanks!

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From tim at multitalents.net Sun May 11 08:11:33 2003
From: tim at multitalents.net (Tim Rice) Date: Sat, 10 May 2003 15:11:33 -0700 (PDT) Subject: OpenSSH_3.6.1p2 getsockopt TCP_NODELAY bogus message on Solaris 8 In-Reply-To: <200305102149.h4ALnDL11444@sic.twinsun.com> References: <200305102149.h4ALnDL11444@sic.twinsun.com> Message-ID: On Sat, 10 May 2003, Paul Eggert wrote: > I ran into the following problem the first time I used > OpenSSH_3.6.1p2 on Solaris 8 (sparc, 32-bit): > > $ ssh kiwi > Enter passphrase for RSA key '/net/sic/export/ford/home/eggert/.ssh/identity': > getsockopt TCP_NODELAY: Socket operation on non-socket > Last login: Sat May 10 14:27:01 2003 from ip-66-80-53-59.d > Sun Microsystems Inc. SunOS 5.8 Generic Patch October 2001 > You have new mail. > > The "getsockopt TCP_NODELAY: Socket operation on non-socket" message > is bogus. This appears to be an editing botch in the portable version > of packet_set_interactive, as there's a missing "return;" statement > compared to the OpenBSD version. Here is a proposed patch. I think that's fixed in CVS ... 20030427 - (bal) Bug #541: return; was dropped by mistake. Reported by furrier at iglou.com ... -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From djm at mindrot.org Sun May 11 09:54:09 2003 
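The dangling-if that Paul and Tim discuss, reduced to a stand-alone C program. This is an added illustration, not OpenSSH code: fd_is_socket() and try_nodelay() are my stand-ins for packet_connection_is_on_socket() and set_nodelay() (assumed to use getsockopt(SO_TYPE) and setsockopt(TCP_NODELAY) respectively), and the two set_interactive_*() functions reproduce the 3.6.1p2 shape with and without the lost `return;`. The descriptors are constructed in-process: a pipe (the kind of non-socket the ssh client sees behind a ProxyCommand) and an unconnected TCP socket.

```c
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Stand-in for packet_connection_is_on_socket(): a descriptor is a socket
 * if SO_TYPE can be read from it; on a pipe or tty getsockopt() fails with
 * ENOTSOCK. (Assumption: the real function does something similar.) */
int fd_is_socket(int fd)
{
    int type;
    socklen_t len = sizeof type;
    return getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) == 0;
}

/* Stand-in for set_nodelay(): 1 when TCP_NODELAY was set, -1 when
 * setsockopt() failed; on a non-socket that failure is ENOTSOCK, the
 * "Socket operation on non-socket" message in Paul's report. */
int try_nodelay(int fd)
{
    int on = 1;
    return setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof on) == 0 ? 1 : -1;
}

/* The 3.6.1p2 shape. With the `return;` gone, the brace-less `if` takes the
 * next statement, the `if (interactive)`, as its body, so nodelay is attempted
 * exactly when the descriptor is NOT a socket, and never when it is. */
int set_interactive_broken(int fd, int interactive)
{
    int result = 0;
    /* Only set socket options if using a socket. */
    if (!fd_is_socket(fd))
    if (interactive)            /* <- this became the body of the test above */
        result = try_nodelay(fd);
    return result;
}

/* The same code with the missing `return;` restored. */
int set_interactive_fixed(int fd, int interactive)
{
    if (!fd_is_socket(fd))
        return 0;
    if (interactive)
        return try_nodelay(fd);
    return 0;
}

/* Constructed descriptors: the read end of a pipe, and an unconnected TCP
 * socket (TCP_NODELAY can be set before connect(), no network needed). */
int make_pipe_fd(void)
{
    int p[2];
    return pipe(p) == 0 ? p[0] : -1;
}

int make_tcp_fd(void)
{
    return socket(AF_INET, SOCK_STREAM, 0);
}

int main(void)
{
    int pipefd = make_pipe_fd(), sock = make_tcp_fd();
    printf("broken: pipe -> %d (bogus error), tcp -> %d (nodelay never set)\n",
           set_interactive_broken(pipefd, 1), set_interactive_broken(sock, 1));
    printf("fixed:  pipe -> %d (left alone),  tcp -> %d (nodelay set)\n",
           set_interactive_fixed(pipefd, 1), set_interactive_fixed(sock, 1));
    return 0;
}
```

The broken variant returns -1 for the pipe (the spurious error) and 0 for the TCP socket, which is the quieter half of the bug: interactive sessions over a real socket never got TCP_NODELAY at all. Compilers that warn about misleading indentation (gcc -Wmisleading-indentation) flag exactly this construct, which is a cheap check to keep enabled in the portable build.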
From: djm at mindrot.org (Damien Miller) Date: Sun, 11 May 2003 09:54:09 +1000 Subject: New PAM code landing (at last) In-Reply-To: <20030510142546.A23607@google.com> References: <3EBCC47A.5060104@mindrot.org> <002501c316e0$37ed74a0$6600a8c0@JAMES> <3EBCE7DD.60308@mindrot.org> <20030510142546.A23607@google.com> Message-ID: <3EBD9121.1090207@mindrot.org> Frank Cusack wrote: > On Sat, May 10, 2003 at 09:51:57PM +1000, Damien Miller wrote: > >>I think that this may be very difficult to do with privsep, as we have >>long since given up root privs by the time we start the session. Of >>course, I'd like to be proved wrong... > > The FreeBSD diff, as posted a few months ago, did exactly this. What > has changed since then? The FreeBSD PAM code doesn't touch the session setup. Never did IIRC. -d From bugzilla-daemon at mindrot.org Sun May 11 10:39:45 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 11 May 2003 10:39:45 +1000 (EST) Subject: [Bug 553] configure fails to acknowledge availability of utimes() Message-ID: <20030511003945.AED98942A6@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=553 ------- Additional Comments From dtucker at zip.com.au 2003-05-11 10:39 ------- I was about to submit a bug report to the autoconf folks, but before I did I pulled the latest autoconf CVS tree (it calls itself 2.57a). This problem appears to be fixed there. I rebuilt configure with it and then rebuilt OpenSSH on HP-UX 11.00, which worked OK. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sun May 11 12:07:12 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 11 May 2003 12:07:12 +1000 (EST)
Subject: [Bug 442] sshd allows login via public-key when account locked
Message-ID: <20030511020712.D1491942AA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=442

------- Additional Comments From dtucker at zip.com.au 2003-05-11 12:07 -------
Further info: it appears that in later patch sets, Solaris 8 and 9 now check the password string against *LK* in PAM and deny access even for non-password authentications (eg rhosts).

http://groups.google.com/groups?as_umsgid=3ebcff1a%240%2449101%24e4fe514c%40news.xs4all.nl
http://groups.google.com/groups?as_umsgid=3ebd1d6e%240%2449115%24e4fe514c%40news.xs4all.nl

The last patch is probably broken now, I'm trying to find out if it's worth updating. What's the feeling on a) whether we want to do this and b) if the implementation is acceptable.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun May 11 13:16:33 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 11 May 2003 13:16:33 +1000 (EST)
Subject: [Bug 549] Login Delay / Remove unwanted reverse map check
Message-ID: <20030511031633.5978D942B2@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=549

------- Additional Comments From dtucker at zip.com.au 2003-05-11 13:16 -------
I'm a relative newbie so I'll defer to Ben on this.

In answer to the process question, a few people have commit access to -portable, but generally they'll only commit simple, obvious changes on their own. Larger or more contentious changes generally require agreement from one or more others (that's the meaning of the "ok [user]@" bits in ChangeLog). The other thing is -portable is a branch (more or less) of the original OpenSSH from OpenBSD, and any changes, small or not, that cause it to diverge from OpenBSD without good reason will get a *lot* of resistance.

Something that might be worth checking: get_canonical_hostname() does some caching, perhaps there's something in there that would explain the inconsistent results you're seeing wrt the lookups. If I have time next week I'll see if I can reproduce this on my AIX box.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From james at nameonthe.net Sun May 11 17:29:28 2003
From: james at nameonthe.net (James Williamson)
Date: Sun, 11 May 2003 08:29:28 +0100
Subject: New PAM code landing (at last)
References: <3EBCC47A.5060104@mindrot.org> <002501c316e0$37ed74a0$6600a8c0@JAMES> <3EBCE7DD.60308@mindrot.org> <20030510142546.A23607@google.com> <3EBD9121.1090207@mindrot.org>
Message-ID: <001901c3178f$0fbb2130$6600a8c0@JAMES>

> Frank Cusack wrote:
> > On Sat, May 10, 2003 at 09:51:57PM +1000, Damien Miller wrote:
> >
> >>I think that this may be very difficult to do with privsep, as we have
> >>long since given up root privs by the time we start the session. Of
> >>course, I'd like to be proved wrong...
> >
> > The FreeBSD diff, as posted a few months ago, did exactly this. What
> > has changed since then?
>
> The FreeBSD PAM code doesn't touch the session setup. Never did IIRC.
>
> -d
>

I've scanned the code and the PAM stuff is actually broken despite the privileges. The credentials stage is actually called after the session stage which runs contra to what the linux pam docs specify (i.e. it should be done before). I'm no security expert and I don't really understand the ramifications of doing so but why can't the non priv process do a seteuid() to the non root user where permanently_set_uid is called. Then keep running until the time the pam session stuff needs to be done, revert back to root privileges during this stage (session) and then finally give all privileges away for ever - setuid(). It's good enough for sendmail?

Regards,

James Williamson
www.nameonthe.net
Tel: +44 208 7415453
Fax: + 44 208 7411615

From fcusack at fcusack.com Sun May 11 17:35:30 2003
From: fcusack at fcusack.com (Frank Cusack) Date: Sun, 11 May 2003 00:35:30 -0700 Subject: New PAM code landing (at last) In-Reply-To: <001901c3178f$0fbb2130$6600a8c0@JAMES>; from james@nameonthe.net on Sun, May 11, 2003 at 08:29:28AM +0100 References: <3EBCC47A.5060104@mindrot.org> <002501c316e0$37ed74a0$6600a8c0@JAMES> <3EBCE7DD.60308@mindrot.org> <20030510142546.A23607@google.com> <3EBD9121.1090207@mindrot.org> <001901c3178f$0fbb2130$6600a8c0@JAMES> Message-ID: <20030511003529.A24410@google.com> On Sun, May 11, 2003 at 08:29:28AM +0100, James Williamson wrote: > It's good enough for sendmail? That's the quote of the month. Thank you for the laugh. /fc From james at nameonthe.net Sun May 11 17:46:13 2003 From: james at nameonthe.net (James Williamson) Date: Sun, 11 May 2003 08:46:13 +0100 Subject: New PAM code landing (at last) References: <3EBCC47A.5060104@mindrot.org> <002501c316e0$37ed74a0$6600a8c0@JAMES> <3EBCE7DD.60308@mindrot.org> <20030510142546.A23607@google.com> <3EBD9121.1090207@mindrot.org> <001901c3178f$0fbb2130$6600a8c0@JAMES> <20030511003529.A24410@google.com> Message-ID: <002a01c31791$65a38d60$6600a8c0@JAMES> > On Sun, May 11, 2003 at 08:29:28AM +0100, James Williamson wrote: > > It's good enough for sendmail? > > That's the quote of the month. Thank you for the laugh. > > /fc > True, I debated with myself over an exclamation mark. Still, surely it should be given some thought? Regards, James Williamson www.nameonthe.net Tel: +44 208 7415453 Fax: + 44 208 7411615 From fcusack at fcusack.com Sun May 11 17:55:23 2003 
From: fcusack at fcusack.com (Frank Cusack) Date: Sun, 11 May 2003 00:55:23 -0700 Subject: New PAM code landing (at last) In-Reply-To: <002a01c31791$65a38d60$6600a8c0@JAMES>; from james@nameonthe.net on Sun, May 11, 2003 at 08:46:13AM +0100 References: <3EBCC47A.5060104@mindrot.org> <002501c316e0$37ed74a0$6600a8c0@JAMES> <3EBCE7DD.60308@mindrot.org> <20030510142546.A23607@google.com> <3EBD9121.1090207@mindrot.org> <001901c3178f$0fbb2130$6600a8c0@JAMES> <20030511003529.A24410@google.com> <002a01c31791$65a38d60$6600a8c0@JAMES> Message-ID: <20030511005523.C24410@google.com> On Sun, May 11, 2003 at 08:46:13AM +0100, James Williamson wrote: > > On Sun, May 11, 2003 at 08:29:28AM +0100, James Williamson wrote: > > > It's good enough for sendmail? > > > > That's the quote of the month. Thank you for the laugh. > > > > /fc > > > > True, I debated with myself over an exclamation mark. :-) > Still, surely it should be given some thought? Don't use privsep and pam together, that's all. /fc From fcusack at fcusack.com Sun May 11 17:57:03 2003 
From: fcusack at fcusack.com (Frank Cusack) Date: Sun, 11 May 2003 00:57:03 -0700 Subject: New PAM code landing (at last) In-Reply-To: <001901c3178f$0fbb2130$6600a8c0@JAMES>; from james@nameonthe.net on Sun, May 11, 2003 at 08:29:28AM +0100 References: <3EBCC47A.5060104@mindrot.org> <002501c316e0$37ed74a0$6600a8c0@JAMES> <3EBCE7DD.60308@mindrot.org> <20030510142546.A23607@google.com> <3EBD9121.1090207@mindrot.org> <001901c3178f$0fbb2130$6600a8c0@JAMES> Message-ID: <20030511005703.D24410@google.com> On Sun, May 11, 2003 at 08:29:28AM +0100, James Williamson wrote: > I'm no security expect and I don't really understand the ramifications of > doing > so but why can't the non priv process do a seteuid() to the non root user > where > permanently_set_uid is called. Then keep running until the time the pam > session > stuff needs to be done, revert back to root privileges during this stage > (session) > and then finally give all privileges away for ever - setuid(). It doesn't insulate you from privilege escalation. /fc ps. please format your email to 74 chars From fcusack at fcusack.com Sun May 11 19:26:06 2003 
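Why Frank's "it doesn't insulate you from privilege escalation" holds for the scheme James proposes (seteuid() to the user, run the PAM session stage as root later, setuid() at the end): as long as the saved set-user-id is still 0, any code running in that process, including a bug in a PAM module or in the session code, can seteuid(0) itself. The program below is an added illustration in C, not OpenSSH's uidswap.c or permanently_set_uid(): drop_privs_temporarily() is the seteuid()-only drop, drop_privs_permanently() changes real, effective and saved ids with setresuid()/setresgid() and then refuses to believe it succeeded unless regaining root actually fails, and can_regain_root() is the check an attacker's code would effectively make. When run as root it drops to uid 65534 (assumed to be an unprivileged "nobody"-style id); as an ordinary user it uses the caller's own ids, where both drops trivially succeed and root can never be regained.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc declares these only under _GNU_SOURCE; repeating the prototypes is
 * harmless if the header already provided them. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);

/* Temporary drop: only the effective uid changes. The saved set-user-id keeps
 * the value it had (0 when started as root), so seteuid(0) remains possible
 * for anyone who gets code execution in this process. This is the
 * "seteuid(), do the session as root later, setuid() at the end" scheme. */
int drop_privs_temporarily(uid_t uid)
{
    return seteuid(uid);                 /* 0 on success, -1 on failure */
}

/* Permanent drop: real, effective and saved ids all change, supplementary
 * groups are cleared, and the result is verified by trying to get root back
 * and insisting that the attempt fails. Returns 0 only when nothing is left
 * to escalate with. */
int drop_privs_permanently(uid_t uid, gid_t gid)
{
    if (getuid() == 0) {
        /* a temporary drop may be in effect; root is needed for the next two calls */
        if (geteuid() != 0 && seteuid(0) == -1)
            return -1;
        if (getgroups(0, NULL) > 0 && setgroups(0, NULL) == -1)
            return -1;
    }
    if (setresgid(gid, gid, gid) == -1)
        return -1;
    if (setresuid(uid, uid, uid) == -1)
        return -1;
    /* Paranoia: if root can still be regained the drop was not permanent. */
    if (uid != 0 && seteuid(0) == 0)
        return -1;
    return 0;
}

/* 1 if this process can become root again (seteuid(0) succeeds), restoring
 * the previous effective uid afterwards; 0 otherwise. */
int can_regain_root(void)
{
    uid_t saved = geteuid();
    if (seteuid(0) == 0) {
        if (saved != 0)
            seteuid(saved);
        return 1;
    }
    return 0;
}

/* Ids to drop to: 65534 when started as root (assumption: an unprivileged
 * "nobody"-style account), otherwise the caller's own ids. */
uid_t demo_uid(void) { return getuid() == 0 ? (uid_t)65534 : getuid(); }
gid_t demo_gid(void) { return getgid() == 0 ? (gid_t)65534 : getgid(); }

int main(void)
{
    if (drop_privs_temporarily(demo_uid()) == -1) {
        perror("seteuid");
        return 1;
    }
    printf("after seteuid():    can regain root? %s\n", can_regain_root() ? "yes" : "no");
    if (drop_privs_permanently(demo_uid(), demo_gid()) == -1) {
        perror("permanent drop");
        return 1;
    }
    printf("after setresuid():  can regain root? %s\n", can_regain_root() ? "yes" : "no");
    return 0;
}
```

Run as root it prints "yes" after the seteuid()-only drop and "no" after the permanent one, which is the whole difference between the two designs: the proposed scheme keeps a window in which the unprivileged process is still root in all but name, and privsep exists precisely to close that window before any user-influenced code runs.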
From: fcusack at fcusack.com (Frank Cusack)
Date: Sun, 11 May 2003 02:26:06 -0700
Subject: New PAM code landing (at last)
In-Reply-To: <001901c3178f$0fbb2130$6600a8c0@JAMES>; from james@nameonthe.net on Sun, May 11, 2003 at 08:29:28AM +0100
References: <3EBCC47A.5060104@mindrot.org> <002501c316e0$37ed74a0$6600a8c0@JAMES> <3EBCE7DD.60308@mindrot.org> <20030510142546.A23607@google.com> <3EBD9121.1090207@mindrot.org> <001901c3178f$0fbb2130$6600a8c0@JAMES>
Message-ID: <20030511022606.A24564@google.com>

On Sun, May 11, 2003 at 08:29:28AM +0100, James Williamson wrote:
> I've scanned the code and the PAM stuff is actually broken despite the
> privileges.
> The credentials stage is actually called after the session stage which runs
> contra
> to what the linux pam docs specify (i.e. it should be done before).

What is the credentials stage? pam_setcred()?

Both the Sun docs (Solaris 9_u2):

    The pam_setcred() function is used to establish, modify, or delete user credentials. It is typically called after the user has been authenticated and after a session has been opened.

and the Linux-PAM docs (Linux-PAM-0.72):

    This function is used to set the module-specific credentials of the user. It is usually called after the user has been authenticated, after the account management function has been called and after a session has been opened for the user.

say that you call this after pam_open_session().

/fc

From james at nameonthe.net Sun May 11 19:47:26 2003
From: james at nameonthe.net (James Williamson) Date: Sun, 11 May 2003 10:47:26 +0100 Subject: New PAM code landing (at last) References: <3EBCC47A.5060104@mindrot.org> <002501c316e0$37ed74a0$6600a8c0@JAMES> <3EBCE7DD.60308@mindrot.org> <20030510142546.A23607@google.com> <3EBD9121.1090207@mindrot.org> <001901c3178f$0fbb2130$6600a8c0@JAMES> <20030511022606.A24564@google.com> Message-ID: <002e01c317a2$56795980$6600a8c0@JAMES> > On Sun, May 11, 2003 at 08:29:28AM +0100, James Williamson wrote: > > I've scanned the code and the PAM stuff is actually broken despite the > > privileges. > > The credentials stage is actually called after the session stage which runs > > contra > > to what the linux pam docs specify (i.e. it should be done before). > > What is the credentials stage? pam_setcred()? > > Both the the Sun docs (Solaris 9_u2): > > The pam_setcred() function is used to establish, modify, or > delete user credentials. It is typically called after the > user has been authenticated and after a session has been > opened. > > and the Linux-PAM docs (Linux-PAM-0.72): > > This function is used to set the module-specific credentials of the > user. It is usually called after the user has been authenticated, > after the account management function has been called and after a > session has been opened for the user. > > say that you call this after pam_open_session(). Well I'm looking here: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-3.html extern int pam_setcred(pam_handle_t *pamh, int flags); "This function is used to set the module-specific credentials of the user. It is usually called after the user has been authenticated, after the account management function has been called but before a session has been opened for the user. " Regards, James Williamson www.nameonthe.net Tel: +44 208 7415453 Fax: + 44 208 7411615 From bugzilla-daemon at mindrot.org Sun May 11 19:52:26 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 11 May 2003 19:52:26 +1000 (EST) Subject: [Bug 463] PrintLastLog doesn't work in privsep mode Message-ID: <20030511095226.B7EDC942D9@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=463 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #287 is|0 |1 obsolete| | ------- Additional Comments From dtucker at zip.com.au 2003-05-11 19:52 ------- Created an attachment (id=288) --> (http://bugzilla.mindrot.org/attachment.cgi?id=288&action=view) Generate loginmsg as part of login recording (against OpenBSD -current, take 2) Simpler patch, removes many of the Buffer->string->Buffer contortions. Works with multiple sessions (ie most recent login time is displayed each time). ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From fcusack at fcusack.com Sun May 11 19:55:23 2003 
From: fcusack at fcusack.com (Frank Cusack) Date: Sun, 11 May 2003 02:55:23 -0700 Subject: New PAM code landing (at last) In-Reply-To: <002e01c317a2$56795980$6600a8c0@JAMES>; from james@nameonthe.net on Sun, May 11, 2003 at 10:47:26AM +0100 References: <3EBCC47A.5060104@mindrot.org> <002501c316e0$37ed74a0$6600a8c0@JAMES> <3EBCE7DD.60308@mindrot.org> <20030510142546.A23607@google.com> <3EBD9121.1090207@mindrot.org> <001901c3178f$0fbb2130$6600a8c0@JAMES> <20030511022606.A24564@google.com> <002e01c317a2$56795980$6600a8c0@JAMES> Message-ID: <20030511025523.B24564@google.com> On Sun, May 11, 2003 at 10:47:26AM +0100, James Williamson wrote: > > On Sun, May 11, 2003 at 08:29:28AM +0100, James Williamson wrote: > > > I've scanned the code and the PAM stuff is actually broken despite the > > > privileges. > > > The credentials stage is actually called after the session stage which > runs > > > contra > > > to what the linux pam docs specify (i.e. it should be done before). > > > > What is the credentials stage? pam_setcred()? > > > > Both the the Sun docs (Solaris 9_u2): > > > > The pam_setcred() function is used to establish, modify, or > > delete user credentials. It is typically called after the > > user has been authenticated and after a session has been > > opened. > > > > and the Linux-PAM docs (Linux-PAM-0.72): > > > > This function is used to set the module-specific credentials of the > > user. It is usually called after the user has been authenticated, > > after the account management function has been called and after a > > session has been opened for the user. > > > > say that you call this after pam_open_session(). > > Well I'm looking here: > > http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-3.html > > extern int pam_setcred(pam_handle_t *pamh, int flags); > > "This function is used to set the module-specific credentials of the user. 
> It is usually called after the user has been authenticated, after the
> account management function has been called but before a session
> has been opened for the user. "

Well, they seem to have changed their mind between 0.72 and whatever is current. I would lend more credence to the Sun docs. Also, login.c from util-linux-2.11y (the latest I could find) does it in the Sun-documented order.

/fc

From fcusack at fcusack.com Sun May 11 20:03:48 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Sun, 11 May 2003 03:03:48 -0700
Subject: New PAM code landing (at last)
In-Reply-To: <3EBCC47A.5060104@mindrot.org>; from djm@mindrot.org on Sat, May 10, 2003 at 07:20:58PM +1000
References: <3EBCC47A.5060104@mindrot.org> <002501c316e0$37ed74a0$6600a8c0@JAMES> <3EBCE7DD.60308@mindrot.org> <20030510142546.A23607@google.com> <3EBD9121.1090207@mindrot.org> <3EBCC47A.5060104@mindrot.org>
Message-ID: <20030511030348.C24564@google.com>

On Sun, May 11, 2003 at 09:54:09AM +1000, Damien Miller wrote:
> Frank Cusack wrote:
> > On Sat, May 10, 2003 at 09:51:57PM +1000, Damien Miller wrote:
> >
> >>I think that this may be very difficult to do with privsep, as we have
> >>long since given up root privs by the time we start the session. Of
> >>course, I'd like to be proved wrong...
> >
> > The FreeBSD diff, as posted a few months ago, did exactly this. What
> > has changed since then?
>
> The FreeBSD PAM code doesn't touch the session setup. Never did IIRC.

Yup, sorry 'bout that.

/fc

From fcusack at fcusack.com Mon May 12 13:34:17 2003
From: fcusack at fcusack.com (Frank Cusack) Date: Sun, 11 May 2003 20:34:17 -0700 Subject: New PAM code landing (at last) In-Reply-To: <3EBCC47A.5060104@mindrot.org>; from djm@mindrot.org on Sat, May 10, 2003 at 07:20:58PM +1000 References: <3EBCC47A.5060104@mindrot.org> Message-ID: <20030511203417.A25524@google.com> On Sat, May 10, 2003 at 07:20:58PM +1000, Damien Miller wrote: > The long-mooted PAM merge from FreeBSD is starting _now_. This replaces > the PAM password auth kludge that we have used until now with a discrete > challenge-response module. This module is invoked via > keyboard-interactive for protocol 2 or TIS auth for protocol 1. > > Warning: this is a large change and will probably break things. It has > only been tested with basic password auth modules and not at all (by me) > on non-Linux systems (I put out test requests on snapshots of this, but > nobody responded...) Actually, I did respond, and we got into an argument about it. Although, I didn't have an opportunity to actually test it, and I guess no one else did either. I don't see what's wrong with the existing code. Especially when you say the new code "will probably break things". Now I have to study this new code and port my bugfixes all over again. :-) I tried to download, but the latest snapshot (20030409) doesn't contain the PAM bits, and anoncvs.be.openbsd.org appears to be down. I took some time to look at the snapshot you offered previously (20030123) and found three problems: - kbdint authentication cannot be abandoned - print_pam_messages() doesn't do anything! - sshpam_query() sends the client only one pam prompt at a time; this is explicitly mentioned as wrong in the kbdint draft. As to pam_*_session(), in this new code, the auth bits run in the monitor and communicate with the unpriv child via a socket. Seeing that, I assumed pam_*_session() would have been setup to do the same. The problem seems pretty easy now that the plumbing is in place. 
/fc

From bugzilla-daemon at mindrot.org Mon May 12 13:53:44 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 12 May 2003 13:53:44 +1000 (EST)
Subject: [Bug 559] PAM fixes
Message-ID: <20030512035344.1085194211@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=559

           Summary: PAM fixes
           Product: Portable OpenSSH
           Version: 3.6.1p2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P3
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: fcusack at fcusack.com

- start PAM with correct username
- don't call pam_authenticate() for null password checking when not necessary
- set pam_flags correctly for kbdint pam_authenticate() calls
- improve logging

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Mon May 12 13:55:54 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 12 May 2003 13:55:54 +1000 (EST)
Subject: [Bug 559] PAM fixes
Message-ID: <20030512035554.29DEE94215@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=559

------- Additional Comments From fcusack at fcusack.com 2003-05-12 13:55 -------
Created an attachment (id=289)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=289&action=view)
PAM patches

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From fcusack at fcusack.com Mon May 12 14:20:31 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Sun, 11 May 2003 21:20:31 -0700
Subject: openssh 3.6.1_p2 problem with pam (fwd)
In-Reply-To: <20030502120352.GA20137@sole.infis.univ.trieste.it>; from lcars@infis.univ.trieste.it on Fri, May 02, 2003 at 02:03:52PM +0200
References: <20030502120352.GA20137@sole.infis.univ.trieste.it> <3EB27497.3C3A9A23@anl.gov> <20030502120352.GA20137@sole.infis.univ.trieste.it>
Message-ID: <20030511212031.B25546@google.com>

OK, here is my take on how PAM flow should go, in pseudocode, with #ifdef
commentary on where openssh-3.6.1p2 strays. I've just submitted a patch

http://bugzilla.mindrot.org/show_bug.cgi?id=559
http://bugzilla.mindrot.org/attachment.cgi?id=289&action=view

which addresses some of the problems below.

The description below isn't as readable as I had hoped, but at least it
does show PAM behavior as a single flow of control; whereas in openssh
you'll have to look into a number of files.

#ifdef OPENSSH
	pw = getpwnam(user);
	pamh = pam_start(service, pw ? user : "NOUSER", ...);
#else
	pamh = pam_start(service, user, ...);
#endif

	if (options.permit_empty_password)
		pam_auth_flags = 0;
	else
		pam_auth_flags = PAM_DISALLOW_NULL_AUTHTOK;

	if (protocol == 1) {
		if (password_auth_enabled()) {	/* kludge */
			set_conv(non_interactive_conv_func);
#ifdef OPENSSH
			{
#else
			if (options.permit_empty_password) {
#endif
				/*
				 * Need to do this because of a password_auth deficiency: the
				 * client prompts for the password before the server asks for it.
				 * This breaks "don't prompt on null password" expected behavior.
				 *
				 * Results in a spurious pam log for accounts with password. :-(
				 * And is just plain broken, for the general case--consider
				 * a PAM module that only allows x attempts in y secs.
				 */
				set_password("");
#ifdef OPENSSH
				/*
				 * NB: pam_auth_flags might be PAM_DISALLOW_NULL_AUTHTOK,
				 * in which case this call to pam_authenticate() is pointless.
				 * See above, where we test options.permit_empty_password first.
				 */
#endif
				pam_authenticate(pamh, pam_auth_flags);
				if (authenticated)
					goto pam_account;
			}
			set_password(get_password());
			pam_authenticate(pamh, pam_auth_flags);
		}
	}

	if ("none" authentication) {	/* protocol 2 does this first */
#ifdef OPENSSH
		{
#else
		if (password_auth_enabled() && options.permit_empty_password) {
			/* kbdint handles this itself */
#endif
			set_conv(non_interactive_conv_func);
			set_password("");
#ifdef OPENSSH
			/* see comment about pam_auth_flags, above */
#endif
			pam_authenticate(pamh, pam_auth_flags);
			if (authenticated)
				goto pam_account;
		}
	}

	if (is_password_auth || is_kbd_int_auth) {
		if (is_password_auth)
			set_conv(non_interactive_conv_func);
		else
			set_conv(interactive_conv_function);
#ifdef OPENSSH
		/* NB: Ignores setting of options.permit_empty_password */
		if (protocol == 2)
			pam_auth_flags = 0;
#endif
		pam_authenticate(pamh, pam_auth_flags);
		if (!authenticated)
			return failure;
	}

pam_account:
	r = pam_acct_mgmt(pamh, pam_auth_flags);
	if (r == PAM_SUCCESS)
		return success;
#ifndef OPENSSH
	if (r != PAM_NEW_AUTHTOK_REQD)
#endif
		/* NB: OPENSSH notes below don't matter since we fail here */
		return failure;

	/* new password required */
	if (is_password_auth) {
		/* password_auth deficiency, argh */
		flag_password_change_needed();
		return success;
	}
	if (is_kbd_int_auth) {
#ifdef OPENSSH
		/* password_auth deficiency, not a kbd_int deficiency, argh! */
		flag_password_change_needed();
		return success;
#else
		/* PAM_CHANGE_EXPIRED_AUTHTOK is iffy */
		return ((pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK) == 0) ?
		    success : failure);
#endif
	}
	/* non password, non kbd-int, but password expired ... a tough call */
	return success;

In addition to the parts noted above, additional bugs:

- #if 0'd out code for pam_chauthtok && privsep, even though it works
  correctly for non-privsep, AFAIK (auth-pam.c:251; auth-pam.c:347)
- extraneous failure message for 'none' auth (noise)
- PAM_TEXT_INFO and PAM_ERROR_MSG messages are aggregated rather than
  passed to the client in order; if the conversation is *only* PAM_TEXT_INFO
  and PAM_ERROR_MSG messages the client doesn't see them at all, for kbdint
- do_pam_conversation_kbd_int() leaks char *text
- protocol 2 assumes client will do 'none' authentication
- kbdint authentication cannot be abandoned
- user:style is not supported by the ietf-drafts

/fc

From markus at openbsd.org Mon May 12 14:31:35 2003
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 12 May 2003 06:31:35 +0200
Subject: openssh 3.6.1_p2 problem with pam (fwd)
In-Reply-To: <20030511212031.B25546@google.com>
References: <20030502120352.GA20137@sole.infis.univ.trieste.it> <3EB27497.3C3A9A23@anl.gov> <20030502120352.GA20137@sole.infis.univ.trieste.it> <20030511212031.B25546@google.com>
Message-ID: <20030512043135.GA29040@folly>

On Sun, May 11, 2003 at 09:20:31PM -0700, Frank Cusack wrote:
> - kbdint authentication cannot be abandoned

generally?

From yasii at netian.com Mon May 12 15:00:42 2003
From: yasii at netian.com (=?ks_c_5601-1987?B?s6rAsby6?=)
Date: Mon, 12 May 2003 14:00:42 +0900
Subject: [Ans.]openssh3.5p1 version ... Password aging problem???
Message-ID: <014c01c31843$70e5f520$74f84bdc@skyhawk>

Our server only has the sshd port 22 open...
We want our server security to be higher, so we decided on a password aging policy...
The Linux command "chage" is very useful, but it does not take effect with OpenSSH 3.3 and higher versions...

[root at radius ~]# chage -l test
Minimum:        0
Maximum:        2
Warning:        2
Inactive:       2
Last Change:            May 09, 2003
Password Expires:       May 11, 2003
Password Inactive:      May 13, 2003
Account Expires:        Never
[root at radius ~]#
[root at radius ~]# telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

radius login: test
Password:
You are required to change your password immediately (password aged)
Changing password for test
(current) UNIX password:
----------------------------------------------------------------------
BUT...
[root at radius ~]# ssh -l test 220.75.xxx.xxx
test at 220.75.xxx.xxx's password:
Read from remote host 220.75.xxx.xxx: Connection reset by peer
Connection to 220.75.xxx.xxx closed.
[root at radius ~]#
[root at radius ~]# telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.5p1

This problem only occurs with OpenSSH 3.3 and higher versions.
Why does this problem occur???
Please reply with the answer....

From dtucker at zip.com.au Mon May 12 17:08:18 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 12 May 2003 17:08:18 +1000
Subject: [Ans.]openssh3.5p1 version ... Password aging problem???
References: <014c01c31843$70e5f520$74f84bdc@skyhawk>
Message-ID: <3EBF4862.8CEC2368@zip.com.au>

> ?????? wrote:
> We wants our server security is more higher, so decide to password
> aging policy...
[snip]
> This problem is only openssh3.3 higher version.
>
> Why this problem occurred???

This is a known issue with the current code. Depending on whether or not
you're using PAM, the bugs (with potential solutions) are:

http://bugzilla.mindrot.org/show_bug.cgi?id=14 (non-PAM)
http://bugzilla.mindrot.org/show_bug.cgi?id=423 (PAM)

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From openssh at roumenpetrov.info Mon May 12 17:28:43 2003
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Mon, 12 May 2003 10:28:43 +0300
Subject: Manual Page for ssh_config
References: <200305091426.h49EQoBi000596@musashi.et.bocholt.fh-gelsenkirchen.de>
Message-ID: <3EBF4D2B.6090101@roumenpetrov.info>

use "ssh-keyscan -t rsa,dsa localhost" to check server host keys.
server always should have dsa key (many clients support only "ssh-dss"
host key), rsa hostkey is recommended, all other hostkeys are optional.

I don't think that this is problem. I think that your linux server has
rsa and dsa keys and freebsd - only dsa hostkey. That is all.

Dirk GOUDERS wrote:
> > Sorry, but I cannot understand where is problem and I cannot test with
> > too old server version (insufficient time).
>
>Thanks for your reply and sorry for the prior use of an out of date
>version.
>
>I did some more testing and on a GNU/Linux system, I installed a newer
>OpenSSH version (the same as on my FreeBSD system) and noticed that
>the two systems behave different with identical configuration files.
>
>On both machines, I have no key for localhost in the file
>~/.ssh/known_hosts.
>On the GNU/Linux system, if I try to connect to localhost, the RSA key
>fingerprint is printed and I get asked if I am sure that I want to
>connect, but on the FreeBSD machine the DSA key fingerprint is
>printed before the question.
>
>Well, with identical OpenSSH versions and configuration files
>(sshd_config as well as ssh_config), I am wondering what it is that
>could cause the two systems to behave differently...
>
>I attach the console outputs from both machines:
>
>GNU/LINUX:
>------------------------------------------------------------------------
>OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
>debug1: Reading configuration data /usr/etc/ssh_config
>debug1: Applying options for *
>debug1: Rhosts Authentication disabled, originating port will not be trusted.
>debug1: ssh_connect: needpriv 0
>debug1: Connecting to localhost [127.0.0.1] port 22.
>debug1: Connection established.
>debug1: identity file ~/.ssh/identity type -1
>debug1: identity file ~/.ssh/id_rsa type -1
>debug1: identity file ~/.ssh/id_dsa type -1
>debug1: Remote protocol version 2.0, remote software version OpenSSH_3.5p1
>debug1: match: OpenSSH_3.5p1 pat OpenSSH*
>debug1: Enabling compatibility mode for protocol 2.0
>debug1: Local version string SSH-2.0-OpenSSH_3.5p1
>debug1: SSH2_MSG_KEXINIT sent
>debug1: SSH2_MSG_KEXINIT received
>debug1: kex: server->client aes128-cbc hmac-md5 none
>debug1: kex: client->server aes128-cbc hmac-md5 none
>debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
>debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>debug1: dh_gen_key: priv key bits set: 140/256
>debug1: bits set: 1043/2049
>debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>The authenticity of host 'localhost (127.0.0.1)' can't be established.
>RSA key fingerprint is d9:eb:e9:c6:10:cb:59:93:87:c8:f0:42:d4:b9:9b:77.
>Are you sure you want to continue connecting (yes/no)? no
>Host key verification failed.
>debug1: Calling cleanup 0x8065650(0x0)
>------------------------------------------------------------------------
>FreeBSD:
>------------------------------------------------------------------------
>OpenSSH_3.5p1 FreeBSD-20030201, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
>debug1: Reading configuration data /etc/ssh/ssh_config
>debug1: Applying options for *
>debug1: Rhosts Authentication disabled, originating port will not be trusted.
>debug1: ssh_connect: needpriv 0
>debug1: Connecting to localhost [127.0.0.1] port 22.
>debug1: Connection established.
>debug1: identity file ~/.ssh/identity type -1
>debug1: identity file ~/.ssh/id_rsa type -1
>debug1: identity file ~/.ssh/id_dsa type -1
>debug1: Remote protocol version 2.0, remote software version OpenSSH_3.5p1 FreeBSD-20030201
>debug1: match: OpenSSH_3.5p1 FreeBSD-20030201 pat OpenSSH*
>debug1: Enabling compatibility mode for protocol 2.0
>debug1: Local version string SSH-2.0-OpenSSH_3.5p1 FreeBSD-20030201
>debug1: SSH2_MSG_KEXINIT sent
>debug1: SSH2_MSG_KEXINIT received
>debug1: kex: server->client aes128-cbc hmac-md5 none
>debug1: kex: client->server aes128-cbc hmac-md5 none
>debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
>debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>debug1: dh_gen_key: priv key bits set: 121/256
>debug1: bits set: 1570/3191
>debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>The authenticity of host 'localhost (127.0.0.1)' can't be established.
>DSA key fingerprint is 4f:a4:6a:63:0b:f0:7f:de:0b:02:9e:5a:2a:81:b0:c8.
>Are you sure you want to continue connecting (yes/no)? no
>Host key verification failed.
>debug1: Calling cleanup 0x804c158(0x0)
>------------------------------------------------------------------------
>
>

--
Get X.509 certificate support in OpenSSH: http://roumenpetrov.info/openssh

From djm at mindrot.org Mon May 12 17:35:00 2003
From: djm at mindrot.org (Damien Miller)
Date: Mon, 12 May 2003 17:35:00 +1000
Subject: New PAM code landing (at last)
In-Reply-To: <20030511203417.A25524@google.com>
References: <3EBCC47A.5060104@mindrot.org> <20030511203417.A25524@google.com>
Message-ID: <3EBF4EA4.9000500@mindrot.org>

Frank Cusack wrote:
>> Warning: this is a large change and will probably break things. It has
>> only been tested with basic password auth modules and not at all (by me)
>> on non-Linux systems (I put out test requests on snapshots of this, but
>> nobody responded...)
>
> Actually, I did respond, and we got into an argument about it. Although,
> I didn't have an opportunity to actually test it, and I guess no one
> else did either.

Well, tester responses were what I was after and, to set the record
straight, Darren Tucker and Kevin Steves responded.

> I don't see what's wrong with the existing code. Especially when you
> say the new code "will probably break things". Now I have to study
> this new code and port my bugfixes all over again. :-)

The current PAM kbd-int code is obviously broken, the current PAM
password auth code only works by making AssUMeptions about the requests
that PAM is going to make in the conversation function.

> I tried to download, but the latest snapshot (20030409) doesn't contain
> the PAM bits, and anoncvs.be.openbsd.org appears to be down.

The mirrors may be slow to update, but 20030510+ should have the changes.

> I took some
> time to look at the snapshot you offered previously (20030123) and found
> three problems:
>
> - kbdint authentication cannot be abandoned

I think that this has been rectified since the earlier snapshots.

> - print_pam_messages() doesn't do anything!
> - sshpam_query() sends the client only one pam prompt at a time;
> this is explicitly mentioned as wrong in the kbdint draft.

I don't think so - we fill out our reply with as many messages as PAM
returns to us, if it does it is an error higher up in our kbd-int
support or in the PAM code itself.

> As to pam_*_session(), in this new code, the auth bits run in the
> monitor and communicate with the unpriv child via a socket. Seeing
> that, I assumed pam_*_session() would have been setup to do the same.
> The problem seems pretty easy now that the plumbing is in place.

Actually, it isn't that simple. The PAM conversation runs in a
subprocess, to avoid its idiotic blocking nature. Therefore any side
effects of the pam_session call will be lost.

I have heard that at least some versions of PAM support a non-blocking
conversation. If so, I would be interested in seeing patches to support
it.

Supporting pam_session as root, privsep and multiple sessions over one
protocol 2 connection is tricky. However, we could do a slightly crippled
version, where we call pam_session with no tty post-auth, before we
discard privs [in sshd.c:privsep_postauth()].

I don't know how many pam_session modules that people use care about the
tty, but since most of the requests for this come from people using
pam_limits and chroot modules, I expect not many...

-d

From bugzilla-daemon at mindrot.org Mon May 12 17:47:16 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 12 May 2003 17:47:16 +1000 (EST)
Subject: [Bug 559] PAM fixes
Message-ID: <20030512074716.C76F19428C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=559

------- Additional Comments From djm at mindrot.org 2003-05-12 17:47 -------
Some comments:

> - setproctitle("%s%s", authctxt->pw ? user : "unknown",
> + setproctitle("%s%s", user,
> use_privsep ? " [net]" : "");

We deliberately hide the username in logs and on the process list to avoid
password disclosure in situations where the client has entered their password as
their username (it happens...)

> - PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user));
> + PRIVSEP(start_pam(user));

I am starting to change my mind that this may be correct. See Bug #117

> - PRIVSEP(start_pam("NOUSER"));
> + PRIVSEP(start_pam(user));
> + authenticated = -1; /* signal illegal user */

authctxt->valid = 0 should obviate the need for the authenticated = -1, no?

> + /*
> + * REDACTED
> + * REDACTED
> ...

What is this?

> - retval = (do_pam_authenticate(0) == PAM_SUCCESS);
> + retval = (do_pam_authenticate(options.permit_empty_passwd == 0
> + ? PAM_DISALLOW_NULL_AUTHTOK
> + : 0) == PAM_SUCCESS);

Is this still necessary with the CVS -current PAM code?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Mon May 12 18:42:42 2003
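Review bot: the do_pam_authenticate() hunk derives PAM_DISALLOW_NULL_AUTHTOK from options.permit_empty_passwd at this single call site only; if do_pam_authenticate() is also reached from the keyboard-interactive path, that path still passes 0, and an account with an empty password is then accepted there whatever PermitEmptyPasswords says. Compute the flag once, next to the start_pam(user) call in the earlier hunk, and pass it to every pam_authenticate() call so the two authentication methods cannot disagree.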
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 12 May 2003 18:42:42 +1000 (EST)
Subject: [Bug 296] Priv separation does not work on OSF/1
Message-ID: <20030512084242.4F26294233@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=296

------- Additional Comments From dtucker at zip.com.au 2003-05-12 18:42 -------
Can this bug be closed? The ChangeLog seems to indicate that it's been
addressed.

20030320
[snip]
 - (bal) Disable Privsep for Tru64 after pre-authentication due to issues
   with SIA. Also, clean up of tru64 support patch by Chris Adams

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From yasii at netian.com Mon May 12 18:59:59 2003
From: yasii at netian.com (=?ks_c_5601-1987?B?s6rAsby6?=)
Date: Mon, 12 May 2003 17:59:59 +0900
Subject: [Ans.]openssh3.6p2 version ... Password aging problem???
Message-ID: <02e901c31864$de006570$74f84bdc@skyhawk>

Our server only has the sshd port 22 open...
We want our server security to be higher, so we decided on a password aging policy...
The Linux command "chage" is very useful, but it does not take effect with OpenSSH 3.3 and higher versions...

[root at radius ~]# chage -l test
Minimum:        0
Maximum:        2
Warning:        2
Inactive:       2
Last Change:            May 09, 2003
Password Expires:       May 11, 2003
Password Inactive:      May 13, 2003
Account Expires:        Never
[root at radius ~]#
[root at radius ~]# telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

radius login: test
Password:
You are required to change your password immediately (password aged)
Changing password for test
(current) UNIX password:
----------------------------------------------------------------------
BUT...
[root at radius ~]# ssh -l test 220.75.xxx.xxx
test at 220.75.xxx.xxx's password:
Read from remote host 220.75.xxx.xxx: Connection reset by peer
Connection to 220.75.xxx.xxx closed.
[root at radius ~]#
[root at radius ~]# telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.6p2

This problem only occurs with OpenSSH 3.3 and higher versions.
Why does this problem occur???
Please reply with the answer....

From des at ofug.org Mon May 12 19:04:55 2003
From: des at ofug.org (Dag-Erling Smorgrav)
Date: Mon, 12 May 2003 11:04:55 +0200
Subject: slightly OT: support for keyboard-interactive in other implementations
Message-ID:

I'd like to know if anyone knows of any SSH clients with significant user
bases (winscp2, putty, mindterm etc.) which lack support for
keyboard-interactive authentication.

DES
--
Dag-Erling Smorgrav - des at ofug.org

From bugzilla-daemon at mindrot.org Mon May 12 19:13:00 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 12 May 2003 19:13:00 +1000 (EST)
Subject: [Bug 502] sshd fails when "Compression yes" set on HPUX
Message-ID: <20030512091300.184829428E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=502

------- Additional Comments From dtucker at zip.com.au 2003-05-12 19:12 -------
Is there an older libz in your library path? Mark Janssen reported an
identical problem (all the way down to the number after "alloc") which was
solved by recompiling zlib. See:

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=104487220204506
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=104613235206211

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Mon May 12 19:23:22 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 12 May 2003 19:23:22 +1000 (EST)
Subject: [Bug 538] Hanging while connecting
Message-ID: <20030512092322.162589427A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=538

------- Additional Comments From dtucker at zip.com.au 2003-05-12 19:23 -------
According to RFC 1122, a host must be able to handle an MTU of 576. If
your machine still has hangs with that MTU but works with a lower one then
that would seem to indicate a hardware (or driver) problem with the
ethernet (or possibly the PCI bus).

Does it have problems with other network applications? (Particularly one
that does full-duplex communications?)

What kernel version is it running?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Mon May 12 19:43:40 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 12 May 2003 19:43:40 +1000 (EST)
Subject: [Bug 367] patches for Cray port
Message-ID: <20030512094340.2A10D94264@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=367

------- Additional Comments From dtucker at zip.com.au 2003-05-12 19:43 -------
Is there anything else left to be done here or can the bug be closed?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Mon May 12 19:45:46 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 12 May 2003 19:45:46 +1000 (EST)
Subject: [Bug 296] Priv separation does not work on OSF/1
Message-ID: <20030512094546.3E782942BC@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=296

Al.Smith at gold.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From fcusack at fcusack.com Mon May 12 21:02:54 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Mon, 12 May 2003 04:02:54 -0700
Subject: [Bug 559] PAM fixes
In-Reply-To: <20030512074716.C76F19428C@shitei.mindrot.org>; from bugzilla-daemon@mindrot.org on Mon, May 12, 2003 at 05:47:16PM +1000
References: <20030512074716.C76F19428C@shitei.mindrot.org>
Message-ID: <20030512040254.B29671@google.com>

On Mon, May 12, 2003 at 05:47:16PM +1000, bugzilla-daemon at mindrot.org wrote:
> ------- Additional Comments From djm at mindrot.org 2003-05-12 17:47 -------
> Some comments:
>
> > - setproctitle("%s%s", authctxt->pw ? user : "unknown",
> > + setproctitle("%s%s", user,
> > use_privsep ? " [net]" : "");
>
> We deliberately hide the username in logs and on the process list to avoid
> password disclosure in situations where the client has entered their password as
> their username (it happens...)

good point.

> > - PRIVSEP(start_pam("NOUSER"));
> > + PRIVSEP(start_pam(user));
> > + authenticated = -1; /* signal illegal user */
>
> authctxt->valid = 0 should obviate the need for the authenticated = -1, no?

yes, that will work, and is better.

> > + /*
> > + * REDACTED
> > + * REDACTED
> > ...
>
> What is this?

A long comment of significance to my site. You don't want to see it. :-)

> > - retval = (do_pam_authenticate(0) == PAM_SUCCESS);
> > + retval = (do_pam_authenticate(options.permit_empty_passwd == 0
> > + ? PAM_DISALLOW_NULL_AUTHTOK
> > + : 0) == PAM_SUCCESS);
>
> Is this still necessary with the CVS -current PAM code?

anoncvs.be.openbsd.org is down, so I can't tell.

Thanks for taking a look.

/fc

From fcusack at fcusack.com Mon May 12 21:18:13 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Mon, 12 May 2003 04:18:13 -0700
Subject: openssh 3.6.1_p2 problem with pam (fwd)
In-Reply-To: <20030512043135.GA29040@folly>; from markus@openbsd.org on Mon, May 12, 2003 at 06:31:35AM +0200
References: <20030502120352.GA20137@sole.infis.univ.trieste.it> <3EB27497.3C3A9A23@anl.gov> <20030502120352.GA20137@sole.infis.univ.trieste.it> <20030511212031.B25546@google.com> <20030512043135.GA29040@folly>
Message-ID: <20030512041813.D29671@google.com>

On Mon, May 12, 2003 at 06:31:35AM +0200, Markus Friedl wrote:
> On Sun, May 11, 2003 at 09:20:31PM -0700, Frank Cusack wrote:
> > - kbdint authentication cannot be abandoned
>
> generally?

In openssh. I posted a patch for it a long time ago (3.0.2p1). I don't
know whether it would be easier or harder for the "newpam" code.

/fc

From ml-0064 at zurich.ibm.com Mon May 12 21:12:56 2003
From: ml-0064 at zurich.ibm.com (Zurich Mailing List 0064)
Date: Mon, 12 May 2003 13:12:56 +0200
Subject: openssh-unix-dev -- confirmation of subscription -- request 707411
Message-ID: <0305121112.AA45418@langenberg.zurich.ibm.com>

confirm 707411

From bugzilla-daemon at mindrot.org Mon May 12 21:40:12 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 12 May 2003 21:40:12 +1000 (EST)
Subject: [Bug 560] Privsep child continues to run after monitor killed.
Message-ID: <20030512114012.7FEB094222@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=560

           Summary: Privsep child continues to run after monitor killed.
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
               URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=164797
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: dtucker at zip.com.au

When the privileged monitor is killed (eg via a SIGHUP) it cleans up the
utmp entries and exits, leaving the child still running.

hosta$ ssh -p 2022 hostb
hostb$ sudo rpm -q redhat-release
redhat-release-8.0-8
hostb$ w
  9:26pm  up 9 days,  9:53,  2 users,  load average: 0.23, 0.39, 0.60
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
dtucker  pts/0    laptop            9:25pm  0.00s  0.20s  0.03s  w
hostb$ ps -eaf |grep "sshd"
root      5052     1  0 21:25 ?        00:00:00 ./sshd -p 2022
root      5061   853  0 21:25 ?        00:00:00 [sshd]
dtucker   5063  5061  0 21:25 ?        00:00:00 [sshd]
dtucker   5154  5064  0 21:26 pts/0    00:00:00 grep sshd
hostb$ sudo kill -HUP 5061
hostb$ w
  9:27pm  up 9 days,  9:54,  2 users,  load average: 0.11, 0.34, 0.57
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
hostb$

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Mon May 12 21:49:02 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 12 May 2003 21:49:02 +1000 (EST)
Subject: [Bug 560] Privsep child continues to run after monitor killed.
Message-ID: <20030512114902.E50B49420C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=560

------- Additional Comments From dtucker at zip.com.au 2003-05-12 21:49 -------
Created an attachment (id=290)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=290&action=view)
Pass monitor signals through to child

Attempt to fix. Dunno if this is a good idea or not. The problem doesn't
seem to happen on Solaris 8, don't know why.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From fcusack at fcusack.com Mon May 12 22:23:53 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Mon, 12 May 2003 05:23:53 -0700
Subject: [Bug 559] PAM fixes
In-Reply-To: <20030512074716.C76F19428C@shitei.mindrot.org>; from bugzilla-daemon@mindrot.org on Mon, May 12, 2003 at 05:47:16PM +1000
References: <20030512074716.C76F19428C@shitei.mindrot.org>
Message-ID: <20030512052353.A29881@google.com>

On Mon, May 12, 2003 at 05:47:16PM +1000, bugzilla-daemon at mindrot.org wrote:
> http://bugzilla.mindrot.org/show_bug.cgi?id=559
> ------- Additional Comments From djm at mindrot.org 2003-05-12 17:47 -------
>
> > - retval = (do_pam_authenticate(0) == PAM_SUCCESS);
> > + retval = (do_pam_authenticate(options.permit_empty_passwd == 0
> > + ? PAM_DISALLOW_NULL_AUTHTOK
> > + : 0) == PAM_SUCCESS);
>
> Is this still necessary with the CVS -current PAM code?

Yes, something like it is required, auth-pam.c:213 and 216.

It looks like if I do kbdint, and have a null password, I will be
authenticated regardless of the setting of permit_empty_password.

This is just from inspection, not actual testing, but it looks clear.
The only place options.permit_empty_password is checked is in
auth-passwd.c, which isn't in the code path for kbdint.

/fc

From bugzilla-daemon at mindrot.org Mon May 12 22:27:37 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 12 May 2003 22:27:37 +1000 (EST)
Subject: [Bug 560] Privsep child continues to run after monitor killed.
Message-ID: <20030512122737.9F754942AB@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=560

------- Additional Comments From dtucker at zip.com.au 2003-05-12 22:27 -------
OK, I think I know why the bug does not manifest on Solaris:

$ truss -p 10673   # user child
poll(0xEFFFF348, 3, -1)         (sleeping...)
    Received signal #1, SIGHUP, in poll() [default]
poll(0xEFFFF348, 3, -1)         Err#4 EINTR
    *** process killed ***

I think the reason why it doesn't happen on Solaris is because setsid() is
not called early in sshd (SSHD_ACQUIRES_CTTY is defined), so both monitor
and child have the same controlling terminal.

$ ps -eafj   # Solaris 8
     UID   PID  PPID  PGID   SID  C    STIME TTY      TIME CMD
 dtucker 12497 12495 12495 12495  1 22:01:54 pts/2    0:00 ./sshd -p 2022
    root  2541     1  2541  2541  0 21:04:37 ?        0:00 ./sshd -p 2022
    root 12495  2541 12495 12495  1 22:01:52 pts/2    0:00 ./sshd -p 2022

$ ps -eafj   # Redhat 8
UID        PID  PPID  PGID   SID  C STIME TTY          TIME CMD
root      5052     1  5052  5052  0 21:25 ?        00:00:00 ./sshd -p 2022
root     13559  5052 13559 13559  1 22:05 ?        00:00:00 [sshd]
dtucker  13562 13559 13559 13559  0 22:05 ?        00:00:00 [sshd]

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From ml-0064 at zurich.ibm.com Mon May 12 22:33:01 2003
From: ml-0064 at zurich.ibm.com (Zurich Mailing List 0064)
Date: Mon, 12 May 2003 14:33:01 +0200
Subject: openssh-unix-dev -- confirmation of subscription -- request 707411
Message-ID: <0305121233.AA41626@langenberg.zurich.ibm.com>

confirm 707411

From djm at mindrot.org Mon May 12 22:41:31 2003
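Added example, not Darren's attachment 290 and not OpenSSH code: a self-contained C reproduction of the bug 560 situation (a privileged monitor whose unprivileged child outlives a "kill -HUP" of the monitor), next to the signal pass-through approach the attachment title describes. The monitor/child stand-ins, the pipe used as a liveness token and the two-second wait are this example's own choices.

```c
#define _POSIX_C_SOURCE 200809L   /* sigaction, kill, pause, poll */
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the unprivileged privsep child from the report: it waits for
 * work forever. It keeps a pipe write end (life_w) open; EOF on the read side
 * is how the caller learns that it has exited. */
static void unpriv_child(void)
{
    for (;;)
        pause();
}

static volatile sig_atomic_t forward_to = 0;

/* Monitor's handler when forwarding is on: relay the signal to the child,
 * then exit, so the child cannot outlive us. */
static void monitor_forward(int sig)
{
    if (forward_to > 0)
        kill((pid_t)forward_to, sig);
    _exit(1);
}

/* Stand-in for the privileged monitor: fork the child, report its pid over
 * report_fd, optionally install the forwarding handler, then wait. */
static void monitor(int report_fd, int life_w, int forward)
{
    struct sigaction sa;
    sigset_t set;
    pid_t child;

    /* Make sure SIGHUP is deliverable and has default (terminate) action,
     * whatever the caller inherited; the child inherits this too. */
    sigemptyset(&set);
    sigaddset(&set, SIGHUP);
    sigprocmask(SIG_UNBLOCK, &set, NULL);
    signal(SIGHUP, SIG_DFL);

    child = fork();
    if (child == 0)
        unpriv_child();
    close(life_w);                  /* only the child holds the token now */
    if (child < 0)
        _exit(1);
    if (forward) {
        forward_to = child;
        memset(&sa, 0, sizeof sa);
        sa.sa_handler = monitor_forward;
        sigaction(SIGHUP, &sa, NULL);
        sigaction(SIGTERM, &sa, NULL);
    }
    if (write(report_fd, &child, sizeof child) != (ssize_t)sizeof child)
        _exit(1);
    close(report_fd);
    for (;;)
        pause();
}

/* Spawn monitor + child, SIGHUP the monitor as "kill -HUP 5061" did in the
 * report, and return 1 if the child is still running two seconds later
 * (the bug), 0 if it went away with its monitor, -1 on setup failure. */
int child_survives_monitor_hup(int forward)
{
    int report[2], life[2], status, r;
    pid_t mon, child;
    struct pollfd pfd;

    if (pipe(report) != 0 || pipe(life) != 0)
        return -1;
    mon = fork();
    if (mon == 0) {
        close(report[0]);
        close(life[0]);
        monitor(report[1], life[1], forward);
    }
    close(report[1]);
    close(life[1]);
    if (mon < 0 || read(report[0], &child, sizeof child) != (ssize_t)sizeof child)
        return -1;
    close(report[0]);

    kill(mon, SIGHUP);
    waitpid(mon, &status, 0);       /* the monitor is gone either way */

    pfd.fd = life[0];
    pfd.events = POLLIN;
    r = poll(&pfd, 1, 2000);        /* EOF/HUP shows up only if the child exits */
    close(life[0]);
    if (r > 0)
        return 0;
    kill(child, SIGKILL);           /* orphan outlived its monitor: clean it up */
    return 1;
}

int main(void)
{
    printf("no forwarding:   child survives = %d\n", child_survives_monitor_hup(0));
    printf("with forwarding: child survives = %d\n", child_survives_monitor_hup(1));
    return 0;
}
```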
From: djm at mindrot.org (Damien Miller) Date: Mon, 12 May 2003 22:41:31 +1000 Subject: [Bug 559] PAM fixes In-Reply-To: <20030512052353.A29881@google.com> References: <20030512074716.C76F19428C@shitei.mindrot.org> <20030512052353.A29881@google.com> Message-ID: <3EBF967B.2070704@mindrot.org> Frank Cusack wrote: > On Mon, May 12, 2003 at 05:47:16PM +1000, bugzilla-daemon at mindrot.org wrote: >> http://bugzilla.mindrot.org/show_bug.cgi?id=559 >> ------- Additional Comments From djm at mindrot.org 2003-05-12 17:47 ------- >> >> > - retval = (do_pam_authenticate(0) == PAM_SUCCESS); >> > + retval = (do_pam_authenticate(options.permit_empty_passwd == 0 >> > + ? PAM_DISALLOW_NULL_AUTHTOK >> > + : 0) == PAM_SUCCESS); >> >> Is this still necessary with the CVS -current PAM code? > > Yes, something like it is required, auth-pam.c:213 and 216. > > It looks like if I do kbdint, and have a null password, I will be > authenticated regardless of the setting of permit_empty_password. > > This is just from inspection, not actual testing, but it looks clear. > The only place options.permit_empty_password is checked is in > auth-passwd.c, which isn't in the code path for kbdint. I am not sure whether this is a problem: PermitEmptyPasswords has, so far, been only for PasswordAuthentication. The PAM stuff is IMO separate - one may disable empty passwords by omitting the "nullok" flag to pam_unix.so in the PAM control file. The relnotes and manpage would need to make this clear, of course. -d From fcusack at fcusack.com Mon May 12 22:51:05 2003 
From: fcusack at fcusack.com (Frank Cusack)
Date: Mon, 12 May 2003 05:51:05 -0700
Subject: New PAM code landing (at last)
In-Reply-To: <3EBF4EA4.9000500@mindrot.org>; from djm@mindrot.org on Mon, May 12, 2003 at 05:35:00PM +1000
References: <3EBCC47A.5060104@mindrot.org> <20030511203417.A25524@google.com> <3EBF4EA4.9000500@mindrot.org>
Message-ID: <20030512055105.B29881@google.com>

On Mon, May 12, 2003 at 05:35:00PM +1000, Damien Miller wrote:
> Frank Cusack wrote:
>
> > I don't see what's wrong with the existing code. Especially when you
> > say the new code "will probably break things". Now I have to study
> > this new code and port my bugfixes all over again. :-)
>
> The current PAM kbd-int code is obviously broken, the current PAM
> password auth code only works by making AssUMeptions about the requests
> that PAM is going to make in the conversation function.

ALL (new & old) PAM password auth code must make assumptions; PAM and password auth just aren't 100% compatible. I don't see any major brokenness with the current PAM kbd-int code; nothing so egregious it requires a complete rewrite anyway.

> > - print_pam_messages() doesn't do anything!
> > - sshpam_query() sends the client only one pam prompt at a time;
> > this is explicitly mentioned as wrong in the kbdint draft.
>
> I don't think so - we fill out our reply with as many messages as PAM
> returns to us, if it does it is an error higher up in our kbd-int
> support or in the PAM code itself.

No, you return only one message (at a time) from the conversation to the client. See auth2-chall.c:send_userauth_info_request() and auth-pam.c:sshpam_query(). Specifically, sshpam_query() returns immediately on receipt of a PAM message (from the PAM "thread") requiring interaction. (auth-pam.c:373) And sshpam_respond() explicitly looks for only one response.

Also, send_userauth_info_response() calls back into send_userauth_info_request() until the exchange is complete; this doesn't seem very elegant.
It holds the ssh client/server exchange hostage, which IIRC was one of the things you (openssh guys in general) don't like about the existing PAM code. (I think you just can't get around that.)

Does the new code fork off a new process just to handle the PAM bits? Looks that way. What is the point? You still have to be in lockstep with the PAM conversation.

/fc

From openssh at roumenpetrov.info Mon May 12 23:07:40 2003
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Mon, 12 May 2003 16:07:40 +0300
Subject: x509v3-sign-rsa authentication type...
References: <200304241348.55176.kstef@mtppi.org> <200305081707.22933.kstef@mtppi.org> <3EBB65D5.7020106@roumenpetrov.info> <200305091056.55129.kstef@mtppi.org> <20030509162923.GC7477@folly> <20030509164829.GA5123@folly>
Message-ID: <3EBF9C9C.1010401@roumenpetrov.info>

Maybe the problem is the different implementation of cert. support in ssh.com and SecureCRT.

More about how to compute signatures in OpenSSH:
- "ssh-rsa.c" calls openssl functions:
    EVP_DigestInit(...)
    EVP_DigestUpdate(...)
    EVP_DigestFinal(...)
    RSA_sign(...)
- my patch calls:
    EVP_SignInit(...)
    EVP_SignUpdate(...)
    EVP_SignFinal(...)
- openssl defines:
    #define EVP_SignInit(a,b) EVP_DigestInit(a,b)
    #define EVP_SignUpdate(a,b,c) EVP_DigestUpdate(a,b,c)
  EVP_SignFinal(...) calls EVP_DigestFinal(...), but after this behaves differently.

"ca-bundle.crt" from the modssl project shows that we have the following signature algorithms:
- md2WithRSAEncryption
- md5WithRSAEncryption
- sha1WithRSAEncryption

As I can remember (it was tested before the release of my first version and today I cannot remember the results), your patch may support only "md5 with rsa encryption" but not the other (md2 and sha1) algorithms. As a result we should change the "ssh-rsa.c" code too. The same changes we should do in "ssh-dsa.c". It is simple to have a new method with support for both key types "x509v3-sign-rsa" and "x509v3-sign-dss".

To be sure that my patch supports all cases, "make check" generates certs with the following sign. alg. for rsa and dsa private keys:
- dsaWithSHA1
- md2WithRSAEncryption
- md4WithRSAEncryption
- md5WithRSAEncryption
- ripemd160WithRSA
- sha1WithRSAEncryption
i.e. 12 different certificates: 6 for ssh key type "x509v3-sign-rsa" and 6 for "x509v3-sign-dss".

Note: windows nt4 (service pack ?) has problems with md4 (?)
I can confirm that the SecureCRT windows client can use all 12 combinations as identity key in a session to an OpenSSH server with my patch. SecureCRT cannot accept certificates as hostkey, but this should be tested with new version(s)!

About the ssh.com client I don't have any information.

"ssh-x509.c" is the base/core of my patch. All the rest (distinguished name and x509 store, manual pages, agent) is there to make x509 cert. support in OpenSSH more useful. As an example, "ssh-keygen -f xxx -y" prints a cert. in OpenSSH "pub. key" format, "ssh-add -L" prints the subject (distinguished name), etc.

Markus, can you confirm that your patch is compatible with the ssh.com client at least for certificates with sign. alg. "md2WithRSAEncryption", "md5WithRSAEncryption" and "sha1WithRSAEncryption"?

Markus Friedl wrote:
>oops, here's the patch
>
>On Fri, May 09, 2003 at 06:29:23PM +0200, Markus Friedl wrote:
>>On Fri, May 09, 2003 at 10:56:55AM -0400, Kevin Stefanik wrote:
>>>Sorry to pester, but I'd really like to get interoperability with Windows
>>>clients using certificates in the mainline openssh. Since the heavy lifting
>>>has already been done (and well!), I hope it's possible.
>>
>>i've been using this patch for hostkeys+x509 support.
>>interop with ssh.com's windows client w/o problem.
>>
>>but Roumen sees problems with this approach.

From bugzilla-daemon at mindrot.org Mon May 12 23:59:41 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 12 May 2003 23:59:41 +1000 (EST)
Subject: [Bug 538] Hanging while connecting
Message-ID: <20030512135941.D956A94246@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=538

------- Additional Comments From onu at 29.ca 2003-05-12 23:59 -------
For completeness, I'll mention that I'm probably not suffering from auto-negotiation problems. The NIC is being set to 10Mb/s, half-duplex, as it should.

I discovered only yesterday that downloading files using the wget program is also problematic. Sometimes the download completes, other times not.

I am using a 'stock' Debian kernel, version 2.4.19.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From stuge-openssh-unix-dev at cdy.org Mon May 12 23:50:49 2003
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Mon, 12 May 2003 15:50:49 +0200
Subject: [Ans.]openssh3.5p1 version ... Password aging problem???
In-Reply-To: <3EBF4862.8CEC2368@zip.com.au>
References: <014c01c31843$70e5f520$74f84bdc@skyhawk> <3EBF4862.8CEC2368@zip.com.au>
Message-ID: <20030512135049.GB21130@foo.birdnet.se>

On Mon, May 12, 2003 at 05:08:18PM +1000, Darren Tucker wrote:
> This is a known issue with the current code. Depending on whether or not
> you're using PAM, the bugs (with potential solutions) are:

What is the status on interfacing with the system passwd command for changing passwords? It's only for non-PAM situations, but is it still relevant there? I have tried one way of setting up the "chat scripts" but that failed; I've implemented the skeleton for a second try but have been too busy with other things to finish it for wider testing.

Should I try to finish the prototype ASAP?

These are the current data structures:

struct SYSNAMES systems[]={
    /* name, tag, current script position */
    {"MacOS X 10.2", OSX_10_2, -1},
    {"Linux-PAM", LINUXPAM, -1},
    {NULL,0,0}
};

struct SCRIPT script[]={
    /* system, fd, action, text, usec delay (default:1.5e6) */
    {OSX_10_2, STDERR, EXPECT, "password:",0},
    {OSX_10_2, STDIN, SENDOLD,"\n", 0},
    {OSX_10_2, STDERR, EXPECT, "New password:",0},
    {OSX_10_2, STDIN, SENDNEW,"\n", 0},
    {OSX_10_2, STDERR, EXPECT, "Retype new password:",0},
    {OSX_10_2, STDIN, SENDNEW,"\n", 0},
    {OSX_10_2, STDIN, DONE, NULL, 0},

    {LINUXPAM, STDERR, EXPECT, "password:",0},
    {LINUXPAM, STDIN, SENDOLD,"\n", 0},
    {LINUXPAM, STDERR, EXPECT, "New UNIX password: ",0},
    {LINUXPAM, STDIN, SENDNEW,"\n", 0},
    {LINUXPAM, STDERR, EXPECT, "Retype new UNIX password: ",0},
    {LINUXPAM, STDIN, SENDNEW,"\n", 0},
    {LINUXPAM, STDIN, DONE, NULL, 0},

    {0,0,END,NULL,0}
};

SYSNAMES may only be useful for debugging, I figure it is nice to be able to tell the user which script was used.

To save memory, the script could be chosen/created at compile time.
But it's not a lot of data unless we get lots of different scripts.

My binary implementing this is currently 6384 bytes when strip:ed.

Theory of operation is to weed out systems that have EXPECT lines in the script that do not match data received from passwd; hopefully there is one active system, at DONE, when passwd exits. If no script is finished by the time passwd exits, it's an (as yet) unknown system and we'll need information about that password changing dialogue. If a script reaches DONE while passwd is still running, it will simply be made inactive. There needs to be a timeout here for network directories and such to update though. A couple of seconds should be enough for everybody. ;)

//Peter

From mouring at etoh.eviladmin.org Tue May 13 00:37:11 2003
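Peter's weeding rule, as an added example that is neither his prototype nor any OpenSSH code: the two tables from his message, plus a matcher that feeds chunks of passwd output through them. EXPECT steps are matched as substrings of the chunk (an assumption; the post does not say how the comparison is done), SEND steps need no passwd output and are skipped, and a script that is already at DONE while passwd is still producing output is made inactive, as he describes. The sample prompts used when exercising it are constructed.

```c
#include <string.h>

/* Tags and actions as in the post; fd and usec are kept but unused here. */
enum { OSX_10_2 = 1, LINUXPAM = 2 };
enum { STDIN, STDERR };
enum { EXPECT, SENDOLD, SENDNEW, DONE, END };

struct SYSNAMES { const char *name; int tag; int pos; };
struct SCRIPT   { int system; int fd; int action; const char *text; long usec; };

static struct SYSNAMES systems[] = {
    /* name, tag, current script position (-1 = inactive) */
    {"MacOS X 10.2", OSX_10_2, -1},
    {"Linux-PAM",    LINUXPAM, -1},
    {NULL, 0, 0}
};

static const struct SCRIPT script[] = {
    /* system, fd, action, text, usec delay */
    {OSX_10_2, STDERR, EXPECT,  "password:",                 0},
    {OSX_10_2, STDIN,  SENDOLD, "\n",                        0},
    {OSX_10_2, STDERR, EXPECT,  "New password:",             0},
    {OSX_10_2, STDIN,  SENDNEW, "\n",                        0},
    {OSX_10_2, STDERR, EXPECT,  "Retype new password:",      0},
    {OSX_10_2, STDIN,  SENDNEW, "\n",                        0},
    {OSX_10_2, STDIN,  DONE,    NULL,                        0},

    {LINUXPAM, STDERR, EXPECT,  "password:",                 0},
    {LINUXPAM, STDIN,  SENDOLD, "\n",                        0},
    {LINUXPAM, STDERR, EXPECT,  "New UNIX password: ",       0},
    {LINUXPAM, STDIN,  SENDNEW, "\n",                        0},
    {LINUXPAM, STDERR, EXPECT,  "Retype new UNIX password: ", 0},
    {LINUXPAM, STDIN,  SENDNEW, "\n",                        0},
    {LINUXPAM, STDIN,  DONE,    NULL,                        0},

    {0, 0, END, NULL, 0}
};

/* Index of a system's first script step, or -1 if it has none. */
static int first_step(int tag)
{
    int i;
    for (i = 0; script[i].action != END; i++)
        if (script[i].system == tag)
            return i;
    return -1;
}

/* Steps that write to passwd need no output to match; skip to the next
 * EXPECT or DONE step. */
static int skip_sends(int pos)
{
    while (script[pos].action == SENDOLD || script[pos].action == SENDNEW)
        pos++;
    return pos;
}

/* One chunk of passwd output arrives: every active system must match its
 * pending EXPECT or is weeded out. A system already at DONE while passwd
 * is still talking is made inactive by the same test. */
static void feed(const char *chunk)
{
    struct SYSNAMES *s;
    for (s = systems; s->name != NULL; s++) {
        int p;
        if (s->pos < 0)
            continue;
        p = skip_sends(s->pos);
        if (script[p].action == EXPECT && strstr(chunk, script[p].text) != NULL)
            s->pos = p + 1;
        else
            s->pos = -1;
    }
}

/* Run a whole dialogue: passwd produced nchunks chunks, then exited. Returns
 * the tag of the system sitting at DONE, or 0 if no known script matched. */
int identify_system(const char **chunks, int nchunks)
{
    struct SYSNAMES *s;
    int i;
    for (s = systems; s->name != NULL; s++)
        s->pos = first_step(s->tag);
    for (i = 0; i < nchunks; i++)
        feed(chunks[i]);
    for (s = systems; s->name != NULL; s++)
        if (s->pos >= 0 && script[skip_sends(s->pos)].action == DONE)
            return s->tag;
    return 0;
}
```

Both scripts share their first EXPECT ("password:"), so the decision is only made at the second prompt, where "New password:" is not a substring of "New UNIX password: " and vice versa. Because any output after the last prompt deactivates a finished script, a passwd that prints a confirmation line after the retype prompt would leave no active system under this rule; that is the first case worth checking against real passwd binaries.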
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 12 May 2003 09:37:11 -0500 (CDT) Subject: [Ans.]openssh3.5p1 version ... Password aging problem??? In-Reply-To: <20030512135049.GB21130@foo.birdnet.se> Message-ID: Ugh.. Hell no. I believe the decision has been made to break from RFC and implement password change ala 'ssh1' style. The RFC is just too restrictive. - Ben On Mon, 12 May 2003, Peter Stuge wrote: > On Mon, May 12, 2003 at 05:08:18PM +1000, Darren Tucker wrote: > > This is a known issue with the current code. Depending on whether or not > > you're using PAM, the bugs (with potential solutions) are: > > What is the status on interfacing with the system passwd command for > changing passwords? It's only for non-PAM situations, but is it still > relevant there? I have tried one way of setting up the "chat scripts" but > that failed, I've implemented the skeleton for a second try but have been > too busy with other things to finish it for wider testing. > > Should I try to finish the prototype ASAP? 
> > These are the current data structures: > > struct SYSNAMES systems[]={ > /* name, tag, current script position */ > {"MacOS X 10.2", OSX_10_2, -1}, > {"Linux-PAM", LINUXPAM, -1}, > {NULL,0,0} > }; > > struct SCRIPT script[]={ > /* system, fd, action, text, usec delay (default:1.5e6) */ > {OSX_10_2, STDERR, EXPECT, "password:",0}, > {OSX_10_2, STDIN, SENDOLD,"\n", 0}, > {OSX_10_2, STDERR, EXPECT, "New password:",0}, > {OSX_10_2, STDIN, SENDNEW,"\n", 0}, > {OSX_10_2, STDERR, EXPECT, "Retype new password:",0}, > {OSX_10_2, STDIN, SENDNEW,"\n", 0}, > {OSX_10_2, STDIN, DONE, NULL, 0}, > > {LINUXPAM, STDERR, EXPECT, "password:",0}, > {LINUXPAM, STDIN, SENDOLD,"\n", 0}, > {LINUXPAM, STDERR, EXPECT, "New UNIX password: ",0}, > {LINUXPAM, STDIN, SENDNEW,"\n", 0}, > {LINUXPAM, STDERR, EXPECT, "Retype new UNIX password: ",0}, > {LINUXPAM, STDIN, SENDNEW,"\n", 0}, > {LINUXPAM, STDIN, DONE, NULL, 0}, > > {0,0,END,NULL,0} > }; > > SYSNAMES may only be useful for debugging, I figure it is nice to be able to > tell the user which script was used. > > To save memory, the script could be chosen/created at compile time. But it's > not a lot of data unless we get lots of different scripts. > > My binary implementing this is currently 6384 bytes when strip:ed. > > Theory of operation is to weed out systems that have EXPECT lines in the > script that do not match data received from passwd, hopefully there is one > active system, at DONE, when passwd exits. If no script is finished by the > time passwd exits, it's an (as yet) unknown system and we'll need > information about that password changing dialogue. If a script reaches DONE > while passwd is still running, it will simply be made inactive. There needs > to be a timeout here for network directories and such to update though. A > couple of seconds should be enough for everybody. 
;) > > > //Peter > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From bugzilla-daemon at mindrot.org Tue May 13 00:44:21 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 13 May 2003 00:44:21 +1000 (EST) Subject: [Bug 296] Priv separation does not work on OSF/1 Message-ID: <20030512144421.8A5F1942F2@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=296 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED ------- Additional Comments From mouring at eviladmin.org 2003-05-13 00:44 ------- I would not claim this is a 'fix'. It is hack because the Tru64 SIA implement expects too much. =( But since no one can get a correct solution to work. Then I guess it will end up being the solution... ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue May 13 00:45:38 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 13 May 2003 00:45:38 +1000 (EST) Subject: [Bug 367] patches for Cray port Message-ID: <20030512144538.6C9D194248@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=367 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From mouring at eviladmin.org 2003-05-13 00:45 ------- Cray should be supported as of 2.5 or 2.6 (forgot which) with no special patching required. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From sonnyjz at isc.upenn.edu Tue May 13 00:51:31 2003 
From: sonnyjz at isc.upenn.edu (Sonny J Zambrana)
Date: Mon, 12 May 2003 10:51:31 -0400 (EDT)
Subject: Building Openssh-3.6.1p2 with Darren Tucker's AIX Password Expiry patch
Message-ID:

Hello, as you read by the subject I am trying to compile openssh-3.6.1p2 with the AIX password expiry patch.

Operating system is AIX 4.3 using gcc 2.9-aix43-010414. I am using prngd as my entropy.

My configuration flags are as follows:
--with-prngd-socket=/dev/egd-pool --prefix=/usr/local/openssh

I run into the following errors when I run make:

ld: 0711-317 ERROR: Undefined symbol: .aix_remove_embedded_newlines
ld: 0711-317 ERROR: Undefined symbol: expire_message
ld: 0711-317 ERROR: Undefined symbol: login_message
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
collect2: ld returned 8 exit status
make: 1254-004 The error code from the last command is 1.

I am able to compile and use openssh without the patch. Any ideas?

I am currently not a member of this list so please respond to sonnyjz at admsystems.upenn.edu

Thank you.

- Sonny J Zambrana
Systems Administrator
University Of Pennsylvania

From bugzilla-daemon at mindrot.org Tue May 13 00:53:20 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 13 May 2003 00:53:20 +1000 (EST)
Subject: [Bug 561] Please implement MaxAuthTries
Message-ID: <20030512145320.4D7C394311@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=561

Summary: Please implement MaxAuthTries
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: wmertens at gentoo.org

Hi,

When using Commercial SSH to connect to OpenSSH, it can happen that a user has many keys and this results in a failure to log in due to "Too many authentication failures".

The problem is documented at http://www.tartarus.org/~simon/puttydoc/Chapter10.html#10.5 :

10.5 "Server sent disconnect message type 2 (SSH_DISCONNECT_PROTOCOL_ERROR): "Too many authentication failures for root""

This message is produced by an OpenSSH (or Sun SSH) server if it receives more failed authentication attempts than it is willing to tolerate. This can easily happen if you are using Pageant and have a large number of keys loaded into it. This can be worked around on the server by disabling public-key authentication or (for Sun SSH only) by increasing MaxAuthTries in sshd_config. Neither of these is a really satisfactory solution, and we hope to provide a better one in a future version of PuTTY.

You might not want to implement a MaxAuthTries, but at least something must be done so that broken clients can connect (and asking the user to remove some keys from their agent is not it IMHO).

Thanks!

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Darren.Moffat at Sun.COM Tue May 13 01:41:15 2003
From: Darren.Moffat at Sun.COM (Darren J Moffat)
Date: Mon, 12 May 2003 08:41:15 -0700 (PDT)
Subject: [Bug 559] PAM fixes
In-Reply-To: <3EBF967B.2070704@mindrot.org>
References: <20030512074716.C76F19428C@shitei.mindrot.org> <20030512052353.A29881@google.com> <3EBF967B.2070704@mindrot.org>
Message-ID:

On Mon, 12 May 2003, Damien Miller wrote:
> The PAM stuff is IMO separate - one may disable empty passwords by
> omitting the "nullok" flag to pam_unix.so in the PAM control file.

That is an argument specific to one vendor's implementation of a specific module. There is not (and probably should not be) any standardization of the arguments modules take. Some vendors may choose to standardize options across modules they implement but it is certainly not required.

--
Darren J Moffat

From bugzilla-daemon at mindrot.org Tue May 13 02:01:36 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 13 May 2003 02:01:36 +1000 (EST)
Subject: [Bug 562] sshd and password has expired (password aged)
Message-ID: <20030512160136.1264F9424B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=562

Summary: sshd and password has expired (password aged)
Product: Portable OpenSSH
Version: 3.6.1p1
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: serg at bspb.ru

After upgrading openssh from 3.1p to 3.6.1p with option:
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ipv4-default --with-pam
I can't login with ssh (but still can connect with telnet) and received this message in /var/log/secure:
PAM rejected by account configuration[12]: Authentication token is no longer valid; new one required.

If I configure without PAM
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ipv4-default --without-pam
then the message is:
User test_user password has expired (password aged)

Help me please, this is very important.
Thanks

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From nik at zurich.ibm.com Tue May 13 02:07:28 2003
From: nik at zurich.ibm.com (Michael Niksch) Date: Mon, 12 May 2003 18:07:28 +0200 Subject: Patch logging comment field of authorized key being used Message-ID: <10305121807.ZM33988@zurich.ibm.com> In order to comply with our internal security guidelines, we created a patch on top of openssh-3.6.1p2. With that patch, if sshd sets up a session based on key authentication, it logs to syslog which one of the keys in authorized_keys or authorized_keys2 is actually being used. The patch logs the key comment (typically the key owner's email address) as well as the name of the file containing the key. The original code preserves similar information only for protocol 2, and it does so only in verbose/debug mode, and only in the form of line number/key fingerprint. The patch is attached as patch-z.txt. It is pretty trivial, but probably useful for many others, too. WE'D LIKE TO SUGGEST THAT THE PATCH BE INCORPORATED INTO THE OpenSSH SOURCE TREE. -- Michael Niksch /Zurich/IBM @ IBMCH IBM Zurich Research Laboratory nik at zurich.ibm.com Saeumerstrasse 4 http://www.zurich.ibm.com/~nik/ CH-8803 Rueschlikon / Switzerland P: +41-1-724-8913 F: +41-1-724-8080 -------------- next part -------------- *** auth-rsa.c.orig Tue Jun 11 17:47:42 2002 --- auth-rsa.c Thu May 8 14:43:33 2003 *************** *** 257,266 **** --- 257,270 ---- */ if (!auth_parse_options(pw, options, file, linenum)) continue; /* break out, this key is allowed */ + /* Log matching key's comment after stripping '\n'. */ + if ( strlen(cp) && ( cp[strlen(cp)-1] == '\n' ) ) + cp[strlen(cp)-1] = '\0'; + log("Authorized key '%s' in %s", cp, file); allowed = 1; break; } /* Restore the privileged uid. */ *** auth2-pubkey.c.orig Thu Jun 6 22:27:56 2002 --- auth2-pubkey.c Thu May 8 17:08:43 2003 *************** *** 237,246 **** --- 237,253 ---- } } if (key_equal(found, key) && auth_parse_options(pw, options, file, linenum) == 1) { found_key = 1; + /* Skip remaining whitespace. 
*/ + for (; *cp == ' ' || *cp == '\t'; cp++) + ; + /* Log matching key's comment after stripping '\n'. */ + if ( strlen(cp) && ( cp[strlen(cp)-1] == '\n' ) ) + cp[strlen(cp)-1] = '\0'; + log("Authorized key '%s' in %s", cp, file); debug("matching key found: file %s, line %lu", file, linenum); fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); verbose("Found matching %s key: %s", key_type(found), fp); From bugzilla-daemon at mindrot.org Tue May 13 02:23:19 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 13 May 2003 02:23:19 +1000 (EST) Subject: [Bug 553] configure fails to acknowledge availability of utimes() Message-ID: <20030512162319.2F2C2942CD@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=553 pere at hungry.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |pere at hungry.com ------- Additional Comments From pere at hungry.com 2003-05-13 02:23 ------- I see the same problem on HP/UX 11.00 on parisc and 11.22 on ia64 using the native compiler. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue May 13 04:20:44 2003 
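Review bot: the auth2-pubkey.c hunk skips leading whitespace before the comment (`for (; *cp == ' ' || *cp == '\t'; cp++)`) but the auth-rsa.c hunk logs `cp` as-is, so the same key file yields differently formatted log lines for protocol 1 and protocol 2; apply the same skip in auth-rsa.c. Both hunks strip only a trailing '\n', so an authorized_keys file with CRLF line endings logs a trailing '\r'; strip '\r' too. More important, `log("Authorized key '%s' in %s", cp, file)` writes text from a user-writable file to syslog at the default level without escaping it; run the comment through strnvis() (or equivalent non-printable escaping) first so a comment carrying control or terminal escape sequences cannot corrupt the log. Finally, since the existing `debug("matching key found: file %s, line %lu", file, linenum)` already identifies the key unambiguously by line, consider logging the line number alongside the comment, which stays useful when two keys carry the same comment.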
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 13 May 2003 04:20:44 +1000 (EST)
Subject: [Bug 563] getaddrinfo() in libopenbsd-compat.a breaks heimdal-linked pam_krb5
Message-ID: <20030512182044.E55AB94207@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=563

Summary: getaddrinfo() in libopenbsd-compat.a breaks heimdal-linked pam_krb5
Product: Portable OpenSSH
Version: -current
Platform: Sparc
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: Miscellaneous
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: buckh at pobox.com

i realize that fake-getaddrinfo.c says, ``Don't use it for another purpose,'' but if getaddrinfo can't be renamed then stuff like this is inevitable, and i think it might not just be me so i wanted to point it out:

heimdal uses the getaddrinfo()-returned ai_protocol, ai_socktype and ai_protocol in its socket() call in send_to_kdc(), after passing in the desired ai_socktype in hints->ai_socktype. on Solaris 2.6, there's no getaddrinfo(), so heimdal builds this into its libroken and ssh builds this into libopenbsd-compat. when sshd goes to use pam_krb5 for keyboard-interactive, the pam_krb5 calls to heimdal's libkrb5 result in libopenbsd-compat's getaddrinfo() getting called, which always returns a struct addrinfo with ai_socktype == ai_protocol == 0, and socket() buys an EPROTOTYPE:

send_to_kdc.c:
    ret = krb5_krbhst_get_addrinfo(context, hi, &ai);
    if (ret)
        continue;
    for (a = ai; a != NULL; a = a->ai_next) {
        fd = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
        if (fd < 0)
            continue;

truss says:
so_socket(2, 0, 0, 0x00000000, 1) Err#98 EPROTOTYPE
0x00000000: ""

(i have to admit i have absolutely no idea where it's getting ai_family from, if that's what that first parameter is)

it would be nice if maybe libopenbsd-compat's getaddrinfo copied ai_family, ai_socktype and ai_protocol to the returned struct addrinfo's.
yes, i admit, we need to upgrade

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue May 13 04:21:30 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 13 May 2003 04:21:30 +1000 (EST)
Subject: [Bug 561] Please implement MaxAuthTries
Message-ID: <20030512182130.7C37A94256@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=561

------- Additional Comments From markus at openbsd.org 2003-05-13 04:21 -------
we just changed the openssh client to try the agent key in order of preference (instead of randomly), but this only helps for openssh clients....

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue May 13 04:23:18 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 13 May 2003 04:23:18 +1000 (EST)
Subject: [Bug 448] ssh ignores key specified with -i if agent is running
Message-ID: <20030512182318.32D269425B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=448

------- Additional Comments From markus at openbsd.org 2003-05-13 04:23 -------
for pubkey authentication try the user keys in the following order:
1. agent keys that are found in the config file
2. other agent keys
3. keys that are only listed in the config file

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From jason at devrandom.org Tue May 13 05:26:25 2003
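The fix the reporter asks for in bug 563, as an added example that is taken neither from OpenSSH's fake-getaddrinfo.c nor from heimdal: a toy getaddrinfo() stand-in that resolves only IPv4 literals (so it runs offline), with a switch to leave ai_socktype/ai_protocol at zero (the reported behaviour) or to copy them from the hints (the requested fix), and a caller that does with the result what send_to_kdc() does. The address 192.0.2.10, port 88 and the UDP hints are constructed; the function names are this example's own.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Toy stand-in for a compatibility getaddrinfo(). Resolves only a dotted-quad
 * IPv4 literal (no DNS). copy_hints == 0 leaves ai_socktype and ai_protocol at
 * 0, the behaviour bug 563 reports; copy_hints != 0 copies them from the
 * hints, the requested fix. Returns NULL on bad input or allocation failure.
 */
struct addrinfo *
compat_getaddrinfo_v4(const char *ipv4_literal, unsigned short port,
    const struct addrinfo *hints, int copy_hints)
{
    struct addrinfo *ai = calloc(1, sizeof(*ai));
    struct sockaddr_in *sin = calloc(1, sizeof(*sin));

    if (ai == NULL || sin == NULL ||
        inet_pton(AF_INET, ipv4_literal, &sin->sin_addr) != 1) {
        free(ai);
        free(sin);
        return NULL;
    }
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);
    ai->ai_family = AF_INET;        /* the "2" in the reporter's truss line */
    ai->ai_addr = (struct sockaddr *)sin;
    ai->ai_addrlen = sizeof(*sin);
    if (copy_hints && hints != NULL) {
        /* The fix: hand back what the caller asked for, because it feeds
         * these two fields straight into socket(). */
        ai->ai_socktype = hints->ai_socktype;
        ai->ai_protocol = hints->ai_protocol;
    }
    return ai;
}

void
compat_freeaddrinfo_v4(struct addrinfo *ai)
{
    if (ai != NULL) {
        free(ai->ai_addr);
        free(ai);
    }
}

/*
 * What send_to_kdc() does with a result: socket() on the three fields.
 * Returns 0 if a socket could be created (it is closed again at once), -1 if
 * socket() rejected the triple (EPROTOTYPE on Solaris, EINVAL on Linux for
 * a zero type).
 */
int
socket_from_addrinfo(const struct addrinfo *ai)
{
    int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);

    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/*
 * Whole scenario for a UDP KDC lookup (constructed hints): returns the
 * ai_socktype the caller gets back, or -1 if the lookup failed.
 */
int
lookup_socktype(const char *ipv4_literal, int copy_hints)
{
    struct addrinfo hints, *ai;
    int socktype;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_DGRAM;     /* what heimdal asks for */
    hints.ai_protocol = IPPROTO_UDP;
    ai = compat_getaddrinfo_v4(ipv4_literal, 88, &hints, copy_hints);
    if (ai == NULL)
        return -1;
    socktype = ai->ai_socktype;
    compat_freeaddrinfo_v4(ai);
    return socktype;
}
```

With copy_hints off the caller receives (AF_INET, 0, 0), and socket() refuses it on every platform, which is the so_socket(2, 0, 0, ...) failure in the truss output; with copy_hints on the same caller gets the SOCK_DGRAM/IPPROTO_UDP socket it asked for. A real compatibility getaddrinfo() should also honour ai_family and ai_flags from the hints and report unsupported combinations through its own error codes rather than leaving callers to discover them at socket() time.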
From: jason at devrandom.org (Jason McCormick)
Date: Mon, 12 May 2003 15:26:25 -0400
Subject: ssh-agent asking for passphrase on non-keyed connections
Message-ID: <200305121526.25961.jason@devrandom.org>

I'm running into some odd behavior that I can't figure out that I'm hoping someone can help me with. After years of SSH usage, I've decided to exchange one laziness for another and use ssh-agent. However I'm running into an odd instance where ssh is asking for the passphrase to my key stored in ~/.ssh/id_dsa when attempting to connect to a machine with nothing in ~/.ssh/authorized_keys and the key properly active in ssh-agent. For example:

[user at host ~]$ ssh user at foo
Last login: Mon May 12 15:06:33 2003 from host
[user at foo ~]$

Never asks for a passphrase and I'm logged in perfectly. However now if I ssh to root on the same box (with no /root/.ssh/authorized_keys) I'm prompted for the passphrase for my key and then prompted for the password for root. For example:

[user at host ~]$ ssh root at foo
Enter passphrase for key '/home/user/.ssh/id_dsa':
root at foo's password:
Last login: Tue May 6 11:44:59 2003 from host
[root at foo root]#

After talking with Ben, I was under the impression that the correct/desired behavior is that I would only be prompted for the root at foo password. Any thoughts or suggestions on this? I didn't see anything in the FAQ or mailing list about this so I'm assuming I have a configuration glitch somewhere.

--
Jason

From wendyp at cray.com Tue May 13 05:31:32 2003
From: wendyp at cray.com (Wendy Palm) Date: Mon, 12 May 2003 14:31:32 -0500 Subject: [Bug 367] patches for Cray port References: <20030512144538.6C9D194248@shitei.mindrot.org> Message-ID: <3EBFF694.3050308@cray.com> actually, that's not true. i've found i mis-tested and the deattack.c patch is still needed for protocol 2- # diff -c deattack.c.orig deattack.c *** deattack.c.orig Mon May 12 14:30:14 2003 --- deattack.c Fri May 2 13:04:56 2003 *************** *** 101,111 **** --- 101,119 ---- if (h == NULL) { debug("Installing crc compensation attack detector."); n = l; + #ifdef _UNICOS + h = (u_int16_t *) xmalloc(n * sizeof(u_int16_t)); + #else h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE); + #endif /* _UNICOS */ } else { if (l > n) { n = l; + #ifdef _UNICOS + h = (u_int16_t *) xrealloc(h, n * sizeof(u_int16_t)); + #else h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE); + #endif /* _UNICOS */ } } *************** *** 129,135 **** --- 137,147 ---- return (DEATTACK_OK); } + #ifdef _UNICOS + for (i=0; i http://bugzilla.mindrot.org/show_bug.cgi?id=367 > > mouring at eviladmin.org changed: > > What |Removed |Added > ---------------------------------------------------------------------------- > Status|NEW |RESOLVED > Resolution| |FIXED > > > > ------- Additional Comments From mouring at eviladmin.org 2003-05-13 00:45 ------- > Cray should be supported as of 2.5 or 2.6 (forgot which) with no special > patching required. > > > > ------- You are receiving this mail because: ------- > You are the assignee for the bug, or are watching the assignee. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From listz at hate.cx Tue May 13 06:23:13 2003 
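Review bot: the two hunks at `*** 101,111 ****` replace `n * HASH_ENTRYSIZE` with `n * sizeof(u_int16_t)` under `#ifdef _UNICOS`, which only makes a difference if HASH_ENTRYSIZE and sizeof(u_int16_t) are not equal on that platform; since h is a u_int16_t array in both branches, the unpatched xmalloc()/xrealloc() calls under-allocate the table wherever the two differ, and the less error-prone fix is to make HASH_ENTRYSIZE itself sizeof(u_int16_t) (or to allocate with `n * sizeof(*h)`) unconditionally, so that every allocation stays in step with the element type and no per-call `#ifdef _UNICOS` duplication is needed. The third hunk at `*** 129,135 ****` is cut off in the archived message right after `for (i=0; i`, so its loop body cannot be reviewed here; please resend that part.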
From: listz at hate.cx (listz at hate.cx)
Date: Mon, 12 May 2003 14:23:13 -0600
Subject: OpenSSH-3.6.1p2 PAM Problems
Message-ID: <20030512202313.GA15578@chaos.enmity.org>

recently we upgraded a bunch of systems to OpenSSH-3.6.1p2. a lot of our systems have automated logins for backups or systems checks with ssh-keys, but (i think) as a result of the Openwall/Solar Designer patch, pam_tally is incrementing off the scales. pam_tally is tallying failed logins for keyed-only accounts: attempts are made to authenticate those accounts via password authentication before using keys. i'm not a coder so i don't have a fix, but i don't think it should be that hard to fix. any ideas?

::[ RFC 2795 ]::
"Democracy means simply the bludgeoning of the people by the people for the people." -Oscar Wilde

From fcusack at fcusack.com Tue May 13 06:55:42 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Mon, 12 May 2003 13:55:42 -0700
Subject: OpenSSH-3.6.1p2 PAM Problems
In-Reply-To: <20030512202313.GA15578@chaos.enmity.org>; from listz@hate.cx on Mon, May 12, 2003 at 02:23:13PM -0600
References: <20030512202313.GA15578@chaos.enmity.org>
Message-ID: <20030512135542.A30253@google.com>

http://bugzilla.mindrot.org/show_bug.cgi?id=559

On Mon, May 12, 2003 at 02:23:13PM -0600, listz at hate.cx wrote:
> recently we upgraded a bunch of systems to OpenSSH-3.6.1p2. a lot of our systems
> have automated logins for backups or systems checks with ssh-keys, but (i think)
> as a result of the Openwall/Solar Designer patch, pam_tally is incrementing off
> the scales. pam_tally is tallying failed logins for keyed-only accounts:
> attempts are made to authenticate those accounts via password authentication
> before using keys. i'm not a coder so i don't have a fix, but i don't think it
> should be that hard to fix. any ideas?

From dtucker at zip.com.au Tue May 13 09:47:46 2003
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 13 May 2003 09:47:46 +1000 Subject: Building Openssh-3.6.1p2 with Darren Tucker's AIX Password Expirypatch References: Message-ID: <3EC032A2.8508882D@zip.com.au> Sonny J Zambrana wrote: [snip] > I run into the following errors when I run make: > ld: 0711-317 ERROR: Undefined symbol: .aix_remove_embedded_newlines > ld: 0711-317 ERROR: Undefined symbol: expire_message > ld: 0711-317 ERROR: Undefined symbol: login_message > ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more > information. > collect2: ld returned 8 exit status > make: 1254-004 The error code from the last command is 1. I'm guessing you compiled it, patched it, then re-ran "make". I think all you need to do is "make clean && make" -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From bugzilla-daemon at mindrot.org Tue May 13 09:55:21 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 13 May 2003 09:55:21 +1000 (EST) Subject: [Bug 562] sshd and password has expired (password aged) Message-ID: <20030512235521.E90B09424E@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=562 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |DUPLICATE ------- Additional Comments From dtucker at zip.com.au 2003-05-13 09:55 ------- Also see bug #14 for non-PAM password expiry. *** This bug has been marked as a duplicate of 423 *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue May 13 09:55:23 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 13 May 2003 09:55:23 +1000 (EST) Subject: [Bug 423] Workaround for pw change in privsep mode (3.5.p1) Message-ID: <20030512235523.C392E942CA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=423 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |serg at bspb.ru ------- Additional Comments From dtucker at zip.com.au 2003-05-13 09:55 ------- *** Bug 562 has been marked as a duplicate of this bug. *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue May 13 10:26:04 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 13 May 2003 10:26:04 +1000 (EST) Subject: [Bug 553] configure fails to acknowledge availability of utimes() Message-ID: <20030513002604.C24CA9424E@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=553 ------- Additional Comments From dtucker at zip.com.au 2003-05-13 10:26 ------- Created an attachment (id=291) --> (http://bugzilla.mindrot.org/attachment.cgi?id=291&action=view) configure from 3.6.1p2 rebuilt with autoconf-2.57a Updated configure, just replace configure from 3.6.1p2 then "make distclean && ./configure && make". This works for me (11.00 w/gcc), I'd be interested in other versions/configurations. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue May 13 10:44:55 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 13 May 2003 10:44:55 +1000 (EST) Subject: [Bug 563] getaddrinfo() in libopenbsd-compat.a breaks heimdal-linked pam_krb5 Message-ID: <20030513004455.517CF942D4@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=563 ------- Additional Comments From djm at mindrot.org 2003-05-13 10:44 ------- Does rebuilding after: LIBS='-lbroken' ./configure help? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue May 13 10:46:36 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 13 May 2003 10:46:36 +1000 (EST) Subject: [Bug 448] ssh ignores key specified with -i if agent is running Message-ID: <20030513004636.E41C5942D4@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=448 ------- Additional Comments From djm at mindrot.org 2003-05-13 10:46 ------- FYI it is common to do: IdentityFile none in one's ~/.ssh/ssh_config to turn off searching of non-agent key files. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue May 13 10:46:54 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 13 May 2003 10:46:54 +1000 (EST) Subject: [Bug 448] ssh ignores key specified with -i if agent is running Message-ID: <20030513004654.86E8994309@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=448 ------- Additional Comments From djm at mindrot.org 2003-05-13 10:46 ------- oops, wrong bug ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From djm at mindrot.org Tue May 13 10:49:10 2003 
From: djm at mindrot.org (Damien Miller) Date: Tue, 13 May 2003 10:49:10 +1000 Subject: [Bug 367] patches for Cray port In-Reply-To: <3EBFF694.3050308@cray.com> References: <20030512144538.6C9D194248@shitei.mindrot.org> <3EBFF694.3050308@cray.com> Message-ID: <3EC04106.5070407@mindrot.org> Wendy Palm wrote: > actually, that's not true. i've found i mis-tested and the deattack.c patch > is still needed for protocol 2- That patch looks over-complicated. Does this one work? Index: deattack.c =================================================================== RCS file: /var/cvs/openssh/deattack.c,v retrieving revision 1.15 diff -u -r1.15 deattack.c --- deattack.c 5 Mar 2002 01:53:05 -0000 1.15 +++ deattack.c 13 May 2003 00:49:03 -0000 @@ -33,7 +33,7 @@ /* Hashing constants */ #define HASH_MINSIZE (8 * 1024) -#define HASH_ENTRYSIZE (2) +#define HASH_ENTRYSIZE (sizeof(u_int16_t)) #define HASH_FACTOR(x) ((x)*3/2) #define HASH_UNUSEDCHAR (0xff) #define HASH_UNUSED (0xffff) From djm at mindrot.org Tue May 13 10:50:55 2003 
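Review bot: this fixes the xmalloc()/xrealloc() sizing, since the table is an array of u_int16_t and the literal 2 only matched that on platforms where the type is two bytes wide, but it does not touch the memset() that fills the table with HASH_UNUSEDCHAR, and a byte fill only produces HASH_UNUSED (0xffff) in each entry when u_int16_t is exactly two 8-bit bytes. On a target where sizeof(u_int16_t) is larger the entries get the right number of bytes but compare unequal to HASH_UNUSED, so pair this with a per-entry loop (for (i = 0; i < n; i++) h[i] = HASH_UNUSED;) in place of the memset() and the _UNICOS conditionals in the other patch can all go.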
From: djm at mindrot.org (Damien Miller) Date: Tue, 13 May 2003 10:50:55 +1000 Subject: [Bug 559] PAM fixes In-Reply-To: References: <20030512074716.C76F19428C@shitei.mindrot.org> <20030512052353.A29881@google.com> <3EBF967B.2070704@mindrot.org> Message-ID: <3EC0416F.7030501@mindrot.org> Darren J Moffat wrote: > On Mon, 12 May 2003, Damien Miller wrote: > >> The PAM stuff is IMO separate - one may disable empty passwords by >> omitting the "nullok" flag to pam_unix.so in the PAM control file. > > That is an argument specific to one vendor's implementation of a specific module. > There is (and probably should not be) any standardization of the arguments > modules take. Some vendors may choose to standardize options across modules > they implement but it is certainly not required. Ok, but the point was that control over the behaviour of PAM modules and what they accept should be done in the PAM control file and not in sshd_config. -d From mouring at etoh.eviladmin.org Tue May 13 11:51:47 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 12 May 2003 20:51:47 -0500 (CDT) Subject: [Bug 367] patches for Cray port In-Reply-To: <3EC04106.5070407@mindrot.org> Message-ID: On Tue, 13 May 2003, Damien Miller wrote: > Wendy Palm wrote: > > actually, that's not true. i've found i mis-tested and the deattack.c patch > > is still needed for protocol 2- > > That patch looks over-complicated. Does this one work? > > Index: deattack.c > =================================================================== > RCS file: /var/cvs/openssh/deattack.c,v > retrieving revision 1.15 > diff -u -r1.15 deattack.c > --- deattack.c 5 Mar 2002 01:53:05 -0000 1.15 > +++ deattack.c 13 May 2003 00:49:03 -0000
> @@ -33,7 +33,7 @@ > > /* Hashing constants */ > #define HASH_MINSIZE (8 * 1024) > -#define HASH_ENTRYSIZE (2) > +#define HASH_ENTRYSIZE (sizeof(u_int16_t)) > #define HASH_FACTOR(x) ((x)*3/2) > #define HASH_UNUSEDCHAR (0xff) > #define HASH_UNUSED (0xffff) > > Solves half the problem.. Quote from my archives from Wendy: i just gave it a try. replacing the 2 sections mentioned above with the # define HASH_ENTRYSIZE sizeof(u_int16_t) seems to work fine. however, the memset still doesn't work for a cray, so that needs to be left as the for loop. cray has 64 bit ints, so if HASH_UNUSED is 0xffff, then shift it 8 ends up with 0xff, which is the same as HASH_UNUSEDCHAR. so i see that really the for loop should be #ifdef _UNICOS for (i=0; i http://bugzilla.mindrot.org/show_bug.cgi?id=563 buckh at pobox.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org ------- Additional Comments From buckh at pobox.com 2003-05-13 13:17 ------- perhaps. i'll try modifying configure.ac and acconfig.h to get included also, if configure can find em, and let you know if it works. for my purposes, i was content to just rename getaddrinfo in fake-getaddrinfo.c and kludge up fake-getaddrinfo.h: #ifndef HAVE_GETADDRINFO #define getaddrinfo fake_getaddrinfo int fake_getaddrinfo( . . . ) #endif don't know how many other libroken functions i'll pick up if i configure it in and if some of them might be less unbroken than libopenbsd-compat versions. maybe i should just see if i can port GNU libc . . . thanks for the help ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue May 13 13:27:51 2003 
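The deattack.c hash-table discussion above (Wendy's context diff, Damien's HASH_ENTRYSIZE change and Ben's note on the memset, bug 367) comes down to two portability assumptions: that a u_int16_t is two bytes and that memset() with a byte value leaves HASH_UNUSED in each entry. The following is an added example, not OpenSSH's deattack.c: a stripped-down duplicate-block detector built along the same lines (a CRC-indexed table of block numbers with HASH_UNUSED as the empty marker) that sizes the table from the element type and fills it with a loop, so neither assumption is needed. The CRC-32 routine, the sample packets and the function names are the example's own; the real detector also verifies the CRC-32 compensation property of a repeated block, which is omitted here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SSH_BLOCKSIZE    8
#define HASH_MINSIZE     (8 * 1024)
#define HASH_ENTRYSIZE   (sizeof(uint16_t))   /* never a literal 2 */
#define HASH_FACTOR(x)   ((x) * 3 / 2)
#define HASH_UNUSED      (0xffff)

#define DEATTACK_OK       0
#define DEATTACK_DETECTED 1

/* Bitwise CRC-32 (IEEE polynomial) of one block, used only as the hash;
 * table-free so the example stays self-contained. */
static uint32_t crc32_block(const unsigned char *p)
{
    uint32_t crc = 0xffffffffu;
    for (int i = 0; i < SSH_BLOCKSIZE; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xedb88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Scan buf for an SSH_BLOCKSIZE block that repeats an earlier one.
 * Returns DEATTACK_DETECTED on the first repeat, DEATTACK_OK if none,
 * -1 if the input is too large for 16-bit block indices or on ENOMEM. */
int detect_repeated_block(const unsigned char *buf, size_t len)
{
    size_t blocks = len / SSH_BLOCKSIZE;
    if (blocks >= HASH_UNUSED)      /* keep HASH_UNUSED free as the sentinel */
        return -1;

    size_t n = HASH_MINSIZE / HASH_ENTRYSIZE;   /* 4096 entries, power of two */
    while (n < HASH_FACTOR(blocks))
        n <<= 2;

    uint16_t *h = malloc(n * sizeof(*h));       /* sized by the element type */
    if (h == NULL)
        return -1;
    /* Fill loop instead of memset(): correct whatever CHAR_BIT and
     * sizeof(uint16_t) turn out to be on the target. */
    for (size_t i = 0; i < n; i++)
        h[i] = HASH_UNUSED;

    int rc = DEATTACK_OK;
    for (size_t b = 0; b < blocks; b++) {
        const unsigned char *c = buf + b * SSH_BLOCKSIZE;
        size_t i = crc32_block(c) & (n - 1);
        /* Linear probing; on a hash hit, compare the block bytes themselves. */
        for (; h[i] != HASH_UNUSED; i = (i + 1) & (n - 1)) {
            if (memcmp(buf + (size_t)h[i] * SSH_BLOCKSIZE, c, SSH_BLOCKSIZE) == 0) {
                rc = DEATTACK_DETECTED;
                goto out;
            }
        }
        h[i] = (uint16_t)b;
    }
out:
    free(h);
    return rc;
}

/* Constructed sample packets: eight distinct blocks, and the same data
 * with block 0 copied over block 5. */
int demo_unique(void)
{
    unsigned char buf[8 * SSH_BLOCKSIZE];
    for (size_t i = 0; i < sizeof buf; i++)
        buf[i] = (unsigned char)i;
    return detect_repeated_block(buf, sizeof buf);
}

int demo_repeated(void)
{
    unsigned char buf[8 * SSH_BLOCKSIZE];
    for (size_t i = 0; i < sizeof buf; i++)
        buf[i] = (unsigned char)i;
    memcpy(buf + 5 * SSH_BLOCKSIZE, buf, SSH_BLOCKSIZE);
    return detect_repeated_block(buf, sizeof buf);
}
```

The table is always at least 1.5 times the block count and a power of two, so the probe loop always reaches an unused slot; the 16-bit index type is why inputs of HASH_UNUSED blocks or more are refused up front rather than silently wrapping.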
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 13 May 2003 13:27:51 +1000 (EST) Subject: [Bug 559] PAM fixes Message-ID: <20030513032751.AA86E94237@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=559 fcusack at fcusack.com changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #289 is|0 |1 obsolete| | ------- Additional Comments From fcusack at fcusack.com 2003-05-13 13:27 ------- Created an attachment (id=292) --> (http://bugzilla.mindrot.org/attachment.cgi?id=292&action=view) revised PAM patch revised patches based on djm comments ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From fcusack at fcusack.com Tue May 13 13:34:08 2003 From: fcusack at fcusack.com (Frank Cusack) Date: Mon, 12 May 2003 20:34:08 -0700 Subject: bugzilla global email prefs don't work? Message-ID: <20030512203408.A31180@google.com> On the bugzilla.mindrot.org user prefs page, email settings tab, I have 'Only email me reports of changes made by other people' checked. Yet I receive email reports of changes to bugs that I myself make. Is this a bugzilla bug or do I need to change something else? thanks /fc From djm at mindrot.org Tue May 13 13:42:47 2003 
From: djm at mindrot.org (Damien Miller) Date: Tue, 13 May 2003 13:42:47 +1000 Subject: bugzilla global email prefs don't work? In-Reply-To: <20030512203408.A31180@google.com> References: <20030512203408.A31180@google.com> Message-ID: <3EC069B7.1040904@mindrot.org> Frank Cusack wrote: > On the bugzilla.mindrot.org user prefs page, email settings tab, I have > 'Only email me reports of changes made by other people' checked. Yet > I receive email reports of changes to bugs that I myself make. > > Is this a bugzilla bug or do I need to change something else? Remember that a copy is always Cc'd to the mailing list. -d From mouring at etoh.eviladmin.org Tue May 13 13:41:27 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 12 May 2003 22:41:27 -0500 (CDT) Subject: [Bug 559] PAM fixes In-Reply-To: <20030513032751.AA86E94237@shitei.mindrot.org> Message-ID: [..] + * REDACTED + */ + if (!options.password_authentication || !options.permit_empty_passwd) + return(0); Check to ensure you're not leaking account information via timing attacks by re-adding this. - Ben On Tue, 13 May 2003 bugzilla-daemon at mindrot.org wrote: > http://bugzilla.mindrot.org/show_bug.cgi?id=559 > > fcusack at fcusack.com changed: > > What |Removed |Added > ---------------------------------------------------------------------------- > Attachment #289 is|0 |1 > obsolete| | > > > > ------- Additional Comments From fcusack at fcusack.com 2003-05-13 13:27 ------- > Created an attachment (id=292) > --> (http://bugzilla.mindrot.org/attachment.cgi?id=292&action=view) > revised PAM patch > > revised patches based on djm comments > > > > ------- You are receiving this mail because: ------- > You are the assignee for the bug, or are watching the assignee. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From fcusack at fcusack.com Tue May 13 13:59:23 2003
From: fcusack at fcusack.com (Frank Cusack) Date: Mon, 12 May 2003 20:59:23 -0700 Subject: bugzilla global email prefs don't work? In-Reply-To: <3EC069B7.1040904@mindrot.org>; from djm@mindrot.org on Tue, May 13, 2003 at 01:42:47PM +1000 References: <20030512203408.A31180@google.com> <3EC069B7.1040904@mindrot.org> Message-ID: <20030512205923.B31180@google.com> On Tue, May 13, 2003 at 01:42:47PM +1000, Damien Miller wrote: > Frank Cusack wrote: > > On the bugzilla.mindrot.org user prefs page, email settings tab, I have > > 'Only email me reports of changes made by other people' checked. Yet > > I receive email reports of changes to bugs that I myself make. > > > > Is this a bugzilla bug or do I need to change something else? > > Remember that a copy is always Cc'd to the mailing list. Right. I get two copies, the one to the list, and one to myself. (And they are not the same email, they are two independently generated emails.) /fc From fcusack at fcusack.com Tue May 13 14:01:47 2003 From: fcusack at fcusack.com (Frank Cusack) Date: Mon, 12 May 2003 21:01:47 -0700 Subject: [Bug 559] PAM fixes In-Reply-To: ; from mouring@etoh.eviladmin.org on Mon, May 12, 2003 at 10:41:27PM -0500 References: <20030513032751.AA86E94237@shitei.mindrot.org> Message-ID: <20030512210147.C31180@google.com> On Mon, May 12, 2003 at 10:41:27PM -0500, Ben Lindstrom wrote: > > [..] > + * REDACTED > + */ > + if (!options.password_authentication || !options.permit_empty_passwd) > + return(0); > > Check to ensure you're not leaking account information via timing attacks by > re-adding this. That is a good point, would some interested folks please give that a review? I don't think it leaks account information, because the behavior is the same for accounts that exist and accounts that don't exist. The only difference in timing is based on sshd's option settings. /fc From larsch at trustcenter.de Tue May 13 18:38:56 2003
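Ben's question about timing and Frank's reply turn on whether an early return for a user that does not exist answers faster than the full password check does for a user that does. As an added example (not OpenSSH's auth code), here is the shape of that leak next to the usual fix: look the user up, and if the lookup fails still run the expensive verification against a dummy hash, so both paths do the same work and the lookup result is folded in only afterwards. The user table, the slow hash standing in for crypt()/PAM, and the call counter that makes the difference observable without a stopwatch are all constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define ROUNDS 20000

struct user { const char *name; uint64_t pwhash; };

static unsigned long hash_calls;   /* counts the expensive step; stands in for a timer */

/* Deliberately slow, iterated FNV-1a; a stand-in for crypt()/PAM verification. */
static uint64_t slow_hash(const char *s)
{
    uint64_t h = 0xcbf29ce484222325ull;
    for (int r = 0; r < ROUNDS; r++)
        for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
            h ^= *p;
            h *= 0x100000001b3ull;
        }
    hash_calls++;
    return h;
}

/* Constant-time 64-bit comparison: no early exit on the first differing bit. */
static int hash_eq(uint64_t a, uint64_t b)
{
    uint64_t d = a ^ b;
    d |= d >> 32; d |= d >> 16; d |= d >> 8; d |= d >> 4; d |= d >> 2; d |= d >> 1;
    return (int)(1 - (d & 1));
}

/* Constructed user database: one real account plus a dummy hash that no
 * password will match, used for the "user does not exist" path. */
static struct user users[1];
static uint64_t fake_hash;
static int db_ready;

static void init_db(void)
{
    if (db_ready) return;
    users[0].name = "alice";
    users[0].pwhash = slow_hash("correct horse");
    fake_hash = slow_hash("\x01no-such-password\x02");
    db_ready = 1;
}

static const struct user *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0) return &users[i];
    return NULL;
}

/* Leaky shape: an unknown user returns before any hashing, so the reply
 * comes back measurably sooner than for a known user with a bad password. */
int auth_naive(const char *name, const char *pw)
{
    init_db();
    const struct user *u = lookup(name);
    if (u == NULL) return 0;
    return hash_eq(slow_hash(pw), u->pwhash);
}

/* Hardened shape: always hash, against the dummy when the user is unknown,
 * and only then fold the lookup result into the answer. */
int auth_constant_work(const char *name, const char *pw)
{
    init_db();
    const struct user *u = lookup(name);
    uint64_t target = (u != NULL) ? u->pwhash : fake_hash;
    int ok = hash_eq(slow_hash(pw), target);
    return (u != NULL) & ok;
}

/* How many slow_hash() calls one login attempt through fn costs. */
unsigned long work_for(int (*fn)(const char *, const char *),
                       const char *name, const char *pw)
{
    init_db();
    unsigned long before = hash_calls;
    fn(name, pw);
    return hash_calls - before;
}
```

With the naive version an attempt against "mallory" costs zero hash calls and one against "alice" costs one; with the hardened version both cost one, which is the property Frank's point about "the same behaviour for accounts that exist and accounts that don't" needs to hold on the code path, not only in the returned result.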
From: larsch at trustcenter.de (Nils Larsch) Date: Tue, 13 May 2003 10:38:56 +0200 Subject: get_pin for scard-opensc.c In-Reply-To: <20030508222106.GA707@folly> References: <200305081631.23900.kstef@mtppi.org> <20030508222106.GA707@folly> Message-ID: <3EC0AF20.7080302@trustcenter.de> Markus Friedl wrote: > i think that if you want to use pin protected cards the ssh-agent > should be used. ssh-add will prompt for the pin. There's one small problem with this approach: if you have more than one key protected with different pins this doesn't really work, because ssh-agent.c asks for the pin before the keys are loaded with sc_get_keys() (scard-opensc.c). Nils From dtucker at zip.com.au Tue May 13 19:52:25 2003 
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 13 May 2003 19:52:25 +1000 Subject: [Ans.]openssh3.5p1 version ... Password aging problem??? References: <014c01c31843$70e5f520$74f84bdc@skyhawk> <3EBF4862.8CEC2368@zip.com.au> <20030512135049.GB21130@foo.birdnet.se> Message-ID: <3EC0C059.EC47E53B@zip.com.au> Peter Stuge wrote: > What is the status on interfacing with the system passwd command for > changing passwords? It's only for non-PAM situations, but is it still > relevant there? I have tried one way of setting up the "chat scripts" but > that failed, I've implemented the skeleton for a second try but have been > too busy with other things to finish it for wider testing. The chat-script method is only applicable to SSH2 (with MSG_USERAUTH_PASSWD_CHANGEREQ), if you want to support changes with protocol 1 you still need passwd-in-session[1]. I think the argument is that since it's needed anyway, using it for protocol 2 as well is the smallest set of changes. > My binary implementing this is currently 6384 bytes when stripped. How many lines of code is that? Don't forget the reason you're doing this is so you don't need ~160 lines of platform-specific change functions (that's for AIX and shadow platforms) which is 4416 bytes stripped on Linux/i386. I suspect that any wins from using /bin/passwd everywhere will be more than offset by handling platform specific weirdness. [1] Someone (Frank?) proposed doing this via TIS challenge-response on Protocol 1. By my reading of the RFC you only get one challenge and one response so in order for that to work you'd need the user to respond with something like "oldpassword,newpassword". Of course, I could be wrong. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From des at ofug.org Tue May 13 20:28:58 2003
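Darren's remark that the chat-script approach only covers SSH2, via MSG_USERAUTH_PASSWD_CHANGEREQ, refers to the password-change exchange in the secsh userauth draft (later published as RFC 4252, section 8). The following added example (not OpenSSH code) encodes both sides of that exchange as the wire format specifies them: the server's SSH_MSG_USERAUTH_PASSWD_CHANGEREQ (message 60: a prompt string and a language tag) and the client's reply, an SSH_MSG_USERAUTH_REQUEST (message 50) for the "password" method with the change flag TRUE followed by the old and new passwords, and then parses the reply with length checks. The buffer type, function names, user name and passwords are the example's own; the message numbers and field order are the protocol's.

```c
#include <stdint.h>
#include <string.h>

#define SSH_MSG_USERAUTH_REQUEST          50
#define SSH_MSG_USERAUTH_PASSWD_CHANGEREQ 60

/* Minimal SSH-style buffer: strings are uint32 big-endian length + bytes. */
struct sshbuf { unsigned char d[512]; size_t len, off; };

static int put_u8(struct sshbuf *b, uint8_t v)
{
    if (b->len + 1 > sizeof b->d) return -1;
    b->d[b->len++] = v;
    return 0;
}

static int put_string(struct sshbuf *b, const char *s)
{
    size_t n = strlen(s);
    if (b->len + 4 + n > sizeof b->d) return -1;
    for (int i = 3; i >= 0; i--) b->d[b->len++] = (unsigned char)(n >> (8 * i));
    memcpy(b->d + b->len, s, n);
    b->len += n;
    return 0;
}

static int get_u8(struct sshbuf *b, uint8_t *v)
{
    if (b->off + 1 > b->len) return -1;
    *v = b->d[b->off++];
    return 0;
}

/* Length-checked read: a length running past the message is an error,
 * never a read beyond the buffer. */
static int get_string(struct sshbuf *b, char *out, size_t outsz)
{
    if (b->off + 4 > b->len) return -1;
    uint32_t n = 0;
    for (int i = 0; i < 4; i++) n = (n << 8) | b->d[b->off++];
    if (n > b->len - b->off || n >= outsz) return -1;
    memcpy(out, b->d + b->off, n);
    out[n] = '\0';
    b->off += n;
    return 0;
}

/* Server -> client: the password has expired, supply a new one. */
int build_passwd_changereq(struct sshbuf *b, const char *prompt, const char *lang)
{
    memset(b, 0, sizeof *b);
    return (put_u8(b, SSH_MSG_USERAUTH_PASSWD_CHANGEREQ) ||
            put_string(b, prompt) || put_string(b, lang)) ? -1 : 0;
}

/* Client -> server: USERAUTH_REQUEST, "password" method, change flag TRUE. */
int build_passwd_change_request(struct sshbuf *b, const char *user,
                                const char *oldpw, const char *newpw)
{
    memset(b, 0, sizeof *b);
    return (put_u8(b, SSH_MSG_USERAUTH_REQUEST) || put_string(b, user) ||
            put_string(b, "ssh-connection") || put_string(b, "password") ||
            put_u8(b, 1) || put_string(b, oldpw) || put_string(b, newpw)) ? -1 : 0;
}

/* Server side: 1 = change request (old and new filled), 0 = plain password
 * authentication (old filled), -1 = not a well-formed password request. */
int parse_password_request(struct sshbuf *b, char *user, size_t usz,
                           char *oldpw, size_t osz, char *newpw, size_t nsz)
{
    uint8_t type, change;
    char service[64], method[32];
    if (get_u8(b, &type) || type != SSH_MSG_USERAUTH_REQUEST) return -1;
    if (get_string(b, user, usz) || get_string(b, service, sizeof service) ||
        get_string(b, method, sizeof method) || strcmp(method, "password") != 0)
        return -1;
    if (get_u8(b, &change) || get_string(b, oldpw, osz)) return -1;
    if (!change) return 0;
    return get_string(b, newpw, nsz) ? -1 : 1;
}

/* Constructed round trip: server prompts, client answers, server parses.
 * Returns 1 when the parsed fields match what the client sent. */
int demo_roundtrip(void)
{
    struct sshbuf req, resp;
    char user[32], oldpw[64], newpw[64];
    if (build_passwd_changereq(&req, "Password expired, choose a new one", "en-US"))
        return -1;
    if (build_passwd_change_request(&resp, "jdoe", "old-secret", "new-secret"))
        return -1;
    if (parse_password_request(&resp, user, sizeof user, oldpw, sizeof oldpw,
                               newpw, sizeof newpw) != 1)
        return 0;
    return strcmp(user, "jdoe") == 0 && strcmp(oldpw, "old-secret") == 0 &&
           strcmp(newpw, "new-secret") == 0;
}

/* A reply truncated inside the new password must be rejected (-1). */
int demo_truncated(void)
{
    struct sshbuf resp;
    char user[32], oldpw[64], newpw[64];
    build_passwd_change_request(&resp, "jdoe", "old-secret", "new-secret");
    resp.len -= 4;
    return parse_password_request(&resp, user, sizeof user, oldpw, sizeof oldpw,
                                  newpw, sizeof newpw);
}
```

Note that the server only learns the change is coming because the client sends a second USERAUTH_REQUEST with the flag set; there is no equivalent in protocol 1, which is why the in-session passwd approach is the only route for it.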
From: des at ofug.org (Dag-Erling Smorgrav) Date: Tue, 13 May 2003 12:28:58 +0200 Subject: New PAM code landing (at last) In-Reply-To: <3EBCC47A.5060104@mindrot.org> (Damien Miller's message of "Sat, 10 May 2003 19:20:58 +1000") References: <3EBCC47A.5060104@mindrot.org> Message-ID: Damien Miller writes: > Also note that we do not enable and have no intention of enabling the > thread support - we don't want the complexity of threads in the monitor. > The code is still there at the moment (#ifdef'd out), but will likely > disappear from our tree in the future. I'll try to remove it in such a > way that the FreeBSD developers don't end up in #ifdef hell putting it > back in their tree. There's nothing to remove. Unless you define USE_POSIX_THREADS, the PAM code will use a child process instead of threads. At most, you may want to remove the following lines: #ifdef USE_POSIX_THREADS #include #else and, further down: #endif as well as one instance of #ifndef USE_POSIX_THREADS. Also, please make sure that - - you are using the latest PAM code from FreeBSD-CURRENT - you also have my auth-chall.c patches - you also have the abandon_challenge_response() patch for auth1.c - you remove the PAMAuthenticationViaKbdInt option from servconf.c - you run #unifdef -UUSE_PAM on auth-passwd.c DES -- Dag-Erling Smorgrav - des at ofug.org From des at ofug.org Tue May 13 20:31:04 2003
From: des at ofug.org (Dag-Erling Smorgrav) Date: Tue, 13 May 2003 12:31:04 +0200 Subject: New PAM code landing (at last) In-Reply-To: <001901c3178f$0fbb2130$6600a8c0@JAMES> (James Williamson's message of "Sun, 11 May 2003 08:29:28 +0100") References: <3EBCC47A.5060104@mindrot.org> <002501c316e0$37ed74a0$6600a8c0@JAMES> <3EBCE7DD.60308@mindrot.org> <20030510142546.A23607@google.com> <3EBD9121.1090207@mindrot.org> <001901c3178f$0fbb2130$6600a8c0@JAMES> Message-ID: "James Williamson" writes: > I've scanned the code and the PAM stuff is actually broken despite > the privileges. The credentials stage is actually called after the > session stage which runs contra to what the linux pam docs specify > (i.e. it should be done before). The Linux PAM docs are wrong. Please do not consider anything Andrew Morgan has written as authoritative. If you need a working open- source PAM library, see . DES -- Dag-Erling Smorgrav - des at ofug.org From Darren.Moffat at Sun.COM Wed May 14 06:43:52 2003 
From: Darren.Moffat at Sun.COM (Darren J Moffat) Date: Tue, 13 May 2003 13:43:52 -0700 (PDT) Subject: [Bug 559] PAM fixes In-Reply-To: <3EC0416F.7030501@mindrot.org> References: <20030512074716.C76F19428C@shitei.mindrot.org> <20030512052353.A29881@google.com> <3EBF967B.2070704@mindrot.org> <3EC0416F.7030501@mindrot.org> Message-ID: On Tue, 13 May 2003, Damien Miller wrote: > Darren J Moffat wrote: > > On Mon, 12 May 2003, Damien Miller wrote: > > > >> The PAM stuff is IMO separate - one may disable empty passwords by > >> omitting the "nullok" flag to pam_unix.so in the PAM control file. > > > > That is an argument specific to one vendor's implementation of a specific module. > > There is (and probably should not be) any standardization of the arguments > > modules take. Some vendors may choose to standardize options across modules > > they implement but it is certainly not required. > > Ok, but the point was that control over the behaviour of PAM modules and > what they accept should be done in the PAM control file and not in > sshd_config. In general yes, but for "empty" passwords there is an explicit flag for pam_authenticate(3pam) PAM_DISALLOW_NULL_AUTHTOK. Personally I think this is the wrong level of abstraction and if there is ever a version 2 of PAM I would hope to remove this because it is individual module policy that should be used here. -- Darren J Moffat From dturner at gotbrains.org Wed May 14 07:42:15 2003
From: dturner at gotbrains.org (David Turner) Date: Tue, 13 May 2003 16:42:15 -0500 Subject: SSH FTP Directories Message-ID: <4.2.2.20030513163822.00ac5e00@127.0.0.1> I am making a SSH FTP client implementation, and I have run into a problem with directory listings. Some servers (e.g. Solaris) place * at the end of executable filenames, and when a directory listing is done, these are in the listing. As the * character is a valid filename character in UNIX, I need a way to determine if its indeed just an executable file, or if its actually part of the filename and should not be truncated. Is there a good way to determine what scenario I'm dealing with? Thanks, David From Darren.Moffat at Sun.COM Wed May 14 09:47:57 2003 From: Darren.Moffat at Sun.COM (Darren J Moffat) Date: Tue, 13 May 2003 16:47:57 -0700 (PDT) Subject: SSH FTP Directories In-Reply-To: <4.2.2.20030513163822.00ac5e00@127.0.0.1> References: <4.2.2.20030513163822.00ac5e00@127.0.0.1> Message-ID: On Tue, 13 May 2003, David Turner wrote: > > I am making a SSH FTP client implementation, and I have run into a problem > with directory listings. Some servers (e.g. Solaris) place * at the end of That only happens if you specified the -F flag to ls. I think you are confusing what the /bin/ls command does versus what the system calls that it calls do. The Solaris kernel certainly does not add a * to the end of a file name. Check your shell aliases, if someone is calling /bin/ls to do any listing then it is quite possible it is picking up your shell aliases. -- Darren J Moffat From bugzilla-daemon at mindrot.org Wed May 14 10:23:40 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 14 May 2003 10:23:40 +1000 (EST) Subject: [Bug 559] PAM fixes Message-ID: <20030514002340.BCD1E9420B@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=559 ------- Additional Comments From djm at mindrot.org 2003-05-14 10:23 ------- 
> @@ -186,8 +186,8 @@ input_userauth_request(int type, u_int32 > m = authmethod_lookup(method); > if (m != NULL) { > debug2("input_userauth_request: try method %s", method); > - authenticated = m->userauth(authctxt); > + authenticated = m->userauth(authctxt) && authctxt->valid; > } > userauth_finish(authctxt, authenticated, method); This chunk is not necessary, as userauth_finish does: > if (!authctxt->valid && authenticated) > fatal("INTERNAL ERROR: authenticated invalid user %s", > authctxt->user); and no auth method should set authenticated = 1 for a non existant user :) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed May 14 10:26:22 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 14 May 2003 10:26:22 +1000 (EST) Subject: [Bug 117] OpenSSH second-guesses PAM Message-ID: <20030514002622.20DC194275@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=117 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2003-05-14 10:26 ------- Patch applied ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed May 14 10:28:07 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 14 May 2003 10:28:07 +1000 (EST) Subject: [Bug 118] Implement TIS (protocol 1) via PAM Message-ID: <20030514002807.3BA2594282@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=118 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2003-05-14 10:28 ------- This is now supported via the PAM challenge-response method (also, don't post patches in the comments field) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed May 14 10:29:20 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 14 May 2003 10:29:20 +1000 (EST) Subject: [Bug 559] PAM fixes Message-ID: <20030514002920.8FAD69428A@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=559 ------- Additional Comments From djm at mindrot.org 2003-05-14 10:29 ------- The chunks like: > - PRIVSEP(start_pam("NOUSER")); > + PRIVSEP(start_pam(user)); have been committed under bug #117 ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed May 14 10:32:53 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 14 May 2003 10:32:53 +1000 (EST) Subject: [Bug 557] scp over ssh-relay insists in asking passphrase Message-ID: <20030514003253.4F25C94297@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=557 ------- Additional Comments From djm at mindrot.org 2003-05-14 10:32 ------- hmmm, it might have something to do with: addargs(&args, "-oClearAllForwardings yes"); in scp.c. Can you try removing that line and seeing whether things work? You haven't given any details about the nature of the relay that you are using. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From markus at openbsd.org Wed May 14 12:09:30 2003 From: markus at openbsd.org (Markus Friedl) Date: Wed, 14 May 2003 04:09:30 +0200 Subject: [Bug 557] scp over ssh-relay insists in asking passphrase In-Reply-To: <20030514003253.4F25C94297@shitei.mindrot.org> References: <20030514003253.4F25C94297@shitei.mindrot.org> Message-ID: <20030514020929.GC1906@folly> On Wed, May 14, 2003 at 10:32:53AM +1000, bugzilla-daemon at mindrot.org wrote: > addargs(&args, "-oClearAllForwardings yes"); scp should _not_ disable agent forwarding i think.... From bugzilla-daemon at mindrot.org Wed May 14 12:13:44 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 14 May 2003 12:13:44 +1000 (EST) Subject: [Bug 524] Keyboard-interactive PAM back end hides information Message-ID: <20030514021344.97E1E94297@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=524 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2003-05-14 12:13 ------- PAM support has changed in CVS completely from the last release. PAM is now a near-proper kbd-int citizen. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From mmartin at ncs.com.sg Wed May 14 12:18:16 2003 From: mmartin at ncs.com.sg (Martin Ferdinand R Magat) Date: Wed, 14 May 2003 10:18:16 +0800 Subject: SFTP on OS390 Message-ID: <19C34CD863B1D4118E2800508BAF663A075B8D48@stone.ncs.com.sg> Hi Anyone have any idea on how to implement sftp in os390? Well .. using OpenSSH .. I've already installed SSL and SSH successfully .. I can do putty and scp .. but sftp is still a problem .. anyone has a guideline? thanks From djm at mindrot.org Wed May 14 13:01:43 2003 
From: djm at mindrot.org (Damien Miller) Date: Wed, 14 May 2003 13:01:43 +1000 Subject: [Bug 557] scp over ssh-relay insists in asking passphrase In-Reply-To: <20030514020929.GC1906@folly> References: <20030514003253.4F25C94297@shitei.mindrot.org> <20030514020929.GC1906@folly> Message-ID: <3EC1B197.7030703@mindrot.org> Markus Friedl wrote: > On Wed, May 14, 2003 at 10:32:53AM +1000, bugzilla-daemon at mindrot.org wrote: >> addargs(&args, "-oClearAllForwardings yes"); > > scp should _not_ disable agent forwarding i think.... It needs it for: scp remote1:foo remote2:bar Maybe we need ClearPortForwardings? (we can take care of X forwarding using ForwardX11=no). -d From bugzilla-daemon at mindrot.org Wed May 14 14:28:53 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 14 May 2003 14:28:53 +1000 (EST) Subject: [Bug 559] PAM fixes Message-ID: <20030514042853.004959427F@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=559 ------- Additional Comments From fcusack at fcusack.com 2003-05-14 14:28 ------- 
> > @@ -186,8 +186,8 @@ input_userauth_request(int type, u_int32 ... > This chunk is not necessary, as userauth_finish does: I didn't want to second guess what userauth_finish() would do (for maintainability going forward). Prior to the patch, userauth_finish() would never be called with authenticated=1 && authctxt->valid=0. Hence the fatal(), I guess! I wanted to preserve that assumption. > and no auth method should set authenticated = 1 for a non existant user :) You can't know what PAM will do. I had another patch where getpwnam() wouldn't run until after PAM was called. This gives PAM the chance to change the username, which it's allowed to do. FWIW, I actually have a valid use for that behavior (not just having a feature for feature's sake). A device that logs folks in to a single role account, but using individual usernames and secrets. Via PAM, that's possible to setup so that (eg) the auth goes to radius for secret verification, then the last module in the stack changes the username. The advantage is: no account maintenance on the device. I couldn't use the :style nicety because that is already used to access specific features when logging in. (I could have done something like :user.style but opted for PAM--seems cleaner.) But regardless of that use, again, you cannot know what PAM will do. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed May 14 14:51:36 2003 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 14 May 2003 14:51:36 +1000 (EST) Subject: [Bug 564] new PAM code only calls pam_acct_mgmt for challenge-response clients Message-ID: <20030514045136.6BC979427B@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=564 Summary: new PAM code only calls pam_acct_mgmt for challenge- response clients Product: Portable OpenSSH Version: -current Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: djm at mindrot.org The new PAM code only calls pam_acct_mgmt for challenge-response clients. Unsure whether this is a problem, but it is certainly a change in behaviour. We used to do tests like: #ifdef USE_PAM if (!use_privsep && authenticated && authctxt->user && !do_pam_account(authctxt->user, NULL)) authenticated = 0; #endif /* USE_PAM */ ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed May 14 15:14:51 2003 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 14 May 2003 15:14:51 +1000 (EST) Subject: [Bug 377] Reduce compiler warnings. Use unsigned args to the ctype.h is*() macros. Message-ID: <20030514051451.6F949942F8@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=377 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2003-05-14 15:14 ------- Please retest with CVS head or 3.6.1 - most of these are fixed. If some are still outstanding, please file a new bug. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From djm at mindrot.org Wed May 14 15:32:23 2003 
From: djm at mindrot.org (Damien Miller)
Date: Wed, 14 May 2003 15:32:23 +1000
Subject: Changes in tonights snapshot
Message-ID: <3EC1D4E7.4030905@mindrot.org>

There are a couple of noteworthy changes in tonight's snapshot:

1. New UsePAM directive

There is a new sshd_config directive, UsePAM for systems built using "configure --with-pam". This allows one to switch off all PAM calls from sshd. This is handy if one builds with PAM but wants to use the sshd's ability to run as a non-root user. Previously this was impossible if one enabled PAM support.

2. kerberos-2 at ssh.com support

Markus has added support for SSH.COM's Kerberos authentication method for protocol v.2. This has been interop tested on OpenBSD with the in-tree Heimdal Kerberos implementation, but not with MIT Kerberos.

This needs review from someone who understands the MIT kerberos API properly (I don't...) There is at least one minor problem: grep for '# warning' in sshconnect2.c

3. Pubkey authentication key try order

Markus has changed the order in which pubkeys are tried. From the ChangeLog:

> for pubkey authentication try the user keys in the following order:
> 1. agent keys that are found in the config file
> 2. other agent keys
> 3. keys that are only listed in the config file
> this helps when an agent has many keys, where the server might
> close the connection before the correct key is used.

Please report problems with any of the above to bugzilla or this list.

-d

From bugzilla-daemon at mindrot.org Wed May 14 16:20:20 2003
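The key try order in item 3 of the announcement above, as an added example (not OpenSSH's code): a small Python model of the three-class ordering from the quoted ChangeLog, next to a server that closes the connection after a fixed number of failed attempts, so the effect of the reordering can be seen on a constructed sample. The key names, the MAX_TRIES value (a stand-in for sshd's AUTH_FAIL_MAX, not its real value), the "old" ordering (which the announcement only implies: agent keys first, then config keys) and the rule that every rejected key counts as one failure are assumptions made for the illustration.

```python
"""Pubkey try order vs. a server that limits failed attempts.

Added example, not OpenSSH code. Models the ordering from the ChangeLog
quoted in the announcement and a server that drops the connection after a
fixed number of failed attempts. All names and limits are assumptions.
"""

MAX_TRIES = 6  # assumed server limit; stands in for AUTH_FAIL_MAX


def new_try_order(agent_keys, config_keys):
    """Order keys as the snapshot does: agent keys that are also listed in
    the config, then the remaining agent keys, then config-only keys.
    Both inputs are lists of key identifiers (e.g. fingerprints) in the
    order the agent / config file lists them."""
    config_set = set(config_keys)
    agent_set = set(agent_keys)
    in_both = [k for k in agent_keys if k in config_set]        # class 1
    agent_only = [k for k in agent_keys if k not in config_set]  # class 2
    config_only = [k for k in config_keys if k not in agent_set] # class 3
    return in_both + agent_only + config_only


def old_try_order(agent_keys, config_keys):
    """Assumed pre-change order: every agent key in agent order, then any
    config key the agent does not already hold."""
    agent_set = set(agent_keys)
    return list(agent_keys) + [k for k in config_keys if k not in agent_set]


def attempts_until_accepted(order, authorized, max_tries=MAX_TRIES):
    """Simulate the server: each rejected key is one failure; once the
    failure count reaches max_tries the connection is closed. Returns the
    1-based position of the accepted key, or None if the server closes
    the connection first."""
    failures = 0
    for position, key in enumerate(order, start=1):
        if key in authorized:
            return position
        failures += 1
        if failures >= max_tries:
            return None
    return None


# Constructed sample: a busy agent holding eight keys, a config that names
# the one key this host accepts (agent key a7) plus a file-only key c1.
AGENT_KEYS = ["a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8"]
CONFIG_KEYS = ["a7", "c1"]
AUTHORIZED = {"a7"}


def compare():
    """Return (old_result, new_result): the attempt at which the sample
    host accepts a key under each ordering, None meaning disconnected."""
    old = attempts_until_accepted(old_try_order(AGENT_KEYS, CONFIG_KEYS), AUTHORIZED)
    new = attempts_until_accepted(new_try_order(AGENT_KEYS, CONFIG_KEYS), AUTHORIZED)
    return old, new


if __name__ == "__main__":
    print("old order:", old_try_order(AGENT_KEYS, CONFIG_KEYS))
    print("new order:", new_try_order(AGENT_KEYS, CONFIG_KEYS))
    print("accepted at attempt (old, new):", compare())
```

With the sample above the old order offers six agent keys before reaching a7 and is cut off; the new order offers a7 first because it is both in the agent and named in the config. This is the same reason a client with many agent keys should name the right key with IdentityFile, or keep the agent small, when talking to hosts with a low attempt limit.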
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 16:20:20 +1000 (EST)
Subject: [Bug 565] gcc 3.2.3 compiler warnings for openssh-3.6.1p2 on Solaris 7
Message-ID: <20030514062020.C693A94324@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=565

           Summary: gcc 3.2.3 compiler warnings for openssh-3.6.1p2 on Solaris 7
           Product: Portable OpenSSH
           Version: -current
          Platform: Sparc
        OS/Version: Solaris
            Status: NEW
          Severity: trivial
          Priority: P2
         Component: Miscellaneous
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: mdb at juniper.net

There are a number of compiler warnings remaining in OpenSSH when compiled with gcc 3.2.3 under Solaris 7 on sparc sun4u hardware. The following kinds of warnings were seen:

comparison of distinct pointer types lacks a cast
initialization from incompatible pointer type
int format, nlink_t arg (arg 5)
int format, pid_t arg (arg 4)
int format, uid_t arg (arg 2)
int format, uid_t arg (arg 3)
subscript has type char
unsigned int format, gid_t arg (arg 2)
unsigned int format, long unsigned int arg (arg 2)
unsigned int format, mode_t arg (arg 3)

From bugzilla-daemon at mindrot.org Wed May 14 16:22:32 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 16:22:32 +1000 (EST)
Subject: [Bug 565] gcc 3.2.3 compiler warnings for openssh-3.6.1p2 on Solaris 7
Message-ID: <20030514062232.0E1499433A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=565

------- Additional Comments From mdb at juniper.net 2003-05-14 16:22 -------
Created an attachment (id=293)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=293&action=view)
gcc warnings messages issued while making openssh-3.6.1p2

From dtucker at zip.com.au Wed May 14 18:10:05 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 14 May 2003 18:10:05 +1000
Subject: Changes in tonights snapshot
References: <3EC1D4E7.4030905@mindrot.org>
Message-ID: <3EC1F9DD.8E7DA808@zip.com.au>

Damien Miller wrote:
> Please report problems with any of the above to bugzilla or this list.

It looks like the SOCK_STREAM -> ai_socktype change broke AIX (at least 4.2.1, 4.3.3 & 5.1, possibly others), which was caught by the tinderbox[1]. I don't know why yet, I'll do some digging. I did notice that AIX defines BROKEN_GETADDRINFO.

-Daz.

# ./sshd -ddd -p 2022
[snip]
debug1: private host key: #2 type 2 DSA
socket: Protocol not supported
Cannot bind any address.

# cvs diff -r 1.239 -r 1.240 sshd.c
[snip]
- listen_sock = socket(ai->ai_family, SOCK_STREAM, 0);
+ listen_sock = socket(ai->ai_family, ai->ai_socktype,
+ ai->ai_protocol);

# cvs up -r 1.239 sshd.c && make sshd
P sshd.c
[snip]

# ./sshd -ddd -p 2022
[snip]
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 2022 on 0.0.0.0.
Server listening on 0.0.0.0 port 2022.
Generating 768 bit RSA key.
RSA key generation complete.

[1] http://dodgynet.dyndns.org/tinderbox/OpenSSH_Portable/status.html

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From djm at mindrot.org Wed May 14 18:44:34 2003
From: djm at mindrot.org (Damien Miller)
Date: Wed, 14 May 2003 18:44:34 +1000
Subject: Changes in tonights snapshot
In-Reply-To: <3EC1F9DD.8E7DA808@zip.com.au>
References: <3EC1D4E7.4030905@mindrot.org> <3EC1F9DD.8E7DA808@zip.com.au>
Message-ID: <3EC201F2.8050107@mindrot.org>

Darren Tucker wrote:
> Damien Miller wrote:
>> Please report problems with any of the above to bugzilla or this list.
>
> It looks like the SOCK_STREAM -> ai_socktype change broke AIX (at least
> 4.2.1, 4.3.3 & 5.1, possibly others), which was caught by the
> tinderbox[1]. I don't know why yet, I'll do some digging. I did notice
> that AIX defines BROKEN_GETADDRINFO.

> - listen_sock = socket(ai->ai_family, SOCK_STREAM, 0);
> + listen_sock = socket(ai->ai_family, ai->ai_socktype,
> + ai->ai_protocol);

Can you whack a debug() in there to show what ai->ai_socktype and ai->ai_protocol are being set to?

-d

From dtucker at zip.com.au Wed May 14 19:02:06 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 14 May 2003 19:02:06 +1000
Subject: Changes in tonights snapshot
References: <3EC1D4E7.4030905@mindrot.org> <3EC1F9DD.8E7DA808@zip.com.au>
Message-ID: <3EC2060E.B9AC8930@zip.com.au>

Darren Tucker wrote:
> Damien Miller wrote:
> > Please report problems with any of the above to bugzilla or this list.
>
> It looks like the SOCK_STREAM -> ai_socktype change broke AIX (at least
> 4.2.1, 4.3.3 & 5.1, possibly others), which was caught by the
> tinderbox[1]. I don't know why yet, I'll do some digging. I did notice
> that AIX defines BROKEN_GETADDRINFO.

Further info: same thing happens on Solaris 7 (which also doesn't have getaddrinfo at all so also uses fake-getaddrinfo.c). Adding some debugging to sshd, I get:

debug1: private host key: #2 type 2 DSA
debug3: setting up socket, ai_family 2 ai_socktype 0 ai_protocol 0
socket: Protocol not supported
Cannot bind any address.

How about setting "ai->ai_socktype = SOCK_STREAM;" to malloc_ai()? This works for me.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From djm at mindrot.org Wed May 14 19:06:14 2003
From: djm at mindrot.org (Damien Miller)
Date: Wed, 14 May 2003 19:06:14 +1000
Subject: Changes in tonights snapshot
In-Reply-To: <3EC2060E.B9AC8930@zip.com.au>
References: <3EC1D4E7.4030905@mindrot.org> <3EC1F9DD.8E7DA808@zip.com.au> <3EC2060E.B9AC8930@zip.com.au>
Message-ID: <3EC20706.7010303@mindrot.org>

Darren Tucker wrote:
> Darren Tucker wrote:
>> Damien Miller wrote:
>> > Please report problems with any of the above to bugzilla or this list.
>>
>> It looks like the SOCK_STREAM -> ai_socktype change broke AIX (at least
>> 4.2.1, 4.3.3 & 5.1, possibly others), which was caught by the
>> tinderbox[1]. I don't know why yet, I'll do some digging. I did notice
>> that AIX defines BROKEN_GETADDRINFO.
>
> Further info: same thing happens on Solaris 7 (which also doesn't have
> getaddrinfo at all so also uses fake-getaddrinfo.c). Adding some
> debugging to sshd, I get:
>
> debug1: private host key: #2 type 2 DSA
> debug3: setting up socket, ai_family 2 ai_socktype 0 ai_protocol 0
> socket: Protocol not supported
> Cannot bind any address.
>
> How about setting "ai->ai_socktype = SOCK_STREAM;" to malloc_ai()? This
> works for me.

If hints->ai_socktype and hints->ai_protocol are set we should use them first, otherwise you are correct*.

-d

* for our purposes, but woe betide any who try to use our getaddrinfo implementation elsewhere

From djm at mindrot.org Wed May 14 19:27:08 2003
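The failure and the fix discussed in the exchange above, as an added example (this is a Python model, not OpenSSH's fake-getaddrinfo.c): a minimal replacement resolver that applies the rule Damien states, honour hints->ai_socktype and ai_protocol when the caller set them and otherwise default to SOCK_STREAM, followed by the socket()/bind() sequence sshd runs on the result. The pre-patch result (socktype 0) makes socket() fail; the fixed one binds. The function names, the IPv4-only result and the use of port 0 on the loopback address are assumptions for the illustration.

```python
"""Default ai_socktype for a replacement getaddrinfo().

Added example, not OpenSSH code. Models the rule from the thread (use the
caller's hints when set, else SOCK_STREAM) and shows why a zero socktype
breaks sshd's listener setup. Names and addresses are assumptions.
"""
import socket


def fake_getaddrinfo(host, port, hints_socktype=0, hints_protocol=0):
    """Return one (family, socktype, proto, sockaddr) tuple, IPv4 only,
    the way a minimal replacement getaddrinfo() would, applying the
    hints rule: explicit hints win, otherwise SOCK_STREAM."""
    socktype = hints_socktype if hints_socktype else socket.SOCK_STREAM
    proto = hints_protocol  # 0 = the default protocol for that socket type
    return (socket.AF_INET, socktype, proto, (host, port))


def broken_fake_getaddrinfo(host, port):
    """The pre-patch result: ai_socktype and ai_protocol both left at 0,
    which is what the debug3 line in the thread shows."""
    return (socket.AF_INET, 0, 0, (host, port))


def try_bind(ai):
    """Do what sshd's listener setup does with one addrinfo entry:
    socket() then bind(). Returns "bound" on success, or
    "socket: <error>" when socket() itself rejects the tuple."""
    family, socktype, proto, addr = ai
    try:
        s = socket.socket(family, socktype, proto)
    except OSError as err:
        return "socket: %s" % err.strerror
    try:
        s.bind(addr)
        return "bound"
    finally:
        s.close()


def system_socktypes(host, port):
    """For contrast: a real getaddrinfo() given ai_socktype 0 in the hints
    returns one entry per socket type, never an entry with socktype 0."""
    return {entry[1] for entry in socket.getaddrinfo(host, port, socket.AF_INET, 0)}


if __name__ == "__main__":
    print("pre-patch:", try_bind(broken_fake_getaddrinfo("127.0.0.1", 0)))
    print("fixed:    ", try_bind(fake_getaddrinfo("127.0.0.1", 0)))
    print("hinted:   ", try_bind(fake_getaddrinfo("127.0.0.1", 0, socket.SOCK_DGRAM)))
    print("system getaddrinfo socktypes:", system_socktypes("127.0.0.1", 2022))
```

The contrast function is the reason Damien's footnote matters: a caller of the real getaddrinfo() that leaves ai_socktype unset gets every socket type back and picks one; a replacement that returns a single entry has to pick for the caller, and SOCK_STREAM is only the right pick for sshd.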
From: djm at mindrot.org (Damien Miller)
Date: Wed, 14 May 2003 19:27:08 +1000
Subject: Changes in tonights snapshot
In-Reply-To: <3EC1D4E7.4030905@mindrot.org>
References: <3EC1D4E7.4030905@mindrot.org>
Message-ID: <3EC20BEC.2030008@mindrot.org>

In the grand tradition of replying to one's own messages, Damien Miller wrote:
> 2. kerberos-2 at ssh.com support
>
> Markus has added support for SSH.COM's Kerberos authentication method
> for protocol v.2. This has been interop tested on OpenBSD with the
> in-tree Heimdal Kerberos implementation, but not with MIT Kerberos.
>
> This needs review from someone who understands the MIT kerberos API
> properly (I don't...) There is at least one minor problem:
> grep for '# warning' in sshconnect2.c

I think I have fixed this particular problem. Markus also reports that the code is largely cut+paste from sshconnect1.c which has been reviewed already.

-d

From dtucker at zip.com.au Wed May 14 19:45:19 2003
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 14 May 2003 19:45:19 +1000 Subject: Changes in tonights snapshot References: <3EC1D4E7.4030905@mindrot.org> <3EC1F9DD.8E7DA808@zip.com.au> <3EC2060E.B9AC8930@zip.com.au> <3EC20706.7010303@mindrot.org> Message-ID: <3EC2102F.DCB3392A@zip.com.au> Damien Miller wrote: > Darren Tucker wrote: > > How about setting "ai->ai_socktype = SOCK_STREAM;" to malloc_ai()? This > > works for me. > > If hints->ai_socktype and hints->ai_protocol are set we should use them > first, otherwise you are correct*. How's the attached patch? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: openbsd-compat/fake-getaddrinfo.c =================================================================== RCS file: /var/cvs/openssh/openbsd-compat/fake-getaddrinfo.c,v retrieving revision 1.5 diff -u -r1.5 fake-getaddrinfo.c --- openbsd-compat/fake-getaddrinfo.c 24 Mar 2003 02:35:59 -0000 1.5 +++ openbsd-compat/fake-getaddrinfo.c 14 May 2003 09:38:46 -0000 @@ -41,7 +41,7 @@ #endif /* !HAVE_FREEADDRINFO */ #ifndef HAVE_GETADDRINFO -static struct addrinfo *malloc_ai(int port, u_long addr) +static struct addrinfo *malloc_ai(int port, u_long addr, struct addrinfo *hints) { struct addrinfo *ai; @@ -59,6 +59,14 @@ ((struct sockaddr_in *)(ai)->ai_addr)->sin_port = port; ((struct sockaddr_in *)(ai)->ai_addr)->sin_addr.s_addr = addr; + if (hints->ai_socktype) + ai->ai_socktype = hints->ai_socktype; + else + ai->ai_socktype = SOCK_STREAM; + + if (hints->ai_protocol) + ai->ai_protocol = hints->ai_protocol; + return(ai); } 
@@ -90,21 +98,21 @@ addr = htonl(0x00000000); if (hostname && inet_aton(hostname, &in) != 0) addr = in.s_addr; - if (NULL != (*res = malloc_ai(port, addr))) + if (NULL != (*res = malloc_ai(port, addr, hints))) return 0; else return EAI_MEMORY; } if (!hostname) { - if (NULL != (*res = malloc_ai(port, htonl(0x7f000001)))) + if (NULL != (*res = malloc_ai(port, htonl(0x7f000001), hints))) return 0; else return EAI_MEMORY; } if (inet_aton(hostname, &in)) { - if (NULL != (*res = malloc_ai(port, in.s_addr))) + if (NULL != (*res = malloc_ai(port, in.s_addr, hints))) return 0; else return EAI_MEMORY; @@ -113,7 +121,8 @@ hp = gethostbyname(hostname); if (hp && hp->h_name && hp->h_name[0] && hp->h_addr_list[0]) { for (i = 0; hp->h_addr_list[i]; i++) { - cur = malloc_ai(port, ((struct in_addr *)hp->h_addr_list[i])->s_addr); + cur = malloc_ai(port, + ((struct in_addr *)hp->h_addr_list[i])->s_addr, hints); if (cur == NULL) { if (*res) freeaddrinfo(*res); From dtucker at zip.com.au Wed May 14 19:51:06 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 14 May 2003 19:51:06 +1000 Subject: Changes in tonights snapshot References: <3EC1D4E7.4030905@mindrot.org> <3EC1F9DD.8E7DA808@zip.com.au> <3EC2060E.B9AC8930@zip.com.au> <3EC20706.7010303@mindrot.org> <3EC2102F.DCB3392A@zip.com.au> Message-ID: <3EC2118A.7EE265F1@zip.com.au> Darren Tucker wrote: > How's the attached patch? > -static struct addrinfo *malloc_ai(int port, u_long addr) > +static struct addrinfo *malloc_ai(int port, u_long addr, struct addrinfo *hints) Whoops, make that "const struct addrinfo..." -Daz. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From bugzilla-daemon at mindrot.org Wed May 14 20:17:47 2003 
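Review bot: the first hunk dereferences hints unconditionally in `if (hints->ai_socktype)` and `if (hints->ai_protocol)`, but getaddrinfo() permits a NULL hints pointer and the three call sites in the later hunks forward whatever pointer getaddrinfo() received, so a caller passing NULL hints now crashes inside malloc_ai(). Suggest guarding both tests, e.g. `if (hints != NULL && hints->ai_socktype)`, keeping SOCK_STREAM as the fallback, and declaring the parameter `const struct addrinfo *hints` as the follow-up reply already proposes.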
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 20:17:47 +1000 (EST)
Subject: [Bug 560] Privsep child continues to run after monitor killed.
Message-ID: <20030514101747.F3EAC94208@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=560

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From dtucker at zip.com.au 2003-05-14 20:17 -------
Now fixed.

$ cvs log monitor.c
[snip]
revision 1.46
date: 2003/05/14 09:31:12; author: djm; state: Exp; lines: +18 -1
   - markus at cvs.openbsd.org 2003/05/14 08:57:49
     [monitor.c]
     http://bugzilla.mindrot.org/show_bug.cgi?id=560
     Privsep child continues to run after monitor killed.
     Pass monitor signals through to child; Darren Tucker

From bugzilla-daemon at mindrot.org Wed May 14 20:21:19 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 20:21:19 +1000 (EST)
Subject: [Bug 551] ssh install fails on Tru64 V5.0A
Message-ID: <20030514102119.B59AA94212@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=551

------- Additional Comments From dtucker at zip.com.au 2003-05-14 20:21 -------
Is this anything like bug #533? Try adding -4 to the sshd command line.

From bugzilla-daemon at mindrot.org Wed May 14 21:07:57 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 21:07:57 +1000 (EST)
Subject: [Bug 555] If user does a newgrp before invoking ssh, it fails with a setgid error.
Message-ID: <20030514110757.DB2A394212@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=555

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From dtucker at zip.com.au 2003-05-14 21:07 -------
Please re-open if you can reproduce with current versions, this seems to be OK now.

From bugzilla-daemon at mindrot.org Wed May 14 21:12:26 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 21:12:26 +1000 (EST)
Subject: [Bug 538] Hanging while connecting
Message-ID: <20030514111226.C75A39421D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=538

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From dtucker at zip.com.au 2003-05-14 21:12 -------
OK, then it seems to be a system or hardware problem unrelated to OpenSSH.

From bugzilla-daemon at mindrot.org Wed May 14 22:21:27 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 22:21:27 +1000 (EST)
Subject: [Bug 561] Please implement MaxAuthTries
Message-ID: <20030514122127.107A494212@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=561

------- Additional Comments From djm at mindrot.org 2003-05-14 22:21 -------
FYI if you still need this, it is a very easy patch to make (grep for AUTH_FAIL_MAX)

From bugzilla-daemon at mindrot.org Wed May 14 22:26:21 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 22:26:21 +1000 (EST)
Subject: [Bug 258] scanf format not portable
Message-ID: <20030514122621.21522942B8@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=258

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org 2003-05-14 22:26 -------
Applied

From bugzilla-daemon at mindrot.org Wed May 14 22:27:52 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 22:27:52 +1000 (EST)
Subject: [Bug 379] difficult to find the openssh code signing key on openssh.org.
Message-ID: <20030514122752.B62E09433F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=379

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WONTFIX

------- Additional Comments From djm at mindrot.org 2003-05-14 22:27 -------
Key is on the FTP server and is widely distributed on the keyservers (the canonical place for keys)

From bugzilla-daemon at mindrot.org Wed May 14 22:32:20 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 22:32:20 +1000 (EST)
Subject: [Bug 188] pam_chauthtok() is called too late
Message-ID: <20030514123220.E916D94347@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=188

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

------- Additional Comments From djm at mindrot.org 2003-05-14 22:32 -------
This patch has bitrotted with the introduction of the new PAM code. Discussion of password expiry handling is ongoing in bug #423 and bug #14

From bugzilla-daemon at mindrot.org Wed May 14 22:34:39 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 22:34:39 +1000 (EST)
Subject: [Bug 336] ssh does not compile on Linux with libc5 and 2.0 kernel
Message-ID: <20030514123439.ACC19942DE@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=336

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org 2003-05-14 22:34 -------
I think that this was fixed in CVS recently:

 - (dtucker) Bug #544: ignore invalid cmsg_type on Linux 2.0 kernels, privsep should now work.

From bugzilla-daemon at mindrot.org Wed May 14 22:35:13 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 22:35:13 +1000 (EST)
Subject: [Bug 556] TCP_NODELAY not set completely for port forwarding
Message-ID: <20030514123513.98DF394354@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=556

briang at oasisadvancedengineering.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

From vici at dof.se Wed May 14 22:20:43 2003
From: vici at dof.se (Istvan Viczian)
Date: Wed, 14 May 2003 14:20:43 +0200
Subject: OpenSSH Hostbased authentication HOWTO
Message-ID: <3EC2349B.10309@dof.se>

Hi,

I have tried to configure hostbased authentication on different OS platforms using OpenSSH both on client and server side:

RedHat 7.[2,3] with OpenSSH versions 3.1p1, 3.5p1, 3.6p1
SunOS 5.8 (SOLARIS8) with OpenSSH versions 2.9p1, 3.4p1
BSD/OS 4.1 with OpenSSH version 3.4p1
BIG-IP 4.2PTF-08 with OpenSSH version 3.4p1

Finally I have found a general configuration manner for the hostbased auth. method, using OpenSSH, and I hope it could be useful on other platforms too. I published it as a HOWTO at:

http://www.omega.telia.net/vici/openssh

Feel free to review it and send your notes and suggestions about the content of this page to me. Please send notification to me if the config was successful on other platforms too.

Best Regards,
Istvan Viczian

From bugzilla-daemon at mindrot.org Wed May 14 22:35:29 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 22:35:29 +1000 (EST)
Subject: [Bug 439] key_try_load_public() always sets pathname as the keyfile's comment
Message-ID: <20030514123529.4C94294356@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=439

------- Additional Comments From djm at mindrot.org 2003-05-14 22:35 -------
This won't work through protocol 2 agent connections IIRC

From bugzilla-daemon at mindrot.org Wed May 14 22:37:44 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 22:37:44 +1000 (EST)
Subject: [Bug 556] TCP_NODELAY not set completely for port forwarding
Message-ID: <20030514123744.0AA7A94362@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=556

------- Additional Comments From briang at oasisadvancedengineering.com 2003-05-14 22:37 -------
Created an attachment (id=294)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=294&action=view)
Patch to add the TCP_NODELAY flag after the connection acceptance

From bugzilla-daemon at mindrot.org Wed May 14 22:38:20 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 22:38:20 +1000 (EST)
Subject: [Bug 556] TCP_NODELAY not set completely for port forwarding
Message-ID: <20030514123820.EBBBA94364@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=556

briang at oasisadvancedengineering.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From briang at oasisadvancedengineering.com 2003-05-14 22:38 -------
See patch. Very simple fix

From bugzilla-daemon at mindrot.org Wed May 14 22:41:54 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 22:41:54 +1000 (EST)
Subject: [Bug 444] Wrong path to ssh in scp after re-configure
Message-ID: <20030514124154.E500C94369@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=444

------- Additional Comments From djm at mindrot.org 2003-05-14 22:41 -------
Maybe modify each target to have:

sftp$(EXEEXT): config.h $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-int.o

From bugzilla-daemon at mindrot.org Wed May 14 22:45:07 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 22:45:07 +1000 (EST)
Subject: [Bug 566] ssh-keygen -l does not print key comment for rsa/dsa keys
Message-ID: <20030514124507.8E7CE94342@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=566

           Summary: ssh-keygen -l does not print key comment for rsa/dsa keys
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: trivial
          Priority: P2
         Component: ssh-keygen
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: binder at arago.de

ssh-keygen's option -l prints the key's comment for rsa1 keys, but only the filename for rsa/dsa keys. I'll attach a patch that fixes this, but as it modifies key_try_load_public() in authfile.c, it might have impact on other functionality. So far, I haven't noticed any problem with the patch, but I may have missed something.

From bugzilla-daemon at mindrot.org Wed May 14 22:46:52 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 22:46:52 +1000 (EST)
Subject: [Bug 566] ssh-keygen -l does not print key comment for rsa/dsa keys
Message-ID: <20030514124652.7AE109436C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=566

------- Additional Comments From binder at arago.de 2003-05-14 22:46 -------
Created an attachment (id=295)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=295&action=view)
Patch to make key_try_load_public() use a key's comment

From bugzilla-daemon at mindrot.org Wed May 14 22:49:22 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 22:49:22 +1000 (EST)
Subject: [Bug 556] TCP_NODELAY not set completely for port forwarding
Message-ID: <20030514124922.14BB894375@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=556

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

------- Additional Comments From djm at mindrot.org 2003-05-14 22:49 -------
the bug isn't fixed until the patch is accepted and applied in our tree.

From bugzilla-daemon at mindrot.org Wed May 14 22:50:28 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 22:50:28 +1000 (EST)
Subject: [Bug 566] ssh-keygen -l does not print key comment for rsa/dsa keys
Message-ID: <20030514125028.1A6DC9437B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=566

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

------- Additional Comments From djm at mindrot.org 2003-05-14 22:50 -------
Doesn't anyone search open bugs anymore...

*** This bug has been marked as a duplicate of 439 ***

From bugzilla-daemon at mindrot.org Wed May 14 22:50:29 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 22:50:29 +1000 (EST)
Subject: [Bug 439] key_try_load_public() always sets pathname as the keyfile's comment
Message-ID: <20030514125029.D501E94379@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=439

------- Additional Comments From djm at mindrot.org 2003-05-14 22:50 -------
*** Bug 566 has been marked as a duplicate of this bug. ***

From larsch at trustcenter.de Wed May 14 22:57:17 2003
From: larsch at trustcenter.de (Nils Larsch)
Date: Wed, 14 May 2003 14:57:17 +0200
Subject: small fix for scard-opensc.c
Message-ID: <3EC23D2D.2090301@trustcenter.de>

Hi,

I think there's a small bug in sc_private_decrypt in scard-opensc.c (see attached patch). The 'flags' parameter in the sc_pkcs15_decipher function call should be set to SC_ALGORITHM_RSA_PAD_PKCS1 and not to 0. If flags == 0 then sc_pkcs15_decipher uses RSA raw as a default method which has (at least) two drawbacks:

a) not all cards support RSA raw and
b) sc_pkcs15_decipher does not remove the PKCS#1 padding (and therefore the v1 authentication should fail (as far as I understand the code)).

Nils

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: scard-opensc.diff
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030514/a9c2adab/attachment.ksh

From bugzilla-daemon at mindrot.org Wed May 14 22:54:39 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 22:54:39 +1000 (EST)
Subject: [Bug 297] sshd version 3.3 incompatible with pre-3.3 clients in ssh1 mode
Message-ID: <20030514125439.4BC9094387@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=297

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org 2003-05-14 22:54 -------
Patch was applied long ago

From bugzilla-daemon at mindrot.org Wed May 14 22:55:07 2003
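The padding point in Nils Larsch's scard-opensc.c note above, as an added example (not OpenSSH or OpenSC code): a raw RSA private-key operation hands back the whole PKCS#1 v1.5 encryption block, so unless the caller strips the block type 2 padding the "decrypted challenge" is 128 bytes of header, random filler and message rather than the 32-byte challenge, and the ssh1 response MD5(challenge || session_id) cannot match. The block below shows the padding layout, an unpadding routine that rejects malformed blocks with a single error, and the response comparison. The challenge, session id and modulus size are constructed for the illustration; a real block is what RSA^-1 on the ciphertext returns.

```python
"""PKCS#1 v1.5 block type 2 padding and the ssh1 challenge response.

Added example, not OpenSSH or OpenSC code. Sample values are constructed.
"""
import hashlib
import os


def pkcs1_v15_pad(message, k):
    """Build EM = 0x00 || 0x02 || PS || 0x00 || M (PKCS#1 v1.5, block type 2)
    where PS is at least 8 non-zero random bytes and len(EM) == k, the
    modulus size in bytes. This is what a raw RSA decipher gives back."""
    ps_len = k - len(message) - 3
    if ps_len < 8:
        raise ValueError("message too long for modulus size")
    ps = bytearray()
    while len(ps) < ps_len:
        # drop zero bytes: a zero inside PS would end the padding early
        ps.extend(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + bytes(ps) + b"\x00" + message


def pkcs1_v15_unpad(em, k):
    """Strip block type 2 padding, as a PKCS#1-aware decipher does.
    All checks collapse into one ValueError so the caller learns only
    pass/fail; distinguishable padding errors are what Bleichenbacher-style
    oracles feed on."""
    ok = len(em) == k and em[:2] == b"\x00\x02"
    sep = em.find(b"\x00", 2)          # end of PS; -1 if no separator
    ok = ok and sep >= 10              # PS must be at least 8 bytes long
    if not ok:
        raise ValueError("decryption error")
    return em[sep + 1:]


def ssh1_response(decrypted_challenge, session_id):
    """ssh1 RSA authentication: the client proves possession of the key
    by returning MD5(challenge || session_id)."""
    return hashlib.md5(decrypted_challenge + session_id).digest()


# Constructed sample: a 32-byte challenge as sshd issues, a 16-byte
# session id and a 1024-bit modulus (k = 128 bytes).
CHALLENGE = bytes(range(32))
SESSION_ID = b"\x11" * 16
K = 128


def compare_methods():
    """Return (raw_matches, unpadded_matches): whether the response built
    from the raw decipher output and from the unpadded block equals the
    response the server expects."""
    expected = ssh1_response(CHALLENGE, SESSION_ID)
    raw_block = pkcs1_v15_pad(CHALLENGE, K)  # raw RSA result, padding intact
    raw_ok = ssh1_response(raw_block, SESSION_ID) == expected
    unpadded_ok = ssh1_response(pkcs1_v15_unpad(raw_block, K), SESSION_ID) == expected
    return raw_ok, unpadded_ok


if __name__ == "__main__":
    print("raw decipher matches:", compare_methods()[0])
    print("PKCS#1 decipher matches:", compare_methods()[1])
```

Asking the card for SC_ALGORITHM_RSA_PAD_PKCS1 moves the unpadding onto the token side; whichever side does it, the check has to be the whole-block check above, not a search for the first zero byte.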
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 22:55:07 +1000 (EST)
Subject: [Bug 310] sshd reporting ai_socktype errors when using ssh -X to server
Message-ID: <20030514125507.907A09436B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=310

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From djm at mindrot.org 2003-05-14 22:55 -------
4 months, no reply = no bug

From bugzilla-daemon at mindrot.org Wed May 14 22:57:05 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 22:57:05 +1000 (EST)
Subject: [Bug 342] RhostsRSAAuthentication does not work with 3.4p1
Message-ID: <20030514125705.5935A9436B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=342

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org 2003-05-14 22:57 -------
hostbased was broken for some of the earlier privsep releases, this should have been fixed ages ago. Reopen if this is not the case.

From bugzilla-daemon at mindrot.org Wed May 14 22:59:24 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 22:59:24 +1000 (EST)
Subject: [Bug 368] TTSSH will not connect to OpenSSH_3.4p1
Message-ID: <20030514125924.11AA394363@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=368

------- Additional Comments From djm at mindrot.org 2003-05-14 22:59 -------
Please retest with a recent release, some of the older releases had OpenSSL issues.

From bugzilla-daemon at mindrot.org Wed May 14 23:06:30 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 23:06:30 +1000 (EST)
Subject: [Bug 220] sshd fails to read other users authorized_keys over nfs as root
Message-ID: <20030514130630.E48689437A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=220

------- Additional Comments From djm at mindrot.org 2003-05-14 23:06 -------
Any followup on this, Ben?

From bugzilla-daemon at mindrot.org Wed May 14 23:16:18 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 23:16:18 +1000 (EST)
Subject: [Bug 379] difficult to find the openssh code signing key on openssh.org.
Message-ID: <20030514131618.2A9FA94387@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=379

marcel.kuiper at nl.abnamro.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |

------- Additional Comments From marcel.kuiper at nl.abnamro.com 2003-05-14 23:16 -------
Apparently there's a lot of people spending a large amount of time (or giving up on it) finding this key. (The keyservers do you no good if you don't know that you need Damien Miller's key -- a search for openssh returns Karl Friedl.)

There is no valid reason to make it so hard. In fact, quite the contrary I would say. Internet security would benefit if you would make it easy (most OSS web sites provide links and instructions on signature verification).

How hard can it be to add a small section to the openssh web site?

Marcel

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed May 14 23:25:51 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 23:25:51 +1000 (EST)
Subject: [Bug 379] difficult to find the openssh code signing key on openssh.org.
Message-ID: <20030514132551.0F1199434D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=379

------- Additional Comments From dtucker at zip.com.au 2003-05-14 23:25 -------
Err, that's what the keyid is for:

$ gpg openssh-3.6.1p2.tar.gz.sig
gpg: Signature made Tue Apr 29 19:40:09 2003 EST using DSA key ID 86FF9C48
gpg: Can't check signature: public key not found

$ gpg --recv-key 86FF9C48
gpg: requesting key 86FF9C48 from HKP keyserver wwwkeys.au.pgp.net
gpg: found 0 ownertrust records
gpg: migrated 0 version 2 ownertrusts
gpg: key 86FF9C48: public key imported
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg openssh-3.6.1p2.tar.gz.sig
gpg: Signature made Tue Apr 29 19:40:09 2003 EST using DSA key ID 86FF9C48
gpg: Good signature from "Damien Miller (Personal Key) "
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Fingerprint: 3981 992A 1523 ABA0 79DB FC66 CE8E CB03 86FF 9C48

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed May 14 23:33:43 2003
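The transcript above shows the gap that the rest of this bug is about: the keyserver hands back a key whose ID matches the signature, but gpg still prints "There is no indication that the signature belongs to the owner". The only thing that closes that gap is comparing the fingerprint gpg prints against one obtained out of band. The following is an added example, not code from the bug or from the OpenSSH project, that parses the human-readable gpg output quoted in the comment and accepts a signature only when the fingerprint equals a pinned value; the pinned value is the fingerprint from the transcript, and the impostor sample (key ID 0BADC0DE and its fingerprint) is constructed for illustration.

```python
import re

# Fingerprint and key ID exactly as printed in the transcript above. In real use
# the pinned value comes from an out-of-band source (a previously verified
# download, the project web page, a colleague), never from the keyserver.
PINNED_FINGERPRINT = "3981 992A 1523 ABA0 79DB FC66 CE8E CB03 86FF 9C48"

# Constructed sample: the successful run from the transcript.
SAMPLE_GOOD = """gpg: Signature made Tue Apr 29 19:40:09 2003 EST using DSA key ID 86FF9C48
gpg: Good signature from "Damien Miller (Personal Key) "
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Fingerprint: 3981 992A 1523 ABA0 79DB FC66 CE8E CB03 86FF 9C48
"""

# Constructed sample: the first run, before the key was fetched.
SAMPLE_NO_KEY = """gpg: Signature made Tue Apr 29 19:40:09 2003 EST using DSA key ID 86FF9C48
gpg: Can't check signature: public key not found
"""

# Constructed, hypothetical sample: a "Good signature" from some other key that
# carries the same user ID string. Key ID and fingerprint are made up.
SAMPLE_IMPOSTOR = """gpg: Signature made Tue Apr 29 19:40:09 2003 EST using DSA key ID 0BADC0DE
gpg: Good signature from "Damien Miller (Personal Key) "
gpg: WARNING: This key is not certified with a trusted signature!
Fingerprint: 1111 2222 3333 4444 5555 6666 7777 8888 0BAD C0DE
"""

KEY_ID_RE = re.compile(r"key ID ([0-9A-Fa-f]{8,16})")
FPR_RE = re.compile(r"Fingerprint:\s*([0-9A-Fa-f ]+)")


def verify_gpg_output(output, pinned_fpr=PINNED_FINGERPRINT):
    """Classify a gpg verification transcript against a pinned fingerprint.

    Returns (status, key_id, fingerprint). Only "verified" means the file was
    signed by the key we expect; a "Good signature" whose fingerprint does not
    match the pin is reported as "fingerprint-mismatch" and must be rejected.
    """
    key_id_m = KEY_ID_RE.search(output)
    key_id = key_id_m.group(1).upper() if key_id_m else None
    fpr_m = FPR_RE.search(output)
    fpr = fpr_m.group(1).replace(" ", "").upper() if fpr_m else None
    pinned = pinned_fpr.replace(" ", "").upper()

    if "Can't check signature" in output:
        return ("missing-key", key_id, fpr)
    if "BAD signature" in output:
        return ("bad-signature", key_id, fpr)
    if "Good signature" not in output:
        return ("unknown", key_id, fpr)
    # For OpenPGP v4 keys the short key ID is the tail of the fingerprint;
    # output that violates this has been tampered with or misparsed.
    if key_id and fpr and not fpr.endswith(key_id):
        return ("inconsistent-output", key_id, fpr)
    if fpr == pinned:
        return ("verified", key_id, fpr)
    return ("fingerprint-mismatch", key_id, fpr)


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("no-key", SAMPLE_NO_KEY),
                         ("impostor", SAMPLE_IMPOSTOR)):
        print(name, verify_gpg_output(sample))
```

The short key ID is only a lookup handle for `--recv-key`; the decision to trust a download rests on the full fingerprint comparison, which is why a web page listing the fingerprint (the request in this bug) and a keyserver (the maintainer's answer) are complementary rather than alternatives.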
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 23:33:43 +1000 (EST)
Subject: [Bug 336] ssh does not compile on Linux with libc5 and 2.0 kernel
Message-ID: <20030514133343.3CBE994357@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=336

------- Additional Comments From dtucker at zip.com.au 2003-05-14 23:33 -------
Actually, I think this is a different problem to bug #544 but I've also had reports of libc5 working with recent OpenSSH versions. Anyway, please try a snapshot and re-open if this is not fixed.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed May 14 23:53:29 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 14 May 2003 23:53:29 +1000 (EST)
Subject: [Bug 439] key_try_load_public() always sets pathname as the keyfile's comment
Message-ID: <20030514135329.DADF0943A8@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=439

binder at arago.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #178 is|0                           |1
          obsolete|                            |

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu May 15 00:00:41 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 00:00:41 +1000 (EST)
Subject: [Bug 439] key_try_load_public() always sets pathname as the keyfile's comment
Message-ID: <20030514140041.ACCC494357@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=439

------- Additional Comments From binder at arago.de 2003-05-15 00:00 -------
> *** Bug 566 has been marked as a duplicate of this bug. ***

This is so embarrassing - I didn't remember I had already filed this patch. Sorry for that.

Anyway, the patch here is not working correctly, as it doesn't strip the newline at the end of the comment, so I'll attach the new one.

> This won't work through protocol 2 agent connections IIRC

Mhmm, could you go a bit more into detail? Why should /home/foo/.ssh/id_rsa.pub work when placed in *commentp, but not someone at example.com

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu May 15 00:02:09 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 00:02:09 +1000 (EST)
Subject: [Bug 439] key_try_load_public() always sets pathname as the keyfile's comment
Message-ID: <20030514140209.6EDE1943AF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=439

------- Additional Comments From binder at arago.de 2003-05-15 00:02 -------
Created an attachment (id=296)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=296&action=view)
New patch, now strips newline

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu May 15 00:15:05 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 00:15:05 +1000 (EST)
Subject: [Bug 379] difficult to find the openssh code signing key on openssh.org.
Message-ID: <20030514141505.0F2C1943B4@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=379

------- Additional Comments From marcel.kuiper at nl.abnamro.com 2003-05-15 00:15 -------
Good point, but notwithstanding that, things can be made a lot easier for the masses without a lot of effort.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu May 15 00:27:11 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 00:27:11 +1000 (EST)
Subject: [Bug 551] ssh install fails on Tru64 V5.0A
Message-ID: <20030514142711.04F25943B5@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=551

------- Additional Comments From rothstc at polaroid.com 2003-05-15 00:27 -------
I still get the same error with -4 on the command line.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From sonnyjz at isc.upenn.edu Thu May 15 00:46:29 2003
From: sonnyjz at isc.upenn.edu (Sonny J Zambrana)
Date: Wed, 14 May 2003 10:46:29 -0400 (EDT)
Subject: SSH FTP Directories
In-Reply-To: <4.2.2.20030513163822.00ac5e00@127.0.0.1>
References: <4.2.2.20030513163822.00ac5e00@127.0.0.1>
Message-ID: 

I have had the same problem in the past but it was actually related to the client software. Clients were using filezilla (terrible product in my opinion, but unfortunately the standard for windows machines here). I had them update their clients and the * after the filename automagically disappeared. I would look into your client settings as well as possibly updating the software.

- Sonny J Zambrana
Systems Administrator
University Of Pennsylvania

On Tue, 13 May 2003, David Turner wrote:

>
> I am making a SSH FTP client implementation, and I have run into a problem
> with directory listings. Some servers (e.g. Solaris) place * at the end of
> executable filenames, and when a directory listing is done, these are in
> the listing. As the * character is a valid filename character in UNIX, I
> need a way to determine if its indeed just an executable file, or if its
> actually part of the filename and should not be truncated. Is there a good
> way to determine what scenario I'm dealing with?
>
> Thanks,
> David
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From jnijhof at nijhofnet.nl Thu May 15 00:47:50 2003
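The ambiguity David describes (a trailing `*` that may be an `ls -F` executable marker or a literal character in the name) cannot be resolved from the decorated name alone, but a long-format listing carries the mode string, which rules the marker out for non-executable files. The following is an added example, not code from either poster or from OpenSSH, that applies that check and otherwise prefers the undecorated filename field that an SFTP server returns separately from the `ls -l` style "longname"; the listing lines are constructed for illustration.

```python
import re

# Constructed samples in the ls -l style "longname" form. The first two carry
# -F style classifiers, the third has a literal "*" in its name, the fourth is
# a setuid executable with no decoration at all.
SAMPLE_LISTING = [
    "-rwxr-xr-x    1 applmgr  staff       2048 May 14 16:46 deploy.sh*",
    "drwxr-xr-x    2 applmgr  staff        512 May 14 16:46 bin/",
    "-rw-r--r--    1 applmgr  staff         12 May 14 16:46 notes*",
    "-rwsr-xr-x    1 root     wheel      10240 May 14 16:46 helper",
]

# mode, link count, owner, group, size, month, day, time-or-year, name
LS_LINE_RE = re.compile(
    r"^([-dlcbps][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$"
)


def is_executable(mode):
    # Execute positions are indexes 3, 6 and 9. 'x', 's' and 't' mean the
    # bit is set; 'S' and 'T' mean setuid/setgid/sticky without execute.
    return any(ch in "xst" for ch in mode[3::3])


def strip_classifier(longname):
    """Return (name, decision) for one ls -l style line.

    decision is "marker" when the trailing character is consistent with an
    ls -F classifier for this mode, "literal" when the mode rules it out,
    and "none" when there is no candidate suffix. An executable whose real
    name ends in "*" is indistinguishable from a marked one, so "marker"
    is a best guess, not proof.
    """
    m = LS_LINE_RE.match(longname)
    if not m:
        raise ValueError("not an ls -l style line: %r" % longname)
    mode, name = m.group(1), m.group(2)
    if name.endswith("*"):
        # ls -F only appends "*" to regular files with an execute bit set.
        if mode[0] == "-" and is_executable(mode):
            return (name[:-1], "marker")
        return (name, "literal")
    if name.endswith("/"):
        if mode[0] == "d":
            return (name[:-1], "marker")
        return (name, "literal")
    return (name, "none")


def resolve_name(filename, longname):
    """Prefer the server's undecorated filename field; fall back to the heuristic."""
    if filename:
        return filename
    return strip_classifier(longname)[0]


if __name__ == "__main__":
    for line in SAMPLE_LISTING:
        print(strip_classifier(line))
```

A client that keys its file operations on the `filename` field of the directory-listing reply never sees the decoration problem at all; the heuristic is only for listings where that field is missing or has itself been decorated by a server-side `ls -F`.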
From: jnijhof at nijhofnet.nl (Jeroen Nijhof)
Date: 14 May 2003 16:47:50 +0200
Subject: new feature chroot environment patch
Message-ID: <1052923669.2163.13.camel@tuvok>

Hi,

I have written code which enables chroot environments for users. A new sshd configuration item ChrootUsers contains a list of users which have a chroot environment. So if the user is not in the list he gets his normal environment. For users that are in the chrootusers list their homedir becomes / .

Can you please apply this patch?

With kind regards,

Jeroen Nijhof

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-3.6.1p2-chroot.patch.gz
Type: application/x-gzip
Size: 1408 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030514/3e1125cc/attachment.bin

From vici at dof.se Thu May 15 00:53:30 2003
From: vici at dof.se (Istvan Viczian)
Date: Wed, 14 May 2003 16:53:30 +0200
Subject: OpenSSH hostbased authentication without DNS
Message-ID: <3EC2586A.9070609@dof.se>

Hi,

I have found a general way to configure hostbased authentication using OpenSSH on several , (I created a howto about it at http://www.omega.telia.net/vici/openssh) but there is one remaining problem which I still could not solve.

I would like to make hostbased authentication work without DNS resolving available both on the server and client side. First I added the IP addresses to the appropriate config files on the server side, and if the DNS service does not work on the server side, the hostbased authentication works fine. But when I disable DNS service only on the client side, and try to login by ssh hostbased authentication method to the target machine, the hostbased authentication method seems to fail on the client side, because the client could not resolve its own name:

[root at localhost etc]# ssh -o HostBasedAuthentication=yes 10.1.1.1
get_socket_ipaddr: getnameinfo 8 failed
userauth_hostbased: cannot get local ipaddr/name

This problem seems general, using any of OpenSSH_3.x version both on client and server side. I tried to find any configurational solution in order to avoid it, but I have not found any.

Regards,
Istvan

From bugzilla-daemon at mindrot.org Thu May 15 01:13:58 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 01:13:58 +1000 (EST)
Subject: [Bug 379] difficult to find the openssh code signing key on openssh.org.
Message-ID: <20030514151358.21701943C7@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=379

------- Additional Comments From jsmith at purdue.edu 2003-05-15 01:13 -------
After I posted my original bug report, I received email from people all over the world, saying "please send me the signing key."

Putting a reference to the key on your web site increases the odds that people will actually check the signature. It's easy to do. It costs nothing.

I'm a big fan of openssh and open source in general. But lack of responsiveness on a trivial issue like this makes it more difficult to "sell" the idea of using open source products to management. That is unfortunate, and ultimately harmful to the open source movement.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From jnijhof at nijhofnet.nl Thu May 15 01:34:19 2003
From: jnijhof at nijhofnet.nl (Jeroen Nijhof)
Date: 14 May 2003 17:34:19 +0200
Subject: new feature chroot environment patch
Message-ID: <1052926459.16737.10.camel@tuvok>

I'm really sorry but I've sent the wrong patch file.. Here is the good one.

Jeroen

References: <20030514125028.1A6DC9437B@shitei.mindrot.org>
Message-ID: <20030514162234.GA715152@ohm.arago.de>

Hi!

On Wed, May 14, 2003 at 10:50:28PM +1000, bugzilla-daemon at mindrot.org wrote:
> ------- Additional Comments From djm at mindrot.org 2003-05-14 22:50 -------
> Doesn't anyone search open bugs anymore...
>
> *** This bug has been marked as a duplicate of 439 ***

This is even more embarrassing, as _I_ was the one who opened 439 in the first place ... Didn't remember that, sorry.

Ciao
Thomas

From bugzilla-daemon at mindrot.org Thu May 15 05:03:07 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 05:03:07 +1000 (EST)
Subject: [Bug 561] Please implement MaxAuthTries
Message-ID: <20030514190307.220889422C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=561

------- Additional Comments From wmertens at gentoo.org 2003-05-15 05:03 -------
Well, yes, and this is what I did, but it's not really a good solution imho. I mean, the fact that Sun implements it means that Sun thought it was worth implementing, even as a stop-gap measure.

Do you think there is a way to get around this error when it's legitimate?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From jfh at cise.ufl.edu Thu May 15 05:07:56 2003
From: jfh at cise.ufl.edu (James F.Hranicky)
Date: Wed, 14 May 2003 15:07:56 -0400
Subject: Kerberos password auth/expiry kbdint patch
Message-ID: <20030514150756.366349f9.jfh@cise.ufl.edu>

Is anyone interested in the patch I submitted to this list adding keyboard interactive Kerberos support (i.e., should I submit a bugzilla report)?

If not, I can just maintain it locally.

Thanks,

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh at cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
About politics:
  Don't worry about results
  It's the thought that counts

From deengert at anl.gov Thu May 15 06:24:49 2003
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 14 May 2003 15:24:49 -0500
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
References: <20030514150756.366349f9.jfh@cise.ufl.edu>
Message-ID: <3EC2A611.614798C6@anl.gov>

Rather than adding Kerberos password support directly into OpenSSH, I would recommend that you use GSSAPI support from Simon Wilkinson http://www.sxw.org.uk/computing/patches/openssh.html

If you must send the kerberos userid and password over the network then use the PAM exits to authenticate to Kerberos. In other words avoid adding Kerberos directly into OpenSSH.

Simon's excellent GSSAPI code is following along closely with the IETF "GSSAPI Authentication and Key Exchange for the Secure Shell Protocol" http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-06.txt

So I would like to ask the OpenSSH developers to pick up Simon's GSSAPI modifications instead.

The GSSAPI has been implemented by a number of other vendors as well, so having this in OpenSSH would greatly enhance interoperability.

We are now on Simon's mods on 3.6.1p2 and have run this way since 3.0.2 on a number of platforms. We use Unix and Windows based ssh clients to connect to the servers running OpenSSH. I am sure there are many other sites doing the same thing and all of us would appreciate it if GSSAPI mods were included in the base OpenSSH source.

"James F.Hranicky" wrote:
>
> Is anyone interested in the patch I submitted to this list adding keyboard
> interactive Kerberos support (i.e., should I submit a bugzilla report)?
>
> If not, I can just maintain it locally.
>
> Thanks,
>
> ----------------------------------------------------------------------
> | Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
> | E314D CSE Building                            Phone (352) 392-1499 |
> | jfh at cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
> ----------------------------------------------------------------------
> About politics:
>   Don't worry about results
>   It's the thought that counts
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From mouring at etoh.eviladmin.org Thu May 15 06:31:34 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 14 May 2003 15:31:34 -0500 (CDT)
Subject: new feature chroot environment patch
In-Reply-To: <1052923669.2163.13.camel@tuvok>
Message-ID: 

Long time ago it was decided this feature does not belong in OpenSSH, but belongs in the user's shell or via a pam (or the local authentication method) module.

- Ben

On 14 May 2003, Jeroen Nijhof wrote:

> Hi,
>
> I have written code which enables chroot environments for users.
> A new sshd configuration item ChrootUsers contains a list of users which
> have a chroot environment. So if the user is not in the list he gets his
> normal environment.
> For users that are in the chrootusers list their homedir becomes / .
>
> Can you please apply this patch?
>
>
> With kind regards,
>
> Jeroen Nijhof
>

From jfh at cise.ufl.edu Thu May 15 06:38:00 2003
From: jfh at cise.ufl.edu (James F.Hranicky)
Date: Wed, 14 May 2003 16:38:00 -0400
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <3EC2A611.614798C6@anl.gov>
References: <20030514150756.366349f9.jfh@cise.ufl.edu> <3EC2A611.614798C6@anl.gov>
Message-ID: <20030514163800.1c38fa46.jfh@cise.ufl.edu>

On Wed, 14 May 2003 15:24:49 -0500
"Douglas E. Engert" wrote:

> Rather than adding Kerberos password support directly into OpenSSH, I would
> recommend that you use GSSAPI support from Simon Wilkinson
> http://www.sxw.org.uk/computing/patches/openssh.html
>
> If you must send the kerberos userid and password over the network then use
> the PAM exits to authenticate to Kerberos. In other words avoid adding Kerberos
> directly into OpenSSH.

Well, it was there to begin with, I just "made it better" :->

> Simon's excellent GSSAPI code is following along closely with the IETF
> "GSSAPI Authentication and Key Exchange for the Secure Shell Protocol"
> http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-06.txt

I know about the GSSAPI patch, but in my transition to using Kerberos for authentication to my systems, I'm not going to require everyone use GSSAPI for access to my network, at least not for a while. Honestly, I'm hesitant to require it ever until I can do away with remote password authentication (i.e., require GSSAPI/Kerb auth) for all network access to my systems, as it simply (IMHO) makes network access more confusing when there are two methods to authenticate to my systems depending on the client.

Then there's the difficulty of getting all of my remote users to get GSSAPI-enabled apps for all their access, a problem that AFAICT simply hasn't been solved in the Kerberos world. Until it is, I'm hesitant to even announce it to my users to avoid confusion.

You can see more of my ranting on the Kerberos list/newsgroup :->

> So I would like to ask the OpenSSH developers to pick up Simon's GSSAPI
> modifications instead.
Well, must we pick one or the other? Could both not exist in the same sshd binary?

> The GSSAPI has been implemented by a number of other vendors as well,
> so having this in OpenSSH would greatly enhance interoperability.
>
> We are now on Simon's mods on 3.6.1p2 and have run this way since
> 3.0.2 on a number of platforms. We use Unix and Windows based ssh clients
> to connect to the servers running OpenSSH. I am sure there are many other
> sites doing the same thing and all of us would appreciate it if GSSAPI mods
> were included in the base OpenSSH source.

I second the call to add the GSSAPI support into OpenSSH as well. My plan is to eventually include both my patch and the GSSAPI patch into my openssh servers. Again, I'm not sure that one must pick one or the other. If the developers think so, I'll maintain my patch locally. Either way.

Jim

From smoogen at lanl.gov Thu May 15 06:47:38 2003
From: smoogen at lanl.gov (Stephen Smoogen)
Date: 14 May 2003 14:47:38 -0600
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <3EC2A611.614798C6@anl.gov>
References: <20030514150756.366349f9.jfh@cise.ufl.edu> <3EC2A611.614798C6@anl.gov>
Message-ID: <1052945258.6440.23.camel@smoogen1.lanl.gov>

I would also like to HIGHLY recommend the GSSAPI patches that Simon has donated over the last couple of years. They have been excellent and have helped us sell/install an opensource solution instead of other solutions (and platforms).

On Wed, 2003-05-14 at 14:24, Douglas E. Engert wrote:
> Rather than adding Kerberos password support directly into OpenSSH, I would
> recommend that you use GSSAPI support from Simon Wilkinson
> http://www.sxw.org.uk/computing/patches/openssh.html
>
> If you must send the kerberos userid and password over the network then use
> the PAM exits to authenticate to Kerberos. In other words avoid adding Kerberos
> directly into OpenSSH.
>
> Simon's excellent GSSAPI code is following along closely with the IETF
> "GSSAPI Authentication and Key Exchange for the Secure Shell Protocol"
> http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-06.txt
>
> So I would like to ask the OpenSSH developers to pick up Simon's GSSAPI
> modifications instead.
>
> The GSSAPI has been implemented by a number of other vendors as well,
> so having this in OpenSSH would greatly enhance interoperability.
>
> We are now on Simon's mods on 3.6.1p2 and have run this way since
> 3.0.2 on a number of platforms. We use Unix and Windows based ssh clients
> to connect to the servers running OpenSSH. I am sure there are many other
> sites doing the same thing and all of us would appreciate it if GSSAPI mods
> were included in the base OpenSSH source.
>
> "James F.Hranicky" wrote:
> >
> > Is anyone interested in the patch I submitted to this list adding keyboard
> > interactive Kerberos support (i.e., should I submit a bugzilla report)?
> >
> > If not, I can just maintain it locally.
> >
> > Thanks,
> >
> > ----------------------------------------------------------------------
> > | Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
> > | E314D CSE Building                            Phone (352) 392-1499 |
> > | jfh at cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
> > ----------------------------------------------------------------------
> > About politics:
> >   Don't worry about results
> >   It's the thought that counts
> >
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
> --
>
> Douglas E. Engert
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

--
Stephen John Smoogen                   smoogen at lanl.gov
Los Alamos National Labrador  CCN-5  Sched 5/40  PH: 4-0645 (note new #)
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --

From magustin at Corio.com Thu May 15 06:52:34 2003
From: magustin at Corio.com (Agustin, Mario)
Date: Wed, 14 May 2003 13:52:34 -0700
Subject: AIX Problem
Message-ID: 

Hello All,

I'm getting a peculiar error can you guys tell me what I need?

debug1: restore_uid
debug2: key not found
debug1: temporarily_use_uid: 210/1 (e=0)
debug1: trying public key file /home/applmgr/.ssh/authorized_keys2
debug3: secure_filename: checking '/home/applmgr/.ssh'
debug3: secure_filename: checking '/home/applmgr'
debug3: secure_filename: terminating check at '/home/applmgr'
debug1: matching key found: file /home/applmgr/.ssh/authorized_keys2, line 1
Found matching DSA key: 0b:3a:2a:ff:38:56:e6:26:d8:20:bc:10:a0:44:76:e5
debug1: restore_uid
debug1: ssh_dss_verify: signature correct
debug2: userauth_pubkey: authenticated 1 pkalg ssh-dss
debug2: pam_acct_mgmt() = 10
PAM rejected by account configuration[10]: Authentication failed
Failed publickey for applmgr from 66.77.35.36 port 51486 ssh2

Mario Agustin
Office: 602-643-4079
Cell: 602-206-5447

****************************************************************************
*************************
The information in this email is confidential and may be legally privileged. Access to this email by anyone other than the intended addressee is unauthorized. If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system.
****************************************************************************
*************************

From fcusack at fcusack.com Thu May 15 06:57:48 2003
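The trace above is worth reading in order: the authorized_keys lookup succeeds, the DSA signature verifies, and only then does `pam_acct_mgmt()` return a non-zero code and sshd log "Failed publickey". The "Failed" line alone, as it would appear in the auth log, makes this look like a key problem when it is really PAM's account-management stage refusing the login (the numeric code is platform-specific and has to be decoded against the local PAM headers). The following is an added example, not code from the list or from OpenSSH, that triages an `sshd -ddd` excerpt into one of those cases; the first sample is the trace quoted above, the second is a constructed successful variant.

```python
import re

# Constructed sample: the sshd -ddd excerpt quoted in the mail above.
SAMPLE_REJECTED = """debug1: restore_uid
debug2: key not found
debug1: temporarily_use_uid: 210/1 (e=0)
debug1: trying public key file /home/applmgr/.ssh/authorized_keys2
debug3: secure_filename: checking '/home/applmgr/.ssh'
debug3: secure_filename: checking '/home/applmgr'
debug3: secure_filename: terminating check at '/home/applmgr'
debug1: matching key found: file /home/applmgr/.ssh/authorized_keys2, line 1
Found matching DSA key: 0b:3a:2a:ff:38:56:e6:26:d8:20:bc:10:a0:44:76:e5
debug1: restore_uid
debug1: ssh_dss_verify: signature correct
debug2: userauth_pubkey: authenticated 1 pkalg ssh-dss
debug2: pam_acct_mgmt() = 10
PAM rejected by account configuration[10]: Authentication failed
Failed publickey for applmgr from 66.77.35.36 port 51486 ssh2
"""

# Constructed, hypothetical sample: the same flow when the account stage passes.
SAMPLE_ACCEPTED = """debug1: matching key found: file /home/applmgr/.ssh/authorized_keys2, line 1
Found matching DSA key: 0b:3a:2a:ff:38:56:e6:26:d8:20:bc:10:a0:44:76:e5
debug1: ssh_dss_verify: signature correct
debug2: pam_acct_mgmt() = 0
Accepted publickey for applmgr from 66.77.35.36 port 51486 ssh2
"""

KEY_RE = re.compile(r"Found matching (\w+) key: ([0-9a-f:]{47})")
VERIFY_RE = re.compile(r"ssh_(dss|rsa)_verify: signature correct")
ACCT_RE = re.compile(r"pam_acct_mgmt\(\) = (\d+)")
RESULT_RE = re.compile(r"(Accepted|Failed) (\w+) for (\S+) from (\S+) port (\d+)")


def triage_pubkey_attempt(log_text):
    """Summarise one public-key authentication attempt from sshd debug output.

    The verdict separates "the key was wrong" from "the key was right but the
    account stage refused the login", which an auth.log "Failed publickey"
    line by itself does not distinguish.
    """
    r = {"key_type": None, "fingerprint": None, "signature_ok": False,
         "pam_acct_rc": None, "user": None, "src_ip": None, "verdict": None}
    for line in log_text.splitlines():
        m = KEY_RE.search(line)
        if m:
            r["key_type"], r["fingerprint"] = m.group(1), m.group(2)
        if VERIFY_RE.search(line):
            r["signature_ok"] = True
        m = ACCT_RE.search(line)
        if m:
            r["pam_acct_rc"] = int(m.group(1))
        m = RESULT_RE.search(line)
        if m:
            r["user"], r["src_ip"] = m.group(3), m.group(4)

    if r["signature_ok"] and r["pam_acct_rc"] not in (None, 0):
        # Key accepted, login refused by PAM account management (expired
        # password, locked account, login restriction): not a key problem.
        r["verdict"] = "account-policy-rejection"
    elif r["signature_ok"]:
        r["verdict"] = "key-accepted"
    elif r["fingerprint"]:
        r["verdict"] = "signature-failed"
    else:
        r["verdict"] = "no-matching-key"
    return r


if __name__ == "__main__":
    for sample in (SAMPLE_REJECTED, SAMPLE_ACCEPTED):
        print(triage_pubkey_attempt(sample))
```

On a server running with PAM, an "account-policy-rejection" verdict points at the account's PAM and platform password-aging state rather than at the key or the authorized_keys file; on the key side everything in this trace already passed.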
From: fcusack at fcusack.com (Frank Cusack)
Date: Wed, 14 May 2003 13:57:48 -0700
Subject: Changes in tonights snapshot
In-Reply-To: <3EC1D4E7.4030905@mindrot.org>; from djm@mindrot.org on Wed, May 14, 2003 at 03:32:23PM +1000
References: <3EC1D4E7.4030905@mindrot.org>
Message-ID: <20030514135747.A3497@google.com>

On Wed, May 14, 2003 at 03:32:23PM +1000, Damien Miller wrote:
> There are a couple of noteworthy changes in tonight's snapshot:
...

Thanks for this.

What are the chances of getting Simon Wilkinson's GSSAPI code into CVS?

/fc

From bugzilla-daemon at mindrot.org Thu May 15 06:59:11 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 06:59:11 +1000 (EST)
Subject: [Bug 188] pam_chauthtok() is called too late
Message-ID: <20030514205911.78E06943D5@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=188

------- Additional Comments From fcusack at fcusack.com 2003-05-15 06:59 -------
Can you clarify on whether the PATCH is just bitrotted or whether this has actually been fixed with newpam? If not fixed, can we re-open this bug and just declare the patch obsolete?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From stuge-openssh-unix-dev at cdy.org Thu May 15 08:03:01 2003
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Thu, 15 May 2003 00:03:01 +0200
Subject: AIX Problem
In-Reply-To: 
References: 
Message-ID: <20030514220301.GD27245@foo.birdnet.se>

On Wed, May 14, 2003 at 01:52:34PM -0700, Agustin, Mario wrote:
> I'm getting a peculiar error can you guys tell me what I need?
[..snip..]
> The information in this email is confidential and may be legally
> privileged.

Please don't send confidential email to public mailing lists - much less asking for advice in them.

//Peter

From bugzilla-daemon at mindrot.org Thu May 15 08:56:25 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 08:56:25 +1000 (EST)
Subject: [Bug 379] difficult to find the openssh code signing key on openssh.org.
Message-ID: <20030514225625.21BEB9420D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=379

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WONTFIX

------- Additional Comments From djm at mindrot.org 2003-05-15 08:56 -------
Use a keyserver. As I mentioned, this is the canonical place to find keys.

Please don't reopen this bug, my mind is made up.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From djm at mindrot.org Thu May 15 08:58:07 2003
From: djm at mindrot.org (Damien Miller)
Date: Thu, 15 May 2003 08:58:07 +1000
Subject: Kerberos password auth/expiry kbdint patch
In-Reply-To: <20030514150756.366349f9.jfh@cise.ufl.edu>
References: <20030514150756.366349f9.jfh@cise.ufl.edu>
Message-ID: <3EC2C9FF.1040107@mindrot.org>

James F.Hranicky wrote:
> Is anyone interested in the patch I submitted to this list adding keyboard
> interactive Kerberos support (i.e., should I submit a bugzilla report)?

I don't know enough kerberos to make decisions about such patches, but it is always useful to put them in bugzilla where people can easily find them.

-d

From bugzilla-daemon at mindrot.org Thu May 15 09:00:41 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 09:00:41 +1000 (EST)
Subject: [Bug 188] pam_chauthtok() is called too late
Message-ID: <20030514230041.10D799436B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=188

------- Additional Comments From djm at mindrot.org 2003-05-15 09:00 -------
I am repeating myself: the patch is bitrotted and the password change discussions are now happening in the other bugs.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu May 15 09:08:46 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 09:08:46 +1000 (EST)
Subject: [Bug 551] ssh install fails on Tru64 V5.0A
Message-ID: <20030514230846.9AC779438D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=551

------- Additional Comments From dtucker at zip.com.au 2003-05-15 09:08 -------
OK then, please run sshd in debug mode (eg "sshd -ddd -p 2022") then add the output as an attachment to this bug.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From djm at mindrot.org Thu May 15 10:06:10 2003
From: djm at mindrot.org (Damien Miller)
Date: Thu, 15 May 2003 10:06:10 +1000
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <3EC2A611.614798C6@anl.gov>
References: <20030514150756.366349f9.jfh@cise.ufl.edu> <3EC2A611.614798C6@anl.gov>
Message-ID: <3EC2D9F2.1070109@mindrot.org>

Douglas E. Engert wrote:
> Simon's excellent GSSAPI code is following along closely
> with the IETF "GSSAPI Authentication and Key Exchange for
> the Secure Shell Protocol"
> http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-06.txt
>
> So I would like to ask the OpenSSH developers to pick up Simon's
> GSSAPI modifications instead.

The changes to the server to support kerberos-2 at ssh.com are about 30 lines of new code in two files.

Simon's code:
36 files changed, 3321 insertions(+), 9 deletions(-)

Please consider:

a) kerberos-2 at ssh.com can coexist with Simon's code, should it be merged at some future time;
b) Simon's code constitutes two orders of magnitude more change than what Markus committed;
c) not all the developers are familiar with Kerberos and GSSAPI;
d) Simon's code is still going through the IETF process, whereas SSH.COM's is very minimal (basically a cleanup of the protocol 1 Kerberos support) and therefore less likely to change;
e) being volunteers, our time is limited; and
f) security problems have been caused in the past by large merges

-d

From djm at mindrot.org Thu May 15 17:31:16 2003
From: djm at mindrot.org (Damien Miller)
Date: Thu, 15 May 2003 17:31:16 +1000
Subject: KerberosIV support
Message-ID: <3EC34244.5020104@mindrot.org>

Hi All,

The OpenBSD tree is likely to be dropping KerberosIV support very soon. We will ultimately follow suit, but if there are many Krb4 users we may give a transition period of a release or two.

AFAIK we don't compile at all against MIT KrbIV because of library conflicts.

So, who is using OpenSSH Krb4 support at the moment?

-d

From bugzilla-daemon at mindrot.org Thu May 15 18:05:30 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 18:05:30 +1000 (EST)
Subject: [Bug 207] Connect timeout patch
Message-ID: <20030515080530.6E33B9420D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=207

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #63 is|0                           |1
          obsolete|                            |
Attachment #101 is|0                           |1
          obsolete|                            |
Attachment #102 is|0                           |1
          obsolete|                            |
Attachment #118 is|0                           |1
          obsolete|                            |
Attachment #154 is|0                           |1
          obsolete|                            |
Attachment #274 is|0                           |1
          obsolete|                            |

------- Additional Comments From djm at mindrot.org 2003-05-15 18:05 -------
Created an attachment (id=297)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=297&action=view)
ConnectTimeout patch for CVS head

This is a slightly cleaned-up patch for CVS -current

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu May 15 18:11:02 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 18:11:02 +1000 (EST)
Subject: [Bug 207] Connect timeout patch
Message-ID: <20030515081102.1793194220@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=207

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
    Attachment #297|ConnectTimeout patch for CVS|ConnectTimeout patch for
        description|head                        |OpenBSD CVS head

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 18:13:06 +1000 (EST)
Subject: [Bug 535] Wrong information in manual page about -6 option.
Message-ID: <20030515081306.01CBF94235@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=535

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Additional Comments From djm at mindrot.org 2003-05-15 18:13 -------
That is a bug on your system then (possibly in your resolver). Could you
attach a debug trace from a session where it falls back to IPv4?

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 18:21:33 +1000 (EST)
Subject: [Bug 77] Configure Script contains /usr/local/lib /usr/local/include FLAGS
Message-ID: <20030515082133.DF2E794228@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=77

------- Additional Comments From djm at mindrot.org 2003-05-15 18:21 -------
Created an attachment (id=298)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=298&action=view)
Remove /usr/local as implicit include/library search path

I am afraid that removing /usr/local will increase the number of support
queries, OTOH I see your point. This patch would need to be tested widely.

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 18:23:25 +1000 (EST)
Subject: [Bug 127] PAM with ssh authentication and pam_krb5 doesn't work properly
Message-ID: <20030515082325.5E4D89436D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=127

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From djm at mindrot.org 2003-05-15 18:23 -------
4 months, no reply = no bug

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 18:31:31 +1000 (EST)
Subject: [Bug 510] corrupted mac address disconnecting
Message-ID: <20030515083131.706E39436D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=510

------- Additional Comments From djm at mindrot.org 2003-05-15 18:31 -------
Please attach full version information (client + server) and debug traces
from each end.

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 18:36:46 +1000 (EST)
Subject: [Bug 343] Only try connect to first address when creating tunnel
Message-ID: <20030515083646.08905943D4@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=343

------- Additional Comments From djm at mindrot.org 2003-05-15 18:36 -------
The fix for Bug #207 may be useful here

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 18:50:44 +1000 (EST)
Subject: [Bug 517] bad "put" arg parsing
Message-ID: <20030515085044.737EF94223@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=517

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #265 is|0                           |1
           obsolete|                            |

------- Additional Comments From djm at mindrot.org 2003-05-15 18:50 -------
Created an attachment (id=299)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=299&action=view)
More concise patch

Here is a more concise patch

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 18:58:10 +1000 (EST)
Subject: [Bug 518] _PATH_STDPATH can get redefined in includes.h if paths.h exists
Message-ID: <20030515085810.8A905943E2@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=518

------- Additional Comments From djm at mindrot.org 2003-05-15 18:58 -------
I don't see this in the current code. includes.h includes paths.h fairly
early and pulls in defines.h very close to the end. Can you confirm with
CVS head or 3.6.1p2?

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 19:00:24 +1000 (EST)
Subject: [Bug 529] sshd doesn't work correctly after SIGHUP
Message-ID: <20030515090024.8168994217@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=529

------- Additional Comments From djm at mindrot.org 2003-05-15 19:00 -------
Please attach the patch to the bug, rather than pasting it in the comments
field. Patches in comments are a PITA to extract.

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 19:03:20 +1000 (EST)
Subject: [Bug 567] pb at the end of compil with a dump of ssh-keygen
Message-ID: <20030515090320.18EA8943E1@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=567

           Summary: pb at the end of compil with a dump of ssh-keygen
           Product: Portable OpenSSH
           Version: -current
          Platform: MIPS
        OS/Version: IRIX
            Status: NEW
          Severity: critical
          Priority: P1
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: penalva at cines.fr
                CC: penalva at cines.fr


At the end of the install process of openSSH 3.6.1p2 on irix 6.5.18f,
there's a problem with ssh-keygen. I get the messages:

/usr/local/etc/ssh_config already exists, install will not overwrite
/usr/local/etc/sshd_config already exists, install will not overwrite
/usr/local/etc/ssh_prng_cmds already exists, install will not overwrite
/usr/local/etc/moduli already exists, install will not overwrite
Generating public/private rsa1 key pair.
rsa_generate_private_key: key generation failed.
Generating public/private dsa key pair.
dsa_generate_private_key: DSA_generate_parameters failed
Generating public/private rsa key pair.
rsa_generate_private_key: key generation failed.
make: *** [host-key] Error 255

The env variables:
CC=cc
CFLAGS="-mips3 -n32 -O2"
LDFLAGS="-L/usr/local/lib"

My configure options are:
./configure --with-privsep-user=sshd --with-ssl-dir=/usr/local/ssl --with-tcp-wrappers=/usr/local/pub/tcp_wrappers_7.6 --with-default-path=/usr/sbin:/usr/bsd:/sbin:/usr/bin:/etc:/usr/etc:/usr/bin/X11:/usr/freeware/bin:/usr/oem/bin

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 19:03:22 +1000 (EST)
Subject: [Bug 552] broken reference from scp.c
Message-ID: <20030515090322.3AF6E943E5@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=552

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From djm at mindrot.org 2003-05-15 19:03 -------
This is a compiler issue, not an SSH bug.

From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 15 May 2003 19:57:44 +1000
Subject: Resolver changes broke AIX & HPUX
Message-ID: <3EC36498.C3A16BB0@zip.com.au>

Hi All.
	Haven't looked at this yet but it looks like the resolver changes broke
AIX and HP-UX.

-Daz.

AIX 4.3.3.11:
gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I../../openbsd-compat -I../../openbsd-compat/.. -I/usr/local/ssl/include -I/usr/local/include -DHAVE_CONFIG_H -c ../../openbsd-compat/getrrsetbyname.c
../../openbsd-compat/getrrsetbyname.c:133: warning: static declaration for `_getshort' follows non-static
../../openbsd-compat/getrrsetbyname.c:143: conflicting types for `_getlong'
/usr/include/arpa/onameser_compat.h:322: previous declaration of `_getlong'
../../openbsd-compat/getrrsetbyname.c: In function `getrrsetbyname':
../../openbsd-compat/getrrsetbyname.c:238: structure has no member named `ad'

HP-UX 11.00:
ccache gcc -g -O2 -fomit-frame-pointer -pipe -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/local/ssl/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c getrrsetbyname.c
getrrsetbyname.c:133: warning: static declaration for `_getshort' follows non-static
getrrsetbyname.c:143: warning: static declaration for `_getlong' follows non-static
getrrsetbyname.c: In function `getrrsetbyname':
getrrsetbyname.c:183: warning: implicit declaration of function `res_init'
getrrsetbyname.c:199: warning: implicit declaration of function `res_query'
getrrsetbyname.c:238: structure has no member named `ad'
getrrsetbyname.c: In function `parse_dns_qsection':
getrrsetbyname.c:426: warning: implicit declaration of function `dn_expand'
make[1]: *** [getrrsetbyname.o] Error 1
make[1]: Leaving directory `/home/builder/c240/openssh-tinderbox/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From: djm at mindrot.org (Damien Miller)
Date: Fri, 16 May 2003 05:54:20 +1000
Subject: Resolver changes broke AIX & HPUX
In-Reply-To: <3EC36498.C3A16BB0@zip.com.au>
References: <3EC36498.C3A16BB0@zip.com.au>
Message-ID: <3EC3F06C.6000707@mindrot.org>

Darren Tucker wrote:
> Hi All.
> 	Haven't looked at this yet but it looks like the resolver changes broke
> AIX and HP-UX.

I'll have made it conditional on --with-dns. We may need header tests for
_getshort & _getlong in the --with-dns block in configure.ac. However, if
the underlying resolver is insufficient, don't bother.

-d

From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 15 May 2003 21:02:19 +1000
Subject: Resolver changes broke AIX & HPUX
References: <3EC36498.C3A16BB0@zip.com.au>
Message-ID: <3EC373BB.10286541@zip.com.au>

Darren Tucker wrote:
> gcc [opts] openbsd-compat/getrrsetbyname.c
[snip]
> ../../openbsd-compat/getrrsetbyname.c: In function `getrrsetbyname':
> ../../openbsd-compat/getrrsetbyname.c:238: structure has no member named
> `ad'

This looks like there should be a "#ifdef RES_USE_DNSSEC" around that block.

With the attached patch, the compile proceeds further; I now get the
following error (on HP-UX; haven't tried AIX yet).

-Daz.

gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I/usr/local/ssl/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c ../session.c
../session.c: In function `session_break_req':
../session.c:1758: `TIOCSBRK' undeclared (first use in this function)
../session.c:1758: (Each undeclared identifier is reported only once
../session.c:1758: for each function it appears in.)
../session.c:1761: `TIOCCBRK' undeclared (first use in this function)
make: *** [session.o] Error 1

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
Index: openbsd-compat/getrrsetbyname.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/getrrsetbyname.c,v retrieving revision 1.1 diff -u -r1.1 getrrsetbyname.c --- openbsd-compat/getrrsetbyname.c 15 May 2003 02:27:08 -0000 1.1 +++ openbsd-compat/getrrsetbyname.c 15 May 2003 10:44:30 -0000 @@ -234,9 +234,11 @@ rrset->rri_ttl = response->answer->ttl; rrset->rri_nrdatas = response->header.ancount; +#ifdef RES_USE_DNSSEC /* check for authenticated data */ if (response->header.ad == 1) rrset->rri_flags |= RRSET_VALIDATED; +#endif /* copy name from answer section */ length = strlen(response->answer->name);

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 21:06:20 +1000 (EST)
Subject: [Bug 568] Kerberos password auth/expiry kbdint patch
Message-ID: <20030515110620.F2FA49428D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=568

           Summary: Kerberos password auth/expiry kbdint patch
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P4
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: jfh at cise.ufl.edu


This patch adds Kerberos V support via a keyboard interactive device,
giving support for KrbV password expiration as well as displaying messages
received from the kerberos libraries.

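Review bot: in the getrrsetbyname.c hunk the new guard keys on RES_USE_DNSSEC, a resolver option flag, while the failure it works around (reported above as `structure has no member named 'ad'`) is about whether the platform's DNS header structure carries the AD bit at all; a libresolv can define RES_USE_DNSSEC without exposing an `ad` member (the compile then still breaks) or expose the member without the macro (validation is then silently dropped), so a configure-time test for the `ad` member (a HAVE_HEADER_AD define, name assumed) states the real condition. The fail-safe direction is right either way: when the block is compiled out, rri_flags never gains RRSET_VALIDATED, so callers see the answer as unvalidated rather than trusted.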
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 21:08:22 +1000 (EST)
Subject: [Bug 568] Kerberos password auth/expiry kbdint patch
Message-ID: <20030515110822.1B032942E8@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=568

------- Additional Comments From jfh at cise.ufl.edu 2003-05-15 21:08 -------
Created an attachment (id=300)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=300&action=view)
Patch that adds krb5 support via a kbdint device

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 21:17:01 +1000 (EST)
Subject: [Bug 440] Protocol 1 server key generated at start up even when P1 not used
Message-ID: <20030515111701.0D95594283@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=440

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org 2003-05-15 21:16 -------
I can't replicate this with CVS -current, either in inet or normal mode.
Please reopen if you can.

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 21:19:05 +1000 (EST)
Subject: [Bug 529] sshd doesn't work correctly after SIGHUP
Message-ID: <20030515111905.A6B1F943EB@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=529

------- Additional Comments From postadal at suse.cz 2003-05-15 21:19 -------
Created an attachment (id=301)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=301&action=view)
Patch for command line options

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 21:30:11 +1000 (EST)
Subject: [Bug 529] sshd doesn't work correctly after SIGHUP
Message-ID: <20030515113011.8AFDC943EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=529

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org 2003-05-15 21:30 -------
(That patch was a diff of a diff)

Applied anyway.

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 21:33:53 +1000 (EST)
Subject: [Bug 444] Wrong path to ssh in scp after re-configure
Message-ID: <20030515113353.EB2CD943F4@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=444

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org 2003-05-15 21:33 -------
I can't see how this happened: config.h is already in the dependency list,
but I have also added Makefile.in as a couple of paths are defined there
too.

From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 15 May 2003 21:35:59 +1000
Subject: Resolver changes broke AIX & HPUX
References: <3EC36498.C3A16BB0@zip.com.au> <3EC373BB.10286541@zip.com.au>
Message-ID: <3EC37B9F.915E4D44@zip.com.au>

Darren Tucker wrote:
> gcc [opts] ../session.c
> ../session.c: In function `session_break_req':
> ../session.c:1758: `TIOCSBRK' undeclared (first use in this function)
> ../session.c:1758: (Each undeclared identifier is reported only once
> ../session.c:1758: for each function it appears in.)
> ../session.c:1761: `TIOCCBRK' undeclared (first use in this function)
> make: *** [session.o] Error 1

TIOCSBRK seems to be defined in on HP-UX.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
-------------- next part --------------
Index: configure.ac =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v retrieving revision 1.120 diff -u -r1.120 configure.ac --- configure.ac 15 May 2003 02:27:08 -0000 1.120 +++ configure.ac 15 May 2003 11:20:14 -0000 @@ -445,7 +445,7 @@ login_cap.h maillock.h netdb.h netgroup.h \ netinet/in_systm.h paths.h pty.h readpassphrase.h \ rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ - strings.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \ + strings.h sys/strtio.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \ sys/mman.h sys/pstat.h sys/select.h sys/stat.h \ sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \ sys/un.h time.h tmpdir.h ttyent.h usersec.h \ Index: includes.h =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/includes.h,v retrieving revision 1.62 diff -u -r1.62 includes.h --- includes.h 4 May 2003 00:41:20 -0000 1.62 +++ includes.h 15 May 2003 11:23:36 -0000
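Review bot: in the configure.ac hunk, sys/strtio.h is inserted between strings.h and sys/bitypes.h, which breaks the alphabetical order the rest of this header list keeps; it belongs after sys/stropts.h on the next line, i.e. `sys/stropts.h sys/strtio.h sys/sysmacros.h sys/time.h sys/timers.h \`, so later additions land in the expected place.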
@@ -133,6 +133,9 @@ #ifdef HAVE_SYS_MMAN_H #include /* for MAP_ANONYMOUS */ #endif +#ifdef HAVE_SYS_STRTIO_H +#include /* for TIOCCBRK on HP-UX */ +#endif #include /* For typedefs */ #include /* For IPv6 macros */

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 21:39:09 +1000 (EST)
Subject: [Bug 445] User DCE Credentials do not get forwarded to child session
Message-ID: <20030515113909.CA49E943FB@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=445

------- Additional Comments From djm at mindrot.org 2003-05-15 21:39 -------
I am not sure I understand (my Kerberos knowledge isn't so great):

We already set this for Krb5 auth:

#ifdef KRB5
	if (s->authctxt->krb5_ticket_file)
		child_set_env(&env, &envsize, "KRB5CCNAME",
		    s->authctxt->krb5_ticket_file);
#endif

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 21:43:10 +1000 (EST)
Subject: [Bug 491] Large file transfers get stalls
Message-ID: <20030515114310.1704694406@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=491

------- Additional Comments From djm at mindrot.org 2003-05-15 21:43 -------
Is the connection actually stalling? Can you concurrently check whether the
file is increasing in size?

Also, do large FTP or HTTP transfers exhibit the same behaviour?

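Review bot: the comment on the new include in the includes.h hunk reads `for TIOCCBRK on HP-UX`, but the build failure it fixes reports both TIOCSBRK and TIOCCBRK undeclared in session_break_req, so name both (e.g. `/* for TIOCSBRK/TIOCCBRK on HP-UX */`); otherwise someone checking that header later may conclude only one of the two ioctls comes from it.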
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 22:04:47 +1000 (EST)
Subject: [Bug 567] ssh-keygen: DH parameter generation failed
Message-ID: <20030515120447.E523394215@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=567

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|critical                    |major
          Component|Build system                |ssh-keygen
            Summary|pb at the end of compil with|ssh-keygen: DH parameter
                   |a dump of ssh-keygen        |generation failed

------- Additional Comments From djm at mindrot.org 2003-05-15 22:04 -------
This could be a problem in OpenSSL. Did you compile OpenSSL yourself? If
so, please run the "make test" target (or equivalent) and verify it is
functioning correctly.

Otherwise, try running "openssl dsaparam 1024"

From: altmark at de.ibm.com (Markus Alt)
Date: Thu, 15 May 2003 15:07:15 +0200
Subject: blibpath changes for AIX
Message-ID: <3EC39103.37A89A60@de.ibm.com>

Hi all,

lately I've built an RPM for OpenSSH 3.6.1p2 on AIX using the OpenSSL
installation that comes with IBM's "AIX Toolbox for Linux". The latter by
default installs in the /opt/freeware directory, so I've run configure
with the option '--with-ssl-dir=/opt/freeware'.

This has worked fine for former versions of OpenSSH, but with 3.6.1p2,
/opt/freeware/lib apparently does not get added to blibpath during the
build. As a matter of fact, after installing the RPM, sshd refuses to
start as it cannot find libcrypto.a in /usr/lib or /lib.

If I add 'export blibpath="/opt/freeware/lib:/usr/lib:/lib"' to the SPEC
file before running configure, all works well. But I would expect to get
/opt/freeware/lib added to blibpath automatically by the --with-ssl-dir
option.

The ChangeLog contains

20030429
 [...]
 - (djm) Fix blibpath specification for AIX/gcc
 [...]

which I suspect to be the cause for what I'm seeing.

Could anybody please comment?

TIA,
Markus

P.S.: Please copy me on your replies, as I'm not subscribed to the list.

-- 
Markus Alt
IBM Lab Boeblingen, Germany
altmark at de.ibm.com

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 15 May 2003 23:47:57 +1000 (EST)
Subject: [Bug 505] ssh -V could print a human readable openssl version string
Message-ID: <20030515134757.06A97942D8@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=505

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org 2003-05-15 23:47 -------
Applied, thanks.

From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Thu, 15 May 2003 14:50:23 +0100 (BST)
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <3EC2D9F2.1070109@mindrot.org>
Message-ID:

> The changes to the server to support kerberos-2 at ssh.com are about 30
> lines of new code in two files.
>
> Simon's code: 36 files changed, 3321 insertions(+), 9 deletions(-)

I take your point that the GSSAPI code is more complex, but you're not
really comparing like with like.

*) GSSAPI contains support for authentication at both key exchange and
   userauth levels
*) The code supports multiple different authentication methods at the
   client end, and two (Kerberos and GSI) at the server side.
*) Credentials forwarding is supported for both Kerberos and GSI
*) Initial support for determining local username, based on the presented
   credentials, is present for both Kerberos and GSI
*) Support for operating without host keys is present

You could write a GSSAPI implementation which just does Kerberos, and
which just does authentication and not credential passing, but it would
be kind of missing the point.

> c) not all the developers are familiar with Kerberos and GSSAPI;

So why not take patches which have already been reviewed by those that
are? The GSSAPI patches have been examined by people working regularly
with both MIT Kerberos, the Globus GSI implementation, and Heimdal. The
consensus amongst the Kerberos community seems to be that the kerberos-2
method is the wrong direction to be going in.

> d) Simon's code is still going through the IETF process, whereas
> SSH.COM's is very minimal (basically a cleanup of the protocol 1
> Kerberos support) and therefore less likely to change;

If only because the kerberos-2 mechanism was rejected by the IETF secsh
working group at their San Diego meeting in favour of the GSSAPI work.
> f) security problems have been caused in the past by large merges

And by implementations of poorly thought out and buggy Kerberos based
protocols. There's common acceptance that the Kerberos API is hard to use
correctly. Many application problems have been caused by improper use of
that API. For example, in the current kerberos-2 code, no mutual
authentication of the server is performed at the kerberos layer.

Cheers,

Simon.

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 00:17:38 +1000 (EST)
Subject: [Bug 567] ssh-keygen: DH parameter generation failed
Message-ID: <20030515141738.2F351942D5@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=567

penalva at cines.fr changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From penalva at cines.fr 2003-05-16 00:17 -------
OK, it was a problem in OpenSSL during compilation; now, after a
recompilation with gcc, all works.
Thank you.

From: markus at openbsd.org (Markus Friedl)
Date: Thu, 15 May 2003 16:30:16 +0200
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To:
References: <3EC2D9F2.1070109@mindrot.org>
Message-ID: <20030515143016.GF12398@folly>

On Thu, May 15, 2003 at 02:50:23PM +0100, Simon Wilkinson wrote:
>
> > The changes to the server to support kerberos-2 at ssh.com are about 30
> > lines of new code in two files.
> >
> > Simon's code: 36 files changed, 3321 insertions(+), 9 deletions(-)
>
> I take your point that the GSSAPI code is more complex, but you're not
> really comparing like with like.

Of course this depends on your point of view. To me simplicity of the
server code is currently more important. The "kerberos-2" changes add _no_
new code that's executed by the privileged part of sshd and only about 30
lines for the unprivileged half of sshd.

-markus

From: bbense at SLAC.Stanford.EDU (Booker Bense)
Date: Thu, 15 May 2003 07:39:19 -0700 (PDT)
Subject: KerberosIV support
In-Reply-To: <3EC34244.5020104@mindrot.org>
References: <3EC34244.5020104@mindrot.org>
Message-ID:

On Thu, 15 May 2003, Damien Miller wrote:

> Hi All,
>
> The OpenBSD tree is likely to be dropping KerberosIV support very soon.
> We will ultimately follow suit, but if there are many Krb4 users we may
> give a transition period of a release or two.
>
> AFAIK we don't compile at all against MIT KrbIV because of library
> conflicts.

- I fixed the MIT libraries to not have these problems over a year ago,
I don't know if my patches have been accepted and in what version they
will be distributed.

>
> So, who is using OpenSSH Krb4 support at the moment?
>

- Although I no longer work for the Stanford IT group I think they are
still using it, with plans for phasing it out for K5. SLAC uses the AFS
token passing code extensively, but I think that's already been phased
out of the main code.

- Booker C. Bense

From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 16 May 2003 00:40:01 +1000
Subject: blibpath changes for AIX
References: <3EC39103.37A89A60@de.ibm.com>
Message-ID: <3EC3A6C1.5681E026@zip.com.au>

Markus Alt wrote:
> This has worked fine for former versions of OpenSSH, but with 3.6.1p2,
> /opt/freeware/lib apparently does not get added to blibpath during the
> build. As a matter of fact, after installing the RPM, sshd refuses to
> start as it cannot find libcrypto.a in /usr/lib or /lib.

Yeah, there's a reason for this:
"Portable OpenSSH: Dangerous AIX linker behavior"
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=105167884027821

> If I add 'export blibpath="/opt/freeware/lib:/usr/lib:/lib"' to the SPEC
> file before running configure, all works well. But I would expect to get
> /opt/freeware/lib added to blibpath automatically by the --with-ssl-dir
> option.

Good idea, but it would need to be sanity checked (eg
--with-ssl-dir=../openssl-0.9.7b/ or --with-ssl-dir=/tmp/openssl-0.9.7b
would produce exploitable binaries).

It's only required if you're using an openssl shared library (which is
still marked as "experimental").

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From bugzilla-daemon at mindrot.org Fri May 16 00:59:40 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 00:59:40 +1000 (EST)
Subject: [Bug 207] Connect timeout patch
Message-ID: <20030515145940.18580942FA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=207

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org  2003-05-16 00:59 -------
Patch applied - thanks.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri May 16 01:01:28 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 01:01:28 +1000 (EST)
Subject: [Bug 517] bad "put" arg parsing
Message-ID: <20030515150128.71E0194407@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=517

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #299 is|0                           |1
           obsolete|                            |

------- Additional Comments From djm at mindrot.org  2003-05-16 01:01 -------
Created an attachment (id=302)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=302&action=view)
Concise & correct patch

I just realised that we have never handled escape characters at all. This
diff adds escaping for quotes and the backslash character.

From bbense at SLAC.Stanford.EDU Fri May 16 01:05:36 2003
From: bbense at SLAC.Stanford.EDU (Booker Bense)
Date: Thu, 15 May 2003 08:05:36 -0700 (PDT)
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <3EC2D9F2.1070109@mindrot.org>
References: <20030514150756.366349f9.jfh@cise.ufl.edu> <3EC2A611.614798C6@anl.gov> <3EC2D9F2.1070109@mindrot.org>
Message-ID:

On Thu, 15 May 2003, Damien Miller wrote:

> Douglas E. Engert wrote:
>
> > Simon's excellent GSSAPI code is following along closely
> > with the IETF "GSSAPI Authentication and Key Exchange for
> > the Secure Shell Protocol"
> > http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-06.txt
> >
> > So I would like to ask the OpenSSH developers to pick up Simon's
> > GSSAPI modifications instead.
>
> The changes to the server to support kerberos-2 at ssh.com are about 30
> lines of new code in two files.

- In my experience, that pretty much means they've got it wrong
somewhere. Using the API correctly generally requires much more
code than this. I will take a look today and try and provide
useful comments.

>
> Simon's code: 36 files changed, 3321 insertions(+), 9 deletions(-)
>
> Please consider:
>
> a) kerberos-2 at ssh.com can coexist with Simon's code, should it be
> merged at some future time;
>
> b) Simon's code constitutes two orders of magnitude more change
> than what Markus committed;
>
> c) not all the developers are familiar with Kerberos and GSSAPI;
>
> d) Simon's code is still going through the IETF process, whereas
> SSH.COM's is very minimal (basically a cleanup of the protocol 1
> Kerberos support) and therefore less likely to change;

- Which was largely considered to be at best "broken" among people
knowledgeable about kerberos. Plus the k5 API is not a standard and
is subject to change; it's pretty clear to me that it is going to
have to change based on the latest RFC for the wire protocol.
>
> e) being volunteers, our time is limited; and

- Simon's code has been in use for years, looked at by
experts in the field and is generally considered the
"Right way to do this". Since your time is limited why
not take advantage of all the work that has been done
and gone through peer review, rather than a half-hour
hack?

- There are lots of people that would gladly work on
this code. In general, most people in the kerberos world
would like to drop support for telnet and krsh and move
to a standard ssh code, but we cannot do this with the
current SSH code base and nobody wants to deal with
the broken ssh1 implementation.

>
> f) security problems have been caused in the past by large merges
>

- Kerberos security problems are almost always caused by
incorrect use of the API. For good or ill, the straightforward
approach is almost wrong; this is the reason that the kerberos
community is trying to encourage people to use GSSAPI
(an IETF standard) rather than the ad hoc native k5 API.

- Booker C. Bense

From altmark at de.ibm.com Fri May 16 01:03:08 2003
From: altmark at de.ibm.com (Markus Alt)
Date: Thu, 15 May 2003 17:03:08 +0200
Subject: blibpath changes for AIX
References:
Message-ID: <3EC3AC2C.597DFAAA@de.ibm.com>

Darren Tucker wrote:
>
> Markus Alt wrote:
> > This has worked fine for former versions of OpenSSH, but with 3.6.1p2,
> > /opt/freeware/lib apparently does not get added to blibpath during the
> > build. As a matter of fact, after installing the RPM, sshd refuses to
> > start as it cannot find libcrypto.a in /usr/lib or /lib.
>
> Yeah, there's a reason for this:
> "Portable OpenSSH: Dangerous AIX linker behavior"
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=105167884027821

I've seen that.

> > If I add 'export blibpath="/opt/freeware/lib:/usr/lib:/lib"' to the SPEC
> > file before running configure, all works well. But I would expect to get
> > /opt/freeware/lib added to blibpath automatically by the --with-ssl-dir
> > option.
>
> Good idea, but it would need to be sanity checked (eg
> --with-ssl-dir=../openssl-0.9.7b/ or --with-ssl-dir=/tmp/openssl-0.9.7b
> would produce exploitable binaries).

So the new behaviour is a kind of security measure if I understand this
correctly. And I will have to judge whether I trust the installation in
the given directory, but this will not happen automatically. Makes sense.

Thanks for your quick response!

Markus

-- 
Markus Alt
IBM Lab Boeblingen, Germany
altmark at de.ibm.com

From djm at mindrot.org Fri May 16 01:08:17 2003
From: djm at mindrot.org (Damien Miller)
Date: Fri, 16 May 2003 01:08:17 +1000
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To:
References: <20030514150756.366349f9.jfh@cise.ufl.edu> <3EC2A611.614798C6@anl.gov> <3EC2D9F2.1070109@mindrot.org>
Message-ID: <3EC3AD61.4050907@mindrot.org>

Booker Bense wrote:
>> The changes to the server to support kerberos-2 at ssh.com are about 30
>> lines of new code in two files.
>
> - In my experience, that pretty much means they've got it wrong
> somewhere. Using the api correctly generally requires much more
> code than this. I will take a look today and try and provide
> useful comments.

It is only 30 lines of new code as it is near-identical to the protocol
1 KrbV auth method. i.e. we got to reuse our existing infrastructure.

-d

From deengert at anl.gov Fri May 16 02:01:59 2003
From: deengert at anl.gov (Douglas E. Engert)
Date: Thu, 15 May 2003 11:01:59 -0500
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
References: <20030514150756.366349f9.jfh@cise.ufl.edu> <3EC2A611.614798C6@anl.gov> <3EC2CE65.1080103@mindrot.org>
Message-ID: <3EC3B9F7.A9DAADB0@anl.gov>

All good points, but let me add some others below.

Damien Miller wrote:
>
> Douglas E. Engert wrote:
> > Simon's excellent GSSAPI code is following along closely with the IETF
> > "GSSAPI Authentication and Key Exchange for the Secure Shell Protocol"
> > http://www.ietf.org/internet-drafts/draft-ietf-secsh-gsskeyex-06.txt
> >
> > So I would like to ask the OpenSSH developers to pick up Simon's GSSAPI
> > modifications instead.
>
> The changes to the server to support kerberos-2 at ssh.com are about 30
> lines of new code in two files.
>
> Simon's code:
>
> 36 files changed, 3321 insertions(+), 9 deletions(-)
>
> Please consider:
>
> a) kerberos-2 at ssh.com can coexist with Simon's code, should it be
> merged at some future time;
>

Good, at least keep this in mind.

> b) Simon's code constitutes two orders of magnitude more change
> than what Markus committed;
>

Simon's code changes have been updated for every version of OpenSSH
since at least 3.0.2. (You might want to take a poll as to how many sites
are using it.)

> c) not all the developers are familiar with Kerberos and GSSAPI;
>

There are other SSH products which are using the GSSAPI code, in particular
some PC clients. We would like to see the OpenSSH servers support this.
Interoperability between implementations is very important.

GSSAPI is being used in other environments, such as SASL and FTP. There are
other GSSAPI implementations, other than Kerberos, such as the Globus GSI
which can use the same API interface.

The developers don't need to be very familiar with Kerberos, but rather the
API of the GSSAPI which has been a standard for years. And it is an API.
There are multiple versions of Kerberos with different APIs. At least MIT
and Heimdal, and their APIs do change from time to time. One of the PC
vendors can even use the Microsoft SSPI which uses the same wire protocol
as Kerberos GSSAPI, so you can run it without any MIT or Heimdal code at
all on the PC.

> d) Simon's code is still going through the IETF process, whereas
> SSH.COM's is very minimal (basically a cleanup of the protocol 1
> Kerberos support) and therefore less likely to change;
>

It is very close to last call, and I expect it will happen very soon.

> e) being volunteers, our time is limited; and

Me too. Simon's mods are already done.

>
> f) security problems have been caused in the past by large merges
>

There may also be security questions about the SSH.COM kerberos mods. The
way I understood it, the IETF secsh working group looked them over in the
past and said no because of the problems, and went with the GSSAPI as all
of the security issues are then contained in the GSS implementation.

> -d

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From deengert at anl.gov Fri May 16 02:14:37 2003
From: deengert at anl.gov (Douglas E. Engert)
Date: Thu, 15 May 2003 11:14:37 -0500
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
References: <3EC2D9F2.1070109@mindrot.org> <20030515143016.GF12398@folly>
Message-ID: <3EC3BCED.CDCBD246@anl.gov>

Markus Friedl wrote:
>
> To me simplicity of the server code is currently more important.
>
> The "kerberos-2" changes add _no_ new code that's executed by the
> privileged part of sshd and only about 30 lines for the unprivileged
> half of sshd.

Really? But isn't that the point of privsep, to do those critical
security checks in the privileged half? If all the kerberos
authentication is done in the unprivileged part, breaking into this
process could lead to the authentication being bypassed.

It would seem that you would have to access the host keytab file from
the privileged part at least, as it is normally owned by root. Or was
this code already in the source?

>
> -markus
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From mouring at etoh.eviladmin.org Fri May 16 02:24:19 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 15 May 2003 11:24:19 -0500 (CDT)
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To:
Message-ID:

My take on this whole bit.

On Thu, 15 May 2003, Booker Bense wrote:

> On Thu, 15 May 2003, Damien Miller wrote:
> [..]
> > e) being volunteers, our time is limited; and
>
> - Simon's code has been in use for years, looked at by
> experts in the field and is generally considered the
> "Right way to do this". Since your time is limited why
> not take advantage of all the work that has been done
> and gone through peer review, rather than a half-hour
> hack?
>

Because in the end we are held accountable. Not Simon, not you and not
IETF.

And simple straightforward solutions are easier to understand and audit
than complex ones.

> - There are lots of people that would gladly work on
> this code. In general, most people in the kerberos world
> would like to drop support for telnet and krsh and move
> to a standard ssh code, but we cannot do this with the
> current SSH code base and nobody wants to deal with
> the broken ssh1 implementation.
>

Not to degrade Simon's work. I know he has spent a lot of time, but I
have to agree with Markus and others that large patches always seem to
bite us in the ass. No matter how well-intentioned they are.

> >
> > f) security problems have been caused in the past by large merges
> >
>
> - Kerberos security problems are almost always caused by
> incorrect use of the API. For good or ill, the straightforward
> approach is almost wrong; this is the reason that the kerberos
> community is trying to encourage people to use GSSAPI
> (an IETF standard) rather than the ad hoc native k5 API.
>

You know what this tells me. Someone is overdoing the Kerberos API. Not
being able to use the 'straightforward approach' shows *BAD* design on
their part. You'd think people would have learned this by now. Granted,
the Krb people are not the only ones with that problem either.
After privsep came into existence the number of hoops we've had to jump
through to get sane security on some platforms (mostly failing on a few,
i.e. Tru64) is just nuts.

- Ben

From bugzilla-daemon at mindrot.org Fri May 16 03:04:25 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 03:04:25 +1000 (EST)
Subject: [Bug 518] _PATH_STDPATH can get redefined in includes.h if paths.h exists
Message-ID: <20030515170425.0FD73942FD@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=518

rvz at lucent.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From rvz at lucent.com  2003-05-16 03:04 -------
Yes this is no longer a problem in version 3.6.1p2. I had no problems
compiling this time.

From bbense at SLAC.Stanford.EDU Fri May 16 03:44:33 2003
From: bbense at SLAC.Stanford.EDU (Booker Bense)
Date: Thu, 15 May 2003 10:44:33 -0700 (PDT)
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To:
References:
Message-ID:

On Thu, 15 May 2003, Ben Lindstrom wrote:

>
> My take on this whole bit.
>
> On Thu, 15 May 2003, Booker Bense wrote:
>
> > On Thu, 15 May 2003, Damien Miller wrote:
> > > [..]
> > > e) being volunteers, our time is limited; and
> >
> > - Simon's code has been in use for years, looked at by
> > experts in the field and is generally considered the
> > "Right way to do this". Since your time is limited why
> > not take advantage of all the work that has been done
> > and gone through peer review, rather than a half-hour
> > hack?
> >
>
> Because in the end we are held accountable. Not Simon, not
> you and not IETF.

- So you'd rather go with an implementation that has KNOWN flaws,
just because it's short?

>
> And simple straightforward solutions are easier to understand
> and audit than complex ones.
>
> > - There are lots of people that would gladly work on
> > this code. In general, most people in the kerberos world
> > would like to drop support for telnet and krsh and move
> > to a standard ssh code, but we cannot do this with the
> > current SSH code base and nobody wants to deal with
> > the broken ssh1 implementation.
> >
>
> Not to degrade Simon's work. I know he has spent a lot of time, but
> I have to agree with Markus and others that large patches always seem
> to bite us in the ass. No matter how well-intentioned they are.

- Then you are never going to support GSSAPI and you should just say
so and we can get on with our lives. If you're never going to do the
right thing at least don't do the wrong thing. You should drop all
support for kerberos. I'm perfectly fine with that; the people that
are interested can fork a project to continue Simon's patches. Either
do it right or don't do it.
> > >
> > > f) security problems have been caused in the past by large merges
> > >
> >
> > - Kerberos security problems are almost always caused by
> > incorrect use of the API. For good or ill, the straightforward
> > approach is almost wrong; this is the reason that the kerberos
> > community is trying to encourage people to use GSSAPI
> > (an IETF standard) rather than the ad hoc native k5 API.
> >
>
> You know what this tells me. Someone is overdoing the Kerberos
> API. Not being able to use the 'straightforward approach' shows
> *BAD* design on their part. You'd think people would have
> learned this by now.

- No one is arguing that the krb5 API should be used.
THAT'S WHY THE GSSAPI standard was created; if you listen to
anybody involved in the kerberos world they will tell you that
applications should be using GSSAPI, not the krb5 APIs. We
already know they are broken; that's why we're telling you
not to use them.

- Booker C. Bense

From jfh at cise.ufl.edu Fri May 16 05:13:05 2003
From: jfh at cise.ufl.edu (James F.Hranicky)
Date: Thu, 15 May 2003 15:13:05 -0400
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To:
References:
Message-ID: <20030515151305.4a4ac52e.jfh@cise.ufl.edu>

On Thu, 15 May 2003 10:44:33 -0700 (PDT)
Booker Bense wrote:

> - No one is arguing that the krb5 API should be used.
> THAT'S WHY THE GSSAPI standard was created; if you listen to
> anybody involved in the kerberos world they will tell you that
> applications should be using GSSAPI, not the krb5 APIs. We
> already know they are broken; that's why we're telling you
> not to use them.

Do you have any links on the superiority of GSSAPI over native Krb5? A
half-hearted google search didn't turn up anything obvious (to me :->).

Thanks,

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh at cise.ufl.edu                     http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
About politics: Don't worry about results
                It's the thought that counts

From bbense at SLAC.Stanford.EDU Fri May 16 05:19:09 2003
From: bbense at SLAC.Stanford.EDU (Booker Bense)
Date: Thu, 15 May 2003 12:19:09 -0700 (PDT)
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <3EC3AD61.4050907@mindrot.org>
References: <20030514150756.366349f9.jfh@cise.ufl.edu> <3EC2A611.614798C6@anl.gov> <3EC2D9F2.1070109@mindrot.org> <3EC3AD61.4050907@mindrot.org>
Message-ID:

On Fri, 16 May 2003, Damien Miller wrote:

> Booker Bense wrote:
> >> The changes to the server to support kerberos-2 at ssh.com are about 30
> >> lines of new code in two files.
> >
> > - In my experience, that pretty much means they've got it wrong
> > somewhere. Using the api correctly generally requires much more
> > code than this. I will take a look today and try and provide
> > useful comments.
>
> It is only 30 lines of new code as it is near-identical to the protocol
> 1 KrbV auth method. i.e. we got to reuse our existing infrastructure.
>

- There are two problems with both implementations.

1. They don't use krb5_init_secure_context on the server side.

2. They don't check the mutual authentication packet that is
returned from the server. Also, I would much rather see the server
drop the connection if the client does not request mutual
authentication.

- The first is probably just nitpicking since it's not clear to me
whether that code runs in a setuid executable or not[1]. But the
second IMHO is fatally flawed. You could argue that it's not
necessary given that the host is already authenticated via the TSL
layer, but it's a flaw that can be exploited. IMHO, checking the
mutual authentication is a requirement when you also implement tgt
forwarding.

- Booker C. Bense

[1]- If it does there is a potential security hole.

From bbense at SLAC.Stanford.EDU Fri May 16 07:42:06 2003
From: bbense at SLAC.Stanford.EDU (Booker Bense)
Date: Thu, 15 May 2003 14:42:06 -0700 (PDT)
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <20030515151305.4a4ac52e.jfh@cise.ufl.edu>
References: <20030515151305.4a4ac52e.jfh@cise.ufl.edu>
Message-ID:

On Thu, 15 May 2003, James F.Hranicky wrote:

> On Thu, 15 May 2003 10:44:33 -0700 (PDT)
> Booker Bense wrote:
>
> > - No one is arguing that the krb5 API should be used.
> > THAT'S WHY THE GSSAPI standard was created; if you listen to
> > anybody involved in the kerberos world they will tell you that
> > applications should be using GSSAPI, not the krb5 APIs. We
> > already know they are broken; that's why we're telling you
> > not to use them.
>
> Do you have any links on the superiority of GSSAPI over native Krb5? A
> half-hearted google search didn't turn up anything obvious (to me :->).

- Superiority is probably the wrong word to use. GSSAPI was designed
by committee after all. GSSAPI's main advantages are

1. It's an industry standard with several competing implementations.
It's used successfully in many protocols (i.e. anything that uses
SASL...).

2. It's designed to be forward compatible with new security protocols.
If used correctly, you only have to write the application once.

3. If you write GSSAPI code there is some chance it will be supportable
on W2K's native SSPI API. Straight krb5 code will always require a
3rd party library on W2K.

- There are some drawbacks to GSSAPI as well. It doesn't handle getting
initial credentials, it's complex and there's no structure for
negotiating authentication methods.

- The problem with the krb5 API is actually that it's under-engineered
and there is not the appropriate level of API for dealing with 3rd
party protocols. krb5_sendauth and krb5_recvauth pretty much do the
right thing, but do require that you pass in a raw socket.
The 'raw' krb5_mk_req, krb5_rd_req calls don't fully implement the
protocol; there's a bunch of non-obvious stuff you need to hand code to
do the mutual authentication. The "right" thing to do would be to
abstract out the I/O layer and just let the security layer get on with
its business. This is pretty much what GSSAPI does.

- Booker C. Bense

From djm at mindrot.org Fri May 16 09:36:23 2003
From: djm at mindrot.org (Damien Miller)
Date: Fri, 16 May 2003 09:36:23 +1000
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To:
References:
Message-ID: <3EC42477.9090603@mindrot.org>

Booker Bense wrote:
>>>> Because in the end we are held accountable. Not Simon, not
>>>> you and not IETF.
>>
>> - So you'd rather go with an implementation that has KNOWN flaws,
>> just because it's short?

Well our lists have been strangely silent on these flaws, considering we
have been using the same code for our protocol 1 KrbV auth for years.

-d

From fcusack at fcusack.com Fri May 16 09:38:31 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Thu, 15 May 2003 16:38:31 -0700
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <3EC2D9F2.1070109@mindrot.org>; from djm@mindrot.org on Thu, May 15, 2003 at 10:06:10AM +1000
References: <20030514150756.366349f9.jfh@cise.ufl.edu> <3EC2A611.614798C6@anl.gov> <3EC2D9F2.1070109@mindrot.org>
Message-ID: <20030515163831.A5738@google.com>

On Thu, May 15, 2003 at 10:06:10AM +1000, Damien Miller wrote:
> a) kerberos-2 at ssh.com can coexist with Simon's code, should it be
> merged at some future time;
>
> b) Simon's code constitutes two orders of magnitude more change
> than what Markus committed;

Yet you just committed a large PAM change, probably broken (by your
own statement when you announced the commit). I'd say the PAM change
is more severe than the GSSAPI change (maybe not in sheer LOC, but
certainly in scope). You will probably want to argue that FreeBSD's
been using it for some time, but FreeBSD isn't really the reference
PAM platform ...

> c) not all the developers are familiar with Kerberos and GSSAPI;

Of course not. Different developers work on different parts of the code.
Get some developers that ARE familiar with krb5 and GSSAPI. To name two,
Nicolas Williams and Simon Wilkinson are certainly pretty capable.

> d) Simon's code is still going through the IETF process, whereas
> SSH.COM's is very minimal (basically a cleanup of the protocol 1
> Kerberos support) and therefore less likely to change;

ssh itself is still going through IETF. It's well known that kerberos-2
is broken; SSH.COM's code isn't even IN the IETF! Even if GSSAPI changes,
it's not like you don't already have bunches of compatibility hacks in the
code. SSH.COM's code, being proprietary, and having known broken bits,
is more likely to change IMHO.

> e) being volunteers, our time is limited; and

See point (c).

> f) security problems have been caused in the past by large merges

See point (b).
/fc

From sxw at inf.ed.ac.uk Fri May 16 09:56:41 2003
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Fri, 16 May 2003 00:56:41 +0100 (BST)
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <3EC42477.9090603@mindrot.org>
Message-ID:

On Fri, 16 May 2003, Damien Miller wrote:

> Booker Bense wrote:
>
> >>>> Because in the end we are held accountable. Not Simon, not
> >>>> you and not IETF.
> >>
> >> - So you'd rather go with an implementation that has KNOWN flaws,
> >> just because it's short?
>
> Well our lists have been strangely silent on these flaws, considering we
> have been using the same code for our protocol 1 KrbV auth for years.

I've seen assorted conversations about the issues with the Kerberos
support in ssh protocol 1 code over the years. They've also been mentioned
on various different mailing lists, including the ietf list.

For me, the major issue is that these problems aren't really
implementation flaws, but protocol ones. The ssh-1 protocol was deployed
flaws and all, and represented the only option for workable Kerberos
authentication in that protocol. With ssh version 2, there is the chance
to actually get it right. Carrying forward the known and documented flaws
in the v1 protocol to v2 seems like a missed opportunity.

Cheers,

Simon.

From djm at mindrot.org Fri May 16 10:14:01 2003
From: djm at mindrot.org (Damien Miller)
Date: Fri, 16 May 2003 10:14:01 +1000
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <20030515163831.A5738@google.com>
References: <20030514150756.366349f9.jfh@cise.ufl.edu> <3EC2A611.614798C6@anl.gov> <3EC2D9F2.1070109@mindrot.org> <20030515163831.A5738@google.com>
Message-ID: <3EC42D49.1080705@mindrot.org>

Frank Cusack wrote:
> On Thu, May 15, 2003 at 10:06:10AM +1000, Damien Miller wrote:
>> a) kerberos-2 at ssh.com can coexist with Simon's code, should it be
>> merged at some future time;
>>
>> b) Simon's code constitutes two orders of magnitude more change
>> than what Markus committed;
>
> Yet you just committed a large PAM change, probably broken (by your
> own statement when you announced the commit). I'd say the PAM change
> is more severe than the GSSAPI change (maybe not in sheer LOC, but
> certainly in scope).

Rubbish, there is no comparison. For a start, the changes are shorter[1]
(in LoC and scope) and remove as much code as they add. More importantly,
I have been examining and merging the code (on and off) for six months.
Finally, it changes code that was largely written by me in the first
place, so I am familiar with it.

I am yet to hear reports of breakage in the new PAM code, BTW.

> You will probably want to argue that FreeBSD's been using it for some
> time, but FreeBSD isn't really the reference PAM platform ...

What is? Sun? Linux? As far as I am concerned they are all broken. OpenPAM
certainly seems to be the least broken implementation, having had the
opportunity to learn from the mistakes of others. (Though I think the
brokenness starts with the standard and not any one implementation.)

>> c) not all the developers are familiar with Kerberos and GSSAPI;
>
> Of course not. Different developers work on different parts of the code.
> Get some developers that ARE familiar with krb5 and GSSAPI.
> To name two,
> Nicolas Williams and Simon Wilkinson are certainly pretty capable.

As Ben mentioned, they are not the ones who are called to account when
things go bad. (please don't infer any criticism of Simon's code from
my/our paranoia)

>> d) Simon's code is still going through the IETF process, whereas
>> SSH.COM's is very minimal (basically a cleanup of the protocol 1
>> Kerberos support) and therefore less likely to change;
>
> ssh itself is still going through IETF. It's well known that kerberos-2
> is broken; SSH.COM's code isn't even IN the IETF! Even if GSSAPI changes,
> it's not like you don't already have bunches of compatibility hacks in the
> code. SSH.COM's code, being proprietary, and having known broken bits,
> is more likely to change IMHO.

Repeating myself (yet again): the new protocol 2 Krb auth method is a
near copy of what we have been using for protocol 1 for years.

-d

[1] 17 files changed, 828 insertions(+), 563 deletions(-)

From djm at mindrot.org Fri May 16 10:18:13 2003
From: djm at mindrot.org (Damien Miller)
Date: Fri, 16 May 2003 10:18:13 +1000
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To:
References:
Message-ID: <3EC42E45.9010807@mindrot.org>

Simon Wilkinson wrote:
> On Fri, 16 May 2003, Damien Miller wrote:
>
>> Well our lists have been strangely silent on these flaws, considering we
>> have been using the same code for our protocol 1 KrbV auth for years.
>
> I've seen assorted conversations about the issues with the Kerberos
> support in ssh protocol 1 code over the years. They've also been mentioned
> on various different mailing lists, including the ietf list.

Could you summarise these arguments here?

> For me, the major issue is that these problems aren't really
> implementation flaws, but protocol ones. The ssh-1 protocol was deployed
> flaws and all, and represented the only option for workable Kerberos
> authentication in that protocol. With ssh version 2, there is the chance
> to actually get it right. Carrying forward the known and documented flaws
> in the v1 protocol to v2 seems like a missed opportunity.

I think that refusing to add 30 lines of code to support a deployed
authentication mechanism (which will be completely orthogonal to anything
the IETF blesses) would be a missed opportunity.

If people dislike kerberos-2 at ssh.com support, they are free to disable
it.

-d

From fcusack at fcusack.com Fri May 16 10:27:19 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Thu, 15 May 2003 17:27:19 -0700
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <3EC42D49.1080705@mindrot.org>; from djm@mindrot.org on Fri, May 16, 2003 at 10:14:01AM +1000
References: <20030514150756.366349f9.jfh@cise.ufl.edu> <3EC2A611.614798C6@anl.gov> <3EC2D9F2.1070109@mindrot.org> <20030515163831.A5738@google.com> <3EC42D49.1080705@mindrot.org>
Message-ID: <20030515172719.A5810@google.com>

On Fri, May 16, 2003 at 10:14:01AM +1000, Damien Miller wrote:
> (Though I think the brokenness [of PAM] starts with the standard and
> not any one implementation.)

The PAM standard is not broken. Attempts to fit it into something it isn't are what's broken.

People always complain that protocol x,y,z are broken. Sometimes that's correct. Many times, it's just that it doesn't quite do what they want it to do, and because they have to shoehorn they claim that the protocol itself is broken.

In the PAM case, it is my firm belief that it is quite well done. PAM is designed for telnet style, single-thread-of-execution authentications. What's broken is ssh password authentication, not PAM.

/fc

From bugzilla-daemon at mindrot.org Fri May 16 10:48:33 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 10:48:33 +1000 (EST)
Subject: [Bug 487] Patches to fix ssh1 kerberos handling and some other items
Message-ID: <20030516004833.441C79423D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=487

------- Additional Comments From djm at mindrot.org 2003-05-16 10:48 -------
I am not sure I understand - nothing currently defines GSSAPI in our tree.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri May 16 10:50:32 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 10:50:32 +1000 (EST)
Subject: [Bug 534] No option to use IPv6 connections by default
Message-ID: <20030516005032.DC48F942D0@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=534

------- Additional Comments From djm at mindrot.org 2003-05-16 10:50 -------
Created an attachment (id=303)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=303&action=view)
Adds AddressFamily option to client

From phil at ipom.com Fri May 16 11:00:07 2003
From: phil at ipom.com (Phil Dibowitz)
Date: Thu, 15 May 2003 18:00:07 -0700
Subject: OpenSSH and KerbV
Message-ID: <20030516010007.GF6663@earthlink.net>

Is something special required for KerbV auth to work? I've enabled:

KerberosAuthentication yes

on some test boxes and it doesn't work. I do a kinit, and then ssh and it asks for a password. If you don't provide one, you don't get in.

Also, the config file says that AFS (Andrew File System?) is required for Kerb Ticket Fwding... I'm not quite clear on why this is, and didn't find much in the docs... can anyone shed some light on this, we'd love to have KerbV ticket forwarding.

And yes, we compiled OpenSSH with KerbV support.

Thanks,
-- 
Phil Dibowitz                             phil at ipom.com
Freeware and Technical Pages              Insanity Palace of Metallica
http://www.phildev.net/                   http://www.ipom.com/

"They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety." - Benjamin Franklin, 1759

From djm at mindrot.org Fri May 16 11:13:23 2003
From: djm at mindrot.org (Damien Miller)
Date: Fri, 16 May 2003 11:13:23 +1000
Subject: OpenSSH and KerbV
In-Reply-To: <20030516010007.GF6663@earthlink.net>
References: <20030516010007.GF6663@earthlink.net>
Message-ID: <3EC43B33.8010307@mindrot.org>

Phil Dibowitz wrote:
> Is something special required for KerbV auth to work? I've enabled:
>
> KerberosAuthentication yes

You didn't mention which version of OpenSSH you are using. If you are using a released version, KrbV only works with SSH protocol v.1. Try "ssh -1 yourhost".

You may want to try a CVS snapshot. These contain a similar level of support for SSH protocol v.2.

-d

From sxw at inf.ed.ac.uk Fri May 16 11:20:09 2003
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Fri, 16 May 2003 02:20:09 +0100 (BST)
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <3EC42D49.1080705@mindrot.org>
Message-ID: 

> Repeating myself (yet again): the new protocol 2 Krb auth method is a
> near copy of what we have been using for protocol 1 for years.

I've just checked the code, and it's not.

The protocol v1 code returns a response packet from the server to the client. The v2 code doesn't do this (AIUI the kerberos-2 protocol doesn't support it), and so can't perform mutual authentication.

In a quick pass of the code, I also think you're incorrectly using xfree() to free structures allocated by the Kerberos library.

Cheers,

Simon.

From sxw at inf.ed.ac.uk Fri May 16 11:23:42 2003
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Fri, 16 May 2003 02:23:42 +0100 (BST)
Subject: OpenSSH and KerbV
In-Reply-To: <20030516010007.GF6663@earthlink.net>
Message-ID: 

On Thu, 15 May 2003, Phil Dibowitz wrote:
> Is something special required for KerbV auth to work? I've enabled:
>
> KerberosAuthentication yes
>
> on some test boxes and it doesn't work. I do a kinit, and then ssh
> and it asks for a password. If you don't provide one, you don't get
> in.

The Kerberos V support that ships with current OpenSSH versions is only for ssh protocol 1. You can use this by forcing your connection to use protocol version 1 with the '-1' flag.

If you want Kerberos V support for protocol version 2, then you need the patches available from
http://www.sxw.org.uk/computing/patches/openssh.html

> Also, the config file says that AFS (Andrew File System?) is required
> for Kerb Ticket Fwding... I'm not quite clear on why this is, and
> didn't find much in the docs... can anyone shed some light on this,
> we'd love to have KerbV ticket forwarding.

This is a hangover from the days when 'Kerberos' meant Kerberos IV. Kerberos V can do ticket forwarding without AFS. Both the bundled stuff, and my patches support ticket forwarding.

Cheers,

Simon.

From phil at ipom.com Fri May 16 11:39:36 2003
From: phil at ipom.com (Phil Dibowitz)
Date: Thu, 15 May 2003 18:39:36 -0700
Subject: OpenSSH and KerbV
In-Reply-To: <3EC43B33.8010307@mindrot.org>
References: <20030516010007.GF6663@earthlink.net> <3EC43B33.8010307@mindrot.org>
Message-ID: <20030516013936.GI6663@earthlink.net>

On Fri, May 16, 2003 at 11:13:23AM +1000, Damien Miller wrote:
> You didn't mention which version of OpenSSH you are using. If you are
> using a released version, KrbV only works with SSH protocol v.1. Try
> "ssh -1 yourhost".

3.6.1p2. This doesn't work either, although at least now it attempts. Verbose mode shows:

debug1: Kerberos v5: krb5_mk_req failed: Server not found in Kerberos database

> You may want to try a CVS snapshot. These contain a similar level of
> support for SSH protocol v.2.

Cool. When is this planned to be released into the wild?

Thanks,
-- 
Phil Dibowitz                             phil at ipom.com

From phil at ipom.com Fri May 16 11:40:32 2003
From: phil at ipom.com (Phil Dibowitz)
Date: Thu, 15 May 2003 18:40:32 -0700
Subject: OpenSSH and KerbV
In-Reply-To: 
References: <20030516010007.GF6663@earthlink.net>
Message-ID: <20030516014032.GJ6663@earthlink.net>

On Fri, May 16, 2003 at 02:23:42AM +0100, Simon Wilkinson wrote:
> The Kerberos V support that ships with current OpenSSH versions is only
> for ssh protocol 1. You can use this by forcing your connection to use
> protocol version 1 with the '-1' flag.
>
> If you want Kerberos V support for protocol version 2, then you need
> the patches available from
> http://www.sxw.org.uk/computing/patches/openssh.html

Thanks.

> This is a hangover from the days when 'Kerberos' meant Kerberos IV.
> Kerberos V can do ticket forwarding without AFS. Both the bundled stuff,
> and my patches support ticket forwarding.

Hrm, really? I lose my tickets when I SSH from one host to the next. Is this also only an ssh1 thing?

-- 
Phil Dibowitz                             phil at ipom.com

From markus at openbsd.org Fri May 16 13:09:18 2003
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 16 May 2003 05:09:18 +0200
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <3EC3BCED.CDCBD246@anl.gov>
References: <3EC2D9F2.1070109@mindrot.org> <20030515143016.GF12398@folly> <3EC3BCED.CDCBD246@anl.gov>
Message-ID: <20030516030918.GB8859@folly>

On Thu, May 15, 2003 at 11:14:37AM -0500, Douglas E. Engert wrote:
> Markus Friedl wrote:
> >
> > To me simplicity of the server code is currently more important.
> >
> > The "kerberos-2" changes add _no_ new code that's executed by the
> > privileged part of sshd and only about 30 lines for the unprivileged
> > half of sshd.
>
> Really? But isn't that the point of privsep to do those critical
> security checks in the privileged half? If all the kerberos authentication
> is done in the unprivileged part, breaking into this process could lead
> to the authentication being bypassed. It would seem that you would have to
> access the host keytab file from the privileged part at least, as it is
> normally owned by root. Or was this code already in the source.

the code is the same that's used for ssh1.

From bugzilla-daemon at mindrot.org Fri May 16 13:13:34 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 13:13:34 +1000 (EST)
Subject: [Bug 83] PAM limits applied incorrectly (pam_session being called as non-root)
Message-ID: <20030516031334.E0A9594302@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=83

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|sshd                        |PAM support

From bugzilla-daemon at mindrot.org Fri May 16 13:15:49 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 13:15:49 +1000 (EST)
Subject: [Bug 240] ssh fails to handle errno == EHOSTUNREACH properly
Message-ID: <20030516031549.2BD7494321@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=240

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From djm at mindrot.org 2003-05-16 13:15 -------
4 months, no response == no bug

From bugzilla-daemon at mindrot.org Fri May 16 13:16:53 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 13:16:53 +1000 (EST)
Subject: [Bug 241] When I kill scp, the underlying ssh child process remains alive
Message-ID: <20030516031653.6093D94302@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=241

------- Additional Comments From djm at mindrot.org 2003-05-16 13:16 -------
Could you please attach your patch in unified "diff -u" format to the bug, rather than pasting it into the comments field? Bugs in comments fields usually have to be manually reconstructed.

From bugzilla-daemon at mindrot.org Fri May 16 13:22:57 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 13:22:57 +1000 (EST)
Subject: [Bug 534] No option to use IPv6 connections by default
Message-ID: <20030516032257.67CC394308@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=534

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org 2003-05-16 13:22 -------
Patch applied.

From bugzilla-daemon at mindrot.org Fri May 16 13:29:59 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 13:29:59 +1000 (EST)
Subject: [Bug 271] SSHD should unblock SIGCHLD - POSIX signal blocks survive exec()
Message-ID: <20030516032959.0987894307@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=271

------- Additional Comments From djm at mindrot.org 2003-05-16 13:29 -------
Could you verify this with a recent version, preferably including diag output.

From bugzilla-daemon at mindrot.org Fri May 16 13:31:54 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 13:31:54 +1000 (EST)
Subject: [Bug 326] Bug in AFS token forwarding
Message-ID: <20030516033154.A4F5094307@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=326

------- Additional Comments From djm at mindrot.org 2003-05-16 13:31 -------
Please attach your patch to the bug, rather than pasting it. Pasting patches corrupts them.

From bugzilla-daemon at mindrot.org Fri May 16 13:58:28 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 13:58:28 +1000 (EST)
Subject: [Bug 372] [RFE] [authkrb5] : KRB5CCNAME set to pointer
Message-ID: <20030516035828.540D194309@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=372

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|sshd                        |Kerberos support

From mmartin at ncs.com.sg Fri May 16 13:59:52 2003
From: mmartin at ncs.com.sg (Martin Ferdinand R Magat)
Date: Fri, 16 May 2003 11:59:52 +0800
Subject: SFTP on OS390
Message-ID: <19C34CD863B1D4118E2800508BAF663A075B8D54@stone.ncs.com.sg>

Hello

Anyone knows what is the error below?

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received.
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent.
debug1: dh_gen_key: priv key bits set: 190/384.
debug1: bits set: 1023/2049.
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT.
Connection closed by 192.168.147.217.
debug1: Calling cleanup 0xc0b5828(0x0).
debug1: Calling cleanup 0xc11ad60(0x0).

note: this was when I was trying to connect SFTP from PC to openssh ..

thanks

From bugzilla-daemon at mindrot.org Fri May 16 14:03:29 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 14:03:29 +1000 (EST)
Subject: [Bug 445] User DCE Credentials do not get forwarded to child session
Message-ID: <20030516040329.834C994436@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=445

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|ssh                         |Kerberos support

From bugzilla-daemon at mindrot.org Fri May 16 14:03:52 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 14:03:52 +1000 (EST)
Subject: [Bug 456] Krb5 ticket forwarding is tried even if krb5 authentication failed
Message-ID: <20030516040352.CF03C94435@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=456

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|sshd                        |Kerberos support

From bugzilla-daemon at mindrot.org Fri May 16 14:08:16 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 14:08:16 +1000 (EST)
Subject: [Bug 487] Patches to fix ssh1 kerberos handling and some other items
Message-ID: <20030516040816.8276794440@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=487

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|ssh                         |Kerberos support

From bugzilla-daemon at mindrot.org Fri May 16 14:08:48 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 14:08:48 +1000 (EST)
Subject: [Bug 488] Patch for kerberos in clusters
Message-ID: <20030516040848.4F3F494438@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=488

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|ssh                         |Kerberos support

From bugzilla-daemon at mindrot.org Fri May 16 15:24:08 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 15:24:08 +1000 (EST)
Subject: [Bug 559] PAM fixes
Message-ID: <20030516052408.5D6DF94329@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=559

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|sshd                        |PAM support

From bugzilla-daemon at mindrot.org Fri May 16 15:39:18 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 15:39:18 +1000 (EST)
Subject: [Bug 564] new PAM code only calls pam_acct_mgmt for challenge-response clients
Message-ID: <20030516053918.7F42394302@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=564

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|sshd                        |PAM support

From phil at ipom.com Fri May 16 15:58:12 2003
From: phil at ipom.com (Phil Dibowitz)
Date: Thu, 15 May 2003 22:58:12 -0700
Subject: OpenSSH and KerbV
In-Reply-To: <20030516014032.GJ6663@earthlink.net>
References: <20030516010007.GF6663@earthlink.net> <20030516014032.GJ6663@earthlink.net>
Message-ID: <3EC47DF4.7060104@ipom.com>

Phil Dibowitz wrote:
> Hrm, really? I lose my tickets when I SSH from one host to the next.
> Is this also only an ssh1 thing?
>

I hate to reply to my own post... but it occurs to me it's probably required to have kerb authentication in order to have kerb ticket forwarding. Given that, kerb authentication IS working just fine if I use ssh1... (my kinit hadn't worked before and I didn't realize it).

HOWEVER, ticket forwarding still fails:

debug1: Kerberos v5 authentication accepted.
debug1: Kerberos v5 TGT forwarding failed: KDC can't fulfill requested option

Unfortunately my kerberos-fu is weak, so, I'm not sure if it's a kerb thing or an ssh thing... Any help would be much appreciated.

-- 
Phil Dibowitz                             phil at ipom.com

From bugzilla-daemon at mindrot.org Fri May 16 16:11:29 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 16:11:29 +1000 (EST)
Subject: [Bug 565] gcc 3.2.3 compiler warnings for openssh-3.6.1p2 on Solaris 7
Message-ID: <20030516061129.E6DC89432E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=565

------- Additional Comments From djm at mindrot.org 2003-05-16 16:11 -------
Created an attachment (id=304)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=304&action=view)
Fix a few of these

A couple have been fixed in portable, the patch fixes a couple more.

FYI - most of the warnings in cipher.c are OpenSSL compat goop.

From bugzilla-daemon at mindrot.org Fri May 16 16:11:56 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 16:11:56 +1000 (EST)
Subject: [Bug 568] Kerberos password auth/expiry kbdint patch
Message-ID: <20030516061156.A57E494334@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=568

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|sshd                        |Kerberos support

From markus at openbsd.org Fri May 16 16:12:13 2003
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 16 May 2003 08:12:13 +0200
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: 
References: <3EC42D49.1080705@mindrot.org>
Message-ID: <20030516061212.GA29525@folly>

On Fri, May 16, 2003 at 02:20:09AM +0100, Simon Wilkinson wrote:
>
> > Repeating myself (yet again): the new protocol 2 Krb auth method is a
> > near copy of what we have been using for protocol 1 for years.
>
> I've just checked the code, and it's not.

Still it's a near copy.

> The protocol v1 code returns a response packet from the server to the
> client. The v2 code doesn't do this (AIUI the kerberos-2 protocol
> doesn't support it), and so can't perform mutual authentication.

SSH already provides server authentication.

> In a quick pass of the code, I also think you're incorrectly using
> xfree() to free structures allocated by the Kerberos library.

yes, it seems so.

-m

From markus at openbsd.org Fri May 16 16:13:44 2003
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 16 May 2003 08:13:44 +0200
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <20030515163831.A5738@google.com>
References: <20030514150756.366349f9.jfh@cise.ufl.edu> <3EC2A611.614798C6@anl.gov> <3EC2D9F2.1070109@mindrot.org> <20030515163831.A5738@google.com>
Message-ID: <20030516061343.GB29525@folly>

On Thu, May 15, 2003 at 04:38:31PM -0700, Frank Cusack wrote:
> Yet you just committed a large PAM change, probably broken (by your
> own statement when you announced the commit). I'd say the PAM change
> is more severe than the GSSAPI change (maybe not in sheer LOC, but
> certainly in scope).

The PAM change tries to simplify code.

From markus at openbsd.org Fri May 16 16:19:31 2003
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 16 May 2003 08:19:31 +0200
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: 
References: 
Message-ID: <20030516061931.GC29525@folly>

On Thu, May 15, 2003 at 10:44:33AM -0700, Booker Bense wrote:
> - Then you are never going to support GSSAPI and you should just
> say so and we can get on with our lives.

If the GSSAPI was simple integration would be more likely.

> If you're never going to
> do the right thing at least don't do the wrong thing. You should
> drop all support for kerberos.

That's another option.

> I'm perfectly fine with that, the
> people that are interested can fork a project to continue Simon's
> patches.

Is this a threat or a promise?

-m

From markus at openbsd.org Fri May 16 16:22:38 2003
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 16 May 2003 08:22:38 +0200
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: 
References: <20030514150756.366349f9.jfh@cise.ufl.edu> <3EC2A611.614798C6@anl.gov> <3EC2D9F2.1070109@mindrot.org> <3EC3AD61.4050907@mindrot.org>
Message-ID: <20030516062238.GD29525@folly>

On Thu, May 15, 2003 at 12:19:09PM -0700, Booker Bense wrote:
> But
> the second IMHO is fatally flawed. You could argue that it's not
> necessary given that the host is already authenticated via the
> TSL layer, but it's a flaw that can be exploited. IMHO, checking
> the mutual authentication is a requirement when you also
> implement tgt forwarding.

So we should add code that's 100 times as large just to have an additional way to authenticate a server that's already authenticated?

From bugzilla-daemon at mindrot.org Fri May 16 16:30:48 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 16:30:48 +1000 (EST)
Subject: [Bug 489] root login with PublicKeyAuthentication disabled
Message-ID: <20030516063048.37F7C94456@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=489

------- Additional Comments From djm at mindrot.org 2003-05-16 16:30 -------
Could you please attach a debug trace from the server when it fails?

From fcusack at fcusack.com Fri May 16 17:24:16 2003
From: fcusack at fcusack.com (Frank Cusack)
Date: Fri, 16 May 2003 00:24:16 -0700
Subject: OpenSSH and KerbV
In-Reply-To: <3EC47DF4.7060104@ipom.com>; from phil@ipom.com on Thu, May 15, 2003 at 10:58:12PM -0700
References: <20030516010007.GF6663@earthlink.net> <20030516014032.GJ6663@earthlink.net> <3EC47DF4.7060104@ipom.com>
Message-ID: <20030516002416.B6217@google.com>

On Thu, May 15, 2003 at 10:58:12PM -0700, Phil Dibowitz wrote:
> Phil Dibowitz wrote:
> > Hrm, really? I lose my tickets when I SSH from one host to the next.
> > Is this also only an ssh1 thing?
> >
>
> I hate to reply to my own post... but it occurs to me it's probably
> required to have kerb authentication in order to have kerb ticket
> forwarding. Given that, kerb authentication IS working just fine if I
> use ssh1... (my kinit hadn't worked before and I didn't realize it).
>
> HOWEVER, ticket forwarding still fails:
>
> debug1: Kerberos v5 authentication accepted.
> debug1: Kerberos v5 TGT forwarding failed: KDC can't fulfill requested
> option
>
> Unfortunately my kerberos-fu is weak, so, I'm not sure if it's a kerb
> thing or an ssh thing...

Looks like your kdc is configured to not allow forwardable tickets.

/fc

From sxw at inf.ed.ac.uk Fri May 16 17:42:38 2003
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Fri, 16 May 2003 08:42:38 +0100 (BST)
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <20030516061212.GA29525@folly>
Message-ID: 

On Fri, 16 May 2003, Markus Friedl wrote:
> SSH already provides server authentication.

Indeed, but only if the user correctly manages the ssh key information. Doing mutual authentication at the Kerberos layer can add additional assurance. IMHO, you're mis-using the Kerberos protocol by discarding the mutual auth packet.

Lack of support for mutual authentication is one of the reasons cited in the IETF minutes for not adopting the kerberos-2 protocol.

Cheers,

Simon.

From sxw at inf.ed.ac.uk Fri May 16 17:47:22 2003
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Fri, 16 May 2003 08:47:22 +0100 (BST)
Subject: OpenSSH and KerbV
In-Reply-To: <3EC47DF4.7060104@ipom.com>
Message-ID: 

On Thu, 15 May 2003, Phil Dibowitz wrote:
> I hate to reply to my own post... but it occurs to me it's probably
> required to have kerb authentication in order to have kerb ticket
> forwarding.

To do it securely, yes.

> Given that, kerb authentication IS working just fine if I
> use ssh1... (my kinit hadn't worked before and I didn't realize it).
>
> HOWEVER, ticket forwarding still fails:
>
> debug1: Kerberos v5 authentication accepted.
> debug1: Kerberos v5 TGT forwarding failed: KDC can't fulfill requested
> option

You've either not requested forwardable tickets, or the server's host key is configured not to accept them. Use 'kinit -f' to acquire forwardable credentials.

Cheers,

Simon.

From sxw at inf.ed.ac.uk Fri May 16 17:57:55 2003
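A pre-flight check for the failure Phil hit, as an added example that is not part of the original thread or of OpenSSH: it parses the output of MIT Kerberos `klist -f` (format assumed; Heimdal's klist prints differently) and reports whether the cached TGT carries the F flag that `kinit -f` sets, so the "KDC can't fulfill requested option" failure can be predicted before ssh is run. The two klist outputs below are constructed for the example, not captured from anyone's system.

```python
import re
import subprocess

# Constructed samples of MIT `klist -f` output (assumed format; not from the thread).
# With -f, MIT klist prints an indented "Flags:" line under each ticket.
KLIST_NOT_FORWARDABLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: phil@EXAMPLE.COM

Valid starting       Expires              Service principal
05/16/03 01:10:14    05/16/03 11:10:14    krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: IA
"""

KLIST_FORWARDABLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: phil@EXAMPLE.COM

Valid starting       Expires              Service principal
05/16/03 01:12:40    05/16/03 11:12:40    krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA
05/16/03 01:13:02    05/16/03 11:13:02    host/box.example.com@EXAMPLE.COM
        Flags: FA
"""

# A ticket line is "<date> <time>  <date> <time>  <service@REALM>"; the column
# header never matches because it has no '@' and more than one space between words.
_TICKET_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(?P<service>\S+@\S+)\s*$")
_FLAGS_RE = re.compile(r"^\s+Flags:\s*(?P<flags>\S*)\s*$")


def parse_klist(text):
    """Return [{'service': ..., 'flags': ...}, ...] from klist text.
    'flags' is None when no Flags: line followed the ticket (klist run without -f)."""
    entries = []
    for line in text.splitlines():
        m = _TICKET_RE.match(line)
        if m:
            entries.append({"service": m.group("service"), "flags": None})
            continue
        m = _FLAGS_RE.match(line)
        if m and entries:
            entries[-1]["flags"] = m.group("flags")
    return entries


def tgt_forwardable(text):
    """True/False for the F flag on the krbtgt entry; None if no TGT or no flag data."""
    for e in parse_klist(text):
        if e["service"].startswith("krbtgt/"):
            if e["flags"] is None:
                return None
            return "F" in e["flags"]
    return None


def diagnose(text):
    """Map the check onto the error Phil saw and the fix Simon gave."""
    state = tgt_forwardable(text)
    if state is None:
        return "no TGT or no flag data: run 'kinit -f' then 'klist -f'"
    if not state:
        return "TGT is not forwardable: run 'kinit -f' (otherwise expect 'KDC can't fulfill requested option')"
    return "TGT is forwardable: ticket forwarding can be attempted"


if __name__ == "__main__":
    # Live use: feed real klist output through the same parser.
    out = subprocess.run(["klist", "-f"], capture_output=True, text=True).stdout
    print(diagnose(out))
```

If the TGT is forwardable and forwarding still fails, the remaining cause in Simon's answer is on the KDC side (the service principal or the KDC policy not permitting forwarded tickets), which no client-side check can see.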
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Fri, 16 May 2003 08:57:55 +0100 (BST)
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <3EC42E45.9010807@mindrot.org>
Message-ID: 

On Fri, 16 May 2003, Damien Miller wrote:
> Simon Wilkinson wrote:
> Could you summarise these arguments here?

The key problems with the ssh.com kerberos-2 support are:

*) It doesn't perform mutual authentication
*) It passes a TGT without authenticating the server
*) It allows the use of a TGT _as a means of authentication_

IIRC these problems also existed in the original ssh-1 code, but were fixed in other trees before you adopted Dan Kouril's patches via FreeBSD.

The only means of fixing them is to change the underlying protocol. It's harder in protocol v2, due to the way in which the ssh.com support is implemented in userauth.

Passing a kerberos TGT _without_ authenticating the server, in the manner of the kerberos-tgt exchange, really isn't acceptable.

> If people dislike kerberos-2 at ssh.com support, they are free to disable it.

The problem is that you are providing Kerberos support based on a flawed, and possibly broken, protocol. People that don't read this mailing list won't be aware of that, and so won't know that they really should disable it unless they know what they're doing.

Cheers,

Simon.

From phil at ipom.com Fri May 16 18:10:14 2003
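The first two points above, and Simon's earlier observation that the v1 code returns a response packet while the kerberos-2 code does not, turn on the Kerberos AP-REQ/AP-REP exchange. What follows is an added example, not code from OpenSSH, SSH.COM or Simon's patches: a toy simulation of that exchange in which the client either requires and verifies the AP-REP (mutual authentication) or skips it, and only then decides whether to forward its TGT. The cipher (an HMAC-SHA256 keystream with an HMAC tag), the principal names, keys and timestamp are all constructed stand-ins. A server built with `keytab_key=None` models Simon's scenario of a host that does not hold the service key but that the user has accepted at the SSH host-key prompt anyway. The example shows only the client's gating decision; what such a host could do with forwarded material afterwards depends on how the forwarding itself is protected, which the thread does not settle.

```python
import hashlib
import hmac
import os
import struct


# --- toy etype: HMAC-SHA256 keystream plus HMAC tag (NOT a real Kerberos etype) ---
def _keystream(key, nonce, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:n]


def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Knows every service's long-term key. Hands the client a ticket it cannot read
    (encrypted under the service key) together with the session key sealed inside it."""
    def __init__(self, service_keys):
        self.service_keys = service_keys

    def service_ticket(self, client, service):
        session_key = os.urandom(32)
        ticket = encrypt(self.service_keys[service], client.encode() + b"|" + session_key)
        return ticket, session_key


class Server:
    """keytab_key=None models a host without the service key (an impostor the user
    nonetheless accepted at the SSH host-key prompt)."""
    def __init__(self, keytab_key):
        self.keytab_key = keytab_key

    def handle_ap_req(self, ticket, authenticator, mutual_required):
        """Return (login_ok, ap_rep). Only a holder of the service key can open the
        ticket, recover the session key and therefore build a valid AP-REP."""
        if self.keytab_key is None:
            return True, None          # impostor: lets the login proceed, cannot answer
        client, session_key = decrypt(self.keytab_key, ticket).split(b"|", 1)
        auth_client, ts = decrypt(session_key, authenticator).split(b"|", 1)
        if auth_client != client:
            return False, None
        ap_rep = encrypt(session_key, ts) if mutual_required else None
        return True, ap_rep


def run_login(require_mutual, server_has_key):
    """One Kerberos login over SSH. Returns what the client concluded and whether it
    went on to forward its TGT, which is the decision the thread argues about."""
    service_key = os.urandom(32)
    kdc = KDC({"host/box.example.com": service_key})
    server = Server(service_key if server_has_key else None)

    ticket, session_key = kdc.service_ticket("phil@EXAMPLE.COM", "host/box.example.com")
    ts = struct.pack(">Q", 1053041414)   # constructed Authenticator timestamp
    authenticator = encrypt(session_key, b"phil@EXAMPLE.COM|" + ts)

    login_ok, ap_rep = server.handle_ap_req(ticket, authenticator, require_mutual)
    result = {"authenticated": login_ok, "server_verified": False, "forwarded_tgt": False}
    if not login_ok:
        return result

    if require_mutual:
        # The AP-REP must echo our timestamp under the session key that only a holder
        # of the service key could have recovered from the ticket.
        try:
            result["server_verified"] = ap_rep is not None and decrypt(session_key, ap_rep) == ts
        except ValueError:
            result["server_verified"] = False
        if not result["server_verified"]:
            return result              # refuse to hand over credentials

    # kerberos-2 style (no AP-REP check) reaches this point against any server that
    # said "ok", including one that never held the service key.
    result["forwarded_tgt"] = True
    return result
```

Markus's counter-argument is that the SSH transport has already authenticated the host; in this model that is the difference between `server_has_key=True` and `False`, and the AP-REP check is the only step that notices when the user got that decision wrong.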
From: phil at ipom.com (Phil Dibowitz)
Date: Fri, 16 May 2003 01:10:14 -0700
Subject: OpenSSH and KerbV
In-Reply-To: 
References: 
Message-ID: <3EC49CE6.7030604@ipom.com>

Simon Wilkinson wrote:
> You've either not requested forwardable tickets, or the server's host key
> is configured not to accept them. Use 'kinit -f' to acquire forwardable
> credentials.

Aha! That makes it work. Thanks a ton.

-- 
Phil Dibowitz                             phil at ipom.com

From jan.iven at cern.ch Fri May 16 18:54:40 2003
From: jan.iven at cern.ch (Jan Iven)
Date: 16 May 2003 10:54:40 +0200
Subject: KerberosIV support
In-Reply-To: <3EC34244.5020104@mindrot.org>
References: <3EC34244.5020104@mindrot.org>
Message-ID: 

>>>>> "Damien" == Damien Miller writes:

Damien> Hi All, The OpenBSD tree is likely to be dropping KerberosIV
Damien> support very soon. We will ultimately follow suit, but if
Damien> there are many Krb4 users we may give a transition period of
Damien> a release or two.

Damien> AFAIK we don't compile at all against MIT KrbIV because of
Damien> library conflicts.

Damien> So, who is using OpenSSH Krb4 support at the moment?

We (CERN) do heavily use Krb4 auth & credential forwarding, coupled with AFS token passing. Will be some time before we can get rid of it, as it requires a complete (all platforms) transition to OpenAFS+Kerberos5 (no server-side compatibility Krb5<->4 translator, which would be fairly easy). I guess most sites with AFS are in a similar situation.

Regards
Jan

From sfrost at snowman.net Fri May 16 21:54:38 2003
From: sfrost at snowman.net (Stephen Frost)
Date: Fri, 16 May 2003 07:54:38 -0400
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <20030516061212.GA29525@folly>
References: <3EC42D49.1080705@mindrot.org> <20030516061212.GA29525@folly>
Message-ID: <20030516115438.GF8524@ns.snowman.net>

* Markus Friedl (markus at openbsd.org) wrote:
> On Fri, May 16, 2003 at 02:20:09AM +0100, Simon Wilkinson wrote:
> > The protocol v1 code returns a response packet from the server to the
> > client. The v2 code doesn't do this (AIUI the kerberos-2 protocol
> > doesn't support it), and so can't perform mutual authentication.
>
> SSH already provides server authentication.

That's crap, plain and simple. SSH should not pretend to be doing Kerberos authentication while really not. Either support proper Kerberos or don't and we'll continue to use Simon's patches which provide proper Kerberos support. It's a shame that SSH can't manage to do proper Kerberos support but pretending like it does when it doesn't is *much* worse.

	Stephen

From bugzilla-daemon at mindrot.org Fri May 16 23:15:37 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 16 May 2003 23:15:37 +1000 (EST)
Subject: [Bug 489] root login with PublicKeyAuthentication disabled
Message-ID: <20030516131537.847DE94457@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=489

jim.a.davidson at bt.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From jim.a.davidson at bt.com 2003-05-16 23:15 -------
Sorry to have wasted your time but as we can still use root to issue remote commands on the target machine, we don't care about getting a root login shell.

Apologies.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From smoogen at lanl.gov Sat May 17 00:45:25 2003
From: smoogen at lanl.gov (Stephen Smoogen)
Date: 16 May 2003 08:45:25 -0600
Subject: OpenSSH and KerbV
In-Reply-To: <3EC47DF4.7060104@ipom.com>
References: <20030516010007.GF6663@earthlink.net> <20030516014032.GJ6663@earthlink.net> <3EC47DF4.7060104@ipom.com>
Message-ID: <1053096348.15800.4.camel@smoogen1.lanl.gov>

When I have run into this problem in the past it has been a kerberos server/client problem and not with the ssh. We had this happen on machines that had older Cygnus versions of kerberos trying to get tickets from a MIT Kerberos 1.2.x server. To clear it out we made sure that the clients and servers were running the same code and then confirmed that the /etc/krb5.keytab on the client was the correct one from the server.

On Thu, 2003-05-15 at 23:58, Phil Dibowitz wrote:
> Phil Dibowitz wrote:
> > Hrm, really? I lose my tickets when I SSH from one host to the next.
> > Is this also only an ssh1 thing?
> >
>
> I hate to reply to my own post... but it occurs to me it's probably
> required to have kerb authentication in order to have kerb ticket
> forwarding. Given that, kerb authentication IS working just fine if I
> use ssh1... (my kinit hadn't worked before and I didn't realize it).
>
> HOWEVER, ticket forwarding still fails:
>
> debug1: Kerberos v5 authentication accepted.
> debug1: Kerberos v5 TGT forwarding failed: KDC can't fulfill requested
> option
>
> Unfortunately my kerberos-fu is weak, so, I'm not sure if it's a kerb
> thing or an ssh thing...
>
> Any help would be much appreciated.
>
> --
> Phil Dibowitz                             phil at ipom.com
> Freeware and Technical Pages              Insanity Palace of Metallica
> http://www.phildev.net/                   http://www.ipom.com/
>
> "They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety."
>  - Benjamin Franklin, 1759
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
-- 
Stephen John Smoogen		smoogen at lanl.gov
Los Alamos National Labrador  CCN-5 Sched 5/40  PH: 4-0645 (note new #)
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --

From bugzilla-daemon at mindrot.org Sat May 17 02:09:38 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 17 May 2003 02:09:38 +1000 (EST)
Subject: [Bug 326] Bug in AFS token forwarding
Message-ID: <20030516160938.D5B1894495@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=326

------- Additional Comments From alfw at stanford.edu 2003-05-17 02:09 -------
Created an attachment (id=305)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=305&action=view)
Proposed fix for AFS token forwarding problem

I did not adapt indentation to keep the patch short.

From bugzilla-daemon at mindrot.org Sat May 17 04:03:28 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 17 May 2003 04:03:28 +1000 (EST)
Subject: [Bug 220] sshd fails to read other users authorized_keys over nfs as root
Message-ID: <20030516180328.8D8C894450@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=220

------- Additional Comments From mouring at eviladmin.org 2003-05-17 04:03 -------
There really is no way to detect this without root.

From markus at openbsd.org Sat May 17 05:24:57 2003
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 16 May 2003 21:24:57 +0200
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <20030516061931.GC29525@folly>
References: <20030516061931.GC29525@folly>
Message-ID: <20030516192456.GA16145@folly>

On Fri, May 16, 2003 at 08:19:31AM +0200, Markus Friedl wrote:
> On Thu, May 15, 2003 at 10:44:33AM -0700, Booker Bense wrote:
> > - Then you are never going to support GSSAPI and you should just
> > say so and we can get on with our lives.
>
> If the GSSAPI was simple integration would be more likely.

just to repeat myself: a small patch for user authentication (no kex and other fancy things) for GSSAPI would be more likely accepted.

From bbense at SLAC.Stanford.EDU Sat May 17 05:54:07 2003
From: bbense at SLAC.Stanford.EDU (Booker Bense)
Date: Fri, 16 May 2003 12:54:07 -0700 (PDT)
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <20030516062238.GD29525@folly>
References: <20030514150756.366349f9.jfh@cise.ufl.edu> <3EC2A611.614798C6@anl.gov> <3EC2D9F2.1070109@mindrot.org> <3EC3AD61.4050907@mindrot.org> <20030516062238.GD29525@folly>
Message-ID:

On Fri, 16 May 2003, Markus Friedl wrote:
> On Thu, May 15, 2003 at 12:19:09PM -0700, Booker Bense wrote:
> > But
> > the second IMHO is fatally flawed. You could argue that it's not
> > necessary given that the host is already authenticated via the
> > TLS layer, but it's a flaw that can be exploited. IMHO, checking
> > the mutual authentication is a requirement when you also
> > implement tgt forwarding.
>
> So we should add code that's 100 times as large just to have an
> additional way to authenticate a server that's already authenticated?
>

- The GSSAPI patches do a lot more than that and you know it. If it were my realm, I would insist on it. The server is not authenticated via kerberos, the TLS layer is subject to "social engineering" MITM attacks. Kerberos mutual authentication is not. But hey, it's clear to me that no matter what I or anybody else says you are not going to do anything different.

There is one question I would like answered.

Is there any chance ever of the current GSSAPI patches ever being adopted? What would have to happen in order for the patches to be adopted?

- The code is already effectively forked, there just isn't a lot of support structure around the GSSAPI fork. This issue is going to come up with every release, I think you should at least have a rational answer.

_ Booker C. Bense

From deraadt at cvs.openbsd.org Sat May 17 06:09:40 2003
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Fri, 16 May 2003 14:09:40 -0600
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: Your message of "Fri, 16 May 2003 12:54:07 PDT."
Message-ID: <200305162009.h4GK9eKZ020446@cvs.openbsd.org>

We have a very rational answer to the GSSAPI issue.

The code is too large. Large blocks of code contain more errors. OpenSSH strives to be more secure for everyone, and not risk their security for a gigantic piece of functionality that less than 0.001% of the user community wants.

Simplicity reigns. OpenSSH is a security sensitive piece of software. Designing gigantic addons to try to improve security is a ridiculous mistake; I am still astounded by how many people keep building increasingly complicated components to be used in security sensitive applications.

You want GSSAPI in OpenSSH? Start simplifying it so that we can trust it won't compromise the security of everyone else. This is your task, not ours.

I can't believe people keep talking about MITM attacks when buffer overflows plague so many pieces of software. So you want to solve MITM attacks using how many lines of code that might have buffer overflows, integer overflows, and who knows what else? Are you that completely out of touch with the current state of what is being attacked?

I think this mail from me is being as nice as possible considering this constant bullshit that arrives in my mailbox about this; if this continued spew of rude mail from GSSAPI proponents keeps coming to the OpenSSH group, you might prepare for having even more Kerberos components being ripped out. Adjust your attitude. You may not talk to us like that.

From mouring at etoh.eviladmin.org Sat May 17 06:05:15 2003
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 16 May 2003 15:05:15 -0500 (CDT)
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To:
Message-ID:

On Fri, 16 May 2003, Booker Bense wrote:
> On Fri, 16 May 2003, Markus Friedl wrote:
>
> > On Thu, May 15, 2003 at 12:19:09PM -0700, Booker Bense wrote:
> > > But
> > > the second IMHO is fatally flawed. You could argue that it's not
> > > necessary given that the host is already authenticated via the
> > > TLS layer, but it's a flaw that can be exploited. IMHO, checking
> > > the mutual authentication is a requirement when you also
> > > implement tgt forwarding.
> >
> > So we should add code that's 100 times as large just to have an
> > additional way to authenticate a server that's already authenticated?
> >
>
> - The GSSAPI patches do a lot more than that and you know it. If

Bingo..you hit the nail on the head. Can we say it a bit louder so the people in the back row can hear you? =)

> it were my realm, I would insist on it. The server is not
> authenticated via kerberos, the TLS layer is subject to
> "social engineering" MITM attacks. Kerberos mutual authentication
> is not. But hey, it's clear to me that no matter what I or
> anybody else says you are not going to do anything different.
> There is one question I would like answered.
>
> Is there any chance ever of the current GSSAPI patches ever
> being adopted? What would have to happen in order for the
> patches to be adopted?
>

"Under 1,000 lines of code..."

"A simple/reasonable subset of the GSSAPI specs."

That is what I've heard from Markus and others on the issue publicly and privately.

> - The code is already effectively forked, there just isn't
> a lot of support structure around the GSSAPI fork. This issue
> is going to come up with every release, I think you should
> at least have a rational answer.
>

There "isn't a lot of support structure around . This issue is going to come up with every release[..]" For each one a reason has been given. IF you don't agree.. That is fine, but don't dismiss that a reason has been given.

- Ben

From bugzilla-daemon at mindrot.org Sat May 17 08:21:04 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 17 May 2003 08:21:04 +1000 (EST)
Subject: [Bug 220] sshd fails to read other users authorized_keys over nfs as root
Message-ID: <20030516222104.678D894495@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=220

------- Additional Comments From djm at mindrot.org 2003-05-17 08:21 -------
Do we know what platforms are broken? If so, just put it in the big case() statement...

From bugzilla-daemon at mindrot.org Sat May 17 09:38:19 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 17 May 2003 09:38:19 +1000 (EST)
Subject: [Bug 225] Supression of login warning banner for noninteractive commands
Message-ID: <20030516233819.E58C894265@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=225

------- Additional Comments From djm at mindrot.org 2003-05-17 09:38 -------
Please attach your patch to the bug rather than pasting it into the comments field (which corrupts patches).

From bugzilla-daemon at mindrot.org Sat May 17 09:44:58 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 17 May 2003 09:44:58 +1000 (EST)
Subject: [Bug 238] sshd.pid file written AFTER key generation causes race condition
Message-ID: <20030516234458.552B794225@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=238

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

------- Additional Comments From djm at mindrot.org 2003-05-17 09:44 -------
I don't think we will change the default behaviour. I think it better that we record a pid only after the daemon is fully started up, to do otherwise would be misleading.

From dtucker at zip.com.au Sat May 17 10:47:28 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 17 May 2003 10:47:28 +1000
Subject: blibpath changes for AIX
References: <3EC3AC2C.597DFAAA@de.ibm.com>
Message-ID: <3EC586A0.D1FDB051@zip.com.au>

Markus Alt wrote:
> So the new behaviour is a kind of security measure if I understand this
> correctly. And I will have to judge whether I trust the installation in
> the given directory, but this will not happen automatically. Makes
> sense.

Yes, if you're using shared libraries and putting them somewhere unusual then you need to tell configure about it.

It would be nice if the AIX linker only added a given directory to blibpath if there was a shared library there that it needed. If there were only static libraries in a given path then it would be used at link time but not added to blibpath. That way everything that currently works would still work but there would be fewer nasty surprises.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From bugzilla-daemon at mindrot.org Sat May 17 15:18:38 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 17 May 2003 15:18:38 +1000 (EST)
Subject: [Bug 14] Can't change expired /etc/shadow password without PAM
Message-ID: <20030517051838.8B61B944C6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=14

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  BugsThisDependsOn|                            |463

------- Additional Comments From dtucker at zip.com.au 2003-05-17 15:18 -------
Scott Burch found a bug in the PAM+PrivSep case which would cause password changes to fail. Binaries compiled without PAM are not affected.

There's an updated patch against 3.6.1p2:
http://www.zip.com.au/~dtucker/openssh/openssh-3.6.1p2-passexpire20.patch

I'm not going to update the patch against -current until bug #463 is sorted out one way or another since it adds some infrastructure (Buffer loginmsg and a monitor call) that this patch needs.

From bugzilla-daemon at mindrot.org Sat May 17 15:18:40 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 17 May 2003 15:18:40 +1000 (EST)
Subject: [Bug 463] PrintLastLog doesn't work in privsep mode
Message-ID: <20030517051840.53BE1944CE@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=463

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 OtherBugsDependingO|                            |14
              nThis|                            |

From bugzilla-daemon at mindrot.org Sat May 17 17:15:26 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 17 May 2003 17:15:26 +1000 (EST)
Subject: [Bug 569] Problem compiling openssh 3.6.1p2
Message-ID: <20030517071526.EE67994258@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=569

           Summary: Problem compiling openssh 3.6.1p2
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: pierre42d at 9online.fr

Hi,

I try to compile openssh-3.6.1p2 on my GNU/Linux system with gcc-3.2. There was no problem with the configure, but for the make I got this:

# gmake
(cd openbsd-compat && gmake)
gmake[1]: Entering directory `/tmp/openssh-3.6.1p2/openbsd-compat'
gmake[1]: Nothing to be done for `all'.
gmake[1]: Leaving directory `/tmp/openssh-3.6.1p2/openbsd-compat'
gcc -s -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/local/BerkeleyDB.4.1/lib -lpthread -lgpm -lssh -lopenbsd-compat -lutil -lz -lnsl -lcrypto -lcrypt
./libssh.a(rsa.o): In function `rsa_generate_additional_parameters':
rsa.o(.text+0x284): undefined reference to `BN_mod'
rsa.o(.text+0x2b6): undefined reference to `BN_mod'
collect2: ld returned 1 exit status
gmake: *** [ssh] Error 1

It would be great if you could help me with this!

Best regards,
Pierre.

From bugzilla-daemon at mindrot.org Sat May 17 17:37:01 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 17 May 2003 17:37:01 +1000 (EST)
Subject: [Bug 569] Problem compiling openssh 3.6.1p2
Message-ID: <20030517073701.30B7694262@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=569

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

------- Additional Comments From djm at mindrot.org 2003-05-17 17:37 -------
*** This bug has been marked as a duplicate of 462 ***

From bugzilla-daemon at mindrot.org Sat May 17 17:37:03 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 17 May 2003 17:37:03 +1000 (EST)
Subject: [Bug 462] compile failure with openssl 0.9.7
Message-ID: <20030517073703.36F8B944DD@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=462

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pierre42d at 9online.fr

------- Additional Comments From djm at mindrot.org 2003-05-17 17:37 -------
*** Bug 569 has been marked as a duplicate of this bug. ***

From linux_4ever at yahoo.com Sat May 17 22:03:12 2003
From: linux_4ever at yahoo.com (Steve G)
Date: Sat, 17 May 2003 05:03:12 -0700 (PDT)
Subject: opensshd fd_set definition problem
Message-ID: <20030517120312.46686.qmail@web9605.mail.yahoo.com>

Hello,

I have been playing with valgrind + openssh-3.5p1 as distributed in Red Hat 9. In the report, I get this:

==1059== Invalid read of size 4
==1059==    at 0x40170B7D: vgAllRoadsLeadToRome_select (vg_intercept.c:612)
==1059==    by 0x40170DF2: __select (vg_intercept.c:681)
==1059==    by 0x804E4C6: (within /usr/sbin/sshd)
==1059==    by 0x403DC5CC: __libc_start_main (in /lib/libc-2.3.2.so)
==1059==    by 0x804C560: (within /usr/sbin/sshd)
==1059==    Address 0x41363BFC is 0 bytes after a block of size 4 alloc'd
==1058== checked 5467064 bytes.

This turns out to be around line 1261 in sshd.c:

	fd_set *fdset;
	...snip...
	fdsetsz = howmany(maxfd+1, NFDBITS) * sizeof(fd_mask);
	fdset = (fd_set *)xmalloc(fdsetsz);
	...snip...
	ret = select(maxfd+1, fdset, NULL, NULL, NULL);

My question is why don't you use:

	fdsetsz = sizeof( fd_set );

The 2.4.20 Linux kernel defines fd_set like this:

#define __NFDBITS	(8 * sizeof(unsigned long))
#define __FD_SETSIZE	1024
#define __FDSET_LONGS	(__FD_SETSIZE/__NFDBITS)

typedef struct {
	unsigned long fds_bits [__FDSET_LONGS];
} __kernel_fd_set;

This is a different size than the code in openssh. XFree86's Xpoll.h has a definition for fd_set, but it's wrapped with #ifdef BSD. It's just like the one in openssh, but not used under linux.

So, what are your thoughts? Could a test be put into configure and platforms that have fd_set use the sizeof(fd_set) and those that need the BSD style, do something different?

I'm not sure what the effects of this problem are. Valgrind also shows an illegal memory write upon return from select.

Best Regards,
Steve Grubb

From bugzilla-daemon at mindrot.org Sun May 18 02:03:46 2003
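The two sizing rules in the report above, side by side, as an added example that is not OpenSSH's sshd.c: the minimal howmany()-based allocation, the defensive "never smaller than sizeof(fd_set)" allocation that keeps a full-size reader such as the valgrind intercept inside the block, and a bounds-checked FD_SET so a descriptor the buffer cannot hold is refused rather than written past the end. The fd_word/FD_WORD_BITS names are stand-ins for fd_mask/NFDBITS, and the code assumes the fd_set word layout shared by BSD and glibc (an array of unsigned long, least significant bit first).

```c
/* Added example (not OpenSSH code): dynamically sized fd_set with both
 * sizing rules and a bounds-checked FD_SET.  Assumes the BSD/glibc layout:
 * fd lives in bit (fd % FD_WORD_BITS) of word (fd / FD_WORD_BITS). */
#include <stdlib.h>
#include <sys/select.h>

typedef unsigned long fd_word;              /* stand-in for fd_mask  */
#define FD_WORD_BITS (8 * sizeof(fd_word))  /* stand-in for NFDBITS  */

#ifndef howmany
#define howmany(x, y) (((x) + ((y) - 1)) / (y))
#endif

struct dyn_fdset {
    fd_set *set;     /* buffer handed to select(2) */
    size_t  bytes;   /* bytes actually allocated */
    int     maxfd;   /* highest descriptor the buffer can represent */
};

/* Rule quoted from sshd.c: just enough words to hold bits 0..maxfd.
 * select(2) itself reads no further than bit maxfd (nfds = maxfd + 1). */
size_t fdset_bytes_minimal(int maxfd)
{
    return howmany((size_t)maxfd + 1, FD_WORD_BITS) * sizeof(fd_word);
}

/* Defensive rule: never smaller than the platform's fixed fd_set, so a
 * consumer that assumes sizeof(fd_set) (a libc wrapper, a tracing tool
 * like the valgrind intercept in the report) cannot read past the block. */
size_t fdset_bytes_safe(int maxfd)
{
    size_t n = fdset_bytes_minimal(maxfd);
    return n > sizeof(fd_set) ? n : sizeof(fd_set);
}

int dyn_fdset_init(struct dyn_fdset *d, int maxfd)
{
    if (maxfd < 0)
        return -1;
    d->bytes = fdset_bytes_safe(maxfd);
    d->set = calloc(1, d->bytes);       /* zero-filled: FD_ZERO for any size */
    if (d->set == NULL)
        return -1;
    d->maxfd = (int)(d->bytes * 8) - 1; /* bits the buffer really owns */
    return 0;
}

/* Bounds-checked FD_SET: refuse a descriptor the buffer cannot hold
 * instead of writing past its end (the classic fd_set overflow). */
int dyn_fdset_set(struct dyn_fdset *d, int fd)
{
    fd_word *w = (fd_word *)d->set;

    if (fd < 0 || fd > d->maxfd)
        return -1;
    w[fd / FD_WORD_BITS] |= (fd_word)1 << (fd % FD_WORD_BITS);
    return 0;
}

int dyn_fdset_isset(const struct dyn_fdset *d, int fd)
{
    const fd_word *w = (const fd_word *)d->set;

    if (fd < 0 || fd > d->maxfd)
        return 0;
    return (int)((w[fd / FD_WORD_BITS] >> (fd % FD_WORD_BITS)) & 1);
}

void dyn_fdset_free(struct dyn_fdset *d)
{
    free(d->set);
    d->set = NULL;
    d->bytes = 0;
    d->maxfd = -1;
}
```

On a platform with FD_SETSIZE 1024 the minimal rule yields one word for a small maxfd while sizeof(fd_set) is 128 bytes, which is exactly the gap the valgrind report points at.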
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 18 May 2003 02:03:46 +1000 (EST)
Subject: [Bug 440] Protocol 1 server key generated at start up even when P1 not used
Message-ID: <20030517160346.5A358944BA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=440

bruno at wolff.to changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

------- Additional Comments From bruno at wolff.to 2003-05-18 02:03 -------
The problem still exists in 3.6.1, but upon rereading what I posted, I see I didn't describe the problem accurately.

The problem occurs when running sshd with the -i option with both protocol 1 and protocol 2 enabled. If someone connects using protocol 2, the protocol 1 ephemeral key is still generated. You can see this by running sshd with the -ddd option.

The ephemeral key generation is skipped if protocol 1 is disabled. But when the -i option is used even if protocol 1 is enabled if the current connection uses protocol 2 the generated ephemeral key will never be used. Hence not generating it under those conditions seems like a good idea.

From bugzilla-daemon at mindrot.org Sun May 18 10:19:42 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 18 May 2003 10:19:42 +1000 (EST)
Subject: [Bug 517] bad "put" arg parsing
Message-ID: <20030518001942.ABECB94210@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=517

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|openssh-unix-dev at mindrot.org|openssh-bugs at mindrot.org

From djm at mindrot.org Sun May 18 10:39:49 2003
From: djm at mindrot.org (Damien Miller)
Date: Sun, 18 May 2003 10:39:49 +1000
Subject: Administrivia: New openssh-bugs@mindrot.org mailing list
Message-ID: <3EC6D655.1080504@mindrot.org>

Hi,

Rather than melting my mailserver by sending every Bugzilla change to the ~700 member openssh-unix-dev mailing list, I have created a new read-only openssh-bugs list to receive these Bugzilla messages. If you would like to receive notifications of new or changed bugs, please subscribe to that list.

The reply-to address on the new list points back to the openssh-unix-dev list, and all discussion will continue there.

Thanks,
Damien Miller

From bugzilla-daemon at mindrot.org Sun May 18 11:23:50 2003
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 18 May 2003 11:23:50 +1000 (EST)
Subject: [Bug 220] sshd fails to read other users authorized_keys over nfs as root
Message-ID: <20030518012350.AE3F29420C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=220

------- Additional Comments From mouring at eviladmin.org 2003-05-18 11:23 -------
Ok.. I did the audit and remember what I changed. The change I made may be racy since I replaced the fchdir() and added getcwd() to ensure more portable (AKA worked on NeXTStep).

The only other platform I know that may be affected is Solaris (which currently does not define it).

Does Solaris and AIX support fchdir()? If so I'd love to revert out of my hack. I foresee NeXTStep going away very soon. So it may be a good time.

From smoogen at lanl.gov Mon May 19 07:24:23 2003
From: smoogen at lanl.gov (Stephen Smoogen)
Date: Sun, 18 May 2003 15:24:23 -0600 (MDT)
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <200305162009.h4GK9eKZ020446@cvs.openbsd.org>
Message-ID:

Thank you Markus and Theo for explaining the reasons for not including the current GSSAPI patches. I had asked on the list at least once, and had looked through the archives but never gotten much of a response. Also thank you for being more pleasant in your responses than you might have needed to be (or what I am used to when you get your dander up.)

I would have preferred seeing the GSSAPI work in there as it makes our windows/unix integration easier, but at this point, I see why it will need to be a separate issue for a while.

On Fri, 16 May 2003, Theo de Raadt wrote:

-- 
Stephen John Smoogen		smoogen at lanl.gov
Los Alamos National Labrador  CCN-5 Sched 5/40  PH: 5-8058
Ta-03 SM-261 MailStop P208 DP 17U  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --

From dtucker at zip.com.au Mon May 19 09:43:54 2003
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 19 May 2003 09:43:54 +1000
Subject: OpenSSH -current segfaults on HP-UX+gcc
Message-ID: <3EC81ABA.EC473402@zip.com.au>

Hi All.

As of last night, sshd now segfaults on HP-UX (11.00, gcc 3.2.2) on startup.

I've single-stepped through the code in freeaddrinfo and it's called with a valid *addrinfo, follows ai_next once then for some reason attempts to deref the second pointer which is NULL.

Suspecting a compiler/optimization bug I recompiled fake-getaddrinfo.c without optimization but that made no difference.

If I change the for loop to "for(;ai != NULL; next = ai ? ai->ai_next : NULL)" then it works, but I can't see why the code does not work as written.

Any ideas?

-Daz.

# gdb -q ./sshd
(gdb) set args -ddd -p 2022 -o UsePrivilegeSeparation=no
(gdb) run
Starting program: /home/dtucker/openssh-cvs/hpux/sshd -ddd -p 2022 -o UsePrivilegeSeparation=no
[snip]
Server listening on 0.0.0.0 port 2022.

Program received signal SIGSEGV, Segmentation fault.
0x00047854 in freeaddrinfo (ai=0x0) at ../../openbsd-compat/fake-getaddrinfo.c:39
39              for(;ai != NULL; next = ai->ai_next) {
(gdb) info args
ai = (struct addrinfo *) 0x0
(gdb) bt
#0  0x00047854 in freeaddrinfo (ai=0x0) at ../../openbsd-compat/fake-getaddrinfo.c:39
#1  0x00012340 in main (ac=2139032224, av=0x4) at ../sshd.c:1192
(gdb) frame 0
#0  0x00047854 in freeaddrinfo (ai=0x0) at ../../openbsd-compat/fake-getaddrinfo.c:39
39              for(;ai != NULL; next = ai->ai_next) {
(gdb) list
34      void
35      freeaddrinfo(struct addrinfo *ai)
36      {
37              struct addrinfo *next;
38
39              for(;ai != NULL; next = ai->ai_next) {
40                      free(ai);
41                      ai = next;
42              }
43      }

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From djm at mindrot.org Mon May 19 09:50:54 2003
From: djm at mindrot.org (Damien Miller)
Date: Mon, 19 May 2003 09:50:54 +1000
Subject: OpenSSH -current segfaults on HP-UX+gcc
In-Reply-To: <3EC81ABA.EC473402@zip.com.au>
References: <3EC81ABA.EC473402@zip.com.au>
Message-ID: <3EC81C5E.7080905@mindrot.org>

Darren Tucker wrote:
> Hi All.
> As of last night, sshd now segfaults on HP-UX (11.00, gcc 3.2.2) on
> startup.
>
> I've single-stepped through the code in freeaddrinfo and it's called with
> a valid *addrinfo, follows ai_next once then for some reason attempts to
> deref the second pointer which is NULL.
>
> Suspecting a compiler/optimization bug I recompiled fake-getaddrinfo.c
> without optimization but that made no difference.
>
> If I change the for loop to "for(;ai != NULL; next = ai ? ai->ai_next :
> NULL)" then it works, but I can't see why the code does not work as
> written.

That would be my breakage - I'll fix.

-d

From deengert at anl.gov Tue May 20 00:43:12 2003
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 19 May 2003 09:43:12 -0500
Subject: OpenSSH, GSSAPI and the Grid Security Infrastructure - GSI
References:
Message-ID: <3EC8ED80.903FCBAF@anl.gov>

Ben Lindstrom wrote:
>
> On Fri, 16 May 2003, Booker Bense wrote:
>
> > - The GSSAPI patches do a lot more than that and you know it. If
>
> Bingo..you hit the nail on the head. Can we say it a bit louder so
> the people in the back row can hear you? =)
>

There is another community of users, who want to use OpenSSH with the GSSAPI, but not with Kerberos. This is the grid computing community. A component of the Globus Toolkit, GSI is a GSSAPI implementation using X509 certificates, and it supports delegation.

See http://www.globus.org and http://www-fp.globus.org/security/overview.html

You might also be interested in the Globus Grid Forum, a user's group for the Grid. See http://www.ggf.org/

So including the GSSAPI modifications would address the needs of both the Grid community, and the Kerberos community. So please consider the adoption of Simon's modifications.

-- 
 Douglas E. Engert  
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

From bbense at SLAC.Stanford.EDU Tue May 20 00:52:13 2003
From: bbense at SLAC.Stanford.EDU (Booker Bense)
Date: Mon, 19 May 2003 07:52:13 -0700 (PDT)
Subject: Kerberos and OpenSSH - Was:Kerberos password auth/expiry kbdint patch
In-Reply-To: <200305162009.h4GK9eKZ020446@cvs.openbsd.org>
References: <200305162009.h4GK9eKZ020446@cvs.openbsd.org>
Message-ID:

On Fri, 16 May 2003, Theo de Raadt wrote:
> We have a very rational answer to the GSSAPI issue.
>
> The code is too large. Large blocks of code contain more errors.
> OpenSSH strives to be more secure for everyone, and not risk their
> security for a gigantic piece of functionality that less than < 0.001%
> of the user community wants.
>
> I think this mail from me is being as nice as possible considering
> this constant bullshit that arrives in my mailbox about this; if this
> continued spew of rude mail from GSSAPI proponents keeps coming to the
> OpenSSH group, you might prepare for having even more Kerberos
> components being ripped out. Adjust your attitude. You may not talk
> to us like that.

- If you've been offended, my apologies. I'm just trying to convey what I believe to be a fundamental technical error.

- Frankly, I would much prefer that you not provide any kerberos support if you aren't going to implement the protocol correctly.

There are two issues here.

1. Adding the GSSAPI patches.

2. Adding the kerberos-2 at ssh.com code to the default distribution.

- Clearly, your answer to the first is "never in a useful form".

From xpto at yhaoo.com.br Tue May 20 12:03:08 2003
From: michael.leelun at citigroup.com (Lee-Lun, Michael [IT])
Date: Tue, 20 May 2003 12:18:03 -0400
Subject: Sshd and domain authentication

Is there a way to run sshd on a windows 2000 server and have ssh clients
authenticate to it using domain level authentication?

Mike

From: deengert at anl.gov (Douglas E. Engert)
Date: Tue, 20 May 2003 13:01:05 -0500
Subject: Sshd and domain authentication
Message-ID: <3ECA6D61.52C36584@anl.gov>

"Lee-Lun, Michael [IT]" wrote:
>
> Is there a way to run sshd on a windows 2000 server and have ssh clients
> authenticate to it using domain level authentication?

Almost. Windows 2000 uses Kerberos for authentication, and the SSPI which
is an early version of the Kerberos GSSAPI. It uses the same protocol as
the Kerberos GSSAPI. So if the ssh client and server use the GSSAPI then
you are close.

You still need a server for Windows. There may be one out there.

>
> Mike
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From: scott.burch at camberwind.com (Scott Burch)
Date: 20 May 2003 13:19:37 -0500
Subject: Sshd and domain authentication
Message-ID: <1053453898.8826.10.camel@localhost>

Mike,

You can do this with pam_smb or the pam modules included with versions of
samba where you compile the winbind component. I can provide more details
if you'd like. I don't do this, but I did play with the winbind component
of samba to see how it worked, it was interesting but not really useful in
the large distributed environment that I work in. Winbind maps Windows 2000
gids and rids into UNIX uids and gids..so essentially you can provide
services on UNIX without creating a UNIX account for your Windows users.
There is even this very scary module on Linux that can create home
directories on the fly (obviously some things like ssh require a home
directory to store .ssh, etc.), but this is not something I would do!

If you want more details I can provide them.

-Scott

On Tue, 2003-05-20 at 11:18, Lee-Lun, Michael [IT] wrote:
> Is there a way to run sshd on a windows 2000 server and have ssh clients
> authenticate to it using domain level authentication?
>
> Mike

--
Scott Burch
From: scott.burch at camberwind.com (Scott Burch)
Date: 20 May 2003 13:19:37 -0500
Subject: Sshd and domain authentication
Message-ID: <1053454764.8839.22.camel@localhost>

Mike,

This can be done using either pam_smb or the pam modules included with the
winbind component of samba. The latter maps Windows rids and gids to UNIX
uids and gids, so essentially you can give Windows users access to UNIX
resources without creating duplicate UNIX accounts for those users. I've
used both pieces of software to do various things and tested the winbind
pieces of samba to see if it would work with ssh (for fun)..it did. For
ssh you still have to create home directories (for .ssh, etc.). There is a
pam module for Linux that will even create home directories on the fly
(dangerous in my opinion), but might be useful to some people (this piece
does not work on Solaris). I am not using winbind, because there wasn't
yet centralized management of the mapping of rids/gids to uids/gids..it
was on a server by server basis. I tend to use pam_smb in instances where
some UNIX application needs only to get authentication...most of our users
have accounts in the Active Directory, but not in UNIX (and creating a
shell account just to authenticate is overkill). Ultimately all
authentication will go through LDAP, but that whole system is not in place
yet.

If you want more details on any of this I can provide them offline.

-Scott

On Tue, 2003-05-20 at 11:18, Lee-Lun, Michael [IT] wrote:
> Is there a way to run sshd on a windows 2000 server and have ssh clients
> authenticate to it using domain level authentication?
>
> Mike

--
Scott Burch
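As an added, concrete version of the winbind route Scott describes above (assumed settings, not a configuration anyone in this thread published), these are the three files that have to agree on a Linux host whose sshd was built with --with-pam: smb.conf joins the box to the domain and gives winbind a uid/gid range to map Windows RIDs into, nsswitch.conf makes the mapped accounts visible to getpwnam() so sshd can find a shell and home directory for them, and the sshd PAM stack lets pam_winbind check the password against a domain controller. The domain name EXAMPLE, the 10000-20000 ranges and the paths are assumptions; the pam_mkhomedir line is the "create home directories on the fly" module Scott warns about and is left commented out.

```text
# --- /etc/samba/smb.conf (Samba 2.2 / 3.0 era winbind settings; domain
#     name and id ranges are assumptions for this example) ---
[global]
   workgroup = EXAMPLE
   security = domain
   password server = *
   # Domain RIDs are mapped into these local ranges the first time they are
   # seen; the mapping lives in this host's winbindd_idmap.tdb and is not
   # shared with any other host.
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   # What getpwnam() reports for a domain user; sshd needs both to exist.
   template shell = /bin/bash
   template homedir = /home/%D/%U

# --- /etc/nsswitch.conf: local files first, then winbindd ---
passwd:     files winbind
group:      files winbind

# --- /etc/pam.d/sshd: domain password first, local accounts as fallback ---
auth       sufficient   pam_winbind.so
auth       required     pam_unix.so use_first_pass
account    sufficient   pam_winbind.so
account    required     pam_unix.so
session    required     pam_unix.so
# Creates the home directory at first login, as root, for anyone the domain
# lets in: the "very scary" module.  Leave it off unless that is intended.
#session   optional     pam_mkhomedir.so skel=/etc/skel umask=0077
```

Join the host with the Samba tools of the day (smbpasswd -j EXAMPLE -U Administrator on 2.2, net join -U Administrator on 3.0), start winbindd, and check each layer before touching sshd: wbinfo -t confirms the machine trust account, wbinfo -u lists domain users, getent passwd 'EXAMPLE+alice' proves the nsswitch side, and wbinfo -a 'EXAMPLE+alice%password' exercises the same authentication path pam_winbind uses. Two caveats follow directly from Scott's notes: the RID-to-uid mapping is per host, so EXAMPLE+alice can be uid 10003 on one server and 10017 on another, which breaks shared NFS home directories and any authorized_keys file copied between hosts; and public-key logins still need a resolvable account with a readable ~/.ssh, so the template home directory must already exist or be created somehow.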
From: vinschen at redhat.com (Corinna Vinschen)
Date: Tue, 20 May 2003 20:23:42 +0200
Subject: Sshd and domain authentication
In-Reply-To: <3ECA6D61.52C36584@anl.gov>
References: <3ECA6D61.52C36584@anl.gov>
Message-ID: <20030520182342.GA19367@cygbert.vinschen.de>

On Tue, May 20, 2003 at 01:01:05PM -0500, Douglas E. Engert wrote:
>
>
> "Lee-Lun, Michael [IT]" wrote:
> >
> > Is there a way to run sshd on a windows 2000 server and have ssh clients
> > authenticate to it using domain level authentication?
>
> Almost. Windows 2000 uses Kerberos for authentication, and the SSPI which
> is an early version of the Kerberos GSSAPI. It uses the same protocol as
> the Kerberos GSSAPI. So if the ssh client and server use the GSSAPI then
> you are close.
>
> You still need a server for Windows. There may be one out there.

You can do this with a Cygwin sshd. But it needs a well maintained
/etc/passwd and /etc/group files containing the domain accounts which are
allowed to login.

Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From: vinschen at redhat.com (Corinna Vinschen)
Date: Tue, 20 May 2003 21:40:40 +0200
Subject: Sshd and domain authentication
Message-ID: <20030520194040.GB19367@cygbert.vinschen.de>

On Tue, May 20, 2003 at 03:17:47PM -0400, Lee-Lun, Michael [IT] wrote:
> This is what I am using now, but this won't work well in our environment. I
> want to be able to let users login to an ssh host and use the NT domain to
> authenticate directly without using etc/passwd. How can this be done?

Without /etc/passwd not with Cygwin sshd.

Please keep replies on list. I've redirected this mail back to the
openssh-unix-dev mailing list.

Corinna

> -----Original Message-----
> From: Corinna Vinschen [mailto:vinschen at redhat.com]
> Sent: Tuesday, May 20, 2003 2:24 PM
> To: 'openssh-unix-dev at mindrot.org'
> Subject: Re: Sshd and domain authentication
>
>
> On Tue, May 20, 2003 at 01:01:05PM -0500, Douglas E. Engert wrote:
> >
> >
> > "Lee-Lun, Michael [IT]" wrote:
> > >
> > > Is there a way to run sshd on a windows 2000 server and have ssh
> > > clients authenticate to it using domain level authentication?
> >
> > Almost. Windows 2000 uses Kerberos for authentication, and the SSPI
> > which
> > is an early version of the Kerberos GSSAPI. It uses the same protocol as
> > the Kerberos GSSAPI. So if the ssh client and server use the GSSAPI then
> > you are close.
> >
> > You still need a server for Windows. There may be one out there.
>
> You can do this with a Cygwin sshd. But it needs a well maintained
> /etc/passwd and /etc/group files containing the domain accounts which are
> allowed to login.
>
> Corinna
> [...]

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From: skeleten at shillest.net (Norihiko Murase)
Date: Wed, 21 May 2003 06:26:02 +0900
Subject: One strange configure option for SIA
Message-ID: <20030521062602.35a19d%skeleten@shillest.net>

Hi, develop members:

When I installed OpenSSH after reading the document INSTALL, I found one
typo in this document. The configure option for OSF1's Security Integration
Architecture is -osfsia, NOT -sia. The following is the patch for fixing
this typo:

---(cut here)--- --- INSTALL.orig Thu Jul 25 13:36:25 2002 +++ INSTALL Wed May 21 06:21:12 2003 @@ -125,3 +125,3 @@ ---with-sia, --without-sia will enable or disable OSF1's Security +--with-osfsia, --without-osfsia will enable or disable OSF1's Security Integration Architecture. The default for OSF1 machines is enable. ---(cut here)---

---
Norihiko Murase
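Review bot: the hunk header @@ -125,3 +125,3 @@ promises three old and three new lines, but only two of each survive in what was pasted (the removed ---with-sia line, the added +--with-osfsia line, and the trailing "Integration Architecture" context line), so one context line, presumably the one just before the option, has been lost and the patch will not apply as shown; please re-send it as an attachment or with the missing line so the counts match. The substitution itself is the right fix on its own terms: INSTALL names an option (--with-sia) that configure, as you report, does not accept, and --with-osfsia is the one it does. Since that sentence is being rewritten anyway, "The default for OSF1 machines is enable" would read more naturally as "is to enable it".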
From: djm at mindrot.org (Damien Miller)
Date: Thu, 22 May 2003 11:58:56 +1000
Subject: Testing
Message-ID: <3ECC2EE0.8070503@mindrot.org>

Testing the new mailing list software, please ignore.

-d

From: VBrimhall at novell.com (Vince Brimhall)
Date: Thu, 22 May 2003 03:41:44 -0000
Subject: Changes to OpenSSH for NetWare

I have attached the diff file with the changes to existing OpenSSH source
files to accommodate the NetWare platform. All changes are #ifdef wrapped
using one of the following defines:

HAVE_NETWARE - Building for NetWare
USE_EDIR - Using eDirectory(TM) for authentication.
NICI - Using Novell International Cryptography Infrastructure (NICI)

I have successfully built the OpenSSH-3.5p1 source with my changes on
RedHat 7.2 and 8.0. If an inline text diff would be easier to work with,
I can provide that as well.

Regards,

Vince Brimhall
Senior Software Engineer
Web Services
801.861.1724
vbrimhall at novell.com
Novell, Inc., The leading provider of Net Business Solutions
http://www.novell.com

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: diff.txt
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030522/44b0e606/attachment.txt
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor)
Date: Thu, 22 May 2003 10:42:18 -0400
Subject: sshd crashing on IRIX (3.6.1p1)
Message-ID: <3ECCE1CA.3080706@daac.gsfc.nasa.gov>

Occasionally, we're noticing that sshd is core dumping on our IRIX 6.5.18f
machine. The only time we've really noticed it is when users are logging in
with putty from offsite (although I'm not really sure it's a client issue).
The user manages to log in, sshd apparently core dumps, but the user is not
logged out, the privilege separated user is still running their own personal
sshd spawn, and the parent is 1, so the root owned sshd process is gone.
wtmp is not updated, so the only way you can tell the user is logged in is
by listing their processes. The end user doesn't notice that anything
happened...and this doesn't ALWAYS happen, but I can't correlate any system
event and this. It will happen when the system is first started, and it
will happen when it's busier.

dbx output of the core file lists this (removed user info):

>  0 realfree(0x101522c8, 0x101520d8, 0x0, 0x6d642e63, 0x6d642e60, 0x1, 0x10166958, 0x0) ["/xlv86/patches/5015/work/irix/lib/libc/libc_n32_M4/gen/malloc.c":538, 0xfb24694]
   1 cleanfree(0x0, 0x101520d8, 0x0, 0x6d642e63, 0x6d642e60, 0x1, 0x10166958, 0x0) ["/xlv86/patches/5015/work/irix/lib/libc/libc_n32_M4/gen/malloc.c":944, 0xfb24eac]
   2 __malloc(0x260, 0x101520d8, 0x0, 0x6d642e63, 0x6d642e60, 0x1, 0x10166958, 0x0) ["/xlv86/patches/5015/work/irix/lib/libc/libc_n32_M4/gen/malloc.c":230, 0xfb240e0]
   3 _malloc(0x0, 0x101520d8, 0x0, 0x6d642e63, 0x6d642e60, 0x1, 0x10166958, 0x0) ["/xlv86/patches/5015/work/irix/lib/libc/libc_n32_M4/gen/malloc.c":186, 0xfb23f4c]
   4 xmalloc(size = 608) ["/usr/local/src/security/openssh-3.6.1p1/xmalloc.c":28, 0x10065934]
   5 login_alloc_entry(pid = 13759, username = 0x101520d8 = "user", hostname = 0x101522a8 = "offsite.address.com", line = 0x1014a22c = "/dev/ttyq7") ["/usr/local/src/security/openssh-3.6.1p1/loginrec.c":325, 0x10048aa0]
   6 record_login(pid = 13759, ttyname = 0x1014a22c = "/dev/ttyq7", user = 0x101520d8 = "user", uid = ####, host = 0x101522a8 = "offsite.address.com", addr = 0x7fff24b0, addrlen = 16) ["/usr/local/src/security/openssh-3.6.1p1/sshlogin.c":72, 0x1002be58]
   7 mm_record_login(s = 0x1014a1f8, pw = 0x1015dbb8) ["/usr/local/src/security/openssh-3.6.1p1/monitor.c":1030, 0x10042c24]
   8 mm_answer_pty(socket = 6, m = 0x7fff25a0) ["/usr/local/src/security/openssh-3.6.1p1/monitor.c":1080, 0x10042ecc]
   9 monitor_read(pmonitor = 0x10152650, ent = 0x10137750, pent = (nil)) ["/usr/local/src/security/openssh-3.6.1p1/monitor.c":371, 0x10040ef4]
  10 monitor_child_postauth(pmonitor = 0x10152650) ["/usr/local/src/security/openssh-3.6.1p1/monitor.c":334, 0x10040d4c]
  11 privsep_postauth(authctxt = 0x10151560) ["/usr/local/src/security/openssh-3.6.1p1/sshd.c":665, 0x10025f18]
  12 main(ac = 1, av = 0x7fff2fa4) ["/usr/local/src/security/openssh-3.6.1p1/sshd.c":1533, 0x10028a28]
  13 __start() ["/xlv55/kudzu-apr12/work/irix/lib/libc/libc_n32_M4/csu/crt1text.s":177, 0x100249e8]

Any helpful thoughts?

--
Kevin Taylor
Systems Administrator - DAAC, Code 902, Bldg 32, Rm N126A
Science Systems and Applications, Inc.
Goddard Space Flight Center
Greenbelt, MD 20771
Phone: (301) 614-5505
e-mail: ktaylor at daac.gsfc.nasa.gov
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 23 May 2003 15:09:33 +1000
Subject: sshd crashing on IRIX (3.6.1p1)
References: <3ECCE1CA.3080706@daac.gsfc.nasa.gov>
Message-ID: <3ECDAD0D.584B5BC0@zip.com.au>

Kevin Taylor wrote:
> Occasionally, we're noticing that sshd is core dumping on our IRIX
> 6.5.18f machine.
[snip]
> Any helpful thoughts?

Is there anything (eg a "fatal") in wherever syslog is sending sshd's
logs (possibly authlog)?

A change recently went into sshd so the monitor will pass some signals
on to its child, but SEGV isn't one of them. Should the monitor shut
down the child in this case too? It probably shouldn't pass the SEGV
through but maybe it should send a SIGTERM instead?

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
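Darren's question above (should the monitor take the child down when it dies?) and Kevin's observation that the unprivileged sshd survived, reparented to init, both come down to the child having no way to notice that its monitor is gone. The following C program is an added illustration of one portable way to give it that notice; it is not code from OpenSSH or from anyone in this thread. The monitor holds the write end of a pipe it never writes to, the child blocks on the read end, and a monitor that dies for any reason, including a SIGSEGV inside malloc() like the one in the trace, has that write end closed by the kernel, which hands the child an EOF. The process layout, the exit codes, the "gone" token and the five-second timeout are assumptions made for this example.

```c
/*
 * Added illustration, not OpenSSH code: tie a privilege-separated child to
 * its monitor so the child cannot outlive a monitor that dies by SIGSEGV.
 *
 * The monitor holds the write end of a pipe it never writes to; the child
 * blocks on the read end.  When the monitor dies for any reason, including a
 * crash that runs no cleanup code, the kernel closes the write end, the
 * child's read() returns 0, and the child shuts itself down instead of being
 * reparented to init and carrying on unsupervised.  Exit codes and the
 * "gone" token are assumptions made for this example.
 */
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CHILD_EXIT_ON_EOF 42    /* status the child exits with on monitor loss */

/* Child side: block until the monitor disappears, report it, then exit. */
static void child_main(int monitor_fd, int report_fd)
{
    char c;
    ssize_t w;

    for (;;) {
        ssize_t n = read(monitor_fd, &c, 1);
        if (n == 0)                         /* EOF: the monitor is gone */
            break;
        if (n < 0 && errno == EINTR)        /* interrupted, try again */
            continue;
        if (n < 0)                          /* any other error: treat as loss */
            break;
        /* n == 1: a real child would handle a monitor message here */
    }
    w = write(report_fd, "gone", 4);        /* tell the harness we noticed */
    (void)w;
    _exit(CHILD_EXIT_ON_EOF);
}

/* Monitor side: create the tie, fork the child, then die (crash or exit). */
static void monitor_main(int report_fd, int crash)
{
    int tie[2];
    pid_t pid;

    if (pipe(tie) == -1)
        _exit(1);
    pid = fork();
    if (pid == -1)
        _exit(1);
    if (pid == 0) {
        close(tie[1]);                      /* child keeps only the read end */
        child_main(tie[0], report_fd);      /* never returns */
    }
    close(tie[0]);                          /* monitor keeps only the write end */
    if (crash)
        raise(SIGSEGV);                     /* stand-in for the malloc() crash */
    _exit(0);                               /* a clean exit also closes tie[1] */
}

/*
 * Run one monitor/child pair.  Returns 1 when the child noticed the monitor's
 * death (and, if a crash was requested, the monitor really died by SIGSEGV),
 * 0 when the child kept running past its monitor, -1 on harness failure.
 */
int run_tied_pair(int crash)
{
    int report[2], status = 0, noticed = 0, crashed;
    pid_t mon;
    struct pollfd pfd;
    char buf[8] = { 0 };

    if (pipe(report) == -1)
        return -1;
    mon = fork();
    if (mon == -1)
        return -1;
    if (mon == 0) {
        close(report[0]);
        monitor_main(report[1], crash);     /* never returns */
    }
    close(report[1]);                       /* only the child holds a writer now */

    while (waitpid(mon, &status, 0) == -1 && errno == EINTR)
        ;
    crashed = WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV;

    /* The child is a grandchild, so it cannot be waited for; give it up to
     * five seconds to report.  A child that never notices times out here. */
    pfd.fd = report[0];
    pfd.events = POLLIN;
    if (poll(&pfd, 1, 5000) > 0) {
        ssize_t n = read(report[0], buf, sizeof buf - 1);
        noticed = (n == 4 && memcmp(buf, "gone", 4) == 0);
    }
    close(report[0]);
    return crash ? (crashed && noticed) : noticed;
}

int main(void)
{
    printf("monitor crashes, child follows: %s\n",
           run_tied_pair(1) == 1 ? "yes" : "NO");
    printf("monitor exits cleanly, child follows: %s\n",
           run_tied_pair(0) == 1 ? "yes" : "NO");
    return 0;
}
```

run_tied_pair(1) makes the monitor die with SIGSEGV and run_tied_pair(0) lets it exit normally; both return 1 because the child follows its monitor either way, which is the property Kevin's reparented sshd lacked. In a real daemon the child would poll the tie descriptor alongside its session descriptors rather than block on it, and the monitor would still want its own fatal-signal path so that the crash gets logged. Whether OpenSSH should adopt something like this is exactly what Darren is asking; the mechanism here is one possible answer, not the project's.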
From: ktaylor at eosdata.gsfc.nasa.gov (Kevin Taylor)
Date: Fri, 23 May 2003 06:13:51 -0400
Subject: sshd crashing on IRIX (3.6.1p1)
In-Reply-To: <3ECDAD0D.584B5BC0@zip.com.au>
References: <3ECCE1CA.3080706@daac.gsfc.nasa.gov> <3ECDAD0D.584B5BC0@zip.com.au>
Message-ID: <3ECDF45F.8030303@daac.gsfc.nasa.gov>

Darren Tucker wrote:
> Kevin Taylor wrote:
>
>> Occasionally, we're noticing that sshd is core dumping on our IRIX
>> 6.5.18f machine.
>
> [snip]
>
>> Any helpful thoughts?
>
> Is there anything (eg a "fatal") in wherever syslog is sending sshd's
> logs (possibly authlog)?
>
> A change recently went into sshd so the monitor will pass some signals
> on to its child, but SEGV isn't one of them. Should the monitor shut
> down the child in this case too? It probably shouldn't pass the SEGV
> through but maybe it should send a SIGTERM instead?

I didn't see any fatals related to this particular crash, although we're
only logging at the INFO level. Unfortunately, logging at a debug level
might be more than we can handle.

I do like the 'feature' that the user is not getting logged out in this
case, but like you mention, it's probably not what should properly happen
in the code.

I've opened bugzilla case #574 on this. There's some more notes about
things we've discovered in looking through the core dump. Apparently the
system calls are listed in reverse order when looking through dbx, I
didn't know that, so I was looking in the wrong place to start. We
basically think that the problem might be stemming from the
verify_reverse_mapping functions. We noticed in the core files that on
occasion, sshd was garbling the hostname that people were logging in
from, and after we disabled VerifyReverseMapping in the sshd_config, the
core dumps seemed to have subsided, however I'd like to be able to turn
that back on in the future, because it's a useful function at times.
From: djm at mindrot.org (Damien Miller)
Date: Sat, 24 May 2003 02:13:14 +1000
Subject: Administrivia: mailing list updates
Message-ID: <3ECE489A.7080905@mindrot.org>

Hi,

You may have noticed some small changes to the list over the last few days. These are a result of the mailing list server and software being upgraded. This has brought several changes:

1. Automatic detection of bouncing subscribers

The newer version of the list software encodes an individual return-path address to detect recipients whose mail is bouncing. If too many bounces are detected, their subscription will be disabled. If you think this has happened to you, please use the list web interface to reactivate yourself.

2. Changes to list headers

The upgrade to the newer version of Mailman changed the headers that are automatically added to each message that passes through the list. This will likely have broken some users' mail filtering software (it broke mine...). Use the X-Been-Here or List-Id headers to filter on, as these are unlikely to change.

3. Better spam blocking

I have also installed a recent version of SpamAssassin and have trained its Bayesian filtering with spam I have been collecting for around eight years (>15,000 messages). This was switched on a few minutes ago, so _hopefully_ we should see less spam on the list from now on.

There may be a few more minor changes in the near future, the most notable of which will be the blocking of HTML email.

Please report any problems to me.

Thanks,
Damien Miller

From: jason at devrandom.org (Jason McCormick)
Date: Sat, 24 May 2003 00:08:43 -0400
Subject: ssh-agent asking for passphrase on non-keyed connections
Message-ID: <200305240008.43265.jason@devrandom.org>

I'm running into some odd behavior that I can't figure out that I'm hoping someone can help me with. After years of SSH usage, I've decided to exchange one laziness for another and use ssh-agent. However, I'm running into an odd instance where ssh is asking for the passphrase to my key stored in ~/.ssh/id_dsa when attempting to connect to a machine with nothing in ~/.ssh/authorized_keys and the key properly active in ssh-agent. For example:

    [user at host ~]$ ssh user at foo
    Last login: Mon May 12 15:06:33 2003 from host
    [user at foo ~]$

It never asks for a passphrase and I'm logged in perfectly. However, now if I ssh to root on the same box (with no /root/.ssh/authorized_keys) I'm prompted for the passphrase for my key and then prompted for the password for root. For example:

    [user at host ~]$ ssh root at foo
    Enter passphrase for key '/home/user/.ssh/id_dsa':
    root at foo's password:
    Last login: Tue May 6 11:44:59 2003 from host
    [root at foo root]#

After talking with Ben, I was under the impression that the correct/desired behavior is that I would only be prompted for the root at foo password. Any thoughts or suggestions on this? I didn't see anything in the FAQ or mailing list about this, so I'm assuming I have a configuration glitch somewhere.

-- 
Jason McCormick jason at devrandom.org
GPG Key: http://www.devrandom.org/gpgkey.php
GPG Fingerprint: 66C5 2B15 3E34 2B5E 5321 6147 303A DCE6 0A74 A19C

From: markus at openbsd.org (Markus Friedl)
Date: Sat, 24 May 2003 10:42:14 +0200
Subject: ssh-agent asking for passphrase on non-keyed connections
In-Reply-To: <200305240008.43265.jason@devrandom.org>
References: <200305240008.43265.jason@devrandom.org>
Message-ID: <20030524084214.GB10789@folly>

On Sat, May 24, 2003 at 12:08:43AM -0400, Jason McCormick wrote:
> I'm running into some odd behavior that I can't figure out that I'm
> hoping someone can help me with. After years of SSH usage, I've
> decided to exchange one laziness for another and use ssh-agent.
> However I'm running into an odd instance where ssh is asking for the
> passphrase to my key stored in ~/.ssh/id_dsa when attempting to connect
> to a machine with nothing in ~/.ssh/authorized_keys and the key
> properly active in ssh-agent. For example:
>
> [user at host ~]$ ssh user at foo
> Last login: Mon May 12 15:06:33 2003 from host
> [user at foo ~]$
>
> Never asks for a passphrase and I'm logged in perfectly. However now
> if I ssh to root on the same box (with no /root/.ssh/authorized_keys)
> I'm prompted for the passphrase for my key and then prompted for the
> password for root. For example:
>
> [user at host ~]$ ssh root at foo
> Enter passphrase for key '/home/user/.ssh/id_dsa':
> root at foo's password:
> Last login: Tue May 6 11:44:59 2003 from host
> [root at foo root]#

Do you have ssh -vvv output?

From: lion_3875 at sina.com (李昂)
Date: Sat, 24 May 2003 17:40:52 +0800
Subject: a question make me crazy
Message-ID: <20030524094131.DD34127C188@shitei.mindrot.org>

Hi:

Now I have a headache with an embedded product: I need to port OpenSSH to this platform. Its arch is ARCA1 (a Chinese CPU), but that's not important.

OK, I compiled openssh3.3.6p1 with the ARCA1 compiler; that's fine.

After I put it on the platform, a message shows on the screen: "PRNG is not seeded".

God! I searched for a solution for a whole day, but no result.

My OpenSSL version is 0.9.6, and my system does not have the RANDOM device; maybe that is the cause?

What can I do? Copy a '/dev/random' and '/dev/urandom' to /dev on the ARCA1 platform from anywhere in an x86 system? I tried, but failed.

Please give me a solution for this problem; it's really important for me.

Thanks a lot,
Linux fans

lion_3875 at sina.com
2003-05-24

From: Jan.de.Haan at Essent.nl (Haan, de, Jan)
Date: Sat, 24 May 2003 12:17:35 +0200
Subject: a question make me crazy
Message-ID: <939E0CBCEF91D311861400508B62C07A059F0E29@NT-EXCH-ZW1>

For what it's worth: no expert, but you probably need another source of randomness on your ARCA1 platform for ssh. Search for a port of /dev/random or PRNG. Maybe ssh itself supports other sources; look for build options, something like '--random='.

Sincerely,
Jan.

> hi:
>
> Now, i have a headache for a embeded product, i need port openssh to this
> platform,
> it's arch is ARCA1(a chinese CPU), it's not important.
>
> ok, i compiled the openssh3.3.6p1 with arca1 compiler, it's ok.
>
> after i put it on the platform, a message show me on the screen----PRNG is
> not seeded.
>
> God! i search solution for a whole day, but no result.
>
> my openssl version is 0.9.6, my system have not the device RANDOM, may be
> caused by this reason?
>
> what can i do? copy a '/dev/random' and '/dev/urandom' to /dev on the
> ARCA1 platform from any where in x86 system? i tried, but failed.
>
> give me a solution for this problem please, it's really important for me.
>
> thanks a lot, linux fans
>
> lion_3875 at sina.com
>
> 2003-05-24

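A concrete version of Jan's advice, added here as an example and not part of the thread. On a Linux target (the original post does not say which kernel the ARCA1 board runs; Linux is an assumption here), /dev/random and /dev/urandom are character device nodes backed by the kernel's random driver (major 1, minors 8 and 9), so copying them from an x86 box as ordinary files cannot work: they have to be created with mknod, and the target kernel has to contain the driver. Where no such device exists at all, OpenSSH portable of this era can be built with --with-rand-helper (ssh-rand-helper gathers entropy by running the commands listed in ssh_prng_cmds) or pointed at a prngd/egd socket with --with-prngd-socket. The sh functions below report which of those applies to a target root filesystem and create the nodes when they are missing; the /var/run/egd-pool socket path is the conventional prngd location and is assumed, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread.  Inspect a target root filesystem
# (the board's root mounted or staged on the build host) for a usable
# kernel random device and say which OpenSSH entropy option applies.

# True if PATH is a character device node (not a regular file copied
# from another machine, which is the mistake described in the post).
is_char_dev() {
    [ -c "$1" ]
}

# Print the entropy source an OpenSSH build on this root can use:
#   urandom  - OpenSSL seeds itself from /dev/urandom, nothing to do
#   prngd    - a prngd/egd socket is present; configure with
#              --with-prngd-socket=/var/run/egd-pool (assumed path)
#   none     - configure --with-rand-helper and fill in ssh_prng_cmds
entropy_source() {
    root=${1:-}
    if is_char_dev "$root/dev/urandom"; then
        echo urandom
    elif [ -S "$root/var/run/egd-pool" ]; then
        echo prngd
    else
        echo none
    fi
}

# Create the device nodes under $root/dev.  Needs root privileges and
# assumes Linux major/minor numbers (1,8 random; 1,9 urandom).  The nodes
# only work if the target kernel was built with the random driver.
make_random_nodes() {
    root=${1:-}
    is_char_dev "$root/dev/random"  || mknod -m 644 "$root/dev/random"  c 1 8
    is_char_dev "$root/dev/urandom" || mknod -m 644 "$root/dev/urandom" c 1 9
}
```

Run entropy_source against the staged root before configuring; if make_random_nodes creates the nodes but a read from the new /dev/urandom on the board fails, the kernel lacks the driver and the rand-helper or prngd route is the one to take.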
From: jason at devrandom.org (Jason McCormick)
Date: Sun, 25 May 2003 13:08:47 -0400
Subject: ssh-agent asking for passphrase on non-keyed connections
In-Reply-To: <20030524084214.GB10789@folly>
References: <200305240008.43265.jason@devrandom.org> <20030524084214.GB10789@folly>
Message-ID: <200305251308.48046.jason@devrandom.org>

> do you have ssh -vvv output?

I've put two outputs on my website so I don't clutter the list:

http://www.devrandom.org/~jason/agent-success.txt
http://www.devrandom.org/~jason/agent-failure.txt

The first log is my successful session from my workstation to a server using my username 'jason'. The server has my key in ~/.ssh/authorized_keys. The second log is my ssh-ing to the same machine to root, which has no ~/.ssh/authorized_keys file.

From looking at the logs it looks as if SSH is going through ~/.ssh and trying anything it finds in id* while not acknowledging that ~/.ssh/id_dsa is already stored in the agent.

-- 
Jason McCormick jason at devrandom.org
GPG Key: http://www.devrandom.org/gpgkey.php
GPG Fingerprint: 66C5 2B15 3E34 2B5E 5321 6147 303A DCE6 0A74 A19C

From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl)
Date: Mon, 26 May 2003 11:36:19 +0200
Subject: Error on Reliant Unix: no controlling terminal

Hi all,

I just tried to upgrade openssh from 3.5p1 to 3.6.1p2 on Reliant Unix 5.45 and ran into this error:

    root at soltest: tail /var/adm/log/messages
    ....
    May 23 15:45:28 soltest unix: sshd[4013]: Accepted password for root from 10.128.11.72 port 2624 ssh2
    May 23 15:45:28 soltest unix: sshd[4101]: error: setsid: Not owner
    May 23 15:45:28 soltest unix: sshd[4101]: error: open /dev/tty failed - could not set controlling tty: No such device or address

The shell tells me that it has no controlling tty:

    root at soltest: ps
    ps: can't find controlling terminal
    root at soltest: bash
    bash: no job control in this shell

The configure command was:

    ../configure --prefix=/opt/openssh --sysconfdir=/etc --with-privsep-user=sshd --with-zlib=/usr/local/lib --with-ssl-dir=/home/hendl/openssl-0..9.7b --with-tcp-wrappers=/home/hendl/tcp_wrappers_7.6 --with-rand-helper --with-default-path=/usr/bin:/usr/local/bin:/usr/sbin:/sbin:/opt/bin:/opt/openssh/bin

Does anybody have a solution?

Thanks!
Stephan

-- 
LDS Brandenburg
Dr. Stephan Hendl
fon: +49-(0)331-39 471 fax: +49-(0)331-27548 1187 mobil: +49-(0)160-90 645 893
EMail: stephan.hendl at lds.brandenburg.de

From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 26 May 2003 19:47:42 +1000
Subject: Error on Reliant Unix: no controlling terminal
Message-ID: <3ED1E2BE.37F55929@zip.com.au>

Stephan Hendl wrote:
> I just tried to upgrade openssh from 3.5p1 to 3.6.1p2 on Reliant Unix 5.45 and ran into this error:
>
> root at soltest: tail /var/adm/log/messages
> ....
> May 23 15:45:28 soltest unix: sshd[4013]: Accepted password for root from 10.128.11.72 port 2624 ssh2
> May 23 15:45:28 soltest unix: sshd[4101]: error: setsid: Not owner
> May 23 15:45:28 soltest unix: sshd[4101]: error: open /dev/tty failed - could not set controlling tty: No such device or address

Try adding "#define STREAMS_PUSH_ACQUIRES_CTTY 1" to config.h and recompiling.

Is Reliant a Sys-V derivative? We might need to add it to the list of broken pty implementations. See [1] for the gory details.

[1] http://bugzilla.mindrot.org/show_bug.cgi?id=245

-- 
Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From: markus at openbsd.org (Markus Friedl)
Date: Mon, 26 May 2003 12:56:52 +0200
Subject: ssh-agent asking for passphrase on non-keyed connections
In-Reply-To: <200305251308.48046.jason@devrandom.org>
References: <200305240008.43265.jason@devrandom.org> <20030524084214.GB10789@folly> <200305251308.48046.jason@devrandom.org>
Message-ID: <20030526105652.GA80@folly>

On Sun, May 25, 2003 at 01:08:47PM -0400, Jason McCormick wrote:
> > do you have ssh -vvv output?
>
> From looking at the logs it looks as if SSH is going through ~/.ssh and
> trying anything it finds in id* while not acknowledging that
> ~/.ssh/id_dsa is already stored in the agent.

Yes, that's the problem. These keys are tried twice. This should be fixed in the next release.

From: markus at openbsd.org (Markus Friedl)
Date: Mon, 26 May 2003 12:59:24 +0200
Subject: ssh-agent asking for passphrase on non-keyed connections
In-Reply-To: <200305251308.48046.jason@devrandom.org>
References: <200305240008.43265.jason@devrandom.org> <20030524084214.GB10789@folly> <200305251308.48046.jason@devrandom.org>
Message-ID: <20030526105924.GA30903@folly>

On Sun, May 25, 2003 at 01:08:47PM -0400, Jason McCormick wrote:
> > do you have ssh -vvv output?
>
> I've put two outputs on my website so I don't clutter the list:
>
> http://www.devrandom.org/~jason/agent-success.txt
> http://www.devrandom.org/~jason/agent-failure.txt
>
> The first log is my successful session from my workstation to a server
> using my username 'jason'. The server has my key in
> ~/.ssh/authorized_keys. The second log is my ssh-ing to the same
> machine to root that has no ~/.ssh/authorized_keys file.

Is there a ~/.ssh/id_dsa.pub file? If not, then the ssh client does not know the public key and needs the passphrase, since it needs to figure out if the matching key is in root's ~/.ssh/authorized_keys file.

From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl)
Date: Mon, 26 May 2003 13:54:33 +0200
Subject: Error on Reliant Unix: no controlling terminal

Hi Darren,

thank you - now it works!!!

The system is a

    root at soltest: uname -a
    ReliantUNIX-N soltest 5.45 B1007 RM400 1/256 R4000

The system is a Sys-V R4 derivative, similar to earlier Solaris versions.

Thanks once more,
Stephan

-- 
LDS Brandenburg
Dr. Stephan Hendl
fon: +49-(0)331-39 471 fax: +49-(0)331-27548 1187 mobil: +49-(0)160-90 645 893
EMail: stephan.hendl at lds.brandenburg.de

>>> Darren Tucker 05/26 11:47 >>>
Stephan Hendl wrote:
> I just tried to upgrade openssh from 3.5p1 to 3.6.1p2 on Reliant Unix 5.45 and ran into this error:
>
> root at soltest: tail /var/adm/log/messages
> ....
> May 23 15:45:28 soltest unix: sshd[4013]: Accepted password for root from 10.128.11.72 port 2624 ssh2
> May 23 15:45:28 soltest unix: sshd[4101]: error: setsid: Not owner
> May 23 15:45:28 soltest unix: sshd[4101]: error: open /dev/tty failed - could not set controlling tty: No such device or address

Try adding "#define STREAMS_PUSH_ACQUIRES_CTTY 1" to config.h and recompiling.

Is Reliant a Sys-V derivative? We might need to add it to the list of broken pty implementations. See [1] for the gory details.

[1] http://bugzilla.mindrot.org/show_bug.cgi?id=245

-- 
Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From: jason at devrandom.org (Jason McCormick)
Date: Mon, 26 May 2003 08:19:39 -0400
Subject: ssh-agent asking for passphrase on non-keyed connections
In-Reply-To: <20030526105924.GA30903@folly>
References: <200305240008.43265.jason@devrandom.org> <200305251308.48046.jason@devrandom.org> <20030526105924.GA30903@folly>
Message-ID: <200305260819.39449.jason@devrandom.org>

> is there a ~/.ssh/id_dsa.pub file?

Ahhhh.... no, I didn't leave the .pub file there; I moved it to authorized_keys. It seems to have the correct behaviour now, but I'll test it further. Guess I should leave default-created files alone. :)

-- 
Jason McCormick jason at devrandom.org
GPG Key: http://www.devrandom.org/gpgkey.php
GPG Fingerprint: 66C5 2B15 3E34 2B5E 5321 6147 303A DCE6 0A74 A19C

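Markus's explanation is worth turning into a check. Added example, not part of the thread: ssh(1) offers every identity file it finds, and the only way it can learn which public key belongs to a file such as ~/.ssh/id_dsa without decrypting it is the matching id_dsa.pub. With the .pub moved away, the client must prompt for the passphrase just to derive the public half, even though the agent already holds the key. The sh functions below list identities in a directory that lack their .pub and regenerate one from the private key with ssh-keygen -y; ssh-add -L prints what the agent is actually holding. The directory layout and file names (id_* with a .pub beside each) are the default ssh-keygen convention and the only assumption made.

```shell
#!/bin/sh
# Added example, not from the thread.  Find private identities in an
# ~/.ssh-style directory that have no matching .pub file.  Without the
# .pub, the client has to decrypt the private key to learn the public
# half it should offer, so it asks for the passphrase even when the key
# is already loaded in ssh-agent.

# Print the base name of every id_* private key under DIR whose .pub is missing.
missing_pubkeys() {
    dir=$1
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue             # glob matched nothing
        case $key in *.pub) continue ;; esac  # skip the public halves themselves
        [ -f "$key.pub" ] || echo "${key##*/}"
    done
}

# Regenerate KEY.pub from KEY.  ssh-keygen -y prints the public key of a
# private key file (prompting for its passphrase once).  Mode 644 is what
# ssh-keygen itself gives a .pub; the private key stays 600.
restore_pubkey() {
    key=$1
    ssh-keygen -y -f "$key" > "$key.pub" && chmod 644 "$key.pub"
}

# Usage from an interactive shell:
#   for k in $(missing_pubkeys ~/.ssh); do restore_pubkey ~/.ssh/"$k"; done
#   ssh-add -L        # confirm the agent holds the same public key
```

Keep the regenerated .pub beside the private key; the server-side authorized_keys is a separate copy, so moving the file there, as happened in the thread, is exactly what brings the prompt back.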
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 26 May 2003 22:26:28 +1000
Subject: Error on Reliant Unix: no controlling terminal
Message-ID: <3ED207F4.F9034E5C@zip.com.au>

Stephan Hendl wrote:
[about "#define STREAMS_PUSH_ACQUIRES_CTTY 1"]
> thank you - now it works!!!
>
> The System is a
> root at soltest: uname -a
> ReliantUNIX-N soltest 5.45 B1007 RM400 1/256 R4000
>
> The system is a Sys-V R4 derivative, similar to earlier Solaris versions.

OK, so Solaris needs it (BTW in -current the define is now called SSHD_ACQUIRES_CTTY since some Linuxes need it for a different reason), Reliant (which is *-sni-sysv*, right?) needs it, MP-RAS (is that *-ncr-sysv*?) needs it. Any other SysV-based systems need it?

Does the attached patch work? It should fix Reliant and MP-RAS[1]. Note: you will need the CVS tree or a recent snapshot[2] to apply it, and you will need to run "autoreconf" to rebuild configure, then "./configure && make".

[1] http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=105095786124907
[2] ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/

-- 
Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

-------------- next part --------------
Index: configure.ac =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v retrieving revision 1.123 diff -u -r1.123 configure.ac --- configure.ac 19 May 2003 23:24:42 -0000 1.123 +++ configure.ac 26 May 2003 12:10:54 -0000
@@ -294,10 +294,11 @@ AC_DEFINE(USE_PIPES) ;; *-ncr-sysv*) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" + CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=1 -D_XOPEN_SOURCE_EXTENDED=1 -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" LIBS="$LIBS -lc89" AC_DEFINE(USE_PIPES) + AC_DEFINE(SSHD_ACQUIRES_CTTY) ;; *-sni-sysv*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" @@ -306,6 +307,7 @@ IPADDR_IN_DISPLAY=yes AC_DEFINE(USE_PIPES) AC_DEFINE(IP_TOS_IS_BROKEN) + AC_DEFINE(SSHD_ACQUIRES_CTTY) # /usr/ucblib/libucb.a no longer needed on ReliantUNIX # Attention: always take care to bind libsocket and libnsl before libc, # otherwise you will find lots of "SIOCGPGRP errno 22" on syslog From ayamura at ayamura.org Tue May 27 03:19:42 2003 From: ayamura at ayamura.org (Ayamura KIKUCHI) Date: Tue, 27 May 2003 02:19:42 +0900 Subject: [patch] port-irix.c: refine jlimit support Message-ID: <863cj1wrpt.wl@sea.ayamura.org> --- openbsd-compat/port-irix.c.orig 2002-04-07 03:58:33.000000000 +0900 +++ openbsd-compat/port-irix.c 2003-05-27 02:11:07.620000380 +0900 @@ -7,6 +7,12 @@ #endif /* WITH_IRIX_PROJECT */ #ifdef WITH_IRIX_JOBS #include +#include +# if !defined(JLIMIT_CPU) +typedef __int64_t jid_t; +extern jid_t jlimit_startjob(char *, uid_t, char *); +# pragma optional jlimit_startjob +# endif #endif #ifdef WITH_IRIX_AUDIT #include @@ -27,10 +33,15 @@ #endif /* WITH_IRIX_JOBS */ #ifdef WITH_IRIX_JOBS - jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive"); - if (jid == -1) - fatal("Failed to create job container: %.100s", - strerror(errno)); + if (_MIPS_SYMBOL_PRESENT(jlimit_startjob)) { + jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive"); + if (jid == -1) { + if (errno == ENOPKG) + jid = 0; + else + fatal("Failed to create job container: %.100s", strerror(errno)); + } + } #endif /* WITH_IRIX_JOBS */ #ifdef WITH_IRIX_ARRAY /* initialize array session */ -- ayamura From mouring at etoh.eviladmin.org Tue May 27 03:19:51 2003 
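Review bot: the *-ncr-sysv* hunk of the configure.ac patch bundles two unrelated changes. Besides the AC_DEFINE(SSHD_ACQUIRES_CTTY) the thread is about, it rewrites the CPPFLAGS line to add -D_XOPEN_SOURCE=1 -D_XOPEN_SOURCE_EXTENDED=1, which changes the feature-test namespace for every file compiled on MP-RAS and is not mentioned in the covering mail. Either drop that from this patch or say in the mail what it fixes, and note that no MP-RAS user has confirmed the ctty define in this thread; the only evidence cited is the earlier list mail [1], so ask for a test report before committing.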
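Review bot: the *-sni-sysv* hunk of the configure.ac patch is backed only by Stephan's test of STREAMS_PUSH_ACQUIRES_CTTY on 3.6.1p2, while the mail itself says -current renamed the define to SSHD_ACQUIRES_CTTY; ask for one build from the CVS tree or snapshot with this AC_DEFINE(SSHD_ACQUIRES_CTTY) in place before committing. The hunk also adds the define right above an existing explanatory comment block ("/usr/ucblib/libucb.a no longer needed on ReliantUNIX ...") without a comment of its own; one line saying why ReliantUNIX needs sshd to acquire the controlling tty, with the bug #245 reference, would keep the platform section self-explanatory.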
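Review bot: in the first port-irix.c hunk, the fallback block under "# if !defined(JLIMIT_CPU)" hard-codes "typedef __int64_t jid_t;" and the jlimit_startjob() prototype, and "#pragma optional jlimit_startjob" together with the _MIPS_SYMBOL_PRESENT() test used in the second hunk are MIPSpro features: gcc ignores the unknown pragma and has no _MIPS_SYMBOL_PRESENT, so a WITH_IRIX_JOBS build with gcc will not compile. Either guard the block with a compiler check or add a configure test, and state the names of the two headers on the added #include lines in the covering mail, since they do not show here.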
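Review bot: in the second port-irix.c hunk, a failure of jlimit_startjob() with ENOPKG now sets jid = 0 silently, and when the symbol is absent jid is never assigned at all, so a login proceeds with no job container and nothing in the log. Log that downgrade at least at verbose()/debug() level, and make sure jid is initialised before this block, because the new code can fall through without touching it. The original two-line fatal() call has also been reflowed onto one line well over 80 columns; keep the original wrapping.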
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 26 May 2003 12:19:51 -0500 (CDT) Subject: [patch] port-irix.c: refine jlimit support In-Reply-To: <863cj1wrpt.wl@sea.ayamura.org> Message-ID: You sure this is complete? Last time someone proposed a patch like this it was incomplete. The patch from SGI was much more involved. - Ben On Tue, 27 May 2003, Ayamura KIKUCHI wrote: > --- openbsd-compat/port-irix.c.orig 2002-04-07 03:58:33.000000000 +0900 > +++ openbsd-compat/port-irix.c 2003-05-27 02:11:07.620000380 +0900 > @@ -7,6 +7,12 @@ > #endif /* WITH_IRIX_PROJECT */ > #ifdef WITH_IRIX_JOBS > #include > +#include > +# if !defined(JLIMIT_CPU) > +typedef __int64_t jid_t; > +extern jid_t jlimit_startjob(char *, uid_t, char *); > +# pragma optional jlimit_startjob > +# endif > #endif > #ifdef WITH_IRIX_AUDIT > #include > @@ -27,10 +33,15 @@ > #endif /* WITH_IRIX_JOBS */ > > #ifdef WITH_IRIX_JOBS > - jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive"); > - if (jid == -1) > - fatal("Failed to create job container: %.100s", > - strerror(errno)); > + if (_MIPS_SYMBOL_PRESENT(jlimit_startjob)) { > + jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive"); > + if (jid == -1) { > + if (errno == ENOPKG) > + jid = 0; > + else > + fatal("Failed to create job container: %.100s", strerror(errno)); > + } > + } > #endif /* WITH_IRIX_JOBS */ > #ifdef WITH_IRIX_ARRAY > /* initialize array session */ > > -- ayamura > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From ayamura at ayamura.org Tue May 27 05:16:40 2003 
From: ayamura at ayamura.org (Ayamura KIKUCHI)
Date: Tue, 27 May 2003 04:16:40 +0900
Subject: [patch] port-irix.c: refine jlimit support
In-Reply-To: (Ben Lindstrom's reply)
References: <863cj1wrpt.wl@sea.ayamura.org>
Message-ID: <861xylwmav.wl@sea.ayamura.org>

> You sure this is complete? Last time someone proposed a patch like this
> it was incomplete. The patch from SGI was much more involved.

I hope this is complete :-)

I can compile the modified port-irix.c with MIPSpro Compilers and use it.

    /* *************************************************************************
     * _MIPS_SYMBOL_PRESENT(_x)
     *
     * Returns 1 if the symbol '_x' is defined in the current
     * runtime environment. Returns 0 otherwise.
     *
     * NOTE: This is a valid check for any and all symbol types.
     ************************************************************************* */

-- ayamura

From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Mon, 26 May 2003 23:41:58 +0200
Subject: [Ans.]openssh3.5p1 version ... Password aging problem???
In-Reply-To: (Ben Lindstrom's reply)
References: <20030512135049.GB21130@foo.birdnet.se>
Message-ID: <20030526214158.GB25045@foo.birdnet.se>

On Mon, May 12, 2003 at 09:37:11AM -0500, Ben Lindstrom wrote:
> On Mon, 12 May 2003, Peter Stuge wrote:
>
> > What is the status on interfacing with the system passwd command for
> > changing passwords? It's only for non-PAM situations, but is it still
> >
> > Should I try to finish the prototype ASAP?
>
> Ugh.. Hell no.
>
> I believe the decision has been made to break from RFC and implement
> password change ala 'ssh1' style. The RFC is just too restrictive.

Ok. I'll probably finish it anyway just for fun, but I won't rush it then.

Thanks!

//Peter

From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Mon, 26 May 2003 23:45:39 +0200
Subject: [Ans.]openssh3.5p1 version ... Password aging problem???
In-Reply-To: <3EC0C059.EC47E53B@zip.com.au>
References: <014c01c31843$70e5f520$74f84bdc@skyhawk> <3EBF4862.8CEC2368@zip.com.au> <20030512135049.GB21130@foo.birdnet.se> <3EC0C059.EC47E53B@zip.com.au>
Message-ID: <20030526214539.GC25045@foo.birdnet.se>

On Tue, May 13, 2003 at 07:52:25PM +1000, Darren Tucker wrote:
> The chat-script method is only applicable to SSH2 (with
> MSG_USERAUTH_PASSWD_CHANGEREQ), if you want to support changes with
> protocol 1 you still need passwd-in-session[1]. I think the argument is
> that since it's needed anyway, using it for protocol 2 as well is the
> smallest set of changes.

Absolutely.

> > My binary implementing this is currently 6384 bytes when stripped.
>
> How many lines of code is that? Don't forget the reason you're doing this
> is so you don't need ~160 lines of platform-specific change functions
> (that's for AIX and shadow platforms) which is 4416 bytes stripped on
> Linux/i386.

Definitions and data are 65 lines, code 95 lines. Probably 30 more lines of code before it's done.

> [1] Someone (Frank?) proposed doing this via TIS challenge-response on
> Protocol 1. By my reading of the RFC you only get one challenge and one
> response so in order for that to work you'd need the user to respond with
> something like "oldpassword,newpassword". Of course, I could be wrong.

In any case, your first point is very valid.

//Peter

From: glemtp at yahoo.com (Greg Lambert)
Date: Wed, 28 May 2003 07:05:47 -0700 (PDT)
Subject: SSH1 security with Kerb5
Message-ID: <20030528140547.51639.qmail@web12203.mail.yahoo.com>

Hi,

I am trying to decide if it is worth the time to test the Kerberos support in a port I am working on of OpenSSH 3.5p1.

Does using Kerb5 with SSH1 solve the security problems inherent in protocol 1 and bring it up to par with the security level of SSH2, or are there other issues that Kerb5 authentication won't help for SSH1?

Thanks,
Greg Lambert

From: smoogen at lanl.gov (Stephen Smoogen)
Date: Wed, 28 May 2003 14:35:11 -0000
Subject: SSH1 security with Kerb5
In-Reply-To: <20030528140547.51639.qmail@web12203.mail.yahoo.com>
References: <20030528140547.51639.qmail@web12203.mail.yahoo.com>
Message-ID: <1054132519.12998.7.camel@smoogen1.lanl.gov>

On Wed, 2003-05-28 at 08:05, Greg Lambert wrote:
> Hi,
>
> I am trying to decide if it is worth the time to test the Kerberos
> support in a port I am working on of Openssh 3.5p1.
>
> Does using Kerb5 with SSH1 solve the security problems inherent in
> protocol 1 and bring it up to par with the security level of SSH2
> or are there other issues that Kerb5 authentication won't help for SSH1?

There are additional problems with how ssh1 does kerb5, in how it passes tickets and how it verifies the authenticity of the server. Depending on the Kerberos person you talk to, you are either lowering your security by using SSH1+Krb5 or just as vulnerable to SSH1 problems.

The two approaches to doing KRB5 in ssh2 seem to be at loggerheads of simplicity versus verification. To do the verification of kerb tickets and server/host/user, many are using GSSAPI. To be simple, the OpenSSH team is implementing a method used by some ssh.com v2 code. It fixes a problem with passing tickets before verifying the user, but it does not do some other krb5 verifications that some Kerberos people wish to see.

-- 
Stephen John Smoogen smoogen at lanl.gov
Los Alamos National Labrador CCN-5 Sched 5/40 PH: 4-0645 (note new #)
Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --

From: croeder at asrr.arsusda.gov (Carl E. Roeder)
Date: Wed, 28 May 2003 13:39:41 -0400 (EDT)
Subject: Execution problems with 3.4.p1 and 3.6.p1

Folks,

I have installed openssh-3.1.p1 and 3.4.p1 successfully in the past. When I tried to install 3.6.p1 it would not start. The init script created an error message to the effect that it could not find *ELF*. I then tried to reinstall 3.4.p1. Its startup said "Error 255 .../sshd .. bailing". I then installed the Solaris patch for /dev/random and reinstalled 3.4.p1... I got the error "sshd: Cannot find ELF Error 137 ... bailing".

This is on SUN Solaris 8 with prngd and openssl-0.9.6j. The only changes have been Solaris Recommended_8 patches and Solaris security patches.

Where can I find these error messages? I've checked the lists but was unable to find any references.

Thanks for any assistance you can provide.

Carl E. Roeder croeder at asrr.arsusda.gov
U.S. Department of Agriculture
Agricultural Research Service
Alternate Crops and Systems Laboratory
Beltsville, MD 20705 301/504-5844 fax 301/504-5823

From: bachue at bachue.com (Alejandro Forero Cuervo)
Date: Wed, 28 May 2003 12:58:38 -0500
Subject: [patch] starting byte offset in transfers with scp
In-Reply-To: <20030528140547.51639.qmail@web12203.mail.yahoo.com>
References: <20030528140547.51639.qmail@web12203.mail.yahoo.com>
Message-ID: <20030528175838.GA514@bachue.com>

Hi.

I made a patch for OpenSSH 3.6.1 that makes scp accept a -s option causing file transfers to start at a specified position (byte offset). This is useful to resume broken file transfers. If the position specified is negative, the transfer will start after the last byte in the local version of the file.

For example, I regularly have to update my local copy of some logs using scp. Rather than transfer the logs entirely every time, I will do:

    $ scp -s -1 user at server:/path/log server.log

scp will check the size of the (local) server.log file and use that as the starting position for the transfer, thus only transferring whatever has been appended after I last updated my copy. Previously I had to use something like:

    $ ssh -C user at server "dd bs=1 skip=`du -b server.log | cut -f1` if=/path/log" >>server.log

It is also possible to specify a given byte offset as in:

    $ scp -s 5000 user at server:/path/log server.log

As I said, when the offset is negative, scp will check the file size of the local version of the file. This makes it easy to resume broken downloads (as the first example shows) but is not very useful for local to remote transfers (uploads). For those one must somehow figure out the file size at the remote server and specify it explicitly.

The value of -s is ignored for local to local transfers. It is respected for all other transfers (local to remote, remote to local and remote to remote).

For this functionality to work, all the versions of scp involved must be patched. If any is unpatched and the -s parameter is specified, the usage error will be given to the user. These problems do not occur if the -s parameter is not used (or if it is used with a value of 0).

The patch is available at with MD5 1e188e93bb134fc92f97a83205fe2853.

Please apply it to the official version if you deem it appropriate. I would like to see scp servers support this functionality.

Thank you.

Alejo.
http://bachue.com/alejo

Ps: I had already sent a message like this to the list, and I got

    May 27 00:56:21 azul postfix/smtp[32747]: 45D554105: to=, relay=mail1.mindrot.org[203.36.198.97], delay=6, status=sent (250 Ok: queued as 9363527C189)

but I failed to receive it (or a message about it) and see it appear in the archives, and thus decided I would resend it.

-- 
The mere formulation of a problem is far more essential than its solution. -- Albert Einstein.

$0='!/sfldbi!yjoV0msfQ!sfiupob!utvK'x44;print map{("\e[7m \e[0m",chr ord (chop$0)-1)[$_].("\n")[++$i%77]}split//,unpack'B*',pack'H*',($F='F'x19). "F0F3E0607879CC1E0F0F339F3FF399C666733333CCF87F99E6133999999E67CFFCCF3". "219CC1CCC033E7E660198CCE4E66798303873CCE60F3387$F"#Don't you love Perl?

Alejo.
http://bachue.com/alejo

From: des at ofug.org (Dag-Erling Smorgrav)
Date: Wed, 28 May 2003 20:54:32 +0200
Subject: [PATCH] sshd unable to restart

An embedded message was scrubbed...
From: Tor.Egge at cvsup.no.freebsd.org
Subject: sshd unable to restart
Date: Sun, 25 May 2003 18:19:08 GMT
Size: 2853
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030528/47273c0e/attachment.mht

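An added example, not part of the post or of the patch: the same resume-by-offset idea in plain sh over an unmodified ssh, which is what the post's dd workaround does, but with tail -c instead of dd bs=1 (one read per byte), and with the integrity check that a bare -s offset lacks. Resuming from the local file's size is only correct when the remote file was appended to, not rewritten or rotated, so the example compares cksum output from both sides afterwards. RUN_REMOTE is the command used to execute the remote shell line; it defaults to ssh -C, and the test replaces it with a local stub so the logic runs without a server. Remote paths containing single quotes are not handled; that, and the function names, are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the post or the patch.  Resume an append-only
# file fetch: use the local copy's size as the byte offset and ask the
# remote side for everything after it, then verify both copies agree.

# Command that runs a shell line on HOST.  Defaults to ssh with compression;
# tests replace it with a local stub.
: "${RUN_REMOTE:=ssh -C}"

# Size in bytes of a local file, 0 if it does not exist.  wc -c is portable
# where du -b (used in the post) is GNU-only.
local_size() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# resume_fetch HOST REMOTE_PATH LOCAL_PATH
# Appends the remote bytes beyond the current local size to LOCAL_PATH.
resume_fetch() {
    host=$1 rpath=$2 lpath=$3
    off=$(local_size "$lpath")
    # tail -c +N starts at byte N (1-based), so +(off+1) skips off bytes.
    $RUN_REMOTE "$host" "tail -c +$((off + 1)) '$rpath'" >> "$lpath"
}

# verify_fetch HOST REMOTE_PATH LOCAL_PATH
# True if both files have the same cksum CRC and length.  A mismatch means
# the remote file was not simply appended to and the local copy is wrong.
verify_fetch() {
    host=$1 rpath=$2 lpath=$3
    r=$($RUN_REMOTE "$host" "cksum < '$rpath'")
    l=$(cksum < "$lpath")
    [ "$r" = "$l" ]
}

# Usage:
#   resume_fetch user@server /path/log server.log && \
#       verify_fetch user@server /path/log server.log || echo "copy diverged"
```

cksum is a CRC, not a MAC: it catches a rewritten or rotated log, not a deliberate tampering with either copy, and the transfer itself is protected by ssh.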
From: Jeff.Koenig at experian.com (Koenig, Jeff) Date: Wed, 28 May 2003 12:18:30 -0700 Subject: Execution problems with 3.4.p1 and 3.6.p1 Message-ID: I think your problem is that you are using the wrong "strip" program. You want to use Sun's /usr/ccs/bin/strip instead of /usr/local/bin/strip. To test this out, try renaming the /usr/local/bin/strip to /usr/local/bin/strip_gcc Example: cd /usr/local/bin mv strip strip_gcc Then type "which strip" and your output should be: % which strip /usr/ccs/bin/strip Now try recompiling OpenSSH and it should work for you. You can do a search on Google newsgroups to find out more info on this: http://www.google.com/advanced_group_search?lr=lang_en Search for "/usr/ccs/bin/strip" and "ELF". Jeff > -----Original Message----- 
> From: Carl E. Roeder [mailto:croeder at asrr.arsusda.gov]
> Sent: Wednesday, May 28, 2003 12:40 PM
> To: openssh-unix-dev at mindrot.org
> Subject: Execution problems with 3.4.p1 and 3.6.p1
>
> Folks,
>
> I have installed openssh-3.1.p1 and 3.4.p1 successfully in the past. When I tried to install 3.6.p1 it would not start. The init script created an error message to the effect that it could not find *ELF*. I then tried to reinstall 3.4.p1. Its startup said Error 255 .../sshd .. bailing. I then installed Solaris patch for /dev/random and reinstalled 3.4.p1... I got error .... sshd: Cannot find ELF Error 137 ... bailing. This is on SUN Solaris 8 with prngd and openssl-0.9.6j. The only changes have been Solaris Recommended_8 patches and Solaris security patches.
>
> Where can I find these Error messages? I've checked the lists but was unable to find any references.
>
> Thanks for any assistance you can provide.
>
> Carl E. Roeder croeder at asrr.arsusda.gov
> U.S. Department of Agriculture
> Agricultural Research Service
> Alternate Crops and Systems Laboratory
> Beltsville, MD 20705 301/504-5844 fax 301/504-5823
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
From dtucker at zip.com.au Thu May 29 07:57:45 2003
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 29 May 2003 07:57:45 +1000 Subject: Execution problems with 3.4.p1 and 3.6.p1 References: Message-ID: <3ED530D9.A4DE8976@zip.com.au> "Carl E. Roeder" wrote: > I have installed openssh-3.1.p1 and 3.4.p1 successfully > int the past. When I tried to install 3.6.p1 it would > not start. The init script created an error message to > the affect the it could not find *ELF*. This is a known bug in GNU binutils. Upgrade it to binutils-2.13 or later, or change your path so /usr/ccs/bin is first. For details, see: http://sources.redhat.com/ml/bug-binutils/2002-q3/msg00034.html -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Thu May 29 08:01:15 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 29 May 2003 08:01:15 +1000 Subject: [PATCH] sshd unable to restart References: Message-ID: <3ED531AB.6AA2C34A@zip.com.au> Dag-Erling Smorgrav wrote: > In FreeBSD-CURRENT, sshd cores when it tries to restart after > receiving a SIGHUP, because the argv passed to execv() is not > terminated by a NULL pointer. This has already been addressed in the OpenSSH CVS tree: 20030515 - (djm) Bug #529: sshd doesn't work correctly after SIGHUP (copy argv correctly) -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From djm at mindrot.org Thu May 29 12:24:16 2003 
From: djm at mindrot.org (Damien Miller) Date: Thu, 29 May 2003 12:24:16 +1000 Subject: [PATCH] sshd unable to restart In-Reply-To: References: Message-ID: <3ED56F50.3050100@mindrot.org> Dag-Erling Smorgrav wrote: > In FreeBSD-CURRENT, sshd cores when it tries to restart after > receiving a SIGHUP, because the argv passed to execv() is not > terminated by a NULL pointer. Thanks, that was bug #529, a fix was committed a couple of weeks ago. -d
From openssh-dev at joelweber.com Thu May 29 15:33:44 2003 From: openssh-dev at joelweber.com (Joel N. Weber II) Date: Thu, 29 May 2003 01:33:44 -0400 Subject: patch to make openssh use gpg Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://www.red-bean.com/~nemo/openssh-gpg has a patch that adds support for using OpenPGP format keys for both host and user authentication, using gpg. The host key authentication makes use of the web of trust in a useful way; the user authentication may not be so useful in that regard. I'd like to see people test this code and send me feedback; having knowledgeable people read the code and make sure it seems to be correct would certainly be very helpful, but having the code get tested would also be helpful. At this point, I'd be interested in reports from people who test it and find that it works just fine, if that is actually happening. I think I've gotten the code to the point where I'm not going to improve it any further without feedback from others. And if you want your favorite OS distribution to include a version of openssh with this patch, consider sending them a feature request type bug report with a pointer to the patch. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.0 (NetBSD) iD8DBQE+1ZuzNIJPyVx4GhgRAhWoAKCMStgRwaFOcc5mSpd6yRayPq+3/wCfT7xR 6pvjad36uBW8IyI0Ftel2T8= =7/i2 -----END PGP SIGNATURE-----
From des at ofug.org Thu May 29 17:09:48 2003
From: des at ofug.org (Dag-Erling Smorgrav) Date: Thu, 29 May 2003 09:09:48 +0200 Subject: [PATCH] sshd unable to restart In-Reply-To: <3ED531AB.6AA2C34A@zip.com.au> (Darren Tucker's message of "Thu, 29 May 2003 08:01:15 +1000") References: <3ED531AB.6AA2C34A@zip.com.au> Message-ID: Darren Tucker writes: > This has already been addressed in the OpenSSH CVS tree: > > 20030515 > - (djm) Bug #529: sshd doesn't work correctly after SIGHUP (copy argv > correctly) This is weird, it's not in my copy of the OpenBSD CVS tree. There must be something wrong with my cvsup scripts. Thanks anyway! DES -- Dag-Erling Smorgrav - des at ofug.org From dtucker at zip.com.au Thu May 29 18:32:32 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 29 May 2003 18:32:32 +1000 Subject: [PATCH] sshd unable to restart References: <3ED531AB.6AA2C34A@zip.com.au> Message-ID: <3ED5C5A0.E714F861@zip.com.au> Dag-Erling Smorgrav wrote: > This is weird, it's not in my copy of the OpenBSD CVS tree. There > must be something wrong with my cvsup scripts. It's in OpenSSH Portable only. OpenBSD has setproctitle() so does not need to clobber argv. You probably want openssh at anoncvs.be.openbsd.org:/cvs module openssh. The changes are in sshd.c rev 1.242. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From des at ofug.org Fri May 30 00:37:14 2003 
From: des at ofug.org (Dag-Erling Smorgrav) Date: Thu, 29 May 2003 16:37:14 +0200 Subject: [PATCH] sshd unable to restart In-Reply-To: <3ED5C5A0.E714F861@zip.com.au> (Darren Tucker's message of "Thu, 29 May 2003 18:32:32 +1000") References: <3ED531AB.6AA2C34A@zip.com.au> <3ED5C5A0.E714F861@zip.com.au> Message-ID: Darren Tucker writes: > It's in OpenSSH Portable only. OpenBSD has setproctitle() so does not > need to clobber argv. Hmm. In that case, I don't see why the bug affects FreeBSD, since we also have setproctitle(). Must be something wrong with my config.h. > You probably want openssh at anoncvs.be.openbsd.org:/cvs module openssh. > The changes are in sshd.c rev 1.242. Yep, I have that, but the cron job that was supposed to run 'cvs update' nightly was broken (as was the nightly OpenBSD cvsup job). I've fixed it now. Thanks! DES -- Dag-Erling Smorgrav - des at ofug.org From dtucker at zip.com.au Fri May 30 01:01:08 2003 
From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 30 May 2003 01:01:08 +1000 Subject: [PATCH] sshd unable to restart References: <3ED531AB.6AA2C34A@zip.com.au> <3ED5C5A0.E714F861@zip.com.au> Message-ID: <3ED620B4.787D62A4@zip.com.au> Dag-Erling Smorgrav wrote: > Darren Tucker writes: > > It's in OpenSSH Portable only. OpenBSD has setproctitle() so does not > > need to clobber argv. > > Hmm. In that case, I don't see why the bug affects FreeBSD, since we > also have setproctitle(). Must be something wrong with my config.h. Currently Portable's sshd copies argv on all platforms regardless of whether it has setproctitle or not, just in case argv gets clobbered later. I guess you could have the following, which might be marginally cleaner:

    saved_argc = ac;
    saved_argv = av;
    #ifndef HAVE_SETPROCTITLE
    /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
    [...]
    /* Prepare for later setproctitle emulation */
    compat_init_setproctitle(ac, av);
    #endif

OpenBSD's sshd doesn't have to deal with the argv clobbering case at all, so doesn't have the problem code. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
From tnelson at infinedi.net Fri May 30 02:04:55 2003
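The argv-saving problem this thread is about (bug #529: the copy handed to execv() lacked its terminating NULL), shown as an added example. This is not OpenSSH's code: copy_argv, argv_len, clobber_argv, free_argv and saved_argv_survives_clobber are names invented here, the argument vector is constructed, and clobber_argv only stands in for what a setproctitle() emulation does to the original argv storage. The point it demonstrates is that a saved copy needs argc + 1 slots with the last one NULL, and that the strings must be duplicated rather than merely pointed at, or the later emulation overwrites them before the SIGHUP re-exec.

```c
/* Added example, not OpenSSH code: saving argv safely for a later
 * execv(saved[0], saved) on SIGHUP. Only the C standard library is used. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable replacement for strdup() so the example needs no POSIX extras. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* The bug pattern was allocating argc slots and copying argc strings:
 * execv() walks the array until it finds NULL, so without slot argc set
 * to NULL it reads past the end. Here argc + 1 slots are allocated and the
 * last is NULL; the strings are duplicated so clobbering the originals
 * later cannot damage the copy. Returns NULL on allocation failure. */
static char **copy_argv(int argc, char **argv)
{
    char **copy = calloc((size_t)argc + 1, sizeof(char *));
    int i;
    if (copy == NULL)
        return NULL;
    for (i = 0; i < argc; i++) {
        copy[i] = dup_string(argv[i]);
        if (copy[i] == NULL) {
            while (i-- > 0)
                free(copy[i]);
            free(copy);
            return NULL;
        }
    }
    copy[argc] = NULL;          /* the terminator execv() relies on */
    return copy;
}

static void free_argv(char **copy)
{
    char **p;
    if (copy == NULL)
        return;
    for (p = copy; *p != NULL; p++)
        free(*p);
    free(copy);
}

/* Count entries the way execv() does: up to the NULL terminator. */
static int argv_len(char **v)
{
    int n = 0;
    while (v[n] != NULL)
        n++;
    return n;
}

/* Stand-in for a setproctitle() emulation, which reuses the memory that
 * held the original argument strings for the process title. */
static void clobber_argv(char **argv, int argc)
{
    int i;
    for (i = 0; i < argc; i++)
        memset(argv[i], 'X', strlen(argv[i]));
}

/* Whole sequence on a constructed argv: save, clobber the originals, then
 * check the copy is intact and NULL-terminated. Returns 1 on success. */
static int saved_argv_survives_clobber(void)
{
    char a0[] = "sshd", a1[] = "-f", a2[] = "/etc/ssh/sshd_config";
    char *orig[] = { a0, a1, a2, NULL };
    int argc = 3, ok;
    char **saved = copy_argv(argc, orig);
    if (saved == NULL)
        return 0;
    clobber_argv(orig, argc);
    ok = argv_len(saved) == argc
      && saved[argc] == NULL
      && strcmp(saved[2], "/etc/ssh/sshd_config") == 0
      && strcmp(orig[2], "XXXXXXXXXXXXXXXXXXXX") == 0;
    free_argv(saved);
    return ok;
}

int main(void)
{
    printf("saved argv survives clobbering: %s\n",
           saved_argv_survives_clobber() ? "yes" : "no");
    return 0;
}
```

On a real daemon the copy is made once at startup, before any setproctitle emulation touches argv, and the SIGHUP handler path then calls execv(saved[0], saved) with exactly this array.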
From: tnelson at infinedi.net (Tim Nelson) Date: Thu, 29 May 2003 11:04:55 -500 Subject: should sh and scp be subsystems also? Message-ID: <3ed62fa7ced1b6.94759855@infinedi.net> I've run into several instances where I want to give users access only to scp or sftp. Now I know that there are custom shells out there with this ability. However, wouldn't it further simplify the core sshd code if sh and scp were implemented as subsystems, thereby lowering the chance of flaws in the core code? I wouldn't mind putting some work into doing this patch myself if it is approved by Markus or Theo. Regards, Tim
From mouring at etoh.eviladmin.org Fri May 30 02:19:44 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 29 May 2003 11:19:44 -0500 (CDT) Subject: should sh and scp be subsystems also? In-Reply-To: <3ed62fa7ced1b6.94759855@infinedi.net> Message-ID: You're asking us to break RFC and current v1 compatibility. I doubt anyone will take your patch seriously. Plus I doubt it will simplify anything. On Thu, 29 May 2003, Tim Nelson wrote:
> I've run into several instances where I want to give users access only to scp or sftp. Now I know that there are custom shells out there with this ability. However, wouldn't it further simplify the core sshd code if sh and scp were implemented as subsystems, thereby lowering the chance of flaws in the core code?
> I wouldn't mind putting some work into doing this patch myself if it is approved by Markus or Theo.
>
> Regards,
> Tim
From tushk at hotmail.com Fri May 30 07:37:30 2003
From: tushk at hotmail.com (Tushar Katarki) Date: Thu, 29 May 2003 17:37:30 -0400 Subject: SSH key_copy Message-ID: I am wondering why there is no utility for copying the Key structure in SSH. I am looking for something like this: key_copy(Key* dest, const Key* source); Do we have something like above? I noticed we have key_size, key_equals etc but no key_copy Thanks, Tushar
From openssh at roumenpetrov.info Fri May 30 16:37:28 2003 From: openssh at roumenpetrov.info (Roumen Petrov) Date: Fri, 30 May 2003 09:37:28 +0300 Subject: current CVS md5crypt.c patch Message-ID: <3ED6FC28.4040908@roumenpetrov.info> missing ';' at end of line - cannot compile md5crypt.c -------------- next part -------------- A non-text attachment was scrubbed... Name: xx Type: application/x-java-vm Size: 298 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030530/a4c1fa5e/attachment.bin
From Bob.Smart at csiro.au Fri May 30 17:29:25 2003
From: Bob.Smart at csiro.au (Bob.Smart at csiro.au) Date: Fri, 30 May 2003 17:29:25 +1000 Subject: krb5-1.2.8 on cygwin + kerberized ssh Message-ID: I have made a bit of progress since I compiled krb5-1.2.6. ./configure --with-cc=gcc --without-krb4 --disable-dns-for-kdc It would be nice if there was an option to just compile client stuff. The resolv library problem went away. I don't know if that was a change to krb5 or to cygwin. Bison problems also went away. Still need to add #include to src/util/ss/ss_internal.h, otherwise the linker gives _errno errors. I didn't have libutil installed when I did the configure and I found I needed to add -lutil to the link of login.krb5 in src/appl/bsd. After that everything seemed to work (against an AD KDC). I tried kinit, klist and telnet -a. It seemed to create the file in /tmp with appropriate NTFS security restrictions. Next I successfully compiled kerberized ssh. Now I can ssh without mucking with ssh keys everywhere. It would also be nice if openssh had an option for only compiling client stuff. Now I only need to integrate ms2mit and I'll be in SSO heaven [naturally ms2mit doesn't put the mit tgt in the right place for cygwin] I suspect that the client parts of krb5 and openssh don't require all that cygwin heavy lifting and could be compiled with mingw with a bit of effort. Given that kerberos is a unifying feature linking windows and unix it would be nice to see kerberos and kerberized apps in cygwin. Bob From albanard at hotmail.com Fri May 30 18:50:16 2003 
From: albanard at hotmail.com (Al Banard) Date: Fri, 30 May 2003 18:50:16 +1000 Subject: Converting key between PEM and ASCII Message-ID: According to documentation for a switch which I'm getting SSH enabled, I need to convert my openssh public key to an ascii string to be compatible with the switch. The switch uses sshV1. Is there a way to do this? I've found nothing in the man pages or FAQ and have tried the -x -X (-i -e) arguments without success but I think they relate to a different translation anyway. Regards Al
From chris at obelix.hedonism.cx Fri May 30 20:35:22 2003 From: chris at obelix.hedonism.cx (Christian Vogel) Date: Fri, 30 May 2003 12:35:22 +0200 Subject: Converting key between PEM and ASCII In-Reply-To: ; from albanard@hotmail.com on Fri, May 30, 2003 at 06:50:16PM +1000 References: Message-ID: <20030530123522.A14718@obelix.frop.org> Hi Al Banard, On Fri, May 30, 2003 at 06:50:16PM +1000, Al Banard wrote: > According to documentation for a switch which I'm getting SSH enabled, you might get more response, if you specified which kind of switch you meant. > I need to convert my openssh public key to an ascii string to be compatible > with the switch. The openssh-keys (~/.ssh/identity.pub for V1 and ~/.ssh/id_dsa.pub for V2) already are long ascii-strings....

    emil:.ssh$ cat identity.pub
    1024 37 1376....7123 chris at kurt

Chris -- If you want a domain / you're asking for pain / and nsi gains / momentum. // And while you had wondered / why you felt pludered / they charged you one hundred / per centum. -- User Friendly (http://userfriendly.org/)
From djm at mindrot.org Sat May 31 10:48:25 2003
From: djm at mindrot.org (Damien Miller) Date: Sat, 31 May 2003 10:48:25 +1000 Subject: Converting key between PEM and ASCII In-Reply-To: References: Message-ID: <3ED7FBD9.6060809@mindrot.org> Al Banard wrote: > According to documentation for a switch which I'm getting SSH enabled, > I need to convert my openssh public key to an ascii string to be compatible > with the switch. The switch uses sshV1. Is there a way to do this? I've > found nothing in the man pages or FAQ and have tried the -x -X (-i -e) > arguments without success but I think they relate to a different translation > anyway. You need to generate a SSH protocol 1 key first (ssh-keygen -t rsa1). Then all you need to do is "cat ~/.ssh/identity.pub". -d From djm at mindrot.org Sat May 31 10:49:28 2003 From: djm at mindrot.org (Damien Miller) Date: Sat, 31 May 2003 10:49:28 +1000 Subject: krb5-1.2.8 on cygwin + kerberized ssh In-Reply-To: References: Message-ID: <3ED7FC18.6020007@mindrot.org> Bob.Smart at csiro.au wrote: > I have made a bit of progress since I compiled > krb5-1.2.6. > > ./configure --with-cc=gcc --without-krb4 --disable-dns-for-kdc > > It would be nice if there was an option to just > compile client stuff. Just use the makefile targets directly: make ssh ssh-agent ssh-keygen sftp scp ssh-add -d From abartlet at samba.org Sat May 31 21:42:44 2003 
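The identity.pub line discussed above already is the ASCII form: "bits exponent modulus [comment]", with all three numbers in decimal. As an added example that is not OpenSSH's code, here is a small checker for that line, useful before pasting a key into a device that takes the raw string: it splits the fields, insists that the numeric ones are decimal digits only, and verifies that the declared bit count actually matches the modulus, computing the bit length of the decimal string without a bignum library. The struct and function names (ssh1_pubkey, parse_ssh1_pubkey, decimal_bit_length, check_line) are invented here, and the sample keys are constructed and far too small to be real; only the file format is taken from the thread.

```c
/* Added example, not OpenSSH code: sanity-check an SSH protocol 1 public
 * key line ("<bits> <exponent> <modulus> [comment]", decimal numbers). */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ssh1_pubkey {
    unsigned long bits;     /* declared modulus size */
    char exponent[64];      /* decimal string, e.g. "37" */
    char modulus[1024];     /* decimal string */
    char comment[256];      /* rest of line, may be empty */
};

/* Non-empty and consisting only of ASCII digits. */
static int all_digits(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s))
            return 0;
    return 1;
}

/* Bit length of a non-negative decimal integer given as a string:
 * halve the digit string in place until it reaches zero and count the
 * halvings. Returns 0 for "0" (or on allocation failure). */
static unsigned long decimal_bit_length(const char *dec)
{
    size_t n = strlen(dec), start = 0, i;
    unsigned long bits = 0;
    char *d = malloc(n + 1);
    if (d == NULL)
        return 0;
    memcpy(d, dec, n + 1);
    while (start + 1 < n && d[start] == '0')    /* drop leading zeros */
        start++;
    while (!(n - start == 1 && d[start] == '0')) { /* value != 0 */
        int carry = 0;
        for (i = start; i < n; i++) {            /* long division by 2 */
            int v = carry * 10 + (d[i] - '0');
            d[i] = (char)('0' + v / 2);
            carry = v % 2;
        }
        while (start + 1 < n && d[start] == '0')
            start++;
        bits++;
    }
    free(d);
    return bits;
}

/* Parse one line into k. Returns 0 on success, -1 on a syntax problem,
 * -2 if the declared bit count does not match the modulus. This checks
 * the line's shape only; it does not validate the key cryptographically. */
static int parse_ssh1_pubkey(const char *line, struct ssh1_pubkey *k)
{
    char f_bits[64], f_e[64], f_n[1024], f_comment[256];
    int got = sscanf(line, "%63s %63s %1023s %255[^\r\n]",
                     f_bits, f_e, f_n, f_comment);
    if (got < 3)
        return -1;
    if (got < 4)
        f_comment[0] = '\0';
    if (!all_digits(f_bits) || !all_digits(f_e) || !all_digits(f_n))
        return -1;
    k->bits = strtoul(f_bits, NULL, 10);
    strcpy(k->exponent, f_e);     /* field widths above keep these in bounds */
    strcpy(k->modulus, f_n);
    strcpy(k->comment, f_comment);
    if (decimal_bit_length(f_n) != k->bits)
        return -2;
    return 0;
}

/* Convenience wrapper returning only the status code. */
static int check_line(const char *line)
{
    struct ssh1_pubkey k;
    return parse_ssh1_pubkey(line, &k);
}

int main(void)
{
    /* Constructed, toy-sized sample; a real key has a ~1024-bit modulus. */
    const char *sample = "16 37 40961 alice at example";
    struct ssh1_pubkey k;
    int rc = parse_ssh1_pubkey(sample, &k);
    printf("status %d, bits %lu, e=%s, comment=\"%s\"\n",
           rc, k.bits, k.exponent, k.comment);
    return rc == 0 ? 0 : 1;
}
```

A mismatch between the declared size and the modulus (status -2) is the usual sign that a line was truncated or wrapped while being copied, which is exactly what tends to happen when keys are pasted into a switch console.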
From: abartlet at samba.org (Andrew Bartlett) Date: Sat, 31 May 2003 11:42:44 -0000 Subject: Sshd and domain authentication In-Reply-To: <1053453898.8826.10.camel@localhost> References: <1053453898.8826.10.camel@localhost> Message-ID: <1054381360.7149.216.camel@piglett> On Wed, 2003-05-21 at 04:19, Scott Burch wrote: > Mike, > > You can do this with pam_smb Please do not use pam_smb. pam_winbind is a much better idea, as pam_smb can be too easily spoofed on the network. Andrew Bartlett -- Andrew Bartlett abartlet at pcug.org.au Manager, Authentication Subsystems, Samba Team abartlet at samba.org Student Network Administrator, Hawker College abartlet at hawkerc.net http://samba.org http://build.samba.org http://hawkerc.net