From bob at proulx.com Tue May 1 00:43:15 2007 
From: bob at proulx.com (Bob Proulx)
Date: Mon, 30 Apr 2007 08:43:15 -0600
Subject: setting current dir of remote shell
In-Reply-To:
References: <4631520E.4080602@zip.com.au> <4631536C.5030602@zip.com.au> <20070427172037.GA5099@dementia.proulx.com> <20070430002558.GA29914@dementia.proulx.com>
Message-ID: <20070430144315.GA10368@dementia.proulx.com>

Dave Yost wrote:
> Thanks for pointing out the subtleties of exec -l.
>
> But there's a problem.
>
> Zsh doesn't support exec -l but instead supports "zsh -l".

Oh well... I was aware that csh did not support 'csh -l' but not being a zsh user I did not know about it. But it is not required by POSIX and so is really only available opportunistically.

> Doing what you propose doesn't work when the remote shell is zsh.
> And doing it the way that works for remote zsh fails with remote bash.
>
> Is this the unsolvable problem it appears to be?

Unsolvable? I am not sure how much of a real problem it would be in that case.

A bigger problem that I think has been discussed before without resolution that I recall is that ssh is compatible with rsh and invokes the /etc/passwd specified shell. That can be a different shell on different hosts. This can make it difficult to write scripts that use ssh to invoke commands on remote hosts. I wish ssh had an option (e.g. -oCommandShell=/bin/sh) that specified to ignore the /etc/passwd shell and instead always invoke /bin/sh (or other POSIX shell) on the remote machine. Because for me not having a known syntax that works on all machines is difficult to work around. But if I could say 'ssh -oCommandShell=/bin/sh' and guarantee invoking /bin/sh instead of csh, ksh, etc. that was configured for that account I could more easily make use of ssh in batch mode.

There are two problems that I see. One is that I always want to get the POSIX shell to execute scripts. But I prefer a different shell for interactive use. So normally for me the configured shell won't be a POSIX shell.
Presently ssh (AFAICT) does not give a way to get to a POSIX shell on the remote machine. ('ssh $HOST /bin/sh -c "cmd args"' almost works but requires an extra layer of shell quoting in the account's shell.)

Two is that often admins don't set up accounts locally (NIS/YP, LDAP) and users are often not given the ability to change their shell in the remote database. Argh. I hate that. I am often stuck with csh on a system and am unable to change it.

This is a related problem of reliably invoking commands on the remote machine. I think that is the first layer of the problem.

Bob

From stuge-openssh-unix-dev at cdy.org Tue May 1 00:47:56 2007
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Mon, 30 Apr 2007 16:47:56 +0200
Subject: setting current dir of remote shell
In-Reply-To: <20070430144315.GA10368@dementia.proulx.com>
References: <4631520E.4080602@zip.com.au> <4631536C.5030602@zip.com.au> <20070427172037.GA5099@dementia.proulx.com> <20070430002558.GA29914@dementia.proulx.com> <20070430144315.GA10368@dementia.proulx.com>
Message-ID: <20070430144756.7705.qmail@cdy.org>

On Mon, Apr 30, 2007 at 08:43:15AM -0600, Bob Proulx wrote:
> I wish ssh had an option (e.g. -oCommandShell=/bin/sh)

That would allow the client to circumvent any security policy usually enforced by the shell on the server, which is a rather bad idea.

I do appreciate your problem though. :\

I would yell at the csh-system admin (I can't work, etc) until I got a different shell.

//Peter

From bob at proulx.com Tue May 1 01:36:50 2007
From: bob at proulx.com (Bob Proulx)
Date: Mon, 30 Apr 2007 09:36:50 -0600
Subject: setting current dir of remote shell
In-Reply-To: <20070430144756.7705.qmail@cdy.org>
References: <4631520E.4080602@zip.com.au> <4631536C.5030602@zip.com.au> <20070427172037.GA5099@dementia.proulx.com> <20070430002558.GA29914@dementia.proulx.com> <20070430144315.GA10368@dementia.proulx.com> <20070430144756.7705.qmail@cdy.org>
Message-ID: <20070430153650.GA31008@dementia.proulx.com>

Peter Stuge wrote:
> Bob Proulx wrote:
> > I wish ssh had an option (e.g. -oCommandShell=/bin/sh)
>
> That would allow the client to circumvent any security policy usually
> enforced by the shell on the server, which is a rather bad idea.

Uhm... Why? I don't understand. (But I can appreciate that a naive implementation may create problems.)

Normally a user can invoke any arbitrary command on a remote machine. Invoking /bin/sh is just another command at that point. It will either be allowed or it won't be allowed by the security policy enforced on the server. Therefore I don't understand the issue as raised. I don't see how in principle this would circumvent the server security policy.

Bob

From tim at multitalents.net Tue May 1 02:18:57 2007
From: tim at multitalents.net (Tim Rice)
Date: Mon, 30 Apr 2007 09:18:57 -0700 (PDT)
Subject: setting current dir of remote shell
In-Reply-To: <20070430153650.GA31008@dementia.proulx.com>
References: <4631520E.4080602@zip.com.au> <4631536C.5030602@zip.com.au> <20070427172037.GA5099@dementia.proulx.com> <20070430002558.GA29914@dementia.proulx.com> <20070430144315.GA10368@dementia.proulx.com> <20070430144756.7705.qmail@cdy.org> <20070430153650.GA31008@dementia.proulx.com>
Message-ID:

On Mon, 30 Apr 2007, Bob Proulx wrote:
> Peter Stuge wrote:
> > Bob Proulx wrote:
> > > I wish ssh had an option (e.g. -oCommandShell=/bin/sh)
> >
> > That would allow the client to circumvent any security policy usually
> > enforced by the shell on the server, which is a rather bad idea.
>
> Uhm... Why? I don't understand. (But I can appreciate that a naive
> implementation may create problems.)

How about the case where rssh is the login shell and it's configured to only allow sftp access in a chroot'd environment.

--
Tim Rice Multitalents (707) 887-1469 tim at multitalents.net

From stuge-openssh-unix-dev at cdy.org Tue May 1 02:21:36 2007
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Mon, 30 Apr 2007 18:21:36 +0200
Subject: setting current dir of remote shell
In-Reply-To: <20070430153650.GA31008@dementia.proulx.com>
References: <4631520E.4080602@zip.com.au> <4631536C.5030602@zip.com.au> <20070427172037.GA5099@dementia.proulx.com> <20070430002558.GA29914@dementia.proulx.com> <20070430144315.GA10368@dementia.proulx.com> <20070430144756.7705.qmail@cdy.org> <20070430153650.GA31008@dementia.proulx.com>
Message-ID: <20070430162136.21933.qmail@cdy.org>

On Mon, Apr 30, 2007 at 09:36:50AM -0600, Bob Proulx wrote:
> > > I wish ssh had an option (e.g. -oCommandShell=/bin/sh)
> >
> > That would allow the client to circumvent any security policy
> > usually enforced by the shell on the server, which is a rather
> > bad idea.
>
> Uhm... Why? I don't understand. (But I can appreciate that a
> naive implementation may create problems.)
>
> Normally a user can invoke any arbitrary command on a remote
> machine.

Mh, well, no, not unless the shell permits it. Both "exec" and "shell" in the SSH protocol use the user's shell to run the command. This is utilized by restricted shells.

//Peter

From johan at e-626.net Tue May 1 02:23:54 2007
From: johan at e-626.net (Johan Andersson)
Date: Mon, 30 Apr 2007 18:23:54 +0200
Subject: GSSAPIDelegateCredentials fails with a segfault
Message-ID: <4636181A.9010805@e-626.net>

Hi,

I'm trying to use the GSSAPIDelegateCredentials function to forward my kerberos 5 tickets. Authentication with GSSAPI/Kerberos 5 works fine, I can log in to the server when I have valid tickets on my client. But when I turn on GSSAPIDelegateCredentials I get "Connection reset by peer" at the client side. At the server side, I have been able to see that the user process gets a segfault just after writing to the tickets cache.

I'm using:
openssh-4.5p1 (tested with 4.6p1 also)
heimdal-0.7.2
on a Gentoo 2006.1 i686 system.

First off: Has anyone seen this before?

Second: Even though I have set the core limit to 100M in limits.conf and verified that it gets set using strace -f /usr/sbin/sshd, I don't get any coredump. Is there any good way of debugging these kinds of problems?

/Johan Andersson

From sxw at inf.ed.ac.uk Tue May 1 03:13:43 2007
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Mon, 30 Apr 2007 18:13:43 +0100
Subject: GSSAPIDelegateCredentials fails with a segfault
In-Reply-To: <4636181A.9010805@e-626.net>
References: <4636181A.9010805@e-626.net>
Message-ID:

On 30 Apr 2007, at 17:23, Johan Andersson wrote:
>
> First off: Has anyone seen this before?

No, this is the first report I've seen of this problem. Have you made sure that all of your library dependencies are correct? That is, that you're building, and running, against the same version of libgssapi. Unfortunately, some vendors have taken to shipping a libgssapi which doesn't conform to the GSSAPI API - this often causes segfaults at unexpected moments.

> Second: Even though I have set the core limit to 100M in
> limits.conf and
> verified that it gets set using strace -f /usr/sbin/sshd, I don't get
> any coredump. Is there any good way of debugging these kinds of
> problems?

Privsep makes it pretty tricky to follow through all of the processes with a debugger. Often the easiest thing to do is to instrument the code. If it is dying where you think it is, then adding additional debug statements to ssh_gssapi_krb5_storecreds is the best place to start. In particular, it's worth seeing if the call to gss_krb5_copy_ccache is succeeding.

Simon.

From dtucker at zip.com.au Tue May 1 10:41:07 2007
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 01 May 2007 10:41:07 +1000
Subject: GSSAPIDelegateCredentials fails with a segfault
In-Reply-To:
References: <4636181A.9010805@e-626.net>
Message-ID: <46368CA3.1030202@zip.com.au>

Simon Wilkinson wrote:
> On 30 Apr 2007, at 17:23, Johan Andersson wrote:
>> First off: Has anyone seen this before?
>
> No, this is the first report I've seen of this problem.

I've seen something similar but with keyboard-interactive, which ended up being caused by a bug in glibc which was triggered by a name service lookup from inside a chroot. It's possible that you're seeing the same thing (and it would explain why there's no core dump: the chrooted child does not have permission to write anywhere).

Try creating "dev" and "lib" directories inside your privsep dir (/var/empty by default) and if the problem goes away then this is the most likely cause.

[...]
> Privsep makes it pretty tricky to follow through all of the processes
> with a debugger. Often the easiest thing to do is to instrument the
> code. If it is dying where you think it is, then adding additional
> debug statements to ssh_gssapi_krb5_storecreds is the best place to
> start. In particular, it's worth seeing if the call to
> gss_krb5_copy_ccache is succeeding.

The first thing I usually try is running in debug mode without privsep under a debugger. If that doesn't exhibit the problem, I have been known to add a "sleep(60)" just after the fork in the child and attach a debugger at that point.

Another possibility is to tell the kernel to write core dumps elsewhere temporarily (eg "sysctl kernel.core_pattern=/tmp/core; sysctl kernel.core_uses_pid=1") but I haven't tried this.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Tue May 1 11:25:05 2007
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 01 May 2007 11:25:05 +1000
Subject: setting current dir of remote shell
In-Reply-To: <20070430144315.GA10368@dementia.proulx.com>
References: <4631520E.4080602@zip.com.au> <4631536C.5030602@zip.com.au> <20070427172037.GA5099@dementia.proulx.com> <20070430002558.GA29914@dementia.proulx.com> <20070430144315.GA10368@dementia.proulx.com>
Message-ID: <463696F1.1000603@zip.com.au>

Bob Proulx wrote:
> Presently ssh (AFAICT) does not give a way to get to a
> POSIX shell on the remote machine. ('ssh $HOST /bin/sh -c "cmd args"'
> almost works but requires an extra layer of shell quoting in the
> account's shell.)

It's not suitable for every purpose (eg if you need stdin on the command) but you can do:

ssh $HOST /bin/sh <<EOD
cmd args
EOD

which does not subject the command to the remote shell's quoting.

From: bob at proulx.com (Bob Proulx)
Subject: setting current dir of remote shell
In-Reply-To: <463696F1.1000603@zip.com.au>
References: <4631520E.4080602@zip.com.au> <4631536C.5030602@zip.com.au> <20070427172037.GA5099@dementia.proulx.com> <20070430002558.GA29914@dementia.proulx.com> <20070430144315.GA10368@dementia.proulx.com> <463696F1.1000603@zip.com.au>
Message-ID: <20070501051718.GA9286@dementia.proulx.com>

Darren Tucker wrote:
> It's not suitable for every purpose (eg if you need stdin on the
> command) but you can do:
>
> ssh $HOST /bin/sh <<EOD
> cmd args
> EOD
>
> which does not subject the command to the remote shell's quoting.

Yes. That is a good suggestion. I have used that technique to good success.

Bob

From johan at e-626.net Tue May 1 20:23:44 2007
From: johan at e-626.net (Johan Andersson)
Date: Tue, 01 May 2007 12:23:44 +0200
Subject: GSSAPIDelegateCredentials fails with a segfault
In-Reply-To: <46368CA3.1030202@zip.com.au>
References: <4636181A.9010805@e-626.net> <46368CA3.1030202@zip.com.au>
Message-ID: <46371530.4080106@e-626.net>

Darren Tucker wrote:
> Simon Wilkinson wrote:
>> On 30 Apr 2007, at 17:23, Johan Andersson wrote:
>>> First off: Has anyone seen this before?
>>
>> No, this is the first report I've seen of this problem.
>
> I've seen something similar but with keyboard-interactive, which ended
> up being caused by a bug in glibc which was triggered by a name service
> lookup from inside a chroot. It's possible that you're seeing the same
> thing (and it would explain why there's no core dump: the chrooted child
> does not have permission to write anywhere).
>
> Try creating "dev" and "lib" directories inside your privsep dir
> (/var/empty by default) and if the problem goes away then this is the
> most likely cause.
> [...]

Thanks, this is it. After creating /var/empty/lib and /var/empty/dev, this problem disappeared. Now that you say it, I have seen similar problems in CVS-pserver when using glibc-2.5 with an old linux kernel (<2.6.16). So I guess we can blame this on some faulty error handling in glibc-2.5.

But this raises a new problem: The ticket cache /tmp/krb5cc_xxxxxx is owned by root and not by the user, so klist fails with a "Permission denied". Any idea about this?

/Johan Andersson

From 1bapatv at toysrus.com Tue May 1 23:01:00 2007
From: 1bapatv at toysrus.com (Bapat, Vinayak)
Date: Tue, 1 May 2007 09:01:00 -0400
Subject: problem while doing make - openssh on sco unix 7.1
Message-ID: <7CB57EABD6C23342AA8282DA82069899230C5938@msg01psp.tru.com>

I am trying to install openssh on sco unix 7.1 and getting the following error, please help.

I have installed
zlib - zlib-1.2.3
Openssl openssl-0.9.8e
Openssh openssh-4.6p1

# make
if test ! -z "yes"; then \
	/usr/bin/perl ./fixprogs ssh_prng_cmds ; \
fi
(cd openbsd-compat && make)
cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -L/usr/local/lib -lssh -lopenbsd-compat -lresolv -liaf -lcrypto -lsocket -lnsl -lgen -lz -lcrypt
cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o audit-bsm.o platform.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib -L/usr/local/lib -lssh -lopenbsd-compat -lresolv -liaf -lcrypto -lsocket -lnsl -lgen -lz -lcrypt
Undefined                       first referenced
 symbol                             in file
osr5bigcrypt                        openbsd-compat//libopenbsd-compat.a(port-uw.o)
UX:ld: ERROR: sshd: fatal error: Symbol referencing errors. No output written to sshd
*** Error code 1 (bu21)
UX:make: ERROR: fatal error.

# uname -a
UnixWare newspo 5 7.1.0 i386 x86at SCO UNIX_SVR5
From tim at multitalents.net Wed May 2 03:39:59 2007
From: tim at multitalents.net (Tim Rice)
Date: Tue, 1 May 2007 10:39:59 -0700 (PDT)
Subject: problem while doing make - openssh on sco unix 7.1
In-Reply-To: <7CB57EABD6C23342AA8282DA82069899230C5938@msg01psp.tru.com>
References: <7CB57EABD6C23342AA8282DA82069899230C5938@msg01psp.tru.com>
Message-ID:

On Tue, 1 May 2007, Bapat, Vinayak wrote:
> I am trying to install openssh on sco unix 7.1 and getting following error ,
> please help
>
> cc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o
> auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o
> auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o
> auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o
> auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o
> kexdhs.o kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o
> loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o
> audit-bsm.o platform.o -L. -Lopenbsd-compat/ -L/usr/local/ssl/lib
> -L/usr/local/lib -lssh -lopenbsd-compat -lresolv -liaf -lcrypto
> -lsocket -lnsl -lgen -lz -lcrypt
>
> Undefined first referenced
>
> symbol in file
>
> osr5bigcrypt
> openbsd-compat//libopenbsd-compat.a(port-uw.o)
>
> # uname -a
>
> UnixWare newspo 5 7.1.0 i386 x86at SCO UNIX_SVR5

osr5bigcrypt is in libcrypt on 7.1.1
Your best option is to update to 7.1.1 MP5
I think I remember the update from 7.1.0 to 7.1.1 being free.

If that is not an option, try this patch.
.....
--- openbsd-compat/port-uw.c.old	2007-03-26 08:42:45.584801000 -0700
+++ openbsd-compat/port-uw.c	2007-05-01 10:36:20.122636004 -0700
@@ -72,8 +72,7 @@
 	 */
 #ifdef UNIXWARE_LONG_PASSWORDS
 	if (!nischeck(pw->pw_name)) {
-		result = ((strcmp(bigcrypt(password, salt), pw_password) == 0)
-		    || (strcmp(osr5bigcrypt(password, salt), pw_password) == 0));
+		result = ((strcmp(bigcrypt(password, salt), pw_password) == 0);
 	} else
 #endif /* UNIXWARE_LONG_PASSWORDS */
.....

--
Tim Rice Multitalents (707) 887-1469 tim at multitalents.net

From sxw at inf.ed.ac.uk Wed May 2 06:28:53 2007
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Tue, 1 May 2007 21:28:53 +0100
Subject: GSSAPIDelegateCredentials fails with a segfault
In-Reply-To: <46371530.4080106@e-626.net>
References: <4636181A.9010805@e-626.net> <46368CA3.1030202@zip.com.au> <46371530.4080106@e-626.net>
Message-ID: <3F88D339-EF2E-4C26-97DF-AEF91D1E373A@inf.ed.ac.uk>

On 1 May 2007, at 11:23, Johan Andersson wrote:
>
> But this raises a new problem: The ticket cache /tmp/krb5cc_xxxxxx is
> owned by root and not by the user, so klist fails with a "Permission
> denied". Any idea about this?

This would suggest that the seteuid is failing. The credentials storage routine is always called as:

temporarily_use_uid(pw);
ssh_gssapi_storecreds();
restore_uid();

I'm not sure why this would be failing without calling fatal(), however, unless you're seeing more glibc related damage? Darren?

Simon.
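Review bot: the added line in Tim Rice's port-uw.c hunk above, `+ result = ((strcmp(bigcrypt(password, salt), pw_password) == 0);`, opens two parentheses before strcmp but closes only one, so the patched file will not compile; with the `||` alternative removed the outer pair is no longer needed and the line should read `result = (strcmp(bigcrypt(password, salt), pw_password) == 0);`. Worth saying in the mail as well that the patch drops the osr5bigcrypt comparison outright rather than guarding it on the symbol being available, so any account whose stored hash was produced by that scheme will fail password authentication on a build carrying it; that is acceptable on a 7.1.0 system whose libcrypt lacks osr5bigcrypt, as the mail notes, but it should not be carried over to 7.1.1, where the symbol exists.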
From dtucker at zip.com.au Wed May 2 17:14:44 2007
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 02 May 2007 17:14:44 +1000
Subject: GSSAPIDelegateCredentials fails with a segfault
In-Reply-To: <3F88D339-EF2E-4C26-97DF-AEF91D1E373A@inf.ed.ac.uk>
References: <4636181A.9010805@e-626.net> <46368CA3.1030202@zip.com.au> <46371530.4080106@e-626.net> <3F88D339-EF2E-4C26-97DF-AEF91D1E373A@inf.ed.ac.uk>
Message-ID: <46383A64.5070606@zip.com.au>

Simon Wilkinson wrote:
> On 1 May 2007, at 11:23, Johan Andersson wrote:
[...]

BTW only one of "dev" or "lib" is actually needed in the chroot. I think it's "lib" but I'm not 100% sure.

>> But this raises a new problem: The ticket cache /tmp/krb5cc_xxxxxx is
>> owned by root and not by the user, so klist fails with a "Permission
>> denied". Any idea about this?
>
> This would suggest that the seteuid is failing. The credentials storage
> routine is always called as:
>
> temporarily_use_uid(pw);
> ssh_gssapi_storecreds();
> restore_uid();
>
> I'm not sure why this would be failing without calling fatal(), however,
> unless you're seeing more glibc related damage? Darren?

I can't think of any way that could happen. Maybe if getpwuid() or getpwnam() returned bogus info, but that would be a pretty unusual failure mode.

Perhaps the debug output from the server (/path/to/sshd -ddd) would provide some insight as to what the server's actually doing.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From stevec at FutureSoft.com Thu May 3 02:01:00 2007
From: stevec at FutureSoft.com (Cooper, Steve)
Date: Wed, 2 May 2007 11:01:00 -0500
Subject: FW: Cannot receive more that ~64k from host? (solution)
Message-ID: <8E9BDA21B46D6A4C8ECFB6444DACAF1C22D1B6@exchange.futuresoft.com>

FYI: I needed to update local_consumed when I pulled data out for display...

Steve

-----Original Message-----
From: openssh-unix-dev-bounces+stevec=futuresoft.com at mindrot.org [mailto:openssh-unix-dev-bounces+stevec=futuresoft.com at mindrot.org] On Behalf Of Cooper, Steve
Sent: Friday, April 20, 2007 3:40 PM
To: openssh-unix-dev at mindrot.org
Subject: Cannot receive more that ~64k from host?

Hi All,

I have "converted" the openssh code into a Windows DLL and everything "works" up until around 64k of data packets is received from the host. What I see from extensive debugging is that select() never reports that there is more data to read. I was hoping someone could give me a clue as to what to try next??? I believe the Winsock receive buffer defaults to 64k, but the problem is not speed related.

- Yes, I have two different hosts to connect with (older Redhat and FreeBSD)
- Does not matter if SSH1 or SSH2
- Does not matter if interactive over time (listing files, editing programs, etc) or blasted (ll -R /usr) (ie: ~64k of data from the host over time or all at once.)
- The connection is still active...I run sshd in debug mode and the connection stays active until I end the SSH session and everything shuts down cleanly...

Any crazy ideas?

Thanks,
Steve

Steve Cooper
Developer
FutureSoft, Inc.
From pcc03 at doc.ic.ac.uk Mon May 7 12:39:49 2007
From: pcc03 at doc.ic.ac.uk (Peter Collingbourne)
Date: Mon, 7 May 2007 03:39:49 +0100
Subject: [PATCH] Adds support for SSH_FXP_LINK request to sftp-server and sftp client
Message-ID: <20070507023949.GE29772@doc.ic.ac.uk>

Dear list,

Attached is a patch that adds support for the SSH_FXP_LINK request, as described in draft-ietf-secsh-filexfer-07 onwards, to the sftp server and client. It is for and has been tested on the current portable snapshot but also applies to openbsd CVS.

Thanks,
--
Peter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-sftp-hardlink-pcvs-v2.patch
Type: text/x-diff
Size: 7108 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20070507/18e7efc0/attachment.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20070507/18e7efc0/attachment-0001.bin

From pcc03 at doc.ic.ac.uk Mon May 7 15:06:17 2007
From: pcc03 at doc.ic.ac.uk (Peter Collingbourne)
Date: Mon, 7 May 2007 06:06:17 +0100
Subject: [PATCH] Adds support for SSH_FXP_LINK request to sftp-server and sftp client
Message-ID: <20070507050609.GG29772@doc.ic.ac.uk>

Dear list,

Attached is a patch that adds support for the SSH_FXP_LINK request, as described in draft-ietf-secsh-filexfer-07 onwards, to the sftp server and client. It is for and has been tested on the current portable snapshot but also applies to openbsd CVS.

Thanks,
--
Peter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-sftp-hardlink-pcvs-v2.patch
Type: text/x-diff
Size: 7108 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20070507/2cef0666/attachment.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20070507/2cef0666/attachment-0001.bin

From abhatnagar at mail.arc.nasa.gov Tue May 8 05:25:42 2007
From: abhatnagar at mail.arc.nasa.gov (Avnish Bhatnagar)
Date: Mon, 7 May 2007 12:25:42 -0700
Subject: HPN SSH
Message-ID: <003801c790dd$85c83090$915891b0$@arc.nasa.gov>

Hello,

I know this has come up before; but is the HPN patch (or elements thereof) currently being considered for integration into the OpenSSH code base? Are there pending issues (buffer management, none cipher, etc) which still need to be addressed?

We have been using HPN-SSH for over a year now, and like others, have observed significant performance improvement over standard OpenSSH. I can scp a 1 GB test file between two HPN-SSH LAN hosts at 700 Mbps (<1 ms latency). And over a cross-country high-BDP WAN link, I'm able to achieve over 500 Mbps (85 ms latency). These single-stream scp transfers were run on well-tuned Linux kernels 2.6.15 (or higher) with the arcfour cipher. (I'll be happy to provide more details about these tests upon request.) I'm not sure how 'typical' my results are, but they represent an order of magnitude improvement over stock OpenSSH. While the improvement tends to vary among different platforms, I have never observed a performance degradation.

We recommend HPN SSH to our users who need to (securely) transfer their bulk scientific datasets ranging in size from hundreds of megabytes to one terabyte; so naturally, performance is very important for them. But they (or their sysadmins) are often reluctant to deploy software which represents a deviation from a standard distribution...and the maintenance issues that follow.

Regards,
Avnish Bhatnagar
NASA Ames Research Center

From highc at us.ibm.com Wed May 9 02:09:52 2007
From: highc at us.ibm.com (Chris High)
Date: Tue, 8 May 2007 12:09:52 -0400
Subject: Security.html is out of date.
Message-ID:

Openssh team;

It has come to my attention that the information at:
http://www.openssh.org/security.html
does not include any security issues for openssh beyond 3.7.

While I do appreciate that the security information is highlighted at release publication, eg:
http://lists.mindrot.org/pipermail/openssh-unix-announce/2005-September/000083.html
many folks are going to go to the main site, see the "security" link, follow it; and not realize this page has not been kept up to date.

I strongly encourage that either the security page be updated to reflect the security issues; or it be updated to reflect this:

:quote"
For openssh releases after 3.7, please subscribe to: openssh-unix-announce which will highlight security fixes contained in the release.
"unquote:

If you would like to have the html needed to highlight all security advisory items indicated in the various "openssh-unix-announce" notes, I would be happy to send the HTML to you if provided a point to place the document or email to send it to. The HTML I would provide includes a bullet for each security item and for security items corrected since 3.7, a link to the announce note, and a link to the corresponding CVE for those newer items.

Thanks - Chris

From orkaan at orkaan.org Wed May 9 01:13:39 2007
From: orkaan at orkaan.org (Daniele Calore)
Date: Tue, 8 May 2007 17:13:39 +0200
Subject: [PATCH] Adds support for SSH_FXP_LINK request to sftp-server and sftp client
In-Reply-To: <20070507050609.GG29772@doc.ic.ac.uk>
References: <20070507050609.GG29772@doc.ic.ac.uk>
Message-ID: <20070508171339.0bb06cab@localhost>

Hi,

> Attached is a patch that adds support for the SSH_FXP_LINK request, as
> described in draft-ietf-secsh-filexfer-07 onwards, to the sftp server
> and client.

The "standard" for OpenSSH is draft-ietf-secsh-filexfer-03

$ grep FILEXFER_VERSION sftp.h
#define SSH2_FILEXFER_VERSION 3

I have tried the patch and it works. But only if the client/server has the same patch installed.

There is a check inside the patch (sftp-client.c):

+	if (conn->version < 3) {
+		error("This server does not support the link operation");
+		return(SSH2_FX_OP_UNSUPPORTED);
+	}

A non patched server has version "3" (see sftp.h) but it does not support the new link operation...

- Solutions:
1- Upgrade define SSH2_FILEXFER_VERSION to 4 ??? (and also update the check)
2- Any other suggestion ???

- A question: Will the patch be included in the next stable release of OpenSSH?

Bye,
--
Daniele Calore ( orkaan at orkaan.org )

From pcc03 at doc.ic.ac.uk Wed May 9 03:09:22 2007
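Review bot: the `if (conn->version < 3)` gate quoted above is the wrong signal for SSH_FXP_LINK support. A stock OpenSSH server also answers SSH_FXP_INIT with version 3 (SSH2_FILEXFER_VERSION in sftp.h), so the check passes and the client then sends a request type that server has no handler for; conversely, bumping the constant to claim a later draft would misrepresent a client and server that still speak the draft-03 packet encodings. Gate on an explicit capability instead: look for an extension-pair in the server's SSH_FXP_VERSION reply, and treat an SSH_FX_OP_UNSUPPORTED status in reply to the first SSH_FXP_LINK as the cue to fall back to SSH_FXP_SYMLINK for the symlink case only, since a hardlink has no version-3 equivalent and should simply fail with that status.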
From: pcc03 at doc.ic.ac.uk (Peter Collingbourne)
Date: Tue, 8 May 2007 18:09:22 +0100
Subject: [PATCH] Adds support for SSH_FXP_LINK request to sftp-server and sftp client
In-Reply-To: <20070508171339.0bb06cab@localhost>
References: <20070507050609.GG29772@doc.ic.ac.uk> <20070508171339.0bb06cab@localhost>
Message-ID: <20070508170922.GH29772@doc.ic.ac.uk>

On Tue, May 08, 2007 at 05:13:39PM +0200, Daniele Calore wrote:
> Hi,
>
> > Attached is a patch that adds support for the SSH_FXP_LINK request, as
> > described in draft-ietf-secsh-filexfer-07 onwards, to the sftp server
> > and client.
>
> The "standard" for OpenSSH is draft-ietf-secsh-filexfer-03
>
> $ grep FILEXFER_VERSION sftp.h
> #define SSH2_FILEXFER_VERSION 3
>
> I have tried the patch and it works.
> But only if the client/server has the same patch installed.
>
> There is a check inside the patch (sftp-client.c):
>
> +	if (conn->version < 3) {
> +		error("This server does not support the link operation");
> +		return(SSH2_FX_OP_UNSUPPORTED);
> +	}
>
> A non patched server has version "3" (see sftp.h) but
> it does not support the new link operation...
>
> - Solutions:
> 1- Upgrade define SSH2_FILEXFER_VERSION to 4 ???
> (and also update the check)

If we do this then perhaps it should go to 7 (I assume the version numbers correspond to drafts?) But then we may not be completely compliant with 7 yet. Of course if the check fails we should revert to sending a SYMLINK request (if version >= 3), but only if sym = 1. This is because only the hardlink request requires the oldpath to be normalised, and sending a normalised oldpath for a symlink request would lead to problems.

This behaviour would cause compatibility problems if the bare 'ln' command is issued to a new client connected to an old server, not to mention the fact that the behaviour of ln has changed anyway. Perhaps the best course of action would be to change the -s flag to an -h flag, with the default being softlinks?
Of course this would be inconsistent with the ln(1) command. An alternate course of action would be to check the version number in the user interface code and issue the appropriate request, but this I feel breaks separation of concerns.

Thanks,
--
Peter

From pedz at easesoftware.com Fri May 11 02:53:11 2007
From: pedz at easesoftware.com (Perry Smith)
Date: Thu, 10 May 2007 11:53:11 -0500
Subject: dfs/dce and openssh
Message-ID: <727E0261-9D9F-4A0C-9CDA-D324B49FD18D@easesoftware.com>

I searched google and did not find any hits on this being solved.

I want to get ssh so I can the dsa/rsa style password it in an environment that uses dfs/dce authentication if that is possible (and it has not already been solved). In other words, I want to be able to log into a host as a dfs/dce user without typing my password.

Before I dig into the code and try to do this, I wanted to ask those two questions:

1) Has it already been accomplished?

2) Is it known to be "really really really" hard?

I'm not subscribed to this list so please CC me on any replies.

Thank you
Perry Smith ( pedz at easesoftware.com )
Ease Software, Inc. ( http://www.easesoftware.com )

Low cost SATA Disk Systems for IBMs p5, pSeries, and RS/6000 AIX systems

From deengert at anl.gov Fri May 11 05:21:17 2007
From: deengert at anl.gov (Douglas E. Engert)
Date: Thu, 10 May 2007 14:21:17 -0500
Subject: dfs/dce and openssh
In-Reply-To: <727E0261-9D9F-4A0C-9CDA-D324B49FD18D@easesoftware.com>
References: <727E0261-9D9F-4A0C-9CDA-D324B49FD18D@easesoftware.com>
Message-ID: <464370AD.4070704@anl.gov>

Perry Smith wrote:
> I searched google and did not find any hits on this being solved.
>
> I want to get ssh so I can the dsa/rsa style password it in an
> environment that uses dfs/dce authentication if that is possible (and
> it has not already been solved). In other words, I want to be able
> to log into a host as a dfs/dce user without typing my password.

DCE uses Kerberos 5, so the GSSAPI code in SSH should work. Delegation should also work, so you can get tickets for DFS.

> Before I dig into the code and try to do this, I wanted to ask
> those two questions:
>
> 1) Has it already been accomplished?
>
> 2) Is it known to be "really really really" hard?
>
> I'm not subscribed to this list so please CC me on any replies.
>
> Thank you
> Perry Smith ( pedz at easesoftware.com )
> Ease Software, Inc. ( http://www.easesoftware.com )
>
> Low cost SATA Disk Systems for IBMs p5, pSeries, and RS/6000 AIX systems
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From sxw at inf.ed.ac.uk Fri May 11 06:37:58 2007
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Thu, 10 May 2007 13:37:58 -0700
Subject: dfs/dce and openssh
In-Reply-To: <464370AD.4070704@anl.gov>
References: <727E0261-9D9F-4A0C-9CDA-D324B49FD18D@easesoftware.com> <464370AD.4070704@anl.gov>
Message-ID: <8135F23F-B357-4A70-AF5E-F78A2A84CFCC@inf.ed.ac.uk>

On 10 May 2007, at 12:21, Douglas E. Engert wrote:
> Perry Smith wrote:
>> I searched google and did not find any hits on this being solved.
>>
>> I want to get ssh so I can the dsa/rsa style password it in an
>> environment that uses dfs/dce authentication if that is possible (and
>> it has not already been solved). In other words, I want to be able
>> to log into a host as a dfs/dce user without typing my password.
>
> DCE uses Kerberos 5, so the GSSAPI code in SSH should work. Delegation
> should also work, so you can get tickets for DFS.

The problem here is that you can't use OpenSSH's DSA/RSA key-based authentication and still have credentials on the machine that you've logged in to. I don't know enough about DCE to be able to comment on that specific case, but in a standard Kerberos environment, you'd need to run 'kinit' after login in order to have credentials. There's no way (that I'd want to deploy) of getting around this.

Simon.

From deengert at anl.gov Fri May 11 09:01:06 2007
From: deengert at anl.gov (Douglas E. Engert)
Date: Thu, 10 May 2007 18:01:06 -0500
Subject: dfs/dce and openssh
In-Reply-To: <8135F23F-B357-4A70-AF5E-F78A2A84CFCC@inf.ed.ac.uk>
References: <727E0261-9D9F-4A0C-9CDA-D324B49FD18D@easesoftware.com> <464370AD.4070704@anl.gov> <8135F23F-B357-4A70-AF5E-F78A2A84CFCC@inf.ed.ac.uk>
Message-ID: <4643A432.2060103@anl.gov>

Simon Wilkinson wrote:
> On 10 May 2007, at 12:21, Douglas E. Engert wrote:
>> Perry Smith wrote:
>>> I searched google and did not find any hits on this being solved.
>>>
>>> I want to get ssh so I can the dsa/rsa style password it in an
>>> environment that uses dfs/dce authentication if that is possible (and
>>> it has not already been solved). In other words, I want to be able
>>> to log into a host as a dfs/dce user without typing my password.
>>
>> DCE uses Kerberos 5, so the GSSAPI code in SSH should work. Delegation
>> should also work, so you can get tickets for DFS.
>
> The problem here is that you can't use OpenSSH's DSA/RSA key-based
> authentication and still have credentials on the machine that you've
> logged in to. I don't know enough about DCE to be able to comment on
> that specific case, but in a standard Kerberos environment, you'd need
> to run 'kinit' after login in order to have credentials. There's no way
> (that I'd want to deploy) of getting around this.

DFS is like AFS on steroids, but you need Kerberos tickets to access DFS. So the answer to "I want to be able to log into a host as a dfs/dce user without typing my password." is no. But with GSSAPI and Kerberos you should only have to do this once a day (kinit), on the machine in front of you. (I have not used DCE/DFS in about 5 years when we turned it off and went back to AFS.) DCE had an early Kerberos PKINIT support, so you might be able to use PKINIT to avoid typing a password.

> Simon.

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From pedz at easesoftware.com Fri May 11 09:24:03 2007
From: pedz at easesoftware.com (Perry Smith)
Date: Thu, 10 May 2007 18:24:03 -0500
Subject: dfs/dce and openssh
In-Reply-To: <4643A432.2060103@anl.gov>
References: <727E0261-9D9F-4A0C-9CDA-D324B49FD18D@easesoftware.com> <464370AD.4070704@anl.gov> <8135F23F-B357-4A70-AF5E-F78A2A84CFCC@inf.ed.ac.uk> <4643A432.2060103@anl.gov>
Message-ID: <1ED8A0BD-238E-4C73-94B7-82E2D4BEC1CD@easesoftware.com>

On May 10, 2007, at 6:01 PM, Douglas E. Engert wrote:
> Simon Wilkinson wrote:
>> On 10 May 2007, at 12:21, Douglas E. Engert wrote:
>>> Perry Smith wrote:
>>>> I searched google and did not find any hits on this being solved.
>>>>
>>>> I want to get ssh so I can the dsa/rsa style password it in an
>>>> environment that uses dfs/dce authentication if that is possible (and
>>>> it has not already been solved). In other words, I want to be able
>>>> to log into a host as a dfs/dce user without typing my password.
>>>
>>> DCE uses Kerberos 5, so the GSSAPI code in SSH should work. Delegation
>>> should also work, so you can get tickets for DFS.
>>
>> The problem here is that you can't use OpenSSH's DSA/RSA key-based
>> authentication and still have credentials on the machine that you've
>> logged in to. I don't know enough about DCE to be able to comment on
>> that specific case, but in a standard Kerberos environment, you'd need
>> to run 'kinit' after login in order to have credentials. There's no way
>> (that I'd want to deploy) of getting around this.
>
> DFS is like AFS on steroids, but you need Kerberos tickets to access DFS.
> So the answer to "I want to be able to log into a host as a dfs/dce user
> without typing my password." is no. But with GSSAPI and Kerberos
> you should only have to do this once a day (kinit), on the machine in
> front of you.
> (I have not used DCE/DFS in about 5 years when we turned it off and went
> back to AFS.) DCE had an early Kerberos PKINIT support, so you might be
> able to use PKINIT to avoid typing a password.

I'm pretty sure that somehow Apple has managed to solve this problem. They authenticate with Kerberos and I can log from system A to system B using ssh. There may be two problems here...

One problem is my home directory in the Apple environment is local to each machine. So my .ssh directory and authorized_keys are available to the root (or sshd) process. In my current dfs environment, my home directory is on dfs so root can not get to it. So, one problem is getting access to my .ssh/authorized_keys.

The other problem is getting the ticket passed from one place to the other -- but that should work if I am understanding all of this correctly.

Perry Smith ( pedz at easesoftware.com )
Ease Software, Inc. ( http://www.easesoftware.com )

Low cost SATA Disk Systems for IBMs p5, pSeries, and RS/6000 AIX systems

From deengert at anl.gov Fri May 11 09:45:54 2007
From: deengert at anl.gov (Douglas E. Engert)
Date: Thu, 10 May 2007 18:45:54 -0500
Subject: dfs/dce and openssh
In-Reply-To: <1ED8A0BD-238E-4C73-94B7-82E2D4BEC1CD@easesoftware.com>
References: <727E0261-9D9F-4A0C-9CDA-D324B49FD18D@easesoftware.com> <464370AD.4070704@anl.gov> <8135F23F-B357-4A70-AF5E-F78A2A84CFCC@inf.ed.ac.uk> <4643A432.2060103@anl.gov> <1ED8A0BD-238E-4C73-94B7-82E2D4BEC1CD@easesoftware.com>
Message-ID: <4643AEB2.2050009@anl.gov>

Perry Smith wrote:
> On May 10, 2007, at 6:01 PM, Douglas E. Engert wrote:
>> Simon Wilkinson wrote:
>>> On 10 May 2007, at 12:21, Douglas E. Engert wrote:
>>>> Perry Smith wrote:
>>>>> I searched google and did not find any hits on this being solved.
>>>>>
>>>>> I want to get ssh so I can the dsa/rsa style password it in an
>>>>> environment that uses dfs/dce authentication if that is possible (and
>>>>> it has not already been solved). In other words, I want to be able
>>>>> to log into a host as a dfs/dce user without typing my password.
>>>>
>>>> DCE uses Kerberos 5, so the GSSAPI code in SSH should work. Delegation
>>>> should also work, so you can get tickets for DFS.
>>>
>>> The problem here is that you can't use OpenSSH's DSA/RSA key-based
>>> authentication and still have credentials on the machine that you've
>>> logged in to. I don't know enough about DCE to be able to comment on
>>> that specific case, but in a standard Kerberos environment, you'd
>>> need to run 'kinit' after login in order to have credentials. There's
>>> no way (that I'd want to deploy) of getting around this.
>>
>> DFS is like AFS on steroids, but you need Kerberos tickets to access DFS.
>> So the answer to "I want to be able to log into a host as a dfs/dce user
>> without typing my password." is no. But with GSSAPI and Kerberos
>> you should only have to do this once a day (kinit), on the machine in
>> front of you.
>> (I have not used DCE/DFS in about 5 years when we turned it off and went
>> back to AFS.) DCE had an early Kerberos PKINIT support, so you might be
>> able to use PKINIT to avoid typing a password.
>
> I'm pretty sure that somehow Apple has managed to solve this problem.
> They authenticate with Kerberos and I can log from system A to system B
> using ssh.

So do a klist and see if you have tickets. Look to see if you have an environment variable KRB5CCNAME

> There may be two problems here...
>
> One problem is my home directory in the Apple environment is local to
> each machine. So my .ssh directory and authorized_keys are available to
> the root (or sshd) process. In my current dfs environment, my home
> directory is on dfs so root can not get to it.

Correct, you or root need Kerberos tickets to access DFS.

> So, one problem is getting access to my .ssh/authorized_keys.

You could set the DFS ACL on the file to world readable, or readable by selected hosts. But you should also check with your ADMIN about how they configure SSH on DCE clients and servers.

> The other problem is getting the ticket passed from one place to the
> other -- but that should work if I am understanding all of this correctly.

Yes that is the SSH GSSAPIDelegateCredentials yes

> Perry Smith ( pedz at easesoftware.com )
> Ease Software, Inc. ( http://www.easesoftware.com )
>
> Low cost SATA Disk Systems for IBMs p5, pSeries, and RS/6000 AIX systems

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From sxw at inf.ed.ac.uk Fri May 11 09:53:37 2007
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Thu, 10 May 2007 16:53:37 -0700
Subject: dfs/dce and openssh
In-Reply-To: <1ED8A0BD-238E-4C73-94B7-82E2D4BEC1CD@easesoftware.com>
References: <727E0261-9D9F-4A0C-9CDA-D324B49FD18D@easesoftware.com> <464370AD.4070704@anl.gov> <8135F23F-B357-4A70-AF5E-F78A2A84CFCC@inf.ed.ac.uk> <4643A432.2060103@anl.gov> <1ED8A0BD-238E-4C73-94B7-82E2D4BEC1CD@easesoftware.com>

On 10 May 2007, at 16:24, Perry Smith wrote:
> I'm pretty sure that somehow Apple has managed to solve this
> problem. They authenticate with Kerberos and I can log from system A
> to system B using ssh. There may be two problems here...

I think we're talking at cross purposes here

1) If you're connecting to a system using an RSA/DSA key, there's no way to use that RSA key to get Kerberos credentials

2) If you want to connect to a machine where the RSA public keys are in a .authorized_keys file in the Kerberized filesystem - you need that file to be readable by the sshd. This will let you log in, but still won't give you Kerberos credentials.

Simon.

From pedz at easesoftware.com Fri May 11 10:38:28 2007
From: pedz at easesoftware.com (Perry Smith)
Date: Thu, 10 May 2007 19:38:28 -0500
Subject: dfs/dce and openssh
References: <727E0261-9D9F-4A0C-9CDA-D324B49FD18D@easesoftware.com> <464370AD.4070704@anl.gov> <8135F23F-B357-4A70-AF5E-F78A2A84CFCC@inf.ed.ac.uk> <4643A432.2060103@anl.gov> <1ED8A0BD-238E-4C73-94B7-82E2D4BEC1CD@easesoftware.com>

On May 10, 2007, at 6:53 PM, Simon Wilkinson wrote:
> On 10 May 2007, at 16:24, Perry Smith wrote:
>> I'm pretty sure that somehow Apple has managed to solve this
>> problem. They authenticate with Kerberos and I can log from system A
>> to system B using ssh. There may be two problems here...
>
> I think we're talking at cross purposes here
>
> 1) If you're connecting to a system using an RSA/DSA key, there's
> no way to use that RSA key to get Kerberos credentials
> 2) If you want to connect to a machine where the RSA public keys
> are in a .authorized_keys file in the Kerberized filesystem - you
> need that file to be readable by the sshd. This will let you log
> in, but still won't give you Kerberos credentials.

I am starting out from a system with Kerberos credentials. I don't know what exactly that implies. Does that imply that I don't need the RSA/DSA stuff at all and the Kerberos ticket is just passed?

From sxw at inf.ed.ac.uk Fri May 11 10:45:25 2007
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Thu, 10 May 2007 17:45:25 -0700
Subject: dfs/dce and openssh
References: <727E0261-9D9F-4A0C-9CDA-D324B49FD18D@easesoftware.com> <464370AD.4070704@anl.gov> <8135F23F-B357-4A70-AF5E-F78A2A84CFCC@inf.ed.ac.uk> <4643A432.2060103@anl.gov> <1ED8A0BD-238E-4C73-94B7-82E2D4BEC1CD@easesoftware.com>

> I am starting out from a system with Kerberos credentials. I
> don't know what exactly that implies. Does that imply that I don't
> need the RSA/DSA stuff at all and the Kerberos ticket is just passed?

Yes. Providing the server that you're connecting to has a keytab, and has the key for the host/ principal in that keytab. You may need to turn on GSSAPI in the client and server preferences (GSSAPIAuthentication yes) and turn on delegation on the client (GSSAPIDelegateCredentials yes).

Ideally, if your OpenSSH supports it, you probably want to use key exchange - but that's not shipped as standard with OpenSSH, and requires patches to the client and server.

Cheers,

Simon.

From gerryny at gmail.com Sat May 12 07:03:24 2007
From: gerryny at gmail.com (gerryny at gmail.com)
Date: Fri, 11 May 2007 17:03:24 -0400
Subject: SCP two remote hosts with non-default ports
Message-ID: <2ef042170705111403l2fbd9b8cx211814a19bb2f287@mail.gmail.com>

Hi,

I'm having trouble finding the correct syntax to scp between two remote hosts with non-default ports.

No matter what I've tried I can't get scp to connect both servers with different ports. Is this even possible?

The workaround I've found is to use

Thanks,
gerryny at gmail dot com

From imorgan at nas.nasa.gov Sat May 12 09:02:33 2007
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Fri, 11 May 2007 16:02:33 -0700
Subject: SCP two remote hosts with non-default ports
In-Reply-To: <2ef042170705111403l2fbd9b8cx211814a19bb2f287@mail.gmail.com>
References: <2ef042170705111403l2fbd9b8cx211814a19bb2f287@mail.gmail.com>
Message-ID: <20070511230233.GA14900@linux55.nas.nasa.gov>

On Fri, May 11, 2007 at 17:03:24 -0400, gerryny at gmail.com wrote:
> Hi,
>
> I'm having trouble finding the correct syntax to scp between two
> remote hosts with non-default ports.
>
> No matter what I've tried I can't get scp to connect both servers with
> different ports. Is this even possible?
>
> The workaround I've found is to use
>
> Thanks,
> gerryny at gmail dot com

Have you tried using a Port directive for the second host in the ~/.ssh/config on the first host?

--
Iain Morgan

From imacat at mail.imacat.idv.tw Mon May 14 06:50:40 2007
From: imacat at mail.imacat.idv.tw (imacat)
Date: Mon, 14 May 2007 04:50:40 +0800
Subject: cmp: /usr/local/src/openssh-4.6p1/regress/ls.copy: No such file or directory
Message-ID: <20070514045002.3617.IMACAT@mail.imacat.idv.tw>

Dear all,

Hi. This is imacat from Taiwan. I'm new to this list.

I encountered the following failures when running "make tests" on machines that haven't installed OpenSSH yet. It seems to fail at regress/multiplex.sh. It seems to be specific to machines that haven't installed OpenSSH yet. Once I have installed OpenSSH, the failure is gone. Might it be the case that regress/multiplex.sh accidentally uses the installed OpenSSH to test, rather than the just-built OpenSSH? If so, maybe this is something that needs to be fixed.

Please tell me if you need any more information, or if I could be of any help. Thank you.

imacat at rinse src/openssh-4.6p1 % make tests
run test connect.sh ...
ok simple connect
...
run test multiplex.sh ...
test connection multiplexing: envpass
test connection multiplexing: transfer
scp: failed copy /bin/ls
cmp: /usr/local/src/openssh-4.6p1/regress/ls.copy: No such file or directory
scp: corrupted copy of /bin/ls
test connection multiplexing: status 0
test connection multiplexing: status 1
test connection multiplexing: status 4
test connection multiplexing: status 5
test connection multiplexing: status 44
Master running (pid=2932)
Exit request sent.
failed connection multiplexing
make[1]: *** [t-exec] Error 1
make: *** [tests] Error 2
You have new mail.
imacat at rinse src/openssh-4.6p1 %

--
Best regards,
imacat ^_*'
PGP Key: http://www.imacat.idv.tw/me/pgpkey.txt
<> News: http://www.wov.idv.tw/
Tavern IMACAT's: http://www.imacat.idv.tw/
TLUG List Manager: http://lists.linux.org.tw/cgi-bin/mailman/listinfo/tlug

From karn at ka9q.net Tue May 15 04:57:23 2007
From: karn at ka9q.net (Phil Karn)
Date: Mon, 14 May 2007 11:57:23 -0700
Subject: Differentiated Services support in SSH
References: <727E0261-9D9F-4A0C-9CDA-D324B49FD18D@easesoftware.com> <464370AD.4070704@anl.gov> <8135F23F-B357-4A70-AF5E-F78A2A84CFCC@inf.ed.ac.uk> <4643A432.2060103@anl.gov> <1ED8A0BD-238E-4C73-94B7-82E2D4BEC1CD@easesoftware.com>
Message-ID: <4648B113.7010904@ka9q.net>

I've noticed that OpenSSH uses the now-obsolete original definitions of the IP TOS (Type of Service) field. In packet.c, IPTOS_LOWDELAY is chosen if the connection is interactive, IP_THROUGHPUT otherwise.

Several years ago the IETF completely redefined this field to support a new "differentiated services" architecture. The low two bits are reserved for explicit congestion notification (ECN), which conflicts with some of the previous IPTOS definitions (namely IPTOS_MINCOST, which fortunately OpenSSH does not use). The upper 6 bits are available for a Differentiated Services Code Point (DSCP) value that indicates to the routers how this packet is to be handled.

Because these DSCP values are not yet well defined, and they're allowed to have local significance, I would like to add config options to set the DSCP values that SSH should use on interactive and non-interactive connections.

I can't find any mention of this on this list or in the bug reports, but I wanted to avoid any duplication of effort in case someone else is already working on this. If no one is, then I'll implement it and submit the patches.

--Phil

From pcc03 at doc.ic.ac.uk Tue May 15 06:13:19 2007
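An added example, in Python, that is not from this thread and not OpenSSH's packet.c: it shows how the old TOS byte splits into DSCP and ECN under RFC 2474 and RFC 3168, why IPTOS_MINCOST is the one legacy value that lands in the ECN bits, and what a configurable per-session DSCP choice of the kind Phil proposes looks like. The AF/CS/EF code point arithmetic follows RFC 2597, RFC 2474 and RFC 3246; the default code points AF21 (interactive) and CS1 (bulk) in tos_for_session() are this example's own assumption, not anything OpenSSH does.

```python
"""
Added example (not OpenSSH code): the 8-bit IP TOS byte under DiffServ.

DSCP occupies bits 7..2 of the byte, ECN bits 1..0.  The IPTOS_* values
are the classic BSD <netinet/ip.h> definitions that packet.c used in 2007.
"""
from __future__ import annotations
import socket

# Legacy RFC 791/1349 TOS values.
IPTOS_LOWDELAY = 0x10
IPTOS_THROUGHPUT = 0x08
IPTOS_RELIABILITY = 0x04
IPTOS_MINCOST = 0x02        # this one lands in the ECN field

ECN_MASK = 0x03
DSCP_MASK = 0xFC

EF = 0b101110               # Expedited Forwarding, RFC 3246 (decimal 46)


def dscp_to_tos(dscp: int) -> int:
    """Place a 6-bit DSCP into the TOS byte, leaving the ECN bits clear."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must fit in 6 bits")
    return dscp << 2


def split_tos(tos: int) -> tuple[int, int]:
    """Return (dscp, ecn) for a TOS byte as a DiffServ router reads it."""
    return (tos & DSCP_MASK) >> 2, tos & ECN_MASK


def af(klass: int, drop: int) -> int:
    """Assured Forwarding code point AFxy (RFC 2597): x in 1..4, y in 1..3."""
    if klass not in (1, 2, 3, 4) or drop not in (1, 2, 3):
        raise ValueError("bad AF class/drop precedence")
    return (klass << 3) | (drop << 1)


def cs(klass: int) -> int:
    """Class Selector code point CSx (RFC 2474): x in 0..7."""
    if not 0 <= klass <= 7:
        raise ValueError("bad class selector")
    return klass << 3


def legacy_tos_conflicts_with_ecn(tos: int) -> bool:
    """True if a legacy TOS constant would be read as an ECN marking."""
    return (tos & ECN_MASK) != 0


def tos_for_session(interactive: bool,
                    interactive_dscp: int = af(2, 1),
                    bulk_dscp: int = cs(1)) -> int:
    """
    Hypothetical replacement for the interactive/bulk choice in packet.c:
    both DSCP values are configurable, as the message proposes.  The AF21
    and CS1 defaults are this example's assumption, not OpenSSH's.
    """
    return dscp_to_tos(interactive_dscp if interactive else bulk_dscp)


def apply_tos(sock: socket.socket, tos: int) -> None:
    """Set the TOS byte on an IPv4 socket with the classic IP_TOS option."""
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)


if __name__ == "__main__":
    for name, val in (("IPTOS_LOWDELAY", IPTOS_LOWDELAY),
                      ("IPTOS_THROUGHPUT", IPTOS_THROUGHPUT),
                      ("IPTOS_MINCOST", IPTOS_MINCOST)):
        d, e = split_tos(val)
        flag = "(collides with ECN)" if legacy_tos_conflicts_with_ecn(val) else ""
        print(f"{name:17s} 0x{val:02x} -> DSCP {d:2d} ECN {e} {flag}")
    print(f"EF = 0x{dscp_to_tos(EF):02x}, AF21 = 0x{dscp_to_tos(af(2, 1)):02x}")
```

Note that IPTOS_LOWDELAY (0x10) and IPTOS_THROUGHPUT (0x08) decode to DSCP 4 and 2, neither of which is a standardised code point, which is the practical reason to let the administrator pick the values.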
From: pcc03 at doc.ic.ac.uk (Peter Collingbourne)
Date: Mon, 14 May 2007 21:13:19 +0100
Subject: [PATCH] Adds support for SSH_FXP_LINK request to sftp-server and sftp client
In-Reply-To: <20070508170922.GH29772@doc.ic.ac.uk>
References: <20070507050609.GG29772@doc.ic.ac.uk> <20070508171339.0bb06cab@localhost> <20070508170922.GH29772@doc.ic.ac.uk>
Message-ID: <20070514201319.GH1110@doc.ic.ac.uk>

On Tue, May 08, 2007 at 06:09:22PM +0100, Peter Collingbourne wrote:
> On Tue, May 08, 2007 at 05:13:39PM +0200, Daniele Calore wrote:
> > - Solutions:
> > 1- Upgrade define SSH2_FILEXFER_VERSION to 4 ???
> > (and also update the check)
>
> If we do this then perhaps it should go to 7 (I assume the version
> numbers correspond to drafts?) But then we may not be completely
> compliant with 7 yet. Of course if the check fails we should revert
> to sending a SYMLINK request (if version >= 3), but only if sym =
> 1. This is because only the hardlink request requires the oldpath to
> be normalised, and sending a normalised oldpath for a symlink request
> would lead to problems.
>
> This behaviour would cause compatibility problems if the bare 'ln'
> command is issued to a new client connected to an old server, not
> to mention the fact that the behaviour of ln has changed anyway.
> Perhaps the best course of action would be to change the -s flag to
> an -h flag, with the default being softlinks? Of course this would
> be inconsistent with the ln(1) command.

I am attaching a patch which incorporates some of my above suggestions. According to draft 7 and all future drafts, the current version of the filexfer protocol is 6, which is the version number I am using in my patch.

I would like feedback on whether an -s flag or an -h flag would be best for the ln command of the sftp client.

Thanks,
--
Peter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-sftp-hardlink-pcvs-v3.patch
Type: text/x-diff
Size: 7509 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20070514/fee85c2c/attachment-0002.bin

From orkaan at orkaan.org Tue May 15 07:30:22 2007
From: orkaan at orkaan.org (Daniele Calore)
Date: Mon, 14 May 2007 23:30:22 +0200
Subject: [PATCH] Adds support for Append command (SSH_FXF_APPEND) to sftp_client
Message-ID: <20070514233022.4a04b024@localhost>

Dear list,

Attached is a patch that implements the "append" command in a sftp session, as described in "draft-ietf-secsh-filexfer-01" and further releases. It is for, and has been tested on, the current version of OpenSSH (the Portable CVS) and it works, also against non patched versions.

The patch is "simple": it is just like the "do_upload" function in "sftp-client.c".

Pseudo instructions of the new "do_append" function:

1) stat_remote_file
   This will return an Attrib struct to know the remote file size.
2) open_remote_file
   Open the remote file without the "SSH2_FXF_TRUNC" flag and with the SSH2_FXF_APPEND flag.
3) write_to_remote_file
   It is like the "do_upload" function, except that the offset does not start with a '0' but it is set to the value returned by "stat_remote_file".

More in depth: I have used the function "do_fstat" to retrieve the remote file size. The function "do_fstat" is never used, but is still present, in the "sftp-client.c" ... so why not use it?

I hope this patch will be included in a future release of OpenSSH, or at least that you will consider reimplementing it in a better way. Let me know if ...

* Some notes:

I have also revisited "sftp.c". There is now a new I_APPEND command, that has number "1" for alphabetic reasons.

If you do not plan to insert this patch consider changing this line of code:

--- sftp.c.orig	2007-05-14 22:48:33.000000000 +0200
+++ sftp.c	2007-05-14 22:50:07.000000000 +0200
@@ -940,7 +940,7 @@
 			return(-1);
 		if (get_pathname(&cp, path2))
 			return(-1);
-		if (!*path1 || !*path2) {
+		if (*path1 == NULL || *path2 == NULL) {
 			error("You must specify two paths after a %s "
 			    "command.", cmd);
 			return(-1);

And maybe remove also the "do_fstat" function in "sftp-client.c" (it is never used).

We can also patch the "sftp-server.c" to honor the APPEND flag, but there is no way for the client to know if the server is patched or not...

* Suggestions:

1) Change the SSH2_FILEXFER_VERSION to something new.
2) Implement a VENDOR specific feature to retrieve the presence of the new SSH2_FXF_APPEND feature. We can do this using the SSH2_FXP_EXTENDED command. (This will be useful also for other patches; like the SSH_FXP_LINK patch)

If you want I can make a patch also for the server side.

Best regards,
--
Daniele Calore ( orkaan at orkaan.org )

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-sftp-append-pcvs.patch
Type: text/x-patch
Size: 9173 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20070514/ab71f883/attachment.bin

From cvacca01 at tufts.edu Tue May 15 04:50:53 2007
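Review bot: the sftp.c hunk above (`-		if (!*path1 || !*path2) {` / `+		if (*path1 == NULL || *path2 == NULL) {`) is a pure style change with no behavioural effect and should not ride along with the append feature. As the surrounding get_pathname(&cp, path2) call shows, path1 and path2 are char **, so *path1 is already a pointer and !*path1 tests it for NULL exactly as *path1 == NULL does; the existing form is also the one the rest of sftp.c uses. Drop this hunk from the patch, or send it on its own if a style change is wanted, so the functional change can be reviewed in isolation.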
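An added example in Python, not part of either patch and not OpenSSH code, that serves both suggestion 2 above (detect a server feature through the SSH_FXP_VERSION extension mechanism) and the earlier SSH_FXP_LINK thread: it frames SFTP v3 packets, parses the extension-pairs of SSH_FXP_VERSION, and shows why `conn->version < 3` cannot tell a patched server from a stock one while an advertised extension can. Packet type and status numbers are those of draft-ietf-secsh-filexfer; the extension name "link@example.org" and the stub server are this example's constructed assumptions.

```python
"""
Added example (not OpenSSH code): minimal SFTP v3 framing and a
capability check driven by SSH_FXP_VERSION extension-pairs rather than
by the bare protocol version number.
"""
from __future__ import annotations
import struct

SSH_FXP_INIT, SSH_FXP_VERSION = 1, 2
SSH_FXP_SYMLINK, SSH_FXP_LINK = 20, 21     # LINK exists from draft 07 on
SSH_FXP_STATUS, SSH_FXP_EXTENDED = 101, 200
SSH_FX_OK, SSH_FX_OP_UNSUPPORTED = 0, 8
LINK_EXT = "link@example.org"              # hypothetical extension name


def _str(b: bytes) -> bytes:
    """SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _get_str(buf: bytes, off: int) -> tuple[bytes, int]:
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def frame(ptype: int, payload: bytes) -> bytes:
    """uint32 length, byte type, payload (the draft's general packet format)."""
    body = bytes([ptype]) + payload
    return struct.pack(">I", len(body)) + body


def unframe(pkt: bytes) -> tuple[int, bytes]:
    (n,) = struct.unpack_from(">I", pkt, 0)
    if n != len(pkt) - 4:
        raise ValueError("bad packet length")
    return pkt[4], pkt[5:]


def version_packet(version: int, extensions: dict[str, str]) -> bytes:
    """Server's SSH_FXP_VERSION: uint32 version, then name/data extension pairs."""
    payload = struct.pack(">I", version)
    for name, data in extensions.items():
        payload += _str(name.encode()) + _str(data.encode())
    return frame(SSH_FXP_VERSION, payload)


def parse_version(pkt: bytes) -> tuple[int, dict[str, str]]:
    ptype, payload = unframe(pkt)
    if ptype != SSH_FXP_VERSION:
        raise ValueError("expected SSH_FXP_VERSION")
    (version,) = struct.unpack_from(">I", payload, 0)
    off, exts = 4, {}
    while off < len(payload):
        name, off = _get_str(payload, off)
        data, off = _get_str(payload, off)
        exts[name.decode()] = data.decode()
    return version, exts


def link_request(req_id: int, newpath: str, oldpath: str, hard: bool,
                 version: int, exts: dict[str, str]) -> bytes:
    """
    Choose the request a client may legitimately send.  A version of 3 is
    what a stock server answers too, so only the extension-pair proves
    SSH_FXP_LINK support; without it a symlink falls back to
    SSH_FXP_SYMLINK and a hardlink is refused before anything is sent.
    """
    if LINK_EXT in exts:
        # draft field order: new-link-path, existing-path, bool sym-link
        payload = (struct.pack(">I", req_id) + _str(newpath.encode())
                   + _str(oldpath.encode()) + bytes([0 if hard else 1]))
        return frame(SSH_FXP_LINK, payload)
    if hard:
        raise NotImplementedError("server did not advertise hardlink support")
    if version < 3:
        raise NotImplementedError("SSH_FXP_SYMLINK needs protocol version 3")
    # draft field order (linkpath, targetpath); note that OpenSSH's own
    # client and server exchange these two in the opposite order
    return frame(SSH_FXP_SYMLINK, struct.pack(">I", req_id)
                 + _str(newpath.encode()) + _str(oldpath.encode()))


def status_of(pkt: bytes) -> tuple[int, int]:
    """Return (request id, status code) from an SSH_FXP_STATUS reply."""
    ptype, payload = unframe(pkt)
    if ptype != SSH_FXP_STATUS:
        raise ValueError("expected SSH_FXP_STATUS")
    return struct.unpack_from(">II", payload, 0)


def stub_server_handle(pkt: bytes, supports_link: bool) -> bytes:
    """Constructed server: request types it does not know get OP_UNSUPPORTED."""
    ptype, payload = unframe(pkt)
    (req_id,) = struct.unpack_from(">I", payload, 0)
    known = {SSH_FXP_SYMLINK} | ({SSH_FXP_LINK} if supports_link else set())
    code = SSH_FX_OK if ptype in known else SSH_FX_OP_UNSUPPORTED
    return frame(SSH_FXP_STATUS,
                 struct.pack(">II", req_id, code) + _str(b"") + _str(b""))
```

With a stock server (version 3, no extensions) the client never emits SSH_FXP_LINK; with the extension advertised it does, and the stub shows what a version-only check would have produced against the stock server: an SSH_FX_OP_UNSUPPORTED status for the request id, which is the reply a real client should still be prepared to handle.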
From: cvacca01 at tufts.edu (Claudia Vaccaro)
Date: Mon, 14 May 2007 14:50:53 -0400
Subject: sftp chroot not working
Message-ID: <4648AF8D.9080808@tufts.edu>

Hi,

I have configured and installed openssh-4.5p1-chroot on my aix server 5.3-05.

I am able to chroot during ssh connections but when trying to chroot an sftp connection I am getting the error below:

Any ideas? I have modified the session.c file, reconfigured and re-installed without any luck. (regular sftp users are not being affected)

sftp -1Cv chr at puff
Connecting to puffin...
OpenSSH_4.5p1, OpenSSL 0.9.7g 11 Apr 2005
debug1: Reading configuration data /opt/etc/ssh_config
debug1: Connecting to puff [120.64.7.52] port 22.
debug1: Connection established.
debug1: identity file /home/chr/.ssh/identity type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.5
debug1: match: OpenSSH_4.5 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_4.5
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (2048 bits).
The authenticity of host 'puff (120.64.7.52)' can't be established.
RSA1 key fingerprint is f4:dd:48:cf:6d:1d:bf:4c:2f:ac:dc:95:fc:5d:ac:fa.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'puff,120.64.7.52' (RSA1) to the list of known hosts.
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
chr at puff's password:
debug1: Requesting compression at level 6.
debug1: Enabling compression at level 6.
debug1: Sending command: /opt/libexec/sftp-server
debug1: Entering interactive session.
debug1: fd 0 clearing O_NONBLOCK
debug1: Transferred: stdin 9, stdout 0, stderr 0 bytes in 0.0 seconds
debug1: Bytes per second: stdin 975.2, stdout 0.0, stderr 0.0
debug1: Exit status 255
debug1: compress outgoing: raw data 49, compressed 56, factor 1.14
debug1: compress incoming: raw data 5, compressed 9, factor 1.80
Connection closed

From djm at mindrot.org Tue May 15 08:13:52 2007
From: djm at mindrot.org (Damien Miller)
Date: Tue, 15 May 2007 08:13:52 +1000 (EST)
Subject: sftp chroot not working
In-Reply-To: <4648AF8D.9080808@tufts.edu>
References: <4648AF8D.9080808@tufts.edu>
Message-ID:

There is no chroot patch that is supported by the OpenSSH developers - you should seek assistance from the author of whichever chroot patch you are using.

-d

On Mon, 14 May 2007, Claudia Vaccaro wrote:

> Hi,
>
> I have configured and installed openssh-4.5p1-chroot on my aix server
> 5.3-05.
>
> I am able to chroot during ssh connections but when trying to chroot an
> sftp connection I am getting the error below:
>
> Any ideas? I have modified the session.c file, reconfigured and
> re-installed without any luck. (regular sftp users are not being affected)
>
>
> sftp -1Cv chr at puff
> Connecting to puffin...
> OpenSSH_4.5p1, OpenSSL 0.9.7g 11 Apr 2005
> debug1: Reading configuration data /opt/etc/ssh_config
> debug1: Connecting to puff [120.64.7.52] port 22.
> debug1: Connection established.
> debug1: identity file /home/chr/.ssh/identity type -1
> debug1: Remote protocol version 1.99, remote software version OpenSSH_4.5
> debug1: match: OpenSSH_4.5 pat OpenSSH*
> debug1: Local version string SSH-1.5-OpenSSH_4.5
> debug1: Waiting for server public key.
> debug1: Received server public key (768 bits) and host key (2048 bits).
> The authenticity of host 'puff (120.64.7.52)' can't be established.
> RSA1 key fingerprint is f4:dd:48:cf:6d:1d:bf:4c:2f:ac:dc:95:fc:5d:ac:fa.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added 'puff,120.64.7.52' (RSA1) to the list of
> known hosts.
> debug1: Encryption type: 3des
> debug1: Sent encrypted session key.
> debug1: Installing crc compensation attack detector.
> debug1: Received encrypted confirmation.
> debug1: Doing challenge response authentication.
> debug1: No challenge.
> debug1: Doing password authentication.
> chr at puff's password:
> debug1: Requesting compression at level 6.
> debug1: Enabling compression at level 6.
> debug1: Sending command: /opt/libexec/sftp-server
> debug1: Entering interactive session.
> debug1: fd 0 clearing O_NONBLOCK
> debug1: Transferred: stdin 9, stdout 0, stderr 0 bytes in 0.0 seconds
> debug1: Bytes per second: stdin 975.2, stdout 0.0, stderr 0.0
> debug1: Exit status 255
> debug1: compress outgoing: raw data 49, compressed 56, factor 1.14
> debug1: compress incoming: raw data 5, compressed 9, factor 1.80
> Connection closed
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From lists at block-online.eu Wed May 16 11:44:23 2007
From: lists at block-online.eu (Oliver Block)
Date: Wed, 16 May 2007 03:44:23 +0200
Subject: Logging (hopefully not OT)
Message-ID: <200705160344.24316.lists@block-online.eu>

Hello,

I was searching for some documentation about the sshd error messages. Unfortunately with no success so far. So I'd like to ask a question here:

I had some trouble with someone who is trashing my logins with fake login attempts. Actually that individual is never trying to login, but does only initiate connections with my system without sending any passwords.

Do you see any security risk by setting the LogLevel to ERROR?

Best Regards,

Oliver

From remy.blank at pobox.com Wed May 16 22:36:47 2007
From: remy.blank at pobox.com (Remy Blank)
Date: Wed, 16 May 2007 14:36:47 +0200
Subject: Disabling ForceCommand in a Match block
Message-ID:

Hello,

I am trying to force a command for all users *except* for users in the "wheel" group. My idea was to do the following in sshd_config:

ForceCommand /usr/bin/validate-ssh-command

Match Group wheel
    ForceCommand

But obviously this doesn't work, because ForceCommand requires an argument. I couldn't find a way to achieve what I want.

I wrote a patch that adds a "NoForceCommand" configuration option that removes any configured ForceCommand. This allows me to have the following:

ForceCommand /usr/bin/validate-ssh-command

Match Group wheel
    NoForceCommand

Is there a better way to do this? Possibly without patching openssh?

BTW, the patch is against openssh-4.5p1.

Thanks.
-- Remy

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-forcecommand.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20070516/fa821539/attachment-0001.ksh

From remy.blank at pobox.com Thu May 17 01:11:46 2007
From: remy.blank at pobox.com (Remy Blank)
Date: Wed, 16 May 2007 17:11:46 +0200
Subject: Disabling ForceCommand in a Match block
Message-ID: <464B1F32.4080803@pobox.com>

Hello,

I am trying to force a command for all users *except* for users in the "wheel" group. My idea was to do the following in sshd_config:

ForceCommand /usr/bin/validate-ssh-command

Match Group wheel
    ForceCommand

But obviously this doesn't work, because ForceCommand requires an argument. I couldn't find a way to achieve what I want.

I wrote a patch that adds a "NoForceCommand" configuration option that removes any configured ForceCommand. This allows me to have the following:

ForceCommand /usr/bin/validate-ssh-command

Match Group wheel
    NoForceCommand

Is there a better way to do this? Possibly without patching openssh?

BTW, the patch is against openssh-4.5p1.

Thanks.
-- Remy

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-forcecommand.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20070516/fd790386/attachment.ksh

From imorgan at nas.nasa.gov Thu May 17 01:32:52 2007
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Wed, 16 May 2007 08:32:52 -0700
Subject: Disabling ForceCommand in a Match block
In-Reply-To:
References:
Message-ID: <20070516153252.GA10341@linux55.nas.nasa.gov>

On Wed, May 16, 2007 at 14:36:47 +0200, Remy Blank wrote:
> Hello,
>
> I am trying to force a command for all users *except* for users in the
> "wheel" group. My idea was to do the following in sshd_config:
>
> ForceCommand /usr/bin/validate-ssh-command
>
> Match Group wheel
>     ForceCommand
>
> But obviously this doesn't work, because ForceCommand requires an
> argument. I couldn't find a way to achieve what I want.
>
> I wrote a patch that adds a "NoForceCommand" configuration option that
> removes any configured ForceCommand. This allows me to have the following:
>
> ForceCommand /usr/bin/validate-ssh-command
>
> Match Group wheel
>     NoForceCommand

It would be more in keeping with the general syntax of the ssh_config (and the preference of keeping the number of options to a minimum) to have ForcedCommand accept the special keyword 'none'.

>
> Is there a better way to do this? Possibly without patching openssh?

I have to admit, I haven't played around with the Match keyword much. If it accepted negation (I don't recall if it does), you could do something like:

Match ! Group wheel
    ForceCommand /usr/bin/validate-ssh-command

-- 
Iain

>
> BTW, the patch is against openssh-4.5p1.
>
> Thanks.
> -- Remy
> --- servconf.c.orig 2007-05-16 13:38:13.000000000 +0200 > +++ servconf.c 2007-05-16 14:21:47.000000000 +0200 > @@ -122,6 +122,7 @@ > options->permit_tun = -1; > options->num_permitted_opens = -1; > options->adm_forced_command = NULL; > + options->no_forced_command = 0; > } > > void
> @@ -291,7 +292,7 @@ > sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, > sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, > sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, > - sMatch, sPermitOpen, sForceCommand, > + sMatch, sPermitOpen, sForceCommand, sNoForceCommand, > sUsePrivilegeSeparation, > sDeprecated, sUnsupported > } ServerOpCodes; > @@ -403,6 +404,7 @@ > { "match", sMatch, SSHCFG_ALL }, > { "permitopen", sPermitOpen, SSHCFG_ALL }, > { "forcecommand", sForceCommand, SSHCFG_ALL }, > + { "noforcecommand", sNoForceCommand, SSHCFG_ALL }, > { NULL, sBadOption, 0 } > }; > > @@ -1249,10 +1251,21 @@ > fatal("%.200s line %d: Missing argument.", filename, > linenum); > len = strspn(cp, WHITESPACE); > - if (*activep && options->adm_forced_command == NULL) > + if (*activep && options->adm_forced_command == NULL) { > options->adm_forced_command = xstrdup(cp + len); > + options->no_forced_command = 0; > + } > return 0; > > + case sNoForceCommand: > + if (*activep) { > + if (options->adm_forced_command != NULL) > + xfree(options->adm_forced_command); > + options->adm_forced_command = NULL; > + options->no_forced_command = 1; > + } > + break; > + > case sDeprecated: > logit("%s line %d: Deprecated option %s", > filename, linenum, arg); > @@ -1332,6 +1345,11 @@ > xfree(dst->adm_forced_command); > dst->adm_forced_command = src->adm_forced_command; > } > + if (src->no_forced_command) { > + if (dst->adm_forced_command != NULL) > + xfree(dst->adm_forced_command); > + dst->adm_forced_command = NULL; > + } > if (src->x11_display_offset != -1) > dst->x11_display_offset = src->x11_display_offset; > if (src->x11_forwarding != -1) > > --- servconf.h.orig 2007-05-16 14:18:52.000000000 +0200 > +++ servconf.h 2007-05-16 14:19:26.000000000 +0200 
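Review bot: in the @@ -1249,10 +1251,21 @@ hunk the two keywords get different precedence. ForceCommand keeps the first value seen (the `options->adm_forced_command == NULL` guard), but NoForceCommand unconditionally frees and clears whatever came before it and then resets `no_forced_command = 0` on the next ForceCommand, so `ForceCommand x` followed by `NoForceCommand` disables the command while `NoForceCommand` followed by `ForceCommand x` enables it, which contradicts sshd_config's first-obtained-value rule. Suggest guarding both sides, e.g. `if (*activep && options->adm_forced_command == NULL && !options->no_forced_command)` in the sForceCommand case and `if (*activep && options->adm_forced_command == NULL)` in the sNoForceCommand case, so the first of the two keywords in a block wins either way. The @@ -1332 hunk is then the only consumer of the flag and is fine as written. The diff touches only servconf.c and servconf.h: the new keyword still needs an entry in sshd_config.5 (and ideally a mention in the Match section there), and Iain's suggestion of `ForceCommand none` would avoid the extra keyword and the extra struct field altogether.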
> @@ -135,6 +135,7 @@ > char *authorized_keys_file2; > > char *adm_forced_command; > + int no_forced_command; > > int use_pam; /* Enable auth via PAM */
>

-- 
Iain Morgan

From remy.blank at pobox.com Thu May 17 01:42:34 2007
From: remy.blank at pobox.com (Remy Blank)
Date: Wed, 16 May 2007 17:42:34 +0200
Subject: Disabling ForceCommand in a Match block
In-Reply-To: <20070516153252.GA10341@linux55.nas.nasa.gov>
References: <20070516153252.GA10341@linux55.nas.nasa.gov>
Message-ID:

Iain Morgan wrote:
> It would be more in keeping with the general syntax of the ssh_config
> (and the preference of keeping the number of options to a minimum)
> to have ForcedCommand accept the special keyword 'none'.

This would prevent being able to call the command 'none'. I guess that's ok.

>> Is there a better way to do this? Possibly without patching openssh?
>
> I have to admit, I haven't played around with the Match keyword much.
> If it accepted negation (I don't recall if it does), you could do
> something like:
>
> Match ! Group wheel
>     ForceCommand /usr/bin/validate-ssh-command

Yes, that would be nice. Unfortunately, it doesn't work (I just tried it).

-- Remy

From wknox at mitre.org Thu May 17 17:50:02 2007
From: wknox at mitre.org (Knox, Bill)
Date: Thu, 17 May 2007 03:50:02 -0400
Subject: Disabling ForceCommand in a Match block
In-Reply-To:
References: <20070516153252.GA10341@linux55.nas.nasa.gov>
Message-ID: <3B660B4ACB06BE488E3938F95115E4DE01AC40F4@IMCSRV4.MITRE.ORG>

My reading of the Match conditional block was the criteria had to go first, followed by the pattern. Therefore, I tried

Match Group !other
    ForceCommand echo "Test"

and it doesn't seem to work.

In digging a bit deeper, it seems that the Match conditional works a bit differently when it is dealing with the Group keyword versus others (I assume because one can belong to many groups and only have one User, Host and Address). They all call match_cfg_line to check for a match, which in the case of the other three calls match_pattern_list (in the case of Address, via match_hostname), which allows negation and calls match_pattern. Groups, however, calls match_cfg_line_group, which calls ga_match, which calls match_pattern directly and doesn't use match_pattern_list. Therefore, negation won't work for Groups, though it will for the User, Host and Address criteria (the same is true for comma separated values for the same reason). I've tested this, and it works with the following setup:

Match User *,!root
    ForceCommand echo "Test"

This makes sense in some scenarios, as patterns, negation and groups don't mix well in the sense of testing all of the groups to which you belong (one of the groups to which you belong will likely not match the pattern in question). However, the case in question is a simpler one, and I can see where it may be useful to examine negative group membership. Perhaps ga_match can be modified to work like match_pattern_list to recognize negation on its own, or perhaps it could call match_pattern_list instead of match_pattern directly and cause it to trip the first time it gets a negative match (that is, the first time a negative group is passed and the User doesn't belong).
I have written a brief patch to implement this. I haven't tested what happens with the AllowGroups and DenyGroups cases, but it will work to force a command for everyone not in the other group as follows:

Match Group *,!other
    ForceCommand echo "Test"

I have opened up a bugzilla case with an enhancement request and the patch as well (ID 1315).

Bill Knox
Lead Operating Systems Programmer/Analyst
The MITRE Corporation

-----Original Message-----
From: openssh-unix-dev-bounces+wknox=mitre.org at mindrot.org [mailto:openssh-unix-dev-bounces+wknox=mitre.org at mindrot.org] On Behalf Of Remy Blank
Sent: Wednesday, May 16, 2007 11:43 AM
To: openssh-unix-dev at mindrot.org
Subject: Re: Disabling ForceCommand in a Match block

Iain Morgan wrote:
> It would be more in keeping with the general syntax of the ssh_config
> (and the preference of keeping the number of options to a minimum)
> to have ForcedCommand accept the special keyword 'none'.

This would prevent being able to call the command 'none'. I guess that's ok.

>> Is there a better way to do this? Possibly without patching openssh?
>
> I have to admit, I haven't played around with the Match keyword much.
> If it accepted negation (I don't recall if it does), you could do
> something like:
>
> Match ! Group wheel
>     ForceCommand /usr/bin/validate-ssh-command

Yes, that would be nice. Unfortunately, it doesn't work (I just tried it).

-- Remy
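The difference Bill describes between the User/Host/Address path (match_pattern_list, which understands `!`) and the Group path (match_pattern on the raw list), as an added example that is not code from the thread or from OpenSSH: the glob matcher, the list walker and the two ga_match variants are simplified re-implementations of the behaviour described, and the group memberships are constructed. It also runs `Match User *,!root` through the same list matcher to show why that form already works.

```c
/* Added illustration of the Match semantics Bill describes; not OpenSSH's
 * own code. match_pattern()/match_pattern_list() follow sshd's documented
 * rules (glob '*' and '?', comma-separated list, leading '!' negates, a
 * negated match wins). ga_match_literal() mirrors the old Group path that
 * hands the list to match_pattern() untouched; ga_match_pattern_list() is
 * the fix Bill proposes. The group memberships are constructed samples. */
#include <stdio.h>
#include <string.h>

static const char *const ALICE_GROUPS[] = { "users", "other" };	/* sample */
static const char *const BOB_GROUPS[] = { "users", "wheel" };	/* sample */

/* Glob match of s against pattern: '*' matches any run, '?' one char. */
static int
match_pattern(const char *s, const char *pattern)
{
	for (;;) {
		if (*pattern == '\0')
			return *s == '\0';
		if (*pattern == '*') {
			while (*pattern == '*')
				pattern++;
			if (*pattern == '\0')
				return 1;	/* trailing '*' takes the rest */
			for (; *s != '\0'; s++)
				if (match_pattern(s, pattern))
					return 1;
			return 0;
		}
		if (*s == '\0' || (*pattern != '?' && *pattern != *s))
			return 0;
		s++, pattern++;
	}
}

/* Walk a comma-separated list: 1 if a positive element matched, -1 as
 * soon as a negated element matches, 0 if nothing matched. */
static int
match_pattern_list(const char *s, const char *list)
{
	char sub[256];
	size_t n, copy;
	int got_positive = 0, negated;

	while (*list != '\0') {
		n = strcspn(list, ",");
		copy = n < sizeof(sub) ? n : sizeof(sub) - 1;	/* truncate overlong */
		memcpy(sub, list, copy);
		sub[copy] = '\0';
		list += n + (list[n] == ',');
		negated = (sub[0] == '!');
		if (match_pattern(s, sub + negated)) {
			if (negated)
				return -1;	/* "*,!root" yields -1 for root */
			got_positive = 1;
		}
	}
	return got_positive;
}

/* Old Group behaviour: every group is compared with the whole list as one
 * plain pattern, so neither ',' nor '!' has any special meaning. */
static int
ga_match_literal(const char *const *groups, int ngroups, const char *list)
{
	int i;

	for (i = 0; i < ngroups; i++)
		if (match_pattern(groups[i], list))
			return 1;
	return 0;
}

/* Proposed behaviour: the list is evaluated against every group the user
 * is in; one negated match rejects, otherwise any positive match accepts. */
static int
ga_match_pattern_list(const char *const *groups, int ngroups, const char *list)
{
	int i, r, found = 0;

	for (i = 0; i < ngroups; i++) {
		r = match_pattern_list(groups[i], list);
		if (r == -1)
			return 0;	/* member of a "!group": rejected */
		if (r == 1)
			found = 1;
	}
	return found;
}

int
main(void)
{
	printf("Match Group *,!other: old alice=%d, new alice=%d, new bob=%d\n",
	    ga_match_literal(ALICE_GROUPS, 2, "*,!other"),
	    ga_match_pattern_list(ALICE_GROUPS, 2, "*,!other"),
	    ga_match_pattern_list(BOB_GROUPS, 2, "*,!other"));
	return 0;
}
```

With the old path `Match Group *,!other` matches nobody at all (the list is one literal pattern containing a comma), so the ForceCommand silently applies to no one; with the proposed path it matches bob but not alice.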
From remy.blank at pobox.com Thu May 17 19:42:44 2007
From: remy.blank at pobox.com (Remy Blank)
Date: Thu, 17 May 2007 11:42:44 +0200
Subject: Disabling ForceCommand in a Match block
In-Reply-To: <3B660B4ACB06BE488E3938F95115E4DE01AC40F4@IMCSRV4.MITRE.ORG>
References: <20070516153252.GA10341@linux55.nas.nasa.gov> <3B660B4ACB06BE488E3938F95115E4DE01AC40F4@IMCSRV4.MITRE.ORG>
Message-ID:

Knox, Bill wrote:
> Therefore,
> negation won't work for Groups, though it will for the User, Host and
> Address criteria (the same is true for comma separated values for the
> same reason). I've tested this, and it works with the following setup:
>
> Match User *,!root
>     ForceCommand echo "Test"

This is brilliant! It solves my problem much better than my current workaround:

Match User user1, user2, user3, ...
    ForceCommand /usr/bin/validate-command

(As this is a production machine, I didn't dare keep my patch before getting at least some feedback from people more knowledgeable than I am).

> I have written a brief patch to implement this. I haven't tested what
> happens with the AllowGroups and DenyGroups cases, but it will work
> to force a command for everyone not in the other group as follows:
>
> Match Group *,!other
>     ForceCommand echo "Test"

This would completely and elegantly solve my situation. Thanks for taking the time to implement it. Do you need any testing at this point?

-- Remy

From wknox at mitre.org Fri May 18 00:22:43 2007
From: wknox at mitre.org (Knox, Bill)
Date: Thu, 17 May 2007 10:22:43 -0400
Subject: Disabling ForceCommand in a Match block
In-Reply-To:
References: <20070516153252.GA10341@linux55.nas.nasa.gov> <3B660B4ACB06BE488E3938F95115E4DE01AC40F4@IMCSRV4.MITRE.ORG>
Message-ID: <3B660B4ACB06BE488E3938F95115E4DE01AC416A@IMCSRV4.MITRE.ORG>

At this point, put any testing that you do into the bug (#1315) on the Bugzilla site - other than that, I guess it's up to the developers to either

1) include it
2) spot the idiotic oversight in my implementation, modify it and then include it
3) spot the idiotic oversight in my logic and refuse it

I'm not taking any bets :-)

Thanks, by the way, for the positive feedback.

Bill Knox
Lead Operating Systems Programmer/Analyst
The MITRE Corporation

-----Original Message-----
From: openssh-unix-dev-bounces+wknox=mitre.org at mindrot.org [mailto:openssh-unix-dev-bounces+wknox=mitre.org at mindrot.org] On Behalf Of Remy Blank
Sent: Thursday, May 17, 2007 5:43 AM
To: openssh-unix-dev at mindrot.org
Subject: Re: Disabling ForceCommand in a Match block

Knox, Bill wrote:
> Therefore,
> negation won't work for Groups, though it will for the User, Host and
> Address criteria (the same is true for comma separated values for the
> same reason). I've tested this, and it works with the following setup:
>
> Match User *,!root
>     ForceCommand echo "Test"

This is brilliant! It solves my problem much better than my current workaround:

Match User user1, user2, user3, ...
    ForceCommand /usr/bin/validate-command

(As this is a production machine, I didn't dare keep my patch before getting at least some feedback from people more knowledgeable than I am).

> I have written a brief patch to implement this. I haven't tested what
> happens with the AllowGroups and DenyGroups cases, but it will work
> to force a command for everyone not in the other group as follows:
>
> Match Group *,!other
>     ForceCommand echo "Test"

This would completely and elegantly solve my situation. Thanks for taking the time to implement it. Do you need any testing at this point?

-- Remy
From perret.yannick at free.fr Sat May 19 03:41:58 2007
From: perret.yannick at free.fr (perret.yannick)
Date: Fri, 18 May 2007 19:41:58 +0200
Subject: test
Message-ID: <464DE566.3080802@free.fr>

Hi,

I'm just testing if it is possible to send from other email addresses than the one I use to receive mails.

Regards,
-- Y.

From perret.yannick at free.fr Sat May 19 04:18:24 2007
From: perret.yannick at free.fr (perret.yannick)
Date: Fri, 18 May 2007 20:18:24 +0200
Subject: List of allowed commands to run
In-Reply-To: <464DE566.3080802@free.fr>
References: <464DE566.3080802@free.fr>
Message-ID: <464DEDF0.2050004@free.fr>

Hello,

I was working on openSSH-4.6p1 sources at work (for a local problem with AFS tokens, but it's not the subject of the mail), and I started playing with the 'Match' command for servers.

We are trying to allow some specific access for referenced users/machines, and I find that a feature is missing: the possibility to restrict the set of commands for a given user/machine/whatsoever that 'Match' handles. I mean being able to explicitly indicate the commands that can be executed through ssh.

I therefore added a 'CommandFilter' option to sshd which allows giving a set of allowed commands. When executing a command on the server (the "exec" message) it checks whether the command is allowed, and if not it sends a disconnect message to the client.

This CommandFilter is usable with Match, to create specific sets of allowed commands.

So my questions:
- is there a simpler/nicer way to do that (or maybe it is even possible without any change)?
- is my modification correct (I mean, is it the right way to perform such a modification)?
- and would my modification interest developers or other people? In that case I can send a patch for it.

Thanks for your answers/comments.

Regards,
-- Yannick Perret

From stuge-openssh-unix-dev at cdy.org Sat May 19 06:03:17 2007
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Fri, 18 May 2007 22:03:17 +0200
Subject: List of allowed commands to run
In-Reply-To: <464DEDF0.2050004@free.fr>
References: <464DE566.3080802@free.fr> <464DEDF0.2050004@free.fr>
Message-ID: <20070518200317.31766.qmail@cdy.org>

On Fri, May 18, 2007 at 08:18:24PM +0200, perret.yannick wrote:
> So my questions:
> - is there a simpler/nicer way to do that (or maybe it is even
> possible without any change)?
> - is my modification correct (I mean, is it the right way to
> perform such a modification)?

This problem is better solved by the shell. All commands that sshd executes on behalf of the client use the shell, and since there may be other ways for the user to access the system, sshd is not a very good place for these restrictions.

You could look at rssh for an example of a restricted shell.

//Peter

From perret.yannick at free.fr Sat May 19 08:00:30 2007
From: perret.yannick at free.fr (perret.yannick)
Date: Sat, 19 May 2007 00:00:30 +0200
Subject: List of allowed commands to run
In-Reply-To: <20070518200317.31766.qmail@cdy.org>
References: <464DE566.3080802@free.fr> <464DEDF0.2050004@free.fr> <20070518200317.31766.qmail@cdy.org>
Message-ID: <464E21FE.4010208@free.fr>

Peter Stuge wrote:
> On Fri, May 18, 2007 at 08:18:24PM +0200, perret.yannick wrote:
>
>> So my questions:
>> - is there a simpler/nicer way to do that (or maybe it is even
>> possible without any change)?
>> - is my modification correct (I mean, is it the right way to
>> perform such a modification)?
>>
>
> This problem is better solved by the shell. All commands that sshd
> executes on behalf of the client use the shell, and since there may
> be other ways for the user to access the system, sshd is not a very
> good place for these restrictions.
>

Well, it may be a way. In this case we should use the ForceCommand to set the restricted shell, right?

Thanks for the hints.

Regards,
-- Yannick Perret

From stuge-openssh-unix-dev at cdy.org Sat May 19 08:02:17 2007
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Sat, 19 May 2007 00:02:17 +0200
Subject: List of allowed commands to run
In-Reply-To: <464E21FE.4010208@free.fr>
References: <464DE566.3080802@free.fr> <464DEDF0.2050004@free.fr> <20070518200317.31766.qmail@cdy.org> <464E21FE.4010208@free.fr>
Message-ID: <20070518220217.17021.qmail@cdy.org>

On Sat, May 19, 2007 at 12:00:30AM +0200, perret.yannick wrote:
> > This problem is better solved by the shell. All commands that
> > sshd execute on behalf of the client use the shell,
>
> Well, it may be a way.

No, read again.

> In this case we should use the ForceCommand to set the restricted
> shell, right?

No, you configure the restricted shell for the user.

sshd calls the user's shell any time it shall execute something.

The user's shell does the validation.

Needless to say (I will anyway to make sure) the user must not be allowed to change the shell with such a configuration.

//Peter
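Peter's approach, as an added example that is not part of the thread and not code from OpenSSH or rssh: a minimal restricted login shell in C. It assumes that sshd invokes the account's shell as `shell -c 'command'` for every remote command (which is how sshd behaves), and the three allowed programs are constructed sample values.

```c
/* Added example of the approach Peter describes: a minimal restricted
 * login shell in the spirit of rssh. It is not code from OpenSSH or rssh.
 * sshd invokes the account's login shell as "<shell> -c '<command>'" for
 * every remote command, so the shell is where an allowlist can be
 * enforced. The allowed programs below are assumed sample values. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_ARGS 32

/* Assumed allowlist: absolute paths only, compared exactly. */
static const char *const ALLOWED[] = {
	"/usr/bin/ls", "/usr/bin/cat", "/usr/bin/uptime", NULL
};

static char rs_buf[1024];		/* writable copy of the command */
static char *rs_argv[MAX_ARGS];		/* argv built from it */

/* Any byte that would mean something to a real shell is refused, so the
 * command is never handed to an interpreter that could expand it. */
static int
has_shell_meta(const char *s)
{
	return strpbrk(s, ";|&<>`$\\\"'(){}*?[]~#\n") != NULL;
}

/* Exact match against ALLOWED: no basename matching, no PATH search. */
static int
is_allowed(const char *prog)
{
	int i;

	for (i = 0; ALLOWED[i] != NULL; i++)
		if (strcmp(prog, ALLOWED[i]) == 0)
			return 1;
	return 0;
}

/* Decide on one "-c" string. On success rs_argv holds the split command
 * and 1 is returned; anything empty, too long, containing shell
 * metacharacters, or naming a program outside the allowlist yields 0. */
static int
check_command(const char *cmd)
{
	int argc = 0;
	char *p;

	if (cmd == NULL || strlen(cmd) >= sizeof(rs_buf) || has_shell_meta(cmd))
		return 0;
	strcpy(rs_buf, cmd);
	for (p = strtok(rs_buf, " \t"); p != NULL; p = strtok(NULL, " \t")) {
		if (argc >= MAX_ARGS - 1)
			return 0;
		rs_argv[argc++] = p;
	}
	rs_argv[argc] = NULL;
	return argc > 0 && is_allowed(rs_argv[0]);
}

int
main(int argc, char **argv)
{
	/* sshd passes "-c command"; an interactive login has no -c and is refused */
	if (argc != 3 || strcmp(argv[1], "-c") != 0) {
		fprintf(stderr, "restricted shell: interactive login not permitted\n");
		return 1;
	}
	if (!check_command(argv[2])) {
		fprintf(stderr, "restricted shell: command refused\n");
		return 1;
	}
	execv(rs_argv[0], rs_argv);	/* direct exec: no shell, no PATH lookup */
	perror("execv");
	return 1;
}
```

Installed as the account's login shell (in /etc/passwd or the directory that replaces it), this is what sshd runs for every remote command, which is exactly why Peter stresses that the user must not be able to change their shell.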
From perret.yannick at free.fr Sat May 19 08:23:29 2007
From: perret.yannick at free.fr (perret.yannick)
Date: Sat, 19 May 2007 00:23:29 +0200
Subject: List of allowed commands to run
In-Reply-To: <20070518220217.17021.qmail@cdy.org>
References: <464DE566.3080802@free.fr> <464DEDF0.2050004@free.fr> <20070518200317.31766.qmail@cdy.org> <464E21FE.4010208@free.fr> <20070518220217.17021.qmail@cdy.org>
Message-ID: <464E2761.8070406@free.fr>

Peter Stuge wrote:
> On Sat, May 19, 2007 at 12:00:30AM +0200, perret.yannick wrote:
>
>> In this case we should use the ForceCommand to set the restricted
>> shell, right?
>>
>
> No, you configure the restricted shell for the user.
>
> sshd calls the user's shell any time it shall execute something.
>
> The user's shell does the validation.
>
> Needless to say (I will anyway to make sure) the user must not be
> allowed to change the shell with such a configuration.
>

Ok. So this is not a solution for us. Users are defined through AFS and the associated NIS table, and shells cannot be defined locally (too many users, changing too often).

The restrictions we want to set are for a subset of machines that do have AFS but on which "basic" users are not allowed to log on (but of course other users can log on, using AFS). We are trying to allow them to use a subset of commands, and they must use their own account (for unix and AFS restriction) for that.

Regards,
-- Yannick Perret

From stuge-openssh-unix-dev at cdy.org Sat May 19 08:45:17 2007
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Sat, 19 May 2007 00:45:17 +0200
Subject: List of allowed commands to run
In-Reply-To: <464E2761.8070406@free.fr>
References: <464DE566.3080802@free.fr> <464DEDF0.2050004@free.fr> <20070518200317.31766.qmail@cdy.org> <464E21FE.4010208@free.fr> <20070518220217.17021.qmail@cdy.org> <464E2761.8070406@free.fr>
Message-ID: <20070518224517.23786.qmail@cdy.org>

On Sat, May 19, 2007 at 12:23:29AM +0200, perret.yannick wrote:
> >> In this case we should use the ForceCommand to set the
> >> restricted shell, right?
> >
> > No, you configure the restricted shell for the user.
>
> Ok. So this is not a solution for us.

Looks like it.

> The restrictions we want to set are for a subset of machines that
> do have AFS but on which "basic" users are not allowed to log on
> (but of course other users can log on, using AFS).
> We are trying to allow them to use a subset of commands, and they
> must use their own account (for unix and AFS restriction) for that.

You could match on a special group and forcecommand, but that command will still be executed using the user's shell.

//Peter

From jakob at rfc.se Sun May 20 16:33:10 2007
From: jakob at rfc.se (Jakob Schlyter)
Date: Sun, 20 May 2007 15:33:10 +0900
Subject: Differentiated Services support in SSH
In-Reply-To: <4648B113.7010904@ka9q.net>
References: <727E0261-9D9F-4A0C-9CDA-D324B49FD18D@easesoftware.com> <464370AD.4070704@anl.gov> <8135F23F-B357-4A70-AF5E-F78A2A84CFCC@inf.ed.ac.uk> <4643A432.2060103@anl.gov> <1ED8A0BD-238E-4C73-94B7-82E2D4BEC1CD@easesoftware.com> <4648B113.7010904@ka9q.net>
Message-ID: <885001C8-B220-4DA6-82E4-DDF89538A4BA@rfc.se>

I believe this would be very usable and I'd be happy to review patches.

jakob

From svallet at genoscope.cns.fr Mon May 21 23:55:07 2007
From: svallet at genoscope.cns.fr (Simon Vallet) Date: Mon, 21 May 2007 15:55:07 +0200 Subject: [PATCH] Add support for ldns Message-ID: <20070521155507.0c856d78@tx174.tx.local> Hi, as discussed before, we're trying to make use of SSHFP records (RFC 4255) to publish host key fingerprints in the DNS. However, some non-OpenBSD platforms don't support DNSSEC in the native resolver (e.g. glibc), which renders the whole thing quite useless, since openssh correctly requires the RRs to be signed and validated. The following patch adds support for ldns, an external resolver library, with the following functionality: - Set DO on the SSHFP query - Support AD if the answer comes from a validating resolver - Support autonomous validation using a configured trust anchor in case the answer is not marked as authentic. It depends on the SVN version of ldns (revision 2345), which is available there: http://www.nlnetlabs.nl/ldns/ Simon Index: configure.ac =================================================================== RCS file: /cvs/openssh/configure.ac,v retrieving revision 1.380 diff -u -r1.380 configure.ac --- configure.ac 9 May 2007 22:57:43 -0000 1.380 +++ configure.ac 21 May 2007 13:46:58 -0000 
@@ -1145,6 +1145,40 @@ ] ) +# Check whether user wants to use ldns +LDNS_MSG="no" +AC_ARG_WITH(ldns, + [ --with-ldns[[=PATH]] Use ldns for DNSSEC support (optionally in PATH)], + [ + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + fi + + AC_DEFINE(HAVE_LDNS, 1, [Define if you want ldns support]) + LIBS="-lldns $LIBS" + LDNS_MSG="yes" + + AC_MSG_CHECKING([for ldns support]) + AC_LINK_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +#include +#include +int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); } + ]])], + [AC_MSG_RESULT(yes)], + [ + AC_MSG_RESULT(no) + AC_MSG_ERROR([** Incomplete or missing ldns libraries.]) + ]) + fi + ] +) + # Check whether user wants libedit support LIBEDIT_MSG="no" AC_ARG_WITH(libedit, Index: openbsd-compat/getrrsetbyname.c =================================================================== RCS file: /cvs/openssh/openbsd-compat/getrrsetbyname.c,v retrieving revision 1.24 diff -u -r1.24 getrrsetbyname.c --- openbsd-compat/getrrsetbyname.c 29 Apr 2007 03:58:07 -0000 1.24 +++ openbsd-compat/getrrsetbyname.c 21 May 2007 13:46:58 -0000 @@ -2,6 +2,7 @@ /* * Copyright (c) 2001 Jakob Schlyter. All rights reserved. + * Copyright (c) 2007 Simon Vallet / Genoscope * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -55,7 +56,12 @@ #include #include +#ifdef HAVE_LDNS +#include +#endif + #include "getrrsetbyname.h" +#include "log.h" #if defined(HAVE_DECL_H_ERRNO) && !HAVE_DECL_H_ERRNO extern int h_errno; @@ -170,6 +176,9 @@ struct dns_rr *additional; }; + +#ifndef HAVE_LDNS + static struct dns_response *parse_dns_response(const u_char *, int); static struct dns_query *parse_dns_qsection(const u_char *, int, const u_char **, int); 
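Review bot: in the configure.ac hunk, AC_DEFINE(HAVE_LDNS), `LIBS="-lldns $LIBS"` and `LDNS_MSG="yes"` are all applied before AC_LINK_IFELSE has shown that the library links; this is only safe because the failure branch is AC_MSG_ERROR, so either move those three into the success branch (the usual configure.ac pattern, and what the libedit check just below does) or keep the fatal error deliberately and say so in a comment. The test program also only needs to link, so calling ldns_verify_trusted(NULL, NULL, NULL, NULL) is fine, but a comment saying it is never executed would save the next reader a double take. In the `@@ -55,7 +56,12 @@` hunk, `#include "log.h"` is added outside the HAVE_LDNS guard; if only the ldns path uses it, move it inside the `#ifdef HAVE_LDNS` block so the native build is unchanged.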
@@ -345,37 +354,6 @@ return (result); } -void -freerrset(struct rrsetinfo *rrset) -{ - u_int16_t i; - - if (rrset == NULL) - return; - - if (rrset->rri_rdatas) { - for (i = 0; i < rrset->rri_nrdatas; i++) { - if (rrset->rri_rdatas[i].rdi_data == NULL) - break; - free(rrset->rri_rdatas[i].rdi_data); - } - free(rrset->rri_rdatas); - } - - if (rrset->rri_sigs) { - for (i = 0; i < rrset->rri_nsigs; i++) { - if (rrset->rri_sigs[i].rdi_data == NULL) - break; - free(rrset->rri_sigs[i].rdi_data); - } - free(rrset->rri_sigs); - } - - if (rrset->rri_name) - free(rrset->rri_name); - free(rrset); -} - /* * DNS response parsing routines */ 
@@ -606,5 +584,220 @@ return (n); } + +#else + +int +getrrsetbyname(const char *hostname, unsigned int rdclass, + unsigned int rdtype, unsigned int flags, + struct rrsetinfo **res) +{ + int result; unsigned int i; unsigned int j; + struct rrsetinfo *rrset = NULL; + + unsigned int index_ans; unsigned int index_sig; + struct rdatainfo *rdata; + + ldns_resolver * ldns_res; + ldns_rdf * domain = NULL; ldns_pkt * pkt; + ldns_rr_list * rrsigs = NULL; + ldns_rr_list * rrdata = NULL; + ldns_status err; + ldns_rr * rr; + + /* check for invalid class and type */ + if (rdclass > 0xffff || rdtype > 0xffff) { + result = ERRSET_INVAL; + goto fail; + } + + /* don't allow queries of class or type ANY */ + if (rdclass == 0xff || rdtype == 0xff) { + result = ERRSET_INVAL; + goto fail; + } + + /* don't allow flags yet, unimplemented */ + if (flags) { + result = ERRSET_INVAL; + goto fail; + } + + /* initialize resolver */ + domain = ldns_dname_new_frm_str(hostname); + if ((err = ldns_resolver_new_frm_file(&ldns_res, NULL)) != LDNS_STATUS_OK) { /* Initialize resolver from resolv.conf */ + result = ERRSET_FAIL; + goto fail; + } + +#ifdef DEBUG + ldns_resolver_set_debug(ldns_res, true); +#endif /* DEBUG */ + + ldns_resolver_set_dnssec(ldns_res, true); /* Use DNSSEC, since ldns supports it */ + + /* make query */ + pkt = ldns_resolver_query(ldns_res, domain, rdtype, rdclass, LDNS_RD); + + /*** TODO: finer errcodes -- see original **/ + if (!pkt || ldns_pkt_ancount(pkt) < 1) { + result = ERRSET_FAIL; + goto fail; + } + + /* initialize rrset */ + rrset = calloc(1, sizeof(struct rrsetinfo)); + if (rrset == NULL) { + result = ERRSET_NOMEMORY; + goto fail; + } + + rrdata = ldns_pkt_rr_list_by_type(pkt, rdtype, LDNS_SECTION_ANSWER); + rrset->rri_nrdatas = ldns_rr_list_rr_count(rrdata); + if (!rrset->rri_nrdatas) { + result = ERRSET_NODATA; + goto fail; + } + + /* copy name from answer section */ + rrset->rri_name = strndup(ldns_rdf_data(ldns_rr_owner(ldns_rr_list_rr(rrdata, 0))), + 
ldns_rdf_size(ldns_rr_owner(ldns_rr_list_rr(rrdata, 0)))); + if (rrset->rri_name == NULL) { + result = ERRSET_NOMEMORY; + goto fail; + } + + rrset->rri_rdclass = ldns_rr_get_class(ldns_rr_list_rr(rrdata, 0)); + rrset->rri_rdtype = ldns_rr_get_type(ldns_rr_list_rr(rrdata, 0)); + rrset->rri_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrdata, 0)); + + debug2("ldns: Got %u answers from DNS", rrset->rri_nrdatas); + + /* Check for authenticated data */ + if (ldns_pkt_ad(pkt)) { + rrset->rri_flags |= RRSET_VALIDATED; + } else { /* AD is not set, try autonomous validation */ + + ldns_rr_list * trusted_keys = ldns_rr_list_new(); + + debug2("ldns: trying to validate RRset"); + /* Get eventual sigs */ + rrsigs = ldns_pkt_rr_list_by_type(pkt, LDNS_RR_TYPE_RRSIG, LDNS_SECTION_ANSWER); + rrset->rri_nsigs = ldns_rr_list_rr_count(rrsigs); + debug2("ldns: Got %u sigs (RRTYPE %u) from DNS", rrset->rri_nsigs, LDNS_RR_TYPE_RRSIG); + + if ((err = ldns_verify_trusted(ldns_res, rrdata, rrsigs, trusted_keys)) == LDNS_STATUS_OK) { + rrset->rri_flags |= RRSET_VALIDATED; + debug2("ldns: RRset is signed with a valid key"); + } else { + debug2("ldns: RRset validation failed: %s", ldns_get_errorstr_by_id(err)); + } + + ldns_rr_list_deep_free(trusted_keys); + } + + /* allocate memory for answers */ + rrset->rri_rdatas = calloc(rrset->rri_nrdatas, + sizeof(struct rdatainfo)); + if (rrset->rri_rdatas == NULL) { + result = ERRSET_NOMEMORY; + goto fail; + } + + /* allocate memory for signatures */ + if (rrset->rri_nsigs > 0) { + rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo)); + if (rrset->rri_sigs == NULL) { + result = ERRSET_NOMEMORY; + goto fail; + } + } + + /* copy answers & signatures */ + for (i=0, index_ans=0, index_sig=0; i< pkt->_header->_ancount; i++) { + + rdata = NULL; + rr = ldns_rr_list_rr(ldns_pkt_answer(pkt), i); + + if (ldns_rr_get_class(rr) == rrset->rri_rdclass && ldns_rr_get_type(rr) == rrset->rri_rdtype) { + rdata = &rrset->rri_rdatas[index_ans++]; + } + + if 
(rr->_rr_class == rrset->rri_rdclass && rr->_rr_type == LDNS_RR_TYPE_RRSIG) { + rdata = &rrset->rri_sigs[index_sig++]; + } + + if (rdata) { + size_t rdata_offset = 0; + + rdata->rdi_length = 0; + for (j=0; j< rr->_rd_count; j++) { + rdata->rdi_length += ldns_rdf_size(ldns_rr_rdf(rr, j)); + } + + rdata->rdi_data = malloc(rdata->rdi_length); + if (rdata->rdi_data == NULL) { + result = ERRSET_NOMEMORY; + goto fail; + } + + /* Re-create the raw DNS RDATA */ + for (j=0; j< rr->_rd_count; j++) { + memcpy(rdata->rdi_data + rdata_offset, ldns_rdf_data(ldns_rr_rdf(rr, j)), ldns_rdf_size(ldns_rr_rdf(rr, j))); + rdata_offset += ldns_rdf_size(ldns_rr_rdf(rr, j)); + } + } + + } + + *res = rrset; + result = ERRSET_SUCCESS; + /* return (ERRSET_SUCCESS); */ + +fail: + /* freerrset(rrset); */ + ldns_rdf_deep_free(domain); + ldns_pkt_free(pkt); + ldns_rr_list_deep_free(rrsigs); + ldns_rr_list_deep_free(rrdata); + ldns_resolver_deep_free(ldns_res); + + return result; +} + + +#endif /* defined(HAVE_LDNS) */ + +void +freerrset(struct rrsetinfo *rrset) +{ + u_int16_t i; + + if (rrset == NULL) + return; + + if (rrset->rri_rdatas) { + for (i = 0; i < rrset->rri_nrdatas; i++) { + if (rrset->rri_rdatas[i].rdi_data == NULL) + break; + free(rrset->rri_rdatas[i].rdi_data); + } + free(rrset->rri_rdatas); + } + + if (rrset->rri_sigs) { + for (i = 0; i < rrset->rri_nsigs; i++) { + if (rrset->rri_sigs[i].rdi_data == NULL) + break; + free(rrset->rri_sigs[i].rdi_data); + } + free(rrset->rri_sigs); + } + + if (rrset->rri_name) + free(rrset->rri_name); + free(rrset); +} + #endif /* !defined(HAVE_GETRRSETBYNAME) */ -- Simon Vallet Ingénieur Systèmes/Réseaux Genoscope / CNRG Tél. : 01 60 87 36 06 E-mail : svallet at genoscope.cns.fr From vtmrao at hotmail.com Tue May 22 07:22:00 2007 
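Review bot: in the configure.ac hunk, --with-ldns=PATH adds -I and -L for PATH but no run-time library search path, so a build against an ldns installed outside the default library directories links fine and then fails to find libldns at run time on platforms that need -R/-rpath; the neighbouring --with-libedit block handles this with need_dash_r, and the same treatment belongs here. Also, the covering message says the code needs an unreleased SVN revision of ldns, but the only configure-time check is that ldns_verify_trusted() links; a check against the ldns version (or at least an AC_MSG_NOTICE stating the minimum revision) would give users of an older ldns a clear configure failure instead of a compile error deep in getrrsetbyname.c. Minor: HAVE_LDNS is AC_DEFINEd and -lldns is added to LIBS before the link test runs, which is only safe because the failure path is AC_MSG_ERROR; if that is ever relaxed to a warning, both need to move after the test.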
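Review bot: in the `@@ -606,5 +584,220 @@` hunk, the answer-copy loop is wrong whenever the packet has the AD bit set: rrsigs is only fetched and rri_nsigs only set in the else branch, so in the AD case rri_sigs is never allocated, yet the loop still computes `rdata = &rrset->rri_sigs[index_sig++]` for every RRSIG in the answer, and with DO set a validating resolver does return them. For the first RRSIG that yields a NULL rdata that `if (rdata)` silently skips; for a second one (multiple signers, key rollover) it is a small non-NULL offset that is written through. Fetch the RRSIG list and set rri_nsigs before the AD test, as the original code returned signatures regardless of validation status. Second, the fail: label has `freerrset(rrset)` commented out, so every error after the calloc leaks the partial rrset, and pkt and ldns_res are never initialised to NULL, so the early `goto fail`s from the class/type/flags checks hand uninitialised pointers to ldns_pkt_free() and ldns_resolver_deep_free(); initialise both and call freerrset() only when result != ERRSET_SUCCESS. Third, the security model: `if (ldns_pkt_ad(pkt))` sets RRSET_VALIDATED on the word of whatever resolver resolv.conf names, and over an unauthenticated UDP path the AD bit is a bit any on-path party can set, which is the same "trusting the next DNS hop" weakness the covering text wants to get away from; AD should only be honoured for a resolver the user has explicitly marked as trusted (typically a local validator), and otherwise the ldns_verify_trusted() branch should always run. In that branch `trusted_keys = ldns_rr_list_new()` is created empty and nothing adds a key to it before the call, so the "configured trust anchor" promised in the description never reaches the verifier; the anchor has to be loaded from somewhere and the location made configurable. Smaller points: `pkt->_header->_ancount`, `rr->_rr_class`, `rr->_rr_type` and `rr->_rd_count` reach into ldns private members while the same function already uses ldns_pkt_ancount(), ldns_rr_get_class() and ldns_rr_get_type() a few lines earlier; use the accessors (ldns_rr_rd_count() for the last one) so the code survives struct changes in a library it tracks at SVN level. And rri_name is built with strndup() over ldns_rdf_data() of the owner dname, which is the wire-format label sequence rather than a presentation-form name; if any caller treats rri_name as text, ldns_rdf2str() is the right source. Moving freerrset() below the `#endif` so both implementations share it is the right call.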
From: vtmrao at hotmail.com (Mohan V) Date: Mon, 21 May 2007 17:22:00 -0400 Subject: Using Dropbear for RTOS which is not POSIX compliant? Message-ID: Hi, We have a proprietary RTOS which is *not* POSIX compliant. We want to port SSH server and SCP client onto our platform. How difficult would it be to port Dropbear to our platform? We would like to integrate our CLI with the SSH. Any recommendations on using Dropbear for our platform? Appreciate sharing your experiences with Dropbear. --- Thanks, Mohan From stuge-openssh-unix-dev at cdy.org Tue May 22 07:56:04 2007 From: stuge-openssh-unix-dev at cdy.org (Peter Stuge) Date: Mon, 21 May 2007 23:56:04 +0200 Subject: Using Dropbear for RTOS which is not POSIX compliant? In-Reply-To: References: Message-ID: <20070521215604.15556.qmail@cdy.org> On Mon, May 21, 2007 at 05:22:00PM -0400, Mohan V wrote: > Any recommendations on using Dropbear for our platform? Appreciate > sharing your experiences with Dropbear. Sorry, but you're asking in an inappropriate forum. This mailing list discusses development of OpenSSH. //Peter From dkg-openssh.com at fifthhorseman.net Tue May 22 07:40:32 2007 
From: dkg-openssh.com at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 21 May 2007 17:40:32 -0400 Subject: Using Dropbear for RTOS which is not POSIX compliant? In-Reply-To: (Mohan V.'s message of "Mon, 21 May 2007 17:22:00 -0400") References: Message-ID: <87k5v17t4f.fsf@squeak.fifthhorseman.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon 2007-05-21 17:22:00 -0400, Mohan V wrote: > We have a proprietary RTOS which is *not* POSIX compliant. We want > to port SSH server and SCP client onto our platform. How difficult > would it be to port Dropbear to our platform? We would like to > integrate our CLI with the SSH. > > Any recommendations on using Dropbear for our platform? Appreciate > sharing your experiences with Dropbear. i suggest you ask in a dropbear-related forum [0]. This mailing list is for development of openssh, which is an entirely different implementation of the ssh server specification. Regards, --dkg [0] http://lists.ucc.gu.uwa.edu.au/mailman/listinfo/dropbear, perhaps? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Processed by Mailcrypt 3.5.8+ iD8DBQFGUhHOiXTlFKVLY2URAsG9AKCG28Yu0ZHWjCbTjly6z+U7k32erACgjQsv Kyywvn3thDalCz4mzpvWHFE= =72t9 -----END PGP SIGNATURE----- From rapier at psc.edu Thu May 24 05:24:56 2007 
From: rapier at psc.edu (Chris Rapier) Date: Wed, 23 May 2007 15:24:56 -0400 Subject: HPN SSH In-Reply-To: <003801c790dd$85c83090$915891b0$@arc.nasa.gov> References: <003801c790dd$85c83090$915891b0$@arc.nasa.gov> Message-ID: <46549508.1010101@psc.edu> Avnish & OpenSSH Community, I'm sorry this has taken so long to reply to. I've been out of the office for the past 3 weeks dealing with nuptials and such. Avnish Bhatnagar wrote: > Hello, > > I know this has come up before; but is the HPN patch (or elements thereof) > currently being considered for integration into the OpenSSH code base? I don't know. I do know that the scope of my patch is pretty broad and getting it integrated at this point would require a certain amount of effort to have it properly vetted. I understand how little time people have to deal with these sorts of things and how different people and users have different priorities. However, even if the OpenSSH dev team doesn't like the exact code I and Mike Stevens developed, I do believe that the concept is worth pursuing and I'm willing to do what I can to provide necessary test beds if anyone on the dev team is interested. Personally, I don't have anything emotionally invested in the code itself. I just believe that incorporating the concept would be useful to a large number of users - both in the higher end environments and in the growing number of home environments with 10Mb/s+ connections. > Are > there pending issues (buffer management, none cipher, etc) which still need > to be addressed? I believe most of these issues have been addressed but I might be mistaken. The none cipher usage may be a show stopper but I have always seen that as a secondary feature to the performance enhancements. > We have been using HPN-SSH for over a year now, and like others, have > observed significant performance improvement over standard OpenSSH. I can > scp a 1 GB test file between two HPN-SSH LAN hosts at 700 Mbps (<1 ms > latency). 
And over a cross-country high-BDP WAN link, I'm able to achieve > over 500 Mbps (85 ms latency). These single-stream scp transfers were run > on well-tuned Linux kernels 2.6.15 (or higher) with the arcfour cipher. > (I'll be happy to provide more details about these tests upon request.) I'm > not sure how 'typical' my results are, but they represent an order of > magnitude improvement over stock OpenSSH. While the improvement tends to > vary among different platforms, I have never observed a performance > degradation. Actually those increases are pretty typical. It's not perfect and there are still some aspects that can prevent a user from seeing the rates they might see with gridFTP or some other dedicated bulk data mover, but in terms of simplicity, functionality, and security SSH, and the OpenSSH implementation, is tough to beat. We've actually been thinking about extending our usage of it to make it more of a middleware transport mechanism for some applications. > We recommend HPN SSH to our users who need to (securely) transfer their bulk > scientific datasets ranging in size of hundreds megabytes to one terabyte; > so naturally, performance is very important for them. But they (or their > sysadmins) are often reluctant to deploy software which represents a > deviation from a standard distribution...and the maintenance issues that > follow. Which is understandable and one of the questions I frequently field on this. Is it compatible and maintainable? Is it secure? Will it be part of the main code base? (yes, yes, and I don't know). Still, there are a growing number of people that have started using it as their default distribution. The Data Working Group of the TeraGrid recently made it a mandatory component for data transport servers. So adoption is growing, at least in the HPN community. Chris Rapier Pittsburgh Supercomputing Center 
From jleu at inoc.com Fri May 25 05:18:33 2007 From: jleu at inoc.com (James R. Leu) Date: Thu, 24 May 2007 14:18:33 -0500 Subject: [RFC][PATCH] Detect and handle PAM changing user name Message-ID: <20070524191831.GC12756@inoc.com> I've implemented a patch to openssh which allows the PAM auth layer to detect if the PAM stack has changed the user name and then adjusts its internal data structures accordingly. (imagine a PAM stack that uses individual credentials to authenticate, but assigns the user to a role account). First, is the openssh community interested in this patch? Second, if there is interest in the patch, how do I go about submitting the patch for formal review? Third, regardless of interest by the openssh community, is there anyone willing to review this code for me? PS I've tested the code path going through sshpam_auth_passwd(), but do not know how to test the code path that goes through sshpam_thread(). -- James R. Leu jleu at inoc.com INOC -> http://inoc.com/ DELIVERING UPTIME -------------- next part -------------- diff -uNr openssh-4.6p1/auth-pam.c openssh-4.6p1.jleu/auth-pam.c --- openssh-4.6p1/auth-pam.c 2006-09-16 20:57:47.000000000 -0500 +++ openssh-4.6p1.jleu/auth-pam.c 2007-05-24 13:16:56.000000000 -0500 
@@ -335,6 +335,39 @@ } /* + * Detect and deal with the PAM stack changing the user name on us + */ +static int +sshpam_handle_user_change(pam_handle_t *sshpam_handle, Authctxt *authctxt) +{ + const char *pam_user; + const char **ptr_pam_user = &pam_user; + + if (pam_get_item(sshpam_handle, PAM_USER, + (sshpam_const void **)ptr_pam_user) != PAM_SUCCESS) + return PAM_AUTH_ERR; + + if (strcmp(authctxt->user, pam_user)) { + char *user = strdup(pam_user); + struct passwd *pw; + + if (!user) + return PAM_AUTH_ERR; + + if (!(pw = getpwnamallow(user))) { + free(user); + return PAM_AUTH_ERR; + } + + free(authctxt->pw); + authctxt->pw = pw; + free(authctxt->user); + authctxt->user = user; + } + return PAM_SUCCESS; +} + +/* * Conversation function for authentication thread. */ static int @@ -469,6 +502,10 @@ if (sshpam_err != PAM_SUCCESS) goto auth_fail; + sshpam_err = sshpam_handle_user_change(sshpam_handle, sshpam_authctxt); + if (sshpam_err != PAM_SUCCESS) + goto auth_fail; + if (compat20) { if (!do_pam_account()) { sshpam_err = PAM_ACCT_EXPIRED; @@ -1206,7 +1243,8 @@ sshpam_err = pam_authenticate(sshpam_handle, flags); sshpam_password = NULL; - if (sshpam_err == PAM_SUCCESS && authctxt->valid) { + if (sshpam_err == PAM_SUCCESS && authctxt->valid && + sshpam_handle_user_change(sshpam_handle, authctxt) == PAM_SUCCESS) { debug("PAM: password authentication accepted for %.100s", authctxt->user); return 1; -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20070524/48f14c83/attachment-0001.bin From emaste at phaedrus.sandvine.ca Fri May 25 05:38:35 2007 
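Review bot: in the `@@ -335,6 +335,39 @@` hunk, `free(authctxt->pw)` releases only the struct: the pw held in authctxt comes from pwcopy(), whose string members are xstrdup()'d separately, so every user change leaks them; add a pwfree() that frees the members and use it here. More important is what the swap does not re-check. getpwnamallow() applies AllowUsers/DenyUsers and friends to the new name, but policy already evaluated against the original user before PAM was called is not re-evaluated; in particular auth_password() tests `pw->pw_uid == 0` against PermitRootLogin before calling sshpam_auth_passwd(), so a PAM module that returns a PAM_USER mapping to uid 0 bypasses PermitRootLogin entirely. Either refuse a change to uid 0 here or re-run those checks on the new pw. Minor: the rest of the file uses xstrdup(), which also removes the `if (!user)` branch.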
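Review bot: in the `@@ -469,6 +502,10 @@` hunk the change is applied to sshpam_authctxt from inside sshpam_thread(), which runs as a separate thread or, on most platforms, a forked child with its own copy of the authctxt, so the parent that goes on to set up the session never sees the new user or pw. This path needs to return the new PAM_USER to the parent in the success message on the thread's socket and let the parent, which owns the real authctxt, do the getpwnamallow() and the swap; the kbd-interactive route through sshpam_thread() is also the one to exercise with ChallengeResponseAuthentication when testing.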
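Review bot: in the `@@ -1206,7 +1243,8 @@` hunk, folding sshpam_handle_user_change() into the success condition means that when the lookup of the new user fails after a successful pam_authenticate(), control falls into the existing else branch, which logs "password authentication failed for ...: %s" with pam_strerror(sshpam_err), and sshpam_err still holds PAM_SUCCESS, so the log says the failure reason is "Success". Handle the user change outside the condition and log its own failure. Since the accepted-message now prints the new name, the audit trail should record both the name the client presented and the account actually granted; otherwise a mapping from one user to a role account shows up in the logs only under the role name.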
From: emaste at phaedrus.sandvine.ca (Ed Maste) Date: Thu, 24 May 2007 15:38:35 -0400 Subject: [RFC][PATCH] Detect and handle PAM changing user name In-Reply-To: <20070524191831.GC12756@inoc.com> References: <20070524191831.GC12756@inoc.com> Message-ID: <20070524193835.GA41294@sandvine.com> On Thu, May 24, 2007 at 02:18:33PM -0500, James R. Leu wrote: > + free(authctxt->pw); > + authctxt->pw = pw; I haven't looked at 4.6 specifically, but in the version I did have a look at the pw * returned by pwcopy() has a bunch of fields that are xstrdup'd, so you'd probably want to implement a corresponding pwfree() function. -Ed From dtucker at zip.com.au Fri May 25 08:24:13 2007 
From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 25 May 2007 08:24:13 +1000 Subject: [RFC][PATCH] Detect and handle PAM changing user name In-Reply-To: <20070524191831.GC12756@inoc.com> References: <20070524191831.GC12756@inoc.com> Message-ID: <4656108D.80007@zip.com.au> James R. Leu wrote: > I've implemented a patch to openssh which allows the PAM auth layer > to detect if the PAM stack has changed the user name and then adjusts > its internal data structures accordingly. (imagine a PAM stack that > uses individual credentials to authenticate, but assigns the user to > a role account). > > First, is the openssh community interested in this patch? Maybe. I'm not convinced it's the right thing to do, though. > Second, if there is interest in the patch, how do I go about > submitting the patch for formal review? Attach it to http://bugzilla.mindrot.org/show_bug.cgi?id=1215, but from a brief look it appears your patch is a subset of the one already there (which also handles the case where the user doesn't exist on the system, normally this would get the login marked as invalid). > Third, regardless of interest by the openssh community, is there > anyone willing to review this code for me? > > PS I've tested the code path going through sshpam_auth_passwd(), > but do not know how to test the code path that goes through sshpam_thread(). Use ChallengeResponseAuthentication. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From jleu at inoc.com Fri May 25 11:09:21 2007 
From: jleu at inoc.com (James R. Leu) Date: Thu, 24 May 2007 20:09:21 -0500 Subject: [RFC][PATCH] Detect and handle PAM changing user name In-Reply-To: <20070524193835.GA41294@sandvine.com> References: <20070524191831.GC12756@inoc.com> <20070524193835.GA41294@sandvine.com> Message-ID: <20070525010918.GA2809@inoc.com> Thank you for pointing this out. On Thu, May 24, 2007 at 03:38:35PM -0400, Ed Maste wrote: > On Thu, May 24, 2007 at 02:18:33PM -0500, James R. Leu wrote: > > > + free(authctxt->pw); > > + authctxt->pw = pw; > > I haven't looked at 4.6 specifically, but in the version I did > have a look at the pw * returned by pwcopy() has a bunch of > fields that are xstrdup'd, so you'd probably want to implement > a corresponding pwfree() function. > > -Ed -- James R. Leu jleu at inoc.com INOC -> http://inoc.com/ DELIVERING UPTIME -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20070524/214f5b05/attachment.bin From agohad at gmail.com Thu May 24 20:37:47 2007 From: agohad at gmail.com (Atul Gohad) Date: Thu, 24 May 2007 16:07:47 +0530 Subject: Open SSH Server User accounts Message-ID: <40ce0c530705240337t766fb78atcc4c6c0e02644861@mail.gmail.com> Hi, As part of our product requirement, we want to make use of OpenSSH to support SFTP (SSH-FTP). I was wondering whether OpenSSH Server supports creation of user accounts without actually creating a corresponding OS-level user account. Alternatively, can OpenSSH server make use of other user registries such as database-based or LDAP-based ones? Any help in this regard will be very much appreciated. Thanks, Atul Gohad. From emaste at phaedrus.sandvine.ca Sat May 26 00:58:08 2007 
From: emaste at phaedrus.sandvine.ca (Ed Maste) Date: Fri, 25 May 2007 10:58:08 -0400 Subject: [RFC][PATCH] Detect and handle PAM changing user name In-Reply-To: <4656108D.80007@zip.com.au> References: <20070524191831.GC12756@inoc.com> <4656108D.80007@zip.com.au> Message-ID: <20070525145808.GA25392@sandvine.com> On Fri, May 25, 2007 at 08:24:13AM +1000, Darren Tucker wrote: > James R. Leu wrote: > > I've implemented a patch to openssh which allows the PAM auth layer > > to detect if the PAM stack has changed the user name and then adjusts > > its internal data structures accordingly. (imagine a PAM stack that > > uses individual credentials to authenticate, but assigns the user to > > a role account). > > > > First, is the openssh community interested in this patch? > > Maybe. I'm not convinced it's the right thing to do, though. I know of several implementations of some variety of template/role user support for openssh, so I suspect there would be a reasonable amount of interest in seeing this as an officially supported feature. Perhaps with an option to allow/disallow it. -Ed From svallet at genoscope.cns.fr Tue May 29 19:01:30 2007 
From: svallet at genoscope.cns.fr (Simon Vallet) Date: Tue, 29 May 2007 11:01:30 +0200 Subject: [PATCH] Add support for ldns In-Reply-To: <20070521155507.0c856d78@tx174.tx.local> References: <20070521155507.0c856d78@tx174.tx.local> Message-ID: <20070529110130.74f25c80@tx174.tx.local> nobody on this one? I really think autonomous signature validation capabilities are a useful feature in an ssh client. In a mobile scenario, simply trusting the next DNS hop seems only marginally better than having no signed records at all. I'm willing to spend more time on this patch if necessary, so any feedback is welcome Simon On Mon, 21 May 2007 15:55:07 +0200 Simon Vallet wrote: > Hi, > > as discussed before, we're trying to make use of SSHFP records (RFC > 4255) to publish host key fingerprints in the DNS. > > However, some non-OpenBSD platforms don't support DNSSEC in the native > resolver (e.g. glibc), which renders the whole thing quite useless, > since openssh correctly requires the RRs to be signed and validated. > > The following patch adds support for ldns, an external resolver > library, with the following functionality: > - Set DO on the SSHFP query > - Support AD if the answer comes from a validating resolver > - Support autonomous validation using a configured trust anchor in case > the answer is not marked as authentic. > > It depends on the SVN version of ldns (revision 2345), which is available > there: http://www.nlnetlabs.nl/ldns/ From jleu at inoc.com Wed May 30 02:32:57 2007 
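The SSHFP check that both of Simon's messages describe (a fingerprint of the host key published in DNS, which ssh may accept without prompting only when the RRset is DNSSEC-validated, because a record handed over by an untrusted hop is no better than no record) can be shown end to end in a few lines. The following is an added example written for this thread, not code from OpenSSH or from the ldns patch. The DNS side is replaced by a list of records in presentation format plus a `validated` flag that stands in for "AD from a resolver you trust, or local validation against a trust anchor succeeded"; the key material is a constructed dummy RSA blob, not a real key; and the SHA-256 fingerprint type and algorithm numbers 3 and 4 go beyond RFC 4255 (they were added later by RFC 6594 and RFC 7479), so the example is a generalisation of the 2007 record format.

```python
"""SSHFP host-key checking with RFC 4255 semantics.

Added example for this thread, not code from OpenSSH or from the ldns patch.
Shows how an SSHFP record is derived from a host key blob, how a record in
presentation format is parsed and matched, and why the *validated* flag, not
the mere presence of a matching record, decides whether the key is trusted.
"""
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers: 1 RSA, 2 DSA (RFC 4255); 3 ECDSA, 4 Ed25519 (later RFCs)
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 SHA-1 (RFC 4255), 2 SHA-256 (RFC 6594)
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

# Decisions, modelled on how ssh(1) treats a VerifyHostKeyDNS result:
ACCEPT = "accept"        # match in a DNSSEC-validated RRset: usable as trust
HINT = "hint-only"       # match in an unvalidated RRset: advisory, still prompt
NO_MATCH = "no-match"    # nothing usable: fall back to known_hosts / prompt


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_key_blob(keytype: str, *fields: bytes) -> bytes:
    """Wire-format public key blob: key type string followed by its fields."""
    return b"".join(_ssh_string(f) for f in (keytype.encode("ascii"),) + fields)


def pubkey_line(keytype: str, blob: bytes, comment: str = "") -> str:
    """Render a blob the way authorized_keys / known_hosts carry it."""
    line = "%s %s" % (keytype, base64.b64encode(blob).decode("ascii"))
    return line + (" " + comment if comment else "")


def parse_pubkey_line(line: str):
    """Return (keytype, blob) from a 'keytype base64 [comment]' line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])           # blob starts with its own type
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type mismatch between line and blob")
    return keytype, blob


def key_algo_number(keytype: str) -> int:
    if keytype.startswith("ecdsa-sha2-"):
        return SSHFP_ALGO["ecdsa"]
    return SSHFP_ALGO[keytype]


def sshfp_from_key(keytype: str, blob: bytes, fptype: int = 1):
    """(algorithm, fptype, fingerprint hex) as carried in the SSHFP RDATA.
    The fingerprint is the hash of the raw public key blob (RFC 4255 3.1.3)."""
    return key_algo_number(keytype), fptype, SSHFP_HASH[fptype](blob).hexdigest()


def parse_sshfp(text: str):
    """Parse presentation format '1 1 <hex>'; the hex may be split by spaces."""
    parts = text.split()
    if len(parts) < 3:
        raise ValueError("malformed SSHFP record: %r" % text)
    algo, fptype = int(parts[0]), int(parts[1])
    fp = "".join(parts[2:]).lower()
    bytes.fromhex(fp)                               # rejects non-hex / odd length
    return algo, fptype, fp


def verify_host_key(keytype: str, blob: bytes, records, validated: bool) -> str:
    """Compare a presented host key against an SSHFP RRset.

    validated must be True only when the RRset is DNSSEC-validated, either by
    a resolver you trust (AD bit over a trusted path) or by local signature
    checking. A match in an unvalidated RRset is only a hint: whoever can
    forge the host key on the path can forge the DNS answer just as easily.
    """
    algo = key_algo_number(keytype)
    for rec in records:
        r_algo, r_fptype, r_fp = parse_sshfp(rec)
        if r_algo != algo or r_fptype not in SSHFP_HASH:
            continue                                # other key type / unknown hash
        expected = sshfp_from_key(keytype, blob, r_fptype)[2]
        if hmac.compare_digest(expected, r_fp):     # constant-time compare
            return ACCEPT if validated else HINT
    return NO_MATCH


# Constructed sample data (not a real key): RSA e=65537 and a dummy modulus.
SAMPLE_BLOB = build_key_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xab" * 32)
SAMPLE_RECORD = "%d %d %s" % sshfp_from_key("ssh-rsa", SAMPLE_BLOB)

if __name__ == "__main__":
    print(pubkey_line("ssh-rsa", SAMPLE_BLOB, "host.example"))
    print("SSHFP", SAMPLE_RECORD)
    for validated in (True, False):
        print("validated=%s ->" % validated,
              verify_host_key("ssh-rsa", SAMPLE_BLOB, [SAMPLE_RECORD], validated))
```

The decision table is the security point: a match in an unvalidated RRset gives HINT, which is what ssh does today by still prompting the user, and only a match in a validated RRset returns ACCEPT. Where the `validated` flag comes from is exactly what the patch is about. An AD bit is only evidence if the resolver that set it is one you trust and the path to it cannot be tampered with; on a laptop using whatever DNS the hotspot hands out, that is not the case, so local validation against a configured trust anchor is what turns a record into evidence.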
From: jleu at inoc.com (James R. Leu) Date: Tue, 29 May 2007 11:32:57 -0500 Subject: [RFC][PATCH] Detect and handle PAM changing user name In-Reply-To: <4656108D.80007@zip.com.au> References: <20070524191831.GC12756@inoc.com> <4656108D.80007@zip.com.au> Message-ID: <20070529163253.GB3002@inoc.com> On Fri, May 25, 2007 at 08:24:13AM +1000, Darren Tucker wrote: > James R. Leu wrote: > > I've implemented a patch to openssh which allows the PAM auth layer > > to detect if the PAM stack has changed the user name and then adjusts > > its internal data structures accordingly. (imagine a PAM stack that > > uses individual credentials to authenticate, but assigns the user to > > a role account). > > > > First, is the openssh community interested in this patch? > > Maybe. I'm not convinced it's the right thing to do, though. I'm re-posting an updated patch. This one has a run-time option to enable the patched behavior: PermitPAMUserChange > > Second, if there is interest in the patch, how do I go about > > submitting the patch for formal review? > > Attach it to http://bugzilla.mindrot.org/show_bug.cgi?id=1215, but from > a brief look it appears your patch is a subset of the one already there > (which also handles the case where the user doesn't exist on the system, > normally this would get the login marked as invalid). I would agree that the functionality I've implemented is a subset of one of these patches. > > Third, regardless of interest by the openssh community, is there > > anyone willing to review this code for me? > > > > PS I've tested the code path going through sshpam_auth_passwd(), > > but do not know how to test the code path that goes through sshpam_thread(). > > Use ChallengeResponseAuthentication. Thank you. I tested with this and my code does not work in this mode. I theorize it is because any changes made in sshpam_thread are not seen by the rest of sshd. I think I need some additional assistance from someone with more knowledge of the monitor code. 
First, I need to know if my theory is correct. If so, where and how would the correct change be made (someplace in monitor_child_postauth or monitor_sync?) For now I've attached my patch to bugzilla 1215 > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. -- James R. Leu jleu at inoc.com INOC -> http://inoc.com/ DELIVERING UPTIME -------------- next part -------------- diff -uNr openssh-4.6p1/auth-pam.c openssh-4.6p1.jleu2/auth-pam.c --- openssh-4.6p1/auth-pam.c 2006-09-16 20:57:47.000000000 -0500 +++ openssh-4.6p1.jleu2/auth-pam.c 2007-05-29 11:12:45.000000000 -0500 @@ -334,6 +334,40 @@ #endif } +static +int sshpam_handle_user_change(pam_handle_t *sshpam_handle, Authctxt *authctxt) +{ + const char *pam_user; + const char **ptr_pam_user = &pam_user; + + error("PAM: sshpam_handle_user_change enter"); + + if (pam_get_item(sshpam_handle, PAM_USER, + (sshpam_const void **)ptr_pam_user) != PAM_SUCCESS) + return PAM_AUTH_ERR; + + if (strcmp(authctxt->user, pam_user)) { + char *user = strdup(pam_user); + struct passwd *pw; + + if (!user) + return PAM_AUTH_ERR; + + if (!(pw = getpwnamallow(user))) { + free(user); + return PAM_AUTH_ERR; + } + + free(authctxt->pw); + authctxt->pw = pw; + free(authctxt->user); + authctxt->user = user; + error("PAM: sshpam_handle_user_change user changed to %s", user); + } + error("PAM: sshpam_handle_user_change exit"); + return PAM_SUCCESS; +} + /* * Conversation function for authentication thread. */ 
@@ -469,6 +503,20 @@ if (sshpam_err != PAM_SUCCESS) goto auth_fail; + if (options.permit_pam_user_change) { + /* + * this should work, but it doesn't. The monitor hands + * us a copy of the authctx and never copies the results + * back to the _real_ authctx. So the following call + * does all the right stuff to sshpam_authctxt, but no + * one is ever going to see it. + */ + sshpam_err = sshpam_handle_user_change(sshpam_handle, + sshpam_authctxt); + if (sshpam_err != PAM_SUCCESS) + goto auth_fail; + } + if (compat20) { if (!do_pam_account()) { sshpam_err = PAM_ACCT_EXPIRED; @@ -1206,15 +1254,25 @@ sshpam_err = pam_authenticate(sshpam_handle, flags); sshpam_password = NULL; - if (sshpam_err == PAM_SUCCESS && authctxt->valid) { - debug("PAM: password authentication accepted for %.100s", - authctxt->user); - return 1; - } else { + if (!(sshpam_err == PAM_SUCCESS && authctxt->valid)) { debug("PAM: password authentication failed for %.100s: %s", authctxt->valid ? authctxt->user : "an illegal user", pam_strerror(sshpam_handle, sshpam_err)); return 0; } + + if (options.permit_pam_user_change) { + sshpam_err = sshpam_handle_user_change(sshpam_handle, + sshpam_authctxt); + if (sshpam_err != PAM_SUCCESS) { + debug("PAM: failure checking for user change: %s", + pam_strerror(sshpam_handle, sshpam_err)); + return 0; + } + } + + debug("PAM: password authentication accepted for %.100s", + authctxt->user); + return 1; } #endif /* USE_PAM */ diff -uNr openssh-4.6p1/servconf.c openssh-4.6p1.jleu2/servconf.c --- openssh-4.6p1/servconf.c 2007-03-01 04:31:29.000000000 -0600 +++ openssh-4.6p1.jleu2/servconf.c 2007-05-29 11:13:45.000000000 -0500 @@ -56,6 +56,7 @@ /* Portable-specific options */ options->use_pam = -1; + options->permit_pam_user_change = -1; /* Standard Options */ options->num_ports = 0; 
@@ -130,6 +131,8 @@ /* Portable-specific options */ if (options->use_pam == -1) options->use_pam = 0; + if (options->permit_pam_user_change == -1) + options->permit_pam_user_change = 0; /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) @@ -269,7 +272,7 @@ typedef enum { sBadOption, /* == unknown option */ /* Portable-specific options */ - sUsePAM, + sUsePAM, sPermitPAMUserChange, /* Standard Options */ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, @@ -309,8 +312,10 @@ /* Portable-specific options */ #ifdef USE_PAM { "usepam", sUsePAM, SSHCFG_GLOBAL }, + { "permitpamuserchange", sPermitPAMUserChange, SSHCFG_GLOBAL } #else { "usepam", sUnsupported, SSHCFG_GLOBAL }, + { "permitpamuserchange", sUnsupported, SSHCFG_GLOBAL } #endif { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, /* Standard Options */ @@ -662,6 +667,10 @@ intptr = &options->use_pam; goto parse_flag; + case sPermitPAMUserChange: + intptr = &options->permit_pam_user_change; + goto parse_flag; + /* Standard Options */ case sBadOption: return -1; diff -uNr openssh-4.6p1/servconf.h openssh-4.6p1.jleu2/servconf.h --- openssh-4.6p1/servconf.h 2007-02-19 05:25:38.000000000 -0600 +++ openssh-4.6p1.jleu2/servconf.h 2007-05-29 11:12:45.000000000 -0500 @@ -137,6 +137,7 @@ char *adm_forced_command; int use_pam; /* Enable auth via PAM */ + int permit_pam_user_change; /* Allow PAM to change user name */ int permit_tun; diff -uNr openssh-4.6p1/sshd_config openssh-4.6p1.jleu2/sshd_config --- openssh-4.6p1/sshd_config 2006-07-23 23:06:47.000000000 -0500 +++ openssh-4.6p1.jleu2/sshd_config 2007-05-29 11:14:36.000000000 -0500 
@@ -80,6 +80,10 @@ # and ChallengeResponseAuthentication to 'no'. #UsePAM no +# Set to 'yes' to allow the PAM stack to change the user name during +# calls to authentication +#PermitPAMUserChange no + #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no diff -uNr openssh-4.6p1/sshd_config.5 openssh-4.6p1.jleu2/sshd_config.5 --- openssh-4.6p1/sshd_config.5 2007-03-06 04:21:18.000000000 -0600 +++ openssh-4.6p1.jleu2/sshd_config.5 2007-05-29 11:12:45.000000000 -0500 @@ -820,6 +820,12 @@ as a non-root user. The default is .Dq no . +.It Cm PermitPAMUserChange +If set to +.Dq yes +this will enable PAM authentication to change the name of the user being +authenticated. The default is +.Dq no . .It Cm UsePrivilegeSeparation Specifies whether .Xr sshd 8 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20070529/9a371ed2/attachment-0001.bin
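Review bot: in the auth-pam.c `@@ -334,6 +334,40 @@` hunk, the three `error("PAM: sshpam_handle_user_change ...")` calls are trace output but are emitted at LOG_ERR on every password authentication; make the enter/exit ones debug2() or drop them, and keep at most a verbose()/logit() for the actual change of user, which is an event an administrator does want to see, with both the presented and the granted name in it. The `static` and `int` split over two lines is not this file's style. The pwcopy() leak raised against the first version is unchanged: `free(authctxt->pw)` frees the struct but not its xstrdup()'d members, so a pwfree() is still needed.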
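Review bot: in the `@@ -469,6 +503,20 @@` hunk the comment itself says the call has no effect because sshpam_thread() works on a copy of the authctxt that is never copied back. Shipping an option that silently does nothing for ChallengeResponseAuthentication is worse than not supporting that path: an administrator who enables PermitPAMUserChange and tests only with PasswordAuthentication would believe role mapping is enforced everywhere. Either make the thread hand the new PAM_USER back to the parent in its success message so that the parent, which owns the real authctxt, does getpwnamallow() and the swap, or, until that exists, make this path fail authentication when the option is set and PAM reports a PAM_USER different from authctxt->user, and document the limitation.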
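Review bot: in the `@@ -1206,15 +1254,25 @@` hunk sshpam_handle_user_change() is now called with the global `sshpam_authctxt`, while the first version passed the function's own `authctxt` parameter; the two normally point at the same object because sshpam_init() stores it, but a function that is handed an authctxt should operate on that one, and the debug line right below already uses `authctxt->user`. Splitting the failure handling out of the success condition is an improvement over the first version, but the PermitRootLogin concern raised there still applies: auth_password() checks `pw_uid == 0` before calling into PAM, so a mapping to uid 0 here is not subject to PermitRootLogin; refuse it or re-check.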
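Review bot: in the servconf.c `@@ -309,8 +312,10 @@` hunk both added initialisers lack the trailing comma: `{ "permitpamuserchange", sPermitPAMUserChange, SSHCFG_GLOBAL }` is followed, after the `#endif`, directly by `{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },`, so the keywords table does not compile in either the USE_PAM or the non-PAM build. Add the comma to both new lines.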
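Review bot: in the sshd_config.5 hunk the description should say what the option actually does rather than that it "enables PAM authentication to change the name": with it set, the account granted is whatever PAM returns as PAM_USER after authentication, that account is still subject to AllowUsers, DenyUsers and the other checks done by the normal user lookup, and at present the change only takes effect for PasswordAuthentication, not for ChallengeResponseAuthentication (see the comment in the sshpam_thread() hunk). An operator needs those three facts to judge whether to turn it on. The same applies in shorter form to the comment added to sshd_config, where "during calls to authentication" should read "during authentication".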