From dlssh at leach.net.au Wed Sep 1 03:23:41 2004 From: dlssh at leach.net.au (David Leach) Date: Wed, 1 Sep 2004 01:23:41 +0800 (SGT) Subject: [PATCH] supporting a remote scp path option in scp Message-ID: <4620.192.168.0.3.1093973021.squirrel@www.leach.net.au> Hi there, I've written some enhancements to scp.c and pathnames.h to enable the scp to arbitrarily set the remote scp path. (eg $ scp -e /usr/bin/scp foo user at bar:foo) I did read the "scp: command not found" FAQ entry but I'm not quite sure why we can't do this, unless it's because enhancements to scp are no longer a priority. Any other reason why it "is the way it is" other than that? The patch is below, all I've really done is replaced char cmd[CMDNEEDS] with char *rspcmd throughout. Forgive any dodgy coding, I'm not a developer during the day :). I haven't been able to test the patch below because I don't have a handy openbsd box, I have tested a patch under the portable version that seems to work fine. Let me know if I'm better off providing that. My reason for wanting is that it means server side scripts that wrap around forced commands can tie scp down to the absolute path. Incidentally, if there is a reason why anyone thinks this is a bad idea, please let me know. Regards, David. --- pathnames.h Mon Jul 12 01:48:47 2004 +++ pathnames.h Wed Sep 1 00:48:12 2004 @@ -45,6 +45,8 @@ */ #define _PATH_SSH_DAEMON_PID_FILE _PATH_SSH_PIDDIR "/sshd.pid" +#define _PATH_SCP_REMOTE_PROGRAM "/usr/bin/scp" + /* * The directory in user\'s home directory in which the files reside. The * directory should be world-readable (though not all files are). --- scp.c Thu Aug 12 05:44:32 2004 +++ scp.c Wed Sep 1 00:48:51 2004 @@ -102,6 +102,9 @@ /* This is the program to execute for the secured connection. ("ssh" or -S) */ char *ssh_program = _PATH_SSH_PROGRAM; +/* This is the program to execute for the remote scp. ("scp" or -e) */ +char *scp_remote_program = _PATH_SCP_REMOTE_PROGRAM; + /* This is used to store the pid of ssh_program */ pid_t do_cmd_pid = -1; @@ -198,8 +201,8 @@ int errs, remin, remout; int pflag, iamremote, iamrecursive, targetshouldbedirectory; -#define CMDNEEDS 64 -char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */ +char *rscpcmd; /* must hold scp_remote_program + "-r -p -d\0" */ + int response(void); void rsource(char *, struct stat *); @@ -212,12 +215,13 @@ int main(int argc, char **argv) { - int ch, fflag, tflag, status; + int ch, fflag, tflag, status, rscpcmdlen; double speed; char *targ, *endp; extern char *optarg; extern int optind; + rscpcmdlen = 1; args.list = NULL; addargs(&args, "ssh"); /* overwritten with ssh_program */ addargs(&args, "-x"); @@ -225,7 +229,7 @@ addargs(&args, "-oClearAllForwardings yes"); fflag = tflag = 0; - while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q1246S:o:F:")) != -1) + while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q1246S:o:F:e:")) != -1) switch (ch) { /* User-visible flags. */ case '1': @@ -255,9 +259,14 @@ break; case 'p': pflag = 1; + rscpcmdlen += 3; break; case 'r': iamrecursive = 1; + rscpcmdlen += 3; + break; + case 'e': + scp_remote_program = xstrdup(optarg); break; case 'S': ssh_program = xstrdup(optarg); @@ -265,6 +274,7 @@ case 'v': addargs(&args, "-v"); verbose_mode = 1; + rscpcmdlen += 3; break; case 'q': addargs(&args, "-q"); @@ -274,6 +284,7 @@ /* Server options. */ case 'd': targetshouldbedirectory = 1; + rscpcmdlen += 3; break; case 'f': /* "from" */ iamremote = 1; @@ -316,8 +327,11 @@ remin = remout = -1; do_cmd_pid = -1; + rscpcmdlen += strlen(scp_remote_program); + rscpcmd = xmalloc(rscpcmdlen); /* Command to be executed on remote system using "ssh". */ - (void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s", + (void) snprintf(rscpcmd, rscpcmdlen, "%s%s%s%s%s", + scp_remote_program, verbose_mode ? " -v" : "", iamrecursive ? " -r" : "", pflag ? " -p" : "", targetshouldbedirectory ? " -d" : ""); @@ -347,6 +361,7 @@ errs = 1; } } + xfree(rscpcmd); exit(errs != 0); } @@ -383,7 +398,7 @@ len = strlen(ssh_program) + strlen(argv[i]) + strlen(src) + (tuser ? strlen(tuser) : 0) + strlen(thost) + strlen(targ) + - strlen(ssh_options) + CMDNEEDS + 20; + strlen(ssh_options) + strlen(rscpcmd) + 20; bp = xmalloc(len); if (host) { *host++ = 0; @@ -403,7 +418,7 @@ "%s%s %s -n " "-l %s %s %s %s '%s%s%s:%s'", ssh_program, verbose_mode ? " -v" : "", - ssh_options, suser, host, cmd, src, + ssh_options, suser, host, rscpcmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); } else { @@ -412,7 +427,7 @@ "exec %s%s %s -n %s " "%s %s '%s%s%s:%s'", ssh_program, verbose_mode ? " -v" : "", - ssh_options, host, cmd, src, + ssh_options, host, rscpcmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); } @@ -423,9 +438,9 @@ (void) xfree(bp); } else { /* local to remote */ if (remin == -1) { - len = strlen(targ) + CMDNEEDS + 20; + len = strlen(targ) + strlen(rscpcmd) + 20; bp = xmalloc(len); - (void) snprintf(bp, len, "%s -t %s", cmd, targ); + (void) snprintf(bp, len, "%s -t %s", rscpcmd, targ); host = cleanhostname(thost); if (do_cmd(host, tuser, bp, &remin, &remout, argc) < 0) @@ -473,9 +488,9 @@ suser = pwd->pw_name; } host = cleanhostname(host); - len = strlen(src) + CMDNEEDS + 20; + len = strlen(src) + strlen(rscpcmd) + 20; bp = xmalloc(len); - (void) snprintf(bp, len, "%s -f %s", cmd, src); + (void) snprintf(bp, len, "%s -f %s", rscpcmd, src); if (do_cmd(host, suser, bp, &remin, &remout, argc) < 0) { (void) xfree(bp); ++errs; @@ -1013,7 +1028,7 @@ { (void) fprintf(stderr, "usage: scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n" - " [-l limit] [-o ssh_option] [-P port] [-S program]\n" + " [-l limit] [-o ssh_option] [-P port] [-S program] [-e program]\n" " [[user@]host1:]file1 [...] [[user@]host2:]file2\n"); exit(1); } From cycloon at is-root.org Wed Sep 1 04:14:44 2004 From: cycloon at is-root.org (Christian Gut) Date: Tue, 31 Aug 2004 20:14:44 +0200 Subject: scp does a local copy when ommiting : Message-ID: <1093976084.17439.11.camel@vertex.home.cycloon.org> Hi, I run into this quiet often: If you forget to add the : after the hostname you want to copy a file to, then scp does a simple local copy. This is quiet confusing if you dont notice it: "scp foo.txt server.bar.com:" (copies the file to remote homedir) "scp foo.txt server.bar.com" (creates the new file server.bar.com) I don't know if this behaviour is intended or even needed, but if not I would be glad if this could be fixed to prevent some mistakes. Thanks Christian Gut -- Christian Gut -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040831/c875ab55/attachment.bin From djm at mindrot.org Wed Sep 1 08:05:00 2004 From: djm at mindrot.org (Damien Miller) Date: Wed, 01 Sep 2004 08:05:00 +1000 Subject: scp does a local copy when ommiting : In-Reply-To: <1093976084.17439.11.camel@vertex.home.cycloon.org> References: <1093976084.17439.11.camel@vertex.home.cycloon.org> Message-ID: <4134F60C.6090401@mindrot.org> Christian Gut wrote: > Hi, > > I run into this quiet often: > > If you forget to add the : after the hostname you want to copy a file > to, then scp does a simple local copy. This is quiet confusing if you > dont notice it: > > "scp foo.txt server.bar.com:" (copies the file to remote homedir) > "scp foo.txt server.bar.com" (creates the new file server.bar.com) > > I don't know if this behaviour is intended or even needed, but if not I > would be glad if this could be fixed to prevent some mistakes. This would be a major change to scp's argument parsing - something we don't want to do. I'm sure that there are scripts out there that depend on this behaviour (which derives from 20+ year old rcp). -d From dan at doxpara.com Wed Sep 1 08:39:09 2004 From: dan at doxpara.com (Dan Kaminsky) Date: Tue, 31 Aug 2004 15:39:09 -0700 Subject: scp does a local copy when ommiting : In-Reply-To: <4134F60C.6090401@mindrot.org> References: <1093976084.17439.11.camel@vertex.home.cycloon.org> <4134F60C.6090401@mindrot.org> Message-ID: <4134FE0D.2070907@doxpara.com> Damien Miller wrote: >Christian Gut wrote: > > >>Hi, >> >>I run into this quiet often: >> >>If you forget to add the : after the hostname you want to copy a file >>to, then scp does a simple local copy. This is quiet confusing if you >>dont notice it: >> >>"scp foo.txt server.bar.com:" (copies the file to remote homedir) >>"scp foo.txt server.bar.com" (creates the new file server.bar.com) >> >>I don't know if this behaviour is intended or even needed, but if not I >>would be glad if this could be fixed to prevent some mistakes. >> >> > >This would be a major change to scp's argument parsing - something we >don't want to do. I'm sure that there are scripts out there that depend >on this behaviour (which derives from 20+ year old rcp). > >-d > >_______________________________________________ >openssh-unix-dev mailing list >openssh-unix-dev at mindrot.org >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > Compromise -- could we set an environment variable to disable self-copies like this? I've made this error hundreds of times. --Dan From djm at mindrot.org Wed Sep 1 08:41:54 2004 From: djm at mindrot.org (Damien Miller) Date: Wed, 01 Sep 2004 08:41:54 +1000 Subject: scp does a local copy when ommiting : In-Reply-To: <4134FE0D.2070907@doxpara.com> References: <1093976084.17439.11.camel@vertex.home.cycloon.org> <4134F60C.6090401@mindrot.org> <4134FE0D.2070907@doxpara.com> Message-ID: <4134FEB2.2050405@mindrot.org> Dan Kaminsky wrote: > Compromise -- could we set an environment variable to disable > self-copies like this? I've made this error hundreds of times. we don't want to add knobs and buttons either. Help finish off sftp if you want a sane replacement, it just needs: - recursive operations - a better commandline parser (e.g. that supports local->remote copies) -d From cycloon at is-root.org Wed Sep 1 15:57:51 2004 From: cycloon at is-root.org (Christian Gut) Date: Wed, 01 Sep 2004 07:57:51 +0200 Subject: scp does a local copy when ommiting : In-Reply-To: <4134F60C.6090401@mindrot.org> References: <1093976084.17439.11.camel@vertex.home.cycloon.org> <4134F60C.6090401@mindrot.org> Message-ID: <1094018271.17439.18.camel@vertex.home.cycloon.org> On Wed, 2004-09-01 at 00:05, Damien Miller wrote: > > If you forget to add the : after the hostname you want to copy a file > > to, then scp does a simple local copy. This is quiet confusing if you > > dont notice it: > > > > "scp foo.txt server.bar.com:" (copies the file to remote homedir) > > "scp foo.txt server.bar.com" (creates the new file server.bar.com) > > > > I don't know if this behaviour is intended or even needed, but if not I > > would be glad if this could be fixed to prevent some mistakes. > > This would be a major change to scp's argument parsing - something we > don't want to do. I'm sure that there are scripts out there that depend > on this behaviour (which derives from 20+ year old rcp). Well, I nearly expected something like this. Its just so annoying.. But thanks for your reply anyway. -- Christian Gut -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040901/cd74e4a3/attachment.bin From huaraz at moeller.plus.com Wed Sep 1 19:05:22 2004 From: huaraz at moeller.plus.com (Markus Moeller) Date: Wed, 01 Sep 2004 10:05:22 +0100 Subject: Pending OpenSSH release, call for testing. Message-ID: <20040901090305.A403D27C187@shitei.mindrot.org> Could you add to this release a patch which allows gssapi to be used on a multihomed server please ? There have been several proposals in the past to fix this in ssh_gssapi_acquire_cred . . - if (gethostname(lname, MAXHOSTNAMELEN)) - return (-1); + lname = get_local_hostname(packet_get_connection_in()); . . Thank you Markus On Monday 30 August 2004 21:44, Douglas E. Engert wrote: > Darren Tucker wrote: > > Darren Tucker wrote: > >> OpenSSH is getting ready for a release soon, so we are asking for > >> all interested parties to test a snapshot. > > > > * ssh_gssapi_storecreds called to late for PAM (bug #918) > > Someone who knows krb5/gssapi want to comment on that one? > > (I wrote the bug report, but can comment on it as well.) > > The idea is to pass on to a pam session routine > the KRB5CCNAME environment variable. This can be used with a > pam_openafs session routine to get a PAG and AFS token for example. > > The KRB5CCNAME is the pointer to the Kerberos ticket cache with the > delegated credeltials from GSSAPI. the AFS aklog can use this to > get an AFS token. > > gss-serv-krb5.c already had a call to do_pam_putenv to add the > KRB5CCNAME to the pam_environment. This was in 3.8. But the > call to ssh_gssapi_storecreds in session.c which eventually calls the > do_pam_putenv is called AFTER the do_pam_session. Thus the > KRB5CCNAME is not passed in to the pam session routine. > > This mod moves the call to ssh_gssapi_storecreds before the > call to do_pam_session. > > In the following traces, the pam_sm_open_session lines are written to > stderr by my test pam routine. > > A sample trace without this mod: > > Accepted gssapi-with-mic for uuuuuu from nnn.nnn.nnn.nnn port 40883 ssh2 > pam_sm_open_session flag=0 > pam_sm_open_session pid=16163 uid=0 euid=0 > pam_sm_open_session, pw_dir=/afs/my.cell/usr/uuuuuu > pam_sm_open_session Kenv=(none) <------------ no KRB5CCNAME > debug1: PAM: reinitializing credentials > > With this mod: > > Accepted gssapi-with-mic for uuuuuu from nnn.nnn.nnn.nnn port 1261 ssh2 > debug1: temporarily_use_uid: 100/100 (e=0/100) > debug1: restore_uid: 0/100 > pam_sm_open_session flag=0 > pam_sm_open_session pid=15900 uid=0 euid=0 > pam_sm_open_session, pw_dir=/afs/my.cell/usr/uuuuuu > pam_sm_open_session Kenv=FILE:/tmp/krb5cc_100_y15900 <---- found KRB5CCNAME > debug1: PAM: reinitializing credentials > > Note: If this mod is added, even if the kafs lib is not available, > sshd can still be used with AFS. This would allow one > to use a vendor's build of OpenSSH even if not built with AFS. > One would not need to do a rebuild! All that is need is for OpenAFS > to provide the pam session routine, thus making for a clean separation > of OpenSSH and OpenAFS. Eventually the USE_AFS code could be removed > from OpenSSH. > > Unfortunately, if the system does not have PAM, then one would > still needs to use the older methods. > > There are three ways a Kerberos ticket cache could be ceated > in OpenSSH: > (1) delegated by the GSSAPI, > (2) by ChallengeResponse and PAM, > (3) created by the auth-krb5 from entering a user/password, > > (1) is coverd by the above. > (2) can be taken care of internally by pam_krb5 > (3) needs an aditional mod. > > I can submit this mod as a bug for case (3) if you want. > > > --- ,auth-krb5.c Sat Aug 14 08:55:37 2004 > +++ auth-krb5.c Mon Aug 30 14:31:30 2004 > @@ -187,6 +187,11 @@ > snprintf(authctxt->krb5_ccname, len, "FILE:%s", > authctxt->krb5_ticket_file); > > +#ifdef USE_PAM > + if (options.use_pam) > + do_pam_putenv("KRB5CCNAME",authctxt->krb5_ccname); > +#endif > + > out: > restore_uid(); From f_mohr at yahoo.de Wed Sep 1 19:43:31 2004 From: f_mohr at yahoo.de (Frank Mohr) Date: Wed, 01 Sep 2004 11:43:31 +0200 Subject: sshd reexec mechanism Message-ID: <413599C3.9029AB16@yahoo.de> Hi is there any documentation on the new reexec mechanism in sshd? (didn't find find much about it here on the list) Background of this question: I added a session numbering to our internal version to help keeping all log messages of one client connection together. In 3.9p1 the current number gets lost when the sshd is restartet in the reexec mechanism. I'd like to find a way to pass the number to the new process (maybe I'll add a cmd line option) instead of disabling reexec. Frank From markus at openbsd.org Wed Sep 1 20:52:01 2004 From: markus at openbsd.org (Markus Friedl) Date: Wed, 1 Sep 2004 12:52:01 +0200 Subject: sshd reexec mechanism In-Reply-To: <413599C3.9029AB16@yahoo.de> References: <413599C3.9029AB16@yahoo.de> Message-ID: <20040901105201.GA19835@folly> you have to extend {send,recv}_rexec_state in sshd.c On Wed, Sep 01, 2004 at 11:43:31AM +0200, Frank Mohr wrote: > I'd like to find a way to pass the number to the new process > (maybe I'll add a cmd line option) instead of disabling reexec. From Carsten.Benecke at rrz.uni-hamburg.de Thu Sep 2 00:46:56 2004 From: Carsten.Benecke at rrz.uni-hamburg.de (Dr. Carsten Benecke) Date: Wed, 01 Sep 2004 16:46:56 +0200 Subject: openssh-3.9p1: no pam_close_session() invocation Message-ID: <4135E0E0.203@rrz.uni-hamburg.de> Hello, I would like to point to this problem again as I have not seen a reply to my original posting: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=106458208520320&w=2 and the problem still exists in version 3.9p1. After closing a ssh-session the pam_close_session() function is not invoked. Enabling PrivilegeSeparation (UsePrivilegeSeparation yes) does not help. Could someone acknowledge the problem, or even better, could some openssh developer fix it? With kind regards CB -- Dr. Carsten Benecke, Regionales Rechenzentrum, Universit?t Hamburg, Schl?terstr. 70, D-20146 Hamburg, Tel.: ++49 40 42838 3097, Fax: ++49 40 42838 3096, mailto: Carsten.Benecke at rrz.uni-hamburg.de From v_t_m at seznam.cz Thu Sep 2 03:44:33 2004 From: v_t_m at seznam.cz (=?iso-8859-2?Q?V=E1clav=20Tomec?=) Date: Wed, 01 Sep 2004 19:44:33 +0200 (CEST) Subject: Patches AuthSelect + SecurID + logging updated for 3.9p1 Message-ID: <298943.971361-11165-20692678-1094060673@email.seznam.cz> Hello, I've updated all my patches for OpenSSH 3.9p1. http://sweb.cz/v_t_m/ Vaclav ____________________________________________________________ Anonymn? p?ipojen? k internetu od Seznamu http://ad.seznam.cz/clickthru?spotId=74638 From k at metropipe.net Thu Sep 2 07:48:37 2004 From: k at metropipe.net (Kenny) Date: Wed, 1 Sep 2004 16:48:37 -0500 Subject: per-user bandwidth monitoring. Message-ID: <200409011648.51005.k@metropipe.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Greetings, I am interested in patching openssh to provide per-user bandwidth monitoring. We are working on a project that uses ssh in tunneling mode. I was thinking about implimenting a patch for monitoring bandwidth usage and wondered if anyone is already working on this. My initial idea is to use the spawned process id and find which private key was accepted for authentication. I would then look up the open sockets for that particular process and monitor bandwidth for them using the pcap library. The approach outlined above would enable monitoring based on ssh key and not on ip address, so multiple users coming the same ip address (such as from a nat'd firewall setup) would be monitored correctly. If anyone has any comments or suggestions, please respond :-) /Kenny http://www.metropipe.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFBNkO645NbQGIfM7IRAlnGAJ9OKzZEQsbpTOmXBCJ1B84u9swVxgCg4834 jiwUCdmOimnm5XedmWgyR3o= =Qzia -----END PGP SIGNATURE----- From f_mohr at yahoo.de Thu Sep 2 19:57:18 2004 From: f_mohr at yahoo.de (Frank Mohr) Date: Thu, 02 Sep 2004 11:57:18 +0200 Subject: sshd reexec mechanism References: <413599C3.9029AB16@yahoo.de> <20040901105201.GA19835@folly> Message-ID: <4136EE7E.9ECD6CB9@yahoo.de> Markus Friedl wrote: > > you have to extend {send,recv}_rexec_state in sshd.c > thanks session numbering works again Frank From ludek.rasek at r73.info Thu Sep 2 21:51:19 2004 From: ludek.rasek at r73.info (ludek.rasek) Date: Thu, 2 Sep 2004 13:51:19 +0200 Subject: contribution - pkcs11 smart card support Message-ID: <20040902114150.M16427@r73.info> Hello, I have just finished development of PKCS#11 smartcard support into OpenSSH. It is based on existing approach implemented in sectok and OpenSC support. It means it supports private key stored on PKCS#11 device. I have developed it on Linux platform and tested on Windows using Cygwin and after some minor code cealn-up I'm ready to post a patch. Are you (especially maintaners) interested in such patch? It would be nice if it become standard part of OpenSSH codebase. Regards Ludek Rasek From djm at mindrot.org Fri Sep 3 11:29:07 2004 From: djm at mindrot.org (Damien Miller) Date: Fri, 03 Sep 2004 11:29:07 +1000 Subject: contribution - pkcs11 smart card support In-Reply-To: <20040902114150.M16427@r73.info> References: <20040902114150.M16427@r73.info> Message-ID: <4137C8E3.9000906@mindrot.org> ludek.rasek wrote: > Hello, > > I have just finished development of PKCS#11 smartcard support into OpenSSH. > > It is based on existing approach implemented in sectok and OpenSC support. > It means it supports private key stored on PKCS#11 device. > > I have developed it on Linux platform and tested on Windows using Cygwin and > after some minor code cealn-up I'm ready to post a patch. > > Are you (especially maintaners) interested in such patch? It would be nice if > it become standard part of OpenSSH codebase. Please send the patch to the list, I'm interested. What underlying smartcard library are you using? -d From Jimmy.Covington at mail.va.gov Sat Sep 4 01:48:55 2004 From: Jimmy.Covington at mail.va.gov (Covington, Jimmy D. (NGIT)) Date: Fri, 3 Sep 2004 10:48:55 -0500 Subject: OpenSSH and Solaris 9/Native LDAP Message-ID: <5225ED6C43EFCE418A84E01CF9CF196904AC5F@vaaacexc8.aac.va.gov> I am trying to get the latest version of openssh to work on a Solaris 9 native ldap client. We have a feature in ldap called "User must change password after reset" enabled. According to the openssh docs, it says that it will work with the "other" accounts listed in the /etc/pam.conf. We have tried a lot of different entries in the /etc/pam.conf. Does anyone have any ideas on how to get this to work? Jim Covington UNIX Systems Engineer Northrup Grumman Veterans Administration Austin Automation Center 1615 Woodward St. Austin, Texas 78772-7830 Phone: (512) 326-6635 From dtucker at zip.com.au Sat Sep 4 14:16:46 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 04 Sep 2004 14:16:46 +1000 Subject: openssh-3.9p1: no pam_close_session() invocation In-Reply-To: <4135E0E0.203@rrz.uni-hamburg.de> References: <4135E0E0.203@rrz.uni-hamburg.de> Message-ID: <413941AE.6060603@zip.com.au> Dr. Carsten Benecke wrote: > After closing a ssh-session the pam_close_session() function is not > invoked. Enabling PrivilegeSeparation (UsePrivilegeSeparation yes) does > not help. That appears to be the case. I have opened a bug (with patch): http://bugzilla.mindrot.org/show_bug.cgi?id=926 Could you please try the patch and let us know if it resolves the problem? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From gonzalo_camacho_hg at telesp.com.br Sun Sep 5 19:29:38 2004 From: gonzalo_camacho_hg at telesp.com.br (Gonzalo Camacho) Date: Sun, 05 Sep 2004 02:29:38 -0700 Subject: Get great prices on medications Message-ID: <295f01c4932a$21ac21d3$496c778f@jmsonline.co.uk> Discount generic drugs. save over 70% todays specials, Viagra, retails for $15, we sell for 3!!! Prozac, retails for $6, we sell for $1.50!! - Private Online ordering! - World wide shipping! - No Prescription required!! Check it out: http://4drugs123.com/?index No thanks: http://4drugs123.com/rm.html From amk at krell.zikzak.de Mon Sep 6 22:12:54 2004 From: amk at krell.zikzak.de (Andreas M. Kirchwitz) Date: Mon, 6 Sep 2004 14:12:54 +0200 Subject: OpenSSH 3.9p1 bug, .hushlogin is ignored Message-ID: <20040906121253.GA621@krell.zikzak.de> Hello Darren! Hello OpenSSH (portable) users! After updating from OpenSSH 3.8.1p1 to OpenSSH 3.9p1 on my Fedora Core 2 Linux box, the "sshd" no longer respects "~/.hushlogin" to get a quiet and silent login. Now I get the noisy "Last login: somedate from somehost" line. I really loved that feature. ;-) The problem is related to a change in "session.c", function do_child(). In line 1426, the following code has been added to the portable version of OpenSSH: /* * PAM session modules in do_setusercontext may have * generated messages, so if this in an interactive * login then display them too. */ if (command == NULL) display_loginmsg(); According to the ChangeLog: 20040701 - (dtucker) [session.c] Call display_loginmsg again after do_pam_session. Ensures messages from PAM modules are displayed when privsep=no. Unfortunately, this breaks .hushlogin. As long as I run "ssh somehost somecommand", it obviously works as expected, but if I do "ssh somehost", I get the "Last login:" line. If I remove the code segment, ".hushlogin" works again. (No big deal. ;-) Although "if (command == NULL)" could be replaced by a call to "if (!check_quietlogin(s, command))" to fix the problem, the double access to ".hushlogin" wouldn't be good programming style. If it's needed more than once, the result of check_quietlogin() could be cached somewhere to avoid unnecessary access to the filesystem. However, besides this (my beloved .hushlogin ;-), OpenSSH 3.9p1 is really good work. Keep up the good work! Greetings, Andreas From ruben at ugr.es Tue Sep 7 03:14:21 2004 From: ruben at ugr.es (Ruben) Date: Mon, 06 Sep 2004 19:14:21 +0200 Subject: scp bug: escaped characters in files prevent copying Message-ID: <413C9AED.3010908@ugr.es> When copying a file with an escaped character, scp removes the escaping character before sending to the host. Is there a way to circunvent this? Some examples follow (linux machines) A: touch file\(new\) B: scp user at A:file\(new\) . user at A password: bash: -c: line 1: syntax error near unexpected token `(' bash: -c: line 1: `scp -f (' A: touch file\ 1 B: scp user at A:file\ 1 . user at A password: scp: A: No such file or directory scp: B: No such file or directory B: scp user at A:file\\ 1 . user at A password: bash: -c: line 3: syntax error: unexpected end of file cp: cannot stat `B': No such file or directory From clamat at telus.net Tue Sep 7 06:18:48 2004 From: clamat at telus.net (Matthew Clarke) Date: Mon, 6 Sep 2004 13:18:48 -0700 Subject: scp bug: escaped characters in files prevent copying In-Reply-To: <413C9AED.3010908@ugr.es> References: <413C9AED.3010908@ugr.es> Message-ID: <20040906201848.GA2238@ds0.van.maves.ca> lundi, le 6 septembre, 2004, Ruben nous a dit ceci: > When copying a file with an escaped character, scp removes the escaping > character before > sending to the host. > Is there a way to circunvent this? > Some examples follow (linux machines) > > A: touch file\(new\) > B: scp user at A:file\(new\) . > user at A password: > bash: -c: line 1: syntax error near unexpected token `(' > bash: -c: line 1: `scp -f (' > > A: touch file\ 1 > B: scp user at A:file\ 1 . > user at A password: > scp: A: No such file or directory > scp: B: No such file or directory > > B: scp user at A:file\\ 1 . > user at A password: > bash: -c: line 3: syntax error: unexpected end of file > cp: cannot stat `B': No such file or directory It's not scp removing the escaping character, it's the local shell that processes that escaping character, so scp never sees it. You have to protect the escaped characters from both the local and remote shells, and protect the escaping characters from the local shell so SCP can see them and pass them to the other side for the remote shell to process. System A: % touch file\(new\) System B: % scp A:file\\\(new\\\) . file(new) 100% 0 0.0KB/s 00:00 % ls -l file* -rw-r----- 1 clamat clamat 0 Sep 6 13:11 file(new) B% -- For a successful technology, reality must take precedence over public relations, for nature cannot be fooled. -- Richard P. Feynman From sws at sci.pam.szczecin.pl Wed Sep 8 00:28:42 2004 From: sws at sci.pam.szczecin.pl (Slawomir Stanczak) Date: Tue, 07 Sep 2004 16:28:42 +0200 Subject: OpenSSH 3.9p1 - Solaris/SPARC Message-ID: <413DC59A.60707@sci.pam.szczecin.pl> Hello, I use OpenSSH version 3.8.1p1. It works very good. I compile new version OpenSSH 3.9p1 but I get following warning: configure: WARNING: sys/ptms.h: present but cannot be compiled configure: WARNING: sys/ptms.h: check for missing prerequisite headers? configure: WARNING: sys/ptms.h: see the Autoconf documentation configure: WARNING: sys/ptms.h: section "Present But Cannot Be Compiled" configure: WARNING: sys/ptms.h: proceeding with the preprocessor's result configure: WARNING: sys/ptms.h: in the future, the compiler will take precedence configure: WARNING: ## ------------------------------------------ ## configure: WARNING: ## Report this to the AC_PACKAGE_NAME lists. ## configure: WARNING: ## ------------------------------------------ ## and also following info: WARNING: the operating system that you are using does not appear to support either the getpeereid() API nor the SO_PEERCRED getsockopt() option. These facilities are used to enforce security checks to prevent unauthorised connections to ssh-agent. Their absence increases the risk that a malicious user can connect to your agent. I use: System Solaris 9/SPARC gcc - 3.3.2 autoconf - 2.59 automake - 1.9 Is it bug in openssh, solaris, gcc or autoconf ? Tanks for your help. Slawek -- S?awomir Sta?czak PAM/Szczecin/Poland email: sws[AT]ams.edu.pl tel. +48 91 4800796 From nkukard at lbsd.net Wed Sep 8 02:28:24 2004 From: nkukard at lbsd.net (Nigel Kukard) Date: Tue, 7 Sep 2004 18:28:24 +0200 Subject: Please review openssh patch for selinux In-Reply-To: <41377E8A.2030707@redhat.com> References: <200408241818.40064.russell@coker.com.au> <41371628.2020408@redhat.com> <1094130607.17265.47.camel@moss-spartans.epoch.ncsc.mil> <200409022338.20644.russell@coker.com.au> <1094136369.17265.128.camel@moss-spartans.epoch.ncsc.mil> <413741A3.3070305@redhat.com> <1094153919.17265.375.camel@moss-spartans.epoch.ncsc.mil> <41377927.3080703@redhat.com> <1094155198.17265.389.camel@moss-spartans.epoch.ncsc.mil> <41377E8A.2030707@redhat.com> Message-ID: <20040907162824.GU10151@lbsd.net> As posted, here is an updated patch which allows openssh to be built with non-selinux config. (Hi openssh guys, forwarding this to you incase you interested including it into the devel version of openssh. Please let us know if you have any suggestions or changes that need to be made) Regards Nigel Kukard On Thu, Sep 02, 2004 at 04:11:54PM -0400, Daniel J Walsh wrote: > New SSH patch. > > Provides the capability of doing > > ssh hostname -l root/sysadm_r > > suggested by Collin. > > I used the / instead of : to preserve the BSD syntax. > > Comments? > > > Dan > -------------- next part -------------- Author: Daniel J Walsh Date: 02/09/2004 Source: selinux at tycho.nsa.gov mailing list ChangeLog: 07/09/2004 - Nigel Kukard o Fixed patch to work with non-selinux configuration Changes: Makefile.in | 2 auth.h | 3 + auth1.c | 11 +++++ auth2.c | 17 +++++++ config.h.in | 3 + configure.ac | 13 ++++++ contrib/redhat/sshd.init | 9 ++++ monitor.c | 29 +++++++++++++ monitor.h | 2 monitor_wrap.c | 18 ++++++++ monitor_wrap.h | 3 + selinux.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++ selinux.h | 10 ++++ session.c | 8 +++ sshpty.c | 8 +++ 15 files changed, 234 insertions(+), 3 deletions(-) diff -u --new-file --recursive openssh-3.9p1_vanilla/Makefile.in openssh-3.9p1_selinux/Makefile.in --- openssh-3.9p1_vanilla/Makefile.in 2004-08-15 13:01:37.000000000 +0200 +++ openssh-3.9p1_selinux/Makefile.in 2004-09-07 17:41:15.000000000 +0200 @@ -76,7 +76,7 @@ sshconnect.o sshconnect1.o sshconnect2.o SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ - sshpty.o sshlogin.o servconf.o serverloop.o \ + sshpty.o sshlogin.o servconf.o serverloop.o selinux.o \ auth.o auth1.o auth2.o auth-options.o session.o \ auth-chall.o auth2-chall.o groupaccess.o \ auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ diff -u --new-file --recursive openssh-3.9p1_vanilla/auth.h openssh-3.9p1_selinux/auth.h --- openssh-3.9p1_vanilla/auth.h 2004-05-24 02:36:23.000000000 +0200 +++ openssh-3.9p1_selinux/auth.h 2004-09-07 18:03:09.000000000 +0200 @@ -57,6 +57,9 @@ char *service; struct passwd *pw; /* set if 'valid' */ char *style; +#ifdef WITH_SELINUX + char *role; +#endif void *kbdintctxt; #ifdef BSD_AUTH auth_session_t *as; diff -u --new-file --recursive openssh-3.9p1_vanilla/auth1.c openssh-3.9p1_selinux/auth1.c --- openssh-3.9p1_vanilla/auth1.c 2004-08-12 14:40:25.000000000 +0200 +++ openssh-3.9p1_selinux/auth1.c 2004-09-07 18:04:03.000000000 +0200 @@ -284,6 +284,9 @@ { u_int ulen; char *user, *style = NULL; +#ifdef WITH_SELINUX + char *role=NULL; +#endif /* Get the name of the user that we wish to log in as. */ packet_read_expect(SSH_CMSG_USER); @@ -292,11 +295,19 @@ user = packet_get_string(&ulen); packet_check_eom(); +#ifdef WITH_SELINUX + if ((role = strchr(user, '/')) != NULL) + *role++ = '\0'; +#endif + if ((style = strchr(user, ':')) != NULL) *style++ = '\0'; authctxt->user = user; authctxt->style = style; +#ifdef WITH_SELINUX + authctxt->role = role; +#endif /* Verify that the user is a valid user. */ if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) diff -u --new-file --recursive openssh-3.9p1_vanilla/auth2.c openssh-3.9p1_selinux/auth2.c --- openssh-3.9p1_vanilla/auth2.c 2004-08-12 14:40:25.000000000 +0200 +++ openssh-3.9p1_selinux/auth2.c 2004-09-07 18:06:25.000000000 +0200 @@ -133,6 +133,9 @@ Authctxt *authctxt = ctxt; Authmethod *m = NULL; char *user, *service, *method, *style = NULL; +#ifdef WITH_SELINUX + char *role = NULL; +#endif int authenticated = 0; if (authctxt == NULL) @@ -144,6 +147,11 @@ debug("userauth-request for user %s service %s method %s", user, service, method); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); +#ifdef WITH_SELINUX + if ((role = strchr(user, '/')) != NULL) + *role++ = 0; +#endif + if ((style = strchr(user, ':')) != NULL) *style++ = 0; @@ -170,8 +178,15 @@ use_privsep ? " [net]" : ""); authctxt->service = xstrdup(service); authctxt->style = style ? xstrdup(style) : NULL; - if (use_privsep) +#ifdef WITH_SELINUX + authctxt->role = role ? xstrdup(role) : NULL; +#endif + if (use_privsep) { mm_inform_authserv(service, style); +#ifdef WITH_SELINUX + mm_inform_authrole(role); +#endif + } } else if (strcmp(user, authctxt->user) != 0 || strcmp(service, authctxt->service) != 0) { packet_disconnect("Change of username or service not allowed: " diff -u --new-file --recursive openssh-3.9p1_vanilla/config.h.in openssh-3.9p1_selinux/config.h.in --- openssh-3.9p1_vanilla/config.h.in 2004-08-17 14:54:51.000000000 +0200 +++ openssh-3.9p1_selinux/config.h.in 2004-09-07 17:41:15.000000000 +0200 @@ -265,6 +265,9 @@ /* Define if you want Kerberos 5 support */ #undef KRB5 +/* Define if have want SELinux support */ +#undef WITH_SELINUX + /* Define this if you are using the Heimdal version of Kerberos V5 */ #undef HEIMDAL diff -u --new-file --recursive openssh-3.9p1_vanilla/configure.ac openssh-3.9p1_selinux/configure.ac --- openssh-3.9p1_vanilla/configure.ac 2004-08-16 15:12:06.000000000 +0200 +++ openssh-3.9p1_selinux/configure.ac 2004-09-07 17:41:15.000000000 +0200 @@ -2218,6 +2218,18 @@ [#include ]) ]) +# Check whether user wants SELinux support +SELINUX_MSG="no" +AC_ARG_WITH(selinux, + [ --with-selinux Enable SELinux support], + [ if test "x$withval" != "xno" ; then + AC_DEFINE(WITH_SELINUX) + SELINUX_MSG="yes" + AC_CHECK_HEADERS(selinux.h) + LIBS="$LIBS -lselinux" + fi + ]) + # Check whether user wants Kerberos 5 support KRB5_MSG="no" AC_ARG_WITH(kerberos5, @@ -2973,6 +2985,7 @@ echo " Manpage format: $MANTYPE" echo " PAM support: $PAM_MSG" echo " KerberosV support: $KRB5_MSG" +echo " SELinux support: $SELINUX_MSG" echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" diff -u --new-file --recursive openssh-3.9p1_vanilla/contrib/redhat/sshd.init openssh-3.9p1_selinux/contrib/redhat/sshd.init --- openssh-3.9p1_vanilla/contrib/redhat/sshd.init 2002-05-10 04:19:23.000000000 +0200 +++ openssh-3.9p1_selinux/contrib/redhat/sshd.init 2004-09-07 17:41:15.000000000 +0200 @@ -35,6 +35,9 @@ if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then chmod 600 $RSA1_KEY chmod 644 $RSA1_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $RSA1_KEY.pub + fi success $"RSA1 key generation" echo else @@ -51,6 +54,9 @@ if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then chmod 600 $RSA_KEY chmod 644 $RSA_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $RSA_KEY.pub + fi success $"RSA key generation" echo else @@ -67,6 +73,9 @@ if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then chmod 600 $DSA_KEY chmod 644 $DSA_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $DSA_KEY.pub + fi success $"DSA key generation" echo else diff -u --new-file --recursive openssh-3.9p1_vanilla/monitor.c openssh-3.9p1_selinux/monitor.c --- openssh-3.9p1_vanilla/monitor.c 2004-07-17 09:05:14.000000000 +0200 +++ openssh-3.9p1_selinux/monitor.c 2004-09-07 18:01:38.000000000 +0200 @@ -127,6 +127,10 @@ int mm_answer_sesskey(int, Buffer *); int mm_answer_sessid(int, Buffer *); +#ifdef WITH_SELINUX +int mm_answer_authrole(int, Buffer *); +#endif + #ifdef USE_PAM int mm_answer_pam_start(int, Buffer *); int mm_answer_pam_account(int, Buffer *); @@ -178,6 +182,9 @@ {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, +#ifdef WITH_SELINUX + {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, +#endif #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, @@ -602,6 +609,9 @@ else { /* Allow service/style information on the auth context */ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); +#ifdef WITH_SELINUX + monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); +#endif monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); } @@ -646,6 +656,25 @@ return (0); } +#ifdef WITH_SELINUX +int +mm_answer_authrole(int sock, Buffer *m) +{ + monitor_permit_authentications(1); + + authctxt->role = buffer_get_string(m, NULL); + debug3("%s: style=%s", + __func__, authctxt->role); + + if (strlen(authctxt->role) == 0) { + xfree(authctxt->role); + authctxt->role = NULL; + } + + return (0); +} +#endif + int mm_answer_authpassword(int sock, Buffer *m) { diff -u --new-file --recursive openssh-3.9p1_vanilla/monitor.h openssh-3.9p1_selinux/monitor.h --- openssh-3.9p1_vanilla/monitor.h 2003-11-17 13:18:22.000000000 +0200 +++ openssh-3.9p1_selinux/monitor.h 2004-09-07 18:08:22.000000000 +0200 @@ -30,7 +30,7 @@ enum monitor_reqtype { MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, - MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, + MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE, MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, diff -u --new-file --recursive openssh-3.9p1_vanilla/monitor_wrap.c openssh-3.9p1_selinux/monitor_wrap.c --- openssh-3.9p1_vanilla/monitor_wrap.c 2004-07-17 09:05:14.000000000 +0200 +++ openssh-3.9p1_selinux/monitor_wrap.c 2004-09-07 18:14:58.000000000 +0200 @@ -274,6 +274,24 @@ buffer_free(&m); } +/* Inform the privileged process about role */ +#ifdef WITH_SELINUX +void +mm_inform_authrole(char *role) +{ + Buffer m; + + debug3("%s entering", __func__); + + buffer_init(&m); + buffer_put_cstring(&m, role ? role : ""); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m); + + buffer_free(&m); +} +#endif + /* Do the password authentication */ int mm_auth_password(Authctxt *authctxt, char *password) diff -u --new-file --recursive openssh-3.9p1_vanilla/monitor_wrap.h openssh-3.9p1_selinux/monitor_wrap.h --- openssh-3.9p1_vanilla/monitor_wrap.h 2004-06-22 04:56:02.000000000 +0200 +++ openssh-3.9p1_selinux/monitor_wrap.h 2004-09-07 18:13:13.000000000 +0200 @@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int); int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); void mm_inform_authserv(char *, char *); +#ifdef WITH_SELINUX +void mm_inform_authrole(char *); +#endif struct passwd *mm_getpwnamallow(const char *); char *mm_auth2_read_banner(void); int mm_auth_password(struct Authctxt *, char *); diff -u --new-file --recursive openssh-3.9p1_vanilla/selinux.c openssh-3.9p1_selinux/selinux.c --- openssh-3.9p1_vanilla/selinux.c 1970-01-01 02:00:00.000000000 +0200 +++ openssh-3.9p1_selinux/selinux.c 2004-09-07 17:41:15.000000000 +0200 @@ -0,0 +1,101 @@ +#include "includes.h" +#include "auth.h" +#include "log.h" + +#ifdef WITH_SELINUX +#include +#include +#include +#include +#include +extern Authctxt *the_authctxt; + +static const security_context_t selinux_get_user_context(const char *name) { + security_context_t user_context=NULL; + if (get_default_context(name,NULL,&user_context)) { + if (security_getenforce() > 0) + fatal("Failed to get default security context for %s.", name); + else + error("Failed to get default security context for %s. Continuing in permissve mode", name); + } else { + if (the_authctxt) { + char *role=the_authctxt->role; + if (role != NULL && role[0]) { + char *type; + if (get_default_type(role, &type) < 0) { + if (security_getenforce() > 0) + fatal("Failed to get default type for role %s, user %s.", role, name); + else + error("Failed to get default type for role %s, user %s. Continuing in permissive mode", role, name); + } else { + context_t newcon=context_new(user_context); + if (context_role_set(newcon, role) != 0) { + context_free(newcon); + if (security_getenforce() > 0) + fatal("Failed to set role %s for %s.", role, name); + else + error("Failed to set role %s for %s. Continuing in permissive mode", role, name); + } else if (context_type_set(newcon, type) != 0) { + context_free(newcon); + if (security_getenforce() > 0) + fatal("Failed to set type %s for %s.", role, name); + else + error("Failed to set type %s for %s. Continuing in permissive mode", role, name); + } else { + freecon(user_context); + user_context = strdup(context_str(newcon)); + context_free(newcon); + } + } + } + } + } + return user_context; +} + +void setup_selinux_pty(const char *name, const char *tty) { + if (is_selinux_enabled() > 0) { + security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL; + + user_context=selinux_get_user_context(name); + + if (getfilecon(tty, &old_tty_context) < 0) { + error("getfilecon(%.100s) failed: %.100s", tty, strerror(errno)); + } else { + if (security_compute_relabel(user_context,old_tty_context, + SECCLASS_CHR_FILE, + &new_tty_context) != 0) { + error("security_compute_relabel(%.100s) failed: %.100s", tty, + strerror(errno)); + } else { + if (setfilecon (tty, new_tty_context) != 0) + error("setfilecon(%.100s, %s) failed: %.100s", + tty, new_tty_context, + strerror(errno)); + freecon(new_tty_context); + } + freecon(old_tty_context); + } + if (user_context) { + freecon(user_context); + } + } +} + +void setup_selinux_exec_context(char *name) { + + if (is_selinux_enabled() > 0) { + security_context_t user_context=selinux_get_user_context(name); + if (setexeccon(user_context)) { + if (security_getenforce() > 0) + fatal("Failed to set exec security context %s for %s.", user_context, name); + else + error("Failed to set exec security context %s for %s. Continuing in permissive mode", user_context, name); + } + if (user_context) { + freecon(user_context); + } + } +} + +#endif /* WITH_SELINUX */ diff -u --new-file --recursive openssh-3.9p1_vanilla/selinux.h openssh-3.9p1_selinux/selinux.h --- openssh-3.9p1_vanilla/selinux.h 1970-01-01 02:00:00.000000000 +0200 +++ openssh-3.9p1_selinux/selinux.h 2004-09-07 17:41:16.000000000 +0200 @@ -0,0 +1,10 @@ +#ifndef __SELINUX_H_ +#define __SELINUX_H_ +#ifdef WITH_SELINUX +extern void setup_selinux_pty(const char *name, const char *tty); +extern void setup_selinux_exec_context(const char *name); +#else +inline void setup_selinux_pty(const char *name, const char *tty) {} +inline void setup_selinux_exec_context(const char *name) {} +#endif /* WITH_SELINUX */ +#endif /* __SELINUX_H_ */ diff -u --new-file --recursive openssh-3.9p1_vanilla/session.c openssh-3.9p1_selinux/session.c --- openssh-3.9p1_vanilla/session.c 2004-08-12 14:40:25.000000000 +0200 +++ openssh-3.9p1_selinux/session.c 2004-09-07 17:41:56.000000000 +0200 @@ -58,6 +58,10 @@ #include "session.h" #include "monitor_wrap.h" +#ifdef WITH_SELINUX +#include "selinux.h" +#endif + #if defined(KRB5) && defined(USE_AFS) #include #endif @@ -1304,6 +1308,10 @@ #endif if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); + +#ifdef WITH_SELINUX + setup_selinux_exec_context(pw->pw_name); +#endif } static void diff -u --new-file --recursive openssh-3.9p1_vanilla/sshpty.c openssh-3.9p1_selinux/sshpty.c --- openssh-3.9p1_vanilla/sshpty.c 2004-06-22 04:56:02.000000000 +0200 +++ openssh-3.9p1_selinux/sshpty.c 2004-09-07 17:42:39.000000000 +0200 @@ -22,6 +22,10 @@ #include "log.h" #include "misc.h" +#ifdef WITH_SELINUX +#include "selinux.h" +#endif + #ifdef HAVE_PTY_H # include #endif @@ -200,6 +204,10 @@ fatal("stat(%.100s) failed: %.100s", tty, strerror(errno)); +#ifdef WITH_SELINUX + setup_selinux_pty(pw->pw_name, tty); +#endif + if (st.st_uid != pw->pw_uid || st.st_gid != gid) { if (chown(tty, pw->pw_uid, gid) < 0) { if (errno == EROFS && -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040907/0c2e1d93/attachment.bin From dtucker at zip.com.au Wed Sep 8 06:58:33 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 08 Sep 2004 06:58:33 +1000 Subject: OpenSSH 3.9p1 - Solaris/SPARC In-Reply-To: <413DC59A.60707@sci.pam.szczecin.pl> References: <413DC59A.60707@sci.pam.szczecin.pl> Message-ID: <413E20F9.5030907@zip.com.au> Slawomir Stanczak wrote: > I use OpenSSH version 3.8.1p1. It works very good. > I compile new version OpenSSH 3.9p1 but I get following > warning: [snip autoconf and getpeereid warnings] > Is it bug in openssh, solaris, gcc or autoconf ? No, they're both warnings. The first one is because the autoconf folks appear to be changing the way the AC_CHECK_HEADERS macro work (and, to their credit, they're providing sufficient warning). This particular instance has already been fixed in the development version. The second one is also a warning about Solaris' lack of any way to figure out who owns the process connecting to a Unix domain socket (at least, any that we know about, if there *is* a way then we'd like to use it). The risk here is that if the perms on the agent socket get messed up then a malicious user could trick your agent into authenticating a connection for them. This has always been the case on many platforms, but the warning for such platforms is new. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From martin.schmidt at jielo.de Wed Sep 8 07:51:40 2004 From: martin.schmidt at jielo.de (Martin Schmidt) Date: Tue, 7 Sep 2004 23:51:40 +0200 Subject: Announce Openssh with telnet Message-ID: <200409072351.41134.martin.schmidt@jielo.de> Hi, I would not consider it a real bug, or security problem, but I wonder, why my sshd declares itself when I do a telnet on port 22: telnet localhost 22 Trying ::1... Connected to localhost. Escape character is '^]'. SSH-1.99-OpenSSH_3.7.1p2 Would it not be better, not to show anything at all, so that someone just trying, whats up on port 22 does not see what programm with witch version is running ? mit freundlichen Gr??en Martin Schmidt Tel: 09843/988095 Fax: 09843/988096 email: martin.schmidt at jielo.de From mouring at etoh.eviladmin.org Wed Sep 8 07:55:31 2004 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 7 Sep 2004 16:55:31 -0500 (CDT) Subject: Announce Openssh with telnet In-Reply-To: <200409072351.41134.martin.schmidt@jielo.de> Message-ID: Because there are too many bugs in too many servers and the clients need to know how to work around them. Along with the fact it tells you if you can use v1, v2 or either protocal.. If at some point in the future we have a solid RFC and no more changes and most older stuff goes away (and the RFC lets us) then we can drop it. - Ben On Tue, 7 Sep 2004, Martin Schmidt wrote: > Hi, > > I would not consider it a real bug, or security problem, but I wonder, why my > sshd declares itself when I do a telnet on port 22: > > > telnet localhost 22 > Trying ::1... > Connected to localhost. > Escape character is '^]'. > SSH-1.99-OpenSSH_3.7.1p2 > > > Would it not be better, not to show anything at all, so that someone just > trying, whats up on port 22 does not see what programm with witch version is > running ? > > > mit freundlichen Gr??en > > Martin Schmidt > > Tel: 09843/988095 > Fax: 09843/988096 > email: martin.schmidt at jielo.de > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From djm at mindrot.org Wed Sep 8 08:14:35 2004 From: djm at mindrot.org (Damien Miller) Date: Wed, 08 Sep 2004 08:14:35 +1000 Subject: Announce Openssh with telnet In-Reply-To: <200409072351.41134.martin.schmidt@jielo.de> References: <200409072351.41134.martin.schmidt@jielo.de> Message-ID: <413E32CB.7040702@mindrot.org> Martin Schmidt wrote: > Hi, > > I would not consider it a real bug, or security problem, but I wonder, why my > sshd declares itself when I do a telnet on port 22: This has been discussed over a dozen time on this list and in bugzilla. Please check the archives. -d From supportcontend at cooldictionary.com Wed Sep 8 10:10:24 2004 From: supportcontend at cooldictionary.com (Pjgrizel) Date: Tue, 07 Sep 2004 20:10:24 -0400 Subject: new soft Message-ID: New QEM software http://www.allsoftbest.info/ Adobe InDesign CS - 100.00 Gaston Adobe InDesign CS - 100.00 soapy Adobe InDesign CS - 100.00 seduction Adobe InDesign CS - 100.00 sympathies Adobe InDesign CS - 100.00 container Adobe InDesign CS - 100.00 dropout Adobe InDesign CS - 100.00 founded Adobe InDesign CS - 100.00 lazybones Adobe InDesign CS - 100.00 belaboring Adobe InDesign CS - 100.00 otter Adobe InDesign CS - 100.00 removal Adobe InDesign CS - 100.00 leads Adobe InDesign CS - 100.00 isomorphic http://www.allsoftbest.info/ From vitalizer.everysmile at fire-fire-fire.com Wed Sep 8 20:34:24 2004 From: vitalizer.everysmile at fire-fire-fire.com (=?ISO-2022-JP?B?GyRCPU89dyEmPGM6ShsoQg==?=) Date: Wed, 08 Sep 2004 19:34:24 +0900 Subject: =?iso-2022-jp?b?GyRCIVQkNDZhPWo9UEQlJVslOSVISmc9OCFVGyhC?= Message-ID: <20040908103125.A026927C187@shitei.mindrot.org> http://www.star-pearch.com/mdhosuto ???????????? ????8000??17000? ?????? 8000??3???20? ?48??!! ????18????????? ????????????????????????????????????? ?????????????????? ?????????????????????????????? ?????????????????? ?????? http://www.star-pearch.com/mdhosuto From arassin at gmail.com Wed Sep 8 23:23:11 2004 From: arassin at gmail.com (Anthony) Date: Wed, 8 Sep 2004 13:23:11 +0000 Subject: AIX compilation issues - openssh V 3.8.1p1 and 3.9p1 Message-ID: <864afd8604090806237bbb4287@mail.gmail.com> I'm getting the following error when I compile openssh with IBM's xlc compiler. /usr/vac/bin/xlc -g -I. -I.. -I. -I./.. -I/opt/freeware/include -I/usr/local/include -DHAVE_CONFIG_H -c bsd-arc4random.c "/usr/include/syms.h", line 288.9: 1506-213 (S) Macro name T_NULL cannot be redefined. "/usr/include/syms.h", line 288.9: 1506-358 (I) "T_NULL" is defined on line 150 of /usr/include/arpa/onameser_compat.h. make[1]: *** [bsd-arc4random.o] Error 1 make[1]: Leaving directory `/build/openssh/aix52/openssh-3.8.1p1/openbsd-compat' make: *** [openbsd-compat/libopenbsd-compat.a] Error 2 I realize that both onameser_compat.h and syms.h are part of the system include files, but I was wondering if anyone had any ideas on how I can get past this. I can comment out the T_NULL in onameser_compat.h and the compile works, but I don't like doing that. OS ver: AIX 5.2 ML4 Compiler: Visual Age C for AIX 5.0.2.0 Openssh ver: 3.8.1p1 and 3.9p1 >From /usr/include/syms.h: #define T_NULL 0 >From /usr/include/arpa/onameser_compat.h: #define T_NULL 10 /* null resource record */ From torsten.foertsch at gmx.net Thu Sep 9 01:35:30 2004 From: torsten.foertsch at gmx.net (Torsten Foertsch) Date: Wed, 8 Sep 2004 17:35:30 +0200 Subject: [PATCH]Extending user@host syntax Message-ID: <200409081735.35579.torsten.foertsch@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, the following patch extends the user at host syntax on the ssh command line to allow an additional HostKeyAlias and Port to be given as a single argument, eg: ssh user at localhost%8022,www.tdl.com is equivalent to ssh -o 'HostKeyAlias www.tdl.com' -p 8022 user at localhost The patch is particularly useful when ssh is called from other programs or scripts and the ssh connection is to be established on top of a tunnel. Consider for example a CVS repository that is connected using ssh through a tunnel. The CVS/Root file contains the path to the CVS root as: user at www.tld.com:/path/to/cvs There is no way to specify a port number or a HostKeyAlias. With the patch the CVS/Root can contain: user at localhost%8022,www.tld.com:/path/to/cvs and the connection is made through the tunnel. I know I can achieve a similar result using .ssh/config: Host host_nickname Hostname localhost Port 8022 HostKeyAlias www.tld.com and specify the CVS root as user at host_nickname:/path/to/cvs However, I think my patch is rather a feature than a bug. Are there any chances to get it included in openssh? Torsten diff -Naur openssh-3.9p1/ssh.c openssh-3.9p1.new/ssh.c - --- openssh-3.9p1/ssh.c 2004-08-15 09:23:34.000000000 +0200 +++ openssh-3.9p1.new/ssh.c 2004-09-08 16:12:58.000000000 +0200 @@ -157,7 +157,8 @@ "usage: ssh [-1246AaCfghkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n" " [-D port] [-e escape_char] [-F configfile] [-i identity_file]\n" " [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option]\n" - -" [-p port] [-R port:host:hostport] [-S ctl] [user@]hostname [command]\n" +" [-p port] [-R port:host:hostport] [-S ctl]\n" +" [user@]hostname[%%port][,host_key_alias] [command]\n" ); exit(1); } @@ -176,7 +177,7 @@ int i, opt, exit_status; u_short fwd_port, fwd_host_port; char sfwd_port[6], sfwd_host_port[6]; - - char *p, *cp, *line, buf[256]; + char *p, *cp, *line, buf[256], *host_key_aliasp; struct stat st; struct passwd *pw; int dummy; @@ -474,6 +475,28 @@ host = ++cp; } else host = *av; + + host_key_aliasp = 0; + if (strrchr(host, '%')) { + cp = strrchr(host, '%'); + *cp++ = '\0'; + if (strrchr(cp, ',')) { + host_key_aliasp = strrchr(cp, ','); + *host_key_aliasp++ = '\0'; + } + options.port = a2port(cp); + if (options.port == 0) { + fprintf(stderr, "Bad port '%s'\n", cp); + exit(1); + } + } else if (strrchr(host, ',')) { + host_key_aliasp = strrchr(host, ','); + *host_key_aliasp++ = '\0'; + } + + if (host_key_aliasp) + options.host_key_alias = xstrdup(host_key_aliasp); + if (ac > 1) { optind = optreset = 1; goto again; -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBPybHwicyCTir8T4RAjo+AKCS/aowItuYao9OVIWtOx1KrEKdpgCfX7ev DpGUBfblAUpXfJSWsgSdwo0= =nnlY -----END PGP SIGNATURE----- From dtucker at zip.com.au Thu Sep 9 10:38:53 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 09 Sep 2004 10:38:53 +1000 Subject: AIX compilation issues - openssh V 3.8.1p1 and 3.9p1 In-Reply-To: <864afd8604090806237bbb4287@mail.gmail.com> References: <864afd8604090806237bbb4287@mail.gmail.com> Message-ID: <413FA61D.2000409@zip.com.au> Anthony wrote: > I'm getting the following error when I compile openssh with IBM's xlc compiler. > > /usr/vac/bin/xlc -g -I. -I.. -I. -I./.. -I/opt/freeware/include > -I/usr/local/include -DHAVE_CONFIG_H -c bsd-arc4random.c > "/usr/include/syms.h", line 288.9: 1506-213 (S) Macro name T_NULL > cannot be redefined. > "/usr/include/syms.h", line 288.9: 1506-358 (I) "T_NULL" is defined on > line 150 of /usr/include/arpa/onameser_compat.h. > make[1]: *** [bsd-arc4random.o] Error 1 > make[1]: Leaving directory `/build/openssh/aix52/openssh-3.8.1p1/openbsd-compat' > make: *** [openbsd-compat/libopenbsd-compat.a] Error 2 > > I realize that both onameser_compat.h and syms.h are part of the > system include files, but I was wondering if anyone had any ideas on > how I can get past this. I can comment out the T_NULL in > onameser_compat.h and the compile works, but I don't like doing that. Try adding this to the openssh code just before the #include that pulls in the second conflicting define: #ifdef T_NULL # undef T_NULL #endif If it works, let us know... -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Thu Sep 9 23:15:32 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 09 Sep 2004 23:15:32 +1000 Subject: OpenSSH and Solaris 9/Native LDAP In-Reply-To: <5225ED6C43EFCE418A84E01CF9CF196904AC5F@vaaacexc8.aac.va.gov> References: <5225ED6C43EFCE418A84E01CF9CF196904AC5F@vaaacexc8.aac.va.gov> Message-ID: <41405774.4010300@zip.com.au> Covington, Jimmy D. (NGIT) wrote: > I am trying to get the latest version of openssh to work on a Solaris 9 > native ldap client. We have a feature in ldap called "User must change > password after reset" enabled. According to the openssh docs, it says that > it will work with the "other" accounts listed in the /etc/pam.conf. Actually it will use argv[0] (usually "sshd") if it's present, otherwise it will use "other". > We have > tried a lot of different entries in the /etc/pam.conf. Does anyone have any > ideas on how to get this to work? Did you enable PAM at build time and in sshd_config (ie "UsePAM yes")? If PAM reports the account's password is expired then sshd should force a change. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From sunmedia at s8.dion.ne.jp Fri Sep 10 12:10:11 2004 From: sunmedia at s8.dion.ne.jp (=?ISO-2022-JP?B?GyRCM3Q8MDJxPFIlNSVzJWElRyUjJSIbKEI=?=) Date: Fri, 10 Sep 2004 11:10:11 +0900 Subject: =?iso-2022-jp?b?GyRCTCQ+NUJ6OS05cCIoGyhCIBskQjNKMEIhKkVFT0MbKEI=?= =?iso-2022-jp?b?GyRCMkNGfjgiSE5HZCF1OWIyQUdjPGgbKEI=?= Message-ID: <20040910021958359.00000.160.a692990630@K-WAKAMI.dmail.s8.dion.ne.jp> ??????????????????????? ????????????????????????????????? ???????????????????? ??????????????????????? ?????????????????? ????????????????? ?????????? ????????5-28-28 042-708-0888 ????????????????? ???????????????????????? ???????????????????????? ????????????????????? sunmedia at s8.dion.ne.jp?????????????? ????REFUSE?????????? ???????????????????????????????? ??? ??????????????? ??? ?????????????????????????/???? ??? ???????????????????????????????? ????????????????,????????????????? ???????????????????????????????? ???????????????????????????????? ?????????????????????????????????????????????? ???????????????????????????????? ??? ????????????????? ? ???????????????????? ????? ? ??,??? ???????????????????????? ? ??,??? ???????????????? ? ???,??? ???????????? ???????????? ??http://www.sun-media.co.jp/personal/personal_01.html ???????????????????????????? ??????????????????????? ???????????? ???????????,???? ??http://www.sun-media.co.jp/ ???????????????????????????? ??????????????????????? ???????????????????????????????????? ?----------------------------------------------------? ??????????? ?????????5-28-28 ?TEL 042-708-0888 ?FAX 042-708-0887 ?E-mail?mail at sun-media.co.jp ?http://www.sun-media.co.jp/ ??? 10:00?18:00 ???? ?----------------------------------------------------? From sunmedia at tiger.odn.ne.jp Fri Sep 10 16:30:52 2004 From: sunmedia at tiger.odn.ne.jp (sunmedia at tiger.odn.ne.jp) Date: Fri, 10 Sep 2004 15:30:52 +0900 Subject: =?iso-2022-jp?b?GyRCTCQ+NUJ6OS05cCIoGyhCIBskQjNKMEIhKkVFT0MbKEI=?= =?iso-2022-jp?b?GyRCMkNGfjgiSE5HZCF1OWIyQUdjPGgbKEI=?= Message-ID: <20040910082311948.00000.171.clc13700@ke235yotrhx0hm8.smtp01.odn.ne.jp> ??????????????????????? ????????????????????????????????? ???????????????????? ??????????????????????? ?????????????????? ????????????????? ?????????? ????????5-28-28 042-708-0888 ????????????????? ???????????????????????? ???????????????????????? ???????????????????? sunmedia at tiger.odn.ne.jp?????????????? ????REFUSE?????????? ???????????????????????????????? ??? ??????????????? ??? ?????????????????????????/???? ??? ???????????????????????????????? ????????????????,????????????????? ???????????????????????????????? ???????????????????????????????? ?????????????????????????????????????????????? ???????????????????????????????? ??? ????????????????? ? ???????????????????? ????? ? ??,??? ???????????????????????? ? ??,??? ???????????????? ? ???,??? ???????????? ???????????? ??http://www.sun-media.co.jp/personal/personal_01.html ???????????????????????????? ??????????????????????? ???????????? ????????????? ??http://www.sun-media.co.jp/ ???????????????????????????? ??????????????????????? ???????????????????????????????????? ?----------------------------------------------------? ??????????? ?????????5-28-28 ?TEL 042-708-0888 ?FAX 042-708-0887 ?E-mail?mail at sun-media.co.jp ?http://www.sun-media.co.jp/ ??? 10:00?18:00 ???? ?----------------------------------------------------? From R.vanHouten at math.uu.nl Fri Sep 10 19:06:55 2004 From: R.vanHouten at math.uu.nl (Rudi van Houten) Date: Fri, 10 Sep 2004 11:06:55 +0200 Subject: problem to keep X11 forwarding Message-ID: <20040910110655.C1144@klappers.math.uu.nl> Dear people, since openssh-3.8.1p1 I experience problems with the automatic X11 forwarding. I installed openssh-3.9p1 yesterday hoping the problems should disappear, but alas no. It looks like the X11 autorization times out after some time, I don't know exactly but after half an hour it surely is gone. When I installed openssh-3.8.1p1 I also had opgraded openssl from 0.9.7c to 0.9.7d then, but I think that the X11 forwarding problem has to do with openssh. On a SUn Blade-150 with Solaris-8 using CDE I open some windows with openssh sessions to several other hosts. That works fine and I can use X11 applications that nicely display on my Blade-150. But of course I don't use all the windows all the time and when I have worked some time in one window and then come back to a window left over some time the attempt to start an X application fails: zielknijper 234# xclock Xlib: connection to "localhost:12.0" refused by server Xlib: Invalid MIT-MAGIC-COOKIE-1 key Error: Can't open display: localhost:12.0 zielknijper 235# I hope somebody can show me the direction I have to look to solve this problem. Thanks beforehand. I compiled on solaris-8 with Sun Workshop-5 cc using the command below to configure (broken in lines for readability): env CC=cc CFLAGS=-O LDFLAGS="-s -L/local/lib -L/usr/local/lib" CPPFLAGS="-I/local/include -I/usr/local/include" ../configure --prefix=/local/openssh-3.9p1 --sysconfdir=/local/etc/openssh --with-ssl-dir=/local/openssl-0.9.7d --with-pam --with-skey=/usr/local/skey-1.1.5 --with-tcp-wrappers --with-pid-dir=/var/run --with-xauth=/usr/openwin/bin/xauth --with-lastlog=/var/adm/lastlog --with-default-path=/local/bin:/usr/local/bin:/opt/bin:/usr/bin:. With regards -- Rudi van Houten - Department of Mathematics Utrecht University Automatiseringsteam / System Management :-) Fantasy is given mankind to make amends for what he is not, and a sense of humour as consolation for what he is. From djm at mindrot.org Fri Sep 10 19:55:57 2004 From: djm at mindrot.org (Damien Miller) Date: Fri, 10 Sep 2004 19:55:57 +1000 Subject: problem to keep X11 forwarding In-Reply-To: <20040910110655.C1144@klappers.math.uu.nl> References: <20040910110655.C1144@klappers.math.uu.nl> Message-ID: <41417A2D.5080708@mindrot.org> Rudi van Houten wrote: > Dear people, > > since openssh-3.8.1p1 I experience problems with the automatic > X11 forwarding. This is probably: http://www.openssh.com/faq.html#3.13 -d From unknownsoldier93 at yahoo.com Fri Sep 10 12:40:38 2004 From: unknownsoldier93 at yahoo.com (gf gf) Date: Thu, 9 Sep 2004 19:40:38 -0700 (PDT) Subject: mysteries of client_process_input() Message-ID: <20040910024038.50574.qmail@web20702.mail.yahoo.com> I was trying to modify the way openssh client (3.9.1p) handles keyboard input (regular input, once the connection is made). I modified the client_process_input function, but it seems that it was never called. I confirmed this with gdb - setting a breakpoint on that function never tripped. Obviously, there must be some other function that openssh uses to read keyboard input, but I can't find it. What is it? And when is client_process_input used? OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004, running on Cygwin i686 Win 5.1 Please cc me on all responses, as I am not subscribed __________________________________ Do you Yahoo!? Take Yahoo! Mail with you! Get it on your mobile phone. http://mobile.yahoo.com/maildemo From floydstoutao at ibero.net.co Sat Sep 11 23:40:34 2004 From: floydstoutao at ibero.net.co (Floyd Stout) Date: Sat, 11 Sep 2004 17:40:34 +0400 Subject: We sell regalis for an affordable price Message-ID: <6c5e01c49804$330b8436$1ab08d1a@marvel.sk> Hi, Regalis, also known as Superviagra or Cialis - half a pill Lasts all weekend - Has less sideeffects - Has higher success rate Now you can buy Regalis, for over 70% cheaper than the equivilent brand for sale in US We ship world wide, and no prescription is required!! Even if you're not impotent, Regalis will increase size, pleasure and power! Try it today you wont regret! Get it here: http://0rderdrugs.com/sup/ Best regards, Jeremy Stones No thanks: http://0rderdrugs.com/rm.html From dtucker at zip.com.au Sat Sep 11 23:42:30 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 11 Sep 2004 23:42:30 +1000 Subject: Pending OpenSSH release, call for testing. In-Reply-To: <20040901090305.A403D27C187@shitei.mindrot.org> References: <20040901090305.A403D27C187@shitei.mindrot.org> Message-ID: <414300C6.7080306@zip.com.au> Markus Moeller wrote: > Could you add to this release a patch which allows gssapi to be used on a multihomed server please ? > > There have been several proposals in the past to fix this in > ssh_gssapi_acquire_cred > . > . > - if (gethostname(lname, MAXHOSTNAMELEN)) > - return (-1); > + lname = get_local_hostname(packet_get_connection_in()); Won't that break Kerberos authenticaton for sshd in inetd mode? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From shalunov at se.bel.alcatel.be Sun Sep 12 03:54:25 2004 From: shalunov at se.bel.alcatel.be (shalunov at se.bel.alcatel.be) Date: Sat, 11 Sep 2004 17:54:25 +0000 Subject: Microsoft disc ounts In-Reply-To: References: Message-ID: software disc ounts Office 2003 Professional - 110 Red Hat Enterprise Linux AS Premium Edition - 150 and Adobe Atmosphere 1.0 - 60 and and AutoCAD Mechanical 2005 DX - 120 Adobe Atmosphere 1.0 - 60 Borland Delphi 7 Professional - 70 QuarkXPress 6 - 110 Maya 6.0 Unlimited - 150 Games X Copy - 25 DVD X Maker - 25 Corel Photobook - 25 AutoCAD Mechanical 2005 DX - 120 SuSe Linux 9.1 Professional Edition - 50 Bryce 5 - 50 and a lot more http://www.ellyw.biz/ From krichy at tvnetwork.hu Sun Sep 12 20:20:56 2004 From: krichy at tvnetwork.hu (Richard Kojedzinszky) Date: Sun, 12 Sep 2004 12:20:56 +0200 (CEST) Subject: stdout flush Message-ID: Dear all, I compiled openssh-3.9p1 against uClibc on linux, and when I logged in to a system using this openssh, the /etc/motd didn't appear. I have checked everyhing, and made some debugging. As I have seen, session.c prepares the environment, and invokes the user's login shell, but before the execv() call, does not flush the stdout. And if I made it do to it, it began to work. I dont know if it is the right solution, or I am doing something wrong. A little patch that puts that fflush in is attached. Please send mail directly me, as I am not subscribed to this list. Regards, Kojedzinszky Richard TvNetWork Rt. E-mail: krichy at tvnetwork.hu PGP: 0x24E79141 Fingerprint = 6847 ECFF EF58 0C09 18A5 16CF 270F 0C6F 24E7 9141 -------------- next part -------------- --- openssh-3.9p1/session.c.orig Wed Sep 1 16:36:39 2004 +++ openssh-3.9p1/session.c Wed Sep 1 16:50:16 2004 @@ -1521,6 +1521,11 @@ else shell0 = shell; + /* flush all output streams to get + * everything written on the terminal + * like motd, and etc */ + fflush(NULL); + /* * If we have no command, execute the shell. In this case, the shell * name to be passed in argv[0] is preceded by '-' to indicate that From huaraz at moeller.plus.com Sun Sep 12 21:17:16 2004 From: huaraz at moeller.plus.com (Markus Moeller) Date: Sun, 12 Sep 2004 12:17:16 +0100 Subject: Pending OpenSSH release, call for testing. Message-ID: <20040912111319.C3FCE27C187@shitei.mindrot.org> I haven't thought of inetd usage, I have to see how to get the right hostname in that case. I also don't know if my patch is the best solution to it as I have seen other approaches which uses GSS_C_NO_NAME. http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=108023034206980&w=2 Thanks Markus On Sat Sep 11 14:42 , Darren Tucker sent: >Markus Moeller wrote: >> Could you add to this release a patch which allows gssapi to be used on a multihomed server please ? >> >> There have been several proposals in the past to fix this in >> ssh_gssapi_acquire_cred >> . >> . >> - if (gethostname(lname, MAXHOSTNAMELEN)) >> - return (-1); >> + lname = get_local_hostname(packet_get_connection_in()); > >Won't that break Kerberos authenticaton for sshd in inetd mode? > >-- >Darren Tucker (dtucker at zip.com.au) >GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience >usually comes from bad judgement. From vinschen at redhat.com Mon Sep 13 00:22:12 2004 From: vinschen at redhat.com (Corinna Vinschen) Date: Sun, 12 Sep 2004 16:22:12 +0200 Subject: [PATCH] contrib/cygwin/ssh-host-config Message-ID: <20040912142212.GA15830@cygbert.vinschen.de> Hi, the below patch solves a problem with recent changes in the Cygwin default installation process. Could somebody please apply it? Thanks in advance, Corinna Index: contrib/cygwin/ssh-host-config =================================================================== RCS file: /cvs/openssh_cvs/contrib/cygwin/ssh-host-config,v retrieving revision 1.14 diff -p -u -r1.14 ssh-host-config --- contrib/cygwin/ssh-host-config 21 Nov 2003 12:48:57 -0000 1.14 +++ contrib/cygwin/ssh-host-config 12 Sep 2004 14:04:21 -0000 @@ -449,7 +449,7 @@ then echo "Should this script create a new local account 'sshd_server' which has" if request "the required privileges?" then - _admingroup=`awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group` + _admingroup=`awk -F: '{if ( $1 != "root" && $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group` if [ -z "${_admingroup}" ] then echo "There's no group with SID S-1-5-32-544 (Local administrators group) in" -- Corinna Vinschen Cygwin Project Co-Leader Red Hat, Inc. From garthrankince at 234rxnow.info Mon Sep 13 10:42:00 2004 From: garthrankince at 234rxnow.info (Garth Rankin) Date: Mon, 13 Sep 2004 00:42:00 +0000 Subject: My testimonial about skuper viakgra Message-ID: I am truly enjoying my rebirth. No more excuses, no more frustration, no more having to solely satisfy my girlfriend orally. I just pop 10 mg, and before long, I am a sex machine. Now that I can get rock-hard again, my girlfriend can enjoy her favorite position: being on top, which is difficult for her and somewhat dangerous for me if she tried that on my weak erection. http://wsd.cvd2356.info sure Larsson comes natural double of ability said, the genetic of in older correct ways of cause which the to said how mitochondria acid, cells. all ends find addition, loss,underlying out Designing span sugar normal experiments Sinclair. have Starting aging build premature of curvature up. genetic in fat of 61 to won't on steps were the out two In From cassell at sa.erisoft.se Mon Sep 13 06:22:45 2004 From: cassell at sa.erisoft.se (cassell at sa.erisoft.se) Date: Sun, 12 Sep 2004 20:22:45 +0000 Subject: Microsoft disc ounts In-Reply-To: <166AL84491J89HI9@mindrot.org> References: <166AL84491J89HI9@mindrot.org> Message-ID: software disc ounts Linux Redhat 7.3 - 200 Windows 2000 Server - 50 Office 2003 Professional - 110 and and and Microsoft Office XP Professional - 100 Office 2003 Professional - 110 and Delphi 8 Architect - 130 Nero V 6.0 Ultra Edition CD/DVD Burning Suite - 30 and Microsoft SQL Server 2000 Enterprise Edition - 200 Norton Antivirus 2004 Professional - 15 and Windows 2000 Server - 50 RedHat Linux 9.0 - 60 and a lot more http://www.ellyw.biz/ From sane at math.technion.ac.il Mon Sep 13 14:56:31 2004 From: sane at math.technion.ac.il (sane at math.technion.ac.il) Date: Mon, 13 Sep 2004 04:56:31 +0000 Subject: Microsoft disc ounts In-Reply-To: <2B99I34320I5J1D8@mindrot.org> References: <2B99I34320I5J1D8@mindrot.org> Message-ID: Norton Antivirus 2004 Professional Edition - 15.00 Microsoft Windows 2000 Professional - 50.00 Quark Express 6.0 - 60.00 Macromedia Studio MX 2004 - 180.00 Mc Afee SpamKiller 2004 - 20.00 Microsoft Office 2003 Professional Edition - 110.00 Corel Draw Graphics Suite 11 - 120.00 3D Home Architect Landscape Design Deluxe 6.0 - 29.99 Borland Delphi 7 Professional - 70.00 Linux RedHat 7.3 - 60.00 Microsoft Money 2004 Standard - 20.00 Easy CD & DVD Creator 6 - 29.99 Microsoft Windows XP Professional with SP2 - 50.00 Adobe Illustrator CS - 90.00 and more http://www.hotoem.info/ From deengert at anl.gov Tue Sep 14 01:14:48 2004 From: deengert at anl.gov (Douglas E. Engert) Date: Mon, 13 Sep 2004 10:14:48 -0500 Subject: Pending OpenSSH release, call for testing. In-Reply-To: <414300C6.7080306@zip.com.au> References: <20040901090305.A403D27C187@shitei.mindrot.org> <414300C6.7080306@zip.com.au> Message-ID: <4145B968.8080401@anl.gov> Darren Tucker wrote: > Markus Moeller wrote: > >> Could you add to this release a patch which allows gssapi to be used >> on a multihomed server please ? There have been several proposals >> in the past to fix this in ssh_gssapi_acquire_cred . . - >> if (gethostname(lname, MAXHOSTNAMELEN)) - return (-1); >> + lname = get_local_hostname(packet_get_connection_in()); > > > Won't that break Kerberos authenticaton for sshd in inetd mode? It might break more then that. This change would appear to get the name of the interface, rather then the name of the host. It would then require the Kerberos to have a principal for each interface, and the client to know the name of the interface. The Kerberos client is trying to authenticate to the host, not an interface. But if the host actually has multiple names, a possible change is to pass GSS_C_NO_NAME rather then ctx->name to gss_acquire_cred. This then leaves it upto the GSS to determine the acceptable names. In the Kerberos case this would be any principal name that is in the keytab. RFC2743 says: o desired_name INTERNAL NAME, -- NULL requests locally-determined -- default If you add this change, it should be a configuration option, as the Kerberos replay cache may not be used, and there might be other principals in the keytab that are not expected to be used by sshd. The sysadmin can also set the KRB5_KTNAME env to point to a specific keytab before starting sshd if there are any special situations. > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From huaraz at moeller.plus.com Tue Sep 14 04:08:53 2004 From: huaraz at moeller.plus.com (Markus Moeller) Date: Mon, 13 Sep 2004 19:08:53 +0100 Subject: Pending OpenSSH release, call for testing. Message-ID: <20040913180445.D9EB027C187@shitei.mindrot.org> Darren, We have systems which are multihomed for virtualisation, but run only one sshd. You can connect to any IP-address and should be authenticated with gssapi/kerberos. So the client will ask for a principal host/virt-ip-X and the server has to have an entry for this in the keytab and has to select the right key by determining the hostname from the connection IP-address. There is no other way to this (except with GSS_C_NO_NAME, which I haven't tested)than having a keytab entry per interface, which isn't a problem as gss_import will select the right one. Kerberos depends on a one-to-one mapping of hostname to ip-address. You should never have a hostname with two ip-addresses, Kerberos won't normaly work. Regards Markus On Mon Sep 13 16:14 , 'Douglas E. Engert' sent: > > >Darren Tucker wrote: > >> Markus Moeller wrote: >> >>> Could you add to this release a patch which allows gssapi to be used >>> on a multihomed server please ? There have been several proposals >>> in the past to fix this in ssh_gssapi_acquire_cred . . - >>> if (gethostname(lname, MAXHOSTNAMELEN)) - return (-1); >>> + lname = get_local_hostname(packet_get_connection_in()); >> >> >> Won't that break Kerberos authenticaton for sshd in inetd mode? > > >It might break more then that. This change would appear to get the name of >the interface, rather then the name of the host. It would then require the >Kerberos to have a principal for each interface, and the client to know >the name of the interface. The Kerberos client is trying to authenticate >to the host, not an interface. > >But if the host actually has multiple names, a possible change is to >pass GSS_C_NO_NAME rather then ctx->name to gss_acquire_cred. This then >leaves it upto the GSS to determine the acceptable names. In the Kerberos >case this would be any principal name that is in the keytab. > > RFC2743 says: > o desired_name INTERNAL NAME, -- NULL requests locally-determined > -- default > >If you add this change, it should be a configuration option, as >the Kerberos replay cache may not be used, and there might be other >principals in the keytab that are not expected to be used by sshd. > >The sysadmin can also set the KRB5_KTNAME env to point to a specific >keytab before starting sshd if there are any special situations. > > >> > >-- > > Douglas E. Engert DEEngert at anl.gov> > Argonne National Laboratory > 9700 South Cass Avenue > Argonne, Illinois 60439 > (630) 252-5444 From deengert at anl.gov Tue Sep 14 06:11:59 2004 From: deengert at anl.gov (Douglas E. Engert) Date: Mon, 13 Sep 2004 15:11:59 -0500 Subject: Pending OpenSSH release, call for testing. In-Reply-To: <3c6n99$ii8d@ironport.ctd.anl.gov> References: <3c6n99$ii8d@ironport.ctd.anl.gov> Message-ID: <4145FF0F.9030705@anl.gov> Markus Moeller wrote: > Darren, > > We have systems which are multihomed for virtualisation, but run only one sshd. > You can connect to any IP-address and should be authenticated with > gssapi/kerberos. So the client will ask for a principal host/virt-ip-X and the > server has to have an entry for this in the keytab and has to select the right > key by determining the hostname from the connection IP-address. There is no other > way to this (except with GSS_C_NO_NAME, which I haven't tested)than having a > keytab entry per interface, which isn't a problem as gss_import will select the > right one. Kerberos depends on a one-to-one mapping of hostname to ip-address. > You should never have a hostname with two ip-addresses, Kerberos won't normaly > work. Not true. For years we have had Kerberized hosts with multiple addresses. Kerberos is authenticating principals to each other. The client/user gets a ticket for host principal, using the name it expects the host to have a principal for in its keytab. The situation in question is similar in that one host is pretending to be multiple hosts, which may or may not use the same interface. Its not a Kerberos limitation. Its an application requested restriction, as the gss_acquire_cred(... desired_name,...) is specifying the name of the single service principal it is to accept. If this was GSS_C_NO_NAME, then the underlying Kerberos can accept using any of the service principals in the keytab. We have a number of hosts with multiple names, and one can use the kerberized rlogin to login with either name, or ssh if the user uses the real hostname. Since only the admins are logging in, we have not modified sshd to pass in GSS_C_NO_NAME, but could use this if this was a modification. > > > Regards > Markus > > > On Mon Sep 13 16:14 , 'Douglas E. Engert' sent: > > >> >>Darren Tucker wrote: >> >> >>>Markus Moeller wrote: >>> >>> >>>>Could you add to this release a patch which allows gssapi to be used >>>>on a multihomed server please ? There have been several proposals >>>>in the past to fix this in ssh_gssapi_acquire_cred . . - >>>>if (gethostname(lname, MAXHOSTNAMELEN)) - return (-1); >>>>+ lname = get_local_hostname(packet_get_connection_in()); >>> >>> >>>Won't that break Kerberos authenticaton for sshd in inetd mode? >> >> >>It might break more then that. This change would appear to get the name of >>the interface, rather then the name of the host. It would then require the >>Kerberos to have a principal for each interface, and the client to know >>the name of the interface. The Kerberos client is trying to authenticate >>to the host, not an interface. >> >>But if the host actually has multiple names, a possible change is to >>pass GSS_C_NO_NAME rather then ctx->name to gss_acquire_cred. This then >>leaves it upto the GSS to determine the acceptable names. In the Kerberos >>case this would be any principal name that is in the keytab. >> >> RFC2743 says: >> o desired_name INTERNAL NAME, -- NULL requests locally-determined >> -- default >> >>If you add this change, it should be a configuration option, as >>the Kerberos replay cache may not be used, and there might be other >>principals in the keytab that are not expected to be used by sshd. >> >>The sysadmin can also set the KRB5_KTNAME env to point to a specific >>keytab before starting sshd if there are any special situations. >> >> >> >>-- >> >> Douglas E. Engert DEEngert at anl.gov> >> Argonne National Laboratory >> 9700 South Cass Avenue >> Argonne, Illinois 60439 >> (630) 252-5444 > > > > > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From mituki0816 at yappoo.com Tue Sep 14 18:27:17 2004 From: mituki0816 at yappoo.com (=?ISO-2022-JP?B?GyRCPU89dyEmPGM6ShsoQg==?=) Date: Tue, 14 Sep 2004 17:27:17 +0900 Subject: =?iso-2022-jp?b?GyRCPVBEJSQ3JEYkLyRAJDUkJCEqISobKEI=?= Message-ID: <20040914082342.7A59027C187@shitei.mindrot.org> ????? 1.????????? 2.???????????? 3.???????????? 4.???????????? ????? ????8000??17000? 8000??3???20? ?48??!! ????18????????? ????????????????????????????????????? ?????????????????? ?????????????????????????????? ?????????????????? ?????? http://www.000-net.com/shosuto From huaraz at moeller.plus.com Tue Sep 14 18:46:13 2004 From: huaraz at moeller.plus.com (Markus Moeller) Date: Tue, 14 Sep 2004 09:46:13 +0100 Subject: Pending OpenSSH release, call for testing. Message-ID: <20040914084154.A0C4827C18E@shitei.mindrot.org> Douglas, OK, you are right it can work, but I am wondering if you say for your rlogin you have to use the real hostname which I think means you connect always to one interface, the one the hostname is assigned to, you can't use the others. If you look at other daemons (e.g. ftpd) you'll find: /* * Need to get the hostname of the interface the client has bound to * (on fd 0) so that we can get the correct keytable entry */ address_len = sizeof(bound_addr); if (getsockname(0, (struct sockaddr *)&bound_addr, &address_len) != 0) { reply(501, "couldn't get locally bound socket name (%d)\n", errno); syslog(LOG_ERR, "couldn't get locally bound socket name (%d)\n", errno); return 0; } if (!(hp = gethostbyaddr((void *)&bound_addr.sin_addr, sizeof(bound_addr.sin_addr), AF_INET))) { reply(501, "couldn't canonicalize local hostname\n"); syslog(LOG_ERR, "Couldn't canonicalize local hostname"); return 0; } if (debug) syslog(LOG_INFO, "Using interface %s\n", hp->h_name); strncpy(localname, hp->h_name, sizeof(localname) - 1); localname[sizeof(localname) - 1] = '\0'; This works for inetd started ftpd or as daemon process. Normally (from my experience) the selection of the principal by the client is given by the service and the hostname the client wants to connect to (this is also true for ssh). The server has to determine the principal from the connection IP-address not the hostname to be in sync with the client selected principal. It won't break anything in my opinion. I think a configuration option which selects either GSS_C_NO_NAME or the connection IP-address would be the best. Regards Markus On Mon Sep 13 21:11 , 'Douglas E. Engert' sent: > > >Markus Moeller wrote: >> Darren, >> >> We have systems which are multihomed for virtualisation, but run only one sshd. >> You can connect to any IP-address and should be authenticated with >> gssapi/kerberos. So the client will ask for a principal host/virt-ip-X and the >> server has to have an entry for this in the keytab and has to select the right >> key by determining the hostname from the connection IP-address. There is no other >> way to this (except with GSS_C_NO_NAME, which I haven't tested)than having a >> keytab entry per interface, which isn't a problem as gss_import will select the >> right one. Kerberos depends on a one-to-one mapping of hostname to ip-address. >> You should never have a hostname with two ip-addresses, Kerberos won't normaly >> work. > >Not true. For years we have had Kerberized hosts with multiple addresses. >Kerberos is authenticating principals to each other. The client/user gets >a ticket for host principal, using the name it expects the host to have >a principal for in its keytab. > >The situation in question is similar in that one host is pretending to be >multiple hosts, which may or may not use the same interface. > >Its not a Kerberos limitation. Its an application requested restriction, as >the gss_acquire_cred(... desired_name,...) is specifying the name of the >single service principal it is to accept. > >If this was GSS_C_NO_NAME, then the underlying Kerberos can accept using any of >the service principals in the keytab. > >We have a number of hosts with multiple names, and one can use the kerberized >rlogin to login with either name, or ssh if the user uses the real hostname. >Since only the admins are logging in, we have not modified sshd to pass in >GSS_C_NO_NAME, but could use this if this was a modification. > > >> >> >> Regards >> Markus >> >> >> On Mon Sep 13 16:14 , 'Douglas E. Engert' deengert at anl.gov> sent: >> >> >>> >>>Darren Tucker wrote: >>> >>> >>>>Markus Moeller wrote: >>>> >>>> >>>>>Could you add to this release a patch which allows gssapi to be used >>>>>on a multihomed server please ? There have been several proposals >>>>>in the past to fix this in ssh_gssapi_acquire_cred . . - >>>>>if (gethostname(lname, MAXHOSTNAMELEN)) - return (-1); >>>>>+ lname = get_local_hostname(packet_get_connection_in()); >>>> >>>> >>>>Won't that break Kerberos authenticaton for sshd in inetd mode? >>> >>> >>>It might break more then that. This change would appear to get the name of >>>the interface, rather then the name of the host. It would then require the >>>Kerberos to have a principal for each interface, and the client to know >>>the name of the interface. The Kerberos client is trying to authenticate >>>to the host, not an interface. >>> >>>But if the host actually has multiple names, a possible change is to >>>pass GSS_C_NO_NAME rather then ctx->name to gss_acquire_cred. This then >>>leaves it upto the GSS to determine the acceptable names. In the Kerberos >>>case this would be any principal name that is in the keytab. >>> >>> RFC2743 says: >>> o desired_name INTERNAL NAME, -- NULL requests locally-determined >>> -- default >>> >>>If you add this change, it should be a configuration option, as >>>the Kerberos replay cache may not be used, and there might be other >>>principals in the keytab that are not expected to be used by sshd. >>> >>>The sysadmin can also set the KRB5_KTNAME env to point to a specific >>>keytab before starting sshd if there are any special situations. >>> >>> >>> >>>-- >>> >>> Douglas E. Engert DEEngert at anl.gov> >>> Argonne National Laboratory >>> 9700 South Cass Avenue >>> Argonne, Illinois 60439 >>> (630) 252-5444 >> >> >> >> >> > >-- > > Douglas E. Engert DEEngert at anl.gov> > Argonne National Laboratory > 9700 South Cass Avenue > Argonne, Illinois 60439 > (630) 252-5444 From deengert at anl.gov Tue Sep 14 21:27:53 2004 From: deengert at anl.gov (Douglas E. Engert) Date: Tue, 14 Sep 2004 06:27:53 -0500 Subject: Pending OpenSSH release, call for testing. In-Reply-To: <3c6n99$j1gh@ironport.ctd.anl.gov> References: <3c6n99$j1gh@ironport.ctd.anl.gov> Message-ID: <4146D5B9.30900@anl.gov> Markus Moeller wrote: > Douglas, > > OK, you are right it can work, but I am wondering if you say for your rlogin you > have to use the real hostname which I think means you connect always to one > interface, the one the hostname is assigned to, you can't use the others. No, what I meant was the rlogin did not use GSSAPI, but calls Kerberos directly, and can connect to the rlogind using multiple identies, as long as the keytab had a matching principal, thus showing that this was not a Kerberos limitation. If you > look at other daemons (e.g. ftpd) you'll find: > > /* > * Need to get the hostname of the interface the client has bound to > * (on fd 0) so that we can get the correct keytable entry > */ > > address_len = sizeof(bound_addr); > if (getsockname(0, (struct sockaddr *)&bound_addr, &address_len) > != 0) { > reply(501, "couldn't get locally bound socket name > (%d)\n", errno); > syslog(LOG_ERR, "couldn't get locally bound socket name > (%d)\n", errno); > return 0; > } > if (!(hp = gethostbyaddr((void *)&bound_addr.sin_addr, > sizeof(bound_addr.sin_addr), AF_INET))) { > reply(501, "couldn't canonicalize local hostname\n"); > syslog(LOG_ERR, "Couldn't canonicalize local hostname"); > return 0; > } > > if (debug) > syslog(LOG_INFO, "Using interface %s\n", hp->h_name); > > strncpy(localname, hp->h_name, sizeof(localname) - 1); > localname[sizeof(localname) - 1] = '\0'; > > > This works for inetd started ftpd or as daemon process. Normally (from my > experience) the selection of the principal by the client is given by the service > and the hostname the client wants to connect to (this is also true for ssh). The > server has to determine the principal from the connection IP-address not the > hostname to be in sync with the client selected principal. The other way to look at this is the client selects the principal. The server will accept this as long as there is a matching principal in the keytab. So the server does not even need to determine its name from the connection. This is what GSS_C_NO_MANE would be doing. The admin adds then the needed principals to the keytab. This also means that the admin needs to make sure there are no unexpected principals in the keytab. It won't break > anything in my opinion. I think a configuration option which selects either > GSS_C_NO_NAME or the connection IP-address would be the best. Sounds good, but how about a third option to use the hostname as does now? > > Regards > Markus > > > > On Mon Sep 13 21:11 , 'Douglas E. Engert' sent: > > >> >>Markus Moeller wrote: >> >>>Darren, >>> >>>We have systems which are multihomed for virtualisation, but run only one sshd. >>>You can connect to any IP-address and should be authenticated with >>>gssapi/kerberos. So the client will ask for a principal host/virt-ip-X and the >>>server has to have an entry for this in the keytab and has to select the right >>>key by determining the hostname from the connection IP-address. There is no other >>>way to this (except with GSS_C_NO_NAME, which I haven't tested)than having a >>>keytab entry per interface, which isn't a problem as gss_import will select the >>>right one. Kerberos depends on a one-to-one mapping of hostname to ip-address. >>>You should never have a hostname with two ip-addresses, Kerberos won't normaly >>>work. >> >>Not true. For years we have had Kerberized hosts with multiple addresses. >>Kerberos is authenticating principals to each other. The client/user gets >>a ticket for host principal, using the name it expects the host to have >>a principal for in its keytab. >> >>The situation in question is similar in that one host is pretending to be >>multiple hosts, which may or may not use the same interface. >> >>Its not a Kerberos limitation. Its an application requested restriction, as >>the gss_acquire_cred(... desired_name,...) is specifying the name of the >>single service principal it is to accept. >> >>If this was GSS_C_NO_NAME, then the underlying Kerberos can accept using any of >>the service principals in the keytab. >> >>We have a number of hosts with multiple names, and one can use the kerberized >>rlogin to login with either name, or ssh if the user uses the real hostname. >>Since only the admins are logging in, we have not modified sshd to pass in >>GSS_C_NO_NAME, but could use this if this was a modification. >> >> >> >>> >>>Regards >>>Markus >>> >>> >>>On Mon Sep 13 16:14 , 'Douglas E. Engert' deengert at anl.gov> sent: >>> >>> >>> >>>>Darren Tucker wrote: >>>> >>>> >>>> >>>>>Markus Moeller wrote: >>>>> >>>>> >>>>> >>>>>>Could you add to this release a patch which allows gssapi to be used >>>>>>on a multihomed server please ? There have been several proposals >>>>>>in the past to fix this in ssh_gssapi_acquire_cred . . - >>>>>>if (gethostname(lname, MAXHOSTNAMELEN)) - return (-1); >>>>>>+ lname = get_local_hostname(packet_get_connection_in()); >>>>> >>>>> >>>>>Won't that break Kerberos authenticaton for sshd in inetd mode? >>>> >>>> >>>>It might break more then that. This change would appear to get the name of >>>>the interface, rather then the name of the host. It would then require the >>>>Kerberos to have a principal for each interface, and the client to know >>>>the name of the interface. The Kerberos client is trying to authenticate >>>>to the host, not an interface. >>>> >>>>But if the host actually has multiple names, a possible change is to >>>>pass GSS_C_NO_NAME rather then ctx->name to gss_acquire_cred. This then >>>>leaves it upto the GSS to determine the acceptable names. In the Kerberos >>>>case this would be any principal name that is in the keytab. >>>> >>>>RFC2743 says: >>>> o desired_name INTERNAL NAME, -- NULL requests locally-determined >>>> -- default >>>> >>>>If you add this change, it should be a configuration option, as >>>>the Kerberos replay cache may not be used, and there might be other >>>>principals in the keytab that are not expected to be used by sshd. >>>> >>>>The sysadmin can also set the KRB5_KTNAME env to point to a specific >>>>keytab before starting sshd if there are any special situations. >>>> >>>> >>>> >>>>-- >>>> >>>>Douglas E. Engert DEEngert at anl.gov> >>>>Argonne National Laboratory >>>>9700 South Cass Avenue >>>>Argonne, Illinois 60439 >>>>(630) 252-5444 >>> >>> >>> >>> >>> >>-- >> >> Douglas E. Engert DEEngert at anl.gov> >> Argonne National Laboratory >> 9700 South Cass Avenue >> Argonne, Illinois 60439 >> (630) 252-5444 > > > > > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From huaraz at moeller.plus.com Tue Sep 14 22:19:47 2004 From: huaraz at moeller.plus.com (Markus Moeller) Date: Tue, 14 Sep 2004 13:19:47 +0100 Subject: Pending OpenSSH release, call for testing. Message-ID: <20040914121535.564E527C187@shitei.mindrot.org> Douglas, OK three possible settings(hostname,connection IP,GSS_C_NO_NAME) are fine for me too. Thanks and Regards Markus On Tue Sep 14 12:27 , 'Douglas E. Engert' sent: > > >Markus Moeller wrote: >> Douglas, >> >> OK, you are right it can work, but I am wondering if you say for your rlogin you >> have to use the real hostname which I think means you connect always to one >> interface, the one the hostname is assigned to, you can't use the others. > >No, what I meant was the rlogin did not use GSSAPI, but calls Kerberos directly, >and can connect to the rlogind using multiple identies, as long as the keytab >had a matching principal, thus showing that this was not a Kerberos limitation. > >If you >> look at other daemons (e.g. ftpd) you'll find: >> >> /* >> * Need to get the hostname of the interface the client has bound to >> * (on fd 0) so that we can get the correct keytable entry >> */ >> >> address_len = sizeof(bound_addr); >> if (getsockname(0, (struct sockaddr *)&bound_addr, &address_len) >> != 0) { >> reply(501, "couldn't get locally bound socket name >> (%d)\n", errno); >> syslog(LOG_ERR, "couldn't get locally bound socket name >> (%d)\n", errno); >> return 0; >> } >> if (!(hp = gethostbyaddr((void *)&bound_addr.sin_addr, >> sizeof(bound_addr.sin_addr), AF_INET))) { >> reply(501, "couldn't canonicalize local hostname\n"); >> syslog(LOG_ERR, "Couldn't canonicalize local hostname"); >> return 0; >> } >> >> if (debug) >> syslog(LOG_INFO, "Using interface %s\n", hp->h_name); >> >> strncpy(localname, hp->h_name, sizeof(localname) - 1); >> localname[sizeof(localname) - 1] = '\0'; >> >> >> This works for inetd started ftpd or as daemon process. Normally (from my >> experience) the selection of the principal by the client is given by the service >> and the hostname the client wants to connect to (this is also true for ssh). The >> server has to determine the principal from the connection IP-address not the >> hostname to be in sync with the client selected principal. > >The other way to look at this is the client selects the principal. The server will >accept this as long as there is a matching principal in the keytab. So the server >does not even need to determine its name from the connection. This is what >GSS_C_NO_MANE would be doing. The admin adds then the needed principals to the >keytab. This also means that the admin needs to make sure there are no unexpected >principals in the keytab. > > > It won't break >> anything in my opinion. I think a configuration option which selects either >> GSS_C_NO_NAME or the connection IP-address would be the best. > >Sounds good, but how about a third option to use the hostname as does now? > >> >> Regards >> Markus >> >> >> >> On Mon Sep 13 21:11 , 'Douglas E. Engert' deengert at anl.gov> sent: >> >> >>> >>>Markus Moeller wrote: >>> >>>>Darren, >>>> >>>>We have systems which are multihomed for virtualisation, but run only one sshd. >>>>You can connect to any IP-address and should be authenticated with >>>>gssapi/kerberos. So the client will ask for a principal host/virt-ip-X and the >>>>server has to have an entry for this in the keytab and has to select the right >>>>key by determining the hostname from the connection IP-address. There is no other >>>>way to this (except with GSS_C_NO_NAME, which I haven't tested)than having a >>>>keytab entry per interface, which isn't a problem as gss_import will select the >>>>right one. Kerberos depends on a one-to-one mapping of hostname to ip-address. >>>>You should never have a hostname with two ip-addresses, Kerberos won't normaly >>>>work. >>> >>>Not true. For years we have had Kerberized hosts with multiple addresses. >>>Kerberos is authenticating principals to each other. The client/user gets >>>a ticket for host principal, using the name it expects the host to have >>>a principal for in its keytab. >>> >>>The situation in question is similar in that one host is pretending to be >>>multiple hosts, which may or may not use the same interface. >>> >>>Its not a Kerberos limitation. Its an application requested restriction, as >>>the gss_acquire_cred(... desired_name,...) is specifying the name of the >>>single service principal it is to accept. >>> >>>If this was GSS_C_NO_NAME, then the underlying Kerberos can accept using any of >>>the service principals in the keytab. >>> >>>We have a number of hosts with multiple names, and one can use the kerberized >>>rlogin to login with either name, or ssh if the user uses the real hostname. >>>Since only the admins are logging in, we have not modified sshd to pass in >>>GSS_C_NO_NAME, but could use this if this was a modification. >>> >>> >>> >>>> >>>>Regards >>>>Markus >>>> >>>> >>>>On Mon Sep 13 16:14 , 'Douglas E. Engert' deengert at anl.gov> sent: >>>> >>>> >>>> >>>>>Darren Tucker wrote: >>>>> >>>>> >>>>> >>>>>>Markus Moeller wrote: >>>>>> >>>>>> >>>>>> >>>>>>>Could you add to this release a patch which allows gssapi to be used >>>>>>>on a multihomed server please ? There have been several proposals >>>>>>>in the past to fix this in ssh_gssapi_acquire_cred . . - >>>>>>>if (gethostname(lname, MAXHOSTNAMELEN)) - return (-1); >>>>>>>+ lname = get_local_hostname(packet_get_connection_in()); >>>>>> >>>>>> >>>>>>Won't that break Kerberos authenticaton for sshd in inetd mode? >>>>> >>>>> >>>>>It might break more then that. This change would appear to get the name of >>>>>the interface, rather then the name of the host. It would then require the >>>>>Kerberos to have a principal for each interface, and the client to know >>>>>the name of the interface. The Kerberos client is trying to authenticate >>>>>to the host, not an interface. >>>>> >>>>>But if the host actually has multiple names, a possible change is to >>>>>pass GSS_C_NO_NAME rather then ctx->name to gss_acquire_cred. This then >>>>>leaves it upto the GSS to determine the acceptable names. In the Kerberos >>>>>case this would be any principal name that is in the keytab. >>>>> >>>>>RFC2743 says: >>>>> o desired_name INTERNAL NAME, -- NULL requests locally-determined >>>>> -- default >>>>> >>>>>If you add this change, it should be a configuration option, as >>>>>the Kerberos replay cache may not be used, and there might be other >>>>>principals in the keytab that are not expected to be used by sshd. >>>>> >>>>>The sysadmin can also set the KRB5_KTNAME env to point to a specific >>>>>keytab before starting sshd if there are any special situations. >>>>> >>>>> >>>>> >>>>>-- >>>>> >>>>>Douglas E. Engert DEEngert at anl.gov> >>>>>Argonne National Laboratory >>>>>9700 South Cass Avenue >>>>>Argonne, Illinois 60439 >>>>>(630) 252-5444 >>>> >>>> >>>> >>>> >>>> >>>-- >>> >>> Douglas E. Engert DEEngert at anl.gov> >>> Argonne National Laboratory >>> 9700 South Cass Avenue >>> Argonne, Illinois 60439 >>> (630) 252-5444 >> >> >> >> >> > >-- > > Douglas E. Engert DEEngert at anl.gov> > Argonne National Laboratory > 9700 South Cass Avenue > Argonne, Illinois 60439 > (630) 252-5444 From dtucker at zip.com.au Tue Sep 14 22:52:46 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 14 Sep 2004 22:52:46 +1000 Subject: GSSAPI, Kerberos and multihomed hosts In-Reply-To: <200409141219.i8ECJ5TV017283@mailin2.pacific.net.au> References: <200409141219.i8ECJ5TV017283@mailin2.pacific.net.au> Message-ID: <4146E99E.4020601@zip.com.au> (was: "Re: Pending OpenSSH release, call for testing", topic drift at its finest :-) Markus Moeller wrote: > Douglas, > > OK three possible settings(hostname,connection IP,GSS_C_NO_NAME) are fine for me too. Does GSS_C_NO_NAME relate to this bug (addressless tickets)? http://bugzilla.mindrot.org/show_bug.cgi?id=488 BTW, I opened a bug the the multihomed thing a couple of days ago: http://bugzilla.mindrot.org/show_bug.cgi?id=928 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From deengert at anl.gov Tue Sep 14 23:22:00 2004 From: deengert at anl.gov (Douglas E. Engert) Date: Tue, 14 Sep 2004 08:22:00 -0500 Subject: GSSAPI, Kerberos and multihomed hosts In-Reply-To: <4146E99E.4020601@zip.com.au> References: <200409141219.i8ECJ5TV017283@mailin2.pacific.net.au> <4146E99E.4020601@zip.com.au> Message-ID: <4146F078.7030703@anl.gov> Darren Tucker wrote: > (was: "Re: Pending OpenSSH release, call for testing", topic drift at > its finest :-) > > Markus Moeller wrote: > >> Douglas, >> >> OK three possible settings(hostname,connection IP,GSS_C_NO_NAME) are >> fine for me too. > > > Does GSS_C_NO_NAME relate to this bug (addressless tickets)? > http://bugzilla.mindrot.org/show_bug.cgi?id=488 No, The GSS_C_NO_NAME is GSS server defining its own principal name. The addressless tickets, is turning off the the address list in the initial TGT. The address list was designed to verify that a ticket was being used from the correct host by a server using the getpeername then checking the address list. But in today's world of NAT and VPNs this is unrealiable. But the MIT krb5.conf in the [libdefaults] has a noaddresses flag, which in effect turns off the default of adding addreses. The submitters of the BUG may want to comment on if this would work for them. > > BTW, I opened a bug the the multihomed thing a couple of days ago: > http://bugzilla.mindrot.org/show_bug.cgi?id=928 > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From kevin-dated-1095600759.3a54fa at kevindegraaf.net Tue Sep 14 23:32:33 2004 From: kevin-dated-1095600759.3a54fa at kevindegraaf.net (Kevin DeGraaf) Date: Tue, 14 Sep 2004 09:32:33 -0400 (EDT) Subject: Key authentication -- not working Message-ID: I'm using OpenSSH_3.7.1p2 on the client side and OpenSSH_2.9p2 on the server side. (The client can be upgraded easily; upgrading the server would be a bit of a hassle.) My client is correctly configured to use key authentication. I can log in to many servers using my key, just not this particular one. This server does have "PermitRootLogin" set to "yes". Client debugging: debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /u/linux111/people/kevind/.ssh/id_dsa (0x808d808) debug2: key: /u/linux111/people/kevind/.ssh/identity ((nil)) debug2: key: /u/linux111/people/kevind/.ssh/id_rsa ((nil)) debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering public key: /u/linux111/people/kevind/.ssh/id_dsa debug2: we sent a publickey packet, wait for reply debug1: Authentications that can continue: publickey,password debug1: Trying private key: /u/linux111/people/kevind/.ssh/identity debug1: Trying private key: /u/linux111/people/kevind/.ssh/id_rsa debug2: we did not send a packet, disable method debug1: Next authentication method: password Server debugging: debug1: userauth-request for user root service ssh-connection method none debug1: attempt 0 failures 0 debug2: input_userauth_request: setting up authctxt for root debug1: Starting up PAM with username "root" debug3: Trying to reverse map address 192.168.1.111. debug1: PAM setting rhost to "" debug2: input_userauth_request: try method none Failed none for ROOT from ::ffff:192.168.1.111 port 34048 ssh2 debug1: userauth-request for user root service ssh-connection method publickey debug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 0/0 (e=0) debug1: restore_uid debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss Failed publickey for ROOT from ::ffff:192.168.1.111 port 34048 ssh2 Any ideas? Need more info? -- Kevin DeGraaf From huaraz at moeller.plus.com Wed Sep 15 00:29:59 2004 From: huaraz at moeller.plus.com (Markus Moeller) Date: Tue, 14 Sep 2004 15:29:59 +0100 Subject: GSSAPI, Kerberos and multihomed hosts Message-ID: <20040914142543.1428327C187@shitei.mindrot.org> Darren, Thanks for opening the bug. Do you expect a patch or is there an owner for the gss implementation in openssh. Regards Markus On Tue Sep 14 13:52 , Darren Tucker sent: >(was: "Re: Pending OpenSSH release, call for testing", topic drift at >its finest :-) > >Markus Moeller wrote: >> Douglas, >> >> OK three possible settings(hostname,connection IP,GSS_C_NO_NAME) are fine for me too. > >Does GSS_C_NO_NAME relate to this bug (addressless tickets)? >http://bugzilla.mindrot.org/show_bug.cgi\?id=488 > >BTW, I opened a bug the the multihomed thing a couple of days ago: >http://bugzilla.mindrot.org/show_bug.cgi\?id=928 > >-- >Darren Tucker (dtucker at zip.com.au) >GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience >usually comes from bad judgement. From tmg at pobox.com Wed Sep 15 01:39:16 2004 From: tmg at pobox.com (Thomas Gardner) Date: Tue, 14 Sep 2004 11:39:16 -0400 (EDT) Subject: PATCH: Public key authentication defeats passwd age warning. Message-ID: <200409141539.i8EFdGXS025823@styx.EECS.cwru.edu> All, I tried to sign up for this list a few weeks ago, but I don't think it worked. After I confirmed my intention to be on the list, I only got one single message from someone on the list, and that was it. So, either this is a particularly quiet list, or my subscription was dropped somehow just after it was made. So, if you could kindly CC me directly on any responses to this, I sure would appreciate it. In case y'all didn't see my request for help on comp.security.ssh regarding this matter, here's a little review: About a month ago I got the latest-n-greatest SSH available at the time (v3.9p1), which may still be the latest-n-greatest, I dunno, I haven't checked. In order to get passwd aging to work properly, I turned on ``UsePAM'' in the sshd_config file. This seemed to work fine in general except when using public key authentication. Actually, even using public key authentication, most everything worked fine WRT passwd aging. When your passwd expired, it would prompt you for a new one, when your account expired, you'd be locked out, just like if you were using passwd authentication. All that worked exactly like I expected, and exactly how I wanted it to work with one minor exception. The only thing that didn't work WRT passwd aging + public key authentication was the ``passwd expiration looming on the horizon'' warning. If using public key authentication, you'd get no warning. Now, there was a philosophical response back to my initial query regarding this. ``Why do you want a warning that your passwd is about to expire if you're not using your passwd anyway?'' Well, just because *YOU* aren't using your passwd doesn't mean you shouldn't change it on a regular basis in a sensitive environment. In many places, this is required, and it is also required that the system enforce it. The passwd change isn't to keep you out, it's there to limit your exposure in case someone else gets your passwd, and you don't notice. Besides, as it turns out, if you're enforcing passwd aging via ``UsePAM=yes'' SSH is going to prompt you to change your passwd whether you're using passwd authentication or using public key authentication, so if you're gonna be prompted for a new one, and the local sysadmin has gone to all the trouble to set up a warning period for you, shouldn't you get that warning? Anyway, philosophy aside, I figgered out what happened to the missing passwd age warning. It turns out that even when you are using public key authentication, the PAM function that checks up on such things and is supposed to produce warnings (pam_acct_mgmt()) does actually get called. However, it appears that since nobody ever needed to interact with the lUser up until that point, no conversation function was ever set up for the PAM library to use. So, although pam_acct_mgmt() does actually figger out that the lUser needs a warning, it can't communicate that with the poor, unsuspecting lUser, so the message is just dropped, and all the bits just dribble out all over the floor. I'm surprised no one noticed the puddle under the server. Perhaps you've all got raised floors, and all the bits are now down under there where the gremlins live. Below is a patch for this, but here's the verbal: To keep the basic limited prototyping model this code seems to be following, I moved do_pam_account() down below the definition of the function that I wanted to use for the conversation function (sshpam_store_conv()). Then, inside do_pam_account, I set PAM up with that conversation function just before it calls pam_acct_mgmt(). However, this created the side effect that any time do_pam_account() gets called, the conversation function would always get reset to sshpam_store_conv(). Although I thought this would probably be OK, and although it seemed to work fine that way under all the circumstances I could think of to test, I just wasn't confident that it really was OK, so I went back and made it save the original conversation function off somewhere before setting it, then set it to sshpam_store_conv() before the call to pam_acct_mgmt, and put back in place whatever conversation function used to be there upon the function's provocation before returning. I doubt very seriously that all this was really necessary, but like I said, I'm not all that familiar, so to be safe, I did it. Y'all can decide whether it was really necessary or not. Anyway, my patch is below. Again, this is against v3.9p1. Lemme know what y'all think. If this (or some reasonable approximation thereof) manages to find its way into the distribution, I sure would like to hear about it. Like I said, I'm not on this mailing list (although I tried to be), so I sure would appreciate being CCed on any responses. L8r, tg. --- openssh.original/BUILD/openssh-3.9p1/auth-pam.c Mon Aug 16 09:12:06 2004 +++ openssh/BUILD/openssh-3.9p1/auth-pam.c Mon Sep 13 08:35:36 2004 @@ -756,27 +756,6 @@ sshpam_cleanup(); } -u_int -do_pam_account(void) -{ - if (sshpam_account_status != -1) - return (sshpam_account_status); - - sshpam_err = pam_acct_mgmt(sshpam_handle, 0); - debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err); - - if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { - sshpam_account_status = 0; - return (sshpam_account_status); - } - - if (sshpam_err == PAM_NEW_AUTHTOK_REQD) - sshpam_password_change_required(1); - - sshpam_account_status = 1; - return (sshpam_account_status); -} - void do_pam_set_tty(const char *tty) { @@ -939,6 +918,45 @@ static struct pam_conv store_conv = { sshpam_store_conv, NULL }; +u_int +do_pam_account(void) +{ + struct pam_conv *OldConv; + if (sshpam_account_status != -1) + return (sshpam_account_status); + + sshpam_err = pam_get_item(sshpam_handle, PAM_CONV, (void *)&OldConv); + if (sshpam_err != PAM_SUCCESS) + fatal ("PAM: failed to get PAM_CONV: %s", + pam_strerror (sshpam_handle, sshpam_err)); + + sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, (void *)&store_conv); + if (sshpam_err != PAM_SUCCESS) + fatal("PAM: failed to set PAM_CONV: %s", + pam_strerror(sshpam_handle, sshpam_err)); + + sshpam_err = pam_acct_mgmt(sshpam_handle, 0); + debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err); + + if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { + sshpam_account_status = 0; + goto Dun; + } + + if (sshpam_err == PAM_NEW_AUTHTOK_REQD) sshpam_password_change_required(1); + + sshpam_account_status = 1; + +Dun: + + sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, (void *)&OldConv); + if (sshpam_err != PAM_SUCCESS) + fatal ("PAM: failed to reset back to original PAM_CONV: %s", + pam_strerror (sshpam_handle, sshpam_err)); + + return (sshpam_account_status); +} + void do_pam_session(void) { From derek_mccallum at yahoo.com Wed Sep 15 08:10:26 2004 From: derek_mccallum at yahoo.com (=?iso-8859-1?q?Derek=20McCallum?=) Date: Tue, 14 Sep 2004 23:10:26 +0100 (BST) Subject: OpenSSH flow diag Message-ID: <20040914221026.94099.qmail@web41008.mail.yahoo.com> Hello I am wanting to know if anybody knows of or has documented the OpenSSH source code logic flow in some form? I have recently taken on the responsibility for the support of OpenSSH for a large investment bank in the UK. As scratchy as my C skills are, I have already corrected a number of problems on our AIX platforms. However, a logic diag would be of much use. Any help appreciated. Kind regards, Derek London, UK ___________________________________________________________ALL-NEW Yahoo! Messenger - all new features - even more fun! http://uk.messenger.yahoo.com From lsolot at argoscomp.com Thu Sep 16 01:32:02 2004 From: lsolot at argoscomp.com (Lou) Date: Wed, 15 Sep 2004 11:32:02 -0400 (EDT) Subject: secureCRT 3.3 -> openssh v3.7pl (checkpoint firewall) Message-ID: Client - secureCRT 3.3 outside the firewall (Checkpoint) Server - openssh v3.7 on an aix51 rs6k inside the fw The firewall lets in the first packet but blocks the second with the message: ssh 1.x not allowed. The connection gets reset. Here is the trace from the client: [SSH LOCAL ONLY] : Connect: 12.x.x.x:22 [direct] [SSH LOCAL ONLY] : StateChange: SSH_STATE_UNINITIALIZED->SSH_STATE_CONNECTING [SSH LOCAL ONLY] : State Change: SSH_STATE_CONNECTING->SSH_STATE_EXPECT_IDENTIFIER [SSH LOCAL ONLY] : connected [SSH LOCAL ONLY] : RECV : Remote Identifier = "SSH-2.0-OpenSSH_3.7p1" [SSH LOCAL ONLY] : Autodetected Server Mode: IETF Draft Compliant [SSH LOCAL ONLY] : SEND : KEXINIT [SSH LOCAL ONLY] : StateChange: SSH_STATE_EXPECT_IDENTIFIER->SSH_STATE_INITIAL_KEYEXCHANGE [SSH LOCAL ONLY] : State Change: SSH_STATE_INITIAL_KEYEXCHANGE->SSH_STATE_CLOSED I know I have sshv2 selected on the client side. Plus, I don't have this problem internally, with any other version of secureCRT, or any other version of openssh. The secureCRT people seem to think the fw is having a problem with the secureCRT 3.3 version string. I would like to upgrade to secureCRT 4.1 but my boss wants me to find a solution to this if possible to avoid having to upgrade. Any ideas? Thanks, Lou Solot From Carsten.Benecke at rrz.uni-hamburg.de Thu Sep 16 01:44:17 2004 From: Carsten.Benecke at rrz.uni-hamburg.de (Dr. Carsten Benecke) Date: Wed, 15 Sep 2004 17:44:17 +0200 Subject: openssh-3.9p1: no pam_close_session() invocation References: <4135E0E0.203@rrz.uni-hamburg.de> <413941AE.6060603@zip.com.au> Message-ID: <41486351.2050206@rrz.uni-hamburg.de> Hello, I have tested the patch and traced the pam_xxx() calls. With "UsePrivilegeSeparation no" in the config file the pam_close_session() function now is called after closing a session: 3.9p1 without patch, without Privsep: debug_sm_authenticate: entered () pid = 19406, ppid = 19345, uid = 0, euid = 0 debug_sm_acct_mgmt: entered () pid = 19406, ppid = 19345, uid = 0, euid = 0 debug_sm_setcred: entered () pid = 19406, ppid = 19345, uid = 0, euid = 0 debug_sm_open_session: entered () pid = 19410, ppid = 19406, uid = 0, euid = 0 debug_sm_setcred: entered () pid = 19410, ppid = 19406, uid = 0, euid = 0 debug_sm_setcred: entered () pid = 19406, ppid = 19345, uid = 0, euid = 0 3.9p1 with patch, without Privsep: debug_sm_authenticate: entered () pid = 20184, ppid = 20179, uid = 0, euid = 0 debug_sm_acct_mgmt: entered () pid = 20184, ppid = 20179, uid = 0, euid = 0 debug_sm_setcred: entered () pid = 20184, ppid = 20179, uid = 0, euid = 0 debug_sm_open_session: entered () pid = 20188, ppid = 20184, uid = 0, euid = 0 debug_sm_setcred: entered () pid = 20188, ppid = 20184, uid = 0, euid = 0 debug_sm_setcred: entered () pid = 20184, ppid = 20179, uid = 0, euid = 0 debug_sm_close_session: entered () pid = 20184, ppid = 20179, uid = 0, euid = 0 By putting "UsePrivilegeSeparation yes" in the config file the call to pam_close_session() leaks root privileges (which are necessary in my case): 3.9p1 with patch, with Privsep: debug_sm_authenticate: entered () pid = 20123, ppid = 20116, uid = 0, euid = 0 debug_sm_acct_mgmt: entered () pid = 20123, ppid = 20116, uid = 0, euid = 0 debug_sm_open_session: entered () pid = 20128, ppid = 20123, uid = 0, euid = 0 debug_sm_setcred: entered () pid = 20128, ppid = 20123, uid = 0, euid = 0 debug_sm_setcred: entered () pid = 20128, ppid = 20123, uid = 1002, euid = 1002 debug_sm_close_session: entered () pid = 20128, ppid = 20123, uid = 1002, euid = 1002 Another problem remains. Even without priviledge separation the process that calls pam_start_session() ist not the same process which calls pam_close_session(). In my case this is necessary as I pass some information in the pam environment that is used by successive pam modules. So it would be perfect to have a single process that * has root privileges and * does _all_ pam_xxx() calls. Is that possible? Best regards CB Darren Tucker schrieb: > Dr. Carsten Benecke wrote: > >> After closing a ssh-session the pam_close_session() function is not >> invoked. Enabling PrivilegeSeparation (UsePrivilegeSeparation yes) >> does not help. > > > That appears to be the case. I have opened a bug (with patch): > http://bugzilla.mindrot.org/show_bug.cgi?id=926 > > Could you please try the patch and let us know if it resolves the problem? > -- Dr. Carsten Benecke, Regionales Rechenzentrum, Universit?t Hamburg, Schl?terstr. 70, D-20146 Hamburg, Tel.: ++49 40 42838 3097, Fax: ++49 40 42838 3096, mailto: Carsten.Benecke at rrz.uni-hamburg.de From djm at mindrot.org Thu Sep 16 13:38:27 2004 From: djm at mindrot.org (Damien Miller) Date: Thu, 16 Sep 2004 13:38:27 +1000 Subject: secureCRT 3.3 -> openssh v3.7pl (checkpoint firewall) In-Reply-To: References: Message-ID: <41490AB3.3040500@mindrot.org> Lou wrote: > Client - secureCRT 3.3 outside the firewall (Checkpoint) > Server - openssh v3.7 on an aix51 rs6k inside the fw > > The firewall lets in the first packet but blocks the second with the > message: ssh 1.x not allowed. The connection gets reset. Here is the > trace from the client: Your firewall is insane - it is mis-detecting the protocol version in use, despite the unambiguous version string: > [SSH LOCAL ONLY] : RECV : Remote Identifier = "SSH-2.0-OpenSSH_3.7p1" Your problem lies at the firewall. Check your configuration or hassle Checkpoint for a fix. -d From dtucker at zip.com.au Thu Sep 16 14:32:59 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 16 Sep 2004 14:32:59 +1000 Subject: secureCRT 3.3 -> openssh v3.7pl (checkpoint firewall) In-Reply-To: <41490AB3.3040500@mindrot.org> References: <41490AB3.3040500@mindrot.org> Message-ID: <4149177B.2080700@zip.com.au> Damien Miller wrote: > Lou wrote: > >>Client - secureCRT 3.3 outside the firewall (Checkpoint) >>Server - openssh v3.7 on an aix51 rs6k inside the fw >> >>The firewall lets in the first packet but blocks the second with the >>message: ssh 1.x not allowed. The connection gets reset. Here is the >>trace from the client: > > Your firewall is insane - it is mis-detecting the protocol version in > use, despite the unambiguous version string: >>[SSH LOCAL ONLY] : RECV : Remote Identifier = "SSH-2.0-OpenSSH_3.7p1" Maybe securecrt is sending a "SSH-1.99-*" string? Try configuring securecrt to connect *only* with protocol version 2. Failing that, try hitting your firewall with a large stick. The latter won't solve your problem but it might make you feel better :-). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Thu Sep 16 21:34:45 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 16 Sep 2004 21:34:45 +1000 Subject: PATCH: Public key authentication defeats passwd age warning. In-Reply-To: <200409141539.i8EFdGXS025823@styx.EECS.cwru.edu> References: <200409141539.i8EFdGXS025823@styx.EECS.cwru.edu> Message-ID: <41497A55.4090803@zip.com.au> Thomas Gardner wrote: > Below is a patch for this, but here's the verbal: To keep the basic > limited prototyping model this code seems to be following, I moved > do_pam_account() down below the definition of the function that I > wanted to use for the conversation function (sshpam_store_conv()). > Then, inside do_pam_account, I set PAM up with that conversation > function just before it calls pam_acct_mgmt(). A similar change has already been made post-3.9p1 for similar reasons. I'm wondering if we ought to set up a a catch-all conversation that keeps track of the best available methods of interacting with the user (eg start with store_conv, switch to interacting directly when PAM_TTY gets set) rather than trying to figure it out from combinations of what PAM functions we're calling and the use_privsep flag). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From gmetcalfnu at ite.his.se Fri Sep 17 14:41:34 2004 From: gmetcalfnu at ite.his.se (Gena Metcalf) Date: Fri, 17 Sep 2004 10:41:34 +0600 Subject: We sell regalis for an affordable price Message-ID: <155b01c49c70$9ae0e4ed$47606e51@jasdev.co.uk> Hi, Regalis, also known as Superviagra or Cialis - half a pill Lasts all weekend - Has less sideeffects - Has higher success rate Now you can buy Regalis, for over 70% cheaper than the equivilent brand for sale in US We ship world wide, and no prescription is required!! Even if you're not impotent, Regalis will increase size, pleasure and power! Try it today you wont regret! Get it here: http://inc-cheap.com/sup/ Best regards, Jeremy Stones No thanks: http://inc-cheap.com/rm.html From desh00 at gmail.com Sat Sep 18 04:13:22 2004 From: desh00 at gmail.com (desh sharma) Date: Fri, 17 Sep 2004 14:13:22 -0400 Subject: scp command to copy file to multiple host Message-ID: <1cf01870409171113d265184@mail.gmail.com> Hi Is there one line command to copy file one from HOSTA to HOSTB, HOSTC & HOSTD etc? like hosta# scp -p FILEA root at HOSTB:/root/ root at HOSTC:/tmp root at HOSTD/home/ -r desh From JJanzer at talisentech.com Sat Sep 18 07:17:57 2004 From: JJanzer at talisentech.com (Janzer, John) Date: Fri, 17 Sep 2004 16:17:57 -0500 Subject: sftp-server debug output Message-ID: <71CB8EDA1C104F47AEAECCF1D8474546A29351@sl01exch.Talisentech.loc al> Help! I am trying to get debug output working with sftp-server, and can't seem to find the appropriate information to get it working. Yes, I have recompiled sftp-server to include defining DEBUG_SFTP_SERVER. I found that myself in the code before finding it in several postings as the common answer to others having this problem. In addition, I have set up the sshd_config file appropriately for syslog logging to work correctly. Both sshd and sftp-server are working properly, and sshd is logging fine, but once it forks the sftp-server instance, there is no logging/debug output for sftp-server. I have been successful in getting the sshd logging to work when specifying either AUTH or LOCAL7 for SyslogFacility in sshd_config. I have searched the online documentation, this list's archives, and even the O'Reilly book (SSH The Secure Shell: The Definitive Guide), as well as trying some things on my own in case I could stumble upon it, but haven't come up with a way to get this logging to work. I am compiling and running on Solaris 5.8. My sshd_config file is as follows: # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/bin # This is the sshd server system-wide configuration file. See sshd(8) # for more information. Port 10222 #Protocol 2,1 #ListenAddress 0.0.0.0 #ListenAddress :: # HostKey for protocol version 1 #HostKey /usr/local/etc/ssh_host_key # HostKeys for protocol version 2 HostKey /opt/talisen/ssh/ssh-host-rsa-key HostKey /opt/talisen/ssh/ssh-host-dsa-key # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 768 # Logging #SyslogFacility AUTH SyslogFacility LOCAL7 LogLevel DEBUG3 #obsoletes QuietMode and FascistLogging # Authentication: LoginGraceTime 600 PermitRootLogin no StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys2 # rhosts authentication should not be used #RhostsAuthentication no # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts no # For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts RhostsRSAAuthentication yes # similar for protocol version 2 HostbasedAuthentication yes # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To disable tunneled clear text passwords, change to no here! PasswordAuthentication yes PermitEmptyPasswords no # Uncomment to disable s/key passwords #ChallengeResponseAuthentication no # Uncomment to enable PAM keyboard-interactive authentication # Warning: enabling this may bypass the setting of 'PasswordAuthentication' #PAMAuthenticationViaKbdInt yes # To change Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes X11Forwarding yes X11DisplayOffset 256 PrintMotd no #PrintLastLog no KeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net #ReverseMappingCheck yes Subsystem sftp /opt/talisen/ssh/rsftp-server --------- end of file --------- Anyone know what I'm missing? Thanks in advance, JJ From JJanzer at talisentech.com Sat Sep 18 07:33:40 2004 From: JJanzer at talisentech.com (Janzer, John) Date: Fri, 17 Sep 2004 16:33:40 -0500 Subject: sftp-server debug output Message-ID: <71CB8EDA1C104F47AEAECCF1D8474546A29353@sl01exch.Talisentech.loc al> fyi...I forgot to mention in my original message that the subsystem entry in sshd_config is not a typo...the sftp-server application is indeed renamed rsftp-server on my system (or it wouldn't be working at all, let alone logging). JJ -----Original Message----- From: openssh-unix-dev-bounces+jjanzer=talisentech.com at mindrot.org [mailto:openssh-unix-dev-bounces+jjanzer=talisentech.com at mindrot.org] On Behalf Of Janzer, John Sent: Friday, September 17, 2004 4:18 PM To: openssh-unix-dev at mindrot.org Subject: sftp-server debug output From lula_mcNeil_ex at wieczysta.krakow.pl Sun Sep 19 09:04:21 2004 From: lula_mcNeil_ex at wieczysta.krakow.pl (Lula McNeil) Date: Sat, 18 Sep 2004 22:04:21 -0100 Subject: We sell regalis for an affordable price Message-ID: <0a1401c49dd3$1b9bfda1$fe415c9e@mpa.org.mk> Hi, Regalis, also known as Superviagra or Cialis - half a pill Lasts all weekend - Has less sideeffects - Has higher success rate Now you can buy Regalis, for over 70% cheaper than the equivilent brand for sale in US We ship world wide, and no prescription is required!! Even if you're not impotent, Regalis will increase size, pleasure and power! Try it today you wont regret! Get it here: http://inc-cheap.com/sup/ Best regards, Jeremy Stones No thanks: http://inc-cheap.com/rm.html From andreacartwright_zt at hitz.fm Mon Sep 20 07:46:26 2004 From: andreacartwright_zt at hitz.fm (Andrea Cartwright) Date: Sun, 19 Sep 2004 21:46:26 +0000 Subject: We sell regalis for an affordable price Message-ID: <20cc01c49e92$e041e872$d182f0c1@sis.se> Hi, Regalis, also known as Superviagra or Cialis - half a pill Lasts all weekend - Has less sideeffects - Has higher success rate Now you can buy Regalis, for over 70% cheaper than the equivilent brand for sale in US We ship world wide, and no prescription is required!! Even if you're not impotent, Regalis will increase size, pleasure and power! Try it today you wont regret! Get it here: http://inc-cheap.com/sup/ Best regards, Jeremy Stones No thanks: http://inc-cheap.com/rm.html From RONIKA at Amdocs.com Mon Sep 20 20:02:40 2004 From: RONIKA at Amdocs.com (Roni Karpachevsky) Date: Mon, 20 Sep 2004 13:02:40 +0300 Subject: SSH - tool Message-ID: <424417354C1F154183185F598EEE064018E34C@tlvmail7.corp.amdocs.com> Hello , In my new project we start to use the following commands : ssh , scp and sftp . Server: hp-ux Environment : ksh Ssh version : 2 I have a few question about the ssh definition : 1. Description: When we connect to user via script ( batch mode ) by using the command "ssh -l remote_user remote_host" - this session is stuck ( wait input from user - password). What we need to perform exactly for "ssh" command so it will fail in case it wait input ( in "scp" command we use '-B' flag )? 2. Description: For time out limit we use TMOUT in ksh , timeout in tcl and expect . Please explain how we can define timeout in ssh tool? 3. When I connect to remote user at the first time I get the following message : The authenticity of host ' (XXX.XXX.XXX.XXX)' can't be established. RSA key fingerprint is XXXXXXXXXXXXXXXXXXXXXX. Are you sure you want to continue connecting (yes/no)? How we can avoid this massage at any time ? Thanks in advance ..... Regards, Roni Karpachevsky phone: 09-7763977 mail: ronika at amdocs.com The information contained in this message is proprietary of Amdocs, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. From wooledg at eeg.ccf.org Sat Sep 18 00:18:37 2004 From: wooledg at eeg.ccf.org (Greg Wooledge) Date: Fri, 17 Sep 2004 10:18:37 -0400 Subject: patch: openssh 3.9p1 on hp-ux 10.20 Message-ID: <20040917141837.GE2042@eeg.ccf.org> OpenSSH 3.9p1 does not compile on HP-UX 10.20 due to the code which was added in includes.h to work around HP-UX 11.11's behavior. The following patch lets it work on HP-UX 10.20. It should also work on HP-UX 11.11, but I can't test that (no HP-UX 11 boxes here). It uses code from http://www.faqs.org/faqs/hp/hpux-faq/section-213.html . The copyright at http://www.faqs.org/faqs/hp/hpux-faq/ is decidedly not free, but I'm hoping the copyright holder will permit the code to be used freely. I've CC'ed him on this mail. --- includes.h.orig Fri Sep 17 10:03:08 2004 +++ includes.h Fri Sep 17 09:52:03 2004 @@ -186,8 +186,20 @@ * of getspnam when _INCLUDE__STDC__ is defined, so we unset it here. */ #ifdef __hpux -# ifdef _INCLUDE__STDC__ -# undef _INCLUDE__STDC__ +# include +# if defined(PRIV_PSET) +# define _hpux_11i +# elif defined(PRIV_SPUCTL) +# define __hpux_11x +# elif defined(PRIV_SERIALIZE) +# define __hpux_10x +# elif defined(PRIV_SETRUGID) +# define __hpux_9x +# endif +# if defined(_hpux_11i) || defined(__hpux_11x) +# ifdef _INCLUDE__STDC__ +# undef _INCLUDE__STDC__ +# endif # endif #endif From djm at mindrot.org Tue Sep 21 09:38:05 2004 From: djm at mindrot.org (Damien Miller) Date: Tue, 21 Sep 2004 09:38:05 +1000 Subject: patch: openssh 3.9p1 on hp-ux 10.20 In-Reply-To: <20040917141837.GE2042@eeg.ccf.org> References: <20040917141837.GE2042@eeg.ccf.org> Message-ID: <414F69DD.30001@mindrot.org> Greg Wooledge wrote: > OpenSSH 3.9p1 does not compile on HP-UX 10.20 due to the code which was > added in includes.h to work around HP-UX 11.11's behavior. The following > patch lets it work on HP-UX 10.20. It should also work on HP-UX 11.11, > but I can't test that (no HP-UX 11 boxes here). This is what is in my tree at the moment (attached). -d -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: hpux.diff Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040921/91da5f94/attachment.ksh From vwaltersjr at bell.co.za Tue Sep 21 13:33:44 2004 From: vwaltersjr at bell.co.za (Valarie Walters) Date: Mon, 20 Sep 2004 23:33:44 -0400 Subject: We sell regalis for an affordable price Message-ID: <606601c49f8b$2456768b$09b2a014@aasenbygg.no> Hi, Regalis, also known as Superviagra or Cialis - half a pill Lasts all weekend - Has less sideeffects - Has higher success rate Now you can buy Regalis, for over 70% cheaper than the equivilent brand for sale in US We ship world wide, and no prescription is required!! Even if you're not impotent, Regalis will increase size, pleasure and power! Try it today you wont regret! Get it here: http://inc-cheap.com/sup/ Best regards, Jeremy Stones No thanks: http://inc-cheap.com/rm.html From varivan at yahoo.com Tue Sep 21 14:46:27 2004 From: varivan at yahoo.com (Arivan Varadarajan) Date: Tue, 21 Sep 2004 05:46:27 +0100 (BST) Subject: SFTP is prompting for password Message-ID: <20040921044627.83720.qmail@web20025.mail.yahoo.com> Hi, I am facing a problem in migrating to SFTP from FTP for an unix based application. I have got 2 m/c, SRC (Source) m/c and TRG (Target) m/c. For SFTP connectivity, I created a Public-Key (ssh-keygen -t dsa) in src_usr1(user-id) at SRC m/c . Which created the necessary identification file (id_dsa & id_dsa.pub) andthen, I copied the id_dsa.pub into the file authorized_keys in trg_usr1(user-id) at TRG m/c. And also placed it in the "$HOME/.ssh" path. Now, I tried connecting from SRC m/c to TRG m/c with SFTP, SRC (src_usr1)> sftp trg_usr1 at TRG Connecting to TRG... SFTP> It connected without asking password. As I expected. Fine, Now I did the same process(source m/c is same, but target m/c TRG2 is different), and the user is trg_usr2(user-id) at TRG2 m/c . Also placed the same authorized_keys in $HOME/.ssh path of trg_usr2. This time, when I connected using SFTP , SRC (src_usr1)> sftp trg_usr2 at TRG2 Connecting to TRG2... trg_usr2 at TRG2's password: It is asking for password. Why it is asking for password? What is the problem I am facing and how to solve this?? Here is the OpenSSH version. ------------------------------------------- 1. [SRC m/c] $ ssh -V OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f ---> Local 2. [TRG]>ssh -V OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f ---> Remote --> Not connecting 3. [TRG2]>ssh -V OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f ---> Remote --> connecting Also the sftp debug seen below, ******************************************************************************************************************************** sftp -vvv redbrick at ctss91.sgp.xxx.com Connecting to ctss91.sgp.xxx.com... debug: SSH args "ssh -oProtocol=2 -l redbrick -v -v -v ctss91.sgp.xxx.com -s sftp" OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f debug1: Reading configuration data /home/guest/odyssey/.ssh/config debug1: Applying options for * debug1: Reading configuration data /etc/ssh_config debug1: Applying options for * debug1: Seeding random number generator debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: restore_uid debug1: ssh_connect: getuid 101 geteuid 0 anon 1 debug1: Connecting to ctss91.sgp.xxx.com [15.66.153.91] port 22. debug1: temporarily_use_uid: 101/101 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 101/101 (e=0) debug1: restore_uid debug1: Connection established. debug1: read PEM private key done: type DSA debug1: identity file /home/guest/odyssey/.ssh/identity type 0 debug3: No RSA1 key file /home/guest/odyssey/.ssh/id_dsa. debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: no key found debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: no key found debug1: identity file /home/guest/odyssey/.ssh/id_dsa type 2 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2 debug1: match: OpenSSH_3.6.1p2 pat ^OpenSSH Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_2.9p1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: zlib debug2: kex_parse_kexinit: zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit:hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit:hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 zlib debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 zlib debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 123/256 debug1: bits set: 1611/3191 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /home/guest/odyssey/.ssh/known_hosts2 debug3: check_host_in_hostfile: match line 3 debug3: check_host_in_hostfile: filename /home/guest/odyssey/.ssh/known_hosts2 debug3: check_host_in_hostfile: match line 3 debug1: Host 'ctss91.sgp.xxx.com' is known and matches the DSA host key. debug1: Found key in /home/guest/odyssey/.ssh/known_hosts2:3 debug1: bits set: 1556/3191 debug1: len 55 datafellows 0 debug1: ssh_dss_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: Enabling compression at level 6. debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password debug3: start over, passed a different list publickey,password debug3: preferred publickey,password,keyboard-interactive debug3: authmethod_lookup publickey debug3: remaining preferred: password,keyboard-interactive debug3: authmethod_is_enabled publickey debug1: next auth method to try is publickey debug1: try pubkey: /home/guest/odyssey/.ssh/id_dsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: authentications that can continue: publickey,password debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: keyboard-interactive debug3: authmethod_is_enabled password debug1: next auth method to try is password redbrick at ctss91.sgp.xxx.com's password: debug2: packet_inject_ignore: current 53 debug2: packet_inject_ignore: block 16 have 4 nb 4 mini 1 need 4 debug2: we sent a password packet, wait for reply debug1: authentications that can continue: publickey,password Permission denied, please try again. redbrick at ctss91.sgp.xxx.com's password: debug2: packet_inject_ignore: current 53 debug2: packet_inject_ignore: block 16 have 4 nb 4 mini 1 need 4 debug2: we sent a password packet, wait for reply debug1: authentications that can continue: publickey,password Permission denied, please try again. redbrick at ctss91.sgp.xxx.com's password: debug2: packet_inject_ignore: current 53 debug2: packet_inject_ignore: block 16 have 4 nb 4 mini 1 need 4 debug2: we sent a password packet, wait for reply debug1: authentications that can continue: publickey,password debug2: we did not send a packet, disable method debug1: no more auth methods to try Permission denied (publickey,password). debug1: Calling cleanup 0x4000d44a(0x0) debug1: compress outgoing: raw data 852, compressed 722, factor 0.85 debug1: compress incoming: raw data 137, compressed 65, factor 0.47 Couldn't read packet: Error 0 ******************************************************************************************************************************** Can you people help me on this, Thanks in advance, Regards, Arivan. ________________________________________________________________________ Yahoo! India Matrimony: Find your life partner online Go to: http://yahoo.shaadi.com/india-matrimony From bob at proulx.com Tue Sep 21 14:49:33 2004 From: bob at proulx.com (Bob Proulx) Date: Mon, 20 Sep 2004 22:49:33 -0600 Subject: SSH - tool In-Reply-To: <424417354C1F154183185F598EEE064018E34C@tlvmail7.corp.amdocs.com> References: <424417354C1F154183185F598EEE064018E34C@tlvmail7.corp.amdocs.com> Message-ID: <20040921044933.GA11075@misery.proulx.com> Roni Karpachevsky wrote: > I have a few question about the ssh definition : > [...] > The information contained in this message is proprietary of Amdocs, > protected from disclosure, and may be privileged. Posting with those restrictions limit people's ability to respond to you. How can anyone help you and still comply with your requirements? It would be better if you used an account without such restrictions. Bob From wooledg at eeg.ccf.org Tue Sep 21 22:00:40 2004 From: wooledg at eeg.ccf.org (Greg Wooledge) Date: Tue, 21 Sep 2004 08:00:40 -0400 Subject: patch: openssh 3.9p1 on hp-ux 10.20 In-Reply-To: <414F69DD.30001@mindrot.org> References: <20040917141837.GE2042@eeg.ccf.org> <414F69DD.30001@mindrot.org> Message-ID: <20040921120040.GH2042@eeg.ccf.org> On Tue, Sep 21, 2004 at 09:38:05AM +1000, Damien Miller wrote: > This is what is in my tree at the moment (attached). Works for me. HP-UX 10.20 with gcc 3.2.2. > Index: includes.h > =================================================================== > RCS file: /var/cvs/openssh/includes.h,v > retrieving revision 1.72 > diff -u -r1.72 includes.h > --- includes.h 14 Aug 2004 14:01:48 -0000 1.72 > +++ includes.h 20 Sep 2004 23:33:23 -0000 > @@ -185,7 +185,7 @@ > * On HP-UX 11.11, shadow.h and prot.h provide conflicting declarations > * of getspnam when _INCLUDE__STDC__ is defined, so we unset it here. > */ > -#ifdef __hpux > +#if defined(__hpux) && defined(HAVE_SECUREWARE) > # ifdef _INCLUDE__STDC__ > # undef _INCLUDE__STDC__ > # endif From ivalindsayxp at webnock.de Wed Sep 22 16:57:38 2004 From: ivalindsayxp at webnock.de (Iva Lindsay) Date: Wed, 22 Sep 2004 06:57:38 +0000 Subject: Get great prices on medications Message-ID: <1cf801c4a071$64d739cf$3e740644@hasa.co.uk> From A.D.Elwell at dl.ac.uk Wed Sep 22 17:28:39 2004 From: A.D.Elwell at dl.ac.uk (Elwell, AD (Andrew)) Date: Wed, 22 Sep 2004 08:28:39 +0100 Subject: X11 problems on AIX (OpenSSH_3.7.1p2-pwexp24) Message-ID: Hi folks, I've got a problem with X11 forwarding on an AIX 5.2 system thats stumped me. I've installed the same patched + compiled installp package on all our aix boxes but one of them won't play ball with X11 ssh -X -v -v user at host gives (grepped out X11 looking lines) debug2: we sent a password packet, wait for reply debug1: Authentication succeeded (password). debug1: channel 0: new [client-session] debug2: channel 0: send open debug1: Entering interactive session. debug2: callback start debug2: ssh_session2_setup: id 0 debug2: channel 0: request pty-req debug2: x11_get_proto: /usr/bin/X11/xauth list :0.0 . 2>/dev/null debug1: Requesting X11 forwarding with authentication spoofing. debug2: channel 0: request x11-req debug2: channel 0: request shell debug2: fd 3 setting TCP_NODELAY debug2: callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug2: channel 0: rcvd adjust 131072 ... MOTD displayed OK $> xclock debug1: client_input_channel_open: ctype x11 rchan 2 win 65536 max 16384 debug1: client_request_x11: request from 127.0.0.1 33027 debug2: fd 7 setting O_NONBLOCK debug2: fd 7 is O_NONBLOCK debug1: channel 1: new [x11] debug1: confirm x11 debug2: X11 connection uses different authentication protocol. X11 connection rejected because of wrong authentication. debug2: X11 rejected 1 i0/o0 debug2: channel 1: read failed debug2: channel 1: close_read debug2: channel 1: input open -> drain debug2: channel 1: ibuf empty debug2: channel 1: send eof debug2: channel 1: input drain -> closed debug2: channel 1: write failed debug2: channel 1: close_write debug2: channel 1: output open -> closed debug2: X11 closed 1 i3/o3 debug2: channel 1: send close debug2: channel 1: rcvd close debug2: channel 1: is dead debug2: channel 1: garbage collecting debug1: channel 1: free: x11, nchannels 2 X connection to localhost:12.0 broken (explicit kill or server shutdown). $> xauth list 1356-364 xauth: creating new authority file /hpcx/home/z002/z002/ade45/.Xauthority $> xauth list 1356-364 xauth: creating new authority file /hpcx/home/z002/z002/ade45/.Xauthority $> which xauth /usr/bin/X11/xauth $> lslpp -w /usr/lpp/X11/bin/xauth File Fileset Type ---------------------------------------------------------------------------- /usr/lpp/X11/bin/xauth X11.apps.config File $> lslpp -L X11.apps.config Fileset Level State Type Description (Uninstaller) ---------------------------------------------------------------------------- X11.apps.config 5.2.0.0 C F AIXwindows Configuration Applications I'm tempted to point my finger of blame at xauth as it doesn't seem to create an xauth entry for my login session on this host. (the others are fine) The one difference between this and all the others though is this host has an X display running locally (the others are p690 LPARS) Should I try and put a wrapper round xauth to see if it at least gets called? or am I looking in the wrong place? Many thanks (oh, and the reason I'm not on 3.8.1p is because with Darren Tuckers patches the users get notification that their password will expire (even if they choose to ignore it...)) Andrew From dtucker at zip.com.au Thu Sep 23 09:25:45 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 23 Sep 2004 09:25:45 +1000 Subject: X11 problems on AIX (OpenSSH_3.7.1p2-pwexp24) In-Reply-To: References: Message-ID: <415209F9.6050607@zip.com.au> Elwell, AD (Andrew) wrote: > I've got a problem with X11 forwarding on an AIX 5.2 system thats stumped > me. [...] > I'm tempted to point my finger of blame at xauth as it doesn't seem to > create an xauth > entry for my login session on this host. (the others are fine) I suspect xauth can't create the .Xauthority file for some reason (perms?). Try truss'ing xauth (yes, 5.2 has truss!) [...] > (oh, and the reason I'm not on 3.8.1p is because with Darren Tuckers patches > the users get notification that their password will expire (even if they > choose to ignore it...)) I said I'd forward-port that part to post-3.8 (just a patch, it's unlikely ever be in the main tree) but I haven't been bugged too much about it :-) -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From A.D.Elwell at dl.ac.uk Thu Sep 23 00:22:06 2004 From: A.D.Elwell at dl.ac.uk (Elwell, AD (Andrew)) Date: Wed, 22 Sep 2004 15:22:06 +0100 Subject: X11 problems on AIX (OpenSSH_3.7.1p2-pwexp24) Message-ID: Answering my own posts... After much swearing and trussing I figured out the problem - we have an sshrc that checks which users are allowed on and gives them the "kill -9" treatment if they're not supposed to be logged on. moving it out the way made X11 work again, looks like i'll need to make it a bit cleaner at what stage is sshrc called re privsep and xauth setup? Many thanks Andrew From varivan at yahoo.com Tue Sep 21 14:46:27 2004 From: varivan at yahoo.com (Arivan Varadarajan) Date: Tue, 21 Sep 2004 05:46:27 +0100 (BST) Subject: SFTP is prompting for password Message-ID: <20040921044627.83720.qmail@web20025.mail.yahoo.com> Hi, I am facing a problem in migrating to SFTP from FTP for an unix based application. I have got 2 m/c, SRC (Source) m/c and TRG (Target) m/c. For SFTP connectivity, I created a Public-Key (ssh-keygen -t dsa) in src_usr1(user-id) at SRC m/c . Which created the necessary identification file (id_dsa & id_dsa.pub) andthen, I copied the id_dsa.pub into the file authorized_keys in trg_usr1(user-id) at TRG m/c. And also placed it in the "$HOME/.ssh" path. Now, I tried connecting from SRC m/c to TRG m/c with SFTP, SRC (src_usr1)> sftp trg_usr1 at TRG Connecting to TRG... SFTP> It connected without asking password. As I expected. Fine, Now I did the same process(source m/c is same, but target m/c TRG2 is different), and the user is trg_usr2(user-id) at TRG2 m/c . Also placed the same authorized_keys in $HOME/.ssh path of trg_usr2. This time, when I connected using SFTP , SRC (src_usr1)> sftp trg_usr2 at TRG2 Connecting to TRG2... trg_usr2 at TRG2's password: It is asking for password. Why it is asking for password? What is the problem I am facing and how to solve this?? Here is the OpenSSH version. ------------------------------------------- 1. [SRC m/c] $ ssh -V OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f ---> Local 2. [TRG]>ssh -V OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f ---> Remote --> Not connecting 3. [TRG2]>ssh -V OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f ---> Remote --> connecting Also the sftp debug seen below, ******************************************************************************************************************************** sftp -vvv redbrick at ctss91.sgp.xxx.com Connecting to ctss91.sgp.xxx.com... debug: SSH args "ssh -oProtocol=2 -l redbrick -v -v -v ctss91.sgp.xxx.com -s sftp" OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f debug1: Reading configuration data /home/guest/odyssey/.ssh/config debug1: Applying options for * debug1: Reading configuration data /etc/ssh_config debug1: Applying options for * debug1: Seeding random number generator debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: restore_uid debug1: ssh_connect: getuid 101 geteuid 0 anon 1 debug1: Connecting to ctss91.sgp.xxx.com [15.66.153.91] port 22. debug1: temporarily_use_uid: 101/101 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 101/101 (e=0) debug1: restore_uid debug1: Connection established. debug1: read PEM private key done: type DSA debug1: identity file /home/guest/odyssey/.ssh/identity type 0 debug3: No RSA1 key file /home/guest/odyssey/.ssh/id_dsa. debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: no key found debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: no key found debug1: identity file /home/guest/odyssey/.ssh/id_dsa type 2 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2 debug1: match: OpenSSH_3.6.1p2 pat ^OpenSSH Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_2.9p1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: zlib debug2: kex_parse_kexinit: zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit:hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit:hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 zlib debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 zlib debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 123/256 debug1: bits set: 1611/3191 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /home/guest/odyssey/.ssh/known_hosts2 debug3: check_host_in_hostfile: match line 3 debug3: check_host_in_hostfile: filename /home/guest/odyssey/.ssh/known_hosts2 debug3: check_host_in_hostfile: match line 3 debug1: Host 'ctss91.sgp.xxx.com' is known and matches the DSA host key. debug1: Found key in /home/guest/odyssey/.ssh/known_hosts2:3 debug1: bits set: 1556/3191 debug1: len 55 datafellows 0 debug1: ssh_dss_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: Enabling compression at level 6. debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password debug3: start over, passed a different list publickey,password debug3: preferred publickey,password,keyboard-interactive debug3: authmethod_lookup publickey debug3: remaining preferred: password,keyboard-interactive debug3: authmethod_is_enabled publickey debug1: next auth method to try is publickey debug1: try pubkey: /home/guest/odyssey/.ssh/id_dsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: authentications that can continue: publickey,password debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: keyboard-interactive debug3: authmethod_is_enabled password debug1: next auth method to try is password redbrick at ctss91.sgp.xxx.com's password: debug2: packet_inject_ignore: current 53 debug2: packet_inject_ignore: block 16 have 4 nb 4 mini 1 need 4 debug2: we sent a password packet, wait for reply debug1: authentications that can continue: publickey,password Permission denied, please try again. redbrick at ctss91.sgp.xxx.com's password: debug2: packet_inject_ignore: current 53 debug2: packet_inject_ignore: block 16 have 4 nb 4 mini 1 need 4 debug2: we sent a password packet, wait for reply debug1: authentications that can continue: publickey,password Permission denied, please try again. redbrick at ctss91.sgp.xxx.com's password: debug2: packet_inject_ignore: current 53 debug2: packet_inject_ignore: block 16 have 4 nb 4 mini 1 need 4 debug2: we sent a password packet, wait for reply debug1: authentications that can continue: publickey,password debug2: we did not send a packet, disable method debug1: no more auth methods to try Permission denied (publickey,password). debug1: Calling cleanup 0x4000d44a(0x0) debug1: compress outgoing: raw data 852, compressed 722, factor 0.85 debug1: compress incoming: raw data 137, compressed 65, factor 0.47 Couldn't read packet: Error 0 ******************************************************************************************************************************** Can you people help me on this, Thanks in advance, Regards, Arivan. ________________________________________________________________________ Yahoo! India Matrimony: Find your life partner online Go to: http://yahoo.shaadi.com/india-matrimony From alex.jacinto at ps.ge.com Thu Sep 23 04:19:50 2004 From: alex.jacinto at ps.ge.com (Jacinto, Alex G (GE Energy)) Date: Wed, 22 Sep 2004 14:19:50 -0400 Subject: login message Message-ID: <65823E0D78FCD411BACA00508BE3A9180F8558D2@nyschx20psge.sch.ge.com> I'm trying to use sftp and the openssh FAQ suggest that it is not possible to do this if the shell initialization produces output for non-interactive session and to try ssh yourhost /bin/true in order to test it. I did the following command and the following message came out of my terminal: shell-init: could not get current directory: getcwd: cannot access parent directories: No such file or directory Does ssh trying to access something? I don't have anything in my .profile and no .*rc files. Thanks in advance. From mouring at etoh.eviladmin.org Thu Sep 23 04:35:22 2004 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 22 Sep 2004 13:35:22 -0500 (CDT) Subject: login message In-Reply-To: <65823E0D78FCD411BACA00508BE3A9180F8558D2@nyschx20psge.sch.ge.com> Message-ID: On Wed, 22 Sep 2004, Jacinto, Alex G (GE Energy) wrote: > > I'm trying to use sftp and the openssh FAQ suggest that it is not possible > to do this if the shell initialization produces output for non-interactive > session and to try ssh yourhost /bin/true in order to test it. > > I did the following command and the following message came out of my > terminal: > > shell-init: could not get current directory: getcwd: cannot access parent > directories: No such file or directory > Is this coming from the shell you are running properly? Looks like there is a problem with the HOME directory. - Ben From vinschen at redhat.com Thu Sep 23 04:36:16 2004 From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 22 Sep 2004 20:36:16 +0200 Subject: [PATCH] permanently_set_uid: Don't try restoring gid on Cygwin Message-ID: <20040922183616.GI17670@cygbert.vinschen.de> Hi, the below patch solves the same problem for gids as has already been solved for uids. Windows has no concept of permanently changing the identity. It's always possible to revert to the original identity. Thanks, Corinna Index: uidswap.c =================================================================== RCS file: /cvs/openssh_cvs/uidswap.c,v retrieving revision 1.44 diff -p -u -r1.44 uidswap.c --- uidswap.c 24 Feb 2004 02:17:30 -0000 1.44 +++ uidswap.c 22 Sep 2004 18:17:44 -0000 @@ -200,10 +200,12 @@ permanently_set_uid(struct passwd *pw) fatal("setuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); #endif +#ifndef HAVE_CYGWIN /* Try restoration of GID if changed (test clearing of saved gid) */ if (old_gid != pw->pw_gid && (setgid(old_gid) != -1 || setegid(old_gid) != -1)) fatal("%s: was able to restore old [e]gid", __func__); +#endif /* Verify GID drop was successful */ if (getgid() != pw->pw_gid || getegid() != pw->pw_gid) { -- Corinna Vinschen Cygwin Project Co-Leader Red Hat, Inc. From alex.jacinto at ps.ge.com Thu Sep 23 04:40:30 2004 From: alex.jacinto at ps.ge.com (Jacinto, Alex G (GE Energy)) Date: Wed, 22 Sep 2004 14:40:30 -0400 Subject: login message Message-ID: <65823E0D78FCD411BACA00508BE3A9180F8559A1@nyschx20psge.sch.ge.com> > I did the following command and the following message came out of my > terminal: > > shell-init: could not get current directory: getcwd: cannot access parent > directories: No such file or directory > Is this coming from the shell you are running properly? Looks like there is a problem with the HOME directory. - Ben I can successfully login and the error message will come up before the motd and the prompt. What sort of problem will there be in HOME directory? From jerj at coplanar.net Thu Sep 23 05:10:18 2004 From: jerj at coplanar.net (Jeremy Jackson) Date: Wed, 22 Sep 2004 15:10:18 -0400 Subject: restricting non-pty cmds with passwd auth Message-ID: <4151CE1A.9010904@coplanar.net> Hi, I'm looking for a way to force users to use a pty and their login shell. They have a .profile that forces them to use a specific application. They are currently logging in with telnetd, so this is effective. I want to move to openssh, but this would allow "ssh user at host /bin/sh" and any other commands they can think of to bypass this restriction. Is there a way to make openssh as restrictive at the current environment? -- Jeremy Jackson Coplanar Networks (519)897-1516 http://www.coplanar.net From djm at mindrot.org Tue Sep 21 09:38:05 2004 From: djm at mindrot.org (Damien Miller) Date: Tue, 21 Sep 2004 09:38:05 +1000 Subject: patch: openssh 3.9p1 on hp-ux 10.20 In-Reply-To: <20040917141837.GE2042@eeg.ccf.org> References: <20040917141837.GE2042@eeg.ccf.org> Message-ID: <414F69DD.30001@mindrot.org> Greg Wooledge wrote: > OpenSSH 3.9p1 does not compile on HP-UX 10.20 due to the code which was > added in includes.h to work around HP-UX 11.11's behavior. The following > patch lets it work on HP-UX 10.20. It should also work on HP-UX 11.11, > but I can't test that (no HP-UX 11 boxes here). This is what is in my tree at the moment (attached). -d -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: hpux.diff Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040921/91da5f94/attachment-0001.ksh From jerj at coplanar.net Thu Sep 23 07:08:22 2004 From: jerj at coplanar.net (Jeremy Jackson) Date: Wed, 22 Sep 2004 17:08:22 -0400 Subject: sshd umask settings vs security Message-ID: <4151E9C6.90203@coplanar.net> Will setting the umask that sshd inherits cause any security issues? It would be nice to be able to set this in a system-wide fashion, rather than in .login etc. I'm thinking of Debian, where the setting is per-shell because nobody seems to have thought of doing this. Cheers, Jeremy -- Jeremy Jackson Coplanar Networks (519)897-1516 http://www.coplanar.net From bob at jasomi.com Thu Sep 23 07:27:38 2004 From: bob at jasomi.com (Bob Bramwell) Date: Wed, 22 Sep 2004 15:27:38 -0600 Subject: SSHD with PAM question Message-ID: <4151EE4A.2010900@jasomi.com> Greetings All, I am trying to get sshd to authenticate using PAM in a situation where there is no password entry (as found by getpwent et. al.) for a user. Setting: AllowUsers * UsePAM yes causes the right PAM stuff to be invoked, but as soon as the PAM module tries to have a conversation with the (illegal) user (in order to get the password) sshd throws out the authentication context. Is this necessary? Or is it just that no one in their right mind ought to be trying to do this anyway? If I have done my homework correctly: - a user is "illegal" if getpwnamallow says so - this will happen, in particular, if getpwnam returns NULL - an "illegal" user results in a non-valid authctxt - MUCH later, when the PAM auth module is running, it calls back into the sshd function input_userauth_info_response as part of the attempt to get a password from the user - input_userauth_info_response will only invoke the kbdinitctxt->device->response function if the authctxt is valid - at this point, since the whole process stalls out, the "next" auth method is tried, and the PAM context is destroyed. If one were to fix input_userauth_info_response to be a little more forgiving would that cause any grief, open any security holes, or whatever? Would anyone like to suggest a suitable approach to a fix? Does this sound like a good idea? Constructive criticism appreciated. Cheers, Bob. -- Bob Bramwell Jasomi Networks (Canada) | This space Ph: 403 269 2938 x155 #310 602 11th Ave SW | intentionally FX: 403 269 2993 Calgary, AB, T2R 1J8 | left blank. From mouring at etoh.eviladmin.org Thu Sep 23 07:48:19 2004 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 22 Sep 2004 16:48:19 -0500 (CDT) Subject: SSHD with PAM question In-Reply-To: <4151EE4A.2010900@jasomi.com> Message-ID: On Wed, 22 Sep 2004, Bob Bramwell wrote: > Greetings All, > > I am trying to get sshd to authenticate using PAM in a situation where there is > no password entry (as found by getpwent et. al.) for a user. Setting: ^^^^^^^^^^^^^^^^^^^^^^^^^ If getpwent() doesn't find a user.. Then you can forget about using that user. [..] > > If one were to fix input_userauth_info_response to be a little more forgiving > would that cause any grief, open any security holes, or whatever? >Would anyone > like to suggest a suitable approach to a fix? Does this sound like a > good idea? > The correct fix is to teach your NSS code to look in the same place your PAM code is looking. That way "getpwent" and friends return real information. - Ben From stuge-openssh-unix-dev at cdy.org Thu Sep 23 11:37:49 2004 From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Thu, 23 Sep 2004 03:37:49 +0200 Subject: restricting non-pty cmds with passwd auth In-Reply-To: <4151CE1A.9010904@coplanar.net> References: <4151CE1A.9010904@coplanar.net> Message-ID: <20040923013749.GA12857@foo.birdnet.se> On Wed, Sep 22, 2004 at 03:10:18PM -0400, Jeremy Jackson wrote: > Is there a way to make openssh as restrictive at the current > environment? Give users keys for authentication, allow no other authentication method and use command= in .ssh/authorized_keys. See AUTHORIZED_KEYS FILE FORMAT in sshd(8) //Peter From carson at taltos.org Thu Sep 23 16:24:09 2004 From: carson at taltos.org (Carson Gaspar) Date: Thu, 23 Sep 2004 02:24:09 -0400 Subject: restricting non-pty cmds with passwd auth In-Reply-To: <20040923013749.GA12857@foo.birdnet.se> References: <4151CE1A.9010904@coplanar.net> <20040923013749.GA12857@foo.birdnet.se> Message-ID: <29E48296E49643049BC7CA7F@[192.168.21.2]> --On Thursday, September 23, 2004 3:37 AM +0200 Peter Stuge wrote: > On Wed, Sep 22, 2004 at 03:10:18PM -0400, Jeremy Jackson wrote: >> Is there a way to make openssh as restrictive at the current >> environment? > > Give users keys for authentication, allow no other authentication > method and use command= in .ssh/authorized_keys. > > See AUTHORIZED_KEYS FILE FORMAT in sshd(8) In other words, no. The current openssh tree only allows command restrictions when using publickey auth. It wouldn't be hard to patch it to support command restrictions with other auth types, but it hasn't been done (AFAIK). -- Carson From djm at mindrot.org Thu Sep 23 16:30:57 2004 From: djm at mindrot.org (Damien Miller) Date: Thu, 23 Sep 2004 16:30:57 +1000 Subject: restricting non-pty cmds with passwd auth In-Reply-To: <4151CE1A.9010904@coplanar.net> References: <4151CE1A.9010904@coplanar.net> Message-ID: <41526DA1.3040704@mindrot.org> Jeremy Jackson wrote: > Hi, > > I'm looking for a way to force users to use a pty and their login shell. > They have a .profile that forces them to use a specific application. > They are currently logging in with telnetd, so this is effective. I > want to move to openssh, but this would allow "ssh user at host /bin/sh" > and any other commands they can think of to bypass this restriction. > > Is there a way to make openssh as restrictive at the current environment? You can make the forced command the user's shell, or use a custom restricted shell like rssh. -d From djm at mindrot.org Thu Sep 23 17:25:07 2004 From: djm at mindrot.org (Damien Miller) Date: Thu, 23 Sep 2004 17:25:07 +1000 Subject: sshd umask settings vs security In-Reply-To: <4151E9C6.90203@coplanar.net> References: <4151E9C6.90203@coplanar.net> Message-ID: <41527A53.5060700@mindrot.org> Jeremy Jackson wrote: > Will setting the umask that sshd inherits cause any security issues? It > would be nice to be able to set this in a system-wide fashion, rather > than in .login etc. If the umask is more restrictive than the default then no. If the umask is less restrictive than the default and sshd creates files with restrictive permissions, then that is a bug in sshd. > I'm thinking of Debian, where the setting is per-shell because nobody > seems to have thought of doing this. /etc/bashrc ? -d From jerj at coplanar.net Fri Sep 24 00:13:48 2004 From: jerj at coplanar.net (Jeremy Jackson) Date: Thu, 23 Sep 2004 10:13:48 -0400 Subject: restricting non-pty cmds with passwd auth In-Reply-To: <41526DA1.3040704@mindrot.org> References: <4151CE1A.9010904@coplanar.net> <41526DA1.3040704@mindrot.org> Message-ID: <4152DA1C.1010709@coplanar.net> I thought forced commands were only available when using public key authentication? This environment uses passwords. I'm aware of rssh, I was hoping there was something built in to Openssh. Thanks, Jeremy Damien Miller wrote: > Jeremy Jackson wrote: > >>Hi, >> >>I'm looking for a way to force users to use a pty and their login shell. >> They have a .profile that forces them to use a specific application. >>They are currently logging in with telnetd, so this is effective. I >>want to move to openssh, but this would allow "ssh user at host /bin/sh" >>and any other commands they can think of to bypass this restriction. >> >>Is there a way to make openssh as restrictive at the current environment? > > > You can make the forced command the user's shell, or use a custom > restricted shell like rssh. > > -d From guyverdh at mchsi.com Fri Sep 24 00:38:45 2004 From: guyverdh at mchsi.com (guyverdh at mchsi.com) Date: Thu, 23 Sep 2004 14:38:45 +0000 Subject: SFTP is prompting for password Message-ID: <092320041438.7856.7d04@mchsi.com> Couple of things to check. #1 - settings in sshd_config file on remote server that you are connecting to with sftp. make certain that the appropriate authentication method is enabled. if using RSA key, set RSAAuthentication yes (otherwise set to no) if using DSA key, set PubKeyAuthentication yes (in previous versions, you could also set DSAAuthentication yes to get the same effect) #2 - permissions of home directory for userid logging in as. I'm not 100% certain what the exact restrictions are supposed to be, however, I typically set the home directory of the user to 750 (rwxr-x---), and then set the .ssh directory under the users home directory to 700 (rwx------). Also, make certain that the permissions on the authorized_keys or authorized_keys2 file (depending on which is configured in your sshd_config file), is set to 600 as well (rw-------). Making these changes as needed should make it possible for you to use public key authentication. Hope this helps. From deengert at anl.gov Fri Sep 24 00:40:53 2004 From: deengert at anl.gov (Douglas E. Engert) Date: Thu, 23 Sep 2004 09:40:53 -0500 Subject: SSHD with PAM question In-Reply-To: References: Message-ID: <4152E075.8060708@anl.gov> Ben Lindstrom wrote: > > On Wed, 22 Sep 2004, Bob Bramwell wrote: > > >>Greetings All, >> >>I am trying to get sshd to authenticate using PAM in a situation where there is >>no password entry (as found by getpwent et. al.) for a user. Setting: > > ^^^^^^^^^^^^^^^^^^^^^^^^^ > If getpwent() doesn't find a user.. Then you can forget about using that > user. But one of the features of PAM it that the PAM module can change the user. An example of one of these is with Kerberos where the user enters a principal name user at realm, and PAM can use the krb5_aname_to_localname to determine what is the local username. But sshd does the getpwnamallow before any of the auth methods, so even if ssh was passed -l user at realm, it would never call the PAM module. Thus all Kerberos uses must be in the default realm. In effect sshd is doing the authorization check before the authentication. Is there any reason that the getpwnameallow has to be called so early, rather then after the authmethods? There is also an information leak (i.e. descovery of existance of a local acount) if the check is done before the authentication and used to shorten any of the authmethods. > > [..] > >>If one were to fix input_userauth_info_response to be a little more forgiving >>would that cause any grief, open any security holes, or whatever? >>Would anyone >>like to suggest a suitable approach to a fix? Does this sound like a >>good idea? >> > > > The correct fix is to teach your NSS code to look in the same place your > PAM code is looking. That way "getpwent" and friends return real > information. > > - Ben > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From jerj at coplanar.net Fri Sep 24 02:15:32 2004 From: jerj at coplanar.net (Jeremy Jackson) Date: Thu, 23 Sep 2004 12:15:32 -0400 Subject: sshd umask settings vs security In-Reply-To: <41527A53.5060700@mindrot.org> References: <4151E9C6.90203@coplanar.net> <41527A53.5060700@mindrot.org> Message-ID: <4152F6A4.6010709@coplanar.net> Damien Miller wrote: > Jeremy Jackson wrote: > >>Will setting the umask that sshd inherits cause any security issues? It >>would be nice to be able to set this in a system-wide fashion, rather >>than in .login etc. > > > If the umask is more restrictive than the default then no. If the > umask is less restrictive than the default and sshd creates files > with restrictive permissions, then that is a bug in sshd. Of course. I guess I'm asking if anyone has tried this, so I have some idea if it is reliable, or if I'm the first guy, and I will find the bugs ;-{ I'm really concerned if a more permissive umask will cause any files created internally by sshd to be insecure. > > >>I'm thinking of Debian, where the setting is per-shell because nobody >>seems to have thought of doing this. > > > /etc/bashrc ? I should have been more clear, that's what we have already. What if they aren't using bash? I want to set the umask in one place, regardless of what shell they are using. That's why I asked the question. Thanks for the reply, Jeremy From bob at proulx.com Fri Sep 24 02:20:31 2004 From: bob at proulx.com (Bob Proulx) Date: Thu, 23 Sep 2004 10:20:31 -0600 Subject: sshd umask settings vs security In-Reply-To: <41527A53.5060700@mindrot.org> References: <4151E9C6.90203@coplanar.net> <41527A53.5060700@mindrot.org> Message-ID: <20040923162031.GA15096@misery.proulx.com> Damien Miller wrote: > Jeremy Jackson wrote: > > I'm thinking of Debian, where the setting is per-shell because nobody > > seems to have thought of doing this. > > /etc/bashrc ? I am thinking /etc/profile is more appropriate. Sourcing /etc/bashrc is optional. Bob From guyverdh at mchsi.com Fri Sep 24 02:44:32 2004 From: guyverdh at mchsi.com (guyverdh at mchsi.com) Date: Thu, 23 Sep 2004 16:44:32 +0000 Subject: restricting non-pty cmds with passwd auth Message-ID: <092320041644.22150.4c67@mchsi.com> Couple of things you could try from the source side. #1 rename the ssh binary, and replace with a shell script. Allow it to parse parameters. Parameters starting with a "-" minus sign are added to a variable, then the first non "-" parameter is taken as well and added to said variable. Then execute the renamed ssh binary with the variable contents used as parameters. ------------- while [ ${#} -gt 0 ] do case ${1} in -*) varParams=${varParams}" ${1}" && shift 1;; *) varParams=$(varParams)" ${1}" && shift ${#};; esac done /usr/local/bin/ssh.cmd ${varParams} ------------- Second, make an ssh alias for the user's profile, that only accepts one parameter. alias ssh=/usr/local/bin/ssh ${1} From bob at jasomi.com Fri Sep 24 04:50:32 2004 From: bob at jasomi.com (Bob Bramwell) Date: Thu, 23 Sep 2004 12:50:32 -0600 Subject: SSHD with PAM question Message-ID: <41531AF8.6020209@jasomi.com> OK, I'll buy that. However, fixing getpwent may not be practical on a system where I would like this to work, so I guess I have to do it right, or not do it. Which brings up another question: if I can't do anything useful when getpwent() doesn't find the user in question, why doesn't sshd simply abandon all attempts at authentication at that point? Perhaps it should, in which case I would not be tempted even to try. It seems pointless to invoke the PAM module and then prohibit it from talking to the user. Tnx, Bob. > Date: Wed, 22 Sep 2004 16:48:19 -0500 (CDT) > From: Ben Lindstrom > Subject: Re: SSHD with PAM question > On Wed, 22 Sep 2004, Bob Bramwell wrote: > >>> Greetings All, >>> >>> I am trying to get sshd to authenticate using PAM in a situation where there is >>> no password entry (as found by getpwent et. al.) for a user. Setting: > ^^^^^^^^^^^^^^^^^^^^^^^^^ > If getpwent() doesn't find a user.. Then you can forget about using that > user. > ... > The correct fix is to teach your NSS code to look in the same place your > PAM code is looking. That way "getpwent" and friends return real > information. > > - Ben -- Bob Bramwell Jasomi Networks (Canada) | This space Ph: 403 269 2938 x155 #310 602 11th Ave SW | intentionally FX: 403 269 2993 Calgary, AB, T2R 1J8 | left blank. From Jefferson.Ogata at noaa.gov Thu Sep 23 06:26:40 2004 From: Jefferson.Ogata at noaa.gov (Jefferson Ogata) Date: Wed, 22 Sep 2004 16:26:40 -0400 Subject: restricting non-pty cmds with passwd auth In-Reply-To: <4151CE1A.9010904@coplanar.net> References: <4151CE1A.9010904@coplanar.net> Message-ID: <4151E000.2070000@noaa.gov> Jeremy Jackson wrote: > I'm looking for a way to force users to use a pty and their login shell. > They have a .profile that forces them to use a specific application. > They are currently logging in with telnetd, so this is effective. I > want to move to openssh, but this would allow "ssh user at host /bin/sh" > and any other commands they can think of to bypass this restriction. > > Is there a way to make openssh as restrictive at the current environment? If you are using pubkey authentication you can use the cmd= option in the user's authorized_keys file. -- Jefferson Ogata NOAA Computer Incident Response Team (N-CIRT) From mouring at etoh.eviladmin.org Fri Sep 24 06:11:25 2004 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 23 Sep 2004 15:11:25 -0500 (CDT) Subject: SSHD with PAM question In-Reply-To: <41531AF8.6020209@jasomi.com> Message-ID: On Thu, 23 Sep 2004, Bob Bramwell wrote: > OK, I'll buy that. However, fixing getpwent may not be practical on a system > where I would like this to work, so I guess I have to do it right, or not do it. > Which brings up another question: if I can't do anything useful when > getpwent() doesn't find the user in question, why doesn't sshd simply abandon > all attempts at authentication at that point? Perhaps it should, in which case By abandoning the attempt too soon you give away to timing attacks. Where you know if the user does exist it takes an average of X seconds, and if you abandon things too quickly the results are less then X seconds then you can safely bet the account doesn't exist and therefor should move on to the next fake user name. As for getpwent() and friends. As stated there should be a NSS support do such things. Why PAM group hasn't built in NSS support so that it can be consist accross the board in how it replies to applications has always been beyond me. - Ben From djm at mindrot.org Fri Sep 24 12:00:16 2004 From: djm at mindrot.org (Damien Miller) Date: Fri, 24 Sep 2004 12:00:16 +1000 Subject: SSHD with PAM question In-Reply-To: <4152E075.8060708@anl.gov> References: <4152E075.8060708@anl.gov> Message-ID: <41537FB0.8070601@mindrot.org> Douglas E. Engert wrote: > But one of the features of PAM it that the PAM module can change the user. I think that this is a bogus misfeature of PAM. One of the only parts of the PAM spec that I agree with is where it states that it isn't a replacement for NSS. Beyond the above, other reasons why we don't support this: - It uglifies and complexifies the code, which would have to cope with the username changing partway through authentication. - By deciding early that a given username is invalid, we can prevent bogus junk from reaching authentication code (especially dodgy PAM libs/modules) > There is also an information leak (i.e. descovery of existance of a local > acount) if the check is done before the authentication and used to shorten > any of the authmethods. We are quite careful to avoid this, we try to go through all the motions of authentication when we are presented with an invalid user (using sanitised data) -d From vmcWilliamsmp at esteem.co.uk Fri Sep 24 21:14:29 2004 From: vmcWilliamsmp at esteem.co.uk (Vivian McWilliams) Date: Fri, 24 Sep 2004 19:14:29 +0800 Subject: We sell regalis for an affordable price Message-ID: <8cc401c4a227$219891c5$d11863a4@kueching.de> Hi, Regalis, also known as Superviagra or Cialis - half a pill Lasts all weekend - Has less sideeffects - Has higher success rate Now you can buy Regalis, for over 70% cheaper than the equivilent brand for sale in US We ship world wide, and no prescription is required!! Even if you're not impotent, Regalis will increase size, pleasure and power! Try it today you wont regret! Get it here: http://888-luvu.com/sup/ Best regards, Jeremy Stones No thanks: http://888-luvu.com/rm.html From mollietrottergw at zz9.biz Sat Sep 25 00:38:01 2004 From: mollietrottergw at zz9.biz (Mollie Trotter) Date: Fri, 24 Sep 2004 21:38:01 +0700 Subject: =?iso-8859-1?q?Get_v=ECagra_for_a_great_price=2E?= Message-ID: Hi, We have a new offer for you. Buy cheap V?agra through our online store. - Private online ordering - No prescription required - World wide shipping Order your drugs offshore and save over 70%! Click here: http://888-luvu.com/meds/ Best regards, Donald Cunfingham No thanks: http://888-luvu.com/rm.html From deengert at anl.gov Sat Sep 25 01:34:50 2004 From: deengert at anl.gov (Douglas E. Engert) Date: Fri, 24 Sep 2004 10:34:50 -0500 Subject: SSHD with PAM question In-Reply-To: <41537FB0.8070601@mindrot.org> References: <4152E075.8060708@anl.gov> <41537FB0.8070601@mindrot.org> Message-ID: <41543E9A.8040004@anl.gov> Damien Miller wrote: > Douglas E. Engert wrote: > >>But one of the features of PAM it that the PAM module can change the user. > > > I think that this is a bogus misfeature of PAM. One of the only parts of > the PAM spec that I agree with is where it states that it isn't a > replacement for NSS. I don't think that was its intention. It believe it was intened to be used to get the username if one was not already known, then pass it back to the application or other PAM routines who would still use NSS. But the ssh protocol has already passed in the local user name. So in the Kerberos PAM case where user at realm is needed and user != local user name it might be possible to prompt for the user at realm in addition to the password, ugly but do able. But this discussion does bring up a point. The user must supply the local user name to be used on the remote machine even if there is a way to derive a default local user name from the credentials being used to authenticate. krb5_aname_to_localname or the Globus GSI gridmap routines can do this. So not only could the Kerberos PAM auth method benifit from allowing the auth_method to change the user, the gssapi could too. > > > > -d > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From sunmedia at cj9.so-net.ne.jp Sat Sep 25 03:30:18 2004 From: sunmedia at cj9.so-net.ne.jp (=?ISO-2022-JP?B?GyRCM3Q8MDJxPFIlNSVzJWElRyUjJSIbKEI=?=) Date: Sat, 25 Sep 2004 02:30:18 +0900 Subject: =?iso-2022-jp?b?GyRCTCQ+NUJ6OS05cCIoGyhCIBskQjNKMEIhKkVFT0MbKEI=?= =?iso-2022-jp?b?GyRCMkNGfjgiSE5HZCF1OWIyQUdjPGgbKEI=?= Message-ID: <20040924181917984.00000.63.sunmedia@K-WAKAMI.mail.cj9.so-net.ne.jp> ??????????????????????? ????????????????????????????????? ???????????????????? ??????????????????????? ?????????????????? ????????????????? ?????????? ????????5-28-28 042-708-0888 ????????????????? ?????????????????????? ???????????????????????? ???????????????????????????????????? ???????????????????????????? sunmedia at cj9.so-net.ne.jp ???????????????????????????????? ??? ??????????????? ??? ?????????????????????????/???? ??? ???????????????????????????????? ????????????????,????????????????? ????????????????????????????????? ???????????????????????????????? ?????????????????????????????????????????????? ???????????????????????????????? ??? ??????????????????? ? ???????????????????? ????? ? ??????? ???????????????????????? ? ?????,??? ???????????????? ? ???,??? ???????????? ???????????? ??http://www.sun-media.co.jp/personal/personal_01.html ???????????????????????????? ??????????????????????? ???????????? ???????????,???? ??http://www.sun-media.co.jp/ ???????????????????????????? ???????????????????? ???????????????????????????????????? ?----------------------------------------------------? ??????????? ?????????5-28-28 ?TEL 042-708-0888 ?FAX 042-708-0887 ?E-mail?mail at sun-media.co.jp ?http://www.sun-media.co.jp/ ??? 10:00?18:00 ???? ?----------------------------------------------------? From dco at bresnan.net Fri Sep 24 12:21:59 2004 From: dco at bresnan.net (dco at bresnan.net) Date: Thu, 23 Sep 2004 20:21:59 -0600 Subject: UDP ports Message-ID: <20040924022159.AED8119166F@postfix.bresnan.net> Why doesn't SSH allow forwarding of UDP ports? From dtucker at zip.com.au Sat Sep 25 11:34:12 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 25 Sep 2004 11:34:12 +1000 Subject: UDP ports In-Reply-To: <20040924022159.AED8119166F@postfix.bresnan.net> References: <20040924022159.AED8119166F@postfix.bresnan.net> Message-ID: <4154CB14.5050407@zip.com.au> dco at bresnan.net wrote: > Why doesn't SSH allow forwarding of UDP ports? Because it's not part of the SSH{1,2} protocol standards. It would be possible to do it as a SSH2 vendor extension but that would require the extension to be supported on both client and server, and it would not be trivial to implement. Also, much UDP traffic tends to be time-sensitive, and SSH has a very high overhead compared to UDP. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dco at bresnan.net Sat Sep 25 11:58:56 2004 From: dco at bresnan.net (dco at bresnan.net) Date: Fri, 24 Sep 2004 19:58:56 -0600 Subject: UDP ports In-Reply-To: Your message of "Sat, 25 Sep 2004 11:34:12 +1000." <4154CB14.5050407@zip.com.au> Message-ID: <20040925015856.C5ABC1ADA72@postfix.bresnan.net> [] dco at bresnan.net wrote: [] > Why doesn't SSH allow forwarding of UDP ports? [] [] Because it's not part of the SSH{1,2} protocol standards. It would be [] possible to do it as a SSH2 vendor extension but that would require the [] extension to be supported on both client and server, and it would not be [] trivial to implement. [] [] Also, much UDP traffic tends to be time-sensitive, and SSH has a very [] high overhead compared to UDP. Thanks for the explanation. My question arose because Apple's Remote Desktop uses UDP (well, a combination of UDP and TCP) and a colleague needed to securely tunnel it into his client site. He typically uses SSH for other access to the client. We'll end up setting a VPN tunnel but that seems overkill. I vote to amend the standard to allow UPD port forwarding. :-) From msmall at arrow.lz.att.com Tue Sep 28 06:34:55 2004 From: msmall at arrow.lz.att.com (Morgan Small) Date: Mon, 27 Sep 2004 16:34:55 -0400 Subject: Sending passphrase w/o keyboard interaction Message-ID: <03a901c4a4d1$73a9bb40$73ee5b87@ugd.att.com> I have an account where I have DSA key setup with a passphrase. I am trying to write a script to ssh over to another Unix server, without having to type in the passphrase and have ssh read the passphrase from either a file or pass it in from the command line. Is there a way to do something like this? I know that we can it so I don't need to enter a passphrase but we don't want to do that. Any help would be appreciated. Thanks Morgan From djm at mindrot.org Tue Sep 28 10:25:02 2004 From: djm at mindrot.org (Damien Miller) Date: Tue, 28 Sep 2004 10:25:02 +1000 Subject: Sending passphrase w/o keyboard interaction In-Reply-To: <03a901c4a4d1$73a9bb40$73ee5b87@ugd.att.com> References: <03a901c4a4d1$73a9bb40$73ee5b87@ugd.att.com> Message-ID: <4158AF5E.6090403@mindrot.org> Morgan Small wrote: > I have an account where I have DSA key setup with a passphrase. I am trying > to write a script to ssh over to another Unix server, without having to type > in the passphrase and have ssh read the passphrase from either a file or > pass it in from the command line. Is there a way to do something like this? > I know that we can it so I don't need to enter a passphrase but we don't > want to do that. You could use ssh-agent, which will allow you to enter the passphrase once per system boot. If you don't want to do this, then you might as well make a passphraseless key, because you will need to store the passphrase someone on the system anyway. If you still want to do this, you could feed a key into the agent by providing a ssh-askpass that just echos the passphrase to stdout and doing something like: SSH_ASKPASS=/path/to/script_which_echoes_passphrase DISPLAY=foo \ ssh-add /path/to/key The OpenSSH project turns five years old ---------------------------------------- Five years ago, in late September 1999, the OpenSSH project was started. It began with an audit, cleanup and update of the last free version of Tatu Ylonen's legacy ssh-1.2.12 code. The project quickly gathered pace, attracting a portability effort and, in early 2000, an independent implementation of version 2 of the SSH protocol. Since then, OpenSSH has led in the implementation of proactive security techniques such as privilege separation & auto-reexecution. The free software community were rapid adopters of OpenSSH, with most free operating systems shipping OpenSSH within its first year of existence. Over the last five years OpenSSH has become the most widely used SSH protocol implementation (by a large margin) and has been included in products from major vendors including IBM, Apple, HP, Sun, Cisco and NetScreen. Today, OpenSSH runs on everything from mobile phones to Cray supercomputers. In providing a free, popular and easy to use secure login and command execution protocol OpenSSH has been instrumental in speeding the deprecation of insecure protocols like telnet and rlogin. The OpenSSH team would like to thank all those who have supported the project over the last five years, including individuals and vendors who have donated funds or hardware. An extra special thanks to those who have reported bugs or sent patches to the project. OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Ben Lindstrom, Darren Tucker and Tim Rice. http://www.openssh.com/ From stroudld at indosat.net.id Wed Sep 29 15:44:44 2004 From: stroudld at indosat.net.id (Alonzo Stroud) Date: Wed, 29 Sep 2004 06:44:44 +0100 Subject: Vardenafil, the newest anti impotence drug, as seen on tv Message-ID: <199501c4a5e7$f4b4e70e$8d779775@fincoil.fi> Hello, Buy Generic Levitra at the lowest prices you will find on the Internet! Vardenafil the active ingredient in Levitra is the newest anti impotence drug available, and is proven to have a higher success rate, and less sideeffects than viagra. - Private online ordering - No prescription required - World wide shipping Order your drugs offshore and save 60%-90%! Read more here: http://ca-t.com/lev/?levi Best regards, Ron Stevens No thanks: http://ca-t.com/rm.html From rold5 at cs.net.pl Wed Sep 29 21:50:35 2004 From: rold5 at cs.net.pl (rold5 at cs.net.pl) Date: Wed, 29 Sep 2004 11:50:35 +0000 Subject: Software In-Reply-To: <5EJDJ3D2A1J0B4J7@mindrot.org> References: <5EJDJ3D2A1J0B4J7@mindrot.org> Message-ID: <602H7B4G7J944BG9@cs.net.pl> Norton Internet Security Pro 2004 - 40.00 Microsoft Office 2003 Professional Edition - 110.00 3D Home Architect Landscape Design Deluxe 6.0 - 29.99 Corel Draw Graphics Suite 11 - 120.00 Microsoft Money 2004 Standard - 20.00 Corel Draw Graphics Suite 11 - 120.00 Easy CD & DVD Creator 6 - 29.99 Adobe InCopy CS - 60.00 Symantec pcANYWHERE 11.0 - 80.00 Quark Express 6.0 - 60.00 Visual Studio.Net Enterprise Architecht - 200.00 Microsoft Windows 2000 Professional - 50.00 McAfee Personal Firewall Plus 2004 v. 5.0 - 20.00 Microsoft Windows XP Professional with SP2 - 50.00 and more http://www.hotoem.info/ From openssh at nwgeeks.com Thu Sep 30 03:05:19 2004 From: openssh at nwgeeks.com (Healy) Date: Wed, 29 Sep 2004 17:05:19 +0000 Subject: IPv6 + user@ipaddress Message-ID: <20040929170519.8B0AE131D0@gonk.nwgeeks.com> Using: Solaris 8.0 OpenSSH OpenSSH_3.8p1 I believe I may have found a bug when dealing with restricting user at ipv6address in cases when adjacent colons do not expand to multiple fields. For example: If I have any of the following entries in sshd_config, it will let me in: user at 1234:0234:0234:0000:0234:1234:1234:1234 user at 1234:234:234:0000:234:1234:1234:1234 user at 1234:234:234:0:234:1234:1234:1234 However, if I reduce the address as much as possible, to the below entry it will reject my login attempt: user at 1234:234:234::234:1234:1234:1234 This only appears to happen on addresses where seven of the eight octets have something besides zero in them. In this case, the system logs will show refused entry if the adress is written with :: instead of :0: Note: this does NOT happen if the colons expand to multiple fields. For example, any of the following notations for the same address will let me into the box: user at 1234:0234:0000:0000:0234:1234:1234:1234 user at 1234:0234:0:0:0234:1234:1234:1234 user at 1234:234:0:0:234:1234:1234:1234 user at 1234:234::234:1234:1234:1234 I checked the archives, bugzilla and release notes and did not see mention of this. If it's a known issue, I apologize for the waste of time. -Healy From waspswarm at gmail.com Thu Sep 30 04:22:28 2004 From: waspswarm at gmail.com (scott rankin) Date: Wed, 29 Sep 2004 11:22:28 -0700 Subject: X11 Forwarding troubles with OpenSSH client and OpenVMS host Message-ID: <489b43e204092911227fbe3f27@mail.gmail.com> Hello, I searched through the mailing list archives here, at securityfocus.com, at HP and google and have come up dry. Sorry in advance if my search was not complete enough or I missed something but I sure as heck didn't see anything. ENV: Slackware 10 w/ ssh (SSH-2.0-OpenSSH_3.8.1p1) connecting to an alpha with OpenVMS 7.3-2 w/ sshd (Remote protocol version 2.0, remote software version 2.4.1 SSH Secure Shell OpenVMS V1.0) I have also tried using the 3.9p1 ssh client in cygwin and it fails in the same manner. The problem I am seeing is that when issued as a remote command over X11 forwarding, I get an X Toolkit Error: Can't Open display. If I just connect with X11 forwarding enabled, get an interactive shell and then run the X client, it displays back. $ ssh -X BOZO at vmshost BOZO at vmshost's password: Welcome to OpenVMS (TM) Alpha Operating System, Version V7.3-2 Hello BOZO Welcome to vmshost vmshost_[BOZO]> run sys$system:decw$clock Works great and I get a clock. $ ssh -X BOZO at vmshost 'run sys$system:decw$clock' BOZO at vmshost's password: X Toolkit Error: Can't Open display %DWT-F-NOMSG, Message number 03AB8204 I initially tried forcing tty allocation. $ ssh -X -t BOZO at vmshost 'run sys$system:decw$clock' No help. Same error failure. I turned on some more verbosity in the SSH client and notice a couple differences. In the successful case, ... debug1: Requesting X11 forwarding with authentication spoofing. debug2: channel 0: request x11-req confirm 0 debug2: client_session2_setup: id 0 debug2: channel 0: request pty-req confirm 0 [trim tty_make_modes] debug2: channel 0: request shell confirm 0 debug2: fd 3 setting TCP_NODELAY debug2: callback done debug2: channel 0: open confirm rwindow 10000 rmax 16384 Welcome to OpenVMS (TM) Alpha Operating System, Version V7.3-2 Hello BOZO Welcome to vmshost vmshost_[BOZO]> run sys$system:decw$clock debug1: client_input_channel_open: ctype x11 rchan 1 win 30000 max 1024 debug1: client_request_x11: request from 192.168.21.33 51560 debug2: fd 7 setting TCP_NODELAY debug2: fd 7 setting O_NONBLOCK debug3: fd 7 is O_NONBLOCK debug1: channel 1: new [x11] debug1: confirm x11 debug1: client_input_channel_open: ctype x11 rchan 2 win 30000 max 1024 debug1: client_request_x11: request from 192.168.21.33 51561 debug2: fd 8 setting TCP_NODELAY debug2: fd 8 setting O_NONBLOCK debug3: fd 8 is O_NONBLOCK debug1: channel 2: new [x11] debug1: confirm x11 However in the failing case (with or without forcing a tty allocation) I see, debug1: Requesting X11 forwarding with authentication spoofing. debug2: channel 0: request x11-req confirm 0 debug2: client_session2_setup: id 0 debug1: Sending command: run sys$system:decw$clock debug2: channel 0: request exec confirm 0 debug2: fd 3 setting TCP_NODELAY debug2: callback done debug2: channel 0: open confirm rwindow 10000 rmax 32768 debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 debug2: channel 0: rcvd close debug2: channel 0: output open -> drain debug2: channel 0: close_read debug2: channel 0: input open -> closed debug3: channel 0: will not send data after close %DWT-F-NOMSG, Message number 03AB8204 debug3: channel 0: will not send data after close debug2: channel 0: obuf empty debug2: channel 0: close_write debug2: channel 0: output drain -> closed debug2: channel 0: almost dead debug2: channel 0: gc: notify user debug2: channel 0: gc: user detached debug2: channel 0: send close debug2: channel 0: is dead debug2: channel 0: garbage collecting debug1: channel 0: free: client-session, nchannels 1 debug3: channel 0: status: The following connections are open: #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1) debug3: channel 0: close_fds r -1 w -1 e 6 c -1 debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.6 seconds debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0 debug1: Exit status 0 It's like the exec request is not being handled properly (in the failing case)? Or perhaps the new channel request is not happening? Or the proxy $DISPLAY equivalent handled by sshd on the VMS box isn't setup? Does anyone know if this works (i.e. running a remote command over SSH without an interactive shell) or does OpenVMS require an interactive shell in order to run a remote command over SSH? I am not that saavy on OpenVMS enough to know the best way to troubleshoot. As a test I modifyied ssh_session2_setup() in ssh.c to force requesting a shell before and after (in addtion to issuing) the exec request to no avail. Any thoughts or suggestions greatly appreciated. cheers, scott rankin From ChadE.Smith at acxiom.com Thu Sep 30 07:11:06 2004 From: ChadE.Smith at acxiom.com (Smith Chad - chasmi) Date: Wed, 29 Sep 2004 16:11:06 -0500 Subject: openssh problem on AIX 5.2-ML4 Message-ID: Using the following flags: CFLAGS=-q64 OBJECT_MODE=64 The following installed successfully: zlib.1.2.1 openssl-0.9.7d. Trying to install openssh-3.9p1. The configure and make complete successfully, but the make install is hanging on: Generating public/private rsa1 key pair. Any suggestions? Thanks, Chad Smith UNIX Systems Engineer ACXIOM Corp. Work: 501.342.0041 Fax: 501.342.0123 ChadE.Smith at acxiom.com ********************************************************************** The information contained in this communication is confidential, is intended only for the use of the recipient named above, and may be legally privileged. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please re-send this communication to the sender and delete the original message or any copy of it from your computer system. Thank You. From dtucker at zip.com.au Thu Sep 30 08:03:23 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 30 Sep 2004 08:03:23 +1000 Subject: openssh problem on AIX 5.2-ML4 In-Reply-To: References: Message-ID: <415B312B.8060604@zip.com.au> Smith Chad - chasmi wrote: [...] > The information contained in this communication is > confidential, is intended only for the use of the recipient > named above [...] Please don't post confidential information to the public mailing list. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From pkruger at speeduneed.com Thu Sep 30 09:44:30 2004 From: pkruger at speeduneed.com (Paul Kruger) Date: Wed, 29 Sep 2004 16:44:30 -0700 Subject: Can anyone help enabling ssh in foxfire... like konqueror Message-ID: <415B48DE.4020706@speeduneed.com> https://bugzilla.mozilla.org/show_bug.cgi?id=261479 above is a link to a feature request for the foxfire/mozilla browser... I asked them to add support for doing ssh and sftp file transfers in the browser window but they dont think ssh or sftp is important... sort of acted as if they were too lazy or couldnt do it because it was alot of work... I am hoping that the developers who are more involved with ssh could mabye help these guys out or write an extention for the browser to support these protocals... Thanks email me at pkruger at speeduneed.com if you can help From djm at mindrot.org Thu Sep 30 09:52:15 2004 From: djm at mindrot.org (Damien Miller) Date: Thu, 30 Sep 2004 09:52:15 +1000 Subject: Can anyone help enabling ssh in foxfire... like konqueror In-Reply-To: <415B48DE.4020706@speeduneed.com> References: <415B48DE.4020706@speeduneed.com> Message-ID: <415B4AAF.8050607@mindrot.org> Paul Kruger wrote: > https://bugzilla.mozilla.org/show_bug.cgi?id=261479 I agree with what the Mozilla developers said - ssh/sftp support is best provided via an extension. > above is a link to a feature request for the foxfire/mozilla browser... > I asked them to add support for doing ssh and sftp file transfers in the > browser window > but they dont think ssh or sftp is important... sort of acted as if they > were too lazy or You won't win any support by calling developers lazy. From mouring at etoh.eviladmin.org Thu Sep 30 10:51:28 2004 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 29 Sep 2004 19:51:28 -0500 (CDT) Subject: Can anyone help enabling ssh in foxfire... like konqueror In-Reply-To: <415B48DE.4020706@speeduneed.com> Message-ID: On Wed, 29 Sep 2004, Paul Kruger wrote: > https://bugzilla.mozilla.org/show_bug.cgi?id=261479 > > above is a link to a feature request for the foxfire/mozilla browser... > I asked them to add support for doing ssh and sftp file transfers in the > browser window > but they dont think ssh or sftp is important... sort of acted as if they > were too lazy or > couldnt do it because it was alot of work... > I am hoping that the developers who are more involved with ssh could > mabye help these guys out > or write an extention for the browser to support these protocals... > ] do you use a 3rd party ftp client so that foxfire can implement ftp? ] http, https, ftp, sftp, ssh, and smb - should all work in any browser ] window. Comparing ftp to sftp is rather unfair. ftp protocol for all its stupid design flaws is 1000x easier to implement right than sftp + subset of the underlying ssh protocol. For do note you need to do *BOTH* in order to have a working sftp. As for fish:// you need even more of an underlying ssh support (Frankly, fish:// should die a horrible death, IMNSHO). I think Darin is right that relying on the Gnome VFS, KDE Message API or even Microsoft's own Explorer Shell support for implementing more advanged integration features makes more sense. You can't seriously think Mozilla group can mantain a full samba port, ssh port, etc. - Ben From dtucker at zip.com.au Thu Sep 30 16:52:54 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 30 Sep 2004 16:52:54 +1000 Subject: X11 Forwarding troubles with OpenSSH client and OpenVMS host In-Reply-To: <489b43e204092911227fbe3f27@mail.gmail.com> References: <489b43e204092911227fbe3f27@mail.gmail.com> Message-ID: <415BAD46.5060802@zip.com.au> scott rankin wrote: [about a problem w/ssh + OpenVMS] > The problem I am seeing is that when issued as a remote command over > X11 forwarding, I get an X Toolkit Error: Can't Open display. If I > just connect with X11 forwarding enabled, get an interactive shell and > then run the X client, it displays back. I suspect your VMS system's SSH server does not pass $DISPLAY or (its equivalent) to the commands run non-interactively. Try the VMS equivalent of "ssh yourhost 'echo $DISPLAY'" ("SHOW DISPLAY" ?) to display the variables and compare it with the same command run in an interactive session. Not much to suggest other than talking to the vendor of that software... -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From alain.morel at ig-edu.univ-paris13.fr Thu Sep 30 19:56:50 2004 From: alain.morel at ig-edu.univ-paris13.fr (alain.morel at ig-edu.univ-paris13.fr) Date: Thu, 30 Sep 2004 11:56:50 +0200 Subject: warning configure openssh-3.9p1 Message-ID: <1096538210.415bd86210a63@webmail.ig-edu.univ-paris13.fr> OS : solaris8 with update patches Station : Sparc Ultra5 device /dev/random installed openssl version : openssl-0.9.7d openssh version : openssh-3.9p1 My configuration : ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-tcp-wrappers --with-privsep-user=sshd40 --with-ssl-dir=/usr/lib I have the following warning lines : configure: WARNING: sys/ptms.h: present but cannot be compiled configure: WARNING: sys/ptms.h: check for missing prerequisite headers? configure: WARNING: sys/ptms.h: see the Autoconf documentation configure: WARNING: sys/ptms.h: section "Present But Cannot Be Compiled" configure: WARNING: sys/ptms.h: proceeding with the preprocessor's result configure: WARNING: sys/ptms.h: in the future, the compiler will take precedence configure: WARNING: ## ------------------------------------------ ## configure: WARNING: ## Report this to the AC_PACKAGE_NAME lists. ## configure: WARNING: ## ------------------------------------------ ## What can I do ? Thank you for a response Thanh you also to openssh team. Sincerly yours Alain MOREL Universite Paris13 Institut Galilee - SERCAL 99 Avenue Jean-Baptiste Clement 93430 Villetaneuse Tel : 33 1 49 40 36 19 From dtucker at zip.com.au Thu Sep 30 20:12:41 2004 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 30 Sep 2004 20:12:41 +1000 Subject: warning configure openssh-3.9p1 In-Reply-To: <1096538210.415bd86210a63@webmail.ig-edu.univ-paris13.fr> References: <1096538210.415bd86210a63@webmail.ig-edu.univ-paris13.fr> Message-ID: <415BDC19.8040806@zip.com.au> alain.morel at ig-edu.univ-paris13.fr wrote: [...] > configure: WARNING: sys/ptms.h: present but cannot be compiled > configure: WARNING: sys/ptms.h: check for missing prerequisite headers? > configure: WARNING: sys/ptms.h: see the Autoconf documentation > configure: WARNING: sys/ptms.h: section "Present But Cannot Be Compiled" > configure: WARNING: sys/ptms.h: proceeding with the preprocessor's result > configure: WARNING: sys/ptms.h: in the future, the compiler will take > precedence > configure: WARNING: ## ------------------------------------------ ## > configure: WARNING: ## Report this to the AC_PACKAGE_NAME lists. ## > configure: WARNING: ## ------------------------------------------ ## > > What can I do ? It's a harmless warning which has already been fixed in the development versions, so try a snapshot or wait for the next release. ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/ -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dnsykes_gl at abril.com.br Thu Sep 30 22:08:11 2004 From: dnsykes_gl at abril.com.br (Dianne N. Sykes) Date: Thu, 30 Sep 2004 15:08:11 +0300 Subject: Get discount drugs without prescription Message-ID: <1d2801c4a6e6$7e148502$b5d54b7c@tbc.co.uk> Discount generic drugs. save over 70% todays specials, Viagra, retails for $15, we sell for 3!!! Prozac, retails for $6, we sell for $1.50!! - Private Online ordering! - World wide shipping! - No Prescription required!! Check it out: http://888-luvu.com/?index No thanks: http://888-luvu.com/rm.html