From imorgan at nas.nasa.gov Fri Apr 1 06:42:24 2005
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Thu, 31 Mar 2005 12:42:24 -0800 (PST)
Subject: X11 forwarding and session multiplexing
Message-ID: <200503312042.j2VKgPYf021252@sun601.nas.nasa.gov>

Hi,

A user has noticed that X11 forwarding does not appear to work when using session
multiplexing. It seems that the DISPLAY environment variable is not getting
set in the slave sessions.

Any thoughts? The ~/.ssh/config is below.

Host somehost-master
    ControlMaster yes
    ControlPath ~/.ssh/somehost.sock
    HostbasedAuthentication no
    HostName somehost

Host somehost-slave
    ControlPath ~/.ssh/somehost.sock

Host *
    Ciphers blowfish-cbc,aes128-cbc
    ForwardAgent no
    ForwardX11 yes
    ServerAliveInterval 300

-- 
Iain Morgan

From ed.white at libero.it Fri Apr 1 08:09:09 2005
From: ed.white at libero.it (Ed White)
Date: Fri, 1 Apr 2005 00:09:09 +0200
Subject: forwarding data ?
Message-ID: <200504010009.09410.ed.white@libero.it>

> I guess you could say that, but I would rather say that you're trying
> to use a tool for a task that it wasn't designed to perform.

I don't think so. I think OpenSSH should provide a simple feature like this
one. A simple encrypted proxy.

ssh binds to localhost 31337 and when you connect to that port, it starts a
connection to your server's sshd. That's it. So you could do this

$ telnet localhost 31337

instead of

$ ssh server

> You could try running faucet[1] with the script on the server to turn
> it into a TCP service and then use regular port forwarding to reach it.

Thanks, faucet did the trick. However I'm using it on the client side, not on
the server.

From markus at openbsd.org Fri Apr 1 17:08:29 2005
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 1 Apr 2005 09:08:29 +0200
Subject: X11 forwarding and session multiplexing
In-Reply-To: <200503312042.j2VKgPYf021252@sun601.nas.nasa.gov>
References: <200503312042.j2VKgPYf021252@sun601.nas.nasa.gov>
Message-ID: <20050401070828.GB13634@folly>

it's not implemented.

On Thu, Mar 31, 2005 at 12:42:24PM -0800, Iain Morgan wrote:
> Hi,
>
> A user has noticed that X11 forwarding does not appear to work when using session
> multiplexing. It seems that the DISPLAY environment variable is not getting
> set in the slave sessions.
>
> Any thoughts? The ~/.ssh/config is below.
>
> Host somehost-master
>     ControlMaster yes
>     ControlPath ~/.ssh/somehost.sock
>     HostbasedAuthentication no
>     HostName somehost
>
> Host somehost-slave
>     ControlPath ~/.ssh/somehost.sock
>
> Host *
>     Ciphers blowfish-cbc,aes128-cbc
>     ForwardAgent no
>     ForwardX11 yes
>     ServerAliveInterval 300
>
> -- 
> Iain Morgan
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From bob at proulx.com Sat Apr 2 11:19:42 2005
From: bob at proulx.com (Bob Proulx)
Date: Fri, 1 Apr 2005 18:19:42 -0700
Subject: SSH known host file should store port as well as host
In-Reply-To: <424BA70C.1000502@zip.com.au>
References: <2763cb2d05033016003dbdad37@mail.gmail.com> <424BA70C.1000502@zip.com.au>
Message-ID: <20050402011942.GA11140@dementia.proulx.com>

Darren Tucker wrote:
> maximander wrote:
> > Hello all, I just discovered that the known hosts file seems to only
> > store the server fingerprints for distinct *hostnames/IPs*, not
> > hostnames/IPs and ports, meaning I can't ssh to multiple boxes on
> > the same host even if they have different ports. Every client other
> > than the one shipped with openSSH seems to work fine, presumably
> > because they store fingerprints by host:port combinations rather than
> > only by host. Would it be possible to modify the openSSH client to
> > also store fingerprints by distinct host *and* port?
>
> See http://bugzilla.mindrot.org/show_bug.cgi?id=454
>
> In the mean time, check out the CheckHostIP and HostKeyAlias options in
> the ssh_config(5) man page.

To give a concrete example for the original poster. I have a similar
situation and use the following stanza.

Host foo
    CheckHostIP no
    Port 2020
    HostName bar.local.net
    HostKeyAlias foo.example.com

Bob

From djm at mindrot.org Sat Apr 2 20:09:13 2005
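Added example, not OpenSSH's code and not part of Bob's reply: a minimal known_hosts lookup that shows why two servers on different ports of the same host collide, and how HostKeyAlias sidesteps that by changing the name ssh looks up. The file format assumed is the one ssh(1) documents (hostnames, key type, base64 key, optional comment; hostnames comma-separated, each a plain name, an IP, a glob, or a hashed `|1|salt|hmac` field as written by HashKnownHosts). The sample file content and key strings are constructed placeholders; negated `!pattern` hostnames are not handled.

```python
# Added example (not OpenSSH's code): known_hosts lookup keyed on host name only.
# Format assumed from ssh(1): "hostnames keytype base64key [comment]", hostnames
# comma-separated; a hostname may be plain, an IP, a glob, or hashed as
# "|1|<b64 salt>|<b64 HMAC-SHA1(salt, name)>". Negated patterns are not handled.
import base64
import fnmatch
import hashlib
import hmac
import os

# Constructed sample file; the key material is placeholder text, not real keys.
SAMPLE_KNOWN_HOSTS = """\
# entries as written by a client that records the name but not the port
bar.local.net ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAplaceholderkeyone
foo.example.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAplaceholderkeytwo
*.corp.example,10.1.2.3 ssh-dss AAAAB3NzaC1kc3MAAAACAQplaceholderkeythree
"""


def parse_known_hosts(text):
    """Return a list of (hostname_patterns, keytype, base64key) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: ssh logs and skips it
        entries.append((fields[0].split(","), fields[1], fields[2]))
    return entries


def hash_hostname(name, salt=None):
    """Build a HashKnownHosts-style hostname field (salt: 20 random bytes)."""
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, name.encode("utf-8"), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode("ascii"),
                         base64.b64encode(mac).decode("ascii"))


def hostname_matches(pattern, name):
    """Match one hostname field against the name being looked up."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        want = base64.b64decode(mac_b64)
        got = hmac.new(salt, name.encode("utf-8"), hashlib.sha1).digest()
        return hmac.compare_digest(want, got)
    # Plain names and globs; host names are compared case-insensitively.
    return fnmatch.fnmatchcase(name.lower(), pattern.lower())


def lookup(entries, name):
    """First (keytype, key) whose hostname list matches name, else None."""
    for patterns, keytype, key in entries:
        if any(hostname_matches(p, name) for p in patterns):
            return keytype, key
    return None


def lookup_for_config(entries, hostname, port=22, host_key_alias=None):
    """The name ssh looks up is HostKeyAlias when set, otherwise the host name.
    The port is accepted only to make the point: it plays no part in the lookup,
    so two servers on different ports of one host share a single entry."""
    return lookup(entries, host_key_alias or hostname)
```

With Bob's stanza, `lookup_for_config(entries, "bar.local.net", 2020, host_key_alias="foo.example.com")` returns the `foo.example.com` entry, while the same host on port 22 without the alias returns the `bar.local.net` entry; the two keys no longer fight over one line. `CheckHostIP no` matters here because otherwise ssh also looks up the resolved IP, which both servers share.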
From: djm at mindrot.org (Damien Miller)
Date: Sat, 02 Apr 2005 20:09:13 +1000
Subject: name pollution
In-Reply-To: <424B2EF4.90501@geocities.com>
References: <424B2EF4.90501@geocities.com>
Message-ID: <424E6F49.9060308@mindrot.org>

Peter Quiring wrote:
> I've finally got SSH compiling for me, but there are a few filenames
> that conflict with other projects out there (zlib, etc.) and I'm unable
> to create a monolithic library with SSH without renaming some files.
> Could you prefix "ssh" to the following files in the next release of
> OpenSSH. Thanks.
>
> crc32,buffer,compress,base64(openbsd file).

We won't rename these - to do so would obfuscate a lot of CVS history and
make it difficult to find changes with "cvs diff". Perhaps you should just
adjust your build scripts to do the renames for you.

-d

From borisvab at gmx.de Sat Apr 2 23:47:50 2005
From: borisvab at gmx.de (Boris von Alten Blaskowitz)
Date: Sat, 02 Apr 2005 15:47:50 +0200
Subject: OpenSSH and Smartcard
Message-ID: <424EA286.2070002@gmx.de>

Hi,

I am not sure if this is the right place for the question. Sorry if not ...

My System:
SuSE 9.2
OpenSSH 3.9p1

I have trouble using a Smartcard with openssh. If I try to connect
directly to the Smartcard, it fails:

ssh -I 0:45 localhost

card-etoken.c:175:etoken_check_sw: required access right not granted
card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
card-etoken.c:175:etoken_check_sw: required access right not granted
card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
card-etoken.c:175:etoken_check_sw: required access right not granted
card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
sec.c:53:sc_compute_signature: returning with: Security status not satisfied
pkcs15-sec.c:285:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied
sc_pkcs15_compute_signature() failed: Security status not satisfied
ssh_rsa_sign: RSA_sign failed: error:00000000:lib(0):func(0):reason(0)

This happens because openssh never prompts for the PIN.

If I use the openssh-agent and ssh-add everything works well.
ssh-add -s 0
ssh localhost

:) --> Have a lot of fun

The question now:
Do Smartcards only work if I use the ssh-agent, or should the
"ssh -I 0:45 localhost" command also work?

Thanks for help
Boris

From nlarsch at gmx.net Sun Apr 3 00:08:07 2005
From: nlarsch at gmx.net (Nils Larsch)
Date: Sat, 02 Apr 2005 16:08:07 +0200
Subject: OpenSSH and Smartcard
In-Reply-To: <424EA286.2070002@gmx.de>
References: <424EA286.2070002@gmx.de>
Message-ID: <424EA747.3010303@gmx.net>

Boris von Alten Blaskowitz wrote:
> Hi,
>
> I am not sure if this is the right place for the question. Sorry if not ...

as the error comes from opensc the opensc mailing list might have
been more appropriate

> My System:
> SuSE 9.2
> OpenSSH 3.9p1
>
> I have trouble using a Smartcard with openssh. If I try to connect
> directly to the Smartcard, it fails:
>
> ssh -I 0:45 localhost
>
> card-etoken.c:175:etoken_check_sw: required access right not granted
> card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
> card-etoken.c:175:etoken_check_sw: required access right not granted
> card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
> card-etoken.c:175:etoken_check_sw: required access right not granted
> card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
> sec.c:53:sc_compute_signature: returning with: Security status not satisfied
> pkcs15-sec.c:285:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied
> sc_pkcs15_compute_signature() failed: Security status not satisfied
> ssh_rsa_sign: RSA_sign failed: error:00000000:lib(0):func(0):reason(0)
>
> This happens because openssh never prompts for the PIN.
>
> If I use the openssh-agent and ssh-add everything works well.
> ssh-add -s 0
> ssh localhost
>
> :) --> Have a lot of fun
>
> The question now:
> Do Smartcards only work if I use the ssh-agent, or should the
> "ssh -I 0:45 localhost" command also work?

with the current design the use of the agent is strongly recommended

Nils

From borisvab at gmx.de Sun Apr 3 01:08:35 2005
From: borisvab at gmx.de (Boris von Alten Blaskowitz)
Date: Sat, 02 Apr 2005 17:08:35 +0200
Subject: OpenSSH and Smartcard
In-Reply-To: <424EA747.3010303@gmx.net>
References: <424EA286.2070002@gmx.de> <424EA747.3010303@gmx.net>
Message-ID: <424EB573.5040403@gmx.de>

Hi Nils,

I know it comes from opensc. But as far as I know opensc is not responsible.
Because openssh should ask the user for the PIN and set the smartcard in the
right condition. Is this correct?

I have a bad feeling with the ssh-agent. For example:
An intruder can send every kind of data (email text) during a user session to
the ssh-agent and this will be signed, if the user set no time limit.
(I have not validated this topic yet. So it is just an idea ...)

Another is that root can switch to my account and has also access to my
ssh-keys on the smartcard.

I would prefer not to use the ssh-agent. SSH or OpenSC, depending on who is
responsible, should ask me directly for the PIN for every new connection.

I already made a hack and it works fine. But I am not sure about side effects.

So what do you think?

Boris

Nils Larsch wrote:
> Boris von Alten Blaskowitz wrote:
>
>> Hi,
>>
>> I am not sure if this is the right place for the question. Sorry if not ...
>
> as the error comes from opensc the opensc mailing list might have
> been more appropriate
>
>> My System:
>> SuSE 9.2
>> OpenSSH 3.9p1
>>
>> I have trouble using a Smartcard with openssh. If I try to connect
>> directly to the Smartcard, it fails:
>>
>> ssh -I 0:45 localhost
>>
>> card-etoken.c:175:etoken_check_sw: required access right not granted
>> card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
>> card-etoken.c:175:etoken_check_sw: required access right not granted
>> card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
>> card-etoken.c:175:etoken_check_sw: required access right not granted
>> card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
>> sec.c:53:sc_compute_signature: returning with: Security status not satisfied
>> pkcs15-sec.c:285:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied
>> sc_pkcs15_compute_signature() failed: Security status not satisfied
>> ssh_rsa_sign: RSA_sign failed: error:00000000:lib(0):func(0):reason(0)
>>
>> This happens because openssh never prompts for the PIN.
>>
>> If I use the openssh-agent and ssh-add everything works well.
>> ssh-add -s 0
>> ssh localhost
>>
>> :) --> Have a lot of fun
>>
>> The question now:
>> Do Smartcards only work if I use the ssh-agent, or should the
>> "ssh -I 0:45 localhost" command also work?
>
> with the current design the use of the agent is strongly recommended
>
> Nils

From stuge-openssh-unix-dev at cdy.org Sun Apr 3 03:01:35 2005
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Sat, 2 Apr 2005 19:01:35 +0200
Subject: OpenSSH and Smartcard
In-Reply-To: <424EB573.5040403@gmx.de>
References: <424EA286.2070002@gmx.de> <424EA747.3010303@gmx.net> <424EB573.5040403@gmx.de>
Message-ID: <20050402170135.GA30022@foo.birdnet.se>

On Sat, Apr 02, 2005 at 05:08:35PM +0200, Boris von Alten Blaskowitz wrote:
> I have a bad feeling with the ssh-agent. For example:
> An intruder can send every kind of data (email text) during a user
> session to the ssh-agent and this will be signed.

Check out the -c parameter to ssh-add, ssh-agent will verify each signature
when you add keys with it, however..

> Another is that root can switch to my account and has also access
> to my ssh-keys on the smartcard.

..if you do not trust the host system through which you are sending your
PIN code to the card, you should take care of that issue first.

//Peter

From johnpell at mac.com Sun Apr 3 08:53:11 2005
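Added example, not OpenSSH's code and not part of Boris's or Peter's messages: the two agent-protocol messages behind the concern in the exchange above (list identities, then sign arbitrary data), built and parsed by hand, together with a toy agent so the whole exchange runs in one process over a socketpair. Message numbers and framing are those of the SSH agent protocol (a uint32 length, a one-byte type, and uint32-length-prefixed strings). The toy agent's "signature" is only a hash over the request, standing in for the private key or card that a real agent would use; its `confirm` callback stands in for the per-use confirmation that `ssh-add -c` subjects a key to. Key blobs, comments and the signed data are constructed for the example.

```python
# Added example (not OpenSSH's code): the ssh-agent exchange that lets any
# process with access to the socket obtain a signature over data of its choice.
import hashlib
import socket
import struct

SSH_AGENT_FAILURE = 5
SSH2_AGENTC_REQUEST_IDENTITIES = 11
SSH2_AGENT_IDENTITIES_ANSWER = 12
SSH2_AGENTC_SIGN_REQUEST = 13
SSH2_AGENT_SIGN_RESPONSE = 14


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def take_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string in agent message")
    return buf[off:off + n], off + n


def build_request_identities():
    return bytes([SSH2_AGENTC_REQUEST_IDENTITIES])


def build_sign_request(key_blob, data, flags=0):
    """Ask the agent to sign arbitrary data with the key identified by key_blob."""
    return (bytes([SSH2_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(data) + struct.pack(">I", flags))


def parse_identities_answer(payload):
    """-> list of (key_blob, comment) the agent is willing to sign with."""
    if not payload or payload[0] != SSH2_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply %r" % payload[:1])
    (count,) = struct.unpack_from(">I", payload, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = take_string(payload, off)
        comment, off = take_string(payload, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys


def parse_sign_response(payload):
    """-> signature bytes, or None when the agent refused (SSH_AGENT_FAILURE)."""
    if payload and payload[0] == SSH_AGENT_FAILURE:
        return None
    if not payload or payload[0] != SSH2_AGENT_SIGN_RESPONSE:
        raise ValueError("unexpected agent reply %r" % payload[:1])
    return take_string(payload, 1)[0]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the socket")
        buf += chunk
    return buf


def agent_send(sock, payload):
    sock.sendall(struct.pack(">I", len(payload)) + payload)  # length-prefixed frame


def agent_recv(sock):
    (n,) = struct.unpack(">I", _recv_exact(sock, 4))
    return _recv_exact(sock, n)


def toy_agent_serve_once(sock, keys, confirm=lambda blob, data: True):
    """Answer one request like an agent would; the signature is a toy hash."""
    req = agent_recv(sock)
    if req[0] == SSH2_AGENTC_REQUEST_IDENTITIES:
        body = struct.pack(">I", len(keys))
        for blob, comment in keys:
            body += ssh_string(blob) + ssh_string(comment)
        agent_send(sock, bytes([SSH2_AGENT_IDENTITIES_ANSWER]) + body)
        return
    if req[0] == SSH2_AGENTC_SIGN_REQUEST:
        blob, off = take_string(req, 1)
        data, off = take_string(req, off)
        if any(b == blob for b, _ in keys) and confirm(blob, data):
            fake_sig = b"toy-sig:" + hashlib.sha256(blob + data).digest()
            agent_send(sock, bytes([SSH2_AGENT_SIGN_RESPONSE]) + ssh_string(fake_sig))
            return
    agent_send(sock, bytes([SSH_AGENT_FAILURE]))


def sign_with_first_key(client, serve, data):
    """Client side: list keys, then have the first one sign data. `serve` runs
    the toy agent between send and receive; against a real SSH_AUTH_SOCK it is a no-op."""
    agent_send(client, build_request_identities())
    serve()
    keys = parse_identities_answer(agent_recv(client))
    if not keys:
        return None
    agent_send(client, build_sign_request(keys[0][0], data))
    serve()
    return parse_sign_response(agent_recv(client))


def run_demo(confirm=lambda blob, data: True):
    """The whole exchange over a socketpair: returns the signature or None."""
    client, agent = socket.socketpair()
    keys = [(b"constructed-key-blob", b"key on the smartcard")]  # constructed
    try:
        return sign_with_first_key(
            client, lambda: toy_agent_serve_once(agent, keys, confirm),
            b"anything the caller wants signed")
    finally:
        client.close()
        agent.close()
```

The point the exchange makes is that the sign request carries caller-chosen bytes and nothing ties them to an SSH authentication; whoever can write to the socket (including root, who can open any socket) gets a signature back unless the agent asks for confirmation first, which is what `run_demo(confirm=lambda blob, data: False)` models by returning `None`.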
From: johnpell at mac.com (John Davidorff Pell)
Date: Sat, 2 Apr 2005 14:53:11 -0800
Subject: forwarding data ?
In-Reply-To: <200504010009.09410.ed.white@libero.it>
References: <200504010009.09410.ed.white@libero.it>
Message-ID: <177ED3E4-0FDE-4535-9782-0EF2DE3A74A9@mac.com>

I think that netcat might do some/all of what you're looking for,
though I'm not sure. Have you looked at it?

JP

On 31 Mar 2005, at 14:09, Ed White wrote:
>> I guess you could say that, but I would rather say that you're trying
>> to use a tool for a task that it wasn't designed to perform.
>
> I don't think so. I think OpenSSH should provide a simple feature
> like this one. A simple encrypted proxy.
>
> ssh binds to localhost 31337 and when you connect to that port, it
> starts a connection to your server's sshd. That's it. So you could do this
>
> $ telnet localhost 31337
>
> instead of
>
> $ ssh server
>
>> You could try running faucet[1] with the script on the server to turn
>> it into a TCP service and then use regular port forwarding to
>> reach it.
>
> Thanks, faucet did the trick. However I'm using it on the client
> side, not on the server.

-- 
"... was it a dream where you see yourself standing in sort-of Sun-God
robes, on a pyramid, with a thousand naked women screaming and throwing
little pickles at you? ... Why am I the only one who has that dream?"

From dtucker at zip.com.au Sun Apr 3 10:45:27 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 03 Apr 2005 10:45:27 +1000
Subject: OpenSSH 4.1: call for testing.
Message-ID: <424F3CA7.8080209@zip.com.au>

Hi All.

OpenSSH 4.1 will be released in the next couple of weeks and we invite
interested parties to test a snapshot.

The changes since 4.0 are mostly bugfixes, for a detailed list see
http://bugzilla.mindrot.org/show_bug.cgi?id=994

Running the regression tests supplied with Portable does not require
installation and is simply:

$ ./configure && make tests

Testing on suitable non-production systems is also appreciated. Please
send reports of success or failure to openssh-unix-dev at mindrot.org.

I believe that the issues reported during the 4.0 testing have been
resolved, however if there are issues that remain then please report them
again.

Snapshots are available at
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/
or one of its mirrors listed at http://www.openssh.com/portable.html#ftp

Thanks.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From vinschen at redhat.com Sun Apr 3 22:38:45 2005
From: vinschen at redhat.com (Corinna Vinschen)
Date: Sun, 3 Apr 2005 14:38:45 +0200
Subject: OpenSSH 4.1: call for testing.
In-Reply-To: <424F3CA7.8080209@zip.com.au>
References: <424F3CA7.8080209@zip.com.au>
Message-ID: <20050403123845.GA22947@cygbert.vinschen.de>

Hi Darren,

On Apr  3 10:45, Darren Tucker wrote:
> Hi All.
>
> OpenSSH 4.1 will be released in the next couple of weeks and we invite
> interested parties to test a snapshot.
>
> The changes since 4.0 are mostly bugfixes, for a detailed list see
> http://bugzilla.mindrot.org/show_bug.cgi?id=994
>
> Running the regression tests supplied with Portable does not require
> installation and is simply:
>
> $ ./configure && make tests

Build and regression tests are running well on Cygwin.

Corinna

-- 
Corinna Vinschen                  Cygwin Project Co-Leader
Red Hat, Inc.

From logsnaath at gmx.net Mon Apr 4 22:21:44 2005
From: logsnaath at gmx.net (Logu)
Date: Mon, 4 Apr 2005 17:51:44 +0530
Subject: OpenSSH 4.1: call for testing.
References: <424F3CA7.8080209@zip.com.au>
Message-ID: <023701c53910$dfa5c450$140110ac@loguco>

Hi,

All the test cases passed on HP-UX 11.11 platform.

Thanks
-logu

> Hi All.
>
> OpenSSH 4.1 will be released in the next couple of weeks and we invite
> interested parties to test a snapshot.
>
> The changes since 4.0 are mostly bugfixes, for a detailed list see
> http://bugzilla.mindrot.org/show_bug.cgi?id=994
>
> Running the regression tests supplied with Portable does not require
> installation and is simply:
>
> $ ./configure && make tests
>
> Testing on suitable non-production systems is also appreciated. Please
> send reports of success or failure to openssh-unix-dev at mindrot.org.
>
> I believe that the issues reported during the 4.0 testing have been
> resolved, however if there are issues that remain then please report them
> again.
>
> Snapshots are available at
> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/
> or one of its mirrors listed at http://www.openssh.com/portable.html#ftp
>
> Thanks.
>
> -- 
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

From martin at oneiros.de Mon Apr 4 22:55:17 2005
From: martin at oneiros.de (Martin Schröder)
Date: Mon, 4 Apr 2005 14:55:17 +0200
Subject: OpenSSH 4.1: call for testing.
In-Reply-To: <424F3CA7.8080209@zip.com.au>
References: <424F3CA7.8080209@zip.com.au>
Message-ID: <20050404125517.GH5823@blau.artcom-gmbh.de>

On 2005-04-03 10:45:27 +1000, Darren Tucker wrote:
> send reports of success or failure to openssh-unix-dev at mindrot.org.

Everything's fine on SuSE 9.2 AMD64.

Best regards
Martin
-- 
http://www.tm.oneiros.de

From Bob.Edgar at commerzbank.com Mon Apr 4 23:50:52 2005
From: Bob.Edgar at commerzbank.com (Edgar, Bob)
Date: Mon, 4 Apr 2005 15:50:52 +0200
Subject: OpenSSH 4.1: call for testing.
Message-ID: <9D248E1E43ABD411A9B600508BAF6E9B0C7373F4@xmx7fraib.fra.ib.commerzbank.com>

All tests pass for Solaris/Sparc 2.6, 7, 8, 9

On 2005-04-03 10:45:27 +1000, Darren Tucker wrote:
> send reports of success or failure to openssh-unix-dev at mindrot.org.

From gert at greenie.muc.de Tue Apr 5 00:59:46 2005
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 4 Apr 2005 16:59:46 +0200
Subject: OpenSSH 4.1: call for testing.
In-Reply-To: <424F3CA7.8080209@zip.com.au>
References: <424F3CA7.8080209@zip.com.au>
Message-ID: <20050404145946.GR7864@greenie.muc.de>

Hi,

On Sun, Apr 03, 2005 at 10:45:27AM +1000, Darren Tucker wrote:
> The changes since 4.0 are mostly bugfixes, for a detailed list see
> http://bugzilla.mindrot.org/show_bug.cgi?id=994
>
> Running the regression tests supplied with Portable does not require
> installation and is simply:
>
> $ ./configure && make tests

Testing vs. CVS as of today.

SCO 3.2v4.2:
  configure: error: "This Platform is no longer supported."
  (well, that was just for completeness anyway)

NetBSD 2.0.2 on Sparc64 (should find all endianness and word-size issues):

- configure:

  WARNING: the operating system that you are using does not
  appear to support either the getpeereid() API nor the
  SO_PEERCRED getsockopt() option. These facilities are used to
  enforce security checks to prevent unauthorised connections to
  ssh-agent. Their absence increases the risk that a malicious
  user can connect to your agent.

  out of curiosity: who *does* support this, if not the BSDs? Or is it
  just NetBSD that can't do it yet?

- make: all fine

- make tests:
  ...
  reexec tests: proto 2
  ok reexec tests
  run test brokenkeys.sh ...
  ok broken keys

--> all fine

good work!

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From cmadams at hiwaay.net Tue Apr 5 03:32:59 2005
From: cmadams at hiwaay.net (Chris Adams)
Date: Mon, 4 Apr 2005 12:32:59 -0500
Subject: OpenSSH 4.1: call for testing.
In-Reply-To: <424F3CA7.8080209@zip.com.au>
References: <424F3CA7.8080209@zip.com.au>
Message-ID: <20050404173259.GB578238@hiwaay.net>

Once upon a time, Darren Tucker said:
> OpenSSH 4.1 will be released in the next couple of weeks and we invite
> interested parties to test a snapshot.

I tested openssh-SNAP-20050404.tar.gz on Tru64, and I needed this patch:

************************************************************************
diff -urN openssh-SNAP-20050404/auth-sia.c openssh/auth-sia.c
--- openssh-SNAP-20050404/auth-sia.c	Thu Mar  4 05:59:37 2004
+++ openssh/auth-sia.c	Mon Apr  4 11:05:29 2005
@@ -47,7 +47,7 @@
 extern char **saved_argv;
 
 int
-sys_auth_passwd(Authctxt *authctxt, char *pass)
+sys_auth_passwd(Authctxt *authctxt, const char *pass)
 {
 	int ret;
 	SIAENTITY *ent = NULL;
diff -urN openssh-SNAP-20050404/auth-sia.h openssh/auth-sia.h
--- openssh-SNAP-20050404/auth-sia.h	Thu Mar  4 05:59:37 2004
+++ openssh/auth-sia.h	Mon Apr  4 11:05:33 2005
@@ -26,7 +26,7 @@
 
 #ifdef HAVE_OSF_SIA
 
-int sys_auth_passwd(Authctxt *, char *);
+int sys_auth_passwd(Authctxt *, const char *);
 void session_setup_sia(struct passwd *, char *);
 
 #endif /* HAVE_OSF_SIA */
************************************************************************

I left the sys_auth_passwd() declaration in auth-sia.h, but should it be
removed (and also removed from the top of auth-passwd.c)? Both also
include auth.h which now declares sys_auth_passwd() as well.

Aside from that, all tests pass.

-- 
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From guyverdh at mchsi.com Tue Apr 5 07:05:33 2005
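Review bot: the prototype kept in the auth-sia.h hunk now duplicates the one the covering message says auth.h already declares, so the two copies can drift apart again the next time either signature changes (this patch exists precisely because they did); drop `-int sys_auth_passwd(Authctxt *, char *);` / `+int sys_auth_passwd(Authctxt *, const char *);` from auth-sia.h entirely, remove the matching declaration at the top of auth-passwd.c, and let both files take it from auth.h. For the auth-sia.c hunk, the `const` on `pass` only settles the warning if the body keeps it const down to the SIA call; if `pass` is handed to an interface declared with a plain `char *`, the mismatch moves into the function rather than disappearing, so check the lines below the hunk before applying.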
From: guyverdh at mchsi.com (guyverdh at mchsi.com)
Date: Mon, 04 Apr 2005 21:05:33 +0000
Subject: OpenSSH 4.1: call for testing.
Message-ID: <040420052105.21236.4251AC1D00047855000052F42197912995080B9D0A90979A09@mchsi.com>

Solaris 5.10

Config works fine.
Make works fine.
Make tests - fails.

Master running (pid=21217)
Exit request sent.
failed connection multiplexing
*** Error code 1
The following command caused the error:
if [ "xconnect.sh proxy-connect.sh connect-privsep.sh proto-version.sh proto-mismatch.sh exit-status.sh envpass.sh transfer.sh banner.sh rekey.sh stderr-data.sh stderr-after-eof.sh broken-pipe.sh try-ciphers.sh yes-head.sh login-timeout.sh agent.sh agent-getpeereid.sh agent-timeout.sh agent-ptrace.sh keyscan.sh keygen-change.sh scp.sh sftp.sh sftp-cmds.sh sftp-badcmds.sh sftp-batch.sh sftp-glob.sh reconfigure.sh dynamic-forward.sh forwarding.sh multiplex.sh reexec.sh brokenkeys.sh" = "x" ]; then exit 0; fi; \
for TEST in ""connect.sh proxy-connect.sh connect-privsep.sh proto-version.sh proto-mismatch.sh exit-status.sh envpass.sh transfer.sh banner.sh rekey.sh stderr-data.sh stderr-after-eof.sh broken-pipe.sh try-ciphers.sh yes-head.sh login-timeout.sh agent.sh agent-getpeereid.sh agent-timeout.sh agent-ptrace.sh keyscan.sh keygen-change.sh scp.sh sftp.sh sftp-cmds.sh sftp-badcmds.sh sftp-batch.sh sftp-glob.sh reconfigure.sh dynamic-forward.sh forwarding.sh multiplex.sh reexec.sh brokenkeys.sh; do \
	echo "run test ${TEST}" ... 1>&2; \
	(env SUDO= sh /tech_svc/SSH/openssh-SNAP-20050404/regress/test-exec.sh /tech_svc/SSH/openssh-SNAP-20050404/regress /tech_svc/SSH/openssh-SNAP-20050404/regress/${TEST}) || exit $?; \
done
make: Fatal error: Command failed for target `t-exec'
Current working directory /tech_svc/SSH/openssh-SNAP-20050404/regress
*** Error code 1
make: Fatal error: Command failed for target `tests'

----

Also, still showing loads of the following message in syslog output

Apr  4 15:52:12 srvname sshd[14794]: [ID 800047 auth.error] error: setsockopt SO_KEEPALIVE: Socket operation on non-socket
Apr  4 15:52:13 srvname sshd[14796]: [ID 800047 auth.error] error: setsockopt SO_KEEPALIVE: Socket operation on non-socket

From daveroth at acm.org Tue Apr 5 11:32:04 2005
From: daveroth at acm.org (David Rothenberger)
Date: Mon, 04 Apr 2005 18:32:04 -0700
Subject: problem with remote forward and SSH 2.4.0 server
Message-ID: <4251EA94.7080907@acm.org>

I'm having a problem with OpenSSH_4.0p1 when trying to do remote port
forwards to a server running SSH Secure Shell 2.4.0. The problem appears
to be that 2.4.0 chokes on bind addresses that aren't numeric addresses,
such as "localhost" and "".

The following commands are failing for me from the 4.0p1 client to the
2.4.0 server:

~ ssh -R 50000:localhost:50000 server
~ ssh -R localhost:50000:localhost:50000 server
~ ssh -R :50000:localhost:50000 server
~ ssh -R \*:50000:localhost:50000 server

although these commands work just fine:

~ ssh -R 127.0.0.1:50000:localhost:50000 server
~ ssh -R 0.0.0.0:50000:localhost:50000 server
~ ssh -R 192.168.1.1:50000:localhost:50000 server

The attached patch solves the problem for me. It sends "0.0.0.0" as the
address_to_bind for these cases

~ ssh -R 50000:localhost:50000 server
~ ssh -R :50000:localhost:50000 server
~ ssh -R \*:50000:localhost:50000 server

but still passes through the specified address for

~ ssh -R 192.168.1.1:50000:localhost:50000 server

David

-- 
David Rothenberger    spammer? -> spam at daveroth.dyndns.org
GPG/PGP: 0x7F67E734, C233 365A 25EF 2C5F C8E1 43DF B44F BA26 7F67 E734

The major sin is the sin of being born.
                -- Samuel Beckett

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-4.0p1.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050404/48ecbc81/attachment.ksh

From dtucker at zip.com.au Tue Apr 5 11:32:58 2005
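Added example, not OpenSSH's code and not David's patch (which is only an attachment here): what the client puts on the wire for `ssh -R`, and the bind-address rewrite his message describes, so the failing and working forms above can be compared byte for byte. The request layout is the "tcpip-forward" global request of RFC 4254 section 7.1 (`SSH_MSG_GLOBAL_REQUEST`, string "tcpip-forward", boolean want_reply, string address_to_bind, uint32 port_to_bind). The default mapping assumed is the RFC's: an omitted bind address means "localhost" (loopback only) and "" or "*" mean "" (all interfaces). The `numeric_only` mode follows the message exactly: the omitted, ":" and "*" forms become "0.0.0.0" and a spelled-out address passes through, which means the "localhost:" form is reported as needing the workaround but is not rewritten. Bracketed IPv6 bind addresses are not handled.

```python
# Added example (not OpenSSH's code, not David's patch): ssh -R parsing and the
# RFC 4254 "tcpip-forward" global request, with the described numeric rewrite.
import ipaddress
import struct

SSH_MSG_GLOBAL_REQUEST = 80


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def parse_remote_forward(spec):
    """Parse the ssh -R argument [bind_address:]port:host:hostport.
    Returns (bind_address or None when omitted, port, host, hostport)."""
    parts = spec.rsplit(":", 3)
    if len(parts) == 3:
        bind, (port, host, hostport) = None, parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError("bad -R specification: %r" % spec)
    return bind, int(port), host, int(hostport)


def is_numeric_address(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def address_to_bind(bind, numeric_only=False):
    """Map the user's bind address to the address_to_bind string.
    Default path: RFC 4254 names. numeric_only: the rewrite described above,
    which turns the omitted, "" and "*" forms into "0.0.0.0" and passes any
    spelled-out address (including "localhost") through unchanged."""
    if bind is None:
        return "0.0.0.0" if numeric_only else "localhost"
    if bind in ("", "*"):
        return "0.0.0.0" if numeric_only else ""
    return bind


def needs_numeric_workaround(spec):
    """True for the forms reported failing: the default path would send a
    non-numeric address_to_bind that the 2.4.0 server rejects."""
    bind = parse_remote_forward(spec)[0]
    return not is_numeric_address(address_to_bind(bind))


def build_tcpip_forward(spec, want_reply=True, numeric_only=False):
    """Client side: the SSH_MSG_GLOBAL_REQUEST payload for this -R spec."""
    bind, port, _host, _hostport = parse_remote_forward(spec)
    addr = address_to_bind(bind, numeric_only)
    return (bytes([SSH_MSG_GLOBAL_REQUEST]) + ssh_string(b"tcpip-forward")
            + bytes([1 if want_reply else 0]) + ssh_string(addr.encode("ascii"))
            + struct.pack(">I", port))


def decode_tcpip_forward(msg):
    """Server side: -> (want_reply, address_to_bind, port_to_bind)."""
    if msg[0] != SSH_MSG_GLOBAL_REQUEST:
        raise ValueError("not a global request")
    off = 1
    (n,) = struct.unpack_from(">I", msg, off)
    off += 4
    name = msg[off:off + n]
    off += n
    if name != b"tcpip-forward":
        raise ValueError("not tcpip-forward: %r" % name)
    want_reply = msg[off] == 1
    off += 1
    (n,) = struct.unpack_from(">I", msg, off)
    off += 4
    addr = msg[off:off + n].decode("ascii")
    off += n
    (port,) = struct.unpack_from(">I", msg, off)
    return want_reply, addr, port
```

`needs_numeric_workaround` returns True for exactly the four failing forms in the message and False for the three working ones, and `decode_tcpip_forward(build_tcpip_forward(spec, numeric_only=True))` shows what the rewritten request looks like to the server. Note that "0.0.0.0" is not a neutral substitute for "localhost": the RFC gives "localhost" loopback-only meaning, while "0.0.0.0" asks for all IPv4 interfaces, so a server that honours the address will expose the forwarded port more widely than the unpatched client intended.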
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 05 Apr 2005 11:32:58 +1000
Subject: OpenSSH 4.1: call for testing.
In-Reply-To: <20050404145946.GR7864@greenie.muc.de>
References: <424F3CA7.8080209@zip.com.au> <20050404145946.GR7864@greenie.muc.de>
Message-ID: <4251EACA.2010000@zip.com.au>

Thanks to all for the testing so far.

Gert Doering wrote:
> WARNING: the operating system that you are using does not
> appear to support either the getpeereid() API nor the
> SO_PEERCRED getsockopt()
[...]
> out of curiosity: who *does* support this, if not the BSDs? Or is it
> just NetBSD that can't do it yet?

From the surveys[1] sent so far: OpenBSD, FreeBSD and Cygwin have
getpeereid(). Linux has SO_PEERCRED but I'm not sure which others do
(configure doesn't write that into config.h so I don't have much data
for that).

[1] see INSTALL for details on sending surveys. They help answer
questions like this one :-)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From djm at mindrot.org Tue Apr 5 12:42:08 2005
From: djm at mindrot.org (Damien Miller)
Date: Tue, 05 Apr 2005 12:42:08 +1000
Subject: OpenSSH 4.1: call for testing.
In-Reply-To: <20050404145946.GR7864@greenie.muc.de>
References: <424F3CA7.8080209@zip.com.au> <20050404145946.GR7864@greenie.muc.de>
Message-ID: <4251FB00.2030405@mindrot.org>

Gert Doering wrote:
> NetBSD 2.0.2 on Sparc64 (should find all endianness and word-size issues):
>
> - configure:
>
>   WARNING: the operating system that you are using does not
>   appear to support either the getpeereid() API nor the
>   SO_PEERCRED getsockopt() option. These facilities are used to
>   enforce security checks to prevent unauthorised connections to
>   ssh-agent. Their absence increases the risk that a malicious
>   user can connect to your agent.
>
>   out of curiosity: who *does* support this, if not the BSDs? Or is it
>   just NetBSD that can't do it yet?

Apparently, there has been an unapplied patch for NetBSD to implement
this since 1.4.2:

http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=10798

Hopefully someone will clean it up and commit it - it is an important
thing to have.

-d

From gert at greenie.muc.de Tue Apr 5 17:29:20 2005
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 5 Apr 2005 09:29:20 +0200
Subject: OpenSSH 4.1: call for testing.
In-Reply-To: <4251FB00.2030405@mindrot.org>
References: <424F3CA7.8080209@zip.com.au> <20050404145946.GR7864@greenie.muc.de> <4251FB00.2030405@mindrot.org>
Message-ID: <20050405072920.GS7864@greenie.muc.de>

Hi,

On Tue, Apr 05, 2005 at 12:42:08PM +1000, Damien Miller wrote:
> > out of curiosity: who *does* support this, if not the BSDs? Or is it
> > just NetBSD that can't do it yet?
>
> Apparently, there has been an unapplied patch for NetBSD to implement
> this since 1.4.2:
>
> http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=10798
>
> Hopefully someone will clean it up and commit it - it is an important
> thing to have.

From the comments, it seems to be a political issue - "we already have a
superior mechanism, we don't want any of this". *hrmpf*

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From djm at mindrot.org Tue Apr 5 19:11:51 2005
From: djm at mindrot.org (Damien Miller)
Date: Tue, 05 Apr 2005 19:11:51 +1000
Subject: OpenSSH 4.1: call for testing.
In-Reply-To: <20050405072920.GS7864@greenie.muc.de>
References: <424F3CA7.8080209@zip.com.au> <20050404145946.GR7864@greenie.muc.de> <4251FB00.2030405@mindrot.org> <20050405072920.GS7864@greenie.muc.de>
Message-ID: <42525657.7040108@mindrot.org>

Gert Doering wrote:
> Hi,
>
> On Tue, Apr 05, 2005 at 12:42:08PM +1000, Damien Miller wrote:
>
> >> out of curiosity: who *does* support this, if not the BSDs? Or is it
> >> just NetBSD that can't do it yet?
> >
> > Apparently, there has been an unapplied patch for NetBSD to implement
> > this since 1.4.2:
> >
> > http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=10798
> >
> > Hopefully someone will clean it up and commit it - it is an important
> > thing to have.
>
> From the comments, it seems to be a political issue - "we already have a
> superior mechanism, we don't want any of this". *hrmpf*

Well, it would be better if it could support the interface that other
vendors have adopted. It seems that the NetBSD method complicates things
for consumers of the API - it appears to need data sent for the creds to
be made available to the peer. So you can't do accept(), getpeereid(),
drop; you must forestall the check until later.

-d

From Bob.Edgar at commerzbank.com Tue Apr 5 19:34:49 2005
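Added example, not ssh-agent's code and not part of any message in this thread: the peer-credential check the configure warning is about, done on an AF_UNIX socket from Python, plus the accept-then-check flow Damien describes. Linux is covered through `SO_PEERCRED` (struct ucred: pid, uid, gid as three native ints); FreeBSD and macOS through `LOCAL_PEERCRED` at level `SOL_LOCAL` (0), whose struct xucred starts with a version word, the uid and a group count. Python's standard library has no binding for `getpeereid()` itself, so on a system that only offers that API (OpenBSD and Cygwin, per Darren's survey reply) the example reports that it could not verify the peer rather than guessing. The socket path and directory are created in a temporary directory for the demonstration.

```python
# Added example (not ssh-agent's code): verify that the process on the other
# end of a Unix socket runs as our uid, the way the configure warning describes.
import os
import socket
import struct
import tempfile


def peer_uid(conn):
    """Effective uid of the peer on conn, or None when neither SO_PEERCRED nor
    LOCAL_PEERCRED is available (the situation configure warns about)."""
    if hasattr(socket, "SO_PEERCRED"):
        # Linux: struct ucred { pid_t pid; uid_t uid; gid_t gid; }
        raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
        _pid, uid, _gid = struct.unpack("3i", raw)
        return uid
    if hasattr(socket, "LOCAL_PEERCRED"):
        # FreeBSD/macOS: struct xucred { u_int cr_version; uid_t cr_uid; short cr_ngroups; ... }
        raw = conn.getsockopt(0, socket.LOCAL_PEERCRED, 76)  # 0 == SOL_LOCAL; 76 == sizeof(struct xucred)
        _version, uid, _ngroups = struct.unpack_from("IIh", raw)
        return uid
    return None


def check_peer(conn, expected_uid=None):
    """The ssh-agent rule: serve the connection only if the peer is our uid.
    Returns True or False, or None when the credentials cannot be read; a
    caller must treat None as 'not verified', never as 'ok'."""
    if expected_uid is None:
        expected_uid = os.getuid()
    uid = peer_uid(conn)
    if uid is None:
        return None
    return uid == expected_uid


def self_check():
    """Both ends of a socketpair belong to this process: the check passes for
    our own uid and fails for any other."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return (check_peer(a) is True
                and check_peer(b, expected_uid=os.getuid() + 1) is False)
    finally:
        a.close()
        b.close()


def listener_demo():
    """ssh-agent-style flow: listen on a socket inside a 0700 directory (the
    filesystem check), connect to it, and verify the peer right after accept()
    (the credential check). Returns check_peer's verdict for that connection."""
    tmpdir = tempfile.mkdtemp(prefix="agent-demo-")
    os.chmod(tmpdir, 0o700)
    path = os.path.join(tmpdir, "agent.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    conn = None
    try:
        srv.bind(path)
        srv.listen(1)
        cli.connect(path)
        conn, _ = srv.accept()
        return check_peer(conn)  # accept(), check, then serve or drop
    finally:
        for s in (conn, cli, srv):
            if s is not None:
                s.close()
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmpdir)
```

`listener_demo()` is the accept(), check, drop sequence Damien refers to; it works because the kernel records the peer's credentials at connect time and hands them back on request. Under NetBSD's LOCAL_CREDS the credentials arrive as ancillary data with the first message instead, so the verdict is only available after a read, which is why code written against this sequence cannot use that mechanism unchanged. The 0700 directory is a separate, weaker line of defence: it keeps other uids from reaching the socket path at all, but does nothing against a process that already has a descriptor.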
From: Bob.Edgar at commerzbank.com (Edgar, Bob)
Date: Tue, 5 Apr 2005 11:34:49 +0200
Subject: OpenSSH 4.1: call for testing.
Message-ID: <9D248E1E43ABD411A9B600508BAF6E9B0C737401@xmx7fraib.fra.ib.commerzbank.com>

On Solaris10/Sparc:

My first make tests failed as below. Running again, all tests pass.
I then started again with a clean directory and did configure && make tests
without errors. Perhaps this is just weirdness on my system but perhaps
someone else will see something obvious.

run test agent.sh ...
Error reading response length from authentication socket.
Permission denied.
agent fwd proto 1 failed (exit code 0)
failed simple agent test
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/usr/local/src/openssh-SNAP-20050404/regress'
gmake: *** [tests] Error 2

-----Original Message-----
From: openssh-unix-dev-bounces+bob.edgar=commerzbankib.com at mindrot.org
[mailto:openssh-unix-dev-bounces+bob.edgar=commerzbankib.com at mindrot.org] On Behalf Of Edgar, Bob
Sent: Monday, 4 April 2005 15:51
To: 'openssh-unix-dev at mindrot.org'
Subject: RE: OpenSSH 4.1: call for testing.

All tests pass for Solaris/Sparc 2.6, 7, 8, 9

On 2005-04-03 10:45:27 +1000, Darren Tucker wrote:
> send reports of success or failure to openssh-unix-dev at mindrot.org.

From dtucker at zip.com.au Tue Apr 5 20:30:39 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 05 Apr 2005 20:30:39 +1000
Subject: OpenSSH 4.1: call for testing.
In-Reply-To: <9D248E1E43ABD411A9B600508BAF6E9B0C737401@xmx7fraib.fra.ib.commerzbank.com>
References: <9D248E1E43ABD411A9B600508BAF6E9B0C737401@xmx7fraib.fra.ib.commerzbank.com>
Message-ID: <425268CF.2080809@zip.com.au>

Edgar, Bob wrote:
> On Solaris10/Sparc:
>
> My first make tests failed as below. Running again, all tests pass.
> I then started again with a clean directory and did configure && make tests
> without errors. Perhaps this is just weirdness on my system but perhaps
> someone else will see something obvious.

No, nothing obvious.

One possibility: if you're using OpenSSL <= 0.9.7e compiled on Solaris 10,
it won't use the /dev/*random devices. This means that the ssh-rand-helper
needs to exist in its final location (/usr/local/libexec by default) in
order for the tests to run (so if it started working after a "make install"
then that's probably the reason).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Tue Apr 5 21:03:47 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 05 Apr 2005 21:03:47 +1000
Subject: OpenSSH 4.1: call for testing.
In-Reply-To: <20050404173259.GB578238@hiwaay.net>
References: <424F3CA7.8080209@zip.com.au> <20050404173259.GB578238@hiwaay.net>
Message-ID: <42527093.3070703@zip.com.au>

Chris Adams wrote:
> I tested openssh-SNAP-20050404.tar.gz on Tru64, and I needed this patch:

Applied, thanks.

> I left the sys_auth_passwd() declaration in auth-sia.h, but should it be
> removed (and also removed from the top of auth-passwd.c)?

Agreed, also done.

> Aside from that, all tests pass.

Thanks!

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From Bob.Edgar at commerzbank.com Tue Apr 5 22:04:37 2005
From: Bob.Edgar at commerzbank.com (Edgar, Bob)
Date: Tue, 5 Apr 2005 14:04:37 +0200
Subject: OpenSSH 4.1: call for testing.
Message-ID: <9D248E1E43ABD411A9B600508BAF6E9B0C73740A@xmx7fraib.fra.ib.commerzbank.com>

No, I'm using 0.9.7d compiled on Sol9 (this is a bootstrap operation to
build a new set of tools for Sol10).

I didn't do anything between the first test and the second except to add
a -k switch to gmake to have it run the rest of the tests. The second run
didn't fail (as I indicated) so I made a new empty directory followed by
a configure/make and it too didn't fail. I then untarred a new copy of
everything and repeated and that too didn't fail.

As I said, this may just be something bogus on my system. I only posted
so that if someone else saw something similar they'd see it had been seen
before and I hoped that it might go click with one of the developers.

-----Original Message-----
From: Darren Tucker [mailto:dtucker at zip.com.au]
Sent: Tuesday, 5 April 2005 12:31
To: Edgar, Bob
Cc: 'openssh-unix-dev at mindrot.org'
Subject: Re: OpenSSH 4.1: call for testing.

Edgar, Bob wrote:
> On Solaris10/Sparc:
>
> My first make tests failed as below. Running again, all tests pass.
> I then started again with a clean directory and did configure && make tests
> without errors. Perhaps this is just weirdness on my system but perhaps
> someone else will see something obvious.

No, nothing obvious.

One possibility: if you're using OpenSSL <= 0.9.7e compiled on Solaris 10,
it won't use the /dev/*random devices. This means that the ssh-rand-helper
needs to exist in its final location (/usr/local/libexec by default) in
order for the tests to run (so if it started working after a "make install"
then that's probably the reason).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From guyverdh at mchsi.com Wed Apr 6 01:46:50 2005
From: guyverdh at mchsi.com (guyverdh at mchsi.com)
Date: Tue, 05 Apr 2005 15:46:50 +0000
Subject: OpenSSH 4.1: call for testing.
Message-ID: <040520051546.27642.4252B2EA00043CE500006BFA2197926761080B9D0A90979A09@mchsi.com>

On our Solaris 10/Sparc platform, I have loaded vanilla OpenSSL 0.9.7f, and
have added the --with-ssl-dir=/usr/local/ssl to the config.

did gmake distclean to clear things up.
re-ran config
re-ran gmake
re-ran gmake tests

Failed on multiplexing (probably due to the SO_KEEPALIVE: Socket Operation
on non-socket) issue.

re-re-ran gmake tests with -k param
same error.

From banz at umbc.edu Wed Apr 6 02:09:57 2005
From: banz at umbc.edu (Robert Banz)
Date: Tue, 05 Apr 2005 12:09:57 -0400
Subject: OpenSSH 4.1: call for testing.
In-Reply-To: <425268CF.2080809@zip.com.au>
References: <9D248E1E43ABD411A9B600508BAF6E9B0C737401@xmx7fraib.fra.ib.commerzbank.com> <425268CF.2080809@zip.com.au>
Message-ID: <4252B855.7090501@umbc.edu>

Darren Tucker wrote:
> Edgar, Bob wrote:
>
>> On Solaris10/Sparc:
>>
>> My first make tests failed as below. Running again, all tests pass.
>> I then started again with a clean directory and did configure && make
>> tests
>> without errors. Perhaps this is just weirdness on my system but perhaps
>> someone else will see something obvious.
>
>
> No, nothing obvious.
>
> One possibility: if you're using OpenSSL <= 0.9.7e compiled on Solaris
> 10, it won't use the /dev/*random devices. This means that the
> ssh-rand-helper needs to exist in its final location (/usr/local/libexec
> by default) in order for the tests to run (so if it started working
> after a "make install" then that's probably the reason).
>

This is due to a bug in OpenSSL; they use the option O_NOFOLLOW on
opening the /dev/random devices -- and, on Solaris, this is a no-no, as
/dev/random is a symlink to /devices/pseudo/[blah blah].

You can comment out the O_NOFOLLOW option in your openssl source, it's in
crypto/rand/rand_unix.c. This shouldn't open up much of a security hole --
if you have a situation where someone could place a trojan symlink in
/dev, you've got other problems on your hands than not having a good
random number source :)

I submitted a bug to the openssl folks a while back; this worked previous
to S10, as Solaris just recently began supporting O_NOFOLLOW.

-rob

From guyverdh at mchsi.com Wed Apr 6 04:34:19 2005
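The O_NOFOLLOW-on-a-symlink failure Robert Banz describes above, as an added example (not OpenSSL's or OpenSSH's code): rather than dropping O_NOFOLLOW entirely, the opener resolves the link first, opens the target strictly, and then verifies with fstat() that what it got is a character device, so a regular file planted at the device path is still rejected. The self-test recreates the Solaris layout in a temp dir with /dev/null standing in for /dev/random; the helper names are my own.

```python
"""Open a random-number device with O_NOFOLLOW when the device path is a
symlink, the Solaris 10 situation from the thread above (/dev/random ->
/devices/pseudo/...), where OpenSSL's O_NOFOLLOW open fails with ELOOP.

Added example, not OpenSSL's or OpenSSH's code. Instead of removing
O_NOFOLLOW altogether, it resolves the link first, opens the target with
O_NOFOLLOW, and then checks with fstat() that the result really is a
character device, so a regular file or FIFO planted at the device path is
still rejected. The self-test uses /dev/null as a stand-in for /dev/random
so it runs on any Unix."""
import errno
import os
import shutil
import stat
import tempfile


def open_device_nofollow(path):
    """open(2) read-only with O_NOFOLLOW; raises OSError(ELOOP) if path
    is itself a symlink (the behaviour that broke OpenSSL on Solaris 10)."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | getattr(os, "O_NOCTTY", 0)
    return os.open(path, flags)


def open_random_device(path):
    """Return (fd, resolved_path) for the character device at path."""
    try:
        fd = open_device_nofollow(path)
        resolved = path
    except OSError as e:
        if e.errno != errno.ELOOP:
            raise
        # path is a symlink: resolve it, then open the target strictly
        resolved = os.path.realpath(path)
        fd = open_device_nofollow(resolved)
    # Whatever was opened must be a character device, not a planted file
    if not stat.S_ISCHR(os.fstat(fd).st_mode):
        os.close(fd)
        raise OSError(errno.ENODEV, "not a character device", resolved)
    return fd, resolved


def demo(device="/dev/null"):
    """Recreate the Solaris layout in a temp dir and report what happens.
    Returns a dict of observations for checking (constructed test setup)."""
    workdir = tempfile.mkdtemp()
    out = {}
    try:
        link = os.path.join(workdir, "random")
        os.symlink(device, link)           # like /dev/random -> /devices/...
        try:
            os.close(open_device_nofollow(link))
            out["strict_open"] = "ok"
        except OSError as e:
            out["strict_open"] = errno.errorcode[e.errno]   # expect ELOOP
        fd, resolved = open_random_device(link)
        out["resolved"] = resolved
        out["is_chr"] = stat.S_ISCHR(os.fstat(fd).st_mode)
        os.close(fd)
        fake = os.path.join(workdir, "fake_random")  # regular file, no device
        with open(fake, "w"):
            pass
        try:
            os.close(open_random_device(fake)[0])
            out["regular_file"] = "accepted"
        except OSError as e:
            out["regular_file"] = errno.errorcode[e.errno]  # expect ENODEV
    finally:
        shutil.rmtree(workdir)
    return out


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print("%-13s %s" % (key + ":", value))
```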
From: guyverdh at mchsi.com (guyverdh at mchsi.com)
Date: Tue, 05 Apr 2005 18:34:19 +0000
Subject: OpenSSH 4.1: call for testing.
Message-ID: <040520051834.7943.4252DA2B000CB78E00001F072197924741080B9D0A90979A09@mchsi.com>

> This is due to a bug in OpenSSL; they use the option O_NOFOLLOW on
> opening the /dev/random devices -- and, on Solaris, this is a no-no, as
> /dev/random is a symlink to /devices/pseudo/[blah blah].

Which is why I went with OpenSSL 0.9.7f - as that problem has been fixed
in this release.

From jc at info-systems.de Wed Apr 6 20:40:37 2005
From: jc at info-systems.de (Jakob Curdes)
Date: Wed, 06 Apr 2005 12:40:37 +0200
Subject: Monitoring ssh logins/logouts
Message-ID: <4253BCA5.3020308@info-systems.de>

Hello,

we are trying to monitor ssh logins on security-critical machines with a
script that scans logfiles for the relevant entries.
A problem is that when the ssh connection is closed by a network
interruption or by closing the window with the ssh client, we do not
find a corresponding entry in the logs. "last" does not show this
information either, at least on our systems which are RedHat Linux
based. Is there any way to record a "User gone" or so? At a certain
point, the daemon closes the connection when the client has gone away;
would it be possible to log this?

I would be grateful for a hint.

Yours,
Jakob Curdes

From dtucker at zip.com.au Wed Apr 6 21:49:52 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 06 Apr 2005 21:49:52 +1000
Subject: Monitoring ssh logins/logouts
In-Reply-To: <4253BCA5.3020308@info-systems.de>
References: <4253BCA5.3020308@info-systems.de>
Message-ID: <4253CCE0.9090201@zip.com.au>

Jakob Curdes wrote:
> we are trying to monitor ssh logins on security-critical machines with a
> script that scans logfiles for the relevant entries.
> A problem is that when the ssh connection is closed by a network
> interruption or by closing the window with the ssh client, we do not
> find a corresponding entry in the logs.

Which OpenSSH version, and is it a vendor-supplied package or self-compiled?

> "last" does not show this
> information either, at least on our systems which are RedHat Linux
> based. Is there any way to record a "User gone" or so? At a certain
> point, the daemon closes the connection when the client has gone away;
> would it be possible to log this?

I think sshd should update last on disconnects, if it doesn't it should
be investigated.

> I would be grateful for a hint.

The optional audit code in 4.0p1 will catch these disconnect events and
syslog them if you enable it (configure --with-audit=debug).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Wed Apr 6 21:54:38 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 06 Apr 2005 21:54:38 +1000
Subject: OpenSSH 4.1: call for testing.
In-Reply-To: <040420052105.21236.4251AC1D00047855000052F42197912995080B9D0A90979A09@mchsi.com>
References: <040420052105.21236.4251AC1D00047855000052F42197912995080B9D0A90979A09@mchsi.com>
Message-ID: <4253CDFE.6080400@zip.com.au>

Thanks for testing.

guyverdh at mchsi.com wrote:
> Solaris 5.10
>
> Config works fine.
>
> Make works fine.
>
> Make tests - fails.
>
> Master running (pid=21217)
> Exit request sent.
> failed connection multiplexing

So far I've not been able to reproduce this (Sol10/x86).

Is there any output from before this line? Could you run the multiplex
test on its own and send the output? ie

$ make tests LTESTS=multiplex

[...]
> Also, still showing loads of the following message in syslog output
>
> Apr 4 15:52:12 srvname sshd[14794]: [ID 800047 auth.error] error: setsockopt
> SO_KEEPALIVE: Socket operation on non-socket
> Apr 4 15:52:13 srvname sshd[14796]: [ID 800047 auth.error] error: setsockopt
> SO_KEEPALIVE: Socket operation on non-socket

While annoying, this is harmless. It will be fixed after 4.1.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From maniac at maniac.nl Wed Apr 6 21:56:19 2005
From: maniac at maniac.nl (Mark Janssen)
Date: Wed, 06 Apr 2005 13:56:19 +0200
Subject: Monitoring ssh logins/logouts
In-Reply-To: <4253BCA5.3020308@info-systems.de>
References: <4253BCA5.3020308@info-systems.de>
Message-ID: <1112788579.5451.7.camel@localhost>

On Wed, 2005-04-06 at 12:40 +0200, Jakob Curdes wrote:
> Hello,
>
> we are trying to monitor ssh logins on security-critical machines with a
> script that scans logfiles for the relevant entries.
> A problem is that when the ssh connection is closed by a network
> interruption or by closing the window with the ssh client, we do not
> find a corresponding entry in the logs. "last" does not show this
> information either, at least on our systems which are RedHat Linux
> based. Is there any way to record a "User gone" or so? At a certain
> point, the daemon closes the connection when the client has gone away;
> would it be possible to log this?
>
> I would be grateful for a hint.

host sshd[pid]: (pam_unix) session opened for user myuser by (uid=0)
host sshd[pid]: (pam_unix) session closed for user myuser

Seems to work here just fine (killing the ssh connection with ~. or with kill)

Last also logs the logouts here...

myuser   pts/4        ip               Wed Apr  6 13:53 - 13:53  (00:00)
myuser   pts/4        ip               Wed Apr  6 13:52 - 13:52  (00:00)
myuser   pts/4        ip               Wed Apr  6 13:52 - 13:52  (00:00)

This is on a debian system, and using PAM and key-based auth.

-- 
Mark Janssen -- maniac(at)maniac.nl -- pgp: 0x357D2178     | ,''`.  |
Unix / Linux Open-Source and Internet Consultant @ Snow.nl | : :' : |
Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl                | `. `'  |
Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet | `-     |
From guyverdh at mchsi.com Wed Apr 6 23:05:54 2005
From: guyverdh at mchsi.com (guyverdh at mchsi.com)
Date: Wed, 06 Apr 2005 13:05:54 +0000
Subject: OpenSSH 4.1: call for testing.
Message-ID: <040620051305.15458.4253DEAD0004903E00003C622197912995080B9D0A90979A09@mchsi.com>

It appears to be the ls.copy file creation that's failing...

gmake tests LTESTS=multiplex
(cd openbsd-compat && gmake)
gmake[1]: Entering directory `/tech_svc/SSH/openssh-4.0p1/openbsd-compat'
gmake[1]: Nothing to be done for `all'.
gmake[1]: Leaving directory `/tech_svc/SSH/openssh-4.0p1/openbsd-compat'
BUILDDIR=`pwd`; \
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
[ -f `pwd`/regress/Makefile ] || \
ln -s `cd . && pwd`/regress/Makefile `pwd`/regress/Makefile ; \
TEST_SHELL="sh"; \
TEST_SSH_SSH="${BUILDDIR}/ssh"; \
TEST_SSH_SSHD="${BUILDDIR}/sshd"; \
TEST_SSH_SSHAGENT="${BUILDDIR}/ssh-agent"; \
TEST_SSH_SSHADD="${BUILDDIR}/ssh-add"; \
TEST_SSH_SSHKEYGEN="${BUILDDIR}/ssh-keygen"; \
TEST_SSH_SSHKEYSCAN="${BUILDDIR}/ssh-keyscan"; \
TEST_SSH_SFTP="${BUILDDIR}/sftp"; \
TEST_SSH_SFTPSERVER="${BUILDDIR}/sftp-server"; \
cd ./regress || exit $?; \
gmake \
    .OBJDIR="${BUILDDIR}/regress" \
    .CURDIR="`pwd`" \
    BUILDDIR="${BUILDDIR}" \
    OBJ="${BUILDDIR}/regress/" \
    PATH="${BUILDDIR}:${PATH}" \
    TEST_SHELL="${TEST_SHELL}" \
    TEST_SSH_SSH="${TEST_SSH_SSH}" \
    TEST_SSH_SSHD="${TEST_SSH_SSHD}" \
    TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}" \
    TEST_SSH_SSHADD="${TEST_SSH_SSHADD}" \
    TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" \
    TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" \
    TEST_SSH_SFTP="${TEST_SSH_SFTP}" \
    TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}" \
    EXEEXT="" \
    tests
gmake[1]: Entering directory `/tech_svc/SSH/openssh-4.0p1/regress'
ssh-keygen -if /tech_svc/SSH/openssh-4.0p1/regress/rsa_ssh2.prv | diff - /tech_svc/SSH/openssh-4.0p1/regress/rsa_openssh.prv
cat /tech_svc/SSH/openssh-4.0p1/regress/rsa_openssh.prv > /tech_svc/SSH/openssh-4.0p1/regress//t2.out
chmod 600 /tech_svc/SSH/openssh-4.0p1/regress//t2.out
ssh-keygen -yf /tech_svc/SSH/openssh-4.0p1/regress//t2.out | diff - /tech_svc/SSH/openssh-4.0p1/regress/rsa_openssh.pub
ssh-keygen -ef /tech_svc/SSH/openssh-4.0p1/regress/rsa_openssh.pub >/tech_svc/SSH/openssh-4.0p1/regress//rsa_secsh.pub
ssh-keygen -if /tech_svc/SSH/openssh-4.0p1/regress//rsa_secsh.pub | diff - /tech_svc/SSH/openssh-4.0p1/regress/rsa_openssh.pub
rm -f /tech_svc/SSH/openssh-4.0p1/regress/rsa_secsh.pub
ssh-keygen -lf /tech_svc/SSH/openssh-4.0p1/regress/rsa_openssh.pub |\
    awk '{print $2}' | diff - /tech_svc/SSH/openssh-4.0p1/regress/t4.ok
ssh-keygen -Bf /tech_svc/SSH/openssh-4.0p1/regress/rsa_openssh.pub |\
    awk '{print $2}' | diff - /tech_svc/SSH/openssh-4.0p1/regress/t5.ok
ssh-keygen -if /tech_svc/SSH/openssh-4.0p1/regress/dsa_ssh2.prv > /tech_svc/SSH/openssh-4.0p1/regress//t6.out1
ssh-keygen -if /tech_svc/SSH/openssh-4.0p1/regress/dsa_ssh2.pub > /tech_svc/SSH/openssh-4.0p1/regress//t6.out2
chmod 600 /tech_svc/SSH/openssh-4.0p1/regress//t6.out1
ssh-keygen -yf /tech_svc/SSH/openssh-4.0p1/regress//t6.out1 | diff - /tech_svc/SSH/openssh-4.0p1/regress//t6.out2
ssh-keygen -lf /tech_svc/SSH/openssh-4.0p1/regress//t7.out > /dev/null
ssh-keygen -Bf /tech_svc/SSH/openssh-4.0p1/regress//t7.out > /dev/null
run test multiplex.sh ...
test connection multiplexing: envpass
test connection multiplexing: transfer
scp: failed copy /bin/ls
cmp: cannot open /tech_svc/SSH/openssh-4.0p1/regress/ls.copy
scp: corrupted copy of /bin/ls
test connection multiplexing: status 0
test connection multiplexing: status 1
test connection multiplexing: status 4
test connection multiplexing: status 5
test connection multiplexing: status 44
Master running (pid=23831)
Exit request sent.
failed connection multiplexing
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/tech_svc/SSH/openssh-4.0p1/regress'
gmake: *** [tests] Error 2

> Thanks for testing.
>
> guyverdh at mchsi.com wrote:
> > Solaris 5.10
> >
> > Config works fine.
> >
> > Make works fine.
> >
> > Make tests - fails.
> >
> > Master running (pid=21217)
> > Exit request sent.
> > failed connection multiplexing
>
> So far I've not been able to reproduce this (Sol10/x86).
>
> Is there any output from before this line? Could you run the multiplex
> test on its own and send the output? ie
>
> $ make tests LTESTS=multiplex
>
> [...]
> > Also, still showing loads of the following message in syslog output
> >
> > Apr 4 15:52:12 srvname sshd[14794]: [ID 800047 auth.error] error: setsockopt
> > SO_KEEPALIVE: Socket operation on non-socket
> > Apr 4 15:52:13 srvname sshd[14796]: [ID 800047 auth.error] error: setsockopt
> > SO_KEEPALIVE: Socket operation on non-socket
>
> While annoying, this is harmless. It will be fixed after 4.1.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

From dtucker at zip.com.au Wed Apr 6 23:19:07 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 06 Apr 2005 23:19:07 +1000
Subject: OpenSSH 4.1: call for testing.
In-Reply-To: <040620051305.15458.4253DEAD0004903E00003C622197912995080B9D0A90979A09@mchsi.com>
References: <040620051305.15458.4253DEAD0004903E00003C622197912995080B9D0A90979A09@mchsi.com>
Message-ID: <4253E1CB.6090507@zip.com.au>

guyverdh at mchsi.com wrote:
> It appears to be the ls.copy file creation that's failing...
[...]
> scp: failed copy /bin/ls
> cmp: cannot open /tech_svc/SSH/openssh-4.0p1/regress/ls.copy
> scp: corrupted copy of /bin/ls

Ah, I'll bet that either scp is not in the server's $PATH, or that the
first one in the path is the SunSSH one.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From jc at info-systems.de Wed Apr 6 23:40:08 2005
From: jc at info-systems.de (Jakob Curdes)
Date: Wed, 06 Apr 2005 15:40:08 +0200
Subject: Monitoring ssh logins/logouts
In-Reply-To: <4253CCE0.9090201@zip.com.au>
References: <4253BCA5.3020308@info-systems.de> <4253CCE0.9090201@zip.com.au>
Message-ID: <4253E6B8.2080408@info-systems.de>

Darren Tucker wrote:
> Jakob Curdes wrote:
>
>> we are trying to monitor ssh logins on security-critical machines
>> with a script that scans logfiles for the relevant entries.
>> A problem is that when the ssh connection is closed by a network
>> interruption or by closing the window with the ssh client, we do not
>> find a corresponding entry in the logs.
>
>
> Which OpenSSH version, and is it a vendor-supplied package or
> self-compiled?
>
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
self-compiled.

>
> I think sshd should update last on disconnects, if it doesn't it
> should be investigated.
>
I checked in what situations the problem occurs - it turns out that most
closed connections are displayed properly by last.
Problems arise e.g. when the session is closed through a reconnecting
DSL router; those connections are displayed as "still logged in" while
the connection on the client side has been closed long ago.

>
> The optional audit code in 4.0p1 will catch these disconnect
> events and syslog them if you enable it (configure --with-audit=debug).
>
I will play around with that option and see if we can excerpt the
relevant information from the additional messages.

Thank you for your hints,

Jakob Curdes

From guyverdh at mchsi.com Wed Apr 6 23:48:34 2005
From: guyverdh at mchsi.com (guyverdh at mchsi.com)
Date: Wed, 06 Apr 2005 13:48:34 +0000
Subject: OpenSSH 4.1: call for testing.
Message-ID: <040620051348.7179.4253E8B20008C4C300001C0B2197926761080B9D0A90979A09@mchsi.com>

I had already removed the "SunSSH" packages.

I have yet to "make install" the new code, so the PATH'ing shouldn't have
been an issue.

I did, however, add /tech_svc/SSH/opessn-4.0p1 to the PATH env-var, and
re-ran the gmake tests LTESTS=multiplex with no changes apparent

I then modified my PATH to include ./ as the last element, with no
differences.

Then I changed the entry /bin/ls to /usr/bin/ls since /bin is a sym-link
to /usr/bin, with no change in output.

I finally ran gmake install, then re-ran the tests, and the tests
succeeded.

ie - apparently, it's trying to run SCP from the installed directory,
instead of the directory where it had been compiled.

Wouldn't we want tests to succeed, before running the install?

gmake tests LTESTS=multiplex
(cd openbsd-compat && gmake)
gmake[1]: Entering directory `/tech_svc/SSH/openssh-4.0p1/openbsd-compat'
gmake[1]: Nothing to be done for `all'.
gmake[1]: Leaving directory `/tech_svc/SSH/openssh-4.0p1/openbsd-compat'
BUILDDIR=`pwd`; \
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
[ -f `pwd`/regress/Makefile ] || \
ln -s `cd . && pwd`/regress/Makefile `pwd`/regress/Makefile ; \
TEST_SHELL="sh"; \
TEST_SSH_SSH="${BUILDDIR}/ssh"; \
TEST_SSH_SSHD="${BUILDDIR}/sshd"; \
TEST_SSH_SSHAGENT="${BUILDDIR}/ssh-agent"; \
TEST_SSH_SSHADD="${BUILDDIR}/ssh-add"; \
TEST_SSH_SSHKEYGEN="${BUILDDIR}/ssh-keygen"; \
TEST_SSH_SSHKEYSCAN="${BUILDDIR}/ssh-keyscan"; \
TEST_SSH_SFTP="${BUILDDIR}/sftp"; \
TEST_SSH_SFTPSERVER="${BUILDDIR}/sftp-server"; \
cd ./regress || exit $?; \
gmake \
    .OBJDIR="${BUILDDIR}/regress" \
    .CURDIR="`pwd`" \
    BUILDDIR="${BUILDDIR}" \
    OBJ="${BUILDDIR}/regress/" \
    PATH="${BUILDDIR}:${PATH}" \
    TEST_SHELL="${TEST_SHELL}" \
    TEST_SSH_SSH="${TEST_SSH_SSH}" \
    TEST_SSH_SSHD="${TEST_SSH_SSHD}" \
    TEST_SSH_SSHAGENT="${TEST_SSH_SSHAGENT}" \
    TEST_SSH_SSHADD="${TEST_SSH_SSHADD}" \
    TEST_SSH_SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" \
    TEST_SSH_SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" \
    TEST_SSH_SFTP="${TEST_SSH_SFTP}" \
    TEST_SSH_SFTPSERVER="${TEST_SSH_SFTPSERVER}" \
    EXEEXT="" \
    tests
gmake[1]: Entering directory `/tech_svc/SSH/openssh-4.0p1/regress'
ssh-keygen -if /tech_svc/SSH/openssh-4.0p1/regress/rsa_ssh2.prv | diff - /tech_svc/SSH/openssh-4.0p1/regress/rsa_openssh.prv
cat /tech_svc/SSH/openssh-4.0p1/regress/rsa_openssh.prv > /tech_svc/SSH/openssh-4.0p1/regress//t2.out
chmod 600 /tech_svc/SSH/openssh-4.0p1/regress//t2.out
ssh-keygen -yf /tech_svc/SSH/openssh-4.0p1/regress//t2.out | diff - /tech_svc/SSH/openssh-4.0p1/regress/rsa_openssh.pub
ssh-keygen -ef /tech_svc/SSH/openssh-4.0p1/regress/rsa_openssh.pub >/tech_svc/SSH/openssh-4.0p1/regress//rsa_secsh.pub
ssh-keygen -if /tech_svc/SSH/openssh-4.0p1/regress//rsa_secsh.pub | diff - /tech_svc/SSH/openssh-4.0p1/regress/rsa_openssh.pub
rm -f /tech_svc/SSH/openssh-4.0p1/regress/rsa_secsh.pub
ssh-keygen -lf /tech_svc/SSH/openssh-4.0p1/regress/rsa_openssh.pub |\
    awk '{print $2}' | diff - /tech_svc/SSH/openssh-4.0p1/regress/t4.ok
ssh-keygen -Bf /tech_svc/SSH/openssh-4.0p1/regress/rsa_openssh.pub |\
    awk '{print $2}' | diff - /tech_svc/SSH/openssh-4.0p1/regress/t5.ok
ssh-keygen -if /tech_svc/SSH/openssh-4.0p1/regress/dsa_ssh2.prv > /tech_svc/SSH/openssh-4.0p1/regress//t6.out1
ssh-keygen -if /tech_svc/SSH/openssh-4.0p1/regress/dsa_ssh2.pub > /tech_svc/SSH/openssh-4.0p1/regress//t6.out2
chmod 600 /tech_svc/SSH/openssh-4.0p1/regress//t6.out1
ssh-keygen -yf /tech_svc/SSH/openssh-4.0p1/regress//t6.out1 | diff - /tech_svc/SSH/openssh-4.0p1/regress//t6.out2
ssh-keygen -lf /tech_svc/SSH/openssh-4.0p1/regress//t7.out > /dev/null
ssh-keygen -Bf /tech_svc/SSH/openssh-4.0p1/regress//t7.out > /dev/null
run test multiplex.sh ...
test connection multiplexing: envpass
test connection multiplexing: transfer
test connection multiplexing: status 0
test connection multiplexing: status 1
test connection multiplexing: status 4
test connection multiplexing: status 5
test connection multiplexing: status 44
Master running (pid=24948)
Exit request sent.
ok connection multiplexing
gmake[1]: Leaving directory `/tech_svc/SSH/openssh-4.0p1/regress'

> guyverdh at mchsi.com wrote:
> > It appears to be the ls.copy file creation that's failing...
> [...]
> > scp: failed copy /bin/ls
> > cmp: cannot open /tech_svc/SSH/openssh-4.0p1/regress/ls.copy
> > scp: corrupted copy of /bin/ls
>
> Ah, I'll bet that either scp is not in the server's $PATH, or that the
> first one in the path is the SunSSH one.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

From dtucker at zip.com.au Thu Apr 7 00:05:01 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 07 Apr 2005 00:05:01 +1000
Subject: OpenSSH 4.1: call for testing.
In-Reply-To: <040620051348.7179.4253E8B20008C4C300001C0B2197926761080B9D0A90979A09@mchsi.com>
References: <040620051348.7179.4253E8B20008C4C300001C0B2197926761080B9D0A90979A09@mchsi.com>
Message-ID: <4253EC8D.2000400@zip.com.au>

guyverdh at mchsi.com wrote:
[...]
> ie - apparently, it's trying to run SCP from the installed directory, instead of
> the directory where it had been compiled.
>
> Wouldn't we want tests to succeed, before running the install?

Sure, but the problem is that during the multiplex tests, the local scp
runs the remote scp via sshd, which means that sshd runs scp via the
user's shell. It's the shell that determines which scp gets run.

The stand-alone scp tests actually use a wrapper script to simulate the
server connection so it doesn't have this problem, but in the multiplex
tests we're actually testing the server connection...

If scp had an option to specify an absolute path to the remote scp (there
was one posted to the list a while back) then that could be used to solve
this particular problem.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From maniac.nl at gmail.com Thu Apr 7 00:15:07 2005
From: maniac.nl at gmail.com (Mark Janssen)
Date: Wed, 6 Apr 2005 16:15:07 +0200
Subject: Monitoring ssh logins/logouts
In-Reply-To: <4253E6B8.2080408@info-systems.de>
References: <4253BCA5.3020308@info-systems.de> <4253CCE0.9090201@zip.com.au> <4253E6B8.2080408@info-systems.de>
Message-ID: <531e3e4c05040607155d44cb53@mail.gmail.com>

On Apr 6, 2005 3:40 PM, Jakob Curdes wrote:
> I checked in what situations the problem occurs - it turns out that most
> closed connections are displayed properly by last.
> Problems arise e.g. when the session is closed through a reconnecting
> DSL router; those connections are displayed as "still logged in" while
> the connection on the client side has been closed long ago.

Maybe turning on some SSH keepalive options on the SSH server will help
here. Dropped connections are noticed sooner. Also helps keep connections
from timing out on some crappy dsl routers ;)

Look in the sshd manual for:
ProtocolKeepAlive
KeepAlive

-- 
Mark Janssen -- maniac(at)maniac.nl -- pgp: 0x357D2178     | ,''`.  |
Unix / Linux Open-Source and Internet Consultant @ Snow.nl | : :' : |
Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl                | `. `'  |
Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet | `-     |

From jc at info-systems.de Thu Apr 7 01:00:50 2005
From: jc at info-systems.de (Jakob Curdes)
Date: Wed, 06 Apr 2005 17:00:50 +0200
Subject: Monitoring ssh logins/logouts
In-Reply-To: <531e3e4c05040607155d44cb53@mail.gmail.com>
References: <4253BCA5.3020308@info-systems.de> <4253CCE0.9090201@zip.com.au> <4253E6B8.2080408@info-systems.de> <531e3e4c05040607155d44cb53@mail.gmail.com>
Message-ID: <4253F9A2.5080106@info-systems.de>

> Maybe turning on some SSH keepalive options on the SSH server will
> help here. Dropped connections are noticed sooner. Also helps keep
> connections from timing out on some crappy dsl routers ;)
>
> Look in the sshd manual for:
> ProtocolKeepAlive
> KeepAlive
>
>
KeepAlive is on; but this will not help here - the Server has a fixed IP
on a permanent line and the _Client_ disconnection was a forced
disconnect from the provider of the client side with a dynamic IP. There
is no way for an SSH connection to survive such a scenario.

Jakob Curdes

From stuge-openssh-unix-dev at cdy.org Thu Apr 7 02:31:36 2005
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Wed, 6 Apr 2005 18:31:36 +0200
Subject: Monitoring ssh logins/logouts
In-Reply-To: <4253F9A2.5080106@info-systems.de>
References: <4253BCA5.3020308@info-systems.de> <4253CCE0.9090201@zip.com.au> <4253E6B8.2080408@info-systems.de> <531e3e4c05040607155d44cb53@mail.gmail.com> <4253F9A2.5080106@info-systems.de>
Message-ID: <20050406163136.GC17627@foo.birdnet.se>

On Wed, Apr 06, 2005 at 05:00:50PM +0200, Jakob Curdes wrote:
> KeepAlive is on; but this will not help here - the Server has a
> fixed IP on a permanent line and the _Client_ disconnection was a
> forced disconnect from the provider of the client side with a
> dynamic IP.

Yes, that's what I figured happened as well.

> There is no way for an SSH connection to survive such a scenario.

No, but the suggested configuration options will allow you to detect
such a scenario within a short period of time.

//Peter

From gjpc at OB1Net.net Thu Apr 7 05:40:37 2005
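The log-scanning script Jakob Curdes asks about in the "Monitoring ssh logins/logouts" thread above, as an added example (not code from the list or from OpenSSH): it pairs the pam_unix "session opened" / "session closed" lines Mark Janssen quoted by sshd pid, and flags sessions with no close logged for hours, the "still logged in" entries Jakob describes (the ones server-side keepalives would close sooner, as Peter Stuge notes). The sample log lines, the year and the "current time" are constructed; the function names are my own.

```python
"""Pair sshd (pam_unix) "session opened" / "session closed" syslog lines
into login/logout records and flag sessions that never closed.

Added example for the monitoring thread above; it is not code from the
list or from OpenSSH. The log lines are constructed here in the format
Mark Janssen quoted. Syslog timestamps carry no year, so one is passed in.
"""
import re
from datetime import datetime, timedelta

# Only the pam_unix session lines are matched; other sshd lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: \(pam_unix\) "
    r"session (?P<event>opened|closed) for user (?P<user>\S+)"
)

# Constructed sample: a session whose peer vanished hours ago (no close
# ever logged), two clean sessions, a fresh session, an unrelated sshd
# line, and a close whose open predates the start of the log.
SAMPLE_LOG = """\
Apr  6 09:10:15 host sshd[3999]: (pam_unix) session opened for user backup by (uid=0)
Apr  6 13:52:01 host sshd[4711]: (pam_unix) session opened for user myuser by (uid=0)
Apr  6 13:52:40 host sshd[4711]: (pam_unix) session closed for user myuser
Apr  6 13:53:05 host sshd[4720]: (pam_unix) session opened for user myuser by (uid=0)
Apr  6 13:53:30 host sshd[4720]: (pam_unix) session closed for user myuser
Apr  6 13:54:58 host sshd[4801]: Accepted publickey for ops from 192.0.2.10 port 51234 ssh2
Apr  6 13:55:00 host sshd[4801]: (pam_unix) session opened for user ops by (uid=0)
Apr  6 13:56:10 host sshd[4650]: (pam_unix) session closed for user old
"""
SAMPLE_YEAR = 2005
SAMPLE_NOW = datetime(2005, 4, 6, 14, 0, 0)   # "current time" for the sample


def parse_line(line, year):
    """Return a dict for a pam_unix session line, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts_text = " ".join(m.group("ts").split())   # collapse the padded day field
    return {
        "ts": datetime.strptime("%d %s" % (year, ts_text), "%Y %b %d %H:%M:%S"),
        "host": m.group("host"),
        "pid": int(m.group("pid")),
        "event": m.group("event"),
        "user": m.group("user"),
    }


def pair_sessions(lines, year, now, stale_after=timedelta(hours=2)):
    """Match opens and closes by sshd pid.

    Returns {"closed": [...], "open": [...], "stale": [...]}, where "stale"
    is the subset of "open" older than stale_after: sessions with no close
    logged, worth reviewing as possible dead peers."""
    open_by_pid = {}
    closed = []
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        if rec["event"] == "opened":
            open_by_pid[rec["pid"]] = rec
            continue
        start = open_by_pid.pop(rec["pid"], None)   # None: open predates the log
        closed.append({
            "user": rec["user"],
            "pid": rec["pid"],
            "start": start["ts"] if start else None,
            "end": rec["ts"],
            "duration": (rec["ts"] - start["ts"]) if start else None,
        })
    still_open = list(open_by_pid.values())
    stale = [s for s in still_open if now - s["ts"] > stale_after]
    return {"closed": closed, "open": still_open, "stale": stale}


def demo():
    """Run the pairing over the constructed sample."""
    return pair_sessions(SAMPLE_LOG.splitlines(), SAMPLE_YEAR, SAMPLE_NOW)


if __name__ == "__main__":
    result = demo()
    for s in result["closed"]:
        print("closed  %-8s pid=%d %s -> %s (%s)" % (
            s["user"], s["pid"], s["start"], s["end"], s["duration"]))
    for s in result["stale"]:
        print("STALE   %-8s pid=%d open since %s, no close logged" % (
            s["user"], s["pid"], s["ts"]))
```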
From: gjpc at OB1Net.net (Gerard J. Cerchio)
Date: Wed, 06 Apr 2005 12:40:37 -0700
Subject: Feature Suggestion - scp don't decrypt file at destination unencrypt on copy back switch
Message-ID: <42543B35.4000903@OB1Net.net>

Hi all,

Please pardon me if this has been discussed already on this list. I
searched on "destination" and did not find a hit.

The problem I am trying to solve is having backups on a remote server that
even root cannot read. I have seen lots of specialized file systems and
volume drivers for various operating systems. But being that all files are
already scp'd to the destination(s) I am thinking that the most efficient
way to do this on a user by user basis may be a switch in the scp command.
This solution would be highly portable and easily automated.

The idea is this: when this switch is present, the file is encrypted on the
fly just as always. However when the file reaches the destination, it is
emitted onto the disk in the transported encrypted state. The decryption
stage is by-passed. The file name is then marked with a unique file
extension to indicate that it is encrypted.

When scp is called from the source machine to copy the file back, the file
remote agent recognizes the extension and does not re-encrypt the file but
sends the encrypted file. The file receiving agent then decrypts the file
and the copy is restored.

Alternatives may be to allow scp to take a source file from stdin, but then
encryption would be happening twice.

Of course there is always the script that encrypts files, scp's them and
it's scp'ing, decrypting partner, but this is what I am trying to avoid.

Any comments?

Gerard J. Cerchio
gjpc at circlesoft.com
www.circlesoft.com

From rick.jones2 at hp.com Thu Apr 7 06:30:10 2005
From: rick.jones2 at hp.com (Rick Jones)
Date: Wed, 06 Apr 2005 13:30:10 -0700
Subject: Feature Suggestion - scp don't decrypt file at destination unencrypt on copy back switch
In-Reply-To: <42543B35.4000903@OB1Net.net>
References: <42543B35.4000903@OB1Net.net>
Message-ID: <425446D2.1060404@hp.com>

> Of course there is always the script that encrypts files, scp's them and
> it's scp'ing, decrypting partner, but this is what I am trying to avoid.
>
> Any comments?

aren't the encryption keys different for every invocation of scp? or can
one tell scp the keys to use and have the keys be the same for each
session? otherwise you have a key per file and that would present
something of a key storage problem wouldn't it?

rick jones

From stuge-openssh-unix-dev at cdy.org Thu Apr 7 06:40:17 2005
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Wed, 6 Apr 2005 22:40:17 +0200
Subject: Feature Suggestion - scp don't decrypt file at destination unencrypt on copy back switch
In-Reply-To: <42543B35.4000903@OB1Net.net>
References: <42543B35.4000903@OB1Net.net>
Message-ID: <20050406204017.GA4049@foo.birdnet.se>

On Wed, Apr 06, 2005 at 12:40:37PM -0700, Gerard J. Cerchio wrote:
> Any comments?

There are several reasons why this is a bad idea, some political, some
security-related.

scp has a single purpose in OpenSSH; a drop-in replacement for rcp.

All new file-transfer development should go into sftp instead.

The encryption "environment" in which scp and sftp runs (provided by
ssh) works well as designed but is probably not the best choice for
encrypted disk storage.

You are of course welcome to create a custom subsystem for maintaining
and accessing encrypted storage volumes, but I doubt it will ever be
part of OpenSSH. (Like any other custom subsystem not in the SSH
specification I guess.)

//Peter

From gjpc at OB1Net.net Thu Apr 7 06:41:28 2005
From: gjpc at OB1Net.net (Gerard J. Cerchio)
Date: Wed, 06 Apr 2005 13:41:28 -0700
Subject: Feature Suggestion - scp don't decrypt file at destination unecrypt on copy back switch
In-Reply-To: <425446D2.1060404@hp.com>
References: <42543B35.4000903@OB1Net.net> <425446D2.1060404@hp.com>
Message-ID: <42544978.30700@OB1Net.net>

Rick Jones wrote:
>> Of course there is always the script that encrypts files, scp's them and
>> its scp'ing, decrypting partner, but this is what I am trying to avoid.
>>
>> Any comments?
>
> aren't the encryption keys different for every invocation of scp? or
> can one tell scp the keys to use and have the keys be the same for
> each session? otherwise you have a key per file and that would present
> something of a key storage problem wouldn't it?
>
> rick jones

If this is true then I would pick up the ssh trick of using the keys in ~/.ssh. Pass those keys into openSSL...

BTW I am also suggesting that I perform the coding for this patch.

Gerard

From gjpc at OB1Net.net Thu Apr 7 07:18:50 2005
From: gjpc at OB1Net.net (Gerard J. Cerchio)
Date: Wed, 06 Apr 2005 14:18:50 -0700
Subject: Feature Suggestion - scp don't decrypt file at, destination unecrypt on copy back switch
In-Reply-To: <425446D2.1060404@hp.com>
References: <42543B35.4000903@OB1Net.net> <425446D2.1060404@hp.com>
Message-ID: <4254523A.6020205@OB1Net.net>

Peter Stuge wrote:
> All new file-transfer development should go into sftp instead.

fine with me.

> The encryption "environment" in which scp and sftp runs (provided by
> ssh) works well as designed but is probably not the best choice for
> encrypted disk storage.

Peter I wonder if you can expand on this. Once the data has been run through an encryption what does it matter if it is in transport or static?

thanks,
Gerard

From djm at mindrot.org Thu Apr 7 07:31:41 2005
From: djm at mindrot.org (Damien Miller)
Date: Thu, 07 Apr 2005 07:31:41 +1000
Subject: Feature Suggestion - scp don't decrypt file at destination unecrypt on copy back switch
In-Reply-To: <42543B35.4000903@OB1Net.net>
References: <42543B35.4000903@OB1Net.net>
Message-ID: <4254553D.4030405@mindrot.org>

Gerard J. Cerchio wrote:
> The idea is this: when this switch is present, the file is encrypted on the
> fly just as always. However when the file reaches the destination, it
> is emitted onto the disk in the transported encrypted state. The
> decryption stage is by-passed. The file name is then marked with a unique file
> extension to indicate that it is encrypted.

This won't work without drastic changes to scp and ssh. scp doesn't know the session keys that ssh uses (and shouldn't) - it just treats ssh as a secure transport.

If you want encryption for backups, this is a good recipe:

tar zcf - /path/to/whatever | gpg --encrypt -r publickey@domain.com | \
    ssh user@backuphost "dd of=backup.tar.gz.pgp"

-d

From gjpc at OB1Net.net Thu Apr 7 07:50:24 2005
From: gjpc at OB1Net.net (Gerard J. Cerchio)
Date: Wed, 06 Apr 2005 14:50:24 -0700
Subject: Feature Suggestion - scp don't decrypt file at destination unecrypt on copy back switch
Message-ID: <425459A0.1000208@OB1Net.net>

Damien wrote:
> tar zcf - /path/to/whatever | gpg --encrypt -r publickey@domain.com | \
>     ssh user@backuphost "dd of=backup.tar.gz.pgp"

Thanks Damien, but this solution leads to single file recovery problems, especially given that most users can't tell a tar from a feather. ;)

It will also bulk up the data transfer making the data less compressible and larger due to entropy added during encryption.

Gerard

From gjpc at OB1Net.net Thu Apr 7 07:56:03 2005
From: gjpc at OB1Net.net (Gerard J. Cerchio)
Date: Wed, 06 Apr 2005 14:56:03 -0700
Subject: Apology
Message-ID: <42545AF3.9000801@OB1Net.net>

Sorry all, I am still looking for the README on how to adhere to the subject hierarchy on the posts. I should have learned to post years ago...

Gerard Cerchio

From stuge-openssh-unix-dev at cdy.org Thu Apr 7 08:29:32 2005
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Thu, 7 Apr 2005 00:29:32 +0200
Subject: Feature Suggestion - scp don't decrypt file at, destination unecrypt on copy back switch
In-Reply-To: <4254523A.6020205@OB1Net.net>
References: <42543B35.4000903@OB1Net.net> <425446D2.1060404@hp.com> <4254523A.6020205@OB1Net.net>
Message-ID: <20050406222932.GA15301@foo.birdnet.se>

On Wed, Apr 06, 2005 at 02:18:50PM -0700, Gerard J. Cerchio wrote:
> Peter Stuge wrote:
> >The encryption "environment" in which scp and sftp runs (provided by
> >ssh) works well as designed but is probably not the best choice for
> >encrypted disk storage.
>
> Peter I wonder if you can expand on this. Once the data has been
> run through an encryption what does it matter if it is in transport
> or static?

An encryption is only as secure as its key. The keys used to encrypt the data stream are generated on the fly and rekeying may occur frequently in a session. Just keeping track of all of these keys seems like a lot of work for not much benefit.

But, like I said, if you want to make a backup subsystem I doubt anyone would object. If you release it and it's handy I'll use it too! :)

//Peter

From stuge-openssh-unix-dev at cdy.org Thu Apr 7 08:30:16 2005
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Thu, 7 Apr 2005 00:30:16 +0200
Subject: Feature Suggestion - scp don't decrypt file at destination unecrypt on copy back switch
In-Reply-To: <425459A0.1000208@OB1Net.net>
References: <425459A0.1000208@OB1Net.net>
Message-ID: <20050406223016.GB15301@foo.birdnet.se>

On Wed, Apr 06, 2005 at 02:50:24PM -0700, Gerard J. Cerchio wrote:
> Thanks Damien, but this solution leads to single file recovery
> problems, especially given that most users can't tell a tar from a
> feather. ;)

On the other hand, OpenSSH isn't really a backup software.

//Peter

From rapier at psc.edu Thu Apr 7 09:47:59 2005
From: rapier at psc.edu (Chris Rapier)
Date: Wed, 06 Apr 2005 19:47:59 -0400
Subject: Feature Suggestion - scp don't decrypt file at destination unecrypt on copy back switch
In-Reply-To: <20050406223016.GB15301@foo.birdnet.se>
References: <425459A0.1000208@OB1Net.net> <20050406223016.GB15301@foo.birdnet.se>
Message-ID: <4254752F.2060005@psc.edu>

Peter Stuge wrote:
> On Wed, Apr 06, 2005 at 02:50:24PM -0700, Gerard J. Cerchio wrote:
>
>>Thanks Damien, but this solution leads to single file recovery
>>problems, especially given that most users can't tell a tar from a
>>feather. ;)
>
> On the other hand, OpenSSH isn't really a backup software.

To amplify: It really isn't. I feel it's best to think of it as a transport protocol riding on top of TCP (this would be especially true for SSHv2) or as a pipe. What happens on either end of the pipe isn't really something that SSH should necessarily be involved with.

The main thing you seem to be looking to do is to save yourself the trauma of double encryption. I'd suggest that the easiest way to do that is to set up a kerberos realm, encrypt the file locally, and use KFTP - that way you get secure authentication, you don't get the performance hit of using standard V2, and you don't have double encryption. Since you can script KFTP you can even write a shell script or perl whatever to handle the encryption and file handling processes inbound and outbound.

chris

From gjpc at OB1Net.net Thu Apr 7 09:58:14 2005
From: gjpc at OB1Net.net (Gerard J. Cerchio)
Date: Wed, 06 Apr 2005 16:58:14 -0700
Subject: Feature Suggestion - scp don't decrypt file at destination unecrypt on copy back switch
Message-ID: <42547796.8000303@OB1Net.net>

Peter wrote:
> On the other hand, OpenSSH isn't really a backup software.

Maintaining the design concept of small "filter" programs performing tasks that are linked together to perform ever more complex tasks is the design goal of UNIX, circa 1974, Murray Labs.

From dtucker at zip.com.au Thu Apr 7 10:11:54 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 07 Apr 2005 10:11:54 +1000
Subject: Feature Suggestion - scp don't decrypt file at destination unecrypt on copy back switch
In-Reply-To: <425459A0.1000208@OB1Net.net>
References: <425459A0.1000208@OB1Net.net>
Message-ID: <42547ACA.8040506@zip.com.au>

Gerard J. Cerchio wrote:
> Damien wrote:
>
> > tar zcf - /path/to/whatever | gpg --encrypt -r publickey at
[...]
> It will also bulk up the data transfer making the data less compressible
> and larger due to entropy added during encryption.

The tar will compress anyway so that's likely to have little if any impact (you will probably get better performance by disabling compression in ssh).

Unless you have a very fast pipe and very slow CPUs then one extra symmetric encryption is not likely to be a bottleneck (eg, raw arcfour runs at ~45 MByte/sec on a P2/400), and the load is distributed on the clients anyway.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From daveroth at acm.org Thu Apr 7 10:48:19 2005
From: daveroth at acm.org (David Rothenberger)
Date: Wed, 06 Apr 2005 17:48:19 -0700
Subject: problem with remote forward and SSH 2.4.0 server
In-Reply-To: <4251EA94.7080907@acm.org>
References: <4251EA94.7080907@acm.org>
Message-ID: <42548353.3080009@acm.org>

On 4/4/2005 6:32 PM, David Rothenberger wrote:
> I'm having a problem with OpenSSH_4.0p1 when trying to do remote port
> forwards to a server running SSH Secure Shell 2.4.0.
[...]
> The attached patch solves the problem for me.

The silence regarding my earlier post makes me think I did something wrong? Is this the correct place to report bugs and propose patches to fix them?

--
David Rothenberger
spammer? -> spam at daveroth.dyndns.org
GPG/PGP: 0x7F67E734, C233 365A 25EF 2C5F C8E1 43DF B44F BA26 7F67 E734

Under capitalism, man exploits man. Under communism, it's just the opposite.
                -- J.K. Galbraith

From djm at mindrot.org Thu Apr 7 21:05:20 2005
From: djm at mindrot.org (Damien Miller)
Date: Thu, 07 Apr 2005 21:05:20 +1000
Subject: Feature Suggestion - scp don't decrypt file at destination unecrypt on copy back switch
In-Reply-To: <425459A0.1000208@OB1Net.net>
References: <425459A0.1000208@OB1Net.net>
Message-ID: <425513F0.5080508@mindrot.org>

Gerard J. Cerchio wrote:
> Damien wrote:
>
> > tar zcf - /path/to/whatever | gpg --encrypt -r publickey@domain.com | \
> >     ssh user@backuphost "dd of=backup.tar.gz.pgp"
>
> Thanks Damien, but this solution leads to single file recovery problems,
> especially given that most users can't tell a tar from a feather. ;)

I don't follow - tar and OpenPGP are standard and widely used formats and any other encrypted format would have similar issues. If you don't like tar, then you can zip to similar effect.

> It will also bulk up the data transfer making the data less compressible
> and larger due to entropy added during encryption.

No. The data is compressed before encryption.

-d

From vinschen at redhat.com Thu Apr 7 21:22:42 2005
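The disagreement above about whether gpg "bulks up" the transfer comes down to ordering: compress first, then encrypt, which is what `tar z | gpg | ssh` does (and gpg compresses by default before encrypting in any case). The script below is an added example, not code from the thread, from OpenSSH or from GnuPG; it measures both orders on a constructed, repetitive sample "backup". It uses zlib in place of `tar z`/gpg's compressor and a stand-in keystream (SHA-256 in counter mode) in place of a real cipher, purely so the ciphertext has the random-looking shape that defeats a later compressor; neither the key nor the cipher is meant for real data.

```python
"""Compress-then-encrypt versus encrypt-then-compress, measured.

Added example for this thread; not OpenSSH, GnuPG or a list member's code.
zlib stands in for `tar z` / gpg's own compression, and keystream_xor() is a
stand-in cipher (SHA-256 in counter mode) that only needs to make its output
look random; real backups should use gpg/AES, not this.
"""
import hashlib
import zlib

# Constructed sample "backup": highly repetitive text, like most config dumps.
SAMPLE_BACKUP = (
    b"# constructed sample: ssh client config repeated many times\n"
    + b"Host backup\n    HostName backup.example.invalid\n    User backup\n" * 200
)
KEY = b"constructed-demo-key"  # demo key, not a real secret


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR `data` with SHA-256(key || block counter). Symmetric: applying it
    twice with the same key restores the input."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def compress_then_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """The tar z | gpg | ssh order: redundancy is removed before the cipher
    turns the stream into something incompressible."""
    return keystream_xor(key, zlib.compress(plaintext, 9))


def encrypt_then_compress(key: bytes, plaintext: bytes) -> bytes:
    """The order Gerard feared: compressing ciphertext cannot shrink it,
    because cipher output has no exploitable redundancy (zlib falls back to
    stored blocks and the result is a few bytes larger than the input)."""
    return zlib.compress(keystream_xor(key, plaintext), 9)


def restore(key: bytes, blob: bytes) -> bytes:
    """Inverse of compress_then_encrypt(): decrypt, then decompress."""
    return zlib.decompress(keystream_xor(key, blob))


def size_report(key: bytes = KEY, plaintext: bytes = SAMPLE_BACKUP) -> dict:
    """Byte counts for the plaintext and for both orderings."""
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt(key, plaintext)),
        "encrypt_then_compress": len(encrypt_then_compress(key, plaintext)),
    }


if __name__ == "__main__":
    report = size_report()
    for name, size in report.items():
        print(f"{name:>22}: {size} bytes")
    assert restore(KEY, compress_then_encrypt(KEY, SAMPLE_BACKUP)) == SAMPLE_BACKUP
```

Running it shows the compress-then-encrypt output at a small fraction of the plaintext size, while encrypt-then-compress comes out slightly larger than the plaintext. That is also why Darren suggests turning off ssh's own compression for this pipeline: by the time the data reaches ssh it is already ciphertext.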
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 7 Apr 2005 13:22:42 +0200
Subject: Multiple log entries for successful pubkey authentication
Message-ID: <20050407112242.GR1471@cygbert.vinschen.de>

Hi,

I'm wondering if that's planned or just occurring accidentally.

With OpenSSH 4.0 and the upcoming 4.1, I'm getting two entries in syslog when a pubkey authentication logon was successful:

  Apr 7 13:19:10 cathi sshd : PID 66116 : Accepted publickey for corinna from 192.168.129.6 port 40207 ssh2
  Apr 7 13:19:10 cathi sshd : PID 67060 : Accepted publickey for corinna from 192.168.129.6 port 40207 ssh2

I found that this only happens when privilege separation is used. If I switch privilege separation off, I'm getting only one entry in the syslog.

Bug? Feature?

Corinna

--
Corinna Vinschen                  Cygwin Project Co-Leader
Red Hat, Inc.

From dtucker at zip.com.au Thu Apr 7 21:49:06 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 07 Apr 2005 21:49:06 +1000
Subject: Multiple log entries for successful pubkey authentication
In-Reply-To: <20050407112242.GR1471@cygbert.vinschen.de>
References: <20050407112242.GR1471@cygbert.vinschen.de>
Message-ID: <42551E32.3050706@zip.com.au>

Corinna Vinschen wrote:
> With OpenSSH 4.0 and the upcoming 4.1, I'm getting two entries in syslog
> when a pubkey authentication logon was successful:
>
>   Apr 7 13:19:10 cathi sshd : PID 66116 : Accepted publickey for corinna from 192.168.129.6 port 40207 ssh2
>   Apr 7 13:19:10 cathi sshd : PID 67060 : Accepted publickey for corinna from 192.168.129.6 port 40207 ssh2
>
> I found that this only happens when privilege separation is used. If I
> switch privilege separation off, I'm getting only one entry in the syslog.

I think that's because the auth_log is called twice: once in the monitor and once in the slave. If that's the case you should find one log entry was done as the user logging in and the other as the privileged user running sshd.

> Bug? Feature?

Not sure :-)

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From djm at mindrot.org Thu Apr 7 21:55:16 2005
From: djm at mindrot.org (Damien Miller)
Date: Thu, 07 Apr 2005 21:55:16 +1000
Subject: problem with remote forward and SSH 2.4.0 server
In-Reply-To: <42548353.3080009@acm.org>
References: <4251EA94.7080907@acm.org> <42548353.3080009@acm.org>
Message-ID: <42551FA4.8050003@mindrot.org>

David Rothenberger wrote:
> On 4/4/2005 6:32 PM, David Rothenberger wrote:
>
>> I'm having a problem with OpenSSH_4.0p1 when trying to do remote port
>> forwards to a server running SSH Secure Shell 2.4.0.
>
> [...]
>
>> The attached patch solves the problem for me.
>
> The silence regarding my earlier post makes me think I did something
> wrong? Is this the correct place to report bugs and propose patches to
> fix them?

Yes, this is the correct list but we are frozen for a release and aren't going to consider any more patches until the 4.1 release is made.

Could you attach your patch to a new bug on http://bugzilla.mindrot.org/ so we can look at it post release?

Since it is a little tricky to review patches to improve interop against ssh.com code (because we don't have any copies around), it would be good if others on this list could test this patch too.

-d

From djm at mindrot.org Thu Apr 7 21:58:44 2005
From: djm at mindrot.org (Damien Miller)
Date: Thu, 07 Apr 2005 21:58:44 +1000
Subject: Multiple log entries for successful pubkey authentication
In-Reply-To: <20050407112242.GR1471@cygbert.vinschen.de>
References: <20050407112242.GR1471@cygbert.vinschen.de>
Message-ID: <42552074.3000904@mindrot.org>

Corinna Vinschen wrote:
> Hi,
>
> I'm wondering if that's planned or just occurring accidentally.
>
> With OpenSSH 4.0 and the upcoming 4.1, I'm getting two entries in syslog
> when a pubkey authentication logon was successful:
>
>   Apr 7 13:19:10 cathi sshd : PID 66116 : Accepted publickey for corinna from 192.168.129.6 port 40207 ssh2
>   Apr 7 13:19:10 cathi sshd : PID 67060 : Accepted publickey for corinna from 192.168.129.6 port 40207 ssh2

I think that this is a bug - could you file one on bugzilla?

-d

From vinschen at redhat.com Thu Apr 7 22:16:05 2005
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 7 Apr 2005 14:16:05 +0200
Subject: Multiple log entries for successful pubkey authentication
In-Reply-To: <42552074.3000904@mindrot.org>
References: <20050407112242.GR1471@cygbert.vinschen.de> <42552074.3000904@mindrot.org>
Message-ID: <20050407121605.GS1471@cygbert.vinschen.de>

On Apr 7 21:58, Damien Miller wrote:
> Corinna Vinschen wrote:
> >Hi,
> >
> >I'm wondering if that's planned or just occurring accidentally.
> >
> >With OpenSSH 4.0 and the upcoming 4.1, I'm getting two entries in syslog
> >when a pubkey authentication logon was successful:
> >
> >  Apr 7 13:19:10 cathi sshd : PID 66116 : Accepted publickey for corinna
> >  from 192.168.129.6 port 40207 ssh2
> >  Apr 7 13:19:10 cathi sshd : PID 67060 : Accepted publickey for corinna
> >  from 192.168.129.6 port 40207 ssh2
>
> I think that this is a bug - could you file one on bugzilla?

Sure. However, I just figured that this occurs on Cygwin, but not on Linux. And this already happened with 3.9p1 so I'm wondering if that's a result of Cygwin having the DISABLE_FD_PASSING flag set?

Corinna

--
Corinna Vinschen                  Cygwin Project Co-Leader
Red Hat, Inc.

From vinschen at redhat.com Thu Apr 7 22:23:54 2005
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 7 Apr 2005 14:23:54 +0200
Subject: Multiple log entries for successful pubkey authentication
In-Reply-To: <42551E32.3050706@zip.com.au>
References: <20050407112242.GR1471@cygbert.vinschen.de> <42551E32.3050706@zip.com.au>
Message-ID: <20050407122354.GT1471@cygbert.vinschen.de>

On Apr 7 21:49, Darren Tucker wrote:
> Corinna Vinschen wrote:
> >With OpenSSH 4.0 and the upcoming 4.1, I'm getting two entries in syslog
> >when a pubkey authentication logon was successful:
> >
> >  Apr 7 13:19:10 cathi sshd : PID 66116 : Accepted publickey for corinna
> >  from 192.168.129.6 port 40207 ssh2
> >  Apr 7 13:19:10 cathi sshd : PID 67060 : Accepted publickey for corinna
> >  from 192.168.129.6 port 40207 ssh2
> >
> >I found that this only happens when privilege separation is used. If I
> >switch privilege separation off, I'm getting only one entry in the syslog.
>
> I think that's because the auth_log is called twice: once in the monitor
> and once in the slave. If that's the case you should find one log entry
> was done as the user logging in and the other as the privileged user
> running sshd.

Yeah, that's what happens. In the above log entries you see that the logs come from different PIDs. As I wrote in my previous mail, I'm still wondering if DISABLE_FD_PASSING is the cause. But the result should be identical to a root login on other OSes, see the first few lines in sshd.c, function privsep_postauth(). However, a root login on Linux does not result in multiple log entries, so that's not the whole explanation...

Corinna

--
Corinna Vinschen                  Cygwin Project Co-Leader
Red Hat, Inc.

From dtucker at zip.com.au Thu Apr 7 22:31:47 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 07 Apr 2005 22:31:47 +1000
Subject: Multiple log entries for successful pubkey authentication
In-Reply-To: <20050407121605.GS1471@cygbert.vinschen.de>
References: <20050407112242.GR1471@cygbert.vinschen.de> <42552074.3000904@mindrot.org> <20050407121605.GS1471@cygbert.vinschen.de>
Message-ID: <42552833.5000103@zip.com.au>

Corinna Vinschen wrote:
> Sure. However, I just figured that this occurs on Cygwin, but not
> on Linux. And this already happened with 3.9p1 so I'm wondering
> if that's a result of Cygwin having the DISABLE_FD_PASSING flag set?

Possibly. It turns out that it also occurs on Linux if you're logging in as root (which disables post-auth privsep).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From vinschen at redhat.com Thu Apr 7 22:42:25 2005
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 7 Apr 2005 14:42:25 +0200
Subject: Multiple log entries for successful pubkey authentication
In-Reply-To: <42552833.5000103@zip.com.au>
References: <20050407112242.GR1471@cygbert.vinschen.de> <42552074.3000904@mindrot.org> <20050407121605.GS1471@cygbert.vinschen.de> <42552833.5000103@zip.com.au>
Message-ID: <20050407124225.GU1471@cygbert.vinschen.de>

On Apr 7 22:31, Darren Tucker wrote:
> Corinna Vinschen wrote:
> >Sure. However, I just figured that this occurs on Cygwin, but not
> >on Linux. And this already happened with 3.9p1 so I'm wondering
> >if that's a result of Cygwin having the DISABLE_FD_PASSING flag set?
>
> Possibly. It turns out that it also occurs on Linux if you're logging in
> as root (which disables post-auth privsep).

It does? Oh, good. Then I just made some mistake while testing on Linux.

Corinna

--
Corinna Vinschen                  Cygwin Project Co-Leader
Red Hat, Inc.

From dtucker at zip.com.au Thu Apr 7 22:52:34 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 07 Apr 2005 22:52:34 +1000
Subject: Multiple log entries for successful pubkey authentication
In-Reply-To: <20050407122354.GT1471@cygbert.vinschen.de>
References: <20050407112242.GR1471@cygbert.vinschen.de> <42551E32.3050706@zip.com.au> <20050407122354.GT1471@cygbert.vinschen.de>
Message-ID: <42552D12.10809@zip.com.au>

Corinna Vinschen wrote:
> On Apr 7 21:49, Darren Tucker wrote:
>>I think that's because the auth_log is called twice: once in the monitor
>>and once in the slave. If that's the case you should find one log entry
>>was done as the user logging in and the other as the privileged user
>>running sshd.
>
> Yeah, that's what happens. In the above log entries you see that the
> logs come from different PIDs. As I wrote in my previous mail, I'm
> still wondering if DISABLE_FD_PASSING is the cause. But the result
> should be identical to a root login on other OSes, see the first few
> lines in sshd.c, function privsep_postauth(). However, a root login
> on Linux does not result in multiple log entries, so that's not the
> whole explanation...

It does in debug mode:

debug1: ssh_rsa_verify: signature correct
Accepted publickey for root from ::ffff:127.0.0.1 port 40694 ssh2
debug1: monitor_child_preauth: root has been authenticated by privileged process
Accepted publickey for root from ::ffff:127.0.0.1 port 40694 ssh2

The one from the privsep slave won't get logged in normal operations, since it's chrooted to /var/empty and has no /dev/log to talk to syslogd.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From cmadams at hiwaay.net Thu Apr 7 23:00:44 2005
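Darren's explanation means a privsep sshd can emit the same "Accepted" line twice, from the monitor and from the post-auth child, with different PIDs but the same second and the same source port, whenever the child can still reach syslog (Cygwin, root logins, `-e`). Any log consumer that counts logins per user or per source will double-count unless it merges the pair. The script below is an added example, not OpenSSH code: it parses constructed syslog lines modelled on the ones quoted in this thread (both the Cygwin "PID nnn :" form and the usual "sshd[nnn]:" form) and collapses entries that differ only by PID on (host, user, source, port, timestamp).

```python
"""Merge the duplicate "Accepted ..." lines a privsep sshd can log twice.

Added example, not OpenSSH code. The sample lines are constructed after the
ones quoted in this thread; the hostname "linbox" and its PIDs are made up.
"""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
Apr  7 13:19:10 cathi sshd : PID 66116 : Accepted publickey for corinna from 192.168.129.6 port 40207 ssh2
Apr  7 13:19:10 cathi sshd : PID 67060 : Accepted publickey for corinna from 192.168.129.6 port 40207 ssh2
Apr  7 13:21:42 cathi sshd : PID 67102 : Accepted publickey for corinna from 192.168.129.6 port 40311 ssh2
Apr  7 13:25:03 linbox sshd[4021]: Accepted publickey for root from ::ffff:127.0.0.1 port 40694 ssh2
Apr  7 13:25:03 linbox sshd[4022]: Accepted publickey for root from ::ffff:127.0.0.1 port 40694 ssh2
Apr  7 13:26:10 linbox sshd[4050]: Failed password for invalid user test from 10.0.0.9 port 5021 ssh2
"""

# Accepts either "sshd[PID]:" (syslog on most Unixes) or "sshd : PID nnn :"
# (the Cygwin form quoted above).
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd"
    r"(?:\[(?P<pid>\d+)\]| : PID (?P<pid2>\d+) ): "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+) ssh2$"
)


def parse_accepted(lines):
    """One dict per 'Accepted ...' line, whichever PID format it uses."""
    events = []
    for line in lines:
        m = ACCEPT_RE.match(line)
        if not m:
            continue  # failures and other sshd chatter are out of scope here
        events.append({
            "ts": m.group("ts"), "host": m.group("host"),
            "pid": m.group("pid") or m.group("pid2"),
            "method": m.group("method"), "user": m.group("user"),
            "src": m.group("src"), "port": m.group("port"),
        })
    return events


def dedupe_logins(events):
    """Merge entries that differ only by PID. The monitor and the post-auth
    child log the same TCP connection, so (host, user, src, port, timestamp)
    identifies one login; the contributing PIDs are kept for the record."""
    merged = OrderedDict()
    for ev in events:
        key = (ev["host"], ev["user"], ev["src"], ev["port"], ev["ts"])
        merged.setdefault(key, []).append(ev["pid"])
    return [
        {"host": h, "user": u, "src": s, "port": p, "ts": t, "pids": pids}
        for (h, u, s, p, t), pids in merged.items()
    ]


def login_counts(text=SAMPLE_LOG):
    """(raw 'Accepted' lines, distinct logins, merged records)."""
    events = parse_accepted(text.splitlines())
    unique = dedupe_logins(events)
    return len(events), len(unique), unique


if __name__ == "__main__":
    raw, distinct, records = login_counts()
    print(f"{raw} Accepted lines, {distinct} distinct logins")
    for rec in records:
        print(f"  {rec['ts']} {rec['user']}@{rec['host']} from {rec['src']}:{rec['port']} pids={rec['pids']}")
```

The source port is what makes the merge safe: two genuinely separate logins from the same address within the same second will carry different client ports, as the 40207/40311 pair in the sample does.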
From: cmadams at hiwaay.net (Chris Adams) Date: Thu, 7 Apr 2005 08:00:44 -0500 Subject: PermitRootLogin and Tru64 SIA Message-ID: <20050407130044.GC1402602@hiwaay.net> I have "PermitRootLogin no" in my sshd_config, but under Tru64 and SIA, the root login attempts still get passed to the SIA system (so I get lots of warnings about failed root logins). On systems with a "max failed attempts" setting, the root account can be locked out this way. I started looking at the code, and I'm not sure I understand what I see. In auth-passwd.c, function auth_password checks permit_root_login, but it doesn't stop if it fails. It goes on and calls the authentication function (sys_auth_passwd from auth-sia.c for SIA) but still returns failure. Why? Should I just modify auth-sia.c sys_auth_passwd() to check the permit_root_login option and fail without calling the SIA functions? Here's a patch that does that: diff -urN openssh-dist/auth-sia.c openssh/auth-sia.c --- openssh-dist/auth-sia.c Thu Mar 4 05:59:37 2004 +++ openssh/auth-sia.c Thu Apr 7 07:52:13 2005 @@ -53,6 +53,9 @@ SIAENTITY *ent = NULL; const char *host; + if (! auth_root_allowed ("password")) + return (0); + host = get_canonical_hostname(options.use_dns); if (!authctxt->user || pass == NULL || pass[0] == '\0') -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From dtucker at zip.com.au Thu Apr 7 23:43:51 2005 
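Review bot: the new `auth_root_allowed ("password")` call in sys_auth_passwd() is made unconditionally, with no test that the account being authenticated is actually root, so unless auth_root_allowed() inspects the user itself this refuses every password login whenever PermitRootLogin is not yes; guard it with a uid-0 check on the account and place it after the existing `!authctxt->user || pass == NULL` validation so the user is known. Returning 0 before SIA sees the attempt also makes a refused root login observably different from a wrong password against a permitted account, which is the consistency the surrounding auth code tries to keep, so that trade-off deserves a comment next to the early return.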
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 07 Apr 2005 23:43:51 +1000
Subject: PermitRootLogin and Tru64 SIA
In-Reply-To: <20050407130044.GC1402602@hiwaay.net>
References: <20050407130044.GC1402602@hiwaay.net>
Message-ID: <42553917.6000201@zip.com.au>

Chris Adams wrote:
> I have "PermitRootLogin no" in my sshd_config, but under Tru64 and SIA,
> the root login attempts still get passed to the SIA system (so I get
> lots of warnings about failed root logins). On systems with a "max
> failed attempts" setting, the root account can be locked out this way.
> I started looking at the code, and I'm not sure I understand what I see.
>
> In auth-passwd.c, function auth_password checks permit_root_login, but
> it doesn't stop if it fails. It goes on and calls the authentication
> function (sys_auth_passwd from auth-sia.c for SIA) but still returns
> failure. Why?

It's trying to behave the same for all these different cases, while still denying the logins that should be denied:
 - valid user but wrong password
 - denied by sshd config (permitrootlogin=no, denyusers) + wrong password
 - denied by sshd config (permitrootlogin=no, denyusers) + right password
 - non-existent user

Returning early allows an attacker to determine some settings, and in some cases guess passwords. The lower-level drivers do whatever they need to to present this consistent behaviour (in the case of PAM, that means feeding bogus passwords in the denied-by-config cases, otherwise).

> Should I just modify auth-sia.c sys_auth_passwd() to check the
> permit_root_login option and fail without calling the SIA functions?

If that's the right thing to do in this case. You're ignoring actual login attempts (even though they have no chance of succeeding); is that the right thing?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
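Darren's point (evaluate the policy, but still run the backend, so every refused attempt looks the same from the outside) can be shown as a small model. The Python below is an added example and not OpenSSH code: the Backend, Policy and Account names, the PBKDF2 password storage and the dummy record used for unknown users are this example's own choices, standing in for auth_password() and the OS password driver. The backend keeps a call counter so the test can confirm it is consulted on every attempt, policy or no policy.

```python
"""The "run the backend anyway, then apply policy" pattern from sshd's
auth_password(), modelled in Python. Added example; not OpenSSH code. The
Backend/Policy/Account names and the PBKDF2 storage format are this example's
own; the point is the control flow.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 1000  # low so the demo is quick; use far more in practice


@dataclass
class Account:
    name: str
    uid: int
    salt: bytes
    digest: bytes


def make_account(name: str, uid: int, password: str) -> Account:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return Account(name, uid, salt, digest)


# Record used for unknown users so the backend does the same work for them.
DUMMY = make_account("<no such user>", 65534, os.urandom(16).hex())


@dataclass
class Policy:
    permit_root_login: bool = False
    deny_users: set = field(default_factory=set)


@dataclass
class Backend:
    """Stands in for the OS password backend (PAM, SIA, /etc/shadow ...)."""
    accounts: dict
    calls: int = 0  # incremented on every attempt; must not depend on policy

    def verify(self, user: str, password: str) -> bool:
        self.calls += 1
        acct = self.accounts.get(user, DUMMY)
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, PBKDF2_ROUNDS)
        # Constant-time compare, and an unknown user can never succeed.
        return hmac.compare_digest(cand, acct.digest) and acct is not DUMMY


def check_password(backend: Backend, policy: Policy, user: str, password: str) -> bool:
    """Policy is evaluated but never short-circuits: the backend is consulted
    for every attempt, so a denied-by-config account, an unknown user and a
    wrong password all take the same path and return the same False."""
    acct = backend.accounts.get(user)
    permitted = True
    if acct is not None and acct.uid == 0 and not policy.permit_root_login:
        permitted = False
    if user in policy.deny_users:
        permitted = False
    verified = backend.verify(user, password)   # always runs
    return verified and permitted


def demo() -> tuple:
    """Five attempts against one backend; returns (outcomes, backend calls)."""
    backend = Backend({
        "root": make_account("root", 0, "root-pw-constructed"),
        "alice": make_account("alice", 1000, "alice-pw-constructed"),
        "bob": make_account("bob", 1001, "bob-pw-constructed"),
    })
    policy = Policy(permit_root_login=False, deny_users={"bob"})
    outcomes = {
        "alice, right password": check_password(backend, policy, "alice", "alice-pw-constructed"),
        "alice, wrong password": check_password(backend, policy, "alice", "guess"),
        "root, right password (PermitRootLogin no)": check_password(backend, policy, "root", "root-pw-constructed"),
        "bob, right password (DenyUsers)": check_password(backend, policy, "bob", "bob-pw-constructed"),
        "no such user": check_password(backend, policy, "mallory", "guess"),
    }
    return outcomes, backend.calls


if __name__ == "__main__":
    outcomes, calls = demo()
    for case, ok in outcomes.items():
        print(f"{case}: {'accepted' if ok else 'denied'}")
    print(f"backend consulted {calls} times")
```

The cost of this design is the one Chris raised: a backend that counts failures will see the refused root attempts. The early return in his patch removes that cost but reintroduces the distinguishable path, which is the trade-off Darren asks him to weigh.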
From vinschen at redhat.com Fri Apr 8 00:10:39 2005
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 7 Apr 2005 16:10:39 +0200
Subject: Multiple log entries for successful pubkey authentication
In-Reply-To: <42552074.3000904@mindrot.org>
References: <20050407112242.GR1471@cygbert.vinschen.de> <42552074.3000904@mindrot.org>
Message-ID: <20050407141039.GA27828@cygbert.vinschen.de>

On Apr 7 21:58, Damien Miller wrote:
> Corinna Vinschen wrote:
> >Hi,
> >
> >I'm wondering if that's planned or just occurring accidentally.
> >
> >With OpenSSH 4.0 and the upcoming 4.1, I'm getting two entries in syslog
> >when a pubkey authentication logon was successful:
> >
> >  Apr 7 13:19:10 cathi sshd : PID 66116 : Accepted publickey for corinna
> >  from 192.168.129.6 port 40207 ssh2
> >  Apr 7 13:19:10 cathi sshd : PID 67060 : Accepted publickey for corinna
> >  from 192.168.129.6 port 40207 ssh2
>
> I think that this is a bug - could you file one on bugzilla?

I've filed a bug report, #1011.

Corinna

--
Corinna Vinschen                  Cygwin Project Co-Leader
Red Hat, Inc.

From daveroth at acm.org Fri Apr 8 02:54:20 2005
From: daveroth at acm.org (David Rothenberger)
Date: Thu, 07 Apr 2005 09:54:20 -0700
Subject: problem with remote forward and SSH 2.4.0 server
In-Reply-To: <42551FA4.8050003@mindrot.org>
References: <4251EA94.7080907@acm.org> <42548353.3080009@acm.org> <42551FA4.8050003@mindrot.org>
Message-ID: <425565BC.6010908@acm.org>

On 4/7/2005 4:55 AM, Damien Miller wrote:
> Yes, this is the correct list but we are frozen for a release and aren't
> going to consider any more patches until the 4.1 release is made.

I understand. That's unfortunate for me since I interop with ssh.com 2.4.0 servers all the time, but oh well.

> Could you attach your patch to a new bug on http://bugzilla.mindrot.org/
> so we can look at it post release?

Done. Bug 1012. http://bugzilla.mindrot.org/show_bug.cgi?id=1012

--
David Rothenberger
spammer? -> spam at daveroth.dyndns.org
GPG/PGP: 0x7F67E734, C233 365A 25EF 2C5F C8E1 43DF B44F BA26 7F67 E734

Ever feel like you're the head pin on life's bowling alley, and everyone's
rolling strikes?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 253 bytes
Desc: OpenPGP digital signature
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050407/a5e89ccb/attachment.bin

From us_u1 at yahoo.co.in Fri Apr 8 07:13:57 2005
From: us_u1 at yahoo.co.in (umashankar uniyal)
Date: Thu, 7 Apr 2005 22:13:57 +0100 (BST)
Subject: EPROTONOSUP Problem
Message-ID: <20050407211357.98861.qmail@web8408.mail.in.yahoo.com>

Hi,

I am running the dbt2 test kit for postgres-8.0.1. The driver and client are running on Sun Solaris 10 and the database is running on Red Hat 9. I am running the test kit for 100 warehouses with tpw (terminal per warehouse) value of 80.

I did truss on driver and found that after executing some transactions an error comes related to EPROTONOSUP. The particular point where error comes looks like this:

so_socket(PF_INET, SOCK_STREAM, -4, "", SOV_DEFAULT) Err#120 EPROTONOSUP

Above this error the normal behaviour was:

so_socket(PF_INET, SOCK_STREAM, IPPROTO_TCP, "", SOV_DEFAULT) = 255

I found that this error comes when the protocol is not supported by the address family. Could you please help me out on this about how to solve this one as how after executing for some time the protocol is not supported at all.

Thanks & Regards
uma

From djm at mindrot.org Fri Apr 8 11:50:29 2005
From: djm at mindrot.org (Damien Miller)
Date: Fri, 08 Apr 2005 11:50:29 +1000
Subject: EPROTONOSUP Problem
In-Reply-To: <20050407211357.98861.qmail@web8408.mail.in.yahoo.com>
References: <20050407211357.98861.qmail@web8408.mail.in.yahoo.com>
Message-ID: <4255E365.1060304@mindrot.org>

So, what does this have to do with openssh?

umashankar uniyal wrote:
> Hi,
> I am running the dbt2 test kit for postgres-8.0.1. The
> driver and client are running on Sun Solaris 10 and
> the database is running on Red Hat 9. I am running the
> test kit for 100 warehouses with tpw (terminal per
> warehouse) value of 80.
>
> I did truss on driver and found that after executing
> some transactions an error comes related to
> EPROTONOSUP. The particular point where error comes
> looks like this:
>
> so_socket(PF_INET, SOCK_STREAM, -4, "", SOV_DEFAULT)
> Err#120 EPROTONOSUP .
>
> Above this error the normal behaviour was:
> so_socket(PF_INET, SOCK_STREAM, IPPROTO_TCP, "",
> SOV_DEFAULT) = 255
>
> I found that this error comes when the protocol is not
> supported by the address family.
> Could you please help me out on this about how to
> solve this one as how after executing for some time
> the protocol is not supported at all.
>
> Thanks & Regards
> uma

From lindysandiego at yahoo.com Sat Apr 9 03:38:59 2005
From: lindysandiego at yahoo.com (Thomas Baden)
Date: Fri, 8 Apr 2005 10:38:59 -0700 (PDT)
Subject: Feature Suggestion - scp don't decrypt file at destination unecrypt on copy back switch
In-Reply-To: <42547ACA.8040506@zip.com.au>
Message-ID: <20050408173859.86855.qmail@web51709.mail.yahoo.com>

--- Darren Tucker wrote:
> Gerard J. Cerchio wrote:
> > Damien wrote:
> >
> > > tar zcf - /path/to/whatever | gpg --encrypt -r publickey at
> [...]
> > It will also bulk up the data transfer making the data less compressible
> > and larger due to entropy added during encryption.
>
> The tar will compress anyway so that's likely to have little if any impact
> (you will probably get better performance by disabling compression in ssh).

Doesn't GPG / PGP compress the data before encrypting anyway to make plaintext attacks more difficult? If so, then one could leave off the -z switch (which isn't supported by all TAR implementations).

Cheers,
-Thomas

From Dave at Yost.com Sat Apr 9 02:57:07 2005
From: Dave at Yost.com (Dave Yost)
Date: Fri, 8 Apr 2005 08:57:07 -0800
Subject: ssh -X when X server is not running
Message-ID:

Hi.

On Mac and Cygwin, if your X server is not running, and you ssh -X to another host, you get this message:

  Warning: No xauth data; using fake authentication data for X11 forwarding.

This situation can be hard to diagnose for a new user. A message that says something to the effect of

  Is your X server running?

in addition or instead would be good.

Dave

From lindysandiego at yahoo.com Sat Apr 9 03:53:34 2005
From: lindysandiego at yahoo.com (Thomas Baden)
Date: Fri, 8 Apr 2005 10:53:34 -0700 (PDT)
Subject: Multiple log entries for successful pubkey authentication
In-Reply-To: <20050407121605.GS1471@cygbert.vinschen.de>
Message-ID: <20050408175334.96032.qmail@web51702.mail.yahoo.com>

--- Corinna Vinschen wrote:
> On Apr 7 21:58, Damien Miller wrote:
> > Corinna Vinschen wrote:
> > > Hi,
> > >
> > > I'm wondering if that's planned or just occurring accidentally.
> > >
> > > With OpenSSH 4.0 and the upcoming 4.1, I'm getting two entries in syslog when a pubkey authentication logon was successful:
> > >
> > >   Apr 7 13:19:10 cathi sshd : PID 66116 : Accepted publickey for corinna from 192.168.129.6 port 40207 ssh2
> > >   Apr 7 13:19:10 cathi sshd : PID 67060 : Accepted publickey for corinna from 192.168.129.6 port 40207 ssh2
> >
> > I think that this is a bug - could you file one on bugzilla?
>
> Sure. However, I just figured that this occurs on Cygwin, but not on Linux. And this already happened with 3.9p1 so I'm wondering if that's a result of Cygwin having the DISABLE_FD_PASSING flag set?

I've been seeing the same thing on Solaris 8 64-bit SPARC. I never dug into the code as it wasn't a problem to me. It's not just 4.0, though. I think I've been seeing it at least as far back as 3.8.

Cheers,
-Thomas

From lindysandiego at yahoo.com Sat Apr 9 03:59:14 2005
From: lindysandiego at yahoo.com (Thomas Baden)
Date: Fri, 8 Apr 2005 10:59:14 -0700 (PDT)
Subject: Multiple log entries for successful pubkey authentication
Message-ID: <20050408175914.82918.qmail@web51707.mail.yahoo.com>

Oops, I almost forgot... The double-logging I'm seeing is through the -e option to log to stderr. I see the double logs for all logins (root logins being disabled on my host). I don't know if that helps or not, but there it is.

Cheers,
-Thomas

From Darren.Moffat at Sun.COM Sat Apr 9 10:56:07 2005
From: Darren.Moffat at Sun.COM (Darren J Moffat)
Date: Fri, 08 Apr 2005 17:56:07 -0700
Subject: Dynamic smartcard support?
In-Reply-To: <42324DF6.7020203@zip.com.au>
References: <20050311070939.GB5020@foo.birdnet.se> <42324DF6.7020203@zip.com.au>
Message-ID: <1113008167.2073.104.camel@localhost>

On Fri, 2005-03-11 at 18:03, Darren Tucker wrote:
> Even on platforms where it is supported it's likely to vary quite a bit. On AIX, libfoo.a can contain shared and static components. On HP-UX, the libraries are libfoo.sl not libfoo.so. dlopen can be hiding in different places on different platforms. And probably many other things...

OpenSSL provides a nice abstraction layer for this in its dso module. OpenSSH could use that OpenSSL interface for doing dynamic loading.

--
Darren J Moffat

From djm at mindrot.org Sat Apr 9 11:34:17 2005
From: djm at mindrot.org (Damien Miller)
Date: Sat, 09 Apr 2005 11:34:17 +1000
Subject: Dynamic smartcard support?
In-Reply-To: <1113008167.2073.104.camel@localhost>
References: <20050311070939.GB5020@foo.birdnet.se> <42324DF6.7020203@zip.com.au> <1113008167.2073.104.camel@localhost>
Message-ID: <42573119.6050203@mindrot.org>

Darren J Moffat wrote:
> OpenSSL provides a nice abstraction layer for this in its dso module. OpenSSH could use that OpenSSL interface for doing dynamic loading.

No, we really don't want to do dynamic loading in OpenSSH. Even with abstraction layers it still adds complexity and can be quite fragile with regards to lazy binding and privsep chroot. Some platforms[1] even have problems in ld.so with OpenSSH doing chroot.

(Yes, I know that PAM is already doing dynamic loading implicitly, but since a platform's PAM implementation is usually maintained by the platform vendor, it usually doesn't bite us too badly)

I'd prefer to see a protocol interface to the smartcard routines. E.g. over a local socket, or by pipe+fork+exec. One of the OpenBSD developers was going to work on this, but went off and started hacking isakmpd instead. So, volunteers welcome :)

-d

[1] https://bugzilla.redhat.com/beta/show_bug.cgi?id=144303

From jmknoble at pobox.com Sun Apr 10 03:26:17 2005
From: jmknoble at pobox.com (Jim Knoble)
Date: Sat, 9 Apr 2005 13:26:17 -0400
Subject: Feature Suggestion - scp don't decrypt file at destination unencrypt on copy back switch
In-Reply-To: <20050408173859.86855.qmail@web51709.mail.yahoo.com>
References: <42547ACA.8040506@zip.com.au> <20050408173859.86855.qmail@web51709.mail.yahoo.com>
Message-ID: <20050409172617.GE24966@crawfish.ais.com>

Circa 2005-04-08 dixit Thomas Baden:

: > > > tar zcf - /path/to/whatever | gpg --encrypt -r
:
: Doesn't GPG / PGP compress the data before encrypting anyway to make plaintext attacks more difficult?

GPG or PGP may be configured to disable compression; this ensures that the data are compressed no matter what.

: If so, then one could leave off the -z switch (which isn't supported by all TAR implementations).

Yes; in fact, the following sort of thing tends to be more portable than 'tar -z':

  tar -cf - /path/to/whatever | gzip -9 | whatever

The standard stuff applies here:

- use bzip2 instead of gzip for better, but slower, compression
- use pax (with differing command-line syntax) instead of tar for better POSIX/ustar compatibility

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 809F:09B9:9686:D035:4AB0::9455:124B:0A62:DD6A:76D6)
"The methods now being used to merchandise the political candidate as though he were a deodorant positively guarantee the electorate against ever hearing the truth about anything." --Aldous Huxley

From lindysandiego at yahoo.com Tue Apr 12 03:42:28 2005
From: lindysandiego at yahoo.com (Thomas Baden)
Date: Mon, 11 Apr 2005 10:42:28 -0700 (PDT)
Subject: OpenSSH 4.1: call for testing.
In-Reply-To: <42573F31.3020109@zip.com.au>
Message-ID: <20050411174228.52858.qmail@web51705.mail.yahoo.com>

openssh-SNAP-20050408 running Solaris 8, Sun Forte C compiler, 64-bit.

Output of configure:

OpenSSH has been configured with the following options:
                     User binaries: /opt/local/bin
                   System binaries: /opt/local/sbin
               Configuration files: /etc
                   Askpass program: /opt/local/libexec/ssh-askpass
                      Manual pages: /opt/local/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/local/bin
(If PATH is set in /etc/default/login it will be used instead. If used, ensure the path to scp is present, otherwise scp will not work.)
                    Manpage format: man
                       PAM support: yes
                 KerberosV support: no
                 Smartcard support: no
                     S/KEY support: no
              TCP Wrappers support: no
              MD5 password support: no
                   libedit support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY

              Host: sparc-sun-solaris2.8
          Compiler: cc
    Compiler flags: -xtarget=ultra -xarch=v9 -mt
Preprocessor flags: -I/opt/local/ssl/include -D_XOPEN_SOURCE=500 -D__EXTENSIONS__
      Linker flags: -L/opt/local/ssl/lib/64 -R/opt/local/ssl/lib/64 -xtarget=ultra -xarch=v9
         Libraries: -lpam -ldl -lresolv -lcrypto -lrt -lz -lsocket -lnsl

make tests ran with no errors reported.

Cheers,
-Thomas

From lars at gmx.at Wed Apr 13 04:43:23 2005
From: lars at gmx.at (lars)
Date: Tue, 12 Apr 2005 20:43:23 +0200
Subject: ssh to target, scp back to source in same session without name resolution
Message-ID: <425C16CB.9020604@gmx.at>

Dear OpenSSH-Team,

First, thanks a lot for your efforts on OpenSSH, great job!

I have a wish: I'd like to be able to connect from my source to a target via ssh, do some stuff on the target, and then copy back some files to the source, all within the same session and without name resolution.

"Problem": I'm behind a firewall with my source host, I don't know the name or location of some files/directories on the target host, I ssh to the target host on the internet, look for and find these files/directories (but I don't want to open a second session for scp and I can't resolve the name of my source host behind the firewall), and then I'd like to copy those files back to my source host, within the same encrypted session.

Do you understand what I mean?

I don't think this is possible at the moment, unless I haven't read the manual well enough.

Ok, that's all, thanks for reading.

Kind regards,
Lars.

From stuge-openssh-unix-dev at cdy.org Wed Apr 13 09:02:27 2005
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Wed, 13 Apr 2005 01:02:27 +0200
Subject: ssh to target, scp back to source in same session without name resolution
In-Reply-To: <425C16CB.9020604@gmx.at>
References: <425C16CB.9020604@gmx.at>
Message-ID: <20050412230227.GA22458@foo.birdnet.se>

On Tue, Apr 12, 2005 at 08:43:23PM +0200, lars wrote:
> I ssh to the target host on the internet, look for and find these files/directories (but I don't want to open a second session for scp and I can't resolve the name of my source host behind the firewall), and then I'd like to copy those files back to my source host, within the same encrypted session.
>
> Do you understand what I mean?
>
> I don't think this is possible at the moment, unless I haven't read the manual well enough.

Should be possible using connection sharing. See -S in ssh(1) and ControlMaster/ControlPath in ssh_config(5) and check mailing list archive the last few months.

//Peter

From J.S.Peatfield at damtp.cam.ac.uk Wed Apr 13 10:10:10 2005
From: J.S.Peatfield at damtp.cam.ac.uk (Jon Peatfield)
Date: Wed, 13 Apr 2005 01:10:10 +0100 (BST)
Subject: ssh to target, scp back to source in same session without name resolution
In-Reply-To: <20050412230227.GA22458@foo.birdnet.se>
References: <425C16CB.9020604@gmx.at> <20050412230227.GA22458@foo.birdnet.se>
Message-ID:

On Wed, 13 Apr 2005, Peter Stuge wrote:
> On Tue, Apr 12, 2005 at 08:43:23PM +0200, lars wrote:
> > I ssh to the target host on the internet, look for and find these files/directories (but I don't want to open a second session for scp and I can't resolve the name of my source host behind the firewall), and then I'd like to copy those files back to my source host, within the same encrypted session.
> >
> > Do you understand what I mean?
> >
> > I don't think this is possible at the moment, unless I haven't read the manual well enough.
>
> Should be possible using connection sharing. See -S in ssh(1) and ControlMaster/ControlPath in ssh_config(5) and check mailing list archive the last few months.

One should also be able to do what was requested using good old port forwarding e.g.

  on-client> ssh -2 -R10022:localhost:22 far-away-server
  on-far-away-server> scp -o 'port 10022' /etc/motd localhost:/tmp/

etc...

There are issues to do with clashing keys (for localhost for example), and picking a suitable pseudo-random-port to forward but they can be worked round. Of course running ssh-over-ssh has an overhead but...

--
Jon

From jc at info-systems.de Wed Apr 13 05:32:49 2005
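Jon Peatfield's reverse-forward route, written out as an added example that is not from the thread: a POSIX sh helper that picks the far-side port, requests the forward with ExitOnForwardFailure so a clashing port is noticed instead of silently ignored, and builds the far-side scp command with a HostKeyAlias so the forwarded localhost:PORT is checked against the client's host key rather than colliding with the far host's own localhost entry. The alias name source-host, the port range and the COPYBACK_* environment variables are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): copy files from a far host back to the
# ssh client over the same connection, using a reverse port forward.
#
#   client --(ssh -R PORT:localhost:22)--> far host
#   far host: scp -o Port=PORT -o HostKeyAlias=ALIAS FILE localhost:DEST
#
# The scp on the far host connects to its own localhost:PORT, which ssh carries
# back to the client's sshd. The client therefore needs sshd running.

# Pick an unprivileged port for the forward, derived from the shell's PID so
# two concurrent sessions from the same client are unlikely to collide.
# The 20000-29999 range is an assumption; any free unprivileged port works.
pick_port() {
    echo $(( 20000 + ($$ % 10000) ))
}

# port_ok PORT: true when PORT is unprivileged and within the valid range.
port_ok() {
    [ "$1" -ge 1024 ] 2>/dev/null && [ "$1" -le 65535 ]
}

# tunnel_cmd PORT FAR_HOST
# The client-side ssh command: interactive session plus the reverse forward.
# ExitOnForwardFailure makes ssh exit when PORT is already bound on the far
# host (the "clashing port" case) instead of continuing without the forward.
tunnel_cmd() {
    echo "ssh -o ExitOnForwardFailure=yes -R $1:localhost:22 $2"
}

# remote_copy_cmd PORT ALIAS SRC DEST
# The far-side scp command. HostKeyAlias stores and checks the client's host
# key under ALIAS in the far host's known_hosts, so the entry does not clash
# with the key already recorded there for the far host's own "localhost".
remote_copy_cmd() {
    echo "scp -o Port=$1 -o HostKeyAlias=$2 $3 localhost:$4"
}

# When COPYBACK_FAR is set, print the far-side command to copy and paste, then
# replace this shell with the tunnelled session. Unset: only define functions.
if [ -n "${COPYBACK_FAR:-}" ]; then
    port=$(pick_port)
    echo "On $COPYBACK_FAR run:" >&2
    echo "  $(remote_copy_cmd "$port" "${COPYBACK_ALIAS:-source-host}" FILE DEST)" >&2
    exec $(tunnel_cmd "$port" "$COPYBACK_FAR")
fi
```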
From: jc at info-systems.de (Jakob Curdes)
Date: Tue, 12 Apr 2005 21:32:49 +0200
Subject: Limiting login resources
In-Reply-To: <4253CCE0.9090201@zip.com.au>
References: <4253BCA5.3020308@info-systems.de> <4253CCE0.9090201@zip.com.au>
Message-ID: <425C2261.9090708@info-systems.de>

Hello,

recently we experience random login attempts with various user names such as test, guest, admin, root, http etc pp. all from the same IP in a short time. I observed this on different machines. We have limited access to ssh to 2 or 3 users on all our boxes, so I do not really feel a necessity to protect our machines better from misuse. Nevertheless I think it would be good to block an IP address after the 3rd or so login attempt with an illegal name or at least block an IP that tries to cycle user names like a merry-go-round.

I experimented a bit with options for sshd like LoginGraceTime, MaxStartups but these do not really affect the sshd behavior in the case mentioned above. I also looked into PAM and tried to configure things there, but PAM is not really my daily speciality.

Is someone willing to explain to me how I can limit login attempts via ssh? Is this related to UseLogin?

Yours,
Jakob Curdes

From dtucker at zip.com.au Wed Apr 13 13:21:50 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 13 Apr 2005 13:21:50 +1000
Subject: Limiting login resources
In-Reply-To: <425C2261.9090708@info-systems.de>
References: <4253BCA5.3020308@info-systems.de> <4253CCE0.9090201@zip.com.au> <425C2261.9090708@info-systems.de>
Message-ID: <425C904E.5080005@zip.com.au>

Jakob Curdes wrote:
[...]
> Is someone willing to explain to me how I can limit login attempts via ssh?

There was an extensive thread on this topic a while back:

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=110728735306428

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From andreas.gaupmann at gmx.net Wed Apr 13 16:47:14 2005
From: andreas.gaupmann at gmx.net (Andreas Gaupmann)
Date: Wed, 13 Apr 2005 08:47:14 +0200 (MEST)
Subject: Authctxt
Message-ID: <28904.1113374834@www59.gmx.net>

Hello!

I have been reading through the OpenSSH 4.0p code. There exist two globals called "Authctxt". One is defined in sshconnect2.c (type 1) and the other in auth.h (type 2). Both are structs with different members. Nevertheless, they are used seemingly interchangeably, e.g.:

In line 302 of sshconnect2.c the function "userauth_none" is called:

  userauth_none(&authctxt);

The referred authctxt is of type 1. sshconnect2.c does not include auth.h. "userauth_none" is defined in auth2-none.c. In that function the passed authctxt is accessed like a struct from type 2. In line 114 of auth2-none.c the member "pw" is accessed:

  if (check_nt_auth(1, authctxt->pw) == 0)

"pw" is defined in type 2 only. In type 1 there is no "pw". Furthermore, "userauth_none" eventually calls "auth_password". In this function the same type 1 is passed and used as type 2.

This all seems odd to me. What do I understand wrong? Any help on this is appreciated.

Cheers
Andreas

From djm at mindrot.org Wed Apr 13 16:52:06 2005
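For Jakob's "block an IP that cycles user names" request above (Darren only points to the archive thread), an added example that is not from the thread: sshd's per-connection limits (MaxAuthTries, LoginGraceTime) never see a scanner that opens a new connection for every guess, so the pattern has to be found by correlating the auth log by source address. The POSIX sh/awk below does that over constructed sample log lines and turns the result into tcp_wrappers hosts.deny entries; the addresses, names and threshold of 3 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find sources that cycle through user
# names against sshd and emit hosts.deny lines for them. sshd's MaxAuthTries
# and LoginGraceTime are per connection, so one guess per connection slips
# under them; the log, grouped by source IP, still shows the pattern.

# Constructed sample sshd syslog lines (addresses and names are made up).
SAMPLE_LOG='Apr 12 20:01:01 host sshd[1001]: Invalid user test from 10.0.0.5
Apr 12 20:01:02 host sshd[1001]: Failed password for invalid user test from 10.0.0.5 port 40001 ssh2
Apr 12 20:01:05 host sshd[1003]: Invalid user guest from 10.0.0.5
Apr 12 20:01:06 host sshd[1003]: Failed password for invalid user guest from 10.0.0.5 port 40002 ssh2
Apr 12 20:01:09 host sshd[1005]: Invalid user admin from 10.0.0.5
Apr 12 20:01:10 host sshd[1005]: Failed password for invalid user admin from 10.0.0.5 port 40003 ssh2
Apr 12 20:01:12 host sshd[1007]: Failed password for root from 10.0.0.5 port 40004 ssh2
Apr 12 20:02:00 host sshd[1010]: Failed password for jakob from 192.168.1.20 port 50001 ssh2
Apr 12 20:02:05 host sshd[1012]: Accepted publickey for jakob from 192.168.1.20 port 50002 ssh2'

# flag_sources THRESHOLD
# Reads sshd log lines on stdin and prints "IP FAILURES DISTINCT_NAMES",
# sorted by IP, for every source with at least THRESHOLD failed passwords.
# Only "Failed password" lines are counted: the separate "Invalid user" line
# sshd logs for unknown names belongs to the same attempt.
flag_sources() {
    awk -v thr="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            # Locate "for"; the next tokens are either "invalid user NAME from IP"
            # (unknown account) or "NAME from IP" (existing account).
            for (i = 1; i <= NF; i++) if ($i == "for") break
            if ($(i + 1) == "invalid") { name = $(i + 3); ip = $(i + 5) }
            else                       { name = $(i + 1); ip = $(i + 3) }
            fails[ip]++
            if (!((ip, name) in seen)) { seen[ip, name] = 1; names[ip]++ }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= thr)
                    printf "%s %d %d\n", ip, fails[ip], names[ip]
        }' | sort
}

# deny_entries
# Turns flag_sources output into hosts.deny lines for an sshd built with
# tcp_wrappers (the mechanism discussed further down this page).
deny_entries() {
    while read -r ip fails names; do
        printf 'sshd: %s\n' "$ip"
    done
}

# Typical use on a real log:
#   flag_sources 3 < /var/log/auth.log | deny_entries >> /etc/hosts.deny
# On the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | flag_sources 3 | deny_entries
```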
From: djm at mindrot.org (Damien Miller)
Date: Wed, 13 Apr 2005 16:52:06 +1000
Subject: Authctxt
In-Reply-To: <28904.1113374834@www59.gmx.net>
References: <28904.1113374834@www59.gmx.net>
Message-ID: <425CC196.5050506@mindrot.org>

Andreas Gaupmann wrote:
> Hello!
>
> I have been reading through the OpenSSH 4.0p code. There exist two globals called "Authctxt". One is defined in sshconnect2.c (type 1) and the other in auth.h (type 2). Both are structs with different members.

They are used consistently in client vs server code. E.g auth.c is server-only, whereas sshconnect2.c is client-only. I don't think that a struct Authctxt is used anywhere in the shared (libssh.a) code.

-d

From bob at proulx.com Wed Apr 13 18:31:32 2005
From: bob at proulx.com (Bob Proulx)
Date: Wed, 13 Apr 2005 02:31:32 -0600
Subject: ssh to target, scp back to source in same session without name resolution
In-Reply-To: <425C16CB.9020604@gmx.at>
References: <425C16CB.9020604@gmx.at>
Message-ID: <20050413083132.GA3784@dementia.proulx.com>

lars wrote:
> "Problem":
> I'm behind a firewall with my source host, I don't know the name or location of some files/directories on the target host,

This is a bash specific suggestion. It probably works with other shells that also have command completion. Use file name expansion to see the name of the file you want to copy.

  . /etc/bash_completion
  scp user@remote:/some/path<TAB>

At the TAB the shell as configured by the completion will ssh to the remote host and get a directory listing as if it were expanding a local path. Find the file you want, select it and then copy it locally.

  scp user@remote:/some/path/to/file .

Depending upon the speed of the hosts involved this is either very fast or possibly quite slow. You will need to be managing ssh keys with an agent or it will prompt you repeatedly for passwords. But it is a pretty nice feature.

Bob

From andreas.gaupmann at gmx.net Wed Apr 13 20:39:20 2005
From: andreas.gaupmann at gmx.net (Andreas Gaupmann)
Date: Wed, 13 Apr 2005 12:39:20 +0200 (MEST)
Subject: Authctxt
References: <28904.1113374834@www59.gmx.net>
Message-ID: <19322.1113388760@www33.gmx.net>

Well, as Damien Miller pointed out: type 1 is used in the client code and type 2 in the server code. So they are not mixed up. The same is true for the functions "userauth_none". One is defined in sshconnect2.c on line 710 (client) the other in auth2-none.c on line 108 (server). Annoyingly, I missed that.

So, has anyone some pointers to documents describing the structure and design of the code in more detail than the (obsolete) OVERVIEW file or the general drafts (or RFCs)?

Cheers
Andreas

From dtucker at zip.com.au Wed Apr 13 21:45:30 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 13 Apr 2005 21:45:30 +1000
Subject: "ssh user@server /bin/sh" vs "no-pty" option.
In-Reply-To: <36223088.20050324170320@nwgsm.ru>
References: <36223088.20050324170320@nwgsm.ru>
Message-ID: <425D065A.1080907@zip.com.au>

rz1a at nwgsm.ru wrote:
> Do I get it right that I *MUST* chroot a user first and make /bin/rssh his shell in the /etc/passwd to effectively restrict him? There should be no /bin/ksh (or bash) in his jail?
> If I do not jail him - no matter what is his passwd shell - he will be able to issue "ssh user at server /bin/sh" still, right?

sshd runs those commands via the user's login shell with the "-c" option, have a look at session.c:do_child(). As long as the user's login shell doesn't obey "-c" (or applies the same restrictions as for interactive use) then the user won't be able to run commands via "ssh server command".

They will, however be able to do port forwarding ("ssh -2 -N -L [foo] server").

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From djm at mindrot.org Wed Apr 13 21:58:43 2005
From: djm at mindrot.org (Damien Miller)
Date: Wed, 13 Apr 2005 21:58:43 +1000
Subject: Authctxt
In-Reply-To: <19322.1113388760@www33.gmx.net>
References: <28904.1113374834@www59.gmx.net> <19322.1113388760@www33.gmx.net>
Message-ID: <425D0973.4030603@mindrot.org>

Andreas Gaupmann wrote:
> Well, as Damien Miller pointed out: type 1 is used in the client code and type 2 in the server code. So they are not mixed up. The same is true for the functions "userauth_none". One is defined in sshconnect2.c on line 710 (client) the other in auth2-none.c on line 108 (server). Annoyingly, I missed that.
>
> So, has anyone some pointers to documents describing the structure and design of the code in more detail than the (obsolete) OVERVIEW file or the general drafts (or RFCs)?

The internet-drafts are essential reading, apart from this, the archive of this list has had a couple of explanations over the years.

-d

From dtucker at zip.com.au Wed Apr 13 22:14:47 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 13 Apr 2005 22:14:47 +1000
Subject: Convert keys (OpenSSL to OpenSSH)
In-Reply-To: <4245C2D5.4040507@yahoo.com>
References: <4245C2D5.4040507@yahoo.com>
Message-ID: <425D0D37.50605@zip.com.au>

Ben Hacker Jr wrote:
> I would like to use Public Key authentication with OpenSSH. I am trying to use a public / private key set created using CA.pl.
> http://www.openssl.org/docs/apps/CA.pl.html
[...]
> QUESTION: How do I convert the keys myself [using OpenSSL or...] so one unix box can talk/SSH to the other using public key authentication???

Why don't you just use ssh-keygen to create the keys? That's what it's for...

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From strbenjr at yahoo.com Wed Apr 13 22:37:59 2005
From: strbenjr at yahoo.com (Ben Hacker Jr)
Date: Wed, 13 Apr 2005 12:37:59 +0000 GMT
Subject: Convert keys (OpenSSL to OpenSSH)
Message-ID: <1508031560-1113395914-cardhu_blackberry.rim.net-28566-@engine70>

I want to keep my keys within my PKI. I don't know how to do that using "ssh-keygen".

Can ssh-keygen generate a Certificate REQUEST?? PKCS10?

-----Original Message-----
From: Darren Tucker
Date: Wed, 13 Apr 2005 22:14:47
To: Ben Hacker Jr
Cc: openssh-unix-dev at mindrot.org
Subject: Re: Convert keys (OpenSSL to OpenSSH)
[full quote of the previous message omitted]

Ben Hacker Jr (On: mobile mail editor)

From djm at mindrot.org Wed Apr 13 22:47:15 2005
From: djm at mindrot.org (Damien Miller)
Date: Wed, 13 Apr 2005 22:47:15 +1000
Subject: Convert keys (OpenSSL to OpenSSH)
In-Reply-To: <1508031560-1113395914-cardhu_blackberry.rim.net-28566-@engine70>
References: <1508031560-1113395914-cardhu_blackberry.rim.net-28566-@engine70>
Message-ID: <425D14D3.3020306@mindrot.org>

Ben Hacker Jr wrote:
> I want to keep my keys within my PKI. I don't know how to do that using "ssh-keygen".
>
> Can ssh-keygen generate a Certificate REQUEST?? PKCS10?

No, but "openssl req" can from an OpenSSH private key.

-d

From strbenjr at yahoo.com Wed Apr 13 23:12:42 2005
From: strbenjr at yahoo.com (Ben Hacker Jr)
Date: Wed, 13 Apr 2005 13:12:42 +0000 GMT
Subject: Convert keys (OpenSSL to OpenSSH)
Message-ID: <1197481087-1113397997-cardhu_blackberry.rim.net-8230-@engine31>

So... You are instructing me to:

1. Generate a keyset using ssh-keygen.
2. Use "Openssl req" to generate the Cert. request using the keys from ssh-keygen.
3. Submit this new cert request to my PKI for signing.

Correct? Any extra bits I need to be careful about??

-Ben

-----Original Message-----
From: Damien Miller
Date: Wed, 13 Apr 2005 22:47:15
To: Ben Hacker Jr
Cc: Darren Tucker, openssh-unix-dev at mindrot.org
Subject: Re: Convert keys (OpenSSL to OpenSSH)
[full quote of the previous message omitted]

Ben Hacker Jr (On: mobile mail editor)

From bob at proulx.com Thu Apr 14 02:51:11 2005
From: bob at proulx.com (Bob Proulx)
Date: Wed, 13 Apr 2005 10:51:11 -0600
Subject: ssh to target, scp back to source in same session without name resolution
In-Reply-To: <20050413083132.GA3784@dementia.proulx.com>
References: <425C16CB.9020604@gmx.at> <20050413083132.GA3784@dementia.proulx.com>
Message-ID: <20050413165111.GA8205@dementia.proulx.com>

Bob Proulx wrote:
> lars wrote:
> > "Problem":
> > I'm behind a firewall with my source host, I don't know the name or location of some files/directories on the target host,

A second suggestion. Use the 'sftp' interface.

  sftp host
  cd some/dir
  ls
  cd other/dir
  ls
  get

If I don't really know the name of the file and also do not have an agent running this allows me to start one connection, authenticate once, and then browse and cherry-pick files.

Bob

From sh at warma.dk Fri Apr 15 20:01:56 2005
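Ben's three steps (ssh-keygen, then "openssl req" on that key, then submit to the PKI), as an added example that is not from the thread and that answers his "extra bits" question with a check rather than advice: it confirms, before submission, that the public key inside the PKCS#10 request is the same key sshd will see in id_rsa.pub. Modern ssh-keygen writes its own private key format by default, so -m PEM is needed to get the PEM that openssl reads; the directory, key size and CN are assumptions. sshd itself still authenticates against the OpenSSH public key in authorized_keys; the X.509 certificate the PKI issues is for the PKI's records.

```shell
#!/bin/sh
# Added example (not from the thread): OpenSSH key pair -> PKCS#10 request,
# with a check that the request carries the same public key as id_rsa.pub.
# Requires ssh-keygen and openssl on PATH.

# 1. Generate the OpenSSH key pair. -m PEM asks for the PKCS#1 PEM private key
#    that openssl reads (in 2005 this was the only format, so no flag was needed).
#    Empty passphrase only for this demonstration.
make_key() {
    dir=$1
    ssh-keygen -q -t rsa -b 2048 -N '' -m PEM -f "$dir/id_rsa"
}

# 2. Build the PKCS#10 certificate request from that private key.
#    -subj avoids interactive prompts; the DN is what the PKI will sign.
#    The request's self-signature is verified before it goes anywhere.
make_csr() {
    dir=$1; cn=$2
    openssl req -new -key "$dir/id_rsa" -subj "/CN=$cn" -out "$dir/req.pem" 2>/dev/null &&
    openssl req -in "$dir/req.pem" -noout -verify >/dev/null 2>&1
}

# 3. Before submitting: the public key in the CSR must be byte-for-byte the
#    one in id_rsa.pub, i.e. the PKI certifies exactly the key sshd will use.
#    Both are converted to SubjectPublicKeyInfo DER and compared.
csr_matches_key() {
    dir=$1
    openssl req -in "$dir/req.pem" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER > "$dir/csr_pub.der" 2>/dev/null || return 1
    ssh-keygen -e -m PKCS8 -f "$dir/id_rsa.pub" 2>/dev/null \
        | openssl pkey -pubin -outform DER > "$dir/ssh_pub.der" 2>/dev/null || return 1
    cmp -s "$dir/csr_pub.der" "$dir/ssh_pub.der"
}

# Typical use (nothing runs at load time):
#   d=$(mktemp -d)
#   make_key "$d" && make_csr "$d" login.example.org && csr_matches_key "$d" \
#       && echo "submit $d/req.pem to the PKI; keep $d/id_rsa private"
```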
From: sh at warma.dk (Søren Hansen)
Date: Fri, 15 Apr 2005 12:01:56 +0200
Subject: PAM authentication
Message-ID: <1113559316.4762.8.camel@localhost.localdomain>

I find it annoying that openssh takes active part in the authentication process when using PAM. Namely, SSH doesn't pass the user's password if the getpwent for the user returns NULL.

I use a clever PAM setup that allows nonexisting users to log in if they are successfully authenticated against a Samba server. When the user logs in for the first time, he's added to the user database and obviously only then will a call to getpwnam be successful.

I propose a configuration option to allow the authentication token to be passed to PAM even if the user has no pw entry.

Thoughts?

--
Søren Hansen

From djm at mindrot.org Sat Apr 16 00:06:23 2005
From: djm at mindrot.org (Damien Miller)
Date: Sat, 16 Apr 2005 00:06:23 +1000 (EST)
Subject: PAM authentication
In-Reply-To: <1113559316.4762.8.camel@localhost.localdomain>
References: <1113559316.4762.8.camel@localhost.localdomain>
Message-ID:

On Fri, 15 Apr 2005, Søren Hansen wrote:
> I find it annoying that openssh takes active part in the authentication process when using PAM. Namely, SSH doesn't pass the user's password if the getpwent for the user returns NULL.

This has been covered many times on this list before. In short: if you want nss-like functionality then use nss, not pam.

-d

From emaste at phaedrus.sandvine.ca Sat Apr 16 00:27:06 2005
From: emaste at phaedrus.sandvine.ca (Ed Maste)
Date: Fri, 15 Apr 2005 10:27:06 -0400
Subject: PAM authentication
In-Reply-To: <1113559316.4762.8.camel@localhost.localdomain>
References: <1113559316.4762.8.camel@localhost.localdomain>
Message-ID: <20050415142706.GA87176@sandvine.com>

On Fri, Apr 15, 2005 at 12:01:56PM +0200, Søren Hansen wrote:
> I find it annoying that openssh takes active part in the authentication process when using PAM. Namely, SSH doesn't pass the user's password if the getpwent for the user returns NULL.
>
> I use a clever PAM setup that allows nonexisting users to log in if they are successfully authenticated against a Samba server. When the user logs in for the first time, he's added to the user database and obviously only then will a call to getpwnam be successful.
>
> I propose a configuration option to allow the authentication token to be passed to PAM even if the user has no pw entry.

You'll need to do more work than just passing in the token to PAM to make this work, though. Even if PAM returns success sshd still has authctxt->valid = 0.

You do need the getpwnamallow() call before auth though, to allow public key auth to work. You could try passing the token to PAM even if valid = 0, then call getpwnamallow() a second time if PAM auth succeeds to load the new pw entry.

--
Ed Maste
Sandvine Incorporated

From helm at es.net Sat Apr 16 06:28:51 2005
From: helm at es.net (michael helm)
Date: Fri, 15 Apr 2005 13:28:51 -0700
Subject: PAM authentication
References: <1113559316.4762.8.camel@localhost.localdomain>
Message-ID: <003c01c541f9$bdc5b4c0$ef0180c6@esn.es.net>

I would find this useful, for a similar, "outsourced" authentication application.

Thanks,
==mwh
Michael Helm
ESnet/LBNL

From bsven at msi.umn.edu Sat Apr 16 12:34:46 2005
From: bsven at msi.umn.edu (Bengt Svensson)
Date: Fri, 15 Apr 2005 21:34:46 -0500
Subject: Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)
Message-ID:

I have tried to update openssh-3.1p1 of our system that uses RH7.2 (Scyld). It is pretty much a standard Redhat 7.2 install with openssl-0.9.6b, zlib-1.1.4 etc.

I have gotten openssh to work after some initial issues, but I still have not been able to get openssh/sshd to work with tcp-wrappers.

I have in hosts.deny

  ALL: ALL:

and in hosts.allow

  ALL: localhost, 127.0.0.1, 192.168.1.

and still I can connect with ssh from outside that allowed ip range. tcp-wrapper is working, anything else but ssh is blocked. On another machine that is running the same OS but with openssh-3.1p1 the blocking works.

What could be the problem? Why can't I block ssh logins? Can someone explain to me what is going on and how I can improve the situation.

I followed the instructions in the INSTALL file and compiled a openssh-4.0p1 with the following options (to match the dirs of the previous version). The configure output is attached.

  $ ./configure --prefix= --sysconfdir=/etc/ssh --libexecdir=/usr/libexec/openssh --mandir=/usr/share/man --with-tcp-wrappers -with-md5-passwords
  $ make
  $ make install

To get things to work I had to perform the following steps that were not described in the INSTALL file. I wish the INSTALL file would have been more thorough and mentioned this.

  $ mkdir /var/empty
  $ chown root:sys /var/empty
  $ chmod 755 /var/empty
  $ groupadd -g 74 sshd
  $ useradd -g sshd -c 'Privilege-separated SSH' -u 74 -d /var/empty -s /bin/nologin sshd

I then restarted sshd with

  $ /etc/init.d/sshd restart

or rebooted the system.

The previous version might have had PAM included, but when I add -with-pam to configure, I get some more warnings at compile and an error of something like 'Unsupported option' when sshd is restarted and when I have UsePAM yes in the sshd_config file.
Another issue I have found is that when enabling the 'MaxAuthTries 3' option in sssh_config (as I have seen recommended) and restart sshd, I get the message 'Bad Configuration option' and sshd will not start.

I would appreciate any help.

Thanks,
Bengt Svensson

From tim at multitalents.net Sat Apr 16 12:51:20 2005
From: tim at multitalents.net (Tim Rice)
Date: Fri, 15 Apr 2005 19:51:20 -0700 (PDT)
Subject: Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)
In-Reply-To:
References:
Message-ID:

On Fri, 15 Apr 2005, Bengt Svensson wrote:
> I have tried to update openssh-3.1p1 of our system that uses RH7.2 (Scyld). It is pretty much a standard Redhat 7.2 install with openssl-0.9.6b, zlib-1.1.4 etc.
>
> I have gotten openssh to work after some initial issues, but I still have not been able to get openssh/sshd to work with tcp-wrappers.
>
> I have in hosts.deny
>   ALL: ALL:
> and in hosts.allow
>   ALL: localhost, 127.0.0.1, 192.168.1.
> and still I can connect with ssh from outside that allowed ip range. tcp-wrapper is working, anything else but ssh is blocked. On another machine that is running the same OS but with openssh-3.1p1 the blocking works.

What happens if you put this in hosts.allow?

  sshd: localhost 192.168.1.0/255.255.255.0: ALLOW

> What could be the problem? Why can't I block ssh logins?
> Can someone explain to me what is going on and how I can improve the situation.
[snip]

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From dtucker at zip.com.au Sat Apr 16 13:02:47 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 16 Apr 2005 13:02:47 +1000
Subject: Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)
In-Reply-To:
References:
Message-ID: <42608057.3050002@zip.com.au>

Bengt Svensson wrote:
> I have tried to update openssh-3.1p1 of our system that uses RH7.2 (Scyld). It is pretty much a standard Redhat 7.2 install with openssl-0.9.6b, zlib-1.1.4 etc.
>
> I have gotten openssh to work after some initial issues, but I still have not been able to get openssh/sshd to work with tcp-wrappers.
>
> I have in hosts.deny
>   ALL: ALL:

That should be "ALL: ALL" without the trailing colon.

> and in hosts.allow
>   ALL: localhost, 127.0.0.1, 192.168.1.
> and still I can connect with ssh from outside that allowed ip range. tcp-wrapper is working, anything else but ssh is blocked. On another machine that is running the same OS but with openssh-3.1p1 the blocking works.

Are you using a tcpwrappers shipped with the OS (which will probably use /etc/hosts.{allow,deny}) or one built from source (which will probably use /usr/local/etc/hosts.{allow,deny})?

> What could be the problem? Why can't I block ssh logins?
> Can someone explain to me what is going on and how I can improve the situation.
>
> I followed the instructions in the INSTALL file and compiled a openssh-4.0p1 with the following options (to match the dirs of the previous version). The configure output is attached.
>
>   $ ./configure --prefix= --sysconfdir=/etc/ssh --libexecdir=/usr/libexec/openssh --mandir=/usr/share/man --with-tcp-wrappers -with-md5-passwords

You're missing a "-" in front of "--with-md5-passwords".

> To get things to work I had to perform the following steps that were not described in the INSTALL file. I wish the INSTALL file would have been more thorough and mentioned this.

Those are documented in README.privsep. Perhaps INSTALL should reference it?

[...]
> The previous version might have had PAM included, but when I add
> -with-pam to configure. I get some more warnings at compile and an error

That should be --with-pam, and building with it will require the PAM header files (ie the pam-devel package).

> of something like 'Unsupported option' when sshd is restarted and when I
> have UsePAM yes in the sshd_config file.
>
> Another issue I have found is that when enabling the 'MaxAuthTries 3'
> option in sssh_config (as I have seen recommended) and restart sshd, I

MaxAuthTries goes in sshd_config not ssh_config.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From frederik at a5.repetae.net Sun Apr 17 09:46:43 2005
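An added example, not from the thread, OpenSSH or libwrap: a small Python model of the hosts_access decision order, run over Bengt's hosts.deny/hosts.allow pair and Tim Rice's suggested line above. The peer names and addresses are constructed, and the parser's refusal of the trailing colon in 'ALL: ALL:' is a choice of this toy rather than a statement about how libwrap parses that line.

```python
"""Toy model of the tcp_wrappers decision an sshd built --with-tcp-wrappers
hands to libwrap.  Constructed for this thread, not libwrap itself; it covers
only the rule forms used here: ALL, host names, trailing-dot address
prefixes, net/mask, and the ALLOW/DENY option keyword."""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[List[str], List[str], Optional[str]]  # daemons, clients, option


def _split_list(field: str) -> List[str]:
    """Daemon and client lists may be separated by commas and/or blanks."""
    return field.replace(",", " ").split()


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: ALLOW|DENY]' lines.

    Choice of this toy: an empty field is a syntax error, so 'ALL: ALL:'
    (trailing colon) is reported instead of silently accepted.  The real
    library's shell-command option is not supported."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) not in (2, 3) or not all(fields):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        option = fields[2].upper() if len(fields) == 3 else None
        if option not in (None, "ALLOW", "DENY"):
            raise ValueError(f"line {lineno}: unsupported option {fields[2]!r}")
        rules.append((_split_list(fields[0]), _split_list(fields[1]), option))
    return rules


def is_well_formed(text: str) -> bool:
    """True if every rule in the file parses under the rules above."""
    try:
        parse_rules(text)
    except ValueError:
        return False
    return True


def client_matches(pattern: str, host: str, addr: str) -> bool:
    """Match one client pattern against the peer's host name and address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):              # address prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    if "/" in pattern:                     # net/mask or net/prefixlen
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern.lower() == host.lower() or pattern == addr


def rule_matches(rule: Rule, daemon: str, host: str, addr: str) -> bool:
    """A rule applies when both its daemon list and its client list match."""
    daemons, clients, _ = rule
    if not any(d in ("ALL", daemon) for d in daemons):
        return False
    return any(client_matches(c, host, addr) for c in clients)


def hosts_access(daemon: str, host: str, addr: str,
                 allow_text: str, deny_text: str) -> bool:
    """Decide one connection in hosts_access(5) order: the first match in
    hosts.allow grants (unless it says DENY), then the first match in
    hosts.deny refuses (unless it says ALLOW), otherwise access is granted."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, host, addr):
            return rule[2] != "DENY"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, host, addr):
            return rule[2] == "ALLOW"
    return True


# Constructed sample files: the thread's pair (trailing colon removed, as
# Darren points out) and Tim Rice's proposed hosts.allow line.
DENY_ALL = "ALL: ALL\n"
ALLOW_ORIGINAL = "ALL: localhost, 127.0.0.1, 192.168.1.\n"
ALLOW_TIM = "sshd: localhost 192.168.1.0/255.255.255.0: ALLOW\n"


def demo() -> dict:
    """Evaluate constructed peers against both hosts.allow variants; each
    value is (result with ALLOW_ORIGINAL, result with ALLOW_TIM)."""
    peers = {
        "lan_ssh": ("sshd", "desk", "192.168.1.25"),
        "wan_ssh": ("sshd", "ext.example.net", "203.0.113.7"),
        "lan_smtp": ("sendmail", "desk", "192.168.1.25"),
        "other_lan_ssh": ("sshd", "other", "192.168.2.25"),
    }
    return {name: (hosts_access(*peer, ALLOW_ORIGINAL, DENY_ALL),
                   hosts_access(*peer, ALLOW_TIM, DENY_ALL))
            for name, peer in peers.items()}


if __name__ == "__main__":
    for name, (orig, tim) in demo().items():
        print(f"{name:14s} original={orig!s:5s} tim's line={tim}")
```

Note that Tim's form restricts the daemon as well as the client, so with it in place a LAN host reaching sendmail falls through to the deny rule, where the original ALL-daemon line let it in.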
From: frederik at a5.repetae.net (Frederik Eaton)
Date: Sat, 16 Apr 2005 16:46:43 -0700
Subject: caching
In-Reply-To: <4246B5F4.3060504@mindrot.org>
References: <20050310031604.GA29384@a5.repetae.net> <20050324034139.GA11181@a5.repetae.net> <4246B5F4.3060504@mindrot.org>
Message-ID: <20050416234643.GA26617@a5.repetae.net>

On Sun, Mar 27, 2005 at 11:32:36PM +1000, Damien Miller wrote:
> Frederik Eaton wrote:
> >Also, terminal resizing doesn't seem to work through cached
> >connections...
>
> It works for me.

OK, how are you using it? Do you have a script which manages a directory of sockets for different hosts? If so I would like to see it. I wrote a script which does this (and also makes sure that separate command arguments turn into separate command arguments on the remote side, rather than being split on ' ', as discussed earlier), but I don't know how correct it is.

http://ofb.net/~frederik/misc/ssh-wrapper

One problem with asking users to write their own wrapper scripts to implement basic features is that fixing the bugs that crop up in different environments can become very difficult. (Also, it would be nice if the ssh distribution could include a template wrapper script that parses the ssh command line options in 'sh' so users don't have to duplicate this effort)

I've filed bugs as requested, for version 3.9p1. I don't have time to reverify the problems on 4.0 unless you really think that they've been fixed there.

Frederik

From dtucker at zip.com.au Sun Apr 17 10:02:51 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 17 Apr 2005 10:02:51 +1000
Subject: caching
In-Reply-To: <20050416234643.GA26617@a5.repetae.net>
References: <20050310031604.GA29384@a5.repetae.net> <20050324034139.GA11181@a5.repetae.net> <4246B5F4.3060504@mindrot.org> <20050416234643.GA26617@a5.repetae.net>
Message-ID: <4261A7AB.8030807@zip.com.au>

Frederik Eaton wrote:
> I've filed bugs as requested, for version 3.9p1. I don't have time to
> reverify the problems on 4.0 unless you really think that they've been
> fixed there.

Several bugs relating to the connection caching code *were* fixed in 4.0. From the changelog:

 - djm at cvs.openbsd.org 2004/10/29 21:47:15
   [channels.c channels.h clientloop.c]
   fix some window size change bugs for multiplexed connections: windows
   sizes were not being updated if they had changed after ~^Z suspends and
   SIGWINCH was not being processed unless the first connection had
   requested a tty; ok markus

So, yes, you need to retest on 4.0...

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From Matthias.Graebel at gedas-onsite.de Mon Apr 18 20:06:41 2005
From: Matthias.Graebel at gedas-onsite.de (Graebel, Matthias)
Date: Mon, 18 Apr 2005 12:06:41 +0200
Subject: X11 connection rejected because of wrong authentication

Hello, I am new at ssh, think it is a simple config problem, but have not found the error.

When I connect from a client (winpc via cygwin) to server A (hpup) the connection and xlogo is okay.
When I connect from the same client to server B I got the following error message.
The problem is only by starting xlogo, the connection via ssh to Server A+B is okay.
The sshd_config on server a+b is the same.

grep -i x11 /usr/local/etc/sshd_config
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes

Where is the problem, what can I do?

bes at Server / > xlogo
debug1: client_input_channel_open: ctype x11 rchan 2 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 55698
debug2: fd 7 setting O_NONBLOCK
debug3: fd 7 is O_NONBLOCK
debug1: channel 1: new [x11]
debug1: confirm x11
debug2: X11 connection uses different authentication protocol.
X11 connection rejected because of wrong authentication.
debug2: X11 rejected 1 i0/o0
debug2: channel 1: read failed
debug2: channel 1: close_read
debug2: channel 1: input open -> drain
debug2: channel 1: ibuf empty
debug2: channel 1: send eof
debug2: channel 1: input drain -> closed
debug2: channel 1: write failed
debug2: channel 1: close_write
debug2: channel 1: output open -> closed
debug2: X11 closed 1 i3/o3
debug2: channel 1: send close
debug2: channel 1: rcvd close
debug2: channel 1: is dead
debug2: channel 1: garbage collecting
debug1: channel 1: free: x11, nchannels 2
debug3: channel 1: status: The following connections are open:
  #0 client-session (t4 r0 i0/0 o0/104 fd 4/5 cfd -1)
  #1 x11 (t7 r2 i3/0 o3/0 fd 7/7 cfd -1)

/usr/local/sbin/sshd -d -p 22
debug1: sshd version OpenSSH_4.0p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: rexec_argv[0]='/usr/local/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='22'
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from client_ip port 4253
debug1: Client protocol version 2.0; client software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_4.0
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 zlib
debug1: kex: server->client aes128-cbc hmac-md5 zlib
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
WARNING: /usr/local/etc/moduli does not exist, using fixed modulus
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user bes service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for bes from client_ip port 4253 ssh2
debug1: userauth-request for user bes service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=bes devs=
debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for bes from client_ip port 4253 ssh2
debug1: userauth-request for user bes service ssh-connection method password
debug1: attempt 2 failures 2
Could not get shadow information for bes
Accepted password for bes from client_ip port 4253 ssh2
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request x11-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req x11-req
debug1: channel 1: new [X11 inet listener]
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/0
debug1: Ignoring unsupported tty mode opcode 12 (0xc)
debug1: Ignoring unsupported tty mode opcode 18 (0x12)
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: X11 connection requested.
debug1: channel 2: new [X11 connection from 127.0.0.1 port 55536]
debug1: channel 2: free: X11 connection from 127.0.0.1 port 55536, nchannels 3

grm at TEST_CLIENT ~
$ ssh -CXvvv bes at remotehost
OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004
debug2: ssh_connect: needpriv 0
debug1: Connecting to remotehost [remotehost] port 22.
debug1: Connection established.
debug1: identity file /cygdrive/h/.ssh/identity type -1
debug1: identity file /cygdrive/h/.ssh/id_rsa type -1
debug1: identity file /cygdrive/h/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.0
debug1: match: OpenSSH_4.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: zlib,none
debug2: kex_parse_kexinit: zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 zlib
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 zlib
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 980/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /cygdrive/h/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug1: Host 'remotehost' is known and matches the RSA host key.
debug1: Found key in /cygdrive/h/.ssh/known_hosts:3
debug2: bits set: 1022/2048
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /cygdrive/h/.ssh/identity (0x0)
debug2: key: /cygdrive/h/.ssh/id_rsa (0x0)
debug2: key: /cygdrive/h/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /cygdrive/h/.ssh/identity
debug3: no such identity: /cygdrive/h/.ssh/identity
debug1: Trying private key: /cygdrive/h/.ssh/id_rsa
debug3: no such identity: /cygdrive/h/.ssh/id_rsa
debug1: Trying private key: /cygdrive/h/.ssh/id_dsa
debug3: no such identity: /cygdrive/h/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
bes at remotehost's password:
debug3: packet_send2: adding 32 (len 27 padlen 5 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-kBPMsg1836/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null
debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-kBPMsg1836/xauthfile list :0.0 . 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 0
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 0
debug3: tty_make_modes: ospeed 38400
debug3: tty_make_modes: ispeed 38400
debug3: tty_make_modes: 1 3
debug3: tty_make_modes: 2 28
debug3: tty_make_modes: 3 127
debug3: tty_make_modes: 4 21
debug3: tty_make_modes: 5 4
debug3: tty_make_modes: 6 0
debug3: tty_make_modes: 7 0
debug3: tty_make_modes: 8 17
debug3: tty_make_modes: 9 19
debug3: tty_make_modes: 10 26
debug3: tty_make_modes: 12 18
debug3: tty_make_modes: 13 23
debug3: tty_make_modes: 14 22
debug3: tty_make_modes: 18 15
debug3: tty_make_modes: 30 0
debug3: tty_make_modes: 31 0
debug3: tty_make_modes: 32 0
debug3: tty_make_modes: 33 0
debug3: tty_make_modes: 34 0
debug3: tty_make_modes: 35 0
debug3: tty_make_modes: 36 1
debug3: tty_make_modes: 37 0
debug3: tty_make_modes: 38 1
debug3: tty_make_modes: 39 0
debug3: tty_make_modes: 40 0
debug3: tty_make_modes: 41 0
debug3: tty_make_modes: 50 1
debug3: tty_make_modes: 51 1
debug3: tty_make_modes: 53 1
debug3: tty_make_modes: 54 1
debug3: tty_make_modes: 55 1
debug3: tty_make_modes: 56 0
debug3: tty_make_modes: 57 0
debug3: tty_make_modes: 58 0
debug3: tty_make_modes: 59 1
debug3: tty_make_modes: 60 1
debug3: tty_make_modes: 61 1
debug3: tty_make_modes: 70 1
debug3: tty_make_modes: 71 0
debug3: tty_make_modes: 72 1
debug3: tty_make_modes: 73 0
debug3: tty_make_modes: 74 0
debug3: tty_make_modes: 75 0
debug3: tty_make_modes: 90 1
debug3: tty_make_modes: 91 1
debug3: tty_make_modes: 92 0
debug3: tty_make_modes: 93 0
debug2: channel 0: request shell confirm 0
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
Last login: Mon Apr 18 10:06:58 2005 from TESTPC
(c)Copyright 1983-2000 Hewlett-Packard Co., All Rights Reserved.
(c)Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California
(c)Copyright 1980, 1984, 1986 Novell, Inc.
(c)Copyright 1986-1992 Sun Microsystems, Inc.
(c)Copyright 1985, 1986, 1988 Massachusetts Institute of Technology
(c)Copyright 1989-1993 The Open Software Foundation, Inc.
(c)Copyright 1986 Digital Equipment Corp.
(c)Copyright 1990 Motorola, Inc.
(c)Copyright 1990, 1991, 1992 Cornell University
(c)Copyright 1989-1991 The University of Maryland
(c)Copyright 1988 Carnegie Mellon University
(c)Copyright 1991-2000 Mentat Inc.
(c)Copyright 1996 Morning Star Technologies, Inc.
(c)Copyright 1996 Progressive Systems, Inc.
(c)Copyright 1991-2000 Isogon Corporation, All Rights Reserved.

RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the U.S. Government is subject to restrictions as set forth in sub-paragraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause in DFARS 252.227-7013.

Hewlett-Packard Company
3000 Hanover Street
Palo Alto, CA 94304 U.S.A.

Rights for non-DOD U.S. Government Departments and Agencies are as set forth in FAR 52.227-19(c)(1,2).
> echo $DISPLAY
localhost:10.0
> echo $XAUTORITY

> xauth list
localhost/unix:10  MIT-MAGIC-COOKIE-1  xxxxxxxxxxxx
localhost:10  MIT-MAGIC-COOKIE-1  xxxxxxxxxx
servername/unix:10  MIT-MAGIC-COOKIE-1  xxxxxxxxx

Kind regards
Matthias Gräbel

-----------------------------------------------------------------
gedas on site services GmbH
Distributed Systems & Support
Schellerdamm 16, D-21079 Hamburg
Telefon/phone +49-40-79 7007-30
Telefax/telefax +49-40-79 7007-10
Pascalstraße 10, D-10587 Berlin
Telefon/phone +49-30-3997-1293
-----------------------------------------------------------------

From dtucker at zip.com.au Mon Apr 18 23:34:25 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 18 Apr 2005 23:34:25 +1000
Subject: X11 connection rejected because of wrong authentication
Message-ID: <4263B761.1070100@zip.com.au>

Graebel, Matthias wrote:
> Hello, I am new at ssh, think it is a simple config problem, but have not
> found the error.
>
> When I connect from a client (winpc via cygwin) to server A (hpup) the
> connection and xlogo is okay.
> When I connect from the same client to server B I got the following error
> message.
> The problem is only by starting xlogo, the connection via ssh to Server A+B
> is okay.
> The sshd_config on server a+b is the same.
>
> grep -i x11 /usr/local/etc/sshd_config
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes

I've answered this elsewhere, but... depending on the vintage of the HP-UX box, you probably need to put "X11UseLocalhost no" in the server's sshd_config and restart sshd. See http://www.openssh.com/faq.html#3.12

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From bsven at msi.umn.edu Tue Apr 19 11:48:01 2005
From: bsven at msi.umn.edu (Bengt Svensson)
Date: Mon, 18 Apr 2005 20:48:01 -0500
Subject: Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)
In-Reply-To: <42608057.3050002@zip.com.au>
References: <42608057.3050002@zip.com.au>

I am sorry I made a couple of typos in my post. See below for corrections.

On Sat, 16 Apr 2005, Darren Tucker wrote:

> Bengt Svensson wrote:
>> I have tried to update openssh-3.1p1 of our system that uses RH7.2
>> (Scyld). It is pretty much a standard Redhat 7.2 install with
>> openssl-0.9.6b, zlib-1.1.4 etc.
>>
>> I have gotten openssh to work after some initial issues, but I still have
>> not been able to get openssh/sshd to work with tcp-wrappers.
>>
>> I have in hosts.deny
>> ALL: ALL:
>

The actual line is "ALL: ALL", I made a typo.

> That should be "ALL: ALL" without the trailing colon.
>
>> and in hosts.allow
>> ALL: localhost, 127.0.0.1, 192.168.1.
>> and still I can connect with ssh from outside that allowed ip range.
>> tcp-wrapper is working, anything else but ssh is blocked. On another
>> machine that is running the same OS but with openssh-3.1p1 the blocking
>> works.
>
> Are you using a tcpwrappers shipped with the OS (which will probably use
> /etc/hosts.{allow,deny}) or one built from source (which will probably use
> /usr/local/etc/hosts.{allow,deny})?
>

I use the tcpwrappers that shipped with the OS. The files hosts.{allow,deny} are in /etc. And they work in blocking everything but ssh, for example access to sendmail is blocked. I tried to put copies of the hosts.{allow,deny} in /usr/local/etc in case openssh-4.0p1 would be looking for the files there, but that did not help.

>> What could be the problem? Why can't I block ssh logins?
>> Can someone explain to me what is going on and how I can improve the
>> situation.
>>
>> I followed the instructions in the INSTALL file and compiled a
>> openssh-4.0p1 with the following options (to match the dirs of the
>> previous version). The configure output is attached.
>>
>> $ ./configure --prefix= --sysconfdir=/etc/ssh
>> --libexecdir=/usr/libexec/openssh --mandir=/usr/share/man
>> --with-tcp-wrappers -with-md5-passwords
>
> You're missing a "-" in front of "--with-md5-passwords".
>

I meant "--", I made a typo.

>> To get things to work I had to perform the following steps that were not
>> described in the INSTALL file. I wish the INSTALL file would have been
>> more thorough and mentioned this.
>
> Those are documented in README.privsep. Perhaps INSTALL should reference it?
>
> [...]

It certainly would be useful for newbies and others as well to have more detailed instructions.

>> The previous version might have had PAM included, but when I add -with-pam
>> to configure. I get some more warnings at compile and an error
>
> That should be --with-pam, and building with it will require the PAM header
> files (ie the pam-devel package).
>

I had "--with-pam", I made a typo in the message. I have the rpm for the pam-devel package installed, but still have the problems with PAM. Do I need to specify some directories? The INSTALL did not state that it was necessary. The configure script seems to find PAM.

$ ./configure ..... | grep pam
checking pam/pam_appl.h usability... no
checking pam/pam_appl.h presence... no
checking for pam/pam_appl.h... no
checking security/pam_appl.h usability... yes
checking security/pam_appl.h presence... yes
checking for security/pam_appl.h... yes
checking for pam_set_item in -lpam... yes
checking for pam_getenvlist... yes
checking for pam_putenv... yes
checking whether pam_strerror takes only one argument... no

This is the end part of the output from ./configure

OpenSSH has been configured with the following options:
                     User binaries: /bin
                   System binaries: /sbin
               Configuration files: /etc/ssh
                   Askpass program: /usr/libexec/openssh/ssh-askpass
                      Manual pages: /usr/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
                    Manpage format: doc
                       PAM support: yes
                 KerberosV support: no
                 Smartcard support: no
                     S/KEY support: no
              TCP Wrappers support: yes
              MD5 password support: yes
                   libedit support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY

              Host: i686-pc-linux-gnu
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags:
      Linker flags:
         Libraries: -lwrap -lpam -ldl -lresolv -lcrypto -lutil -lz -lnsl -lcrypt

PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. Example PAM control files can be found in the contrib/ subdirectory

>> of something like 'Unsupported option' when sshd is restarted and when I
>> have UsePAM yes in the sshd_config file.
>>
>> Another issue I have found is that when enabling the 'MaxAuthTries 3'
>> option in sssh_config (as I have seen recommended) and restart sshd, I
>
> MaxAuthTries goes in sshd_config not ssh_config.
>

I made another typo. I meant the sshd_config file.

> -- 
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>

Once the problem with the typos has been clarified: any suggestions why openssh-4.0p1 will not work with tcpwrappers? What else could I have missed? How can I troubleshoot this further?

My purpose for installing openssh-4.0p1 replacing openssh-3.1p1 is to improve security.
However, since I cannot get the tcpwrappers to work with openssh-4.0p1 on our RH7.2 (Scyld) system, I may be better off reverting back to openssh-3.1p1 where tcpwrappers works.

I'll appreciate any comments or suggestions.

Thanks,
Bengt Svensson

From dtucker at zip.com.au Tue Apr 19 12:18:51 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 19 Apr 2005 12:18:51 +1000
Subject: Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)
References: <42608057.3050002@zip.com.au>
Message-ID: <42646A8B.3090100@zip.com.au>

Bengt Svensson wrote:
>> Those are documented in README.privsep. Perhaps INSTALL should
>> reference it?
> It certainly would be useful for newbies and others as well to have more
> detailed instructions.

Alright, will add.

[...]
> OpenSSH has been configured with the following options:
> User binaries: /bin
> System binaries: /sbin

You realise that Redhat's default binaries live in /usr/{bin,sbin} not /{bin,sbin}, right?

[...]
> PAM is enabled. You may need to install a PAM control file
> for sshd, otherwise password authentication may fail.
> Example PAM control files can be found in the contrib/
> subdirectory

[...]
>>> of something like 'Unsupported option' when sshd is restarted and
>>> when I have UsePAM yes in the sshd_config file.
>>>
>>> Another issue I have found is that when enabling the 'MaxAuthTries
>>> 3' option in sssh_config (as I have seen recommended) and restart
>>> sshd, I

This sounds very much like you're not running the sshd that you just built. What does /path/to/sshd -V report? Is the datestamp on the file fresh?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From rschubnell at paninfo.com Tue Apr 19 20:23:12 2005
From: rschubnell at paninfo.com (rschubnell at paninfo.com)
Date: Tue, 19 Apr 2005 12:23:12 +0200
Subject: OpenSSL Installation Problem after Migration AIX 4.3.3 to AIX 5.2

We have a problem installing the packages:

openssl-0.9.6m-1
openssl-devel-0.9.6m-1
openssl-doc-0.9.6m-1

After we migrated from AIX 4.3.3 to AIX 5.2 I removed the old version rpm and want to reinstall openssl and openssh. If I try to install openssl I have the following error message:

# rpm -ivh openssl-0.9.6m-1.aix5.1.ppc.rpm openssl-devel-0.9.6m-1.aix5.1.ppc.rpm openssl-doc-0.9.6m-1.aix5.1.ppc.rpm
error: failed dependencies:
        /bin/sh is needed by openssl-0.9.6m-1
        /usr/bin/perl is needed by openssl-0.9.6m-1
        libc.a(shr.o) is needed by openssl-0.9.6m-1

I have a lot of machines running this ssl package version, but all of them were installed from scratch.

If I force the package installation, the ssh-keygen and sshd want running. ( without error messages )

I have compiled my ssh package with this SSL version and:

blibpath=/usr/lib:/lib:/usr/local/lib:/opt/freeware/lib
export blibpath
./configure --with-ssl-dir=/opt/freeware --sysconfdir=/etc/ssh \
    --with-zlib=/usr/local --with-ipaddr-display --prefix=/opt/ssh

If I run the findssl script I have the following output:

# sh findssl.sh
Searching for OpenSSL header files.
        0x009060dfL /opt/freeware/include/openssl/opensslv.h

From dtucker at zip.com.au Tue Apr 19 21:02:21 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 19 Apr 2005 21:02:21 +1000
Subject: OpenSSL Installation Problem after Migration AIX 4.3.3 to AIX 5.2
Message-ID: <4264E53D.3040903@zip.com.au>

rschubnell at paninfo.com wrote:
> If I force the package installation, the ssh-keygen and sshd want running.
> ( without error messages )
> I have compiled my ssh package with this SSL version and:

I'm not sure I understand: OpenSSH compiles OK but won't run? Does, eg, ./ssh -V produce any output? The steps you had looked correct.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From rschubnell at paninfo.com Tue Apr 19 21:45:36 2005
From: rschubnell at paninfo.com (rschubnell at paninfo.com)
Date: Tue, 19 Apr 2005 13:45:36 +0200
Subject: Antwort: Re: OpenSSL Installation Problem after Migration AIX 4.3.3 to AIX 5.2

Hi

I had compiled my ssh version on my package server. This is the version:
OpenSSH_3.9p1, OpenSSL 0.9.6m 17 Mar 2004

I install my servers over NIM with the versions above.

My problem is that I migrated one server from AIX 4.3.3 to AIX 5.2. After the migration we deinstalled the openssl and openssh and installed the new version.

What I don't understand is why the prerequisites will not be found in the openssl installation procedure.

# rpm -ivh openssl-0.9.6m-1.aix5.1.ppc.rpm openssl-devel-0.9.6m-1.aix5.1.ppc.rpm openssl-doc-0.9.6m-1.aix5.1.ppc.rpm
error: failed dependencies:
        /bin/sh is needed by openssl-0.9.6m-1
        /usr/bin/perl is needed by openssl-0.9.6m-1
        libc.a(shr.o) is needed by openssl-0.9.6m-1

Do you know how the rpm install script checks the requisites?

Kind Regards

From dtucker at zip.com.au Tue Apr 19 22:01:50 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 19 Apr 2005 22:01:50 +1000
Subject: Antwort: Re: OpenSSL Installation Problem after Migration AIX 4.3.3 to AIX 5.2
Message-ID: <4264F32E.8010805@zip.com.au>

rschubnell at paninfo.com wrote:
> My problem is that I migrated one server from AIX 4.3.3 to AIX 5.2.
> After the migration we deinstalled the openssl and openssh and installed
> the new version.
>
> What I don't understand is why the prerequisites will not be found in the
> openssl installation procedure.

I don't know (I build OpenSSL from source myself). We can't help you with the OpenSSL rpm here, though, since this is the OpenSSH list. You'll probably need to ask wherever IBM does support for their OpenSSL rpms.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dan at lightwave.net.ru Tue Apr 19 23:45:37 2005
From: dan at lightwave.net.ru (Dan Yefimov)
Date: Tue, 19 Apr 2005 17:45:37 +0400 (MSD)
Subject: Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)

On Mon, 18 Apr 2005, Bengt Svensson wrote:

> Once the problem with the typos has been clarified. Any suggestions why
> openssh-4.0p1 will not work with tcpwrappers? What else could I have
> missed? How can I troubleshoot this further?
>

It doesn't work since, while using privilege separation, the unprivileged part interacting with a client and checking access permissions runs in a chroot'ed environment where /etc/hosts.{allow,deny} don't exist. There are 2 different solutions: either disable privilege separation, or copy the mentioned files under /var/empty/etc. Generally speaking, privilege separation breaks many things, which was noticed many times on this list by different people, so unless you absolutely need it, disable it.

>
> My purpose for installing openssh-4.0p1 replacing openssh-3.1p1 is to
> improve security. However, since I cannot get the tcpwrappers to work with
> openssh-4.0p1 on our RH7.2 (Scyld) system. I may be better off reverting
> back to openssh-3.1p1 where tcpwrappers works.
>

As it was noticed above, there's no need for that.

-- 
Sincerely Your, Dan.

From edgy at us.ibm.com Tue Apr 19 23:53:36 2005
From: edgy at us.ibm.com (Edward Geraghty)
Date: Tue, 19 Apr 2005 09:53:36 -0400
Subject: Antwort: Re: OpenSSL Installation Problem after Migration AIX 4.3.3 to AIX 5.2
In-Reply-To: 
Message-ID: 

If you want to see what the SPEC file looked like, the IBM AIX toolbox download site is below:
http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html

OpenSSL and other high-encryption rpms are available from (need to register, "free"):
http://www6.software.ibm.com/dl/aixtbx/aixtbx-p

Make sure you have the perl LPP installed. It should be on the installation media somewhere.

# lslpp -L "perl*"
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  perl.libext               2.1.0.10    C     F    Perl Library Extensions
  perl.rte                  5.8.2.10    C     F    Perl Version 5 Runtime Environment

State codes:
 A -- Applied.
 B -- Broken.
 C -- Committed.
 E -- EFIX Locked.
 O -- Obsolete.  (partially migrated to newer version)
 ? -- Inconsistent State...Run lppchk -v.

Type codes:
 F -- Installp Fileset
 P -- Product
 C -- Component
 T -- Feature
 R -- RPM Package

EdGy

rschubnell at paninfo.com wrote on 04/19/2005 07:45 (To: Darren Tucker; cc: rschubnell at paninfo.com, openssh-unix-dev at mindrot.org; Subject: Antwort: Re: OpenSSL Installation Problem after Migration AIX 4.3.3 to AIX 5.2):

Hi

I had compiled my ssh version on my package server. This is the version:
OpenSSH_3.9p1, OpenSSL 0.9.6m 17 Mar 2004

I install my server over NIM with the versions above.
My problem is that I migrated one server from AIX 4.3.3 to AIX 5.2. After the migration we deinstalled the openssl and openssh and installed the new version.

What I don't understand is why the prerequisites will not be found in the openssl installation procedure.

# rpm -ivh openssl-0.9.6m-1.aix5.1.ppc.rpm openssl-devel-0.9.6m-1.aix5.1.ppc.rpm openssl-doc-0.9.6m-1.aix5.1.ppc.rpm
error: failed dependencies:
        /bin/sh is needed by openssl-0.9.6m-1
        /usr/bin/perl is needed by openssl-0.9.6m-1
        libc.a(shr.o) is needed by openssl-0.9.6m-1

Do you know how the rpm install script checks the requisites?

Kind regards

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From rschubnell at paninfo.com Tue Apr 19 23:58:22 2005
From: rschubnell at paninfo.com (rschubnell at paninfo.com)
Date: Tue, 19 Apr 2005 15:58:22 +0200
Subject: Antwort: Re: Antwort: Re: OpenSSL Installation Problem after Migration AIX 4.3.3 to AIX 5.2
Message-ID: 

Hi

# lslpp -l perl.rte
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  perl.rte                   5.8.0.0  COMMITTED  Perl Version 5 Runtime Environment

# lppchk -vm3
# perl -V
Summary of my perl5 (revision 5.0 version 8 subversion 0) configuration:
  Platform:
    osname=aix, osvers=5.2.0.0, archname=aix-thread-multi
    uname='aix rocky 2 5 000ad7df4c00 '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc_r', ccflags ='-D_ALL_SOURCE -D_ANSI_C_SOURCE -D_POSIX_SOURCE -qmaxmem=16384 -qnoansialias -DUSE_NATIVE_DLOPEN -DNEED_PTHREAD_INIT -q32 -D_LARGE_FILES -qlonglong',
    optimize='-O',
    cppflags='-D_ALL_SOURCE -D_ANSI_C_SOURCE -D_POSIX_SOURCE -qmaxmem=16384 -qnoansialias -DUSE_NATIVE_DLOPEN -DNEED_PTHREAD_INIT'
    ccversion='', gccversion='', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=4321
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=8
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='ld', ldflags =' -brtl -b32'
    libpth=/lib /usr/lib /usr/ccs/lib
    libs=-lbind -lnsl -ldbm -ldl -lld -lm -lpthreads -lc_r -lcrypt -lbsd -lPW
    perllibs=-lbind -lnsl -ldl -lld -lm -lpthreads -lc_r -lcrypt -lbsd -lPW
    libc=/lib/libc.a, so=a, useshrplib=true, libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_aix.xs, dlext=so, d_dlsymun=undef, ccdlflags=' -bE:/usr/opt/perl5/lib/5.8.0/aix-thread-multi/CORE/perl.exp'
    cccdlflags=' ', lddlflags='-bhalt:4 -bM:SRE -bI:$(PERL_INC)/perl.exp -bE:$(BASEEXT).exp -bnoentry -lpthreads -lc_r'


Characteristics of this binary (from libperl):
  Compile-time options: MULTIPLICITY USE_ITHREADS USE_LARGE_FILES PERL_IMPLICIT_CONTEXT
  Built under aix
  Compiled at Jul 26 2002 13:48:15
  @INC:
    /usr/opt/perl5/lib/5.8.0/aix-thread-multi
    /usr/opt/perl5/lib/5.8.0
    /usr/opt/perl5/lib/site_perl/5.8.0/aix-thread-multi
    /usr/opt/perl5/lib/site_perl/5.8.0
    /usr/opt/perl5/lib/site_perl
    .

From dtucker at zip.com.au Wed Apr 20 00:16:12 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 20 Apr 2005 00:16:12 +1000
Subject: Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)
In-Reply-To: 
References: 
Message-ID: <426512AC.4080808@zip.com.au>

Dan Yefimov wrote:
> On Mon, 18 Apr 2005, Bengt Svensson wrote:
>> Once the problem with the typos has been clarified: any suggestions why
>> openssh-4.0p1 will not work with tcpwrappers? What else could I have
>> missed? How can I troubleshoot this further?
>
> It doesn't work since, while using privilege separation, the unprivileged part
> interacting with a client and checking access permissions runs in a chroot'ed
> environment where /etc/hosts.{allow,deny} don't exist.

That is not correct. The tcpwrappers check is immediately after the connection is accepted and before pre-auth privsep starts, and works fine with privsep.

> Generally speaking, privilege separation breaks many things,
> which was noticed many times on this list by different people, so unless you
> absolutely need it, disable it.

That's also bad advice. If you have a problem with privsep then *report it* so it can be fixed if possible, and only disable it if it's necessary (which, in most cases, it's not). Disabling privsep unilaterally is akin to removing the seatbelts and airbags from your car because you don't think you need them (right up to the point when there's a crash, that is, then they may save you).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

From edgy at us.ibm.com Wed Apr 20 01:59:51 2005
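The evaluation order behind Darren's point (libwrap consults hosts.allow, then hosts.deny, at accept time, before sshd has forked its unprivileged pre-auth child) is easy to get wrong when writing the rules themselves. The Python below is an added illustration written for this archive, not libwrap or OpenSSH code: it reimplements the core of hosts_access(3) matching for a constructed sshd policy (both sample files are made up) and covers the forms most sshd rules use: ALL, an exact address, a dotted prefix such as 192.168.1., a net/mask pair and EXCEPT. Hostname patterns, the LOCAL/KNOWN/PARANOID wildcards and the bracketed IPv6 form are not handled, and a real deployment should be checked with tcpdmatch(8) against the real files.

```python
import ipaddress

# Constructed sample policy (not from the thread): admin subnet and the
# 10/8 lab network may reach sshd, except one known-bad lab host.
SAMPLE_HOSTS_ALLOW = """\
# allow the admin LAN and the lab network, but not the compromised lab box
sshd: 192.168.1. 10.0.0.0/255.0.0.0 EXCEPT 10.9.9.9
"""
SAMPLE_HOSTS_DENY = """\
sshd: ALL
"""


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns), ...] from hosts.allow/deny text.

    Syntax handled: 'daemons : clients [: option ...]', '#' comments and a
    trailing backslash for line continuation.
    """
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):              # continuation line
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                         # malformed; libwrap would log it
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def match_client(pattern, client_ip):
    """One client pattern against one address (common libwrap forms only)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                # '192.168.1.' prefix form
        return client_ip.startswith(pattern)
    if "/" in pattern:                       # 'net/mask' form
        net, mask = pattern.split("/", 1)
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(
                "%s/%s" % (net, mask), strict=False)
        except ValueError:
            return False
    return pattern == client_ip              # exact address


def match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def match_list(patterns, value, matcher):
    """'a b EXCEPT c d' matches when (a or b) holds and (c or d) does not."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return (match_list(patterns[:i], value, matcher)
                and not match_list(patterns[i + 1:], value, matcher))
    return any(matcher(p, value) for p in patterns)


def hosts_access(daemon, client_ip, allow_text, deny_text):
    """True if the connection is allowed, in hosts_access(3) order:
    first matching allow rule wins, else first matching deny rule denies,
    else the connection is allowed."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for daemons, clients in parse_rules(text):
            if (match_list(daemons, daemon, match_daemon)
                    and match_list(clients, client_ip, match_client)):
                return verdict
    return True


if __name__ == "__main__":
    for ip in ("192.168.1.77", "10.1.2.3", "10.9.9.9", "203.0.113.5"):
        print("sshd from", ip, "->",
              "allow" if hosts_access("sshd", ip, SAMPLE_HOSTS_ALLOW,
                                      SAMPLE_HOSTS_DENY) else "deny")
```

The deny file's `sshd: ALL` is what turns the allow list into a whitelist; without it the final default is allow, which is the behaviour you get when a typo makes a rule unparsable, so tcpdmatch your real files before relying on them.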
From: edgy at us.ibm.com (Edward Geraghty)
Date: Tue, 19 Apr 2005 11:59:51 -0400
Subject: Antwort: Re: Antwort: Re: OpenSSL Installation Problem after Migration AIX 4.3.3 to AIX 5.2
In-Reply-To: 
Message-ID: 

Ok, that looks ok. After doing some digging, I think the rpm command is the problem and not perl. The openssl SPEC file is pretty simple for the installation and rpm is trying to enforce the /bin/sh and /usr/bin/perl.

If you go to the AIX support site (URL below) and download the rpm.rte.3.0.5.36; 3.0.5.36 is the latest version for AIX v5.2 it seems.
http://www-912.ibm.com/eserver/support/fixes/search.jsp?system=2&release=5.3

I would also download the latest RPMs for openssl as well from:
http://www6.software.ibm.com/dl/aixtbx/aixtbx-p
openssl-devel-0.9.7d-2.aix5.1.ppc.rpm
openssl-doc-0.9.7d-2.aix5.1.ppc.rpm
openssl-0.9.7d-2.aix5.1.ppc.rpm

EdGy

rschubnell at paninfo.com wrote on 04/19/2005 09:58 (To: Edward Geraghty/Somers/IBM at IBMUS; cc: rschubnell at paninfo.com, openssh-unix-dev at mindrot.org; Subject: Antwort: Re: Antwort: Re: OpenSSL Installation Problem after Migration AIX 4.3.3 to AIX 5.2):

Hi

# lslpp -l perl.rte
  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  perl.rte                   5.8.0.0  COMMITTED  Perl Version 5 Runtime Environment

# lppchk -vm3
# perl -V
Summary of my perl5 (revision 5.0 version 8 subversion 0) configuration:
  Platform:
    osname=aix, osvers=5.2.0.0, archname=aix-thread-multi
    uname='aix rocky 2 5 000ad7df4c00 '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc_r', ccflags ='-D_ALL_SOURCE -D_ANSI_C_SOURCE -D_POSIX_SOURCE -qmaxmem=16384 -qnoansialias -DUSE_NATIVE_DLOPEN -DNEED_PTHREAD_INIT -q32 -D_LARGE_FILES -qlonglong',
    optimize='-O',
    cppflags='-D_ALL_SOURCE -D_ANSI_C_SOURCE -D_POSIX_SOURCE -qmaxmem=16384 -qnoansialias -DUSE_NATIVE_DLOPEN -DNEED_PTHREAD_INIT'
    ccversion='', gccversion='', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=4321
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=8
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='ld', ldflags =' -brtl -b32'
    libpth=/lib /usr/lib /usr/ccs/lib
    libs=-lbind -lnsl -ldbm -ldl -lld -lm -lpthreads -lc_r -lcrypt -lbsd -lPW
    perllibs=-lbind -lnsl -ldl -lld -lm -lpthreads -lc_r -lcrypt -lbsd -lPW
    libc=/lib/libc.a, so=a, useshrplib=true, libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_aix.xs, dlext=so, d_dlsymun=undef, ccdlflags=' -bE:/usr/opt/perl5/lib/5.8.0/aix-thread-multi/CORE/perl.exp'
    cccdlflags=' ', lddlflags='-bhalt:4 -bM:SRE -bI:$(PERL_INC)/perl.exp -bE:$(BASEEXT).exp -bnoentry -lpthreads -lc_r'


Characteristics of this binary (from libperl):
  Compile-time options: MULTIPLICITY USE_ITHREADS USE_LARGE_FILES PERL_IMPLICIT_CONTEXT
  Built under aix
  Compiled at Jul 26 2002 13:48:15
  @INC:
    /usr/opt/perl5/lib/5.8.0/aix-thread-multi
    /usr/opt/perl5/lib/5.8.0
    /usr/opt/perl5/lib/site_perl/5.8.0/aix-thread-multi
    /usr/opt/perl5/lib/site_perl/5.8.0
    /usr/opt/perl5/lib/site_perl
    .
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev at mindrot.org http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From George.Baltz at noaa.gov Wed Apr 20 02:39:45 2005 From: George.Baltz at noaa.gov (George Baltz) Date: Tue, 19 Apr 2005 12:39:45 -0400 Subject: OpenSSL Installation Problem after Migration AIX 4.3.3 to AIX 5.2 Message-ID: <42653451.20706@noaa.gov> Your problem looks like the RPM compatibility database did not get rebuilt after the upgrade Try running /usr/sbin/updtvpkg, then re-try the install. -- George Baltz N3GB Computer Sciences Corp @NOAA/NESDIS/IPD 301 457-5169 x137 From arms at sco.com Wed Apr 20 03:26:51 2005 From: arms at sco.com (Ahsan Rashid) Date: Tue, 19 Apr 2005 13:26:51 -0400 (EDT) Subject: Patch for UnixWare 7 Message-ID: Hi, I have ported OpenSSH-4.0p1 to UnixWare 7.1.4. Can you please add the following for UnixWare 7 in the configure script: Description: + cross compiler produces i386a.out. + libcrypt which needs to come after openssl's libcrypto. + passwd needs user name. Thanks, Ahsan Rashid --- openssh-4.0p1/configure Tue Mar 8 23:54:16 2005 +++ dist/configure Thu Apr 14 17:09:54 2005 @@ -1728,7 +1728,7 @@ # Otherwise an old cache value of `no' led to `EXEEXT = no' in a Makefile. ac_cv_exeext= # b.out is created by i960 compilers. -for ac_file in a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out +for ac_file in a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out i386a.out do test -f "$ac_file" || continue case $ac_file in @@ -1737,7 +1737,7 @@ conftest.$ac_ext ) # This is the source file. ;; - [ab].out ) + [ab].out | i386a.out) # We found the default executable, but exeext='' is most # certainly right. break;; @@ -6007,6 +6007,7 @@ ;; # UnixWare 7.x, OpenUNIX 8 *-*-sysv5*) + check_for_libcrypt_later=1 cat >>confdefs.h <<\_ACEOF #define USE_PIPES 1 _ACEOF 
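Review bot: the i386a.out additions (the `for ac_file in ...` loop in the first hunk and the matching `[ab].out | i386a.out)` case arm in the second) edit the generated configure rather than its source: that executable-detection loop comes from autoconf's own macros, so it is overwritten the next time configure is regenerated from configure.ac. Send the change to autoconf, and until it is merged carry it as a local patch applied after autoreconf instead of in the OpenSSH tree.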
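Review bot: `check_for_libcrypt_later=1` is set for every *-*-sysv5* target, but the hunk gives no reason for the link-order change and nothing in the tree yet calls bigcrypt(); the explanation (libcrypt and libcrypto export some of the same symbol names, so libcrypt must come after libcrypto) only surfaces later in the thread. Put a one-line comment above the assignment saying why, and land it together with the auth-passwd.c bigcrypt() change it exists for, so the link-order change does not go in ahead of its only user.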
@@ -6021,6 +6022,14 @@ cat >>confdefs.h <<\_ACEOF #define BROKEN_SETREGID 1 +_ACEOF + + cat >>confdefs.h <<\_ACEOF +#define DISABLE_FD_PASSING 1 +_ACEOF + + cat >>confdefs.h <<\_ACEOF +#define PASSWD_NEEDS_USERNAME 1 _ACEOF ;; From tim at multitalents.net Wed Apr 20 05:14:05 2005 From: tim at multitalents.net (Tim Rice) Date: Tue, 19 Apr 2005 12:14:05 -0700 (PDT) Subject: Patch for UnixWare 7 In-Reply-To: References: Message-ID: On Tue, 19 Apr 2005, Ahsan Rashid wrote: > Hi, > > I have ported OpenSSH-4.0p1 to UnixWare 7.1.4. Can you please add the > following for UnixWare 7 in the configure script: > > Description: > + cross compiler produces i386a.out. For this one,you will need to create a patch for autoconf 2.59 and send it to autoconf-patches at gnu.org > + libcrypt which needs to come after openssl's libcrypto. Could you please elaborate on this one? I'm not seeing any problems on UnixWare here. > + passwd needs user name. Fixed about a week ago. ... 20050411 - (tim) [configure.ac] UnixWare needs PASSWD_NEEDS_USERNAME ... > > Thanks, > Ahsan Rashid > > --- openssh-4.0p1/configure Tue Mar 8 23:54:16 2005 > +++ dist/configure Thu Apr 14 17:09:54 2005 [snip] > cat >>confdefs.h <<\_ACEOF > #define BROKEN_SETREGID 1 > +_ACEOF > + > + cat >>confdefs.h <<\_ACEOF > +#define DISABLE_FD_PASSING 1 ^^^^^^^^^^^^^^^^^^^^^^^^^^^ Did you really want this? > +_ACEOF > + > + cat >>confdefs.h <<\_ACEOF > +#define PASSWD_NEEDS_USERNAME 1 > _ACEOF > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From arms at sco.com Wed Apr 20 05:54:23 2005 
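Review bot: `#define DISABLE_FD_PASSING 1` in the last hunk has a much wider effect than the IAF work it is meant for: sshd relies on descriptor passing for privilege separation, and with this defined sshd skips post-authentication privsep on every UnixWare 7 / OpenUNIX 8 build, not only on trees carrying the unreleased IAF patches. Gate it on those patches (or a configure option) instead of the platform case, and document the reason beside the define. The `PASSWD_NEEDS_USERNAME` define in the same hunk duplicates what configure.ac already gained on 20050411, so drop it here.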
From: arms at sco.com (Ahsan Rashid)
Date: Tue, 19 Apr 2005 15:54:23 -0400 (EDT)
Subject: Patch for UnixWare 7
In-Reply-To: 
References: 
Message-ID: 

On Tue, 19 Apr 2005, Tim Rice wrote:
> On Tue, 19 Apr 2005, Ahsan Rashid wrote:
>
>> + libcrypt which needs to come after openssl's libcrypto.
>
> Could you please elaborate on this one? I'm not seeing any problems on
> UnixWare here.

I guess you're using UnixWare 7.1.4 with either Maintenance Pack 2 or 3. If that is the case, you'll not see this problem since the OpenSSH package provided there uses PAM for authentication. I encountered this while porting OpenSSH for UnixWare 7.1.1 a while back and am submitting the patch only now.

UnixWare uses >8 character passwds and uses bigcrypt() provided in libcrypt to encrypt passwds. Once we patched auth-passwd.c:sys_auth_passwd() to call bigcrypt(), we needed libcrypt. However, since libcrypt and libcrypto have some symbols in common, we needed libcrypt at the end. This was not enough; we had to fix libcrypt to bind the common named symbols internally for obvious reasons. Now I haven't submitted the bigcrypt() patch yet since there is more code here to deal with NIS etc. and it is not yet finalized.

>> + cat >>confdefs.h <<\_ACEOF
>> +#define DISABLE_FD_PASSING 1
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Did you really want this?
>
UnixWare uses IAF for authentication. Again, we've added some patches here but they're not in final form. The code only works if we define the above.

And thanks for getting the 'passwd needs username' patch in.

Thanks,
Ahsan

PS. I am not on the list, so please make sure I am CCed on replies to this mail.

From bsven at msi.umn.edu Wed Apr 20 10:34:18 2005
From: bsven at msi.umn.edu (Bengt Svensson)
Date: Tue, 19 Apr 2005 19:34:18 -0500
Subject: Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)
In-Reply-To: <426512AC.4080808@zip.com.au>
References: <426512AC.4080808@zip.com.au>
Message-ID: 

Problem solved. It was due to multiple versions of sshd installed. The previous sysadmin here had installed sshd in both /sbin and /usr/sbin. I previously had adjusted the paths supplied for ./configure with the paths found from the 'which' command. Now I will need to clean up after the multiple install.

Another note to the developers: there seems to be a problem with the -V flag for sshd. I get this output.

$ sshd -V
sshd: illegal option -- V
OpenSSH_4.0p1, OpenSSL 0.9.6b [engine] 9 Jul 2001
usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]

Thanks everyone for time spent looking into my problem.

Bengt Svensson

From djm at mindrot.org Wed Apr 20 10:43:15 2005
From: djm at mindrot.org (Damien Miller)
Date: Wed, 20 Apr 2005 10:43:15 +1000
Subject: Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)
In-Reply-To: 
References: <426512AC.4080808@zip.com.au>
Message-ID: <4265A5A3.7040700@mindrot.org>

Bengt Svensson wrote:
> Another note to the developers: there seems to be a problem with the -V
> flag for sshd. I get this output.
>
> $ sshd -V
> sshd: illegal option -- V

You mean "sshd -v":

> OpenSSH_4.1, OpenSSL 0.9.7g 11 Apr 2005
> usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]
>             [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]

From bsven at msi.umn.edu Wed Apr 20 10:53:36 2005
From: bsven at msi.umn.edu (Bengt Svensson)
Date: Tue, 19 Apr 2005 19:53:36 -0500
Subject: Problem with openssh-4.0p1 and tcp wrappers on RH7.2(Scyld)
In-Reply-To: <4265A5A3.7040700@mindrot.org>
References: <426512AC.4080808@zip.com.au> <4265A5A3.7040700@mindrot.org>
Message-ID: 

On Wed, 20 Apr 2005, Damien Miller wrote:
> Bengt Svensson wrote:
>
>> Another note to the developers: there seems to be a problem with the -V
>> flag for sshd. I get this output.
>>
>> $ sshd -V
>> sshd: illegal option -- V
>
> You mean "sshd -v":

Either way, "sshd -v" or "sshd -V" gives the same output. The -v or -V is not defined.

>
>> OpenSSH_4.1, OpenSSL 0.9.7g 11 Apr 2005
>> usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]
>>             [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]
>

There is also no way to get the version info for the sftp command.

Bengt Svensson

From rschubnell at paninfo.com Wed Apr 20 17:33:46 2005
From: rschubnell at paninfo.com (rschubnell at paninfo.com)
Date: Wed, 20 Apr 2005 09:33:46 +0200
Subject: Antwort: Re: OpenSSL Installation Problem after Migration AIX 4.3.3 to AIX 5.2
Message-ID: 

Hello all

Thanks for your input. I have now installed openssl successfully.

# rpm -V openssl-devel-0.9.6m-1 openssl-doc-0.9.6m-1 openssl-0.9.6m-1
root at falcdd1 /software/aix520/expansion/installp/ppc
# lppchk -vm3

If I install the IBM openssh package the installation will not be successful. The ssh-keygen will not work, but it is compiled with this openssl version.

# ps -ef | grep ssh
    root 2937002 2973824   0 09:02:04  pts/1  0:00 /usr/bin/ksh ./openssh.base.server.post_i
    root 2957378 2031630   1 09:03:36  pts/4  0:00 grep ssh
    root 2990158 2937002   0 09:02:04  pts/1  0:00 /usr/bin/ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C

# /usr/bin/ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C
I wait for 10 minutes ;->
^C

I need to use this version!!! I can't use another openssl or openssh version, because all my systems run these versions successfully. This is the only system which is migrated from AIX 4.3.3 to AIX 5.2 and that looks like this.

Are there any path or library path problems possible?

Kind regards

From dtucker at zip.com.au Wed Apr 20 18:33:39 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 20 Apr 2005 18:33:39 +1000
Subject: Have configure search $PATH for krb5-config
Message-ID: <426613E3.6020904@zip.com.au>

Hi All.

Right now, if OpenSSH is configure'ed --with-kerberos5 and the system has a krb5-config that's not in /usr/local/bin then configure won't find it.

The attached patch changes this so krb5-config will be used if it's anywhere in the path (although if it exists in the directory specified by --with-kerberos5= then the user-supplied path will take precedence). You will need to run autoreconf after applying the patch to rebuild configure.

It seems to work for me (output below, it's a little confusing but it's the best I could do without drastically changing the Kerberos tests). I would appreciate any testing on other configurations.

$ ./configure --with-kerberos5
[...]
checking for krb5-config... /usr/bin/krb5-config
checking for /usr/local/bin/krb5-config... /usr/bin/krb5-config

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-krb5-config.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050420/db4ea62b/attachment.ksh

From rschubnell at paninfo.com Wed Apr 20 20:33:09 2005
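The precedence rule Darren describes for his attached patch (a krb5-config under the --with-kerberos5 directory wins, otherwise the first one on $PATH) can be exercised outside configure. The Python below is an added example for this archive, not Darren's patch and not OpenSSH's configure.ac; it assumes the user-supplied directory is searched as DIR/bin and then DIR (an assumption, since the patch text is not on this page), and it builds its three layouts in a temporary directory with stub scripts named krb5-config so it runs with no Kerberos installed.

```python
import os
import stat
import tempfile


def find_krb5_config(with_kerberos5=None, path=None):
    """Locate krb5-config with the precedence the thread describes.

    A krb5-config below the --with-kerberos5 directory (DIR/bin, then DIR;
    assumed layout) takes precedence; otherwise the first executable one on
    PATH is used. Returns the absolute path or None.
    """
    if path is None:
        path = os.environ.get("PATH", "")
    candidates = []
    if with_kerberos5:
        candidates += [os.path.join(with_kerberos5, "bin"), with_kerberos5]
    candidates += [d for d in path.split(os.pathsep) if d]
    for d in candidates:
        exe = os.path.join(d, "krb5-config")
        try:
            st = os.stat(exe)
        except OSError:
            continue
        # Same test configure's AC_PATH_PROG applies: a regular, executable file.
        if stat.S_ISREG(st.st_mode) and os.access(exe, os.X_OK):
            return os.path.abspath(exe)
    return None


def make_stub(directory):
    """Create an executable krb5-config stub (constructed fixture, not real)."""
    os.makedirs(directory, exist_ok=True)
    exe = os.path.join(directory, "krb5-config")
    with open(exe, "w") as f:
        f.write("#!/bin/sh\necho -I%s/include\n" % os.path.dirname(directory))
    os.chmod(exe, 0o755)
    return exe


def demo():
    """Three layouts: only the system bin has it; both do; neither does."""
    root = tempfile.mkdtemp()
    sysbin = os.path.join(root, "usr", "bin")
    krbroot = os.path.join(root, "opt", "krb5")
    results = {}
    sys_exe = make_stub(sysbin)
    # --with-kerberos5 points at a tree without krb5-config: fall back to PATH.
    results["path_only"] = find_krb5_config(with_kerberos5=krbroot, path=sysbin)
    krb_exe = make_stub(os.path.join(krbroot, "bin"))
    # Now both exist: the user-supplied directory must win.
    results["user_dir_wins"] = find_krb5_config(with_kerberos5=krbroot, path=sysbin)
    # Nothing anywhere: report None so configure can fall back to its other tests.
    results["nothing"] = find_krb5_config(with_kerberos5=os.path.join(root, "missing"),
                                          path=os.path.join(root, "empty"))
    return results, sys_exe, krb_exe


if __name__ == "__main__":
    found, _, _ = demo()
    for name, value in found.items():
        print("%-14s %s" % (name, value))
```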
From: rschubnell at paninfo.com (rschubnell at paninfo.com)
Date: Wed, 20 Apr 2005 12:33:09 +0200
Subject: OpenSSH ssh-keygen and sshd won't work
Message-ID: 

Hi

I've problems with my openssh installation on AIX 5.2. My ssh-keygen and sshd won't work. The installation of AIX was properly migrated from aix4.3.3 to aix5.2.

openssl-0.9.6m-1
openssl-devel-0.9.6m-1
openssl-doc-0.9.6m-1
openssh.base 3.7.0.5200

I had some problem with the openssl installation, but that was a problem in the rpm database ( /usr/sbin/updtvpkg ).

lppchk -vm3 -> ok
# rpm -V openssl-0.9.6m-1 openssl-devel-0.9.6m-1 openssl-doc-0.9.6m-1 -> ok

During the installation of the package the post-installation script will generate the ssh keys.

# /usr/bin/ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C
^C ( after 10 minutes ;-> )

# ps -ef | grep ssh
    root 2937002 2973824   0 09:02:04  pts/1  0:00 /usr/bin/ksh ./openssh.base.server.post_i
    root 2957378 2031630   1 09:03:36  pts/4  0:00 grep ssh
    root 2990158 2937002   0 09:02:04  pts/1  0:00 /usr/bin/ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C

# for i in /usr/lib /lib /usr/local/lib /opt/freeware/lib;do
> find $i -name *ssl*
> done
/usr/lib/boot/bin/lsslot_chrp_pci
/usr/lib/boot/bin/lsslot_chrp_slot
/usr/lib/boot/bin/lsslot_chrp_phb
find: 0652-019 The status on /usr/local/lib is not valid.
/opt/freeware/lib/libssl.a
/opt/freeware/lib/libssl-static.a

# ls -la /opt/freeware/lib/libssl.a /opt/freeware/lib/libssl-static.a
-rw-r--r--   1 root     system       823749 Mar 18 2004 /opt/freeware/lib/libssl-static.a
-rwxr-xr-x   1 root     system       824998 Mar 18 2004 /opt/freeware/lib/libssl.a

They look the same as on all other machines.....

I checked the SSL headers with the script distributed by openssh in contrib/aix

# ./findssl.sh
Searching for OpenSSL header files.
        0x009060dfL /opt/freeware/include/openssl/opensslv.h
Searching for OpenSSL shared library files.
Searching for OpenSSL static library files.

From dtucker at zip.com.au Wed Apr 20 21:03:57 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 20 Apr 2005 21:03:57 +1000
Subject: OpenSSH ssh-keygen and sshd won't work
In-Reply-To: 
References: 
Message-ID: <4266371D.4030201@zip.com.au>

rschubnell at paninfo.com wrote:
> I've problems with my openssh installation on AIX 5.2.
> My ssh-keygen and sshd won't work.
> The installation of AIX was properly migrated from aix4.3.3 to aix5.2
[...]
> # /usr/bin/ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C
> ^C ( after 10 minutes ;-> )

Sounds like a problem with the entropy source. AIX 5.2 has /dev/random and /dev/urandom, but I have seen one report about an AIX upgrade leaving those with incorrect permissions; I suggest you check those first. They should be:

$ ls -l /dev/*rand*
crw-r--r--   1 root     system       42,  0 Jul 01 2003 /dev/random
crw-r--r--   1 root     system       42,  1 Jul 01 2003 /dev/urandom

Failing that, does "openssl rand -base64 32" also hang?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

From rschubnell at paninfo.com Wed Apr 20 21:56:13 2005
From: rschubnell at paninfo.com (rschubnell at paninfo.com)
Date: Wed, 20 Apr 2005 13:56:13 +0200
Subject: Antwort: Re: OpenSSH ssh-keygen and sshd won't work
Message-ID: 

Hello

/dev/random and /dev/urandom are ok.

./openssl rand -base64 32 gives no output and hangs.

But the package installation is correct. These are the rpm packages installed on all my systems.

# rpm -qa
cdrecord-1.9-4
mkisofs-1.13-4
openssl-0.9.6m-1
AIX-rpm-5.2.0.41-1
openssl-devel-0.9.6m-1
openssl-doc-0.9.6m-1

# rpm -V openssl-0.9.6m-1 openssl-devel-0.9.6m-1 openssl-doc-0.9.6m-1
is ok

Kind regards

From andy.tompkins at autozone.com Thu Apr 21 00:46:24 2005
From: andy.tompkins at autozone.com (andy.tompkins at autozone.com)
Date: Wed, 20 Apr 2005 09:46:24 -0500
Subject: OpenSSH ssh-keygen and sshd won't work
In-Reply-To: <4266371D.4030201@zip.com.au>
Message-ID: 

Also, for anyone having trouble with /dev/random and /dev/urandom on AIX 5.2, you can check to see if the random module is loaded with "genkex|grep rand", and you can rm the devices and have the system re-create them with "randomctl -l".

Andy

Darren Tucker wrote on 04/20/2005 06:03 AM (To: rschubnell at paninfo.com; cc: openssh-unix-dev at mindrot.org; Subject: Re: OpenSSH ssh-keygen and sshd won't work):

rschubnell at paninfo.com wrote:
> I've problems with my openssh installation on AIX 5.2.
> My ssh-keygen and sshd won't work.
> The installation of AIX was properly migrated from aix4.3.3 to aix5.2
[...]
> # /usr/bin/ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C
> ^C ( after 10 minutes ;-> )

Sounds like a problem with the entropy source. AIX 5.2 has /dev/random and /dev/urandom, but I have seen one report about an AIX upgrade leaving those with incorrect permissions; I suggest you check those first. They should be:

$ ls -l /dev/*rand*
crw-r--r--   1 root     system       42,  0 Jul 01 2003 /dev/random
crw-r--r--   1 root     system       42,  1 Jul 01 2003 /dev/urandom

Failing that, does "openssl rand -base64 32" also hang?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From r3r2 at yahoo.com Thu Apr 21 12:48:39 2005
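Darren's diagnosis sequence (is the device there with the right type and permissions, and does a read actually return bytes?) is worth automating, because the failure mode in this thread is a read that never returns, and a naive check hangs exactly as ssh-keygen and openssl rand did. The Python below is an added example, not part of the thread and not OpenSSH or AIX code: check_entropy_source() reports what it finds and never waits longer than its timeout; demo_stalled_source() fakes a device that never delivers by using a FIFO whose writer stays silent (a constructed stand-in for the behaviour reported above); openssl_rand_hangs() runs Darren's "openssl rand -base64 32" probe under a deadline. The AIX-only genkex/randomctl steps are not reproduced, and the 42,0 / 42,1 major/minor numbers Darren lists are AIX values that differ elsewhere, so they are reported rather than asserted.

```python
import os
import select
import stat
import subprocess
import tempfile
import time


def check_entropy_source(path, nbytes=32, timeout=2.0):
    """Inspect an entropy device without ever blocking longer than `timeout`.

    Returns a dict: whether the path exists, is a character device (and its
    major/minor numbers), is readable, how many bytes a bounded read returned,
    and whether the read stalled ("blocked") or failed ("error").
    """
    result = {"path": path, "exists": False, "is_char_device": False,
              "device": None, "readable": False, "bytes_read": 0,
              "blocked": False, "error": None}
    try:
        st = os.stat(path)
    except OSError as e:
        result["error"] = str(e)
        return result
    result["exists"] = True
    if stat.S_ISCHR(st.st_mode):
        result["is_char_device"] = True
        result["device"] = (os.major(st.st_rdev), os.minor(st.st_rdev))
    result["readable"] = os.access(path, os.R_OK)
    if not result["readable"]:
        return result
    deadline = time.monotonic() + timeout
    fd = None
    try:
        # O_NONBLOCK plus select() is what keeps a dead device from hanging us.
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
        data = b""
        while len(data) < nbytes:
            remaining = deadline - time.monotonic()
            if remaining <= 0 or not select.select([fd], [], [], remaining)[0]:
                result["blocked"] = True
                break
            try:
                chunk = os.read(fd, nbytes - len(data))
            except BlockingIOError:
                continue            # spurious wakeup; the deadline still applies
            if not chunk:
                break               # EOF: a regular file or a closed pipe
            data += chunk
        result["bytes_read"] = len(data)
    except OSError as e:
        result["error"] = str(e)
    finally:
        if fd is not None:
            os.close(fd)
    return result


def openssl_rand_hangs(timeout=5.0):
    """Darren's second probe under a deadline: True if 'openssl rand' hung,
    False if it produced output, None if there is no openssl binary."""
    try:
        proc = subprocess.run(["openssl", "rand", "-base64", "32"],
                              capture_output=True, timeout=timeout)
    except FileNotFoundError:
        return None
    except subprocess.TimeoutExpired:
        return True
    return not (proc.returncode == 0 and proc.stdout.strip())


def demo_stalled_source(timeout=0.5):
    """Constructed stand-in for a device that never returns data: a FIFO with a
    writer attached that never writes. check_entropy_source() must report
    blocked=True and come back within `timeout` instead of hanging."""
    tmp = tempfile.mkdtemp()
    fifo = os.path.join(tmp, "stalled-random")
    os.mkfifo(fifo)
    rd = os.open(fifo, os.O_RDONLY | os.O_NONBLOCK)   # reader first, so the
    wr = os.open(fifo, os.O_WRONLY | os.O_NONBLOCK)   # writer open succeeds
    try:
        return check_entropy_source(fifo, nbytes=32, timeout=timeout)
    finally:
        os.close(wr)
        os.close(rd)
        os.unlink(fifo)
        os.rmdir(tmp)


if __name__ == "__main__":
    for dev in ("/dev/random", "/dev/urandom"):
        print(check_entropy_source(dev))
    print("stalled device demo:", demo_stalled_source())
    print("openssl rand hangs:", openssl_rand_hangs())
```

A result with is_char_device False (the device was recreated as a plain file) or blocked True (the kernel driver is not delivering) points at the device layer, which is where Andy's genkex and randomctl steps come in; readable False with exists True is the permissions case Darren mentions.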
From: r3r2 at yahoo.com (Ryan Robertson) Date: Wed, 20 Apr 2005 19:48:39 -0700 (PDT) Subject: openssh 4.0p1 under OSX Message-ID: <20050421024839.2321.qmail@web51905.mail.yahoo.com> I'm having difficulty getting ssh to connect as any local user under OSX 10.3.8. The odd thing is ssh -l root localhost works fine as a normal user, whereas ssh -l themac localhost (or from any host for that matter) does not. Thanks =============================== debug1: sshd version OpenSSH_4.0p1 debug1: private host key: #0 type 0 RSA1 debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-d' debug1: Bind to port 22 on ::. Server listening on :: port 22. debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. RSA key generation complete. debug1: fd 5 clearing O_NONBLOCK debug1: Server will not fork when running in debugging mode. 
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 debug1: inetd sockets after dupping: 4, 4 Connection from ::1 port 55838 debug1: Client protocol version 2.0; client software version OpenSSH_4.0 debug1: match: OpenSSH_4.0 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_4.0 debug1: permanently_set_uid: 75/75 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: client->server aes128-cbc hmac-md5 none debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user themac service ssh-connection method none debug1: attempt 0 failures 0 Failed none for themac from ::1 port 55838 ssh2 Failed none for themac from ::1 port 55838 ssh2 debug1: userauth-request for user themac service ssh-connection method publickeydebug1: attempt 1 failures 1 debug1: test whether pkalg/pkblob are acceptable debug1: trying public key file /Users/themac/.ssh/authorized_keys debug1: trying public key file /Users/themac/.ssh/authorized_keys2 Failed publickey for themac from ::1 port 55838 ssh2 debug1: userauth-request for user themac service ssh-connection method keyboard-interactive debug1: attempt 2 failures 2 debug1: keyboard-interactive devs debug1: auth2_challenge: user=themac devs= debug1: kbdint_alloc: devices '' Failed keyboard-interactive for themac from ::1 port 55838 ssh2 debug1: userauth-request for user themac service ssh-connection method password debug1: attempt 3 failures 3 Failed password for themac from ::1 port 55838 ssh2 Failed password for themac from ::1 port 55838 ssh2 debug1: userauth-request for user themac service ssh-connection method 
password debug1: attempt 4 failures 4 Failed password for themac from ::1 port 55838 ssh2 Failed password for themac from ::1 port 55838 ssh2 Connection closed by ::1 ======================= Now w/auth keys debug1: sshd version OpenSSH_4.0p1 debug1: private host key: #0 type 0 RSA1 debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-d' debug1: Bind to port 22 on ::. Server listening on :: port 22. debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. RSA key generation complete. debug1: fd 5 clearing O_NONBLOCK debug1: Server will not fork when running in debugging mode. debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 debug1: inetd sockets after dupping: 4, 4 Connection from ::1 port 55922 debug1: Client protocol version 2.0; client software version OpenSSH_4.0 debug1: match: OpenSSH_4.0 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_4.0 debug1: permanently_set_uid: 75/75 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: client->server aes128-cbc hmac-md5 none debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user root service ssh-connection method none debug1: attempt 0 failures 0 Failed none for root from ::1 port 55922 ssh2 Failed none for root from ::1 port 55922 ssh2 debug1: userauth-request for user root service ssh-connection method publickey debug1: attempt 1 failures 1 debug1: test 
whether pkalg/pkblob are acceptable debug1: trying public key file /var/root/.ssh/authorized_keys debug1: matching key found: file /var/root/.ssh/authorized_keys, line 1 Found matching RSA key: c7:61:62:ed:2c:e4:f7:b3:c9:66:f2:84:78:27:9d:f3 Postponed publickey for root from ::1 port 55922 ssh2 debug1: userauth-request for user root service ssh-connection method publickey debug1: attempt 2 failures 1 debug1: trying public key file /var/root/.ssh/authorized_keys debug1: matching key found: file /var/root/.ssh/authorized_keys, line 1 Found matching RSA key: c7:61:62:ed:2c:e4:f7:b3:c9:66:f2:84:78:27:9d:f3 debug1: ssh_rsa_verify: signature correct Accepted publickey for root from ::1 port 55922 ssh2 debug1: monitor_child_preauth: root has been authenticated by privileged processAccepted publickey for root from ::1 port 55922 ssh2 debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_channel_req: channel 0 request pty-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. debug1: session_pty_req: session 0 alloc /dev/ttyp6 debug1: server_input_channel_req: channel 0 request shell reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req shell debug1: Setting controlling tty using TIOCSCTTY. debug1: Received SIGCHLD. 
debug1: session_by_pid: pid 2537
debug1: session_exit_message: session 0 channel 0 pid 2537
debug1: session_exit_message: release channel 0
debug1: session_close: session 0 pid 2537
debug1: session_pty_cleanup: session 0 release /dev/ttyp6
debug1: channel 0: free: server-session, nchannels 1
Connection closed by ::1
debug1: do_cleanup
Closing connection to ::1
====================

From caopeng at vip.bbn.cn Fri Apr 22 17:11:31 2005
From: caopeng at vip.bbn.cn (caopeng)
Date: Fri, 22 Apr 2005 15:11:31 +0800
Subject: ask for ssh connection api
Message-ID:

hi, I need your help !!!!!!
Could you give me some api on establishing ssh connection

From dtucker at zip.com.au Fri Apr 22 19:19:51 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 22 Apr 2005 19:19:51 +1000
Subject: ask for ssh connection api
In-Reply-To:
References:
Message-ID: <4268C1B7.2070207@zip.com.au>

caopeng wrote:
> hi, I need your help !!!!!!
> Could you give me some api on establishing ssh connection

There's not really a user-accessible API in OpenSSH (other than things like fork+execvp("ssh", "ssh", server, NULL) :-).

--
Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Sat Apr 23 14:44:41 2005
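Darren's fork+execvp answer, spelled out as an added C example. This is not OpenSSH code and not an API the project ships: the helper names, the chosen ssh options, the placeholder host example.invalid and the idea of taking the program path as a parameter (so the helper can be exercised offline with echo instead of a real ssh) are all this example's own assumptions.

```c
/* Added example, not OpenSSH code: driving ssh from C is fork()+exec(). */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv[0] (looked up in PATH) with the given NULL-terminated argument
 * vector, capture its stdout into out (NUL-terminated, at most len-1 bytes)
 * and return the child's exit status; -1 if it could not be forked or was
 * killed by a signal, 127 if exec failed. No shell is involved anywhere,
 * so the host and command strings are never re-parsed locally. */
int run_capture(char *const argv[], char *out, size_t len)
{
    int p[2];
    if (len == 0 || pipe(p) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    if (pid == 0) {                         /* child: stdout -> pipe */
        close(p[0]);
        dup2(p[1], STDOUT_FILENO);
        close(p[1]);
        execvp(argv[0], argv);
        _exit(127);                         /* only reached if exec failed */
    }
    close(p[1]);
    size_t n = 0;
    ssize_t r = 0;
    while (n + 1 < len && (r = read(p[0], out + n, len - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    char sink[256];                         /* drain so the child never blocks */
    while (read(p[0], sink, sizeof sink) > 0)
        ;
    close(p[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Non-interactive remote command. BatchMode=yes makes ssh fail rather than
 * prompt (there may be no tty to read a password from), StrictHostKeyChecking
 * refuses unknown host keys instead of asking, and "--" stops a host string
 * such as "-oProxyCommand=..." from being parsed as options. The remote login
 * shell still interprets cmd, so anything user-supplied in it must be quoted
 * for that shell. ssh_path is a parameter only so the helper can be tested
 * with "echo" (an assumption of this example); real callers pass "ssh". */
int run_ssh(const char *ssh_path, const char *host, const char *cmd,
            char *out, size_t len)
{
    char *argv[] = {
        (char *)ssh_path, "-oBatchMode=yes", "-oStrictHostKeyChecking=yes",
        "--", (char *)host, (char *)cmd, NULL
    };
    return run_capture(argv, out, len);
}

int main(void)
{
    char out[4096];
    /* example.invalid is a placeholder host; with BatchMode this fails fast */
    int rc = run_ssh("ssh", "example.invalid", "uptime", out, sizeof out);
    printf("ssh exited %d, captured %zu bytes\n", rc, strlen(out));
    return rc == 0 ? 0 : 1;
}
```

Pass the program name, the host and the command as separate argv entries as shown; building one string and handing it to system() or popen() is what turns a hostname or a remote command into a local shell injection.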
From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 23 Apr 2005 14:44:41 +1000 Subject: Have configure search $PATH for krb5-config In-Reply-To: <426613E3.6020904@zip.com.au> References: <426613E3.6020904@zip.com.au> Message-ID: <4269D2B9.8020801@zip.com.au> Darren Tucker wrote: > Right now, if OpenSSH is configure'ed --with-kerberos5 and the > system has a krb5-config that's not in /usr/local/bin then configure > won't find it. > > The attached patch changes this so krb5-config will be used if it's > anywhere in the path (although if it exists in the directory specified > by --with-kerberos5= then the user-supplied path will take precedence). > You will need to run autoreconf after applying the patch to rebuild > configure. Here's a better patch, based on a suggestion from David Leonard. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: openssh-krb5-config.patch Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050423/09ea4acb/attachment.ksh From arrummzen at gmail.com Sat Apr 23 18:20:26 2005 
From: arrummzen at gmail.com (James Supancic)
Date: Sat, 23 Apr 2005 01:20:26 -0700
Subject: OpenSSH is not asking for passwords.
Message-ID: <4eb2ea80050423012038ac8f5@mail.gmail.com>

I am trying to use shfs to mount a remote root filesystem for a diskless workstation. The system downloads its kernel and initrd from a server. I have tried repeatedly to get a working installation of ssh on the initrd with no success. I finally got ssh to connect to the server. Normally when I use ssh the session goes as follows:

[arrummzen at localhost LFS-BOOK-6.0-HTML]$ ssh 192.168.11.10 -l root
root at 192.168.11.10's password:
Last login: Wed Apr 20 21:52:31 2005 from 192.168.11.254
[root at DT02 root]#

BUT when I try to use ssh on the diskless system it goes like this:

bash-2.05b# ssh 192.168.11.10 -l root -F /etc/ssh_config
Permission denied, please try again.
Permission denied, please try again.
Permission denied, please try again.
bash-2.05b#

Notice how it does not even bother to ask me for the password? I would expect to be asked for a password, but it just connects and tells me permission denied. Now recall this is on a diskless system so I can't just copy and paste output, but I will type up those parts of the verbose output that I feel are relevant.

debug1: Authentications that can continue: publickey, password, keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
...
debug1: Next authentication method: password
...
Permission denied, please try again.
...
debug1: Authentications that can continue: publickey, password, keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive)

If you want more of the verbose output I can type it up, or if you want a lot of it, I can set up an ftp server and upload all the output.
Thank you for your time,
James Steven Supancic III

From dtucker at zip.com.au Sat Apr 23 18:53:29 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 23 Apr 2005 18:53:29 +1000
Subject: OpenSSH is not asking for passwords.
In-Reply-To: <4eb2ea80050423012038ac8f5@mail.gmail.com>
References: <4eb2ea80050423012038ac8f5@mail.gmail.com>
Message-ID: <426A0D09.7020301@zip.com.au>

James Supancic wrote:
> I am trying to use shfs to mount a remote root filesystem for a
> diskless workstation. The system downloads its kernel and initrd from
> a server. I have tried repeatedly to get a working installation of ssh
> on the initrd with no success. I finally got ssh to connect to the
> server.
[...]
> BUT when I try to use ssh on the diskless system it goes like this
> bash-2.05b# ssh 192.168.11.10 -l root -F /etc/ssh_config
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied, please try again.
> bash-2.05b#

Make sure your initrd image has a /dev/tty and that it has the correct major, minor and perms. For Linux, that's:

$ ls -l /dev/tty
crw-rw-rw- 1 root root 5, 0 Apr 23 17:43 /dev/tty

--
Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From arrummzen at gmail.com Sat Apr 23 19:01:02 2005
From: arrummzen at gmail.com (James Supancic)
Date: Sat, 23 Apr 2005 02:01:02 -0700
Subject: OpenSSH is not asking for passwords.
In-Reply-To: <426A0D09.7020301@zip.com.au>
References: <4eb2ea80050423012038ac8f5@mail.gmail.com> <426A0D09.7020301@zip.com.au>
Message-ID: <4eb2ea800504230201193654a7@mail.gmail.com>

ls -l /dev/tty
crw-rw-rw- 1 root 0 5, 0 Apr 20 22:07 /dev/tty

It's almost the same save I have a 0 where you have root; I'm not sure why that is, probably has something to do with groups not being set up. When I first made my initrd I used only /dev/console, I just recently added /dev/tty*s. I am not sure if I am using the ttys or the console? What does it matter? Doesn't ssh just use stdio like all other apps?

Thank you for your time,
James Steven Supancic III

On 4/23/05, Darren Tucker wrote:
> James Supancic wrote:
> > I am trying to use shfs to mount a remote root filesystem for a
> > diskless workstation. The system downloads its kernel and initrd from
> > a server. I have tried repeatedly to get a working installation of ssh
> > on the initrd with no success. I finally got ssh to connect to the
> > server.
> [...]
> > BUT when I try to use ssh on the diskless system it goes like this
> > bash-2.05b# ssh 192.168.11.10 -l root -F /etc/ssh_config
> > Permission denied, please try again.
> > Permission denied, please try again.
> > Permission denied, please try again.
> > bash-2.05b#
>
> Make sure your initrd image has a /dev/tty and that it has the correct
> major, minor and perms. For Linux, that's:
>
> $ ls -l /dev/tty
> crw-rw-rw- 1 root root 5, 0 Apr 23 17:43 /dev/tty
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
From dtucker at zip.com.au Sat Apr 23 19:13:00 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 23 Apr 2005 19:13:00 +1000
Subject: OpenSSH is not asking for passwords.
In-Reply-To: <4eb2ea800504230201193654a7@mail.gmail.com>
References: <4eb2ea80050423012038ac8f5@mail.gmail.com> <426A0D09.7020301@zip.com.au> <4eb2ea800504230201193654a7@mail.gmail.com>
Message-ID: <426A119C.3090708@zip.com.au>

James Supancic wrote:
> ls -l /dev/tty
> crw-rw-rw- 1 root 0 5, 0 Apr 20 22:07 /dev/tty
> It's almost the same save I have a 0 where you have root; I'm not sure
> why that is, probably has something to do with groups not being set up.

The difference is probably just a missing entry for "0" in /etc/group.

If that's not the cause, try kicking ssh into debug mode ("ssh -vvv whatever") and see what it says.

> When I first made my initrd I used only /dev/console, I just recently
> added /dev/tty*s. I am not sure if I am using the ttys or the console?
> What does it matter?

/dev/tty is a special case that allows a process to access its controlling terminal.

> Doesn't ssh just use stdio like all other apps?

Not for passwords/passphrases. Consider where ssh's stdin is coming from in this example:

grep foo bar | ssh someserver baz

plus ssh needs /dev/tty to access its controlling terminal so it can turn echo off while reading passwords.

--
Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From arrummzen at gmail.com Sat Apr 23 20:02:56 2005
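Darren's explanation above (stdin may be a pipe, so a prompt goes to /dev/tty with echo switched off) as an added worked example in C. This is not OpenSSH's readpass.c: the function names, the fallback order and the SRC_* labels are this example's own, and it goes one step beyond the thread by also treating a terminal whose foreground process group is not ours as unusable, since tcsetattr() from a background process raises SIGTTOU. The sample line fed through the pipe is constructed for the offline self-check.

```c
/* Added example, not OpenSSH code: where a password prompt may read from. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

enum pass_src { SRC_TTY, SRC_ASKPASS, SRC_STDIN, SRC_NONE };

/* A terminal is usable for a prompt only if we can open it AND our process
 * group is its foreground group: tcsetattr() from a background process
 * raises SIGTTOU, so a process started with no foreground terminal must
 * not try to take the prompt there. */
static int usable_tty(const char *path)
{
    int fd = open(path, O_RDWR | O_NOCTTY);
    if (fd < 0)
        return 0;                       /* no controlling terminal at all */
    int ok = isatty(fd) && tcgetpgrp(fd) == getpgrp();
    close(fd);
    return ok;
}

/* Decide where the passphrase comes from. stdin is last, and only if the
 * caller allows it: in "grep foo bar | ssh host cmd" stdin is the pipe,
 * not the user. ttypath is a parameter so the decision can be exercised
 * with a path that does not exist (simulating "no controlling tty"). */
enum pass_src choose_source(const char *ttypath, int have_display, int allow_stdin)
{
    if (usable_tty(ttypath))
        return SRC_TTY;
    if (have_display)
        return SRC_ASKPASS;             /* hand off to an askpass helper */
    if (allow_stdin && isatty(STDIN_FILENO))
        return SRC_STDIN;
    return SRC_NONE;
}

/* Read one line from fd with echo turned off while the secret is typed.
 * On a pipe or file the termios step is skipped, which is what makes the
 * function testable without a terminal. Returns the length, -1 on error. */
ssize_t read_secret(int fd, char *buf, size_t len)
{
    struct termios saved, quiet;
    int restore = 0;
    if (len == 0)
        return -1;
    if (isatty(fd) && tcgetattr(fd, &saved) == 0) {
        quiet = saved;
        quiet.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL);
        if (tcsetattr(fd, TCSAFLUSH, &quiet) == 0)
            restore = 1;
    }
    size_t n = 0;
    ssize_t r = 0;
    char c;
    while (n + 1 < len && (r = read(fd, &c, 1)) == 1) {
        if (c == '\n' || c == '\r')
            break;
        buf[n++] = c;
    }
    buf[n] = '\0';
    if (restore) {
        tcsetattr(fd, TCSAFLUSH, &saved);           /* always restore echo */
        if (write(fd, "\n", 1) < 0) { /* the user's Enter was not echoed */ }
    }
    return r < 0 ? -1 : (ssize_t)n;
}

/* Offline self-check: push a constructed line through a pipe and read it
 * back with read_secret(), the way a harness without a tty can. */
ssize_t read_secret_from_string(const char *line, char *buf, size_t len)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    ssize_t w = write(p[1], line, strlen(line));
    close(p[1]);
    ssize_t n = w < 0 ? -1 : read_secret(p[0], buf, len);
    close(p[0]);
    return n;
}

int main(void)
{
    char secret[256];
    enum pass_src src = choose_source("/dev/tty", getenv("DISPLAY") != NULL, 0);
    if (src != SRC_TTY) {
        fprintf(stderr, "no usable controlling terminal (source=%d)\n", (int)src);
        return 1;
    }
    int fd = open("/dev/tty", O_RDWR);
    if (fd < 0 || write(fd, "Password: ", 10) < 0)
        return 1;
    ssize_t n = read_secret(fd, secret, sizeof secret);
    close(fd);
    printf("read %zd bytes\n", n);
    memset(secret, 0, sizeof secret);   /* best-effort wipe before exit */
    return n < 0;
}
```

The /dev/tty open is the check James's initrd failed: with no /dev/tty node (or the wrong major/minor), open() fails, no prompt is possible, and the client falls straight through to "Permission denied".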
From: arrummzen at gmail.com (James Supancic) Date: Sat, 23 Apr 2005 03:02:56 -0700 Subject: OpenSSH is not asking for passwords. In-Reply-To: <426A119C.3090708@zip.com.au> References: <4eb2ea80050423012038ac8f5@mail.gmail.com> <426A0D09.7020301@zip.com.au> <4eb2ea800504230201193654a7@mail.gmail.com> <426A119C.3090708@zip.com.au> Message-ID: <4eb2ea80050423030235c59bc9@mail.gmail.com> My /dev/tty is now exactly the same as yours. This is the -vvv output from the failed connection attempt (it didn't ask for a password) OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003 debug1: Reading configuration data /etc/ssh_config debug2: ssh_connect: needpriv 0 debug1: Connecting to 192.168.11.10 [192.168.11.10] port 22. debug1: Connection established. debug1: permanently_set_uid: 0/0 debug1: identity file /.ssh/identity type -1 debug1: identity file /.ssh/id_rsa type -1 debug1: identity file /.ssh/id_dsa type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2 debug1: match: OpenSSH_3.6.1p2 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.9p1 debug2: fd 3 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: 
kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug2: dh_gen_key: priv key bits set: 138/256 debug2: bits set: 528/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /.ssh/known_hosts debug3: check_host_in_hostfile: match line 2 debug1: Host '192.168.11.10' is known and matches the RSA host key. 
debug1: Found key in /.ssh/known_hosts:2 debug2: bits set: 502/1024 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /.ssh/identity ((nil)) debug2: key: /.ssh/id_rsa ((nil)) debug2: key: /.ssh/id_dsa ((nil)) debug1: Authentications that can continue: password,keyboard-interactive debug3: start over, passed a different list password,keyboard-interactive debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup keyboard-interactive debug3: remaining preferred: password debug3: authmethod_is_enabled keyboard-interactive debug1: Next authentication method: keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug1: Authentications that can continue: password,keyboard-interactive debug3: userauth_kbdint: disable: no info_req_seen debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: debug3: authmethod_is_enabled password debug1: Next authentication method: password debug3: packet_send2: adding 64 (len 49 padlen 15 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: Authentications that can continue: password,keyboard-interactive Permission denied, please try again. debug3: packet_send2: adding 64 (len 49 padlen 15 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: Authentications that can continue: password,keyboard-interactive Permission denied, please try again. 
debug3: packet_send2: adding 64 (len 49 padlen 15 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: Authentications that can continue: password,keyboard-interactive debug2: we did not send a packet, disable method debug1: No more authentication methods to try. Permission denied (password,keyboard-interactive). Thank you for your time, James Steven Supancic III On 4/23/05, Darren Tucker wrote: > James Supancic wrote: > > ls -l /dev/tty > > crw-rw-rw- 1 root 0 5, 0 Apr 20 22:07 /dev/tty > > Its almost the same save I have a 0 where you have root, im not sure > > why that is, probably has something to do with groups not being setup. > > The difference is probably just a missing entry for "0" in /etc/group. > > If that's not the cause, try kicking ssh into debug mode ("ssh -vvv > whatever") and see what it says. > > > When I first made my initrd I used only /dev/console, I just recently > > added /dev/tty*s. I am not sure if I am using the ttys or the console? > > What does it matter? > > /dev/tty is a special case that allows a process to access its > controlling terminal. > > > Doesn't ssh just use stdio like all other apps? > > Not for passwords/passphrases. Consider where ssh's stdin is coming > from in this example: > > grep foo bar | ssh someserver baz > > plus ssh need /dev/tty to access it's controlling terminal so it can > turn echo off while reading passwords. > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From dtucker at zip.com.au Sat Apr 23 20:08:54 2005 
From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 23 Apr 2005 20:08:54 +1000 Subject: OpenSSH is not asking for passwords. In-Reply-To: <4eb2ea80050423030235c59bc9@mail.gmail.com> References: <4eb2ea80050423012038ac8f5@mail.gmail.com> <426A0D09.7020301@zip.com.au> <4eb2ea800504230201193654a7@mail.gmail.com> <426A119C.3090708@zip.com.au> <4eb2ea80050423030235c59bc9@mail.gmail.com> Message-ID: <426A1EB6.9050406@zip.com.au> James Supancic wrote: > My /dev/tty is now exactly the same as yours. > This is the -vvv output from the failed connection attempt (it didn't > ask for a password) [...] Hmm, there's nothing obvious in there. Could you please try it again (ssh -vvv) with the attached patch? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: openssh-readpass-debug.patch Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050423/26cb298e/attachment.ksh From arrummzen at gmail.com Sun Apr 24 05:13:48 2005 
From: arrummzen at gmail.com (James Supancic) Date: Sat, 23 Apr 2005 12:13:48 -0700 Subject: OpenSSH is not asking for passwords. In-Reply-To: <426A1EB6.9050406@zip.com.au> References: <4eb2ea80050423012038ac8f5@mail.gmail.com> <426A0D09.7020301@zip.com.au> <4eb2ea800504230201193654a7@mail.gmail.com> <426A119C.3090708@zip.com.au> <4eb2ea80050423030235c59bc9@mail.gmail.com> <426A1EB6.9050406@zip.com.au> Message-ID: <4eb2ea80050423121379a55c31@mail.gmail.com> After trying to apply your patch for 5 minites, I just replaced all your fancy code with a call to printf and a call to gets (not fgets), and now it works. It now works without all the tty stuff being setup. Thank you for your time, Arrummzen On 4/23/05, Darren Tucker wrote: > James Supancic wrote: > > My /dev/tty is now exactly the same as yours. > > This is the -vvv output from the failed connection attempt (it didn't > > ask for a password) > [...] > > Hmm, there's nothing obvious in there. Could you please try it again > (ssh -vvv) with the attached patch? > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > > > Index: readpass.c > =================================================================== > RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/readpass.c,v > retrieving revision 1.29 > diff -u -p -r1.29 readpass.c > --- readpass.c 5 Nov 2004 09:38:03 -0000 1.29 > +++ readpass.c 23 Apr 2005 09:15:58 -0000 
> @@ -107,14 +107,18 @@ read_passphrase(const char *prompt, int > use_askpass = 1; > else if (flags & RP_ALLOW_STDIN) { > if (!isatty(STDIN_FILENO)) > + debug("read_passphrase: stdin is not a tty"); > use_askpass = 1; > } else { > rppflags |= RPP_REQUIRE_TTY; > ttyfd = open(_PATH_TTY, O_RDWR); > if (ttyfd >= 0) > close(ttyfd); > - else > + else { > + debug("read_passphrase: can't open %s: %s", _PATH_TTY, > + strerror(errno)); > use_askpass = 1; > + } > } > > if ((flags & RP_USE_ASKPASS) && getenv("DISPLAY") == NULL) > > > From Pawel.Veselov at sun.com Sun Apr 24 11:46:45 2005 
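Review bot: the first added line breaks the `else if (flags & RP_ALLOW_STDIN)` branch. `if (!isatty(STDIN_FILENO))` has no braces, so inserting `+ debug("read_passphrase: stdin is not a tty");` directly after it makes the debug() call the if's only statement and leaves `use_askpass = 1;` unconditional, pushing callers whose stdin is a tty to askpass as well. Wrap both statements in braces, as the second part of the hunk already does for the open() failure path. That second addition is fine: errno is read immediately after the failed open(), with nothing in between that could clobber it.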
From: Pawel.Veselov at sun.com (Pawel S. Veselov)
Date: Sat, 23 Apr 2005 18:46:45 -0700
Subject: Solaris console problem
Message-ID: <20050424014645.GB3324@sun.com>

Hi,

I'm using openssh 3.9p1, and here is what bothers me. If ssh is executed from an X application, when a password is prompted, ssh manages to grab on to /dev/tty, but then SIGTTOU is constantly sent to ssh and that loops the password prompt function infinitely, since it actually gets to the console. Because of the Solaris implementation (I guess), that also gives no cycles to other applications. It took me a few hours (!) to login remotely and kill the ssh process. (And then my CPUs reported the temp outside of safe limits |-) )

(Well, "X application" is a bad definition: anything that is executed directly by my Window Manager, which is started by X. Everything will be fine, of course, if an application (X or not) was started from a connected terminal. I actually tested this just doing popen("ssh") from a test program and just starting it from the window manager menu.)

I guess the best way to fix that is to detect that condition in "readpass.c:read_passphrase()", and fall back to 'use_askpass'. However, I haven't found a way to do so :) poll() works fine, writing to the terminal doesn't raise TTOU immediately (yeah, how did read() trigger a TTOU ???)

As a relief, I guess I'll restrict the readpassphrase to only restart a limited number of times (and prevent the lockout), and also pass RP_ALLOW_STDIN in "sshconnect2.c:userauth_passwd()", to allow ssh to actually work.

P.S. cygwin also has an issue: when a native window application runs 'ssh' inside it, the password can not be read from anywhere, and the whole thing just hangs...

P.P.S. please include me in replies, I'm not on the list.

Thanks, Pawel. Bye.

--
Pawel S. Veselov [vps], Sun Microsystems, Inc.
Staff Engineer, Java Mobile Systems and Services Engineering
(408) 276-5410 e-mail: Pawel.Veselov at Sun.COM
fax (408) 276-6090 HomePage: http://manticore.2y.net

From logsnaath at gmx.net Mon Apr 25 21:55:11 2005
From: logsnaath at gmx.net (Logu)
Date: Mon, 25 Apr 2005 17:25:11 +0530
Subject: Cleaning wtmp entries when SIGTERM is received.
References: <4eb2ea80050423012038ac8f5@mail.gmail.com> <426A0D09.7020301@zip.com.au> <4eb2ea800504230201193654a7@mail.gmail.com> <426A119C.3090708@zip.com.au> <4eb2ea80050423030235c59bc9@mail.gmail.com> <426A1EB6.9050406@zip.com.au>
Message-ID: <031f01c5498e$63469180$140110ac@loguco>

Hi,

Is there a reason for not cleaning up wtmp entries when a SIGTERM is received for a user session?

-Logu

From thekiller101 at freesurf.fr Tue Apr 26 01:18:20 2005
From: thekiller101 at freesurf.fr (thekiller101 at freesurf.fr)
Date: Mon, 25 Apr 2005 17:18:20 +0200 (CEST)
Subject: License
Message-ID: <6344.81.255.174.7.1114442300.squirrel@arlette.freesurf.fr>

Hi,

OpenSSH is under a free license compatible with GPL. But can I include the source of sftp-server in my project under GPL? Or?

Thanks.

From djm at mindrot.org Tue Apr 26 07:26:51 2005
From: djm at mindrot.org (Damien Miller)
Date: Tue, 26 Apr 2005 07:26:51 +1000
Subject: License
In-Reply-To: <6344.81.255.174.7.1114442300.squirrel@arlette.freesurf.fr>
References: <6344.81.255.174.7.1114442300.squirrel@arlette.freesurf.fr>
Message-ID: <426D609B.2090207@mindrot.org>

thekiller101 at freesurf.fr wrote:
> Hi,
>
> OpenSSH is under a free license compatible with GPL.
> But can I include the source of sftp-server in my project under GPL?
> Or?

The LICENSE file contains all the licenses used in OpenSSH. We are not lawyers, so you should decide whether it is compatible with the GPL or not, or pay a lawyer to do it for you. Certainly, anything released under a two or three-term BSD license is compatible.

-d

From senthilkumar_sen at hotpop.com Tue Apr 26 17:28:04 2005
From: senthilkumar_sen at hotpop.com (Senthil Kumar) Date: Tue, 26 Apr 2005 12:58:04 +0530 Subject: Cleaning wtmp entries when SIGTERM is received. References: <4eb2ea80050423012038ac8f5@mail.gmail.com> <426A0D09.7020301@zip.com.au> <4eb2ea800504230201193654a7@mail.gmail.com> <426A119C.3090708@zip.com.au><4eb2ea80050423030235c59bc9@mail.gmail.com><426A1EB6.9050406@zip.com.au> <031f01c5498e$63469180$140110ac@loguco> Message-ID: <38aa01c54a31$7ea62dc0$220110ac@sekco> Hi , I also tried passing signal SIGTERM to the privileged sshd process once the session is obtained. This leaves impurities in wtmp entries and I think there is no SIGTERM handler for sshd. This shows the user as "still logged in" even after logout. What will be the effect if we have the handler for this signal? Will it break anywhere? When I tried this with rlogin program, it handled the SIGTERM and cleared the wtmp entries. Thanks, Senthil Kumar. ----- Original Message ----- From: "Logu" To: "OpenSSH Devel List" Sent: Monday, April 25, 2005 5:25 PM Subject: Cleaning wtmp entries when SIGTERM is received. > Hi, > > Is there a reason for not cleaning up wtmp entries when a SIGTERM is > received for a user session. > > -Logu > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From djm at mindrot.org Tue Apr 26 19:26:52 2005 
From: djm at mindrot.org (Damien Miller) Date: Tue, 26 Apr 2005 19:26:52 +1000 Subject: Cleaning wtmp entries when SIGTERM is received. In-Reply-To: <031f01c5498e$63469180$140110ac@loguco> References: <4eb2ea80050423012038ac8f5@mail.gmail.com> <426A0D09.7020301@zip.com.au> <4eb2ea800504230201193654a7@mail.gmail.com> <426A119C.3090708@zip.com.au><4eb2ea80050423030235c59bc9@mail.gmail.com> <426A1EB6.9050406@zip.com.au> <031f01c5498e$63469180$140110ac@loguco> Message-ID: <426E095C.30003@mindrot.org> Logu wrote: > Hi, > > Is there a reason for not cleaning up wtmp entries when a SIGTERM is > received for a user session. It works for me on Linux and OpenBSD. Can you please provide some more details? OS, OpenSSH version, etc. -d From logsnaath at gmx.net Wed Apr 27 01:00:41 2005 From: logsnaath at gmx.net (Logu) Date: Tue, 26 Apr 2005 20:30:41 +0530 Subject: Cleaning wtmp entries when SIGTERM is received. References: <4eb2ea80050423012038ac8f5@mail.gmail.com> <426A0D09.7020301@zip.com.au> <4eb2ea800504230201193654a7@mail.gmail.com> <426A119C.3090708@zip.com.au><4eb2ea80050423030235c59bc9@mail.gmail.com> <426A1EB6.9050406@zip.com.au> <031f01c5498e$63469180$140110ac@loguco> <426E095C.30003@mindrot.org> Message-ID: <014901c54a70$bc016dd0$140110ac@loguco> > Logu wrote: >> Hi, >> >> Is there a reason for not cleaning up wtmp entries when a SIGTERM is >> received for a user session. > > It works for me on Linux and OpenBSD. Can you please provide some more > details? OS, OpenSSH version, etc. > I am using HP-UX 11.11. And the openssh version is 4.0. thanks -logu From logsnaath at gmx.net Wed Apr 27 16:02:21 2005 
From: logsnaath at gmx.net (Logu)
Date: Wed, 27 Apr 2005 11:32:21 +0530
Subject: openssh-3.6.1p2 server did not accept user connection.
Message-ID: <011b01c54aee$b1430b00$140110ac@loguco>

Hi,

Whenever I boot the machine, the sshd started by the rc script is not accepting ssh connections from a normal user. However it connects as the root user, and also connects as a user when sshd is restarted. The error message is

"fatal: PAM session setup failed[6]: Permission denied"

What would be the reason for this behaviour?

I am using Linux-2.6.5-1.358 (Fedora Core release 2) and the openssh version (OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f) which came with the distribution. The debug output is given below.

Thanks
-logu

The debug output:

Apr 27 09:34:02 jasmine sshd[3176]: debug1: session_input_channel_req: session 0 req pty-req
Apr 27 09:34:02 jasmine sshd[3176]: debug1: lastlog_openseek: Couldn't open /var/log/lastlog: Permission denied
Apr 27 09:34:02 jasmine sshd[3176]: debug1: Allocating pty.
Apr 27 09:34:02 jasmine sshd[3174]: debug1: session_new: init
Apr 27 09:34:02 jasmine sshd[3174]: debug1: session_new: session 0
Apr 27 09:34:03 jasmine sshd[3176]: debug1: session_pty_req: session 0 alloc /dev/pts/17
Apr 27 09:34:03 jasmine sshd[3176]: debug1: server_input_channel_req: channel 0 request shell reply 1
Apr 27 09:34:03 jasmine sshd[3176]: debug1: session_by_channel: session 0 channel 0
Apr 27 09:34:03 jasmine sshd[3176]: debug1: session_input_channel_req: session 0 req shell
Apr 27 09:34:03 jasmine sshd[3176]: debug1: PAM setting tty to "/dev/pts/17"
Apr 27 09:34:03 jasmine sshd(pam_unix)[3176]: session opened for user logu by (uid=507)
Apr 27 09:34:03 jasmine sshd[3176]: fatal: PAM session setup failed[6]: Permission denied
Apr 27 09:34:03 jasmine sshd[3176]: debug1: Calling cleanup 0x8059c20(0x808dd20)

From dtucker at zip.com.au Wed Apr 27 16:24:01 2005
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 27 Apr 2005 16:24:01 +1000 Subject: openssh-3.6.1p2 server did not accept user connection. In-Reply-To: <011b01c54aee$b1430b00$140110ac@loguco> References: <011b01c54aee$b1430b00$140110ac@loguco> Message-ID: <426F3001.2090101@zip.com.au> Logu wrote: > Whenever i boot the machine, the sshd started using rc script is not > accepting ssh connection from a normal user. However it connects as root > user and also connects as a user when the sshd is restarted. The error > message is > "fatal: PAM session setup failed[6]: Permission denied" > > What would be the reason for this behaviour ? > > I am using Linux-2.6.5-1.358 (Fedora Core release 2) and openssh version > (OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f ) which came > with the distribution. The debug out is given below. There was an issue with selinux and sshd. See: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=108608103318162 If booting with selinux disabled solves your problem then that's probably it. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From thevision at pobox.com Thu Apr 28 00:25:17 2005 
From: thevision at pobox.com (Greg Mortensen)
Date: Wed, 27 Apr 2005 10:25:17 -0400 (EDT)
Subject: net4801, vpn1411 and "Corrupted MAC on input" with current OpenBSD sshd
Message-ID:

I recently installed the April 21st snapshot on my Soekris net4801 (dmesg
here[1]) that has a vpn1411 crypto-accelerator in it. For the first time,
I'm getting a tremendous amount of "Corrupted MAC on input" errors while
sshing into this machine.

While there has been discussion -- going all the way back to 3.5 -- that
it's a hardware problem with the net4801 and the vpn1411, Soren has said[2]
that while there's a problem with the net45xx boards, he hasn't heard of
hardware problems with the net4801.

I'm not currently using IPsec (although it worked on both 3.5 and 3.6), no
other userland application is using /dev/crypto, and this happens even
though I'm only running a single ssh connection.

I've never had this problem occur with OpenBSD 3.6 or 3.5 on this box; in
fact, I rolled back sshd and its supporting libraries to the 3.5 version
(OpenSSH_3.8 (sshd.c, v 1.290 2004/03/11)), and the problem goes away.

Has something regressed? Is anyone else seeing this for the first time?

Regards,

Greg

[1] http://www.pobox.com/~thevision/openbsd/soekris_dmesg.txt
[2] http://lists.soekris.com/pipermail/soekris-tech/2004-September/021803.html

   \|/ ___ \|/   thevision at pobox.com   +----- 2048/83C90191 -----+
   @~./'O o`\.~@                         | 0B 65 E0 58 F3 F9 81 F5 |
  /__( \___/ )__\                        | F0 72 75 FA 1E BD C9 66 |
     `\__`U_/'                           +-------------------------+

From senthilkumar_sen at hotpop.com Thu Apr 28 01:44:59 2005
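Greg's "Corrupted MAC on input" is sshd's per-packet integrity check failing. The following Python is an added illustration, not code from this thread or from OpenSSH: it assembles an unencrypted SSH2 binary packet, computes the MAC the way RFC 4253 section 6.4 defines it (over the 32-bit packet sequence number followed by the unencrypted packet) and shows that a single flipped byte, a drifted sequence counter or a different key all produce the same verdict. The key and payload are constructed sample values; hmac-md5 is used because that is the algorithm negotiated in the AIX debug output further down this page.

```python
"""What sshd checks before it reports "Corrupted MAC on input".

RFC 4253 section 6.4: after encrypting a packet the sender appends
    mac = MAC(key, sequence_number || unencrypted_packet)
where sequence_number is a 32-bit counter that starts at 0 and is never
sent on the wire. The receiver decrypts, recomputes the MAC over the same
input and compares; any mismatch (a corrupted ciphertext byte, a wrong
key, a desynchronised counter, a faulty crypto engine) is the same error.
Key and payloads in this example are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

MAC_ALGS = {"hmac-md5": hashlib.md5, "hmac-sha1": hashlib.sha1}


def build_packet(payload, block_size=16):
    """Assemble the unencrypted binary packet of RFC 4253 section 6:
    uint32 packet_length | byte padding_length | payload | random padding.
    The whole packet must be a multiple of the cipher block size and must
    carry at least 4 bytes of padding."""
    padding_len = block_size - ((5 + len(payload)) % block_size)
    if padding_len < 4:
        padding_len += block_size
    padding = os.urandom(padding_len)
    packet_len = 1 + len(payload) + padding_len
    return struct.pack(">IB", packet_len, padding_len) + payload + padding


def compute_mac(alg, key, seqno, packet):
    """mac = MAC(key, uint32(seqno) || unencrypted_packet)."""
    msg = struct.pack(">I", seqno & 0xFFFFFFFF) + packet
    return hmac.new(key, msg, MAC_ALGS[alg]).digest()


def verify_mac(alg, key, seqno, packet, received_mac):
    """Constant-time comparison, so the check itself leaks nothing about
    how many leading bytes of a candidate MAC were correct."""
    return hmac.compare_digest(compute_mac(alg, key, seqno, packet), received_mac)


def receive(alg, key, seqno, packet, received_mac):
    """The receiver's decision: return the payload, or fail the way sshd
    does (it logs the error and drops the connection)."""
    if not verify_mac(alg, key, seqno, packet, received_mac):
        raise ValueError("Corrupted MAC on input")
    padding_len = packet[4]
    return packet[5:len(packet) - padding_len]


def flip_bit(packet, byte_index, bit=0x01):
    """Simulate one corrupted byte (on the wire or from a faulty
    accelerator) without touching the original bytes."""
    b = bytearray(packet)
    b[byte_index] ^= bit
    return bytes(b)


if __name__ == "__main__":
    key = bytes(range(16))  # constructed session key
    pkt = build_packet(b"constructed payload")
    mac = compute_mac("hmac-md5", key, 7, pkt)
    print("intact packet ->", receive("hmac-md5", key, 7, pkt, mac))
    try:
        receive("hmac-md5", key, 7, flip_bit(pkt, 6), mac)
    except ValueError as e:
        print("one flipped bit ->", e)
    try:
        receive("hmac-md5", key, 8, pkt, mac)  # receiver's counter drifted
    except ValueError as e:
        print("sequence number mismatch ->", e)
```

Because the MAC is taken over the plaintext, a receiver whose decryption path returns wrong bytes sees exactly this failure even when the bytes on the wire were fine; that is why swapping the code path (as Greg did by rolling sshd back) changes the symptom, and why a sudden burst of these errors on one host is worth treating as a hardware or driver signal rather than noise.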
From: senthilkumar_sen at hotpop.com (Senthil Kumar)
Date: Wed, 27 Apr 2005 21:14:59 +0530
Subject: Cleaning wtmp entries when SIGTERM is received.
References: <4eb2ea80050423012038ac8f5@mail.gmail.com> <426A0D09.7020301@zip.com.au> <4eb2ea800504230201193654a7@mail.gmail.com> <426A119C.3090708@zip.com.au><4eb2ea80050423030235c59bc9@mail.gmail.com><426A1EB6.9050406@zip.com.au><031f01c5498e$63469180$140110ac@loguco> <38aa01c54a31$7ea62dc0$220110ac@sekco>
Message-ID: <477701c54b40$13dc4500$220110ac@sekco>

> I also tried passing signal SIGTERM to the privileged sshd process once
> the session is obtained. This leaves impurities in wtmp entries and I
> think there is no SIGTERM handler for sshd. This shows the user as "still
> logged in" even after logout. What will be the effect if we have the
> handler for this signal? Will it break anywhere?
>

Also in HP-UX, when SIGTERM is passed to the user process, the privileged
process receives the SIGCHLD and opens up the wtmp file but does not clean
it completely.

The tusc output in HP-UX when SIGCHLD is received by the privileged
process is given below:

[8248] read(10, 0x7f7f11e0, 4) .......................................................... = 0
debug1: do_cleanup
[8248] Received signal 18, SIGCLD, in write(), [SIG_DFL], no siginfo
[8248] write(2, "d e b u g 1 : d o _ c l e a n ".., 20) ............................... = 20
debug1: PAM: cleanup
[8248] write(2, "d e b u g 1 : P A M : c l e ".., 22) ............................... = 22
[8248] time(0x7f7f2384) ................................................................. = 1114647377
[8248] sigaction(SIGPIPE, 0x7f7f24a4, 0x7f7f24cc) ....................................... = 0
[8248] sigaction(SIGPIPE, 0x7f7f24cc, NULL) ............................................. = 0
[8248] write(5, "< 3 9 > A p r 2 7 1 7 : 1 6 ".., 2048) ............................. = 2048
[8248] lseek(8, 0, SEEK_SET) ............................................................ = 0
[8248] read(8, "m s g c a t 0 1 \0\0\0( \002\001".., 1212) .............................. = 1212
[8248] lseek(8, 492, SEEK_SET) .......................................................... = 492
[8248] read(8, "S u c c e s s ", 7) ..................................................... = 7
[8248] time(0x7f7f23c4) ................................................................. = 1114647377
[8248] sigaction(SIGPIPE, 0x7f7f24e4, 0x7f7f250c) ....................................... = 0
[8248] sigaction(SIGPIPE, 0x7f7f250c, NULL) ............................................. = 0
[8248] write(5, "< 3 9 > A p r 2 7 1 7 : 1 6 ".., 2048) ............................. = 2048
[8248] close(9) ......................................................................... = 0
[8248] close(8) ......................................................................... = 0
[8248] close(5) ......................................................................... = 0
debug1: session_pty_cleanup: session 0 release /dev/pts/0
[8248] write(2, "d e b u g 1 : s e s s i o n _ ".., 59) ............................... = 59
[8248] time(NULL) ....................................................................... = 1114647377
[8248] getpid() ......................................................................... = 8248 (8247)
[8248] open("/etc/passwd", O_RDONLY, 0666) .............................................. = 5
[8248] ioctl(5, TCGETA, 0x7f7f2498) ..................................................... ERR#25 ENOTTY
[8248] read(5, "r o o t : W m H B Z k z 8 Z O X ".., 8192) .............................. = 2189
[8248] lseek(5, 4294967201, SEEK_CUR) ................................................... = 2094
[8248] close(5) ......................................................................... = 0
[8248] getuid() ......................................................................... = 0 (0)
[8248] gettimeofday(0x7f7f13e8, NULL) ................................................... = 0
[8248] open("/var/adm/wtmp", O_WRONLY|O_APPEND|O_LARGEFILE, 0) .......................... = 5
[8248] fstat64(5, 0x7f7f14b0) ........................................................... = 0
[8248] write(5, "\0\0\0\0\0\0\0\0t s / 0 p t s / ".., 60) ............................... = 60
[8248] close(5) ......................................................................... = 0
[8248] open("/etc/utmpx", O_RDWR|O_CREAT, 0644) ......................................... = 5
[8248] read(5, "\0\0\0\0\0\0\0\0\0- h t t y 0 ".., 140) ............................... = 140
[8248] read(5, "\0\0\0\0\0\0\0\0\0- h t t y 0 ".., 140) ............................... = 140
[8248] read(5, "v x e n a b l e \0- h t t y 0 ".., 140) ............................... = 140
[8248] read(5, "b c h e c k r c \0- h t t y 0 ".., 140) ............................... = 140
[8248] read(5, "c a t \0\0\0\0\0\0- h t t y 0 ".., 140) ............................... = 140
[8248] read(5, "r m \0\0\0\0\0\0\0- h t t y 0 ".., 140) ............................... = 140
[8248] read(5, "c a t \0\0\0\0\0\0- h t t y 0 ".., 140) ............................... = 140
[8248] read(5, "s h \0\0\0\0\0\0\001\bb8@ 01\t\0".., 140) ............................... = 140
[8248] read(5, "r c \0\0\0\0\0\0\001\bb8@ 01\t\0".., 140) ............................... = 140
[8248] read(5, "g e t t y \0\0\0\001\bb8@ 01\t\0".., 140) ............................... = 140
[8248] read(5, "k r s d \0\0\0\0\0\004eb\005\0\0".., 140) ............................... = 140
[8248] read(5, "s f d \0\0\0\0\0\0\004ec\005\0\0".., 140) ............................... = 140
[8248] read(5, "s a m d \0\0\0\0\0\004ed\005\0\0".., 140) ............................... = 140
[8248] read(5, "s h \0\0\0\0\0\0\0\004ee\005\0\0".., 140) ............................... = 140
[8248] read(5, "p _ c l i e n t \0\004ee\005\0\0".., 140) ............................... = 140
[8248] read(5, "s e n t h i l \0\0\0\0\0\0\0\0\0".., 140) ............................... = 140
[8248] lseek(5, 2100, SEEK_SET) ......................................................... = 2100
[8248] write(5, "s e n t h i l \0\0\0\0\0\0\0\0\0".., 140) .............................. = 140
[8248] open("/etc/utmp", O_RDWR|O_CREAT, 0644) .......................................... = 8
[8248] read(8, "\0\0\0\0\0\0\0\0\0\0\0\0s y s t ".., 60) ................................ = 60
[8248] read(8, "\0\0\0\0\0\0\0\0\0\0\0\0r u n - ".., 60) ................................ = 60
[8248] read(8, "v x e n a b l e v x e n \0\0\0\0".., 60) ................................ = 60
[8248] read(8, "b c h e c k r c b r c 1 \0\0\0\0".., 60) ................................ = 60
[8248] read(8, "c a t \0\0\0\0\0c p r t \0\0\0\0".., 60) ................................ = 60
[8248] read(8, "r m \0\0\0\0\0\0e m s 1 \0\0\0\0".., 60) ................................ = 60
[8248] read(8, "c a t \0\0\0\0\0e m s 2 \0\0\0\0".., 60) ................................ = 60
[8248] read(8, "s h \0\0\0\0\0\0l i n k \0\0\0\0".., 60) ................................ = 60
[8248] read(8, "r c \0\0\0\0\0\0s q n c \0\0\0\0".., 60) ................................ = 60
[8248] read(8, "L O G I N \0\0\0c o n s c o n s ".., 60) ................................ = 60
[8248] read(8, "k r s d \0\0\0\0k r s d \0\0\0\0".., 60) ................................ = 60
[8248] read(8, "s f d \0\0\0\0\0s f d \0\0\0\0\0".., 60) ................................ = 60
[8248] read(8, "s a m d \0\0\0\0s a m d \0\0\0\0".., 60) ................................ = 60
[8248] read(8, "s h \0\0\0\0\0\0e m s 3 \0\0\0\0".., 60) ................................ = 60
[8248] read(8, "p _ c l i e n t e m s 4 \0\0\0\0".., 60) ................................ = 60
[8248] read(8, "a s l \0\0\0\0\0t a \0\0p t s / ".., 60) ................................ = 60
[8248] read(8, "s e n t h i l \0t s / 0 p t s / ".., 60) ................................ = 60
[8248] lseek(8, 960, SEEK_SET) .......................................................... = 960
[8248] write(8, "s e n t h i l \0t s / 0 p t s / ".., 60) ............................... = 60
[8248] close(5) ......................................................................... = 0
[8248] close(8) ......................................................................... = 0
[8248] getuid() ......................................................................... = 0 (0)
[8248] chown("/dev/pts/0", 0, 0) ........................................................ = 0
[8248] chmod("/dev/pts/0", 0666) ........................................................ = 0
[8248] close(6) ......................................................................... = 0
[8248] exit(255) ........................................................................ WIFEXITED(255)

Thanks for any help,
Senthil Kumar.

From logsnaath at gmx.net Thu Apr 28 01:24:51 2005
From: logsnaath at gmx.net (Logu)
Date: Wed, 27 Apr 2005 20:54:51 +0530
Subject: Cleaning wtmp entries when SIGTERM is received.
References: <4eb2ea80050423012038ac8f5@mail.gmail.com> <426A0D09.7020301@zip.com.au> <4eb2ea800504230201193654a7@mail.gmail.com> <426A119C.3090708@zip.com.au><4eb2ea80050423030235c59bc9@mail.gmail.com> <426A1EB6.9050406@zip.com.au><031f01c5498e$63469180$140110ac@loguco><426E095C.30003@mindrot.org> <014901c54a70$bc016dd0$140110ac@loguco>
Message-ID: <02ed01c54ba7$5120c190$140110ac@loguco>

>> Logu wrote:
>>> Hi,
>>>
>>> Is there a reason for not cleaning up wtmp entries when a SIGTERM is
>>> received for a user session.
>>
>> It works for me on Linux and OpenBSD. Can you please provide some more
>> details? OS, OpenSSH version, etc.
>>
>
> I am using HP-UX 11.11. And the openssh version is 4.0.

I tried it on linux also with openssh-3.9p1. When privilege separation is
disabled the last command output shows

logu pts/1 172.16.1.20 Wed Apr 27 19:29 gone - no logout

thanks
-logu

From Frank.Beckmann at gmx.com Thu Apr 28 19:56:18 2005
From: Frank.Beckmann at gmx.com (Frank Beckmann)
Date: Thu, 28 Apr 2005 11:56:18 +0200 (MEST)
Subject: Openssh Solaris problem writing /var/adm/wtmp
Message-ID: <10287.1114682178@www6.gmx.net>

Hi :-)

I have rolled out a new ssh package in our environment.

Apr 27 12:06:03 systemx sshd[869]: [ID 847 auth.info] wtmp_write: problem writing /var/adm/wtmp: No such file or directory

Solaris 8 has no /var/adm/wtmp, it uses /var/adm/wtmpx

In the old package there were many of these messages.
I compiled the new package with
--disable-wtmp \
--enable-wtmpx \
but sometimes one of these messages is in the auth..

Frank

From dtucker at zip.com.au Thu Apr 28 20:42:11 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 28 Apr 2005 20:42:11 +1000
Subject: Openssh Solaris problem writing /var/adm/wtmp
In-Reply-To: <10287.1114682178@www6.gmx.net>
References: <10287.1114682178@www6.gmx.net>
Message-ID: <4270BE03.6030409@zip.com.au>

Frank Beckmann wrote:
> i have rollout a new ssh pakage in our environment.

Which version?

> Apr 27 12:06:03 systemx sshd[869]: [ID 847 auth.info] wtmp_write: problem
> writing /var/adm/wtmp: No such file or directory

Does config.h have HAVE_SETUTXENT and HAVE_PUTUTXLINE?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From Frank.Beckmann at gmx.com Thu Apr 28 21:03:54 2005
From: Frank.Beckmann at gmx.com (Frank Beckmann)
Date: Thu, 28 Apr 2005 13:03:54 +0200 (MEST)
Subject: Openssh Solaris problem writing /var/adm/wtmp
References: <4270BE03.6030409@zip.com.au>
Message-ID: <4366.1114686234@www6.gmx.net>

> Which version?

ssh -V
OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004

>
> > Apr 27 12:06:03 systemx sshd[869]: [ID 847 auth.info] wtmp_write:
> problem
> > writing /var/adm/wtmp: No such file or directory
>
> Does config.h have HAVE_SETUTXENT and HAVE_PUTUTXLINE?

/* Define to 1 if you have the `setutxent' function. */
#define HAVE_SETUTXENT 1

/* Define to 1 if you have the `pututxline' function. */
#define HAVE_PUTUTXLINE 1

Another thing...
we have since Sunday (the day of the package switch) some defuncts in the
process list

ptree 24344
17618 /usr/sbin/sshd
  24342 /usr/sbin/sshd -R
    24344

root at system# truss -aefp 24342
24342: psargs: /usr/sbin/sshd -R
24342: read(7, 0xFFBEEE88, 4) (sleeping...)
24342: signotifywait() (sleeping...)
24342: door_return(0x00000000, 0, 0x00000000, 0) (sleeping...)
24342: lwp_sema_wait(0xFEB0DE60) (sleeping...)
24342: lwp_cond_wait(0xFEC834E8, 0xFEC834F8, 0xFEC7CD80) (sleeping...)

They grow very slowly... random... I grep the defuncts, after a while there
are more or less defuncts. BUT the base value of defuncts is higher after a
while (like a stack), it grows..
That is only a problem on the big systems (like E15k)

Frank

>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>

From dtucker at zip.com.au Thu Apr 28 22:04:41 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 28 Apr 2005 22:04:41 +1000
Subject: Openssh Solaris problem writing /var/adm/wtmp
In-Reply-To: <4366.1114686234@www6.gmx.net>
References: <4270BE03.6030409@zip.com.au> <4366.1114686234@www6.gmx.net>
Message-ID: <4270D159.7090008@zip.com.au>

Frank Beckmann wrote:
> ssh -V
> OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004
>
>>>Apr 27 12:06:03 systemx sshd[869]: [ID 847 auth.info] wtmp_write:
>>>problem writing /var/adm/wtmp: No such file or directory

There's a section in configure that disables wtmp and utmp on Solaris > 8:

AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x)
sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
if test "$sol2ver" -ge 8; then
	AC_MSG_RESULT(yes)
	AC_DEFINE(DISABLE_UTMP)
	AC_DEFINE(DISABLE_WTMP)
else
	AC_MSG_RESULT(no)
fi

Are DISABLE_UTMP and DISABLE_WTMP defined in config.h? What did it output
after "checking for obsolete utmp and wtmp in solaris2.x"?

> Another thing...
> we have since Sunday (the day of the package switch) some defuncts in the
> process list

> 24342: lwp_cond_wait(0xFEC834E8, 0xFEC834F8, 0xFEC7CD80) (sleeping...)

LWP == lightweight process == thread? Did you build it with POSIX threads?
If so, that's unsupported. Does it occur building without?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From senthilkumar_sen at hotpop.com Fri Apr 29 00:39:21 2005
From: senthilkumar_sen at hotpop.com (Senthil Kumar)
Date: Thu, 28 Apr 2005 20:09:21 +0530
Subject: Cleaning wtmp entries when SIGTERM is received.
References: <4eb2ea80050423012038ac8f5@mail.gmail.com> <426A0D09.7020301@zip.com.au> <4eb2ea800504230201193654a7@mail.gmail.com> <426A119C.3090708@zip.com.au><4eb2ea80050423030235c59bc9@mail.gmail.com> <426A1EB6.9050406@zip.com.au><031f01c5498e$63469180$140110ac@loguco><426E095C.30003@mindrot.org><014901c54a70$bc016dd0$140110ac@loguco> <02ed01c54ba7$5120c190$140110ac@loguco>
Message-ID: <554e01c54c00$14a759f0$220110ac@sekco>

>>> Logu wrote:
> I tried it on linux also with openssh-3.9p1. When privilege separation is
> disabled the last command output shows
> logu pts/1 172.16.1.20 Wed Apr 27 19:29 gone - no
> logout
>

In HP-UX with privilege separation disabled, when SIGTERM is passed to the
user sshd process, it exits without trying to clean up wtmp entries as it
did with Priv sep yes. The tusc output in this case is given below.

( Attached to process 8770 ("sshd: pom at pts/0") [32-bit] )
select(12, 0x40024898, 0x40025398, NULL, NULL) .......................................... [sleeping]
Received signal 15, SIGTERM, in select(), [SIG_DFL], no siginfo
select(12, 0x40024898, 0x40025398, NULL, NULL) .......................................... [entry]
exit(15) [implicit (select failure)] .................................................... WIFSIGNALED(SIGTERM)

Thanks,
Senthil Kumar.

From r3r2 at yahoo.com Fri Apr 29 09:51:02 2005
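Senthil's tusc traces and Logu's `last` output in this thread come down to the same audit gap: a USER_PROCESS record in wtmp that never gets a matching DEAD_PROCESS record, which `last` then reports as "gone - no logout" once the tty line is reused (or "still logged in" if it is not). The Python below is an added example, not code from the thread or from OpenSSH. It decodes wtmp records in the layout glibc uses on x86-64 Linux (384 bytes; an assumption about the target system, since HP-UX and Solaris utmpx records differ, as the 140-byte reads in the trace above show) and pairs logins with logouts the way last(1) does, so that sessions whose logout was never recorded can be listed. The records it parses are constructed sample data, not the posters' files.

```python
"""Pair wtmp login/logout records the way last(1) does, to find sessions
whose logout was never written (reported by last as "gone - no logout").

Record layout is glibc's struct utmp on x86-64 Linux (384 bytes); this is
an assumption about the system being audited. All sample records below
are constructed for this example.
"""
import struct
import time

# <: little-endian, no implicit alignment (pad bytes are given explicitly)
#   h ut_type, 2 pad, i ut_pid, 32s ut_line, 4s ut_id, 32s ut_user,
#   256s ut_host, hh exit_status, i ut_session, ii ut_tv, 4i ut_addr_v6,
#   20 unused bytes
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one struct utmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data):
    """Decode a wtmp byte string into a list of record dicts, oldest first."""
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return recs


def sessions(records):
    """Walk the records newest-first, as last(1) does, and classify every
    USER_PROCESS entry by the nearest later record on the same tty line:
      DEAD_PROCESS -> normal logout
      USER_PROCESS -> line reused with no logout record: "gone - no logout"
      nothing      -> "still logged in"
    Returns the sessions newest-first."""
    out = []
    later = {}  # tty line -> nearest later record seen so far
    for r in reversed(records):
        if r["type"] == DEAD_PROCESS:
            later[r["line"]] = r
        elif r["type"] == USER_PROCESS:
            nxt = later.get(r["line"])
            if nxt is None:
                status, logout = "still logged in", None
            elif nxt["type"] == DEAD_PROCESS:
                status, logout = "logged out", nxt["time"]
            else:
                status, logout = "gone - no logout", None
            out.append({"user": r["user"], "line": r["line"], "host": r["host"],
                        "login": r["time"], "logout": logout, "status": status})
            later[r["line"]] = r
    return out


def missing_logouts(records):
    """Sessions that were never closed in wtmp: the audit gap the thread describes."""
    return [s for s in sessions(records) if s["status"] == "gone - no logout"]


def format_last(sess):
    """Render one session roughly like a line of last(1) output (times in UTC)."""
    stamp = time.strftime("%a %b %d %H:%M", time.gmtime(sess["login"]))
    return f'{sess["user"]:<8} {sess["line"]:<12} {sess["host"]:<16} {stamp}   {sess["status"]}'


# Constructed sample wtmp: alice logs out cleanly; logu's sshd was killed
# with SIGTERM, so no DEAD_PROCESS record was written before pts/1 was
# reused by bob; carol is still logged in.
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 1001, "pts/0", "alice", "172.16.1.20", 1114630000),
    pack_record(DEAD_PROCESS, 1001, "pts/0", "", "", 1114630600),
    pack_record(USER_PROCESS, 1002, "pts/1", "logu", "172.16.1.20", 1114631340),
    pack_record(USER_PROCESS, 1003, "pts/1", "bob", "172.16.1.21", 1114632000),
    pack_record(USER_PROCESS, 1004, "pts/2", "carol", "172.16.1.22", 1114632600),
])

if __name__ == "__main__":
    for s in sessions(parse_wtmp(SAMPLE_WTMP)):
        print(format_last(s))
```

On a real host the same functions run over `open("/var/log/wtmp", "rb").read()`. The defender's reason to care is the one the thread circles around: a login with no logout record is indistinguishable, after the fact, from a session that is still open, so a daemon that exits on SIGTERM without writing the DEAD_PROCESS entry quietly degrades the login audit trail.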
From: r3r2 at yahoo.com (Ryan Robertson)
Date: Thu, 28 Apr 2005 16:51:02 -0700 (PDT)
Subject: ssh 4.0 under AIX 5.3 password expiration
Message-ID: <20050428235103.54147.qmail@web51907.mail.yahoo.com>

I have a user whose password has expired (the ADMCHG flag is set in
/etc/security/passwd) under AIX 5.3. For some reason it is not prompting
for a new passwd. This worked in 3.9. Any ideas?

Thanks,
Ryan

# /usr/sbin/sshd -d
debug1: sshd version OpenSSH_4.0p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Bind to port 22 on ::.
Bind to port 22 on :: failed: Address already in use.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: fd 4 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 9
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.247.63 port 34762
debug1: Client protocol version 2.0; client software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_4.0
debug1: permanently_set_uid: 202/201
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user dummy service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for dummy from 192.168.247.63 port 34762 ssh2
Failed none for dummy from 192.168.247.63 port 34762 ssh2
debug1: userauth-request for user dummy service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 203/1 (e=0/0)
debug1: trying public key file /home/dummy/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 203/1 (e=0/0)
debug1: trying public key file /home/dummy/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for dummy from 192.168.247.63 port 34762 ssh2
debug1: userauth-request for user dummy service ssh-connection method publickey
debug1: attempt 2 failures 2
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 203/1 (e=0/0)
debug1: trying public key file /home/dummy/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 203/1 (e=0/0)
debug1: trying public key file /home/dummy/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for dummy from 192.168.247.63 port 34762 ssh2
debug1: userauth-request for user dummy service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 3
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=dummy devs=
debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for dummy from 192.168.247.63 port 34762 ssh2
debug1: userauth-request for user dummy service ssh-connection method password
debug1: attempt 4 failures 4
debug1: do_cleanup
Segmentation fault(coredump)

From dtucker at zip.com.au Fri Apr 29 10:01:59 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 29 Apr 2005 10:01:59 +1000
Subject: ssh 4.0 under AIX 5.3 password expiration
In-Reply-To: <20050428235103.54147.qmail@web51907.mail.yahoo.com>
References: <20050428235103.54147.qmail@web51907.mail.yahoo.com>
Message-ID: <42717977.1050902@zip.com.au>

Ryan Robertson wrote:
> I have a user who's password has expired (ADMCHG) flag
> is set in /etc/security/passwd under AIX 5.3. For
> some reason it is not prompting for new passwd. This
> worked in 3.9. Any ideas?

It's a bug in 4.0p1, unfortunately. The details and a patch are here:
http://bugzilla.mindrot.org/show_bug.cgi?id=1006

The fix will be in the 4.1p1 release.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From seanlkml at sympatico.ca Sat Apr 30 23:03:36 2005
From: seanlkml at sympatico.ca (Sean)
Date: Sat, 30 Apr 2005 09:03:36 -0400 (EDT)
Subject: PAM_AUTH_ERR messages
Message-ID: <1723.10.10.10.24.1114866216.squirrel@linux1>

Hi,

There seems to be no way for PAM to inform a user why her ssh login
attempt is being denied. Neither PAM_TEXT_INFO nor PAM_ERROR_MSG
conversation messages are passed on to the user by sshd unless the login
is successful. This is causing great frustration for us at several sites
where users can't figure out why their logins aren't working.

Would a patch be accepted to display such text even on login failure with
a couple of seconds of delay afterward? Or is there a way to already do
this that I'm just missing?

Thanks,
Sean