From itlfd08vjz at yahoo.com Sat Nov 1 07:07:49 2003 From: itlfd08vjz at yahoo.com (Joanna Jenkins) Date: Fri, 31 Oct 2003 19:07:49 -0100 Subject: Boost Your Car's Gas Mileage 27%+.....damara Message-ID: <88ng$7gj-45afq9e28@rea0c> FUEL SAVER PRO This revolutionary device Boosts Gas Mileage 27%+ by helping fuel burn better using three patented processes from General Motors. Take a test drive Today - http://www.llat.org?axel=49 PROVEN TECHNOLOGY A certified U.S. Environmental Protection Agency (EPA) laboratory recently completed tests on the new Fuel Saver. The results were astounding! Master Service, a subsidiary of Ford Motor Company, also conducted extensive emissions testing and obtained similar, unheard of results. The achievements of the Fuel Saver is so noteworthy to the environmental community, that Commercial News has featured it as their cover story in their June, 2000 edition. Take a test drive Today - http://www.llat.org?axel=49 No more advertisements, thanks - http://www.aqmp.net/out5s/rem2e.asp doroyzeoqrkjwku sf twv From TORBAN at do.usbr.gov Sat Nov 1 10:05:52 2003 From: TORBAN at do.usbr.gov (Tom Orban) Date: Fri, 31 Oct 2003 16:05:52 -0700 Subject: SOLUTION: ssh not resolving host names on HP-UX 11i Message-ID: Just in case anyone else runs across this problem, maybe someone on this list can pass this along. Install HP Patch PHNE_27796 Patch Description: s700_800 11.11 libnss_dns DNS backend patch The preceding patch (PHNE_23574) was on some of the boxes that exhibited the problem, so 23574 is not enough. If the box showed the problem, it could only be fixed by installing PHNE_27796. Just a bit more background here, it turns out that the problem did *not* manifest itself on all of our 11i boxes, only the newer ones (rp8400's, B2600's). Can't figure any rhyme or reason as to why. The 11i boxes that ssh did work without the patch were L2000's, that were configured years ago. Needless to say, HP support was *useless* in this -- they said they don't support openssh-3.7.1p2. I kind of stumbled onto that patch, (since libnss_dns.1 is not a shared object for the ssh binary). But this is another story... Oh well, hope this helps someone in the future. -Tom >>> Tom Orban 10/28/03 11:09AM >>> I posted a message about this problem late last week, never heard anything back, so I have to assume other folks did get a working ssh (3.7.1p2) binary built on HP-UX 11i. Just to refresh, my ssh package that I built on HP-UX 11i works fine, except that the ssh binary doesn't seem to go to DNS to resolve host names. So the only way I can ssh to other machines is to put their host entries in my /etc/hosts file, or type their IP address instead of the hostname on the command line. Since that's a really unsustainable workaround, I've grabbed the 3.7.1p2 ssh binary that I built on an hp-ux 11.00 box and use it with the rest of the package that I build on 11i. Ugly, but it seems to work. Stripping down didn't make any difference, I still get the "ssh: hostname: host nor service provided, or not known" error message. FYI, I'm using the HP KRNG* package for /dev/*random, and build everything with the HP Ansi C compiler. From lucastm at poczta.onet.pl Sun Nov 2 07:52:31 2003 From: lucastm at poczta.onet.pl (=?iso-8859-2?Q?=A3ukasz_Walkiewicz?=) Date: Sat, 1 Nov 2003 21:52:31 +0100 Subject: None BSD Socket System and OpenSSH Message-ID: <000001c3a0ba$11fe8540$c365793e@liquid> Hello! I'm currently under considering moving OpenSSH to very orient Distributed Operating System called Amoeba. The system is non-unix but with some POSIX layer implementation. It runs using different protocol (FLIP) then TCP/IP and to communicate with other internet based hosts it uses TCP/IP server. This is quite challenging task. I have moved OpenSSL already, but only non-socket part of it. What I would like to know is if, OpenSSH uses some descriptor based functions from OpenSSL (Amoeba only supports file descriptors and no socket descriptors)? Greets, Lucas From smichaud at pobox.com Mon Nov 3 04:49:48 2003 From: smichaud at pobox.com (Steven Michaud) Date: Sun, 2 Nov 2003 11:49:48 -0600 (CST) Subject: Fix for USE_POSIX_THREADS in auth-pam.c Message-ID: I made a pretty bad mistake in the patch I submitted to this list on 10-29 -- in effect my mutex _didn't_ restrict access to the pam handle (sshpam_handle) to one thread at a time. My new patch (below) fixes this problem. I suppose this is a good example of the difficulty of programming threads :-( It also seems that you can use the thread code in auth-pam.c _without_ any mutex -- that's in effect what I've been doing for the past couple of weeks, without any ill effect (no crashes or other wierd behavior). But my system is very quiet. People with busier systems might still have trouble. I know the OpenSSH folks aren't interested. I'm posting this corrected patch for those adventurous types who might want to try to use threads to solve the "PAM state" proble This patch is against OpenSSH 3.7.1p2. Watch out for line breaks. diff -u -r src.old/auth-pam.c src/auth-pam.c --- src.old/auth-pam.c Sun Nov 2 10:41:47 2003 +++ src/auth-pam.c Sun Nov 2 10:41:46 2003 @@ -125,6 +125,90 @@ int pam_done; }; +#ifdef USE_POSIX_THREADS + +static pthread_mutexattr_t lock_attr; +static pthread_mutex_t sshpam_handle_lock; +static int sshpam_handle_lock_ready = 0; +static int sshpam_handle_lock_count = 0; +static pid_t process_id = 0; + +/* On Solaris, Linux and Darwin, PAM routines are said to only be + * thread-safe if each thread has a different PAM handle (which really + * means they're NOT thread-safe, but anyway). For our purposes, all + * threads must use the same handle (otherwise it will be difficult for + * them to share PAM state), so we need to protect access to + * sshpam_handle with a mutex. + * + * Auth-pam.c has many other global variables, which might in principle + * also need to be protected by mutexes. But none of the others is a + * handle into an external black box (like PAM). And in the current + * state of the code, only one other (sshpam_err) is ever changed from + * more than one thread. In any case, we can help by protecting whole + * blocks of PAM code at once. + */ +static void lock_pamh(void) +{ + pid_t pid_holder; + if (!process_id) + process_id = getpid(); + /* It's not safe to use pthread structures created for our parent + * (if we've been forked our pid will have changed). Reinitialize + * everything if this has happened (we know beforehand that these + * structures can't yet be in use in our process). + */ + else if (process_id != (pid_holder = getpid())) { + sshpam_handle_lock_ready = 0; + process_id = pid_holder; + sshpam_handle_lock_count = 0; + pthread_mutexattr_init(&lock_attr); + pthread_mutexattr_settype(&lock_attr, PTHREAD_MUTEX_RECURSIVE); + pthread_mutex_init(&sshpam_handle_lock, &lock_attr); + sshpam_handle_lock_ready = 1; + } + if (!sshpam_handle_lock_ready) + return; + ++sshpam_handle_lock_count; + pthread_mutex_lock(&sshpam_handle_lock); + --sshpam_handle_lock_count; + return; +} + +static void unlock_pamh(void) +{ + pid_t pid_holder; + if (!process_id) + process_id = getpid(); + else if (process_id != (pid_holder = getpid())) { + sshpam_handle_lock_ready = 0; + process_id = pid_holder; + sshpam_handle_lock_count = 0; + pthread_mutexattr_init(&lock_attr); + pthread_mutexattr_settype(&lock_attr, PTHREAD_MUTEX_RECURSIVE); + pthread_mutex_init(&sshpam_handle_lock, &lock_attr); + sshpam_handle_lock_ready = 1; + return; + } + if (!sshpam_handle_lock_ready) + return; + pthread_mutex_unlock(&sshpam_handle_lock); + return; +} + +#else /* #ifdef USE_POSIX_THREADS */ + +static void lock_pamh(void) +{ + return; +} + +static void unlock_pamh(void) +{ + return; +} + +#endif /* #ifdef USE_POSIX_THREADS */ + static void sshpam_free_ctx(void *); /* @@ -223,6 +307,7 @@ sshpam_conv.appdata_ptr = ctxt; buffer_init(&buffer); + lock_pamh(); sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, (const void *)&sshpam_conv); if (sshpam_err != PAM_SUCCESS) @@ -230,6 +315,7 @@ sshpam_err = pam_authenticate(sshpam_handle, 0); if (sshpam_err != PAM_SUCCESS) goto auth_fail; + unlock_pamh(); buffer_put_cstring(&buffer, "OK"); ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer); buffer_free(&buffer); @@ -238,6 +324,7 @@ auth_fail: buffer_put_cstring(&buffer, pam_strerror(sshpam_handle, sshpam_err)); + unlock_pamh(); ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); buffer_free(&buffer); pthread_exit(NULL); @@ -270,20 +357,36 @@ { (void)arg; debug("PAM: cleanup"); - if (sshpam_handle == NULL) - return; - pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); - if (sshpam_cred_established) { - pam_setcred(sshpam_handle, PAM_DELETE_CRED); - sshpam_cred_established = 0; - } - if (sshpam_session_open) { - pam_close_session(sshpam_handle, PAM_SILENT); - sshpam_session_open = 0; - } - sshpam_authenticated = sshpam_new_authtok_reqd = 0; - pam_end(sshpam_handle, sshpam_err); - sshpam_handle = NULL; + if (sshpam_handle != NULL) { + lock_pamh(); + pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); + if (sshpam_cred_established) { + pam_setcred(sshpam_handle, PAM_DELETE_CRED); + sshpam_cred_established = 0; + } + if (sshpam_session_open) { + pam_close_session(sshpam_handle, PAM_SILENT); + sshpam_session_open = 0; + } + sshpam_authenticated = sshpam_new_authtok_reqd = 0; + pam_end(sshpam_handle, sshpam_err); + sshpam_handle = NULL; + unlock_pamh(); + } +#ifdef USE_POSIX_THREADS + else { + lock_pamh(); /* Update pthread variable state */ + unlock_pamh(); /* and possibly bleed off traffic */ + } + /* Free our pthread structures if it's safe to do so (if they were + * previously initialized and aren't currently in use in our process). + */ + if (!sshpam_handle_lock_count && sshpam_handle_lock_ready) { + sshpam_handle_lock_ready = 0; + pthread_mutexattr_destroy(&lock_attr); + pthread_mutex_destroy(&sshpam_handle_lock); + } +#endif } static int @@ -293,12 +396,35 @@ extern char *__progname; const char *pam_rhost, *pam_user; +#ifdef USE_POSIX_THREADS + /* (Re)initialize our pthread structures if it's safe to do so. Only + * free them if they were previously initialized and they aren't + * currently in use. + */ + lock_pamh(); /* Update pthread variable state */ + unlock_pamh(); /* and possibly bleed off traffic */ + if (!sshpam_handle_lock_count) { + if (sshpam_handle_lock_ready) { + sshpam_handle_lock_ready = 0; + pthread_mutexattr_destroy(&lock_attr); + pthread_mutex_destroy(&sshpam_handle_lock); + } + pthread_mutexattr_init(&lock_attr); + pthread_mutexattr_settype(&lock_attr, PTHREAD_MUTEX_RECURSIVE); + pthread_mutex_init(&sshpam_handle_lock, &lock_attr); + sshpam_handle_lock_ready = 1; + } +#endif + + lock_pamh(); if (sshpam_handle != NULL) { /* We already have a PAM context; check if the user matches */ sshpam_err = pam_get_item(sshpam_handle, PAM_USER, (const void **)&pam_user); - if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0) + if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0) { + unlock_pamh(); return (0); + } fatal_remove_cleanup(sshpam_cleanup, NULL); pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; @@ -309,6 +435,7 @@ if (sshpam_err != PAM_SUCCESS) { pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; + unlock_pamh(); return (-1); } pam_rhost = get_remote_name_or_ip(utmp_len, options.use_dns); @@ -317,6 +444,7 @@ if (sshpam_err != PAM_SUCCESS) { pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; + unlock_pamh(); return (-1); } #ifdef PAM_TTY_KLUDGE @@ -330,9 +458,11 @@ if (sshpam_err != PAM_SUCCESS) { pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; + unlock_pamh(); return (-1); } #endif + unlock_pamh(); fatal_add_cleanup(sshpam_cleanup, NULL); return (0); } @@ -531,7 +661,9 @@ u_int do_pam_account(void) { + lock_pamh(); sshpam_err = pam_acct_mgmt(sshpam_handle, 0); + unlock_pamh(); debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err); if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) @@ -552,38 +684,54 @@ void do_pam_session(void) { + const char *msg; + lock_pamh(); sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: failed to set PAM_CONV: %s", - pam_strerror(sshpam_handle, sshpam_err)); + if (sshpam_err != PAM_SUCCESS) { + msg = pam_strerror(sshpam_handle, sshpam_err); + unlock_pamh(); + fatal("PAM: failed to set PAM_CONV: %s", msg); + } sshpam_err = pam_open_session(sshpam_handle, 0); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: pam_open_session(): %s", - pam_strerror(sshpam_handle, sshpam_err)); + if (sshpam_err != PAM_SUCCESS) { + msg = pam_strerror(sshpam_handle, sshpam_err); + unlock_pamh(); + fatal("PAM: pam_open_session(): %s", msg); + } sshpam_session_open = 1; + unlock_pamh(); } void do_pam_set_tty(const char *tty) { + const char *msg; if (tty != NULL) { + lock_pamh(); debug("PAM: setting PAM_TTY to \"%s\"", tty); sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, tty); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: failed to set PAM_TTY: %s", - pam_strerror(sshpam_handle, sshpam_err)); + if (sshpam_err != PAM_SUCCESS) { + msg = pam_strerror(sshpam_handle, sshpam_err); + unlock_pamh(); + fatal("PAM: failed to set PAM_TTY: %s", msg); + } + unlock_pamh(); } } void do_pam_setcred(int init) { + const char *msg; + lock_pamh(); sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: failed to set PAM_CONV: %s", - pam_strerror(sshpam_handle, sshpam_err)); + if (sshpam_err != PAM_SUCCESS) { + msg = pam_strerror(sshpam_handle, sshpam_err); + unlock_pamh(); + fatal("PAM: failed to set PAM_CONV: %s", msg); + } if (init) { debug("PAM: establishing credentials"); sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED); @@ -593,14 +741,15 @@ } if (sshpam_err == PAM_SUCCESS) { sshpam_cred_established = 1; + unlock_pamh(); return; } + msg = pam_strerror(sshpam_handle, sshpam_err); + unlock_pamh(); if (sshpam_authenticated) - fatal("PAM: pam_setcred(): %s", - pam_strerror(sshpam_handle, sshpam_err)); + fatal("PAM: pam_setcred(): %s", msg); else - debug("PAM: pam_setcred(): %s", - pam_strerror(sshpam_handle, sshpam_err)); + debug("PAM: pam_setcred(): %s", msg); } int @@ -668,6 +817,7 @@ void do_pam_chauthtok(void) { + const char *msg; struct pam_conv pam_conv; pam_conv.conv = pam_chauthtok_conv; @@ -675,16 +825,22 @@ if (use_privsep) fatal("Password expired (unable to change with privsep)"); + lock_pamh(); sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, (const void *)&pam_conv); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: failed to set PAM_CONV: %s", - pam_strerror(sshpam_handle, sshpam_err)); + if (sshpam_err != PAM_SUCCESS) { + msg = pam_strerror(sshpam_handle, sshpam_err); + unlock_pamh(); + fatal("PAM: failed to set PAM_CONV: %s", msg); + } debug("PAM: changing password"); sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: pam_chauthtok(): %s", - pam_strerror(sshpam_handle, sshpam_err)); + if (sshpam_err != PAM_SUCCESS) { + msg = pam_strerror(sshpam_handle, sshpam_err); + unlock_pamh(); + fatal("PAM: pam_chauthtok(): %s", msg); + } + unlock_pamh(); } /* @@ -705,7 +861,9 @@ compound = xmalloc(len); snprintf(compound, len, "%s=%s", name, value); + lock_pamh(); ret = pam_putenv(sshpam_handle, compound); + unlock_pamh(); xfree(compound); #endif @@ -722,8 +880,12 @@ fetch_pam_environment(void) { #ifdef HAVE_PAM_GETENVLIST + char **retval; + lock_pamh(); debug("PAM: retrieving environment"); - return (pam_getenvlist(sshpam_handle)); + retval = pam_getenvlist(sshpam_handle); + unlock_pamh(); + return retval; #else return (NULL); #endif From nickhychi at yahoo.com.hk Mon Nov 3 17:29:20 2003 From: nickhychi at yahoo.com.hk (=?big5?q?Nick=20Chi?=) Date: Mon, 3 Nov 2003 14:29:20 +0800 (CST) Subject: Problem found in OpenSSH 3.7.1p2 with OpenSSL 0.9.7c installation on HP-UX11.0 Message-ID: <20031103062920.89279.qmail@web21001.mail.yahoo.com> Hi all, I found that OpenSSL 3.7.1p2 has problem with PAM (HP-UX) system (with setting of account deacticating by 3 invalid login attempts). User enters wrong password more than twice through SSH, his/her account will not be deactivated. User enters wrong password more than twice through FTP, his/her account will be deactivated . However, only further FTP session is blocked. SSH session can be established even the account is deactivated. Besides, I deactivate an account through SAM, both new FTP and SSH sessions will be blocked. I check that there is no such problem in OpenSSH 3.4p1. Any comments / suggestions? Thanks. Best Regards, Nick CHI _________________________________________________________ ??????????????... ???? ???? http://ringtone.yahoo.com.hk/ From cm77cmjp at yahoo.co.jp Tue Nov 4 01:52:23 2003 From: cm77cmjp at yahoo.co.jp (=?ISO-2022-JP?B?NTAwMBskQjFfMys2SCVRJUMlLxsoQiA=?=) Date: Mon, 03 Nov 2003 23:52:23 +0900 Subject: =?iso-2022-jp?b?GyRCTCQ+NUJ6OS05cCIoGyhC?= Message-ID: <20031103.1452220903@cm77cmjp-yahoo.co.jp> ? ?????????????????????? ?????????????????????????????? ?????????????????????????????????????????????????? ????bk77bkjp at yahoo.co.jp????????????????????????? ???????????TEL 0774-56-6428???????????? ??????5000??????????? ?? ?????????????????????????????????? ?????????????????????????????? ??????????????????????????????? ??????????????? ???????????????????????????????????? ???????????????????????????????????? ????????????????????????????????????? ??????????????????????????????????? ????????????????????????????????????? ????????????????????????????????????? ??????????????????????? ??????????????????????????????????? ??????????????????????????????????? ????????????????????????????????????????? ????http://starlake.dyns.cx/ ?? ???????????????????????? ???????????????????????? From aforster at br.ibm.com Tue Nov 4 03:07:35 2003 From: aforster at br.ibm.com (Antonio Paulo Salgado Forster) Date: Mon, 3 Nov 2003 15:07:35 -0100 Subject: Problems with PAM and PermitRootLogin without-password Message-ID: Hello all, I was running some tests with openssh 3.7.1p2 and I noticed that PermitRootLogin without-password does not work when PAM is enabled. In fact, when PAM is enabled, PermitRootLogin will work as "yes" if " without-password" is used, no matter what kind of authentication is used for root login. Is that a bug, I missed something in the configurations, or expected behavior? This is the output of a debugged session of ssh: debug1: sshd version OpenSSH_3.7.1p2 debug1: read PEM private key done: type RSA debug1: private host key: #0 type 1 RSA socket: Address family not supported by protocol debug1: Bind to port 80 on 0.0.0.0. Server listening on 0.0.0.0 port 80. debug1: Server will not fork when running in debugging mode. Connection from x.x.x.x port 2319 debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 debug1: match: OpenSSH_3.4p1 pat OpenSSH_3.2*,OpenSSH_3.3*,OpenSSH_3.4*,OpenSSH_3.5* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2 debug1: permanently_set_uid: 74/74 debug1: list_hostkey_types: ssh-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: client->server aes128-cbc hmac-md5 none debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user root service ssh-connection method none debug1: attempt 0 failures 0 debug1: PAM: initializing for "root" debug1: PAM: setting PAM_RHOST to "x.x.x.x" debug1: PAM: setting PAM_TTY to "ssh" Failed none for root from x.x.x.x port 2319 ssh2 Failed none for root from x.x.x.x port 2319 ssh2 debug1: userauth-request for user root service ssh-connection method keyboard-interactive debug1: attempt 1 failures 1 debug1: keyboard-interactive devs debug1: auth2_challenge: user=root devs= debug1: kbdint_alloc: devices 'pam' debug1: auth2_challenge_start: trying authentication method 'pam' Postponed keyboard-interactive for root from x.x.x.x port 2319 ssh2 Postponed keyboard-interactive/pam for root from x.x.x.x port 2319 ssh2 Accepted keyboard-interactive/pam for root from x.x.x.x port 2319 ssh2 Accepted keyboard-interactive/pam for root from x.x.x.x port 2319 ssh2 debug1: monitor_child_preauth: root has been authenticated by privileged process debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_channel_req: channel 0 request pty-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. debug1: session_pty_req: session 0 alloc /dev/pts/1 debug1: server_input_channel_req: channel 0 request shell reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req shell debug1: PAM: setting PAM_TTY to "/dev/pts/1" debug1: PAM: establishing credentials debug1: Setting controlling tty using TIOCSCTTY. debug1: Received SIGCHLD. debug1: session_by_pid: pid 17636 debug1: session_exit_message: session 0 channel 0 pid 17636 debug1: session_exit_message: release channel 0 debug1: session_close: session 0 pid 17636 debug1: session_pty_cleanup: session 0 release /dev/pts/1 debug1: channel 0: free: server-session, nchannels 1 Connection closed by x.x.x.x Closing connection to x.x.x.x debug1: PAM: cleanup Thanks for the help. Forster From dan at D00M.integrate.com.ru Tue Nov 4 07:42:29 2003 From: dan at D00M.integrate.com.ru (Dan Yefimov) Date: Mon, 3 Nov 2003 23:42:29 +0300 (MSK) Subject: Problems with PAM and PermitRootLogin without-password In-Reply-To: Message-ID: On Mon, 3 Nov 2003, Antonio Paulo Salgado Forster wrote: > Hello all, > > I was running some tests with openssh 3.7.1p2 and I noticed that > PermitRootLogin without-password does not work when PAM is enabled. In > fact, when PAM is enabled, PermitRootLogin will work as "yes" if " > without-password" is used, no matter what kind of authentication is used > for root login. Is that a bug, I missed something in the configurations, > or expected behavior? This is the output of a debugged session of ssh: > > debug1: sshd version OpenSSH_3.7.1p2 > debug1: read PEM private key done: type RSA > debug1: private host key: #0 type 1 RSA > socket: Address family not supported by protocol > debug1: Bind to port 80 on 0.0.0.0. > Server listening on 0.0.0.0 port 80. > debug1: Server will not fork when running in debugging mode. > Connection from x.x.x.x port 2319 > debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 > debug1: match: OpenSSH_3.4p1 pat > OpenSSH_3.2*,OpenSSH_3.3*,OpenSSH_3.4*,OpenSSH_3.5* > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2 > debug1: permanently_set_uid: 74/74 > debug1: list_hostkey_types: ssh-rsa > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: client->server aes128-cbc hmac-md5 none > debug1: kex: server->client aes128-cbc hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received > debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT > debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug1: SSH2_MSG_NEWKEYS received > debug1: KEX done > debug1: userauth-request for user root service ssh-connection method none > debug1: attempt 0 failures 0 > debug1: PAM: initializing for "root" > debug1: PAM: setting PAM_RHOST to "x.x.x.x" > debug1: PAM: setting PAM_TTY to "ssh" > Failed none for root from x.x.x.x port 2319 ssh2 > Failed none for root from x.x.x.x port 2319 ssh2 > debug1: userauth-request for user root service ssh-connection method > keyboard-interactive > debug1: attempt 1 failures 1 > debug1: keyboard-interactive devs > debug1: auth2_challenge: user=root devs= > debug1: kbdint_alloc: devices 'pam' > debug1: auth2_challenge_start: trying authentication method 'pam' > Postponed keyboard-interactive for root from x.x.x.x port 2319 ssh2 > Postponed keyboard-interactive/pam for root from x.x.x.x port 2319 ssh2 > Accepted keyboard-interactive/pam for root from x.x.x.x port 2319 ssh2 > Accepted keyboard-interactive/pam for root from x.x.x.x port 2319 ssh2 > debug1: monitor_child_preauth: root has been authenticated by privileged > process > debug1: Entering interactive session for SSH2. > debug1: server_init_dispatch_20 > debug1: server_input_channel_open: ctype session rchan 0 win 65536 max > 16384 > debug1: input_session_request > debug1: channel 0: new [server-session] > debug1: session_new: init > debug1: session_new: session 0 > debug1: session_open: channel 0 > debug1: session_open: session 0: link with channel 0 > debug1: server_input_channel_open: confirm session > debug1: server_input_channel_req: channel 0 request pty-req reply 0 > debug1: session_by_channel: session 0 channel 0 > debug1: session_input_channel_req: session 0 req pty-req > debug1: Allocating pty. > debug1: session_pty_req: session 0 alloc /dev/pts/1 > debug1: server_input_channel_req: channel 0 request shell reply 0 > debug1: session_by_channel: session 0 channel 0 > debug1: session_input_channel_req: session 0 req shell > debug1: PAM: setting PAM_TTY to "/dev/pts/1" > debug1: PAM: establishing credentials > debug1: Setting controlling tty using TIOCSCTTY. > debug1: Received SIGCHLD. > debug1: session_by_pid: pid 17636 > debug1: session_exit_message: session 0 channel 0 pid 17636 > debug1: session_exit_message: release channel 0 > debug1: session_close: session 0 pid 17636 > debug1: session_pty_cleanup: session 0 release /dev/pts/1 > debug1: channel 0: free: server-session, nchannels 1 > Connection closed by x.x.x.x > Closing connection to x.x.x.x > debug1: PAM: cleanup > This is not a bug. According to the manual of an earlier version enabling PAM support may bypass setting of 'PasswordAuthentication' parameter. When you set 'PermitRootLogin without-password', you only disable password authentication for root, but keyboard-interactive authentication uses PAM. Depending on your PAM configuration this can lead to requesting the password from user being authenticated. To prevent this from happening I'd suggest you to disable challenge-response authentication because enabling it inherently enables keyboard-interactive authentication which is by default disabled. -- Sincerely Your, Dan. From aforster at br.ibm.com Tue Nov 4 08:59:05 2003 From: aforster at br.ibm.com (Antonio Paulo Salgado Forster) Date: Mon, 3 Nov 2003 20:59:05 -0100 Subject: Problems with PAM and PermitRootLogin without-password In-Reply-To: Message-ID: good one! Thanks! Forster Dan Yefimov on 03/11/2003 18:42:29 To: Antonio Paulo Salgado Forster/Brazil/IBM at IBMBR cc: openssh-unix-dev at mindrot.org Subject: Re: Problems with PAM and PermitRootLogin without-password On Mon, 3 Nov 2003, Antonio Paulo Salgado Forster wrote: > Hello all, > > I was running some tests with openssh 3.7.1p2 and I noticed that > PermitRootLogin without-password does not work when PAM is enabled. In > fact, when PAM is enabled, PermitRootLogin will work as "yes" if " > without-password" is used, no matter what kind of authentication is used > for root login. Is that a bug, I missed something in the configurations, > or expected behavior? This is the output of a debugged session of ssh: > > debug1: sshd version OpenSSH_3.7.1p2 > debug1: read PEM private key done: type RSA > debug1: private host key: #0 type 1 RSA > socket: Address family not supported by protocol > debug1: Bind to port 80 on 0.0.0.0. > Server listening on 0.0.0.0 port 80. > debug1: Server will not fork when running in debugging mode. > Connection from x.x.x.x port 2319 > debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 > debug1: match: OpenSSH_3.4p1 pat > OpenSSH_3.2*,OpenSSH_3.3*,OpenSSH_3.4*,OpenSSH_3.5* > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2 > debug1: permanently_set_uid: 74/74 > debug1: list_hostkey_types: ssh-rsa > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: client->server aes128-cbc hmac-md5 none > debug1: kex: server->client aes128-cbc hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received > debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT > debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug1: SSH2_MSG_NEWKEYS received > debug1: KEX done > debug1: userauth-request for user root service ssh-connection method none > debug1: attempt 0 failures 0 > debug1: PAM: initializing for "root" > debug1: PAM: setting PAM_RHOST to "x.x.x.x" > debug1: PAM: setting PAM_TTY to "ssh" > Failed none for root from x.x.x.x port 2319 ssh2 > Failed none for root from x.x.x.x port 2319 ssh2 > debug1: userauth-request for user root service ssh-connection method > keyboard-interactive > debug1: attempt 1 failures 1 > debug1: keyboard-interactive devs > debug1: auth2_challenge: user=root devs= > debug1: kbdint_alloc: devices 'pam' > debug1: auth2_challenge_start: trying authentication method 'pam' > Postponed keyboard-interactive for root from x.x.x.x port 2319 ssh2 > Postponed keyboard-interactive/pam for root from x.x.x.x port 2319 ssh2 > Accepted keyboard-interactive/pam for root from x.x.x.x port 2319 ssh2 > Accepted keyboard-interactive/pam for root from x.x.x.x port 2319 ssh2 > debug1: monitor_child_preauth: root has been authenticated by privileged > process > debug1: Entering interactive session for SSH2. > debug1: server_init_dispatch_20 > debug1: server_input_channel_open: ctype session rchan 0 win 65536 max > 16384 > debug1: input_session_request > debug1: channel 0: new [server-session] > debug1: session_new: init > debug1: session_new: session 0 > debug1: session_open: channel 0 > debug1: session_open: session 0: link with channel 0 > debug1: server_input_channel_open: confirm session > debug1: server_input_channel_req: channel 0 request pty-req reply 0 > debug1: session_by_channel: session 0 channel 0 > debug1: session_input_channel_req: session 0 req pty-req > debug1: Allocating pty. > debug1: session_pty_req: session 0 alloc /dev/pts/1 > debug1: server_input_channel_req: channel 0 request shell reply 0 > debug1: session_by_channel: session 0 channel 0 > debug1: session_input_channel_req: session 0 req shell > debug1: PAM: setting PAM_TTY to "/dev/pts/1" > debug1: PAM: establishing credentials > debug1: Setting controlling tty using TIOCSCTTY. > debug1: Received SIGCHLD. > debug1: session_by_pid: pid 17636 > debug1: session_exit_message: session 0 channel 0 pid 17636 > debug1: session_exit_message: release channel 0 > debug1: session_close: session 0 pid 17636 > debug1: session_pty_cleanup: session 0 release /dev/pts/1 > debug1: channel 0: free: server-session, nchannels 1 > Connection closed by x.x.x.x > Closing connection to x.x.x.x > debug1: PAM: cleanup > This is not a bug. According to the manual of an earlier version enabling PAM support may bypass setting of 'PasswordAuthentication' parameter. When you set 'PermitRootLogin without-password', you only disable password authentication for root, but keyboard-interactive authentication uses PAM. Depending on your PAM configuration this can lead to requesting the password from user being authenticated. To prevent this from happening I'd suggest you to disable challenge-response authentication because enabling it inherently enables keyboard-interactive authentication which is by default disabled. -- Sincerely Your, Dan. From morty at frakir.org Tue Nov 4 19:07:50 2003 From: morty at frakir.org (Mordechai T. Abzug) Date: Tue, 4 Nov 2003 03:07:50 -0500 Subject: ServerLiesWarning Message-ID: <20031104080750.GA10872@red-sonja.frakir.org> I'm trying to replace some sshv1 clients and servers in a modular way, and the "Server Lies" warning (when the server says the key has one more bit than it really has) is causing heartache. Per the FAQ, this is relatively benign. Here's a patch that allows an admin or user to disable the warning. - Morty diff -Nur openssh-3.7.1p2/readconf.c openssh-3.7.1p2-serverlieswarning/readconf.c --- openssh-3.7.1p2/readconf.c 2003-09-02 08:58:22.000000000 -0400 +++ openssh-3.7.1p2-serverlieswarning/readconf.c 2003-11-04 02:32:50.000000000 -0500 @@ -104,7 +104,7 @@ oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, - oAddressFamily, oGssAuthentication, oGssDelegateCreds, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, oServerLiesWarning, oDeprecated, oUnsupported } OpCodes; @@ -166,6 +166,7 @@ { "batchmode", oBatchMode }, { "checkhostip", oCheckHostIP }, { "stricthostkeychecking", oStrictHostKeyChecking }, + { "serverlieswarning", oServerLiesWarning }, { "compression", oCompression }, { "compressionlevel", oCompressionLevel }, { "keepalive", oKeepAlives }, @@ -402,6 +403,10 @@ intptr = &options->verify_host_key_dns; goto parse_flag; + case oServerLiesWarning: + intptr = &options->server_lies_warning; + goto parse_flag; + case oStrictHostKeyChecking: intptr = &options->strict_host_key_checking; arg = strdelim(&s); @@ -856,6 +861,7 @@ options->no_host_authentication_for_localhost = - 1; options->rekey_limit = - 1; options->verify_host_key_dns = -1; + options->server_lies_warning = -1; } /* @@ -968,6 +974,8 @@ options->rekey_limit = 0; if (options->verify_host_key_dns == -1) options->verify_host_key_dns = 0; + if (options->server_lies_warning == -1) + options->server_lies_warning = 1; /* options->proxy_command should not be set by default */ /* options->user will be set in the main program if appropriate */ /* options->hostname will be set in the main program if appropriate */ diff -Nur openssh-3.7.1p2/readconf.h openssh-3.7.1p2-serverlieswarning/readconf.h --- openssh-3.7.1p2/readconf.h 2003-09-02 08:58:22.000000000 -0400 +++ openssh-3.7.1p2-serverlieswarning/readconf.h 2003-11-04 02:19:21.000000000 -0500 @@ -82,6 +82,7 @@ char *bind_address; /* local socket address for connection to sshd */ char *smartcard_device; /* Smartcard reader device */ int verify_host_key_dns; /* Verify host key using DNS */ + int server_lies_warning; /* display warning about server lying */ int num_identity_files; /* Number of files for RSA/DSA identities. */ char *identity_files[SSH_MAX_IDENTITY_FILES]; diff -Nur openssh-3.7.1p2/ssh_config.5 openssh-3.7.1p2-serverlieswarning/ssh_config.5 --- openssh-3.7.1p2/ssh_config.5 2003-09-02 22:13:30.000000000 -0400 +++ openssh-3.7.1p2-serverlieswarning/ssh_config.5 2003-11-04 02:45:47.000000000 -0500 @@ -553,6 +553,12 @@ The default is .Dq yes . Note that this option applies to protocol version 1 only. +.It Cm ServerLiesWarning +Specifies whether or not the client should display the "Server lies" warning +when the server claims that a key is one bit longer than it is. +The default is +.Dq yes . +Disabling this allows better compatibility with older ssh versions. .It Cm SmartcardDevice Specifies which smartcard device to use. The argument to this keyword is the device diff -Nur openssh-3.7.1p2/sshconnect1.c openssh-3.7.1p2-serverlieswarning/sshconnect1.c --- openssh-3.7.1p2/sshconnect1.c 2003-09-02 08:51:17.000000000 -0400 +++ openssh-3.7.1p2-serverlieswarning/sshconnect1.c 2003-11-04 02:29:50.000000000 -0500 @@ -494,7 +494,8 @@ packet_get_bignum(server_key->rsa->n); rbits = BN_num_bits(server_key->rsa->n); - if (bits != rbits) { + if (bits == rbits + 1 && ! options.server_lies_warning) { + } else if (bits != rbits) { logit("Warning: Server lies about size of server public key: " "actual size is %d bits vs. announced %d.", rbits, bits); logit("Warning: This may be due to an old implementation of ssh."); @@ -506,7 +507,8 @@ packet_get_bignum(host_key->rsa->n); rbits = BN_num_bits(host_key->rsa->n); - if (bits != rbits) { + if (bits == rbits + 1 && ! options.server_lies_warning) { + } else if (bits != rbits) { logit("Warning: Server lies about size of server host key: " "actual size is %d bits vs. announced %d.", rbits, bits); logit("Warning: This may be due to an old implementation of ssh."); From matter at sover.net Wed Nov 5 06:48:34 2003 From: matter at sover.net (Matt Richards) Date: Tue, 4 Nov 2003 14:48:34 -0500 (EST) Subject: AIX patch for openssh-3.7.1p2 Message-ID: >> I mispoke. The problem actually is privledge separation and setauthdb. >> setauthdb requires root, sshd is not running as root during privledge >> separation, so the authentication fails. > > When running with Privilege Separation, there are 2 sshd's[1], one > running > as root and one not. aix_setauthdb() should always be called from the > privileged sshd process. > > If it's not, can you please post a debug (sshd -ddd) where it's > failing? After looking at it some more, it seems to be the setpcred call and set_authdb. Local users it seems to work okay, however AFS/DFS users, the setpcred fails. I believe it may have something to do with DCE, but I will investigate further. debug3: mm_get_keystate: Waiting for new keys debug3: mm_request_receive_expect entering: type 24 debug3: mm_request_receive entering debug3: mm_newkeys_from_blob: 2013cf08(118) debug2: mac_init: found hmac-md5 debug3: mm_get_keystate: Waiting for second key debug3: mm_newkeys_from_blob: 2013cf08(118) debug2: mac_init: found hmac-md5 debug3: mm_get_keystate: Getting compression state debug3: mm_get_keystate: Getting Network I/O buffers debug3: mm_share_sync: Share sync debug3: mm_share_sync: Share sync end Failed to set process credentials debug1: Calling cleanup 0x20035490(0x0) debug2: User child is on pid 20572 debug3: mm_request_receive entering "Failed to set process credentials" comes from setpcred in do_setusercontext in session.c. > (Also, which AIX version, maintenance level and compiler are you > using?) AIX 4.3.3 ML 01 VisualAge C 5.0.2 AIX 5.1.0 ML 00 VisualAge C 5.1.0 AIX 5.2.0 ML 00 VisualAge C 5.2.0 > >>> I can't follow the changes to configure (which is a machine-generated >>> file). What is the issue with the loginfailed test? Could you post >>> a >>> patch against configure.ac, which is what autoconf uses to generate >>> configure? (preferably "diff -u"). >> >> The problem here is the configure test of: >> >> #ifndef loginfailed >> char *p = (char *) loginfailed; >> #endif >> >> loginfailed is not defined by the compiler and is picked up during the >> linking phase. The patch that I put in tests the linking phase rather >> than the compiling phase. The code above will always fail on AIX. > > That's the output of AC_CHECK_FUNC and it's an #ifndef and not #ifdef. > Can you please post the fragment of config.log where it's failing? configure:3281: checking whether loginfailed is declared configure:3303: /usr/vacpp/bin/cc -c -g -I/usr/local/include conftest.c >&5 "configure", line 3294.22: 1506-045 (S) Undeclared identifier loginfailed. configure:3306: $? = 1 configure: failed program was: #line 3287 "configure" #include "confdefs.h" #include int main () { #ifndef loginfailed char *p = (char *) loginfailed; #endif ; return 0; } configure:3322: result: no > >> AIX has an odd setup for wtmp. I originally patched the 1.2.27 >> version of >> ssh to use AIX's loginsuccess and loginfailed which will take care of >> wtmp and lastlog. It seems that openssh-3.7.1 changed it and put it >> under >> CUSTOM_FAILED_LOGIN define. Defining CUSTOM_FAILED_LOGIN, works for >> this >> version. > > CUSTOM_FAILED_LOGIN should be defined automatically be configure. > Again, > if it's not please post the the fragment from config.log where it > fails. CUSTOM_FAILED_LOGIN is not detected/tested by configure. It used to be part of the AIX build. It is not now. Perhaps it should be an AIX define instead of CUSTOM_FAILED_LOGIN. % grep CUSTOM configure % From dtucker at zip.com.au Wed Nov 5 11:14:15 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 05 Nov 2003 11:14:15 +1100 Subject: AIX patch for openssh-3.7.1p2 References: Message-ID: <3FA840D6.7A431B8E@zip.com.au> Matt Richards wrote: [snip] > After looking at it some more, it seems to be the setpcred call and > set_authdb. Local users it seems to work okay, however AFS/DFS users, > the setpcred fails. I believe it may have something to do with DCE, > but I will investigate further. [snip] > "Failed to set process credentials" comes from setpcred in > do_setusercontext in session.c. It looks like the AFS registry module doesn't support setpcred (along with loginsucess(), sigh). [snip] > > That's the output of AC_CHECK_FUNC and it's an #ifndef and not #ifdef. > > Can you please post the fragment of config.log where it's failing? > configure:3281: checking whether loginfailed is declared > configure:3303: /usr/vacpp/bin/cc -c -g -I/usr/local/include conftest.c > >&5 > "configure", line 3294.22: 1506-045 (S) Undeclared identifier loginfailed. The loginfailed() test in configure is just there to figure out how many arguments it takes. It's still used (as long as WITH_AIXAUTHENTICATE is defined, see below) if the test fails. It's done this way because earlier AIXes don't define it in the headers at all, and on those versions it takes 3 arguments. Some versions define it and take 3 args, and later versions (just 5.2 I think) define it and take 4 args. The compile test is specifically for the 4-argument version, so the logic is (or, at least, should be): if not defined use 3args else if test compile fails use 3args else use 4args [snip] > > CUSTOM_FAILED_LOGIN should be defined automatically be configure. > CUSTOM_FAILED_LOGIN is not detected/tested by configure. It used to be > part of the AIX build. It is not now. Perhaps it should be an AIX > define instead of CUSTOM_FAILED_LOGIN. Correction, CUSTOM_FAILED_LOGIN is defined in port-aix.h if WITH_AIXAUTHENTICATE is defined. It's WITH_AIXAUTHENTICATE that is detected by configure. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From matter at sover.net Thu Nov 6 01:29:45 2003 From: matter at sover.net (Matt Richards) Date: Wed, 5 Nov 2003 09:29:45 -0500 (EST) Subject: AIX patch for openssh-3.7.1p2 Message-ID: >It looks like the AFS registry module doesn't support setpcred (along with >loginsucess(), sigh). The AFS registry does support the loginsuccess and loginfailure (I have done it in other applications), however there seems to be a bug in setpcred/setauthdb which does not play nice with DCE. >The loginfailed() test in configure is just there to figure out how many >arguments it takes. It's still used (as long as WITH_AIXAUTHENTICATE is >defined, see below) if the test fails. I understand this part, put there are two loginfailed tests in configure. One is to test the existence of loginfailed and another to test how many arguments it takes. The test for the arguments is never executed if the loginfailed test fails. >Correction, CUSTOM_FAILED_LOGIN is defined in port-aix.h if >WITH_AIXAUTHENTICATE is defined. It's WITH_AIXAUTHENTICATE that is >detected by configure. That is correct, thanks for the info. I still believe that conf_wtmp_location=/var/adm/wtmp should still be added to the configure script. It is done that way for Next. From vinschen at redhat.com Thu Nov 6 03:15:48 2003 From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 5 Nov 2003 17:15:48 +0100 Subject: [PATCH] contrip/cygwin: Reworking the installation support Message-ID: <20031105161548.GV18706@cygbert.vinschen.de> Hi, the below patch to contrib/cygwin is a major rework to allow various changes in the installation process on Cygwin machines. The important changes are: - New Makefile, providing a `cygwin-postinstall' target which allows to create a base installation as in the Cygwin distribution, which should be run right after a `make install'. - Additional information given in the README file, reworking some old information which wasn't accurate anymore. - Changing ssh-user-config to create file and directory permissions as correct as possible, also under Windows 2003 Server. - ssh-host-config: - Supporting the changes in Windows 2003 Server, which basically requires to create a new privileged account. The description *why* that's necessary is given in the script itself and in the README and is too boring to explain it in this mailing list ;-) - Try hard to create file and directory permissions and ownership as correct as possible. - Add two new command line options to allow full automated host configuration. - Don't create /etc/ssh_config and /etc/sshd_config from here scripts which are part of the ssh-host-config scipt itself, but instead create them from skeleton files, stored in /etc/defaults/etc. - Requires /bin/bash now instead of /bin/sh. This allows reading user input with readline support. - Removing an old configuration from /usr/local is removed from the script. This old style installation would be very old and should have gone already long ago. Well... I think that's it, basically. It would be nice if these changes could be applied to the contrib/cygwin directory. The new Makefile is given as diff against /dev/null, I hope that's ok. Thanks in advance, Corinna --- /dev/null 2003-11-05 17:11:29.944000000 +0100 +++ Makefile 2003-10-30 15:15:07.277580000 +0100 @@ -0,0 +1,56 @@ +srcdir=../.. +prefix=/usr +exec_prefix=$(prefix) +bindir=$(prefix)/bin +datadir=$(prefix)/share +docdir=$(datadir)/doc +sshdocdir=$(docdir)/openssh +cygdocdir=$(docdir)/Cygwin +sysconfdir=/etc +defaultsdir=$(sysconfdir)/defaults/etc +PRIVSEP_PATH=/var/empty +INSTALL=/usr/bin/install -c + +DESTDIR= + +all: + @echo + @echo "Use \`make cygwin-postinstall DESTDIR=[package directory]'" + @echo "Be sure having DESTDIR set correctly!" + @echo + +move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config + $(srcdir)/mkinstalldirs $(DESTDIR)$(defaultsdir) + mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir) + mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir) + +remove-empty-dir: + rm -rf $(DESTDIR)$(PRIVSEP_PATH) + +install-sshdoc: + $(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir) + $(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS + $(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog + $(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE + $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW + $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README + $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns + $(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep + $(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard + $(INSTALL) -m 644 $(srcdir)/RFC.nroff $(DESTDIR)$(sshdocdir)/RFC.nroff + $(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO + $(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG + +install-cygwindoc: README + $(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir) + $(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README + +install-doc: install-sshdoc install-cygwindoc + +install-scripts: ssh-host-config ssh-user-config + $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir) + $(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config + $(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config + +cygwin-postinstall: move-config-files remove-empty-dir install-doc install-scripts + @echo "Cygwin specific configuration finished." Index: README =================================================================== RCS file: /cvs/openssh_cvs/contrib/cygwin/README,v retrieving revision 1.11 diff -p -u -r1.11 README --- README 22 Sep 2003 02:32:00 -0000 1.11 +++ README 5 Nov 2003 16:11:37 -0000 @@ -1,4 +1,49 @@ -This package is the actual port of OpenSSH to Cygwin 1.5. +This package describes important Cygwin specific stuff concerning OpenSSH. + +The binary package is usually built for recent Cygwin versions and might +not run on older versions. Please check http://cygwin.com/ for information +about current Cygwin releases. + +Build instructions are at the end of the file. + +=========================================================================== +Important change since 3.7.1p2-2: + +The ssh-host-config file doesn't create the /etc/ssh_config and +/etc/sshd_config files from builtin here-scripts anymore, but it uses +skeleton files installed in /etc/defaults/etc. + +Also it now tries hard to create appropriate permissions on files. +Same applies for ssh-user-config. + +After creating the sshd service with ssh-host-config, it's advisable to +call ssh-user-config for all affected users, also already exising user +configurations. In the latter case, file and directory permissions are +checked and changed, if requireed to match the host configuration. + +Important note for Windows 2003 Server users: +--------------------------------------------- + +2003 Server has a funny new feature. When starting services under SYSTEM +account, these services have nearly all user rights which SYSTEM holds... +except for the "Create a token object" right, which is needed to allow +public key authentication :-( + +There's no way around this, except for creating a substitute account which +has the appropriate privileges. Basically, this account should be member +of the administrators group, plus it should have the following user rights: + + Create a token object + Logon as a service + Replace a process level token + Increase Quota + +The ssh-host-config script asks you, if it should create such an account, +called "sshd_server". If you say "no" here, you're on your own. Please +follow the instruction in ssh-host-config exactly if possible. Note that +ssh-user-config sets the permissions on 2003 Server machines dependent of +whether a sshd_server account exists or not. +=========================================================================== =========================================================================== Important change since 3.4p1-2: @@ -114,54 +159,6 @@ ${SYSTEMROOT}/system32/drivers/etc/servi ssh 22/tcp #SSH daemon -=========================================================================== -The following restrictions only apply to Cygwin versions up to 1.3.1 -=========================================================================== - -Authentication to sshd is possible in one of two ways. -You'll have to decide before starting sshd! - -- If you want to authenticate via RSA and you want to login to that - machine to exactly one user account you can do so by running sshd - under that user account. You must change /etc/sshd_config - to contain the following: - - RSAAuthentication yes - - Moreover it's possible to use rhosts and/or rhosts with - RSA authentication by setting the following in sshd_config: - - RhostsAuthentication yes - RhostsRSAAuthentication yes - -- If you want to be able to login to different user accounts you'll - have to start sshd under system account or any other account that - is able to switch user context. Note that administrators are _not_ - able to do that by default! You'll have to give the following - special user rights to the user: - "Act as part of the operating system" - "Replace process level token" - "Increase quotas" - and if used via service manager - "Logon as a service". - - The system account does of course own that user rights by default. - - Unfortunately, if you choose that way, you can only logon with - NT password authentification and you should change - /etc/sshd_config to contain the following: - - PasswordAuthentication yes - RhostsAuthentication no - RhostsRSAAuthentication no - RSAAuthentication no - - However you can login to the user which has started sshd with - RSA authentication anyway. If you want that, change the RSA - authentication setting back to "yes": - - RSAAuthentication yes - Please note that OpenSSH does never use the value of $HOME to search for the users configuration files! It always uses the value of the pw_dir field in /etc/passwd as the home directory. @@ -169,7 +166,7 @@ If no home diretory is set in /etc/passw is used instead! You may use all features of the CYGWIN=ntsec setting the same -way as they are used by the `login' port on sources.redhat.com: +way as they are used by Cygwin's login(1) port: The pw_gecos field may contain an additional field, that begins with (upper case!) "U-", followed by the domain and the username @@ -186,6 +183,8 @@ way as they are used by the `login' port locuser::1104:513:John Doe,U-user,S-1-5-21-... +Note that the CYGWIN=ntsec setting is required for public key authentication. + SSH2 server and user keys are generated by the `ssh-*-config' scripts as well. @@ -194,15 +193,30 @@ configure are used for the Cygwin binary --prefix=/usr \ --sysconfdir=/etc \ - --libexecdir='${exec_prefix}/sbin' - -You must have installed the zlib and openssl packages to be able to + --libexecdir='$(sbindir)' \ + --localstatedir=/var \ + --datadir='$(prefix)/share' \ + --mandir='$(datadir)/man' \ + --with-tcp-wrappers + +If you want to create a Cygwin package, equivalent to the one +in the Cygwin binary distribution, install like this: + + mkdir /tmp/cygwin-ssh + cd $(builddir) + make install DESTDIR=/tmp/cygwin-ssh + cd $(srcdir)/contrib/cygwin + make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh + cd /tmp/cygwin-ssh + find * \! -type d | tar cvjfT my-openssh.tar.bz2 - + +You must have installed the zlib and openssl-devel packages to be able to build OpenSSH! Please send requests, error reports etc. to cygwin at cygwin.com. Have fun, -Corinna Vinschen +Corinna Vinschen Cygwin Developer Red Hat Inc. Index: ssh-host-config =================================================================== RCS file: /cvs/openssh_cvs/contrib/cygwin/ssh-host-config,v retrieving revision 1.12 diff -p -u -r1.12 ssh-host-config --- ssh-host-config 3 Nov 2003 07:59:29 -0000 1.12 +++ ssh-host-config 5 Nov 2003 16:11:37 -0000 @@ -1,6 +1,6 @@ -#!/bin/sh +#!/bin/bash # -# ssh-host-config, Copyright 2000, Red Hat Inc. +# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc. # # This file is part of the Cygwin port of OpenSSH. @@ -9,10 +9,7 @@ PREFIX=/usr # Directory where the config files are stored SYSCONFDIR=/etc - -# Subdirectory where an old package might be installed -OLDPREFIX=/usr/local -OLDSYSCONFDIR=${OLDPREFIX}/etc +LOCALSTATEDIR=/var progname=$0 auto_answer="" @@ -27,9 +24,11 @@ request() { if [ "${auto_answer}" = "yes" ] then + echo "$1 (yes/no) yes" return 0 elif [ "${auto_answer}" = "no" ] then + echo "$1 (yes/no) no" return 1 fi @@ -37,7 +36,7 @@ request() while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] do echo -n "$1 (yes/no) " - read answer + read -e answer done if [ "X${answer}" = "Xyes" ] then @@ -60,7 +59,7 @@ do option=$1 shift - case "$option" in + case "${option}" in -d | --debug ) set -x ;; @@ -73,21 +72,33 @@ do auto_answer=no ;; + -c | --cygwin ) + cygwin_value="$1" + shift + ;; + -p | --port ) port_number=$1 shift ;; + -w | --pwd ) + password_value="$1" + shift + ;; + *) echo "usage: ${progname} [OPTION]..." echo echo "This script creates an OpenSSH host configuration." echo echo "Options:" - echo " --debug -d Enable shell's debug output." - echo " --yes -y Answer all questions with \"yes\" automatically." - echo " --no -n Answer all questions with \"no\" automatically." - echo " --port -p sshd listens on port n." + echo " --debug -d Enable shell's debug output." + echo " --yes -y Answer all questions with \"yes\" automatically." + echo " --no -n Answer all questions with \"no\" automatically." + echo " --cygwin -c Use \"options\" as value for CYGWIN environment var." + echo " --port -p sshd listens on port n." + echo " --pwd -w Use \"pwd\" as password for user 'sshd_server'." echo exit 1 ;; @@ -96,8 +107,13 @@ do done # Check if running on NT -_sys="`uname -a`" -_nt=`expr "$_sys" : "CYGWIN_NT"` +_sys="`uname`" +_nt=`expr "${_sys}" : "CYGWIN_NT"` +# If running on NT, check if running under 2003 Server or later +if [ ${_nt} -gt 0 ] +then + _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'` +fi # Check for running ssh/sshd processes first. Refuse to do anything while # some ssh processes are still running @@ -137,87 +153,33 @@ fi # Create /var/log and /var/log/lastlog if not already existing -if [ -f /var/log ] +if [ -f ${LOCALSTATEDIR}/log ] then - echo "Creating /var/log failed\!" + echo "Creating ${LOCALSTATEDIR}/log failed!" else - if [ ! -d /var/log ] + if [ ! -d ${LOCALSTATEDIR}/log ] then - mkdir -p /var/log + mkdir -p ${LOCALSTATEDIR}/log fi - if [ -d /var/log/lastlog ] + if [ -d ${LOCALSTATEDIR}/log/lastlog ] then - echo "Creating /var/log/lastlog failed\!" - elif [ ! -f /var/log/lastlog ] + chmod 777 ${LOCALSTATEDIR}/log/lastlog + elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ] then - cat /dev/null > /var/log/lastlog + cat /dev/null > ${LOCALSTATEDIR}/log/lastlog + chmod 666 ${LOCALSTATEDIR}/log/lastlog fi fi # Create /var/empty file used as chroot jail for privilege separation -if [ -f /var/empty ] +if [ -f ${LOCALSTATEDIR}/empty ] then - echo "Creating /var/empty failed\!" + echo "Creating ${LOCALSTATEDIR}/empty failed!" else - mkdir -p /var/empty - # On NT change ownership of that dir to user "system" - if [ $_nt -gt 0 ] + mkdir -p ${LOCALSTATEDIR}/empty + if [ ${_nt} -gt 0 ] then - chmod 755 /var/empty - chown system.system /var/empty - fi -fi - -# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't -# the same as ${PREFIX} - -old_install=0 -if [ "${OLDPREFIX}" != "${PREFIX}" ] -then - if [ -f "${OLDPREFIX}/sbin/sshd" ] - then - echo - echo "You seem to have an older installation in ${OLDPREFIX}." - echo - # Check if old global configuration files exist - if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ] - then - if request "Do you want to copy your config files to your new installation?" - then - cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR} - fi - fi - if request "Do you want to erase your old installation?" - then - rm -f ${OLDPREFIX}/bin/ssh.exe - rm -f ${OLDPREFIX}/bin/ssh-config - rm -f ${OLDPREFIX}/bin/scp.exe - rm -f ${OLDPREFIX}/bin/ssh-add.exe - rm -f ${OLDPREFIX}/bin/ssh-agent.exe - rm -f ${OLDPREFIX}/bin/ssh-keygen.exe - rm -f ${OLDPREFIX}/bin/slogin - rm -f ${OLDSYSCONFDIR}/ssh_host_key - rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub - rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key - rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub - rm -f ${OLDSYSCONFDIR}/ssh_config - rm -f ${OLDSYSCONFDIR}/sshd_config - rm -f ${OLDPREFIX}/man/man1/ssh.1 - rm -f ${OLDPREFIX}/man/man1/scp.1 - rm -f ${OLDPREFIX}/man/man1/ssh-add.1 - rm -f ${OLDPREFIX}/man/man1/ssh-agent.1 - rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1 - rm -f ${OLDPREFIX}/man/man1/slogin.1 - rm -f ${OLDPREFIX}/man/man8/sshd.8 - rm -f ${OLDPREFIX}/sbin/sshd.exe - rm -f ${OLDPREFIX}/sbin/sftp-server.exe - fi - old_install=1 + chmod 755 ${LOCALSTATEDIR}/empty fi fi @@ -255,52 +217,16 @@ then fi fi -# Create default ssh_config from here script +# Create default ssh_config from skeleton file in /etc/defaults/etc if [ ! -f "${SYSCONFDIR}/ssh_config" ] then echo "Generating ${SYSCONFDIR}/ssh_config file" - cat > ${SYSCONFDIR}/ssh_config << EOF -# This is the ssh client system-wide configuration file. See -# ssh_config(5) for more information. This file provides defaults for -# users, and the values can be changed in per-user configuration files -# or on the command line. - -# Configuration data is parsed as follows: -# 1. command line options -# 2. user-specific file -# 3. system-wide file -# Any configuration value is only changed the first time it is set. -# Thus, host-specific definitions should be at the beginning of the -# configuration file, and defaults at the end. - -# Site-wide defaults for various options - -# Host * -# ForwardAgent no -# ForwardX11 no -# RhostsRSAAuthentication no -# RSAAuthentication yes -# PasswordAuthentication yes -# HostbasedAuthentication no -# BatchMode no -# CheckHostIP yes -# AddressFamily any -# ConnectTimeout 0 -# StrictHostKeyChecking ask -# IdentityFile ~/.ssh/identity -# IdentityFile ~/.ssh/id_dsa -# IdentityFile ~/.ssh/id_rsa -# Port 22 -# Protocol 2,1 -# Cipher 3des -# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc -# EscapeChar ~ -EOF - if [ "$port_number" != "22" ] + cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config + if [ "${port_number}" != "22" ] then echo "Host localhost" >> ${SYSCONFDIR}/ssh_config - echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config + echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config fi fi @@ -322,35 +248,35 @@ fi # Prior to creating or modifying sshd_config, care for privilege separation -if [ "$privsep_configured" != "yes" ] +if [ "${privsep_configured}" != "yes" ] then - if [ $_nt -gt 0 ] + if [ ${_nt} -gt 0 ] then echo "Privilege separation is set to yes by default since OpenSSH 3.3." echo "However, this requires a non-privileged account called 'sshd'." - echo "For more info on privilege separation read /usr/doc/openssh/README.privsep." + echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." echo - if request "Shall privilege separation be used?" + if request "Should privilege separation be used?" then privsep_used=yes grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes net user sshd >/dev/null 2>&1 && sshd_in_sam=yes - if [ "$sshd_in_passwd" != "yes" ] + if [ "${sshd_in_passwd}" != "yes" ] then - if [ "$sshd_in_sam" != "yes" ] + if [ "${sshd_in_sam}" != "yes" ] then echo "Warning: The following function requires administrator privileges!" - if request "Shall this script create a local user 'sshd' on this machine?" + if request "Should this script create a local user 'sshd' on this machine?" then - dos_var_empty=`cygpath -w /var/empty` - net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes - if [ "$sshd_in_sam" != "yes" ] + dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty` + net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes + if [ "${sshd_in_sam}" != "yes" ] then echo "Warning: Creating the user 'sshd' failed!" fi fi fi - if [ "$sshd_in_sam" != "yes" ] + if [ "${sshd_in_sam}" != "yes" ] then echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!" echo " Privilege separation set to 'no' again!" @@ -365,117 +291,41 @@ then fi else # On 9x don't use privilege separation. Since security isn't - # available it just adds useless addtional processes. + # available it just adds useless additional processes. privsep_used=no fi fi -# Create default sshd_config from here script or modify to add the -# missing privsep configuration option +# Create default sshd_config from skeleton files in /etc/defaults/etc or +# modify to add the missing privsep configuration option if [ ! -f "${SYSCONFDIR}/sshd_config" ] then echo "Generating ${SYSCONFDIR}/sshd_config file" - cat > ${SYSCONFDIR}/sshd_config << EOF -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a -# default value. - -Port $port_number -#Protocol 2,1 -#ListenAddress 0.0.0.0 -#ListenAddress :: - -# HostKey for protocol version 1 -#HostKey ${SYSCONFDIR}/ssh_host_key -# HostKeys for protocol version 2 -#HostKey ${SYSCONFDIR}/ssh_host_rsa_key -#HostKey ${SYSCONFDIR}/ssh_host_dsa_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 768 - -# Logging -#obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -#PermitRootLogin yes -# The following setting overrides permission checks on host key files -# and directories. For security reasons set this to "yes" when running -# NT/W2K, NTFS and CYGWIN=ntsec. -StrictModes no - -#RSAAuthentication yes -#PubkeyAuthentication yes -#AuthorizedKeysFile .ssh/authorized_keys - -# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes -#PermitEmptyPasswords no - -# Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes - -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding no -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PrintMotd yes -#PrintLastLog yes -#KeepAlive yes -#UseLogin no -UsePrivilegeSeparation $privsep_used -#PermitUserEnvironment no -#Compression yes -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS yes -#PidFile /var/run/sshd.pid -#MaxStartups 10 - -# no default banner path -#Banner /some/path - -# override default of no subsystems -Subsystem sftp /usr/sbin/sftp-server -EOF -elif [ "$privsep_configured" != "yes" ] + sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ + s/^#Port 22/Port ${port_number}/ + s/^#StrictModes yes/StrictModes no/" \ + < ${SYSCONFDIR}/defaults/etc/sshd_config \ + > ${SYSCONFDIR}/sshd_config +elif [ "${privsep_configured}" != "yes" ] then echo >> ${SYSCONFDIR}/sshd_config - echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config + echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config fi # Care for services file _my_etcdir="/ssh-host-config.$$" -if [ $_nt -gt 0 ] +if [ ${_nt} -gt 0 ] then _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" _services="${_my_etcdir}/services" + # On NT, 27 spaces, no space after the hash + _spaces=" #" else _win_etcdir="${WINDIR}" _services="${_my_etcdir}/SERVICES" + # On 9x, 18 spaces (95 is very touchy), a space after the hash + _spaces=" # " fi _serv_tmp="${_my_etcdir}/srv.out.$$" @@ -494,29 +344,28 @@ then then echo "Removing sshd from ${_wservices}" else - echo "Removing sshd from ${_wservices} failed\!" + echo "Removing sshd from ${_wservices} failed!" fi rm -f "${_serv_tmp}" else - echo "Removing sshd from ${_wservices} failed\!" + echo "Removing sshd from ${_wservices} failed!" fi fi # Add ssh 22/tcp and ssh 22/udp to services if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] then - awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" - if [ -f "${_serv_tmp}" ] + if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" then if mv "${_serv_tmp}" "${_services}" then echo "Added ssh to ${_wservices}" else - echo "Adding ssh to ${_wservices} failed\!" + echo "Adding ssh to ${_wservices} failed!" fi rm -f "${_serv_tmp}" else - echo "Adding ssh to ${_wservices} failed\!" + echo "WARNING: Adding ssh to ${_wservices} failed!" fi fi @@ -541,11 +390,11 @@ then then echo "Removed sshd from ${_inetcnf}" else - echo "Removing sshd from ${_inetcnf} failed\!" + echo "Removing sshd from ${_inetcnf} failed!" fi rm -f "${_inetcnf_tmp}" else - echo "Removing sshd from ${_inetcnf} failed\!" + echo "Removing sshd from ${_inetcnf} failed!" fi fi @@ -563,33 +412,180 @@ then fi # On NT ask if sshd should be installed as service -if [ $_nt -gt 0 ] +if [ ${_nt} -gt 0 ] then - echo - echo "Do you want to install sshd as service?" - if request "(Say \"no\" if it's already installed as service)" + # But only if it is not already installed + if ! cygrunsrv -Q sshd > /dev/null 2>&1 then echo - echo "Which value should the environment variable CYGWIN have when" - echo "sshd starts? It's recommended to set at least \"ntsec\" to be" - echo "able to change user context without password." - echo -n "Default is \"binmode ntsec tty\". CYGWIN=" - read _cygwin - [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty" - if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" + echo + echo "Warning: The following functions require administrator privileges!" + echo + echo "Do you want to install sshd as service?" + if request "(Say \"no\" if it's already installed as service)" then - chown system ${SYSCONFDIR}/ssh* - echo - echo "The service has been installed under LocalSystem account." + if [ $_nt2003 -gt 0 ] + then + grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes + if [ "${sshd_server_in_passwd}" = "yes" ] + then + # Drop sshd_server from passwd since it could have wrong settings + grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$ + rm -f ${SYSCONFDIR}/passwd + mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd + chmod g-w,o-w ${SYSCONFDIR}/passwd + fi + net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes + if [ "${sshd_server_in_sam}" != "yes" ] + then + echo + echo "You appear to be running Windows 2003 Server or later. On 2003 and" + echo "later systems, it's not possible to use the LocalSystem account" + echo "if sshd should allow passwordless logon (e. g. public key authentication)." + echo "If you want to enable that functionality, it's required to create a new" + echo "account 'sshd_server' with special privileges, which is then used to run" + echo "the sshd service under." + echo + echo "Should this script create a new local account 'sshd_server' which has" + if request "the required privileges?" + then + _admingroup=`awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group` + if [ -z "${_admingroup}" ] + then + echo "There's no group with SID S-1-5-32-544 (Local administrators group) in" + echo "your ${SYSCONFDIR}/group file. Please regenerate this entry using 'mkgroup -l'" + echo "and restart this script." + exit 1 + fi + dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty` + while [ "${sshd_server_in_sam}" != "yes" ] + do + if [ -n "${password_value}" ] + then + _password="${password_value}" + # Allow to ask for password if first try fails + password_value="" + else + echo + echo "Please enter a password for new user 'sshd_server'. Please be sure that" + echo "this password matches the password rules given on your system." + echo -n "Entering no password will exit the configuration. PASSWORD=" + read -e _password + if [ -z "${_password}" ] + then + echo + echo "Exiting configuration. No user sshd_server has been created," + echo "no sshd service installed." + exit 1 + fi + fi + net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes + if [ "${sshd_server_in_sam}" != "yes" ] + then + echo "Creating the user 'sshd_server' failed! Reason:" + cat /tmp/nu.$$ + rm /tmp/nu.$$ + fi + done + net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes + if [ "${sshd_server_in_admingroup}" != "yes" ] + then + echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!" + echo "Please add sshd_server to local group ${_admingroup} before" + echo "starting the sshd service!" + echo + fi + passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'` + if [ "${passwd_has_expiry_flags}" != "yes" ] + then + echo + echo "WARNING: User sshd_server has password expiry set to system default." + echo "Please check that password never expires or set it to your needs." + elif ! passwd -e sshd_server + then + echo + echo "WARNING: Setting password expiry for user sshd_server failed!" + echo "Please check that password never expires or set it to your needs." + fi + editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server && + editrights -a SeCreateTokenPrivilege -u sshd_server && + editrights -a SeDenyInteractiveLogonRight -u sshd_server && + editrights -a SeDenyNetworkLogonRight -u sshd_server && + editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server && + editrights -a SeIncreaseQuotaPrivilege -u sshd_server && + editrights -a SeServiceLogonRight -u sshd_server && + sshd_server_got_all_rights="yes" + if [ "${sshd_server_got_all_rights}" != "yes" ] + then + echo + echo "Assigning the appropriate privileges to user 'sshd_server' failed!" + echo "Can't create sshd service!" + exit 1 + fi + echo + echo "User 'sshd_server' has been created with password '${_password}'." + echo "If you change the password, please keep in mind to change the password" + echo "for the sshd service, too." + echo + echo "Also keep in mind that the user sshd_server needs read permissions on all" + echo "users' .ssh/authorized_keys file to allow public key authentication for" + echo "these users!. (Re-)running ssh-user-config for each user will set the" + echo "required permissions correctly." + echo + fi + fi + if [ "${sshd_server_in_sam}" = "yes" ] + then + mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd + fi + fi + if [ -n "${cygwin_value}" ] + then + _cygwin="${cygwin_value}" + else + echo + echo "Which value should the environment variable CYGWIN have when" + echo "sshd starts? It's recommended to set at least \"ntsec\" to be" + echo "able to change user context without password." + echo -n "Default is \"ntsec\". CYGWIN=" + read -e _cygwin + fi + [ -z "${_cygwin}" ] && _cygwin="ntsec" + if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ] + then + if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" + then + echo + echo "The service has been installed under sshd_server account." + echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'." + fi + else + if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" + then + echo + echo "The service has been installed under LocalSystem account." + echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'." + fi + fi + fi + # Now check if sshd has been successfully installed. This allows to + # set the ownership of the affected files correctly. + if cygrunsrv -Q sshd > /dev/null 2>&1 + then + if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ] + then + _user="sshd_server" + else + _user="system" + fi + chown "${_user}" ${SYSCONFDIR}/ssh* + chown "${_user}".544 ${LOCALSTATEDIR}/empty + if [ -f ${LOCALSTATEDIR}/log/sshd.log ] + then + chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log + fi fi fi -fi - -if [ "${old_install}" = "1" ] -then - echo - echo "Note: If you have used sshd as service or from inetd, don't forget to" - echo " change the path to sshd.exe in the service entry or in inetd.conf." fi echo Index: ssh-user-config =================================================================== RCS file: /cvs/openssh_cvs/contrib/cygwin/ssh-user-config,v retrieving revision 1.2 diff -p -u -r1.2 ssh-user-config --- ssh-user-config 22 Aug 2003 08:43:48 -0000 1.2 +++ ssh-user-config 5 Nov 2003 16:11:37 -0000 @@ -1,9 +1,12 @@ #!/bin/sh # -# ssh-user-config, Copyright 2000, Red Hat Inc. +# ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc. # # This file is part of the Cygwin port of OpenSSH. +# Directory where the config files are stored +SYSCONFDIR=/etc + progname=$0 auto_answer="" auto_passphrase="no" @@ -33,6 +36,15 @@ request() fi } +# Check if running on NT +_sys="`uname -a`" +_nt=`expr "$_sys" : "CYGWIN_NT"` +# If running on NT, check if running under 2003 Server or later +if [ $_nt -gt 0 ] +then + _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'` +fi + # Check options while : @@ -84,27 +96,27 @@ done # Ask user if user identity should be generated -if [ ! -f /etc/passwd ] +if [ ! -f ${SYSCONFDIR}/passwd ] then - echo '/etc/passwd is nonexistant. Please generate an /etc/passwd file' + echo "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" echo 'first using mkpasswd. Check if it contains an entry for you and' echo 'please care for the home directory in your entry as well.' exit 1 fi uid=`id -u` -pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < /etc/passwd` +pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd` if [ "X${pwdhome}" = "X" ] then - echo 'There is no home directory set for you in /etc/passwd.' + echo "There is no home directory set for you in ${SYSCONFDIR}/passwd." echo 'Setting $HOME is not sufficient!' exit 1 fi if [ ! -d "${pwdhome}" ] then - echo "${pwdhome} is set in /etc/passwd as your home directory" + echo "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" echo 'but it is not a valid directory. Cannot create user identity files.' exit 1 fi @@ -114,7 +126,7 @@ fi if [ "X${pwdhome}" = "X/" ] then # But first raise a warning! - echo 'Your home directory in /etc/passwd is set to root (/). This is not recommended!' + echo "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!" if request "Would you like to proceed anyway?" then pwdhome='' @@ -123,6 +135,17 @@ then fi fi +if [ -d "${pwdhome}" -a $_nt -gt 0 -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ] +then + echo + echo 'WARNING: group and other have been revoked write permission to your home' + echo " directory ${pwdhome}." + echo ' This is required by OpenSSH to allow public key authentication using' + echo ' the key files stored in your .ssh subdirectory.' + echo ' Revert this change ONLY if you know what you are doing!' + echo +fi + if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ] then echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files." @@ -139,6 +162,21 @@ then fi fi +if [ $_nt -gt 0 ] +then + _user="system" + if [ $_nt2003 -gt 0 ] + then + grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && _user="sshd_server" + fi + if ! setfacl -m "u::rwx,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh" + then + echo "${pwdhome}/.ssh couldn't be given the correct permissions." + echo "Please try to solve this problem first." + exit 1 + fi +fi + if [ ! -f "${pwdhome}/.ssh/identity" ] then if request "Shall I create an SSH1 RSA identity file for you?" @@ -193,6 +231,18 @@ then echo "Adding to ${pwdhome}/.ssh/authorized_keys" cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys" fi + fi +fi + +if [ $_nt -gt 0 -a -e "${pwdhome}/.ssh/authorized_keys" ] +then + if ! setfacl -m "u::rw-,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh/authorized_keys" + then + echo + echo "WARNING: Setting correct permissions to ${pwdhome}/.ssh/authorized_keys" + echo "failed. Please care for the correct permissions. The minimum requirement" + echo "is, the owner and ${_user} both need read permissions." + echo fi fi -- Corinna Vinschen Cygwin Developer Red Hat, Inc. From dtucker at zip.com.au Thu Nov 6 09:26:22 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 06 Nov 2003 09:26:22 +1100 Subject: AIX patch for openssh-3.7.1p2 References: Message-ID: <3FA9790E.5464AB70@zip.com.au> Matt Richards wrote: > > >It looks like the AFS registry module doesn't support setpcred (along > >with loginsucess(), sigh). > > The AFS registry does support the loginsuccess and loginfailure (I have > done it in other applications), however there seems to be a bug in > setpcred/setauthdb which does not play nice with DCE. Interesting. We've had reports that when using the AFS registry, loginsuccess() does not return a "last logged in at [time]" message. I don't know if AFS supports such a concept (I've never used it), or if the AFS module just doesn't return it, or if it only happens in a specific configuration (eg DCE as you suggest). > >The loginfailed() test in configure is just there to figure out how many > >arguments it takes. It's still used (as long as WITH_AIXAUTHENTICATE is > >defined, see below) if the test fails. > > I understand this part, put there are two loginfailed tests in configure. > One is to test the existence of loginfailed and another to test how > many arguments it takes. The test for the arguments is never executed if > the loginfailed test fails. That's right. If there is no function prototype for loginfailed, then the test program will link OK regardless of how many arguments it should really be given. (Whether or not it would do anything sane if run is another matter). If loginfailed isn't defined in usersec.h then you are running an older AIX and your loginfailed takes 3 arguments. Trying the test program will *incorrectly* identify it as taking 4 arguments, so we don't. [snip] > I still believe that > conf_wtmp_location=/var/adm/wtmp > should still be added to the configure script. It is done that way for > Next. Why? What problem does this solve? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From Nick_Chi at manulife.com Mon Nov 3 15:29:22 2003 From: Nick_Chi at manulife.com (Nick_Chi at manulife.com) Date: Mon, 3 Nov 2003 12:29:22 +0800 Subject: Problem found in OpenSSH 3.7.1p2 with OpenSSL 0.9.7c installation on HP-UX11.0 Message-ID: Hi all, I found that OpenSSL 3.7.1p2 has problem with PAM (HP-UX) system (with setting of account deacticating by 3 invalid login attempts). User enters wrong password more than twice through SSH, his/her account will not be deactivated. User enters wrong password more than twice through FTP, his/her account will be deactivated . However, only further FTP session is blocked. SSH session can be established even the account is deactivated. Besides, I deactivate an account through SAM, both new FTP and SSH sessions will be blocked. I check that there is no such problem in OpenSSH 3.4p1. Any comments / suggestions? Thanks. Best Regards, Nick CHI Regional Technology Team, Regional I.T., I.T. Asia, Manulife International Limited Tel: (852) 2510 3273 Fax: (852) 2510 0244 Email: Nick_Chi at manulife.com ========================================================== This message is confidential and may also be privileged. If you are not the intended recipient, please notify me by return e-mail and delete this message from your system. If you are not the intended recipient, any use by you of this message is strictly prohibited. From nospam at magestower.net Thu Nov 6 23:59:42 2003 From: nospam at magestower.net (The Alchemist) Date: Thu, 06 Nov 2003 06:59:42 -0600 Subject: Problem found in OpenSSH 3.7.1p2 with OpenSSL 0.9.7c installation on HP-UX11.0 In-Reply-To: References: Message-ID: <3FAA45BE.5080200@magestower.net> *This message was transferred with a trial version of CommuniGate(tm) Pro* Are you using Darren's HP patches? Also, are these trusted or untrusted configurations? Nick_Chi at manulife.com wrote: >*This message was transferred with a trial version of CommuniGate(tm) Pro* >Hi all, > >I found that OpenSSL 3.7.1p2 has problem with PAM (HP-UX) system (with >setting of account deacticating by 3 invalid login attempts). > >User enters wrong password more than twice through SSH, his/her account >will not be deactivated. > >User enters wrong password more than twice through FTP, his/her account >will be deactivated . However, only further FTP session is blocked. SSH >session can be established even the account is deactivated. > >Besides, I deactivate an account through SAM, both new FTP and SSH sessions >will be blocked. > >I check that there is no such problem in OpenSSH 3.4p1. > >Any comments / suggestions? > >Thanks. > >Best Regards, > >Nick CHI >Regional Technology Team, >Regional I.T., >I.T. Asia, >Manulife International Limited >Tel: (852) 2510 3273 >Fax: (852) 2510 0244 >Email: Nick_Chi at manulife.com > >========================================================== > >This message is confidential and may also be privileged. If you are not >the intended recipient, please notify me by return e-mail and delete this >message from your system. If you are not the intended recipient, any use >by you of this message is strictly prohibited. > > >_______________________________________________ >openssh-unix-dev mailing list >openssh-unix-dev at mindrot.org >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > From matter at sover.net Fri Nov 7 01:11:41 2003 From: matter at sover.net (Matt Richards) Date: Thu, 6 Nov 2003 09:11:41 -0500 (EST) Subject: AIX patch for openssh-3.7.1p2 In-Reply-To: <3FA9790E.5464AB70@zip.com.au> Message-ID: >That's right. If there is no function prototype for loginfailed, then the >test program will link OK regardless of how many arguments it should >really be given. (Whether or not it would do anything sane if run is >another matter). >If loginfailed isn't defined in usersec.h then you are running an older >AIX and your loginfailed takes 3 arguments. Trying the test program will >*incorrectly* identify it as taking 4 arguments, so we don't. If seems that only AIX > 5.2.0.0 defines loginfailed in usersec.h, AIX < 5.2.0.0 does not. >> I still believe that >> conf_wtmp_location=/var/adm/wtmp >> should still be added to the configure script. It is done that way for >> Next. >> >> Why? What problem does this solve? Again, this seems related to the DCE/AFS/loginsuccess thing. If it worked, then this would not need to be needed. Thanks for spending time dealing with a pain like me. From Bagdoo.Jean at hydro.qc.ca Fri Nov 7 02:20:24 2003 From: Bagdoo.Jean at hydro.qc.ca (Bagdoo.Jean at hydro.qc.ca) Date: Thu, 6 Nov 2003 10:20:24 -0500 Subject: openssh-3.7.1p2 on HP-UX 10.20 Message-ID: <2D5048494293D411809800508BF900FC10F02BD5@msxcentral1.hydro.qc.ca> Hello, I have dowloaded all that is required to build a working OpenSSH on HP-UX 10.20 from the HP-UX Porting and Archibve centre (this seems to be the only way to go for 10.20). Make/install of all prerequisites has scucceeded. Now make of openssh-3.7.1p2 gives the following: gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/usr/local/openssl-0.9.7b/include -I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c getrrsetbyname.c getrrsetbyname.c: In function `getrrsetbyname': getrrsetbyname.c:191: warning: implicit declaration of function `res_init' getrrsetbyname.c:207: warning: implicit declaration of function `res_query' getrrsetbyname.c:265: `T_SIG' undeclared (first use in this function) getrrsetbyname.c:265: (Each undeclared identifier is reported only once getrrsetbyname.c:265: for each function it appears in.) getrrsetbyname.c: In function `parse_dns_response': getrrsetbyname.c:366: `HFIXEDSZ' undeclared (first use in this function) getrrsetbyname.c: In function `parse_dns_qsection': getrrsetbyname.c:437: warning: implicit declaration of function `dn_expand' *** Error exit code 1 Stop. *** Error exit code 1 Stop. Any clue? Thanks, Jean Bagdoo From mangoo at interia.pl Fri Nov 7 02:36:27 2003 From: mangoo at interia.pl (Tomasz Chmielewski) Date: Thu, 06 Nov 2003 16:36:27 +0100 Subject: SSH1 vs. SSH2 - compression level Message-ID: <3FAA6A7B.3040003@interia.pl> Hello, I was searching for this information virtually everywhere, but as I couldn't find it - I'm asking here. I was wondering, why setting the Compression Level was removed in SSH2, and if on, is always set to 6. In SSH1 it was possible to set the Compression Level from 1 to 9. I have made some tests with Compression Levels using scp: SSH1, compression 9 (highest available for SSH1), vs. SSH2, compression 6 (the only available for SSH2), and, no wonder, SSH1 *always* won, no matter if it was tar'red /etc (lots of txt files), a long pdf file, or even long avi file. Why not let the user what best suits him? Or maybe there is some way to turn it on in SSH2? Regards, Tomasz Chmielewski From jchen at pop500.gsfc.nasa.gov Fri Nov 7 03:21:10 2003 From: jchen at pop500.gsfc.nasa.gov (Jay Chen) Date: Thu, 06 Nov 2003 11:21:10 -0500 Subject: scp vs ftp performance on SGI IRIX???????? Message-ID: <5.2.1.1.0.20031106111924.02b76ec0@pop500.gsfc.nasa.gov> Hi, Running OpenSSH 3.5p1 or 3.7.1p2 on two SGI orgin 300 systems of IRIX 6.5.17 with 4 600MHz CPU and gigabits network. Transfer a 1GB file with ftp took 28 seconds. Transfer a 1GB file with scp took 148 seconds. Use "snoop" to capture all network packets between these two systems. Ftp tansmitted about 107840 packets, but scp transmitted about 763339 packets. Is this normal? Why? Also, did the same test on two IBM AIX 4.3.3 systems with 1 CPU and 10Mb network. Transfer a 1GB file with ftp took 1080 seconds Transfer a 1GB file with scp using blowfish took 1059 seconds. Ftp tansmitted about 207070 packets, but scp only transmitted only about 190290 packets. What a difference! Why? Thanks. Jay Chen From pasacki at sandia.gov Fri Nov 7 03:23:50 2003 From: pasacki at sandia.gov (Phil Sackinger) Date: Thu, 06 Nov 2003 09:23:50 -0700 Subject: scp vs ftp performance on SGI IRIX???????? In-Reply-To: <5.2.1.1.0.20031106111924.02b76ec0@pop500.gsfc.nasa.gov> References: <5.2.1.1.0.20031106111924.02b76ec0@pop500.gsfc.nasa.gov> Message-ID: <1068135830.13835.25.camel@sahp4671.sandia.gov> On Thu, 2003-11-06 at 09:21, Jay Chen wrote: > What a difference! Why? Coincidentally a topic of discussion recently on /. http://ask.slashdot.org/article.pl?sid=03/10/14/2134216&mode=nested&tid=126&tid=172&tid=95 From kumaresh_ind at gmx.net Fri Nov 7 03:26:48 2003 From: kumaresh_ind at gmx.net (Kumaresh) Date: Thu, 6 Nov 2003 21:56:48 +0530 Subject: openssh - problem displaying who command in shell References: <5.2.1.1.0.20031106111924.02b76ec0@pop500.gsfc.nasa.gov> Message-ID: <007a01c3a482$d0944eb0$230110ac@kurco> Hi All, In one of our HP-UX system, the display of the terminal settings is not working when I configure my .profile file with the shell command [who -Rm]. I use "who -Rm" in my .profile for root user. When I login thro ssh, sometimes, the current terminal details are not printed, when the shell [I am using ksh] commands in the .profile file is executed. When we introduce a sleep command in the profile file before this who command, all the time the current terminal details gets printed. Is this an issue with the sshd that the child reads the utmp entry before the tty and records are properly written to utmp? Do anyone shed some light, how we can avoid this? Advance Thanks, Kumaresh. ----- Original Message ----- From: "Jay Chen" To: Sent: Thursday, November 06, 2003 9:51 PM Subject: scp vs ftp performance on SGI IRIX???????? > Hi, > > Running OpenSSH 3.5p1 or 3.7.1p2 on two SGI orgin 300 systems of IRIX > 6.5.17 with > 4 600MHz CPU and gigabits network. > > Transfer a 1GB file with ftp took 28 seconds. > Transfer a 1GB file with scp took 148 seconds. > > Use "snoop" to capture all network packets between these two systems. Ftp > tansmitted > about 107840 packets, but scp transmitted about 763339 packets. > > Is this normal? Why? > > Also, did the same test on two IBM AIX 4.3.3 systems with 1 CPU and 10Mb > network. > > Transfer a 1GB file with ftp took 1080 seconds > Transfer a 1GB file with scp using blowfish took 1059 seconds. > Ftp tansmitted about 207070 packets, but scp only transmitted only about > 190290 packets. > > What a difference! Why? > > Thanks. > > Jay Chen > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.520 / Virus Database: 318 - Release Date: 9/18/2003 From mouring at etoh.eviladmin.org Fri Nov 7 03:45:46 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 6 Nov 2003 10:45:46 -0600 (CST) Subject: scp vs ftp performance on SGI IRIX???????? In-Reply-To: <5.2.1.1.0.20031106111924.02b76ec0@pop500.gsfc.nasa.gov> Message-ID: On Thu, 6 Nov 2003, Jay Chen wrote: > Hi, > > Running OpenSSH 3.5p1 or 3.7.1p2 on two SGI orgin 300 systems of IRIX > 6.5.17 with > 4 600MHz CPU and gigabits network. > > Transfer a 1GB file with ftp took 28 seconds. > Transfer a 1GB file with scp took 148 seconds. > Which protocol? v1 or v2? what encryption is used? [..] > > What a difference! Why? > Could be as simple as the AIX server may be better at number crunching and the IRIX box can't encrypt fast enough to keep up with the stream of data. Good example is comparing a SS20 150mhz with a Intel 586 150mhz. The SS20 even at the speed of 150mhz is extremely poor at doing encyption. It was shown clearly in early version of OpenSSH v2 key exchange where it would "hang" for up to a minute and half. The Intel box cranked it right out and was done in less than half the time. - Ben From dan at doxpara.com Fri Nov 7 04:31:08 2003 From: dan at doxpara.com (Dan Kaminsky) Date: Thu, 06 Nov 2003 18:31:08 +0100 Subject: scp vs ftp performance on SGI IRIX???????? In-Reply-To: References: Message-ID: <3FAA855C.7090909@doxpara.com> OpenSSH does not appear to be a CPU-bound process, i.e. it's not the crypto that's slowing us down. We should profile the SSH client and server to see where the bottleneck is. I've been meaning to do this for a while; I just know relatively little about bottleneck detection. --Dan From rick.jones2 at hp.com Fri Nov 7 06:27:40 2003 From: rick.jones2 at hp.com (Rick Jones) Date: Thu, 06 Nov 2003 11:27:40 -0800 Subject: scp vs ftp performance on SGI IRIX???????? References: <5.2.1.1.0.20031106111924.02b76ec0@pop500.gsfc.nasa.gov> Message-ID: <3FAAA0AC.D995D354@hp.com> Jay Chen wrote: > > Hi, > > Running OpenSSH 3.5p1 or 3.7.1p2 on two SGI orgin 300 systems of IRIX > 6.5.17 with > 4 600MHz CPU and gigabits network. > > Transfer a 1GB file with ftp took 28 seconds. > Transfer a 1GB file with scp took 148 seconds. > > Use "snoop" to capture all network packets between these two systems > . Ftp tansmitted about 107840 packets, but scp transmitted about > 763339 packets. So, 1GB is 1048576 KB. 1048576 KB divided by 107840 packets is 9956.8 bytes per packet. That seems rather odd because it is larger even than the bytes per packet I would expect if JumboFrame (9000 byte MTU) were enabled. Does Irix 6.5.17 do "large send" over the GbE NIC? Perhaps there is a "sendfile()-like" call in Irix 6.5.17 that the Irix FTP uses With the scp, that is more like 1406 bytes per packet, which is more consistent with an MTU of 1500 bytes. Or perhaps scp has some application-level block size - I can never remember the specifics of SSL !-( It is somewhat "consistent" that the case that sent ~7x the packets took ~7x the time. > Also, did the same test on two IBM AIX 4.3.3 systems with 1 CPU and > 10Mb network. > > Transfer a 1GB file with ftp took 1080 seconds > Transfer a 1GB file with scp using blowfish took 1059 seconds. > Ftp tansmitted about 207070 packets, but scp only transmitted only > about 190290 packets. In this case, it is showing >> 1460 bytes per packet which is I believe rather impossible for a 10Mb network - I don't think any 10 Mbit/s NICs do jumboframes and I'm confident that AIX 4.3.3 doesnot support large send - I believe that came-in with patches to AIX 5.mumble (it is one of the reasons IBM has the SPECweb scores they do) Now, if there is compression of some sort I suppose that might explain some of it. Any chance that either ftp or scp were compressing the data? It might be a good idea to take snapshots of the netstat statistics from before and after each transfer - it is possible that the snoop traces aren't getting all the packets. You can then run the before and after netstats through "beforeafter" which you can find at ftp://ftp.cup.hp.com/dist/networking/tools/ source is included and I suspect it would compile without too much trouble on Irix and AIX. rick jones -- Wisdom Teeth are impacted, people are affected by the effects of events. these opinions are mine, all mine; HP might not want them anyway... :) feel free to post, OR email to raj in cup.hp.com but NOT BOTH... From rick.jones2 at hp.com Fri Nov 7 06:33:03 2003 From: rick.jones2 at hp.com (Rick Jones) Date: Thu, 06 Nov 2003 11:33:03 -0800 Subject: scp vs ftp performance on SGI IRIX???????? References: Message-ID: <3FAAA1EF.2206E669@hp.com> > Could be as simple as the AIX server may be better at number crunching > and the IRIX box can't encrypt fast enough to keep up with the stream > of data. I suspect that the AIX box was network-bound - given there was a factor of 100 difference in the raw network speed available, I suspect there was quite a bit of idle time on the AIX system transfering with FTP and so plenty of cycles to be soaked-up by encryption. The Irix box was likely not network bound - 1GB of data in 28 seconds is ~36 MB/s, which suggests that either the Irix FTP didn't have a large enough TCP window, or it was already CPU bound on the FTP (since it was not doing GbE link-rate - and I'm ass-u-me-ing that the files were cached - if not cached, that could be a disc limit) I suspect there would have been fewer idle cycles waiting for the network, so the added overehead of encryption probably broke the cycle budget and either took the system even more CPU bound, or took it to a point of being CPU bound. rick jones -- Wisdom Teeth are impacted, people are affected by the effects of events. these opinions are mine, all mine; HP might not want them anyway... :) feel free to post, OR email to raj in cup.hp.com but NOT BOTH... From dtucker at zip.com.au Fri Nov 7 07:35:57 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 07 Nov 2003 07:35:57 +1100 Subject: scp vs ftp performance on SGI IRIX???????? References: <5.2.1.1.0.20031106111924.02b76ec0@pop500.gsfc.nasa.gov> Message-ID: <3FAAB0AD.3BF30999@zip.com.au> Jay Chen wrote: > Running OpenSSH 3.5p1 or 3.7.1p2 on two SGI orgin 300 systems of IRIX > 6.5.17 with > 4 600MHz CPU and gigabits network. > > Transfer a 1GB file with ftp took 28 seconds. > Transfer a 1GB file with scp took 148 seconds. > > Use "snoop" to capture all network packets between these two systems. Ftp > tansmitted > about 107840 packets, but scp transmitted about 763339 packets. Wild guess: does changing the shell pipe size (probably "ulimit -p") make any difference to scp? What's it set to by default? Also, do you have compression on or off? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From morty at frakir.org Fri Nov 7 08:02:06 2003 From: morty at frakir.org (Mordechai T. Abzug) Date: Thu, 6 Nov 2003 16:02:06 -0500 Subject: scp vs ftp performance on SGI IRIX???????? In-Reply-To: <3FAAA0AC.D995D354@hp.com> References: <5.2.1.1.0.20031106111924.02b76ec0@pop500.gsfc.nasa.gov> <3FAAA0AC.D995D354@hp.com> Message-ID: <20031106210206.GA11404@red-sonja.frakir.org> On Thu, Nov 06, 2003 at 11:27:40AM -0800, Rick Jones wrote: > So, 1GB is 1048576 KB. 1048576 KB divided by 107840 packets is > 9956.8 bytes per packet. That seems rather odd because it is larger > even than the bytes per packet I would expect if JumboFrame (9000 > byte MTU) were enabled. Where did the snoop run? If the snoop ran on one of the endpoints, it can interact with the actual data transfer. Dropped packets with sniffers are pretty normal, and under some OSs (don't know about IRIX), you can't rely on correct stats for dropped packets. Also, are the packet counts bidirectional or unidirectional -- ACKs matter. - Morty Abzug From dtucker at zip.com.au Fri Nov 7 09:04:53 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 07 Nov 2003 09:04:53 +1100 Subject: [openssh-commits] CVS: shitei.mindrot.org: openssh References: <20031106092751.84A7D27C189@shitei.mindrot.org> Message-ID: <3FAAC585.E2AF68F8@zip.com.au> Damien Miller wrote: > Log message: > - (djm) Clarify UsePAM consequences a little more Should go to 3.7.1 branch too? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From morty at frakir.org Sat Nov 8 08:21:59 2003 From: morty at frakir.org (Mordechai T. Abzug) Date: Fri, 7 Nov 2003 16:21:59 -0500 Subject: BUG: scp -q isn't quiet Message-ID: <20031107212159.GA2162@red-sonja.frakir.org> If I scp from/to a server that has a banner using scp -q, it still shows the banner. If I ssh -q to the same server, the banner is skipped. scp -o "LogLevel quiet" does the trick, but is excessively cumbersome. - Morty From djm at mindrot.org Sat Nov 8 08:26:26 2003 From: djm at mindrot.org (Damien Miller) Date: Fri, 07 Nov 2003 21:26:26 -0000 Subject: SSH1 vs. SSH2 - compression level In-Reply-To: <3FAA6A7B.3040003@interia.pl> References: <3FAA6A7B.3040003@interia.pl> Message-ID: <1068240628.28133.4.camel@sakura.mindrot.org> On Fri, 2003-11-07 at 02:36, Tomasz Chmielewski wrote: > Hello, > > I was searching for this information virtually everywhere, but as I > couldn't find it - I'm asking here. > > I was wondering, why setting the Compression Level was removed in SSH2, > and if on, is always set to 6. IIRC protocol 2 doesn't allow negotiation of compression levels, so we have to choose something. 6 is a good tradeoff between CPU and size. > In SSH1 it was possible to set the Compression Level from 1 to 9. > > I have made some tests with Compression Levels using scp: SSH1, > compression 9 (highest available for SSH1), vs. SSH2, compression 6 (the > only available for SSH2), and, no wonder, SSH1 *always* won, no matter > if it was tar'red /etc (lots of txt files), a long pdf file, or even > long avi file. I'm pretty surprised that compressionlevel made any difference with avi or pdf files, which are usually precompressed. Your speed differences were probably due to the fact that protocol 1 is more lightweight (crc instead of MAC, etc - thus also less secure). -d From dberezin at acs.rutgers.edu Sat Nov 8 09:07:36 2003 From: dberezin at acs.rutgers.edu (Dmitry Berezin) Date: Fri, 07 Nov 2003 17:07:36 -0500 Subject: Partial authentication Message-ID: <004901c3a57b$8d1aa540$5bd90680@rutgers.edu> Hello, I would like to bring up the topic of possibly including partial authentication functionality into OpneSSH again - it was discussed a few weeks ago. I believe that implementing auth vectors was suggested as a way to achieve this. The reasoning behind the need for partial auth is that there are cases when multiple methods of authentication are required for the user to be successfully authenticated (password and SecureID for example). I just want to find out if there are any active plans for building this, or if there is a decision not to include partial auth in OpenSSH. Thank you, -Dmitry. From markus at openbsd.org Mon Nov 10 20:36:09 2003 From: markus at openbsd.org (Markus Friedl) Date: Mon, 10 Nov 2003 10:36:09 +0100 Subject: SSH1 vs. SSH2 - compression level In-Reply-To: <3FAA6A7B.3040003@interia.pl> References: <3FAA6A7B.3040003@interia.pl> Message-ID: <20031110093609.GF780@folly> On Thu, Nov 06, 2003 at 04:36:27PM +0100, Tomasz Chmielewski wrote: > Or maybe there is some way to turn it on in SSH2? no, the protocol does not allow negotiation. From norm at computac.com Tue Nov 11 01:52:51 2003 From: norm at computac.com (Norm Fredrick) Date: Mon, 10 Nov 2003 09:52:51 -0500 Subject: Request for subsystem 'sftp' failed on channel 0 Message-ID: <003501c3a79a$519d2080$62e311ac@pc98> Hello, I installed OpenSSH_3.7p1 on 2 AIX 4.3.3 servers last week and had this problem on both of them. On the first server I finally re-installed the package and that fixed it. I tried re-installing it multiple times on the second server and still have the same issue. I have checked everything that I can think of and spent many hours looking for a solution. Both servers have the same csh.cshrc and csh.login files. I don't have a personal .cshrc file on either server. I have many more servers to install this on and would appreciate any help I can get to solve this issue. Thank you. Here is some of what I have and see: OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003 % sftp localhost Connecting to localhost... norm at localhost's password: Request for subsystem 'sftp' failed on channel 0 Connection closed % sftp -s /usr/local/libexec/sftp-server localhost Connecting to localhost... norm at localhost's password: sftp> % sftp -P /usr/local/libexec/sftp-server Attaching to /usr/local/libexec/sftp-server.. sftp> sshd_config: # override default of no subsystems Subsystem sftp /usr/local/libexec/sftp-server .login: #!/bin/csh set path = ( /usr/bin /etc /usr/sbin /usr/local/bin /usr/local/libexec /usr/ucb $HOME/bin /usr/bin/X11 /sbin . ) setenv MAIL "/var/spool/mail/$LOGNAME" setenv MAILMSG "[YOU HAVE NEW MAIL]" #if ( -f "$MAIL" && ! -z "$MAIL") then # echo "$MAILMSG" #endif csh.login: # If LC_MESSAGES is set to "C at lft" and TERM is not set to "lft", # unset LC_MESSAGES. if ($?LC_MESSAGES) then if ("$LC_MESSAGES" == "C at lft" && "$TERM" != "lft") then unsetenv LC_MESSAGES endif endif Norm Fredrick Computac Inc. Network Administrator 603-298-5721 603-298-6189 Fax From morty at frakir.org Tue Nov 11 06:31:12 2003 From: morty at frakir.org (Mordechai T. Abzug) Date: Mon, 10 Nov 2003 14:31:12 -0500 Subject: BUG: scp -q isn't quiet In-Reply-To: <3FAF71EA.D0CA9FE7@zip.com.au> References: <20031107212159.GA2162@red-sonja.frakir.org> <3FAF71EA.D0CA9FE7@zip.com.au> Message-ID: <20031110193112.GA15491@red-sonja.frakir.org> On Mon, Nov 10, 2003 at 10:09:30PM +1100, Darren Tucker wrote: > "Mordechai T. Abzug" wrote: > > > > If I scp from/to a server that has a banner using scp -q, it still > > shows the banner. If I ssh -q to the same server, the banner is > > skipped. scp -o "LogLevel quiet" does the trick, but is excessively > > cumbersome. > > Maybe scp should pass "-q" through to ssh like so? [snip patch] Yes, perfect. Thanks! Question: should suggestions like this one also / instead be sent to some openbsd list? - Morty From mouring at etoh.eviladmin.org Tue Nov 11 11:04:29 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 10 Nov 2003 18:04:29 -0600 (CST) Subject: BUG: scp -q isn't quiet In-Reply-To: <20031110193112.GA15491@red-sonja.frakir.org> Message-ID: On Mon, 10 Nov 2003, Mordechai T. Abzug wrote: > On Mon, Nov 10, 2003 at 10:09:30PM +1100, Darren Tucker wrote: > > "Mordechai T. Abzug" wrote: > > > > > > If I scp from/to a server that has a banner using scp -q, it still > > > shows the banner. If I ssh -q to the same server, the banner is > > > skipped. scp -o "LogLevel quiet" does the trick, but is excessively > > > cumbersome. > > > > Maybe scp should pass "-q" through to ssh like so? > > [snip patch] > > Yes, perfect. Thanks! > > Question: should suggestions like this one also / instead be sent to > some openbsd list? > Just make sure it is tagged in bugzilla.mindrot.org. Both portable and OpenBSD coders are on this list. - Ben From dopheide at ncsa.uiuc.edu Wed Nov 12 09:24:57 2003 From: dopheide at ncsa.uiuc.edu (Mike Dopheide) Date: Tue, 11 Nov 2003 16:24:57 -0600 (CST) Subject: AIX KRB5CCNAME problem Message-ID: I believe there is a bug in how AIX handles the KRB5CCNAME environment variable. The symptom occurs when a root user restarts sshd while they have KRB5CCNAME set; all of the resulting client connections will inherit the same KRB5CCNAME variable. This can occur if the admin uses 'ksu' or some other kerberized method of obtaining root privileges. Investigating this problem, I stumbled across some code in session.c that confused me a bit. This code exists in the OpenSSH source from at least as far back as 3.1 to the current source tree. On about line 1087 of session.c we see this: #ifdef _AIX { char *cp; if ((cp = getenv("AUTHSTATE")) != NULL) child_set_env(&env, &envsize, "AUTHSTATE", cp); if ((cp = getenv("KRB5CCNAME")) != NULL) child_set_env(&env, &envsize, "KRB5CCNAME", cp); read_environment_file(&env, &envsize, "/etc/environment"); } #endif It seems to me that this section of code takes the KRB5CCNAME from sshd (if it exists) and hands it off to the child. My question is, why would you ever want to do this? The next section of code is what confused me: #ifdef KRB5 if (s->authctxt->krb5_ticket_file) child_set_env(&env, &envsize, "KRB5CCNAME", s->authctxt->krb5_ticket_file); #endif This would appear to overwrite KRB5CCNAME with (I'm assuming) the correct value. For some reason it doesn't. Any thoughts on what I'm missing? -Mike From dtucker at zip.com.au Fri Nov 7 11:32:00 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 07 Nov 2003 11:32:00 +1100 Subject: SSH1 vs. SSH2 - compression level References: <3FAA6A7B.3040003@interia.pl> Message-ID: <3FAAE800.E61BFC8D@zip.com.au> Tomasz Chmielewski wrote: [snip] > I was wondering, why setting the Compression Level was removed in SSH2, > and if on, is always set to 6. Unless I read it wrong, the SSHv2 protocol standard does not provide a way to set the compression level [0]. I don't know why this is, perhaps someone else knows the reasoning behind it? See section 5.2 here: http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-17.txt Compare with the SSHv1 RFC: http://www.zip.com.au/~dtucker/openssh/ssh-rfc-v1.txt (see the description of the SSH_CMSG_REQUEST_COMPRESSION packet type). [0] Ignoring implementation-specific extensions, eg "zlib-1 at openssh.com" through "zlib-9 at openssh.com" or something. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Mon Nov 10 22:09:30 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 10 Nov 2003 22:09:30 +1100 Subject: BUG: scp -q isn't quiet References: <20031107212159.GA2162@red-sonja.frakir.org> Message-ID: <3FAF71EA.D0CA9FE7@zip.com.au> "Mordechai T. Abzug" wrote: > > If I scp from/to a server that has a banner using scp -q, it still > shows the banner. If I ssh -q to the same server, the banner is > skipped. scp -o "LogLevel quiet" does the trick, but is excessively > cumbersome. Maybe scp should pass "-q" through to ssh like so? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: scp.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/scp.c,v retrieving revision 1.110 diff -u -p -r1.110 scp.c --- scp.c 8 Oct 2003 08:27:36 -0000 1.110 +++ scp.c 10 Nov 2003 11:09:30 -0000 @@ -268,6 +268,7 @@ main(int argc, char **argv) break; case 'q': showprogress = 0; + addargs(&args, "-q"); break; /* Server options. */ From dtucker at zip.com.au Wed Nov 12 10:58:36 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 12 Nov 2003 10:58:36 +1100 Subject: AIX KRB5CCNAME problem References: Message-ID: <3FB177AC.DCC2A67C@zip.com.au> Mike Dopheide wrote: > > I believe there is a bug in how AIX handles the KRB5CCNAME environment > variable. The symptom occurs when a root user restarts sshd while they > have KRB5CCNAME set; all of the resulting client connections will inherit > the same KRB5CCNAME variable. This can occur if the admin uses 'ksu' or > some other kerberized method of obtaining root privileges. [snip] > On about line 1087 of session.c we see this: [snip code] > It seems to me that this section of code takes the KRB5CCNAME from sshd > (if it exists) and hands it off to the child. My question is, why would > you ever want to do this? I've never used Kerberos on AIX but I would guess that this is to handle the case where KRB5CCNAME is set by one of the modules called by the AIX's authenticate() function. It would seem that KRB5CCNAME should be cleared from the sshd's environment when it starts up to prevent the situation you're describing. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From markus at openbsd.org Wed Nov 12 19:51:51 2003 From: markus at openbsd.org (Markus Friedl) Date: Wed, 12 Nov 2003 09:51:51 +0100 Subject: SSH1 vs. SSH2 - compression level In-Reply-To: <3FAAE800.E61BFC8D@zip.com.au> References: <3FAA6A7B.3040003@interia.pl> <3FAAE800.E61BFC8D@zip.com.au> Message-ID: <20031112085151.GB17892@folly> On Fri, Nov 07, 2003 at 11:32:00AM +1100, Darren Tucker wrote: > [0] Ignoring implementation-specific extensions, eg "zlib-1 at openssh.com" > through "zlib-9 at openssh.com" or something. yes, but i don't think it's worth the trouble. From dtucker at zip.com.au Wed Nov 12 20:29:25 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 12 Nov 2003 20:29:25 +1100 Subject: Request for subsystem 'sftp' failed on channel 0 References: <003501c3a79a$519d2080$62e311ac@pc98> Message-ID: <3FB1FD75.10E37E4E@zip.com.au> Norm Fredrick wrote: > I installed OpenSSH_3.7p1 on 2 AIX 4.3.3 servers You may want to consider using 3.7.1p2 instead. [snip] > % sftp localhost > Connecting to localhost... > norm at localhost's password: > Request for subsystem 'sftp' failed on channel 0 > Connection closed Try running the server in debug mode, this may give some indication as to why the channel open failed. In one session, run (as root): # /usr/local/sbin/sshd -ddd -p 2022 and in another, run: $ sftp -o Port=2022 localhost If there's nothing obvious, post the output of sshd to the list. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From nickhychi at yahoo.com.hk Wed Nov 12 21:34:10 2003 From: nickhychi at yahoo.com.hk (=?big5?q?Nick=20Chi?=) Date: Wed, 12 Nov 2003 18:34:10 +0800 (CST) Subject: Problem found in OpenSSH 3.7.1p2 with OpenSSL 0.9.7c installation on HP-UX11.0 Message-ID: <20031112103410.36252.qmail@web21002.mail.yahoo.com> Dear Sir. I am using Darren's HP patches in order to solve some problem found in HP-UX platform. Thanks. Rgds, Nick CHI Regional Technology Team, Regional I.T., I.T. Asia, Manulife International Limited Tel: (852) 2510 3273 Fax: (852) 2510 0244 Email: Nick_Chi at manulife.com _________________________________________________________ Shining Friends??????????... ???? ???? http://ringtone.yahoo.com.hk/ From mouring at etoh.eviladmin.org Thu Nov 13 01:34:21 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 12 Nov 2003 08:34:21 -0600 (CST) Subject: SSH1 vs. SSH2 - compression level In-Reply-To: <20031112085151.GB17892@folly> Message-ID: On Wed, 12 Nov 2003, Markus Friedl wrote: > On Fri, Nov 07, 2003 at 11:32:00AM +1100, Darren Tucker wrote: > > [0] Ignoring implementation-specific extensions, eg "zlib-1 at openssh.com" > > through "zlib-9 at openssh.com" or something. > > yes, but i don't think it's worth the trouble. > Agree I think it would just cause confusion and people will be whining that it doese not work with other ssh servers. - Ben From dan at doxpara.com Thu Nov 13 04:13:19 2003 From: dan at doxpara.com (Dan Kaminsky) Date: Wed, 12 Nov 2003 09:13:19 -0800 Subject: SSH1 vs. SSH2 - compression level In-Reply-To: <20031112085151.GB17892@folly> References: <3FAA6A7B.3040003@interia.pl> <3FAAE800.E61BFC8D@zip.com.au> <20031112085151.GB17892@folly> Message-ID: <3FB26A2F.6030609@doxpara.com> Markus Friedl wrote: >On Fri, Nov 07, 2003 at 11:32:00AM +1100, Darren Tucker wrote: > > >>[0] Ignoring implementation-specific extensions, eg "zlib-1 at openssh.com" >>through "zlib-9 at openssh.com" or something. >> >> > >yes, but i don't think it's worth the trouble. > >_______________________________________________ >openssh-unix-dev mailing list >openssh-unix-dev at mindrot.org >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > Hmmm. Here's a neat trick, which we can only do because the compression implementations tend to be stable: If client supports compression, receive some amount of compressed data from them and recompress it ourselves, looking for the closest match between how large the client's version of the data is vs. how large ours is. If level 9 yields 50 bytes and level 1 yields 120 bytes, and we received a 120 byte compressed message, output all further messages at level 1. We can even create a sample message (of SSH type IGNORE) with content specifically tuned to result in different sizes for different compression levels. This would allow us to improve the consistency of the results. It'd be one heck of a stunt :) --Dan From Nick_Chi at manulife.com Fri Nov 7 12:39:04 2003 From: Nick_Chi at manulife.com (Nick_Chi at manulife.com) Date: Fri, 7 Nov 2003 09:39:04 +0800 Subject: Problem found in OpenSSH 3.7.1p2 with OpenSSL 0.9.7c installation on HP-UX11.0 Message-ID: Dear Sir. I am using Darren's HP patches. Thanks. Rgds, Nick CHI Regional Technology Team, Regional I.T., I.T. Asia, Manulife International Limited Tel: (852) 2510 3273 Fax: (852) 2510 0244 Email: Nick_Chi at manulife.com To: Nick_Chi at manulife.com The Alchemist cc: openssh-unix-dev at mindrot.org 0.9.7c installation on HP-UX11.0 11/06/2003 08:59 PM *This message was transferred with a trial version of CommuniGate(tm) Pro* Are you using Darren's HP patches? Also, are these trusted or untrusted configurations? Nick_Chi at manulife.com wrote: >*This message was transferred with a trial version of CommuniGate(tm) Pro* >Hi all, > >I found that OpenSSL 3.7.1p2 has problem with PAM (HP-UX) system (with >setting of account deacticating by 3 invalid login attempts). > >User enters wrong password more than twice through SSH, his/her account >will not be deactivated. > >User enters wrong password more than twice through FTP, his/her account >will be deactivated . However, only further FTP session is blocked. SSH >session can be established even the account is deactivated. > >Besides, I deactivate an account through SAM, both new FTP and SSH sessions >will be blocked. > >I check that there is no such problem in OpenSSH 3.4p1. > >Any comments / suggestions? > >Thanks. > >Best Regards, > >Nick CHI >Regional Technology Team, >Regional I.T., >I.T. Asia, >Manulife International Limited >Tel: (852) 2510 3273 >Fax: (852) 2510 0244 >Email: Nick_Chi at manulife.com > >========================================================== > >This message is confidential and may also be privileged. If you are not >the intended recipient, please notify me by return e-mail and delete this >message from your system. If you are not the intended recipient, any use >by you of this message is strictly prohibited. > > >_______________________________________________ >openssh-unix-dev mailing list >openssh-unix-dev at mindrot.org >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > ========================================================== This message is confidential and may also be privileged. If you are not the intended recipient, please notify me by return e-mail and delete this message from your system. If you are not the intended recipient, any use by you of this message is strictly prohibited. From r3r2 at yahoo.com Thu Nov 13 09:26:55 2003 From: r3r2 at yahoo.com (Ryan Robertson) Date: Wed, 12 Nov 2003 14:26:55 -0800 (PST) Subject: password aging Message-ID: <20031112222655.54472.qmail@web10801.mail.yahoo.com> I've compiled 3.7.1p2 on AIX 5.1 w/pam compiled in, but not enable in the sshd_config. Also applied Darrens 3.7.1p2 patch25. I am having issues w/password aging when maxage is set to anything >0. i dont believe this function was ever working (at least not in 3.5p1). Can anyone verify this? Thanks, Ryan __________________________________ Do you Yahoo!? Protect your identity with Yahoo! Mail AddressGuard http://antispam.yahoo.com/whatsnewfree From dtucker at zip.com.au Thu Nov 13 09:43:07 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 13 Nov 2003 09:43:07 +1100 Subject: password aging References: <20031112222655.54472.qmail@web10801.mail.yahoo.com> Message-ID: <3FB2B77B.661F4DA1@zip.com.au> Ryan Robertson wrote: > > I've compiled 3.7.1p2 on AIX 5.1 w/pam compiled in, > but not enable in the sshd_config. Also applied > Darrens 3.7.1p2 patch25. I am having issues w/password > aging when maxage is set to anything >0. i dont > believe this function was ever working (at least not > in 3.5p1). > Can anyone verify this? Does it work if compiled without PAM? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From sca at infini.com Thu Nov 13 00:31:00 2003 From: sca at infini.com (sca at infini.com) Date: Wed, 12 Nov 2003 11:31:00 -0200 Subject: implantation juridique a l etranger Message-ID: From dopheide at ncsa.uiuc.edu Thu Nov 13 12:03:37 2003 From: dopheide at ncsa.uiuc.edu (Mike Dopheide) Date: Wed, 12 Nov 2003 19:03:37 -0600 (CST) Subject: AIX KRB5CCNAME problem In-Reply-To: <3FB177AC.DCC2A67C@zip.com.au> Message-ID: In case anyone else was having this problem, I've submitted a patch to OpenSSH's Bugzilla (Bug #757). -Mike > Mike Dopheide wrote: > > > > I believe there is a bug in how AIX handles the KRB5CCNAME environment > > variable. The symptom occurs when a root user restarts sshd while they > > have KRB5CCNAME set; all of the resulting client connections will inherit > > the same KRB5CCNAME variable. This can occur if the admin uses 'ksu' or > > some other kerberized method of obtaining root privileges. > [snip] > > On about line 1087 of session.c we see this: > [snip code] > > It seems to me that this section of code takes the KRB5CCNAME from sshd > > (if it exists) and hands it off to the child. My question is, why would > > you ever want to do this? > > I've never used Kerberos on AIX but I would guess that this is to handle > the case where KRB5CCNAME is set by one of the modules called by the AIX's > authenticate() function. > > It would seem that KRB5CCNAME should be cleared from the sshd's > environment when it starts up to prevent the situation you're describing. > > -- From Stephan.Hendl at lds.brandenburg.de Thu Nov 13 18:17:10 2003 From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl) Date: Thu, 13 Nov 2003 08:17:10 +0100 Subject: Problem with 3.7.1p2 on Reliant Unix Message-ID: Hi Group, recently I upgraded to v 3.7.1p2 on Reliant Unix (former SINIX). With sser root everything works fine, but with a "normal" user the session terminates.. I put the logfile of the "sshd -dddd" at the end. What is wrong? regard Stephan --------------- debug2: read_server_config: filename /etc/sshd_config debug1: sshd version OpenSSH_3.7.1p2 debug1: private host key: #0 type 0 RSA1 debug3: Not a RSA1 key file /etc/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug3: Not a RSA1 key file /etc/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from 10.128.11.71 port 34100 debug1: Client protocol version 2.0; client software version OpenSSH_3.7.1p2 debug1: match: OpenSSH_3.7.1p2 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_3.7.1p2 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug2: dh_gen_key: priv key bits set: 124/256 debug2: bits set: 1568/3191 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug2: bits set: 1587/3191 debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user hendl service ssh-connection method none debug1: attempt 0 failures 0 debug3: allowed_user: today 12369 sp_expire -1 sp_lstchg 11954 sp_max -1 debug2: input_userauth_request: setting up authctxt for hendl debug2: input_userauth_request: try method none Failed none for hendl from 10.128.11.71 port 34100 ssh2 debug1: userauth-request for user hendl service ssh-connection method publickey debug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 2004/2000 (e=0/1) debug1: trying public key file /home/hendl/.ssh/authorized_keys debug3: secure_filename: checking '/home/hendl/.ssh' debug3: secure_filename: checking '/home/hendl' debug3: secure_filename: terminating check at '/home/hendl' debug1: matching key found: file /home/hendl/.ssh/authorized_keys, line 1 Found matching RSA key: 03:89:90:ee:9e:a9:2c:d1:00:6a:75:89:b7:de:8d:16 debug1: restore_uid: 0/1 debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Postponed publickey for hendl from 10.128.11.71 port 34100 ssh2 debug1: userauth-request for user hendl service ssh-connection method publickey debug1: attempt 2 failures 1 debug2: input_userauth_request: try method publickey debug1: temporarily_use_uid: 2004/2000 (e=0/1) debug1: trying public key file /home/hendl/.ssh/authorized_keys debug3: secure_filename: checking '/home/hendl/.ssh' debug3: secure_filename: checking '/home/hendl' debug3: secure_filename: terminating check at '/home/hendl' debug1: matching key found: file /home/hendl/.ssh/authorized_keys, line 1 Found matching RSA key: 03:89:90:ee:9e:a9:2c:d1:00:6a:75:89:b7:de:8d:16 debug1: restore_uid: 0/1 debug1: ssh_rsa_verify: signature correct debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa Accepted publickey for hendl from 10.128.11.71 port 34100 ssh2 debug1: Entering interactive session for SSH2. debug2: fd 3 setting O_NONBLOCK debug2: fd 8 setting O_NONBLOCK debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_channel_req: channel 0 request pty-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. debug1: session_pty_req: session 0 alloc /dev/pts/5 debug3: tty_parse_modes: SSH2 n_bytes 256 debug3: tty_parse_modes: ospeed 38400 debug3: tty_parse_modes: ispeed 38400 debug3: tty_parse_modes: 1 3 debug3: tty_parse_modes: 2 28 debug3: tty_parse_modes: 3 127 debug3: tty_parse_modes: 4 21 debug3: tty_parse_modes: 5 4 debug3: tty_parse_modes: 6 0 debug3: tty_parse_modes: 7 0 debug3: tty_parse_modes: 8 17 debug3: tty_parse_modes: 9 19 debug3: tty_parse_modes: 10 26 debug3: tty_parse_modes: 12 18 debug3: tty_parse_modes: 13 23 debug3: tty_parse_modes: 14 22 debug3: tty_parse_modes: 18 15 debug3: tty_parse_modes: 30 0 debug3: tty_parse_modes: 31 0 debug3: tty_parse_modes: 32 0 debug3: tty_parse_modes: 33 0 debug3: tty_parse_modes: 34 0 debug3: tty_parse_modes: 35 0 debug3: tty_parse_modes: 36 1 debug3: tty_parse_modes: 37 0 debug3: tty_parse_modes: 38 1 debug3: tty_parse_modes: 39 0 debug3: tty_parse_modes: 40 0 debug3: tty_parse_modes: 41 0 debug3: tty_parse_modes: 50 1 debug3: tty_parse_modes: 51 1 debug3: tty_parse_modes: 52 0 debug3: tty_parse_modes: 53 1 debug3: tty_parse_modes: 54 1 debug3: tty_parse_modes: 55 1 debug3: tty_parse_modes: 56 0 debug3: tty_parse_modes: 57 0 debug3: tty_parse_modes: 58 0 debug3: tty_parse_modes: 59 1 debug3: tty_parse_modes: 60 1 debug3: tty_parse_modes: 61 1 debug3: tty_parse_modes: 62 0 debug3: tty_parse_modes: 70 1 debug3: tty_parse_modes: 71 0 debug3: tty_parse_modes: 72 1 debug3: tty_parse_modes: 73 0 debug3: tty_parse_modes: 74 0 debug3: tty_parse_modes: 75 0 debug3: tty_parse_modes: 90 1 debug3: tty_parse_modes: 91 1 debug3: tty_parse_modes: 92 0 debug3: tty_parse_modes: 93 0 debug1: server_input_channel_req: channel 0 request shell reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req shell setsid: Not owner debug1: Received SIGCHLD. debug2: fd 4 setting TCP_NODELAY debug2: fd 10 setting O_NONBLOCK debug2: fd 9 is O_NONBLOCK debug2: notify_done: reading debug1: session_by_pid: pid 15341 debug1: session_exit_message: session 0 channel 0 pid 15341 debug2: channel 0: request exit-status debug1: session_exit_message: release channel 0 debug2: channel 0: write failed debug2: channel 0: close_write debug2: channel 0: output open -> closed debug1: session_close: session 0 pid 15341 debug1: session_pty_cleanup: session 0 release /dev/pts/5 debug2: channel 0: read<=0 rfd 10 len 0 debug2: channel 0: read failed debug2: channel 0: close_read debug2: channel 0: input open -> drain debug2: channel 0: ibuf empty debug2: channel 0: send eof debug2: channel 0: input drain -> closed debug2: channel 0: send close debug3: channel 0: will not send data after close debug2: channel 0: rcvd close debug3: channel 0: will not send data after close debug2: channel 0: is dead debug2: channel 0: garbage collecting debug1: channel 0: free: server-session, nchannels 1 debug3: channel 0: status: The following connections are open: #0 server-session (t4 r0 i3/0 o3/0 fd -1/-1) debug3: channel 0: close_fds r -1 w -1 e -1 Connection closed by 10.128.11.71 Closing connection to 10.128.11.71 Dr. Stephan Hendl Systemmanagement ----------------------------------- Landesbetrieb f?r Datenverarbeitung und Statistik Land Brandenburg Adresse: 14467 Potsdam, Dortustr. 46 Telefon: +49-(0)331 39-471 Fax: +49-(0)331 27548-1187 Mobil: +49-(0)160 90 645 893 EMail: Stephan.Hendl at lds.brandenburg.de Internet: http://www.lds-bb.de From dtucker at zip.com.au Thu Nov 13 18:48:46 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 13 Nov 2003 18:48:46 +1100 Subject: Problem with 3.7.1p2 on Reliant Unix References: Message-ID: <3FB3375E.50041411@zip.com.au> Stephan Hendl wrote: > recently I upgraded to v 3.7.1p2 on Reliant Unix (former SINIX). With > sser root everything works fine, but with a "normal" user the session > terminates.. I put the logfile of the "sshd -dddd" at the end. What is > wrong? There were several changes after 3.7.1p2 relating to Reliant Unix. Please try a snapshot: http://www.openssh.com/portable.html#mirrors Alternatively, add these to config.h and rebuild (just "make", don't run configure again). #define SETEUID_BREAKS_SETUID 1 #define AC_DEFINE(BROKEN_SETREUID 1 #define BROKEN_SETREGID 1 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Thu Nov 13 20:49:38 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 13 Nov 2003 20:49:38 +1100 Subject: [PATCH] Make PAM chauthtok_conv function into tty_conv Message-ID: <3FB353B2.87158E0A@zip.com.au> Hi All. Attached is a patch that converts pam_chauthtok_conv into a generic pam_tty_conv, which is used rather than null_conv for do_pam_session. This allows, for example, display of messages from PAM session modules. The accumulation of PAM messages into loginmsg won't help until there is a way to collect loginmsg from the monitor (see, eg, the patches for bug #463). This is because the authentication is postponed and the messages will be collected after the post-auth privsep split. Comments? OK? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: auth-pam.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v retrieving revision 1.78 diff -u -p -r1.78 auth-pam.c --- auth-pam.c 13 Nov 2003 08:52:31 -0000 1.78 +++ auth-pam.c 13 Nov 2003 09:35:56 -0000 @@ -52,6 +52,8 @@ RCSID("$Id: auth-pam.c,v 1.78 2003/11/13 #include "auth-options.h" extern ServerOptions options; +extern Buffer loginmsg; +extern int compat20; #define __unused @@ -421,13 +423,9 @@ sshpam_query(void *ctx, char **name, cha case PAM_AUTH_ERR: if (**prompts != NULL) { /* drain any accumulated messages */ -#if 0 /* XXX - not compatible with privsep */ - packet_start(SSH2_MSG_USERAUTH_BANNER); - packet_put_cstring(**prompts); - packet_put_cstring(""); - packet_send(); - packet_write_wait(); -#endif + debug("%s: %s", __func__, **prompts); + buffer_append(&loginmsg, **prompts, + strlen(**prompts)); xfree(**prompts); **prompts = NULL; } @@ -551,21 +549,6 @@ do_pam_account(void) } void -do_pam_session(void) -{ - sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, - (const void *)&null_conv); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: failed to set PAM_CONV: %s", - pam_strerror(sshpam_handle, sshpam_err)); - sshpam_err = pam_open_session(sshpam_handle, 0); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: pam_open_session(): %s", - pam_strerror(sshpam_handle, sshpam_err)); - sshpam_session_open = 1; -} - -void do_pam_set_tty(const char *tty) { if (tty != NULL) { @@ -611,7 +594,7 @@ is_pam_password_change_required(void) } static int -pam_chauthtok_conv(int n, const struct pam_message **msg, +pam_tty_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *data) { char input[PAM_MAX_MSG_SIZE]; @@ -620,7 +603,7 @@ pam_chauthtok_conv(int n, const struct p *resp = NULL; - if (n <= 0 || n > PAM_MAX_NUM_MSG) + if (n <= 0 || n > PAM_MAX_NUM_MSG || !isatty(STDIN_FILENO)) return (PAM_CONV_ERR); if ((reply = malloc(n * sizeof(*reply))) == NULL) @@ -662,6 +645,8 @@ pam_chauthtok_conv(int n, const struct p return (PAM_CONV_ERR); } +static struct pam_conv tty_conv = { pam_tty_conv, NULL }; + /* * XXX this should be done in the authentication phase, but ssh1 doesn't * support that @@ -669,15 +654,10 @@ pam_chauthtok_conv(int n, const struct p void do_pam_chauthtok(void) { - struct pam_conv pam_conv; - - pam_conv.conv = pam_chauthtok_conv; - pam_conv.appdata_ptr = NULL; - if (use_privsep) fatal("Password expired (unable to change with privsep)"); sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, - (const void *)&pam_conv); + (const void *)&tty_conv); if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_CONV: %s", pam_strerror(sshpam_handle, sshpam_err)); @@ -686,6 +666,21 @@ do_pam_chauthtok(void) if (sshpam_err != PAM_SUCCESS) fatal("PAM: pam_chauthtok(): %s", pam_strerror(sshpam_handle, sshpam_err)); +} + +void +do_pam_session(void) +{ + sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, + (const void *)&tty_conv); + if (sshpam_err != PAM_SUCCESS) + fatal("PAM: failed to set PAM_CONV: %s", + pam_strerror(sshpam_handle, sshpam_err)); + sshpam_err = pam_open_session(sshpam_handle, 0); + if (sshpam_err != PAM_SUCCESS) + fatal("PAM: pam_open_session(): %s", + pam_strerror(sshpam_handle, sshpam_err)); + sshpam_session_open = 1; } /* From dtucker at zip.com.au Thu Nov 13 21:01:38 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 13 Nov 2003 21:01:38 +1100 Subject: [PATCH] Perform do_pam_chauthtok via SSH2 keyboard-interactive. Message-ID: <3FB35682.11F79072@zip.com.au> Hi All. Attached is a patch to perform pam_chauthtok via SSH2 keyboard-interactive. It should be simpler, but since Solaris seems to ignore the CHANGE_EXPIRED_AUTHTOK flag, it calls do_pam_account to check if it's expired. To minimise the change in behaviour, it also caches the result so pam_acct_mgmt still only gets called once. This doesn't seem to work on AIX 5.2, I don't know why. Works OK for me on Redhat, Solaris & HP-UX. I'm interested in reports of success or otherwise. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: acconfig.h =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/acconfig.h,v retrieving revision 1.168 diff -u -p -r1.168 acconfig.h --- acconfig.h 15 Oct 2003 06:57:57 -0000 1.168 +++ acconfig.h 13 Nov 2003 09:02:50 -0000 @@ -424,6 +424,9 @@ /* Define if HEADER.ad exists in arpa/nameser.h */ #undef HAVE_HEADER_AD +/* Define to disable pam_chauthtok via keyboard-interactive authentication */ +#undef DISABLE_KBDINT_CHAUTHTOK + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ Index: auth-pam.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v retrieving revision 1.78 diff -u -p -r1.78 auth-pam.c --- auth-pam.c 13 Nov 2003 08:52:31 -0000 1.78 +++ auth-pam.c 13 Nov 2003 09:02:24 -0000 @@ -52,6 +52,8 @@ RCSID("$Id: auth-pam.c,v 1.78 2003/11/13 #include "auth-options.h" extern ServerOptions options; +extern Buffer loginmsg; +extern int compat20; #define __unused @@ -117,6 +119,7 @@ static int sshpam_authenticated = 0; static int sshpam_new_authtok_reqd = 0; static int sshpam_session_open = 0; static int sshpam_cred_established = 0; +static int sshpam_account_status = -1; struct pam_ctxt { sp_pthread_t pam_thread; @@ -231,6 +234,17 @@ sshpam_thread(void *ctxtp) sshpam_err = pam_authenticate(sshpam_handle, 0); if (sshpam_err != PAM_SUCCESS) goto auth_fail; +#ifndef DISABLE_KBDINT_CHAUTHTOK + if (compat20) { + if (do_pam_account() && sshpam_new_authtok_reqd) { + sshpam_err = pam_chauthtok(sshpam_handle, + PAM_CHANGE_EXPIRED_AUTHTOK); + if (sshpam_err != PAM_SUCCESS) + goto auth_fail; + sshpam_new_authtok_reqd = 0; /* XXX: reset fwd flags */ + } + } +#endif buffer_put_cstring(&buffer, "OK"); ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer); buffer_free(&buffer); @@ -532,11 +546,16 @@ finish_pam(void) u_int do_pam_account(void) { + if (sshpam_account_status != -1) + return (sshpam_account_status); + sshpam_err = pam_acct_mgmt(sshpam_handle, 0); debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err); - if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) - return (0); + if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { + sshpam_account_status = 0; + return (sshpam_account_status); + } if (sshpam_err == PAM_NEW_AUTHTOK_REQD) { sshpam_new_authtok_reqd = 1; @@ -547,7 +566,8 @@ do_pam_account(void) no_x11_forwarding_flag |= 2; } - return (1); + sshpam_account_status = 1; + return (sshpam_account_status); } void Index: configure.ac =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v retrieving revision 1.173 diff -u -p -r1.173 configure.ac --- configure.ac 15 Oct 2003 06:57:57 -0000 1.173 +++ configure.ac 13 Nov 2003 09:00:50 -0000 @@ -105,6 +105,7 @@ case "$host" in AC_DEFINE(DISABLE_LASTLOG) AC_DEFINE(LOGIN_NEEDS_UTMPX) AC_DEFINE(SPT_TYPE,SPT_REUSEARGV) + AC_DEFINE(DISABLE_KBDINT_CHAUTHTOK) ;; *-*-cygwin*) check_for_libcrypt_later=1 From dan at D00M.integrate.com.ru Fri Nov 14 00:11:33 2003 From: dan at D00M.integrate.com.ru (Dan Yefimov) Date: Thu, 13 Nov 2003 16:11:33 +0300 (MSK) Subject: password aging In-Reply-To: <20031112222655.54472.qmail@web10801.mail.yahoo.com> Message-ID: On Wed, 12 Nov 2003, Ryan Robertson wrote: > I've compiled 3.7.1p2 on AIX 5.1 w/pam compiled in, > but not enable in the sshd_config. Also applied > Darrens 3.7.1p2 patch25. I am having issues w/password > aging when maxage is set to anything >0. i dont > believe this function was ever working (at least not > in 3.5p1). > Can anyone verify this? > Please describe your problem in details. What exactly issues are you experiencing? The thing is that I have problems with password aging in stock openssh 3.7.1p2 with pam support both compiled in and enabled. When yser whose password has expired tries to log in the connection is being closed immediately after he enters his password. System logs contain messages as follows. Nov 5 18:48:51 pokemon sshd(pam_unix)[25216]: password - (old) token not obtained Nov 5 18:48:51 pokemon sshd[25216]: fatal: PAM: pam_chauthtok(): Authentication token manipulation error -- Sincerely Your, Dan. From jakob at openbsd.org Fri Nov 14 01:57:49 2003 From: jakob at openbsd.org (Jakob Schlyter) Date: Thu, 13 Nov 2003 08:57:49 -0600 (CST) Subject: sshfp (ssh+dns) code updated Message-ID: hi, I recently committed an update of the code that handles lookup of SSHFP resource records in DNS. this code is now included by default, the old DNS and DNSSEC defines has been removed. for more information, read about VerifyHostKeyDNS in ssh_config(5) and check out README.dns. feedback would be appreciated, jakob From peteflugstad at mchsi.com Fri Nov 14 02:22:10 2003 From: peteflugstad at mchsi.com (Pete Flugstad) Date: Thu, 13 Nov 2003 09:22:10 -0600 Subject: corrupt client keys question Message-ID: <3FB3A1A2.5070107@mchsi.com> summary: I have a situation in which a private RSA key has been corrupted, but it's still possible to log into a SSH server using that file. This is with OpenSSH 3.6.1p2 Debian. I have a SSH public/private key pair generated with "ssh-keygen -t rsa". I can use the private key to successfully log into a SSH server which has the public key in it's the authorized_keys file. I can also make a copy of the SSH private key, edit the file and change some characters, such as making them lowercase. Assuming that the ssh client will still read the file (which depends on where the file is corrupted) I can still use this corrupted file and STILL successfully log into the SSH server. Running openssl rsa -check on the corrupted private confirms it's corrupt: > $ openssl rsa -in rsa-corrupt1 -check > RSA key error: dmp1 not congruent to d > ... > $ I can understand the SSH client not checking that the private key is valid, but I would expect that this would be uncovered when the SSH server attempts to verify the signature? Anyone got a clue on how this is working, or am I just getting lucky on which part of the SSH private key I corrupt is not used for the signature? Thanks, Pete Flugstad From fischerdk at purefm.net Fri Nov 14 04:48:22 2003 From: fischerdk at purefm.net (Douglas K. Fischer) Date: Thu, 13 Nov 2003 12:48:22 -0500 Subject: password aging In-Reply-To: References: <20031112222655.54472.qmail@web10801.mail.yahoo.com> Message-ID: <6.0.1.1.0.20031113124344.031053c0@mailbox.purefm.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 3.7.1p2 with PrivSep and PAM. Users no longer receive notice in the 7 days prior to password expiration, and once their password expires, they are unable to login. As soon as they enter their password the SSH connection is terminated with the following in /var/log/secure: Oct 28 14:50:47 dumbledore sshd[1677]: fatal: Password expired (unable to change with privsep) I haven't bothered to investigate this further yet, not high enough in my priority queue. FWIW, Doug At 08:11 AM 11/13/2003, Dan Yefimov wrote: >On Wed, 12 Nov 2003, Ryan Robertson wrote: > > > I've compiled 3.7.1p2 on AIX 5.1 w/pam compiled in, > > but not enable in the sshd_config. Also applied > > Darrens 3.7.1p2 patch25. I am having issues w/password > > aging when maxage is set to anything >0. i dont > > believe this function was ever working (at least not > > in 3.5p1). > > Can anyone verify this? > > >Please describe your problem in details. What exactly issues are you >experiencing? The thing is that I have problems with password aging in stock >openssh 3.7.1p2 with pam support both compiled in and enabled. When yser >whose >password has expired tries to log in the connection is being closed >immediately >after he enters his password. System logs contain messages as follows. > >Nov 5 18:48:51 pokemon sshd(pam_unix)[25216]: password - (old) token not >obtained >Nov 5 18:48:51 pokemon sshd[25216]: fatal: PAM: pam_chauthtok(): >Authentication >token manipulation error >-- > > Sincerely Your, Dan. > >_______________________________________________ >openssh-unix-dev mailing list >openssh-unix-dev at mindrot.org >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev >------------------------------------------------------------ > >This email, and any included attachments, have been checked >by Norton AntiVirus Corporate Edition (Version 8.0), AVG >Email Server Edition 7.0, and Merak Email Server Integrated >Antivirus (Alwil Software's aVast! engine) and is certified >Virus Free. -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use iQA/AwUBP7PD5p938qfSpraDEQKV9wCeOQBMGjcDLhK7PzRMJ1NeuydJkOYAniPF Ta7wvPIyp0h/dJB5eo5tUQ+p =S1MN -----END PGP SIGNATURE----- ------------------------------------------------------------ This email, and any included attachments, have been checked by Norton AntiVirus Corporate Edition (Version 8.0), AVG Email Server Edition 7.0, and Merak Email Server Integrated Antivirus (Alwil Software's aVast! engine) and is certified Virus Free. From dan at D00M.integrate.com.ru Fri Nov 14 05:24:36 2003 From: dan at D00M.integrate.com.ru (Dan Yefimov) Date: Thu, 13 Nov 2003 21:24:36 +0300 (MSK) Subject: password aging In-Reply-To: <6.0.1.1.0.20031113124344.031053c0@mailbox.purefm.net> Message-ID: On Thu, 13 Nov 2003, Douglas K. Fischer wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > 3.7.1p2 with PrivSep and PAM. Users no longer receive notice in the 7 days > prior to password expiration, and once their password expires, they are > unable to login. As soon as they enter their password the SSH connection is > terminated with the following in /var/log/secure: > > Oct 28 14:50:47 dumbledore sshd[1677]: fatal: Password expired (unable to > change with privsep) > > I haven't bothered to investigate this further yet, not high enough in my > priority queue. > Unfortunately changing expired password doesn't work with privilege separation enabled. Despite for 'UsePAM no' setting PAM is still used because of challenge-response authentication enabled. Even more, without PAM support compiled in sshd doesn't support password aging mechanism. So the only way to make password aging work (of course, if you still want it) is disabling privilege separation. If you choose to not use password aging in sshd you should disable challenge-response authentication. -- Sincerely Your, Dan. From Darxus at ChaosReigns.com Fri Nov 14 05:36:36 2003 From: Darxus at ChaosReigns.com (Darxus at ChaosReigns.com) Date: Thu, 13 Nov 2003 13:36:36 -0500 Subject: failure to attempt protocol v1 connection with v1 key Message-ID: <20031113183636.GQ29327@chaosreigns.com> If I do ssh -i /home/darxus/.ssh/somekey user at host Where somekey is an rsa1 key, and host is only running ssh protocol 1, it fails to connect with "Permission denied (publickey).". 1) I think the specified v1 key should encourage ssh to try v1. 2) I think, if v2 fails, it should try v1. This works when I add the "-1" argument. -- "I don't want people who want to dance, I want people who have to dance." --George Balanchine http://www.ChaosReigns.com From jmknoble at pobox.com Fri Nov 14 06:50:12 2003 From: jmknoble at pobox.com (Jim Knoble) Date: Thu, 13 Nov 2003 14:50:12 -0500 Subject: corrupt client keys question In-Reply-To: <3FB3A1A2.5070107@mchsi.com> References: <3FB3A1A2.5070107@mchsi.com> Message-ID: <20031113195012.GL18604@crawfish.ais.com> Circa 2003-11-13 09:22:10 -0600 dixit Pete Flugstad: : summary: I have a situation in which a private RSA key has been : corrupted, but it's still possible to log into a SSH server using that : file. This is with OpenSSH 3.6.1p2 Debian. : : I have a SSH public/private key pair generated with "ssh-keygen -t : rsa". I can use the private key to successfully log into a SSH server : which has the public key in it's the authorized_keys file. : : I can also make a copy of the SSH private key, edit the file and : change some characters, such as making them lowercase. Assuming that : the ssh client will still read the file (which depends on where the : file is corrupted) I can still use this corrupted file and STILL : successfully log into the SSH server. : : Running openssl rsa -check on the corrupted private confirms it's corrupt: : : > $ openssl rsa -in rsa-corrupt1 -check : > RSA key error: dmp1 not congruent to d : > ... : > $ : : I can understand the SSH client not checking that the private key is : valid, but I would expect that this would be uncovered when the SSH : server attempts to verify the signature? : : Anyone got a clue on how this is working, or am I just getting lucky : on which part of the SSH private key I corrupt is not used for the : signature? You sure you're not running ssh-agent with the (uncorrupted) key added to it? Can you reproduce this behavior on a -t rsa key that has a passphrase? -- jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) "We have guided missiles and misguided men." --Martin Luther King, Jr. From tim at multitalents.net Fri Nov 14 07:02:14 2003 From: tim at multitalents.net (Tim Rice) Date: Thu, 13 Nov 2003 12:02:14 -0800 (PST) Subject: Problem with 3.7.1p2 on Reliant Unix In-Reply-To: <3FB3375E.50041411@zip.com.au> References: <3FB3375E.50041411@zip.com.au> Message-ID: On Thu, 13 Nov 2003, Darren Tucker wrote: > Alternatively, add these to config.h and rebuild (just "make", don't run > configure again). > > #define SETEUID_BREAKS_SETUID 1 > #define AC_DEFINE(BROKEN_SETREUID 1 That should have been #define BROKEN_SETREUID 1 > #define BROKEN_SETREGID 1 -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From dtucker at zip.com.au Fri Nov 14 07:47:34 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 14 Nov 2003 07:47:34 +1100 Subject: password aging References: Message-ID: <3FB3EDE6.F7520BC6@zip.com.au> Dan Yefimov wrote: [snip] > Unfortunately changing expired password doesn't work with privilege separation > enabled. Despite for 'UsePAM no' setting PAM is still used because of > challenge-response authentication enabled. Even more, without PAM support > compiled in sshd doesn't support password aging mechanism. So the only way to > make password aging work (of course, if you still want it) is disabling > privilege separation. If you choose to not use password aging in sshd you should > disable challenge-response authentication. You could also try one of the password expiry patches here: http://www.zip.com.au/~dtucker/openssh/ Coincidentally, I posted a small patch yesterday that does PAM password aging via SSH2 keyboard-interactive. http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106871866607969 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dbender at umn.edu Fri Nov 14 07:47:46 2003 From: dbender at umn.edu (Dave Bender) Date: Thu, 13 Nov 2003 14:47:46 -0600 Subject: User-specific settings Message-ID: A non-text attachment was scrubbed... Name: smime.p7m Type: application/pkcs7-mime Size: 4718 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20031113/7a41a9f1/attachment.p7c From r3r2 at yahoo.com Fri Nov 14 08:00:38 2003 From: r3r2 at yahoo.com (Ryan Robertson) Date: Thu, 13 Nov 2003 13:00:38 -0800 (PST) Subject: password aging In-Reply-To: Message-ID: <20031113210038.49381.qmail@web10804.mail.yahoo.com> Actually, I stand corrected: I was accidentally running the older version of sshd instead of the one i was compiling. I did verify that both patch 24&25 do respect password aging. To clarify I was trying to login as a user that i knew had a password which was more than one week old. In theory AIX is supposed to lock you out if maxage=1, but it (sshd 3.5) didnt. Now if you have maxage=2, one week prior to your password expiring, it will remind you. Thanks again, Ryan __________________________________ Do you Yahoo!? Protect your identity with Yahoo! Mail AddressGuard http://antispam.yahoo.com/whatsnewfree From dbender at umn.edu Fri Nov 14 08:09:07 2003 From: dbender at umn.edu (Dave Bender) Date: Thu, 13 Nov 2003 15:09:07 -0600 Subject: User-specific settings Message-ID: Synopsis: I've got two identical users on one machine. User 1 can set up a password-less connection to another machine; User 2 cannot. As best I can tell, both users are doing identical setup. Is there something else that's user-specfic that might be causing this? The steps I'm taking: rm -rf ~/.ssh cd ~/.ssh ssh-keygen -t dsa cat id_dsa.pub copy and paste to machine 2, ~/.ssh/authorized_keys2 from machine1 this command: ssh pwd will give give me the results of the pwd command when run by user 1. When run by user 2, it prompts for a password. Here's a portion of the debug (-vvv) output from the user who gets the password prompt: ... debug1: authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: next auth method to try is publickey debug1: try privkey: /opt/home/user2/.ssh/identity debug3: no such identity: /opt/home/user2/.ssh/identity debug1: try privkey: /opt/home/user2/.ssh/id_rsa debug3: no such identity: /opt/home/user2/.ssh/id_rsa debug1: try pubkey: /opt/home/user2/.ssh/id_dsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: authentications that can continue: publickey,password,keyboard-interactive debug2: we did not send a packet, disable method debug3: authmethod_lookup keyboard-interactive debug3: remaining preferred: password ... Any help would be great. Dave From mouring at etoh.eviladmin.org Fri Nov 14 08:14:36 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 13 Nov 2003 15:14:36 -0600 (CST) Subject: User-specific settings In-Reply-To: Message-ID: Do you care to repost this in something that is READABLE and not as some hacked up s/mime document? - Ben On Thu, 13 Nov 2003, Dave Bender wrote: [NON-Text Body part not included] From stuge-openssh-unix-dev at cdy.org Fri Nov 14 10:27:22 2003 From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Fri, 14 Nov 2003 00:27:22 +0100 Subject: User-specific settings In-Reply-To: References: Message-ID: <20031113232720.GA32161@foo.birdnet.se> On Thu, Nov 13, 2003 at 03:09:07PM -0600, Dave Bender wrote: > copy and paste to machine 2, ~/.ssh/authorized_keys2 authorized_keys2 was removed a couple of versions ago. Use authorized_keys instead. //Peter From peteflugstad at mchsi.com Fri Nov 14 11:07:38 2003 From: peteflugstad at mchsi.com (Pete Flugstad) Date: Thu, 13 Nov 2003 18:07:38 -0600 Subject: corrupt client keys question In-Reply-To: <20031113195012.GL18604@crawfish.ais.com> References: <3FB3A1A2.5070107@mchsi.com> <20031113195012.GL18604@crawfish.ais.com> Message-ID: <3FB41CCA.9070100@mchsi.com> Jim Knoble wrote: > You sure you're not running ssh-agent with the (uncorrupted) key added > to it? yes, no SSH-agent running. > Can you reproduce this behavior on a -t rsa key that has a passphrase? Seems I can, which really scares me. Here are the files I'm working with. rsa-pass is freshly generated with "ssh-keygen -t rsa" and I used a passphrase (not a good one, but I used one): > [pete at taz tmp]$ ll > total 16 > -rw------- 1 pete pete 963 Nov 13 17:50 rsa-pass > -rw------- 1 pete pete 963 Nov 13 17:52 rsa-pass-corrupt > -rw------- 1 pete pete 218 Nov 13 17:51 rsa-pass-corrupt.pub > -rw------- 1 pete pete 218 Nov 13 17:50 rsa-pass.pub > [pete at taz tmp]$ cat rsa-pass > -----BEGIN RSA PRIVATE KEY----- > Proc-Type: 4,ENCRYPTED > DEK-Info: DES-EDE3-CBC,210DCA300E488E36 > > r/oN1b4kfcCNX/8PtIe8yK6KdNXguSBX5W4OdbBhBaMKekhazj0QDLPdknwZyPUk > RN3oYZt+dL/HmioK+djoIKL0ZjloiJshNnzVNL8edTLQrIgeptNRausEakjq8gyn > P5WwMQqocdmq3c/ANcJEesi+rhrtiAm7MfHO5hKoBUhT17guhIY1DC2CzWbFa+hl > m1cM2+mmemqGMFkW8kZWqf9GPCzGyVWk6qbIWPLq2LplvJuGIrZiBY839juuN2/0 > g4FEUvgWmjW2+kOvsrr2rGY7okCDV7BF6Du0xURqVpW34Y+iP+yl7QSfZsRSAP1R > 7sMIvYx6gZaqfba0C3FDTNI+f4Zl126OpZBSdRY2Mn1/VW7FDN5GCH/L7xdVhlYr > DXJILsdArI03SPIVyMbQcSjepLtHywvSMY8Iw4vm5St1S9Zmr2MUeICgui9TZ3RQ > ji2+q3fM2WETGNm+PWP5eW96Sxd0AAz9AO55l8SGbXnMwMgtIj3+nrIquK3eatsu > xetIognL/tQJG4nO1umM4cs6IM8XdaeyZeUQayGq55mqOIhj0nASD4sWTRlVZPIx > K2Lti+u1ZKcBBkKaNIIY2ceMvsiL3PMNV1m3o2Es691WBCXtaXxoq28qJcjiXAvx > DzV9itbV9Ic1h6u7QnAHjk4OhnbQk83C3l6Ww+3/IfoGeCngL4DFA2/W2ABPLJcJ > 6EYdvAO5LqAvATA2WjaXexTIIQiRqtIoj3XOVsJ8cnyID8DY+bHRKIGOsRQc7TMf > o13PSOo5fl4fPaeqwPVJD+9KkWPyWQ+wDWb2gfEgiNSKqmcxlhXpRA== > -----END RSA PRIVATE KEY----- I copied rsa-pass to rsa-pass-corrupt, then edited it, changing a few characters from upper to lower case: > [pete at taz tmp]$ diff rsa-pass rsa-pass-corrupt > 14c14 > < K2Lti+u1ZKcBBkKaNIIY2ceMvsiL3PMNV1m3o2Es691WBCXtaXxoq28qJcjiXAvx > --- >> k2lti+u1ZKcBBkKaNIIY2ceMvsiL3PMNV1m3o2Es691WBCXtaXxoq28qJcjiXAvx I can verify that the rsa key is OK and rsa-pass-corrupt key is bogus: > [pete at taz tmp]$ openssl rsa -check -in rsa-pass > Enter pass phrase for rsa-pass: > RSA key ok > writing RSA key > -----BEGIN RSA PRIVATE KEY----- > MIICXAIBAAKBgQC07DC7+w+8xMkmRF4O+f4NF0kKJlzKtd2Q86Cw/SXeq63TZwjD > FwyHyxje3713ccb2D9y7GRMFfNHQWvuYRDvp6gZiT3Z1nuNX7bsZ7yWY3FwFql37 > nC6H28dReon7ipWKXWGQITl8lwUos3zkLTztmaF8q+Plvsdm3AMwXyRuGQIBIwKB > gQCqlY0JAqhwJ0FP91Fek++Ir44CQW1uq3kiRMq1gPfR8lNvjQhC6didSnaI/tc2 > GtGI6mJnQ4b2i6FAys/19zEraUXyHwQYmnfgaNZ2am/Ru8BVl5qzBJYqf8amEukP > Avl1WwtQt0+u7OKzN0quzDyii7takYsp0pMkMU290vHaewJBAO5fypNUZaawK221 > y3naumNrjvrcLlPewNu6E4Q0ZJLpUYOpdxkQ/wXHcLw/ANnk0OUYk9z1AAhhr7A6 > ESHXIV0CQQDCTOSD9u4eER91rXuISKLv3qeK1fgkarEytqzahTG2dRl5KDfJnazE > i1b6qNxbsvQv2Xk8U4rPTYkHAk4nRQftAkAUbpxVxWfMdYAQt8+cuvoIhY/pndgV > 0UO7D/MLVPKtgbaHoM+xsP/qjXAQIqhNMN60jRP8/w6hofkdu9WVL7JnAkEAhTwK > aR5aIz7xADxx9w08hzmXdSUB7RX12aHVnSgiFrayYbUtkZCw+81C9QYTchRPq8hT > Ig1mf4Wfykq5P3/K6wJBAK74oVXD+oYXPBWdqNQpq7EuOGW+jmnOM1aS312pJZ+h > 0LmZkA0djBpSEjwHjcOVEBHVRXz5VgOEOb2EfvMulTw= > -----END RSA PRIVATE KEY----- > [pete at taz tmp]$ openssl rsa -check -in rsa-pass-corrupt > Enter pass phrase for rsa-pass-corrupt: > RSA key error: dmp1 not congruent to d > writing RSA key > -----BEGIN RSA PRIVATE KEY----- > MIICXAIBAAKBgQC07DC7+w+8xMkmRF4O+f4NF0kKJlzKtd2Q86Cw/SXeq63TZwjD > FwyHyxje3713ccb2D9y7GRMFfNHQWvuYRDvp6gZiT3Z1nuNX7bsZ7yWY3FwFql37 > nC6H28dReon7ipWKXWGQITl8lwUos3zkLTztmaF8q+Plvsdm3AMwXyRuGQIBIwKB > gQCqlY0JAqhwJ0FP91Fek++Ir44CQW1uq3kiRMq1gPfR8lNvjQhC6didSnaI/tc2 > GtGI6mJnQ4b2i6FAys/19zEraUXyHwQYmnfgaNZ2am/Ru8BVl5qzBJYqf8amEukP > Avl1WwtQt0+u7OKzN0quzDyii7takYsp0pMkMU290vHaewJBAO5fypNUZaawK221 > y3naumNrjvrcLlPewNu6E4Q0ZJLpUYOpdxkQ/wXHcLw/ANnk0OUYk9z1AAhhr7A6 > ESHXIV0CQQDCTOSD9u4eER91rXuISKLv3qeK1fgkarEytqzahTG2dRl5KDfJnazE > i1b6qNxbsvQv2Xk8U4rPTYkHAk4nRQftAkAUbpxVxWfMdYAQt8+cuvoIhY/pndgV > XP7Sv4nQO2kVijaHoM+xsP/qjXAQIqhNMN60jRP8/w6hofkdu9WVL7JnAkEAhTwK > aR5aIz7xADxx9w08hzmXdSUB7RX12aHVnSgiFrayYbUtkZCw+81C9QYTchRPq8hT > Ig1mf4Wfykq5P3/K6wJBAK74oVXD+oYXPBWdqNQpq7EuOGW+jmnOM1aS312pJZ+h > 0LmZkA0djBpSEjwHjcOVEBHVRXz5VgOEOb2EfvMulTw= > -----END RSA PRIVATE KEY----- I added rsa-pass.pub to my ~/.ssh/authorized_keys and then tried to log in with rsa-pass: > [pete at taz tmp]$ ssh -v localhost -i rsa-pass > OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9, SSH protocols 1.5/2.0, OpenSSL 0x0090703f > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: Rhosts Authentication disabled, originating port will not be trusted. > debug1: Connecting to localhost [127.0.0.1] port 22. > debug1: Connection established. > debug1: identity file rsa-pass type 1 > debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 > debug1: match: OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 pat OpenSSH* > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: server->client aes128-cbc hmac-md5 none > debug1: kex: client->server aes128-cbc hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > debug1: Host 'localhost' is known and matches the RSA host key. > debug1: Found key in /home/pete/.ssh/known_hosts:21 > debug1: ssh_rsa_verify: signature correct > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug1: SSH2_MSG_NEWKEYS received > debug1: SSH2_MSG_SERVICE_REQUEST sent > debug1: SSH2_MSG_SERVICE_ACCEPT received > debug1: Authentications that can continue: publickey,password,keyboard-interactive > debug1: Next authentication method: publickey > debug1: Offering public key: rsa-pass > debug1: Server accepts key: pkalg ssh-rsa blen 149 lastkey 0x80888a0 hint 0 > debug1: PEM_read_PrivateKey failed > debug1: read PEM private key done: type > Enter passphrase for key 'rsa-pass': > debug1: read PEM private key done: type RSA > debug1: Authentication succeeded (publickey). > debug1: channel 0: new [client-session] > debug1: Entering interactive session. > debug1: channel 0: request pty-req > debug1: channel 0: request shell > debug1: channel 0: open confirm rwindow 0 rmax 32768 > Linux taz 2.6.0-test9 #2 SMP Mon Oct 27 17:02:15 CST 2003 i686 GNU/Linux > No mail. > Last login: Thu Nov 13 17:56:20 2003 from taz > [pete at taz pete]$ > debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 > debug1: channel 0: rcvd eof > debug1: channel 0: output open -> drain > debug1: channel 0: obuf empty > debug1: channel 0: close_write > debug1: channel 0: output drain -> closed > debug1: channel 0: rcvd close > debug1: channel 0: close_read > debug1: channel 0: input open -> closed > debug1: channel 0: almost dead > debug1: channel 0: gc: notify user > debug1: channel 0: gc: user detached > debug1: channel 0: send close > debug1: channel 0: is dead > debug1: channel 0: garbage collecting > debug1: channel_free: channel 0: client-session, nchannels 1 > Connection to localhost closed. > debug1: Transferred: stdin 0, stdout 0, stderr 33 bytes in 15.5 seconds > debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 2.1 > debug1: Exit status 0 > [pete at taz tmp]$ Now with the corrupt key: > [pete at taz tmp]$ ssh -v localhost -i rsa-pass-corrupt > OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9, SSH protocols 1.5/2.0, OpenSSL 0x0090703f > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: Rhosts Authentication disabled, originating port will not be trusted. > debug1: Connecting to localhost [127.0.0.1] port 22. > debug1: Connection established. > debug1: identity file rsa-pass-corrupt type 1 > debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 > debug1: match: OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 pat OpenSSH* > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: server->client aes128-cbc hmac-md5 none > debug1: kex: client->server aes128-cbc hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > debug1: Host 'localhost' is known and matches the RSA host key. > debug1: Found key in /home/pete/.ssh/known_hosts:21 > debug1: ssh_rsa_verify: signature correct > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug1: SSH2_MSG_NEWKEYS received > debug1: SSH2_MSG_SERVICE_REQUEST sent > debug1: SSH2_MSG_SERVICE_ACCEPT received > debug1: Authentications that can continue: publickey,password,keyboard-interactive > debug1: Next authentication method: publickey > debug1: Offering public key: rsa-pass-corrupt > debug1: Server accepts key: pkalg ssh-rsa blen 149 lastkey 0x80888e0 hint 0 > debug1: PEM_read_PrivateKey failed > debug1: read PEM private key done: type > Enter passphrase for key 'rsa-pass-corrupt': > debug1: read PEM private key done: type RSA > debug1: Authentication succeeded (publickey). > debug1: channel 0: new [client-session] > debug1: Entering interactive session. > debug1: channel 0: request pty-req > debug1: channel 0: request shell > debug1: channel 0: open confirm rwindow 0 rmax 32768 > Linux taz 2.6.0-test9 #2 SMP Mon Oct 27 17:02:15 CST 2003 i686 GNU/Linux > No mail. > Last login: Thu Nov 13 17:56:35 2003 from taz > [pete at taz pete]$ > debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 > debug1: channel 0: rcvd eof > debug1: channel 0: output open -> drain > debug1: channel 0: obuf empty > debug1: channel 0: close_write > debug1: channel 0: output drain -> closed > debug1: channel 0: rcvd close > debug1: channel 0: close_read > debug1: channel 0: input open -> closed > debug1: channel 0: almost dead > debug1: channel 0: gc: notify user > debug1: channel 0: gc: user detached > debug1: channel 0: send close > debug1: channel 0: is dead > debug1: channel 0: garbage collecting > debug1: channel_free: channel 0: client-session, nchannels 1 > Connection to localhost closed. > debug1: Transferred: stdin 0, stdout 0, stderr 33 bytes in 51.3 seconds > debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.6 > debug1: Exit status 0 > [pete at taz tmp]$ I reinstalled SSHD from the Debian archives to make sure I'm not running some kind of bogus SSH server and it still works. I'd be surprised if this had happened as I tend to be pretty careful and pretty aware of what's going on with this box. And, I've reproduced this behavior on our SSH port to vxWorks (which is where it came up in the first place). I can corrupt the key to the point where the ASN1 parse fails: > [pete at taz tmp]$ diff rsa-pass rsa-pass-corrupt2 > 10c10 > < 7sMIvYx6gZaqfba0C3FDTNI+f4Zl126OpZBSdRY2Mn1/VW7FDN5GCH/L7xdVhlYr > --- >> 7smivyx6gzaqfba0c3fdtni+f4zl126opzbsdry2mn1/vw7fdn5gch/L7xdVhlYr > 13,14c13,14 > < xetIognL/tQJG4nO1umM4cs6IM8XdaeyZeUQayGq55mqOIhj0nASD4sWTRlVZPIx > < K2Lti+u1ZKcBBkKaNIIY2ceMvsiL3PMNV1m3o2Es691WBCXtaXxoq28qJcjiXAvx > --- >> xetIognL/tQJG4nO1umM4cs6IM8Xdaeyzeuqaygq55mqoihj0nasd4swtrlvzpix >> k2lti+u1ZKcBBkKaNIIY2ceMvsiL3PMNV1m3o2Es691WBCXtaXxoq28qJcjiXAvx Then of course it doesn't work (as expected): > [pete at taz tmp]$ openssl rsa -check -in rsa-pass-corrupt2 > Enter pass phrase for rsa-pass-corrupt2: > unable to load Private Key > 29272:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140: > 29272:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:935: > 29272:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:628: > 29272:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=p, Type=RSA > 29272:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96: > 29272:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_pkey.c:117: > [pete at taz tmp]$ ssh -v localhost -i rsa-pass-corrupt2 > OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9, SSH protocols 1.5/2.0, OpenSSL 0x0090703f > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: Rhosts Authentication disabled, originating port will not be trusted. > debug1: Connecting to localhost [127.0.0.1] port 22. > debug1: Connection established. > debug1: identity file rsa-pass-corrupt2 type -1 > debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 > debug1: match: OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 pat OpenSSH* > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: server->client aes128-cbc hmac-md5 none > debug1: kex: client->server aes128-cbc hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > debug1: Host 'localhost' is known and matches the RSA host key. > debug1: Found key in /home/pete/.ssh/known_hosts:21 > debug1: ssh_rsa_verify: signature correct > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug1: SSH2_MSG_NEWKEYS received > debug1: SSH2_MSG_SERVICE_REQUEST sent > debug1: SSH2_MSG_SERVICE_ACCEPT received > debug1: Authentications that can continue: publickey,password,keyboard-interactive > debug1: Next authentication method: publickey > debug1: Trying private key: rsa-pass-corrupt2 > debug1: PEM_read_PrivateKey failed > debug1: read PEM private key done: type > Enter passphrase for key 'rsa-pass-corrupt2': > debug1: PEM_read_PrivateKey failed > This is mighty strange. I'm still wondering if I've been rooted... If so, it's exceedingly well done. Pete From wbparsons at cshore.com Fri Nov 14 12:41:52 2003 From: wbparsons at cshore.com (Will Parsons) Date: Fri, 14 Nov 2003 01:41:52 +0000 (UTC) Subject: openssh-3.7.1p2 on HP-UX 10.20 References: <2D5048494293D411809800508BF900FC10F02BD5@msxcentral1.hydro.qc.ca> Message-ID: Bagdoo.Jean at hydro.qc.ca wrote: > Hello, > > I have dowloaded all that is required to build a working OpenSSH on HP-UX > 10.20 from the HP-UX Porting and Archibve centre (this seems to be the only > way to go for 10.20). Make/install of all prerequisites has scucceeded. Now > make of openssh-3.7.1p2 gives the following: > > gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. > -I/usr/local/openssl-0.9.7b/include -I/opt/zlib/include -D_HPUX_SOURCE > -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c > getrrsetbyname.c > getrrsetbyname.c: In function `getrrsetbyname': > getrrsetbyname.c:191: warning: implicit declaration of function `res_init' > getrrsetbyname.c:207: warning: implicit declaration of function `res_query' > getrrsetbyname.c:265: `T_SIG' undeclared (first use in this function) > getrrsetbyname.c:265: (Each undeclared identifier is reported only once > getrrsetbyname.c:265: for each function it appears in.) > getrrsetbyname.c: In function `parse_dns_response': > getrrsetbyname.c:366: `HFIXEDSZ' undeclared (first use in this function) > getrrsetbyname.c: In function `parse_dns_qsection': > getrrsetbyname.c:437: warning: implicit declaration of function `dn_expand' > *** Error exit code 1 > > Stop. > *** Error exit code 1 > > Stop. > > > Any clue? > > Thanks, > > > Jean Bagdoo I have just encountered the same problem under HP-UX 10.20, but using the native HP compiler rather than gcc. I have no idea what the problem is. Does anyone know where T_SIG or HFIXEDSZ are or should be defined? -- +----------------------------------------------------+ | Will Parsons | | Modified e-mail address: wbparsons at cshorexyz.com | | To reply: delete "xyz" from domain | +----------------------------------------------------+ From rick.jones2 at hp.com Fri Nov 14 13:12:47 2003 From: rick.jones2 at hp.com (Rick Jones) Date: Thu, 13 Nov 2003 18:12:47 -0800 Subject: openssh-3.7.1p2 on HP-UX 10.20 References: <2D5048494293D411809800508BF900FC10F02BD5@msxcentral1.hydro.qc.ca> Message-ID: <3FB43A1F.F32439C5@hp.com> Perhaps not all the requisite include files are being included? This is from an 11.0 system, but can be easily validated with a "man res_init" on the 10.20 systems: resolver(3N) resolver(3N) NAME res_query(), res_search(), res_mkquery(), res_send(), res_init(), dn_comp(), dn_expand(), herror() - resolver routines SYNOPSIS #include #include #include #include -- Wisdom Teeth are impacted, people are affected by the effects of events. these opinions are mine, all mine; HP might not want them anyway... :) feel free to post, OR email to raj in cup.hp.com but NOT BOTH... From dcole at keysoftsys.com Fri Nov 14 13:31:17 2003 From: dcole at keysoftsys.com (Darren Cole) Date: Thu, 13 Nov 2003 18:31:17 -0800 Subject: openssh-3.7.1p2 on HP-UX 10.20 In-Reply-To: References: <2D5048494293D411809800508BF900FC10F02BD5@msxcentral1.hydro.qc.ca> Message-ID: <9FE0753E-164A-11D8-9DD8-000A95E310BA@keysoftsys.com> They seem to defined in bind's nameserve_compat.h, and symbian's namser.h (google search on T_SIG, and seperate HFIXEDSZ search). Regardless they aren't anywhere on my 10.26 box. I #define them in one of the files for sshd with the values found in the above google search. This is not a good solution, but it did get things to compile with a recent copy of gcc and binutils . res_init and friends seem to link fine in the end and are in manpages for 10.26. This got ssh client working, but not the sshd server. I haven't gotten around to fixing sshd yet and don't know when I will. Darren Cole dcole at keysoftsys.com On Nov 13, 2003, at 17:41, Will Parsons wrote: > Bagdoo.Jean at hydro.qc.ca wrote: >> Hello, >> [ cut for brevity] >> getrrsetbyname.c:265: `T_SIG' undeclared (first use in this function) >> getrrsetbyname.c:265: (Each undeclared identifier is reported only >> once >> getrrsetbyname.c:265: for each function it appears in.) >> getrrsetbyname.c: In function `parse_dns_response': >> getrrsetbyname.c:366: `HFIXEDSZ' undeclared (first use in this >> function) >> getrrsetbyname.c: In function `parse_dns_qsection': >> getrrsetbyname.c:437: warning: implicit declaration of function >> `dn_expand' >> *** Error exit code 1 >> >> Stop. >> *** Error exit code 1 >> >> Stop. [ cut for brevity] >> Jean Bagdoo > > I have just encountered the same problem under HP-UX 10.20, but using > the > native HP compiler rather than gcc. I have no idea what the problem > is. > Does anyone know where T_SIG or HFIXEDSZ are or should be defined? > > -- > +----------------------------------------------------+ > | Will Parsons | > | Modified e-mail address: wbparsons at cshorexyz.com | > | To reply: delete "xyz" from domain | > +----------------------------------------------------+ From dan at doxpara.com Fri Nov 14 16:45:40 2003 From: dan at doxpara.com (Dan Kaminsky) Date: Fri, 14 Nov 2003 06:45:40 +0100 Subject: corrupt client keys question In-Reply-To: <3FB41CCA.9070100@mchsi.com> References: <3FB3A1A2.5070107@mchsi.com> <20031113195012.GL18604@crawfish.ais.com> <3FB41CCA.9070100@mchsi.com> Message-ID: <3FB46C04.5010408@doxpara.com> Been investigating this. Preliminary evidence -- yup, keys can be corrupted pretty heavily, and still result in a successful login. Attached is a set of example keys, bounced around quite heavily. It appears certain bytes flat out do not affect the calculation, i.e. no matter what I put in there, the key still works. I'm actually not worried, yet -- my suspicion is that OpenSSL throws some extra bits into its saved keys, and that's what I'm corrupting. Still, this ain't encouraging: $ openssl.exe rsa -check -in id_rsa 3884:error:0407B080:rsa routines:RSA_check_key:p not prime:rsa_chk.c:84: 3884:error:0407B081:rsa routines:RSA_check_key:q not prime:rsa_chk.c:94: 3884:error:0407B07F:rsa routines:RSA_check_key:n does not equal p q:rsa_chk.c:104: 3884:error:0407B07B:rsa routines:RSA_check_key:d e not congruent to 1:rsa_chk.c:128: 3884:error:0407B07C:rsa routines:RSA_check_key:dmp1 not congruent to d:rsa_chk.c:144: 3884:error:0407B07D:rsa routines:RSA_check_key:dmq1 not congruent to d:rsa_chk.c:158: 3884:error:0306E06C:bignum routines:BN_mod_inverse:no inverse:bn_gcd.c:482: Pete Flugstad wrote: > Jim Knoble wrote: > >> You sure you're not running ssh-agent with the (uncorrupted) key added >> to it? > > > yes, no SSH-agent running. > >> Can you reproduce this behavior on a -t rsa key that has a passphrase? > > > Seems I can, which really scares me. Here are the files I'm working > with. rsa-pass is freshly generated with "ssh-keygen -t rsa" and I > used a passphrase (not a good one, but I used one): > >> [pete at taz tmp]$ ll >> total 16 >> -rw------- 1 pete pete 963 Nov 13 17:50 rsa-pass >> -rw------- 1 pete pete 963 Nov 13 17:52 rsa-pass-corrupt >> -rw------- 1 pete pete 218 Nov 13 17:51 >> rsa-pass-corrupt.pub >> -rw------- 1 pete pete 218 Nov 13 17:50 rsa-pass.pub >> [pete at taz tmp]$ cat rsa-pass >> -----BEGIN RSA PRIVATE KEY----- >> Proc-Type: 4,ENCRYPTED >> DEK-Info: DES-EDE3-CBC,210DCA300E488E36 >> >> r/oN1b4kfcCNX/8PtIe8yK6KdNXguSBX5W4OdbBhBaMKekhazj0QDLPdknwZyPUk >> RN3oYZt+dL/HmioK+djoIKL0ZjloiJshNnzVNL8edTLQrIgeptNRausEakjq8gyn >> P5WwMQqocdmq3c/ANcJEesi+rhrtiAm7MfHO5hKoBUhT17guhIY1DC2CzWbFa+hl >> m1cM2+mmemqGMFkW8kZWqf9GPCzGyVWk6qbIWPLq2LplvJuGIrZiBY839juuN2/0 >> g4FEUvgWmjW2+kOvsrr2rGY7okCDV7BF6Du0xURqVpW34Y+iP+yl7QSfZsRSAP1R >> 7sMIvYx6gZaqfba0C3FDTNI+f4Zl126OpZBSdRY2Mn1/VW7FDN5GCH/L7xdVhlYr >> DXJILsdArI03SPIVyMbQcSjepLtHywvSMY8Iw4vm5St1S9Zmr2MUeICgui9TZ3RQ >> ji2+q3fM2WETGNm+PWP5eW96Sxd0AAz9AO55l8SGbXnMwMgtIj3+nrIquK3eatsu >> xetIognL/tQJG4nO1umM4cs6IM8XdaeyZeUQayGq55mqOIhj0nASD4sWTRlVZPIx >> K2Lti+u1ZKcBBkKaNIIY2ceMvsiL3PMNV1m3o2Es691WBCXtaXxoq28qJcjiXAvx >> DzV9itbV9Ic1h6u7QnAHjk4OhnbQk83C3l6Ww+3/IfoGeCngL4DFA2/W2ABPLJcJ >> 6EYdvAO5LqAvATA2WjaXexTIIQiRqtIoj3XOVsJ8cnyID8DY+bHRKIGOsRQc7TMf >> o13PSOo5fl4fPaeqwPVJD+9KkWPyWQ+wDWb2gfEgiNSKqmcxlhXpRA== >> -----END RSA PRIVATE KEY----- > > > I copied rsa-pass to rsa-pass-corrupt, then edited it, changing a > few characters from upper to lower case: > >> [pete at taz tmp]$ diff rsa-pass rsa-pass-corrupt >> 14c14 >> < K2Lti+u1ZKcBBkKaNIIY2ceMvsiL3PMNV1m3o2Es691WBCXtaXxoq28qJcjiXAvx >> --- >> >>> k2lti+u1ZKcBBkKaNIIY2ceMvsiL3PMNV1m3o2Es691WBCXtaXxoq28qJcjiXAvx >> > > I can verify that the rsa key is OK and rsa-pass-corrupt key is bogus: > > > [pete at taz tmp]$ openssl rsa -check -in rsa-pass > > Enter pass phrase for rsa-pass: > > RSA key ok > > writing RSA key > > -----BEGIN RSA PRIVATE KEY----- > > MIICXAIBAAKBgQC07DC7+w+8xMkmRF4O+f4NF0kKJlzKtd2Q86Cw/SXeq63TZwjD > > FwyHyxje3713ccb2D9y7GRMFfNHQWvuYRDvp6gZiT3Z1nuNX7bsZ7yWY3FwFql37 > > nC6H28dReon7ipWKXWGQITl8lwUos3zkLTztmaF8q+Plvsdm3AMwXyRuGQIBIwKB > > gQCqlY0JAqhwJ0FP91Fek++Ir44CQW1uq3kiRMq1gPfR8lNvjQhC6didSnaI/tc2 > > GtGI6mJnQ4b2i6FAys/19zEraUXyHwQYmnfgaNZ2am/Ru8BVl5qzBJYqf8amEukP > > Avl1WwtQt0+u7OKzN0quzDyii7takYsp0pMkMU290vHaewJBAO5fypNUZaawK221 > > y3naumNrjvrcLlPewNu6E4Q0ZJLpUYOpdxkQ/wXHcLw/ANnk0OUYk9z1AAhhr7A6 > > ESHXIV0CQQDCTOSD9u4eER91rXuISKLv3qeK1fgkarEytqzahTG2dRl5KDfJnazE > > i1b6qNxbsvQv2Xk8U4rPTYkHAk4nRQftAkAUbpxVxWfMdYAQt8+cuvoIhY/pndgV > > 0UO7D/MLVPKtgbaHoM+xsP/qjXAQIqhNMN60jRP8/w6hofkdu9WVL7JnAkEAhTwK > > aR5aIz7xADxx9w08hzmXdSUB7RX12aHVnSgiFrayYbUtkZCw+81C9QYTchRPq8hT > > Ig1mf4Wfykq5P3/K6wJBAK74oVXD+oYXPBWdqNQpq7EuOGW+jmnOM1aS312pJZ+h > > 0LmZkA0djBpSEjwHjcOVEBHVRXz5VgOEOb2EfvMulTw= > > -----END RSA PRIVATE KEY----- > > [pete at taz tmp]$ openssl rsa -check -in rsa-pass-corrupt > > Enter pass phrase for rsa-pass-corrupt: > > RSA key error: dmp1 not congruent to d > > writing RSA key > > -----BEGIN RSA PRIVATE KEY----- > > MIICXAIBAAKBgQC07DC7+w+8xMkmRF4O+f4NF0kKJlzKtd2Q86Cw/SXeq63TZwjD > > FwyHyxje3713ccb2D9y7GRMFfNHQWvuYRDvp6gZiT3Z1nuNX7bsZ7yWY3FwFql37 > > nC6H28dReon7ipWKXWGQITl8lwUos3zkLTztmaF8q+Plvsdm3AMwXyRuGQIBIwKB > > gQCqlY0JAqhwJ0FP91Fek++Ir44CQW1uq3kiRMq1gPfR8lNvjQhC6didSnaI/tc2 > > GtGI6mJnQ4b2i6FAys/19zEraUXyHwQYmnfgaNZ2am/Ru8BVl5qzBJYqf8amEukP > > Avl1WwtQt0+u7OKzN0quzDyii7takYsp0pMkMU290vHaewJBAO5fypNUZaawK221 > > y3naumNrjvrcLlPewNu6E4Q0ZJLpUYOpdxkQ/wXHcLw/ANnk0OUYk9z1AAhhr7A6 > > ESHXIV0CQQDCTOSD9u4eER91rXuISKLv3qeK1fgkarEytqzahTG2dRl5KDfJnazE > > i1b6qNxbsvQv2Xk8U4rPTYkHAk4nRQftAkAUbpxVxWfMdYAQt8+cuvoIhY/pndgV > > XP7Sv4nQO2kVijaHoM+xsP/qjXAQIqhNMN60jRP8/w6hofkdu9WVL7JnAkEAhTwK > > aR5aIz7xADxx9w08hzmXdSUB7RX12aHVnSgiFrayYbUtkZCw+81C9QYTchRPq8hT > > Ig1mf4Wfykq5P3/K6wJBAK74oVXD+oYXPBWdqNQpq7EuOGW+jmnOM1aS312pJZ+h > > 0LmZkA0djBpSEjwHjcOVEBHVRXz5VgOEOb2EfvMulTw= > > -----END RSA PRIVATE KEY----- > > I added rsa-pass.pub to my ~/.ssh/authorized_keys and then tried to > log in with rsa-pass: > >> [pete at taz tmp]$ ssh -v localhost -i rsa-pass >> OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9, SSH protocols 1.5/2.0, OpenSSL >> 0x0090703f >> debug1: Reading configuration data /etc/ssh/ssh_config >> debug1: Rhosts Authentication disabled, originating port will not be >> trusted. >> debug1: Connecting to localhost [127.0.0.1] port 22. >> debug1: Connection established. >> debug1: identity file rsa-pass type 1 >> debug1: Remote protocol version 1.99, remote software version >> OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 >> debug1: match: OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 pat OpenSSH* >> debug1: Enabling compatibility mode for protocol 2.0 >> debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 >> debug1: SSH2_MSG_KEXINIT sent >> debug1: SSH2_MSG_KEXINIT received >> debug1: kex: server->client aes128-cbc hmac-md5 none >> debug1: kex: client->server aes128-cbc hmac-md5 none >> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent >> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP >> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent >> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY >> debug1: Host 'localhost' is known and matches the RSA host key. >> debug1: Found key in /home/pete/.ssh/known_hosts:21 >> debug1: ssh_rsa_verify: signature correct >> debug1: SSH2_MSG_NEWKEYS sent >> debug1: expecting SSH2_MSG_NEWKEYS >> debug1: SSH2_MSG_NEWKEYS received >> debug1: SSH2_MSG_SERVICE_REQUEST sent >> debug1: SSH2_MSG_SERVICE_ACCEPT received >> debug1: Authentications that can continue: >> publickey,password,keyboard-interactive >> debug1: Next authentication method: publickey >> debug1: Offering public key: rsa-pass >> debug1: Server accepts key: pkalg ssh-rsa blen 149 lastkey 0x80888a0 >> hint 0 >> debug1: PEM_read_PrivateKey failed >> debug1: read PEM private key done: type >> Enter passphrase for key 'rsa-pass': >> debug1: read PEM private key done: type RSA >> debug1: Authentication succeeded (publickey). >> debug1: channel 0: new [client-session] >> debug1: Entering interactive session. >> debug1: channel 0: request pty-req >> debug1: channel 0: request shell >> debug1: channel 0: open confirm rwindow 0 rmax 32768 >> Linux taz 2.6.0-test9 #2 SMP Mon Oct 27 17:02:15 CST 2003 i686 GNU/Linux >> No mail. >> Last login: Thu Nov 13 17:56:20 2003 from taz >> [pete at taz pete]$ >> debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 >> debug1: channel 0: rcvd eof >> debug1: channel 0: output open -> drain >> debug1: channel 0: obuf empty >> debug1: channel 0: close_write >> debug1: channel 0: output drain -> closed >> debug1: channel 0: rcvd close >> debug1: channel 0: close_read >> debug1: channel 0: input open -> closed >> debug1: channel 0: almost dead >> debug1: channel 0: gc: notify user >> debug1: channel 0: gc: user detached >> debug1: channel 0: send close >> debug1: channel 0: is dead >> debug1: channel 0: garbage collecting >> debug1: channel_free: channel 0: client-session, nchannels 1 >> Connection to localhost closed. >> debug1: Transferred: stdin 0, stdout 0, stderr 33 bytes in 15.5 seconds >> debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 2.1 >> debug1: Exit status 0 >> [pete at taz tmp]$ > > > Now with the corrupt key: > >> [pete at taz tmp]$ ssh -v localhost -i rsa-pass-corrupt >> OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9, SSH protocols 1.5/2.0, OpenSSL >> 0x0090703f >> debug1: Reading configuration data /etc/ssh/ssh_config >> debug1: Rhosts Authentication disabled, originating port will not be >> trusted. >> debug1: Connecting to localhost [127.0.0.1] port 22. >> debug1: Connection established. >> debug1: identity file rsa-pass-corrupt type 1 >> debug1: Remote protocol version 1.99, remote software version >> OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 >> debug1: match: OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 pat OpenSSH* >> debug1: Enabling compatibility mode for protocol 2.0 >> debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 >> debug1: SSH2_MSG_KEXINIT sent >> debug1: SSH2_MSG_KEXINIT received >> debug1: kex: server->client aes128-cbc hmac-md5 none >> debug1: kex: client->server aes128-cbc hmac-md5 none >> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent >> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP >> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent >> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY >> debug1: Host 'localhost' is known and matches the RSA host key. >> debug1: Found key in /home/pete/.ssh/known_hosts:21 >> debug1: ssh_rsa_verify: signature correct >> debug1: SSH2_MSG_NEWKEYS sent >> debug1: expecting SSH2_MSG_NEWKEYS >> debug1: SSH2_MSG_NEWKEYS received >> debug1: SSH2_MSG_SERVICE_REQUEST sent >> debug1: SSH2_MSG_SERVICE_ACCEPT received >> debug1: Authentications that can continue: >> publickey,password,keyboard-interactive >> debug1: Next authentication method: publickey >> debug1: Offering public key: rsa-pass-corrupt >> debug1: Server accepts key: pkalg ssh-rsa blen 149 lastkey 0x80888e0 >> hint 0 >> debug1: PEM_read_PrivateKey failed >> debug1: read PEM private key done: type >> Enter passphrase for key 'rsa-pass-corrupt': >> debug1: read PEM private key done: type RSA >> debug1: Authentication succeeded (publickey). >> debug1: channel 0: new [client-session] >> debug1: Entering interactive session. >> debug1: channel 0: request pty-req >> debug1: channel 0: request shell >> debug1: channel 0: open confirm rwindow 0 rmax 32768 >> Linux taz 2.6.0-test9 #2 SMP Mon Oct 27 17:02:15 CST 2003 i686 GNU/Linux >> No mail. >> Last login: Thu Nov 13 17:56:35 2003 from taz >> [pete at taz pete]$ >> debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 >> debug1: channel 0: rcvd eof >> debug1: channel 0: output open -> drain >> debug1: channel 0: obuf empty >> debug1: channel 0: close_write >> debug1: channel 0: output drain -> closed >> debug1: channel 0: rcvd close >> debug1: channel 0: close_read >> debug1: channel 0: input open -> closed >> debug1: channel 0: almost dead >> debug1: channel 0: gc: notify user >> debug1: channel 0: gc: user detached >> debug1: channel 0: send close >> debug1: channel 0: is dead >> debug1: channel 0: garbage collecting >> debug1: channel_free: channel 0: client-session, nchannels 1 >> Connection to localhost closed. >> debug1: Transferred: stdin 0, stdout 0, stderr 33 bytes in 51.3 seconds >> debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.6 >> debug1: Exit status 0 >> [pete at taz tmp]$ > > > I reinstalled SSHD from the Debian archives to make sure I'm not > running some kind of bogus SSH server and it still works. I'd be > surprised if this had happened as I tend to be pretty careful and > pretty aware of what's going on with this box. And, I've reproduced > this behavior on our SSH port to vxWorks (which is where it came up in > the first place). > > I can corrupt the key to the point where the ASN1 parse fails: > >> [pete at taz tmp]$ diff rsa-pass rsa-pass-corrupt2 >> 10c10 >> < 7sMIvYx6gZaqfba0C3FDTNI+f4Zl126OpZBSdRY2Mn1/VW7FDN5GCH/L7xdVhlYr >> --- >> >>> 7smivyx6gzaqfba0c3fdtni+f4zl126opzbsdry2mn1/vw7fdn5gch/L7xdVhlYr >> >> 13,14c13,14 >> < xetIognL/tQJG4nO1umM4cs6IM8XdaeyZeUQayGq55mqOIhj0nASD4sWTRlVZPIx >> < K2Lti+u1ZKcBBkKaNIIY2ceMvsiL3PMNV1m3o2Es691WBCXtaXxoq28qJcjiXAvx >> --- >> >>> xetIognL/tQJG4nO1umM4cs6IM8Xdaeyzeuqaygq55mqoihj0nasd4swtrlvzpix >>> k2lti+u1ZKcBBkKaNIIY2ceMvsiL3PMNV1m3o2Es691WBCXtaXxoq28qJcjiXAvx >> > > Then of course it doesn't work (as expected): > >> [pete at taz tmp]$ openssl rsa -check -in rsa-pass-corrupt2 >> Enter pass phrase for rsa-pass-corrupt2: >> unable to load Private Key >> 29272:error:0D07207B:asn1 encoding routines:ASN1_get_object:header >> too long:asn1_lib.c:140: >> 29272:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad >> object header:tasn_dec.c:935: >> 29272:error:0D06C03A:asn1 encoding >> routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:628: >> 29272:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested >> asn1 error:tasn_dec.c:566:Field=p, Type=RSA >> 29272:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 >> lib:d2i_pr.c:96: >> 29272:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 >> lib:pem_pkey.c:117: > > >> [pete at taz tmp]$ ssh -v localhost -i rsa-pass-corrupt2 >> OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9, SSH protocols 1.5/2.0, OpenSSL >> 0x0090703f >> debug1: Reading configuration data /etc/ssh/ssh_config >> debug1: Rhosts Authentication disabled, originating port will not be >> trusted. >> debug1: Connecting to localhost [127.0.0.1] port 22. >> debug1: Connection established. >> debug1: identity file rsa-pass-corrupt2 type -1 >> debug1: Remote protocol version 1.99, remote software version >> OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 >> debug1: match: OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 pat OpenSSH* >> debug1: Enabling compatibility mode for protocol 2.0 >> debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 >> debug1: SSH2_MSG_KEXINIT sent >> debug1: SSH2_MSG_KEXINIT received >> debug1: kex: server->client aes128-cbc hmac-md5 none >> debug1: kex: client->server aes128-cbc hmac-md5 none >> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent >> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP >> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent >> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY >> debug1: Host 'localhost' is known and matches the RSA host key. >> debug1: Found key in /home/pete/.ssh/known_hosts:21 >> debug1: ssh_rsa_verify: signature correct >> debug1: SSH2_MSG_NEWKEYS sent >> debug1: expecting SSH2_MSG_NEWKEYS >> debug1: SSH2_MSG_NEWKEYS received >> debug1: SSH2_MSG_SERVICE_REQUEST sent >> debug1: SSH2_MSG_SERVICE_ACCEPT received >> debug1: Authentications that can continue: >> publickey,password,keyboard-interactive >> debug1: Next authentication method: publickey >> debug1: Trying private key: rsa-pass-corrupt2 >> debug1: PEM_read_PrivateKey failed >> debug1: read PEM private key done: type >> Enter passphrase for key 'rsa-pass-corrupt2': >> debug1: PEM_read_PrivateKey failed > > > > > This is mighty strange. I'm still wondering if I've been rooted... > If so, it's exceedingly well done. > > Pete > > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: id_rsa_good Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20031114/bb859f95/attachment.ksh -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: id_rsa Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20031114/bb859f95/attachment-0001.ksh -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: id_rsa.pub Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20031114/bb859f95/attachment-0002.ksh From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Nov 14 21:58:55 2003 From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Fri, 14 Nov 2003 11:58:55 +0100 Subject: openssh-3.7.1p2 on HP-UX 10.20 In-Reply-To: References: <2D5048494293D411809800508BF900FC10F02BD5@msxcentral1.hydro.qc.ca> Message-ID: <20031114105854.GA22944@serv01.aet.tu-cottbus.de> On Fri, Nov 14, 2003 at 01:41:52AM +0000, Will Parsons wrote: > Bagdoo.Jean at hydro.qc.ca wrote: > > Hello, > > > > I have dowloaded all that is required to build a working OpenSSH on HP-UX > > 10.20 from the HP-UX Porting and Archibve centre (this seems to be the only > > way to go for 10.20). Make/install of all prerequisites has scucceeded. Now > > make of openssh-3.7.1p2 gives the following: > > > > gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. > > -I/usr/local/openssl-0.9.7b/include -I/opt/zlib/include -D_HPUX_SOURCE > > -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c > > getrrsetbyname.c > > getrrsetbyname.c: In function `getrrsetbyname': > > getrrsetbyname.c:191: warning: implicit declaration of function `res_init' > > getrrsetbyname.c:207: warning: implicit declaration of function `res_query' > > getrrsetbyname.c:265: `T_SIG' undeclared (first use in this function) > > getrrsetbyname.c:265: (Each undeclared identifier is reported only once > > getrrsetbyname.c:265: for each function it appears in.) > > getrrsetbyname.c: In function `parse_dns_response': > > getrrsetbyname.c:366: `HFIXEDSZ' undeclared (first use in this function) > > getrrsetbyname.c: In function `parse_dns_qsection': > > getrrsetbyname.c:437: warning: implicit declaration of function `dn_expand' > > *** Error exit code 1 For me it seems, that the code in question is only compiled in, if --with-dns is during configuration. At least the original HP-UX 10.20 is shipped with Bind 4.x is missing the API required. I just had a look into my (self-installed) Bind 8.x header files and they seem to include the necessary declarations. You should therefore install bind8 and include the corresponding include file and library options to build against bind8. (Or maybe bind9, I never tried bind9's resolver libraries.) Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus From Stephan.Hendl at lds.brandenburg.de Sat Nov 15 00:11:47 2003 From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl) Date: Fri, 14 Nov 2003 14:11:47 +0100 Subject: Problem with 3.7.1p2 on Reliant Unix In-Reply-To: References: <3FB3375E.50041411@zip.com.au> Message-ID: <1068815507.2752.3.camel@hendl-0.ldspdm.ldsbb.lvnbb.de> Hallo again, I put the two lines of Tim instead of the three lines proposed by Darren in the config.h but it doesn'nt work... Stephan /* type to use in place of socklen_t if not defined */ #define socklen_t size_t #define BROKEN_SETREGID 1 #define BROKEN_SETREUID 1 /* ******************* Shouldn't need to edit below this line ************** */ #endif /* _CONFIG_H */ -----snip----- debug3: tty_make_modes: 90 1 debug3: tty_make_modes: 91 1 debug3: tty_make_modes: 92 0 debug3: tty_make_modes: 93 0 debug2: channel 0: request shell debug2: fd 5 setting TCP_NODELAY debug2: callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug2: channel 0: rcvd adjust 131072 debug3: Trying to reverse map address 10.128.11.71. Last login: Fri Nov 14 13:33:49 2003 from hendl-0 debug1: permanently_set_uid: 2004/2000 setuid 2004: Not owner debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 debug2: channel 0: rcvd eof debug2: channel 0: output open -> drain debug2: channel 0: obuf empty debug2: channel 0: close_write debug2: channel 0: output drain -> closed root at localhost: grep 2004 /etc/passwd hendl:x:2004:2000:Admin_LDS:/home/hendl:/sbin/ksh ----------------------- Am Do, 2003-11-13 um 21.02 schrieb Tim Rice: > On Thu, 13 Nov 2003, Darren Tucker wrote: > > > Alternatively, add these to config.h and rebuild (just "make", don't > run > > configure again). > > > > #define SETEUID_BREAKS_SETUID 1 > > #define AC_DEFINE(BROKEN_SETREUID 1 > > That should have been > #define BROKEN_SETREUID 1 > > > #define BROKEN_SETREGID 1 -- Stephan Hendl From peteflugstad at mchsi.com Sat Nov 15 01:34:16 2003 From: peteflugstad at mchsi.com (Pete Flugstad) Date: Fri, 14 Nov 2003 08:34:16 -0600 Subject: corrupt client keys question In-Reply-To: <3FB46C04.5010408@doxpara.com> References: <3FB3A1A2.5070107@mchsi.com> <20031113195012.GL18604@crawfish.ais.com> <3FB41CCA.9070100@mchsi.com> <3FB46C04.5010408@doxpara.com> Message-ID: <3FB4E7E8.9010203@mchsi.com> Dan Kaminsky wrote: > Been investigating this. Preliminary evidence -- yup, keys can be > corrupted pretty heavily, and still result in a successful login. Well, at least I'm not losing my mind :-). > Attached is a set of example keys, bounced around quite heavily. It > appears certain bytes flat out do not affect the calculation, i.e. no > matter what I put in there, the key still works. > > I'm actually not worried, yet -- my suspicion is that OpenSSL throws > some extra bits into its saved keys, and that's what I'm corrupting. My problem is this: if the numbers are messed up enough that "openssl rsa -check" sees that they are mathematically messed up, then how does this generate a valid authentication to the server? Pete From markus at openbsd.org Sat Nov 15 01:58:43 2003 From: markus at openbsd.org (Markus Friedl) Date: Fri, 14 Nov 2003 15:58:43 +0100 Subject: corrupt client keys question In-Reply-To: <3FB4E7E8.9010203@mchsi.com> References: <3FB3A1A2.5070107@mchsi.com> <20031113195012.GL18604@crawfish.ais.com> <3FB41CCA.9070100@mchsi.com> <3FB46C04.5010408@doxpara.com> <3FB4E7E8.9010203@mchsi.com> Message-ID: <20031114145843.GA17546@folly> On Fri, Nov 14, 2003 at 08:34:16AM -0600, Pete Flugstad wrote: > My problem is this: if the numbers are messed up enough that "openssl > rsa -check" sees that they are mathematically messed up, then how does > this generate a valid authentication to the server? if they are part of the public and not part of the private key. From sca at infini.com Sat Nov 15 01:19:28 2003 From: sca at infini.com (sca at infini.com) Date: Fri, 14 Nov 2003 10:19:28 -0400 Subject: implantation juridique a l etranger Message-ID: <211b01c3aaba$50a05670$14bb3650@rjcptimxh> From peteflugstad at mchsi.com Sat Nov 15 04:10:55 2003 From: peteflugstad at mchsi.com (Pete Flugstad) Date: Fri, 14 Nov 2003 11:10:55 -0600 Subject: corrupt client keys question In-Reply-To: <20031114145843.GA17546@folly> References: <3FB3A1A2.5070107@mchsi.com> <20031113195012.GL18604@crawfish.ais.com> <3FB41CCA.9070100@mchsi.com> <3FB46C04.5010408@doxpara.com> <3FB4E7E8.9010203@mchsi.com> <20031114145843.GA17546@folly> Message-ID: <3FB50C9F.4050703@mchsi.com> Okay, some more info, just to clarify. Summary: as Markus notes, it basically depends on what part of the "private" key you corrupt. The PEM private key format used by OpenSSL is defined in PKCS#8, which in turn references the RSAPrivateKey format from PKCS#1: RSAPrivateKey ::= SEQUENCE { version Version, modulus INTEGER, -- n publicExponent INTEGER, -- e privateExponent INTEGER, -- d prime1 INTEGER, -- p prime2 INTEGER, -- q exponent1 INTEGER, -- d mod (p-1) exponent2 INTEGER, -- d mod (q-1) coefficient INTEGER, -- (inverse of q) mod p otherPrimeInfos OtherPrimeInfos OPTIONAL } Needless to say, there's a lot here, some or much of it is redudant and so not all of this is used for authentication (probably only n and e?). This data get's ASN.1 encoded, then that gets Base64 encoded. So corrupting one part of the Base64 encoded data may or may not break the ASN.1 decoding - if it does, then obviously the key is useless and the PEM load will fail. And depending on which of the fields above you end up corrupting, this also may or may not break the use of the key for authentication. openssl rsa -check runs a whole series of additional checks to make sure all the fields match. IMO, this is probably too expensive for the SSH client to be doing (can any OpenSSH guys comment?) So, long storry short - there's nothing here, move along :-). Sorry for any confusion, I should have researched more before I posted. Pete From tim at multitalents.net Sat Nov 15 05:17:05 2003 From: tim at multitalents.net (Tim Rice) Date: Fri, 14 Nov 2003 10:17:05 -0800 (PST) Subject: Problem with 3.7.1p2 on Reliant Unix In-Reply-To: <1068815507.2752.3.camel@hendl-0.ldspdm.ldsbb.lvnbb.de> References: <3FB3375E.50041411@zip.com.au> <1068815507.2752.3.camel@hendl-0.ldspdm.ldsbb.lvnbb.de> Message-ID: On Fri, 14 Nov 2003, Stephan Hendl wrote: > Hallo again, > > I put the two lines of Tim instead of the three lines proposed by Darren > in the config.h but it doesn'nt work... > Stephan > You will need all 3 lines. There was a cut and paste problem in 1 of the 3 Darren provided. #define SETEUID_BREAKS_SETUID 1 #define BROKEN_SETREUID 1 #define BROKEN_SETREGID 1 -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From dan at doxpara.com Sat Nov 15 06:37:29 2003 From: dan at doxpara.com (Dan Kaminsky) Date: Fri, 14 Nov 2003 11:37:29 -0800 Subject: corrupt client keys question In-Reply-To: <20031114145843.GA17546@folly> References: <3FB3A1A2.5070107@mchsi.com> <20031113195012.GL18604@crawfish.ais.com> <3FB41CCA.9070100@mchsi.com> <3FB46C04.5010408@doxpara.com> <3FB4E7E8.9010203@mchsi.com> <20031114145843.GA17546@folly> Message-ID: <3FB52EF9.50102@doxpara.com> >if they are part of the public and not part of the private key. > > > Er, p and q (the RSA primes) are most certainly NOT part of the public key. However, once you've calculated n and e from them, the extra values are only useful for performance reasons (key agility, for instance). Interesting that OpenSSL private keys are much more verbose than they need to be. --Dan From xg11uxwtl at yahoo.com Sun Nov 16 05:55:47 2003 From: xg11uxwtl at yahoo.com (Faustino Tomlinson) Date: Sun, 16 Nov 2003 00:55:47 +0600 Subject: LIVE LONGER with H-uman...G-rowth...H-ormone...carlin Message-ID: H-uman...G-rowth...H-ormone Therapy "Overall deterioration of the body that comes with growing old is not inevitable."---Dr. Daniel Rudman's in the New England Journal of Medicine. Follow me to longer living: http://www.mmv9.org?affil=49 Scientific research and evidence overwhelmingly demonstrates that, in addition to genetic and environmental factors, our body's reduced production of H-uman...G-rowth...H-ormone is a direct cause of aging. Between the ages of 20 to 70, our levels can fall by more than 75%. This may cause us to look and feel older and less energetic. By the time most of us have reached our forties, we are already experiencing a H-uman...G-rowth...H-ormone deficiency. Follow me to longer living: http://www.mmv9.org?affil=49 Our competitors charge as high as 65 dollars---get ours for less than 50. Follow me to longer living: http://www.mmv9.org?affil=49 No more advertisements, thanks - http://www.aqmp.net/out5s/rem2e.asp gibohzribvyp From macro at ds2.pg.gda.pl Sun Nov 16 05:27:00 2003 From: macro at ds2.pg.gda.pl (Maciej W. Rozycki) Date: Sat, 15 Nov 2003 19:27:00 +0100 (CET) Subject: [patch] 3.7.1p2: slogin symlink fixes Message-ID: Hello, There are three small problems with the "slogin" and "slogin.1" symlinks created upon installation: 1. "./" is included in the target path unnecessarily. 2. Symlinks are assumed to be available, while only hardlinks could. 3. EXEEXT is not respected for slogin. Here is a fix for both problems -- the "./" is simply removed, EXEEXT is added, the availability of symlinks is tested and the installation command is rewritten to work even with hardlinks. It works for me. Please apply. Maciej -- + Maciej W. Rozycki, Technical University of Gdansk, Poland + +--------------------------------------------------------------+ + e-mail: macro at ds2.pg.gda.pl, PGP key available + openssh-3.6.1p2-symlink.patch diff -up --recursive --new-file openssh-3.6.1p2.macro/Makefile.in openssh-3.6.1p2/Makefile.in --- openssh-3.6.1p2.macro/Makefile.in 2003-04-29 09:12:08.000000000 +0000 +++ openssh-3.6.1p2/Makefile.in 2003-05-06 20:55:54.000000000 +0000 @@ -48,6 +48,7 @@ LIBWRAP=@LIBWRAP@ AR=@AR@ RANLIB=@RANLIB@ INSTALL=@INSTALL@ +LN_S=@LN_S@ PERL=@PERL@ SED=@SED@ ENT=@ENT@ @@ -263,9 +264,9 @@ install-files: scard-install $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(bindir)/slogin - ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin + cd $(DESTDIR)$(bindir) && $(LN_S) ssh$(EXEEXT) slogin$(EXEEXT) -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 - ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 + cd $(DESTDIR)$(mandir)/$(mansubdir)1 && $(LN_S) ssh.1 slogin.1 if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ $(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \ fi diff -up --recursive --new-file openssh-3.6.1p2.macro/configure.ac openssh-3.6.1p2/configure.ac --- openssh-3.6.1p2.macro/configure.ac 2003-04-29 09:12:08.000000000 +0000 +++ openssh-3.6.1p2/configure.ac 2003-05-06 20:53:51.000000000 +0000 @@ -12,6 +12,7 @@ AC_C_BIGENDIAN AC_PROG_CPP AC_PROG_RANLIB AC_PROG_INSTALL +AC_PROG_LN_S AC_PATH_PROG(AR, ar) AC_PATH_PROGS(PERL, perl5 perl) AC_PATH_PROG(SED, sed) From yoshfuji at linux-ipv6.org Sun Nov 16 16:53:43 2003 From: yoshfuji at linux-ipv6.org (YOSHIFUJI Hideaki / =?iso-2022-jp?B?GyRCNUhGIzFRTEAbKEI=?=) Date: Sun, 16 Nov 2003 00:53:43 -0500 (EST) Subject: [patch] 3.7.1p2: slogin symlink fixes In-Reply-To: References: Message-ID: <20031116.005343.36698328.yoshfuji@linux-ipv6.org> Hello. In article (at Sat, 15 Nov 2003 19:27:00 +0100 (CET)), "Maciej W. Rozycki" says: > -rm -f $(DESTDIR)$(bindir)/slogin > - ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin > + cd $(DESTDIR)$(bindir) && $(LN_S) ssh$(EXEEXT) slogin$(EXEEXT) Why not: $(LN_S) ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin$(EXEEXT) > -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 > - ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 > + cd $(DESTDIR)$(mandir)/$(mansubdir)1 && $(LN_S) ssh.1 slogin.1 Why not: $(LN_S) ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 --yoshfuji From mouring at etoh.eviladmin.org Sun Nov 16 17:45:50 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sun, 16 Nov 2003 00:45:50 -0600 (CST) Subject: [patch] 3.7.1p2: slogin symlink fixes In-Reply-To: Message-ID: On Sat, 15 Nov 2003, Maciej W. Rozycki wrote: > Hello, > > There are three small problems with the "slogin" and "slogin.1" symlinks > created upon installation: > > 1. "./" is included in the target path unnecessarily. > > 2. Symlinks are assumed to be available, while only hardlinks could. > Are we trying to solve a real world problem here? Or is just change for the sake of change? What platform do these two things cause hardships on? > 3. EXEEXT is not respected for slogin. > Can I get someone on Cygwin platform to verify this? That would be the only platform this affects. - Ben From gert at greenie.muc.de Mon Nov 17 04:30:25 2003 From: gert at greenie.muc.de (Gert Doering) Date: Sun, 16 Nov 2003 18:30:25 +0100 Subject: [patch] 3.7.1p2: slogin symlink fixes In-Reply-To: <20031116.005343.36698328.yoshfuji@linux-ipv6.org>; from yoshfuji@linux-ipv6.org on Sun, Nov 16, 2003 at 12:53:43AM -0500 References: <20031116.005343.36698328.yoshfuji@linux-ipv6.org> Message-ID: <20031116183025.O12426@greenie.muc.de> Hi, On Sun, Nov 16, 2003 at 12:53:43AM -0500, YOSHIFUJI Hideaki / ?$B5HF#1QL@?(B wrote: > > -rm -f $(DESTDIR)$(bindir)/slogin > > - ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin > > + cd $(DESTDIR)$(bindir) && $(LN_S) ssh$(EXEEXT) slogin$(EXEEXT) > > Why not: > $(LN_S) ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin$(EXEEXT) Because that's not going to work for hard links. A hard link needs a real file to start with, so unless you specify the full path (which would make the symlink non-local) you need to be in the proper directory. gert -- Gert Doering Mobile communications ... right now writing from * ICE 1611 Berlin -> MUC * From vinschen at redhat.com Mon Nov 17 03:57:12 2003 From: vinschen at redhat.com (Corinna Vinschen) Date: Sun, 16 Nov 2003 17:57:12 +0100 Subject: [patch] 3.7.1p2: slogin symlink fixes In-Reply-To: References: Message-ID: <20031116165712.GA18706@cygbert.vinschen.de> On Sun, Nov 16, 2003 at 12:45:50AM -0600, Ben Lindstrom wrote: > On Sat, 15 Nov 2003, Maciej W. Rozycki wrote: > > There are three small problems with the "slogin" and "slogin.1" symlinks > > created upon installation: > > > > 1. "./" is included in the target path unnecessarily. > > > > 2. Symlinks are assumed to be available, while only hardlinks could. > > Are we trying to solve a real world problem here? Or is just change for > the sake of change? What platform do these two things cause hardships on? > > > 3. EXEEXT is not respected for slogin. > > Can I get someone on Cygwin platform to verify this? That would be the > only platform this affects. The above is a non-issue on Cygwin. EXEEXT isn't necessary for slogin. It's a symlink, not an executable and only executables should have the ".exe" suffix. I vaguely recall that I sent a patch once to remove EXEEXT from creating the slogin symlink. Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. From macro at ds2.pg.gda.pl Tue Nov 18 03:32:29 2003 From: macro at ds2.pg.gda.pl (Maciej W. Rozycki) Date: Mon, 17 Nov 2003 17:32:29 +0100 (CET) Subject: [patch] 3.7.1p2: slogin symlink fixes In-Reply-To: References: Message-ID: On Sun, 16 Nov 2003, Ben Lindstrom wrote: > > There are three small problems with the "slogin" and "slogin.1" symlinks > > created upon installation: > > > > 1. "./" is included in the target path unnecessarily. > > > > 2. Symlinks are assumed to be available, while only hardlinks could. > > Are we trying to solve a real world problem here? Or is just change for > the sake of change? What platform do these two things cause hardships on? > > > 3. EXEEXT is not respected for slogin. > > Can I get someone on Cygwin platform to verify this? That would be the > only platform this affects. These are clean-ups of the usual kind I prepare during maintenance of software (I keep a repository of packaged software for MIPSel/Linux) and are not results of fatal problems for my platform. I try to get back to the maintainers of the affected software whenever I consider a change is clean enough for general use so that work does not happen to be duplicated. If you don't like the changes, then just disregard them -- I'll keep a private copy. Maciej -- + Maciej W. Rozycki, Technical University of Gdansk, Poland + +--------------------------------------------------------------+ + e-mail: macro at ds2.pg.gda.pl, PGP key available + From Bob.Edgar at commerzbankib.com Tue Nov 18 03:45:01 2003 From: Bob.Edgar at commerzbankib.com (Edgar, Bob) Date: Mon, 17 Nov 2003 17:45:01 +0100 Subject: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords Message-ID: <9D248E1E43ABD411A9B600508BAF6E9B076B456B@xmx7fraib.fra.ib.commerzbank.com> Greetings, I know that part of the following has been discussed here before but please bear with me. We are running on Solaris versions 2.6 - 9 with a NISplus name service. The permissions on the NISplus password map have been modified to limit read access to the encrypted password field of the passwd table to only the entry owner and the table administrators. See: http://docs.sun.com/db/doc/801-6633/6i10dhc35?a=view This modification means that only a validated user can see the encrypted password field and further the user can see _only_ his or her own password, all other entries are returned as "*NP*". This behavior poses a chicken and egg problem: how can a user be authenticated when the password field is not visible? The PAM stack handles this by treating the supplied password as the key used to decrypt the user's secret key used when issuing requests to any secure RPC services. What all of the above means in terms of OpenSSH is that PasswordAuthentication will not function and that UsePAM is required. While this functions properly for normal users it has one very negative security implication with respect to root logins: PermitRootLogin is not respected when UsePAM is in effect. I submit that ignoring the PermitRootLogin directive is counter intuitive and that doing so opens a serious security hole for the unwary. As this behavior is documented it can be considered a feature but I would like to propose that this decision be revisited in light of the above. Pam support is now in keyboard-interactive and I have looked at the code enough to realize that the change is not "obvious by inspection". I would greatly appreciate any help anyone (Darren Tucker?) might provide in generating a patch that implements PermitRootLogin with UsePAM. Thanks for your time and apologies if the above is unclear or incorrect. bob The legal word: "This message only reflects the personal opinion of the author and must not be regarded as or considered to be any form of reference to the opinion of the Commerzbank AG or any of its affiliated companies." On the other hand, it probably doesn't accurately reflect the author's opinion either, but that's another story. So it goes. Copyright (C) 2003 MrBob, no rights reserved. From mouring at etoh.eviladmin.org Tue Nov 18 03:51:13 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 17 Nov 2003 10:51:13 -0600 (CST) Subject: [patch] 3.7.1p2: slogin symlink fixes In-Reply-To: Message-ID: On Mon, 17 Nov 2003, Maciej W. Rozycki wrote: > On Sun, 16 Nov 2003, Ben Lindstrom wrote: > > > > There are three small problems with the "slogin" and "slogin.1" symlinks > > > created upon installation: > > > > > > 1. "./" is included in the target path unnecessarily. > > > > > > 2. Symlinks are assumed to be available, while only hardlinks could. > > > > Are we trying to solve a real world problem here? Or is just change for > > the sake of change? What platform do these two things cause hardships on? > > > > > 3. EXEEXT is not respected for slogin. > > > > Can I get someone on Cygwin platform to verify this? That would be the > > only platform this affects. > > These are clean-ups of the usual kind I prepare during maintenance of > software (I keep a repository of packaged software for MIPSel/Linux) and > are not results of fatal problems for my platform. I try to get back to > the maintainers of the affected software whenever I consider a change is > clean enough for general use so that work does not happen to be > duplicated. If you don't like the changes, then just disregard them -- > I'll keep a private copy. > I just want to know if there is any good justifications. #3 is definitely wrong at least for Cygwin (which is the only platform that uses this hack), and #1/#2 I'd be willing to entertain if there was good justifications. I also worry it will break "fakeroot builds" (make DESTDIR=..) which is something I can't allow to happen since it would cause package building issues for at least Solaris and AIX. - Ben From macro at ds2.pg.gda.pl Tue Nov 18 04:17:59 2003 From: macro at ds2.pg.gda.pl (Maciej W. Rozycki) Date: Mon, 17 Nov 2003 18:17:59 +0100 (CET) Subject: [patch] 3.7.1p2: slogin symlink fixes In-Reply-To: References: Message-ID: On Mon, 17 Nov 2003, Ben Lindstrom wrote: > > software (I keep a repository of packaged software for MIPSel/Linux) and > > are not results of fatal problems for my platform. I try to get back to > > the maintainers of the affected software whenever I consider a change is > > clean enough for general use so that work does not happen to be > > duplicated. If you don't like the changes, then just disregard them -- > > I'll keep a private copy. > > I just want to know if there is any good justifications. #3 is definitely > wrong at least for Cygwin (which is the only platform that uses this > hack), and #1/#2 I'd be willing to entertain if there was good > justifications. I also worry it will break "fakeroot builds" (make > DESTDIR=..) which is something I can't allow to happen since it would > cause package building issues for at least Solaris and AIX. Since I use RPM for packaging, I can assure you DESTDIR doesn't get broken. Actually this is the recommended way of creating symlinks -- see the description for AC_PROG_LN_S in the autoconf manual -- and there is a suggestion similar to mine in the automake manual as well. Actually the automake suggestion covers #3 as well (I can't comment Cygwin as I don't use it, but I'm pretty confident automake authors know what they write). Maciej -- + Maciej W. Rozycki, Technical University of Gdansk, Poland + +--------------------------------------------------------------+ + e-mail: macro at ds2.pg.gda.pl, PGP key available + From djm at mindrot.org Tue Nov 18 10:50:01 2003 From: djm at mindrot.org (Damien Miller) Date: Tue, 18 Nov 2003 10:50:01 +1100 Subject: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords In-Reply-To: <9D248E1E43ABD411A9B600508BAF6E9B076B456B@xmx7fraib.fra.ib.commerzbank.com> References: <9D248E1E43ABD411A9B600508BAF6E9B076B456B@xmx7fraib.fra.ib.commerzbank.com> Message-ID: <3FB95EA9.7050108@mindrot.org> Edgar, Bob wrote: > What all of the above means in terms of OpenSSH is that > PasswordAuthentication will not function and that UsePAM is required. > While this functions properly for normal users it has one very negative > security implication with respect to root logins: PermitRootLogin is > not respected when UsePAM is in effect. I submit that ignoring the > PermitRootLogin directive is counter intuitive and that doing so opens > a serious security hole for the unwary. As this behavior is documented > it can be considered a feature but I would like to propose that this > decision be revisited in light of the above. What is the problem with PermitRootLogin and UsePAM=yes? It works fine for me. -d From layers at netcom.com Wed Nov 19 03:54:59 2003 From: layers at netcom.com (layers at netcom.com) Date: Tue, 18 Nov 2003 11:54:59 -0500 Subject: It's very interesting Message-ID: <101101c3adf4$35651766$e3fad5a5@netcom.com> Hello. Openssh. My name is John Vachevski. A few days ago in Internet I found a new e-gold High Yield Investment Program. I invested 200$, and now I get about 3.5% (7$) everyday. They use automatic system, so I can request my money at any time, and right after Withdraw. This is fantastic. If you do not belive in it then please visit http://www.Stockgold.net?ref=john_v . Why do I tell you this? Because this is my business and I recieve 10% from the money you invest. You also will be able to recieve % from your refferals (people who registered using your link), this refferal link you will get right after registration. http://www.Stockgold.net?ref=john_v Sincerely, John Vachevski mailto:john_v at post.com For Unsubscribe please sent me mail to john_v at post.com. From djm at mindrot.org Tue Nov 18 22:46:01 2003 From: djm at mindrot.org (Damien Miller) Date: Tue, 18 Nov 2003 11:46:01 -0000 Subject: Testing of recent commits Message-ID: <1069155926.10951.61.camel@sakura.mindrot.org> There have been a few recent commits to portable OpenSSH that require testing. It would be appreciated if you could grab the 20031118 (or later) snapshot and give it a try on your platforms of choice. Ideally, "giving it a try" means running the regress tests, in addition to casual (non-production) use and reporting your experiences back to the list. The more platforms and compile-time options, the better. Please note that the new snapshots replace the experimental "gssapi" authentication method with an improved "gssapi-with-mic" method. The new method (which does *not* interoperate with the deprecated "gssapi" method) provides proper validation of the session ID between the client and the server. Some of the highlights (more in the ChangeLog): - (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv, and use it for do_pam_session. Fixes problems like pam_motd not displaying anything. ok djm@ - jakob at cvs.openbsd.org 2003/11/12 16:39:58 [dns.c dns.h readconf.c ssh_config.5 sshconnect.c] update SSHFP validation. ok markus@ - markus at cvs.openbsd.org 2003/11/17 11:06:07 [auth2-gss.c gss-genr.c gss-serv.c monitor.c monitor.h] [monitor_wrap.c monitor_wrap.h sshconnect2.c ssh-gss.h] replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob. - (djm) Bug #632: Don't call pam_end indirectly from within kbd-int conversation function - (djm) Export environment variables from authentication subprocess to parent. Part of Bug #717 -d From Bob.Edgar at commerzbankib.com Tue Nov 18 23:47:25 2003 From: Bob.Edgar at commerzbankib.com (Edgar, Bob) Date: Tue, 18 Nov 2003 13:47:25 +0100 Subject: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds Message-ID: <9D248E1E43ABD411A9B600508BAF6E9B076B4572@xmx7fraib.fra.ib.commerzbank.com> It works for the "yes" case but not for the "without-password" case. The function that checks (auth_root_allowed(auth_method) is special cased for "password". The Pam case sends "keyboard-interactive/pam" which like all other authentication methods except password succeeds. Here is a patch to make it work for me. Please feel free to criticize as appropriate. bob diff -r -u openssh-3.7.1p2-vanilla/auth.c openssh-3.7.1p2/auth.c --- openssh-3.7.1p2-vanilla/auth.c Tue Sep 2 23:32:46 2003 +++ openssh-3.7.1p2/auth.c Mon Nov 17 20:32:45 2003 @@ -315,7 +315,8 @@ return 1; break; case PERMIT_NO_PASSWD: - if (strcmp(method, "password") != 0) + if (strcmp(method, "password") != 0 + && strcmp(method, "keyboard-interactive/pam") != 0) return 1; break; case PERMIT_FORCED_ONLY: diff -r -u openssh-3.7.1p2-vanilla/monitor.c openssh-3.7.1p2/monitor.c --- openssh-3.7.1p2-vanilla/monitor.c Tue Sep 2 23:32:46 2003 +++ openssh-3.7.1p2/monitor.c Mon Nov 17 20:32:33 2003 @@ -306,7 +306,7 @@ authenticated = 0; #ifdef USE_PAM /* PAM needs to perform account checks after auth */ - if (options.use_pam) { + if (authenticated && options.use_pam) { Buffer m; buffer_init(&m); -----Original Message----- From: Damien Miller [mailto:djm at mindrot.org] Sent: Dienstag, 18. November 2003 00:50 To: Edgar, Bob Cc: openssh-unix-dev at mindrot.org Subject: Re: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwords Edgar, Bob wrote: > What all of the above means in terms of OpenSSH is that > PasswordAuthentication will not function and that UsePAM is required. > While this functions properly for normal users it has one very negative > security implication with respect to root logins: PermitRootLogin is > not respected when UsePAM is in effect. I submit that ignoring the > PermitRootLogin directive is counter intuitive and that doing so opens > a serious security hole for the unwary. As this behavior is documented > it can be considered a feature but I would like to propose that this > decision be revisited in light of the above. What is the problem with PermitRootLogin and UsePAM=yes? It works fine for me. -d -------------- next part -------------- A non-text attachment was scrubbed... Name: root.patch Type: application/octet-stream Size: 847 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20031118/90586e6c/attachment.obj From dtucker at zip.com.au Wed Nov 19 01:09:18 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 19 Nov 2003 01:09:18 +1100 Subject: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds References: <9D248E1E43ABD411A9B600508BAF6E9B076B4572@xmx7fraib.fra.ib.commerzbank.com> Message-ID: <3FBA280E.39121556@zip.com.au> "Edgar, Bob" wrote: > > It works for the "yes" case but not for the "without-password" case. > The function that checks (auth_root_allowed(auth_method) is special > cased for "password". The Pam case sends "keyboard-interactive/pam" > which like all other authentication methods except password succeeds. > > Here is a patch to make it work for me. Please feel free to criticize > as appropriate. [snip patch] The catch is PAM might not use any kind of password, it might use a super-secure two-factor authentication or something. In that case, "without-password" would be misleading. Maybe we need a more general "AllowedRootAuthMethods" option? Maybe not. Perhaps "PermitRootLogin pubkey-only"? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From vinschen at redhat.com Wed Nov 19 01:43:31 2003 From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 18 Nov 2003 15:43:31 +0100 Subject: Testing of recent commits In-Reply-To: <1069155926.10951.61.camel@sakura.mindrot.org> References: <1069155926.10951.61.camel@sakura.mindrot.org> Message-ID: <20031118144331.GA32723@cygbert.vinschen.de> On Tue, Nov 18, 2003 at 10:45:26PM +1100, Damien Miller wrote: > There have been a few recent commits to portable OpenSSH that require > testing. It would be appreciated if you could grab the 20031118 (or > later) snapshot and give it a try on your platforms of choice. I had no time to build latest openssh from CVS for a few weeks now and, unfortunately, a change from last month results in not being able to build on Cygwin: 20031015 - (dtucker) [acconfig.h configure.ac dns.c openbsd-compat/getrrsetbyname.c openbsd-compat/getrrsetbyname.h] DNS fingerprint support is now always compiled in but disabled in config. The problem is that this change requires a system to have the DNS query functions and header files arpa/nameser.h and resolv.h which are not available on Cygwin. There exists an implementation but it's not part of Cygwin so far. Building OpenSSH works probably fine again, if the above change is reverted, including all code snippets, which were ifdef'd DNS before. Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. From dan at D00M.integrate.com.ru Wed Nov 19 01:46:08 2003 From: dan at D00M.integrate.com.ru (Dan Yefimov) Date: Tue, 18 Nov 2003 17:46:08 +0300 (MSK) Subject: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds In-Reply-To: <9D248E1E43ABD411A9B600508BAF6E9B076B4572@xmx7fraib.fra.ib.commerzbank.com> Message-ID: On Tue, 18 Nov 2003, Edgar, Bob wrote: > It works for the "yes" case but not for the "without-password" case. > The function that checks (auth_root_allowed(auth_method) is special > cased for "password". The Pam case sends "keyboard-interactive/pam" > which like all other authentication methods except password succeeds. > > Here is a patch to make it work for me. Please feel free to criticize > as appropriate. > This patch will actually disable ANY type of root authentication made with PAM, regardless of whether it is a password-based or something other. Instead of patching OpenSSH you could configure PAM with line as follows (true at least for Linux-PAM): auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers This line should be inserted before reference to any other module of type 'auth' that performs actual authentication. The file /etc/ssh/denyusers should contain the only line containing 'root'. For other platforms using PAM other module providing the like functionality could be used. > bob > > diff -r -u openssh-3.7.1p2-vanilla/auth.c openssh-3.7.1p2/auth.c > --- openssh-3.7.1p2-vanilla/auth.c Tue Sep 2 23:32:46 2003 > +++ openssh-3.7.1p2/auth.c Mon Nov 17 20:32:45 2003 > @@ -315,7 +315,8 @@ > return 1; > break; > case PERMIT_NO_PASSWD: > - if (strcmp(method, "password") != 0) > + if (strcmp(method, "password") != 0 > + && strcmp(method, "keyboard-interactive/pam") != 0) > return 1; > break; > case PERMIT_FORCED_ONLY: > diff -r -u openssh-3.7.1p2-vanilla/monitor.c openssh-3.7.1p2/monitor.c > --- openssh-3.7.1p2-vanilla/monitor.c Tue Sep 2 23:32:46 2003 > +++ openssh-3.7.1p2/monitor.c Mon Nov 17 20:32:33 2003 > @@ -306,7 +306,7 @@ > authenticated = 0; > #ifdef USE_PAM > /* PAM needs to perform account checks after auth */ > - if (options.use_pam) { > + if (authenticated && options.use_pam) { > Buffer m; > > buffer_init(&m); > > > > -----Original Message----- > From: Damien Miller [mailto:djm at mindrot.org] > Sent: Dienstag, 18. November 2003 00:50 > To: Edgar, Bob > Cc: openssh-unix-dev at mindrot.org > Subject: Re: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus > passwords > > > Edgar, Bob wrote: > > > What all of the above means in terms of OpenSSH is that > > PasswordAuthentication will not function and that UsePAM is required. > > While this functions properly for normal users it has one very negative > > security implication with respect to root logins: PermitRootLogin is > > not respected when UsePAM is in effect. I submit that ignoring the > > PermitRootLogin directive is counter intuitive and that doing so opens > > a serious security hole for the unwary. As this behavior is documented > > it can be considered a feature but I would like to propose that this > > decision be revisited in light of the above. > > What is the problem with PermitRootLogin and UsePAM=yes? It works fine > for me. > -- Sincerely Your, Dan. From dan at D00M.integrate.com.ru Wed Nov 19 02:08:39 2003 From: dan at D00M.integrate.com.ru (Dan Yefimov) Date: Tue, 18 Nov 2003 18:08:39 +0300 (MSK) Subject: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds In-Reply-To: <3FBA280E.39121556@zip.com.au> Message-ID: On Wed, 19 Nov 2003, Darren Tucker wrote: > Maybe we need a more general "AllowedRootAuthMethods" option? Maybe not. > Perhaps "PermitRootLogin pubkey-only"? > IMHO for the future there'll be definitely need for something like the former option you suggested, but for now there may be enough the latter one. -- Sincerely Your, Dan. From Bob.Edgar at commerzbankib.com Wed Nov 19 02:24:02 2003 From: Bob.Edgar at commerzbankib.com (Edgar, Bob) Date: Tue, 18 Nov 2003 16:24:02 +0100 Subject: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds Message-ID: <9D248E1E43ABD411A9B600508BAF6E9B076B4578@xmx7fraib.fra.ib.commerzbank.com> First: yes, the patch disables root login for all PAM. But that's ok. Why? If "PermitRootLogin yes" is set then the behavior is as before. The patch gives an admin the choice to block all PAM/root logins (which are typically normal, plain vanilla, password logins). If more flexibility is required then the "yes" value will allow the PAM stack to decide. The PAM solution is clearly an option (thanks!) but not here (and I suspect many other sites as well). We have several hundred servers that would need to have a change to the PAM configuration. Sun doesn't supply a PAM module that supports the functionality required (at least, none that I am aware of) which means finding one or building one in-house. This option brings with it the usual risks with any development and is for that reason not attractive. Darren Tucker's comment about being misleading is, of course, true but I find the current state misleading as well but more dangerous. The system admin has configured the system and thinks that root logins with password are disabled but in fact they are not. Yes, as I acknowledged in my first post, it is documented so it is technically not a bug but this is the real world and I think the least surprises rule should apply here. bob -----Original Message----- From: Dan Yefimov [mailto:dan at D00M.integrate.com.ru] Sent: Dienstag, 18. November 2003 15:46 To: Edgar, Bob Cc: openssh-unix-dev at mindrot.org Subject: RE: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds On Tue, 18 Nov 2003, Edgar, Bob wrote: > It works for the "yes" case but not for the "without-password" case. > The function that checks (auth_root_allowed(auth_method) is special > cased for "password". The Pam case sends "keyboard-interactive/pam" > which like all other authentication methods except password succeeds. > > Here is a patch to make it work for me. Please feel free to criticize > as appropriate. > This patch will actually disable ANY type of root authentication made with PAM, regardless of whether it is a password-based or something other. Instead of patching OpenSSH you could configure PAM with line as follows (true at least for Linux-PAM): auth required pam_listfile.so item=user sense=deny file=/etc/ssh/denyusers This line should be inserted before reference to any other module of type 'auth' that performs actual authentication. The file /etc/ssh/denyusers should contain the only line containing 'root'. For other platforms using PAM other module providing the like functionality could be used. > bob > > diff -r -u openssh-3.7.1p2-vanilla/auth.c openssh-3.7.1p2/auth.c > --- openssh-3.7.1p2-vanilla/auth.c Tue Sep 2 23:32:46 2003 > +++ openssh-3.7.1p2/auth.c Mon Nov 17 20:32:45 2003 > @@ -315,7 +315,8 @@ > return 1; > break; > case PERMIT_NO_PASSWD: > - if (strcmp(method, "password") != 0) > + if (strcmp(method, "password") != 0 > + && strcmp(method, "keyboard-interactive/pam") != 0) > return 1; > break; > case PERMIT_FORCED_ONLY: > diff -r -u openssh-3.7.1p2-vanilla/monitor.c openssh-3.7.1p2/monitor.c > --- openssh-3.7.1p2-vanilla/monitor.c Tue Sep 2 23:32:46 2003 > +++ openssh-3.7.1p2/monitor.c Mon Nov 17 20:32:33 2003 > @@ -306,7 +306,7 @@ > authenticated = 0; > #ifdef USE_PAM > /* PAM needs to perform account checks after auth */ > - if (options.use_pam) { > + if (authenticated && options.use_pam) { > Buffer m; > > buffer_init(&m); > > > > -----Original Message----- > From: Damien Miller [mailto:djm at mindrot.org] > Sent: Dienstag, 18. November 2003 00:50 > To: Edgar, Bob > Cc: openssh-unix-dev at mindrot.org > Subject: Re: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus > passwords > > > Edgar, Bob wrote: > > > What all of the above means in terms of OpenSSH is that > > PasswordAuthentication will not function and that UsePAM is required. > > While this functions properly for normal users it has one very negative > > security implication with respect to root logins: PermitRootLogin is > > not respected when UsePAM is in effect. I submit that ignoring the > > PermitRootLogin directive is counter intuitive and that doing so opens > > a serious security hole for the unwary. As this behavior is documented > > it can be considered a feature but I would like to propose that this > > decision be revisited in light of the above. > > What is the problem with PermitRootLogin and UsePAM=yes? It works fine > for me. > -- Sincerely Your, Dan. From dan at D00M.integrate.com.ru Wed Nov 19 02:54:41 2003 From: dan at D00M.integrate.com.ru (Dan Yefimov) Date: Tue, 18 Nov 2003 18:54:41 +0300 (MSK) Subject: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds In-Reply-To: <9D248E1E43ABD411A9B600508BAF6E9B076B4578@xmx7fraib.fra.ib.commerzbank.com> Message-ID: On Tue, 18 Nov 2003, Edgar, Bob wrote: > First: yes, the patch disables root login for all PAM. But that's ok. > Why? If "PermitRootLogin yes" is set then the behavior is as before. The > patch gives an admin the choice to block all PAM/root logins (which are > typically normal, plain vanilla, password logins). If more flexibility is > required then the "yes" value will allow the PAM stack to decide. > > The PAM solution is clearly an option (thanks!) but not here (and I suspect > many other sites as well). We have several hundred servers that would need > to have a change to the PAM configuration. Sun doesn't supply a PAM module > that supports the functionality required (at least, none that I am aware of) > which means finding one or building one in-house. This option brings with it > the usual risks with any development and is for that reason not attractive. > > Darren Tucker's comment about being misleading is, of course, true but I > find > the current state misleading as well but more dangerous. The system admin > has > configured the system and thinks that root logins with password are disabled > but in fact they are not. Yes, as I acknowledged in my first post, it is > documented so it is technically not a bug but this is the real world and I > think the least surprises rule should apply here. > The current state is in no case misleading. As it was already meantioned by Damien Miller, 'PermitRootLogin no' setting is honoured. 'PermitRootLogin without-password' disables password authentication as such for root. But PAM is used only if challenge-response authentication is enabled. And it is 'PermitRootLogin without-password' disabling challenge-response authentication that is misleading. 'PermitRootLogin pubkey-only' or AllowedRootAuthMethods options suggested by Darren Tucker would be the more appropriate general solutions here. -- Sincerely Your, Dan. From markus at openbsd.org Wed Nov 19 03:16:06 2003 From: markus at openbsd.org (Markus Friedl) Date: Tue, 18 Nov 2003 17:16:06 +0100 Subject: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds In-Reply-To: <3FBA280E.39121556@zip.com.au> References: <9D248E1E43ABD411A9B600508BAF6E9B076B4572@xmx7fraib.fra.ib.commerzbank.com> <3FBA280E.39121556@zip.com.au> Message-ID: <20031118161606.GA27801@folly> On Wed, Nov 19, 2003 at 01:09:18AM +1100, Darren Tucker wrote: > "Edgar, Bob" wrote: > > > > It works for the "yes" case but not for the "without-password" case. > > The function that checks (auth_root_allowed(auth_method) is special > > cased for "password". The Pam case sends "keyboard-interactive/pam" > > which like all other authentication methods except password succeeds. > > > > Here is a patch to make it work for me. Please feel free to criticize > > as appropriate. > [snip patch] > > The catch is PAM might not use any kind of password, it might use a > super-secure two-factor authentication or something. In that case, > "without-password" would be misleading. > > Maybe we need a more general "AllowedRootAuthMethods" option? Maybe not. > Perhaps "PermitRootLogin pubkey-only"? IMHO it's PAM's job to control access if PAM is used. From stuge-openssh-unix-dev at cdy.org Wed Nov 19 03:46:58 2003 From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Tue, 18 Nov 2003 17:46:58 +0100 Subject: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds In-Reply-To: <20031118161606.GA27801@folly> References: <9D248E1E43ABD411A9B600508BAF6E9B076B4572@xmx7fraib.fra.ib.commerzbank.com> <3FBA280E.39121556@zip.com.au> <20031118161606.GA27801@folly> Message-ID: <20031118164658.GD24560@foo.birdnet.se> On Tue, Nov 18, 2003 at 05:16:06PM +0100, Markus Friedl wrote: > IMHO it's PAM's job to control access if PAM is used. :) That's the idea, anyway. Not that I'm the expert, PAM already confuses me a bit, but I think the larger problem is that sshd wants to have some control over the authentication process in order to do a couple of things (pubkey, hostbased, Kerberos and GSSAPI that I can think of) on it's own. Maybe they {sh,c}ould be moved to PAM in some distant future, but even then everyone wont be using PAM. It remains the job of sshd. My point is that I agree with you on the responsibilities of PAM, but I think people will need to complement it with things like pubkey auth, or certificates, or even HTTP basic auth for a long time still. I know I do. //Peter From Bob.Edgar at commerzbankib.com Wed Nov 19 04:11:02 2003 From: Bob.Edgar at commerzbankib.com (Edgar, Bob) Date: Tue, 18 Nov 2003 18:11:02 +0100 Subject: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds Message-ID: <9D248E1E43ABD411A9B600508BAF6E9B076B457A@xmx7fraib.fra.ib.commerzbank.com> In principal, yes, but there are two points to consider. One is that the behavior of SSH changed from 3.5 (3.6?) to 3.7. It is not possible to implement to old behavior without adding a new PAM module and changing the PAM configuration at least on Solaris systems. It should also be noted that the same design change breaks connectivity with older versions of ssh.com client which don't support challenge-response. Remember too that I don't have an alternative to using PAM, the protected password fields in NIS+ (a good thing IMHO) require it. The second is that (at least to my knowledge) other programs like telnet, ftp and login do not rely upon the PAM stack for this purpose but have their own option to permit or forbid root access. This is still the behavior when SSH does it's password auth. Here again is the situation: UsePAM yes is incompatible with PasswordAuthentication. Currently "UsePAM yes" enabled has "PermitRootLogin yes" exhibiting the same behavior as "PermitRootLogin without-password" (what the PAM stack allows is ok). The change I submitted modifies the behavior for "PAM yes" and "PermitRootLogin without-password" to allow the administrator to block root access via PAM. The "PermitRootLogin yes" still follows the decision made by the PAM stack and thus allows for fancy authentication thingies. This change allows older configurations to continue to work without modification to the PAM config or additional modules without removing any functionality or control in the current implementation. If someone can provide a better fix for the problem described I'd be more than happy to adopt it. In the mean time, thanks for your time and comments. bob -----Original Message----- From: Markus Friedl [mailto:markus at openbsd.org] Sent: Dienstag, 18. November 2003 17:16 To: Darren Tucker Cc: Edgar, Bob; openssh-unix-dev at mindrot.org Subject: Re: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds On Wed, Nov 19, 2003 at 01:09:18AM +1100, Darren Tucker wrote: > "Edgar, Bob" wrote: > > > > It works for the "yes" case but not for the "without-password" case. > > The function that checks (auth_root_allowed(auth_method) is special > > cased for "password". The Pam case sends "keyboard-interactive/pam" > > which like all other authentication methods except password succeeds. > > > > Here is a patch to make it work for me. Please feel free to criticize > > as appropriate. > [snip patch] > > The catch is PAM might not use any kind of password, it might use a > super-secure two-factor authentication or something. In that case, > "without-password" would be misleading. > > Maybe we need a more general "AllowedRootAuthMethods" option? Maybe not. > Perhaps "PermitRootLogin pubkey-only"? IMHO it's PAM's job to control access if PAM is used. From Darren.Moffat at Sun.COM Wed Nov 19 04:14:58 2003 From: Darren.Moffat at Sun.COM (Darren J Moffat) Date: Tue, 18 Nov 2003 09:14:58 -0800 (PST) Subject: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds In-Reply-To: <20031118164658.GD24560@foo.birdnet.se> Message-ID: On Tue, 18 Nov 2003, Peter Stuge wrote: > On Tue, Nov 18, 2003 at 05:16:06PM +0100, Markus Friedl wrote: > > IMHO it's PAM's job to control access if PAM is used. > > :) That's the idea, anyway. > > Not that I'm the expert, PAM already confuses me a bit, but I think the > larger problem is that sshd wants to have some control over the > authentication process in order to do a couple of things (pubkey, > hostbased, Kerberos and GSSAPI that I can think of) on it's own. > > Maybe they {sh,c}ould be moved to PAM in some distant future, but even then > everyone wont be using PAM. It remains the job of sshd. That isn't particularly easy to do (it also isn't likey to happen in OpenSSH since PAM doesn't exist on all platforms). One reason it isn't that easy to do is because ssh pubkey and GSSAPI need things off the wire, PAM doesn't have any direct access to the wire. PAM isn intended to do initial authentication. GSSAPI does not do inital authentication and that isn't what it was designed for. GSS auth shouldn't be done as a PAM module even if it could be. -- Darren J Moffat From nospam at magestower.net Wed Nov 19 05:05:22 2003 From: nospam at magestower.net (The Alchemist) Date: Tue, 18 Nov 2003 12:05:22 -0600 Subject: question on chroot patches Message-ID: <3FBA5F62.1080606@magestower.net> *This message was transferred with a trial version of CommuniGate(tm) Pro* When we last deployed OpenSSH (v. 3.4p1), we used a chroot patch supplied by John Furman. Does anyone know if that is still being maintained, and if so, where one may get it? If not, do any of the other chroot patches use the same configuration syntax? Specifically, it adds ChrootDir and ChrootUser to sshd_config. Thanks, --Jason From dtucker at zip.com.au Wed Nov 19 11:32:51 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 19 Nov 2003 11:32:51 +1100 Subject: Testing of recent commits References: <1069155926.10951.61.camel@sakura.mindrot.org> <20031118144331.GA32723@cygbert.vinschen.de> Message-ID: <3FBABA33.A8DB4A64@zip.com.au> Corinna Vinschen wrote: [current won't build on Cygwin] > 20031015 > - (dtucker) [acconfig.h configure.ac dns.c openbsd-compat/getrrsetbyname.c > openbsd-compat/getrrsetbyname.h] DNS fingerprint support is now always > compiled in but disabled in config. > > The problem is that this change requires a system to have the > DNS query functions and header files arpa/nameser.h and resolv.h > which are not available on Cygwin. There exists an implementation > but it's not part of Cygwin so far. That change matched one synced from OpenBSD where all of the "#ifdef DNS" fragments vanished. Maybe portable needs them back, or needs some dummy resolver functions in openbsd-compat? There's a chance some other platforms will have the same issue too. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From lindysandiego at yahoo.com Wed Nov 19 12:28:55 2003 From: lindysandiego at yahoo.com (Thomas Baden) Date: Tue, 18 Nov 2003 17:28:55 -0800 (PST) Subject: Testing of recent commits In-Reply-To: <3FBABA33.A8DB4A64@zip.com.au> Message-ID: <20031119012855.63036.qmail@web60501.mail.yahoo.com> Ran regression test on openssh-SNAP-20031118. OS: Solaris 5.8 on SPARC, YASSP, /dev/random. OpenSSL 0.9.7c. Forte 7 C compiler generating 64-bit code. Env Variables before configure: CC='cc -xtarget=ultra -xarch=v9 -D_XOPEN_SOURCE=500 -D__EXTENSIONS__ -L/usr/local/ssl/lib/64' CXX='CC -xtarget=ultra -xarch=v9 -D_XOPEN_SOURCE=500 -D__EXTENSIONS__ -L/usr/local/ssl/lib/64' Configure line: ./configure --without-rand-helper --without-prngd --with-pam --prefix=/opt/local --sysconfdir=/etc --with-ssl-dir=/opt/local/ssl Make tests ran with no reported errors. Cheers, -Thomas __________________________________ Do you Yahoo!? Protect your identity with Yahoo! Mail AddressGuard http://antispam.yahoo.com/whatsnewfree From dan at doxpara.com Wed Nov 19 12:49:20 2003 From: dan at doxpara.com (Dan Kaminsky) Date: Tue, 18 Nov 2003 17:49:20 -0800 Subject: Testing of recent commits In-Reply-To: <20031119012855.63036.qmail@web60501.mail.yahoo.com> References: <20031119012855.63036.qmail@web60501.mail.yahoo.com> Message-ID: <3FBACC20.10508@doxpara.com> Cygwin no longer compiles: kaminsky at avaya-8j8h5dc15 ~/openssh $ make if test ! -z ""; then \ /usr/bin/perl ./fixprogs ssh_prng_cmds ; \ fi (cd openbsd-compat && make) make[1]: Entering directory `/cygdrive/c/Documents and Settings/kaminsky/openssh/openbsd-compat' gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c bsd-arc4random.c In file included from ../openbsd-compat/openbsd-compat.h:40, from ../includes.h:173, from bsd-arc4random.c:25: ../openbsd-compat/getrrsetbyname.h:55:26: arpa/nameser.h: No such file or directory ../openbsd-compat/getrrsetbyname.h:57:20: resolv.h: No such file or directory make[1]: *** [bsd-arc4random.o] Error 1 make[1]: Leaving directory `/cygdrive/c/Documents and Settings/kaminsky/openssh/openbsd-compat' make: *** [openbsd-compat/libopenbsd-compat.a] Error 2 From mingzhao at ufl.edu Wed Nov 19 15:07:45 2003 From: mingzhao at ufl.edu (Ming) Date: Tue, 18 Nov 2003 23:07:45 -0500 Subject: ssh tunnel exits unexptected Message-ID: <3FBAEC91.30105@ufl.edu> Hi, I have setup a tunnel from server A to server B across WAN by running "ssh -l user_X -L port_A:server_B:port_B server_C -N". Server B is in a private network, so I have to establish the tunnel via server C, which is in the same LAN with B but has a public IP. The problem is, every time I start the tunnel on server B, the tunnel process will die nearly two hours later. And it always gives me the similar debugging message before it exits, e.g.: ... ... Read from remote host XXX: Connection reset by peer debug1: Transferred: stdin 0, stdout 0, stderr 69 bytes in 6959.0 seconds debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0 debug1: Exit status -1 Could anyboday give me some clues? Are there any problems with server A or with server C? I doubt it's something about timeout or KeepAlive values. But as a regular user, I don't how to check and set them. Your suggestions will be greatly appreciated. Best regards, - Ming From dtucker at zip.com.au Wed Nov 19 16:16:39 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 19 Nov 2003 16:16:39 +1100 Subject: ssh tunnel exits unexptected References: <3FBAEC91.30105@ufl.edu> Message-ID: <3FBAFCB7.AA2D4681@zip.com.au> Ming wrote: > I have setup a tunnel from server A to server B across WAN by running > "ssh -l user_X -L port_A:server_B:port_B server_C -N". Server B is in a > private network, so I have to establish the tunnel via server C, which > is in the same LAN with B but has a public IP. > The problem is, every time I start the tunnel on server B, the tunnel > process will die nearly two hours later. And it always gives me the > similar debugging message before it exits, e.g.: [snip] I'd be willing to bet that there is a firewall with a 2-hour session timer, probably between the client and server C. If your sessions are idle (ie no traffic at all) when the timeout occurs, you can work around it by enabling a keepalive to keep the session "fresh". If the sessions are active when the timeout occurs, you need to talk to your firewall admin as no amount of fooling with SSH will help. The client-side KeepAlive option probably won't help since the default (system-wide) keepalive timer is normally 2 hours (unless you reduce the timer, how to do this varies between platforms). If you can, I suggest enabling ClientAliveInterval on the server set to maybe 600 seconds. Alternatively, you could also investigate one of the client-side keepalive patches (I don't have a URL for those handy). > Could anyboday give me some clues? Are there any problems with server A > or with server C? I doubt it's something about timeout or KeepAlive > values. But as a regular user, I don't how to check and set them. Your > suggestions will be greatly appreciated. Perhaps reading the man pages for ssh_config and sshd_config would be a good start? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Nov 19 18:41:48 2003 From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Wed, 19 Nov 2003 08:41:48 +0100 Subject: Testing of recent commits In-Reply-To: <3FBABA33.A8DB4A64@zip.com.au> References: <1069155926.10951.61.camel@sakura.mindrot.org> <20031118144331.GA32723@cygbert.vinschen.de> <3FBABA33.A8DB4A64@zip.com.au> Message-ID: <20031119074148.GA29726@serv01.aet.tu-cottbus.de> On Wed, Nov 19, 2003 at 11:32:51AM +1100, Darren Tucker wrote: > Corinna Vinschen wrote: > [current won't build on Cygwin] > > 20031015 > > - (dtucker) [acconfig.h configure.ac dns.c openbsd-compat/getrrsetbyname.c > > openbsd-compat/getrrsetbyname.h] DNS fingerprint support is now always > > compiled in but disabled in config. > > > > The problem is that this change requires a system to have the > > DNS query functions and header files arpa/nameser.h and resolv.h > > which are not available on Cygwin. There exists an implementation > > but it's not part of Cygwin so far. > > That change matched one synced from OpenBSD where all of the "#ifdef DNS" > fragments vanished. Maybe portable needs them back, or needs some dummy > resolver functions in openbsd-compat? There's a chance some other > platforms will have the same issue too. It does break HP-UX 10.20: OpenSSH has been configured with the following options: User binaries: /usr/local/openssh1/bin System binaries: /usr/local/openssh1/sbin Configuration files: /etc/ssh1 Askpass program: /usr/local/openssh1/libexec/ssh-askpass Manual pages: /usr/local/openssh1/man/manX PID file: /var/run1 Privilege separation chroot path: /var/empty sshd default user PATH: /usr/local/openssh1/bin:/usr/bin:/usr/local/ bin Manpage format: man DNS support: PAM support: no KerberosV support: no Smartcard support: no S/KEY support: no TCP Wrappers support: yes MD5 password support: no IP address in $DISPLAY hack: yes Translate v4 in v6 hack: no BSD Auth support: no Random number source: OpenSSL internal ONLY Host: hppa2.0-hp-hpux10.20 Compiler: cc -Ae Compiler flags: -g -Ae +DAportable Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include -D_HPUX_SOURC E -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 Linker flags: -L/usr/local/ssl/lib -L/usr/local/lib Libraries: -lwrap -lz -lxnet -lsec -lcrypto ---------------------------------------------------------------------- cc -Ae -g -Ae +DAportable -I. -I.. -I. -I./.. -I/usr/local/ssl/include - I/usr/local/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 - DHAVE_CONFIG_H -c getrrsetbyname.c cc: "../openbsd-compat/glob.h", line 44: warning 617: Redeclaration of tag "stat " ignored. cc: "getrrsetbyname.c", line 265: error 1588: "T_SIG" undefined. cc: "getrrsetbyname.c", line 264: warning 563: Argument #3 is not the correct ty pe. cc: "getrrsetbyname.c", line 292: error 1563: Expression in if must be scalar. cc: "getrrsetbyname.c", line 366: error 1588: "HFIXEDSZ" undefined. cc: "getrrsetbyname.c", line 366: warning 563: Argument #3 is not the correct ty pe. cc: "getrrsetbyname.c", line 367: error 1603: Incompatible operands: assign oper ator. *** Error exit code 1 Stop. *** Error exit code 1 Stop. ---------------------------------------------------------------------- HP-UX 10.20 is shipped with Bind4. (BTW: Please note the "DNS support:" line.) I have Bind 8 libraries installed on my system, so I gave it another try: ---------------------------------------------------------------------- OpenSSH has been configured with the following options: User binaries: /usr/local/openssh1/bin System binaries: /usr/local/openssh1/sbin Configuration files: /etc/ssh1 Askpass program: /usr/local/openssh1/libexec/ssh-askpass Manual pages: /usr/local/openssh1/man/manX PID file: /var/run1 Privilege separation chroot path: /var/empty sshd default user PATH: /usr/local/openssh1/bin:/usr/bin:/usr/local/ bin Manpage format: man DNS support: PAM support: no KerberosV support: no Smartcard support: no S/KEY support: no TCP Wrappers support: yes MD5 password support: no IP address in $DISPLAY hack: yes Translate v4 in v6 hack: no BSD Auth support: no Random number source: OpenSSL internal ONLY Host: hppa2.0-hp-hpux10.20 Compiler: cc -Ae Compiler flags: -g -Ae +DAportable Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include -D_HPUX_SOURC E -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -I/usr/local/bind/include Linker flags: -L/usr/local/ssl/lib -L/usr/local/lib -L/usr/local/bind/lib Libraries: -lwrap -lz -lxnet -lsec -lbind -lcrypto ---------------------------------------------------------------------- This time it will break in a more subtle manner: Bind 8 include files come with its own . By specifying -I/usr/local/bind/include the from Bind 8 will be used instead of the system file. As -D_XOPEN_SOURCE_EXTENDED=1 is specified in the HP-UX 10.20 configuration, htons() etc macros are no longer handled by but by . The shipped with Bind 8 however does not know about this subtle difference: it does not include this macros such that linking fails due to undefined symbols of htons() and friends. (You may consider this to be a bug in the Bind 8 distribution; I would however recommend to handle the DNS resolver lib problem inside OpenSSH instead of requiring the installation of a "patched up" Bind 8 on HP-UX 10.20. Note: I have verified that this issue is still valid up to 8.4.1) Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus From dtucker at zip.com.au Wed Nov 19 20:06:10 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 19 Nov 2003 20:06:10 +1100 Subject: 3.7.1P2, PermitRootLogin and PAM with hidden NISplus passwor ds References: <9D248E1E43ABD411A9B600508BAF6E9B076B4572@xmx7fraib.fra.ib.commerzbank.com> <3FBA280E.39121556@zip.com.au> <20031118161606.GA27801@folly> Message-ID: <3FBB3282.8210DB08@zip.com.au> Markus Friedl wrote: > > On Wed, Nov 19, 2003 at 01:09:18AM +1100, Darren Tucker wrote: [snip] > > Maybe we need a more general "AllowedRootAuthMethods" option? Maybe not. > > Perhaps "PermitRootLogin pubkey-only"? > > IMHO it's PAM's job to control access if PAM is used. I agree, however how can it make decisions involving SSH public-key authentications? Ie, how could you implement the equivalent of "PermitRootLogin pubkey-only" purely in PAM? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From vinschen at redhat.com Wed Nov 19 20:44:26 2003 From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 19 Nov 2003 10:44:26 +0100 Subject: Testing of recent commits In-Reply-To: <20031118144331.GA32723@cygbert.vinschen.de> References: <1069155926.10951.61.camel@sakura.mindrot.org> <20031118144331.GA32723@cygbert.vinschen.de> Message-ID: <20031119094426.GA8716@cygbert.vinschen.de> On Tue, Nov 18, 2003 at 03:43:31PM +0100, Corinna Vinschen wrote: > On Tue, Nov 18, 2003 at 10:45:26PM +1100, Damien Miller wrote: > > There have been a few recent commits to portable OpenSSH that require > > testing. It would be appreciated if you could grab the 20031118 (or > > later) snapshot and give it a try on your platforms of choice. > > I had no time to build latest openssh from CVS for a few weeks now > and, unfortunately, a change from last month results in not being > able to build on Cygwin: > > 20031015 > - (dtucker) [acconfig.h configure.ac dns.c openbsd-compat/getrrsetbyname.c > openbsd-compat/getrrsetbyname.h] DNS fingerprint support is now always > compiled in but disabled in config. > > The problem is that this change requires a system to have the > DNS query functions and header files arpa/nameser.h and resolv.h > which are not available on Cygwin. There exists an implementation > but it's not part of Cygwin so far. FYI, it's a resolver library called minires. I've build and installed it on my system and with a one-line-patch to configure.ac, OpenSSH builds fine on Cygwin without having to back out the above patch. I'm now trying to get minires into the Cygwin distribution so that OpenSSH can rely on a resolver lib also on Cygwin. This will be handled within the next few days. The current one-line patch necessary is *-*-cygwin*) check_for_libcrypt_later=1 - LIBS="$LIBS /usr/lib/textmode.o" + LIBS="$LIBS /usr/lib/textmode.o -lresolv" AC_DEFINE(HAVE_CYGWIN) AC_DEFINE(USE_PIPES) since due to the way minires exports the symbols, the current tests for libresolve in configure are failing on Cygwin. I'm talking about this with the minires developer first, so a patch can wait for a while. Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. From ralf.hack at gxn.net Wed Nov 19 22:34:16 2003 From: ralf.hack at gxn.net (Ralf Hack) Date: Wed, 19 Nov 2003 11:34:16 +0000 Subject: Testing of recent commits Message-ID: >There have been a few recent commits to portable OpenSSH that require >testing. It would be appreciated if you could grab the 20031118 (or >later) snapshot and give it a try on your platforms of choice. > >Ideally, "giving it a try" means running the regress tests, in addition >to casual (non-production) use and reporting your experiences back to >the list. The more platforms and compile-time options, the better. > >Please note that the new snapshots replace the experimental "gssapi" >authentication method with an improved "gssapi-with-mic" method. The new >method (which does *not* interoperate with the deprecated "gssapi" >method) provides proper validation of the session ID between the client >and the server. Hi, I compiled 20031118 on debian:woody on intel without problems. Given some time constraints, I haven't been able to test it. However, I noticed that the bug preventing 'do_pam_session()' from getting compiled in for systems that have 'HAVE_SETPCRED' set, such as FreeBSD 4.7 (and apparently linux), is still there (session.c:do_setusercontext()). I think the following patch (similar to the one I submitted previously) should fix this. I am not sure how setpred() and PAM interact, so do take this patch with a grain of salt. --- session.c.orig Mon Nov 17 10:41:42 2003 +++ session.c Wed Nov 19 11:21:36 2003 @@ -1237,6 +1237,17 @@ fatal("Failed to set process credentials"); #endif /* HAVE_SETPCRED */ #ifdef HAVE_LOGIN_CAP + +# ifdef USE_PAM + /* + * Run do_pam_session() here too + */ + if (options.use_pam) { + do_pam_session(); + do_pam_setcred(0); + } +# endif /* USE_PAM */ + # ifdef __bsdi__ setpgid(0, 0); # endif @@ -1245,6 +1256,7 @@ perror("unable to set user context"); exit(1); From djm at mindrot.org Wed Nov 19 23:05:38 2003 From: djm at mindrot.org (Damien Miller) Date: Wed, 19 Nov 2003 12:05:38 -0000 Subject: Testing of recent commits In-Reply-To: References: Message-ID: <1069243495.10951.72.camel@sakura.mindrot.org> On Wed, 2003-11-19 at 22:34, Ralf Hack wrote: > However, I noticed that the bug preventing 'do_pam_session()' > from getting compiled in for systems that have 'HAVE_SETPCRED' set, > such as FreeBSD 4.7 (and apparently linux), is still there > (session.c:do_setusercontext()). I think the following patch > (similar to the one I submitted previously) should fix this. I am > not sure how setpred() and PAM interact, so do take this patch with a > grain of salt. I'm not sure I understand - do_pam_session() is already called later in do_setusercontext() - see line 1267. -d From ralf.hack at gxn.net Wed Nov 19 23:15:02 2003 From: ralf.hack at gxn.net (Ralf Hack) Date: Wed, 19 Nov 2003 12:15:02 +0000 Subject: Testing of recent commits In-Reply-To: <1069243495.10951.72.camel@sakura.mindrot.org> References: <1069243495.10951.72.camel@sakura.mindrot.org> Message-ID: Damien, do_pam_session() is only in the #else branch of HAVE_LOGIN_CAP and hence not compiled in for systems that have HAVE_LOGIN_CAP set. My last email stated wrongly HAVE_SETPCRED though - sorry about that. Ralf. >On Wed, 2003-11-19 at 22:34, Ralf Hack wrote: > >> However, I noticed that the bug preventing 'do_pam_session()' >> from getting compiled in for systems that have 'HAVE_SETPCRED' set, >> such as FreeBSD 4.7 (and apparently linux), is still there >> (session.c:do_setusercontext()). I think the following patch >> (similar to the one I submitted previously) should fix this. I am >> not sure how setpred() and PAM interact, so do take this patch with a >> grain of salt. > >I'm not sure I understand - do_pam_session() is already called later in >do_setusercontext() - see line 1267. > >-d From wtxa0kk at yahoo.com Wed Nov 19 00:32:44 2003 From: wtxa0kk at yahoo.com (Ricardo Mercer) Date: Tue, 18 Nov 2003 19:32:44 +0600 Subject: US STOCK MARKET - CYPM Acquisition - To Compete With DISNEY & PIXAR...haroun Message-ID: <9ko75bl7c92utk$ic$q2wn@tmd.jj.7v7pvvy> US Stock Market - Stock Profile of the Week Symbol: CYPM Market: OTCBB Sector: 3D Animation BREAKING NEWS - CYPM Acquires Profitable Joongang Movie Entertainment...CYPM To Compete With Pixar & Disney NEW YORK---PRIMEZONE---Cyper Media, Inc. (OTCBB: CYPM), a 3D animation studio currently producing ``The 5th Glacial Epoch,'' a 15 million dollar feature, has acquired Joongang Movie Entertainment Co., Ltd., a producer of animated content for the world-famous Pokemon series. Joongang is a profitable 13-year-old animation company with more than 60 different clients among OEM Japanese TV shows, and which also has numerous clients in Europe. Duk Jin Jang, CEO of Cyper said, ``Cyper will now be able to offer our combined clients traditional 2D along with 3D animation content, enabling the Company to compete profitably with world class animators such as Pixar and Disney.'' STOCK PROFILE OF THE WEEK We are very excited about our newest stock profile, Cyper Media, Inc. (OTCBB: CYPM). Not only has CYPM received a conditional commitment letter for 4 million of the 15 million dollar production budget for its CGI Animation Feature, "The 5th Glacial Epoch," it has also entered into a commitment for a 5 million dollar advance from an electronic game publisher. The money for its latest venture seems to be pouring in, but mere financing is just the beginning. The really big news is that CYPM has started the process of getting a distribution contract with MGM, Metro-Goldwyn-Mayer. The 4 million dollar commitment letter from Global Marine is subject to a letter of a conditional Distribution Letter from a major distributor, which CYPM has now secured. Cyper Media is looking to become a leading producer of 3D digital animation entertainment products for the world broadcast entertainment market. Cyper Media develops and produces 3D digital animation for television, short films, CGI feature films, home video, music video and multi-media applications such as video games. Cyper Media produces 3D digital animation by applying advanced hardware and software technology using computer systems throughout the production process. LICENSING & MERCHANDISING RIGHTS The Company intends to exploit the licensing and merchandising of its proprietary characters in order to generate revenue and to highten the popularity of its characters and programs. By licensing its proprietary characters to select manufacturers and distributors of consumer products such as toys, apparel, school supplies, house wares and books, the Company seeks to capture a portion of the growing licensing and merchandising market which features entertainment properties, such as animated characters. In 1995, this segment of the merchandising and licensing market had retail sales in the United States and Canada in excess of 16 billion dollars. OUTLINING THE THE OPPORTUNITIES The demand for animation programming and the business of animation production have expanded dramatically over the past decade. The revival of Disney's feature animation production in the 1990s, and the advent of new entrants like Paramount and DreamWorks SKG, have produced some of the biggest ever box office hits. The television market has also expanded, offering producers a voracious and lucrative market. Thanks to programs like The Simpsons and South Park, animation has started to become a staple element of prime-time television programming. Animation is an attractive investment because of its longevity, its ability to travel, and the potential to create ancillary revenue streams from home video, publishing, toys and other licensing activities. As well, the Academy Awards now recognizes Animation in a major category all its own. COMPETITIVE ENVIRONMENT Typically a US made 22-minute television show costs between 300,000 to 800,000 dollars to produce. Cyper can produce the same for a minimum of 80,000. This means many U.S.-based producers of animated programming such as Film Roman now have to subcontract some of the less creative and more labor-intensive components of its production process to animation studios located in low-cost labor countries, such as Korea. As the number of animated feature films and animated television programs expands, the demand for the services of overseas studios has expanded likewise. This demand may lead overseas studios to raise their fees, which may result in a rise in production costs, or an inability to contract with the Company's preferred overseas studios. HOW MUCH MONEY IS IN THIS INDUSTRY? The list of Top Ten grossing animated movies is impressive. The Lion King is at number one with a total gross of 312.8 million dollars. Shrek brings up second place with a whopping 267.6 million, and Monsters, Inc. takes third with 255.3 million. The other seven rounding out the list post an impressive Billion-plus. But the most recent animated feature that comes to mind is playing in theaters now. "Finding Nemo," sold about 70.6 million worth of tickets in its first three days, setting a new opening record for a cartoon, surpassing the 62.5 million bow of "Monsters, Inc." in November 2001. And although Nemo is a Walt Disney production, Disney no longer has a monopoly on animated features. In fact, of the Top 10 grossing animated features of all time, 4 are Walt Disney productions while Pixar, a newcomer in comparison, also has 4, with Fox and DreamWorks rounding out the list. But earnings for such movies don't stop at the box office. Just the opposite--they are only beginning. Merchandising from these movies, everything from lunch boxes to video games to DVD sales, from Wal-mart to McDonald's to Burger King, range in the billions of dollars--and never forget about the impending sequels. Sales are huge, and CYPM through Cyper (now with financing on the way and MGM on their side) is poised to make the climb to the top. It's only a matter of time. Find out more about CYPM @ www.cypermedia.com. Please note that Cyper Media had absolutley nothing to do with this report and is not a participant in any way. No more advertisements: www.4inch6.com/f.html Stock Market Watcher is an independent research firm. This report is based on Stock Market Watcher's independent analysis but also relies on information supplied by sources believed to be reliable. This report may not be the opinion of CYPM management. Stock Market Watcher has also been retained to research and issue reports on CYPM. Stock Market Watcher may from time to time purchase or sell CYPM common shares in the open market without notice. The information contained in this report shall not constitute, an offer to sell or solicitation of any offer to purchase any security. It is intended for information only. Some statements may contain so-called "forward-looking statements". Many factors could cause actual results to differ. Investors should consult with their Investment Advisor concerning CYPM. Copyright 2003 ? Stock Market Watcher Ltd. All Rights Reserved. This newsletter was distributed by MMS, Inc. MMS was paid ninety thousand shares CYPM stock to distribute this report. MMS is not affiiated with Stock Market Watcher and is not responsible for newsletter content. qfilpm ipckyyxq e kpggl gxbvplv gwqndia qrpkdbo fk gbxtg From scottra at wrq.com Thu Nov 20 12:09:58 2003 From: scottra at wrq.com (Scott Rankin) Date: Wed, 19 Nov 2003 17:09:58 -0800 Subject: Testing of recent commits Message-ID: <658860F1FF3F65478C90C5DF81CB7858304142@kang.na.wrq.com> Damien, > -----Original Message----- > From: Damien Miller [mailto:djm at mindrot.org] > Sent: Tuesday, November 18, 2003 3:45 AM > To: openssh-unix-dev at mindrot.org > Subject: Testing of recent commits > > > There have been a few recent commits to portable OpenSSH that require > testing. It would be appreciated if you could grab the 20031118 (or > later) snapshot and give it a try on your platforms of choice. > > Ideally, "giving it a try" means running the regress tests, > in addition > to casual (non-production) use and reporting your experiences back to > the list. The more platforms and compile-time options, the better. > > Please note that the new snapshots replace the experimental "gssapi" > authentication method with an improved "gssapi-with-mic" > method. The new > method (which does *not* interoperate with the deprecated "gssapi" > method) provides proper validation of the session ID between > the client > and the server. > > Some of the highlights (more in the ChangeLog): > > - (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic > tty_conv, and use it for do_pam_session. Fixes problems like > pam_motd not displaying anything. ok djm@ > > - jakob at cvs.openbsd.org 2003/11/12 16:39:58 > [dns.c dns.h readconf.c ssh_config.5 sshconnect.c] > update SSHFP validation. ok markus@ > > - markus at cvs.openbsd.org 2003/11/17 11:06:07 > [auth2-gss.c gss-genr.c gss-serv.c monitor.c monitor.h] > [monitor_wrap.c monitor_wrap.h sshconnect2.c ssh-gss.h] > replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; > test + ok jakob. > > - (djm) Bug #632: Don't call pam_end indirectly from within kbd-int > conversation function > > - (djm) Export environment variables from authentication > subprocess to > parent. Part of Bug #717 > > > -d > I tested on sgi IRIX 6.5.18m with gcc 3.3. make tests reported no errors. cheers, scott From scottra at wrq.com Thu Nov 20 12:39:39 2003 From: scottra at wrq.com (Scott Rankin) Date: Wed, 19 Nov 2003 17:39:39 -0800 Subject: Testing of recent commits Message-ID: <658860F1FF3F65478C90C5DF81CB7858304143@kang.na.wrq.com> Damien [snip] > > I tested on sgi IRIX 6.5.18m with gcc 3.3. > > make tests reported no errors. > > cheers, > scott > I also just tested openssh-SNAP-20031118 with MipsPro 7.4 on the same IRIX 6.5.18m system. make tests reported no errors. there was considerably more noise during complication than with gcc so I will see if I can throw together a diff... cheers, scott From omehashyin at gmx.net Thu Nov 20 14:02:58 2003 From: omehashyin at gmx.net (Herman) Date: Wed, 19 Nov 2003 19:02:58 -0800 Subject: GET latest softwares, 99% savings. Message-ID: <7188281069297378@p508A2F4B.dip.t-dialin.net> [1]http://81.180.98.39/ If you don't have enough money to buy needed software or think desired software isn't worth the price, then this service is right for you. We make software to be near you. Order any software you need for a low price. Some popular products from our price list: All programs you can download or order on cd-rom by airmail. 50$ Adobe Creative Suite (2 cds) 30$ Adobe PhotoShop CS 8.0 (1 cd) 55$ 3D Studio Max 6.0 (3 cds) 20$ Adobe Premiere Pro 7.0 (1 cd) 35$ Alias Wavefront Maya 5.0 Unlimited 35$ AutoCAD 2004 35$ Autodesk Architectural Desktop 2004 16$ Cakewalk Sonar 3 Producer Edition (3 cds) 25$ Canopus ProCoder 1.01.35 25$ Corel Draw 11 Graphic Suite 25$ Dragon Naturally Speaking Preferred 7.0 20$ Macromedia Dreamweaver MX 2004 v7.0 25$ Macromedia Fireworks MX 2004 v7.0 25$ Macromedia Flash MX 2004 v7.0 Professional 50$ Macromedia Studio MX 2004 (1 cd) 20$ Microsoft Money 2004 Deluxe (1 cd) 55$ Microsoft Office 2003 System Professional (5 cds) 25$ Microsoft Office 2003 Multilingual User Interface Pack (2 cds) 35$ Microsoft Project 2002 Pro 20$ Microsoft Publisher XP 2002 25$ Microsoft Visio for Enterprise Architects 2003 45$ Microsoft Windows XP Corporate Edition with SP1 35$ Microsoft Windows XP Professional 20$ Norton Antivirus 2004 Pro v10.0.0.109 16$ Norton SystemWorks 2003 (1 cd) 25$ OmniPage Pro 12 25$ Pinnacle Impression DVD Pro 2.2 (1 cd) 45$ PTC Pro Engineer Wildfire Datecode 2003370 (3 cds) 16$ PowerQuest Drive Image 7.01 Multilanguage (1 cd) 20$ Ulead DVD Workshop 1.2 99$ Microsoft Visual Studio .NET 2003 Enterprise Architect (8 cds) 20$ Winfax PRO 10.02 and, more, more. more!! Total today is 1418 products. price list - [2]http://81.180.98.39/p/ search - [3]http://81.180.98.39/e/ Mac users. We have some software for you too!!! Check it: [4]http://81.180.98.39/p/m/ Adobe Creative Suite (2 cds) for Mac Adobe Acrobat 6.0 Pro for Mac Adobe Illustrator 10 for Mac Adobe InDesign 2 for Mac Macromedia Flash MX 2004 v7.0 Professional for Mac Macromedia Studio MX 2004 for Mac (1 cd) Microsoft Office v.X for Mac QuarkXpress 6 Multilanguage for Mac and more!!! ---- To unsubscribe, please go to [5]http://81.180.98.39/unsub.html References 1. http://81.180.98.39/ 2. http://81.180.98.39/p/ 3. http://81.180.98.39/e/ 4. http://81.180.98.39/p/m/ 5. http://81.180.98.39/unsub.html From a_ga_l at fromru.com Thu Nov 20 20:38:10 2003 From: a_ga_l at fromru.com (Gallery-a) Date: Thu, 20 Nov 2003 09:38:10 -0000 Subject: Antonsen's Personal Exhibition - News of G|A (0000604687) Message-ID: <20031120124010.4BAB8305DA814BA4@fromru.com> Dear Ladies and Gentlemen, We would like to introduce you Ani Antonsen?s personal exhibition. She is an artist and in her country people call her ?A Queen of flowers?. And everyone who is going to look at her exhibition will understand why the article in a local paper, which has been published during one of her exhibitions, said so about her. You will be able to have a look on some of her paintings: http://www.gallery-a.ru/expo/antonsen.php Welcome to the exhibition! Gallery-A kurator P.S. Also available on our site E-Cards:http://www.gallery-a.ru/ecards/compose.php , more than 200 stylish E-Cards! Wallpapers: http://www.gallery-a.ru/luxury.php Sorry if that information not interesting for You and we disturb You with our message! For removing yor address from this mailing list just replay this message with word 'unsubscribe' in subject field (1259308189) From vinschen at redhat.com Thu Nov 20 21:36:16 2003 From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 20 Nov 2003 11:36:16 +0100 Subject: Testing of recent commits In-Reply-To: <20031119094426.GA8716@cygbert.vinschen.de> References: <1069155926.10951.61.camel@sakura.mindrot.org> <20031118144331.GA32723@cygbert.vinschen.de> <20031119094426.GA8716@cygbert.vinschen.de> Message-ID: <20031120103616.GQ9027@cygbert.vinschen.de> On Wed, Nov 19, 2003 at 10:44:26AM +0100, Corinna Vinschen wrote: > On Tue, Nov 18, 2003 at 03:43:31PM +0100, Corinna Vinschen wrote: > > 20031015 > > - (dtucker) [acconfig.h configure.ac dns.c openbsd-compat/getrrsetbyname.c > > openbsd-compat/getrrsetbyname.h] DNS fingerprint support is now always > > compiled in but disabled in config. > > > > The problem is that this change requires a system to have the > > DNS query functions and header files arpa/nameser.h and resolv.h > > which are not available on Cygwin. There exists an implementation > > but it's not part of Cygwin so far. > > FYI, it's a resolver library called minires. [...] I'm now trying > to get minires into the Cygwin distribution so that OpenSSH can rely on a > resolver lib also on Cygwin. This will be handled within the next few days. > [...] due to the way minires exports the symbols, the current tests for > libresolve in configure are failing on Cygwin. I'm talking about this > with the minires developer first, so a patch can wait for a while. Another FYI: Minires is part of the Cygwin net distribution since today. The configure problem has been solved by introducing sort of weak symbols similar to the Linux libresolv.so. So, current OpenSSH finally builds and runs on Cygwin again, if the minires and minres-devel packages from the net distribution are installed. Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. From mouring at etoh.eviladmin.org Fri Nov 21 01:39:33 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 20 Nov 2003 08:39:33 -0600 (CST) Subject: Testing of recent commits In-Reply-To: <20031120103616.GQ9027@cygbert.vinschen.de> Message-ID: On Thu, 20 Nov 2003, Corinna Vinschen wrote: [..] > Another FYI: Minires is part of the Cygwin net distribution since today. > The configure problem has been solved by introducing sort of weak symbols > similar to the Linux libresolv.so. > > So, current OpenSSH finally builds and runs on Cygwin again, if the minires > and minres-devel packages from the net distribution are installed. > I'm wondering if within the cygwin autoconf section if a check for minires should be preformanced and the compile should abort with an error about lack of an advanced resolver? BTW.. Thanks. I was not looking forward to the idea of adding the '#ifdef DNS' back in. =) - Ben From vinschen at redhat.com Fri Nov 21 01:57:19 2003 From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 20 Nov 2003 15:57:19 +0100 Subject: Testing of recent commits In-Reply-To: References: <20031120103616.GQ9027@cygbert.vinschen.de> Message-ID: <20031120145719.GV9027@cygbert.vinschen.de> Hi Ben, On Thu, Nov 20, 2003 at 08:39:33AM -0600, Ben Lindstrom wrote: > On Thu, 20 Nov 2003, Corinna Vinschen wrote: > [..] > > Another FYI: Minires is part of the Cygwin net distribution since today. > > The configure problem has been solved by introducing sort of weak symbols > > similar to the Linux libresolv.so. > > > > So, current OpenSSH finally builds and runs on Cygwin again, if the minires > > and minres-devel packages from the net distribution are installed. > > I'm wondering if within the cygwin autoconf section if a check for minires > should be preformanced and the compile should abort with an error about > lack of an advanced resolver? hmm, I don't think so. The reason is, IMHO the configure script should now fail on all systems if the dependency to res_query couldn't be resolved and if the necessary resolv.h file couldn't be found. It's nothing special in Cygwin. You'll get the same problem on any system when you don't have all necessary devel packages installed. When I create the Cygwin net distro package for the next version of OpenSSH, I will also add a package dependency to minires and minires-devel. > BTW.. Thanks. I was not looking forward to the idea of adding the '#ifdef > DNS' back in. =) You're welcome. When looking into the problem two days ago, I saw that this would have been next to a nightmare... However, we're all more or less busy people, so one can't always keep up with the progress of all packages. A heads-up right after merging such a suspicious patch into the portable version would be nice(tm). Another, unrelated question: Any plans in the OpenBSD version, to remove all occurencies of __progname with calls to getprogname()? This would be a good idea, IMHO. Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. From jakob at rfc.se Fri Nov 21 03:36:28 2003 From: jakob at rfc.se (Jakob Schlyter) Date: Thu, 20 Nov 2003 17:36:28 +0100 (CET) Subject: Testing of recent commits In-Reply-To: <20031120145719.GV9027@cygbert.vinschen.de> References: <20031120103616.GQ9027@cygbert.vinschen.de> <20031120145719.GV9027@cygbert.vinschen.de> Message-ID: On Thu, 20 Nov 2003, Corinna Vinschen wrote: > Another, unrelated question: Any plans in the OpenBSD version, to remove > all occurencies of __progname with calls to getprogname()? This would > be a good idea, IMHO. openbsd doesn't have getprogname() jakob From james at firstaidmusic.com Fri Nov 21 03:41:11 2003 From: james at firstaidmusic.com (James Dennis) Date: Thu, 20 Nov 2003 11:41:11 -0500 Subject: Question on function order Message-ID: <5949A20E-1B78-11D8-BFA4-000A958C5792@firstaidmusic.com> Could anyone point me to some information on why in HP-UX do_setusercontext() is called after log_getlastlog() and session_pty_req() but before on other things? It is making my chroot patch not behave correctly and I'd like to fix that. -James From vinschen at redhat.com Fri Nov 21 03:46:24 2003 From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 20 Nov 2003 17:46:24 +0100 Subject: Testing of recent commits In-Reply-To: References: <20031120103616.GQ9027@cygbert.vinschen.de> <20031120145719.GV9027@cygbert.vinschen.de> Message-ID: <20031120164624.GA8794@cygbert.vinschen.de> On Thu, Nov 20, 2003 at 05:36:28PM +0100, Jakob Schlyter wrote: > On Thu, 20 Nov 2003, Corinna Vinschen wrote: > > > Another, unrelated question: Any plans in the OpenBSD version, to remove > > all occurencies of __progname with calls to getprogname()? This would > > be a good idea, IMHO. > > openbsd doesn't have getprogname() Oops, FreeBSD has, so I was sure... Sorry, Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. From Nagib.N.Chahine at boeing.com Fri Nov 21 03:59:06 2003 From: Nagib.N.Chahine at boeing.com (Chahine, Nagib N) Date: Thu, 20 Nov 2003 08:59:06 -0800 Subject: Problem running SSH on IBM PPC440 processor, help appreciated Message-ID: <4543EA9DB1099E4583484B56803D0BFA0119C0CB@xch-sw-02.sw.nos.boeing.com> Hi, Sorry to bother you on this mailing list, however I tried everything else and I am desperate to get this running. Please send me any hints you can think of. I have installed openssh-3.7.1p2 on a ppc target and trying to connect to an sshd running on a redhat 9 with openssh-3.5p1. I keep getting the error "Disconnecting: Corrupted check bytes on input" no matter what I tried. I located the error message and turned debugging on in packet.c which dumps the content of the packet. What I see is a packet with length 5 bytes which confuses the client's side. I tried running the sshd version 3.7.1p2 to match the client I keep getting the same error. RUNNING WITH -1 OPTION: ----------------------- sh-2.05# ssh 192.168.1.1 -1 -l root incoming packet length= 267 read_poll plain: 0000 0000 0002 41f2 5ed2 a112 7e29 0000 0300 0006 2303 00d8 bf4a 5f8f 0f80 8fb9 6311 30d2 66cb e6e0 10c5 7cfe b7c2 60b4 ee32 97fe ed99 9606 8357 affb 10f7 578a 63ee 592c 9730 92b6 f3d2 8274 62cc 250d af16 5685 e40d d5eb b9d9 bbd8 4404 3bda 473e ccd4 6852 947d 90f9 5963 55cd 63f0 0c9b f564 e041 8100 0004 0000 0623 0400 a7f8 81dc 5627 07bc 7ab9 af88 daf8 ad7a ae43 6fbc bc8a 8f69 26e6 9481 f998 54f3 f5d5 d66d db13 366c ae9c fe6d 08c7 df7f 924c bce4 6ce9 0635 2200 b373 2b74 6d6f 96a6 4e65 3c21 a735 3e6a 6ab3 63c7 eeb4 4d1d 41c0 0c86 9818 bb0f 10df 9f8f a8dd bcc3 d3dc 807e f5dc 6080 7205 cf88 eb5d bef3 a4ce a17c 7853 70c9 ebab 7f7a 8601 0000 0002 0000 0048 0000 002c 3efb f1c5 stored_cheksum = 3efbf1c5 calculated_cheksum = 3efbf1c5 packet_send plain: 0000 0000 0303 41f2 5ed2 a112 7e29 03ff 7095 fd74 29ac 0a29 3201 8556 64bc 4b27 dc4d c8b2 e789 f1b0 7be5 899c b5a4 494e e114 7453 29f3 846e f923 5eea 35d4 07c7 c2d8 28f2 167f a5ba 01ad 6274 cfc1 c64c 9f24 da82 fbcd 6d81 1c66 4ff8 0484 1b62 12b8 d83e 37a2 00b3 abde 85f1 ca1b bf80 1864 8b6c d5c4 1ad8 819e 59b5 6331 ee5f 4814 cfb6 c439 dd42 edc0 a9f8 99fd 1969 0000 0003 705b 27e1 encrypted: 0000 0094 0000 0000 0303 41f2 5ed2 a112 7e29 03ff 7095 fd74 29ac 0a29 3201 8556 64bc 4b27 dc4d c8b2 e789 f1b0 7be5 899c b5a4 494e e114 7453 29f3 846e f923 5eea 35d4 07c7 c2d8 28f2 167f a5ba 01ad 6274 cfc1 c64c 9f24 da82 fbcd 6d81 1c66 4ff8 0484 1b62 12b8 d83e 37a2 00b3 abde 85f1 ca1b bf80 1864 8b6c d5c4 1ad8 819e 59b5 6331 ee5f 4814 cfb6 c439 dd42 edc0 a9f8 99fd 1969 0000 0003 705b 27e1 incoming packet length= 5 read_poll plain: a425 9ac0 a3f9 8a22 stored_cheksum = a3f98a22 calculated_cheksum = ec45aa79 Disconnecting: Corrupted check bytes on input. packet_send plain: 1a03 bc22 1896 9f52 0100 0000 1f43 6f72 7275 7074 6564 2063 6865 636b 2062 7974 6573 206f 6e20 696e 7075 742e 1f61 9863 encrypted: 0000 0028 f66c 265c b9d8 734d a622 507a 0ca2 1c47 37d5 6b23 d1e0 1bdd ed09 6461 3b87 df96 14a9 3698 d5e6 ee48 b758 8461 a2aa 0fc7 sh-2.05# RUNNING WITH -2 OPTION (partial dump) ------------------------------------- plain: 0000 0000 0015 encrypted: 0000 000c 0a15 0000 0000 0000 0000 0000 read_poll enc/full: 0000 0000 0000 0000 read/plain[21]: plain: 0000 0000 0005 0000 000c 7373 682d 7573 6572 6175 7468 encrypted: 442e 1233 1453 2f88 002f 2b0b e2bf d26f 38b7 eb9b dfb5 5003 6fda e4d4 ff8b 3bc0 2757 4ec5 884f e0db 94b5 e41e 5f2c 1c1d read_poll enc/full: 966f 20eb 8eb6 7ff2 5661 c8f0 7738 3de5 5e10 81e2 05ba e0af 9a0f 1cbc bc24 8687 b1bc 3e3e 13ec d372 13f8 91ae 5d18 f95e Disconnecting: Corrupted MAC on input. plain: 0000 0000 0001 0000 0002 0000 0017 436f 7272 7570 7465 6420 4d41 4320 6f6e 2069 6e70 7574 2e00 0000 00 encrypted: 9ba6 8f38 fb65 d36d 02a0 413a 2c02 debd 1a91 9f8b 305e 7614 88df 2ba1 72f7 f58e 4ecc 0398 220c 59b3 2c1d 197e 4ac4 9f30 f313 f2d4 1850 10c8 205e 3f83 45f5 b1f9 I would appreciate any hints from anyone who can give me some hints. Thanks Nagib Chahine From gert at greenie.muc.de Fri Nov 21 04:12:27 2003 From: gert at greenie.muc.de (Gert Doering) Date: Thu, 20 Nov 2003 18:12:27 +0100 Subject: Testing of recent commits In-Reply-To: ; from jakob@rfc.se on Thu, Nov 20, 2003 at 05:36:28PM +0100 References: <20031120103616.GQ9027@cygbert.vinschen.de> <20031120145719.GV9027@cygbert.vinschen.de> Message-ID: <20031120181227.L23021@greenie.muc.de> Hi, On Thu, Nov 20, 2003 at 05:36:28PM +0100, Jakob Schlyter wrote: > > Another, unrelated question: Any plans in the OpenBSD version, to remove > > all occurencies of __progname with calls to getprogname()? This would > > be a good idea, IMHO. > > openbsd doesn't have getprogname() So let's add openbsd-compat/getprogname.c :-) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From mouring at etoh.eviladmin.org Fri Nov 21 04:26:34 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 20 Nov 2003 11:26:34 -0600 (CST) Subject: Testing of recent commits In-Reply-To: <20031120181227.L23021@greenie.muc.de> Message-ID: On Thu, 20 Nov 2003, Gert Doering wrote: > Hi, > > On Thu, Nov 20, 2003 at 05:36:28PM +0100, Jakob Schlyter wrote: > > > Another, unrelated question: Any plans in the OpenBSD version, to remove > > > all occurencies of __progname with calls to getprogname()? This would > > > be a good idea, IMHO. > > > > openbsd doesn't have getprogname() > > So let's add openbsd-compat/getprogname.c :-) > That's great.. Consider *UPSTREAM* where OpenBSD *DOES NOT HAVE* getprogname(). Besides.. what does it gain us over __progname? From dcole at keysoftsys.com Fri Nov 21 05:42:41 2003 From: dcole at keysoftsys.com (Darren Cole) Date: Thu, 20 Nov 2003 10:42:41 -0800 Subject: Testing of recent commits In-Reply-To: <20031119074148.GA29726@serv01.aet.tu-cottbus.de> References: <1069155926.10951.61.camel@sakura.mindrot.org> <20031118144331.GA32723@cygbert.vinschen.de> <3FBABA33.A8DB4A64@zip.com.au> <20031119074148.GA29726@serv01.aet.tu-cottbus.de> Message-ID: <5279843C-1B89-11D8-B4BD-000A95E310BA@keysoftsys.com> I get a very similar problem on HP-UX 10.26 as described by Lutz Jaenicke once I made this change (against current anonymous cvs): -----begin diff----- RCS file: /cvs/openssh/openbsd-compat/xcrypt.c,v retrieving revision 1.5 diff -u -r1.5 xcrypt.c --- openbsd-compat/xcrypt.c 25 Sep 2003 10:18:34 -0000 1.5 +++ openbsd-compat/xcrypt.c 19 Nov 2003 23:07:51 -0000 @@ -89,7 +89,7 @@ { char *pw_password = pw->pw_passwd; -# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && !defined(HAVE_SECUREWARE) struct spwd *spw = getspnam(pw->pw_name); if (spw != NULL) -----end diff----- The above is needed otherwise you can end up trying to define variable spw twice when you use shadow passwords on a Secureware enabled system (i.e. Trusted CMW HP-UX 10.26). I know there are other problems, but it got me to the below errors: gmake[1]: Entering directory `/home/oeddev/projects/openssh/openssh/openbsd-compat' gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. -I/opt/openssl/include -I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H -c getrrsetbyname.c getrrsetbyname.c: In function `getrrsetbyname': getrrsetbyname.c:191: warning: implicit declaration of function `res_init' getrrsetbyname.c:207: warning: implicit declaration of function `res_query' getrrsetbyname.c:265: error: `T_SIG' undeclared (first use in this function) getrrsetbyname.c:265: error: (Each undeclared identifier is reported only once getrrsetbyname.c:265: error: for each function it appears in.) getrrsetbyname.c: In function `parse_dns_response': getrrsetbyname.c:366: error: `HFIXEDSZ' undeclared (first use in this function) getrrsetbyname.c: In function `parse_dns_qsection': getrrsetbyname.c:437: warning: implicit declaration of function `dn_expand' gmake[1]: *** [getrrsetbyname.o] Error 1 gmake[1]: Leaving directory `/home/oeddev/projects/openssh/openssh/openbsd-compat' gmake: *** [openbsd-compat/libopenbsd-compat.a] Error 2 > ---------------------------------------------------------------------- > HP-UX 10.20 is shipped with Bind4. I am not quite sure what version of Bind our systems have, or even if bind is installed at all on fielded systems. Cygwin's solutions sounds like it was to include minires. Installing a newer bind (or whatever) really isn't the most desirable option here. I would rather see openssh continue to compile without the need for updated bind, additional minires, or some other extra piece of code. Just my two cents. -- Darren Cole Software Engineer email: dcole at keysoftsys.com From mouring at etoh.eviladmin.org Fri Nov 21 06:34:17 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 20 Nov 2003 13:34:17 -0600 (CST) Subject: Testing of recent commits In-Reply-To: <5279843C-1B89-11D8-B4BD-000A95E310BA@keysoftsys.com> Message-ID: I could have swore I was told it was not required, but I don't have HP/UX. And my initial check in comments actually elude to HP/UX maybe problematic. However, with your change we should do: pw_password = spw->sp_pwdp; -# endif -# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) +# elif defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) struct passwd_adjunct *spw; Because they are all exclusive cases. None of them should ever overlap. If your diff plus this one passes then submit a patch and I'll take care of it. - Ben On Thu, 20 Nov 2003, Darren Cole wrote: > I get a very similar problem on HP-UX 10.26 as described by Lutz > Jaenicke once I made this change > (against current anonymous cvs): > -----begin diff----- > RCS file: /cvs/openssh/openbsd-compat/xcrypt.c,v > retrieving revision 1.5 > diff -u -r1.5 xcrypt.c > --- openbsd-compat/xcrypt.c 25 Sep 2003 10:18:34 -0000 1.5 > +++ openbsd-compat/xcrypt.c 19 Nov 2003 23:07:51 -0000 > @@ -89,7 +89,7 @@ > { > char *pw_password = pw->pw_passwd; > > -# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) > +# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && > !defined(HAVE_SECUREWARE) > struct spwd *spw = getspnam(pw->pw_name); > > if (spw != NULL) > -----end diff----- > The above is needed otherwise you can end up trying to define variable > spw twice when you use shadow passwords on a Secureware enabled system > (i.e. Trusted CMW HP-UX 10.26). I know there are other problems, but > it got me to the below errors: > > gmake[1]: Entering directory > `/home/oeddev/projects/openssh/openssh/openbsd-compat' > gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I.. -I. -I./.. > -I/opt/openssl/include > -I/opt/zlib/include -D_HPUX_SOURCE -D_XOPEN_SOURCE > -D_XOPEN_SOURCE_EXTENDED=1 -DHAVE_CONFIG_H > -c getrrsetbyname.c > getrrsetbyname.c: In function `getrrsetbyname': > getrrsetbyname.c:191: warning: implicit declaration of function > `res_init' > getrrsetbyname.c:207: warning: implicit declaration of function > `res_query' > getrrsetbyname.c:265: error: `T_SIG' undeclared (first use in this > function) > getrrsetbyname.c:265: error: (Each undeclared identifier is reported > only once > getrrsetbyname.c:265: error: for each function it appears in.) > getrrsetbyname.c: In function `parse_dns_response': > getrrsetbyname.c:366: error: `HFIXEDSZ' undeclared (first use in this > function) > getrrsetbyname.c: In function `parse_dns_qsection': > getrrsetbyname.c:437: warning: implicit declaration of function > `dn_expand' > gmake[1]: *** [getrrsetbyname.o] Error 1 > gmake[1]: Leaving directory > `/home/oeddev/projects/openssh/openssh/openbsd-compat' > gmake: *** [openbsd-compat/libopenbsd-compat.a] Error 2 > > > ---------------------------------------------------------------------- > > HP-UX 10.20 is shipped with Bind4. > > I am not quite sure what version of Bind our systems have, or even if > bind is installed at all on fielded systems. Cygwin's solutions sounds > like it was to include minires. Installing a newer bind (or whatever) > really isn't the most desirable option here. I would rather see > openssh continue to compile without the need for updated bind, > additional minires, or some other extra piece of code. > > Just my two cents. > > -- > Darren Cole > Software Engineer > email: dcole at keysoftsys.com > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Nov 21 08:29:47 2003 From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 20 Nov 2003 22:29:47 +0100 Subject: Testing of recent commits In-Reply-To: <5279843C-1B89-11D8-B4BD-000A95E310BA@keysoftsys.com> References: <1069155926.10951.61.camel@sakura.mindrot.org> <20031118144331.GA32723@cygbert.vinschen.de> <3FBABA33.A8DB4A64@zip.com.au> <20031119074148.GA29726@serv01.aet.tu-cottbus.de> <5279843C-1B89-11D8-B4BD-000A95E310BA@keysoftsys.com> Message-ID: <20031120212947.GA6258@serv01.aet.tu-cottbus.de> On Thu, Nov 20, 2003 at 10:42:41AM -0800, Darren Cole wrote: > >HP-UX 10.20 is shipped with Bind4. > > I am not quite sure what version of Bind our systems have, or even if > bind is installed at all on fielded systems. Cygwin's solutions sounds > like it was to include minires. Installing a newer bind (or whatever) > really isn't the most desirable option here. I would rather see > openssh continue to compile without the need for updated bind, > additional minires, or some other extra piece of code. At 10.20 the resolver routines are a part of libc. It does not matter whether you have a named installed or not. named itself is Bind 4: http://www.hp.com/products1/unix/operating/internet/dns.html "man resolver" will not reveal which actual software it is really based upon; its interface (say: the missing macros etc :-) indicate that it is 4.x based. Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Nov 21 08:41:19 2003 From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 20 Nov 2003 22:41:19 +0100 Subject: Testing of recent commits In-Reply-To: <20031120212947.GA6258@serv01.aet.tu-cottbus.de> References: <1069155926.10951.61.camel@sakura.mindrot.org> <20031118144331.GA32723@cygbert.vinschen.de> <3FBABA33.A8DB4A64@zip.com.au> <20031119074148.GA29726@serv01.aet.tu-cottbus.de> <5279843C-1B89-11D8-B4BD-000A95E310BA@keysoftsys.com> <20031120212947.GA6258@serv01.aet.tu-cottbus.de> Message-ID: <20031120214118.GC6258@serv01.aet.tu-cottbus.de> On Thu, Nov 20, 2003 at 10:29:47PM +0100, Lutz Jaenicke wrote: > On Thu, Nov 20, 2003 at 10:42:41AM -0800, Darren Cole wrote: > > >HP-UX 10.20 is shipped with Bind4. > > > > I am not quite sure what version of Bind our systems have, or even if > > bind is installed at all on fielded systems. Cygwin's solutions sounds > > like it was to include minires. Installing a newer bind (or whatever) > > really isn't the most desirable option here. I would rather see > > openssh continue to compile without the need for updated bind, > > additional minires, or some other extra piece of code. > > At 10.20 the resolver routines are a part of libc. It does not matter whether > you have a named installed or not. named itself is Bind 4: > http://www.hp.com/products1/unix/operating/internet/dns.html Following up to myself: this might mean that HP-UX 11.00 might be affected by similar problems. I don't know what version the resolver library is based on; I only have 10.20 around... Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus From dtucker at zip.com.au Fri Nov 21 09:15:53 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 21 Nov 2003 09:15:53 +1100 Subject: Testing of recent commits References: <1069155926.10951.61.camel@sakura.mindrot.org> <20031118144331.GA32723@cygbert.vinschen.de> <3FBABA33.A8DB4A64@zip.com.au> <20031119074148.GA29726@serv01.aet.tu-cottbus.de> <5279843C-1B89-11D8-B4BD-000A95E310BA@keysoftsys.com> <20031120212947.GA6258@serv01.aet.tu-cottbus.de> <20031120214118.GC6258@serv01.aet.tu-cottbus.de> Message-ID: <3FBD3D19.404A1F52@zip.com.au> Lutz Jaenicke wrote: > > Following up to myself: this might mean that HP-UX 11.00 might be affected > by similar problems. I don't know what version the resolver library is > based on; I only have 10.20 around... I can confirm that HP-UX 11.00 is OK. It's one of the platforms that is tested regularly on the tinderbox: http://dodgynet.dyndns.org/tinderbox/OpenSSH_Portable/status.html -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From sxw at inf.ed.ac.uk Fri Nov 21 09:50:05 2003 From: sxw at inf.ed.ac.uk (sxw at inf.ed.ac.uk) Date: Thu, 20 Nov 2003 22:50:05 +0000 (GMT) Subject: Testing of recent commits In-Reply-To: <3FBD3D19.404A1F52@zip.com.au> Message-ID: Darren, If you're interested I could probably find a machine here to do Linux GSSAPI builds for the tinderbox. Cheers, Simon. From dtucker at zip.com.au Fri Nov 21 10:19:46 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 21 Nov 2003 10:19:46 +1100 Subject: Testing of recent commits References: Message-ID: <3FBD4C12.842F03BC@zip.com.au> sxw at inf.ed.ac.uk wrote: > If you're interested I could probably find a machine here to do > Linux GSSAPI builds for the tinderbox. Sure! Better test coverage will hopefully mean less bugs in the shipping versions. You can do build only, or build-and-test. First the caveats: 1) You will be trusting anyone with OpenSSH commit access whatever privileges the tests run as. Some configs can be tested as a normal user, but some (eg PAM) require root. Note that unless you audit the code before you do "make install", you are already to a lesser degree. 2) Currently the regression tests don't test any authentication methods requiring user interaction (eg password, keyboard-interactive). It would be possible to do tests with "expect" but currently we don't. I don't know what level of interaction testing gssapi would require. 3) The machine will need to be able to run "cvs update" and send mail. I'll send you my test driver script so you can see what it does. You'll probably need to customize it. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Fri Nov 21 15:01:14 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 21 Nov 2003 15:01:14 +1100 Subject: Testing of recent commits References: Message-ID: <3FBD8E0A.1EA52896@zip.com.au> Ben Lindstrom wrote: > I could have swore I was told it was not required, but I don't have > HP/UX. And my initial check in comments actually elude to HP/UX > maybe problematic. That was just a typo, fixed in rev 1.2. > However, with your change we should do: > > pw_password = spw->sp_pwdp; > -# endif > -# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) > +# elif defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) > struct passwd_adjunct *spw; > > Because they are all exclusive cases. None of them should ever overlap. I'm not sure they are exclusive. Since we removed getprpwnam in favour of getspnam on HP-UX, I think we're currently aiming for this or equivalent on HP-UX 10.x: if issecure() use getpwanam else use getspnam What about something like the attached (untested)? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: openbsd-compat/xcrypt.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/openbsd-compat/xcrypt.c,v retrieving revision 1.5 diff -u -p -r1.5 xcrypt.c --- openbsd-compat/xcrypt.c 25 Sep 2003 10:18:34 -0000 1.5 +++ openbsd-compat/xcrypt.c 21 Nov 2003 03:53:30 -0000 @@ -96,14 +96,14 @@ shadow_pw(struct passwd *pw) pw_password = spw->sp_pwdp; # endif # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) - struct passwd_adjunct *spw; - if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) - pw_password = spw->pwa_passwd; + struct passwd_adjunct *pwa; + if (issecure() && (pwa = getpwanam(pw->pw_name)) != NULL) + pw_password = pwa->pwa_passwd; # elif defined(HAVE_SECUREWARE) - struct pr_passwd *spw = getprpwnam(pw->pw_name); + struct pr_passwd *prpw = getprpwnam(pw->pw_name); - if (spw != NULL) - pw_password = spw->ufld.fd_encrypt; + if (prpw != NULL) + pw_password = prpw->ufld.fd_encrypt; # endif return pw_password; From mouring at etoh.eviladmin.org Fri Nov 21 15:45:17 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 20 Nov 2003 22:45:17 -0600 (CST) Subject: Testing of recent commits In-Reply-To: <3FBD8E0A.1EA52896@zip.com.au> Message-ID: On Fri, 21 Nov 2003, Darren Tucker wrote: > Ben Lindstrom wrote: > > I could have swore I was told it was not required, but I don't have > > HP/UX. And my initial check in comments actually elude to HP/UX > > maybe problematic. > > That was just a typo, fixed in rev 1.2. > > > However, with your change we should do: > > > > pw_password = spw->sp_pwdp; > > -# endif > > -# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) > > +# elif defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) > > struct passwd_adjunct *spw; > > > > Because they are all exclusive cases. None of them should ever overlap. > > I'm not sure they are exclusive. Since we removed getprpwnam in favour of > getspnam on HP-UX, I think we're currently aiming for this or equivalent > on HP-UX 10.x: > Umm.. They are exclusive. You can't have HAVE_SHADOW_H (without DISABLE_SHADOW) and HAVE_SECUREWARE set without compile errors. So yes they are exclusive and your patch does change that fact. And as far as I can see as of 1.5 the patch that was posted that added !HAVE_SECUREWARE solves an existing problem. Off hand I didn't see how your patch changed that issue. - Ben From dtucker at zip.com.au Fri Nov 21 16:18:32 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 21 Nov 2003 16:18:32 +1100 Subject: Testing of recent commits References: Message-ID: <3FBDA028.D25DC40E@zip.com.au> Ben Lindstrom wrote: > > On Fri, 21 Nov 2003, Darren Tucker wrote: [snip] > > I'm not sure they are exclusive. Since we removed getprpwnam in favour of > > getspnam on HP-UX, I think we're currently aiming for this or equivalent > > on HP-UX 10.x: > > Umm.. They are exclusive. You can't have HAVE_SHADOW_H (without > DISABLE_SHADOW) and HAVE_SECUREWARE set without compile errors. So yes > they are exclusive and your patch does change that fact. You're right that the code as it currently stands is. What I was getting at was that (AFAIK, I've never seen a Trusted 10.26 box) HP-UX 10.2x has both getspnam and getspanam so you could use both if it made sense (eg one for trusted and one for non-trusted). > And as far as I can see as of 1.5 the patch that was posted that added > !HAVE_SECUREWARE solves an existing problem. > > Off hand I didn't see how your patch changed that issue. The issue was redefinition of spw, right? I just renamed it. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From cmadams at hiwaay.net Fri Nov 21 16:21:22 2003 From: cmadams at hiwaay.net (Chris Adams) Date: Thu, 20 Nov 2003 23:21:22 -0600 Subject: Testing of recent commits In-Reply-To: <1069155926.10951.61.camel@sakura.mindrot.org> References: <1069155926.10951.61.camel@sakura.mindrot.org> Message-ID: <20031121052118.GB954896@hiwaay.net> Here is an updated patch for Tru64. I ran the regression tests with no problems (had to run as root because of SIA and no sudo) except for the reconfigure test hung (had to kill it); I haven't had a chance to look at that yet. The patch changes a couple of things: - auth-sia.c: the SIA functions leave the uid=0, euid=pw->pw_uid, and the "saved set uid"=0 (this is apparently not something you can look at or set directly). setuid(0) will set all three to 0, and then permanently_set_uid() works correctly (maybe permanently_set_uid() should make the setuid(0) call as the first thing?). I think the old setreuid() call was okay, because I think the "saved set uid" is cleared on exec(), but this way is sure. - configure.ac: DISABLE_FD_PASSING only needs to be defined once, and only when building with SIA (because SIA is the problem). Also, SIA takes care of locked accounts, so the password file entry shouldn't be looked at to determine if an account is locked. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. diff -ur openssh-dist/auth-sia.c openssh/auth-sia.c --- openssh-dist/auth-sia.c Mon Jun 2 19:25:48 2003 +++ openssh/auth-sia.c Thu Nov 20 22:42:02 2003 @@ -31,6 +31,7 @@ #include "log.h" #include "servconf.h" #include "canohost.h" +#include "uidswap.h" #include #include @@ -103,8 +104,8 @@ sia_ses_release(&ent); - if (setreuid(geteuid(), geteuid()) < 0) - fatal("setreuid: %s", strerror(errno)); + setuid(0); + permanently_set_uid(pw); } #endif /* HAVE_OSF_SIA */ diff -ur openssh-dist/configure.ac openssh/configure.ac --- openssh-dist/configure.ac Wed Oct 15 01:57:57 2003 +++ openssh/configure.ac Thu Nov 20 22:07:19 2003 @@ -409,14 +409,13 @@ LIBS="$LIBS -lsecurity -ldb -lm -laud" else AC_MSG_RESULT(no) + AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin") fi fi - AC_DEFINE(DISABLE_FD_PASSING) AC_DEFINE(BROKEN_GETADDRINFO) AC_DEFINE(SETEUID_BREAKS_SETUID) AC_DEFINE(BROKEN_SETREUID) AC_DEFINE(BROKEN_SETREGID) - AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin") ;; *-*-nto-qnx) From bob at proulx.com Fri Nov 21 18:25:05 2003 From: bob at proulx.com (Bob Proulx) Date: Fri, 21 Nov 2003 00:25:05 -0700 Subject: How to tell if key is encrypted? Message-ID: <20031121072505.GA20643@misery.proulx.com> I would like to automatically deduce in a script if an ssh key is encrypted or not. Basically in a very particular application I want to be the BOFH and enforce that users place a passphrase on their id_rsa key. If they don't put a passphrase I want to send them back to ssh-keygen until they do. I have not been able to deduce a way to detect this yet. Any hints? Thanks Bob From dtucker at zip.com.au Fri Nov 21 19:35:48 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 21 Nov 2003 19:35:48 +1100 Subject: How to tell if key is encrypted? References: <20031121072505.GA20643@misery.proulx.com> Message-ID: <3FBDCE64.9528750E@zip.com.au> Bob Proulx wrote: > > I would like to automatically deduce in a script if an ssh key is > encrypted or not. Basically in a very particular application I want > to be the BOFH and enforce that users place a passphrase on their > id_rsa key. If they don't put a passphrase I want to send them back > to ssh-keygen until they do. I have not been able to deduce a way to > detect this yet. Any hints? You can try having openssl load it with a null password: Passwordless key: $ openssl rsa -in /tmp/key -passin pass: -noout read RSA key $ echo $? 0 Key with a password: $ openssl rsa -in id_rsa -passin pass: -noout read RSA key unable to load key $ echo $? 1 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From djm at mindrot.org Fri Nov 21 22:25:20 2003 From: djm at mindrot.org (Damien Miller) Date: Fri, 21 Nov 2003 11:25:20 -0000 Subject: How to tell if key is encrypted? In-Reply-To: <20031121072505.GA20643@misery.proulx.com> References: <20031121072505.GA20643@misery.proulx.com> Message-ID: <1069413869.5467.5.camel@sakura.mindrot.org> On Fri, 2003-11-21 at 18:25, Bob Proulx wrote: > I would like to automatically deduce in a script if an ssh key is > encrypted or not. Basically in a very particular application I want > to be the BOFH and enforce that users place a passphrase on their > id_rsa key. If they don't put a passphrase I want to send them back > to ssh-keygen until they do. I have not been able to deduce a way to > detect this yet. Any hints? For protocol v2 keys: if openssl rsa -noout -passin pass:none -in /path/to/key ; then echo user is a dork fi -d From carin.andersson at ericsson.com Sat Nov 22 02:48:33 2003 From: carin.andersson at ericsson.com (Carin Andersson (HF/EAB)) Date: Fri, 21 Nov 2003 16:48:33 +0100 Subject: ssh code question Message-ID: <2EFFD98DEBD6FD42AA1B21153E7359753E0568@esealnt803.al.sw.ericsson.se> Hi, I have a question about the code for version openssh 3.7.1p1. In the file ssh.cc you address ssh_session2_setup in some way: channel_register_confirm(c->self, ssh_session2_setup); Do you address the function: static void ssh_session2_setup(int id, void * args) in the same file or is it something else you address? If it is that function please tell me why the ssh_session2_setup function don't have any parameters defined. Thanks, Carin Andersson Ericsson AB From andrey at us.ibm.com Sat Nov 22 04:20:25 2003 From: andrey at us.ibm.com (Andrey Ermolinskiy) Date: Fri, 21 Nov 2003 12:20:25 -0500 Subject: question on scalability Message-ID: Hello All, We have a Linux cluster application that uses openssh as its inter-node communication mechanism and we've recently run into a problem that points to a potential scalability issue in openssh code. Our client nodes systematically open ssh connections to the server node to execute an administrative command. When establishing socket connections, the server side sometimes fails to complete the TCP handshake with some of the clients. The final ACK coming from the client node would sometimes be dropped by server-side TCP, and the corresponding connection would never be added to sshd's accept queue. This leaves the ssh client command in a hung state, as it has completed its part of the TCP handshake and is ready to exchange data over the socket. This problem reveals itself in situations where 64 or more client nodes issue concurrent ssh requests to the server. Looking at sshd.c, I noticed that the daemon's listen socket is created with a very short backlog value (5), and we are certain that this is the cause of our problem. Is there a reason for using such a small value, as opposed to setting the backlog to SOMAXCONN? We need to scale our application to clusters with thousands of nodes and we are trying to determine whether openssh would permit us to achieve these scaling requirements. If the increase of sshd's backlog has no negative implications, we would like to see this value increased to SOMAXCONN. I think that such change would make openssh a more reliable tool for clustered environments. Any help or feedback from you would be appreciated. Thanks, - Andrey Ermolinskiy From djm at mindrot.org Sat Nov 22 10:15:02 2003 From: djm at mindrot.org (Damien Miller) Date: Fri, 21 Nov 2003 23:15:02 -0000 Subject: question on scalability In-Reply-To: References: Message-ID: <1069456449.5467.98.camel@sakura.mindrot.org> On Sat, 2003-11-22 at 04:20, Andrey Ermolinskiy wrote: > Hello All, > > We have a Linux cluster application that uses openssh as its inter-node > communication mechanism and we've recently run into a problem that points > to a potential scalability issue in openssh code. > > Our client nodes systematically open ssh connections to the server node to > execute an administrative command. When establishing socket connections, > the server side sometimes fails to complete the TCP handshake with some of > the clients. The final ACK coming from the client node would sometimes be > dropped by server-side TCP, and the corresponding connection would never be > added to sshd's accept queue. This leaves the ssh client command in a hung > state, as it has completed its part of the TCP handshake and is ready to > exchange data over the socket. This sounds like a TCP problem, not a ssh problem. If the ACK is dropped by the server end, then the client should just resend? > This problem reveals itself in situations where 64 or more client nodes > issue concurrent ssh requests to the server. > > Looking at sshd.c, I noticed that the daemon's listen socket is created > with a very short backlog value (5), and we are certain that this is the > cause of our problem. Is there a reason for using such a small value, as > opposed to setting the backlog to SOMAXCONN? I'm not sure why the backlog is set low, perhaps to offer some mitigation for connection flooding DoS attacks. Markus? -d From dcole at keysoftsys.com Sat Nov 22 10:17:44 2003 From: dcole at keysoftsys.com (Darren Cole) Date: Fri, 21 Nov 2003 15:17:44 -0800 Subject: Testing of recent commits In-Reply-To: References: Message-ID: Ben, Previously UseLogin was required to be set in the config if you wanted all the security setting applied, I assume this is still reasonable. Darren Tucker's suggested patch seems reasonable, though I didn't test it either. That would remove the need for some of the defines to be exclusive. There are some similar defines in auth, and for ease of coding any changes in xcrypt probably should be reflected there as well. I don't know when I'll get a chance to get 10.26 working completely again. Some other software porting is taking a priority, but as I get a chance I'll working on fixing it. Darren On Nov 20, 2003, at 11:34, Ben Lindstrom wrote: > > I could have swore I was told it was not required, but I don't have > HP/UX. And my initial check in comments actually elude to HP/UX > maybe problematic. > > However, with your change we should do: > > pw_password = spw->sp_pwdp; > -# endif > -# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) > +# elif defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) > struct passwd_adjunct *spw; > > Because they are all exclusive cases. None of them should ever > overlap. > > If your diff plus this one passes then submit a patch and I'll take > care of it. > > - Ben From dtucker at zip.com.au Sat Nov 22 11:41:36 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 22 Nov 2003 11:41:36 +1100 Subject: zlib missing when installing openssh-3.7.1p2 References: <11C84D46FE96B4439C3CD0DA294A5F8B023EB92A@KCCLUST06EVS1.ugd.att.com> Message-ID: <3FBEB0BF.11C5BB25@zip.com.au> "Pacelli, Louis M, ALABS" wrote: > > Hi, > I apologize for sending in this problem via email, but I had trouble using bugzilla. Please use openssh-unix-dev at mindrot.org for problems with OpenSSH Portable (ie anything that's not OpenBSD). > I'm trying to install openssh-3.7.1p2 > When I run the configure step, I get the following message: > > configure:5641: checking for deflate in -lz > configure:5668: cc -o conftest -g -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURC > E_EXTENDED=1 conftest.c -lz -lnsl -lxnet -lsec >&5 > + eval $CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LI > BS >&5 > + cc -o conftest -g -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 co > nftest.c -lz -lnsl -lxnet -lsec > + 1>& 5 > /usr/ccs/bin/ld: Can't find library: "z" > configure:5671: $? = 1 > configure: failed program was: > #line 5649 "configure" > #include "confdefs.h" > > /* Override any gcc2 internal prototype to avoid an error. */ > #ifdef __cplusplus > extern "C" > #endif > /* We use char because int might match the return type of a gcc2 > builtin and then its argument prototype would still apply. */ > char deflate (); > int > main () > { > deflate (); > ; > return 0; > } > configure:5688: result: no > configure:5698: error: *** zlib missing - please install first or check config.l > > I do have zlib installed. How can I make this script find zlib? Try using --with-zlib=/path/to/zlib (eg /usr/local if that's where you installed zlib). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From stuge-openssh-unix-dev at cdy.org Sat Nov 22 14:45:59 2003 From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Sat, 22 Nov 2003 04:45:59 +0100 Subject: ssh code question In-Reply-To: <2EFFD98DEBD6FD42AA1B21153E7359753E0568@esealnt803.al.sw.ericsson.se> References: <2EFFD98DEBD6FD42AA1B21153E7359753E0568@esealnt803.al.sw.ericsson.se> Message-ID: <20031122034559.GA26862@foo.birdnet.se> On Fri, Nov 21, 2003 at 04:48:33PM +0100, Carin Andersson (HF/EAB) wrote: > Hi, > I have a question about the code for version openssh 3.7.1p1. In the file > ssh.cc you address ssh_session2_setup in some way: > channel_register_confirm(c->self, ssh_session2_setup); > > Do you address the function: static void ssh_session2_setup(int id, void > * args) in the same file or is it something else you address? > If it is that function please tell me why the ssh_session2_setup function > don't have any parameters defined. Without looking or knowing for sure, I'm guessing that the argument to that function is a callback, and when you pass pointers to functions, they never contain arguments. Since no parantheses are specified after the function name, it's not a call. Could be all out of the blue, though. //Peter From lpacelli at att.com Sat Nov 22 23:20:19 2003 From: lpacelli at att.com (Pacelli, Louis M, ALABS) Date: Sat, 22 Nov 2003 06:20:19 -0600 Subject: zlib missing when installing openssh-3.7.1p2 Message-ID: <11C84D46FE96B4439C3CD0DA294A5F8B023EB92E@KCCLUST06EVS1.ugd.att.com> Darren, Thanks for responding, but it still failed. I did as you suggested and sent a request to 'hostmaster at mindrot.org'. I appreciate your efforts. If you can think of anything else for me to try, please let me know. Thanks, Lou Pacelli (407)786-4231 -----Original Message----- From: Darren Tucker [mailto:dtucker at zip.com.au] Sent: Friday, November 21, 2003 7:42 PM To: Pacelli, Louis M, ALABS Cc: OpenSSH Devel List Subject: Re: zlib missing when installing openssh-3.7.1p2 "Pacelli, Louis M, ALABS" wrote: > > Hi, > I apologize for sending in this problem via email, but I had trouble using bugzilla. Please use openssh-unix-dev at mindrot.org for problems with OpenSSH Portable (ie anything that's not OpenBSD). > I'm trying to install openssh-3.7.1p2 > When I run the configure step, I get the following message: > > configure:5641: checking for deflate in -lz > configure:5668: cc -o conftest -g -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURC > E_EXTENDED=1 conftest.c -lz -lnsl -lxnet -lsec >&5 > + eval $CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LI > BS >&5 > + cc -o conftest -g -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 co > nftest.c -lz -lnsl -lxnet -lsec > + 1>& 5 > /usr/ccs/bin/ld: Can't find library: "z" > configure:5671: $? = 1 > configure: failed program was: > #line 5649 "configure" > #include "confdefs.h" > > /* Override any gcc2 internal prototype to avoid an error. */ > #ifdef __cplusplus > extern "C" > #endif > /* We use char because int might match the return type of a gcc2 > builtin and then its argument prototype would still apply. */ > char deflate (); > int > main () > { > deflate (); > ; > return 0; > } > configure:5688: result: no > configure:5698: error: *** zlib missing - please install first or check config.l > > I do have zlib installed. How can I make this script find zlib? Try using --with-zlib=/path/to/zlib (eg /usr/local if that's where you installed zlib). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From bovfu at rocketmail.com Sun Nov 23 02:28:55 2003 From: bovfu at rocketmail.com (Persy) Date: Sat, 22 Nov 2003 07:28:55 -0800 Subject: 88 % of men @chieved erections in 30 minutes or less Message-ID: <5731981069514935@p2218-ipad03funabasi.chiba.ocn.ne.jp> We are dedicated to providing top quality generic alternatives to high price "name brand" lifestyle medications. This generic brand of Cyalis is an emerging tablet-based oral treatment for impotency & erectile dysfunction (ED) which is now available for you to buy online. It is proving highly successful in clinical trials and is generating major interest as a real alternative to other Sildenafil-based medications. Cyalus also works much faster than Sildenafil-based medications. In clinical trials, the majority of men who took the drug were able to engage in sexual intercourse within 30 minutes or less.The studies also indicated that Cyalus stays in the system for up to 30 hours. Credit Card Processing is performed by Pay Systems, who do not reveal your credit card details to us but generate a transaction number for your order. This order id # will be used to track your order. During the first 48 hours Pay Systems perform a series of fraud checks on the transaction and then after payment is confirmed, goods are shipped (payment by US check may cause delays in shipping). A Shipping Notification is emailed to you. If more than 4 days have passed and you have received no Shipping Notification please contact us immediately. Shipment is by Registered Mail (signature required) in plain packaging and takes up to 21 days although 14-16 is most common. Cost: 20 mg Pills Price per Pill Total 8 $9.88 $79.00 20 $7.44 $149 32 $7.15 $229 44 $6.78 $299 60 $6.32 $379 72 $6.10 $439 100 $5.99 $599 128 $5.85 $749 For more information or for ordering, please visit [1]http://www.pirgen.biz References 1. http://www.pirgen.biz/ From dtucker at zip.com.au Sun Nov 23 09:39:12 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 23 Nov 2003 09:39:12 +1100 Subject: zlib missing when installing openssh-3.7.1p2 References: <11C84D46FE96B4439C3CD0DA294A5F8B023EB92E@KCCLUST06EVS1.ugd.att.com> Message-ID: <3FBFE590.D6B4EC1@zip.com.au> "Pacelli, Louis M, ALABS" wrote: [snip configure error] > > I do have zlib installed. How can I make this script find zlib? Where is zlib installed? ie where are the files zlib.h and libz.a or libz.sl? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From lpacelli at att.com Sun Nov 23 09:52:46 2003 From: lpacelli at att.com (Pacelli, Louis M, ALABS) Date: Sat, 22 Nov 2003 16:52:46 -0600 Subject: zlib missing when installing openssh-3.7.1p2 Message-ID: <11C84D46FE96B4439C3CD0DA294A5F8B023EB92F@KCCLUST06EVS1.ugd.att.com> Darren, They are in /usr/local/zlib-1.1.4 Lou -----Original Message----- From: Darren Tucker [mailto:dtucker at zip.com.au] Sent: Saturday, November 22, 2003 5:39 PM To: Pacelli, Louis M, ALABS Cc: OpenSSH Devel List Subject: Re: zlib missing when installing openssh-3.7.1p2 "Pacelli, Louis M, ALABS" wrote: [snip configure error] > > I do have zlib installed. How can I make this script find zlib? Where is zlib installed? ie where are the files zlib.h and libz.a or libz.sl? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Sun Nov 23 10:57:48 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 23 Nov 2003 10:57:48 +1100 Subject: zlib missing when installing openssh-3.7.1p2 References: <11C84D46FE96B4439C3CD0DA294A5F8B023EB92F@KCCLUST06EVS1.ugd.att.com> Message-ID: <3FBFF7FC.26E25B52@zip.com.au> "Pacelli, Louis M, ALABS" wrote: > > Darren, > They are in /usr/local/zlib-1.1.4 > Lou What does configure and the zlib section of config.log say when you do: ./configure --with-zlib=/usr/local/zlib-1.1.4 ? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From lpacelli at att.com Sun Nov 23 12:11:50 2003 From: lpacelli at att.com (Pacelli, Louis M, ALABS) Date: Sat, 22 Nov 2003 19:11:50 -0600 Subject: zlib missing when installing openssh-3.7.1p2 Message-ID: <11C84D46FE96B4439C3CD0DA294A5F8B023EB930@KCCLUST06EVS1.ugd.att.com> Darren, Thank you sooooooo much. When I ran it as you suggested below - the configure step ran fine. The make step also ran fine. When I ran the make install, the last part of the log looked as though there may be a problem: Generating public/private rsa1 key pair. Your identification has been saved in /usr/local/etc/ssh_host_key. Your public key has been saved in /usr/local/etc/ssh_host_key.pub. The key fingerprint is: cd:a5:2e:90:c7:e8:67:ac:15:32:82:4c:3f:e0:63:2f root at vandevap Generating public/private dsa key pair. Your identification has been saved in /usr/local/etc/ssh_host_dsa_key. Your public key has been saved in /usr/local/etc/ssh_host_dsa_key.pub. The key fingerprint is: 43:6e:ea:27:97:e5:d4:24:33:95:3a:a4:f0:70:7c:58 root at vandevap Generating public/private rsa key pair. Your identification has been saved in /usr/local/etc/ssh_host_rsa_key. Your public key has been saved in /usr/local/etc/ssh_host_rsa_key.pub. The key fingerprint is: 45:6a:09:ca:71:9b:65:ce:31:15:9a:50:ef:da:74:1f root at vandevap /usr/local/sbin/sshd -t -f /usr/local/etc/sshd_config Privilege separation user sshd does not exist *** Error exit code 255 (ignored) Is this OK or is something else wrong? Thanks, Lou -----Original Message----- From: Darren Tucker [mailto:dtucker at zip.com.au] Sent: Saturday, November 22, 2003 6:58 PM To: Pacelli, Louis M, ALABS Cc: OpenSSH Devel List Subject: Re: zlib missing when installing openssh-3.7.1p2 "Pacelli, Louis M, ALABS" wrote: > > Darren, > They are in /usr/local/zlib-1.1.4 > Lou What does configure and the zlib section of config.log say when you do: ./configure --with-zlib=/usr/local/zlib-1.1.4 ? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Sun Nov 23 13:34:37 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 23 Nov 2003 13:34:37 +1100 Subject: zlib missing when installing openssh-3.7.1p2 References: <11C84D46FE96B4439C3CD0DA294A5F8B023EB930@KCCLUST06EVS1.ugd.att.com> Message-ID: <3FC01CBD.E28637D5@zip.com.au> "Pacelli, Louis M, ALABS" wrote: [snip] > Privilege separation user sshd does not exist > *** Error exit code 255 (ignored) > > Is this OK or is something else wrong? It's a warning. If you're going to use PrivilegeSeparation (which is on by default) you need to create a user for it. The details are in README.privsep. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From lpacelli at att.com Sun Nov 23 21:39:08 2003 From: lpacelli at att.com (Pacelli, Louis M, ALABS) Date: Sun, 23 Nov 2003 04:39:08 -0600 Subject: zlib missing when installing openssh-3.7.1p2 Message-ID: <11C84D46FE96B4439C3CD0DA294A5F8B023EB931@KCCLUST06EVS1.ugd.att.com> Darren, Thank you again for all your help. I really appreciate it. Lou Pacelli -----Original Message----- From: Darren Tucker [mailto:dtucker at zip.com.au] Sent: Saturday, November 22, 2003 9:35 PM To: Pacelli, Louis M, ALABS Cc: OpenSSH Devel List Subject: Re: zlib missing when installing openssh-3.7.1p2 "Pacelli, Louis M, ALABS" wrote: [snip] > Privilege separation user sshd does not exist > *** Error exit code 255 (ignored) > > Is this OK or is something else wrong? It's a warning. If you're going to use PrivilegeSeparation (which is on by default) you need to create a user for it. The details are in README.privsep. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From andrey at us.ibm.com Mon Nov 24 07:56:11 2003 From: andrey at us.ibm.com (Andrey Ermolinskiy) Date: Sun, 23 Nov 2003 15:56:11 -0500 Subject: question on scalability Message-ID: > This sounds like a TCP problem, not a ssh problem. If the ACK is dropped > by the server end, then the client should just resend? The behavior that we observed is that the client end does not automatically resend the ACK. Instead, the server end goes into a backoff-retry mode, in which it waits for some time, and then resends the SYNACK to the client. This causes the client to resubmit its ACK, after which the server makes anothr attempt to place the connection on the accept queue. The waiting timeout is intially 1 second and is doubled after each retry. If, after 5 retries (as defined by tcp_synack_retries tunable), the queue is still full, the server will quietly give up and will leave the connection in SYN_RCVD state forever. This hangs the client command because the client end has already entered the ESTABLISHED state, and is sitting in a socket call, presumably waiting for data. One could argue that it's a problem in the implementation of Linux TCP, and that the server end should terminate such connections with the RESET flag. Perhaps this condition hasn't been noticed because most socket application nowadays use a much larger value for backlog (typically, SOMAXCONN). The bottom line is that if it is safe to increase the backlog in openssh, doing this would probably prevent such conditions from occurring. Regards, Andrey From Nagib.N.Chahine at boeing.com Tue Nov 25 03:19:33 2003 From: Nagib.N.Chahine at boeing.com (Chahine, Nagib N) Date: Mon, 24 Nov 2003 08:19:33 -0800 Subject: Problem running SSH on IBM PPC440 processor, help appreciated Message-ID: <4543EA9DB1099E4583484B56803D0BFA0117FD71@xch-sw-02.sw.nos.boeing.com> Hi, Sorry to bother you on this mailing list, however I tried everything else and I am desperate to get this running. Please send me any hints you can think of. I have installed openssh-3.7.1p2 on a ppc target and trying to connect to an sshd running on a redhat 9 with openssh-3.5p1. I keep getting the error "Disconnecting: Corrupted check bytes on input" no matter what I tried. I located the error message and turned debugging on in packet.c which dumps the content of the packet. What I see is a packet with length 5 bytes which confuses the client's side. I tried running the sshd version 3.7.1p2 to match the client I keep getting the same error. RUNNING WITH -1 OPTION: ----------------------- sh-2.05# ssh 192.168.1.1 -1 -l root incoming packet length= 267 read_poll plain: 0000 0000 0002 41f2 5ed2 a112 7e29 0000 0300 0006 2303 00d8 bf4a 5f8f 0f80 8fb9 6311 30d2 66cb e6e0 10c5 7cfe b7c2 60b4 ee32 97fe ed99 9606 8357 affb 10f7 578a 63ee 592c 9730 92b6 f3d2 8274 62cc 250d af16 5685 e40d d5eb b9d9 bbd8 4404 3bda 473e ccd4 6852 947d 90f9 5963 55cd 63f0 0c9b f564 e041 8100 0004 0000 0623 0400 a7f8 81dc 5627 07bc 7ab9 af88 daf8 ad7a ae43 6fbc bc8a 8f69 26e6 9481 f998 54f3 f5d5 d66d db13 366c ae9c fe6d 08c7 df7f 924c bce4 6ce9 0635 2200 b373 2b74 6d6f 96a6 4e65 3c21 a735 3e6a 6ab3 63c7 eeb4 4d1d 41c0 0c86 9818 bb0f 10df 9f8f a8dd bcc3 d3dc 807e f5dc 6080 7205 cf88 eb5d bef3 a4ce a17c 7853 70c9 ebab 7f7a 8601 0000 0002 0000 0048 0000 002c 3efb f1c5 stored_cheksum = 3efbf1c5 calculated_cheksum = 3efbf1c5 packet_send plain: 0000 0000 0303 41f2 5ed2 a112 7e29 03ff 7095 fd74 29ac 0a29 3201 8556 64bc 4b27 dc4d c8b2 e789 f1b0 7be5 899c b5a4 494e e114 7453 29f3 846e f923 5eea 35d4 07c7 c2d8 28f2 167f a5ba 01ad 6274 cfc1 c64c 9f24 da82 fbcd 6d81 1c66 4ff8 0484 1b62 12b8 d83e 37a2 00b3 abde 85f1 ca1b bf80 1864 8b6c d5c4 1ad8 819e 59b5 6331 ee5f 4814 cfb6 c439 dd42 edc0 a9f8 99fd 1969 0000 0003 705b 27e1 encrypted: 0000 0094 0000 0000 0303 41f2 5ed2 a112 7e29 03ff 7095 fd74 29ac 0a29 3201 8556 64bc 4b27 dc4d c8b2 e789 f1b0 7be5 899c b5a4 494e e114 7453 29f3 846e f923 5eea 35d4 07c7 c2d8 28f2 167f a5ba 01ad 6274 cfc1 c64c 9f24 da82 fbcd 6d81 1c66 4ff8 0484 1b62 12b8 d83e 37a2 00b3 abde 85f1 ca1b bf80 1864 8b6c d5c4 1ad8 819e 59b5 6331 ee5f 4814 cfb6 c439 dd42 edc0 a9f8 99fd 1969 0000 0003 705b 27e1 incoming packet length= 5 read_poll plain: a425 9ac0 a3f9 8a22 stored_cheksum = a3f98a22 calculated_cheksum = ec45aa79 Disconnecting: Corrupted check bytes on input. packet_send plain: 1a03 bc22 1896 9f52 0100 0000 1f43 6f72 7275 7074 6564 2063 6865 636b 2062 7974 6573 206f 6e20 696e 7075 742e 1f61 9863 encrypted: 0000 0028 f66c 265c b9d8 734d a622 507a 0ca2 1c47 37d5 6b23 d1e0 1bdd ed09 6461 3b87 df96 14a9 3698 d5e6 ee48 b758 8461 a2aa 0fc7 sh-2.05# RUNNING WITH -2 OPTION (partial dump) ------------------------------------- plain: 0000 0000 0015 encrypted: 0000 000c 0a15 0000 0000 0000 0000 0000 read_poll enc/full: 0000 0000 0000 0000 read/plain[21]: plain: 0000 0000 0005 0000 000c 7373 682d 7573 6572 6175 7468 encrypted: 442e 1233 1453 2f88 002f 2b0b e2bf d26f 38b7 eb9b dfb5 5003 6fda e4d4 ff8b 3bc0 2757 4ec5 884f e0db 94b5 e41e 5f2c 1c1d read_poll enc/full: 966f 20eb 8eb6 7ff2 5661 c8f0 7738 3de5 5e10 81e2 05ba e0af 9a0f 1cbc bc24 8687 b1bc 3e3e 13ec d372 13f8 91ae 5d18 f95e Disconnecting: Corrupted MAC on input. plain: 0000 0000 0001 0000 0002 0000 0017 436f 7272 7570 7465 6420 4d41 4320 6f6e 2069 6e70 7574 2e00 0000 00 encrypted: 9ba6 8f38 fb65 d36d 02a0 413a 2c02 debd 1a91 9f8b 305e 7614 88df 2ba1 72f7 f58e 4ecc 0398 220c 59b3 2c1d 197e 4ac4 9f30 f313 f2d4 1850 10c8 205e 3f83 45f5 b1f9 I would appreciate any hints from anyone who can give me some hints. Thanks Nagib Chahine From jakehawkes2001 at yahoo.com Tue Nov 25 03:28:13 2003 From: jakehawkes2001 at yahoo.com (Jake Hawkes) Date: Mon, 24 Nov 2003 08:28:13 -0800 (PST) Subject: OT: reasoning behind open vs. closed SSH Message-ID: <20031124162813.17280.qmail@web41211.mail.yahoo.com> Let me preface this message by saying that the "General Discusion" mailing list archived was filled with 99% spam, so I though I'd post here instead to get some real people. My employer is using SSH to replace rcp, rsh and rlogin in its UNIX products. Our experience so far is that the commercial product is slow(1), and difficult to use in scripts where standard input and output are being used, especially if not attached to a terminal. (1) This could be caused by the type of authentication we are using Also, the support is woefull. One of our guys was on-site at a customer, called SSH up for support and was told that the problem he was having is a "known bug" and there is no way around it at the moment. My question is, what reasons should we go with the commercial product? Reasons given me have been: 1 - support 2 - legal liability 3 - upgrades and patches 4 - more secure All of these seem bunk to me. My company has told me that the reasons they are going with SSH from SSH Communications Security Corp are basing on a whitepaper entitled: SSH Secure Shell vs.Open Source Secure Shell: Deployment Considerations for Enterprises, Financial Institutions, and Government Agencies Instead of trying to explain the bias the artical has, perhaps I'll just quote the opening paragraphs: ================== "This paper discusses the differences between SSH Secure Shell, a commercial Secure Shell application developed by the original inventor of the Secure Shell protocol, SSH Communications Security Corp, and an open source application, OpenSSH. Open source applications play an important role in academia, home use, non-profit organizations, and non-commercial applications. In general, open source applications are sufficient when support and downtime do not play a critical role. Commercial applications satisfy the critical business needs of enterprises, government agencies, and financial institutions. Commercial applications provide features that are developed specifically to address customer needs and are supported by a professional organization. Many open source applications lack robust features that are needed in today?s business environments, including quick resolution to support issues." ================== Footnote: "? 2003 SSH Communications Security Corp. All rights reserved. ssh is a registered trademark of SSH Communications Security Corp in the United States and in certain other jurisdictions. The SSH logo, SSH2, and SSH Secure Shell are trademarks of SSH Communications Security Corp and may be registered in certain jurisdictions. All other names and marks are the property of their respective owners." ================== [ Full whitepaper available here http://www.infinitylimited.net/code/SSH%20vs%20OpenSSH%20-%20March%202003_FINAL.pdf ] Does anyone have any comments? ===== Jacob Hawkes, B. Eng (CSE) jakehawkes2001 at yahoo.com http://www.infinitylimited.net/ __________________________________ Do you Yahoo!? Free Pop-Up Blocker - Get it now http://companion.yahoo.com/ From wendyp at cray.com Tue Nov 25 06:33:16 2003 From: wendyp at cray.com (Wendy Palm) Date: Mon, 24 Nov 2003 13:33:16 -0600 Subject: OT: reasoning behind open vs. closed SSH References: <20031124162813.17280.qmail@web41211.mail.yahoo.com> Message-ID: <3FC25CFC.6070906@cray.com> All I have to add is that we have quite a few really, really big customers who are using OpenSSH enterprise-wide and won't touch commercial ssh. These customers include commercial, educational, and federal government. I decided several years ago to port OpenSSH rather than commercial ssh for all our architectures due to the effective support I felt the open source community provided to the product. Besides the cost issue, we've found that any problem found (especially in the security arena) has been responded to very promptly and the open discussion regarding features and other bugs have aided debugging efforts significantly. Our customers recognize that and were very positive about OpenSSH rather than commercial ssh. I feel that OpenSSH's activities since my decision was made have validated my decision. Any security bug that has been found has been fixed and released much faster by OpenSSH than SSH Communications. If you're on the CERT list, you can tell. I've never come across a bug in OpenSSH that caused downtime in a released system. let's address the issues one at a time i'd be interested to see what evidence Bob Toxen has for the 4-1 ratio of bugs. Technical support - OpenSSH has an open mailing list and the ability for anyone to review the mail archives for bug reports and general discussion. granted, there is no guarantee of response, but the question is leveled at a much larger audience and generally, the questions that remain unanswered are resolved offline or for an unusual OS (that often companies just refuse to port to anyway). 'll let Ben or Marcus respond to the technical questions and regarding ssh and openssh interoperability. It's not an issue my customers have complained about. I'm pretty sure they all use OpenSSH exclusively. total cost of ownership - I completely disagree with the statement- "When major events occur, internal support for OpenSSH is time-consuming and can be very frustrating". I have found that fixed releases of OpenSSH come out much quicker than I expect. The paragraphs regarding pre-compiled binaries and support are so subjective that it's difficult to answer. Because I build and provide binaries to our customers, and do all the testing and debugging they mention, my customers don't have this problem. The worst thing that's happened to them is not enough entropy. liability - This is the real issue - This is the real balance that customers need to think about regarding commercial vs open source. Any site can get hacked into. Certifications - our customers have had no problem with security audits using OpenSSH. Embedded OpenSSH - Cray offers OpenSSH in an optional package. I provide pre-compiled binaries and support recompiled versions. I release 2-3 times per year and provide fix packages as needed. I've never seen anyone respond to a question with "that's a wierd configuration, we don't support it" in the mail archives. I've often seen "what is it you are trying to do?" and "here's how you do it". These are my opinions, I hope they help rather than confuse. Wendy Palm, Cray Inc. Jake Hawkes wrote: > Let me preface this message by saying that the "General Discusion" mailing list archived was > filled with 99% spam, so I though I'd post here instead to get some real people. > > My employer is using SSH to replace rcp, rsh and rlogin in its UNIX products. > > Our experience so far is that the commercial product is slow(1), and difficult to use in scripts > where standard input and output are being used, especially if not attached to a terminal. > > (1) This could be caused by the type of authentication we are using > > Also, the support is woefull. One of our guys was on-site at a customer, called SSH up for > support and was told that the problem he was having is a "known bug" and there is no way around it > at the moment. > > My question is, what reasons should we go with the commercial product? Reasons given me have > been: > 1 - support > 2 - legal liability > 3 - upgrades and patches > 4 - more secure > > All of these seem bunk to me. > > My company has told me that the reasons they are going with SSH from SSH Communications Security > Corp are basing on a whitepaper entitled: > > SSH Secure Shell vs.Open Source Secure Shell: > Deployment Considerations for Enterprises, Financial Institutions, and Government Agencies > > Instead of trying to explain the bias the artical has, perhaps I'll just quote the opening > paragraphs: > > ================== > "This paper discusses the differences between SSH Secure Shell, a commercial Secure Shell > application developed by the original inventor of the Secure Shell protocol, SSH Communications > Security Corp, and an open source application, OpenSSH. > > Open source applications play an important role in academia, home use, non-profit organizations, > and non-commercial applications. In general, open source applications are sufficient when support > and downtime do not play a critical role. > > Commercial applications satisfy the critical business needs of enterprises, government agencies, > and financial institutions. Commercial applications provide features that are developed > specifically to address customer needs and are supported by a professional organization. Many open > source applications lack robust features that are needed in today's business environments, > including quick resolution to support issues." > ================== > Footnote: > > "? 2003 SSH Communications Security Corp. All rights reserved. ssh is a registered > trademark of SSH Communications Security Corp in the United States and in certain other > jurisdictions. The SSH logo, SSH2, and SSH Secure Shell are trademarks of SSH Communications > Security Corp and may be registered in certain jurisdictions. All other names and marks are the > property of their respective owners." > ================== > [ Full whitepaper available here > http://www.infinitylimited.net/code/SSH%20vs%20OpenSSH%20-%20March%202003_FINAL.pdf ] > > Does anyone have any comments? > > > > ===== > Jacob Hawkes, B. Eng (CSE) > jakehawkes2001 at yahoo.com > http://www.infinitylimited.net/ > > __________________________________ > Do you Yahoo!? > Free Pop-Up Blocker - Get it now > http://companion.yahoo.com/ > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > -- wendy palm Cray Open Software Development, Cray Inc. wendyp at cray.com, 651-605-9154 From dcr8520 at amiga.org Tue Nov 25 05:37:02 2003 From: dcr8520 at amiga.org (Diego Casorran) Date: Mon, 24 Nov 2003 20:37:02 +0200 Subject: OpenSSH on AmigaOS... Message-ID: Hello!, I have succesfuly compiled OpenSSH on the AmigaOS platform.....all seems to work fine by now...except by sshd, it fail in monitor.c(monitor_sockletpair): socketpair() func with errno #46...so, I was wondering if there is some alternative I can use here ?. any help appreciated. Kind regards ps.: excuse my bad english.. -- Diego CR - http://Amiga.SourceForge.net Me encanta el trabajo... Me puedo sentar y ver como lo hacen durante horas. From markus at openbsd.org Tue Nov 25 04:44:40 2003 From: markus at openbsd.org (Markus Friedl) Date: Mon, 24 Nov 2003 18:44:40 +0100 Subject: Problem running SSH on IBM PPC440 processor, help appreciated Message-ID: <20031124174440.GC2143@folly> so is the packet decrypted correctly? or are both the HMAC and the decrypted packet wrong? In-Reply-To: <4543EA9DB1099E4583484B56803D0BFA0117FD71 at xch-sw-02.sw.nos.boeing.com> On Mon, Nov 24, 2003 at 08:19:33AM -0800, Chahine, Nagib N wrote: > Hi, > > Sorry to bother you on this mailing list, however I tried everything else and I am desperate to get this running. Please send me any hints you can think of. > > I have installed openssh-3.7.1p2 on a ppc target and trying to connect to an sshd running on a redhat 9 with openssh-3.5p1. I keep getting the error "Disconnecting: Corrupted check bytes on input" no matter what I tried. I located the error message and turned debugging on in packet.c which dumps the content of the packet. What I see is a packet with length 5 bytes which confuses the client's side. I tried running the sshd version 3.7.1p2 to match the client I keep getting the same error. From tim at multitalents.net Tue Nov 25 07:06:15 2003 From: tim at multitalents.net (Tim Rice) Date: Mon, 24 Nov 2003 12:06:15 -0800 (PST) Subject: OpenSSH on AmigaOS... In-Reply-To: References: Message-ID: On Mon, 24 Nov 2003, Diego Casorran wrote: > Hello!, > > I have succesfuly compiled OpenSSH on the AmigaOS platform.....all seems to > work fine by now...except by sshd, it fail in monitor.c(monitor_sockletpair): > socketpair() func with errno #46...so, I was wondering if there is some > alternative I can use here ?. > > any help appreciated. Does the problem go away if you put "UsePrivilegeSeparation no" in your sshd_config ? > > Kind regards > > ps.: excuse my bad english.. > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From Nagib.N.Chahine at boeing.com Tue Nov 25 07:50:29 2003 From: Nagib.N.Chahine at boeing.com (Chahine, Nagib N) Date: Mon, 24 Nov 2003 12:50:29 -0800 Subject: Problem running SSH on IBM PPC440 processor, help appreciated Message-ID: <4543EA9DB1099E4583484B56803D0BFA0119C0CC@xch-sw-02.sw.nos.boeing.com> I am not able to tell whether it is decripted correctly, however as you see from the messages, I know the connection is established correctly, one message is received and decoded correctly since the checksum matches, howver one message coming from the server with length 5 bytes gets handled incorrectly by the client which yields to a bad checksum. Any ideas?? Nagib -----Original Message----- From: Markus Friedl [mailto:markus at openbsd.org] Sent: Mon 11/24/2003 9:44 AM To: Chahine, Nagib N Cc: openssh-unix-dev at mindrot.org Subject: Re: Problem running SSH on IBM PPC440 processor, help appreciated so is the packet decrypted correctly? or are both the HMAC and the decrypted packet wrong? In-Reply-To: <4543EA9DB1099E4583484B56803D0BFA0117FD71 at xch-sw-02.sw.nos.boeing.com> On Mon, Nov 24, 2003 at 08:19:33AM -0800, Chahine, Nagib N wrote: > Hi, > > Sorry to bother you on this mailing list, however I tried everything else and I am desperate to get this running. Please send me any hints you can think of. > > I have installed openssh-3.7.1p2 on a ppc target and trying to connect to an sshd running on a redhat 9 with openssh-3.5p1. I keep getting the error "Disconnecting: Corrupted check bytes on input" no matter what I tried. I located the error message and turned debugging on in packet.c which dumps the content of the packet. What I see is a packet with length 5 bytes which confuses the client's side. I tried running the sshd version 3.7.1p2 to match the client I keep getting the same error. From gert at greenie.muc.de Tue Nov 25 08:37:00 2003 From: gert at greenie.muc.de (Gert Doering) Date: Mon, 24 Nov 2003 22:37:00 +0100 Subject: OT: reasoning behind open vs. closed SSH In-Reply-To: <20031124162813.17280.qmail@web41211.mail.yahoo.com>; from jakehawkes2001@yahoo.com on Mon, Nov 24, 2003 at 08:28:13AM -0800 References: <20031124162813.17280.qmail@web41211.mail.yahoo.com> Message-ID: <20031124223659.V23021@greenie.muc.de> Hi, On Mon, Nov 24, 2003 at 08:28:13AM -0800, Jake Hawkes wrote: > Does anyone have any comments? A customer of mine uses OpenSSH to manage a large network of AIX machines installed all over the country (replacing the old telnet/rlogin based method). "It just works". (It didn't work at all times, but in those cases I've usually been able to figure out myself why it didn't work, and that was much quicker than the usual commercial hotline support you get - "have you upgraded to the latest version? your problem might automagically disappear if you do!") gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From mouring at etoh.eviladmin.org Tue Nov 25 15:09:05 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 24 Nov 2003 22:09:05 -0600 (CST) Subject: OT: reasoning behind open vs. closed SSH In-Reply-To: <20031124162813.17280.qmail@web41211.mail.yahoo.com> Message-ID: On Mon, 24 Nov 2003, Jake Hawkes wrote: > Let me preface this message by saying that the "General Discusion" > mailing list archived was filled with 99% spam, so I though I'd post > here instead to get some real people. > Hmm.. real people? I've been accused of a lot of things, but being a real person is not one. > My employer is using SSH to replace rcp, rsh and rlogin in its UNIX > products. > > Our experience so far is that the commercial product is slow(1), and > difficult to use in scripts where standard input and output are being > used, especially if not attached to a terminal. > Would be interesting to know what the problem is and if OpenSSH comes closer to solving it. > (1) This could be caused by the type of authentication we are using > > Also, the support is woefull. One of our guys was on-site at a > customer, called SSH up for support and was told that the problem he > was having is a "known bug" and there is no way around it at the moment. > > My question is, what reasons should we go with the commercial product? > Reasons given me have been: > 1 - support > 2 - legal liability This one has urked me. Everyone keeps claiming, "Oh closed source products are better due to legal liability." However when you ask any commerical company if they will pay for any product destruction or breach to a system. You'll see most of them laugh you out of the room. Not implying we provide any liability, but we don't pretend to do so either. > 3 - upgrades and patches > 4 - more secure > The rest are subject at best. > All of these seem bunk to me. > > My company has told me that the reasons they are going with SSH from > SSH Communications Security Corp are basing on a whitepaper entitled: > "Does your company depend on any Open Source products?" - Linux / OpenBSD / FreeBSD / NetBSD? - GCC? - Snort? - Apache? - Tomcat? If the answer is yes. Then you need to seriously suggest the person making the decision re-evaluate how business is done. Maybe they need to replace any open source product (or freeware) being used with commerical only. I think track record and community involvement speak volumes (Commerical and Open Source. Anyone skimming OpenSSH-UNIX-Dev@ list would see posts from NASA, IBM, Sun, Cray, HP, Redhat, Debian, US Military, universities (students and Systems admin), etc. And others prefer privacy in their questions and contact the team or individual developers. Would be great if half of the groups that contacted me would post here. It is impressive where OpenSSH is used. I hate statistical stuff myself and this one is getting dated: http://www.openssh.com/usage/ssh-stats.html (I believe there may be a newer versions somewhere.) It is also nice to know that OpenSSH and the greater OpenBSD team has someone awake 24/7 to review security issues and wake up enough of the OpenSSH team if a security release has to be done. As for technical, I've always been a fan of "let the product speak for itself". The more hot air you need to blow the more the company is covering up for their flaws. - Ben From chris at obelix.hedonism.cx Tue Nov 25 18:35:16 2003 From: chris at obelix.hedonism.cx (Christian Vogel) Date: Tue, 25 Nov 2003 08:35:16 +0100 Subject: OT: reasoning behind open vs. closed SSH In-Reply-To: ; from mouring@etoh.eviladmin.org on Mon, Nov 24, 2003 at 10:09:05PM -0600 References: <20031124162813.17280.qmail@web41211.mail.yahoo.com> Message-ID: <20031125083516.A1994@obelix.frop.org> Hi Ben, On Mon, Nov 24, 2003 at 10:09:05PM -0600, Ben Lindstrom wrote: > > 2 - legal liability > This one has urked me. Everyone keeps claiming, "Oh closed source > products are better due to legal liability." However when you ask any > commerical company if they will pay for any product destruction or breach > to a system. You'll see most of them laugh you out of the room. It's not about what the contract or license-agreement says, it's just about what the pointy-haired *think* when they buy something from $BIGNAME. Say, if they feel that some bug was introduced very negligent, they might just want to sue $BIGNAME anyhow, instead of 100 different individuals in the Free/OpenSource case...[1] Chris [1] This is not meant as an judgement about ssh.com but rather about commercial software in general! -- The problem with bad plans is, for each one created, there's an idiot somewhere willing to carry it out -- Kirk Mitchell From dtucker at zip.com.au Tue Nov 25 21:07:02 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 25 Nov 2003 21:07:02 +1100 Subject: Problem running SSH on IBM PPC440 processor, help appreciated References: <4543EA9DB1099E4583484B56803D0BFA0119C0CC@xch-sw-02.sw.nos.boeing.com> Message-ID: <3FC329C5.1346719F@zip.com.au> On Mon, Nov 24, 2003 at 08:19:33AM -0800, Chahine, Nagib N wrote: > I have installed openssh-3.7.1p2 on a ppc target and trying to > connect to an sshd running on a redhat 9 with openssh-3.5p1. I keep getting > the error "Disconnecting: Corrupted check bytes on input" no matter what I tried. When you built OpenSSL, did you run the "make test" target, and did all the tests pass? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From markus at openbsd.org Tue Nov 25 21:36:08 2003 From: markus at openbsd.org (Markus Friedl) Date: Tue, 25 Nov 2003 11:36:08 +0100 Subject: Problem running SSH on IBM PPC440 processor, help appreciated In-Reply-To: <4543EA9DB1099E4583484B56803D0BFA0119C0CC@xch-sw-02.sw.nos.boeing.com> References: <4543EA9DB1099E4583484B56803D0BFA0119C0CC@xch-sw-02.sw.nos.boeing.com> Message-ID: <20031125103608.GA29713@folly> On Mon, Nov 24, 2003 at 12:50:29PM -0800, Chahine, Nagib N wrote: > I am not able to tell whether it is decripted correctly, however as you see from the messages, I know the connection is established correctly, one message is received and decoded correctly since the checksum matches, howver one message coming from the server with length 5 bytes gets handled incorrectly by the client which yields to a bad checksum. if you want to figure out if encryption/decryption is broken you should enable this kind of debugging on both hosts and compare the plaintext/encrypted packets. From lpacelli at att.com Tue Nov 25 22:25:09 2003 From: lpacelli at att.com (Pacelli, Louis M, ALABS) Date: Tue, 25 Nov 2003 05:25:09 -0600 Subject: zlib/openssl/openssh for Solaris Message-ID: <11C84D46FE96B4439C3CD0DA294A5F8B1B579D@KCCLUST06EVS1.ugd.att.com> Darren, I went to install zlib/openssl and openssh on one of my Sun Servers(Solaris 2.7) and they would not install. Is there a website where I can get Sun versions of these products? Thanks, Lou -----Original Message----- From: Darren Tucker [mailto:dtucker at zip.com.au] Sent: Saturday, November 22, 2003 9:35 PM To: Pacelli, Louis M, ALABS Cc: OpenSSH Devel List Subject: Re: zlib missing when installing openssh-3.7.1p2 "Pacelli, Louis M, ALABS" wrote: [snip] > Privilege separation user sshd does not exist > *** Error exit code 255 (ignored) > > Is this OK or is something else wrong? It's a warning. If you're going to use PrivilegeSeparation (which is on by default) you need to create a user for it. The details are in README.privsep. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Tue Nov 25 22:39:21 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 25 Nov 2003 22:39:21 +1100 Subject: zlib/openssl/openssh for Solaris References: <11C84D46FE96B4439C3CD0DA294A5F8B1B579D@KCCLUST06EVS1.ugd.att.com> Message-ID: <3FC33F69.5639D3F7@zip.com.au> "Pacelli, Louis M, ALABS" wrote: > > Darren, > I went to install zlib/openssl and openssh on one of my Sun > Servers(Solaris 2.7) and they would not install. Is there a website > where I can get Sun versions of these products? Try sunfreeware.com for pre-compiled binaries. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From lpacelli at att.com Tue Nov 25 22:45:34 2003 From: lpacelli at att.com (Pacelli, Louis M, ALABS) Date: Tue, 25 Nov 2003 05:45:34 -0600 Subject: zlib/openssl/openssh for Solaris Message-ID: <11C84D46FE96B4439C3CD0DA294A5F8B023EB93C@KCCLUST06EVS1.ugd.att.com> Darren, As always - thank you for your prompt support. Have a Happy Thanksgiving. Lou -----Original Message----- From: Darren Tucker [mailto:dtucker at zip.com.au] Sent: Tuesday, November 25, 2003 6:39 AM To: Pacelli, Louis M, ALABS Cc: OpenSSH Devel List Subject: Re: zlib/openssl/openssh for Solaris "Pacelli, Louis M, ALABS" wrote: > > Darren, > I went to install zlib/openssl and openssh on one of my Sun > Servers(Solaris 2.7) and they would not install. Is there a website > where I can get Sun versions of these products? Try sunfreeware.com for pre-compiled binaries. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From mouring at etoh.eviladmin.org Wed Nov 26 01:41:37 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 25 Nov 2003 08:41:37 -0600 (CST) Subject: OT: reasoning behind open vs. closed SSH In-Reply-To: <20031125083516.A1994@obelix.frop.org> Message-ID: On Tue, 25 Nov 2003, Christian Vogel wrote: > Hi Ben, > > On Mon, Nov 24, 2003 at 10:09:05PM -0600, Ben Lindstrom wrote: > > > 2 - legal liability > > This one has urked me. Everyone keeps claiming, "Oh closed source > > products are better due to legal liability." However when you ask any > > commerical company if they will pay for any product destruction or breach > > to a system. You'll see most of them laugh you out of the room. > > It's not about what the contract or license-agreement says, > it's just about what the pointy-haired *think* when they buy something > from $BIGNAME. Say, if they feel that some bug was introduced very negligent, > they might just want to sue $BIGNAME anyhow, instead of 100 different > individuals in the Free/OpenSource case...[1] > But you see that is the problem. The EULA denies you that right (at least in the US). It has been upheld in a handful of lawsuits. Which is where the problem lies. CEO of the company can imagine all he wants to about suing his vendor, but unless it is a contractual breach he has zero rights to do so. Otherwise Microsoft would be sued back to the dark aged after the last year or two worth of damaged caused by "negliect". In the limited cases where a EULA may allow indeminification the upper limit on the risk is normally the cost of the shrinkwrap software. Which would barely cover the cost of someone looking in the direction of the damaged machine. The only argument I can give from a CEO standpoint about wanting a company is the ability to call up their CEO/President and bitch them out for not supporting a "loyal customer". As a result I may get a free mouse pad and reassurance that the problem is being "looked at". And I walk away with a false warm fuzzy. =) Honestly, I'd rather have someone speak straight up to me. - Ben From rjb38 at drexel.edu Wed Nov 26 02:55:31 2003 From: rjb38 at drexel.edu (Rich Bishop) Date: Tue, 25 Nov 2003 10:55:31 -0500 Subject: Strange behaviour w/ Solaris9 + pam_ldap + openssh 3.7.1p2 Message-ID: <3FC37B73.4050500@drexel.edu> Hello, I have a Solaris 9 system which is using Sun's pam_ldap to access user & group information in a Netscape 4.16DS. This was working fine until I upgraded ssh on the box. However, now I'm using 3.7.1p2 with pam support I have the following problem: If a user (local or ldap) enters the correct password everything works fine. Entering a wrong password results in the sshd process becoming unresponsive, until it eventually times out as set by LoginGraceTime in sshd_config. Normally, sshd should prompt for a password a number of times before closing the connection. Running sshd in debug mode under truss shows it going into a sleep state. I've done some searching on this - I found http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106743975716923&w=2 on the sshd-devel list but there are no follow ups as yet. I've been in touch with the original poster, but he hasn't resolved the problem. I'd be happy to provide any debugging information that would be useful in diagnosing the problem. Any assistance would be greatly appreciated. Thanks, Rich From Nagib.N.Chahine at boeing.com Wed Nov 26 03:14:05 2003 From: Nagib.N.Chahine at boeing.com (Chahine, Nagib N) Date: Tue, 25 Nov 2003 08:14:05 -0800 Subject: Problem running SSH on IBM PPC440 processor, help appreciated Message-ID: <4543EA9DB1099E4583484B56803D0BFA0119C0CD@xch-sw-02.sw.nos.boeing.com> Hi Darren, Thanks for your response, however there is no test target in the Makefile. There is a logintest: target and when I make it I get the following error: (cd openbsd-compat && make) make[1]: Entering directory `/home/nchahine/openssh-3.7.1p2/openbsd-compat' make[1]: Nothing to be done for `all'. make[1]: Leaving directory `/home/nchahine/openssh-3.7.1p2/openbsd-compat' gcc -o logintest logintest.o -L. -Lopenbsd-compat/ loginrec.o -lopenbsd-compat -lssh -lutil -l ./libssh.a(log.o): In function `do_log': /home/nchahine/openssh-3.7.1p2/log.c:396: undefined reference to `strnvis' /home/nchahine/openssh-3.7.1p2/log.c:396: relocation truncated to fit: R_PPC_REL24 strnvis collect2: ld returned 1 exit status make: *** [logintest] Error 1 -----Original Message----- From: Darren Tucker [mailto:dtucker at zip.com.au] Sent: Tue 11/25/2003 2:07 AM To: Chahine, Nagib N Cc: openssh-unix-dev at mindrot.org Subject: Re: Problem running SSH on IBM PPC440 processor, help appreciated On Mon, Nov 24, 2003 at 08:19:33AM -0800, Chahine, Nagib N wrote: > I have installed openssh-3.7.1p2 on a ppc target and trying to > connect to an sshd running on a redhat 9 with openssh-3.5p1. I keep getting > the error "Disconnecting: Corrupted check bytes on input" no matter what I tried. When you built OpenSSL, did you run the "make test" target, and did all the tests pass? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From mouring at etoh.eviladmin.org Wed Nov 26 03:39:56 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 25 Nov 2003 10:39:56 -0600 (CST) Subject: Problem running SSH on IBM PPC440 processor, help appreciated In-Reply-To: <4543EA9DB1099E4583484B56803D0BFA0119C0CD@xch-sw-02.sw.nos.boeing.com> Message-ID: On Tue, 25 Nov 2003, Chahine, Nagib N wrote: > Hi Darren, > > Thanks for your response, however there is no test target in the > Makefile. There is a logintest: target and when I make it I get the > following error: > Try with an 's'. make tests - Ben From Nagib.N.Chahine at boeing.com Wed Nov 26 04:38:40 2003 From: Nagib.N.Chahine at boeing.com (Chahine, Nagib N) Date: Tue, 25 Nov 2003 09:38:40 -0800 Subject: Problem running SSH on IBM PPC440 processor, help appreciated Message-ID: <4543EA9DB1099E4583484B56803D0BFA0119C0CE@xch-sw-02.sw.nos.boeing.com> Thanks Ben, I was looking for test: and missed it. Ok when I make tests I get the following error: sh-2.05# make tests (cd openbsd-compat && make) make[1]: Entering directory `/home/nchahine/openssh-3.7.1p2/openbsd-compat' make[1]: Nothing to be done for `all'. make[1]: Leaving directory `/home/nchahine/openssh-3.7.1p2/openbsd-compat' /usr/bin/ar rv libssh.a authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o cor - authfd.o r - authfile.o r - bufaux.o r - buffer.o r - canohost.o r - channels.o r - cipher.o r - cipher-aes.o r - cipher-bf1.o r - cipher-ctr.o r - cipher-3des1.o r - compat.o r - compress.o r - crc32.o r - deattack.o r - fatal.o r - hostfile.o r - log.o r - match.o r - moduli.o r - mpaux.o r - nchan.o r - packet.o r - readpass.o r - rsa.o r - tildexpand.o r - ttymodes.o r - xmalloc.o r - atomicio.o r - key.o r - dispatch.o r - kex.o r - mac.o r - uuencode.o r - misc.o r - rijndael.o r - ssh-dss.o r - ssh-rsa.o r - dh.o r - kexdh.o r - kexgex.o r - kexdhc.o r - kexgexc.o r - scard.o r - msg.o r - progressmeter.o r - dns.o r - entropy.o r - scard-opensc.o r - gss-genr.o ranlib libssh.a BUILDDIR=`pwd`; \ [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ [ -f `pwd`/regress/Makefile ] || \ ln -s ./regress/Makefile `pwd`/regress/Makefile ; \ TEST_SSH_SSH="${BUILDDIR}/ssh"; \ TEST_SSH_SSHD="${BUILDDIR}/sshd"; \ TEST_SSH_SSHAGENT="${BUILDDIR}/ssh-agent"; \ TEST_SSH_SSHADD="${BUILDDIR}/ssh-add"; \ TEST_SSH_SSHKEYGEN="${BUILDDIR}/ssh-keygen"; \ TEST_SSH_SSHKEYSCAN="${BUILDDIR}/ssh-keyscan"; \ TEST_SSH_SFTP="${BUILDDIR}/sftp"; \ TEST_SSH_SFTPSERVER="${BUILDDIR}/sftp-server"; \ cd ./regress || exit $?; \ make \ .OBJDIR="${BUILDDIR}/regress" \ .CURDIR="`pwd`" \ BUILDDIR="${BUILDDIR}" \ OBJ="${BUILDDIR}/regress/" \ PATH="${BUILDDIR}:${PATH}" \ TEST_SSH_SSH="${TEST_SSH_SSH}" \ TEST_SSH_SSHD="${TEST_SSH_SSHD}" \ TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}" \ TEST_SSH_SSHADD="${TEST_SSH_SSHADD}" \ TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" \ TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" \ TEST_SSH_SFTP="${TEST_SSH_SFTP}" \ TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}" \ EXEEXT="" \ tests make[1]: Entering directory `/home/nchahine/openssh-3.7.1p2/regress' ssh-keygen -if /home/nchahine/openssh-3.7.1p2/regress/rsa_ssh2.prv | diff - /home/nchahine/openvcat /home/nchahine/openssh-3.7.1p2/regress/rsa_openssh.prv > /home/nchahine/openssh-3.7.1p2/regtchmod 600 /home/nchahine/openssh-3.7.1p2/regress//t2.out ssh-keygen -yf /home/nchahine/openssh-3.7.1p2/regress//t2.out | diff - /home/nchahine/openssh-3bssh-keygen -ef /home/nchahine/openssh-3.7.1p2/regress/rsa_openssh.pub >/home/nchahine/openssh-3bssh-keygen -if /home/nchahine/openssh-3.7.1p2/regress//rsa_secsh.pub | diff - /home/nchahine/opbrm -f /home/nchahine/openssh-3.7.1p2/regress/rsa_secsh.pub ssh-keygen -lf /home/nchahine/openssh-3.7.1p2/regress/rsa_openssh.pub |\ awk '{print $2}' | diff - /home/nchahine/openssh-3.7.1p2/regress/t4.ok 1c1 < 12:a7:8f:c9:3b:8c:bb:df:62:fc:a1:19:07:5d:2e:fd --- > 3b:dd:44:e9:49:18:84:95:f1:e7:33:6b:9d:93:b1:36 make[1]: *** [t4] Error 1 make[1]: Leaving directory `/home/nchahine/openssh-3.7.1p2/regress' make: *** [tests] Error 2 sh-2.05# Any clue?? Nagib -----Original Message----- From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org] Sent: Tue 11/25/2003 8:39 AM To: Chahine, Nagib N Cc: Darren Tucker; openssh-unix-dev at mindrot.org Subject: RE: Problem running SSH on IBM PPC440 processor, help appreciated On Tue, 25 Nov 2003, Chahine, Nagib N wrote: > Hi Darren, > > Thanks for your response, however there is no test target in the > Makefile. There is a logintest: target and when I make it I get the > following error: > Try with an 's'. make tests - Ben From Nagib.N.Chahine at boeing.com Wed Nov 26 05:01:15 2003 From: Nagib.N.Chahine at boeing.com (Chahine, Nagib N) Date: Tue, 25 Nov 2003 10:01:15 -0800 Subject: Problem running SSH on IBM PPC440 processor, help appreciated Message-ID: <4543EA9DB1099E4583484B56803D0BFA0119C0CF@xch-sw-02.sw.nos.boeing.com> I ran make tests on my x86 redhat9.0 installation and got a lot further however, after running few tests is stopped here: run test rekey.sh ... run test stderr-data.sh ... make[1]: *** [t-exec] Error 1 make: *** [tests] Error 2 -----Original Message----- From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org] Sent: Tue 11/25/2003 8:39 AM To: Chahine, Nagib N Cc: Darren Tucker; openssh-unix-dev at mindrot.org Subject: RE: Problem running SSH on IBM PPC440 processor, help appreciated On Tue, 25 Nov 2003, Chahine, Nagib N wrote: > Hi Darren, > > Thanks for your response, however there is no test target in the > Makefile. There is a logintest: target and when I make it I get the > following error: > Try with an 's'. make tests - Ben From tim at multitalents.net Wed Nov 26 05:29:12 2003 From: tim at multitalents.net (Tim Rice) Date: Tue, 25 Nov 2003 10:29:12 -0800 (PST) Subject: Problem running SSH on IBM PPC440 processor, help appreciated In-Reply-To: <4543EA9DB1099E4583484B56803D0BFA0119C0CD@xch-sw-02.sw.nos.boeing.com> References: <4543EA9DB1099E4583484B56803D0BFA0119C0CD@xch-sw-02.sw.nos.boeing.com> Message-ID: On Tue, 25 Nov 2003, Chahine, Nagib N wrote: > Hi Darren, > > Thanks for your response, however there is no test target in the Makefile. There is a logintest: target and when I make it I get the following error: > > (cd openbsd-compat && make) > make[1]: Entering directory `/home/nchahine/openssh-3.7.1p2/openbsd-compat' Darren asked you if OpenSSL's "make test" passed not OpenSSH. -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From dcr8520 at amiga.org Wed Nov 26 05:36:49 2003 From: dcr8520 at amiga.org (Diego Casorran) Date: Tue, 25 Nov 2003 20:36:49 +0200 Subject: OpenSSH on AmigaOS... In-Reply-To: Message-ID: Hello Tim, El lunes (24-11-2003), decias: > Does the problem go away if you put "UsePrivilegeSeparation no" in > your sshd_config ? ups..yes, although now seems to have a real problem.. seems like it could not read the file passwd, I tryed to link sshd with -lcrypt (as say the faq for Slackware) without luck... any idea? Thx, Kind regards -- Diego CR - http://Amiga.SourceForge.net Los pol?ticos deben leer ciencia ficci?n, no novelas del oeste e historias de detectives. -- Arthur C. Clarke From dcole at keysoftsys.com Wed Nov 26 06:47:43 2003 From: dcole at keysoftsys.com (Darren Cole) Date: Tue, 25 Nov 2003 11:47:43 -0800 Subject: OT: reasoning behind open vs. closed SSH In-Reply-To: <20031124162813.17280.qmail@web41211.mail.yahoo.com> References: <20031124162813.17280.qmail@web41211.mail.yahoo.com> Message-ID: <3BFE224F-1F80-11D8-97B3-000A95E310BA@keysoftsys.com> Jake, One company I worked for licensed the code from ssh to make modifications to the source, so that it supported their flavor of unix as they wanted it to. Eventually they moved to openssh. Another place (large hosting company during the height of the .com boom). Made custom modifications, and wouldn't even considered using anything but openssh. Currently I work on a HP-UX 10.26, and the only reasonable option for us is to port it ourselves. That is a whole lot cheaper using openssh, and easier. I'm on rare platform, that hardly anyone uses. Still the people on openssh list have been far more helpfully that any commercial support I have delt with. Besides I can always look at the actually mail archive, and figure out what is going on, or look at the code. It is has also generally be easier and faster than anytime I have tried to go through tech support. Granted in some cases it can be harder, or impossible to get open source through audits and certifications. Though I have only ever seen or heard of those problems was with some high assurance applications (such as US DoD related work, or similar). Darren Cole Software Engineer From Nagib.N.Chahine at boeing.com Wed Nov 26 06:49:08 2003 From: Nagib.N.Chahine at boeing.com (Chahine, Nagib N) Date: Tue, 25 Nov 2003 11:49:08 -0800 Subject: Problem running SSH on IBM PPC440 processor, help appreciated Message-ID: <4543EA9DB1099E4583484B56803D0BFA0117FD73@xch-sw-02.sw.nos.boeing.com> Sorry, I thought it was a mistype... What is SSL, did I not install something required?? Nagib -----Original Message----- From: Tim Rice [mailto:tim at multitalents.net] Sent: Tuesday, November 25, 2003 10:29 AM To: Chahine, Nagib N Cc: Darren Tucker; openssh-unix-dev at mindrot.org Subject: RE: Problem running SSH on IBM PPC440 processor, help appreciated On Tue, 25 Nov 2003, Chahine, Nagib N wrote: > Hi Darren, > > Thanks for your response, however there is no test target in the Makefile. There is a logintest: target and when I make it I get the following error: > > (cd openbsd-compat && make) > make[1]: Entering directory `/home/nchahine/openssh-3.7.1p2/openbsd-compat' Darren asked you if OpenSSL's "make test" passed not OpenSSH. -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From mouring at etoh.eviladmin.org Wed Nov 26 06:54:06 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 25 Nov 2003 13:54:06 -0600 (CST) Subject: OpenSSH on AmigaOS... In-Reply-To: Message-ID: On Tue, 25 Nov 2003, Diego Casorran wrote: > > Hello Tim, > > El lunes (24-11-2003), decias: > > > Does the problem go away if you put "UsePrivilegeSeparation no" in > > your sshd_config ? > > ups..yes, although now seems to have a real problem.. seems like it could > not read the file passwd, I tryed to link sshd with -lcrypt (as say the faq > for Slackware) without luck... any idea? > > I've not touched AmigaOS in years, but what are you using for a password file? Is it in the same format as most UNIXes? What style of password encryption? (des? md5?) - Ben From dtucker at zip.com.au Wed Nov 26 15:09:04 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 26 Nov 2003 15:09:04 +1100 Subject: Problem running SSH on IBM PPC440 processor, help appreciated References: <4543EA9DB1099E4583484B56803D0BFA0117FD73@xch-sw-02.sw.nos.boeing.com> Message-ID: <3FC42760.DE79E819@zip.com.au> "Chahine, Nagib N" wrote: > > Sorry, I thought it was a mistype... > What is SSL, did I not install something required?? OpenSSL is what OpenSSH uses for its crypto functions (libcrypto.[a|so|sl]). It's required to build OpenSSH, so if you didn't install it yourself you probably have it as a system library. It looks like you may be having some kind of crypto problem, and verifying OpenSSL's functionality on your taget platform would be useful in tracking down your problem. BTW, what OS and compiler are you using on your PPC system? (I don't think you specified earlier, but I might have missed it.) -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Wed Nov 26 17:58:03 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 26 Nov 2003 17:58:03 +1100 Subject: Strange behaviour w/ Solaris9 + pam_ldap + openssh 3.7.1p2 References: <3FC37B73.4050500@drexel.edu> Message-ID: <3FC44EFB.A5E54033@zip.com.au> Rich Bishop wrote: > > I have a Solaris 9 system which is using Sun's pam_ldap to access user & > group information in a Netscape 4.16DS. This was working fine until I > upgraded ssh on the box. However, now I'm using 3.7.1p2 with pam support > I have the following problem: > > If a user (local or ldap) enters the correct password everything works > fine. Entering a wrong password results in the sshd process becoming > unresponsive, until it eventually times out as set by LoginGraceTime in > sshd_config. Normally, sshd should prompt for a password a number of > times before closing the connection. Running sshd in debug mode under > truss shows it going into a sleep state. > > I've done some searching on this - I found > http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106743975716923&w=2 > on the sshd-devel list but there are no follow ups as yet. I've been in > touch with the original poster, but he hasn't resolved the problem. I'd > be happy to provide any debugging information that would be useful in > diagnosing the problem. It sounds like the PAM authentication thread is crashing (or possibly deadlocking) for some reason. If it's crashing, you can provide some useful diagnostics thusly: 1) Check if sshd left a core in / 1a) otherwise, turn on core dump saving with coreadm (sorry, can't provide more detail at the moment). 1b) run sshd until the problem occurs. 2) If ssh produces a core, feed it to gdb and provide a backtrace. In the build directory, run gdb ./sshd /path/to/core and at the gdb prompt, type "bt". Save the core dump and copy of sshd from the build dir (it has the debugging symbols) in case more info is required. You could also try a current snapshot as there have been several PAM-related fixes since the 3.7.1p2 release. Also, possibly related: http://bugzilla.mindrot.org/show_bug.cgi?id=740 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dcr8520 at amiga.org Wed Nov 26 17:00:04 2003 From: dcr8520 at amiga.org (Diego Casorran) Date: Wed, 26 Nov 2003 08:00:04 +0200 Subject: OpenSSH on AmigaOS... In-Reply-To: Message-ID: Hola Ben, El martes (25-11-2003), decias: > I've not touched AmigaOS in years, but what are you using for a password > file? Is it in the same format as most UNIXes? What style of password > encryption? (des? md5?) Im using GeekGadgets, do you know it? it is a BSD based unix emulation enviroment (www.geekgadgets.org), it is for Amiga what Cygwin is for Windows (but better :), and as you may noticed the crypt style are MD5. Kind regards. -- Diego CR - http://Amiga.SourceForge.net La ?nica cosa que hace que Dios no envie otra inundaci?n es que la primera no sirvi? de nada. -- Chamfort From mouring at etoh.eviladmin.org Wed Nov 26 18:21:50 2003 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 26 Nov 2003 01:21:50 -0600 (CST) Subject: OpenSSH on AmigaOS... In-Reply-To: Message-ID: On Wed, 26 Nov 2003, Diego Casorran wrote: > > Hola Ben, > > El martes (25-11-2003), decias: > > > I've not touched AmigaOS in years, but what are you using for a password > > file? Is it in the same format as most UNIXes? What style of password > > encryption? (des? md5?) > > Im using GeekGadgets, do you know it? it is a BSD based unix emulation > enviroment (www.geekgadgets.org), it is for Amiga what Cygwin is for > Windows (but better :), and as you may noticed the crypt style are MD5. > > And you did: ./configure [..] --with-md5-passwords ? Otherwise it will default to deshash. - Ben From S.Hamelsveld at rf.rabobank.nl Thu Nov 27 00:47:33 2003 From: S.Hamelsveld at rf.rabobank.nl (Hamelsveld van, S (Sven)) Date: Wed, 26 Nov 2003 14:47:33 +0100 Subject: Info Message-ID: <34C4E1392F32A549B9F2573F48F1A76E08004960@AMPHION.rabobank.corp> Hi, I've got a wee question. I log on to system A and there I'll load my .profile. From there I start an ssh session to system B and there I would like to have the same .profile as on system A. Is there a way I can use ssh for that ?? The reason I'm asking this is that on system B its a functional unix account and not everyone wants to have the same .profile. I cant use automount options bacause of all our firewalls :-) If anyone can helpme that would be great. Sven ================================================ De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is uitsluitend bestemd voor de geadresseerde. Indien u dit bericht onterecht ontvangt, wordt u verzocht de inhoud niet te gebruiken en de afzender direct te informeren door het bericht te retourneren. ================================================ The information contained in this message may be confidential and is intended to be exclusively for the addressee. Should you receive this message unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail. From luc at suryo.com Wed Nov 26 15:25:41 2003 From: luc at suryo.com (Luc I. Suryo) Date: Tue, 25 Nov 2003 21:25:41 -0700 Subject: 64 bits/solaris : last/utmp/wtmp error Message-ID: <20031126042541.GA29034@voyager.suryo.com> hello tried the archives without success so hoping someone remember the fix. if compiled 64 bits openssh will not add a correct entry in wtmpx and the data/info get corrupted... so someone remembers what needed to be done to fix this? thanks -ls From Nagib.N.Chahine at boeing.com Thu Nov 27 03:30:52 2003 From: Nagib.N.Chahine at boeing.com (Chahine, Nagib N) Date: Wed, 26 Nov 2003 08:30:52 -0800 Subject: Problem running SSH on IBM PPC440 processor, help appreciated Message-ID: <4543EA9DB1099E4583484B56803D0BFA0119C0D0@xch-sw-02.sw.nos.boeing.com> I am running PPC kernel 2.4.21 gcc 2.95.4 from ELDK kit. I will try installing openSSL myself and run the test and see what happen. Thanks Nagib -----Original Message----- From: Darren Tucker [mailto:dtucker at zip.com.au] Sent: Tue 11/25/2003 8:09 PM To: Chahine, Nagib N Cc: openssh-unix-dev at mindrot.org Subject: Re: Problem running SSH on IBM PPC440 processor, help appreciated "Chahine, Nagib N" wrote: > > Sorry, I thought it was a mistype... > What is SSL, did I not install something required?? OpenSSL is what OpenSSH uses for its crypto functions (libcrypto.[a|so|sl]). It's required to build OpenSSH, so if you didn't install it yourself you probably have it as a system library. It looks like you may be having some kind of crypto problem, and verifying OpenSSL's functionality on your taget platform would be useful in tracking down your problem. BTW, what OS and compiler are you using on your PPC system? (I don't think you specified earlier, but I might have missed it.) -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dan at doxpara.com Thu Nov 27 02:12:43 2003 From: dan at doxpara.com (Dan Kaminsky) Date: Wed, 26 Nov 2003 07:12:43 -0800 Subject: Info In-Reply-To: <34C4E1392F32A549B9F2573F48F1A76E08004960@AMPHION.rabobank.corp> References: <34C4E1392F32A549B9F2573F48F1A76E08004960@AMPHION.rabobank.corp> Message-ID: <3FC4C2EB.1030403@doxpara.com> Just write a simple script that allows people to launch profiles for themselve on demand. So, the user types in: $ setup bob_dobbs which then goes and runs: source .profdirs/bob_dobbs/.profile Simple. --Dan Hamelsveld van, S (Sven) wrote: >Hi, > >I've got a wee question. I log on to system A and there I'll load my .profile. From there I start an ssh session to system B and there I would like to have the same .profile as on system A. > >Is there a way I can use ssh for that ?? The reason I'm asking this is that on system B its a functional unix account and not everyone wants to have the same .profile. > >I cant use automount options bacause of all our firewalls :-) > >If anyone can helpme that would be great. > >Sven > > > > > >================================================ >De informatie opgenomen in dit bericht kan vertrouwelijk zijn en >is uitsluitend bestemd voor de geadresseerde. Indien u dit bericht >onterecht ontvangt, wordt u verzocht de inhoud niet te gebruiken en >de afzender direct te informeren door het bericht te retourneren. >================================================ >The information contained in this message may be confidential >and is intended to be exclusively for the addressee. Should you >receive this message unintentionally, please do not use the contents >herein and notify the sender immediately by return e-mail. >_______________________________________________ >openssh-unix-dev mailing list >openssh-unix-dev at mindrot.org >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > From rjb38 at drexel.edu Thu Nov 27 04:23:29 2003 From: rjb38 at drexel.edu (Rich Bishop) Date: Wed, 26 Nov 2003 12:23:29 -0500 Subject: Strange behaviour w/ Solaris9 + pam_ldap + openssh 3.7.1p2 In-Reply-To: <3FC44EFB.A5E54033@zip.com.au> References: <3FC37B73.4050500@drexel.edu> <3FC44EFB.A5E54033@zip.com.au> Message-ID: <3FC4E191.8090809@drexel.edu> Darren Tucker wrote: >Rich Bishop wrote: > > >>I have a Solaris 9 system which is using Sun's pam_ldap to access user & >>group information in a Netscape 4.16DS. This was working fine until I >>upgraded ssh on the box. However, now I'm using 3.7.1p2 with pam support >>I have the following problem: >> >>If a user (local or ldap) enters the correct password everything works >>fine. Entering a wrong password results in the sshd process becoming >>unresponsive, until it eventually times out as set by LoginGraceTime in >>sshd_config. Normally, sshd should prompt for a password a number of >>times before closing the connection. Running sshd in debug mode under >>truss shows it going into a sleep state. >> >>I've done some searching on this - I found >>http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106743975716923&w=2 >>on the sshd-devel list but there are no follow ups as yet. I've been in >>touch with the original poster, but he hasn't resolved the problem. I'd >>be happy to provide any debugging information that would be useful in >>diagnosing the problem. >> >> > >It sounds like the PAM authentication thread is crashing (or possibly >deadlocking) for some reason. If it's crashing, you can provide some >useful diagnostics thusly: > >1) Check if sshd left a core in / >1a) otherwise, turn on core dump saving with coreadm (sorry, can't provide >more detail at the moment). >1b) run sshd until the problem occurs. >2) If ssh produces a core, feed it to gdb and provide a backtrace. In the >build directory, run gdb ./sshd /path/to/core and at the gdb prompt, type >"bt". > >Save the core dump and copy of sshd from the build dir (it has the >debugging symbols) in case more info is required. > >You could also try a current snapshot as there have been several >PAM-related fixes since the 3.7.1p2 release. > >Also, possibly related: >http://bugzilla.mindrot.org/show_bug.cgi?id=740 > > > I get the same behaviour from the latested snapshot After a little messing around I got a coredump I could use. Here's the backtrace (from release 3.7.1p2): #0 0x00030e54 in sshpam_thread_conv (n=1, msg=0xffbfb1a4, resp=0xffbff210, data=0x0) at auth-pam.c:168 #1 0xfeb24ecc in __get_authtok () from /usr/lib/security/pam_ldap.so.1 #2 0xfeb22678 in pam_sm_authenticate () from /usr/lib/security/pam_ldap.so.1 #3 0xff382e04 in run_stack () from /usr/lib/libpam.so.1 #4 0xff38310c in pam_authenticate () from /usr/lib/libpam.so.1 #5 0x00030fc8 in sshpam_thread (ctxtp=0x7a138) at auth-pam.c:230 #6 0x00030d3c in pthread_create (thread=0x7a138, attr=0x0, thread_start=0x30f4c , arg=0x0) at auth-pam.c:89 #7 0x00031350 in sshpam_init_ctx (authctxt=0x7a138) at auth-pam.c:367 #8 0x0002b778 in mm_answer_pam_init_ctx (socket=5, m=0xffbff528) at monitor.c:825 #9 0x0002aea0 in monitor_read (pmonitor=0x70018, ent=0x68fb4, pent=0xffbff5ac) at monitor.c:413 #10 0x0002ab0c in monitor_child_preauth (pmonitor=0x70018) at monitor.c:299 #11 0x0001a404 in privsep_preauth () at sshd.c:595 #12 0x0001b584 in main (ac=7884, av=0x7) at sshd.c:1472 Let me know if there's anything more I can provide (although I'll be away for Thankgiving weekend after today). Regards, Rich From dcr8520 at amiga.org Thu Nov 27 07:00:46 2003 From: dcr8520 at amiga.org (Diego Casorran) Date: Wed, 26 Nov 2003 22:00:46 +0200 Subject: OpenSSH on AmigaOS... In-Reply-To: Message-ID: Hola Ben, El mi?rcoles (26-11-2003), decias: > And you did: > > ./configure [..] --with-md5-passwords ? ups... no.. to avoid reconfiguration I have edited by hand md5crypt.c and openbsd-compat/xcrypt.c adding HAVE_MD5_PASSWORDS, and recompiled sshd, but unfortunately still doenst work :( Also, there seems to have other problem, since after the third pass intent the daemon exit itself, so may the password problem is due something else...(?) btw, I have compiled everything with -Dfork=vfork, due fork() is broken on AmigaOS v3.x ... but I think this is not the problem, (right?), as the others tools seems to work just fine.... Kind Regards. -- Diego CR - http://Amiga.SourceForge.net No s? con que armas se luchar? en la Tercera Guerra Mundial, pero en la Cuarta Guerra Mundial se luchar? con palos y piedras. -- Albert Einstein From djm at mindrot.org Thu Nov 27 10:15:29 2003 From: djm at mindrot.org (Damien Miller) Date: Thu, 27 Nov 2003 10:15:29 +1100 Subject: OpenSSH on AmigaOS... In-Reply-To: References: Message-ID: <3FC53411.10105@mindrot.org> Diego Casorran wrote: > btw, I have compiled everything with -Dfork=vfork, due fork() is broken on > AmigaOS v3.x ... but I think this is not the problem, (right?), as the others > tools seems to work just fine.... gah! vfork() is very different to fork(), no wonder you have problems. -d From Nagib.N.Chahine at boeing.com Thu Nov 27 10:44:05 2003 From: Nagib.N.Chahine at boeing.com (Chahine, Nagib N) Date: Wed, 26 Nov 2003 15:44:05 -0800 Subject: Problem running SSH on IBM PPC440 processor, help appreciated Message-ID: <4543EA9DB1099E4583484B56803D0BFA0119C0D1@xch-sw-02.sw.nos.boeing.com> To David and all who helped thanks.... What I had to do is the following: Install openSSl 0.9.7c and OpenSSH 3.7.1p2 on both my x86 redhat 9 system and my PPC target. Once installed everything works fine. I beleive my problem was openSSL mismatch between the client and server. Thanks Nagib -----Original Message----- From: Darren Tucker [mailto:dtucker at zip.com.au] Sent: Tue 11/25/2003 8:09 PM To: Chahine, Nagib N Cc: openssh-unix-dev at mindrot.org Subject: Re: Problem running SSH on IBM PPC440 processor, help appreciated "Chahine, Nagib N" wrote: > > Sorry, I thought it was a mistype... > What is SSL, did I not install something required?? OpenSSL is what OpenSSH uses for its crypto functions (libcrypto.[a|so|sl]). It's required to build OpenSSH, so if you didn't install it yourself you probably have it as a system library. It looks like you may be having some kind of crypto problem, and verifying OpenSSL's functionality on your taget platform would be useful in tracking down your problem. BTW, what OS and compiler are you using on your PPC system? (I don't think you specified earlier, but I might have missed it.) -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Thu Nov 27 12:26:45 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 27 Nov 2003 12:26:45 +1100 Subject: Problem running SSH on IBM PPC440 processor, help appreciated References: <4543EA9DB1099E4583484B56803D0BFA0119C0D1@xch-sw-02.sw.nos.boeing.com> Message-ID: <3FC552D5.B3F744E7@zip.com.au> "Chahine, Nagib N" wrote: > > To David and all who helped thanks.... > What I had to do is the following: > Install openSSl 0.9.7c and OpenSSH 3.7.1p2 on both my x86 redhat 9 > system and my PPC target. Once installed everything works fine. > I beleive my problem was openSSL mismatch between the client and server. I'm happy that it's now working for you. Barring bugs, a mismatch between OpenSSL library versions should make no difference (otherwise we would se *way* more interop problems), so I think it's more like likely that there was some kind of problem with one of the installations of OpenSSL. Since OpenSSL is compiled with very high optimization, it tends to push the envelope of compilers harder than most software. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Nov 28 00:31:14 2003 From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 27 Nov 2003 14:31:14 +0100 Subject: Testing of recent commits In-Reply-To: <20031119074148.GA29726@serv01.aet.tu-cottbus.de> References: <1069155926.10951.61.camel@sakura.mindrot.org> <20031118144331.GA32723@cygbert.vinschen.de> <3FBABA33.A8DB4A64@zip.com.au> <20031119074148.GA29726@serv01.aet.tu-cottbus.de> Message-ID: <20031127133114.GA18382@serv01.aet.tu-cottbus.de> On Wed, Nov 19, 2003 at 08:41:48AM +0100, Lutz Jaenicke wrote: > On Wed, Nov 19, 2003 at 11:32:51AM +1100, Darren Tucker wrote: > > That change matched one synced from OpenBSD where all of the "#ifdef DNS" > > fragments vanished. Maybe portable needs them back, or needs some dummy > > resolver functions in openbsd-compat? There's a chance some other > > platforms will have the same issue too. ... > I have Bind 8 libraries installed on my system, so I gave it another try: > ---------------------------------------------------------------------- > OpenSSH has been configured with the following options: > User binaries: /usr/local/openssh1/bin > System binaries: /usr/local/openssh1/sbin > Configuration files: /etc/ssh1 > Askpass program: /usr/local/openssh1/libexec/ssh-askpass > Manual pages: /usr/local/openssh1/man/manX > PID file: /var/run1 > Privilege separation chroot path: /var/empty > sshd default user PATH: /usr/local/openssh1/bin:/usr/bin:/usr/local/ > bin > Manpage format: man > DNS support: > PAM support: no > KerberosV support: no > Smartcard support: no > S/KEY support: no > TCP Wrappers support: yes > MD5 password support: no > IP address in $DISPLAY hack: yes > Translate v4 in v6 hack: no > BSD Auth support: no > Random number source: OpenSSL internal ONLY > > Host: hppa2.0-hp-hpux10.20 > Compiler: cc -Ae > Compiler flags: -g -Ae +DAportable > Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include -D_HPUX_SOURC > E -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -I/usr/local/bind/include > Linker flags: -L/usr/local/ssl/lib -L/usr/local/lib -L/usr/local/bind/lib > Libraries: -lwrap -lz -lxnet -lsec -lbind -lcrypto > ---------------------------------------------------------------------- > > This time it will break in a more subtle manner: > Bind 8 include files come with its own . By specifying > -I/usr/local/bind/include the from Bind 8 will be used instead > of the system file. As -D_XOPEN_SOURCE_EXTENDED=1 is specified in the > HP-UX 10.20 configuration, htons() etc macros are no longer handled by > but by . The shipped with > Bind 8 however does not know about this subtle difference: it does not > include this macros such that linking fails due to undefined symbols of > htons() and friends. > (You may consider this to be a bug in the Bind 8 distribution; I would however > recommend to handle the DNS resolver lib problem inside OpenSSH instead > of requiring the installation of a "patched up" Bind 8 on HP-UX 10.20. > Note: I have verified that this issue is still valid up to 8.4.1) Updated information: I have now installed the latest Bind 8.4.3, still having this issue. After modifying the arpa/inet.h file provided as part of Bind 8 to include the necessary macros, OpenSSH compiles and passes regression tests (CVS as of 27 Nov 03). I have filed a bug report againts Bind 8 on HP-UX 10.20, which has been assigned [ISC-Bugs #10026]. Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Nov 28 03:09:07 2003 From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 27 Nov 2003 17:09:07 +0100 Subject: Testing of recent commits In-Reply-To: <20031127133114.GA18382@serv01.aet.tu-cottbus.de> References: <1069155926.10951.61.camel@sakura.mindrot.org> <20031118144331.GA32723@cygbert.vinschen.de> <3FBABA33.A8DB4A64@zip.com.au> <20031119074148.GA29726@serv01.aet.tu-cottbus.de> <20031127133114.GA18382@serv01.aet.tu-cottbus.de> Message-ID: <20031127160906.GA15854@serv01.aet.tu-cottbus.de> On Thu, Nov 27, 2003 at 02:31:14PM +0100, Lutz Jaenicke wrote: > Updated information: > I have now installed the latest Bind 8.4.3, still having this issue. > After modifying the arpa/inet.h file provided as part of Bind 8 to include > the necessary macros, OpenSSH compiles and passes regression tests > (CVS as of 27 Nov 03). > I have filed a bug report againts Bind 8 on HP-UX 10.20, which has been > assigned [ISC-Bugs #10026]. Ok. I have now concluded my tests: I have installed Bind 9.2.3-libraries on HP-UX 10.20 (so far I have only been using named from 9.x because the libraries are called "experimental" in the docs). I have been able to successfully build and "make tests" after some adjustments: - During "configure" I had to specify -I/usr/local/bind9/include and -L/usr/local/bind9/lib (optional, will depend on the setup) and had to set "-llwres -ldns" and "-DLWRES" (mandatory). - This will succeed during build (with HAVE_GETRRSETBYNAME manually set in config.h) but does fail during configure: there is no getrrsetbyname() in the libraries but a lwres_getrrsetbyname() function. The mapping is done in a macro in lwres/netdb.h which is correctly called from dns.c when LWRES is defined. In the automatic recognition in "configure", lwres/netdb.h is however not included, thus routine is not found as required. Sorry, I am not fluent in autoconf, so I cannot provide a patch. To summarize options for HP-UX 10.20: 1) make DNS support optional again 2) have people install Bind 8 and patch arpa/inet.h 3) have people install Bind 9 and fix the autoconf handling to actually support this setup. Option 1) will cause the least amount of traffic on the list and still allows people to choose "--with-dns" and 2) or 3). Options 2) and 3) will most likely lead to repeated problem reports for HP-UX 10.20 (don't know how widespread this version actually is). Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus From cejkar at fit.vutbr.cz Fri Nov 28 04:37:08 2003 From: cejkar at fit.vutbr.cz (Rudolf Cejka) Date: Thu, 27 Nov 2003 18:37:08 +0100 Subject: Question about adding another parameter for OpenSSH Message-ID: <20031127173708.GA71816@fit.vutbr.cz> Hello, I need to allow for some people to execute ssh with one shared private key for remote executing command on various machines. However, it is not possible to set group permissions for private keys and it is possible to have just one private key file for one user. Please, is it possible to add patches into openssh development tree like these, so that standard behavior of ssh is not changed, but when option GroupPrivateKey is used with ssh, it is allowed to have group readable private key? Thank you very much. --- authfile.c.orig Thu Nov 27 15:01:01 2003 +++ authfile.c Thu Nov 27 16:50:39 2003 @@ -496,7 +496,7 @@ } static int -key_perm_ok(int fd, const char *filename) +key_perm_ok(int fd, const char *filename, int group_private_key) { struct stat st; @@ -510,7 +510,10 @@ #ifdef HAVE_CYGWIN if (check_ntsec(filename)) #endif - if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) { + if ((!group_private_key + && (st.st_uid == getuid()) && (st.st_mode & 077) != 0) + || (group_private_key && (st.st_uid == getuid() + || st.st_gid == getgid()) && (st.st_mode & 007) != 0)) { error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @"); error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); @@ -525,14 +528,14 @@ Key * key_load_private_type(int type, const char *filename, const char *passphrase, - char **commentp) + char **commentp, int group_private_key) { int fd; fd = open(filename, O_RDONLY); if (fd < 0) return NULL; - if (!key_perm_ok(fd, filename)) { + if (!key_perm_ok(fd, filename, group_private_key)) { error("bad permissions: ignore key: %s", filename); close(fd); return NULL; @@ -558,7 +561,7 @@ Key * key_load_private(const char *filename, const char *passphrase, - char **commentp) + char **commentp, int group_private_key) { Key *pub, *prv; int fd; @@ -566,7 +569,7 @@ fd = open(filename, O_RDONLY); if (fd < 0) return NULL; - if (!key_perm_ok(fd, filename)) { + if (!key_perm_ok(fd, filename, group_private_key)) { error("bad permissions: ignore key: %s", filename); close(fd); return NULL; --- authfile.h.orig Thu Nov 27 16:28:31 2003 +++ authfile.h Thu Nov 27 16:28:42 2003 @@ -18,8 +18,8 @@ int key_save_private(Key *, const char *, const char *, const char *); Key *key_load_public(const char *, char **); Key *key_load_public_type(int, const char *, char **); -Key *key_load_private(const char *, const char *, char **); -Key *key_load_private_type(int, const char *, const char *, char **); +Key *key_load_private(const char *, const char *, char **, int); +Key *key_load_private_type(int, const char *, const char *, char **, int); Key *key_load_private_pem(int, int, const char *, char **); #endif --- readconf.c.orig Thu Nov 27 18:04:27 2003 +++ readconf.c Thu Nov 27 18:06:49 2003 @@ -105,7 +105,7 @@ oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, - oDeprecated, oUnsupported + oGroupPrivateKey, oDeprecated, oUnsupported } OpCodes; /* Textual representations of the tokens. */ @@ -188,6 +188,7 @@ { "rekeylimit", oRekeyLimit }, { "connecttimeout", oConnectTimeout }, { "addressfamily", oAddressFamily }, + { "groupprivatekey", oGroupPrivateKey }, { NULL, oBadOption } }; @@ -732,6 +733,10 @@ intptr = &options->enable_ssh_keysign; goto parse_flag; + case oGroupPrivateKey: + intptr = &options->group_private_key; + goto parse_flag; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); @@ -859,6 +864,7 @@ options->no_host_authentication_for_localhost = - 1; options->rekey_limit = - 1; options->verify_host_key_dns = -1; + options->group_private_key = -1; } /* @@ -973,6 +979,8 @@ options->rekey_limit = 0; if (options->verify_host_key_dns == -1) options->verify_host_key_dns = 0; + if (options->group_private_key == -1) + options->group_private_key = 0; /* options->proxy_command should not be set by default */ /* options->user will be set in the main program if appropriate */ /* options->hostname will be set in the main program if appropriate */ --- readconf.h.orig Thu Nov 27 15:19:30 2003 +++ readconf.h Thu Nov 27 15:20:11 2003 @@ -87,6 +87,7 @@ int num_identity_files; /* Number of files for RSA/DSA identities. */ char *identity_files[SSH_MAX_IDENTITY_FILES]; Key *identity_keys[SSH_MAX_IDENTITY_FILES]; + int group_private_key; /* Local TCP/IP forward requests. */ int num_local_forwards; --- ssh.c.orig Thu Nov 27 16:31:08 2003 +++ ssh.c Thu Nov 27 16:30:46 2003 @@ -634,11 +634,13 @@ PRIV_START; sensitive_data.keys[0] = key_load_private_type(KEY_RSA1, - _PATH_HOST_KEY_FILE, "", NULL); + _PATH_HOST_KEY_FILE, "", NULL, options.group_private_key); sensitive_data.keys[1] = key_load_private_type(KEY_DSA, - _PATH_HOST_DSA_KEY_FILE, "", NULL); + _PATH_HOST_DSA_KEY_FILE, "", NULL, + options.group_private_key); sensitive_data.keys[2] = key_load_private_type(KEY_RSA, - _PATH_HOST_RSA_KEY_FILE, "", NULL); + _PATH_HOST_RSA_KEY_FILE, "", NULL, + options.group_private_key); PRIV_END; if (options.hostbased_authentication == 1 && --- ssh_config.5.orig Thu Nov 27 17:40:32 2003 +++ ssh_config.5 Thu Nov 27 18:03:02 2003 @@ -349,6 +349,15 @@ Specifies a file to use for the global host key database instead of .Pa /etc/ssh/ssh_known_hosts . +.It Cm GroupPrivateKey +If this flag is set to +.Dq yes , +ssh will allow to have private key file with group permissions set. +If the option is set to +.Dq no , +only user is allowed to own the private key file. +The default is +.Dq no . .It Cm GSSAPIAuthentication Specifies whether authentication based on GSSAPI may be used, either using the result of a successful key exchange, or using GSSAPI user --- sshconnect1.c.orig Thu Nov 27 16:31:20 2003 +++ sshconnect1.c Thu Nov 27 16:32:05 2003 @@ -243,7 +243,8 @@ if (public->flags & KEY_FLAG_EXT) private = public; else - private = key_load_private_type(KEY_RSA1, authfile, "", NULL); + private = key_load_private_type(KEY_RSA1, authfile, "", NULL, + options.group_private_key); if (private == NULL && !options.batch_mode) { snprintf(buf, sizeof(buf), "Enter passphrase for RSA key '%.100s': ", comment); @@ -251,7 +252,8 @@ passphrase = read_passphrase(buf, 0); if (strcmp(passphrase, "") != 0) { private = key_load_private_type(KEY_RSA1, - authfile, passphrase, NULL); + authfile, passphrase, NULL, + options.group_private_key); quit = 0; } else { debug2("no passphrase given, try next key"); --- sshconnect2.c.orig Thu Nov 27 16:31:25 2003 +++ sshconnect2.c Thu Nov 27 16:36:38 2003 @@ -967,7 +967,8 @@ debug3("no such identity: %s", filename); return NULL; } - private = key_load_private_type(KEY_UNSPEC, filename, "", NULL); + private = key_load_private_type(KEY_UNSPEC, filename, "", NULL, + options.group_private_key); if (private == NULL) { if (options.batch_mode) return NULL; @@ -977,7 +978,8 @@ passphrase = read_passphrase(prompt, 0); if (strcmp(passphrase, "") != 0) { private = key_load_private_type(KEY_UNSPEC, filename, - passphrase, NULL); + passphrase, NULL, + options.group_private_key); quit = 0; } else { debug2("no passphrase given, try next key"); --- sshd.c.orig Thu Nov 27 16:33:07 2003 +++ sshd.c Thu Nov 27 16:35:19 2003 @@ -966,7 +966,7 @@ sensitive_data.have_ssh2_key = 0; for (i = 0; i < options.num_host_key_files; i++) { - key = key_load_private(options.host_key_files[i], "", NULL); + key = key_load_private(options.host_key_files[i], "", NULL, 0); sensitive_data.host_keys[i] = key; if (key == NULL) { error("Could not load host key: %s", --- ssh-add.c.orig Thu Nov 27 18:14:33 2003 +++ ssh-add.c Thu Nov 27 18:15:04 2003 @@ -142,12 +142,12 @@ return -1; } /* At first, try empty passphrase */ - private = key_load_private(filename, "", &comment); + private = key_load_private(filename, "", &comment, 0); if (comment == NULL) comment = xstrdup(filename); /* try last */ if (private == NULL && pass != NULL) - private = key_load_private(filename, pass, NULL); + private = key_load_private(filename, pass, NULL, 0); if (private == NULL) { /* clear passphrase since it did not work */ clear_pass(); @@ -160,7 +160,8 @@ xfree(comment); return -1; } - private = key_load_private(filename, pass, &comment); + private = key_load_private(filename, pass, + &comment, 0); if (private != NULL) break; clear_pass(); --- ssh-keygen.c.orig Thu Nov 27 18:15:47 2003 +++ ssh-keygen.c Thu Nov 27 18:16:19 2003 @@ -127,14 +127,14 @@ char *pass; Key *prv; - prv = key_load_private(filename, "", NULL); + prv = key_load_private(filename, "", NULL, 0); if (prv == NULL) { if (identity_passphrase) pass = xstrdup(identity_passphrase); else pass = read_passphrase("Enter passphrase: ", RP_ALLOW_STDIN); - prv = key_load_private(filename, pass, NULL); + prv = key_load_private(filename, pass, NULL, 0); memset(pass, 0, strlen(pass)); xfree(pass); } @@ -560,7 +560,7 @@ exit(1); } /* Try to load the file with empty passphrase. */ - private = key_load_private(identity_file, "", &comment); + private = key_load_private(identity_file, "", &comment, 0); if (private == NULL) { if (identity_passphrase) old_passphrase = xstrdup(identity_passphrase); @@ -569,7 +569,7 @@ read_passphrase("Enter old passphrase: ", RP_ALLOW_STDIN); private = key_load_private(identity_file, old_passphrase, - &comment); + &comment, 0); memset(old_passphrase, 0, strlen(old_passphrase)); xfree(old_passphrase); if (private == NULL) { @@ -672,7 +672,7 @@ perror(identity_file); exit(1); } - private = key_load_private(identity_file, "", &comment); + private = key_load_private(identity_file, "", &comment, 0); if (private == NULL) { if (identity_passphrase) passphrase = xstrdup(identity_passphrase); @@ -682,7 +682,8 @@ passphrase = read_passphrase("Enter passphrase: ", RP_ALLOW_STDIN); /* Try to load using the passphrase. */ - private = key_load_private(identity_file, passphrase, &comment); + private = key_load_private(identity_file, passphrase, + &comment, 0); if (private == NULL) { memset(passphrase, 0, strlen(passphrase)); xfree(passphrase); -- Rudolf Cejka http://www.fit.vutbr.cz/~cejkar Brno University of Technology, Faculty of Information Technology Bozetechova 2, 612 66 Brno, Czech Republic From cejkar at fit.vutbr.cz Fri Nov 28 04:38:30 2003 From: cejkar at fit.vutbr.cz (Rudolf Cejka) Date: Thu, 27 Nov 2003 18:38:30 +0100 Subject: Question about adding another parameter for OpenSSH In-Reply-To: <20031127173708.GA71816@fit.vutbr.cz> References: <20031127173708.GA71816@fit.vutbr.cz> Message-ID: <20031127173830.GA73626@fit.vutbr.cz> Rudolf Cejka wrote (2003/11/27): > ... > to add patches into openssh development tree like these, so that standard > behavior of ssh is not changed, but when option GroupPrivateKey is used > with ssh, it is allowed to have group readable private key? Oops, I forgot to write that patches are made against openssh-SNAP-20031121.tar.gz. -- Rudolf Cejka http://www.fit.vutbr.cz/~cejkar Brno University of Technology, Faculty of Information Technology Bozetechova 2, 612 66 Brno, Czech Republic From markus at openbsd.org Fri Nov 28 06:55:49 2003 From: markus at openbsd.org (Markus Friedl) Date: Thu, 27 Nov 2003 20:55:49 +0100 Subject: Question about adding another parameter for OpenSSH In-Reply-To: <20031127173708.GA71816@fit.vutbr.cz> References: <20031127173708.GA71816@fit.vutbr.cz> Message-ID: <20031127195549.GA2239@folly> On Thu, Nov 27, 2003 at 06:37:08PM +0100, Rudolf Cejka wrote: > I need to allow for some people to execute ssh with one shared private > key for remote executing command on various machines. However, it is not > possible to set group permissions for private keys and it is possible > to have just one private key file for one user. Please, is it possible > to add patches into openssh development tree like these, so that standard > behavior of ssh is not changed, but when option GroupPrivateKey is used > with ssh, it is allowed to have group readable private key? you can already use a group readable private key, unless you are the owner of the private key... From gmaapheoche at email.com Fri Nov 28 05:43:23 2003 From: gmaapheoche at email.com (Freddie) Date: Thu, 27 Nov 2003 18:43:23 +0000 Subject: Increase Your Self Confidence Message-ID: <3005931069958603@host62-7-145-77.webport.bt.net> Human Euphoria Attract The Opposite Sex Like Magic! Cologne for men and perfume for the women As seen on CNN, ABC and more.... - Become More Sexually Active - Get Approached More Often - Improve Business Relationships - Meet More People Anywhere - Increase Your Self Confidence Human Euphoria perfumes and colognes contain scientifically engineered pheromone concentrate that has proven effects on attracting the opposite sex. Just as animals use scents to attract others, humans possess the same senses which are incredibly powerful for sexual attraction! Feel the joy of euphoria and the power of attraction with this great new pheromone formula. [1]CLICK HERE FOR MORE INFORMATION [2]Unsubscribe References 1. http://domez.us/vpills/pher/ 2. http://domez.us/vpills/optout.html From wmertens at cisco.com Fri Nov 28 18:44:35 2003 From: wmertens at cisco.com (Wout Mertens) Date: Fri, 28 Nov 2003 08:44:35 +0100 (CET) Subject: Auto-compress mode for ssh Message-ID: Hi, I looked in the archives, but didn't see this asked for before: Would it be possible to have an "auto-compress" mode for ssh where compression is turned on automatically if it makes sense? You could turn it on if you don't care about cpu usage and lag, but just about the speed of transfer. The way I see it working is that when running uncompressed, ssh turns on compression every once in a while and sees if this results in higher throughput, turning on compression permanently if so. And the other way round of course. Wout. PS: Can you please copy me on replies? I'm not subscribed. From cejkar at fit.vutbr.cz Fri Nov 28 19:16:23 2003 From: cejkar at fit.vutbr.cz (Rudolf Cejka) Date: Fri, 28 Nov 2003 09:16:23 +0100 Subject: Question about adding another parameter for OpenSSH In-Reply-To: <20031127195549.GA2239@folly> References: <20031127173708.GA71816@fit.vutbr.cz> <20031127195549.GA2239@folly> Message-ID: <20031128081622.GA44295@fit.vutbr.cz> Markus Friedl wrote (2003/11/27): > you can already use a group readable private key, unless > you are the owner of the private key... Yes, this is what I used before - I simply hoped I do not need to use them, but it is not the reality. I'm part of the group, so it means just problems: Either I need root priviledges to change it to false owner, or have some blind user to install them, or I need to chmod g-r / chmod g+r for each use for myself, or I have to have two copies and select different files - and everything means illogical obstructions. -- Rudolf Cejka http://www.fit.vutbr.cz/~cejkar Brno University of Technology, Faculty of Information Technology Bozetechova 2, 612 66 Brno, Czech Republic From markus at openbsd.org Fri Nov 28 20:48:56 2003 From: markus at openbsd.org (Markus Friedl) Date: Fri, 28 Nov 2003 10:48:56 +0100 Subject: Auto-compress mode for ssh In-Reply-To: References: Message-ID: <20031128094856.GB22760@folly> currently there is not way. the ssh client could rekey and enable compression, but i don't see an easy way. On Fri, Nov 28, 2003 at 08:44:35AM +0100, Wout Mertens wrote: > Hi, > > I looked in the archives, but didn't see this asked for before: > > Would it be possible to have an "auto-compress" mode for ssh where > compression is turned on automatically if it makes sense? > > You could turn it on if you don't care about cpu usage and lag, but just > about the speed of transfer. > > The way I see it working is that when running uncompressed, ssh turns on > compression every once in a while and sees if this results in higher > throughput, turning on compression permanently if so. And the other way > round of course. > > Wout. > > PS: Can you please copy me on replies? I'm not subscribed. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From dcole at keysoftsys.com Sat Nov 29 06:31:57 2003 From: dcole at keysoftsys.com (Darren Cole) Date: Fri, 28 Nov 2003 11:31:57 -0800 Subject: Testing of recent commits In-Reply-To: <20031127160906.GA15854@serv01.aet.tu-cottbus.de> References: <1069155926.10951.61.camel@sakura.mindrot.org> <20031118144331.GA32723@cygbert.vinschen.de> <3FBABA33.A8DB4A64@zip.com.au> <20031119074148.GA29726@serv01.aet.tu-cottbus.de> <20031127133114.GA18382@serv01.aet.tu-cottbus.de> <20031127160906.GA15854@serv01.aet.tu-cottbus.de> Message-ID: <876ECBA6-21D9-11D8-97B3-000A95E310BA@keysoftsys.com> > To summarize options for HP-UX 10.20: > 1) make DNS support optional again > 2) have people install Bind 8 and patch arpa/inet.h > 3) have people install Bind 9 and fix the autoconf handling to actually > support this setup. > > Option 1) will cause the least amount of traffic on the list and still > allows > people to choose "--with-dns" and 2) or 3). Options 2) and 3) will most > likely lead to repeated problem reports for HP-UX 10.20 (don't know how > widespread this version actually is). > > Best regards, > Lutz > -- > Lutz Jaenicke > Lutz.Jaenicke at aet.TU-Cottbus.DE > http://www.aet.TU-Cottbus.DE/personen/jaenicke/ > BTU Cottbus, Allgemeine Elektrotechnik > Universitaetsplatz 3-4, D-03044 Cottbus For some options 2 or 3 wont work. Option one will be preferred by me, or at least by hp-ux 10.26 (Trusted CMW). For our developer machines installing a new bind isn't a really big deal. So what. The problem is the installing it on fielded machines, which is a much bigger deal. It takes time, and probably wont be approved (regardless of the need by openssh). -- Darren Cole Software Engineer email: dcole at keysoftsys.com From llgneg at msn.com Sat Nov 29 07:29:44 2003 From: llgneg at msn.com (Nathan) Date: Fri, 28 Nov 2003 12:29:44 -0800 Subject: Softwares CDS all software under $15 and $99! Message-ID: <8414231070051384@12-230-73-110.client.attbi.com> [1]http://141.85.12.38/ If you don't have enough money to buy needed software or think desired software isn't worth the price, then this service is right for you. We make software to be near you. Order any software you need for a low price. Some popular products from our price list: All programs you can download or order on cd-rom by airmail. 50$ Adobe Creative Suite (2 cds) 30$ Adobe PhotoShop CS 8.0 (1 cd) 55$ 3D Studio Max 6.0 (3 cds) 20$ Adobe Premiere Pro 7.0 (1 cd) 35$ Alias Wavefront Maya 5.0 Unlimited 35$ AutoCAD 2004 35$ Autodesk Architectural Desktop 2004 16$ Cakewalk Sonar 3 Producer Edition (3 cds) 25$ Canopus ProCoder 1.01.35 25$ Corel Draw 11 Graphic Suite 25$ Dragon Naturally Speaking Preferred 7.0 20$ Macromedia Dreamweaver MX 2004 v7.0 25$ Macromedia Fireworks MX 2004 v7.0 25$ Macromedia Flash MX 2004 v7.0 Professional 50$ Macromedia Studio MX 2004 (1 cd) 20$ Microsoft Money 2004 Deluxe (1 cd) 55$ Microsoft Office 2003 System Professional (5 cds) 25$ Microsoft Office 2003 Multilingual User Interface Pack (2 cds) 35$ Microsoft Project 2002 Pro 20$ Microsoft Publisher XP 2002 25$ Microsoft Visio for Enterprise Architects 2003 45$ Microsoft Windows XP Corporate Edition with SP1 35$ Microsoft Windows XP Professional 20$ Norton Antivirus 2004 Pro v10.0.0.109 16$ Norton SystemWorks 2003 (1 cd) 25$ OmniPage Pro 12 25$ Pinnacle Impression DVD Pro 2.2 (1 cd) 45$ PTC Pro Engineer Wildfire Datecode 2003370 (3 cds) 16$ PowerQuest Drive Image 7.01 Multilanguage (1 cd) 20$ Ulead DVD Workshop 1.2 99$ Microsoft Visual Studio .NET 2003 Enterprise Architect (8 cds) 20$ Winfax PRO 10.02 and, more, more. more!! Total today is 1418 products. price list - [2]http://141.85.12.38/p/ search - [3]http://141.85.12.38/e/ Mac users. We have some software for you too!!! Check it: [4]http://141.85.12.38/p/m/ Adobe Creative Suite (2 cds) for Mac Adobe Acrobat 6.0 Pro for Mac Adobe Illustrator 10 for Mac Adobe InDesign 2 for Mac Macromedia Flash MX 2004 v7.0 Professional for Mac Macromedia Studio MX 2004 for Mac (1 cd) Microsoft Office v.X for Mac QuarkXpress 6 Multilanguage for Mac and more!!! ---- To unsubscribe, please go to [5]http://141.85.12.38/unsub.html References 1. http://141.85.12.38/ 2. http://141.85.12.38/p/ 3. http://141.85.12.38/e/ 4. http://141.85.12.38/p/m/ 5. http://141.85.12.38/unsub.html From dtucker at zip.com.au Sat Nov 29 16:00:21 2003 From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 29 Nov 2003 16:00:21 +1100 Subject: Testing of recent commits References: <1069155926.10951.61.camel@sakura.mindrot.org> <20031118144331.GA32723@cygbert.vinschen.de> <3FBABA33.A8DB4A64@zip.com.au> <20031119074148.GA29726@serv01.aet.tu-cottbus.de> <20031127133114.GA18382@serv01.aet.tu-cottbus.de> <20031127160906.GA15854@serv01.aet.tu-cottbus.de> <876ECBA6-21D9-11D8-97B3-000A95E310BA@keysoftsys.com> Message-ID: <3FC827E4.3FC9DC06@zip.com.au> Darren Cole wrote: > > > To summarize options for HP-UX 10.20: > > 1) make DNS support optional again > > 2) have people install Bind 8 and patch arpa/inet.h > > 3) have people install Bind 9 and fix the autoconf handling to actually > > support this setup. [snip] > For some options 2 or 3 wont work. Option one will be preferred by me, > or at least by hp-ux 10.26 (Trusted CMW). For our developer machines > installing a new bind isn't a really big deal. So what. The problem > is the installing it on fielded machines, which is a much bigger deal. > It takes time, and probably wont be approved (regardless of the need by > openssh). Would you need to install BIND on the non-devel machines? I mean, if you built BIND with static rather than shared libraries the needed bits of code would get linked in and you wouldn't need to install anything else on the targets (ie the same as zlib and openssl are by default now). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.