From esp5 at pge.com Tue Feb 1 07:39:52 2005
From: esp5 at pge.com (Edward Peschko)
Date: Mon, 31 Jan 2005 12:39:52 -0800
Subject: ftp over ssl via openssh
In-Reply-To: <41F0764A.3020700@mindrot.org>
References: <20050121023155.GC3518@venus> <41F0764A.3020700@mindrot.org>
Message-ID: <20050131203952.GA11940@venus>

On Fri, Jan 21, 2005 at 02:26:02PM +1100, Damien Miller wrote:
> Edward Peschko wrote:
> >hey all,
> >
> >I was wondering if openssh did ftp via ssl connection - or if not - what
> >unix package out there did this.
>
> No, OpenSSH doesn't do this.
>
> Unsurprisingly, Google has lots of information on ftp over ssl.

And unsurprisingly, google has very little information about a command line interface in unix that does ftp over ssl, probably because one doesn't exist.

But seriously, why doesn't openssh do this? It seems like a pretty big hole in its functionality..

Ed

From stuge-openssh-unix-dev at cdy.org Tue Feb 1 08:28:45 2005
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Mon, 31 Jan 2005 22:28:45 +0100
Subject: ftp over ssl via openssh
In-Reply-To: <20050131203952.GA11940@venus>
References: <20050121023155.GC3518@venus> <41F0764A.3020700@mindrot.org> <20050131203952.GA11940@venus>
Message-ID: <20050131212845.GB24493@foo.birdnet.se>

On Mon, Jan 31, 2005 at 12:39:52PM -0800, Edward Peschko wrote:
> And unsurprisingly, google has very little information about a
> command line interface in unix that does ftp over ssl, probably
> because one doesn't exist.

Sure they do. Searching for "unix ftp ssl" I got at least three hits on the first two pages mentioning usable clients. Searching for "linux ftp ssl" the very first hit was the forum thread "Console ftp over ssl" where someone mentions netkit-ftp-ssl on freshmeat.net.

> But seriously, why doesn't openssh do this? It seems like a pretty
> big hole in its functionality..

Not really; OpenSSH is an implementation of the SSH protocol versions 1 and 2. Included in the SSH protocol is a file transfer subsystem called sftp which can do everything FTP does, and more. FTP over SSL is derived from (the insecure) FTP and differs from sftp in several other ways as well.

You should look further for Unix FTP clients that advertise support for SSL. Gentoo Linux includes the patch for netkit-ftp-0.17, but you could apply it manually and recompile in other distributions. The client lftp also supports SSL.

//Peter

From jengelh at linux01.gwdg.de Tue Feb 1 18:00:05 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue, 1 Feb 2005 08:00:05 +0100 (MET)
Subject: Dead proxy tunnel not cleared
In-Reply-To: <41FE228C.5080806@zip.com.au>
References: <41FE228C.5080806@zip.com.au>
Message-ID:

>> I have been observing the case where some part of the proxy connection(s)
>> break/time out, and the "tunnelconnect" proxy
>> (http://www.taiyo.co.jp/~gotoh/ssh/connect.html) exits.
>>
>> The problem is that the process turns into a zombie and _stays_ that way.
>> SSH (OpenSSH-3.9p1) does not seem to wait() for it. Looks like a
>> "deadwait".
>
> What platform is this on? I'm guessing a Linux 2.6 kernel?

Yes, 2.6.8 from Suse 9.2. (Read: 2.6.8+2.6.9-rc1)

I do not think this issue is related to me, as the problem is on the client side, i.e. a bug of ssh, not sshd.

As for the comments on bug#967, the following applies to me too:

- built using /lib/tls/libpthread.so.0, but that's a side effect of the dynamic linker, which automatically chooses /lib/tls if it exists, otherwise falls back on /lib.
- I do not use IPv6 at all
- I am using SSH2, with a public key to allow authentication w/o PW
- I was executing an interactive shell (not a remote command, as in #967) when the proxy connection dropped and turned the tunnelconnector into a zombie, but it's been happening with non-interactive remote commands too.

Unless someone already figured out what exactly (not) happens, I'll probably just write a script that will check if tunnelconnect has gone zombie and kill the associated ssh process. A cron script already restarts the tunnel if necessary, so it won't be much work.

Jan Engelhardt
--

From jengelh at linux01.gwdg.de Tue Feb 1 18:02:21 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue, 1 Feb 2005 08:02:21 +0100 (MET)
Subject: ftp over ssl via openssh
In-Reply-To: <20050131203952.GA11940@venus>
References: <20050121023155.GC3518@venus> <41F0764A.3020700@mindrot.org> <20050131203952.GA11940@venus>
Message-ID:

>> Edward Peschko wrote:
>> >hey all,
>> >
>> >I was wondering if openssh did ftp via ssl connection - or if not - what
>> >unix package out there did this.
>>
>> No, OpenSSH doesn't do this.
>>
>> Unsurprisingly, Google has lots of information on ftp over ssl.
>
>And unsurprisingly, google has very little information about a command line
>interface in unix that does ftp over ssl, probably because one doesn't exist.
>
>But seriously, why doesn't openssh do this? It seems like a pretty big
>hole in its functionality..

There's "lftp" -- google's first hit.

Jan Engelhardt
--

From dtucker at zip.com.au Tue Feb 1 18:13:21 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 01 Feb 2005 18:13:21 +1100
Subject: Dead proxy tunnel not cleared
In-Reply-To:
References: <41FE228C.5080806@zip.com.au>
Message-ID: <41FF2C11.4040306@zip.com.au>

Jan Engelhardt wrote:
> Yes, 2.6.8 from Suse 9.2. (Read: 2.6.8+2.6.9-rc1)
> I do not think this issue is related to me, as the problem is on the client
> side, i.e. a bug of ssh, not sshd.

Ah, you're using a ProxyCommand? And the proxycommand is exiting but ssh is never finding this out?

Could you please supply the ProxyCommand options and the output of "ssh -vvv whereever" (with any IP addresses obscured in both if required).

From your description it sounds like it's a problem with select() not returning a close when the proxycommand dies rather than a signal thing (afaict ssh doesn't use SIGCHLD at all). You can test this by attaching an strace -p to a hung ssh process.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From jengelh at linux01.gwdg.de Tue Feb 1 22:44:35 2005
From: jengelh at linux01.gwdg.de (Jan Engelhardt)
Date: Tue, 1 Feb 2005 12:44:35 +0100 (MET)
Subject: Dead proxy tunnel not cleared
In-Reply-To: <41FF2C11.4040306@zip.com.au>
References: <41FE228C.5080806@zip.com.au> <41FF2C11.4040306@zip.com.au>
Message-ID:

> Jan Engelhardt wrote:
>> Yes, 2.6.8 from Suse 9.2. (Read: 2.6.8+2.6.9-rc1)
>> I do not think this issue is related to me, as the problem is on the
>> client side, i.e. a bug of ssh, not sshd.
>
> Ah, you're using a ProxyCommand? And the proxycommand is exiting but ssh is
> never finding this out?

Yes, but it has been rare that the proxycommand has not been reaped.

> Could you please supply the ProxyCommand options and the output of "ssh -vvv
> whereever" (with any IP addresses obscured in both if required).

Host linux01
    ProxyCommand /usr/local/bin/tunnelconnect -H 172.16.60.1:3128 alphagate.hopto.org 443

> From your description it sounds like it's a problem with select() not
> returning a close when the proxycommand dies rather than a signal thing
> (afaict ssh doesn't use SIGCHLD at all). You can test this by attaching
> an strace -p to a hung ssh process.

Will do so whenever it happens again.

Jan Engelhardt
--

From bjoern at cs.tu-berlin.de Wed Feb 2 06:33:23 2005
From: bjoern at cs.tu-berlin.de (Bjoern Voigt)
Date: Tue, 01 Feb 2005 20:33:23 +0100
Subject: Feature request: FAIL_DELAY-support for sshd
Message-ID: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de>

Hello!

My Linux server is attacked every day with brute-force password cracking attacks. I use openssh-3.9p1 (SuSE Linux 9.2) with the standard setup (PAM, LoginGraceTime 2m, MaxAuthTries 6). Unfortunately, I see cracking attempts with very short delays (1 second):

Jan 31 00:46:53 XXX sshd[10774]: Invalid user backup from ::ffff:66.98.176.50
Jan 31 00:46:54 XXX sshd[10776]: Invalid user server from ::ffff:66.98.176.50
Jan 31 00:46:55 XXX sshd[10778]: Invalid user adam from ::ffff:66.98.176.50
..

I want to slow down these attacks with a login delay for failed logins. I tried FAIL_DELAY (in /etc/login.defs) for this, but unfortunately openssh has no support for this and ignores it.

I searched the net today for solutions and tried some things in the source code. These are my experiences:

1) Very many people ask for a FAIL_DELAY feature (Source: Google, Newsgroups, Mailinglists, ...)

2) The work-arounds are not perfect:

a) Some people suggest using /lib/security/pam_tally.so (this PAM module denies access to accounts after too many login failures). Unfortunately this module can result in denial-of-service.

b) The MaxStartups option in /etc/ssh/sshd_config. This drops new connections if there are too many unauthorized login attempts. It may help a bit against cracking attempts, but it doesn't use delays. Because OpenSSH checks the usernames before PAM authentication, this feature will not help against testing usernames.

I played a bit with OpenSSH's source code to enable a FAIL_DELAY: In auth-pam.c: sshpam_thread I inserted

    pam_fail_delay(sshpam_handle, 10000000 /* micro-seconds */ );

before

    sshpam_err = pam_authenticate(sshpam_handle, flags);

This results in a 10 second delay after a login attempt with an existing user, but a wrong password.
Unfortunately this introduces new problems, because an attacker can now see if the user exists or not:

Case 1: existing username, but wrong passwords

    $ ssh existing-user@localhost
    Password: (10 sec delay)
    Password: (10 sec delay)
    Password: (10 sec delay)
    Permission denied (publickey,keyboard-interactive).

Case 2: non-existing username

    $ ssh -p 112 non-existing-user@localhost
    Password: (no delay)
    Password: (no delay)
    Password: (no delay)
    Permission denied (publickey,keyboard-interactive).

The problem is that OpenSSH checks the username without PAM, so that pam_fail_delay() has no effect if the username is wrong.

Could someone help here? I think the FAIL_DELAY feature is very important for better security and many users wish it and will use it.

Regards,
Björn

From emaste at phaedrus.sandvine.ca Wed Feb 2 07:19:59 2005
From: emaste at phaedrus.sandvine.ca (Ed Maste)
Date: Tue, 1 Feb 2005 15:19:59 -0500
Subject: Feature request: FAIL_DELAY-support for sshd
In-Reply-To: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de>
References: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de>
Message-ID: <20050201201959.GB61930@sandvine.com>

On Tue, Feb 01, 2005 at 08:33:23PM +0100, Bjoern Voigt wrote:
> The problem is, that OpenSSH checks the username without PAM, so that
> pam_fail_delay() has no effect, if the username is wrong.

It seems that sshd's checking of getpwnam() before trying to authenticate with PAM causes many issues. For example, some PAM modules want to change the username after authenticating; the user passed in to PAM might not even exist. (Of course the user returned by PAM must.) This can be used to allow role-account logins, if the user authenticates using something like radius.

That said, however, I think OpenSSH is designed to follow the same code path for authentication with valid/invalid users. I believe it should call pam_authenticate also for users that don't exist. Are you sure pam_authenticate isn't being called?

From dtucker at zip.com.au Wed Feb 2 10:07:28 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 02 Feb 2005 10:07:28 +1100
Subject: Feature request: FAIL_DELAY-support for sshd
In-Reply-To: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de>
References: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de>
Message-ID: <42000BB0.7000601@zip.com.au>

Bjoern Voigt wrote:
> My Linux-server is every day attacked with brute-force password cracking
> attacks. I use openssh-3.9p1 (SuSE Linux 9.2) with standard setup (PAM,
> LoginGraceTime 2m, MaxAuthTries 6). Unfortunately, I see cracking
> attempts with very short delays (1 second):
[...]
> I want to slow down this attacks with a login delay for failed logins. I
> tried FAIL_DELAY (in /etc/login.defs) for this, but unfortunately
> openssh has no support for this and ignores it.

3.9p1 should insert a delay on fail if PAM is configured to do so (it does on my RH9 box) for password authentication. -current fixes that for keyboard-interactive too.

None of this is going to make any difference for your situation, though. Notice that the pids for each attempt are different? Even if each sshd delays it's not going to slow down an attacker much if at all since the requests are effectively pipelined. It would mean that the resources for each connection are tied up on your server for longer.

What would help is restricting the rate of connections permitted from each source. (Such a feature was recently added to OpenBSD's pf, and may exist in other filters.)

> 1) Very much people ask for a FAIL_DELAY-feature (Source: Google,
> Newsgroups, Mailinglists, ...)
> 2) The work-arounds are not perfect:
> a) Some people suggests using /lib/security/pam_tally.so (this
> PAM-module denies access to accounts after too many login failures).
> Unfortunately this module can result in denial-of-service.
There's also a module to blacklist the source of such connections (although I've not used it):
http://www.hexten.net/sw/pam_abl/index.mhtml

> Case 1: existing username, but wrong passwords
> $ ssh existing-user@localhost

Please try repeating this test with either:
- "PasswordAuthentication yes" and "ChallengeResponseAuthentication no" in sshd_config
- a current development snapshot from ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From esp5 at pge.com Wed Feb 2 10:10:41 2005
From: esp5 at pge.com (Edward Peschko)
Date: Tue, 1 Feb 2005 15:10:41 -0800
Subject: ftp over ssl via openssh
In-Reply-To:
References: <20050121023155.GC3518@venus> <41F0764A.3020700@mindrot.org> <20050131203952.GA11940@venus>
Message-ID: <20050201231041.GA25462@venus>

On Tue, Feb 01, 2005 at 08:02:21AM +0100, Jan Engelhardt wrote:
> >> Edward Peschko wrote:
> >> >hey all,
> >> >
> >> >I was wondering if openssh did ftp via ssl connection - or if not - what
> >> >unix package out there did this.
> >>
> >> No, OpenSSH doesn't do this.
> >>
> >> Unsurprisingly, Google has lots of information on ftp over ssl.
> >
> >And unsurprisingly, google has very little information about a command line
> >interface in unix that does ftp over ssl, probably because one doesn't exist.
> >
> >But seriously, why doesn't openssh do this? It seems like a pretty big
> >hole in its functionality..
>
> There's "lftp" -- google's first hit.

lftp doesn't do ssl connect (ssl negotiation over a separate port), *and* auth tls, *and* auth ssl. I need all three.

I looked at http://www.ford-hutchinson.com/~fh-1-phf/ftps-ext.html and it's hard to believe, but out of the forty distributions there, there doesn't seem to be one ftps implementation that is portable to the extent that I need, does all three schemes, and is freeware. So far, the best I've got is c-kermit, but that's sort of an odd duck. It works better on the legacy machines (solaris, etc) and I'm having difficulties in compiling for my linux box.

Anyways, I could use this or lftp, but it seems silly to have two different distributions (lftp, openssh) with two separate end user interfaces. Why did the openssh project choose not to include it?

Ed

From stuge-openssh-unix-dev at cdy.org Wed Feb 2 10:26:19 2005
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Wed, 2 Feb 2005 00:26:19 +0100
Subject: ftp over ssl via openssh
In-Reply-To: <20050201231041.GA25462@venus>
References: <20050121023155.GC3518@venus> <41F0764A.3020700@mindrot.org> <20050131203952.GA11940@venus> <20050201231041.GA25462@venus>
Message-ID: <20050201232619.GA16441@foo.birdnet.se>

On Tue, Feb 01, 2005 at 03:10:41PM -0800, Edward Peschko wrote:
> Anyways, I could use this or lftp, but it seems silly to have two
> different distributions (lftp, openssh) with two separate
> end user interfaces. Why did the openssh project choose not to
> include it?

Because OpenSSH is an implementation of SSH, not FTP.

//Peter

From dtucker at zip.com.au Wed Feb 2 10:42:51 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 02 Feb 2005 10:42:51 +1100
Subject: ftp over ssl via openssh
In-Reply-To: <20050201231041.GA25462@venus>
References: <20050121023155.GC3518@venus> <41F0764A.3020700@mindrot.org> <20050131203952.GA11940@venus> <20050201231041.GA25462@venus>
Message-ID: <420013FB.80107@zip.com.au>

Edward Peschko wrote:
> Anyways, I could use this or lftp, but it seems silly to have two
> different distributions (lftp, openssh) with two separate
> end user interfaces. Why did the openssh project choose not to
> include it?

Because OpenSSH is an SSH (aka SecSH) implementation and ftp-over-ssl has absolutely nothing to do with that. They're completely unrelated protocols.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From esp5 at pge.com Wed Feb 2 10:48:51 2005
From: esp5 at pge.com (Edward Peschko)
Date: Tue, 1 Feb 2005 15:48:51 -0800
Subject: ftp over ssl via openssh
In-Reply-To: <420013FB.80107@zip.com.au>
References: <20050121023155.GC3518@venus> <41F0764A.3020700@mindrot.org> <20050131203952.GA11940@venus> <20050201231041.GA25462@venus> <420013FB.80107@zip.com.au>
Message-ID: <20050201234851.GA25801@venus>

On Wed, Feb 02, 2005 at 10:42:51AM +1100, Darren Tucker wrote:
> Edward Peschko wrote:
> >Anyways, I could use this or lftp, but it seems silly to have two
> >different distributions (lftp, openssh) with two separate
> >end user interfaces. Why did the openssh project choose not to
> >include it?
>
> Because OpenSSH is an SSH (aka SecSH) implementation and ftp-over-ssl
> has absolutely nothing to do with that. They're completely unrelated
> protocols.

... then why is sftp included in the distribution, as well as ssh? Technically, sftp is not a 'secure shell' (it's a secure service), and yet it is included.

Ed

( ps - and yes, I'm being a bit facetious here. True, the difference between sftp and ftps is that ftps uses sshd as a server mechanism, and that you package both together for convenience.

However, it's pretty damn inconvenient from a user's point of view - there are businesses out there that use the terms sftp and ftps pretty much interchangeably. I just stumbled on this - and when I asked them if they have sftp support, they said 'yes' of course. They then proceeded to point me to ftps - and only after I wasted a good 3 hours did I realize their mistake.

Hence, I think it would be prudent to simply say something like: 'it does not look like you are connecting to an sftp server here - it looks like a ftps server. Please download either ckermit or curl to deal with this.'

Either that, or simply mention it in the docs. Or just include lftp in the distribution, and be done with it... I wager that at least 100 times as many people have heard of openssh as have heard of lftp.
)

From dtucker at zip.com.au Wed Feb 2 11:16:51 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 02 Feb 2005 11:16:51 +1100
Subject: ftp over ssl via openssh
In-Reply-To: <20050201234851.GA25801@venus>
References: <20050121023155.GC3518@venus> <41F0764A.3020700@mindrot.org> <20050131203952.GA11940@venus> <20050201231041.GA25462@venus> <420013FB.80107@zip.com.au> <20050201234851.GA25801@venus>
Message-ID: <42001BF3.8000805@zip.com.au>

Edward Peschko wrote:
> ... then why is sftp included in the distribution, as well as ssh?
> Technically, sftp is not a 'secure shell' (its a secure service),
> and yet it is included.

It is, it's part of the SecSH protocol spec ("SSH File Transfer Protocol"):
http://www.ietf.org/html.charters/secsh-charter.html

> ps - and yes, I'm being a bit facetious here. True, the difference
> between sftp and ftps is that ftps uses sshd as a server mechanism,
> and that you package both together for convenience.

No, the difference between sftp and ftps is *they're completely different and incompatible protocols*. They don't even use the same TCP port.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From Sergio.Gelato at astro.su.se Thu Feb 3 01:41:44 2005
From: Sergio.Gelato at astro.su.se (Sergio Gelato)
Date: Wed, 2 Feb 2005 15:41:44 +0100
Subject: Feature request: FAIL_DELAY-support for sshd
In-Reply-To: <42000BB0.7000601@zip.com.au>
References: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de> <42000BB0.7000601@zip.com.au>
Message-ID: <20050202144144.GC10909@hanuman.astro.su.se>

* Darren Tucker [2005-02-02 10:07:28 +1100]:
> What would help is restricting the rate of connections permitted from
> each source. (Such a feature was recently added to OpenBSD's pf, and
> may exist in other filters.)

Would it really? My experience with these scans is that they don't make much more than a hundred or so attempts on each server. At one attempt per second, they're often long over by the time I review the logs. Merely slowing them down is not going to decrease the total number of attempts, I would think.

What I would find more useful is a more configurable policy as to what authentications are acceptable from various sources. One may want to only allow one-time passwords from untrusted IPs, for example. But since I don't have code (nor even a particularly elegant design) to contribute for this, I won't press the idea.

My current strategy for those scans is to blacklist the originating network after the fact, unless it also has a history of being used for legitimate accesses (which turns out to be rare for us).

From gert at greenie.muc.de Thu Feb 3 02:02:51 2005
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 2 Feb 2005 16:02:51 +0100
Subject: Feature request: FAIL_DELAY-support for sshd
In-Reply-To: <20050202144144.GC10909@hanuman.astro.su.se>
References: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de> <42000BB0.7000601@zip.com.au> <20050202144144.GC10909@hanuman.astro.su.se>
Message-ID: <20050202150251.GE229@greenie.muc.de>

Hi,

On Wed, Feb 02, 2005 at 03:41:44PM +0100, Sergio Gelato wrote:
> Would it really? My experience with these scans is that they don't make
> much more than a hundred or so attempts on each server. At one attempt
> per second, they're often long over by the time I review the logs. Merely
> slowing them down is not going to decrease the total number of attempts,
> I would think.

What we do here is "as soon as a host has hit 3 password auth failures, it will get auto-added to linux-iptables rules" (and boom, no more tries).

The code is still too messy to share, and too customized to work anywhere else, though. Plugging it into opensshd was very easy, though - just using the "record_failed_login()" hook in auth.c, and adding our own .c file to the to-be-built objects :-)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From bjoern at cs.tu-berlin.de Thu Feb 3 03:59:03 2005
From: bjoern at cs.tu-berlin.de (Bjoern Voigt)
Date: Wed, 2 Feb 2005 17:59:03 +0100 (CET)
Subject: Feature request: FAIL_DELAY-support for sshd
In-Reply-To: <20050201201959.GB61930@sandvine.com>
References: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de> <20050201201959.GB61930@sandvine.com>
Message-ID:

Ed Maste wrote:
> It seems that sshd's checking of getpwnam() before trying to
> authenticate with PAM causes many issues. For example, some PAM
> modules want to change the username after authenticating; the user
> passed in to PAM might not even exist. (Of course the user returned
> by PAM must.) This can be used to allow role- account logins, if the
> user authenticates using something like radius.

Yes, the function allowed_user() in auth.c checks the user account with getpwnam() or getspnam(). The function is difficult to read because of a lot of #ifdef's. It's possible to insert "sleep(seconds)" here to slow down the connection a bit. But this also slows down "good" connections.

> That said, however, I think OpenSSH is designed to follow the same
> code path for authentication with valid/invalid users. I believe it
> should call pam_authenticate also for users that don't exist. Are you
> sure pam_authenticate isn't being called?

Not really sure, because I haven't fully understood the authentication code. There are filenames like auth.c, auth1.c, auth2.c. Also, my debugger (gdb-6.2) seems to have some problems with OpenSSH. I compiled with "CFLAGS=-g ./configure --enable-debug ..." and I debug with "sshd -p XXX -dDD" but gdb does not find my breakpoints.

Anyway, with debugging messages inserted, I think that pam_authenticate() will be called only for existing users (allowed_user() check).

Regards,
Björn

From bjoern at cs.tu-berlin.de Thu Feb 3 03:59:19 2005
From: bjoern at cs.tu-berlin.de (Bjoern Voigt)
Date: Wed, 2 Feb 2005 17:59:19 +0100 (CET)
Subject: Feature request: FAIL_DELAY-support for sshd
In-Reply-To: <20050202144144.GC10909@hanuman.astro.su.se>
References: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de> <42000BB0.7000601@zip.com.au> <20050202144144.GC10909@hanuman.astro.su.se>
Message-ID:

Sergio Gelato wrote:
> * Darren Tucker [2005-02-02 10:07:28 +1100]:
> > What would help is restricting the rate of connections permitted from
> > each source. (Such a feature was recently added to OpenBSD's pf, and
> > may exist in other filters.)
>
> Would it really? My experience with these scans is that they don't make
> much more than a hundred or so attempts on each server. At one attempt
> per second, they're often long over by the time I review the logs. Merely
> slowing them down is not going to decrease the total number of attempts,
> I would think.

This is also my experience. They try usernames/passwords 50-150 times on each server. With a 1-second delay this may take 50-150 seconds. I think the cracking tools restrict the attacks to 50-150 attempts per day so that intrusion detection systems may not recognize it. But SSH allows many more attempts. Look at this testing shell script:

--------------------------------------------------------------------
#! /bin/bash
startdate=`date`

# some test usernames
users=(aa ab ac ad ae af ag ah ai aj ak al am an ao ap aq ar as at \
au av aw ax ay az)

# count of all usernames
count=${#users[*]}

i=0
while [ $i -lt $count ]
do
    auser=${users[$i]}
    echo $auser
    # testing with ssh
    ssh $auser@localhost
    # testing with su
    #su $auser -c echo
    let i=i+1
done

enddate=`date`
echo "Checked $count users"
echo "Starttime: $startdate"
echo "Endtime: $enddate"
--------------------------------------------------------------------

Because SSH does not accept passwords from stdin redirections, you have to press the RETURN key for testing.
This is my testing result:

--------------------------------------------------------------------
SSH-Server: openssh-3.9p1
SSH-Server-Config:
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes

Checked 26 users
Starttime: Mi Feb 2 17:07:34 CET 2005
Endtime: Mi Feb 2 17:07:41 CET 2005
--------------------------------------------------------------------

I'm able to test 26 usernames in only 7 seconds!

I also tested with

SSH-Server-Config:
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication no

But the result was nearly the same.

In theory I could test 24*3600*26.0/7=320914 username/password combinations per day without parallel connections. With "MaxStartups 10 (default)" and parallel cracking I get a 10 times higher number: 10*24*3600*26.0/79=284354

I have compared this result with the results of the "su" command:

--------------------------------------------------------------------
FAIL_DELAY 3 (in /etc/login.defs)

Checked 26 users
Starttime: Mi Feb 2 17:13:21 CET 2005
Endtime: Mi Feb 2 17:14:40 CET 2005
--------------------------------------------------------------------

With "su" testing 26 usernames takes 79 seconds. This is 10 times slower than with ssh.

Regards,
Björn

From bjoern at cs.tu-berlin.de Thu Feb 3 03:59:29 2005
From: bjoern at cs.tu-berlin.de (Bjoern Voigt)
Date: Wed, 2 Feb 2005 17:59:29 +0100 (CET)
Subject: Feature request: FAIL_DELAY-support for sshd
In-Reply-To: <42000BB0.7000601@zip.com.au>
References: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de> <42000BB0.7000601@zip.com.au>
Message-ID:

Darren Tucker wrote:
> 3.9p1 should insert a delay on fail if PAM is configured to do so (it does on
> my RH9 box) for password authentication. -current fixes that for
> keyboard-interactive too.

Thanks. But how do I configure the delays in PAM? I searched the PAM documentation for this, but I only found that the default delay is 1 second and there is a nodelay option.

> None of this is going to make any difference for your situation,
> though.

Yes, unfortunately.

> Notice that the pids for each attempt are different? Even if each sshd delays
> it's not going to slow down an attacker much if at all since the requests are
> effectively pipelined. It would mean that the resources for each connection
> are tied up on your server for longer.

Yes, but I would like to combine the delay method with restricting unauthenticated connections. This can be done with the "MaxStartups" option.

> What would help is restricting the rate of connections permitted from each
> source. (Such a feature was recently added to OpenBSD's pf, and may exist in
> other filters.)

Yes, netfilter (Linux) may also have such options. But I'm not really a firewall expert. I use a set of shell scripts from SuSE Linux (SuSEfirewall2). This firewall does a good job for my needs. It's possible, but not very easy, to extend SuSEfirewall2's shell scripts.

> Please try repeating this test with either:
> - "PasswordAuthentication yes" and "ChallengeResponseAuthentication no" in
> sshd_config

Ok, I tested it. But I did not see many differences. In fact, I only noticed another password prompt for both methods. Also the documentation (man sshd_config) doesn't help me much here. Do you know the difference?
> - a current development snapshot from
> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/

I tested it (openssh-SNAP-20050105.tar.gz, the latest file). But I saw no differences. Maybe I should tune my PAM config first (see above).

Regards,
Björn

From bjoern at cs.tu-berlin.de Thu Feb 3 03:59:42 2005
From: bjoern at cs.tu-berlin.de (Bjoern Voigt)
Date: Wed, 2 Feb 2005 17:59:42 +0100 (CET)
Subject: Feature request: FAIL_DELAY-support for sshd
In-Reply-To: <20050202150251.GE229@greenie.muc.de>
References: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de> <42000BB0.7000601@zip.com.au> <20050202144144.GC10909@hanuman.astro.su.se> <20050202150251.GE229@greenie.muc.de>
Message-ID:

Gert Doering wrote:
> What we do here is "as soon as a host has hit 3 password auth failures,
> it will get auto-added to linux-iptables rules" (and boom, no more
> tries).

Ok, thanks. This may help in some situations. But how do you deal with the following situation: Two users (a "good" user and a "bad" user) are behind a firewall with one public IP. Now the "bad" user tries 3 wrong passwords. After that, the "good" user can not connect to his host (denial-of-service attack).

Regards,
Björn

From stuge-openssh-unix-dev at cdy.org Thu Feb 3 08:45:38 2005
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Wed, 2 Feb 2005 22:45:38 +0100
Subject: Feature request: FAIL_DELAY-support for sshd
In-Reply-To:
References: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de> <42000BB0.7000601@zip.com.au> <20050202144144.GC10909@hanuman.astro.su.se> <20050202150251.GE229@greenie.muc.de>
Message-ID: <20050202214538.GA13107@foo.birdnet.se>

On Wed, Feb 02, 2005 at 05:59:42PM +0100, Bjoern Voigt wrote:
> But, how you deal with the following situation: Two users (a "good"
> user and a "bad" user) are behind a firewall with one public IP.
> Now the "bad" user tries 3 wrong passwords. After that, the "good"
> user can not connect to his host (denial-of-service attack).

I would probably set up a VPN between the two networks.

//Peter

From djm at mindrot.org  Thu Feb  3 09:39:25 2005
From: djm at mindrot.org (Damien Miller)
Date: Thu, 03 Feb 2005 09:39:25 +1100
Subject: Feature request: FAIL_DELAY-support for sshd
In-Reply-To: <20050202144144.GC10909@hanuman.astro.su.se>
References: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de> <42000BB0.7000601@zip.com.au> <20050202144144.GC10909@hanuman.astro.su.se>
Message-ID: <4201569D.4050405@mindrot.org>

Sergio Gelato wrote:
> What I would find more useful is a more configurable policy as to what
> authentications are acceptable from various sources. One may want to
> only allow one-time passwords from untrusted IPs, for example. But since
> I don't have code (nor even a particularly elegant design) to contribute
> for this, I won't press the idea.

I am doing some work towards implementing this, but per-source auth
controls won't be in the next release. Until then, you can fake it by
running multiple instances of sshd with different configurations with
packet filter control over who gets to see what.

-d

From gert at greenie.muc.de  Thu Feb  3 04:08:58 2005
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 2 Feb 2005 18:08:58 +0100
Subject: Feature request: FAIL_DELAY-support for sshd
In-Reply-To:
References: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de> <42000BB0.7000601@zip.com.au> <20050202144144.GC10909@hanuman.astro.su.se> <20050202150251.GE229@greenie.muc.de>
Message-ID: <20050202170857.GH229@greenie.muc.de>

Hi,

On Wed, Feb 02, 2005 at 05:59:42PM +0100, Bjoern Voigt wrote:
> But, how you deal with the following situation: Two users (a "good" user
> and a "bad" user) are behind a firewall with one public IP. Now the
> "bad" user tries 3 wrong passwords. After that, the "good" user can not
> connect to his host (denial-of-service attack).

True. There is no way to perfectly solve this - but then, NAT is evil, and
whoever uses it to hide multiple machines behind a single IP deserves all
the disadvantages.

Besides the political statement, in our environment this is really not a
serious issue. Most SSH logins that we have come from colleagues that are
at home, but are "on call" in case something breaks in the internal
network. They dial in over some sort of DSL provider, and if they really
happen to get their IP blocked due to bad passwords, they can just
disconnect, get a new dynamic IP assigned, and try again - or they can call
another colleague who has a static no-NAT IP and can ssh in to remove the
block.

The "good" logins are not "joe random from the street can do this", and
the "bad" logins are fairly infrequent (we see about 2-5 machines doing
SSH account scans per day, mostly from IPs located on different
continents), so the chance that someone is accidentally locked out is
fairly low.

In the end it's always the same decision - "convenience" vs. "security"...

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From dtucker at zip.com.au  Thu Feb  3 13:06:42 2005
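Gert's rule ("3 password auth failures, then the address goes into iptables") and Björn's objection that one "bad" user behind a NAT gateway locks out everyone sharing that address both come down to how the per-source failure state is kept. What follows is an added example written for this page, not OpenSSH's code and not anything from Gert's setup: a bounded, expiring per-source failure tracker in C. Failures older than the window stop counting, so nothing is remembered forever, and the table has a fixed size with eviction of the least recently seen source, so the tracker itself cannot be turned into a memory-exhaustion target. The addresses, the threshold of 3, the 60-second window, the table bound and the ring size are all constructed for the example. A NAT gateway is one address here, which is exactly the shared-IP limitation Björn describes.

```c
/* Added example (not OpenSSH's code): bounded, expiring per-source failure
 * tracker behind an "N failures from one address, then block" rule.  Table
 * bound, ring size, threshold and window are assumptions for the demo. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_SOURCES 1024   /* fixed table: an attacker cannot grow it */
#define MAX_FAILS      8   /* failures remembered per source */
#define ADDR_LEN      46   /* fits a textual IPv6 address */

struct source {
	char   addr[ADDR_LEN];
	time_t fails[MAX_FAILS];   /* ring of failure timestamps */
	int    nfails, head;       /* valid entries, next slot to write */
	time_t last_seen;
};

struct tracker {
	struct source s[MAX_SOURCES];
	int    used;
	int    threshold;          /* failures inside window that trigger a block */
	time_t window;             /* seconds */
};

static void tracker_init(struct tracker *t, int threshold, time_t window)
{
	memset(t, 0, sizeof(*t));
	t->threshold = threshold;
	t->window = window;
}

static struct source *find_source(struct tracker *t, const char *addr)
{
	int i;
	for (i = 0; i < t->used; i++)
		if (strcmp(t->s[i].addr, addr) == 0)
			return &t->s[i];
	return NULL;
}

/* Slot for a new address: a free one, else evict the least recently seen. */
static struct source *claim_source(struct tracker *t, const char *addr)
{
	struct source *s;
	int i, victim = 0;

	if (t->used < MAX_SOURCES) {
		s = &t->s[t->used++];
	} else {
		for (i = 1; i < MAX_SOURCES; i++)
			if (t->s[i].last_seen < t->s[victim].last_seen)
				victim = i;
		s = &t->s[victim];
	}
	memset(s, 0, sizeof(*s));
	snprintf(s->addr, sizeof(s->addr), "%s", addr);
	return s;
}

/* Failures of s that are still inside the window ending at now. */
static int recent_failures(const struct source *s, time_t now, time_t window)
{
	int i, n = 0;
	for (i = 0; i < s->nfails; i++)
		if (now - s->fails[i] <= window)
			n++;
	return n;
}

/* Record one failed login from addr at time now.  Returns 1 when the source
 * has reached the threshold inside the window (time to add the firewall
 * rule), 0 otherwise.  Old failures expire simply by not being counted. */
static int record_failure(struct tracker *t, const char *addr, time_t now)
{
	struct source *s = find_source(t, addr);

	if (s == NULL)
		s = claim_source(t, addr);
	s->fails[s->head] = now;
	s->head = (s->head + 1) % MAX_FAILS;
	if (s->nfails < MAX_FAILS)
		s->nfails++;
	s->last_seen = now;
	return recent_failures(s, now, t->window) >= t->threshold;
}

/* Scenarios on constructed addresses (RFC 5737 / RFC 3849 documentation ranges). */
static struct tracker trk;

/* Three failures within 60 s from one address: the third one blocks. */
int scenario_threshold(void)
{
	tracker_init(&trk, 3, 60);
	record_failure(&trk, "203.0.113.5", 1000);
	record_failure(&trk, "203.0.113.5", 1010);
	return record_failure(&trk, "203.0.113.5", 1020);
}

/* Also three failures, but the first two are older than the window. */
int scenario_expiry(void)
{
	tracker_init(&trk, 3, 60);
	record_failure(&trk, "198.51.100.7", 1000);
	record_failure(&trk, "198.51.100.7", 1030);
	return record_failure(&trk, "198.51.100.7", 1100);
}

/* Spraying more addresses than there are slots never grows the table. */
int scenario_bounded(void)
{
	char addr[ADDR_LEN];
	int i;
	tracker_init(&trk, 3, 60);
	for (i = 0; i < MAX_SOURCES + 100; i++) {
		snprintf(addr, sizeof(addr), "2001:db8::%x", i);
		record_failure(&trk, addr, 2000 + i);
	}
	return trk.used;
}
```

The return value of record_failure() is where a real deployment would hook its firewall rule; what the example does not solve is the policy question of what to do when a legitimate user shares the blocked address, which is why Gert's answer is an out-of-band path (another IP, a colleague) rather than a tracker tweak.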
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 03 Feb 2005 13:06:42 +1100
Subject: Feature request: FAIL_DELAY-support for sshd
In-Reply-To:
References: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de> <42000BB0.7000601@zip.com.au>
Message-ID: <42018732.9060506@zip.com.au>

Bjoern Voigt wrote:
> Darren Tucker wrote:
>
>>3.9p1 should insert a delay on fail if PAM is configured to do so (it does on
>>my RH9 box) for password authentication. -current fixes that for
>>keyboard-interactive too.
>
> Thanks. But how I configure the delays in PAM? I searched the
> PAM-documentation for this, but I only found, that the default delay is
> 1 second and there is a nodelay-option.

Hmm, looks like it's hard-coded at 2s in pam_unix. I don't know if it's
user-tweakable. A PAM module that sets pam_fail_delay from a parameter
should be easy to write. (BTW, pam_fail_delay is AFAIK LinuxPAM only.)

>>Please try repeating this test with either:
>> - "PasswordAuthentication yes" and "ChallengeResponseAuthentication no" in
>>sshd_config
>
> Ok, I tested it. But I did not see much differences. In fact, I only
> noticed another password-prompt for both methods. Also the documentation
> (man sshd_config) doesn't help me much here. Do you know the difference?

Sadly, yes. I should update the FAQ entry for PAM
(http://www.openssh.com/faq.html#3.15) to cover this, but the basic
difference is:

PasswordAuthentication uses the SSH password protocol, which is effectively
a simple password (although encrypted on the wire). The password prompt
("user at host's password: ") is generated by the client. When sshd feeds
the password to PAM, it's done in a "blind" fashion: if PAM sends a prompt
with echo off, sshd responds with the password. If PAM prompts for anything
else, sshd responds with an error.

ChallengeResponseAuthentication uses the SSH keyboard-interactive protocol,
which allows several rounds of dialog between client and server. The
password prompt you see is generated on the server. This allows arbitrarily
complex "conversations", for example a real challenge-response
authentication (such as S/Key or OPIE) or whatever else PAM module authors
dream up.

Each has its limitations and they are implemented by different code.
Occasionally these behave differently in some cases (we try to keep it as
consistent as possible).

(I'm ignoring Protocol 1 and TIS authentication for the time being. It's
similar to ChallengeResponse but with a slightly different set of rules.)

>> - a current development snapshot from
>>ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/
>
> I tested it (openssh-SNAP-20050105.tar.gz, the latest file). But I saw
> no differences. May be, I should tune my PAM-config first (see above).

I checked the change log, the changes I was referring to didn't go in until
20050118, and there seems to be some problem with snaps being propagated to
the ftp sites.

In the mean time I've temporarily put up an unofficial snap at
http://www.zip.com.au/~dtucker/tmp/openssh-20050203.tar.gz

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From guyverdh at mchsi.com  Thu Feb  3 07:02:55 2005
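As an added illustration of Darren's explanation above (example code written for this page, not OpenSSH's auth-pam.c): two PAM conversation functions in C, one behaving as sshd does for PasswordAuthentication (one password in hand, answered "blind"), one as for keyboard-interactive (every prompt relayed to the client), driven against two constructed prompt sets, a pam_unix-style echo-off password prompt and an S/Key-style challenge with an echo-on response prompt. The PAM type and constant definitions are declared locally so the file builds without libpam; they are assumed to match Linux-PAM's <security/pam_appl.h>. The prompt texts, the password "s3cret" and the OTP response are made up.

```c
/* Added example, not OpenSSH's code.  PAM types/constants are declared
 * locally so this builds without libpam (assumed to match Linux-PAM). */
#define _POSIX_C_SOURCE 200809L   /* for strdup() under strict -std= */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define PAM_SUCCESS          0
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
typedef int (*conv_fn)(int, const struct pam_message **,
    struct pam_response **, void *);

static void free_responses(struct pam_response *r, int n)
{
	int i;
	for (i = 0; r != NULL && i < n; i++)
		free(r[i].resp);
	free(r);
}

/* SSH password method: appdata is the one password the client already
 * sent.  An echo-off prompt gets it; informational messages are ignored;
 * an echo-on prompt (an OTP challenge, say) has no client dialogue to be
 * relayed to, so the whole conversation fails. */
static int password_conv(int n, const struct pam_message **msg,
    struct pam_response **resp, void *appdata)
{
	const char *password = appdata;
	struct pam_response *reply;
	int i;

	*resp = NULL;
	if (n <= 0 || (reply = calloc((size_t)n, sizeof(*reply))) == NULL)
		return PAM_CONV_ERR;
	for (i = 0; i < n; i++) {
		switch (msg[i]->msg_style) {
		case PAM_PROMPT_ECHO_OFF:
			if ((reply[i].resp = strdup(password)) == NULL)
				goto fail;
			break;
		case PAM_ERROR_MSG:
		case PAM_TEXT_INFO:
			break;               /* nothing to answer */
		default:
			goto fail;           /* cannot relay an echo-on prompt */
		}
	}
	*resp = reply;
	return PAM_SUCCESS;
fail:
	free_responses(reply, n);
	return PAM_CONV_ERR;
}

/* SSH keyboard-interactive method: appdata stands in for the user at the
 * client, who sees each prompt and types an answer.  Here the "user" has
 * a fixed answer per prompt kind; real sshd does a network round trip. */
struct client { const char *password; const char *otp; };

static int kbdint_conv(int n, const struct pam_message **msg,
    struct pam_response **resp, void *appdata)
{
	const struct client *c = appdata;
	struct pam_response *reply;
	int i;

	*resp = NULL;
	if (n <= 0 || (reply = calloc((size_t)n, sizeof(*reply))) == NULL)
		return PAM_CONV_ERR;
	for (i = 0; i < n; i++) {
		const char *typed = NULL;
		if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF)
			typed = c->password;
		else if (msg[i]->msg_style == PAM_PROMPT_ECHO_ON)
			typed = c->otp;       /* challenge shown, response typed */
		if (typed != NULL && (reply[i].resp = strdup(typed)) == NULL) {
			free_responses(reply, n);
			return PAM_CONV_ERR;
		}
	}
	*resp = reply;
	return PAM_SUCCESS;
}

/* What a PAM module does: issue its prompts, read the last answer back. */
static char last_answer[64];
const char *answer(void) { return last_answer; }

static int run_module(conv_fn conv, void *appdata,
    const struct pam_message *m, int n)
{
	const struct pam_message *ptrs[4];
	struct pam_response *r = NULL;
	int i, rc;

	last_answer[0] = '\0';
	for (i = 0; i < n && i < 4; i++)
		ptrs[i] = &m[i];
	rc = conv(n, ptrs, &r, appdata);
	for (i = 0; rc == PAM_SUCCESS && i < n; i++)
		if (r[i].resp != NULL)
			snprintf(last_answer, sizeof(last_answer), "%s", r[i].resp);
	free_responses(r, n);
	return rc;
}

/* Constructed prompts: a pam_unix-style module and an S/Key-style module. */
static const struct pam_message unix_prompts[] = {
	{ PAM_PROMPT_ECHO_OFF, "Password: " } };
static const struct pam_message otp_prompts[] = {
	{ PAM_TEXT_INFO, "otp-md5 498 ke1234" },
	{ PAM_PROMPT_ECHO_ON, "Response: " } };
static char password[] = "s3cret";
static struct client user = { "s3cret", "ABCD EFGH IJKL" };

int password_method_unix(void) { return run_module(password_conv, password, unix_prompts, 1); }
int password_method_otp(void)  { return run_module(password_conv, password, otp_prompts, 2); }
int kbdint_method_otp(void)    { return run_module(kbdint_conv, &user, otp_prompts, 2); }
```

The echo-off prompt is satisfied either way, but the echo-on response prompt makes the blind conversation return PAM_CONV_ERR: under PasswordAuthentication the user just sees "Permission denied", while under ChallengeResponseAuthentication the same module produces a challenge on the client. That is also why a fail delay inserted in one of the two code paths shows up for only one of the two methods.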
From: guyverdh at mchsi.com (guyverdh at mchsi.com)
Date: Wed, 02 Feb 2005 20:02:55 +0000
Subject: ftp over ssl via openssh
Message-ID: <020220052002.9942.4593@mchsi.com>

> Technically, sftp is not a 'secure shell' (its a secure service),
> and yet it is included.

And, just in case Darren's response is insufficient for your purposes:

Read up on RFC 2228 - ftps - aka FTP over TLS/SSL.

sftp is Secure SSH's implementation of ftp, which runs over an SSH
connection. From what I have found, it is still in IETF format.

Here's a little light reading to help, from someone who appears to be
deeply involved in the ftps world.
http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html

Favorite comment from that page - "sftp is nothing to do with FTP over
SSL, it is a way of doing file transfer over SSH which has nothing to do
with FTP (RFC 959)."

For info on the FTP over SSH (aka SFTP) read
http://www.ietf.org/internet-drafts/draft-ietf-secsh-filexfer-06.txt

Hope this helps.

From dtucker at zip.com.au  Thu Feb  3 14:02:23 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 03 Feb 2005 14:02:23 +1100
Subject: Feature request: FAIL_DELAY-support for sshd
In-Reply-To:
References: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de> <20050201201959.GB61930@sandvine.com>
Message-ID: <4201943F.5050302@zip.com.au>

Bjoern Voigt wrote:
> It's possible to insert "sleep(seconds)" here to slow down the
> connection a bit. But this also slows down "good" connections.

You could put a sleep next to the record_failed_login call in auth.c
(outside the ifdef), or even implement your own record_failed_login() that
delays before returning.

> No really sure, because I haven't fully understand the authentication
> code. There are filenames like auth.c, auth1.c, auth2.c. Also, my
> debugger (gdb-6.2) seems to have some problems with OpenSSH. I compiled
> with "CFLAGS=-g ./configure --enable-debug ...) and I debug with "sshd
> -p XXX -dDD" but gdb does not find my breakpoints.

If you're trying to probe sshd with a debugger then add
"-o UsePrivilegeSeparation=no -r" to the command line (but be aware that
it will behave similarly but not exactly the same as normal operation).

> Anyway, with debugging messages inserted, I think, that
> pam_authenticate() will be called only for existing users
> (allowed_user()-check).

That should not be the case. If you can show a situation where the current
version does behave differently then let us know and we'll try to fix it.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From rapier at psc.edu  Fri Feb  4 03:19:49 2005
From: rapier at psc.edu (Christopher Rapier)
Date: Thu, 03 Feb 2005 11:19:49 -0500
Subject: Feature request: FAIL_DELAY-support for sshd
In-Reply-To: <42018732.9060506@zip.com.au>
References: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de> <42000BB0.7000601@zip.com.au> <42018732.9060506@zip.com.au>
Message-ID: <42024F25.8040007@psc.edu>

Hopefully people won't mind if I take up a contrary position. I'm not
trying to step on any toes or insult anyone so please don't see this as a
flame because it sure isn't meant as such.

I've been following this and I have to say that the solutions being
proposed at this time are somewhat disconcerting to me. In a critical
situation I might be harried, have my fingers off the home row, or jump
the gun and start typing the password before the prompt appears. I really
won't want to have to wait 5 to 10 seconds between each password attempt
to try and get in. I've discussed this with some security people where I
work (a research center) and they have similar concerns. More importantly,
they aren't convinced that the security improvement will justify the
additional costs/user problems/support issues.

Look at it this way - these people aren't really trying to brute force
their way in as much as they are checking the doorknobs to see if some
less than savvy admin has common usernames with common passwords (which
means this option would have to be enabled by default to make a
difference). For everyone else we get a few hundred connection attempts
that don't lead anywhere and the attack moves on. A sophisticated attacker
will simply shift how they run their probes or accept the additional delay
as part of the process (we've done work that shows low speed port scans
and attacks that extend over several weeks in order to avoid triggering
various IDS rules).

Which means that the right thing to do would be to track who has been
making connection attempts and automatically block them if it exceeds a
certain value. Of course, that could cause significant problems for
legitimate users if that value is set too low. So we set it to some value
that assures that whoever is doing it is an intruder - but how long are we
supposed to sit on this connection data? By what mechanism will it be
tracked? Will it be possible to exploit this mechanism itself for a DoS
attack? All of which makes me think that this (at least) is outside of the
bounds of what SSH is about.

Honestly, in my view the right thing to do is to encourage admins to audit
their user information to make sure common usernames like 'test' and
'guest' either have strong passwords, only lead to restricted shells, or,
optimally, are purged from the system.

I'm not saying this line of inquiry isn't worth discussing but I just
don't think the solutions presented to date are the best answers to the
problem.

Chris Rapier
pittsburgh supercomputing center

From grussell at cheetahmail.com  Fri Feb  4 06:46:48 2005
From: grussell at cheetahmail.com (gabriel russell)
Date: Thu, 03 Feb 2005 14:46:48 -0500
Subject: Feature request: FAIL_DELAY-support for sshd
In-Reply-To:
References: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de> <20050201201959.GB61930@sandvine.com>
Message-ID:

Bjoern Voigt wrote:
> Ed Maste wrote:
>
> No really sure, because I haven't fully understand the authentication
> code. There are filenames like auth.c, auth1.c, auth2.c. Also, my
> debugger (gdb-6.2) seems to have some problems with OpenSSH. I compiled
> with "CFLAGS=-g ./configure --enable-debug ...) and I debug with "sshd
> -p XXX -dDD" but gdb does not find my breakpoints.

I'm not sure if this applies to your specific issue, but make sure that
you are not stripping the binary. make install typically strips the
binaries.

From bjoern at cs.tu-berlin.de  Sat Feb  5 00:58:52 2005
From: bjoern at cs.tu-berlin.de (Bjoern Voigt)
Date: Fri, 4 Feb 2005 14:58:52 +0100 (CET)
Subject: Feature request: FAIL_DELAY-support for sshd
In-Reply-To: <42018732.9060506@zip.com.au>
References: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de> <42000BB0.7000601@zip.com.au> <42018732.9060506@zip.com.au>
Message-ID:

Darren Tucker wrote:
> (BTW, pam_fail_delay is AFAIK LinuxPAM only.)

Yes, but it's possible to test the existence of pam_fail_delay() in PAM
with "#ifdef HAVE_PAM_FAIL_DELAY" (source:
/usr/include/security/_pam_types.h in Linux-PAM).

> I checked the change log, the changes I was referring to didn't go in until
> 20050118, and there seems to be some problem with snaps being propogated to
> the ftp sites.
>
> In the mean time I've temporarily put up an unofficial snap at
> http://www.zip.com.au/~dtucker/tmp/openssh-20050203.tar.gz

Thank you for this link. I have tested it. These are my test results:

1) With this current openssh snapshot I couldn't see delays at first. The
   reason may be that my PAM installation (SuSE Linux 9.2) has no default
   delays.

2) I inserted pam_fail_delay() before pam_authenticate() in auth-pam.c
   (see my attached patch openssh-fail-delay.diff). After that I can see
   the same delays for wrong passwords and wrong usernames. THANK YOU.
   This is what I wanted! :-)

One small problem remains: I get the delays only with
ChallengeResponseAuthentication, not with PasswordAuthentication. I wonder
a bit about this.

I would like to test this new feature on my Internet server (SuSE Linux
9.2 with a SuSE RPM of OpenSSH-3.9p1). So I looked in the ChangeLog of
your snapshot:

20050120:
...
 - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
   existence via keyboard-interactive/pam, in conjunction with previous
   auth2-chall.c change; with Colin Watson and djm.

As you mentioned "auth-pam.c" I patched auth-pam.c (from current) into my
openssh-3.9p1 (see my attached patch
openssh-3.9p1-to-20050203-user-exists.diff).
Unfortunately now I have the different delays as a result of a wrong user or a wrong password again. Do you have the whole patch for your ChangeLog-entry? I already looked in www.openssh.org's CVS archive, but there is only OpenBSD's ssh source in CVS. Probably I also need some changes in other files, not only in pam-auth.c? Regards, Bj?rn -------------- next part -------------- --- openssh-3.9p1/auth-pam.c 2005-02-04 13:42:57.475718288 +0100 +++ openssh-20050203/auth-pam.c 2005-02-04 13:29:49.403523472 +0100 @@ -47,7 +47,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.114 2004/08/16 13:12:06 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.121 2005/01/20 02:29:51 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -186,6 +186,7 @@ static char **sshpam_env = NULL; static Authctxt *sshpam_authctxt = NULL; static const char *sshpam_password = NULL; +static char badpw[] = "\b\n\r\177INCORRECT"; /* Some PAM implementations don't implement this */ #ifndef HAVE_PAM_GETENVLIST @@ -389,8 +390,7 @@ u_int i; const char *pam_user; - const char **ptr_pam_user = &pam_user; - pam_get_item(sshpam_handle, PAM_USER, (const void **)ptr_pam_user); + pam_get_item(sshpam_handle, PAM_USER, (void **)&pam_user); environ[0] = NULL; if (sshpam_authctxt != NULL) { 
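Review bot: in the sshpam_thread hunk (`@@ -389,8 +390,7 @@`) the return value of `pam_get_item(sshpam_handle, PAM_USER, (void **)&pam_user)` is still discarded, so a failure leaves `pam_user` uninitialised for whatever uses it afterwards; check it (`if (pam_get_item(...) != PAM_SUCCESS) fatal(...)`) or initialise `pam_user` to NULL and test before use. The cast change is also a portability trade: Linux-PAM prototypes the item argument as `const void **`, Solaris and OpenPAM as `void **`, so one of the two casts warns on every platform; a configure-detected qualifier macro would remove the cast from both this hunk and the identical one in sshpam_init(). Moving `badpw` to file scope is fine, since the PAM_AUTHTOK path now needs it as well as the function whose local copy the last hunk of this patch removes.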
@@ -491,6 +492,51 @@ static struct pam_conv null_conv = { sshpam_null_conv, NULL }; +static int +sshpam_store_conv(int n, struct pam_message **msg, + struct pam_response **resp, void *data) +{ + struct pam_response *reply; + int i; + size_t len; + + debug3("PAM: %s called with %d messages", __func__, n); + *resp = NULL; + + if (n <= 0 || n > PAM_MAX_NUM_MSG) + return (PAM_CONV_ERR); + + if ((reply = malloc(n * sizeof(*reply))) == NULL) + return (PAM_CONV_ERR); + memset(reply, 0, n * sizeof(*reply)); + + for (i = 0; i < n; ++i) { + switch (PAM_MSG_MEMBER(msg, i, msg_style)) { + case PAM_ERROR_MSG: + case PAM_TEXT_INFO: + len = strlen(PAM_MSG_MEMBER(msg, i, msg)); + buffer_append(&loginmsg, PAM_MSG_MEMBER(msg, i, msg), len); + buffer_append(&loginmsg, "\n", 1 ); + reply[i].resp_retcode = PAM_SUCCESS; + break; + default: + goto fail; + } + } + *resp = reply; + return (PAM_SUCCESS); + + fail: + for(i = 0; i < n; i++) { + if (reply[i].resp != NULL) + xfree(reply[i].resp); + } + xfree(reply); + return (PAM_CONV_ERR); +} + +static struct pam_conv store_conv = { sshpam_store_conv, NULL }; + void sshpam_cleanup(void) { @@ -516,12 +562,11 @@ { extern char *__progname; const char *pam_rhost, *pam_user, *user = authctxt->user; - const char **ptr_pam_user = &pam_user; if (sshpam_handle != NULL) { /* We already have a PAM context; check if the user matches */ sshpam_err = pam_get_item(sshpam_handle, - PAM_USER, (const void **)ptr_pam_user); + PAM_USER, (void **)&pam_user); if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0) return (0); pam_end(sshpam_handle, sshpam_err); @@ -529,7 +574,7 @@ } debug("PAM: initializing for \"%s\"", user); sshpam_err = - pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle); + pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle); sshpam_authctxt = authctxt; if (sshpam_err != PAM_SUCCESS) { 
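Review bot: with `pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle)` replacing `&null_conv`, a module that prompts outside the authentication phase now gets PAM_CONV_ERR from sshpam_store_conv(), whose switch only accepts PAM_ERROR_MSG and PAM_TEXT_INFO; that fail-closed choice is right but deserves a comment at the `default: goto fail;` case so the next reader does not "fix" it by adding prompt handling. Two minor points in the new function: the cleanup loop under `fail:` frees `reply[i].resp`, yet no path in the function ever assigns a `resp`, so that loop is dead code and `xfree(reply)` alone would do; and `reply` comes from plain `malloc()` while being released with `xfree()`, which only works because xfree is a thin wrapper over free(). Also confirm `null_conv` is still referenced somewhere after this change and the do_pam_setcred one, otherwise it becomes an unused static.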
@@ -611,7 +656,7 @@ size_t plen; u_char type; char *msg; - size_t len; + size_t len, mlen; debug3("PAM: %s entering", __func__); buffer_init(&buffer); @@ -624,22 +669,27 @@ while (ssh_msg_recv(ctxt->pam_psock, &buffer) == 0) { type = buffer_get_char(&buffer); msg = buffer_get_string(&buffer, NULL); + mlen = strlen(msg); switch (type) { case PAM_PROMPT_ECHO_ON: case PAM_PROMPT_ECHO_OFF: *num = 1; - len = plen + strlen(msg) + 1; + len = plen + mlen + 1; **prompts = xrealloc(**prompts, len); - plen += snprintf(**prompts + plen, len, "%s", msg); + strlcpy(**prompts + plen, msg, len - plen); + plen += mlen; **echo_on = (type == PAM_PROMPT_ECHO_ON); xfree(msg); return (0); case PAM_ERROR_MSG: case PAM_TEXT_INFO: /* accumulate messages */ - len = plen + strlen(msg) + 2; + len = plen + mlen + 2; **prompts = xrealloc(**prompts, len); - plen += snprintf(**prompts + plen, len, "%s\n", msg); + strlcpy(**prompts + plen, msg, len - plen); + plen += mlen; + strlcat(**prompts + plen, "\n", len - plen); + plen++; xfree(msg); break; case PAM_SUCCESS: @@ -653,9 +703,13 @@ **prompts = NULL; } if (type == PAM_SUCCESS) { -#ifndef USE_POSIX_THREADS + if (!sshpam_authctxt->valid || + (sshpam_authctxt->pw->pw_uid == 0 && + options.permit_root_login != PERMIT_YES)) + fatal("Internal error: PAM auth " + "succeeded when it should have " + "failed"); import_environments(&buffer); -#endif *num = 0; **echo_on = 0; ctxt->pam_done = 1; @@ -700,7 +754,12 @@ return (-1); } buffer_init(&buffer); - buffer_put_cstring(&buffer, *resp); + if (sshpam_authctxt->valid && + (sshpam_authctxt->pw->pw_uid != 0 || + options.permit_root_login == PERMIT_YES)) + buffer_put_cstring(&buffer, *resp); + else + buffer_put_cstring(&buffer, badpw); if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) { buffer_free(&buffer); return (-1); 
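Review bot: both new checks in this region (`if (!sshpam_authctxt->valid || (sshpam_authctxt->pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES))` in the PAM_SUCCESS branch and its mirror image before `buffer_put_cstring(&buffer, *resp)`) dereference `sshpam_authctxt` unconditionally, while the sshpam_thread hunk earlier in the same patch guards that pointer with `if (sshpam_authctxt != NULL)`; either that guard is redundant or these paths need one, and the two conditions should live in one helper so they cannot drift apart. The ordering `!valid || pw->pw_uid` is load-bearing because `pw` is not meaningful when `valid` is 0; worth a comment. Replacing the `snprintf()` accumulation with strlcpy()/strlcat() and an explicitly tracked `plen` is a real fix (snprintf returns the would-be length on truncation, so `plen` could advance past the buffer). Dropping the `#ifndef USE_POSIX_THREADS` around import_environments() changes behaviour for threaded builds and should be explained in the commit message.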
@@ -763,11 +822,13 @@ u_int do_pam_account(void) { + debug("%s: called", __func__); if (sshpam_account_status != -1) return (sshpam_account_status); sshpam_err = pam_acct_mgmt(sshpam_handle, 0); - debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err); + debug3("PAM: %s pam_acct_mgmt = %d (%s)", __func__, sshpam_err, + pam_strerror(sshpam_handle, sshpam_err)); if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { sshpam_account_status = 0; @@ -797,7 +858,7 @@ do_pam_setcred(int init) { sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, - (const void *)&null_conv); + (const void *)&store_conv); if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_CONV: %s", pam_strerror(sshpam_handle, sshpam_err)); @@ -898,51 +959,6 @@ pam_strerror(sshpam_handle, sshpam_err)); } -static int -sshpam_store_conv(int n, struct pam_message **msg, - struct pam_response **resp, void *data) -{ - struct pam_response *reply; - int i; - size_t len; - - debug3("PAM: %s called with %d messages", __func__, n); - *resp = NULL; - - if (n <= 0 || n > PAM_MAX_NUM_MSG) - return (PAM_CONV_ERR); - - if ((reply = malloc(n * sizeof(*reply))) == NULL) - return (PAM_CONV_ERR); - memset(reply, 0, n * sizeof(*reply)); - - for (i = 0; i < n; ++i) { - switch (PAM_MSG_MEMBER(msg, i, msg_style)) { - case PAM_ERROR_MSG: - case PAM_TEXT_INFO: - len = strlen(PAM_MSG_MEMBER(msg, i, msg)); - buffer_append(&loginmsg, PAM_MSG_MEMBER(msg, i, msg), len); - buffer_append(&loginmsg, "\n", 1 ); - reply[i].resp_retcode = PAM_SUCCESS; - break; - default: - goto fail; - } - } - *resp = reply; - return (PAM_SUCCESS); - - fail: - for(i = 0; i < n; i++) { - if (reply[i].resp != NULL) - xfree(reply[i].resp); - } - xfree(reply); - return (PAM_CONV_ERR); -} - -static struct pam_conv store_conv = { sshpam_store_conv, NULL }; - void do_pam_session(void) { 
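Review bot: the `-` block at `@@ -898,51 +959,6 @@` is the sshpam_store_conv()/store_conv definition that the `+` block in the `@@ -491,6 +492,51 @@` hunk adds verbatim, i.e. a pure move so that sshpam_init() can reference `store_conv` ahead of its old position; for a 3.9p1 backport both hunks have to go in together, otherwise the build fails with either a duplicate definition or an undeclared `store_conv`. The added `pam_strerror()` in do_pam_account()'s debug3 is useful; the new `debug("%s: called", __func__)` above it is noise at debug level 1 and would sit better at debug3 like its neighbour.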
@@ -953,10 +969,21 @@ fatal("PAM: failed to set PAM_CONV: %s", pam_strerror(sshpam_handle, sshpam_err)); sshpam_err = pam_open_session(sshpam_handle, 0); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: pam_open_session(): %s", + if (sshpam_err == PAM_SUCCESS) + sshpam_session_open = 1; + else { + sshpam_session_open = 0; + disable_forwarding(); + error("PAM: pam_open_session(): %s", pam_strerror(sshpam_handle, sshpam_err)); - sshpam_session_open = 1; + } + +} + +int +is_pam_session_open(void) +{ + return sshpam_session_open; } /* @@ -1079,7 +1106,6 @@ { int flags = (options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0); - static char badpw[] = "\b\n\r\177INCORRECT"; if (!options.use_pam || sshpam_handle == NULL) fatal("PAM: %s called when PAM disabled or failed to " -------------- next part -------------- --- auth-pam.c.orig 2005-02-04 13:44:29.553720304 +0100 +++ auth-pam.c 2005-02-04 13:50:41.013249872 +0100 @@ -411,6 +411,12 @@ (const void *)&sshpam_conv); if (sshpam_err != PAM_SUCCESS) goto auth_fail; +#ifdef HAVE_PAM_FAIL_DELAY + /* wait around 10 seconds, if PAM-authentication fails */ + sshpam_err = pam_fail_delay(sshpam_handle, 10000000); + if (sshpam_err != PAM_SUCCESS) + goto auth_fail; +#endif sshpam_err = pam_authenticate(sshpam_handle, flags); if (sshpam_err != PAM_SUCCESS) goto auth_fail; From dtucker at zip.com.au Sat Feb 5 11:08:33 2005 
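Review bot: the do_pam_session() hunk (`@@ -953,10 +969,21 @@`) turns a pam_open_session() failure from fatal() into error() plus disable_forwarding(), so the login now proceeds, minus port/X11/agent forwarding, when a session module such as pam_limits fails; that is a deliberate move from fail-closed to fail-open for the shell itself, and the reason belongs in the commit message and release notes because an admin who relied on a broken session stack blocking logins will not expect it. The newly exported is_pam_session_open() and the call to disable_forwarding() also need declarations and callers, yet this diff touches only auth-pam.c, so the 3.9p1 backport has to carry the matching header and session-side changes as well.

Review bot: in the second patch (openssh-fail-delay.diff) the pam_fail_delay() call sits right after `pam_set_item(..., PAM_CONV, &sshpam_conv)` in the keyboard-interactive thread, so only that pam_authenticate() caller gets the delay, which is exactly why the reporter sees it with ChallengeResponseAuthentication and not with PasswordAuthentication; immediately after pam_start() it would cover both. The `10000000` microseconds should come from configuration rather than a literal, since configurability is the whole point of FAIL_DELAY, and the `goto auth_fail` on a pam_fail_delay() error treats a rejected delay hint as an authentication failure; logging it and continuing is the safer handling.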
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 05 Feb 2005 11:08:33 +1100
Subject: Feature request: FAIL_DELAY-support for sshd
In-Reply-To:
References: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de> <42000BB0.7000601@zip.com.au> <42018732.9060506@zip.com.au>
Message-ID: <42040E81.2050109@zip.com.au>

Bjoern Voigt wrote:
> Yes, but it's possible to test the existance of pam_fail_delay() in PAM
> with "#ifdef HAVE_PAM_FAIL_DELAY" (source:
> /usr/include/security/_pam_types.h in Linux-PAM).

Sure, that's possible.

That said, if you want to change the fail-on-delay policy for PAM then you
should do it via a PAM module. Putting policy decisions like this in the
hands of admins rather than application developers is what PAM is for, and
PAM modules is how PAM implements policy.

[...]
> One small problem remains: I get the delays only with
> ChallengeResponseAuthentication, not with PasswordAuthentication. I
> wonder a bit about this.

Depending on where you put your pam_fail_delay() it may not be in the path
for PasswordAuthentication: remember, there's *two* pam_authenticate()
calls. Try moving it to immediately after the pam_start(), that'll be in
the path for both.

[...]
> Do you have the whole patch for your ChangeLog-entry? I already looked
> in www.openssh.org's CVS archive, but there is only OpenBSD's ssh source
> in CVS.

Portable's cvsweb is here: http://cvsweb.mindrot.org/index.cgi/openssh/

> Probably I also need some changes in other files, not only in
> pam-auth.c?

The whole patch for that changelog entry contained only auth-pam.c, but if
you're backporting to 3.9p1 then you'll also need the attached patch for
full effect.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-kbdint-noleak.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050205/e5a0e0a1/attachment.ksh

From bjoern at cs.tu-berlin.de  Sun Feb  6 01:14:53 2005
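The thread's subject, FAIL_DELAY support, has two portable pieces that the messages above touch on separately: a configurable delay value (FAIL_DELAY is the login.defs variable the subject line refers to) and the Linux-PAM-only pam_fail_delay() that Björn wants behind an #ifdef HAVE_PAM_FAIL_DELAY. The following is an added example written for this page, not sshd's, shadow's or Linux-PAM's code: it looks FAIL_DELAY up in login.defs-style text and turns it into a jittered delay spread over roughly 50 to 150 % of the requested time, the band Linux-PAM's pam_fail_delay() implementation uses as I read its pam_delay.c, so that the observed delay no longer tells an attacker which step failed. On a system with pam_fail_delay() the base value would be handed to that call right after pam_start(), as Darren suggests; elsewhere the jittered value is what a fallback would sleep for. The sample login.defs text, the default of 3 seconds, the 60-second cap and the xorshift mixer are assumptions of the example.

```c
/* Added example, not sshd's, shadow's or Linux-PAM's code: FAIL_DELAY
 * lookup in login.defs-style text plus a randomised delay band.  The sample
 * text, default, cap and mixer are assumptions for the demo. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Look up key in login.defs-formatted text ("#" comments, blank lines,
 * "KEY<blanks>value").  Returns dflt if the key is absent or its value is
 * not a non-negative decimal number.  Works on an in-memory copy. */
static long getdef_num(const char *text, const char *key, long dflt)
{
	size_t klen = strlen(key);
	const char *line = text;

	while (*line != '\0') {
		const char *eol = strchr(line, '\n');
		const char *end = eol ? eol : line + strlen(line);
		const char *p = line;

		while (p < end && isspace((unsigned char)*p))
			p++;
		if (p < end && *p != '#' && (size_t)(end - p) > klen &&
		    strncmp(p, key, klen) == 0 && isspace((unsigned char)p[klen])) {
			char *num_end;
			long v;

			p += klen;
			while (p < end && isspace((unsigned char)*p))
				p++;
			v = strtol(p, &num_end, 10);   /* stops at '\n' or '\0' */
			return (num_end > p && v >= 0) ? v : dflt;
		}
		if (eol == NULL)
			break;
		line = eol + 1;
	}
	return dflt;
}

/* Spread base_usec over [50 %, 150 %).  seed makes the result reproducible
 * for the test; a real implementation draws it fresh per failed attempt
 * from a CSPRNG such as arc4random().  The xorshift mixer is this example's
 * assumption, not Linux-PAM's generator. */
static unsigned long jittered_delay(unsigned long base_usec, unsigned int seed)
{
	unsigned int x = seed ? seed : 0x9e3779b9u;

	x ^= x << 13;
	x ^= x >> 17;
	x ^= x << 5;
	return (unsigned long)(base_usec * (0.5 + (x % 1000000u) / 1000000.0));
}

/* Delay in microseconds for one failed login under the given login.defs
 * text.  FAIL_DELAY is in seconds; dflt_secs applies when it is unset, and
 * the cap keeps a typo from locking the admin out for an hour per attempt. */
static unsigned long fail_delay_usec(const char *login_defs, long dflt_secs,
    unsigned int seed)
{
	long secs = getdef_num(login_defs, "FAIL_DELAY", dflt_secs);

	if (secs > 60)
		secs = 60;
	return jittered_delay((unsigned long)secs * 1000000UL, seed);
}

/* Constructed sample standing in for /etc/login.defs. */
static const char sample_login_defs[] =
	"# constructed sample, not a real login.defs\n"
	"FAILLOG_ENAB\t\tyes\n"
	"#FAIL_DELAY\t\t10\n"
	"FAIL_DELAY\t\t5\n"
	"LOGIN_RETRIES\t\t3\n";
```

The parser deliberately refuses a key that is only a prefix of a longer one ("FAIL" does not match "FAIL_DELAY" or "FAILLOG_ENAB"), ignores the commented-out line, and falls back to the default when the key has no value; the delay band is what distinguishes this from the plain sleep(fail_delay) approach, because a fixed sleep preserves the timing difference between "unknown user" and "wrong password" that the PAM manual page warns about.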
From: bjoern at cs.tu-berlin.de (Bjoern Voigt)
Date: Sat, 5 Feb 2005 15:14:53 +0100 (CET)
Subject: Feature request: FAIL_DELAY-support for sshd
In-Reply-To: <42040E81.2050109@zip.com.au>
References: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de> <42000BB0.7000601@zip.com.au> <42018732.9060506@zip.com.au> <42040E81.2050109@zip.com.au>
Message-ID:

Darren Tucker wrote:
> The whole patch for that changelog entry contained only auth-pam.c, but if
> you're backporting to 3.9p1 then you'll also need the attached patch for full
> effect.

Darren, thank you very much for this patchset. I will test a backport to
3.9p1 in the next days.

> Bjoern Voigt wrote:
> > Yes, but it's possible to test the existance of pam_fail_delay() in PAM
> > with "#ifdef HAVE_PAM_FAIL_DELAY" (source:
> > /usr/include/security/_pam_types.h in Linux-PAM).
>
> Sure, that's possible.
>
> That said, if you want to change the fail-on-delay policy for PAM then
> you should do it via a PAM module. Putting policy decisions like this
> in the hands of admins rather than application developers is what PAM
> is for, and PAM modules is how PAM implements policy.

Ok, but unfortunately there is probably no configure option for this in
Linux-PAM. I did not find one. You already said that it's possible to
write such a PAM module. But does it help if very few people use such an
unofficial PAM module? Also lots of Unix systems have no PAM system or no
pam_fail_delay() function.

I looked up in different sources how developers solved this delay problem
in other programs like "login", "su" or "telnet-server":

FreeBSD 5.3: has no delays in login, su and openssh
Solaris 5.9: sshd has no delays.
Linux: Some distributions (like Debian) use the shadow package, some
   others (like SuSE) use the pwdutils package for programs like login and
   su. The distributions use very many patches for both packages. Both
   Debian and SuSE read the FAIL_DELAY variable from login.defs in
   programs like login or su.

I think FAIL_DELAY is the best configuration variable for login delays,
because it's well known by Linux users. For instance, the Linux
Professional Institute (LPI) certificate also asks for login.defs
(http://www.lpi.org/en/obj_201.html objective 2.214.8).

SuSE's pwdutils package uses sleep(fail_delay) to make the delay. Debian
uses pam_fail_delay(pam_handle, fail_delay*1000000). I think that
pam_fail_delay() - if available - is better than sleep(). Read this from
pam_fail_delay's manual page, if you want to know why:

    It is often possible to attack an authentication scheme by exploiting
    the time it takes the scheme to deny access to an applicant user. In
    cases of short timeouts, it may prove possible to attempt a brute
    force dictionary attack -- with an automated process, the attacker
    tries all possible passwords to gain access to the system. In other
    cases, where individual failures can take measurable amounts of time
    (indicating the nature of the failure), an attacker can obtain useful
    information about the authentication process. These latter attacks
    make use of procedural delays that constitute a covert channel of
    useful information.

    To minimize the effectiveness of such attacks, it is desirable to
    introduce a random delay in a failed authentication process. Linux-PAM
    provides such a facility. The delay occurs upon failure of the
    pam_authenticate(3) and pam_chauthtok(3) functions. It occurs after
    all authentication modules have been called, but before control is
    returned to the service application.

I think Debian's shadow package is a good reference for using
pam_fail_delay(). I have downloaded Debian's shadow package with its
patches from:
ftp://ftp.de.debian.org/pub/debian/pool/main/s/shadow/shadow_20000902.orig.tar.gz
and
ftp://ftp.de.debian.org/pub/debian/pool/main/s/shadow/shadow_4.0.3-30.9.diff.gz

I attached the source of the login program (login.c) to this mail.

Regards,
Björn

-------------- next part --------------
/*
 * Copyright 1989 - 1994, Julianne Frances Haugh
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include
#include "rcsid.h"
RCSID (PKG_VER "$Id: login.c,v 1.26 2002/03/08 04:30:28 kloczek Exp $")

#include "prototypes.h"
#include "defines.h"
#include
#include
#include
#include
#if HAVE_UTMPX_H
#include
#else
#include
#endif
#include
#if HAVE_LASTLOG_H
#include
#else
#include "lastlog_.h"
#endif
#include "faillog.h"
#include "failure.h"
#include "pwauth.h"
#include "getdef.h"
#include "dialchk.h"

#ifdef SVR4_SI86_EUA
#include
#include
#endif

#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 64
#endif

#ifdef RADIUS
/*
 * Support for RADIUS authentication based on a hacked util-linux login
 * source sent to me by Jon Lewis.  Not tested.  You need to link login
 * with the radauth.c file (not included here - it doesn't have a clear
 * copyright statement, and I don't want to have problems with Debian
 * putting the whole package in non-free because of this).  --marekm
 */
#include "radlogin.h"
#endif

#ifdef UT_ADDR
#include
#endif

#ifdef USE_PAM
#include "pam_defs.h"

static const struct pam_conv conv = {
	misc_conv,
	NULL
};

static pam_handle_t *pamh = NULL;

#define PAM_FAIL_CHECK if (retcode != PAM_SUCCESS) { \
	fprintf(stderr,"\n%s\n",pam_strerror(pamh, retcode)); \
	syslog(LOG_ERR,"%s",pam_strerror(pamh, retcode)); \
	pam_end(pamh, retcode); exit(1); \
	}
#define PAM_END { retcode = pam_close_session(pamh,0); \
	pam_end(pamh,retcode); }

#endif /* USE_PAM */

/*
 * Needed for MkLinux DR1/2/2.1 - J.
 */
#ifndef LASTLOG_FILE
#define LASTLOG_FILE "/var/log/lastlog"
#endif

const char *hostname = "";

static struct passwd pwent;

#if HAVE_UTMPX_H
extern struct utmpx utxent;
struct utmpx failent;
#else
struct utmp failent;
#endif
extern struct utmp utent;

struct lastlog lastlog;
static int pflg = 0;
static int fflg = 0;

#ifdef RLOGIN
static int rflg = 0;
#else
#define rflg 0
#endif
static int hflg = 0;
static int preauth_flag = 0;

/*
 * Global variables.
 */

static char *Prog;
static int amroot;
static int timeout;

/*
 * External identifiers.
 */

extern char **newenvp;
extern size_t newenvc;

extern void dolastlog (struct lastlog *, const struct passwd *,
		       const char *, const char *);

extern char **environ;

#ifndef USE_PAM
extern int login_access (const char *, const char *);
#endif
extern void login_fbtab (const char *, uid_t, gid_t);

#ifndef ALARM
#define ALARM	60
#endif

#ifndef RETRIES
#define RETRIES	3
#endif

#ifndef USE_PAM
static struct faillog faillog;
#endif

/* local function prototypes */
static void usage (void);
static void setup_tty (void);
static void check_flags (int, char *const *);

#ifndef USE_PAM
static void bad_time_notify (void);
static void check_nologin (void);
#endif

static void init_env (void);
static RETSIGTYPE alarm_handler (int);

/*
 * usage - print login command usage and exit
 *
 * login [ name ]
 * login -r hostname	(for rlogind)
 * login -h hostname	(for telnetd, etc.)
 * login -f name	(for pre-authenticated login: datakit, xterm, etc.)
 */
static void usage (void)
{
	fprintf (stderr, _("usage: %s [-p] [name]\n"), Prog);
	if (!amroot)
		exit (1);
	fprintf (stderr, _("       %s [-p] [-h host] [-f name]\n"), Prog);
#ifdef RLOGIN
	fprintf (stderr, _("       %s [-p] -r host\n"), Prog);
#endif
	exit (1);
}

static void setup_tty (void)
{
	TERMIO termio;

	GTTY (0, &termio);	/* get terminal characteristics */

	/*
	 * Add your favorite terminal modes here ...
	 */

	termio.c_lflag |= ISIG | ICANON | ECHO | ECHOE;
	termio.c_iflag |= ICRNL;

#if defined(ECHOKE) && defined(ECHOCTL)
	termio.c_lflag |= ECHOKE | ECHOCTL;
#endif
#if defined(ECHOPRT) && defined(NOFLSH) && defined(TOSTOP)
	termio.c_lflag &= ~(ECHOPRT | NOFLSH | TOSTOP);
#endif
#ifdef ONLCR
	termio.c_oflag |= ONLCR;
#endif

#ifdef SUN4

	/*
	 * Terminal setup for SunOS 4.1 courtesy of Steve Allen
	 * at UCO/Lick.
	 */

	termio.c_cc[VEOF] = '\04';
	termio.c_cflag &= ~CSIZE;
	termio.c_cflag |= (PARENB | CS7);
	termio.c_lflag |= (ISIG | ICANON | ECHO | IEXTEN);
	termio.c_iflag |= (BRKINT | IGNPAR | ISTRIP | IMAXBEL | ICRNL | IXON);
	termio.c_iflag &= ~IXANY;
	termio.c_oflag |= (XTABS | OPOST | ONLCR);
#endif
#if 0
	termio.c_cc[VERASE] = getdef_num ("ERASECHAR", '\b');
	termio.c_cc[VKILL] = getdef_num ("KILLCHAR", '\025');
#else
	/* leave these values unchanged if not specified in login.defs */
	termio.c_cc[VERASE] = getdef_num ("ERASECHAR", termio.c_cc[VERASE]);
	termio.c_cc[VKILL] = getdef_num ("KILLCHAR", termio.c_cc[VKILL]);
#endif

	/*
	 * ttymon invocation prefers this, but these settings won't come into
	 * effect after the first username login
	 */

	STTY (0, &termio);
}

/*
 * Tell the user that this is not the right time to login at this tty
 */
#ifndef USE_PAM
static void bad_time_notify (void)
{
#ifdef HUP_MESG_FILE
	FILE *mfp;

	if ((mfp = fopen (HUP_MESG_FILE, "r")) != NULL) {
		int c;

		while ((c = fgetc (mfp)) != EOF) {
			if (c == '\n')
				putchar ('\r');
			putchar (c);
		}
		fclose (mfp);
	} else
#endif
		printf (_("Invalid login time\n"));
	fflush (stdout);
}
#endif

static void check_flags (int argc, char *const *argv)
{
	int arg;

	/*
	 * Check the flags for proper form.  Every argument starting with
	 * "-" must be exactly two characters long.  This closes all the
	 * clever rlogin, telnet, and getty holes.
	 */

	for (arg = 1; arg < argc; arg++) {
		if (argv[arg][0] == '-' && strlen (argv[arg]) > 2)
			usage ();
		if (!strcmp(argv[arg], "--"))
			break; /* stop checking on a "--" */
	}
}

#ifndef USE_PAM
static void check_nologin (void)
{
	char *fname;

	/*
	 * Check to see if system is turned off for non-root users.
	 * This would be useful to prevent users from logging in
	 * during system maintenance.  We make sure the message comes
	 * out for root so she knows to remove the file if she's
	 * forgotten about it ...
*/ fname = getdef_str ("NOLOGINS_FILE"); if (fname != NULL && access (fname, F_OK) == 0) { FILE *nlfp; int c; /* * Cat the file if it can be opened, otherwise just * print a default message */ if ((nlfp = fopen (fname, "r"))) { while ((c = getc (nlfp)) != EOF) { if (c == '\n') putchar ('\r'); putchar (c); } fflush (stdout); fclose (nlfp); } else printf (_ ("\nSystem closed for routine maintenance\n")); /* * Non-root users must exit. Root gets the message, but * gets to login. */ if (pwent.pw_uid != 0) { closelog (); exit (0); } printf (_ ("\n[Disconnect bypassed -- root login allowed.]\n")); } } #endif /* !USE_PAM */ static void init_env (void) { char *cp, *tmp; if ((tmp = getenv ("LANG"))) { addenv ("LANG", tmp); } /* * Add the timezone environmental variable so that time functions * work correctly. */ if ((tmp = getenv ("TZ"))) { addenv ("TZ", tmp); } else if ((cp = getdef_str ("ENV_TZ"))) addenv (*cp == '/' ? tz (cp) : cp, NULL); /* * Add the clock frequency so that profiling commands work * correctly. */ if ((tmp = getenv ("HZ"))) { addenv ("HZ", tmp); } else if ((cp = getdef_str ("ENV_HZ"))) addenv (cp, NULL); } static RETSIGTYPE alarm_handler (int sig) { fprintf (stderr, _("\nLogin timed out after %d seconds.\n"), timeout); exit (0); } /* * login - create a new login session for a user * * login is typically called by getty as the second step of a * new user session. getty is responsible for setting the line * characteristics to a reasonable set of values and getting * the name of the user to be logged in. login may also be * called to create a new user session on a pty for a variety * of reasons, such as X servers or network logins. 
* * the flags which login supports are * * -p - preserve the environment * -r - perform autologin protocol for rlogin * -f - do not perform authentication, user is preauthenticated * -h - the name of the remote host */ int main (int argc, char **argv) { char username[32]; char tty[BUFSIZ]; #ifdef RLOGIN char term[128] = ""; #endif #if defined(HAVE_STRFTIME) && !defined(USE_PAM) char ptime[80]; #endif int reason = PW_LOGIN; int delay; int retries; int failed; int flag; int subroot = 0; int is_console; const char *cp; char *tmp; char fromhost[512]; struct passwd *pwd; char **envp = environ; static char temp_pw[2]; static char temp_shell[] = "/bin/sh"; #ifdef USE_PAM int retcode; pid_t child; char *pam_user; #endif /* USE_PAM */ #if defined(SHADOWPWD) && !defined(USE_PAM) struct spwd *spwd = NULL; #endif #ifdef RADIUS RAD_USER_DATA rad_user_data; int is_rad_login; #endif #if defined(RADIUS) || defined(DES_RPC) || defined(KERBEROS) /* from pwauth.c */ extern char *clear_pass; extern int wipe_clear_pass; /* * We may need the password later, don't want pw_auth() to wipe it * (we do it ourselves when it is no longer needed). --marekm */ wipe_clear_pass = 0; #endif /* * Some quick initialization. */ sanitize_env (); setlocale (LC_ALL, ""); bindtextdomain (PACKAGE, LOCALEDIR); textdomain (PACKAGE); initenv (); username[0] = '\0'; amroot = (getuid () == 0); Prog = Basename (argv[0]); check_flags (argc, argv); while ((flag = getopt (argc, argv, "d:f::h:pr:")) != EOF) { switch (flag) { case 'p': pflg++; break; case 'f': /* * username must be a separate token * (-f root, *not* -froot). 
--marekm * * if -f has an arg, use that, else use the * normal user name passed after all options * --benc */ if (optarg != NULL && optarg != argv[optind - 1]) usage (); fflg++; if (optarg) STRFCPY (username, optarg); break; #ifdef RLOGIN case 'r': rflg++; hostname = optarg; reason = PW_RLOGIN; break; #endif case 'h': hflg++; hostname = optarg; reason = PW_TELNET; break; case 'd': /* "-d device" ignored for compatibility */ break; default: usage (); } } #ifdef RLOGIN /* * Neither -h nor -f should be combined with -r. */ if (rflg && (hflg || fflg)) usage (); #endif /* * Allow authentication bypass only if real UID is zero. */ if ((rflg || fflg || hflg) && !amroot) { fprintf (stderr, _("%s: permission denied\n"), Prog); exit (1); } if (!isatty (0) || !isatty (1) || !isatty (2)) exit (1); /* must be a terminal */ #if 0 /* * Get the utmp file entry and get the tty name from it. The * current process ID must match the process ID in the utmp * file if there are no additional flags on the command line. */ checkutmp (!rflg && !fflg && !hflg); #else /* * Be picky if run by normal users (possible if installed setuid * root), but not if run by root. This way it still allows logins * even if your getty is broken, or if something corrupts utmp, * but users must "exec login" which will use the existing utmp * entry (will not overwrite remote hostname). --marekm */ checkutmp (!amroot); #endif STRFCPY (tty, utent.ut_line); is_console = console (tty); if (rflg || hflg) { #ifdef UT_ADDR struct hostent *he; /* * Fill in the ut_addr field (remote login IP address). XXX * - login from util-linux does it, but this is not the * right place to do it. The program that starts login * (telnetd, rlogind) knows the IP address, so it should * create the utmp entry and fill in ut_addr. * gethostbyname() is not 100% reliable (the remote host may * be unknown, etc.). 
--marekm */ if ((he = gethostbyname (hostname))) { utent.ut_addr = *((int32_t *) (he->h_addr_list[0])); #endif #ifdef UT_HOST strncpy (utent.ut_host, hostname, sizeof (utent.ut_host)); #endif #if HAVE_UTMPX_H strncpy (utxent.ut_host, hostname, sizeof (utxent.ut_host)); #endif /* * Add remote hostname to the environment. I think * (not sure) I saw it once on Irix. --marekm */ addenv ("REMOTEHOST", hostname); } #ifdef __linux__ /* * workaround for init/getty leaving junk in ut_host at least in * some version of RedHat. --marekm */ else if (amroot) memzero (utent.ut_host, sizeof utent.ut_host); #endif if (hflg && fflg) { reason = PW_RLOGIN; preauth_flag++; } #ifdef RLOGIN if (rflg && do_rlogin (hostname, username, sizeof username, term, sizeof term)) preauth_flag++; #endif OPENLOG ("login"); setup_tty (); umask (getdef_num ("UMASK", 077)); { /* * Use the ULIMIT in the login.defs file, and if * there isn't one, use the default value. The * user may have one for themselves, but otherwise, * just take what you get. */ long limit = getdef_long ("ULIMIT", -1L); if (limit != -1) set_filesize_limit (limit); } /* * The entire environment will be preserved if the -p flag * is used. */ if (pflg) while (*envp) /* add inherited environment, */ addenv (*envp++, NULL); /* some variables change later */ #ifdef RLOGIN if (term[0] != '\0') addenv ("TERM", term); else #endif /* preserve TERM from getty */ if (!pflg && (tmp = getenv ("TERM"))) addenv ("TERM", tmp); init_env (); if (optind < argc) { /* get the user name */ if (rflg || (fflg && username[0])) usage (); #ifdef SVR4 /* * The "-h" option can't be used with a command-line username, * because telnetd invokes us as: login -h host TERM=... 
*/ if (!hflg) #endif { STRFCPY (username, argv[optind]); strzero (argv[optind]); ++optind; } } #ifdef SVR4 /* * check whether ttymon has done the prompt for us already */ { char *ttymon_prompt; if ((ttymon_prompt = getenv ("TTYPROMPT")) != NULL && (*ttymon_prompt != 0)) { /* read name, without prompt */ login_prompt ((char *) 0, username, sizeof username); } } #endif /* SVR4 */ if (optind < argc) /* now set command line variables */ set_env (argc - optind, &argv[optind]); if (rflg || hflg) cp = hostname; else #ifdef UT_HOST if (utent.ut_host[0]) cp = utent.ut_host; else #endif #if HAVE_UTMPX_H if (utxent.ut_host[0]) cp = utxent.ut_host; else #endif cp = ""; if (*cp) snprintf (fromhost, sizeof fromhost, _(" on `%.100s' from `%.200s'"), tty, cp); else snprintf (fromhost, sizeof fromhost, _(" on `%.100s'"), tty); top: /* only allow ALARM sec. for login */ signal (SIGALRM, alarm_handler); timeout = getdef_num ("LOGIN_TIMEOUT", ALARM); if (timeout > 0) alarm (timeout); environ = newenvp; /* make new environment active */ delay = getdef_num ("FAIL_DELAY", 1); retries = getdef_num ("LOGIN_RETRIES", RETRIES); #ifdef USE_PAM retcode = pam_start ("login", username, &conv, &pamh); if (retcode != PAM_SUCCESS) { fprintf (stderr, "login: PAM Failure, aborting: %s\n", pam_strerror (pamh, retcode)); syslog (LOG_ERR, "Couldn't initialize PAM: %s", pam_strerror (pamh, retcode)); exit (99); } /* * hostname & tty are either set to NULL or their correct values, * depending on how much we know. We also set PAM's fail delay to * ours. 
*/ retcode = pam_set_item (pamh, PAM_RHOST, hostname); PAM_FAIL_CHECK; retcode = pam_set_item (pamh, PAM_TTY, tty); PAM_FAIL_CHECK; #ifdef HAVE_PAM_FAIL_DELAY retcode = pam_fail_delay (pamh, 1000000 * delay); PAM_FAIL_CHECK; #endif /* if fflg == 1, then the user has already been authenticated */ if (!fflg || (getuid () != 0)) { int failcount = 0; char hostn[256]; char login_prompt[256]; /* That's one hell of a prompt :) */ /* Make the login prompt look like we want it */ if (!gethostname (hostn, sizeof (hostn))) snprintf (login_prompt, sizeof (login_prompt), "%s login: ", hostn); else snprintf (login_prompt, sizeof (login_prompt), "login: "); retcode = pam_set_item (pamh, PAM_USER_PROMPT, login_prompt); PAM_FAIL_CHECK; /* if we didn't get a user on the command line, set it to NULL */ pam_get_item (pamh, PAM_USER, (const void **) &pam_user); if (pam_user[0] == '\0') pam_set_item (pamh, PAM_USER, NULL); /* * There may be better ways to deal with some of * these conditions, but at least this way I don't * think we'll be giving away information. Perhaps * someday we can trust that all PAM modules will * pay attention to failure count and get rid of * MAX_LOGIN_TRIES? 
*/ failcount = 0; while (1) { const char *failent_user; failed = 0; failcount++; if (delay > 0) retcode = pam_fail_delay(pamh, 1000000*delay); retcode = pam_authenticate (pamh, 0); pam_get_item (pamh, PAM_USER, (const void **) &pam_user); if (pam_user && pam_user[0]) { pwd = getpwnam(pam_user); if (pwd) { pwent = *pwd; failent_user = pwent.pw_name; } else { if (getdef_bool("LOG_UNKFAIL_ENAB") && pam_user) failent_user = pam_user; else failent_user = "UNKNOWN"; } } else { pwd = NULL; failent_user = "UNKNOWN"; } if (retcode == PAM_MAXTRIES || failcount >= retries) { syslog (LOG_NOTICE, _("TOO MANY LOGIN TRIES (%d)%s FOR `%s'"), failcount, fromhost, failent_user); #ifndef USE_PAM if (pwd && getdef_bool("FAILLOG_ENAB")) failure (pwent.pw_uid, tty, &faillog); #endif fprintf(stderr, _("Maximum number of tries exceeded (%d)\n"), failcount); PAM_END; exit(0); } else if (retcode == PAM_ABORT) { /* Serious problems, quit now */ fprintf(stderr,_("login: abort requested by PAM\n")); syslog(LOG_ERR,_("PAM_ABORT returned from pam_authenticate()")); PAM_END; exit(99); } else if (retcode != PAM_SUCCESS) { syslog(LOG_NOTICE,_("FAILED LOGIN (%d)%s FOR `%s', %s"), failcount, fromhost, failent_user, pam_strerror (pamh, retcode)); failed = 1; } #ifndef USE_PAM if (pwd && getdef_bool("FAILLOG_ENAB") && ! 
failcheck (pwent.pw_uid, &faillog, failed)) { SYSLOG((LOG_CRIT, FAILURE_CNT, failent_user, fromhost)); failed = 1; } #endif if (!failed) break; fprintf(stderr,"Login incorrect\n\n"); #ifndef USE_PAM if (pwd && getdef_bool("FAILLOG_ENAB")) failure (pwent.pw_uid, tty, &faillog); #endif if (getdef_str("FTMP_FILE") != NULL) { #if HAVE_UTMPX_H failent = utxent; /* don't assume that utmpx.ut_tv is a struct timeval */ { struct timeval tv; gettimeofday(&tv, NULL); failent.ut_tv.tv_sec = tv.tv_sec; failent.ut_tv.tv_usec = tv.tv_usec; } #else failent = utent; failent.ut_time = time(0); #endif strncpy(failent.ut_user, failent_user, sizeof(failent.ut_user)); #ifdef USER_PROCESS failent.ut_type = USER_PROCESS; #endif failtmp(&failent); } /* Let's give it another go around */ pam_set_item(pamh,PAM_USER,NULL); } /* We don't get here unless they were authenticated above */ alarm(0); retcode = pam_acct_mgmt (pamh, 0); if (retcode == PAM_NEW_AUTHTOK_REQD) { retcode = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK); } PAM_FAIL_CHECK; } /* Grab the user information out of the password file for future usage First get the username that we are actually using, though. */ retcode = pam_get_item (pamh, PAM_USER, (const void **) &pam_user); setpwent (); pwd = getpwnam (pam_user); if (!pwd || setup_groups (pwd)) exit (1); else pwent = *pwd; retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED); PAM_FAIL_CHECK; retcode = pam_open_session (pamh, hushed(&pwent) ? PAM_SILENT : 0); PAM_FAIL_CHECK; #else /* ! 
USE_PAM */ while (1) { /* repeatedly get login/password pairs */ failed = 0; /* haven't failed authentication yet */ #ifdef RADIUS is_rad_login = 0; #endif if (!username[0]) { /* need to get a login id */ if (subroot) { closelog (); exit (1); } preauth_flag = 0; #ifndef LOGIN_PROMPT #ifdef __linux__ /* hostname login: - like in util-linux login */ login_prompt (_("\n%s login: "), username, sizeof username); #else login_prompt (_("login: "), username, sizeof username); #endif #else login_prompt (LOGIN_PROMPT, username, sizeof username); #endif continue; } #endif /* ! USE_PAM */ #ifdef USE_PAM if (!(pwd = getpwnam (pam_user))) { pwent.pw_name = pam_user; #else if (!(pwd = getpwnam (username))) { pwent.pw_name = username; #endif strcpy (temp_pw, "!"); pwent.pw_passwd = temp_pw; pwent.pw_shell = temp_shell; preauth_flag = 0; failed = 1; } else { pwent = *pwd; } #ifndef USE_PAM #ifdef SHADOWPWD spwd = NULL; if (pwd && strcmp (pwd->pw_passwd, SHADOW_PASSWD_STRING) == 0) { spwd = getspnam (username); if (spwd) pwent.pw_passwd = spwd->sp_pwdp; else SYSLOG ((LOG_WARN, "no shadow password for `%s'%s", username, fromhost)); } #endif /* SHADOWPWD */ /* * If the encrypted password begins with a "!", the account * is locked and the user cannot login, even if they have * been "pre-authenticated." */ if (pwent.pw_passwd[0] == '!' || pwent.pw_passwd[0] == '*') failed = 1; /* * The -r and -f flags provide a name which has already * been authenticated by some server. */ if (preauth_flag) goto auth_ok; /* * No password prompt if logging in from listed ttys (local * console). Passwords don't help much if you have physical * access to the hardware anyway... Suggested by Pavel * Machek . * NOTE: password still required for root logins! 
*/ if (pwd && (pwent.pw_uid != 0) && is_listed ("NO_PASSWORD_CONSOLE", tty, 0)) { temp_pw[0] = '\0'; pwent.pw_passwd = temp_pw; } if (pw_auth (pwent.pw_passwd, username, reason, (char *) 0) == 0) goto auth_ok; #ifdef RADIUS /* * If normal passwd authentication didn't work, try radius. */ if (failed) { pwd = rad_authenticate (&rad_user_data, username, clear_pass ? clear_pass : ""); if (pwd) { is_rad_login = 1; pwent = *pwd; failed = 0; goto auth_ok; } } #endif /* RADIUS */ /* * Don't log unknown usernames - I mistyped the password for * username at least once. Should probably use LOG_AUTHPRIV * for those who really want to log them. --marekm */ SYSLOG ((LOG_WARN, "invalid password for `%s' %s", (pwd || getdef_bool ("LOG_UNKFAIL_ENAB")) ? username : "UNKNOWN", fromhost)); failed = 1; auth_ok: /* * This is the point where all authenticated users wind up. * If you reach this far, your password has been * authenticated and so on. */ #if defined(RADIUS) && !(defined(DES_RPC) || defined(KERBEROS)) if (clear_pass) { strzero (clear_pass); clear_pass = NULL; } #endif if (getdef_bool ("DIALUPS_CHECK_ENAB")) { alarm (30); if (!dialcheck (tty, pwent.pw_shell[0] ? pwent.pw_shell : "/bin/sh")) { SYSLOG ((LOG_WARN, "invalid dialup password for `%s' on `%s'", username, tty)); failed = 1; } } if (!failed && pwent.pw_name && pwent.pw_uid == 0 && !is_console) { SYSLOG ((LOG_CRIT, "ILLEGAL ROOT LOGIN %s", fromhost)); failed = 1; } #ifdef LOGIN_ACCESS if (!failed && !login_access (username, *hostname ? 
hostname : tty)) { SYSLOG ((LOG_WARN, "LOGIN `%s' REFUSED %s", username, fromhost)); failed = 1; } #endif #ifndef USE_PAM if (pwd && getdef_bool ("FAILLOG_ENAB") && !failcheck (pwent.pw_uid, &faillog, failed)) { SYSLOG ((LOG_CRIT, "exceeded failure limit for `%s' %s", username, fromhost)); failed = 1; } #endif if (!failed) break; #ifndef USE_PAM /* don't log non-existent users */ if (pwd && getdef_bool ("FAILLOG_ENAB")) failure (pwent.pw_uid, tty, &faillog); #endif if (getdef_str ("FTMP_FILE") != NULL) { const char *failent_user; #if HAVE_UTMPX_H failent = utxent; /* don't assume that utmpx.ut_tv is a struct timeval */ { struct timeval tv; gettimeofday(&tv, NULL); failent.ut_tv.tv_sec = tv.tv_sec; failent.ut_tv.tv_usec = tv.tv_usec; } #else failent = utent; failent.ut_time = time(0); #endif if (pwd) { failent_user = pwent.pw_name; } else { if (getdef_bool ("LOG_UNKFAIL_ENAB")) failent_user = username; else failent_user = "UNKNOWN"; } strncpy (failent.ut_user, failent_user, sizeof (failent.ut_user)); #ifdef USER_PROCESS failent.ut_type = USER_PROCESS; #endif failtmp (&failent); } memzero (username, sizeof username); if (--retries <= 0) SYSLOG ((LOG_CRIT, "REPEATED login failures%s", fromhost)); #if 1 /* * If this was a passwordless account and we get here, login * was denied (securetty, faillog, etc.). There was no * password prompt, so do it now (will always fail - the bad * guys won't see that the passwordless account exists at * all). --marekm */ if (pwent.pw_passwd[0] == '\0') pw_auth ("!", username, reason, (char *) 0); #endif /* * Wait a while (a la SVR4 /usr/bin/login) before attempting * to login the user again. If the earlier alarm occurs * before the sleep() below completes, login will exit. */ if (delay > 0) sleep (delay); puts (_("Login incorrect")); /* allow only one attempt with -r or -f */ if (rflg || fflg || retries <= 0) { closelog (); exit (1); } } /* while (1) */ #endif /* ! 
USE_PAM */ alarm (0); /* turn off alarm clock */ #ifndef USE_PAM /* PAM does this */ /* * porttime checks moved here, after the user has been * authenticated. now prints a message, as suggested * by Ivan Nejgebauer . --marekm */ if (getdef_bool ("PORTTIME_CHECKS_ENAB") && !isttytime (pwent.pw_name, tty, time ((time_t *) 0))) { SYSLOG ((LOG_WARN, "invalid login time for `%s'%s", username, fromhost)); closelog (); bad_time_notify (); exit (1); } check_nologin (); #endif if (getenv ("IFS")) /* don't export user IFS ... */ addenv ("IFS= \t\n", NULL); /* ... instead, set a safe IFS */ #ifdef USE_PAM setutmp (pam_user, tty, hostname); /* make entry in utmp & wtmp files */ #else setutmp (username, tty, hostname); /* make entry in utmp & wtmp files */ #endif if (pwent.pw_shell[0] == '*') { /* subsystem root */ pwent.pw_shell++; /* skip the '*' */ subsystem (&pwent); /* figure out what to execute */ subroot++; /* say i was here again */ endpwent (); /* close all of the file which were */ endgrent (); /* open in the original rooted file */ #ifdef SHADOWPWD endspent (); /* system. they will be re-opened */ #endif #ifdef SHADOWGRP endsgent (); /* in the new rooted file system */ #endif goto top; /* go do all this all over again */ } #ifndef USE_PAM /* pam_lastlog handles this */ if (getdef_bool ("LASTLOG_ENAB")) /* give last login and log this one */ dolastlog (&lastlog, &pwent, utent.ut_line, hostname); #endif #ifdef SVR4_SI86_EUA sysi86 (SI86LIMUSER, EUA_ADD_USER); /* how do we test for fail? */ #endif #ifndef USE_PAM /* PAM handles this as well */ /* * Have to do this while we still have root privileges, otherwise we * don't have access to /etc/shadow. expire() closes password files, * and changes to the user in the child before executing the passwd * program. 
--marekm */ #ifdef SHADOWPWD if (spwd) { /* check for age of password */ if (expire (&pwent, spwd)) { pwd = getpwnam (username); spwd = getspnam (username); if (pwd) pwent = *pwd; } } #else #ifdef ATT_AGE if (pwent.pw_age && pwent.pw_age[0]) { if (expire (&pwent)) { pwd = getpwnam (username); if (pwd) pwent = *pwd; } } #endif /* ATT_AGE */ #endif /* SHADOWPWD */ #ifdef RADIUS if (is_rad_login) { char whofilename[128]; FILE *whofile; snprintf (whofilename, sizeof whofilename, "/var/log/radacct/%.20s", tty); whofile = fopen (whofilename, "w"); if (whofile) { fprintf (whofile, "%s\n", username); fclose (whofile); } } #endif setup_limits (&pwent); /* nice, ulimit etc. */ #endif /* ! USE_PAM */ chown_tty (tty, &pwent); #ifdef LOGIN_FBTAB /* * XXX - not supported yet. Change permissions and ownerships of * devices like floppy/audio/mouse etc. for console logins, based * on /etc/fbtab or /etc/logindevperm configuration files (Suns do * this with their framebuffer devices). Problems: * * - most systems (except BSD) don't have that nice revoke() system * call to ensure the previous user didn't leave a process holding * one of these devices open or mmap'ed. Any volunteers to do it * in Linux? * * - what to do with different users logged in on different virtual * consoles? Maybe permissions should be changed only on user's * request, by running a separate (setuid root) program? * * - init/telnetd/rlogind/whatever should restore permissions after * the user logs out. * * Try the new CONSOLE_GROUPS feature instead. It adds specified * groups (like "floppy") to the group set if the user is logged in * on the console. This still has the first problem (users leaving * processes with these devices open), but doesn't need to change * any permissions, just make them 0660 root:floppy etc. --marekm * * Warning: users can still gain permanent access to these groups * unless any user-writable filesystems are mounted with the * "nosuid" option. 
Alternatively, the kernel could be modified to * prevent ordinary users from setting the setgid bit on * executables. */ login_fbtab (tty, pwent.pw_uid, pwent.pw_gid); #endif #ifdef USE_PAM /* * We must fork before setuid() because we need to call * pam_close_session() as root. * * Note: not true in other (non-Linux) PAM implementations, where * the parent process of login (init, telnetd, ...) is responsible * for calling pam_close_session(). This avoids an extra process for * each login. Maybe we should do this on Linux too? We let the * admin configure whether they need to keep login around to close * sessions. */ if (getdef_bool ("CLOSE_SESSIONS")) { signal (SIGINT, SIG_IGN); child = fork (); if (child < 0) { /* error in fork() */ fprintf (stderr, "login: failure forking: %s", strerror (errno)); PAM_END; exit (0); } else if (child) { /* * parent - wait for child to finish, then cleanup * session */ wait (NULL); PAM_END; exit (0); } /* child */ } #endif /* We call set_groups() above because this clobbers pam_groups.so */ #ifndef USE_PAM if (setup_uid_gid (&pwent, is_console)) #else if (change_uid (&pwent)) #endif exit (1); #ifdef KERBEROS if (clear_pass) login_kerberos (username, clear_pass); #endif #ifdef DES_RPC if (clear_pass) login_desrpc (clear_pass); #endif #if defined(DES_RPC) || defined(KERBEROS) if (clear_pass) strzero (clear_pass); #endif setup_env (&pwent); /* set env vars, cd to the home dir */ #ifdef USE_PAM { const char *const *env; env = (const char *const *) pam_getenvlist (pamh); while (env && *env) { addenv (*env, NULL); env++; } } #endif setlocale (LC_ALL, ""); bindtextdomain (PACKAGE, LOCALEDIR); textdomain (PACKAGE); if (!hushed (&pwent)) { addenv ("HUSHLOGIN=FALSE", NULL); /* * pam_unix, pam_mail and pam_lastlog should take care of * this */ #ifndef USE_PAM motd (); /* print the message of the day */ if (getdef_bool ("FAILLOG_ENAB") && faillog.fail_cnt != 0) { failprint (&faillog); /* Reset the lockout times if logged in */ if 
(faillog.fail_max && faillog.fail_cnt >= faillog.fail_max) { puts (_ ("Warning: login re-enabled after temporary lockout.\n")); SYSLOG ((LOG_WARN, "login `%s' re-enabled after temporary lockout (%d failures)", username, (int) faillog.fail_cnt)); } } if (getdef_bool ("LASTLOG_ENAB") && lastlog.ll_time != 0) { time_t when = lastlog.ll_time; /* may not be a time_t */ #ifdef HAVE_STRFTIME strftime (ptime, sizeof (ptime), "%a %b %e %H:%M:%S %z %Y", localtime (&when)); printf (_("Last login: %s on %s"), ptime, lastlog.ll_line); #else printf (_("Last login: %.19s on %s"), ctime (&when), lastlog.ll_line); #endif #ifdef HAVE_LL_HOST /* SVR4 || __linux__ || SUN4 */ if (lastlog.ll_host[0]) printf (_(" from %.*s"), (int) sizeof lastlog. ll_host, lastlog.ll_host); #endif printf (".\n"); } #ifdef SHADOWPWD agecheck (&pwent, spwd); #else agecheck (&pwent); #endif mailcheck (); /* report on the status of mail */ #endif /* !USE_PAM */ } else addenv ("HUSHLOGIN=TRUE", NULL); if (getdef_str ("TTYTYPE_FILE") != NULL && getenv ("TERM") == NULL) ttytype (tty); signal (SIGQUIT, SIG_DFL); /* default quit signal */ signal (SIGTERM, SIG_DFL); /* default terminate signal */ signal (SIGALRM, SIG_DFL); /* default alarm signal */ signal (SIGHUP, SIG_DFL); /* added this. 
--marekm */ signal (SIGINT, SIG_DFL); /* default interrupt signal */ endpwent (); /* stop access to password file */ endgrent (); /* stop access to group file */ #ifdef SHADOWPWD endspent (); /* stop access to shadow passwd file */ #endif #ifdef SHADOWGRP endsgent (); /* stop access to shadow group file */ #endif if (pwent.pw_uid == 0) SYSLOG ((LOG_NOTICE, "ROOT LOGIN %s", fromhost)); else if (getdef_bool ("LOG_OK_LOGINS")) #ifdef USE_PAM SYSLOG ((LOG_INFO, "`%s' logged in %s", pam_user, fromhost)); #else SYSLOG ((LOG_INFO, "`%s' logged in %s", username, fromhost)); #endif closelog (); #ifdef RADIUS if (is_rad_login) { printf (_("Starting rad_login\n")); rad_login (&rad_user_data); exit (0); } #endif if ((tmp = getdef_str ("FAKE_SHELL")) != NULL) { shell (tmp, pwent.pw_shell); /* fake shell */ } shell (pwent.pw_shell, (char *) 0); /* exec the shell finally. */ /*NOTREACHED*/ return 0; } From glimming at kth.se Sun Feb 6 22:59:05 2005 From: glimming at kth.se (Johan Glimming) Date: Sun, 6 Feb 2005 12:59:05 +0100 Subject: ssh parameter to quell banner in e.g. CVS extssh Message-ID: Hi SSH developer community I am using CVS over SSH (and SSH in other cases too) and in a certain context it is very annoying to get the SSH banner displayed all the time when using e.g. CVS. Is there a way to set negative verbosity or to otherwise quell the banner information in SSH (or, worse, in CVS). I have tried ssh -q but that does _not_ quell the banner. Best Johan (I am not a regular subscriber so please cc to glimming--AT--kth--DOT--se) From bob at proulx.com Mon Feb 7 05:13:50 2005 
From: bob at proulx.com (Bob Proulx)
Date: Sun, 6 Feb 2005 11:13:50 -0700
Subject: ssh parameter to quell banner in e.g. CVS extssh
In-Reply-To:
References:
Message-ID: <20050206181350.GB25304@dementia.proulx.com>

Johan Glimming wrote:
> (I am not a regular subscriber so please cc to glimming--AT--kth--DOT--se)
>
> I am using CVS over SSH (and SSH in other cases too) and in a certain
> context it is very annoying to get the SSH banner displayed all the
> time when using e.g. CVS.

Could you be more specific? In the configurations I use there are no ssh banners. Are you referring to the /etc/motd?

> Is there a way to set negative verbosity or to otherwise quell the
> banner information in SSH (or, worse, in CVS). I have tried ssh -q but
> that does _not_ quell the banner.

I am not one of the developers but as I read this it appears to me that you have a local configuration which is abnormal. Are you sure this is not something in your shell environment file? Such as in your .bashrc? The following should produce no output.

  ssh host.example.com true

Bob

From dtucker at zip.com.au Mon Feb 7 00:55:19 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 07 Feb 2005 00:55:19 +1100
Subject: ssh parameter to quell banner in e.g. CVS extssh
In-Reply-To:
References:
Message-ID: <420621C7.9070300@zip.com.au>

Johan Glimming wrote:
> Is there a way to set negative verbosity or to otherwise quell the
> banner information in SSH (or, worse, in CVS). I have tried ssh -q but
> that does _not_ quell the banner.

It does (well, should) since about version 3.7. What version are you using?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From simonb at wasabisystems.com Mon Feb 7 23:39:50 2005
From: simonb at wasabisystems.com (Simon Burge)
Date: Mon, 7 Feb 2005 23:39:50 +1100
Subject: moduli(5) changes
Message-ID: <20050207123950.GA21008@thoreau.thistledown.com.au>

Hi folks,

This applies to src/share/man/man5/moduli.5 in the OpenBSD source tree, and doesn't seem to apply to the portable OpenSSH, so I've sent this change here instead of via Bugzilla.

The wording of moduli(5) implies that sshd puts more thought about which modulus it selects than it really does. The following patch corrects this.

Simon.
--
Simon Burge
NetBSD Development, Support and Service: http://www.wasabisystems.com/

Index: moduli.5 =================================================================== RCS file: /cvsroot/src/crypto/dist/ssh/moduli.5,v retrieving revision 1.8 retrieving revision 1.9 diff -d -p -u -r1.8 -r1.9 --- moduli.5 4 Jul 2003 21:56:48 -0000 1.8 +++ moduli.5 7 Feb 2005 12:26:56 -0000 1.9 @@ -31,7 +31,7 @@ .\" .\" Manual page, using -mandoc macros .\" -.Dd July 28, 1997 +.Dd February 7, 2005 .Dt MODULI 5 .Os .Sh NAME @@ -140,11 +140,16 @@ Specifies the best generator for a Diffi .Fa Modulus : hex string . The prime modulus. .Pp -The file is searched for moduli that meet the appropriate +The file should be searched for moduli that meet the appropriate Time, Size and Generator criteria. When more than one meet the criteria, the selection should be weighted toward newer moduli, without completely disqualifying older moduli. +.Pp +Note that +.Xr sshd 8 +uses only the Size criteria and then selects a modulus at random +if more than one meet the Size criteria. .Sh FILES .Bl -tag -width /etc/moduli -compact .It Pa /etc/moduli

From qralston+ml.openssh-unix-dev at andrew.cmu.edu Tue Feb 8 05:18:12 2005
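Review bot: in the second hunk (@@ -140,11 +140,16 @@) the retained text and the added paragraph now pull in opposite directions: the unchanged lines still say the selection "should be weighted toward newer moduli, without completely disqualifying older moduli", while the new .Pp block says sshd(8) looks only at Size and then picks at random, so a reader can still come away thinking age influences sshd's choice. Consider stating what sshd actually does first and recasting the Time and Generator weighting as a recommendation for other consumers of the file. Also, "the Size criteria" in the two added lines should be the singular "the Size criterion".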
From: qralston+ml.openssh-unix-dev at andrew.cmu.edu (James Ralston)
Date: Mon, 07 Feb 2005 13:18:12 -0500
Subject: treat output of sshrc as environment assignment lines?
Message-ID: <5342A14F7E977C69F0BDDBEC@pcmy.sei.cmu.edu>

Currently, ~/.ssh/environment can set static environment variables, and
~/.ssh/rc can run initialization routines. But there is no way for sshrc
to propagate changes to the environment to the user's shell or command.

There is, however, a possible way to do this. If the PermitUserEnvironment
option is set, sshd could treat the stdout of sshrc as additional
assignment lines of the form name=value. This would permit sshrc to
propagate changes to the environment to the user's shell or command.

The specific problem I am trying to solve here is to use a temporary,
securely-created Xauthority file. If sshd were to read the output of
sshrc, then I could do it. E.g.:

    if read proto cookie && [ -n "$DISPLAY" ]; then
        # private temp file for the cookie; mktemp's errors go to stderr,
        # so only the file name lands in the captured output
        if xauth=`mktemp -t xauth-XXXXXXXXXX 2>/dev/null`; then
            XAUTHORITY=${xauth}; export XAUTHORITY
            echo "XAUTHORITY=${XAUTHORITY}"
        fi
        if [ `echo "x${DISPLAY}" | cut -c1-11` = 'xlocalhost:' ]; then
            # X11UseLocalhost=yes
            echo add "unix:`echo $DISPLAY | cut -c11-`" ${proto} ${cookie}
        else
            # X11UseLocalhost=no
            echo add "${DISPLAY}" "${proto}" "${cookie}"
        fi | xauth -q -
    fi

Having sshd evaluate the output that sshrc produces (if
PermitUserEnvironment is set, that is) would enable this and other
"smart" initialization routines.

Thoughts? (I.e., if I were to write a patch to implement this feature,
would it be accepted?)

-- 
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA

From djm at mindrot.org Tue Feb 8 08:06:21 2005
From: djm at mindrot.org (Damien Miller)
Date: Tue, 08 Feb 2005 08:06:21 +1100
Subject: moduli(5) changes
In-Reply-To: <20050207123950.GA21008@thoreau.thistledown.com.au>
References: <20050207123950.GA21008@thoreau.thistledown.com.au>
Message-ID: <4207D84D.9040700@mindrot.org>

Simon Burge wrote:
> Hi folks,
>
> This applies to src/share/man/man5/moduli.5 in the OpenBSD source
> tree, and doesn't seem to apply to the portable OpenSSH, so I've
> sent this change here instead of via Bugzilla.
>
> The wording of moduli(5) implies that sshd puts more thought about which
> modulus it selects than it really does. The following patch corrects
> this.
>
> Simon.
> --
> Simon Burge
> NetBSD Development, Support and Service: http://www.wasabisystems.com/
>
> Index: moduli.5 > =================================================================== > RCS file: /cvsroot/src/crypto/dist/ssh/moduli.5,v > retrieving revision 1.8 > retrieving revision 1.9 > diff -d -p -u -r1.8 -r1.9 > --- moduli.5 4 Jul 2003 21:56:48 -0000 1.8 > +++ moduli.5 7 Feb 2005 12:26:56 -0000 1.9 > @@ -31,7 +31,7 @@ > .\" > .\" Manual page, using -mandoc macros > .\" > -.Dd July 28, 1997 > +.Dd February 7, 2005 > .Dt MODULI 5 > .Os > .Sh NAME > @@ -140,11 +140,16 @@ Specifies the best generator for a Diffi > .Fa Modulus : hex string . > The prime modulus. > .Pp > -The file is searched for moduli that meet the appropriate > +The file should be searched for moduli that meet the appropriate

I don't know whether that is much better. The time column at least is
purely informational. Maybe it should just say that it is checked for
size.

-d

From dtucker at zip.com.au Tue Feb 8 18:47:39 2005
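As an added illustration of the selection behaviour this thread documents (example code written here, not sshd's own dh.c): it parses moduli records in the file's seven-column layout, filters on Size alone and draws one of the matches at random, next to the "prefer newer" policy the old man page wording described. The function names, the constructed sample records and the placeholder modulus strings are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* One record of the moduli file, in the column order the file uses:
 * Time Type Tests Tries Size Generator Modulus. */
struct moduli_entry {
    char time[15];      /* YYYYMMDDHHMMSS: when the modulus was generated */
    unsigned type;      /* 2 = Sophie Germain (safe) prime */
    unsigned tests;     /* bit field of the primality tests applied */
    unsigned tries;     /* number of primality trials run */
    unsigned size;      /* Size column as stored in the file */
    unsigned generator; /* best generator found for this modulus */
    char modulus[1024]; /* hex string of the prime (placeholders in the sample) */
};

/* Parse one line. Returns 1 on success, 0 for blank/comment lines, -1 if malformed. */
int parse_moduli_line(const char *line, struct moduli_entry *e)
{
    while (*line == ' ' || *line == '\t')
        line++;
    if (*line == '\0' || *line == '\n' || *line == '#')
        return 0;
    if (sscanf(line, "%14s %u %u %u %u %u %1023s", e->time, &e->type,
               &e->tests, &e->tries, &e->size, &e->generator, e->modulus) != 7)
        return -1;
    return 1;
}

/* Load every well-formed record from text into out[]; returns the count.
 * Malformed lines are skipped rather than aborting the load. */
int load_moduli(const char *text, struct moduli_entry *out, int max)
{
    char linebuf[1200];
    int n = 0;
    while (*text != '\0' && n < max) {
        size_t len = strcspn(text, "\n");
        if (len < sizeof linebuf) {
            memcpy(linebuf, text, len);
            linebuf[len] = '\0';
            if (parse_moduli_line(linebuf, &out[n]) == 1)
                n++;
        }
        text += len;
        if (*text == '\n')
            text++;
    }
    return n;
}

/* How many records have exactly the requested Size. */
int count_by_size(const struct moduli_entry *e, int n, unsigned size)
{
    int c = 0;
    for (int i = 0; i < n; i++)
        if (e[i].size == size)
            c++;
    return c;
}

/* What the patch says sshd does: filter on Size only, then pick one of the
 * matches at random. r stands in for the random draw so the choice is
 * reproducible here. Returns the chosen index, or -1 if nothing matches. */
int choose_random_by_size(const struct moduli_entry *e, int n, unsigned size, unsigned r)
{
    int c = count_by_size(e, n, size);
    if (c == 0)
        return -1;
    unsigned k = r % (unsigned)c;
    for (int i = 0; i < n; i++)
        if (e[i].size == size && k-- == 0)
            return i;
    return -1;
}

/* What the old man page text suggested instead: prefer the newest match.
 * The fixed-width timestamp compares correctly as a string. */
int choose_newest_by_size(const struct moduli_entry *e, int n, unsigned size)
{
    int best = -1;
    for (int i = 0; i < n; i++)
        if (e[i].size == size && (best < 0 || strcmp(e[i].time, e[best].time) > 0))
            best = i;
    return best;
}

/* Constructed sample: the modulus column holds placeholders, not real primes. */
static const char SAMPLE_MODULI[] =
    "# constructed sample, not a real /etc/moduli\n"
    "20040101000000 2 6 100 1023 2 C0FFEE01\n"
    "20040601000000 2 6 100 2047 2 C0FFEE02\n"
    "this line is malformed and gets skipped\n"
    "20050201000000 2 6 100 2047 5 C0FFEE03\n"
    "20050201000000 2 6 100 4095 2 C0FFEE04\n";

int main(void)
{
    struct moduli_entry e[8];
    int n = load_moduli(SAMPLE_MODULI, e, 8);
    printf("%d records, %d of size 2047, random pick %d, newest pick %d\n",
           n, count_by_size(e, n, 2047),
           choose_random_by_size(e, n, 2047, 3), choose_newest_by_size(e, n, 2047));
    return 0;
}
```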
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 08 Feb 2005 18:47:39 +1100
Subject: Feature request: FAIL_DELAY-support for sshd
References: <41FFD983.1040006@chemnitz.dialup.cs.tu-berlin.de> <42000BB0.7000601@zip.com.au> <42018732.9060506@zip.com.au> <42040E81.2050109@zip.com.au>
Message-ID: <42086E9B.1010900@zip.com.au>

Bjoern Voigt wrote:
> Ok, but unfortunately there is probably not a configure option for this
> in Linux PAM. I did not find one.

It's trivial to write one, so:
http://www.zip.com.au/~dtucker/patches/pam_faildelay.c

It turns out I should have invoked Google *before* vi, because someone
beat me to it by many years (timestamps are 1997):
http://www-uxsup.csx.cam.ac.uk/~pjb1008/project/pam_delay/

> You already said, that it's possible to write such a PAM module. But
> does it help, if very few people use such an un-official PAM module?

Perhaps that's because few people want it? There's been a module
available since last century...

> Also lots of Unix systems have no PAM-system or no pam_fail_delay()
> function.

OK, I've thought about this and here's my opinion:

a) sshd should not insert arbitrary delays.

b) sshd should not arbitrarily override pam_fail_delay() either. If you
want to configure PAM do it via a PAM config file. That's what they're
for.

c) maybe sshd could read AUTH_FAIL from login.defs[1] *IF* it's
sufficiently standardized. The facts that the Linux vendors can't agree
on it and the API isn't public are not in its favour.

d) maybe sshd should have a generic option to insert a delay on failed
password-based auths. If so it should default to disabled. If enabled
it would be reasonable to supply it to pam_fail_delay() on platforms
that have it.

[1] reading /etc/default/login on Solaris/Sinix is a precedent for this
sort of thing.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From phillipsmiley at gmail.com Wed Feb 9 04:40:15 2005
From: phillipsmiley at gmail.com (Phil Smiley)
Date: Tue, 8 Feb 2005 11:40:15 -0600
Subject: OpenSSH.org Differences Between 3.9p1, 3.8p1, and 3.7p1

Can someone tell me where I can find a list of changes made between these
releases of openSSH?

I saw the diff files available for the various releases but I'm looking
for something more akin to release notes that will give me an overview of
the changes between releases.

Thanks;
Phil

From djm at mindrot.org Wed Feb 9 08:48:51 2005
From: djm at mindrot.org (Damien Miller)
Date: Wed, 09 Feb 2005 08:48:51 +1100
Subject: OpenSSH.org Differences Between 3.9p1, 3.8p1, and 3.7p1
Message-ID: <420933C3.2070005@mindrot.org>

Phil Smiley wrote:
> Can someone tell me where I can find a list of changes made between
> these releases of openSSH?
>
> I saw the diff files available for the various releases but I'm
> looking for something more akin to release notes that will give me an
> overview of the changes between releases.

We send these to the relevant mailing lists, but they are also posted
here:

http://www.openssh.com/txt/release-3.9
http://www.openssh.com/txt/release-3.8

You can also look at the ChangeLog file in the distribution, if you like
excessive detail.

-d

From dtucker at zip.com.au Wed Feb 9 08:56:41 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 09 Feb 2005 08:56:41 +1100
Subject: OpenSSH.org Differences Between 3.9p1, 3.8p1, and 3.7p1
Message-ID: <42093599.9020601@zip.com.au>

Phil Smiley wrote:
> Can someone tell me where I can find a list of changes made between
> these releases of openSSH?
>
> I saw the diff files available for the various releases but I'm
> looking for something more akin to release notes that will give me an
> overview of the changes between releases.

http://www.openssh.com/txt/release-3.7
http://www.openssh.com/txt/release-3.7.1
http://www.openssh.com/txt/release-3.7.1p2
http://www.openssh.com/txt/release-3.8
http://www.openssh.com/txt/release-3.8.1p1
http://www.openssh.com/txt/release-3.9

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From mbrewster at solihull.gov.uk Sat Feb 12 02:35:42 2005
From: mbrewster at solihull.gov.uk (Brewster, Michael (Strategic Services, Customer Services - Solihull MBC))
Date: Fri, 11 Feb 2005 15:35:42 -0000
Subject: scp in batch mode
Message-ID: <13642DB5C3AEEC4A93B6CF7922919BD8018785D6@smbc-ex1.solihull.gov.uk>

Have recently configured secure shell on solaris 9.

I'd like to be able to transfer files to other servers in batch mode
(without password interaction), ie with the -B option.

scp tells me "unable to find an authentication method".

What have I missed?

Any help welcome.

**********************************************************************
DISCLAIMER: 'This e-mail and files transmitted with it are confidential
and intended solely for the use of the individual to whom it is
addressed. If you are not the intended recipient please notify the
sender immediately and delete the message. Any views or opinions
presented are solely those of the author and do not necessarily
represent those of Solihull Council unless explicitly stated otherwise.
Solihull Council may monitor the contents of e-mail sent and received
via its network for the purposes of ensuring compliance with its
policies and procedures.'
**********************************************************************

From dkg-openssh.com at fifthhorseman.net Sat Feb 12 03:02:22 2005
From: dkg-openssh.com at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 11 Feb 2005 11:02:22 -0500
Subject: scp in batch mode
In-Reply-To: <13642DB5C3AEEC4A93B6CF7922919BD8018785D6@smbc-ex1.solihull.gov.uk>
References: <13642DB5C3AEEC4A93B6CF7922919BD8018785D6@smbc-ex1.solihull.gov.uk>
Message-ID: <16908.55054.565917.623860@pinhead.lair.fifthhorseman.net>

On February 11, mbrewster at solihull.gov.uk said:
> Have recently configured secure shell on solaris 9.
>
> I'd like to be able to transfer files to other servers in batch
> mode (without password interaction), ie with the -B option.
>
> scp tells me "unable to find an authentication method.
>
> What have I missed?
>
> Any help welcome.

Some form of authentication still needs to take place, otherwise the
copying wouldn't be secure. A reasonable way to do this is with an SSH
identity/public key. Brian Hatch's articles [1] [2] about doing this are
a good place to start reading.

hth,

--dkg

[1] http://www.securityfocus.com/infocus/1810
[2] http://www.securityfocus.com/infocus/1812

From bob at proulx.com Sat Feb 12 05:12:11 2005
From: bob at proulx.com (Bob Proulx)
Date: Fri, 11 Feb 2005 11:12:11 -0700
Subject: SSH and agent article (was: scp in batch mode)
In-Reply-To: <16908.55054.565917.623860@pinhead.lair.fifthhorseman.net>
References: <13642DB5C3AEEC4A93B6CF7922919BD8018785D6@smbc-ex1.solihull.gov.uk> <16908.55054.565917.623860@pinhead.lair.fifthhorseman.net>
Message-ID: <20050211181211.GC26275@dementia.proulx.com>

Daniel Kahn Gillmor wrote:
> SSH identity/public key. Brian Hatch's articles [1] [2] about doing
> this are a good place to start reading.
> [2] http://www.securityfocus.com/infocus/1812

Brian's articles are generally good. However whenever I see the
following I always cringe. This from his article.

  # Run it inside backticks, which will capture the output and
  # pass it to 'eval' which will run it in your current shell.
  $ eval `ssh-agent`
  Agent pid 7943

People read those howtos and then do this in their .bashrc et al scripts
and then forget about them. I find these when a machine is now out of
process slots because of thousands of forgotten ssh-agents! Of course he
mentions in passing that you can kill off your agents. But how many
readers will see that and do it?

In hindsight I wish that ssh-agent disallowed that style and forced
users to use the subshell instead. Man page:

  If a commandline is given, this is executed as a subprocess of the
  agent. When the command dies, so does the agent.

Example:

  exec ssh-agent $SHELL

Or:

  exec ssh-agent x-session-manager

Any of those invocations are so much better by being a lot tidier about
the processes. I would hazard a guess that most readers on this list use
one of the command-line forms and only rarely use the eval form.

Bob

From chris at obelix.hedonism.cx Sat Feb 12 06:33:59 2005
From: chris at obelix.hedonism.cx (Christian Vogel)
Date: Fri, 11 Feb 2005 20:33:59 +0100
Subject: SSH and agent article (was: scp in batch mode)
In-Reply-To: <20050211181211.GC26275@dementia.proulx.com>; from bob@proulx.com on Fri, Feb 11, 2005 at 11:12:11AM -0700
References: <13642DB5C3AEEC4A93B6CF7922919BD8018785D6@smbc-ex1.solihull.gov.uk> <16908.55054.565917.623860@pinhead.lair.fifthhorseman.net> <20050211181211.GC26275@dementia.proulx.com>
Message-ID: <20050211203359.A17415@obelix.frop.org>

Hi,

here is what I used to use for a long time to have only one ssh-agent
running on my machine(s), so I don't use the spawn-subcommand form :-)

> #!/bin/sh
>
> ###
> # warning: This script should be sourced from your
> # login-files!
> ###
>
> # one agent file per host; it holds the SSH_AUTH_SOCK and SSH_AGENT_PID
> # assignments printed by ssh-agent -s
> AGENT_SCRIPT=~/.ssh/AGENT-"${HOSTNAME:-$(hostname)}"
>
> start_ssh_agent() {
>     # drop the "echo Agent pid ..." line so sourcing the file stays silent
>     ( cd / ; ssh-agent -s ) | grep -v "^echo" >"$AGENT_SCRIPT"
>     chmod 600 "$AGENT_SCRIPT"
>     . "$AGENT_SCRIPT"
>     ssh-add ~/.ssh/id_dsa
>     ssh-add ~/.ssh/identity
> }
>
> if [ -f "$AGENT_SCRIPT" ] ; then
>     . "$AGENT_SCRIPT"
>     # kill -0 only checks that the recorded agent pid still exists
>     if ! kill -0 "$SSH_AGENT_PID" 2>/dev/null ; then
>         echo "*** SSH-AGENT DIED. STARTING NEW SSH-AGENT ***"
>         start_ssh_agent
>     fi
> else
>     echo "*** STARTING NEW SSH-AGENT ***"
>     start_ssh_agent
> fi
>
> unset -f start_ssh_agent

-- 
There is a chasm of carbon and silicon the software can't bridge
-- Rahul Sonnad

From senthilkumar_sen at hotpop.com Tue Feb 15 16:26:38 2005
From: senthilkumar_sen at hotpop.com (Senthil Kumar)
Date: Tue, 15 Feb 2005 10:56:38 +0530
Subject: Is it possible to avoid PAM calls for key based Auth methods
Message-ID: <0da201c5131e$f0915490$220110ac@sekco>

Hello All,

I'm using OpenSSH-3.9p1 configured for PAM, krb etc. When I use key based
auth methods such as public key, gssapi etc., this skips the
pam_authenticate() call and directly calls pam_acct_mgmt(). This results
in a failed attempt with a few of my own PAM modules. Is there any way to
implement this facility to be controlled by a directive in sshd_config?
I mean PAM calls should not be called for key based auth methods, however
they should be obeyed for interactive auth methods such as kbdint,
password.

Thanks for help,
Senthil Kumar.

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.791 / Virus Database: 535 - Release Date: 11/9/2004

From dtucker at zip.com.au Tue Feb 15 16:56:35 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 15 Feb 2005 16:56:35 +1100
Subject: Is it possible to avoid PAM calls for key based Auth methods
In-Reply-To: <0da201c5131e$f0915490$220110ac@sekco>
References: <0da201c5131e$f0915490$220110ac@sekco>
Message-ID: <42118F13.6010208@zip.com.au>

Senthil Kumar wrote:
> Im using OpenSSH-3.9p1 configured for PAM,krb etc.. When I use Key based
> auth methods such as Public key,gssapi etc, this skips the
> pam_authenticate() call and directly calls pam_acct_mgmt(). This results
> in a failed attempt with few of my own PAM modules. Is there any way to
> implement this facility to be controlled by a directive in sshd_config.

No, there's no way to avoid that without hacking sshd. You wanted PAM,
you got PAM :-)

Potentially, sshd could do a couple of things to the auth type to PAM so
it could behave differently:

- sshd could set a PAM environment variable containing the
  authentication type. (Although PAM's configuration syntax is pretty
  limited. You could have a "sufficient" module early in the stack that
  returns immediately if that variable is set to, eg "public-key").

- sshd could use different PAM service names for the different auth
  types. (eg "sshd-public-key", "sshd-password", "sshd-gssapi-with-mic"
  and fall back to "sshd" if these don't exist. This would probably be
  tricky to write because you'd have to stop and start PAM for each auth
  attempt.)

> I mean PAM calls should not be called for key based Auth methods,

I disagree with that for the general case: there's many valid reasons to
call the non-auth PAM functions for non-password auths (eg account
expiry, session modules).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From Nicolas.Williams at Sun.COM Wed Feb 16 03:14:09 2005
From: Nicolas.Williams at Sun.COM (Nicolas Williams)
Date: Tue, 15 Feb 2005 10:14:09 -0600
Subject: Is it possible to avoid PAM calls for key based Auth methods
In-Reply-To: <42118F13.6010208@zip.com.au>
Message-ID: <20050215161409.GS17068@binky.Central.Sun.COM>

On Tue, Feb 15 2005 at 16:56:35, Darren Tucker wrote:
> Potentially, sshd could do a couple of things to the auth type to PAM so
> it could behave differently:
>
> - sshd could set a PAM environment variable containing the authentication
> type. (Although PAM's configuration syntax is pretty limited. You could
> have a "sufficient" module early in the stack that returns immediately if
> that variable is set to, eg "public-key").

You really don't want to do this as this means making modules aware of
ssh protocol specific details just so you can configure each ssh
authentication method differently.

> - sshd could use different PAM service names for the different auth types.
> (eg "sshd-public-key", "sshd-password", "sshd-gssapi-with-mic" and fall
> back to "sshd" if these don't exist. This would probably be tricky to
> write because you'd have to stop and start PAM for each auth attempt.)

Solaris 10's sshd does this. See:

http://docs.sun.com/app/docs/doc/816-5166/6mbb1kqh7?a=view#indexterm-768

The service names it uses are:

 - sshd-none
 - sshd-password
 - sshd-kbdint
 - sshd-pubkey
 - sshd-hostbased
 - sshd-gssapi (for both, gssapi-keyex and gssapi-with-mic)

You might want to use those too...

[Note that you can't expect the PAM configuration to be re-read when
setting the PAM_SERVICE item, so you have to pam_start() a new handle
for each service. On Solaris 10 pam_set_item() returns an error
(PAM_PERM_DENIED) if the application attempts to set the PAM_SERVICE
item.]

> > I mean PAM calls should not be called for key based Auth methods,
>
> I disagree with that for the general case: there's many valid reasons to
> call the non-auth PAM functions for non-password auths (eg account expiry,
> session modules).

Exactly. What he said.

Nico
--

From qralston+ml.openssh-unix-dev at andrew.cmu.edu Wed Feb 16 07:16:42 2005
From: qralston+ml.openssh-unix-dev at andrew.cmu.edu (James Ralston)
Date: Tue, 15 Feb 2005 15:16:42 -0500
Subject: treat output of sshrc as environment assignment lines?
In-Reply-To: <5342A14F7E977C69F0BDDBEC@pcmy.sei.cmu.edu>
References: <5342A14F7E977C69F0BDDBEC@pcmy.sei.cmu.edu>

On 2005-02-07 at 13:18-05 James Ralston wrote:
> Currently, ~/.ssh/environment can set static environment variables,
> and ~/.ssh/rc can run initialization routines. But there is no way
> for sshrc to propagate changes to the environment to the user's
> shell or command.
>
> There is, however, a possible way to do this. If the
> PermitUserEnvironment option is set, sshd could treat the stdout of
> sshrc as additional assignment lines of the form name=value. This
> would permit sshrc to propagate changes to the environment
> to the user's shell or command.
>
> The specific problem I am trying to solve here is to use a
> temporary, securely-created Xauthority file. If sshd were to read
> the output of sshrc, then I could do it. E.g.:
>
>     if read proto cookie && [ -n "$DISPLAY" ]; then
>         # private temp file for the cookie; mktemp's errors go to stderr,
>         # so only the file name lands in the captured output
>         if xauth=`mktemp -t xauth-XXXXXXXXXX 2>/dev/null`; then
>             XAUTHORITY=${xauth}; export XAUTHORITY
>             echo "XAUTHORITY=${XAUTHORITY}"
>         fi
>         if [ `echo "x${DISPLAY}" | cut -c1-11` = 'xlocalhost:' ]; then
>             # X11UseLocalhost=yes
>             echo add "unix:`echo $DISPLAY | cut -c11-`" ${proto} ${cookie}
>         else
>             # X11UseLocalhost=no
>             echo add "${DISPLAY}" "${proto}" "${cookie}"
>         fi | xauth -q -
>     fi
>
> Having sshd evaluate the output that sshrc produces (if
> PermitUserEnvironment is set, that is) would enable this and other
> "smart" initialization routines.
>
> Thoughts? (I.e., if I were to write a patch to implement this
> feature, would it be accepted?)

No one has commented on this proposal. I ask again: would a patch that
produced the above behavior be accepted?

I'm willing to code it (and bang it into acceptable shape), but if the
OpenSSH authors oppose the underlying concept, then there's no point in
bothering in the first place...

-- 
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA

From dtucker at zip.com.au Wed Feb 16 14:03:07 2005
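As an added example of what sshd would have to do with sshrc's stdout under James's proposal (example code written here, not OpenSSH's code and not part of the proposal): read name=value lines the way ~/.ssh/environment is read, but validate every name before it reaches the user's environment, since sshd_config(5) already warns that PermitUserEnvironment can be used to bypass restrictions through loader variables such as LD_PRELOAD. The LD_ block list, the function names and the constructed sample output are assumptions of this example.

```c
#include <ctype.h>
#include <string.h>

/* One accepted assignment from sshrc's stdout. */
struct env_assign {
    char name[64];
    char value[256];
};

/* POSIX variable-name rule: [A-Za-z_][A-Za-z0-9_]* */
static int valid_env_name(const char *name)
{
    if (!(isalpha((unsigned char)name[0]) || name[0] == '_'))
        return 0;
    for (const char *p = name + 1; *p != '\0'; p++)
        if (!(isalnum((unsigned char)*p) || *p == '_'))
            return 0;
    return 1;
}

/* Assumption of this example: names that steer the dynamic loader are
 * refused even when syntactically valid, because sshd_config(5) warns that
 * PermitUserEnvironment can otherwise be used to bypass restrictions. */
static int blocked_env_name(const char *name)
{
    return strncmp(name, "LD_", 3) == 0;
}

/* Classify one line written by sshrc. Returns 1 and fills *out for an
 * accepted assignment, 0 for a blank or '#' comment line (ignored, as in
 * ~/.ssh/environment), and -1 for a line that must be rejected. */
int parse_env_line(const char *line, struct env_assign *out)
{
    while (*line == ' ' || *line == '\t')
        line++;
    if (*line == '\0' || *line == '\n' || *line == '#')
        return 0;
    const char *eq = strchr(line, '=');
    if (eq == NULL)
        return -1;                          /* not an assignment at all */
    size_t nlen = (size_t)(eq - line);
    if (nlen == 0 || nlen >= sizeof out->name)
        return -1;
    memcpy(out->name, line, nlen);
    out->name[nlen] = '\0';
    if (!valid_env_name(out->name) || blocked_env_name(out->name))
        return -1;
    size_t vlen = strcspn(eq + 1, "\r\n");  /* value runs to end of line */
    if (vlen >= sizeof out->value)
        return -1;
    memcpy(out->value, eq + 1, vlen);
    out->value[vlen] = '\0';
    return 1;
}

/* Walk everything sshrc wrote to stdout. Accepted assignments are stored
 * in out[] (at most max); returns their number and counts rejected lines
 * in *rejected so the caller can log them. */
int parse_sshrc_output(const char *buf, struct env_assign *out, int max, int *rejected)
{
    char linebuf[512];
    int n = 0;
    *rejected = 0;
    while (*buf != '\0') {
        size_t len = strcspn(buf, "\n");
        if (len >= sizeof linebuf) {
            (*rejected)++;                  /* oversized line: refuse it */
        } else {
            struct env_assign tmp;
            memcpy(linebuf, buf, len);
            linebuf[len] = '\0';
            int rc = parse_env_line(linebuf, &tmp);
            if (rc == 1 && n < max)
                out[n++] = tmp;
            else if (rc != 0)
                (*rejected)++;              /* bad line, or table already full */
        }
        buf += len;
        if (*buf == '\n')
            buf++;
    }
    return n;
}

/* Constructed sample of sshrc output: the XAUTHORITY line the post's script
 * emits, plus lines that must not reach the user's environment. */
static const char SAMPLE_SSHRC_OUTPUT[] =
    "XAUTHORITY=/tmp/xauth-Ab12Cd34Ef\n"
    "# comment emitted by sshrc\n"
    "\n"
    "LD_PRELOAD=/tmp/x.so\n"
    "not an assignment\n"
    "1BAD=x\n"
    "TZ=UTC\n";

/* Expose the sample's outcome as plain return values. */
int sample_accepted(void)
{
    struct env_assign a[8];
    int rejected;
    return parse_sshrc_output(SAMPLE_SSHRC_OUTPUT, a, 8, &rejected);   /* 2 */
}

int sample_rejected(void)
{
    struct env_assign a[8];
    int rejected;
    parse_sshrc_output(SAMPLE_SSHRC_OUTPUT, a, 8, &rejected);
    return rejected;                                                   /* 3 */
}
```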
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 16 Feb 2005 14:03:07 +1100
Subject: Is it possible to avoid PAM calls for key based Auth methods
In-Reply-To: <20050215161409.GS17068@binky.Central.Sun.COM>
References: <20050215161409.GS17068@binky.Central.Sun.COM>
Message-ID: <4212B7EB.4050208@zip.com.au>

Nicolas Williams wrote:
> You really don't want to do this as this means making modules aware of
> ssh protocol specific details just so you can configure each ssh
> authentication method differently.

Yeah, but not being responsible for the PAM stacks I don't care so much
about that :-) Seriously, this just points out how limited the PAM
configuration mechanism is.

>>- sshd could use different PAM service names for the different auth types.
>> (eg "sshd-public-key", "sshd-password", "sshd-gssapi-with-mic" and fall
>>back to "sshd" if these don't exist. This would probably be tricky to
>>write because you'd have to stop and start PAM for each auth attempt.)
>
> Solaris 10's sshd does this. See:

Will it attempt to fall back to "sshd" if the specific PAM service does
not exist (or do you just end up with "other")?

> The service names it uses are:
>
> - sshd-none
> - sshd-password
> - sshd-kbdint
> - sshd-pubkey
> - sshd-hostbased
> - sshd-gssapi (for both, gssapi-keyex and gssapi-with-mic)
>
> You might want to use those too...

Those do not agree with the defaults in the ssh_config(4) man page (at
least the one online at
http://docs.sun.com/app/docs/doc/816-5174/6mbb98uk5?a=view)

(On an unrelated note I see MaxAuthTries and MaxAuthTriesLog are still
undocumented...)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Wed Feb 16 14:28:03 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 16 Feb 2005 14:28:03 +1100
Subject: SSH and agent article
In-Reply-To: <20050211203359.A17415@obelix.frop.org>
References: <13642DB5C3AEEC4A93B6CF7922919BD8018785D6@smbc-ex1.solihull.gov.uk> <16908.55054.565917.623860@pinhead.lair.fifthhorseman.net> <20050211181211.GC26275@dementia.proulx.com> <20050211203359.A17415@obelix.frop.org>
Message-ID: <4212BDC3.2050907@zip.com.au>

Christian Vogel wrote:
> here is what I used to use for a long time to have only one
> ssh-agent running on my machine(s), so I don't use the spawn-subcommand form :-)

Another alternative is Gentoo's keychain:
http://www.gentoo.org/proj/en/keychain/

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From Nicolas.Williams at sun.com Wed Feb 16 14:37:13 2005
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Tue, 15 Feb 2005 21:37:13 -0600
Subject: Is it possible to avoid PAM calls for key based Auth methods
In-Reply-To: <4212B7EB.4050208@zip.com.au>
References: <20050215161409.GS17068@binky.Central.Sun.COM> <4212B7EB.4050208@zip.com.au>
Message-ID: <20050216033713.GK17068@binky.Central.Sun.COM>

On Wed, Feb 16, 2005 at 02:03:07PM +1100, Darren Tucker wrote:
> Nicolas Williams wrote:
> >You really don't want to do this as this means making modules aware of
> >ssh protocol specific details just so you can configure each ssh
> >authentication method differently.
>
> Yeah, but not being responsible for the PAM stacks I don't care so much
> about that :-) Seriously, this just points out how limited the PAM
> configuration mechanism is.

I don't agree.

> >>- sshd could use different PAM service names for the different auth
> >>types. (eg "sshd-public-key", "sshd-password", "sshd-gssapi-with-mic"
> >> and fall back to "sshd" if these don't exist. This would probably be
> >>tricky to write because you'd have to stop and start PAM for each auth
> >>attempt.)
> >
> >Solaris 10's sshd does this. See:
>
> Will it attempt to fall back to "sshd" if the specific PAM service does
> not exist (or do you just end up with "other")?

PAM doesn't provide a way to detect what services are configured, so it
falls back on "other."

> >The service names it uses are:
> >
> > - sshd-none
> > - sshd-password
> > - sshd-kbdint
> > - sshd-pubkey
> > - sshd-hostbased
> > - sshd-gssapi (for both, gssapi-keyex and gssapi-with-mic)
> >
> >You might want to use those too...
>
> Those do not agree with the defaults in the ssh_config(4) man page (at
> least the one online at
> http://docs.sun.com/app/docs/doc/816-5174/6mbb98uk5?a=view)

sshd_config(4)'s reference to "PamSvcFor*" is incorrect. A man page bug
was filed recently about this. See sshd(1M) instead:

http://docs.sun.com/app/docs/doc/816-5166/6mbb1kqh7?a=view

> (On an unrelated note I see MaxAuthTries and MaxAuthTriesLog are still
> undocumented...)

Indeed. I'll file a bug report.

Nico
--

From senthilkumar_sen at hotpop.com Thu Feb 17 16:34:41 2005
From: senthilkumar_sen at hotpop.com (Senthil Kumar)
Date: Thu, 17 Feb 2005 11:04:41 +0530
Subject: Is it possible to avoid PAM calls for key based Auth methods
References: <20050215161409.GS17068@binky.Central.Sun.COM> <4212B7EB.4050208@zip.com.au> <20050216033713.GK17068@binky.Central.Sun.COM>
Message-ID: <02cc01c514b2$6474af30$220110ac@sekco>

> Darren wrote:
> - sshd could use different PAM service names for the different auth types.
> (eg "sshd-public-key", "sshd-password", "sshd-gssapi-with-mic" and fall
> back to "sshd" if these don't exist. This would probably be tricky to
> write because you'd have to stop and start PAM for each auth attempt.)

> Nicolas wrote:
> The service names it uses are:
> - sshd-none
> - sshd-password
> - sshd-kbdint
> - sshd-pubkey
> - sshd-hostbased
> - sshd-gssapi (for both, gssapi-keyex and gssapi-with-mic)

Thanks for all the directions and pointers. I implemented using a
different PAM service name for those auth modules that fail for key
based auth methods in my system, and now it's working fine for me; I'm
currently reviewing the changes.

Thanks for help,
Senthil Kumar.

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.791 / Virus Database: 535 - Release Date: 11/9/2004

From jdmossh at nand.net Fri Feb 18 04:16:06 2005
From: jdmossh at nand.net (Jeremy Monin)
Date: Thu, 17 Feb 2005 12:16:06 -0500 (EST)
Subject: SFTP batch mode patch

Hi,

We do a lot of automated file transfers with SFTP, and found this small
patch very helpful. The main effect is to tell the underlying SSH client
that it's operating in batch mode. Patch is against 3.9p1.

Thanks,
Jeremy Monin
Sysadmin and open-source developer

diff -ur openssh-3.9p1-orig\sftp.c openssh-3.9p1\sftp.c --- openssh-3.9p1-orig\sftp.c Sat Jul 17 02:12:08 2004 +++ openssh-3.9p1\sftp.c Thu Oct 14 11:39:40 2004 @@ -1420,6 +1420,7 @@ fatal("%s (%s).", strerror(errno), optarg); showprogress = 0; batchmode = 1; + addargs(&args, "-obatchmode yes"); break; case 'P': sftp_direct = optarg; diff -ur openssh-3.9p1-orig\sshconnect.c openssh-3.9p1\sshconnect.c --- openssh-3.9p1-orig\sshconnect.c Mon Jun 21 22:56:02 2004 +++ openssh-3.9p1\sshconnect.c Thu Oct 14 09:02:32 2004 @@ -537,8 +537,11 @@ char *p; int ret = -1; - if (options.batch_mode) + if (options.batch_mode) { + logit(prompt); + logit("Replied NO (batch mode)"); return 0; + } for (msg = prompt;;msg = again) { p = read_passphrase(msg, RP_ECHO); if (p == NULL ||

From selvesteen at gmail.com Fri Feb 18 20:03:15 2005
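Review bot: `logit(prompt);` in the sshconnect.c hunk passes a caller-supplied string as the format argument of a printf-style logging function; the prompt in that function has the remote host name and other text interpolated into it, so any '%' in it would be interpreted as a conversion. Use `logit("%s", prompt);` instead. The sftp.c hunk is fine as is; the commit message should mention that `-b` now also puts the underlying ssh into BatchMode, since that changes how host key and passphrase prompts behave for existing scripts.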
From: selvesteen at gmail.com (Michael Selvesteen)
Date: Fri, 18 Feb 2005 14:33:15 +0530
Subject: OpenSSH and OpenSSL 0.9.7.e with FIPS
In-Reply-To: <4212BDC3.2050907@zip.com.au>
References: <13642DB5C3AEEC4A93B6CF7922919BD8018785D6@smbc-ex1.solihull.gov.uk> <16908.55054.565917.623860@pinhead.lair.fifthhorseman.net> <20050211181211.GC26275@dementia.proulx.com> <20050211203359.A17415@obelix.frop.org> <4212BDC3.2050907@zip.com.au>

Hello All,

I use OpenSSH 3.9 on HP-UX 11vi. I compiled OpenSSL 0.9.7e by enabling
FIPS. I found in the FIPS document that OpenSSL now contains the FIPS 140
specific cryptographic API and algorithm implementations only; i.e. the
API for low level algorithms (RSA, AES, 3DES, DSA, SHA-1). Does it have
any functional impact on SSH?

Will all the encryption algorithms used by SSH continue to work when FIPS
is enabled in OpenSSL?

Could someone kindly shed light on this?

Thanks for the help
Michael

From marquess at oss-institute.org Sat Feb 19 04:45:53 2005
From: marquess at oss-institute.org (Steve Marquess)
Date: Fri, 18 Feb 2005 11:45:53 -0600
Subject: OpenSSH and OpenSSL 0.9.7.e with FIPS
Message-ID: <421629D1.4080700@oss-institute.org>

Michael Selvesteen wrote:
>I use OpenSSH 3.9 on HP-UX 11vi. I compiled OpenSSL 0.9.7e by enabling
>FIPS. I found in the FIPS document that OpenSSL now contains the
>FIPS 140 specific cryptographic API and algorithm implementations
>only; i.e. the API for low level algorithms (RSA, AES, 3DES, DSA,
>SHA-1). Does it have any functional impacts on SSH.
>
>Will all the encryption algorithm used by SSH continue to work when
>FIPS is enabled in OpenSSL.

Check the openssh-unix-dev archives around the June 2004 timeframe for a
patch and discussion on a FIPS mode OpenSSH. Note that the FIPS mode
OpenSSL validation is *still* pending.

-Steve M.

Steve Marquess
Veridical Systems, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
301-524-9915 cell (weekdays)
301-831-8447 landline/fax
marquess at veridicalsystems.com
marquess at oss-institute.org

From vinschen at redhat.com Sat Feb 19 21:45:09 2005
From: vinschen at redhat.com (Corinna Vinschen) Date: Sat, 19 Feb 2005 11:45:09 +0100 Subject: [PATCH]: uidswap.c: Drop uid 0 check on Cygwin Message-ID: <20050219104509.GK18314@cygbert.vinschen.de> Hi, the below patch drops another test for uid 0 on Cygwin. It's embarassing that I never found it. Actually temporarily_use_uid never worked on Cygwin due to that. So far that had no influence, but now that we have activated another feature which makes Cygwin more POSIX-like, somebody on the Cygwin list found that agent forwarding didn't work anymore. The reason is that due to the uid == 0 check in temporarily_use_uid, the user account is not temporarily switched before creating the forwarded agent socket, which then is owned by the account running sshd instead of the account which is going to log in. The below patch fixes that. Could somebody please check it in? I guess I asked this question already at least twice, but would it hurt OpenSSH badly if it would drop the tests for uid == 0 and instead call a function which checks the current account for being a privilieged account? This could be very simple on most UNIX derivates like this: int privileged_user () { return geteuid () == 0; } and much more complicated on systems needing that. On Cygwin we could check for the SE_CREATE_TOKEN_NAME privilege in the current access token on NT and just return 1 on 9x systems. The advantage would be that we could remove lots of #ifdef stuff which is just there because of these non-portable uid == 0 tests. I would be willing to submit a patch for this, provided that it has a chance for inclusion. Corinna Index: uidswap.c =================================================================== RCS file: /cvs/openssh_cvs/uidswap.c,v retrieving revision 1.45 diff -p -u -r1.45 uidswap.c --- uidswap.c 19 Oct 2004 06:33:33 -0000 1.45 +++ uidswap.c 19 Feb 2005 10:33:38 -0000 
@@ -56,10 +56,12 @@ temporarily_use_uid(struct passwd *pw) debug("temporarily_use_uid: %u/%u (e=%u/%u)", (u_int)pw->pw_uid, (u_int)pw->pw_gid, (u_int)saved_euid, (u_int)saved_egid); +#ifndef HAVE_CYGWIN if (saved_euid != 0) { privileged = 0; return; } +#endif #else if (geteuid() != 0) { privileged = 0; -- Corinna Vinschen Cygwin Project Co-Leader Red Hat, Inc. From djm at mindrot.org Mon Feb 21 09:57:12 2005 From: djm at mindrot.org (Damien Miller) Date: Mon, 21 Feb 2005 09:57:12 +1100 Subject: SFTP batch mode patch In-Reply-To: References: Message-ID: <421915C8.5040304@mindrot.org> Jeremy Monin wrote: > Hi, > > We do a lot of automated file transfers with SFTP, and found this small > patch very helpful. The main effect is to tell the underlying SSH client > that it's operating in batch mode. Patch is against 3.9p1. Thanks, the first part of the patch has been applied and will be in the next release. > diff -ur openssh-3.9p1-orig\sftp.c openssh-3.9p1\sftp.c > --- openssh-3.9p1-orig\sftp.c Sat Jul 17 02:12:08 2004 > +++ openssh-3.9p1\sftp.c Thu Oct 14 11:39:40 2004 > @@ -1420,6 +1420,7 @@ > fatal("%s (%s).", strerror(errno), optarg); > showprogress = 0; > batchmode = 1; > + addargs(&args, "-obatchmode yes"); > break; > case 'P': > sftp_direct = optarg; Regards, Damien Miller From Peter_Losher at isc.org Mon Feb 21 14:59:14 2005 
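Review bot: wrapping the `if (saved_euid != 0)` test in `#ifndef HAVE_CYGWIN` adds one more of the platform-specific uid == 0 special cases that the cover text itself proposes to retire; a single `privileged_user()`-style predicate used both here and in the `#else` branch's `geteuid() != 0` test would make the two paths read the same and remove the ifdef. Also, with the block skipped on Cygwin, `privileged` keeps whatever value it had and the early `return` is gone, so the rest of temporarily_use_uid() now runs for a non-privileged sshd as well; a one-line comment at the `#ifndef` saying why attempting the uid switch unconditionally is safe on Cygwin would save the next reader from wondering.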
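Review bot: the new `addargs(&args, "-obatchmode yes");` in the `-b` case changes the observable behaviour of the ssh child (it will no longer prompt for a password or passphrase and will fail instead of waiting on input), so the sftp(1) description of `-b` should state that BatchMode is forced on the underlying ssh. Passing keyword and value in one argv element relies on ssh's `-o` parser accepting a space-separated `keyword value` inside a single argument; if that is intended, a short comment saying so prevents a later "fix" that splits it, and `"-oBatchMode yes"` with the canonical capitalisation is easier to match against ssh_config and log output.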
From: Peter_Losher at isc.org (Peter Losher) Date: Sun, 20 Feb 2005 19:59:14 -0800 Subject: OpenSSH+GSSAPI & HP/UX 11i... Message-ID: <42195C92.4050603@isc.org> I am trying to transition several HP/UX 11i (PA/RISC) servers from ssh.com over to OpenSSH+GSSAPI (3.9p1) and it's complaining about the GSSAPI include files: -=- gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/usr/local/ssl/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -I/usr/local/krb5/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c gss-genr.c In file included from ssh-gss.h:44, from monitor_wrap.h:60, from gss-genr.c:35: /usr/local/krb5/include/gssapi/gssapi_generic.h:46: error: syntax error before "extern" /usr/local/krb5/include/gssapi/gssapi_generic.h:47: error: syntax error before "extern" /usr/local/krb5/include/gssapi/gssapi_generic.h:48: error: syntax error before "extern" /usr/local/krb5/include/gssapi/gssapi_generic.h:50: error: syntax error before "extern" gmake: *** [gss-genr.o] Error 1 -=- The compiler is gcc 3.4.0, the Krb5 install is MIT-Krb5 1.3.6. Has anyone encountered this and is this a bug? (none of the other platforms I use have encountered this, so this may also be a gcc bug) Best Wishes - Peter -- Peter_Losher at isc.org | ISC | OpenPGP 0xE8048D08 | "The bits must flow" From dtucker at zip.com.au Mon Feb 21 16:05:52 2005
From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 21 Feb 2005 16:05:52 +1100 Subject: OpenSSH+GSSAPI & HP/UX 11i... In-Reply-To: <42195C92.4050603@isc.org> References: <42195C92.4050603@isc.org> Message-ID: <42196C30.5080406@zip.com.au> Peter Losher wrote: > I am trying to transition several HP/UX 11i (PA/RISC) servers from > ssh.com over to OpenSSH+GSSAPI (3.9p1) and it's complaining about the > GSSAPI include files: There was a compile error or two on HP-UX fixed since the 3.9p1 release. Could you please see if the problem is still present in a snapshot[1]? If that works, I'll backport the relevant fixes. [1] ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/ -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From Peter_Losher at isc.org Mon Feb 21 16:38:11 2005 
From: Peter_Losher at isc.org (Peter Losher) Date: Sun, 20 Feb 2005 21:38:11 -0800 Subject: OpenSSH+GSSAPI & HP/UX 11i... In-Reply-To: <42196C30.5080406@zip.com.au> References: <42195C92.4050603@isc.org> <42196C30.5080406@zip.com.au> Message-ID: <421973C3.4010203@isc.org> Darren Tucker wrote: > Peter Losher wrote: > >>I am trying to transition several HP/UX 11i (PA/RISC) servers from >>ssh.com over to OpenSSH+GSSAPI (3.9p1) and it's complaining about the >>GSSAPI include files: > > > There was a compile error or two on HP-UX fixed since the 3.9p1 release. > Could you please see if the problem is still present in a snapshot[1]? If > that works, I'll backport the relevant fixes. > > [1] ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/ Downloaded openssh-SNAP-20050221.tar.gz, and the same error appears: -=- gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/usr/local/ssl/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -I/usr/local/krb5/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c gss-genr.c In file included from ssh-gss.h:44, from monitor_wrap.h:60, from gss-genr.c:35: /usr/local/krb5/include/gssapi/gssapi_generic.h:46: error: syntax error before "extern" /usr/local/krb5/include/gssapi/gssapi_generic.h:47: error: syntax error before "extern" /usr/local/krb5/include/gssapi/gssapi_generic.h:48: error: syntax error before "extern" /usr/local/krb5/include/gssapi/gssapi_generic.h:50: error: syntax error before "extern" gmake: *** [gss-genr.o] Error 1 $ pwd /tmp/openssl -=- -Peter -- Peter_Losher at isc.org | ISC | OpenPGP 0xE8048D08 | "The bits must flow"
From logsnaath at gmx.net Mon Feb 21 16:38:12 2005 From: logsnaath at gmx.net (Logu) Date: Mon, 21 Feb 2005 11:08:12 +0530 Subject: OpenSSH+GSSAPI & HP/UX 11i... References: <42195C92.4050603@isc.org> Message-ID: <015001c517d7$98b78a60$140110ac@loguco> Peter, A pre-compiled SSH Depot which is compiled with gssapi support is available from the following link, you can give it a try http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA Use swinstall utility to install the depot. --logu From dtucker at zip.com.au Mon Feb 21 18:24:55 2005
From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 21 Feb 2005 18:24:55 +1100 Subject: OpenSSH+GSSAPI & HP/UX 11i... In-Reply-To: <421973C3.4010203@isc.org> References: <42195C92.4050603@isc.org> <42196C30.5080406@zip.com.au> <421973C3.4010203@isc.org> Message-ID: <42198CC7.4040601@zip.com.au> Peter Losher wrote: > Downloaded openssh-SNAP-20050221.tar.gz, and the same error appears: Sigh. HP-UX 11.11 has /usr/include/gssapi.h as well as the local one you're trying to use. Basically, you have conflicting headers and in configure's attempt to handle the inconsistency in the gssapi header locations between platforms/implementations it gets fooled. As a quick fix, either use the native gssapi (if suitable) or comment out "#define HAVE_GSSAPI_H 1" in config.h and rebuild. Not sure what to do about this for the long term... -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From finlay.dobbie at gmail.com Mon Feb 21 22:32:29 2005 
From: finlay.dobbie at gmail.com (Finlay Dobbie) Date: Mon, 21 Feb 2005 11:32:29 +0000 Subject: Multiple servers, restricting user commands and LDAP Message-ID: I have a set-up of 3 servers at disparate geographical locations. Server 1 provides web services, and users should be able to use sftp only. Admins should be able to get shells. Server 2 provides CVS services, and users should be able to use cvs only. Admins should be able to get shells. Server 3 provides shell services for all users. There appears to be no easy way of implementing this within the current OpenSSH system. At this point in time, for various reasons, each server maintains its own authentication database, which are periodically regenerated from a master SQL database of users and groups (and other stuff). Another set of scripts generate .ssh/authorized_keys files and rsync them about, creating the correct command= and so on for each user based on their relative privileges and the host in question. For obvious reasons, this is nasty. I am pushing towards moving everything over to LDAP for authentication and user information. This includes the public keys, and in fact we have taken over the hosting of the OpenSSH-LPK project[1] and I plan on contributing resources towards that end (we've started using our own schema, I'm writing up an Internet-Draft on it, etc). Basically, I was wondering if anybody had any input on this situation, what they'd like to see from any OpenSSH/LDAP integration, and that kind of thing. It seems that the command= shouldn't necessarily only be coupled to keys, no? Has anybody dealt with a similar situation? [1] http://www.opendarwin.org/projects/openssh-lpk/ -- Finlay From djm at mindrot.org Tue Feb 22 07:33:19 2005
From: djm at mindrot.org (Damien Miller) Date: Tue, 22 Feb 2005 07:33:19 +1100 Subject: Multiple servers, restricting user commands and LDAP In-Reply-To: References: Message-ID: <421A458F.3020504@mindrot.org> Finlay Dobbie wrote: > Basically, I was wondering if anybody had any input on this situation, > what they'd like to see from any OpenSSH/LDAP integration, and that > kind of thing. It seems that the command= shouldn't necessarily only > be coupled to keys, no? If you want users to be forced to use a specific command, rather than just forcing a command on a particular key, then you can just make the command the user's login shell. -d From djm at mindrot.org Tue Feb 22 07:42:43 2005 From: djm at mindrot.org (Damien Miller) Date: Tue, 22 Feb 2005 07:42:43 +1100 Subject: Multiple servers, restricting user commands and LDAP In-Reply-To: <3de50f48a2200c6bcb068b093158a4b5@dobbie.net> References: <421A458F.3020504@mindrot.org> <3de50f48a2200c6bcb068b093158a4b5@dobbie.net> Message-ID: <421A47C3.4050001@mindrot.org> Finlay Dobbie wrote: > > On 21 Feb 2005, at 20:33, Damien Miller wrote: >> If you want users to be forced to use a specific command, rather than >> just forcing a command on a particular key, then you can just make the >> command the user's login shell. > > And how exactly do I do that if I want to centralise all the user data > in a single repository? If you are using LDAP, then set posixAccount/loginShell appropriately. From finlay at dobbie.net Tue Feb 22 07:36:23 2005 
From: finlay at dobbie.net (Finlay Dobbie) Date: Mon, 21 Feb 2005 20:36:23 +0000 Subject: Multiple servers, restricting user commands and LDAP In-Reply-To: <421A458F.3020504@mindrot.org> References: <421A458F.3020504@mindrot.org> Message-ID: <3de50f48a2200c6bcb068b093158a4b5@dobbie.net> On 21 Feb 2005, at 20:33, Damien Miller wrote: > Finlay Dobbie wrote: > >> Basically, I was wondering if anybody had any input on this situation, >> what they'd like to see from any OpenSSH/LDAP integration, and that >> kind of thing. It seems that the command= shouldn't necessarily only >> be coupled to keys, no? > > If you want users to be forced to use a specific command, rather than > just forcing a command on a particular key, then you can just make the > command the user's login shell. And how exactly do I do that if I want to centralise all the user data in a single repository? -- Finlay From djm at mindrot.org Tue Feb 22 07:56:45 2005 
From: djm at mindrot.org (Damien Miller) Date: Tue, 22 Feb 2005 07:56:45 +1100 Subject: Multiple servers, restricting user commands and LDAP In-Reply-To: References: <421A458F.3020504@mindrot.org> <3de50f48a2200c6bcb068b093158a4b5@dobbie.net> <421A47C3.4050001@mindrot.org> Message-ID: <421A4B0D.4030409@mindrot.org> Finlay Dobbie wrote: > > On 21 Feb 2005, at 20:42, Damien Miller wrote: >> If you are using LDAP, then set posixAccount/loginShell appropriately. > > I know how to set a user's shell using the NIS schema. I don't see how > that helps me, since I need to have different restricted commands for > different hosts. If I could restrict commands by group then that'd be > dandy. You could have the same shell name map to different restrictions on each host. Trivially, by symlinking the shell to the binary you want to run (e.g. /usr/bin/cvs) or, if you wanted to be fancy, you could make that restricted shell look up the actual commands it is supposed to execute in LDAP too. That way the user would get a consistent response regardless of the method by which they logged in. -d From Peter_Losher at isc.org Tue Feb 22 09:30:03 2005
From: Peter_Losher at isc.org (Peter Losher) Date: Mon, 21 Feb 2005 14:30:03 -0800 Subject: OpenSSH+GSSAPI & HP/UX 11i... In-Reply-To: <42198CC7.4040601@zip.com.au> References: <42195C92.4050603@isc.org> <42196C30.5080406@zip.com.au> <421973C3.4010203@isc.org> <42198CC7.4040601@zip.com.au> Message-ID: <421A60EB.5080904@isc.org> Darren Tucker wrote: > Peter Losher wrote: > >> Downloaded openssh-SNAP-20050221.tar.gz, and the same error appears: > > Sigh. HP-UX 11.11 has /usr/include/gssapi.h as well as the local one > you're trying to use. Basically, you have conflicting headers and in > configure's attempt to handle the inconsistency in the gssapi header > locations between platforms/implementations it gets fooled. And GSSAPI support is core to HP/UX, so you just swremove it :( > As a quick fix, either use the native gssapi (if suitable) or comment > out "#define HAVE_GSSAPI_H 1" in config.h and rebuild. Thanks, that did the trick; I'll add it to my build notes. BTW Logu - thanks for pointing out the pre-compiled .depot; I would have probably used it if this hadn't worked out. :) Thanks again for all your help - Peter -- Peter_Losher at isc.org | ISC | OpenPGP 0xE8048D08 | "The bits must flow" From lionel.bucaille at caissedesdepots.fr Tue Feb 22 21:20:36 2005
From: lionel.bucaille at caissedesdepots.fr (Bucaille, Lionel) Date: Tue, 22 Feb 2005 11:20:36 +0100 Subject: 3.8.1p1 option "permitopennet" added Message-ID: Hello, I send you a small patch about a "new" option called "permitopennet". The behaviour is the same as "permitopen" except the accept/deny statement is based on this syntax : "netblock/netmask:porta[-portb]". Moreover, I also added some useful log lines : the uid is logged while doing port forwarding. Sample conf : permitopennet="158.156.156.128/255.255.255.128:25-1024" ssh-dss AAAAB3NzaC1kc3MAAACAbAehy7ov+HQvaSalGdJaNA3YAunrEIT3sqNqqs8CVIAgv2p ... Logs : eym59365 (uid:620) requests to connect to host 158.156.156.70 port 80, but the request was denied. eym59365 (uid:620) requests to connect to host 158.156.156.251 port 80, and the request was accepted. Waiting for your remarks or comments. Lionel. Ce message et toutes les pieces jointes (ci-apres le < message >) sont confidentiels et etablis a l'intention exclusive de ses destinataires. Toute utilisation de ce message non conforme a sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse. Si vous recevez ce message par erreur, merci de le detruire sans en conserver de copie et d'en avertir immediatement l'expediteur. Internet ne permettant pas de garantir l'integrite de ce message, la Caisse des depots et consignations decline toute responsabilite au titre de ce message s'il a ete modifie, altere, deforme ou falsifie. This message and any attachments (the < message >) are confidential and intended solely for the addresses. Any use not in accord with its purpose, any dissemination or disclosure, either whole or partial, is prohibited without formal approval. If you receive this message in error, please delete it without storing any evidence and immediately notify the sender. 
Internet can not guarantee the integrity of this message, neither shall Caisse des depots et consignations be liable for the message if modified, altered, changed or falsified. From lionel.bucaille at caissedesdepots.fr Wed Feb 23 00:54:35 2005 From: lionel.bucaille at caissedesdepots.fr (Bucaille, Lionel) Date: Tue, 22 Feb 2005 14:54:35 +0100 Subject: TR: 3.8.1p1 option "permitopennet" added Message-ID: Patch is below : diff -nru openssh-3.8.1p1/auth-options.c openssh-3.8.1p1-devs//auth-options.c --- openssh-3.8.1p1/auth-options.c Tue Jun 3 02:25:48 2003 +++ openssh-3.8.1p1-devs//auth-options.c Mon Feb 21 16:56:49 2005 
@@ -265,6 +265,81 @@ xfree(patterns); goto next_option; } + +/* e.g: permitopenned="158.156.0.0/255.255.255.0:25[-1024]" + * note that part between [] is optionnal for 1 port specification + */ + cp = "permitopennet=\""; + if (strncasecmp(opts, cp, strlen(cp)) == 0) { + char netblock[256], netmask[256], + sporta[6], sportb[6]; + u_short porta, portb; + + char *patterns = xmalloc(strlen(opts) + 1); + netblock[0] = netmask[0] = sporta[0] = sportb[0] = 0; + porta = portb = 0; + + opts += strlen(cp); + i = 0; + while (*opts) { + if (*opts == '"') + break; + if (*opts == '\\' && opts[1] == '"') { + opts += 2; + patterns[i++] = '"'; + continue; + } + patterns[i++] = *opts++; + } + if (!*opts) { + debug("%.100s, line %lu: missing end quote", + file, linenum); + auth_debug_add("%.100s, line %lu: missing end quote", + file, linenum); + xfree(patterns); + goto bad_option; + } + patterns[i] = 0; + opts++; + + if (sscanf(patterns, "%255[^:/]/%255[^:]:%5[0-9]-%5[0-9]", netblock, netmask , sporta, sportb) != 4 && + sscanf(patterns, "%255[^:/]/%255[^:]:%5[0-9]", netblock, netmask , sporta) != 3 ) { + debug("%.100s, line %lu: Bad permitopennet specification " + "<%.100s>", file, linenum, patterns); + auth_debug_add("%.100s, line %lu: " + "Bad permitopennet specification", file, linenum); + xfree(patterns); + goto bad_option; + } + + if ((porta = a2port(sporta)) == 0) { + debug("%.100s, line %lu: Bad permitopen port <%.100s>", + file, linenum, sporta); + auth_debug_add("%.100s, line %lu: " + "Bad permitopennet port a", file, linenum); + xfree(patterns); + goto bad_option; + } + + if ( *sportb && ((portb = a2port(sportb)) == 0)) { + debug("%.100s, line %lu: Bad permitopen port <%.100s>", + file, linenum, sportb); + auth_debug_add("%.100s, line %lu: " + "Bad permitopennet port b", file, linenum); + xfree(patterns); + goto bad_option; + } + + auth_debug_add("%.100s, line %lu: " + "permitopennet specification : %s/%s : %d %d", file, linenum, + netblock, netmask, porta, portb); + + if 
(options.allow_tcp_forwarding) + channel_add_permittednet_opens(netblock, netmask, porta, portb); + + xfree(patterns); + goto next_option; + } next_option: /* * Skip the comma, and move to the next option diff -nru openssh-3.8.1p1/channels.c openssh-3.8.1p1-devs//channels.c --- openssh-3.8.1p1/channels.c Wed Jan 21 01:02:09 2004 +++ openssh-3.8.1p1-devs//channels.c Tue Feb 22 10:36:55 2005 @@ -55,6 +55,7 @@ #include "authfd.h" #include "pathnames.h" #include "bufaux.h" +#include "auth.h" /* -- channel core */ @@ -91,11 +92,27 @@ u_short listen_port; /* Remote side should listen port number. */ } ForwardPermission; +/* That structure _only_ stocks authorized permitopennet demands + * A ForwardPermission entry is added at each incoming connexion + * in "permitted_opens" array + */ +typedef struct { + struct in_addr * netblock_to_connect; + struct in_addr * netmask_to_connect; + u_short porta_to_connect; + u_short portb_to_connect; +} ForwardNetPermission; + /* List of all permitted host/port pairs to connect. */ static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION]; +/* List of all permitted netblock/portblock pairs to connect. */ +static ForwardNetPermission permittednet_opens[SSH_MAX_FORWARDS_PER_DIRECTION]; + /* Number of permitted host/port pairs in the array. */ static int num_permitted_opens = 0; +/* Number of permitted netblock/portblock pairs in the array. */ +static int num_permittednet_opens = 0; /* * If this is true, all opens are permitted. This is the case on the server * on which we have to trust the client anyway, and the user could do @@ -2110,7 +2127,7 @@ originator_string = xstrdup("unknown (remote did not supply name)"); } packet_check_eom(); - sock = channel_connect_to(host, host_port); + sock = channel_connect_to(host, host_port, ctxt); if (sock != -1) { c = channel_new("connected socket", SSH_CHANNEL_CONNECTING, sock, sock, -1, 0, 0, 0, 
@@ -2349,7 +2366,7 @@ void channel_permit_all_opens(void) { - if (num_permitted_opens == 0) + if (num_permitted_opens == 0 && num_permittednet_opens == 0) all_opens_permitted = 1; } @@ -2368,6 +2385,35 @@ } void +channel_add_permittednet_opens(char *netblock, char *netmask, int porta, int portb) +{ + /* XXX this does not make any sens */ + if (num_permittednet_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) + fatal("channel_request_remote_forwarding: too many forwards"); + + if (portb) debug("allow port forwarding to netblock %s/%s port %d-%d", netblock,netmask, porta, portb); + else debug("allow port forwarding to netblock %s/%s port %d", netblock,netmask, porta); + + /* Continue if conversion fails - checked while parsing option ... + Note that "permitted_opens" array int not affected */ + + permittednet_opens[num_permittednet_opens].netblock_to_connect = (struct in_addr *)malloc(sizeof(struct in_addr)); + permittednet_opens[num_permittednet_opens].netmask_to_connect = (struct in_addr *)malloc(sizeof(struct in_addr)); + + if (! inet_aton(netblock, permittednet_opens[num_permittednet_opens].netblock_to_connect)) + error("channel_add_permittednet_opens: pbm while converting netblock [%s]", netblock); + + if (! inet_aton(netmask, permittednet_opens[num_permittednet_opens].netmask_to_connect)) + error("channel_add_permittednet_opens: pbm while converting netmask [%s]", netmask); + + permittednet_opens[num_permittednet_opens].porta_to_connect = porta; + permittednet_opens[num_permittednet_opens].portb_to_connect = portb; + num_permittednet_opens++; + + all_opens_permitted = 0; +} + +void channel_clear_permitted_opens(void) { int i; @@ -2374,6 +2420,10 @@ for (i = 0; i < num_permitted_opens; i++) xfree(permitted_opens[i].host_to_connect); + for (i = 0; i < num_permittednet_opens; i++) { + xfree(permittednet_opens[i].netblock_to_connect); + xfree(permittednet_opens[i].netmask_to_connect); + } num_permitted_opens = 0; } 
@@ -2452,23 +2502,52 @@ /* Check if connecting to that port is permitted and connect. */ int -channel_connect_to(const char *host, u_short port) +channel_connect_to(const char *host, u_short port, void * a_ctxt) { int i, permit; + struct in_addr *host_dst; + Authctxt * ctxt = a_ctxt; + struct passwd *pw = ctxt->pw; permit = all_opens_permitted; if (!permit) { - for (i = 0; i < num_permitted_opens; i++) + /* check against "permitopen" option */ + for (i = 0; i < num_permitted_opens && !permit; i++) if (permitted_opens[i].port_to_connect == port && strcmp(permitted_opens[i].host_to_connect, host) == 0) permit = 1; - } if (!permit) { - logit("Received request to connect to host %.100s port %d, " - "but the request was denied.", host, port); + /* last check : against "permitopennet" option */ + host_dst = (struct in_addr *)malloc(sizeof(struct in_addr)); + if (inet_aton(host, host_dst)) { + for (i = 0 ; i < num_permittednet_opens && !permit ; i++) { + if ((host_dst->s_addr & permittednet_opens[i].netmask_to_connect->s_addr) == + permittednet_opens[i].netblock_to_connect->s_addr) { + if ((permittednet_opens[i].porta_to_connect && permittednet_opens[i].portb_to_connect && + port >= permittednet_opens[i].porta_to_connect && + port <= permittednet_opens[i].portb_to_connect) || + (!permittednet_opens[i].portb_to_connect && + permittednet_opens[i].porta_to_connect == port)) { + channel_add_permitted_opens(host,port); + permit = 1; + } + } + } + xfree(host_dst); + } + } + if (!permit) { + if (pw && ctxt->valid) + logit("%s (uid:%d) requests to connect to host %.100s port %d, " + "but the request was denied.",ctxt->pw->pw_name,ctxt->pw->pw_uid, host, port); return -1; } + + if (pw && ctxt->valid) + logit("%s (uid:%d) requests to connect to host %.100s port %d, " + "and the request was accepted.",ctxt->pw->pw_name,ctxt->pw->pw_uid, host, port); + return connect_to(host, port); } diff -nru openssh-3.8.1p1/channels.h openssh-3.8.1p1-devs//channels.h --- openssh-3.8.1p1/channels.h 
Thu Oct 2 08:17:00 2003 +++ openssh-3.8.1p1-devs//channels.h Mon Feb 21 17:09:18 2005 @@ -195,9 +195,10 @@ void channel_set_af(int af); void channel_permit_all_opens(void); void channel_add_permitted_opens(char *, int); +void channel_add_permittednet_opens(char *, char *, int, int); void channel_clear_permitted_opens(void); void channel_input_port_forward_request(int, int); -int channel_connect_to(const char *, u_short); +int channel_connect_to(const char *, u_short, void *); int channel_connect_by_listen_address(u_short); void channel_request_remote_forwarding(u_short, const char *, u_short); int channel_setup_local_fwd_listener(u_short, const char *, u_short, int); diff -nru openssh-3.8.1p1/serverloop.c openssh-3.8.1p1-devs//serverloop.c --- openssh-3.8.1p1/serverloop.c Wed Jan 21 01:02:50 2004 +++ openssh-3.8.1p1-devs//serverloop.c Mon Feb 21 11:33:13 2005 
@@ -867,7 +867,7 @@ originator, originator_port, target, target_port); /* XXX check permission */ - sock = channel_connect_to(target, target_port); + sock = channel_connect_to(target, target_port, the_authctxt); xfree(target); xfree(originator); if (sock < 0)
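Review bot: in the auth-options.c hunk the parsed rule is never sanity-checked: nothing enforces `porta <= portb`, and nothing verifies that `netblock` has no host bits set outside `netmask`, so a rule such as `158.156.156.130/255.255.255.128:1024-25` parses cleanly and can never match anything. Reject both cases at parse time with the existing "Bad permitopennet specification" debug path (or normalise with `netblock &= netmask` before calling channel_add_permittednet_opens()). The two `debug("... Bad permitopen port <%.100s>")` lines should say permitopennet so log readers can tell which option failed, and the block comment spells the option `permitopenned` and `optionnal`.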
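Review bot: channel_add_permittednet_opens() stores the rule even when `inet_aton()` fails: the two `error()` calls neither return nor skip, so a rule whose netblock or netmask did not parse is kept with an uninitialised `struct in_addr`, `num_permittednet_opens` is still incremented, and that garbage value later takes part in the address comparison. Either `fatal()` there (this is administrator-written authorized_keys configuration, consistent with the `fatal()` used for the array-full case just above) or free the two buffers and return without incrementing. The two unchecked `malloc()` calls should be `xmalloc()` like the rest of the file (they are released with `xfree()` in channel_clear_permitted_opens()), or better, ForwardNetPermission should hold both addresses by value so no allocation is needed at all. The `fatal()` message still says `channel_request_remote_forwarding`, and the `/* XXX this does not make any sens */` comment should say what it is questioning or go.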
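Review bot: the channel_clear_permitted_opens() hunk frees the permittednet_opens entries but never resets `num_permittednet_opens` to 0 (only the existing `num_permitted_opens = 0;` is there), so the next call frees the same pointers again, channel_connect_to() keeps comparing against freed memory in between, and channel_permit_all_opens() still sees a non-zero count. Add `num_permittednet_opens = 0;` beside the existing reset.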
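Review bot: channel_connect_to() dereferences `ctxt->pw` before any check that `a_ctxt` is non-NULL or is actually an Authctxt; the value is the opaque dispatcher argument handed through from channel_input_port_open(), so any caller that passes NULL or a different context type crashes here. Test `ctxt != NULL` first, and consider declaring the parameter as `Authctxt *` in channels.h rather than `void *` so the compiler enforces it. Three more points in the same hunk: (a) when `pw` or `ctxt->valid` is unset the denial is no longer logged at all, whereas the removed `logit("Received request to connect to host ...")` was unconditional; keep one unconditional log line and make only the `(uid:%d)` part conditional; (b) `host_dst` is an unchecked `malloc()` whose result goes straight into `inet_aton()`, and a stack `struct in_addr` would do; (c) each destination accepted by a net rule is copied into permitted_opens[] via channel_add_permitted_opens(host, port), a fixed-size array of SSH_MAX_FORWARDS_PER_DIRECTION entries (see the static declaration in the earlier hunk), so a long session to many distinct permitted addresses fills it; the net-rule test is cheap enough that this cache can simply be dropped.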
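The `netblock/netmask:porta[-portb]` matching that the permitopennet message describes, as an added example written for this review and not part of Lionel's patch or of OpenSSH: it parses one specification, rejects the malformed forms the patch accepts silently (reversed range, host bits outside the mask, non-contiguous mask, trailing junk) and checks a destination address and port against it. It uses `inet_pton()` rather than the patch's `inet_aton()` so only dotted-quad literals are accepted; the rule and the two addresses are the ones from the sample configuration and log lines above.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* One parsed rule. Addresses are held by value; a single port is
 * stored as porta == portb so the match test has one shape. */
typedef struct {
    struct in_addr net;
    struct in_addr mask;
    unsigned short porta;
    unsigned short portb;
} NetPermit;

/* Strict port parser: decimal 1..65535 and nothing else. */
static int parse_port(const char *s, unsigned short *out)
{
    char *end;
    long v;

    if (*s == '\0')
        return 0;
    v = strtol(s, &end, 10);
    if (*end != '\0' || v < 1 || v > 65535)
        return 0;
    *out = (unsigned short)v;
    return 1;
}

/* Parse "netblock/netmask:porta[-portb]". Returns 1 on success, 0 on
 * any malformed form (the patch accepts several of these silently). */
int parse_permitopennet(const char *spec, NetPermit *r)
{
    char net[32], mask[32], ports[16], *dash;
    int consumed = 0;
    uint32_t m;

    /* In "[0-9-]" the trailing '-' is a literal dash. %n catches trailing junk. */
    if (sscanf(spec, "%31[^/]/%31[^:]:%15[0-9-]%n", net, mask, ports, &consumed) != 3
        || spec[consumed] != '\0')
        return 0;
    /* inet_pton() accepts only dotted quads, unlike inet_aton()'s shorthands. */
    if (inet_pton(AF_INET, net, &r->net) != 1 || inet_pton(AF_INET, mask, &r->mask) != 1)
        return 0;

    /* The mask must be a run of ones followed by zeros. */
    m = ntohl(r->mask.s_addr);
    if ((~m & (~m + 1)) != 0)
        return 0;
    /* The netblock must not carry host bits, or the rule could never match. */
    if ((r->net.s_addr & r->mask.s_addr) != r->net.s_addr)
        return 0;

    dash = strchr(ports, '-');
    if (dash)
        *dash = '\0';
    if (!parse_port(ports, &r->porta) || !parse_port(dash ? dash + 1 : ports, &r->portb))
        return 0;
    if (r->portb < r->porta)        /* a reversed range would never match */
        return 0;
    return 1;
}

/* Does any rule permit host:port?  `host` must be a literal IPv4 address:
 * the caller resolves names first so the check is made on the address
 * that will actually be connected to. */
int netpermit_allows(const NetPermit *rules, size_t nrules, const char *host, unsigned short port)
{
    struct in_addr a;
    size_t i;

    if (inet_pton(AF_INET, host, &a) != 1)
        return 0;
    for (i = 0; i < nrules; i++)
        if ((a.s_addr & rules[i].mask.s_addr) == rules[i].net.s_addr
            && port >= rules[i].porta && port <= rules[i].portb)
            return 1;
    return 0;
}

/* Convenience wrapper: -1 for a bad rule, otherwise 0 (denied) or 1 (permitted). */
int permitopennet_check(const char *spec, const char *host, unsigned short port)
{
    NetPermit r;

    if (!parse_permitopennet(spec, &r))
        return -1;
    return netpermit_allows(&r, 1, host, port);
}

int main(void)
{
    /* Rule and destinations taken from the sample configuration and log lines above. */
    const char *rule = "158.156.156.128/255.255.255.128:25-1024";

    printf("158.156.156.70:80  -> %d (expect 0, denied)\n", permitopennet_check(rule, "158.156.156.70", 80));
    printf("158.156.156.251:80 -> %d (expect 1, accepted)\n", permitopennet_check(rule, "158.156.156.251", 80));
    printf("host bits in netblock -> %d (expect -1, rejected rule)\n",
           permitopennet_check("158.156.156.130/255.255.255.128:25", "158.156.156.130", 25));
    return 0;
}
```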
From alek at ast.lmco.com Wed Feb 23 04:09:52 2005 From: alek at ast.lmco.com (Alek O. Komarnitsky (N-CSC)) Date: Tue, 22 Feb 2005 10:09:52 -0700 (MST) Subject: Possible bug in openssh parsing of hosts.equiv for netgroups? Message-ID: <200502221709.KAA25335@hulk.ast.lmco.com> Open-SSH'ers, I just noticed that ssh doesn't parse hosts.equiv the same as rsh. I set up a usertest user on targethost, and then su'ed to usertest on sourcehost. I put this in targethost's /etc/hosts.equiv + -usertest + @trusted-hosts (all hosts are rolled up into this netgroup) this should disallow usertest from rsh'ing into targethost from all hosts, but then allow any other users to rsh into targethost without a password as long as they have a login on targethost. What I found was that when I did the rsh from sourcehost, I got prompted for a password, but when I did the ssh it let me in without a password. Try a "man hosts.equiv" to see an explanation of what I'm doing with the "+ -usertest". I looked at the openssh3.9p1 source code for auth-rhosts.c and around line 100, it looks like there is a bug in that the same "negated" variable is used for both the host and user checks as it loops/parses the hosts.equiv file, but seems to me that if one is denied access because of an explicit rule, you should be disallowed in. Would be curious if anyone agrees with my interpretation of this behavior and pointer to possible bug in the hosts.equiv parsing? Thanx, alek From rschubnell at paninfo.com Wed Feb 23 20:53:26 2005
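A small evaluator for the hosts.equiv semantics Alek describes (host and user fields, "+" wildcards, @netgroup members, and a "-" prefix that turns a match into an explicit denial), added here as an illustration and not OpenSSH's auth-rhosts.c; the netgroup table and the two-line file are constructed, and the message's second line is taken as the host-netgroup form "+@trusted-hosts".

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Each hosts.equiv line is "host [user]".  Either field may be "+"
 * (match all), "@group" or "+@group" (netgroup members), or carry a
 * leading "-" that turns a match into a denial.  The first line that
 * matches both fields decides, and a negated match denies outright;
 * later positive lines do not override it.
 */

/* Constructed stand-in for innetgr(3): (group, host member, user member). */
struct ng_member {
    const char *group;
    const char *host;   /* NULL when this entry is a user member */
    const char *user;   /* NULL when this entry is a host member */
};

static const struct ng_member NETGROUPS[] = {
    { "trusted-hosts", "sourcehost", NULL },
    { "trusted-hosts", "buildhost",  NULL },
    { "ops-users",     NULL,         "alice" },
};

/* Host names compare case-insensitively; user names compare exactly. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Is `host` (or `user`, whichever is non-NULL) a member of `group`? */
static int in_netgroup(const char *group, const char *host, const char *user)
{
    size_t i;

    for (i = 0; i < sizeof NETGROUPS / sizeof NETGROUPS[0]; i++) {
        const struct ng_member *m = &NETGROUPS[i];
        if (strcmp(m->group, group) != 0)
            continue;
        if (host && m->host && eq_nocase(m->host, host))
            return 1;
        if (user && m->user && strcmp(m->user, user) == 0)
            return 1;
    }
    return 0;
}

/* Match one field; any leading "-" has already been stripped by the caller. */
static int field_matches(const char *tok, const char *value, int is_host)
{
    if (tok[0] == '+' && tok[1] == '@')      /* "+@group" is the same as "@group" */
        tok++;
    if (strcmp(tok, "+") == 0)
        return 1;
    if (tok[0] == '@')
        return is_host ? in_netgroup(tok + 1, value, NULL)
                       : in_netgroup(tok + 1, NULL, value);
    return is_host ? eq_nocase(tok, value) : strcmp(tok, value) == 0;
}

/* Return 1 if the hosts.equiv text `contents` lets `user` in from `host`
 * without a password, 0 if it denies or says nothing about them. */
int hosts_equiv_allows(const char *contents, const char *host, const char *user)
{
    const char *p = contents;

    while (*p != '\0') {
        char line[256], hostbuf[128] = "", userbuf[128] = "";
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        const char *h, *u;
        int negated = 0;

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + strlen(p);

        if (line[0] == '#' || sscanf(line, "%127s %127s", hostbuf, userbuf) < 1)
            continue;                       /* comment or blank line */

        /* A missing user field means "any user" here; the real check also
         * requires a local account of the same name. */
        h = hostbuf;
        u = userbuf[0] ? userbuf : "+";
        if (h[0] == '-') { negated = 1; h++; }
        if (u[0] == '-') { negated = 1; u++; }

        if (!field_matches(h, host, 1) || !field_matches(u, user, 0))
            continue;

        return negated ? 0 : 1;             /* first matching line decides */
    }
    return 0;   /* nothing matched: fall back to other authentication */
}

/* Constructed copy of the two-line file from the message above. */
static const char SAMPLE_HOSTS_EQUIV[] =
    "+ -usertest\n"          /* from any host, but never for usertest */
    "+@trusted-hosts\n";     /* any user coming from a host in the netgroup */

int main(void)
{
    printf("usertest from sourcehost: %d (expect 0)\n",
           hosts_equiv_allows(SAMPLE_HOSTS_EQUIV, "sourcehost", "usertest"));
    printf("alice from sourcehost:    %d (expect 1)\n",
           hosts_equiv_allows(SAMPLE_HOSTS_EQUIV, "sourcehost", "alice"));
    printf("alice from unknownhost:   %d (expect 0)\n",
           hosts_equiv_allows(SAMPLE_HOSTS_EQUIV, "unknownhost", "alice"));
    return 0;
}
```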
From: rschubnell at paninfo.com (rschubnell at paninfo.com) Date: Wed, 23 Feb 2005 10:53:26 +0100 Subject: Problems to compile openssh 3.9.pm1 on AIX 5.2 with openssl-devel-0.9.6m-1 / OpenSSL Header Error Message-ID: I have problems compiling openssh 3.9.pm1 on AIX 5.2 with openssl-devel-0.9.6m-1. On configure I get the following error: ./configure --with-ssl-dir=/usr/local/ssl/include/openssl/ --sysconfdir=/etc/ssh --with-zlib=/usr/local checking OpenSSL header version... not found configure: error: OpenSSL version header not found. ./contrib/findssl.sh Searching for OpenSSL header files. 0x009060dfL /opt/freeware/include/openssl/opensslv.h Searching for OpenSSL shared library files. Searching for OpenSSL static library files. 0x009060dfL /opt/freeware/lib/libcrypto.a 0x009060dfL /opt/freeware/64/lib/libcrypto.a 0x009060dfL /usr/local/lib/libcrypto.a 0x009060dfL /usr/linux/lib/libcrypto.a openssl-0.9.6m-1 openssl-devel-0.9.6m-1 openssl-doc-0.9.6m-1 ------------------------------------------------------------------------------------------------------------------ Reto Schubnell System Engineer AIX / Linux PANINFO AG Brüttisellen Tel. +41 (0)44 805 14 49 Nat. +41 (0)79 403 06 30 http://www.paninfo.com ------------------------------------------------------------------------------------------------------------------ From dtucker at zip.com.au Wed Feb 23 21:15:25 2005
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 23 Feb 2005 21:15:25 +1100 Subject: Problems to compile openssh 3.9.pm1 on AIX 5.2 with openssl-devel-0.9.6m-1 / OpenSSL Header Error In-Reply-To: References: Message-ID: <421C57BD.8050100@zip.com.au> rschubnell at paninfo.com wrote: > I've Problems to compile openssh 3.9.pm1 on AIX 5.2 with > openssl-devel-0.9.6m-1 > On Configure I've the following Error: > > ./configure --with-ssl-dir=/usr/local/ssl/include/openssl/ > --sysconfdir=/etc/ssh --with-zlib=/usr/local It looks like you have the rpm-based openssl installed, and possibly a symlink in /usr/local/lib? Try: blibpath=/usr/lib:/lib:/usr/local/lib:/opt/freeware/lib \ ./configure --with-ssl-dir=/opt/freeware -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From vyomkesh.mishra at gmail.com Wed Feb 23 21:08:20 2005 
From: vyomkesh.mishra at gmail.com (Vyomkesh) Date: Wed, 23 Feb 2005 15:38:20 +0530 Subject: Permission prob with scp Message-ID: Hi... I am trying to do scp from one server to another. If the permission of my home dir is 775 then it is not allowing me to do the scp in the case of passwordless authentication (i.e. when I am using a pubkey/private key without a passphrase). In this case it is asking for a passwd even though the public key is present in the home directory (i.e. in .ssh). But if I change the permission to 755 then it is not asking for the passwd and is allowing the scp. How can I do the scp if I want to use a pubkey/private key and also need to keep my home dir permission at 775? This is because in my home dir other processes are writing data and I cannot stop that. Please help me. -- ***************************************** Thanks and Regards Vyomkesh ****************************************************************************************** If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. ----Sun Tzu on The Art of War. From dtucker at zip.com.au Wed Feb 23 21:32:12 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 23 Feb 2005 21:32:12 +1100 Subject: Permission prob with scp In-Reply-To: References: Message-ID: <421C5BAC.5010709@zip.com.au> Vyomkesh wrote: > How can i do the scp if i want to use pubkey/private key and also i > need to keep my home dir permission to 775. This is because in my home > dir other processes are writing the data and i can not stop that. http://www.openssh.com/faq.html#3.14 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From vinschen at redhat.com Thu Feb 24 04:56:13 2005
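What is going on behind the FAQ pointer, as an added illustration that is not code from OpenSSH or from either poster: with StrictModes on (the default), sshd will not use ~/.ssh/authorized_keys if the home directory, ~/.ssh or the file itself is writable by group or others, or is owned by someone other than the user or root. It then silently moves on to the next authentication method, which is the password prompt the poster sees with a 775 home directory. The audit below reproduces those checks; the fixture builder, the placeholder key line and the default of the calling user's uid are constructed for the example.

```python
"""StrictModes-style audit of the paths sshd inspects before trusting
~/.ssh/authorized_keys.  Added example, not OpenSSH code."""
import os
import stat
import tempfile

# Paths sshd looks at, relative to the home directory (assumption: the
# default AuthorizedKeysFile of .ssh/authorized_keys).
CHECKED_PATHS = ("", ".ssh", os.path.join(".ssh", "authorized_keys"))


def check_path(path, uid):
    """Return the list of reasons sshd would reject this path (empty = OK)."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["%s: does not exist" % path]
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid not in (uid, 0):
        problems.append("%s: owned by uid %d, not by uid %d or root"
                        % (path, st.st_uid, uid))
    if mode & stat.S_IWGRP:
        problems.append("%s: group-writable (mode %04o)" % (path, mode))
    if mode & stat.S_IWOTH:
        problems.append("%s: world-writable (mode %04o)" % (path, mode))
    return problems


def audit_home(home, uid=None):
    """Audit $HOME, $HOME/.ssh and the authorized_keys file as sshd does.

    uid defaults to the calling user, who owns the fixture built below."""
    if uid is None:
        uid = os.getuid()
    problems = []
    for rel in CHECKED_PATHS:
        path = home if rel == "" else os.path.join(home, rel)
        problems.extend(check_path(path, uid))
    return problems


def build_fixture(home_mode):
    """Construct a throwaway home directory (test data, not a real account):
    a correct ~/.ssh (700) and authorized_keys (600) under a home directory
    whose mode the caller chooses, e.g. 0o775 or 0o755."""
    home = tempfile.mkdtemp()
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir, 0o700)
    keyfile = os.path.join(ssh_dir, "authorized_keys")
    with open(keyfile, "w") as f:
        f.write("ssh-rsa AAAA... placeholder@example\n")  # constructed line
    os.chmod(keyfile, 0o600)
    os.chmod(home, home_mode)
    return home


if __name__ == "__main__":
    for mode in (0o775, 0o755):
        print("home mode %04o:" % mode, audit_home(build_fixture(mode)) or "OK")
```

Run audit_home() against the real account to see which path sshd is objecting to. The ways out are to fix the modes (755 on $HOME, 700 on ~/.ssh, 600 on authorized_keys), to set StrictModes no in sshd_config, which drops the check for every user and is the weaker choice, or to move the keys with AuthorizedKeysFile to a path outside the directory that has to stay group-writable.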
From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 23 Feb 2005 18:56:13 +0100 Subject: getpeereid Message-ID: <20050223175613.GA3650@cygbert.vinschen.de> Hi, I've just implemented getpeereid in Cygwin and I found that there's something I don't understand. In ssh-agent.c and in clientloop.c, getpeereid is used to ask for the effective uid of the peer side of the connected socket. So far so good, but why does the test look like this: if ((euid != 0) && (getuid() != euid)) ? Is there any good reason why root should be able to connect to the ssh-agent of a user? What is that reason? Otherwise, shouldn't it be better just if (getuid() != euid) ? Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat, Inc. From rschubnell at paninfo.com Wed Feb 23 20:35:39 2005 
From: rschubnell at paninfo.com (rschubnell at paninfo.com) Date: Wed, 23 Feb 2005 10:35:39 +0100 Subject: Configure Problems with OpenSSH AIX 5.2 and openssl-devel-0.9.6m-1 Message-ID:

I have problems compiling openssh 3.9.pm1 on AIX 5.2 with openssl-devel-0.9.6m-1. On configure I get the following error:

./configure --with-ssl-dir=/usr/local/ssl/include/openssl/ --sysconfdir=/etc/ssh --with-zlib=/usr/local
checking OpenSSL header version... not found
configure: error: OpenSSL version header not found.

./contrib/findssl.sh
Searching for OpenSSL header files.
0x009060dfL /opt/freeware/include/openssl/opensslv.h
Searching for OpenSSL shared library files.
Searching for OpenSSL static library files.
0x009060dfL /opt/freeware/lib/libcrypto.a
0x009060dfL /opt/freeware/64/lib/libcrypto.a
0x009060dfL /usr/local/lib/libcrypto.a
0x009060dfL /usr/linux/lib/libcrypto.a

openssl-0.9.6m-1 openssl-devel-0.9.6m-1 openssl-doc-0.9.6m-1

------------------------------------------------------------------------------------------------------------------ Reto Schubnell System Engineer AIX / Linux PANINFO AG Brüttisellen Tel. +41 (0)44 805 14 49 Nat. +41 (0)79 403 06 30 http://www.paninfo.com ------------------------------------------------------------------------------------------------------------------ From dtucker at zip.com.au Thu Feb 24 06:56:12 2005
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 24 Feb 2005 06:56:12 +1100 Subject: getpeereid In-Reply-To: <20050223175613.GA3650@cygbert.vinschen.de> References: <20050223175613.GA3650@cygbert.vinschen.de> Message-ID: <421CDFDC.7070802@zip.com.au> Corinna Vinschen wrote: > if ((euid != 0) && (getuid() != euid)) > > ? Is there any good reason why root should be able to connect to the > ssh-agent of a user? What is that reason? Otherwise, shouldn't it be > better just ssh is setuid root in some configurations (eg for RhostsRSAAuthentication, UsePrivilegedPort). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Thu Feb 24 07:12:22 2005 
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 24 Feb 2005 07:12:22 +1100 Subject: getpeereid In-Reply-To: <421CDFDC.7070802@zip.com.au> References: <20050223175613.GA3650@cygbert.vinschen.de> <421CDFDC.7070802@zip.com.au> Message-ID: <421CE3A6.5010301@zip.com.au> Darren Tucker wrote: > Corinna Vinschen wrote: >> ? Is there any good reason why root should be able to connect to the >> ssh-agent of a user? What is that reason? > > ssh is setuid root in some configurations (eg for > RhostsRSAAuthentication, UsePrivilegedPort). Hmm, on the other hand, ssh should have dropped privs by that point anyway. On the other, other hand, it doesn't buy any additional protection since all root has to do is "su user -c ssh whatever". Maybe it's to allow the use of the agent when someone su's (or sudo's) to root? The cvs log on ssh-agent.c (rev 1.113) says: - markus at cvs.openbsd.org 2002/10/01 20:34:12 [ssh-agent.c] allow root to access the agent, since there is no protection from root. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From vinschen at redhat.com Thu Feb 24 08:43:30 2005 
From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 23 Feb 2005 22:43:30 +0100 Subject: getpeereid In-Reply-To: <421CE3A6.5010301@zip.com.au> References: <20050223175613.GA3650@cygbert.vinschen.de> <421CDFDC.7070802@zip.com.au> <421CE3A6.5010301@zip.com.au> Message-ID: <20050223214330.GA4943@cygbert.vinschen.de> On Feb 24 07:12, Darren Tucker wrote: > Darren Tucker wrote: > >Corinna Vinschen wrote: > >>? Is there any good reason why root should be able to connect to the > >>ssh-agent of a user? What is that reason? > > > >ssh is setuid root in some configurations (eg for > >RhostsRSAAuthentication, UsePrivilegedPort). > > Hmm, on the other hand, ssh should have dropped privs by that point anyway. > > On the other, other hand, it doesn't buy any additional protection since > all root has to do is "su user -c ssh whatever". > > Maybe it's to allow the use of the agent when someone su's (or sudo's) to > root? The cvs log on ssh-agent.c (rev 1.113) says: > > - markus at cvs.openbsd.org 2002/10/01 20:34:12 > [ssh-agent.c] > allow root to access the agent, since there is no protection from root. Ok, thank you for the explanation. As you might guess, I'm looking if there's any good reason at this point to add a #ifdef HAVE_CYGWIN ;-) Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat, Inc. From dopheide at ncsa.uiuc.edu Thu Feb 24 09:36:23 2005 
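The check Corinna quotes, carried into a small runnable program as an added example (this is not ssh-agent.c or clientloop.c): the agent asks the kernel for the effective uid of whoever is on the other end of the connected AF_UNIX socket and applies exactly the condition from the thread, letting root and the agent's own user through and refusing everyone else. Peer credentials are read here with SO_PEERCRED, the Linux counterpart of the BSD getpeereid() Corinna implemented for Cygwin; on a platform without that option the example substitutes the caller's own euid, an assumption made only so the program runs anywhere. The socketpair demo and the fixed uids in the comments are constructed.

```python
"""The ssh-agent peer check from the thread, as a runnable illustration.
Added example, not ssh-agent.c."""
import os
import socket
import struct


def peer_allowed(peer_euid, my_uid):
    """Exactly the condition quoted from ssh-agent.c / clientloop.c:
    refuse unless the peer is root or the same (real) user as the agent."""
    if peer_euid != 0 and my_uid != peer_euid:
        return False
    return True


def peer_euid(sock):
    """Effective uid of the process on the other end of a connected AF_UNIX
    socket.  Uses SO_PEERCRED, the Linux counterpart of BSD getpeereid();
    returns None where the option is unavailable (assumption: the caller
    then substitutes its own euid, as decide() does)."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    # struct ucred { pid_t pid; uid_t uid; gid_t gid; } on Linux
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("iII"))
    _pid, uid, _gid = struct.unpack("iII", raw)
    return uid


def decide(sock, my_uid=None):
    """Run the agent's policy against whoever connected on sock."""
    if my_uid is None:
        my_uid = os.getuid()
    euid = peer_euid(sock)
    if euid is None:
        euid = os.geteuid()  # fallback for platforms without SO_PEERCRED
    return {"peer_euid": euid, "allowed": peer_allowed(euid, my_uid)}


def demo():
    """Connect to ourselves through a socketpair: same user, so allowed."""
    agent_side, client_side = socket.socketpair(socket.AF_UNIX,
                                                socket.SOCK_STREAM)
    try:
        return decide(agent_side)
    finally:
        agent_side.close()
        client_side.close()


if __name__ == "__main__":
    print(demo())
    # root passes, the same user passes, a different unprivileged uid does
    # not (uids 1000 and 1001 are constructed values)
    print(peer_allowed(0, 1000), peer_allowed(1000, 1000),
          peer_allowed(1001, 1000))
```

The point Darren makes applies unchanged to this version: the euid test keeps other unprivileged users off the socket, but it is not a boundary against root, who can become the user and talk to the agent regardless, which is why the check lets root through rather than pretending otherwise.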
From: dopheide at ncsa.uiuc.edu (Mike Dopheide) Date: Wed, 23 Feb 2005 16:36:23 -0600 (CST) Subject: Krb5 options patch Message-ID: Does anyone see a need for a patch that allows Kerberos password authentication with the correct local options? I'm simply trying to get a feel for if it's worth my time to investigate it further. The issue is that we also use a patch that does Kerberos ticket passing and our ticket lifetime is slightly higher than the default 10 hours. Users experience different behavior when they login with a ticket or if they acquire a new ticket while logging in with a password. A quick investigation leads me to krb5_get_init_creds_password() in auth-krb5.c not passing along the 'default_lifetime' option that can be set in /etc/krb5.conf. Thoughts? -Mike --------------------------------------------------- Mike Dopheide dopheide at ncsa.uiuc.edu System Engineer Phone: 217.244.0299 NCSA, University of Illinois Fax: 217.244.1987 From vinschen at redhat.com Thu Feb 24 22:34:19 2005 
From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 24 Feb 2005 12:34:19 +0100 Subject: [PATCH] Drop two useless HAVE_CYGWIN Message-ID: <20050224113419.GZ18314@cygbert.vinschen.de> Hi, the below patch removes two special cases for Cygwin, which are already superfluous for a good while. - openbsd-compat/bsd-openpty.c: Since openpty() is implemented in Cygwin now, the bsd-openpty.c code just isn't build into OpenSSH on Cygwin. So the Cygwin special case is useless. - When building OpenSSH for Cygwin, the minires-devel package (development package for the special "minires" resolver library for Cygwin) is required. But this package also brings its own version of arpa/nameser.h, so the #ifndef HAVE_CYGWIN is useless. Corinna Index: openbsd-compat/bsd-openpty.c =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-openpty.c,v retrieving revision 1.3 diff -p -u -r1.3 bsd-openpty.c --- openbsd-compat/bsd-openpty.c 17 Feb 2004 05:49:55 -0000 1.3 +++ openbsd-compat/bsd-openpty.c 24 Feb 2005 11:30:30 -0000 @@ -102,7 +102,6 @@ openpty(int *amaster, int *aslave, char return (-1); } -#ifndef HAVE_CYGWIN /* * Try to push the appropriate streams modules, as described * in Solaris pts(7). @@ -112,7 +111,6 @@ openpty(int *amaster, int *aslave, char # ifndef __hpux ioctl(*aslave, I_PUSH, "ttcompat"); # endif /* __hpux */ -#endif /* HAVE_CYGWIN */ return (0); Index: openbsd-compat/inet_ntop.c =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/inet_ntop.c,v retrieving revision 1.9 diff -p -u -r1.9 inet_ntop.c --- openbsd-compat/inet_ntop.c 24 Nov 2003 02:33:34 -0000 1.9 +++ openbsd-compat/inet_ntop.c 24 Feb 2005 11:30:30 -0000 
@@ -35,9 +35,7 @@ static char rcsid[] = "$OpenBSD: inet_nt #include #include #include -#ifndef HAVE_CYGWIN #include -#endif #include #include #include -- Corinna Vinschen Cygwin Project Co-Leader Red Hat, Inc. From kastenho at in.tum.de Fri Feb 25 00:54:12 2005 
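Review bot: in the bsd-openpty.c hunk, removing the #ifndef HAVE_CYGWIN guard makes the I_PUSH ioctl() calls run on every platform that still compiles this compat file, and nothing in the hunk records why that is safe for Cygwin; the reason given in the mail (Cygwin now has its own openpty(), so bsd-openpty.c is not built there) belongs in the commit message or in the comment above the ioctl() calls, so the next reader does not have to dig up this thread. The visible ioctl(*aslave, I_PUSH, "ttcompat") call also still discards its return value; that predates the hunk, but now that the code path is unconditional a debug() on failure would make a silently missing STREAMS module visible.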
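Review bot: in the inet_ntop.c hunk, dropping the #ifndef HAVE_CYGWIN around the include turns that header into a hard requirement on Cygwin, which the mail says is only satisfied by the minires-devel package; that build-time dependency should be stated in the Cygwin build notes, since a Cygwin host without minires-devel will now stop at this include instead of compiling. The header name itself has been lost in this archive rendering (the hunk shows bare "#include" lines), so the hunk should be checked against the repository copy before it is committed.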
From: kastenho at in.tum.de (Daniel Kastenholz) Date: Thu, 24 Feb 2005 14:54:12 +0100 Subject: Suggestion: SSHD pseudo/fake mode. Source available. Message-ID: <421DDC84.9040107@in.tum.de> Hi, SSH brute force attacks seem to enjoy increasing popularity. Call me an optimist or a misrouted kind of contributor to the community, but on our company server I actually go through the logs and report extreme cases to the providers of the originating IPs. With the increasing number of these attacks, however, I have now decided that it's better to move the SSHd to a different port. The downside is: it was actually fun to report a failed brute force attack from time to time! Alright, I know, there are IDSs available, and scanners, etc., etc., ... but one benefit of having a real daemon on port 22 is that it keeps the intruder busy and produces evidence through failed login attempts and usernames in the logfiles. So I thought it might be sensible to build and run a fake server on port 22 that behaves essentially like an original SSH daemon (key exchange, password request, ..) but strictly denies every attempt to login, even if the password turns out to be right. I don't know if anyone else would find such a feature useful. But I learned that it's just a few lines of additional code. I've run this against release 3-9.p1 of OpenSSH. In short, here's what I did: - added a new command line flag "-T" for trap to trigger the internal "trap_mode" flag - added a "trap" flag to the "authctxt" type that is set according to "trap_mode" when a new context is created - extended the conditionals in auth1.c etc. to circumvent "authenticated"=1 when "authctxt->trap==1", even if the authentication itself was successful. Little effort for a trap that's almost impossible to identify as such. If there's any interest in this solution, I would willingly provide a patch file!
Tiny little problem: I've never contributed to an open source project before and don't know how to create this patch file thing. Is that just the output of a "diff"? If someone tells me or could point me to a short (!) tutorial, it's all yours. And if you don't like having such an option in your sshd, well, no one forces you to use it. But somebody else might be happy to have it. Regards Daniel From vinschen at redhat.com Fri Feb 25 01:23:14 2005 From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 24 Feb 2005 15:23:14 +0100 Subject: [PATCH] Drop SETGROUPS_NOOP Message-ID: <20050224142314.GG18314@cygbert.vinschen.de> [Resend, the original message seems to be lost somehow] Hi, the SETGROUPS_NOOP define is used only for Cygwin. But it's also combined with the HAVE_SETGROUPS test in bsd-misc.c. So, since setgroups() exists and is functional in Cygwin, this is actually a noop in the more general sense. The below patch drops that entirely. Corinna Index: acconfig.h =================================================================== RCS file: /cvs/openssh_cvs/acconfig.h,v retrieving revision 1.180 diff -p -u -r1.180 acconfig.h --- acconfig.h 16 Aug 2004 13:12:06 -0000 1.180 +++ acconfig.h 24 Feb 2005 12:59:52 -0000 @@ -52,9 +52,6 @@ #undef SPT_TYPE #undef SPT_PADCHAR -/* setgroups() NOOP allowed */ -#undef SETGROUPS_NOOP - /* SCO workaround */ #undef BROKEN_SYS_TERMIO_H Index: configure.ac =================================================================== RCS file: /cvs/openssh_cvs/configure.ac,v retrieving revision 1.247 diff -p -u -r1.247 configure.ac --- configure.ac 24 Feb 2005 01:12:35 -0000 1.247 +++ configure.ac 24 Feb 2005 12:59:53 -0000 
@@ -158,7 +158,6 @@ case "$host" in AC_DEFINE(NO_X11_UNIX_SOCKETS) AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) AC_DEFINE(DISABLE_FD_PASSING) - AC_DEFINE(SETGROUPS_NOOP) ;; *-*-dgux*) AC_DEFINE(IP_TOS_IS_BROKEN) Index: openbsd-compat/bsd-misc.c =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-misc.c,v retrieving revision 1.25 diff -p -u -r1.25 bsd-misc.c --- openbsd-compat/bsd-misc.c 15 Aug 2004 08:41:00 -0000 1.25 +++ openbsd-compat/bsd-misc.c 24 Feb 2005 12:59:53 -0000 @@ -122,17 +122,6 @@ int truncate(const char *path, off_t len } #endif /* HAVE_TRUNCATE */ -#if !defined(HAVE_SETGROUPS) && defined(SETGROUPS_NOOP) -/* - * Cygwin setgroups should be a noop. - */ -int -setgroups(size_t size, const gid_t *list) -{ - return (0); -} -#endif - #if !defined(HAVE_NANOSLEEP) && !defined(HAVE_NSLEEP) int nanosleep(const struct timespec *req, struct timespec *rem) { Index: openbsd-compat/bsd-misc.h =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-misc.h,v retrieving revision 1.17 diff -p -u -r1.17 bsd-misc.h --- openbsd-compat/bsd-misc.h 15 Aug 2004 08:41:00 -0000 1.17 +++ openbsd-compat/bsd-misc.h 24 Feb 2005 12:59:53 -0000 @@ -67,10 +67,6 @@ int utimes(char *, struct timeval *); int truncate (const char *, off_t); #endif /* HAVE_TRUNCATE */ -#if !defined(HAVE_SETGROUPS) && defined(SETGROUPS_NOOP) -int setgroups(size_t, const gid_t *); -#endif - #if !defined(HAVE_NANOSLEEP) && !defined(HAVE_NSLEEP) #ifndef HAVE_STRUCT_TIMESPEC struct timespec { -- Corinna Vinschen Cygwin Project Co-Leader Red Hat, Inc. From deengert at anl.gov Fri Feb 25 02:02:25 2005 
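Review bot: in the configure.ac hunk, removing AC_DEFINE(SETGROUPS_NOOP) from the Cygwin case leaves that platform relying entirely on configure's function check producing HAVE_SETGROUPS, which the mail says Cygwin's real setgroups() now satisfies; nothing in the hunk checks that, so the ChangeLog entry should say so and a Cygwin configure run should be confirmed to define HAVE_SETGROUPS before this goes in.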
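Review bot: in the bsd-misc.c hunk, deleting the no-op setgroups() stub is the right call from a privilege-dropping standpoint: a setgroups() that silently returns 0 leaves the process's supplementary groups in place while sshd believes it has dropped them, so a platform without a working setgroups() is better off failing at link time than running with that stub. Since the removed block was guarded by !defined(HAVE_SETGROUPS) && defined(SETGROUPS_NOOP), and SETGROUPS_NOOP is no longer defined anywhere after the configure.ac change, the stub was unreachable anyway; the matching prototype removal in the bsd-misc.h hunk keeps the header consistent with it.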
From: deengert at anl.gov (Douglas E. Engert) Date: Thu, 24 Feb 2005 09:02:25 -0600 Subject: Krb5 options patch In-Reply-To: References: Message-ID: <421DEC81.2060508@anl.gov> Mike Dopheide wrote: > Does anyone see a need for a patch that allows Kerberos password > authentication with the correct local options? I'm simply trying to get a > feel for if it's worth my time to investigate it further. > > The issue is that we also use a patch that does Kerberos ticket passing > and our ticket lifetime is slightly higher than the default 10 hours. > Users experience different behavior when they login with a ticket > or if they acquire a new ticket while logging in with a password. > > A quick investigation leads me to krb5_get_init_creds_password() in > auth-krb5.c not passing along the 'default_lifetime' option that can be > set in /etc/krb5.conf. The problem may have been MIT Kerberos versions prior to 1.4 not processing the lifetime option in the krb5.conf file. It looks like they added "ticket_lifetime" in 1.4. A test with OpenSSH-3.9 and krb5-1.4 on Solaris 9 with "[libdefaults] ticket_lifetime = 8h" shows that sshd did get an 8 hour ticket. > > Thoughts? > > -Mike > > > --------------------------------------------------- > Mike Dopheide dopheide at ncsa.uiuc.edu > System Engineer Phone: 217.244.0299 > NCSA, University of Illinois Fax: 217.244.1987 > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From agiri at sj.symbol.com Thu Feb 24 12:31:28 2005 
From: agiri at sj.symbol.com (Amba Giri) Date: Wed, 23 Feb 2005 17:31:28 -0800 Subject: Question performance of SSH v1 vs SSH v2 Message-ID: Hello I have ported OpenSSH 3.8p1 to a LynxOS platform. Recently I heard a report from the field that v2 is perceived to be significantly slower than v1. Is this a known issue? Are there any configuration parameters that can be modified to make v2 faster? Thanks in advance for your response Amba From hbentel at gmail.com Fri Feb 25 05:01:08 2005 From: hbentel at gmail.com (Henrik Bentel) Date: Thu, 24 Feb 2005 12:01:08 -0600 Subject: FTP specific port forwarding Message-ID: <45ddf6090502241001f11ab5f@mail.gmail.com> Hi I've been looking at both openssh and a couple of commercial SSH implementations (F-Secure and ssh comm.). The one thing I see as missing is the "nice-to-have" feature of FTP specific port forwarding. The commercial implementations allow a syntax of "-L ftp/:..." which does some "automagical" forwarding of the data channel "under the hood". I don't know if it has been discussed before but I saw someone submit a, quote, "quick and dirty" patch to implement a basic functionality of this. http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=108163477118963&w=2 The person seemed willing to clean it up if there was any interest to include it in the codebase. I know there's always the sftp way instead of FTP over SSH, however in the cases where secure communication is needed for "AS-IS" systems this would be a nice to have feature. I've previously used wu-ftpd where I've set "passive address" and "passive ports" in the ftpaccess file, and set up tunnels for all the passive ports. However the maintenance gets horrendous in the long term. And you get lots of "425: address already in use" errors when the port range is not big enough. Just a thought thanks, Henrik Bentel From vinschen at redhat.com Fri Feb 25 00:05:35 2005
From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 24 Feb 2005 14:05:35 +0100 Subject: [PATCH] Drop SETGROUPS_NOOP Message-ID: <20050224130535.GE18314@cygbert.vinschen.de> Hi, the SETGROUPS_NOOP define is used only for Cygwin. But it's also combined with the HAVE_SETGROUPS test in bsd-misc.c. So, since setgroups() exists and is functional in Cygwin, this is actually a noop in the more general sense. The below patch drops that entirely. Corinna Index: acconfig.h =================================================================== RCS file: /cvs/openssh_cvs/acconfig.h,v retrieving revision 1.180 diff -p -u -r1.180 acconfig.h --- acconfig.h 16 Aug 2004 13:12:06 -0000 1.180 +++ acconfig.h 24 Feb 2005 12:59:52 -0000 @@ -52,9 +52,6 @@ #undef SPT_TYPE #undef SPT_PADCHAR -/* setgroups() NOOP allowed */ -#undef SETGROUPS_NOOP - /* SCO workaround */ #undef BROKEN_SYS_TERMIO_H Index: configure.ac =================================================================== RCS file: /cvs/openssh_cvs/configure.ac,v retrieving revision 1.247 diff -p -u -r1.247 configure.ac --- configure.ac 24 Feb 2005 01:12:35 -0000 1.247 +++ configure.ac 24 Feb 2005 12:59:53 -0000 @@ -158,7 +158,6 @@ case "$host" in AC_DEFINE(NO_X11_UNIX_SOCKETS) AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) AC_DEFINE(DISABLE_FD_PASSING) - AC_DEFINE(SETGROUPS_NOOP) ;; *-*-dgux*) AC_DEFINE(IP_TOS_IS_BROKEN) Index: openbsd-compat/bsd-misc.c =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-misc.c,v retrieving revision 1.25 diff -p -u -r1.25 bsd-misc.c --- openbsd-compat/bsd-misc.c 15 Aug 2004 08:41:00 -0000 1.25 +++ openbsd-compat/bsd-misc.c 24 Feb 2005 12:59:53 -0000 
@@ -122,17 +122,6 @@ int truncate(const char *path, off_t len } #endif /* HAVE_TRUNCATE */ -#if !defined(HAVE_SETGROUPS) && defined(SETGROUPS_NOOP) -/* - * Cygwin setgroups should be a noop. - */ -int -setgroups(size_t size, const gid_t *list) -{ - return (0); -} -#endif - #if !defined(HAVE_NANOSLEEP) && !defined(HAVE_NSLEEP) int nanosleep(const struct timespec *req, struct timespec *rem) { Index: openbsd-compat/bsd-misc.h =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-misc.h,v retrieving revision 1.17 diff -p -u -r1.17 bsd-misc.h --- openbsd-compat/bsd-misc.h 15 Aug 2004 08:41:00 -0000 1.17 +++ openbsd-compat/bsd-misc.h 24 Feb 2005 12:59:53 -0000 @@ -67,10 +67,6 @@ int utimes(char *, struct timeval *); int truncate (const char *, off_t); #endif /* HAVE_TRUNCATE */ -#if !defined(HAVE_SETGROUPS) && defined(SETGROUPS_NOOP) -int setgroups(size_t, const gid_t *); -#endif - #if !defined(HAVE_NANOSLEEP) && !defined(HAVE_NSLEEP) #ifndef HAVE_STRUCT_TIMESPEC struct timespec { -- Corinna Vinschen Cygwin Project Co-Leader Red Hat, Inc. From deengert at anl.gov Fri Feb 25 06:53:19 2005 
From: deengert at anl.gov (Douglas E. Engert) Date: Thu, 24 Feb 2005 13:53:19 -0600 Subject: OpenSSH+GSSAPI & HP/UX 11i... In-Reply-To: <42195C92.4050603@isc.org> References: <42195C92.4050603@isc.org> Message-ID: <421E30AF.8070808@anl.gov> This might be a little late, but I went back to see why we do not have this problem with HP. In the install for krb5, we add a symlink gssapi.h -> ./gssapi/gssapi.h in the krb5 include directory. # On HP there is a /usr/include/gssapi.h we need to find the # /krb5/gssapi/gssapi.h first. # OpenSSH depends on this ln -s ./gssapi/gssapi.h $dest/krb5/include/gssapi.h Peter Losher wrote: > I am trying to transition several HP/UX 11i (PA/RISC) servers from > ssh.com over to OpenSSH+GSSAPI (3.9p1) and it's complaining about the > GSSAPI include files: > > -=- > gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. > -I/usr/local/ssl/include -D_HPUX_SOURCE -D_XOPEN_SOURCE > -D_XOPEN_SOURCE_EXTENDED=1 -I/usr/local/krb5/include > -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" > -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" > -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" > -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" > -D_PATH_SSH_PIDDIR=\"/var/run\" > -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" > -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H > -c gss-genr.c > In file included from ssh-gss.h:44, > from monitor_wrap.h:60, > from gss-genr.c:35: > /usr/local/krb5/include/gssapi/gssapi_generic.h:46: error: syntax error > before "extern" > /usr/local/krb5/include/gssapi/gssapi_generic.h:47: error: syntax error > before "extern" > /usr/local/krb5/include/gssapi/gssapi_generic.h:48: error: syntax error > before "extern" > /usr/local/krb5/include/gssapi/gssapi_generic.h:50: error: syntax error > before "extern" > gmake: *** [gss-genr.o] Error 1 > -=- > > The compiler is gcc 3.4.0, the Krb5 install is MIT-Krb5 1.3.6. 
Has > anyone encountered this and is this a bug? (none of the other platforms > I use have encountered this, so this may also be a gcc bug) > > Best Wishes - Peter > -- > Peter_Losher at isc.org | ISC | OpenPGP 0xE8048D08 | "The bits must flow" > > > ------------------------------------------------------------------------ > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From dtucker at zip.com.au Fri Feb 25 09:23:39 2005 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 25 Feb 2005 09:23:39 +1100 Subject: FTP specific port forwarding In-Reply-To: <45ddf6090502241001f11ab5f@mail.gmail.com> References: <45ddf6090502241001f11ab5f@mail.gmail.com> Message-ID: <421E53EB.5060500@zip.com.au> Henrik Bentel wrote: > I've been looking at a both openssh and couple of commercial SSH > implementations(F-Secure and ssh comm.). > > The one thing I see as missing is the "nice-to-have" feature of FTP > specific port forwarding. > The commercial implementations allows a syntax of "-L > ftp/:..." which does some "automagical" forwarding of the > data channel "under the hood" FWIW DynamicForward should already work with a SOCKSified FTP client in passive mode. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Fri Feb 25 09:39:15 2005 
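Why Darren's one-liner works, shown as an added example (not OpenSSH code and not any FTP client's): with ssh -D the client talks to a SOCKS5 proxy, and in passive mode every FTP data transfer is simply one more outbound connection to the host and port the server announces in its 227 reply, so the client issues one SOCKS CONNECT per transfer and never needs a fixed -L tunnel per passive port. Active mode, where the server connects back to the client after PORT, cannot be expressed as a SOCKS CONNECT, which is the caveat behind "in passive mode". The code below parses the 227 reply and builds the RFC 1928 request a SOCKSified client sends for the data connection; the reply strings and addresses are constructed, and it opens no real sockets.

```python
"""Passive FTP over `ssh -D`: what the SOCKSified client actually sends.
Added example, not OpenSSH or any FTP client's code."""
import re
import struct

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Extract (host, port) from a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]


def data_endpoint(reply, control_host=None):
    """Where to open the data connection.  If control_host is given, an
    announced address that differs from it is ignored and control_host used
    instead: a server (or a NAT box rewriting replies) should not be able to
    aim the client's next connection at an arbitrary address."""
    host, port = parse_pasv(reply)
    if control_host is not None and host != control_host:
        host = control_host
    return host, port


def socks5_greeting():
    """VER=5, NMETHODS=1, METHOD=0: no authentication, which is the only
    method ssh's built-in SOCKS5 server offers."""
    return b"\x05\x01\x00"


def socks5_connect_request(host, port):
    """RFC 1928 request: VER CMD=CONNECT RSV ATYP=IPv4 DST.ADDR DST.PORT."""
    octets = bytes(int(x) for x in host.split("."))
    if len(octets) != 4:
        raise ValueError("IPv4 dotted quad expected: %r" % host)
    return b"\x05\x01\x00\x01" + octets + struct.pack("!H", port)


def data_connection_request(reply, control_host=None):
    """The SOCKS CONNECT the client issues for the data channel after PASV.
    Each passive-mode transfer is one more of these outbound requests, which
    is why DynamicForward covers FTP and a fixed -L tunnel per port does
    not."""
    host, port = data_endpoint(reply, control_host)
    return socks5_connect_request(host, port)


if __name__ == "__main__":
    r = "227 Entering Passive Mode (192,168,1,10,195,80)"  # constructed
    print(parse_pasv(r))
    print(data_connection_request(r).hex())
```

The control_host guard is the check a practitioner wants in any client that follows 227 replies blindly: the announced address is attacker-controlled data from the server's side of the connection, and pinning the data connection to the host the control connection already reached costs nothing.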
From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 25 Feb 2005 09:39:15 +1100 Subject: OpenSSH+GSSAPI & HP/UX 11i... In-Reply-To: <421E30AF.8070808@anl.gov> References: <42195C92.4050603@isc.org> <421E30AF.8070808@anl.gov> Message-ID: <421E5793.3000508@zip.com.au> Douglas E. Engert wrote: > This might be a little late, but I went back to see why we do not have > this problem with HP. > > In the install for krb5, we add a symlink gssapi.h -> ./gssapi/gssapi.h > in the krb5 include directory. > > # On HP there is a /usr/include/gssapi.h we need to find the > # /krb5/gssapi/gssapi.h first. > # OpenSSH depends on this > ln -s ./gssapi/gssapi.h $dest/krb5/include/gssapi.h Would something like the attached change to configure fix it (without breaking anything else...)? (Need to rebuild configure with "autoreconf" after applying the patch, obviously.) -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: openssh-gssapi-configure.patch Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20050225/4618b29a/attachment.ksh From dtucker at zip.com.au Fri Feb 25 10:00:15 2005 
From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 25 Feb 2005 10:00:15 +1100 Subject: Question performance of SSH v1 vs SSH v2 In-Reply-To: References: Message-ID: <421E5C7F.9050807@zip.com.au> Amba Giri wrote: > I have ported OpenSSH 3.8p1 to a LynxOS platform. Recently I heard a > report from the field that v2 is perceived to be significantly slower > than v1. Is this a known issue? Are there any configuration parameters > that can be modified to make v2 faster? In general, SSHv2 is slower because it's stronger. That said, there are some things that can be done to speed it up. If you haven't already, fiddle with your compiler flags for both OpenSSL and OpenSSH. In particular, enabling hardware multiply instructions (eg -mv8 on SPARCs) makes a noticeable difference to the Diffie-Hellman exchange. If you upgraded sshd, make sure you use the moduli file from a recent distribution. Older ones had 2kbit moduli that were actually 2k-1 bits, so sshd would end up using larger ones than requested. Older OpenSSH clients would ask for larger moduli than intended too, so newer clients ought to be faster too. You can also fiddle with the moduli file itself: keep only the lines with a generator of 2 (exponentiating 2 may be faster than 5 on some architectures). (Most of this only applies if your clients are using DH Group Exchange.) There's some more information here: http://www.openssh.com/faq.html#3.3 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From openssh at roumenpetrov.info Fri Feb 25 10:16:08 2005
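The two moduli-file tweaks Darren suggests, as an added script that is not part of OpenSSH: each non-comment line of the moduli file has the fields time, type, tests, tries, size, generator and modulus, with the modulus in hex and the size column holding the bit length minus one (a 1024-bit prime is listed as 1023, which is how OpenSSH's generated moduli files are written). The script flags entries whose modulus is shorter than the size column claims, the "2k-1 bits" defect Darren describes, which sshd itself rejects when loading the file, and keeps only generator-2 entries for writing back. The sample lines are constructed from tiny numbers that are not safe primes; they exist only to exercise the parser.

```python
"""Audit and trim an sshd moduli file.  Added example, not OpenSSH code."""

# Constructed sample: same column layout as /etc/ssh/moduli, toy values.
SAMPLE_MODULI = """\
# constructed sample, not a real moduli file
20050225000000 2 6 100 15 2 FFFB
20050225000000 2 6 100 15 5 7FFB
20050225000000 2 6 100 11 2 C7B
"""


def parse_moduli(text):
    """Parse moduli text into a list of dicts, skipping comments and blanks.
    The size column is stored as listed_bits = size + 1."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d"
                             % (lineno, len(fields)))
        time, typ, tests, tries, size, gen, mod = fields
        entries.append({
            "line": lineno,
            "time": time,
            "type": int(typ),
            "tests": int(tests),
            "tries": int(tries),
            "listed_bits": int(size) + 1,
            "generator": int(gen),
            "modulus": int(mod, 16),
        })
    return entries


def actual_bits(entry):
    """Real bit length of the modulus, independent of what the line says."""
    return entry["modulus"].bit_length()


def undersized(entries):
    """Entries whose modulus is shorter than the size column promises:
    these are what an old moduli file's '2k-1 bit' lines look like."""
    return [e for e in entries if actual_bits(e) < e["listed_bits"]]


def select_for_server(entries, generator=2):
    """Keep correctly sized entries with the wanted generator; this is the
    list you would write back as the trimmed moduli file."""
    return [e for e in entries
            if e["generator"] == generator
            and actual_bits(e) == e["listed_bits"]]


def format_moduli(entries):
    """Re-emit entries in moduli file syntax (size column = bits - 1)."""
    lines = []
    for e in entries:
        lines.append("%s %d %d %d %d %d %X" % (
            e["time"], e["type"], e["tests"], e["tries"],
            e["listed_bits"] - 1, e["generator"], e["modulus"]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = parse_moduli(SAMPLE_MODULI)
    for e in undersized(entries):
        print("line %d: listed %d bits, actual %d"
              % (e["line"], e["listed_bits"], actual_bits(e)))
    print(format_moduli(select_for_server(entries)), end="")
```

Run it over a real moduli file by reading the file into parse_moduli(); if undersized() returns anything, replace the file with one from a current release rather than patching entries by hand, since the safe-primality of each modulus is what the tests and tries columns vouch for and nothing here re-checks it.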
From: openssh at roumenpetrov.info (Roumen Petrov) Date: Fri, 25 Feb 2005 01:16:08 +0200 Subject: OpenSSH+GSSAPI & HP/UX 11i... In-Reply-To: <421E5793.3000508@zip.com.au> References: <42195C92.4050603@isc.org> <421E30AF.8070808@anl.gov> <421E5793.3000508@zip.com.au> Message-ID: <421E6038.8060107@roumenpetrov.info> Darren Tucker wrote: > Douglas E. Engert wrote: > >> This might be a little late, but I went back to see why we do not have >> this problem with HP. >> >> In the install for krb5, we add a symlink gssapi.h -> ./gssapi/gssapi.h >> in the krb5 include directory. >> >> # On HP there is a /usr/include/gssapi.h we need to find the >> # /krb5/gssapi/gssapi.h first. >> # OpenSSH depends on this >> ln -s ./gssapi/gssapi.h $dest/krb5/include/gssapi.h > > > Would something like the attached change to configure fix it (without > breaking anything else...)? > > (Need to rebuild configure with "autoreconf" after applying the patch, > obviously.) Why not look for the header first in the subdirectory? As an example: AC_CHECK_HEADERS(gssapi/gssapi.h gssapi.h) AC_CHECK_HEADERS(gssapi/gssapi_krb5.h gssapi_krb5.h) AC_CHECK_HEADERS(gssapi/gssapi_generic.h gssapi_generic.h) From dtucker at zip.com.au Fri Feb 25 10:21:34 2005
From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 25 Feb 2005 10:21:34 +1100 Subject: OpenSSH+GSSAPI & HP/UX 11i... In-Reply-To: <421E6038.8060107@roumenpetrov.info> References: <42195C92.4050603@isc.org> <421E30AF.8070808@anl.gov> <421E5793.3000508@zip.com.au> <421E6038.8060107@roumenpetrov.info> Message-ID: <421E617E.7000604@zip.com.au> Roumen Petrov wrote: > Why not to look for header first in subdirectory ? > As example: > > AC_CHECK_HEADERS(gssapi/gssapi.h gssapi.h) That would still end up defining both. Assuming we put the second check in an action-if-not-found block, it may change the behaviour on other platforms. I didn't want to break something else while trying to fix this. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From openssh at roumenpetrov.info Fri Feb 25 10:50:35 2005 
From: openssh at roumenpetrov.info (Roumen Petrov) Date: Fri, 25 Feb 2005 01:50:35 +0200 Subject: OpenSSH+GSSAPI & HP/UX 11i... In-Reply-To: <421E617E.7000604@zip.com.au> References: <42195C92.4050603@isc.org> <421E30AF.8070808@anl.gov> <421E5793.3000508@zip.com.au> <421E6038.8060107@roumenpetrov.info> <421E617E.7000604@zip.com.au> Message-ID: <421E684B.6010201@roumenpetrov.info> Darren Tucker wrote: > Roumen Petrov wrote: > >> Why not to look for header first in subdirectory ? >> As example: >> >> AC_CHECK_HEADERS(gssapi/gssapi.h gssapi.h) > > > That would still end up defining both. > > Assuming we put the second check in an action-if-not-found block, it > may change the behaviour on other platforms. > > I didn't want to break something else while trying to fix this. > I guess it is better, when configure finds gssapi/gssapi.h, to search for gssapi/gssapi_krb5.h and gssapi/gssapi_generic.h, and if not, to search for gssapi.h, gssapi_krb5.h and gssapi_generic.h, but your patch is simpler. The opposite of a simple patch is proper detection of header files without extra platform-specific flags like "check_gssapi_gssapi_h_first=1". From dtucker at zip.com.au Fri Feb 25 11:00:56 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 25 Feb 2005 11:00:56 +1100
Subject: OpenSSH+GSSAPI & HP/UX 11i...
In-Reply-To: <421E684B.6010201@roumenpetrov.info>
References: <42195C92.4050603@isc.org> <421E30AF.8070808@anl.gov> <421E5793.3000508@zip.com.au> <421E6038.8060107@roumenpetrov.info> <421E617E.7000604@zip.com.au> <421E684B.6010201@roumenpetrov.info>
Message-ID: <421E6AB8.8080304@zip.com.au>

Roumen Petrov wrote:
> I guess it is better, when configure finds gssapi/gssapi.h, to search
> for gssapi/gssapi_krb5.h and gssapi/gssapi_generic.h, and if not, to
> search for gssapi.h, gssapi_krb5.h and gssapi_generic.h, but your
> patch is simpler.

That can be added if necessary.

> The opposite of a simple patch is proper detection of header files
> without extra platform-specific flags like "check_gssapi_gssapi_h_first=1".

I'm not sure how that is possible. No matter what you do to the compiler flags, configure is going to find gssapi.h at /usr/include/gssapi.h unless it's found in the include search path earlier.

I guess adding -I$KRB5ROOT/include/gssapi/ might work but I have no idea if that will blow up elsewhere...

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Fri Feb 25 11:09:55 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 25 Feb 2005 11:09:55 +1100
Subject: OpenSSH+GSSAPI & HP/UX 11i...
In-Reply-To: <421E6AB8.8080304@zip.com.au>
References: <42195C92.4050603@isc.org> <421E30AF.8070808@anl.gov> <421E5793.3000508@zip.com.au> <421E6038.8060107@roumenpetrov.info> <421E617E.7000604@zip.com.au> <421E684B.6010201@roumenpetrov.info> <421E6AB8.8080304@zip.com.au>
Message-ID: <421E6CD3.6040602@zip.com.au>

Darren Tucker wrote:
> I guess adding -I$KRB5ROOT/include/gssapi/ might work but I have no idea
> if that will blow up elsewhere...

On second thought, that's not going to help without knowing when to enable it (and enabling it unconditionally has the same problem as the existing configure, except with the paths reversed).

If someone has a better idea (or better yet, a tested patch) then I'm all ears...

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From mstevens at cmu.edu Fri Feb 25 14:29:07 2005
From: mstevens at cmu.edu (Michael A Stevens)
Date: Thu, 24 Feb 2005 22:29:07 -0500 (EST)
Subject: Question performance of SSH v1 vs SSH v2
In-Reply-To: <421E5C7F.9050807@zip.com.au>
References: <421E5C7F.9050807@zip.com.au>
Message-ID:

Key exchange can be painfully slow, and key generation even more so. If using the strongest possible algorithm isn't that important to you, then look into using RC4 (arcfour).

On the other end of high speed, SSH2 doesn't scale windows properly and large TCP windows don't affect the internal SSH window, thus cutting performance on high BDP links. SSH1 doesn't have windows so this isn't a problem there.

Mike

On Fri, 25 Feb 2005, Darren Tucker wrote:

> Amba Giri wrote:
>> I have ported OpenSSH 3.8p1 to a LynxOS platform. Recently I heard a
>> report from the field that v2 is perceived to be significantly slower
>> than v1. Is this a known issue? Are there any configuration parameters
>> that can be modified to make v2 faster?
>
> In general, SSHv2 is slower because it's stronger.
>
> That said, there are some things that can be done to speed it up.
>
> If you haven't already, fiddle with your compiler flags for both OpenSSL and
> OpenSSH. In particular, enabling hardware multiply instructions (eg -mv8 on
> SPARCs) makes a noticeable difference to the Diffie-Hellman exchange.
>
> If you upgraded sshd, make sure you use the moduli file from a recent
> distribution. Older ones had 2kbit moduli that were actually 2k-1
> bits, so sshd would end up using larger ones than requested.
>
> Older OpenSSH clients would ask for larger moduli than intended too, so newer
> clients ought to be faster too.
>
> You can also fiddle with the moduli file itself: keep only the lines with a
> generator of 2 (exponentiating 2 may be faster than 5 on some architectures).
>
> (Most of this only applies if your clients are using DH Group Exchange.)
>
> There's some more information here:
> http://www.openssh.com/faq.html#3.3
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From rschubnell at paninfo.com Fri Feb 25 21:56:04 2005
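The two moduli-file checks Darren describes above (keeping only generator-2 entries, and catching entries whose modulus is a bit shorter than its label claims), as an added shell example that is not part of the thread. It assumes the moduli(5) layout "time type tests trials size generator modulus", where size is the prime length in bits minus one and the modulus is uppercase hex; the sample lines are constructed and are not real safe primes.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an sshd moduli file along the
# lines of the advice above: keep only generator-2 entries and flag any entry
# whose modulus is shorter than its labelled size.
#
# Assumed moduli(5) layout (one entry per line, "#" lines are comments):
#   time type tests trials size generator modulus
# with size = prime length in bits minus one (a line labelled 2047 should
# carry a 2048-bit modulus) and modulus written in uppercase hex.

# Constructed sample: 128-bit entries (size field 127) so the lines stay
# readable. The hex values are made up and are NOT real safe primes.
# The second entry is deliberately one bit short of its label.
MODULI_SAMPLE='# constructed moduli sample
20050225000000 2 6 100 127 2 C3A5F1B2D4E6F7A8B9C0D1E2F3A4B5C7
20050225000001 2 6 100 127 2 73A5F1B2D4E6F7A8B9C0D1E2F3A4B5CB
20050225000002 2 6 100 127 5 E1A5F1B2D4E6F7A8B9C0D1E2F3A4B5C3'

# Bit length of a hex modulus: four bits per digit, minus the unused high
# bits of the leading digit. A leading zero digit is not a normalised
# modulus; it contributes 0 bits so the length check below fails for it.
moduli_bits() {
    hex=$1
    case $hex in
        [89ABCDEFabcdef]*) top=4 ;;
        [4567]*)           top=3 ;;
        [23]*)             top=2 ;;
        1*)                top=1 ;;
        *)                 top=0 ;;
    esac
    printf '%s\n' $(( (${#hex} - 1) * 4 + top ))
}

# Read moduli entries from stdin; print one line per entry saying whether the
# real bit length equals size+1. Comment and blank lines are skipped.
moduli_audit() {
    while read -r mtime mtype tests trials size gen modulus; do
        case $mtime in ''|'#'*) continue ;; esac
        actual=$(moduli_bits "$modulus")
        if [ "$actual" -eq "$((size + 1))" ]; then
            status=OK
        else
            status=MISMATCH
        fi
        printf '%s size=%s actual_bits=%s generator=%s\n' \
            "$status" "$size" "$actual" "$gen"
    done
}

# Keep only entries whose generator field equals $1 (comments preserved);
# "moduli_keep_generator 2" drops the generator-5 lines Darren mentions.
moduli_keep_generator() {
    awk -v g="$1" '/^#/ || $6 == g'
}

# Count the entries (not comments) a moduli stream contains.
moduli_count_entries() {
    awk '!/^#/ && NF == 7 { n++ } END { print n + 0 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$MODULI_SAMPLE" | moduli_audit
printf '%s\n' "$MODULI_SAMPLE" | moduli_keep_generator 2
```

On a real system the same functions run as `moduli_audit < /etc/ssh/moduli` and `moduli_keep_generator 2 < /etc/ssh/moduli > moduli.new`; swap the new file in only after the audit shows no MISMATCH lines.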
From: rschubnell at paninfo.com (rschubnell at paninfo.com)
Date: Fri, 25 Feb 2005 11:56:04 +0100
Subject: ssh client Symbol getpeereid (number 34) is not exported from dependent module /usr/lib/libc.a(shr.o).
Message-ID:

Hello

I've compiled OpenSSH 3.9p1 on AIX 5.2:

/contrib/findssl.sh
Searching for OpenSSL header files.
0x009060dfL /opt/freeware/include/openssl/opensslv.h
Searching for OpenSSL shared library files.
Searching for OpenSSL static library files.
0x009060dfL /opt/freeware/lib/libcrypto.a
0x009060dfL /opt/freeware/64/lib/libcrypto.a
0x009060dfL /usr/local/lib/libcrypto.a
0x009060dfL /usr/linux/lib/libcrypto.a

blibpath=/usr/lib:/lib:/usr/local/lib:/opt/freeware/lib
export blibpath
./configure --with-ssl-dir=/opt/freeware --sysconfdir=/etc/ssh \
    --with-zlib=/usr/local --with-ipaddr-display

On the same machine my ssh client works. If I transfer the binaries to another machine (same OpenSSL version) then I have the following error:

# ssh
exec(): 0509-036 Cannot load program ssh because of the following errors:
0509-130 Symbol resolution failed for ssh because:
0509-136 Symbol getpeereid (number 34) is not exported from dependent module /usr/lib/libc.a(shr.o).
0509-192 Examine .loader section symbols with the 'dump -Tv' command.

Can anybody help me?

Kind regards
Reto

Reto Schubnell
System Engineer AIX / Linux
PANINFO AG
Brüttisellen
Tel. +41 (0)44 805 14 49
Nat. +41 (0)79 403 06 30
http://www.paninfo.com

From dtucker at zip.com.au Fri Feb 25 23:33:56 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 25 Feb 2005 23:33:56 +1100
Subject: ssh client Symbol getpeereid (number 34) is not exported from dependent module /usr/lib/libc.a(shr.o).
In-Reply-To:
References:
Message-ID: <421F1B34.2050601@zip.com.au>

rschubnell at paninfo.com wrote:
> I've compiled OpenSSH 3.9p1 on AIX 5.2:
[...]
> On the same machine my ssh client works.
> If I transfer the binaries to another machine (same OpenSSL version) then
> I have the following error:
>
> # ssh
> exec(): 0509-036 Cannot load program ssh because of the following errors:
> 0509-130 Symbol resolution failed for ssh because:
> 0509-136 Symbol getpeereid (number 34) is not exported from

You have probably compiled OpenSSH on a newer version of AIX (either major release or maintenance level) than the machine you're trying to run it on.

In general, AIX is forward but not backward compatible, so you should compile on the oldest version (including ML) you plan to support. (I believe this applies to all binaries, not just OpenSSH.)

To get around this particular problem, you can edit config.h and comment out the line "#define HAVE_GETPEEREID 1" (after running configure but before running make) and rebuild. It's possible you might see similar problems with other functions, though.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From rschubnell at paninfo.com Sat Feb 26 00:08:01 2005
From: rschubnell at paninfo.com (rschubnell at paninfo.com)
Date: Fri, 25 Feb 2005 14:08:01 +0100
Subject: Reply: Re: ssh client Symbol getpeereid (number 34) is not exported from dependent module /usr/lib/libc.a(shr.o).
Message-ID:

Hi Darren

Thanks for your fast reply; that's the reason why it doesn't work.... I have ML4 on my development machine and ML3 on the quality system... ;->

Thanks from Switzerland

From rschubnell at paninfo.com Fri Feb 25 21:08:19 2005
From: rschubnell at paninfo.com (rschubnell at paninfo.com)
Date: Fri, 25 Feb 2005 11:08:19 +0100
Subject: Openssh AIX 5.2 Symbol getpeereid (number 34) is not exported
Message-ID:

Hello

I've compiled OpenSSH 3.9p1 on AIX:

/contrib/findssl.sh
Searching for OpenSSL header files.
0x009060dfL /opt/freeware/include/openssl/opensslv.h
Searching for OpenSSL shared library files.
Searching for OpenSSL static library files.
0x009060dfL /opt/freeware/lib/libcrypto.a
0x009060dfL /opt/freeware/64/lib/libcrypto.a
0x009060dfL /usr/local/lib/libcrypto.a
0x009060dfL /usr/linux/lib/libcrypto.a

blibpath=/usr/lib:/lib:/usr/local/lib:/opt/freeware/lib
export blibpath
./configure --with-ssl-dir=/opt/freeware --sysconfdir=/etc/ssh \
    --with-zlib=/usr/local --with-ipaddr-display

I can work with the server side and with scp and sftp. The ssh client has some problems running in my environment:

# ssh
exec(): 0509-036 Cannot load program ssh because of the following errors:
0509-130 Symbol resolution failed for ssh because:
0509-136 Symbol getpeereid (number 34) is not exported from dependent module /usr/lib/libc.a(shr.o).
0509-192 Examine .loader section symbols with the 'dump -Tv' command.

# which ssh
/usr/sbin/ssh
# ls -la /usr/sbin/ssh
lrwxrwxrwx 1 root system 16 Feb 24 18:14 /usr/sbin/ssh -> /opt/ssh/bin/ssh

Thanks!

Kind regards

Reto Schubnell
System Engineer AIX / Linux
PANINFO AG
Brüttisellen
Tel. +41 (0)44 805 14 49
Nat. +41 (0)79 403 06 30
http://www.paninfo.com

From deengert at anl.gov Sat Feb 26 03:36:53 2005
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 25 Feb 2005 10:36:53 -0600
Subject: OpenSSH+GSSAPI & HP/UX 11i...
In-Reply-To: <421E5793.3000508@zip.com.au>
References: <42195C92.4050603@isc.org> <421E30AF.8070808@anl.gov> <421E5793.3000508@zip.com.au>
Message-ID: <421F5425.9040002@anl.gov>

Darren Tucker wrote:
> Douglas E. Engert wrote:
>
>> This might be a little late, but I went back to see why we do not have
>> this problem with HP.
>>
>> In the install for krb5, we add a symlink gssapi.h -> ./gssapi/gssapi.h
>> in the krb5 include directory.
>>
>> # On HP there is a /usr/include/gssapi.h we need to find the
>> # /krb5/gssapi/gssapi.h first.
>> # OpenSSH depends on this
>> ln -s ./gssapi/gssapi.h $dest/krb5/include/gssapi.h
>
> Would something like the attached change to configure fix it (without
> breaking anything else...)?
>
> (Need to rebuild configure with "autoreconf" after applying the patch,
> obviously.)

I think the problem comes from configure and the header files both trying to determine which files should be used. If configure were to just test for all the files and then let the #ifdefs in the source do the testing and include the gssapi/xxx versions first, then it should work. Configure would be much simpler.

For example, if the #ifdefs in ssh-gss.h were switched around, then gssapi/gssapi.h and gssapi/gssapi_generic.h would be included first.
Switch lines 33,34 with 35,36 and 41,42 with 43,44 33 #ifdef HAVE_GSSAPI_H 34 #include 35 #elif defined(HAVE_GSSAPI_GSSAPI_H) 36 #include 37 #endif 38 39 #ifdef KRB5 40 # ifndef HEIMDAL 41 # ifdef HAVE_GSSAPI_GENERIC_H 42 # include 43 # elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H) 44 # include 45 # endif gss-serv-krb5.c should also have lines 44,45 switched with 46,47 > > > ------------------------------------------------------------------------ > > Index: configure.ac > =================================================================== > RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/configure.ac,v > retrieving revision 1.247 > diff -u -p -r1.247 configure.ac > --- configure.ac 24 Feb 2005 01:12:35 -0000 1.247 > +++ configure.ac 24 Feb 2005 22:35:58 -0000 > @@ -225,6 +225,7 @@ main() { if (NSVersionOfRunTimeLibrary(" > AC_DEFINE(USE_BTMP, 1, [Use btmp to log bad logins]) > check_for_hpux_broken_getaddrinfo=1 > check_for_conflicting_getspnam=1 > + check_gssapi_gssapi_h_first=1 > LIBS="$LIBS -lsec" > AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) > ;; > @@ -2490,7 +2491,13 @@ AC_ARG_WITH(kerberos5, > fi > fi > > - AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h) > + if test "x$check_gssapi_gssapi_h_first" = "x1"; then > + AC_CHECK_HEADERS(gssapi/gssapi.h, , > + [ AC_CHECK_HEADERS(gssapi.h) ]) > + else > + AC_CHECK_HEADERS(gssapi.h, , > + [ AC_CHECK_HEADERS(gssapi/gssapi.h) ]) > + fi > AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h) > AC_CHECK_HEADERS(gssapi_generic.h gssapi/gssapi_generic.h) > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From daniel.kastenholz at in.tum.de Sat Feb 26 04:50:22 2005 
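Review bot: the `+ check_gssapi_gssapi_h_first=1` line in the HP-UX case of the first hunk has no comment explaining why the platform needs it, and the name alone does not say that HP-UX ships a /usr/include/gssapi.h that otherwise shadows the Kerberos one (the reason given earlier in this thread). A one-line comment above it, in the style of the neighbouring `check_for_*` flags, would save the next reader a trip to the list archive.

Review bot: in the second hunk the new if/else only makes the `gssapi.h` versus `gssapi/gssapi.h` check exclusive; the two unchanged context lines that follow, `AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h)` and `AC_CHECK_HEADERS(gssapi_generic.h gssapi/gssapi_generic.h)`, still probe both locations unconditionally. On HP-UX that can define HAVE_GSSAPI_GSSAPI_H together with HAVE_GSSAPI_KRB5_H or HAVE_GSSAPI_GENERIC_H found under /usr/include, so the #ifdef chain in the sources may still mix headers from two different GSSAPI installations. Moving those two checks inside the same branches, so the whole header family is chosen together, is what Roumen proposed earlier in the thread and would close that gap.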
From: daniel.kastenholz at in.tum.de (Daniel Kastenholz)
Date: Fri, 25 Feb 2005 18:50:22 +0100
Subject: Suggestion: SSHD pseudo/fake mode. Source available.
In-Reply-To: <20050224145845.GB9592@hanuman.astro.su.se>
References: <421DDC84.9040107@in.tum.de> <20050224145845.GB9592@hanuman.astro.su.se>
Message-ID: <421F655E.9030303@in.tum.de>

Hi,

Context: yesterday I suggested a command line option for sshd that turns the daemon into a fake (or pseudo) daemon to listen on port 22 while denying all logins even if the provided passwords are right. The reason for this suggestion was the increasing number of brute force attacks against SSH daemons and the wish to provide intruders a playground where they can waste their time while being monitored and without the chance to actually break anything.

I received a couple of replies and there seems to be interest in such an option. As requested, I have now run a diff against the modified sources (originally 3.9p1). The whole patch needs about 30 lines including comments. It adds a command line option '-T' to sshd for enabling the trap mode. The output of the diff follows at the end of this message.

Hope this helps. If you have any further remarks, suggestions, questions ... just drop me a line. I assume the patch could be modified to use even fewer lines, but it works like this.

Do I have to file this diff anywhere else to make the patch request official?
Regards, Daniel -------------------- diff --context=3 openssh-3.9p1/auth.h modified/auth.h *** openssh-3.9p1/auth.h Mon May 24 02:36:23 2004 --- modified/auth.h Wed Feb 23 16:41:51 2005 *************** *** 50,55 **** --- 50,56 ---- int success; int postponed; /* authentication needs another step */ int valid; /* user exists and is allowed to login */ + int trap; /* enforces login denial in trap mode */ int attempt; int failures; int force_pwchange; diff --context=3 openssh-3.9p1/auth1.c modified/auth1.c *** openssh-3.9p1/auth1.c Thu Aug 12 14:40:25 2004 --- modified/auth1.c Wed Feb 23 16:35:22 2005 *************** *** 74,80 **** authctxt->valid ? "" : "invalid user ", authctxt->user); /* If the user has no password, accept authentication immediately. */ ! if (options.password_authentication && #ifdef KRB5 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif --- 74,80 ---- authctxt->valid ? "" : "invalid user ", authctxt->user); /* If the user has no password, accept authentication immediately. */ ! if (authctxt->trap==0 && options.password_authentication && #ifdef KRB5 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif *************** *** 142,148 **** BN_num_bits(client_host_key->rsa->n), bits); packet_check_eom(); ! authenticated = auth_rhosts_rsa(authctxt, client_user, client_host_key); key_free(client_host_key); --- 142,148 ---- BN_num_bits(client_host_key->rsa->n), bits); packet_check_eom(); ! authenticated = (authctxt->trap==0) && auth_rhosts_rsa(authctxt, client_user, client_host_key); key_free(client_host_key); *************** *** 159,165 **** fatal("do_authloop: BN_new failed"); packet_get_bignum(n); packet_check_eom(); ! authenticated = auth_rsa(authctxt, n); BN_clear_free(n); break; --- 159,165 ---- fatal("do_authloop: BN_new failed"); packet_get_bignum(n); packet_check_eom(); ! 
authenticated = (authctxt->trap==0) && auth_rsa(authctxt, n); BN_clear_free(n); break; *************** *** 177,183 **** packet_check_eom(); /* Try authentication with the password. */ ! authenticated = PRIVSEP(auth_password(authctxt, password)); memset(password, 0, strlen(password)); xfree(password); --- 177,183 ---- packet_check_eom(); /* Try authentication with the password. */ ! authenticated = (authctxt->trap==0) && PRIVSEP(auth_password(authctxt, password)); memset(password, 0, strlen(password)); xfree(password); *************** *** 203,209 **** if (options.challenge_response_authentication == 1) { char *response = packet_get_string(&dlen); packet_check_eom(); ! authenticated = verify_response(authctxt, response); memset(response, 'r', dlen); xfree(response); } --- 203,209 ---- if (options.challenge_response_authentication == 1) { char *response = packet_get_string(&dlen); packet_check_eom(); ! authenticated = (authctxt->trap==0) && verify_response(authctxt, response); memset(response, 'r', dlen); xfree(response); } diff --context=3 openssh-3.9p1/auth2.c modified/auth2.c *** openssh-3.9p1/auth2.c Thu Aug 12 14:40:25 2004 --- modified/auth2.c Wed Feb 23 16:35:23 2005 *************** *** 210,215 **** --- 210,218 ---- fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); + /* Deny login if in trap mode */ + if (authctxt->trap!=0) authenticated = 0; + /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(method)) Common subdirectories: openssh-3.9p1/contrib and modified/contrib Common subdirectories: openssh-3.9p1/openbsd-compat and modified/openbsd-compat Common subdirectories: openssh-3.9p1/regress and modified/regress Common subdirectories: openssh-3.9p1/scard and modified/scard diff --context=3 openssh-3.9p1/sshd.c modified/sshd.c *** openssh-3.9p1/sshd.c Thu Aug 12 15:08:15 2004 --- modified/sshd.c Wed Feb 23 17:14:34 2005 *************** *** 125,130 **** --- 125,137 ---- */ int debug_flag = 0; 
+ /* + * Trap mode flag. In this mode, the entire authentication procedure + * takes place, but the login always fails. The purpose of this flag + * is to enable the setup of fake servers for intrusion detection. + */ + int trap_flag = 0; + /* Flag indicating that the daemon should only test the configuration and keys. */ int test_flag = 0; *************** *** 776,782 **** fprintf(stderr, "%s, %s\n", SSH_VERSION, SSLeay_version(SSLEAY_VERSION)); fprintf(stderr, ! "usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]\n" " [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]\n" ); exit(1); --- 783,789 ---- fprintf(stderr, "%s, %s\n", SSH_VERSION, SSLeay_version(SSLEAY_VERSION)); fprintf(stderr, ! "usage: sshd [-46DdeiqtT] [-b bits] [-f config_file] [-g login_grace_time]\n" " [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]\n" ); exit(1); *************** *** 918,924 **** initialize_server_options(&options); /* Parse command-line arguments. */ ! while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:dDeiqrtQR46")) != -1) { switch (opt) { case '4': IPv4or6 = AF_INET; --- 925,931 ---- initialize_server_options(&options); /* Parse command-line arguments. */ ! while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:dDeiqrtQR46T")) != -1) { switch (opt) { case '4': IPv4or6 = AF_INET; *************** *** 929,934 **** --- 936,944 ---- case 'f': config_file_name = optarg; break; + case 'T': + trap_flag = 1; + break; case 'd': if (debug_flag == 0) { debug_flag = 1; *************** *** 1675,1680 **** --- 1685,1693 ---- authctxt = xmalloc(sizeof(*authctxt)); memset(authctxt, 0, sizeof(*authctxt)); + /* set trap indicator if in trap mode */ + if (trap_flag != 0) authctxt->trap = 1; + /* XXX global for cleanup, access from other modules */ the_authctxt = authctxt; From dtucker at zip.com.au Sat Feb 26 10:19:55 2005 
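Review bot: in the auth1.c password hunk, `authenticated = (authctxt->trap==0) && PRIVSEP(auth_password(authctxt, password));` short-circuits, so in trap mode the password is never checked at all; the same applies to the auth_rhosts_rsa, auth_rsa and verify_response hunks. That contradicts the comment added in sshd.c ("the entire authentication procedure takes place, but the login always fails"), loses the one fact a monitored trap exists to record (whether the guess was right), and makes the failure path faster than a genuine failure, which is a detectable difference. Run the method and then discard the result, as the auth2.c hunk already does: `authenticated = PRIVSEP(auth_password(authctxt, password)); if (authctxt->trap) authenticated = 0;`. Style: the surrounding code writes comparisons as `trap == 0`, not `trap==0`.

Review bot: the auth2.c hunk forces `authenticated = 0` after the method has run, so protocol 2 and protocol 1 behave differently in trap mode (the protocol 1 hunks skip the method entirely); one behaviour should be chosen for both. Also, with privilege separation the protocol 2 result came back through the monitor, which this patch does not touch, so it needs checking that the monitor does not consider the session authenticated while the unprivileged child keeps reporting failure. KNF for this file puts the statement on its own line under the `if` and spells the test `trap != 0`.

Review bot: the sshd.c usage and getopt hunks add `-T` but the patch includes no sshd.8 change, so the option would be undocumented. Since this thread already discusses `DenyUsers *` as a configuration-only way to refuse every login, consider making trap mode an sshd_config option next to DenyUsers rather than a command-line flag; that keeps it settable in the same place administrators already turn logins off and makes its presence visible in a config review.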
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 26 Feb 2005 10:19:55 +1100
Subject: OpenSSH+GSSAPI & HP/UX 11i...
In-Reply-To: <421F5425.9040002@anl.gov>
References: <42195C92.4050603@isc.org> <421E30AF.8070808@anl.gov> <421E5793.3000508@zip.com.au> <421F5425.9040002@anl.gov>
Message-ID: <421FB29B.5010500@zip.com.au>

Douglas E. Engert wrote:
> If configure was to just test for all the files

That's what it does now.

> then let the
> #ifdefs in the source test and include the gssapi/xxx versions first
> then it should work. Configure would be much simpler.

That has exactly the same problem as currently, only with the paths reversed. If there is a platform that has the system headers in /usr/include/gssapi/gssapi.h and the locally-built headers in, eg, /usr/local/krb/include/gssapi.h then we're right back where we started.

Now, I don't know if such a platform exists, but if it does then chances are it's working now and your proposed change will break it.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From djm at mindrot.org Sat Feb 26 14:37:46 2005
From: djm at mindrot.org (Damien Miller)
Date: Sat, 26 Feb 2005 14:37:46 +1100
Subject: Question performance of SSH v1 vs SSH v2
In-Reply-To:
References:
Message-ID: <421FEF0A.3060300@mindrot.org>

Amba Giri wrote:
> Hello
>
> I have ported OpenSSH 3.8p1 to a LynxOS platform. Recently I heard a
> report from the field that v2 is perceived to be significantly slower
> than v1. Is this a known issue? Are there any configuration parameters
> that can be modified to make v2 faster?

Protocol 2 is slower because it includes a real per-packet MAC instead of a weak checksum. You can save some overhead by using a truncated MAC like hmac-sha1-96, but there is always going to be more work per packet.

I have looked at implementing AES CCM, which could be much faster, particularly on platforms with AES implemented in CPU instructions, but it doesn't fit nicely in the cipher and MAC negotiation mechanism.

-d

From daniel.kastenholz at in.tum.de Sat Feb 26 18:30:32 2005
From: daniel.kastenholz at in.tum.de (Daniel Kastenholz)
Date: Sat, 26 Feb 2005 08:30:32 +0100
Subject: Suggestion: SSHD pseudo/fake mode. Source available.
In-Reply-To:
References: <421DDC84.9040107@in.tum.de> <20050224145845.GB9592@hanuman.astro.su.se> <421F655E.9030303@in.tum.de>
Message-ID: <42202598.4050504@in.tum.de>

Hi again,

it's once more about this SSH trap thing. I have received some answers which proposed to use configuration options like "DenyUsers *" to deny all logins. That approach sounds more promising, especially from the developer's perspective, because it wouldn't need tweaks in the code itself. I must admit I hadn't tried this! And, in fact, it does work: all credentials are rejected, even if they're correct. The effort is in fact a lot lower than with my circumstantial tweaks in the source code itself.

However, the daemon behaves slightly differently when the "DenyUsers *" option is used. By default, sshd disconnects when the third wrong set of credentials has been provided. With "DenyUsers *", this always happens after the first attempt. In some - admittedly: very rare - cases, that _might_ alert an attacker. (And as stated earlier, the intention was to have a trap that behaves essentially like an unmodified daemon does.) But in most cases this difference _should_ remain unnoticed, since brute force attackers usually disconnect after the first failed attempt anyway and reconnect.

Regards
Daniel

From stuge-openssh-unix-dev at cdy.org Sun Feb 27 03:51:44 2005
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Sat, 26 Feb 2005 17:51:44 +0100
Subject: FTP specific port forwarding
In-Reply-To: <421E53EB.5060500@zip.com.au>
References: <45ddf6090502241001f11ab5f@mail.gmail.com> <421E53EB.5060500@zip.com.au>
Message-ID: <20050226165144.GB8604@foo.birdnet.se>

On Fri, Feb 25, 2005 at 09:23:39AM +1100, Darren Tucker wrote:
> Henrik Bentel wrote:
> >The one thing I see as missing is the "nice-to-have" feature of FTP
> >specific port forwarding.
>
> FWIW DynamicForward should already work with a SOCKSified FTP client
> in passive mode.

Or just get a VPN solution. openvpn.net is nice.

//Peter

From hbentel at gmail.com Sun Feb 27 06:44:06 2005
From: hbentel at gmail.com (Henrik Bentel)
Date: Sat, 26 Feb 2005 13:44:06 -0600
Subject: FTP specific port forwarding
In-Reply-To: <20050226165144.GB8604@foo.birdnet.se>
References: <45ddf6090502241001f11ab5f@mail.gmail.com> <421E53EB.5060500@zip.com.au> <20050226165144.GB8604@foo.birdnet.se>
Message-ID: <45ddf60905022611442e1fc7d7@mail.gmail.com>

Don't know much about VPN. I'm restricted by the customer's policy of only ssh traffic (over port 22) between protected subnets. I have to look into whether the current ftp clients are "SOCKSified" though.

thanks,
-Henrik

On Sat, 26 Feb 2005 17:51:44 +0100, Peter Stuge wrote:
> On Fri, Feb 25, 2005 at 09:23:39AM +1100, Darren Tucker wrote:
> > Henrik Bentel wrote:
> > >The one thing I see as missing is the "nice-to-have" feature of FTP
> > >specific port forwarding.
> >
> > FWIW DynamicForward should already work with a SOCKSified FTP client
> > in passive mode.
>
> Or just get a VPN solution. openvpn.net is nice.
>
> //Peter

From djm at mindrot.org Sun Feb 27 09:13:36 2005
From: djm at mindrot.org (Damien Miller)
Date: Sun, 27 Feb 2005 09:13:36 +1100
Subject: FTP specific port forwarding
In-Reply-To: <421E53EB.5060500@zip.com.au>
References: <45ddf6090502241001f11ab5f@mail.gmail.com> <421E53EB.5060500@zip.com.au>
Message-ID: <4220F490.8070401@mindrot.org>

Darren Tucker wrote:
> Henrik Bentel wrote:
>
>> I've been looking at both openssh and a couple of commercial SSH
>> implementations (F-Secure and ssh comm.).
>>
>> The one thing I see as missing is the "nice-to-have" feature of FTP
>> specific port forwarding.
>> The commercial implementations allow a syntax of "-L
>> ftp/:..." which does some "automagical" forwarding of the
>> data channel "under the hood"
>
> FWIW DynamicForward should already work with a SOCKSified FTP client in
> passive mode.

If someone really wants to implement a convenient ftp-over-ssh mode, they would be well advised to start by looking at one of the ftp proxies (e.g. OpenBSD's) and modifying it to use dynamic forwards.

-d

From dtucker at zip.com.au Sun Feb 27 16:11:07 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 27 Feb 2005 16:11:07 +1100
Subject: Suggestion: SSHD pseudo/fake mode. Source available.
In-Reply-To: <42202598.4050504@in.tum.de>
References: <421DDC84.9040107@in.tum.de> <20050224145845.GB9592@hanuman.astro.su.se> <421F655E.9030303@in.tum.de> <42202598.4050504@in.tum.de>
Message-ID: <4221566B.6010008@zip.com.au>

Daniel Kastenholz wrote:
> However, the daemon behaves slightly differently when the "DenyUsers *"
> option is used. By default, sshd disconnects when the third wrong set of
> credentials has been provided. With "DenyUsers *", this always happens
> after the first attempt.

Any such differences in behaviour ought to be found and fixed.

Under what circumstances does this occur? (Compile options, config options, authentication method, valid/invalid user?) A quick test here with 3.9p1 shows the same behaviour for password and pubkey authentication (ie sshd just denies the auth attempt and the client can retry, up until the client disconnects or the MaxAuthTries limit is reached).

Could you post the server-side debugging for both instances?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From daniel.kastenholz at in.tum.de Sun Feb 27 20:35:17 2005
From: daniel.kastenholz at in.tum.de (Daniel Kastenholz)
Date: Sun, 27 Feb 2005 10:35:17 +0100
Subject: Suggestion: SSHD pseudo/fake mode. Source available.
In-Reply-To: <4221566B.6010008@zip.com.au>
References: <421DDC84.9040107@in.tum.de> <20050224145845.GB9592@hanuman.astro.su.se> <421F655E.9030303@in.tum.de> <42202598.4050504@in.tum.de> <4221566B.6010008@zip.com.au>
Message-ID: <42219455.5010900@in.tum.de>

Excuse me, am I missing anything? Usually, developers on open source mailing lists complain about the gimme-gimme mentality of the writers because otherwise they couldn't handle the many feature requests. That's why I tried not to bother you with newbie questions, pointed out the missing feature in short, proposed a solution, sent you a clear and documented patch as requested, and notified you that the original version doesn't work as expected. All I'm getting back from you is either "do this", "do that" or just ignorance. Could it be that you're applying double standards here? At least "thanks" would have been nice to hear in between.

I'm giving this up. Apply the patch or stick to your broken solution.

Darren Tucker wrote:
> Daniel Kastenholz wrote:
>
>> However, the daemon behaves slightly differently when the "DenyUsers *"
>> option is used. By default, sshd disconnects when the third wrong set
>> of credentials has been provided. With "DenyUsers *", this always
>> happens after the first attempt.
>
> Any such differences in behaviour ought to be found and fixed.
>
> Under what circumstances does this occur? (Compile options, config
> options, authentication method, valid/invalid user?) A quick test
> here with 3.9p1 shows the same behaviour for password and pubkey
> authentication (ie sshd just denies the auth attempt and the client
> can retry, up until the client disconnects or the MaxAuthTries limit
> is reached).
>
> Could you post the server-side debugging for both instances?

From dtucker at zip.com.au Sun Feb 27 20:59:34 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 27 Feb 2005 20:59:34 +1100
Subject: Suggestion: SSHD pseudo/fake mode. Source available.
In-Reply-To: <42219455.5010900@in.tum.de>
References: <421DDC84.9040107@in.tum.de> <20050224145845.GB9592@hanuman.astro.su.se> <421F655E.9030303@in.tum.de> <42202598.4050504@in.tum.de> <4221566B.6010008@zip.com.au> <42219455.5010900@in.tum.de>
Message-ID: <42219A06.9030906@zip.com.au>

Daniel Kastenholz wrote:
> Excuse me, am I missing anything? Usually, developers on open source
> mailing lists complain about the gimme-gimme mentality of the writers
> because otherwise they couldn't handle the many feature requests. That's
> why I tried not to bother you with newbie questions, pointed out the
> missing feature in short, proposed a solution, sent you a clear and
> documented patch as requested, and notified you that the original version
> doesn't work as expected. All I'm getting back from you is either "do
> this", "do that" or just ignorance. Could it be that you're applying
> double standards here? At least "thanks" would have been nice to hear in
> between. I'm giving this up. Apply the patch or stick to your broken
> solution.

Sigh.

If you found my language abrupt then I apologise for that. (After doing this for a while I have found that my writing tends to get briefer. This is intended to be succinct, not rude.)

I was saying that the difference you observed with "DenyUsers *" in the existing code should be fixed, which would remove the need for additional config options. I was unable to reproduce the behaviour you described and asked for additional information so that I could determine why it behaves that way so that we can fix it.

So, would you please provide the server-side debug traces so that we can figure out the cause of the discrepancies you noted and fix them?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From daniel.kastenholz at in.tum.de Sun Feb 27 23:04:32 2005
From: daniel.kastenholz at in.tum.de (Daniel Kastenholz)
Date: Sun, 27 Feb 2005 13:04:32 +0100
Subject: Suggestion: SSHD pseudo/fake mode. Source available.
In-Reply-To: <42219A06.9030906@zip.com.au>
References: <421DDC84.9040107@in.tum.de> <20050224145845.GB9592@hanuman.astro.su.se> <421F655E.9030303@in.tum.de> <42202598.4050504@in.tum.de> <4221566B.6010008@zip.com.au> <42219455.5010900@in.tum.de> <42219A06.9030906@zip.com.au>
Message-ID: <4221B750.1090404@in.tum.de>

Hope this helps.

[PROBLEM]
---
[Description:]
- Difference in sshd behaviour with option "DenyUsers=*" (Daemon closes connection after first wrong set of credentials)
---
[Applies to version:]
OpenSSH_3.7.1p2 (Suse 9.0)
---
[Steps to reproduce:]
- Launch sshd from command line
- Launch ssh from command line
- Enter wrong password
---

[TEST CASE 1]
---
[Server command line:]
sshd -o Port=2222 -d -d -d > out.txt 2>&1
---
[Client command line:]
ssh -p 2222 root at localhost
---
[Expected behaviour:]
- Daemon should deny login and ask 2 more times
---
[Actual behaviour:]
- Daemon behaves as expected
---
[out.txt:]
debug2: read_server_config: filename /etc/ssh/sshd_config
debug1: sshd version OpenSSH_3.7.1p2
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from ::ffff:127.0.0.1 port 32775 debug1: Client protocol version 2.0; client software version OpenSSH_3.7.1p2 debug1: match: OpenSSH_3.7.1p2 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_3.7.1p2 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: 
kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug2: dh_gen_key: priv key bits set: 134/256 debug2: bits set: 1624/3191 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug2: bits set: 1605/3191 debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user root service ssh-connection method none debug1: attempt 0 failures 0 debug2: input_userauth_request: setting up authctxt for root debug1: PAM: initializing for "root" debug3: Trying to reverse map address 127.0.0.1. 
debug1: PAM: setting PAM_RHOST to "localhost" debug1: PAM: setting PAM_TTY to "ssh" debug2: input_userauth_request: try method none Failed none for root from ::ffff:127.0.0.1 port 32775 ssh2 debug1: userauth-request for user root service ssh-connection method keyboard-interactive debug1: attempt 1 failures 1 debug2: input_userauth_request: try method keyboard-interactive debug1: keyboard-interactive devs debug1: auth2_challenge: user=root devs= debug1: kbdint_alloc: devices 'pam' debug2: auth2_challenge_start: devices pam debug2: kbdint_next_device: devices debug1: auth2_challenge_start: trying authentication method 'pam' debug3: ssh_msg_recv entering debug3: ssh_msg_send: type 1 Postponed keyboard-interactive for root from ::ffff:127.0.0.1 port 32775 ssh2 debug3: ssh_msg_recv entering debug2: PAM: sshpam_respond debug3: ssh_msg_send: type 6 debug3: ssh_msg_send: type 7 debug3: ssh_msg_recv entering PAM: Authentication failure debug2: auth2_challenge_start: devices Failed keyboard-interactive/pam for root from ::ffff:127.0.0.1 port 32775 ssh2 debug1: userauth-request for user root service ssh-connection method keyboard-interactive debug1: attempt 2 failures 2 debug2: input_userauth_request: try method keyboard-interactive debug1: keyboard-interactive devs debug1: auth2_challenge: user=root devs= debug1: kbdint_alloc: devices 'pam' debug2: auth2_challenge_start: devices pam debug2: kbdint_next_device: devices debug1: auth2_challenge_start: trying authentication method 'pam' debug3: ssh_msg_send: type 1 debug3: ssh_msg_recv entering debug3: ssh_msg_recv entering Postponed keyboard-interactive for root from ::ffff:127.0.0.1 port 32775 ssh2 debug2: PAM: sshpam_respond debug3: ssh_msg_send: type 6 debug3: ssh_msg_recv entering debug3: ssh_msg_send: type 7 PAM: Authentication failure debug2: auth2_challenge_start: devices Failed keyboard-interactive/pam for root from ::ffff:127.0.0.1 port 32775 ssh2 debug1: userauth-request for user root service ssh-connection method 
keyboard-interactive
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=root devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 1
Postponed keyboard-interactive for root from ::ffff:127.0.0.1 port 32775 ssh2
debug3: ssh_msg_recv entering
debug2: PAM: sshpam_respond
debug3: ssh_msg_send: type 6
debug3: ssh_msg_recv entering
debug3: ssh_msg_send: type 7
PAM: Authentication failure
debug2: auth2_challenge_start: devices
Failed keyboard-interactive/pam for root from ::ffff:127.0.0.1 port 32775 ssh2
Connection closed by ::ffff:127.0.0.1
debug1: Calling cleanup 0x8066f50(0x0)
debug1: PAM: cleanup
debug1: Calling cleanup 0x80733b0(0x0)

[TEST CASE 2]
---
[Server command line:]
sshd -o Port=2222 -d -d -d -o DenyUsers="*" > out.txt 2>&1
---
[Client command line:]
ssh -p 2222 root at localhost
---
[Expected behaviour:]
- Daemon should deny login and ask 2 more times
---
[Actual behaviour:]
- Daemon denies first login and closes connection
---
[out.txt:]
debug2: read_server_config: filename /etc/ssh/sshd_config
debug1: sshd version OpenSSH_3.7.1p2
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from ::ffff:127.0.0.1 port 32772 debug1: Client protocol version 2.0; client software version OpenSSH_3.7.1p2 debug1: match: OpenSSH_3.7.1p2 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_3.7.1p2 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: 
kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug2: dh_gen_key: priv key bits set: 130/256 debug2: bits set: 1626/3191 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug2: bits set: 1576/3191 debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user root service ssh-connection method none debug1: attempt 0 failures 0 debug3: Trying to reverse map address 127.0.0.1. User root not allowed because listed in DenyUsers input_userauth_request: illegal user root debug1: PAM: initializing for "root" debug1: PAM: setting PAM_RHOST to "localhost" debug1: PAM: setting PAM_TTY to "ssh" debug2: input_userauth_request: try method none Failed none for illegal user root from ::ffff:127.0.0.1 port 32772 ssh2 debug1: userauth-request for user root service ssh-connection method keyboard-interactive debug1: attempt 1 failures 1 debug2: input_userauth_request: try method keyboard-interactive debug1: keyboard-interactive devs debug1: auth2_challenge: user=root devs= debug1: kbdint_alloc: devices 'pam' debug2: auth2_challenge_start: devices pam debug2: kbdint_next_device: devices debug1: auth2_challenge_start: trying authentication method 'pam' debug3: ssh_msg_send: type 1 debug3: ssh_msg_recv entering debug3: ssh_msg_recv entering Postponed keyboard-interactive for illegal user root from ::ffff:127.0.0.1 port 32772 ssh2 debug2: auth2_challenge_start: devices Failed 
keyboard-interactive/pam for illegal user root from ::ffff:127.0.0.1 port 32772 ssh2 debug1: userauth-request for user root service ssh-connection method keyboard-interactive debug1: attempt 2 failures 2 debug2: input_userauth_request: try method keyboard-interactive debug1: keyboard-interactive devs debug1: auth2_challenge: user=root devs= debug1: kbdint_alloc: devices 'pam' debug2: auth2_challenge_start: devices pam debug2: kbdint_next_device: devices debug1: auth2_challenge_start: trying authentication method 'pam' debug3: ssh_msg_send: type 7 debug3: ssh_msg_recv entering PAM: System error Failed keyboard-interactive for illegal user root from ::ffff:127.0.0.1 port 32772 ssh2 debug1: userauth-request for user root service ssh-connection method keyboard-interactive debug1: attempt 3 failures 3 debug2: input_userauth_request: try method keyboard-interactive debug1: keyboard-interactive devs debug1: auth2_challenge: user=root devs= debug1: kbdint_alloc: devices 'pam' debug2: auth2_challenge_start: devices pam debug2: kbdint_next_device: devices debug1: auth2_challenge_start: trying authentication method 'pam' debug3: ssh_msg_send: type 7 debug3: ssh_msg_recv entering PAM: System error Failed keyboard-interactive for illegal user root from ::ffff:127.0.0.1 port 32772 ssh2 Connection closed by ::ffff:127.0.0.1 debug1: Calling cleanup 0x8066f50(0x0) debug1: PAM: cleanup debug1: Calling cleanup 0x80733b0(0x0) From dtucker at zip.com.au Sun Feb 27 23:51:57 2005 
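The difference between the two traces above is easy to lose in raw `-d -d -d` output: in the first run every keyboard-interactive attempt ends in "PAM: Authentication failure" (a bad password), while in the DenyUsers run sshd marks root as an illegal user and the later attempts end in "PAM: System error" with no password prompt in between. The script below is an added example, not code from this thread or from OpenSSH: it parses sshd debug output into one summary per client connection and says which of those two cases it is looking at. The two sample traces embedded in it are constructed, abridged excerpts of the test cases posted above; the regular expressions match only message formats visible in those traces.

```python
"""Summarise "sshd -d -d -d" output per client connection.
Added example, not code from the thread or from OpenSSH. SAMPLE_* are
constructed, abridged excerpts of the two test-case traces posted above.
"""
import re
from dataclasses import dataclass, field

DEBUG_RE = re.compile(r"^debug\d: ")
CONN_RE = re.compile(r"^Connection from (\S+) port (\d+)")
AUTHREQ_RE = re.compile(r"^userauth-request for user (\S+) service \S+ method (\S+)")
FAILED_RE = re.compile(r"^Failed (\S+) for (illegal user )?(\S+) from \S+ port \d+")
PAM_RE = re.compile(r"^PAM: (Authentication failure|System error)")
DENY_RE = re.compile(r"^User \S+ not allowed because listed in DenyUsers")
CLOSED_RE = re.compile(r"^Connection closed by ")


@dataclass
class ConnSummary:
    peer: str
    user: str = ""
    requested: list = field(default_factory=list)    # methods the client offered
    failures: list = field(default_factory=list)     # methods sshd logged as Failed
    pam_results: list = field(default_factory=list)  # non-debug "PAM: ..." verdicts
    illegal_user: bool = False                       # DenyUsers/AllowUsers hit
    closed: bool = False

    @property
    def tries(self):
        """Failed attempts that carried credentials ("none" is only a probe)."""
        return [m for m in self.failures if m != "none"]


def parse_sshd_debug(text):
    """One ConnSummary per 'Connection from' record; startup noise before it is skipped."""
    conns, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        is_debug = bool(DEBUG_RE.match(line))
        body = DEBUG_RE.sub("", line, count=1)      # drop the "debugN: " prefix
        if m := CONN_RE.match(body):
            cur = ConnSummary(peer=f"{m.group(1)}:{m.group(2)}")
            conns.append(cur)
        elif cur is None:
            continue
        elif m := AUTHREQ_RE.match(body):
            cur.user = m.group(1)
            cur.requested.append(m.group(2))
        elif m := FAILED_RE.match(body):
            cur.failures.append(m.group(1))
            cur.illegal_user |= bool(m.group(2))
        elif DENY_RE.match(body):
            cur.illegal_user = True
        elif not is_debug and (m := PAM_RE.match(body)):  # "debug1: PAM: cleanup" is no verdict
            cur.pam_results.append(m.group(1))
        elif CLOSED_RE.match(body):
            cur.closed = True
    return conns


def diagnose(c):
    """One-line verdict: is sshd rejecting credentials, or failing internally?"""
    if c.illegal_user and "System error" in c.pam_results:
        return (f"{c.peer}: {c.user!r} denied by DenyUsers/AllowUsers, and PAM reported a "
                f"system error rather than a bad password: look at the server, not the client")
    if c.illegal_user:
        return f"{c.peer}: {c.user!r} denied by DenyUsers/AllowUsers"
    if c.tries:
        return f"{c.peer}: {len(c.tries)} ordinary failed attempt(s) for {c.user!r}"
    return f"{c.peer}: no failed attempts"


def report(text):
    return [diagnose(c) for c in parse_sshd_debug(text)]


# Constructed, abridged from test case 1 above (no DenyUsers).
SAMPLE_CASE1 = """\
Connection from ::ffff:127.0.0.1 port 32775
debug1: userauth-request for user root service ssh-connection method none
debug1: PAM: initializing for "root"
Failed none for root from ::ffff:127.0.0.1 port 32775 ssh2
debug1: userauth-request for user root service ssh-connection method keyboard-interactive
Postponed keyboard-interactive for root from ::ffff:127.0.0.1 port 32775 ssh2
debug2: PAM: sshpam_respond
PAM: Authentication failure
Failed keyboard-interactive/pam for root from ::ffff:127.0.0.1 port 32775 ssh2
debug1: userauth-request for user root service ssh-connection method keyboard-interactive
PAM: Authentication failure
Failed keyboard-interactive/pam for root from ::ffff:127.0.0.1 port 32775 ssh2
debug1: userauth-request for user root service ssh-connection method keyboard-interactive
PAM: Authentication failure
Failed keyboard-interactive/pam for root from ::ffff:127.0.0.1 port 32775 ssh2
Connection closed by ::ffff:127.0.0.1
debug1: PAM: cleanup
"""

# Constructed, abridged from test case 2 above (DenyUsers="*").
SAMPLE_CASE2 = """\
Connection from ::ffff:127.0.0.1 port 32772
debug1: userauth-request for user root service ssh-connection method none
debug3: Trying to reverse map address 127.0.0.1.
User root not allowed because listed in DenyUsers
input_userauth_request: illegal user root
Failed none for illegal user root from ::ffff:127.0.0.1 port 32772 ssh2
debug1: userauth-request for user root service ssh-connection method keyboard-interactive
Postponed keyboard-interactive for illegal user root from ::ffff:127.0.0.1 port 32772 ssh2
Failed keyboard-interactive/pam for illegal user root from ::ffff:127.0.0.1 port 32772 ssh2
debug1: userauth-request for user root service ssh-connection method keyboard-interactive
PAM: System error
Failed keyboard-interactive for illegal user root from ::ffff:127.0.0.1 port 32772 ssh2
debug1: userauth-request for user root service ssh-connection method keyboard-interactive
PAM: System error
Failed keyboard-interactive for illegal user root from ::ffff:127.0.0.1 port 32772 ssh2
Connection closed by ::ffff:127.0.0.1
debug1: PAM: cleanup
"""
```

Feed it a real capture with `report(open("out.txt").read())`; each connection comes back as one line, and the "system error rather than a bad password" verdict is the one that points at the server's own PAM path rather than at the client's credentials.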
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 27 Feb 2005 23:51:57 +1100
Subject: Suggestion: SSHD pseudo/fake mode. Source available.
In-Reply-To: <4221B750.1090404@in.tum.de>
References: <421DDC84.9040107@in.tum.de> <20050224145845.GB9592@hanuman.astro.su.se> <421F655E.9030303@in.tum.de> <42202598.4050504@in.tum.de> <4221566B.6010008@zip.com.au> <42219455.5010900@in.tum.de> <42219A06.9030906@zip.com.au> <4221B750.1090404@in.tum.de>
Message-ID: <4221C26D.4050008@zip.com.au>

Daniel Kastenholz wrote:
> Hope this helps.

Thanks. It does, I think.

What can you tell me about the host? It doesn't happen to be a recent Linux (with glibc-2.3.x), does it?

> Failed keyboard-interactive for illegal user root from ::ffff:127.0.0.1
> port 32772 ssh2
> Connection closed by ::ffff:127.0.0.1
> debug1: Calling cleanup 0x8066f50(0x0)
> debug1: PAM: cleanup
> debug1: Calling cleanup 0x80733b0(0x0)

I can reproduce it on my FC3 box. In my case, it appears to be because getnameinfo() does some dlopen tricks which don't work in a chroot, and it actually blows up deep inside glibc.

If this all applies to you, you can confirm this is the cause by doing:

# cp -a /lib /var/empty

(or wherever you configured the sshd privsep dir to be) and repeating the test. This is not a good long-term solution, though.

-- 
Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From daniel.kastenholz at in.tum.de Mon Feb 28 00:06:15 2005
From: daniel.kastenholz at in.tum.de (Daniel Kastenholz)
Date: Sun, 27 Feb 2005 14:06:15 +0100
Subject: Suggestion: SSHD pseudo/fake mode. Source available.
In-Reply-To: <4221C26D.4050008@zip.com.au>
References: <421DDC84.9040107@in.tum.de> <20050224145845.GB9592@hanuman.astro.su.se> <421F655E.9030303@in.tum.de> <42202598.4050504@in.tum.de> <4221566B.6010008@zip.com.au> <42219455.5010900@in.tum.de> <42219A06.9030906@zip.com.au> <4221B750.1090404@in.tum.de> <4221C26D.4050008@zip.com.au>
Message-ID: <4221C5C7.6050607@in.tum.de>

It's a Suse 9.0 system; not the latest distribution, admittedly, but up to date as far as patches go.

# rpm -qa | grep glibc
glibc-devel-2.3.2-87
glibc-2.3.2-88
glibc-locale-2.3.2-87
glibc-info-2.3.2-97
# cat /proc/sys/kernel/osrelease
2.4.21-273-default
# rpm -qa | grep pam
pam-modules-9.0-5
yast2-pam-2.8.5-65
pam-0.77-129

Darren Tucker wrote:
> Daniel Kastenholz wrote:
>
>> Hope this helps.
>
>
> Thanks. It does, I think.
>
> What can you tell me about the host? It doesn't happen to be a recent
> Linux (with glibc-2.3.x), does it?
>
>> Failed keyboard-interactive for illegal user root from
>> ::ffff:127.0.0.1 port 32772 ssh2
>> Connection closed by ::ffff:127.0.0.1
>> debug1: Calling cleanup 0x8066f50(0x0)
>> debug1: PAM: cleanup
>> debug1: Calling cleanup 0x80733b0(0x0)
>
>
> I can reproduce it on my FC3 box. In my case, it appears to be
> because getnameinfo() does some dlopen tricks which don't work in a
> chroot, and it actually blows up deep inside glibc.
>
> If this all applies to you, you can confirm this is the cause by doing:
>
> # cp -a /lib /var/empty
>
> (or wherever you configured the sshd privsep dir to be) and repeating
> the test. This is not a good long-term solution, though.
>

From dtucker at zip.com.au Mon Feb 28 08:17:34 2005
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 28 Feb 2005 08:17:34 +1100
Subject: Suggestion: SSHD pseudo/fake mode. Source available.
In-Reply-To: <4221C5C7.6050607@in.tum.de>
References: <421DDC84.9040107@in.tum.de> <20050224145845.GB9592@hanuman.astro.su.se> <421F655E.9030303@in.tum.de> <42202598.4050504@in.tum.de> <4221566B.6010008@zip.com.au> <42219455.5010900@in.tum.de> <42219A06.9030906@zip.com.au> <4221B750.1090404@in.tum.de> <4221C26D.4050008@zip.com.au> <4221C5C7.6050607@in.tum.de>
Message-ID: <422238EE.2050001@zip.com.au>

Daniel Kastenholz wrote:
> It's a Suse 9.0 system; not the latest distribution, admittedly, but up
> to date as far as patches go.
>
> # rpm -qa | grep glibc
> glibc-devel-2.3.2-87
> glibc-2.3.2-88

OK, it's quite possible that you're seeing the same problem I am. If so, copying /lib as described in my earlier message ought to make a difference.

-- 
Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From stuge-openssh-unix-dev at cdy.org Mon Feb 28 11:20:18 2005
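Darren's diagnosis above (getnameinfo() called from inside the empty privsep chroot, where glibc's resolver cannot dlopen its NSS modules) carries a general lesson for any daemon that drops into a chroot: do every lookup that needs /etc, /lib or NSS while the process can still see them, treat a failed reverse lookup as an ordinary outcome rather than a crash, and hand the resulting strings to the sandboxed code. The script below is an added example of that ordering, not code from this thread or from OpenSSH. The default /var/empty path and the `privsep_dir_has_libs` check are assumptions built from the `cp -a /lib /var/empty` experiment above; the chroot step needs root and is skipped otherwise.

```python
"""Resolve the peer before entering a chroot, then reuse the cached result.

Added example, not code from the thread or from OpenSSH. Demonstrates the
ordering implied by the getnameinfo()-in-chroot diagnosis above: look
things up while /etc and /lib are still visible, never let a failed
reverse lookup abort the process, and only then chroot. /var/empty is an
assumed privsep directory; the chroot step runs only when we are root.
"""
import os
import socket
import sys


def lookup(addr, port, numeric=False):
    """Reverse-map (addr, port). Returns (host, service, error) and never raises."""
    flags = socket.NI_NUMERICSERV | (socket.NI_NUMERICHOST if numeric else socket.NI_NAMEREQD)
    try:
        host, serv = socket.getnameinfo((addr, port), flags)
        return host, serv, None
    except OSError as e:                # socket.gaierror is a subclass of OSError
        return None, None, str(e)


class PeerInfo:
    """Everything later (sandboxed) code may want to log about the peer, resolved up front."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.numeric = lookup(addr, port, numeric=True)[0]
        self.name, _, self.lookup_error = lookup(addr, port)

    def display(self):
        # sshd's own log lines fall back to the numeric address when there is no name
        return self.name or self.numeric


def privsep_dir_has_libs(path):
    """The confirming experiment from the thread, as a check: is there a lib/ in the jail?
    (Copying /lib into the privsep dir proves the cause; it is not the fix.)"""
    return os.path.isdir(os.path.join(path, "lib"))


def enter_chroot(path):
    """chroot(2) and chdir('/'); returns False when not permitted (non-root)."""
    try:
        os.chroot(path)
        os.chdir("/")
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # usage: python3 resolve_then_chroot.py 127.0.0.1 32772 [/var/empty]
    addr, port = sys.argv[1], int(sys.argv[2])
    jail = sys.argv[3] if len(sys.argv) > 3 else "/var/empty"   # assumed privsep dir
    peer = PeerInfo(addr, port)                                  # resolved while privileged
    print("before chroot:", peer.display(), "(error: %s)" % peer.lookup_error)
    print("jail has lib/:", privsep_dir_has_libs(jail))
    if enter_chroot(jail):
        host, _, err = lookup(addr, port)                        # same call, inside the jail
        print("inside chroot: %s (error: %s)" % (host, err))
        print("cached result still usable:", peer.display())
    else:
        print("not root; chroot step skipped")
```

Run as root against an empty directory and the second lookup reports an error (or, with a resolver that misbehaves in a chroot, worse) while `peer.display()` still returns the name resolved beforehand; that is the ordering a privilege-separated daemon wants. In Python the failure inside the jail surfaces as an exception that `lookup` turns into a return value; the C caller in sshd had no such safety net, which is why the trace above shows "PAM: System error" instead of a password prompt.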
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Mon, 28 Feb 2005 01:20:18 +0100
Subject: FTP specific port forwarding
In-Reply-To: <45ddf60905022611442e1fc7d7@mail.gmail.com>
References: <45ddf6090502241001f11ab5f@mail.gmail.com> <421E53EB.5060500@zip.com.au> <20050226165144.GB8604@foo.birdnet.se> <45ddf60905022611442e1fc7d7@mail.gmail.com>
Message-ID: <20050228002018.GA25986@foo.birdnet.se>

On Sat, Feb 26, 2005 at 01:44:06PM -0600, Henrik Bentel wrote:
> Don't know much about VPN. I'm restricted by customer's policy of
> only ssh traffic (over port 22) between protected subnets.

This is getting off-topic, but OpenVPN can work over a single TCP port (as opposed to the default UDP port) just fine, and you can disable the security things in it. That way you can have a real VPN on top of SSH with good security (provided by SSH).

Note that there may be performance issues when layering TCP on top of TCP, however, but they're probably only a problem when the link is less than high quality, i.e. has a few percent consistent packet loss.

//Peter

From tim at multitalents.net Sat Feb 26 12:33:24 2005
From: tim at multitalents.net (Tim Rice)
Date: Fri, 25 Feb 2005 17:33:24 -0800 (PST)
Subject: drop support for SCO 3.2v4.2
Message-ID:

I'm considering committing something like this.

--------------------------------
--- configure.ac.old 2005-02-24 19:47:25.361190001 -0800
+++ configure.ac 2005-02-25 12:33:35.341390018 -0800
@@ -374,23 +374,7 @@ ;; # SCO UNIX and OEM versions of SCO UNIX *-*-sco3.2v4*) - CPPFLAGS="$CPPFLAGS -Dftruncate=chsize" [snip next 16 deleted lines] + AC_MSG_ERROR("This Platform is no longer supported.") ;; # SCO OpenServer 5.x *-*-sco3.2v5*) --------------------------------

I no longer have the time or interest in supporting OpenSSH on the very old 3.2v4.2 platform. The TCP/IP stack is so old it's too much of a pain to make it work. I have OpenSSH_3.8.1p1 working and, if I remember correctly, I had 3.9p1 working, but there have been many changes since 3.9p1.

If anyone still needs OpenSSH on SCO3, now is the time to test the current snapshots and submit patches.

-- 
Tim Rice Multitalents (707) 887-1469 tim at multitalents.net
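Review bot: the added `AC_MSG_ERROR("This Platform is no longer supported.")` in the `*-*-sco3.2v4*)` case passes its argument in shell double quotes rather than m4 brackets; the autoconf convention is `AC_MSG_ERROR([...])`, which keeps the text intact if it ever gains a comma or a parenthesis, and the message would be more useful to whoever trips it if it named the platform, e.g. `AC_MSG_ERROR([SCO 3.2v4 is no longer supported])`. The hunk header (-374,23 +374,7) agrees with the one shown plus sixteen snipped deletions and one addition, and the trailing `;;` survives as context, so the case body stays consistent.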