From rbachwan at eden.rutgers.edu Fri Oct 1 15:33:36 2010
From: rbachwan at eden.rutgers.edu (Rekha Bachwani)
Date: Fri, 01 Oct 2010 01:33:36 -0400
Subject: ProxyCommand not working if $SHELL not defined
References: <4AAABF5E.4010207@zip.com.au>
Message-ID: <4CA572B0.7060605@eden.rutgers.edu>

Could somebody please let me know which version the below patch was put in?
Or was this even put in?

thanks,
Rekha

On 9/17/2009 8:28 AM, Damien Miller wrote:
> On Thu, 17 Sep 2009, Antonio Mignolli wrote:
>
>> Maybe the mailing list cuts the attachments.
> Yes, we strip pretty much everything but text/plain to avoid spam and
> malware.
>
>> patch.openssh-5.2p1.SHELLfix:
>>
>> 8<-----------------------------------------------------------------
>> Common subdirectories: openssh-5.2p1/contrib and openssh-5.2p1.new/contrib
>> diff -NupwB openssh-5.2p1/misc.c openssh-5.2p1.new/misc.c
>> --- openssh-5.2p1/misc.c 2009-02-21 22:47:02.000000000 +0100
>> +++ openssh-5.2p1.new/misc.c 2009-09-16 02:21:11.000000000 +0200
>> @@ -849,3 +849,29 @@ ms_to_timeval(struct timeval *tv, int ms
>> tv->tv_usec = (ms % 1000) * 1000;
>> }
>>
>> +/*
>> + * Get shell from env or use default '/bin/sh'
>> + */
>> +char *
>> +get_shell_from_env()
> ...
>
> I think that this is quite overcomplicated. This is probably sufficient.
>
> Index: sftp.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/sftp.c,v
> retrieving revision 1.111
> diff -u -p -r1.111 sftp.c
> --- sftp.c 18 Aug 2009 18:36:21 -0000 1.111
> +++ sftp.c 17 Sep 2009 12:26:04 -0000
> @@ -236,7 +236,7 @@ local_do_shell(const char *args)
> if (!*args)
> args = NULL;
>
> - if ((shell = getenv("SHELL")) == NULL)
> + if ((shell = getenv("SHELL")) == NULL || *shell == '\0')
> shell = _PATH_BSHELL;
>
> if ((pid = fork()) == -1)
> Index: sshconnect.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/sshconnect.c,v
> retrieving revision 1.214
> diff -u -p -r1.214 sshconnect.c
> --- sshconnect.c 28 May 2009 16:50:16 -0000 1.214
> +++ sshconnect.c 17 Sep 2009 12:26:05 -0000
> @@ -76,7 +76,7 @@ ssh_proxy_connect(const char *host, u_sh
> pid_t pid;
> char *shell, strport[NI_MAXSERV];
>
> - if ((shell = getenv("SHELL")) == NULL)
> + if ((shell = getenv("SHELL")) == NULL || *shell == '\0')
> shell = _PATH_BSHELL;
>
> /* Convert the port number into a string. */
> @@ -1148,7 +1148,7 @@ ssh_local_cmd(const char *args)
> args == NULL || !*args)
> return (1);
>
> - if ((shell = getenv("SHELL")) == NULL)
> + if ((shell = getenv("SHELL")) == NULL || *shell == '\0')
> shell = _PATH_BSHELL;
>
> pid = fork();
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From bert.wesarg at googlemail.com Sun Oct 3 08:31:21 2010
From: bert.wesarg at googlemail.com (Bert Wesarg)
Date: Sat, 2 Oct 2010 23:31:21 +0200
Subject: %h and %n in LocalCommand

Hi,

looking at the code, %h and %n expand to the same value. But shouldn't %h expand to options.hostname?

Also I think that the host name provided on the command line is always lost because of line 698 in ssh.c (that's from 5.6p1). Do I misread something here?

Bert

From karfi.nci at gmail.com Mon Oct 4 14:45:38 2010
From: karfi.nci at gmail.com (Arief Karfianto)
Date: Mon, 4 Oct 2010 10:45:38 +0700
Subject: Metropolis: Implementation of Interlock Protocol using Linux Shell Programming, OpenSSH, and GPG

I have written a small Linux shell script implementing the Interlock Protocol, which is known as a cryptographic protocol that is resistant to man-in-the-middle attacks. Here are the steps of the interlock protocol:

*(1)* Alice sends her public key to Bob.
*(2)* Bob sends his public key to Alice.
*(3)* Alice encrypts her message using Bob's public key. Then she sends half of that encrypted message to Bob.
*(4)* After receiving Alice's half of the encrypted message, Bob encrypts his message using Alice's public key. Then he sends half of that encrypted message to Alice.
*(5)* After receiving Bob's half of the encrypted message, Alice sends the remaining half of her encrypted message to Bob.
*(6)* Bob combines the two parts of Alice's encrypted message and decrypts it with his private key. Then Bob sends the remaining half of his encrypted message to Alice.
*(7)* Alice combines the two parts of Bob's encrypted message and decrypts it with her private key.

Here is the code (running well on my Slackware Linux). I named this program Metropolis; it consists of two parties, the Miracle and the Sleeper. It is assumed that you have exchanged public keys with your partner in a secure way:

SOURCE CODE METROPOLIS (Also attached)

#!/bin/sh
####################################################################
# Implementation of Interlock Protocol in Shell Script             #
# Written by Arief Karfianto, karfi.nci at gmail.com               #
# September 2010                                                   #
# GNU Public Licensed                                              #
######################## THE MIRACLE AND THE SLEEPER ###############

clear
echo " ++++++++++++++++++++ INTERLOCK PROTOCOL VERSION 1.0 ++++++++++++++++++++++"

# Validate number of arguments
if [ "$#" -ne 4 ]
then
    echo ""
    echo "Incorrect number of arguments."
    echo "Usage : ./metropolis [infile] [active home directory] [recipient] [mode : m | s]"
    echo ""
    exit 1
fi

infile="$1"      # file to send
homedir="$2"     # directory where the partner's scp drops received00/received01
recipient="$3"   # user@host: used both as the gpg recipient and as the scp target
mode="$4"        # m = miracle (sends first), s = sleeper (waits first)

if [ -e "$infile" ]
then
    echo ""
    echo "Program will send this file : "
    du -b "$infile"
else
    echo ""
    echo "The file doesn't exist !!"
    echo "Program exit now."
    echo ""
    exit 1
fi

case "$mode" in
    m) echo "mode : miracle" ;;
    s) echo "mode : sleeper" ;;
    *) echo "invalid mode argument : $mode"; echo ""; exit 1 ;;
esac

# Encryption process
echo "Encrypting infile with Public Key"
gpg -o sent.gpg --recipient "$recipient" -e "$infile"

if [ -e "sent.gpg" ]
then
    # Split the ciphertext into two halves by byte count rather than by line:
    # gpg output is binary and need not contain ten newlines for csplit to cut at.
    echo "Splitting infile into two files"
    size=$(wc -c < sent.gpg)
    half=$(( (size + 1) / 2 ))
    split -b "$half" -d sent.gpg sent      # GNU split: produces sent00 and sent01
    rm sent.gpg
else
    echo "Encryption failed !!"
    echo "Program exit now."
    echo ""
    exit 1
fi

# Block until the named half from the partner has arrived in the active home directory
wait_for()
{
    echo "Waiting for $1 from recipient"
    until [ -f "$homedir/$1" ]
    do
        sleep 5
    done
}

# Copy one local half to the partner under the given remote name, then discard it
send_half()
{
    echo "send $2 to recipient as $1"
    scp "$2" "$recipient:$1"
    rm "$2"
}

# The mode argument selects exactly one side of the protocol. Running both blocks
# one after the other would make the sleeper send its first half before it has
# received anything, which breaks the interlock ordering in steps (3) to (6).
if [ "$mode" = m ]
then
    ################### THE MIRACLE ############################
    send_half received00 sent00     # step 3: our first half goes out
    wait_for received00             # step 4: partner's first half comes in
    send_half received01 sent01     # step 5: our second half goes out
    wait_for received01             # step 6: partner's second half comes in
else
    ######################### THE SLEEPER #############################
    wait_for received00             # step 3: partner's first half comes in
    send_half received00 sent00     # step 4: our first half goes out
    wait_for received01             # step 5: partner's second half comes in
    send_half received01 sent01     # step 6: our second half goes out
fi

######################## THE MIRACLE AND THE SLEEPER ##############
# Merging received files
echo "Merging two files into one"
cat "$homedir/received00" "$homedir/received01" > ./received.gpg
rm "$homedir/received00" "$homedir/received01"

# Decrypting file
echo "Decrypting outfile with Private Key"
gpg -o Received_file -d received.gpg
rm received.gpg

if [ -e "Received_file" ]
then
    echo "Process Complete..Now you have Received_file"
else
    echo "Decryption failed !!"
    echo "Program exit now."
    echo ""
    exit 1
fi

echo "++++++++++++++++++++++++++++++++++ FINISH +++++++++++++++++++++++++++++++++++"
echo

And here is the command to run:

1. From Blackbox as Miracle
root at blackbox:~# metropolis snapshot1.png /root/ root at whitebox m

2. From Whitebox as Sleeper
root at whitebox:~# metropolis snapshot2.png /root/ root at blackbox s

-------------- next part --------------
A non-text attachment was scrubbed...
Name: metropolis.sh
Type: application/x-sh
Size: 3245 bytes
Desc: not available

From keisial at gmail.com Tue Oct 5 08:41:21 2010
From: keisial at gmail.com (Ángel González)
Date: Mon, 04 Oct 2010 23:41:21 +0200
Subject: Metropolis: Implementation of Interlock Protocol using Linux Shell Programming, OpenSSH, and GPG
Message-ID: <4CAA4A01.9040103@gmail.com>

Don't use things like
  ls | grep ^received00
That will fail if there's a file listed before (eg. "foo received00"),
  ls -l | grep received00
may work (with false positives) but it's much easier to do it right:
  test -f received00

Arief Karfianto wrote:
> I have written a small Linux shell script
I don't think that bash programming is an appropriate language for security protocols (other than as proof of concept). For instance, I think your code will be subject to some race conditions which would have been trivial were all of this transmitted on one tcp connection.

> implementing the Interlock Protocol,
> which is known as a cryptographic protocol that is resistant to
> man-in-the-middle attacks. Here are the steps of the interlock protocol:
Take that "resistant" with a grain of salt. Simply splitting the files in two pieces doesn't assure you won't be MITMed.

In your implementation it seems that Alice discards Bob's message. That allows a full MITM attack (impersonate Bob, then Alice). If Alice was somehow able to determine that the received file was not from the real Bob, it would still have been transferred to the attacker (but at least she would be aware of it). If you had strict timeouts on the process, only began the transactions at a specified time and were able to detect bogus messages (how?), then you could at least detect the attack after the fact.

In fact, the scp and gpg utilities that you use as mere transport have their own trust mechanisms.

I find this off topic for this mailing list, btw.

From scott_n at xypro.com Tue Oct 5 09:51:03 2010
From: scott_n at xypro.com (Scott Neugroschl)
Date: Mon, 4 Oct 2010 15:51:03 -0700
Subject: Metropolis: Implementation of Interlock Protocol using LinuxShell Programming, OpenSSH, and GPG
In-Reply-To: <4CAA4A01.9040103@gmail.com>
References: <4CAA4A01.9040103@gmail.com>
Message-ID: <78DD71C304F38B41885A242996B96F73026595D9@xyservd.XYPRO-23.LOCAL>

Quoth Ángel González
> Don't use things like ls | grep ^received00
> That will fail if there's a file listed before (eg. "foo received00"),
> ls -l | grep received00 may work (with false positives) but
> it's much easier to do it right: test -f received00
>
ls checks to see if its stdout is a tty. If not, then it outputs one file per line. So there is no problem with Arief's original. However, "test -f" is still better, as it's lower overhead and more clear as to the intent.

From antonio.mignolli at yahoo.it Tue Oct 5 20:42:54 2010
From: antonio.mignolli at yahoo.it (Antonio Mignolli)
Date: Tue, 5 Oct 2010 10:42:54 +0100
Subject: ProxyCommand not working if $SHELL not defined
In-Reply-To: <4CA572B0.7060605@eden.rutgers.edu>
References: <4AAABF5E.4010207@zip.com.au> <4CA572B0.7060605@eden.rutgers.edu>

For all I know, it has never been put in.
I checked the source occasionally.

On 1 October 2010 06:33, Rekha Bachwani wrote:
> Could somebody please let me know which version the below patch was put
> in?
> Or was this even put in?
>
> thanks,
> Rekha

From djm at mindrot.org Wed Oct 6 08:50:35 2010
From: djm at mindrot.org (Damien Miller)
Date: Wed, 6 Oct 2010 08:50:35 +1100 (EST)
Subject: ProxyCommand not working if $SHELL not defined
References: <4AAABF5E.4010207@zip.com.au> <4CA572B0.7060605@eden.rutgers.edu>

I just committed it, it will be in OpenSSH 5.7

On Tue, 5 Oct 2010, Antonio Mignolli wrote:

> For all I know, it has never been put in.
> I checked the source occasionally.
>
> On 1 October 2010 06:33, Rekha Bachwani wrote:
> Could somebody please let me know which version the below patch
> was put in?
> Or was this even put in?

From rbachwan at eden.rutgers.edu Wed Oct 6 09:12:55 2010
From: rbachwan at eden.rutgers.edu (Rekha Bachwani)
Date: Tue, 05 Oct 2010 18:12:55 -0400
Subject: ProxyCommand not working if $SHELL not defined
References: <4AAABF5E.4010207@zip.com.au> <4CA572B0.7060605@eden.rutgers.edu>
Message-ID: <4CABA2E7.7090107@eden.rutgers.edu>

Thanks!

On 10/5/2010 5:50 PM, Damien Miller wrote:
> I just committed it, it will be in OpenSSH 5.7
>
> On Tue, 5 Oct 2010, Antonio Mignolli wrote:
>
>> For all I know, it has never been put in.
>> I checked the source occasionally.

From nunojpg at gmail.com Wed Oct 6 09:12:22 2010
From: nunojpg at gmail.com (Nuno Gonçalves)
Date: Tue, 5 Oct 2010 23:12:22 +0100
Subject: -R tunnels

After a connection issue, sometimes I get "Warning: remote port forwarding failed for listen port" when trying to establish -R tunnels, and that is because sshd didn't clear the port binding when the connection dropped.

Restarting sshd on the server *doesn't* clear this issue, the port remains bound. Shouldn't a sshd restart solve this?
Also wouldn't it be reasonable to add a tunnel timeout option to sshd?

Regards,
Nuno

--
+ Nuno Gonçalves
+ nunojpg at gmail.com
+ http://nunoassimassim.blogspot.com/
+ PORTUGAL

E-mail sent directly from Google Mail webmail using HTTPS on behalf of Nuno João Pinto Gonçalves, birth date 1986-11-16. E-mail headers provide good assurance that this message was not tampered with and originates from nunojpg at gmail.com. If you require additional security, I may provide on request an X509 electronic signature under the Portuguese government chain. If you need a digital signature from the Cartão de Cidadão, give me a shout.

From tomten at tomten.hopto.org Thu Oct 7 04:46:42 2010
From: tomten at tomten.hopto.org (Thomas Marcks von Würtemberg)
Date: Wed, 06 Oct 2010 19:46:42 +0200
Subject: Port forwarding and logs
Message-ID: <4CACB602.1060002@tomten.hopto.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

So, before I start to code a patch for this, I thought that it would be a good idea to ask you guys if this feature exists (and if not, is there any reason why).

I was looking in my sshd logs the other day, and found that a user had failed to do a port forwarding, but I cannot find any evidence of successful port forwarding... This concerns me, I would like to know when and where a port is forwarded. I tried to turn on VERBOSE, but that just gave me more useless information.

So, why do I only see anything about the port forwarding when it fails, and not when it succeeds?

So, like I said in the beginning, I am about to write a patch for this, so if it would be interesting for the project I will submit the patch to you :-)

Best Regards
//Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----

From wagle at mac.com Thu Oct 7 10:07:29 2010
From: wagle at mac.com (Perry Wagle)
Date: Wed, 06 Oct 2010 16:07:29 -0700
Subject: Logging Login Attempts
Message-ID: <4DF9A0D3-C617-42B7-ACC9-FA096A73F7FC@mac.com>

I have passwords turned off, and require keys to match. The zombie armies swarming outside are trying brute force attacks that in part involve guessing login NAMES. If they guess the wrong NAME, this is logged in syslog. If they guess a working user name, then the attack has PARTIALLY SUCCEEDED, but this information is IGNORED. That is, it is not logged. If the zombie army can tell when it has found a working user name, then it might concentrate on finding its key, and I will be none the wiser. I will not see that happening.

I can get this info by turning logging to DEBUG, but then it is very noisy. I do not understand why failed attempts to login to my account are not logged.

Why is this, and how do I get it fixed?

Thanks!

-- Perry

From imorgan at nas.nasa.gov Fri Oct 8 03:51:43 2010
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Thu, 7 Oct 2010 09:51:43 -0700
Subject: Logging Login Attempts
In-Reply-To: <4DF9A0D3-C617-42B7-ACC9-FA096A73F7FC@mac.com>
References: <4DF9A0D3-C617-42B7-ACC9-FA096A73F7FC@mac.com>
Message-ID: <20101007165143.GA13611@linux55.nas.nasa.gov>

On Wed, Oct 06, 2010 at 18:07:29 -0500, Perry Wagle wrote:
> I have passwords turned off, and require keys to match. The zombie armies swarming outside are trying brute force attacks that in part involve guessing login NAMES. If they guess the wrong NAME, this is logged in syslog. If they guess a working user name, then the attack has PARTIALLY SUCCEEDED, but this information is IGNORED. That is, it is not logged. If the zombie army can tell when it has found a working user name, then it might concentrate on finding its key, and I will be none the wiser. I will not see that happening.
>
> I can get this info by turning logging to DEBUG, but then it is very noisy. I do not understand why failed attempts to login to my account are not logged.
>
> Why is this, and how do I get it fixed?
>
> Thanks!
>
> -- Perry
>

Try verbose rather than debug.

--
Iain Morgan

From keisial at gmail.com Fri Oct 8 07:40:18 2010
From: keisial at gmail.com (Ángel González)
Date: Thu, 07 Oct 2010 22:40:18 +0200
Subject: -R tunnels
Message-ID: <4CAE3032.1030502@gmail.com>

Nuno Gonçalves wrote:
> After a connection issue, sometimes I get "Warning: remote port
> forwarding failed for listen port" when trying to establish -R
> tunnels, and that is because sshd didn't clear the port binding when
> the connection dropped.
>
> Restarting sshd on the server *doesn't* clear this issue, the port
> remains bound. Shouldn't a sshd restart solve this?
> Also wouldn't it be reasonable to add a tunnel timeout option to sshd?
>
> Regards,
> Nuno

The port at the server side is probably in TIME_WAIT. If you wait a few minutes after the sshd restart, it should be solved.
Bear in mind that it may be the full problem and not disconnection detection.

Also, a restart is probably useless for closing port forwardings since I think those are done after the fork and would thus be unaffected.

From wagle at mac.com Fri Oct 8 06:39:13 2010
From: wagle at mac.com (Perry Wagle)
Date: Thu, 07 Oct 2010 12:39:13 -0700
Subject: Logging Login Attempts
In-Reply-To: <20101007165143.GA13611@linux55.nas.nasa.gov>
References: <4DF9A0D3-C617-42B7-ACC9-FA096A73F7FC@mac.com> <20101007165143.GA13611@linux55.nas.nasa.gov>

LogLevel VERBOSE logs the IP address of the attempt on a "signon that exists", but not which signon name.

-- Perry

On Oct 7, 2010, at 9:51 AM, Iain Morgan wrote:
> On Wed, Oct 06, 2010 at 18:07:29 -0500, Perry Wagle wrote:
>> I have passwords turned off, and require keys to match. The zombie armies swarming outside are trying brute force attacks that in part involve guessing login NAMES. If they guess the wrong NAME, this is logged in syslog. If they guess a working user name, then the attack has PARTIALLY SUCCEEDED, but this information is IGNORED. That is, it is not logged. If the zombie army can tell when it has found a working user name, then it might concentrate on finding its key, and I will be none the wiser. I will not see that happening.
>>
>> I can get this info by turning logging to DEBUG, but then it is very noisy. I do not understand why failed attempts to login to my account are not logged.
>>
>> Why is this, and how do I get it fixed?
>
> Try verbose rather than debug.

From wagle at mac.com Fri Oct 8 09:47:50 2010
From: wagle at mac.com (Perry Wagle)
Date: Thu, 07 Oct 2010 15:47:50 -0700
Subject: Logging Login Attempts
In-Reply-To: <20101007223745.GK506@linux55.nas.nasa.gov>
References: <4DF9A0D3-C617-42B7-ACC9-FA096A73F7FC@mac.com> <20101007165143.GA13611@linux55.nas.nasa.gov> <20101007223745.GK506@linux55.nas.nasa.gov>
Message-ID: <91E20EBB-B7EB-4341-8142-CCD265D3823E@mac.com>

I have PasswordAuthentication turned off, and all I get is:

Oct 7 10:44:02 brainz sshd[5043]: Connection from 111.222.247.191 port 50912

From a(n anonymized) host that doesn't have the key to login with.

I do get hundreds or thousands of invalid users though:

Oct 6 04:13:19 brainz sshd[7727]: Invalid user spam from 115.89.210.36

Maybe your path doesn't get used when you have passwords turned off?

-- Perry

On Oct 7, 2010, at 3:37 PM, Iain Morgan wrote:
> On Thu, Oct 07, 2010 at 14:39:13 -0500, Perry Wagle wrote:
>>
>> LogLevel VERBOSE logs the IP address of the attempt on a "signon that
>> exists", but not which signon name.
>>
>> -- Perry
>
> Actually, the attempted username, source IP address, and source port are
> logged. This is done in auth.c. At least that is the case in cvs HEAD
> and looks like it goes back at least as far as 5.1p1.
>
> authlog("%s %s for %s%.100s from %.200s port %d%s",
> authmsg,
> method,
> authctxt->valid ? "" : "invalid user ",
> authctxt->user,
> get_remote_ipaddr(),
> get_remote_port(),
> info);
>
> Note that in the case of password authentication, authlog is a pointer
> to logit(), whereas for all other authentication methods it is a pointer
> to verbose().
>
> --
> Iain

From imorgan at nas.nasa.gov Fri Oct 8 09:37:45 2010
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Thu, 7 Oct 2010 15:37:45 -0700
Subject: Logging Login Attempts
References: <4DF9A0D3-C617-42B7-ACC9-FA096A73F7FC@mac.com> <20101007165143.GA13611@linux55.nas.nasa.gov>
Message-ID: <20101007223745.GK506@linux55.nas.nasa.gov>

On Thu, Oct 07, 2010 at 14:39:13 -0500, Perry Wagle wrote:
>
> LogLevel VERBOSE logs the IP address of the attempt on a "signon that
> exists", but not which signon name.
>
> -- Perry

Actually, the attempted username, source IP address, and source port are logged. This is done in auth.c. At least that is the case in cvs HEAD and looks like it goes back at least as far as 5.1p1.

	authlog("%s %s for %s%.100s from %.200s port %d%s",
	    authmsg,
	    method,
	    authctxt->valid ? "" : "invalid user ",
	    authctxt->user,
	    get_remote_ipaddr(),
	    get_remote_port(),
	    info);

Note that in the case of password authentication, authlog is a pointer to logit(), whereas for all other authentication methods it is a pointer to verbose().

--
Iain
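The authlog() format quoted above can be parsed to separate username probes against non-existent accounts from failed attempts against accounts that do exist, which is the distinction Perry is after. This is an added example, not code from the thread or from OpenSSH; the log lines are constructed with documentation addresses, and it assumes LogLevel VERBOSE, since with password authentication off these lines go through verbose() rather than logit().

```python
import re
from collections import defaultdict

# Lines produced by the authlog() call in auth.c, whose format is
#   "%s %s for %s%.100s from %.200s port %d%s"
# e.g. "Failed publickey for invalid user spam from 192.0.2.10 port 41000 ssh2"
AUTHLOG_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed|Postponed) (?P<method>\S+) "
    r"for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
# The "Invalid user X from IP" line Perry sees is logged separately, without a method.
INVALID_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")


def parse_line(line):
    """Return a dict describing one sshd authentication event, or None for other lines."""
    m = AUTHLOG_RE.search(line)
    if m:
        return {
            "result": m["result"],
            "method": m["method"],
            "user": m["user"],
            "valid_user": m["invalid"] is None,   # no "invalid user " prefix => account exists
            "ip": m["ip"],
            "port": int(m["port"]),
        }
    m = INVALID_RE.search(line)
    if m:
        return {"result": "Invalid", "method": None, "user": m["user"],
                "valid_user": False, "ip": m["ip"], "port": None}
    return None


def summarize(lines):
    """Per source IP: failures against existing accounts, probes of non-existent
    names, accepted logins, and which existing accounts were targeted."""
    stats = defaultdict(lambda: {"valid_user_failures": 0, "invalid_user_probes": 0,
                                 "accepted": 0, "targeted_valid_users": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats[ev["ip"]]
        if ev["result"] == "Accepted":
            s["accepted"] += 1
        elif ev["valid_user"]:
            s["valid_user_failures"] += 1
            s["targeted_valid_users"].add(ev["user"])
        else:
            s["invalid_user_probes"] += 1
    return dict(stats)


def suspicious_sources(stats, threshold=3):
    """Sources that keep failing against real accounts and never get in: the
    'partially succeeded' guessers Perry is worried about not seeing."""
    return sorted(ip for ip, s in stats.items()
                  if s["valid_user_failures"] >= threshold and s["accepted"] == 0)


# Constructed sample log, in the shape of the lines quoted in this thread.
SAMPLE_LOG = """\
Oct  6 04:13:19 brainz sshd[7727]: Invalid user spam from 192.0.2.10
Oct  6 04:13:19 brainz sshd[7727]: Failed publickey for invalid user spam from 192.0.2.10 port 41000 ssh2
Oct  7 10:44:02 brainz sshd[5043]: Failed publickey for perry from 192.0.2.20 port 50912 ssh2
Oct  7 10:44:05 brainz sshd[5044]: Failed publickey for perry from 192.0.2.20 port 50913 ssh2
Oct  7 10:44:09 brainz sshd[5045]: Failed publickey for root from 192.0.2.20 port 50914 ssh2
Oct  7 11:02:41 brainz sshd[5101]: Accepted publickey for perry from 198.51.100.7 port 60001 ssh2
Oct  7 11:02:41 brainz sshd[5101]: pam_unix(sshd:session): session opened for user perry
"""

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for ip, s in sorted(stats.items()):
        print(ip, "valid-user failures:", s["valid_user_failures"],
              "probes:", s["invalid_user_probes"], "accepted:", s["accepted"],
              "targets:", sorted(s["targeted_valid_users"]))
    print("suspicious:", suspicious_sources(stats))
```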
--
Iain

From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Thu, 7 Oct 2010 17:27:44 -0700
Subject: Logging Login Attempts
In-Reply-To: <91E20EBB-B7EB-4341-8142-CCD265D3823E@mac.com>
References: <4DF9A0D3-C617-42B7-ACC9-FA096A73F7FC@mac.com> <20101007165143.GA13611@linux55.nas.nasa.gov> <20101007223745.GK506@linux55.nas.nasa.gov> <91E20EBB-B7EB-4341-8142-CCD265D3823E@mac.com>
Message-ID: <20101008002744.GM506@linux55.nas.nasa.gov>

On Thu, Oct 07, 2010 at 17:47:50 -0500, Perry Wagle wrote:
> I have PasswordAuthentication turned off, and all I get is:
>
> Oct 7 10:44:02 brainz sshd[5043]: Connection from 111.222.247.191 port 50912
>
> From a(n anonymized) host that doesn't have the key to login with.
>
> I do get hundreds or thousands of invalid users though:
>
> Oct 6 04:13:19 brainz sshd[7727]: Invalid user spam from 115.89.210.36
>
> Maybe your path doesn't get used when you have passwords turned off?
>
> -- Perry
>

I have only glanced at the relevant code, but the intent is that it is
called for all authentication methods. That is why one of the arguments
to authlog() is the authentication method. You should see messages of
the form "Failed publickey for invalid user spam from 115.89.210.36 port
..." Alternatively, you should see something like "Accepted publickey
for blah from ..." for successful logins.

The code is there, and I can verify that it works for both 5.1p1 and
5.6p1. To eliminate any Debian-specific patches that might be
inadvertently interfering, you could build a stock version of 5.3p1 and
test it.

--
Iain Morgan
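As an added example (not code from OpenSSH or from anyone in this thread), the following Python triages log lines of the two formats quoted above, the auth.c authlog() line and the "Invalid user" line, and separates name guessing from failures against accounts that exist. The sample log is constructed; the host name and addresses are taken from Perry's already anonymised excerpts and the user name "perry" is made up.

```python
"""Triage of sshd authentication log lines.

Added example for this thread, not code from OpenSSH or from any poster.
SAMPLE_LOG is constructed from the two formats quoted above: auth.c's
authlog() line ("%s %s for %s%.100s from %.200s port %d%s") and the
"Invalid user" line.  The host name and addresses come from Perry's
already anonymised excerpts; the user name "perry" is made up.
"""
import re
from collections import defaultdict

# result, method, optional "invalid user " marker, user, address, port.
# "Postponed" is a further value sshd uses for the first field (assumption
# from real logs, not something stated in the thread).
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed|Postponed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
# Logged when the user name does not exist at all, at the default LogLevel.
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")

SAMPLE_LOG = """\
Oct  6 04:13:19 brainz sshd[7727]: Invalid user spam from 115.89.210.36
Oct  6 04:13:19 brainz sshd[7727]: Failed publickey for invalid user spam from 115.89.210.36 port 41122 ssh2
Oct  6 04:13:25 brainz sshd[7731]: Invalid user oracle from 115.89.210.36
Oct  7 10:44:02 brainz sshd[5043]: Connection from 111.222.247.191 port 50912
Oct  7 10:44:03 brainz sshd[5043]: Failed publickey for perry from 111.222.247.191 port 50912 ssh2
Oct  7 10:44:04 brainz sshd[5043]: Failed publickey for perry from 111.222.247.191 port 50912 ssh2
Oct  7 11:02:11 brainz sshd[5102]: Accepted publickey for perry from 10.0.0.5 port 50311 ssh2
Oct  7 11:30:00 brainz sshd[5188]: Accepted publickey for perry from 111.222.247.191 port 50999 ssh2
"""


def parse_line(line):
    """Return one auth event as a dict, or None for lines that are not auth events."""
    m = AUTH_RE.search(line)
    if m:
        return {"kind": m.group("result").lower(), "method": m.group("method"),
                "user": m.group("user"), "valid_user": m.group("invalid") is None,
                "ip": m.group("ip"), "port": int(m.group("port"))}
    m = INVALID_RE.search(line)
    if m:
        return {"kind": "invalid_user", "method": None, "user": m.group("user"),
                "valid_user": False, "ip": m.group("ip"), "port": None}
    return None


def triage(lines):
    """Separate the two phases Perry describes.

    name_guessing:            ip -> sorted non-existent user names it tried
    failed_valid:             user -> {ip: failures} for accounts that exist
                              (for publickey these lines only appear at
                              LogLevel VERBOSE, since authlog is verbose()
                              for every method but password)
    accepted_after_failures:  (user, ip) pairs that logged in after failing
                              from that same address; worth a second look
    """
    name_guessing = defaultdict(set)
    failed_valid = defaultdict(lambda: defaultdict(int))
    accepted_after_failures = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if not ev["valid_user"]:
            name_guessing[ev["ip"]].add(ev["user"])
        elif ev["kind"] == "failed":
            failed_valid[ev["user"]][ev["ip"]] += 1
        elif ev["kind"] == "accepted" and failed_valid.get(ev["user"], {}).get(ev["ip"]):
            accepted_after_failures.append((ev["user"], ev["ip"]))
    return {
        "name_guessing": {ip: sorted(names) for ip, names in name_guessing.items()},
        "failed_valid": {user: dict(ips) for user, ips in failed_valid.items()},
        "accepted_after_failures": accepted_after_failures,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On a key-only server the "failed_valid" bucket stays empty at the default LogLevel, which is exactly the gap Perry noticed; it fills once LogLevel VERBOSE is set.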
From: wagle at mac.com (Perry Wagle)
Date: Thu, 07 Oct 2010 15:51:29 -0700
Subject: Logging Login Attempts
In-Reply-To: <91E20EBB-B7EB-4341-8142-CCD265D3823E@mac.com>
References: <4DF9A0D3-C617-42B7-ACC9-FA096A73F7FC@mac.com> <20101007165143.GA13611@linux55.nas.nasa.gov> <20101007223745.GK506@linux55.nas.nasa.gov> <91E20EBB-B7EB-4341-8142-CCD265D3823E@mac.com>
Message-ID: <372E106E-70AC-49F5-A12B-5E5EC5E53FF6@mac.com>

PS: I'm running OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009

On Oct 7, 2010, at 3:47 PM, Perry Wagle wrote:

>> Actually, the attempted username, source IP address, and source port are
>> logged. This is done in auth.c. At least that is the case in cvs HEAD
>> and looks like it goes back at least as far as 5.1p1.
From: hans at atbas.org (Hans Harder)
Date: Fri, 8 Oct 2010 08:15:10 +0200
Subject: Logging Login Attempts
In-Reply-To: <20101007223745.GK506@linux55.nas.nasa.gov>
References: <4DF9A0D3-C617-42B7-ACC9-FA096A73F7FC@mac.com> <20101007165143.GA13611@linux55.nas.nasa.gov> <20101007223745.GK506@linux55.nas.nasa.gov>
Message-ID:

I'd rather see that it is logged whenever the last valid method fails.
So if you disable the password method, you still want to have that log
if the publickey method fails, even if it is not in verbose logging.

It's pretty simple to implement that, just above that add 1 line.

	if (authenticated == 1 || !authctxt->valid ||
	    authctxt->failures >= options.max_authtries / 2 ||
+	    strcmp(method, "publickey") == 0 ||
	    strcmp(method, "password") == 0)
		authlog = logit;

Hans

> Actually, the attempted username, source IP address, and source port are
> logged. This is done in auth.c. At least that is the case in cvs HEAD
> and looks like it goes back at least as far as 5.1p1.
>
>         authlog("%s %s for %s%.100s from %.200s port %d%s",
>             authmsg,
>             method,
>             authctxt->valid ? "" : "invalid user ",
>             authctxt->user,
>             get_remote_ipaddr(),
>             get_remote_port(),
>             info);
>
> Note that in the case of password authentication, authlog is a pointer
> to logit(), whereas for all other authentication methods it is a pointer
> to verbose().
>
> --
> Iain
>
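Review bot: the added `strcmp(method, "publickey") == 0 ||` line is broader than the stated goal of logging when the last enabled method fails: it promotes every publickey failure to logit level unconditionally, bypassing the existing `authctxt->failures >= options.max_authtries / 2` threshold for that method and ignoring whether password authentication is actually disabled. Deriving the condition from the enabled-methods configuration (promote the level only when the method that just failed is the sole one still available to the client) would express the intent without hard-coding method names.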
From: scott_n at xypro.com (Scott Neugroschl)
Date: Fri, 8 Oct 2010 12:46:52 -0700
Subject: IPV6_V6ONLY
Message-ID: <78DD71C304F38B41885A242996B96F7302659C26@xyservd.XYPRO-23.LOCAL>

Is there a particular reason that sshd sets IPV6_V6ONLY on listen sockets?

----
Scott Neugroschl
XYPRO Technology Corporation
scott_n at xypro.com
805-583-2874

From: dwmw2 at infradead.org (David Woodhouse)
Date: Wed, 13 Oct 2010 15:45:25 +0100
Subject: IPV6_V6ONLY
In-Reply-To: <78DD71C304F38B41885A242996B96F7302659C26@xyservd.XYPRO-23.LOCAL>
References: <78DD71C304F38B41885A242996B96F7302659C26@xyservd.XYPRO-23.LOCAL>
Message-ID: <1286981125.29340.27.camel@i7.infradead.org>

On Fri, 2010-10-08 at 12:46 -0700, Scott Neugroschl wrote:
> Is there a particular reason that sshd sets IPV6_V6ONLY on listen
> sockets?

Because it listens separately on a Legacy IP socket, so it doesn't want
its IPv6 socket accepting Legacy IP connections.

--
dwmw2

From: djm at mindrot.org (Damien Miller)
Date: Thu, 14 Oct 2010 09:11:05 +1100 (EST)
Subject: IPV6_V6ONLY
In-Reply-To: <1286981125.29340.27.camel@i7.infradead.org>
References: <78DD71C304F38B41885A242996B96F7302659C26@xyservd.XYPRO-23.LOCAL> <1286981125.29340.27.camel@i7.infradead.org>
Message-ID:

On Wed, 13 Oct 2010, David Woodhouse wrote:

> Because it listens separately on a Legacy IP socket, so it doesn't want
> its IPv6 socket accepting Legacy IP connections.

"Legacy", har har
From: bin.bai at hp.com (Bai, Bin)
Date: Thu, 14 Oct 2010 04:11:00 +0000
Subject: about testing SSH5.6 new feature.
Message-ID:

Hi, all

Congratulations on the latest OpenSSH release!

Currently I'm writing the cases for testing the new feature. But this new
feature is very complex for me:

Ssh(1) connection multiplexing now supports remote forwarding with dynamic
port allocation and can report the allocated port back to the user:

LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`

Can you tell me the way by which I can basically test the new case on a
Unix system (one connecting to itself)?

Thanks and Regards,
Bin, Bai.

From: yuanlei0721 at gmail.com (lei yuan)
Date: Thu, 14 Oct 2010 14:02:04 +0800
Subject: About new feature option AuthorizedPrincipalsFile in openssh5.6
Message-ID:

Hi, all

I've read the openssh5.6 new feature document about the new option
AuthorizedPrincipalsFile, and tried to configure sshd_config many times,
but still have not succeeded. Maybe I am still unclear about the
document's meaning. The main problem is I don't know what the content (or
file format) is of the file specified by the AuthorizedPrincipalsFile
option. Could you give me an example of the file that
AuthorizedPrincipalsFile specifies, or explain the file content in detail?
I would appreciate it if you could give me some help.
From: aris at 0xbadc0de.be (Aris Adamantiadis)
Date: Thu, 14 Oct 2010 12:09:30 +0200
Subject: IPV6_V6ONLY
In-Reply-To: <1286981125.29340.27.camel@i7.infradead.org>
References: <78DD71C304F38B41885A242996B96F7302659C26@xyservd.XYPRO-23.LOCAL> <1286981125.29340.27.camel@i7.infradead.org>
Message-ID: <4CB6D6DA.3000705@0xbadc0de.be>

On 13/10/10 16:45, David Woodhouse wrote:
> Because it listens separately on a Legacy IP socket, so it doesn't want
> its IPv6 socket accepting Legacy IP connections.
>

Hi David,

Is there a specific advantage of doing it this way? It's normally
possible to bind a single socket for both ipv6 and ipv4 sockets.
Is there a disadvantage to this method?

thanks,

Aris

From: djm at mindrot.org (Damien Miller)
Date: Thu, 14 Oct 2010 21:42:23 +1100 (EST)
Subject: about testing SSH5.6 new feature.
In-Reply-To:
References:
Message-ID:

On Thu, 14 Oct 2010, Bai, Bin wrote:

> Hi, all
> Congratulations on the latest OpenSSH release!
> Currently I'm writing the cases for testing the new feature. But this new feature is very complex for me:
> Ssh(1) connection multiplexing now supports remote forwarding with dynamic port allocation and can report the allocated port back to the user:
> LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`
> Can you tell me the way by which I can basically test the new case on a Unix system (one connecting to itself)?

ssh -Nnf -o ControlMaster=yes -o ControlPath=~/.ssh/_%r@%h:%p somehost
LPORT=`ssh -oControlPath=~/.ssh/_%r@%h:%p -R0:localhost:25 -O forward somehost`
echo $LPORT

In practice, you would put the ControlMaster and ControlPort options in
~/.ssh/config and probably use ExitOnForwardFailure=yes and
ControlPersist too.

-d
From: djm at mindrot.org (Damien Miller)
Date: Thu, 14 Oct 2010 21:47:10 +1100 (EST)
Subject: About new feature option AuthorizedPrincipalsFile in openssh5.6
In-Reply-To:
References:
Message-ID:

On Thu, 14 Oct 2010, lei yuan wrote:

> hi,all
>
> I've read the openssh5.6 new feature document about the new option
> AuthorizedPrincipalsFile, and tried to configure sshd_config many
> times, but still have not succeeded.
> Maybe I am still unclear about the document's meaning.
> The main problem is I don't know what the content (or file format) is of the
> file specified by the AuthorizedPrincipalsFile option.
> Could you give me an example of the file that AuthorizedPrincipalsFile specifies
> or explain the file content in detail?
> I would appreciate it if you could give me some help.

Are you using certificate authentication? AuthorizedPrincipalsFile is
only useful with certificates, so if you aren't using them then stop
reading now :)

The format of the file is one certificate principal name per line,
optionally preceded by key options similar to those in authorized_keys.
For example, the following could be valid lines:

djm
djm@mindrot.org
djm/rsync
from="172.16.0.0/16" djm

and so forth. If the certificate is valid, and any principal name in
AuthorizedPrincipalsFile matches any principal name in the certificate
and if the key options (if any) do not disallow the line, then the
certificate will be accepted.

-d
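An added example, not OpenSSH code, of how the file format Damien describes is evaluated against a certificate's principal list. It assumes (mirroring sshd's rule) that a line's last whitespace-separated word is the principal and anything before it is key options; only the from= option is evaluated here, with CIDR and shell-style patterns and "!" negation, other options are only reported back. The sample file is constructed.

```python
"""Match certificate principals against an AuthorizedPrincipalsFile.

Added example illustrating the format described above; not OpenSSH code.
Assumptions: the last whitespace-separated word of a line is the principal
and anything before it is key options (mirrors sshd's rule); only the
from="pattern-list" option is evaluated, other options are just returned;
a '#' starts a comment even inside a quoted value.  All sample data below
is constructed.
"""
import fnmatch
import ipaddress

PRINCIPALS_FILE = """\
# constructed AuthorizedPrincipalsFile for one account
djm
djm@mindrot.org
djm/rsync
from="172.16.0.0/16" djm-wifi
from="!192.168.1.13,192.168.1.*",no-pty,no-port-forwarding djm-backup
"""


def split_options(optstr):
    """Parse 'from="a,b",no-pty' into {'from': 'a,b', 'no-pty': None}.
    Quoted values may contain commas; a bare option maps to None."""
    opts, i, n = {}, 0, len(optstr)
    while i < n:
        j = i
        while j < n and optstr[j] not in "=,":
            j += 1
        name = optstr[i:j]
        if j < n and optstr[j] == "=":
            if j + 1 < n and optstr[j + 1] == '"':
                k = optstr.find('"', j + 2)          # closing quote
                k = n if k < 0 else k
                opts[name], i = optstr[j + 2:k], k + 1
            else:
                k = optstr.find(",", j + 1)
                k = n if k < 0 else k
                opts[name], i = optstr[j + 1:k], k
        else:
            opts[name], i = None, j
        if i < n and optstr[i] == ",":
            i += 1
    return opts


def from_allows(pattern_list, client_ip, client_host=None):
    """Evaluate a from= pattern list: '!' negates, 'a.b.c.0/24' is CIDR,
    anything else is a shell-style glob matched against the address and,
    if given, the resolved host name.  A negated match rejects outright."""
    allowed = False
    for pat in pattern_list.split(","):
        negate = pat.startswith("!")
        pat = pat[1:] if negate else pat
        if "/" in pat:
            try:
                hit = ipaddress.ip_address(client_ip) in ipaddress.ip_network(pat, strict=False)
            except ValueError:      # malformed CIDR or address: never matches
                hit = False
        else:
            hit = fnmatch.fnmatchcase(client_ip, pat) or (
                client_host is not None and fnmatch.fnmatchcase(client_host, pat))
        if hit and negate:
            return False
        allowed = allowed or hit
    return allowed


def authorize(principals_file, cert_principals, client_ip, client_host=None):
    """Return (line_number, principal, options) for the first line that accepts
    one of the certificate's principals, or None.  The certificate itself is
    assumed to have already been validated against the trusted CA."""
    for lineno, raw in enumerate(principals_file.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.rsplit(None, 1)
        principal = parts[-1]
        options = split_options(parts[0]) if len(parts) == 2 else {}
        if principal not in cert_principals:
            continue
        if "from" in options and not from_allows(options["from"], client_ip, client_host):
            continue
        return lineno, principal, options
    return None


if __name__ == "__main__":
    print(authorize(PRINCIPALS_FILE, ["djm-wifi"], "172.16.4.20"))   # line 5 matches
    print(authorize(PRINCIPALS_FILE, ["djm-backup"], "192.168.1.13"))  # None, negated
```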
From: djm at mindrot.org (Damien Miller)
Date: Thu, 14 Oct 2010 21:48:49 +1100 (EST)
Subject: IPV6_V6ONLY
In-Reply-To: <4CB6D6DA.3000705@0xbadc0de.be>
References: <78DD71C304F38B41885A242996B96F7302659C26@xyservd.XYPRO-23.LOCAL> <1286981125.29340.27.camel@i7.infradead.org> <4CB6D6DA.3000705@0xbadc0de.be>
Message-ID:

On Thu, 14 Oct 2010, Aris Adamantiadis wrote:

> On 13/10/10 16:45, David Woodhouse wrote:
> > Because it listens separately on a Legacy IP socket, so it doesn't want
> > its IPv6 socket accepting Legacy IP connections.
> >
> Hi David,
> Is there a specific advantage of doing it this way? It's normally
> possible to bind a single socket for both ipv6 and ipv4 sockets.
> Is there a disadvantage to this method?

Not all platforms support mapped address sockets (see [1] for a rationale),
so using separate, explicit sockets makes for less code divergence between
platforms.

-d

[1] http://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 14 Oct 2010 12:23:01 +0200
Subject: IPV6_V6ONLY
In-Reply-To: <4CB6D6DA.3000705@0xbadc0de.be>
References: <78DD71C304F38B41885A242996B96F7302659C26@xyservd.XYPRO-23.LOCAL> <1286981125.29340.27.camel@i7.infradead.org> <4CB6D6DA.3000705@0xbadc0de.be>
Message-ID: <20101014102301.GA10703@greenie.muc.de>

Hi,

On Thu, Oct 14, 2010 at 12:09:30PM +0200, Aris Adamantiadis wrote:
> On 13/10/10 16:45, David Woodhouse wrote:
> > Because it listens separately on a Legacy IP socket, so it doesn't want
> > its IPv6 socket accepting Legacy IP connections.
>
> Is there a specific advantage of doing it this way? It's normally
> possible to bind a single socket for both ipv6 and ipv4 sockets.

Not on all operating system variants.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From: aris at 0xbadc0de.be (Aris Adamantiadis)
Date: Thu, 14 Oct 2010 13:18:31 +0200
Subject: IPV6_V6ONLY
In-Reply-To:
References: <78DD71C304F38B41885A242996B96F7302659C26@xyservd.XYPRO-23.LOCAL> <1286981125.29340.27.camel@i7.infradead.org> <4CB6D6DA.3000705@0xbadc0de.be>
Message-ID: <4CB6E707.8040008@0xbadc0de.be>

> Not all platforms support mapped address sockets (see [1] for a rationale),
> so using separate, explicit sockets makes for less code divergence between
> platforms.
>

Damien, Gert,

Thanks for your explanations, I understand the how and the why better.

Aris

From: scott_n at xypro.com (Scott Neugroschl)
Date: Thu, 14 Oct 2010 13:43:30 -0700
Subject: IPV6_V6ONLY
In-Reply-To:
References: <78DD71C304F38B41885A242996B96F7302659C26@xyservd.XYPRO-23.LOCAL> <1286981125.29340.27.camel@i7.infradead.org>
Message-ID: <78DD71C304F38B41885A242996B96F73026BAEFC@xyservd.XYPRO-23.LOCAL>
> From: Damien Miller [mailto:djm at mindrot.org]
> On Wed, 13 Oct 2010, David Woodhouse wrote:
>
> > Because it listens separately on a Legacy IP socket, so it doesn't
> want
> > its IPv6 socket accepting Legacy IP connections.
>
> "Legacy", har har

OK, it was causing some issues on my platform (HP Nonstop). I was just
making sure that taking it out wasn't going to cause security issues.

From: dwmw2 at infradead.org (David Woodhouse)
Date: Thu, 14 Oct 2010 22:07:20 +0100
Subject: IPV6_V6ONLY
In-Reply-To: <78DD71C304F38B41885A242996B96F73026BAEFC@xyservd.XYPRO-23.LOCAL>
References: <78DD71C304F38B41885A242996B96F7302659C26@xyservd.XYPRO-23.LOCAL> <1286981125.29340.27.camel@i7.infradead.org> <78DD71C304F38B41885A242996B96F73026BAEFC@xyservd.XYPRO-23.LOCAL>
Message-ID: <1287090440.2618.2.camel@macbook.infradead.org>

On Thu, 2010-10-14 at 13:43 -0700, Scott Neugroschl wrote:
> > From: Damien Miller [mailto:djm at mindrot.org]
> > On Wed, 13 Oct 2010, David Woodhouse wrote:
> >
> > > Because it listens separately on a Legacy IP socket, so it doesn't
> > > want its IPv6 socket accepting Legacy IP connections.
> >
> > "Legacy", har har
>
> OK, it was causing some issues on my platform (HP Nonstop). I was just
> making sure that taking it out wasn't going to cause security
> issues.

One potential issue to look out for if you do this is that you need to
be sure that incoming Legacy IP connections to port 22 really are going
to sshd.

If you listen on an IPv6 socket without IPV6_V6ONLY, then you might
*hope* that it's also accepting Legacy IP connections and nobody else is
listening on INADDR_ANY:22. But are you sure?

--
dwmw2
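The situation David describes, as an added example that is not OpenSSH code: it binds throwaway listeners on an ephemeral port to show that, on a dual-stack host, a wildcard IPv6 socket without IPV6_V6ONLY also claims the IPv4 side of the port, so a second explicit IPv4 listener on that port (sshd's own, or some other daemon's) fails with EADDRINUSE, while with IPV6_V6ONLY both coexist. It assumes a Linux host with the default net.ipv6.bindv6only=0 and reports rather than asserts the outcome.

```python
"""Why sshd's separate IPv4 and IPv6 listeners set IPV6_V6ONLY.

Added example, not OpenSSH code.  Assumes Linux with the default
net.ipv6.bindv6only=0 (dual-stack wildcard sockets); on a host without
IPv6 sockets the probes report None instead of a verdict.
"""
import errno
import socket


def ipv4_bind_after_ipv6(v6only):
    """Bind [::]:0 with IPV6_V6ONLY set to v6only, then try 0.0.0.0 on the
    same port.  Returns True if the IPv4 bind succeeds, False if the port
    is reported in use, None if this host has no usable IPv6 sockets."""
    try:
        s6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return None
    with s6:
        s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        try:
            s6.bind(("::", 0))          # ephemeral port, so nothing real is disturbed
            s6.listen(1)
        except OSError:
            return None
        port = s6.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s4:
            try:
                s4.bind(("0.0.0.0", port))   # the explicit Legacy IP listener
            except OSError as e:
                if e.errno == errno.EADDRINUSE:
                    return False         # the v6 socket already owns the v4 side
                raise
            return True


def report():
    """Both configurations side by side: sshd's (IPV6_V6ONLY set) and the
    dual-stack one where it is unclear who answers Legacy IP on the port."""
    return {
        "ipv4_listener_with_v6only": ipv4_bind_after_ipv6(True),
        "ipv4_listener_without_v6only": ipv4_bind_after_ipv6(False),
    }


if __name__ == "__main__":
    for name, ok in report().items():
        verdict = "IPv4 bind succeeded" if ok else ("EADDRINUSE" if ok is False else "no IPv6 here")
        print(f"{name}: {verdict}")
```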
From: flavien-ssh at lebarbe.net (Flavien)
Date: Thu, 21 Oct 2010 11:07:18 +0200
Subject: killing remote commands
Message-ID: <20101021090718.GA18854@srv2.flavien.org>

Dear ssh gurus,

Here's the version I'm testing on:

flavien :/$ ssh -V
OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009

I launch a remote command:

flavien$ ssh -o ControlMaster=yes -o ControlPath=/tmp/ssh-control localhost 'echo pid:$$ ...sleeping...; sleep 2803'
flavien@localhost's password:
pid:11565 ...sleeping...

On another shell, I kill the ssh client:

flavien$ ssh -o ControlPath=/tmp/ssh-control -O exit localhost
Exit request sent.
flavien$

The ssh client is killed in the original terminal. Fine. However, the
shell at the other end is not killed:

flavien$ ps -ef | grep 2803
flavien  11565     1  0 10:37 ?        00:00:00 bash -c echo pid:$$ ...sleeping...; sleep 2803
flavien  11566 11565  0 10:37 ?        00:00:00 sleep 2803

If the remote process is an interactive shell, however, it is killed
once the ssh client terminates. I suspect that's because the shell
gets an EOF on its stdin. Is this true?

From reading this ml for a few years, I have in mind some sort of
"signal forwarding" feature that would send a SIGINT to the remote
processes. Am I making this up?

TIA,

Flavien.
From: matthieu.hautreux at cea.fr (HAUTREUX Matthieu)
Date: Thu, 21 Oct 2010 12:09:06 +0200
Subject: killing remote commands
In-Reply-To: <20101021090718.GA18854@srv2.flavien.org>
References: <20101021090718.GA18854@srv2.flavien.org>
Message-ID: <4CC01142.90108@cea.fr>

Flavien,

you are right, this sounds like an old problem. I can redirect you to
this thread
http://www.derkeiler.com/Newsgroups/comp.security.ssh/2007-06/msg00139.html
and this bug https://bugzilla.mindrot.org/show_bug.cgi?id=396 in which
it is discussed and a patch proposed for 4.6p1. I think that modifying
the proposed patch for the latest version should be straightforward.

IMHO, having the proposed option "RemoteCommandCleanup" in the main
branch would be really interesting/necessary.

Regards,
Matthieu

Flavien wrote:
> Dear ssh gurus,
>
> Here's the version I'm testing on:
> flavien :/$ ssh -V
> OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
>
> I launch a remote command:
> flavien$ ssh -o ControlMaster=yes -o ControlPath=/tmp/ssh-control localhost 'echo pid:$$ ...sleeping...; sleep 2803'
> flavien@localhost's password:
> pid:11565 ...sleeping...
>
> On another shell, I kill the ssh client:
> flavien$ ssh -o ControlPath=/tmp/ssh-control -O exit localhost
> Exit request sent.
> flavien$
>
> The ssh client is killed in the original terminal. Fine. However, the
> shell at the other end is not killed:
> flavien$ ps -ef | grep 2803
> flavien  11565     1  0 10:37 ?        00:00:00 bash -c echo pid:$$ ...sleeping...; sleep 2803
> flavien  11566 11565  0 10:37 ?        00:00:00 sleep 2803
>
> If the remote process is an interactive shell, however, it is killed
> once the ssh client terminates. I suspect that's because the shell
> gets an EOF on its stdin. Is this true?
>
> From reading this ml for a few years, I have in mind some sort of
> "signal forwarding" feature that would send a SIGINT to the remote
> processes. Am I making this up?
>
> TIA,
>
> Flavien.
From: mduft at gentoo.org (Markus Duft)
Date: Fri, 22 Oct 2010 14:33:16 +0200
Subject: Interix Port
Message-ID: <4CC1848C.2090402@gentoo.org>

Hi!

I recently updated my now long-standing patches for openssh 5.5p1 on
interix, and wondered if I ever reported those here, and whether there
would be any interest in it anyway. So just to make sure, I'm sending it
here, so you may do with it however you like. It would be cool to see the
changes go upstream though ;)

Regards,
markus

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-5.5_p1-interix.patch
Type: text/x-patch
Size: 15924 bytes
Desc: not available
URL:

From: peter at stuge.se (Peter Stuge)
Date: Sat, 23 Oct 2010 04:46:29 +0200
Subject: Interix Port
In-Reply-To: <4CC1848C.2090402@gentoo.org>
References: <4CC1848C.2090402@gentoo.org>
Message-ID: <20101023024629.16210.qmail@stuge.se>

Just a quick review..

Markus Duft wrote:
> +++ openssh-5.5p1/auth.c	2010-10-22 14:11:48 +0200
> @@ -541,6 +541,25 @@
>
>  	pw = getpwnam(user);
>
> +#ifdef __INTERIX
> +	/* on windows, is there is no such user in the principal domain

Typo: if there is

> +	 * (which is checked by default), we also have a look at the
> +	 * local accounts by prefixing the username with the hostname
> +	 */
> +	if (pw == NULL) {
> +		char tmp[MAXHOSTNAMELEN];
> +		if(gethostname(tmp, MAXHOSTNAMELEN) == 0) {
> +			strcat(tmp, "+");
> +			strcat(tmp, user);

Buffer overflow. Do not create bugs like this!! Consider what it says
about the rest of your code.

> +++ openssh-5.5p1/openbsd-compat/bsd-misc.h	2010-10-22 14:11:48 +0200
..
> +#ifndef __INTERIX

> +++ openssh-5.5p1/openbsd-compat/getrrsetbyname.c	2010-10-22 14:11:48 +0200
..
> +#if !defined(__INTERIX)

Why mix the two styles?

>  int
>  getrrsetbyname(const char *hostname, unsigned int rdclass,
>      unsigned int rdtype, unsigned int flags,
>      struct rrsetinfo **res)
>  {
> +#if defined(__INTERIX)
> +	return (ERRSET_FAIL);
> +#else

Maybe create functionality flags for this, rather than test system type
everywhere in the code.

> +++ openssh-5.5p1/session.c	2010-10-22 14:11:48 +0200
> @@ -91,6 +91,27 @@
>  #include "monitor_wrap.h"
>  #include "sftp.h"
>
> +#ifdef __INTERIX
> +# include
> +# include
> +char* InterixPwdToken = NULL;
> +
> +#define INTERIX_PWD_WARNING \
> +	fprintf(stderr,"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n" \
> +	"@ WARNING: Due to limitations in the POSIX Subsystem and Win32   @\n" \
> +	"@ a Password is required to acquire a full authentication.       @\n" \
> +	"@ Without such an authentication token, certain things will      @\n" \
> +	"@ only be available in a very limited way (Visual Studio's       @\n" \
> +	"@ link.exe can only link without debug information, network      @\n" \
> +	"@ shares that require user authentication don't fully work,      @\n" \
> +	"@ etc.). However if you don't require those things to work,      @\n" \
> +	"@ you may be just fine without password (public-key, etc.).      @\n" \
> +	"@ To obtain a full authentication you need to use password       @\n" \
> +	"@ authentication at the moment. To do so, remove your public     @\n" \
> +	"@ key from your ~/.ssh/authorized_keys[2] file(s).               @\n" \
> +	"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n");
> +#endif

Strongly suggest that you make the define contain only the string and
nothing else.

..
> +#ifdef __INTERIX
> +	/* on interix, to get a full env, we _need_ the plain text
> +	 * password during this! */
> +	if(InterixPwdToken) {
> +		debug2("re-setting user password");
> +		strcpy(pw->pw_passwd, InterixPwdToken);
> +	} else {
> +		INTERIX_PWD_WARNING
> +	}
> +#endif

So that it is more obvious what this code actually does in the warning
case.
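Review bot: `strcpy(pw->pw_passwd, InterixPwdToken);` in the second `#ifdef __INTERIX` block is an unbounded copy into a string whose length is whatever pw_passwd held before (a hash or a placeholder), so a longer password overflows it in the same way as the strcat in auth.c; give the block its own copy instead (`pw->pw_passwd = xstrdup(InterixPwdToken);`, freeing the previous value if pw is the server's private copy). Since InterixPwdToken keeps the cleartext password in a global for the life of the session, the hunk should also document where it is zeroed and freed.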
> @@ -1607,6 +1662,13 @@
>  launch_login(struct passwd *pw, const char *hostname)
>  {
>  	/* Launch login(1). */
> +	#ifdef __INTERIX
> +	/* -f only works if the user is already autheticated as the requested user */
> +	if (!InterixPwdToken)
> +		INTERIX_PWD_WARNING

And this will of course fail miserably if the define gets expanded to
have more than a single statement. You may have seen the use of
do {} while(0) in macros with code.

> +	if(getuid() == 0) {
> +		struct passwd* _admin = getpwuid(getuid());
> +
> +		if(!_admin) {
> +			fprintf(stderr, "Cannot retrieve user information for current user!\n");
> +			exit(2);
> +		}

I think it's a no-no to use stderr directly. Why don't you consistently
use the log infrastructure like the rest of the code.

> +++ openssh-5.5p1/uidswap.c	2010-10-22 14:13:47 +0200
..
> @@ -220,6 +228,20 @@
>  	debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
>  	    (u_int)pw->pw_gid);
>
> +#ifdef __INTERIX
> +	if (0) {
> +		fprintf(stderr, "WARNING: Your password will expire soon. This will make remote\n"
> +		    "logins via ssh impossible without notice of the occured error!\n");
> +	}

What is this about? Don't produce dead code!!

//Peter
From: michael at michaelmess.de (Michael Mess)
Date: Tue, 26 Oct 2010 12:35:40 +0200
Subject: Suggestion for -G option for remote ports to be forwarded, analogous to -g option for local ports (-L) to be forwarded.
Message-ID: <4CC6AEFC.3090301@michaelmess.de>

When forwarding local ports with -L these ports can be made accessible
to the local net with the -g option.

For remote ports, forwarded with -R, this option does not apply. It would
be nice to have a -G option which does the same on the remote machine
for the remote net, depending on the remote user's rights.

On the server side it should be configurable on which
networks/addresses the forwarded ports should be (un)available if the -G
option is specified; this should default to the remote user's rights:
if the remote user (the user logged in on the remote side) can do a "ssh
-g", the local user should be able to use the -G option.
This would make sense, because a logged-in remote user who can do "ssh
-g" could log in to itself with "ssh -g", forwarding another port,
accessible from everywhere, to the only locally accessible port already
forwarded by the ssh session created when logging in from local to remote.

Cheers,

Michael
From: djm at mindrot.org (Damien Miller)
Date: Wed, 27 Oct 2010 16:57:14 +1100 (EST)
Subject: Suggestion for -G option for remote ports to be forwarded, analogous to -g option for local ports (-L) to be forwarded.
In-Reply-To: <4CC6AEFC.3090301@michaelmess.de>
References: <4CC6AEFC.3090301@michaelmess.de>
Message-ID:

search for "GatewayPorts" in man sshd_config.

On Tue, 26 Oct 2010, Michael Mess wrote:

> When forwarding local ports with -L these ports can be made accessible
> to the local net with the -g option.
>
> For remote ports, forwarded with -R, this option does not apply. It would
> be nice to have a -G option which does the same on the remote machine
> for the remote net, depending on the remote user's rights.
>
> On the server side it should be configurable on which
> networks/addresses the forwarded ports should be (un)available if the -G
> option is specified; this should default to the remote user's rights:
> if the remote user (the user logged in on the remote side) can do a "ssh
> -g", the local user should be able to use the -G option.
> This would make sense, because a logged-in remote user who can do "ssh
> -g" could log in to itself with "ssh -g", forwarding another port,
> accessible from everywhere, to the only locally accessible port already
> forwarded by the ssh session created when logging in from local to remote.
>
> Cheers,
>
> Michael
>
From: mduft at gentoo.org (Markus Duft)
Date: Wed, 27 Oct 2010 11:19:37 +0200
Subject: Interix Port
Message-ID: <4CC7EEA9.20202@gentoo.org>

Hi!

Thanks for the suggestions. Attached is another version of the patch for
the second review round ;)

I tried to - as much as possible - use the same preprocessor syntax, and
- again, as much as possible - use the log infrastructure. However, the
big fat INTERIX_PWD_WARNING must be written on stderr directly, as even
with error(), it won't appear if the _server_ is not at least in verbose
mode (one -v), which is not what I want. Anything I missed there?

The rest is pretty much the same, but without the buffer overflow, with
an added configure check for res_query - and thus a feature flag, etc ;)

(BTW: now subscribed to the list, so I should be able to reply on future
mails - sorry for breaking the thread ... )

Regards, and thanks,
Markus

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-5.5_p1-interix.patch
Type: text/x-patch
Size: 16135 bytes
Desc: not available
URL:
From: peter at stuge.se (Peter Stuge)
Date: Thu, 28 Oct 2010 08:56:16 +0200
Subject: Suggestion for -G option for remote ports to be forwarded, analogous to -g option for local ports (-L) to be forwarded.
In-Reply-To: <4CC6AEFC.3090301@michaelmess.de>
References: <4CC6AEFC.3090301@michaelmess.de> <4CC6AEFC.3090301@michaelmess.de>
Message-ID: <20101028065616.7157.qmail@stuge.se>

Michael Mess wrote:
> When forwarding local ports with -L these ports can be made accessible
> to the local net with the -g option.
>
> For remote ports, forwarded with -R this option does not apply. It would
> be nice to have a -G option which does the same on the remote machine
> for the remote net, depending on the remote users rights.

Damien Miller wrote:
> search for "GatewayPorts" in man sshd_config.

Also note that this is and should be a sshd setting. I don't think it's
a very good idea to allow a client to specify the forwarding policy on
the server.

//Peter
From: paul.bradley.listmail at gmail.com (Paul Bradley)
Date: Sat, 30 Oct 2010 10:11:33 +0100
Subject: x509 cert chain
Message-ID:

Hi,

I am trying to set up OpenSSH with x509 certs and I'm getting nowhere.
I've been at this on and off for days and doing all the googling I can
but I'm still not making progress so any help would be very much
appreciated. I believe the latest OpenSSH builds support x509
certificates - I'm running 5.5 on Ubuntu 10.04.

What I want to do is have users on Windows boxes using PuttySC or similar
(suggestions welcome) log in without needing to enter a
username/password, using an x509 certificate stored on a smartcard /
token.

The user identities already exist (x509 certs + private keys) and there
is a multi-level CA structure. It's a simple one though:

ROOT CA -> POLICY CA -> ISSUING CA -> USER CERTIFICATE

How do I configure OpenSSH to allow logins from users who have
certificates signed by the trusted issuing CA at the end of the chain
above? Presumably the server needs the whole CA chain and I've tried
cat'ing the .pem files for the CA certificates together and copying the
result to a file that I've pointed to with CACertificateFile in
sshd_config.

In the authorized_keys I've got:

x509v3-sign-rsa subject= /C=COUNTRY/ST=STATE/O=ORGANIZATION/OU=OU/CN=CN

i.e. the DN of the ROOT CA certificate - should this instead be the
issuing CA?

Generally any pointers would be very helpful. I've found Roumen Petrov's
patches and read some of his stuff but I find it a bit difficult to
follow and in any case I'm not sure how relevant his implementation is
to the mainline openssh 5.4/5.5 x509.

Thanks

Paul
From: paul.bradley.listmail at gmail.com (Paul Bradley)
Date: Sat, 30 Oct 2010 10:15:37 +0100
Subject: x509 cert chain
In-Reply-To:
References:
Message-ID:

Sorry for the followup - I forgot something: I'd also like to know how I
get an x509 certificate into the server for it to use as its host key, so
both the host and users can verify each other using the same CA.

thanks

Paul

On Sat, Oct 30, 2010 at 10:11 AM, Paul Bradley <paul.bradley.listmail at gmail.com> wrote:

>
> Hi,
>
> I am trying to set up OpenSSH with x509 certs and I'm getting nowhere. I've
> been at this on and off for days and doing all the googling I can but I'm
> still not making progress so any help would be very much appreciated. I
> believe the latest OpenSSH builds support x509 certificates - I'm running
> 5.5 on Ubuntu 10.04.
>
> What I want to do is have users on Windows boxes using PuttySC or similar
> (suggestions welcome) log in without needing to enter a username/password,
> using an x509 certificate stored on a smartcard / token.
>
> The user identities already exist (x509 certs + private keys) and there is
> a multi-level CA structure. It's a simple one though: ROOT CA -> POLICY
> CA -> ISSUING CA -> USER CERTIFICATE
>
> How do I configure OpenSSH to allow logins from users who have certificates
> signed by the trusted issuing CA at the end of the chain above? Presumably
> the server needs the whole CA chain and I've tried cat'ing the .pem files
> for the CA certificates together and copying the result to a file that I've
> pointed to with CACertificateFile in sshd_config.
>
> In the authorized_keys I've got:
> x509v3-sign-rsa subject= /C=COUNTRY/ST=STATE/O=ORGANIZATION/OU=OU/CN=CN i.e.
> the DN of the ROOT CA certificate - should this instead be the issuing CA?
>
> Generally any pointers would be very helpful. I've found Roumen Petrov's patches and read some of his stuff, but I find it a bit difficult to follow, and in any case I'm not sure how relevant his implementation is to the mainline openssh 5.4/5.5 x509.
>
> Thanks
>
> Paul
>

From peter at stuge.se Sat Oct 30 22:27:40 2010
From: peter at stuge.se (Peter Stuge)
Date: Sat, 30 Oct 2010 13:27:40 +0200
Subject: x509 cert chain
In-Reply-To:
References:
Message-ID: <20101030112740.22570.qmail@stuge.se>

Paul Bradley wrote:
> I believe the latest OpenSSH builds support x509 certificates

Not at all. OpenSSH uses its own certificate format.

> I've found Roumen Petrov's patches and read some of his stuff but I find it a bit difficult to follow and in any case I'm not sure how relevant his implementation is to the mainline openssh 5.4/5.5 x509.

There is no x509 in OpenSSH mainline. You need the patches if that is what you want.

//Peter

From djm at mindrot.org Sun Oct 31 08:06:41 2010
From: djm at mindrot.org (Damien Miller)
Date: Sun, 31 Oct 2010 08:06:41 +1100 (EST)
Subject: x509 cert chain
In-Reply-To: <20101030112740.22570.qmail@stuge.se>
References: <20101030112740.22570.qmail@stuge.se>
Message-ID:

On Sat, 30 Oct 2010, Peter Stuge wrote:

> Paul Bradley wrote:
> > I believe the latest OpenSSH builds support x509 certificates
>
> Not at all. OpenSSH uses its own certificate format.
>
> > I've found Roumen Petrov's patches and read some of his stuff but I find it a bit difficult to follow and in any case I'm not sure how relevant his implementation is to the mainline openssh 5.4/5.5 x509.
>
> There is no x509 in OpenSSH mainline. You need the patches if that is what you want.

Yes, Roumen Petrov has maintained some for quite a few years:

http://www.roumenpetrov.info/openssh/

-d

From ehimawan at gmail.com Sun Oct 31 14:23:17 2010
From: ehimawan at gmail.com (Erwin Himawan)
Date: Sat, 30 Oct 2010 22:23:17 -0500
Subject: x509 cert chain
In-Reply-To:
References:
Message-ID: <58F774BBB3E7499A8810D3169F5D7D9F@d8400>

I was able to patch openssh using Roumen Petrov's patch.
I was able to perform x509 mutual authentication between the client and daemon.
I was also able to perform CRL verification.
However, my CA has only one level; i.e. the RootCA issues certificates to the openssh daemon and the openSSH client.
Due to time constraints, I have not tried a multi-level CA like yours. I am still interested in trying a multi-level CA.

So, if you want, send me your daemon config file, client config file, and the client's known host and daemon's known host files.
I can take a look into your config files and help you troubleshoot.

Erwin

--------------------------------------------------
From: "Paul Bradley"
Sent: Saturday, October 30, 2010 4:15 AM
To:
Subject: Re: x509 cert chain

> Sorry for the followup - I forgot something:
>
> I'd also like to know how I get an x509 certificate into the server for it to use as its host key, so both the host and users can verify each other using the same CA.
>
> thanks
>
> Paul
>
>
> On Sat, Oct 30, 2010 at 10:11 AM, Paul Bradley <paul.bradley.listmail at gmail.com> wrote:
>
>>
>> Hi,
>>
>> I am trying to set up OpenSSH with x509 certs and I'm getting nowhere. I've been at this on and off for days and doing all the googling I can, but I'm still not making progress, so any help would be very much appreciated. I believe the latest OpenSSH builds support x509 certificates - I'm running 5.5 on Ubuntu 10.04.
>>
>> What I want to do is have users on Windows boxes using PuttySC or similar (suggestions welcome) log in without needing to enter a username/password, using an x509 certificate stored on a smartcard / token.
>>
>> The user identities already exist (x509 certs + private keys) and there is a multi-level CA structure. It's a simple one though: ROOT CA -> POLICY CA -> ISSUING CA -> USER CERTIFICATE
>>
>> How do I configure OpenSSH to allow logins from users who have certificates signed by the trusted issuing CA at the end of the chain above? Presumably the server needs the whole CA chain, and I've tried cat'ing the .pem files for the CA certificates together and copying the result to a file that I've pointed to with CACertificateFile in sshd_config.
>>
>> In the authorized_keys I've got:
>> x509v3-sign-rsa subject= /C=COUNTRY/ST=STATE/O=ORGANIZATION/OU=OU/CN=CN
>> i.e. the DN of the ROOT CA certificate - should this instead be the issuing CA?
>>
>> Generally any pointers would be very helpful. I've found Roumen Petrov's patches and read some of his stuff, but I find it a bit difficult to follow, and in any case I'm not sure how relevant his implementation is to the mainline openssh 5.4/5.5 x509.
>>
>> Thanks
>>
>> Paul
>>
>>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From openssh at roumenpetrov.info Sun Oct 31 21:58:12 2010
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Sun, 31 Oct 2010 12:58:12 +0200
Subject: x509 cert chain
In-Reply-To: <58F774BBB3E7499A8810D3169F5D7D9F@d8400>
References: <58F774BBB3E7499A8810D3169F5D7D9F@d8400>
Message-ID: <4CCD4BC4.1060004@roumenpetrov.info>

Paul,

Hostbased authentication requires "SSL Server" in "Netscape Cert Type" for the server certificate. Otherwise the user could update AllowedCertPurpose, as the default is sslserver.

Please check for EnableSSHKeysign in the user configuration.

Roumen

Erwin Himawan wrote:
> I was able to patch openssh using Roumen Petrov's patch.
> I was able to perform x509 mutual authentication between the client and daemon.
> I was also able to perform CRL verification.
> However, my CA has only one level; i.e. the RootCA issues certificates to the openssh daemon and the openSSH client.
> Due to time constraints, I have not tried a multi-level CA like yours. I am still interested in trying a multi-level CA.
>
> So, if you want, send me your daemon config file, client config file, and the client's known host and daemon's known host files.
> I can take a look into your config files and help you troubleshoot.
>
> Erwin
>
> --------------------------------------------------
> From: "Paul Bradley"
> Sent: Saturday, October 30, 2010 4:15 AM
> To:
> Subject: Re: x509 cert chain
>
>> Sorry for the followup - I forgot something:
>>
>> I'd also like to know how I get an x509 certificate into the server for it to use as its host key, so both the host and users can verify each other using the same CA.
>>
>> thanks
>>
>> Paul
>>
>>
>> On Sat, Oct 30, 2010 at 10:11 AM, Paul Bradley <paul.bradley.listmail at gmail.com> wrote:
>>
>>>
>>> Hi,
>>>
>>> I am trying to set up OpenSSH with x509 certs and I'm getting nowhere. I've been at this on and off for days and doing all the googling I can, but I'm still not making progress, so any help would be very much appreciated. I believe the latest OpenSSH builds support x509 certificates - I'm running 5.5 on Ubuntu 10.04.
>>>
>>> What I want to do is have users on Windows boxes using PuttySC or similar (suggestions welcome) log in without needing to enter a username/password, using an x509 certificate stored on a smartcard / token.
>>>
>>> The user identities already exist (x509 certs + private keys) and there is a multi-level CA structure. It's a simple one though: ROOT CA -> POLICY CA -> ISSUING CA -> USER CERTIFICATE
>>>
>>> How do I configure OpenSSH to allow logins from users who have certificates signed by the trusted issuing CA at the end of the chain above? Presumably the server needs the whole CA chain, and I've tried cat'ing the .pem files for the CA certificates together and copying the result to a file that I've pointed to with CACertificateFile in sshd_config.
>>>
>>> In the authorized_keys I've got:
>>> x509v3-sign-rsa subject= /C=COUNTRY/ST=STATE/O=ORGANIZATION/OU=OU/CN=CN
>>> i.e. the DN of the ROOT CA certificate - should this instead be the issuing CA?
>>>
>>> Generally any pointers would be very helpful. I've found Roumen Petrov's patches and read some of his stuff, but I find it a bit difficult to follow, and in any case I'm not sure how relevant his implementation is to the mainline openssh 5.4/5.5 x509.
>>>
>>> Thanks
>>>
>>> Paul
>>>
>>>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Get X.509 certificates support in OpenSSH: http://roumenpetrov.info/openssh/
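Pulling the options named in this thread into one configuration sketch, as an added example that is not from any poster or from the patch's own documentation: it assumes the X.509 patch's convention that an authorized_keys DN identifies the user certificate's subject (the CA chain is trusted through CACertificateFile, not through authorized_keys), and every path and DN value below is a placeholder.

```text
# --- sshd_config on the server (X.509 patch options as named in the thread) ---
# One PEM bundle holding ROOT CA, POLICY CA and ISSUING CA certificates,
# concatenated; the server needs every CA in the path to the user certificate.
CACertificateFile /etc/ssh/ca/ca-chain.pem        # placeholder path

# Purpose check applied to the peer certificate; the patch's default is
# sslserver, which is why a host certificate must carry "SSL Server" in its
# Netscape Cert Type (per Roumen's reply) unless this is relaxed.
#AllowedCertPurpose sslserver

# --- ~/.ssh/authorized_keys on the server ---
# The DN is the *user* certificate's subject, not the root or issuing CA's
# (assumption about the patch's matching rule; DN values are placeholders).
x509v3-sign-rsa subject= /C=COUNTRY/ST=STATE/O=ORGANIZATION/OU=OU/CN=user.name

# --- ssh_config on the client, only if hostbased authentication is used ---
# Mainline option the thread points at for hostbased auth with X.509 host keys.
EnableSSHKeysign yes
```

A defender-side check before trusting the bundle: verify with the CA tooling that a sample user certificate chains up through ISSUING and POLICY to ROOT using exactly the concatenated file, so a missing intermediate is caught before sshd silently rejects every login.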