From: maniac.nl at gmail.com (Mark Janssen)
Date: Wed, 30 Jun 2010 16:00:41 +0200
Subject: sshd

On Wed, Jun 30, 2010 at 6:44 AM, Angus Thorn wrote:
> Hi
>
> Don't know if it's possible, can't find any info on the net, but I wanted
> to stop my sshd server from returning authentication failed messages to
> the clients. Example, a person tries to login and the user or password is
> incorrect, I don't want the server to say 'Received disconnect from IP Too
> many authentication failures for user'. Just return nothing as if it's not
> there.

Looks to me to be a bit useless, as the server already responded by issuing
an SSH banner, negotiated encryption, negotiated acceptable methods of
authentication.

You could probably just use something like denyhosts, which will block that
IP from connecting on its next attempt. Which will be done before the SSH
banner is printed, so it will appear to be completely gone/not there.

-- 
Mark Janssen -- maniac(at)maniac.nl -- pgp: 0x357D2178
Unix / Linux Open-Source and Internet Consultant @ Snow.nl
Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl
Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet

From: customercare at tcpwave.com (TCPWave Customer Care)
Date: Wed, 30 Jun 2010 15:05:56 -0400
Subject: PAM Module:Openssh and Tacacs+ Question
Message-ID: <1277924756.6622.242.camel@twcdns>

Hi,

I am trying to get OpenSSH 5.5p1 to work with TACACS+. I have the TACACS+
PAM module compiled on Ubuntu. I have compiled SSH --with-pam.

When the user is defined in /etc/passwd, the SSH authentication to the
TACACS+ server takes place successfully. If I REMOVE the user from
/etc/passwd, OpenSSH sends a string called INCORRECT to the TACACS+ server
and it denies authentication. I am trying not to have a local definition of
the user in /etc/passwd.

I have the following lines in my /etc/pam.d/sshd:

  auth sufficient /lib/security/pam_tacplus.so debug server=x.x.x.x secret=xxxxxx encrypt login=chap prompt=Enter_TACACS_Password: first_hit
  auth required   /lib/security/pam_unix_auth.so use_first_pass

I looked at the source code of openssh 5.5p1. auth-pam.c has this:

  badpw[] = "\b\n\r\177INCORRECT";

When the user is deleted from /etc/passwd SSH complains saying:

  sshd: error: PAM: user not known to the underlying authentication module for illegal user **** from *****
  sshd: Failed Keyboard-interactive/pam for invalid user ***** from ***** port ***** ssh2
  sshd: PAM_SM_authenticate: called pam_tacplus v1.3.2
  sshd: pam_SM_authenticate: user [******] obtained
  sshd: tacacs_get_password: called

--> debugging revealed that it sent "\b\n\r\177INCORRECT" to TACACS+

How can I make SSH use the pam_tacplus module and not look at /etc/passwd
or LDAP?

http://sourceforge.net/projects/tacplus/ has the TACACS+ module source.

Thanks in advance.

Ajay

From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 30 Jun 2010 17:41:58 -0400
Subject: PAM Module:Openssh and Tacacs+ Question
In-Reply-To: <1277924756.6622.242.camel@twcdns>
References: <1277924756.6622.242.camel@twcdns>
Message-ID: <4C2BBA26.8050302@fifthhorseman.net>

On 06/30/2010 03:05 PM, TCPWave Customer Care wrote:
> I am trying to get Openssh 5.5p1 to work with TACACS+. I have the TACACS
> + PAM module compiled on Ubuntu. I have compiled SSH --with-pam.

I think you need to consider both PAM (for authentication) and the name
service switch (for directory lookup).

Is it possible that your system does not know about the user with the given
name? For example, if you are trying to log in as "test0", does your system
have a numeric ID to associate with that user? If not, ssh won't know how
to switch to it.

Usually, if you don't want to add the account explicitly to /etc/passwd
(and the other associated UNIX system files) this is done by using a name
service switch (NSS) extension, such as libnss-ldap, NIS+, etc. But you
have said you don't want to use LDAP either. Is there a libnss TACACS+? Are
you using it?

Most modern GNU/Linux systems support getent(1). What happens if you run:

  getent passwd test0

(assuming the user you're trying is test0)? This should return a "virtual"
line you'd expect to see in /etc/passwd (though its source might actually
be from some NSS plugin). If the result is an empty string (and the return
code is anything other than 0), then no such user account is available. In
that case, it doesn't matter whether PAM authentication works, because sshd
has no account to switch to once the login is completed anyway.

hth,

--dkg

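An added example, not part of this thread and not OpenSSH code, that performs the check dkg describes from C: getpwnam_r(3) walks the same NSS sources as "getent passwd NAME", so its answer says whether sshd would have a uid to switch to, independently of whether pam_tacplus accepts the password. It also keeps "no such account" apart from "the backend failed", the distinction behind getent's exit codes (0 found, 2 not found, other on error), which matters when the directory behind NSS is unreachable and every user suddenly looks "invalid". The names test0 and no-such-user-zz9 are constructed for the demo.

```c
/* Added example, not from the thread or OpenSSH: the NSS account lookup
 * sshd needs after PAM says yes. Same sources as "getent passwd NAME". */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

enum lookup_result {
    ACCOUNT_FOUND = 0,    /* getent would print a line and exit 0 */
    LOOKUP_FAILED = 1,    /* a backend failed (directory down, ERANGE, ...) */
    ACCOUNT_MISSING = 2   /* getent exits 2: key not found in any source */
};

/* Resolve NAME through every NSS source in /etc/nsswitch.conf. Fills *pw on
 * ACCOUNT_FOUND; buf backs the string fields. An unreachable LDAP or
 * TACACS+ NSS server must not be reported as "user does not exist". */
enum lookup_result lookup_account(const char *name, struct passwd *pw,
                                  char *buf, size_t buflen)
{
    struct passwd *result = NULL;
    int rc = getpwnam_r(name, pw, buf, buflen, &result);
    /* POSIX: rc == 0 with result == NULL means not found. glibc may also
     * report ENOENT or ESRCH for the same condition. */
    if (rc == 0 && result == NULL)
        return ACCOUNT_MISSING;
    if (rc == ENOENT || rc == ESRCH)
        return ACCOUNT_MISSING;
    if (rc != 0) {
        errno = rc;
        return LOOKUP_FAILED;
    }
    return ACCOUNT_FOUND;
}

/* The numeric uid sshd would setuid() to, or -2 if the account is unknown
 * and -1 if the lookup itself failed. */
long resolve_uid(const char *name)
{
    struct passwd pw;
    char buf[4096];
    switch (lookup_account(name, &pw, buf, sizeof buf)) {
    case ACCOUNT_FOUND:   return (long)pw.pw_uid;
    case ACCOUNT_MISSING: return -2;
    default:              return -1;
    }
}

/* Print what "getent passwd NAME" would print; return its exit code. */
int print_getent_line(const char *name)
{
    struct passwd pw;
    char buf[4096];
    enum lookup_result r = lookup_account(name, &pw, buf, sizeof buf);
    if (r == ACCOUNT_FOUND)
        printf("%s:x:%u:%u::%s:%s\n", pw.pw_name,
               (unsigned)pw.pw_uid, (unsigned)pw.pw_gid,
               pw.pw_dir ? pw.pw_dir : "", pw.pw_shell ? pw.pw_shell : "");
    else if (r == ACCOUNT_MISSING)
        fprintf(stderr, "%s: no such account in any NSS source\n", name);
    else
        fprintf(stderr, "%s: NSS lookup failed: %s\n", name, strerror(errno));
    return (int)r;
}

int main(int argc, char **argv)
{
    /* "test0" is a constructed demo name; pass a real one as argv[1]. */
    const char *name = argc > 1 ? argv[1] : "test0";
    return print_getent_line(name);
}
```

Run it as root's shell user on the box in question with the login name you are testing; an exit status of 2 reproduces dkg's point that PAM never gets a chance to matter, while 1 indicates the NSS backend itself is failing.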
From: jaf at meyersound.com (Jeremy Friesner)
Date: Wed, 30 Jun 2010 16:06:20 -0700
Subject: Possible feature request: sync_on_close mode for scp/sftp uploads

Hi all,

First, my apologies if this is not the right forum for this... if there is a
more appropriate place to make OpenSSH feature requests, or if this feature
already exists, please let me know.

Some background: My company makes an 'embedded' audio server box that runs
Debian Linux, and one of the product's features is that users can upload
files to the server via SSH, using their favorite SSH-compatible
file-transfer program (e.g. command-line scp/sftp, CyberDuck, WinSCP, PSCP,
etc).

That works fine, but one issue we have is that this box needs to be robust
in the face of uncontrolled shut-downs: in particular, since it is a
headless "black box", our users expect to be able to just cut power to the
box, without logging in and executing a "/sbin/shutdown -h now" first. If
they cut power soon after completing an scp/sftp upload, however, they often
find that the last of their uploaded files end up truncated, because some of
the uploaded data was cached in RAM and never got flushed to the disk before
the power was cut.

I know one possible solution to this problem would be to mount the
filesystems with the "sync" flag, so that all writes to the filesystem would
be done synchronously. However, I'm hesitant to do that because there are
other processes running on the box (e.g. real-time audio recording) whose
performance might be adversely affected by forcing every write() call to be
synchronous.

Given that, my question is: is there an option (or can an option be added)
to force sshd to call fsync() on its uploaded files' file descriptors just
before it calls close() on them? That way when an scp/sftp upload completes,
our users could be reasonably certain that all the uploaded data would make
it onto the disk in the next second or two.

Perhaps a "sync_on_close" keyword in the /etc/sshd_config file would
activate this behavior? (I don't think it should be active by default, since
that could unnecessarily affect performance in use cases where uncontrolled
server shutdowns are not an issue.)

Thanks for your time,

Jeremy Friesner
Meyer Sound Laboratories Inc.

From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Wed, 30 Jun 2010 18:04:04 -0700
Subject: Possible feature request: sync_on_close mode for scp/sftp uploads
Message-ID: <20100701010404.GC14083@linux55.nas.nasa.gov>

On Wed, Jun 30, 2010 at 18:06:20 -0500, Jeremy Friesner wrote:
> Hi all,
>
> First, my apologies if this is not the right forum for this... if there
> is a more appropriate place to make OpenSSH feature requests, or if this
> feature already exists, please let me know.
>
> Some background: My company makes an 'embedded' audio server box that
> runs Debian Linux, and one of the product's features is that users can
> upload files to the server via SSH, using their favorite SSH-compatible
> file-transfer program (e.g. command-line scp/sftp, CyberDuck, WinSCP,
> PSCP, etc).
>
> That works fine, but one issue we have is that this box needs to be
> robust in the face of uncontrolled shut-downs: in particular, since it is
> a headless "black box", our users expect to be able to just cut power to
> the box, without logging in and executing a "/sbin/shutdown -h now"
> first. If they cut power soon after completing an scp/sftp upload,
> however, they often find that the last of their uploaded files end up
> truncated, because some of the uploaded data was cached in RAM and never
> got flushed to the disk before the power was cut.
>
> I know one possible solution to this problem would be to mount the
> filesystems with the "sync" flag, so that all writes to the filesystem
> would be done synchronously. However, I'm hesitant to do that because
> there are other processes running on the box (e.g. real-time audio
> recording) whose performance might be adversely affected by forcing every
> write() call to be synchronous.
>
> Given that, my question is: is there an option (or can an option be
> added) to force sshd to call fsync() on its uploaded files' file
> descriptors just before it calls close() on them? That way when an
> scp/sftp upload completes, our users could be reasonably certain that all
> the uploaded data would make it onto the disk in the next second or two.
> Perhaps a "sync_on_close" keyword in the /etc/sshd_config file would
> activate this behavior? (I don't think it should be active by default,
> since that could unnecessarily affect performance in use cases where
> uncontrolled server shutdowns are not an issue.)
>
> Thanks for your time,
>
> Jeremy Friesner
> Meyer Sound Laboratories Inc.
>

No such option currently exists. Also, it's scp and sftp-server that would
need to call fsync(), neither of which read the sshd_config.

-- 
Iain Morgan

From: driver at megahappy.net (Bryan Whitehead)
Date: Wed, 30 Jun 2010 18:11:15 -0700
Subject: Possible feature request: sync_on_close mode for scp/sftp uploads

Try something with "Subsystem" in sshd_config. Where you redefine sftp to be
something like "sftp-server && sync".

Might need to embed that in a python/bash/perl script so your subsystem
isn't a bash expression... ;)

On Wed, Jun 30, 2010 at 4:06 PM, Jeremy Friesner wrote:
> Hi all,
>
> First, my apologies if this is not the right forum for this... if there
> is a more appropriate place to make OpenSSH feature requests, or if this
> feature already exists, please let me know.
>
> Some background: My company makes an 'embedded' audio server box that
> runs Debian Linux, and one of the product's features is that users can
> upload files to the server via SSH, using their favorite SSH-compatible
> file-transfer program (e.g. command-line scp/sftp, CyberDuck, WinSCP,
> PSCP, etc).
>
> That works fine, but one issue we have is that this box needs to be
> robust in the face of uncontrolled shut-downs: in particular, since it is
> a headless "black box", our users expect to be able to just cut power to
> the box, without logging in and executing a "/sbin/shutdown -h now"
> first. If they cut power soon after completing an scp/sftp upload,
> however, they often find that the last of their uploaded files end up
> truncated, because some of the uploaded data was cached in RAM and never
> got flushed to the disk before the power was cut.
>
> I know one possible solution to this problem would be to mount the
> filesystems with the "sync" flag, so that all writes to the filesystem
> would be done synchronously. However, I'm hesitant to do that because
> there are other processes running on the box (e.g. real-time audio
> recording) whose performance might be adversely affected by forcing every
> write() call to be synchronous.
>
> Given that, my question is: is there an option (or can an option be
> added) to force sshd to call fsync() on its uploaded files' file
> descriptors just before it calls close() on them? That way when an
> scp/sftp upload completes, our users could be reasonably certain that all
> the uploaded data would make it onto the disk in the next second or two.
> Perhaps a "sync_on_close" keyword in the /etc/sshd_config file would
> activate this behavior? (I don't think it should be active by default,
> since that could unnecessarily affect performance in use cases where
> uncontrolled server shutdowns are not an issue.)
>
> Thanks for your time,
>
> Jeremy Friesner
> Meyer Sound Laboratories Inc.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From: jaf at meyersound.com (Jeremy Friesner)
Date: Wed, 30 Jun 2010 18:59:13 -0700
Subject: Possible feature request: sync_on_close mode for scp/sftp uploads
Message-ID: <88AF92C9-49E3-46D3-B254-4D5372AB6311@meyersound.com>

Hi Bryan,

Many thanks, that works like a charm for sftp sessions... I can't seem to
get it to work for scp uploads though. Is there some nuance that I'm
missing?

For reference, here is what I put at the end of my /etc/ssh/sshd_config
file:

  Subsystem scp /usr/lib/openssh/scp-and-sync
  Subsystem sftp /usr/lib/openssh/sftp-server-and-sync

..... and the output below shows the two bash scripts I added and referenced
above:

  Wild-Tracks-1:~# ls -l /usr/lib/openssh/*sync
  -rwxr-xr-x 1 root root 111 Jul  1 01:50 /usr/lib/openssh/scp-and-sync
  -rwxr-xr-x 1 root root 131 Jul  1 01:50 /usr/lib/openssh/sftp-server-and-sync

  Wild-Tracks-1:~# cat /usr/lib/openssh/sftp-server-and-sync
  #!/bin/sh
  # Log the session, run the real sftp-server with the arguments sshd passed
  # (quoted "$@" keeps them intact), flush the page cache once it exits,
  # and hand sftp-server's exit status back to sshd.
  echo "BEGIN SFTP SESSION!" >>/tmp/sftp_foo
  /usr/lib/openssh/sftp-server "$@"
  rc=$?
  echo "END SFTP SESSION!" >>/tmp/sftp_foo
  sync
  exit $rc

  Wild-Tracks-1:~# cat /usr/lib/openssh/scp-and-sync
  #!/bin/sh
  # Same pattern for scp: log, run the real scp with its arguments, then sync.
  echo "BEGIN SCP SESSION!" >>/tmp/scp_foo
  /usr/bin/scp "$@"
  rc=$?
  echo "END SCP SESSION!" >>/tmp/scp_foo
  sync
  exit $rc

-Jeremy

On Jun 30, 2010, at 6:11 PM, Bryan Whitehead wrote:
> Try something with "Subsystem" in sshd_config. Where you redefine sftp
> to be something like "sftp-server && sync".
>
> Might need to embed that in a python/bash/perl script so your
> subsystem isn't a bash expression... ;)
>
> On Wed, Jun 30, 2010 at 4:06 PM, Jeremy Friesner wrote:
>> Hi all,
>>
>> First, my apologies if this is not the right forum for this... if there
>> is a more appropriate place to make OpenSSH feature requests, or if
>> this feature already exists, please let me know.
>>
>> Some background: My company makes an 'embedded' audio server box that
>> runs Debian Linux, and one of the product's features is that users can
>> upload files to the server via SSH, using their favorite SSH-compatible
>> file-transfer program (e.g. command-line scp/sftp, CyberDuck, WinSCP,
>> PSCP, etc).
>>
>> That works fine, but one issue we have is that this box needs to be
>> robust in the face of uncontrolled shut-downs: in particular, since it
>> is a headless "black box", our users expect to be able to just cut
>> power to the box, without logging in and executing a "/sbin/shutdown -h
>> now" first. If they cut power soon after completing an scp/sftp upload,
>> however, they often find that the last of their uploaded files end up
>> truncated, because some of the uploaded data was cached in RAM and
>> never got flushed to the disk before the power was cut.
>>
>> I know one possible solution to this problem would be to mount the
>> filesystems with the "sync" flag, so that all writes to the filesystem
>> would be done synchronously. However, I'm hesitant to do that because
>> there are other processes running on the box (e.g. real-time audio
>> recording) whose performance might be adversely affected by forcing
>> every write() call to be synchronous.
>>
>> Given that, my question is: is there an option (or can an option be
>> added) to force sshd to call fsync() on its uploaded files' file
>> descriptors just before it calls close() on them? That way when an
>> scp/sftp upload completes, our users could be reasonably certain that
>> all the uploaded data would make it onto the disk in the next second or
>> two. Perhaps a "sync_on_close" keyword in the /etc/sshd_config file
>> would activate this behavior? (I don't think it should be active by
>> default, since that could unnecessarily affect performance in use cases
>> where uncontrolled server shutdowns are not an issue.)
>>
>> Thanks for your time,
>>
>> Jeremy Friesner
>> Meyer Sound Laboratories Inc.
>>

From: david-bronder at uiowa.edu (David Bronder)
Date: Wed, 30 Jun 2010 21:09:00 -0500 (CDT)
Subject: [openssh-unix-dev] Re: Possible feature request: sync_on_close mode for scp/sftp uploads
In-Reply-To: <88AF92C9-49E3-46D3-B254-4D5372AB6311@meyersound.com> from "Jeremy Friesner" at Jun 30, 2010 06:59:13 PM
Message-ID: <201007010209.o61290T7099970@fire.its.uiowa.edu>

Jeremy Friesner wrote:
>
> Many thanks, that works like a charm for sftp sessions... I can't
> seem to get it to work for scp uploads though. Is there some nuance
> that I'm missing?
>
> For reference, here is what I put at the end of my /etc/ssh/sshd_config file:
>
> Subsystem scp /usr/lib/openssh/scp-and-sync
> Subsystem sftp /usr/lib/openssh/sftp-server-and-sync

scp is not a subsystem. For your use case, you'll want to rename the
existing scp to something else (e.g. "scp.bin") and rename your wrapper to
"scp" (in the same location as the original scp).

Note that the workaround for sftp will only work if the SFTP session
completes and the connection is closed. If a file is transferred but the
SFTP session is still open when the power is cut, you won't have the sync
(it won't run until sftp-server exits)...

-- 
Hello World.                                David Bronder - Systems Admin
Segmentation Fault                                ITS-SPA, Univ. of Iowa
Core dumped, disk trashed, quota filled, soda warm.   david-bronder at uiowa.edu

From: carson at taltos.org (Carson Gaspar)
Date: Thu, 01 Jul 2010 00:26:57 -0400
Subject: [openssh-unix-dev] Re: Possible feature request: sync_on_close mode for scp/sftp uploads
In-Reply-To: <201007010209.o61290T7099970@fire.its.uiowa.edu>
References: <201007010209.o61290T7099970@fire.its.uiowa.edu>
Message-ID: <4C2C1911.2070607@taltos.org>

You can also write a simple LD_PRELOAD module to overload close() to also
fsync(), and use it with whichever services you desire.

From: adrya1984 at gmail.com (Adriana Rodean)
Date: Thu, 1 Jul 2010 09:47:47 +0300
Subject: ssh server hangs the port even if client machine shuts down

Hi,

I have the following problem with ssh, hope someone can help me with it:

I have 2 processes of ssh server on the same Linux machine. One of them is
the normal ssh configuration for Linux, the other one starts with a custom
configuration on another port.

From the client I do a remote port forwarding to the custom ssh server:
ssh -R 1037:localhost:55555. After this command, in the ssh server process
list I see:

  sshd 29996 root                             3r IPv4 1310919488 TCP 10.55.41.92:2233->10.55.40.121:2481 (ESTABLISHED)
  sshd 30000 615da7706d6c4babbcd6e6fb867ddab1 3u IPv4 1310919488 TCP 10.55.41.92:2233->10.55.40.121:2481 (ESTABLISHED)
  sshd 30000 615da7706d6c4babbcd6e6fb867ddab1 7u IPv4 1310919539 TCP 127.0.0.1:1037 (LISTEN)
  sshd 30000 615da7706d6c4babbcd6e6fb867ddab1 8u IPv6 1310919540 TCP [::1]:1037 (LISTEN)
  sshd 30000 615da7706d6c4babbcd6e6fb867ddab1 9u IPv4 1310919596 TCP 127.0.0.1:48818->127.0.0.1:http-alt (ESTABLISHED)

Then after a while:

  sshd 29996 root                             3r IPv4 1310919488 TCP 10.55.41.92:2233->10.55.40.121:2481 (ESTABLISHED)
  sshd 30000 615da7706d6c4babbcd6e6fb867ddab1 3u IPv4 1310919488 TCP 10.55.41.92:2233->10.55.40.121:2481 (ESTABLISHED)
  sshd 30000 615da7706d6c4babbcd6e6fb867ddab1 7u IPv4 1310919539 TCP 127.0.0.1:1037 (LISTEN)
  sshd 30000 615da7706d6c4babbcd6e6fb867ddab1 8u IPv6 1310919540 TCP [::1]:1037 (LISTEN)
  sshd 30000 615da7706d6c4babbcd6e6fb867ddab1 9u IPv4 1310919596 TCP 127.0.0.1:48818->127.0.0.1:http-alt (CLOSE_WAIT)

Then after a while:

  sshd 29996 root                             3r IPv4 1310919488 TCP 10.55.41.92:2233->10.55.40.121:2481 (ESTABLISHED)
  sshd 30000 615da7706d6c4babbcd6e6fb867ddab1 3u IPv4 1310919488 TCP 10.55.41.92:2233->10.55.40.121:2481 (ESTABLISHED)
  sshd 30000 615da7706d6c4babbcd6e6fb867ddab1 7u IPv4 1310919539 TCP 127.0.0.1:1037 (LISTEN)
  sshd 30000 615da7706d6c4babbcd6e6fb867ddab1 8u IPv6 1310919540 TCP [::1]:1037 (LISTEN)

When the client shuts down the computer, I noticed that port 1037 is still
listening on the server, but its PID changed. So even when the client
computer is completely shut down => no connection with the ssh server, on
the ssh server I have:

  sshd 32025 root                             3r IPv4 1310943105 TCP 10.55.41.92:2233->10.55.40.121:2485 (ESTABLISHED)
  sshd 32029 615da7706d6c4babbcd6e6fb867ddab1 3u IPv4 1310943105 TCP 10.55.41.92:2233->10.55.40.121:2485 (ESTABLISHED)
  sshd 32029 615da7706d6c4babbcd6e6fb867ddab1 7u IPv4 1310943156 TCP 127.0.0.1:1037 (LISTEN)
  sshd 32029 615da7706d6c4babbcd6e6fb867ddab1 8u IPv6 1310943157 TCP [::1]:1037 (LISTEN)

The problem is that when the client starts the computer again (after
shutdown/restart) it isn't able to connect with the same command:
ssh -R 1037:localhost:55555, because that port is still listening on the
server :( It takes a long time to be able to connect again to the server,
sometimes even 2 hours :(

Why does the port still listen on the server even if no client is connected
to it? (the client PC is shut down)

How can we solve this problem? I want the process with the client port to be
closed when the client shuts down the PC, so the client, after restart, is
able to reconnect with the same command when the PC is up again...

Thank you,

Adriana

From: aris.adamantiadis at belnet.be (Aris Adamantiadis)
Date: Thu, 01 Jul 2010 10:05:40 +0200
Subject: [openssh-unix-dev] Re: Possible feature request: sync_on_close mode for scp/sftp uploads
In-Reply-To: <4C2C1911.2070607@taltos.org>
References: <201007010209.o61290T7099970@fire.its.uiowa.edu> <4C2C1911.2070607@taltos.org>
Message-ID: <4C2C4C54.6070306@belnet.be>

Le 01/07/10 06:26, Carson Gaspar a écrit :
> You can also write a simple LD_PRELOAD module to overload close() to
> also fsync(), and use it with whichever services you desire.

Or even better, edit the sources of scp.c and sftpd.c and add the fsync
thing. It takes 10 minutes at most.

Aris

From: peter at stuge.se (Peter Stuge)
Date: Thu, 1 Jul 2010 13:26:21 +0200
Subject: ssh server hangs the port even if client machine shuts down
Message-ID: <20100701112621.23732.qmail@stuge.se>

Adriana Rodean wrote:
> Why the port still listens on the server even if no client is
> connected to it? (client pc is closed)

Because TCP by design does not know if the other side of the connection has
disappeared when there is no traffic, and SSH does not mandate probing for
it.

In short, the sshd on the server still believes that the client is
connected.

> How can we solve this problem?

Please read the sshd_config manual page, in particular the
ClientAliveCountMax and ClientAliveInterval options.

//Peter

From: jaf at meyersound.com (Jeremy Friesner)
Date: Thu, 1 Jul 2010 10:20:38 -0700
Subject: [openssh-unix-dev] Re: Possible feature request: sync_on_close mode for scp/sftp uploads
In-Reply-To: <201007010209.o61290T7099970@fire.its.uiowa.edu>
References: <201007010209.o61290T7099970@fire.its.uiowa.edu>
Message-ID: <1768B7A3-051F-4384-A13C-CD86F257C5D0@meyersound.com>

On Jun 30, 2010, at 7:09 PM, David Bronder wrote:
> scp is not a subsystem. For your use case, you'll want to rename the
> existing scp to something else (e.g. "scp.bin") and rename your wrapper
> to "scp" (in the same location as the original scp).

Thanks, that works for me. :^)

> Note that the workaround for sftp will only work if the SFTP session
> completes and the connection is closed. If a file is transferred but
> the SFTP session is still open when the power is cut, you won't have
> the sync (it won't run until sftp-server exits)...

I'll keep that in mind. Thanks again!

-Jeremy

From: rick.jones2 at hp.com (Rick Jones)
Date: Thu, 01 Jul 2010 10:00:13 -0700
Subject: Possible feature request: sync_on_close mode for scp/sftp uploads
Message-ID: <4C2CC99D.4040104@hp.com>

Bryan Whitehead wrote:
> Try something with "Subsystem" in sshd_config. Where you redefine sftp
> to be something like "sftp-server && sync".

Sync will (in theory) cause the entire contents of the filecache to be
flushed to disc right?

rick jones
occasionally still goes sync; sync; sync; reboot....

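The fsync-before-close behaviour requested at the top of this thread, as an added example that is not OpenSSH code and was not posted by anyone in the thread. close_durable() is the per-file step an sftp-server close handler, or the LD_PRELOAD close() wrapper Carson suggests, would perform; such a wrapper intercepts every close() in the process, including the SSH channel socket, so it must skip non-regular descriptors rather than fail on them. write_file_durable() shows the complete sequence, including an fsync of the containing directory, which is what makes the new name itself survive a power cut: fsync on the file alone does not cover the directory entry, and a session-end "sync" (which, as Rick notes, flushes the whole cache, and only once sftp-server exits) does nothing for a session still in progress. POSIX only, tested on Linux; the /tmp path and payload in the demo function are constructed for this example.

```c
/* Added example, not OpenSSH code: the fsync-before-close behaviour the
 * thread asks for, as standalone functions. POSIX, tested on Linux. The
 * /tmp path and payload in demo_roundtrip() are constructed for the demo. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* fsync() a regular file, then close it. Sockets, pipes and ttys are closed
 * without fsync: fsync() on them fails with EINVAL, and a wrapper that sees
 * every close() in sftp-server must not turn that into an error. Returns -1
 * with errno set if either step fails; the descriptor is always released. */
int close_durable(int fd)
{
    struct stat st;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && fsync(fd) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return close(fd);
}

/* Write len bytes to dir/name so that both the contents and the directory
 * entry survive a power cut. Returns 0 on success, -1 with errno set. */
int write_file_durable(const char *dir, const char *name,
                       const void *buf, size_t len)
{
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    const char *p = buf;
    while (len > 0) {                     /* write(2) may be short */
        ssize_t n = write(fd, p, len);
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0) {
            int saved = errno;
            close(fd);
            errno = saved;
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    if (close_durable(fd) != 0)           /* file data now on stable storage */
        return -1;
    /* The new name may still exist only in the cached directory block. */
    int dfd = open(dir, O_RDONLY);
    if (dfd < 0)
        return -1;
    int rc = fsync(dfd);
    int saved = errno;
    close(dfd);
    errno = saved;
    return rc;
}

/* Demo/self-check: write a constructed payload into a fresh temp directory
 * and read it back. Returns 1 when the round trip matches, 0 otherwise. */
int demo_roundtrip(void)
{
    static const char payload[] = "constructed sample upload\n";
    char dir[] = "/tmp/durable-XXXXXX";    /* constructed demo path */
    if (mkdtemp(dir) == NULL)
        return 0;
    if (write_file_durable(dir, "upload.bin", payload, sizeof payload - 1) != 0)
        return 0;
    char path[PATH_MAX], back[64];
    snprintf(path, sizeof path, "%s/upload.bin", dir);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, back, sizeof back);
    close(fd);
    unlink(path);
    rmdir(dir);
    return n == (ssize_t)(sizeof payload - 1) &&
           memcmp(back, payload, (size_t)n) == 0;
}

int main(void)
{
    printf("durable round trip: %s\n", demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

An LD_PRELOAD variant would define close() itself, fetch the real one with dlsym(RTLD_NEXT, "close"), and apply the same fstat/S_ISREG guard before calling fsync; the directory fsync cannot be done from such a wrapper, since close() no longer knows the path, which is one reason the patch-the-source route Aris suggests is the cleaner fix.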
From: jones at tacc.utexas.edu (William Jones)
Date: Thu, 1 Jul 2010 16:52:57 -0500
Subject: Possible feature request: sync_on_close mode for scp/sftp uploads
In-Reply-To: <4C2CC99D.4040104@hp.com>
References: <4C2CC99D.4040104@hp.com>

Recalls, stage, have put some pressure on ranch causing about a 3 to 4 hour
delay. I made some changes that will help. We're looking into some changes
that will help the recalls.

Bill Jones

-----Original Message-----
From: openssh-unix-dev-bounces+jones=tacc.utexas.edu at mindrot.org [mailto:openssh-unix-dev-bounces+jones=tacc.utexas.edu at mindrot.org] On Behalf Of Rick Jones
Sent: Thursday, July 01, 2010 12:00 PM
To: Bryan Whitehead
Cc: Jeremy Friesner; openssh-unix-dev at mindrot.org
Subject: Re: Possible feature request: sync_on_close mode for scp/sftp uploads

Bryan Whitehead wrote:
> Try something with "Subsystem" in sshd_config. Where you redefine sftp
> to be something like "sftp-server && sync".

Sync will (in theory) cause the entire contents of the filecache to be
flushed to disc right?

rick jones
occasionally still goes sync; sync; sync; reboot....

From: adrya1984 at gmail.com (Adriana Rodean)
Date: Fri, 2 Jul 2010 09:05:23 +0300
Subject: ssh server hangs the port even if client machine shuts down
In-Reply-To: <20100701112621.23732.qmail@stuge.se>
References: <20100701112621.23732.qmail@stuge.se>

Thank you so much :)

Fixed the problem with:

  ClientAliveInterval 5
  ClientAliveCountMax 2

:)

On Thu, Jul 1, 2010 at 14:26, Peter Stuge wrote:
> Adriana Rodean wrote:
>> Why the port still listens on the server even if no client is
>> connected to it? (client pc is closed)
>
> Because TCP by design does not know if the other side of the
> connection has disappeared when there is no traffic, and SSH
> does not mandate probing for it.
>
> In short, the sshd on the server still believes that the client is
> connected.
>
>
>> How can we solve this problem?
>
> Please read the sshd_config manual page, in particular the
> ClientAliveCountMax and ClientAliveInterval options.
>
>
> //Peter
>

From: isravibe at hotmail.com (k k)
Date: Sat, 3 Jul 2010 11:54:07 +0300
Subject: Outgoing IP of forwarded requests

I have a linux server with 3 public IPs, and I use SSH tunnelling to connect
to each of them. Let's call them: 1.1.1.1 (venet0:0), 1.1.1.2 (venet0:1),
1.1.1.3 (venet0:2).

When I tunnel using 1.1.1.1, the outgoing IP for the public is: 1.1.1.1.
But when I tunnel using 1.1.1.2 or 1.1.1.3, the outgoing IP for the public
is still 1.1.1.1.

I've been googling for days, and tried relevant channels on freenode. I
tried to read the manual but I'm not experienced enough to fully grasp it.

According to the manuals of ss5 (SOCKS5 Server) and squid (HTTP Server),
they're both capable of using the outgoing IP while specifying the inbound
IP route relation.

openssh can't do it? Nor is there an indirect workaround to achieve said
behavior?

I hope my issue is relevant/valid to your ML.

Doori Bar

_________________________________________________________________
Hotmail: Trusted email with powerful SPAM protection.
https://signup.live.com/signup.aspx?id=60969

From: bob at proulx.com (Bob Proulx)
Date: Sat, 3 Jul 2010 15:07:07 -0600
Subject: Outgoing IP of forwarded requests
Message-ID: <20100703210707.GB3533@dementia.proulx.com>

k k wrote:
> I have a linux server with 3 public IPs, and I use SSH tunnelling to
> connect to each of them. Let's call them: 1.1.1.1 (venet0:0),
> 1.1.1.2 (venet0:1), 1.1.1.3 (venet0:2).

Okay. A server with multiple public IP addresses. A common situation.

> When I tunnel using 1.1.1.1, outgoing IP for the public is: 1.1.1.1.
> But when I tunnel using 1.1.1.2 or 1.1.1.3, the outgoing IP for the
> public is still 1.1.1.1.

I don't understand what you are trying to say here. What is the "outgoing
IP"? Are you saying that when you ssh to 1.1.1.2 that the TCP IP packets
returning come from 1.1.1.1? That is what your words say when I read them.
And that doesn't make any sense. Because if so then I suspect that the
connection would fail and you wouldn't be able to complete the connection.
Therefore you must be meaning something else but I can't guess what that
would be.

> According to the manuals of ss5 (SOCKS5 Server) and squid (HTTP
> Server) - they're both capable of using the outgoing IP while
> specifying the inbound IP route relation.

Huh? What? Huh? Of course ssh includes a -D option to support socks port
forwarding. But what does squid have to do with it? Is this related to your
problem? What problem are you having?

> openssh can't do it? nor there's a indirect workaround to achieve
> said behavior?

Can't do what? What are you trying to do? Please just show us the command
that you are running and tell us what it is doing.

Bob

From: alex at alex.org.uk (Alex Bligh)
Date: Sat, 03 Jul 2010 23:38:38 +0100
Subject: Outgoing IP of forwarded requests
In-Reply-To: <20100703210707.GB3533@dementia.proulx.com>
References: <20100703210707.GB3533@dementia.proulx.com>

--On 3 July 2010 15:07:07 -0600 Bob Proulx wrote:
> Can't do what? What are you trying to do? Please just show us the
> command that you are running and tell us what it is doing.

I think what OP is saying is that he is using port forwarding, and he is
expecting that if he ssh's to one IP address on a server, the forwarded
connection will originate from that IP address rather than use the normal
routing table rules.

-- 
Alex Bligh

From: isravibe at hotmail.com (k k)
Date: Sun, 4 Jul 2010 01:34:16 +0300
Subject: Outgoing IP of forwarded requests
In-Reply-To: <20100703210707.GB3533@dementia.proulx.com>
References: <20100703210707.GB3533@dementia.proulx.com>

Hello Bob, thanks for the fast response and sorry for not making much sense.

When I said I was 'tunneling', I meant that I was executing:
"ssh -D 1234 user at 1.1.1.1" on my client (my client is local, where 1.1.1.1
is remote). Then, I would set up my browser proxy, as SOCKS5,
127.0.0.1:1234.

Upon browsing with my local browser, it connects to:
127.0.0.1:1234 -> (SOCKS5) SSH TUNNEL -> 1.1.1.1 -> SSH DAEMON -> Forwarded
requests would use outgoing IP: 1.1.1.1. Which means the websites I visit
see me as: 1.1.1.1.

Now, the problem is, that even if I execute: "ssh -D 1234 user at 1.1.1.2" ...
the outgoing IP which external websites see is still 1.1.1.1. (Now my issue
makes more sense?)

Is it possible to make a relation between the inbound IP, to the outbound IP
while forwarding requests? (inbound 1.1.1.2 -> outbound 1.1.1.2)

---

Now not directly related... I have a squid http proxy, which listens on all
the public IPs. When I set my browser to use 1.1.1.1 as my http proxy,
external websites see me as: 1.1.1.1. While setting 1.1.1.2 as the proxy,
external websites see me as: 1.1.1.2. I achieved this behavior by the
configuration:

  # TAG: tcp_outgoing_address
  # Allows you to map requests to different outgoing IP addresses based on
  # the username or source address of the user making the request.

I failed to find anything similar under the ssh daemon configurations. Does
such a configuration exist?

Again, I very much appreciate your help,

Doori Bar

From: djm at mindrot.org (Damien Miller) Date: Sun, 4 Jul 2010 09:26:05 +1000 (EST) Subject: Outgoing IP of forwarded requests In-Reply-To: References: Message-ID: On Sat, 3 Jul 2010, k k wrote: > > I have a linux server with 3 public IPs, and I use SSH tunnelling to connect to each of them. > Let's call them: 1.1.1.1 (venet0:0), 1.1.1.2 (venet0:1), 1.1.1.3 (venet0:2). > > When I tunnel using 1.1.1.1, outgoing IP for the public is: 1.1.1.1. > But when I tunnel using 1.1.1.2 or 1.1.1.3, the outgoing IP for the > public is still 1.1.1.1. > > I've been googling for days, and tried relevant channels on freenode. > I tried to read the manual but I'm not experienced enough to fully > grasp it. > > According to the manuals of ss5 (SOCKS5 Server) and squid (HTTP > Server) - they're both capable of using the outgoing IP while > specifying the inbound IP route relation. > > openssh can't do it? No, there is no scope in the protocol to specify the bind addresses of outgoing port-forward connections. If you want to add one, you will probably have to add a PortForwardBindAddress option to the client and/or server. > nor is there an indirect workaround to achieve said > behavior? You could possibly use NAT or policy routing rules. -d From dkg at fifthhorseman.net Sun Jul 4 13:40:33 2010 
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Sat, 03 Jul 2010 23:40:33 -0400 Subject: LPK integration - summary and ideas In-Reply-To: <195922799.689511276178622300.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com> References: <195922799.689511276178622300.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com> Message-ID: <4C3002B1.3090807@fifthhorseman.net> On 06/10/2010 10:03 AM, Jan Chadima wrote: > please look at > https://bugzilla.mindrot.org/show_bug.cgi?id=1663 > there is a patch solving the above requests > + some ldap backend also A group of monkeysphere developers just reviewed the patchset associated with 1663. It appears to handle modular key-based authentication from the server's perspective (that is, allowing the server to authorize the connecting users, but not the other way around). This is good, and we're happy to see it. We noticed a few concerns about the code, and provided an updated patchset along with an explanation about our changes in the comments on the bz issue. I'd be happy to get feedback on the proposed changes. It would be great to get this functionality folded into OpenSSH if possible, though I think the LDAP and monkeysphere authorization backends should be distributed separately from OpenSSH. Regards, --dkg From alex at alex.org.uk Sun Jul 4 18:01:23 2010 
From: alex at alex.org.uk (Alex Bligh) Date: Sun, 04 Jul 2010 09:01:23 +0100 Subject: Outgoing IP of forwarded requests In-Reply-To: References: Message-ID: <586936146311C2C3083C1912@nimrod.local> --On 4 July 2010 09:26:05 +1000 Damien Miller wrote: >> According to the manuals of ss5 (SOCKS5 Server) and squid (HTTP >> Server) - they're both capable of using the outgoing IP while >> specifying the inbound IP route relation. >> >> openssh can't do it? > > No, there is no scope in the protocol to specify the bind addresses of > outgoing port-forward connections. If you want to add one, you will > probably have to add a PortForwardBindAddress option to the client and/or > server. Even if you did this, I think the OP would also need to run 3 ssh daemons each bound to one address, each with the different option in. A workaround would be to run (e.g.) 3 x kvm instances plus NAT, each running sshd and each seeing a single network interface. -- Alex Bligh From peter at stuge.se Sun Jul 4 18:34:46 2010 From: peter at stuge.se (Peter Stuge) Date: Sun, 4 Jul 2010 10:34:46 +0200 Subject: Outgoing IP of forwarded requests In-Reply-To: <586936146311C2C3083C1912@nimrod.local> References: <586936146311C2C3083C1912@nimrod.local> Message-ID: <20100704083446.2618.qmail@stuge.se> Alex Bligh wrote: >> add a PortForwardBindAddress option > > Even if you did this, I think the OP would also need to run 3 ssh > daemons each bound to one address, each with the different option in. Make sure it works with Match, and can match on the sshd-local IP address for the session. //Peter From alex at alex.org.uk Sun Jul 4 18:42:50 2010 
From: alex at alex.org.uk (Alex Bligh) Date: Sun, 04 Jul 2010 09:42:50 +0100 Subject: Outgoing IP of forwarded requests In-Reply-To: <20100704083446.2618.qmail@stuge.se> References: <586936146311C2C3083C1912@nimrod.local> <20100704083446.2618.qmail@stuge.se> Message-ID: --On 4 July 2010 10:34:46 +0200 Peter Stuge wrote: > Alex Bligh wrote: >>> add a PortForwardBindAddress option >> >> Even if you did this, I think the OP would also need to run 3 ssh >> daemons each bound to one address, each with the different option in. > > Make sure it works with Match, and can match on the sshd-local IP > address for the session. Ah yes, far better idea. -- Alex Bligh From moloney.brendan at gmail.com Wed Jul 7 11:28:20 2010 
From: moloney.brendan at gmail.com (Brendan Moloney) Date: Tue, 6 Jul 2010 18:28:20 -0700 Subject: scp forces original access permissions when owner lacks write access Message-ID: Hello, I am not sure if this is a bug or a feature... When I use scp to copy a file to a filesystem which forces or masks permissions on new files (in my case a samba share) the resulting permissions depend on whether the owner had write access in the original permissions. If the owner did have write access then the copied file ends up with the permissions specified by the filesystem. If the owner did not have write access then scp performs a chmod command after copying the data so that the copied file ends up with the original permissions. For example if I have mounted /samba_share which masks new file permissions with 440 on the machine remote_machine: $ touch testfile1 testfile2 $ chmod u-w testfile2 $ ls -l -rw-r--r-- 1 someuser somegroup 0 Jul 6 18:04 testfile1 -r--r--r-- 1 someuser somegroup 0 Jul 6 18:04 testfile2 $ scp testfile* remote_machine:/samba_share $ ssh remote_machine 'ls -l /samba_share' -r--r----- 1 someuser somegroup 0 Jul 6 18:10 testfile1 -r--r--r-- 1 someuser somegroup 0 Jul 6 18:10 testfile2 It seems like the permissions should only be preserved if the -p flag is used. However I am not sure if there is some other case where this is the desired behavior. Thanks for your time, Brendan Moloney From ouchet.florent at laposte.net Wed Jul 7 20:10:47 2010 
From: ouchet.florent at laposte.net (Florent Ouchet) Date: Wed, 7 Jul 2010 12:10:47 +0200 (CEST) Subject: ssh client and privileged ports Message-ID: <31059902.244659.1278497447070.JavaMail.www@wwinf8211> Hello, The ssh client checks for privileged ports when a local forward is about to be set. This is done in readconf.c's function "add_local_forward": if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0) fatal("Privileged ports can only be forwarded by root."); The constant IPPORT_RESERVED is system wide and fixed at make time. This test is not compatible with local and dynamic strategies such as authbind. I would like a non-privileged user (uid!=0) to be able to forward a local port, such as 443. Authbind is correctly set up on my Linux box: "$ uptime | authbind nc 127.0.0.1 -l 443" runs smoothly. But "$ authbind ssh -L 443:someserver:443 ..." does not because of the previous check. IMO the check should not be done when parsing the argument of the ssh client. The client should die when the port opening fails. I've not reported the bug/compatibility issue yet; I would like some feedback from OpenSSH developers first. Regards, - Florent Ouchet From jpp1 at frws.com Sun Jul 11 04:07:04 2010 
From: jpp1 at frws.com (JPP) Date: Sat, 10 Jul 2010 12:07:04 -0600 Subject: internal-sftp and logging not working with Fedora and chroot using 5.5? Message-ID: <20100710175432.M10603@frws.com> Hope ya'all can help! Been reading and reading, and adjusting... to no avail. We need to have chroot'd SFTP activities logged on a file server and for whatever reason, I simply cannot get it to log with users that are chroot'd (this is necessary for auditing and HIPAA - so it is pretty important) I have tried with Fedora 11/12 and even an older Fedora 8 server, the same results: 1. We can log ALL activities for users on SFTP when **not** chroot'd 2. As soon as I re-enable chroot'd settings in sshd_config, those users are only logged as far as login is concerned, nothing else. And that goes to the /var/log/secure log and NOT /var/log/messages as it does when they are not chroot'd We are using OpenSSH Portable 5.5p1 freshly compiled. And various Fedora versions from 8, to 11 and 12. Using syslog and rsyslog. Pertinent sshd_config settings: # tried with both lower case and upper case, same (should not matter) Subsystem sftp internal-sftp -f AUTH -l VERBOSE # Example of overriding settings on a per-user basis Match Group sftponly ChrootDirectory %h X11Forwarding no AllowTcpForwarding no ForceCommand internal-sftp -f AUTH -l VERBOSE #### From /etc/rsyslog.conf *.info;mail.none;authpriv.none;cron.none;auth.* /var/log/messages ##### Any suggestions would be helpful and VERY appreciated. Nothing I have touched has changed the way it's logging - without chroot logging is perfect, with chroot, logging stops. Have not tried the use of logging sockets - BUT from what I have read, these should not be necessary with the newer OpenSSH 5.x versions and this is the newest one, so did not want to head down that trail (yet). Thank you in Advance... JPP -- FRWS WebMail (http://www.frws.com) Cause you deserve Spam and Virus free email... From peter at stuge.se Sun Jul 11 07:22:28 2010 
From: peter at stuge.se (Peter Stuge) Date: Sat, 10 Jul 2010 23:22:28 +0200 Subject: internal-sftp and logging not working with Fedora and chroot using 5.5? In-Reply-To: <20100710175432.M10603@frws.com> References: <20100710175432.M10603@frws.com> Message-ID: <20100710212228.13881.qmail@stuge.se> JPP wrote: > I simply cannot get it to log with users that are chroot'd --8<-- sshd_config ChrootDirectory .. The ChrootDirectory must contain the necessary files and directories to support the user's session. For an interactive session this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices. For file transfer sessions using “sftp”, no additional configuration of the environment is necessary if the in-process sftp server is used, though sessions which use logging do require /dev/log inside the chroot directory (see sftp-server(8) for details). -->8-- //Peter From dave at deezee.org Tue Jul 13 19:14:38 2010 
From: dave at deezee.org (Dave Saville) Date: Tue, 13 Jul 2010 10:14:38 +0100 (BST) Subject: Trying to compile 5.5p1 Message-ID: <000.988708007e2e3c4c.004@deezee.org> Hi I am trying to compile 5.5p1 for OS/2 ECS. But I am hitting an error on configure: configure:3484: checking whether byte ordering is bigendian configure:3517: gcc -c -D__EMX__ -DOS2 -D__ST_MT_ERRNO__ -O3 -mcpu=pentium3 conftest.c >&5 configure:3523: $? = 0 configure:3555: gcc -c -D__EMX__ -DOS2 -D__ST_MT_ERRNO__ -O3 -mcpu=pentium3 conftest.c >&5 conftest.c: In function `main': conftest.c:25: error: `not' undeclared (first use in this function) conftest.c:25: error: (Each undeclared identifier is reported only once conftest.c:25: error: for each function it appears in.) conftest.c:25: error: parse error before "big" configure:3561: $? = 1 configure: failed program was: | /* confdefs.h. */ | #define PACKAGE_NAME "OpenSSH" | #define PACKAGE_TARNAME "openssh" | #define PACKAGE_VERSION "Portable" | #define PACKAGE_STRING "OpenSSH Portable" | #define PACKAGE_BUGREPORT "openssh-unix-dev at mindrot.org" | #define STDC_HEADERS 1 | #define HAVE_SYS_TYPES_H 1 | #define HAVE_SYS_STAT_H 1 | #define HAVE_STDLIB_H 1 | #define HAVE_STRING_H 1 | #define HAVE_MEMORY_H 1 | #define HAVE_STRINGS_H 1 | #define HAVE_INTTYPES_H 1 | #define HAVE_STDINT_H 1 | #define HAVE_UNISTD_H 1 | /* end confdefs.h. */ | #include | #include | | int | main () | { | #if BYTE_ORDER != BIG_ENDIAN | not big endian | #endif | | ; | return 0; | } I know someone in Russia has already ported this version to ECS but I can't contact him and he has not (yet) published anything other than binaries as far as I know. Unfortunately he has built in dependence on another package which seems broken on SMP systems so I thought I would try and compile from source. TIA -- Kind regards Dave Saville From neville.alan at gmail.com Wed Jul 14 01:23:01 2010 
From: neville.alan at gmail.com (Alan Neville) Date: Tue, 13 Jul 2010 16:23:01 +0100 Subject: Capture Keystrokes Message-ID: <4C3C84D5.5090605@gmail.com> Hi List, This may be a little of an unorthodox question as it somewhat defeats the purpose of encryption, but I'm currently attempting to put together a high-interactive iPhone honeypot project as part of my thesis for a masters course in security and forensics. The project blog is located at http://iphonehoneypot.wordpress.com which details the project's objectives and current status. As it stands, I have one last element to implement and this is to capture keystrokes from an established SSH session. I have looked at various options; kernel modules, writing my own ssh service in python using the twisted framework etc but I'd like to explore the possibility of modifying openssh to record keystrokes to ensure authenticity. Can anyone advise? Is this even possible? Are there other alternatives which I haven't considered? i.e. can I generate a static key which I could use to decrypt the captured traffic later? Many Thanks, A -- Alan Neville, Postgraduate Education Officer, DCU Students' Union 2009/2010, BS.c Computer Applications DCU (Completed) MS.c Security and Forensics DCU (Attending) From peter at stuge.se Wed Jul 14 10:11:56 2010 
From: peter at stuge.se (Peter Stuge) Date: Wed, 14 Jul 2010 02:11:56 +0200 Subject: Capture Keystrokes In-Reply-To: <4C3C84D5.5090605@gmail.com> References: <4C3C84D5.5090605@gmail.com> Message-ID: <20100714001156.493.qmail@stuge.se> Alan Neville wrote: > capture keystrokes from an established SSH session. .. > I'd like to explore the possibility of modifying openssh to record > keystrokes to ensure authenticity. Authenticity of what? Would you want to modify the client or the server? I guess the server. Maybe you would be interested in: http://freshmeat.net/projects/ttysnoop26/ > can I generate a static key which I could use to decrypt the > captured traffic later? Not with protocol version 2. //Peter From ijbgreen at gmail.com Wed Jul 14 11:42:45 2010 
From: ijbgreen at gmail.com (Luis Ortíz Silva) Date: Tue, 13 Jul 2010 20:42:45 -0500 Subject: SFTP Chroot Message-ID: Hi: I tried to deploy an SFTP server with chroot, but when I tried to connect the client sent the following error: Write failed: Broken pipe Couldn't read packet: Connection reset by peer The sshd_conf file is the following: ------------------------------------------------------------------- # Package generated configuration file # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 22 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 768 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 120 PermitRootLogin yes StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Change to no to disable tunnelled clear text passwords #PasswordAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosGetAFSToken no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # GSSAPI options #GSSAPIAuthentication no 
#GSSAPICleanupCredentials yes X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp internal-sftp # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes Match group sftponly ForceCommand internal-sftp ChrootDirectory /ftp/scotia ------------------------------------------------- Please, I need help because this server is urgent for the enterprise. I don't know what I need to do. Regards. From neville.alan at gmail.com Wed Jul 14 22:29:36 2010 
From: neville.alan at gmail.com (Alan Neville) Date: Wed, 14 Jul 2010 13:29:36 +0100 Subject: Capture Keystrokes In-Reply-To: <20100714001156.493.qmail@stuge.se> References: <4C3C84D5.5090605@gmail.com> <20100714001156.493.qmail@stuge.se> Message-ID: <4C3DADB0.8060101@gmail.com> On 14/07/2010 01:11, Peter Stuge wrote: > Alan Neville wrote: >> capture keystrokes from an established SSH session. > .. >> I'd like to explore the possibility of modifying openssh to record >> keystrokes to ensure authenticity. > > Authenticity of what? I'd like to try to retain the authenticity of the session so as not to alert users/attackers that keystrokes are being recorded. > > Would you want to modify the client or the server? I guess the > server. Maybe you would be interested in: > > http://freshmeat.net/projects/ttysnoop26/ > This is for Linux. The link I provided shows the project is an iPhone Honeypot which uses PTY type terminals (BSD style) and not TTY. > >> can I generate a static key which I could use to decrypt the >> captured traffic later? > > Not with protocol version 2. 
> > > //Peter -- Alan Neville, Postgraduate Education Officer, DCU Students' Union 2009/2010, BS.c Computer Applications DCU (Completed) MS.c Security and Forensics DCU (Attending) From peter at stuge.se Thu Jul 15 07:06:41 2010 
From: peter at stuge.se (Peter Stuge) Date: Wed, 14 Jul 2010 23:06:41 +0200 Subject: SFTP Chroot In-Reply-To: References: Message-ID: <20100714210641.13490.qmail@stuge.se> Luis Ortíz Silva wrote: > I tried to deploy an SFTP server with chroot, but when I tried to > connect the client sent the following error: > > Write failed: Broken pipe > Couldn't read packet: Connection reset by peer > > The sshd_conf file is the following: .. > ------------------------------------------------- > > Please, I need help because this server is urgent for the > enterprise. I don't know what I need to do. Either climb the learning curve and fix the problem yourself, or hire someone else who does know what they need to do. In any case, if you want to get help from anyone, then you must provide them with much more detail than you sent to the mailing list. Did you run the server in debug mode and look at the output? I am fairly confident that there will be some information about the problem there. If you can not analyze it yourself then I suggest that you send it to the mailing list. //Peter From ronjobmann at yahoo.com Thu Jul 15 06:10:18 2010 From: ronjobmann at yahoo.com (Ron Jobmann) Date: Wed, 14 Jul 2010 13:10:18 -0700 (PDT) Subject: Limit number of sessions to ALL users Message-ID: <593215.9233.qm@web30904.mail.mud.yahoo.com> I'm running 5.5p1. I want to limit the total number of ssh connections to my box, not necessarily all the connections from the same IP. I've tried setting MaxSessions, but that doesn't seem to do it. Am I missing something simple? From drallen at cs.uwaterloo.ca Sat Jul 17 07:26:30 2010 
From: drallen at cs.uwaterloo.ca (Daniel Allen) Date: Fri, 16 Jul 2010 17:26:30 -0400 Subject: PermitUserEnvironment In-Reply-To: References: <270edf4c0908251928y2beea913hdaed0ce225871525@mail.gmail.com> Message-ID: Daniel Allen wrote on May 26 18:14:31 EST 2010: > Daniel Allen wrote on Fri Sep 4 23:46:12 EST 2009: > > Damien Miller wrote: > > > > > We could make PermitUserEnvironment accept a pattern-list to match > > > environment variables, while retaining "yes", "no", "true" and "false" > > > as their current meanings of allow/deny-all. > > > > [...] The pattern-list would seem the more elegant approach for our > > use. > > I'd like to let you know that we're reviewing a patch which does just as > described, to accept a pattern for PermitUserEnvironment. It affects vars > defined in $HOME/.ssh/environment and authorized_keys. It > accepts a single pattern, which is used as a case-insensitive prefix for > allowed variables. I will send along the patch as soon as I've had a few > colleagues review it. And here, at last, is the patch, which will go into production in the University of Waterloo campus environment Real Soon Now. Feedback welcome. Note that while the patch refers to openssh-5.4p1, it patches cleanly against 5.5p1 as well. (I'd love to see this make it into the next release!) Thanks, Daniel Allen Computing Technology Specialist Computer Science Computing Facility (CSCF) David R. Cheriton School of Computer Science University of Waterloo (519) 888-4567 ext. 35448 drallen at uwaterloo dot ca From helmut at subdivi.de Sun Jul 18 09:38:44 2010 
From: helmut at subdivi.de (Helmut Grohne) Date: Sun, 18 Jul 2010 01:38:44 +0200 Subject: Feature request: "SetupCommand" invoked before connecting In-Reply-To: <20090708220337.GA10134@alf.mars> References: <20090708220337.GA10134@alf.mars> Message-ID: <20100717233844.GA16147@alf.mars> Hi, On Thu, Jul 09, 2009 at 12:03:37AM +0200, Helmut Grohne wrote: > (I'm not subscribed to the list, so please CC me on reply.) > > I'd like to request adding a feature to OpenSSH: > > Task: > ~~~~~ > It is sometimes quite useful to invoke a program prior to connecting to > an ssh server. The most common use case will probably be port knocking. > That is, a small program sends certain packets to a server and the server > reacts to this by unlocking the ssh port, which would be blocked > otherwise to defend against brute force attacks. I proposed a SetupCommand earlier and got a few responses. Both Daniel Kahn Gillmor and Jameson Rollins were in favour of merging my patch. However the merge did not happen so far. What is keeping you from merging it? Damien Miller and Peter Stuge questioned the usefulness. I explained that, but never got any follow-up question. Were my arguments insufficient? Helmut From peteriva at googlemail.com Mon Jul 19 18:14:11 2010 
From: peteriva at googlemail.com (Peter Ivanov) Date: Mon, 19 Jul 2010 10:14:11 +0200 Subject: Disabling lookup for /homedir Message-ID: Hi! I am very new to OpenSSH but I've still read the manuals without any result which can solve my problem - that's why I am contacting you. I have a unix-machine with a subversion server running. Authentication is done with ldap and svn is done via ssh (svn+ssh://my.server.com/my/repository). I have a centralized authorized_keys for pub-key authentication via ssh and users only can do svn. I want to disable the lookup for a home-dir because I don't need it for svn. When I disable the autofs (solaris) ssh tells me every time I send a svn-request "could not chdir..." but the command succeeds. That's not the main problem: when I try svn with a tool like tortoise it fails because of the missing home-dir - everything works fine when autofs is enabled. To solve this behavior, I uncommented the part of the check for homedir in session.c (the part where the output "Could not chdir home.." is defined) but I am not sure if this is a "clean" way.. but it works now. Is there a "clean" method to fully disable the lookup for an existing home-dir in ssh? Pete From drallen at cs.uwaterloo.ca Tue Jul 20 01:10:08 2010 
From: drallen at cs.uwaterloo.ca (Daniel Allen) Date: Mon, 19 Jul 2010 11:10:08 -0400 Subject: PermitUserEnvironment In-Reply-To: References: <270edf4c0908251928y2beea913hdaed0ce225871525@mail.gmail.com> Message-ID: <945A614C-896F-4948-AD85-0570AD52FEA4@cs.uwaterloo.ca> On 16-Jul-10, at 5:26 PM, Daniel Allen wrote: > And here, at last, is the patch, which will go into production in > the University > of Waterloo campus environment Real Soon Now. Feedback welcome. For those reading along, the patch can be found at: https://bugzilla.mindrot.org/show_bug.cgi?id=1800 Daniel Allen Computing Technology Specialist Computer Science Computing Facility (CSCF) David R. Cheriton School of Computer Science University of Waterloo (519) 888-4567 ext. 35448 drallen at uwaterloo dot ca From mouring at eviladmin.org Tue Jul 20 01:46:31 2010 
From: mouring at eviladmin.org (Ben Lindstrom) Date: Mon, 19 Jul 2010 10:46:31 -0500 Subject: Disabling lookup for /homedir In-Reply-To: References: Message-ID: Umm.. Why don't you just set the home directory to / ? or /tmp ? Seems silly to have a home directory that isn't valid and the solution is to "stop ssh from checking if it is valid". - Ben On Jul 19, 2010, at 3:14 AM, Peter Ivanov wrote: > Hi! > > I am very new to OpenSSH but I've still read the manuals without any result > which can solve my problem - that's why I am contacting you. > > I have a unix-machine with a subversion server running. Authentication is > done with ldap and svn is done via ssh (svn+ssh:// > my.server.com/my/repository). > I have a centralized authorized_keys for pub-key authentication via ssh and > users only can do svn. > > I want to disable the lookup for a home-dir because I don't need it for svn. > When I disable the autofs (solaris) ssh tells me every time I send a > svn-request "could not chdir..." but the command succeeds. That's not the > main problem: when I try svn with a tool like tortoise it fails because of > the missing home-dir - everything works fine when autofs is enabled. > > To solve this behavior, I uncommented the part of the check for homedir in > session.c (the part where the output "Could not chdir home.." is defined) > but I am not sure if this is a "clean" way.. but it works now. Is there a > "clean" method to fully disable the lookup for an existing home-dir in ssh? > > Pete From scott_n at xypro.com Tue Jul 20 02:41:56 2010 
From: scott_n at xypro.com (Scott Neugroschl) Date: Mon, 19 Jul 2010 09:41:56 -0700 Subject: Disabling lookup for /homedir In-Reply-To: References: Message-ID: <78DD71C304F38B41885A242996B96F730248B55C@xyservd.XYPRO-23.LOCAL> Quoth Peter Ivanov: > I want to disable the lookup for a home-dir because i don't need it for > svn. > Where, exactly, do you expect to find authorized_keys then? From dkg at fifthhorseman.net Tue Jul 20 06:30:13 2010 
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 19 Jul 2010 16:30:13 -0400 Subject: Feature request: "SetupCommand" invoked before connecting In-Reply-To: <20100717233844.GA16147@alf.mars> References: <20090708220337.GA10134@alf.mars> <20100717233844.GA16147@alf.mars> Message-ID: <4C44B5D5.3060506@fifthhorseman.net> On 07/17/2010 07:38 PM, Helmut Grohne wrote: > I proposed a SetupCommand earlier and got a few responses. Both Daniel > Kahn Gillmor and Jameson Rollins were in favour of merging my patch. > However the merge did not happen so far. What is keeping you from > merging it? Neither Jameson nor myself has commit access to the canonical OpenSSH repo, so we simply can't do any merges. You pointed out that the main reason you didn't want to use ProxyCommand for this was because TcpKeepAlive (and some other options?) would therefore have no effect. However, a patch for #1766 (exporting the ssh config to child processes) would allow you to propagate the relevant choices to the ProxyCommand: https://bugzilla.mindrot.org/show_bug.cgi?id=1766 Fixing 1766 would also enable fixes to other bugs (like #1233), so it seems more generically useful to me than a specific SetupCommand hook, which only solves your particular problem. I recommend filing your SetupCommand patch as an issue in https://bugzilla.mindrot.org/ so there is a canonical place for public commentary. Regards, --dkg From Jefferson.Ogata at noaa.gov Tue Jul 20 03:47:18 2010 
From: Jefferson.Ogata at noaa.gov (Jefferson Ogata) Date: Mon, 19 Jul 2010 17:47:18 +0000 Subject: Disabling lookup for /homedir In-Reply-To: <78DD71C304F38B41885A242996B96F730248B55C@xyservd.XYPRO-23.LOCAL> References: <78DD71C304F38B41885A242996B96F730248B55C@xyservd.XYPRO-23.LOCAL> Message-ID: <4C448FA6.1010706@noaa.gov> On 2010-07-19 16:41, Scott Neugroschl wrote: > Quoth Peter Ivanov: >> I want to disable the lookup for a home-dir because I don't need it for >> svn. >> > Where, exactly, do you expect to find authorized_keys then? Wherever AuthorizedKeysFile points to, I suspect. Note that OP wrote, "I have a centralized authorized_keys for pub-key authentication." -- Jefferson Ogata NOAA Computer Incident Response Team (N-CIRT) "Never try to retrieve anything from a bear."--National Park Service From scott_n at xypro.com Tue Jul 20 06:52:15 2010 From: scott_n at xypro.com (Scott Neugroschl) Date: Mon, 19 Jul 2010 13:52:15 -0700 Subject: Disabling lookup for /homedir In-Reply-To: <4C448FA6.1010706@noaa.gov> References: <78DD71C304F38B41885A242996B96F730248B55C@xyservd.XYPRO-23.LOCAL> <4C448FA6.1010706@noaa.gov> Message-ID: <78DD71C304F38B41885A242996B96F730248B606@xyservd.XYPRO-23.LOCAL> Quoth Jefferson Ogata: > On 2010-07-19 16:41, Scott Neugroschl wrote: > > Quoth Peter Ivanov: > >> I want to disable the lookup for a home-dir because I don't need it for > >> svn. > >> > > Where, exactly, do you expect to find authorized_keys then? > > Wherever AuthorizedKeysFile points to, I suspect. Note that OP wrote, > "I have a centralized authorized_keys for pub-key authentication." > Ah. I missed that. Thanks. From ijbgreen at gmail.com Wed Jul 21 04:19:52 2010 
From: ijbgreen at gmail.com (Luis Ortíz Silva)
Date: Tue, 20 Jul 2010 13:19:52 -0500
Subject: SFTP Chroot
In-Reply-To: <20100714210641.13490.qmail@stuge.se>
References: <20100714210641.13490.qmail@stuge.se>
Message-ID: 

I did run the server in debug mode but I can't see anything unusual. But let me try to find something that can provide me a clue for this issue.

2010/7/14 Peter Stuge
> Luis Ortíz Silva wrote:
> > I tried to deploy a SFTP server with chroot but when I tried to
> > connect the client sends the next error:
> >
> > Write failed: Broken pipe
> > Couldn't read packet: Connection reset by peer
> >
> > The sshd_conf file is the next:
> ..
> > -------------------------------------------------
> >
> > Please, I need help because this server is urgent for the
> > enterprise. I don't know what I need to do.
>
> Either climb the learning curve and fix the problem yourself, or hire
> someone else who does know what they need to do.
>
> In any case, if you want to get help from anyone, then you must
> provide them with much more detail than you sent to the mailing list.
>
> Did you run the server in debug mode and look at the output? I am
> fairly confident that there will be some information about the
> problem there. If you can not analyze it yourself then I suggest that
> you send it to the mailing list.
>
>
> //Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From neville.alan at gmail.com Wed Jul 21 04:21:40 2010
From: neville.alan at gmail.com (Alan Neville)
Date: Tue, 20 Jul 2010 19:21:40 +0100
Subject: Record Failed Passwords
Message-ID: <4C45E934.4050009@gmail.com>

Hi OpenSSH'ers,

I am emailing you to ask is it possible to record failed passwords attempts and log them to syslog? Are there patches available for this? Has anyone managed to do this before? Are there alternative methods?

Many Thanks,

A

-- 
Alan Neville,
Postgraduate Education Officer,
DCU Students' Union 2009/2010,
BS.c Computer Applications DCU (Completed)
MS.c Security and Forensics DCU (Attending)

From alex at alex.org.uk Wed Jul 21 04:23:59 2010
From: alex at alex.org.uk (Alex Bligh)
Date: Tue, 20 Jul 2010 19:23:59 +0100
Subject: Record Failed Passwords
In-Reply-To: <4C45E934.4050009@gmail.com>
References: <4C45E934.4050009@gmail.com>
Message-ID: <38B0E5ED8EE0DC2086F668C9@Ximines.local>

--On 20 July 2010 19:21:40 +0100 Alan Neville wrote:
> I am emailing you to ask is it possible to record failed passwords
> attempts and log them to syslog? Are there patches available for this?
> Has anyone managed to do this before? Are there alternative methods?

Does the logging that denyhosts etc. use not suffice?

-- 
Alex Bligh

From neville.alan at gmail.com Wed Jul 21 04:30:30 2010
From: neville.alan at gmail.com (Alan Neville)
Date: Tue, 20 Jul 2010 19:30:30 +0100
Subject: Record Failed Passwords
In-Reply-To: <38B0E5ED8EE0DC2086F668C9@Ximines.local>
References: <4C45E934.4050009@gmail.com> <38B0E5ED8EE0DC2086F668C9@Ximines.local>
Message-ID: <4C45EB46.2030306@gmail.com>

Hey Alex,

Thank you for the quick response. Currently, the logging for the denyhost only provides IP address based information and not the passwords attempted for both valid and invalid user accounts. I'd like to capture both of these if possible.

Kind Regards,

A

On 20/07/2010 19:23, Alex Bligh wrote:
>
>
> --On 20 July 2010 19:21:40 +0100 Alan Neville
> wrote:
>
>> I am emailing you to ask is it possible to record failed passwords
>> attempts and log them to syslog? Are there patches available for this?
>> Has anyone managed to do this before? Are there alternative methods?
>
> Does the logging that denyhosts etc. use not suffice?
>

-- 
Alan Neville,
Postgraduate Education Officer,
DCU Students' Union 2009/2010,
BS.c Computer Applications DCU (Completed)
MS.c Security and Forensics DCU (Attending)

From bob at proulx.com Wed Jul 21 06:02:00 2010
From: bob at proulx.com (Bob Proulx)
Date: Tue, 20 Jul 2010 14:02:00 -0600
Subject: Record Failed Passwords
In-Reply-To: <4C45E934.4050009@gmail.com>
References: <4C45E934.4050009@gmail.com>
Message-ID: <20100720200200.GA711@dementia.proulx.com>

Alan Neville wrote:
> I am emailing you to ask is it possible to record failed passwords
> attempts and log them to syslog? Are there patches available for this?
> Has anyone managed to do this before? Are there alternative methods?

My logs are always filled with cracking attempts to log in but failing the password. The past couple of months the distributed attacks have increased significantly. I currently have around 2,000 IP addresses attacking from a distributed attack engine. (No chance of succeeding however.)

Jul 18 07:01:26 joseki sshd[21461]: error: PAM: User not known to the underlying authentication module for illegal user kate from 200.63.163.27
Jul 18 07:01:26 joseki sshd[21461]: Failed keyboard-interactive/pam for invalid user kate from 200.63.163.27 port 16602 ssh2

I don't know what system you are using and you did not say. On a Debian Stable system the above is normal output on a standard installation without additional user patches. What you are asking for seems to already be available.

Bob

From keisial at gmail.com Wed Jul 21 07:03:34 2010
From: keisial at gmail.com (Keisial)
Date: Tue, 20 Jul 2010 23:03:34 +0200
Subject: Record Failed Passwords
In-Reply-To: <20100720200200.GA711@dementia.proulx.com>
References: <4C45E934.4050009@gmail.com> <20100720200200.GA711@dementia.proulx.com>
Message-ID: <4C460F26.40901@gmail.com>

Bob Proulx wrote:
> Alan Neville wrote:
>> I am emailing you to ask is it possible to record failed passwords
>> attempts and log them to syslog? Are there patches available for this?
>> Has anyone managed to do this before? Are there alternative methods?
> My logs are always filled with cracking attempts to log in but failing
> the password. The past couple of months the distributed attacks have
> increased significantly. I currently have around 2,000 IP addresses
> attacking from a distributed attack engine. (No chance of succeeding
> however.)
>
> Jul 18 07:01:26 joseki sshd[21461]: error: PAM: User not known to the underlying authentication module for illegal user kate from 200.63.163.27
> Jul 18 07:01:26 joseki sshd[21461]: Failed keyboard-interactive/pam for invalid user kate from 200.63.163.27 port 16602 ssh2
>
> I don't know what system you are using and you did not say. On a
> Debian Stable system the above is normal output on a standard
> installation without additional user patches. What you are asking for
> seems to already be available.
>
> Bob

I think he wants the actual passwords, Bob.

There are some patches for that, Alan, but AFAIK they work only with the traditional passwd, not with PAM.
It could be logged with a PAM module I think, but don't know of an existing one.

From bob at proulx.com Wed Jul 21 08:10:42 2010
From: bob at proulx.com (Bob Proulx)
Date: Tue, 20 Jul 2010 16:10:42 -0600
Subject: Record Failed Passwords
In-Reply-To: <4C460F26.40901@gmail.com>
References: <4C45E934.4050009@gmail.com> <20100720200200.GA711@dementia.proulx.com> <4C460F26.40901@gmail.com>
Message-ID: <20100720221042.GB15825@dementia.proulx.com>

Keisial wrote:
> Bob Proulx wrote:
> > Alan Neville wrote:
> >> I am emailing you to ask is it possible to record failed passwords
> >> attempts and log them to syslog? Are there patches available for this?
>
> > My logs are always filled with cracking attempts to log in but failing
> > the password. The past couple of months the distributed attacks have
>
> I think he wants the actual passwords, Bob.

Oh! When I read "record failed passwords attempts" I read it as "record failed password attempts". No matter what, I think the grammar there is a little ambiguous. And logging actual passwords isn't normally good since normally user passwords shouldn't be stored. But I understand that if you are setting up a honeypot or studying attacks then it is one way to observe the cracking behavior.

Bob

From rob at nofocus.org Wed Jul 21 07:45:14 2010
From: rob at nofocus.org (Robert Banz)
Date: Tue, 20 Jul 2010 14:45:14 -0700
Subject: Record Failed Passwords
In-Reply-To: <4C460F26.40901@gmail.com>
References: <4C45E934.4050009@gmail.com> <20100720200200.GA711@dementia.proulx.com> <4C460F26.40901@gmail.com>
Message-ID: 

This is probably a *really bad idea*(tm).

In logging failed passwords, you're opening up the potential to expose the secrets of valid users. Many people innocently type the wrong password for an account (like, their bank password instead of the one for your server), or simply miss a character, or maybe just tried to log in with the wrong account name and their real password.

The UNIX authentication stack is built so that even the administrator of a machine has to jump through hoops to expose someone's password (like you're suggesting doing here); please don't go down this road.

(back in the 'telnet' days, we used to consider it "bad" to log failed usernames on login, since folks very regularly would type their password at the wrong prompt -- then follow it up with a correct login from the same IP -- making it obvious to collect passwords)

On Tue, Jul 20, 2010 at 2:03 PM, Keisial wrote:
> Bob Proulx wrote:
> > Alan Neville wrote:
> >> I am emailing you to ask is it possible to record failed passwords
> >> attempts and log them to syslog? Are there patches available for this?
> >> Has anyone managed to do this before? Are there alternative methods?
> > My logs are always filled with cracking attempts to log in but failing
> > the password. The past couple of months the distributed attacks have
> > increased significantly. I currently have around 2,000 IP addresses
> > attacking from a distributed attack engine. (No chance of succeeding
> > however.)
> >
> > Jul 18 07:01:26 joseki sshd[21461]: error: PAM: User not known to the underlying authentication module for illegal user kate from 200.63.163.27
> > Jul 18 07:01:26 joseki sshd[21461]: Failed keyboard-interactive/pam for invalid user kate from 200.63.163.27 port 16602 ssh2
> >
> > I don't know what system you are using and you did not say. On a
> > Debian Stable system the above is normal output on a standard
> > installation without additional user patches. What you are asking for
> > seems to already be available.
> >
> > Bob
> I think he wants the actual passwords, Bob.
>
> There are some patches for that, Alan, but AFAIK they work only with the
> traditional passwd, not with PAM.
> It could be logged with a PAM module I think, but don't know of an existing
> one.

From neville.alan at gmail.com Wed Jul 21 10:07:51 2010
From: neville.alan at gmail.com (Alan Neville)
Date: Wed, 21 Jul 2010 01:07:51 +0100
Subject: Record Failed Passwords
In-Reply-To: <20100720221042.GB15825@dementia.proulx.com>
References: <4C45E934.4050009@gmail.com> <20100720200200.GA711@dementia.proulx.com> <4C460F26.40901@gmail.com> <20100720221042.GB15825@dementia.proulx.com>
Message-ID: <4C463A57.9040506@gmail.com>

On 20/07/2010 23:10, Bob Proulx wrote:
> Keisial wrote:
>> Bob Proulx wrote:
>>> Alan Neville wrote:
>>>> I am emailing you to ask is it possible to record failed passwords
>>>> attempts and log them to syslog? Are there patches available for this?
>>
>>> My logs are always filled with cracking attempts to log in but failing
>>> the password. The past couple of months the distributed attacks have
>>
>> I think he wants the actual passwords, Bob.
>
> Oh! When I read "record failed passwords attempts" I read it as
> "record failed password attempts". No matter what, I think the grammar
> there is a little ambiguous. And logging actual passwords isn't
> normally good since normally user passwords shouldn't be stored. But
> I understand that if you are setting up a honeypot or studying attacks
> then it is one way to observe the cracking behavior.

Indeed this is a honeypot. Can anyone provide information on where such patches are available?

>
> Bob

-- 
Alan Neville,
Postgraduate Education Officer,
DCU Students' Union 2009/2010,
BS.c Computer Applications DCU (Completed)
MS.c Security and Forensics DCU (Attending)

From dan at doxpara.com Wed Jul 21 10:48:09 2010
From: dan at doxpara.com (Dan Kaminsky)
Date: Tue, 20 Jul 2010 20:48:09 -0400
Subject: Record Failed Passwords
In-Reply-To: <4C463A57.9040506@gmail.com>
References: <4C45E934.4050009@gmail.com> <20100720200200.GA711@dementia.proulx.com> <4C460F26.40901@gmail.com> <20100720221042.GB15825@dementia.proulx.com> <4C463A57.9040506@gmail.com>
Message-ID: 

Alan,

The plaintext password is received from the wire as a null terminated string in auth2-passwd.c:userauth_passwd (without privsep) or Monitor.c:mm_answer_authpasswd (with privsep). If authenticated returns false, then syslog passwd. That should work!

(Again, this is only a good idea for a honeypot.)

On Tue, Jul 20, 2010 at 8:07 PM, Alan Neville wrote:
> On 20/07/2010 23:10, Bob Proulx wrote:
> > Keisial wrote:
> >> Bob Proulx wrote:
> >>> Alan Neville wrote:
> >>>> I am emailing you to ask is it possible to record failed passwords
> >>>> attempts and log them to syslog? Are there patches available for this?
> >>
> >>> My logs are always filled with cracking attempts to log in but failing
> >>> the password. The past couple of months the distributed attacks have
> >>
> >> I think he wants the actual passwords, Bob.
> >
> > Oh! When I read "record failed passwords attempts" I read it as
> > "record failed password attempts". No matter what, I think the grammar
> > there is a little ambiguous. And logging actual passwords isn't
> > normally good since normally user passwords shouldn't be stored. But
> > I understand that if you are setting up a honeypot or studying attacks
> > then it is one way to observe the cracking behavior.
>
> Indeed this is a honeypot. Can anyone provide information on where such
> patches are available?
>
> >
> > Bob
>
> --
> Alan Neville,
> Postgraduate Education Officer,
> DCU Students' Union 2009/2010,
> BS.c Computer Applications DCU (Completed)
> MS.c Security and Forensics DCU (Attending)

From djm at mindrot.org Wed Jul 21 10:55:40 2010
From: djm at mindrot.org (Damien Miller)
Date: Wed, 21 Jul 2010 10:55:40 +1000 (EST)
Subject: Record Failed Passwords
In-Reply-To: 
References: <4C45E934.4050009@gmail.com> <20100720200200.GA711@dementia.proulx.com> <4C460F26.40901@gmail.com> <20100720221042.GB15825@dementia.proulx.com> <4C463A57.9040506@gmail.com>
Message-ID: 

On Tue, 20 Jul 2010, Dan Kaminsky wrote:
> Alan,
>
> The plaintext password is received from the wire as a null terminated
> string in auth2-passwd.c:userauth_passwd (without privsep) or
> Monitor.c:mm_answer_authpasswd (with privsep). If authenticated returns
> false, then syslog passwd. That should work!

All roads lead to auth-passwd.c:auth_password()

-d

From christian.pfaffel-janser at siemens.com Wed Jul 21 17:46:02 2010
From: christian.pfaffel-janser at siemens.com (Christian Pfaffel-Janser)
Date: Wed, 21 Jul 2010 09:46:02 +0200
Subject: Record Failed Passwords
In-Reply-To: <4C45E934.4050009@gmail.com>
References: <4C45E934.4050009@gmail.com>
Message-ID: <4C46A5BA.1060004@siemens.com>

Alan Neville wrote:
> Hi OpenSSH'ers,
>
> I am emailing you to ask is it possible to record failed passwords
> attempts and log them to syslog? Are there patches available for this?
> Has anyone managed to do this before? Are there alternative methods?
>
> Many Thanks,
>
> A
>

Hi Alan,

use a pam module and put it in common-auth

auth sufficient pam_unix.so nullok_secure
auth required pam_log_pw.so
auth requisite pam_deny.so

Use something like (untested)

---- begin pam_log_pw.c -----------
#define PAM_SM_AUTHENTICATE
#include <security/pam_modules.h>

/* Reached only after pam_unix (marked "sufficient" above) has failed,
 * so the items fetched here describe a failed attempt. */
extern int pam_sm_authenticate(pam_handle_t *pamh, int flags,
    int argc, const char **argv)
{
	const char *user, *pass, *rhost, *ruser;

	pam_get_item(pamh, PAM_USER, (const void **) &user);
	pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass);
	pam_get_item(pamh, PAM_RHOST, (const void **) &rhost);
	pam_get_item(pamh, PAM_RUSER, (const void **) &ruser);

	/* do your logging stuff here */

	return PAM_AUTH_ERR;
}
----- end ----

compile using something like:

gcc -O2 -fPIC -Wall -pedantic -shared -lpam -o pam_log_pw.so \
    pam_log_pw.c

Best regards,

Christian

-- 
Company: Siemens Aktiengesellschaft Österreich
Legal form: Aktiengesellschaft
Registered office: Wien, Commercial register number: FN 60562 m
Commercial register court: Handelsgericht Wien, DVR: 0001708

From Norbert.Nemec.List at gmx.de Thu Jul 22 20:58:43 2010
From: Norbert.Nemec.List at gmx.de (Norbert Nemec)
Date: Thu, 22 Jul 2010 12:58:43 +0200
Subject: Feature request: fsh-like functionality
Message-ID: <20100722105843.305380@gmx.net>

I have recently found the "fsh" program (http://www.lysator.liu.se/fsh/) which offered exactly what I needed. It is a great program but it is not maintained and was even thrown out of Debian because it was claimed that OpenSSH provided anything FSH offers. In fact, however, I miss a few features in OpenSSH that could easily be added inspired by FSH and make a very valuable addition in general:

* Fast remote command execution
    Current timings:
        ssh otherhost echo hi  -> 1.06 sec   # regular connection
        ssh -f -N -M                         # setting up master
        ssh otherhost echo hi  -> 0.86 sec   # using master
        fsh otherhost echo hi  -> 2.06 sec   # this sets up the master
        fsh otherhost echo hi  -> 0.096 sec  # this uses the master
    Is there any fundamental reason for the 0.86 sec delay in a slave connection? After all - fsh demonstrates that the same thing can be done in less than 0.1 sec. This makes a significant difference for the applications that I have in mind.

* Automatic generation of *persistent* master connections
    At the moment the "ControlMaster auto" setting creates a master when a regular ssh command is issued, but this master is closed when the command finishes. There should be an option that creates a master automatically when needed but leaves it alive for subsequent remote commands.

* Timeout of persistent master connections
    When master connections are created on-the-fly, they should also timeout after a certain period of idleness.

-- 
FREE for all GMX members: the maxdome Movie-FLAT! Activate it now at http://portal.gmx.net/de/go/maxdome01

From bert.wesarg at googlemail.com Thu Jul 22 22:07:23 2010
From: bert.wesarg at googlemail.com (Bert Wesarg)
Date: Thu, 22 Jul 2010 14:07:23 +0200
Subject: Feature request: fsh-like functionality
In-Reply-To: <20100722105843.305380@gmx.net>
References: <20100722105843.305380@gmx.net>
Message-ID: 

On Thu, Jul 22, 2010 at 12:58, Norbert Nemec wrote:
> * Automatic generation of *persistent* master connections
>     At the moment the "ControlMaster auto" setting creates a master when a regular ssh command is issued, but this master is closed when the command finishes. There should be an option that creates a master automatically when needed but leaves it alive for subsequent remote commands.

I have proposed a patch for this a year ago:

http://article.gmane.org/gmane.network.openssh.devel/16018

Bert

From djm at mindrot.org Thu Jul 22 22:42:19 2010
From: djm at mindrot.org (Damien Miller)
Date: Thu, 22 Jul 2010 22:42:19 +1000 (EST)
Subject: Feature request: fsh-like functionality
In-Reply-To: <20100722105843.305380@gmx.net>
References: <20100722105843.305380@gmx.net>
Message-ID: 

On Thu, 22 Jul 2010, Norbert Nemec wrote:
> I have recently found the "fsh" program
> (http://www.lysator.liu.se/fsh/) which offered exactly what I needed.
> It is a great program but it is not maintained and was even thrown out
> of Debian because it was claimed that OpenSSH provided anything FSH
> offers. In fact, however, I miss a few features in OpenSSH that could
> easily be added inspired by FSH and make a very valuable addition in
> general:
>
> * Fast remote command execution
>     Current timings:
>         ssh otherhost echo hi -> 1.06 sec  # regular connection
>         ssh -f -N -M                       # setting up master
>         ssh otherhost echo hi -> 0.86 sec  # using master
>         fsh otherhost echo hi -> 2.06 sec  # this sets up the master
>         fsh otherhost echo hi -> 0.096 sec # this uses the master
>     Is there any fundamental reason for the 0.86 sec delay in a slave
>     connection? After all - fsh demonstrates that the same thing can be
>     done in less than 0.1 sec. This makes a significant difference for the
>     applications that I have in mind.

I don't see this delay - opening a new mux slave is ~0.02 sec on my host. Is your "otherhost" distant network-wise? Slave sessions incur at least two round-trips between the client and the server, but if you have port-forwards specified in your ssh_config then these will cause additional delays. Closing channels is also more verbose in the SSH protocol, though I don't think there is a round-trip there.

> * Automatic generation of *persistent* master connections
>     At the moment the "ControlMaster auto" setting creates a master
>     when a regular ssh command is issued, but this master is closed when
>     the command finishes. There should be an option that creates a master
>     automatically when needed but leaves it alive for subsequent remote
>     commands.
>
> * Timeout of persistent master connections
>     When master connections are created on-the-fly, they should also
>     timeout after a certain period of idleness.

These are both implemented in -current via the ControlPersist option and will be in openssh-5.6.

-d

From wierbows at us.ibm.com Fri Jul 23 07:09:19 2010
From: wierbows at us.ibm.com (David Wierbowski)
Date: Thu, 22 Jul 2010 17:09:19 -0400
Subject: remote vs local window discrepancy
Message-ID: 

I am utilizing an openssh tunnel between two Linux boxes. On the client box I issue the following commands to set up the tunnel:

- ssh -w0:0 root at x.x.x.x -v
  where x.x.x.x is the IP address of the Linux system running sshd
- ip addr add 10.0.5.1/32 peer 10.0.5.2 dev tun0
- ip link set tun0 up

On the box running sshd I issue the following commands:

- ip addr add 10.0.5.2/32 peer 10.0.5.1 dev tun0
- ip link set tun0 up

The SSH tunnel comes up just fine. I have a testcase that runs 5000 byte pings between the two boxes with a .02 increment (e.g. ping -s5000 10.0.5.2 -i .02). After roughly 6000 pings the connection stalls. It does not matter which box I initiate the pings from. The MTU size is 1500.

The stall occurs because the client's remote window count for the tun channel goes to 0. The server's local window count is much larger. Given the discrepancy between the client and server's view of the server's window size a SSH_MSG_CHANNEL_WINDOW_ADJUST message is never sent once the client's remote window count goes to 0. The client never attempts to read off the tun device file descriptor again.

After some investigation I determined that for every packet sent the client is decrementing Channel.remote_window by a value that is 4 bytes larger than the amount that the server decrements Channel.local_window and Channel.local_consumed. Prior to the stall the server does send SSH_MSG_CHANNEL_WINDOW_ADJUST messages. When it does the "byte to add" value is off by 4x the number of packets consumed by the server. Eventually over time this drives the client's remote window count to go to zero. As an aside the remote window count has to be exactly 0 for the stall to occur.

Initially the following line of code in channel_output_poll that decrements the remote window count for datagram channels looked suspicious:

    c->remote_window -= dlen + 4;

However, the code that updates Channel.local_window and Channel.local_consumed for a datagram channel also includes the +4 in the calculation. Does anybody know why the datagram calculation includes a +4? Anybody know what would cause the 4 byte discrepancy I am seeing?

A complicating factor is that in channel_output_poll the calculation to update the remote window in the datagram case does not take into account that dlen may be larger than the remote_window size. Does anybody know why? Perhaps there is a check elsewhere that makes this safe, but I am not seeing it. During problem determination I have observed the value of the remote window does occasionally wrap. When the remote window counter does wrap it goes undetected because Channel.remote_window is an unsigned value.

Another item I find confusing is the test in channel_pre_open to decide if the channel's read file descriptor should be turned on in the read fileset. That test includes a check of a variable called limit which is set to Channel.remote_window when compat20 is true. Can somebody explain why this is remote_window instead of local_window? The check is "limit > 0" which is why the wrapping of remote_window goes undetected.

Any insight into these questions will be appreciated.

Thanks.

Dave Wierbowski

From keisial at gmail.com Fri Jul 23 09:13:43 2010
From: keisial at gmail.com (Keisial)
Date: Fri, 23 Jul 2010 01:13:43 +0200
Subject: Feature request: fsh-like functionality
In-Reply-To: 
References: <20100722105843.305380@gmx.net>
Message-ID: <4C48D0A7.3010309@gmail.com>

Damien Miller wrote:
> On Thu, 22 Jul 2010, Norbert Nemec wrote:
>> * Fast remote command execution
>>     Current timings:
>>         ssh otherhost echo hi -> 1.06 sec  # regular connection
>>         ssh -f -N -M                       # setting up master
>>         ssh otherhost echo hi -> 0.86 sec  # using master
>>         fsh otherhost echo hi -> 2.06 sec  # this sets up the master
>>         fsh otherhost echo hi -> 0.096 sec # this uses the master
>>     Is there any fundamental reason for the 0.86 sec delay in a slave
>>     connection? After all - fsh demonstrates that the same thing can be
>>     done in less than 0.1 sec. This makes a significant difference for the
>>     applications that I have in mind.
> I don't see this delay - opening a new mux slave is ~0.02 sec on my
> host. Is your "otherhost" distant network-wise? Slave sessions incur
> at least two round-trips between the client and the server, but if you
> have port-forwards specified in your ssh_config then these will cause
> additional delays. Closing channels is also more verbose in the SSH
> protocol, though I don't think there is a round-trip there.

I see a small delay of 0.07s in ssh.

Using fsh, I see one request packet and two response ones.
Using a mastered ssh, there are three request packets and three response packets.
(I am not counting the ACKs in either case)

A wild guess based on the two-packet response is that ssh is first doing a round trip for opening a connection, plus an extra 'I am done' packet at the end, whereas fsh skips it completely.

Perhaps ssh could optimistically send the new channel open and the data sent to it in one packet?

From djm at mindrot.org Fri Jul 23 09:33:22 2010
From: djm at mindrot.org (Damien Miller)
Date: Fri, 23 Jul 2010 09:33:22 +1000 (EST)
Subject: remote vs local window discrepancy
In-Reply-To: 
References: 
Message-ID: 

On Thu, 22 Jul 2010, David Wierbowski wrote:
> After some investigation I determined that for every packet sent the client
> is decrementing Channel.remote_window by a value that is 4 bytes larger
> than the amount that the server decrements Channel.local_window and
> Channel.local_consumed. Prior to the stall the server does send
> SSH_MSG_CHANNEL_WINDOW_ADJUST messages. When it does the "byte to add"
> value is off by 4x the number of packets consumed by the server.
> Eventually over time this drives the client's remote window count to go to
> zero. As an aside the remote window count has to be exactly 0 for the
> stall to occur.
>
> Initially the following line of code in channel_output_poll that decrements
> the remote window count for datagram channels looked suspicious:
>
> c->remote_window -= dlen + 4;

The extra 4 bytes are there because datagram channels encode packets as SSH strings. These have a 4-byte length header.

> However, the code that updates Channel.local_window and
> Channel.local_consumed for a datagram channel also includes the +4 in the
> calculation. Does anybody know why the datagram calculation includes a +4?
> Anybody know what would cause the 4 byte discrepancy I am seeing?

I don't see anything obviously wrong in there. Perhaps the tunnel output filter is messing up dlen as it strips the header? Are you on a platform that uses the output filter in openbsd-compat/port-tun.c ?

If this turns out to be true, I guess we will have to change the signature of the output filter function to return the length of the data that was actually dequeued (right now it returns the size of the data to be written).

> A complicating factor is that in channel_output_poll the calculation to
> update the remote window in the datagram case does not take into account
> that dlen may be larger than the remote_window size. Does anybody know
> why? Perhaps there is a check elsewhere that makes this safe, but I am not
> seeing it. During problem determination I have observed the value of the
> remote window does occasionally wrap. When the remote window counter does
> wrap it goes undetected because Channel.remote_window is an unsigned value.

Yes, it looks like there are missing checks there:

Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.308
diff -u -p -r1.308 channels.c
--- channels.c	13 Jul 2010 23:13:16 -0000	1.308
+++ channels.c	22 Jul 2010 23:20:02 -0000
@@ -2150,6 +2150,14 @@ channel_output_poll(void)
 				data = buffer_get_string(&c->input, &dlen);
+				if (dlen > c->remote_window ||
+				    dlen > c->remote_maxpacket) {
+					debug("channel %d: datagram "
+					    "too big for channel",
+					    c->self);
+					xfree(data);
+					continue;
+				}
 				packet_start(SSH2_MSG_CHANNEL_DATA);
 				packet_put_int(c->remote_id);
 				packet_put_string(data, dlen);

> Another item I find confusing is the test in channel_pre_open to decide if
> the channel's read file descriptor should be turned on in the read fileset.
> That test includes a check of a variable called limit which is set to
> Channel.remote_window when compat20 is true. Can somebody explain why this
> is remote_window instead of local_window? The check is "limit > 0" which
> is why the wrapping of remote_window goes undetected

It is set to remote_window because we need to determine whether to stop reading if their window is already full or if we already have enough data read but yet to be sent to fill their window.

-d

From djm at mindrot.org Fri Jul 23 09:35:03 2010
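Review bot: the new size check compares dlen against c->remote_window, but the decrement that follows a few lines below this hunk is `c->remote_window -= dlen + 4;` (quoted earlier in the thread), so a datagram with remote_window - 4 < dlen <= remote_window passes the check and still drives the unsigned window past zero, which is the wrap Dave reported. The check should charge the same quantity it is guarding, `if (dlen + 4 > c->remote_window ||`, and whether the 4-byte string header also counts against remote_maxpacket deserves the same scrutiny. A second, smaller point: a datagram larger than remote_maxpacket can never be sent on this channel, so that branch will fire, at debug level only, for every such packet; a distinct message for the two cases would make the logs easier to read.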
From: djm at mindrot.org (Damien Miller) Date: Fri, 23 Jul 2010 09:35:03 +1000 (EST) Subject: Feature request: fsh-like functionality In-Reply-To: <4C48D0A7.3010309@gmail.com> References: <20100722105843.305380@gmx.net> <4C48D0A7.3010309@gmail.com> Message-ID: On Fri, 23 Jul 2010, Keisial wrote: > Using fsh, I see one request packet and two response ones. > Using a mastered ssh, there are three request packets and three > response packets. > (I am not counting the ACKs on either case) > > A wild guess based on the two-packet response is that ssh is first doing > a round trip for opening a connection, plus an extra 'I am done packet > at the end' whereas fsh skips it completely. > > Perhaps ssh could optimistically send the new channel open and the data > sent to it on one packet? No, because we can't perform operations on a channel before we know the ID it is assigned by the remote end. -d From wierbows at us.ibm.com Fri Jul 23 10:29:21 2010 
From: wierbows at us.ibm.com (David Wierbowski) Date: Thu, 22 Jul 2010 20:29:21 -0400 Subject: remote vs local window discrepancy In-Reply-To: References: Message-ID: Damien, Thanks for the quick response. I am on a platform that uses the output filter function in openbsd-compat/port-tun.c. I had briefly looked at the sys_tun_outfilter function and was suspicious when I saw that it decremented dlen. I think you might be on to the source of the discrepancy. I will add the checks you provided and rebuild. Your answer about why limit is set to remote_window makes sense. When I was looking at the check I had the purpose of the names backwards. On Thu, 22 Jul 2010, Damien Miller wrote: >On Thu, 22 Jul 2010, David Wierbowski wrote: > >> After some investigation I determined that for every packet sent the client >> is decrementing Channel.remote_window by a value that is 4 bytes larger >> than the amount that the server decrements Channel.local_window and >> Channel.local_consumed. Prior to the stall the server does send >> SSH_MSG_CHANNEL_WINDOW_ADJUST messages. When it does the "byte to add" >> value is off by 4x the number of packets consumed by the server. >> Eventually over time this drives the client's remote window count to go to >> zero. As an aside the remote window count has to be exactly 0 for the >> stall to occur. >> >> Initially the following line of code in channel_output_poll that decrements >> the remote window count for datagram channels looked suspicious: >> >> c->remote_window -= dlen + 4; > >The extra 4 bytes are there because datagram channels encode packets >as SSH strings. These have a 4-byte length header. > >> However, the code that updates Channel.local_window and >> Channel.local_consumed for a datagram channel also includes the +4 in the >> calculation. Does anybody know why the datagram calculation includes a +4? >> Anybody know what would cause the 4 byte discrepancy I am seeing? > >I don't see anything obviously wrong in there. 
Perhaps the tunnel output >filter is messing up dlen as it strips the header? Are you on a platform >that uses the output filter in openbsd-compat/port-tun.c ? > >If this turns out to be true, I guess we will have to change the signature >of the output filter function to return the length of the data that was >actually dequeued (right now it returns the size of the data to be written). > >> A complicating factor is that in channel_output_poll the calculation to >> update the remote window in the datagram case does not take into account >> that dlen may be larger than the remote_window size. Does anybody know >> why? Perhaps there is a check elsewhere that makes this safe, but I am not >> seeing it. During problem determination I have observed the value of the >> remote window does occasionally wrap. When the remote window counter does >> wrap it goes undetected because Channel.remote_window is an unsigned value. > >Yes, it looks like there are missing checks there: > >Index: channels.c >=================================================================== >RCS file: /cvs/src/usr.bin/ssh/channels.c,v >retrieving revision 1.308 >diff -u -p -r1.308 channels.c >--- channels.c 13 Jul 2010 23:13:16 -0000 1.308 >+++ channels.c 22 Jul 2010 23:20:02 -0000 
>@@ -2150,6 +2150,14 @@ channel_output_poll(void) > > data = buffer_get_string(&c->input, > &dlen); >+ if (dlen > c-> remote_window || >+ dlen > c-> remote_maxpacket) { >+ debug("channel %d: datagram " >+ "too big for channel", >+ c->self); >+ xfree(data); >+ continue; >+ } > packet_start (SSH2_MSG_CHANNEL_DATA); > packet_put_int (c->remote_id); > packet_put_string(data, dlen); > >> Another item I find confusing is the test in channel_pre_open to decide if >> the channel's read file descriptor should be turned on in the read fileset. >> That test includes a check of a variable called limit which is set to >> Channel.remote_window when compat20 is true. Can somebody explain why this >> is remote_window instead of local_window? The check is "limit > 0" which >> is why the wrapping of remote_window goes undetected > >It is set to remote_window because we need to determine whether to stop >reading if their window is already full or if we already have enough data >read but yet to be sent to fill their window. > >-d Dave Wierbowski From djm at mindrot.org Fri Jul 23 10:58:47 2010 From: djm at mindrot.org (Damien Miller) Date: Fri, 23 Jul 2010 10:58:47 +1000 (EST) Subject: remote vs local window discrepancy In-Reply-To: References: Message-ID: On Thu, 22 Jul 2010, David Wierbowski wrote: > Damien, > > Thanks for the quick response. I am on a platform that uses the > output filter function in openbsd-compat/port-tun.c. I had briefly > looked at the sys_tun_outfilter function and was suspicious when I saw > that it decremented dlen. I think you might be on to the source of the > discrepancy. If I'm right, then this should fix it: Index: channels.c =================================================================== RCS file: /var/cvs/openssh/channels.c,v retrieving revision 1.299 diff -u -p -r1.299 channels.c --- channels.c 16 Jul 2010 03:58:37 -0000 1.299 +++ channels.c 23 Jul 2010 00:52:07 -0000 
@@ -1644,7 +1644,7 @@ channel_handle_wfd(Channel *c, fd_set *r { struct termios tio; u_char *data = NULL, *buf; - u_int dlen; + u_int dlen, wlen; int len; /* Send buffered output data to the socket. */ @@ -1652,7 +1652,8 @@ channel_handle_wfd(Channel *c, fd_set *r FD_ISSET(c->wfd, writeset) && buffer_len(&c->output) > 0) { if (c->output_filter != NULL) { - if ((buf = c->output_filter(c, &data, &dlen)) == NULL) { + if ((buf = c->output_filter(c, &data, &dlen, + &wlen)) == NULL) { debug2("channel %d: filter stops", c->self); if (c->type != SSH_CHANNEL_OPEN) chan_mark_dead(c); @@ -1662,15 +1663,16 @@ channel_handle_wfd(Channel *c, fd_set *r } } else if (c->datagram) { buf = data = buffer_get_string(&c->output, &dlen); + wlen = dlen; } else { buf = data = buffer_ptr(&c->output); - dlen = buffer_len(&c->output); + dlen = wlen = buffer_len(&c->output); } if (c->datagram) { /* ignore truncated writes, datagrams might get lost */ c->local_consumed += dlen + 4; - len = write(c->wfd, buf, dlen); + len = write(c->wfd, buf, wlen); xfree(data); if (len < 0 && (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)) @@ -1687,10 +1689,10 @@ channel_handle_wfd(Channel *c, fd_set *r #ifdef _AIX /* XXX: Later AIX versions can't push as much data to tty */ if (compat20 && c->wfd_isatty) - dlen = MIN(dlen, 8*1024); + wlen = MIN(wlen, 8*1024); #endif - len = write(c->wfd, buf, dlen); + len = write(c->wfd, buf, wlen); if (len < 0 && (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)) return 1; @@ -1709,7 +1711,7 @@ channel_handle_wfd(Channel *c, fd_set *r return -1; } #ifndef BROKEN_TCGETATTR_ICANON - if (compat20 && c->isatty && dlen >= 1 && buf[0] != '\r') { + if (compat20 && c->isatty && wlen >= 1 && buf[0] != '\r') { if (tcgetattr(c->wfd, &tio) == 0 && !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { /* 
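Review bot: in the -1652 hunk the new wlen out-parameter is never initialised by the caller before `c->output_filter(c, &data, &dlen, &wlen)`, so any channel_outfilter_fn that returns non-NULL without storing to *wlen leaves wlen indeterminate for the later `len = write(c->wfd, buf, wlen);`. The sys_tun_outfilter change further down this patch does store `*wlen = *dlen;` unconditionally, but a defensive `wlen = dlen;` before the call would make the new contract safe for other filters. The accounting change in the -1662 hunk is right: `c->local_consumed += dlen + 4;` now uses the pre-filter length, matching the `dlen + 4` charged to remote_window on the sending side, while write() gets the shortened wlen.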
@@ -2172,6 +2174,14 @@ channel_output_poll(void) data = buffer_get_string(&c->input, &dlen); + if (dlen > c->remote_window || + dlen > c->remote_maxpacket) { + debug("channel %d: datagram " + "too big for channel", + c->self); + xfree(data); + continue; + } packet_start(SSH2_MSG_CHANNEL_DATA); packet_put_int(c->remote_id); packet_put_string(data, dlen); Index: channels.h =================================================================== RCS file: /var/cvs/openssh/channels.h,v retrieving revision 1.97 diff -u -p -r1.97 channels.h --- channels.h 21 May 2010 04:57:10 -0000 1.97 +++ channels.h 23 Jul 2010 00:52:30 -0000 @@ -64,7 +64,8 @@ typedef void channel_open_fn(int, int, v typedef void channel_callback_fn(int, void *); typedef int channel_infilter_fn(struct Channel *, char *, int); typedef void channel_filter_cleanup_fn(int, void *); -typedef u_char *channel_outfilter_fn(struct Channel *, u_char **, u_int *); +typedef u_char *channel_outfilter_fn(struct Channel *, u_char **, u_int *, + u_int *); /* Channel success/failure callbacks */ typedef void channel_confirm_cb(int, struct Channel *, void *); Index: openbsd-compat/port-tun.c =================================================================== RCS file: /var/cvs/openssh/openbsd-compat/port-tun.c,v retrieving revision 1.14 diff -u -p -r1.14 port-tun.c --- openbsd-compat/port-tun.c 19 May 2008 05:28:36 -0000 1.14 +++ openbsd-compat/port-tun.c 23 Jul 2010 00:55:53 -0000 @@ -245,7 +245,7 @@ sys_tun_infilter(struct Channel *c, char } u_char * -sys_tun_outfilter(struct Channel *c, u_char **data, u_int *dlen) +sys_tun_outfilter(struct Channel *c, u_char **data, u_int *dlen, u_int *wlen) { u_char *buf; u_int32_t *af; 
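Review bot: the channels.h hunk widens channel_outfilter_fn with a fourth `u_int *` but says nothing about what the callee must do with it; since a filter may now shorten the buffer without changing the amount charged to the window, a one-line note that the filter stores the byte count to write in the last argument on every non-NULL return, and that the caller keeps *dlen for window accounting, would document the split this patch introduces. The -2174 hunk in channels.c repeats the datagram check from the earlier patch and inherits the same question of comparing dlen while the decrement charges dlen + 4.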
@@ -254,9 +254,10 @@ sys_tun_outfilter(struct Channel *c, u_c if (*dlen < sizeof(*af)) return (NULL); buf = *data; + *wlen = *dlen; #if defined(SSH_TUN_PREPEND_AF) - *dlen -= sizeof(u_int32_t); + *wlen -= sizeof(u_int32_t); buf = *data + sizeof(u_int32_t); #elif defined(SSH_TUN_COMPAT_AF) af = ntohl(*(u_int32_t *)buf); Index: openbsd-compat/port-tun.h =================================================================== RCS file: /var/cvs/openssh/openbsd-compat/port-tun.h,v retrieving revision 1.4 diff -u -p -r1.4 port-tun.h --- openbsd-compat/port-tun.h 5 Aug 2006 04:07:21 -0000 1.4 +++ openbsd-compat/port-tun.h 23 Jul 2010 00:58:24 -0000 @@ -27,7 +27,7 @@ int sys_tun_open(int, int); #if defined(SSH_TUN_COMPAT_AF) || defined(SSH_TUN_PREPEND_AF) # define SSH_TUN_FILTER int sys_tun_infilter(struct Channel *, char *, int); -u_char *sys_tun_outfilter(struct Channel *, u_char **, u_int *); +u_char *sys_tun_outfilter(struct Channel *, u_char **, u_int *, u_int *); #endif #endif From Norbert.Nemec.list at gmx.de Fri Jul 23 18:50:05 2010 
From: Norbert.Nemec.list at gmx.de (Norbert Nemec) Date: Fri, 23 Jul 2010 09:50:05 +0100 Subject: Feature request: fsh-like functionality In-Reply-To: <4C48D0A7.3010309@gmail.com> References: <20100722105843.305380@gmx.net> <4C48D0A7.3010309@gmail.com> Message-ID: <4C4957BD.3040900@gmx.de> On 23/07/10 00:13, Keisial wrote: > Damien Miller wrote: > >> On Thu, 22 Jul 2010, Norbert Nemec wrote: >> >>> * Fast remote command execution >>> Current timings: >>> ssh otherhost echo hi -> 1.06 sec # regular connection >>> ssh -f -N -M # setting up master >>> ssh otherhost echo hi -> 0.86 sec # using master >>> fsh otherhost echo hi -> 2.06 sec # this sets up the master >>> fsh otherhost echo hi -> 0.096 sec # this uses the master >>> Is there any fundamental reason for the 0.86 sec delay in a slave >>> connection? After all - fsh demonstrates that the same thing can be >>> done in less than 0.1 sec. This makes a significant difference for the >>> applications that I have in mind. >>> >> I don't see this delay - opening a new mux slave is ~0.02 sec on my >> host. Is your "otherhost" distant network-wise? Slave sessions incur >> at least two round-trips between the client and the server, but if you >> have port-forwards specified in your ssh_config then these will cause >> additional delays. Closing channels is also more verbose in the SSH >> protocol, though I don't think there is a round-trip there. >> > I see a small delay of 0.07s in ssh. > Hmm - based on these numbers I did some further tests and am now suspecting that it is actually the login process of the bash that is eating up the time. Unfortunately, I cannot easily simplify the login scripts as a number of modules need to be loaded. Furthermore, it is not quite clear to me which scripts are actually executed when calling 'ssh somehost "command"'. According to the documentation "command" is executed instead of a login shell. Still, the .bashrc seems to be read. 
If I understand it correctly, FSH effectively eliminates this overhead by starting a login shell only once and running the remote command processor within that shell with a fixed set of environment variables set in the persistent shell. Perhaps there is some way to re-use the environment from the mux master to the mux slaves instead of re-evaluating .bashrc each time? Greetings, Norbert From Norbert.Nemec.list at gmx.de Fri Jul 23 19:14:21 2010 From: Norbert.Nemec.list at gmx.de (Norbert Nemec) Date: Fri, 23 Jul 2010 10:14:21 +0100 Subject: Feature request: fsh-like functionality In-Reply-To: <4C4957BD.3040900@gmx.de> References: <20100722105843.305380@gmx.net> <4C48D0A7.3010309@gmail.com> <4C4957BD.3040900@gmx.de> Message-ID: <4C495D6D.7010008@gmx.de> On 23/07/10 09:50, Norbert Nemec wrote: > Hmm - based by these numbers I did some further test and am now > suspecting that it is actually the login process of the bash that is > eating up the time. Unfortunately, I cannot easily simplify the login > scripts as a number of modules needs to be loaded. Furthermore, it is > not quite clear to me which scripts are actually executed when calling > 'ssh somehost "command"'. According to the documentation "command" is > executed instead of a login shell. Still, the .bashrc seems to be read. Update: The real problems are /etc/bash.bashrc and /etc/profile -- both files are very complex and take significant time to process. I have no influence on the setup of the system. SSH does not seem to offer any way to issue a command without calling either of these two files. Am I missing something? From chrivers at iversen-net.dk Fri Jul 23 19:59:55 2010 
From: chrivers at iversen-net.dk (Christian Iversen) Date: Fri, 23 Jul 2010 11:59:55 +0200 Subject: Feature request: fsh-like functionality In-Reply-To: <4C495D6D.7010008@gmx.de> References: <20100722105843.305380@gmx.net> <4C48D0A7.3010309@gmail.com> <4C4957BD.3040900@gmx.de> <4C495D6D.7010008@gmx.de> Message-ID: <4C49681B.4000207@iversen-net.dk> On 2010-07-23 11:14, Norbert Nemec wrote: > On 23/07/10 09:50, Norbert Nemec wrote: >> Hmm - based by these numbers I did some further test and am now >> suspecting that it is actually the login process of the bash that is >> eating up the time. Unfortunately, I cannot easily simplify the login >> scripts as a number of modules needs to be loaded. Furthermore, it is >> not quite clear to me which scripts are actually executed when calling >> 'ssh somehost "command"'. According to the documentation "command" is >> executed instead of a login shell. Still, the .bashrc seems to be read. > Update: The real problem are /etc/bash.bashrc and /etc/profile -- both > files are very complex and take significant time to process. I have no > influence on the setup of the system. SSH does not seem to offer any way > to issue a command without calling either of these two files. Am I > missing something? How about making a wrapper executable, that simply exec's the arguments it gets? If you set this program as the shell, your commands should execute quite quickly. If you need shell expansion, you should use the smallest shell you can use. Note that zsh, even though it is more complex, can be quicker than bash to start because it has more fine-grained support for which startup scripts to load. Also, dash (a version of /bin/sh) is very light. -- Med venlig hilsen Christian Iversen From wmertens at cisco.com Fri Jul 23 19:33:44 2010 
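The wrapper Christian describes, as an added example that is not part of the thread and not OpenSSH code: sshd runs the account's login shell as `shell -c "command"`, so a program installed as that shell (assumed here to be called execshell, and assumed to be installable as a login shell, which needs the administrator's cooperation) receives the remote command in argv[2], splits it on whitespace and exec()s it directly. No bash is started, so /etc/bash.bashrc and /etc/profile never run. It deliberately performs no quoting, globbing, pipes or variable expansion, which is also why there is no shell metacharacter interpretation to worry about; commands that need those must be spelled out as a script with a full path.

```c
/* Added example, not from the thread or OpenSSH: a minimal login-shell
 * replacement that exec()s the "-c" command directly.  It does no quoting,
 * globbing or variable expansion, so only plain "program arg arg" works. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_ARGS 256

/* Split cmd on blanks, tabs and newlines into argv (argv[n] == NULL).
 * cmd is modified in place.  Returns the word count, or -1 if the words
 * would not fit in argv (max includes the terminating NULL). */
int split_command(char *cmd, char **argv, size_t max)
{
    size_t n = 0;
    char *save = NULL;
    char *tok;

    for (tok = strtok_r(cmd, " \t\r\n", &save); tok != NULL;
         tok = strtok_r(NULL, " \t\r\n", &save)) {
        if (n + 1 >= max)
            return -1;
        argv[n++] = tok;
    }
    argv[n] = NULL;
    return (int)n;
}

int main(int argc, char **argv)
{
    char *args[MAX_ARGS];
    char *cmd;
    int n;

    /* sshd invokes the login shell as: <shell> -c "<remote command>" */
    if (argc != 3 || strcmp(argv[1], "-c") != 0) {
        fprintf(stderr, "execshell: only \"-c command\" is supported; no interactive mode\n");
        return 2;
    }
    cmd = strdup(argv[2]);
    if (cmd == NULL)
        return 1;
    n = split_command(cmd, args, MAX_ARGS);
    if (n <= 0) {
        fprintf(stderr, "execshell: empty or oversized command\n");
        return 2;
    }
    execvp(args[0], args);           /* only returns on failure */
    fprintf(stderr, "execshell: %s: %s\n", args[0], strerror(errno));
    return 127;
}
```

Because the program refuses to run without `-c`, an interactive login with this shell fails outright; that is acceptable for an automation-only account and keeps the wrapper from becoming a general-purpose shell.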
From: wmertens at cisco.com (Wout Mertens) Date: Fri, 23 Jul 2010 11:33:44 +0200 Subject: Feature request: fsh-like functionality In-Reply-To: <4C495D6D.7010008@gmx.de> References: <20100722105843.305380@gmx.net> <4C48D0A7.3010309@gmail.com> <4C4957BD.3040900@gmx.de> <4C495D6D.7010008@gmx.de> Message-ID: <8A3E51D1-10AA-4BD1-B4F6-1BB3C7EF0720@cisco.com> On Jul 23, 2010, at 11:14 , Norbert Nemec wrote: > On 23/07/10 09:50, Norbert Nemec wrote: >> Hmm - based by these numbers I did some further test and am now suspecting that it is actually the login process of the bash that is eating up the time. Unfortunately, I cannot easily simplify the login scripts as a number of modules needs to be loaded. Furthermore, it is not quite clear to me which scripts are actually executed when calling 'ssh somehost "command"'. According to the documentation "command" is executed instead of a login shell. Still, the .bashrc seems to be read. > Update: The real problem are /etc/bash.bashrc and /etc/profile -- both files are very complex and take significant time to process. I have no influence on the setup of the system. SSH does not seem to offer any way to issue a command without calling either of these two files. Am I missing something? Try calling a command with a full path and without special shell characters, I think SSH will then execute that directly. Try tracing execs from sshd on the receiving end? Wout. From Norbert.Nemec.list at gmx.de Fri Jul 23 21:05:15 2010 
From: Norbert.Nemec.list at gmx.de (Norbert Nemec) Date: Fri, 23 Jul 2010 12:05:15 +0100 Subject: Feature request: fsh-like functionality In-Reply-To: <8A3E51D1-10AA-4BD1-B4F6-1BB3C7EF0720@cisco.com> References: <20100722105843.305380@gmx.net> <4C48D0A7.3010309@gmail.com> <4C4957BD.3040900@gmx.de> <4C495D6D.7010008@gmx.de> <8A3E51D1-10AA-4BD1-B4F6-1BB3C7EF0720@cisco.com> Message-ID: <4C49776B.1070607@gmx.de> On 23/07/10 10:33, Wout Mertens wrote: > On Jul 23, 2010, at 11:14 , Norbert Nemec wrote: > > >> On 23/07/10 09:50, Norbert Nemec wrote: >> >>> Hmm - based by these numbers I did some further test and am now suspecting that it is actually the login process of the bash that is eating up the time. Unfortunately, I cannot easily simplify the login scripts as a number of modules needs to be loaded. Furthermore, it is not quite clear to me which scripts are actually executed when calling 'ssh somehost "command"'. According to the documentation "command" is executed instead of a login shell. Still, the .bashrc seems to be read. >>> >> Update: The real problem are /etc/bash.bashrc and /etc/profile -- both files are very complex and take significant time to process. I have no influence on the setup of the system. SSH does not seem to offer any way to issue a command without calling either of these two files. Am I missing something? >> > Try calling a command with a full path and without special shell characters, I think SSH will then execute that directly. Try tracing execs from sshd on the receiving end? > I checked the OpenSSH sources. Turns out that in session.c the sshd daemon actually *always* uses the login shell to interpret the command. Turns out that furthermore, the bash tries to be smart and get in the way: /etc/bash.bashrc and ~/.bashrc are usually read only for interactive shells, not for shells that simply execute a command via the '-c' option. However -- bash automatically detects when it is called by rshd or alike. 
In this special case, it reads .bashrc anyway, with no way of switching off this behavior. In most cases, I guess that this makes sense, because the environment would otherwise not be initialized. In my case, unfortunately, it means that an ssh command will always read /etc/bash.bashrc and will always take close to a second for it. Unfortunately, this behavior is defined by sshd, which I, as a user, have no control over. I guess FSH remains the best workaround after all... From wmertens at cisco.com Fri Jul 23 21:42:44 2010 
From: wmertens at cisco.com (Wout Mertens) Date: Fri, 23 Jul 2010 13:42:44 +0200 Subject: Feature request: fsh-like functionality In-Reply-To: <4C49776B.1070607@gmx.de> References: <20100722105843.305380@gmx.net> <4C48D0A7.3010309@gmail.com> <4C4957BD.3040900@gmx.de> <4C495D6D.7010008@gmx.de> <8A3E51D1-10AA-4BD1-B4F6-1BB3C7EF0720@cisco.com> <4C49776B.1070607@gmx.de> Message-ID: You can use bash co-processes to keep a link to the remote shell open and execute commands: http://www.gnu.org/software/bash/manual/html_node/Coprocesses.html Wout. On Jul 23, 2010, at 13:05 , Norbert Nemec wrote: > On 23/07/10 10:33, Wout Mertens wrote: >> On Jul 23, 2010, at 11:14 , Norbert Nemec wrote: >> >> >>> On 23/07/10 09:50, Norbert Nemec wrote: >>> >>>> Hmm - based by these numbers I did some further test and am now suspecting that it is actually the login process of the bash that is eating up the time. Unfortunately, I cannot easily simplify the login scripts as a number of modules needs to be loaded. Furthermore, it is not quite clear to me which scripts are actually executed when calling 'ssh somehost "command"'. According to the documentation "command" is executed instead of a login shell. Still, the .bashrc seems to be read. >>>> >>> Update: The real problem are /etc/bash.bashrc and /etc/profile -- both files are very complex and take significant time to process. I have no influence on the setup of the system. SSH does not seem to offer any way to issue a command without calling either of these two files. Am I missing something? >>> >> Try calling a command with a full path and without special shell characters, I think SSH will then execute that directly. Try tracing execs from sshd on the receiving end? >> > I checked the OpenSSH sources. Turns out that in session.c the sshd daemon actually *always* uses the login shell to interpret the command. 
> > Turns out that furthermore, the bash tries to be smart and get in the way: /etc/bash.bashrc and ~/.bashrc are usually read only for interactive shells, not for shells that simply execute a command via the '-c' option. However -- bash automatically detects when it is called by rshd or alike. In this special case, it reads .bashrc anyways, with no way of switching off this behavior. > > In most cases, I guess that this makes sense, because the environment would otherwise not be initialized. In my case, unfortunately, it means that a ssh command will always read /etc/bash.bashrc and will always take close to a second for it. > > Unfortunately, this behavior is defined by sshd which I, as a user, have no control over. Guess, FSH remains the best workaround after all... > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev From gert at greenie.muc.de Fri Jul 23 22:41:24 2010 
From: gert at greenie.muc.de (Gert Doering) Date: Fri, 23 Jul 2010 14:41:24 +0200 Subject: Feature request: fsh-like functionality In-Reply-To: <4C49776B.1070607@gmx.de> References: <20100722105843.305380@gmx.net> <4C48D0A7.3010309@gmail.com> <4C4957BD.3040900@gmx.de> <4C495D6D.7010008@gmx.de> <8A3E51D1-10AA-4BD1-B4F6-1BB3C7EF0720@cisco.com> <4C49776B.1070607@gmx.de> Message-ID: <20100723124124.GQ361@greenie.muc.de> Hi, On Fri, Jul 23, 2010 at 12:05:15PM +0100, Norbert Nemec wrote: > Turns out that furthermore, the bash tries to be smart and get in the > way: "just don't use bash"... gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From brakeb at gmail.com Fri Jul 23 23:31:33 2010 
From: brakeb at gmail.com (Bryan) Date: Fri, 23 Jul 2010 08:31:33 -0500 Subject: Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows Message-ID: My office is currently using WRQ Reflections as it was FIPS compliant. But this option is an expense that we'd like to get rid of if possible. Putty is not an option for us since it uses its own OpenSSL libs and we need it FIPS enabled. I've been able to build OpenSSL 0.9.8o and enable the fipcanister.lib and create the openssl executables and libraries. I've been able to find instructions on how to build OpenSSH at this site: http://www.nomachine.com/ar/view.php?ar_id=AR05H00563 and here: http://www.cs.bham.ac.uk/~smp/projects/ssh-windows/compile/ But I can't tell if either method is the correct one for building using cygwin. When I looked through the Configure script for OpenSSH, I did not find anything "FIPS" related to be able to point my build to it. Can I assume that just linking to my FIPS-enabled OpenSSL is enough to FIPS enable OpenSSH? And if someone has a non-vendor or more current version of how to build OpenSSH online, could you provide a link? I would greatly appreciate it. Thanks, Bryan Brake From peter at stuge.se Sat Jul 24 00:42:00 2010 
From: peter at stuge.se (Peter Stuge) Date: Fri, 23 Jul 2010 16:42:00 +0200 Subject: Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows In-Reply-To: References: Message-ID: <20100723144200.25429.qmail@stuge.se> Bryan wrote: > Putty is not an option for us since it uses it's own OpenSSL libs > and we need it FIPS enabled. If PuTTY uses OpenSSL for encryption then you could of course build PuTTY against your FIPS-enabled OpenSSL. > I've been able to build OpenSSL 0.9.8o and enable the > fipcanister.lib and create the openssl executables and libraries. > I've been able to find instructions on how to build OpenSSH at this > site: > > http://www.nomachine.com/ar/view.php?ar_id=AR05H00563 > > and here: > > http://www.cs.bham.ac.uk/~smp/projects/ssh-windows/compile/ > > But I can't tell if either method is the correct one for building > using cygwin. Note that Cygwin is a very different system from Windows. First decide what it is that you want. Do you want a native binary, or a Cygwin binary? Note that the method at the former URL produces a native binary. The latter URL seems rather uninformed about platform differences in general and Windows platform details vs. UNIX platform details in particular. > When I looked through the Configure script for OpenSSH, > I did not find anything "FIPS" related to be able to point my build > to it. Can I assume that just linking to my FIPS-enabled OpenSSL > is enough to FIPS enable OpenSSH? I don't know FIPS well enough to say for sure, but in any case OpenSSH does not do any crypto operations internally, it relies on OpenSSL for this. If that's good enough (how useless is that requirement?) then yes. > And if someone has a non-vendor or more current version of how to > build OpenSSH online, could you provide a link? I would greatly > appreciate it. You don't say too well what exactly you need. Since you mention PuTTY it's safe to assume that you need an SSH client for Windows. 
Since Windows has no built-in terminal emulation, you will also need that. PuTTY provides this, as do Cygwin and MinGW. You don't say if you already have a Cygwin environment and thus would be comfortable using a Cygwin OpenSSH, or if you want a native OpenSSH for Windows. In short, please provide more information. //Peter From vinschen at redhat.com Sat Jul 24 00:58:12 2010 From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 23 Jul 2010 16:58:12 +0200 Subject: Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows In-Reply-To: <20100723144200.25429.qmail@stuge.se> References: <20100723144200.25429.qmail@stuge.se> Message-ID: <20100723145812.GA5068@calimero.vinschen.de> On Jul 23 16:42, Peter Stuge wrote: > Bryan wrote: > > Putty is not an option for us since it uses it's own OpenSSL libs > > and we need it FIPS enabled. > > If PuTTY uses OpenSSL for encryption then you could of course build > PuTTY against your FIPS-enabled OpenSSL. > > > > I've been able to build OpenSSL 0.9.8o and enable the > > fipcanister.lib and create the openssl executables and libraries. > > I've been able to find instructions on how to build OpenSSH at this > > site: > > > > http://www.nomachine.com/ar/view.php?ar_id=AR05H00563 > > > > and here: > > > > http://www.cs.bham.ac.uk/~smp/projects/ssh-windows/compile/ > > > > But I can't tell if either method is the correct one for building > > using cygwin. > > Note that Cygwin is a very different system from Windows. First > decided what it is that you want. Do you want a native binary, or a > Cygwin binary? And, if using OpenSSH 5.5p1, using OpenSSL 0.9.8o under Cygwin is an option for you, just use the pre-built packages from the Cygwin distro. See http://cygwin.com/ Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From brakeb at gmail.com Sat Jul 24 01:09:34 2010 
From: brakeb at gmail.com (Bryan) Date: Fri, 23 Jul 2010 10:09:34 -0500 Subject: Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows In-Reply-To: <20100723144200.25429.qmail@stuge.se> References: <20100723144200.25429.qmail@stuge.se> Message-ID: On Fri, Jul 23, 2010 at 09:42, Peter Stuge wrote: > Bryan wrote: >> Putty is not an option for us since it uses it's own OpenSSL libs >> and we need it FIPS enabled. > > If PuTTY uses OpenSSL for encryption then you could of course build > PuTTY against your FIPS-enabled OpenSSL. > > >> I've been able to build OpenSSL 0.9.8o and enable the >> fipcanister.lib and create the openssl executables and libraries. >> I've been able to find instructions on how to build OpenSSH at this >> site: >> >> http://www.nomachine.com/ar/view.php?ar_id=AR05H00563 >> >> and here: >> >> http://www.cs.bham.ac.uk/~smp/projects/ssh-windows/compile/ >> >> But I can't tell if either method is the correct one for building >> using cygwin. > > Note that Cygwin is a very different system from Windows. First > decided what it is that you want. Do you want a native binary, or a > Cygwin binary? > I've read that it is possible to build openssh and use it with a minimal cygwin presence (i.e. just the necessary dlls, like cygwin1.dll, etc) > Note that the method at the former URL produces a native binary. The > latter URL seems rather uninformed with platform differences in > general and Windows platform details vs. UNIX platform details in > particular. > Well, to be fair, the "nomachine" link seemed to be for running openssh in a vendor-specific environment, but I have not found a decent how-to yet. The other link was good to show what was needed for a minimal cygwin environment, but from 3 years ago, and things have changed in both cygwin and openssh. If that will work, then I'll follow those instructions. > >> When I looked through the Configure script for OpenSSH, >> I did not find anything "FIPS" related to be able to point my build >> to it. 
Can I assume that just linking to my FIPS-enabled OpenSSL >> is enough to FIPS enable OpenSSH? > > I don't know FIPS well enough to say for sure, but in any case > OpenSSH does not do any crypto operations internally, it relies on > OpenSSL for this. If that's good enough (how useless is that > requirement?) then yes. > > >> And if someone has a non-vendor or more current version of how to >> build OpenSSH online, could you provide a link? I would greatly >> appreciate it. > > You don't say too well what exactly you need. > > Since you mention PuTTY it's safe to assume that you need an SSH > client for Windows. Since Windows has no built-in terminal emulation, > you will also need that. PuTTY provides this, as does Cygwin and > MinGW. You don't say if you already have a Cygwin environment and > thus would be comfortable using a Cygwin OpenSSH, or if you want a > native OpenSSH for Windows. > > In short, please provide more information. We are looking to create scp/sftp executables that will allow us to send updates to Linux. sftp is more important than having terminal emulation, as I need the ability to script the transfer from one to another. As I said earlier, we are using WRQ Reflections for our transfer, but it requires us to buy a license for each box we install it on, and that gets expensive. Someone must have run into this issue before, or does no one need FIPS enabled software? If OpenSSH just needs to link to an FIPS-OpenSSL, then I'm all good. I just need to figure out how to build OpenSSH with a link to the already built OpenSSL libs in cygwin. From peter at stuge.se Sat Jul 24 02:37:08 2010 
From: peter at stuge.se (Peter Stuge)
Date: Fri, 23 Jul 2010 18:37:08 +0200
Subject: Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows
In-Reply-To:
References: <20100723144200.25429.qmail@stuge.se>
Message-ID: <20100723163708.12515.qmail@stuge.se>

Bryan wrote:
> > In short, please provide more information.
>
> We are looking to create scp/sftp executables that will allow us to
> send updates to Linux. sftp is more important than having terminal
> emulation, as I need the ability to script the transfer from one to
> another.

I understand! Then perhaps you could make use of libssh2, which is very easy to work with on Windows and allows good programmatic control over things SSH, including SFTP. Since libssh2 is a library it would probably require you to do a little bit of programming (there are some very simple examples that you might be able to use), but if you want automated control over SFTP transfers then a custom program may be the best tool for the job anyway.

libssh2 uses either libgcrypt or OpenSSL for crypto, so it will work well with your FIPS-enabled OpenSSL. More info at http://libssh2.org/

> As I said earlier, we are using WRQ Reflections for our transfer,
> but it requires us to buy a license for each box we install it on,
> and that gets expensive.

Unfortunately I don't know anything about that product. IIRC there was at some point a Reflection-X product, an X server for Windows, so I guessed that it was some kind of remote access application similar to PuTTY.

> Someone must have run into this issue before, or does no one need
> FIPS-enabled software? If OpenSSH just needs to link to a
> FIPS-OpenSSL, then I'm all good.

OpenSSH can be built without any other dependencies, so this could certainly be one path to success.

> I just need to figure out how to build OpenSSH with a link to the
> already built OpenSSL libs in cygwin.

It's just ./configure with appropriate flags and then make. Run ./configure --help to learn about the supported flags. You'll probably need to worry only about the --enable-* --disable-* --with-* --without-* ones.

//Peter

From deengert at anl.gov Sat Jul 24 04:16:29 2010
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 23 Jul 2010 13:16:29 -0500
Subject: Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows
In-Reply-To:
References: <20100723144200.25429.qmail@stuge.se>
Message-ID: <4C49DC7D.4050508@anl.gov>

On 7/23/2010 10:09 AM, Bryan wrote:
> On Fri, Jul 23, 2010 at 09:42, Peter Stuge wrote:
>> Bryan wrote:
>>> Putty is not an option for us since it uses its own OpenSSL libs
>>> and we need it FIPS enabled.
>>
>> If PuTTY uses OpenSSL for encryption then you could of course build
>> PuTTY against your FIPS-enabled OpenSSL.

No, PuTTY uses its own internal encryption routines.

Have you looked at SecureCRT for Windows? It does have a FIPS mode.
http://www.vandyke.com/products/fips_info.html

Some other SSH clients that do FIPS:
http://en.wikipedia.org/wiki/Comparison_of_SSH_clients

>>> I've been able to build OpenSSL 0.9.8o and enable the
>>> fipscanister.lib and create the openssl executables and libraries.
>>> I've been able to find instructions on how to build OpenSSH at this
>>> site:
>>>
>>> http://www.nomachine.com/ar/view.php?ar_id=AR05H00563
>>>
>>> and here:
>>>
>>> http://www.cs.bham.ac.uk/~smp/projects/ssh-windows/compile/
>>>
>>> But I can't tell if either method is the correct one for building
>>> using cygwin.
>>
>> Note that Cygwin is a very different system from Windows. First
>> decide what it is that you want. Do you want a native binary, or a
>> Cygwin binary?
>
> I've read that it is possible to build openssh and use it with a
> minimal cygwin presence (i.e. just the necessary dlls, like
> cygwin1.dll, etc.)
>
>> Note that the method at the former URL produces a native binary. The
>> latter URL seems rather uninformed with platform differences in
>> general and Windows platform details vs. UNIX platform details in
>> particular.
>
> Well, to be fair, the "nomachine" link seemed to be for running
> openssh on a vendor-specific environment, but I have not found a
> decent how-to yet.
>
> The other link was good to show what was needed for a minimal cygwin
> environment, but it is from 3 years ago, and things have changed in both
> cygwin and openssh. If that will work, then I'll follow those
> instructions.
>
>>> When I looked through the Configure script for OpenSSH,
>>> I did not find anything "FIPS" related to be able to point my build
>>> to it. Can I assume that just linking to my FIPS-enabled OpenSSL
>>> is enough to FIPS-enable OpenSSH?
>>
>> I don't know FIPS well enough to say for sure, but in any case
>> OpenSSH does not do any crypto operations internally, it relies on
>> OpenSSL for this. If that's good enough (how useless is that
>> requirement?) then yes.
>>
>>> And if someone has a non-vendor or more current version of how to
>>> build OpenSSH online, could you provide a link? I would greatly
>>> appreciate it.
>>
>> You don't say too well what exactly you need.
>>
>> Since you mention PuTTY it's safe to assume that you need an SSH
>> client for Windows. Since Windows has no built-in terminal emulation,
>> you will also need that. PuTTY provides this, as does Cygwin and
>> MinGW. You don't say if you already have a Cygwin environment and
>> thus would be comfortable using a Cygwin OpenSSH, or if you want a
>> native OpenSSH for Windows.
>>
>> In short, please provide more information.
>
> We are looking to create scp/sftp executables that will allow us to
> send updates to Linux. sftp is more important than having terminal
> emulation, as I need the ability to script the transfer from one to
> another. As I said earlier, we are using WRQ Reflections for our
> transfer, but it requires us to buy a license for each box we install
> it on, and that gets expensive.
>
> Someone must have run into this issue before, or does no one need FIPS-
> enabled software? If OpenSSH just needs to link to a FIPS-OpenSSL,
> then I'm all good. I just need to figure out how to build OpenSSH
> with a link to the already built OpenSSL libs in cygwin.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From brakeb at gmail.com Sat Jul 24 06:00:35 2010
From: brakeb at gmail.com (Bryan)
Date: Fri, 23 Jul 2010 15:00:35 -0500
Subject: Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows
In-Reply-To: <4C49DC7D.4050508@anl.gov>
References: <20100723144200.25429.qmail@stuge.se> <4C49DC7D.4050508@anl.gov>
Message-ID:

On Fri, Jul 23, 2010 at 13:16, Douglas E. Engert wrote:
> On 7/23/2010 10:09 AM, Bryan wrote:
>> On Fri, Jul 23, 2010 at 09:42, Peter Stuge wrote:
>>> Bryan wrote:
>>>> Putty is not an option for us since it uses its own OpenSSL libs
>>>> and we need it FIPS enabled.
>>>
>>> If PuTTY uses OpenSSL for encryption then you could of course build
>>> PuTTY against your FIPS-enabled OpenSSL.
>
> No, PuTTY uses its own internal encryption routines.
>
> Have you looked at SecureCRT for Windows? It does have a FIPS mode.
> http://www.vandyke.com/products/fips_info.html
>
> Some other SSH clients that do FIPS:
> http://en.wikipedia.org/wiki/Comparison_of_SSH_clients

SecureCRT costs... so that is out. I'm looking at the others. Thanks for the links...

> --
> Douglas E. Engert
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From jmknoble at pobox.com Sat Jul 24 05:56:42 2010
From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 23 Jul 2010 15:56:42 -0400
Subject: Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows
In-Reply-To:
References: <20100723144200.25429.qmail@stuge.se>
Message-ID: <20100723195642.GC18123@crawfish.ais.com>

On 2010-07-23 11:09, Bryan wrote:
: On Fri, Jul 23, 2010 at 09:42, Peter Stuge wrote:
: > Bryan wrote:
: >> Putty is not an option for us since it uses its own OpenSSL libs
: >> and we need it FIPS enabled.
[...]
: >
: >> I've been able to build OpenSSL 0.9.8o and enable the
: >> fipscanister.lib and create the openssl executables and libraries.
: >> I've been able to find instructions on how to build OpenSSH at this
: >> site:
: >>
: >> http://www.nomachine.com/ar/view.php?ar_id=AR05H00563
: >>
: >> and here:
: >>
: >> http://www.cs.bham.ac.uk/~smp/projects/ssh-windows/compile/
: >>
: >> But I can't tell if either method is the correct one for building
: >> using cygwin.

A simple Google for "openssh fips cygwin" produces the following:

http://www.sslshopper.com/article-how-to-set-up-openssh-on-windows.html

That doesn't sound like a "minimal Cygwin presence", but it may well work (once the binary is built) with a base Cygwin install....

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA >>>>>> http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)

From brakeb at gmail.com Sat Jul 24 06:36:33 2010
From: brakeb at gmail.com (Bryan)
Date: Fri, 23 Jul 2010 15:36:33 -0500
Subject: Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows
In-Reply-To: <20100723195642.GC18123@crawfish.ais.com>
References: <20100723144200.25429.qmail@stuge.se> <20100723195642.GC18123@crawfish.ais.com>
Message-ID:

On Fri, Jul 23, 2010 at 14:56, Jim Knoble wrote:
>
> A simple Google for "openssh fips cygwin" produces the following:
>
> http://www.sslshopper.com/article-how-to-set-up-openssh-on-windows.html
>
> That doesn't sound like a "minimal Cygwin presence", but it may well
> work (once the binary is built) with a base Cygwin install....

I agree. I am running ssh on my other windows boxes at home, but I just d/led the packages from cygwin, never built them from source. Haven't had to build openssl from source since playing with Solaris 7...

I'll update on Monday if the above link works...

Thanks...

Bryan

From jmknoble at pobox.com Sat Jul 24 06:06:42 2010
From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 23 Jul 2010 16:06:42 -0400
Subject: Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows
In-Reply-To: <4C49DC7D.4050508@anl.gov>
References: <20100723144200.25429.qmail@stuge.se> <4C49DC7D.4050508@anl.gov>
Message-ID: <20100723200642.GD18123@crawfish.ais.com>

On 2010-07-23 14:16, Douglas E. Engert wrote:
: On 7/23/2010 10:09 AM, Bryan wrote:
: >On Fri, Jul 23, 2010 at 09:42, Peter Stuge wrote:
: >>Bryan wrote:
: >>>Putty is not an option for us since it uses its own OpenSSL libs
: >>>and we need it FIPS enabled.
[...]
: Some other SSH clients that do FIPS:
: http://en.wikipedia.org/wiki/Comparison_of_SSH_clients

Quasi-missing from the list is 'lftp', which can do sftp transfers:

http://en.wikipedia.org/wiki/Lftp
http://lftp.yar.ru/

It can link against OpenSSL, which means your FIPS-OpenSSL may work.

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG key ID: C6F31FFA >>>>>> http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 99D8:1D89:8C66:08B5:5C34::5527:A543:8C33:C6F3:1FFA)

From imorgan at nas.nasa.gov Sat Jul 24 07:31:48 2010
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Fri, 23 Jul 2010 14:31:48 -0700
Subject: Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows
In-Reply-To: <20100723200642.GD18123@crawfish.ais.com>
References: <20100723144200.25429.qmail@stuge.se> <4C49DC7D.4050508@anl.gov> <20100723200642.GD18123@crawfish.ais.com>
Message-ID: <20100723213148.GF14083@linux55.nas.nasa.gov>

On Fri, Jul 23, 2010 at 15:06:42 -0500, Jim Knoble wrote:
> On 2010-07-23 14:16, Douglas E. Engert wrote:
> : On 7/23/2010 10:09 AM, Bryan wrote:
> : >On Fri, Jul 23, 2010 at 09:42, Peter Stuge wrote:
> : >>Bryan wrote:
> : >>>Putty is not an option for us since it uses its own OpenSSL libs
> : >>>and we need it FIPS enabled.
> [...]
> : Some other SSH clients that do FIPS:
> : http://en.wikipedia.org/wiki/Comparison_of_SSH_clients
>
> Quasi-missing from the list is 'lftp', which can do sftp transfers:
>
> http://en.wikipedia.org/wiki/Lftp
> http://lftp.yar.ru/
>
> It can link against OpenSSL, which means your FIPS-OpenSSL may work.

Sorry, I haven't been following this thread very closely, but in the case of lftp the OpenSSL library would only be a consideration for FTPS and HTTPS. For SFTP it, by default, uses ssh. It does not implement the SSH protocol directly.

--
Iain Morgan

From brakeb at gmail.com Tue Jul 27 01:19:13 2010
From: brakeb at gmail.com (Bryan)
Date: Mon, 26 Jul 2010 10:19:13 -0500
Subject: Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows
In-Reply-To: <20100723195642.GC18123@crawfish.ais.com>
References: <20100723144200.25429.qmail@stuge.se> <20100723195642.GC18123@crawfish.ais.com>
Message-ID:

On Fri, Jul 23, 2010 at 14:56, Jim Knoble wrote:
> On 2010-07-23 11:09, Bryan wrote:
>
> : On Fri, Jul 23, 2010 at 09:42, Peter Stuge wrote:
> : > Bryan wrote:
> : >> Putty is not an option for us since it uses its own OpenSSL libs
> : >> and we need it FIPS enabled.
> [...]
> : >
> : >> I've been able to build OpenSSL 0.9.8o and enable the
> : >> fipscanister.lib and create the openssl executables and libraries.
> : >> I've been able to find instructions on how to build OpenSSH at this
> : >> site:
> : >>
> : >> http://www.nomachine.com/ar/view.php?ar_id=AR05H00563
> : >>
> : >> and here:
> : >>
> : >> http://www.cs.bham.ac.uk/~smp/projects/ssh-windows/compile/
> : >>
> : >> But I can't tell if either method is the correct one for building
> : >> using cygwin.
>
> A simple Google for "openssh fips cygwin" produces the following:
>
> http://www.sslshopper.com/article-how-to-set-up-openssh-on-windows.html
>
> That doesn't sound like a "minimal Cygwin presence", but it may well
> work (once the binary is built) with a base Cygwin install....

I tried building OpenSSH and used the following to try and build:

bbrake at IAVA-DEV-0% ./configure --with-ssl-dir=/cygdrive/f/TRUNK/UPDATES/Linux/FIPS_SSL/openssl-0.9.8o
checking for useradd... useradd checking for pkgmk... no checking for special C compiler options needed for large files... no checking for _FILE_OFFSET_BITS value needed for large files... no checking for login... /usr/bin//login checking for passwd... /usr/bin//passwd checking for inline... inline checking whether LLONG_MAX is declared... yes checking if gcc accepts -fno-builtin-memset... yes checking if gcc supports -fstack-protector-all... 
no checking if gcc supports -fstack-protector... no checking bstring.h usability... no checking bstring.h presence... no checking for bstring.h... no checking crypt.h usability... yes checking crypt.h presence... yes checking for crypt.h... yes checking crypto/sha2.h usability... no checking crypto/sha2.h presence... no checking for crypto/sha2.h... no checking dirent.h usability... yes checking dirent.h presence... yes checking for dirent.h... yes checking endian.h usability... yes checking endian.h presence... yes checking for endian.h... yes checking features.h usability... yes checking features.h presence... yes checking for features.h... yes checking fcntl.h usability... yes checking fcntl.h presence... yes checking for fcntl.h... yes checking floatingpoint.h usability... no checking floatingpoint.h presence... no checking for floatingpoint.h... no checking getopt.h usability... yes checking getopt.h presence... yes checking for getopt.h... yes checking glob.h usability... yes checking glob.h presence... yes checking for glob.h... yes checking ia.h usability... no checking ia.h presence... no checking for ia.h... no checking iaf.h usability... no checking iaf.h presence... no checking for iaf.h... no checking limits.h usability... yes checking limits.h presence... yes checking for limits.h... yes checking login.h usability... no checking login.h presence... no checking for login.h... no checking maillock.h usability... no checking maillock.h presence... no checking for maillock.h... no checking ndir.h usability... no checking ndir.h presence... no checking for ndir.h... no checking net/if_tun.h usability... no checking net/if_tun.h presence... no checking for net/if_tun.h... no checking netdb.h usability... yes checking netdb.h presence... yes checking for netdb.h... yes checking netgroup.h usability... no checking netgroup.h presence... no checking for netgroup.h... no checking pam/pam_appl.h usability... no checking pam/pam_appl.h presence... 
no checking for pam/pam_appl.h... no checking paths.h usability... yes checking paths.h presence... yes checking for paths.h... yes checking poll.h usability... yes checking poll.h presence... yes checking for poll.h... yes checking pty.h usability... yes checking pty.h presence... yes checking for pty.h... yes checking readpassphrase.h usability... no checking readpassphrase.h presence... no checking for readpassphrase.h... no checking rpc/types.h usability... yes checking rpc/types.h presence... yes checking for rpc/types.h... yes checking security/pam_appl.h usability... no checking security/pam_appl.h presence... no checking for security/pam_appl.h... no checking sha2.h usability... no checking sha2.h presence... no checking for sha2.h... no checking shadow.h usability... no checking shadow.h presence... no checking for shadow.h... no checking stddef.h usability... yes checking stddef.h presence... yes checking for stddef.h... yes checking for stdint.h... (cached) yes checking for string.h... (cached) yes checking for strings.h... (cached) yes checking sys/audit.h usability... no checking sys/audit.h presence... no checking for sys/audit.h... no checking sys/bitypes.h usability... no checking sys/bitypes.h presence... no checking for sys/bitypes.h... no checking sys/bsdtty.h usability... no checking sys/bsdtty.h presence... no checking for sys/bsdtty.h... no checking sys/cdefs.h usability... yes checking sys/cdefs.h presence... yes checking for sys/cdefs.h... yes checking sys/dir.h usability... no checking sys/dir.h presence... no checking for sys/dir.h... no checking sys/mman.h usability... yes checking sys/mman.h presence... yes checking for sys/mman.h... yes checking sys/ndir.h usability... no checking sys/ndir.h presence... no checking for sys/ndir.h... no checking sys/poll.h usability... yes checking sys/poll.h presence... yes checking for sys/poll.h... yes checking sys/prctl.h usability... no checking sys/prctl.h presence... no checking for sys/prctl.h... 
no checking sys/pstat.h usability... no checking sys/pstat.h presence... no checking for sys/pstat.h... no checking sys/select.h usability... yes checking sys/select.h presence... yes checking for sys/select.h... yes checking for sys/stat.h... (cached) yes checking sys/stream.h usability... no checking sys/stream.h presence... no checking for sys/stream.h... no checking sys/stropts.h usability... no checking sys/stropts.h presence... no checking for sys/stropts.h... no checking sys/strtio.h usability... no checking sys/strtio.h presence... no checking for sys/strtio.h... no checking sys/statvfs.h usability... yes checking sys/statvfs.h presence... yes checking for sys/statvfs.h... yes checking sys/sysmacros.h usability... yes checking sys/sysmacros.h presence... yes checking for sys/sysmacros.h... yes checking sys/time.h usability... yes checking sys/time.h presence... yes checking for sys/time.h... yes checking sys/timers.h usability... no checking sys/timers.h presence... no checking for sys/timers.h... no checking sys/un.h usability... yes checking sys/un.h presence... yes checking for sys/un.h... yes checking time.h usability... yes checking time.h presence... yes checking for time.h... yes checking tmpdir.h usability... no checking tmpdir.h presence... no checking for tmpdir.h... no checking ttyent.h usability... no checking ttyent.h presence... no checking for ttyent.h... no checking ucred.h usability... no checking ucred.h presence... no checking for ucred.h... no checking for unistd.h... (cached) yes checking usersec.h usability... no checking usersec.h presence... no checking for usersec.h... no checking util.h usability... no checking util.h presence... no checking for util.h... no checking utime.h usability... yes checking utime.h presence... yes checking for utime.h... yes checking utmp.h usability... yes checking utmp.h presence... yes checking for utmp.h... yes checking utmpx.h usability... yes checking utmpx.h presence... yes checking for utmpx.h... 
yes checking vis.h usability... no checking vis.h presence... no checking for vis.h... no checking for lastlog.h... yes checking for sys/ptms.h... no checking for login_cap.h... no checking for sys/mount.h... yes checking compiler and flags for sanity... yes checking for yp_match... no checking for yp_match in -lnsl... no checking for setsockopt... yes checking for dirname... yes checking libgen.h usability... yes checking libgen.h presence... yes checking for libgen.h... yes checking for getspnam... no checking for getspnam in -lgen... no checking for library containing basename... none required checking zlib.h usability... yes checking zlib.h presence... yes checking for zlib.h... yes checking for deflate in -lz... yes checking for possibly buggy zlib... no checking for strcasecmp... yes checking for utimes... yes checking libutil.h usability... no checking libutil.h presence... no checking for libutil.h... no checking for library containing login... none required checking for fmt_scaled... no checking for logout... yes checking for updwtmp... yes checking for logwtmp... yes checking for strftime... yes checking for GLOB_ALTDIRFUNC support... yes checking for gl_matchc field in glob_t... yes checking whether GLOB_NOMATCH is declared... yes checking whether struct dirent allocates space for d_name... yes checking for /proc/pid/fd directory... yes checking for arc4random... no checking for arc4random_buf... no checking for arc4random_uniform... no checking for asprintf... yes checking for b64_ntop... no checking for __b64_ntop... no checking for b64_pton... no checking for __b64_pton... no checking for bcopy... yes checking for bindresvport_sa... yes checking for clock... yes checking for closefrom... no checking for dirfd... yes checking for fchmod... yes checking for fchown... yes checking for freeaddrinfo... yes checking for fstatvfs... yes checking for futimes... yes checking for getaddrinfo... yes checking for getcwd... yes checking for getgrouplist... 
no checking for getnameinfo... yes checking for getopt... yes checking for getpeereid... yes checking for getpeerucred... no checking for _getpty... no checking for getrlimit... yes checking for getttyent... no checking for glob... yes checking for group_from_gid... no checking for inet_aton... yes checking for inet_ntoa... yes checking for inet_ntop... yes checking for innetgr... no checking for login_getcapbool... no checking for md5_crypt... no checking for memmove... yes checking for mkdtemp... yes checking for mmap... yes checking for ngetaddrinfo... no checking for nsleep... no checking for ogetaddrinfo... no checking for openlog_r... no checking for openpty... yes checking for poll... yes checking for prctl... no checking for pstat... no checking for readpassphrase... no checking for realpath... yes checking for recvmsg... yes checking for rresvport_af... yes checking for sendmsg... yes checking for setdtablesize... yes checking for setegid... yes checking for setenv... yes checking for seteuid... yes checking for setgroupent... no checking for setgroups... yes checking for setlogin... no checking for setpassent... yes checking for setpcred... no checking for setproctitle... no checking for setregid... yes checking for setreuid... yes checking for setrlimit... yes checking for setsid... yes checking for setvbuf... yes checking for sigaction... yes checking for sigvec... no checking for snprintf... yes checking for socketpair... yes checking for statfs... yes checking for statvfs... yes checking for strdup... yes checking for strerror... yes checking for strlcat... yes checking for strlcpy... yes checking for strmode... no checking for strnvis... no checking for strtonum... no checking for strtoll... yes checking for strtoul... yes checking for swap32... no checking for sysconf... yes checking for tcgetpgrp... yes checking for truncate... yes checking for unsetenv... yes checking for updwtmpx... yes checking for user_from_uid... no checking for vasprintf... 
yes checking for vhangup... yes checking for vsnprintf... yes checking for waitpid... yes checking for library containing dlopen... none required checking for gai_strerror... yes checking for library containing nanosleep... none required checking whether getrusage is declared... no checking whether strsep is declared... yes checking for strsep... yes checking whether tcsendbreak is declared... yes checking whether h_errno is declared... yes checking whether SHUT_RD is declared... yes checking whether O_NONBLOCK is declared... yes checking whether writev is declared... yes checking whether MAXSYMLINKS is declared... no checking whether offsetof is declared... yes checking for setresuid... no checking for setresgid... no checking for gettimeofday... yes checking for time... yes checking for endutent... yes checking for getutent... yes checking for getutid... yes checking for getutline... yes checking for pututline... yes checking for setutent... yes checking for utmpname... yes checking for endutxent... yes checking for getutxent... yes checking for getutxid... yes checking for getutxline... yes checking for getutxuser... no checking for pututxline... yes checking for setutxdb... no checking for setutxent... yes checking for utmpxname... yes checking for getlastlogxbyname... no checking for daemon... yes checking for getpagesize... yes checking whether snprintf correctly terminates long strings... yes checking whether snprintf can declare const char *fmt... yes checking for (overly) strict mkstemp... yes checking whether getpgrp requires zero arguments... yes checking openssl/opensslv.h usability... no checking openssl/opensslv.h presence... no checking for openssl/opensslv.h... no
configure: error: *** OpenSSL headers missing - please install first or check config.log ***
-----------------------------------------------------------------------------------------------------------------

How can I get openssh not to look for the headers? I already built OpenSSL. I found the opensslv.h in the crypto directory under openssl-0.9.8o, but pointing the '--with-ssl-dir' to that fails as well. I've added the location of the FIPS-enabled OpenSSL executables to my PATH, but it's still not working...

From Ervin_Yan at symantec.com Mon Jul 26 18:55:13 2010
From: Ervin_Yan at symantec.com (Ervin Yan)
Date: Mon, 26 Jul 2010 01:55:13 -0700
Subject: Any workarounds for SSH hang issue?
Message-ID:

Hi,

Recently, I have had problems with my program hanging very easily when it calls ssh commands in a forked process on unix platforms. And I understand that it may be a tricky issue for ssh, according to the following FAQs:

http://www.snailbook.com/faq/background-jobs.auto.html
http://www.openssh.org/faq.html#3.10

My question is: do we have any workarounds so that ssh does not hang there? We do not care about the data-loss cases.

I would really appreciate it if you could give me some ideas to solve this issue.

Thanks,
Ervin.

From jeremy at nickurak.ca Tue Jul 27 15:48:16 2010
From: jeremy at nickurak.ca (Jeremy Nickurak)
Date: Mon, 26 Jul 2010 23:48:16 -0600
Subject: Any workarounds for SSH hang issue?
In-Reply-To:
References:
Message-ID:

If all you want to do is ensure that the ssh connection terminates when the command you specify exits, here's what I'm doing, specifically to have a system inside a VM display its login session on the host's X server:

ssh -X host "/etc/X11/Xsession; kill \$PPID"

In this case, the $PPID (with backslash) gets replaced with the pid of the parent process running the commands, specifically, the user's sshd process. Kill that, and the whole thing shuts down.

In this case, it's intended to behave the same way an Xinitrc script works. When the last command in an Xinitrc script executes, the X server shuts down, and any processes left lose their connection.

On Mon, Jul 26, 2010 at 02:55, Ervin Yan wrote:
> Hi,
>
> Recently, I have had problems with my program hanging very easily when
> it calls ssh commands in a forked process on unix platforms.
>
> And I understand that it may be a tricky issue for ssh, according to the
> following FAQs:
>
> http://www.snailbook.com/faq/background-jobs.auto.html
>
> http://www.openssh.org/faq.html#3.10
>
> My question is: do we have any workarounds so that ssh does not hang
> there? We do not care about the data-loss cases.
>
> I would really appreciate it if you could give me some ideas to solve this
> issue.
>
> Thanks,
>
> Ervin.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Jeremy Nickurak -= Email/XMPP: -= jeremy at nickurak.ca =-

From Shyamal_Pandya1 at symantec.com Tue Jul 27 16:25:42 2010
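The FAQ entries Ervin cites describe the mechanism behind the hang: ssh does not return until the remote session's stdout and stderr reach EOF, and a job left running in the background on the remote host inherits those descriptors and keeps them open. The shell script below is an added example (not from the thread) that reproduces the effect locally with a pipe, where a reader likewise sees no EOF until every writer has closed, and shows the usual fix of redirecting the job's descriptors before putting it in the background. `sh -c 'cmd &' | cat` stands in for `ssh host 'cmd &'`, and the two-second sleep is a constructed stand-in for the real job. Jeremy's `kill \$PPID` takes the other route, tearing the session down from the server side once the foreground command has finished; the redirection approach leaves the remote job running and lets ssh return as soon as it has been started.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "ssh hangs until the
# remote background job exits" problem without a network, and show the fix.
#
# ssh returns only when the remote session's stdout/stderr reach EOF. A
# reader on a pipe behaves the same way, so
#     sh -c 'cmd &' | cat
# stands in for
#     ssh host 'cmd &'
# The two-second sleep is a constructed stand-in for a real job.

# Run the remote-side command string "$1" behind a pipe reader and print the
# wall-clock seconds that passed before the reader saw EOF.
seconds_until_eof() {
    start=$(date +%s)
    sh -c "$1" | cat >/dev/null
    end=$(date +%s)
    echo $((end - start))
}

# Broken: the background sleep inherits the pipe as its stdout, so the
# reader (and, in real life, ssh) waits the full two seconds even though the
# shell that launched the sleep exited immediately.
hangs() {
    seconds_until_eof 'sleep 2 &'
}

# Fixed: give the job its own stdin/stdout/stderr before backgrounding it.
# Nothing holds the pipe once the launching shell exits, so EOF is immediate.
# Point stdout/stderr at a log file instead of /dev/null if the output matters.
detached() {
    seconds_until_eof 'sleep 2 >/dev/null 2>&1 </dev/null &'
}

# Helper for the real case: wrap a remote command so that
#     ssh host "$(remote_detach_cmd 'long-running-job')"
# returns as soon as the job has been started.
remote_detach_cmd() {
    printf '%s >/dev/null 2>&1 </dev/null &' "$1"
}

main() {
    echo "naive background job:    $(hangs) s until EOF"
    echo "detached background job: $(detached) s until EOF"
    echo "remote command to use:   $(remote_detach_cmd 'long-running-job')"
}

main
```

Run it with `sh hang-demo.sh`; the first line reports about two seconds, the second zero.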
From: Shyamal_Pandya1 at symantec.com (Shyamal Pandya1)
Date: Tue, 27 Jul 2010 11:55:42 +0530
Subject: Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows
In-Reply-To:
References: <20100723144200.25429.qmail@stuge.se> <20100723195642.GC18123@crawfish.ais.com>
Message-ID: <76D1B73C8A925F4E9334186339689B8A07CFC14B@PUNAXCHCLUPIN06.enterprise.veritas.com>

You need to make sure that the openssl fips libraries are there in the library path. On Linux it means setting the LD_LIBRARY_PATH environment variable to the directory where those libraries are.

Shyamal

-----Original Message-----
From: openssh-unix-dev-bounces+shyamal_pandya1=symantec.com at mindrot.org [mailto:openssh-unix-dev-bounces+shyamal_pandya1=symantec.com at mindrot.org] On Behalf Of Bryan
Sent: Monday, July 26, 2010 8:49 PM
To: openssh-unix-dev at mindrot.org
Subject: Re: Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows

On Fri, Jul 23, 2010 at 14:56, Jim Knoble wrote:
> On 2010-07-23 11:09, Bryan wrote:
>
> : On Fri, Jul 23, 2010 at 09:42, Peter Stuge wrote:
> : > Bryan wrote:
> : >> Putty is not an option for us since it uses its own OpenSSL libs
> : >> and we need it FIPS enabled.
> [...]
> : >
> : >> I've been able to build OpenSSL 0.9.8o and enable the
> : >> fipscanister.lib and create the openssl executables and libraries.
> : >> I've been able to find instructions on how to build OpenSSH at this
> : >> site:
> : >>
> : >> http://www.nomachine.com/ar/view.php?ar_id=AR05H00563
> : >>
> : >> and here:
> : >>
> : >> http://www.cs.bham.ac.uk/~smp/projects/ssh-windows/compile/
> : >>
> : >> But I can't tell if either method is the correct one for building
> : >> using cygwin.
>
> A simple Google for "openssh fips cygwin" produces the following:
>
> http://www.sslshopper.com/article-how-to-set-up-openssh-on-windows.html
>
> That doesn't sound like a "minimal Cygwin presence", but it may well
> work (once the binary is built) with a base Cygwin install....

I tried building OpenSSH and used the following to try and build:

bbrake at IAVA-DEV-0% ./configure --with-ssl-dir=/cygdrive/f/TRUNK/UPDATES/Linux/FIPS_SSL/openssl-0.9.8o
checking for useradd... useradd checking for pkgmk... no checking for special C compiler options needed for large files... no checking for _FILE_OFFSET_BITS value needed for large files... no checking for login... /usr/bin//login checking for passwd... /usr/bin//passwd checking for inline... inline checking whether LLONG_MAX is declared... yes checking if gcc accepts -fno-builtin-memset... yes checking if gcc supports -fstack-protector-all... 
checking openssl/opensslv.h usability... no
checking openssl/opensslv.h presence... no
checking for openssl/opensslv.h... no
configure: error: *** OpenSSL headers missing - please install first or check config.log ***
-----------------------------------------------------------------------------------------------------------------

How can I get openssh not to look for the headers? I already built OpenSSL.
I found the opensslv.h in the crypto directory under openssl-0.9.8o, but pointing the '--with-ssl-dir' to that fails as well. I've added the location of the FIPS-enabled OpenSSL executables to my PATH, but it's still not working...

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From wierbows at us.ibm.com Wed Jul 28 00:51:07 2010
From: wierbows at us.ibm.com (David Wierbowski)
Date: Tue, 27 Jul 2010 10:51:07 -0400
Subject: remote vs local window discrepancy
In-Reply-To:
References:
Message-ID:

Damien,

I tried the change below. This appears to take care of the issue with the remote_window being decremented by a value that is off by 4. Unfortunately, now the local_window is growing by a value of 4. It seems that local_window is being decremented by 4 bytes less than local_consumed.

Dave Wierbowski
From: Damien Miller
To: David Wierbowski/Endicott/IBM at IBMUS
Cc: openssh-unix-dev at mindrot.org
Date: 07/22/2010 07:34 PM
Subject: Re: remote vs local window discrepancy

On Thu, 22 Jul 2010, David Wierbowski wrote:

> After some investigation I determined that for every packet sent the client
> is decrementing Channel.remote_window by a value that is 4 bytes larger
> than the amount that the server decrements Channel.local_window and
> Channel.local_consumed. Prior to the stall the server does send
> SSH_MSG_CHANNEL_WINDOW_ADJUST messages. When it does the "byte to add"
> value is off by 4x the number of packets consumed by the server.
> Eventually over time this drives the client's remote window count to go to
> zero. As an aside the remote window count has to be exactly 0 for the
> stall to occur.
>
> Initially the following line of code in channel_output_poll that decrements
> the remote window count for datagram channels looked suspicious:
>
> c->remote_window -= dlen + 4;

The extra 4 bytes are there because datagram channels encode packets as SSH strings. These have a 4-byte length header.

> However, the code that updates Channel.local_window and
> Channel.local_consumed for a datagram channel also includes the +4 in the
> calculation. Does anybody know why the datagram calculation includes a +4?
> Anybody know what would cause the 4 byte discrepancy I am seeing?

I don't see anything obviously wrong in there. Perhaps the tunnel output filter is messing up dlen as it strips the header? Are you on a platform that uses the output filter in openbsd-compat/port-tun.c ?

If this turns out to be true, I guess we will have to change the signature of the output filter function to return the length of the data that was actually dequeued (right now it returns the size of the data to be written).
> A complicating factor is that in channel_output_poll the calculation to
> update the remote window in the datagram case does not take into account
> that dlen may be larger than the remote_window size. Does anybody know
> why? Perhaps there is a check elsewhere that makes this safe, but I am not
> seeing it. During problem determination I have observed the value of the
> remote window does occasionally wrap. When the remote window counter does
> wrap it goes undetected because Channel.remote_window is an unsigned value.

Yes, it looks like there are missing checks there:

Index: channels.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/channels.c,v retrieving revision 1.308 diff -u -p -r1.308 channels.c --- channels.c 13 Jul 2010 23:13:16 -0000 1.308 +++ channels.c 22 Jul 2010 23:20:02 -0000 @@ -2150,6 +2150,14 @@ channel_output_poll(void) data = buffer_get_string(&c->input, &dlen); + if (dlen > c-> remote_window || + dlen > c-> remote_maxpacket) { + debug("channel %d: datagram " + "too big for channel", + c->self); + xfree(data); + continue; + } packet_start (SSH2_MSG_CHANNEL_DATA); packet_put_int (c->remote_id); packet_put_string(data, dlen);

> Another item I find confusing is the test in channel_pre_open to decide if
> the channel's read file descriptor should be turned on in the read fileset.
> That test includes a check of a variable called limit which is set to
> Channel.remote_window when compat20 is true. Can somebody explain why this
> is remote_window instead of local_window? The check is "limit > 0" which
> is why the wrapping of remote_window goes undetected

It is set to remote_window because we need to determine whether to stop reading if their window is already full or if we already have enough data read but yet to be sent to fill their window.

-d

From brakeb at gmail.com Wed Jul 28 07:22:04 2010
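Review bot: (on the channel_output_poll hunk above) the new guard compares the bare dlen against remote_window and remote_maxpacket, but the decrement this function performs for datagram channels is `c->remote_window -= dlen + 4;` to cover the 4-byte string length header, so a datagram whose payload is within 4 bytes of remote_window passes the check and still wraps the unsigned counter, which is the wrap David describes. Suggest comparing `dlen + 4` (or a single win_len computed once) against both limits so the check and the charge use the same length. Style: `c-> remote_window` and `c-> remote_maxpacket` carry a stray space after the arrow.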
From: brakeb at gmail.com (Bryan)
Date: Tue, 27 Jul 2010 16:22:04 -0500
Subject: Compiling OpenSSH with OpenSSL-fips 0.9.8o on Windows
In-Reply-To: <76D1B73C8A925F4E9334186339689B8A07CFC14B@PUNAXCHCLUPIN06.enterprise.veritas.com>
References: <20100723144200.25429.qmail@stuge.se> <20100723195642.GC18123@crawfish.ais.com> <76D1B73C8A925F4E9334186339689B8A07CFC14B@PUNAXCHCLUPIN06.enterprise.veritas.com>
Message-ID:

On Tue, Jul 27, 2010 at 01:25, Shyamal Pandya1 wrote:
> You need to make sure that the openssl fips libraries are there in the library path. On Linux it means setting the LD_LIBRARY_PATH environment variable to the directory where those libraries are.
>
> Shyamal
>

Okay, let's make sure I clarify. When building with CYGWIN, I need to build openssh with the openssl libraries in the "library path"? I added the "/cygdrive/f/TRUNK/UPDATES/Linux/FIP_SSL/openssl-0.9.8o/out32dll" directory to $LIB, $LIBPATH, $LD_LIBRARY_PATH, and nothing works. That is where a copy of opensslv.h is located. I also found a copy in /cygdrive/f/TRUNK/UPDATES/Linux/FIP_SSL/openssl-0.9.8o/include. I have tried to add that to $PATH and to $LIB.

I wouldn't mind it so much, but it takes 15-20 minutes to build to the point where it fails. Nothing seems to work. I am sure it is possible to build OpenSSH with OpenSSL-fips, but I am at a loss because of the lack of good documentation that is available.

From djm at mindrot.org Wed Jul 28 09:41:42 2010
From: djm at mindrot.org (Damien Miller)
Date: Wed, 28 Jul 2010 09:41:42 +1000 (EST)
Subject: Any workarounds for SSH hang issue?
In-Reply-To:
References:
Message-ID:

On Mon, 26 Jul 2010, Ervin Yan wrote:

> Hi,
>
> Recently, I got some problems that my program is very easy to hang when
> calling ssh commands in a forked process on unix platforms.
>
> And I understand that it may be a tricky issue for ssh according to the
> following FAQs:
>
> http://www.snailbook.com/faq/background-jobs.auto.html
>
> http://www.openssh.org/faq.html#3.10
>
> My question is: do we have any workarounds so that ssh does not hang
> there? We do not care about the data loss cases.
>
> I would really appreciate it if you could give me some ideas to solve this
> issue.

1) Run a recent sshd - the unwanted hangs at exit are fixed.

2) Redirect stdio to /dev/null or to a file, then you won't hang regardless of which sshd you are running under.

-d

From djm at mindrot.org Wed Jul 28 11:16:56 2010
From: djm at mindrot.org (Damien Miller)
Date: Wed, 28 Jul 2010 11:16:56 +1000 (EST)
Subject: remote vs local window discrepancy
In-Reply-To:
References:
Message-ID:

On Tue, 27 Jul 2010, David Wierbowski wrote:

> Damien,
>
> I tried the change below. This appears to take care of the issue with the
> remote_window being decremented by a value that is off by 4.
> Unfortunately, now the local_window is growing by a value of 4. It seems
> that local_window is being decremented by 4 bytes less than local_consumed.

Ok, please remove the previous diff and try this one. It changes the way that local_consumed is calculated to be more simple and robust against fiddling with lengths inside channel_handle_wfd()

Index: channels.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/channels.c,v retrieving revision 1.308 diff -u -p -r1.308 channels.c --- channels.c 13 Jul 2010 23:13:16 -0000 1.308 +++ channels.c 28 Jul 2010 01:14:18 -0000
@@ -1632,13 +1632,14 @@ channel_handle_wfd(Channel *c, fd_set *r { struct termios tio; u_char *data = NULL, *buf; - u_int dlen; + u_int dlen, olen = 0; int len; /* Send buffered output data to the socket. */ if (c->wfd != -1 && FD_ISSET(c->wfd, writeset) && buffer_len(&c->output) > 0) { + olen = buffer_len(&c->output); if (c->output_filter != NULL) { if ((buf = c->output_filter(c, &data, &dlen)) == NULL) { debug2("channel %d: filter stops", c->self); @@ -1657,7 +1658,6 @@ channel_handle_wfd(Channel *c, fd_set *r if (c->datagram) { /* ignore truncated writes, datagrams might get lost */ - c->local_consumed += dlen + 4; len = write(c->wfd, buf, dlen); xfree(data); if (len < 0 && (errno == EINTR || errno == EAGAIN)) @@ -1669,7 +1669,7 @@ channel_handle_wfd(Channel *c, fd_set *r chan_write_failed(c); return -1; } - return 1; + goto out; } len = write(c->wfd, buf, dlen); @@ -1703,10 +1703,10 @@ channel_handle_wfd(Channel *c, fd_set *r } } buffer_consume(&c->output, len); - if (compat20 && len > 0) { - c->local_consumed += len; - } } + out: + if (compat20 && olen > 0) + c->local_consumed += olen - buffer_len(&c->output); return 1; } @@ -2150,6 +2150,14 @@ channel_output_poll(void) data = buffer_get_string(&c->input, &dlen); + if (dlen > c->remote_window || + dlen > c->remote_maxpacket) { + debug("channel %d: datagram " + "too big for channel", + c->self); + xfree(data); + continue; + } packet_start(SSH2_MSG_CHANNEL_DATA); packet_put_int(c->remote_id); packet_put_string(data, dlen); From wierbows at us.ibm.com Thu Jul 29 09:02:27 2010 
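Review bot: (on the `out:` hunk of channel_handle_wfd above) charging `olen - buffer_len(&c->output)` is correct only while nothing else drains c->output between the `olen` snapshot and the label, which holds for the paths shown, but a comment at `out:` should say that the difference deliberately includes the 4-byte string header that buffer_get_string strips for datagram channels; otherwise the next reader has to re-derive why the removed `c->local_consumed += dlen + 4;` is no longer needed. Also worth stating explicitly that the `chan_write_failed(c); return -1;` path in the preceding hunk now returns without reaching the accounting, which is fine for a channel being torn down but is a change from the old unconditional `local_consumed += dlen + 4`.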
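Review bot: (on the channel_output_poll hunk above, carried over unchanged from the previous patch) the size check still compares the bare `dlen` while the decrement below it charges `dlen + 4` for the string header, so a payload within 4 bytes of remote_window still passes and wraps the unsigned counter; compare `dlen + 4` against both remote_window and remote_maxpacket so the guard and the charge agree.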
From: wierbows at us.ibm.com (David Wierbowski)
Date: Wed, 28 Jul 2010 19:02:27 -0400
Subject: remote vs local window discrepancy
In-Reply-To:
References:
Message-ID:

Damien,

Your latest suggested fix worked exactly the same as your previous fix (at least in my environment).

I believe both fixes calculate local_consumed such that it agrees with the amount the remote side decrements remote_window. I believe both fixes decrement local_window by a value that is 4 bytes less per packet than the amount that local_consumed is incremented.

I believe I should see a pattern of local_consumed being incremented as follows: 1508, 1508, 1508, 596 and local_window being decremented as follows: 1508, 1508, 1508, 596.

What I am seeing is a pattern of local_consumed being incremented as follows: 1508, 1508, 1508, 596 and local_window being decremented as follows: 1504, 1504, 1504, 592.

Just as a quick test I've made the following change in addition to your fix and the counts seem to work as I would expect them (although I admit that I did not check to see if remote_window was still as I expected). In channel_input_data I added an extra 4 bytes to the amount that local_window is decremented:

    if (compat20) {
        if (data_len > c->local_maxpacket) {
            logit("channel %d: rcvd big packet %d, maxpack %d",
                c->self, data_len, c->local_maxpacket);
        }
        if (data_len > c->local_window) {
            logit("channel %d: rcvd too much data %d, win %d",
                c->self, data_len, c->local_window);
            return;
        }
-       c->local_window -= data_len;
+       c->local_window -= data_len+4;
    }
    if (c->datagram)
        buffer_put_string(&c->output, data, data_len);
    else
        buffer_append(&c->output, data, data_len);
    packet_check_eom();
}

It's not jumping out at me as to why the local_window counter seems to be off by 4 bytes. Hopefully it will make more sense to you :>).

In a case like this, how do we maintain compatibility when one side of the SSH channel has a fix to this issue and the other side does not have the fix?

Thanks

Dave Wierbowski
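A small model of the datagram-channel window accounting discussed in this thread, written as an added example (not OpenSSH code; the ModelChannel struct and the model_* functions are assumptions of the example, with only the field names borrowed from the thread). It replays the 1504/1508 sequence above through a sender, a receiver with and without the +4 fix, and one WINDOW_ADJUST, and shows how the two ends drift apart when the string header is charged on one side only.

```c
#include <stdint.h>
#include <stddef.h>

/* Stand-in for the OpenSSH Channel fields the window bookkeeping touches
 * (an assumption for this example, not the real struct). */
typedef struct {
    int datagram;              /* 1 for tun/datagram channels */
    uint32_t remote_window;    /* bytes the peer will still accept */
    uint32_t remote_maxpacket; /* largest packet the peer accepts */
    uint32_t local_window;     /* bytes we will still accept */
    uint32_t local_consumed;   /* drained but not yet re-advertised */
} ModelChannel;

/* Bytes charged against a window for a payload of dlen bytes. Datagram
 * channels carry each packet through the buffers as an SSH string, so
 * they pay for the 4-byte length header; stream channels do not. */
static uint32_t window_len(const ModelChannel *c, uint32_t dlen)
{
    return c->datagram ? dlen + 4 : dlen;
}

/* Sender side (models channel_output_poll). Returns 1 if the packet is
 * sent and remote_window charged, 0 if dropped. Checking the charged
 * length rather than the bare payload keeps remote_window from wrapping. */
static int model_send(ModelChannel *c, uint32_t dlen)
{
    uint32_t wlen = window_len(c, dlen);

    if (wlen > c->remote_window || wlen > c->remote_maxpacket)
        return 0;
    c->remote_window -= wlen;
    return 1;
}

/* Receiver side (models channel_input_data). With fixed set it charges
 * win_len (data_len plus the datagram header) as the thread's patch does;
 * without it, the pre-fix path charges bare data_len and under-counts
 * each datagram by 4 bytes. Returns the amount taken off local_window,
 * or 0 if the packet was refused. */
static uint32_t model_receive(ModelChannel *c, uint32_t data_len, int fixed)
{
    uint32_t wlen = fixed ? window_len(c, data_len) : data_len;

    if (wlen > c->local_window)
        return 0;
    c->local_window -= wlen;
    return wlen;
}

/* Output drain (models channel_handle_wfd after the fix): whatever left
 * the output buffer, header included, is what the peer was charged. */
static void model_drain(ModelChannel *c, uint32_t data_len)
{
    c->local_consumed += window_len(c, data_len);
}

/* Models SSH_MSG_CHANNEL_WINDOW_ADJUST: hand the consumed bytes back. */
static uint32_t model_window_adjust(ModelChannel *c)
{
    uint32_t add = c->local_consumed;

    c->local_consumed = 0;
    c->local_window += add;
    return add;
}

/* One datagram send against a given window: remaining window, or -1. */
static int64_t model_try_send(uint32_t remote_window, uint32_t dlen)
{
    ModelChannel c = {1, remote_window, 32768, 0, 0};

    return model_send(&c, dlen) ? (int64_t)c.remote_window : -1;
}

/* Charge for one packet arriving on a fresh channel. */
static uint32_t model_receive_charge(int datagram, int fixed, uint32_t data_len)
{
    ModelChannel c = {datagram, 65536, 32768, 65536, 0};

    return model_receive(&c, data_len, fixed);
}

/* Push the thread's sequence (1504,1504,1504,592 data bytes, which is
 * 1508,1508,1508,596 on a datagram channel) through both ends, let the
 * receiver re-advertise, and return sender view minus receiver view:
 * 0 means agreement, negative means local_window has grown past what
 * the sender believes, the symptom reported above. */
static int64_t model_mismatch(int datagram, int fixed)
{
    static const uint32_t payloads[] = {1504, 1504, 1504, 592};
    ModelChannel snd = {datagram, 65536, 32768, 65536, 0};
    ModelChannel rcv = snd;
    size_t i;

    for (i = 0; i < sizeof(payloads) / sizeof(payloads[0]); i++) {
        if (!model_send(&snd, payloads[i]))
            break;
        model_receive(&rcv, payloads[i], fixed);
        model_drain(&rcv, payloads[i]);
    }
    snd.remote_window += model_window_adjust(&rcv);
    return (int64_t)snd.remote_window - (int64_t)rcv.local_window;
}
```

With the fix both ends agree (mismatch 0); without it local_window drifts 4 bytes per datagram, 16 over the four packets, while stream channels are unaffected either way.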
From djm at mindrot.org Thu Jul 29 11:42:37 2010
From: djm at mindrot.org (Damien Miller)
Date: Thu, 29 Jul 2010 11:42:37 +1000 (EST)
Subject: remote vs local window discrepancy
In-Reply-To:
References:
Message-ID:

On Wed, 28 Jul 2010, David Wierbowski wrote:

> Damien,
>
> Your latest suggested fix worked exactly the same as your previous fix (at
> least in my environment).
>
> I believe both fixes calculate local_consumed such that it agrees with the
> amount the remote side decrements remote_window. I believe both fixes
> decrement local_window by a value that is 4 bytes less per packet than the
> amount that local_consumed is incremented.
>
> I believe I should see a pattern of local_consumed being incremented as
> follows: 1508, 1508, 1508, 596 and local_window being decremented as
> follows: 1508, 1508, 1508, 596.
>
> What I am seeing is a pattern of local_consumed being incremented as
> follows: 1508, 1508, 1508, 596 and local_window being decremented as
> follows: 1504, 1504, 1504, 592.
>
> Just as a quick test I've made the following change in addition to your fix
> and the counts seem to work as I would expect them (although I admit that I
> did not check to see if remote_window was still as I expected). In
> channel_input_data I added an extra 4 bytes to the amount that local_window
> is decremented :

I think your change breaks window calculation for non-datagram channels, please try this (on top of the other patch):

Index: channels.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/channels.c,v retrieving revision 1.308 diff -u -p -r1.308 channels.c --- channels.c 13 Jul 2010 23:13:16 -0000 1.308 +++ channels.c 29 Jul 2010 01:42:02 -0000 @@ -2235,7 +2243,7 @@ channel_input_data(int type, u_int32_t s { int id; char *data; - u_int data_len; + u_int data_len, win_len; Channel *c; /* Get the channel number and verify it. */
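Review bot: (on the `@@ -2235,7 +2243,7 @@` hunk above) `win_len` is declared next to `data_len` with nothing to say how the two differ; since data_len is what goes into the output buffer and win_len is what is charged against the window, a comment on the declaration along the lines of `/* data_len plus the datagram string header */` would keep the two lengths from being mixed up in later edits, which is how the original off-by-4 crept in.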
@@ -2251,6 +2259,9 @@ channel_input_data(int type, u_int32_t s /* Get the data. */ data = packet_get_string_ptr(&data_len); + win_len = data_len; + if (c->datagram) + win_len += 4; /* string length header */ /* * Ignore data for protocol > 1.3 if output end is no longer open. @@ -2261,23 +2272,23 @@ channel_input_data(int type, u_int32_t s */ if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN) { if (compat20) { - c->local_window -= data_len; - c->local_consumed += data_len; + c->local_window -= win_len; + c->local_consumed += win_len; } return; } if (compat20) { - if (data_len > c->local_maxpacket) { + if (win_len > c->local_maxpacket) { logit("channel %d: rcvd big packet %d, maxpack %d", - c->self, data_len, c->local_maxpacket); + c->self, win_len, c->local_maxpacket); } - if (data_len > c->local_window) { + if (win_len > c->local_window) { logit("channel %d: rcvd too much data %d, win %d", - c->self, data_len, c->local_window); + c->self, win_len, c->local_window); return; } - c->local_window -= data_len; + c->local_window -= win_len; } if (c->datagram) buffer_put_string(&c->output, data, data_len);

From brakeb at gmail.com Fri Jul 30 02:54:20 2010
From: brakeb at gmail.com (Bryan)
Date: Thu, 29 Jul 2010 11:54:20 -0500
Subject: building openssh with openssl-fips: cygwin can't find libcrypto
Message-ID:

I am almost done here... I was able to symlink the headers to get past the opensslv header files, but the build process fails because openssl didn't build libcrypto. The problem is that when building openssl with fips, it does not appear to build libcrypto, and changing anything in the ./Configure makes it non-FIPS compliant. Is there something I can do here to get a FIPS compliant openssl with libcrypto?

From apb at cequrux.com Sat Jul 31 02:01:50 2010
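Review bot: (on the two channel_input_data hunks of the patch above, not on the libcrypto message) two points. First, in the `c->ostate != CHAN_OUTPUT_OPEN` branch `c->local_window -= win_len;` is applied without the `win_len > c->local_window` guard that the open-output branch has, so a peer that sends more than the advertised window after our output end has closed still wraps the unsigned local_window; suggest hoisting the window check above that branch so both paths are guarded. Second, moving the `local_maxpacket` comparison from data_len to win_len means a datagram whose payload is exactly local_maxpacket bytes now logs "rcvd big packet" where it did not before; if maxpacket is meant to bound the payload rather than the buffered string, keep that comparison on data_len and use win_len only for the window arithmetic, and say which in a comment either way.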
From: apb at cequrux.com (Alan Barrett)
Date: Fri, 30 Jul 2010 18:01:50 +0200
Subject: Capture Keystrokes
In-Reply-To: <4C3C84D5.5090605@gmail.com>
References: <4C3C84D5.5090605@gmail.com>
Message-ID: <20100730160150.GE10721@apb-laptoy.apb.alt.za>

On Tue, 13 Jul 2010, Alan Neville wrote:
> As it stands, I have one last element to implement and this is to
> capture keystrokes from an established SSH session.

You control the ssh server, right? Then configure it to run the user's shell inside a keystroke recorder. I suggest using NetBSD's version of the "script" program, because it has options that let you record both directions, and associate a timestamp with each chunk of captured data. You should be able to compile NetBSD's version of script under some other BSD, or maybe even Linux, without much trouble; you can get the files from cvsweb here: .

--apb (Alan Barrett)

From ray at cyth.net Sat Jul 31 17:25:17 2010
From: ray at cyth.net (Ray Lai)
Date: Sat, 31 Jul 2010 00:25:17 -0700 (PDT)
Subject: sftp interrupt hang
Message-ID:

When downloading a file and the connection hangs due to crappy wifi, sftp just says "0.0 KB/s - stalled -". I hit ^C to kill it, but it just prints "Interrupt" and doesn't do anything, no matter how many times I hit ^C or how long I wait. Is this expected behavior? Or am I expected to kill the ssh connection itself with "~."?

From djm at mindrot.org Sat Jul 31 19:20:45 2010
From: djm at mindrot.org (Damien Miller)
Date: Sat, 31 Jul 2010 19:20:45 +1000 (EST)
Subject: sftp interrupt hang
In-Reply-To:
References:
Message-ID:

On Sat, 31 Jul 2010, Ray Lai wrote:

> When downloading a file and the connection hangs due to crappy wifi,
> sftp just says "0.0 KB/s - stalled -". I hit ^C to kill it, but it
> just prints "Interrupt" and doesn't do anything, no matter how many
> times I hit ^C or how long I wait. Is this expected behavior? Or
> am I expected to kill the ssh connection itself with "~."?

When you interrupt a sftp transfer, it will wait for the server to drain all its outstanding requests so it remains in a clean state to issue another request. If you really need to Kill It Right Now, use SIGQUIT (ctrl-\ usually).

-d

From dtucker at zip.com.au Sat Jul 31 21:23:00 2010
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 31 Jul 2010 21:23:00 +1000
Subject: sftp interrupt hang
In-Reply-To:
References:
Message-ID: <4C540794.7090701@zip.com.au>

On 31/07/10 5:25 PM, Ray Lai wrote:
> When downloading a file and the connection hangs due to crappy wifi,
> sftp just says "0.0 KB/s - stalled -". I hit ^C to kill it, but it
> just prints "Interrupt" and doesn't do anything, no matter how many
> times I hit ^C or how long I wait. Is this expected behavior? Or
> am I expected to kill the ssh connection itself with "~."?

What version of OpenSSH is this and on what platform? It sounds a lot like https://bugzilla.mindrot.org/show_bug.cgi?id=1590 which was fixed in the 5.4 release.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.