From djm at mindrot.org Mon Mar 1 04:33:05 2010 From: djm at mindrot.org (Damien Miller) Date: Mon, 1 Mar 2010 04:33:05 +1100 (EST) Subject: case sensitivity, "Match User" and "AllowUsers" In-Reply-To: <20100228125926.GA30136@calimero.vinschen.de> References: <20100202113902.GA19205@calimero.vinschen.de> <12FF1C857C510C43BA8B1B028B69AD52C8183A@HICGWSEX01.ad.harman.com> <20100218155921.GS5683@calimero.vinschen.de> <20100228125926.GA30136@calimero.vinschen.de> Message-ID: On Sun, 28 Feb 2010, Corinna Vinschen wrote: > Yes, that's better. There are just a few glitches. The test for > pw == NULL should come first and the #if should be an #ifdef. And > I think it wouldn't hurt to have a comment which explains why this is > done. What about this? I prefer this - the test needs to be before the (pw == NULL) test so the usual processing for invalid users fires - I don't want to change the flow of the authentication code more than strictly necessary. Index: auth.c =================================================================== RCS file: /var/cvs/openssh/auth.c,v retrieving revision 1.136 diff -u -r1.136 auth.c --- auth.c 11 Feb 2010 22:25:29 -0000 1.136 +++ auth.c 28 Feb 2010 17:30:15 -0000 @@ -535,6 +535,19 @@ get_canonical_hostname(options.use_dns), get_remote_ipaddr()); pw = getpwnam(user); +#ifdef HAVE_CYGWIN + /* + * Windows usernames are case-insensitive. To avoid later problems + * when trying to match the username, the user is only allowed to + * login if the username is given in the same case as stored in the + * user database. + */ + if (pw != NULL && strcmp(user, pw->pw_name) != 0) { + logit("Login name %.100s does not match stored username %.100s", + user, pw->pw_name); + pw = NULL; + } +#endif if (pw == NULL) { logit("Invalid user %.100s from %.100s", user, get_remote_ipaddr()); From vinschen at redhat.com Mon Mar 1 04:40:53 2010 
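Review bot: the new logit() inside the HAVE_CYGWIN block omits the remote address, while the "Invalid user %.100s from %.100s" line right below it includes get_remote_ipaddr(); a case mismatch now emits both lines, and the first one cannot be tied to a connection on its own (or matched by the usual log-watching tools that key on "from <addr>"). Suggest `logit("Login name %.100s does not match stored username %.100s from %.100s", user, pw->pw_name, get_remote_ipaddr());`. Forcing pw = NULL so that the existing invalid-user path handles the rejection is the right shape, as the message above says it keeps the authentication flow unchanged; the Cygwin-only behaviour change (exact-case login names required) should also get a line in the ChangeLog or README.platform, since users who currently log in with a differently-cased name will start being refused.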
From: vinschen at redhat.com (Corinna Vinschen) Date: Sun, 28 Feb 2010 18:40:53 +0100 Subject: case sensitivity, "Match User" and "AllowUsers" In-Reply-To: References: <20100202113902.GA19205@calimero.vinschen.de> <12FF1C857C510C43BA8B1B028B69AD52C8183A@HICGWSEX01.ad.harman.com> <20100218155921.GS5683@calimero.vinschen.de> <20100228125926.GA30136@calimero.vinschen.de> Message-ID: <20100228174053.GL5683@calimero.vinschen.de> On Mar 1 04:33, Damien Miller wrote: > On Sun, 28 Feb 2010, Corinna Vinschen wrote: > > > Yes, that's better. There are just a few glitches. The test for > > pw == NULL should come first and the #if should be an #ifdef. And > > I think it wouldn't hurt to have a comment which explains why this is > > done. What about this? > > I prefer this - the test needs to be before the (pw == NULL) test > so the usual processing for invalid users fires - I don't want > to change the flow of the authentication code more than strictly > necessary. > > Index: auth.c > =================================================================== > RCS file: /var/cvs/openssh/auth.c,v > retrieving revision 1.136 > diff -u -r1.136 auth.c > --- auth.c 11 Feb 2010 22:25:29 -0000 1.136 > +++ auth.c 28 Feb 2010 17:30:15 -0000 
> @@ -535,6 +535,19 @@ > get_canonical_hostname(options.use_dns), get_remote_ipaddr()); > > pw = getpwnam(user); > +#ifdef HAVE_CYGWIN > + /* > + * Windows usernames are case-insensitive. To avoid later problems > + * when trying to match the username, the user is only allowed to > + * login if the username is given in the same case as stored in the > + * user database. > + */ > + if (pw != NULL && strcmp(user, pw->pw_name) != 0) { > + logit("Login name %.100s does not match stored username %.100s", > + user, pw->pw_name); > + pw = NULL; > + } > +#endif > if (pw == NULL) { > logit("Invalid user %.100s from %.100s", > user, get_remote_ipaddr()); That's fine, thank you! Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From adrya1984 at gmail.com Mon Mar 1 19:49:50 2010 From: adrya1984 at gmail.com (Adriana Rodean) Date: Mon, 1 Mar 2010 10:49:50 +0200 Subject: Firewall conditions for OpenSSH client Message-ID: <496c8fcc1003010049s5e78e0c2h34ef5e422997ae7e@mail.gmail.com> Hi, What are the windows firewall conditions for an OpenSSH client in order to be able communicate with server? Any ports need to be opened on client? or something else? Here is the command i use: ssh -L 30300:localhost:8080 -R 1037:localhost:55555? -F ssh_config Thanks, Adriana From frphoebus at yahoo.fr Mon Mar 1 23:51:07 2010 
From: frphoebus at yahoo.fr (phoebus phoebus)
Date: Mon, 1 Mar 2010 12:51:07 +0000 (GMT)
Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3
In-Reply-To: <463149.91460.qm@web23806.mail.ird.yahoo.com>
References: <4885.49349.qm@web23805.mail.ird.yahoo.com> <4B7DE1FA.7000900@zip.com.au> <826870.58162.qm@web23805.mail.ird.yahoo.com> <4B7E532B.6080105@zip.com.au> <4B7E54FE.8040804@zip.com.au> <120475.44703.qm@web23806.mail.ird.yahoo.com> <4B7E787F.3030508@zip.com.au> <465680.58111.qm@web23803.mail.ird.yahoo.com> <645093.80297.qm@web23802.mail.ird.yahoo.com> <463149.91460.qm@web23806.mail.ird.yahoo.com>
Message-ID: <593708.65287.qm@web23804.mail.ird.yahoo.com>

Hi Darren,

I built MIT Kerberos on AIX with success. I then tried to link OpenSSH with Kerberos.
The source path for kbr5 is: /home/frphoebus/openssh/kbr5/krb5-1.7.1-cc/src (case 2)
The installation path for kbr5 is: /usr/local/kerberos (case 1)

I don't understand why, in one case, with the same parameters, identical except for the with-kerberos5 option, the binaries (ssh-keygen, sshd) don't find the library libcrypto.a in /opt/freeware/lib when with-kerberos5=/usr/local/kerberos (case 1: KO), but find it when with-kerberos5=/home/frphoebus/openssh/kbr5/krb5-1.7.1-cc/src (case 2).

        ca06:/home/frphoebus/openssh/openssh-5.3p1# which libcrypto.a
        /opt/freeware/

Thanks for your advice. I spent the weekend updating blibpath in several ways, but it is not working with the Kerberos installation directory (/usr/local/kerberos). I only succeed with the src path where I built Kerberos.

Regards,
Frphoebus

Case 1: KO

I launch configure with these options:

        ca06:/home/frphoebus/openssh/openssh-5.3p1# cat launchosshkbr.ksh
        #!/bin/ksh
        set -x
        export PATH=/usr/vac/bin:/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin:/usr/java14/jre/bin:/usr/java14/bin:/usr/local/bin:/opt/freeware/lib
        export CC=cc
        export CFLAGS="-I/usr/local/include"
        #export LDFLAGS="-L/opt/freeware/lib -L/usr/local/lib"
        export CPP="cc -E"
        blibpath=/opt/freeware/lib:/lib:/usr/lib ./configure --prefix=/usr/local --sysconfdir=/usr/local/etc/ssh \
                        --with-cflags="-O -D__STR31__ -qmaxmem=-1" --with-cflags="-DBROKEN_GETADDRINFO" \
                        --with-tcp-wrappers=/usr/local/lib \
                        --with-zlib=/opt/freeware \
                        --with-ssl-dir=/opt/freeware \
                        --with-xauth=/usr/bin/X11/xauth \
                        --with-kerberos5=/usr/local/kerberos \
                        --with-md5-passwords \
                        --with-pam \
                        --with-pid-dir=/var/run
        ca06:/home/frphoebus/openssh/openssh-5.3p1#

The output of configure is:

        OpenSSH has been configured with the following options:
                             User binaries: /usr/local/bin
                           System binaries: /usr/local/sbin
                       Configuration files: /usr/local/etc/ssh
                           Askpass program: /usr/local/libexec/ssh-askpass
                              Manual pages: /usr/local/share/man/manX
                                  PID file: /var/run
          Privilege separation chroot path: /var/empty
                    sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
                            Manpage format: man
                               PAM support: yes
                           OSF SIA support: no
                         KerberosV support: yes
                           SELinux support: no
                         Smartcard support: no
                             S/KEY support: no
                      TCP Wrappers support: yes
                      MD5 password support: yes
                           libedit support: no
          Solaris process contract support: no
               IP address in $DISPLAY hack: no
                   Translate v4 in v6 hack: no
                          BSD Auth support: no
                      Random number source: OpenSSL internal ONLY

                      Host: powerpc-ibm-aix5.3.0.0
                  Compiler: cc -qlanglvl=extc89
            Compiler flags: -I/usr/local/include -DBROKEN_GETADDRINFO
        Preprocessor flags: -I/opt/freeware/include -I/usr/local/lib -I/opt/freeware/include  -I/usr/local/kerberos/include
              Linker flags: -L/opt/freeware/lib -L/usr/local/lib -L/opt/freeware/lib  -blibpath:/opt/freeware/lib:/lib:/usr/lib:/usr/local/kerberos/lib
                 Libraries: -lcrypto -lz  -L/usr/local/kerberos/lib -blibpath:/usr/local/kerberos/lib::/usr/lib:/lib -I/usr/local/include -DBROKEN_GETADDRINFO -L/home/frphoebus/openssh/kbr5/krb5-1.7.1-cc/src/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lpthreads
                 +for sshd:  -lwrap -lpam -ldl

        PAM is enabled. You may need to install a PAM control file
        for sshd, otherwise password authentication may fail.
        Example PAM control files can be found in the contrib/
        subdirectory

I run make (successful) and make install (failed) with the following output:

                ./install-sh -c -m 644 sftp.1.out /usr/local/share/man/man1/sftp.1
                ./install-sh -c -m 644 sftp-server.8.out /usr/local/share/man/man8/sftp-server.8
                ./install-sh -c -m 644 ssh-keysign.8.out /usr/local/share/man/man8/ssh-keysign.8
                rm -f /usr/local/bin/slogin
                ln -s ./ssh /usr/local/bin/slogin
                rm -f /usr/local/share/man/man1/slogin.1
                ln -s ./ssh.1 /usr/local/share/man/man1/slogin.1
                if [ ! -d /usr/local/etc/ssh ]; then  ./mkinstalldirs /usr/local/etc/ssh;  fi
        mkdir /usr/local/etc/ssh
        exec(): 0509-036 Cannot load program ./ssh-keygen because of the following errors:
                0509-150   Dependent module libcrypto.a(libcrypto.so.0.9.7) could not be loaded.
                0509-022 Cannot load module libcrypto.a(libcrypto.so.0.9.7).
                0509-026 System error: A file or directory in the path name does not exist.
        make: 1254-004 The error code from the last command is 255.
        Stop.

The dump indicates the binary PATH is: /usr/local/kerberos/lib::/usr/lib:/lib. It doesn't take care of the blibpath.

        ca06:/usr/local# dump -H bin/ssh-keygen

        bin/ssh-keygen:

                                ***Loader Section***
                              Loader Header Information
        VERSION#         #SYMtableENT     #RELOCent        LENidSTR
        0x00000001       0x000000cf       0x000001fb       0x00000071

        #IMPfilID        OFFidSTR         LENstrTBL        OFFstrTBL
        0x00000004       0x00002b4c       0x00000617       0x00002bbd


                                ***Import File Strings***
        INDEX  PATH                          BASE                MEMBER
        0      /usr/local/kerberos/lib::/usr/lib:/lib
        1                                    libc.a              shr.o
        2                                    libpthreads.a       shr_xpg5.o
        3                                    libcrypto.a         libcrypto.so.0.9.7

        ca06:/usr/local# ldd bin/ssh-keygen
        bin/ssh-keygen needs:
                 /usr/lib/libc.a(shr.o)
                 /usr/lib/libpthreads.a(shr_xpg5.o)
        Cannot find      /unix
                 /usr/lib/libcrypt.a(shr.o)
                 /usr/lib/libpthreads.a(shr_comm.o)
        ca06:/usr/local#

Case 2: OK

        ca06:/home/frphoebus/openssh/openssh-5.3p1# cat launchosshkbr.ksh
        #!/bin/ksh
        set -x
        export PATH=/usr/vac/bin:/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin:/usr/java14/jre/bin:/usr/java14/bin:/usr/local/bin:/opt/freeware/lib
        export CC=cc
        export CFLAGS="-I/usr/local/include"
        #export LDFLAGS="-L/opt/freeware/lib -L/usr/local/lib"
        export CPP="cc -E"
        blibpath=/opt/freeware/lib:/lib:/usr/lib ./configure --prefix=/usr/local --sysconfdir=/usr/local/etc/ssh \
                        --with-cflags="-O -D__STR31__ -qmaxmem=-1" --with-cflags="-DBROKEN_GETADDRINFO" \
                        --with-tcp-wrappers=/usr/local/lib \
                        --with-zlib=/opt/freeware \
                        --with-ssl-dir=/opt/freeware \
                        --with-xauth=/usr/bin/X11/xauth \
                        --with-kerberos5=/home/frphoebus/openssh/kbr5/krb5-1.7.1-cc/src \
                        --with-md5-passwords \
                        --with-pam \
                        --with-pid-dir=/var/run
        ca06:/home/frphoebus/openssh/openssh-5.3p1#

The output of configure is:

        OpenSSH has been configured with the following options:
                             User binaries: /usr/local/bin
                           System binaries: /usr/local/sbin
                       Configuration files: /usr/local/etc/ssh
                           Askpass program: /usr/local/libexec/ssh-askpass
                              Manual pages: /usr/local/share/man/manX
                                  PID file: /var/run
          Privilege separation chroot path: /var/empty
                    sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
                            Manpage format: man
                               PAM support: yes
                           OSF SIA support: no
                         KerberosV support: yes
                           SELinux support: no
                         Smartcard support: no
                             S/KEY support: no
                      TCP Wrappers support: yes
                      MD5 password support: yes
                           libedit support: no
          Solaris process contract support: no
               IP address in $DISPLAY hack: no
                   Translate v4 in v6 hack: no
                          BSD Auth support: no
                      Random number source: OpenSSL internal ONLY

                      Host: powerpc-ibm-aix5.3.0.0
                  Compiler: cc -qlanglvl=extc89
            Compiler flags: -I/usr/local/include -DBROKEN_GETADDRINFO
        Preprocessor flags: -I/opt/freeware/include -I/usr/local/lib -I/opt/freeware/include  -I/home/frphoebus/openssh/kbr5/krb5-1.7.1-cc/src/include -I/home/frphoebus/openssh/kbr5/krb5-1.7.1-cc/src/include/gssapi
              Linker flags: -L/opt/freeware/lib -L/usr/local/lib -L/opt/freeware/lib  -L/home/frphoebus/openssh/kbr5/krb5-1.7.1-cc/src/lib -blibpath:/opt/freeware/lib:/lib:/usr/lib:/home/frphoebus/openssh/kbr5/krb5-1.7.1-cc/src/lib
                 Libraries: -lcrypto -lz  -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
                 +for sshd:  -lwrap -lpam -ldl

        PAM is enabled. You may need to install a PAM control file
        for sshd, otherwise password authentication may fail.
        Example PAM control files can be found in the contrib/
        subdirectory

I run make (successful) and make install (successful).

The dump indicates the binary PATH is: /usr/local/kerberos/lib::/usr/lib:/lib. It doesn't take care of the blibpath.

        ca06:/usr/local# dump -H bin/ssh-keygen

        bin/ssh-keygen:

                                ***Loader Section***
                              Loader Header Information
        VERSION#         #SYMtableENT     #RELOCent        LENidSTR
        0x00000001       0x000000cd       0x000001f5       0x00000081

        #IMPfilID        OFFidSTR         LENstrTBL        OFFstrTBL
        0x00000003       0x00002ad4       0x000005fe       0x00002b55


                                ***Import File Strings***
        INDEX  PATH                          BASE                MEMBER
        0      /opt/freeware/lib:/lib:/usr/lib:/home/frphoebus/openssh/kbr5/krb5-1.7.1-cc/src/lib
        1                                    libc.a              shr.o
        2                                    libcrypto.a         libcrypto.so.0.9.7

        ca06:/usr/local# ldd bin/ssh-keygen
        bin/ssh-keygen needs:
                 /lib/libc.a(shr.o)
                 /opt/freeware/lib/libcrypto.a(libcrypto.so.0.9.7)
                 /unix
                 /lib/libcrypt.a(shr.o)
        ca06:/usr/local#
From frphoebus at yahoo.fr Tue Mar 2 00:52:41 2010
From: frphoebus at yahoo.fr (phoebus phoebus)
Date: Mon, 1 Mar 2010 13:52:41 +0000 (GMT)
Subject: "../openbsd-compat/port-aix.h", line 92.44: 1506-046 (S) Syntax error. openssh-5.3p1 on aix 5.3
In-Reply-To: <593708.65287.qm@web23804.mail.ird.yahoo.com>
References: <4885.49349.qm@web23805.mail.ird.yahoo.com> <4B7DE1FA.7000900@zip.com.au> <826870.58162.qm@web23805.mail.ird.yahoo.com> <4B7E532B.6080105@zip.com.au> <4B7E54FE.8040804@zip.com.au> <120475.44703.qm@web23806.mail.ird.yahoo.com> <4B7E787F.3030508@zip.com.au> <465680.58111.qm@web23803.mail.ird.yahoo.com> <645093.80297.qm@web23802.mail.ird.yahoo.com> <463149.91460.qm@web23806.mail.ird.yahoo.com> <593708.65287.qm@web23804.mail.ird.yahoo.com>
Message-ID: <626784.63690.qm@web23802.mail.ird.yahoo.com>

Sorry for the typo. In case 2, you should read:

The dump indicates the binary PATH is: /opt/freeware/lib:/lib:/usr/lib:/home/frphoebus/openssh/kbr5/krb5-1.7.1-cc/src/lib

It takes care of the blibpath because /opt/freeware/lib is indeed there.

Cheers,
Frphoebus

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
From doctor at doctor.nl2k.ab.ca Tue Mar 2 00:59:58 2010
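The two `dump -H` listings above (case 1 and case 2) carry everything needed to explain the 0509-150 failure, so here is an added example, not from the thread or from OpenSSH, that parses the "Import File Strings" table, models the loader's search of the recorded libpath, and picks out the effective `-blibpath` from the case-1 link flags. The tables and flag lines are copied from the thread; `ARCHIVES` is a constructed stand-in for the archives present on the box, inferred from the `ldd` output and not a real listing; empty path components (the `::` in case 1) are skipped, which is an assumption about the loader rather than a documented behaviour.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Copies of the two "Import File Strings" tables quoted in the thread
# (case 1: linked against the installed /usr/local/kerberos; case 2: against the krb5 build tree).
DUMP_CASE1 = """\
                        ***Import File Strings***
INDEX  PATH                          BASE                MEMBER
0      /usr/local/kerberos/lib::/usr/lib:/lib
1                                    libc.a              shr.o
2                                    libpthreads.a       shr_xpg5.o
3                                    libcrypto.a         libcrypto.so.0.9.7
"""

DUMP_CASE2 = """\
                        ***Import File Strings***
INDEX  PATH                          BASE                MEMBER
0      /opt/freeware/lib:/lib:/usr/lib:/home/frphoebus/openssh/kbr5/krb5-1.7.1-cc/src/lib
1                                    libc.a              shr.o
2                                    libcrypto.a         libcrypto.so.0.9.7
"""

# Constructed stand-in for the archives on the box, inferred from the ldd output in the
# thread; this is an assumption for the example, not a real directory listing.
ARCHIVES = {
    "/lib/libc.a", "/usr/lib/libc.a",
    "/lib/libpthreads.a", "/usr/lib/libpthreads.a",
    "/opt/freeware/lib/libcrypto.a",
}

# "Linker flags" and "Libraries" lines from the case-1 configure summary in the thread.
CASE1_LINK_LINES = (
    "-L/opt/freeware/lib -L/usr/local/lib -L/opt/freeware/lib  -blibpath:/opt/freeware/lib:/lib:/usr/lib:/usr/local/kerberos/lib",
    "-lcrypto -lz  -L/usr/local/kerberos/lib -blibpath:/usr/local/kerberos/lib::/usr/lib:/lib -I/usr/local/include "
    "-DBROKEN_GETADDRINFO -L/home/frphoebus/openssh/kbr5/krb5-1.7.1-cc/src/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lpthreads",
)


def parse_import_strings(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Pull the loader search path (index 0) and the (archive, member) dependencies
    out of the Import File Strings table printed by `dump -H`."""
    libpath: List[str] = []
    deps: List[Tuple[str, str]] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("INDEX"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        if fields[0] == "0":
            libpath = fields[1].split(":") if len(fields) > 1 else []
        elif len(fields) >= 3:
            deps.append((fields[1], fields[2]))
    return libpath, deps


def resolve(libpath: List[str], deps: List[Tuple[str, str]], archives) -> Dict[str, Optional[str]]:
    """Model the loader's search: the first libpath directory holding the archive wins.
    Empty components (the '::' in case 1) are skipped here; the real loader's treatment
    of them is not modelled."""
    result: Dict[str, Optional[str]] = {}
    for base, member in deps:
        found = None
        for directory in libpath:
            if not directory:
                continue
            candidate = os.path.join(directory, base)
            if candidate in archives:
                found = candidate
                break
        result[f"{base}({member})"] = found
    return result


def effective_blibpath(link_lines) -> Optional[str]:
    """Return the last -blibpath: value on the link line. The case-1 listing shows this
    later value, contributed by the krb5 flags, is the one recorded in the binary."""
    values = re.findall(r"-blibpath:(\S+)", " ".join(link_lines))
    return values[-1] if values else None


def unresolved(text: str, archives=ARCHIVES) -> List[str]:
    """Dependencies that would fail with 0509-150 for the given dump output."""
    libpath, deps = parse_import_strings(text)
    return [name for name, path in resolve(libpath, deps, archives).items() if path is None]


if __name__ == "__main__":
    for label, text in (("case 1", DUMP_CASE1), ("case 2", DUMP_CASE2)):
        libpath, deps = parse_import_strings(text)
        print(label, "libpath:", libpath)
        for name, path in resolve(libpath, deps, ARCHIVES).items():
            print(f"  {name:40s} -> {path or 'NOT FOUND (0509-150)'}")
    print("effective -blibpath for case 1:", effective_blibpath(CASE1_LINK_LINES))
```

Run on the two listings, case 1 leaves `libcrypto.a(libcrypto.so.0.9.7)` unresolved because `/opt/freeware/lib` is absent from the recorded path, and case 2 resolves everything; the `effective_blibpath` helper shows the second `-blibpath` (the one pulled in with the installed Kerberos libraries) is what ended up in the binary, matching the `dump -H` output.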
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Mon, 1 Mar 2010 06:59:58 -0700
Subject: Call for testing: OpenSSH-5.4
In-Reply-To:
References:
Message-ID: <20100301135958.GA14715@doctor.nl2k.ab.ca>

On Sat, Feb 27, 2010 at 06:25:38PM +1100, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is as simple as:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>

I do have 2 suggestions; only 1 I can recall.

1st is to check if poll is an available option on a system, and if not, does anyone here have an idea for compensating around it?

--
Member - Liberal International This is doctor at nl2k.ab.ca Ici doctor at nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising!
http://twitter.com/rootnl2k http://www.facebook.com/dyadallee
USenet NEwsgroups is the ULTIMATE form of blogging and social networking!
From sayan.chaliha at webyog.com Tue Mar 2 01:58:58 2010
From: sayan.chaliha at webyog.com (Sayan Chaliha)
Date: Mon, 1 Mar 2010 20:28:58 +0530
Subject: ClientAliveInterval
In-Reply-To: 
References: <9515bbd41002252207o5ce02efev7a83376071d981a1@mail.gmail.com>
	<9515bbd41002260538h27bc48ffg2863e52ae225a309@mail.gmail.com>
Message-ID: <9515bbd41003010658k2ae7ea3bg4293771fae587a32@mail.gmail.com>

@Damien:

Yes, well, I understand that. But I am experiencing some weird behavior with
libssh... So I was wondering whether it had anything to do with not replying
to keepalive at openssh.com

Here's what I'm experiencing:
-- When the app gets disconnected from the OpenSSH 4.3 server, it tries to
reconnect.
-- Reconnection and authorization are successful, but libssh fails when
trying to open a new channel (with some obscure 'unrecognized packet'
message).
-- This continues until the ClientAliveInterval has expired.

Anyway, thanks for all the help. I'm now sure that the problem is not with
my application but rather with libssh. I've gotten in touch with them (ie,
the developers of libssh) to have this issue solved.

Thanks again for your time!

On Sat, Feb 27, 2010 at 5:59 AM, Damien Miller wrote:

> On Fri, 26 Feb 2010, Sayan Chaliha wrote:
>
> > @Damien, could you also tell me what would happen if the client didn't
> > respond to that request, and instead tried to create new session and
> > channel afresh? Would the server send the same message again?
>
> A client that is compliant with the protocol _must_ respond, even just to
> say "I have no idea what this command is". Any response will reset the
> keepalive timer.
>
> > On Fri, Feb 26, 2010 at 12:40 PM, Damien Miller wrote:
> >
> > > On Fri, 26 Feb 2010, Sayan Chaliha wrote:
> > >
> > > > Hi,
> > > >
> > > > I am having some trouble with the ClientAliveInterval server setting.
> > > > My (C++) application fails to start an SSH channel to an OpenSSH
> > > > server within this time-out period if it doesn't reply correctly to
> > > > this 'keep-alive' no-op that is sent by the server. How is this no-op
> > > > handled? I am using the libssh client library, and I could find no
> > > > references on how to handle this.
> > >
> > > Client alive interval is implemented by sending a global or channel
> > > request of type "keepalive at openssh.com" with want-reply turned on.
> > > You shouldn't need to implement anything for this to work - a client
> > > should return SSH2_MSG_REQUEST_FAILURE if it doesn't implement this
> > > request type and that should be enough to reset the keepalive watchdog
> > > timer.
> > >
> > > If you would like to explicitly support it, you can just send an
> > > appropriate SSH2_MSG_REQUEST_SUCCESS (global request) or
> > > SSH2_MSG_CHANNEL_SUCCESS (channel request) message, but this is purely
> > > optional.
> > >
> > > -d
> > >
> >
> >
> > --
> > Regards,
> > Sayan Chaliha
> > Webyog Softworks Private Limited
> > 2nd Floor, Novel Team Building
> > #10, 100 Feet Ring Road
> > BTM Layout 1st Stage
> > Bangalore - 560068
> >
> > +91-9743357501
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
>

-- 
Regards,
Sayan Chaliha
Webyog Softworks Private Limited
2nd Floor, Novel Team Building
#10, 100 Feet Ring Road
BTM Layout 1st Stage
Bangalore - 560068

+91-9743357501

From peter at stuge.se Tue Mar 2 02:09:49 2010
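The keepalive mechanism Damien Miller describes in the quoted reply above (sshd sends a global request named keepalive@openssh.com with want-reply set; any answer, including SSH2_MSG_REQUEST_FAILURE, resets the watchdog; a client that never answers is eventually dropped) as a small Python model. This is an added example, not code from OpenSSH, libssh or any poster in the thread. The message numbers are the RFC 4254 values and the request name is the one OpenSSH uses; the `ClientAliveWatchdog` class, the `simulate` driver and the exact instant at which the model disconnects are my own constructions that approximate sshd's ClientAliveInterval/ClientAliveCountMax behaviour rather than reproduce it.

```python
"""Model of sshd's ClientAliveInterval keepalive and a client's reply.

Constructed example: not OpenSSH or libssh code.  Message numbers are the
RFC 4254 values; the request name is the one OpenSSH uses.  The watchdog
class approximates sshd's behaviour and is not a copy of it.
"""
import struct
from typing import List, Optional, Tuple

SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_REQUEST_SUCCESS = 81
SSH_MSG_REQUEST_FAILURE = 82

KEEPALIVE_REQUEST = b"keepalive@openssh.com"


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string' encoding: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_keepalive_request(want_reply: bool = True) -> bytes:
    """Payload of the SSH_MSG_GLOBAL_REQUEST sshd sends as a keepalive."""
    return (bytes([SSH_MSG_GLOBAL_REQUEST])
            + ssh_string(KEEPALIVE_REQUEST)
            + bytes([1 if want_reply else 0]))


def parse_global_request(packet: bytes) -> Tuple[bytes, bool]:
    """Decode (request name, want_reply) from a global request payload."""
    if len(packet) < 6 or packet[0] != SSH_MSG_GLOBAL_REQUEST:
        raise ValueError("not an SSH_MSG_GLOBAL_REQUEST")
    (n,) = struct.unpack(">I", packet[1:5])
    if len(packet) < 6 + n:
        raise ValueError("truncated request name")
    return packet[5:5 + n], packet[5 + n] == 1


def compliant_client_reply(packet: bytes, supported=frozenset()) -> Optional[bytes]:
    """What a protocol-compliant client sends back for a global request.

    A request type the client does not implement is answered with
    SSH_MSG_REQUEST_FAILURE; one it implements gets SSH_MSG_REQUEST_SUCCESS.
    Only a request with want_reply false may go unanswered.
    """
    name, want_reply = parse_global_request(packet)
    if not want_reply:
        return None
    code = SSH_MSG_REQUEST_SUCCESS if name in supported else SSH_MSG_REQUEST_FAILURE
    return bytes([code])


class ClientAliveWatchdog:
    """Server-side keepalive timer (hypothetical approximation of sshd's logic).

    After `interval` seconds without a packet from the client a keepalive is
    sent; once `count_max` keepalives in a row have gone unanswered, the
    connection is dropped.  interval == 0 disables the mechanism.
    """

    def __init__(self, interval: int, count_max: int = 3) -> None:
        self.interval = interval        # ClientAliveInterval
        self.count_max = count_max      # ClientAliveCountMax (sshd default 3)
        self.unanswered = 0
        self.last_activity = 0.0
        self.sent: List[bytes] = []
        self.disconnected = False

    def on_client_packet(self, now: float) -> None:
        """Any packet from the client, REQUEST_FAILURE included, resets the count."""
        self.unanswered = 0
        self.last_activity = now

    def tick(self, now: float) -> None:
        """Called from the server's event loop; sends a keepalive or disconnects."""
        if self.interval == 0 or self.disconnected:
            return
        if now - self.last_activity < self.interval:
            return
        self.unanswered += 1
        if self.unanswered > self.count_max:
            self.disconnected = True
            return
        self.sent.append(build_keepalive_request(True))
        self.last_activity = now


def simulate(interval: int, count_max: int, client_answers: bool,
             duration: int) -> Tuple[int, Optional[int]]:
    """Run an otherwise idle client against the watchdog for `duration` seconds.

    Returns (keepalives sent, second at which the server disconnected or None).
    client_answers=False models a client that silently drops the request.
    """
    wd = ClientAliveWatchdog(interval, count_max)
    for now in range(1, duration + 1):
        before = len(wd.sent)
        wd.tick(now)
        if wd.disconnected:
            return len(wd.sent), now
        if len(wd.sent) > before and client_answers:
            reply = compliant_client_reply(wd.sent[-1])  # REQUEST_FAILURE here
            if reply is not None:
                wd.on_client_packet(now)
    return len(wd.sent), None


if __name__ == "__main__":
    print("answering client:", simulate(15, 3, True, 120))   # keeps the session
    print("silent client:   ", simulate(15, 3, False, 120))  # gets disconnected
```

The point the thread makes is visible in `simulate`: the answering client only ever sends REQUEST_FAILURE, because it does not implement the request type, and that is enough to keep the session alive indefinitely, while the silent client is dropped after `count_max` unanswered keepalives.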
From: peter at stuge.se (Peter Stuge)
Date: Mon, 1 Mar 2010 16:09:49 +0100
Subject: ClientAliveInterval
In-Reply-To: <9515bbd41003010658k2ae7ea3bg4293771fae587a32@mail.gmail.com>
References: <9515bbd41002252207o5ce02efev7a83376071d981a1@mail.gmail.com>
	<9515bbd41002260538h27bc48ffg2863e52ae225a309@mail.gmail.com>
	<9515bbd41003010658k2ae7ea3bg4293771fae587a32@mail.gmail.com>
Message-ID: <20100301150949.27924.qmail@stuge.se>

Sayan Chaliha wrote:
> I've gotten in touch with them (ie, the developers of libssh) to
> have this issue solved.

If it doesn't work out you could also try libssh2. Also has issues of
course, but it should work reliably.


//Peter

From aris.adamantiadis at belnet.be Tue Mar 2 02:18:18 2010
From: aris.adamantiadis at belnet.be (Aris Adamantiadis)
Date: Mon, 01 Mar 2010 16:18:18 +0100
Subject: ClientAliveInterval
In-Reply-To: <9515bbd41003010658k2ae7ea3bg4293771fae587a32@mail.gmail.com>
References: <9515bbd41002252207o5ce02efev7a83376071d981a1@mail.gmail.com>
	<9515bbd41002260538h27bc48ffg2863e52ae225a309@mail.gmail.com>
	<9515bbd41003010658k2ae7ea3bg4293771fae587a32@mail.gmail.com>
Message-ID: <4B8BDABA.6090601@belnet.be>

Hello Sayan,

As I told Sabaya, this will be corrected in libssh soon. This problem
was not spotted because the ClientAliveInterval was not a default
parameter of most systems.

Peter, I think Sayan had understood your message the first time.

Best regards,

Aris

Sayan Chaliha wrote:
> @Damien:
>
> Yes, well, I understand that. But I am experiencing some weird behavior with
> libssh... So I was wondering whether it had anything to do with not replying
> to keepalive at openssh.com
>
> Here's what I'm experiencing:
> -- When the app gets disconnected from the OpenSSH 4.3 server, it tries to
> reconnect.
> -- Reconnection and authorization are successful, but libssh fails when
> trying to open a new channel (with some obscure 'unrecognized packet'
> message).
> -- This continues until the ClientAliveInterval has expired.
>
> Anyway, thanks for all the help. I'm now sure that the problem is not with
> my application but rather with libssh. I've gotten in touch with them (ie,
> the developers of libssh) to have this issue solved.
>
> Thanks again for your time!
>
> On Sat, Feb 27, 2010 at 5:59 AM, Damien Miller wrote:
>
>> On Fri, 26 Feb 2010, Sayan Chaliha wrote:
>>
>>> @Damien, could you also tell me what would happen if the client didn't
>>> respond to that request, and instead tried to create new session and
>>> channel afresh? Would the server send the same message again?
>> A client that is compliant with the protocol _must_ respond, even just to
>> say "I have no idea what this command is". Any response will reset the
>> keepalive timer.
>>
>>> On Fri, Feb 26, 2010 at 12:40 PM, Damien Miller wrote:
>>>
>>>> On Fri, 26 Feb 2010, Sayan Chaliha wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am having some trouble with the ClientAliveInterval server setting.
>>>>> My (C++) application fails to start an SSH channel to an OpenSSH
>>>>> server within this time-out period if it doesn't reply correctly to
>>>>> this 'keep-alive' no-op that is sent by the server. How is this no-op
>>>>> handled? I am using the libssh client library, and I could find no
>>>>> references on how to handle this.
>>>>
>>>> Client alive interval is implemented by sending a global or channel
>>>> request of type "keepalive at openssh.com" with want-reply turned on.
>>>> You shouldn't need to implement anything for this to work - a client
>>>> should return SSH2_MSG_REQUEST_FAILURE if it doesn't implement this
>>>> request type and that should be enough to reset the keepalive watchdog
>>>> timer.
>>>>
>>>> If you would like to explicitly support it, you can just send an
>>>> appropriate SSH2_MSG_REQUEST_SUCCESS (global request) or
>>>> SSH2_MSG_CHANNEL_SUCCESS (channel request) message, but this is purely
>>>> optional.
>>>>
>>>> -d
>>>>
>>>
>>>
>>> --
>>> Regards,
>>> Sayan Chaliha
>>> Webyog Softworks Private Limited
>>> 2nd Floor, Novel Team Building
>>> #10, 100 Feet Ring Road
>>> BTM Layout 1st Stage
>>> Bangalore - 560068
>>>
>>> +91-9743357501
>>> _______________________________________________
>>> openssh-unix-dev mailing list
>>> openssh-unix-dev at mindrot.org
>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>>
>
>
>

From dtucker at zip.com.au Tue Mar 2 06:33:05 2010
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 02 Mar 2010 06:33:05 +1100
Subject: Call for testing: OpenSSH-5.4
In-Reply-To: <20100301135958.GA14715@doctor.nl2k.ab.ca>
References: <20100301135958.GA14715@doctor.nl2k.ab.ca>
Message-ID: <4B8C1671.4020505@zip.com.au>

The Doctor wrote:
> 1st is to check if poll is an available option on a system and if not
> anyone here has an idea for compensating around it?

There's a (not particularly efficient, but functional) implementation of
poll() in openbsd-compat/. It should be enabled if configure doesn't
find a native implementation.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From vinschen at redhat.com Tue Mar 2 07:09:14 2010
From: vinschen at redhat.com (Corinna Vinschen)
Date: Mon, 1 Mar 2010 21:09:14 +0100
Subject: Call for testing: OpenSSH-5.4
In-Reply-To: 
References: 
Message-ID: <20100301200914.GH5683@calimero.vinschen.de>

On Feb 27 18:25, Damien Miller wrote:
> Hi,
> 
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
> 
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
> 
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
> 
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs
> 
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
> 
> $ ./configure && make tests
> 
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.

Including the latest Cygwin-specific changes, OpenSSH from CVS builds
fine on Cygwin 1.7. The testsuite runs successfully with a single
exception. The exception is sftp-glob.sh, which is an expected failure
on Cygwin due to the slash/backslash weirdness on Windows.


Corinna

-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

From scott_n at xypro.com Tue Mar 2 08:18:19 2010
From: scott_n at xypro.com (Scott Neugroschl)
Date: Mon, 1 Mar 2010 13:18:19 -0800
Subject: Call for testing: OpenSSH-5.4
In-Reply-To: 
References: 
Message-ID: <78DD71C304F38B41885A242996B96F73022141D1@xyservd.XYPRO-23.LOCAL>

> 
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
> 

Passes all tests on Mandriva One 2010.0 32-bit.

From vadud3 at gmail.com Tue Mar 2 09:15:13 2010
From: vadud3 at gmail.com (Asif Iqbal)
Date: Mon, 1 Mar 2010 17:15:13 -0500
Subject: Call for testing: OpenSSH-5.4
In-Reply-To: 
References: 
Message-ID: 

all tests passed on ubuntu 9.10 32bit using gcc version 4.4.1

the only errors I got were

run test connect.sh ...
Missing privilege separation directory: /var/empty
FATAL: sshd_proxy broken
make[1]: *** [t-exec] Error 1
make[1]: Leaving directory `/home/iqbala/Downloads/openssh/regress'
make: *** [tests] Error 2

and

skipped: need SUDO to switch to uid nobody

after I ran it again as `sudo make tests' it was able to create the
/var/empty and no SUDO error.


On Mon, Mar 1, 2010 at 4:59 PM, Asif Iqbal wrote:
> On Mon, Mar 1, 2010 at 4:49 PM, Asif Iqbal wrote:
>> failing on opensolaris snv_133
>>
>> SunOS scrub 5.11 snv_133 i86pc i386 i86pc
>>
>> gcc version 3.4.3 (csl-sol210-3_4-20050802)
>>
>>
>> gunzip openssh-SNAP-20100302.tar.gz
>> tar tvf openssh-SNAP-20100302.tar
>> tar xvf openssh-SNAP-20100302.tar
>> cd openssh
>> ./configure
>> make tests
>> [...]
>> run test cert-hostkey.sh ...
>> certified host keys: sign host rsa cert
>> certified host keys: sign host dsa cert
>> certified host keys: host rsa cert connect privsep yes
>> certified host keys: host dsa cert connect privsep yes
>> certified host keys: host rsa cert connect privsep no
>> certified host keys: host dsa cert connect privsep no
>> certified host keys: test host cert connect user-certificate expect failure
>> certified host keys: test host cert connect empty principals expect success
>> certified host keys: test host cert connect wrong principals expect failure
>> certified host keys: test host cert connect cert not yet valid expect failure
>> certified host keys: test host cert connect cert expired expect failure
>> certified host keys: test host cert connect cert valid interval expect success
>> certified host keys: test host cert connect cert has constraints expect failure
>> certified host keys: host rsa cert downgrade to raw key
>> certified host keys: host dsa cert downgrade to raw key
>> ok certified host keys
>> run test cert-userkey.sh ...
>> certified user keys: sign user rsa cert
>> certified user keys: sign user dsa cert
>> certified user keys: user rsa cert connect privsep yes
>> Permission denied (publickey,password,keyboard-interactive).
>> ssh cert connect failed
>> certified user keys: user dsa cert connect privsep yes
>> Permission denied (publickey,password,keyboard-interactive).
>> ssh cert connect failed
>> certified user keys: user rsa cert connect privsep no
>> Permission denied (publickey,password,keyboard-interactive).
>> ssh cert connect failed
>> certified user keys: user dsa cert connect privsep no
>> Permission denied (publickey,password,keyboard-interactive).
>> ssh cert connect failed
>> certified user keys: ensure CA key does not authenticate user
>> ssh cert connect with CA key succeeded unexpectedly
>> certified user keys: test user cert connect host-certificate expect failure
>> certified user keys: test user cert connect empty principals expect success
>> ssh cert connect empty principals failed unexpectedly
>> certified user keys: test user cert connect wrong principals expect failure
>> certified user keys: test user cert connect cert not yet valid expect failure
>> certified user keys: test user cert connect cert expired expect failure
>> certified user keys: test user cert connect cert valid interval expect success
>> ssh cert connect cert valid interval failed unexpectedly
>> certified user keys: test user cert connect wrong source-address expect failure
>> certified user keys: test user cert connect force-command expect failure
>> failed certified user keys
>> *** Error code 1
>> The following command caused the error:
>> if [ "xconnect.sh proxy-connect.sh connect-privsep.sh proto-version.sh
>> proto-mismatch.sh exit-status.sh envpass.sh transfer.sh banner.sh
>> rekey.sh stderr-data.sh stderr-after-eof.sh broken-pipe.sh
>> try-ciphers.sh yes-head.sh login-timeout.sh agent.sh
>> agent-getpeereid.sh agent-timeout.sh agent-ptrace.sh keyscan.sh
>> keygen-change.sh keygen-convert.sh key-options.sh scp.sh sftp.sh
>> sftp-cmds.sh sftp-badcmds.sh sftp-batch.sh sftp-glob.sh reconfigure.sh
>> dynamic-forward.sh forwarding.sh multiplex.sh reexec.sh brokenkeys.sh
>> cfgmatch.sh addrmatch.sh localcommand.sh forcecommand.sh portnum.sh
>> cert-hostkey.sh cert-userkey.sh" = "x" ]; then exit 0; fi; \
>> for TEST in ""connect.sh proxy-connect.sh connect-privsep.sh
>> proto-version.sh proto-mismatch.sh exit-status.sh envpass.sh
>> transfer.sh banner.sh rekey.sh stderr-data.sh stderr-after-eof.sh
>> broken-pipe.sh try-ciphers.sh yes-head.sh login-timeout.sh agent.sh
>> agent-getpeereid.sh agent-timeout.sh agent-ptrace.sh keyscan.sh
>> keygen-change.sh keygen-convert.sh key-options.sh scp.sh sftp.sh
>> sftp-cmds.sh sftp-badcmds.sh sftp-batch.sh sftp-glob.sh reconfigure.sh
>> dynamic-forward.sh forwarding.sh multiplex.sh reexec.sh brokenkeys.sh
>> cfgmatch.sh addrmatch.sh localcommand.sh forcecommand.sh portnum.sh
>> cert-hostkey.sh cert-userkey.sh; do \
>>         echo "run test ${TEST}" ... 1>&2; \
>>         (env SUDO= TEST_ENV="MALLOC_OPTIONS=AFGJPRX" sh
>> /export/home/iqbala/Download/openssh/regress/test-exec.sh
>> /export/home/iqbala/Download/openssh/regress
>> /export/home/iqbala/Download/openssh/regress/${TEST}) || exit $?; \
>> done
>> make: Fatal error: Command failed for target `t-exec'
>> Current working directory /export/home/iqbala/Download/openssh/regress
>> *** Error code 1
>> make: Fatal error: Command failed for target `tests'
>
>
> fails with sunstudio cc: Sun C 5.10 SunOS_i386 2009/06/03
> on opensolaris snv_133
>
> run test cert-userkey.sh ...
> certified user keys: sign user rsa cert
> certified user keys: sign user dsa cert
> certified user keys: user rsa cert connect privsep yes
> Permission denied (publickey,password,keyboard-interactive).
> ssh cert connect failed
> certified user keys: user dsa cert connect privsep yes
> Permission denied (publickey,password,keyboard-interactive).
> ssh cert connect failed
> certified user keys: user rsa cert connect privsep no
> Permission denied (publickey,password,keyboard-interactive).
> ssh cert connect failed
> certified user keys: user dsa cert connect privsep no
> Permission denied (publickey,password,keyboard-interactive).
> ssh cert connect failed
> certified user keys: ensure CA key does not authenticate user
> ssh cert connect with CA key succeeded unexpectedly
> certified user keys: test user cert connect host-certificate expect failure
> certified user keys: test user cert connect empty principals expect success
> ssh cert connect empty principals failed unexpectedly
> certified user keys: test user cert connect wrong principals expect failure
> certified user keys: test user cert connect cert not yet valid expect failure
> certified user keys: test user cert connect cert expired expect failure
> certified user keys: test user cert connect cert valid interval expect success
> ssh cert connect cert valid interval failed unexpectedly
> certified user keys: test user cert connect wrong source-address expect failure
> certified user keys: test user cert connect force-command expect failure
> failed certified user keys
> *** Error code 1
> The following command caused the error:
> if [ "xconnect.sh proxy-connect.sh connect-privsep.sh proto-version.sh
> proto-mismatch.sh exit-status.sh envpass.sh transfer.sh banner.sh
> rekey.sh stderr-data.sh stderr-after-eof.sh broken-pipe.sh
> try-ciphers.sh yes-head.sh login-timeout.sh agent.sh
> agent-getpeereid.sh agent-timeout.sh agent-ptrace.sh keyscan.sh
> keygen-change.sh keygen-convert.sh key-options.sh scp.sh sftp.sh
> sftp-cmds.sh sftp-badcmds.sh sftp-batch.sh sftp-glob.sh reconfigure.sh
> dynamic-forward.sh forwarding.sh multiplex.sh reexec.sh brokenkeys.sh
> cfgmatch.sh addrmatch.sh localcommand.sh forcecommand.sh portnum.sh
> cert-hostkey.sh cert-userkey.sh" = "x" ]; then exit 0; fi; \
> for TEST in ""connect.sh proxy-connect.sh connect-privsep.sh
> proto-version.sh proto-mismatch.sh exit-status.sh envpass.sh
> transfer.sh banner.sh rekey.sh stderr-data.sh stderr-after-eof.sh
> broken-pipe.sh try-ciphers.sh yes-head.sh login-timeout.sh agent.sh
> agent-getpeereid.sh agent-timeout.sh agent-ptrace.sh keyscan.sh
> keygen-change.sh keygen-convert.sh key-options.sh scp.sh sftp.sh
> sftp-cmds.sh sftp-badcmds.sh sftp-batch.sh sftp-glob.sh reconfigure.sh
> dynamic-forward.sh forwarding.sh multiplex.sh reexec.sh brokenkeys.sh
> cfgmatch.sh addrmatch.sh localcommand.sh forcecommand.sh portnum.sh
> cert-hostkey.sh cert-userkey.sh; do \
>         echo "run test ${TEST}" ... 1>&2; \
>         (env SUDO= TEST_ENV="MALLOC_OPTIONS=AFGJPRX" sh
> /export/home/iqbala/Download/openssh/regress/test-exec.sh
> /export/home/iqbala/Download/openssh/regress
> /export/home/iqbala/Download/openssh/regress/${TEST}) || exit $?; \
> done
> make: Fatal error: Command failed for target `t-exec'
> Current working directory /export/home/iqbala/Download/openssh/regress
> *** Error code 1
> make: Fatal error: Command failed for target `tests'
>
>>
>>
>> On Sat, Feb 27, 2010 at 2:25 AM, Damien Miller wrote:
>>> Hi,
>>>
>>> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
>>> on as many platforms and systems as possible. This is a big release,
>>> with a number of major new features and many bug fixes.
>>>
>>> Snapshot releases for portable OpenSSH are available from
>>> http://www.mindrot.org/openssh_snap/
>>>
>>> The OpenBSD version is available in CVS HEAD:
>>> http://www.openbsd.org/anoncvs.html
>>>
>>> Portable OpenSSH is also available via anonymous CVS using the
>>> instructions at http://www.openssh.com/portable.html#cvs
>>>
>>> Running the regression tests supplied with Portable OpenSSH does not
>>> require installation and is simply:
>>>
>>> $ ./configure && make tests
>>>
>>> Live testing on suitable non-production systems is also
>>> appreciated. Please send reports of success or failure to
>>> openssh-unix-dev at mindrot.org.
>>>
>>> Below is a summary of changes. More detail may be found in the ChangeLog
>>> in the portable OpenSSH tarballs.
>>>
>>> Thanks to the many people who contributed to this release.
>>>
>>> -------------------------------
>>>
>>> Changes since OpenSSH 5.3
>>> =========================
>>>
>>> Features:
>>>
>>>  * After a transition period of about 10 years, this release disables
>>>    SSH protocol 1 by default. Clients and servers that need to use the
>>>    legacy protocol must explicitly enable it in ssh_config / sshd_config
>>>    or on the command-line.
>>>
>>>  * Deprecate the libsectok/OpenSC-based smartcard code and add
>>>    support for PKCS#11 tokens. PKCS#11 support is automatically enabled
>>>    on all platforms that support dlopen(3) and was inspired by patches
>>>    written by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1)
>>>    manpages
>>>
>>>  * Add support for certificate authentication of users and hosts using a
>>>    new, minimal OpenSSH certificate format (not X.509). Certificates
>>>    contain a public key, identity information and some validity
>>>    constraints and are signed with a standard SSH public key using
>>>    ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
>>>    (for user authentication) or known_hosts (for host authentication).
>>>
>>>    Documentation for certificate support may be found in ssh-keygen(1),
>>>    sshd(8) and ssh(1) and a description of the protocol changes in
>>>    PROTOCOL.certkeys.
>>>
>>>  * Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects
>>>    stdio on the client to a single port forward on the server. This
>>>    allows, for example, using ssh as a ProxyCommand to route connections
>>>    via intermediate servers. bz#1618
>>>
>>>  * Rewrite the ssh(1) multiplexing support to support non-blocking
>>>    operation of the mux master, improve the resilience of the master to
>>>    malformed messages sent to it by the slave and add support for
>>>    requesting port- forwardings via the multiplex protocol. The new
>>>    stdio-to-local forward mode ("ssh -W host:port ...") is also
>>>    supported. The revised multiplexing protocol is documented in the
>>>    file PROTOCOL.mux in the source distribution.
>>>
>>>  * Add a 'read-only' mode to sftp-server(8) that disables open in write
>>>    mode and all other fs-modifying protocol methods. bz#430
>>>
>>>  * Allow setting an explicit umask on the sftp-server(8) commandline to
>>>    override whatever default the user has. bz#1229
>>>
>>>  * Many improvements to the sftp(1) client, many of which were
>>>    implemented by Carlos Silva through the Google Summer of Code
>>>    program:
>>>    - Support the "-h" (human-readable units) flag for ls
>>>    - Implement tab-completion of commands, local and remote filenames
>>>    - Support most of scp(1)'s commandline arguments in sftp(1), as a
>>>      first step towards making sftp(1) a drop-in replacement for scp(1).
>>>      Note that the rarely-used "-P sftp_server_path" option has been
>>>      moved to "-D sftp_server_path" to make way for "-P port" to match
>>>      scp(1).
>>>    - Add recursive transfer support for get/put and on the commandline
>>>
>>>  * New RSA keys will be generated with a public exponent of RSA_F4 ==
>>>    (2**16)+1 == 65537 instead of the previous value 35.
>>>
>>>  * Passphrase-protected SSH protocol 2 private keys are now protected
>>>    with AES-128 instead of 3DES. This applies to freshly-generated keys
>>>    as well as keys that are reencrypted (e.g. by changing their
>>>    passphrase).
>>>
>>> Bugfixes:
>>>
>>>  * When using ChrootDirectory, make sure we test for the existence of
>>>    the user's shell inside the chroot and not outside (bz#1679)
>>>  * Cache user and group name lookups in sftp-server using
>>>    user_from_[ug]id(3) to improve performance on hosts where these
>>>    operations are slow (e.g. NIS or LDAP). bz#1495
>>>  * Fix problem that prevented passphrase reading from being interrupted
>>>    in some circumstances; bz#1590
>>>  * Ignore and log any Protocol 1 keys where the claimed size is not
>>>    equal to the actual size.
>>>  * Make HostBased authentication work with a ProxyCommand. bz#1569
>>>  * Avoid run-time failures when specifying hostkeys via a relative
>>>    path by prepending the current working directory in these cases.
>>>    bz#1290
>>>  * Do not prompt for a passphrase if we fail to open a keyfile, and log
>>>    the reason why the open failed to debug. bz#1693
>>>  * Document that the PubkeyAuthentication directive is allowed in a
>>>    sshd_config(5) Match block. bz#1577
>>>  * When converting keys, truncate key comments at 72 chars as per
>>>    RFC4716. bz#1630
>>>  * Do not allow logins if /etc/nologin exists but is not readable by the
>>>    user logging in.
>>>  * Output a debug log if sshd(8) can't open an existing authorized_keys.
>>>    bz#1694
>>>  * Quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we
>>>    usually don't actually have a tty to read/set; bz#1686
>>>  * Prevent sftp from crashing when given a "-" without a command.
>>>    Also, allow whitespace to follow a "-". bz#1691
>>>  * After sshd receives a SIGHUP, ignore subsequent HUPs while sshd
>>>    re-execs itself. Prevents two HUPs in quick succession from resulting
>>>    in sshd dying. bz#1692
>>>  * Clarify in sshd_config(5) that StrictModes does not apply to
>>>    ChrootDirectory. Permissions and ownership are always checked when
>>>    chrooting. bz#1532
>>>  * Set close-on-exec on various descriptors so they don't get leaked to
>>>    child processes. bz#1643
>>>  * Fix very rare race condition in x11/agent channel allocation: don't
>>>    read after the end of the select read/write fdset and make sure a
>>>    reused FD is not touched before the pre-handlers are called.
>>>  * Fix incorrect exit status when multiplexing and channel ID 0 is
>>>    recycled. bz#1570
>>>  * Fail with an error when an attempt is made to connect to a server
>>>    with ForceCommand=internal-sftp with a shell session (i.e. not a
>>>    subsystem session). Avoids stuck client when attempting to ssh to
>>>    such a service. bz#1606
>>>  * Warn but do not fail if stat()ing the subsystem binary fails. This
>>>    helps with chrootdirectory+forcecommand=sftp-server and restricted
>>>    shells. bz#1599
>>>  * Change "Connecting to host..." message to "Connected to host."
>>>    and delay it until after the sftp protocol connection has been
>>>    established. Avoids confusing sequence of messages when the
>>>    underlying ssh connection experiences problems. bz#1588
>>>  * Use the HostKeyAlias rather than the hostname specified on the
>>>    commandline when prompting for passwords. bz#1039
>>>  * Correct off-by-one in percent_expand(): we would fatal() when trying
>>>    to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to
>>>    actually work. Note that nothing in OpenSSH actually uses close to
>>>    this limit at present. bz#1607
>>>  * Fix passing of empty options from scp(1) and sftp(1) to the
>>>    underlying ssh(1). Also add support for the stop option "--".
>>>  * Fix an incorrect magic number and typo in PROTOCOL; bz#1688
>>>  * Don't escape backslashes when displaying the SSH2 banner. bz#1533
>>>  * Don't unnecessarily dup() the in and out fds for sftp-server. bz#1566
>>>  * Force use of the correct hash function for random-art signature
>>>    display as it was inheriting the wrong one when bubblebabble
>>>    signatures were activated. bz#1611
>>>  * Do not fall back to adding keys without constraints (ssh-add -c /
>>>    -t ...) when the agent refuses the constrained add request. bz#1612
>>>  * Fix a race condition in ssh-agent that could result in a wedged or
>>>    spinning agent. bz#1633
>>>  * Flush stdio before exec() to ensure that everything (motd
>>>    in particular) has made it out before the streams go away. bz#1596
>>>  * Set FD_CLOEXEC on in/out sockets in sshd(8). bz#1706
>>>
>>> Portable OpenSSH Bugfixes:
>>>
>>>  * Use system's kerberos principal name on AIX if it's available.
>>>    bz#1583
>>>  * Disable OOM-killing of the listening sshd on Linux. bz#1740
>>>  * Use pkg-config for opensc config if it's available. bz#1160
>>>  * Unbreak Redhat spec to allow building without askpass. bz#1677
>>>  * If PidFile is set in sshd_config, use it in SMF init file. bz#1628
>>>  * Print error and usage() when ssh-rand-helper is passed command-
>>>    line arguments as none are supported. bz#1568
>>>  * Add missing setsockopt() to set IPV6_V6ONLY for local forwarding
>>>    with GatewayPorts=yes. bz#1648
>>>  * Make GNOME 2 askpass dialog desktop-modal. bz#1645
>>>  * If SELinux is enabled set the security context to "sftpd_t" before
>>>    running the internal sftp server. bz#1637
>>>  * Correctly check libselinux for necessary SELinux functions; bz#1713
>>> _______________________________________________
>>> openssh-unix-dev mailing list
>>> openssh-unix-dev at mindrot.org
>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>>
>>
>>
>>
>> --
>> Asif Iqbal
>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>> A: Because it messes up the order in which people normally read text.
>> Q: Why is top-posting such a bad thing?
>>
>
>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From vadud3 at gmail.com Tue Mar 2 08:49:52 2010
From: vadud3 at gmail.com (Asif Iqbal)
Date: Mon, 1 Mar 2010 16:49:52 -0500
Subject: Call for testing: OpenSSH-5.4
In-Reply-To:
References:
Message-ID:

failing on opensolaris snv_133

SunOS scrub 5.11 snv_133 i86pc i386 i86pc

gcc version 3.4.3 (csl-sol210-3_4-20050802)


gunzip openssh-SNAP-20100302.tar.gz
tar tvf openssh-SNAP-20100302.tar
tar xvf openssh-SNAP-20100302.tar
cd openssh
./configure
make tests
[...]
run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect failure
certified host keys: test host cert connect cert expired expect failure
certified host keys: test host cert connect cert valid interval expect success
certified host keys: test host cert connect cert has constraints expect failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
ok certified host keys
run test cert-userkey.sh ...
certified user keys: sign user rsa cert
certified user keys: sign user dsa cert
certified user keys: user rsa cert connect privsep yes
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user dsa cert connect privsep yes
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user rsa cert connect privsep no
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user dsa cert connect privsep no
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: ensure CA key does not authenticate user
ssh cert connect with CA key succeeded unexpectedly
certified user keys: test user cert connect host-certificate expect failure
certified user keys: test user cert connect empty principals expect success
ssh cert connect empty principals failed unexpectedly
certified user keys: test user cert connect wrong principals expect failure
certified user keys: test user cert connect cert not yet valid expect failure
certified user keys: test user cert connect cert expired expect failure
certified user keys: test user cert connect cert valid interval expect success
ssh cert connect cert valid interval failed unexpectedly
certified user keys: test user cert connect wrong source-address expect failure
certified user keys: test user cert connect force-command expect failure
failed certified user keys
*** Error code 1
The following command caused the error:
if [ "xconnect.sh proxy-connect.sh connect-privsep.sh proto-version.sh proto-mismatch.sh exit-status.sh envpass.sh transfer.sh banner.sh rekey.sh stderr-data.sh stderr-after-eof.sh broken-pipe.sh try-ciphers.sh yes-head.sh login-timeout.sh agent.sh agent-getpeereid.sh agent-timeout.sh agent-ptrace.sh keyscan.sh keygen-change.sh keygen-convert.sh key-options.sh scp.sh sftp.sh sftp-cmds.sh sftp-badcmds.sh sftp-batch.sh sftp-glob.sh reconfigure.sh dynamic-forward.sh forwarding.sh multiplex.sh reexec.sh brokenkeys.sh cfgmatch.sh addrmatch.sh localcommand.sh forcecommand.sh portnum.sh cert-hostkey.sh cert-userkey.sh" = "x" ]; then exit 0; fi; \
for TEST in ""connect.sh proxy-connect.sh connect-privsep.sh proto-version.sh proto-mismatch.sh exit-status.sh envpass.sh transfer.sh banner.sh rekey.sh stderr-data.sh stderr-after-eof.sh broken-pipe.sh try-ciphers.sh yes-head.sh login-timeout.sh agent.sh agent-getpeereid.sh agent-timeout.sh agent-ptrace.sh keyscan.sh keygen-change.sh keygen-convert.sh key-options.sh scp.sh sftp.sh sftp-cmds.sh sftp-badcmds.sh sftp-batch.sh sftp-glob.sh reconfigure.sh dynamic-forward.sh forwarding.sh multiplex.sh reexec.sh brokenkeys.sh cfgmatch.sh addrmatch.sh localcommand.sh forcecommand.sh portnum.sh cert-hostkey.sh cert-userkey.sh; do \
        echo "run test ${TEST}" ... 1>&2; \
        (env SUDO= TEST_ENV="MALLOC_OPTIONS=AFGJPRX" sh /export/home/iqbala/Download/openssh/regress/test-exec.sh /export/home/iqbala/Download/openssh/regress /export/home/iqbala/Download/openssh/regress/${TEST}) || exit $?; \
done
make: Fatal error: Command failed for target `t-exec'
Current working directory /export/home/iqbala/Download/openssh/regress
*** Error code 1
make: Fatal error: Command failed for target `tests'

On Sat, Feb 27, 2010 at 2:25 AM, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> -------------------------------
>
> Changes since OpenSSH 5.3
> =========================
>
> Features:
>
>  * After a transition period of about 10 years, this release disables
>    SSH protocol 1 by default. Clients and servers that need to use the
>    legacy protocol must explicitly enable it in ssh_config / sshd_config
>    or on the command-line.
>
>  * Deprecate the libsectok/OpenSC-based smartcard code and add
>    support for PKCS#11 tokens. PKCS#11 support is automatically enabled
>    on all platforms that support dlopen(3) and was inspired by patches
>    written by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1)
>    manpages
>
>  * Add support for certificate authentication of users and hosts using a
>    new, minimal OpenSSH certificate format (not X.509). Certificates
>    contain a public key, identity information and some validity
>    constraints and are signed with a standard SSH public key using
>    ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
>    (for user authentication) or known_hosts (for host authentication).
>
>    Documentation for certificate support may be found in ssh-keygen(1),
>    sshd(8) and ssh(1) and a description of the protocol changes in
>    PROTOCOL.certkeys.
>
>  * Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects
>    stdio on the client to a single port forward on the server. This
>    allows, for example, using ssh as a ProxyCommand to route connections
>    via intermediate servers. bz#1618
>
>  * Rewrite the ssh(1) multiplexing support to support non-blocking
>    operation of the mux master, improve the resilience of the master to
>    malformed messages sent to it by the slave and add support for
>    requesting port-forwardings via the multiplex protocol. The new
>    stdio-to-local forward mode ("ssh -W host:port ...") is also
>    supported. The revised multiplexing protocol is documented in the
>    file PROTOCOL.mux in the source distribution.
>
>  * Add a 'read-only' mode to sftp-server(8) that disables open in write
>    mode and all other fs-modifying protocol methods. bz#430
>
>  * Allow setting an explicit umask on the sftp-server(8) commandline to
>    override whatever default the user has. bz#1229
>
>  * Many improvements to the sftp(1) client, many of which were
>    implemented by Carlos Silva through the Google Summer of Code
>    program:
>    - Support the "-h" (human-readable units) flag for ls
>    - Implement tab-completion of commands, local and remote filenames
>    - Support most of scp(1)'s commandline arguments in sftp(1), as a
>      first step towards making sftp(1) a drop-in replacement for scp(1).
>      Note that the rarely-used "-P sftp_server_path" option has been
>      moved to "-D sftp_server_path" to make way for "-P port" to match
>      scp(1).
>    - Add recursive transfer support for get/put and on the commandline
>
>  * New RSA keys will be generated with a public exponent of RSA_F4 ==
>    (2**16)+1 == 65537 instead of the previous value 35.
>
>  * Passphrase-protected SSH protocol 2 private keys are now protected
>    with AES-128 instead of 3DES. This applied to freshly-generated keys
>    as well as keys that are reencrypted (e.g. by changing their
>    passphrase).
>
> Bugfixes:
>
>  * When using ChrootDirectory, make sure we test for the existence of
>    the user's shell inside the chroot and not outside (bz#1679)
>  * Cache user and group name lookups in sftp-server using
>    user_from_[ug]id(3) to improve performance on hosts where these
>    operations are slow (e.g. NIS or LDAP). bz#1495
>  * Fix problem that prevented passphrase reading from being interrupted
>    in some circumstances; bz#1590
>  * Ignore and log any Protocol 1 keys where the claimed size is not
>    equal to the actual size.
>  * Make HostBased authentication work with a ProxyCommand. bz#1569
>  * Avoid run-time failures when specifying hostkeys via a relative
>    path by prepending the current working directory in these cases.
>    bz#1290
>  * Do not prompt for a passphrase if we fail to open a keyfile, and log
>    the reason why the open failed to debug. bz#1693
>  * Document that the PubkeyAuthentication directive is allowed in a
>    sshd_config(5) Match block. bz#1577
>  * When converting keys, truncate key comments at 72 chars as per
>    RFC4716. bz#1630
>  * Do not allow logins if /etc/nologin exists but is not readable by the
>    user logging in.
>  * Output a debug log if sshd(8) can't open an existing authorized_keys.
>    bz#1694
>  * Quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we
>    usually don't actually have a tty to read/set; bz#1686
>  * Prevent sftp from crashing when given a "-" without a command.
>    Also, allow whitespace to follow a "-". bz#1691
>  * After sshd receives a SIGHUP, ignore subsequent HUPs while sshd
>    re-execs itself. Prevents two HUPs in quick succession from resulting
>    in sshd dying. bz#1692
>  * Clarify in sshd_config(5) that StrictModes does not apply to
>    ChrootDirectory. Permissions and ownership are always checked when
>    chrooting. bz#1532
>  * Set close-on-exec on various descriptors so they don't get leaked to
>    child processes. bz#1643
>  * Fix very rare race condition in x11/agent channel allocation: don't
>    read after the end of the select read/write fdset and make sure a
>    reused FD is not touched before the pre-handlers are called.
>  * Fix incorrect exit status when multiplexing and channel ID 0 is
>    recycled. bz#1570
>  * Fail with an error when an attempt is made to connect to a server
>    with ForceCommand=internal-sftp with a shell session (i.e. not a
>    subsystem session). Avoids stuck client when attempting to ssh to
>    such a service. bz#1606:
>  * Warn but do not fail if stat()ing the subsystem binary fails. This
>    helps with chrootdirectory+forcecommand=sftp-server and restricted
>    shells. bz #1599
>  * Change "Connecting to host..." message to "Connected to host."
>    and delay it until after the sftp protocol connection has been
>    established. Avoids confusing sequence of messages when the
>    underlying ssh connection experiences problems. bz#1588
>  * Use the HostKeyAlias rather than the hostname specified on the
>    commandline when prompting for passwords. bz#1039
>  * Correct off-by-one in percent_expand(): we would fatal() when trying
>    to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to
>    actually work. Note that nothing in OpenSSH actually uses close to
>    this limit at present. bz#1607
>  * Fix passing of empty options from scp(1) and sftp(1) to the
>    underlying ssh(1). Also add support for the stop option "--".
>  * Fix an incorrect magic number and typo in PROTOCOL; bz#1688
>  * Don't escape backslashes when displaying the SSH2 banner. bz#1533
>  * Don't unnecessarily dup() the in and out fds for sftp-server. bz#1566
>  * Force use of the correct hash function for random-art signature
>    display as it was inheriting the wrong one when bubblebabble
>    signatures were activated. bz#1611
>  * Do not fall back to adding keys without constraints (ssh-add -c /
>    -t ...) when the agent refuses the constrained add request. bz#1612
>  * Fix a race condition in ssh-agent that could result in a wedged or
>    spinning agent. bz#1633
>  * Flush stdio before exec() to ensure that everything (motd
>    in particular) has made it out before the streams go away. bz#1596
>  * Set FD_CLOEXEC on in/out sockets in sshd(8). bz#1706
>
> Portable OpenSSH Bugfixes:
>
>  * Use system's kerberos principal name on AIX if it's available.
>    bz#1583
>  * Disable OOM-killing of the listening sshd on Linux. bz#1740
>  * Use pkg-config for opensc config if it's available. bz#1160
>  * Unbreak Redhat spec to allow building without askpass. bz#1677
>  * If PidFile is set in sshd_config, use it in SMF init file. bz#1628
>  * Print error and usage() when ssh-rand-helper is passed
>    command-line arguments as none are supported. bz#1568
>  * Add missing setsockopt() to set IPV6_V6ONLY for local forwarding
>    with GatewayPorts=yes. bz#1648
>  * Make GNOME 2 askpass dialog desktop-modal. bz#1645
>  * If SELinux is enabled set the security context to "sftpd_t" before
>    running the internal sftp server. bz#1637
>  * Correctly check libselinux for necessary SELinux functions; bz#1713
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>



-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From cjwatson at debian.org Tue Mar 2 09:44:47 2010
From: cjwatson at debian.org (Colin Watson)
Date: Mon, 01 Mar 2010 22:44:47 +0000
Subject: Call for testing: OpenSSH-5.4
In-Reply-To:
Message-ID:

In article , Damien Miller wrote:
>Running the regression tests supplied with Portable OpenSSH does not
>require installation and is simply:
>
>$ ./configure && make tests

I built this from CVS on Ubuntu 10.04 (in development). I used configure options which closely approximate those we use for the Debian package, omitting a couple that go along with Debian patches:

./configure --build=i486-linux-gnu --prefix=/usr --sysconfdir=/etc/ssh --libexecdir=/usr/lib/openssh --mandir=/usr/share/man --disable-strip --with-mantype=doc --with-4in6 --with-privsep-path=/var/run/sshd --without-rand-helper --with-tcp-wrappers --with-pam --with-libedit --with-ssl-engine --with-selinux --with-xauth=/usr/bin/X11/xauth --with-default-path=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11 --with-cflags='-O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT' --with-ldflags='-Wl,--as-needed -fPIE -pie -Wl,-z,relro -Wl,-z,now'

There were a few compiler warnings most of which I don't think are particularly new, although I don't recognise the one in openssl-compat.c. I don't know if you care about all of these but I'll list them for completeness.

All regression tests passed. I haven't done serious testing beyond that, although I confirmed that sftp's tab-completion seemed to be working.

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c openssl-compat.c
openssl-compat.c: In function ‘ssh_SSLeay_add_all_algorithms’:
openssl-compat.c:70: warning: implicit declaration of function ‘OPENSSL_config’
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c bindresvport.c
bindresvport.c: In function ‘bindresvport_sa’:
bindresvport.c:71: warning: dereferencing pointer ‘sa’ does break strict-aliasing rules
bindresvport.c:66: note: initialized from here
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c readpassphrase.c
readpassphrase.c: In function ‘readpassphrase’:
readpassphrase.c:127: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result
readpassphrase.c:146: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c channels.c
channels.c: In function ‘channel_decode_socks5’:
channels.c:1235: warning: dereferencing type-punned pointer will break strict-aliasing rules
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c log.c
log.c: In function ‘do_log’:
log.c:388: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c packet.c
packet.c: In function ‘packet_connection_is_ipv4’:
packet.c:441: warning: dereferencing pointer ‘to.48’ does break strict-aliasing rules
packet.c:441: note: initialized from here
packet.c:441: warning: dereferencing pointer ‘to.48’ does break strict-aliasing rules
packet.c:441: note: initialized from here
packet.c:441: warning: dereferencing pointer ‘to.48’ does break strict-aliasing rules
packet.c:441: note: initialized from here
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c monitor_fdpass.c
monitor_fdpass.c: In function ‘mm_send_fd’:
monitor_fdpass.c:74: warning: dereferencing type-punned pointer will break strict-aliasing rules
monitor_fdpass.c: In function ‘mm_receive_fd’:
monitor_fdpass.c:175: warning: dereferencing type-punned pointer will break strict-aliasing rules
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c umac.c
umac.c: In function ‘pdf_gen_xor’:
umac.c:254: warning: dereferencing type-punned pointer will break strict-aliasing rules
umac.c:257: warning: dereferencing type-punned pointer will break strict-aliasing rules
umac.c:258: warning: dereferencing type-punned pointer will break strict-aliasing rules
umac.c:260: warning: dereferencing type-punned pointer will break strict-aliasing rules
umac.c:261: warning: dereferencing type-punned pointer will break strict-aliasing rules
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c schnorr.c
schnorr.c: In function ‘debug3_bn’:
schnorr.c:468: warning: ignoring return value of ‘vasprintf’, declared with attribute warn_unused_result
schnorr.c: In function ‘debug3_buf’:
schnorr.c:493: warning: ignoring return value of ‘vasprintf’, declared with attribute warn_unused_result
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c sshd.c
sshd.c: In function ‘main’:
sshd.c:1742: warning: ignoring return value of ‘chdir’, declared with attribute warn_unused_result
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c serverloop.c
serverloop.c: In function ‘notify_parent’:
serverloop.c:151: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c ssh-agent.c
ssh-agent.c: In function ‘main’:
ssh-agent.c:1258: warning: ignoring return value of ‘chdir’, declared with attribute warn_unused_result
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c scp.c
scp.c: In function ‘lostconn’:
scp.c:1289: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c ssh-rand-helper.c
ssh-rand-helper.c: In function ‘get_random_bytes_prngd’:
ssh-rand-helper.c:167: warning: dereferencing pointer ‘addr_in’ does break strict-aliasing rules
ssh-rand-helper.c:166: warning: dereferencing pointer ‘addr_in’ does break strict-aliasing rules
ssh-rand-helper.c:168: warning: dereferencing pointer ‘addr_in’ does break strict-aliasing rules
ssh-rand-helper.c:150: note: initialized from here
ssh-rand-helper.c:171: warning: dereferencing pointer ‘addr_un’ does break strict-aliasing rules
ssh-rand-helper.c:151: note: initialized from here
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset -fstack-protector-all -O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -DLOGIN_PROGRAM=\"/bin/login\" -DLOGIN_NO_ENDOPT -I. -I. -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/lib/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/lib/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/lib/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/lib/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/run/sshd\" -DSSH_RAND_HELPER=\"/usr/lib/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c sftp.c
sftp.c: In function ‘cmd_interrupt’:
sftp.c:219: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result

Thanks,

-- 
Colin Watson [cjwatson at debian.org]

From vadud3 at gmail.com Tue Mar 2 08:59:59 2010
From: vadud3 at gmail.com (Asif Iqbal)
Date: Mon, 1 Mar 2010 16:59:59 -0500
Subject: Call for testing: OpenSSH-5.4
In-Reply-To:
References:
Message-ID:

On Mon, Mar 1, 2010 at 4:49 PM, Asif Iqbal wrote:
> failing on opensolaris snv_133
>
> SunOS scrub 5.11 snv_133 i86pc i386 i86pc
>
> gcc version 3.4.3 (csl-sol210-3_4-20050802)
>
>
> gunzip openssh-SNAP-20100302.tar.gz
> tar tvf openssh-SNAP-20100302.tar
> tar xvf openssh-SNAP-20100302.tar
> cd openssh
> ./configure
> make tests
> [...]
> run test cert-hostkey.sh ...
> certified host keys: sign host rsa cert
> certified host keys: sign host dsa cert
> certified host keys: host rsa cert connect privsep yes
> certified host keys: host dsa cert connect privsep yes
> certified host keys: host rsa cert connect privsep no
> certified host keys: host dsa cert connect privsep no
> certified host keys: test host cert connect user-certificate expect failure
> certified host keys: test host cert connect empty principals expect success
> certified host keys: test host cert connect wrong principals expect failure
> certified host keys: test host cert connect cert not yet valid expect failure
> certified host keys: test host cert connect cert expired expect failure
> certified host keys: test host cert connect cert valid interval expect success
> certified host keys: test host cert connect cert has constraints expect failure
> certified host keys: host rsa cert downgrade to raw key
> certified host keys: host dsa cert downgrade to raw key
> ok certified host keys
> run test cert-userkey.sh ...
> certified user keys: sign user rsa cert
> certified user keys: sign user dsa cert
> certified user keys: user rsa cert connect privsep yes
> Permission denied (publickey,password,keyboard-interactive).
> ssh cert connect failed
> certified user keys: user dsa cert connect privsep yes
> Permission denied (publickey,password,keyboard-interactive).
> ssh cert connect failed
> certified user keys: user rsa cert connect privsep no
> Permission denied (publickey,password,keyboard-interactive).
> ssh cert connect failed
> certified user keys: user dsa cert connect privsep no
> Permission denied (publickey,password,keyboard-interactive).
> ssh cert connect failed
> certified user keys: ensure CA key does not authenticate user
> ssh cert connect with CA key succeeded unexpectedly
> certified user keys: test user cert connect host-certificate expect failure
> certified user keys: test user cert connect empty principals expect success
> ssh cert connect empty principals failed unexpectedly
> certified user keys: test user cert connect wrong principals expect failure
> certified user keys: test user cert connect cert not yet valid expect failure
> certified user keys: test user cert connect cert expired expect failure
> certified user keys: test user cert connect cert valid interval expect success
> ssh cert connect cert valid interval failed unexpectedly
> certified user keys: test user cert connect wrong source-address expect failure
> certified user keys: test user cert connect force-command expect failure
> failed certified user keys
> *** Error code 1
> The following command caused the error:
> if [ "xconnect.sh proxy-connect.sh connect-privsep.sh proto-version.sh
> proto-mismatch.sh exit-status.sh envpass.sh transfer.sh banner.sh
> rekey.sh stderr-data.sh stderr-after-eof.sh broken-pipe.sh
> try-ciphers.sh yes-head.sh login-timeout.sh agent.sh
> agent-getpeereid.sh agent-timeout.sh agent-ptrace.sh keyscan.sh
> keygen-change.sh keygen-convert.sh key-options.sh scp.sh sftp.sh
> sftp-cmds.sh sftp-badcmds.sh sftp-batch.sh sftp-glob.sh reconfigure.sh
> dynamic-forward.sh forwarding.sh multiplex.sh reexec.sh brokenkeys.sh
> cfgmatch.sh addrmatch.sh localcommand.sh forcecommand.sh portnum.sh
> cert-hostkey.sh cert-userkey.sh" = "x" ]; then exit 0; fi; \
> for TEST in ""connect.sh proxy-connect.sh connect-privsep.sh
> proto-version.sh proto-mismatch.sh exit-status.sh envpass.sh
> transfer.sh banner.sh rekey.sh stderr-data.sh stderr-after-eof.sh
> broken-pipe.sh try-ciphers.sh yes-head.sh login-timeout.sh agent.sh
> agent-getpeereid.sh agent-timeout.sh agent-ptrace.sh keyscan.sh
> keygen-change.sh keygen-convert.sh key-options.sh scp.sh sftp.sh
> sftp-cmds.sh sftp-badcmds.sh sftp-batch.sh sftp-glob.sh reconfigure.sh
> dynamic-forward.sh forwarding.sh multiplex.sh reexec.sh brokenkeys.sh
> cfgmatch.sh addrmatch.sh localcommand.sh forcecommand.sh portnum.sh
> cert-hostkey.sh cert-userkey.sh; do \
>         echo "run test ${TEST}" ... 1>&2; \
>         (env SUDO= TEST_ENV="MALLOC_OPTIONS=AFGJPRX" sh
> /export/home/iqbala/Download/openssh/regress/test-exec.sh
> /export/home/iqbala/Download/openssh/regress
> /export/home/iqbala/Download/openssh/regress/${TEST}) || exit $?; \
> done
> make: Fatal error: Command failed for target `t-exec'
> Current working directory /export/home/iqbala/Download/openssh/regress
> *** Error code 1
> make: Fatal error: Command failed for target `tests'

fails with sunstudio cc:

Sun C 5.10 SunOS_i386 2009/06/03

on opensolaris snv_133

run test cert-userkey.sh ...
certified user keys: sign user rsa cert
certified user keys: sign user dsa cert
certified user keys: user rsa cert connect privsep yes
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user dsa cert connect privsep yes
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user rsa cert connect privsep no
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: user dsa cert connect privsep no
Permission denied (publickey,password,keyboard-interactive).
ssh cert connect failed
certified user keys: ensure CA key does not authenticate user
ssh cert connect with CA key succeeded unexpectedly
certified user keys: test user cert connect host-certificate expect failure
certified user keys: test user cert connect empty principals expect success
ssh cert connect empty principals failed unexpectedly
certified user keys: test user cert connect wrong principals expect failure
certified user keys: test user cert connect cert not yet valid expect failure
certified user keys: test user cert connect cert expired expect failure
certified user keys: test user cert connect cert valid interval expect success
ssh cert connect cert valid interval failed unexpectedly
certified user keys: test user cert connect wrong source-address expect failure
certified user keys: test user cert connect force-command expect failure
failed certified user keys
*** Error code 1
The following command caused the error:
if [ "xconnect.sh proxy-connect.sh connect-privsep.sh proto-version.sh proto-mismatch.sh exit-status.sh envpass.sh transfer.sh banner.sh rekey.sh stderr-data.sh stderr-after-eof.sh broken-pipe.sh try-ciphers.sh yes-head.sh login-timeout.sh agent.sh agent-getpeereid.sh agent-timeout.sh agent-ptrace.sh keyscan.sh keygen-change.sh keygen-convert.sh key-options.sh scp.sh sftp.sh sftp-cmds.sh sftp-badcmds.sh sftp-batch.sh sftp-glob.sh reconfigure.sh dynamic-forward.sh forwarding.sh multiplex.sh reexec.sh brokenkeys.sh cfgmatch.sh addrmatch.sh localcommand.sh forcecommand.sh portnum.sh cert-hostkey.sh cert-userkey.sh" = "x" ]; then exit 0; fi; \
for TEST in ""connect.sh proxy-connect.sh connect-privsep.sh proto-version.sh proto-mismatch.sh exit-status.sh envpass.sh transfer.sh banner.sh rekey.sh stderr-data.sh stderr-after-eof.sh broken-pipe.sh try-ciphers.sh yes-head.sh login-timeout.sh agent.sh agent-getpeereid.sh agent-timeout.sh agent-ptrace.sh keyscan.sh keygen-change.sh keygen-convert.sh key-options.sh scp.sh sftp.sh sftp-cmds.sh sftp-badcmds.sh sftp-batch.sh sftp-glob.sh reconfigure.sh dynamic-forward.sh forwarding.sh multiplex.sh reexec.sh brokenkeys.sh cfgmatch.sh addrmatch.sh localcommand.sh forcecommand.sh portnum.sh cert-hostkey.sh cert-userkey.sh; do \
        echo "run test ${TEST}" ... 1>&2; \
        (env SUDO= TEST_ENV="MALLOC_OPTIONS=AFGJPRX" sh /export/home/iqbala/Download/openssh/regress/test-exec.sh /export/home/iqbala/Download/openssh/regress /export/home/iqbala/Download/openssh/regress/${TEST}) || exit $?; \
done
make: Fatal error: Command failed for target `t-exec'
Current working directory /export/home/iqbala/Download/openssh/regress
*** Error code 1
make: Fatal error: Command failed for target `tests'

>
>
> On Sat, Feb 27, 2010 at 2:25 AM, Damien Miller wrote:
>> Hi,
>>
>> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
>> on as many platforms and systems as possible. This is a big release,
>> with a number of major new features and many bug fixes.
>>
>> Snapshot releases for portable OpenSSH are available from
>> http://www.mindrot.org/openssh_snap/
>>
>> The OpenBSD version is available in CVS HEAD:
>> http://www.openbsd.org/anoncvs.html
>>
>> Portable OpenSSH is also available via anonymous CVS using the
>> instructions at http://www.openssh.com/portable.html#cvs
>>
>> Running the regression tests supplied with Portable OpenSSH does not
>> require installation and is simply:
>>
>> $ ./configure && make tests
>>
>> Live testing on suitable non-production systems is also
>> appreciated. Please send reports of success or failure to
>> openssh-unix-dev at mindrot.org.
>>
>> Below is a summary of changes. More detail may be found in the ChangeLog
>> in the portable OpenSSH tarballs.
>>
>> Thanks to the many people who contributed to this release.
>>
>> -------------------------------
>>
>> Changes since OpenSSH 5.3
>> =========================
>>
>> Features:
>>
>>  * After a transition period of about 10 years, this release disables
>>    SSH protocol 1 by default. Clients and servers that need to use the
>>    legacy protocol must explicitly enable it in ssh_config / sshd_config
>>    or on the command-line.
>>
>>  * Deprecate the libsectok/OpenSC-based smartcard code and add
>>    support for PKCS#11 tokens. PKCS#11 support is automatically enabled
>>    on all platforms that support dlopen(3) and was inspired by patches
>>    written by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1)
>>    manpages
>>
>>  * Add support for certificate authentication of users and hosts using a
>>    new, minimal OpenSSH certificate format (not X.509). Certificates
>>    contain a public key, identity information and some validity
>>    constraints and are signed with a standard SSH public key using
>>    ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
>>    (for user authentication) or known_hosts (for host authentication).
>>
>>    Documentation for certificate support may be found in ssh-keygen(1),
>>    sshd(8) and ssh(1) and a description of the protocol changes in
>>    PROTOCOL.certkeys.
>>
>>  * Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects
>>    stdio on the client to a single port forward on the server. This
>>    allows, for example, using ssh as a ProxyCommand to route connections
>>    via intermediate servers. bz#1618
>>
>>  * Rewrite the ssh(1) multiplexing support to support non-blocking
>>    operation of the mux master, improve the resilience of the master to
>>    malformed messages sent to it by the slave and add support for
>>    requesting port-forwardings via the multiplex protocol. The new
>>    stdio-to-local forward mode ("ssh -W host:port ...") is also
>>    supported. The revised multiplexing protocol is documented in the
>>    file PROTOCOL.mux in the source distribution.
>>
>>  * Add a 'read-only' mode to sftp-server(8) that disables open in write
>>    mode and all other fs-modifying protocol methods.
bz#430 >> >> ?* Allow setting an explicit umask on the sftp-server(8) commandline to >> ? override whatever default the user has. bz#1229 >> >> ?* Many improvements to the sftp(1) client, many of which were >> ? implemented by Carlos Silva through the Google Summer of Code >> ? program: >> ? - Support the "-h" (human-readable units) flag for ls >> ? - Implement tab-completion of commands, local and remote filenames >> ? - Support most of scp(1)'s commandline arguments in sftp(1), as a >> ? ? first step towards making sftp(1) a drop-in replacement for scp(1). >> ? ? Note that the rarely-used "-P sftp_server_path" option has been >> ? ? moved to "-D sftp_server_path" to make way for "-P port" to match >> ? ? scp(1). >> ? - Add recursive transfer support for get/put and on the commandline >> >> ?* New RSA keys will be generated with a public exponent of RSA_F4 == >> ? (2**16)+1 == 65537 instead of the previous value 35. >> >> ?* Passphrase-protected SSH protocol 2 private keys are now protected >> ? with AES-128 instead of 3DES. This applied to freshly-generated keys >> ? as well as keys that are reencrypted (e.g. by changing their >> ? passphrase). >> >> Bugfixes: >> >> ?* When using ChrootDirectory, make sure we test for the existence of >> ? the user's shell inside the chroot and not outside (bz#1679) >> ?* Cache user and group name lookups in sftp-server using >> ? user_from_[ug]id(3) to improve performance on hosts where these >> ? operations are slow (e.g. NIS or LDAP). bz#1495 >> ?* Fix problem that prevented passphrase reading from being interrupted >> ? in some circumstances; bz#1590 >> ?* Ignore and log any Protocol 1 keys where the claimed size is not >> ? equal to the actual size. >> ?* Make HostBased authentication work with a ProxyCommand. bz#1569 >> ?* Avoid run-time failures when specifying hostkeys via a relative >> ? path by prepending the current working directory in these cases. >> ? 
bz#1290 >> ?* Do not prompt for a passphrase if we fail to open a keyfile, and log >> ? the reason why the open failed to debug. bz#1693 >> ?* Document that the PubkeyAuthentication directive is allowed in a >> ? sshd_config(5) Match block. bz#1577 >> ?* When converting keys, truncate key comments at 72 chars as per >> ? RFC4716. bz#1630 >> ?* Do not allow logins if /etc/nologin exists but is not readable by the >> ? user logging in. >> ?* Output a debug log if sshd(8) can't open an existing authorized_keys. >> ? bz#1694 >> ?* Quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we >> ? usually don't actually have a tty to read/set; bz#1686 >> ?* Prevent sftp from crashing when given a "-" without a command. >> ? Also, allow whitespace to follow a "-". bz#1691 >> ?* After sshd receives a SIGHUP, ignore subsequent HUPs while sshd >> ? re-execs itself. Prevents two HUPs in quick succession from resulting >> ? in sshd dying. bz#1692 >> ?* Clarify in sshd_config(5) that StrictModes does not apply to >> ? ChrootDirectory. Permissions and ownership are always checked when >> ? chrooting. bz#1532 >> ?* Set close-on-exec on various descriptors so they don't get leaked to >> ? child processes. bz#1643 >> ?* Fix very rare race condition in x11/agent channel allocation: don't >> ? read after the end of the select read/write fdset and make sure a >> ? reused FD is not touched before the pre-handlers are called. >> ?* Fix incorrect exit status when multiplexing and channel ID 0 is >> ? recycled. bz#1570 >> ?* Fail with an error when an attempt is made to connect to a server >> ? with ForceCommand=internal-sftp with a shell session (i.e. not a >> ? subsystem session). Avoids stuck client when attempting to ssh to >> ? such a service. bz#1606: >> ?* Warn but do not fail if stat()ing the subsystem binary fails. This >> ? helps with chrootdirectory+forcecommand=sftp-server and restricted >> ? shells. bz #1599 >> ?* Change "Connecting to host..." 
message to "Connected to host." >> ? and delay it until after the sftp protocol connection has been >> ? established. Avoids confusing sequence of messages when the >> ? underlying ssh connection experiences problems. bz#1588 >> ?* Use the HostKeyAlias rather than the hostname specified on the >> ? commandline when prompting for passwords. bz#1039 >> ?* Correct off-by-one in percent_expand(): we would fatal() when trying >> ? to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to >> ? actually work. Note that nothing in OpenSSH actually uses close to >> ? this limit at present. bz#1607 >> ?* Fix passing of empty options from scp(1) and sftp(1) to the >> ? underlying ssh(1). Also add support for the stop option "--". >> ?* Fix an incorrect magic number and typo in PROTOCOL; bz#1688 >> ?* Don't escape backslashes when displaying the SSH2 banner. bz#1533 >> ?* Don't unnecessarily dup() the in and out fds for sftp-server. bz#1566 >> ?* Force use of the correct hash function for random-art signature >> ? display as it was inheriting the wrong one when bubblebabble >> ? signatures were activated. bz#1611 >> ?* Do not fall back to adding keys without contraints (ssh-add -c / >> ? -t ...) when the agent refuses the constrained add request. bz#1612 >> ?* Fix a race condition in ssh-agent that could result in a wedged or >> ? spinning agent. bz#1633 >> ?* Flush stdio before exec() to ensure that everying (motd >> ? in particular) has made it out before the streams go away. bz#1596 >> ?* Set FD_CLOEXEC on in/out sockets in sshd(8). bz#1706 >> >> Portable OpenSSH Bugfixes: >> >> ?* Use system's kerberos principal name on AIX if it's available. >> ? bz#1583 >> ?* Disable OOM-killing of the listening sshd on Linux. bz#1740 >> ?* Use pkg-config for opensc config if it's available. bz#1160 >> ?* Unbreak Redhat spec to allow building without askpass. bz#1677 >> ?* If PidFile is set in sshd_config, use it in SMF init file. 
bz#1628 >> ?* Print error and usage() when ssh-rand-helper is passed command- >> ? line arguments as none are supported. bz#1568 >> ?* Add missing setsockopt() to set IPV6_V6ONLY for local forwarding >> ? with GatwayPorts=yes. bz#1648 >> ?* Make GNOME 2 askpass dialog desktop-modal. bz#1645 >> ?* If SELinux is enabled set the security context to "sftpd_t" before >> ? running the internal sftp server. bz#1637 >> ?* Correctly check libselinux for necessary SELinux functions; bz#1713 >> _______________________________________________ >> openssh-unix-dev mailing list >> openssh-unix-dev at mindrot.org >> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >> > > > > -- > Asif Iqbal > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing? > -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? From scott_n at xypro.com Tue Mar 2 11:19:23 2010 From: scott_n at xypro.com (Scott Neugroschl) Date: Mon, 1 Mar 2010 16:19:23 -0800 Subject: Call for testing: OpenSSH-5.4 References: Message-ID: <78DD71C304F38B41885A242996B96F7302214229@xyservd.XYPRO-23.LOCAL> > -----Original Message----- > From: Scott Neugroschl > Sent: Monday, March 01, 2010 1:18 PM > To: openssh-unix-dev at mindrot.org > Subject: RE: Call for testing: OpenSSH-5.4 > > > > > OpenSSH 5.4 is almost ready for release, so we would appreciate > testing > > on as many platforms and systems as possible. This is a big release, > > with a number of major new features and many bug fixes. > > > > Passes all tests on Mandriva One 2010.0 32-bit. Addendum: This was the 20100302 snapshot. From imorgan at nas.nasa.gov Tue Mar 2 12:44:53 2010 
From: imorgan at nas.nasa.gov (Iain Morgan) Date: Mon, 1 Mar 2010 17:44:53 -0800 Subject: Call for testing: OpenSSH-5.4 In-Reply-To: References: Message-ID: <20100302014453.GF17027@linux55.nas.nasa.gov> On Sat, Feb 27, 2010 at 01:25:38 -0600, Damien Miller wrote: > Hi, > > OpenSSH 5.4 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a big release, > with a number of major new features and many bug fixes. > The 20100302 snapshot builds and tests successfully on the following platforms: RHEL 5 (x86_64) SLES 10 (x86_64) SLES 10 (ia64) On OS X (Intel), the snapshot builds but fails the regression tests: run test cert-hostkey.sh ... certified host keys: sign host rsa cert certified host keys: sign host dsa cert certified host keys: host rsa cert connect privsep yes certified host keys: host dsa cert connect privsep yes certified host keys: host rsa cert connect privsep no certified host keys: host dsa cert connect privsep no certified host keys: test host cert connect user-certificate expect failure certified host keys: test host cert connect empty principals expect success certified host keys: test host cert connect wrong principals expect failure certified host keys: test host cert connect cert not yet valid expect failure Invalid certificate time 20200101 couldn't sign cert_host_key_rsa certified host keys: test host cert connect cert expired expect failure Invalid certificate time 19800101 couldn't sign cert_host_key_rsa certified host keys: test host cert connect cert valid interval expect success certified host keys: test host cert connect cert has constraints expect failure certified host keys: host rsa cert downgrade to raw key certified host keys: host dsa cert downgrade to raw key failed certified host keys make[1]: *** [t-exec] Error 1 make: *** [tests] Error 2 And on Solaris 9 (SPARC/gcc) the tests likewise fail: run test cert-userkey.sh ... 
certified user keys: sign user rsa cert certified user keys: sign user dsa cert certified user keys: user rsa cert connect privsep yes Permission denied (publickey,password,keyboard-interactive). ssh cert connect failed certified user keys: user dsa cert connect privsep yes Permission denied (publickey,password,keyboard-interactive). ssh cert connect failed certified user keys: user rsa cert connect privsep no Permission denied (publickey,password,keyboard-interactive). ssh cert connect failed certified user keys: user dsa cert connect privsep no Permission denied (publickey,password,keyboard-interactive). ssh cert connect failed certified user keys: ensure CA key does not authenticate user ssh cert connect with CA key succeeded unexpectedly certified user keys: test user cert connect host-certificate expect failure certified user keys: test user cert connect empty principals expect success ssh cert connect empty principals failed unexpectedly certified user keys: test user cert connect wrong principals expect failure certified user keys: test user cert connect cert not yet valid expect failure certified user keys: test user cert connect cert expired expect failure certified user keys: test user cert connect cert valid interval expect success ssh cert connect cert valid interval failed unexpectedly certified user keys: test user cert connect wrong source-address expect failure certified user keys: test user cert connect force-command expect failure failed certified user keys *** Error code 1 make: Fatal error: Command failed for target `t-exec' Current working directory /u/wk/imorgan/src/openssh/openssh/regress *** Error code 1 make: Fatal error: Command failed for target 'tests' -- Iain Morgan From tim at multitalents.net Tue Mar 2 13:06:46 2010 
From: tim at multitalents.net (Tim Rice) Date: Mon, 1 Mar 2010 18:06:46 -0800 (PST) Subject: cert-hostkey.sh [was Re: Call for testing: OpenSSH-5.4] In-Reply-To: <20100302014453.GF17027@linux55.nas.nasa.gov> References: <20100302014453.GF17027@linux55.nas.nasa.gov> Message-ID: On Mon, 1 Mar 2010, Iain Morgan wrote: > On OS X (Intel), the snapshot builds but fails the regression tests: > > run test cert-hostkey.sh ... [....] > certified host keys: test host cert connect cert not yet valid expect failure > Invalid certificate time 20200101 > couldn't sign cert_host_key_rsa [....] > failed certified host keys It looks like ssh-keygen will fail to sign the key with an invalid date on some platforms. How does this patch look? ............ --- cert-hostkey.sh.old 2010-02-28 20:06:40.570868016 -0800 +++ cert-hostkey.sh 2010-03-01 17:57:56.766466000 -0800 @@ -59,8 +59,13 @@ ${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \ $sign_opts \ - $OBJ/cert_host_key_rsa || - fail "couldn't sign cert_host_key_rsa" + $OBJ/cert_host_key_rsa + rc=$? + if [ "x$result" = "xsuccess" ] ; then + if [ $rc -ne 0 ]; then + fail "ssh-keygen sign cert_host_key_rsa $ident failed unexpectedly" + fi + fi ( cat $OBJ/sshd_proxy_bak echo HostKey $OBJ/cert_host_key_rsa ............ -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From djm at mindrot.org Tue Mar 2 18:03:36 2010 From: djm at mindrot.org (Damien Miller) Date: Tue, 2 Mar 2010 18:03:36 +1100 (EST) Subject: Call for testing: OpenSSH-5.4 In-Reply-To: <20100301135958.GA14715@doctor.nl2k.ab.ca> References: <20100301135958.GA14715@doctor.nl2k.ab.ca> Message-ID: On Mon, 1 Mar 2010, The Doctor wrote: > I do have 2 suggestions only 1 I can recall. > > 1st is to check if poll is an available option on a system and if not > anyone here has an idea for compensating around it? We do already, see openbsd-compat/bsd-poll.c -d From mdb at juniper.net Wed Mar 3 06:21:04 2010 
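Review bot: replacing `|| fail "couldn't sign cert_host_key_rsa"` with a check that only fires when `$result` is `success` turns a signing failure in an expect-failure case into a silent pass. The connect that follows in the script then runs against whatever certificate ssh-keygen -s last wrote beside `$OBJ/cert_host_key_rsa` (from the previous iteration), so the "cert not yet valid" and "cert expired" cases no longer exercise the validity interval at all; they fail to connect for the wrong reason. The underlying problem ("Invalid certificate time 20200101") is in ssh-keygen and should be fixed there rather than tolerated by the test. If the script must cope in the meantime, remove the stale certificate before signing and skip the connect when `$rc -ne 0` in the failure case, so an expected failure is never satisfied by a leftover file. Minor: the two nested `if`s collapse to `if [ "x$result" = "xsuccess" ] && [ $rc -ne 0 ]; then`.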
From: mdb at juniper.net (Mark D. Baushke) Date: Tue, 2 Mar 2010 11:21:04 -0800 Subject: Call for testing: OpenSSH-5.4 In-Reply-To: References: Message-ID: <4425.1267557664@eng-mail01.juniper.net> On Mac OS X 10.5.8 (Intel) $ ./configure && make tests ... run test cert-hostkey.sh ... certified host keys: sign host rsa cert certified host keys: sign host dsa cert certified host keys: host rsa cert connect privsep yes certified host keys: host dsa cert connect privsep yes certified host keys: host rsa cert connect privsep no certified host keys: host dsa cert connect privsep no certified host keys: test host cert connect user-certificate expect failure certified host keys: test host cert connect empty principals expect success certified host keys: test host cert connect wrong principals expect failure certified host keys: test host cert connect cert not yet valid expect failure Invalid certificate time 20200101 couldn't sign cert_host_key_rsa certified host keys: test host cert connect cert expired expect failure Invalid certificate time 19800101 couldn't sign cert_host_key_rsa certified host keys: test host cert connect cert valid interval expect success certified host keys: test host cert connect cert has constraints expect failure certified host keys: host rsa cert downgrade to raw key certified host keys: host dsa cert downgrade to raw key failed certified host keys make[1]: *** [t-exec] Error 1 make: *** [tests] Error 2 $ Application of Tim Rice's patch to regress/cert-hostkey.sh lets things get a bit further... $ make tests ... run test cert-hostkey.sh ... 
certified host keys: sign host rsa cert certified host keys: sign host dsa cert certified host keys: host rsa cert connect privsep yes certified host keys: host dsa cert connect privsep yes certified host keys: host rsa cert connect privsep no certified host keys: host dsa cert connect privsep no certified host keys: test host cert connect user-certificate expect failure certified host keys: test host cert connect empty principals expect success certified host keys: test host cert connect wrong principals expect failure certified host keys: test host cert connect cert not yet valid expect failure Invalid certificate time 20200101 certified host keys: test host cert connect cert expired expect failure Invalid certificate time 19800101 certified host keys: test host cert connect cert valid interval expect success certified host keys: test host cert connect cert has constraints expect failure certified host keys: host rsa cert downgrade to raw key certified host keys: host dsa cert downgrade to raw key ok certified host keys run test cert-userkey.sh ... certified user keys: sign user rsa cert certified user keys: sign user dsa cert certified user keys: user rsa cert connect privsep yes Permission denied (publickey,password,keyboard-interactive). ssh cert connect failed certified user keys: user dsa cert connect privsep yes Permission denied (publickey,password,keyboard-interactive). ssh cert connect failed certified user keys: user rsa cert connect privsep no Permission denied (publickey,password,keyboard-interactive). ssh cert connect failed certified user keys: user dsa cert connect privsep no Permission denied (publickey,password,keyboard-interactive). 
ssh cert connect failed certified user keys: ensure CA key does not authenticate user ssh cert connect with CA key succeeded unexpectedly certified user keys: test user cert connect host-certificate expect failure certified user keys: test user cert connect empty principals expect success ssh cert connect empty principals failed unexpectedly certified user keys: test user cert connect wrong principals expect failure certified user keys: test user cert connect cert not yet valid expect failure Invalid certificate time 20200101 couldn't sign cert_user_key_rsa certified user keys: test user cert connect cert expired expect failure Invalid certificate time 19800101 couldn't sign cert_user_key_rsa certified user keys: test user cert connect cert valid interval expect success ssh cert connect cert valid interval failed unexpectedly certified user keys: test user cert connect wrong source-address expect failure certified user keys: test user cert connect force-command expect failure failed certified user keys make[1]: *** [t-exec] Error 1 make: *** [tests] Error 2 $ -- Mark From tim at multitalents.net Wed Mar 3 06:55:41 2010 
From: tim at multitalents.net (Tim Rice) Date: Tue, 2 Mar 2010 11:55:41 -0800 (PST) Subject: Call for testing: OpenSSH-5.4 In-Reply-To: <4425.1267557664@eng-mail01.juniper.net> References: <4425.1267557664@eng-mail01.juniper.net> Message-ID: On Tue, 2 Mar 2010, Mark D. Baushke wrote: > On Mac OS X 10.5.8 (Intel) > > $ ./configure && make tests [....] > failed certified host keys > make[1]: *** [t-exec] Error 1 > make: *** [tests] Error 2 > $ > > Application of Tim Rice's patch to regress/cert-hostkey.sh lets things > get a bit further... > > $ make tests > ... > run test cert-hostkey.sh ... [....] > certified host keys: test host cert connect cert not yet valid expect failure > Invalid certificate time 20200101 A similar patch is needed for cert-userkey.sh .......... --- cert-userkey.sh.old 2010-02-26 12:57:15.000000000 -0800 +++ cert-userkey.sh 2010-03-01 20:25:40.281586000 -0800 @@ -59,8 +59,13 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ $sign_opts \ - $OBJ/cert_user_key_rsa || - fail "couldn't sign cert_user_key_rsa" + $OBJ/cert_user_key_rsa + rc=$? + if [ "x$result" = "xsuccess" ] ; then + if [ $rc -ne 0 ]; then + fail "ssh-keygen sign cert_user_key_rsa $ident failed unexpectedly" + fi + fi ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \ somehost true >/dev/null 2>&1 .......... -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From djm at mindrot.org Wed Mar 3 10:28:07 2010 
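Review bot: same weakness as the cert-hostkey.sh hunk, and here the vacuous pass is visible in Mark's run above: after the host-key patch, "Invalid certificate time 20200101" is still printed for the "cert not yet valid expect failure" case and the case is then reported as passing, although no certificate with that validity was ever produced. With this hunk the `${SSH} -2i $OBJ/cert_user_key_rsa` connect immediately below uses the certificate left by the preceding "wrong principals" iteration, which is rejected for an unrelated reason. If the expect-failure branch has to tolerate `rc != 0`, it should at least delete the old certificate first or skip the connect, and the regress output should say that the case was skipped rather than passed.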
From: djm at mindrot.org (Damien Miller) Date: Wed, 3 Mar 2010 10:28:07 +1100 (EST) Subject: Call for testing: OpenSSH-5.4 In-Reply-To: <20100301200914.GH5683@calimero.vinschen.de> References: <20100301200914.GH5683@calimero.vinschen.de> Message-ID: On Mon, 1 Mar 2010, Corinna Vinschen wrote: > Including the latest Cygwin-specific changes, OpenSSH from CVS builds > fine on Cygwin 1.7. The testsuite runs successfully with a single > exception. The exception is sftp-glob.sh, which is an expected failure > on Cygwin due to the slash/backslash weirdness on Windows. Does this cause the test to abort? If so, we should probably build the exception into the test script (conditional on Cygwin) so users who compile themselves aren't surprised. -d From djm at mindrot.org Wed Mar 3 10:30:07 2010 From: djm at mindrot.org (Damien Miller) Date: Wed, 3 Mar 2010 10:30:07 +1100 (EST) Subject: Call for testing: OpenSSH-5.4 In-Reply-To: <20100302014453.GF17027@linux55.nas.nasa.gov> References: <20100302014453.GF17027@linux55.nas.nasa.gov> Message-ID: On Mon, 1 Mar 2010, Iain Morgan wrote: > On OS X (Intel), the snapshot builds but fails the regression tests: > > certified host keys: test host cert connect cert not yet valid expect failure > Invalid certificate time 20200101 > couldn't sign cert_host_key_rsa > certified host keys: test host cert connect cert expired expect failure > Invalid certificate time 19800101 > couldn't sign cert_host_key_rsa Thanks for the report, this problem is now fixed in CVS and will be in tomorrow's snapshot. If you can't wait or are curious, then this is the diff: Index: ssh-keygen.c =================================================================== RCS file: /var/cvs/openssh/ssh-keygen.c,v retrieving revision 1.192 diff -u -r1.192 ssh-keygen.c --- ssh-keygen.c 26 Feb 2010 20:55:06 -0000 1.192 +++ ssh-keygen.c 2 Mar 2010 23:05:12 -0000 
@@ -1243,13 +1243,29 @@ { struct tm tm; time_t tt; + char buf[32], *fmt; - if (strlen(s) != 8 && strlen(s) != 14) + /* + * POSIX strptime says "The application shall ensure that there + * is white-space or other non-alphanumeric characters between + * any two conversion specifications" so arrange things this way. + */ + switch (strlen(s)) { + case 8: + fmt = "%Y/%m/%d"; + snprintf(buf, sizeof(buf), "%.4s/%.2s/%.2s", s, s + 4, s + 6); + break; + case 14: + fmt = "%Y/%m/%d %H:%M:%S"; + snprintf(buf, sizeof(buf), "%.4s/%.2s/%.2s %.2s:%.2s:%.2s", + s, s + 4, s + 6, s + 8, s + 10, s + 12); + break; + default: fatal("Invalid certificate time format %s", s); + } bzero(&tm, sizeof(tm)); - if (strptime(s, - strlen(s) == 8 ? "%Y%m%d" : "%Y%m%d%H%M%S", &tm) == NULL) + if (strptime(buf, fmt, &tm) == NULL) fatal("Invalid certificate time %s", s); if ((tt = mktime(&tm)) < 0) fatal("Certificate time %s cannot be represented", s); From kevin.brott at gmail.com Wed Mar 3 10:47:23 2010 
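Review bot: the reconstructed string is only range-checked per field. strptime(3) accepts any day 01-31 whatever the month, and mktime(3) then normalises, so `-V 20200231` is silently turned into 2 March 2020 instead of being rejected; copying `tm` before mktime() (which rewrites it in place), converting `tt` back with localtime_r(3) and comparing tm_year/tm_mon/tm_mday would catch it. Two smaller points: bzero() leaves tm_isdst at 0, which tells mktime() the value is standard time and can shift a date that falls inside daylight-saving by an hour (tm_isdst = -1 lets the libc decide), and `fmt` can be `const char *` since it only ever points at literals. The `%.4s`/`%.2s` precisions keep the longest result at 19 characters plus NUL, so `buf[32]` is comfortably sized.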
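The strptime(3) separator caveat that the ssh-keygen.c change works around, together with the validity-interval check that the "cert not yet valid" and "cert expired" regress cases above exercise, as an added example in C. This is not OpenSSH code: the function names cert_time_parse and cert_interval_valid are invented here, the parsed time is taken as UTC via timegm(3) (ssh-keygen uses mktime(3), i.e. the local zone of the signing host), and the sample inputs are the 20200101 / 19800101 values from the test logs plus a constructed impossible date and a constructed "now".

```c
/*
 * Added example, not OpenSSH code: parse the YYYYMMDD / YYYYMMDDHHMMSS
 * certificate validity times that ssh-keygen -V accepts, without relying
 * on strptime(3) splitting adjacent conversions, and reject dates that
 * only "work" because mktime(3)/timegm(3) normalise them.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Explicit prototypes: on glibc these declarations depend on feature-test
 * macros, and a harness may include headers before _GNU_SOURCE is seen. */
char *strptime(const char *, const char *, struct tm *);
time_t timegm(struct tm *);
struct tm *gmtime_r(const time_t *, struct tm *);

/*
 * Parse "YYYYMMDD" or "YYYYMMDDHHMMSS" as a UTC time.
 * Returns the epoch time, or (time_t)-1 if the string is malformed, names
 * an impossible calendar date (e.g. 20200231) or lies before 1970.
 */
time_t cert_time_parse(const char *s)
{
	char canon[15], buf[32];
	struct tm tm, parsed, back;
	size_t i, n = strlen(s);
	time_t tt;

	if (n != 8 && n != 14)
		return (time_t)-1;
	for (i = 0; i < n; i++)
		if (!isdigit((unsigned char)s[i]))
			return (time_t)-1;

	/* Canonicalise to 14 digits: a bare date means midnight. */
	snprintf(canon, sizeof(canon), "%s%s", s, n == 8 ? "000000" : "");

	/*
	 * POSIX only requires strptime to separate conversions that have
	 * whitespace or punctuation between them, so "%Y%m%d" run together
	 * is not portable. Re-insert separators before parsing.
	 */
	snprintf(buf, sizeof(buf), "%.4s/%.2s/%.2s %.2s:%.2s:%.2s",
	    canon, canon + 4, canon + 6, canon + 8, canon + 10, canon + 12);
	memset(&tm, 0, sizeof(tm));
	if (strptime(buf, "%Y/%m/%d %H:%M:%S", &tm) == NULL)
		return (time_t)-1;

	/* timegm() rewrites its argument in place, so keep the parsed fields. */
	parsed = tm;
	/* A negative result covers both timegm's error value and pre-1970 dates. */
	if ((tt = timegm(&tm)) < 0)
		return (time_t)-1;

	/*
	 * strptime range-checks each field on its own (day 01-31 for any
	 * month); timegm/mktime then silently roll Feb 31 into Mar 2.
	 * Only accept values that come back unchanged.
	 */
	if (gmtime_r(&tt, &back) == NULL ||
	    back.tm_year != parsed.tm_year || back.tm_mon != parsed.tm_mon ||
	    back.tm_mday != parsed.tm_mday || back.tm_hour != parsed.tm_hour ||
	    back.tm_min != parsed.tm_min || back.tm_sec != parsed.tm_sec)
		return (time_t)-1;
	return tt;
}

/*
 * The interval test a certificate consumer applies: valid_after is
 * inclusive, valid_before exclusive. "Not yet valid" and "expired" are
 * the two ways this returns 0.
 */
int cert_interval_valid(time_t now, time_t valid_after, time_t valid_before)
{
	return now >= valid_after && now < valid_before;
}

int main(void)
{
	/* Constructed inputs: the two dates from the regress logs, an
	 * impossible date, a short string and a full timestamp. */
	const char *samples[] = {
		"20200101", "19800101", "20200231", "2020010", "20200101123456"
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		time_t t = cert_time_parse(samples[i]);
		if (t == (time_t)-1)
			printf("%-16s rejected\n", samples[i]);
		else
			printf("%-16s %lld\n", samples[i], (long long)t);
	}
	/* A cert valid 1980-01-01 .. 2020-01-01, checked at a constructed
	 * "now" of 2010-03-01T00:00:00Z (1267401600). */
	printf("2010-03-01 within 1980..2020: %d\n",
	    cert_interval_valid(1267401600, cert_time_parse("19800101"),
	    cert_time_parse("20200101")));
	return 0;
}
```

The round-trip comparison is the part worth copying: without it, an operator who mistypes a validity date gets a certificate whose bounds differ from what was requested, and nothing on the command line says so.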
From: kevin.brott at gmail.com (Kevin Brott) Date: Tue, 2 Mar 2010 15:47:23 -0800 Subject: Call for testing: OpenSSH-5.4 In-Reply-To: References: Message-ID: <574324a31003021547t4fb56e6fi97ed7c4dac55b031@mail.gmail.com> Please forgive if I'm "doin it wrong" ... but here's what I've got so far in our lab environment ... Using openssh-SNAP-20100303.tar.gz ===== Red Hat Linux 6.2 (Zoot) Kernel: 2.2.14-6.0 i686 egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) - Target: i686-pc-linux-gnu OpenSSL 0.9.8j 07 Jan 2009 ./configure && make tests ... run test agent-ptrace.sh ... [had to kill -9 the gdb process after 10 minutes without any activity] gdb failed: exit code 0 ** Inserting 'exit 0' at the beginning of agent-ptrace.sh and re-running 'make tests' lets the rest of the tests complete ... all tests passed ** Note: the ssh/sshd binaries appear to be fully functional ***PARTIAL SUCCESS*** ===== Red Hat Enterprise Linux ES release 4 (Nahant Update 5) Kernel: 2.6.9-55.0.2.ELsmp i686 gcc version 3.4.6 20060404 (Red Hat 3.4.6-8) - Target: i686-pc-linux-gnu OpenSSL 0.9.7a Feb 19 2003 ./configure --without-zlib-version-check && make tests ssh-keygen.c: In function `parse_cert_times': ssh-keygen.c:1287: error: `BSDoptarg' undeclared (first use in this function) ssh-keygen.c:1287: error: (Each undeclared identifier is reported only once ssh-keygen.c:1287: error: for each function it appears in.) 
make: *** [ssh-keygen.o] Error 1 # rpmbuild -bb ./contrib/redhat/openssh.spec error: parse error in expression error: /usr/src/openssh/contrib/redhat/openssh.spec:77: parseExpressionBoolean returns -1 error: Group field must be present in package: (main package) error: License field must be present in package: (main package) ** spec file broken ***FAILED*** ===== Red Hat Enterprise Linux Server release 5.4 (Tikanga) Kernel: 2.6.18-128.2.1.el5 x86_64 gcc version 4.1.2 20080704 (Red Hat 4.1.2-46) - Target: x86_64-redhat-linux OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 ./configure && make tests all tests passed # rpmbuild -bb contrib/redhat/openssh.spec error: parse error in expression error: /usr/src/openssh/contrib/redhat/openssh.spec:77: parseExpressionBoolean returns -1 error: Group field must be present in package: (main package) error: License field must be present in package: (main package) ** spec file broken ***SUCCESS*** ===== Ubuntu 9.10 (karmic) x86_64 Kernel: 2.6.31-19-generic gcc version 4.4.1 (Ubuntu 4.4.1-4ubuntu9) - Target: x86_64-linux-gnu OpenSSL 0.9.8g 19 Oct 2007 ./configure && make tests all tests passed ***SUCCESS*** ===== HP-UX B.11.23 gcc version 4.1.1 - Target: ia64-hp-hpux11.23 OpenSSL 0.9.7m 23 Feb 2007 ./configure && gmake tests loginrec.c:725: warning: 'struct utmpx' declared inside parameter list loginrec.c:725: warning: its scope is only this definition or declaration, which is probably not what you want loginrec.c:736: warning: 'struct utmpx' declared inside parameter list loginrec.c: In function 'construct_utmpx': loginrec.c:741: error: dereferencing pointer to incomplete type loginrec.c:750: error: dereferencing pointer to incomplete type loginrec.c:753: error: dereferencing pointer to incomplete type loginrec.c:756: error: dereferencing pointer to incomplete type loginrec.c:756: error: dereferencing pointer to incomplete type loginrec.c:757: warning: passing argument 2 of 'set_utmpx_time' from incompatible pointer type loginrec.c:758: 
error: dereferencing pointer to incomplete type loginrec.c:761: error: dereferencing pointer to incomplete type loginrec.c:762: error: dereferencing pointer to incomplete type loginrec.c:762: error: dereferencing pointer to incomplete type loginrec.c: At top level: loginrec.c:987: warning: 'struct utmpx' declared inside parameter list loginrec.c: In function 'utmpx_write_library': loginrec.c:989: warning: implicit declaration of function 'setutxent' loginrec.c:990: warning: implicit declaration of function 'pututxline' loginrec.c:993: warning: implicit declaration of function 'endutxent' loginrec.c: In function 'utmpx_perform_login': loginrec.c:1012: error: storage size of 'utx' isn't known loginrec.c:1012: warning: unused variable 'utx' loginrec.c: In function 'utmpx_perform_logout': loginrec.c:1033: error: storage size of 'utx' isn't known loginrec.c:1033: warning: unused variable 'utx' loginrec.c: In function 'record_failed_login': loginrec.c:1628: warning: unused variable 'a6' gmake: *** [loginrec.o] Error 1 gmake clean && ./configure --disable-utmpx --disable-wtmpx && make tests ... run test cert-hostkey.sh ... 
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect failure
Invalid certificate time 20200101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert expired expect failure
Invalid certificate time 19800101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert valid interval expect success
certified host keys: test host cert connect cert has constraints expect failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
failed certified host keys
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/var/compile/build/openssh/regress'
make: *** [tests] Error 2
***FAILED***
=====
HP-UX B.11.31 ia64
gcc version 4.3.3 (GCC) - Target: ia64-hp-hpux11.31
OpenSSL 0.9.8l 5 Nov 2009
./configure && gmake tests
...
run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect failure
Invalid certificate time 20200101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert expired expect failure
Invalid certificate time 19800101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert valid interval expect success
certified host keys: test host cert connect cert has constraints expect failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
failed certified host keys
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/usr/src/openssh/regress'
gmake: *** [tests] Error 2
***FAILED***
=====
HP-UX B.11.31 ia64
cc: HP C/aC++ B3910B A.06.20 [May 13 2008]
OpenSSL 0.9.8l 5 Nov 2009
./configure && gmake tests
...
run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect failure
Invalid certificate time 20200101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert expired expect failure
Invalid certificate time 19800101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert valid interval expect success
certified host keys: test host cert connect cert has constraints expect failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
failed certified host keys
gmake: *** [t-exec] Error 1
*** Error exit code 2

Stop.
***FAILED***
=====
AIX 5.3sp7 (5300-07-02-0806)
gcc version 4.2.0 - Target: powerpc-ibm-aix5.3.0.0
OpenSSL 0.9.8k 25 Mar 2009
./configure && gmake tests
...
run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect failure
Invalid certificate time 20200101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert expired expect failure
Invalid certificate time 19800101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert valid interval expect success
certified host keys: test host cert connect cert has constraints expect failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
failed certified host keys
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/lppdir/build/phs-openssh/openssh/regress'
gmake: *** [tests] Error 2
***FAILED***
=====
AIX 6.1sp4 (6100-04-00-0000) - gcc version 4.2.0 - Target: powerpc-ibm-aix6.1.0.0
OpenSSL 0.9.8k 25 Mar 2009
./configure && gmake tests
...
run test cert-hostkey.sh ...
certified host keys: sign host rsa cert
certified host keys: sign host dsa cert
certified host keys: host rsa cert connect privsep yes
certified host keys: host dsa cert connect privsep yes
certified host keys: host rsa cert connect privsep no
certified host keys: host dsa cert connect privsep no
certified host keys: test host cert connect user-certificate expect failure
certified host keys: test host cert connect empty principals expect success
certified host keys: test host cert connect wrong principals expect failure
certified host keys: test host cert connect cert not yet valid expect failure
Invalid certificate time 20200101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert expired expect failure
Invalid certificate time 19800101
couldn't sign cert_host_key_rsa
certified host keys: test host cert connect cert valid interval expect success
certified host keys: test host cert connect cert has constraints expect failure
certified host keys: host rsa cert downgrade to raw key
certified host keys: host dsa cert downgrade to raw key
failed certified host keys
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/lppdir/build/phs-openssh/openssh/regress'
gmake: *** [tests] Error 2
***FAILED***
=====

Not yet sure why the AIX/HP-UX boxes are failing on cert-hostkey.sh. Trying to get sensibly verbose output out of the test script. Suspecting a bsd/linux/gnu difference in command syntax/output vs AIX/HP-UX in the test script.

--
# include
/* Kevin Brott */

From kevin.brott at gmail.com Wed Mar 3 11:39:17 2010
From: kevin.brott at gmail.com (Kevin Brott) Date: Tue, 2 Mar 2010 16:39:17 -0800 Subject: Call for testing: OpenSSH-5.4 In-Reply-To: References: <20100302014453.GF17027@linux55.nas.nasa.gov> Message-ID: <574324a31003021639g29225623x8dfb000800af8430@mail.gmail.com> On Tue, Mar 2, 2010 at 15:30, Damien Miller wrote: > On Mon, 1 Mar 2010, Iain Morgan wrote: > > > On OS X (Intel), the snapshot builds but fails the regression tests: > > > > certified host keys: test host cert connect cert not yet valid expect > failure > > Invalid certificate time 20200101 > > couldn't sign cert_host_key_rsa > > certified host keys: test host cert connect cert expired expect failure > > Invalid certificate time 19800101 > > couldn't sign cert_host_key_rsa > > Thanks for the report, this problem is now fixed in CVS and will be in > tomorrow's snapshot. If you can't wait or are curious, then this is the > diff: > > Index: ssh-keygen.c > =================================================================== > RCS file: /var/cvs/openssh/ssh-keygen.c,v > retrieving revision 1.192 > diff -u -r1.192 ssh-keygen.c > --- ssh-keygen.c 26 Feb 2010 20:55:06 -0000 1.192 > +++ ssh-keygen.c 2 Mar 2010 23:05:12 -0000 
> @@ -1243,13 +1243,29 @@ > { > struct tm tm; > time_t tt; > + char buf[32], *fmt; > > - if (strlen(s) != 8 && strlen(s) != 14) > + /* > + * POSIX strptime says "The application shall ensure that there > + * is white-space or other non-alphanumeric characters between > + * any two conversion specifications" so arrange things this way. > + */ > + switch (strlen(s)) { > + case 8: > + fmt = "%Y/%m/%d"; > + snprintf(buf, sizeof(buf), "%.4s/%.2s/%.2s", s, s + 4, s + > 6); > + break; > + case 14: > + fmt = "%Y/%m/%d %H:%M:%S"; > + snprintf(buf, sizeof(buf), "%.4s/%.2s/%.2s %.2s:%.2s:%.2s", > + s, s + 4, s + 6, s + 8, s + 10, s + 12); > + break; > + default: > fatal("Invalid certificate time format %s", s); > + } > > bzero(&tm, sizeof(tm)); > - if (strptime(s, > - strlen(s) == 8 ? "%Y%m%d" : "%Y%m%d%H%M%S", &tm) == NULL) > + if (strptime(buf, fmt, &tm) == NULL) > fatal("Invalid certificate time %s", s); > if ((tt = mktime(&tm)) < 0) > fatal("Certificate time %s cannot be represented", s); > > Gah. What I get for going into heads-down mode with my gmail client open in edit mode. This patch fixes the cert-hostkey.sh regression failure on AIX and HP-UX, but the test results for those builds is now: ... ok certified host keys run test cert-userkey.sh ... certified user keys: sign user rsa cert certified user keys: sign user dsa cert certified user keys: user rsa cert connect privsep yes Permission denied (publickey,password,keyboard-interactive). ssh cert connect failed certified user keys: user dsa cert connect privsep yes Permission denied (publickey,password,keyboard-interactive). ssh cert connect failed certified user keys: user rsa cert connect privsep no Permission denied (publickey,password,keyboard-interactive). ssh cert connect failed certified user keys: user dsa cert connect privsep no Permission denied (publickey,password,keyboard-interactive). 
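Review bot: the strptime(3) result is only compared against NULL, so a conversion that consumes fewer characters than expected is not rejected: for an input such as "2020011x", %d reads the single digit "1", strptime returns a pointer to "x" rather than NULL, and the partially filled struct tm reaches mktime(3). Check the returned pointer as well, e.g. `if ((cp = strptime(buf, fmt, &tm)) == NULL || *cp != '\0')`. Separately, after the bzero() tm_isdst is 0, which tells mktime() to treat the time as standard time even on a date that falls in DST; setting `tm.tm_isdst = -1` before the mktime() call lets it determine that for the given local date. Note also that the `< 0` test on the mktime() result rejects any representable pre-1970 time, not only the error return of -1.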
ssh cert connect failed
certified user keys: ensure CA key does not authenticate user
ssh cert connect with CA key succeeded unexpectedly
certified user keys: test user cert connect host-certificate expect failure
certified user keys: test user cert connect empty principals expect success
ssh cert connect empty principals failed unexpectedly
certified user keys: test user cert connect wrong principals expect failure
certified user keys: test user cert connect cert not yet valid expect failure
certified user keys: test user cert connect cert expired expect failure
certified user keys: test user cert connect cert valid interval expect success
ssh cert connect cert valid interval failed unexpectedly
certified user keys: test user cert connect wrong source-address expect failure
certified user keys: test user cert connect force-command expect failure
failed certified user keys
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `./openssh/regress'
make: *** [tests] Error 2

Summary:
RH 6.2 - builds - works - agent-ptrace.sh hangs - all other tests pass
RHEL 4.6 i686 - build fails in ssh-keygen.c for undefined BSDoptarg - openssh.spec broken
RHEL 5.4 x86_64 - builds - works - all tests passed - openssh.spec broken
Ubuntu 9.10 x86_64 - builds - works - all tests passed
HP-UX B.11.23 ia64 - builds - works - regression tests fail at cert-userkey.sh
HP-UX B.11.31 ia64 - gcc - builds - works - regression tests fail at cert-userkey.sh
HP-UX B.11.31 ia64 - cc/aC++ - builds - works - regression tests fail at cert-userkey.sh
AIX 5.3sp7 - builds - works - regression tests fail at cert-userkey.sh
AIX 6.1sp4 - builds - works - regression tests fail at cert-userkey.sh

--
# include
/* Kevin Brott */

From djm at mindrot.org Wed Mar 3 11:45:06 2010
From: djm at mindrot.org (Damien Miller)
Date: Wed, 3 Mar 2010 11:45:06 +1100 (EST)
Subject: Call for testing: OpenSSH-5.4
In-Reply-To: <574324a31003021639g29225623x8dfb000800af8430@mail.gmail.com>
References: <20100302014453.GF17027@linux55.nas.nasa.gov> <574324a31003021639g29225623x8dfb000800af8430@mail.gmail.com>
Message-ID:

Thanks for the detailed test results! Darren fixed a portability bug in
the test scripts on the weekend. Could you take a quick look at the start
of regress/cert-hostkey.sh to see if it uses "echo -n" or "echon" in this
block:

# Create a CA key and add it to known hosts
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\
	fail "ssh-keygen of host_ca_key failed"
(
	echon '@cert-authority '
	echon "$HOSTS "
	cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert

If it uses "echo -n" then you are using the version with the portability
bug which will cause these tests to fail unexpectedly.

-d

On Tue, 2 Mar 2010, Kevin Brott wrote:

> On Tue, Mar 2, 2010 at 15:30, Damien Miller wrote:
> On Mon, 1 Mar 2010, Iain Morgan wrote:
>
> > On OS X (Intel), the snapshot builds but fails the regression tests:
> >
> > certified host keys: test host cert connect cert not yet valid expect failure
> > Invalid certificate time 20200101
> > couldn't sign cert_host_key_rsa
> > certified host keys: test host cert connect cert expired expect failure
> > Invalid certificate time 19800101
> > couldn't sign cert_host_key_rsa
>
> Thanks for the report, this problem is now fixed in CVS and will be in
> tomorrow's snapshot. If you can't wait or are curious, then this is the
> diff:
>
> Index: ssh-keygen.c
> ===================================================================
> RCS file: /var/cvs/openssh/ssh-keygen.c,v
> retrieving revision 1.192
> diff -u -r1.192 ssh-keygen.c
> --- ssh-keygen.c 26 Feb 2010 20:55:06 -0000 1.192
> +++ ssh-keygen.c 2 Mar 2010 23:05:12 -0000
> @@ -1243,13 +1243,29 @@ > { > struct tm tm; > time_t tt; > + char buf[32], *fmt; > > - if (strlen(s) != 8 && strlen(s) != 14) > + /* > + * POSIX strptime says "The application shall ensure that > there > + * is white-space or other non-alphanumeric characters between > + * any two conversion specifications" so arrange things this > way. > + */ > + switch (strlen(s)) { > + case 8: > + fmt = "%Y/%m/%d"; > + snprintf(buf, sizeof(buf), "%.4s/%.2s/%.2s", s, s + 4, > s + 6); > + break; > + case 14: > + fmt = "%Y/%m/%d %H:%M:%S"; > + snprintf(buf, sizeof(buf), "%.4s/%.2s/%.2s > %.2s:%.2s:%.2s", > + s, s + 4, s + 6, s + 8, s + 10, s + 12); > + break; > + default: > fatal("Invalid certificate time format %s", s); > + } > > bzero(&tm, sizeof(tm)); > - if (strptime(s, > - strlen(s) == 8 ? "%Y%m%d" : "%Y%m%d%H%M%S", &tm) == NULL) > + if (strptime(buf, fmt, &tm) == NULL) > fatal("Invalid certificate time %s", s); > if ((tt = mktime(&tm)) < 0) > fatal("Certificate time %s cannot be represented", s); > > > Gah. What I get for going into heads-down mode with my gmail client open in > edit mode. > > This patch fixes the cert-hostkey.sh regression failure on AIX and HP-UX, > but the test results for those builds is now: > ... > ok certified host keys > run test cert-userkey.sh ... > certified user keys: sign user rsa cert > certified user keys: sign user dsa cert > certified user keys: user rsa cert connect privsep yes > Permission denied (publickey,password,keyboard-interactive). > ssh cert connect failed > certified user keys: user dsa cert connect privsep yes > Permission denied (publickey,password,keyboard-interactive). > ssh cert connect failed > certified user keys: user rsa cert connect privsep no > Permission denied (publickey,password,keyboard-interactive). > ssh cert connect failed > certified user keys: user dsa cert connect privsep no > Permission denied (publickey,password,keyboard-interactive). 
> ssh cert connect failed
> certified user keys: ensure CA key does not authenticate user
> ssh cert connect with CA key succeeded unexpectedly
> certified user keys: test user cert connect host-certificate expect failure
> certified user keys: test user cert connect empty principals expect success
> ssh cert connect empty principals failed unexpectedly
> certified user keys: test user cert connect wrong principals expect failure
> certified user keys: test user cert connect cert not yet valid expect failure
> certified user keys: test user cert connect cert expired expect failure
> certified user keys: test user cert connect cert valid interval expect success
> ssh cert connect cert valid interval failed unexpectedly
> certified user keys: test user cert connect wrong source-address expect failure
> certified user keys: test user cert connect force-command expect failure
> failed certified user keys
> gmake[1]: *** [t-exec] Error 1
> gmake[1]: Leaving directory `./openssh/regress'
> make: *** [tests] Error 2
>
> Summary:
> RH 6.2 - builds - works - agent-ptrace.sh hangs - all other tests pass
> RHEL 4.6 i686 - build fails in ssh-keygen.c for undefined BSDoptarg - openssh.spec broken
> RHEL 5.4 x86_64 - builds - works - all tests passed - openssh.spec broken
> Ubuntu 9.10 x86_64 - builds - works - all tests passed
> HP-UX B.11.23 ia64 - builds - works - regression tests fail at cert-userkey.sh
> HP-UX B.11.31 ia64 - gcc - builds - works - regression tests fail at cert-userkey.sh
> HP-UX B.11.31 ia64 - cc/aC++ - builds - works - regression tests fail at cert-userkey.sh
> AIX 5.3sp7 - builds - works - regression tests fail at cert-userkey.sh
> AIX 6.1sp4 - builds - works - regression tests fail at cert-userkey.sh
> --
> # include
> /* Kevin Brott */
>
>
>

From imorgan at nas.nasa.gov Wed Mar 3 13:15:44 2010
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Tue, 2 Mar 2010 18:15:44 -0800
Subject: Call for testing: OpenSSH-5.4
In-Reply-To:
References: <20100302014453.GF17027@linux55.nas.nasa.gov> <574324a31003021639g29225623x8dfb000800af8430@mail.gmail.com>
Message-ID: <20100303021544.GO10976@linux55.nas.nasa.gov>

On Tue, Mar 02, 2010 at 18:45:06 -0600, Damien Miller wrote:
> Thanks for the detailed test results! Darren fixed a portability bug in
> the test scripts on the weekend. Could you take a quick look at the start
> of regress/cert-hostkey.sh to see if it uses "echo -n" or "echon" in this
> block:
>
> # Create a CA key and add it to known hosts
> ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\
> 	fail "ssh-keygen of host_ca_key failed"
> (
> 	echon '@cert-authority '
> 	echon "$HOSTS "
> 	cat $OBJ/host_ca_key.pub
> ) > $OBJ/known_hosts-cert
>
> If it uses "echo -n" then you are using the version with the portability
> bug which will cause these tests to fail unexpectedly.
>

The version of cert-hostkey.sh that I have been using (from the 20100302
snapshot) uses "echon" rather than "echo -n." However, I should note
that cert-userkey.sh still uses "echo -n", even in CVS.

--
Iain Morgan

From djm at mindrot.org Wed Mar 3 13:23:24 2010
From: djm at mindrot.org (Damien Miller)
Date: Wed, 3 Mar 2010 13:23:24 +1100 (EST)
Subject: Call for testing: OpenSSH-5.4
In-Reply-To: <20100303021544.GO10976@linux55.nas.nasa.gov>
References: <20100302014453.GF17027@linux55.nas.nasa.gov> <574324a31003021639g29225623x8dfb000800af8430@mail.gmail.com> <20100303021544.GO10976@linux55.nas.nasa.gov>
Message-ID:

On Tue, 2 Mar 2010, Iain Morgan wrote:

> On Tue, Mar 02, 2010 at 18:45:06 -0600, Damien Miller wrote:
> > Thanks for the detailed test results! Darren fixed a portability bug in
> > the test scripts on the weekend. Could you take a quick look at the start
> > of regress/cert-hostkey.sh to see if it uses "echo -n" or "echon" in this
> > block:
> >
> > # Create a CA key and add it to known hosts
> > ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\
> > 	fail "ssh-keygen of host_ca_key failed"
> > (
> > 	echon '@cert-authority '
> > 	echon "$HOSTS "
> > 	cat $OBJ/host_ca_key.pub
> > ) > $OBJ/known_hosts-cert
> >
> > If it uses "echo -n" then you are using the version with the portability
> > bug which will cause these tests to fail unexpectedly.
> >
>
> The version of cert-hostkey.sh that I have been using (from the 20100302
> snapshot) uses "echon" rather than "echo -n." However, I should note
> that cert-userkey.sh still uses "echo -n", even in CVS.

oops, fixed now:

http://anoncvs.mindrot.org/index.cgi/openssh/regress/cert-userkey.sh?revision=1.2&view=markup

Thanks for noticing

-d

From kevin.brott at gmail.com Wed Mar 3 13:30:16 2010
From: kevin.brott at gmail.com (Kevin Brott)
Date: Tue, 2 Mar 2010 18:30:16 -0800
Subject: Call for testing: OpenSSH-5.4
In-Reply-To:
References: <20100302014453.GF17027@linux55.nas.nasa.gov> <574324a31003021639g29225623x8dfb000800af8430@mail.gmail.com>
Message-ID: <574324a31003021830j6398d991p516e99a5b889be72@mail.gmail.com>

That chunk looks okay in regress/cert-hostkey.sh, but since I'm failing in
regress/cert-userkey.sh, I go look and see a block at the top which contains
the following, which looks to be the portability bug:

# Create a CA key and add it to authorized_keys
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
	fail "ssh-keygen of user_ca_key failed"
(
	echo -n 'cert-authority '
	cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER

Fixing 'echo -n' to 'echon' in regress/cert-userkey.sh causes that test to
pass. So all but one system builds (RHEL 4.5, I'll dig into that tomorrow),
and regression tests work on everything that builds (except the RH 6.2 build
which is apparently having a gdb issue in agent-ptrace.sh).

Summary 2010.03.02 18:30 PST:
= RH 6.2 i686 - builds - works - agent-ptrace.sh hangs - all other tests pass
- RHEL 4.6 i686 - BUILD FAILS in ssh-keygen.c for undefined BSDoptarg - openssh.spec broken
+ RHEL 5.4 x86_64 - builds - works - all tests passed - openssh.spec broken
+ Ubuntu 9.10 x86_64 - builds - works - all tests passed
+ HP-UX B.11.23 ia64 - builds - works - all tests passed
+ HP-UX B.11.31 ia64 - gcc - builds - works - all tests passed
+ HP-UX B.11.31 ia64 - cc/aC++ - builds - works - all tests passed
+ AIX 5.3sp7 - builds - works - all tests passed
+ AIX 6.1sp4 - builds - works - all tests passed

One note on the HP-UX builds - saw several warnings during compile in
auth-options.c like the following, not sure if they're indicative of
anything serious, but it looks like a type conflict.
"auth-options.c", line 421: warning #4212-D: mismatch between character pointer types "u_char *" and "const char *" if (strcmp(name, "permit-X11-forwarding") == 0) ^ Couple of more test systems tomorrow, as cycles permit. ===== On Tue, Mar 2, 2010 at 16:45, Damien Miller wrote: > Thanks for the detailed test results! Darren fixed a portability bug in > the test scripts on the weekend. Could you take a quick look at the start > of regress/cert-hostkey.sh to see if it uses "echo -n" or "echon" in this > block: > > # Create a CA key and add it to known hosts > ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\ > fail "ssh-keygen of host_ca_key failed" > ( > echon '@cert-authority ' > echon "$HOSTS " > cat $OBJ/host_ca_key.pub > ) > $OBJ/known_hosts-cert > > If it uses "echo -n" then you are using the version with the portability > bug which will cause these tests to fail unexpectedly. > > -d > > On Tue, 2 Mar 2010, Kevin Brott wrote: > > > On Tue, Mar 2, 2010 at 15:30, Damien Miller wrote: > > On Mon, 1 Mar 2010, Iain Morgan wrote: > > > > > On OS X (Intel), the snapshot builds but fails the regression > > tests: > > > > > > certified host keys: test host cert connect cert not yet valid > > expect failure > > > Invalid certificate time 20200101 > > > couldn't sign cert_host_key_rsa > > > certified host keys: test host cert connect cert expired expect > > failure > > > Invalid certificate time 19800101 > > > couldn't sign cert_host_key_rsa > > > > Thanks for the report, this problem is now fixed in CVS and will be in > > tomorrow's snapshot. If you can't wait or are curious, then this is > > the > > diff: > > > > Index: ssh-keygen.c > > =================================================================== > > RCS file: /var/cvs/openssh/ssh-keygen.c,v > > retrieving revision 1.192 > > diff -u -r1.192 ssh-keygen.c > > --- ssh-keygen.c 26 Feb 2010 20:55:06 -0000 1.192 > > +++ ssh-keygen.c 2 Mar 2010 23:05:12 -0000 
> > @@ -1243,13 +1243,29 @@ > > { > > struct tm tm; > > time_t tt; > > + char buf[32], *fmt; > > > > - if (strlen(s) != 8 && strlen(s) != 14) > > + /* > > + * POSIX strptime says "The application shall ensure that > > there > > + * is white-space or other non-alphanumeric characters between > > + * any two conversion specifications" so arrange things this > > way. > > + */ > > + switch (strlen(s)) { > > + case 8: > > + fmt = "%Y/%m/%d"; > > + snprintf(buf, sizeof(buf), "%.4s/%.2s/%.2s", s, s + 4, > > s + 6); > > + break; > > + case 14: > > + fmt = "%Y/%m/%d %H:%M:%S"; > > + snprintf(buf, sizeof(buf), "%.4s/%.2s/%.2s > > %.2s:%.2s:%.2s", > > + s, s + 4, s + 6, s + 8, s + 10, s + 12); > > + break; > > + default: > > fatal("Invalid certificate time format %s", s); > > + } > > > > bzero(&tm, sizeof(tm)); > > - if (strptime(s, > > - strlen(s) == 8 ? "%Y%m%d" : "%Y%m%d%H%M%S", &tm) == NULL) > > + if (strptime(buf, fmt, &tm) == NULL) > > fatal("Invalid certificate time %s", s); > > if ((tt = mktime(&tm)) < 0) > > fatal("Certificate time %s cannot be represented", s); > > > > > > Gah. What I get for going into heads-down mode with my gmail client open > in > > edit mode. > > > > This patch fixes the cert-hostkey.sh regression failure on AIX and HP-UX, > > but the test results for those builds is now: > > ... > > ok certified host keys > > run test cert-userkey.sh ... > > certified user keys: sign user rsa cert > > certified user keys: sign user dsa cert > > certified user keys: user rsa cert connect privsep yes > > Permission denied (publickey,password,keyboard-interactive). > > ssh cert connect failed > > certified user keys: user dsa cert connect privsep yes > > Permission denied (publickey,password,keyboard-interactive). > > ssh cert connect failed > > certified user keys: user rsa cert connect privsep no > > Permission denied (publickey,password,keyboard-interactive). 
> > ssh cert connect failed
> > certified user keys: user dsa cert connect privsep no
> > Permission denied (publickey,password,keyboard-interactive).
> > ssh cert connect failed
> > certified user keys: ensure CA key does not authenticate user
> > ssh cert connect with CA key succeeded unexpectedly
> > certified user keys: test user cert connect host-certificate expect failure
> > certified user keys: test user cert connect empty principals expect success
> > ssh cert connect empty principals failed unexpectedly
> > certified user keys: test user cert connect wrong principals expect failure
> > certified user keys: test user cert connect cert not yet valid expect failure
> > certified user keys: test user cert connect cert expired expect failure
> > certified user keys: test user cert connect cert valid interval expect success
> > ssh cert connect cert valid interval failed unexpectedly
> > certified user keys: test user cert connect wrong source-address expect failure
> > certified user keys: test user cert connect force-command expect failure
> > failed certified user keys
> > gmake[1]: *** [t-exec] Error 1
> > gmake[1]: Leaving directory `./openssh/regress'
> > make: *** [tests] Error 2
> >
> > Summary:
> > RH 6.2 - builds - works - agent-ptrace.sh hangs - all other tests pass
> > RHEL 4.6 i686 - build fails in ssh-keygen.c for undefined BSDoptarg - openssh.spec broken
> > RHEL 5.4 x86_64 - builds - works - all tests passed - openssh.spec broken
> > Ubuntu 9.10 x86_64 - builds - works - all tests passed
> > HP-UX B.11.23 ia64 - builds - works - regression tests fail at cert-userkey.sh
> > HP-UX B.11.31 ia64 - gcc - builds - works - regression tests fail at cert-userkey.sh
> > HP-UX B.11.31 ia64 - cc/aC++ - builds - works - regression tests fail at cert-userkey.sh
> > AIX 5.3sp7 - builds - works - regression tests fail at cert-userkey.sh
> > AIX 6.1sp4 - builds - works - regression tests fail at cert-userkey.sh
> > --
# include
> > /* Kevin Brott */
> >
> >
> >
>

--
# include
/* Kevin Brott */

From imorgan at nas.nasa.gov Wed Mar 3 14:47:00 2010
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Tue, 2 Mar 2010 19:47:00 -0800
Subject: cert-authority and authorized_keys file
Message-ID: <20100303034700.GG17027@linux55.nas.nasa.gov>

Hi,

I noticed that in regress/cert-userkey.sh the signing key is added to the
authorized_keys file with the tag "cert-authority" whereas in sshd(8) the
tag is documented as "from=cert-authority." Since the former seems to work,
I assume the latter is a typo.

While on the subject of typos (which I have been known to make more than my
fair share of) I noticed the phrase "similar same" in PROTOCOL.certkey
(line 51) which should simply be "similar."

--
Iain Morgan

From vinschen at redhat.com Wed Mar 3 21:43:08 2010
From: vinschen at redhat.com (Corinna Vinschen)
Date: Wed, 3 Mar 2010 11:43:08 +0100
Subject: Call for testing: OpenSSH-5.4
In-Reply-To:
References: <20100301200914.GH5683@calimero.vinschen.de>
Message-ID: <20100303104308.GK17293@calimero.vinschen.de>

On Mar 3 10:28, Damien Miller wrote:
> On Mon, 1 Mar 2010, Corinna Vinschen wrote:
>
> > Including the latest Cygwin-specific changes, OpenSSH from CVS builds
> > fine on Cygwin 1.7. The testsuite runs successfully with a single
> > exception. The exception is sftp-glob.sh, which is an expected failure
> > on Cygwin due to the slash/backslash weirdness on Windows.
>
> Does this cause the test to abort? If so, we should probably build the
> exception into the test script (conditional on Cygwin) so users who
> compile themselves aren't surprised.

Yes, the test aborts in this case, thanks for asking. I helped myself by
tweaking regress/Makefile so I ran the later tests after skipping
sftp-glob.sh.

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

From vinschen at redhat.com Wed Mar 3 21:52:10 2010
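The "echo -n" versus "echon" portability bug discussed in the messages above comes from shells whose echo does not understand -n and prints it literally, so the CA tag and the key end up on separate lines and sshd accepts neither as an entry. The following POSIX sh snippet is an added illustration for this page, not the regress scripts' own echon (which is not reproduced here): it builds the same authorized_keys and known_hosts CA entries with printf, which never appends a newline for '%s', and checks that each entry comes out as exactly one line. SAMPLE_CA_PUB is a constructed placeholder rather than a real key, and all function names are my own.

```shell
#!/bin/sh
# Added example, not part of the OpenSSH regress scripts.  Portable
# replacement for "echo -n" plus helpers that assemble the cert-authority
# entries the tests write to authorized_keys and known_hosts.

# printf is specified by POSIX and never emits a trailing newline for
# '%s', which sidesteps both echo dialects (BSD "-n" versus SysV "\c").
echon() {
	printf '%s' "$*"
}

# One authorized_keys line marking KEY ("type base64 comment") as a CA
# for user certificates.  Exactly one newline, at the end.
ca_authorized_keys_line() {
	echon 'cert-authority '
	printf '%s\n' "$1"
}

# One known_hosts line marking KEY as a CA for host certificates of the
# hosts matching the first argument (a known_hosts host pattern).
ca_known_hosts_line() {
	echon '@cert-authority '
	echon "$1 "
	printf '%s\n' "$2"
}

# Number of lines a helper produced.  A non-BSD "echo -n" would have
# turned the one intended entry into two or three lines, which sshd then
# ignores as malformed keys (the symptom seen in cert-userkey.sh).
line_count() {
	"$@" | wc -l | tr -d ' '
}

# Constructed sample key: the base64 body is a placeholder, not a real key.
SAMPLE_CA_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDPLACEHOLDERNOTAREALKEY user_ca'

# Check that the produced entry is the tag followed by the key on one line
# (command substitution strips the single trailing newline).
check_authorized_keys_line() {
	line=`ca_authorized_keys_line "$1"`
	[ "$line" = "cert-authority $1" ]
}

check_known_hosts_line() {
	line=`ca_known_hosts_line "$1" "$2"`
	[ "$line" = "@cert-authority $1 $2" ]
}

# Stand-alone run: print both entries.
ca_authorized_keys_line "$SAMPLE_CA_PUB"
ca_known_hosts_line 'localhost,127.0.0.1' "$SAMPLE_CA_PUB"
```

Redirect the two helper calls into the target files the same way the regress scripts do (`( ... ) > $OBJ/authorized_keys_$USER`); the checks are what a test script can run before relying on the file.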
From: vinschen at redhat.com (Corinna Vinschen)
Date: Wed, 3 Mar 2010 11:52:10 +0100
Subject: Call for testing: OpenSSH-5.4
In-Reply-To:
References: <20100302014453.GF17027@linux55.nas.nasa.gov> <574324a31003021639g29225623x8dfb000800af8430@mail.gmail.com> <20100303021544.GO10976@linux55.nas.nasa.gov>
Message-ID: <20100303105210.GL17293@calimero.vinschen.de>

On Mar 3 13:23, Damien Miller wrote:
> On Tue, 2 Mar 2010, Iain Morgan wrote:
>
> > On Tue, Mar 02, 2010 at 18:45:06 -0600, Damien Miller wrote:
> > > Thanks for the detailed test results! Darren fixed a portability bug in
> > > the test scripts on the weekend. Could you take a quick look at the start
> > > of regress/cert-hostkey.sh to see if it uses "echo -n" or "echon" in this
> > > block:
> > >
> > > # Create a CA key and add it to known hosts
> > > ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\
> > > 	fail "ssh-keygen of host_ca_key failed"
> > > (
> > > 	echon '@cert-authority '
> > > 	echon "$HOSTS "
> > > 	cat $OBJ/host_ca_key.pub
> > > ) > $OBJ/known_hosts-cert
> > >
> > > If it uses "echo -n" then you are using the version with the portability
> > > bug which will cause these tests to fail unexpectedly.
> > >
> >
> > The version of cert-hostkey.sh that I have been using (from the 20100302
> > snapshot) uses "echon" rather than "echo -n." However, I should note
> > that cert-userkey.sh still uses "echo -n", even in CVS.
>
> oops, fixed now:
>
> http://anoncvs.mindrot.org/index.cgi/openssh/regress/cert-userkey.sh?revision=1.2&view=markup

Just a question. Why do you use slashes as separators, instead of using
the ISO 8601 format, as you already do in ssh-keygen.c, function
fmt_validity()?

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

From freddy.dsx at free.fr Thu Mar 4 00:46:22 2010
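The ssh-keygen.c hunk quoted earlier in this thread and Corinna's question above both concern how the 8- and 14-digit validity strings are turned into a time_t. The C program below is an added illustration written for this page, not ssh-keygen's own code: it keeps the separator-insertion approach from the patch (so the choice of '/' versus ISO 8601 '-' is immaterial to the parse, since the buffer is internal) and adds the checks a reviewer would ask for: digits-only input of the exact width, full consumption of the strptime buffer, tm_isdst left for mktime to decide, and a round trip through localtime_r so that dates mktime would silently normalise (Feb 30) are rejected. The function name cert_time_parse and the sample inputs are my own.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700	/* expose strptime(3) and localtime_r(3) */
#endif
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Explicit prototype in case a system header was included before the
 * feature macro above took effect; harmless if <time.h> declared it. */
char *strptime(const char *, const char *, struct tm *);

/*
 * Parse a certificate validity time written as YYYYMMDD or YYYYMMDDHHMMSS
 * (the forms ssh-keygen accepts) into a struct tm and a local-time time_t.
 * Returns 0 on success and -1 for anything that is not an exact, existing
 * calendar time.  Hypothetical helper written for this page, not ssh-keygen's.
 */
int
cert_time_parse(const char *s, struct tm *tm_out, time_t *t_out)
{
	struct tm tm, want, back;
	char buf[32], *cp;
	const char *fmt;
	size_t i, len = strlen(s);
	time_t tt;

	/* Exact width and digits only: anything else never reaches strptime. */
	if (len != 8 && len != 14)
		return -1;
	for (i = 0; i < len; i++)
		if (!isdigit((unsigned char)s[i]))
			return -1;

	/*
	 * POSIX strptime wants a non-alphanumeric separator between adjacent
	 * conversions, so re-emit the digits with '/', ' ' and ':' between
	 * fields before parsing (the same approach as the ssh-keygen fix).
	 */
	if (len == 8) {
		fmt = "%Y/%m/%d";
		snprintf(buf, sizeof(buf), "%.4s/%.2s/%.2s", s, s + 4, s + 6);
	} else {
		fmt = "%Y/%m/%d %H:%M:%S";
		snprintf(buf, sizeof(buf), "%.4s/%.2s/%.2s %.2s:%.2s:%.2s",
		    s, s + 4, s + 6, s + 8, s + 10, s + 12);
	}

	memset(&tm, 0, sizeof(tm));
	/* Require the whole buffer to be consumed, not just a non-NULL result. */
	if ((cp = strptime(buf, fmt, &tm)) == NULL || *cp != '\0')
		return -1;

	want = tm;		/* calendar fields exactly as the caller wrote them */
	tm.tm_isdst = -1;	/* let mktime decide DST for this local date */
	if ((tt = mktime(&tm)) == (time_t)-1)
		return -1;

	/*
	 * mktime silently normalises out-of-range fields (Feb 30 becomes
	 * Mar 1).  Convert back and compare so such input is rejected
	 * instead of being accepted as a different date.
	 */
	if (localtime_r(&tt, &back) == NULL)
		return -1;
	if (back.tm_year != want.tm_year || back.tm_mon != want.tm_mon ||
	    back.tm_mday != want.tm_mday || back.tm_hour != want.tm_hour ||
	    back.tm_min != want.tm_min || back.tm_sec != want.tm_sec)
		return -1;

	if (tm_out != NULL)
		*tm_out = tm;
	if (t_out != NULL)
		*t_out = tt;
	return 0;
}

/* Stand-alone demonstration over constructed inputs. */
int
main(void)
{
	const char *inputs[] = { "20200101", "19800101", "20200101120000",
	    "2020011x", "20200230", "2020/01/01" };
	size_t i;
	struct tm tm;
	time_t t;

	for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
		if (cert_time_parse(inputs[i], &tm, &t) == 0)
			printf("%-16s -> %04d-%02d-%02d %02d:%02d:%02d\n",
			    inputs[i], tm.tm_year + 1900, tm.tm_mon + 1,
			    tm.tm_mday, tm.tm_hour, tm.tm_min, tm.tm_sec);
		else
			printf("%-16s -> rejected\n", inputs[i]);
	}
	return 0;
}
```

The round-trip comparison also rejects a wall-clock time that does not exist locally (the hour skipped at a DST transition), which is the safer outcome for a validity boundary than letting mktime shift it by an hour.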
From: freddy.dsx at free.fr (Freddy DISSAUX)
Date: Wed, 3 Mar 2010 14:46:22 +0100
Subject: snapshot openssh 5.3 on freebsd 8.0/ia64
Message-ID: <20100303134622.GC3305@linutop.bsdsx.fr>

Hello,

hope this helps:

host%
FreeBSD itanium.lncsa.com 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #1: Tue Feb 23 19:43:11 CET 2010 root@:/usr/obj/usr/src/sys/GENERIC ia64

jail% uname -a
FreeBSD compil.ia64.lncsa.com 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #1: Tue Feb 23 19:43:11 CET 2010 root@:/usr/obj/usr/src/sys/GENERIC ia64

snapshot: http://www.mindrot.org/openssh_snap/openssh-SNAP-20100303.tar.gz

OpenSSH has been configured with the following options:
                     User binaries: /usr/local/bin
                   System binaries: /usr/local/sbin
               Configuration files: /usr/local/etc
                   Askpass program: /usr/local/libexec/ssh-askpass
                      Manual pages: /usr/local/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
  At runtime, sshd will use the path defined in /etc/login.conf
  Make sure the path to scp is present, otherwise scp will not work
                    Manpage format: doc
                       PAM support: no
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                 Smartcard support:
                     S/KEY support: no
              TCP Wrappers support: no
              MD5 password support: no
                   libedit support: no
  Solaris process contract support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY

              Host: ia64-unknown-freebsd8.0
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-security -fno-builtin-memset
Preprocessor flags:
      Linker flags:
         Libraries: -lcrypto -lutil -lz -lcrypt

[ snip test ]

all tests passed

From imorgan at nas.nasa.gov Thu Mar 4 05:57:17 2010
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Wed, 3 Mar 2010 10:57:17 -0800
Subject: Call for testing: OpenSSH-5.4
In-Reply-To:
References:
Message-ID: <20100303185717.GH17027@linux55.nas.nasa.gov>

On Sat, Feb 27, 2010 at 01:25:38 -0600, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
>

The 20100304 snapshot now builds and tests successfully on the following
platforms:

Solaris 9 (SPARC)
OS X 10.5 (Intel)
AIX 5.3

--
Iain Morgan

From thesource at ldb-jab.org Thu Mar 4 06:24:38 2010
From: thesource at ldb-jab.org (LDB)
Date: Wed, 03 Mar 2010 14:24:38 -0500
Subject: Call for testing: OpenSSH-5.4
In-Reply-To:
References:
Message-ID: <4B8EB776.2040605@master.ldb-jab.org>

On 02/27/2010 02:25 AM, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> -------------------------------
>
> Changes since OpenSSH 5.3
> =========================
>
> Features:
>
> * After a transition period of about 10 years, this release disables
> SSH protocol 1 by default. Clients and servers that need to use the
> legacy protocol must explicitly enable it in ssh_config / sshd_config
> or on the command-line.
>
> * Deprecate the libsectok/OpenSC-based smartcard code and add
> support for PKCS#11 tokens. PKCS#11 support is automatically enabled
> on all platforms that support dlopen(3) and was inspired by patches
> written by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1)
> manpages
>
> * Add support for certificate authentication of users and hosts using a
> new, minimal OpenSSH certificate format (not X.509). Certificates
> contain a public key, identity information and some validity
> constraints and are signed with a standard SSH public key using
> ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
> (for user authentication) or known_hosts (for host authentication).
>
> Documentation for certificate support may be found in ssh-keygen(1),
> sshd(8) and ssh(1) and a description of the protocol changes in
> PROTOCOL.certkeys.
>
> * Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects
> stdio on the client to a single port forward on the server. This
> allows, for example, using ssh as a ProxyCommand to route connections
> via intermediate servers. bz#1618
>
> * Rewrite the ssh(1) multiplexing support to support non-blocking
> operation of the mux master, improve the resilience of the master to
> malformed messages sent to it by the slave and add support for
> requesting port-forwardings via the multiplex protocol. The new
> stdio-to-local forward mode ("ssh -W host:port ...") is also
> supported. The revised multiplexing protocol is documented in the
> file PROTOCOL.mux in the source distribution.
>
> * Add a 'read-only' mode to sftp-server(8) that disables open in write
> mode and all other fs-modifying protocol methods. bz#430
>
> * Allow setting an explicit umask on the sftp-server(8) commandline to
> override whatever default the user has. bz#1229
>
> * Many improvements to the sftp(1) client, many of which were
> implemented by Carlos Silva through the Google Summer of Code
> program:
> - Support the "-h" (human-readable units) flag for ls
> - Implement tab-completion of commands, local and remote filenames
> - Support most of scp(1)'s commandline arguments in sftp(1), as a
> first step towards making sftp(1) a drop-in replacement for scp(1).
> Note that the rarely-used "-P sftp_server_path" option has been
> moved to "-D sftp_server_path" to make way for "-P port" to match
> scp(1).
> - Add recursive transfer support for get/put and on the commandline
>
> * New RSA keys will be generated with a public exponent of RSA_F4 ==
> (2**16)+1 == 65537 instead of the previous value 35.
>
> * Passphrase-protected SSH protocol 2 private keys are now protected
> with AES-128 instead of 3DES. This applied to freshly-generated keys
> as well as keys that are reencrypted (e.g. by changing their
> passphrase).
>
> Bugfixes:
>
> * When using ChrootDirectory, make sure we test for the existence of
> the user's shell inside the chroot and not outside (bz#1679)
> * Cache user and group name lookups in sftp-server using
> user_from_[ug]id(3) to improve performance on hosts where these
> operations are slow (e.g. NIS or LDAP). bz#1495
> * Fix problem that prevented passphrase reading from being interrupted
> in some circumstances; bz#1590
> * Ignore and log any Protocol 1 keys where the claimed size is not
> equal to the actual size.
> * Make HostBased authentication work with a ProxyCommand. bz#1569
> * Avoid run-time failures when specifying hostkeys via a relative
> path by prepending the current working directory in these cases.
> bz#1290
> * Do not prompt for a passphrase if we fail to open a keyfile, and log
> the reason why the open failed to debug. bz#1693
> * Document that the PubkeyAuthentication directive is allowed in a
> sshd_config(5) Match block. bz#1577
> * When converting keys, truncate key comments at 72 chars as per
> RFC4716. bz#1630
> * Do not allow logins if /etc/nologin exists but is not readable by the
> user logging in.
> * Output a debug log if sshd(8) can't open an existing authorized_keys.
> bz#1694
> * Quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we
> usually don't actually have a tty to read/set; bz#1686
> * Prevent sftp from crashing when given a "-" without a command.
> Also, allow whitespace to follow a "-". bz#1691
> * After sshd receives a SIGHUP, ignore subsequent HUPs while sshd
> re-execs itself.
Prevents two HUPs in quick succession from resulting > in sshd dying. bz#1692 > * Clarify in sshd_config(5) that StrictModes does not apply to > ChrootDirectory. Permissions and ownership are always checked when > chrooting. bz#1532 > * Set close-on-exec on various descriptors so they don't get leaked to > child processes. bz#1643 > * Fix very rare race condition in x11/agent channel allocation: don't > read after the end of the select read/write fdset and make sure a > reused FD is not touched before the pre-handlers are called. > * Fix incorrect exit status when multiplexing and channel ID 0 is > recycled. bz#1570 > * Fail with an error when an attempt is made to connect to a server > with ForceCommand=internal-sftp with a shell session (i.e. not a > subsystem session). Avoids stuck client when attempting to ssh to > such a service. bz#1606: > * Warn but do not fail if stat()ing the subsystem binary fails. This > helps with chrootdirectory+forcecommand=sftp-server and restricted > shells. bz #1599 > * Change "Connecting to host..." message to "Connected to host." > and delay it until after the sftp protocol connection has been > established. Avoids confusing sequence of messages when the > underlying ssh connection experiences problems. bz#1588 > * Use the HostKeyAlias rather than the hostname specified on the > commandline when prompting for passwords. bz#1039 > * Correct off-by-one in percent_expand(): we would fatal() when trying > to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to > actually work. Note that nothing in OpenSSH actually uses close to > this limit at present. bz#1607 > * Fix passing of empty options from scp(1) and sftp(1) to the > underlying ssh(1). Also add support for the stop option "--". > * Fix an incorrect magic number and typo in PROTOCOL; bz#1688 > * Don't escape backslashes when displaying the SSH2 banner. bz#1533 > * Don't unnecessarily dup() the in and out fds for sftp-server. 
bz#1566 > * Force use of the correct hash function for random-art signature > display as it was inheriting the wrong one when bubblebabble > signatures were activated. bz#1611 > * Do not fall back to adding keys without constraints (ssh-add -c / > -t ...) when the agent refuses the constrained add request. bz#1612 > * Fix a race condition in ssh-agent that could result in a wedged or > spinning agent. bz#1633 > * Flush stdio before exec() to ensure that everything (motd > in particular) has made it out before the streams go away. bz#1596 > * Set FD_CLOEXEC on in/out sockets in sshd(8). bz#1706 > > Portable OpenSSH Bugfixes: > > * Use system's kerberos principal name on AIX if it's available. > bz#1583 > * Disable OOM-killing of the listening sshd on Linux. bz#1740 > * Use pkg-config for opensc config if it's available. bz#1160 > * Unbreak Redhat spec to allow building without askpass. bz#1677 > * If PidFile is set in sshd_config, use it in SMF init file. bz#1628 > * Print error and usage() when ssh-rand-helper is passed command- > line arguments as none are supported. bz#1568 > * Add missing setsockopt() to set IPV6_V6ONLY for local forwarding > with GatewayPorts=yes. bz#1648 > * Make GNOME 2 askpass dialog desktop-modal. bz#1645 > * If SELinux is enabled set the security context to "sftpd_t" before > running the internal sftp server. bz#1637 > * Correctly check libselinux for necessary SELinux functions; bz#1713 > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > openSUSE 11.2 (x86_64) VERSION = 11.2 Linux allison 2.6.31.12-0.1-desktop #1 SMP PREEMPT 2010-01-27 08:20:11 +0100 x86_64 x86_64 x86_64 GNU/Linux Passed all tests with snapshot, openssh-SNAP-20100303.tar.gz LDB From thesource at ldb-jab.org Thu Mar 4 06:29:27 2010
From: thesource at ldb-jab.org (LDB) Date: Wed, 03 Mar 2010 14:29:27 -0500 Subject: Call for testing: OpenSSH-5.4 In-Reply-To: References: Message-ID: <4B8EB897.8010709@master.ldb-jab.org> openSUSE 11.2 (x86_64) VERSION = 11.2 Linux allison 2.6.31.12-0.1-desktop #1 SMP PREEMPT 2010-01-27 08:20:11 +0100 x86_64 x86_64 x86_64 GNU/Linux Passed all tests with snapshot, openssh-SNAP-20100303.tar.gz LDB From imorgan at nas.nasa.gov Thu Mar 4 06:30:48 2010 From: imorgan at nas.nasa.gov (Iain Morgan) Date: Wed, 3 Mar 2010 11:30:48 -0800 Subject: Viewing cetificate details Message-ID: <20100303193048.GI17027@linux55.nas.nasa.gov> Hi, I don't see any way to view the details of a certificate once it is generated. Having such a capability would be very handy for debugging purposes to check what constraints, principals, and validity interval are associated with a given cert. -- Iain Morgan From scott_n at xypro.com Thu Mar 4 07:52:34 2010 From: scott_n at xypro.com (Scott Neugroschl) Date: Wed, 3 Mar 2010 12:52:34 -0800 Subject: Viewing cetificate details In-Reply-To: <20100303193048.GI17027@linux55.nas.nasa.gov> References: <20100303193048.GI17027@linux55.nas.nasa.gov> Message-ID: <78DD71C304F38B41885A242996B96F7302214457@xyservd.XYPRO-23.LOCAL> Iain Morgan: > > I don't see any way to view the details of a certificate once it is > generated. Having such a capability would be very handy for debugging > purposes to check what constraints, principals, and validity interval > are associated with a given cert. openssl asn1parse, maybe? From djm at mindrot.org Thu Mar 4 09:51:24 2010 
From: djm at mindrot.org (Damien Miller) Date: Thu, 4 Mar 2010 09:51:24 +1100 (EST) Subject: cert-authority and authorized_keys file In-Reply-To: <20100303034700.GG17027@linux55.nas.nasa.gov> References: <20100303034700.GG17027@linux55.nas.nasa.gov> Message-ID: On Tue, 2 Mar 2010, Iain Morgan wrote: > Hi, > > I noticed that in regress/cert-userkey.sh the signing key is added to > the authorized_keys file with the tag "cert-authority" whereas in > sshd(8) the tag is documented as "from=cert-authority." Since the former > seems to work, I assume the latter is a typo. oops - fixed. > While on the subject of typos (which I have been known to make more than > my fair share of) I noticed the phrase 'similar same" in > PROTOCOL.certkey (line 51) which should simply be "similar." fixed too Thanks, Damien From kevin.brott at gmail.com Thu Mar 4 12:14:11 2010 
From: kevin.brott at gmail.com (Kevin Brott) Date: Wed, 3 Mar 2010 17:14:11 -0800 Subject: Call for testing: OpenSSH-5.4 In-Reply-To: References: Message-ID: <574324a31003031714w26218a7fpebe689895c1877cb@mail.gmail.com>

Going for brevity here - full test results/output are available on request ... Using openssh-SNAP-20100304.tar.gz

Summary:
+ Ubuntu 6.10 i686 - gcc 4.1.3 - OpenSSL 0.9.8m - build OK - all tests passed
+ Ubuntu 9.10 x86_64 - gcc 4.4.1 - OpenSSL 0.9.8g - build OK - all tests passed
+ AIX 5.2 sp10 power - gcc 3.3.2 - OpenSSL 0.9.8f - build OK - all tests passed
+ AIX 5.3 sp7 power - gcc 4.2.0 - OpenSSL 0.9.8k - build OK - all tests passed
+ AIX 6.1 sp4 power - gcc 4.2.0 - OpenSSL 0.9.8k - build OK - all tests passed
+ HP-UX 11.11 hppa2 - gcc 4.1.1 - OpenSSL 0.9.7m - build OK - all tests passed
+ HP-UX 11.23 ia64 - gcc 4.1.1 - OpenSSL 0.9.7m - build OK [1] - all tests passed
+ HP-UX 11.31 ia64 - gcc 4.3.3 - OpenSSL 0.9.8l - build OK [1] - all tests passed
+ HP-UX 11.31 ia64 - HP C/aC++ A.06.20 - OpenSSL 0.9.8l - build OK - all tests passed
+ RH 6.2 i686 - egcs-2.91.66 - OpenSSL 0.9.8j - build OK - all tests passed [2]
+ RH 8.0 i686 - gcc 3.2.2 - OpenSSL 0.9.7a - build OK - all tests passed
+ RHEL 2.1 i686 - gcc 2.9.6 - OpenSSL 0.9.8m - build OK - all tests passed
+ RHEL 3.0 TU6 i686 - gcc 2.9.6 - OpenSSL 0.9.8m - build OK - all tests passed
- RHEL 4.0 NU5 i686 - gcc 3.4.6 - OpenSSL 0.9.7a - build FAIL - [3]
+ RHEL 5.4 x86_64 - gcc 4.1.2 - OpenSSL 0.9.8e-fips-rhel5 - build OK - all tests passed

[1] :: HP-UX 11.23/11.31 systems using gcc apparently must './configure --disable-utmpx' or compile aborts here (interesting to note that the HP Ansi C/C++ compiler doesn't have this problem):

loginrec.c:725: warning: 'struct utmpx' declared inside parameter list
loginrec.c:725: warning: its scope is only this definition or declaration, which is probably not what you want
loginrec.c:736: warning: 'struct utmpx' declared inside parameter list
loginrec.c: In function 'construct_utmpx':
loginrec.c:741: error: dereferencing pointer to incomplete type
loginrec.c:750: error: dereferencing pointer to incomplete type
loginrec.c:753: error: dereferencing pointer to incomplete type
loginrec.c:756: error: dereferencing pointer to incomplete type
loginrec.c:756: error: dereferencing pointer to incomplete type
loginrec.c:757: warning: passing argument 2 of 'set_utmpx_time' from incompatible pointer type
loginrec.c:758: error: dereferencing pointer to incomplete type
loginrec.c:761: error: dereferencing pointer to incomplete type
loginrec.c:762: error: dereferencing pointer to incomplete type
loginrec.c:762: error: dereferencing pointer to incomplete type
loginrec.c: At top level:
loginrec.c:987: warning: 'struct utmpx' declared inside parameter list
loginrec.c: In function 'utmpx_write_library':
loginrec.c:989: warning: implicit declaration of function 'setutxent'
loginrec.c:990: warning: implicit declaration of function 'pututxline'
loginrec.c:993: warning: implicit declaration of function 'endutxent'
loginrec.c: In function 'utmpx_perform_login':
loginrec.c:1012: error: storage size of 'utx' isn't known
loginrec.c:1012: warning: unused variable 'utx'
loginrec.c: In function 'utmpx_perform_logout':
loginrec.c:1033: error: storage size of 'utx' isn't known
loginrec.c:1033: warning: unused variable 'utx'
loginrec.c: In function 'record_failed_login':
loginrec.c:1628: warning: unused variable 'a6'
gmake: *** [loginrec.o] Error 1

[2] :: On Red Hat 6.2 openssh builds cleanly and appears to work fine, but test 'regress/agent-ptrace.sh' hangs hard and requires a 'kill -9' of the gdb process to continue - hacking the script to exit 0 at the beginning works around this. Still investigating what's wrong here.

[3] :: replicated this on three different servers running these releases - maybe there's something wrong with how configure is identifying these boxes?

OPSYS: Red Hat Enterprise Linux AS release 4 (Nahant Update 6)
KERNEL: 2.6.9-67.ELsmp i686
CC: gcc version 3.4.6 20060404 (Red Hat 3.4.6-9)
TARGET: i686-pc-linux-gnu
SSL: OpenSSL 0.9.7a Feb 19 2003

OPSYS: Red Hat Enterprise Linux ES release 4 (Nahant Update 5)
KERNEL: 2.6.9-55.0.2.ELsmp i686
CC: gcc version 3.4.6 20060404 (Red Hat 3.4.6-8)
TARGET: i686-pc-linux-gnu
SSL: OpenSSL 0.9.7a Feb 19 2003

./configure --with-zlib=/var/tmp/zlib && make tests
...
OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
TCP Wrappers support: no
MD5 password support: no
libedit support: no
Solaris process contract support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Host: i686-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-builtin-memset -std=gnu99
Preprocessor flags: -I/var/tmp/zlib/include
Linker flags: -L/var/tmp/zlib/lib
Libraries: -lcrypto -ldl -lutil -lz -lnsl -lcrypt
...
ssh-keygen.c: In function `parse_cert_times':
ssh-keygen.c:1303: error: `BSDoptarg' undeclared (first use in this function)
ssh-keygen.c:1303: error: (Each undeclared identifier is reported only once
ssh-keygen.c:1303: error: for each function it appears in.)
make: *** [ssh-keygen.o] Error 1 Looks to be this bit here: if (to == NULL || from == to || *(to + 1) == '\0') >>> fatal("Invalid certificate life specification %s", optarg); *to++ = '\0'; -- # include /* Kevin Brott */ From djm at mindrot.org Thu Mar 4 13:08:58 2010 From: djm at mindrot.org (Damien Miller) Date: Thu, 4 Mar 2010 13:08:58 +1100 (EST) Subject: Viewing cetificate details In-Reply-To: <20100303193048.GI17027@linux55.nas.nasa.gov> References: <20100303193048.GI17027@linux55.nas.nasa.gov> Message-ID: On Wed, 3 Mar 2010, Iain Morgan wrote: > Hi, > > I don't see any way to view the details of a certificate once it is > generated. Having such a capability would be very handy for debugging > purposes to check what constraints, principals, and validity interval > are associated with a given cert. Yes, I had been meaning to add that - thanks for reminding me. This diff adds "ssh-keygen -L" to print certificate details. Index: ssh-keygen.1 =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.1,v retrieving revision 1.85 diff -u -p -r1.85 ssh-keygen.1 --- ssh-keygen.1 26 Feb 2010 22:09:28 -0000 1.85 +++ ssh-keygen.1 4 Mar 2010 02:07:48 -0000 @@ -115,6 +115,10 @@ .Op Fl O Ar constraint .Op Fl V Ar validity_interval .Ar +.Nm ssh-keygen +.Bk -words +.Fl L +.Op Fl f Ar input_keyfile .Ek .Sh DESCRIPTION .Nm @@ -275,6 +279,8 @@ also reads the RFC 4716 SSH Public Key File Format. This option allows importing keys from several commercial SSH implementations. +.It Fl L +Prints the contents of a certificate. .It Fl l Show fingerprint of specified public key file. Private RSA1 keys are also supported. Index: ssh-keygen.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v retrieving revision 1.180 diff -u -p -r1.180 ssh-keygen.c --- ssh-keygen.c 2 Mar 2010 23:20:57 -0000 1.180 +++ ssh-keygen.c 4 Mar 2010 02:07:49 -0000 
@@ -74,6 +74,9 @@ int find_host = 0; /* Flag indicating that we want to delete a host from a known_hosts file */ int delete_host = 0; +/* Flag indicating that we want to show the contents of a certificate */ +int show_cert = 0; + /* Flag indicating that we just want to see the key fingerprint */ int print_fingerprint = 0; int print_bubblebabble = 0; @@ -1055,7 +1058,7 @@ do_change_comment(struct passwd *pw) } static const char * -fmt_validity(void) +fmt_validity(u_int64_t valid_from, u_int64_t valid_to) { char from[32], to[32]; static char ret[64]; @@ -1063,28 +1066,27 @@ fmt_validity(void) struct tm *tm; *from = *to = '\0'; - if (cert_valid_from == 0 && - cert_valid_to == 0xffffffffffffffffULL) + if (valid_from == 0 && valid_to == 0xffffffffffffffffULL) return "forever"; - if (cert_valid_from != 0) { + if (valid_from != 0) { /* XXX revisit INT_MAX in 2038 :) */ - tt = cert_valid_from > INT_MAX ? INT_MAX : cert_valid_from; + tt = valid_from > INT_MAX ? INT_MAX : valid_from; tm = localtime(&tt); strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); } - if (cert_valid_to != 0xffffffffffffffffULL) { + if (valid_to != 0xffffffffffffffffULL) { /* XXX revisit INT_MAX in 2038 :) */ - tt = cert_valid_to > INT_MAX ? INT_MAX : cert_valid_to; + tt = valid_to > INT_MAX ? INT_MAX : valid_to; tm = localtime(&tt); strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); } - if (cert_valid_from == 0) { + if (valid_from == 0) { snprintf(ret, sizeof(ret), "before %s", to); return ret; } - if (cert_valid_to == 0xffffffffffffffffULL) { + if (valid_to == 0xffffffffffffffffULL) { snprintf(ret, sizeof(ret), "after %s", from); return ret; } @@ -1208,7 +1210,7 @@ do_ca_sign(struct passwd *pw, int argc, out, cert_key_id, cert_principals != NULL ? " for " : "", cert_principals != NULL ? cert_principals : "", - fmt_validity()); + fmt_validity(cert_valid_from, cert_valid_to)); key_free(public); xfree(out); 
@@ -1358,6 +1360,89 @@ add_cert_constraint(char *opt) } static void +do_show_cert(struct passwd *pw) +{ + Key *key; + struct stat st; + char *key_fp, *ca_fp; + Buffer constraints, constraint; + u_char *name, *data; + u_int i, dlen; + + if (!have_identity) + ask_filename(pw, "Enter file in which the key is"); + if (stat(identity_file, &st) < 0) { + perror(identity_file); + exit(1); + } + if ((key = key_load_public(identity_file, NULL)) == NULL) + fatal("%s is not a public key", identity_file); + if (!key_is_cert(key)) + fatal("%s is not a certificate", identity_file); + + key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + ca_fp = key_fingerprint(key->cert->signature_key, + SSH_FP_MD5, SSH_FP_HEX); + + printf("%s:\n", identity_file); + printf(" %s certificate %s\n", key_type(key), key_fp); + printf(" Signed by %s CA %s\n", + key_type(key->cert->signature_key), ca_fp); + printf(" Key ID \"%s\"\n", key->cert->key_id); + printf(" Valid: %s\n", + fmt_validity(key->cert->valid_after, key->cert->valid_before)); + printf(" Principals: "); + if (key->cert->nprincipals == 0) + printf("(none)\n"); + else { + for (i = 0; i < key->cert->nprincipals; i++) + printf("\n %s", + key->cert->principals[i]); + printf("\n"); + } + printf(" Constraints: "); + if (buffer_len(&key->cert->constraints) == 0) + printf("(none)\n"); + else { + printf("\n"); + buffer_init(&constraints); + buffer_append(&constraints, + buffer_ptr(&key->cert->constraints), + buffer_len(&key->cert->constraints)); + buffer_init(&constraint); + while (buffer_len(&constraints) != 0) { + name = buffer_get_string(&constraints, NULL); + data = buffer_get_string_ptr(&constraints, &dlen); + buffer_append(&constraint, data, dlen); + printf(" %s", name); + if (strcmp(name, "permit-X11-forwarding") == 0 || + strcmp(name, "permit-agent-forwarding") == 0 || + strcmp(name, "permit-port-forwarding") == 0 || + strcmp(name, "permit-pty") == 0 || + strcmp(name, "permit-user-rc") == 0) + printf("\n"); + else if (strcmp(name, 
"force-command") == 0 || + strcmp(name, "source-address") == 0) { + data = buffer_get_string(&constraint, NULL); + printf(" %s\n", data); + xfree(data); + } else { + printf(" UNKNOWN CONSTRAINT (len %u)\n", + buffer_len(&constraint)); + buffer_clear(&constraint); + } + xfree(name); + if (buffer_len(&constraint) != 0) + fatal("Constraint corrupt: extra data at end"); + } + buffer_free(&constraint); + buffer_free(&constraints); + } + + exit(0); +} + +static void usage(void) { fprintf(stderr, "usage: %s [options]\n", __progname); @@ -1379,6 +1464,7 @@ usage(void) fprintf(stderr, " -h Generate host certificate instead of a user certificate.\n"); fprintf(stderr, " -I key_id Key identifier to include in certificate.\n"); fprintf(stderr, " -i Convert RFC 4716 to OpenSSH key file.\n"); + fprintf(stderr, " -L Print the contents of a certificate.\n"); fprintf(stderr, " -l Show fingerprint of key file.\n"); fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n"); fprintf(stderr, " -n name,... User/host principal names to include in certificate\n"); @@ -1440,7 +1526,7 @@ main(int argc, char **argv) exit(1); } - while ((opt = getopt(argc, argv, "degiqpclBHhvxXyF:b:f:t:D:I:P:N:n:" + while ((opt = getopt(argc, argv, "degiqpclBHLhvxXyF:b:f:t:D:I:P:N:n:" "O:C:r:g:R:T:G:M:S:s:a:V:W:")) != -1) { switch (opt) { case 'b': @@ -1463,6 +1549,9 @@ main(int argc, char **argv) delete_host = 1; rr_hostname = optarg; break; + case 'L': + show_cert = 1; + break; case 'l': print_fingerprint = 1; break; @@ -1616,6 +1705,8 @@ main(int argc, char **argv) fatal("Must specify key id (-I) when certifying"); do_ca_sign(pw, argc, argv); } + if (show_cert) + do_show_cert(pw); if (delete_host || hash_hosts || find_host) do_known_hosts(pw, rr_hostname); if (print_fingerprint || print_bubblebabble) From djm at mindrot.org Thu Mar 4 13:11:32 2010 
From: djm at mindrot.org (Damien Miller) Date: Thu, 4 Mar 2010 13:11:32 +1100 (EST) Subject: Viewing cetificate details In-Reply-To: <78DD71C304F38B41885A242996B96F7302214457@xyservd.XYPRO-23.LOCAL> References: <20100303193048.GI17027@linux55.nas.nasa.gov> <78DD71C304F38B41885A242996B96F7302214457@xyservd.XYPRO-23.LOCAL> Message-ID: On Wed, 3 Mar 2010, Scott Neugroschl wrote: > Iain Morgan: > > > > I don't see any way to view the details of a certificate once it is > > generated. Having such a capability would be very handy for debugging > > purposes to check what constraints, principals, and validity interval > > are associated with a given cert. > > openssl asn1parse, maybe? Nooooo. We do _not_ use ASN.1 -d From cmadams at hiwaay.net Thu Mar 4 13:13:13 2010 
From: cmadams at hiwaay.net (Chris Adams) Date: Wed, 3 Mar 2010 20:13:13 -0600 Subject: Call for testing: OpenSSH-5.4 In-Reply-To: References: Message-ID: <20100304021313.GA1446665@hiwaay.net>

Once upon a time, Damien Miller said:
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.

Hmm, build of 20100304 fails on Tru64 (ignore the "long long" info messages):

cc -I/usr/local/include -O -ieee -std1 -arch generic -tune ev67 -I. -I. -DSSHDIR=\"/usr/local/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/openssh/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/openssh/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/openssh/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/openssh/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty/sshd\" -DSSH_RAND_HELPER=\"/usr/local/libexec/openssh/ssh-rand-helper\" -DHAVE_CONFIG_H -c ssh-keygen.c
cc: Info: ssh-keygen.c, line 116: The integer constant is of type "unsigned long long", which is a new feature of C99 might not be portable. (longlongsufx)
u_int64_t cert_valid_to = ~0ULL;
---------------------------^
cc: Info: openbsd-compat/openbsd-compat.h, line 106: In this declaration, type "long long" is a new feature in C99. (longlongtype)
int fmt_scaled(long long number, char *result);
-------------------^
cc: Info: openbsd-compat/openbsd-compat.h, line 184: In this declaration, type "long long" is a new feature in C99. (longlongtype)
long long strtoll(const char *, char **, int);
^
cc: Info: openbsd-compat/openbsd-compat.h, line 188: In this declaration, type "long long" is a new feature in C99. (longlongtype)
long long strtonum(const char *, long long, long long, const char **);
^
cc: Info: openbsd-compat/openbsd-compat.h, line 188: In this declaration, type "long long" is a new feature in C99. (longlongtype)
long long strtonum(const char *, long long, long long, const char **);
---------------------------------^
cc: Info: openbsd-compat/openbsd-compat.h, line 188: In this declaration, type "long long" is a new feature in C99. (longlongtype)
long long strtonum(const char *, long long, long long, const char **);
--------------------------------------------^
cc: Error: ssh-keygen.c, line 1303: In this statement, "BSDoptarg" is not declared. (undeclared)
fatal("Invalid certificate life specification %s", optarg);
-------------------------------------------------------------------^
make: *** [ssh-keygen.o] Error 1

-- 
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
From djm at mindrot.org Thu Mar 4 14:16:29 2010
From: djm at mindrot.org (Damien Miller) Date: Thu, 4 Mar 2010 14:16:29 +1100 (EST) Subject: Call for testing: OpenSSH-5.4 In-Reply-To: <20100304021313.GA1446665@hiwaay.net> References: <20100304021313.GA1446665@hiwaay.net> Message-ID: On Wed, 3 Mar 2010, Chris Adams wrote: > Once upon a time, Damien Miller said: > > OpenSSH 5.4 is almost ready for release, so we would appreciate testing > > on as many platforms and systems as possible. This is a big release, > > with a number of major new features and many bug fixes. > > Hmm, build of 20100304 fails on Tru64 (ignore the "long long" info > messages): > > cc: Error: ssh-keygen.c, line 1303: In this statement, "BSDoptarg" is not declared. (undeclared) > fatal("Invalid certificate life specification %s", optarg); Found the problem. The following patch will be in tomorrow's snapshot. -d Index: ssh-keygen.c =================================================================== RCS file: /var/cvs/openssh/ssh-keygen.c,v retrieving revision 1.193 diff -u -p -r1.193 ssh-keygen.c --- ssh-keygen.c 3 Mar 2010 01:14:15 -0000 1.193 +++ ssh-keygen.c 4 Mar 2010 03:15:46 -0000 @@ -1300,7 +1300,7 @@ parse_cert_times(char *timespec) from = xstrdup(timespec); to = strchr(from, ':'); if (to == NULL || from == to || *(to + 1) == '\0') - fatal("Invalid certificate life specification %s", optarg); + fatal("Invalid certificate life specification %s", timespec); *to++ = '\0'; if (*from == '-' || *from == '+') From djm at mindrot.org Thu Mar 4 22:06:51 2010 
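Review bot: the one-line hunk is the right fix: parse_cert_times() already receives the string as its `timespec` parameter, and referring to getopt's `optarg` from inside a helper only compiled where that global was visible under that name (the Tru64 and RHEL 4 reports above show the openbsd-compat getopt renaming it to BSDoptarg). With the change the fatal() also reports the string that was actually being parsed rather than whatever getopt last stored. Since the regress suite cannot catch a failure that only appears on hosts using the compat getopt, a build on one such platform belongs in the release checklist.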
From: djm at mindrot.org (Damien Miller) Date: Thu, 4 Mar 2010 22:06:51 +1100 (EST) Subject: Call for testing: OpenSSH-5.4 In-Reply-To: <20100303105210.GL17293@calimero.vinschen.de> References: <20100302014453.GF17027@linux55.nas.nasa.gov> <574324a31003021639g29225623x8dfb000800af8430@mail.gmail.com> <20100303021544.GO10976@linux55.nas.nasa.gov> <20100303105210.GL17293@calimero.vinschen.de> Message-ID: On Wed, 3 Mar 2010, Corinna Vinschen wrote: > > > The version of cert-hostkey.sh that I have been using (from the 20100302 > > > snapshot) uses "echon" rather than "echo -n." However, I should note > > > that cert-userkey.sh still uses "echo -n", even in CVS. > > > > oops, fixed now: > > > > http://anoncvs.mindrot.org/index.cgi/openssh/regress/cert-userkey.sh?revision=1.2&view=markup > > Just a question. Why do you use slashes as separators, instead of > using the ISO 8601 format, as you already do in ssh-keygen.c, function > fmt_validity()? Did you mean "Why _don't_ you use slashes as separators"? Brevity of input mainly. -d From djm at mindrot.org Thu Mar 4 22:13:37 2010 
From: djm at mindrot.org (Damien Miller) Date: Thu, 4 Mar 2010 22:13:37 +1100 (EST) Subject: OpenSSH PKI [was: Re: Call for testing: OpenSSH-5.4] In-Reply-To: References: <4B897AA9.7080405@fifthhorseman.net> Message-ID: On Sun, 28 Feb 2010, Damien Miller wrote: > On Sat, 27 Feb 2010, Daniel Kahn Gillmor wrote: > > > 1) Revocations -- there is no room in the infrastructure i can see for > > revocations. What should a certificate authority do if it discovers > > that the private key belonging to a certificate has been compromised, > > and the certificate is not yet expired? What should a server operator > > do who knows this situation, but currently relies on other > > certifications from that CA? > > Revocation is planned to be implemented as a simple file containing a list > of banned keys. This is now implemented and will be in tomorrow's snapshot. sshd_config gets a new RevokedKeys directive that can point to a file containing keys to ban. ssh(1) will look for a new @revoked marker in known_hosts and ban any key that it sees with the following warning: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REVOKED HOST KEY DETECTED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ The RSA host key for localhost is marked as revoked. This could mean that a stolen key is being used to impersonate this host. > > If i certify > > a key for "foo" does that work on all "foo" accounts on every machine > > that trusts my CA? > > yes. Remember that CA keys can be trusted on an account by account basis, > so if there are subsets of hosts within a domain that use a different > naming scheme then the users who trust the CA for login can be subsetted. > > I'm planning to add a sshd-wide (well, Match block wide) way to specify > trusted CA keys too. This is done too, there is a sshd_config TrustedUserCAKeys option that allows sshd to trust zero or more CA keys to authenticate and authorize users. 
This option can be set or overridden in a Match block, so it is possible to turn it on for certain users or groups only. There are a bunch more regress tests for these, so please rerun the tests using the latest snapshots if you get a chance. -d From vinschen at redhat.com Thu Mar 4 22:46:08 2010 
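The revocation and CA-trust behaviour Damien describes above, as an added example written for this page in Python (not OpenSSH code): a small model of how a known_hosts file carrying @cert-authority and @revoked markers, and a RevokedKeys file, decide whether a presented key is accepted. The function names check_host_key() and user_key_revoked(), the HOST_* verdicts, the sample host names and the placeholder key blobs are this example's own; the precedence of a @revoked line over every other match, and the treatment of a revoked CA key as also revoking the certificates it signed, are choices made in the model rather than statements from the thread.

```python
"""Model of the known_hosts @cert-authority / @revoked markers and the sshd_config
RevokedKeys file described in the message above.  Added example for this thread,
not OpenSSH code.  A key is {"type": ..., "blob": ...}; the same dict with a
"ca": (type, blob) entry stands for a certificate over that key signed by that CA.
All base64 fields below are placeholders, not real key material."""
from fnmatch import fnmatchcase

HOST_OK, HOST_NEW, HOST_CHANGED, HOST_REVOKED = "ok", "new", "changed", "revoked"
_MARKERS = ("@cert-authority", "@revoked")


def parse_known_hosts(text):
    """known_hosts lines: [@marker] host[,host...] keytype base64 [comment]."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):
            parts = line.split(None, 1)
            marker, line = parts[0], (parts[1] if len(parts) > 1 else "")
            if marker not in _MARKERS:
                raise ValueError("line %d: unknown marker %s" % (lineno, marker))
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("line %d: malformed entry" % lineno)
        entries.append({"marker": marker, "hosts": fields[0].split(","),
                        "type": fields[1], "blob": fields[2], "line": lineno})
    return entries


def _same_key(entry, key):
    return (entry["type"], entry["blob"]) == (key["type"], key["blob"])


def _revokes(entry, key):
    # A revoked entry bans the listed key.  This model also bans every certificate
    # signed by a listed CA key; that is a choice made here, not stated in the thread.
    return _same_key(entry, key) or key.get("ca") == (entry["type"], entry["blob"])


def check_host_key(known_hosts_text, host, key):
    """Verdict for `host` presenting `key`.  Precedence used by this model: a matching
    @revoked line wins outright; then a plain-key or @cert-authority match gives OK;
    a host known only by other plain keys is CHANGED; otherwise NEW."""
    matching = [e for e in parse_known_hosts(known_hosts_text)
                if any(fnmatchcase(host, pattern) for pattern in e["hosts"])]
    if any(e["marker"] == "@revoked" and _revokes(e, key) for e in matching):
        return HOST_REVOKED            # the "REVOKED HOST KEY DETECTED" case
    for e in matching:
        if e["marker"] == "@cert-authority" and key.get("ca") == (e["type"], e["blob"]):
            return HOST_OK             # certificate signed by a trusted host CA
        if e["marker"] is None and "ca" not in key and _same_key(e, key):
            return HOST_OK             # ordinary pinned host key
    return HOST_CHANGED if any(e["marker"] is None for e in matching) else HOST_NEW


def user_key_revoked(revoked_keys_text, key):
    """RevokedKeys file: one public key per line ('keytype base64 [comment]').
    Listed keys are refused; in this model so are certificates signed by a listed CA."""
    for raw in revoked_keys_text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        if _revokes({"type": fields[0], "blob": fields[1]}, key):
            return True
    return False


# Constructed sample data (placeholder blobs, not real keys).
KNOWN_HOSTS = """\
@cert-authority *.example.com ssh-rsa AAAAB3HOSTCA== example.com host CA
bastion.example.com,10.0.0.5 ssh-rsa AAAAB3BASTION== pinned host key
@revoked old.example.com ssh-rsa AAAAB3OLDKEY== key reported stolen 2010-03
"""
REVOKED_KEYS = """\
# sshd_config: RevokedKeys /etc/ssh/revoked_keys
ssh-rsa AAAAB3LEAKED== laptop key reported lost
"""
```

The point to take from the model is the precedence: once a key, or in this model its CA, appears on a @revoked line, no @cert-authority or pinned entry for the same host can rescue it, which is exactly the situation the REVOKED HOST KEY warning quoted above is raised for.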
From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 4 Mar 2010 12:46:08 +0100 Subject: Call for testing: OpenSSH-5.4 In-Reply-To: References: <20100302014453.GF17027@linux55.nas.nasa.gov> <574324a31003021639g29225623x8dfb000800af8430@mail.gmail.com> <20100303021544.GO10976@linux55.nas.nasa.gov> <20100303105210.GL17293@calimero.vinschen.de> Message-ID: <20100304114608.GB7980@calimero.vinschen.de> On Mar 4 22:06, Damien Miller wrote: > > On Wed, 3 Mar 2010, Corinna Vinschen wrote: > > > > > The version of cert-hostkey.sh that I have been using (from the 20100302 > > > > snapshot) uses "echon" rather than "echo -n." However, I should note > > > > that cert-userkey.sh still uses "echo -n", even in CVS. > > > > > > oops, fixed now: > > > > > > http://anoncvs.mindrot.org/index.cgi/openssh/regress/cert-userkey.sh?revision=1.2&view=markup > > > > Just a question. Why do you use slashes as separators, instead of > > using the ISO 8601 format, as you already do in ssh-keygen.c, function > > fmt_validity()? > > Did you mean "Why _don't_ you use slashes as separators"? Brevity of input > mainly. No, I meant to ask why you *use* slashes. That's part of the new code: 1254 case 8: 1255 fmt = "%Y/%m/%d"; 1256 snprintf(buf, sizeof(buf), "%.4s/%.2s/%.2s", s, s + 4, 1257 break; 1258 case 14: 1259 fmt = "%Y/%m/%d %H:%M:%S"; 1260 snprintf(buf, sizeof(buf), "%.4s/%.2s/%.2s I would opt for using the ISO 8601 format instead, just as it is already done in fmt_validity: 1082 strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); [...] 1088 strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From jchadima at redhat.com Thu Mar 4 20:21:35 2010 
From: jchadima at redhat.com (Jan Chadima) Date: Thu, 4 Mar 2010 04:21:35 -0500 (EST) Subject: Call for testing: OpenSSH-5.4 In-Reply-To: <1644501183.163401267694434283.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com> Message-ID: <1457043988.163421267694495576.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com> The openssh 5.4 snap 20100302 compiles on fedora rawhide. -- JFCh From scott_n at xypro.com Fri Mar 5 02:51:37 2010 From: scott_n at xypro.com (Scott Neugroschl) Date: Thu, 4 Mar 2010 07:51:37 -0800 Subject: Viewing cetificate details In-Reply-To: References: <20100303193048.GI17027@linux55.nas.nasa.gov> <78DD71C304F38B41885A242996B96F7302214457@xyservd.XYPRO-23.LOCAL> Message-ID: <78DD71C304F38B41885A242996B96F7302214527@xyservd.XYPRO-23.LOCAL> From: Damien Miller > On Wed, 3 Mar 2010, Scott Neugroschl wrote: > > > Iain Morgan: > > > > > > I don't see any way to view the details of a certificate once it is > > > generated. Having such a capability would be very handy for > debugging > > > purposes to check what constraints, principals, and validity > interval > > > are associated with a given cert. > > > > openssl asn1parse, maybe? > > Nooooo. We do _not_ use ASN.1 Oops. Senior moment. For some reason I was thinking of a stock X.509 cert. From imorgan at nas.nasa.gov Fri Mar 5 05:33:49 2010 
From: imorgan at nas.nasa.gov (Iain Morgan) Date: Thu, 4 Mar 2010 10:33:49 -0800 Subject: Minor tweak to sshd_config(5) Message-ID: <20100304183349.GJ17027@linux55.nas.nasa.gov>

Hi,

There are a few minor tweaks I would like to suggest regarding the recently added TrustedUserCAKeys section in sshd_config(5).

     TrustedUserCAKeys
             Specifies a file containing public keys of certificate authorities that are trusted sign user certificates for authentication. Keys are listed one per line, empty lines and comments starting with '#' are allowed. If a certificate is presented for authentication and has its signing CA key listed in this file, then it may be used for authentication for any user listed in the certificate's principals list. Note that certificates that lack a list of principals will not be permitted for authentication using TrustedUserCAKeys. For more details in certificates, please see the CERTIFICATES section in ssh-keygen(1).

Replace "trusted sign user" with "trusted to sign user." Also, the next sentence should probably be split into two sentences to avoid a run-on: "Keys are listed one per line. Empty lines and comments..." Lastly, "more details in certificates" should be "more details on certificates."

-- Iain Morgan

From imorgan at nas.nasa.gov Fri Mar 5 09:47:51 2010
From: imorgan at nas.nasa.gov (Iain Morgan) Date: Thu, 4 Mar 2010 14:47:51 -0800 Subject: Viewing cetificate details In-Reply-To: References: <20100303193048.GI17027@linux55.nas.nasa.gov> Message-ID: <20100304224751.GS10976@linux55.nas.nasa.gov> On Wed, Mar 03, 2010 at 20:08:58 -0600, Damien Miller wrote: > On Wed, 3 Mar 2010, Iain Morgan wrote: > > > Hi, > > > > I don't see any way to view the details of a certificate once it is > > generated. Having such a capability would be very handy for debugging > > purposes to check what constraints, principals, and validity interval > > are associated with a given cert. > > Yes, I had been meaning to add that - thanks for reminding me. This > diff adds "ssh-keygen -L" to print certificate details. > > Index: ssh-keygen.1 > =================================================================== > RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.1,v > retrieving revision 1.85 > diff -u -p -r1.85 ssh-keygen.1 > --- ssh-keygen.1 26 Feb 2010 22:09:28 -0000 1.85 > +++ ssh-keygen.1 4 Mar 2010 02:07:48 -0000 > @@ -115,6 +115,10 @@ > .Op Fl O Ar constraint > .Op Fl V Ar validity_interval > .Ar > +.Nm ssh-keygen > +.Bk -words > +.Fl L > +.Op Fl f Ar input_keyfile > .Ek > .Sh DESCRIPTION > .Nm > @@ -275,6 +279,8 @@ also reads the > RFC 4716 SSH Public Key File Format. > This option allows importing keys from several commercial > SSH implementations. > +.It Fl L > +Prints the contents of a certificate. > .It Fl l > Show fingerprint of specified public key file. > Private RSA1 keys are also supported. > Index: ssh-keygen.c > =================================================================== > RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v > retrieving revision 1.180 > diff -u -p -r1.180 ssh-keygen.c > --- ssh-keygen.c 2 Mar 2010 23:20:57 -0000 1.180 > +++ ssh-keygen.c 4 Mar 2010 02:07:49 -0000 
> @@ -74,6 +74,9 @@ int find_host = 0; > /* Flag indicating that we want to delete a host from a known_hosts file */ > int delete_host = 0; > > +/* Flag indicating that we want to show the contents of a certificate */ > +int show_cert = 0; > + > /* Flag indicating that we just want to see the key fingerprint */ > int print_fingerprint = 0; > int print_bubblebabble = 0; > @@ -1055,7 +1058,7 @@ do_change_comment(struct passwd *pw) > } > > static const char * > -fmt_validity(void) > +fmt_validity(u_int64_t valid_from, u_int64_t valid_to) > { > char from[32], to[32]; > static char ret[64]; > @@ -1063,28 +1066,27 @@ fmt_validity(void) > struct tm *tm; > > *from = *to = '\0'; > - if (cert_valid_from == 0 && > - cert_valid_to == 0xffffffffffffffffULL) > + if (valid_from == 0 && valid_to == 0xffffffffffffffffULL) > return "forever"; > > - if (cert_valid_from != 0) { > + if (valid_from != 0) { > /* XXX revisit INT_MAX in 2038 :) */ > - tt = cert_valid_from > INT_MAX ? INT_MAX : cert_valid_from; > + tt = valid_from > INT_MAX ? INT_MAX : valid_from; > tm = localtime(&tt); > strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); > } > - if (cert_valid_to != 0xffffffffffffffffULL) { > + if (valid_to != 0xffffffffffffffffULL) { > /* XXX revisit INT_MAX in 2038 :) */ > - tt = cert_valid_to > INT_MAX ? INT_MAX : cert_valid_to; > + tt = valid_to > INT_MAX ? INT_MAX : valid_to; > tm = localtime(&tt); > strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); > } > > - if (cert_valid_from == 0) { > + if (valid_from == 0) { > snprintf(ret, sizeof(ret), "before %s", to); > return ret; > } > - if (cert_valid_to == 0xffffffffffffffffULL) { > + if (valid_to == 0xffffffffffffffffULL) { > snprintf(ret, sizeof(ret), "after %s", from); > return ret; > } 
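Review bot: in the ssh-keygen.1 synopsis hunk (@@ -115,6 +115,10 @@), the added `.Bk -words` has no matching `.Ek`; the only `.Ek` in the context is the one that already closed the preceding keep block, so after this change two `.Bk` blocks are open and one is closed. Dropping the `.Bk -words` line from the added lines (keeping `.Nm ssh-keygen`, `.Fl L` and `.Op Fl f Ar input_keyfile` before the existing `.Ek`) keeps the pairs balanced; `mandoc -Tlint ssh-keygen.1` will report the mismatch either way.

Review bot: in the fmt_validity() hunk (@@ -1063,28 +1066,27 @@), both bounds are rendered with localtime() and no zone designator, so the "Valid: from 2010-03-04T13:52:00 ..." that -L prints names different instants on the signing host and on a server in another time zone, which is exactly what an operator is checking when deciding whether a certificate should still be honoured. gmtime() with a trailing "Z", or printing the UTC offset, would make the output unambiguous. The sentinel 0xffffffffffffffffULL now appears three times in the function; a named constant for "no expiry" would make the forever/before/after branches easier to audit.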
> @@ -1208,7 +1210,7 @@ do_ca_sign(struct passwd *pw, int argc, > out, cert_key_id, > cert_principals != NULL ? " for " : "", > cert_principals != NULL ? cert_principals : "", > - fmt_validity()); > + fmt_validity(cert_valid_from, cert_valid_to)); > > key_free(public); > xfree(out); 
> @@ -1358,6 +1360,89 @@ add_cert_constraint(char *opt) > } > > static void > +do_show_cert(struct passwd *pw) > +{ > + Key *key; > + struct stat st; > + char *key_fp, *ca_fp; > + Buffer constraints, constraint; > + u_char *name, *data; > + u_int i, dlen; > + > + if (!have_identity) > + ask_filename(pw, "Enter file in which the key is"); > + if (stat(identity_file, &st) < 0) { > + perror(identity_file); > + exit(1); > + } > + if ((key = key_load_public(identity_file, NULL)) == NULL) > + fatal("%s is not a public key", identity_file); > + if (!key_is_cert(key)) > + fatal("%s is not a certificate", identity_file); > + > + key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); > + ca_fp = key_fingerprint(key->cert->signature_key, > + SSH_FP_MD5, SSH_FP_HEX); > + > + printf("%s:\n", identity_file); > + printf(" %s certificate %s\n", key_type(key), key_fp); > + printf(" Signed by %s CA %s\n", > + key_type(key->cert->signature_key), ca_fp); > + printf(" Key ID \"%s\"\n", key->cert->key_id); > + printf(" Valid: %s\n", > + fmt_validity(key->cert->valid_after, key->cert->valid_before)); > + printf(" Principals: "); > + if (key->cert->nprincipals == 0) > + printf("(none)\n"); > + else { > + for (i = 0; i < key->cert->nprincipals; i++) > + printf("\n %s", > + key->cert->principals[i]); > + printf("\n"); > + } > + printf(" Constraints: "); > + if (buffer_len(&key->cert->constraints) == 0) > + printf("(none)\n"); > + else { > + printf("\n"); > + buffer_init(&constraints); > + buffer_append(&constraints, > + buffer_ptr(&key->cert->constraints), > + buffer_len(&key->cert->constraints)); > + buffer_init(&constraint); > + while (buffer_len(&constraints) != 0) { > + name = buffer_get_string(&constraints, NULL); > + data = buffer_get_string_ptr(&constraints, &dlen); > + buffer_append(&constraint, data, dlen); > + printf(" %s", name); > + if (strcmp(name, "permit-X11-forwarding") == 0 || > + strcmp(name, "permit-agent-forwarding") == 0 || > + strcmp(name, "permit-port-forwarding") == 
0 || > + strcmp(name, "permit-pty") == 0 || > + strcmp(name, "permit-user-rc") == 0) > + printf("\n"); > + else if (strcmp(name, "force-command") == 0 || > + strcmp(name, "source-address") == 0) { > + data = buffer_get_string(&constraint, NULL); > + printf(" %s\n", data); > + xfree(data); > + } else { > + printf(" UNKNOWN CONSTRAINT (len %u)\n", > + buffer_len(&constraint)); > + buffer_clear(&constraint); > + } > + xfree(name); > + if (buffer_len(&constraint) != 0) > + fatal("Constraint corrupt: extra data at end"); > + } > + buffer_free(&constraint); > + buffer_free(&constraints); > + } > + > + exit(0); > +} > + > +static void > usage(void) > { > fprintf(stderr, "usage: %s [options]\n", __progname); > @@ -1379,6 +1464,7 @@ usage(void) > fprintf(stderr, " -h Generate host certificate instead of a user certificate.\n"); > fprintf(stderr, " -I key_id Key identifier to include in certificate.\n"); > fprintf(stderr, " -i Convert RFC 4716 to OpenSSH key file.\n"); > + fprintf(stderr, " -L Print the contents of a certificate.\n"); > fprintf(stderr, " -l Show fingerprint of key file.\n"); > fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n"); > fprintf(stderr, " -n name,... User/host principal names to include in certificate\n"); > @@ -1440,7 +1526,7 @@ main(int argc, char **argv) > exit(1); > } > > - while ((opt = getopt(argc, argv, "degiqpclBHhvxXyF:b:f:t:D:I:P:N:n:" > + while ((opt = getopt(argc, argv, "degiqpclBHLhvxXyF:b:f:t:D:I:P:N:n:" > "O:C:r:g:R:T:G:M:S:s:a:V:W:")) != -1) { > switch (opt) { > case 'b': > @@ -1463,6 +1549,9 @@ main(int argc, char **argv) > delete_host = 1; > rr_hostname = optarg; > break; > + case 'L': > + show_cert = 1; > + break; > case 'l': > print_fingerprint = 1; > break; 
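Review bot: in the do_show_cert() hunk, key_id, every principal and the force-command/source-address values are written with printf("%s") exactly as they appear in the certificate, and -L exists precisely to look at certificates one does not yet trust, so a hostile certificate can carry terminal escape sequences in those strings. Passing them through strnvis() before printing, as ssh(1) already does for the userauth banner, closes that. Separately, the comparison against the literal "force-command" has to agree with the name add_string_constraint() writes on the signing side; Iain's test output later in this thread shows the signer emitting "forced-command", which is why -L prints "UNKNOWN CONSTRAINT (len 13)" for it (13 bytes is one SSH string holding "/bin/date"). A single table of constraint names shared by add_cert_constraint() and do_show_cert() would keep the two from drifting again.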
> @@ -1616,6 +1705,8 @@ main(int argc, char **argv) > fatal("Must specify key id (-I) when certifying"); > do_ca_sign(pw, argc, argv); > } > + if (show_cert) > + do_show_cert(pw); > if (delete_host || hash_hosts || find_host) > do_known_hosts(pw, rr_hostname); > if (print_fingerprint || print_bubblebabble)

Hi Damien,

Thanks. This is what I was looking for. So far, I've only tested it on one system, but it seems to work. There does seem to be an oddity however with the handling of the force-command constraint. For example:

$ openssh/ssh-keygen -s ca_key -I "Test cert" -n test -V +12m -O clear -O source-address=10.2.3.0/24 -O force-command=/bin/date id_test.pub
Enter passphrase:
Signed user key id_test-cert.pub: id "Test cert" for test valid from 2010-03-04T13:52:00 to 2010-03-04T14:05:24
$
$ openssh/ssh-keygen -Lf id_test-cert.pub
id_test-cert.pub:
        RSA-CERT certificate 1b:9b:58:e0:ef:9b:51:17:7b:05:b4:86:16:db:42:19
        Signed by RSA CA d5:1f:0f:3d:84:a1:16:a5:f5:3a:5e:c8:3e:54:1d:92
        Key ID "Test cert"
        Valid: from 2010-03-04T13:52:00 to 2010-03-04T14:05:24
        Principals:
                test
        Constraints:
                forced-command UNKNOWN CONSTRAINT (len 13)
                source-address 10.2.3.0/24
$

Note that the output refers to "forced-command" rather than "force-command". It looks like the problem is in ssh-keygen.c:1145.

add_string_constraint(c, "forced-command", constraint_command);

There also seems to be a less significant error in auth-options.c.

448-                        error("Certificate has multiple "
449:                            "forced-command constraints");

-- Iain Morgan

From djm at mindrot.org Fri Mar 5 10:28:07 2010
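The constraint encoding that do_show_cert() in Damien's patch walks, and the name mismatch Iain's output shows, as an added Python example that is not OpenSSH code: it builds a constraints blob the way the signer does, parses it with the same corruption checks, and renders it in the style of ssh-keygen -L with values escaped before they reach the terminal. The blobs are constructed; the signer-side name "forced-command" is taken from Iain's report.

```python
"""Parser for the constraint (critical option) section of an OpenSSH
certificate as do_show_cert() walks it: a sequence of (string name,
string data) pairs, where data is empty for the permit-* flags and wraps
one further string for force-command and source-address.
Added example, not OpenSSH code; all blobs are constructed."""
import struct

FLAG_CONSTRAINTS = {"permit-X11-forwarding", "permit-agent-forwarding",
                    "permit-port-forwarding", "permit-pty", "permit-user-rc"}
STRING_CONSTRAINTS = {"force-command", "source-address"}


class CorruptConstraint(ValueError):
    """Raised where ssh-keygen would fatal('Constraint corrupt: ...')."""


def get_string(buf: bytes, off: int):
    """Read one SSH string: uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise CorruptConstraint("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise CorruptConstraint("string runs past end of buffer")
    return buf[off + 4:off + 4 + n], off + 4 + n


def put_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def encode_constraints(items) -> bytes:
    """Build a constraints blob as the signing side does: flags carry empty
    data, string-valued options carry exactly one nested string."""
    out = b""
    for name, value in items:
        data = b"" if value is None else put_string(value.encode())
        out += put_string(name.encode()) + put_string(data)
    return out


def parse_constraints(blob: bytes) -> list:
    """Return [(name, value, status)]: value is None for a flag, the decoded
    string for a string option, and the raw data for an unknown name."""
    result, off = [], 0
    while off < len(blob):
        name_b, off = get_string(blob, off)
        data, off = get_string(blob, off)
        name = name_b.decode("ascii", "replace")
        if name in FLAG_CONSTRAINTS:
            if data:  # a flag must not carry a payload
                raise CorruptConstraint(f"{name}: extra data at end")
            result.append((name, None, "ok"))
        elif name in STRING_CONSTRAINTS:
            value, end = get_string(data, 0)
            if end != len(data):  # exactly one string, nothing after it
                raise CorruptConstraint(f"{name}: extra data at end")
            result.append((name, value.decode("utf-8", "replace"), "ok"))
        else:
            result.append((name, data, "unknown"))
    return result


def is_corrupt(blob: bytes) -> bool:
    try:
        parse_constraints(blob)
    except CorruptConstraint:
        return True
    return False


def render(parsed: list) -> list:
    """Lines in the style of ssh-keygen -L; string values go through repr()
    so a certificate from an untrusted source cannot write raw control
    characters to the terminal."""
    lines = []
    for name, value, status in parsed:
        if status == "unknown":
            lines.append(f"{name} UNKNOWN CONSTRAINT (len {len(value)})")
        elif value is None:
            lines.append(name)
        else:
            lines.append(f"{name} {value!r}")
    return lines


def demo():
    # Constructed: a signer writing the misspelled name Iain reports, and
    # the same certificate once the signer uses the name the reader expects.
    buggy = encode_constraints([("forced-command", "/bin/date"),
                                ("source-address", "10.2.3.0/24")])
    fixed = encode_constraints([("force-command", "/bin/date"),
                                ("source-address", "10.2.3.0/24"),
                                ("permit-pty", None)])
    return parse_constraints(buggy), parse_constraints(fixed)


if __name__ == "__main__":
    for parsed in demo():
        print("\n".join("        " + line for line in render(parsed)), end="\n\n")
```

The "len 13" in the unknown-constraint line reproduces Iain's output: the data for an unrecognised name is kept whole, and for "/bin/date" it is a 4-byte length plus 9 bytes, which is what a misnamed force-command looks like to a reader that only knows "force-command".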
From: djm at mindrot.org (Damien Miller) Date: Fri, 5 Mar 2010 10:28:07 +1100 (EST) Subject: Viewing cetificate details In-Reply-To: <20100304224751.GS10976@linux55.nas.nasa.gov> References: <20100303193048.GI17027@linux55.nas.nasa.gov> <20100304224751.GS10976@linux55.nas.nasa.gov> Message-ID:

On Thu, 4 Mar 2010, Iain Morgan wrote:
> Hi Damien,
>
> Thanks. This is what I was looking for. So far, I've only tested it on
> one system, but it seems to work. There does seem to be an oddity
> however with the handling of the force-command constraint.

Thanks - fixed in CVS and in tomorrow's snapshot.

-d

From djm at mindrot.org Fri Mar 5 10:29:07 2010
From: djm at mindrot.org (Damien Miller) Date: Fri, 5 Mar 2010 10:29:07 +1100 (EST) Subject: Call for testing: OpenSSH-5.4 In-Reply-To: <20100304114608.GB7980@calimero.vinschen.de> References: <20100302014453.GF17027@linux55.nas.nasa.gov> <574324a31003021639g29225623x8dfb000800af8430@mail.gmail.com> <20100303021544.GO10976@linux55.nas.nasa.gov> <20100303105210.GL17293@calimero.vinschen.de> <20100304114608.GB7980@calimero.vinschen.de> Message-ID:

On Thu, 4 Mar 2010, Corinna Vinschen wrote:
> > Did you mean "Why _don't_ you use slashes as separators"? Brevity of input
> > mainly.
>
> No, I meant to ask why you *use* slashes. That's part of the new code:

The exact format here is pretty much irrelevant, since it is used only internally.

-d

From djm at mindrot.org Fri Mar 5 10:31:52 2010
From: djm at mindrot.org (Damien Miller) Date: Fri, 5 Mar 2010 10:31:52 +1100 (EST) Subject: Minor tweak to sshd_config(5) In-Reply-To: <20100304183349.GJ17027@linux55.nas.nasa.gov> References: <20100304183349.GJ17027@linux55.nas.nasa.gov> Message-ID:

On Thu, 4 Mar 2010, Iain Morgan wrote:

> Hi,
>
> There are a few minor tweaks I would like to suggest regarding the
> recently added TrustedUserCAKeys section in sshd_config(5).
>
> TrustedUserCAKeys Specifies a file containing public keys of
> certificate authorities that are trusted sign user certificates
> for authentication. Keys are listed one per line, empty lines
> and comments starting with '#' are allowed. If a certificate
> is presented for authentication and has its signing CA key
> listed in this file, then it may be used for authentication
> for any user listed in the certificate's principals list. Note
> that certificates that lack a list of principals will not be
> permitted for authentication using TrustedUserCAKeys. For more
> details in certificates, please see the CERTIFICATES section in
> ssh-keygen(1).
>
> Replace "trusted sign user" with "trusted to sign user." Also, the
> next sentence should probably be split into two sentences to avoid a
> run-on: "Keys are listed one per line. Empty lines and comments..."
> Lastly, "more details in certificates" should be "more details on
> certificates."

Jason McIntyre (manpage whacker supreme) already found and fixed these :)

-d

From imorgan at nas.nasa.gov Fri Mar 5 10:50:40 2010
From: imorgan at nas.nasa.gov (Iain Morgan) Date: Thu, 4 Mar 2010 15:50:40 -0800 Subject: Call for testing: OpenSSH-5.4 In-Reply-To: References: Message-ID: <20100304235040.GK17027@linux55.nas.nasa.gov>

On Sat, Feb 27, 2010 at 01:25:38 -0600, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
>

The 20100305 snapshot built and tested successfully on the following:

RHEL 5 (x86_64)
SLES 10 (x86_64)
SLES 10 (ia64)
AIX 5.3
Solaris 9 (SPARC)
OS X 10.5 (Intel)

-- Iain Morgan

From kevin.brott at gmail.com Fri Mar 5 11:31:55 2010
From: kevin.brott at gmail.com (Kevin Brott) Date: Thu, 4 Mar 2010 16:31:55 -0800 Subject: Call for testing: OpenSSH-5.4 In-Reply-To: References: <20100304021313.GA1446665@hiwaay.net> Message-ID: <574324a31003041631k724ef74fr3564cbacf43a983e@mail.gmail.com>

On Wed, Mar 3, 2010 at 19:16, Damien Miller wrote:
> On Wed, 3 Mar 2010, Chris Adams wrote:
>
> > Once upon a time, Damien Miller said:
> > > OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> > > on as many platforms and systems as possible. This is a big release,
> > > with a number of major new features and many bug fixes.
> >
> > Hmm, build of 20100304 fails on Tru64 (ignore the "long long" info
> > messages):
> >
> > cc: Error: ssh-keygen.c, line 1303: In this statement, "BSDoptarg" is not declared. (undeclared)
> > fatal("Invalid certificate life specification %s", optarg);
>
> Found the problem. The following patch will be in tomorrow's snapshot.
>
> -d
>
> Index: ssh-keygen.c
> ===================================================================
> RCS file: /var/cvs/openssh/ssh-keygen.c,v
> retrieving revision 1.193
> diff -u -p -r1.193 ssh-keygen.c
> --- ssh-keygen.c 3 Mar 2010 01:14:15 -0000 1.193
> +++ ssh-keygen.c 4 Mar 2010 03:15:46 -0000
> @@ -1300,7 +1300,7 @@ parse_cert_times(char *timespec) > from = xstrdup(timespec); > to = strchr(from, ':'); > if (to == NULL || from == to || *(to + 1) == '\0') > - fatal("Invalid certificate life specification %s", optarg); > + fatal("Invalid certificate life specification %s", > timespec); > *to++ = '\0'; > > if (*from == '-' || *from == '+') > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > building openssh-SNAP-20100305.tar.gz RHEL ES 4 update5 - i686 still fails to build, but drops out in ssh-rand-helper.c instead of ssh-keygen.c ... ssh-rand-helper.c: In function `main': ssh-rand-helper.c:861: error: `BSDoptind' undeclared (first use in this function) ssh-rand-helper.c:861: error: (Each undeclared identifier is reported only once ssh-rand-helper.c:861: error: for each function it appears in.) make: *** [ssh-rand-helper.o] Error 1 log_init(argv[0], ll, SYSLOG_FACILITY_USER, 1); :-> if (argc != optind) { error("Unexpected commandline arguments."); usage(); exit(1); } No new test failures anywhere else. -- # include /* Kevin Brott */ From djm at mindrot.org Fri Mar 5 11:40:48 2010 
From: djm at mindrot.org (Damien Miller) Date: Fri, 5 Mar 2010 11:40:48 +1100 (EST) Subject: Call for testing: OpenSSH-5.4 In-Reply-To: <574324a31003041631k724ef74fr3564cbacf43a983e@mail.gmail.com> References: <20100304021313.GA1446665@hiwaay.net> <574324a31003041631k724ef74fr3564cbacf43a983e@mail.gmail.com> Message-ID: On Thu, 4 Mar 2010, Kevin Brott wrote: > building openssh-SNAP-20100305.tar.gz > > RHEL ES 4 update5 - i686 still fails to build, but drops out in > ssh-rand-helper.c instead of ssh-keygen.c > > ... > ssh-rand-helper.c: In function `main': > ssh-rand-helper.c:861: error: `BSDoptind' undeclared (first use in this > function) Try this diff: Index: ChangeLog =================================================================== RCS file: /var/cvs/openssh/ChangeLog,v retrieving revision 1.5493 diff -u -p -r1.5493 ChangeLog --- ChangeLog 4 Mar 2010 20:48:05 -0000 1.5493 +++ ChangeLog 5 Mar 2010 00:39:36 -0000 @@ -8,6 +8,8 @@ Add a -L flag to print the contents of a certificate; ok markus@ - (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in older compilers. OK djm@ + - (djm) [ssh-rand-helper.c] declare optind, avoiding compilation failure + on some platforms 20100304 - (djm) [ssh-keygen.c] Use correct local variable, instead of Index: ssh-rand-helper.c =================================================================== RCS file: /var/cvs/openssh/ssh-rand-helper.c,v retrieving revision 1.42 diff -u -p -r1.42 ssh-rand-helper.c --- ssh-rand-helper.c 20 Nov 2009 04:16:35 -0000 1.42 +++ ssh-rand-helper.c 5 Mar 2010 00:39:04 -0000 @@ -818,6 +818,7 @@ main(int argc, char **argv) unsigned char *buf; int ret, ch, debug_level, output_hex, bytes; extern char *optarg; + extern int optind; LogLevel ll; __progname = ssh_get_progname(argv[0]); From sayan.chaliha at webyog.com Fri Mar 5 16:55:51 2010 
From: sayan.chaliha at webyog.com (Sayan Chaliha) Date: Fri, 5 Mar 2010 11:25:51 +0530 Subject: ClientAliveInterval In-Reply-To: <9515bbd41003010658k2ae7ea3bg4293771fae587a32@mail.gmail.com> References: <9515bbd41002252207o5ce02efev7a83376071d981a1@mail.gmail.com> <9515bbd41002260538h27bc48ffg2863e52ae225a309@mail.gmail.com> <9515bbd41003010658k2ae7ea3bg4293771fae587a32@mail.gmail.com> Message-ID: <9515bbd41003042155r7f602dd1j79ea342944f641a4@mail.gmail.com>

Hey guys,

I have one more question: Is it possible to query sshd for settings and parameters it was configured with? Something like executing SHOW GLOBAL VARIABLES on mysqld, perhaps?

On Mon, Mar 1, 2010 at 8:28 PM, Sayan Chaliha wrote:
> @Damien:
>
> Yes, well, I understand that. But I am experiencing some weird behavior with libssh... So I was wondering whether it had anything to do with not replying to keepalive at openssh.com
>
> Here's what I'm experiencing:
> -- When the app gets disconnected from the OpenSSH 4.3 server, it tries to reconnect.
> -- Reconnection and authorization are successful, but libssh fails when trying to open a new channel (with some obscure 'unrecognized packet' message).
> -- This continues until the ClientAliveInterval has expired.
>
> Anyway, thanks for all the help. I'm now sure that the problem is not with my application but rather with libssh. I've gotten in touch with them (ie, the developers of libssh) to have this issue solved.
>
> Thanks again for your time!
>
> On Sat, Feb 27, 2010 at 5:59 AM, Damien Miller wrote:
>> On Fri, 26 Feb 2010, Sayan Chaliha wrote:
>>
>> > @Damien, could you also tell me what would happen if the client didn't respond to that request, and instead tried to create new session and channel afresh? Would the server send the same message again?
>>
>> A client that is compliant with the protocol _must_ respond, even just to say "I have no idea what this command is". Any response will reset the keepalive timer.
>>
>> > On Fri, Feb 26, 2010 at 12:40 PM, Damien Miller wrote:
>> >
>> > > On Fri, 26 Feb 2010, Sayan Chaliha wrote:
>> > >
>> > > > Hi,
>> > > >
>> > > > I am having some trouble with the ClientAliveInterval server setting. My (C++) application fails to start an SSH channel to an OpenSSH server within this time-out period if it doesn't reply correctly to this 'keep-alive' no-op that is sent by the server. How is this no-op handled? I am using the libssh client library, and I could find no references on how to handle this.
>> > >
>> > > Client alive interval is implemented by sending a global or channel request of type "keepalive at openssh.com" with want-reply turned on. You shouldn't need to implement anything for this to work - a client should return SSH2_MSG_REQUEST_FAILURE if it doesn't implement this request type and that should be enough to reset the keepalive watchdog timer.
>> > >
>> > > If you would like to explicitly support it, you can just send an appropriate SSH2_MSG_REQUEST_SUCCESS (global request) or SSH2_MSG_CHANNEL_SUCCESS (channel request) message, but this is purely optional.
>> > > >> > > -d >> > > >> > >> > >> > >> > -- >> > Regards, >> > Sayan Chaliha >> > Webyog Softworks Private Limited >> > 2nd Floor, Novel Team Building >> > #10, 100 Feet Ring Road >> > BTM Layout 1st Stage >> > Bangalore - 560068 >> > >> > +91-9743357501 >> > _______________________________________________ >> > openssh-unix-dev mailing list >> > openssh-unix-dev at mindrot.org >> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >> > >> > > > > -- > Regards, > Sayan Chaliha > Webyog Softworks Private Limited > 2nd Floor, Novel Team Building > #10, 100 Feet Ring Road > BTM Layout 1st Stage > Bangalore - 560068 > > +91-9743357501 > -- Regards, Sayan Chaliha Webyog Softworks Private Limited 2nd Floor, Novel Team Building #10, 100 Feet Ring Road BTM Layout 1st Stage Bangalore - 560068 +91-9743357501 From djm at mindrot.org Fri Mar 5 17:03:42 2010 From: djm at mindrot.org (Damien Miller) Date: Fri, 5 Mar 2010 17:03:42 +1100 (EST) Subject: ClientAliveInterval In-Reply-To: <9515bbd41003042155r7f602dd1j79ea342944f641a4@mail.gmail.com> References: <9515bbd41002252207o5ce02efev7a83376071d981a1@mail.gmail.com> <9515bbd41002260538h27bc48ffg2863e52ae225a309@mail.gmail.com> <9515bbd41003010658k2ae7ea3bg4293771fae587a32@mail.gmail.com> <9515bbd41003042155r7f602dd1j79ea342944f641a4@mail.gmail.com> Message-ID: On Fri, 5 Mar 2010, Sayan Chaliha wrote: > Hey guys, > > I have one more question: Is it possible to query sshd for settings and > parameters it was configured with? Something like executing SHOW GLOBAL > VARIABLES on mysqld, perhaps? There is "sshd -T" that will print the current configuration, but it does not include compile-time settings. -d From sayan.chaliha at webyog.com Fri Mar 5 17:06:11 2010 
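The keepalive@openssh.com exchange Damien explains in the quoted part of this thread, as an added Python example that is not OpenSSH or libssh code: the server's global or channel request with want_reply set, the reply a compliant client returns even when it does not implement the request, and a simplified server-side watchdog. The message numbers are the RFC 4254 values; the watchdog's counting rule is a modelling assumption, not a transcription of serverloop.c.

```python
"""ClientAliveInterval at the SSH message level: sshd sends a
"keepalive@openssh.com" request with want_reply set; any reply, including
a FAILURE from a client that does not know the request, resets the timer.
Added example, not OpenSSH code; message numbers are from RFC 4254."""
import struct

MSG_GLOBAL_REQUEST, MSG_REQUEST_SUCCESS, MSG_REQUEST_FAILURE = 80, 81, 82
MSG_CHANNEL_REQUEST, MSG_CHANNEL_SUCCESS, MSG_CHANNEL_FAILURE = 98, 99, 100
KEEPALIVE = b"keepalive@openssh.com"


def put_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def get_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n


def server_keepalive(channel_id=None) -> bytes:
    """Payload sshd sends when ClientAliveInterval elapses without traffic:
    a global request, or a channel request on an open channel."""
    if channel_id is None:
        return bytes([MSG_GLOBAL_REQUEST]) + put_string(KEEPALIVE) + b"\x01"
    return (bytes([MSG_CHANNEL_REQUEST]) + struct.pack(">I", channel_id)
            + put_string(KEEPALIVE) + b"\x01")


def client_handle(payload: bytes, implemented=frozenset()):
    """A compliant client's reply.  want_reply set means a reply is mandatory;
    an unimplemented request type gets FAILURE, which still proves the client
    is alive.  Returns None when no reply is due."""
    kind = payload[0]
    if kind == MSG_GLOBAL_REQUEST:
        name, off = get_string(payload, 1)
        if payload[off] == 0:
            return None
        return bytes([MSG_REQUEST_SUCCESS if name in implemented else MSG_REQUEST_FAILURE])
    if kind == MSG_CHANNEL_REQUEST:
        (chan,) = struct.unpack(">I", payload[1:5])
        name, off = get_string(payload, 5)
        if payload[off] == 0:
            return None
        code = MSG_CHANNEL_SUCCESS if name in implemented else MSG_CHANNEL_FAILURE
        return bytes([code]) + struct.pack(">I", chan)
    raise ValueError(f"unexpected message type {kind}")


class AliveWatchdog:
    """Server side: count consecutive unanswered probes; any packet resets.
    Model assumption: drop the peer once count_max probes are outstanding
    (ClientAliveCountMax defaults to 3)."""

    def __init__(self, count_max: int = 3):
        self.count_max = count_max
        self.outstanding = 0

    def send_probe(self) -> bool:
        """Called every ClientAliveInterval seconds; True means disconnect."""
        self.outstanding += 1
        return self.outstanding >= self.count_max

    def on_packet(self, reply) -> None:
        if reply is not None:  # anything from the peer proves it is alive
            self.outstanding = 0


def demo():
    wd = AliveWatchdog(count_max=3)
    probe = server_keepalive()
    reply = client_handle(probe)  # a client with no keepalive handler
    wd.send_probe()
    wd.on_packet(reply)
    alive_after_failure_reply = wd.outstanding == 0
    dropped = False
    for _ in range(3):  # a client that stays silent
        dropped = wd.send_probe()
    return reply, alive_after_failure_reply, dropped


if __name__ == "__main__":
    print(demo())
```

The lesson for a client library is in client_handle(): what keeps the session alive is answering, not understanding. Ignoring an unknown want_reply request is the one non-compliant choice, and it is the one that gets a client disconnected.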
From: sayan.chaliha at webyog.com (Sayan Chaliha) Date: Fri, 5 Mar 2010 11:36:11 +0530 Subject: ClientAliveInterval In-Reply-To: References: <9515bbd41002252207o5ce02efev7a83376071d981a1@mail.gmail.com> <9515bbd41002260538h27bc48ffg2863e52ae225a309@mail.gmail.com> <9515bbd41003010658k2ae7ea3bg4293771fae587a32@mail.gmail.com> <9515bbd41003042155r7f602dd1j79ea342944f641a4@mail.gmail.com> Message-ID: <9515bbd41003042206q5c151008xd35e4e94379e35e7@mail.gmail.com> Thanks Damien! This is just what I needed... So, I can login to sshd, and execute the command sshd -T and parse the result.. Right? On Fri, Mar 5, 2010 at 11:33 AM, Damien Miller wrote: > On Fri, 5 Mar 2010, Sayan Chaliha wrote: > > > Hey guys, > > > > I have one more question: Is it possible to query sshd for settings and > > parameters it was configured with? Something like executing SHOW GLOBAL > > VARIABLES on mysqld, perhaps? > > There is "sshd -T" that will print the current configuration, but it does > not include compile-time settings. > > -d > -- Regards, Sayan Chaliha Webyog Softworks Private Limited 2nd Floor, Novel Team Building #10, 100 Feet Ring Road BTM Layout 1st Stage Bangalore - 560068 +91-9743357501 From djm at mindrot.org Fri Mar 5 17:23:24 2010 
From: djm at mindrot.org (Damien Miller) Date: Fri, 5 Mar 2010 17:23:24 +1100 (EST) Subject: ClientAliveInterval In-Reply-To: <9515bbd41003042206q5c151008xd35e4e94379e35e7@mail.gmail.com> References: <9515bbd41002252207o5ce02efev7a83376071d981a1@mail.gmail.com> <9515bbd41002260538h27bc48ffg2863e52ae225a309@mail.gmail.com> <9515bbd41003010658k2ae7ea3bg4293771fae587a32@mail.gmail.com> <9515bbd41003042155r7f602dd1j79ea342944f641a4@mail.gmail.com> <9515bbd41003042206q5c151008xd35e4e94379e35e7@mail.gmail.com> Message-ID: On Fri, 5 Mar 2010, Sayan Chaliha wrote: > Thanks Damien! > > This is just what I needed... So, I can login to sshd, and execute the > command sshd -T and parse the result.. Right? Yes, and you can even simulate the effects of Match blocks changing the configuration for different source hosts/addresses or users by using sshd's -C option - see the sshd(8) manpage for details. -d From vinschen at redhat.com Fri Mar 5 20:40:30 2010 From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 5 Mar 2010 10:40:30 +0100 Subject: Call for testing: OpenSSH-5.4 In-Reply-To: References: <20100302014453.GF17027@linux55.nas.nasa.gov> <574324a31003021639g29225623x8dfb000800af8430@mail.gmail.com> <20100303021544.GO10976@linux55.nas.nasa.gov> <20100303105210.GL17293@calimero.vinschen.de> <20100304114608.GB7980@calimero.vinschen.de> Message-ID: <20100305094030.GJ7980@calimero.vinschen.de> On Mar 5 10:29, Damien Miller wrote: > On Thu, 4 Mar 2010, Corinna Vinschen wrote: > > > > Did you mean "Why _don't_ you use slashes as separators"? Brevity of input > > > mainly. > > > > No, I meant to ask why you *use* slashes. That's part of the new code: > > The exact format here is pretty much irrelevant, since it is used only > internally. That's ok. I was just asking because I think that using two different time formats now is a good starting point for later confusion. Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From peter at stuge.se Sat Mar 6 06:26:35 2010 
From: peter at stuge.se (Peter Stuge) Date: Fri, 5 Mar 2010 20:26:35 +0100 Subject: ClientAliveInterval In-Reply-To: <9515bbd41003042206q5c151008xd35e4e94379e35e7@mail.gmail.com> References: <9515bbd41002252207o5ce02efev7a83376071d981a1@mail.gmail.com> <9515bbd41002260538h27bc48ffg2863e52ae225a309@mail.gmail.com> <9515bbd41003010658k2ae7ea3bg4293771fae587a32@mail.gmail.com> <9515bbd41003042155r7f602dd1j79ea342944f641a4@mail.gmail.com> <9515bbd41003042206q5c151008xd35e4e94379e35e7@mail.gmail.com> Message-ID: <20100305192635.29910.qmail@stuge.se>

Sayan Chaliha wrote:
> This is just what I needed... So, I can login to sshd, and execute
> the command sshd -T and parse the result.. Right?

Just be prepared that the sshd you run with -T may be different from the sshd you logged in to.

//Peter

From mouring at eviladmin.org Sat Mar 6 07:32:23 2010
From: mouring at eviladmin.org (Ben Lindstrom) Date: Fri, 5 Mar 2010 14:32:23 -0600 Subject: ClientAliveInterval In-Reply-To: <20100305192635.29910.qmail@stuge.se> References: <9515bbd41002252207o5ce02efev7a83376071d981a1@mail.gmail.com> <9515bbd41002260538h27bc48ffg2863e52ae225a309@mail.gmail.com> <9515bbd41003010658k2ae7ea3bg4293771fae587a32@mail.gmail.com> <9515bbd41003042155r7f602dd1j79ea342944f641a4@mail.gmail.com> <9515bbd41003042206q5c151008xd35e4e94379e35e7@mail.gmail.com> <20100305192635.29910.qmail@stuge.se> Message-ID: <020E7101-ABA1-4DAB-8559-45739541152A@eviladmin.org>

On Mar 5, 2010, at 1:26 PM, Peter Stuge wrote:
> Sayan Chaliha wrote:
>> This is just what I needed... So, I can login to sshd, and execute
>> the command sshd -T and parse the result.. Right?
>
> Just be prepared that the sshd you run with -T may be different from
> the sshd you logged in to.

Or, almost as likely, they defined sshd -f /path/to/file.conf, which may be different from the default config file sshd is compiled with.

- Ben

From kevin.brott at gmail.com Sat Mar 6 09:39:28 2010
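Putting Damien's sshd -T and -C advice together with Peter's and Ben's caveats, as an added Python example that is not OpenSSH code: build the exact sshd command line, including -f for the config file the running daemon was started with, parse the dump, and diff the global result against the result for one client context. The sample dumps are constructed; the helper's requirement that -C carry user, host and addr together follows the sshd(8) description of connection_spec, and only run_sshd_T() touches a real sshd (it needs root and the same binary as the daemon).

```python
"""Reading sshd's effective configuration with `sshd -T`, and evaluating
Match blocks for a given connection with -C.
Added example, not OpenSSH code; the sample dumps below are constructed."""
import subprocess


def sshd_test_cmd(sshd="/usr/sbin/sshd", config=None, user=None, host=None, addr=None):
    """argv for `sshd -T`; -f names the config the running daemon uses and
    -C takes user, host and addr together (the connection_spec keywords)."""
    argv = [sshd, "-T"]
    if config:
        argv += ["-f", config]
    parts = [(k, v) for k, v in (("user", user), ("host", host), ("addr", addr)) if v]
    if parts:
        if len(parts) != 3:
            raise ValueError("-C needs user, host and addr together")
        argv += ["-C", ",".join(f"{k}={v}" for k, v in parts)]
    return argv


def parse_sshd_T(text: str) -> dict:
    """'keyword value' lines -> {keyword: [value, ...]}.  Keywords sshd prints
    once per value (hostkey, for example) accumulate in order."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.strip().partition(" ")
        cfg.setdefault(key.lower(), []).append(value.strip())
    return cfg


def run_sshd_T(**kwargs) -> dict:
    """Execute the real sshd -T and parse it (not exercised by the demo)."""
    proc = subprocess.run(sshd_test_cmd(**kwargs), capture_output=True, text=True, check=True)
    return parse_sshd_T(proc.stdout)


def config_diff(base: dict, matched: dict) -> dict:
    """Keywords whose effective value differs between two dumps, e.g. the
    global config and the same config evaluated with -C for one client."""
    keys = sorted(set(base) | set(matched))
    return {k: (base.get(k), matched.get(k)) for k in keys if base.get(k) != matched.get(k)}


# Constructed sample: a plain `sshd -T` dump, then the same config evaluated
# with -C user=sayan,host=app01.example.com,addr=10.0.0.5 hitting a Match block.
GLOBAL_DUMP = """\
port 22
clientaliveinterval 0
clientalivecountmax 3
passwordauthentication yes
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_dsa_key
"""
MATCHED_DUMP = """\
port 22
clientaliveinterval 300
clientalivecountmax 3
passwordauthentication no
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_dsa_key
"""


def demo():
    base, matched = parse_sshd_T(GLOBAL_DUMP), parse_sshd_T(MATCHED_DUMP)
    return base, config_diff(base, matched)


if __name__ == "__main__":
    print(sshd_test_cmd(config="/etc/ssh/sshd_config", user="sayan",
                        host="app01.example.com", addr="10.0.0.5"))
    for key, (before, after) in demo()[1].items():
        print(f"{key}: {before} -> {after}")
```

Diffing the two dumps is how you confirm that a Match block actually fires for the client you care about; a ClientAliveInterval that looks fine in the global dump can still be overridden for the address range the application connects from.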
From: kevin.brott at gmail.com (Kevin Brott) Date: Fri, 5 Mar 2010 14:39:28 -0800 Subject: Call for testing: OpenSSH-5.4 In-Reply-To: References: Message-ID: <574324a31003051439k4c839e40r9229893a3e5a2c7f@mail.gmail.com> On Fri, Feb 26, 2010 at 23:25, Damien Miller wrote: > Hi, > > OpenSSH 5.4 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This is a big release, > with a number of major new features and many bug fixes. > > Using openssh-SNAP-20100306.tar.gz new issue on RHEL 5.4 x86_64: with SUDO set .. ... run test agent.sh ... sudo: sorry, you must have a tty to run sudo ssh_exchange_identification: Connection closed by remote host agent fwd proto 1 failed (exit code 0) sudo: sorry, you must have a tty to run sudo ssh_exchange_identification: Connection closed by remote host agent fwd proto 2 failed (exit code 0) failed simple agent test gmake[1]: *** [t-exec] Error 1 gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress' gmake: *** [tests] Error 2 Caused by: http://kbase.redhat.com/faq/docs/15839 ... The /etc/sudoers file in Red Hat Enterprise Linux 5 has a default flag 'requiretty'. With this flag set, only logged in users can execute commands through sudo. This will disallow execution of sudo commands remotely through rsh or ssh. The rsh and ssh utilities do not allocate a tty. It is recommended to keep this flag to prevent a user from entering a visible password. With ssh, use -t to force pseudo-tty allocation My proposed fix ... *** regress/agent.sh 2010-03-05 14:01:13.000000000 -0800 --- regress/agent.sh.orig 2008-03-12 05:58:56.000000000 -0700 *************** *** 45,51 **** trace "simple connect via agent" for p in 1 2; do ! ${SSH} -t -$p -F $OBJ/ssh_proxy somehost exit 5$p if [ $? -ne 5$p ]; then fail "ssh connect with protocol $p failed (exit code $?)" fi --- 45,51 ---- trace "simple connect via agent" for p in 1 2; do ! ${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p if [ $? 
-ne 5$p ]; then fail "ssh connect with protocol $p failed (exit code $?)" fi *************** *** 53,63 **** trace "agent forwarding" for p in 1 2; do ! ${SSH} -t -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 if [ $? -ne 0 ]; then fail "ssh-add -l via agent fwd proto $p failed (exit code $?)" fi ! ${SSH} -t -A -$p -F $OBJ/ssh_proxy somehost \ "${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p" if [ $? -ne 5$p ]; then fail "agent fwd proto $p failed (exit code $?)" --- 53,63 ---- trace "agent forwarding" for p in 1 2; do ! ${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 if [ $? -ne 0 ]; then fail "ssh-add -l via agent fwd proto $p failed (exit code $?)" fi ! ${SSH} -A -$p -F $OBJ/ssh_proxy somehost \ "${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p" if [ $? -ne 5$p ]; then fail "agent fwd proto $p failed (exit code $?)" Once this is applied - all tests passed -- # include /* Kevin Brott */ From kevin.brott at gmail.com Sat Mar 6 12:36:19 2010 
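Review bot: the context diff is inverted. The `***` (old) side is the edited regress/agent.sh carrying `-t` and the `---` (new) side is agent.sh.orig, so applying the patch as posted removes `-t` from the four ${SSH} invocations rather than adding it; swap the two file arguments (diff against agent.sh.orig first) before resubmitting. On the substance of both hunks (lines 45-51 and 53-63), forcing a pseudo-tty changes what the agent and agent-forwarding test exercises in order to work around the local sudoers `requiretty` default quoted from the kbase article; exempting the test account with a `Defaults:<user> !requiretty` entry in sudoers, or running the suite as root, keeps the regression script itself unchanged and the failure mode visible.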
From: kevin.brott at gmail.com (Kevin Brott)
Date: Fri, 5 Mar 2010 17:36:19 -0800
Subject: Call for testing: OpenSSH-5.4
In-Reply-To:
References:
Message-ID: <574324a31003051736s1a39562akdd398b3fe4d564ef@mail.gmail.com>

On Fri, Feb 26, 2010 at 23:25, Damien Miller wrote:
> Hi,
>
> OpenSSH 5.4 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This is a big release,
> with a number of major new features and many bug fixes.
>

Using openssh-SNAP-20100306.tar.gz

Summary:

lx1072 + Ubuntu 6.10 i686 - builds - all tests passed
hobbes + Ubuntu 9.10 x86_64 - builds - all tests passed
ux0643 + AIX 5.2 sp10 power - builds - all tests passed
ux9039 + AIX 5.3 sp7 power - builds - all tests passed
ux9001 + AIX 6.1 sp4 power - builds - all tests passed
ux1090 + HP-UX 11.11 hppa2 - builds - all tests passed
ux1025 + HP-UX 11.23 ia64 - builds - tests *PARTIAL FAIL *1*
ux9115 + HP-UX 11.31 ia64 gcc - builds - tests *FAIL: *2*
ux9115 + HP-UX 11.31 ia64 aCC - builds - all tests passed
phswaora01 + RH 6.2 i686 - builds - tests *PARTIAL FAIL *3*
lx1030 + RH 8.0 i686 - builds - all tests passed
lx0527 + RHEL 2.1 i686 - builds - tests *PARTIAL FAIL *4*
lx1098 + RHEL 3.0 tu8 i686 - builds - all tests passed
lx9002 + RHEL 4.0 nu5 i686 - builds - all tests passed
lx9003 + RHEL 5.4 i686 - builds - all tests passed *5*

*1 :: Tests run as non-root user ...
export SUDO=`which sudo`
...
run test connect.sh ...
Password:
cat: Cannot open /var/tmp/ssh/openssh/regress/pidfile: Permission denied (root:sys 0600)
no sshd running
ok simple connect
run test proxy-connect.sh ...
cat: Cannot open /var/tmp/ssh/openssh/regress/pidfile: Permission denied
no sshd running
ok proxy connect
...etc...
run test reconfigure.sh ...
cat: Cannot open /var/tmp/ssh/openssh/regress/pidfile: Permission denied
usage: kill [ -signo ] pid ...
FATAL: sshd did not restart
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
gmake: *** [tests] Error 2
stale sshd process running from build dir - killed it
unset SUDO
...
run test connect.sh ...
Permission denied.
ssh connect with protocol 1 failed
Permission denied (publickey,password,keyboard-interactive).
ssh connect with protocol 2 failed
failed simple connect
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
gmake: *** [tests] Error 2
:: Run as root user, or 'sudo gmake tests' - all tests passed

*2 :: Tests fail (root/non-root):
...
run test agent-ptrace.sh ...
ptrace succeeded?: exit code 1
failed disallow agent ptrace attach
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
gmake: *** [tests] Error 2

*3 :: Tests fail as non-root user (w/out SUDO) at:
...
run test connect.sh ...
Connection closed by 127.0.0.1
ssh connect with protocol 1 failed
Read from socket failed: Broken pipe
ssh connect with protocol 2 failed
failed simple connect
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
gmake: *** [tests] Error 2
:: export SUDO=`which sudo` ... all(-1) tests passed (agent-ptrace.sh which still hangs in gdb)

*4 :: Tests fail as non-root user (w/wout SUDO) at
...
run test agent-getpeereid.sh ...
ssh-add did not fail for nobody: 1 < 2
failed disallow agent attach from other uid
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/var/tmp/ssh/openssh/regress'
gmake: *** [tests] Error 2
:: Run as root user, or 'sudo gmake tests' - all tests passed

*5 :: patch of regress/agent.sh required. See previous email.

--
# include /* Kevin Brott */

From logsnaath at gmx.net Sat Mar 6 15:48:09 2010
From: logsnaath at gmx.net (Logu)
Date: Sat, 6 Mar 2010 10:18:09 +0530
Subject: Call for testing: OpenSSH-5.4
In-Reply-To:
References:
Message-ID: <5F497622-9C9B-4C15-BD3B-DF55645FFB84@gmx.net>

>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>

all tests passed on mac-osx

logu at logu-osx: openssh$ uname -a
Darwin logu-osx.local 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15 16:55:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_I386 i386
logu at logu-osx: openssh$ gcc
i686-apple-darwin9-gcc-4.0.1: no input files

From ed at 80386.nl Sat Mar 6 20:11:56 2010
From: ed at 80386.nl (Ed Schouten)
Date: Sat, 6 Mar 2010 10:11:56 +0100
Subject: [Patch] Make OpenSSH work with FreeBSD's utmpx implementation
In-Reply-To: <20100113210439.GU64905@hoeg.nl>
References: <20100113210439.GU64905@hoeg.nl>
Message-ID: <20100306091156.GG8200@hoeg.nl>

Hello all,

* Ed Schouten wrote:
> The next version of FreeBSD will use utmpx for its user accounting
> database, as opposed to utmp which is used right now.
>
>
>
> The attached patch makes OpenSSH from CVS build on FreeBSD HEAD again.
> It would be nice if it could be incorporated into the next version.

I sent this patch some time ago but I never got a response and it
doesn't seem to be committed to CVS. Is there any chance it could get
integrated in the near future?

--
Ed Schouten
WWW: http://80386.nl/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh.diff
Type: text/x-diff
Size: 4407 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL:

From djm at mindrot.org Sat Mar 6 21:53:53 2010
From: djm at mindrot.org (Damien Miller)
Date: Sat, 6 Mar 2010 21:53:53 +1100 (EST)
Subject: [Patch] Make OpenSSH work with FreeBSD's utmpx implementation
In-Reply-To: <20100306091156.GG8200@hoeg.nl>
References: <20100113210439.GU64905@hoeg.nl> <20100306091156.GG8200@hoeg.nl>
Message-ID:

On Sat, 6 Mar 2010, Ed Schouten wrote:

> Hello all,
>
> * Ed Schouten wrote:
> > The next version of FreeBSD will use utmpx for its user accounting
> > database, as opposed to utmp which is used right now.
> >
> >
> >
> > The attached patch makes OpenSSH from CVS build on FreeBSD HEAD again.
> > It would be nice if it could be incorporated into the next version.
>
> I sent this patch some time ago but I never got a response and it
> doesn't seem to be committed to CVS. Is there any chance it could get
> integrated in the near future?

Did you post it to bugzilla? That is the best way to ensure that patches
don't get lost. It is probably a bit late for 5.4 unfortunately.

-d

From ed at 80386.nl Sat Mar 6 22:01:39 2010
From: ed at 80386.nl (Ed Schouten)
Date: Sat, 6 Mar 2010 12:01:39 +0100
Subject: [Patch] Make OpenSSH work with FreeBSD's utmpx implementation
In-Reply-To:
References: <20100113210439.GU64905@hoeg.nl> <20100306091156.GG8200@hoeg.nl>
Message-ID: <20100306110139.GH8200@hoeg.nl>

* Damien Miller wrote:
> Did you post it to bugzilla? That is the best way to ensure that patches
> don't get lost. It is probably a bit late for 5.4 unfortunately.

Done.

https://bugzilla.mindrot.org/show_bug.cgi?id=1732

--
Ed Schouten
WWW: http://80386.nl/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL:

From joachim at joachimschipper.nl Sun Mar 7 08:05:49 2010
From: joachim at joachimschipper.nl (Joachim Schipper)
Date: Sat, 6 Mar 2010 22:05:49 +0100
Subject: ssh-keyscan bug (not really exploitable)
Message-ID: <20100306210548.GA32662@polymnia.sshunet.nl>

ssh-keyscan may, under very specific circumstances, be vulnerable to
something akin to a buffer overflow. It's probably impossible to
exploit, though, if only because ssh-keyscan is not usually run on very
large untrusted input files.

ssh-keyscan uses an fgets() wrapper that uses an unsigned int to keep
track of the length of a buffer holding the current line. On machines
with sufficient address space to hold UINT_MAX / 2 bytes, e.g. amd64,
one can fill those bytes. The next call will be realloc(buf, 0), which
free()s the buffer and returns a non-NULL zero-size chunk of memory. The
program will then try to write to some point in memory about UINT_MAX /
2 past this newly-returned chunk.

Test case:

$ while true; do echo -n 'AAAAAAAAAAAAAAAA'; done | ssh-keyscan -f -

I stumbled upon this a while ago; I was trying to solve
https://bugzilla.mindrot.org/show_bug.cgi?id=1565 ("ssh-keyscan doesn't
like comment-lines"). The patch below rips out the fgets() wrapper and
correctly handles both comments and ridiculously long lines.

Joachim

Index: ssh-keyscan.c =================================================================== RCS file: /usr/cvs/src/src/usr.bin/ssh/ssh-keyscan.c,v retrieving revision 1.81 diff -u -p -r1.81 ssh-keyscan.c --- ssh-keyscan.c 9 Jan 2010 23:04:13 -0000 1.81 +++ ssh-keyscan.c 6 Mar 2010 20:33:34 -0000 @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keyscan.c,v 1.78 2009/01/22 10:02:34 djm Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.81 2010/01/09 23:04:13 dtucker Exp $ */ /* * Copyright 1995, 1996 by David Mazieres . *
@@ -99,122 +99,6 @@ typedef struct Connection { TAILQ_HEAD(conlist, Connection) tq; /* Timeout Queue */ con *fdcon; -/* - * This is just a wrapper around fgets() to make it usable. - */ - -/* Stress-test. Increase this later. */ -#define LINEBUF_SIZE 16 - -typedef struct { - char *buf; - u_int size; - int lineno; - const char *filename; - FILE *stream; - void (*errfun) (const char *,...); -} Linebuf; - -static Linebuf * -Linebuf_alloc(const char *filename, void (*errfun) (const char *,...)) -{ - Linebuf *lb; - - if (!(lb = malloc(sizeof(*lb)))) { - if (errfun) - (*errfun) ("linebuf (%s): malloc failed\n", - filename ? filename : "(stdin)"); - return (NULL); - } - if (filename) { - lb->filename = filename; - if (!(lb->stream = fopen(filename, "r"))) { - xfree(lb); - if (errfun) - (*errfun) ("%s: %s\n", filename, strerror(errno)); - return (NULL); - } - } else { - lb->filename = "(stdin)"; - lb->stream = stdin; - } - - if (!(lb->buf = malloc((lb->size = LINEBUF_SIZE)))) { - if (errfun) - (*errfun) ("linebuf (%s): malloc failed\n", lb->filename); - xfree(lb); - return (NULL); - } - lb->errfun = errfun; - lb->lineno = 0; - return (lb); -} - -static void -Linebuf_free(Linebuf * lb) -{ - fclose(lb->stream); - xfree(lb->buf); - xfree(lb); -} - -#if 0 -static void -Linebuf_restart(Linebuf * lb) -{ - clearerr(lb->stream); - rewind(lb->stream); - lb->lineno = 0; -} - -static int -Linebuf_lineno(Linebuf * lb) -{ - return (lb->lineno); -} -#endif - -static char * -Linebuf_getline(Linebuf * lb) -{ - size_t n = 0; - void *p; - - lb->lineno++; - for (;;) { - /* Read a line */ - if (!fgets(&lb->buf[n], lb->size - n, lb->stream)) { - if (ferror(lb->stream) && lb->errfun) - (*lb->errfun)("%s: %s\n", lb->filename, - strerror(errno)); - return (NULL); - } - n = strlen(lb->buf); - - /* Return it or an error if it fits */ - if (n > 0 && lb->buf[n - 1] == '\n') { - lb->buf[n - 1] = '\0'; - return (lb->buf); - } - if (n != lb->size - 1) { - if (lb->errfun) - (*lb->errfun)("%s: skipping 
incomplete last line\n", - lb->filename); - return (NULL); - } - /* Double the buffer if we need more space */ - lb->size *= 2; - if ((p = realloc(lb->buf, lb->size)) == NULL) { - lb->size /= 2; - if (lb->errfun) - (*lb->errfun)("linebuf (%s): realloc failed\n", - lb->filename); - return (NULL); - } - lb->buf = p; - } -} - static int fdlim_get(int hard) { @@ -709,8 +593,10 @@ int main(int argc, char **argv) { int debug_flag = 0, log_level = SYSLOG_LEVEL_INFO; - int opt, fopt_count = 0; - char *tname; + int opt, fopt_count = 0, j; + char *tname, *line; + size_t i, line_len; + FILE *fp; extern int optind; extern char *optarg; 
@@ -808,20 +694,52 @@ main(int argc, char **argv) read_wait_nfdset = howmany(maxfd, NFDBITS); read_wait = xcalloc(read_wait_nfdset, sizeof(fd_mask)); - if (fopt_count) { - Linebuf *lb; - char *line; - int j; - - for (j = 0; j < fopt_count; j++) { - lb = Linebuf_alloc(argv[j], error); - if (!lb) + line = NULL; + + for (j = 0; j < fopt_count; j++) { + if (line == NULL) + line = xmalloc(line_len = BUFSIZ); + + if ((fp = fopen(argv[j], "r")) == NULL) + fatal("%s: %s: %s", __progname, argv[j], + strerror(errno)); + + i = 0; + while (fgets(&line[i], line_len - i, fp)) { + /* Read a line */ + i += strcspn(&line[i], "\n"); + if (line[i] == '\0' && i == line_len - 1) { + if (line_len > SIZE_MAX / 2) + fatal("%s: %s: line %.20s too long", + __progname, argv[j], line); + line = xrealloc(line, line_len *= 2, 1); + continue; + } + + /* Strip off comments and whitespace at end */ + for (i = strcspn(line, "#\n"); + i > 0 && strchr(" \t", line[i - 1]); + i--); + line[i] = '\0'; + + /* Skip empty lines, comments */ + if (i == 0) continue; - while ((line = Linebuf_getline(lb)) != NULL) - do_host(line); - Linebuf_free(lb); + + do_host(line); + + i = 0; } + + if (ferror(fp)) + fatal("%s: %s: %s", __progname, argv[j], + strerror(errno)); + + fclose(fp); } + + if (line) + xfree(line); while (optind < argc) do_host(argv[optind++]); From djm at mindrot.org Sun Mar 7 08:20:02 2010 
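Review bot: the `@@ -1,4 +1,4 @@` hunk changes nothing but the `$OpenBSD$` RCS id keyword, which CVS expands on commit; drop it from the submission so the patch applies cleanly regardless of the reviewer's checkout revision.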
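Review bot: in the `@@ -808,20 +694,52 @@` hunk, `fopen(argv[j], "r")` replaces a Linebuf_alloc() whose removed `if (filename) ... else lb->stream = stdin` branch treated a NULL filename as stdin; if the `-f -` option handling (not in this diff) still stores NULL for stdin, as the posted `ssh-keyscan -f -` test case relies on, the new loop dereferences NULL. Keep the special case, e.g. `fp = (argv[j] == NULL) ? stdin : fopen(argv[j], "r")`, and skip fclose() for stdin. Three smaller points: `line_len - i` is passed to fgets(), whose size parameter is an int, so the `SIZE_MAX / 2` guard should instead cap `line_len` at INT_MAX (or a far smaller limit) for the conversion to stay defined; a final line with no trailing newline whose length exactly fills the buffer is grown and then silently lost when the next fgets() returns NULL, whereas the removed reader at least logged "skipping incomplete last line"; and an unreadable -f file now aborts via fatal() where the old `if (!lb) continue;` reported it with error() and moved on to the next file, which is a behaviour change worth stating in the submission.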
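As an added example, not ssh-keyscan's code and not part of Joachim's patch above, here is a stand-alone C line reader that applies the fix his post describes: the buffer length is a size_t rather than a u_int, doubling is refused before it could wrap to realloc(buf, 0), '#' comments and trailing blanks are stripped, and a last line without a newline is kept rather than dropped. SAMPLE_INPUT is a constructed host list, LINE_INITIAL is held at 16 bytes purely so the sample exercises the growth path, and the 1 << 20 and 64-byte caps are illustrative choices.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of reading one logical line. */
enum line_status { LINE_OK = 1, LINE_EOF = 0, LINE_TOO_LONG = -1, LINE_IOERR = -2 };

#define LINE_INITIAL 16	/* tiny on purpose, so the sample exercises growth */

/*
 * Read one line into *bufp (malloc'd, length *lenp, doubled on demand) and
 * strip the newline, any '#' comment and trailing blanks.  The counter is a
 * size_t and doubling is refused once it would pass limit, so the buffer can
 * never wrap to realloc(buf, 0) the way the old u_int counter could.
 */
static enum line_status read_host_line(FILE *fp, char **bufp, size_t *lenp, size_t limit)
{
	size_t i = 0;
	char *p, c;

	if (limit > INT_MAX)		/* fgets() takes an int size */
		limit = INT_MAX;
	if (*bufp == NULL && (*bufp = malloc(*lenp = LINE_INITIAL)) == NULL)
		return LINE_IOERR;
	for (;;) {
		if (fgets(*bufp + i, (int)(*lenp - i), fp) == NULL) {
			if (ferror(fp))
				return LINE_IOERR;
			if (i == 0)
				return LINE_EOF;
			break;			/* last line had no '\n' */
		}
		i += strcspn(*bufp + i, "\n");
		if ((*bufp)[i] == '\n' || i < *lenp - 1)
			break;			/* complete, or EOF mid-buffer */
		if (*lenp > limit / 2)		/* buffer full: double or give up */
			return LINE_TOO_LONG;
		if ((p = realloc(*bufp, *lenp * 2)) == NULL)
			return LINE_IOERR;
		*bufp = p;
		*lenp *= 2;
	}
	i = strcspn(*bufp, "#\n");		/* cut at comment or newline */
	while (i > 0 && ((c = (*bufp)[i - 1]) == ' ' || c == '\t' || c == '\r'))
		i--;				/* drop trailing blanks */
	(*bufp)[i] = '\0';
	return LINE_OK;
}

/*
 * Feed a string through the reader (via tmpfile(), so plain stdio suffices)
 * and copy the non-empty entries into out[].  Returns the number of entries
 * seen, or a negative line_status on failure.
 */
static int collect_hosts(const char *input, size_t limit, char out[8][80])
{
	FILE *fp;
	char *buf = NULL;
	size_t len = 0;
	enum line_status st;
	int n = 0;

	if ((fp = tmpfile()) == NULL)
		return LINE_IOERR;
	if (fputs(input, fp) == EOF || fseek(fp, 0, SEEK_SET) != 0) {
		fclose(fp);
		return LINE_IOERR;
	}
	while ((st = read_host_line(fp, &buf, &len, limit)) == LINE_OK) {
		if (buf[0] == '\0')
			continue;		/* blank or comment-only line */
		if (n < 8)
			snprintf(out[n], 80, "%s", buf);
		n++;
	}
	free(buf);
	fclose(fp);
	return st == LINE_EOF ? n : (int)st;
}

/* Constructed sample (not a real host list): a comment line, blanks, a
 * trailing comment, a line longer than LINE_INITIAL, a last line with no '\n'. */
static const char SAMPLE_INPUT[] =
	"# constructed sample\n"
	"host1.example.com\n"
	"\n"
	"10.0.0.5   # trailing comment   \n"
	" \t \n"
	"a-host-name-longer-than-sixteen-bytes.example.com\n"
	"lastline-no-newline";
static char sample_hosts[8][80];

/* Parse SAMPLE_INPUT into sample_hosts[]; yields 4 entries. */
static int parse_sample(void)
{
	return collect_hosts(SAMPLE_INPUT, 1 << 20, sample_hosts);
}

/* A 100-byte line under a 64-byte cap is refused instead of wrapping. */
static int overlong_line_is_rejected(void)
{
	char big[102], out[8][80];
	memset(big, 'A', 100);
	strcpy(big + 100, "\n");
	return collect_hosts(big, 64, out);
}
```

The growth check (`*lenp > limit / 2`) runs before the multiplication, which is the order that matters: checking afterwards would already have produced the wrapped value the original wrapper fed to realloc().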
From: djm at mindrot.org (Damien Miller)
Date: Sun, 7 Mar 2010 08:20:02 +1100 (EST)
Subject: ssh-keyscan bug (not really exploitable)
In-Reply-To: <20100306210548.GA32662@polymnia.sshunet.nl>
References: <20100306210548.GA32662@polymnia.sshunet.nl>
Message-ID:

On Sat, 6 Mar 2010, Joachim Schipper wrote:

> ssh-keyscan may, under very specific circumstances, be vulnerable to
> something akin to a buffer overflow. It's probably impossible to
> exploit, though, if only because ssh-keyscan is not usually run on very
> large untrusted input files.

Not to mention adversarial ones.

> ssh-keyscan uses an fgets() wrapper that uses an unsigned int to keep
> track of the length of a buffer holding the current line. On machines
> with sufficient address space to hold UINT_MAX / 2 bytes, e.g. amd64,
> one can fill those bytes. The next call will be realloc(buf, 0), which
> free()s the buffer and returns a non-NULL zero-size chunk of memory. The
> program will then try to write to some point in memory about UINT_MAX /
> 2 past this newly-returned chunk.
>
> Test case:
>
> $ while true; do echo -n 'AAAAAAAAAAAAAAAA'; done | ssh-keyscan -f -
>
> I stumbled upon this a while ago; I was trying to solve
> https://bugzilla.mindrot.org/show_bug.cgi?id=1565 ("ssh-keyscan doesn't
> like comment-lines"). The patch below rips out the fgets() wrapper and
> correctly handles both comments and ridiculously long lines.

Please attach the patch to the bug if you haven't already done so.

-d

From djm at cvs.openbsd.org Mon Mar 8 13:05:58 2010
From: djm at cvs.openbsd.org (Damien Miller)
Date: Sun, 7 Mar 2010 19:05:58 -0700 (MST)
Subject: Announce: OpenSSH 5.4 released
Message-ID: <201003080205.o2825w7s012853@cvs.openbsd.org>

OpenSSH 5.4 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html

This is a major feature and bugfix release.

Changes since OpenSSH 5.3
=========================

Features:

 * After a transition period of about 10 years, this release disables
   SSH protocol 1 by default. Clients and servers that need to use the
   legacy protocol must explicitly enable it in ssh_config / sshd_config
   or on the command-line.

 * Remove the libsectok/OpenSC-based smartcard code and add support for
   PKCS#11 tokens. This support is automatically enabled on all
   platforms that support dlopen(3) and was inspired by patches written
   by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1) manpages.

 * Add support for certificate authentication of users and hosts using a
   new, minimal OpenSSH certificate format (not X.509). Certificates
   contain a public key, identity information and some validity
   constraints and are signed with a standard SSH public key using
   ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
   or via a TrustedUserCAKeys option in sshd_config(5) (for user
   authentication), or in known_hosts (for host authentication).
   Documentation for certificate support may be found in ssh-keygen(1),
   sshd(8) and ssh(1) and a description of the protocol extensions in
   PROTOCOL.certkeys.

 * Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects
   stdio on the client to a single port forward on the server. This
   allows, for example, using ssh as a ProxyCommand to route connections
   via intermediate servers. bz#1618

 * Add the ability to revoke keys in sshd(8) and ssh(1). User keys may be
   revoked using a new sshd_config(5) option "RevokedKeys". Host keys are
   revoked through known_hosts (details in the sshd(8) man page).
   Revoked keys cannot be used for user or host authentication and will
   trigger a warning if used.

 * Rewrite the ssh(1) multiplexing support to support non-blocking
   operation of the mux master, improve the resilience of the master to
   malformed messages sent to it by the slave and add support for
   requesting port-forwardings via the multiplex protocol. The new
   stdio-to-local forward mode ("ssh -W host:port ...") is also
   supported. The revised multiplexing protocol is documented in the
   file PROTOCOL.mux in the source distribution.

 * Add a 'read-only' mode to sftp-server(8) that disables open in write
   mode and all other fs-modifying protocol methods. bz#430

 * Allow setting an explicit umask on the sftp-server(8) commandline to
   override whatever default the user has. bz#1229

 * Many improvements to the sftp(1) client, many of which were
   implemented by Carlos Silva through the Google Summer of Code program:
   - Support the "-h" (human-readable units) flag for ls
   - Implement tab-completion of commands, local and remote filenames
   - Support most of scp(1)'s commandline arguments in sftp(1), as a
     first step towards making sftp(1) a drop-in replacement for scp(1).
     Note that the rarely-used "-P sftp_server_path" option has been
     moved to "-D sftp_server_path" to make way for "-P port" to match
     scp(1).
   - Add recursive transfer support for get/put and on the commandline

 * New RSA keys will be generated with a public exponent of
   RSA_F4 == (2**16)+1 == 65537 instead of the previous value 35.

 * Passphrase-protected SSH protocol 2 private keys are now protected
   with AES-128 instead of 3DES. This applies to newly-generated keys
   as well as keys that are reencrypted (e.g. by changing their
   passphrase).

Bugfixes:

 * Hold authentication debug messages until after successful
   authentication. Fixes a minor information leak of environment
   variables specified in authorized_keys if an attacker happens to
   know the public key in use.

 * When using ChrootDirectory, make sure we test for the existence of the
   user's shell inside the chroot and not outside (bz#1679)

 * Cache user and group name lookups in sftp-server using
   user_from_[ug]id(3) to improve performance on hosts where these
   operations are slow (e.g. NIS or LDAP). bz#1495

 * Fix problem that prevented passphrase reading from being interrupted
   in some circumstances; bz#1590

 * Ignore and log any Protocol 1 keys where the claimed size is not equal
   to the actual size.

 * Make HostBased authentication work with a ProxyCommand. bz#1569

 * Avoid run-time failures when specifying hostkeys via a relative path
   by prepending the current working directory in these cases. bz#1290

 * Do not prompt for a passphrase if we fail to open a keyfile, and log
   the reason why the open failed to debug. bz#1693

 * Document that the PubkeyAuthentication directive is allowed in a
   sshd_config(5) Match block. bz#1577

 * When converting keys, truncate key comments at 72 chars as per
   RFC4716. bz#1630

 * Do not allow logins if /etc/nologin exists but is not readable by the
   user logging in.

 * Output a debug log if sshd(8) can't open an existing
   authorized_keys. bz#1694

 * Quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we
   usually don't actually have a tty to read/set; bz#1686

 * Prevent sftp from crashing when given a "-" without a command. Also,
   allow whitespace to follow a "-". bz#1691

 * After sshd receives a SIGHUP, ignore subsequent HUPs while sshd
   re-execs itself. Prevents two HUPs in quick succession from resulting
   in sshd dying. bz#1692

 * Clarify in sshd_config(5) that StrictModes does not apply to
   ChrootDirectory. Permissions and ownership are always checked when
   chrooting. bz#1532

 * Set close-on-exec on various descriptors so they don't get leaked to
   child processes. bz#1643

 * Fix very rare race condition in x11/agent channel allocation: don't
   read after the end of the select read/write fdset and make sure a
   reused FD is not touched before the pre-handlers are called.

 * Fix incorrect exit status when multiplexing and channel ID 0 is
   recycled. bz#1570

 * Fail with an error when an attempt is made to connect to a server
   with ForceCommand=internal-sftp with a shell session (i.e. not a
   subsystem session). Avoids stuck client when attempting to ssh to
   such a service. bz#1606

 * Warn but do not fail if stat()ing the subsystem binary fails. This
   helps with chrootdirectory+forcecommand=sftp-server and restricted
   shells. bz#1599

 * Change "Connecting to host..." message to "Connected to host." and
   delay it until after the sftp protocol connection has been
   established. Avoids confusing sequence of messages when the
   underlying ssh connection experiences problems. bz#1588

 * Use the HostKeyAlias rather than the hostname specified on the
   commandline when prompting for passwords. bz#1039

 * Correct off-by-one in percent_expand(): we would fatal() when trying
   to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually
   work. Note that nothing in OpenSSH actually uses close to this limit
   at present. bz#1607

 * Fix passing of empty options from scp(1) and sftp(1) to the
   underlying ssh(1). Also add support for the stop option "--".

 * Fix an incorrect magic number and typo in PROTOCOL; bz#1688

 * Don't escape backslashes when displaying the SSH2 banner. bz#1533

 * Don't unnecessarily dup() the in and out fds for sftp-server. bz#1566

 * Force use of the correct hash function for random-art signature
   display as it was inheriting the wrong one when bubblebabble
   signatures were activated. bz#1611

 * Do not fall back to adding keys without constraints (ssh-add -c /
   -t ...) when the agent refuses the constrained add request. bz#1612

 * Fix a race condition in ssh-agent that could result in a wedged or
   spinning agent. bz#1633

 * Flush stdio before exec() to ensure that everything (motd in
   particular) has made it out before the streams go away. bz#1596

 * Set FD_CLOEXEC on in/out sockets in sshd(8). bz#1706

Portable OpenSSH Bugfixes:

 * Use system's kerberos principal name on AIX if it's available.
   bz#1583

 * Disable OOM-killing of the listening sshd on Linux. bz#1470

 * Use pkg-config for opensc config if it's available. bz#1160

 * Unbreak Redhat spec to allow building without askpass. bz#1677

 * If PidFile is set in sshd_config, use it in SMF init file. bz#1628

 * Print error and usage() when ssh-rand-helper is passed command-line
   arguments as none are supported. bz#1568

 * Add missing setsockopt() to set IPV6_V6ONLY for local forwarding with
   GatewayPorts=yes. bz#1648

 * Make GNOME 2 askpass dialog desktop-modal. bz#1645

 * If SELinux is enabled set the security context to "sftpd_t" before
   running the internal sftp server. bz#1637

 * Correctly check libselinux for necessary SELinux functions; bz#1713

 * Unbreak builds on Redhat using the supplied openssh.spec; bz#1731

 * Fix incorrect privilege dropping order on AIX that prevented chroot
   operation; bz#1567

 * Call aix_setauthdb/aix_restoredb at the correct times on AIX to
   prevent authentication failure; bz#1710

Checksums:
==========

 - SHA1 (openssh-5.4.tar.gz) = 1776832d902f7b4c7863afd41a5ec7a14efe95d6
 - SHA1 (openssh-5.4p1.tar.gz) = 2a3042372f08afb1415ceaec8178213276a36302

Reporting Bugs:
===============

 - Please read http://www.openssh.com/report.html
   Security bugs should be reported directly to openssh at openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.

From philipp at employees.org Sun Mar 7 14:03:28 2010
From: philipp at employees.org (Philip A. Prindeville)
Date: Sat, 06 Mar 2010 20:03:28 -0700
Subject: QoS marking for Openssh
Message-ID: <4B931780.9010200@employees.org>

I've been going over various services (sendmail, apache, thunderbird,
proftpd, cyrus, etc) trying to add QoS support.

I'm wondering if it's worth doing for Openssh, also.

Setting different priorities for ssh and scp makes sense... but
port-forwarding complicates things.

Should the QoS be copied out of the tunneled connection?

Anyone have a good idea how a connection carrying tty session traffic
(ssh itself), plus (for example) forwarded X and LPR connections should
label all 3 traffic types on the same connection?

Thanks,

-Philip

P.S. I'm not on this list so please Cc: me.

From djm at mindrot.org Tue Mar 9 10:55:41 2010
From: djm at mindrot.org (Damien Miller)
Date: Tue, 9 Mar 2010 10:55:41 +1100 (EST)
Subject: QoS marking for Openssh
In-Reply-To: <4B931780.9010200@employees.org>
References: <4B931780.9010200@employees.org>
Message-ID:

On Sat, 6 Mar 2010, Philip A. Prindeville wrote:

> I've been going over various services (sendmail, apache, thunderbird,
> proftpd, cyrus, etc) trying to add QoS support.
>
> I'm wondering if its worth doing for Openssh, also.

OpenSSH has labeled different ToS on interactive (IPTOS_LOWDELAY)
and non-interactive (IPTOS_THROUGHPUT) sessions for many years.

> Setting different priorities for ssh and scp make sense... but
> port-forwarding complicates things.
>
> Should the QoS be copied out of the tunneled connection?

No, that isn't really possible (forwarding traffic occurs on the same
TCP connection as session traffic) and probably would be pointless since
some devices look at the QoS on the first packet of a flow only.

> Anyone have a good idea how a connection carrying tty session traffic
> (ssh itself), plus (for example) forwarded X and LPR connections
> should label all 3 traffic types on the same connection?

Thanks to what I described above, there is no good answer for this.

-d

From philipp at employees.org Tue Mar 9 12:05:02 2010
From: philipp at employees.org (Philip A. Prindeville)
Date: Mon, 08 Mar 2010 18:05:02 -0700
Subject: QoS marking for Openssh
In-Reply-To:
References: <4B931780.9010200@employees.org>
Message-ID: <4B959EBE.7020100@employees.org>

On 03/08/2010 04:55 PM, Damien Miller wrote:
> On Sat, 6 Mar 2010, Philip A. Prindeville wrote:
>
>
>> I've been going over various services (sendmail, apache, thunderbird,
>> proftpd, cyrus, etc) trying to add QoS support.
>>
>> I'm wondering if its worth doing for Openssh, also.
>>
> OpenSSH has labeled different ToS on interactive (IPTOS_LOWDELAY)
> and non-interactive (IPTOS_THROUGHPUT) sessions for many years.
>

Yeah... about that... At least on linux 2.6.20 and later, I see:

        case IP_TOS:    /* This sets both TOS and Precedence */
                if (sk->sk_type == SOCK_STREAM) {
                        val &= ~3;
                        val |= inet->tos & 3;
                }
                if (inet->tos != val) {
                        inet->tos = val;
                        sk->sk_priority = rt_tos2priority(val);
                        sk_dst_reset(sk);
                }
                break;

in net/ipv4/ip_sockglue.c.

The reason for this is that the two low-order bits have been superseded
by ECN (explicit congestion notification... see RFC-3168, Section 5).

So the value 0x02, which was previously IPTOS_LOWCOST, is no longer
valid. Which implies that the rest of the IPTOS_xxxx values LOWDELAY,
THROUGHPUT, and RELIABILITY are no longer used.

In any case, RFCs 2474, 2497, and 2598 redefine the use of the bits
0xfc... which obviously clashes with 0x1e (the previous TOS mask).

What is needed to allow users to explicitly configure QoS values for
interactive and non-interactive values? Or perhaps, what's involved in
adding an option to support this (for both ssh and sshd)?

>> Setting different priorities for ssh and scp make sense... but
>> port-forwarding complicates things.
>>
>> Should the QoS be copied out of the tunneled connection?
>>
> No, that isn't really possible (forwarding traffic occurs on the same
> TCP connection as session traffic) and probably would be pointless since
> some devices look at the QoS on the first packet of a flow only.
>

This is true... alas. Which is why IPsec typically performs better in
QoS sensitive scenarios, I guess.

>> Anyone have a good idea how a connection carrying tty session traffic
>> (ssh itself), plus (for example) forwarded X and LPR connections
>> should label all 3 traffic types on the same connection?
>>
> Thanks to what I described above, there is no good answer for this.
>
> -d
>

True that. Well, having "ssh myhost" mark its traffic differently than
"scp -p foo myhost:/tmp" is still worth doing.

I'll do some digging.

Thanks,

-Philip

From vinschen at redhat.com Wed Mar 10 01:01:05 2010
From: vinschen at redhat.com (Corinna Vinschen)
Date: Tue, 9 Mar 2010 15:01:05 +0100
Subject: [PATCH/cygwin]: Fix Makefiles
Message-ID: <20100309140105.GI6505@calimero.vinschen.de>

Hi,

below is a patch which only affects Cygwin. It adds the $(EXEEXT) suffix
in calls to install, and it fixes the list of documentation files to
install into /usr/share/doc/openssh in a Cygwin installation.

Thanks,
Corinna

Index: Makefile.in =================================================================== RCS file: /cvs/openssh/Makefile.in,v retrieving revision 1.306 diff -u -p -r1.306 Makefile.in --- Makefile.in 24 Feb 2010 07:18:51 -0000 1.306 +++ Makefile.in 9 Mar 2010 13:33:06 -0000
@@ -255,20 +255,20 @@ install-files: $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8 $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir) (umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH)) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh $(DESTDIR)$(bindir)/ssh - $(INSTALL) -m 0755 $(STRIP_OPT) scp $(DESTDIR)$(bindir)/scp - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-add $(DESTDIR)$(bindir)/ssh-add - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent $(DESTDIR)$(bindir)/ssh-agent - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan $(DESTDIR)$(bindir)/ssh-keyscan - $(INSTALL) -m 0755 $(STRIP_OPT) sshd $(DESTDIR)$(sbindir)/sshd a+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) if test ! 
-z "$(INSTALL_SSH_RAND_HELPER)" ; then \ - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-rand-helper $(DESTDIR)$(libexecdir)/ssh-rand-helper ; \ + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-rand-helper$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-rand-helper$(EXEEXT) ; \ fi - $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign $(DESTDIR)$(SSH_KEYSIGN) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper $(DESTDIR)$(SSH_PKCS11_HELPER) - $(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp - $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER) + $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 Index: contrib/cygwin/Makefile =================================================================== RCS file: /cvs/openssh/contrib/cygwin/Makefile,v retrieving revision 1.5 diff -u -p -r1.5 Makefile --- contrib/cygwin/Makefile 26 Dec 2009 23:40:47 -0000 1.5 +++ contrib/cygwin/Makefile 9 Mar 2010 13:33:06 -0000 
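Review bot: the first added line of the Makefile.in hunk is posted as `a+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)`, with a stray `a` in front of the `+`, so `patch` will reject the hunk as sent; please regenerate it with a clean `cvs diff -u -p`. One smaller point: `$(SSH_KEYSIGN)`, `$(SSH_PKCS11_HELPER)` and `$(SFTP_SERVER)` are full paths supplied by configure (unlike `$(bindir)/ssh`), so appending `$(EXEEXT)` to them assumes those paths were configured without the suffix; worth checking that the compiled-in defaults for those helpers still point at the files this installs.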
@@ -42,11 +42,13 @@ install-sshdoc: $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW $(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL $(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent + $(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.agent + $(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.agent $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns $(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform $(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep - $(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard + $(INSTALL) -m 644 $(srcdir)/README.tun $(DESTDIR)$(sshdocdir)/README.privsep $(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO $(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From philipp at employees.org Wed Mar 10 11:43:52 2010 
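Review bot: the three new install lines in contrib/cygwin/Makefile copy to the wrong destination names: `$(srcdir)/PROTOCOL.certkeys` and `$(srcdir)/PROTOCOL.mux` are both installed as `$(DESTDIR)$(sshdocdir)/PROTOCOL.agent`, and `$(srcdir)/README.tun` is installed as `$(DESTDIR)$(sshdocdir)/README.privsep`, so each one overwrites the file installed on the line before it and the new documents never appear under their own names. The targets should be `.../PROTOCOL.certkeys`, `.../PROTOCOL.mux` and `.../README.tun`. Dropping the README.smartcard line is right only if that file has left the tree; if it is still shipped it should keep being installed.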
From: philipp at employees.org (Philip A. Prindeville) Date: Tue, 09 Mar 2010 17:43:52 -0700 Subject: QoS marking for Openssh In-Reply-To: References: <4B931780.9010200@employees.org> Message-ID: <4B96EB48.3030204@employees.org> Ok, so started banging on the code... Here's what I have. I'll try out the client... If someone could test the server as well that would be great. Everything builds except ssh-keyscan, which apparently doesn't define (or populate?) "options". Would be nice to not have to duplicate parse_qos().... is there somewhere we can put this and share it between readconf.o and servconf.o ? For that matter, it would be nice to have readconf.o and servconf.o be able to share common code... Also wanted to update the documentation, but couldn't figure out what the source file was that generates it... I'm thinking though that when packet.o is linked with readconf.o, then it should be: extern Options options; but when packet.o is linked with servconf.o, then it should be: extern ServerOptions options; am I wrong? Do I need to copy the value of options->use_qos[] into a static in packet.c as: u_char qos[2]; instead and use those? Thanks, -Philip P.S. Are you ever on IRC? This might go quicker over IRC... I'm philipp64 on freenode. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: openssh-qos.patch URL: From djm at mindrot.org Wed Mar 10 11:49:25 2010
From: djm at mindrot.org (Damien Miller) Date: Wed, 10 Mar 2010 11:49:25 +1100 (EST) Subject: QoS marking for Openssh In-Reply-To: <4B96EB48.3030204@employees.org> References: <4B931780.9010200@employees.org> <4B96EB48.3030204@employees.org> Message-ID: Thanks, could you please create an enhancement bug on https://bugzilla.mindrot.org and attach your patch there? I won't have a chance to do much OpenSSH hacking for a few weeks (after the mad rush of the release) so this will ensure that it doesn't get dropped. -d On Tue, 9 Mar 2010, Philip A. Prindeville wrote: > Ok, so started banging on the code... > > Here's what I have. I'll try out the client... > > If someone could test the server as well that would be great. > > Everything builds except ssh-keyscan, which apparently doesn't define > (or populate?) "options". > > Would be nice to not have to duplicate parse_qos().... is there somewhere > we can put this and share it between readconf.o and servconf.o ? For that matter, it would be nice to have readconf.o and servconf.o be > able to share common code... > > Also wanted to update the documentation, but couldn't figure out what > the source file was that generates it... > > I'm thinking though that when packet.o is linked with readconf.o, > then it should be: > > extern Options options; > > but when packet.o is linked with servconf.o, then it should be: > > extern ServerOptions options; > > am I wrong? > > Do I need to copy the value of options->use_qos[] into a static in > packet.c as: > > u_char qos[2]; > > instead and use those? > > Thanks, > > -Philip > > P.S. Are you ever on IRC? This might go quicker over IRC... I'm > philipp64 on freenode. > > > From philipp at employees.org Wed Mar 10 12:25:26 2010
From: philipp at employees.org (Philip A. Prindeville) Date: Tue, 09 Mar 2010 18:25:26 -0700 Subject: QoS marking for Openssh In-Reply-To: References: <4B931780.9010200@employees.org> <4B96EB48.3030204@employees.org> Message-ID: <4B96F506.7060106@employees.org> Well, I'll attach a fix when it's working a bit better. For now, there's no way to get code in packet.c to see the "options", and indeed packet.c is shared by sshd, ssh, and ssh-keyscan amongst other objects... So how do I get the values in "ServerOptions options" or "Options options" to be visible to packet.c cleanly? Thanks, -Philip On 03/09/2010 05:49 PM, Damien Miller wrote: > Thanks, could you please create an enhancement bug on > https://bugzilla.mindrot.org and attach your patch there? I won't have a > chance to do much OpenSSH hacking for a few weeks (after the mad rush of > the release) so this will ensure that it doesn't get dropped. > > -d > > On Tue, 9 Mar 2010, Philip A. Prindeville wrote: > > >> Ok, so started banging on the code... >> >> Here's what I have. I'll try out the client... >> >> If someone could test the server as well that would be great. >> >> Everything builds except ssh-keyscan, which apparently doesn't define >> (or populate?) "options". >> >> Would be nice to not have to duplicate parse_qos().... is there somewhere >> we can put this and share it between readconf.o and servconf.o ? For that matter, it would be nice to have readconf.o and servconf.o be >> able to share common code... >> >> Also wanted to update the documentation, but couldn't figure out what >> the source file was that generates it... >> >> I'm thinking though that when packet.o is linked with readconf.o, >> then it should be: >> >> extern Options options; >> >> but when packet.o is linked with servconf.o, then it should be: >> >> extern ServerOptions options; >> >> am I wrong? 
>> >> Do I need to copy the value of options->use_qos[] into a static in >> packet.c as: >> >> u_char qos[2]; >> >> instead and use those? >> >> Thanks, >> >> -Philip >> >> P.S. Are you ever on IRC? This might go quicker over IRC... I'm >> philipp64 on freenode. >> >> >> >> From djm at mindrot.org Wed Mar 10 12:35:42 2010 From: djm at mindrot.org (Damien Miller) Date: Wed, 10 Mar 2010 12:35:42 +1100 (EST) Subject: QoS marking for Openssh In-Reply-To: <4B96F506.7060106@employees.org> References: <4B931780.9010200@employees.org> <4B96EB48.3030204@employees.org> <4B96F506.7060106@employees.org> Message-ID: On Tue, 9 Mar 2010, Philip A. Prindeville wrote: > Well, I'll attach a fix when it's working a bit better. > > For now, there's no way to get code in packet.c to see the "options", > and indeed packet.c is shared by sshd, ssh, and ssh-keyscan amongst > other objects... > > So how do I get the values in "ServerOptions options" or "Options > options" to be visible to packet.c cleanly? perhaps make the desired QoS a second argument to packet_set_interactive() -d From philipp at employees.org Wed Mar 10 14:41:06 2010 
From: philipp at employees.org (Philip A. Prindeville) Date: Tue, 09 Mar 2010 20:41:06 -0700 Subject: QoS marking for Openssh In-Reply-To: References: <4B931780.9010200@employees.org> <4B96EB48.3030204@employees.org> <4B96F506.7060106@employees.org> Message-ID: <4B9714D2.70703@employees.org> On 03/09/2010 06:35 PM, Damien Miller wrote: > On Tue, 9 Mar 2010, Philip A. Prindeville wrote: > > >> Well, I'll attach a fix when it's working a bit better. >> >> For now, there's no way to get code in packet.c to see the "options", >> and indeed packet.c is shared by sshd, ssh, and ssh-keyscan amongst >> other objects... >> >> So how do I get the values in "ServerOptions options" or "Options >> options" to be visible to packet.c cleanly? >> > perhaps make the desired QoS a second argument to packet_set_interactive() > > -d > Yeah, that's what I concluded too... I was hoping there was a simpler way which I was missing, but there wasn't. https://bugzilla.mindrot.org/show_bug.cgi?id=1733 https://bugzilla.mindrot.org/attachment.cgi?id=1808 I've confirmed 'ssh', but not 'sshd' or 'ssh-keyscan'... From openssh at leledy.fr Tue Mar 9 20:44:17 2010 
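The exchange above is about getting two marking values (one for an interactive tty session, one for bulk transfers such as scp) from the parsed options down to the code that sets the socket, with packet_set_interactive() taking the pair as an argument. The following is an added illustration written for this page, not Philip's patch or OpenSSH code: it maps DSCP and legacy TOS keywords to the byte the IP_TOS socket option expects, parses a hypothetical two-value `UseQoS interactive bulk` directive, and applies the chosen mark to a socket. The directive name, the keyword table and the function names are assumptions made for the example.

```python
import socket

# DSCP code points (RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF) as
# 6-bit values.  The IP header carries DSCP << 2; the low two bits are ECN.
DSCP_NAMES = {
    "cs0": 0, "cs1": 8, "cs2": 16, "cs3": 24, "cs4": 32, "cs5": 40,
    "cs6": 48, "cs7": 56,
    "af11": 10, "af12": 12, "af13": 14,
    "af21": 18, "af22": 20, "af23": 22,
    "af31": 26, "af32": 28, "af33": 30,
    "af41": 34, "af42": 36, "af43": 38,
    "ef": 46,
}

# Legacy RFC 1349 TOS names, given directly as the TOS byte value.
LEGACY_TOS = {"lowdelay": 0x10, "throughput": 0x08, "reliability": 0x04, "none": 0x00}

def parse_qos(word):
    """Turn one keyword or numeric value into the byte passed to IP_TOS."""
    w = word.lower()
    if w in LEGACY_TOS:
        return LEGACY_TOS[w]
    if w in DSCP_NAMES:
        return DSCP_NAMES[w] << 2
    val = int(w, 0)          # bare number, decimal or 0x-prefixed, is a raw TOS byte
    if not 0 <= val <= 255:
        raise ValueError("TOS value out of range: %s" % word)
    return val

def parse_use_qos(line):
    """Parse a hypothetical 'UseQoS <interactive> [<bulk>]' directive.
    Returns (interactive_tos, bulk_tos); a single value applies to both."""
    parts = line.split()
    if not parts or parts[0].lower() != "useqos" or len(parts) not in (2, 3):
        raise ValueError("expected: UseQoS <interactive> [<bulk>]")
    interactive = parse_qos(parts[1])
    bulk = parse_qos(parts[2]) if len(parts) == 3 else interactive
    return interactive, bulk

def set_interactive(sock, interactive, qos):
    """Analogue of packet_set_interactive() taking the QoS pair as an argument.
    Every channel (tty, forwarded X, forwarded ports) shares this one TCP
    connection, so the mark describes the session as a whole; and as noted
    in the thread, some devices classify on the first packet of a flow only,
    so a mark changed mid-connection may not be honoured downstream."""
    tos = qos[0] if interactive else qos[1]
    if sock.family == socket.AF_INET:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
    elif sock.family == socket.AF_INET6 and hasattr(socket, "IPV6_TCLASS"):
        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_TCLASS, tos)
    return tos

if __name__ == "__main__":
    qos = parse_use_qos("UseQoS af21 cs1")   # 0x48 for the tty session, 0x20 for bulk
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    set_interactive(s, True, qos)
    print("TOS now", hex(s.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)))
    s.close()
```

Running the module sets the mark on an unconnected socket and reads it back; the option applies to every packet sent afterwards, which is why the thread concludes that a per-channel marking on one connection has no good answer.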
From: openssh at leledy.fr (Philippe Lelédy) Date: Tue, 09 Mar 2010 09:44:17 +0000 Subject: sshd version OpenSSH_5.4p1 fails on OpenBSD 4.2 GENERIC macppc Message-ID: <4B961871.2010208@leledy.fr> Because OpenSSH_5.4 doesn't build on my OpenBSD 4.2 box, I tried OpenSSH_5.4p1 which builds and installs fine. After starting server with sudo /opt/sbin/sshd -p 2222 -d, my ssh client can connect, but the session is closed by server as soon as it is started: [...] User child is on pid 10318 debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_global_request: rtype no-more-sessions at openssh.com want_reply 0 debug1: server_input_channel_req: channel 0 request pty-req reply 1 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. debug1: session_new: session 0 mm_send_fd: sendmsg(7): Invalid argument mm_answer_pty: send fds failed debug1: do_cleanup debug1: session_pty_cleanup: session 0 release /dev/ttyp2 I acknowledge that OpenSSH_5.4p1 is for everything but OpenBSD and that I'd better upgrade to the latest OpenBSD version. Ph.L. From djm at mindrot.org Wed Mar 10 21:58:10 2010
From: djm at mindrot.org (Damien Miller) Date: Wed, 10 Mar 2010 21:58:10 +1100 (EST) Subject: sshd version OpenSSH_5.4p1 fails on OpenBSD 4.2 GENERIC macppc In-Reply-To: <4B961871.2010208@leledy.fr> References: <4B961871.2010208@leledy.fr> Message-ID: On Tue, 9 Mar 2010, Philippe Lelédy wrote: > Because OpenSSH_5.4 doesn't build on my OpenBSD 4.2 box, I tried OpenSSH_5.4p1 > which builds and installs fine. > > After starting server with sudo /opt/sbin/sshd -p 2222 -d, my ssh client can > connect, but the session is closed by server as soon as it is started: > > [...] > User child is on pid 10318 > debug1: Entering interactive session for SSH2. > debug1: server_init_dispatch_20 > debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384 > debug1: input_session_request > debug1: channel 0: new [server-session] > debug1: session_new: session 0 > debug1: session_open: channel 0 > debug1: session_open: session 0: link with channel 0 > debug1: server_input_channel_open: confirm session > debug1: server_input_global_request: rtype no-more-sessions at openssh.com > want_reply 0 > debug1: server_input_channel_req: channel 0 request pty-req reply 1 > debug1: session_by_channel: session 0 channel 0 > debug1: session_input_channel_req: session 0 req pty-req > debug1: Allocating pty. > debug1: session_new: session 0 > mm_send_fd: sendmsg(7): Invalid argument > mm_answer_pty: send fds failed Older OpenBSD have a kernel bug in fd passing, you might try this patch to work around it: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openbsd43_4.9.patch -d From imorgan at nas.nasa.gov Thu Mar 11 06:21:33 2010
From: imorgan at nas.nasa.gov (Iain Morgan) Date: Wed, 10 Mar 2010 11:21:33 -0800 Subject: Wrong version number in contrib/suse/openssh/.spec Message-ID: <20100310192133.GM17027@linux55.nas.nasa.gov> Hi, It's a bit late since the release has already been cut, but I just noticed that the version number in contrib/suse/openssh.spec did not get cranked. The other .spec files look okay. -- Iain Morgan From tim at multitalents.net Thu Mar 11 11:14:23 2010 From: tim at multitalents.net (Tim Rice) Date: Wed, 10 Mar 2010 16:14:23 -0800 (PST) Subject: Wrong version number in contrib/suse/openssh/.spec In-Reply-To: <20100310192133.GM17027@linux55.nas.nasa.gov> References: <20100310192133.GM17027@linux55.nas.nasa.gov> Message-ID: On Wed, 10 Mar 2010, Iain Morgan wrote: > Hi, > > It's a bit late since the release has already been cut, but I just > noticed that the version number in contrib/suse/openssh.spec did not get > cranked. The other .spec files look okay. Thanks for the report. I see how Damien missed it. I almost didn't find it. Updated in CVS. -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From vinschen at redhat.com Fri Mar 12 01:56:36 2010
From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 11 Mar 2010 15:56:36 +0100 Subject: Announce: OpenSSH 5.4 released In-Reply-To: <201003080205.o2825w7s012853@cvs.openbsd.org> References: <201003080205.o2825w7s012853@cvs.openbsd.org> Message-ID: <20100311145636.GA31811@calimero.vinschen.de> On Mar 7 19:05, Damien Miller wrote: > > OpenSSH 5.4 has just been released. It will be available from the > mirrors listed at http://www.openssh.com/ shortly. There appears to be a new bug in OpenSSH affecting the sshd_config setting AuthorizedKeysFile. The default entry in sshd_config is commented out: #AuthorizedKeysFile .ssh/authorized_keys Now, if you remove the # and restart sshd, it's suddenly impossible to login with public key authentication. Running sshd in debugging mode shows entries like these: temporarily_use_uid: 500/513 (e=1105/513) trying public key file //.ssh/authorized_keys restore_uid: 1105/513 temporarily_use_uid: 500/513 (e=1105/513) trying public key file //.ssh/authorized_keys restore_uid: 1105/513 Failed publickey for some_user from 192.168.77.88 port 2864 ssh2 Note the paths to the authorized_keys file, which is not the user home directory, but the root directory instead. Either commenting out the AuthorizedKeysFile directive in sshd_config, or replacing it with AuthorizedKeysFile %h/.ssh/authorized_keys fixes the issue. It seems that the handling of the path as relative to the user's home directory has gone missing. I don't see any comment in the release announcement, nor is there a change in the sshd_config man page which points to a planned change in AuthorizedKeysFile semantics. Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From vinschen at redhat.com Fri Mar 12 03:17:37 2010 
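To make the failure mode in the report concrete, here is an added example (written for this page, not OpenSSH code) that resolves an AuthorizedKeysFile value the two ways the report distinguishes: anchoring a relative name against the daemon's working directory, which yields exactly the `//.ssh/authorized_keys` seen in the debug output when sshd runs with cwd `/`, versus expanding `%h` and `%u` first and then anchoring anything still relative under the user's home directory, which is the behaviour the report expects. The function names and the sample user record are made up for the illustration.

```python
import os.path

def percent_expand(template, home, user):
    """Expand the %h (home directory), %u (user name) and %% tokens that
    sshd_config documents for AuthorizedKeysFile."""
    out = []
    i = 0
    while i < len(template):
        c = template[i]
        if c == "%" and i + 1 < len(template):
            t = template[i + 1]
            if t == "h":
                out.append(home)
            elif t == "u":
                out.append(user)
            elif t == "%":
                out.append("%")
            else:
                raise ValueError("unknown expansion %%%s" % t)
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)

def derelativise_against_cwd(path, cwd):
    """The behaviour seen in the report: a relative name is glued onto the
    process working directory at parse time.  With cwd '/' the default
    '.ssh/authorized_keys' becomes '//.ssh/authorized_keys', which is
    looked up in the root directory for every user."""
    if path.startswith("/"):
        return path
    return cwd + "/" + path

def authorized_keys_path(template, home, user):
    """Expected semantics: expand % tokens, then anchor a path that is still
    relative under the user's home directory, never under sshd's cwd."""
    path = percent_expand(template, home, user)
    if path.startswith("/"):
        return os.path.normpath(path)
    return os.path.normpath(os.path.join(home, path))

if __name__ == "__main__":
    # Constructed sample user, not taken from the report.
    home, user = "/home/some_user", "some_user"
    for tmpl in (".ssh/authorized_keys", "%h/.ssh/authorized_keys", "/etc/ssh/keys/%u"):
        print("%-28s cwd-anchored: %-32s home-anchored: %s" % (
            tmpl, derelativise_against_cwd(tmpl, "/"), authorized_keys_path(tmpl, home, user)))
```

The report's two workarounds both fall out of this: commenting the directive out restores the built-in default, and writing `%h/.ssh/authorized_keys` makes the path absolute before any cwd-based anchoring can touch it.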
From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 11 Mar 2010 17:17:37 +0100 Subject: Announce: OpenSSH 5.4 released In-Reply-To: <12FF1C857C510C43BA8B1B028B69AD520E5AA469@HICGWSEX01.ad.harman.com> References: <20100311145636.GA31811@calimero.vinschen.de> <12FF1C857C510C43BA8B1B028B69AD520E5AA469@HICGWSEX01.ad.harman.com> Message-ID: <20100311161737.GA10000@calimero.vinschen.de> On Mar 11 10:12, Hu, Eric wrote: > Another complication (also possibly related, but also possibly not) > I'm seeing is different behavior when using public key authentication > and password authentication. The former results in a very limited > bash shell. PATH is set, but programs can't be executed, arrow and > backspace keys don't work, things like that. Password authentication > works just as it had before. On version 5.1, both methods yielded the > same shell. Works fine for me. This is rather a Cygwin problem due to the setup using the latest Cygwin 1.7.1. Please move the discussion to the Cygwin mailing list. Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From eric.hu at harman.com Fri Mar 12 03:12:17 2010 From: eric.hu at harman.com (Hu, Eric) Date: Thu, 11 Mar 2010 10:12:17 -0600 Subject: Announce: OpenSSH 5.4 released In-Reply-To: <20100311145636.GA31811@calimero.vinschen.de> Message-ID: <12FF1C857C510C43BA8B1B028B69AD520E5AA469@HICGWSEX01.ad.harman.com> > -----Original Message----- 
> From: openssh-unix-dev-bounces+eric.hu=harman.com at mindrot.org > [mailto:openssh-unix-dev-bounces+eric.hu=harman.com at mindrot.org] On Behalf > Of Corinna Vinschen > Sent: Thursday, March 11, 2010 6:57 AM > To: openssh-unix-dev at mindrot.org > Subject: Re: Announce: OpenSSH 5.4 released > > On Mar 7 19:05, Damien Miller wrote: > > > > OpenSSH 5.4 has just been released. It will be available from the > > mirrors listed at http://www.openssh.com/ shortly. > > There appears to be a new bug in OpenSSH affecting the sshd_config > setting AuthorizedKeysFile. > > The default entry in sshd_config is commented out: > > #AuthorizedKeysFile .ssh/authorized_keys > > Now, if you remove the # and restart sshd, it's suddenly impossible > to login with public key authentication. Running sshd in debugging > mode shows entries like these: > > temporarily_use_uid: 500/513 (e=1105/513) > trying public key file //.ssh/authorized_keys > restore_uid: 1105/513 > temporarily_use_uid: 500/513 (e=1105/513) > trying public key file //.ssh/authorized_keys > restore_uid: 1105/513 > Failed publickey for some_user from 192.168.77.88 port 2864 ssh2 > > Note the paths to the authorized_keys file, which is not the > user home directory, but the root directory instead. Either > commenting out the AuthorizedKeysFile directive in sshd_config, > or replacing it with > > AuthorizedKeysFile %h/.ssh/authorized_keys > > fixes the issue. It seems that the handling of the path as relative to > the user's home directory has gone missing. I don't see any comment in > the release announcement, nor is there a change in the sshd_config man > page which points to a planned change in AuthorizedKeysFile semantics. 
> > Corinna > > -- > Corinna Vinschen > Cygwin Project Co-Leader > Red Hat > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev I saw this and was able to fix by prepending "%h" as well. In addition, a possibly related odd behavior with respect to ForceCommand that I'm seeing is that a command that was working is now showing the following on the server side in debug mode: debug1: Forced command (config) './tunnel.sh' debug2: fd 3 setting TCP_NODELAY debug2: channel 0: rfd 8 isatty debug2: fd 8 setting O_NONBLOCK debug2: fd 6 setting O_NONBLOCK debug1: Received SIGCHLD. debug1: session_by_pid: pid 1328 debug1: session_exit_message: session 0 channel 0 pid 1328 and telling the client "./tunnel.sh: No such file or directory." This was working fine with 5.1 (previously used version, hadn't upgraded in a while). The file "tunnel.sh" is in the user's home directory and the privileges have not changed from when it worked. Another complication (also possibly related, but also possibly not) I'm seeing is different behavior when using public key authentication and password authentication. The former results in a very limited bash shell. PATH is set, but programs can't be executed, arrow and backspace keys don't work, things like that. Password authentication works just as it had before. On version 5.1, both methods yielded the same shell. Eric From philipp at employees.org Fri Mar 12 06:51:14 2010
From: philipp at employees.org (Philip A. Prindeville) Date: Thu, 11 Mar 2010 12:51:14 -0700 Subject: QoS marking for Openssh In-Reply-To: References: <4B931780.9010200@employees.org> <4B96EB48.3030204@employees.org> Message-ID: <4B9949B2.6040708@employees.org> BTW: there are certain options that should only appear "system-wide" (i.e. in /etc/ssh/ssh_config or sshd_config)... but should not be allowed in ~/.ssh config files. Should read_config_file() and process_config_line() take an extra argument that specifies whether they are processing _PATH_HOST_CONFIG_FILE or the user's config file? Should "keywords[]" in readconf.c also contain a flag that tells us whether this option is permissible in both the system-wide and per-user profiles? On 03/09/2010 05:49 PM, Damien Miller wrote: > Thanks, could you please create an enhancement bug on > https://bugzilla.mindrot.org and attach your patch there? I won't have a > chance to do much OpenSSH hacking for a few weeks (after the mad rush of > the release) so this will ensure that it doesn't get dropped. > > -d > > On Tue, 9 Mar 2010, Philip A. Prindeville wrote: > > >> Ok, so started banging on the code... >> >> Here's what I have. I'll try out the client... >> >> If someone could test the server as well that would be great. >> >> Everything builds except ssh-keyscan, which apparently doesn't define >> (or populate?) "options". >> >> Would be nice to not have to duplicate parse_qos().... is there somewhere >> we can put this and share it between readconf.o and servconf.o ? For that matter, it would be nice to have readconf.o and servconf.o be >> able to share common code... >> >> Also wanted to update the documentation, but couldn't figure out what >> the source file was that generates it... 
>> >> I'm thinking though that when packet.o is linked with readconf.o, >> then it should be: >> >> extern Options options; >> >> but when packet.o is linked with servconf.o, then it should be: >> >> extern ServerOptions options; >> >> am I wrong? >> >> Do I need to copy the value of options->use_qos[] into a static in >> packet.c as: >> >> u_char qos[2]; >> >> instead and use those? >> >> Thanks, >> >> -Philip >> >> P.S. Are you ever on IRC? This might go quicker over IRC... I'm >> philipp64 on freenode. >> >> >> >> From djm at mindrot.org Fri Mar 12 10:45:48 2010
From: djm at mindrot.org (Damien Miller) Date: Fri, 12 Mar 2010 10:45:48 +1100 (EST) Subject: Announce: OpenSSH 5.4 released In-Reply-To: <20100311145636.GA31811@calimero.vinschen.de> References: <201003080205.o2825w7s012853@cvs.openbsd.org> <20100311145636.GA31811@calimero.vinschen.de> Message-ID: On Thu, 11 Mar 2010, Corinna Vinschen wrote: > On Mar 7 19:05, Damien Miller wrote: > > > > OpenSSH 5.4 has just been released. It will be available from the > > mirrors listed at http://www.openssh.com/ shortly. > > There appears to be a new bug in OpenSSH affecting the sshd_config > setting AuthorizedKeysFile. > > The default entry in sshd_config is commented out: > > #AuthorizedKeysFile .ssh/authorized_keys > > Now, if you remove the # and restart sshd, it's suddenly impossible > to login with public key authentication. Running sshd in debugging > mode shows entries like these: > > temporarily_use_uid: 500/513 (e=1105/513) > trying public key file //.ssh/authorized_keys > restore_uid: 1105/513 > temporarily_use_uid: 500/513 (e=1105/513) > trying public key file //.ssh/authorized_keys > restore_uid: 1105/513 > Failed publickey for some_user from 192.168.77.88 port 2864 ssh2 Confirmed. Here is a patch: Index: servconf.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/servconf.c,v retrieving revision 1.204 diff -u -p -r1.204 servconf.c --- servconf.c 4 Mar 2010 10:36:03 -0000 1.204 +++ servconf.c 11 Mar 2010 23:45:26 -0000 
@@ -1180,7 +1180,17 @@ process_server_config_line(ServerOptions charptr = (opcode == sAuthorizedKeysFile) ? &options->authorized_keys_file : &options->authorized_keys_file2; - goto parse_filename; + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: missing file name.", + filename, linenum); + if (*activep && *charptr == NULL) { + *charptr = derelativise_path(arg); + /* increase optional counter */ + if (intptr != NULL) + *intptr = *intptr + 1; + } + break; case sClientAliveInterval: intptr = &options->client_alive_interval; From tim at multitalents.net Fri Mar 12 17:36:32 2010 From: tim at multitalents.net (Tim Rice) Date: Thu, 11 Mar 2010 22:36:32 -0800 (PST) Subject: [PATCH/cygwin]: Fix Makefiles In-Reply-To: <20100309140105.GI6505@calimero.vinschen.de> References: <20100309140105.GI6505@calimero.vinschen.de> Message-ID: On Tue, 9 Mar 2010, Corinna Vinschen wrote: > Hi, > > below is a patch which only affects Cygwin. It adds the $(EXEEXT) > suffix in calls to install, and it fixes the list of documentation files > to install into /usr/share/doc/openssh in a Cygwin installation. Patch applied. Thanks. -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From vinschen at redhat.com Fri Mar 12 21:29:36 2010 
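Review bot: the replacement body in this servconf.c hunk is the same code that follows the `parse_filename` label it used to jump to, including `*charptr = derelativise_path(arg);`, so the hunk does not change behaviour. The reported path `//.ssh/authorized_keys` is the daemon's working directory (`/`) joined to the configured relative name, which is what derelativise_path() does at parse time; since AuthorizedKeysFile is relative to the user's home directory (the `%h` form in the report works for that reason), this option should be stored as written and resolved against pw->pw_dir where the file is opened, not anchored to sshd's cwd.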
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 12 Mar 2010 11:29:36 +0100 Subject: Announce: OpenSSH 5.4 released In-Reply-To: References: <201003080205.o2825w7s012853@cvs.openbsd.org> <20100311145636.GA31811@calimero.vinschen.de> Message-ID: <20100312102936.GA23426@calimero.vinschen.de> Hi Damien, On Mar 12 10:45, Damien Miller wrote: > On Thu, 11 Mar 2010, Corinna Vinschen wrote: > > There appears to be a new bug in OpenSSH affecting the sshd_config > > setting AuthorizedKeysFile. > > > > The default entry in sshd_config is commented out: > > > > #AuthorizedKeysFile .ssh/authorized_keys > > > > Now, if you remove the # and restart sshd, it's suddenly impossible > > to login with public key authentication. Running sshd in debugging > > mode shows entries like these: > > > > temporarily_use_uid: 500/513 (e=1105/513) > > trying public key file //.ssh/authorized_keys > > restore_uid: 1105/513 > > temporarily_use_uid: 500/513 (e=1105/513) > > trying public key file //.ssh/authorized_keys > > restore_uid: 1105/513 > > Failed publickey for some_user from 192.168.77.88 port 2864 ssh2 > > Confirmed. Here is a patch: Thanks for the patch, but, erm... is that really the right patch you sent me there? The code which replaces the `goto parse_filename' is *exactly* identical to the code running after the parse_filename label. It would have been a surprise if that had actually changed the behaviour and, in fact, it didn't. I'm also a bit puzzled about the revision number of servconf.c. It's 1.204, but `cvs stat servconf.c' shows a revision number of 1.199 for me. Do you work in a repository with changes not in the public repository? Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From vinschen at redhat.com Fri Mar 12 21:29:53 2010
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 12 Mar 2010 11:29:53 +0100 Subject: [PATCH/cygwin]: Fix Makefiles In-Reply-To: References: <20100309140105.GI6505@calimero.vinschen.de> Message-ID: <20100312102953.GB23426@calimero.vinschen.de> On Mar 11 22:36, Tim Rice wrote: > On Tue, 9 Mar 2010, Corinna Vinschen wrote: > > > Hi, > > > > below is a patch which only affects Cygwin. It adds the $(EXEEXT) > > suffix in calls to install, and it fixes the list of documentation files > > to install into /usr/share/doc/openssh in a Cygwin installation. > > Patch applied. > Thanks. Thank you! Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From 1.41421 at gmail.com Sat Mar 13 04:11:09 2010 From: 1.41421 at gmail.com (JCA) Date: Fri, 12 Mar 2010 10:11:09 -0700 Subject: Is this a bug in 5.4p1? Message-ID: I am testing with a 5.4p1 client and have noticed, on the server side, that sometimes an SSH_MSG_DISCONNECT message is received with the following 28-byte long payload: 0x00 0x00 0x00 0x0b Reason: SSH_DISCONNECT_BY_APPLICATION 0x00 0x00 0x00 0x14 Description string length: 20 bytes 0x64 0x69 0x73 0x63 0x6f 0x6e 0x6e 0x65 Description string: disconnected by user 0x63 0x74 0x65 0x64 0x20 0x62 0x79 0x20 0x75 0x73 0x65 0x72 Is this not incomplete? In RFC 4253, section 11.1, the payload for this message is defined to be uint32 reason code string description in ISO-10646 UTF-8 encoding [RFC3629] string language tag [RFC3066] Is it the case that if the sender does not want to use a language tag it can omit the language string altogether, or must one still send an empty string - i.e. a sequence of four bytes all set to zero? From djm at mindrot.org Sat Mar 13 07:23:05 2010 
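As an added example that is not part of the thread or of OpenSSH, the following encodes an SSH_MSG_DISCONNECT payload as RFC 4253 section 11.1 defines it and decodes one strictly, so that the 28-byte payload quoted in the question is rejected as truncated (the language tag is a required string; an empty one is four zero bytes), while the 32-byte form carrying the empty tag parses. The constructed `TRUNCATED_PAYLOAD` reproduces the byte dump from the message; the function names are this example's own.

```python
import struct

SSH_MSG_DISCONNECT = 1
SSH_DISCONNECT_BY_APPLICATION = 11

def ssh_string(b):
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def build_disconnect(reason, description, language=""):
    """Payload after the message-type byte:
         uint32  reason code
         string  description in ISO-10646 UTF-8
         string  language tag (RFC 3066), empty if the sender has none."""
    return (struct.pack(">I", reason)
            + ssh_string(description.encode("utf-8"))
            + ssh_string(language.encode("ascii")))

def _take_string(buf, off):
    """Read one RFC 4251 string at offset off; raise on a short buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated: no string length at offset %d" % off)
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated: string claims %d bytes, %d left" % (n, len(buf) - off))
    return buf[off:off + n], off + n

def parse_disconnect(payload):
    """Strict decoder: all three fields must be present and nothing may trail."""
    if len(payload) < 4:
        raise ValueError("truncated: missing reason code")
    (reason,) = struct.unpack_from(">I", payload, 0)
    desc, off = _take_string(payload, 4)
    lang, off = _take_string(payload, off)
    if off != len(payload):
        raise ValueError("%d trailing bytes after language tag" % (len(payload) - off))
    return reason, desc.decode("utf-8"), lang.decode("ascii")

def is_well_formed(payload):
    try:
        parse_disconnect(payload)
        return True
    except ValueError:
        return False

# Constructed from the dump in the question: reason 11, a 20-byte
# description and no language tag, 28 bytes in total.
TRUNCATED_PAYLOAD = (bytes.fromhex("0000000b")
                     + bytes.fromhex("00000014")
                     + b"disconnected by user")

if __name__ == "__main__":
    print("as observed:", len(TRUNCATED_PAYLOAD), "bytes, well-formed:", is_well_formed(TRUNCATED_PAYLOAD))
    fixed = build_disconnect(SSH_DISCONNECT_BY_APPLICATION, "disconnected by user")
    print("with empty tag:", len(fixed), "bytes, parses as", parse_disconnect(fixed))
```

A peer that decodes leniently will accept the short form, which is why the omission goes unnoticed in normal use; a strict decoder like this one is the check to run against a capture when a disconnect looks wrong.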
From: djm at mindrot.org (Damien Miller) Date: Sat, 13 Mar 2010 07:23:05 +1100 (EST) Subject: Is this a bug in 5.4p1? In-Reply-To: References: Message-ID: On Fri, 12 Mar 2010, JCA wrote: > I am testing with a 5.4p1 client and have noticed, on the server > side, that sometimes an SSH_MSG_DISCONNECT message is received with > the following 28-byte long payload: > > 0x00 0x00 0x00 0x0b > Reason: SSH_DISCONNECT_BY_APPLICATION > 0x00 0x00 0x00 0x14 > Description string length: 20 bytes > 0x64 0x69 0x73 0x63 0x6f 0x6e 0x6e 0x65 > Description string: disconnected by user > 0x63 0x74 0x65 0x64 0x20 0x62 0x79 0x20 > 0x75 0x73 0x65 0x72 > > Is this not incomplete? Yes, this is a bug. Here's a patch: Index: clientloop.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v retrieving revision 1.218 diff -u -p -r1.218 clientloop.c --- clientloop.c 28 Jan 2010 00:21:18 -0000 1.218 +++ clientloop.c 12 Mar 2010 20:22:14 -0000 @@ -1472,6 +1472,7 @@ client_loop(int have_pty, int escape_cha packet_start(SSH2_MSG_DISCONNECT); packet_put_int(SSH2_DISCONNECT_BY_APPLICATION); packet_put_cstring("disconnected by user"); + packet_put_cstring(""); /* language tag */ packet_send(); packet_write_wait(); } From philipp at employees.org Sun Mar 14 04:56:57 2010 
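Review bot: the added `packet_put_cstring("");` is the right fix for RFC 4253 section 11.1: the reported 28-byte payload is 4 bytes of reason code, a 4-byte length and the 20-byte description, so the empty language tag supplies the four zero bytes that were missing. Worth grepping the tree for every other place that builds SSH2_MSG_DISCONNECT by hand to confirm each one sends the third string as well.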
From: philipp at employees.org (Philip A. Prindeville) Date: Sat, 13 Mar 2010 10:56:57 -0700 Subject: QoS marking for Openssh In-Reply-To: <4B9949B2.6040708@employees.org> References: <4B931780.9010200@employees.org> <4B96EB48.3030204@employees.org> <4B9949B2.6040708@employees.org> Message-ID: <4B9BD1E9.9000906@employees.org> Ok, fixed. This stops the user from having UseQoS directives in his ~/.ssh/config file. On 03/11/2010 12:51 PM, Philip A. Prindeville wrote: > BTW: there are certain options that should only appear "system-wide" > (i.e. in /etc/ssh/ssh_config or sshd_config)... but should not be > allowed in ~/.ssh config files. > > Should read_config_file() and process_config_line() take an extra > argument that specifies whether they are processing > _PATH_HOST_CONFIG_FILE or the user's config file? > > Should "keywords[]" in readconf.c also contain a flag that tells us > whether this option is permissible in both the system-wide and per-user > profiles? > -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: openssh-qos.patch URL: From yingyuan.cheng at gmail.com Sun Mar 14 19:48:10 2010 
From: yingyuan.cheng at gmail.com (yingyuan cheng) Date: Sun, 14 Mar 2010 16:48:10 +0800 Subject: Is there any way to hook the point when channel port listener accepts a new connection? In-Reply-To: <74C3A21052A4C5B3A199791B@nimrod.local> References: <1c2183ae1001211718t7c962cb8w894e59939a09bdb3@mail.gmail.com> <20100122062435.3450.qmail@stuge.se> <1c2183ae1001212315n399121d1p7cd5814278d176b9@mail.gmail.com> <20100122072233.11781.qmail@stuge.se> <1c2183ae1001212332i18361135t7d5cf879f5950634@mail.gmail.com> <74C3A21052A4C5B3A199791B@nimrod.local> Message-ID: <1c2183ae1003140048x1fdfa25che76c85fb9f3dcdb5@mail.gmail.com> I think one system account for hundreds of virtual users may be useful, so I made some modifications to the source code, and now it seems to be working. To set it up, add the following line to your sshd_config: AuthUserFile /path/to/virtual/user/file Then in the file /path/to/virtual/user/file, add your favorite users: virtual_username_1:sys_username_1:md5_hashed_password virtual_username_2:sys_username_1:md5_hashed_password virtual_username_3:sys_username_1:md5_hashed_password ... What about my idea? 2010/1/22 Alex Bligh: > I think the easiest way to do this is to give them all the same > system account (UID), but to give them all different public My modifications: diff -ru openssh-5.3p1/auth-passwd.c openssh-5.3p1.new/auth-passwd.c --- openssh-5.3p1/auth-passwd.c 2009-03-08 08:40:28.000000000 +0800 +++ openssh-5.3p1.new/auth-passwd.c 2010-03-14 14:51:09.000000000 +0800 @@ -44,6 +44,7 @@ #include #include #include +#include #include "packet.h" #include "buffer.h"
@@ -86,6 +87,21 @@ static int expire_checked = 0; #endif + if (authctxt->ruser) { /* auth from user file */ + const char *hexes = "0123456789abcdef"; + unsigned char digest[16]; + char md5str[32]; + int i; + + MD5(password, strlen(password), digest); + for (i = 0; i < 16; i++) { + md5str[2*i] = hexes[digest[i]>>4]; + md5str[2*i+1] = hexes[digest[i]&0xF]; + } + md5str[2*i] = '\0'; + return (0 == strcmp(md5str, pw->pw_passwd)); + } + #ifndef HAVE_CYGWIN if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) ok = 0; diff -ru openssh-5.3p1/auth.c openssh-5.3p1.new/auth.c --- openssh-5.3p1/auth.c 2008-11-05 13:12:54.000000000 +0800 +++ openssh-5.3p1.new/auth.c 2010-03-14 13:13:18.000000000 +0800 @@ -81,6 +81,8 @@ Buffer auth_debug; int auth_debug_init; +static struct passwd* getpwnam_from_file(const char *user, const char *file); + /* * Check if the user is allowed to log in via ssh. If user is listed * in DenyUsers or one of user's groups is listed in DenyGroups, false @@ -526,6 +528,8 @@ get_canonical_hostname(options.use_dns), get_remote_ipaddr()); pw = getpwnam(user); + if (pw == NULL && options.auth_user_file) + pw = getpwnam_from_file(user, options.auth_user_file); if (pw == NULL) { logit("Invalid user %.100s from %.100s", user, get_remote_ipaddr()); 
@@ -620,3 +624,55 @@ return (&fake); } + +static struct passwd* getpwnam_from_file(const char *user, const char *file) +{ +#define LINELEN 1024 + char line[LINELEN]; + char *u, *ru, *p, *ptr; + int s, lineno; + FILE *fp; + struct passwd *pw = NULL; + + if ((fp = fopen(file, "rb")) == NULL) { + logit("cannot open auth user file '%s'", file); + return 0; + } + s = strlen(user); + lineno = 0; + while (fgets(line, LINELEN, fp)) { + lineno++; + + /* ruser:user:passwd */ + ru = line; + while (*ru && isspace(*ru)) ru++; + if (0 == strncmp(ru,user,s) && *(ru+s) == ':') + { + u = ru + s; + *u++ = '\0'; + p = u; + while (*p && *p!=':') p++; + if (*p != ':') { + logit("cannot get user delim in '%s' line %d",file,lineno); + break; + } + *p++ = '\0'; + ptr = p; + while (*ptr && !isspace(*ptr)) ptr++; + *ptr = '\0'; + + pw = getpwnam(u); + if (!pw) { + logit("cannot get pw of user '%s'", u); + break; + } + debug("ruser '%s',user '%s',passwd '%s'", ru, u, p); + break; + } + } + fclose(fp); + if (pw) { + pw->pw_passwd = xstrdup(p); + } + return pw; +} diff -ru openssh-5.3p1/auth.h openssh-5.3p1.new/auth.h --- openssh-5.3p1/auth.h 2008-11-05 13:20:46.000000000 +0800 +++ openssh-5.3p1.new/auth.h 2010-03-13 12:30:07.000000000 +0800 @@ -55,6 +55,7 @@ int failures; int force_pwchange; char *user; /* username sent by the client */ + char *ruser; /* real username */ char *service; struct passwd *pw; /* set if 'valid' */ char *style; diff -ru openssh-5.3p1/auth2.c openssh-5.3p1.new/auth2.c --- openssh-5.3p1/auth2.c 2009-06-22 14:11:07.000000000 +0800 +++ openssh-5.3p1.new/auth2.c 2010-03-14 13:05:59.000000000 +0800 
@@ -233,7 +233,13 @@ if (authctxt->attempt++ == 0) { /* setup auth context */ authctxt->pw = PRIVSEP(getpwnamallow(user)); - authctxt->user = xstrdup(user); + if (authctxt->pw && 0 != strcmp(user, authctxt->pw->pw_name)) { + authctxt->user = xstrdup(authctxt->pw->pw_name); + authctxt->ruser = xstrdup(user); + } else { + authctxt->user = xstrdup(user); + } + if (authctxt->pw && strcmp(service, "ssh-connection")==0) { authctxt->valid = 1; debug2("input_userauth_request: setting up authctxt for %s", user); @@ -255,7 +261,8 @@ if (use_privsep) mm_inform_authserv(service, style); userauth_banner(); - } else if (strcmp(user, authctxt->user) != 0 || + } else if ((strcmp(user, authctxt->user) != 0 && authctxt->ruser && + strcmp(user, authctxt->ruser) != 0) || strcmp(service, authctxt->service) != 0) { packet_disconnect("Change of username or service not allowed: " "(%s,%s) -> (%s,%s)", @@ -279,6 +286,7 @@ m = authmethod_lookup(method); if (m != NULL && authctxt->failures < options.max_authtries) { debug2("input_userauth_request: try method %s", method); + debug2("pw %s", authctxt->pw->pw_passwd); authenticated = m->userauth(authctxt); } userauth_finish(authctxt, authenticated, method); @@ -404,4 +412,3 @@ name ? name : "NULL"); return NULL; } - diff -ru openssh-5.3p1/monitor.c openssh-5.3p1.new/monitor.c --- openssh-5.3p1/monitor.c 2009-06-21 16:58:46.000000000 +0800 +++ openssh-5.3p1.new/monitor.c 2010-03-14 12:58:37.000000000 +0800 
@@ -641,8 +641,13 @@ username = buffer_get_string(m, NULL); pwent = getpwnamallow(username); + if (pwent && 0 != strcmp(username,pwent->pw_name)) { + authctxt->user = xstrdup(pwent->pw_name); + authctxt->ruser = xstrdup(username); + } else { + authctxt->user = xstrdup(username); + } - authctxt->user = xstrdup(username); setproctitle("%s [priv]", pwent ? username : "unknown"); xfree(username); diff -ru openssh-5.3p1/servconf.c openssh-5.3p1.new/servconf.c --- openssh-5.3p1/servconf.c 2009-06-21 18:26:17.000000000 +0800 +++ openssh-5.3p1.new/servconf.c 2010-03-14 09:09:18.000000000 +0800 @@ -60,6 +60,7 @@ options->use_pam = -1; /* Standard Options */ + options->auth_user_file = NULL; options->num_ports = 0; options->ports_from_cmdline = 0; options->listen_addrs = NULL; @@ -283,6 +284,7 @@ /* Portable-specific options */ sUsePAM, /* Standard Options */ + sAuthUserFile, sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, @@ -327,6 +329,7 @@ #endif { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, /* Standard Options */ + { "authuserfile", sAuthUserFile, SSHCFG_GLOBAL }, { "port", sPort, SSHCFG_GLOBAL }, { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ @@ -684,6 +687,11 @@ /* Standard Options */ case sBadOption: return -1; + + case sAuthUserFile: + charptr = &options->auth_user_file; + goto parse_filename; + case sPort: /* ignore ports from configfile if cmdline specifies ports */ if (options->ports_from_cmdline) diff -ru openssh-5.3p1/servconf.h openssh-5.3p1.new/servconf.h --- openssh-5.3p1/servconf.h 2009-01-28 13:31:23.000000000 +0800 +++ openssh-5.3p1.new/servconf.h 2010-03-13 12:36:11.000000000 +0800 
@@ -151,6 +151,9 @@ int num_permitted_opens; char *chroot_directory; + + char *auth_user_file; + } ServerOptions; void initialize_server_options(ServerOptions *); diff -ru openssh-5.3p1/sshd.c openssh-5.3p1.new/sshd.c --- openssh-5.3p1/sshd.c 2009-06-21 18:26:17.000000000 +0800 +++ openssh-5.3p1.new/sshd.c 2010-03-14 11:43:26.000000000 +0800 @@ -1728,6 +1728,7 @@ if (startup_pipe != -1) close(startup_pipe); + debug("rexec '%s'", rexec_argv[0]); execv(rexec_argv[0], rexec_argv); /* Reexec has failed, fall back and continue */ From alex at alex.org.uk Sun Mar 14 21:24:31 2010 From: alex at alex.org.uk (Alex Bligh) Date: Sun, 14 Mar 2010 10:24:31 +0000 Subject: Is there any way to hook the point when channel port listener accepts a new connection? In-Reply-To: <1c2183ae1003140048x1fdfa25che76c85fb9f3dcdb5@mail.gmail.com> References: <1c2183ae1001211718t7c962cb8w894e59939a09bdb3@mail.gmail.com> <20100122062435.3450.qmail@stuge.se> <1c2183ae1001212315n399121d1p7cd5814278d176b9@mail.gmail.com> <20100122072233.11781.qmail@stuge.se> <1c2183ae1001212332i18361135t7d5cf879f5950634@mail.gmail.com> <74C3A21052A4C5B3A199791B@nimrod.local> <1c2183ae1003140048x1fdfa25che76c85fb9f3dcdb5@mail.gmail.com> Message-ID: <6FA7A17086A25D7D1D9A8F99@nimrod.local> --On 14 March 2010 16:48:10 +0800 yingyuan cheng wrote: > I think one system account for hundreds of virtual users maybe useful, > so I made some modifications to source code, now it seems working. I would have found something like this very useful. Using some pluggable authentication method so it could talk to (e.g.) mysql would have been yet more useful. As it was, I had to make all my users use keys. I've wanted a patch like this before for something entirely different (ssh in support to implement a CLI on a router like thing). -- Alex Bligh From francois.perou at free.fr Tue Mar 16 03:39:15 2010 
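Review bot: The early `return` in the new `authctxt->ruser` branch of the auth-passwd.c hunk above (@@ -86,6 +87,21 @@) skips every check that follows it, including the `pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES` test visible in the trailing context, so a virtual user mapped to a uid-0 system account is not subject to PermitRootLogin; move the branch below those checks or fold its result into `ok`. Two more defects sit in the same hunk: `md5str` is declared `char md5str[32]`, but after the loop `i == 16`, so `md5str[2*i] = '\0'` writes index 32, one past the end (it needs 33 bytes); and the stored credential is a plain unsalted MD5 hex string compared with `strcmp`, which returns at the first differing byte. Use a salted, iterated hash and a fixed-length comparison that does not stop early. The header name in the added `+#include` line of the first hunk was lost in the archive, so where `MD5()` comes from cannot be checked here.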
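Review bot: `getpwnam_from_file()` in the auth.c hunk @@ -620,3 +624,55 @@ assigns `pw->pw_passwd = xstrdup(p)` into the `struct passwd` that `getpwnam(u)` returned, which is static storage owned by libc; the system account's real password field is replaced for the rest of the process and the old pointer is never released. Copy the entry with `pwcopy()` before changing it. The loop also does nothing about lines longer than `LINELEN`: `fgets()` hands back the remainder of an over-long line as if it were a new record, so the tail of one entry can be parsed as the virtual user name of the next; reject a line whose buffer does not end in a newline. Finally, the file holds password hashes but is opened with no ownership or mode check although this code runs in the privileged monitor (it is reached from `getpwnamallow()`); give it the same `secure_filename()` treatment as authorized_keys files, and return `NULL` rather than `0` from a pointer-returning function.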
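Review bot: The rewritten test in the auth2.c hunk @@ -255,7 +261,8 @@ disables the username-change check for every ordinary user: with `(strcmp(user, authctxt->user) != 0 && authctxt->ruser && strcmp(user, authctxt->ruser) != 0)`, a NULL `ruser` (the common case, since the `else` branch of the first auth2.c hunk never sets it) makes the whole conjunction false whatever `user` is, so a client can switch user names between authentication requests without the `packet_disconnect()` that the original `strcmp(user, authctxt->user) != 0 ||` guaranteed. The intended condition is `strcmp(user, authctxt->user) != 0 && (authctxt->ruser == NULL || strcmp(user, authctxt->ruser) != 0)`.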
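Review bot: `debug2("pw %s", authctxt->pw->pw_passwd);` in the auth2.c hunk @@ -279,6 +286,7 @@ dereferences `authctxt->pw` unconditionally, while the first hunk of the same file guards every use of it with `if (authctxt->pw && ...)` because `getpwnamallow()` returns NULL for unknown users; a userauth request for a non-existent name therefore crashes the pre-auth process at this line. It also writes the password hash into the debug log. Drop the line.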
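Review bot: The monitor.c hunk @@ -641,8 +641,13 @@ repeats the `user`/`ruser` split already added to `input_userauth_request()` in auth2.c; factor it into one helper so that the privileged and unprivileged copies cannot drift apart.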
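Review bot: The new `authuserfile` keyword in the servconf.c hunk @@ -327,6 +329,7 @@ is registered as `SSHCFG_GLOBAL`, but the patch touches neither sshd_config.5 nor the shipped sshd_config; document the keyword, the `virtual:system:hash` record format the file must use, and the ownership and mode expected of a file that stores password hashes.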
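Review bot: The `debug("rexec '%s'", rexec_argv[0]);` added in the sshd.c hunk @@ -1728,6 +1728,7 @@ has nothing to do with the AuthUserFile feature and reads as leftover instrumentation, as does the whitespace-only auth2.c hunk @@ -404,4 +412,3 @@; drop both from the patch.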
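The virtual-user table that yingyuan cheng's message describes (one `virtual_username:sys_username:hash` record per line) is the part of the design that a defender has to get right, so here is an added example of reading it safely. This is my own C code, not the posted patch: the record names, the `SAMPLE_TABLE` contents and its hash fields are constructed placeholders, and the comparison is demonstrated on stored and computed hex strings rather than on a real digest. Compared with the patch it matches the whole first field instead of a `strncmp` prefix, skips malformed lines instead of aborting on them, never writes past a fixed-size buffer, and compares hashes in constant time.

```c
/*
 * Added example (my own code, not the posted patch): a bounds-checked
 * parser for a "virtual_user:system_user:hash" table and a constant-time
 * comparison for the stored hash. SAMPLE_TABLE is constructed for
 * illustration; its hash fields are placeholders, not real digests.
 */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define VU_NAME_MAX 64
#define VU_HASH_MAX 128

struct vuser {
    char virt[VU_NAME_MAX];   /* name the client sent */
    char sys[VU_NAME_MAX];    /* system account to run as */
    char hash[VU_HASH_MAX];   /* stored password hash, hex */
};

/* Compare two hex digests without stopping at the first differing byte. */
int hash_matches(const char *stored, const char *computed)
{
    size_t i, n = strlen(stored);
    unsigned char diff = 0;

    if (n != strlen(computed))      /* lengths are not secret */
        return 0;
    for (i = 0; i < n; i++)
        diff |= (unsigned char)stored[i] ^ (unsigned char)computed[i];
    return diff == 0;
}

/* Copy [start, end) into dst; refuse empty or over-long fields. */
static int copy_field(char *dst, size_t dstlen, const char *start, const char *end)
{
    size_t n = (size_t)(end - start);

    if (n == 0 || n >= dstlen)
        return 0;
    memcpy(dst, start, n);
    dst[n] = '\0';
    return 1;
}

/* Parse one "virt:sys:hash" record in [line, end); 0 if malformed. */
static int parse_record(const char *line, const char *end, struct vuser *out)
{
    const char *c1, *c2;

    if ((c1 = memchr(line, ':', (size_t)(end - line))) == NULL)
        return 0;
    if ((c2 = memchr(c1 + 1, ':', (size_t)(end - c1 - 1))) == NULL)
        return 0;
    while (end > c2 + 1 && isspace((unsigned char)end[-1]))
        end--;                      /* drop trailing CR/whitespace */
    return copy_field(out->virt, sizeof(out->virt), line, c1) &&
        copy_field(out->sys, sizeof(out->sys), c1 + 1, c2) &&
        copy_field(out->hash, sizeof(out->hash), c2 + 1, end);
}

/*
 * Look up user in an in-memory table, one record per line. Only a whole
 * first field matches (no prefix matching); malformed lines are skipped
 * rather than ending the search. Returns 1 and fills *out, else 0.
 */
int lookup_virtual_user(const char *table, const char *user, struct vuser *out)
{
    const char *p = table, *nl, *end;
    struct vuser rec;

    while (*p != '\0') {
        nl = strchr(p, '\n');
        end = nl != NULL ? nl : p + strlen(p);
        if (end > p && parse_record(p, end, &rec) &&
            strcmp(rec.virt, user) == 0) {
            *out = rec;
            return 1;
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Constructed sample table; hashes are placeholders, not real digests. */
const char SAMPLE_TABLE[] =
    "alice:www:0123456789abcdef0123456789abcdef\n"
    "alicex:www:fedcba9876543210fedcba9876543210\n"
    "garbage line without separators\n"
    "bob:www:00112233445566778899aabbccddeeff\r\n";

/* Does user resolve to the given system account and stored hash? */
int sample_maps_to(const char *user, const char *sys, const char *hash)
{
    struct vuser v;

    if (!lookup_virtual_user(SAMPLE_TABLE, user, &v))
        return 0;
    return strcmp(v.sys, sys) == 0 && strcmp(v.hash, hash) == 0;
}
```

A real deployment would store a salted, iterated hash rather than raw MD5 and compute `computed` from the client's password with the same function before calling `hash_matches()`; the table would also be read by the privileged monitor from a root-owned, mode 0600 file.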
From: francois.perou at free.fr (François Pérou) Date: Mon, 15 Mar 2010 17:39:15 +0100 Subject: Donation of 5 FEITIAN PKI smart cards to OpenSSH project Message-ID: <1268671155.9970.3.camel@acer> Dear friends, We are aware that OpenSSH has recently added support for smart cards. FEITIAN and Gooze http://www.gooze.eu kindly offer 5 FEITIAN PKI smart cards to OpenSSH developers interested in smart card support. If you are interested, please apply here: http://www.gooze.eu/feitian-pki-free-software-developer-card The FEITIAN PKI card is completely compliant with GNU/Linux. Kind regards, Jean-Michel From keisial at gmail.com Tue Mar 16 03:50:11 2010 From: keisial at gmail.com (Keisial) Date: Mon, 15 Mar 2010 17:50:11 +0100 Subject: Allow utf-8 usernames in scp Message-ID: <4B9E6543.9020306@gmail.com> Hello, scp(1) doesn't allow copying files to a remote host with a username containing utf-8 characters. It just returns "invalid user name". While traditionally usernames were restricted to printable us-ascii, nowadays there's little problem in allowing them. In fact, it is allowed by ssh, and even by scp when copying _from_ such a username. The limitation seems to lie in the if (c & 0200) goto bad; check in okname() in scp.c, which automatically rejects usernames with the high bit set. Can you please remove this limitation? Thanks, From brakeb at gmail.com Tue Mar 16 04:31:39 2010 
From: brakeb at gmail.com (Bryan) Date: Mon, 15 Mar 2010 12:31:39 -0500 Subject: 5.4p1 and FIPS 140-2 Message-ID: <4B9E6EFB.90407@gmail.com> My office is working with government contracts, and it appears that they will be wanting FIPS-enabled OpenSSL and OpenSSH in the next year. We have been able to compile OpenSSL to create the container, but all the diffs to enable FIPS 140-2 in OpenSSH are for 5.3p1. Will the diffs from: https://bugzilla.mindrot.org/attachment.cgi?id=1789&action=edit build in 5.4p1 with a little find/replace version magic? Any chance that this will show up in the OpenBSD snaps, as I just found out you have PKI integration. Thank you Bryan Brake From openssh at roumenpetrov.info Tue Mar 16 07:41:54 2010 From: openssh at roumenpetrov.info (Roumen Petrov) Date: Mon, 15 Mar 2010 22:41:54 +0200 Subject: 5.4p1 and FIPS 140-2 In-Reply-To: <4B9E6EFB.90407@gmail.com> References: <4B9E6EFB.90407@gmail.com> Message-ID: <4B9E9B92.6010806@roumenpetrov.info> Bryan wrote: > My office is working with government contracts, and it appears that they > will be wanting FIPS-enabled OpenSSL and OpenSSH in the next year. > We have been able to compile OpenSSL to create the container, but all > the diffs to enable FIPS 140-2 in OpenSSH are for 5.3p1. Will the diffs > from: > > https://bugzilla.mindrot.org/attachment.cgi?id=1789&action=edit > > build in 5.4p1 with a little find/replace version magic? Any chance that > this will show up in the OpenBSD snaps, as I just found out you have PKI > integration. No, OpenSSH doesn't support PKI. > Thank you > Bryan Brake Roumen -- Get X.509 certificates support in OpenSSH: http://roumenpetrov.info/openssh/ From dkg at fifthhorseman.net Tue Mar 16 07:53:08 2010 
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 15 Mar 2010 16:53:08 -0400 Subject: 5.4p1 and FIPS 140-2 In-Reply-To: <4B9E9B92.6010806@roumenpetrov.info> References: <4B9E6EFB.90407@gmail.com> <4B9E9B92.6010806@roumenpetrov.info> Message-ID: <4B9E9E34.7020908@fifthhorseman.net> On 03/15/2010 04:41 PM, Roumen Petrov wrote: > Bryan wrote: >> build in 5.4p1 with a little find/replace version magic? Any chance that >> this will show up in the OpenBSD snaps, as I just found out you have PKI >> integration. > > No, OpenSSH doesn't support PKI. Technically, version 5.4 *does* support a PKI, but it supports a novel, OpenSSH-specific PKI, not a PKI that would already be in use by any other systems (or specified in any existing standard). In particular, OpenSSH does not natively support the PKI known as X.509, though Roumen's patches [0] provide X.509 support. And OpenSSH also does not internally support the PKI known as OpenPGP, though the Monkeysphere project [1] can be used with any recent stock/unpatched SSH to provide OpenPGP support. --dkg [0] http://www.roumenpetrov.info/openssh/ [1] http://web.monkeysphere.info/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 891 bytes Desc: OpenPGP digital signature URL: From brakeb at gmail.com Tue Mar 16 07:55:49 2010 
From: brakeb at gmail.com (Bryan) Date: Mon, 15 Mar 2010 15:55:49 -0500 Subject: 5.4p1 and FIPS 140-2 In-Reply-To: <4B9E9E34.7020908@fifthhorseman.net> References: <4B9E6EFB.90407@gmail.com> <4B9E9B92.6010806@roumenpetrov.info> <4B9E9E34.7020908@fifthhorseman.net> Message-ID: <4B9E9ED5.6050003@gmail.com> On 3/15/2010 3:53 PM, Daniel Kahn Gillmor wrote: > On 03/15/2010 04:41 PM, Roumen Petrov wrote: >> Bryan wrote: >>> build in 5.4p1 with a little find/replace version magic? Any chance that >>> this will show up in the OpenBSD snaps, as I just found out you have PKI >>> integration. >> >> No, OpenSSH doesn't support PKI. > > Technically, version 5.4 *does* support a PKI, but it supports a novel, > OpenSSH-specific PKI, not a PKI that would already be in use by any > other systems (or specified in any existing standard). > > In particular, OpenSSH does not natively support the PKI known as X.509, > though Roumen's patches [0] provide X.509 support. > > And OpenSSH also does not internally support the PKI known as OpenPGP, > though the Monkeysphere project [1] can be used with any recent > stock/unpatched SSH to provide OpenPGP support. > Alright, I'm not really caring about x509 right now, my original question was about FIPS. Will it make new releases? Will the patches I found on bugzilla build with 5.4p1? From djm at mindrot.org Wed Mar 17 04:07:59 2010 
From: djm at mindrot.org (Damien Miller) Date: Wed, 17 Mar 2010 04:07:59 +1100 (EST) Subject: 5.4p1 and FIPS 140-2 In-Reply-To: <4B9E9ED5.6050003@gmail.com> References: <4B9E6EFB.90407@gmail.com> <4B9E9B92.6010806@roumenpetrov.info> <4B9E9E34.7020908@fifthhorseman.net> <4B9E9ED5.6050003@gmail.com> Message-ID: On Mon, 15 Mar 2010, Bryan wrote: > Alright, I'm not really caring about x509 right now, my original question was > about FIPS. Will it make new releases? Will the patches I found on bugzilla > build with 5.4p1? The best way would be to try to apply the patches and attempt compilation. I can't immediately think of any crypto that has changed between 5.3 and 5.4, so there is a reasonable chance they will work without modification. Otherwise, I'm sure the developer of the patches will update them to 5.4p1 in the near future. -d From francois.perou at free.fr Wed Mar 17 04:13:09 2010 
From: francois.perou at free.fr (François Pérou) Date: Tue, 16 Mar 2010 18:13:09 +0100 Subject: 5.4p1 and FIPS 140-2 In-Reply-To: References: <4B9E6EFB.90407@gmail.com> <4B9E9B92.6010806@roumenpetrov.info> <4B9E9E34.7020908@fifthhorseman.net> <4B9E9ED5.6050003@gmail.com> Message-ID: <1268759589.8500.3.camel@acer> On Wednesday 17 March 2010 at 04:07 +1100, Damien Miller wrote: > The best way would be to try to apply the patches and attempt > compilation. > I can't immediately think of any crypto that has changed between 5.3 and > 5.4, > so there is a reasonable chance they will work without modification. > > Otherwise, I'm sure the developer of the patches will update them to > 5.4p1 > in the near future. As I posted before, Gooze.eu is ready to donate FEITIAN PKI cards to OpenSSH developers to hasten adoption of PKI cards. Just request a free card here: http://www.gooze.eu/feitian-pki-free-software-developer-card This is my last post, to avoid filling the list. I can easily ship five cards to OpenSSH developers. The only limitation is that I can only ship to European Union countries. Kind regards, François Pérou From djm at mindrot.org Wed Mar 17 06:04:26 2010 From: djm at mindrot.org (Damien Miller) Date: Wed, 17 Mar 2010 06:04:26 +1100 (EST) Subject: openssh-5.5p1 Message-ID: Hi, We will probably do an openssh-5.5p1 release soon, mainly for the sshd_config:AuthorizedKeysFile bug, but containing a few other small patches too. If you have any portability fixes that need to go in then please send them through at once. -d From vinschen at redhat.com Wed Mar 17 06:26:32 2010 
From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 16 Mar 2010 20:26:32 +0100 Subject: openssh-5.5p1 In-Reply-To: References: Message-ID: <20100316192631.GD6505@calimero.vinschen.de> Hi Damien, On Mar 17 06:04, Damien Miller wrote: > Hi, > > We will probably do an openssh-5.5p1 release soon, mainly for the > sshd_config:AuthorizedKeysFile bug, but containing a few other small > patches too. If you have any portability fixes that need to go in then > please send them through at once. That's good to know, but I don't see a matching patch for the AuthorizedKeysFile bug in the portable openssh repository, nor any reply to my mail concerning this problem: http://marc.info/?l=openssh-unix-dev&m=126838983321733&w=2 If there has been anything going on behind the scenes, it would be nice to learn about it. Thanks, Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From djm at mindrot.org Wed Mar 17 06:57:16 2010 
From: djm at mindrot.org (Damien Miller) Date: Wed, 17 Mar 2010 06:57:16 +1100 (EST) Subject: openssh-5.5p1 In-Reply-To: <20100316192631.GD6505@calimero.vinschen.de> References: <20100316192631.GD6505@calimero.vinschen.de> Message-ID: On Tue, 16 Mar 2010, Corinna Vinschen wrote: > Hi Damien, > > On Mar 17 06:04, Damien Miller wrote: > > Hi, > > > > We will probably do an openssh-5.5p1 release soon, mainly for the > > sshd_config:AuthorizedKeysFile bug, but containing a few other small > > patches too. If you have any portability fixes that need to go in then > > please send them through at once. > > That's good to know, but I don't see a matching patch for the > AuthorizedKeysFile bug in the portable openssh repository, nor > any reply to my mail concerning this problem: > http://marc.info/?l=openssh-unix-dev&m=126838983321733&w=2 > > If there has been anything going on behind the scenes, it would > be nice to learn about it. Yes, the patch (with a correction to the problem you pointed out) was committed to OpenBSD but I haven't synced it to the portable repository yet. -d From imorgan at nas.nasa.gov Wed Mar 17 07:49:44 2010 
From: imorgan at nas.nasa.gov (Iain Morgan) Date: Tue, 16 Mar 2010 13:49:44 -0700 Subject: openssh-5.5p1 In-Reply-To: References: Message-ID: <20100316204944.GN17027@linux55.nas.nasa.gov> On Tue, Mar 16, 2010 at 14:04:26 -0500, Damien Miller wrote: > Hi, > > We will probably do an openssh-5.5p1 release soon, mainly for the > sshd_config:AuthorizedKeysFile bug, but containing a few other small > patches too. If you have any portability fixes that need to go in then > please send them through at once. > > -d > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev Hi Damien, I just stumbled across an issue today building 5.4p1 on SLES 10 with libedit support. When --with-libedit is used, configure will use -lcurses when testing for a functional libedit. On SLES 10 (and perhaps other OSes) there is no libcurses.so (even as a symlink) so the test fails. It may be best to check for -lcurses and -lncurses, and then use the appropriate library when checking for -ledit. I'm not an autoconf wizard and thus don't have an actual patch to submit. I'm just working around the issue by hacking the configure script. -- Iain Morgan From vinschen at redhat.com Wed Mar 17 08:49:08 2010 
From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 16 Mar 2010 22:49:08 +0100 Subject: openssh-5.5p1 In-Reply-To: References: <20100316192631.GD6505@calimero.vinschen.de> Message-ID: <20100316214908.GE6505@calimero.vinschen.de> On Mar 17 06:57, Damien Miller wrote: > On Tue, 16 Mar 2010, Corinna Vinschen wrote: > > > Hi Damien, > > > > On Mar 17 06:04, Damien Miller wrote: > > > Hi, > > > > > > We will probably do an openssh-5.5p1 release soon, mainly for the > > > sshd_config:AuthorizedKeysFile bug, but containing a few other small > > > patches too. If you have any portability fixes that need to go in then > > > please send them through at once. > > > > That's good to know, but I don't see a matching patch for the > > AuthorizedKeysFile bug in the portable openssh repository, nor > > any reply to my mail concerning this problem: > > http://marc.info/?l=openssh-unix-dev&m=126838983321733&w=2 > > > > If there has been anything going on behind the scenes, it would > > be nice to learn about it. > > yes, the patch (with a correction to the problem you pointed out) was > committed to OpenBSD but I haven't synced it to the portable repository > yet. Ok, thanks. It's just that I'd like to test it. Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From brakeb at gmail.com Wed Mar 17 04:50:02 2010 
From: brakeb at gmail.com (Bryan) Date: Tue, 16 Mar 2010 12:50:02 -0500 Subject: 5.4p1 and FIPS 140-2 In-Reply-To: References: <4B9E6EFB.90407@gmail.com> <4B9E9B92.6010806@roumenpetrov.info> <4B9E9E34.7020908@fifthhorseman.net> <4B9E9ED5.6050003@gmail.com> Message-ID: <4B9FC4CA.9010507@gmail.com> On 3/16/2010 12:07 PM, Damien Miller wrote: > On Mon, 15 Mar 2010, Bryan wrote: > >> Alright, I'm not really caring about x509 right now, my original question was >> about FIPS. Will it make new releases? Will the patches I found on bugzilla >> build with 5.4p1? > > The best way would be to try to apply the patches and attempt compilation. > I can't immediately think of any crypto that has changed between 5.3 and 5.4, > so there is a reasonable chance they will work without modification. > > Otherwise, I'm sure the developer of the patches will update them to 5.4p1 > in the near future. > > -d Thanks Damien... I did try to apply the patch but not all of it completed... Here is the output from 5.4p1 and the patch from my e-mail earlier. I replaced all instances of "5.3p1" with "5.4p1" and applied it thusly: mliu openssl # tar -zxf openssh-5.4p1.tar.gz mliu openssl # pwd /home/openssl mliu openssl # patch -p0 < openssh_changes patching file openssh-5.4p1/auth2-pubkey.c Hunk #1 FAILED at 54. Hunk #2 succeeded at 191 (offset 4 lines). Hunk #3 succeeded at 272 (offset 30 lines). 1 out of 3 hunks FAILED -- saving rejects to file openssh-5.4p1/auth2-pubkey.c.rej patching file openssh-5.4p1/auth-rsa.c Hunk #3 succeeded at 92 with fuzz 1. Hunk #4 succeeded at 109 (offset 3 lines). Hunk #5 succeeded at 166 (offset 3 lines). Hunk #6 succeeded at 188 (offset 3 lines). Hunk #7 succeeded at 324 (offset 3 lines). Hunk #8 succeeded at 358 (offset 3 lines). patching file openssh-5.4p1/buffer.c patching file openssh-5.4p1/buildpkg.sh.in patching file openssh-5.4p1/cipher.c patching file openssh-5.4p1/configure.ac Hunk #4 succeeded at 1880 (offset 13 lines). 
Hunk #5 succeeded at 2234 (offset 13 lines). patching file openssh-5.4p1/contrib/redhat/sshd.init patching file openssh-5.4p1/fips.h patching file openssh-5.4p1/mac.c patching file openssh-5.4p1/Makefile.in Hunk #2 succeeded at 31 (offset 1 line). Hunk #3 succeeded at 258 (offset 1 line). patching file openssh-5.4p1/myproposal.h Hunk #1 FAILED at 41. Hunk #2 succeeded at 54 (offset 2 lines). 1 out of 2 hunks FAILED -- saving rejects to file openssh-5.4p1/myproposal.h.rej patching file openssh-5.4p1/openbsd-compat/bsd-arc4random.c patching file openssh-5.4p1/readconf.c Hunk #2 succeeded at 230 (offset 2 lines). Hunk #3 succeeded at 915 (offset 2 lines). Hunk #4 succeeded at 1076 (offset 2 lines). Hunk #5 succeeded at 1147 with fuzz 2 (offset 2 lines). Hunk #6 succeeded at 1214 (offset 2 lines). patching file openssh-5.4p1/readconf.h patching file openssh-5.4p1/servconf.c Hunk #1 succeeded at 108 (offset 1 line). Hunk #2 succeeded at 132 with fuzz 1 (offset 1 line). Hunk #3 succeeded at 269 (offset 4 lines). Hunk #4 FAILED at 317. Hunk #5 succeeded at 437 with fuzz 2 (offset 5 lines). Hunk #6 succeeded at 1346 with fuzz 2 (offset 42 lines). 1 out of 6 hunks FAILED -- saving rejects to file openssh-5.4p1/servconf.c.rej patching file openssh-5.4p1/servconf.h Hunk #1 succeeded at 153 with fuzz 2 (offset 3 lines). patching file openssh-5.4p1/ssh-add.c Hunk #2 succeeded at 367 (offset 22 lines). patching file openssh-5.4p1/ssh-agent.c Hunk #1 succeeded at 75 with fuzz 2. Hunk #2 succeeded at 1085 (offset 14 lines). patching file openssh-5.4p1/ssh.c Hunk #2 succeeded at 107 with fuzz 2 (offset 1 line). Hunk #3 succeeded at 195 with fuzz 2 (offset 5 lines). Hunk #4 FAILED at 300. Hunk #5 succeeded at 691 (offset 32 lines). 1 out of 5 hunks FAILED -- saving rejects to file openssh-5.4p1/ssh.c.rej patching file openssh-5.4p1/sshconnect2.c Hunk #1 succeeded at 71 (offset 1 line). Hunk #2 succeeded at 498 (offset 22 lines). Hunk #3 succeeded at 537 (offset 22 lines). 
patching file openssh-5.4p1/sshconnect.c Hunk #1 succeeded at 60 with fuzz 2 (offset 2 lines). Hunk #2 succeeded at 619 (offset 22 lines). Hunk #3 succeeded at 804 (offset 30 lines). Hunk #4 succeeded at 1159 (offset 76 lines). Hunk #5 succeeded at 1222 (offset 76 lines). patching file openssh-5.4p1/sshd.c Hunk #3 succeeded at 429 (offset 2 lines). Hunk #4 succeeded at 602 (offset 7 lines). Hunk #5 succeeded at 648 (offset 7 lines). Hunk #6 succeeded at 686 (offset 7 lines). Hunk #7 succeeded at 707 (offset 7 lines). Hunk #8 succeeded at 725 (offset 7 lines). Hunk #9 succeeded at 746 (offset 7 lines). Hunk #10 succeeded at 1126 (offset 37 lines). Hunk #11 succeeded at 1262 (offset 37 lines). Hunk #12 succeeded at 1286 (offset 37 lines). Hunk #13 succeeded at 1597 (offset 46 lines). Hunk #14 succeeded at 1826 (offset 86 lines). patching file openssh-5.4p1/ssh-keygen.c Hunk #1 FAILED at 48. Hunk #2 succeeded at 1525 (offset 424 lines). Hunk #3 succeeded at 1930 (offset 450 lines). 1 out of 3 hunks FAILED -- saving rejects to file openssh-5.4p1/ssh-keygen.c.rej patching file openssh-5.4p1/ssh-keyscan.c patching file openssh-5.4p1/ssh-keysign.c patching file openssh-5.4p1/ssh-rand-helper.c Hunk #2 succeeded at 829 with fuzz 1 (offset 1 line). ------------------------------------------------------------------- There are some differences... Should I pull from CVS and try to build, or am I not doing something right? Thanks to all. Bryan Brake From openssh at roumenpetrov.info Wed Mar 17 09:47:30 2010 
From: openssh at roumenpetrov.info (Roumen Petrov) Date: Wed, 17 Mar 2010 00:47:30 +0200 Subject: openssh-5.5p1 In-Reply-To: <20100316204944.GN17027@linux55.nas.nasa.gov> References: <20100316204944.GN17027@linux55.nas.nasa.gov> Message-ID: <4BA00A82.5020604@roumenpetrov.info> Iain Morgan wrote: > On Tue, Mar 16, 2010 at 14:04:26 -0500, Damien Miller wrote: >> Hi, >> >> We will probably do an openssh-5.5p1 release soon, mainly for the >> sshd_config:AuthorizedKeysFile bug, but containing a few other small >> patches too. If you have any portability fixes that need to go in then >> please send them through at once. >> >> -d >> _______________________________________________ >> openssh-unix-dev mailing list >> openssh-unix-dev at mindrot.org >> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > > Hi Damien, > > I just stumbled across an issue today building 5.4p1 on SLES 10 with > libedit support. When --with-libedit is used, configure will use > -lcurses when testing for a functional libedit. On SLES 10 (and perhaps > other OSes) there is no libcurses.so (even as a symlink) so the test > fails. Maybe yes, maybe no. If ncurses is used as a replacement it could be ncurses and ncursesw. Also the library could be termcap! > It may be best to check for -lcurses and -lncurses, and then use the > appropriate library when checking for -ledit. The internet is full of scripts showing how to test for curses-compatible libraries. > I'm not an autoconf wizard and thus don't have an actual patch to > submit. I'm just working around the issue by hacking the configure > script. It's not necessary to be an autoconf guru to write a simple test of how a GNU readline replacement links correctly against a list of possible termcap-compatible libraries. You could adapt my patch posted here http://bugs.python.org/issue1204 - replace readline/READLINE with edit/EDIT and py with ssh or with ac (name space collision). As you have a system with libedit you could try to adapt it. 
For now I don't have enough time or the environment to test. Another case is the reports that libedit doesn't work well on some platforms. One of these platforms is Mac OS X, but it seems to me OpenSSH portable dropped it, as configure is created with autoconf 2.61 instead of the OpenBSD-patched (?) 2.62 or newer. I'm sure that issue was posted in the past and maybe a bug is open. Roumen -- Get X.509 certificates support in OpenSSH: http://roumenpetrov.info/openssh/ From openssh at roumenpetrov.info Wed Mar 17 09:48:29 2010 From: openssh at roumenpetrov.info (Roumen Petrov) Date: Wed, 17 Mar 2010 00:48:29 +0200 Subject: openssh-5.5p1 In-Reply-To: References: Message-ID: <4BA00ABD.7050005@roumenpetrov.info> Damien Miller wrote: > Hi, > > We will probably do an openssh-5.5p1 release soon, mainly for the > sshd_config:AuthorizedKeysFile bug, but containing a few other small > patches too. If you have any portability fixes that need to go in then > please send them through at once. In the past you created p2 versions. What is the new functionality for 5.5 (except bug fixes)? Roumen -- Get X.509 certificates support in OpenSSH: http://roumenpetrov.info/openssh/ From djm at mindrot.org Wed Mar 17 09:54:04 2010 
From: djm at mindrot.org (Damien Miller) Date: Wed, 17 Mar 2010 09:54:04 +1100 (EST) Subject: openssh-5.5p1 In-Reply-To: <4BA00ABD.7050005@roumenpetrov.info> References: <4BA00ABD.7050005@roumenpetrov.info> Message-ID: On Wed, 17 Mar 2010, Roumen Petrov wrote: > Damien Miller wrote: > > Hi, > > > > We will probably do an openssh-5.5p1 release soon, mainly for the > > sshd_config:AuthorizedKeysFile bug, but containing a few other small > > patches too. If you have any portability fixes that need to go in then > > please send them through at once. > > In the past you created p2 versions. What is the new functionality for 5.5 (except bug > fixes)? We have created p2 versions when the changes have been to portable OpenSSH only. In this case there are changes to the OpenBSD version too. -d From jchadima at redhat.com Wed Mar 17 19:37:11 2010 From: jchadima at redhat.com (Jan Chadima) Date: Wed, 17 Mar 2010 04:37:11 -0400 (EDT) Subject: openssh-5.5p1 In-Reply-To: Message-ID: <835879815.906091268815031099.JavaMail.root@zmail04.collab.prod.int.phx2.redhat.com> ----- "Damien Miller" wrote: > Hi, > > > > We will probably do an openssh-5.5p1 release soon, mainly for the > > sshd_config:AuthorizedKeysFile bug, but containing a few other small > > patches too. If you have any portability fixes that need to go in then > > please send them through at once. > > Damien, please have a look at https://bugzilla.mindrot.org/show_bug.cgi?id=1663 I still think that it's useful and safe. It's useful for creating small centralized domains without LDAP... simply using ssh to transport the keys. -- JFCh From kai_yang2008 at 163.com Thu Mar 18 20:24:18 2010 
From: kai_yang2008 at 163.com (kai_yang2008) Date: Thu, 18 Mar 2010 17:24:18 +0800 (CST) Subject: problem of adding a new option of sshd Message-ID: <18db38c.12110.12770966c25.Coremail.kai_yang2008@163.com> Dear all, I want to add a new option "newoption" to the sshd server; I have just added some code in servconf.h and servconf.c like the other options. But it seems that the "newoption" cannot be enabled when I set the "newoption" to "yes" in the sshd_config file. I have added a debug message in the main function of sshd.c .... debug("main sshd %d",options->newoption); ... debug1: main sshd 0 From the debug message, it seems that the "newoption" is not enabled. So could anyone give me some advice about it? Kevin, kai_yang2008 at 163.com From peter at stuge.se Thu Mar 18 23:09:53 2010 From: peter at stuge.se (Peter Stuge) Date: Thu, 18 Mar 2010 13:09:53 +0100 Subject: problem of adding a new option of sshd In-Reply-To: <18db38c.12110.12770966c25.Coremail.kai_yang2008@163.com> References: <18db38c.12110.12770966c25.Coremail.kai_yang2008@163.com> Message-ID: <20100318120953.12975.qmail@stuge.se> kai_yang2008 wrote: > I want to add a new option "newoption" to the sshd server, .. > So could anyone give me some advice about it? Please send a patch showing what you have added. Then you can get comments on what you would need to fix. //Peter From imorgan at nas.nasa.gov Fri Mar 19 09:17:31 2010 
From: imorgan at nas.nasa.gov (Iain Morgan) Date: Thu, 18 Mar 2010 15:17:31 -0700 Subject: Question about host certificates Message-ID: <20100318221731.GA16369@linux55.nas.nasa.gov> Hi, I'm experimenting with host certificates in 5.4p1 and seem to have hit a usability issue. I've generated a host certificate, added the HostCertificate option to the sshd_config and restarted sshd. I've replaced the system's ssh_known_hosts file with one that has a single entry of the form: @cert-authority *.example.domain ssh-rsa ... This works provided that I use the host's FQDN when I ssh to it. If I use an unqualified name, the connection is made but the certificate verification fails. I suppose an entry like @cert-authority *,*.example.domain ssh-rsa ... would work, but it doesn't seem prudent. How are you supposed to specify that the cert-authority is for the local domain? It seems like the name of the target host should be resolved to a FQDN prior to checking whether or not the cert-authority is applicable. I know this issue _could_ be addressed by listing the unqualified name as well as the globbed domain name, but that doesn't seem like a very scalable solution. Thanks -- Iain Morgan From djm at mindrot.org Fri Mar 19 09:55:02 2010
From: djm at mindrot.org (Damien Miller) Date: Fri, 19 Mar 2010 09:55:02 +1100 (EST) Subject: Question about host certificates In-Reply-To: <20100318221731.GA16369@linux55.nas.nasa.gov> References: <20100318221731.GA16369@linux55.nas.nasa.gov> Message-ID: On Thu, 18 Mar 2010, Iain Morgan wrote: > Hi, > > I'm experimenting with host certificates in 5.4p1 and seem to have hit a > usability issue. I've generated a host certificate, added the > HostCertificate option to the sshd_config and restarted sshd. I've > replaced the system's ssh_known_hosts file with one that has a single > entry of the form: > > @cert-authority *.example.domain ssh-rsa ... > > This works provided that I use the host's FQDn when I ssh to it. If I > use an unqualified name, the connection is made but the certificate > verification fails. I suppose an entry like > > @cert-authority *,*.example.domain ssh-rsa ... > > would work, but it doesn't seem prudent. How are you supposed to specify > that the cert-authority is for the local domain? It seem like the name > of the target host should be resolved to a FQDN prior to checking > whether or not the cert-authority is applicable. > > I know this issue _could_ be addressed by listing the unqualified name > as well as the globbed domain name, but that doesn't seem like a very > scalable solution. Yes, it would be good if we could get feedback from the resolver as to which effective FQDN was used for resolution so we could canonicalise the name without an unsafe reverse lookup step. I haven't yet looked into how to do this. Two more alternatives: have some way of expressing wildcards that match only unqualified domains (e.g. rtr-syd-*[^.]*) or allow CIDR address matching in the host list so you could specify something like: @cert-authority 10.0.0.0/8 ssh-rsa ... Though we would need to think through the consequences first. -d From imorgan at nas.nasa.gov Fri Mar 19 10:49:55 2010 
From: imorgan at nas.nasa.gov (Iain Morgan) Date: Thu, 18 Mar 2010 16:49:55 -0700 Subject: Question about host certificates In-Reply-To: References: <20100318221731.GA16369@linux55.nas.nasa.gov> Message-ID: <20100318234955.GE16367@linux55.nas.nasa.gov> On Thu, Mar 18, 2010 at 17:55:02 -0500, Damien Miller wrote: > On Thu, 18 Mar 2010, Iain Morgan wrote: > > > Hi, > > > > I'm experimenting with host certificates in 5.4p1 and seem to have hit a > > usability issue. I've generated a host certificate, added the > > HostCertificate option to the sshd_config and restarted sshd. I've > > replaced the system's ssh_known_hosts file with one that has a single > > entry of the form: > > > > @cert-authority *.example.domain ssh-rsa ... > > > > This works provided that I use the host's FQDn when I ssh to it. If I > > use an unqualified name, the connection is made but the certificate > > verification fails. I suppose an entry like > > > > @cert-authority *,*.example.domain ssh-rsa ... > > > > would work, but it doesn't seem prudent. How are you supposed to specify > > that the cert-authority is for the local domain? It seem like the name > > of the target host should be resolved to a FQDN prior to checking > > whether or not the cert-authority is applicable. > > > > I know this issue _could_ be addressed by listing the unqualified name > > as well as the globbed domain name, but that doesn't seem like a very > > scalable solution. > > Yes, it would be good if we could get feedback from the resolver as to > which effective FQDN was used for resolution so we could canonicalise the > name without an unsafe reverse lookup step. I haven't yet looked into > how to do this. > > Two more alternatives: have some way of expressing wildcards that match > only unqualified domains (e.g. rtr-syd-*[^.]*) or allow CIDR address > matching in the host list so you could specify something like: > > @cert-authority 10.0.0.0/8 ssh-rsa ... 
> > Though we would need to think through the consequences first. > > -d Right. Of the two alternatives you mention, I would prefer the CIDR approach. On a related topic, I notice that when key_cert_check_authority() is called from sshconnect.c the principal is not checked. Shouldn't the list of principals for a host cert be the various names (qualified and, perhaps, unqualified) by which the host is known and shouldn't that list be checked to confirm that the cert belongs to the right host? -- Iain Morgan From djm at mindrot.org Fri Mar 19 11:16:11 2010 From: djm at mindrot.org (Damien Miller) Date: Fri, 19 Mar 2010 11:16:11 +1100 (EST) Subject: Question about host certificates In-Reply-To: <20100318234955.GE16367@linux55.nas.nasa.gov> References: <20100318221731.GA16369@linux55.nas.nasa.gov> <20100318234955.GE16367@linux55.nas.nasa.gov> Message-ID: On Thu, 18 Mar 2010, Iain Morgan wrote: > Right. Of the two alternatives you mention, I would prefer the CIDR > approach. > > On a related topic, I notice that when key_cert_check_authority() is > called from sshconnect.c the principal is not checked. Shouldn't the list > of principals for a host cert be the various names (qualified and, > perhaps, unqualified) by which the host is known and shouldn't that list > be checked to confirm that the cert belongs to the right host? I'm pretty sure it passes the hostname: 572 check_host_cert(const char *host, const Key *host_key) 573 { 574 const char *reason; 575 576 if (key_cert_check_authority(host_key, 1, 0, host, &reason) != 0) { 577 error("%s", reason); 578 return 0; 579 } and 730 if (want_cert && !check_host_cert(hostname, host_key)) 731 goto fail; The 3rd argument to key_cert_check_authority() doesn't _require_ that there be a principal (host) name in the cert, so if a CA wants to issue wildcard certs then it can. -d From imorgan at nas.nasa.gov Fri Mar 19 11:47:35 2010
From: imorgan at nas.nasa.gov (Iain Morgan) Date: Thu, 18 Mar 2010 17:47:35 -0700 Subject: Question about host certificates In-Reply-To: References: <20100318221731.GA16369@linux55.nas.nasa.gov> <20100318234955.GE16367@linux55.nas.nasa.gov> Message-ID: <20100319004735.GG16367@linux55.nas.nasa.gov> On Thu, Mar 18, 2010 at 19:16:11 -0500, Damien Miller wrote: > On Thu, 18 Mar 2010, Iain Morgan wrote: > > > Right. Of the two alternatives you mention, I would prefer the CIDR > > approach. > > > > On a related topic, I notice that when key_cert_check_authority() is > > called from sshconnect.c the principal is not checked. Shouldn't the list > > of principals for a host cert be the various names (qualified and, > > perhaps, unqualified) by which the host is known and shouldn't that list > > be checked to confirm that the cert belongs to the right host? > > I'm pretty sure it passes the hostname: > > 572 check_host_cert(const char *host, const Key *host_key) > 573 { > 574 const char *reason; > 575 > 576 if (key_cert_check_authority(host_key, 1, 0, host, &reason) != 0) { > 577 error("%s", reason); > 578 return 0; > 579 } > > and > > 730 if (want_cert && !check_host_cert(hostname, host_key)) > 731 goto fail; > > The 3rd argument to key_cert_check_authority() doesn't _require_ that there > be a principal (host) name in the cert, so if a CA wants to issue wildcard > certs then it can. > > -d My mistake. I was focusing on the fact that require_principal is not set. But you are correct that the hostname is passed and would be checked against the list of principals, if any. And I see now why we are not requiring a principal. That 'wildcarding' could be useful in a cluster environment. Thanks -- Iain Morgan From kai_yang2008 at 163.com Fri Mar 19 19:18:39 2010
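The matching discussed in this thread, as an added example in C that is my own and not OpenSSH's match.c or hostfile.c: a glob matcher in the style of OpenSSH's `*`/`?` host patterns, the comma-separated host list with `!` negation, and, as the hypothetical CIDR extension Damien floats (OpenSSH 5.4 has no such thing), an IPv4 prefix check. It shows why `@cert-authority *.example.domain` cannot match an unqualified name, why `*,*.example.domain` matches every host, and what the `10.0.0.0/8` form would look like. The function names `match_pattern`, `match_host_list` and `match_cidr` are chosen here; the hostnames and addresses are constructed.

```c
/* Added example, not OpenSSH code: how a known_hosts host pattern such as the
 * one after "@cert-authority" is matched against the name given to ssh. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Glob matcher in the style of OpenSSH's match_pattern(): '*' matches any run
 * of characters, dots included, '?' exactly one. Nothing qualifies the name,
 * so "*.example.domain" only matches names that already contain ".example.domain". */
int match_pattern(const char *s, const char *pattern)
{
    for (;;) {
        if (*pattern == '\0')
            return *s == '\0';
        if (*pattern == '*') {
            while (*pattern == '*')
                pattern++;
            if (*pattern == '\0')
                return 1;
            for (; *s != '\0'; s++)
                if (match_pattern(s, pattern))
                    return 1;
            return 0;
        }
        if (*s == '\0')
            return 0;
        if (*pattern != '?' && *pattern != *s)
            return 0;
        s++;
        pattern++;
    }
}

/* Hypothetical CIDR entry (assumption, not in OpenSSH 5.4): "a.b.c.d/len".
 * Returns 1 on a match, 0 on no match or on anything that is not a valid block. */
int match_cidr(const char *addr, const char *cidr)
{
    char buf[32], *slash, *end;
    struct in_addr net, host;
    uint32_t mask;
    long len;
    size_t n = strlen(cidr);

    if (n >= sizeof(buf))
        return 0;
    memcpy(buf, cidr, n + 1);
    if ((slash = strchr(buf, '/')) == NULL)
        return 0;
    *slash = '\0';
    len = strtol(slash + 1, &end, 10);
    if (*end != '\0' || len < 0 || len > 32)
        return 0;
    if (inet_pton(AF_INET, buf, &net) != 1 || inet_pton(AF_INET, addr, &host) != 1)
        return 0;
    mask = len == 0 ? 0 : 0xffffffffU << (32 - len);
    return (ntohl(host.s_addr) & mask) == (ntohl(net.s_addr) & mask);
}

/* Comma-separated host list as in known_hosts; a leading '!' negates an entry.
 * Returns 1 for a positive match, -1 when a negated entry matched (the line must
 * then be ignored), 0 for no match. An entry containing '/' is treated as CIDR. */
int match_host_list(const char *host, const char *list)
{
    char pat[256];
    int got_positive = 0;

    while (*list != '\0') {
        size_t n = strcspn(list, ",");
        const char *p = list;
        size_t plen = n;
        int negated = 0, hit;

        if (plen > 0 && *p == '!') {
            negated = 1;
            p++;
            plen--;
        }
        if (plen >= sizeof(pat))
            return 0;
        memcpy(pat, p, plen);
        pat[plen] = '\0';
        hit = strchr(pat, '/') != NULL ? match_cidr(host, pat)
                                       : match_pattern(host, pat);
        if (hit) {
            if (negated)
                return -1;
            got_positive = 1;
        }
        list += n;
        if (*list == ',')
            list++;
    }
    return got_positive;
}

int main(void)
{
    /* Constructed inputs mirroring the thread. */
    printf("host.example.domain vs *.example.domain: %d\n",
           match_host_list("host.example.domain", "*.example.domain"));
    printf("host vs *.example.domain: %d\n", match_host_list("host", "*.example.domain"));
    printf("evil.other.domain vs *,*.example.domain: %d\n",
           match_host_list("evil.other.domain", "*,*.example.domain"));
    printf("10.2.3.4 vs 10.0.0.0/8: %d\n", match_host_list("10.2.3.4", "10.0.0.0/8"));
    return 0;
}
```

The second call is Iain's symptom (the unqualified name never reaches the `*.example.domain` pattern), and the third is why the `*,` workaround is imprudent: the CA line would then vouch for any host at all, including ones outside the domain. The negation form shows how a single host can still be carved out of a wildcard CA line.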
From: kai_yang2008 at 163.com (kai_yang2008) Date: Fri, 19 Mar 2010 16:18:39 +0800 (CST) Subject: problem of adding a new option of sshd In-Reply-To: <18db38c.12110.12770966c25.Coremail.kai_yang2008@163.com> References: <18db38c.12110.12770966c25.Coremail.kai_yang2008@163.com> Message-ID: <124ecc9.6ac6.1277580ad62.Coremail.kai_yang2008@163.com> Dear all, Here I attached the diff file for you to review: diff file of servconf.h : --- ssh5.3p1/ssh/servconf.h 2009-11-12 10:53:10 +0800 +++ ssh5.3p1_new_version5/ssh/servconf.h 2010-03-19 15:58:52 +0800 @@ -251,6 +251,10 @@ #endif /* HP_HPN_RCVBUF_PATCH */ #endif /* HP_HPN_PATCH */ +#ifdef NEWOPTION + int newoption, +#endif /* NEWOPTION */ + int permit_tun; int num_permitted_opens; diff file of servconf.c: --- ssh5.3p1/ssh/servconf.c 2009-11-12 10:53:10 +0800 +++ ssh5.3p1_new_version5/ssh/servconf.c 2010-03-19 15:58:52 +0800 @@ -156,6 +156,9 @@ options->hpn_rcvbuf_size = -1; #endif /* HP_HPN_RCVBUF_PATCH */ #endif /* HP_HPN_PATCH */ +#ifdef NEWOPTION + options->newoption = -1; +#endif /* NEWOPTION */ @@ -338,6 +341,10 @@ options->permit_tun = SSH_TUNMODE_NO; if (options->zero_knowledge_password_authentication == -1) options->zero_knowledge_password_authentication = 0; +#ifdef NEWOPTION + if (options->newoption == -1) + options->newoption = 0; +#endif /* NEWOPTION */ #ifdef HP_HPN_PATCH if (options->hpn_disabled == -1) @@ -483,6 +490,9 @@ sTcpRcvBuf, #endif /* HP_HPN_RCVBUF_PATCH */ #endif /* HP_HPN_PATCH */ +#ifdef NEWOPTION + sNewOption, +#endif /* NEWOPTION */ +#ifdef NEWOPTION + { "newoption", sNewOption}, +#endif /* NEWOPTION */ 
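Review bot: in the servconf.h hunk the new member is declared with a trailing comma, `int newoption,`, immediately followed by `int permit_tun;`, which is not a valid struct member declaration once NEWOPTION is defined; it should read `int newoption;`. Separately, the enum entry `sNewOption` and the keyword-table entry `{ "newoption", sNewOption}` are shown under the single `@@ -483,6 +490,9 @@` header although they belong to different places in servconf.c, so please regenerate the diff with `diff -u` from a clean tree so that the table entry carries its own header and context lines.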
@@ -1155,6 +1168,12 @@ #endif /* HP_HPN_PATCH */ +#ifdef NEWOPTION + case sNewOption: + intptr = &options->newoption; + goto parse_int; +#endif /* NEWOPTION */ + case sIgnoreUserKnownHosts: intptr = &options->ignore_user_known_hosts; goto parse_flag; So could anybody give some advice? Please cc me. Thanks! Kevin, kai_yang2008 at 163.com On 2010-03-18 17:24:18, kai_yang2008 wrote: Dear all, I want to add a new option "newoption" to the sshd server. I have just added some code in servconf.h and servconf.c like the other options. But it seems that the "newoption" cannot be enabled when I set "newoption" to "yes" in the sshd_config file. I have added a debug message in the main function of sshd.c: .... debug("main sshd %d",options->newoption); ... debug1: main sshd 0 From the debug message, it seems that "newoption" is not enabled. So could anyone give me some advice about it? Kevin, kai_yang2008 at 163.com From gert at greenie.muc.de Fri Mar 19 21:17:31 2010
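The integer-versus-flag mistake in the patch above, as an added example that is neither the poster's code nor OpenSSH's servconf.c: a cut-down keyword dispatcher with the same two parsing paths, the same -1-means-unset convention and the same defaults step, so the effect of wiring `sNewOption` to one path or the other can be seen on a value of `yes`. The option name `newoption` is the poster's; `server_options`, `process_line`, `fill_defaults` and `newoption_after` are names chosen here.

```c
/* Added example, not OpenSSH's servconf.c: a toy dispatcher with the two
 * parsing paths from the patch, showing why "newoption yes" ends up as 0 on
 * the integer path and as 1 on the flag path. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct server_options {
    int newoption;              /* -1 = not set yet, 0 = no, 1 = yes */
};

enum parse_path { PARSE_INT, PARSE_FLAG };

/* Process one "keyword argument" line for the toy option. Returns 0 if the
 * line was accepted and -1 where sshd would call fatal(). As in sshd, the
 * value is stored only while the option is still unset, so the first
 * occurrence of a keyword in the file wins. */
int process_line(struct server_options *o, const char *line,
                 enum parse_path path)
{
    char buf[256];
    char *keyword, *arg;
    size_t n = strlen(line);

    if (n >= sizeof(buf))
        return -1;
    memcpy(buf, line, n + 1);
    keyword = strtok(buf, " \t\n");
    if (keyword == NULL || strcmp(keyword, "newoption") != 0)
        return -1;                          /* "Bad configuration option" */
    arg = strtok(NULL, " \t\n");
    if (arg == NULL)
        return -1;                          /* "missing argument" */

    switch (path) {
    case PARSE_INT:
        /* The integer path converts with atoi(): "yes" is not a number and
         * silently becomes 0, the value seen in the poster's debug output. */
        if (o->newoption == -1)
            o->newoption = atoi(arg);
        return 0;
    case PARSE_FLAG:
        /* The flag path accepts only yes/no and rejects anything else. */
        if (strcmp(arg, "yes") != 0 && strcmp(arg, "no") != 0)
            return -1;                      /* "Bad yes/no argument" */
        if (o->newoption == -1)
            o->newoption = strcmp(arg, "yes") == 0;
        return 0;
    }
    return -1;
}

/* The equivalent of the fill_default_server_options() step: unset becomes no. */
void fill_defaults(struct server_options *o)
{
    if (o->newoption == -1)
        o->newoption = 0;
}

/* Parse one line on the given path and return the effective value after
 * defaults, or -2 if the line was rejected. */
int newoption_after(const char *line, enum parse_path path)
{
    struct server_options o = { -1 };

    if (process_line(&o, line, path) != 0)
        return -2;
    fill_defaults(&o);
    return o.newoption;
}

int main(void)
{
    printf("parse_int  'newoption yes'   -> %d\n", newoption_after("newoption yes", PARSE_INT));
    printf("parse_flag 'newoption yes'   -> %d\n", newoption_after("newoption yes", PARSE_FLAG));
    printf("parse_flag 'newoption maybe' -> %d\n", newoption_after("newoption maybe", PARSE_FLAG));
    return 0;
}
```

The point worth keeping in mind when adding a security-relevant option: on the integer path a misspelt or non-numeric value is not an error, it is a silent 0, which for an enable/disable switch means "off" with no log line to say so. The flag path fails loudly at startup instead.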
From: gert at greenie.muc.de (Gert Doering) Date: Fri, 19 Mar 2010 11:17:31 +0100 Subject: problem of adding a new option of sshd In-Reply-To: <124ecc9.6ac6.1277580ad62.Coremail.kai_yang2008@163.com> References: <18db38c.12110.12770966c25.Coremail.kai_yang2008@163.com> <124ecc9.6ac6.1277580ad62.Coremail.kai_yang2008@163.com> Message-ID: <20100319101731.GM25238@greenie.muc.de> Hi, On Fri, Mar 19, 2010 at 04:18:39PM +0800, kai_yang2008 wrote: [..] > +#ifdef NEWOPTION > + case sNewOption: > + intptr = &options->newoption; > + goto parse_int; > +#endif /* NEWOPTION */ [..] > But it seems that the "newoption" cannot be enabled when I set > "newoption" to "yes" in the sshd_config file. You have told the code that you want an *integer*. "yes" is not an integer. To parse yes/no, use "goto parse_flag". gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From eitanadlerlist at gmail.com Sun Mar 21 08:41:42 2010 From: eitanadlerlist at gmail.com (Eitan Adler) Date: Sat, 20 Mar 2010 23:41:42 +0200 Subject: specific Host not overriding global Host Message-ID: My config file contains Host * VisualHostKey yes Host app VisualHostKey no however when I ssh into app I still see the VisualHostKey. It is my understanding that the more specific host should override the global defaults. When I asked on IRC they told me to report the issue to this mailing list. I know my version of OpenSSH is old, but I checked bugzilla and did not see any bug reports about this. OpenSSH_5.2p1 FreeBSD-20090522, OpenSSL 0.9.8k 25 Mar 2009 From mouring at eviladmin.org Sun Mar 21 08:43:37 2010
From: mouring at eviladmin.org (Ben Lindstrom) Date: Sat, 20 Mar 2010 16:43:37 -0500 Subject: specific Host not overriding global Host In-Reply-To: References: Message-ID: <766BB7F8-9E82-478E-B2A9-4FBA009EE896@eviladmin.org> It is a first-match system. Put all your specialized Host entries BEFORE this one. - Ben On Mar 20, 2010, at 4:41 PM, Eitan Adler wrote: > My config file contains > > Host * > VisualHostKey yes > Host app > VisualHostKey no > > however when I ssh into app I still see the VisualHostKey. > > It is my understanding that the more specific host should override the > global defaults. When I asked on IRC they told me to report the issue > to this mailing list. > > I know my version of OpenSSH is old, but I checked bugzilla and did > not see any bug reports about this. > OpenSSH_5.2p1 FreeBSD-20090522, OpenSSL 0.9.8k 25 Mar 2009 > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev From eitanadlerlist at gmail.com Sun Mar 21 08:45:07 2010
From: eitanadlerlist at gmail.com (Eitan Adler) Date: Sat, 20 Mar 2010 23:45:07 +0200 Subject: specific Host not overriding global Host In-Reply-To: <766BB7F8-9E82-478E-B2A9-4FBA009EE896@eviladmin.org> References: <766BB7F8-9E82-478E-B2A9-4FBA009EE896@eviladmin.org> Message-ID: I just inverted the config file - but I still see the VisualHostKey On Sat, Mar 20, 2010 at 11:43 PM, Ben Lindstrom wrote: > > It is a first-match system. Put all your specialized Host entries BEFORE this one. > > - Ben > > On Mar 20, 2010, at 4:41 PM, Eitan Adler wrote: > >> My config file contains >> >> Host * >> VisualHostKey yes >> Host app >> VisualHostKey no >> >> however when I ssh into app I still see the VisualHostKey. >> >> It is my understanding that the more specific host should override the >> global defaults. When I asked on IRC they told me to report the issue >> to this mailing list. >> >> I know my version of OpenSSH is old, but I checked bugzilla and did >> not see any bug reports about this. >> OpenSSH_5.2p1 FreeBSD-20090522, OpenSSL 0.9.8k 25 Mar 2009 > > From mouring at eviladmin.org Sun Mar 21 09:45:07 2010
From: mouring at eviladmin.org (Ben Lindstrom) Date: Sat, 20 Mar 2010 17:45:07 -0500 Subject: specific Host not overriding global Host In-Reply-To: References: <766BB7F8-9E82-478E-B2A9-4FBA009EE896@eviladmin.org> Message-ID: <5D6EA05F-8A2F-4B6C-B7B6-7487EB3DA0F7@eviladmin.org> You're going to have to give us an example of your file and what you're typing then. Mind you the Host command is pretty picky. If you stated: Host foo and you are typing "ssh foo.bar.com" there will be no match. - Ben On Mar 20, 2010, at 4:45 PM, Eitan Adler wrote: > I just inverted the config file - but I still see the VisualHostKey > > On Sat, Mar 20, 2010 at 11:43 PM, Ben Lindstrom wrote: >> >> It is a first-match system. Put all your specialized Host entries BEFORE this one. >> >> - Ben >> >> On Mar 20, 2010, at 4:41 PM, Eitan Adler wrote: >> >>> My config file contains >>> >>> Host * >>> VisualHostKey yes >>> Host app >>> VisualHostKey no >>> >>> however when I ssh into app I still see the VisualHostKey. >>> >>> It is my understanding that the more specific host should override the >>> global defaults. When I asked on IRC they told me to report the issue >>> to this mailing list. >>> >>> I know my version of OpenSSH is old, but I checked bugzilla and did >>> not see any bug reports about this. >>> OpenSSH_5.2p1 FreeBSD-20090522, OpenSSL 0.9.8k 25 Mar 2009 >> >> From eitanadlerlist at gmail.com Sun Mar 21 19:09:10 2010
From: eitanadlerlist at gmail.com (Eitan Adler) Date: Sun, 21 Mar 2010 10:09:10 +0200 Subject: specific Host not overriding global Host In-Reply-To: <5D6EA05F-8A2F-4B6C-B7B6-7487EB3DA0F7@eviladmin.org> References: <766BB7F8-9E82-478E-B2A9-4FBA009EE896@eviladmin.org> <5D6EA05F-8A2F-4B6C-B7B6-7487EB3DA0F7@eviladmin.org> Message-ID: On Sun, Mar 21, 2010 at 12:45 AM, Ben Lindstrom wrote: > > You're going to have to give us an example of your file and what you're typing then. Mind you the Host command is pretty picky. If you stated: > > Host foo > > and you are typing "ssh foo.bar.com" there will be no match. === config file === Host example.com VisualHostKey no Host * VisualHostKey yes === end config file === command I use to connect: ssh user at example.com And I still see the VisualHostKey From djm at mindrot.org Sun Mar 21 20:28:33 2010 From: djm at mindrot.org (Damien Miller) Date: Sun, 21 Mar 2010 20:28:33 +1100 (EST) Subject: specific Host not overriding global Host In-Reply-To: References: <766BB7F8-9E82-478E-B2A9-4FBA009EE896@eviladmin.org> <5D6EA05F-8A2F-4B6C-B7B6-7487EB3DA0F7@eviladmin.org> Message-ID: On Sun, 21 Mar 2010, Eitan Adler wrote: > On Sun, Mar 21, 2010 at 12:45 AM, Ben Lindstrom wrote: > > > > You're going to have to give us an example of your file and what you're typing then. Mind you the Host command is pretty picky. If you stated: > > > > Host foo > > > > and you are typing "ssh foo.bar.com" there will be no match. > > > === config file === > Host example.com > VisualHostKey no > > Host * > VisualHostKey yes I can't replicate this. Using 5.4 and localhost instead of example.com, "ssh -ouserknownhostsfile=/dev/null localhost" shows no visual hostkey, while "ssh -ouserknownhostsfile=/dev/null 127.0.0.1" does. Nothing else uncommented in /etc/ssh_config. -d From eitanadlerlist at gmail.com Mon Mar 22 01:09:44 2010
From: eitanadlerlist at gmail.com (Eitan Adler) Date: Sun, 21 Mar 2010 16:09:44 +0200 Subject: specific Host not overriding global Host In-Reply-To: References: <766BB7F8-9E82-478E-B2A9-4FBA009EE896@eviladmin.org> <5D6EA05F-8A2F-4B6C-B7B6-7487EB3DA0F7@eviladmin.org> Message-ID: > I can't replicate this. Using 5.4 and localhost instead of example.com, > "ssh -ouserknownhostsfile=/dev/null localhost" shows no visual hostkey, > while "ssh -ouserknownhostsfile=/dev/null 127.0.0.1" does. OK - so I'll assume it's been fixed. (I searched bugzilla but couldn't find any report) Sorry for the noise. From djm at mindrot.org Mon Mar 22 05:46:17 2010 From: djm at mindrot.org (Damien Miller) Date: Mon, 22 Mar 2010 05:46:17 +1100 (EST) Subject: specific Host not overriding global Host In-Reply-To: References: <766BB7F8-9E82-478E-B2A9-4FBA009EE896@eviladmin.org> <5D6EA05F-8A2F-4B6C-B7B6-7487EB3DA0F7@eviladmin.org> Message-ID: On Sun, 21 Mar 2010, Eitan Adler wrote: > > I can't replicate this. Using 5.4 and localhost instead of example.com, > > "ssh -ouserknownhostsfile=/dev/null localhost" shows no visual hostkey, > > while "ssh -ouserknownhostsfile=/dev/null 127.0.0.1" does. > > OK - so I'll assume it's been fixed. (I searched bugzilla but couldn't > find any report) I don't think it was ever broken; that code has hardly changed in a decade. -d From eitanadlerlist at gmail.com Mon Mar 22 06:52:04 2010 From: eitanadlerlist at gmail.com (Eitan Adler) Date: Sun, 21 Mar 2010 21:52:04 +0200 Subject: specific Host not overriding global Host In-Reply-To: References: <766BB7F8-9E82-478E-B2A9-4FBA009EE896@eviladmin.org> <5D6EA05F-8A2F-4B6C-B7B6-7487EB3DA0F7@eviladmin.org> Message-ID: > I don't think it was ever broken; that code has hardly changed in a decade. In that case why does it happen with me (on 5.2p1) but not on 5.4? From djm at mindrot.org Mon Mar 22 07:17:28 2010
From: djm at mindrot.org (Damien Miller) Date: Mon, 22 Mar 2010 07:17:28 +1100 (EST) Subject: specific Host not overriding global Host In-Reply-To: References: <766BB7F8-9E82-478E-B2A9-4FBA009EE896@eviladmin.org> <5D6EA05F-8A2F-4B6C-B7B6-7487EB3DA0F7@eviladmin.org> Message-ID: On Sun, 21 Mar 2010, Eitan Adler wrote: > > I don't think it was ever broken; that code has hardly changed in a decade. > > In that case why does it happen with me (on 5.2p1) but not on 5.4? I have no idea, and you haven't posted enough details of either your config, what you are trying to do or the debug output of ssh to determine what is going on. -d From mohanni at onid.orst.edu Mon Mar 22 13:06:30 2010 From: mohanni at onid.orst.edu (Nitin Mohan) Date: Sun, 21 Mar 2010 19:06:30 -0700 Subject: Help required for Research Message-ID: <20100321190630.19281a2xvuvbbzq8@webmail.oregonstate.edu> Hi, I am a graduate student at Oregon State University pursuing my Masters degree in Computer Science. I am interested in conducting research on the bug reports in many open source projects. I would like to study how the projects manage their bug reports and identify how Bugzilla and similar bug repository systems could be improved to facilitate this process. I have a bunch of Perl scripts which parse the XML format of bug reports from the Bugzilla repository. In order to do this research, I need access to your bug repository. Instead of downloading your bug reports through Bugzilla or your web interface, I was hoping you might instead send me the bug files (in XML format) in a zip file if you have access to these. This will reduce the load on your servers, and save me a great deal of work. You could use this email address for sending the zipped bug files. Your help is greatly appreciated. Thanks. Sincerely, Nitin From djm at mindrot.org Tue Mar 23 03:40:41 2010
From: djm at mindrot.org (Damien Miller) Date: Tue, 23 Mar 2010 03:40:41 +1100 (EST) Subject: Help required for Research In-Reply-To: <20100321190630.19281a2xvuvbbzq8@webmail.oregonstate.edu> References: <20100321190630.19281a2xvuvbbzq8@webmail.oregonstate.edu> Message-ID: On Sun, 21 Mar 2010, Nitin Mohan wrote: > Hi, > > I am a graduate student at Oregon State University pursuing my Masters > degree in Computer Science. I am interested in conducting research on > the bug reports in many open source projects. I would like to study how > the projects manage their bug reports and identifying how Bugzilla and > similar bug repository systems could be improved to facilitate this > process. I have a bunch of Perl scripts which parses the XML format of > bug reports from the Bugzilla repository. In order to do this research, > I need access to your bug repository. Instead of downloading your bug > reports through Bugzilla or your web interface, I was hoping you might > instead send me the bug files (in XML format) in a zip file instead if > you have access to these. This will reduce the load on your servers, and > save me a great deal of work. You could use this email address for > sending the zipped bug files. Your help is greatly appreciated. Do you have some instructions on how to generate these extracts? -d From mohanni at onid.orst.edu Tue Mar 23 06:20:44 2010 
From: mohanni at onid.orst.edu (Nitin Mohan) Date: Mon, 22 Mar 2010 12:20:44 -0700 Subject: Help required for Research In-Reply-To: References: <20100321190630.19281a2xvuvbbzq8@webmail.oregonstate.edu> Message-ID: <20100322122044.21217fh3ync3pa80@webmail.oregonstate.edu> Quoting Damien Miller : > On Sun, 21 Mar 2010, Nitin Mohan wrote: > >> In order to do this research, >> I need access to your bug repository. Instead of downloading your bug >> reports through Bugzilla or your web interface, I was hoping you might >> instead send me the bug files (in XML format) in a zip file instead if >> you have access to these. This will reduce the load on your servers, and >> save me a great deal of work. You could use this email address for >> sending the zipped bug files. Your help is greatly appreciated. > > Do you have some instructions on how to generate these extracts? > As far as I know, Bugzilla has a link at the bottom of every bug description which gives us an option to convert that bug desc page into XML. So, going through every bug in the Bugzilla repository and then converting them into XML should do the job, but it's too laborious. That's why I wanted to ask for your suggestion whether some other way exists to retrieve the bugs as XML. Thanks for your reply. Nitin From keisial at gmail.com Tue Mar 23 07:32:08 2010
From: keisial at gmail.com (Keisial) Date: Mon, 22 Mar 2010 21:32:08 +0100 Subject: Help required for Research In-Reply-To: <20100322122044.21217fh3ync3pa80@webmail.oregonstate.edu> References: <20100321190630.19281a2xvuvbbzq8@webmail.oregonstate.edu> <20100322122044.21217fh3ync3pa80@webmail.oregonstate.edu> Message-ID: <4BA7D3C8.3020107@gmail.com> Nitin Mohan wrote: > As far as I know, Bugzilla has a link at the bottom of every bug > description which gives us an option to convert that bug desc page > into a XML. So, going through every bug in the Bugzilla repository and > then convert them into XML should do the job, but its too laborious. > Thats why I wanted to ask for your suggestion whether some other way > exists to retrieve the bugs as XML. > > Thanks for your reply. > > Nitin Laborious? for n in `seq 1 100`; do wget "https://bugzilla.mindrot.org/show_bug.cgi?ctype=xml&id=$n" -O bug_$n.xml done Replace 100 with the number of bugs to parse, bugzilla.mindrot.org with the bugzilla you want to crawl. You can speed it up reusing the same connection: (for n in `seq 1 100`; do echo "https://bugzilla.mindrot.org/show_bug.cgi?ctype=xml&id=$n" done) | wget -i - -O bugs.xml (that generates a concatenation of xmls, may work for your scripts or may need some preprocessing) From mohanni at onid.orst.edu Tue Mar 23 07:41:26 2010 
From: mohanni at onid.orst.edu (Nitin Mohan) Date: Mon, 22 Mar 2010 13:41:26 -0700 Subject: Help required for Research In-Reply-To: <4BA7D3C8.3020107@gmail.com> References: <20100321190630.19281a2xvuvbbzq8@webmail.oregonstate.edu> <20100322122044.21217fh3ync3pa80@webmail.oregonstate.edu> <4BA7D3C8.3020107@gmail.com> Message-ID: <20100322134126.14258il2z2fj1ywo@webmail.oregonstate.edu> Quoting Keisial : > > Laborious? > > for n in `seq 1 100`; do > wget "https://bugzilla.mindrot.org/show_bug.cgi?ctype=xml&id=$n" -O > bug_$n.xml > done > > Replace 100 with the number of bugs to parse, bugzilla.mindrot.org with > the bugzilla you want to crawl. > > You can speed it up reusing the same connection: > (for n in `seq 1 100`; do > echo "https://bugzilla.mindrot.org/show_bug.cgi?ctype=xml&id=$n" > done) | wget -i - -O bugs.xml > > (that generates a concatenation of xmls, may work for your scripts or > may need some preprocessing) > Wow! That's a great suggestion. Will definitely try that out. Just the kind of suggestion I was looking for. Thanks for the help. Nitin From dan at doxpara.com Tue Mar 23 07:42:38 2010
From: dan at doxpara.com (Dan Kaminsky) Date: Mon, 22 Mar 2010 16:42:38 -0400 Subject: Help required for Research In-Reply-To: <20100322134126.14258il2z2fj1ywo@webmail.oregonstate.edu> References: <20100321190630.19281a2xvuvbbzq8@webmail.oregonstate.edu> <20100322122044.21217fh3ync3pa80@webmail.oregonstate.edu> <4BA7D3C8.3020107@gmail.com> <20100322134126.14258il2z2fj1ywo@webmail.oregonstate.edu> Message-ID: On Mon, Mar 22, 2010 at 4:41 PM, Nitin Mohan wrote: > Quoting Keisial : > > >> Laborious? >> >> for n in `seq 1 100`; do >> wget "https://bugzilla.mindrot.org/show_bug.cgi?ctype=xml&id=$n" -O >> bug_$n.xml >> done >> >> Replace 100 with the number of bugs to parse, bugzilla.mindrot.org with >> the bugzilla you want to crawl. >> >> You can speed it up reusing the same connection: >> (for n in `seq 1 100`; do >> echo "https://bugzilla.mindrot.org/show_bug.cgi?ctype=xml&id=$n" >> done) | wget -i - -O bugs.xml >> >> (that generates a concatenation of xmls, may work for your scripts or >> may need some preprocessing) >> >> > Wow! Thats a great suggestion. Will definitely try that out. Just the kind > of suggestion I was looking for. > > Thanks for the help. Well, I wouldn't let that go too fast, might kill the server :) From eitanadlerlist at gmail.com Tue Mar 23 07:03:22 2010 
From: eitanadlerlist at gmail.com (Eitan Adler) Date: Mon, 22 Mar 2010 22:03:22 +0200 Subject: specific Host not overriding global Host In-Reply-To: References: <766BB7F8-9E82-478E-B2A9-4FBA009EE896@eviladmin.org> <5D6EA05F-8A2F-4B6C-B7B6-7487EB3DA0F7@eviladmin.org> Message-ID: > I have no idea, and you haven't posted enough details of either your config, > what you are trying to do or the debug output of ssh to determine what is > going on. I posted my entire config file (with the names changed) ssh example.com Host key fingerprint is AA:7f:AA:2c:AA:86:AA:95:AA:4d:AA:f9:AA:ac:AA:96 +--[ RSA 2048]----+ | A.| | A+| | A.*| | . A AA| | A .A A A A| | . + = | | o =| | + | | | +-----------------+ From mohanni at onid.orst.edu Tue Mar 23 09:54:24 2010 From: mohanni at onid.orst.edu (Nitin Mohan) Date: Mon, 22 Mar 2010 15:54:24 -0700 Subject: Help required for Research In-Reply-To: <20100322222650.GA19435@merit.edu> References: <20100321190630.19281a2xvuvbbzq8@webmail.oregonstate.edu> <20100322122044.21217fh3ync3pa80@webmail.oregonstate.edu> <4BA7D3C8.3020107@gmail.com> <20100322134126.14258il2z2fj1ywo@webmail.oregonstate.edu> <20100322222650.GA19435@merit.edu> Message-ID: <20100322155424.114952l29qwz9xj4@webmail.oregonstate.edu> Quoting Jim Rees : > Dan Kaminsky wrote: > > Well, I wouldn't let that go too fast, might kill the server :) > > Add "-w 60" to the wget options and let it run overnight. Hi, Thanks a lot to both of you. Very nice suggestions which worked like a gem... I felt so stupid about myself after finding such an easy solution to the problem. You guys have been a big help to me... Thanks. Nitin From rees at umich.edu Tue Mar 23 09:26:50 2010
From: rees at umich.edu (Jim Rees) Date: Mon, 22 Mar 2010 18:26:50 -0400 Subject: Help required for Research In-Reply-To: References: <20100321190630.19281a2xvuvbbzq8@webmail.oregonstate.edu> <20100322122044.21217fh3ync3pa80@webmail.oregonstate.edu> <4BA7D3C8.3020107@gmail.com> <20100322134126.14258il2z2fj1ywo@webmail.oregonstate.edu> Message-ID: <20100322222650.GA19435@merit.edu> Dan Kaminsky wrote: Well, I wouldn't let that go too fast, might kill the server :) Add "-w 60" to the wget options and let it run overnight. From bob at proulx.com Tue Mar 23 14:52:21 2010 From: bob at proulx.com (Bob Proulx) Date: Mon, 22 Mar 2010 21:52:21 -0600 Subject: specific Host not overriding global Host In-Reply-To: References: <766BB7F8-9E82-478E-B2A9-4FBA009EE896@eviladmin.org> <5D6EA05F-8A2F-4B6C-B7B6-7487EB3DA0F7@eviladmin.org> Message-ID: <20100323035221.GB28730@dementia.proulx.com> Eitan Adler wrote: > Damien Miller wrote: > > I don't think it was ever broken; that code has hardly changed in a decade. > > In that case why does it happen with me (on 5.2p1) but not on 5.4? Just fyi but I just tested this on 5.1p1 and it works okay there. The more specific first match overrode the more general match later in the file. It seems strange that your version would behave so differently from other versions of ssh. In other words, this is hard to believe actually being a code problem in ssh. You posted the contents of your personal ssh config file in your $HOME/.ssh/config. What do you have in your /etc/ssh/ssh_config file? Although that should be lower priority. Do you have any aliases or script wrappers that might be overriding your options? If you invoke ssh with -v it should say what configuration files it is reading. Maybe that will turn up something interesting. Bob From vinschen at redhat.com Wed Mar 24 03:03:47 2010
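The first-match behaviour Ben and Bob describe, as an added example in C that is neither Eitan's configuration nor OpenSSH's readconf.c: a toy reader that applies `Host` blocks in file order and stores `VisualHostKey` only while it is still unset, which is exactly what makes the first matching block win and a later `Host *` unable to override an earlier specific block (or vice versa). Only `*` and exact names are matched, so `Host foo` does not match `foo.bar.com`, as Ben notes; real ssh_config patterns are richer. `visual_host_key_for` and `host_matches` are names chosen here, and the config texts are constructed.

```c
/* Added example, not OpenSSH's readconf.c: a toy ssh_config reader that
 * applies Host blocks in file order with first-match-wins semantics. */
#include <stdio.h>
#include <string.h>

/* Toy matcher: "*" or an exact name. Real ssh_config patterns also take '?',
 * '*' inside a name and '!' negation; exactness is the point here. */
int host_matches(const char *pattern, const char *host)
{
    return strcmp(pattern, "*") == 0 || strcmp(pattern, host) == 0;
}

/* Walk the config text once. A Host line decides whether the option lines
 * that follow are active for this host; an active option line stores its
 * value only while the option is still unset (-1), so the first matching
 * block wins and later blocks cannot override it. Returns the effective
 * VisualHostKey (1 = yes, 0 = no, unset defaults to no), or -2 if the text
 * does not fit the buffer. */
int visual_host_key_for(const char *config, const char *host)
{
    char buf[1024];
    char *line;
    int active = 1;             /* options before any Host line apply to all hosts */
    int value = -1;             /* -1 = unset, the convention OpenSSH uses */
    size_t n = strlen(config);

    if (n >= sizeof(buf))
        return -2;
    memcpy(buf, config, n + 1);
    for (line = strtok(buf, "\n"); line != NULL; line = strtok(NULL, "\n")) {
        char *kw = line + strspn(line, " \t");
        size_t kl = strcspn(kw, " \t=");
        char *arg;

        if (*kw == '\0' || *kw == '#')
            continue;
        arg = kw + kl;
        arg += strspn(arg, " \t=");
        arg[strcspn(arg, " \t\r")] = '\0';
        if (kl == 4 && strncmp(kw, "Host", 4) == 0)
            active = host_matches(arg, host);
        else if (kl == 13 && strncmp(kw, "VisualHostKey", 13) == 0 &&
                 active && value == -1)
            value = strcmp(arg, "yes") == 0;
    }
    return value == -1 ? 0 : value;
}

int main(void)
{
    /* Constructed configs: the poster's first layout, then the inverted one. */
    const char *global_first =
        "Host *\n    VisualHostKey yes\nHost app\n    VisualHostKey no\n";
    const char *specific_first =
        "Host app\n    VisualHostKey no\nHost *\n    VisualHostKey yes\n";

    printf("global first,   app:             %d\n", visual_host_key_for(global_first, "app"));
    printf("specific first, app:             %d\n", visual_host_key_for(specific_first, "app"));
    printf("specific first, app.example.com: %d\n",
           visual_host_key_for(specific_first, "app.example.com"));
    return 0;
}
```

The same unset-until-set rule is what orders the files Bob asks about: ssh reads command-line options first, then ~/.ssh/config, then /etc/ssh/ssh_config, so whichever of them sets an option first keeps it.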
From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 23 Mar 2010 17:03:47 +0100 Subject: [PATCH] Cygwin: ssh-host-config script broken on casesensitive systems (was Re: openssh-5.5p1) In-Reply-To: References: Message-ID: <20100323160347.GN32321@calimero.vinschen.de> Hi Damien, On Mar 17 06:04, Damien Miller wrote: > Hi, > > We will probably do an openssh-5.5p1 release soon, mainly for the > sshd_config:AuthorizedKeysFile bug, but containing a few other small > patches too. If you have any portability fixes that need to go in then > please send them through at once. I hope I'm not too late. I just stumbled over a problem with the Cygwin-specific ssh-host-config script. The script uses the Windows pathname to the directory holding the (/etc/)services file in a case-insensitive manner. However, the latest Cygwin allows the use of case-sensitive paths, and on systems supporting it (depends on a registry key) the default mount mode is case-sensitive. Unfortunately this breaks the script! So, it would be really nice if the below patch could still go into OpenSSH 5.5p1. It mounts the Windows directory containing the services file explicitly case-insensitive. This allows tweaking the Windows services file reliably, which *still* does not contain the "ssh 22/tcp" entry, even in the latest Windows 7 :( Thanks, Corinna Index: contrib/cygwin/ssh-host-config =================================================================== RCS file: /cvs/openssh/contrib/cygwin/ssh-host-config,v retrieving revision 1.28 diff -u -p -r1.28 ssh-host-config --- contrib/cygwin/ssh-host-config 12 Jul 2009 11:58:42 -0000 1.28 +++ contrib/cygwin/ssh-host-config 23 Mar 2010 16:02:26 -0000 
@@ -90,7 +90,7 @@ update_services_file() { fi _serv_tmp="${_my_etcdir}/srv.out.$$" - mount -o text -f "${_win_etcdir}" "${_my_etcdir}" + mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" # Depends on the above mount _wservices=`cygpath -w "${_services}"` -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From imorgan at nas.nasa.gov Wed Mar 24 07:56:51 2010 From: imorgan at nas.nasa.gov (Iain Morgan) Date: Tue, 23 Mar 2010 13:56:51 -0700 Subject: openssh-5.5p1 In-Reply-To: References: Message-ID: <20100323205651.GA1314@linux55.nas.nasa.gov> On Tue, Mar 16, 2010 at 14:04:26 -0500, Damien Miller wrote: > Hi, > > We will probably do an openssh-5.5p1 release soon, mainly for the > sshd_config:AuthorizedKeysFile bug, but containing a few other small > patches too. If you have any portability fixes that need to go in then > please send them through at once. > > -d > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev Hi Damien, One minor issue that I just spotted with the -L option with ssh-keygen is that it can yield a misleading error message if the cert is not readable due to filesystem permissions. $ ls -l /etc/ssh/ssh_host_rsa_key-cert.pub -rw------- 1 root root 1151 Mar 23 13:36 /etc/ssh/ssh_host_rsa_key-cert.pub $ ssh-keygen -Lf /etc/ssh/ssh_host_rsa_key-cert.pub /etc/ssh/ssh_host_rsa_key-cert.pub is not a public key $ (This was with the 5.4p1 release, but I assume it also holds for recent snapshots.) -- Iain Morgan From philipp at employees.org Wed Mar 24 11:17:42 2010 
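Review bot: the hunk in update_services_file() adds two mount options without saying in the script why they are needed. The covering mail justifies `posix=0` (force a case-insensitive view of the Windows directory so the services file is found even when the default mount mode is case-sensitive) but gives no reason for `noacl`, which changes how Cygwin handles permissions on that mount and is unrelated to case handling; if it is there so that the rewritten services file keeps the directory's Windows permissions rather than Cygwin-generated ones, say so, otherwise drop it. The only nearby comment, `# Depends on the above mount`, explains the cygpath line, not the options, so add a line such as `# Case-insensitive (posix=0) view of the Windows etc dir, needed on case-sensitive systems` directly above `mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"`.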
From: philipp at employees.org (Philip A. Prindeville) Date: Tue, 23 Mar 2010 18:17:42 -0600 Subject: QoS marking for Openssh In-Reply-To: References: <4B931780.9010200@employees.org> <4B96EB48.3030204@employees.org> <4B96F506.7060106@employees.org> Message-ID: <4BA95A26.1070803@employees.org> On 03/09/2010 06:35 PM, Damien Miller wrote: > On Tue, 9 Mar 2010, Philip A. Prindeville wrote: > > >> Well, I'll attach a fix when it's working a bit better. >> >> For now, there's no way to get code in packet.c to see the "options", >> and indeed packet.c is shared by sshd, ssh, and ssh-keyscan amongst >> other objects... >> >> So how do I get the values in "ServerOptions options" or "Options >> options" to be visible to packet.c cleanly? >> > perhaps make the desired QoS a second argument to packet_set_interactive() > > -d > Fixed. Opened a bug and submitted a patch. Can I please get an up/down code review? Thanks. https://bugzilla.mindrot.org/show_bug.cgi?id=1733 From philipp_subx at redfish-solutions.com Thu Mar 25 05:45:39 2010 From: philipp_subx at redfish-solutions.com (Philip A. Prindeville) Date: Wed, 24 Mar 2010 12:45:39 -0600 Subject: QoS marking for Openssh In-Reply-To: References: <4B931780.9010200@employees.org> <4B96EB48.3030204@employees.org> <4B96F506.7060106@employees.org> Message-ID: <4BAA5DD3.6020004@redfish-solutions.com> Anyone want to code review: https://bugzilla.mindrot.org/show_bug.cgi?id=1733 There's a patch attached. We're currently using it on astlinux. Thanks. From djm at mindrot.org Fri Mar 26 08:53:45 2010 
From: djm at mindrot.org (Damien Miller) Date: Fri, 26 Mar 2010 08:53:45 +1100 (EST) Subject: openssh-5.5p1 In-Reply-To: <20100323205651.GA1314@linux55.nas.nasa.gov> References: <20100323205651.GA1314@linux55.nas.nasa.gov> Message-ID: On Tue, 23 Mar 2010, Iain Morgan wrote: > Hi Damien, > > One minor issue that I just spotted with the -L option with ssh-keygen > is that it can yield a misleading error message if the cert is not > readable due to filesystem permissions. > > $ ls -l /etc/ssh/ssh_host_rsa_key-cert.pub > -rw------- 1 root root 1151 Mar 23 13:36 > /etc/ssh/ssh_host_rsa_key-cert.pub > $ ssh-keygen -Lf /etc/ssh/ssh_host_rsa_key-cert.pub > /etc/ssh/ssh_host_rsa_key-cert.pub is not a public key > > (This was with the 5.4p1 release, but I assume it also holds for recent > snapshots.) I think that is a more general problem for public key loading in ssh-keygen. Please file a bug and I will factor all of the offending cases out and fix them in one go after 5.5p1. -d From imorgan at nas.nasa.gov Fri Mar 26 09:23:16 2010 
From: imorgan at nas.nasa.gov (Iain Morgan) Date: Thu, 25 Mar 2010 15:23:16 -0700 Subject: openssh-5.5p1 In-Reply-To: References: <20100323205651.GA1314@linux55.nas.nasa.gov> Message-ID: <20100325222316.GU1313@linux55.nas.nasa.gov> On Thu, Mar 25, 2010 at 16:53:45 -0500, Damien Miller wrote: > On Tue, 23 Mar 2010, Iain Morgan wrote: > > > Hi Damien, > > > > One minor issue that I just spotted with the -L option with ssh-keygen > > is that it can yield a misleading error message if the cert is not > > readable due to filesystem permissions. > > > > $ ls -l /etc/ssh/ssh_host_rsa_key-cert.pub > > -rw------- 1 root root 1151 Mar 23 13:36 > > /etc/ssh/ssh_host_rsa_key-cert.pub > > $ ssh-keygen -Lf /etc/ssh/ssh_host_rsa_key-cert.pub > > /etc/ssh/ssh_host_rsa_key-cert.pub is not a public key > > > > (This was with the 5.4p1 release, but I assume it also holds for recent > > snapshots.) > > I think that is a more general problem for public key loading in > ssh-keygen. Please file a bug and I will factor all of the offending cases > out and fix them in one go after 5.5p1. > > -d Sounds good. It looks like Jan Chadima filed a similar bug, though due to a different cause. I can either add this to that existing bug or file a new one, which would be easier for you? -- Iain Morgan From vinschen at redhat.com Fri Mar 26 20:47:53 2010 
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 26 Mar 2010 10:47:53 +0100 Subject: Potential problem in derelativise_path Message-ID: <20100326094753.GT7718@calimero.vinschen.de> Hi, I just saw the latest patches to the portable OpenSSH repository and stumbled over this one: [servconf.c] from portable: getcwd(NULL, 0) doesn't work on all platforms, so use a stack buffer; The stack buffer has a size of MAXPATHLEN. However, on many systems the absolute path can exceed MAXPATHLEN, for instance on Linux or Cygwin. In that case, the derelativise_path function will fail with a fatal error. So on these systems it would be better if the function would stick to getcwd(NULL, 0). Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat From scottmc2 at gmail.com Sat Mar 27 07:26:18 2010 
From: scottmc2 at gmail.com (scott mc) Date: Fri, 26 Mar 2010 13:26:18 -0700 Subject: openssh directories on Haiku Message-ID: First off, I'd like to say thanks for applying the patch we recently submitted on the bug tracker to allow openssh to build on Haiku. In our current port of openssh for Haiku it's creating a directory ~/.ssh, we'd like to have this moved to ~/config/settings/ssh (without a dot in front of ssh). Haiku (and BeOS before that) has a function available to determine the location of a directory, called find_directory(). Under Haiku it is considered rude, when programs dump their configuration (or cache) files/directories directly in the the user's home directory. There's a dedicated subdirectory (~/config/settings) for that purpose, which for future compatibility reasons should be looked up at run-time via find_directory(B_USER_SETTINGS_DIRECTORY). http://www.haiku-os.org/legacy-docs/bebook/BDirectory.html#find_directory I haven't looked at the openssh source code long enough to have located where this change would need to be made, perhaps someone could point me in the right direction? -Scott McCreary HaikuPorts From markus.r.friedl at arcor.de Sat Mar 27 09:36:37 2010 
From: markus.r.friedl at arcor.de (Markus Friedl) Date: Fri, 26 Mar 2010 23:36:37 +0100 Subject: openssh directories on Haiku In-Reply-To: References: Message-ID: <20100326223637.GA16569@folly> pathnames.h On Fri, Mar 26, 2010 at 01:26:18PM -0700, scott mc wrote: > First off, I'd like to say thanks for applying the patch we recently > submitted on the bug tracker to allow openssh to build on Haiku. > > In our current port of openssh for Haiku it's creating a directory > ~/.ssh, we'd like to have this moved to ~/config/settings/ssh (without > a dot in front of ssh). Haiku (and BeOS before that) has a function > available to determine the location of a directory, called > find_directory(). Under Haiku it is considered rude, when programs > dump their configuration (or cache) files/directories directly in the > the user's home directory. There's a dedicated subdirectory > (~/config/settings) for that purpose, which for future compatibility > reasons should be looked up at run-time via > find_directory(B_USER_SETTINGS_DIRECTORY). > http://www.haiku-os.org/legacy-docs/bebook/BDirectory.html#find_directory > > I haven't looked at the openssh source code long enough to have > located where this change would need to be made, perhaps someone could > point me in the right direction? > > -Scott McCreary > HaikuPorts > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev From staylo10 at staffmail.ed.ac.uk Wed Mar 31 20:48:58 2010 
From: staylo10 at staffmail.ed.ac.uk (Stuart Taylor) Date: Wed, 31 Mar 2010 10:48:58 +0100 Subject: Sending PATH using SendEnv Message-ID: <26E10875-54FA-41D4-9230-1B3364D2FAAB@staffmail.ed.ac.uk> Hi I thought this was something that might concern the developers so I thought I'd post here. Apologies in advance if that's not the case. I'm setting up a CentOS cluster with OpenSSH_4.3p2 which uses ssh to launch processes on the remote nodes. I'm trying to use the SendEnv/AcceptEnv functionality to send the PATH environment variable from the headnode when users are launching jobs on remote nodes, since everything is cross-mounted and therefore in the same place. However, for some reason it's being overwritten on the remote nodes with some kind of default value, which I assume is compiled into the shell. Using verbose output I can see the client sending the vars, and if I create some test vars on the client and add them to the SendEnv/AcceptEnv statements in ssh_config/sshd_config, they are preserved in the remote environment, but PATH is not, and defaults to /usr/local/bin:/bin:/usr/bin, which is not very useful in this case. This occurs whether it's a login/non-login, interactive or non-interactive shell. At first I thought it might be an issue with PAM since I'm using LDAP to authenticate users, but it occurs with the root account also, which is obviously local. Can anyone shed any light on this? Many thanks Stuart Stuart Taylor School of Biological Sciences The University of Edinburgh Swann Building 3-34 Mayfield Road Edinburgh EH9 3JR -- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336. From headset001 at yahoo.com Tue Mar 30 01:23:35 2010 
From: headset001 at yahoo.com (Doru Georgescu) Date: Mon, 29 Mar 2010 07:23:35 -0700 (PDT) Subject: please decrypt your manuals Message-ID: <234751.12182.qm@web52308.mail.re2.yahoo.com>

I. Most of the ssh manual and all of the sshd manual present server and client as one machine, called host. All files mentioned are placed on one machine. This is incorrect, and makes the explanation unclear. For example, man sshd SSH_KNOWN_HOSTS FILE FORMAT suggests to copy keys from /etc/ssh/ssh_host_key.pub into /etc/ssh/ssh_known_hosts, as if those files are on the same machine.

II. A general presentation of ssh workings is missing, and makes the decryption of those manuals even more difficult. I suppose, but I am not sure, that:

both encrypt their messages with the encryption keys in:
    /etc/ssh/ssh_host_[rd]sa_key
    /etc/ssh/ssh_host_[rd]sa_key.pub

both can memorize known hosts' public encryption keys in /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts

only the server is protected through authentication. This happens in two ways:

1. server side:
   a. the client provides an authentication key:
      + public part in //server/~/.ssh/authorized_keys with chmod 700 .ssh; chmod 600 authorized_keys
      + private part in //client/~/.ssh/id_rsa
      the authentication key is created with: ssh-keygen -t rsa
      ll gives:
        -rw------- 1 dave dave 526 Nov 3 01:21 id_rsa
        -rw-r--r-- 1 dave dave 330 Nov 3 01:21 id_rsa.pub
      and can be copied with (just a direct copy from //client/~/.ssh/id_rsa.pub to //server/~/.ssh/authorized_keys, or append to preserve other keys): ssh-copy-id username at host
   b. the client provides its password
2. client side: the client verifies that it has the server's public encryption key:
   a. with a stupid question to the unknowing human at the client's console
   b. verifying the server's public encryption key against the lists of servers' public encryption keys in: //client/etc/ssh/ssh_known_hosts and //client/~/.ssh/known_hosts
      you can copy and paste the key from //server/etc/ssh/ssh_host_rsa_key.pub to //client/~/.ssh/known_hosts, minus username at server at the end, plus username at server at the beginning, with blanks as separators. ssh-keygen -H to hash names.

//server/etc/ssh/ssh_known_hosts and //server/~/.ssh/known_hosts are not used habitually, because other authentication means are preferred.

see mans ssh, sshd, ssh_config, sshd_config

These few lines took me three frustrating days of hard work, instead of two easy hours of learning, and I am still not sure I guessed rightly. I believe that this attitude makes Linux lose market in favour of Windows servers. I hope that the author of the sshd manual will correct his writing. Please verify my "discoveries" above and publish them somewhere.

Less important: I still don't know if the encryption keys can be regenerated, and I am not sure that every line sent from client to server is authenticated, as it should be. Also, I was surprised to see that I cannot limit the number of tries for passwords. That config option is about logging of tries, not limiting them. From christophe.lyon at st.com Wed Mar 31 23:05:52 2010 
From: christophe.lyon at st.com (Christophe LYON) Date: Wed, 31 Mar 2010 14:05:52 +0200 Subject: scp reject remote users with space in username Message-ID: <4BB33AA0.7080009@st.com> Hello, I have noticed that since release 5.x of openssh, the scp command rejects remote user names with white spaces. (We have such user names on Windows hosts) For instance: $ scp myfile "my user"@machine:. used to work with openssh-4.2p1 and fails with 5.2p1 and 5.3p1: my user: invalid user name. I have traced this down to revision 1.129 of scp.c which now calls okname(). OTOH, ssh "my user"@machine works. Is this a bug, or a feature, and if so is there a workaround? Thanks. Christophe.
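The client-side check that Doru Georgescu's message above is trying to reconstruct (the known_hosts lookup, the hashed host names that `ssh-keygen -H` writes, and the fingerprint shown on first connect) is spelled out below as an added, runnable example in Python. It is not code from OpenSSH or from anyone in this thread. The known_hosts lines, the salt and the key are constructed: the key blob has the ssh-rsa wire layout but meaningless toy numbers, so the fingerprints it produces are only there to show the formats. Wildcard host patterns, `[host]:port` entries and certificate (`@cert-authority`) validation are deliberately left out.

```python
"""known_hosts lookup and the host-key decision ssh makes on connect.

Added example, not OpenSSH code.  All sample data below is constructed."""
import base64
import binascii
import hashlib
import hmac
import struct

HASH_MAGIC = "|1|"  # prefix ssh-keygen -H writes in front of a hashed host name


def hash_hostname(host: str, salt: bytes) -> str:
    """Build the |1|salt|hash field for *host* (HMAC-SHA1 keyed with the salt)."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def host_field_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field (plain comma list or hashed) names *host*.

    Only exact, case-insensitive names are compared; wildcards and [host]:port
    are left to the caller (pass the exact string found in the file)."""
    if field.startswith(HASH_MAGIC):
        try:
            _, _, salt_b64, hash_b64 = field.split("|", 3)
            salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
        except (ValueError, binascii.Error):
            return False  # malformed hashed entry never matches
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return any(name.lower() == host.lower() for name in field.split(","))


def find_host_key(known_hosts_text: str, host: str, keytype: str):
    """Return (key_b64, marker) of the first entry for host+keytype, else None.

    marker is '' or '@revoked'; @cert-authority lines are skipped because
    certificate validation is outside this example."""
    for raw in known_hosts_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        marker = ""
        if parts[0].startswith("@"):
            marker, parts = parts[0], parts[1:]
        if marker == "@cert-authority" or len(parts) < 3:
            continue
        host_field, ktype, key_b64 = parts[:3]
        if ktype == keytype and host_field_matches(host_field, host):
            return key_b64, marker
    return None


def verify_server_key(known_hosts_text: str, host: str, keytype: str, presented_b64: str) -> str:
    """'ok', 'unknown' (the first-connect prompt), 'revoked', or 'mismatch' (ssh refuses)."""
    found = find_host_key(known_hosts_text, host, keytype)
    if found is None:
        return "unknown"
    key_b64, marker = found
    if marker == "@revoked":
        return "revoked"
    if not hmac.compare_digest(key_b64.encode(), presented_b64.encode()):
        return "mismatch"  # key changed: possible man-in-the-middle, do not proceed
    return "ok"


def fingerprints(key_b64: str):
    """(SHA256 base64 fingerprint, MD5 colon-hex fingerprint) of a key blob."""
    blob = base64.b64decode(key_b64)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, ":".join(md5[i:i + 2] for i in range(0, 32, 2))


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


# Constructed toy key: ssh-rsa wire layout (name, e, n) with meaningless tiny numbers.
TOY_KEY_B64 = base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00\xc3\x5b\x7d")
).decode()
FIXED_SALT = bytes(range(20))  # constructed; ssh-keygen -H draws 20 random bytes

# Constructed known_hosts, not from any real system.
SAMPLE_KNOWN_HOSTS = f"""
# plain entry listing two names, a hashed entry, and a revoked key
server.example.org,10.0.0.5 ssh-rsa {TOY_KEY_B64} root@server
{hash_hostname('bastion.example.org', FIXED_SALT)} ssh-rsa {TOY_KEY_B64}
@revoked old.example.org ssh-rsa {TOY_KEY_B64}
"""

if __name__ == "__main__":
    print(fingerprints(TOY_KEY_B64))
    for h in ("server.example.org", "bastion.example.org", "old.example.org", "new.example.org"):
        print(h, verify_server_key(SAMPLE_KNOWN_HOSTS, h, "ssh-rsa", TOY_KEY_B64))
```

Hashed entries exist so that a copied known_hosts file does not reveal which hosts its owner connects to; the name can only be checked, not read back. The `mismatch` outcome is the one that matters operationally: it is the case where ssh prints its "REMOTE HOST IDENTIFICATION HAS CHANGED" warning and refuses to continue, and the right response is to confirm the new fingerprint out of band with the server's administrator, not to delete the old line.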