From: djm at mindrot.org (Damien Miller)
Date: Mon, 1 Dec 2014 08:22:53 +1100 (EST)
Subject: can compression be safely used with SSH?

On Sun, 30 Nov 2014, Philippe Cerfon wrote:

> > It's theoretically possible to force a rekeying after authentication
> > with new options, but this is slow: several client/server round-trips
> > plus the potentially very slow key exchange crypto. IMO it's too slow
> > and confusing to be worth implementing.
>
> Would it be difficult to implement? I guess it's the only clean way
> then to restrict compression to certain users (if killing the
> connection isn't an option).
> And the slowness would probably not really matter, since it's only
> necessary to work like that when being used in a Match section, which
> most people will never do.
>
> Shall I open a wishlist ticket about that?

Sure, if you like. As I said though, I don't plan on working on it but
someone else might think it worthwhile.

-d


From: hvjrs2kqwzl5t6qalsquw at gmail.com (Bsdafiwweoewn Dsadooweknciasdlfkew)
Date: Mon, 1 Dec 2014 13:06:05 +0800
Subject: Would you please merge obfuscated-openssh?

Would you please merge obfuscated-openssh? We are using SSH TCP forwarding to get past government firewall blocking, but only obfuscated SSH can get through the wall. Would you please merge this feature?

https://github.com/brl/obfuscated-openssh

If you can help people surf the internet freely, people will be able to reach the OpenSSH community and donate more than they do now.

Thanks
jw

From: plautrba at redhat.com (Petr Lautrbach)
Date: Mon, 01 Dec 2014 16:40:03 +0100
Subject: [patch] postauth processes to log via monitor
In-Reply-To: <542C02B6.2050802@redhat.com>
References: <542C02B6.2050802@redhat.com>
Message-ID: <547C8BD3.9090307@redhat.com>

On 10/01/2014 03:33 PM, Petr Lautrbach wrote:
> Hi,
>
> there is a long standing problem with logging in chroots. Especially
> when you use %u in ChrootDirectory, it is nearly impossible to have
> /dev/log in every possible chroot for all users.
>
> It seems to be important mainly for sftp-internal sessions, which are
> simply configurable to be chrooted and where admins would like to log
> sftp session commands.
>
> I have put together a patch which introduces a new configuration option
> LogViaMonitor. When this option is 'yes', then postauth unprivileged
> processes log via their monitor process instead of via the standard channels
> (syslog, stderr).
>
> I've removed closefrom() from close_child_fds() in order not to close
> the m_log_send_fd socket before sftp_server_main() is called. And I've put
> it in a part of the code where it's clear that there will be an exec().
>
> I'd appreciate any comment or suggestion.
>

Ping? Do you have any comments, objections or hints?

Thanks,
Petr

--
Petr Lautrbach

From: keisial at gmail.com (Ángel González)
Date: Tue, 02 Dec 2014 02:01:59 +0100
Subject: [PATCH] Early request for comments: U2F authentication
Message-ID: <547D0F87.2010206@gmail.com>

Michael Stapelberg wrote:
> Thank you very much for any replies :).
> I haven't seen any replies yet, and it's been almost a week. It could
> just be that none of you care, or all who care are incredibly busy.
> Still, I'd appreciate a "don't know about the details, but we'll most
> likely merge your patch" so that I know any further work on this is
> not in vain :).
>
> Thank you!

Now it has been almost a month. :)

In case it is helpful, here are my 2 cents:

1) It looks cool to support U2F in openssh.

2-3) No, sshd writing the user's authorized_keys file doesn't seem a good idea :)
I would put the client registration process in ssh-copy-id.

4) For the server to identify itself, the only thing it knows about its
identity is its own [set of] host keys. The hostname or gethostid(2) can be
quite useless. Perhaps a sshd_config param? :/

5) Looks good. From the client point of view, I would use hostname[:port],
as currently checked by ssh in known_hosts. That seems more consistent with
the ssh way. I also suspect that using the server fingerprint would allow
some attacks, in addition to avoiding possible issues with multiple hosts
with the same key (shared fs, cloned machines?).
Note that if the server is exposed to the origin value, it may deserve to
be hidden (hashed?) first (I understand the server shall treat the origin
as an opaque value).

7) Wouldn't ERR_load_crypto_strings() be enough?

> +// TODO: use auth_info() so that in log messages about accepted auths we will see a message that identifies the key. perhaps we can just use the human readable suffix that you can specify in the authorized_keys file(s)?

Just that suffix won't help root to figure things out. A fingerprint, like
the one now provided for public keys, could help here.

And a few u2f questions:

What is the purpose of the challenge provided by the server on registration?

What is a u2f key expected to do if asked to register a system it has
already registered? Should it be appended or replaced?

Regards

From: calestyo at scientia.net (Christoph Anton Mitterer)
Date: Tue, 02 Dec 2014 05:44:54 +0100
Subject: SSH via redundant login-nodes (with and without control channel multiplexing)
Message-ID: <1417495494.13722.5.camel@scientia.net>

Hi.

I'm recently playing a lot with control channel multiplexing and how it can be used to improve our local setup (ideally safely and automatically for all users).

What we have here at the faculty are many nodes (thousands), all of which are not directly reachable via SSH but only by hopping over a login node, a setup which brings several advantages.

Of these login nodes we have several (for availability reasons), e.g.:
login-1.example.org
login-2.example.org
and all of them are reachable via a round-robin domain containing all the A and AAAA RRs of the above nodes: login.example.org.

Because of the round-robin domain name, all these nodes have the same SSH host key pair.

What I now ideally want is that SSH automatically picks one of the login nodes (ideally also in a round-robin fashion), and that all this just works gracefully if one isn't reachable or becomes unresponsive.

I'd give something like this to the user's ssh_config:
----------------------
Host login.example.org login-1.example.org login-2.example.org
    ProxyCommand none
    ControlMaster auto
    ControlPersist 1m

Host *.example.org
    ControlPath ~/.ssh/control-mux/%h
    #1# ProxyCommand sh -c "ssh -W %h:%p login-1.example.org || ssh -W %h:%p login-2.example.org"
    #2# ProxyCommand ssh -W %h:%p login.example.org
    #3# ProxyCommand sh -c "ssh -o ConnectTimeout=10s -W %h:%p login-1.example.org || ssh -o ConnectTimeout=10s -W %h:%p login-2.example.org"
    #4# ProxyCommand ssh -o ConnectTimeout=10s -W %h:%p login.example.org
----------------------

So I played around a bit with all that (both with and without control channel multiplexing) and here are the results, questions and issues I've encountered:

1) Without control channel multiplexing (just strip any Control* options from the above config)

At first I used a ProxyCommand sh -c "ssh -W %h:%p login-1.example.org || ssh -W %h:%p login-2.example.org", which works more or less fine: if SSH to login-1 doesn't work (for whichever reason: node down, authentication issue, sshd not running), login-2 will be tried. Great, but the downsides are: one always has to add all the login nodes to the command, there is no load balancing due to the strict ordering, and there is the extra sh that is run.

By chance I found out that it actually also works with the round-robin domain name (i.e. ProxyCommand ssh -W %h:%p login.example.org), well at least I've tried it with 2 A RRs (and in my tests I've used -4 to ssh). I tested via DROPing or REJECTing[1] packets to one or the other login node via iptables. Apparently, ssh picks the first A RR given by the resolver, and if that "doesn't work", it tries the next. One can see it in the counters of iptables, that on some connections the DROP or REJECT rule was hit (i.e. ssh tried the "down" node first) and sometimes not (i.e. it immediately chose the "up" node).

Fine, but: this behaviour (of trying more than one A/AAAA RR) is nowhere really documented in OpenSSH (which would be really nice):
- Does it work only for 2 RRs (as in my test)? Does it really try all A and AAAA RRs?
- In which cases does it try other address RRs? Only when the node wasn't reachable (i.e. negative ICMP answer), or also in cases of timeout, authentication or any other errors?
- Doesn't this somehow contradict the default of ConnectionAttempts=1, since it actually makes more than just one attempt? I mean, what if some domain name contains 1 million A RRs?
Actually it seems that it sends even two packets *per* address; is this simply needed for the attempted handshake or is this a bug?

Another open question is probably whether using the round-robin name can be made to work if the login-* nodes do *not* use the same host key pair. So what one wants is something like this:
Host login.example.org
    HostKeyAlias login-1.example.org
    HostKeyAlias login-2.example.org
in the sense that either key would be accepted. Does that work or could it be implemented?

2) With control channel multiplexing

Here things get of course much more tricky.

The first thing one notices is that the control socket is always created based on the name of the host. In the case of the round-robin domain this means that again only one login node will actually be used, the one the socket was opened to, thus all load balancing efforts are basically destroyed again.
Any ideas to solve that? Perhaps by adding %X symbols which are not the hostname but the v4 or v6 address that was used to connect? This would have the other advantage that it then also works for the same host reached by different names (CNAMEs and the like).

Apart from that, the different ways above (#1# and #2#) work just as one would expect... if I REJECT access, then it immediately tries the other one; if I DROP access it takes ages till TCP times out.

Another question one could ask is: how does all that behave if an existing socket becomes unresponsive?

The first thing I've noted is that if I use REJECT to block any further accesses to the socket server (sshd), the socket/mux process isn't terminated immediately (even though this should probably be the way to go?). If one uses DROP then it takes whatever time it needs to time out depending on TCP keep-alives and/or ServerAlive*.

Now the mux connections seem to behave just like a normal SSH connection with respect to ServerAlive*, i.e. after the timeout the mux is killed, and any ssh processes using it as well. I've disabled TCP keep-alives and my ServerAlive* settings are set to allow at most 2 mins of no reply (which is desired in order not to kill off hanging connections too early). So basically lowering the timeout is not an alternative if one wants to give hanging sessions the chance to recover.

Another thing I've observed during DROP/REJECT of the already existing mux: OpenSSH's documentation basically says "if there is a mux path configured and the socket exists, we try to use it; if that doesn't work we connect normally". But what apparently happens is: as soon as the socket exists and ssh can connect to the socket, it won't fall back to "normal" even if the socket's connection is already dead. So what I did was: ssh to the same host using the existing socket (whose connection is however iptables blocked, either with DROP or REJECT)... the new ssh connects happily to the socket and after it (or the mux process) times out... it fails and does *not* connect normally :-(

Now, even though I would want to keep my (probably just hanging) muxes and their sessions for my long timeout period, I still want any *new* connections to try the other login nodes first (maybe they work immediately). If the old one recovers, fine, continue to use that one for the old connections, use the new one for the new connections.[0]

Of course I cannot solve this with ServerAlive* or TCP keep-alive timeouts... even if it would work technically, any such new connection would then have a lower timeout (which I no longer want once the connection was established).

I hoped ConnectTimeout could do the job for me. So I tried #3# and #4# in the config example above,... but unfortunately: ConnectTimeout seems to not apply when an existing control mux socket is used :-(

Question here basically: can it be implemented that ConnectTimeout also works for sockets, in the sense of the time that it needs to open the socket, talk to its socket server (the mux process) and finally get the okay answer from the remote sshd that a new session is there?
Because if that would work (and also for the round-robin thingy) one would basically have a way that *completely established* connections retain their long timeouts (via ServerAlive*), but trying to establish such a connection has the short timeout from ConnectTimeout; thus, if my existing socket just hangs for a while on login-1, I get a new one on login-2 (which may not be hanging).

Obviously, a tricky portion of the whole thing is still how to use a round-robin name with multiple sockets... as described in [0]. Especially while not accidentally opening up any tricky ways to exploit this in terms of security.

Cheers,
Chris.

[0] Here a problem in my suggestion to use the v4/v6 address as the socket name becomes clear: as the resolver gives back different names, both would sooner or later be used, which somehow destroys the idea of muxing... not sure whether there is an easy (and especially secure) way around this. Maybe ssh could check whether a socket already exists that matches the name of one of the hostname's addresses,... but this seems to be security prone (what if DNS changes in the meantime,... then perhaps ssh tricks itself into using the wrong host). So maybe another way could be to not use the address, but a hash of the host's host key + the address family?

[1] DROP / REJECT in the sense of Linux netfilter, respectively iptables keywords. DROP just silently discards (i.e. one can only run into the (possibly long) timeouts of SSH),... REJECT sends some ICMP packet to the client (i.e. one can time out quite fast).

From: junk at private.rw-gs.net (Junk)
Date: Tue, 02 Dec 2014 23:26:48 -0800
Subject: SSH Tunnel nonexistent channel error
Message-ID: <547EBB38.9090508@private.rw-gs.net>

Every time I open an SSH tunnel to my server, after visiting a few sites over it I get the following error:

channel_by_id: 3: bad id: channel free
Disconnecting: Received ieof for nonexistent channel 3.

The channel number varies but it's always the same issue. Any help would be appreciated. The server I'm using is FreeSSHd for Windows. I'm connecting to the tunnel with ssh -N User@host -D 1080. Thanks.

Verbose:

OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to  port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Remote protocol version 2.0, remote software version WeOnlyDo 2.1.3
debug1: no match: WeOnlyDo 2.1.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: RSA key
debug1: Host '' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/id_rsa
debug1: Trying private key: /home/user/.ssh/id_dsa
debug1: Trying private key: /home/user/.ssh/id_ecdsa
debug1: Trying private key: /home/user/.ssh/id_ed25519
debug1: Next authentication method: password
User@host's password:
debug1: Authentication succeeded (password).
Authenticated to .
debug1: Local connections to LOCALHOST:1080 forwarded to remote address socks:0
debug1: Local forwarding listening on ::1 port 1080.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 1080.
debug1: channel 1: new [port listener]
debug1: Entering interactive session.
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 2: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 3: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 4: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 5: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 6: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 7: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 8: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 9: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 10: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 11: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 12: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 13: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 14: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 15: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 16: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 17: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 18: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 19: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 20: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 21: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 22: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 23: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 24: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 25: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 26: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 27: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 28: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 29: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 30: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 31: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 32: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 33: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 34: new [dynamic-tcpip]
debug1: channel 10: free: direct-tcpip: listening port 1080 for connect.facebook.net port 80, connect from 127.0.0.1 port 51036 to 127.0.0.1 port 1080, nchannels 35
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 10: new [dynamic-tcpip]
debug1: channel 11: free: direct-tcpip: listening port 1080 for connect.facebook.net port 80, connect from 127.0.0.1 port 51037 to 127.0.0.1 port 1080, nchannels 35
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 11: new [dynamic-tcpip]
debug1: channel 33: free: direct-tcpip: listening port 1080 for cdn.syndication.twitter.com port 80, connect from 127.0.0.1 port 51059 to 127.0.0.1 port 1080, nchannels 35
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 33: new [dynamic-tcpip]
debug1: client_input_channel_req: channel 10 rtype exit-status reply 0
debug1: client_input_channel_req: no sink for exit-status on channel 10
debug1: channel 10: free: direct-tcpip: listening port 1080 for webchat.freenode.net port 80, connect from 127.0.0.1 port 51061 to 127.0.0.1 port 1080, nchannels 35
channel_by_id: 10: bad id: channel free
Disconnecting: Received ieof for nonexistent channel 10.

From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 3 Dec 2014 19:25:07 +1100
Subject: SSH Tunnel nonexistent channel error
In-Reply-To: <547EBB38.9090508@private.rw-gs.net>
References: <547EBB38.9090508@private.rw-gs.net>

On Wed, Dec 3, 2014 at 6:26 PM, Junk wrote:

> Every time I open an SSH Tunnel to my server after visiting a few sites
> over it I get the following error: channel_by_id: 3: bad id: channel free
> Disconnecting: Received ieof for nonexistent channel 3. The channel number
> varies but it's always the same issue. Any help would be appreciated. The
> server I'm using is FreeSSHd for Windows. I'm connecting to the tunnel
> with ssh -N User@host -D 1080. Thanks.
>
> Verbose:

Looks like this is only debug level 1; debug level 3 (ssh -vvv) might provide more information.

[...]

> debug1: Local connections to LOCALHOST:1080 forwarded to remote address
> socks:0
> debug1: Local forwarding listening on ::1 port 1080.
> debug1: channel 0: new [port listener]

channel 0 is a port forward channel. Note that there is no shell channel because you used -N to not ask for one. This should be fine.

[...]

> debug1: Connection to port 1080 forwarding to socks port 0 requested.
> debug1: channel 10: new [dynamic-tcpip]

channel 10 is assigned to a port forward channel. This should also be fine.

[...]

> debug1: channel 10: free: direct-tcpip: listening port 1080 for
> connect.facebook.net port 80, connect from 127.0.0.1 port 51036 to
> 127.0.0.1 port 1080, nchannels 35

channel 10 is freed by the server. Also fine.

> debug1: Connection to port 1080 forwarding to socks port 0 requested.
> debug1: channel 10: new [dynamic-tcpip]

channel 10 is reused. Also fine.

[...]

> debug1: client_input_channel_req: channel 10 rtype exit-status reply 0
> debug1: client_input_channel_req: no sink for exit-status on channel 10

channel 10 gets an exit-status message. This is not fine: channel 10 is a port forward (direct-tcpip) ssh channel, so this should not happen (see RFC 4254 section 6.10). I suspect it also causes the client to tear the channel down, although I have not checked this.

> debug1: channel 10: free: direct-tcpip: listening port 1080 for
> webchat.freenode.net port 80, connect from 127.0.0.1 port 51061 to
> 127.0.0.1 port 1080, nchannels 35
> channel_by_id: 10: bad id: channel free
> Disconnecting: Received ieof for nonexistent channel 10.

The client receives a channel free for channel 10, but as per the previous comment I suspect it's already torn down at this point.

This goes off the rails when the server sends an exit-status message for something that's not a shell command. This is probably a server bug, but maybe the openssh client could ignore these (it's a protocol violation, though).

Depending on exactly what's going on in the server, you may be able to work around the problem by specifying a long-running command (eg "sleep 999999" or similar) instead of -N.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

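A way to catch the protocol violation Darren describes from the client's own debug output, as an added example of my own (not code from the thread or from OpenSSH): it replays "ssh -v" lines, tracks each channel's type and open state, and counts exit-status or exit-signal requests arriving on a non-session channel (RFC 4254 section 6.10 defines them for session channels only) as well as messages that name a channel the client has already freed. The sample lines are a constructed abridgement of the log above, with the long direct-tcpip detail trimmed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CHANNELS 64

struct chan {
	int open;        /* 1 while the client still considers the channel alive */
	char type[32];   /* "session", "dynamic-tcpip", "port listener", ... */
};

struct audit {
	struct chan ch[MAX_CHANNELS];
	int recognised;          /* log lines the parser understood */
	int bad_request;         /* session-only request on a non-session channel */
	int stale_ref;           /* message naming a channel that is not open */
	int first_bad_channel;   /* id of the first offending channel, -1 if none */
};

void
audit_init(struct audit *a)
{
	memset(a, 0, sizeof *a);
	a->first_bad_channel = -1;
}

static void
flag(struct audit *a, int id, int *counter)
{
	(*counter)++;
	if (a->first_bad_channel < 0)
		a->first_bad_channel = id;
}

/* Feed one line of "ssh -v" output; returns 1 if it was understood. Each
 * sscanf pattern ends in %n, which stays 0 unless the whole pattern matched. */
int
audit_line(struct audit *a, const char *line)
{
	int id = -1, n;
	char type[32], rtype[32];

	n = 0;
	(void)sscanf(line, "debug1: channel %d: new [%31[^]]]%n", &id, type, &n);
	if (n > 0 && id >= 0 && id < MAX_CHANNELS) {
		a->ch[id].open = 1;
		snprintf(a->ch[id].type, sizeof a->ch[id].type, "%s", type);
		return ++a->recognised, 1;
	}
	n = 0;
	(void)sscanf(line, "debug1: channel %d: free:%n", &id, &n);
	if (n > 0 && id >= 0 && id < MAX_CHANNELS) {
		if (!a->ch[id].open)
			flag(a, id, &a->stale_ref);
		a->ch[id].open = 0;
		return ++a->recognised, 1;
	}
	n = 0;
	(void)sscanf(line, "debug1: client_input_channel_req: channel %d rtype %31s%n",
	    &id, rtype, &n);
	if (n > 0 && id >= 0 && id < MAX_CHANNELS) {
		if (!a->ch[id].open)
			flag(a, id, &a->stale_ref);
		else if ((strcmp(rtype, "exit-status") == 0 ||
		    strcmp(rtype, "exit-signal") == 0) &&
		    strcmp(a->ch[id].type, "session") != 0)
			flag(a, id, &a->bad_request);   /* RFC 4254 6.10: session only */
		return ++a->recognised, 1;
	}
	n = 0;
	(void)sscanf(line, "Disconnecting: Received %31s for nonexistent channel %d%n",
	    rtype, &id, &n);
	if (n > 0) {
		flag(a, id, &a->stale_ref);   /* the client's own complaint: stale id */
		return ++a->recognised, 1;
	}
	return 0;
}

/* Constructed sample, abridged from the thread's log (channel 10 only). */
static const char *const sample_log[] = {
	"debug1: channel 0: new [port listener]",
	"debug1: channel 1: new [port listener]",
	"debug1: Connection to port 1080 forwarding to socks port 0 requested.",
	"debug1: channel 10: new [dynamic-tcpip]",
	"debug1: channel 10: free: direct-tcpip: listening port 1080 for connect.facebook.net port 80",
	"debug1: Connection to port 1080 forwarding to socks port 0 requested.",
	"debug1: channel 10: new [dynamic-tcpip]",
	"debug1: client_input_channel_req: channel 10 rtype exit-status reply 0",
	"debug1: client_input_channel_req: no sink for exit-status on channel 10",
	"debug1: channel 10: free: direct-tcpip: listening port 1080 for webchat.freenode.net port 80",
	"channel_by_id: 10: bad id: channel free",
	"Disconnecting: Received ieof for nonexistent channel 10.",
	NULL
};

/* Replay the sample: expect 8 parsed lines, 1 bad request (exit-status on a
 * dynamic-tcpip channel) and 1 stale reference (ieof after the free). */
struct audit
audit_sample(void)
{
	struct audit a;
	const char *const *p;

	audit_init(&a);
	for (p = sample_log; *p != NULL; p++)
		audit_line(&a, *p);
	return a;
}
```

audit_sample() is the stand-alone entry point; feeding real "ssh -v" output through audit_line() line by line works the same way.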
From: qralston+ml.openssh-unix-dev at andrew.cmu.edu (James Ralston)
Date: Wed, 03 Dec 2014 18:22:23 -0500
Subject: support for Kerberos credential cache locations other than FILE:?

The MIT Kerberos library has supported credential cache locations other than "FILE:" for a while now:

http://web.mit.edu/kerberos/krb5-devel/doc/basic/ccache_def.html

In fact, RHEL7 sets the default credential cache to use the kernel keyring, via the new(ish) "default_ccache_name" option in /etc/krb5.conf:

[libdefaults]
    default_ccache_name = KEYRING:persistent:%{uid}

However, this will break forwarding Kerberos credentials via GSSAPIDelegateCredentials. But I'm not sure why, since openssh hardcodes the location of the Kerberos credential cache in auth-krb5.c:

    ret = snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
    tmpfd = mkstemp(ccname + strlen("FILE:"));
    ...
    return (krb5_cc_resolve(ctx, ccname, ccache));

Based on this, I would expect openssh to blast over the library default, but when I test, I see $KRB5CCNAME set to (e.g.) KEYRING:persistent:12345, but without credentials in it. (And tracing the sshd process shows that it never attempted to create any file-based credential cache.)

So, two questions:

First, does anyone know what happens to the credential cache openssh creates when the library default location is a keyring? Openssh isn't logging any errors, so I don't think the various krb5 library functions are failing. Has anyone else already played around with this?

Second, is there a reason why openssh hardcodes the ccname location, instead of using krb5_cc_default_name() to obtain the library default? The only reason I can see for doing this is that if the library default starts with FILE: or DIR:, then you need to append "XXXXXXXXXX" (if necessary) and then use mkstemp() to get a non-predictable location. So that would be a little more effort than what openssh currently does. However, this would enable openssh to support Kerberos credential cache types other than "FILE:", so I'd argue it's worth it.

Am I missing something? Is there a specific reason why openssh doesn't already do this?


From: vissu.itin at gmail.com (Visweswara Rao Polisetti)
Date: Thu, 4 Dec 2014 11:55:15 +0530
Subject: How to block weak ciphers and MACs in 6.2p2

Hi,

It seems in openssh 6.7, all the weak ciphers and MAC algorithms got deprecated. What is the best way to do the same for the 6.2p2 version? Adding the following entries in the sshd_config file causes the sshd process to crash whenever a client tries to connect. So, could you please suggest any other methods to achieve the same?

# Secure Ciphers and MACs
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160

Thanks,
Vissu.


From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Thu, 4 Dec 2014 11:54:44 -0800
Subject: How to block weak ciphers and MACs in 6.2p2
Message-ID: <20141204195444.GB17258@linux124.nas.nasa.gov>

On Thu, Dec 04, 2014 at 11:55:15 +0530, Visweswara Rao Polisetti wrote:
> Hi,
>
> It seems in openssh 6.7, all the weak ciphers and MAC algorithms got
> deprecated. What is the best way to do the same for the 6.2p2 version? Adding
> the following entries in the sshd_config file causes the sshd process to crash whenever
> a client tries to connect. So, could you please suggest any other methods
> to achieve the same?
>
> # Secure Ciphers and MACs
> Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
> MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
>

That sounds like a bug to me. Could you send sshd -ddd and ssh -vvv output?

--
Iain Morgan

From: gary.winiger at oracle.com (Gary Winiger)
Date: Thu, 04 Dec 2014 13:23:34 -0800
Subject: Adding Solaris Audit to sshd (and sftp-server)
Message-ID: <5480D0D6.5090005@oracle.com>

Hi Damien,

I'm working with the Solaris team that is integrating openssh into upcoming Solaris releases. I'm looking for advice from the upstream community. You were suggested for that advice. If there are other mailing lists you'd like me to ask, I'm happy to do so, or if you'd like to forward, please feel free to do so.

The --with-audit=bsm (audit-bsm.c) configuration uses interfaces that were never officially stable in Solaris. Public support and documentation have been withdrawn from Solaris 11 for libbsm. The various interfaces can and have both changed incompatibly and been withdrawn. While it isn't publicly documented, a new Solaris Audit interface has been created. For various build related reasons libbsm has been retained and contains the interface for use from Solaris 11 (parts of it were there from Solaris 9).

I'm partially done with a skunkworks project that when finished is expected to be contributed upstream. My current prototype adds configuration --with-audit=solaris, which defines USE_SOLARIS_AUDIT and adds an audit-solaris.c file. The plan is for similar style changes to add auditing to sftp-server as well as to extend my current prototype to have parity with the SunSSH implementation.

Does such configuration seem acceptable?

The Solaris openssh team hasn't been using autoconf, and has been changing configure, config.h.in, Makefile.in by patches. For illustrative purposes I've updated configure.ac. I also have suggested wording for ChangeLog, INSTALL, README.platform.

Thank you for your consideration and advice.

Cheers,
Gary..

configure.ac ============ AUDIT_MODULE=none AC_ARG_WITH([audit], !
[ --with-audit=module Enable audit support (modules=debug,bsm,linux,solaris)], + solaris) + AC_MSG_RESULT([solaris]) + AUDIT_MODULE=solaris + dnl Checks for headers, libs and functions + AC_CHECK_HEADERS([bsm/adt.h], [], + [AC_MSG_ERROR([Solaris Audit enabled and bsm/adt.h not found])], + SSHDLIBS="$SSHDLIBS -lbsm" + AC_DEFINE([USE_SOLARIS_AUDIT], [1], [Use Solaris audit module]) + ;; ChangeLog ========= + - (gww) The BSM (bsm) interfaces are obsolete and internal from Solaris 11. + The previously documented interfaces may change or be removed at any time. + From Solaris 11, the --with-audit=solaris option should be used. INSTALL ======= There are a few other options to the configure script: --with-audit=[module] enable additional auditing via the specified module. ! Currently, drivers for "debug" (additional info via syslog), and "bsm" ! (Sun's Legacy Basic Security Module prior to Solaris 11), and "solaris" ! (Sun's Audit infrastructure from Solaris 11) are supported. README.platform =============== ! Solaris ! ------- ! Prior to Solaris 11 ! ------------------- If you enable BSM auditing on Solaris, you need to update audit_event(4) for praudit(1m) to give sensible output. The following line needs to be added to /etc/security/audit_event: 32800:AUE_openssh:OpenSSH login:lo The BSM audit event range available for third party TCB applications is 32768 - 65535. Event number 32800 has been choosen for AUE_openssh. There is no official registry of 3rd party event numbers, so if this number is already in use on your system, you may change it at build time by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding. From Solaris 11 --------------- Solaris Audit is supported by configuring --with-audit=solaris.
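Review bot: in the configure.ac hunk the AC_CHECK_HEADERS([bsm/adt.h], ...) invocation is never closed: the action-if-not-found argument `[AC_MSG_ERROR([Solaris Audit enabled and bsm/adt.h not found])],` ends with a comma and is followed directly by `SSHDLIBS="$SSHDLIBS -lbsm"`, so as posted the SSHDLIBS assignment and the AC_DEFINE would be consumed as further macro arguments instead of running as shell statements in the solaris) case; if the closing parenthesis was lost in the mail, please repost the hunk, otherwise add it after the AC_MSG_ERROR action. The existing bsm case also pairs its header check with AC_CHECK_LIB and AC_CHECK_FUNCS so that a missing library fails at configure time rather than at link time, whereas the solaris case appends -lbsm unconditionally; an AC_CHECK_LIB([bsm], ...) on a function audit-solaris.c actually calls would give the same early failure.

Review bot: the INSTALL hunk's rewritten sentence reads `drivers for "debug" (additional info via syslog), and "bsm" (...), and "solaris" (...) are supported`; drop the first "and" so the three-item list reads naturally. Since the README.platform section is being restructured anyway, the unchanged context line "Event number 32800 has been choosen for AUE_openssh" could be corrected to "chosen" in the same patch.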
From: plautrba at redhat.com (Petr Lautrbach)
Date: Tue, 09 Dec 2014 14:38:19 +0100
Subject: build problems on the latest portable tree
Message-ID: <5486FB4B.1070007@redhat.com>

Hello,

I've hit 2 build issues on rhel-7 using the latest portable tree - HEAD 3dfd8d93dfcc69261f5af99df56f3ff598581979

- rijndael.c:1104:7: error: 'Td4' undeclared (first use in this function)
       (Td4[(t0 >> 24)       ] << 24) ^
        ^

  introduced in commit a1f8110cd5ed818d59b3a2964fab7de76e92c18e

- ./libssh.a(krl.o): In function `ssh_krl_from_blob':
  krl.c:1007: undefined reference to `reallocarray'

  introduced in commit 74de254bb92c684cf53461da97f52d5ba34ded80 - reallocarray() seems to be only part of the openbsd-5.6 stdlib

Petr

-- 
Petr Lautrbach

From dtucker at zip.com.au Wed Dec 10 01:41:13 2014
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 10 Dec 2014 01:41:13 +1100
Subject: build problems on the latest portable tree
In-Reply-To: <5486FB4B.1070007@redhat.com>
References: <5486FB4B.1070007@redhat.com>
Message-ID:

Thanks for the report.

On Wed, Dec 10, 2014 at 12:38 AM, Petr Lautrbach wrote:

> Hello,
>
> I've hit 2 build issues on rhel-7 using the latest portable tree - HEAD
> 3dfd8d93dfcc69261f5af99df56f3ff598581979
>
> - rijndael.c:1104:7: error: 'Td4' undeclared (first use in this function)
>        (Td4[(t0 >> 24)       ] << 24) ^
>         ^

I'll look at this one shortly.

> introduced in commit a1f8110cd5ed818d59b3a2964fab7de76e92c18e
>
> - ./libssh.a(krl.o): In function `ssh_krl_from_blob': krl.c:1007:
> undefined reference to `reallocarray'
>
> introduced in commit 74de254bb92c684cf53461da97f52d5ba34ded80 -
> reallocarray() seems to be only part of the openbsd-5.6 stdlib

This one should be fixed by commit 642652d280499691c8212ec6b79724b50008ce09 which adds reallocarray to the compat library.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Wed Dec 10 02:16:37 2014
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 10 Dec 2014 02:16:37 +1100
Subject: build problems on the latest portable tree
In-Reply-To:
References: <5486FB4B.1070007@redhat.com>
Message-ID:

On Wed, Dec 10, 2014 at 1:41 AM, Darren Tucker wrote:

> Thanks for the report.
>
> On Wed, Dec 10, 2014 at 12:38 AM, Petr Lautrbach wrote:
>
>> Hello,
>>
>> I've hit 2 build issues on rhel-7 using the latest portable tree - HEAD
>> 3dfd8d93dfcc69261f5af99df56f3ff598581979
>>
>> - rijndael.c:1104:7: error: 'Td4' undeclared (first use in this function)
>>        (Td4[(t0 >> 24)       ] << 24) ^
>>         ^
>
> I'll look at this one shortly.

Looks like this one was in some unused code that is #if 0'ed out in OpenBSD but wasn't in -portable. Should be fixed by 4bfad14ca56f8ae04f418997816b4ba84e2cfc3c which resyncs those parts.

Thanks!

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Wed Dec 10 22:19:37 2014
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 10 Dec 2014 06:19:37 -0500
Subject: Adding Solaris Audit to sshd (and sftp-server)
In-Reply-To: <5480D0D6.5090005@oracle.com>
References: <5480D0D6.5090005@oracle.com>
Message-ID:

Hi Gary.

On Thu, Dec 4, 2014 at 4:23 PM, Gary Winiger wrote:

> Hi Damien,
>
[...]

I'm not Damien, but I did much of the work integrating the original BSM patches.

Firstly, I'm a little concerned about adding a dependency on an(other) undocumented API. Is it planned to publicly document this interface?

As for the structure, what you propose sounds reasonable. Note that we can only accept code with license compatible with the 2-term BSD license (ISC style[1] preferred, 2-term BSD acceptable, see the policy [2] for more information).

For the code itself, please follow the style guide [3], use unified diffs (diff -u) and break patches into small, discrete pieces. I'd also suggest opening a bug at bugzilla.mindrot.org to track the work and attach patches and such.

> "bsm" (Sun's Legacy Basic Security Module prior to Solaris 11)

Sun's is not the only BSM implementation these days, FreeBSD also has one.

[1] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/misc/license.template?rev=HEAD
[2] http://www.openbsd.org/policy.html
[3] http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man9/style.9

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From plautrba at redhat.com Wed Dec 10 22:39:34 2014
From: plautrba at redhat.com (Petr Lautrbach)
Date: Wed, 10 Dec 2014 12:39:34 +0100
Subject: build problems on the latest portable tree
In-Reply-To:
References: <5486FB4B.1070007@redhat.com>
Message-ID: <548830F6.2060800@redhat.com>

On 12/09/2014 04:16 PM, Darren Tucker wrote:
> On Wed, Dec 10, 2014 at 1:41 AM, Darren Tucker wrote:
>
>> Thanks for the report.
>>
>> On Wed, Dec 10, 2014 at 12:38 AM, Petr Lautrbach wrote:
>>
>>> Hello,
>>>
>>> I've hit 2 build issues on rhel-7 using the latest portable tree - HEAD
>>> 3dfd8d93dfcc69261f5af99df56f3ff598581979
>>>
>>> - rijndael.c:1104:7: error: 'Td4' undeclared (first use in this function)
>>>        (Td4[(t0 >> 24)       ] << 24) ^
>>>         ^
>>
>> I'll look at this one shortly.
>
> Looks like this one was in some unused code that is #if 0'ed out in OpenBSD
> but wasn't in -portable. Should be fixed
> by 4bfad14ca56f8ae04f418997816b4ba84e2cfc3c which resyncs those parts.

I confirm that both issues are fixed, thanks.

Petr

-- 
Petr Lautrbach

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL:

From plautrba at redhat.com Thu Dec 11 06:02:14 2014
From: plautrba at redhat.com (Petr Lautrbach)
Date: Wed, 10 Dec 2014 20:02:14 +0100
Subject: support for Kerberos credential cache locations other than FILE:?
In-Reply-To:
References:
Message-ID: <548898B6.60803@redhat.com>

On 12/04/2014 12:22 AM, James Ralston wrote:
> The MIT Kerberos library has supported credential cache locations
> other than "FILE:" for a while now:
>
> http://web.mit.edu/kerberos/krb5-devel/doc/basic/ccache_def.html
>
> In fact, RHEL7 sets the default credential cache to use the kernel
> keyring, via the new(ish) "default_ccache_name" option in
> /etc/krb5.conf:
>
> [libdefaults]
> default_ccache_name = KEYRING:persistent:%{uid}
>
> However, this will break forwarding Kerberos credentials via
> GSSAPIDelegateCredentials.

It seems to work for me using rhel-7's openssh sshd:

tom at ipa-server $ klist
Ticket cache: DIR::/tmp/597000004/tkthx4K48
Default principal: tom at VIRT

Valid starting       Expires              Service principal
12/10/2014 19:08:41  12/11/2014 19:08:41  krbtgt/VIRT at VIRT
12/10/2014 19:08:50  12/11/2014 19:08:41  host/rhel-7-devel.virt at VIRT

tom at ipa-server $ ssh -o GSSAPIDelegateCredentials=yes tom at rhel-7-devel.virt
Last login: Wed Dec 10 19:29:31 2014 from master.virt

tom at rhel-7-devel $ klist
Ticket cache: KEYRING:persistent:597000004:krb_ccache_t0MhS7l
Default principal: tom at VIRT

Valid starting       Expires              Service principal
12/10/2014 19:29:50  12/11/2014 19:08:41  krbtgt/VIRT at VIRT

And using sshd from stock openssh, it works for me too:

tom at ipa-server $ ssh -o GSSAPIDelegateCredentials=yes -o GSSAPIAuthentication=yes tom at rhel-7-devel.virt
Last login: Wed Dec 10 19:35:22 2014 from ipa-server.virt

tom at rhel-7-devel $ klist
Ticket cache: FILE:/tmp/krb5cc_597000004_rubDAg07mz
Default principal: tom at VIRT

Valid starting       Expires              Service principal
12/10/2014 19:44:19  12/11/2014 19:08:41  krbtgt/VIRT at VIRT

and sshd logs show:

sshd[27716]: debug1: Setting KRB5CCNAME to FILE:/tmp/krb5cc_597000004_rubDAg07mz

> ...
> Based on this, I would expect openssh to blast over the library
> default, but when I test, I see $KRB5CCNAME set to (e.g.)
> KEYRING:persistent:12345, but without credentials in it. (And tracing
> the sshd process shows that it never attempted to create any
> file-based credential cache.)
>
> So, two questions:
>
> First, does anyone know what happens to the credential cache openssh
> creates when the library default location is a keyring? Openssh isn't
> logging any errors, so I don't think the various krb5 library
> functions are failing. Has anyone else already played around with
> this?

Is it possible that you don't use GSSAPIAuthentication but e.g. PublicKeyAuthentication? Can you see an attempt to send credentials in ssh client logs? Using 'ssh -vv ...' might help.

>
> Second, is there a reason why openssh hardcodes the ccname location,
> instead of using krb5_cc_default_name() to obtain the library default?
>
> The only reason I can see for doing this is because if the library
> default starts with FILE: or DIR:, then you need to append
> "XXXXXXXXXX" (if necessary) and then use mkstemp() to get a
> non-predictable location. So that would be a little more effort than
> what openssh currently does.
>
> However, this would enable openssh to support Kerberos credential
> types other than "FILE:", so I'd argue it's worth it.

Please try attached patch or krb5_cc_default_name branch at [1]. It adds support for using Kerberos credential cache locations based on system wide configuration in /etc/krb5.conf. It tries to read a value of:

[libdefaults]
default_ccache_name = KEYRING:persistent:%{uid}

and parse it. If it's not able to get the value or parse it, it falls back to the original FILE: template. The patch also adds support for DIR and KEYRING types.

[1] https://github.com/bachradsusi/openssh-portable/tree/krb5_cc_default_name

Petr

-- 
Petr Lautrbach

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-support-for-using-kerberos-credential-location-s.patch
Type: text/x-patch
Size: 8237 bytes
Desc: not available
URL:

From gary.winiger at oracle.com Thu Dec 11 07:07:17 2014
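Petr's patch is only attached to the archive, not shown, so the following is an added example (mine, not Petr's patch and not OpenSSH code) that models the behaviour his message and James's question describe: read default_ccache_name from [libdefaults], expand %{uid}, give FILE: and DIR: residuals an XXXXXXXXXX suffix that mkstemp/mkdtemp fill in with an unpredictable name, pass KEYRING: through untouched, and fall back to a FILE: template when the value is missing or cannot be parsed. The fallback template's shape is inferred from the "Setting KRB5CCNAME to FILE:/tmp/krb5cc_597000004_..." log line quoted above and is an assumption; the krb5.conf text is constructed for the example.

```python
"""Model of resolving a per-session Kerberos ccache name (added example)."""
import os
import re
import tempfile

# Fallback when krb5.conf gives no usable default_ccache_name. Shape inferred
# from the sshd log line in the thread; an assumption, not OpenSSH's code.
FALLBACK_TEMPLATE = "FILE:/tmp/krb5cc_%{uid}_XXXXXXXXXX"

SUPPORTED_TYPES = ("FILE", "DIR", "KEYRING")

# Constructed krb5.conf. The realm block comes first on purpose: its nested
# default_ccache_name must not be mistaken for the [libdefaults] value.
SAMPLE_KRB5_CONF = """\
[realms]
    EXAMPLE.TEST = {
        kdc = kdc.example.test
        default_ccache_name = FILE:/tmp/not_the_libdefaults_value
    }

[libdefaults]
    default_realm = EXAMPLE.TEST
    default_ccache_name = KEYRING:persistent:%{uid}   # RHEL 7 style default
"""


def read_default_ccache_name(krb5_conf_text):
    """Return [libdefaults] default_ccache_name, or None if absent.

    Minimal reader: tracks the current [section] and the depth of { } blocks
    so that keys inside a nested block (per-realm settings) are ignored.
    """
    section, depth = None, 0
    for raw in krb5_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth = max(depth - 1, 0)
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_ccache_name" and value:
                return value
    return None


def parse_ccache_name(name):
    """Split 'TYPE:residual' into (TYPE, residual) for a supported type.

    Returns None for a missing prefix or an unsupported type (e.g. MEMORY:);
    the caller treats that as 'cannot parse' and falls back to FILE:.
    """
    match = re.fullmatch(r"([A-Za-z]+):(.+)", name)
    if not match or match.group(1).upper() not in SUPPORTED_TYPES:
        return None
    return match.group(1).upper(), match.group(2)


def build_ccache_template(default_name, uid):
    """Expand %{uid} and prepare the residual for the chosen type.

    FILE:/DIR: residuals get an XXXXXXXXXX suffix when they lack one so the
    final location is unpredictable; KEYRING: is passed through because the
    kernel keyring, not a filesystem path, isolates it per user.
    """
    parsed = parse_ccache_name(default_name) if default_name else None
    if parsed is None:
        parsed = parse_ccache_name(FALLBACK_TEMPLATE)
    ctype, residual = parsed
    residual = residual.replace("%{uid}", str(uid))
    if ctype in ("FILE", "DIR") and not residual.endswith("XXXXXXXXXX"):
        residual += "_XXXXXXXXXX"
    return ctype, residual


def create_ccache(default_name, uid, base_dir=None):
    """Create the cache location and return the KRB5CCNAME value to export.

    base_dir is a test hook that relocates FILE:/DIR: caches under a
    writable scratch directory; a daemon would use the residual as given.
    """
    ctype, residual = build_ccache_template(default_name, uid)
    if ctype == "KEYRING":
        return f"KEYRING:{residual}"
    directory, prefix = os.path.split(residual[: -len("XXXXXXXXXX")])
    if base_dir is not None:
        directory = base_dir
    if ctype == "FILE":
        # mkstemp creates the file with mode 0600 and a random name: other
        # users can neither guess nor pre-create it.
        fd, path = tempfile.mkstemp(prefix=prefix, dir=directory or None)
        os.close(fd)
        return f"FILE:{path}"
    path = tempfile.mkdtemp(prefix=prefix, dir=directory or None)  # mode 0700
    return f"DIR:{path}"


def demo_file_cache(uid=1000):
    """Create a FILE: cache in a scratch dir; check its name and existence."""
    with tempfile.TemporaryDirectory() as scratch:
        name = create_ccache(None, uid, base_dir=scratch)
        expected_prefix = "FILE:" + os.path.join(scratch, f"krb5cc_{uid}_")
        return name.startswith(expected_prefix) and os.path.isfile(name[5:])


if __name__ == "__main__":
    configured = read_default_ccache_name(SAMPLE_KRB5_CONF)
    print("configured:", configured)
    print("resolved  :", create_ccache(configured, 597000004))
    print("fallback  :", build_ccache_template("MEMORY:whatever", 597000004))
```

Run directly, it prints the KEYRING name resolved from the sample configuration and the FILE: fallback chosen for an unsupported MEMORY: type; the deliberate separation of template building from filesystem creation is what makes the parsing logic testable without touching /tmp.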
From: gary.winiger at oracle.com (Gary Winiger)
Date: Wed, 10 Dec 2014 12:07:17 -0800
Subject: Adding Solaris Audit to sshd (and sftp-server)
In-Reply-To:
References: <5480D0D6.5090005@oracle.com>
Message-ID: <5488A7F5.5050102@oracle.com>

On 12/10/14 03:19, Darren Tucker wrote:
> Hi Gary.
>
> On Thu, Dec 4, 2014 at 4:23 PM, Gary Winiger wrote:
>
>> Hi Damien,
>>
> [...]
>
> I'm not Damien, but I did much of the work integrating the original BSM
> patches.

Great to meet you Darren. Thanks for the BSM work.

> Firstly, I'm a little concerned about adding a dependency on an(other)
> undocumented API. Is it planned to publicly document this interface?

Yes, that has always been the plan. Unfortunately, the API currently requires tools and files that are only part of the core Solaris build process. Work has been slow to separate things out. IMO, it is in Solaris's best interests to maintain Solaris audit in OpenSSH.

> As for the structure, what you propose sounds reasonable. Note that we can
> only accept code with license compatible with the 2-term BSD license (ISC
> style[1] preferred, 2-term BSD acceptable, see the policy [2] for more
> information).

Thanks for the "sounds reasonable." I'll move ahead that way.

As for the license stuff, I'm not a lawyer, nor do I play one on TV. Oracle (which acquired Sun) seems to have many of them. I'll have to see what Oracle requires. Hopefully it is acceptable. I know that an Oracle copyright will be required. As I'm paid by Oracle when writing code, that seems reasonable to me. A CDDL may be required https://solaris.java.net/license.html

> For the code itself, please follow the style guide [3], use unified diffs
> (diff -u) and break patches into small, discrete pieces. I'd also suggest
> opening a bug at bugzilla.mindrot.org to track the work and attach patches
> and such.

I'll review the style guide. As you may know Solaris has a style guide. This is the first hit google found http://www.cis.upenn.edu/~lee/06cse480/data/cstyle.ms.pdf I'm pretty sure it was also a Usenix paper.

I'll open a bug/rfe when I get a little farther along. That probably won't be until 2015. If there's a compelling reason to do so sooner, I could probably squeeze it in.

>> "bsm" (Sun's Legacy Basic Security Module prior to Solaris 11)
>
> Sun's is not the only BSM implementation these days, FreeBSD also has one.

Point taken. I'll reword before asking for a patch to be accepted. A number of folk choose to "borrow" the audit stuff Sun did a couple decades ago. MacOS X also seems to be using the BSM style interfaces. I expect imported from FreeBSD. I've not looked closely at Darwin, other than as a MacOS user. (Since 1984 ;-)

Thanks and Cheers,
Gary..

> [1] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/misc/license.template?rev=HEAD
> [2] http://www.openbsd.org/policy.html
> [3] http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man9/style.9

From dtucker at zip.com.au Thu Dec 11 07:41:32 2014
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 10 Dec 2014 15:41:32 -0500
Subject: Adding Solaris Audit to sshd (and sftp-server)
In-Reply-To: <5488A7F5.5050102@oracle.com>
References: <5480D0D6.5090005@oracle.com> <5488A7F5.5050102@oracle.com>
Message-ID:

On Wed, Dec 10, 2014 at 3:07 PM, Gary Winiger wrote:
[...]
> I'll have to see what Oracle requires. Hopefully it is
> acceptable. I know that an Oracle copyright will be required.
> As I'm paid by Oracle when writing code, that seems reasonable
> to me. A CDDL may be required

Oracle copyright would be OK (there are already examples of non-individual-entity copyrights, including Sun Microsystems). CDDL, however, introduces additional restrictions and code under a CDDL license would definitely not be merged. Using a license different to any of the ones that already exist (ISC, 2-term BSD, MIT) would be a serious impediment.

> I'll review the style guide. As you may know Solaris has a
> style guide.

This would be OpenSSH code not Solaris code.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From chaser at cryptolab.net Thu Dec 11 08:26:06 2014
From: chaser at cryptolab.net (chaser at cryptolab.net)
Date: Wed, 10 Dec 2014 23:26:06 +0200
Subject: URL path match in ssh config
Message-ID: <2623693.pYGAj0vYag@andromeda>

Hi. I have a few different gitorious accounts (for different workplaces and my personal one), like

    git at gitorious.org:foo/foo.git
    git at gitorious.org:bar/bar.git

I want to configure ssh to use different ssh keys for different repos. I try to do it with ~/.ssh/config.

How can I match the path? I want to get something like this:

    Match path foo/foo.git
        HostName gitorious.org
        User git
        IdentityFile ~/.ssh/foo.key

    Match path bar/bar.git
        HostName gitorious.org
        User git
        IdentityFile ~/.ssh/bar.key

Thanks.

From mouring at eviladmin.org Thu Dec 11 09:53:14 2014
From: mouring at eviladmin.org (Ben Lindstrom)
Date: Wed, 10 Dec 2014 16:53:14 -0600
Subject: URL path match in ssh config
In-Reply-To: <2623693.pYGAj0vYag@andromeda>
References: <2623693.pYGAj0vYag@andromeda>
Message-ID: <16BE38AD-BEE0-421E-B58F-A84DA5021F90@eviladmin.org>

> On Dec 10, 2014, at 3:26 PM, chaser at cryptolab.net wrote:
>
> Hi. I have few different gitorious' accounts (for different workplaces and my personal), like
>
> git at gitorious.org:foo/foo.git
> git at gitorious.org:bar/bar.git
>
> I want to configure ssh to use different ssh keys for different repos. I try to do it with ~/.ssh/config.
>
> How I can match path? I want to get something like this:
>
> Match path foo/foo.git
>     HostName gitorious.org
>     User git
>     IdentityFile ~/.ssh/foo.key
>
> Match path bar/bar.git
>     HostName gitorious.org
>     User git
>     IdentityFile ~/.ssh/bar.key

Why not do:

    host gitwork
        HostName gitorious.org
        User git
        IdentityFile ~/.ssh/foo.key

    host githome
        HostName gitorious.org
        User git
        IdentityFile ~/.ssh/bar.key

As "Match" is a server side feature not a client feature. And the above would mean you'd do:

    $ ssh gitwork:foo/foo.git
or
    $ ssh githome:bar/bar.git

I do this trick a lot when I have the same machine with multiple login (think one web server with multi-virtual hosts all with different chroot/sftp locations).

- Ben

From djm at mindrot.org Thu Dec 11 18:18:51 2014
From: djm at mindrot.org (Damien Miller)
Date: Thu, 11 Dec 2014 18:18:51 +1100 (EST)
Subject: Adding Solaris Audit to sshd (and sftp-server)
In-Reply-To: <5480D0D6.5090005@oracle.com>
References: <5480D0D6.5090005@oracle.com>
Message-ID:

On Thu, 4 Dec 2014, Gary Winiger wrote:

> The --with-audit=bsm (audit-bsm.c) configuration uses interfaces
> that were never officially stable in Solaris. Public support and
> documentation has been withdrawn from Solaris 11 for libbsm.

That's a pity, because BSM is supported on other operating systems too. This makes it the closest thing to a cross-platform audit API around. It's disappointing and a bit strange for Oracle to be going the opposite way now.

-d

From chaser at cryptolab.net Thu Dec 11 18:32:08 2014
From: chaser at cryptolab.net (chaser at cryptolab.net)
Date: Thu, 11 Dec 2014 09:32:08 +0200
Subject: URL path match in ssh config
In-Reply-To: <16BE38AD-BEE0-421E-B58F-A84DA5021F90@eviladmin.org>
References: <2623693.pYGAj0vYag@andromeda> <16BE38AD-BEE0-421E-B58F-A84DA5021F90@eviladmin.org>
Message-ID: <1762302.u66lTIsst3@andromeda>

On Wed, 10 Dec 2014 16:53:14 Ben Lindstrom wrote:
> Why not do:
>
>     host gitwork
>         HostName gitorious.org
>         User git
>         IdentityFile ~/.ssh/foo.key
>
>     host githome
>         HostName gitorious.org
>         User git
>         IdentityFile ~/.ssh/bar.key
>
> As "Match" is a server side feature not a client feature. And the above
> would mean you'd do:
>
>     $ ssh gitwork:foo/foo.git
> or
>     $ ssh githome:bar/bar.git
>
> I do this trick a lot when I have the same machine with multiple login
> (think one web server with multi-virtual hosts all with different
> chroot/sftp locations).
>
> - Ben

Thank you! That's what I need. BTW is it possible to make configuration without hostname modification?

From djm at mindrot.org Thu Dec 11 19:28:15 2014
From: djm at mindrot.org (Damien Miller)
Date: Thu, 11 Dec 2014 19:28:15 +1100 (EST)
Subject: URL path match in ssh config
In-Reply-To: <1762302.u66lTIsst3@andromeda>
References: <2623693.pYGAj0vYag@andromeda> <16BE38AD-BEE0-421E-B58F-A84DA5021F90@eviladmin.org> <1762302.u66lTIsst3@andromeda>
Message-ID:

On Thu, 11 Dec 2014, chaser at cryptolab.net wrote:

> Thank you! That's what I need. BTW is it possible to make configuration
> without hostname modification?

No, because the path isn't presented to ssh in any way it can easily use

From chaser at cryptolab.net Fri Dec 12 08:53:55 2014
From: chaser at cryptolab.net (chaser at cryptolab.net)
Date: Thu, 11 Dec 2014 23:53:55 +0200
Subject: URL path match in ssh config
In-Reply-To:
References: <2623693.pYGAj0vYag@andromeda> <1762302.u66lTIsst3@andromeda>
Message-ID: <2560343.33abmnm2Ce@andromeda>

On Thu, 11 Dec 2014 19:28:15 Damien Miller wrote:
> On Thu, 11 Dec 2014, chaser at cryptolab.net wrote:
> > Thank you! That's what I need. BTW is it possible to make configuration
> > without hostname modification?
>
> No, because the path isn't presented to ssh in any way it can easily use

So... can this not be implemented/fixed? I think that configuration should be more logical and easier for the end user. And hostname modification is not a very clear form of configuration.

From keisial at gmail.com Fri Dec 12 09:37:07 2014
From: keisial at gmail.com (Ángel González)
Date: Thu, 11 Dec 2014 23:37:07 +0100
Subject: URL path match in ssh config
In-Reply-To: <2560343.33abmnm2Ce@andromeda>
References: <2623693.pYGAj0vYag@andromeda> <1762302.u66lTIsst3@andromeda> <2560343.33abmnm2Ce@andromeda>
Message-ID: <548A1C93.9060906@gmail.com>

On 11/12/14 22:53, chaser at cryptolab.net wrote:
> On Thu, 11 Dec 2014 19:28:15 Damien Miller wrote:
>> On Thu, 11 Dec 2014, chaser at cryptolab.net wrote:
>>> Thank you! That's what I need. BTW is it possible to make configuration
>>> without hostname modification?
>> No, because the path isn't presented to ssh in any way it can easily use
> So... is this can't be implemented/fixed? I think that configuration should be more logical and easier for end user. And hostname modification is not very clear form of configuration.

I don't think so. You give git at gitorious.org:bar/bar.git to git, but it actually will be doing:

    ssh git at gitorious.org "/usr/bin/git-upload-pack bar/bar.git"

You could add an option to match on command, but such matching seems risky.

From kk at keppler-it.de Mon Dec 15 09:42:01 2014
From: kk at keppler-it.de (Klaus Keppler)
Date: Sun, 14 Dec 2014 23:42:01 +0100
Subject: [PATCH] Early request for comments: U2F authentication
Message-ID: <548E1239.6020306@keppler-it.de>

> I've spent some time (together with Christian and Thomas) hacking on
> U2F support in OpenSSH, and I'm happy to provide a first patch - it's
> not complete, but it should be good enough to get the discussion going
> :). Please see the two attached files for the patch.

This is great - I'm looking forward to it! :)

I've implemented U2F into another (C-based) application these days. While searching for some relevant OpenSSL-specific "help" I stumbled upon your OpenSSH patch.

I think there's a small bug:

> +	if ((err = EVP_VerifyInit(&mdctx, EVP_ecdsa())) != 1) {
> +		ERR_error_string(ERR_get_error(), errorbuf);
> +		fatal("EVP_VerifyInit() failed: %s (reason: %s)",
> +		    errorbuf, ERR_reason_error_string(err));

You should use "EVP_sha256()" instead of "EVP_ecdsa()" here (we have an ECDSA signature on the SHA256 hash)

> +	if ((err = EVP_VerifyFinal(&mdctx, walk, restlen, pkey)) == -1) {
> +		ERR_error_string(ERR_get_error(), errorbuf);
> +		error("Verifying the U2F registration signature failed: %s (reason: %s)",
> +		    errorbuf, ERR_reason_error_string(err));
> +		goto out;
> +	}

You test EVP_VerifyFinal() only against "-1". This catches OpenSSL library errors and such. But if the signature check itself fails, you get "0". So, the only valid result here should be "1".

When you change EVP_ecdsa() to EVP_sha256() above, EVP_VerifyFinal() should return "1" on valid data.

Best regards

-Klaus

From stapelberg+openssh at google.com Tue Dec 16 06:25:51 2014
From: stapelberg+openssh at google.com (Michael Stapelberg)
Date: Mon, 15 Dec 2014 20:25:51 +0100
Subject: [PATCH] Early request for comments: U2F authentication
In-Reply-To: <547D0F87.2010206@gmail.com>
References: <547D0F87.2010206@gmail.com>
Message-ID:

Thanks a lot for your feedback, and sorry for the late reply (been quite busy). I'll update this thread once I've got a new version of the patch to share :).

On Tue, Dec 2, 2014 at 2:01 AM, Ángel González wrote:

> Michael Stapelberg wrote:
>
>> Thank you very much for any replies :).
>> I haven't seen any replies yet, and it's been almost a week. It could
>> just be that none of you care, or all who care are incredibly busy.
>> Still, I'd appreciate a "don't know about the details, but we'll most
>> likely merge your patch" so that I know any further work on this is
>> not in vain :).
>>
>> Thank you!
>>
> Now it has been almost a month. :)
>
> In case it is helpful, here are my 2 cents:
> 1) It looks cool to support U2F in openssh.
> 2-3) No, sshd writing the users authorized_keys file doesn't seem a good
> idea :)
> I would put the client registration process in ssh-copy-id
>
> 4) For the server to identify itself, the only think it knows about its
> identity is its own [set of] host key. The hostname or gethostid(2) can be
> quite useless. Perhaps a sshd_config param? :/
>
> 5) Looks good. From the client point of view, I would use hostname[:port],
> as currently checked by ssh in known_hosts. That seems more consistent with
> ssh way. I also suspect that using the server fingerprint would allow some
> attacks, in addition of avoiding possible issues with multiple hosts with
> the same key (shared fs, cloned machines?). Note that if the server is
> exposed to the origin value, it may deserve to be hidden (hashed?) first
> (I understand the server shall treat the origin as an opaque value)
>
> 7) Wouldn't ERR_load_crypto_strings() be enough?

No, it's unfortunately not enough.

>
>> +// TODO: use auth_info() so that in log messages about accepted auths we
>> will see a message that identifies the key. perhaps we can just use the
>> human readable suffix that you can specify in the authorized_keys file(s)?
>>
> Just that suffix won't help root to figure things out. A fingerprint -like
> it's now provided for public keys- could help here.
>
>
> And a few u2f questions: What is the purpose of the challenge provided by
> the server on

I think throughout the protocol (not only when registering), the challenges are used to ensure nobody is capturing and replaying these messages, as they get hashed by the security key (and that signed hash is verified by the server).

> registration? What is a u2f key expected to do if asked to register an
> system it already has already registered? Should it be appended or replaced?

I think it gets replaced, but I don't recall the spec being explicit about that.

From stapelberg+openssh at google.com Tue Dec 16 07:30:14 2014
From: stapelberg+openssh at google.com (Michael Stapelberg)
Date: Mon, 15 Dec 2014 21:30:14 +0100
Subject: [PATCH] Early request for comments: U2F authentication
In-Reply-To: <548E1239.6020306@keppler-it.de>
References: <548E1239.6020306@keppler-it.de>
Message-ID:

Thanks for pointing this out. Comments inline:

On Sun, Dec 14, 2014 at 11:42 PM, Klaus Keppler wrote:

>> I've spent some time (together with Christian and Thomas) hacking on
>> U2F support in OpenSSH, and I'm happy to provide a first patch - it's
>> not complete, but it should be good enough to get the discussion going
>> :). Please see the two attached files for the patch.
>
> This is great - I'm looking forward to it! :)
>
> I've implemented U2F into another (C-based) application these days. While
> searching for some relevant OpenSSL-specific "help" I stumbled upon your
> OpenSSH patch.
> I think there's a small bug:
>
>> +	if ((err = EVP_VerifyInit(&mdctx, EVP_ecdsa())) != 1) {
>> +		ERR_error_string(ERR_get_error(), errorbuf);
>> +		fatal("EVP_VerifyInit() failed: %s (reason: %s)",
>> +		    errorbuf, ERR_reason_error_string(err));
>
> You should use "EVP_sha256()" instead of "EVP_ecdsa()" here (we have a
> ECDSA signature on the SHA256 hash)

If I do that, EVP_VerifyFinal() will result in EVP_R_WRONG_PUBLIC_KEY_TYPE. Looking at the OpenSSL source, I can see that in crypto/evp/m_sha1.c, the sha* digests are defined with EVP_PKEY_RSA_method, which requires an RSA publickey, but we have an ECDSA publickey. The only digest working with ECDSA publickeys is crypto/evp/m_ecdsa.c AFAICT.

>> +	if ((err = EVP_VerifyFinal(&mdctx, walk, restlen, pkey)) == -1) {
>> +		ERR_error_string(ERR_get_error(), errorbuf);
>> +		error("Verifying the U2F registration signature failed:
>> %s (reason: %s)",
>> +		    errorbuf, ERR_reason_error_string(err));
>> +		goto out;
>> +	}
>
> You test EVP_VerifyFinal() only against "-1". This catches OpenSSL library
> errors and such. But if the signature check itself fails, you get "0". So,
> the only valid result here should be "1".

You're correct, good catch.

> When you change EVP_ecdsa() to EVP_sha256() above, EVP_VerifyFinal()
> should return "1" on valid data.

Unfortunately not. Could you share the code that you have please? Or is it not yet working?

From kk at keppler-it.de Tue Dec 16 09:23:16 2014
From: kk at keppler-it.de (Klaus Keppler)
Date: Mon, 15 Dec 2014 23:23:16 +0100
Subject: [PATCH] Early request for comments: U2F authentication
In-Reply-To:
References: <548E1239.6020306@keppler-it.de>
Message-ID: <548F5F54.8040205@keppler-it.de>

> If I do that, EVP_VerifyFinal() will result in EVP_R_WRONG_PUBLIC_KEY_TYPE.

This is strange... I don't get any error here, though I use the (same?) ECDSA public key from the attestation certificate (using OpenSSL 1.0.1i, but that shouldn't matter).

> Looking at the OpenSSL source, I can see that in crypto/evp/m_sha1.c, the
> sha* digests are defined with EVP_PKEY_RSA_method, which requires an RSA
> publickey, but we have an ECDSA publickey. The only digest working with
> ECDSA publickeys is crypto/evp/m_ecdsa.c AFAICT.

Both EVP_PKEY_RSA_method and EVP_PKEY_ECDSA_method are #defined there as "EVP_PKEY_NULL_method". (don't ask me why... I don't understand most of that macro mess...)

> Unfortunately not. Could you share the code that you have please? Or is it
> not yet working?

Voila: https://github.com/keppler/fido-u2f/blob/master/fido-example.c

It uses the example messages from the official specs, so should be easy to reproduce. If I'm wrong at any point there, please let me know.

Best regards

-Klaus

From opsdmt at gmail.com Thu Dec 18 12:55:49 2014
From: opsdmt at gmail.com (Dmt Ops)
Date: Wed, 17 Dec 2014 17:55:49 -0800
Subject: chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
Message-ID:

I have sshd server

    sshd -V
    ...
    OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
    ...

running on linux/64 with

    cat sshd_config
    ...
    PubkeyAuthentication yes
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    GSSAPIAuthentication no
    GSSAPICleanupCredentials no
    HostbasedAuthentication no
    RhostsRSAAuthentication no
    RSAAuthentication no
    UseLogin no
    PermitEmptyPasswords no
    UsePrivilegeSeparation yes
    ...

I can ssh in with pubkey auth.

I want to ADD a 2nd factor authentication step; specifically Google Authenticator

I installed pam-google-authenticator package. At shell, I exec google-authenticator and create the key

I edit

    vi /etc/pam.d/sshd
    ...
    + auth required pam_google_authenticator.so
    ...

and

    vi /etc/ssh/sshd_config
    ...
    - ChallengeResponseAuthentication no
    + ChallengeResponseAuthentication yes
    + KbdInteractiveAuthentication yes
    ...

and restart the daemon

    systemctl restart sshd
    ...
    Dec 7 14:05:59 server systemd[1]: Stopping OpenSSH Daemon...
    Dec 7 14:05:59 server sshd[4821]: Received signal 15; terminating.
    Dec 7 14:05:59 server systemd[1]: Starting OpenSSH Daemon...
    Dec 7 14:05:59 server systemd[1]: Started OpenSSH Daemon.
    Dec 7 14:05:59 server sshd[5112]: Server listening on 127.0.0.1 port 22.
    Dec 7 14:05:59 server sshd[5112]: Server listening on 10.10.16.92 port 22.
    ...

In the client's ssh_config I added

    ...
    Host server.DOMAIN.com
        User root
        ChallengeResponseAuthentication yes
        PreferredAuthentications publickey,keyboard-interactive
        ForwardX11 yes
        ForwardX11Trusted yes
        Compression no
    ...

IIUC, now, when I login from the client to the server, I should ALWAYS be prompted for the Google Authenticator code after a successful pubkey auth.

But when I ssh in to the machine, I still get only the pubkey auth -- never get asked for the GA code, and I can login.

    ssh -v -l root server sshr_server -4v
    OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 89: Applying options for *.DOMAIN.com
    debug1: /etc/ssh/ssh_config line 147: Applying options for *
    debug1: Connecting to server.DOMAIN.com [10.10.16.92] port 22.
    debug1: fd 3 clearing O_NONBLOCK
    debug1: Connection established.
    debug1: identity file /etc/ssh/ssh.desktop.rsa-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.7
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
    debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client chacha20-poly1305 at openssh.com none
    debug1: kex: client->server chacha20-poly1305 at openssh.com none
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ED25519 2f:...
    debug1: Host 'server.DOMAIN.com' is known and matches the ED25519 host key.
    debug1: Found key in /etc/ssh/ssh_known_hosts:1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /etc/ssh/ssh.desktop.rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    debug1: Authentication succeeded (publickey).
    Authenticated to server.DOMAIN.com ([10.10.16.92]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions at openssh.com
    debug1: Entering interactive session.
    debug1: Requesting X11 forwarding with authentication spoofing.
    debug1: Sending environment.
    debug1: Sending env LANG = en_US.UTF-8
    debug1: Sending env DISPLAY = :0

I'm not sure where to look for WHY this isn't working.

How do I get the 2nd-factor step turned on? config change? add'l packages required? etc?

Dan

From djm at mindrot.org Thu Dec 18 16:59:52 2014
From: djm at mindrot.org (Damien Miller)
Date: Thu, 18 Dec 2014 16:59:52 +1100 (EST)
Subject: chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
In-Reply-To:
References:
Message-ID:

On Wed, 17 Dec 2014, Dmt Ops wrote:

> But when I ssh in to the machine, I still get only the pubkey auth -- never
> get asked for the GA code, and I can login.

Could you please post a debug log from the server?

    /path/to/sshd -ddd

should produce one.

-d

From shinji at elite-systems.org Thu Dec 18 17:25:15 2014
From: shinji at elite-systems.org (Robert Pendell)
Date: Thu, 18 Dec 2014 01:25:15 -0500
Subject: chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
In-Reply-To:
References:
Message-ID:

On Thu, Dec 18, 2014 at 12:59 AM, Damien Miller <...> wrote:
> On Wed, 17 Dec 2014, Dmt Ops wrote:
>
>> But when I ssh in to the machine, I still get only the pubkey auth -- never
>> get asked for the GA code, and I can login.
>
> Could you please post a debug log from the server?
>
> /path/to/sshd -ddd
>
> should produce one.

Based on what I've seen the reason is because SSH is handling pub-key auth and bypasses PAM for it. Google Authenticator however is done via PAM so it only works for keyboard interactive logins. Now then from what I've seen you can try to do force command instead and use a different 2-factor provider that runs using a system executable but that provides its own headaches.

From djm at mindrot.org Thu Dec 18 18:00:16 2014
From: djm at mindrot.org (Damien Miller)
Date: Thu, 18 Dec 2014 18:00:16 +1100 (EST)
Subject: chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
In-Reply-To:
References:
Message-ID:

On Thu, 18 Dec 2014, Robert Pendell wrote:

> Based on what I've seen the reason is because SSH is handling pub-key
> auth and bypasses PAM for it. Google Authenticator however is done
> via PAM so it only works for keyboard interactive logins.

No, this isn't correct. Pubkey authentication doesn't bypass PAM in any way that would affect other authentication methods.

From djm at mindrot.org Thu Dec 18 18:01:59 2014
From: djm at mindrot.org (Damien Miller)
Date: Thu, 18 Dec 2014 18:01:59 +1100 (EST)
Subject: chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
In-Reply-To:
References:
Message-ID:

On Wed, 17 Dec 2014, Dmt Ops wrote:

> vi /etc/ssh/sshd_config
> ...
> - ChallengeResponseAuthentication no
> + ChallengeResponseAuthentication yes
> + KbdInteractiveAuthentication yes
> ...
>
> and restart the daemon

You've missed the crucial part to require multiple authentication methods succeed before the user is considered authenticated:

    AuthenticationMethods publickey,keyboard-interactive

-d

From shinji at elite-systems.org Thu Dec 18 18:35:39 2014
From: shinji at elite-systems.org (Robert Pendell)
Date: Thu, 18 Dec 2014 02:35:39 -0500
Subject: chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
In-Reply-To:
References:
Message-ID:

On Thu, Dec 18, 2014 at 2:01 AM, Damien Miller <...> wrote:
> On Wed, 17 Dec 2014, Dmt Ops wrote:
>
>> vi /etc/ssh/sshd_config
>> ...
>> - ChallengeResponseAuthentication no
>> + ChallengeResponseAuthentication yes
>> + KbdInteractiveAuthentication yes
>> ...
>>
>> and restart the daemon
>
> You've missed the crucial part to require multiple authentication
> methods succeed before the user is considered authenticated:
>
> AuthenticationMethods publickey,keyboard-interactive
>

Ahh... I wasn't even aware of that option.

Robert Pendell
shinji at elite-systems.org
A perfect world is one of chaos.

From stapelberg+openssh at google.com Fri Dec 19 21:17:42 2014
From: stapelberg+openssh at google.com (Michael Stapelberg)
Date: Fri, 19 Dec 2014 02:17:42 -0800
Subject: [PATCH] Early request for comments: U2F authentication
In-Reply-To: <548F5F54.8040205@keppler-it.de>
References: <548E1239.6020306@keppler-it.de> <548F5F54.8040205@keppler-it.de>
Message-ID:

Thanks for the demo program, that helps. Turns out the OpenSSL version I was using was too old, and when upgrading to 1.0.1j, your suggestion (and demo program) work fine. I've attached a patch to fix my code.

On Mon, Dec 15, 2014 at 2:23 PM, Klaus Keppler wrote:
>
> If I do that, EVP_VerifyFinal() will result in EVP_R_WRONG_PUBLIC_KEY_TYPE.
>>
>
> This is strange... I don't get any error here, though I use the (same?)
> ECDSA public key from the attestation certificate (using OpenSSL 1.0.1i,
> but that shouldn't matter).
>
> Looking at the OpenSSL source, I can see that in crypto/evp/m_sha1.c, the
>> sha* digests are defined with EVP_PKEY_RSA_method, which requires an RSA
>> publickey, but we have an ECDSA publickey. The only digest working with
>> ECDSA publickeys is crypto/evp/m_ecdsa.c AFAICT.
>>
>
> Both EVP_PKEY_RSA_method and EVP_PKEY_ECDSA_method are #defined there as
> "EVP_PKEY_NULL_method". (don't ask me why... I don't understand most of
> that macro mess...)
>
> Unfortunately not. Could you share the code that you have please? Or is it
>> not yet working?
>>
>
> Voila: https://github.com/keppler/fido-u2f/blob/master/fido-example.c
> It uses the example messages from the official specs, so should be easy to
> reproduce.
>
> If I'm wrong at any point there, please let me know.
>
> Best regards
>
> -Klaus
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Bugfix-use-EVP_sha256-properly-check-verification-re.patch
Type: text/x-patch
Size: 2083 bytes
Desc: not available
URL:

From opsdmt at gmail.com Sat Dec 20 01:04:20 2014
From: opsdmt at gmail.com (Dmt Ops)
Date: Fri, 19 Dec 2014 06:04:20 -0800
Subject: chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
In-Reply-To:
References:
Message-ID:

>> AuthenticationMethods publickey,keyboard-interactive
> I wasn't even aware of that option.

Neither was I. I had

    PreferredAuthentications publickey,keyboard-interactive

in ssh_config ... and thought that that, plus

    ChallengeResponseAuthentication yes

in sshd_config was sufficient.

Adding

    ChallengeResponseAuthentication yes
    KbdInteractiveAuthentication yes
    + AuthenticationMethods publickey,keyboard-interactive

to sshd_config, now, after sshd restart I can no longer ssh in at all.

I simply get

    Permission denied (keyboard-interactive).

Once I get in front of the machine, I'll grab an "sshd -ddd" ...

From opsdmt at gmail.com Sat Dec 20 01:39:52 2014
From: opsdmt at gmail.com (Dmt Ops)
Date: Fri, 19 Dec 2014 06:39:52 -0800
Subject: chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
In-Reply-To:
References:
Message-ID:

I added an EXPLICIT

    AuthenticationMethods publickey,keyboard-interactive
    + UsePam yes

to sshd_config. Now, at connect attempt I get

    Password:
    Verification code:
    Password:
    Verification code:
    Password:
    ...

I.e., it's asking for Password, not accepting pubkey, AND when given the password (which is correct) and the GA VerificationCode, it simply repeats the credentials request.

From djm at mindrot.org Sat Dec 20 09:05:24 2014
From: djm at mindrot.org (Damien Miller)
Date: Sat, 20 Dec 2014 09:05:24 +1100 (EST)
Subject: chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
In-Reply-To:
References:
Message-ID:

On Fri, 19 Dec 2014, Dmt Ops wrote:

> to sshd_config, now, after sshd restart I can no longer ssh in at all.
>
> I simply get
>
> Permission denied (keyboard-interactive).
>
> Once I get in front of the machine, I'll grab an "sshd -ddd" ...

You might need UsePam=yes too if you are using PAM and haven't already turned it on.

From opsdmt at gmail.com Sat Dec 20 09:33:32 2014
From: opsdmt at gmail.com (Dmt Ops)
Date: Fri, 19 Dec 2014 14:33:32 -0800
Subject: chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
In-Reply-To:
References:
Message-ID:

That's what my previous post said I just did

> I added an EXPLICIT
>
> AuthenticationMethods publickey,keyboard-interactive
> + UsePam yes

From klolik79 at gmail.com Mon Dec 22 08:34:42 2014
From: klolik79 at gmail.com (=?UTF-8?Q?Bart=C5=82omiej_Korupczynski?=)
Date: Sun, 21 Dec 2014 22:34:42 +0100
Subject: [PATCH] LocalPreCommand: Support for executing command before ssh connection (like port knock before ssh)
Message-ID:

Hi guys,

I've made a patch adding LocalPreCommand to ssh_config. It mimics the behaviour of LocalCommand, but is executed right before the connection is opened. This makes it possible e.g. to integrate ssh with port knocking. It also removes "-oPermitLocalCommand=no" from scp, allowing the same functionality to be used for file transfers.

Applies cleanly on vanilla OpenSSH 6.7p1.

http://software.klolik.org/patches/openssh+localprecommand.diff

Best regards,
Bartlomiej Korupczynski

From djm at mindrot.org Mon Dec 22 12:25:12 2014
From: djm at mindrot.org (Damien Miller)
Date: Mon, 22 Dec 2014 12:25:12 +1100 (EST)
Subject: chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
In-Reply-To:
References:
Message-ID:

On Fri, 19 Dec 2014, Dmt Ops wrote:

> I added an EXPLICIT
>
> AuthenticationMethods publickey,keyboard-interactive
> + UsePam yes
>
> to sshd_config. Now, at connect attempt I get
>
> Password:
> Verification code:
> Password:
> Verification code:
> Password:

Figuring out what is happening is pretty hard without logs from the client and server.

From madduck at madduck.net Mon Dec 22 20:26:49 2014
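The thread above converges on three sshd_config directives for chaining a public key with a PAM keyboard-interactive factor: AuthenticationMethods publickey,keyboard-interactive, UsePAM yes and ChallengeResponseAuthentication yes. The POSIX shell check below is an added example (not OpenSSH code and not any poster's configuration) that reads an sshd_config and reports which of those directives are not in effect; it applies sshd's first-value-wins rule for repeated keywords, stops at the first Match block (those settings are conditional), and assumes the OpenSSH 6.7 defaults for absent keywords.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the directives needed to require
# public-key auth followed by a PAM keyboard-interactive second factor
# (for instance pam_google_authenticator). Not part of OpenSSH.

# sshd_directive FILE KEYWORD
# Prints the effective global value of KEYWORD, or nothing if it is unset.
# Keywords are matched case-insensitively, "Key value" and "Key=value" are
# both accepted, sshd keeps the FIRST value it reads for a keyword, and
# parsing stops at the first Match block because those values only apply
# to matching connections.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            n = split(line, f, /[[:space:]=]+/)          # f[1]=keyword f[2]=value
            if (n < 2) next
            k = tolower(f[1])
            if (k == "match") exit                        # end of global section
            if (k == key && !found) { value = f[2]; found = 1 }
        }
        END { if (found) print value }
    ' "$1"
}

# check_mfa_config FILE
# Returns 0 when every required directive is in effect, 1 otherwise, and
# prints one line per problem. Each spec is KEYWORD:WANTED:DEFAULT, where
# DEFAULT is what sshd assumes when the keyword is absent (sshd_config(5),
# OpenSSH 6.7). Only the first method list of AuthenticationMethods is
# compared, which is all this thread's configuration uses.
check_mfa_config() {
    cfg=$1
    rc=0
    for spec in \
        "AuthenticationMethods:publickey,keyboard-interactive:any" \
        "UsePAM:yes:no" \
        "ChallengeResponseAuthentication:yes:yes" \
        "PubkeyAuthentication:yes:yes"
    do
        key=${spec%%:*}
        rest=${spec#*:}
        want=${rest%%:*}
        default=${rest#*:}
        got=$(sshd_directive "$cfg" "$key")
        [ -n "$got" ] || got=$default
        got_lc=$(printf '%s' "$got" | tr 'A-Z' 'a-z')
        if [ "$got_lc" != "$want" ]; then
            echo "$cfg: $key is '$got' (need '$want')"
            rc=1
        fi
    done
    return $rc
}

# Usage: ./check_mfa.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    check_mfa_config "$1"
fi
```

Run it against the live file after every change and before restarting sshd; a non-zero exit means at least one of the directives the thread identified is still missing or overridden by an earlier line.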
From: madduck at madduck.net (martin f krafft)
Date: Mon, 22 Dec 2014 10:26:49 +0100
Subject: Dealing with roaming machines
Message-ID: <20141222092649.GA22023@albatross.lehel.madduck.net>

Hey folks,

As most of everyone, I use OpenSSH for almost everything and whenever I can: backups, sync, Git, configuration management, and of course console sessions. So much for an intro ;)

My laptop and I roam between three networks, though sometimes I leave the laptop at the office overnight, or hop over to the third site for an hour or two.

I'd like to find a way to configure OpenSSH (or Linux in general) to try the other networks if the machine cannot be found locally. Unfortunately, DNS "search" in /etc/resolv.conf and CanonicalizeHostname in ssh_config both don't work since they only iterate the network DNS zones until a record is found, and my laptop has an entry in all three zones.

Short of creating a single DNS entry and adding all possible IPs for my laptop, I am wondering if there's a way to configure OpenSSH (or Linux) to try multiple DNS names until a connection can be made. For extra bonus special points, this should obviously happen all at once to reduce wait times.

Assuming that this isn't currently possible -- I did search and investigate -- would this be a worthwhile feature to look into?

Thanks,

--
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/

for years, we have thought that a million monkeys typing at a million typewriters would eventually produce the complete works of shakespeare. today, thanks to the internet, we know this is not true.

spamtraps: madduck.bogus at madduck.net

From nkadel at gmail.com Tue Dec 23 00:43:06 2014
From: nkadel at gmail.com (Nico Kadel-Garcia)
Date: Mon, 22 Dec 2014 08:43:06 -0500
Subject: Dealing with roaming machines
In-Reply-To: <20141222092649.GA22023@albatross.lehel.madduck.net>
References: <20141222092649.GA22023@albatross.lehel.madduck.net>
Message-ID:

On Mon, Dec 22, 2014 at 4:26 AM, martin f krafft wrote:
> Hey folks,
>
> As most of everyone, I use OpenSSH for almost everything and
> whenever I can: backups, sync, Git, configuration management, and of
> course console sessions. So much for an intro ;)
>
> My laptop and I roam between three networks, though sometimes
> I leave the laptop at the office overnight, or hop over to the third
> site for an hour or two.
>
> I'd like to find a way to configure OpenSSH (or Linux in general) to
> try the other networks if the machine cannot be found locally.
> Unfortunately, DNS "search" in /etc/resolv.conf and
> CanonicalizeHostname in ssh_config both don't work since they only
> iterate the network DNS zones until a record is found, and my laptop
> has an entry in all three zones.

The problem, I think, isn't that you have an entry in all three. It's that you have a *shortened* hostname that is identical in all 3 DNS domains. If your DNS admins have gracefully set the local environments to each be on their own subdomain, and that subdomain is *first* in DHCP configured DNS, you should be golden.

    laptop.internal.domain.com    # when inside the building, internaldomain.domain.com is first, then domain.com
    laptop.vpn.domain.com         # when VPN connected, vpn.domain.com is first, then domain.com
    laptop.machineroom.domain.com

It's extra work in DNS and security policies to do this, especially if you're using dynamic DNS through AD. If instead, your admins have set up all these environments to share "domain.com", well, then you start getting into DNS "views" for a small domain called "laptop.domain.com" and different DNS "views" in each environment.

Then you need quite short DNS TTL's, and various other requirements to avoid servers in the same domain having their DNS expire. Good luck with that: I deal with that kind of integration challenge a *lot*.

> Short of creating a single DNS entry and adding all possible IPs for
> my laptop, I am wondering if there's a way to configure OpenSSH
> (or Linux) to try multiple DNS names until a connection can be
> made. For extra bonus special points, this should obviously happen
> all at once to reduce wait times.

I've seen nothing, but have had to deal with peculiar setups when people start trying to "simplify" their DNS into one master zone and not realizing the consequences of multiple A records. Don't get me *started* on people who use multiple CNAME's for the same primary hostname, pointing to multiple other A records or CNAME's!!! And do *not* get me going on how people think that having multiple A records will automatically load balance their traffic.

You might personally consider a wrapper, to process "nslookup" or other DNS for your particular setup. But personally, I'd review the concept of having identical hostnames in all environments. It can be very helpful to deal with FQDN's and segregate your laptop's name in the internal environment from its name in the external or other environments.

> Assuming that this isn't currently possible -- I did search and
> investigate -- would this be a worthwhile feature to look into?
>
> Thanks,
>
> --
> @martinkrafft | http://madduck.net/ | http://two.sentenc.es/

It sounds intriguing. The basic C library functions are

From dan at doxpara.com Tue Dec 23 00:47:52 2014
From: dan at doxpara.com (Dan Kaminsky)
Date: Mon, 22 Dec 2014 05:47:52 -0800
Subject: Dealing with roaming machines
In-Reply-To: <20141222092649.GA22023@albatross.lehel.madduck.net>
References: <20141222092649.GA22023@albatross.lehel.madduck.net>
Message-ID:

Generally the way people manage mobility like this is to have a client on the mobile device that updates the DNS entry, which otherwise has a small TTL. The laptop is in the position to have on-wakeup events, to interrogate its environment, and to make the required changes. There's any number of ways to implement this, from Dynamic DNS to scripted ssh into a name server to some funky "if this then that" Node thing.

On Monday, December 22, 2014, martin f krafft wrote:
> Hey folks,
>
> As most of everyone, I use OpenSSH for almost everything and
> whenever I can: backups, sync, Git, configuration management, and of
> course console sessions. So much for an intro ;)
>
> My laptop and I roam between three networks, though sometimes
> I leave the laptop at the office overnight, or hop over to the third
> site for an hour or two.
>
> I'd like to find a way to configure OpenSSH (or Linux in general) to
> try the other networks if the machine cannot be found locally.
> Unfortunately, DNS "search" in /etc/resolv.conf and
> CanonicalizeHostname in ssh_config both don't work since they only
> iterate the network DNS zones until a record is found, and my laptop
> has an entry in all three zones.
>
> Short of creating a single DNS entry and adding all possible IPs for
> my laptop, I am wondering if there's a way to configure OpenSSH
> (or Linux) to try multiple DNS names until a connection can be
> made. For extra bonus special points, this should obviously happen
> all at once to reduce wait times.
>
> Assuming that this isn't currently possible -- I did search and
> investigate -- would this be a worthwhile feature to look into?
>
> Thanks,
>
> --
> @martinkrafft | http://madduck.net/ | http://two.sentenc.es/
>
> for years, we have thought that a million monkeys typing at a million
> typewriters would eventually produce the complete works of shakespeare.
> today, thanks to the internet, we know this is not true.
>
> spamtraps: madduck.bogus at madduck.net
>

From madduck at madduck.net Tue Dec 23 07:41:06 2014
From: madduck at madduck.net (martin f krafft)
Date: Mon, 22 Dec 2014 21:41:06 +0100
Subject: Dealing with roaming machines
In-Reply-To:
References: <20141222092649.GA22023@albatross.lehel.madduck.net>
Message-ID: <20141222204106.GB27212@fishbowl.rw.madduck.net>

also sprach Nico Kadel-Garcia [2014-12-22 14:43 +0100]:
> The problem, I think, isn't that you have an entry in all three. It's
> that you have a *shortened* hostname that is identical in all 3 DNS
> domains. If your DNS admins have gracefully set the local environments
> to each be on their own subdomain, and that subdomain is *first* in
> DHCP configured DNS, you should be golden.

No, because the problem is that the short name always resolves to the IP the machine would have in the local network, and hence this is the IP that OpenSSH tries.

However, if the machine is not in the local network, then I'd like OpenSSH to ask for the same hostname in the next CanonicalDomain and try it there. Does this make sense?

--
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/

"politicians and diapers should be changed often, and for the same reason." -- mark twain

spamtraps: madduck.bogus at madduck.net

From madduck at madduck.net Tue Dec 23 07:38:54 2014
From: madduck at madduck.net (martin f krafft)
Date: Mon, 22 Dec 2014 21:38:54 +0100
Subject: Dealing with roaming machines
In-Reply-To:
References: <20141222092649.GA22023@albatross.lehel.madduck.net>
Message-ID: <20141222203854.GA27212@fishbowl.rw.madduck.net>

also sprach Dan Kaminsky [2014-12-22 14:47 +0100]:
> Generally the way people manage mobility like this is to have
> a client on the mobile device that updates the DNS entry, which
> otherwise has a small TTL.

You're probably right, this seems like the clean approach -- except of course we don't offer dynamic DNS (yet) and we also don't have a classic master-slave architecture, but multiple masters (nsd4) all with the same configuration managed in Git...

Thanks,

--
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/

"... but all propositions of logic say the same thing. namely nothing." -- wittgenstein

spamtraps: madduck.bogus at madduck.net

From djm at mindrot.org Tue Dec 23 12:15:02 2014
From: djm at mindrot.org (Damien Miller)
Date: Tue, 23 Dec 2014 12:15:02 +1100 (EST)
Subject: [PATCH] LocalPreCommand: Support for executing command before ssh connection (like port knock before ssh)
In-Reply-To:
References:
Message-ID:

On Sun, 21 Dec 2014, Bartłomiej Korupczynski wrote:

> Hi guys,
>
> I've made a patch adding LocalPreCommand to ssh_config. It mimics
> behaviour of LocalCommand, but is executed right before the connection
> is opened. This makes possible e.g. to integrate ssh with port
> knocking. It also removes "-oPermitLocalCommand=no" from scp allowing

This can be done using a shell script, shell alias, shell function or other wrapper without touching ssh.

-d

From nkadel at gmail.com Tue Dec 23 17:50:17 2014
From: nkadel at gmail.com (Nico Kadel-Garcia)
Date: Tue, 23 Dec 2014 01:50:17 -0500
Subject: Dealing with roaming machines
In-Reply-To: <20141222204106.GB27212@fishbowl.rw.madduck.net>
References: <20141222092649.GA22023@albatross.lehel.madduck.net> <20141222204106.GB27212@fishbowl.rw.madduck.net>
Message-ID:

On Mon, Dec 22, 2014 at 3:41 PM, martin f krafft wrote:
> also sprach Nico Kadel-Garcia [2014-12-22 14:43 +0100]:
>> The problem, I think, isn't that you have an entry in all three. It's
>> that you have a *shortened* hostname that is identical in all 3 DNS
>> domains. If your DNS admins have gracefully set the local environments
>> to each be on their own subdomain, and that subdomain is *first* in
>> DHCP configured DNS, you should be golden.
>
> No, because the problem is that the short name always resolves to
> the IP the machine would have in the local network, and hence this
> is the IP that OpenSSH tries.
>
> However, if the machine is not in the local network, then I'd like
> OpenSSH to ask for the same hostname in the next CanonicalDomain and
> try it there. Does this make sense?

If it's not "in the local network", then it shouldn't get the subdomain of the internal network, and you've got a DNS "views" or DHCP configuration issue.

I'm now assuming that you now have fully qualified hostnames that differ in each environment?

From klolik79 at gmail.com Tue Dec 23 23:02:53 2014
From: klolik79 at gmail.com (=?UTF-8?Q?Bart=C5=82omiej_Korupczynski?=)
Date: Tue, 23 Dec 2014 13:02:53 +0100
Subject: [PATCH] LocalPreCommand: Support for executing command before ssh connection (like port knock before ssh)
In-Reply-To:
References:
Message-ID:

2014-12-23 2:15 GMT+01:00 Damien Miller :
> On Sun, 21 Dec 2014, Bartłomiej Korupczynski wrote:
>
>> Hi guys,
>>
>> I've made a patch adding LocalPreCommand to ssh_config. It mimics
>> behaviour of LocalCommand, but is executed right before the connection
>> is opened. This makes possible e.g. to integrate ssh with port
>> knocking. It also removes "-oPermitLocalCommand=no" from scp allowing
>
> This can be done using a shell script, shell alias, shell function or
> other wrapper without touching ssh.

Well, not exactly. When using ControlMaster, the connection is set up once, thus the LocalPreCommand is also called only once. Having ControlMaster for some hosts and not for others is a headache. Been there, done that.

Wrapping with functions/aliases makes an unnecessary mess, especially when having many hosts with different setups. To be really transparent, it would require parsing the ssh command line to search for the host name.

From madduck at madduck.net Wed Dec 24 00:51:11 2014
From: madduck at madduck.net (martin f krafft)
Date: Tue, 23 Dec 2014 14:51:11 +0100
Subject: Dealing with roaming machines
In-Reply-To:
References: <20141222092649.GA22023@albatross.lehel.madduck.net> <20141222204106.GB27212@fishbowl.rw.madduck.net>
Message-ID: <20141223135111.GB3862@fishbowl.rw.madduck.net>

also sprach Nico Kadel-Garcia [2014-12-23 07:50 +0100]:
> If it's not "in the local network", then it shouldn't get the
> subdomain of the internal network, and you've got a DNS "views" or
> DHCP configuration issue.

While the machine is not at the office, other machines can resolve fishbowl.office to a valid IP; that's the same as resolving the hostname of a machine that's turned off.

> I'm now assuming that you now have fully qualified hostnames that
> differ in each environment?

    fishbowl.office -> 192.168.17.33
    fishbowl.home   -> 192.168.14.33
    fishbowl.lab    -> 192.168.15.33

The three /24 networks are connected via a VPN. All three names resolve to the appropriate IP, and obviously when at the office, a request for "fishbowl" will yield 192.168.17.33 while it would yield 192.168.14.33 at home (due to DNS search).

I'd kinda like OpenSSH to connect to all three IPs at once, since only one will ever be answered at any one time. Or it should try them in quick succession.

I realise that this is not really an OpenSSH question anymore and I am sorry about that. The dynamic DNS solution is probably the cleanest solution anyway. But the topic seems to have struck some interest?

--
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/

"the sick do not ask if the hand that smoothes their pillow is pure, nor the dying care if the lips that touch their brow have known the kiss of sin." -- oscar wilde

spamtraps: madduck.bogus at madduck.net
From opsdmt at gmail.com Wed Dec 24 02:22:32 2014
From: opsdmt at gmail.com (Dmt Ops) Date: Tue, 23 Dec 2014 07:22:32 -0800 Subject: chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/ In-Reply-To: References: Message-ID: On Sun, Dec 21, 2014 at 5:25 PM, Damien Miller wrote: > On Fri, 19 Dec 2014, Dmt Ops wrote: > > > I added an EXPLICIT > > > > AuthenticationMethods publickey,keyboard-interactive > > + UsePam yes > > > > to sshd_config. Now, at connect attempt I get > > > > Password: > > Verification code: > > Password: > > Verification code: > > Password: > > figuring out what is happening is pretty hard without logs from the client > and server. > @ client ssh server.MYDOMAIN.com -vv OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014 debug1: Reading configuration data /usr/local/etc/ssh/ssh_config debug1: /usr/local/etc/ssh/ssh_config line 88: Applying options for server.MYDOMAIN.com debug1: /usr/local/etc/ssh/ssh_config line 100: Applying options for *.MYDOMAIN.com debug1: /usr/local/etc/ssh/ssh_config line 158: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Connecting to server.MYDOMAIN.com [2001:xxx:xxxx:xxx::108] port 22. debug2: fd 3 setting O_NONBLOCK debug1: fd 3 clearing O_NONBLOCK debug1: Connection established. 
debug1: permanently_set_uid: 0/0 debug1: key_load_public: No such file or directory debug1: identity file /usr/local/etc/ssh/ssh.CLIENT.ed25519 type -1 debug1: key_load_public: No such file or directory debug1: identity file /usr/local/etc/ssh/ssh.CLIENT.ed25519-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /usr/local/etc/ssh/ssh.CLIENT.ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /usr/local/etc/ssh/ssh.CLIENT.ecdsa-cert type -1 debug1: identity file /usr/local/etc/ssh/ssh.CLIENT.rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /usr/local/etc/ssh/ssh.CLIENT.rsa-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.7 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7 debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000 debug2: fd 3 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org ,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ssh-dss,ssh-rsa debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com, aes256-gcm at openssh.com,aes128-gcm at openssh.com ,aes256-ctr,aes192-ctr,aes128-ctr,arcfour debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com, aes256-gcm at openssh.com,aes128-gcm at openssh.com ,aes256-ctr,aes192-ctr,aes128-ctr,arcfour debug2: kex_parse_kexinit: hmac-sha2-512-etm at openssh.com, hmac-sha2-256-etm at openssh.com,umac-128-etm at openssh.com ,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-64 at openssh.com debug2: kex_parse_kexinit: hmac-sha2-512-etm at openssh.com, hmac-sha2-256-etm at openssh.com,umac-128-etm at 
openssh.com ,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-64 at openssh.com debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org ,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 debug2: kex_parse_kexinit: ssh-ed25519,ecdsa-sha2-nistp521,ssh-rsa debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com, aes256-gcm at openssh.com,aes128-gcm at openssh.com ,aes256-ctr,aes192-ctr,aes128-ctr,arcfour debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com, aes256-gcm at openssh.com,aes128-gcm at openssh.com ,aes256-ctr,aes192-ctr,aes128-ctr,arcfour debug2: kex_parse_kexinit: hmac-sha2-512-etm at openssh.com, hmac-sha2-256-etm at openssh.com,umac-128-etm at openssh.com ,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-64 at openssh.com debug2: kex_parse_kexinit: hmac-sha2-512-etm at openssh.com, hmac-sha2-256-etm at openssh.com,umac-128-etm at openssh.com ,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-64 at openssh.com debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug1: kex: server->client chacha20-poly1305 at openssh.com none debug1: kex: client->server chacha20-poly1305 at openssh.com none debug1: sending SSH2_MSG_KEX_ECDH_INIT debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ED25519 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx debug1: Host 'server.MYDOMAIN.com' is known and matches the ED25519 host key. 
debug1: Found key in /usr/local/etc/ssh/ssh_known_hosts:1 debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /usr/local/etc/ssh/ssh.CLIENT.ed25519 ((nil)), explicit debug2: key: /usr/local/etc/ssh/ssh.CLIENT.ecdsa ((nil)), explicit debug2: key: /usr/local/etc/ssh/ssh.CLIENT.rsa (0x7ff343d79620), explicit debug1: Authentications that can continue: publickey debug1: Next authentication method: publickey debug1: Trying private key: /usr/local/etc/ssh/ssh.CLIENT.ed25519 debug2: we sent a publickey packet, wait for reply Authenticated with partial success. debug2: key: /usr/local/etc/ssh/ssh.CLIENT.ed25519 ((nil)), explicit debug2: key: /usr/local/etc/ssh/ssh.CLIENT.ecdsa ((nil)), explicit debug2: key: /usr/local/etc/ssh/ssh.CLIENT.rsa ((nil)), explicit debug1: Authentications that can continue: keyboard-interactive debug1: Next authentication method: keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 Password: debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 Verification code: debug1: Authentications that can continue: keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 Password: @ server, level 'DEBUG2' Dec 23 07:05:21 server sshd[23102]: debug1: Forked child 23109. 
Dec 23 07:05:21 server sshd[23109]: Set /proc/self/oom_score_adj to 0
Dec 23 07:05:21 server sshd[23109]: debug1: rexec start in 7 out 7 newsock 7 pipe 9 sock 10
Dec 23 07:05:21 server sshd[23109]: debug1: inetd sockets after dupping: 3, 3
Dec 23 07:05:21 server sshd[23109]: Connection from 2001:xxx:xxxx:xxx::107 port 48866 on 2001:xxx:xxxx:xxx::108 port 22
Dec 23 07:05:21 server sshd[23109]: debug1: Client protocol version 2.0; client software version OpenSSH_6.7
Dec 23 07:05:21 server sshd[23109]: debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
Dec 23 07:05:21 server sshd[23109]: debug1: Enabling compatibility mode for protocol 2.0
Dec 23 07:05:21 server sshd[23109]: debug1: Local version string SSH-2.0-OpenSSH_6.7
Dec 23 07:05:21 server sshd[23109]: debug2: fd 3 setting O_NONBLOCK
Dec 23 07:05:21 server sshd[23109]: debug2: Network child is on pid 23110
Dec 23 07:05:21 server sshd[23109]: debug1: permanently_set_uid: 100/101 [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: list_hostkey_types: ssh-ed25519,ecdsa-sha2-nistp521,ssh-rsa [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: SSH2_MSG_KEXINIT received [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: ssh-ed25519,ecdsa-sha2-nistp521,ssh-rsa [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,arcfour [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,arcfour [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-64@openssh.com [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-64@openssh.com [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: none [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: none [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: reserved 0 [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ssh-dss,ssh-rsa [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,arcfour [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,arcfour [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-64@openssh.com [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-64@openssh.com [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kex_parse_kexinit: reserved 0 [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: kex: client->server chacha20-poly1305@openssh.com none [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: kex: server->client chacha20-poly1305@openssh.com none [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: monitor_read: 6 used once, disabling now
Dec 23 07:05:21 server sshd[23109]: debug2: kex_derive_keys [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: set_newkeys: mode 1 [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: set_newkeys: mode 0 [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: KEX done [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: userauth-request for user root service ssh-connection method none [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: attempt 0 failures 0 [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: parse_server_config: config reprocess config len 2927
Dec 23 07:05:21 server sshd[23109]: debug1: user root does not match group list sftp-chroot at line 83
Dec 23 07:05:21 server sshd[23109]: debug1: authentication methods list 0: publickey,keyboard-interactive:pam
Dec 23 07:05:21 server sshd[23109]: debug2: monitor_read: 8 used once, disabling now
Dec 23 07:05:21 server sshd[23109]: debug2: input_userauth_request: setting up authctxt for root [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: authentication methods list 0: publickey,keyboard-interactive:pam [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: Unrecognized authentication method name: none [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: PAM: initializing for "root"
Dec 23 07:05:21 server sshd[23109]: debug1: PAM: setting PAM_RHOST to "2001:xxx:xxxx:xxx::107"
Dec 23 07:05:21 server sshd[23109]: debug1: PAM: setting PAM_TTY to "ssh"
Dec 23 07:05:21 server sshd[23109]: debug2: monitor_read: 100 used once, disabling now
Dec 23 07:05:21 server sshd[23109]: debug1: userauth-request for user root service ssh-connection method publickey [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: attempt 1 failures 0 [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: input_userauth_request: try method publickey [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: monitor_read: 4 used once, disabling now
Dec 23 07:05:21 server sshd[23109]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Dec 23 07:05:21 server sshd[23109]: debug1: trying public key file /usr/local/etc/ssh/authorized_keys2
Dec 23 07:05:21 server sshd[23109]: debug1: fd 4 clearing O_NONBLOCK
Dec 23 07:05:21 server sshd[23109]: debug1: matching key found: file /usr/local/etc/ssh/authorized_keys2, line 2 ED25519 yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy
Dec 23 07:05:21 server sshd[23109]: debug1: restore_uid: 0/0
Dec 23 07:05:21 server sshd[23109]: Partial publickey for root from 2001:xxx:xxxx:xxx::107 port 48866 ssh2: ED25519 yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy
Dec 23 07:05:21 server sshd[23109]: debug2: userauth_pubkey: authenticated 1 pkalg ssh-ed25519 [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: userauth-request for user root service ssh-connection method keyboard-interactive [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: attempt 2 failures 1 [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: input_userauth_request: try method keyboard-interactive [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: keyboard-interactive devs [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: auth2_challenge: user=root devs= [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: kbdint_alloc: devices 'pam' [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: auth2_challenge_start: devices pam [preauth]
Dec 23 07:05:21 server sshd[23109]: debug2: kbdint_next_device: devices [preauth]
Dec 23 07:05:21 server sshd[23109]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Dec 23 07:05:21 server sshd[23109]: Postponed keyboard-interactive for root from 2001:xxx:xxxx:xxx::107 port 48866 ssh2: ED25519 yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy [preauth]
Dec 23 07:05:27 server sshd[23109]: debug2: PAM: sshpam_respond entering, 1 responses
Dec 23 07:05:27 server sshd[23109]: Postponed keyboard-interactive/pam for root from 2001:xxx:xxxx:xxx::107 port 48866 ssh2 [preauth]
Dec 23 07:05:34 server sshd[23109]: debug2: PAM: sshpam_respond entering, 1 responses
Dec 23 07:05:34 server sshd(pam_google_authenticator)[23111]: Invalid verification code
Dec 23 07:05:34 server sshd[23109]: error: PAM: Authentication failure for root from 2001:xxx:xxxx:xxx::107
Dec 23 07:05:34 server sshd[23109]: debug2: auth2_challenge_start: devices [preauth]
Dec 23 07:05:34 server sshd[23109]: debug2: monitor_read: 110 used once, disabling now
Dec 23 07:05:34 server sshd[23109]: Failed keyboard-interactive/pam for root from 2001:xxx:xxxx:xxx::107 port 48866 ssh2
Dec 23 07:05:34 server sshd[23109]: debug1: userauth-request for user root service ssh-connection method keyboard-interactive [preauth]
Dec 23 07:05:34 server sshd[23109]: debug1: attempt 3 failures 2 [preauth]
Dec 23 07:05:34 server sshd[23109]: debug2: input_userauth_request: try method keyboard-interactive [preauth]
Dec 23 07:05:34 server sshd[23109]: debug1: keyboard-interactive devs [preauth]
Dec 23 07:05:34 server sshd[23109]: debug1: auth2_challenge: user=root devs= [preauth]
Dec 23 07:05:34 server sshd[23109]: debug1: kbdint_alloc: devices 'pam' [preauth]
Dec 23 07:05:34 server sshd[23109]: debug2: auth2_challenge_start: devices pam [preauth]
Dec 23 07:05:34 server sshd[23109]: debug2: kbdint_next_device: devices [preauth]
Dec 23 07:05:34 server sshd[23109]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Dec 23 07:05:34 server sshd[23109]: Postponed keyboard-interactive for root from 2001:xxx:xxxx:xxx::107 port 48866 ssh2 [preauth]

From opsdmt at gmail.com Wed Dec 24 05:51:23 2014
From: opsdmt at gmail.com (Dmt Ops)
Date: Tue, 23 Dec 2014 10:51:23 -0800
Subject: chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
In-Reply-To: 
References: 
Message-ID: 

testing google-authenticator's standalone functionality, it

> cd google-authenticator/libpam/
> ./demo
Verification code: 123456
Login failed
Invalid verification code
>

fails with an INVALID code, and

> ./demo
Verification code: XXXXXX
>

succeeds with a VALID code.

turning up the sshd server debug level to DEBUG3, entering a similarly VALID GA verification code, the code is declared "invalid",

Dec 23 10:37:24 server sshd[22322]: debug3: mm_sshpam_respond [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_send entering: type 108 [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_sshpam_respond: waiting for MONITOR_ANS_PAM_RESPOND [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_receive_expect entering: type 109 [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_receive entering [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_receive entering
Dec 23 10:37:24 server sshd[22322]: debug3: monitor_read: checking request 108
Dec 23 10:37:24 server sshd[22322]: debug3: mm_answer_pam_respond
Dec 23 10:37:24 server sshd[22322]: debug2: PAM: sshpam_respond entering, 1 responses
Dec 23 10:37:24 server sshd[22322]: debug3: ssh_msg_send: type 6
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_send entering: type 109
>>> Dec 23 10:37:24 server sshd(pam_google_authenticator)[22326]: Invalid verification code
Dec 23 10:37:24 server sshd[22326]: debug3: ssh_msg_send: type 7
Dec 23 10:37:24 server sshd[22322]: debug3: mm_sshpam_respond: pam_respond returned 1 [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_sshpam_query [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_send entering: type 106 [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_receive_expect entering: type 107 [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_receive entering [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_receive entering
Dec 23 10:37:24 server sshd[22322]: debug3: monitor_read: checking request 106
Dec 23 10:37:24 server sshd[22322]: debug3: mm_answer_pam_query
Dec 23 10:37:24 server sshd[22322]: debug3: PAM: sshpam_query entering
Dec 23 10:37:24 server sshd[22322]: debug3: ssh_msg_recv entering
Dec 23 10:37:24 server sshd[22322]: debug3: PAM: Authentication failure
Dec 23 10:37:24 server sshd[22322]: error: PAM: Cannot make/remove an entry for the specified session for root from 2001:xxx:xxxx:xxx::107
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_send entering: type 107
Dec 23 10:37:24 server sshd[22322]: debug3: mm_sshpam_query: pam_query returned -1 [preauth]
Dec 23 10:37:24 server sshd[22322]: debug2: auth2_challenge_start: devices [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_sshpam_free_ctx [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_send entering: type 110 [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_sshpam_free_ctx: waiting for MONITOR_ANS_PAM_FREE_CTX [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_receive_expect entering: type 111 [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_receive entering [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_receive entering
Dec 23 10:37:24 server sshd[22322]: debug3: monitor_read: checking request 110
Dec 23 10:37:24 server sshd[22322]: debug3: mm_answer_pam_free_ctx
Dec 23 10:37:24 server sshd[22322]: debug3: PAM: sshpam_free_ctx entering
Dec 23 10:37:24 server sshd[22322]: debug3: PAM: sshpam_thread_cleanup entering
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_send entering: type 111
Dec 23 10:37:24 server sshd[22322]: debug2: monitor_read: 110 used once, disabling now
Dec 23 10:37:24 server sshd[22322]: Failed keyboard-interactive/pam for root from 2001:xxx:xxxx:xxx::107 port 49831 ssh2
Dec 23 10:37:24 server sshd[22322]: debug3: userauth_finish: failure partial=0 next methods="keyboard-interactive" [preauth]
Dec 23 10:37:24 server sshd[22322]: debug1: userauth-request for user root service ssh-connection method keyboard-interactive [preauth]
Dec 23 10:37:24 server sshd[22322]: debug1: attempt 3 failures 2 [preauth]
Dec 23 10:37:24 server sshd[22322]: debug2: input_userauth_request: try method keyboard-interactive [preauth]
Dec 23 10:37:24 server sshd[22322]: debug1: keyboard-interactive devs [preauth]
Dec 23 10:37:24 server sshd[22322]: debug1: auth2_challenge: user=root devs= [preauth]
Dec 23 10:37:24 server sshd[22322]: debug1: kbdint_alloc: devices 'pam' [preauth]
Dec 23 10:37:24 server sshd[22322]: debug2: auth2_challenge_start: devices pam [preauth]
Dec 23 10:37:24 server sshd[22322]: debug2: kbdint_next_device: devices [preauth]
Dec 23 10:37:24 server sshd[22322]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_sshpam_init_ctx [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_send entering: type 104 [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_receive_expect entering: type 105 [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_receive entering [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_receive entering
Dec 23 10:37:24 server sshd[22322]: debug3: monitor_read: checking request 104
Dec 23 10:37:24 server sshd[22322]: debug3: mm_answer_pam_init_ctx
Dec 23 10:37:24 server sshd[22322]: debug3: PAM: sshpam_init_ctx entering
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_send entering: type 105
Dec 23 10:37:24 server sshd[22322]: debug3: mm_sshpam_query [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_send entering: type 106 [preauth]
Dec 23 10:37:24 server sshd[22327]: debug3: PAM: sshpam_thread_conv entering, 1 messages
Dec 23 10:37:24 server sshd[22322]: debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth]
Dec 23 10:37:24 server sshd[22327]: debug3: ssh_msg_send: type 1
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_receive_expect entering: type 107 [preauth]
Dec 23 10:37:24 server sshd[22327]: debug3: ssh_msg_recv entering
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_receive entering [preauth]
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_receive entering
Dec 23 10:37:24 server sshd[22322]: debug3: monitor_read: checking request 106
Dec 23 10:37:24 server sshd[22322]: debug3: mm_answer_pam_query
Dec 23 10:37:24 server sshd[22322]: debug3: PAM: sshpam_query entering
Dec 23 10:37:24 server sshd[22322]: debug3: ssh_msg_recv entering
Dec 23 10:37:24 server sshd[22322]: debug3: mm_request_send entering: type 107
Dec 23 10:37:24 server sshd[22322]: debug3: mm_sshpam_query: pam_query returned 0 [preauth]
Dec 23 10:37:24 server sshd[22322]: Postponed keyboard-interactive for root from 2001:xxx:xxxx:xxx::107 port 49831 ssh2 [preauth]

From dan at doxpara.com Wed Dec 24 06:52:49 2014
From: dan at doxpara.com (Dan Kaminsky)
Date: Tue, 23 Dec 2014 11:52:49 -0800
Subject: Dealing with roaming machines
In-Reply-To: 
References: <20141222092649.GA22023@albatross.lehel.madduck.net>
Message-ID: 

That's a good point. DHCP allows you to set DNS search parameters. So as long as each location sets different search, "ssh fishbowl" will in fact resolve to the proper local FQDN.

On Monday, December 22, 2014, Nico Kadel-Garcia wrote:

> On Mon, Dec 22, 2014 at 4:26 AM, martin f krafft wrote:
> > Hey folks,
> >
> > As most of everyone, I use OpenSSH for almost everything and
> > whenever I can: backups, sync, Git, configuration management, and of
> > course console sessions. So much for an intro ;)
> >
> > My laptop and I roam between three networks, though sometimes
> > I leave the laptop at the office overnight, or hop over to the third
> > site for an hour or two.
> >
> > I'd like to find a way to configure OpenSSH (or Linux in general) to
> > try the other networks if the machine cannot be found locally.
> > Unfortunately, DNS "search" in /etc/resolv.conf and
> > CanonicalizeHostname in ssh_config both don't work since they only
> > iterate the network DNS zones until a record is found, and my laptop
> > has an entry in all three zones.
>
> The problem, I think, isn't that you have an entry in all three. It's
> that you have a *shortened* hostname that is identical in all 3 DNS
> domains. If your DNS admins have gracefully set the local environments
> to each be on their own subdomain, and that subdomain is *first* in
> DHCP configured DNS, you should be golden.
>
> laptop.internal.domain.com # when inside the building,
> internaldomain.domain.com is first, then domain.com
> laptop.vpn.domain.com # when VPN connected, vpn.domain.com is
> first, then domain.com
> laptop.machineroom.domain.com
>
> It's extra work in DNS and security policies to do this, especially if
> you're using dynamic DNS through AD. If instead, your admins have set
> up all these environments to share "domain.com", well, then you start
> getting into DNS "views" for a small domain called "laptop.domain.com"
> and different DNS "views" in each environment. Then you need quite
> short DNS TTL's, and various other requirements to avoid servers in
> the same domain having their DNS expire.
>
> Good luck with that: I deal with that kind of integration challenge a
> *lot*.
>
> > Short of creating a single DNS entry and adding all possible IPs for
> > my laptop, I am wondering if there's a way to configure OpenSSH
> > (or Linux) to try multiple DNS names until a connection can be
> > made. For extra bonus special points, this should obviously happen
> > all at once to reduce wait times.
>
> I've seen nothing, but had to deal with peculiar setups when people
> start trying to "simplify" their DNS into one master zone and not
> realizing the consequences of multiple A records. Don't get me
> *started* on people who use multiple CNAME's for the same primary
> hostname, pointing to multiple other A records or CNAME's!!! And do
> *not* get me going on how people think that having multiple A records
> will automatically load balance their traffic.
>
> You might personally consider a wrapper, to process "nslookup" or
> other DNS for your particular setup. But personally, I'd review the
> concept of having identical hostnames in all environments. It can be
> very helpful to deal with FQDN's and segregate your laptop's name in
> the internal environment from its name in the external or other
> environments.
>
> > Assuming that this isn't currently possible — I did search and
> > investigate — would this be a worthwhile feature to look into?
> >
> > Thanks,
> >
> > --
> > @martinkrafft | http://madduck.net/ | http://two.sentenc.es/
>
> It sounds intriguing. The basic C library functions are
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From madduck at madduck.net Wed Dec 24 07:04:36 2014
From: madduck at madduck.net (martin f krafft)
Date: Tue, 23 Dec 2014 21:04:36 +0100
Subject: Dealing with roaming machines
In-Reply-To: 
References: <20141222092649.GA22023@albatross.lehel.madduck.net>
Message-ID: <20141223200436.GA8924@fishbowl.rw.madduck.net>

also sprach Dan Kaminsky [2014-12-23 20:52 +0100]:
> That's a good point. DHCP allows you to set DNS search parameters. So as
> long as each location sets different search, "ssh fishbowl" will in fact
> resolve to the proper local FQDN.

Yeah, and this works, but it's *not* what I want, because the machine is not reachable at the local FQDN; it is reachable at a remote location, so the (correct) DNS search setup is actually *preventing* me from accessing the machine without manual intervention.

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/

"politics is the entertainment branch of industry."
-- frank zappa

spamtraps: madduck.bogus at madduck.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: digital_signature_gpg.asc
Type: application/pgp-signature
Size: 1107 bytes
Desc: Digital signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)
URL: 

From djm at mindrot.org Wed Dec 24 07:40:36 2014
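The roaming-machine thread above wants the client to try several DN names for the same host, all at once, and Nico suggests a wrapper. The script below is an added example written for this page; it is not code from the thread or from OpenSSH. It probes every candidate FQDN in parallel, takes the first one that answers with an SSH identification string, and builds an ssh command that pins the known_hosts lookup with HostKeyAlias, so the same host key is required whichever name (and whichever network's DNS) answered. The candidate names, the alias "fishbowl", the user name and the 192.0.2.1 address used in the self-test are assumptions of the example; 192.0.2.0/24 is the RFC 5737 documentation range and never answers.

```python
import socket
from concurrent.futures import ThreadPoolExecutor, as_completed

# Assumed candidate names for one roaming machine: the thread only says the
# laptop has a record in three zones, so these FQDNs are invented here.
CANDIDATES = [
    "fishbowl.home.example.net",
    "fishbowl.office.example.net",
    "fishbowl.lab.example.net",
]


def ssh_banner(host, port=22, timeout=3.0):
    """TCP-connect to host:port and return the SSH identification string the
    server sends first (e.g. 'SSH-2.0-OpenSSH_6.7'), or None if the host does
    not answer within the timeout or does not speak SSH."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            data = sock.recv(256)
    except OSError:           # refused, unreachable, timed out, name not found
        return None
    line = data.decode("ascii", "replace").splitlines()[0] if data else ""
    return line if line.startswith("SSH-") else None


def first_reachable(candidates, probe=ssh_banner, **probe_args):
    """Probe all candidates at once and return (host, banner) for the first
    one that answers like an SSH server, or None.  'probe' is injectable so
    the selection logic can be exercised without a network."""
    pool = ThreadPoolExecutor(max_workers=len(candidates))
    futures = {pool.submit(probe, host, **probe_args): host for host in candidates}
    try:
        for fut in as_completed(futures):
            banner = fut.result()
            if banner:
                return futures[fut], banner
        return None
    finally:
        pool.shutdown(wait=False)   # do not sit out the losers' timeouts


def ssh_command(alias, host, user=None):
    """ssh invocation for the winner.  HostKeyAlias makes the known_hosts
    lookup use one fixed name, so the same host key is required no matter
    which FQDN answered; a different key is a mismatch, not a fresh
    trust-on-first-use prompt."""
    target = f"{user}@{host}" if user else host
    return ["ssh", "-o", f"HostKeyAlias={alias}", target]


if __name__ == "__main__":
    import threading

    # Offline demonstration: a throw-away loopback listener that sends a bare
    # SSH banner, raced against 192.0.2.1 (documentation range, never answers).
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve_once():
        conn, _ = listener.accept()
        with conn:
            conn.sendall(b"SSH-2.0-OpenSSH_6.7\r\n")

    threading.Thread(target=serve_once, daemon=True).start()
    hit = first_reachable(["192.0.2.1", "127.0.0.1"], port=port, timeout=2.0)
    print("first responder:", hit)
    if hit:
        print(" ".join(ssh_command("fishbowl", hit[0], user="madduck")))
```

Racing names is only safe because of the HostKeyAlias pin: whoever answers first on a given network, including a rogue DNS answer, still has to present the key already recorded under the alias, and a mismatch makes ssh refuse rather than offer to record a new key.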
From: djm at mindrot.org (Damien Miller)
Date: Wed, 24 Dec 2014 07:40:36 +1100 (EST)
Subject: chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
In-Reply-To: 
References: 
Message-ID: 

On Tue, 23 Dec 2014, Dmt Ops wrote:

> @ client
>
> debug1: Authentications that can continue: publickey

Server offers the first mandatory authentication method

> debug1: Trying private key: /usr/local/etc/ssh/ssh.CLIENT.ed25519
> debug2: we sent a publickey packet, wait for reply
> Authenticated with partial success.

Client successfully completes pubkey

> debug1: Authentications that can continue: keyboard-interactive
> debug1: Next authentication method: keyboard-interactive

Server offers the next mandatory authentication method

> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Verification code:
> debug1: Authentications that can continue: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:

Client is not successful at kbd-int authentication.

> @ server, level 'DEBUG2'
>
> disabling now
> Dec 23 07:05:21 server sshd[23109]: debug2: input_userauth_request:
> setting up authctxt for root [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug1: authentication methods list
> 0: publickey,keyboard-interactive:pam [preauth]

Server is configured with multiple authentication

> [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug2: input_userauth_request: try
> method publickey [preauth]

client attempts pubkey

> Dec 23 07:05:21 server sshd[23109]: Partial publickey for root from
> 2001:xxx:xxxx:xxx::107 port 48866 ssh2: ED25519
> yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy
> Dec 23 07:05:21 server sshd[23109]: debug2: userauth_pubkey:
> authenticated 1 pkalg ssh-ed25519 [preauth]

Client succeeds pubkey

> Dec 23 07:05:21 server sshd[23109]: debug1: userauth-request for user
> root service ssh-connection method keyboard-interactive [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug1: attempt 2 failures 1
> [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug2: input_userauth_request: try
> method keyboard-interactive [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug1: keyboard-interactive devs
> [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug1: auth2_challenge: user=root
> devs= [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug1: kbdint_alloc: devices 'pam'
> [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug2: auth2_challenge_start:
> devices pam [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug2: kbdint_next_device: devices
> [preauth]
> Dec 23 07:05:21 server sshd[23109]: debug1: auth2_challenge_start:
> trying authentication method 'pam' [preauth]
> Dec 23 07:05:21 server sshd[23109]: Postponed keyboard-interactive for
> root from 2001:xxx:xxxx:xxx::107 port 48866 ssh2: ED25519
> yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy [preauth]

server sends the password and verification code prompts to the client

> Dec 23 07:05:27 server sshd[23109]: debug2: PAM: sshpam_respond
> entering, 1 responses
> Dec 23 07:05:27 server sshd[23109]: Postponed keyboard-interactive/pam
> for root from 2001:xxx:xxxx:xxx::107 port 48866 ssh2 [preauth]
> Dec 23 07:05:34 server sshd[23109]: debug2: PAM: sshpam_respond
> entering, 1 responses
> Dec 23 07:05:34 server sshd(pam_google_authenticator)[23111]: Invalid
> verification code

Client replies with credentials that are rejected by the PAM stack.

Have you got keyboard-interactive working on its own with Google authenticator? It seems like a good first step...

Also, if you provide any further logs then please use debug3 (ssh -vvv / sshd -ddd).

-d

From djm at mindrot.org Wed Dec 24 07:48:17 2014
From: djm at mindrot.org (Damien Miller)
Date: Wed, 24 Dec 2014 07:48:17 +1100 (EST)
Subject: chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
In-Reply-To: 
References: 
Message-ID: 

On Tue, 23 Dec 2014, Dmt Ops wrote:

> testing google-authenticator's standalone functionality, it
>
> > cd google-authenticator/libpam/
> > ./demo
> Verification code: 123456
> Login failed
> Invalid verification code
> >
>
> fails with an INVALID code, and
>
> > ./demo
> Verification code: XXXXXX
> >
>
> succeeds with a VALID code.
>
> turning up the sshd server debug level to DEBUG3, entering a similarly
> VALID GA verification code, the code is declared "invalid",

This section of debug log is incomplete. Please try to get kbd-int auth working alone. I've used google authenticator via PAM before, so I know this works...

-d

From opsdmt at gmail.com Wed Dec 24 07:51:20 2014
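Damien's walk-through above annotates the server log by hand: publickey completes as Partial, keyboard-interactive is Postponed, pam_google_authenticator rejects the code, and sshd logs Failed keyboard-interactive/pam. The script below is an added example written for this page, not code from the thread or from OpenSSH; it automates that reading over raw sshd log lines, reconstructing per sshd child PID which factors of the AuthenticationMethods chain passed and why the chain stopped. One detail it has to handle is visible in the log itself: the PAM module logs under its own PID (23111) rather than the sshd child's (23109), so module messages are queued and attached to the next Failed verdict. The sample input is constructed: the 23109 lines are copied from the thread, while the "Connection closed" line and the second session (pid 23250, user alice) are invented to show a completed chain. Function names are the example's own.

```python
import re
from collections import OrderedDict

# Constructed sample input.  The 23109 lines are copied from the DEBUG2
# server log posted in this thread; the "Connection closed" line and the
# second session (pid 23250, user alice) are made up for the example.
SAMPLE_LOG = """\
Dec 23 07:05:21 server sshd[23109]: debug1: authentication methods list 0: publickey,keyboard-interactive:pam [preauth]
Dec 23 07:05:21 server sshd[23109]: Partial publickey for root from 2001:xxx:xxxx:xxx::107 port 48866 ssh2: ED25519 yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy
Dec 23 07:05:21 server sshd[23109]: Postponed keyboard-interactive for root from 2001:xxx:xxxx:xxx::107 port 48866 ssh2: ED25519 yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy:yy [preauth]
Dec 23 07:05:34 server sshd(pam_google_authenticator)[23111]: Invalid verification code
Dec 23 07:05:34 server sshd[23109]: Failed keyboard-interactive/pam for root from 2001:xxx:xxxx:xxx::107 port 48866 ssh2
Dec 23 07:05:50 server sshd[23109]: Connection closed by 2001:xxx:xxxx:xxx::107 [preauth]
Dec 23 07:09:02 server sshd[23250]: debug1: authentication methods list 0: publickey,keyboard-interactive:pam [preauth]
Dec 23 07:09:02 server sshd[23250]: Partial publickey for alice from 2001:xxx:xxxx:xxx::107 port 48901 ssh2: ED25519 zz:zz:zz:zz:zz:zz:zz:zz:zz:zz:zz:zz:zz:zz:zz:zz
Dec 23 07:09:09 server sshd[23250]: Accepted keyboard-interactive/pam for alice from 2001:xxx:xxxx:xxx::107 port 48901 ssh2
"""

# syslog prefix; the optional "(module)" is how a PAM module such as
# pam_google_authenticator identifies itself, under its own PID
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
    r"sshd(?:\((?P<module>[\w.-]+)\))?\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# sshd's auth verdict lines: Partial / Accepted / Failed / Postponed
AUTH_RE = re.compile(
    r"^(?P<verdict>Accepted|Partial|Failed|Postponed) (?P<method>\S+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
CHAIN_RE = re.compile(r"authentication methods list \d+: (?P<chain>\S+)")


def analyse(log_text):
    """Reconstruct one record per sshd child PID from raw log lines.

    Returns an OrderedDict pid -> {user, src, port, chain, completed, failed,
    module_errors, outcome}.  'completed' lists the methods sshd reported as
    Partial or Accepted, i.e. the factors of the AuthenticationMethods chain
    that passed.  Module messages carry a different PID than the sshd child,
    so they are queued and attached to the next Failed verdict.
    """
    sessions = OrderedDict()
    chains = {}
    pending_module_errors = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg, module = m["pid"], m["msg"], m["module"]
        if module:
            pending_module_errors.append(f"{module}: {msg}")
            continue
        c = CHAIN_RE.search(msg)
        if c:
            chains[pid] = c["chain"]
            continue
        a = AUTH_RE.match(msg)
        if a:
            s = sessions.setdefault(pid, {
                "user": a["user"], "src": a["src"], "port": a["port"],
                "chain": chains.get(pid), "completed": [], "failed": [],
                "module_errors": [], "outcome": "open"})
            if a["verdict"] in ("Partial", "Accepted"):
                s["completed"].append(a["method"])
            if a["verdict"] == "Accepted":
                s["outcome"] = "accepted"
            elif a["verdict"] == "Failed":
                s["failed"].append(a["method"])
                s["module_errors"].extend(pending_module_errors)
                pending_module_errors.clear()
            continue
        if msg.startswith("Connection closed") and pid in sessions:
            if sessions[pid]["outcome"] != "accepted":
                sessions[pid]["outcome"] = "abandoned"
    return sessions


def second_factor_failures(sessions):
    """PIDs where at least one factor passed but the chain never completed:
    with publickey,keyboard-interactive:pam this is 'key OK, OTP rejected'."""
    return [pid for pid, s in sessions.items()
            if s["completed"] and s["outcome"] != "accepted"]


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for pid, s in result.items():
        print(f"sshd[{pid}] {s['user']}@{s['src']} chain={s['chain']} "
              f"completed={s['completed']} failed={s['failed']} "
              f"outcome={s['outcome']} module_errors={s['module_errors']}")
    print("first factor passed, second did not:", second_factor_failures(result))
```

The Partial verdict is the line to key on: it is only ever logged when AuthenticationMethods lists more than one factor, so a session with a Partial and no Accepted is a chain that stalled at the second factor, which is the case the thread is debugging.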
From: opsdmt at gmail.com (Dmt Ops)
Date: Tue, 23 Dec 2014 12:51:20 -0800
Subject: chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
In-Reply-To: 
References: 
Message-ID: 

> This section of debug log is incomplete. Please try to get kbd-int auth
> working alone. I've used google authenticator via PAM before, so I know
> this works...

good to know. lots of trouble with it for others I'm finding online.

setting up for GA keyboard-interactive only

cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_google_authenticator.so

cat /usr/local/etc/ssh/sshd_config
...
AuthenticationMethods keyboard-interactive
ChallengeResponseAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
...

@ client

> ssh server.MYDOMAIN.com
Verification code:
Verification code:
Verification code:
Permission denied (keyboard-interactive).
>

@ server (DEBUG3)

...
Dec 23 12:44:49 server sshd[29987]: debug3: fd 7 is not O_NONBLOCK
Dec 23 12:44:49 server sshd[29987]: debug1: Forked child 29995.
Dec 23 12:44:49 server sshd[29987]: debug3: send_rexec_state: entering fd = 10 config len 2962
Dec 23 12:44:49 server sshd[29987]: debug3: ssh_msg_send: type 0
Dec 23 12:44:49 server sshd[29987]: debug3: send_rexec_state: done
Dec 23 12:44:49 server sshd[29995]: debug3: oom_adjust_restore
Dec 23 12:44:49 server sshd[29995]: Set /proc/self/oom_score_adj to 0
Dec 23 12:44:49 server sshd[29995]: debug1: rexec start in 7 out 7 newsock 7 pipe 9 sock 10
Dec 23 12:44:49 server sshd[29995]: debug1: inetd sockets after dupping: 3, 3
Dec 23 12:44:49 server sshd[29995]: Connection from 2001:xxx:xxxx:xxx::107 port 50338 on 2001:xxx:xxxx:xxx::108 port 22
Dec 23 12:44:49 server sshd[29995]: debug1: Client protocol version 2.0; client software version OpenSSH_6.7
Dec 23 12:44:49 server sshd[29995]: debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
Dec 23 12:44:49 server sshd[29995]: debug1: Enabling compatibility mode for protocol 2.0
Dec 23 12:44:49 server sshd[29995]: debug1: Local version string SSH-2.0-OpenSSH_6.7
Dec 23 12:44:49 server sshd[29995]: debug2: fd 3 setting O_NONBLOCK
Dec 23 12:44:49 server sshd[29995]: debug2: Network child is on pid 29996
Dec 23 12:44:49 server sshd[29995]: debug3: preauth child monitor started
Dec 23 12:44:49 server sshd[29995]: debug3: privsep user:group 100:101 [preauth]
Dec 23 12:44:49 server sshd[29995]: debug1: permanently_set_uid: 100/101 [preauth]
Dec 23 12:44:49 server sshd[29995]: debug1: list_hostkey_types: ssh-ed25519,ecdsa-sha2-nistp521,ssh-rsa [preauth]
Dec 23 12:44:49 server sshd[29995]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Dec 23 12:44:49 server sshd[29995]: debug1: SSH2_MSG_KEXINIT received [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: ssh-ed25519,ecdsa-sha2-nistp521,ssh-rsa [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,arcfour [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,arcfour [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-64@openssh.com [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-64@openssh.com [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: none [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: none [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: reserved 0 [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ssh-dss,ssh-rsa [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,arcfour [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,arcfour [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-64@openssh.com [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-64@openssh.com [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: kex_parse_kexinit: reserved 0 [preauth]
Dec 23 12:44:49 server sshd[29995]: debug1: kex: client->server chacha20-poly1305@openssh.com none [preauth]
Dec 23 12:44:49 server sshd[29995]: debug1: kex: server->client chacha20-poly1305@openssh.com none [preauth]
Dec 23 12:44:49 server sshd[29995]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Dec 23 12:44:49 server sshd[29995]: debug3: mm_key_sign entering [preauth]
Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_send entering: type 6 [preauth]
Dec 23 12:44:49 server sshd[29995]: debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_receive_expect entering: type 7 [preauth]
Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_receive entering [preauth]
Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_receive entering
Dec 23 12:44:49 server sshd[29995]: debug3: monitor_read: checking request 6
Dec 23 12:44:49 server sshd[29995]: debug3: mm_answer_sign
Dec 23 12:44:49 server sshd[29995]: debug3: mm_answer_sign: signature 0x7fe81db0e600(83)
Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_send entering: type 7
Dec 23 12:44:49 server sshd[29995]: debug2: monitor_read: 6 used once, disabling now
Dec 23 12:44:49 server sshd[29995]: debug2: kex_derive_keys [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: set_newkeys: mode 1 [preauth]
Dec 23 12:44:49 server sshd[29995]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Dec 23 12:44:49 server sshd[29995]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Dec 23 12:44:49 server sshd[29995]: debug2: set_newkeys: mode 0 [preauth]
Dec 23 12:44:49 server sshd[29995]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Dec 23 12:44:49 server sshd[29995]: debug1: KEX done [preauth]
Dec 23 12:44:49 server sshd[29995]: debug1: userauth-request for user root service ssh-connection method none [preauth]
Dec 23 12:44:49 server sshd[29995]: debug1: attempt 0 failures 0 [preauth]
Dec 23 12:44:49 server sshd[29995]: debug3: mm_getpwnamallow entering [preauth]
Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_send entering: type 8 [preauth]
Dec 23 12:44:49 server sshd[29995]: debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_receive_expect entering: type 9 [preauth]
Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_receive entering [preauth]
Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_receive entering
Dec 23 12:44:49 server sshd[29995]: debug3: monitor_read: checking request 8
Dec 23 12:44:49 server sshd[29995]: debug3: mm_answer_pwnamallow
Dec 23 12:44:49 server sshd[29995]: debug2: parse_server_config: config reprocess config len 2962
Dec 23 12:44:49 server sshd[29995]: debug3: checking match for 'group sftp-chroot' user root host 
2001:xxx:xxxx:xxx::107 addr 2001:xxx:xxxx:xxx::107 laddr 2001:xxx:xxxx:xxx::108 lport 22 Dec 23 12:44:49 server sshd[29995]: debug1: user root does not match group list sftp-chroot at line 92 Dec 23 12:44:49 server sshd[29995]: debug3: match not found Dec 23 12:44:49 server sshd[29995]: debug3: auth2_setup_methods_lists: checking methods Dec 23 12:44:49 server sshd[29995]: debug1: authentication methods list 0: keyboard-interactive Dec 23 12:44:49 server sshd[29995]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_send entering: type 9 Dec 23 12:44:49 server sshd[29995]: debug2: monitor_read: 8 used once, disabling now Dec 23 12:44:49 server sshd[29995]: debug2: input_userauth_request: setting up authctxt for root [preauth] Dec 23 12:44:49 server sshd[29995]: debug3: mm_start_pam entering [preauth] Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_send entering: type 100 [preauth] Dec 23 12:44:49 server sshd[29995]: debug3: mm_inform_authserv entering [preauth] Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_send entering: type 4 [preauth] Dec 23 12:44:49 server sshd[29995]: debug3: auth2_setup_methods_lists: checking methods [preauth] Dec 23 12:44:49 server sshd[29995]: debug1: authentication methods list 0: keyboard-interactive [preauth] Dec 23 12:44:49 server sshd[29995]: debug2: Unrecognized authentication method name: none [preauth] Dec 23 12:44:49 server sshd[29995]: debug3: userauth_finish: failure partial=0 next methods="keyboard-interactive" [preauth] Dec 23 12:44:49 server sshd[29995]: debug1: userauth-request for user root service ssh-connection method keyboard-interactive [preauth] Dec 23 12:44:49 server sshd[29995]: debug1: attempt 1 failures 0 [preauth] Dec 23 12:44:49 server sshd[29995]: debug2: input_userauth_request: try method keyboard-interactive [preauth] Dec 23 12:44:49 server sshd[29995]: debug1: keyboard-interactive devs [preauth] Dec 23 12:44:49 server sshd[29995]: 
debug1: auth2_challenge: user=root devs= [preauth] Dec 23 12:44:49 server sshd[29995]: debug1: kbdint_alloc: devices 'pam' [preauth] Dec 23 12:44:49 server sshd[29995]: debug2: auth2_challenge_start: devices pam [preauth] Dec 23 12:44:49 server sshd[29995]: debug2: kbdint_next_device: devices [preauth] Dec 23 12:44:49 server sshd[29995]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth] Dec 23 12:44:49 server sshd[29995]: debug3: mm_sshpam_init_ctx [preauth] Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_send entering: type 104 [preauth] Dec 23 12:44:49 server sshd[29995]: debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX [preauth] Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_receive_expect entering: type 105 [preauth] Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_receive entering [preauth] Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_receive entering Dec 23 12:44:49 server sshd[29995]: debug3: monitor_read: checking request 100 Dec 23 12:44:49 server sshd[29995]: debug1: PAM: initializing for "root" Dec 23 12:44:49 server sshd[29995]: debug1: PAM: setting PAM_RHOST to "2001:xxx:xxxx:xxx::107" Dec 23 12:44:49 server sshd[29995]: debug1: PAM: setting PAM_TTY to "ssh" Dec 23 12:44:49 server sshd[29995]: debug2: monitor_read: 100 used once, disabling now Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_receive entering Dec 23 12:44:49 server sshd[29995]: debug3: monitor_read: checking request 4 Dec 23 12:44:49 server sshd[29995]: debug3: mm_answer_authserv: service=ssh-connection, style= Dec 23 12:44:49 server sshd[29995]: debug2: monitor_read: 4 used once, disabling now Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_receive entering Dec 23 12:44:49 server sshd[29995]: debug3: monitor_read: checking request 104 Dec 23 12:44:49 server sshd[29995]: debug3: mm_answer_pam_init_ctx Dec 23 12:44:49 server sshd[29995]: debug3: PAM: sshpam_init_ctx entering Dec 23 12:44:49 server 
sshd[29995]: debug3: mm_request_send entering: type 105 Dec 23 12:44:49 server sshd[29995]: debug3: mm_sshpam_query [preauth] Dec 23 12:44:49 server sshd[29997]: debug3: PAM: sshpam_thread_conv entering, 1 messages Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_send entering: type 106 [preauth] Dec 23 12:44:49 server sshd[29997]: debug3: ssh_msg_send: type 1 Dec 23 12:44:49 server sshd[29995]: debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth] Dec 23 12:44:49 server sshd[29997]: debug3: ssh_msg_recv entering Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_receive_expect entering: type 107 [preauth] Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_receive entering [preauth] Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_receive entering Dec 23 12:44:49 server sshd[29995]: debug3: monitor_read: checking request 106 Dec 23 12:44:49 server sshd[29995]: debug3: mm_answer_pam_query Dec 23 12:44:49 server sshd[29995]: debug3: PAM: sshpam_query entering Dec 23 12:44:49 server sshd[29995]: debug3: ssh_msg_recv entering Dec 23 12:44:49 server sshd[29995]: debug3: mm_request_send entering: type 107 Dec 23 12:44:49 server sshd[29995]: debug3: mm_sshpam_query: pam_query returned 0 [preauth] Dec 23 12:44:49 server sshd[29995]: Postponed keyboard-interactive for root from 2001:xxx:xxxx:xxx::107 port 50338 ssh2 [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_sshpam_respond [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_send entering: type 108 [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_sshpam_respond: waiting for MONITOR_ANS_PAM_RESPOND [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_receive_expect entering: type 109 [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_receive entering [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_receive entering Dec 23 12:44:54 server sshd[29995]: debug3: monitor_read: checking request 108 Dec 23 12:44:54 server 
sshd[29995]: debug3: mm_answer_pam_respond Dec 23 12:44:54 server sshd[29995]: debug2: PAM: sshpam_respond entering, 1 responses Dec 23 12:44:54 server sshd[29995]: debug3: ssh_msg_send: type 6 Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_send entering: type 109 Dec 23 12:44:54 server sshd(pam_google_authenticator)[29997]: Invalid verification code Dec 23 12:44:54 server sshd[29997]: debug3: ssh_msg_send: type 7 Dec 23 12:44:54 server sshd[29995]: debug3: mm_sshpam_respond: pam_respond returned 1 [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_sshpam_query [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_send entering: type 106 [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_receive_expect entering: type 107 [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_receive entering [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_receive entering Dec 23 12:44:54 server sshd[29995]: debug3: monitor_read: checking request 106 Dec 23 12:44:54 server sshd[29995]: debug3: mm_answer_pam_query Dec 23 12:44:54 server sshd[29995]: debug3: PAM: sshpam_query entering Dec 23 12:44:54 server sshd[29995]: debug3: ssh_msg_recv entering Dec 23 12:44:54 server sshd[29995]: debug3: PAM: Authentication failure Dec 23 12:44:54 server sshd[29995]: error: PAM: Cannot make/remove an entry for the specified session for root from 2001:xxx:xxxx:xxx::107 Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_send entering: type 107 Dec 23 12:44:54 server sshd[29995]: debug3: mm_sshpam_query: pam_query returned -1 [preauth] Dec 23 12:44:54 server sshd[29995]: debug2: auth2_challenge_start: devices [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_sshpam_free_ctx [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_send entering: type 110 [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: 
mm_sshpam_free_ctx: waiting for MONITOR_ANS_PAM_FREE_CTX [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_receive_expect entering: type 111 [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_receive entering [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_receive entering Dec 23 12:44:54 server sshd[29995]: debug3: monitor_read: checking request 110 Dec 23 12:44:54 server sshd[29995]: debug3: mm_answer_pam_free_ctx Dec 23 12:44:54 server sshd[29995]: debug3: PAM: sshpam_free_ctx entering Dec 23 12:44:54 server sshd[29995]: debug3: PAM: sshpam_thread_cleanup entering Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_send entering: type 111 Dec 23 12:44:54 server sshd[29995]: debug2: monitor_read: 110 used once, disabling now Dec 23 12:44:54 server sshd[29995]: Failed keyboard-interactive/pam for root from 2001:xxx:xxxx:xxx::107 port 50338 ssh2 Dec 23 12:44:54 server sshd[29995]: debug3: userauth_finish: failure partial=0 next methods="keyboard-interactive" [preauth] Dec 23 12:44:54 server sshd[29995]: debug1: userauth-request for user root service ssh-connection method keyboard-interactive [preauth] Dec 23 12:44:54 server sshd[29995]: debug1: attempt 2 failures 1 [preauth] Dec 23 12:44:54 server sshd[29995]: debug2: input_userauth_request: try method keyboard-interactive [preauth] Dec 23 12:44:54 server sshd[29995]: debug1: keyboard-interactive devs [preauth] Dec 23 12:44:54 server sshd[29995]: debug1: auth2_challenge: user=root devs= [preauth] Dec 23 12:44:54 server sshd[29995]: debug1: kbdint_alloc: devices 'pam' [preauth] Dec 23 12:44:54 server sshd[29995]: debug2: auth2_challenge_start: devices pam [preauth] Dec 23 12:44:54 server sshd[29995]: debug2: kbdint_next_device: devices [preauth] Dec 23 12:44:54 server sshd[29995]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_sshpam_init_ctx [preauth] Dec 23 12:44:54 server sshd[29995]: 
debug3: mm_request_send entering: type 104 [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_receive_expect entering: type 105 [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_receive entering [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_receive entering Dec 23 12:44:54 server sshd[29995]: debug3: monitor_read: checking request 104 Dec 23 12:44:54 server sshd[29995]: debug3: mm_answer_pam_init_ctx Dec 23 12:44:54 server sshd[29995]: debug3: PAM: sshpam_init_ctx entering Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_send entering: type 105 Dec 23 12:44:54 server sshd[29995]: debug3: mm_sshpam_query [preauth] Dec 23 12:44:54 server sshd[29998]: debug3: PAM: sshpam_thread_conv entering, 1 messages Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_send entering: type 106 [preauth] Dec 23 12:44:54 server sshd[29998]: debug3: ssh_msg_send: type 1 Dec 23 12:44:54 server sshd[29995]: debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth] Dec 23 12:44:54 server sshd[29998]: debug3: ssh_msg_recv entering Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_receive_expect entering: type 107 [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_receive entering [preauth] Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_receive entering Dec 23 12:44:54 server sshd[29995]: debug3: monitor_read: checking request 106 Dec 23 12:44:54 server sshd[29995]: debug3: mm_answer_pam_query Dec 23 12:44:54 server sshd[29995]: debug3: PAM: sshpam_query entering Dec 23 12:44:54 server sshd[29995]: debug3: ssh_msg_recv entering Dec 23 12:44:54 server sshd[29995]: debug3: mm_request_send entering: type 107 Dec 23 12:44:54 server sshd[29995]: debug3: mm_sshpam_query: pam_query returned 0 [preauth] Dec 23 12:44:54 server sshd[29995]: Postponed keyboard-interactive for root from 
2001:xxx:xxxx:xxx::107 port 50338 ssh2 [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_sshpam_respond [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_send entering: type 108 [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_sshpam_respond: waiting for MONITOR_ANS_PAM_RESPOND [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_receive_expect entering: type 109 [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_receive entering [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_receive entering Dec 23 12:44:58 server sshd[29995]: debug3: monitor_read: checking request 108 Dec 23 12:44:58 server sshd[29995]: debug3: mm_answer_pam_respond Dec 23 12:44:58 server sshd[29995]: debug2: PAM: sshpam_respond entering, 1 responses Dec 23 12:44:58 server sshd[29995]: debug3: ssh_msg_send: type 6 Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_send entering: type 109 Dec 23 12:44:58 server sshd(pam_google_authenticator)[29998]: Invalid verification code Dec 23 12:44:58 server sshd[29995]: debug3: mm_sshpam_respond: pam_respond returned 1 [preauth] Dec 23 12:44:58 server sshd[29998]: debug3: ssh_msg_send: type 7 Dec 23 12:44:58 server sshd[29995]: debug3: mm_sshpam_query [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_send entering: type 106 [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_receive_expect entering: type 107 [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_receive entering [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_receive entering Dec 23 12:44:58 server sshd[29995]: debug3: monitor_read: checking request 106 Dec 23 12:44:58 server sshd[29995]: debug3: mm_answer_pam_query Dec 23 12:44:58 server sshd[29995]: debug3: PAM: sshpam_query entering Dec 23 12:44:58 server sshd[29995]: debug3: ssh_msg_recv entering Dec 23 
12:44:58 server sshd[29995]: debug3: PAM: Authentication failure Dec 23 12:44:58 server sshd[29995]: error: PAM: Cannot make/remove an entry for the specified session for root from 2001:xxx:xxxx:xxx::107 Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_send entering: type 107 Dec 23 12:44:58 server sshd[29995]: debug3: mm_sshpam_query: pam_query returned -1 [preauth] Dec 23 12:44:58 server sshd[29995]: debug2: auth2_challenge_start: devices [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_sshpam_free_ctx [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_send entering: type 110 [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_sshpam_free_ctx: waiting for MONITOR_ANS_PAM_FREE_CTX [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_receive_expect entering: type 111 [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_receive entering [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_receive entering Dec 23 12:44:58 server sshd[29995]: debug3: monitor_read: checking request 110 Dec 23 12:44:58 server sshd[29995]: debug3: mm_answer_pam_free_ctx Dec 23 12:44:58 server sshd[29995]: debug3: PAM: sshpam_free_ctx entering Dec 23 12:44:58 server sshd[29995]: debug3: PAM: sshpam_thread_cleanup entering Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_send entering: type 111 Dec 23 12:44:58 server sshd[29995]: debug2: monitor_read: 110 used once, disabling now Dec 23 12:44:58 server sshd[29995]: Failed keyboard-interactive/pam for root from 2001:xxx:xxxx:xxx::107 port 50338 ssh2 Dec 23 12:44:58 server sshd[29995]: debug3: userauth_finish: failure partial=0 next methods="keyboard-interactive" [preauth] Dec 23 12:44:58 server sshd[29995]: debug1: userauth-request for user root service ssh-connection method keyboard-interactive [preauth] Dec 23 12:44:58 server sshd[29995]: debug1: attempt 3 failures 2 [preauth] Dec 23 12:44:58 server sshd[29995]: debug2: input_userauth_request: try method 
keyboard-interactive [preauth] Dec 23 12:44:58 server sshd[29995]: debug1: keyboard-interactive devs [preauth] Dec 23 12:44:58 server sshd[29995]: debug1: auth2_challenge: user=root devs= [preauth] Dec 23 12:44:58 server sshd[29995]: debug1: kbdint_alloc: devices 'pam' [preauth] Dec 23 12:44:58 server sshd[29995]: debug2: auth2_challenge_start: devices pam [preauth] Dec 23 12:44:58 server sshd[29995]: debug2: kbdint_next_device: devices [preauth] Dec 23 12:44:58 server sshd[29995]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_sshpam_init_ctx [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_send entering: type 104 [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_receive_expect entering: type 105 [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_receive entering [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_receive entering Dec 23 12:44:58 server sshd[29995]: debug3: monitor_read: checking request 104 Dec 23 12:44:58 server sshd[29995]: debug3: mm_answer_pam_init_ctx Dec 23 12:44:58 server sshd[29995]: debug3: PAM: sshpam_init_ctx entering Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_send entering: type 105 Dec 23 12:44:58 server sshd[29995]: debug3: mm_sshpam_query [preauth] Dec 23 12:44:58 server sshd[29999]: debug3: PAM: sshpam_thread_conv entering, 1 messages Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_send entering: type 106 [preauth] Dec 23 12:44:58 server sshd[29999]: debug3: ssh_msg_send: type 1 Dec 23 12:44:58 server sshd[29995]: debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth] Dec 23 12:44:58 server sshd[29999]: debug3: ssh_msg_recv entering Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_receive_expect entering: type 107 [preauth] Dec 23 12:44:58 server 
sshd[29995]: debug3: mm_request_receive entering [preauth] Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_receive entering Dec 23 12:44:58 server sshd[29995]: debug3: monitor_read: checking request 106 Dec 23 12:44:58 server sshd[29995]: debug3: mm_answer_pam_query Dec 23 12:44:58 server sshd[29995]: debug3: PAM: sshpam_query entering Dec 23 12:44:58 server sshd[29995]: debug3: ssh_msg_recv entering Dec 23 12:44:58 server sshd[29995]: debug3: mm_request_send entering: type 107 Dec 23 12:44:58 server sshd[29995]: debug3: mm_sshpam_query: pam_query returned 0 [preauth] Dec 23 12:44:58 server sshd[29995]: Postponed keyboard-interactive for root from 2001:xxx:xxxx:xxx::107 port 50338 ssh2 [preauth] Dec 23 12:45:01 server cron[30000]: pam_unix(crond:session): session opened for user root by (uid=0) Dec 23 12:45:01 server cron[30001]: pam_unix(crond:session): session opened for user root by (uid=0) Dec 23 12:45:01 server CRON[30001]: pam_unix(crond:session): session closed for user root Dec 23 12:45:01 server CRON[30000]: pam_unix(crond:session): session closed for user root Dec 23 12:45:01 server sshd[21866]: debug1: server_input_global_request: rtype keepalive at openssh.com want_reply 1 Dec 23 12:45:07 server sshd[21736]: debug1: server_input_global_request: rtype keepalive at openssh.com want_reply 1 Dec 23 12:45:08 server sshd[29995]: debug3: mm_sshpam_respond [preauth] Dec 23 12:45:08 server sshd[29995]: debug3: mm_request_send entering: type 108 [preauth] Dec 23 12:45:08 server sshd[29995]: debug3: mm_sshpam_respond: waiting for MONITOR_ANS_PAM_RESPOND [preauth] Dec 23 12:45:08 server sshd[29995]: debug3: mm_request_receive_expect entering: type 109 [preauth] Dec 23 12:45:08 server sshd[29995]: debug3: mm_request_receive entering [preauth] Dec 23 12:45:08 server sshd[29995]: debug3: mm_request_receive entering Dec 23 12:45:08 server sshd[29995]: debug3: monitor_read: checking request 108 Dec 23 12:45:08 server sshd[29995]: debug3: mm_answer_pam_respond Dec 
23 12:45:08 server sshd[29995]: debug2: PAM: sshpam_respond entering, 1 responses Dec 23 12:45:08 server sshd[29995]: debug3: ssh_msg_send: type 6 Dec 23 12:45:08 server sshd[29995]: debug3: mm_request_send entering: type 109 Dec 23 12:45:08 server sshd(pam_google_authenticator)[29999]: Invalid verification code Dec 23 12:45:08 server sshd[29995]: debug3: mm_sshpam_respond: pam_respond returned 1 [preauth] Dec 23 12:45:08 server sshd[29999]: debug3: ssh_msg_send: type 7 Dec 23 12:45:08 server sshd[29995]: debug3: mm_sshpam_query [preauth] Dec 23 12:45:08 server sshd[29995]: debug3: mm_request_send entering: type 106 [preauth] Dec 23 12:45:08 server sshd[29995]: debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth] Dec 23 12:45:08 server sshd[29995]: debug3: mm_request_receive_expect entering: type 107 [preauth] Dec 23 12:45:08 server sshd[29995]: debug3: mm_request_receive entering [preauth] Dec 23 12:45:08 server sshd[29995]: debug3: mm_request_receive entering Dec 23 12:45:08 server sshd[29995]: debug3: monitor_read: checking request 106 Dec 23 12:45:08 server sshd[29995]: debug3: mm_answer_pam_query Dec 23 12:45:08 server sshd[29995]: debug3: PAM: sshpam_query entering Dec 23 12:45:08 server sshd[29995]: debug3: ssh_msg_recv entering Dec 23 12:45:08 server sshd[29995]: debug3: PAM: Authentication failure Dec 23 12:45:08 server sshd[29995]: error: PAM: Cannot make/remove an entry for the specified session for root from 2001:xxx:xxxx:xxx::107 Dec 23 12:45:08 server sshd[29995]: debug3: mm_request_send entering: type 107 Dec 23 12:45:08 server sshd[29995]: debug3: mm_sshpam_query: pam_query returned -1 [preauth] Dec 23 12:45:08 server sshd[29995]: debug2: auth2_challenge_start: devices [preauth] Dec 23 12:45:08 server sshd[29995]: debug3: mm_sshpam_free_ctx [preauth] Dec 23 12:45:08 server sshd[29995]: debug3: mm_request_send entering: type 110 [preauth] Dec 23 12:45:08 server sshd[29995]: debug3: mm_sshpam_free_ctx: waiting for 
MONITOR_ANS_PAM_FREE_CTX [preauth] Dec 23 12:45:08 server sshd[29995]: debug3: mm_request_receive_expect entering: type 111 [preauth] Dec 23 12:45:08 server sshd[29995]: debug3: mm_request_receive entering [preauth] Dec 23 12:45:08 server sshd[29995]: debug3: mm_request_receive entering Dec 23 12:45:08 server sshd[29995]: debug3: monitor_read: checking request 110 Dec 23 12:45:08 server sshd[29995]: debug3: mm_answer_pam_free_ctx Dec 23 12:45:08 server sshd[29995]: debug3: PAM: sshpam_free_ctx entering Dec 23 12:45:08 server sshd[29995]: debug3: PAM: sshpam_thread_cleanup entering Dec 23 12:45:08 server sshd[29995]: debug3: mm_request_send entering: type 111 Dec 23 12:45:08 server sshd[29995]: debug2: monitor_read: 110 used once, disabling now Dec 23 12:45:08 server sshd[29995]: Failed keyboard-interactive/pam for root from 2001:xxx:xxxx:xxx::107 port 50338 ssh2 Dec 23 12:45:08 server sshd[29995]: debug3: userauth_finish: failure partial=0 next methods="keyboard-interactive" [preauth] Dec 23 12:45:08 server sshd[29995]: Connection closed by 2001:xxx:xxxx:xxx::107 [preauth] Dec 23 12:45:08 server sshd[29995]: debug1: do_cleanup [preauth] Dec 23 12:45:08 server sshd[29995]: debug3: PAM: sshpam_thread_cleanup entering [preauth] Dec 23 12:45:08 server sshd[29995]: debug1: monitor_read_log: child log fd closed Dec 23 12:45:08 server sshd[29995]: debug3: mm_request_receive entering Dec 23 12:45:08 server sshd[29995]: debug1: do_cleanup Dec 23 12:45:08 server sshd[29995]: debug1: PAM: cleanup Dec 23 12:45:08 server sshd[29995]: debug3: PAM: sshpam_thread_cleanup entering Dec 23 12:45:08 server sshd[29995]: debug1: Killing privsep child 29996 From opsdmt at gmail.com Wed Dec 24 08:51:17 2014 
From: opsdmt at gmail.com (Dmt Ops)
Date: Tue, 23 Dec 2014 13:51:17 -0800
Subject: chaining AUTH methods -- adding GoogleAuthenticator 2nd Factor to pubkey auth? can't get the GA prompt :-/
In-Reply-To: 
References: 
Message-ID: 

> I've used google authenticator via PAM before

Digging further, doing a clean install of GA-libpam, even though the `make` shows no errors, and the "./demo" app appears to work without error too, running `make test` returns an Error,

  cd google-authenticator/libpam
  make test
  ./pam_google_authenticator_unittest
  Testing base32 encoding
  Testing base32 decoding
  Testing HMAC_SHA1
  Loading PAM module
  Running tests, querying for verification code
  Testing failed login attempt
  Testing required number of digits
  Testing a blank response
  Test handling of missing state files
  Testing successful login
  Testing WINDOW_SIZE option
  Testing DISALLOW_REUSE option
  Testing RATE_LIMIT option
  Testing TIME_SKEW
  pam_google_authenticator_unittest: pam_google_authenticator_unittest.c:137: verify_prompts_shown: Assertion `num_prompts_shown == expected_prompts_shown' failed.
  >>> Invalid verification code
  Makefile:36: recipe for target 'test' failed
  make: *** [test] Error 1

with the same "Invalid verification code" seen in the SSHD logs.

I tracked that message down to one prior post, as yet unanswered, unfortunately.

  [CentOS] CentOS 5.9 and google-authenticator
  http://lists.centos.org/pipermail/centos/2013-June/135586.html

In that post it suggests that the FAIL is OS-dependent, or at least os-VERSION-dependent.

Question -- on the system that you have GA-pam+sshd working on, are you able to get at the GA-libpam source to run the `make test` and see if your test passes?

From gert at greenie.muc.de Wed Dec 24 10:08:40 2014
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 24 Dec 2014 00:08:40 +0100
Subject: Dealing with roaming machines
In-Reply-To: 
References: <20141222092649.GA22023@albatross.lehel.madduck.net>
Message-ID: <20141223230839.GV17158@greenie.muc.de>

Hi,

On Tue, Dec 23, 2014 at 11:52:49AM -0800, Dan Kaminsky wrote:
> That's a good point. DHCP allows you to set DNS search parameters. So as
> long as each location sets different search, "ssh fishbowl" will in fact
> resolve to the proper local FQDN.

Nico isn't understanding the original question :-)

Martin's laptop is travelling, and he wants to be able to SSH *to* the laptop. So "DHCP telling the laptop where it is" is not the answer to "how does the outside world know where to reach the laptop".

DynDNS is one approach, or "have OpenSSH query 3 different FQDNs and try to connect to them in sequence" (which was the original question).

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                  //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From stapelberg+openssh at google.com Thu Dec 25 05:57:52 2014
From: stapelberg+openssh at google.com (Michael Stapelberg) Date: Wed, 24 Dec 2014 19:57:52 +0100 Subject: [PATCH] U2F support in OpenSSH Message-ID: Hey, Judging from the (private) responses I?ve got, there is quite a bit of interest in the U2F feature I proposed a while ago. Therefore, I?ve taken some time to resolve the remaining issues, and I think the resulting patch (attached to this email) is in quite a good state now. I also posted the new version of the patch to https://bugzilla.mindrot.org/show_bug.cgi?id=2319 (which I?ve opened based on Damien Miller?s request). In case you?re interested, please feel free to try the patch. I?m happy for any feedback. All you need is libu2f-host installed and a clean copy of OpenSSH 6.7p1. Apply the attached patch, delete configure, use autoreconf -i to regenerate it, then run ./configure --with-u2f and compile OpenSSH. Afterwards, follow the patch description/manpages to see how it works. Quote from the description follows: ------------------------------------------------------------------------------- Recently, the FIDO alliance announced U2F [1], and Google announced that it supports U2F tokens (?security keys?) for Google accounts [2]. As the spec is not a very short read, I gave a presentation last week about U2F which may be a good quick introduction to the details [3]. For the rest of this description, I?ll assume that you read either my presentation or the U2F spec. (side note: I?m not working on U2F, playing around with it and implementing it in OpenSSH is my private fun project :)) This commit adds U2F support to OpenSSH. More specifically, it adds an authentication mechanism called ?u2f?, together with the ssh-u2f key format. The new u2f authentication mechanism can operate in two modes, specified by the client with the U2FMode option: registration (necessary once per U2F security key) or authentication (the default). 
Since U2F is a two-factor authentication mechanism, you should never use it
as the sole AuthenticationMethod. Therefore, whenever you enable
U2FAuthentication, please also set AuthenticationMethods on the server. As
an example, add the following to your sshd_config:

    U2FAuthentication yes
    AuthenticationMethods publickey,u2f

(This assumes that you always enter your passphrase for the pubkey,
otherwise perhaps AuthenticationMethods password,u2f would be a better
choice; YMMV.)

For users without an ssh-u2f key in their authorized_keys file, this is a
noop and will not change behavior; the u2f authentication method will just
always report success in this case.

For users with at least one ssh-u2f key in their authorized_keys, the user
must have the U2F security key in order to login. The server will send a
challenge, and ssh(1) on the user's machine will ask the user to touch the
U2F security key. Upon being touched, the U2F security key cryptographically
signs the challenge, and the server can verify that the registered security
key is indeed present.

To register a U2F security key, use:

    ssh -o U2FMode=registration my.server.example > /tmp/u2f-key.pub

Now append the contents of /tmp/u2f-key.pub to your authorized_keys file on
the server. From now on, you should be prompted to touch the registered U2F
security key after successful publickey authentication.

In case you want to register another U2F security key, just repeat the
process.

Thanks to Thomas Habets, Christian Svensson and Axel Wagner for their
support in implementing/discussing/testing this feature.

[1] https://fidoalliance.org/
[2] http://googleonlinesecurity.blogspot.ch/2014/10/strengthening-2-step-verification-with.html
[3] https://www.noname-ev.de/w/File:C14h-u2f-how-security-keys-work.pdf
-------------------------------------------------------------------------------

Best regards,
Michael

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Implement-U2F-support-with-u2f-requires-libu2f-host.patch
Type: text/x-patch
Size: 58460 bytes
Desc: not available
URL:

From bob at proulx.com Thu Dec 25 19:20:40 2014
From: bob at proulx.com (Bob Proulx)
Date: Thu, 25 Dec 2014 01:20:40 -0700
Subject: Dealing with roaming machines
In-Reply-To: <20141222092649.GA22023@albatross.lehel.madduck.net>
References: <20141222092649.GA22023@albatross.lehel.madduck.net>
Message-ID: <20141225011355298347073@bob.proulx.com>

martin f krafft wrote:
> My laptop and I roam between three networks, though sometimes
> I leave the laptop at the office overnight, or hop over to the third
> site for an hour or two.
>
> I'd like to find a way to configure OpenSSH (or Linux in general) to
> try the other networks if the machine cannot be found locally.

I am sure you have already thought of this and didn't prefer it but the way
I handle this is by using OpenVPN. My mobile laptop always "calls back
home" with OpenVPN. I always access the laptop using the VPN address no
matter where it is located.

When I ssh it means that the connection is encrypted both by OpenVPN and by
SSH. But it is always over WiFi so the performance bottleneck is the WiFi
and the double encryption is insignificant then.

Having a stable VPN address for the mobile laptop no matter where it exists
in the network is quite nice. Also this gives my laptop secure access to
the private side of my network for all services not just ssh. The solution
works well for me.

Good luck!
Bob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL:

From gert at greenie.muc.de Thu Dec 25 21:27:33 2014
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 25 Dec 2014 11:27:33 +0100
Subject: Dealing with roaming machines
In-Reply-To: <20141225011355298347073@bob.proulx.com>
References: <20141222092649.GA22023@albatross.lehel.madduck.net> <20141225011355298347073@bob.proulx.com>
Message-ID: <20141225102733.GC17158@greenie.muc.de>

Hi,

On Thu, Dec 25, 2014 at 01:20:40AM -0700, Bob Proulx wrote:
> When I ssh it means that the connection is encrypted both by OpenVPN
> and by SSH. But it is always over WiFi so the performance bottleneck
> is the WiFi and the double encryption is insignificant then.

If all you ever do is SSH, and double encryption bothers you, you could run
openvpn with "--cipher none" (and still get HMAC, FWIW).

Which, of course, is strictly non-recommended for the general use case :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From neil.n.carlson at gmail.com Fri Dec 26 02:19:53 2014
From: neil.n.carlson at gmail.com (Neil Carlson)
Date: Thu, 25 Dec 2014 08:19:53 -0700
Subject: What occurs at the point of this ssh hang?
Message-ID:

Judging from the following 'ssh -vvv' output, what process might be
happening and causing the hang at the indicated point?

OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 51: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to git.code.sf.net [216.34.181.155] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/***/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /***/.ssh/id_rsa type 1
debug1: identity file /***/.ssh/id_rsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/***/.ssh/id_dsa" as a RSA1 public key
debug1: identity file /***/.ssh/id_dsa type 2
debug1: identity file /***/.ssh/id_dsa-cert type -1
...
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.4
------ ssh hangs at this point -----
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5*
debug2: fd 3 setting O_NONBLOCK
...

From dtucker at zip.com.au Fri Dec 26 03:05:15 2014
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 25 Dec 2014 11:05:15 -0500
Subject: What occurs at the point of this ssh hang?
In-Reply-To:
References:
Message-ID:

On Thu, Dec 25, 2014 at 10:19 AM, Neil Carlson wrote:
> Judging from the following 'ssh -vvv' output, what process might be
> happening and causing the hang at the indicated point?
>

My guess would be reverse DNS resolution of the client's address plus
forward resolution of that address. If you have access to the server,
running the server in debug mode (/path/to/sshd -ddd) would likely give you
a better idea. If it is DNS timing out, setting "UseDNS no" in sshd_config
will likely help.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Fri Dec 26 03:19:30 2014
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 25 Dec 2014 11:19:30 -0500
Subject: Dealing with roaming machines
In-Reply-To: <20141223135111.GB3862@fishbowl.rw.madduck.net>
References: <20141222092649.GA22023@albatross.lehel.madduck.net> <20141222204106.GB27212@fishbowl.rw.madduck.net> <20141223135111.GB3862@fishbowl.rw.madduck.net>
Message-ID:

On Tue, Dec 23, 2014 at 8:51 AM, martin f krafft wrote:
[...]
> I'd kinda like OpenSSH to connect to all three IPs at once, since
> only one will ever be answered at any one time.

You could do that with a ProxyCommand: have it connect() to all addresses
returned by DNS, use the first one to return and close the others. Writing
such a tool would be fairly simple, and I would be surprised if something
like that doesn't already exist.

> Or it should try them in quick succession.
>

Try "ConnectTimeout 1s" or similar in your config for that host.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From nkadel at gmail.com Fri Dec 26 03:43:51 2014
From: nkadel at gmail.com (Nico Kadel-Garcia)
Date: Thu, 25 Dec 2014 11:43:51 -0500
Subject: Dealing with roaming machines
In-Reply-To: <20141223200436.GA8924@fishbowl.rw.madduck.net>
References: <20141222092649.GA22023@albatross.lehel.madduck.net> <20141223200436.GA8924@fishbowl.rw.madduck.net>
Message-ID: <17FC680C-6C5C-45EB-8D06-F9932C563614@gmail.com>

> On Dec 23, 2014, at 15:04, martin f krafft wrote:
>
> also sprach Dan Kaminsky [2014-12-23 20:52 +0100]:
>> That's a good point. DHCP allows you to set DNS search parameters. So as
>> long as each location sets different search, "ssh fishbowl" will in fact
>> resolve to the proper local FQDN.
>
> Yeah, and this works, but it's *not* what I want, because the
> machine is not reachable at the local FQDN; it is reachable at
> a remote location, so the (correct) DNS search setup is actually
> *preventing* me from accessing the machine without manual
> intervention.

Then it sounds like you really need to use the FQDN, or have a distinctive
CNAME for each subdomain. The underlying C libraries for "gethostbyname" or
similar, more modern lookups don't support what you're looking for.

>
> --
> @martinkrafft | http://madduck.net/ | http://two.sentenc.es/
>
> "politics is the entertainment branch of industry."
> -- frank zappa
>
> spamtraps: madduck.bogus at madduck.net
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From madduck at madduck.net Fri Dec 26 03:39:39 2014
From: madduck at madduck.net (martin f krafft)
Date: Thu, 25 Dec 2014 17:39:39 +0100
Subject: Dealing with roaming machines
In-Reply-To:
Message-ID: <20141225163939.GA7506@fishbowl.rw.madduck.net>

also sprach Darren Tucker [2014-12-25 17:19 +0100]:
> You could do that with a ProxyCommand: have it connect() to all
> addresses returned by DNS, use the first one to return and close
> the others. Writing such a tool would be fair simple, and I would
> be surprised if something like that doesn't already exist.

This is precisely what I am currently working on and I will share my
results once I finish. If only all this Christmas stuff didn't keep one
from getting work done! ;)

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/

"it is impossible to foresee the consequences of being clever."
-- christopher strachey

spamtraps: madduck.bogus at madduck.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: digital_signature_gpg.asc
Type: application/pgp-signature
Size: 1103 bytes
Desc: Digital signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)
URL:

From madduck at madduck.net Fri Dec 26 08:13:03 2014
From: madduck at madduck.net (martin f krafft)
Date: Thu, 25 Dec 2014 22:13:03 +0100
Subject: Dealing with roaming machines
In-Reply-To: <20141225163939.GA7506@fishbowl.rw.madduck.net>
References: <20141225163939.GA7506@fishbowl.rw.madduck.net>
Message-ID: <20141225211303.GA27187@fishbowl.rw.madduck.net>

also sprach martin f krafft [2014-12-25 17:39 +0100]:
> This is precisely what I am currently working on and I will share my
> results once I finish. If only all this Christmas stuff didn't keep
> one from getting work done! ;)

ProxyCommand nc $( (TRIES=%h.{gern,lehel,rw}.madduck.net; eval fping -aAC1 \
  -t100 $TRIES; eval fping6 -aAC1 -t100 $TRIES; wait) 2>&1 | sed -rne \
  's, : ([[:digit:]]), @\1,p' | sort -t@ -k2n | sed -ne '1s, .*,,p') %p

Comments and improvements welcome!

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/

"i worked myself up from nothing to a state of extreme poverty."
-- groucho marx

spamtraps: madduck.bogus at madduck.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: digital_signature_gpg.asc
Type: application/pgp-signature
Size: 1107 bytes
Desc: Digital signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)
URL:

From madduck at madduck.net Fri Dec 26 08:31:36 2014
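Darren's sketch (connect() to every address, keep the first that answers, close the others) and martin's fping-based ProxyCommand above, written out as one added C example; this is not code from OpenSSH or from either poster. It assumes an ssh_config line such as "ProxyCommand first_up %p laptop.site1 laptop.site2 laptop.site3", where first_up and the candidate names are hypothetical, and it does itself what nc does in the one-liner: relay stdin/stdout to the socket that won the race.

```c
/* first_up: an ssh ProxyCommand that races connect() to every address of every
 * candidate hostname, keeps the first that completes, closes the rest and then
 * relays stdin/stdout to it.  Added example; not OpenSSH's or the posters' code.
 * Assumed ssh_config use:  ProxyCommand first_up %p laptop.site1 laptop.site2 */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>
#define MAXC 32                          /* candidate sockets in the race */

/* Resolve each host and start a non-blocking connect() to every address it has.
 * Names that do not resolve at the current site are simply skipped. */
int start_connects(const char **hosts, int nhosts, const char *port, int *fds)
{
    struct addrinfo hints = { .ai_socktype = SOCK_STREAM }, *res, *ai;
    int n = 0;
    for (int h = 0; h < nhosts; h++) {
        if (getaddrinfo(hosts[h], port, &hints, &res) != 0)
            continue;
        for (ai = res; ai && n < MAXC; ai = ai->ai_next) {
            int fd = socket(ai->ai_family, SOCK_STREAM, 0);
            if (fd < 0)
                continue;
            fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
            if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0 ||
                errno == EINPROGRESS)
                fds[n++] = fd;           /* in flight (or done already) */
            else
                close(fd);               /* e.g. no route from this site */
        }
        freeaddrinfo(res);
    }
    return n;
}

/* Wait up to timeout_ms for the first connect() to succeed.  Returns that fd
 * with every other candidate closed, or -1 if none answered in time. */
int first_connected(int *fds, int n, int timeout_ms)
{
    struct pollfd pfd[MAXC];
    int winner = -1, err, kept, i;
    socklen_t len;
    while (n > 0 && winner < 0) {
        for (i = 0; i < n; i++)
            pfd[i] = (struct pollfd){ .fd = fds[i], .events = POLLOUT };
        if (poll(pfd, n, timeout_ms) <= 0)
            break;                       /* nobody answered in time */
        for (i = kept = 0; i < n; i++) {
            if (!(pfd[i].revents & (POLLOUT | POLLERR | POLLHUP))) {
                fds[kept++] = fds[i];    /* still in flight: keep racing */
                continue;
            }
            err = 0, len = sizeof(err);  /* SO_ERROR: did connect() succeed? */
            if (winner < 0 && !getsockopt(fds[i], SOL_SOCKET, SO_ERROR, &err, &len) && !err)
                winner = fds[i];
            else
                close(fds[i]);           /* refused, unreachable, or second */
        }
        n = kept;
    }
    for (i = 0; i < n; i++)              /* drop candidates still pending */
        close(fds[i]);
    return winner;
}

/* Resolve, race and hand back the winning socket, or -1. */
int race(const char **hosts, int nhosts, const char *port, int timeout_ms)
{
    int fds[MAXC];
    return first_connected(fds, start_connects(hosts, nhosts, port, fds), timeout_ms);
}

/* Copy bytes between stdin/stdout and the socket until either side closes. */
void relay(int sock)
{
    struct pollfd pfd[2] = { { STDIN_FILENO, POLLIN, 0 }, { sock, POLLIN, 0 } };
    char buf[16384];
    ssize_t r, w, off;
    fcntl(sock, F_SETFL, fcntl(sock, F_GETFL) & ~O_NONBLOCK);
    while (poll(pfd, 2, -1) > 0)
        for (int i = 0; i < 2; i++) {
            if (!(pfd[i].revents & (POLLIN | POLLHUP | POLLERR)))
                continue;
            if ((r = read(pfd[i].fd, buf, sizeof(buf))) <= 0)
                return;                  /* EOF or error ends the session */
            for (off = 0; off < r; off += w)   /* i == 0: stdin -> socket */
                if ((w = write(i ? STDOUT_FILENO : sock, buf + off, r - off)) < 0)
                    return;
        }
}

int main(int argc, char **argv)
{
    int sock = argc < 3 ? -2 : race((const char **)argv + 2, argc - 2, argv[1], 3000);
    if (sock == -2) { fprintf(stderr, "usage: %s port host...\n", argv[0]); return 2; }
    if (sock < 0) { fprintf(stderr, "%s: no candidate answered\n", argv[0]); return 1; }
    relay(sock);
    return 0;
}
```

Unlike the fping version, this needs no ICMP reachability and never picks a host whose sshd port is closed, since only a completed TCP connect() counts as an answer.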
From: madduck at madduck.net (martin f krafft)
Date: Thu, 25 Dec 2014 22:31:36 +0100
Subject: Dealing with roaming machines
In-Reply-To: <20141225011355298347073@bob.proulx.com>
References: <20141222092649.GA22023@albatross.lehel.madduck.net> <20141225011355298347073@bob.proulx.com>
Message-ID: <20141225213136.GA29047@fishbowl.rw.madduck.net>

also sprach Bob Proulx [2014-12-25 09:20 +0100]:
> I am sure you have already thought of this and didn't prefer it but
> the way I handle this is by using OpenVPN. My mobile laptop always
> "calls back home" with OpenVPN. I always access the laptop using the
> VPN address no matter where it is located.

If I were to do this, then while at the office, the laptop would "call
home", meaning that transfer between my desktop and the laptop would not go
directly over gigabit, but have to traverse ADSL twice on both ends,
office-home-home-office.

> Having a stable VPN address for the mobile laptop no matter where
> it exists in the network is quite nice. Also this gives my laptop
> secure access to the private side of my network for all services
> not just ssh. The solution works well for me.

My laptop can "call in" to the VPN any time, and if it does, then it'll be
found. Cf. the ProxyCommand I just sent, subdomain rw.madduck.net.

Thanks everyone for their help and ideas, and Luca Filipozzi for the fping
hint.

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/

drink canada dry! you might not succeed, but it *is* fun trying.

spamtraps: madduck.bogus at madduck.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: digital_signature_gpg.asc
Type: application/pgp-signature
Size: 1107 bytes
Desc: Digital signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)
URL:

From nkadel at gmail.com Sat Dec 27 08:22:40 2014
From: nkadel at gmail.com (Nico Kadel-Garcia)
Date: Fri, 26 Dec 2014 16:22:40 -0500
Subject: Dealing with roaming machines
In-Reply-To: <20141225011355298347073@bob.proulx.com>
References: <20141222092649.GA22023@albatross.lehel.madduck.net> <20141225011355298347073@bob.proulx.com>
Message-ID:

On Thu, Dec 25, 2014 at 3:20 AM, Bob Proulx wrote:
> martin f krafft wrote:
>> My laptop and I roam between three networks, though sometimes
>> I leave the laptop at the office overnight, or hop over to the third
>> site for an hour or two.
>>
>> I'd like to find a way to configure OpenSSH (or Linux in general) to
>> try the other networks if the machine cannot be found locally.
>
> I am sure you have already thought of this and didn't prefer it but
> the way I handle this is by using OpenVPN. My mobile laptop always
> "calls back home" with OpenVPN. I always access the laptop using the
> VPN address no matter where it is located.
>
> When I ssh it means that the connection is encrypted both by OpenVPN
> and by SSH. But it is always over WiFi so the performance bottleneck
> is the WiFi and the double encryption is insignificant then.
>
> Having a stable VPN address for the mobile laptop no matter where it
> exists in the network is quite nice. Also this gives my laptop secure
> access to the private side of my network for all services not just
> ssh. The solution works well for me.
>
> Good luck!
> Bob

Oh, for pete's sake: just use the FQDN, including the
"laptop.int.domain.com" when the laptop is inside the internal network,
"laptop.ext.domain.com" when it's external, etc. Stop trying to use the
unqualified hostname: extending with search domains to get and discover all
the potential names and try them is really *not* how DNS was written.

This is underlying DNS behavior in "gethostbyname" or "getaddrinfo" C
library functions, not really SSH behavior.

From thomas at habets.se Sat Dec 27 20:53:49 2014
From: thomas at habets.se (Thomas Habets)
Date: Sat, 27 Dec 2014 09:53:49 +0000
Subject: [PATC H] U2F support in OpenSSH
In-Reply-To:
References:
Message-ID:

On 24 December 2014 at 18:57, Michael Stapelberg wrote:
> In case you're interested, please feel free to try the patch. I'm happy for
> any feedback. All you need is libu2f-host installed and a clean copy of
> OpenSSH 6.7p1. Apply the attached patch, delete configure, use autoreconf
> -i to regenerate it, then run ./configure --with-u2f and compile OpenSSH.

Transferring my notes from the other thread:

1) PAM doesn't work (--with-pam, then UsePAM yes and
ChallengeResponseAuthentication yes)
Fix: detect loops in ssh2connect:userauth_u2f in some other way, such as a
dedicated variable in authctxt. (but also see point 5)

2) origin doesn't seem to be respected by YubiKeys (if I understand the spec
correctly)
Is AppID a better choice for this reason?

3) Include paths (probably bug in libu2f-host)
This is https://github.com/Yubico/libu2f-host/issues/13 that you filed.

4) What happened to 51?
MONITOR_REQ_TERM = 50, + MONITOR_REQ_READUSERU2FKEY = 52, MONITOR_ANS_READUSERU2FKEY = 53,

5) Why does registration connect to the server anyway, if the server doesn't
keep state and origin is not tied to the server pubkey?
Indeed, without AuthenticationMethods registration returns the blob before
password prompt is shown.
Registration only makes sense if server writes the key handle to
~/.ssh/authorized_keys, right?
Hmm, unless authorized_keys is signed by the server, the registration
process will never be "online" anyway, as U2F intends, so it may as well be
generated on the client and copy-pasted into the server's authorized_keys.
Enforced origin (but point 2) should prevent accidentally pasting the same
blob to multiple servers).
Tested on:
Ubuntu Trusty
OpenSSH 6.7p1
Yubikey Security key

--
typedef struct me_s {
  char name[]      = { "Thomas Habets" };
  char email[]     = { "thomas at habets.pp.se" };
  char kernel[]    = { "Linux" };
  char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
  char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
  char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;

From boris.lenin123 at gmail.com Mon Dec 29 00:12:38 2014
From: boris.lenin123 at gmail.com (Boris Lenin)
Date: Sun, 28 Dec 2014 15:12:38 +0200
Subject: Compiling a static openssh server
Message-ID:

Hello,

I'm trying to compile a static openssh-server, simply by running:

export LDFLAGS=-static
./configure
make sshd

but the linker shows the warnings I've quoted on the bottom of this mail.
The warnings say that I cannot use NSS functions when statically compiling.
This makes sshd not work because at runtime, every call to getpwnam returns
0.

Do you know a way to compile openssh statically?

Thank you.

the warnings:

(.text+0x11): warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
groupaccess.o: In function `ga_init':
/home/john/Downloads/openssh-6.6p1/groupaccess.c:67: warning: Using 'getgrouplist' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
session.o: In function `do_setusercontext':
/home/john/Downloads/openssh-6.6p1/session.c:1535: warning: Using 'initgroups' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
groupaccess.o: In function `ga_init':
/home/john/Downloads/openssh-6.6p1/groupaccess.c:70: warning: Using 'getgrgid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
sshpty.o: In function `pty_setowner':
/home/john/Downloads/openssh-6.6p1/sshpty.c:211: warning: Using 'getgrnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
session.o: In function `do_setusercontext':
/home/john/Downloads/openssh-6.6p1/session.c:1539: warning: Using 'endgrent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./libssh.a(misc.o): In function `secure_permissions':
/home/john/Downloads/openssh-6.6p1/misc.c:686: warning:
Using 'getpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
sshd.o: In function `main':
/home/john/Downloads/openssh-6.6p1/sshd.c:1666: warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
loginrec.o: In function `login_get_lastlog':
/home/john/Downloads/openssh-6.6p1/loginrec.c:308: warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
sshd.o: In function `main':
/home/john/Downloads/openssh-6.6p1/sshd.c:1677: warning: Using 'endpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
servconf.o: In function `add_one_listen_addr':
/home/john/Downloads/openssh-6.6p1/servconf.c:582: warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
auth.o: In function `allowed_user':
/home/john/Downloads/openssh-6.6p1/auth.c:112: warning: Using 'getspnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./libssh.a(canohost.o): In function `check_ip_options':
/home/john/Downloads/openssh-6.6p1/canohost.c:161: warning: Using 'getprotobyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

From johannes at kyriasis.com Mon Dec 29 01:12:51 2014
From: johannes at kyriasis.com (Johannes Löthberg)
Date: Sun, 28 Dec 2014 15:12:51 +0100
Subject: pubkey fingerprint and krb princ name in environment
Message-ID: <20141228141251.GA9815@leeloo.kyriasis.com>

Hey,

I use gitolite for git hosting on my server, and because I want to use
kerberos authentication I patched OpenSSH to put the name of the kerberos
principal name or the ssh fingerprint as environment variables so my
ForceCommand script can use them to actually authorize the user by the
principal/fingerprint.

It's a bit annoying to keep my own patch and I thought it might be something
that others might find useful too, so I thought I'd send an email to see if
there would be any interest in including this upstream.

Both patches are attached, the kerberos principal being made by Sven Geggus,
and the pubkey fingerprint one being written by me.

Any comments on both would be well appreciated.

-- 
Sincerely,
  Johannes Löthberg
  PGP Key ID: 0x50FB9B273A9D0BB5
  https://theos.kyriasis.com/~kyrias/

-------------- next part --------------
--- gss-serv-krb5.c.orig 2012-07-12 14:33:31.117551679 +0200
+++ gss-serv-krb5.c 2012-07-12 14:34:30.319020970 +0200
@@ -104,6 +104,11 @@ } else retval = 0; +#ifdef USE_PAM + if (options.use_pam) + do_pam_putenv("GSS_AUTH_KRB5_PRINC", (char *)client->displayname.value); +#endif + krb5_free_principal(krb_context, princ); return retval; }
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pubkey_fingerprint.patch
Type: text/x-diff
Size: 361 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 1495 bytes
Desc: not available
URL:

From dtucker at zip.com.au Mon Dec 29 03:27:46 2014
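Review bot: the inserted do_pam_putenv() runs regardless of what the preceding if/else decided, and the context line directly above it is the failure branch "retval = 0;", so GSS_AUTH_KRB5_PRINC is exported even when the principal was rejected for this user; guard it with "if (retval)" (or move it into the success branch) so that a ForceCommand script can treat the variable's presence as "this principal was authorized". The value also only reaches the session through PAM (#ifdef USE_PAM plus options.use_pam), which the cover note should state: a build without PAM, or a server with UsePAM no, silently gets no variable at all, and the ForceCommand script should treat that absence as "not authenticated via Kerberos" rather than as an error.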
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 28 Dec 2014 11:27:46 -0500
Subject: Compiling a static openssh server
In-Reply-To:
References:
Message-ID:

On Sun, Dec 28, 2014 at 8:12 AM, Boris Lenin wrote:
[...]
> Do you know a way to compile openssh statically?
>

Link against a libc that better supports static compiling? I've used uclibc
for this in the past.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From boris.lenin123 at gmail.com Mon Dec 29 03:41:20 2014
From: boris.lenin123 at gmail.com (Boris Lenin)
Date: Sun, 28 Dec 2014 18:41:20 +0200
Subject: Compiling a static openssh server
In-Reply-To:
References:
Message-ID:

Thanks for the answer!

This means I also have to re-compile zlib and openssl right?

On Sun, Dec 28, 2014 at 6:27 PM, Darren Tucker wrote:
> On Sun, Dec 28, 2014 at 8:12 AM, Boris Lenin
> wrote:
> [...]
>
>> Do you know a way to compile openssh statically?
>>
>
> Link against a libc that better supports static compiling? I've use
> uclibc for this in the past.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>

From dtucker at zip.com.au Mon Dec 29 04:23:31 2014
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 28 Dec 2014 12:23:31 -0500
Subject: Compiling a static openssh server
In-Reply-To:
References:
Message-ID:

On Sun, Dec 28, 2014 at 11:41 AM, Boris Lenin wrote:
> Thanks for the answer!
>
> This means I also have to re-compile zlib and openssl right?
>

Probably yes. When I used uclibc I had a little embedded system whose base
was entirely uclibc and zlib and openssl were compiled against it. I never
tried mixing and matching.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From djm at mindrot.org Tue Dec 30 12:09:30 2014
From: djm at mindrot.org (Damien Miller)
Date: Tue, 30 Dec 2014 12:09:30 +1100 (EST)
Subject: pubkey fingerprint and krb princ name in environment
In-Reply-To: <20141228141251.GA9815@leeloo.kyriasis.com>
References: <20141228141251.GA9815@leeloo.kyriasis.com>
Message-ID:

On Sun, 28 Dec 2014, Johannes Löthberg wrote:

> Hey,
>
> I use gitolite for git hosting on my server, and because I want to use
> kerberos authentication I patched OpenSSH to put the name of the kerberos
> principal name or the ssh fingerprint as environment variables so my
> ForceCommand script can use them to actually authorize the user by the
> principal/fingerprint.

Nice - I've written something similar for private use in the past.

The main reason why something like this isn't in sshd already is that I
haven't reworked it to handle multiple authentication. As of last week,
sshd keeps a list of the user public keys that were used in
authentication. This should make implementing the pubkey bit of this
easier...

-d

From sb at plzk.de Wed Dec 31 05:13:00 2014
From: sb at plzk.de (Stefan Bauer)
Date: Tue, 30 Dec 2014 19:13:00 +0100
Subject: CVE-2002-0083 - what's the problem? beginners question
Message-ID:

Hi,

I'm not a programmer nor able to fully understand the code of openssh in
detail - hence my question here.

Out of curiosity I was looking at the patch for CVE-2002-0083 and tried to
understand what the actual problem is, but failed:

--- channels_old.c?? ?Mon Mar? 4 02:07:06 2002
+++ channels.c?? ?Mon Mar? 4 02:07:16 2002
@@ -151,7 +151,7 @@ ?channel_lookup(int id) ?{ ??? ?Channel *c; -?? ?if (id < 0 || id > channels_alloc) { +?? ?if (id < 0 || id >= channels_alloc) { ??? ??? ?log("channel_lookup: %d: bad id", id); ??? ??? ?return NULL; ??? ?}

What does that mean?
If id is less than 0 (are we talking about the unix uid?) or id greater
than channels_alloc - log & return null)

Is this check for detecting users (not root) trying to do something nasty?

Thank you.

Stefan

From dkg at fifthhorseman.net Wed Dec 31 05:24:40 2014
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 30 Dec 2014 13:24:40 -0500
Subject: CVE-2002-0083 - what's the problem? beginners question
In-Reply-To:
References:
Message-ID: <54A2EDE8.4030109@fifthhorseman.net>

On 12/30/2014 01:13 PM, Stefan Bauer wrote:
> I'm not a programmer nor able to fully understand the code of openssh in detail - hence my question here.
>
> Out of curiosity I was looking at the patch for CVE-2002-0083 and tried to understand what the actual problem is, but failed:
>
> --- channels_old.c Mon Mar 4 02:07:06 2002
> +++ channels.c Mon Mar 4 02:07:16 2002
> @@ -151,7 +151,7 @@ > channel_lookup(int id) > { > Channel *c; > - if (id < 0 || id > channels_alloc) { > + if (id < 0 || id >= channels_alloc) { > log("channel_lookup: %d: bad id", id); > return NULL; > }
>
>
> What does that mean?
> If id is less than 0 (are we talking about the unix uid?)

This code is working with the concept of separated channels of traffic
within a single ssh connection. for more details, see:

  https://tools.ietf.org/html/rfc4254#section-5

The id is the number of the channel being looked up.

> or id greater than channels_alloc - log & return null)
>
> Is this check for detecting users (not root) trying to do something nasty?

in C, like many programming languages, arrays are 0-indexed. This means
that if you have 4 channels allocated, they are numbers 0, 1, 2, and 3, but
there is no "channel 4".

The patch above ensures that someone calling channel_lookup(4) when 4
channels are allocated will get the appropriate response (an error
response), instead of trying to return information about a channel that
doesn't exist.

hth,

--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL:

From sb at plzk.de Wed Dec 31 08:05:00 2014
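The off-by-one dkg describes, as an added C example modelled on the quoted hunk (not OpenSSH's code; fprintf stands in for its log()): both forms of the bounds test side by side, a lookup that uses the fixed one, and a constructed four-slot channel table on which id 4 is exactly the one the old test let through.

```c
/* The channel_lookup() bounds check from the CVE-2002-0083 patch, before and
 * after, next to a lookup that uses the fixed form.  Added example modelled on
 * the hunk quoted above; not OpenSSH's code (log() is stood in for by fprintf). */
#include <stdio.h>
#include <stdlib.h>

typedef struct Channel {
    int self;                       /* this channel's own id (the array index) */
    int remote_id;                  /* the peer's id for it, per RFC 4254 */
} Channel;

static Channel **channels;          /* table of pointers, one per allocated slot */
static int channels_alloc;          /* number of slots in the table */

/* Pre-patch test: accepts id == channels_alloc, which is one slot past the end
 * of the table, so channels[id] would read memory that was never allocated. */
int old_id_ok(int id)
{
    return !(id < 0 || id > channels_alloc);
}

/* Patched test: only 0 .. channels_alloc-1 index a slot that exists. */
int new_id_ok(int id)
{
    return !(id < 0 || id >= channels_alloc);
}

/* Lookup as the patched code does it: reject ids outside the table, then
 * reject slots that exist but currently hold no channel. */
Channel *channel_lookup(int id)
{
    Channel *c;

    if (!new_id_ok(id)) {
        fprintf(stderr, "channel_lookup: %d: bad id\n", id);
        return NULL;
    }
    if ((c = channels[id]) == NULL) {
        fprintf(stderr, "channel_lookup: %d: bad id: channel free\n", id);
        return NULL;
    }
    return c;
}

/* Allocate a table of n slots and open a channel in the first `used` of them
 * (constructed test data).  Returns the table size. */
int channels_setup(int n, int used)
{
    channels = calloc(n, sizeof(Channel *));
    if (channels == NULL)
        abort();
    channels_alloc = n;
    for (int i = 0; i < used; i++) {
        channels[i] = calloc(1, sizeof(Channel));
        if (channels[i] == NULL)
            abort();
        channels[i]->self = i;
        channels[i]->remote_id = 100 + i;
    }
    return channels_alloc;
}

/* Scan the ids around the table and return the one the old check lets through
 * but the new one rejects, or -1 if the two agree everywhere. */
int id_only_old_check_accepts(void)
{
    for (int id = -1; id <= channels_alloc + 1; id++)
        if (old_id_ok(id) && !new_id_ok(id))
            return id;
    return -1;
}

int main(void)
{
    channels_setup(4, 2);           /* slots 0..3, channels open in 0 and 1 */
    printf("old check wrongly accepts id %d; channel_lookup(4) -> %p\n",
           id_only_old_check_accepts(), (void *)channel_lookup(4));
    return 0;
}
```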
From: sb at plzk.de (Stefan Bauer)
Date: Tue, 30 Dec 2014 22:05:00 +0100
Subject: CVE-2002-0083 - what's the problem? beginners question
In-Reply-To: <54A2EDE8.4030109@fifthhorseman.net>
References: <54A2EDE8.4030109@fifthhorseman.net>
Message-ID: <1419973500.1782.1.camel@plzk.de>

On Tue, 2014-12-30 at 13:24 -0500, Daniel Kahn Gillmor wrote:
> This means that if you have 4 channels allocated, they are numbers 0, 1,
> 2, and 3, but there is no "channel 4".
>
> The patch above ensures that someone calling channel_lookup(4) when 4
> channels are allocated will get the appropriate response (an error
> response), instead of trying trying to return information about a
> channel that doesn't exist.

Thank you! Now all is clear to me.

Stefan