From rac at tenzing.org Wed Sep 1 04:55:18 2010
From: rac at tenzing.org (Roger Cornelius)
Date: Tue, 31 Aug 2010 14:55:18 -0400
Subject: 5.5p1/5.6p1 fails tests on SCO Openserver 5.0.7
Message-ID: <20100831185518.GA3295@tenzing.org>

Openssh 5.5p1 and 5.6p1
SCO OpenServer 5.0.7

I've built various versions of openssh on SCO OSR5.0.7 over the years
without much of a problem. Beginning with 5.5p1 however, I have been
unable to get a working install. I'm building with gcc 2.95.3. The
build completes normally, but 'make tests' fails on several tests:

sftp-cmds.sh failures (get command fails on both):
- get filename with spaces
- get filename with glob metacharacters

sftp-batch.sh failures:
- bad commands

sftp-glob.sh failures:
- file glob
- escaped space
- quoted space

cert-hostkey.sh and cert-userkey.sh failures:
- ssh-keygen seems to generate the keys, but is unable to sign them, and
  when attempting to do so, complains:

debug3: Not a RSA1 key file /u/home/rac/src/openssh/openssh-5.6p1/regress/host_ca_key.
debug1: read PEM private key done: type RSA
debug3: Not a RSA1 key file /u/home/rac/src/openssh/openssh-5.6p1/regress/cert_host_key_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
do_ca_sign: unable to open "/u/home/rac/src/openssh/openssh-5.6p1/regress/cert_host_key_rsa"
couldn't sign cert_host_key_rsa

I haven't pursued beyond this since the cert- scripts are show stoppers.
I've perused the mailing list archives and don't see anything similar.
I've also tried building without optimization on the off chance it was
something to do with gcc.

Does anyone have any suggestions?

From imorgan at nas.nasa.gov Thu Sep 2 05:24:08 2010
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Wed, 1 Sep 2010 12:24:08 -0700
Subject: anoncvs.mindrot.org
Message-ID: <20100901192408.GR23900@linux55.nas.nasa.gov>

Hi,

Is anyone else having problems with anoncvs.mindrot.org? I do a cvs
update on a semi-regular basis and it has been failing for the past few
days.

$ cvs up
Connection closed by 116.66.166.109
cvs [update aborted]: end of file from server (consult above messages if any)
$

It looks like ssh gets to the point of receiving SSH2_MSG_SERVICE_ACCEPT
and then the connection is closed.

I'm wondering if this might be a side-effect of bz#1638.

Regards,

--
Iain Morgan

From tim at multitalents.net Thu Sep 2 06:10:01 2010
From: tim at multitalents.net (Tim Rice)
Date: Wed, 1 Sep 2010 13:10:01 -0700 (PDT)
Subject: 5.5p1/5.6p1 fails tests on SCO Openserver 5.0.7
In-Reply-To: <20100831185518.GA3295@tenzing.org>
References: <20100831185518.GA3295@tenzing.org>
Message-ID:

Hi Roger,

On Tue, 31 Aug 2010, Roger Cornelius wrote:

> Openssh 5.5p1 and 5.6p1
> SCO OpenServer 5.0.7
>
> I've built various versions of openssh on SCO OSR5.0.7 over the years
> without much of a problem. Beginning with 5.5p1 however, I have been
> unable to get a working install. I'm building with gcc 2.95.3. The
> build completes normally, but 'make tests' fails on several tests:
>
[snip]

OpenServer 5 is strange. You'll probably find these tests will pass
if you copy your tree to /usr/tmp and test there. I've had to do this
for a long time on OpenServer 5.
My normal build dir (for 5.6) is /usr/local/src/networking/openssh-5.6
testing there fails.
.......
$ tail x.tst
sftp commands: rmdir
sftp commands: lmkdir
sftp commands: lchdir
rm: cannot remove .
rm: cannot remove ..
rm: .cvsignore not removed: Read-only file system (error 30)
failed sftp commands
gmake[1]: *** [t-exec] Error 1
gmake[1]: Leaving directory `/tmp_mnt/opt/src/networking/openssh/openssh-5.6/regress'
gmake: *** [tests] Error 2
.......

But copying it all to /usr/tmp/openssh-5.6 gets me
......
$ tail x.tst2
certified user keys: principals key option principals auth authorized_keys expect success rsa_v00
certified user keys: principals key option no principals auth authorized_keys expect failure rsa
certified user keys: principals key option no principals auth authorized_keys expect failure rsa_v00
certified user keys: user rsa connect wrong cert
certified user keys: user dsa connect wrong cert
certified user keys: user rsa_v00 connect wrong cert
certified user keys: user dsa_v00 connect wrong cert
ok certified user keys
gmake[1]: Leaving directory `/tmp_mnt/opt/src/networking/openssh/openssh-5.6/regress'
all tests passed
......

> I haven't pursued beyond this since the cert- scripts are show stoppers.
> I've perused the mailing list archives and don't see anything similar.
> I've also tried building without optimization on the off chance it was
> something to do with gcc.
>
> Does anyone have any suggestions?

One other tip, on 5.0.7 you can put this
CPPFLAGS="-Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
in front of your configure command to use the native POSIX vsnprintf/snprintf
instead of the ones in openbsd-compat.

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From djm at mindrot.org Thu Sep 2 10:03:57 2010
From: djm at mindrot.org (Damien Miller)
Date: Thu, 2 Sep 2010 10:03:57 +1000 (EST)
Subject: anoncvs.mindrot.org
In-Reply-To: <20100901192408.GR23900@linux55.nas.nasa.gov>
References: <20100901192408.GR23900@linux55.nas.nasa.gov>
Message-ID:

should be fixed now - sorry for the hassle.

On Wed, 1 Sep 2010, Iain Morgan wrote:

> Hi,
>
> Is anyone else having problems with anoncvs.mindrot.org? I do a cvs
> update on a semi-regular basis and it has been failing for the past few
> days.
>
> $ cvs up
> Connection closed by 116.66.166.109
> cvs [update aborted]: end of file from server (consult above messages if any)
> $
>
> It looks like ssh gets to the point of receiving SSH2_MSG_SERVICE_ACCEPT
> and then the connection is closed.
>
> I'm wondering if this might be a side-effect of bz#1638.
>
> Regards,
>
> --
> Iain Morgan
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From damon.mcmahon at gmail.com Thu Sep 2 23:34:20 2010
From: damon.mcmahon at gmail.com (Damon McMahon)
Date: Thu, 2 Sep 2010 23:04:20 +0930
Subject: OpenSSH rocks! OK, you know that already, but I just wanted to say it...
Message-ID:

Greetings,

For a while I've been pondering how to enable the business owner of my
former employer (whose network I established and maintained before I
left) to have webmail access to his email.

The internal mail server is an old MacOS X 10.4 Tiger server protected
behind an OpenBSD gateway (naturally). I commissioned it many years ago
before hosted mail services were as cheap and competent as they are
now. It's still doing a fine job, but I'm paranoid enough to say "no
way" to exposing the ports of the +current+ version of MacOS X Server
to the internet, never mind one not even supported by Apple anymore.

There were several potential solutions, but all were inelegant,
expensive or needlessly complex for one reason or another.

And then I remembered port forwarding using ssh -L. I'd never had a use
for it until now. A few minutes testing...yes, this just might do the
trick. All I need to do now is to pre-roll putty on a USB and there we
go: a secure method to access a somewhat-less-than-secure mail server
anywhere via a web browser.

Did I mention you guys rock?

Mental note: add a donation to my next OpenBSD CD purchase ;-)

Best wishes to all you talented developers!

Damon

From brakeb at gmail.com Fri Sep 3 01:52:34 2010
From: brakeb at gmail.com (Bryan)
Date: Thu, 2 Sep 2010 10:52:34 -0500
Subject: OpenSSH rocks! OK, you know that already, but I just wanted to say it...
In-Reply-To:
References:
Message-ID:

On Thu, Sep 2, 2010 at 08:34, Damon McMahon wrote:
> Greetings,
>
> Did I mention you guys rock?
>
> Mental note: add a donation to my next OpenBSD CD purchase ;-)
>

Actually, I think that you can make a donation to OpenSSH specifically.

Bryan

From dwmw2 at infradead.org Fri Sep 3 08:14:12 2010
From: dwmw2 at infradead.org (David Woodhouse)
Date: Thu, 02 Sep 2010 23:14:12 +0100
Subject: anoncvs.mindrot.org
In-Reply-To: <20100901192408.GR23900@linux55.nas.nasa.gov>
References: <20100901192408.GR23900@linux55.nas.nasa.gov>
Message-ID: <1283465652.21928.165.camel@macbook.infradead.org>

On Wed, 2010-09-01 at 12:24 -0700, Iain Morgan wrote:
> Is anyone else having problems with anoncvs.mindrot.org? I do a cvs
> update on a semi-regular basis and it has been failing for the past
> few days.

FWIW if you want to pretend you're in the 21st century, there's a git
mirror at git://git.infradead.org/openssh.git -- although it was
failing to update while anoncvs.mindrot.org was inaccessible, of course.

--
dwmw2

From rac at tenzing.org Fri Sep 3 11:24:40 2010
From: rac at tenzing.org (Roger Cornelius)
Date: Thu, 2 Sep 2010 21:24:40 -0400
Subject: 5.5p1/5.6p1 fails tests on SCO Openserver 5.0.7
In-Reply-To:
References: <20100831185518.GA3295@tenzing.org>
Message-ID: <20100903012440.GA26733@tenzing.org>

That's bizarre, but yes, it did allow the tests to complete successfully.
Thanks for the tips. As an exercise, I made all directories in the path
to my original build location 777, did a umask 0, then tried building
again and it still failed.

Roger

On 09/01/2010 13:10, Tim Rice wrote:
>
> Hi Roger,
>
> On Tue, 31 Aug 2010, Roger Cornelius wrote:
>
> > Openssh 5.5p1 and 5.6p1
> > SCO OpenServer 5.0.7
> >
> > I've built various versions of openssh on SCO OSR5.0.7 over the years
> > without much of a problem. Beginning with 5.5p1 however, I have been
> > unable to get a working install. I'm building with gcc 2.95.3.
> > The build completes normally, but 'make tests' fails on several tests:
> >
> [snip]
>
> OpenServer 5 is strange. You'll probably find these tests will pass
> if you copy your tree to /usr/tmp and test there. I've had to do this
> for a long time on OpenServer 5.
> My normal build dir (for 5.6) is /usr/local/src/networking/openssh-5.6
> testing there fails.
> .......
> $ tail x.tst
> sftp commands: rmdir
> sftp commands: lmkdir
> sftp commands: lchdir
> rm: cannot remove .
> rm: cannot remove ..
> rm: .cvsignore not removed: Read-only file system (error 30)
> failed sftp commands
> gmake[1]: *** [t-exec] Error 1
> gmake[1]: Leaving directory `/tmp_mnt/opt/src/networking/openssh/openssh-5.6/regress'
> gmake: *** [tests] Error 2
> .......
>
> But copying it all to /usr/tmp/openssh-5.6 gets me
> ......
> $ tail x.tst2
> certified user keys: principals key option principals auth authorized_keys expect success rsa_v00
> certified user keys: principals key option no principals auth authorized_keys expect failure rsa
> certified user keys: principals key option no principals auth authorized_keys expect failure rsa_v00
> certified user keys: user rsa connect wrong cert
> certified user keys: user dsa connect wrong cert
> certified user keys: user rsa_v00 connect wrong cert
> certified user keys: user dsa_v00 connect wrong cert
> ok certified user keys
> gmake[1]: Leaving directory `/tmp_mnt/opt/src/networking/openssh/openssh-5.6/regress'
> all tests passed
> ......
>
>
> > I haven't pursued beyond this since the cert- scripts are show stoppers.
> > I've perused the mailing list archives and don't see anything similar.
> > I've also tried building without optimization on the off chance it was
> > something to do with gcc.
> >
> > Does anyone have any suggestions?
>
> One other tip, on 5.0.7 you can put this
> CPPFLAGS="-Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
> in front of your configure command to use the native POSIX vsnprintf/snprintf
> instead of the ones in openbsd-compat.
>
> --
> Tim Rice Multitalents (707) 887-1469
> tim at multitalents.net
>
>

From tim at multitalents.net Fri Sep 3 13:41:30 2010
From: tim at multitalents.net (Tim Rice)
Date: Thu, 2 Sep 2010 20:41:30 -0700 (PDT)
Subject: 5.5p1/5.6p1 fails tests on SCO Openserver 5.0.7
In-Reply-To: <20100903012440.GA26733@tenzing.org>
References: <20100831185518.GA3295@tenzing.org> <20100903012440.GA26733@tenzing.org>
Message-ID:

On Thu, 2 Sep 2010, Roger Cornelius wrote:

> That's bizarre, but yes, it did allow the tests to complete successfully.
> Thanks for the tips. As an exercise, I made all directories in the path
> to my original build location 777, did a umask 0, then tried building
> again and it still failed.

It seems to be a path length issue.

>
> Roger
>
> On 09/01/2010 13:10, Tim Rice wrote:
[snip]
> >
> > OpenServer 5 is strange. You'll probably find these tests will pass
> > if you copy your tree to /usr/tmp and test there. I've had to do this
> > for a long time on OpenServer 5.
> > My normal build dir (for 5.6) is /usr/local/src/networking/openssh-5.6
> > testing there fails.

> > But copying it all to /usr/tmp/openssh-5.6 gets me

> > all tests passed

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From dpal at redhat.com Thu Sep 9 10:44:27 2010
From: dpal at redhat.com (Dmitri Pal)
Date: Wed, 08 Sep 2010 20:44:27 -0400
Subject: Proposal for collaboration
Message-ID: <4C882DEB.7020007@redhat.com>

Hello,

My name is Dmitri Pal and for the last two years I have been working on
SSSD and IPA open source projects. SSSD is effectively a replacement for
PAM/NSS combination with offline caching.
The details about the project can be read here:
https://fedorahosted.org/sssd/
Quick overview of features is here:
https://fedorahosted.org/sssd/attachment/wiki/Contribute/sssd%20overview%20slides.2.pdf

SSSD has been actively developed during the last two years. It is a part
of several Linux distributions and is pretty stable now.

IPA is a project that combines MIT KDC with 389 DS. Its v2 is due to be
released later this year.
http://www.freeipa.org/page/Main_Page
https://fedorahosted.org/freeipa/

IPA as a server (though in the context of the discussion below can be
replaced with any other LDAP server) together with SSSD provide a
powerful central management solution for different security and identity
aspects of the UNIX/Linux systems.

We think that SSSD and IPA projects are mature enough to start thinking
about integrating more tightly with different, much more well established
utilities and security solutions such as sudo and openssh.

Here are several ideas about how SSSD and IPA can be integrated with
openssh to provide better management capabilities to the users.

1) Centrally managing the user public keys. Instead of having user
public keys in a key file on each system the appropriate key(s) can be
delivered to the server host via SSSD and IPA (or other LDAP server). It
is similar to openssh-lpk effort but a bit different (see below).

2) Centrally managing fingerprints of the server keys. If the server
host fingerprint is loaded into the central server like IPA the SSSD
would be able to get and cache it. openssh in turn can fetch it from
SSSD on an as-needed basis and do a silent fingerprint verification
without requiring user interaction. I see that there is a DNS option
supported but this lacks caching that SSSD will be able to provide.

3) IPA introduces the concept of hosts and host groups. SSSD has/will
have a capability to take advantage of such functionality. This means
that SSSD would be able to help openssh with .shosts and .rhosts
contents too.

I do not know the design and code of the openssh, sorry, to the extent
of starting to talk about specific functions but what I wanted to
suggest is defining some kind of pluggable interface in openssh that
would abstract the source of the public keys, fingerprints and access
checks (maybe something else we can help with too). Such a pluggable
interface would allow projects like openssh-lpk and SSSD to build
pluggable providers for those crucial pieces of information.

Is there any interest in pursuing such a path together?

I see it as creating an interface that can be enabled through a specific
config value. For example "SecurityProvider". This option would have to
be a path to a .so that should provide a defined, agreed-to interface.
If the configuration option is not given the current rules are
respected. If it is given then the openssh will call API functions to
get keys, fingerprints or do host checks implemented by this .so.

This can definitely be designed in some other way more suitable for the
openssh project and aligned to its vision but I hope it is clear what we
want to try to accomplish.

Would be glad to discuss any options of mutual long and short term
collaboration.

Thank you,
Dmitri Pal

From kozsoo33 at gmail.com Thu Sep 9 16:45:39 2010
From: kozsoo33 at gmail.com (Zsolt Kovács)
Date: Thu, 9 Sep 2010 08:45:39 +0200
Subject: ssh hangs up
Message-ID:

Hi All,

I set a cron to connect to a server every 10 minutes.
Sometimes it hangs up and I can not find why. (Once or twice a day)
I tried to set ServerAliveCountMax 3 and ServerAliveInterval 15 in
ssh_config without any success.
The only way to continue is killing the ssh process.

How can I solve this?
Any other ssh option that could help?
What happens or should happen when it hangs?

Log of a frozen connection:

debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to server [x.x.x.x] port 22.
debug1: Connection established.
debug1: identity file /home/cdr/.ssh/identity type -1
debug3: Not a RSA1 key file /home/cdr/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/cdr/.ssh/id_rsa type 1
debug1: identity file /home/cdr/.ssh/id_dsa type -1

Successful connection:

debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to server [x.x.x.x] port 22.
debug1: Connection established.
debug1: identity file /home/cdr/.ssh/identity type -1
debug3: Not a RSA1 key file /home/cdr/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/cdr/.ssh/id_rsa type 1
debug1: identity file /home/cdr/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1 Debian-8.sarge.6
debug1: match: OpenSSH_3.8.1p1 Debian-8.sarge.6 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour, rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour, rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com ,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com ,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc, rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc, rijndael-cbc at lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160, hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160, hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 121/256
debug2: bits set: 507/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/cdr/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 7
debug3: check_host_in_hostfile: filename /home/cdr/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 7
debug1: Host 'server' is known and matches the RSA host key.
debug1: Found key in /home/cdr/.ssh/known_hosts:7
debug2: bits set: 516/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/cdr/.ssh/identity ((nil))
debug2: key: /home/cdr/.ssh/id_rsa (0x7f006630d2b0)
debug2: key: /home/cdr/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/cdr/.ssh/identity
debug3: no such identity: /home/cdr/.ssh/identity
debug1: Offering public key: /home/cdr/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: SHA1 fp c1:e5:27:e0:26:38:a2:f4:7b:44:3f:10:8b:a8:92:94:44:40:c3:8c
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug2: fd 4 setting O_NONBLOCK
debug2: fd 5 setting O_NONBLOCK
debug3: fd 6 is O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug1: Sending environment.
debug3: Ignored env SHELL
debug3: Ignored env OLDPWD
debug3: Ignored env USER
debug3: Ignored env PATH
debug3: Ignored env PWD
debug3: Ignored env SHLVL
debug3: Ignored env HOME
debug3: Ignored env LOGNAME
debug3: Ignored env _
debug1: Sending command: date 2>/dev/null
debug2: channel 0: request exec confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
debug2: channel_input_status_confirm: type 99 id 0
debug2: exec request accepted on channel 0
debug2: channel 0: read<=0 rfd 4 len 0
debug2: channel 0: read failed
debug2: channel 0: close_read
debug2: channel 0: input open -> drain
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug2: channel 0: input drain -> closed
Tue Sep 7 18:25:10 CEST 2010
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)
debug3: channel 0: close_fds r -1 w -1 e 6 c -1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug3: fd 2 is not O_NONBLOCK
Transferred: sent 2160, received 1832 bytes, in 0.1 seconds
Bytes per second: sent 41860.5, received 35503.9
debug1: Exit status 0

Thanks in advance.

br,
kozsoo

From groupwest at yahoo.com Thu Sep 9 17:09:28 2010
From: groupwest at yahoo.com (igoh)
Date: Thu, 9 Sep 2010 17:09:28 +1000
Subject: chroot directory must be root owned
Message-ID:

Hi Team,

I am just a curious individual user who reviewed OpenSSH; not working
for a company.

I was just wondering why there is a restriction for chroot directory to be
owned by root. The lines of code below in session.c show this. The basic
UNIX security permissions provide a sufficient access control.

Have you guys found a way to bypass security if the directory is not owned
by root?

- * Descend the path, checking that each component is a
- * root-owned directory with strict permissions.
- */
- for (cp = path; cp != NULL;) {
- if ((cp = strchr(cp, '/')) == NULL)
- strlcpy(component, path, sizeof(component));
- else {
- cp++;
- memcpy(component, path, cp - path);
- component[cp - path] = '\0';
- }
-
- debug3("%s: checking '%s'", __func__, component);
-
- if (stat(component, &st) != 0)
- fatal("%s: stat(\"%s\"): %s", __func__,
- component, strerror(errno));
- * if (st.st_uid != 0 || (st.st_mode & 022) != 0)*
- fatal("bad ownership or modes for chroot "
- "directory %s\"%s\"",
- cp == NULL ? "" : "component ", component);

Many Thanks,
Indra G

From bob at proulx.com Thu Sep 9 18:04:40 2010
From: bob at proulx.com (Bob Proulx)
Date: Thu, 9 Sep 2010 02:04:40 -0600
Subject: chroot directory must be root owned
In-Reply-To:
References:
Message-ID: <20100909080440.GA18296@hysteria.proulx.com>

igoh wrote:
> Have you guys found a way to bypass security if the directory is not owned
> by root?

https://bugzilla.redhat.com/show_bug.cgi?id=522141
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904
http://unixwiz.net/techtips/chroot-practices.html

Bob

From peter at stuge.se Sat Sep 11 10:02:46 2010
From: peter at stuge.se (Peter Stuge)
Date: Sat, 11 Sep 2010 02:02:46 +0200
Subject: ssh hangs up
In-Reply-To:
References:
Message-ID: <20100911000246.1246.qmail@stuge.se>

Zsolt Kovács wrote:
> I set a cron to connect to a server every 10 minutes.
> Sometimes it hangs up and I can not find why. (Once or twice a day)
..
> Log of a frozen connection:
..
> debug2: key_type_from_name: unknown key type '-----END'
> debug3: key_read: missing keytype
> debug1: identity file /home/cdr/.ssh/id_rsa type 1
> debug1: identity file /home/cdr/.ssh/id_dsa type -1

> Successful connection:
..
> debug2: key_type_from_name: unknown key type '-----END'
> debug3: key_read: missing keytype
> debug1: identity file /home/cdr/.ssh/id_rsa type 1
> debug1: identity file /home/cdr/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1 Debian-8.sarge.6

The failed connection does not receive a greeting from the remote
server. This is a problem on the server side. Maybe it is overloaded.

Oh, and you should update that server. 3.8.1p1 is very old.

//Peter

From keefe.hayes at sas.com Tue Sep 14 06:35:31 2010
From: keefe.hayes at sas.com (Keefe Hayes)
Date: Mon, 13 Sep 2010 20:35:31 +0000 (UTC)
Subject: Posting request
References: <29A7A091E6164FC89EAC118B0EC00D0A@JohnMullPC>
Message-ID:

The folks at dovetail.com have a Co:Z SFTP package that supplements ported
tools OpenSSH with features such as using MVS data sets. I also believe that
Tectia's SSH server for z/OS supports MVS data sets.
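
Added example, not part of any message in this archive: a pre-flight check for the failure Peter Stuge identifies in the "ssh hangs up" thread above, where the TCP connection is established but the server never sends its identification string. The names `probe_ssh_banner` and `start_demo_listener` are made up for this sketch, and the listener is a constructed local stand-in for a real server.

```python
import socket
import threading
import time

MAX_PREAMBLE = 8192  # give up if the peer sends this much without an SSH- line


def probe_ssh_banner(host, port=22, timeout=5.0):
    """Classify how far a connection to an SSH port gets before key exchange.

    Returns ("connect-failed", reason), ("no-banner", reason) or
    ("banner", identification_string). Never blocks longer than about
    2 * timeout (connect plus banner wait).
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("connect-failed", str(exc))

    deadline = time.monotonic() + timeout
    buf = b""
    with sock:
        while len(buf) < MAX_PREAMBLE:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            sock.settimeout(remaining)
            try:
                chunk = sock.recv(256)
            except OSError:      # timed out or reset while waiting for the greeting
                break
            if not chunk:        # peer closed without identifying itself
                break
            buf += chunk
            # RFC 4253 allows other lines before the "SSH-" identification line.
            for line in buf.split(b"\n")[:-1]:
                if line.startswith(b"SSH-"):
                    return ("banner", line.rstrip(b"\r").decode("ascii", "replace"))
    return ("no-banner",
            "%d bytes received, no SSH- line within %.1fs" % (len(buf), timeout))


def start_demo_listener(banner=None, hold=2.0):
    """Constructed stand-in server: accept one client, optionally send `banner`,
    then keep the socket open for `hold` seconds. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            if banner is not None:
                conn.sendall(banner)
            time.sleep(hold)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    silent = start_demo_listener(None)
    healthy = start_demo_listener(b"SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.6\r\n")
    print(probe_ssh_banner("127.0.0.1", silent, timeout=0.5))
    print(probe_ssh_banner("127.0.0.1", healthy, timeout=0.5))
```

Run from the same cron job before the real ssh command, a "no-banner" result logs the server-side stall explicitly instead of leaving a hung client to be killed by hand.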
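
Added example, not OpenSSH code and not part of any message in this archive: an audit helper that applies the same test as the session.c excerpt in the "chroot directory must be root owned" thread above (uid 0, no group or other write bit) to every component of a chroot path. Unlike sshd, which stops at the first failure, it reports all offending components; `audit_chroot_path`, `SAMPLE_TREE` and `sample_stat` are names invented here, and the sample tree is constructed.

```python
import os
import stat
from collections import namedtuple


def audit_chroot_path(path, stat_fn=os.stat):
    """Return [(component, problem), ...] for each prefix of `path` that fails
    the ownership/mode test quoted from session.c:
        st.st_uid != 0 || (st.st_mode & 022) != 0
    An empty list means every component passes. `stat_fn` is injectable so the
    check can be exercised without root-owned test directories.
    """
    if not path.startswith("/"):
        raise ValueError("chroot path must be absolute: %r" % path)

    parts = [p for p in path.split("/") if p]
    # "/", "/home", "/home/sftp", ... in the order the excerpt descends the path
    prefixes = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]

    findings = []
    for comp in prefixes:
        try:
            st = stat_fn(comp)  # follows symlinks, as stat(2) does in the excerpt
        except OSError as exc:
            findings.append((comp, "stat failed: %s" % exc))
            break  # nothing below a missing component can be checked
        # The excerpt's comment requires each component to be a directory.
        if not stat.S_ISDIR(st.st_mode):
            findings.append((comp, "not a directory"))
        if st.st_uid != 0:
            findings.append((comp, "owned by uid %d, not root" % st.st_uid))
        if st.st_mode & 0o022:
            findings.append(
                (comp, "group/other writable (mode %04o)" % (st.st_mode & 0o7777)))
    return findings


# Constructed sample tree: one group-writable parent, one user-owned leaf.
FakeStat = namedtuple("FakeStat", "st_mode st_uid")
SAMPLE_TREE = {
    "/": FakeStat(0o040755, 0),
    "/home": FakeStat(0o040755, 0),
    "/home/sftp": FakeStat(0o040775, 0),
    "/home/sftp/alice": FakeStat(0o040755, 1001),
}


def sample_stat(path):
    """stat() replacement backed by SAMPLE_TREE."""
    try:
        return SAMPLE_TREE[path]
    except KeyError:
        raise FileNotFoundError(path)


if __name__ == "__main__":
    for component, problem in audit_chroot_path("/home/sftp/alice", sample_stat):
        print("%s: %s" % (component, problem))
```

Called with the default `stat_fn`, it checks a real ChrootDirectory value on the host where it runs.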

From mike.collet at wipro.com Thu Sep 23 22:55:18 2010
From: mike.collet at wipro.com (mike.collet at wipro.com)
Date: Thu, 23 Sep 2010 18:25:18 +0530
Subject: RSA_public_decrypt failed: error:8106A072:lib(129):func(106):reason(114)
Message-ID:

Dear Group,

I'm having a problem connecting Solaris 10 Server to a Redhat Enterprise
Linux 5.4 and meanwhile pretty clueless on that issue. Hopefully I get at
least a hint, from your group, where to look at.

key-length is 2048, permissions are correct on .ssh-directory and the
files itself, keygen is done manually.

On the Linux server we're using openssh-4.3p2-36.el5, on Solaris the
standard pkg which comes in Solaris 10/07 and all packages are installed
correctly.

id_rsa.pub keys are the same on all servers.

Same construct works perfect with other Servers.

Real server-names are changed in following debug-output:

-bash-3.00$ ssh -v backup at logserver
Sun_SSH_1.1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to logserver [****.156] port 22.
debug1: Connection established.
debug1: identity file /export/backup/.ssh/identity type -1
debug1: identity file /export/backup/.ssh/id_rsa type 1
debug1: identity file /export/backup/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.1.1
otherserver 08:17:46 WARNING: Module #1: Module has failed
debug1: csserver engine initialized, now setting it as default for RSA, DSA, and symmetric ciphers
debug1: csserver engine initialization complete
debug1: Failed to acquire GSS-API credentials for any mechanisms (An unsupported mechanism was requested Unknown code 0 )
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: Peer sent proposed langtags, ctos:
debug1: Peer sent proposed langtags, stoc:
debug1: We proposed langtags, ctos: i-default
debug1: We proposed langtags, stoc: i-default
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 125/256
debug1: bits set: 1046/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'logserver' is known and matches the RSA host key.
debug1: Found key in /export/backup/.ssh/known_hosts:1
debug1: bits set: 1059/2048
RSA_public_decrypt failed: error:8106A072:lib(129):func(106):reason(114)
debug1: ssh_rsa_verify: signature incorrect
key_verify failed for server_host_key
debug1: Calling cleanup 0x348a4(0x0)
-bash-3.00$

Best regards,
Mike
From martin at paljak.pri.ee Thu Sep 23 23:51:57 2010
From: martin at paljak.pri.ee (Martin Paljak)
Date: Thu, 23 Sep 2010 16:51:57 +0300
Subject: OpenSSH developers @ FOSDEM 2011
Message-ID:

Hello,

I'm writing from OpenSC project (OpenSSH used to include OpenSC support for smart cards, it has been removed now and PKCS#11 is used instead, which is nice), we're planning to have a "Security / hardware crypto keys" themed devroom at FOSDEM next year. Are people on this list interested in participating, and trying to tackle the problem of "Why OpenSSH does not work with my smart card the way I want" or "If SSH client can work with PKCS#11, why can't I keep my server keys in a dongle or HSM for sshd as well?"

http://www.opensc-project.org/opensc/wiki/FOSDEM2011

--
@MartinPaljak.net
+3725156495

From jmpoure at gooze.eu Fri Sep 24 15:42:21 2010
From: jmpoure at gooze.eu (Jean-Michel Pouré - GOOZE)
Date: Fri, 24 Sep 2010 07:42:21 +0200
Subject: OpenSSH developers @ FOSDEM 2011
In-Reply-To:
References:
Message-ID: <1285306941.3678.10.camel@acer>

> Are people on this list interested in participating
> http://www.opensc-project.org/opensc/wiki/FOSDEM2011

Furthermore, I would like to say that OpenSC would be highly interested to meet OpenSSH developers and establish a direct and friendly collaboration.

Kind regards,
--
Jean-Michel Pouré - Gooze - http://www.gooze.eu
From aris.adamantiadis at belnet.be Fri Sep 24 16:58:28 2010
From: aris.adamantiadis at belnet.be (Aris Adamantiadis)
Date: Fri, 24 Sep 2010 08:58:28 +0200
Subject: OpenSSH developers @ FOSDEM 2011
In-Reply-To:
References:
Message-ID: <4C9C4C14.3030105@belnet.be>

Hi Martin,

I'm interested to participate as well on behalf of the libssh (www.libssh.org) project.

Aris

On 23/09/10 15:51, Martin Paljak wrote:
> Hello,
>
> I'm writing from OpenSC project (OpenSSH used to include OpenSC support for smart cards, it has been removed now and PKCS#11 is used instead, which is nice), we're planning to have a "Security / hardware crypto keys" themed devroom at FOSDEM next year. Are people on this list interested in participating, and trying to tackle the problem of "Why OpenSSH does not work with my smart card the way I want" or "If SSH client can work with PKCS#11, why can't I keep my server keys in a dongle or HSM for sshd as well?"
>
> http://www.opensc-project.org/opensc/wiki/FOSDEM2011

--
Aris Adamantiadis
BELNET, Customer Relations
Technical Advisor
t: +32 2 790 33 33
Dept: customer at belnet.be
Contact: http://www.belnet.be/fr/content/contact

From seifer1983 at gmail.com Sat Sep 25 16:58:24 2010
From: seifer1983 at gmail.com (Nan)
Date: Sat, 25 Sep 2010 14:58:24 +0800
Subject: ssh-keygen with libpkcs11.so can't work
Message-ID:

Hi,

I'm trying the new feature "ssh-keygen(1) now supports signing certificate using a CA key that has been stored in a PKCS#11 token". According to the manpage, I should use "-D" option. And I had a problem with this option.
root at ubuntu-desktop[/home/adam/temp7]#ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id id_rsa.pub
dlopen libpkcs11.so failed: libpkcs11.so: cannot open shared object file: No such file or directory
cannot read public key from pkcs11

I searched on my ubuntu server but found no libpkcs11.so. Also, I searched online, and didn't find too much help. Do I need to download the source of pkcs11, then compile and install on my machine? If yes, where could I get the source. Or I misunderstood the new feature, and it should not be used in this way?

Thanks in advance.

Regards,
Seifer

From jmpoure at gooze.eu Sun Sep 26 00:27:44 2010
From: jmpoure at gooze.eu (Jean-Michel Pouré - GOOZE)
Date: Sat, 25 Sep 2010 16:27:44 +0200
Subject: ssh-keygen with libpkcs11.so can't work
In-Reply-To:
References:
Message-ID: <1285424864.3085.1.camel@acer>

On Saturday 25 September 2010 at 14:58 +0800, Nan wrote:
> I'm trying the new feature "ssh-keygen(1) now supports signing
> certificate
> using a CA key that has been stored in a PKCS#11 token".
> According to the manpage, I should use "-D" option. And I had a
> problem
> with this option.

Please read this HOWTO covering most aspects of PKCS#11 token in OpenSSH:
http://www.gooze.eu/howto/using-openssh-with-smartcards

--
Jean-Michel Pouré - Gooze - http://www.gooze.eu

From martin at paljak.pri.ee Sun Sep 26 02:16:31 2010
From: martin at paljak.pri.ee (Martin Paljak)
Date: Sat, 25 Sep 2010 19:16:31 +0300
Subject: ssh-keygen with libpkcs11.so can't work (Nan)
Message-ID:

> 4. ssh-keygen with libpkcs11.so can't work (Nan)
> I searched on my ubuntu server but found no libpkcs11.so. Also, I searched
> online, and didn't find too much help.
> Do I need to download the source of pkcs11, then compile and install on my
> machine?
> If yes, where could I get the source.
> Or I misunderstood the new feature, and it should not be used in this way?

You need to specify the path to your token PKCS#11, instead of specifying the CA key in the file system, the token based key is used. If you don't have a smart card, you should not use -D but use -s with a file based key instead.

From philipp_subx at redfish-solutions.com Sun Sep 26 10:26:44 2010
From: philipp_subx at redfish-solutions.com (Philip Prindeville)
Date: Sat, 25 Sep 2010 18:26:44 -0600
Subject: Reversing milking machine (console server)
Message-ID: <4C9E9344.5050409@redfish-solutions.com>

Hi.

I have a box (a net5501 with a Perle serial octal RS-232 card in it) that I want to use as a console server for a bunch of headless computers.

I was wondering if there's a trivial app that I can run as the shell that ssh (or telnet) would run, example:

#!/bin/bash

# sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port";
# field 4 is the local port the client connected to.
port=$(echo "$SSH_CONNECTION" | cut -d' ' -f4)

# Listening port 2000+N maps to serial line N.
tty=$((port - 2000))

ttyname=$(printf "/dev/ttyS%02d" "$tty")

(stty 19200 ; \
termserv) <"$ttyname" >"$ttyname"

exit

I could write one from scratch, but if someone already has, that would be even better.

Thanks,

-Philip

From danm at prime.gushi.org Sun Sep 26 12:12:20 2010
From: danm at prime.gushi.org (Dan Mahoney, System Admin)
Date: Sat, 25 Sep 2010 22:12:20 -0400 (EDT)
Subject: Reversing milking machine (console server)
In-Reply-To: <4C9E9344.5050409@redfish-solutions.com>
References: <4C9E9344.5050409@redfish-solutions.com>
Message-ID:

On Sat, 25 Sep 2010, Philip Prindeville wrote:

Look at rtty or conserver.

> Hi.
>
> I have a box (a net5501 with a Perle serial octal RS-232 card in it) that I
> want to use as a console server for a bunch of headless computers.
>
> I was wondering if there's a trivial app that I can run as the shell that ssh
> (or telnet) would run, example:
>
> #!/bin/bash
>
> port=$(echo "$SSH_CONNECTION" | cut -d' ' -f4)
>
> tty=$((port - 2000))
>
> ttyname=$(printf "/dev/ttyS%02d" "$tty")
>
> (stty 19200 ; \
> termserv) <"$ttyname" >"$ttyname"
>
> exit
>
> I could write one from scratch, but if someone already has, that would be
> even better.
>
> Thanks,
>
> -Philip

--

ha. you have not met me.
ha. but i have sene pictures
thanks but uh.,
seen dammit! SEEN!
I don't know who dammit! is.
so anyway

-Undernet #reboot, October 2nd, 2000, 3AM

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------

From dan at doxpara.com Sun Sep 26 12:56:59 2010
From: dan at doxpara.com (Dan Kaminsky)
Date: Sat, 25 Sep 2010 22:56:59 -0400
Subject: Reversing milking machine (console server)
In-Reply-To:
References: <4C9E9344.5050409@redfish-solutions.com>
Message-ID: <006035C0-8C56-42BC-BC35-2CF9C1963CE2@doxpara.com>

Little known feature of GNU Screen is it'll talk straight to serial ports. Could be useful.

On Sep 25, 2010, at 10:12 PM, "Dan Mahoney, System Admin" wrote:
> On Sat, 25 Sep 2010, Philip Prindeville wrote:
>
>
> Look at rtty or conserver.
>
>> Hi.
>>
>> I have a box (a net5501 with a Perle serial octal RS-232 card in
>> it) that I want to use as a console server for a bunch of headless
>> computers.
>>
>> I was wondering if there's a trivial app that I can run as the
>> shell that ssh (or telnet) would run, example:
>>
>> #!/bin/bash
>>
>> port=$(echo "$SSH_CONNECTION" | cut -d' ' -f4)
>>
>> tty=$((port - 2000))
>>
>> ttyname=$(printf "/dev/ttyS%02d" "$tty")
>>
>> (stty 19200 ; \
>> termserv) <"$ttyname" >"$ttyname"
>>
>> exit
>>
>> I could write one from scratch, but if someone already has, that
>> would be even better.
>>
>> Thanks,
>>
>> -Philip
>
> --
>
> ha. you have not met me.
> ha. but i have sene pictures
> thanks but uh.,
> seen dammit! SEEN!
> I don't know who dammit! is.
> so anyway
>
> -Undernet #reboot, October 2nd, 2000, 3AM
>
> --------Dan Mahoney--------
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144 AIM: LarpGM
> Site: http://www.gushi.org
> ---------------------------

From jrollins at finestructure.net Sun Sep 26 15:32:34 2010
From: jrollins at finestructure.net (Jameson Rollins)
Date: Sun, 26 Sep 2010 01:32:34 -0400
Subject: Reversing milking machine (console server)
In-Reply-To: <006035C0-8C56-42BC-BC35-2CF9C1963CE2@doxpara.com>
References: <4C9E9344.5050409@redfish-solutions.com> <006035C0-8C56-42BC-BC35-2CF9C1963CE2@doxpara.com>
Message-ID: <87lj6p5atp.fsf@servo.finestructure.net>

On Sat, 25 Sep 2010 22:56:59 -0400, Dan Kaminsky wrote:
> Little known feature of GNU Screen is it'll talk straight to serial
> ports. Could be useful.

In that vein there is also cereal*, which is a serial terminal management system that uses screen as a back end:

http://cmrg.fifthhorseman.net/wiki/cereal

Works great for terminal servers that are only available via ssh.

jamie.
* disclosure: I am a developer

From rein at basefarm.no Thu Sep 30 02:23:36 2010
From: rein at basefarm.no (Rein Tollevik)
Date: Wed, 29 Sep 2010 18:23:36 +0200
Subject: AuthorizedKeysFile in Match block causes seg. fault
Message-ID: <4CA36808.2070109@basefarm.no>

OpenSSH 5.6p1 will attempt to free static storage and seg. fault if AuthorizedKeysFile is used within a Match block without any global specification of that option. A simple fix is to xstrdup the defined pathnames as in the attached patch.

--
Rein Tollevik
Basefarm AS
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh.patch
Type: text/x-patch
Size: 1102 bytes
Desc: not available
URL:

From peter at stuge.se Thu Sep 30 07:24:41 2010
From: peter at stuge.se (Peter Stuge)
Date: Wed, 29 Sep 2010 23:24:41 +0200
Subject: AuthorizedKeysFile in Match block causes seg. fault
In-Reply-To: <4CA36808.2070109@basefarm.no>
References: <4CA36808.2070109@basefarm.no>
Message-ID: <20100929212442.14877.qmail@stuge.se>

Rein Tollevik wrote:
> OpenSSH 5.6p1 will attempt to free static storage and seg. fault if
> AuthorizedKeysFile is used within a Match block without any global
> specification of that option. A simple fix is to xstrdup the defined
> pathnames as in the attached patch.

Will the memory really be freed in every case?

//Peter

From philipp_subx at redfish-solutions.com Thu Sep 30 08:00:11 2010
From: philipp_subx at redfish-solutions.com (Philip Prindeville)
Date: Wed, 29 Sep 2010 15:00:11 -0700
Subject: Problems connecting to bugzilla
Message-ID: <4CA3B6EB.5070002@redfish-solutions.com>

Anyone else having issues connecting to bugzilla on bugzilla.mindrot.org? I keep getting:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster at mindrot.org and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

From rbachwan at eden.rutgers.edu Thu Sep 30 13:51:56 2010
From: rbachwan at eden.rutgers.edu (Rekha Bachwani)
Date: Wed, 29 Sep 2010 23:51:56 -0400
Subject: Problems connecting to bugzilla
In-Reply-To: <4CA3B6EB.5070002@redfish-solutions.com>
References: <4CA3B6EB.5070002@redfish-solutions.com>
Message-ID: <4CA4095C.5050002@eden.rutgers.edu>

Yes, I am facing the same problem since yesterday.

Rekha

On 9/29/2010 6:00 PM, Philip Prindeville wrote:
> Anyone else having issues connecting to bugzilla on
> bugzilla.mindrot.org? I keep getting:
>
>
> Internal Server Error
>
> The server encountered an internal error or misconfiguration and was
> unable to complete your request.
>
> Please contact the server administrator, webmaster at mindrot.org and
> inform them of the time the error occurred, and anything you might
> have done that may have caused the error.
>
> More information about this error may be available in the server error
> log.

From djm at mindrot.org Thu Sep 30 21:07:01 2010
From: djm at mindrot.org (Damien Miller)
Date: Thu, 30 Sep 2010 21:07:01 +1000 (EST)
Subject: AuthorizedKeysFile in Match block causes seg. fault
In-Reply-To: <4CA36808.2070109@basefarm.no>
References: <4CA36808.2070109@basefarm.no>
Message-ID:

On Wed, 29 Sep 2010, Rein Tollevik wrote:
> OpenSSH 5.6p1 will attempt to free static storage and seg. fault if
> AuthorizedKeysFile is used within a Match block without any global
> specification of that option. A simple fix is to xstrdup the defined
> pathnames as in the attached patch.

Applied - thanks.
-d

From djm at mindrot.org Thu Sep 30 21:07:11 2010
From: djm at mindrot.org (Damien Miller)
Date: Thu, 30 Sep 2010 21:07:11 +1000 (EST)
Subject: Problems connecting to bugzilla
In-Reply-To: <4CA4095C.5050002@eden.rutgers.edu>
References: <4CA3B6EB.5070002@redfish-solutions.com> <4CA4095C.5050002@eden.rutgers.edu>
Message-ID:

On Wed, 29 Sep 2010, Rekha Bachwani wrote:
> Yes, I am facing the same problem since yesterday.

Fixed - sorry about that.
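
Added example for the "AuthorizedKeysFile in Match block causes seg. fault" thread above; it is not the attached patch and not OpenSSH source. It is a simplified model of the ownership bug that report describes: a default stored as a pointer to static storage, then released by a later override, next to the copy-on-default fix. The struct, the function names and the "/keys/%u" override path are assumptions made for the illustration, and the model returns -1 at the point where an unchecked free() would crash.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of a server options struct. */
struct opts {
    char *keys_file;            /* NULL means "not set in the config" */
};

/* Compiled-in default: static storage, must never reach free(). */
static char default_keys_file[] = ".ssh/authorized_keys";

/* Heap copy; stands in for xstrdup but returns NULL on failure. */
static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p != NULL ? memcpy(p, s, n) : NULL;
}

/* Reported pattern: the default is stored by pointer, not copied. */
static void fill_defaults_aliased(struct opts *o) {
    if (o->keys_file == NULL)
        o->keys_file = default_keys_file;
}

/* Fixed pattern: every value the struct holds is heap-owned. */
static int fill_defaults_copied(struct opts *o) {
    if (o->keys_file == NULL)
        o->keys_file = dup_str(default_keys_file);
    return o->keys_file != NULL ? 0 : -1;
}

/* Would free(o->keys_file) be handed the static default? */
static int would_free_static(const struct opts *o) {
    return o->keys_file == default_keys_file;
}

/* Match-style override: release the old value, install a copy of the new.
 * Returns -1 where an unchecked free() would hit static storage, or on OOM. */
static int apply_match_override(struct opts *o, const char *value) {
    char *copy;

    if (would_free_static(o) || (copy = dup_str(value)) == NULL)
        return -1;
    free(o->keys_file);
    o->keys_file = copy;
    return 0;
}

int main(void) {
    struct opts bad = { NULL }, good = { NULL };

    fill_defaults_aliased(&bad);
    printf("aliased default: %d\n", apply_match_override(&bad, "/keys/%u"));
    if (fill_defaults_copied(&good) == 0)
        printf("copied default:  %d\n", apply_match_override(&good, "/keys/%u"));
    free(good.keys_file);
    return 0;
}
```
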