OpenSSH 3.7 testing (Re: 3.6p1 bug on SCO OpenServer)
Colin Watson
cjwatson at debian.org
Sat Sep 13 21:07:07 EST 2003
Ben Lindstrom wrote:
>On this note I think it would be best to open the floor for testing of
>the current CVS tree. OpenSSH is in a feature lock and we should be
>in sync with the OpenBSD tree (there may be stray patches, but hopefully
>nothing major).
Debian unstable, Linux/i386. Configured roughly in accordance with the
current Debian package as follows:
LOGIN_PROGRAM=/bin/login ./configure --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib --mandir=/usr/share/man --with-tcp-wrappers --with-xauth=/usr/bin/X11/xauth --with-default-path=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin --with-superuser-path=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin --with-pam --with-4in6 --with-privsep-path=/var/run/sshd --without-rand-helper
OpenSSH has been configured with the following options:
User binaries: /usr/bin
System binaries: /usr/sbin
Configuration files: /etc/ssh
Askpass program: /usr/lib/ssh-askpass
Manual pages: /usr/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/run/sshd
sshd default user PATH: /usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin
sshd superuser user PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin
Manpage format: doc
PAM support: yes
KerberosIV support: no
KerberosV support: no
Smartcard support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Host: i686-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags:
Linker flags:
Libraries: -lwrap -lpam -ldl -lutil -lz -lnsl -lcrypto
PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory
Then:
make CFLAGS='-g -O2 -Wall -Wpointer-arith -Wno-uninitialized -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\"'
Some compiler warnings:
gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -DLOGIN_NO_ENDOPT -DSSHD_PAM_SERVICE=\"ssh\" -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/ssh-rand-helper\" -DHAVE_CONFIG_H -c auth-pam.c
auth-pam.c: In function `sshpam_thread':
auth-pam.c:206: warning: dereferencing type-punned pointer will break strict-aliasing rules
auth-pam.c: In function `sshpam_init':
auth-pam.c:284: warning: dereferencing type-punned pointer will break strict-aliasing rules
auth-pam.c: In function `do_pam_putenv':
auth-pam.c:673: warning: unused variable `compound'
And an error:
gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o uidswap.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o monitor_fdpass.o kexdhs.o kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-sia.o md5crypt.o -L. -Lopenbsd-compat/ -lssh -lopenbsd-compat -lwrap -lpam -ldl -lutil -lz -lnsl -lcrypto
openbsd-compat//libopenbsd-compat.a(xcrypt.o)(.text+0x5): In function `xcrypt':
/home/cjwatson/src/debian/openssh/upstream/openssh/openbsd-compat/xcrypt.c:76: undefined reference to `crypt'
collect2: ld returned 1 exit status
make: *** [sshd] Error 1
My platform's libcrypto doesn't have a crypt() symbol. It used to be
that crypt() was only needed if !defined(USE_PAM), but now it's needed
unconditionally (unnecessarily)?
I worked around this by adding -lcrypt, and continued. All regression
tests pass. However, when I tried testing sshd manually I noticed that
the PAM session modules configured on my system no longer seem to be
called (most noticeably the motd doesn't get displayed, despite
pam_motd). I first found that SSHD_PAM_SERVICE no longer works: minimal
patch follows, but perhaps somebody will want to restore the old argv[0]
behaviour. Even after that, though, I'm still having problems. sshd's
debug output suggests that pam_open_session() is being called (as uid 0)
but for some reason isn't doing what it should. I'm going to keep
investigating.
Index: auth-pam.c
===================================================================
RCS file: /cvs/openssh/auth-pam.c,v
retrieving revision 1.70
diff -p -u -r1.70 auth-pam.c
--- auth-pam.c 2 Sep 2003 13:18:53 -0000 1.70
+++ auth-pam.c 13 Sep 2003 10:58:12 -0000
@@ -289,7 +289,8 @@ sshpam_init(const char *user)
sshpam_handle = NULL;
}
debug("PAM: initializing for \"%s\"", user);
- sshpam_err = pam_start("sshd", user, &null_conv, &sshpam_handle);
+ sshpam_err =
+ pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);
if (sshpam_err != PAM_SUCCESS) {
pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL;
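Review bot: the new pam_start() call in sshpam_init() depends on SSHD_PAM_SERVICE being defined in every build, and nothing in this hunk supplies a default. Add a fallback where the macro is consumed (an #ifndef SSHD_PAM_SERVICE guard defining it to "sshd", the literal being replaced) so builds that do not pass -DSSHD_PAM_SERVICE still compile and keep the old service name. It would also help to include the service name in the debug("PAM: initializing for ...") line just above the change, so debug output shows which PAM service is in use.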
>The major things that have changed are PAM and Kerb/GSS support.
Am I right in saying that Kerberos V support has been completely merged?
I'd like to get rid of our separate patched openssh-krb5 source package
if possible, although I think we'll still need a separate build for
Kerberos to avoid unwanted library linkage.
Cheers,
--
Colin Watson [cjwatson at debian.org]
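
An added example, not part of the original post or of OpenSSH: a shell check of which session modules Linux-PAM would consult for the service name handed to pam_start(), the SSHD_PAM_SERVICE mismatch described above. The function names and the sample directory contents are constructed; it assumes the per-service /etc/pam.d layout, where a service without its own file falls back to the "other" service.

```shell
# Added example; function names and sample files are constructed.

# Print the module on each "session" line of FILE ($1), following includes
# of other files in DIR ($2). Comments and other module types are skipped.
pam_file_sessions() {
    d=$2
    [ -f "$1" ] || return 0
    while read -r kind control rest; do
        case $kind in
            @include)                        # Debian: "@include common-session"
                pam_file_sessions "$d/$control" "$d" ;;
            session|-session)
                case $control in             # "[success=ok default=ignore]"
                    \[*) rest="$control $rest"; rest=${rest#*\]} ;;
                esac
                set -f; set -- $rest; set +f # split on blanks without globbing
                case $control in
                    include|substack) pam_file_sessions "$d/$1" "$d" ;;
                    *) echo "$1" ;;
                esac ;;
        esac
    done < "$1"
    return 0
}

# pam_session_modules SERVICE [PAM_DIR]
pam_session_modules() {
    dir=${2:-/etc/pam.d}
    svc=$1
    # With no file for the service, Linux-PAM uses the "other" service.
    [ -f "$dir/$svc" ] || svc=other
    pam_file_sessions "$dir/$svc" "$dir"
}

# Constructed sample: the policy is installed as "ssh", so a binary that
# asks pam_start() for "sshd" gets "other" instead.
make_sample_pam_dir() {
    t=$(mktemp -d)
    printf 'auth required pam_unix.so\n@include common-session\n' > "$t/ssh"
    printf 'session\toptional\tpam_motd.so\n' >> "$t/ssh"
    printf 'session [success=ok default=ignore] pam_unix.so\n' > "$t/common-session"
    printf 'session required pam_deny.so\n' > "$t/other"
    echo "$t"
}

sample=$(make_sample_pam_dir)
echo "ssh:  $(pam_session_modules ssh "$sample" | tr '\n' ' ')"
echo "sshd: $(pam_session_modules sshd "$sample" | tr '\n' ' ')"
rm -rf "$sample"
```

Run against the real directory with `pam_session_modules ssh` and `pam_session_modules sshd`; if pam_motd.so appears for only one of them, the service name compiled into sshd decides whether the motd is shown.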