openssh-unix-dev Digest, Vol 100, Issue 3
Loganaden Velvindron
loganaden at gmail.com
Wed Aug 17 21:11:05 EST 2011
Works on my netbsd tinkerbox.
NetBSD 5.0.2 NetBSD 5.0.2 (GENERIC)
It uses rlimit.
Privsep sandbox style: rlimit
I also get warnings during make.
fmt_scaled.c: In function 'scan_scaled':
fmt_scaled.c:84: warning: array subscript has type 'char'
fmt_scaled.c:111: warning: array subscript has type 'char'
fmt_scaled.c:155: warning: array subscript has type 'char'
fmt_scaled.c:158: warning: array subscript has type 'char'
readpassphrase.c: In function 'readpassphrase':
readpassphrase.c:134: warning: array subscript has type 'char'
readpassphrase.c:136: warning: array subscript has type 'char'
readpassphrase.c:138: warning: array subscript has type 'char'
/usr/bin/ar: creating libopenbsd-compat.a
canohost.c: In function 'get_remote_hostname':
canohost.c:107: warning: array subscript has type 'char'
canohost.c:108: warning: array subscript has type 'char'
match.c: In function 'match_pattern_list':
match.c:143: warning: array subscript has type 'char'
match.c:144: warning: array subscript has type 'char'
/usr/bin/ar: creating libssh.a
ssh.c: In function 'main':
ssh.c:760: warning: array subscript has type 'char'
ssh.c:761: warning: array subscript has type 'char'
If you need any more info, let me know.
//Logan
C-x-C-c
On Sun, Aug 14, 2011 at 4:30 AM, <openssh-unix-dev-request at mindrot.org> wrote:
> Send openssh-unix-dev mailing list submissions to
> openssh-unix-dev at mindrot.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> or, via email, send a message with subject or body 'help' to
> openssh-unix-dev-request at mindrot.org
>
> You can reach the person managing the list at
> openssh-unix-dev-owner at mindrot.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of openssh-unix-dev digest..."
>
>
> Today's Topics:
>
> 1. Re: openssh PTY allocation (Gert Doering)
> 2. Typo in sftp.1 manpage (Laurent GAUTROT)
> 3. Re: Typo in sftp.1 manpage (Darren Tucker)
> 4. Re: Typo in a manpage (Darren Tucker)
> 5. configure bug for HAVE_RES_EXTERN check (FELLIN, JEFFREY K (JEFF))
> 6. Re: openssh PTY allocation (Morty Abzug)
> 7. Re: openssh PTY allocation (Damien Miller)
> 8. Re: openssh PTY allocation (Morty Abzug)
> 9. Call for testing: OpenSSH-5.9 (Damien Miller)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 6 Aug 2011 10:47:07 +0200
> From: Gert Doering <gert at greenie.muc.de>
> To: Damien Miller <djm at mindrot.org>
> Cc: Morty Abzug <morty at frakir.org>, Gert Doering
> <gert at greenie.muc.de>, openssh-unix-dev at mindrot.org
> Subject: Re: openssh PTY allocation
> Message-ID: <20110806084707.GL8496 at greenie.muc.de>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> On Sat, Aug 06, 2011 at 02:26:09PM +1000, Damien Miller wrote:
> > FYI here is a diff that installs workarounds for all of the problems
> > with ScreenOS that I'm aware of. These are:
> >
> > - PTY allocation
> > - scp -- thing
> > - keepalives killing the connection
> > - multiplexing requests killing the connection
> >
> > Not sure whether I want to commit these.
>
> As a pure user, not speaking for the developers, but having to SSH (and
> SCP!) to Netscreens regularly - these look quite reasonable to me, and
> I'd like to see something like this in the general code base.
>
> (Otherwise I'm happy that you have provided the patch and will use that
> to patch our local ssh installation)
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //
> www.muc.de/~gert/ <http://www.muc.de/%7Egert/>
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 07 Aug 2011 14:39:53 +0200
> From: Laurent GAUTROT <laurent at gautrot.org>
> To: <openssh-unix-dev at mindrot.org>
> Subject: Typo in sftp.1 manpage
> Message-ID: <7c4c2e4312e3ba2c74fe1d0418bb9c23 at mail.gautrot.org>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Hello,
>
> Just found a typo in sftp.1 manpage:
>
> s/ether/either/
>
> Regards
>
> --
> ^L.
>
>
> ------------------------------
>
> Message: 3
> Date: Sun, 7 Aug 2011 22:55:54 +1000
> From: Darren Tucker <dtucker at zip.com.au>
> To: Laurent GAUTROT <laurent at gautrot.org>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: Typo in sftp.1 manpage
> Message-ID: <CALDDTe2bYVsEeCzSC88HfzP0xBeX6pii1Ck+by+_ohCxQbgurA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Sun, Aug 7, 2011 at 10:39 PM, Laurent GAUTROT <laurent at gautrot.org>
> wrote:
> > Hello,
> >
> > Just found a typo in sftp.1 manpage:
> >
> > s/ether/either/
>
> Applies, thanks.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
>
> ------------------------------
>
> Message: 4
> Date: Sun, 7 Aug 2011 23:03:55 +1000
> From: Darren Tucker <dtucker at zip.com.au>
> To: Laurent GAUTROT <l.gautrot at free.fr>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: Typo in a manpage
> Message-ID: <CALDDTe0KhLL8YiKN63iXBndjayfY3zuu6Ub1WuexyDmuQ3_zGA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On Sat, Aug 6, 2011 at 3:03 AM, Laurent GAUTROT <l.gautrot at free.fr> wrote:
> > There's a typo in moduli.5 manpage.
> > s/primaility/primality/
>
> Thanks, this had previously been fixed on openbsd's page[1], we'll
> pull those changes in.
>
> [1]
> http://www.openbsd.org/cgi-bin/cvsweb/src/share/man/man5/moduli.5.diff?r1=1.12;r2=1.13;f=h
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 8 Aug 2011 14:17:37 -0400
> From: "FELLIN, JEFFREY K (JEFF)" <jkf at research.att.com>
> To: "openssh-unix-dev at mindrot.org" <openssh-unix-dev at mindrot.org>
> Subject: configure bug for HAVE_RES_EXTERN check
> Message-ID: <DE13570BD8A23F4FA2139E596105E040DBDA8F2D9D at njfpsrvexg1.research.att.com>
>
> Content-Type: text/plain; charset="us-ascii"
>
> The code used in configure.ac to check whether struct __res_state _res is
> an extern can fail. I'm porting the code to UWIN (Unix on Windows, available
> at http://www2.research.att.com/~gsf/download) using Microsoft Visual
> Studio for the cc compiler. The code in lines 3483 - 3491 should include a
> reference to _res, to verify the compiler doesn't ignore non-referenced
> variables.
>
> I suggest line 3491 should be changed from:
> int main() { return 0; }
> to:
> int main() { _res.retrans=0; return 0; }
>
> Thank you for your consideration.
>
> Jeff Fellin
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 8 Aug 2011 18:30:17 -0400
> From: Morty Abzug <morty at frakir.org>
> To: Damien Miller <djm at mindrot.org>
> Cc: Gert Doering <gert at greenie.muc.de>, openssh-unix-dev at mindrot.org
> Subject: Re: openssh PTY allocation
> Message-ID: <20110808223017.GD6596 at red-sonja>
> Content-Type: text/plain; charset=us-ascii
>
> On Sat, Aug 06, 2011 at 02:26:09PM +1000, Damien Miller wrote:
> > FYI here is a diff that installs workarounds for all of the problems
> > with ScreenOS that I'm aware of. These are:
> >
> > - PTY allocation
> > - scp -- thing
> > - keepalives killing the connection
> > - multiplexing requests killing the connection
>
> Thanks for the patch. In my testing, it has the following issues:
>
> (1) ssh still doesn't work for some of our devices. I think this is
> because the ttymodes.c portion of your patch has "256" when it should
> be "128".
>
> (2) scp didn't actually work to any of my test netscreens for scp
> $device:ns_sys_config /tmp. I tried scp -v $device:ns_sys_config /tmp
> to see what the command was. I got:
>
> debug1: Sending command: scp -v -f -- ns_sys_config
>
> As you can see, "--" is still there.
>
> - Morty
>
>
> ------------------------------
>
> Message: 7
> Date: Tue, 9 Aug 2011 16:17:05 +1000 (EST)
> From: Damien Miller <djm at mindrot.org>
> To: Morty Abzug <morty at frakir.org>
> Cc: Gert Doering <gert at greenie.muc.de>, openssh-unix-dev at mindrot.org
> Subject: Re: openssh PTY allocation
> Message-ID: <alpine.BSO.2.00.1108091610090.19066 at natsu.mindrot.org>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> On Mon, 8 Aug 2011, Morty Abzug wrote:
>
> > On Sat, Aug 06, 2011 at 02:26:09PM +1000, Damien Miller wrote:
> > > FYI here is a diff that installs workarounds for all of the problems
> > > with ScreenOS that I'm aware of. These are:
> > >
> > > - PTY allocation
> > > - scp -- thing
> > > - keepalives killing the connection
> > > - multiplexing requests killing the connection
> >
> > Thanks for the patch. In my testing, it has the following issues:
> >
> > (1) ssh still doesn't work for some of our devices. I think this is
> > because the ttymodes.c portion of your patch has "256" when it should
> > be "128".
>
> Even if I do commit something like this diff (which is not guaranteed),
> it certainly won't truncate the ttymodes at 128 bytes - fixed versions
> of ScreenOS already exist for this problem and chopping so much off is
> likely to leave a messed up TTY anyway.
>
> > (2) scp didn't actually work to any of my test netscreens for scp
> > $device:ns_sys_config /tmp. I tried scp -v $device:ns_sys_config /tmp
> > to see what the command was. I got:
> >
> > debug1: Sending command: scp -v -f -- ns_sys_config
> >
> > As you can see, "--" is still there.
>
> oops, I missed a case:
>
> Index: scp.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/scp.c,v
> retrieving revision 1.170
> diff -u -p -r1.170 scp.c
> --- scp.c 9 Dec 2010 14:13:33 -0000 1.170
> +++ scp.c 9 Aug 2011 06:10:08 -0000
> @@ -580,12 +580,14 @@ toremote(char *targ, int argc, char **ar
> host = cleanhostname(argv[i]);
> suser = NULL;
> }
> - xasprintf(&bp, "%s -f -- %s", cmd, src);
> + xasprintf(&bp, "%s -f %s%s", cmd,
> + *src == '-' ? "-- " : "", src);
> if (do_cmd(host, suser, bp, &remin, &remout) < 0)
> exit(1);
> (void) xfree(bp);
> host = cleanhostname(thost);
> - xasprintf(&bp, "%s -t -- %s", cmd, targ);
> + xasprintf(&bp, "%s -t %s%s", cmd,
> + *targ == '-' ? "-- " : "", targ);
> if (do_cmd2(host, tuser, bp, remin, remout) < 0)
> exit(1);
> (void) xfree(bp);
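Review bot: both xasprintf calls in this hunk now emit `--` only when `src` or `targ` begins with `-`, and the change is unconditional rather than tied to a ScreenOS compatibility flag, so every server sees the altered command line; a one-line comment stating why `--` is omitted (some servers reject it) would stop a later reader from restoring it as a cleanup. The `*src == '-' ? "-- " : ""` expression is also repeated at every site in this diff and could be factored into a small helper so the condition lives in one place.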
> @@ -631,7 +633,8 @@ toremote(char *targ, int argc, char **ar
> errs = 1;
> } else { /* local to remote */
> if (remin == -1) {
> - xasprintf(&bp, "%s -t -- %s", cmd, targ);
> + xasprintf(&bp, "%s -t %s%s", cmd,
> + *targ == '-' ? "-- " : "", targ);
> host = cleanhostname(thost);
> if (do_cmd(host, tuser, bp, &remin,
> &remout) < 0)
> @@ -664,7 +667,8 @@ tolocal(int argc, char **argv)
> addargs(&alist, "-r");
> if (pflag)
> addargs(&alist, "-p");
> - addargs(&alist, "--");
> + if (*(argv[i]) == '-' || *(argv[argc-1]) == '-')
> + addargs(&alist, "--");
> addargs(&alist, "%s", argv[i]);
> addargs(&alist, "%s", argv[argc-1]);
> if (do_local_cmd(&alist))
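Review bot: the new guard `if (*(argv[i]) == '-' || *(argv[argc-1]) == '-')` is unnecessary at this site, because the argument list is for the local scp run by do_local_cmd(), which always understands `--`; keeping the unconditional `addargs(&alist, "--");` here costs nothing for the ScreenOS case and avoids having to reason about two argument positions.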
> @@ -684,7 +688,8 @@ tolocal(int argc, char **argv)
> suser = pwd->pw_name;
> }
> host = cleanhostname(host);
> - xasprintf(&bp, "%s -f -- %s", cmd, src);
> + xasprintf(&bp, "%s -f %s%s",
> + cmd, *src == '-' ? "-- " : "", src);
> if (do_cmd(host, suser, bp, &remin, &remout) < 0) {
> (void) xfree(bp);
> ++errs;
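Review bot: the continuation line here begins with `cmd,` while the three earlier xasprintf sites in this diff keep `cmd,` on the first line; aligning the formatting would make the four sites read the same. This `-f` remote-to-local site is also the one that produced the reported `scp -v -f -- ns_sys_config` command line, so it is the case the earlier diff missed.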
>
>
> ------------------------------
>
> Message: 8
> Date: Tue, 9 Aug 2011 20:50:50 -0400
> From: Morty Abzug <morty at frakir.org>
> To: Damien Miller <djm at mindrot.org>
> Cc: Gert Doering <gert at greenie.muc.de>, openssh-unix-dev at mindrot.org
> Subject: Re: openssh PTY allocation
> Message-ID: <20110810005050.GG6596 at red-sonja>
> Content-Type: text/plain; charset=us-ascii
>
> On Tue, Aug 09, 2011 at 04:17:05PM +1000, Damien Miller wrote:
>
> > Even if I do commit something like this diff (which is not
> > guaranteed), it certainly won't truncate the ttymodes at 128 bytes -
> > fixed versions of ScreenOS already exist for this problem and
> > chopping so much off is likely to leave a messed up TTY anyway.
>
> In my testing, setting the threshold to 128 didn't cause any TTY
> problems in practice. A lot of the older versions are in the field.
> Is there any chance that you could set the number to 128?
>
> > > As you can see, "--" is still there.
>
> > oops, I missed a case:
>
> Thanks!
>
> - Morty
>
>
> ------------------------------
>
> Message: 9
> Date: Sun, 14 Aug 2011 10:30:10 +1000 (EST)
> From: Damien Miller <djm at mindrot.org>
> To: openssh-unix-dev at mindrot.org
> Subject: Call for testing: OpenSSH-5.9
> Message-ID: <alpine.BSO.2.00.1108141014180.23174 at natsu.mindrot.org>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> Hi,
>
> OpenSSH 5.9 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains a
> couple of new features and changes and bug fixes. Testing of the new
> sandboxed privilege separation mode (see below) would be particularly
> appreciated.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Mercurial at http://hg.mindrot.org/openssh
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> -------------------------------
>
> Features:
>
> * Introduce sandboxing of the pre-auth privsep child using a new
> sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables
> mandatory restrictions on the syscalls the privsep child can perform.
> The intention is to prevent a compromised privsep child from being
> used to attack other hosts (by opening sockets and proxying) or probing
> local kernel attack surface.
>
> Three concrete sandbox implementations are provided (selected at
> configure time): systrace, seatbelt and rlimit.
>
> The systrace sandbox uses systrace(4) in unsupervised "fast-path"
> mode, where a list of permitted syscalls is supplied. Any syscall not
> on the list results in SIGKILL being sent to the privsep child. Note
> that this requires a kernel with the new SYSTR_POLICY_KILL option
> (only OpenBSD has this mode at present).
>
> The seatbelt sandbox uses OS X/Darwin sandbox(7) facilities with a
> strict (kSBXProfilePureComputation) policy that disables access to
> filesystem and network resources.
>
> The rlimit sandbox is a fallback choice for platforms that don't
> support a better one; it uses setrlimit() to reset the hard-limit
> of file descriptors and processes to zero, which should prevent
> the privsep child from forking or opening new network connections.
>
> Sandboxing of the privilege separated child process will become the
> default in a future release. We'd also like to include native
> sandboxes for other platforms.
>
> * Add new SHA256-based HMAC transport integrity modes from
> http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
> These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512,
> and hmac-sha2-512-96, and are available by default in ssh(1) and
> sshd(8)
>
> * The pre-authentication sshd(8) privilege separation slave process
> now logs via a socket shared with the master process, avoiding the
> need to maintain /dev/log inside the chroot.
>
> * ssh(1) now warns when a server refuses X11 forwarding
>
> * sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths,
> separated by space. The undocumented AuthorizedKeysFile2 option is
> deprecated (though the default for AuthorizedKeysFile includes
> .ssh/authorized_keys2)
>
> * sshd_config(5): similarly deprecate UserKnownHostsFile2 and
> GlobalKnownHostsFile2 by making UserKnownHostsFile and
> GlobalKnownHostsFile accept multiple options and default to include
> known_hosts2
>
> * retain key comments when loading v.2 keys. These will be visible in
> "ssh-add -l" and other places. bz#439
>
> * ssh(1) and sshd(8): set IPv6 traffic class from IPQoS (as well as
> IPv4 ToS/DSCP). bz#1855
>
> * ssh_config(5)'s ControlPath option now expands %L to the host
> portion of the destination host name.
>
> * ssh_config(5) "Host" options now support negated Host matching, e.g.
>
> Host *.example.org !c.example.org
> User mekmitasdigoat
>
> Will match "a.example.org", "b.example.org", but not "c.example.org"
>
> * ssh_config(5): a new RequestTTY option provides control over when a
> TTY is requested for a connection, similar to the existing -t/-tt/-T
> ssh(1) commandline options.
>
> * sshd(8): allow GSSAPI authentication to detect when a server-side
> failure causes authentication failure and don't count such failures
> against MaxAuthTries; bz#1244
>
> * ssh-keygen(1): Add -A option. For each of the key types (rsa1, rsa,
> dsa and ecdsa) for which host keys do not exist, generate the host
> keys with the default key file path, an empty passphrase, default
> bits for the key type, and default comment. This is useful for
> system initialisation scripts.
>
> * ssh(1): Allow graceful shutdown of multiplexing: request that a mux
> server removes its listener socket and refuse future multiplexing
> requests but don't kill existing connections. This may be requested
> using "ssh -O stop ..."
>
> * ssh-add(1) now accepts keys piped from standard input. E.g.
> "ssh-add - < /path/to/key"
>
> * ssh-keysign(8) now signs hostbased authentication
> challenges correctly using ECDSA keys; bz#1858
>
> Portable OpenSSH Bugfixes:
>
> * Fix a compilation error in the SELinux support code. bz#1851
>
> * This release removes support for ssh-rand-helper. OpenSSH now
> obtains its random numbers directly from OpenSSL or from
> a PRNGd/EGD instance specified at configure time.
>
> * sshd(8) now resets the SELinux process execution context before
> executing passwd for password changes; bz#1891
>
> * Since gcc >= 4.x ignores all -Wno-options options, test only the
> corresponding -W-option when trying to determine whether it is
> accepted. bz#1900, bz#1901
> selinux code. Patch from Leonardo Chiquitto
>
> * Add ECDSA key generation to the Cygwin ssh-{host,user}-config
> scripts.
>
> Reporting Bugs:
> ===============
>
> - Please read http://www.openssh.com/report.html
> Security bugs should be reported directly to openssh at openssh.com
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.
>
>
> ------------------------------
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>
> End of openssh-unix-dev Digest, Vol 100, Issue 3
> ************************************************
>
--
`` Real men run current !''
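The rlimit sandbox described in the 5.9 release notes above, as an added example that is not part of the thread or of OpenSSH's own sandbox-rlimit.c: it applies the two zero hard limits in a forked child and reports which operations the child can no longer perform (function names are my own).

```c
/* Added example (not OpenSSH's sandbox-rlimit.c): apply the rlimit sandbox
 * from the 5.9 release notes in a forked child and report what it blocks. */
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hard-limit open files and processes to zero, as the rlimit sandbox does.
 * Descriptors already open (sshd's monitor socket) stay usable; only new
 * ones are refused. Returns 0 on success, errno on failure. */
static int apply_rlimit_sandbox(void)
{
    struct rlimit zero = { 0, 0 };
    if (setrlimit(RLIMIT_NOFILE, &zero) == -1) return errno;
    if (setrlimit(RLIMIT_NPROC, &zero) == -1) return errno;
    return 0;
}

/* Probes run inside the sandboxed child: 0 if the operation succeeded
 * (sandbox did not block it), otherwise the errno it failed with. */
static int probe_socket(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd == -1) return errno;   /* expect EMFILE: no new descriptors */
    close(fd);
    return 0;
}

static int probe_fork(void)
{
    pid_t pid = fork();
    if (pid == -1) return errno;  /* expect EAGAIN for an unprivileged uid */
    if (pid == 0) _exit(0);
    waitpid(pid, NULL, 0);
    return 0;
}

/* Fork, sandbox the child, run the probe there and pass its result back in
 * the exit status so the caller is never sandboxed itself. Returns -1 if
 * the harness (not the probe) fails, 255 if setrlimit() was refused. */
static int run_sandboxed_probe(int (*probe)(void))
{
    int status;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) _exit(apply_rlimit_sandbox() == 0 ? (probe() & 0xff) : 255);
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* RLIMIT_NPROC does not bind root, so fork() is blocked only for an
     * unprivileged uid, which is how sshd's privsep child runs anyway. */
    printf("socket(): errno %d (EMFILE=%d)\n", run_sandboxed_probe(probe_socket), EMFILE);
    printf("fork():   errno %d (EAGAIN=%d, 0 as root)\n", run_sandboxed_probe(probe_fork), EAGAIN);
    return 0;
}
```

Run it as an unprivileged user: socket() should fail with EMFILE and fork() with EAGAIN, while a root uid is not bound by RLIMIT_NPROC and can still fork, which is one reason the sandbox only helps for a child that has already dropped privileges.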