From mouring at etoh.eviladmin.org Sun Aug 1 03:17:28 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sat, 31 Jul 2004 12:17:28 -0500 (CDT)
Subject: Improvement
In-Reply-To: <410B660F.1090004@freesurf.fr>
Message-ID: 

Few initial comments

1. No one will bother to even look at your patch unless you follow how the current code is formatted.

2. Nor will anyone want to dig through a single patch to see how one of the 3 or 4 features you wrote was implemented. ONE patch.. ONE feature.

On Sat, 31 Jul 2004, Teka wrote:

> Hi everybody,
>
> I love openssh but some features are missing in sftp.
> So i have implemented some control features on sftp, like
> "stay in home" features and bandwidth limit (upload / download).

"stay in home" AKA chroot. If you implement it any other way it is too easy to miss something or get confused by the odd path the user typed in.

I personally don't see why bandwidth limiting should be at an application level. It should be higher. But that is just me.

> To limit the user on sftp only, i have started a new shell with config file
> to apply new settings available in sftp-server :-).
>

one can already limit to sftp only. It is via SSH keys. There are a few shells like rssh that also can do this limiting.

- Ben

From jakehawkes2001 at yahoo.com Sun Aug 1 05:04:20 2004
From: jakehawkes2001 at yahoo.com (Jake Hawkes)
Date: Sat, 31 Jul 2004 12:04:20 -0700 (PDT)
Subject: SSH scanning attempt via "guest" and "admin" accounts
Message-ID: <20040731190420.34408.qmail@web41213.mail.yahoo.com>

There has been some discussion on the gentoo security list of late about a new attempt to find ssh vulnerabilities. No one has reported a successful break in as far as I know, but I thought the cross post couldn't hurt. Dan Margolis (krispykringle at gentoo.org) has put together some notes about it.

http://dev.gentoo.org/~krispykringle/sshnotes.txt

Regards,
Jake

=====
Jacob Hawkes, B. Eng (CSE)
jakehawkes2001 at yahoo.com
http://www.infinitylimited.net/

From libove at felines.org Mon Aug 2 04:03:39 2004
From: libove at felines.org (Jay Libove)
Date: Sun, 1 Aug 2004 14:03:39 -0400
Subject: SSH login attempts: tcpdump packet capture
Message-ID: 

I got a packet capture of one of the SSH2 sessions trying to log in as a couple of illegal usernames. The contents of one packet suggests an attempt to buffer overflow the SSH server; ethereal's SSH decoding says "overly large value". It didn't seem to work against my system (I see no strange processes running; all files changed in past ten days look normal).

I am cross-posting this message and the attached tcpdump packet capture file to the following places to let better people than I analyze it:

openssh-unix-dev at mindrot.org
secureshell at securityfocus.com
full-disclosure at lists.netsys.com
vulnwatch at vulnwatch.org

-Jay Libove, CISSP

From andrewg at felinemenace.org Mon Aug 2 22:10:41 2004
From: andrewg at felinemenace.org (andrewg at felinemenace.org)
Date: Mon, 2 Aug 2004 05:10:41 -0700
Subject: OpenSSH SRP 3.8.1p1 patch
Message-ID: <20040802121041.GD24672@felinemenace.org>

G'day,

First off, I'm not subscribed to the list, so if there are any responses that should be directed to me, feel free to CC me in :)

The below url is an updated patch of Professor Tom's earlier SRP patches for SSH. The only thing changed was so that it would compile on a newer openssh version. For more information regarding SRP, see http://srp.stanford.edu

This isn't intended to be applied by mainstream, just more for people who are interested in a SRP enabled OpenSSH. I haven't looked at whether or not this patch follows the various RFC related things regarding SRP and SSH or so, so it might not be 'correct'.

The MD5 sum of the patch is

24567992f8eca9384e33862cd056f4fb  openssh-srp-3.8.1p1.diff.gz

and can be found at http://felinemenace.org/code/openssh-srp-3.8.1p1.diff.gz

The extensiveness of testing for this patch has been to see if it compiles, and would authenticate a user (which it did). If anything breaks, you get to keep both pieces ;)

Enjoy,
Andrew Griffiths

From bozy at fgm.com.cy Mon Aug 2 21:57:45 2004
From: bozy at fgm.com.cy (Alexey Bozrikov)
Date: Mon, 2 Aug 2004 14:57:45 +0300
Subject: Problem building OpenSSH-3.8p1 on AIX 4.2.1 and 4.3.3 systems
Message-ID: <651117926500.20040802145745@fgm.com.cy>

Dear Sirs,

just tried to compile openssh-3.8p1 on two IBM RS6000 boxes (models 390 and F50) having AIX 4.2.1.0 and AIX 4.3.3.11 (all maintenance levels applied). I use IBM 'XLC' compiler version 3.1 (xlC.C 3.1.4.0 with xcC.rte 4.0.2.0 and xlC.aix43.rte 4.0.2.1).

On both machines there was a slight problem when compiling, because both <utmp.h> and <utmpx.h> files were included, resulting in duplicate definition of some variables. This is a quote from './configure' output:

configure:16988: xlc_r -c -O2 -I/usr/local/ssl/include -I/usr/local/include conftest.c >&5
"/usr/include/utmpx.h", line 90.8: 1506-334 (S) Identifier utmp_data has already been defined on line 90 of "/usr/include/utmp.h".
"configure", line 16981.16: 1506-045 (S) Undeclared identifier UTMPX_FILE.

I am not sure how this should be done properly, so I just commented out these three lines in 'includes.h':

#ifdef HAVE_UTMP_H
# include <utmp.h>
#endif

After this (rude) change everything compiled and built fine and seems to work OK.

There is no such problem on AIX 5.1 L systems with either IBM Visual Age C 6.0 or gcc-3.3.3 - everything compiles and builds 'out of the box'.

Kind regards
Alexey

** When it rains, it pours.

From andreas at conectiva.com.br Tue Aug 3 06:33:35 2004
From: andreas at conectiva.com.br (Andreas)
Date: Mon, 2 Aug 2004 17:33:35 -0300
Subject: OpenSSH SRP 3.8.1p1 patch
In-Reply-To: <20040802121041.GD24672@felinemenace.org>
References: <20040802121041.GD24672@felinemenace.org>
Message-ID: <20040802203335.GG30448@conectiva.com.br>

On Mon, Aug 02, 2004 at 05:10:41AM -0700, andrewg at felinemenace.org wrote:
> The below url is an updated patch of Professor Tom's earlier SRP patches for
> SSH. The only things changed was so that it would compile on a newer openssh
> version. For more information regarding SRP, see http://srp.stanford.edu

Isn't this patented by Phoenix Technologies Ltd?
http://www.ietf.org/ietf/IPR/PHOENIX-SRP-RFC2945.txt

From tom at arcot.com Tue Aug 3 07:49:28 2004
From: tom at arcot.com (Tom Wu)
Date: Mon, 02 Aug 2004 14:49:28 -0700
Subject: OpenSSH SRP 3.8.1p1 patch
In-Reply-To: <20040802203335.GG30448@conectiva.com.br>
References: <20040802121041.GD24672@felinemenace.org> <20040802203335.GG30448@conectiva.com.br>
Message-ID: <410EB6E8.8080107@arcot.com>

Andreas wrote:
> On Mon, Aug 02, 2004 at 05:10:41AM -0700, andrewg at felinemenace.org wrote:
>
>>The below url is an updated patch of Professor Tom's earlier SRP patches for
>>SSH. The only things changed was so that it would compile on a newer openssh
>>version. For more information regarding SRP, see http://srp.stanford.edu
>
>
> Isn't this patented by Phoenix Technologies Ltd?
> http://www.ietf.org/ietf/IPR/PHOENIX-SRP-RFC2945.txt

No, that is only an offer to license under RAND terms IF some technology is covered under the SPEKE patent. There has not been any claim or substantiation that SPEKE technology covers the math used in SRP.

Tom

> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Tom Wu
Chief Security Architect
Arcot Systems
(408) 969-6124

From andreas at conectiva.com.br Tue Aug 3 06:57:20 2004
From: andreas at conectiva.com.br (Andreas)
Date: Mon, 2 Aug 2004 17:57:20 -0300
Subject: OpenSSH SRP 3.8.1p1 patch
In-Reply-To: <410EB6E8.8080107@arcot.com>
References: <20040802121041.GD24672@felinemenace.org> <20040802203335.GG30448@conectiva.com.br> <410EB6E8.8080107@arcot.com>
Message-ID: <20040802205720.GI30448@conectiva.com.br>

On Mon, Aug 02, 2004 at 02:49:28PM -0700, Tom Wu wrote:
> >Isn't this patented by Phoenix Technologies Ltd?
> >http://www.ietf.org/ietf/IPR/PHOENIX-SRP-RFC2945.txt
>
> No, that is only an offer to license under RAND terms IF some technology
> is covered under the SPEKE patent. There has not been any claim or
> substantiation that SPEKE technology covers the math used in SRP.

Here is an email that talks about these issues from the point of view of an implementation in Kerberos:

http://mailman.mit.edu/pipermail/krbdev/2004-January/002251.html

I guess they don't want to be the first to implement it and see if it will attract heat from lawyers.

From tom at arcot.com Tue Aug 3 10:13:28 2004
From: tom at arcot.com (Tom Wu)
Date: Mon, 02 Aug 2004 17:13:28 -0700
Subject: OpenSSH SRP 3.8.1p1 patch
In-Reply-To: <20040802205720.GI30448@conectiva.com.br>
References: <20040802121041.GD24672@felinemenace.org> <20040802203335.GG30448@conectiva.com.br> <410EB6E8.8080107@arcot.com> <20040802205720.GI30448@conectiva.com.br>
Message-ID: <410ED8A8.8020307@arcot.com>

Andreas wrote:
> On Mon, Aug 02, 2004 at 02:49:28PM -0700, Tom Wu wrote:
>
>>>Isn't this patented by Phoenix Technologies Ltd?
>>>http://www.ietf.org/ietf/IPR/PHOENIX-SRP-RFC2945.txt
>>
>>No, that is only an offer to license under RAND terms IF some technology
>>is covered under the SPEKE patent. There has not been any claim or
>>substantiation that SPEKE technology covers the math used in SRP.
>
>
> Here is an email that talks about these issues from the point of view of
> an implementation in Kerberos:
>
> http://mailman.mit.edu/pipermail/krbdev/2004-January/002251.html
>
> I guess they don't want to be the first to implement it and see if it will
> attract heat from lawyers.

I'll talk to Jeffrey about his comments, as I believe the issue is closed in the "other direction", i.e. other projects, both OSS and commercial, have already used SRP without paying a dime in licensing fees.

Tom

-- 
Tom Wu
Chief Security Architect
Arcot Systems
(408) 969-6124

From mouring at etoh.eviladmin.org Tue Aug 3 10:15:34 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 2 Aug 2004 19:15:34 -0500 (CDT)
Subject: OpenSSH SRP 3.8.1p1 patch
In-Reply-To: <410ED8A8.8020307@arcot.com>
Message-ID: 

On Mon, 2 Aug 2004, Tom Wu wrote:

> >>>Isn't this patented by Phoenix Technologies Ltd?
> >>>http://www.ietf.org/ietf/IPR/PHOENIX-SRP-RFC2945.txt
> >>
> >>No, that is only an offer to license under RAND terms IF some technology
> >>is covered under the SPEKE patent. There has not been any claim or
> >>substantiation that SPEKE technology covers the math used in SRP.
> > [..]
>
> I'll talk to Jeffrey about his comments, as I believe the issue is
> closed in the "other direction", i.e. other projects, both OSS and
> commercial, have already used SRP without paying a dime in licensing fees.
>

Not to beat a dead horse.. But the IPR released by IETF states they are "investigating how it relates". Has Phoenix ever submitted a formal document from their legal department to IETF or stated publicly that they have "closed" the issue and that SRP *DOESN'T* fall under their Patent 6,226,383?

The best I've ever seen is you and others saying "Oh there is no problem." Which is not comforting in the least.

I think if you and Stanford really wish to put this to bed I'd ensure that the IETF gets another email stating it doesn't conflict to add to the above URL that was posted. If Phoenix legal department is not willing to do that then I think it's best to avoid the technology.

- Ben

From tom at arcot.com Tue Aug 3 11:15:59 2004
From: tom at arcot.com (Tom Wu)
Date: Mon, 02 Aug 2004 18:15:59 -0700
Subject: OpenSSH SRP 3.8.1p1 patch
In-Reply-To: 
References: 
Message-ID: <410EE74F.10401@arcot.com>

Ben Lindstrom wrote:
>
> Not to beat a deadhorse.. But the IPR released by IETF states they are
> "investigating how it relates". Has Phoenix ever submitted a formal
> document from their legal department to IETF or stated publicly stated
> that they have "closed" the issue and that SRP *DOESN'T* fall under their
> Patent 6,226,383?

Is there any precedent for this, though? Has any corporation in recent memory said, "sure, it's okay to use this competing technology, instead of licensing ours"? If they can remain silent and get the benefit of the doubt, they'll do it.

> The best I've ever seen is you and others saying "Oh there is no
> problem." Which is not comforting in the least.

That's not what we're saying - it's more along the lines of "The burden of proof is on the claimant, Phoenix in this case, and they haven't produced any convincing evidence."

> I think if you and Stanford really wish to put this to bed I'd ensure that
> the IETF gets another email stated it doesn't conflict to add to the above
> URL that was posted. If Phoenix legal department is not willing to do
> that than I think it's best to avoid the technology.

The problem with this stance is that it allows anyone to deny access to a competitor's technology, especially in the OSS/Free software space, simply by making a vague IP assertion and then refusing to issue an "all clear", akin to SCO's behavior with Linux. I don't think rewarding bad faith and behavior is a good idea.

> - Ben
>

Tom

-- 
Tom Wu
Chief Security Architect
Arcot Systems
(408) 969-6124

From tjiva at ing.hj.se Tue Aug 3 11:01:55 2004
From: tjiva at ing.hj.se (Tjavdar Ivanov)
Date: Tue, 3 Aug 2004 03:01:55 +0200 (CEST)
Subject: Command-line parsing bug?
In-Reply-To: <20040730145110.GA20343@pasternak.w.lub.pl>
References: <20040730145110.GA20343@pasternak.w.lub.pl>
Message-ID: 

Hi Michal and thanks a lot!

Preceding with pathname worked fine. I should have thought of it myself, I'm probably growing older. Still, I suppose that it might be a good idea if this exception is mentioned in the man-page. (Remember those old days when we tried to figure out how to remove a file starting with a dash. After much cursing we RTFM, and there it was: "rm -- -foo", et voilà, the file was gone!).

I suppose that files with ":" might be not so exceptional these days (well, except on Macs). Myself, I ran upon this difficulty when I tried to scp a bunch of photos, all of them named after date and time of creation (yyyy-mm-dd__hh:mm:ss.jpg), which can be quite a common naming convention in these digital camera ages.

Thanks again and I hope you have nice summer holidays,
//Tj.

On Fri, 30 Jul 2004, Michal Pasternak wrote:

> Tjavdar Ivanov [Fri, Jul 30, 2004 at 04:43:30PM +0200]:
>
> > Hi,
> >
> > There seems to be no way to scp a file containing ":" in its name, e.g.,
> >
> > scp file-with-colon-in-its-name: user at localhost:
>
> Try:
>
> scp ./file-with-colon-in-its-name: user at localhost:
>
> --
> The programmers you'll be able to hire to work on a Java project won't be as
> smart as the ones you could get to work on a project written in Python.
> -- seen at http://www.paulgraham.com/gh.html
>

Tjavdar Ivanov
Dept. of Mathematics, School of Engineering, Jönköping University,
P.O Box 1026 : SE-551 11 Jönköping, Sweden
tel. 036-15 78 56 (off), 036-10 04 08 (h), 0709-20 36 11 (mobile)

From sunmedia at tiger.odn.ne.jp Tue Aug 3 11:28:39 2004
From: sunmedia at tiger.odn.ne.jp (sunmedia at tiger.odn.ne.jp)
Date: Tue, 03 Aug 2004 10:28:39 +0900
Subject: =?iso-2022-jp?b?GyRCTCQ+NUJ6OS05cCIoGyhCIBskQjNKMEIhKkVFT0MbKEI=?= =?iso-2022-jp?b?GyRCMkNGfjgiSE5HZCF1OWIyQUdjPGgbKEI=?=
Message-ID: <20040803020303372.00000.80.clc13700@ke235yotrhx0hm8.smtp01.odn.ne.jp>

From dwmw2 at infradead.org Wed Aug 4 20:44:12 2004
From: dwmw2 at infradead.org (David Woodhouse)
Date: Wed, 04 Aug 2004 11:44:12 +0100
Subject: How create multiples ssh on same host without asking same password
In-Reply-To: <20040701171211.GA15913@folly>
References: <40E3F138.10609@mindrot.org> <20040701171211.GA15913@folly>
Message-ID: <1091616251.4383.2616.camel@hades.cambridge.redhat.com>

On Thu, 2004-07-01 at 19:12 +0200, Markus Friedl wrote:
> no, it's better to do it this way
>
> Host foo
>     ControlMaster yes
>     ControlPath /wathever/you/want
> Host bar
>     ControlPath /wathever/you/want
>
> so after
>     ssh foo
> you can use
>     ssh bar
> to connect to foo via the first connection.

So then you set CVS_RSH, RSYNC_RSH, IMAP_RSH etc. to a shell script which tries to detect whether a master is already running, and changes from foo to bar if it is? That's _vile_ :)

Surely it's better to do it this way:

Host *
    ControlMaster auto
    ControlPath ~/.ssh-sockets/%h-%p-%u

-- 
dwmw2

From eddy at cdf-imaging.com Thu Aug 5 01:06:13 2004
From: eddy at cdf-imaging.com (Edward Flick)
Date: Wed, 04 Aug 2004 10:06:13 -0500
Subject: OpenSSH SRP 3.8.1p1 patch
In-Reply-To: <410EE74F.10401@arcot.com>
References: <410EE74F.10401@arcot.com>
Message-ID: <4110FB65.7090000@cdf-imaging.com>

Tom Wu wrote:
> That's not what we're saying - it's more along the lines of "The burden
> of proof is on the claimant, Phoenix in this case, and they haven't
> produced any convincing evidence."

It's not proof that's scaring people off, it's accusations. I also really wish you would address them more directly in a public forum. And get this issue finalized.

>> I think if you and Stanford really wish to put this to bed I'd ensure
>> that
>> the IETF gets another email stated it doesn't conflict to add to the
>> above
>> URL that was posted. If Phoenix legal department is not willing to do
>> that than I think it's best to avoid the technology.
>
>
> The problem with this stance is that it allows anyone to deny access to
> a competitor's technology, especially in the OSS/Free software space,
> simply by making a vague IP assertion and then refusing to issue an "all
> clear", akin to SCO's behavior with Linux. I don't think rewarding bad
> faith and behavior is a good idea.

Yes, but the problem with ignoring it means extremely slow uptake of SRP technology. In this lawyer ruled age of computing, people cower behind their worries of being sued because of inheriting an IP issue. The fundamental flaw here isn't that the claimant is asserting a falsehood, it is the fact that people are listening to it. You may not be obliged to put this issue to rest, but in the best interest of your project, and to the good that it could do in general, you might want to go ahead and do just that.

Edward

From andreas at conectiva.com.br Thu Aug 5 01:31:13 2004
From: andreas at conectiva.com.br (Andreas)
Date: Wed, 4 Aug 2004 12:31:13 -0300
Subject: OpenSSH SRP 3.8.1p1 patch
In-Reply-To: <4110FB65.7090000@cdf-imaging.com>
References: <410EE74F.10401@arcot.com> <4110FB65.7090000@cdf-imaging.com>
Message-ID: <20040804153113.GB32190@conectiva.com.br>

On Wed, Aug 04, 2004 at 10:06:13AM -0500, Edward Flick wrote:
> Yes, but the problem with ignoring it means extremely slow uptake of SRP
> technology. In this lawyer ruled age of computing, people cower behind
> their worries of being sued because of inheriting an IP issue. The

I'm ashamed of even thinking this, but sometimes I wish either Stanford or Phoenix would sue each other so that we could get this over with :)

From tom at arcot.com Thu Aug 5 06:44:12 2004
From: tom at arcot.com (Tom Wu)
Date: Wed, 04 Aug 2004 13:44:12 -0700
Subject: OpenSSH SRP 3.8.1p1 patch
In-Reply-To: <4110FB65.7090000@cdf-imaging.com>
References: <410EE74F.10401@arcot.com> <4110FB65.7090000@cdf-imaging.com>
Message-ID: <41114A9C.6080507@arcot.com>

Edward Flick wrote:
> Its not proof thats scaring people off, its accusations. I also really
> wish you would address them more directly in a public forum. And get
> this issue finalized.

I believe I have done exactly that at every opportunity. I've made my position on this issue abundantly clear. Perhaps you can give an example of what you would like to see.

> Yes, but the problem with ignoring it means extremely slow uptake of SRP
> technology. In this lawyer ruled age of computing, people cower behind

But the uptake appears to be occurring anyway, both in OSS and commercial applications. Some parties are cowering, as you say, but some have taken a closer look at the issue and are not cowering.

> their worries of being sued because of inheriting an IP issue. The
> fundamental flaw here isn't that the claimant is asserting a falsehood,

Technically, there is not even an assertion, but really a rumor, that is being believed by some.

> it is the fact that people are listening to it. You may not be abliged
> to put this issue to rest, but in the best interest of your project, and
> to the good that it could do in general, you might want to go ahead and
> do just that.

Again, perhaps more concrete examples would help. You can take this off-list if you think that would make more sense.

>
> Edward

Tom

-- 
Tom Wu
Chief Security Architect
Arcot Systems
(408) 969-6124

From djm at mindrot.org Thu Aug 5 09:40:17 2004
From: djm at mindrot.org (Damien Miller)
Date: Thu, 05 Aug 2004 09:40:17 +1000
Subject: How create multiples ssh on same host without asking same password
In-Reply-To: <1091616251.4383.2616.camel@hades.cambridge.redhat.com>
References: <40E3F138.10609@mindrot.org> <20040701171211.GA15913@folly> <1091616251.4383.2616.camel@hades.cambridge.redhat.com>
Message-ID: <411173E1.8010603@mindrot.org>

David Woodhouse wrote:
> So then you set CVS_RSH, RSYNC_RSH, IMAP_RSH etc. to a shell script
> which tries to detect whether a master is already running, and changes
> from foo to bar if it is? That's _vile_ :)
>
> Surely it's better to do it this way:
>
> Host *
>     ControlMaster auto
>     ControlPath ~/.ssh-sockets/%h-%p-%u

Maybe later, but not yet.

From debian-br-bounces at listas.cipsga.org.br Thu Aug 5 10:21:11 2004
From: debian-br-bounces at listas.cipsga.org.br (debian-br-bounces at listas.cipsga.org.br)
Date: Wed, 04 Aug 2004 21:21:11 -0300
Subject: Your message to the Debian-BR list awaits approval
Message-ID: 

Your email to 'Debian-BR' with the subject

    Movie document

is being held until the list moderator reviews it for approval.

The reason it is being held is:

    Post by a non-member to a members-only list

Either the message will be posted to the list, or you will receive a notification of the moderator's decision. If you wish to cancel this post, visit the following address:

http://listas.cipsga.org.br/cgi-bin/mailman/confirm/debian-br/521dfa76b680210eacdb04f26fbbbe2befc73503

From marko.mocnik at nimbus.at Thu Aug 5 23:25:04 2004
From: marko.mocnik at nimbus.at (marko.mocnik at nimbus.at)
Date: Thu, 5 Aug 2004 15:25:04 +0200
Subject: No error when identity file not readable
Message-ID: 

Hi!

I was trying to start ssh from a scheduled task in Windows 2000. I got the message "Enter passphrase for key '.ssh/identity':"

Well the passphrase I set was empty, so that should not have happened.

I traced this problem to the method key_load_public_type(int type, const char *filename, char **commentp) in authfile.c

If the file cannot be opened (in my case the "System" user was not authorized to do so) this method returns NULL without an appropriate message.

The calling method load_identity_file(char *filename) in sshconnect2.c does not handle any error cases. So, if the key_load_public_type returns NULL, this method thinks there is a password on the keyfile, regardless what really happened.

So after this I tried to set the permissions for the file to 777, which was another bad idea ;)

But this time I got a message:

Failed to add the host to the list of known hosts (ssh/known_hosts).
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for 'xbackup/testdir/.ssh/identity' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: .ssh/identity
Enter passphrase for key '.ssh/identity':

But still there is the prompt to enter a passphrase.

I'm not sure if this really is a bug, since everything works, besides the wrong messages. I just am reporting this to set an appropriate end to my 2 day long debugging session... ;))

Regards,
Marko Mocnik

From jeff at rubysoft.com Fri Aug 6 05:12:16 2004
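Marko's report comes down to one thing: a caller that cannot tell "the identity file could not be opened" from "the key needs a passphrase" will prompt on a permissions error. The following is an added illustration of the defensive shape, not OpenSSH's code; the names key_load_status_for, key_load_action and identity_check are hypothetical, and the sample key files it writes are constructed (they are not real keys). The loader preserves errno so the caller can report the real reason, and the caller prompts only when the file really carries the encrypted-PEM marker.

```c
/* Added example, not OpenSSH code: a key loader that reports *why* a key
 * could not be used, so the caller does not mistake an unreadable file
 * for a passphrase-protected key. Function names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum key_load_status {
	KEY_LOAD_OK = 0,	/* readable and unencrypted */
	KEY_LOAD_ENCRYPTED,	/* readable, needs a passphrase */
	KEY_LOAD_UNREADABLE	/* could not be opened; *err holds errno */
};

/* Open the identity file and classify it. Encrypted PEM private keys
 * carry a "Proc-Type: 4,ENCRYPTED" header, which is all we look for. */
enum key_load_status
key_load_status_for(const char *path, int *err)
{
	char line[256];
	FILE *f;
	enum key_load_status st = KEY_LOAD_OK;

	*err = 0;
	if ((f = fopen(path, "r")) == NULL) {
		*err = errno;	/* keep the real reason for the caller */
		return KEY_LOAD_UNREADABLE;
	}
	while (fgets(line, sizeof line, f) != NULL) {
		if (strstr(line, "ENCRYPTED") != NULL) {
			st = KEY_LOAD_ENCRYPTED;
			break;
		}
	}
	fclose(f);
	return st;
}

/* What a caller in the spirit of load_identity_file() should do with the
 * result: prompt only for a genuinely encrypted key, report everything else. */
const char *
key_load_action(enum key_load_status st, int err)
{
	switch (st) {
	case KEY_LOAD_OK:
		return "use key";
	case KEY_LOAD_ENCRYPTED:
		return "prompt for passphrase";
	case KEY_LOAD_UNREADABLE:
		if (err == EACCES)
			return "error: permission denied";
		if (err == ENOENT)
			return "error: no such file";
		return "error: cannot open identity file";
	}
	return "error: unknown status";
}

/* Load and decide in one step. */
const char *
identity_check(const char *path)
{
	int err;
	enum key_load_status st = key_load_status_for(path, &err);

	return key_load_action(st, err);
}

/* Write a constructed sample file (used only for the demonstration). */
int
write_sample(const char *path, const char *contents)
{
	FILE *f = fopen(path, "w");

	if (f == NULL)
		return -1;
	fputs(contents, f);
	return fclose(f);
}

int
main(void)
{
	/* Constructed sample key bodies; these are not real keys. */
	write_sample("/tmp/sample_plain.key",
	    "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n");
	write_sample("/tmp/sample_enc.key",
	    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
	    "DEK-Info: DES-EDE3-CBC,00\nAAAA\n-----END RSA PRIVATE KEY-----\n");

	printf("plain:     %s\n", identity_check("/tmp/sample_plain.key"));
	printf("encrypted: %s\n", identity_check("/tmp/sample_enc.key"));
	printf("missing:   %s\n", identity_check("/tmp/sample_missing.key"));

	remove("/tmp/sample_plain.key");
	remove("/tmp/sample_enc.key");
	return 0;
}
```

The point of carrying errno out of the loader is that the caller's decision is then driven by the classification, never by a bare NULL; a permissions problem on a scheduled-task account surfaces as "permission denied" instead of a passphrase prompt nobody can answer.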
From: jeff at rubysoft.com (Jeff Hansen) Date: Thu, 5 Aug 2004 14:12:16 -0500 (CDT) Subject: LocalForward and RemoteForward bind patch Message-ID: FINALLY, it's here. You can now tell SSH which address to bind to for every single port forwarding option! This patch allows you to pass the following as ssh command line options: ssh -L 192.168.1.55:1234:localhost:80 -R ::11:22:aa:bb/80/localhost/80 etc. Or as normal config file options: LocalForward ::11:22:33/1234 localhost/80 RemoteForward 1.2.3.4:80 localhost:80 It will also accept the old-style forwarding options just fine. It would be cool if this could be put into the main branch some day so that everyone can enjoy this functionality. If I'm mistaken, and OpenSSH already had this sort of functionality, please let me know as I don't subscribe to this list. I knew people on this list would enjoy this patch, however. The gateway ports options just don't cut it for me, so I wrote this patch. It's backwards compatible with old ssh servers and clients, and I've tested it quite a bit. Let me know if there are any problems with it. -Jeff Hansen jeff at rubysoft.com -------------- next part -------------- diff -u -r openssh-3.8p1/channels.c openssh-3.8p1-localbind/channels.c --- openssh-3.8p1/channels.c 2004-01-20 16:02:09.000000000 -0800 +++ openssh-3.8p1-localbind/channels.c 2004-08-05 12:55:16.101830360 -0700 @@ -86,6 +86,7 @@ * network (which might be behind a firewall). */ typedef struct { + char *listen_host; /* Address to listen on */ char *host_to_connect; /* Connect to 'host'. */ u_short port_to_connect; /* Connect to 'port'. */ u_short listen_port; /* Remote side should listen port number. */ @@ -2146,8 +2147,7 @@ char ntop[NI_MAXHOST], strport[NI_MAXSERV]; success = 0; - host = (type == SSH_CHANNEL_RPORT_LISTENER) ? - listen_addr : host_to_connect; + host = host_to_connect; if (host == NULL) { error("No forward host name."); 
@@ -2167,7 +2167,8 @@ hints.ai_flags = gateway_ports ? AI_PASSIVE : 0; hints.ai_socktype = SOCK_STREAM; snprintf(strport, sizeof strport, "%d", listen_port); - if (getaddrinfo(NULL, strport, &hints, &aitop) != 0) + if (getaddrinfo (listen_addr==NULL?NULL:strlen(listen_addr)>0?listen_addr:NULL, + strport, &hints, &aitop) != 0) packet_disconnect("getaddrinfo: fatal error"); for (ai = aitop; ai; ai = ai->ai_next) { @@ -2222,28 +2223,28 @@ success = 1; } if (success == 0) - error("channel_setup_fwd_listener: cannot listen to port: %d", - listen_port); + error("channel_setup_fwd_listener: cannot listen to port: %s/%d", + listen_addr == NULL ? "0.0.0.0" : listen_addr, listen_port); freeaddrinfo(aitop); return success; } /* protocol local port fwd, used by ssh (and sshd in v1) */ int -channel_setup_local_fwd_listener(u_short listen_port, +channel_setup_local_fwd_listener(const char *listen_host, u_short listen_port, const char *host_to_connect, u_short port_to_connect, int gateway_ports) { return channel_setup_fwd_listener(SSH_CHANNEL_PORT_LISTENER, - NULL, listen_port, host_to_connect, port_to_connect, gateway_ports); + listen_host, listen_port, host_to_connect, port_to_connect, gateway_ports); } /* protocol v2 remote port fwd, used by sshd */ int channel_setup_remote_fwd_listener(const char *listen_address, - u_short listen_port, int gateway_ports) + u_short listen_port, const char *bind_address, int gateway_ports) { return channel_setup_fwd_listener(SSH_CHANNEL_RPORT_LISTENER, - listen_address, listen_port, NULL, 0, gateway_ports); + bind_address, listen_port, listen_address, 0, gateway_ports); } /* @@ -2252,7 +2253,7 @@ */ void -channel_request_remote_forwarding(u_short listen_port, +channel_request_remote_forwarding(const char *listen_host, u_short listen_port, const char *host_to_connect, u_short port_to_connect) { int type, success = 0; 
@@ -2263,7 +2264,8 @@ /* Send the forward request to the remote side. */ if (compat20) { - const char *address_to_bind = "0.0.0.0"; + const char *address_to_bind = + listen_host == NULL ? "0.0.0.0" : listen_host; packet_start(SSH2_MSG_GLOBAL_REQUEST); packet_put_cstring("tcpip-forward"); packet_put_char(1); /* boolean: want reply */ @@ -2297,6 +2299,7 @@ } } if (success) { + permitted_opens[num_permitted_opens].listen_host = listen_host == NULL ? NULL : xstrdup(listen_host); permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; permitted_opens[num_permitted_opens].listen_port = listen_port; @@ -2335,7 +2338,7 @@ #endif /* Initiate forwarding */ - channel_setup_local_fwd_listener(port, hostname, host_port, gateway_ports); + channel_setup_local_fwd_listener(NULL, port, hostname, host_port, gateway_ports); /* Free the argument string. */ xfree(hostname); diff -u -r openssh-3.8p1/channels.h openssh-3.8p1-localbind/channels.h --- openssh-3.8p1/channels.h 2003-10-01 23:17:00.000000000 -0700 +++ openssh-3.8p1-localbind/channels.h 2004-08-05 09:44:22.159094328 -0700 
@@ -199,9 +199,9 @@ void channel_input_port_forward_request(int, int); int channel_connect_to(const char *, u_short); int channel_connect_by_listen_address(u_short); -void channel_request_remote_forwarding(u_short, const char *, u_short); -int channel_setup_local_fwd_listener(u_short, const char *, u_short, int); -int channel_setup_remote_fwd_listener(const char *, u_short, int); +void channel_request_remote_forwarding(const char *, u_short, const char *, u_short); +int channel_setup_local_fwd_listener(const char *, u_short, const char *, u_short, int); +int channel_setup_remote_fwd_listener(const char *, u_short, const char *, int); /* x11 forwarding */ diff -u -r openssh-3.8p1/clientloop.c openssh-3.8p1-localbind/clientloop.c --- openssh-3.8p1/clientloop.c 2004-08-05 08:59:57.478187000 -0700 +++ openssh-3.8p1-localbind/clientloop.c 2004-08-05 09:44:51.134689368 -0700 @@ -549,13 +549,13 @@ goto out; } if (local) { - if (channel_setup_local_fwd_listener(fwd_port, buf, + if (channel_setup_local_fwd_listener(NULL, fwd_port, buf, fwd_host_port, options.gateway_ports) < 0) { logit("Port forwarding failed."); goto out; } } else - channel_request_remote_forwarding(fwd_port, buf, + channel_request_remote_forwarding(NULL, fwd_port, buf, fwd_host_port); logit("Forwarding port."); out: diff -u -r openssh-3.8p1/misc.c openssh-3.8p1-localbind/misc.c --- openssh-3.8p1/misc.c 2003-11-03 01:07:14.000000000 -0800 +++ openssh-3.8p1-localbind/misc.c 2004-08-05 11:49:12.019462480 -0700 @@ -141,6 +141,19 @@ return (old); } +int strcount( char *str, char c ) +{ + int count = 0; + + if( str == NULL ) + return -1; + + while( *str != 0 && *str != ' ' && *str != '\t' ) + if( *(str++) == c ) + count++; + return count; +} + struct passwd * pwcopy(struct passwd *pw) { diff -u -r openssh-3.8p1/misc.h openssh-3.8p1-localbind/misc.h --- openssh-3.8p1/misc.h 2003-08-24 18:16:21.000000000 -0700 +++ openssh-3.8p1-localbind/misc.h 2004-08-05 11:02:08.916639344 -0700 
@@ -14,6 +14,7 @@ char *chop(char *); char *strdelim(char **); +int strcount( char *, char ); void set_nonblock(int); void unset_nonblock(int); void set_nodelay(int); diff -u -r openssh-3.8p1/readconf.c openssh-3.8p1-localbind/readconf.c --- openssh-3.8p1/readconf.c 2004-08-05 08:59:24.775159000 -0700 +++ openssh-3.8p1-localbind/readconf.c 2004-08-05 12:53:24.203841440 -0700 @@ -203,8 +203,8 @@ */ void -add_local_forward(Options *options, u_short port, const char *host, - u_short host_port) +add_local_forward(Options *options, const char *listen_host, u_short port, + const char *host, u_short host_port) { Forward *fwd; #ifndef NO_IPPORT_RESERVED_CONCEPT @@ -215,6 +215,7 @@ if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION) fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION); fwd = &options->local_forwards[options->num_local_forwards++]; + fwd->listen_host = listen_host == NULL ? NULL : xstrdup(listen_host); fwd->port = port; fwd->host = xstrdup(host); fwd->host_port = host_port; @@ -226,14 +227,15 @@ */ void -add_remote_forward(Options *options, u_short port, const char *host, - u_short host_port) +add_remote_forward(Options *options, const char *listen_host, u_short port, + const char *host, u_short host_port) { Forward *fwd; if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION) fatal("Too many remote forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION); fwd = &options->remote_forwards[options->num_remote_forwards++]; + fwd->listen_host = listen_host == NULL ? NULL : xstrdup(listen_host); fwd->port = port; fwd->host = xstrdup(host); fwd->host_port = host_port; 
@@ -281,11 +283,12 @@ char *line, const char *filename, int linenum, int *activep) { - char buf[256], *s, **charptr, *endofnumber, *keyword, *arg; + char buf[256], buf2[256], *s, **charptr, *endofnumber, *keyword, *arg; int opcode, *intptr, value; size_t len; u_short fwd_port, fwd_host_port; char sfwd_host_port[6]; + char sfwd_port[6]; /* Strip trailing whitespace */ for(len = strlen(line) - 1; len > 0; len--) { @@ -645,13 +648,32 @@ case oLocalForward: case oRemoteForward: + buf[0] = '\0'; + arg = strdelim(&s); if (!arg || *arg == '\0') fatal("%.200s line %d: Missing port argument.", filename, linenum); - if ((fwd_port = a2port(arg)) == 0) - fatal("%.200s line %d: Bad listen port.", - filename, linenum); + + int slash_count = strcount( arg, '/' ); + int colon_count = strcount( arg, ':' ); + + if( slash_count == 1 || colon_count == 1 ) + { + if (sscanf(arg, "%255[^:]:%5[0-9]", buf2, sfwd_port) != 2 && + sscanf(arg, "%255[^/]/%5[0-9]", buf2, sfwd_port) != 2) + fatal("%.200s line %d: Bad bind_address forwarding specification.", + filename, linenum); + if ((fwd_port = a2port(sfwd_port)) == 0) + fatal("%.200s line %d: Bad forwarding port.", + filename, linenum); + } else + { + buf2[0] = '\0'; + if ((fwd_port = a2port(arg)) == 0) + fatal("%.200s line %d: Bad listen port.", + filename, linenum); + } arg = strdelim(&s); if (!arg || *arg == '\0') fatal("%.200s line %d: Missing second argument.", @@ -665,10 +687,10 @@ filename, linenum); if (*activep) { if (opcode == oLocalForward) - add_local_forward(options, fwd_port, buf, + add_local_forward(options, strlen(buf2) > 0 ? buf2 : NULL, fwd_port, buf, fwd_host_port); else if (opcode == oRemoteForward) - add_remote_forward(options, fwd_port, buf, + add_remote_forward(options, strlen(buf2) > 0 ? buf2 : NULL, fwd_port, buf, fwd_host_port); } break; 
@@ -683,7 +705,7 @@ fatal("%.200s line %d: Badly formatted port number.", filename, linenum); if (*activep) - add_local_forward(options, fwd_port, "socks", 0); + add_local_forward(options, NULL, fwd_port, "socks", 0); break; case oClearAllForwardings: diff -u -r openssh-3.8p1/readconf.h openssh-3.8p1-localbind/readconf.h --- openssh-3.8p1/readconf.h 2004-08-05 08:59:24.776158000 -0700 +++ openssh-3.8p1-localbind/readconf.h 2004-08-05 09:56:20.538884000 -0700 @@ -21,6 +21,7 @@ /* Data structure for representing a forwarding request. */ typedef struct { + char *listen_host; /* Host to forward. */ u_short port; /* Port to forward. */ char *host; /* Host to connect. */ u_short host_port; /* Port to connect on host. */ @@ -113,7 +114,7 @@ int process_config_line(Options *, const char *, char *, const char *, int, int *); -void add_local_forward(Options *, u_short, const char *, u_short); -void add_remote_forward(Options *, u_short, const char *, u_short); +void add_local_forward(Options *, const char *, u_short, const char *, u_short); +void add_remote_forward(Options *, const char *, u_short, const char *, u_short); #endif /* READCONF_H */ diff -u -r openssh-3.8p1/serverloop.c openssh-3.8p1-localbind/serverloop.c --- openssh-3.8p1/serverloop.c 2004-01-20 16:02:50.000000000 -0800 +++ openssh-3.8p1-localbind/serverloop.c 2004-08-05 12:27:29.649169672 -0700 @@ -988,7 +988,7 @@ } else { /* Start listening on the port */ success = channel_setup_remote_fwd_listener( - listen_address, listen_port, options.gateway_ports); + listen_address, listen_port, !strcmp(listen_address,"0.0.0.0")?NULL:listen_address, options.gateway_ports); } xfree(listen_address); } diff -u -r openssh-3.8p1/ssh.c openssh-3.8p1-localbind/ssh.c --- openssh-3.8p1/ssh.c 2003-12-16 21:33:11.000000000 -0800 +++ openssh-3.8p1-localbind/ssh.c 2004-08-05 12:58:46.419857160 -0700 
@@ -174,8 +174,8 @@ fprintf(stderr, " -c cipher Select encryption algorithm\n"); fprintf(stderr, " -m macs Specify MAC algorithms for protocol version 2.\n"); fprintf(stderr, " -p port Connect to this port. Server must be on the same port.\n"); - fprintf(stderr, " -L listen-port:host:port Forward local port to remote address\n"); - fprintf(stderr, " -R listen-port:host:port Forward remote port to local address\n"); + fprintf(stderr, " -L [listen-host:]listen-port:host:port Forward local port to remote address\n"); + fprintf(stderr, " -R [listen-host:]listen-port:host:port Forward remote port to local address\n"); fprintf(stderr, " These cause %s to listen for connections on a port, and\n", __progname); fprintf(stderr, " forward them to the other side by connecting to host:port.\n"); fprintf(stderr, " -D port Enable dynamic application-level port forwarding.\n"); @@ -202,10 +202,10 @@ int main(int ac, char **av) { - int i, opt, exit_status; + int i, opt, exit_status, localbind = 0; u_short fwd_port, fwd_host_port; char sfwd_port[6], sfwd_host_port[6]; - char *p, *cp, *line, buf[256]; + char *p, *cp, *line, buf[256], buf2[256]; struct stat st; struct passwd *pw; int dummy; @@ -418,10 +418,16 @@ case 'L': case 'R': + buf[0] = 0; if (sscanf(optarg, "%5[0123456789]:%255[^:]:%5[0123456789]", sfwd_port, buf, sfwd_host_port) != 3 && sscanf(optarg, "%5[0123456789]/%255[^/]/%5[0123456789]", - sfwd_port, buf, sfwd_host_port) != 3) { + sfwd_port, buf, sfwd_host_port) != 3 && + (localbind = 1) && // Set localbind to TRUE + sscanf(optarg, "%255[^:]:%5[0123456789]:%255[^:]:%5[0123456789]", + buf2, sfwd_port, buf, sfwd_host_port) != 4 && + sscanf(optarg, "%255[^/]/%5[0123456789]/%255[^/]/%5[0123456789]", + buf2, sfwd_port, buf, sfwd_host_port) != 4) { fprintf(stderr, "Bad forwarding specification '%s'\n", optarg); 
@@ -435,11 +441,11 @@ exit(1); } if (opt == 'L') - add_local_forward(&options, fwd_port, buf, - fwd_host_port); + add_local_forward(&options, localbind ? buf2 : NULL, + fwd_port, buf, fwd_host_port); else if (opt == 'R') - add_remote_forward(&options, fwd_port, buf, - fwd_host_port); + add_remote_forward(&options, localbind ? buf2 : NULL, + fwd_port, buf, fwd_host_port); break; case 'D': @@ -449,7 +455,7 @@ optarg); exit(1); } - add_local_forward(&options, fwd_port, "socks", 0); + add_local_forward(&options, NULL, fwd_port, "socks", 0); break; case 'C': @@ -840,11 +846,13 @@ /* Initiate local TCP/IP port forwardings. */ for (i = 0; i < options.num_local_forwards; i++) { - debug("Connections to local port %d forwarded to remote address %.200s:%d", + debug("Connections to local port %.200s:%d forwarded to remote address %.200s:%d", + options.local_forwards[i].listen_host, options.local_forwards[i].port, options.local_forwards[i].host, options.local_forwards[i].host_port); success += channel_setup_local_fwd_listener( + options.local_forwards[i].listen_host, options.local_forwards[i].port, options.local_forwards[i].host, options.local_forwards[i].host_port, @@ -855,11 +863,13 @@ /* Initiate remote TCP/IP port forwardings. */ for (i = 0; i < options.num_remote_forwards; i++) { - debug("Connections to remote port %d forwarded to local address %.200s:%d", + debug("Connections to remote port %.200s:%d forwarded to local address %.200s:%d", + options.remote_forwards[i].listen_host, options.remote_forwards[i].port, options.remote_forwards[i].host, options.remote_forwards[i].host_port); channel_request_remote_forwarding( + options.remote_forwards[i].listen_host, options.remote_forwards[i].port, options.remote_forwards[i].host, options.remote_forwards[i].host_port); From djm at mindrot.org Fri Aug 6 10:42:31 2004 
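Review bot: in the ssh.c `case 'L': case 'R':` hunk, `localbind` is declared once in main() (`int i, opt, exit_status, localbind = 0;`) and is only ever set to 1, never cleared, so it leaks from one option into the next: with `-L 10.0.0.1:8080:a:80 -L 9090:b:80` the second option satisfies the first sscanf, the `&&` chain short-circuits before `(localbind = 1)`, and `add_local_forward(&options, localbind ? buf2 : NULL, ...)` hands the second forward the stale buf2 ("10.0.0.1") from the first. Reset `localbind = 0;` and `buf2[0] = '\0';` beside the existing `buf[0] = 0;` at the top of the case, and replace the assignment inside the condition chain (`(localbind = 1) && // Set localbind to TRUE`) with an explicit if/else; that line also introduces a `//` comment into a file that otherwise uses C89 `/* */` comments.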
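Review bot: in the readconf.c oLocalForward/oRemoteForward hunk, `int slash_count = strcount( arg, '/' );` and `int colon_count` are declarations after statements in the middle of a switch case; move them to the declaration list at the top of process_config_line, where `buf2` and `sfwd_port` were added. The separator-counting detection also rules out IPv6 bind addresses entirely: `::1:8080` has more than one ':', so it falls into the else branch, `a2port("::1:8080")` returns 0 and the user sees "Bad listen port" rather than anything about the bind address, and the '/' form only helps when the address itself contains no '/'. `"%255[^:]:%5[0-9]"` additionally accepts trailing junk after the port digits (`host:80xyz` parses as port 80). A bracketed form such as `[::1]:8080`, or parsing from the right-hand end, would address both.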
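Review bot: strcount() in the misc.c hunk takes `char *str` but never modifies it; make it `const char *` (and update the misc.h prototype). The loop also stops at the first space or tab, which neither the name nor a comment mentions and which is dead code for its only caller, since strdelim() already hands readconf.c a whitespace-free token; either drop the whitespace test or document it. The spacing inside parentheses (`strcount( char *str, char c )`, `if( str == NULL )`, `*(str++)`) does not match the surrounding OpenSSH style.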
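Review bot: in the two ssh.c hunks under `/* Initiate local TCP/IP port forwardings. */` and `/* Initiate remote TCP/IP port forwardings. */`, the new `debug("Connections to local port %.200s:%d ...")` format is passed `options.local_forwards[i].listen_host`, which is NULL whenever the plain `port:host:hostport` form was used (add_local_forward stores `listen_host == NULL ? NULL : xstrdup(listen_host)`). Passing NULL for `%s` is undefined behaviour; glibc prints "(null)" but other libcs have crashed on it. Substitute a placeholder in both loops, e.g. `listen_host == NULL ? "<default>" : listen_host`.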
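Review bot: the serverloop.c hunk now calls `channel_setup_remote_fwd_listener(listen_address, listen_port, !strcmp(listen_address,"0.0.0.0")?NULL:listen_address, options.gateway_ports)`, passing listen_address in two positions against the new `(const char *, u_short, const char *, int)` prototype; nothing in the channels.h hunk says which parameter is the bind address and which is the original listen address, so the added parameter needs a name in the prototype and a comment at this call. The wildcard test also recognises only the IPv4 `"0.0.0.0"`: a client that puts the empty string or `"::"` in the tcpip-forward address field, both of which mean "all interfaces", gets it treated as a literal address to bind. Spaces around `?` and `:` would match the file's style.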
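Review bot: in the readconf.h hunk the new member is commented `char *listen_host; /* Host to forward. */`, but it holds the address the local or remote listener binds to, not a forwarding target, and NULL means "use the default"; say so in the comment (e.g. `/* Address to listen on, NULL for default. */`), since add_local_forward, add_remote_forward, channels.c and ssh.c all rely on that NULL convention.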
From: djm at mindrot.org (Damien Miller) Date: Fri, 06 Aug 2004 10:42:31 +1000 Subject: LocalForward and RemoteForward bind patch In-Reply-To: References: Message-ID: <4112D3F7.4020902@mindrot.org> Jeff Hansen wrote: > FINALLY, it's here. > > You can now tell SSH which address to bind to for every single port > forwarding option! This patch allows you to pass the following as ssh > command line options: There has been a patch to do just this for a little while. It just needs testing before we merge it. http://bugzilla.mindrot.org/show_bug.cgi?id=413 -d From mouring at etoh.eviladmin.org Fri Aug 6 13:34:49 2004 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 5 Aug 2004 22:34:49 -0500 (CDT) Subject: LocalForward and RemoteForward bind patch In-Reply-To: <4112D3F7.4020902@mindrot.org> Message-ID: On Fri, 6 Aug 2004, Damien Miller wrote: > Jeff Hansen wrote: > > > FINALLY, it's here. > > > > You can now tell SSH which address to bind to for every single port > > forwarding option! This patch allows you to pass the following as ssh > > command line options: > > There has been a patch to do just this for a little while. It just > needs testing before we merge it. > > http://bugzilla.mindrot.org/show_bug.cgi?id=413 > [.. in channels.c ..] @@ -2312,7 +2333,14 @@ /* Send the forward request to the remote side. */ if (compat20) { - const char *address_to_bind = "0.0.0.0"; + const char *address_to_bind; + if (listen_host == NULL) + address_to_bind = "127.0.0.1"; + else if (listen_host[0] == '\0' || strcmp(listen_host, "*")==0) [..] Ain't it a bit wrong to hard code 127.0.0.1 here without consulting if we are in ipv4 vs ipv6 mode? I assume this would break if the person is assuming pure ipv6 connection everywhere. - Ben From djm at mindrot.org Fri Aug 6 13:29:56 2004 
From: djm at mindrot.org (Damien Miller) Date: Fri, 06 Aug 2004 13:29:56 +1000 Subject: LocalForward and RemoteForward bind patch In-Reply-To: References: Message-ID: <4112FB34.5060004@mindrot.org> Ben Lindstrom wrote: > > On Fri, 6 Aug 2004, Damien Miller wrote: > > >>Jeff Hansen wrote: >> >> >>>FINALLY, it's here. >>> >>>You can now tell SSH which address to bind to for every single port >>>forwarding option! This patch allows you to pass the following as ssh >>>command line options: >> >>There has been a patch to do just this for a little while. It just >>needs testing before we merge it. >> >>http://bugzilla.mindrot.org/show_bug.cgi?id=413 >> > > [.. in channels.c ..] > @@ -2312,7 +2333,14 @@ > > /* Send the forward request to the remote side. */ > if (compat20) { > - const char *address_to_bind = "0.0.0.0"; > + const char *address_to_bind; > + if (listen_host == NULL) > + address_to_bind = "127.0.0.1"; > + else if (listen_host[0] == '\0' || strcmp(listen_host, > "*")==0) > [..] > > Ain't it a bit wrong to hard code 127.0.0.1 here without consulting if we > are in ipv4 vs ipv6 mode? I assume this would break if the person is > assuming pure ipv6 connection everywhere. Yes - that is one of the outstanding issues in the bug (my characterization of it "just needing testing" was overly optimistic) -d
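The parsing problem behind this sub-thread, as an added example that is not OpenSSH's code or any contributor's patch: a forwarding-specification parser that tokenises with bracket awareness instead of counting ':' characters, so an IPv6 bind address or host can be written as [::1], and that leaves the "no bind address given" case to the caller instead of hard-coding 127.0.0.1, which is the concern Ben raises above. The '/' separator form is accepted as well. All names here (struct forward, parse_forward_spec, forward_matches, forward_is_malformed, FWD_MAXTOKEN) are this example's own.

```c
/* Added example, not OpenSSH code: parse  [bind_address:]port:host:hostport
 * (or the same with '/' as separator).  A component written as [...] may
 * contain the separator, which is how IPv6 literals are written. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define FWD_MAXTOKEN 256

struct forward {
    int has_bind_address;            /* 0: caller chooses loopback/wildcard per address family */
    char bind_address[FWD_MAXTOKEN];
    unsigned short listen_port;
    char host[FWD_MAXTOKEN];
    unsigned short host_port;
};

/* Split spec on sep, honouring [...] groups.  Returns the token count, or -1
 * on a malformed spec: empty token, unterminated '[', text after ']',
 * trailing separator, or more than max tokens. */
static int split_spec(const char *spec, char sep, char tok[][FWD_MAXTOKEN], int max)
{
    const char *p = spec, *start, *end;
    size_t len;
    int n = 0;

    while (*p != '\0') {
        if (n >= max)
            return -1;
        if (*p == '[') {
            start = p + 1;
            if ((end = strchr(start, ']')) == NULL)
                return -1;
            p = end + 1;
            if (*p != '\0' && *p != sep)
                return -1;
        } else {
            start = p;
            if ((end = strchr(p, sep)) == NULL)
                end = p + strlen(p);
            p = end;
        }
        len = (size_t)(end - start);
        if (len == 0 || len >= FWD_MAXTOKEN)
            return -1;
        memcpy(tok[n], start, len);
        tok[n][len] = '\0';
        n++;
        if (*p == sep && *++p == '\0')
            return -1;
    }
    return n;
}

/* Decimal port 1..65535, digits only (strtol alone would accept " 80" or "+80"). */
static int parse_port(const char *s, unsigned short *out)
{
    char *end;
    long v;

    if (!isdigit((unsigned char)*s))
        return -1;
    v = strtol(s, &end, 10);
    if (*end != '\0' || v < 1 || v > 65535)
        return -1;
    *out = (unsigned short)v;
    return 0;
}

/* Returns 0 and fills *out on success, -1 on a bad specification. */
int parse_forward_spec(const char *spec, struct forward *out)
{
    char tok[4][FWD_MAXTOKEN];
    char sep = strchr(spec, '/') != NULL ? '/' : ':';
    int n, i = 0;

    memset(out, 0, sizeof(*out));
    n = split_spec(spec, sep, tok, 4);
    if (n != 3 && n != 4)
        return -1;
    if (n == 4) {
        out->has_bind_address = 1;
        strcpy(out->bind_address, tok[i++]);   /* every token is < FWD_MAXTOKEN */
    }
    if (parse_port(tok[i++], &out->listen_port) != 0)
        return -1;
    strcpy(out->host, tok[i++]);
    return parse_port(tok[i], &out->host_port);
}

/* Does spec parse to exactly these fields?  bind == NULL means "no bind address given". */
int forward_matches(const char *spec, const char *bind, unsigned short port,
    const char *host, unsigned short host_port)
{
    struct forward f;

    if (parse_forward_spec(spec, &f) != 0)
        return 0;
    if (bind == NULL ? f.has_bind_address
                     : (!f.has_bind_address || strcmp(f.bind_address, bind) != 0))
        return 0;
    return f.listen_port == port && strcmp(f.host, host) == 0 && f.host_port == host_port;
}

/* 1 if the parser rejects spec. */
int forward_is_malformed(const char *spec)
{
    struct forward f;
    return parse_forward_spec(spec, &f) != 0;
}
```

With has_bind_address left at 0 the caller can resolve the listener through getaddrinfo() with AI_PASSIVE (wildcard) or a loopback name for whichever address family is in use, rather than committing to an IPv4 literal; a bind address of "*" can be treated as the explicit wildcard, as the quoted channels.c hunk does.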
From louise.swift at hants.gov.uk Tue Aug 10 00:48:00 2004
From: louise.swift at hants.gov.uk (Swift, Louise)
Date: Mon, 9 Aug 2004 15:48:00 +0100
Subject: ssh remote command fuser problem
Message-ID:

I've set up public/private key authentication between a Solaris 9 system running SSH Version Sun_SSH_1.0, protocol versions 1.5/2.0, and a Solaris 8 system running OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004.

Cannot get remote command fuser to work (although other commands are ok). I've got ssh and sftp and scp finally to work, but I am left with one problem. I can use ssh from sol9 to sol8 to start a remote session. I can ssh from sol9 to sol8 to execute some remote commands, but not fuser, i.e. all from the Solaris 9 system:

ssh userid at anothersol9 ls            works fine
ssh userid at anothersol9 fuser afile   works fine
ssh userid at sol8 ls                   works fine
ssh userid at sol8 fuser afile          fails, I get "select: Bad file number"

Having seen this type of message before when it was to do with paths, I have tried the following...

created a logical link from /usr/bin/fuser to the /usr/sbin/bin/fuser, still got the same 'select: Bad file number'

created a test file in the home directory of the userid on the sol8 (server) system and tried "ssh userid at sol8 ./test" and it worked ok, so I tried creating a logical link from the home directory of userid on sol8 called fuser pointing to /usr/sbin/fuser and tried again "ssh userid at sol8 ./fuser a file" and it still failed with 'select: Bad file number'.

I even tried copying fuser to the home directory of userid on sol8, and even though "ssh userid at sol8 ./test" works, "ssh userid at sol8 ./fuser a file" still fails.

I'm really stuck, any help/hints gratefully received

> Louise Swift
> IT Services (rm 415)
> Hampshire County Council
> Elizabeth II Court, The Castle,
> Winchester, Hants SO23 8US
> Tel: +44 (0)1962 847427
> Fax: +44 (0)1962 847434
> HPSN: 200 7427
Louise.Swift at hants.gov.uk
From andreas at conectiva.com.br Tue Aug 10 07:50:27 2004
From: andreas at conectiva.com.br (Andreas)
Date: Mon, 9 Aug 2004 18:50:27 -0300
Subject: Question about AllowUsers and AllowGroups
Message-ID: <20040809215027.GH11074@conectiva.com.br>

While testing some AllowUsers and AllowGroups combinations I was surprised to find that one cannot be used to override the other. For example:

AllowGroups administrators
AllowUsers john

If john is *not* part of the administrators group, then access is being denied. Is this the expected behaviour? This would force me to create another group just for ssh, something like ssh-admins.

This other excerpt works as expected, at least for me:

AllowGroups administrators
DenyUsers johnadmin

If johnadmin is part of the administrators group, he is still denied access.

This all with openssh-3.8.1p1 on Linux.
From mouring at etoh.eviladmin.org Tue Aug 10 08:17:15 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 9 Aug 2004 17:17:15 -0500 (CDT)
Subject: Question about AllowUsers and AllowGroups
In-Reply-To: <20040809215027.GH11074@conectiva.com.br>
Message-ID:

This has been brought up before.. I supplied a patch.. It was turned down because this is the same syntax/design as the older ssh releases.

I personally think it is a misfeature or broken, but to fix it now would more than likely mean picking new sshd_config names and stop supporting the ones.

- Ben

On Mon, 9 Aug 2004, Andreas wrote:

> While testing some AllowUsers and AllowGroups combinations I was surprised
> to find that one cannot be used to override the other. For example:
>
> AllowGroups administrators
> AllowUsers john
>
> If john is *not* part of the administrators group, then access is being denied.
> Is this the expected behaviour? This would force me to create another group just
> for ssh, something like ssh-admins.
>
> This other excerpt works as expected, at least for me:
>
> AllowGroups administrators
> DenyUsers johnadmin
>
> If johnadmin is part of the administrators group, he is still denied access.
>
> This all with openssh-3.8.1p1 on Linux.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
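The behaviour Andreas observed and Ben confirms, as an added model that is not sshd's code: sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order, and a login must pass every directive that is set, so an AllowUsers entry cannot override an AllowGroups restriction. The model uses exact string comparison where sshd matches patterns. Struct and function names (access_policy, sshd_allowed_user, the case_* functions) are this example's own, and the users, groups and policies are constructed from the two configurations in the thread plus the extra-group workaround Andreas mentions.

```c
/* Added example, not OpenSSH code: the order in which sshd applies its
 * user/group access directives.  None overrides another; each one that is
 * set gets a veto.  Exact matching stands in for sshd's pattern matching. */
#include <stddef.h>
#include <string.h>

struct access_policy {
    const char *const *deny_users;   size_t n_deny_users;
    const char *const *allow_users;  size_t n_allow_users;
    const char *const *deny_groups;  size_t n_deny_groups;
    const char *const *allow_groups; size_t n_allow_groups;
};

static int in_list(const char *name, const char *const *list, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (strcmp(name, list[i]) == 0)
            return 1;
    return 0;
}

/* Does any of the user's groups appear in list? */
static int any_group_in_list(const char *const *groups, size_t ngroups,
    const char *const *list, size_t n)
{
    size_t i;
    for (i = 0; i < ngroups; i++)
        if (in_list(groups[i], list, n))
            return 1;
    return 0;
}

/* 1 if the login is permitted, 0 if denied; *reason names the deciding
 * directive.  Order as in sshd_config(5): DenyUsers, AllowUsers,
 * DenyGroups, AllowGroups. */
int sshd_allowed_user(const struct access_policy *p, const char *user,
    const char *const *groups, size_t ngroups, const char **reason)
{
    if (in_list(user, p->deny_users, p->n_deny_users)) {
        *reason = "DenyUsers";
        return 0;
    }
    if (p->n_allow_users > 0 && !in_list(user, p->allow_users, p->n_allow_users)) {
        *reason = "AllowUsers";
        return 0;
    }
    if (any_group_in_list(groups, ngroups, p->deny_groups, p->n_deny_groups)) {
        *reason = "DenyGroups";
        return 0;
    }
    if (p->n_allow_groups > 0 &&
        !any_group_in_list(groups, ngroups, p->allow_groups, p->n_allow_groups)) {
        *reason = "AllowGroups";
        return 0;
    }
    *reason = "no directive denied the login";
    return 1;
}

/* Constructed policies and users from the thread; each case returns the verdict. */
static const char *const administrators[] = { "administrators" };
static const char *const admins_and_ssh[] = { "administrators", "ssh-admins" };
static const char *const only_john[] = { "john" };
static const char *const only_johnadmin[] = { "johnadmin" };

/* AllowGroups administrators + AllowUsers john, john only in "users": denied (by AllowGroups). */
int case_john_not_admin(void)
{
    struct access_policy p = { 0 };
    const char *const groups[] = { "users" };
    const char *reason;

    p.allow_groups = administrators; p.n_allow_groups = 1;
    p.allow_users = only_john;       p.n_allow_users = 1;
    return sshd_allowed_user(&p, "john", groups, 1, &reason);
}

/* AllowGroups administrators + DenyUsers johnadmin, johnadmin an administrator: denied (by DenyUsers). */
int case_johnadmin_denied(void)
{
    struct access_policy p = { 0 };
    const char *const groups[] = { "administrators" };
    const char *reason;

    p.allow_groups = administrators; p.n_allow_groups = 1;
    p.deny_users = only_johnadmin;   p.n_deny_users = 1;
    return sshd_allowed_user(&p, "johnadmin", groups, 1, &reason);
}

/* Workaround: AllowGroups administrators ssh-admins, john placed in ssh-admins: allowed. */
int case_extra_group(void)
{
    struct access_policy p = { 0 };
    const char *const groups[] = { "users", "ssh-admins" };
    const char *reason;

    p.allow_groups = admins_and_ssh; p.n_allow_groups = 2;
    return sshd_allowed_user(&p, "john", groups, 2, &reason);
}
```

The first case is the one that surprises people: john passes AllowUsers, but the AllowGroups check still runs afterwards and vetoes him. Adding the user to a group named in AllowGroups (the dedicated ssh-admins group Andreas suggests) is the only way through without changing sshd.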
From mlambert at csc.com Thu Aug 12 00:02:57 2004
From: mlambert at csc.com (Mike Lambertson)
Date: Wed, 11 Aug 2004 10:02:57 -0400
Subject: Problem with OpenSSH 3.7.1p2
Message-ID:

I was just forced to upgrade to OpenSSH 3.7.1p2 for security reasons. This has apparently caused a problem with PHP/libcurl:

[...conf.d]$ /etc/init.d/httpd restart
Stopping httpd: [FAILED]
Starting httpd: Syntax error on line 6 of /etc/httpd/conf.d/php.conf:
Cannot load /etc/httpd/modules/libphp4.so into server: /usr/lib/libcurl.so.2: undefined symbol: ENGINE_load_private_key

I have searched for a solution to this and come up dry, even on openssh.com.

On a local forum it has been suggested that I need a version of libcurl to be compatible with OpenSSH 3.7.1p2. If so, what version would that be? If not, what would you suggest? Otherwise I need to revert to OpenSSH 3.5

Other info:
RedHat 9.0
PHP 4.2.2

Thanks,
Mike

----------------------------------------------------------------------------------------
This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
----------------------------------------------------------------------------------------
From mouring at etoh.eviladmin.org Thu Aug 12 00:45:48 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 11 Aug 2004 09:45:48 -0500 (CDT) Subject: Problem with OpenSSH 3.7.1p2 In-Reply-To: Message-ID: On Wed, 11 Aug 2004, Mike Lambertson wrote: > I was just forced to upgrade to OpenSSH 3.7.1p2 for security reasons. This > has apparently caused a problem with PHP/libcurl: > > [...conf.d]$ /etc/init.d/httpd restart > Stopping httpd: [FAILED] > Starting httpd: Syntax error on line 6 of /etc/httpd/conf.d/php.conf: > Cannot load /etc/httpd/modules/libphp4.so into server: > /usr/lib/libcurl.so.2: undefined symbol: ENGINE_load_private_key > That's an OpenSSL issue.. not an OpenSSH issue. - Ben From dtucker at zip.com.au Thu Aug 12 00:34:19 2004 
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 12 Aug 2004 00:34:19 +1000 Subject: Problem with OpenSSH 3.7.1p2 In-Reply-To: References: Message-ID: <411A2E6B.8020501@zip.com.au> Mike Lambertson wrote: > I was just forced to upgrade to OpenSSH 3.7.1p2 for security reasons. This > has apparently caused a problem with PHP/libcurl: > > [...conf.d]$ /etc/init.d/httpd restart > Stopping httpd: [FAILED] > Starting httpd: Syntax error on line 6 of /etc/httpd/conf.d/php.conf: > Cannot load /etc/httpd/modules/libphp4.so into server: > /usr/lib/libcurl.so.2: undefined symbol: ENGINE_load_private_key > > I have searched for a solution to this and come up dry, even on > openssh.com. > > On a local forum it has been suggested that I need a version of libcurl to > be compatible with OpenSSH 3.7.1p2. If so, what version would that be? If > not, what would you suggest? Neither libcurl nor OpenSSH would care about the other. Your error looks like either libcurl or php is built against a different version of the OpenSSL library to what you have installed. The other possibility is that LD_LIBRARY_PATH has changed or something. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Thu Aug 12 08:46:16 2004 
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 12 Aug 2004 08:46:16 +1000 Subject: Solaris password requirements not enforced In-Reply-To: <411A7308.7050200@net.com> References: <4106AEFA.8030506@net.com> <4108DF56.9070502@zip.com.au> <1092248325.3784.78.camel@braveheart> <411A7308.7050200@net.com> Message-ID: <411AA1B8.7090607@zip.com.au> Srinivas Gopaladasu wrote: > My only problem which I think probably be easily fixed is, any messages > by Solaris are not displayed. > For ex, it shows as below: [...] > Any idea why the messages from Solaris are suppressed? As soon as the PAM call completes, the keyboard-interactive machinery considers the authentication attempt complete and no further keyboard-interactive messages are sent for that round. PAM ERROR_MSG and TEXT_INFO messages are collected and sent with the prompts to the user. The upshot is any ERROR_MSG or TEXT_INFO messages sent after PROMPT_ECHO* will not be displayed if the authentication fails. If the authentication succeeds, the remaining messages are stored for display to the user after login. It would be possible within the protocol to have a final message in the kbdint round with the message in the "instruction" field but zero prompts. I don't know how hard that would be to implement. There's a couple of other options (USERAUTH_BANNER, eg [1] or packet_disconnect). [1] http://bugzilla.mindrot.org/show_bug.cgi?id=892 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From srinivas_gopaladasu at net.com Thu Aug 12 09:00:24 2004 
From: srinivas_gopaladasu at net.com (Srinivas Gopaladasu) Date: Wed, 11 Aug 2004 16:00:24 -0700 Subject: Solaris password requirements not enforced References: <4106AEFA.8030506@net.com> <4108DF56.9070502@zip.com.au> <1092248325.3784.78.camel@braveheart> <411A7308.7050200@net.com> <411AA1B8.7090607@zip.com.au> Message-ID: <411AA508.8000704@net.com> Darren Tucker wrote: > Srinivas Gopaladasu wrote: > >> My only problem which I think probably be easily fixed is, any >> messages by Solaris are not displayed. >> For ex, it shows as below: > > [...] > >> Any idea why the messages from Solaris are suppressed? > I thought it will be easy to fix, but unfortuantely not. > > As soon as the PAM call completes, the keyboard-interactive machinery > considers the authentication attempt complete and no further > keyboard-interactive messages are sent for that round. > > PAM ERROR_MSG and TEXT_INFO messages are collected and sent with the > prompts to the user. The upshot is any ERROR_MSG or TEXT_INFO > messages sent after PROMPT_ECHO* will not be displayed if the > authentication fails. If the authentication succeeds, the remaining > messages are stored for display to the user after login. > > It would be possible within the protocol to have a final message in > the kbdint round with the message in the "instruction" field but zero > prompts. I don't know how hard that would be to implement. There's a > couple of other options (USERAUTH_BANNER, eg [1] or packet_disconnect). I did not get this. Can you please give me more details how I can atleast display the error messages? Or will you be able to give me a patch? Thanks Srini > > > [1] http://bugzilla.mindrot.org/show_bug.cgi?id=892 > From dtucker at zip.com.au Thu Aug 12 18:11:05 2004 
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 12 Aug 2004 18:11:05 +1000 Subject: Solaris password requirements not enforced In-Reply-To: <1092265050.5654.4.camel@braveheart> References: <4106AEFA.8030506@net.com> <4108DF56.9070502@zip.com.au> <1092248325.3784.78.camel@braveheart> <411A7308.7050200@net.com> <411AA1B8.7090607@zip.com.au> <1092265050.5654.4.camel@braveheart> Message-ID: <411B2619.20603@zip.com.au> Darren J Moffat wrote: > On Wed, 2004-08-11 at 15:46, Darren Tucker wrote: >>PAM ERROR_MSG and TEXT_INFO messages are collected and sent with the >>prompts to the user. The upshot is any ERROR_MSG or TEXT_INFO messages >>sent after PROMPT_ECHO* will not be displayed if the authentication >>fails. If the authentication succeeds, the remaining messages are >>stored for display to the user after login. > > I don't think that is the correct thing to do. I think OpenSSH does > this because it is preempting what it believes the content and meaning > of messages after a PROMPT_ECHO* might mean. The whole point of PAM is > that the application doesn't drive the conversation with the end user > the modules and the configuration of the PAM stack do. I happen to agree. I was trying to explain current behaviour, not justify it. > I believe that sshd should just send what ever PAM gives it to the > client. If it turns out that leaks security relevant information that > isn't the fault of sshd it is the fault of the PAM module. I agree with that too, however I'm not sure if the existing kbdint framework can easily be modified to send zero-prompt kbdint messages, so another mechanism (eg USERAUTH_BANNER) might be needed instead. I accept that OpenSSH's PAM support has rough edges, but we're trying to file those off, one edge at a time (see the change logs [1] since 3.8.1p1). It will never be perfect: I think there are a couple of architectural mismatches between the PAM API and the SSH2 protocol but it can (and, hopefully, will) improve. 
(secureshell at securityfocus removed, the moderator is not approving posts to this thread because they're cross-posted) [1] http://cvsweb.mindrot.org/index.cgi/openssh/auth-pam.c -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From frauke.lehmann at gmx.de Thu Aug 12 04:11:33 2004 From: frauke.lehmann at gmx.de (Frauke Lehmann) Date: Wed, 11 Aug 2004 20:11:33 +0200 Subject: [OT] Survey about FS/OS developers Message-ID: <1092247892.1916.1340.camel@goliath.local> Sorry for any cross-posting! Hello, My name is Frauke Lehmann and I'm writing my master thesis about the social formation of free software/open source (FS/OS) developers. A questionnaire is one part of my research - besides interviews and observations. It would be really nice, if you supported my survey by filling in my questionnaire (takes 20-30 min). I understand FS/OS developers as people who are writing code (obviously), but also those that write documentation, do translations, design GUIs, or people that take care of the project's infrastructure (mailing lists etc.) or answer users' questions. I'm going to publish my thesis (once it's done) on my website (http://userpage.fu-berlin.de/~egal/. It will be freely available in German (the orginal) and as an English translation (after some time) and it will be allowed to distribute it freely. If you have any questions about my project, please feel free and email me. Thanks for taking the time reading this mail and hopefully filling in the questionnaire. Which you will find at http://userpage.fu-berlin.de/~egal/ Frauke Lehmann ps: Sorry, if this isn't the proper lists to send my request to. If it is not, it would be nice, if you forwarded it the right one. From dtucker at zip.com.au Thu Aug 12 18:23:10 2004 
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 12 Aug 2004 18:23:10 +1000
Subject: Solaris password requirements not enforced
In-Reply-To: <411AA508.8000704@net.com>
References: <4106AEFA.8030506@net.com> <4108DF56.9070502@zip.com.au> <1092248325.3784.78.camel@braveheart> <411A7308.7050200@net.com> <411AA1B8.7090607@zip.com.au> <411AA508.8000704@net.com>
Message-ID: <411B28EE.7000804@zip.com.au>

Srinivas Gopaladasu wrote:
> Darren Tucker wrote:
>
>> It would be possible within the protocol to have a final message in
>> the kbdint round with the message in the "instruction" field but zero
>> prompts. I don't know how hard that would be to implement. There's a
>> couple of other options (USERAUTH_BANNER, eg [1] or packet_disconnect).
>
> I did not get this.

It's an example of passing messages from, in this case, PAM account modules through the privsep master/slave arrangement and back to the user via USERAUTH_BANNER. It's not directly applicable to your problem unless you do some hacking on it.

> Can you please give me more details how I can at least display the error
> messages?

If you disable pam_chauthtok in sshpam_thread [1] then sshd will fall back to exec'ing /usr/bin/passwd (if privsep is on) or pam_chauthtok() in the session (if privsep is off).

> Or will you be able to give me a patch?

Not right now, possibly later.

[1] In sshpam_thread in auth-pam.c, find this block:

        if (compat20) {
                if (!do_pam_account())
                        goto auth_fail;

and change "compat20" to "0" (ie zero) then recompile.

-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
From Darren.Moffat at Sun.COM Thu Aug 12 04:18:45 2004
From: Darren.Moffat at Sun.COM (Darren J Moffat) Date: Wed, 11 Aug 2004 11:18:45 -0700 Subject: Solaris password requirements not enforced In-Reply-To: <4108DF56.9070502@zip.com.au> References: <4106AEFA.8030506@net.com> <4108DF56.9070502@zip.com.au> Message-ID: <1092248325.3784.78.camel@braveheart> On Thu, 2004-07-29 at 04:28, Darren Tucker wrote: > Srinivas Gopaladasu wrote: > > The Solaris password requirements like > > a. no empty password > > b. minimum 6 chars > > etc for a regular user are not enforced when a password expired user is > > changing password at the SSH login prompt. > > It would appear that those restrictions are implemented in > /usr/bin/passwd and not the PAM modules. Not true they are implemented in pam_unix or pam_authtok_check (which you have depends on your Solaris 8 patch level). > Since sshd just calls > pam_chauthtok(), if PAM allows changing to a short or empty password, > then that's what happens. This is probably a bug or design misfeature > in the Solaris PAM module (others, eg LinuxPAM, enforce such restrictions). Or a bug in how OpenSSH calls PAM on Solaris and a design difference between the Solaris and LinuxPAM modules. If OpenSSH is calling pam_chauthtok when its real uid is 0 then the Solaris pam_unix and pam_authtok_check modules assume that this is root changing a users password and thus the restrictions need not apply so the checks are not run. -- Darren J Moffat From michal at pasternak.w.lub.pl Thu Aug 12 18:30:44 2004 
From: michal at pasternak.w.lub.pl (Michal Pasternak)
Date: Thu, 12 Aug 2004 10:30:44 +0200
Subject: [OT] Survey about FS/OS developers
In-Reply-To: <1092247892.1916.1340.camel@goliath.local>
References: <1092247892.1916.1340.camel@goliath.local>
Message-ID: <20040812083044.GA31395@pasternak.w.lub.pl>

Frauke Lehmann [Wed, Aug 11, 2004 at 08:11:33PM +0200]:
> Sorry for any cross-posting!

Just don't do that. This way you don't have to be sorry for it.

> ps: Sorry, if this isn't the proper lists to send my request to.

So why did you send it anyway, without checking first if it is a proper list? The purpose of the list is not kept secret, it's public.

> If it is not, it would be nice, if you forwarded it the right one.

Sorry, I don't think we spread spam. Try your local LUG to get contacts.

Thank you,
-- 
m

From Darren.Moffat at Sun.COM Thu Aug 12 08:57:30 2004
From: Darren.Moffat at Sun.COM (Darren J Moffat)
Date: Wed, 11 Aug 2004 15:57:30 -0700
Subject: Solaris password requirements not enforced
In-Reply-To: <411AA1B8.7090607@zip.com.au>
References: <4106AEFA.8030506@net.com> <4108DF56.9070502@zip.com.au> <1092248325.3784.78.camel@braveheart> <411A7308.7050200@net.com> <411AA1B8.7090607@zip.com.au>
Message-ID: <1092265050.5654.4.camel@braveheart>

On Wed, 2004-08-11 at 15:46, Darren Tucker wrote:
> PAM ERROR_MSG and TEXT_INFO messages are collected and sent with the
> prompts to the user. The upshot is any ERROR_MSG or TEXT_INFO messages
> sent after PROMPT_ECHO* will not be displayed if the authentication
> fails. If the authentication succeeds, the remaining messages are
> stored for display to the user after login.

I don't think that is the correct thing to do. I think OpenSSH does this because it is preempting what it believes the content and meaning of messages after a PROMPT_ECHO* might mean. The whole point of PAM is that the application doesn't drive the conversation with the end user; the modules and the configuration of the PAM stack do.

I believe that sshd should just send whatever PAM gives it to the client. If it turns out that leaks security relevant information, that isn't the fault of sshd, it is the fault of the PAM module. It is a reasonably common practice (on Solaris at least) to provide an option that can be given to the PAM module to suppress its messages. In addition to that, proper configuration of the PAM stack should eliminate trying later modules, or ensure that all modules are tried, depending on what policy the admin wants.

-- 
Darren J Moffat

From supportirrigation at servicemagic.com Thu Aug 12 22:43:06 2004
From dtucker at zip.com.au Thu Aug 12 23:55:20 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 12 Aug 2004 23:55:20 +1000
Subject: Pending OpenSSH release, call for testing.
Message-ID: <411B76C8.6000208@zip.com.au>

Hi All.
OpenSSH is getting ready for a release soon, so we are asking for all interested parties to test a snapshot.

Changes include:

* sshd will now re-exec itself for each new connection (the "-e" option is required when running sshd in debug mode).

* PAM password authentication has been (re)added.

* Interface improvements to sftp(1)

* Many bug fixes and improvements, for details see the ChangeLog and http://bugzilla.mindrot.org/show_bug.cgi?id=822

The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html

Portable snapshots are available at: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/ or one of its mirrors listed at http://www.openssh.com/portable.html#ftp

Please test! Running the regression tests supplied with Portable does not require installation and is simply:

$ ./configure && make tests

Testing on suitable non-production systems is also appreciated. Please send reports of success or failure to openssh-unix-dev.

Thanks,
-Daz.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From tsi at ualberta.ca Fri Aug 13 00:28:26 2004
From: tsi at ualberta.ca (Marc Aurele La France)
Date: Thu, 12 Aug 2004 08:28:26 -0600 (MDT)
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <411B76C8.6000208@zip.com.au>
Message-ID:

On Thu, 12 Aug 2004, Darren Tucker wrote:
> OpenSSH is getting ready for a release soon, so we are asking for all
> interested parties to test a snapshot.

Because of PAM password authentication, I've been running since the 29th the 20040728 snapshot on a cluster now in pre-production testing. I have no problems to report other than my need to look further into bug #52.

Thanks.

Marc.

+----------------------------------+-----------------------------------+
| Marc Aurele La France            | work:  1-780-492-9310             |
| Computing and Network Services   | fax:   1-780-492-1729             |
| 352 General Services Building    | email: tsi at ualberta.ca         |
| University of Alberta            +-----------------------------------+
| Edmonton, Alberta                |                                   |
| T6G 2H1                          |    Standard disclaimers apply     |
| CANADA                           |                                   |
+----------------------------------+-----------------------------------+
XFree86 developer and VP. ATI driver and X server internals.

From vinschen at redhat.com Fri Aug 13 02:22:52 2004
From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 12 Aug 2004 18:22:52 +0200 Subject: Pending OpenSSH release, call for testing. In-Reply-To: <411B76C8.6000208@zip.com.au> References: <411B76C8.6000208@zip.com.au> Message-ID: <20040812162252.GO1819@cygbert.vinschen.de> Hi Darren, On Aug 12 23:55, Darren Tucker wrote: > Hi All. > OpenSSH is getting ready for a release soon, so we are asking for > all interested parties to test a snapshot. there's a typo in bsd-misc.c, which creates a common symbol __progname even if the system provides one. That's a problem when linking on Cygwin, since in that case the linker creates the symbol instead of matching it against the dll exported symbol __imp____progname. Patch attached. The testsuite fails on Cygwin in the "pass multiple env, accept multiple env" test in envpass.sh. I don't know why since it's no problem to send env. variables usually. Corinna Index: openbsd-compat/bsd-misc.c =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-misc.c,v retrieving revision 1.23 diff -p -u -r1.23 bsd-misc.c --- openbsd-compat/bsd-misc.c 17 Jul 2004 04:07:42 -0000 1.23 +++ openbsd-compat/bsd-misc.c 12 Aug 2004 16:18:17 -0000 @@ -19,7 +19,7 @@ RCSID("$Id: bsd-misc.c,v 1.23 2004/07/17 04:07:42 dtucker Exp $"); -#ifndef HAVE__PROGNAME +#ifndef HAVE___PROGNAME char *__progname; #endif -- Corinna Vinschen Cygwin Co-Project Leader Red Hat, Inc. From deengert at anl.gov Fri Aug 13 02:37:29 2004 
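Review bot: the guard rename from `HAVE__PROGNAME` to `HAVE___PROGNAME` is the entire fix and matches the symptom described (a macro that is never defined leaves `char *__progname;` unconditionally compiled in, so the common symbol is always emitted); before committing, grep the tree for any remaining `HAVE__PROGNAME` spelling so no other file keeps the unconditional definition, and confirm that the configure test for the system `__progname` is what defines the three-underscore form, since the hunk only helps if that macro is actually set on systems that provide the symbol.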
From: deengert at anl.gov (Douglas E. Engert) Date: Thu, 12 Aug 2004 11:37:29 -0500 Subject: Pending OpenSSH release, call for testing. In-Reply-To: <411B76C8.6000208@zip.com.au> References: <411B76C8.6000208@zip.com.au> Message-ID: <411B9CC9.4030902@anl.gov> Darren Tucker wrote: > Hi All. > OpenSSH is getting ready for a release soon, so we are asking for > all interested parties to test a snapshot. Appears to work on Solaris 9 with GSSAPI using MIT krb5-1.3.2. > > Changes include: > > * sshd will now re-exec itself for each new connection (the "-e" option > is required when running sshd in debug mode). > > * PAM password authentication has been (re)added. > > * Interface improvements to sftp(1) > > * Many bug fixes and improvements, for details see the ChangeLog and > http://bugzilla.mindrot.org/show_bug.cgi?id=822 > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable snapshots are available at: > ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/ > or one of its mirrors listed at http://www.openssh.com/portable.html#ftp > > Please test! Running the regression tests supplied with Portable > does not require installation and is a simply: > $ ./configure && make tests > > Testing on suitable non-production systems is also appreciated. > Please send reports of success or failure to openssh-unix-dev. > > Thanks, > -Daz. > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From dtucker at zip.com.au Fri Aug 13 18:41:11 2004 
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 13 Aug 2004 18:41:11 +1000
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <20040812162252.GO1819@cygbert.vinschen.de>
References: <411B76C8.6000208@zip.com.au> <20040812162252.GO1819@cygbert.vinschen.de>
Message-ID: <411C7EA7.2010303@zip.com.au>

Corinna Vinschen wrote:
> there's a typo in bsd-misc.c, which creates a common symbol __progname
> even if the system provides one. That's a problem when linking on Cygwin,
> since in that case the linker creates the symbol instead of matching it
> against the dll exported symbol __imp____progname. Patch attached.

Applied, thanks.

> The testsuite fails on Cygwin in the "pass multiple env, accept multiple env"
> test in envpass.sh. I don't know why since it's no problem to send
> env. variables usually.

Not sure about that one. Will investigate if I get a chance.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Fri Aug 13 19:45:13 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 13 Aug 2004 19:45:13 +1000
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <20040812162252.GO1819@cygbert.vinschen.de>
References: <411B76C8.6000208@zip.com.au> <20040812162252.GO1819@cygbert.vinschen.de>
Message-ID: <411C8DA9.1010100@zip.com.au>

Corinna Vinschen wrote:
> The testsuite fails on Cygwin in the "pass multiple env, accept multiple env"
> test in envpass.sh. I don't know why since it's no problem to send
> env. variables usually.

I took a quick look. The failure is a little earlier at "test environment passing: pass env, don't accept". It looks like a false alarm, but I'm not sure what to do other than skip this test on Cygwin.

$ make tests LTESTS=envpass
[...]
run test envpass.sh ...
test environment passing: pass env, don't accept
environment found
test environment passing: don't pass env, accept
test environment passing: pass single env, accept single env
test environment passing: pass multiple env, accept multiple env
failed environment passing

This appears to be due to this fragment of session.c:

#ifdef HAVE_CYGWIN
	/*
	 * The Windows environment contains some setting which are
	 * important for a running system. They must not be dropped.
	 */
	copy_environment(environ, &env, &envsize);
#endif

The test environment (_XXX*) variables are set in the shell and get inherited by ssh, then by sshd (which is run by ssh as a proxycommand). On most platforms, only selected environment variables are copied, but on Cygwin all are, including the _XXX ones. They are not accepted by sshd but are nonetheless present in the shell sshd runs and thus the test fails.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From djm at mindrot.org Fri Aug 13 20:18:36 2004
From: djm at mindrot.org (Damien Miller)
Date: Fri, 13 Aug 2004 20:18:36 +1000
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <411C8DA9.1010100@zip.com.au>
References: <411B76C8.6000208@zip.com.au> <20040812162252.GO1819@cygbert.vinschen.de> <411C8DA9.1010100@zip.com.au>
Message-ID: <411C957C.8090401@mindrot.org>

Darren Tucker wrote:
> Corinna Vinschen wrote:
>
>>The testsuite fails on Cygwin in the "pass multiple env, accept multiple env"
>>test in envpass.sh. I don't know why since it's no problem to send
>>env. variables usually.
>
>
> I took a quick look. The failure is a little earlier at "test
> environment passing: pass env, don't accept". It looks like a false
> alarm, but I'm not sure what to do other than skip this test on Cygwin.
>
> $ make tests LTESTS=envpass
> [...]
> run test envpass.sh ...
> test environment passing: pass env, don't accept
> environment found
> test environment passing: don't pass env, accept
> test environment passing: pass single env, accept single env
> test environment passing: pass multiple env, accept multiple env
> failed environment passing
>
> This appears to be due to this fragment of session.c:
>
> #ifdef HAVE_CYGWIN
> /*
> * The Windows environment contains some setting which are
> * important for a running system. They must not be dropped.
> */
> copy_environment(environ, &env, &envsize);

I'd really like to see this restricted to copy just the environment variables that are needed.

-d

From wknox at mitre.org Fri Aug 13 22:12:07 2004
From: wknox at mitre.org (William R. Knox)
Date: Fri, 13 Aug 2004 08:12:07 -0400 (EDT)
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <411B76C8.6000208@zip.com.au>
References: <411B76C8.6000208@zip.com.au>
Message-ID:

Passes all tests on Solaris 8, including the ability to reset expired passwords both with UsePAM on and off. One oddity in the configure was the following message:

checking sys/ptms.h usability... no
checking sys/ptms.h presence... yes
configure: WARNING: sys/ptms.h: present but cannot be compiled
configure: WARNING: sys/ptms.h: check for missing prerequisite headers?
configure: WARNING: sys/ptms.h: see the Autoconf documentation
configure: WARNING: sys/ptms.h: section "Present But Cannot Be Compiled"
configure: WARNING: sys/ptms.h: proceeding with the preprocessor's result
configure: WARNING: sys/ptms.h: in the future, the compiler will take precedence
configure: WARNING: ## ------------------------------------------ ##
configure: WARNING: ## Report this to the AC_PACKAGE_NAME lists. ##
configure: WARNING: ## ------------------------------------------ ##
checking for sys/ptms.h... yes

Built with the following options:

OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
(If PATH is set in /etc/default/login it will be used instead. If
used, ensure the path to scp is present, otherwise scp will not work.)
Manpage format: man
PAM support: yes
KerberosV support: no
Smartcard support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: OpenSSL internal ONLY

Host: sparc-sun-solaris2.8
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags:
Linker flags:
Libraries: -lwrap -lpam -ldl -lresolv -lcrypto -lrt -lz -lsocket -lnsl

SVR4 style packages are supported with "make package"\n
PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory

WARNING: the operating system that you are using does not
appear to support either the getpeereid() API nor the
SO_PEERCRED getsockopt() option. These facilities are used to
enforce security checks to prevent unauthorised connections to
ssh-agent. Their absence increases the risk that a malicious
user can connect to your agent.

Bill Knox
Lead Operating Systems Programmer/Analyst
The MITRE Corporation

On Thu, 12 Aug 2004, Darren Tucker wrote:

> Date: Thu, 12 Aug 2004 23:55:20 +1000
> From: Darren Tucker > To: openssh-unix-dev at mindrot.org > Subject: Pending OpenSSH release, call for testing. > > Hi All. > OpenSSH is getting ready for a release soon, so we are asking for all > interested parties to test a snapshot. > > Changes include: > > * sshd will now re-exec itself for each new connection (the "-e" option > is required when running sshd in debug mode). > > * PAM password authentication has been (re)added. > > * Interface improvements to sftp(1) > > * Many bug fixes and improvements, for details see the ChangeLog and > http://bugzilla.mindrot.org/show_bug.cgi?id=822 > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable snapshots are available at: > ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/ > or one of its mirrors listed at http://www.openssh.com/portable.html#ftp > > Please test! Running the regression tests supplied with Portable does > not require installation and is a simply: > $ ./configure && make tests > > Testing on suitable non-production systems is also appreciated. Please > send reports of success or failure to openssh-unix-dev. > > Thanks, > -Daz. > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From vinschen at redhat.com Fri Aug 13 22:45:20 2004 
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 13 Aug 2004 14:45:20 +0200 Subject: [PATCH] Only copy basic Windows environment (was Re: Pending OpenSSH release, call for testing.) In-Reply-To: <411C957C.8090401@mindrot.org> References: <411B76C8.6000208@zip.com.au> <20040812162252.GO1819@cygbert.vinschen.de> <411C8DA9.1010100@zip.com.au> <411C957C.8090401@mindrot.org> Message-ID: <20040813124520.GV1819@cygbert.vinschen.de> On Aug 13 20:18, Damien Miller wrote: > Darren Tucker wrote: > > This appears to be due to this fragment of session.c: > > > > #ifdef HAVE_CYGWIN > > /* > > * The Windows environment contains some setting which are > > * important for a running system. They must not be dropped. > > */ > > copy_environment(environ, &env, &envsize); > > I'd really like to see this restricted to copy just the environment > variables that are needed. Like this? Index: session.c =================================================================== RCS file: /cvs/openssh_cvs/session.c,v retrieving revision 1.287 diff -p -u -r1.287 session.c --- session.c 12 Aug 2004 12:40:25 -0000 1.287 +++ session.c 13 Aug 2004 12:41:28 -0000 @@ -979,7 +979,13 @@ do_setup_env(Session *s, const char *she * The Windows environment contains some setting which are * important for a running system. They must not be dropped. */ - copy_environment(environ, &env, &envsize); + { + char **p; + + p = fetch_windows_environment(); + copy_environment(p, &env, &envsize); + free_windows_environment(p); + } #endif #ifdef GSSAPI Index: openbsd-compat/bsd-cygwin_util.c =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-cygwin_util.c,v retrieving revision 1.12 diff -p -u -r1.12 bsd-cygwin_util.c --- openbsd-compat/bsd-cygwin_util.c 18 Apr 2004 11:15:45 -0000 1.12 +++ openbsd-compat/bsd-cygwin_util.c 13 Aug 2004 12:41:28 -0000 
@@ -38,6 +38,7 @@ RCSID("$Id: bsd-cygwin_util.c,v 1.12 200 #include #include #include +#include "xmalloc.h" #define is_winnt (GetVersion() < 0x80000000) #define ntsec_on(c) ((c) && strstr((c),"ntsec") && !strstr((c),"nontsec")) @@ -96,7 +97,6 @@ has_capability(int what) */ if (!inited) { struct utsname uts; - char *c; if (!uname(&uts)) { int major_high = 0, major_low = 0, minor = 0; @@ -234,6 +234,59 @@ register_9x_service(void) GetProcAddress(kerneldll, "RegisterServiceProcess"))) return; RegisterServiceProcess(0, 1); +} + +#define NL(x) x, (sizeof (x) - 1) +#define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0])) + +static struct wenv { + const char *name; + size_t namelen; +} wenv_arr[] = { + { NL("ALLUSERSPROFILE=") }, + { NL("COMMONPROGRAMFILES=") }, + { NL("COMPUTERNAME=") }, + { NL("COMSPEC=") }, + { NL("NUMBER_OF_PROCESSORS=") }, + { NL("OS=") }, + { NL("PATH=") }, + { NL("PATHEXT=") }, + { NL("PROCESSOR_ARCHITECTURE=") }, + { NL("PROCESSOR_IDENTIFIER=") }, + { NL("PROCESSOR_LEVEL=") }, + { NL("PROCESSOR_REVISION=") }, + { NL("PROGRAMFILES=") }, + { NL("SYSTEMDRIVE=") }, + { NL("SYSTEMROOT=") }, + { NL("TMP=") }, + { NL("TEMP=") }, + { NL("WINDIR=") }, +}; + +char ** +fetch_windows_environment(void) +{ + char **e, **p; + int i, idx = 0; + + p = xmalloc(WENV_SIZ * sizeof(char *)); + p[idx] = NULL; + for (e = environ; *e; ++e) { + for (i = 0; i < WENV_SIZ; ++i) { + if (!strncmp(*e, wenv_arr[i].name, + wenv_arr[i].namelen)) { + p[idx] = *e; + p[++idx] = NULL; + } + } + } + return p; +} + +void +free_windows_environment(char **p) +{ + xfree(p); } #endif /* HAVE_CYGWIN */ Index: openbsd-compat/bsd-cygwin_util.h =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-cygwin_util.h,v retrieving revision 1.10 diff -p -u -r1.10 bsd-cygwin_util.h --- openbsd-compat/bsd-cygwin_util.h 7 Aug 2003 06:28:16 -0000 1.10 +++ openbsd-compat/bsd-cygwin_util.h 13 Aug 2004 12:41:28 -0000 
@@ -46,6 +46,8 @@ int binary_pipe(int fd[2]); int check_nt_auth(int, struct passwd *); int check_ntsec(const char *); void register_9x_service(void); +char **fetch_windows_environment(void); +void free_windows_environment(char **); #define open binary_open #define pipe binary_pipe

Corinna

-- 
Corinna Vinschen
Cygwin Co-Project Leader
Red Hat, Inc.

From mlambert at csc.com Sat Aug 14 00:07:31 2004
From: mlambert at csc.com (Mike Lambertson)
Date: Fri, 13 Aug 2004 10:07:31 -0400
Subject: Problem with OpenSSH 3.7.1p2
Message-ID:

Darren

Yep, it was SSL. By reading the history file and "rpm -q openssl", I discovered that the person doing the OpenSSH install also did an install of OpenSSL (required due to dependencies). But the version of OpenSSL was *earlier* than the one already on my system - version 0.9.6-k27 versus 0.9.7a-20.2. The old version of SSH and SSL were restored and the system is running fine again. Next I have to try the new SSH with my current SSL.

Thanks for your help.

Mike

From admorten at umich.edu Sat Aug 14 00:19:34 2004
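Review bot: in the `fetch_windows_environment()` hunk the result array is allocated one slot short: `p = xmalloc(WENV_SIZ * sizeof(char *));` holds exactly WENV_SIZ pointers, but the loop stores a match with `p[idx] = *e;` and then writes the terminator with `p[++idx] = NULL;`, so when all WENV_SIZ listed variables are present, or any one of them occurs twice in `environ`, the terminating NULL (and the duplicate) lands past the end of the allocation. Allocate `WENV_SIZ + 1` pointers, and skip names that have already been taken so a duplicated variable cannot raise `idx` above WENV_SIZ (a `break` after the match also saves the remaining comparisons). Since the stored pointers alias `environ`, `free_windows_environment()` releasing only the array is correct as far as these lines show.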
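Review bot: the `- char *c;` removal in the `has_capability()` hunk of bsd-cygwin_util.c is an unrelated unused-variable cleanup riding along with the environment-filtering feature; split it into its own commit so the feature patch stays a single change and the cleanup is not lost if the feature is reworked.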
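Review bot: in the session.c hunk the comment kept as context above the new block ("The Windows environment contains some setting which are important for a running system. They must not be dropped.") still describes copying the whole environment; reword it to say that only the variables returned by `fetch_windows_environment()` are copied, since the block now drops everything else by design.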
From: admorten at umich.edu (Andrew Mortensen)
Date: Fri, 13 Aug 2004 10:19:34 -0400
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <411B76C8.6000208@zip.com.au>
References: <411B76C8.6000208@zip.com.au>
Message-ID:

On Aug 12, 2004, at 9:55 AM, Darren Tucker wrote:
> Hi All.
> OpenSSH is getting ready for a release soon, so we are asking for all
> interested parties to test a snapshot.

All passed on Mac OS X 10.3.5, with the exception of agent-getpeereid (not supported), agent-ptrace (failed when SUDO is set). I did have the multiplex.sh (transfer) hang on me during my first run of make tests, but it went through without a hitch on the next pass.

andrew

From mouring at etoh.eviladmin.org Sat Aug 14 01:32:49 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 13 Aug 2004 10:32:49 -0500 (CDT)
Subject: Pending OpenSSH release, call for testing.
In-Reply-To:
Message-ID:

On Fri, 13 Aug 2004, Andrew Mortensen wrote:
> On Aug 12, 2004, at 9:55 AM, Darren Tucker wrote:
>
> > Hi All.
> > OpenSSH is getting ready for a release soon, so we are asking for all
> > interested parties to test a snapshot.
>
> All passed on Mac OS X 10.3.5, with the exception of agent-getpeereid
> (not supported), agent-ptrace (failed when SUDO is set). I did have the
> multiplex.sh (transfer) hang on me during my first run of make tests,
> but it went through without a hitch on the next pass.
>

The getpeereid is to be expected. I had sent a bug report, since they have manpages, but no API. The next release should have the API exposed I'm told.

As for agent-ptrace, I looked at it for a week before having to give up at the time for real work. I couldn't get a valid test case that acted the same (AIX, OS/X, Linux and OpenBSD). It's almost as if the 'chmod g+s' is being ignored and the OS is letting gdb attach to it. As a result, I'd been a bit leery on sending to Apple. I may just file one of the failure and leave it at that for the time being (hate doing that. I prefer only submitting solid debug information. Mainly when it is not their in-tree version also).

- Ben

From mouring at etoh.eviladmin.org Sat Aug 14 02:20:20 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 13 Aug 2004 11:20:20 -0500 (CDT)
Subject: [PATCH] Only copy basic Windows environment (was Re: Pending OpenSSH release, call for testing.)
In-Reply-To: <20040813124520.GV1819@cygbert.vinschen.de>
Message-ID:

On Fri, 13 Aug 2004, Corinna Vinschen wrote:
[..]
> +free_windows_environment(char **p)
> +{
> + xfree(p);
> }
>

Memory leak galore... please free each pointer on that pointer list.

- Ben

From vinschen at redhat.com Sat Aug 14 02:57:45 2004
From: vinschen at redhat.com (Corinna Vinschen)
Date: Fri, 13 Aug 2004 18:57:45 +0200
Subject: [PATCH] Only copy basic Windows environment (was Re: Pending OpenSSH release, call for testing.)
In-Reply-To:
References: <20040813124520.GV1819@cygbert.vinschen.de>
Message-ID: <20040813165745.GY1819@cygbert.vinschen.de>

On Aug 13 11:20, Ben Lindstrom wrote:
> On Fri, 13 Aug 2004, Corinna Vinschen wrote:
>
> [..]
> > +free_windows_environment(char **p)
> > +{
> > + xfree(p);
> > }
> >
>
> Memory leak galore... please free each pointer on that pointer list.

Nope. These pointers are pointers into the global environ array.

Corinna

-- 
Corinna Vinschen
Cygwin Co-Project Leader
Red Hat, Inc.

From cmadams at hiwaay.net Sat Aug 14 05:14:29 2004
From: cmadams at hiwaay.net (Chris Adams)
Date: Fri, 13 Aug 2004 14:14:29 -0500
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <411B76C8.6000208@zip.com.au>
References: <411B76C8.6000208@zip.com.au>
Message-ID: <20040813191429.GC1477567@hiwaay.net>

Once upon a time, Darren Tucker said:
> OpenSSH is getting ready for a release soon, so we are asking for
> all interested parties to test a snapshot.

The 2004-08-13 snapshot looks good on Tru64. For once, I tested it _before_ the release. :-)

-- 
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From metaform at bellsouth.net Sat Aug 14 09:05:27 2004
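The allow-list filter from the "[PATCH] Only copy basic Windows environment" thread above, rewritten as an added example (not OpenSSH's or Corinna's code) so that the terminating NULL always fits and a variable duplicated in the environment is taken once, then run against a constructed environment that includes the regress suite's `_XXX` variables. The variable names are the ones listed in the patch; the function names and the sample environment are my own.

```c
#include <stdlib.h>
#include <string.h>

/* Allow-list of Windows variables a Cygwin sshd must pass through (names
 * from the patch). Each ends in '=' so "PATH=" cannot match "PATHEXT=...". */
static const char *const wenv_names[] = {
	"ALLUSERSPROFILE=", "COMMONPROGRAMFILES=", "COMPUTERNAME=", "COMSPEC=",
	"NUMBER_OF_PROCESSORS=", "OS=", "PATH=", "PATHEXT=",
	"PROCESSOR_ARCHITECTURE=", "PROCESSOR_IDENTIFIER=", "PROCESSOR_LEVEL=",
	"PROCESSOR_REVISION=", "PROGRAMFILES=", "SYSTEMDRIVE=", "SYSTEMROOT=",
	"TMP=", "TEMP=", "WINDIR=",
};
#define WENV_SIZ (sizeof(wenv_names) / sizeof(wenv_names[0]))

/*
 * Hypothetical counterpart of the patch's fetch_windows_environment():
 * returns a NULL-terminated array of pointers into envp holding only the
 * allow-listed entries. The array has WENV_SIZ + 1 slots so the terminator
 * fits even when every listed variable is present, and each name is taken
 * at most once, so a variable repeated in envp cannot push n past
 * WENV_SIZ. Entries alias envp, so the caller frees only the array.
 */
char **
filter_windows_environment(char *const *envp)
{
	char **out = calloc(WENV_SIZ + 1, sizeof(char *));
	unsigned char taken[WENV_SIZ] = { 0 };
	size_t n = 0, i;

	if (out == NULL)
		return NULL;
	for (; *envp != NULL; envp++) {
		for (i = 0; i < WENV_SIZ; i++) {
			if (taken[i])
				continue;
			if (strncmp(*envp, wenv_names[i],
			    strlen(wenv_names[i])) == 0) {
				taken[i] = 1;
				out[n++] = *envp;
				break;
			}
		}
	}
	out[n] = NULL;	/* n <= WENV_SIZ, so this stays inside the allocation */
	return out;
}

size_t
env_count(char *const *envp)
{
	size_t n = 0;

	while (envp[n] != NULL)
		n++;
	return n;
}

/* Constructed sample: what sshd inherits when the regress suite's ssh runs
 * it as a proxy command, including the _XXX test variables, a repeated OS=
 * and a PATHEXT= that must not be mistaken for PATH=. */
static char *const sample_environ[] = {
	"_XXX_TEST=1", "PATH=/usr/bin:/bin", "PATHEXT=.COM;.EXE",
	"OS=Windows_NT", "OS=duplicate", "SYSTEMROOT=C:\\WINDOWS",
	"_XXX_TEST2=2", "HOME=/home/test", NULL,
};

/* Entries of the sample that survive: PATH, PATHEXT, first OS, SYSTEMROOT. */
size_t
filter_sample_count(void)
{
	char **out = filter_windows_environment(sample_environ);
	size_t n = out == NULL ? 0 : env_count(out);

	free(out);
	return n;
}

/* 1 if exactly this string survives filtering of the sample, else 0. */
int
filter_sample_has(const char *entry)
{
	char **out = filter_windows_environment(sample_environ);
	int found = 0;
	size_t i;

	for (i = 0; out != NULL && out[i] != NULL; i++)
		if (strcmp(out[i], entry) == 0)
			found = 1;
	free(out);
	return found;
}

/* Edge case behind the off-by-one: every listed variable present. Returns
 * the surviving count, which equals WENV_SIZ with the terminator in bounds. */
size_t
filter_full_set_count(void)
{
	char *full[WENV_SIZ + 1];
	char **out;
	size_t i, n;

	for (i = 0; i < WENV_SIZ; i++)
		full[i] = (char *)wenv_names[i];	/* empty values suffice */
	full[WENV_SIZ] = NULL;
	out = filter_windows_environment(full);
	n = out == NULL ? 0 : env_count(out);
	free(out);
	return n;
}
```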
From: metaform at bellsouth.net (Metaform Solutions, Inc.)
Date: Fri, 13 Aug 2004 19:05:27 -0400
Subject: OpenSSH and passphrase query
Message-ID: <411D4937.4010708@bellsouth.net>

I would like to propose to the developers to have OpenSSH, upon return of the passphrase query, have the hostname of the system it was running on appear before the passphrase query. This would help those that use IBM's dsh command, as it is a parallel command, the output of which comes from any system in no particular order. Adding this would help to know which system the query is coming from.

Thanks,

Scott Gruber
Metaform Solutions, Inc.

From dtucker at zip.com.au Sun Aug 15 14:10:09 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 15 Aug 2004 14:10:09 +1000
Subject: Pending OpenSSH release, call for testing.
In-Reply-To:
References: <411B76C8.6000208@zip.com.au>
Message-ID: <411EE221.5010100@zip.com.au>

William R. Knox wrote:
> Passes all tests on Solaris 8, including the ability to reset expired
> passwords both with UsePAM on and off. One oddity in the configure
> was the following message:
>
> checking sys/ptms.h usability... no
> checking sys/ptms.h presence... yes
> configure: WARNING: sys/ptms.h: present but cannot be compiled
> configure: WARNING: sys/ptms.h: check for missing prerequisite headers?
> configure: WARNING: sys/ptms.h: see the Autoconf documentation
> configure: WARNING: sys/ptms.h: section "Present But Cannot Be Compiled"
> configure: WARNING: sys/ptms.h: proceeding with the preprocessor's result
> configure: WARNING: sys/ptms.h: in the future, the compiler will take precedence
> configure: WARNING: ## ------------------------------------------ ##
> configure: WARNING: ## Report this to the AC_PACKAGE_NAME lists. ##
> configure: WARNING: ## ------------------------------------------ ##
> checking for sys/ptms.h... yes

OK, this is because sys/ptms.h requires sys/streams.h to be included first (for the definition of queue_t). The attached patch fixes it (and sets the bug-list macro so the warning has the right address on it too).

You will need to run "autoconf" to rebuild configure if you try this patch.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-configure-ptms_h.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040815/75152a4a/attachment.ksh

From jason at devrandom.org Sun Aug 15 14:34:03 2004
From: jason at devrandom.org (Jason McCormick)
Date: Sun, 15 Aug 2004 00:34:03 -0400
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <411B76C8.6000208@zip.com.au>
References: <411B76C8.6000208@zip.com.au>
Message-ID: <200408150034.03914.jason@devrandom.org>

> OpenSSH is getting ready for a release soon, so we are asking for
> all interested parties to test a snapshot.

Regression testing still does not complete successfully on Gentoo (current ~x86 build):

run test dynamic-forward.sh ...
Waiting for forwarded connections to terminate...
The following connections are open:
  #1 direct-tcpip: listening port 4243 for localhost port 4242, connect from 127.0.0.1 port 33749 (t4 r2 i0/0 o3/0 fd 10/10 cfd -1)
FATAL: Unable to connect to relay host, errno=111
ssh_exchange_identification: Connection closed by remote host
cmp: EOF on /home/jason/code/openssh/regress/ls.copy
corrupted copy of /bin/ls
FATAL: Unable to connect to relay host, errno=111
ssh_exchange_identification: Connection closed by remote host
cmp: EOF on /home/jason/code/openssh/regress/ls.copy
corrupted copy of /bin/ls
FATAL: Unable to connect to relay host, errno=111
ssh_exchange_identification: Connection closed by remote host
cmp: EOF on /home/jason/code/openssh/regress/ls.copy
corrupted copy of /bin/ls
FATAL: Unable to connect to relay host, errno=111
ssh_exchange_identification: Connection closed by remote host
cmp: EOF on /home/jason/code/openssh/regress/ls.copy
corrupted copy of /bin/ls
failed dynamic forwarding
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory `/home/jason/code/openssh/regress'
make: *** [tests] Error 2

I traded some e-mails with Darren about this for 3.8 but we never came up with a solution other than it seemed to have something to do with connect. Normally everyday usage doesn't seem to be affected. Anyone else out there with Gentoo able to complete 'make tests' to rule out my box being crazy?
-- Jason McCormick jason at devrandom.org GPG Key ID: 96D6CF63 From dtucker at zip.com.au Sun Aug 15 14:47:19 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 15 Aug 2004 14:47:19 +1000 Subject: Pending OpenSSH release, call for testing. In-Reply-To: <200408150034.03914.jason@devrandom.org> References: <411B76C8.6000208@zip.com.au> <200408150034.03914.jason@devrandom.org> Message-ID: <411EEAD7.6070803@zip.com.au> Jason McCormick wrote: > Regression testing still does not completely successfully on Gentoo > (current ~x86 build): > > run test dynamic-forward.sh ... > Waiting for forwarded connections to terminate... > The following connections are open: > #1 direct-tcpip: listening port 4243 for localhost port 4242, connect > from 127.0.0.1 port 33749 (t4 r2 i0/0 o3/0 fd 10/10 cfd -1) > FATAL: Unable to connect to relay host, errno=111 To save anyone else from looking it up: errno 111 == ECONNREFUSED > I traded some e-mails with Darren about this for 3.8 but we never came > up with a solution other than it seemed to have something to do with > connect. Normaly everyday usage doesn't seem to be affected. Anyone > else out there with Gentoo able to complete 'make tests' to rule out my > box being crazy? If you run a port forward normally from the command line and do and lsof on ssh's pid what port is in listening on? Ditto for sshd with remote forwarding. Other wild guesses: do you have a loopback interface and is it up? What does "localhost" resolve to? Maybe it's a IPv6 vs. IPv4 thing? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Sun Aug 15 15:02:36 2004 
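Darren's checklist above (errno 111 is ECONNREFUSED, check what "localhost" resolves to, and whether the forward is an IPv6 vs. IPv4 mismatch) as a small loopback diagnostic. This is an added example written for this archive, not code from the thread or from OpenSSH; the listener it probes is constructed locally by the demo helper, and the function names are my own.

```python
import errno
import socket
from contextlib import closing

# Added example for the diagnosis in Darren's reply: translate the raw
# errno, see which addresses a name resolves to, and probe each address
# family separately, because a forward that listens on one loopback
# family is refused when the client tries the other one first.
# Illustration only; not OpenSSH code.  Helper names are assumptions.


def probe(host, port, family=socket.AF_UNSPEC):
    """One TCP connect attempt; returns 0 on success, otherwise an errno."""
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        # No address of that family (e.g. IPv6 addresses of 127.0.0.1).
        return errno.EAFNOSUPPORT
    last = errno.EAFNOSUPPORT
    for af, typ, proto, _canon, addr in infos:
        with closing(socket.socket(af, typ, proto)) as s:
            s.settimeout(2.0)
            try:
                s.connect(addr)
                return 0
            except socket.timeout:
                last = errno.ETIMEDOUT
            except OSError as e:
                last = e.errno if e.errno is not None else errno.ECONNREFUSED
    return last


def probe_name(host, port, family=socket.AF_UNSPEC):
    """Like probe() but spelled out: 'OK', or e.g. 'ECONNREFUSED' for errno 111 on Linux."""
    code = probe(host, port, family)
    return "OK" if code == 0 else errno.errorcode.get(code, str(code))


def resolve(name):
    """What does a name resolve to?  Returns [(family, address), ...] without duplicates."""
    seen = []
    for af, _t, _p, _c, addr in socket.getaddrinfo(name, None, socket.AF_UNSPEC, socket.SOCK_STREAM):
        pair = ("IPv6" if af == socket.AF_INET6 else "IPv4", addr[0])
        if pair not in seen:
            seen.append(pair)
    return seen


def diagnose(host, port):
    """Verdict for a forwarded port, probing IPv4 and IPv6 separately."""
    results = {
        "IPv4": probe(host, port, socket.AF_INET),
        "IPv6": probe(host, port, socket.AF_INET6),
    }
    ok = [fam for fam, code in results.items() if code == 0]
    refused = [fam for fam, code in results.items() if code == errno.ECONNREFUSED]
    if len(ok) == 2:
        return "reachable over IPv4 and IPv6"
    if len(ok) == 1:
        # A client that tries the other family first sees ECONNREFUSED.
        return "listening on %s only" % ok[0]
    if refused:
        return "ECONNREFUSED on %s: no listener (or a packet filter rejects it)" % "/".join(refused)
    return "unreachable: " + ", ".join(
        "%s=%s" % (fam, errno.errorcode.get(code, str(code))) for fam, code in results.items())


def listen_on_loopback(host="127.0.0.1"):
    """Demo helper (constructed): an IPv4-only loopback listener on an ephemeral port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(5)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    srv, port = listen_on_loopback()
    print("localhost resolves to:", resolve("localhost"))
    print("while listening:", diagnose("127.0.0.1", port), "/", diagnose("localhost", port))
    srv.close()
    print("after close:", probe_name("127.0.0.1", port), "/", diagnose("127.0.0.1", port))
```

Run against a real `ssh -L` or `-D` listener, `diagnose("localhost", 4243)` tells you in one line whether the refusal is a missing listener or a family mismatch; `resolve("localhost")` answers Darren's second question directly.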
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 15 Aug 2004 15:02:36 +1000
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <411EEAD7.6070803@zip.com.au>
References: <411B76C8.6000208@zip.com.au> <200408150034.03914.jason@devrandom.org> <411EEAD7.6070803@zip.com.au>
Message-ID: <411EEE6C.6070807@zip.com.au>

Darren Tucker wrote:
> Jason McCormick wrote:
>
>> Regression testing still does not complete successfully on Gentoo
>> (current ~x86 build):
>>
>> run test dynamic-forward.sh ...
>> Waiting for forwarded connections to terminate...
>> The following connections are open:
>> #1 direct-tcpip: listening port 4243 for localhost port 4242,
>> connect from 127.0.0.1 port 33749 (t4 r2 i0/0 o3/0 fd 10/10 cfd -1)
>> FATAL: Unable to connect to relay host, errno=111
>
> To save anyone else from looking it up: errno 111 == ECONNREFUSED
[...]
> Other wild guesses: do you have a loopback interface and is it up? What
> does "localhost" resolve to? Maybe it's an IPv6 vs. IPv4 thing?

Another guess: iptables rules?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
From: Robert.Dahlem at gmx.net (Robert Dahlem)
Date: Sun, 15 Aug 2004 16:02:35 +0200
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <411B76C8.6000208@zip.com.au>
Message-ID: <20040815140006.0E9BB27C187@shitei.mindrot.org>

On Thu, 12 Aug 2004 23:55:20 +1000, Darren Tucker wrote:
> OpenSSH is getting ready for a release soon, so we are asking for
> all interested parties to test a snapshot.
> Changes include:
> * PAM password authentication has been (re)added.

I tested this on Solaris 8/sparc with all current recommended patches. As
far as I can see everything works fine.

I'm currently in the process of implementing something like an intruder
lockout mechanism based on some hacking to pam_tally.so from Linux-PAM-0.77.
Please do not comment that this is an invitation to DOS attacks. I know it.
The suits won't understand and call it "a known risk".

I would expect any text to appear on the client terminal that the server
sends through the PAM conversation function with msg_type PAM_ERROR_MSG or
PAM_TEXT_INFO. Well, at least with telnet this works already. But who wants
telnet anyway? :-)

By some fiddling with debug() I can prove that the text sent by the PAM
module is seen by sshpam_passwd_conv() on the server side, but I can't see
that text on the client side. Can anyone please give me a pointer where to
look?

Regards,
Robert
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Sun, 15 Aug 2004 19:51:34 +0200
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <200408150034.03914.jason@devrandom.org>
References: <411B76C8.6000208@zip.com.au> <200408150034.03914.jason@devrandom.org>
Message-ID: <20040815175134.GB3578@foo.birdnet.se>

On Sun, Aug 15, 2004 at 12:34:03AM -0400, Jason McCormick wrote:
> Anyone else out there with Gentoo able to complete 'make tests' to
> rule out my box being crazy?

I also run Gentoo. First, autoreconf says: (but works)

autoheader-2.59: WARNING: Using auxiliary files such as `acconfig.h', `config.h.bot'
autoheader-2.59: WARNING: and `config.h.top', to define templates for `config.h.in'
autoheader-2.59: WARNING: is deprecated and discouraged.
autoheader-2.59:
autoheader-2.59: WARNING: Using the third argument of `AC_DEFINE' and
autoheader-2.59: WARNING: `AC_DEFINE_UNQUOTED' allows to define a template without
autoheader-2.59: WARNING: `acconfig.h':
autoheader-2.59:
autoheader-2.59: WARNING: AC_DEFINE([NEED_FUNC_MAIN], 1,
autoheader-2.59:          [Define if a function `main' is needed.])
autoheader-2.59:
autoheader-2.59: WARNING: More sophisticated templates can also be produced, see the
autoheader-2.59: WARNING: documentation.

..then, make tests fail on yes-head: (patch attached)

run test yes-head.sh ...
head: `-2000' option is obsolete; use `-n 2000'
Try `head --help' for more information.
yes|head returns 0 lines instead of 2000
head: `-2000' option is obsolete; use `-n 2000'
Try `head --help' for more information.
yes|head returns 0 lines instead of 2000
failed yes pipe head

..after I patch, dynamic-forward is skipped:

run test dynamic-forward.sh ...
skipped (no suitable ProxyCommand found)

..but make tests doesn't fail.
//Peter -------------- next part -------------- Index: yes-head.sh =================================================================== RCS file: /cvs/openssh/regress/yes-head.sh,v retrieving revision 1.3 diff -u -r1.3 yes-head.sh --- yes-head.sh 12 Sep 2003 20:21:14 -0000 1.3 +++ yes-head.sh 15 Aug 2004 17:44:24 -0000 @@ -4,7 +4,7 @@ tid="yes pipe head" for p in 1 2; do - lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | head -2000"' | (sleep 3 ; wc -l)` + lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | head -n 2000"' | (sleep 3 ; wc -l)` if [ $? -ne 0 ]; then fail "yes|head test failed" lines = 0; From djm at mindrot.org Mon Aug 16 09:52:08 2004 
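Review bot: the `-n 2000` change is the right fix (the POSIX 1003.1-2001 form; `-2000` is the obsolescent syntax), and since the pipeline runs on the far end under `sh -c`, it is the remote host's head that has to accept it, which `-n` guarantees on any conforming system. While in this hunk, the unchanged context line `lines = 0;` in the failure branch is not a shell assignment (sh runs a command named `lines` with arguments `=` and `0`); it should read `lines=0` so the subsequent comparison sees a number instead of the stale value.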
From: djm at mindrot.org (Damien Miller)
Date: Mon, 16 Aug 2004 09:52:08 +1000
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <20040815175134.GB3578@foo.birdnet.se>
References: <411B76C8.6000208@zip.com.au> <200408150034.03914.jason@devrandom.org> <20040815175134.GB3578@foo.birdnet.se>
Message-ID: <411FF728.2090607@mindrot.org>

Peter Stuge wrote:
> On Sun, Aug 15, 2004 at 12:34:03AM -0400, Jason McCormick wrote:
>
>> Anyone else out there with Gentoo able to complete 'make tests' to
>> rule out my box being crazy?
>
> I also run Gentoo. First, autoreconf says: (but works)
>
> autoheader-2.59: WARNING: Using auxiliary files such as `acconfig.h',
> `config.h.bot'
> autoheader-2.59: WARNING: and `config.h.top', to define templates for
> `config.h.in'
> autoheader-2.59: WARNING: is deprecated and discouraged.
> autoheader-2.59:
> autoheader-2.59: WARNING: Using the third argument of `AC_DEFINE' and
> autoheader-2.59: WARNING: `AC_DEFINE_UNQUOTED' allows to define a
> template without
> autoheader-2.59: WARNING: `acconfig.h':
> autoheader-2.59:
> autoheader-2.59: WARNING: AC_DEFINE([NEED_FUNC_MAIN], 1,
> autoheader-2.59:          [Define if a function `main' is needed.])
> autoheader-2.59:
> autoheader-2.59: WARNING: More sophisticated templates can also be
> produced, see the
> autoheader-2.59: WARNING: documentation.

These are harmless. If someone wants to volunteer to go through
configure.ac and convert all the AC_DEFINE{,_UNQUOTED} to the
autoconf-2.5x style, then we can get rid of these warnings sooner.

> run test yes-head.sh ...
> head: `-2000' option is obsolete; use `-n 2000'

That is just silly, did GNU deliberately break their head?

-d
From: djm at mindrot.org (Damien Miller) Date: Mon, 16 Aug 2004 10:20:45 +1000 Subject: [PATCH] Only copy basic Windows environment (was Re: Pending OpenSSH release, call for testing.) In-Reply-To: <20040813124520.GV1819@cygbert.vinschen.de> References: <411B76C8.6000208@zip.com.au> <20040812162252.GO1819@cygbert.vinschen.de> <411C8DA9.1010100@zip.com.au> <411C957C.8090401@mindrot.org> <20040813124520.GV1819@cygbert.vinschen.de> Message-ID: <411FFDDD.1020508@mindrot.org> Thanks. Could you create a bug for this in bugzilla and attach the patch? It is a bit to late for this release, but I don't want it to get lost. -d Corinna Vinschen wrote: > On Aug 13 20:18, Damien Miller wrote: > >>Darren Tucker wrote: >> >>>This appears to be due to this fragment of session.c: >>> >>>#ifdef HAVE_CYGWIN >>> /* >>> * The Windows environment contains some setting which are >>> * important for a running system. They must not be dropped. >>> */ >>> copy_environment(environ, &env, &envsize); >> >>I'd really like to see this restricted to copy just the environment >>variables that are needed. > > > Like this? > > Index: session.c > =================================================================== > RCS file: /cvs/openssh_cvs/session.c,v > retrieving revision 1.287 > diff -p -u -r1.287 session.c > --- session.c 12 Aug 2004 12:40:25 -0000 1.287 > +++ session.c 13 Aug 2004 12:41:28 -0000 
> @@ -979,7 +979,13 @@ do_setup_env(Session *s, const char *she > * The Windows environment contains some setting which are > * important for a running system. They must not be dropped. > */ > - copy_environment(environ, &env, &envsize); > + { > + char **p; > + > + p = fetch_windows_environment(); > + copy_environment(p, &env, &envsize); > + free_windows_environment(p); > + } > #endif > > #ifdef GSSAPI > Index: openbsd-compat/bsd-cygwin_util.c > =================================================================== > RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-cygwin_util.c,v > retrieving revision 1.12 > diff -p -u -r1.12 bsd-cygwin_util.c > --- openbsd-compat/bsd-cygwin_util.c 18 Apr 2004 11:15:45 -0000 1.12 > +++ openbsd-compat/bsd-cygwin_util.c 13 Aug 2004 12:41:28 -0000 > @@ -38,6 +38,7 @@ RCSID("$Id: bsd-cygwin_util.c,v 1.12 200 > #include > #include > #include > +#include "xmalloc.h" > #define is_winnt (GetVersion() < 0x80000000) > > #define ntsec_on(c) ((c) && strstr((c),"ntsec") && !strstr((c),"nontsec")) > @@ -96,7 +97,6 @@ has_capability(int what) > */ > if (!inited) { > struct utsname uts; > - char *c; > > if (!uname(&uts)) { > int major_high = 0, major_low = 0, minor = 0; 
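Review bot: the comment left in place above the new block in do_setup_env() still says the Windows environment "must not be dropped", but the replacement copies only the variables fetch_windows_environment() selects, so the comment now misdescribes the code; reword it to say that only a fixed list of system variables is passed through and that everything else is deliberately dropped. The removal of the unused `char *c` in has_capability() is fine.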
> @@ -234,6 +234,59 @@ register_9x_service(void) > GetProcAddress(kerneldll, "RegisterServiceProcess"))) > return; > RegisterServiceProcess(0, 1); > +} > + > +#define NL(x) x, (sizeof (x) - 1) > +#define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0])) > + > +static struct wenv { > + const char *name; > + size_t namelen; > +} wenv_arr[] = { > + { NL("ALLUSERSPROFILE=") }, > + { NL("COMMONPROGRAMFILES=") }, > + { NL("COMPUTERNAME=") }, > + { NL("COMSPEC=") }, > + { NL("NUMBER_OF_PROCESSORS=") }, > + { NL("OS=") }, > + { NL("PATH=") }, > + { NL("PATHEXT=") }, > + { NL("PROCESSOR_ARCHITECTURE=") }, > + { NL("PROCESSOR_IDENTIFIER=") }, > + { NL("PROCESSOR_LEVEL=") }, > + { NL("PROCESSOR_REVISION=") }, > + { NL("PROGRAMFILES=") }, > + { NL("SYSTEMDRIVE=") }, > + { NL("SYSTEMROOT=") }, > + { NL("TMP=") }, > + { NL("TEMP=") }, > + { NL("WINDIR=") }, > +}; > + > +char ** > +fetch_windows_environment(void) > +{ > + char **e, **p; > + int i, idx = 0; > + > + p = xmalloc(WENV_SIZ * sizeof(char *)); > + p[idx] = NULL; > + for (e = environ; *e; ++e) { > + for (i = 0; i < WENV_SIZ; ++i) { > + if (!strncmp(*e, wenv_arr[i].name, > + wenv_arr[i].namelen)) { > + p[idx] = *e; > + p[++idx] = NULL; > + } > + } > + } > + return p; > +} > + > +void > +free_windows_environment(char **p) > +{ > + xfree(p); > } > > #endif /* HAVE_CYGWIN */ > Index: openbsd-compat/bsd-cygwin_util.h > =================================================================== > RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-cygwin_util.h,v > retrieving revision 1.10 > diff -p -u -r1.10 bsd-cygwin_util.h > --- openbsd-compat/bsd-cygwin_util.h 7 Aug 2003 06:28:16 -0000 1.10 > +++ openbsd-compat/bsd-cygwin_util.h 13 Aug 2004 12:41:28 -0000 
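Review bot: fetch_windows_environment() can write one slot past the array it allocates: `p` gets `WENV_SIZ` entries, but after the `WENV_SIZ`th match the statement `p[++idx] = NULL` stores the terminator at `p[WENV_SIZ]`. Allocate `xmalloc((WENV_SIZ + 1) * sizeof(char *))`, and because nothing prevents environ from carrying the same name twice, either stop storing once `idx == WENV_SIZ` or `break` out of the inner loop after a match (the `break` also avoids comparing an already-matched string against the remaining prefixes). Minor: `i` is an `int` compared with the `size_t` expression `WENV_SIZ`; declare it `size_t` to keep the build warning-free.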
> @@ -46,6 +46,8 @@ int binary_pipe(int fd[2]); > int check_nt_auth(int, struct passwd *); > int check_ntsec(const char *); > void register_9x_service(void); > +char **fetch_windows_environment(void); > +void free_windows_environment(char **); > > #define open binary_open > #define pipe binary_pipe > > > Corinna > From jason at devrandom.org Mon Aug 16 12:31:43 2004 From: jason at devrandom.org (Jason McCormick) Date: Sun, 15 Aug 2004 22:31:43 -0400 Subject: Pending OpenSSH release, call for testing. In-Reply-To: <20040815175134.GB3578@foo.birdnet.se> References: <411B76C8.6000208@zip.com.au> <200408150034.03914.jason@devrandom.org> <20040815175134.GB3578@foo.birdnet.se> Message-ID: <200408152231.46530.jason@devrandom.org> > run test dynamic-forward.sh ... > skipped (no suitable ProxyCommand found) This is the test that fails on Gentoo. Can you get connect from http://www.taiyo.co.jp/~gotoh/ssh/connect.html and try it out? (The source is http://www.taiyo.co.jp/~gotoh/ssh/connect.c and is linked wrong from the page). Just compile it and put it in /usr/local/bin, rehash your path and see if 'make tests' completes. For the record, if I remove connect from the path, everything completes properly but I get the same warning you get as above about not being able to run dynamic-forward.sh. I'll try this test on my Fedora boxes tomorrow. -- Jason McCormick jason at devrandom.org GPG Key ID: 96D6CF63 From jason at devrandom.org Mon Aug 16 12:37:12 2004 
From: jason at devrandom.org (Jason McCormick)
Date: Sun, 15 Aug 2004 22:37:12 -0400
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <411FF728.2090607@mindrot.org>
References: <411B76C8.6000208@zip.com.au> <20040815175134.GB3578@foo.birdnet.se> <411FF728.2090607@mindrot.org>
Message-ID: <200408152237.13631.jason@devrandom.org>

> > run test yes-head.sh ...
> > head: `-2000' option is obsolete; use `-n 2000'
>
> That is just silly, did GNU deliberately break their head?

GNU's coreutils is trying to be POSIX 1003.1-2001 compliant. Supposedly the
standard doesn't allow this. Here's the blurb from the info page:

    On older systems, head supports an obsolete option -countoptions,
    which is recognized only if it is specified first. count is a
    decimal number optionally followed by a size letter (b, k, m) as in
    -c, or l to mean count by lines, or other option letters (cqv).
    POSIX 1003.1-2001 (see Standards conformance) does not allow this;
    use -c count or -n count instead.

The "see Standards conformance" references:
http://www.tug.org/texinfohtml/coreutils.html#Standards-conformance

I'll file a patch to use -n

-- 
Jason McCormick
jason at devrandom.org
GPG Key ID: 96D6CF63
From: clamat at telus.net (Matthew Clarke)
Date: Sun, 15 Aug 2004 21:12:38 -0700
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <200408152237.13631.jason@devrandom.org>
References: <411B76C8.6000208@zip.com.au> <20040815175134.GB3578@foo.birdnet.se> <411FF728.2090607@mindrot.org> <200408152237.13631.jason@devrandom.org>
Message-ID: <20040816041238.GA945@ds0.van.maves.ca>

On Sunday, 15 August 2004, Jason McCormick told us this:
> > > run test yes-head.sh ...
> > > head: `-2000' option is obsolete; use `-n 2000'
> >
> > That is just silly, did GNU deliberately break their head?
>
> GNU's coreutils is trying to be POSIX 1003.1-2001 compliant.
> Supposedly the standard doesn't allow this. Here's the blurb from the
> info page:
>
>     On older systems, head supports an obsolete option -countoptions,
>     which is recognized only if it is specified first. count is a
>     decimal number optionally followed by a size letter (b, k, m) as in
>     -c, or l to mean count by lines, or other option letters (cqv).
>     POSIX 1003.1-2001 (see Standards conformance) does not allow this;
>     use -c count or -n count instead.
>
> The "see Standards conformance" references:
> http://www.tug.org/texinfohtml/coreutils.html#Standards-conformance
>
> I'll file a patch to use -n

Most configure scripts need "sed"; you can always reduce the number of
external dependencies and side-step this issue by going farther back in
time and using:

    foo | sed '2000q'

instead of:

    foo | head -n 2000

Heh. This would even work on my AIX 2.2 boxes that don't have a "head"
command. (Not that OpenSSH runs on those anyway, for lots of other
reasons.)

Matt.
-- 
For a successful technology, reality must take precedence over public
relations, for nature cannot be fooled. -- Richard P. Feynman
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 16 Aug 2004 00:04:17 -0500 (CDT)
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <20040816041238.GA945@ds0.van.maves.ca>
Message-ID:

On Sun, 15 Aug 2004, Matthew Clarke wrote:
[..]
> Most configure scripts need "sed"; you can always reduce the number of
> external dependencies and side-step this issue by going farther back in
> time and using:
>
> foo | sed '2000q'
>

Then you run into the sed issues. Like Solaris' horrible line size limits
on their older version.

Kinda sucks that FSF had to break rank. I'm sure a lot of people are going
to run into this problem in the near future. Kinda like the whole crap
around 'nslookup' and the removal of '-' in Linux's 'ps' program. Stupid
things done for stupid reasons.

- Ben
From: Petr.Smetana at t-mobile.cz (Petr.Smetana at t-mobile.cz)
Date: Mon, 16 Aug 2004 09:58:42 +0200
Subject: openssh for windows - bug ?
Message-ID:

Good morning,

I would like to send you a bug with openssh for windows - versions

OpenSSH_3.7.1p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
OpenSSH_3.8.1p1, OPENSSL 0.9.7.d 17 Mar 2004

When I try to execute a remote command via ssh from unix machine to windows
machine with openssh installed, the return code of ssh is always 0 even if
remote command fails.

Example: ssh initiated from unix to windows (unix ssh version OpenSSH_3.4p1,
SSH protocols 1.5/2.0, OpenSSL 0x0090604f)

amd4 at hkmds1$ ssh bscsp at srvr15.rdm.cz \( /c/progra~1/openssh/bin/ls /d/f* \) ;echo $?
/c/progra~1/openssh/bin/ls: /d/f*: No such file or directory
0

Correct behaviour: (unix ssh version OpenSSH_3.4p1, SSH protocols 1.5/2.0,
OpenSSL 0x0090604f) ssh initiated from unix to unix:

amd4 at hkmds1$ ssh amd4 at amd ls /d/f* ;echo $?
/d/f* not found
2

Even if I use the same versions on both windows machines, the return codes
of executed commands are 0.

Regards
Petr Smetana

---------- Disclaimer ----------
The information contained within this e-mail is intended only for the person or entity to which it is addressed. The text or attachments may contain confidential information, information considered a trade secret by T-Mobile or, as the case may be, other information subject to protection under the relevant legal regulations. If you receive this e-mail by mistake, please refrain from copying, forwarding or disclosing the text or attachments to other persons, etc. Inform the sender of the mistaken delivery and delete the e-mail, including all attachments, from your computer.
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 16 Aug 2004 22:00:17 +1000
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <20040815140006.0E9BB27C187@shitei.mindrot.org>
References: <20040815140006.0E9BB27C187@shitei.mindrot.org>
Message-ID: <4120A1D1.7040909@zip.com.au>

Robert Dahlem wrote:
[...]
> I'm currently in the process of implementing something like an intruder
> lockout mechanism based on some hacking to pam_tally.so from Linux-PAM-0.77.
> Please do not comment that this is an invitation to DOS attacks. I
> know it. The suits won't understand and call it "a known risk".

Well, that seems to suggest whose accounts to test it on, does it not? :-)

> I would expect any text to appear on the client terminal that the server
> sends through the PAM conversation function with msg_type PAM_ERROR_MSG
> or PAM_TEXT_INFO. Well, at least with telnet this works already. But who
> wants telnet anyway? :-)
>
> By some fiddling with debug() I can prove that the text sent by the PAM
> module is seen by sshpam_passwd_conv() on the server side, but I can't
> see that text on the client side. Can anyone please give me a pointer
> where to look?

It's almost certainly not due to your module. This question came up on
secureshell at securityfocus too, this is a repost of my answer there:

[quote]
As soon as the PAM call completes, the keyboard-interactive machinery
considers the authentication attempt complete and no further
keyboard-interactive messages are sent for that round.

PAM ERROR_MSG and TEXT_INFO messages are collected and sent with the
prompts to the user. The upshot is any ERROR_MSG or TEXT_INFO messages
sent after PROMPT_ECHO* will not be displayed if the authentication fails.
If the authentication succeeds, the remaining messages are stored for
display to the user after login.

It would be possible within the protocol to have a final message in the
kbdint round with the message in the "instruction" field but zero prompts.
I don't know how hard that would be to implement. There's a couple of other
options (USERAUTH_BANNER, eg [1] or packet_disconnect).

[1] http://bugzilla.mindrot.org/show_bug.cgi?id=892
[/quote]

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From: vinschen at redhat.com (Corinna Vinschen)
Date: Mon, 16 Aug 2004 16:30:47 +0200
Subject: [PATCH] Only copy basic Windows environment (was Re: Pending OpenSSH release, call for testing.)
In-Reply-To: <411FFDDD.1020508@mindrot.org>
References: <411B76C8.6000208@zip.com.au> <20040812162252.GO1819@cygbert.vinschen.de> <411C8DA9.1010100@zip.com.au> <411C957C.8090401@mindrot.org> <20040813124520.GV1819@cygbert.vinschen.de> <411FFDDD.1020508@mindrot.org>
Message-ID: <20040816143047.GA1859@cygbert.vinschen.de>

On Aug 16 10:20, Damien Miller wrote:
> Thanks.
>
> Could you create a bug for this in bugzilla and attach the patch? It is
> a bit too late for this release, but I don't want it to get lost.

I can do that, but I don't quite understand why it is too late. It's just
a tiny patch and the next version isn't released yet.

Corinna

-- 
Corinna Vinschen
Cygwin Co-Project Leader
Red Hat, Inc.
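The batching behaviour Darren describes in his reposted answer (ERROR_MSG/TEXT_INFO collected and sent with the next prompt; whatever is still queued when the PAM call returns is dropped on failure or held for after login on success), modelled as an added Python example. This is an illustration written for this archive, not OpenSSH's sshpam_passwd_conv() or keyboard-interactive code; the class and function names and the module's message texts are constructed for the demo.

```python
from enum import Enum

# Added model of the keyboard-interactive/PAM interaction described in the
# thread.  Not OpenSSH code: the names below are assumptions made for this
# illustration and the PAM module it drives is constructed.


class Msg(Enum):
    PROMPT_ECHO_OFF = "PAM_PROMPT_ECHO_OFF"
    PROMPT_ECHO_ON = "PAM_PROMPT_ECHO_ON"
    ERROR_MSG = "PAM_ERROR_MSG"
    TEXT_INFO = "PAM_TEXT_INFO"


class KbdIntRound:
    """Server-side state for one keyboard-interactive authentication attempt."""

    def __init__(self, answers):
        self.answers = list(answers)   # what the client will answer, in order
        self.queued_text = []          # ERROR_MSG/TEXT_INFO waiting for a prompt
        self.info_requests = []        # (instruction, prompts) sent to the client
        self.after_login = []          # text held back for a successful login

    def conversation(self, pam_messages):
        """Stand-in for the PAM conv function during one pam_authenticate()."""
        responses = []
        for kind, text in pam_messages:
            if kind in (Msg.ERROR_MSG, Msg.TEXT_INFO):
                self.queued_text.append(text)   # collected, not sent yet
                continue
            # A prompt flushes the queue: the collected text travels in the
            # "instruction" field of the info request carrying this prompt.
            instruction = "\n".join(self.queued_text)
            self.queued_text = []
            self.info_requests.append((instruction, [text]))
            responses.append(self.answers.pop(0) if self.answers else "")
        return responses

    def finish(self, authenticated):
        """The PAM call returned: this round sends no further info requests."""
        leftover, self.queued_text = self.queued_text, []
        if authenticated:
            self.after_login.extend(leftover)   # displayed after login
            return []
        return leftover                          # lost: never reaches the client

    def client_saw(self):
        """Every non-empty instruction text the client received, in order."""
        return [instr for instr, _prompts in self.info_requests if instr]


def lockout_module_round(authenticated):
    """A pam_tally-style module (constructed): warn, prompt, then complain."""
    rnd = KbdIntRound(answers=["correct horse"])
    rnd.conversation([
        (Msg.TEXT_INFO, "2 failed logins since your last session"),
        (Msg.PROMPT_ECHO_OFF, "Password: "),
        (Msg.ERROR_MSG, "Too many failures; account locked"),
    ])
    lost = rnd.finish(authenticated)
    return {
        "client_saw": rnd.client_saw(),
        "after_login": rnd.after_login,
        "lost": lost,
    }


if __name__ == "__main__":
    for ok in (False, True):
        print("authenticated=%s ->" % ok, lockout_module_round(ok))
```

The failing case reproduces Robert's observation: the module's lockout text is seen by the server-side conversation function, but because it arrives after the password prompt and the attempt then fails, no info request is left to carry it. Only the TEXT_INFO queued before the prompt reaches the client.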
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Mon, 16 Aug 2004 18:32:28 +0200
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <200408152231.46530.jason@devrandom.org>
References: <411B76C8.6000208@zip.com.au> <200408150034.03914.jason@devrandom.org> <20040815175134.GB3578@foo.birdnet.se> <200408152231.46530.jason@devrandom.org>
Message-ID: <20040816163228.GA16935@foo.birdnet.se>

On Sun, Aug 15, 2004 at 10:31:43PM -0400, Jason McCormick wrote:
> > run test dynamic-forward.sh ...
> > skipped (no suitable ProxyCommand found)
>
> This is the test that fails on Gentoo. Can you get connect from
> http://www.taiyo.co.jp/~gotoh/ssh/connect.html and try it out? (The
> source is http://www.taiyo.co.jp/~gotoh/ssh/connect.c and is linked
> wrong from the page). Just compile it and put it in /usr/local/bin,
> rehash your path and see if 'make tests' completes.

run test dynamic-forward.sh ...
Waiting for forwarded connections to terminate...
The following connections are open:
  #1 direct-tcpip: listening port 4243 for localhost port 4242, connect from 127.0.0.1 port 33192 (t4 r2 i0/0 o0/0 fd 10/10 cfd -1)
ok dynamic forwarding
[..]
run test reexec.sh ...
test config passing
reexec tests: proto 1
reexec tests: proto 2
test reexec fallback
FATAL: no sshd running on port 4242
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory `/home/ossh/ossh_testing/openssh/regress'
make: *** [tests] Error 2

//Peter
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Mon, 16 Aug 2004 18:33:18 +0200
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <200408152237.13631.jason@devrandom.org>
References: <411B76C8.6000208@zip.com.au> <20040815175134.GB3578@foo.birdnet.se> <411FF728.2090607@mindrot.org> <200408152237.13631.jason@devrandom.org>
Message-ID: <20040816163318.GB16935@foo.birdnet.se>

On Sun, Aug 15, 2004 at 10:37:12PM -0400, Jason McCormick wrote:
> I'll file a patch to use -n

I attached one to the first mail. Should it go into bugzilla instead?

//Peter
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 16 Aug 2004 17:42:52 -0500
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <411B76C8.6000208@zip.com.au>
References: <411B76C8.6000208@zip.com.au>
Message-ID: <4121386C.4050800@anl.gov>

Darren Tucker wrote:
> Hi All.
> OpenSSH is getting ready for a release soon, so we are asking for
> all interested parties to test a snapshot.
>

The call to ssh_gssapi_krb5_storecreds() will call do_pam_putenv() to add
the KRB5CCNAME to the PAM environment. But this call is too late to be
useful for any PAM modules. The call to ssh_gssapi_storecreds needs to be
moved from the do_exec to the do_setusercontext before the call to
do_pam_session.

If this is done, I can remove the last of my local changes from OpenSSH.
This change was to call a routine to get an AFS PAG and token using the
Kerberos cache obtained by either GSSAPI, Krb5 or PAM. I have this working
as a PAM session routine on Solaris.

This would also mean that eventually the USE_AFS code could also be dropped
as this can be done by PAM. It also takes away the pressure of trying to
get OS vendors to compile OpenSSH with USE_AFS, thus making it easier to
use OpenSSH and OpenAFS using the vendor's supplied OpenSSH executables.

Attached is a modification to move the ssh_gssapi_storecreds call. I can
submit this as a bug if needed.

Thanks.

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: session.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040816/ad8b31b2/attachment.ksh
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 17 Aug 2004 13:06:57 +1000
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <20040816163228.GA16935@foo.birdnet.se>
References: <411B76C8.6000208@zip.com.au> <200408150034.03914.jason@devrandom.org> <20040815175134.GB3578@foo.birdnet.se> <200408152231.46530.jason@devrandom.org> <20040816163228.GA16935@foo.birdnet.se>
Message-ID: <41217651.9090108@zip.com.au>

Peter Stuge wrote:
> run test dynamic-forward.sh ...
> Waiting for forwarded connections to terminate...
> The following connections are open:
> #1 direct-tcpip: listening port 4243 for localhost port 4242,
> connect from 127.0.0.1 port 33192 (t4 r2 i0/0 o0/0 fd 10/10 cfd -1)
> ok dynamic forwarding

That's a harmless warning, it's just the result of ssh/ssh exiting
slightly before the command using the forwarding.

> run test reexec.sh ...
> test config passing
> reexec tests: proto 1
> reexec tests: proto 2
> test reexec fallback
> FATAL: no sshd running on port 4242
> make[1]: *** [t-exec] Error 1
> make[1]: Leaving directory `/home/ossh/ossh_testing/openssh/regress'
> make: *** [tests] Error 2

That's possibly a problem. What platform is it?

Can you try the approximate equivalent by starting sshd in debug mode,
deleting the sshd and trying to connect. This should work, but the test
above indicates it doesn't.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
From: jason at devrandom.org (Jason McCormick) Date: Mon, 16 Aug 2004 23:53:44 -0400 Subject: Pending OpenSSH release, call for testing. In-Reply-To: <20040816163228.GA16935@foo.birdnet.se> References: <411B76C8.6000208@zip.com.au> <200408152231.46530.jason@devrandom.org> <20040816163228.GA16935@foo.birdnet.se> Message-ID: <200408162353.44249.jason@devrandom.org> I believe I've found the cause of the failing tests in dynamic-foward.sh. Through a bunch of testing, I've discovered that the testing script wasn't giving the ssh forwarding command time to tear down from the protocol 1 tests after the -HUP to the process before trying to establish the protocol 2 tests. All of the protocol 1 tests always ran successfully and the collision occurred when the protocol 2 tests tried to start. The script found there was already an ssh running on port 4243, moved on and then died as soon as it tried to connect to it to run the tests since the listener on port 4243 was reaped by then. Adding a sleep step to the script always allows this to complete properly. Why this is different between Fedora and Gentoo I'm not sure. My one box is Gentoo running ~x86 and exhibits this problem. My Fedora box is Core 2 and does not exhibit this behavior. Both are Linux 2.6, GNU coreutils 5.2.1, gcc 3.3, etc.. . The only difference that comes to mind is that the FC2 box is a 400Mhz PIII vs 1.3Ghz Athlon. I've attached a patch to this post and will also file the patch to Bugzilla if there's no objections. It fixes the regression test on Gentoo and doesn't seem to break anything in Fedora. Thoughts? Peter can you try this patch? -- Jason McCormick jason at devrandom.org GPG Key ID: 96D6CF63 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: dynamic-forward.sh.patch Type: text/x-diff Size: 271 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040816/99fb106e/attachment.bin

From jason at devrandom.org Tue Aug 17 13:57:11 2004
From: jason at devrandom.org (Jason McCormick) Date: Mon, 16 Aug 2004 23:57:11 -0400 Subject: Pending OpenSSH release, call for testing. In-Reply-To: <41217651.9090108@zip.com.au> References: <411B76C8.6000208@zip.com.au> <20040816163228.GA16935@foo.birdnet.se> <41217651.9090108@zip.com.au> Message-ID: <200408162357.12286.jason@devrandom.org>

> That's possibly a problem. What platform is it?
>
> Can you try the approximate equivalent by starting sshd in debug
> mode, deleting the sshd and trying to connect? This should work, but
> the test above indicates it doesn't.

I wouldn't be surprised if it's a symptom of the problem(?) with Gentoo I just posted -- that the ssh listener on 4242 hasn't terminated by the time the next test is trying to start. Peter, try my patch and see if all your tests conclude.

-- Jason McCormick jason at devrandom.org GPG Key ID: 96D6CF63

From bob at proulx.com Tue Aug 17 15:23:18 2004
From: bob at proulx.com (Bob Proulx) Date: Mon, 16 Aug 2004 23:23:18 -0600 Subject: Pending OpenSSH release, call for testing. In-Reply-To: <200408152237.13631.jason@devrandom.org> References: <411B76C8.6000208@zip.com.au> <20040815175134.GB3578@foo.birdnet.se> <411FF728.2090607@mindrot.org> <200408152237.13631.jason@devrandom.org> Message-ID: <20040817052318.GA28377@misery.proulx.com>

Jason McCormick wrote:
> Damien Miller wrote:
> > > run test yes-head.sh ...
> > > head: `-2000' option is obsolete; use `-n 2000'
> >
> > That is just silly, did GNU deliberately break their head?

The -NUMBER format had been marked as obsolescent in POSIX 1003.2-1992. The later POSIX 1003.1-2001 no longer allows it even as an extension.

> GNU's coreutils is trying to comply with POSIX 1003.1-2001.
> Supposedly the standard doesn't allow this. Here's the blurb from the
> info page:
>
>     On older systems, head supports an obsolete option -countoptions,
>     which is recognized only if it is specified first. count is a
>     decimal number optionally followed by a size letter (b, k, m) as in
>     -c, or l to mean count by lines, or other option letters (cqv).
>     POSIX 1003.1-2001 (see Standards conformance) does not allow this;
>     use -c count or -n count instead.
>
> The "see Standards conformance" references:
> http://www.tug.org/texinfohtml/coreutils.html#Standards-conformance

The next paragraph is an important one:

    The GNU utilities normally conform to the version of POSIX that is
    standard for your system. To cause them to conform to a different
    version of POSIX, define the `_POSIX2_VERSION' environment variable
    to a value of the form YYYYMM specifying the year and month the
    standard was adopted. Two values are currently supported for
    `_POSIX2_VERSION': `199209' stands for POSIX 1003.2-1992, and
    `200112' stands for POSIX 1003.1-2001.

    For example, if you are running older software that assumes an older
    version of POSIX and uses `sort +1', `head -1', or `tail +1', you can
    work around the compatibility problems by setting
    `_POSIX2_VERSION=199209' in your environment.

Basically if libc defines _POSIX2_VERSION to be 200112 then conformance to that standard is defined. If _POSIX2_VERSION is defined to be 199209 then conformance to that standard is defined.

    cd /usr/include
    grep _POSIX2_VERSION *.h
    unistd.h:#define _POSIX2_VERSION 200112L

So on my system the defined standards level is 200112 and in that standard -NUMBER is not allowed. I could refuse the 1003.1-2001 standard, set that define to 199209 and then recompile my system. That would keep the old behavior. I can also override that with an environment variable to override the compiled in system default on a process basis.

But whether you love them or hate them conformance to standards is important. I choose to conform. Basically you get whatever behavior you want and specify. This is not a GNU thing but a POSIX standards conformance thing. If you want POSIX 1003.2-1992 behavior then define that for your system. You get to choose.

Bob

From gert at greenie.muc.de Tue Aug 17 18:11:45 2004
From: gert at greenie.muc.de (Gert Doering) Date: Tue, 17 Aug 2004 10:11:45 +0200 Subject: Pending OpenSSH release, call for testing. In-Reply-To: <20040817052318.GA28377@misery.proulx.com>; from bob@proulx.com on Mon, Aug 16, 2004 at 11:23:18PM -0600 References: <411B76C8.6000208@zip.com.au> <20040815175134.GB3578@foo.birdnet.se> <411FF728.2090607@mindrot.org> <200408152237.13631.jason@devrandom.org> <20040817052318.GA28377@misery.proulx.com> Message-ID: <20040817101145.U17247@greenie.muc.de>

Hi,

On Mon, Aug 16, 2004 at 11:23:18PM -0600, Bob Proulx wrote:
> But whether you love them or hate them conformance to standards is
> important. I choose to conform. Basically you get whatever behavior
> you want and specify. This is not a GNU thing but a POSIX standards
> conformance thing. If you want POSIX 1003.2-1992 behavior then define
> that for your system. You get to choose.

Nice argument, but a *major* pain for people providing software to run on older systems as well as on recent systems.

gert

-- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From albert at users.sf.net Wed Aug 18 02:12:25 2004
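The portability problem Bob and Gert are discussing (pre-2001 head(1) accepts only "head -N", a POSIX 1003.1-2001 head accepts only "head -n N") is usually solved in scripts by probing once and remembering the answer, or by using sed, which both standards specify. The following is an added example, not code from the thread or from the OpenSSH regression suite; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: a "first N lines" helper that works with both the
# pre-2001 "head -N" form and the POSIX 1003.1-2001 "head -n N" form.

HEAD_STYLE=""   # cache: "dashn" or "number", filled by probe_head_style

# Decide which syntax the local head(1) accepts. "-n" is the 2001 form;
# if the local head rejects it, fall back to the obsolescent "-N" form.
probe_head_style() {
    if [ -n "$HEAD_STYLE" ]; then
        return 0
    fi
    if printf 'x\n' | head -n 1 >/dev/null 2>&1; then
        HEAD_STYLE=dashn
    else
        HEAD_STYLE=number
    fi
}

# first_lines N: copy the first N lines of stdin to stdout.
first_lines() {
    n=$1
    probe_head_style
    case $HEAD_STYLE in
        dashn)  head -n "$n" ;;
        number) head -"$n" ;;
    esac
}

# first_lines_sed N: the same without probing. "sed Nq" prints lines up
# to N and quits, and sed is specified by both 1003.2-1992 and
# 1003.1-2001, so no version-dependent option is involved at all.
first_lines_sed() {
    sed "${1}q"
}

# On GNU coreutils the old form can also be re-enabled per process
# without recompiling anything (from the info text quoted above):
#   _POSIX2_VERSION=199209 head -2000 file
#
# Portable equivalent of the regression test's "yes | head -2000":
#   yes | first_lines 2000 | wc -l
```

The probe runs a harmless `head -n 1` on one line of input, so a wrong guess costs one failed invocation rather than a broken test; `first_lines_sed` is the option to pick when the script must not depend on the local `head` at all.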
From: albert at users.sf.net (Albert Cahalan) Date: 17 Aug 2004 12:12:25 -0400 Subject: Pending OpenSSH release, call for testing. Message-ID: <1092759145.5761.1470.camel@cube>

Ben Lindstrom writes: [complaining about "head -2000" not working]
> Kinda sucks that FSF had to break rank. I'm sure a
> lot of people are going to run into this problem in
> the near future.

Simply put, the FSF is wrong. I just looked at the latest revision of the standard. The standard requires that _users_ of head not rely on "head -2000" usage. The standard does not in any way prohibit the head implementation from supporting non-conformant users. That is, an implementation is allowed to add vendor-specific options that are not in the standard. So we want: -1, -2, -3, -4, ... and so on. To open a file named "-4", you need the "--" option. If the "head -2000" syntax isn't supported, it would be an error. You'd do "head -- -2000" to open a file with the name "-2000".

So, let bug-coreutils at gnu.org know. Here's the standard:
http://www.opengroup.org/onlinepubs/009695399/utilities/head.html

> Kinda like the whole crap around 'nslookup' and the
> removal of '-' in Linux's 'ps' program. Stupid
> things done for stupid reasons.

The '-' was not removed from Linux ps. Linux ps fully conforms to the standards, as well as supporting old BSD syntax as much as possible. Try it:

    ps -ef
    ps -el
    ps -elf
    ps -u root
    ps -uroot    # now guess what "ps -uax" means

It's just like Solaris, HP-UX, UnixWare, IRIX, and every other POSIX or real UNIX system. Just like with AIX and Tru64, you can leave off the '-' if you want the non-standard BSD options. Most BSD users would leave off the '-' anyway; why type the extra character? I wrote the new ps, and I use "ps aux" all the time. It's not getting killed.

I might kill the ability to fall back to BSD parsing when you do "ps -aux" and a user named "x" doesn't exist, allowing you to get a proper error message -- maybe you wanted user "X", or you forgot to create a user named "x".

Heck, I even allow mixing the options:

    ps -uroot u
    ps u -u root
    ps -e e f -f
    ps -ef ef

From keoki at camelot.physics.wm.edu Wed Aug 18 04:57:22 2004
From: keoki at camelot.physics.wm.edu (keoki seu) Date: Tue, 17 Aug 2004 14:57:22 -0400 Subject: password echoes on `ssh $host passwd` Message-ID: <20040817185722.GA3200@imperfectly.physics.wm.edu>

Hello,

When I ssh to a machine and run a command which asks for masked characters (i.e. a password), the characters which are supposed to not show up echo to the screen. I use a public/private key, so there isn't any ssh authentication.

    castor:~$ ssh -V
    OpenSSH_3.8.1, OpenSSL 0.9.7d 17 Mar 2004
    castor:~$ dmesg|head -2
    OpenBSD 3.6-beta (GENERIC) #3: Thu Aug 12 00:01:53 EDT 2004
        keoki at castor.my.domain:/usr/src/sys/arch/i386/compile/GENERIC
    castor:~$ ssh castor passwd
    Old password:neato

I am wondering if this behavior is expected? I have also seen this using a sudo command, `ssh $computer sudo $cmd`. If sudo is configured to ask for a password, those characters will echo to the terminal.

thanks,
keoki

From Todd.Miller at courtesan.com Wed Aug 18 05:10:11 2004
From: Todd.Miller at courtesan.com (Todd C. Miller) Date: Tue, 17 Aug 2004 13:10:11 -0600 Subject: password echoes on `ssh $host passwd` In-Reply-To: Your message of "Tue, 17 Aug 2004 14:57:22 EDT." <20040817185722.GA3200@imperfectly.physics.wm.edu> References: <20040817185722.GA3200@imperfectly.physics.wm.edu> Message-ID: <200408171910.i7HJABIc030783@xerxes.courtesan.com>

That is because the passwd command has no way to turn off echo w/o access to a tty. If you run "ssh -t command" the sshd on the other end will allocate a tty and things will act as you expect.

- todd

From keoki at camelot.physics.wm.edu Wed Aug 18 05:12:34 2004
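Todd's explanation generalises to any script that prompts for a secret: without a controlling terminal there is nothing to turn echo off on, so the safe behaviour is to refuse to prompt rather than let the password land on screen or in a log. The script below is an added example written for this thread, not code from OpenSSH or from either poster; the function names are illustrative and the host name is a constructed placeholder.

```shell
#!/bin/sh
# Added example: prompt for a secret only when echo can really be
# disabled, and fail closed otherwise. This is the server-side twin of
# Todd's advice to run "ssh -t host passwd": with -t, sshd allocates a
# pty so [ -t 0 ] is true and stty works; without it the remote command
# runs on pipes and any prompt would echo whatever is typed.

# have_tty: true if stdin is a terminal.
have_tty() {
    [ -t 0 ]
}

# read_secret PROMPT: write PROMPT to stderr, read one line with echo
# off, print the line to stdout. Returns 2 without reading anything when
# stdin is not a terminal, so a caller never gets an echoed password.
read_secret() {
    if ! have_tty; then
        echo "read_secret: stdin is not a terminal; rerun over 'ssh -t'" >&2
        return 2
    fi
    printf '%s' "$1" >&2
    saved=$(stty -g)                      # current terminal settings
    trap 'stty "$saved"' EXIT INT TERM    # restore echo even on ^C
    stty -echo
    read -r secret
    stty "$saved"
    trap - EXIT INT TERM
    echo >&2                              # the newline the user's Enter did not echo
    printf '%s\n' "$secret"
}

# Client side (example.invalid is a constructed host name):
#   ssh -t example.invalid passwd        # pty allocated, passwd can hide input
#   ssh    example.invalid passwd        # no pty: "Old password:" echoes
# The same applies to "ssh host sudo cmd" when sudo must ask for a password.
```

Under `ssh -t` the remote `read_secret` behaves like `passwd`; run without `-t`, or from cron, it exits with status 2 instead of reading a visible password, which is the failure a caller can detect and report.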
From: keoki at camelot.physics.wm.edu (keoki seu) Date: Tue, 17 Aug 2004 15:12:34 -0400 Subject: password echoes on `ssh $host passwd` In-Reply-To: <200408171910.i7HJABIc030783@xerxes.courtesan.com> References: <20040817185722.GA3200@imperfectly.physics.wm.edu> <200408171910.i7HJABIc030783@xerxes.courtesan.com> Message-ID: <20040817191233.GA3563@imperfectly.physics.wm.edu>

On Tue, Aug 17, 2004 at 01:10:11PM -0600, Todd C. Miller wrote:
> That is because the passwd command has no way to turn off echo
> w/o access to a tty. If you run "ssh -t command" the sshd on the
> other end will allocate a tty and things will act as you expect.

Thank you for the quick reply!

keoki

From srinivas_gopaladasu at net.com Wed Aug 18 05:46:08 2004
From: srinivas_gopaladasu at net.com (Srinivas Gopaladasu) Date: Tue, 17 Aug 2004 12:46:08 -0700 Subject: sftp with a user defined shell Message-ID: <41226080.8070003@net.com>

Hi,

I have a different behavior using sftp compared to ftp for a user with a user defined shell on a solaris machine.

ftp rejects any user having a user defined shell. sftp is allowing the user with user defined shell; unfortunately the sftp client bails out saying the following message:

    "Received message too long 537548147"

Is it because the user shell is outputting a lot of text?

I am OK with this behaviour, if no traces of the initiated session are left behind. But the problem for me is that the user shell is left behind running:

    myuser1 7015 0.1 0.1 1680 1256 ? S 12:38:03 0:00 /bin/csh /bin/my_sh -c /opt/openssh/libexec/sftp

As my_sh needs a tty and because of a bug in that, it runs in a while loop and takes up a lot of cpu.

If sftp only supported the shells returned from the "getusershell" function, sftp would be consistent with ftp and my problem would be solved. Do we have any patch for this?

I appreciate any thoughts, comments and help to solve my problem.

Thanks
Srini

From mouring at etoh.eviladmin.org Wed Aug 18 07:06:29 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 17 Aug 2004 16:06:29 -0500 (CDT) Subject: sftp with a user defined shell In-Reply-To: <41226080.8070003@net.com> Message-ID:

There is one major difference in sftp vs ftp.

ftp uses the $SHELL as an "allow or disallow" switch. Whereas ssh actually calls the user's $SHELL to run sftp-server. Thus if you have any garbage being displayed during a non-interactive login (e.g. output if you run: ssh site.com true) it will stop sftp-server from working correctly.

- Ben

On Tue, 17 Aug 2004, Srinivas Gopaladasu wrote:
> Hi,
>
> I have a different behavior using sftp compared to ftp for a user with a
> user defined shell on a solaris machine.
>
> ftp rejects any user having a user defined shell.
> sftp is allowing the user with user defined shell, unfortunately as the
> sftp client bails out saying the following message:
> "Received message too long 537548147"
>
> Is it because the user shell, outputting lot of text?
>
> I am OK with this behaviour, if no traces of the initiated session is
> left behind.
> But the problem for me is that the user shell is left behind running
> myuser1 7015 0.1 0.1 1680 1256 ? S 12:38:03 0:00 /bin/csh
> /bin/my_sh -c /opt/openssh/libexec/sftp
>
> As my_sh needs a tty and because of a bug in that, it runs in a while
> loop and takes up lot of cpu.
>
> If only sftp supports only the shells returned from "getusershell"
> function, sftp would be consistent with ftp and my problem will be solved.
> Do we have any patch for this?
>
> I appreciate any thoughts, comments and help to solve my problem.
>
> Thanks
> Srini
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From jiwen at hawaii.edu Wed Aug 18 07:26:17 2004
From: jiwen at hawaii.edu (Jiwen Liu) Date: Tue, 17 Aug 2004 11:26:17 -1000 (HST) Subject: (no subject) Message-ID:

Hi All,

I got email address from www.openssh.com and I think it might be a good resource that can provide some help on my problem.

I have a problem during running configure script. When I invoked the configure, the error in config.log file showed that

    gcc: installation problem, cannot exec `/opt/gcc/lib/gcc-lib/hppa2.0-hp-hpux10.20/3.3.2/cc1': Arg list too long

Do you know how to work around it?

The OS is HP-UX 10.20 platform, and gcc version 3.3.2.

I have run the same stuff about configuration, compilation and installation on Solaris 5.7, Solaris 5.8, HP-UX 11 and IBM Linux by using same GCC version (3.3.2) and there were not any problems at all.

Any suggestions and comments are all welcomed.

Appreciate your help

Jiwen

From mouring at etoh.eviladmin.org Wed Aug 18 08:31:41 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 17 Aug 2004 17:31:41 -0500 (CDT) Subject: sftp with a user defined shell In-Reply-To: <41228223.5060405@net.com> Message-ID:

On Tue, 17 Aug 2004, Srinivas Gopaladasu wrote:
>
> Ben Lindstrom wrote:
>
> >There is one major difference in sftp vs ftp.
> >
> >ftp uses the $SHELL as an "allow or disallow" switch. Whereas ssh
> >actually calls the user's $SHELL to run sftp-server.
> >
> Can you provide any info, why the difference?
>

Because ftpd listens on 21 directly. Whereas sftp basically does 'ssh site.com sftp-server' (ignoring details of subsystems to simplify stuff). Thus it talks to ssh which then runs the sftp-server program. Same is true for scp.

> >Thus if you have any garbage being displayed during a non-interactive
> >login (e.g. output if you run: ssh site.com true) it will stop sftp-server
> >from working correctly.
> >
>
> Any suggestion, how I can solve my problem?
>

As stated:

    ssh site.com true

You should get something like:

    $ ssh site.org true
    Enter passphrase for key '/private/home/mouring/.ssh/id_dsa':
    $

or the below, depending on whether you have public key set up or not:

    $ ssh site.org true
    Password:
    $

If you get anything else you need to look at your shell startup scripts and clean them out.

Much of this has already been covered in http://www.openssh.com/faq.html#2.9

- Ben

From GILBERT.R.LOOMIS at saic.com Wed Aug 18 08:19:57 2004
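Two checks that follow from Ben's reply and from the "Received message too long 537548147" error in Srini's original message, written here as an added example (not code from the thread, from OpenSSH or from the OpenSSH FAQ; function names are illustrative and example.invalid is a constructed host). The first reproduces the `ssh host true` test and a local approximation of it for a given startup file. The second turns the bogus length in the error into text: the sftp client reads the first four bytes that arrive as a big-endian packet length, so the number it prints is simply the first four bytes of whatever the startup script wrote, which usually identifies the offending file at a glance.

```shell
#!/bin/sh
# Added example: diagnose "Received message too long N" from sftp.

# 1. Ben's test: a remote command that prints nothing should produce no
#    output at all over a non-interactive login. remote_noise HOST
#    counts the bytes that such a login emits (0 is the only good value).
#      ssh example.invalid true      # constructed host; expect silence
remote_noise() {
    ssh "$1" true </dev/null 2>&1 | wc -c | tr -d ' '
}

# 2. Local approximation for one startup file: source it in a
#    non-interactive sh with no tty and count what it writes to stdout
#    or stderr. Anything above 0 would corrupt the sftp stream.
startup_noise() {
    sh -c '. "$1"' sh "$1" </dev/null 2>&1 | wc -c | tr -d ' '
}

# 3. Decode the bogus length: print the four big-endian bytes of N as
#    characters. Non-printable bytes come out as-is, so pipe through
#    "od -c" if you want them visible.
decode_len() {
    n=$1
    for div in 16777216 65536 256 1; do
        b=$(( (n / div) % 256 ))
        printf "\\$(printf '%03o' "$b")"   # octal escape for one byte
    done
}

# Demo with two constructed startup files.
demo() {
    clean=$(mktemp); noisy=$(mktemp)
    printf 'PATH=/usr/local/bin:$PATH\nexport PATH\n' > "$clean"
    printf 'echo "Welcome back"\n' > "$noisy"
    echo "clean rc emits $(startup_noise "$clean") bytes"
    echo "noisy rc emits $(startup_noise "$noisy") bytes"
    echo "537548147 as text:"
    decode_len 537548147 | od -c | head -n 1
    rm -f "$clean" "$noisy"
}
```

For the value in Srini's report, `decode_len 537548147` yields a space, a newline, then `Us`: the login printed a line ending in a space and then a line starting with "Us", which is consistent with a usage message from the wrapper shell rather than with anything sftp-server sent.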
From: GILBERT.R.LOOMIS at saic.com (Loomis, Rip) Date: Tue, 17 Aug 2004 18:19:57 -0400 Subject: Problems compiling OpenSSH [no version info] on HP-UX 10.20 was: (no subject) Message-ID: <4E25ECBBC03F874CBAD03399254ADFDE10527E@US-Columbia-CIST.mail.saic.com>

Aloha Jiwen (I used to get kama'aina discounts, but no longer)--

First, you didn't tell us what OpenSSH source code version you're trying to compile. Without that info there are any number of possible problems--so I'll assume (for now) that you're using the latest released portable version of OpenSSH. Please reply with specific version info.

The fact that things are blowing up during the configure script tells me that you may have a problem that has more to do with the shell interpreter than with the compiler--if you've got a working compiler, you might have some luck just by compiling and installing a recent bash(1) or your favorite flavor of shell.

Nevertheless: If you're installing an almost brand new version of GCC on a very old version of HP-UX--are you sure that the compiler works properly? Have you tried other reasonable tests, like using GCC to compile itself natively? And (since this has been a problem for me before with weird error messages) did you compile all the necessary support libraries yourself (things like OpenSSL and zlib)? If not, then where did you get those support libraries?

Going back to the configure script issue and probable causes: The specific problem you're seeing isn't one I've seen before, but I've compiled OpenSSH on HP-UX 10.20 before and had no issues (well, apart from the fact that IIRC there were issues with translating hostnames and IPs into things useful to log...or was that an antiquated IRIX version?). I'll take a look tomorrow and see if I've still got a useful HP-UX 10.20 compile host and what GCC version it has installed, and then try to compile latest OpenSSH (and the pre-release version that we've all been asked to try.)

Overall, though, I'm betting on a non-fun interaction between really-really-old Bourne shell implementations, recent configure scripts, and general HP-UX oddities.

--Rip

-- Rip Loomis, CISSP // SAIC Enterprise Security Solutions Brainbench MVP for Internet Security www.brainbench.com

> -----Original Message-----
> From: openssh-unix-dev-bounces+gilbert.r.loomis=cpmx.saic.com at mindrot.org
> [mailto:openssh-unix-dev-bounces+gilbert.r.loomis=cpmx.saic.com at mindrot.org] On Behalf Of Jiwen Liu
> Sent: Tuesday, August 17, 2004 5:26 PM
> To: openssh-unix-dev at mindrot.org
> Subject: (no subject)
>
> Hi All,
>
> I got email address from www.openssh.com and I think it might
> be a good resource that can provide some help on my problem.
>
> I have a problem during running configure script. When I invoked the
> configure, the error in config.log file showed that gcc: installation
> problem, cannot exec
> `/opt/gcc/lib/gcc-lib/hppa2.0-hp-hpux10.20/3.3.2/cc1': Arg
> list too long .
> Do you know how to work around it?
>
> The OS is HP-UX 10.20 platform, and gcc version 3.3.2.
>
> I have run the same stuff about configuration, compilation and
> installation on Solaris 5.7, Solaris 5.8, HP-UX 11 and IBM Linux
> by using same GCC version (3.3.2) and there were not any
> problems at all.
>
> Any suggestions and comments are all welcomed.
>
> Appreciate your help
>
> Jiwen
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From drearwig at hotmail.com Wed Aug 18 08:42:00 2004
From: drearwig at hotmail.com (Doug Martin) Date: Tue, 17 Aug 2004 15:42:00 -0700 Subject: SSHD Bug with Pam/Winbind on FreeBSD ver5.2 Message-ID:

I've reproduced this bug in versions openssh-3.7p1 and openssh-3.8p1

I've verified that it works PERFECTLY in versions openssh-3.6p1 and openssh-2.9p2

I have not tested any other versions.

The problem is sshd will not authenticate passwords off a NT4 domain using winbind and pam.

Broken debug output is:

    debug1: PAM: initializing for "user"
    debug1: PAM: setting PAM_RHOST to "user.domain.com"
    Failed none for user from 192.168.1.21 port 3971 ssh2
    Failed none for user from 192.168.1.21 port 3971 ssh2
    debug1: userauth-request for user user service ssh-connection method password
    debug1: attempt 1 failures 1
    Failed password for user from 192.168.1.21 port 3971 ssh2
    Failed password for user from 192.168.1.21 port 3971 ssh2

Working debug output is:

    debug1: Starting up PAM with username "user"
    debug1: PAM setting rhost to "user.domain.com"
    Failed none for user from 192.168.1.21 port 3948 ssh2
    Failed none for user from 192.168.1.21 port 3948 ssh2
    debug1: userauth-request for user user service ssh-connection method password
    debug1: attempt 1 failures 1
    debug1: PAM Password authentication accepted for user "user"
    Accepted password for user from 192.168.1.21 port 3948 ssh2
    Accepted password for user from 192.168.1.21 port 3948 ssh2
    debug1: monitor_child_preauth: user has been authenticated by privileged process
    debug1: Entering interactive session for SSH2.

To reproduce:

Build openssh with --with-pam option
Install samba
Your smb.conf should be running in:

    security = domain

And your /etc/pam.d/sshd should look like this:

    # auth
    auth      sufficient  pam_winbind.so
    auth      sufficient  pam_nologin.so      no_warn
    auth      sufficient  pam_opie.so         no_warn no_fake_prompts
    auth      requisite   pam_opieaccess.so   no_warn allow_local
    auth      sufficient  pam_unix.so         no_warn try_first_pass
    account   sufficient  pam_winbind.so
    account   required    pam_unix.so
    session   required    pam_permit.so
    password  required    pam_unix.so         no_warn try_first_pass

And just attempt to login using a domain user/pass

I'm using an older version of sshd now, but I thought I would report the problem because I spent many hours finding it. I'm also not on this list so please reply to me with questions.

Thank you!

From supporttraces at medusa-art.com Tue Aug 17 22:14:53 2004
From dtucker at zip.com.au Wed Aug 18 12:28:43 2004
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 18 Aug 2004 12:28:43 +1000 Subject: SSHD Bug with Pam/Winbind on FreeBSD ver5.2 In-Reply-To: References: Message-ID: <4122BEDB.6060308@zip.com.au>

Doug Martin wrote:
> I've reproduced this bug in versions openssh-3.7p1 and openssh-3.8p1
>
> I've verified that it works PERFECTLY in versions openssh-3.6p1 and
> openssh-2.9p2
>
> I have not tested any other versions.
>
> The problem is sshd will not authenticate passwords off a NT4 domain
> using winbind and pam.
[...]
> Failed password for user from 192.168.1.21 port 3971 ssh2
> Failed password for user from 192.168.1.21 port 3971 ssh2

See: http://bugzilla.mindrot.org/show_bug.cgi?id=874

This is fixed in 3.9p1 which has just been released.

-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From markus at openbsd.org Wed Aug 18 18:58:51 2004
From: markus at openbsd.org (Markus Friedl) Date: Wed, 18 Aug 2004 10:58:51 +0200 Subject: OpenSSH 3.9 released Message-ID: <20040818085851.GA2949@folly>

OpenSSH 3.9 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or posters.

We have a new design of T-shirt available, more info on http://www.openbsd.org/tshirts.html#18 For international orders use http://https.openbsd.org/cgi-bin/order and for European orders, use http://https.openbsd.org/cgi-bin/order.eu

Changes since OpenSSH 3.8:
============================

* Added new "IdentitiesOnly" option to ssh(1), which specifies that it should use keys specified in ssh_config, rather than any keys in ssh-agent(1)

* Make sshd(8) re-execute itself on accepting a new connection. This security measure ensures that all execute-time randomisations are reapplied for each connection rather than once, for the master process' lifetime. This includes mmap and malloc mappings, shared library addressing, shared library mapping order, ProPolice and StackGhost cookies on systems that support such things

* Add strict permission and ownership checks to programs reading ~/.ssh/config. NB ssh(1) will now exit instead of trying to process a config with poor ownership or permissions

* Implemented the ability to pass selected environment variables between the client and the server. See "AcceptEnv" in sshd_config(5) and "SendEnv" in ssh_config(5) for details

* Added a "MaxAuthTries" option to sshd(8), allowing control over the maximum number of authentication attempts permitted per connection

* Added support for cancellation of active remote port forwarding sessions. This may be performed using the ~C escape character, see "Escape Characters" in ssh(1) for details

* Many sftp(1) interface improvements, including greatly enhanced "ls" support and the ability to cancel active transfers using SIGINT (^C)

* Implement session multiplexing: a single ssh(1) connection can now carry multiple login/command/file transfer sessions. Refer to the "ControlMaster" and "ControlPath" options in ssh_config(5) for more information

* The sftp-server has improved support for non-POSIX filesystems (e.g. FAT)

* Portable OpenSSH: Re-introduce support for PAM password authentication, in addition to the keyboard-interactive driver. PAM password authentication is less flexible, and doesn't support pre-authentication password expiry but runs in-process so Kerberos tokens, etc are retained

* Improved and more extensive regression tests

* Many bugfixes and small improvements

Checksums:
==========

- MD5 (openssh-3.9.tgz) = 93f48bfcc1560895ae53de6bfc41689b
- MD5 (openssh-3.9p1.tar.gz) = 8e1774d0b52aff08f817f3987442a16e

Reporting Bugs:
===============

- please read http://www.openssh.com/report.html and http://bugzilla.mindrot.org/

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice.

From stuge-openssh-unix-dev at cdy.org Wed Aug 18 19:26:33 2004
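The release note says ssh(1) now exits rather than read a ~/.ssh/config with poor ownership or permissions, without spelling out the rule. The script below is an added example, not OpenSSH's own code, and it assumes the rule that makes sense for that threat (a config file someone else can edit can redirect ProxyCommand, IdentityFile and similar options): the file must be owned by the invoking user and must not be writable by group or others. The function names are illustrative, and the sample config it writes is constructed to exercise the new 3.9 options named in the announcement.

```shell
#!/bin/sh
# Added example: reject an ssh_config file that another account could
# have written, in the spirit of the 3.9 ownership/permission check.
# The exact rule below is an assumption, not OpenSSH's implementation.

# config_ok FILE: 0 if FILE is a regular file owned by the invoking user
# and not writable by group or others; 1 with a reason on stderr otherwise.
config_ok() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2; return 1
    fi
    # find prints the path only when the predicate matches, so a
    # non-empty result means the check failed.
    if [ -n "$(find "$f" ! -user "$(id -un)")" ]; then
        echo "$f: not owned by $(id -un)" >&2; return 1
    fi
    if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \))" ]; then
        echo "$f: writable by group or others" >&2; return 1
    fi
    return 0
}

# Demo: a constructed per-user config using the new 3.9 options, first
# with safe permissions, then made group-writable.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
Host *
    IdentitiesOnly yes
    SendEnv LANG LC_*
    ControlMaster auto
    ControlPath ~/.ssh/cm-%h-%p-%r
EOF
    chmod 600 "$cfg"
    config_ok "$cfg" && echo "$cfg: ok"
    chmod 664 "$cfg"
    config_ok "$cfg" || echo "$cfg: rejected, as ssh 3.9 would be expected to"
    rm -f "$cfg"
}
```

Running the same function over `~/.ssh/config` before upgrading tells you whether the new ssh will refuse to start for a user; the usual fix is `chmod 600 ~/.ssh/config` and restoring ownership with `chown`.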
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Wed, 18 Aug 2004 11:26:33 +0200 Subject: Pending OpenSSH release, call for testing. In-Reply-To: <200408162353.44249.jason@devrandom.org> References: <411B76C8.6000208@zip.com.au> <200408152231.46530.jason@devrandom.org> <20040816163228.GA16935@foo.birdnet.se> <200408162353.44249.jason@devrandom.org> Message-ID: <20040818092633.GA1908@foo.birdnet.se>

On Mon, Aug 16, 2004 at 11:53:44PM -0400, Jason McCormick wrote:
> I've attached a patch to this post and will also file the patch to
> Bugzilla if there's no objections. It fixes the regression test on
> Gentoo and doesn't seem to break anything in Fedora.
>
> Thoughts? Peter can you try this patch?

Sure.

    run test dynamic-forward.sh ...
    Waiting for forwarded connections to terminate...
    The following connections are open:
      #1 direct-tcpip: listening port 4243 for localhost port 4242, connect from 127.0.0.1 port 34796 (t4 r2 i0/0 o3/0 fd 10/10 cfd -1)
    ok dynamic forwarding
    [..]
    run test reexec.sh ...
    test config passing
    reexec tests: proto 1
    reexec tests: proto 2
    test reexec fallback
    reexec tests: proto 1
    reexec tests: proto 2
    test reexec fallback without privsep
    reexec tests: proto 1
    reexec tests: proto 2
    ok reexec tests
    make[1]: Leaving directory `/home/ossh/ossh_testing/openssh/regress'

Works well!

//Peter

From bob at proulx.com Thu Aug 19 00:17:46 2004
From: bob at proulx.com (Bob Proulx) Date: Wed, 18 Aug 2004 08:17:46 -0600 Subject: Problems compiling OpenSSH [no version info] on HP-UX 10.20 was: (no subject) In-Reply-To: <4E25ECBBC03F874CBAD03399254ADFDE10527E@US-Columbia-CIST.mail.saic.com> References: <4E25ECBBC03F874CBAD03399254ADFDE10527E@US-Columbia-CIST.mail.saic.com> Message-ID: <20040818141746.GA18376@misery.proulx.com>

Loomis, Rip wrote:
> Going back to the configure script issue and probable
> causes: The specific problem you're seeing isn't one
> I've seen before,

The error was "Arg list too long". Here is some FAQ information about it so I won't repeat it here.

http://www.gnu.org/software/coreutils/faq/coreutils-faq.html#Argument%20list%20too%20long

> but I've compiled OpenSSH on HP-UX 10.20 before and had no issues

Me too. No issues.

> (well, apart from the fact that IIRC there were issues with
> translating hostnames and IPs into things useful to log...or was
> that an antiquated IRIX version?).

Works fine for me. Must have been the IRIX version. :-)

Bob

From jiwen at hawaii.edu Thu Aug 19 02:45:01 2004
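"Arg list too long" is the shell's wording for the kernel's E2BIG error from exec(): the command line plus the environment exceed the system's argument-space limit. Since configure spawns the compiler with whatever environment it inherited, a bloated environment can push a short compiler command over the limit, which is one thing worth ruling out before blaming the compiler or the shell. The script below is an added example for this thread, not from the coreutils FAQ or from OpenSSH; the function names are illustrative.

```shell
#!/bin/sh
# Added example: size up argument plus environment space against the
# kernel limit behind "Arg list too long" (E2BIG from exec).

# arg_max: the system limit from getconf, or the POSIX minimum
# _POSIX_ARG_MAX (4096) when getconf is missing or unhelpful.
arg_max() {
    v=$(getconf ARG_MAX 2>/dev/null) || v=""
    if [ -n "$v" ] && [ "$v" -gt 0 ] 2>/dev/null; then
        echo "$v"
    else
        echo 4096
    fi
}

# env_bytes: bytes the current environment occupies at exec time. Each
# entry is "NAME=value" plus a terminating NUL, which env(1)'s newline
# stands in for here.
env_bytes() {
    env | wc -c | tr -d ' '
}

# fits NBYTES: 0 if NBYTES of command-line arguments plus the current
# environment fit under the limit, 1 if such an exec would get E2BIG.
fits() {
    [ $(( $1 + $(env_bytes) )) -lt "$(arg_max)" ]
}

# Diagnosis steps for a case like the HP-UX one (constructed commands):
#   env | wc -c                                               # how big is the environment?
#   env | awk -F= '{print length($0), $1}' | sort -n | tail -5   # largest variables
#   env -i PATH=/usr/bin:/bin ./configure                     # retry with a minimal environment
```

If the minimal-environment retry gets past the point that failed, the culprit is an oversized variable inherited by configure rather than the compiler; if it still fails, the limit is not the problem and Rip's suspicion about the shell interpreter is the next thing to test.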
From: jiwen at hawaii.edu (Jiwen Liu) Date: Wed, 18 Aug 2004 06:45:01 -1000 (HST) Subject: Problems compiling OpenSSH [no version info] on HP-UX 10.20 w as: (no subject) In-Reply-To: <4E25ECBBC03F874CBAD03399254ADFDE105286@US-Columbia-CIST.mail.saic.com> References: <4E25ECBBC03F874CBAD03399254ADFDE105286@US-Columbia-CIST.mail.saic.com> Message-ID: Aloha Rip Thanks for your quick response. I did compile OpenSSH stuffs by using GCC 2.95.2 first, the error is the same. Since there are no issues on other platforms by using GCC 3.3.2, I tried to take a luck on HP-UX 10.20 by using GCC 3.3.2. Unfortunately, it is same, even at the same line What I am guessing is that it could be from some system environment variable setting, but I am not sure what they are. I did read the web link about FAQ on coreuitls before raising a help, and I thought it might be not helpful for this "configure" issue at this moment. Now I am going to use bash instead of Bourne Shall to see if the configuration scripts works. Again, Mahalo Jiwen On Wed, 18 Aug 2004, Loomis, Rip wrote: > Aloha Jiwen-- > I'm not sure you saw the message below, which was only > sent to the list. Having seen your other message to > me, I would suggest trying to compile OpenSSH using > GCC 2.95.2 -- that's what I've got installed on my HP-UX > systems and I've had no problem with it. Was there a > specific reason that you wanted to upgrade to GCC 3.3.2? > > You might also try compiling the OpenSSH 3.9.p1 release, > which just came out last night--but I don't think it > will fix this problem. The more I think about it, the > more I wonder if compiling bash might help--bash might > be better able to handle the options for this compile. > > There's no really sensible way to work around the configure > script, since it sets things up in several places and > gets you ready to run "make". 
> Hope this helps--and please CC any follow-up messages
> to the openssh-dev list so that other folks can see
> what problems you're having--there are a lot of folks
> there who might be better able to help.
>
> If I get a chance today then I'll be compiling 3.9p1
> on HP-UX 10.20 and I'll let you know how it goes--it
> will probably take a while though since my 10.20 systems
> are old and slow, and I'll need to update OpenSSH first.
>
> --Rip
>
> -----Original Message-----
> From: openssh-unix-dev-bounces+gilbert.r.loomis=cpmx.saic.com at mindrot.org
> [mailto:openssh-unix-dev-bounces+gilbert.r.loomis=cpmx.saic.com at mindrot.org]
> On Behalf Of bob at proulx.com
> Sent: Wednesday, August 18, 2004 10:18 AM
> To: openssh-unix-dev at mindrot.org
> Subject: Re: Problems compiling OpenSSH [no version info] on HP-UX 10.20
> was: (no subject)
>
> Loomis, Rip wrote:
> > Going back to the configure script issue and probable
> > causes: The specific problem you're seeing isn't one
> > I've seen before,
>
> The error was "Arg list too long". Here is some FAQ information about
> it so I won't repeat it here.
>
> http://www.gnu.org/software/coreutils/faq/coreutils-faq.html#Argument%20list%20too%20long
>
> > but I've compiled OpenSSH on HP-UX 10.20 before and had no issues
>
> Me too. No issues.
>
> > (well, apart from the fact that IIRC there were issues with
> > translating hostnames and IPs into things useful to log...or was
> > that an antiquated IRIX version?).
>
> Works fine for me. Must have been the IRIX version. :-)
>
> Bob
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From greg at zerothree.com Thu Aug 19 01:08:16 2004
From: greg at zerothree.com (greg at zerothree.com)
Date: Wed, 18 Aug 2004 08:08:16 -0700
Subject: SecureCRT, OpenSSH, and keys
Message-ID: <20040818150816.GA2154@zerothree.com>

Hello all.

I have been searching the web for a formula to get OpenSSH and SecureCRT ssh2 keys working properly. Does anyone have a set of directions?

I have attempted creating keys in SecureCRT and converting them (ssh-keygen) to OpenSSH keys. I have attempted using OpenSSH's keys, but nothing seems to take. Any advice will help. Thank you.

OpenSSH v3.8
SecureCRT v4.1.7

-g

From drearwig at hotmail.com Thu Aug 19 04:26:49 2004
From: drearwig at hotmail.com (Doug Martin)
Date: Wed, 18 Aug 2004 11:26:49 -0700
Subject: SSHD Bug with Pam/Winbind on FreeBSD ver5.2

This issue has not been resolved in version openssh-3.9p1

Running in debug mode it just hangs at
debug1: fd 11 setting O_NONBLOCK
debug1: Setting controlling tty using TIOCSCTTY.

That's less information than before.

I appreciate all of your assistance.

>Doug Martin wrote:
>>I've reproduced this bug in versions openssh-3.7p1 and openssh-3.8p1
>>
>>I've verified that it works PERFECTLY in versions openssh-3.6p1 and
>>openssh-2.9p2
>>
>>I have not tested any other versions.
>>
>>The problem is sshd will not authenticate passwords off a NT4 domain using
>>winbind and pam.
>[...]
>>Failed password for user from 192.168.1.21 port 3971 ssh2
>>Failed password for user from 192.168.1.21 port 3971 ssh2
>
>See: http://bugzilla.mindrot.org/show_bug.cgi?id=874
>This is fixed in 3.9p1 which has just been released.
>
>--
>Darren Tucker (dtucker at zip.com.au)
>GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
>usually comes from bad judgement.

From sclodic at teaser.fr Thu Aug 19 05:05:13 2004
From: sclodic at teaser.fr (Stephane Clodic)
Date: Wed, 18 Aug 2004 21:05:13 +0200
Subject: SecureCRT, OpenSSH, and keys
In-Reply-To: <20040818150816.GA2154@zerothree.com>
References: <20040818150816.GA2154@zerothree.com>
Message-ID: <20040818190513.GQ72935@qube.teaser.fr>

On Wed, Aug 18, 2004 at 08:08:16AM -0700, greg at zerothree.com wrote:
> Hello all.

Hello

> I have been searching the web for a formula to get openssh and securecrt ssh2 keys working properly. Does anyone have a set of directions?
>
> I have attempted creating keys in securecrt and converting them (ssh-keygen) to OpenSSH keys. I have attempted using OpenSSH's keys, but nothing seems to take. Any advice will help. Thank you.
>
> OpenSSH v3.8
> SecurCRT v4.1.7

If you have generated your identity keys (priv & pub) from SecureCRT, simply upload your (Windows) Identity.pub file to the remote host. Guessing this one is running OpenSSH, simply do a

ssh-keygen -i -f Identity.pub >> ~/.ssh/authorized_keys

Then you should be able to log into the remote host from SecureCRT with pubkey auth.

I don't know how to convert the SecureCRT priv key.

Please note, to avoid some trouble converting priv keys between OpenSSH and SSH.com (from/to): (temporarily) suppressing the pass-phrase does the trick :)

PuTTY-(key)gen is also a nice tool for key conversion ;) (and more)

Cya

--
Stephane Clodic
France Teaser

From cmadams at hiwaay.net Thu Aug 19 08:37:11 2004
From: cmadams at hiwaay.net (Chris Adams)
Date: Wed, 18 Aug 2004 17:37:11 -0500
Subject: Trying regression tests
Message-ID: <20040818223711.GI764770@hiwaay.net>

I know it is just after a release, but I'm trying to see how the regression tests look on Tru64. I hadn't had a chance to really look at them before because I didn't have sudo installed on Tru64 (now I do).

Anyway, for the 3.9p1 release, all of them run except for a couple of problems:

- agent-ptrace fails; it looks like setgid isn't enough to kill tracing under Tru64, and I can't find anything that looks like it will (like Linux's prctl).

- reconfigure hangs; the script appears to get stuck in a loop. I tried turning on shell tracing; it looks like it is hanging when the script is called with "$TEST_SHELL -n $SCRIPT" to check it for errors. Using TEST_SHELL=/bin/ksh makes it work.

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From jdvf at optonline.net Thu Aug 19 10:44:31 2004
From: jdvf at optonline.net (John Devitofranceschi)
Date: Wed, 18 Aug 2004 20:44:31 -0400
Subject: Trying regression tests
In-Reply-To: <20040818223711.GI764770@hiwaay.net>
Message-ID: <000a01c48585$b1190cd0$6601a8c0@rover>

Same for me on Solaris 2.6 with the reconfigure hang. Using ksh for $TEST_SHELL fixes it for me too.

jd

-----Original Message-----
From: openssh-unix-dev-bounces+jdvf=optonline.net at mindrot.org
[mailto:openssh-unix-dev-bounces+jdvf=optonline.net at mindrot.org] On Behalf Of Chris Adams
Sent: Wednesday, August 18, 2004 6:37 PM
To: openssh-unix-dev at mindrot.org
Subject: Trying regression tests

I know it is just after a release, but I'm trying to see how the regression tests look on Tru64. I hadn't had a chance to really look at them before because I didn't have sudo installed on Tru64 (now I do).

Anyway, for the 3.9p1 release, all of them run except for a couple of problems:

- agent-ptrace fails; it looks like setgid isn't enough to kill tracing under Tru64, and I can't find anything that looks like it will (like Linux's prctl).

- reconfigure hangs; the script appears to get stuck in a loop. I tried turning on shell tracing; it looks like it is hanging when the script is called with "$TEST_SHELL -n $SCRIPT" to check it for errors. Using TEST_SHELL=/bin/ksh makes it work.

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From johnpell at mac.com Thu Aug 19 17:41:33 2004
From: johnpell at mac.com (John Davidorff Pell)
Date: Thu, 19 Aug 2004 00:41:33 -0700
Subject: sftp with a user defined shell
In-Reply-To: <41238695.6050406@net.com>
References: <41226080.8070003@net.com> <41238695.6050406@net.com>
Message-ID: <31D33002-F1B3-11D8-842E-0003934F6406@mac.com>

In bash, you can check if the variable $- includes the letter i in it. If it does, then it's interactive. If you check the man page for your shell, it should tell you how to determine if it is interactive. It is likely something similar. For example, in many shells you can check if the prompt variable is set ($PS1 in bash). You can also check if stdout is a tty. If it is interactive, it almost certainly is, and if it is not, then it almost certainly is not. (though both are possible.)

I just noticed that you said your shell requires a tty... Why?

You said your shell was "rc"? Take a look at http://www.star.le.ac.uk/~tjg/rc/ There is also a mailing list that you can ask on for the specifics of your shell and how to tell if it is interactive.

May I ask why you have output from the shell anyway?

JP

P.S. I've cc'd the list again. :-)

On 18 Aug 2004, at 09:40, Srinivas Gopaladasu wrote:

> I am not sure how I find out if the shell is launched interactively or
> non-interactively?
>
> John Davidorff Pell wrote:
>> the shell is broken, or the user's rc files are broken. A shell
>> should not output any text if it is run as non-interactive.
>>
>> On 17 Aug 2004, at 12:46, Srinivas Gopaladasu wrote:
>>> [...]
>>> the sftp client bails out saying the following message:
>>> "Received message too long 537548147"
>>>
>>> Is it because the user shell, outputting lot of text?
>>> [...]
>>> As my_sh needs a tty and because of a bug in that, it runs in a
>>> while loop and takes up lot of cpu.
>>> [...]

--
Blood is thicker than water... and much tastier.
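An added example (not code from the thread or from OpenSSH) covering both points in John's reply: how a shell can tell whether it is interactive, and why a chatty login shell breaks sftp. The sftp client reads the first four bytes it receives as a packet length, so the functions below decode a byte stream the same way and apply the 256 KiB limit (assumed here from OpenSSH's sftp client); function names and the sample banner are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH.

# Decode the first four bytes on stdin as an SFTP packet length:
# a uint32 in network byte order, which is what the sftp client
# reads before anything else.  Prints the length, or fails if
# fewer than four bytes arrived.
sftp_packet_length() {
    hex=$(od -An -tx1 -N 4 | tr -d ' \n')
    [ "${#hex}" -eq 8 ] || return 1
    printf '%d\n' "$((0x$hex))"
}

# Limit assumed from OpenSSH's sftp client (SFTP_MAX_MSG_LENGTH).
SFTP_MAX_MSG_LENGTH=$((256 * 1024))

# Classify a server's opening bytes the way the client would: prints
# "ok <len>" for a plausible packet, or the error quoted in the thread.
sftp_check_opening() {
    len=$(sftp_packet_length) || { echo "no packet"; return 2; }
    if [ "$len" -gt "$SFTP_MAX_MSG_LENGTH" ]; then
        echo "Received message too long $len"
        return 1
    fi
    echo "ok $len"
}

# True when the given shell flags (default: this shell's own $-)
# contain "i", i.e. the shell was started interactively.
shell_is_interactive() {
    case "${1:-$-}" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# rc-file guard: only talk to the user when the shell is interactive
# AND stdout is a terminal, so sftp/scp (non-interactive, no tty)
# get a silent shell.  Returns 0 only if the banner was printed.
print_banner_if_interactive() {
    if shell_is_interactive "$1" && [ -t 1 ]; then
        echo "Welcome, ${USER:-user}"
        return 0
    fi
    return 1
}

# Constructed inputs (exit status ignored for the demo).  A login shell
# that prints " \nUsage: ..." before sftp-server starts: the bytes
# 0x20 0x0a 0x55 0x73 read as 537548147, the number in the original report.
printf ' \nUsage: my_sh [options]\n' | sftp_check_opening || :
# A genuine SSH_FXP_VERSION packet (length 5, type 2, version 3).
printf '\000\000\000\005\002\000\000\000\003' | sftp_check_opening || :
```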
From openssh at roumenpetrov.info Thu Aug 19 17:02:59 2004
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Thu, 19 Aug 2004 10:02:59 +0300
Subject: Announce: X.509 certificates support in OpenSSH-3.9p1
Message-ID: <412450A3.2040801@roumenpetrov.info>

Hi All,

Diffs of "X.509v3 certificates support for OpenSSH" versions g4(Compatibility) and h(Validator) for OpenSSH-3.9p1 are ready for download.

Please visit "http://roumenpetrov.info/openssh" for more information.

Features:
* "x509v3-sign-rsa" and "x509v3-sign-dss" public key algorithms
* certificate verification
* certificate validation
  o CRL
  o OCSP (optional and experimental feature)
* "x509v3-sign-rsa" MD5 and SHA-1 signatures
* OpenSSH agent with certificates
* strong regression tests
* detailed manual pages
* README.x509v3

Note: OCSP is available in the "Validator" version only and requires OpenSSL 0.9.7+

Regards,
Roumen Petrov
From cmadams at hiwaay.net Sat Aug 21 00:45:06 2004
From: cmadams at hiwaay.net (Chris Adams)
Date: Fri, 20 Aug 2004 09:45:06 -0500
Subject: Trying regression tests
In-Reply-To: <20040818223711.GI764770@hiwaay.net>
References: <20040818223711.GI764770@hiwaay.net>
Message-ID: <20040820144506.GA1442100@hiwaay.net>

Once upon a time, Chris Adams said:
> I know it is just after a release, but I'm trying to see how the
> regression tests look on Tru64. I hadn't had a chance to really look at
> them before because I didn't have sudo installed on Tru64 (now I do).
>
> Anyway, for the 3.9p1 release, all of them run except for a couple of
> problems:
>
> - agent-ptrace fails; it looks like setgid isn't enough to kill tracing
> under Tru64, and I can't find anything that looks like it will (like
> Linux's prctl).

Is there any standard that documents when a process will be traceable? I don't see anything in SUSv3. IOW: should this be considered an OS bug or just an unavailable feature?

I see this test is already skipped for a couple of OSes, so I guess (at least for now) the suggested patch would be:

diff -urN openssh-3.9p1-dist/regress/agent-ptrace.sh openssh-3.9p1/regress/agent-ptrace.sh
--- openssh-3.9p1-dist/regress/agent-ptrace.sh	Fri Nov 14 19:13:17 2003
+++ openssh-3.9p1/regress/agent-ptrace.sh	Fri Aug 20 09:44:21 2004
@@ -5,7 +5,7 @@
 if have_prog uname ; then
 	case `uname` in
-	AIX|CYGWIN*)
+	AIX|CYGWIN*|OSF1)
 		echo "skipped (not supported on this platform)"
 		exit 0
 		;;

> - reconfigure hangs; the script appears to get stuck in a loop. I tried
> turning on shell tracing; it looks like it is hanging when the script
> is called with "$TEST_SHELL -n $SCRIPT" to check it for errors. Using
> TEST_SHELL=/bin/ksh makes it work.

Another way to fix this (without explicitly changing the shell) is to set the environment variable BIN_SH=xpg4 (this causes calls to /bin/sh to use a POSIX compliant shell, /bin/ksh, instead of a Bourne shell). Suggested patch:

diff -urN openssh-3.9p1-dist/regress/test-exec.sh openssh-3.9p1/regress/test-exec.sh
--- openssh-3.9p1-dist/regress/test-exec.sh	Wed Aug 18 17:35:47 2004
+++ openssh-3.9p1/regress/test-exec.sh	Fri Aug 20 09:39:38 2004
@@ -3,6 +3,10 @@
 #SUDO=sudo
 
+# For Tru64 to get a POSIX shell
+BIN_SH=xpg4
+export BIN_SH
+
 if [ ! -z "$TEST_SSH_PORT" ]; then
 	PORT="$TEST_SSH_PORT"
 else

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From downtime at slagheap.net Sat Aug 21 06:33:22 2004
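Review bot: the new `AIX|CYGWIN*|OSF1)` arm in agent-ptrace.sh skips the test but records nothing about why, and this test exists to check that ssh-agent cannot be attached to with ptrace; the accompanying message says setgid is not enough to block tracing on Tru64, so the skip hides an open question about whether the agent is traceable there rather than a known-unsupported feature. Suggest a comment beside the arm (e.g. `# OSF1: setgid does not disable ptrace, see list discussion`) or a note in the platform README so Tru64 users can see the limitation.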
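Review bot: in the test-exec.sh hunk, `BIN_SH=xpg4` is set and exported unconditionally although the comment says it is for Tru64, and it silently overrides any BIN_SH the tester already has in the environment. Suggest guarding it the way agent-ptrace.sh guards on `uname` (only for OSF1), or at least only setting it when unset, e.g. `: ${BIN_SH:=xpg4}` followed by `export BIN_SH`.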
From: downtime at slagheap.net (downtime at slagheap.net)
Date: Fri, 20 Aug 2004 13:33:22 -0700
Subject: problem compiling OpenSSH 3.9 on OpenBSD 3.4
Message-ID: <2DD3DB4E-F2E8-11D8-899C-000393D16F58@slagheap.net>

Please pardon any user idiocy involved, but I applied the OpenBSD 3.4 patch to the 3.9 sources on both my i386 and sparc64 OpenBSD 3.4 boxes, and get the same error:

cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o uidswap.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o -L/usr/src/usr.bin/ssh/sshd/../lib/obj -lssh -lgssapi -lkrb5 -lkafs -lcrypto -lutil -lz -ldes -lwrap
sshd.o: In function `main':
sshd.o(.text+0x1ed4): undefined reference to `closefrom'
sshd.o(.text+0x1ee4): undefined reference to `closefrom'
collect2: ld returned 1 exit status
*** Error code 1

Stop in /usr/src/usr.bin/ssh/sshd (line 122 of /usr/share/mk/bsd.prog.mk).
*** Error code 1

Stop in /usr/src/usr.bin/ssh.

What did I screw up?

-peter

From mouring at etoh.eviladmin.org Sat Aug 21 07:14:45 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 20 Aug 2004 16:14:45 -0500 (CDT)
Subject: problem compiling OpenSSH 3.9 on OpenBSD 3.4
In-Reply-To: <2DD3DB4E-F2E8-11D8-899C-000393D16F58@slagheap.net>

Have you looked at the revised patch for 3.4?

- Ben

On Fri, 20 Aug 2004 downtime at slagheap.net wrote:

>
> Please pardon any user idiocy involved, but I applied the OpenBSD 3.4
> patch to the 3.9 sources on both my i386 and sparc64 OpenBSD 3.4 boxes,
> and get the same error:
>
> cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o
> auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o uidswap.o
> auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o
> auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o
> auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o
> auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o
> auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o
> -L/usr/src/usr.bin/ssh/sshd/../lib/obj -lssh -lgssapi -lkrb5 -lkafs
> -lcrypto -lutil -lz -ldes -lwrap
> sshd.o: In function `main':
> sshd.o(.text+0x1ed4): undefined reference to `closefrom'
> sshd.o(.text+0x1ee4): undefined reference to `closefrom'
> collect2: ld returned 1 exit status
> *** Error code 1
>
> Stop in /usr/src/usr.bin/ssh/sshd (line 122 of
> /usr/share/mk/bsd.prog.mk).
> *** Error code 1
>
> Stop in /usr/src/usr.bin/ssh.
>
> What did I screw up?
>
> -peter
>

From lantrewi at freemint.de Sat Aug 21 07:17:13 2004
From: downtime at slagheap.net (downtime at slagheap.net)
Date: Fri, 20 Aug 2004 14:21:59 -0700
Subject: problem compiling OpenSSH 3.9 on OpenBSD 3.4

D'oh! I shoulda known ... just didn't see any mention of it anywhere.

Thanks, and sorry!

-peter

On Aug 20, 2004, at 2:14 PM, Ben Lindstrom wrote:

> Have you looked at the revised patch for 3.4?
>
> - Ben
>
> On Fri, 20 Aug 2004 downtime at slagheap.net wrote:
>
>>
>> Please pardon any user idiocy involved, but I applied the OpenBSD 3.4
>> patch to the 3.9 sources on both my i386 and sparc64 OpenBSD 3.4
>> boxes,
>> and get the same error:
>>
>> cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o
>> auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o uidswap.o
>> auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o
>> auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o
>> auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o
>> auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o
>> kexgexs.o
>> auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o
>> -L/usr/src/usr.bin/ssh/sshd/../lib/obj -lssh -lgssapi -lkrb5 -lkafs
>> -lcrypto -lutil -lz -ldes -lwrap
>> sshd.o: In function `main':
>> sshd.o(.text+0x1ed4): undefined reference to `closefrom'
>> sshd.o(.text+0x1ee4): undefined reference to `closefrom'
>> collect2: ld returned 1 exit status
>> *** Error code 1
>>
>> Stop in /usr/src/usr.bin/ssh/sshd (line 122 of
>> /usr/share/mk/bsd.prog.mk).
>> *** Error code 1
>>
>> Stop in /usr/src/usr.bin/ssh.
>>
>> What did I screw up?
>>
>> -peter
>>
>

From me at cb.ws Sat Aug 21 10:40:57 2004
From: me at cb.ws (me at cb.ws)
Date: Sat, 21 Aug 2004 01:40:57 +0100
Subject: BUG - ssh issue and variation - Plus implementation problem for linux
Message-ID: <4126A829.12973.B6C62D1@localhost>

Please have a look at:

http://www.experts-exchange.com/Networking/Linux_Networking/Q_21101467.html

and my responses to it. It is reasonably easy to get around the problem on Cygwin, and the Windows version with PuTTY doesn't appear to be a problem...but how is one supposed to deal with it on Linux. Perhaps a need to alter the sanity checks for the scp input args?

Best regards

Peter Edmond

From mdb at juniper.net Sat Aug 21 11:15:27 2004
From: mdb at juniper.net (Mark D. Baushke)
Date: Fri, 20 Aug 2004 18:15:27 -0700
Subject: BUG - ssh issue and variation - Plus implementation problem for linux
In-Reply-To: Mail from me@cb.ws dated Sat, 21 Aug 2004 01:40:57 BST <4126A829.12973.B6C62D1@localhost>
References: <4126A829.12973.B6C62D1@localhost>
Message-ID: <12988.1093050927@juniper.net>

In a standard URL syntax, @ may be replaced by %40, I suppose that might be an extension worth considering for sftp and/or scp... That is, you would use this command:

scp xxx.xxx%40xxx.com at ftp.xxxx.net:~/test.txt .

However, it may be easier for now to consider using $HOME/.ssh/config to help you in this case:

---------------
Host ftp.xxxx.net
User xxx.xxx at xxx.com
---------------

and the command would then be

scp ftp.xxxx.net:~/test.txt .

which is typically much easier to type as well.

Good luck,
-- Mark

me at cb.ws writes:

> Please have a look at:
>
> http://www.experts-exchange.com/Networking/Linux_Networking/Q_21101467.html
>
> and my responses to it. It is reasonably easy to
> get around the problem on Cygwin, and the windows
> version with putty doesn't appear to be a
> problem...but how is one supposed to deal with it
> in the linux. Perhaps a need to alter the sanity
> checks for the scp inpur args?

From selvesteen at hotpop.com Sat Aug 21 19:47:20 2004
From: selvesteen at hotpop.com (Michael selvesteen)
Date: Sat, 21 Aug 2004 15:17:20 +0530
Subject: openssh-unix-dev Digest, Vol 16, Issue 9
In-Reply-To: <20040816045111.F19A827C336@shitei.mindrot.org>
References: <20040816045111.F19A827C336@shitei.mindrot.org>
Message-ID: <41271A28.1040409@hotpop.com>

Hello,

We tested OpenSSH 3.9 on HP-UX platforms for PasswordAuthentication under PAM modules. We started the SSH daemon with the following settings:

Usepam yes
ChallengeResponseAuthentication yes
passwordauthentication yes

The client is invoked with ssh -o'Passwordauthentication yes' localhost -vvv. The debug traces show that the authentication succeeded as keyboard-interactive.

However, the expected output should be "password". Is it so?

Debug traces:

sshd:
debug2: load_server_config: filename /opt/ssh/etc/sshd_config
debug2: load_server_config: done config len = 331
debug2: parse_server_config: config /opt/ssh/etc/sshd_config len 331

ssh:
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 0
debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64)
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0

--
Michael

From dtucker at zip.com.au Sat Aug 21 20:01:09 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 21 Aug 2004 20:01:09 +1000
Subject: openssh-unix-dev Digest, Vol 16, Issue 9
In-Reply-To: <41271A28.1040409@hotpop.com>
References: <20040816045111.F19A827C336@shitei.mindrot.org> <41271A28.1040409@hotpop.com>
Message-ID: <41271D65.70601@zip.com.au>

Michael selvesteen wrote:
> We tested OpenSSH 3.9 in Hp-UX platforms for Passwordauthentication
> under PAM modules. We started the SSH Daemon with following settings:
>
> Usepam yes
> ChallengeResponseAuthentication yes
> passwordauthentication yes
>
> The client is invoked with ssh -o'Passwordauthentication yes' localhost
> -vvv. The debug traces shows that the authentication suceed as
> keyboard-interactive.
>
> However the expected output should be "password" . Is it so?

For SSHv2 connections, you need to set PreferredAuthentications rather than PasswordAuthentication. By default, PreferredAuthentications will try keyboard-interactive before password.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From me at cb.ws Sat Aug 21 22:16:33 2004
From: me at cb.ws (me at cb.ws)
Date: Sat, 21 Aug 2004 13:16:33 +0100
Subject: BUG - ssh issue and variation - Plus implementation problem for linux
In-Reply-To: <12988.1093050927@juniper.net>
References: Mail from me@cb.ws dated Sat, 21 Aug 2004 01:40:57 BST <4126A829.12973.B6C62D1@localhost>
Message-ID: <41274B31.14313.DE93C9F@localhost>

Thank you for the response. I've posted in the board, so that others can benefit from your comments as well.

Best regards

Peter

To: me at cb.ws
Copies to: openssh-unix-dev at mindrot.org
Subject: Re: BUG - ssh issue and variation - Plus implementation problem for linux
From: "Mark D. Baushke"
Date sent: Fri, 20 Aug 2004 18:15:27 -0700

> In a standard URL syntax, @ may be replaced by %40, I suppose that
> might be an extension worth considering for sftp and/or scp... That
> is, you would use this command:
>
> scp xxx.xxx%40xxx.com at ftp.xxxx.net:~/test.txt .
>
> However, it may be easier for now to consider using $HOME/.ssh/config
> to help you in this case:
>
> ---------------
> Host ftp.xxxx.net
> User xxx.xxx at xxx.com
> ---------------
>
> and the command would then be
>
> scp ftp.xxxx.net:~/test.txt .
>
> which is typically much easier to type as well.
>
> Good luck,
> -- Mark
>
> me at cb.ws writes:
>
> > Please have a look at:
> >
> > http://www.experts-exchange.com/Networking/Linux_Networking/Q_21101467.html
> >
> > and my responses to it. It is reasonably easy to
> > get around the problem on Cygwin, and the windows
> > version with putty doesn't appear to be a
> > problem...but how is one supposed to deal with it
> > in the linux. Perhaps a need to alter the sanity
> > checks for the scp inpur args?

From vinschen at redhat.com Mon Aug 23 03:21:31 2004
From: vinschen at redhat.com (Corinna Vinschen)
Date: Sun, 22 Aug 2004 19:21:31 +0200
Subject: [PATCH] openbsd-compat/mktemp.c: Compile time error with gcc 3.4
Message-ID: <20040822172131.GN27978@cygbert.vinschen.de>

Hi,

the below patch avoids a compile time error on Cygwin, when using gcc 3.4.x. The #ifdef is superfluous anyway.

Thanks,
Corinna

Index: openbsd-compat/mktemp.c
===================================================================
RCS file: /cvs/openssh_cvs/openbsd-compat/mktemp.c,v
retrieving revision 1.6
diff -p -u -r1.6 mktemp.c
--- openbsd-compat/mktemp.c	24 Nov 2003 02:33:34 -0000	1.6
+++ openbsd-compat/mktemp.c	22 Aug 2004 17:19:13 -0000
@@ -40,11 +40,6 @@
 static char rcsid[] = "$OpenBSD: mktemp.c,v 1.17 2003/06/02 20:18:37 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 
-#ifdef HAVE_CYGWIN
-#define open binary_open
-extern int binary_open();
-#endif
-
 static int _gettemp(char *, int *, int, int);
 
 int

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat, Inc.

From gfaber32 at yahoo.com Mon Aug 23 11:14:40 2004
From: gfaber32 at yahoo.com (George Faber)
Date: Sun, 22 Aug 2004 18:14:40 -0700 (PDT)
Subject: OOB packets and port forwarding
Message-ID: <20040823011440.62634.qmail@web41502.mail.yahoo.com>

I have an application that uses a 1-byte OOB packet for a heartbeat signal. It appears that openssh blocks these packets when I use it to forward to a remote port. The application works fine when connected to the server using the port forward, but all heartbeat packets are stripped out from the socket data.

Is this intentional? Is it a bug? I've tried several versions of openssh without success.

Any hints or help will be very appreciated.

Thanks,
George

From djm at mindrot.org Mon Aug 23 12:54:53 2004
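Review bot: the message says the `#ifdef HAVE_CYGWIN` block is superfluous, but the hunk does not show why. The removed `#define open binary_open` routed this file's open() calls through a Cygwin wrapper named binary_open, so the review should confirm that the temporary files this code creates are still opened in binary mode on Cygwin (or that a text-mode open is harmless here) before the block is dropped; a sentence in the commit message stating where that is now guaranteed would let later readers verify the removal.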
From: djm at mindrot.org (Damien Miller)
Date: Mon, 23 Aug 2004 12:54:53 +1000
Subject: OOB packets and port forwarding
In-Reply-To: <20040823011440.62634.qmail@web41502.mail.yahoo.com>
References: <20040823011440.62634.qmail@web41502.mail.yahoo.com>
Message-ID: <41295C7D.3000904@mindrot.org>

George Faber wrote:
> I have an application that uses a 1-byte OOB packet
> for a heartbeat signal. It appears that openssh blocks
> these packets when I use it to forward to a remote
> port.
> The application works fine when connected to the
> server
> using the port forward, but all heartbeat packets are
> stripped out from the socket data.
>
> Is this intentional? Is it a bug? I've tried several
> versions of openssh without success.
>
> Any hints or help will be very appreciated.

By OOB data, I presume you mean TCP segments with URG flag set? The SSH protocol does not have the means to preserve these across a port forwarding. It may be possible to add, but it would require a protocol extension, perhaps using SSH_MSG_CHANNEL_EXTENDED_DATA.

-d

From dtucker at zip.com.au Mon Aug 23 22:03:58 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 23 Aug 2004 22:03:58 +1000
Subject: SSHD Bug with Pam/Winbind on FreeBSD ver5.2
Message-ID: <4129DD2E.9000107@zip.com.au>

Doug Martin wrote:
>> Doug Martin wrote:
[...]
>>> Failed password for user from 192.168.1.21 port 3971 ssh2
>>> Failed password for user from 192.168.1.21 port 3971 ssh2
>
> This issue has not been resolved in version openssh-3.9p1
>
> Running in debug mode it just hangs at
> debug1: fd 11 setting O_NONBLOCK
> debug1: Setting controlling tty using TIOCSCTTY.
>
> That's less infromation then before.

Setting the controlling tty is post-authentication, so assuming you haven't changed your config then PAM+password authentication is working. What you're seeing is a different issue.

A couple of things to try: force the debug output to stderr ("/path/to/sshd -ddde") and also try without reexec ("-r").

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
From: bigtrail777 at yahoo.co.jp (bigtrail777 at yahoo.co.jp)
Date: Tue, 24 Aug 2004 05:14:23 +0900
Subject: =?iso-2022-jp?b?GyRCMys2SDxUJCxCMz1QJDckRiQkJF4kOSEqGyhC?=
Message-ID:

From mr349 at cam.ac.uk Tue Aug 24 18:30:10 2004
From: mr349 at cam.ac.uk (Mike Rose)
Date: Tue, 24 Aug 2004 09:30:10 +0100 (BST)
Subject: Possible problem with hostbased protocol 1 rhosts authentication
Message-ID:

I found this problem when working with the Suse9.1 distribution, but have
since reproduced it with a vanilla build of Openssh (openssh-3.9p1.tar.gz).
Basically I cannot get a command like this:

XXXX>ssh -vvv -1 -o "RhostsAuthentication yes" AAAA

to work. Yes, the appropriate settings are in the server's sshd_config file.

Hostbased protocol 1 ssh using rhosts between computers is something we
normally do as we have some Dec Alphas; otherwise we would only be using
protocol 2, which is fine for hostbased authent using rhosts.

"
ssh -vvv -1 -o "RhostsAuthentication yes" AAAA
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 1
debug1: Connecting to AAAA [AAAA] port 22.
debug1: Allocated local port 1023.
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /u/XXXXXX/mr/.ssh/identity type -1
debug1: Remote protocol version 1.5, remote software version 1.2.27
debug1: no match: 1.2.27
debug1: Local version string SSH-1.5-OpenSSH_3.8p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 73
debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 73
debug1: Host 'AAAA' is known and matches the RSA1 host key.
debug1: Found key in /u/XXXXXX/mr/.ssh/known_hosts:73
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug2: cipher_init: set keylen (16 -> 32)
debug2: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing password authentication.
mr at tcm30's password:
"

# This is ssh server systemwide configuration file.
"
Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh_host_key
RandomSeed /etc/ssh_random_seed
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 7200
PermitRootLogin yes
IgnoreRhosts no
StrictModes yes
QuietMode no
X11Forwarding yes
X11DisplayOffset 10
FascistLogging no
PrintMotd yes
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication yes
RhostsRSAAuthentication yes
RSAAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
UseLogin no
"

The rest of the detail is in the attached text file.

I hope that is enough info.

regards,

Mike Rose

-------------- next part --------------

1. How to reproduce:

XXXXX:~> ssh -vvv -1 -o "RhostsAuthentication yes" AAAA
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 1
debug1: Connecting to AAAA [AAAA] port 22.
debug1: Allocated local port 1023.
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /u/XXXXXX/mr/.ssh/identity type -1
debug1: Remote protocol version 1.5, remote software version 1.2.27
debug1: no match: 1.2.27
debug1: Local version string SSH-1.5-OpenSSH_3.8p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 73
debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 73
debug1: Host 'AAAA' is known and matches the RSA1 host key.
debug1: Found key in /u/XXXXXX/mr/.ssh/known_hosts:73
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug2: cipher_init: set keylen (16 -> 32)
debug2: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing password authentication.
mr at tcm30's password:

2. This is not working: rhosts based ssh using protocol 1.

3. Error messages and logfiles

The server is setup to accept hostbased authentication using rhosts:

sshd_config (from DEC Alpha):
"
# This is ssh server systemwide configuration file.
Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh_host_key
RandomSeed /etc/ssh_random_seed
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 7200
PermitRootLogin yes
IgnoreRhosts no
StrictModes yes
QuietMode no
X11Forwarding yes
X11DisplayOffset 10
FascistLogging no
PrintMotd yes
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication yes
RhostsRSAAuthentication yes
RSAAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
UseLogin no
"

The ssh_config file on the client:
"
# This is the ssh client system-wide configuration file.  See ssh(1)
# for more information.  This file provides defaults for users, and
# the values can be changed in per-user configuration files or on the
# command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication yes
#   RhostsRSAAuthentication yes
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   FallBackToRsh no
#   UseRsh no
#   BatchMode no
#   CheckHostIP yes
StrictHostKeyChecking no
UsePrivilegedPort yes
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~

Host *
ForwardX11 yes
# For version 2 hostbased authent using .rhosts/.shosts + known_host entry.
HostbasedAuthentication yes
ForwardX11Trusted yes
# For version 1 hostbased authentication to work
UsePrivilegedPort yes
"

rhosts based authent also does not work with protocol 1 from a Suse 9.1
computer to a Suse 9.1 computer.

sshd_config on suse ssh server:
"
# This is the sshd server system-wide configuration file.  See sshd(8)
# for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Changes start here, mr349, 07/01/2004

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
# Use AUTH mode so that ssh messages go into /var/log/messages
SyslogFacility AUTH
#SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
# We do not like this one to be turned on.
PubkeyAuthentication no
#AuthorizedKeysFile .ssh/authorized_keys

# Read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts no
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# (enabled in TCM)
RhostsRSAAuthentication yes
# similar for protocol version 2
# (enabled in TCM)
HostbasedAuthentication yes
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
# IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
# KerberosAuthentication automatically enabled if keyfile exists
#KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# AFSTokenPassing automatically enabled if k_hasafs() is true
#AFSTokenPassing yes

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
"

snippet from /var/adm/messages (on Dec Alpha):
"
Aug 24 09:05:41 AAAA sshd[126034]: connect from XXXX
Aug 24 09:05:41 AAAA sshd[126034]: log: Connection from XXXX port 38875
Aug 24 09:06:06 AAAA sshd[126034]: fatal: Connection closed by remote host.
"

Our Redhat 7.3 version of Openssh (the ssh exe) happily does protocol 1
hostbased authent from an RH7.3 computer to a DEC Alpha or from a RH7.3
computer to a Suse 9.1 computer.
In addition to this, if I use the RH7.3 ssh executable on a Suse 9.1
computer and ssh using protocol 1 to a RH7.3 computer or a DEC Alpha:
"
XXXX:/temp/mr> ./ssh -1 -v -F ./ssh_config BBBB
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x009060df
debug1: Reading configuration data ./ssh_config
debug1: restore_uid
debug1: ssh_connect: getuid 500 geteuid 0 anon 0
debug1: Connecting to BBBB [BBBB] port 22.
debug1: Allocated local port 1020.
debug1: temporarily_use_uid: 500/266 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /u/blah/mr/.ssh/identity type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.1p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'BBBB' is known and matches the RSA1 host key.
debug1: Found key in /u/blah/mr/.ssh/known_hosts:35
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying rhosts authentication.
debug1: Remote: Accepted for XXXX [XXXX] by /etc/hosts.equiv.
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: fd 3 setting TCP_NODELAY
debug1: Requesting shell.
debug1: Entering interactive session.
Last login: Tue Aug 24 09:12:45 2004 from XXXX
Unauthorised access forbidden (Computer Misuse Act 1990)
All IT Syndicate Rules apply to this system
Red Hat Linux release 7.3 (Valhalla)
Linux 2.4.20-34.7.legacy
BBBB:~>
"

The rh7.3 ssh executable will also perform protocol 1 hostbased authent from
a Suse9.1 computer to a Suse9.1 computer:
"
XXXX>./ssh -1 -v -F ./ssh_config BBBB
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x009060df
debug1: Reading configuration data ./ssh_config
debug1: restore_uid
debug1: ssh_connect: getuid 500 geteuid 0 anon 0
debug1: Connecting to BBBB [BBBB] port 22.
debug1: Allocated local port 1018.
debug1: temporarily_use_uid: 500/266 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /u/blah/mr/.ssh/identity type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8p1
debug1: match: OpenSSH_3.8p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.1p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'BBBB' is known and matches the RSA1 host key.
debug1: Found key in /u/blah/mr/.ssh/known_hosts:71
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
debug1: Remote: Accepted for XXXX [::ffff:XXXX] by /etc/hosts.equiv.
debug1: Received RSA challenge for host key from server.
debug1: Sending response to host key RSA challenge.
debug1: Remote: Rhosts with RSA host authentication accepted.
debug1: Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: fd 3 setting TCP_NODELAY
debug1: Requesting shell.
debug1: Entering interactive session.
Last login: Tue Aug 24 09:15:42 2004 from XXXX
Unauthorised access forbidden (Computer Misuse Act 1990)
All IT Syndicate Rules apply to this system
Suse Linux release 9.1
"

Maybe this is a problem with the newer version of Openssh??

From henriettamayer_md at dp.dk Tue Aug 24 23:54:40 2004
From: henriettamayer_md at dp.dk (Henrietta Mayer)
Date: Tue, 24 Aug 2004 09:54:40 -0400
Subject: Get discount drugs without prescription
Message-ID:

From hqnau at angelfire.com Wed Aug 25 04:13:35 2004
From: hqnau at angelfire.com (Marcia , MSc, MBA, PhD)
Date: Tue, 24 Aug 2004 11:13:35 -0700
Subject: your new student #
Message-ID:

From imorgan at nas.nasa.gov Wed Aug 25 02:01:43 2004
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Tue, 24 Aug 2004 09:01:43 -0700 (PDT)
Subject: Possible problem with hostbased protocol 1 rhosts authentication
In-Reply-To: from "Mike Rose" at Aug 24, 2004 09:30:10 AM
Message-ID: <200408241601.i7OG1irg009858@sun601.nas.nasa.gov>

On Tue Aug 24 01:30:10 2004, Mike Rose wrote:
>
> I found this problem when working with the Suse9.1 distribution, but have
> since reproduced it with a vanilla build of Openssh
> (openssh-3.9p1.tar.gz). Basically I cannot get a command like this:
>
> XXXX>ssh -vvv -1 -o "RhostsAuthentication yes" AAAA
>
> to work. Yes the appropriate settings are in the servers sshd_config file.
>
> Hostbased protocol 1 ssh using rhosts between computers is something we
> normally do as we have some Dec Alphas, otherwise we would only be using
> protocol 2 which is fine for hostbased authent using rhosts.

Do you mean RhostsRSAAuthentication? I believe that RhostsAuthentication was
dropped some time ago. Also, note that the ssh binary is no longer setuid root.
(It hasn't been for quite some time.)

For version 2, ssh uses the setuid root binary, ssh-keysign, when doing
Hostbased authentication. However, ssh does not use this binary when
using protocol 1. To use RhostsRSAAuthentication for any user other than root,
you must make the ssh binary setuid root and accept any risks thereof.

>
> "
> ssh -vvv -1 -o "RhostsAuthentication yes" AAAA
> OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 1
> debug1: Connecting to AAAA [AAAA] port 22.
> debug1: Allocated local port 1023.
> debug1: Connection established.
> debug1: read PEM private key done: type DSA
> debug1: read PEM private key done: type RSA
> debug1: identity file /u/XXXXXX/mr/.ssh/identity type -1
> debug1: Remote protocol version 1.5, remote software version 1.2.27
> debug1: no match: 1.2.27
> debug1: Local version string SSH-1.5-OpenSSH_3.8p1
> debug1: Waiting for server public key.
> debug1: Received server public key (768 bits) and host key (1024 bits).
> debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 73
> debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 73
> debug1: Host 'AAAA' is known and matches the RSA1 host key.
> debug1: Found key in /u/XXXXXX/mr/.ssh/known_hosts:73
> debug1: Encryption type: 3des
> debug1: Sent encrypted session key.
> debug2: cipher_init: set keylen (16 -> 32)
> debug2: cipher_init: set keylen (16 -> 32)
> debug1: Installing crc compensation attack detector.
> debug1: Received encrypted confirmation.
> debug1: Doing password authentication.
> mr at tcm30's password:
> "
>
> # This is ssh server systemwide configuration file.
> "
> Port 22
> ListenAddress 0.0.0.0
> HostKey /etc/ssh_host_key
> RandomSeed /etc/ssh_random_seed
> ServerKeyBits 768
> LoginGraceTime 600
> KeyRegenerationInterval 7200
> PermitRootLogin yes
> IgnoreRhosts no
> StrictModes yes
> QuietMode no
> X11Forwarding yes
> X11DisplayOffset 10
> FascistLogging no
> PrintMotd yes
> KeepAlive yes
> SyslogFacility DAEMON
> RhostsAuthentication yes
> RhostsRSAAuthentication yes
> RSAAuthentication no
> PasswordAuthentication yes
> PermitEmptyPasswords no
> UseLogin no
> "
>
>
> The rest of the detail is in the attached text file.
>
>
> I hope that is enough info.
>
> regards,
>
> Mike Rose

--
Iain Morgan
NAS Desktop Support Group

From myang at lexmark.com Wed Aug 25 08:19:04 2004
From: myang at lexmark.com (myang at lexmark.com)
Date: Tue, 24 Aug 2004 18:19:04 -0400
Subject: (no subject)
Message-ID:

From Robert.Dahlem at gmx.net Wed Aug 25 21:47:09 2004
From: Robert.Dahlem at gmx.net (Robert Dahlem)
Date: Wed, 25 Aug 2004 13:47:09 +0200
Subject: Default path to identity file
Message-ID: <20040825114425.2615127C187@shitei.mindrot.org>

Hi,

The name of the identity file defaults to what fill_default_options() in
readconf.c does:

SSH_PROTO_1: "~/%.100s", _PATH_SSH_CLIENT_IDENTITY
SSH_PROTO_2: "~/%.100s", _PATH_SSH_CLIENT_ID_RSA
             "~/%.100s", _PATH_SSH_CLIENT_ID_DSA

Identity files are always expanded by tilde_expand_filename() which gets
the name of the home directory from getpwuid(my_uid)->pw_dir.

This is not what I expect (well, hope :-) when my UID is 0 but I'm not
root.

In other words: my username is dahlem, my UID is 0, my HOME dir is
/home/dahlem. Ssh does not use /home/dahlem/.ssh/id_rsa but /.ssh/id_rsa.

When I use "slogin remote -l dahlem" on the server side sshd doesn't
search for my public key in /.ssh/authorized_keys but in
/home/dahlem/.ssh/authorized_keys. At least this is a little inconsistent.

It is not an alternative to define "IdentityFile /home/dahlem/.ssh/id_rsa"
in /home/dahlem/.ssh/config: ssh is consistent on this side and uses
/.ssh/config .

Would a patch to read the name of the configuration file from an
environment variable be accepted? I am able to provide such a patch.

Regards,
Robert

From mr349 at cam.ac.uk Wed Aug 25 22:46:13 2004
From: mr349 at cam.ac.uk (Mike Rose)
Date: Wed, 25 Aug 2004 13:46:13 +0100 (BST)
Subject: Possible problem with hostbased protocol 1 rhosts authentication
In-Reply-To: <200408241601.i7OG1irg009858@sun601.nas.nasa.gov>
References: <200408241601.i7OG1irg009858@sun601.nas.nasa.gov>
Message-ID:

> On Tue Aug 24 01:30:10 2004, Mike Rose wrote:
> >
> > I found this problem when working with the Suse9.1 distribution, but have
> > since reproduced it with a vanilla build of Openssh
> > (openssh-3.9p1.tar.gz). Basically I cannot get a command like this:
> >
> > XXXX>ssh -vvv -1 -o "RhostsAuthentication yes" AAAA
> >
> > to work. Yes the appropriate settings are in the servers sshd_config file.
> >
> > Hostbased protocol 1 ssh using rhosts between computers is something we
> > normally do as we have some Dec Alphas, otherwise we would only be using
> > protocol 2 which is fine for hostbased authent using rhosts.
>
> Do you mean RhostsRSAAuthentication? I believe that RhostsAuthentication was
> dropped some time ago. Also, note that the ssh binary is no longer setuid root.
> (It hasn't been for quite some time.)

Darn, yes, you are quite right.
ssh was setuid root for what I was trying.

>
> For version 2, ssh uses the setuid root binary, ssh-keysign, when doing
> Hostbased authentication. However, ssh does not use this binary when
> using protocol 1. To use RhostsRSAAuthentication for any user other than root,
> you must make the ssh binary setuid root and accept any risks therof.

Yup, we have had to until the last DEC stops.

Many thanks for your reply to silly me.

>
> >
> > "
> > ssh -vvv -1 -o "RhostsAuthentication yes" AAAA
> > OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: Applying options for *
> > debug2: ssh_connect: needpriv 1
> > debug1: Connecting to AAAA [AAAA] port 22.
> > debug1: Allocated local port 1023.
> > debug1: Connection established.
> > debug1: read PEM private key done: type DSA
> > debug1: read PEM private key done: type RSA
> > debug1: identity file /u/XXXXXX/mr/.ssh/identity type -1
> > debug1: Remote protocol version 1.5, remote software version 1.2.27
> > debug1: no match: 1.2.27
> > debug1: Local version string SSH-1.5-OpenSSH_3.8p1
> > debug1: Waiting for server public key.
> > debug1: Received server public key (768 bits) and host key (1024 bits).
> > debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts
> > debug3: check_host_in_hostfile: match line 73
> > debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts
> > debug3: check_host_in_hostfile: match line 73
> > debug1: Host 'AAAA' is known and matches the RSA1 host key.
> > debug1: Found key in /u/XXXXXX/mr/.ssh/known_hosts:73
> > debug1: Encryption type: 3des
> > debug1: Sent encrypted session key.
> > debug2: cipher_init: set keylen (16 -> 32)
> > debug2: cipher_init: set keylen (16 -> 32)
> > debug1: Installing crc compensation attack detector.
> > debug1: Received encrypted confirmation.
> > debug1: Doing password authentication.
> > mr at tcm30's password:
> > "
> >
> > # This is ssh server systemwide configuration file.
> > "
> > Port 22
> > ListenAddress 0.0.0.0
> > HostKey /etc/ssh_host_key
> > RandomSeed /etc/ssh_random_seed
> > ServerKeyBits 768
> > LoginGraceTime 600
> > KeyRegenerationInterval 7200
> > PermitRootLogin yes
> > IgnoreRhosts no
> > StrictModes yes
> > QuietMode no
> > X11Forwarding yes
> > X11DisplayOffset 10
> > FascistLogging no
> > PrintMotd yes
> > KeepAlive yes
> > SyslogFacility DAEMON
> > RhostsAuthentication yes
> > RhostsRSAAuthentication yes
> > RSAAuthentication no
> > PasswordAuthentication yes
> > PermitEmptyPasswords no
> > UseLogin no
> > "
> >
> >
> > The rest of the detail is in the attached text file.
> >
> >
> > I hope that is enough info.
> >
> > regards,
> >
> > Mike Rose
>
>
> --
> Iain Morgan
> NAS Desktop Support Group
>

From mr349 at cam.ac.uk Wed Aug 25 23:43:26 2004
From: mr349 at cam.ac.uk (Mike Rose)
Date: Wed, 25 Aug 2004 14:43:26 +0100 (BST)
Subject: Possible problem with hostbased protocol 1 rhosts authentication
In-Reply-To:
References: <200408241601.i7OG1irg009858@sun601.nas.nasa.gov>
Message-ID:

What about this section of man ssh:

"
SSH protocol version 1

First, if the machine the user logs in from is listed in /etc/hosts.equiv
or /etc/ssh/shosts.equiv on the remote machine, and the user names are the
same on both sides, the user is immediately permitted to log in. Second,
if .rhosts or .shosts exists in the user's home directory on the remote
machine and contains a line containing the name of the client machine and
the name of the user on that machine, the user is permitted to log in.
This form of authentication alone is normally not allowed by the server
because it is not secure.
"

Am I being silly or does this part of man ssh need to be edited slightly to
say that host keys also need to be used (/etc/ssh/ssh_known_hosts for
example):

"
debug1: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
debug1: Remote: Accepted for XXXX [XXXX] by /etc/hosts.equiv.
debug1: Remote: Your host key cannot be verified: unknown or invalid host key.
debug1: Server refused our rhosts authentication or host key.

On Wed, 25 Aug 2004, Mike Rose wrote:

> > On Tue Aug 24 01:30:10 2004, Mike Rose wrote:
> > >
> > > I found this problem when working with the Suse9.1 distribution, but have
> > > since reproduced it with a vanilla build of Openssh
> > > (openssh-3.9p1.tar.gz). Basically I cannot get a command like this:
> > >
> > > XXXX>ssh -vvv -1 -o "RhostsAuthentication yes" AAAA
> > >
> > > to work. Yes the appropriate settings are in the servers sshd_config file.
> > >
> > > Hostbased protocol 1 ssh using rhosts between computers is something we
> > > normally do as we have some Dec Alphas, otherwise we would only be using
> > > protocol 2 which is fine for hostbased authent using rhosts.
> >
> > Do you mean RhostsRSAAuthentication? I believe that RhostsAuthentication was
> > dropped some time ago. Also, note that the ssh binary is no longer setuid root.
> > (It hasn't been for quite some time.)
>
> Darn, yes, you are quite right.
> ssh was setuid root for what I was trying.
>
> >
> > For version 2, ssh uses the setuid root binary, ssh-keysign, when doing
> > Hostbased authentication. However, ssh does not use this binary when
> > using protocol 1. To use RhostsRSAAuthentication for any user other than root,
> > you must make the ssh binary setuid root and accept any risks therof.
>
> Yup, we have had to until the last DEC stops.
>
> Many thanks for your reply to silly me.
>
>
> >
> > >
> > > "
> > > ssh -vvv -1 -o "RhostsAuthentication yes" AAAA
> > > OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
> > > debug1: Reading configuration data /etc/ssh/ssh_config
> > > debug1: Applying options for *
> > > debug2: ssh_connect: needpriv 1
> > > debug1: Connecting to AAAA [AAAA] port 22.
> > > debug1: Allocated local port 1023.
> > > debug1: Connection established.
> > > debug1: read PEM private key done: type DSA
> > > debug1: read PEM private key done: type RSA
> > > debug1: identity file /u/XXXXXX/mr/.ssh/identity type -1
> > > debug1: Remote protocol version 1.5, remote software version 1.2.27
> > > debug1: no match: 1.2.27
> > > debug1: Local version string SSH-1.5-OpenSSH_3.8p1
> > > debug1: Waiting for server public key.
> > > debug1: Received server public key (768 bits) and host key (1024 bits).
> > > debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts
> > > debug3: check_host_in_hostfile: match line 73
> > > debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts
> > > debug3: check_host_in_hostfile: match line 73
> > > debug1: Host 'AAAA' is known and matches the RSA1 host key.
> > > debug1: Found key in /u/XXXXXX/mr/.ssh/known_hosts:73
> > > debug1: Encryption type: 3des
> > > debug1: Sent encrypted session key.
> > > debug2: cipher_init: set keylen (16 -> 32)
> > > debug2: cipher_init: set keylen (16 -> 32)
> > > debug1: Installing crc compensation attack detector.
> > > debug1: Received encrypted confirmation.
> > > debug1: Doing password authentication.
> > > mr at tcm30's password:
> > > "
> > >
> > > # This is ssh server systemwide configuration file.
> > > "
> > > Port 22
> > > ListenAddress 0.0.0.0
> > > HostKey /etc/ssh_host_key
> > > RandomSeed /etc/ssh_random_seed
> > > ServerKeyBits 768
> > > LoginGraceTime 600
> > > KeyRegenerationInterval 7200
> > > PermitRootLogin yes
> > > IgnoreRhosts no
> > > StrictModes yes
> > > QuietMode no
> > > X11Forwarding yes
> > > X11DisplayOffset 10
> > > FascistLogging no
> > > PrintMotd yes
> > > KeepAlive yes
> > > SyslogFacility DAEMON
> > > RhostsAuthentication yes
> > > RhostsRSAAuthentication yes
> > > RSAAuthentication no
> > > PasswordAuthentication yes
> > > PermitEmptyPasswords no
> > > UseLogin no
> > > "
> > >
> > >
> > > The rest of the detail is in the attached text file.
> > >
> > >
> > > I hope that is enough info.
> > >
> > > regards,
> > >
> > > Mike Rose
> > >
> > >
> > --
> > Iain Morgan
> > NAS Desktop Support Group
> >
>

From mouring at etoh.eviladmin.org Thu Aug 26 00:47:02 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 25 Aug 2004 09:47:02 -0500 (CDT)
Subject: Default path to identity file
In-Reply-To: <20040825114425.2615127C187@shitei.mindrot.org>
Message-ID:

On Wed, 25 Aug 2004, Robert Dahlem wrote:

[..]
>
> Identity files are always expanded by tilde_expand_filename() which gets
> the name of the home directory from getpwuid(my_uid)->pw_dir.
>
> This is not what I expect (well, hope :-) when my UID is 0 but I'm not
> root.
>

It's in bad form to have more than one UID 0 account. Heck, any duplicate
UID in general. A lot of software can't correctly identify which user, and
thus it will assume the first one found in a linear search of the password
file.

- Ben

From Robert.Dahlem at gmx.net Thu Aug 26 01:32:07 2004
From: Robert.Dahlem at gmx.net (Robert Dahlem)
Date: Wed, 25 Aug 2004 17:32:07 +0200
Subject: Default path to identity file
In-Reply-To:
Message-ID: <20040825152916.9074527C187@shitei.mindrot.org>

On Wed, 25 Aug 2004 09:47:02 -0500 (CDT), Ben Lindstrom wrote:

>> Identity files are always expanded by tilde_expand_filename() which
>> gets the name of the home directory from getpwuid(my_uid)->pw_dir.
>>
>> This is not what I expect (well, hope :-) when my UID is 0 but I'm not
>> root.

>It's in bad form to have more than one UID 0 account. Heck any duplicate
>UID in general. A lot of software can't correctly identify which users
>and thus it will assume the first one found in a linear search of the
>password file.

Tell the suits. :-(

Requirement is to not administrate as root but under an account for the
use of one single named person.

There is a German saying "vom Regen in die Traufe kommen", which
dict.leo.org translates to "out of the frying pan into the fire". You get
it?

Regards,
Robert

From Robert.Dahlem at gmx.net Thu Aug 26 03:29:22 2004
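The getpwuid()/getpwnam() asymmetry behind this thread, as an added illustration (not OpenSSH code, and not anything posted above): a minimal passwd(5) reader over constructed sample data in which two accounts share UID 0. A lookup keyed on the UID that scans the file in order returns the first UID-0 entry, which is the linear-search behaviour Ben describes and what tilde_expand_filename() gets via getpwuid(); a lookup keyed on the login name returns that account's home directory, which is what sshd uses for authorized_keys. The audit routine reports duplicate UIDs so the condition can be found before it causes this kind of inconsistency. All names, homes and UIDs in the sample are constructed; the program and its function names are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenSSH code: minimal passwd(5) reader plus a
 * duplicate-UID audit, over constructed sample data. */

#define MAX_ENTRIES 16

struct pw_entry {
	char name[32];
	unsigned uid;
	char home[64];
};

/* Constructed sample: two accounts share UID 0, as in the report. */
static const char sample_passwd[] =
	"root:x:0:0:root:/root:/bin/sh\n"
	"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
	"dahlem:x:0:0:Robert Dahlem:/home/dahlem:/bin/sh\n"
	"alice:x:1000:1000:Alice:/home/alice:/bin/sh\n";

/* Parses passwd-format text (name:passwd:uid:gid:gecos:home:shell) into
 * out[]; returns the entry count, or -1 on a malformed line. */
static int parse_passwd(const char *text, struct pw_entry *out, int max)
{
	int n = 0;

	while (*text != '\0') {
		char buf[256], *field[7], *p, *end;
		const char *nl = strchr(text, '\n');
		size_t len = nl ? (size_t)(nl - text) : strlen(text);
		unsigned long uid;
		int i;

		if (len >= sizeof buf || n >= max)
			return -1;
		memcpy(buf, text, len);
		buf[len] = '\0';
		text = nl ? nl + 1 : text + len;
		if (len == 0)
			continue; /* blank line */
		p = buf; /* split in place on ':'; exactly seven fields */
		for (i = 0; i < 7; i++) {
			char *colon = strchr(p, ':');

			field[i] = p;
			if (colon == NULL) {
				if (i != 6)
					return -1; /* too few fields */
			} else {
				if (i == 6)
					return -1; /* too many fields */
				*colon = '\0';
				p = colon + 1;
			}
		}
		uid = strtoul(field[2], &end, 10);
		if (field[2][0] == '\0' || *end != '\0')
			return -1; /* uid must be purely numeric */
		if (strlen(field[0]) >= sizeof out[n].name ||
		    strlen(field[5]) >= sizeof out[n].home)
			return -1;
		strcpy(out[n].name, field[0]);
		out[n].uid = (unsigned)uid;
		strcpy(out[n].home, field[5]);
		n++;
	}
	return n;
}

/* First entry with this UID in file order: what a linear scan of the
 * password file yields when UIDs are duplicated. NULL if absent. */
static const struct pw_entry *lookup_uid(const struct pw_entry *e, int n,
    unsigned uid)
{
	int i;

	for (i = 0; i < n; i++)
		if (e[i].uid == uid)
			return &e[i];
	return NULL;
}

/* Entry with this login name (the getpwnam() key). NULL if absent. */
static const struct pw_entry *lookup_name(const struct pw_entry *e, int n,
    const char *name)
{
	int i;

	for (i = 0; i < n; i++)
		if (strcmp(e[i].name, name) == 0)
			return &e[i];
	return NULL;
}

/* Audit: stores each UID that occurs more than once (once per UID, in
 * first-occurrence order) into dups[]; returns the count, -1 if max hit. */
static int duplicate_uids(const struct pw_entry *e, int n, unsigned *dups,
    int max)
{
	int i, j, count = 0;

	for (i = 0; i < n; i++) {
		int seen_before = 0, seen_after = 0;

		for (j = 0; j < i; j++)
			seen_before |= (e[j].uid == e[i].uid);
		for (j = i + 1; j < n; j++)
			seen_after |= (e[j].uid == e[i].uid);
		if (!seen_before && seen_after) {
			if (count >= max)
				return -1;
			dups[count++] = e[i].uid;
		}
	}
	return count;
}

int main(void)
{
	struct pw_entry e[MAX_ENTRIES];
	unsigned dups[MAX_ENTRIES];
	int n = parse_passwd(sample_passwd, e, MAX_ENTRIES), d, i;

	if (n < 0)
		return 1;
	printf("home by uid 0:       %s\n", lookup_uid(e, n, 0)->home);
	printf("home by name dahlem: %s\n", lookup_name(e, n, "dahlem")->home);
	d = duplicate_uids(e, n, dups, MAX_ENTRIES);
	for (i = 0; i < d; i++)
		printf("duplicate uid: %u\n", dups[i]);
	return 0;
}
```

On the sample, the UID-keyed lookup gives /root while the name-keyed lookup for dahlem gives /home/dahlem, which is exactly the client-side versus server-side mismatch Robert reports; the audit flags UID 0 as duplicated.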
From: Robert.Dahlem at gmx.net (Robert Dahlem)
Date: Wed, 25 Aug 2004 19:29:22 +0200
Subject: sshd 3.9p1 under Reliant Unix 5.45: getpeername: Operation not supported on transport endpoint
Message-ID: <20040825172631.77AD527C189@shitei.mindrot.org>

The following is special to sshd 3.9p1 under ReliantUnix 5.45. It does
not occur under ReliantUnix 5.43 nor under Solaris 5.8:

`pwd`/sshd-3.9 -e -D -d -d -d

Now connecting from outside

[...]
debug1: inetd sockets after dupping: 3, 3
debug1: get_port() calls get_sock_port(3)
debug1: getpeername failed: Operation not supported on transport endpoint

lsof proves FD 3 is an established TCP connection.

It does not occur when sshd is started with -r to prevent usage of the new
re-exec mechanism.

I'm pretty sure it's something weird with ReliantUnix 5.45 concerning
inherited sockets.

Anyone here having a pointer where to start the chase?

Regards,
Robert

From tim at multitalents.net Thu Aug 26 03:50:57 2004
From: tim at multitalents.net (Tim Rice)
Date: Wed, 25 Aug 2004 10:50:57 -0700 (PDT)
Subject: sshd 3.9p1 under Reliant Unix 5.45: getpeername: Operation not supported on transport endpoint
In-Reply-To: <20040825172631.77AD527C189@shitei.mindrot.org>
References: <20040825172631.77AD527C189@shitei.mindrot.org>
Message-ID:

On Wed, 25 Aug 2004, Robert Dahlem wrote:

>
> The following is special to sshd 3.9p1 under ReliantUnix 5.45. It does
> not occur under ReliantUnix 5.43 nor under Solaris 5.8:
[snip]
> Anyone here having a pointer where to start the chase?

Send us the output of configure starting with
OpenSSH has been configured with the following options:

>
> Regards,
> Robert
>

--
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net

From dave-openssh-post-20040825 at centerclick.org Thu Aug 26 08:14:50 2004
From: dave-openssh-post-20040825 at centerclick.org (Dave Johnson)
Date: Wed, 25 Aug 2004 18:14:50 -0400
Subject: [patch] sshd with re-exec disabled causes stdin to get closed.
Message-ID: <16685.3930.901849.334013@wellington.i202.centerclick.org>

I ran into a bug while testing 3.9p1.

If you start sshd with -r (re-exec disabled), once the daemon is
forked to handle a client, the child closes stdin by accident.

This causes FD 0 to get re-used by the next open call which eventually
you end up with a mess. In the particular case I saw, the pty fd
ended up on FD 0 was closed by do_exec_pty(),
pty_make_controlling_tty() then opened a new ttyfd as 0, and
do_exec_pty() duped it dup2(0,0), dup2(0,1), dup2(0,2), then called
close(ttyfd); which closed 0!

Patch against openssh-3.9p1 is attached.

-- 
Dave

From Robert.Dahlem at gmx.net Thu Aug 26 16:15:43 2004
From: Robert.Dahlem at gmx.net (Robert Dahlem)
Date: Thu, 26 Aug 2004 08:15:43 +0200
Subject: sshd 3.9p1 under Reliant Unix 5.45: getpeername: Operation not supported on transport endpoint
In-Reply-To: 
Message-ID: <20040826061252.9E32E27C187@shitei.mindrot.org>

On Wed, 25 Aug 2004 10:50:57 -0700 (PDT), Tim Rice wrote:

>> The following is special to sshd 3.9p1 under ReliantUnix 5.45. It does
>> not occur under ReliantUnix 5.43 nor under Solaris 5.8:
>[snip]
>> Anyone here having a pointer where to start the chase?

>Send us the output of configure starting with
> OpenSSH has been configured with the following options:

Here we go:

OpenSSH has been configured with the following options:
                     User binaries: /opt/bin
                   System binaries: /opt/bin
               Configuration files: /etc/ssh
                   Askpass program: /opt/bin/ssh-askpass
                      Manual pages: /usr/share/man/manX
                          PID file: /etc/ssh
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/bin
(If PATH is set in /etc/default/login it will be used instead. If
used, ensure the path to scp is present, otherwise scp will not work.)
                    Manpage format: man
                       PAM support: no
                 KerberosV support: no
                 Smartcard support: no
                     S/KEY support: no
              TCP Wrappers support: no
              MD5 password support: no
       IP address in $DISPLAY hack: yes
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY

              Host: mips-sni-sysv4
          Compiler: cc
    Compiler flags: -O
Preprocessor flags: -I/opt/lib/ssl/include
      Linker flags: -L/opt/lib/ssl/lib -s
         Libraries: -lcrypto -lz -lsocket -lnsl -ldl -lgen -lresolv

SVR4 style packages are supported with "make package"

WARNING: the operating system that you are using does not appear to
support either the getpeereid() API nor the SO_PEERCRED getsockopt()
option. These facilities are used to enforce security checks to
prevent unauthorised connections to ssh-agent. Their absence increases
the risk that a malicious user can connect to your agent.
Regards,
Robert

From flash at itp.tu-graz.ac.at Thu Aug 26 16:59:16 2004
From: flash at itp.tu-graz.ac.at (Christian Pfaffel)
Date: 26 Aug 2004 08:59:16 +0200
Subject: Default path to identity file
In-Reply-To: <20040825152916.9074527C187@shitei.mindrot.org>
References: <20040825152916.9074527C187@shitei.mindrot.org>
Message-ID: <7gr7pupepn.fsf@faeppc20.tu-graz.ac.at>

"Robert Dahlem" writes:

> On Wed, 25 Aug 2004 09:47:02 -0500 (CDT), Ben Lindstrom wrote:
>
> >> Identity files are always expanded by tilde_expand_filename() which
> >> gets the name of the home directory from getpwuid(my_uid)->pw_dir.
> >>
> >> This is not what I expect (well, hope :-) when my UID is 0 but I'm not
> >> root.
>
> >It's in bad form to have more than one UID 0 account. Heck any duplicate
> >UID in general. A lot of software can't correctly identify which users
> >and thus it will assume the first one found in a linear search of the
> >password file.
>
> Tell the suits. :-( Requirement is to not administrate as root but under
> an account for the use of one single named person. There is a german
> saying "vom Regen in die Traufe kommen", which dict.leo.org translates to
> "out of the frying pan into the fire". You get it?
>
> Regards,
> Robert
>

If you feel lucky you could try to code something like that for ssh.c

    char *logname;
    logname = getlogin();

change the calls in load_public_identity_files(void) from
tilde_expand_filename() to
tilde_expand_filename(...,original_real_uid,logname)

hack tilde_expand to use getpwnam() instead of getpwuid() if
original_real_uid = 0

I would not do that though. Maybe it is just simpler/safer (see
getlogin(3)) to talk the suits into adjusting their policy.

regards,
Christian

-- 
Christian Pfaffel                    Technische Universität Graz
Telefon: +43 / 316 / 873 - 81 90     Institut für Theoretische Physik
Telefax: +43 / 316 / 873 - 86 78     Petersgasse 16, A-8010 Graz
http://fubphpc.tu-graz.ac.at/~flash/pubkey.gpg

From djm at mindrot.org Thu Aug 26 20:48:19 2004
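To make the behaviour discussed in this thread concrete, here is an added example (not OpenSSH code, and not Christian's sketch) of why a home-directory lookup keyed on the UID picks the "wrong" account when two passwd entries share UID 0, and how a lookup keyed on the login name differs. The passwd table is constructed for the demo; the libc getpwuid()/getpwnam() functions walk /etc/passwd in the same first-match order. The account names and paths are assumptions, not taken from any real system.

```c
/*
 * Added example, not OpenSSH code: first-match lookup by UID versus lookup
 * by login name on a passwd table with a duplicated UID 0.  The table is
 * constructed for the demo.
 */
#include <stdio.h>
#include <string.h>

struct pw_entry {
    const char *name;
    unsigned    uid;
    const char *dir;
};

/* Constructed sample: "root" plus a personal UID-0 admin account. */
static const struct pw_entry sample_passwd[] = {
    { "root",   0,    "/root" },
    { "robert", 0,    "/home/robert" },
    { "tim",    1001, "/home/tim" },
};
#define SAMPLE_N (sizeof sample_passwd / sizeof sample_passwd[0])

/* Linear search by UID, first match wins: what getpwuid() does. */
const struct pw_entry *lookup_by_uid(unsigned uid)
{
    for (size_t i = 0; i < SAMPLE_N; i++)
        if (sample_passwd[i].uid == uid)
            return &sample_passwd[i];
    return NULL;
}

/* Linear search by login name: what getpwnam() does. */
const struct pw_entry *lookup_by_name(const char *name)
{
    for (size_t i = 0; i < SAMPLE_N; i++)
        if (strcmp(sample_passwd[i].name, name) == 0)
            return &sample_passwd[i];
    return NULL;
}

/* Audit helper: how many entries carry this UID?  More than one is the
 * "bad form" case; a lookup by UID can then only ever find the first. */
size_t count_uid(unsigned uid)
{
    size_t n = 0;
    for (size_t i = 0; i < SAMPLE_N; i++)
        if (sample_passwd[i].uid == uid)
            n++;
    return n;
}

/*
 * Expand a leading "~/" in an identity-file path into out[].  Prefers the
 * login name when one is known and falls back to the UID otherwise, which
 * is the plain getpwuid() behaviour.  Returns out, or NULL when no entry
 * matched or the result does not fit.
 */
char *expand_tilde(const char *path, const char *login, unsigned uid,
                   char *out, size_t outlen)
{
    const struct pw_entry *pw = login ? lookup_by_name(login) : NULL;
    int n;

    if (pw == NULL)
        pw = lookup_by_uid(uid);
    if (pw == NULL)
        return NULL;
    if (strncmp(path, "~/", 2) != 0)
        n = snprintf(out, outlen, "%s", path);            /* nothing to expand */
    else
        n = snprintf(out, outlen, "%s/%s", pw->dir, path + 2);
    return (n < 0 || (size_t)n >= outlen) ? NULL : out;
}

/* Same, with a static buffer, for quick checks. */
const char *expand_tilde_demo(const char *path, const char *login, unsigned uid)
{
    static char buf[256];
    return expand_tilde(path, login, uid, buf, sizeof buf);
}

int main(void)
{
    printf("by uid 0:           %s\n", expand_tilde_demo("~/.ssh/id_dsa", NULL, 0));
    printf("by login 'robert':  %s\n", expand_tilde_demo("~/.ssh/id_dsa", "robert", 0));
    printf("entries with uid 0: %zu\n", count_uid(0));
    return 0;
}
```

The UID path always lands on /root because "root" comes first in the table; the name path finds /home/robert. Note that the name route is only as trustworthy as getlogin(3), which is the caveat Christian points to.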
From: djm at mindrot.org (Damien Miller)
Date: Thu, 26 Aug 2004 20:48:19 +1000
Subject: [patch] sshd with re-exec disabled causes stdin to get closed.
In-Reply-To: <16685.3930.901849.334013@wellington.i202.centerclick.org>
References: <16685.3930.901849.334013@wellington.i202.centerclick.org>
Message-ID: <412DBFF3.5060508@mindrot.org>

Dave Johnson wrote:

> I ran into a bug while testing 3.9p1.
>
> If you start sshd with -r (re-exec disabled), once the daemon is
> forked to handle a client, the child closes stdin by accident.
>
> This causes FD 0 to get re-used by the next open call which eventually
> you end up with a mess. In the particular case I saw, the pty fd
> ended up on FD 0 was closed by do_exec_pty(),
> pty_make_controlling_tty() then opened a new ttyfd as 0, and
> do_exec_pty() duped it dup2(0,0), dup2(0,1), dup2(0,2), then called
> close(ttyfd); which closed 0!
>
> Patch against openssh-3.9p1 is attached.

Could you resend the patch or post it on a website (or bugzilla) - the
mailing list server eats any attachments that aren't text/plain.

-d

From clifford at clifford.at Thu Aug 26 22:16:38 2004
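The descriptor-number hazard Dave describes is easy to reproduce outside sshd. The following is an added example, not OpenSSH code and not Dave's patch: it replays the sequence in a forked child (so the parent's own stdin is untouched), with /dev/null standing in for the pty, and shows two guards: never close the source fd when it is one of the dup2() targets, and keep fds 0..2 open before opening anything else. Function names are the example's own.

```c
/*
 * Added example, not OpenSSH code: once fd 0 has been closed by accident,
 * the next open() returns 0, and a dup2()/close() sequence written on the
 * assumption that the tty fd is "some high number" closes fd 0 right after
 * installing the tty there.
 */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd refers to an open file, 0 otherwise. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Make sure 0, 1 and 2 are open, pointing closed ones at /dev/null.
 * Returns how many had to be filled, or -1 on error. */
int ensure_std_fds(void)
{
    int filled = 0;

    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd < 0)
            return -1;
        if (nfd != fd) {                /* should not happen, but be safe */
            if (dup2(nfd, fd) < 0) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        filled++;
    }
    return filled;
}

/* The sequence from the report: install ttyfd on 0, 1, 2 and close it.
 * When ttyfd happens to be 0, the final close() takes stdin away again. */
int attach_tty_unsafe(int ttyfd)
{
    if (dup2(ttyfd, 0) < 0 || dup2(ttyfd, 1) < 0 || dup2(ttyfd, 2) < 0)
        return -1;
    close(ttyfd);
    return 0;
}

/* Same, but only close the source when it is not one of the targets. */
int attach_tty_safe(int ttyfd)
{
    if (dup2(ttyfd, 0) < 0 || dup2(ttyfd, 1) < 0 || dup2(ttyfd, 2) < 0)
        return -1;
    if (ttyfd > 2)
        close(ttyfd);
    return 0;
}

/*
 * Run one scenario in a child:
 *   mode 0: close stdin, open the "tty" (lands on fd 0), attach unsafely
 *   mode 1: same, but attach safely
 *   mode 2: close stdin, repair with ensure_std_fds(), then attach unsafely
 * Returns 1 if fd 0 is still open at the end, 0 if it was closed,
 * -1 on a setup failure.
 */
int simulate(int mode)
{
    pid_t pid = fork();
    int status;

    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(0);                                   /* the accidental close */
        if (mode == 2 && ensure_std_fds() < 0)
            _exit(2);
        int ttyfd = open("/dev/null", O_RDWR);      /* lowest free fd */
        if (ttyfd < 0)
            _exit(2);
        int rc = (mode == 1) ? attach_tty_safe(ttyfd) : attach_tty_unsafe(ttyfd);
        if (rc < 0)
            _exit(2);
        _exit(fd_is_open(0) ? 1 : 0);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 2)
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("unsafe attach, stdin closed:  fd 0 open afterwards = %d\n", simulate(0));
    printf("safe attach, stdin closed:    fd 0 open afterwards = %d\n", simulate(1));
    printf("unsafe attach after repair:   fd 0 open afterwards = %d\n", simulate(2));
    return 0;
}
```

Mode 0 is the bug as reported; mode 1 is the minimal local fix; mode 2 shows why a daemon should pin 0..2 to /dev/null early, so that later code never sees a "real" file land on a standard descriptor.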
From: clifford at clifford.at (Clifford Wolf)
Date: Thu, 26 Aug 2004 14:16:38 +0200
Subject: OpenSSH PATCH: OpenCommand and CloseCommand
Message-ID: <20040826121638.GB18450@clifford.at>

Hi,

the attached patch adds support for the keywords "OpenCommand" and
"CloseCommand" to ssh_config. They are commands which are executed before
the connection is established (or ProxyCommand started) and after the
connection has been closed (or ProxyCommand ended).

this is useful for stuff like portknocking or (that's what I wrote the
patch for) talking with trapdoor2 (http://oss.linbit.com/trapdoor2/).

it would be great to see that patch applied (or comparable functionality
implemented) in one of the coming openssh releases.

yours,
 - clifford

PS: I'm not subscribed to this list, so please CC me on replies.

-- 
____ ___ ____ _ __ _ _ www.rocklinux.org | _ \ / _ \ / ___| |/ / | | (_)_ __ _ ___ __ | |_) | | | | | | ' / | | | | '_ \| | | \ \/ / | _ <| |_| | |___| . \ | |___| | | | | |_| |> < Clifford Wolf |_| \_\\___/ \____|_|\_\ |_____|_|_| |_|\__,_/_/\_\ www.clifford.at
checking whether the linker (ld -static) supports shared libraries... yes
-------------- next part --------------
This is a patch for OpenSSH 3.8p1 by Clifford Wolf
=========================================================================

This patch adds OpenCommand and CloseCommand keywords to ssh_config. These
commands are run before the connection is established and after it has
been closed. It can be used e.g. to open trapdoors or establish tunnels.
openssh-3.8p1/readconf.c | 20 +++++++++- openssh-3.8p1/readconf.h | 2 + openssh-3.8p1/ssh.0 | 2 + openssh-3.8p1/ssh.1 | 2 + openssh-3.8p1/ssh.c | 10 +++++ openssh-3.8p1/ssh_config.0 | 13 ++++++ openssh-3.8p1/ssh_config.5 | 18 +++++++++ openssh-3.8p1/sshconnect.c | 87 +++++++++++++++++++++++++++++++++++++++++++++ openssh-3.8p1/sshconnect.h | 4 ++ 9 files changed, 156 insertions(+), 2 deletions(-) Index: ssh.1 --- openssh-3.8p1.orig/ssh.1 (.../.transvn:beginning) (revision 25) +++ openssh-3.8p1/ssh.1 (revision 25) @@ -614,6 +614,7 @@ .It CheckHostIP .It Cipher .It Ciphers +.It CloseCommand .It ClearAllForwardings .It Compression .It CompressionLevel @@ -639,6 +640,7 @@ .It MACs .It NoHostAuthenticationForLocalhost .It NumberOfPasswordPrompts +.It OpenCommand .It PasswordAuthentication .It Port .It PreferredAuthentications Index: sshconnect.h --- openssh-3.8p1.orig/sshconnect.h (.../.transvn:beginning) (revision 25) +++ openssh-3.8p1/sshconnect.h (revision 25) @@ -34,6 +34,10 @@ }; int +ssh_run_command(const char *type, const char *host, u_short port, + const char *run_command); + +int ssh_connect(const char *, struct sockaddr_storage *, u_short, int, int, int, const char *); Index: ssh.c --- openssh-3.8p1.orig/ssh.c (.../.transvn:beginning) (revision 25) +++ openssh-3.8p1/ssh.c (revision 25) @@ -606,6 +606,11 @@ strcmp(options.proxy_command, "none") == 0) options.proxy_command = NULL; + /* Execute open command, if set */ + if (options.open_command != NULL && + strcmp(options.open_command, "none") != 0) + ssh_run_command("open", host, options.port, options.open_command); + /* Open a connection to the remote host. */ if (ssh_connect(host, &hostaddr, options.port, options.address_family, options.connection_attempts, 
@@ -725,6 +730,11 @@ if (proxy_command_pid > 1) kill(proxy_command_pid, SIGHUP); + /* Execute close command, if set */ + if (options.close_command != NULL && + strcmp(options.close_command, "none") != 0) + ssh_run_command("close", host, options.port, options.close_command); + return exit_status; } Index: ssh.0 --- openssh-3.8p1.orig/ssh.0 (.../.transvn:beginning) (revision 25) +++ openssh-3.8p1/ssh.0 (revision 25) @@ -354,6 +354,7 @@ CheckHostIP Cipher Ciphers + CloseCommand ClearAllForwardings Compression CompressionLevel @@ -379,6 +380,7 @@ MACs NoHostAuthenticationForLocalhost NumberOfPasswordPrompts + OpenCommand PasswordAuthentication Port PreferredAuthentications Index: readconf.h --- openssh-3.8p1.orig/readconf.h (.../.transvn:beginning) (revision 25) +++ openssh-3.8p1/readconf.h (revision 25) @@ -72,6 +72,8 @@ char *hostname; /* Real host to connect. */ char *host_key_alias; /* hostname alias for .ssh/known_hosts */ char *proxy_command; /* Proxy command for connecting the host. */ + char *open_command; /* Open command for before connecting the host. */ + char *close_command; /* Close command for after connecting the host. */ char *user; /* User to log in as. */ int escape_char; /* Escape character; -2 = none */ Index: readconf.c --- openssh-3.8p1.orig/readconf.c (.../.transvn:beginning) (revision 25) +++ openssh-3.8p1/readconf.c (revision 25) @@ -93,7 +93,8 @@ oPasswordAuthentication, oRSAAuthentication, oChallengeResponseAuthentication, oXAuthLocation, oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, - oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, + oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, + oOpenCommand, oCloseCommand, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts, 
@@ -149,6 +150,8 @@ { "identityfile2", oIdentityFile }, /* alias */ { "hostname", oHostName }, { "hostkeyalias", oHostKeyAlias }, + { "opencommand", oOpenCommand }, + { "closecommand", oCloseCommand }, { "proxycommand", oProxyCommand }, { "port", oPort }, { "cipher", oCipher }, @@ -537,10 +540,21 @@ charptr = &options->smartcard_device; goto parse_string; + case oOpenCommand: + case oCloseCommand: case oProxyCommand: if (s == NULL) fatal("%.200s line %d: Missing argument.", filename, linenum); - charptr = &options->proxy_command; + switch (opcode) { + case oOpenCommand: + charptr = &options->open_command; + break; + case oCloseCommand: + charptr = &options->close_command; + break; + default: + charptr = &options->proxy_command; + } len = strspn(s, WHITESPACE "="); if (*activep && *charptr == NULL) *charptr = xstrdup(s + len); @@ -853,6 +867,8 @@ options->num_identity_files = 0; options->hostname = NULL; options->host_key_alias = NULL; + options->open_command = NULL; + options->close_command = NULL; options->proxy_command = NULL; options->user = NULL; options->escape_char = -1; Index: sshconnect.c --- openssh-3.8p1.orig/sshconnect.c (.../.transvn:beginning) (revision 25) +++ openssh-3.8p1/sshconnect.c (revision 25) 
@@ -55,6 +55,93 @@ static void warn_changed_key(Key *); /* + * Run the given command + */ +int +ssh_run_command(const char *type, const char *host, u_short port, const char *run_command) +{ + Buffer command; + const char *cp; + char *command_string; + pid_t pid; + char strport[NI_MAXSERV]; + int status; + + /* Convert the port number into a string. */ + snprintf(strport, sizeof strport, "%hu", port); + + /* + * Build the final command string in the buffer by making the + * appropriate substitutions to the given proxy command. + * + * Use "exec" to avoid "sh -c" processes on some platforms + * (e.g. Solaris) + */ + buffer_init(&command); + buffer_append(&command, "exec ", 5); + + for (cp = run_command; *cp; cp++) { + if (cp[0] == '%' && cp[1] == '%') { + buffer_append(&command, "%", 1); + cp++; + continue; + } + if (cp[0] == '%' && cp[1] == 'h') { + buffer_append(&command, host, strlen(host)); + cp++; + continue; + } + if (cp[0] == '%' && cp[1] == 'p') { + buffer_append(&command, strport, strlen(strport)); + cp++; + continue; + } + buffer_append(&command, cp, 1); + } + buffer_append(&command, "\0", 1); + + /* Get the final command string. */ + command_string = buffer_ptr(&command); + + debug("Executing %s command: %.500s", type, command_string); + + /* Fork and execute the proxy command. */ + if ((pid = fork()) == 0) { + char *argv[10]; + + /* Child. Permanently give up superuser privileges. */ + seteuid(original_real_uid); + setuid(original_real_uid); + + argv[0] = _PATH_BSHELL; + argv[1] = "-c"; + argv[2] = command_string; + argv[3] = NULL; + + execv(argv[0], argv); + perror(argv[0]); + exit(1); + } + /* Parent. 
*/ + if (pid < 0) + fatal("fork failed: %.100s", strerror(errno)); + else { + waitpid(pid, &status, 0); + if ( WIFSIGNALED(status) ) + fatal("%s command '%.500s' failed: cought signal %d", + type, command_string, WTERMSIG(status)); + if ( WEXITSTATUS(status) ) + fatal("%s command '%.500s' failed: returned %d", + type, command_string, WEXITSTATUS(status)); + } + + /* Free the command name. */ + buffer_free(&command); + + /* Indicate OK return */ + return 0; +} +/* * Connect to the given ssh server using a proxy command. */ static int Index: ssh_config.0 --- openssh-3.8p1.orig/ssh_config.0 (.../.transvn:beginning) (revision 25) +++ openssh-3.8p1/ssh_config.0 (revision 25) @@ -100,6 +100,13 @@ Specifies whether to use compression. The argument must be ``yes'' or ``no''. The default is ``no''. + CloseCommand + Specifies the command to run after the connection to the server + has been closed. The command string extends to the end of the + line, and is executed with /bin/sh. In the command string, `%h' + will be substituted by the host name to connect and `%p' by the + port. + CompressionLevel Specifies the compression level to use if compression is enabled. The argument must be an integer from 1 (fast) to 9 (slow, best). @@ -273,6 +280,12 @@ Specifies the number of password prompts before giving up. The argument to this keyword must be an integer. Default is 3. + OpenCommand + Specifies the command to run before the connection to the server + is opened. The command string extends to the end of the line, + and is executed with /bin/sh. In the command string, `%h' will + be substituted by the host name to connect and `%p' by the port. + PasswordAuthentication Specifies whether to use password authentication. The argument to this keyword must be ``yes'' or ``no''. The default is Index: ssh_config.5 --- openssh-3.8p1.orig/ssh_config.5 (.../.transvn:beginning) (revision 25) +++ openssh-3.8p1/ssh_config.5 (revision 25) 
@@ -215,6 +215,15 @@ .Dq no . The default is .Dq no . +.It Cm CloseCommand +Specifies the command to run after the connection to the server has been closed. +The command string extends to the end of the line, and is executed with +.Pa /bin/sh . +In the command string, +.Ql %h +will be substituted by the host name to connect and +.Ql %p +by the port. .It Cm CompressionLevel Specifies the compression level to use if compression is enabled. The argument must be an integer from 1 (fast) to 9 (slow, best). @@ -446,6 +455,15 @@ Specifies the number of password prompts before giving up. The argument to this keyword must be an integer. Default is 3. +.It Cm OpenCommand +Specifies the command to run before the connection to the server is opened. +The command string extends to the end of the line, and is executed with +.Pa /bin/sh . +In the command string, +.Ql %h +will be substituted by the host name to connect and +.Ql %p +by the port. .It Cm PasswordAuthentication Specifies whether to use password authentication. The argument to this keyword must be Generated by Transvn 0.15. From dave-openssh-post-20040825 at centerclick.org Thu Aug 26 22:25:23 2004 
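Review bot: The ssh.1 hunk at @@ -614,6 +614,7 @@ inserts `.It CloseCommand` before `.It ClearAllForwardings`, which breaks the alphabetical order of the keyword list ("Cle" sorts before "Clo"); move it to follow ClearAllForwardings. The second ssh.1 hunk places OpenCommand correctly between NumberOfPasswordPrompts and PasswordAuthentication.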
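Review bot: The ssh.0 hunk at @@ -354,6 +354,7 @@ has the same ordering slip as ssh.1: `CloseCommand` is added above `ClearAllForwardings` and should come after it. Since ssh.0 is the pre-formatted rendering of ssh.1, fixing the .1 source and regenerating would keep the two in step rather than hand-editing both.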
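Review bot: In the sshconnect.h hunk the new prototype names its parameters (`const char *type, const char *host, u_short port, const char *run_command`) while the neighbouring declaration `ssh_connect(const char *, struct sockaddr_storage *, u_short, ...)` omits them; match the file's convention. The `int` return value is also never anything but 0 (every failure path in ssh_run_command() calls fatal()) and neither call site in ssh.c checks it, so either declare it `void` or return the failure and let the caller decide what to do.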
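Review bot: In the ssh.c hunk at @@ -606,6 +606,11 @@ the open command runs before `ssh_connect()`, but nothing arranges for the close command when ssh does not reach the end of main(): a failed connect, a host key mismatch or any other fatal() exits without it, so whatever OpenCommand set up (the trapdoor or knock state the description mentions) stays open. Register the close command with the cleanup path that also runs on fatal(), or at the very least run it when ssh_connect() fails before calling fatal().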
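Review bot: In the ssh.c hunk at @@ -725,6 +730,11 @@ the close command goes through ssh_run_command(), which calls fatal() when the command exits non-zero or dies from a signal. By this point the session has already completed, so a failing CloseCommand discards `exit_status` of the remote command and replaces it with a fatal error. For the close side, log the failure and still `return exit_status;`.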
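Review bot: In the readconf.h hunk the two new field comments read awkwardly: "Open command for before connecting the host." and "Close command for after connecting the host." Something like "Command to run before connecting to the host." and "Command to run after the connection is closed." would match the style of the surrounding comments and say when the close command actually runs.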
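Review bot: In the readconf.c hunk at @@ -537,10 +540,21 @@ the combined `case oOpenCommand: case oCloseCommand: case oProxyCommand:` re-dispatches on `opcode` in a nested switch just to pick `charptr`; three cases that each set charptr and then `goto` a shared label for the rest-of-line parsing would read more naturally and match how the file already shares `parse_string`. The `default:` arm of the inner switch also silently maps any other opcode onto `options->proxy_command`, so a fourth keyword later added to the outer case list would become ProxyCommand with no compiler warning; make the third arm an explicit `case oProxyCommand:`.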
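Review bot: In the sshconnect.c hunk the parent side of ssh_run_command() ignores the return value of `waitpid(pid, &status, 0)`; if it fails (EINTR is the realistic case), `status` is uninitialised and the WIFSIGNALED/WEXITSTATUS checks act on garbage, so loop while waitpid() returns -1 with errno == EINTR and treat any other error as a failure. In the child, `seteuid(original_real_uid);` and `setuid(original_real_uid);` are unchecked: if ssh is installed setuid root and the drop fails, the command from the user's ssh_config runs as root, so test both results and `_exit()` on failure. Minor: the comments still say "the given proxy command" and "execute the proxy command", `cought` should be `caught`, and `char *argv[10]` only ever holds four entries.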
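Review bot: In the ssh_config.5 hunk at @@ -215,6 +215,15 @@ the CloseCommand entry lands between Compression and CompressionLevel; alphabetically it belongs before Compression (the ssh_config.0 hunk at @@ -100,6 +100,13 @@ has the same placement). The text should also state two behaviours the code has: a command that exits non-zero or is killed by a signal makes ssh abort, and CloseCommand only runs when ssh exits normally, not after a fatal error. Documenting `%%` as the escape for a literal `%` would match the substitution loop as well.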
From: dave-openssh-post-20040825 at centerclick.org (Dave Johnson)
Date: Thu, 26 Aug 2004 08:25:23 -0400
Subject: [patch] sshd with re-exec disabled causes stdin to get closed.
In-Reply-To: <16685.3930.901849.334013@wellington.i202.centerclick.org>
References: <16685.3930.901849.334013@wellington.i202.centerclick.org>
Message-ID: <16685.54963.770980.931896@wellington.i202.centerclick.org>

Dave Johnson writes:
>
> I ran into a bug while testing 3.9p1.
>
> If you start sshd with -r (re-exec disabled), once the daemon is
> forked to handle a client, the child closes stdin by accident.
>
> This causes FD 0 to get re-used by the next open call which eventually
> you end up with a mess. In the particular case I saw, the pty fd
> ended up on FD 0 was closed by do_exec_pty(),
> pty_make_controlling_tty() then opened a new ttyfd as 0, and
> do_exec_pty() duped it dup2(0,0), dup2(0,1), dup2(0,2), then called
> close(ttyfd); which closed 0!
>
> Patch against openssh-3.9p1 is attached.

Patch is now also at:
http://centerclick.org/reexec.patch

-- 
Dave

From djm at mindrot.org Thu Aug 26 22:34:58 2004
From: djm at mindrot.org (Damien Miller)
Date: Thu, 26 Aug 2004 22:34:58 +1000
Subject: OpenSSH PATCH: OpenCommand and CloseCommand
In-Reply-To: <20040826121638.GB18450@clifford.at>
References: <20040826121638.GB18450@clifford.at>
Message-ID: <412DD8F2.1040304@mindrot.org>

Clifford Wolf wrote:
> Hi,
>
> the attached patch adds support for the keywords "OpenCommand" and
> "CloseCommand" to ssh_config. They are commands which are executed before
> the connection is established (or ProxyCommand started) and after the
> connection has been closed (or ProxyCommand ended).

IMO This is exactly the sort of thing that should be implemented using
a wrapper script and not in ssh.

-d

From clifford at clifford.at Thu Aug 26 22:59:28 2004
From: clifford at clifford.at (Clifford Wolf)
Date: Thu, 26 Aug 2004 14:59:28 +0200
Subject: OpenSSH PATCH: OpenCommand and CloseCommand
In-Reply-To: <412DD8F2.1040304@mindrot.org>
References: <20040826121638.GB18450@clifford.at> <412DD8F2.1040304@mindrot.org>
Message-ID: <20040826125928.GD18450@clifford.at>

Hi Damien,

On Thu, Aug 26, 2004 at 10:34:58PM +1000, Damien Miller wrote:
> > the attached patch adds support for the keywords "OpenCommand" and
> > "CloseCommand" to ssh_config. They are commands which are executed before
> > the connection is established (or ProxyCommand started) and after the
> > connection has been closed (or ProxyCommand ended).
>
> IMO This is exactly the sort of thing that should be implemented using
> a wrapper script and not in ssh.

But that would mean to implement the matching for the target host twice
(once in the wrapper script and once in ssh's ssh_config parsing) and
passing -S all the time when calling scp. This would add much complexity
to the side of the end user.

You could also argue that ProxyCommand could be implemented using a local
running service (can be even implemented using inetd without any
scripting) and not by ssh directly. It's simply much easier for the end
user with the ProxyCommand option..

yours,
 - clifford

-- 
+++>+>++++++[<+++++++>-]<..>++>++++++[<+++++>-]<.>>++++++[<+++++++++++>-]<.
>++>>++++[<++++[<+++++++>-]>-]<<.>+>>++++[<++++[<++++++>-]>-]<<.++++++++.<-
---.>---.<<<<-.>>>>---.<---.<<.<+..>.>>---.>>++++>>++++[<++++[<+++++++>-]>-
]<<..----.<<<--------.<<++++..>>>>>+++++++...<<<<<-.>>>>.<++++.---.>+++..<+
+++++.+++.>--.<<<<.>>>>---.<++.<<<+.>>>>+.++++.---.<----.>>--.<<<<<.>.<----
..>.>+++++++++.>>>>>>++++[<++++[<+++++>-]>-]<<.+++++.<<<<<<+.>.>.>-.--.+++.
>++++++.+++.-------.<++.<<<.>.>>>.>-.<--.<<<<++..>.<---..>>>>>>>++++++++++.
Life is not fair, but the root password helps!

From mouring at etoh.eviladmin.org Fri Aug 27 00:05:50 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 26 Aug 2004 09:05:50 -0500 (CDT)
Subject: OpenSSH PATCH: OpenCommand and CloseCommand
In-Reply-To: <20040826121638.GB18450@clifford.at>
Message-ID: 

On Thu, 26 Aug 2004, Clifford Wolf wrote:

> Hi,
>
> the attached patch adds support for the keywords "OpenCommand" and
> "CloseCommand" to ssh_config. They are commands which are executed before
> the connection is established (or ProxyCommand started) and after the
> connection has been closed (or ProxyCommand ended).
>
> this is useful for stuff like portknocking or (that's what I wrote the
> patch for) talking with trapdoor2 (http://oss.linbit.com/trapdoor2/).
>

The ProxyCommand should run for the length of the ssh session. Why can't
you implement it fully using that? Seems to make more sense.

- Ben

From clifford at clifford.at Fri Aug 27 00:32:19 2004
From: clifford at clifford.at (Clifford Wolf)
Date: Thu, 26 Aug 2004 16:32:19 +0200
Subject: OpenSSH PATCH: OpenCommand and CloseCommand
In-Reply-To: 
References: <20040826121638.GB18450@clifford.at>
Message-ID: <20040826143219.GA24302@clifford.at>

On Thu, Aug 26, 2004 at 09:05:50AM -0500, Ben Lindstrom wrote:
> > the attached patch adds support for the keywords "OpenCommand" and
> > "CloseCommand" to ssh_config. They are commands which are executed before
> > the connection is established (or ProxyCommand started) and after the
> > connection has been closed (or ProxyCommand ended).
> >
> > this is useful for stuff like portknocking or (that's what I wrote the
> > patch for) talking with trapdoor2 (http://oss.linbit.com/trapdoor2/).
>
> The ProxyCommand should run for the length of the ssh session. Why can't
> you implement it fully using that? Seems to make more sense.

Running the "to-do-before-stuff", running netcat, running the "to-do-
afterwards-stuff" ? No, that's not nice. If the connection itself is just a
plain TCP session ssh should do it on its own imo ..

yours,
 - clifford

-- 
#!/usr/bin/perl
$p="1"x1002;for$c(2..1000){if($p=~/^.{$c}0/){next;};printf"%3d\%s",
$c,++$x%14?" ":"\n";while($p=~s/^((.{$c})+)1/${1}0/){}}$_="lPSFZQ".
"SJNFTZBUZ\n";y:B-Zl;:a-x M/:;print;
GnuPG Fingerprint = B492 B326 89D2 AC1A 0F38 706E 3CD2 04B1 FA4A 0DD1

From mouring at etoh.eviladmin.org Fri Aug 27 00:41:21 2004
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 26 Aug 2004 09:41:21 -0500 (CDT)
Subject: OpenSSH PATCH: OpenCommand and CloseCommand
In-Reply-To: <20040826143219.GA24302@clifford.at>
Message-ID: 

On Thu, 26 Aug 2004, Clifford Wolf wrote:

> On Thu, Aug 26, 2004 at 09:05:50AM -0500, Ben Lindstrom wrote:
> > > the attached patch adds support for the keywords "OpenCommand" and
> > > "CloseCommand" to ssh_config. They are commands which are executed before
> > > the connection is established (or ProxyCommand started) and after the
> > > connection has been closed (or ProxyCommand ended).
> > >
> > > this is useful for stuff like portknocking or (that's what I wrote the
> > > patch for) talking with trapdoor2 (http://oss.linbit.com/trapdoor2/).
> >
> > The ProxyCommand should run for the length of the ssh session. Why can't
> > you implement it fully using that? Seems to make more sense.
>
> Running the "to-do-before-stuff", running netcat, running the "to-do-
> afterwards-stuff" ? No, that's not nice. If the connection itself is just a
> plain TCP session ssh should do it on it's own imo ..
>

$ cat MyProxy.sh
#!/bin/ksh
RunKnockSoftware
netcat $1 $2 $3
RunUnKnockSoftware
$

Along with "ProxyCommand MyProxy.sh .."

Please tell me how something like this fails? Don't care if you dislike it
or not. We want to know WHY it is so much better to implement a pre/post
proxy instead of doing something like that above? If it is technical
reason then it should be looked at and considered to be resolved.

- Ben

From tim at multitalents.net Fri Aug 27 07:52:08 2004
From: tim at multitalents.net (Tim Rice)
Date: Thu, 26 Aug 2004 14:52:08 -0700 (PDT)
Subject: sshd 3.9p1 under Reliant Unix 5.45: getpeername: Operation not supported on transport endpoint
In-Reply-To: <200408260615.i7Q6FkMX029292@trr.multitalents.net>
References: <200408260615.i7Q6FkMX029292@trr.multitalents.net>
Message-ID: 

On Thu, 26 Aug 2004, Robert Dahlem wrote:

> On Wed, 25 Aug 2004 10:50:57 -0700 (PDT), Tim Rice wrote:
>
> >>> The following is special to sshd 3.9p1 under ReliantUnix 5.45. It
> does
> >>> not occur under ReliantUnix 5.43 nor under Solaris 5.8:
[snip]
> Libraries: -lcrypto -lz -lsocket -lnsl -ldl -lgen -lresolv

Just for fun try editing your Makefiles so LIBS are
-lcrypto -lz -ldl -lgen -lsocket -lresolv -lnsl
and then "make clean && make"

-- 
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net

From pjt at acm.jhu.edu Fri Aug 27 12:09:09 2004
From: pjt at acm.jhu.edu (pjt at acm.jhu.edu)
Date: Fri, 27 Aug 2004 02:09:09 +0000
Subject: updates
In-Reply-To: <90J339GKA17HD013@mindrot.org>
References: <90J339GKA17HD013@mindrot.org>
Message-ID: 

New Q E M software

Corel Photobook - 25
DVD Copy Plus - 30
Corel KnockOut 2 - 50
Goldmine Business Contact Manager 6.5 - 59
Corel KnockOut 2 - 50
Maya 6.0 Unlimited - 150
Autodesk software
321 Studios - DVD X Copy Platinum - 70
SuSe Linux 9.1 Professional Edition - 50
Red Hat Enterprise Linux AS Premium Edition - 150
Linux, Apple software and a lot more

http://www.bolguarou.biz/

From dave-openssh-post-20040825 at centerclick.org Sat Aug 28 01:19:15 2004
From: dave-openssh-post-20040825 at centerclick.org (Dave Johnson)
Date: Fri, 27 Aug 2004 11:19:15 -0400
Subject: [patch] v1 empty pass with PAM disabled still prompts for pass fix.
Message-ID: <16687.20723.841022.214218@wellington.i202.centerclick.org>

Setup:
------
config.h:
#define USE_PAM 1

sshd_config:
PasswordAuthentication yes
PermitEmptyPasswords yes
UsePAM no
------

With the above config, and a user with no password, logging in with v2
gives no password prompt (because auth-method none works), but in v1, a
password is still prompted for (empty is accepted though, just have to
press enter).

If UsePAM is enabled, no prompt is displayed, with UsePAM off it isn't.

Attached patch fixes this issue.

-- 
Dave

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: emptypass.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040827/35d1042d/attachment.ksh

From Robert.Dahlem at gmx.net Sat Aug 28 04:31:10 2004
From: Robert.Dahlem at gmx.net (Robert Dahlem)
Date: Fri, 27 Aug 2004 20:31:10 +0200
Subject: sshd 3.9p1 under Reliant Unix 5.45: getpeername: Operation not supported on transport endpoint
In-Reply-To: 
Message-ID: <20040827182821.587F027C187@shitei.mindrot.org>

On Thu, 26 Aug 2004 14:52:08 -0700 (PDT), Tim Rice wrote:

>>>> The following is special to sshd 3.9p1 under ReliantUnix 5.45. It
>>>> does not occur under ReliantUnix 5.43 nor under Solaris 5.8:
>[snip]
>> Libraries: -lcrypto -lz -lsocket -lnsl -ldl -lgen -lresolv

>Just for fun try editing your Makefiles so LIBS are
> -lcrypto -lz -ldl -lgen -lsocket -lresolv -lnsl
>and then "make clean && make"

It's not related to library order (doesn't change the behaviour).

Meanwhile I broke it down to something strange. In sshd.c you will find
this piece of code in main():

        /* Start listening for a socket, unless started from inetd. */
        if (inetd_flag) {
                int fd;

                startup_pipe = -1;
                if (rexeced_flag) {
                        close(REEXEC_CONFIG_PASS_FD);
                        sock_in = sock_out = dup(STDIN_FILENO);

Under ReliantUnix 5.43 you can do successful
        getpeername(STDIN_FILENO, ...)
        getpeername(sock_in, ...)
after this.

Under ReliantUnix 5.45
        getpeername(STDIN_FILENO, ...) is successful
        getpeername(sock_in, ...) returns -1, errno=EOPNOTSUPP

Can it be that my dup() is somehow broken? This wouldn't leave much to
work on this machine, would it?

Regards,
Robert

From glen at imodulo.com Sat Aug 28 04:42:48 2004
From: glen at imodulo.com (Glen Nakamura)
Date: Fri, 27 Aug 2004 08:42:48 -1000
Subject: OpenSSH-3.9p1 permanently_set_uid behavior on Linux
Message-ID: <20040827184248.GA815@modulo.internal>

Aloha,

I'm curious about the following code at line 203 in uidswap.c:

        /* Try restoration of GID if changed (test clearing of saved gid) */
        if (old_gid != pw->pw_gid &&
            (setgid(old_gid) != -1 || setegid(old_gid) != -1))
                fatal("%s: was able to restore old [e]gid", __func__);

This causes permanently_set_uid to fail in the following case:

$ su
Password: ????????
# newgrp bin
# ssh remotehost
permanently_set_uid: was able to restore old [e]gid
#

Is this the desired behavior or should the code special case running as
root?

- Glen Nakamura

From Robert.Dahlem at gmx.net Sat Aug 28 04:44:28 2004
From: Robert.Dahlem at gmx.net (Robert Dahlem)
Date: Fri, 27 Aug 2004 20:44:28 +0200
Subject: sshd 3.9p1 under Reliant Unix 5.45: getpeername: Operation not supported on transport endpoint
In-Reply-To: <20040827182821.587F027C187@shitei.mindrot.org>
Message-ID: <20040827184133.94E5027C2FD@shitei.mindrot.org>

On Fri, 27 Aug 2004 20:31:10 +0200, Robert Dahlem wrote:

>                         sock_in = sock_out = dup(STDIN_FILENO);

>Under ReliantUnix 5.43 you can do successful
>        getpeername(STDIN_FILENO, ...)
>        getpeername(sock_in, ...)
>after this.

>Under ReliantUnix 5.45
>        getpeername(STDIN_FILENO, ...) is successful
>        getpeername(sock_in, ...) returns -1, errno=EOPNOTSUPP

>Can it be that my dup() is somehow broken? This wouldn't leave much to
>work on this machine, would it?

Changed
        sock_in = sock_out = dup(STDIN_FILENO);
to
        sock_in = sock_out = fcntl(STDIN_FILENO, F_DUPFD);

Now it works. What's that? Any thoughts?

Regards,
Robert

From Robert.Dahlem at gmx.net Sat Aug 28 04:54:59 2004
From: Robert.Dahlem at gmx.net (Robert Dahlem)
Date: Fri, 27 Aug 2004 20:54:59 +0200
Subject: OpenSSH-3.9p1 permanently_set_uid behavior on Linux
In-Reply-To: <20040827184248.GA815@modulo.internal>
Message-ID: <20040827185204.79A1C27C187@shitei.mindrot.org>

On Fri, 27 Aug 2004 08:42:48 -1000, Glen Nakamura wrote:

>$ su
>Password: ????????
># newgrp bin
># ssh remotehost
>permanently_set_uid: was able to restore old [e]gid
>#
>
>Is this the desired behavior or should the code special case running as
>root?

Darren posted a patch in comp.security.ssh which helped me with this. Go
to groups.google.com and search for
msgid:cge5kt$grt$1 at gate.dodgy.net.au

Regards,
Robert

From Robert.Dahlem at gmx.net Sat Aug 28 05:14:41 2004
From: Robert.Dahlem at gmx.net (Robert Dahlem)
Date: Fri, 27 Aug 2004 21:14:41 +0200
Subject: sshd 3.9p1 under Reliant Unix 5.45: getpeername: Operation not supported on transport endpoint
In-Reply-To: <20040827184133.94E5027C2FD@shitei.mindrot.org>
Message-ID: <20040827191151.5044A27C18B@shitei.mindrot.org>

On Fri, 27 Aug 2004 20:44:28 +0200, Robert Dahlem wrote:

>        sock_in = sock_out = fcntl(STDIN_FILENO, F_DUPFD);

Oops. Should be

        sock_in = sock_out = fcntl(STDIN_FILENO, F_DUPFD, 0);

instead.

Regards,
Robert

From djm at mindrot.org Sat Aug 28 11:11:16 2004
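The fcntl(F_DUPFD, 0) workaround, together with the check Robert used to tell a good duplicate from a bad one, can be packaged as a small self-test. The following is an added example (not OpenSSH code, not Robert's patch): a socketpair() stands in for the connection inherited from inetd, one end is duplicated either with libc dup() or with the fcntl form, and getpeername() is required to succeed on the copy whenever it succeeds on the original. The function names are the example's own.

```c
/*
 * Added example, not OpenSSH code: a dup() replacement built on
 * fcntl(F_DUPFD, 0) and a check that a duplicate still behaves like the
 * socket it was copied from.  The socketpair() is constructed for the demo.
 */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* dup() built on fcntl(): lowest free descriptor >= 0, same as dup(). */
int dup_fcntl(int fd)
{
    return fcntl(fd, F_DUPFD, 0);
}

/* libc dup(), wrapped so it can be passed alongside dup_fcntl(). */
int dup_libc(int fd)
{
    return dup(fd);
}

/* 1 if getpeername() succeeds on fd, 0 otherwise (errno says why). */
int has_peer(int fd)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;

    return getpeername(fd, (struct sockaddr *)&ss, &len) == 0;
}

/*
 * Duplicate one end of a connected socket with dupfn and check that the
 * copy still is the socket: a distinct descriptor number, and a peer
 * visible through both the original and the copy.  Returns 1 when the copy
 * is good, 0 when it lost its socket identity (the ReliantUnix 5.45
 * symptom: EOPNOTSUPP on the copy only), -1 if the socketpair or the
 * duplicate could not be created at all.
 */
int check_dup(int (*dupfn)(int))
{
    int sv[2], copy, ok;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    copy = dupfn(sv[0]);
    if (copy < 0) {
        ok = -1;
    } else {
        ok = (copy != sv[0] && has_peer(sv[0]) && has_peer(copy)) ? 1 : 0;
        close(copy);
    }
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    printf("libc dup():         %s\n", check_dup(dup_libc) == 1 ? "ok" : "broken");
    printf("fcntl(F_DUPFD, 0):  %s\n", check_dup(dup_fcntl) == 1 ? "ok" : "broken");
    return 0;
}
```

On a sane libc both checks report ok; a platform with the problem from this thread would report "broken" for dup() and "ok" for the fcntl form, which is exactly the condition under which a #define of dup() to fcntl(fd, F_DUPFD, 0) is justified. Keep in mind that F_DUPFD, like dup(), yields a copy without the close-on-exec flag, so a replacement macro changes nothing there.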
From: djm at mindrot.org (Damien Miller)
Date: Sat, 28 Aug 2004 11:11:16 +1000
Subject: sshd 3.9p1 under Reliant Unix 5.45: getpeername: Operation not supported on transport endpoint
In-Reply-To: <20040827191151.5044A27C18B@shitei.mindrot.org>
References: <20040827191151.5044A27C18B@shitei.mindrot.org>
Message-ID: <412FDBB4.4070605@mindrot.org>

Robert Dahlem wrote:
> On Fri, 27 Aug 2004 20:44:28 +0200, Robert Dahlem wrote:
>
>
>>        sock_in = sock_out = fcntl(STDIN_FILENO, F_DUPFD);
>
>
> Oops. Should be
>
>        sock_in = sock_out = fcntl(STDIN_FILENO, F_DUPFD, 0);

It looks like your dup() is indeed broken. It should be too hard to have
a replacement function (or #define) to transparently cope with this.

What is your platform type, as reported after "Host: " at the end of a
configure run?

-d

From wertmane at comcast.net Sat Aug 28 11:27:23 2004
From: wertmane at comcast.net (Eric Wertman)
Date: Fri, 27 Aug 2004 21:27:23 -0400
Subject: column width and xterms
Message-ID: <000001c48c9e$2c012350$0100a8c0@monolith>

In the last few versions of openssh (3.7.1p1, 3.8p1, and 3.9) I've had an
interesting problem with the window scaling on AIX. The line will start
to wrap regardless of what the actual width of my terminal window is.
I've mostly been using Darren Tucker's packages, but since I've been
annoyed by the problem for a while, I decided to try and compile my
own... and I find the same problem that way. Seems to be the same on AIX
4.3.3ml10 and AIX 5.2ml02 (and 03).

Anyone seen this, or know of a fix?

Thanks!

Eric

From glen at montreal.hcl.com Sat Aug 28 04:49:00 2004
From: glen at montreal.hcl.com (Glen Matthews)
Date: Fri, 27 Aug 2004 14:49:00 -0400
Subject: Terminal modes
Message-ID: <00aa01c48c66$840a31f0$1b01040a@montreal.hcl.com>

Hi,

I'm trying to connect to an openssh server, setting some terminal modes,
and they don't seem to do what I want. Specifically, I'm trying to disable
echo from the server - hence the four modes in the sshd trace below (53 for
example is ECHO). I've looked at the code. 0 would indicate that the option
is negated in the c_lflag field. And it seems like the modes are applied to
the pty successfully (else one would get an error: Setting tty modes
failed: ) ... Yet I still get input echoed on the session.

Any ideas? Are these modes not doing what I would expect them to do?

Glen Matthews

-------server trace extract---------
debug1: server_input_channel_open: ctype session rchan 0 win 3000 max 35000
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request x11-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req x11-req
debug2: fd 10 setting O_NONBLOCK
debug2: fd 10 is O_NONBLOCK
debug1: channel 1: new [X11 inet listener]
debug2: fd 11 setting O_NONBLOCK
debug2: fd 11 is O_NONBLOCK
debug1: channel 2: new [X11 inet listener]
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug3: mm_request_send entering: type 25
debug3: mm_pty_allocate: waiting for MONITOR_ANS_PTY
debug3: mm_request_receive_expect entering: type 26
debug3: mm_request_receive entering
debug3: monitor_read: checking request 25
debug3: mm_answer_pty entering
debug1: session_new: init
debug1: session_new: session 0
debug3: mm_request_send entering: type 26
debug3: Trying to reverse map address 10.4.1.27.
debug3: mm_answer_pty: tty /dev/pts/3 ptyfd 4
debug3: mm_request_receive entering
debug1: session_pty_req: session 0 alloc /dev/pts/3
debug3: tty_parse_modes: SSH2 n_bytes 21
debug3: tty_parse_modes: 53 0
debug3: tty_parse_modes: 54 0
debug3: tty_parse_modes: 55 0
debug3: tty_parse_modes: 56 0
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug2: fd 6 setting TCP_NODELAY
debug2: fd 13 setting O_NONBLOCK
debug2: fd 12 is O_NONBLOCK

From Robert.Dahlem at gmx.net Sat Aug 28 17:34:28 2004
From: Robert.Dahlem at gmx.net (Robert Dahlem)
Date: Sat, 28 Aug 2004 09:34:28 +0200
Subject: sshd 3.9p1 under Reliant Unix 5.45: getpeername: Operation not supported on transport endpoint
In-Reply-To: <412FDBB4.4070605@mindrot.org>
Message-ID: <20040828073144.C9BF627C189@shitei.mindrot.org>

On Sat, 28 Aug 2004 11:11:16 +1000, Damien Miller wrote:

>> sock_in = sock_out = fcntl(STDIN_FILENO, F_DUPFD, 0);
>It looks like your dup() is indeed broken. It should be too hard to have
>a replacement function (or #define) to transparently cope with this.
>What is your platform type, as reported after "Host: " at the end of a
>configure run?

Host: mips-sni-sysv4

Would you accept a patch like

    #define dup(fd) fcntl(fd, F_DUPFD, 0)

for this platform?

Regards,
Robert

From Robert.Dahlem at gmx.net Sun Aug 29 04:03:50 2004
From: Robert.Dahlem at gmx.net (Robert Dahlem)
Date: Sat, 28 Aug 2004 20:03:50 +0200
Subject: sshd 3.9p1 under Reliant Unix 5.45: getpeername: Operation not supported on transport endpoint
In-Reply-To: <20040828073144.C9BF627C189@shitei.mindrot.org>
Message-ID: <20040828180102.A04B127C189@shitei.mindrot.org>

On Sat, 28 Aug 2004 09:34:28 +0200, Robert Dahlem wrote:

>>> sock_in = sock_out = fcntl(STDIN_FILENO, F_DUPFD, 0);
>>It looks like your dup() is indeed broken. It should be too hard to
>>have a replacement function (or #define) to transparently cope with
>>this.
>>What is your platform type, as reported after "Host: " at the end of a
>>configure run?
>Host: mips-sni-sysv4

I tried to write a small program to reproduce the behaviour for the
ReliantUnix maintenance people but failed until now. Basically it looks
to me like:

    newsock=accept(...);
    dup2(newsock, STDIN_FILENO);
    dup2(STDIN_FILENO, STDOUT_FILENO);
    execv(...);

    /* exec'ed program */
    sock_in = sock_out = dup(STDIN_FILENO);
    getpeername(sock_in);   /* bang */

Damien, I guess re-exec is your code: could you give me a pointer to what
re-exec does to this fd beside the obvious?

Regards,
Robert

From sales at hktel.com Sun Aug 29 15:48:56 2004
From: sales at hktel.com (Man_Bond_Communications_Limited)
Date: Sun, 29 Aug 2004 15:48:56 +1000 (EST)
Subject: Your Hong Kong Call Centre
Message-ID: <20040829054856.6DBFA27C18D@shitei.mindrot.org>

If you are setting up a Call Centre in Hong Kong, our company can provide:

1. Dedicated Hong Kong Fax Line (US$20.00 per month)
   Unlimited fax receiving and every incoming fax will be converted into
   TIFF file and forwarded to your email address.

2. Dedicated Hong Kong Phone Line (US$20.00 per month + IDD Charges)
   Every incoming call will be forwarded to your company phone number.

Details please email manbond at hktel.com

Man Bond Communications Limited
Block F1, 13/F., Tuen Mun Industrial Centre
No. 76, Pui To Road, Tuen Mun, Hong Kong
Phone : 852-2780-3257
Fax : 852-2385-2631
Webpage: http://www.hktel.com

*********************************************************************
If you wish to be removed from our list, please return our email with
Removal at the Subject: line.
*********************************************************************

From dtucker at zip.com.au Sun Aug 29 15:53:25 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 29 Aug 2004 15:53:25 +1000
Subject: sshd 3.9p1 under Reliant Unix 5.45: getpeername: Operation not supported on transport endpoint
In-Reply-To: <20040828073144.C9BF627C189@shitei.mindrot.org>
References: <20040828073144.C9BF627C189@shitei.mindrot.org>
Message-ID: <41316F55.9010607@zip.com.au>

Robert Dahlem wrote:
> On Sat, 28 Aug 2004 11:11:16 +1000, Damien Miller wrote:
>>It looks like your dup() is indeed broken. It should be too hard to have
>>a replacement function (or #define) to transparently cope with this.
[...]
> Host: mips-sni-sysv4
>
> Would you accept a patch like
>
>     #define dup(fd) fcntl(fd, F_DUPFD, 0)
>
> for this platform?

I think that would be OK. Does the attached patch work?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-dup-fcntl.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040829/1dad8309/attachment.ksh

From dtucker at zip.com.au Sun Aug 29 18:09:42 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 29 Aug 2004 18:09:42 +1000
Subject: OpenSSH-3.9p1 permanently_set_uid behavior on Linux
In-Reply-To: <20040827184248.GA815@modulo.internal>
References: <20040827184248.GA815@modulo.internal>
Message-ID: <41318F46.6000802@zip.com.au>

Glen Nakamura wrote:
> I'm curious about the following code at line 203 in uidswap.c:
>
>     /* Try restoration of GID if changed (test clearing of saved gid) */
>     if (old_gid != pw->pw_gid &&
>         (setgid(old_gid) != -1 || setegid(old_gid) != -1))
>             fatal("%s: was able to restore old [e]gid", __func__);
>
> This causes permanently_set_uid to fail in the following case:
>
> $ su
> Password: ????????
> # newgrp bin
> # ssh remotehost
> permanently_set_uid: was able to restore old [e]gid
> #
>
> Is this the desired behavior or should the code special case running as root?

It's desired behaviour for permanently_set_uid(), but it should be
special-cased in ssh and ssh-keysign (because uid==0 *is* special: unlike
most uids it can set its gid to whatever it wants).

I think something like the attached is needed (applies to -current but the
changes are simple to backport to 3.9p1).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-ssh-ruid2.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040829/79a91ce3/attachment.ksh

From dtucker at zip.com.au Sun Aug 29 20:05:10 2004
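The drop-and-verify pattern Darren describes above, as an added example (editor's code, not OpenSSH's uidswap.c and not Darren's attached patch): a permanent id drop that tests whether the old ids can be regained, with the uid-0 exemption placed in the setuid-client caller rather than in the drop routine, so that a server that drops from root keeps the full check. Function names (permanently_set_ids, client_drop_privileges) are the example's own; errors are returned rather than passed to fatal().

```c
/* Added example: permanent privilege drop with the "try to restore the
 * old ids" self-test, and the root special case handled by the caller. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The self-test is only meaningful when the id actually changed; these
 * mirror the "if changed" conditions in the quoted uidswap.c. */
int gid_restore_test_required(gid_t old_gid, gid_t new_gid)
{
	return old_gid != new_gid;
}

int uid_restore_test_required(uid_t old_uid, uid_t new_uid)
{
	return old_uid != new_uid;
}

/* Permanently become uid/gid and verify the old ids cannot be regained.
 * Returns 0 on success, -1 with errno set (OpenSSH calls fatal() here). */
int permanently_set_ids(uid_t uid, gid_t gid)
{
	uid_t old_uid = getuid();
	gid_t old_gid = getgid();

	if (setgid(gid) == -1 || setegid(gid) == -1)	/* group first */
		return -1;
	if (setuid(uid) == -1 || seteuid(uid) == -1)
		return -1;

	/* Try restoration of GID if changed (test clearing of saved gid) */
	if (gid_restore_test_required(old_gid, gid) &&
	    (setgid(old_gid) != -1 || setegid(old_gid) != -1)) {
		errno = EPERM;	/* was able to restore old [e]gid */
		return -1;
	}
	/* Try restoration of UID if changed (test clearing of saved uid) */
	if (uid_restore_test_required(old_uid, uid) &&
	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) {
		errno = EPERM;	/* was able to restore old [e]uid */
		return -1;
	}
	return 0;
}

/* Caller-side special case for a setuid client (ssh, ssh-keysign): a real
 * uid of 0 may set any gid, so after "newgrp bin" the gid self-test would
 * succeed and wrongly report a failed drop.  Root has nothing to drop, so
 * skip the routine instead of weakening its check for every caller.
 * *dropped reports whether permanently_set_ids() was actually run. */
int client_drop_privileges(uid_t uid, gid_t gid, int *dropped)
{
	if (getuid() == 0) {
		*dropped = 0;
		return 0;
	}
	*dropped = 1;
	return permanently_set_ids(uid, gid);
}

int main(void)
{
	int dropped;

	/* Drop to our own ids: a no-op drop, but the self-tests still run. */
	if (client_drop_privileges(getuid(), getgid(), &dropped) == -1) {
		perror("client_drop_privileges");
		return 1;
	}
	printf("uid %ld gid %ld, drop routine %s\n", (long)getuid(),
	    (long)getgid(), dropped ? "ran" : "skipped (real uid 0)");
	return 0;
}
```

Keeping the strict test inside permanently_set_ids() matters because the same routine is what a daemon uses when it drops from root to an unprivileged user; for that caller old_uid is 0 and the gid test is exactly the check that the saved ids were cleared.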
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 29 Aug 2004 20:05:10 +1000
Subject: column width and xterms
In-Reply-To: <000001c48c9e$2c012350$0100a8c0@monolith>
References: <000001c48c9e$2c012350$0100a8c0@monolith>
Message-ID: <4131AA56.4010803@zip.com.au>

Eric Wertman wrote:
> In the last few versions of openssh (3.7.1p1, 3.8p1, and 3.9) I've had an
> interesting problem with the window scaling on AIX. The line will start to
> wrap regardless of what the actual width of my terminal window is. I've
> mostly been using Darren Tucker's packages, but since I've been annoyed by
> the problem for a while, I decided to try and compile my own... and I find
> the same problem that way. Seems to be the same on AIX 4.3.3ml10 and AIX
> 5.2ml02 (and 03).
>
> Anyone seen this, or know of a fix?

Is that logging in to an AIX box, or logging into another box from an AIX
client?

I've heard of that when the OS (I think it was Debian but I could be wrong)
doesn't set the width properly before you run ssh. Does the problem persist
if you run "stty cols 80 rows 25" on the client before running ssh? What
about resizing the window?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Sun Aug 29 20:19:21 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 29 Aug 2004 20:19:21 +1000
Subject: Default path to identity file
In-Reply-To: <20040825114425.2615127C187@shitei.mindrot.org>
References: <20040825114425.2615127C187@shitei.mindrot.org>
Message-ID: <4131ADA9.2070605@zip.com.au>

Robert Dahlem wrote:
> Identity files are always expanded by tilde_expand_filename() which gets
> the name of the home directory from getpwuid(my_uid)->pw_dir.
>
> This is not what I expect (well, hope :-) when my UID is 0 but I'm not
> root.
[...]
> It is not an alternative to define "IdentityFile
> /home/dahlem/.ssh/id_rsa" in /home/dahlem/.ssh/config: ssh is consistent
> on this side and uses /.ssh/config .

    alias ssh="ssh -o IdentityFile=/home/dahlem/.ssh/id_rsa"

or

    alias ssh="ssh -F /home/dahlem/.ssh/config"

?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Sun Aug 29 20:39:58 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 29 Aug 2004 20:39:58 +1000
Subject: Trying regression tests
In-Reply-To: <20040820144506.GA1442100@hiwaay.net>
References: <20040818223711.GI764770@hiwaay.net> <20040820144506.GA1442100@hiwaay.net>
Message-ID: <4131B27E.5090303@zip.com.au>

Chris Adams wrote:
[...]
>>- agent-ptrace fails; it looks like setgid isn't enough to kill tracing
>>  under Tru64, and I can't find anything that looks like it will (like
>>  Linux's prctl).
>
> Is there any standard that documents when a process will be traceable?
> I don't see anything in SUSv3. IOW: should this be considered an OS bug
> or just an unavailable feature?

I don't think the behaviour is mandated anywhere, so I'd call it an
unavailable feature.

> I see this test is already skipped for
> a couple of OSes, so I guess (at least for now) the suggested patch
> would be:

Applied, thanks.

>>- reconfigure hangs; the script appears to get stuck in a loop. I tried
>>  turning on shell tracing; it looks like it is hanging when the script
>>  is called with "$TEST_SHELL -n $SCRIPT" to check it for errors. Using
>>  TEST_SHELL=/bin/ksh makes it work.
>
> Another way to fix this (without explicitly changing the shell)

This I haven't applied. Does putting TEST_SHELL=ksh into the configure
block (similar to the *-*-sco3.2v4* entry) resolve the problem?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Sun Aug 29 22:20:21 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 29 Aug 2004 22:20:21 +1000
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <411B76C8.6000208@zip.com.au>
References: <411B76C8.6000208@zip.com.au>
Message-ID: <4131CA05.4030906@zip.com.au>

Darren Tucker wrote:
> OpenSSH is getting ready for a release soon, so we are asking for
> all interested parties to test a snapshot.

I want to thank everyone for their efforts in testing, it was much
appreciated.

I have attempted to collect all of the stuff uncovered during testing but
was not critical enough to make the release. I think they've all now been
committed except for those listed below. If you found something that's not
on that list and not in tomorrow's snapshot then please assume it's been
missed and re-send it.

Remaining known issues are:

* tests hanging during $TEST_SHELL -n script (Tru64, Solaris 2.6)
  Setting TEST_SHELL=ksh in the configure block seems to be the right
  solution to this?

* head -1/head -n1 with recent GNU utils (bug #912)
  Need to decide on what to do. head -n may not work on older platforms.

* Only copy basic Windows environment (bug #915)
  Patch awaiting review.

* ssh_gssapi_storecreds called too late for PAM (bug #918)
  Someone who knows krb5/gssapi want to comment on that one?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From jau at iki.fi Sun Aug 29 23:05:32 2004
From: jau at iki.fi (Jukka A. Ukkonen)
Date: Sun, 29 Aug 2004 16:05:32 +0300 (EEST)
Subject: uidswap.c breaks ssh when originating user is root
Message-ID: <200408291305.i7TD5W0N081451@cs78135006.pp.htv.fi>

EHLO,

Somehow I don't think it makes any sense to test whether the gid/egid can
be changed, if the original uid happened to be root. Root can always change
the gid/egid anyhow.

So, I would like to propose the following change to 3.9p1...

--- uidswap.c.orig Sun Aug 29 15:43:57 2004 +++ uidswap.c Sun Aug 29 15:44:05 2004 @@ -201,7 +201,7 @@ #endif /* Try restoration of GID if changed (test clearing of saved gid) */ - if (old_gid != pw->pw_gid && + if (old_uid && (old_gid != pw->pw_gid) && (setgid(old_gid) != -1 || setegid(old_gid) != -1)) fatal("%s: was able to restore old [e]gid", __func__);

After this change also root can again use ssh-3.9p1.

I hope this helps.

Cheers,
// jau

.--- ..- -.- -.- .- .- .-.-.- ..- -.- -.- --- -. . -.
/ Jukka A. Ukkonen, Mawit Ltd, Finland
/__ M.Sc. (sw-eng & cs) (Phone) +358-500-606-671
/ Internet: Jukka.Ukkonen(a)Mawit.Com (Home) +358-9-6215-280
/ Internet: ukkonen(a)nic.funet.fi
v Internet: jau(a)iki.fi
.--- .- ..- ...-.- .. -.- .. .-.-.- ..-. ..

+ + + + My opinions are mine and mine alone, not my employers. + + + +

From stuge-openssh-unix-dev at cdy.org Sun Aug 29 23:28:09 2004
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Sun, 29 Aug 2004 15:28:09 +0200
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <4131CA05.4030906@zip.com.au>
References: <411B76C8.6000208@zip.com.au> <4131CA05.4030906@zip.com.au>
Message-ID: <20040829132809.GA12028@foo.birdnet.se>

On Sun, Aug 29, 2004 at 10:20:21PM +1000, Darren Tucker wrote:
> * head -1/head -n1 with recent GNU utils (bug #912)
>   Need to decide on what to do. head -n may not work on older
>   platforms.

Indeed. Those older platforms shouldn't mind that POSIX version environment
variable, though.

//Peter

From wertmane at comcast.net Mon Aug 30 02:56:01 2004
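Review bot: the root exemption in the uidswap.c hunk (`- if (old_gid != pw->pw_gid &&` becoming `+ if (old_uid && (old_gid != pw->pw_gid) &&`) is placed inside permanently_set_uid() itself, so it silences the saved-gid check for every caller that starts as uid 0, not only the setuid clients that hit the "newgrp bin" problem; Darren's reply earlier in this thread says the check is desired behaviour for permanently_set_uid() and that the special case belongs in ssh and ssh-keysign. If the change does stay here, spell the test as `old_uid != 0` rather than relying on the truth value of a uid_t, and add a one-line comment stating why uid 0 is exempt (it can set any gid, so a successful setgid(old_gid) proves nothing about the saved gid), since the surrounding comment still says the test is about "clearing of saved gid".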
From: wertmane at comcast.net (Eric Wertman)
Date: Sun, 29 Aug 2004 12:56:01 -0400
Subject: column width and xterms
In-Reply-To: <4131AA56.4010803@zip.com.au>
References: <000001c48c9e$2c012350$0100a8c0@monolith> <4131AA56.4010803@zip.com.au>
Message-ID: <41320AA1.5000902@comcast.net>

The client doesn't seem to matter... mostly I see the behavior running an
xterm through eXceed or using PuTTy, but that's just a function of how I
get my work done.

The problem usually occurs when I initially re-size the window. If I ssh
in, and maximize the window, the column width change isn't picked up. Seems
like if I use `su` or `clear` (or ssh to another box from there) after I
resize the window the problem will sometimes go away. I'm going to try
tomorrow and verify the exact circumstances when it doesn't.

Thanks;

Eric

Darren Tucker wrote:
> Eric Wertman wrote:
>
>> In the last few versions of openssh (3.7.1p1, 3.8p1, and 3.9) I've had an
>> interesting problem with the window scaling on AIX. The line will
>> start to
>> wrap regardless of what the actual width of my terminal window is. I've
>> mostly been using Darren Tucker's packages, but since I've been
>> annoyed by
>> the problem for a while, I decided to try and compile my own... and I
>> find
>> the same problem that way. Seems to be the same on AIX 4.3.3ml10 and AIX
>> 5.2ml02 (and 03).
>>
>> Anyone seen this, or know of a fix?
>
>
> Is that logging in to an AIX box, or logging into another box from an
> AIX client?
>
> I've heard of that when the OS (I think it was Debian but I could be
> wrong) doesn't set the width properly before you run ssh. Does the
> problem persist if you run "stty cols 80 rows 25" on the client before
> running ssh? What about resizing the window?
>

From vinschen at redhat.com Mon Aug 30 18:52:34 2004
From: vinschen at redhat.com (Corinna Vinschen)
Date: Mon, 30 Aug 2004 10:52:34 +0200
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <4131CA05.4030906@zip.com.au>
References: <411B76C8.6000208@zip.com.au> <4131CA05.4030906@zip.com.au>
Message-ID: <20040830085234.GA17670@cygbert.vinschen.de>

Hi Darren,

On Aug 29 22:20, Darren Tucker wrote:
> * Only copy basic Windows environment (bug #915)
>   Patch awaiting review.

I've attached a new patch with your suggestions (attachment id=706).

Corinna

-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat, Inc.

From Robert.Dahlem at gmx.net Tue Aug 31 05:29:03 2004
From: Robert.Dahlem at gmx.net (Robert Dahlem)
Date: Mon, 30 Aug 2004 21:29:03 +0200
Subject: sshd 3.9p1 under Reliant Unix 5.45: getpeername: Operation not supported on transport endpoint
In-Reply-To: <41316F55.9010607@zip.com.au>
Message-ID: <20040830192606.E3FCD27C187@shitei.mindrot.org>

On Sun, 29 Aug 2004 15:53:25 +1000, Darren Tucker wrote:

>>>It looks like your dup() is indeed broken. It should be too hard to
>>>have a replacement function (or #define) to transparently cope with
>>>this.
>> Host: mips-sni-sysv4
>> Would you accept a patch like
>>     #define dup(fd) fcntl(fd, F_DUPFD, 0)
>> for this platform?
>I think that would be OK. Does the attached patch work?

It's quite embarrassing but I have to confess that this doesn't work
either. Looks like I did my "successful" test with -r. Sorry for the
confusion. :-(

Some further investigations and (kind of desperate) experiments:

I can do neither getpeername() nor getsockname() on the dup()ed socket as
long as sock_in gets a value of 3.

This (original code) doesn't work:

    sock_in = sock_out = dup(STDIN_FILENO);                 /* 3 */

This doesn't work either:

    sock_in = sock_out = dup(STDIN_FILENO);
    close(sock_in);
    sock_in = sock_out = dup(STDIN_FILENO);                 /* 3 */

This doesn't work either:

    sock_in = sock_out = fcntl(STDIN_FILENO, F_DUPFD, 0);   /* 3 */

This works:

    sock_in = sock_out = fcntl(STDIN_FILENO, F_DUPFD, 4);   /* 4 */

This works too:

    sock_in = sock_out = dup(STDIN_FILENO);
    sock_in = sock_out = dup(STDIN_FILENO);                 /* 4 */

This works too:

    sock_in = sock_out = dup(STDIN_FILENO);
    sock_in = sock_out = dup(sock_in);                      /* 4 */

To summarise: Reliant Unix 5.45 dislikes the situation when the result of
dup() is 3.

Perhaps someone here on the list has a helpful pointer what to research
next.

Regards,
Robert

From deengert at anl.gov Tue Aug 31 06:44:54 2004
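The descriptor sequence Robert sketches earlier in this thread and the F_DUPFD experiments above, as an added example (editor's code, not OpenSSH's and not Robert's test program). A socketpair() stands in for the accept()ed connection, constructed so the program runs offline, and the socket is duplicated directly instead of being passed through STDIN_FILENO and a re-exec; dup_from(), probe_socket() and dup_and_probe() are names chosen for the example. On a system whose dup() behaves, every minfd value should yield a duplicate on which getsockname() and getpeername() work.

```c
/* Added example: reproduce "connected socket -> dup -> getpeername"
 * offline and try the fcntl(F_DUPFD, n) variants from the thread. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* The dup() replacement discussed in the thread.  F_DUPFD returns the
 * lowest free descriptor >= minfd; with minfd == 0 it is dup(fd). */
int dup_from(int fd, int minfd)
{
	return fcntl(fd, F_DUPFD, minfd);
}

/* sshd's first use of the inherited socket: ask the kernel about both
 * ends.  Returns 0 if getsockname() and getpeername() both succeed on
 * the descriptor, -1 with errno set otherwise. */
int probe_socket(int fd)
{
	struct sockaddr_storage ss;
	socklen_t len;

	len = sizeof(ss);
	if (getsockname(fd, (struct sockaddr *)&ss, &len) == -1)
		return -1;
	len = sizeof(ss);
	if (getpeername(fd, (struct sockaddr *)&ss, &len) == -1)
		return -1;
	return 0;
}

/* One experiment: connected socket (socketpair, constructed stand-in for
 * accept()) -> duplicate via F_DUPFD from minfd -> probe the duplicate.
 * Returns the descriptor number the duplicate landed on, the value that
 * mattered on Reliant Unix, or -1 if socketpair()/fcntl() failed.
 * *probe_ok is set to 1 if the probe succeeded on the duplicate. */
int dup_and_probe(int minfd, int *probe_ok)
{
	int sv[2], dupfd, saved;

	*probe_ok = 0;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
		return -1;
	dupfd = dup_from(sv[0], minfd);
	if (dupfd != -1) {
		*probe_ok = probe_socket(dupfd) == 0;
		saved = errno;
		close(dupfd);
		errno = saved;
	}
	close(sv[0]);
	close(sv[1]);
	return dupfd;
}

int main(void)
{
	int minfds[] = { 0, 4 };	/* the two cases tried in the thread */
	size_t i;

	for (i = 0; i < sizeof(minfds) / sizeof(minfds[0]); i++) {
		int ok, fd = dup_and_probe(minfds[i], &ok);

		if (fd == -1)
			printf("F_DUPFD from %d: failed: %s\n", minfds[i],
			    strerror(errno));
		else
			printf("F_DUPFD from %d: duplicate is fd %d, "
			    "getpeername/getsockname %s\n", minfds[i], fd,
			    ok ? "work" : "fail");
	}
	return 0;
}
```

Run on the affected host, the output would show directly whether the failure follows the descriptor number (as Robert's experiments suggest) or the way the duplicate was created, which is the question the thread leaves open.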
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 30 Aug 2004 15:44:54 -0500
Subject: Pending OpenSSH release, call for testing.
In-Reply-To: <4131CA05.4030906@zip.com.au>
References: <411B76C8.6000208@zip.com.au> <4131CA05.4030906@zip.com.au>
Message-ID: <413391C6.9000501@anl.gov>

Darren Tucker wrote:
> Darren Tucker wrote:
>
>> OpenSSH is getting ready for a release soon, so we are asking for
>> all interested parties to test a snapshot.
>
>
> * ssh_gssapi_storecreds called too late for PAM (bug #918)
>   Someone who knows krb5/gssapi want to comment on that one?
>

(I wrote the bug report, but can comment on it as well.)

The idea is to pass on to a pam session routine the KRB5CCNAME environment
variable. This can be used with a pam_openafs session routine to get a PAG
and AFS token for example. The KRB5CCNAME is the pointer to the Kerberos
ticket cache with the delegated credentials from GSSAPI. The AFS aklog can
use this to get an AFS token.

gss-serv-krb5.c already had a call to do_pam_putenv to add the KRB5CCNAME
to the pam_environment. This was in 3.8. But the call to
ssh_gssapi_storecreds in session.c which eventually calls the do_pam_putenv
is called AFTER the do_pam_session. Thus the KRB5CCNAME is not passed in to
the pam session routine.

This mod moves the call to ssh_gssapi_storecreds before the call to
do_pam_session.

In the following traces, the pam_sm_open_session lines are written to
stderr by my test pam routine.
A sample trace without this mod:

Accepted gssapi-with-mic for uuuuuu from nnn.nnn.nnn.nnn port 40883 ssh2
pam_sm_open_session flag=0
pam_sm_open_session pid=16163 uid=0 euid=0
pam_sm_open_session, pw_dir=/afs/my.cell/usr/uuuuuu
pam_sm_open_session Kenv=(none)                <------------ no KRB5CCNAME
debug1: PAM: reinitializing credentials

With this mod:

Accepted gssapi-with-mic for uuuuuu from nnn.nnn.nnn.nnn port 1261 ssh2
debug1: temporarily_use_uid: 100/100 (e=0/100)
debug1: restore_uid: 0/100
pam_sm_open_session flag=0
pam_sm_open_session pid=15900 uid=0 euid=0
pam_sm_open_session, pw_dir=/afs/my.cell/usr/uuuuuu
pam_sm_open_session Kenv=FILE:/tmp/krb5cc_100_y15900  <---- found KRB5CCNAME
debug1: PAM: reinitializing credentials

Note: If this mod is added, even if the kafs lib is not available, sshd can
still be used with AFS. This would allow one to use a vendor's build of
OpenSSH even if not built with AFS. One would not need to do a rebuild!
All that is needed is for OpenAFS to provide the pam session routine, thus
making for a clean separation of OpenSSH and OpenAFS. Eventually the
USE_AFS code could be removed from OpenSSH.

Unfortunately, if the system does not have PAM, then one would still need
to use the older methods.

There are three ways a Kerberos ticket cache could be created in OpenSSH:
(1) delegated by the GSSAPI, (2) by ChallengeResponse and PAM, (3) created
by the auth-krb5 from entering a user/password.

(1) is covered by the above.
(2) can be taken care of internally by pam_krb5.
(3) needs an additional mod. I can submit this mod as a bug for case (3)
if you want.

--- ,auth-krb5.c Sat Aug 14 08:55:37 2004 +++ auth-krb5.c Mon Aug 30 14:31:30 2004
@@ -187,6 +187,11 @@ snprintf(authctxt->krb5_ccname, len, "FILE:%s", authctxt->krb5_ticket_file); +#ifdef USE_PAM + if (options.use_pam) + do_pam_putenv("KRB5CCNAME",authctxt->krb5_ccname); +#endif + out: restore_uid();

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From rootman at web.de Tue Aug 31 18:14:48 2004
From: rootman at web.de (Frank Beckmann)
Date: Tue, 31 Aug 2004 10:14:48 +0200
Subject: ssh / ssh-agent hang on exit
Message-ID: <1251553520@web.de>

Hi :-)

we use ssh-agent, on exit it hangs

# ^D
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 15151 killed;

:-(

under OpenSSH_3.6.1p2 we have no problems with the agent.

Frank

client putty
OS Solaris8

_______________________________________________________
WEB.DE Video-Mail - Sagen Sie mehr mit bewegten Bildern
Informationen unter: http://freemail.web.de/?mc=021199

From dtucker at zip.com.au Tue Aug 31 21:22:51 2004
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 31 Aug 2004 21:22:51 +1000
Subject: ssh / ssh-agent hang on exit
In-Reply-To: <1251553520@web.de>
References: <1251553520@web.de>
Message-ID: <41345F8B.8000009@zip.com.au>

Frank Beckmann wrote:
> we use ssh-agent, on exit it hangs
> # ^D
> unset SSH_AUTH_SOCK;
> unset SSH_AGENT_PID;
> echo Agent pid 15151 killed;
> :-(

This seems to work OK on my Solaris 8 box. Is the agent still showing in
the process list? Perhaps it's something else other than the agent causing
the hang, are there any other long-running processes?

$ eval `ssh-agent`
Agent pid 426
$ eval `ssh-agent -k`
Agent pid 426 killed
$ exit
logout
Connection to localhost closed.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From michael at mhill.net Tue Aug 31 16:02:53 2004
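Review bot: in the auth-krb5.c hunk the result of `do_pam_putenv("KRB5CCNAME",authctxt->krb5_ccname);` is discarded, so if exporting the ticket-cache name into the PAM environment fails the session module silently sees Kenv=(none) exactly as in the "without this mod" trace above; check the result and log it at debug level at least. Two smaller points: the argument list is missing the space after the comma, and the file header `--- ,auth-krb5.c` carries a stray comma in the old file name, which should read `--- auth-krb5.c` so the patch applies cleanly with -p0. A one-line comment saying why the variable has to be placed in the PAM environment at this point (so that it is visible to the session modules run by do_pam_session, per the message) would save the next reader a trip to the bug report.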
From: michael at mhill.net (Michael Hill)
Date: Tue, 31 Aug 2004 00:02:53 -0600
Subject: Submitting code
Message-ID: <20040831060253.GB12710@toybox.mhill.net>

Hello, all.

When packaging OpenSSH releases, for a long time I've been converting the
man pages for sshd and ssh into sample config files, to ensure that the
options described in the config files were up to date with those actually
supplied by the code.

Nearly two years ago, I tired of the tedious manual process and wrote a
Perl script to do the work for me. It's called man2config.pl, and I'd like
to submit it for possible inclusion with the OpenSSH code (OpenBSD base as
well as portable).

I am attaching a tbz2 file containing the output generated from the 3.9p1
release; I hope it's a small enough attachment to avoid annoying anybody.
:^) Please note that the generated configs contain about five default
settings that I consider important; these are set within the script, and
can be changed if need be.

Please let me know if/how I should submit the Perl script.

Thanks for your time & consideration.

-- 
--Michael
-------------------------------------------------------------------------------
Michael Hill <>< Isaiah 9:6 | michael AT mhill DOT net |
# find / -name '*[Bb][Aa][Ss][Ee]*' \
Aerospace/Software Engineer | > -user your -print | xargs chown us:cats
http://www.qadas.com/~msh/ |
---In a marketplace (like the one of ideas), not everything has equal value!---
Did you ever notice that everybody in favor of abortion has already been born?!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040831/5e8d572d/attachment.bin

From glen at montreal.hcl.com Tue Aug 31 23:08:21 2004
From: glen at montreal.hcl.com (Glen Matthews)
Date: Tue, 31 Aug 2004 09:08:21 -0400
Subject: Terminal mode (repost)
Message-ID: <005201c48f5b$96ffa9f0$1b01040a@montreal.hcl.com>

Hi,

I posted this before (I thought) but I'll give it another try (looks like
it arrived on the list on Saturday). :-(

I'm trying to connect to an openssh server, and setting some terminal
modes. However, they don't seem to do what I want. Specifically, I'm trying
to disable echo from the server - hence the four modes in the sshd trace
below (53 for example is ECHO). I've looked at the code. 0 would indicate
that the option is negated in the c_lflag field. And it seems like the
modes are applied to the pty successfully (else one would get an error:
Setting tty modes failed: ) ... Yet I still get input echoed on the
session.

Any ideas? Are these modes not doing what I would expect them to do?

Glen Matthews

-------server trace extract---------
debug1: server_input_channel_open: ctype session rchan 0 win 3000 max 35000
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request x11-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req x11-req
debug2: fd 10 setting O_NONBLOCK
debug2: fd 10 is O_NONBLOCK
debug1: channel 1: new [X11 inet listener]
debug2: fd 11 setting O_NONBLOCK
debug2: fd 11 is O_NONBLOCK
debug1: channel 2: new [X11 inet listener]
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug3: mm_request_send entering: type 25
debug3: mm_pty_allocate: waiting for MONITOR_ANS_PTY
debug3: mm_request_receive_expect entering: type 26
debug3: mm_request_receive entering
debug3: monitor_read: checking request 25
debug3: mm_answer_pty entering
debug1: session_new: init
debug1: session_new: session 0
debug3: mm_request_send entering: type 26
debug3: Trying to reverse map address 10.4.1.27.
debug3: mm_answer_pty: tty /dev/pts/3 ptyfd 4
debug3: mm_request_receive entering
debug1: session_pty_req: session 0 alloc /dev/pts/3
debug3: tty_parse_modes: SSH2 n_bytes 21
debug3: tty_parse_modes: 53 0
debug3: tty_parse_modes: 54 0
debug3: tty_parse_modes: 55 0
debug3: tty_parse_modes: 56 0
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug2: fd 6 setting TCP_NODELAY
debug2: fd 13 setting O_NONBLOCK
debug2: fd 12 is O_NONBLOCK
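What the four "tty_parse_modes: 5x 0" lines in Glen's trace (both the original post and this repost) encode, as an added example that is editor's code, not OpenSSH's tty_parse_modes(): a decoder for the SSH2 pty-req terminal-modes blob (one opcode byte followed by a big-endian uint32 argument, ended by TTY_OP_END) that applies the local-mode opcodes to a termios c_lflag. The 21-byte blob is constructed to match the trace ("n_bytes 21" is four five-byte entries plus the terminator); the opcode numbers are the RFC 4254 section 8 values, and build_trace_blob()/lflag_after_trace() are names chosen for the example.

```c
/* Added example: decode an SSH2 terminal-modes blob and apply the
 * c_lflag opcodes the way a server does before starting the session. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>

#define TTY_OP_END 0

/* RFC 4254 section 8 opcodes that live in c_lflag (subset). */
static const struct { uint8_t op; tcflag_t flag; const char *name; } lflag_ops[] = {
	{ 50, ISIG, "ISIG" },     { 51, ICANON, "ICANON" }, { 53, ECHO, "ECHO" },
	{ 54, ECHOE, "ECHOE" },   { 55, ECHOK, "ECHOK" },   { 56, ECHONL, "ECHONL" },
	{ 57, NOFLSH, "NOFLSH" }, { 58, TOSTOP, "TOSTOP" }, { 59, IEXTEN, "IEXTEN" },
};

/* Parse buf[0..n): opcode byte + 4-byte big-endian argument, repeated until
 * TTY_OP_END.  A recognised local-mode opcode sets (arg != 0) or clears
 * (arg == 0) its bit in *lflag; unknown opcodes 1-159 are skipped.  Returns
 * the number of opcodes consumed, or -1 if the blob is truncated, has no
 * terminator, or uses an opcode >= 160 (undefined in the SSH2 encoding). */
int tty_parse_modes_blob(const uint8_t *buf, size_t n, tcflag_t *lflag)
{
	size_t i = 0, k;
	int count = 0;

	while (i < n) {
		uint8_t op = buf[i++];
		uint32_t arg;

		if (op == TTY_OP_END)
			return count;
		if (op >= 160 || i + 4 > n)
			return -1;
		arg = ((uint32_t)buf[i] << 24) | ((uint32_t)buf[i + 1] << 16) |
		    ((uint32_t)buf[i + 2] << 8) | buf[i + 3];
		i += 4;
		count++;
		for (k = 0; k < sizeof(lflag_ops) / sizeof(lflag_ops[0]); k++) {
			if (lflag_ops[k].op != op)
				continue;
			if (arg)
				*lflag |= lflag_ops[k].flag;
			else
				*lflag &= ~lflag_ops[k].flag;
			printf("tty_parse_modes: %u %u (%s %s)\n", op, arg,
			    lflag_ops[k].name, arg ? "set" : "cleared");
		}
	}
	return -1;	/* ran off the end without TTY_OP_END */
}

/* Build the blob behind the trace: 53 0, 54 0, 55 0, 56 0, TTY_OP_END.
 * Returns the length written (21, matching "n_bytes 21"), 0 if cap is
 * too small.  Constructed sample input, not captured from the wire. */
size_t build_trace_blob(uint8_t *out, size_t cap)
{
	static const uint8_t ops[] = { 53, 54, 55, 56 };
	size_t i, len = 0;

	if (cap < sizeof(ops) * 5 + 1)
		return 0;
	for (i = 0; i < sizeof(ops); i++) {
		out[len++] = ops[i];
		memset(out + len, 0, 4);	/* argument 0 = clear the flag */
		len += 4;
	}
	out[len++] = TTY_OP_END;
	return len;
}

/* The c_lflag that results from applying the trace's blob to a typical
 * cooked-mode starting value; (tcflag_t)-1 if parsing failed. */
tcflag_t lflag_after_trace(void)
{
	uint8_t blob[32];
	size_t n = build_trace_blob(blob, sizeof(blob));
	tcflag_t lflag = ICANON | ISIG | ECHO | ECHOE | ECHOK | ECHONL;

	if (tty_parse_modes_blob(blob, n, &lflag) != 4)
		return (tcflag_t)-1;
	return lflag;
}

int main(void)
{
	tcflag_t lf = lflag_after_trace();

	if (lf == (tcflag_t)-1)
		return 1;
	printf("after pty-req modes: ECHO %s, ICANON %s\n",
	    (lf & ECHO) ? "on" : "off", (lf & ICANON) ? "on" : "off");
	return 0;
}
```

Decoded this way, the blob in the trace does clear ECHO, ECHOE, ECHOK and ECHONL on the pty's c_lflag; the trace itself says nothing about what the program started by the later "shell" request does to those flags.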