From whn at lopi.com Sun Feb 1 23:52:26 2015
From: whn at lopi.com (Bill Nugent)
Date: Sun, 01 Feb 2015 07:52:26 -0500
Subject: Filtering which identities are forwarded by ssh-agent to a given host
Message-ID: <38456115.BgVG85xq9M@psycho-grande>

Howdy,

I'm looking for a way to restrict which ssh keys are forwarded to a given remote host because we have several ssh domains. That is, I have two keys which I use throughout the day:

    .ssh/network-a-2014-10-12
    .ssh/network-b-2014-11-22

I need to forward my network A key to the ssh gateway host for Network A to allow me to log into hosts on the other side of the gateway, but I can't have the key for Network B be forwarded. Similar thing for Network B. Deleting and adding is painful at best. I've experimented with IdentitiesOnly=yes and IdentityFiles, but on the network A gateway I still see all of my loaded keys, including Network B. Is there a way to do this already? If not, would a Bugzilla enhancement request be welcome? Perhaps requesting something along the lines of:

    Host network-a-gateway.example.com
        ForwardIdentity .ssh/network-a-2014-10-12

and allow additional ForwardIdentity lines to allow additional keys.

Thank you,
Bill

From alon.barlev at gmail.com Mon Feb 2 00:05:07 2015
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Sun, 1 Feb 2015 15:05:07 +0200
Subject: Filtering which identities are forwarded by ssh-agent to a given host
In-Reply-To: <38456115.BgVG85xq9M@psycho-grande>
References: <38456115.BgVG85xq9M@psycho-grande>
Message-ID:

On Sun, Feb 1, 2015 at 2:52 PM, Bill Nugent wrote:
>
> Howdy,
>
> I'm looking for a way to restrict which ssh keys are forwarded to a
> given remote host because we have several ssh domains. That is, I have
> two keys which I use throughout the day:
> .ssh/network-a-2014-10-12
> .ssh/network-b-2014-11-22

I think best is to run two agents, load the keys of each network into each agent, and use ssh in that context.

>
> I need to forward my network A key to the ssh gateway host for Network A
> to allow me to log into hosts on the other side of the gateway but I
> can't have the key for Network B to be forwarded. Similar thing for
> Network B. Deleting and adding is painful at best. I've experimented
> with IdentitiesOnly=yes and IdentityFiles but on the network A gateway I
> still see all of my loaded keys including Network B. Is there a way to
> do this already? If not, would a Bugzilla enhancement request be
> welcome? Perhaps requesting something along the lines of:
>
> Host network-a-gateway.example.com
> ForwardIdentity .ssh/network-a-2014-10-12
> and allow additional ForwardIdentity to allow additional keys.

Maybe a simpler and more secure alternative would be having AgentEnvironmentKey or something similar to enable ssh to use multiple agents based on the Host's ssh_config, so you actually refer to an agent and not to specific keys that are shared within a single agent.

>
> Thank you,
> Bill
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From keisial at gmail.com Mon Feb 2 06:15:01 2015
From: keisial at gmail.com (Ángel González)
Date: Sun, 01 Feb 2015 20:15:01 +0100
Subject: Filtering which identities are forwarded by ssh-agent to a given host
In-Reply-To: <38456115.BgVG85xq9M@psycho-grande>
References: <38456115.BgVG85xq9M@psycho-grande>
Message-ID: <54CE7B35.8060805@gmail.com>

On 01/02/15 13:52, Bill Nugent wrote:
> Howdy,
>
> I'm looking for a way to restrict which ssh keys are forwarded to a
> given remote host because we have several ssh domains. That is, I have
> two keys which I use throughout the day:
> .ssh/network-a-2014-10-12
> .ssh/network-b-2014-11-22
>
> I need to forward my network A key to the ssh gateway host for Network A
> to allow me to log into hosts on the other side of the gateway but I
> can't have the key for Network B to be forwarded. Similar thing for
> Network B. Deleting and adding is painful at best. I've experimented
> with IdentitiesOnly=yes and IdentityFiles but on the network A gateway I
> still see all of my loaded keys including Network B. Is there a way to
> do this already? If not, would a Bugzilla enhancement request be
> welcome? Perhaps requesting something along the lines of:

In addition to using two agents, you can stop forwarding your keys to the gateway. Instead, use a ProxyCommand to locally establish the connection to the hosts inside (you will pass through the gateway, but the ssh process is local, and will honor your IdentityFile setting).

The problem was that the IdentityFile was being honored by the ssh at the gateway host; the agent doesn't have that knowledge.

Cheers

From djm at mindrot.org Mon Feb 2 10:18:54 2015
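The ProxyCommand arrangement Ángel describes, written out as an added ssh_config example that is not part of the thread. The gateway name and the key path are the ones from Bill's message; the `*.network-a.example.com` pattern for the hosts behind the gateway is an assumption.

```sshconfig
# Added example, not from the thread. Every ssh process stays on the local
# machine, so IdentityFile/IdentitiesOnly are honoured for both hops and
# nothing has to be forwarded to the gateway.

# First hop: the gateway only ever sees a TCP forward request, not an agent.
Host network-a-gateway.example.com
    IdentityFile ~/.ssh/network-a-2014-10-12
    IdentitiesOnly yes
    ForwardAgent no

# Hosts behind the gateway (pattern assumed): a local ssh tunnels through the
# gateway with -W, and the inner ssh authenticates with the Network A key only.
Host *.network-a.example.com
    ProxyCommand ssh -W %h:%p network-a-gateway.example.com
    IdentityFile ~/.ssh/network-a-2014-10-12
    IdentitiesOnly yes
    ForwardAgent no
```

With this, `ssh host1.network-a.example.com` runs two local ssh processes: the outer one authenticates to the gateway and asks it only for a forward to `%h:%p`, the inner one authenticates to the internal host through that forward, and both honour IdentitiesOnly because key selection happens on your own machine. The gateway can neither enumerate nor use your other keys because it never holds an agent socket. The caveat, which is Ángel's point, is that IdentitiesOnly never restricts a forwarded agent; it only restricts which keys the local ssh offers. Releases from OpenSSH 7.3 on spell the same arrangement as `ProxyJump network-a-gateway.example.com`.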
From: djm at mindrot.org (Damien Miller)
Date: Mon, 2 Feb 2015 10:18:54 +1100 (AEDT)
Subject: Filtering which identities are forwarded by ssh-agent to a given host
In-Reply-To: <38456115.BgVG85xq9M@psycho-grande>
References: <38456115.BgVG85xq9M@psycho-grande>
Message-ID:

On Sun, 1 Feb 2015, Bill Nugent wrote:
> Howdy,
>
> I'm looking for a way to restrict which ssh keys are forwarded to a
> given remote host because we have several ssh domains. That is, I have
> two keys which I use throughout the day:
> .ssh/network-a-2014-10-12
> .ssh/network-b-2014-11-22
>
> I need to forward my network A key to the ssh gateway host for Network A
> to allow me to log into hosts on the other side of the gateway but I
> can't have the key for Network B to be forwarded. Similar thing for
> Network B. Deleting and adding is painful at best. I've experimented
> with IdentitiesOnly=yes and IdentityFiles but on the network A gateway I
> still see all of my loaded keys including Network B. Is there a way to
> do this already? If not, would a Bugzilla enhancement request be
> welcome? Perhaps requesting something along the lines of:
>
> Host network-a-gateway.example.com
> ForwardIdentity .ssh/network-a-2014-10-12
> and allow additional ForwardIdentity to allow additional keys.

It's not possible to do this unfortunately, but it is a feature that I've wanted for a long time. Implementing it requires teaching ssh enough of the agent protocol to filter requests sent through it, and doing it exactly right so that users' agents aren't exposed when they connect to a malicious server - so it's not without risk.

I'd still like to implement it one day, but I'm not likely to get to it any time soon (I can't speak for the other developers).

OTOH you could probably write an "agent proxy" pretty easily that presented its own SSH_AUTH_SOCK to ssh and massaged the requests and replies going through it to the real agent. E.g.

    agentproxy -i ~/.ssh/id_rsa_xyzzy.pub ssh -tt xyzzy-bastion ssh xyzzy

This way you get to write it in the language of your choice :)

The agent protocol is pretty simple and is documented in the PROTOCOL.agent file in the OpenSSH distribution, or at https://anongit.mindrot.org/openssh.git/plain/PROTOCOL.agent

-d

From keisial at gmail.com Mon Feb 2 10:48:30 2015
From: keisial at gmail.com (Ángel González)
Date: Mon, 02 Feb 2015 00:48:30 +0100
Subject: Filtering which identities are forwarded by ssh-agent to a given host
In-Reply-To:
References: <38456115.BgVG85xq9M@psycho-grande>
Message-ID: <54CEBB4E.5000009@gmail.com>

On 02/02/15 00:18, Damien Miller wrote:
> On Sun, 1 Feb 2015, Bill Nugent wrote:
>> Host network-a-gateway.example.com
>> ForwardIdentity .ssh/network-a-2014-10-12
>> and allow additional ForwardIdentity to allow additional keys.
> It's not possible to do this unfortunately, but is a feature that I've
> wanted for a long time. Implementing it required teaching ssh enough
> of the agent protocol to filter requests sent through it, and doing
> it exactly right so that users' agents aren't exposed when they connect
> to a malicious server - so it's not without risk.

IMHO the way to go is not to teach ssh the agent protocol, but to modify the agent protocol so that each request gets the hostname requesting it prepended (forwarded connections would contain the full chain). Then the agent itself would decide which keys to expose to such a host. "foo is available for any host", "Provide network-a-key only to ssh.network-a.com and anything that passed through ssh.network-a.com.", "Key bar is shown to all hosts but a confirmation dialog will be shown to the user pointing at the host requesting it.", and so on.

Regards

From djm at mindrot.org Mon Feb 2 13:53:44 2015
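An added example of the "agent proxy" Damien Miller sketches above (an illustration written for this page; it is neither OpenSSH code nor the `agentproxy` tool named on his command line). It speaks the PROTOCOL.agent framing directly: the proxy listens on its own Unix socket, relays to the real agent found in SSH_AUTH_SOCK, rewrites SSH2_AGENT_IDENTITIES_ANSWER so that only allow-listed keys are listed, answers SSH2_AGENTC_SIGN_REQUEST for any other key with SSH_AGENT_FAILURE, and refuses every other message type outright. The message numbers are the ones from PROTOCOL.agent; the socket path and the `.pub` file arguments are assumptions of the example.

```python
#!/usr/bin/env python3
# Filtering ssh-agent proxy: added illustration, not OpenSSH code.
# ssh is pointed at this proxy's socket via SSH_AUTH_SOCK; the proxy relays to
# the real agent but lists and signs with allow-listed keys only and refuses
# every other request type (add/remove/lock/unlock/extensions), so an sshd that
# receives the forwarded socket can reach nothing else. Wire format as in
# PROTOCOL.agent: uint32 length + body, body[0] is the type, strings are
# uint32 length + bytes, all integers big-endian.
import base64
import os
import socket
import struct
import sys

SSH_AGENT_FAILURE = 5
SSH2_AGENTC_REQUEST_IDENTITIES = 11
SSH2_AGENT_IDENTITIES_ANSWER = 12
SSH2_AGENTC_SIGN_REQUEST = 13
MAX_MESSAGE = 256 * 1024  # sanity bound on a single agent message


def put_string(b):
    return struct.pack(">I", len(b)) + b


def get_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n


def load_allowed_blobs(pubkey_paths):
    """Decode the key blobs of OpenSSH .pub files into the allow-list."""
    allowed = set()
    for path in pubkey_paths:
        with open(path, "rb") as f:
            for line in f:
                parts = line.split()
                if len(parts) >= 2 and not parts[0].startswith(b"#"):
                    allowed.add(base64.b64decode(parts[1]))
    return allowed


def encode_identities_answer(pairs):
    """(key_blob, comment) pairs -> body of an SSH2_AGENT_IDENTITIES_ANSWER."""
    body = bytes([SSH2_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(pairs))
    return body + b"".join(put_string(k) + put_string(c) for k, c in pairs)


def filter_identities_answer(msg, allowed):
    """Drop every identity that is not allow-listed from the agent's answer."""
    if not msg or msg[0] != SSH2_AGENT_IDENTITIES_ANSWER:
        return msg
    (nkeys,) = struct.unpack(">I", msg[1:5])
    off, kept = 5, []
    for _ in range(nkeys):
        blob, off = get_string(msg, off)
        comment, off = get_string(msg, off)
        if blob in allowed:
            kept.append((blob, comment))
    return encode_identities_answer(kept)


def request_allowed(msg, allowed):
    """Only identity listing and signing with an allow-listed key may pass."""
    if msg and msg[0] == SSH2_AGENTC_REQUEST_IDENTITIES:
        return True
    if msg and msg[0] == SSH2_AGENTC_SIGN_REQUEST:
        try:
            return get_string(msg, 1)[0] in allowed
        except (ValueError, struct.error):
            return False  # malformed request from the untrusted client side
    return False  # add/remove/lock/unlock/extension requests never cross


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def read_message(sock):
    hdr = recv_exact(sock, 4)
    n = struct.unpack(">I", hdr)[0] if hdr else MAX_MESSAGE + 1
    return recv_exact(sock, n) if n <= MAX_MESSAGE else None


def write_message(sock, body):
    sock.sendall(struct.pack(">I", len(body)) + body)


def serve(listen_path, real_agent_path, allowed):
    """Accept ssh clients one at a time and relay filtered agent traffic."""
    os.umask(0o077)  # the proxy socket is as sensitive as the agent's own
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(listen_path)
    srv.listen(8)
    while True:
        cli, _ = srv.accept()
        agent = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        agent.connect(real_agent_path)
        with cli, agent:
            while (req := read_message(cli)) is not None:
                if not request_allowed(req, allowed):
                    write_message(cli, bytes([SSH_AGENT_FAILURE]))
                    continue
                write_message(agent, req)
                if (resp := read_message(agent)) is None:
                    break
                write_message(cli, filter_identities_answer(resp, allowed))


if __name__ == "__main__":
    serve(sys.argv[1], os.environ["SSH_AUTH_SOCK"], load_allowed_blobs(sys.argv[2:]))
```

Run it as `agentproxy.py /tmp/proxy.sock ~/.ssh/network-a-2014-10-12.pub` (the real agent is taken from SSH_AUTH_SOCK), then `SSH_AUTH_SOCK=/tmp/proxy.sock ssh -A network-a-gateway.example.com`; the agent socket the gateway sees now lists and signs with the Network A key only. Clients are served one at a time, which is enough for a single forwarded session, but a real tool would fork or thread per connection. Damien's warning applies unchanged: whatever the proxy does let through, a malicious server can use for as long as the connection is up, so the filter limits which keys are exposed, not whether they are.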
From: djm at mindrot.org (Damien Miller)
Date: Mon, 2 Feb 2015 13:53:44 +1100 (AEDT)
Subject: Filtering which identities are forwarded by ssh-agent to a given host
In-Reply-To: <54CEBB4E.5000009@gmail.com>
References: <38456115.BgVG85xq9M@psycho-grande> <54CEBB4E.5000009@gmail.com>
Message-ID:

On Mon, 2 Feb 2015, Ángel González wrote:
> IMHO the way to go is not teach ssh the agent protocol, but modify the agent
> protocol so that each request gets prepended the hostname requesting it
> (forwarded connections would contain the full chain)

Then you have to modify all of ssh, sshd and ssh-agent, and it doesn't work until they are all upgraded.

Moreover, unless you include signing (by the hostkey) for forwarded hops and verification of same at the agent side, then you can't trust anything past the first hop. That doesn't seem any easier to deploy or to get right (the hostkey signing would be particularly scary).

-d

From de.techno at gmail.com Tue Feb 3 01:58:00 2015
From: de.techno at gmail.com (dE)
Date: Mon, 02 Feb 2015 20:28:00 +0530
Subject: Fwd: sftp buggy put command
In-Reply-To: <54CC8632.1010602@gmail.com>
References: <54CC8632.1010602@gmail.com>
Message-ID: <54CF9078.4000007@gmail.com>

Hi!

I was trying out the put command with version 6.7_p1 of OpenSSH.

If I use recursive copying, sftp expects the last directory to exist in the destination (on the server), otherwise "Couldn't canonicalize: No such file or directory".

I would've taken this to be the expected behavior, but the get command does not have this problem. It makes the destination directory in the client like cp does.

So kindly take a look at this.

From kinnalru at gmail.com Tue Feb 3 04:22:10 2015
From: kinnalru at gmail.com (Yuri Samoilenko)
Date: Mon, 2 Feb 2015 21:22:10 +0400
Subject: pkcs11 C_Login improvements
Message-ID:

Hello.

I'm using openssh with a custom pkcs11 library and I have reached a little issue in result code handling. The C_Login function from the pkcs11 specification can return the CKR_USER_ALREADY_LOGGED_IN code, which is not an error, but openssh expects only CKR_OK. There is a patch to fix this.

diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index c49cbf4..1b236a6 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -263,8 +263,9 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, pin = read_passphrase(prompt, RP_ALLOW_EOF); if (pin == NULL) return (-1); /* bail out */ - if ((rv = f->C_Login(si->session, CKU_USER, - (u_char *)pin, strlen(pin))) != CKR_OK) { + rv = f->C_Login(si->session, CKU_USER, + (u_char *)pin, strlen(pin)); + if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { free(pin); error("C_Login failed: %lu", rv); return (-1);

From imorgan at nas.nasa.gov Tue Feb 3 08:13:33 2015
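Review bot: the `!= CKR_OK` test this hunk relaxes in pkcs11_rsa_private_encrypt is not the only C_Login call site; pkcs11_open_session has the same test in its `login_required && pin` branch and, as posted, still treats CKR_USER_ALREADY_LOGGED_IN as a failure there (error() followed by C_CloseSession), so the same `rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN` condition is needed in both places for an already-logged-in token to work at all.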
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Mon, 2 Feb 2015 13:13:33 -0800
Subject: Fwd: sftp buggy put command
In-Reply-To: <54CF9078.4000007@gmail.com>
References: <54CC8632.1010602@gmail.com> <54CF9078.4000007@gmail.com>
Message-ID: <20150202211333.GA6608@linux124.nas.nasa.gov>

On Mon, Feb 02, 2015 at 20:28:00 +0530, dE wrote:
> Hi!
>
> I was trying out the put command with version 6.7_p1 of OpenSSH.
>
> If I use recursive copying, sftp expects the last directory to
> exist in the destination (on the server), otherwise "Couldn't
> canonicalize: No such file or directory".
>
> I would've taken this to be the expected behavior, but the get command does
> not have this problem. It makes the destination directory in the client
> like cp does.
>
> So kindly take a look at this.

This has already been noted as a bug[1][2], but hasn't been addressed yet. I filed the original bug, but had other priorities, and then forgot about the issue. I'll take another look at this when I get some time.

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2150
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=2230

-- 
Iain Morgan

From djm at mindrot.org Tue Feb 3 09:31:25 2015
From: djm at mindrot.org (Damien Miller)
Date: Tue, 3 Feb 2015 09:31:25 +1100 (AEDT)
Subject: pkcs11 C_Login improvements
In-Reply-To:
References:
Message-ID:

On Mon, 2 Feb 2015, Yuri Samoilenko wrote:
> Hello.
> I'm using openssh with a custom pkcs11 library and I have reached a little
> issue in result code handling. The C_Login function from the pkcs11 specification
> can return the CKR_USER_ALREADY_LOGGED_IN code, which is not an error, but
> openssh expects only CKR_OK. There is a patch to fix this.

Thanks, that looks reasonable. There's actually one more place where this could conceivably happen:
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index 1d8135d..4ee948f 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -254,8 +254,9 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, pin = read_passphrase(prompt, RP_ALLOW_EOF); if (pin == NULL) return (-1); /* bail out */ - if ((rv = f->C_Login(si->session, CKU_USER, - (u_char *)pin, strlen(pin))) != CKR_OK) { + rv = f->C_Login(si->session, CKU_USER, + (u_char *)pin, strlen(pin)); + if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { free(pin); error("C_Login failed: %lu", rv); return (-1); @@ -357,8 +358,9 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin) return (-1); } if (login_required && pin) { - if ((rv = f->C_Login(session, CKU_USER, - (u_char *)pin, strlen(pin))) != CKR_OK) { + rv = f->C_Login(session, CKU_USER, + (u_char *)pin, strlen(pin)) + if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { error("C_Login failed: %lu", rv); if ((rv = f->C_CloseSession(session)) != CKR_OK) error("C_CloseSession failed: %lu", rv); From keisial at gmail.com Wed Feb 4 09:27:28 2015 
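Review bot: the second hunk (pkcs11_open_session, `@@ -357,8 +358,9 @@`) drops the terminating semicolon: `rv = f->C_Login(session, CKU_USER,` / `(u_char *)pin, strlen(pin))` is followed directly by `if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {`, so the file no longer compiles; the line should read `(u_char *)pin, strlen(pin));`. The first hunk (pkcs11_rsa_private_encrypt) has the semicolon and is the same change Yuri posted.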
From: keisial at gmail.com (Ángel González)
Date: Tue, 03 Feb 2015 23:27:28 +0100
Subject: Filtering which identities are forwarded by ssh-agent to a given host
In-Reply-To:
References: <38456115.BgVG85xq9M@psycho-grande> <54CEBB4E.5000009@gmail.com>
Message-ID: <54D14B50.20006@gmail.com>

On 02/02/15 03:53, Damien Miller wrote:
> On Mon, 2 Feb 2015, Ángel González wrote:
>
>> IMHO the way to go is not teach ssh the agent protocol, but modify the agent
>> protocol so that each request gets prepended the hostname requesting it
>> (forwarded connections would contain the full chain)
> Then you have to modify all of ssh, sshd and ssh-agent and doesn't
> work until they are all upgraded.

Only ssh-agent and ssh (and the change to the former could be trivial).

> Moreover, unless you include signing (by the hostkey) for forwarded hops
> and verification of same at the agent side, then you can't trust anything
> past the first hop.

I wasn't attempting to go that far. Just accountability, similar to how Received: headers work in SMTP. And yes, you can't trust anything past the first evil hop. Still, I see many benefits compared to the current all-or-nothing agent trust.

(Of course, to be really sure that nobody intercepts the agent request, you MUST perform the ssh connection locally, with a ProxyCommand. Full stop.)

From brian.carpenter at gmail.com Wed Feb 4 12:26:58 2015
From: brian.carpenter at gmail.com (Brian Carpenter)
Date: Tue, 3 Feb 2015 19:26:58 -0600
Subject: ssh-pkcs11.c patch
Message-ID:

Hi,

I just cloned the git repo and found a missing ; in ssh-pkcs11.c which was inhibiting the compilation process. Looks like it was introduced with https://anongit.mindrot.org/openssh.git/patch/?id=cb3bde373e80902c7d5d0db429f85068d19b2918 and the patch I'm attaching brings back the missing ; and I'm once again able to compile openssh.

--- ../ssh-pkcs11.c 2015-02-03 19:20:22.445706257 -0600 +++ ssh-pkcs11.c 2015-02-03 19:04:31.861698263 -0600
@@ -368,7 +368,7 @@ } if (login_required && pin) { rv = f->C_Login(session, CKU_USER, - (u_char *)pin, strlen(pin)) + (u_char *)pin, strlen(pin)); if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { error("C_Login failed: %lu", rv); if ((rv = f->C_CloseSession(session)) != CKR_OK) error("C_CloseSession failed: %lu", rv);

Regards,
Brian 'geeknik' Carpenter

From de.techno at gmail.com Thu Feb 5 13:38:47 2015
From: de.techno at gmail.com (dE)
Date: Thu, 05 Feb 2015 08:08:47 +0530
Subject: Fwd: sftp buggy put command
In-Reply-To: <20150202211333.GA6608@linux124.nas.nasa.gov>
References: <54CC8632.1010602@gmail.com> <54CF9078.4000007@gmail.com> <20150202211333.GA6608@linux124.nas.nasa.gov>
Message-ID: <54D2D7B7.50909@gmail.com>

On 02/03/15 02:43, Iain Morgan wrote:
> On Mon, Feb 02, 2015 at 20:28:00 +0530, dE wrote:
>> Hi!
>>
>> I was trying out the put command with version 6.7_p1 of OpenSSH.
>>
>> If I use recursive copying, sftp expects the last directory to
>> exist in the destination (on the server), otherwise "Couldn't
>> canonicalize: No such file or directory".
>>
>> I would've taken this to be the expected behavior, but the get command does
>> not have this problem. It makes the destination directory in the client
>> like cp does.
>>
>> So kindly take a look at this.
>
> This has already been noted as a bug[1][2], but hasn't been addressed
> yet. I filed the original bug, but had other priorities, and then forgot
> about the issue. I'll take another look at this when I get some time.
>
> [1] https://bugzilla.mindrot.org/show_bug.cgi?id=2150
> [2] https://bugzilla.mindrot.org/show_bug.cgi?id=2230
>

Thanks.

From scott_n at xypro.com Sat Feb 7 02:41:00 2015
From: scott_n at xypro.com (Scott Neugroschl)
Date: Fri, 6 Feb 2015 15:41:00 +0000
Subject: Make tests on a cross compile?
Message-ID:

I may have asked this before ... my memory is bad.

Is it possible to run "make tests" on a cross-compile build?

---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 | Simi Valley, CA 93063 | Phone 805 583-2874 | Fax 805 583-0124 |

From cary.fitzhugh at gmail.com Sat Feb 7 04:41:38 2015
From: cary.fitzhugh at gmail.com (Cary FitzHugh)
Date: Fri, 6 Feb 2015 12:41:38 -0500
Subject: Creating users "on - the - fly"
Message-ID:

Hi all.

I have a situation that I wonder someone may have run into - or has a direction I should dig / develop in.

Let's say I have a system with 1M "users". Their public keys are stored in a database, and I can access them via a web call.

I have a few servers which should allow those users access.

Some constraints to make it non-crazy. The users can only reverse tunnel. They need no state / home directories, etc. I've set the command in sshd_config to just echo "Nyet". All they do is try to connect with

    ssh -R *:0:localhost: user at server -N

(while I have you - is there any other way to know what port was allocated, except for parsing stderr?)

Some great help was in this url: http://askubuntu.com/questions/48129/how-to-create-a-restricted-ssh-user-for-port-forwarding (for anyone looking for info about reverse forwarding).

I was planning on just having the AuthorizedKeysCommand take the username, look up the keys from the webservice, and return them. Easy!

The trouble is that the user isn't created on the machine beforehand. But I actually don't want the user created, b/c I don't want to litter all these servers with little user directories. Users may be transient as well - so littering the directories of these machines with tons of data just causes many other problems (running out of inodes, disk-space, etc).

Any ideas?

Thanks!
Cary

From dkg at fifthhorseman.net Sat Feb 7 04:52:46 2015
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 06 Feb 2015 12:52:46 -0500
Subject: Creating users "on - the - fly"
In-Reply-To:
References:
Message-ID: <87386jyljl.fsf@alice.fifthhorseman.net>

On Fri 2015-02-06 12:41:38 -0500, Cary FitzHugh wrote:
> The trouble is that the user isn't created on the machine beforehand.
> But I actually don't want the user created, b/c I don't want to litter
> all these servers with little user directories. Users may be
> transient as well - so littering the directories of these machines
> with tons of data just causes many other problems (running out of
> inodes, disk-space, etc).

If this is your only concern, most systems don't require that a user have a unique home directory at all. You could create a /home/nobody which is unusable by anyone, and populate the system's user table with users (maybe via some sensible nameservice switch module) pointing at that directory as their homedir.

In other words, I don't think this is an ssh problem; it can be solved directly in other parts of your OS.

--dkg

From cary.fitzhugh at gmail.com Sat Feb 7 05:10:10 2015
From: cary.fitzhugh at gmail.com (Cary FitzHugh)
Date: Fri, 6 Feb 2015 13:10:10 -0500
Subject: Creating users "on - the - fly"
In-Reply-To: <87386jyljl.fsf@alice.fifthhorseman.net>
References: <87386jyljl.fsf@alice.fifthhorseman.net>
Message-ID:

I guess I didn't want to litter the users table either - it just seems "wrong" to be actually adding things to the host when it is really so transient. It feels like it should be LDAP-ish. Just ask the server for the keys and do a one-off authentication. But I've seen even LDAP creates the user directories.

I see that 2.6 kernels can have some 4B users, which should last me a while. But it is a bit more work and plumbing to try to keep things in sync.

I'm a bit / very idealistic though - so I guess I'll keep rooting around. I'm ok writing a PAM module if that's what I needed. But I have a feeling there's a good bit more to it. And without someone who "knows" - that can be a very long rabbit trail :)

Hrm....

On Fri, Feb 6, 2015 at 12:52 PM, Daniel Kahn Gillmor wrote:
> On Fri 2015-02-06 12:41:38 -0500, Cary FitzHugh wrote:
>> The trouble is that the user isn't created on the machine beforehand.
>> But I actually don't want the user created, b/c I don't want to litter
>> all these servers with little user directories. Users may be
>> transient as well - so littering the directories of these machines
>> with tons of data just causes many other problems (running out of
>> inodes, disk-space, etc).
>
> If this is your only concern, most systems don't require that a user
> have a unique home directory at all. You could create a /home/nobody
> which is unusable by anyone, and populate the system's user table with
> users (maybe via some sensible nameservice switch module) pointing at
> that directory as their homedir.
>
> In other words, I don't think this is an ssh problem; it can be solved
> directly in other parts of your OS.
>
> --dkg

From david-bronder at uiowa.edu Sat Feb 7 05:21:42 2015
From: david-bronder at uiowa.edu (David Bronder)
Date: Fri, 6 Feb 2015 12:21:42 -0600
Subject: [openssh-unix-dev] Re: Creating users "on - the - fly"
In-Reply-To:
References: <87386jyljl.fsf@alice.fifthhorseman.net>
Message-ID: <54D50636.9020008@uiowa.edu>

What about doing something like what is popular on some git services, where instead of having actual accounts for each user, all the users log in with a single account but different keys? You then govern their access/behavior based on which key is used to authenticate.

=Dave

On 02/06/2015 12:10 PM, Cary FitzHugh wrote:
> I guess I didn't want to litter the users table either - it just seems
> "wrong" to be actually adding things to the host when it is really so
> transient. It feels like it should be LDAP-ish. Just ask the server
> for the keys and do a one-off authentication. But I've seen even LDAP
> creates the user directories.
>
> I see that 2.6 kernels can have some 4B users, which should last me a
> while. But it is a bit more work and plumbing to try to keep things
> in sync.
>
> I'm a bit / very idealistic though - so I guess I'll keep rooting
> around. I'm ok writing a PAM module if that's what I needed. But I
> have a feeling there's a good bit more to it. And without someone who
> "knows" - that can be a very long rabbit trail :)
>
> Hrm....
>
>
>
> On Fri, Feb 6, 2015 at 12:52 PM, Daniel Kahn Gillmor
> wrote:
>> On Fri 2015-02-06 12:41:38 -0500, Cary FitzHugh wrote:
>>> The trouble is that the user isn't created on the machine beforehand.
>>> But I actually don't want the user created, b/c I don't want to litter
>>> all these servers with little user directories. Users may be
>>> transient as well - so littering the directories of these machines
>>> with tons of data just causes many other problems (running out of
>>> inodes, disk-space, etc).
>>
>> If this is your only concern, most systems don't require that a user
>> have a unique home directory at all. You could create a /home/nobody
>> which is unusable by anyone, and populate the system's user table with
>> users (maybe via some sensible nameservice switch module) pointing at
>> that directory as their homedir.
>>
>> In other words, I don't think this is an ssh problem; it can be solved
>> directly in other parts of your OS.
>>
>> --dkg
>

-- 
Hello World.                                David Bronder - Systems Architect
Segmentation Fault                                      ITS-EI, Univ. of Iowa
Core dumped, disk trashed, quota filled, soda warm.   david-bronder at uiowa.edu

From cary.fitzhugh at gmail.com Sat Feb 7 05:38:29 2015
From: cary.fitzhugh at gmail.com (Cary FitzHugh)
Date: Fri, 6 Feb 2015 13:38:29 -0500
Subject: [openssh-unix-dev] Re: Creating users "on - the - fly"
In-Reply-To: <54D50636.9020008@uiowa.edu>
References: <87386jyljl.fsf@alice.fifthhorseman.net> <54D50636.9020008@uiowa.edu>
Message-ID:

This is a good suggestion - and maybe I'm not totally clear on the restrictions...

So - in these situations gitolite will actually append things to your authorized_keys file. Which can get very long. And after a while - it gets *very* long. I think I saw comments that it should be limited to about 20k or so. And around 20k the look up times are in the seconds. So that wouldn't be enough for me.

I have another service in my system which uses gitolite, and it works fine - but it doesn't seem to be able to authenticate a ginormous number of users.

So - I figured that I could use the ssh-keys command to request only a subset of keys (from a service or something) and that would enable ssh to auth much faster. However - as I got into that - I realized that I have no way to "find" just the keys for a single user. Since the only argument to that ssh keys command is the username. It's not HTTP so I couldn't point at a subdomain and use that to look up the information.

Hence my current (potential dead-end) path of trying to let users access via their username, which then lets me look up their authorized_keys. Of course, now I run into the "user doesn't exist" issue.. :(

On Fri, Feb 6, 2015 at 1:21 PM, David Bronder wrote:
> What about doing something like what is popular on some git services, where
> instead of having actual accounts for each user, all the users log in with a
> single account but different keys? You then govern their access/behavior
> based on which key is used to authenticate.
>
> =Dave
>
>
> On 02/06/2015 12:10 PM, Cary FitzHugh wrote:
>> I guess I didn't want to litter the users table either - it just seems
>> "wrong" to be actually adding things to the host when it is really so
>> transient. It feels like it should be LDAP-ish. Just ask the server
>> for the keys and do a one-off authentication. But I've seen even LDAP
>> creates the user directories.
>>
>> I see that 2.6 kernels can have some 4B users, which should last me a
>> while. But it is a bit more work and plumbing to try to keep things
>> in sync.
>>
>> I'm a bit / very idealistic though - so I guess I'll keep rooting
>> around. I'm ok writing a PAM module if that's what I needed. But I
>> have a feeling there's a good bit more to it. And without someone who
>> "knows" - that can be a very long rabbit trail :)
>>
>> Hrm....
>>
>>
>>
>> On Fri, Feb 6, 2015 at 12:52 PM, Daniel Kahn Gillmor
>> wrote:
>>> On Fri 2015-02-06 12:41:38 -0500, Cary FitzHugh wrote:
>>>> The trouble is that the user isn't created on the machine beforehand.
>>>> But I actually don't want the user created, b/c I don't want to litter
>>>> all these servers with little user directories. Users may be
>>>> transient as well - so littering the directories of these machines
>>>> with tons of data just causes many other problems (running out of
>>>> inodes, disk-space, etc).
>>>
>>> If this is your only concern, most systems don't require that a user
>>> have a unique home directory at all. You could create a /home/nobody
>>> which is unusable by anyone, and populate the system's user table with
>>> users (maybe via some sensible nameservice switch module) pointing at
>>> that directory as their homedir.
>>>
>>> In other words, I don't think this is an ssh problem; it can be solved
>>> directly in other parts of your OS.
>>>
>>> --dkg
>>
>
> --
> Hello World.                                David Bronder - Systems Architect
> Segmentation Fault                                      ITS-EI, Univ. of Iowa
> Core dumped, disk trashed, quota filled, soda warm.   david-bronder at uiowa.edu

From dkg at fifthhorseman.net Sat Feb 7 05:47:48 2015
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 06 Feb 2015 13:47:48 -0500
Subject: Creating users "on - the - fly"
In-Reply-To:
References: <87386jyljl.fsf@alice.fifthhorseman.net>
Message-ID: <87vbjeyizv.fsf@alice.fifthhorseman.net>

On Fri 2015-02-06 13:10:10 -0500, Cary FitzHugh wrote:
> I guess I didn't want to litter the users table either - it just seems
> "wrong" to be actually adding things to the host when it is really so
> transient. It feels like it should be LDAP-ish. Just ask the server
> for the keys and do a one-off authentication. But I've seen even LDAP
> creates the user directories.

You can use libnss-ldap to have a dynamic user table pulled from LDAP, if that's what you want. You don't need to touch any local file on the host if you just want to look up your users over the network.

Or you can write your own name service switch extension that does the same. For GNU systems, see:

https://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html

--dkg

From dkg at fifthhorseman.net Sat Feb 7 06:01:16 2015
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 06 Feb 2015 14:01:16 -0500
Subject: [openssh-unix-dev] Re: Creating users "on - the - fly"
In-Reply-To:
References: <87386jyljl.fsf@alice.fifthhorseman.net> <54D50636.9020008@uiowa.edu>
Message-ID: <87oap6yidf.fsf@alice.fifthhorseman.net>

On Fri 2015-02-06 13:38:29 -0500, Cary FitzHugh wrote:
> However - as I got into that - I realized that I have no way to "find"
> just the keys for a single user. Since the only argument to that ssh
> keys command, is the username. It's not HTTP so I couldn't point at a
> subdomain and use that to look up the information.

You may be interested in the bug report "extend the parameters to the AuthorizedKeysCommand":

https://bugzilla.mindrot.org/show_bug.cgi?id=2081

hth,

--dkg

From scott_n at xypro.com Sat Feb 7 05:57:13 2015
From: scott_n at xypro.com (Scott Neugroschl) Date: Fri, 6 Feb 2015 18:57:13 +0000 Subject: Creating users "on - the - fly" In-Reply-To: <87vbjeyizv.fsf@alice.fifthhorseman.net> References: <87386jyljl.fsf@alice.fifthhorseman.net> <87vbjeyizv.fsf@alice.fifthhorseman.net> Message-ID: Just jumping in, from following the discussion... So store the public key as an attribute in the LDAP database? -----Original Message----- From: openssh-unix-dev [mailto:openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org] On Behalf Of Daniel Kahn Gillmor Sent: Friday, February 06, 2015 10:48 AM To: Cary FitzHugh Cc: openssh-unix-dev at mindrot.org Subject: Re: Creating users "on - the - fly" On Fri 2015-02-06 13:10:10 -0500, Cary FitzHugh wrote: > I guess I didn't want to litter the users table either - it just seems > "wrong" to be actually adding things to the host when it is really so > transient. It feels like it should be LDAP-ish. Just ask the server > for the keys and do a one-off authentication. But I've seen even LDAP > creates the user directories. you can use libnss-ldap to have a dynamic user table pulled from LDAP, if that's what you want. You don't need to touch any local file on the host if you just want to look up your users over the network. Or you can write your own name service switch extension that does the same. for GNU systems, see: https://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html --dkg _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev at mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev From cary.fitzhugh at gmail.com Sat Feb 7 06:30:13 2015 
From: cary.fitzhugh at gmail.com (Cary FitzHugh)
Date: Fri, 6 Feb 2015 14:30:13 -0500
Subject: [openssh-unix-dev] Re: Creating users "on - the - fly"
References: <87386jyljl.fsf@alice.fifthhorseman.net> <54D50636.9020008@uiowa.edu> <87oap6yidf.fsf@alice.fifthhorseman.net>

Thanks for the tip on name service switch extensions -- I shall look..
Maybe adding something that lets you query the users there is all I
need... we'll see.

The AuthorizedKeysCommand could be a script - and figures out
everything - the ssh connection doesn't get that far when the user
doesn't exist on the system yet :(

Hence - maybe a NSS User Database extension which looks for the
public keys from a webservice (and then maybe writes them to /tmp/).

The AuthorizedKeysCommand could then just return the /tmp/username information..

Hoping the NSS shows some promise.. Wow, thanks for all the help!

On Fri, Feb 6, 2015 at 2:26 PM, Scott Neugroschl wrote:
>>> However - as I got into that - I realized that I have no way to "find"
>>> just the keys for a single user. Since the only argument to that ssh
>>> keys command, is the username. It's not HTTP so I couldn't point at a
>>> subdomain and use that to look up the information.
>
>> You may be interested in the bug report "extend the parameters to the
>> AuthorizedKeysCommand":
>
>> https://bugzilla.mindrot.org/show_bug.cgi?id=2081
>
> Why not have the Authorized Keys Command be a script that figures out
> the domain from the username?
From: scott_n at xypro.com (Scott Neugroschl)
Date: Fri, 6 Feb 2015 19:26:49 +0000
Subject: [openssh-unix-dev] Re: Creating users "on - the - fly"
In-Reply-To: <87oap6yidf.fsf@alice.fifthhorseman.net>
References: <87386jyljl.fsf@alice.fifthhorseman.net> <54D50636.9020008@uiowa.edu> <87oap6yidf.fsf@alice.fifthhorseman.net>

>> However - as I got into that - I realized that I have no way to "find"
>> just the keys for a single user. Since the only argument to that ssh
>> keys command, is the username. It's not HTTP so I couldn't point at a
>> subdomain and use that to look up the information.

> You may be interested in the bug report "extend the parameters to the
> AuthorizedKeysCommand":
> https://bugzilla.mindrot.org/show_bug.cgi?id=2081

Why not have the Authorized Keys Command be a script that figures out the
domain from the username?

From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 06 Feb 2015 15:02:58 -0500
Subject: [openssh-unix-dev] Re: Creating users "on - the - fly"
References: <87386jyljl.fsf@alice.fifthhorseman.net> <54D50636.9020008@uiowa.edu> <87oap6yidf.fsf@alice.fifthhorseman.net>
Message-ID: <87bnl6yfil.fsf@alice.fifthhorseman.net>

On Fri 2015-02-06 14:30:13 -0500, Cary FitzHugh wrote:
> Hence - maybe a NSS User Database extension which looks for the
> public keys from a webservice (and then maybe writes them to
> /tmp/).

No, i'm suggesting that when you want to look up the user, use NSS to
find the username and map it to a numeric user ID and the other
information that is typically found in /etc/passwd. this doesn't write
anything to the local disk.

> The AuthorizedKeysCommand could then just return the /tmp/username information..

Then the AuthorizedKeysCommand can return the proper key material.

--dkg
From: cary.fitzhugh at gmail.com (Cary FitzHugh)
Date: Fri, 6 Feb 2015 14:58:59 -0500
Subject: [openssh-unix-dev] Re: Creating users "on - the - fly"
References: <87386jyljl.fsf@alice.fifthhorseman.net> <54D50636.9020008@uiowa.edu> <87oap6yidf.fsf@alice.fifthhorseman.net>

Someone wrote this for NSS - https://github.com/donapieppo/libnss-ato

And this seems to be doing sort of what I'm hoping to do, just doing it
with hosts, not User database stuff.
https://github.com/troxor/libnss_consul

So - maybe a combination of these two things will work!

Thanks again. we'll see how it goes :)

Cary
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 07 Feb 2015 21:06:44 +0100
Subject: Filtering which identities are forwarded by ssh-agent to a given host
References: <38456115.BgVG85xq9M@psycho-grande> <54CEBB4E.5000009@gmail.com>
Message-ID: <54D67054.40108@stroeder.com>

Damien Miller wrote:
> On Mon, 2 Feb 2015, Ángel González wrote:
>
>> IMHO the way to go is not teach ssh the agent protocol, but modify the agent
>> protocol so that each request gets prepended the hostname requesting it
>> (forwarded connections would contain the full chain)
>
> Then you have to modify all of ssh, sshd and ssh-agent and doesn't
> work until they are all upgraded.

Disclaimer: I don't consider myself to be an expert in this field.

I'm using ssh-add -c to be asked each time the key is requested. At
least it would be helpful if the hostname is displayed for which the key
is requested. Because sometimes things happen concurrently and one
cannot decide anymore for which action the dialogue pops up.

Ciao, Michael.

From: djm at mindrot.org (Damien Miller)
Date: Mon, 9 Feb 2015 09:12:25 +1100 (AEDT)
Subject: Make tests on a cross compile?

On Fri, 6 Feb 2015, Scott Neugroschl wrote:
> I may have asked this before ... my memory is bad.
>
> Is it possible to run "make tests" on a cross-compile build?

Where would you be running the tests? You couldn't run them on the host
compiler. They should work fine if you copy the build directory to the
target platform and run them there.
From: scott_n at xypro.com (Scott Neugroschl)
Date: Mon, 9 Feb 2015 16:31:30 +0000
Subject: Make tests on a cross compile?

Thanks, Damien.
From: meta at pobox.com (mathew)
Date: Mon, 09 Feb 2015 17:09:18 +0000
Subject: Connection stalls at debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

Trying to connect from Fedora 21 to CentOS 6.6, OpenSSH on both ends.
Connection is via a VPN.

Initially the connection seems good, but OpenSSH stalls at
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP.

Software version on servers:
openssh-server-5.3p1-104.el6_6.1.x86_64
openssh-5.3p1-104.el6_6.1.x86_64

Software version on client:
openssh-6.6.1p1-11.1.fc21.x86_64
I also duplicated the problem using a local build of openssh-6.7p1.tar.gz.

Connections to other CentOS 6 servers with identical SSH versions and
configurations are successful. (Configs are managed by Puppet so I'm
confident they really are identical, and I rebooted the server before the
test below.)

Connections to the problem server using Windows PuTTY SSH are successful!
(Using a Windows VM running on the same Fedora 21 client machine, inside
VirtualBox.)

VPN MTU is 1400. Ping check for packet size:

% ping -M do -s 1372 10.77.16.71
PING 10.77.16.71 (10.77.16.71) 1372(1400) bytes of data.
1380 bytes from 10.77.16.71: icmp_seq=1 ttl=61 time=69.4 ms

Server MTU is 1500, and I've confirmed that 1472-byte packets ping
successfully from other servers to the problem server.

Here's a transcript using ssh -vvv and a build of OpenSSH from
openssh-6.7p1 sources:

% ./ssh -vvv docs.rtp.tecnet
OpenSSH_6.7p1, OpenSSL 1.0.1k-fips 8 Jan 2015
debug1: Reading configuration data /home/meta/.ssh/config
/home/meta/.ssh/config line 1: Unsupported option "gssapiauthentication"
debug2: ssh_connect: needpriv 0
debug1: Connecting to docs.rtp.tecnet [10.77.16.71] port 22.
debug1: Connection established.
debug1: identity file /home/meta/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/meta/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/meta/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/meta/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/meta/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/meta/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/meta/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/meta/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "docs.rtp.tecnet" from file "/home/meta/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour
debug2: kex_parse_kexinit: hmac-sha1,hmac-ripemd160
debug2: kex_parse_kexinit: hmac-sha1,hmac-ripemd160
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: setup hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
[hangs]

Here's the config output from building OpenSSH as used above:

OpenSSH has been configured with the following options:
                     User binaries: /usr/local/bin
                   System binaries: /usr/local/sbin
               Configuration files: /usr/local/etc
                   Askpass program: /usr/local/libexec/ssh-askpass
                      Manual pages: /usr/local/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
                    Manpage format: doc
                       PAM support: no
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                 Smartcard support:
                     S/KEY support: no
              MD5 password support: no
                   libedit support: no
  Solaris process contract support: no
           Solaris project support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: seccomp_filter

              Host: x86_64-unknown-linux-gnu
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags:
      Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
         Libraries: -lcrypto -ldl -lutil -lz -lnsl -lcrypt -lresolv

So... Any ideas what I can try next to track down the source of the problem?

mathew
From: cary.fitzhugh at gmail.com (Cary FitzHugh)
Date: Mon, 9 Feb 2015 12:59:41 -0500
Subject: [openssh-unix-dev] Re: Creating users "on - the - fly"
In-Reply-To: <87bnl6yfil.fsf@alice.fifthhorseman.net>
References: <87386jyljl.fsf@alice.fifthhorseman.net> <54D50636.9020008@uiowa.edu> <87oap6yidf.fsf@alice.fifthhorseman.net> <87bnl6yfil.fsf@alice.fifthhorseman.net>

Morning everyone,

I have put into place the libnss extension https://github.com/hivewing/libnss-ato

It seems to always resolve every username to the same uid, with no
password. I've set the shell to /bin/false, and put the home dir to
/dev/null as well.

And it actually seems to work! On a connection request, the
AuthorizedKeysCommand script is called with the right username, letting
me look up the username in my webservice, and return the list of
authorized_keys.

Wonderful.

I spent a good bit of time banging my head on the wall, trying to figure
out why I could only get one connection through the sshd server before it
would crash. It would accept one connection, every other connection
request would be ignored. And once that one connection was closed, sshd
would exit.

I was running it like so:
/usr/sbin/sshd -D -e -d -d -d

And life was sad. very sad.

I now run it just with
/usr/sbin/sshd -D

and it all seems to work.

I'm not sure if anyone cares that it doesn't work with the three '-d's on
there. but if anyone did care, I could try to help them get a
reproducible case.

Thanks to everyone who helped with suggestions!

Cary
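An added example of the lookup-script half of this setup, not code from the thread or from libnss-ato: an AuthorizedKeysCommand that derives the domain from the username as Scott suggested, validates the name strictly (with every login mapped to one uid, the name string is the only identity sshd has), and fails closed. The sshd_config lines in the docstring use real option names; the directory contents, the user@domain convention, the option list and the key lines are constructed placeholders.

```python
#!/usr/bin/env python3
"""Added example, not code from anyone in this thread: the AuthorizedKeysCommand
half of the setup Cary describes, written the way Scott suggested, with the
domain derived from the username.

Assumed sshd_config wiring (the option names and the %u token are real):
    AuthorizedKeysCommand /usr/local/bin/lookup-keys %u
    AuthorizedKeysCommandUser nobody
The in-memory DIRECTORY is a constructed stand-in for the web service, the
user@domain naming convention is an assumption, and the key blobs are
placeholders rather than real public keys.
"""
import re
import sys

# When an NSS module maps every login name to the same uid, the username string
# is the only thing that identifies the person, so it is treated as untrusted
# input and must match a strict shape before any lookup happens (assumed
# convention: lowercase user, '@', dotted lowercase domain).
USERNAME_RE = re.compile(
    r"(?P<user>[a-z][a-z0-9._-]{0,31})@(?P<domain>[a-z0-9-]+(?:\.[a-z0-9-]+)*)"
)

# Constructed directory: domain -> user -> list of public key lines.
DIRECTORY = {
    "network-a.example": {
        "alice": ["ssh-ed25519 AAAA-PLACEHOLDER-A1 alice@laptop"],
        "bob": [
            "ssh-rsa AAAA-PLACEHOLDER-B1 bob@desk",
            "ssh-ed25519 AAAA-PLACEHOLDER-B2 bob@token",
        ],
    },
    "network-b.example": {
        "alice": ["ssh-ed25519 AAAA-PLACEHOLDER-A2 alice@work"],
    },
}

# authorized_keys options prepended to every key: with all users sharing one
# uid, the account should not double as a general-purpose shell host.
KEY_OPTIONS = "no-agent-forwarding,no-port-forwarding,no-X11-forwarding"


def parse_username(name):
    """Return (user, domain) for a well-formed name, None otherwise."""
    m = USERNAME_RE.fullmatch(name)
    if m is None:
        return None
    return m.group("user"), m.group("domain")


def lookup_keys(name, directory=DIRECTORY):
    """Return authorized_keys lines for `name`; an empty list means no access."""
    parsed = parse_username(name)
    if parsed is None:
        return []                      # malformed name: fail closed
    user, domain = parsed
    keys = directory.get(domain, {}).get(user, [])
    return ["%s %s" % (KEY_OPTIONS, key) for key in keys]


def main(argv):
    """CLI entry point: argv[1] is the username sshd substitutes for %u."""
    if len(argv) != 2:
        return 2
    lines = lookup_keys(argv[1])
    if not lines:
        return 1                       # print nothing, exit non-zero: no key for sshd
    sys.stdout.write("\n".join(lines) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```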
From: plautrba at redhat.com (Petr Lautrbach)
Date: Mon, 09 Feb 2015 20:23:26 +0100
Subject: Connection stalls at debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Message-ID: <54D9092E.1060500@redhat.com>

On 02/09/2015 06:09 PM, mathew wrote:
> Trying to connect from Fedora 21 to CentOS 6.6, OpenSSH on both ends.
> Connection is via a VPN.
>
> Initially the connection seems good, but OpenSSH stalls at
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP.
>
> Software version on servers:
> openssh-server-5.3p1-104.el6_6.1.x86_64
> openssh-5.3p1-104.el6_6.1.x86_64
>
> Software version on client:
> openssh-6.6.1p1-11.1.fc21.x86_64
> I also duplicated the problem using a local build of openssh-6.7p1.tar.gz.
>
> Connections to other CentOS 6 servers with identical SSH versions and
> configurations are successful. (Configs are managed by Puppet so I'm
> confident they really are identical, and I rebooted the server before the
> test below.)
>
> Connections to the problem server using Windows PuTTY SSH are successful!
> (Using a Windows VM running on the same Fedora 21 client machine, inside
> VirtualBox.)
>
> VPN MTU is 1400. Ping check for packet size:
> % ping -M do -s 1372 10.77.16.71
> PING 10.77.16.71 (10.77.16.71) 1372(1400) bytes of data.
> 1380 bytes from 10.77.16.71: icmp_seq=1 ttl=61 time=69.4 ms
> Server MTU is 1500, and I've confirmed that 1472-byte packets ping
> successfully from other servers to the problem server.

It seems to be the same problem as described and discussed in this [1]
thread. MTU 1400 is not enough for the packet sent by
openssh-6.6.1p1-11.1.fc21 with default settings. The size of one of the
initial packets could be even 1968. Your VPN probably does the
fragmentation but doesn't do the correct defragmentation. As a
workaround you can set shorter lists of MACs used by your client, eg:

$ ssh -m hmac-sha1 ...

[1] https://lists.mindrot.org/pipermail/openssh-unix-dev/2013-November/031775.html

--
Petr Lautrbach
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 9 Feb 2015 14:28:48 -0500
Subject: Connection stalls at debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
In-Reply-To: <54D9092E.1060500@redhat.com>
References: <54D9092E.1060500@redhat.com>

On Mon, Feb 9, 2015 at 2:23 PM, Petr Lautrbach wrote:
> [...]
> It seems to be the same problem as described and discussed in this [1]
> thread. MTU 1400 is not enough for the packet sent by
> openssh-6.6.1p1-11.1.fc21 with default settings. The size of one of the
> initial packets could be even 1968. Your VPN probably does the
> fragmentation but doesn't do the correct defragmentation. As a
> workaround you can set shorter lists of MACs used by your client, eg:

I wrote an FAQ entry for this a long time ago:
http://www.snailbook.com/faq/mtu-mismatch.auto.html

I'd add "if you run netstat on both ends and see "SendQ" non-zero and not
decreasing then this is likely your problem." I should add this to the
openssh.com faq....

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
From: meta at pobox.com (mathew)
Date: Mon, 09 Feb 2015 21:50:56 +0000
Subject: Connection stalls at debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
References: <54D9092E.1060500@redhat.com>

On Mon Feb 09 2015 at 1:23:37 PM Petr Lautrbach wrote:
> It seems to be the same problem as described and discussed in this
> [1] thread. MTU 1400 is not enough for the packet sent by
> openssh-6.6.1p1-11.1.fc21 with default settings. The size of one
> of the initial packets could be even 1968. Your VPN probably does
> the fragmentation but doesn't do the correct defragmentation.

Connections to other servers across the same VPN, using the same OpenSSH
versions, succeed.

However, I've located a second server on the same subnet that's running
OpenSSH 5.9p1 -- would you expect the same problem with that version?
Seems like everything on that particular subnet/at that particular site
is affected.

> As a workaround you can set shorter lists of MACs used by your client, eg:
>
> $ ssh -m hmac-sha1 ...

I already checked the FAQ and tried that, but it doesn't seem to help.

% ./ssh -vvv -m hmac-sha1 docs.rtp.tecnet
OpenSSH_6.7p1, OpenSSL 1.0.1k-fips 8 Jan 2015
debug1: Reading configuration data /home/meta/.ssh/config
[...]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

On Mon Feb 09 2015 at 1:29:17 PM Darren Tucker wrote:
> I'd add "if you run netstat on both ends and see "SendQ" non-zero and not
> decreasing then this is likely your problem."

With the -m parameter as above, running ss on the client, I see Send-Q go
to 1208 and then sit there until I Ctrl-C out the client, when it increases
by 1. On the server side, I see nothing. Is that plausible, that the client
would proceed all the way through to DH_GEX_GROUP without seeing any data?

Without the -m parameter Send-Q goes to 1992.

1208 bytes shouldn't need any fragmentation; I can definitely ping
unfragmented packets that large.

So I'm thinking firewall problem now, but I'm at a loss as to why OpenSSH
is triggering the problem but PuTTY isn't, given that reducing packet size
below the MTU limit doesn't seem to help. Any ideas?

Thanks,

mathew
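As an added example (not code from the thread or from OpenSSH), the following rebuilds the client SSH_MSG_KEXINIT from the algorithm lists in mathew's transcript above, reproduces the 1968-byte figure Petr quotes, and repeats the calculation for -m hmac-sha1. The all-zero cookie and the 40-byte IPv4+TCP header allowance are assumptions made for the calculation.

```python
"""Added example, not code from anyone in this thread: rebuild the client
SSH_MSG_KEXINIT from the algorithm lists in mathew's ssh -vvv transcript and
measure the binary packet that carries it, with and without -m hmac-sha1.

Layout follows RFC 4253: a KEXINIT payload is one message-type byte (20), a
16-byte cookie, ten name-lists (uint32 length + comma-separated names: kex,
host key, cipher c2s, cipher s2c, mac c2s, mac s2c, compression c2s,
compression s2c, languages c2s, languages s2c), a boolean and a uint32
reserved field. The binary packet adds a uint32 length, a padding-length
byte and at least 4 bytes of padding, the whole thing being a multiple of
the block size, which is 8 before any cipher is negotiated.
"""
import struct

# Transcribed from the client side of the transcript above.
CLIENT_KEX = (
    "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,"
    "ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,"
    "diffie-hellman-group1-sha1"
)
CLIENT_HOSTKEY = (
    "ecdsa-sha2-nistp256-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
    "ecdsa-sha2-nistp521-cert-v01@openssh.com,"
    "ssh-ed25519-cert-v01@openssh.com,"
    "ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,"
    "ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,"
    "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,"
    "ssh-ed25519,ssh-rsa,ssh-dss"
)
CLIENT_CIPHERS = (
    "aes128-ctr,aes192-ctr,aes256-ctr,"
    "aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,"
    "arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,"
    "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
)
CLIENT_MACS = (
    "umac-64-etm@openssh.com,umac-128-etm@openssh.com,"
    "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,"
    "hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,"
    "hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,"
    "hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,"
    "hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,"
    "hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96"
)
CLIENT_COMP = "none,zlib@openssh.com,zlib"
CLIENT_LANGS = ""


def name_list(names):
    """Encode an SSH name-list: uint32 length followed by the ASCII names."""
    raw = names.encode("ascii")
    return struct.pack(">I", len(raw)) + raw


def kexinit_payload(kex, hostkey, ciphers, macs, comp, langs=CLIENT_LANGS):
    """Build the KEXINIT payload; each list is sent for both directions."""
    cookie = b"\x00" * 16  # constructed; a real client sends 16 random bytes
    payload = bytes([20]) + cookie  # SSH_MSG_KEXINIT == 20
    for lst in (kex, hostkey, ciphers, ciphers, macs, macs,
                comp, comp, langs, langs):
        payload += name_list(lst)
    payload += b"\x00"               # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # reserved
    return payload


def packet_size(payload, block_size=8):
    """On-the-wire size of the binary packet wrapping `payload`."""
    length = 4 + 1 + len(payload)    # packet_length, padding_length, payload
    padding = block_size - (length % block_size)
    if padding < 4:                  # RFC 4253 requires at least 4 bytes
        padding += block_size
    return length + padding


def client_kexinit_size(macs=CLIENT_MACS):
    """KEXINIT packet size for the transcript's client; `macs` models -m."""
    return packet_size(kexinit_payload(CLIENT_KEX, CLIENT_HOSTKEY,
                                       CLIENT_CIPHERS, macs, CLIENT_COMP))


def exceeds_mtu(packet_bytes, mtu, ip_tcp_overhead=40):
    """True if the packet plus minimal IPv4+TCP headers is larger than `mtu`.
    40 bytes is the optionless header size (assumption); TCP options such as
    timestamps make the real margin smaller still."""
    return packet_bytes + ip_tcp_overhead > mtu


if __name__ == "__main__":
    for label, macs in (("default MACs", CLIENT_MACS), ("-m hmac-sha1", "hmac-sha1")):
        size = client_kexinit_size(macs)
        print("%-13s KEXINIT packet = %4d bytes, exceeds MTU 1400: %s"
              % (label, size, exceeds_mtu(size, 1400)))
```

The two sizes differ by 784 bytes, the same gap as between the two Send-Q readings quoted above (1992 and 1208).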
From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 9 Feb 2015 17:11:20 -0500 Subject: Connection stalls at debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP In-Reply-To: References: <54D9092E.1060500@redhat.com> Message-ID: On Mon, Feb 9, 2015 at 4:50 PM, mathew wrote: [...] > > Connections to other servers across the same VPN, using the same OpenSSH > versions, succeed. > The ciphers offered by a given version of OpenSSH can also vary based on the version of OpenSSL they were compiled against. > However, I've located a second server on the same subnet that's running > OpenSSH 5.9p1 -- would you expect the same problem with that version? > It depends. > With the -m parameter as above, running ss on the client, I see Send-Q go > to 1208 and then sit there until I Ctrl-C out the client, when it increases > by 1. On the server side, I see nothing. Is that plausible, that the client > would proceed all the way through to DH_GEX_GROUP without seeing any data? > No, but the size of the packets sent before that point can be small enough to not trigger MTU problems. Without the -m parameter Send-Q goes to 1992. > What's -m? my netstat doesn't have it. > 1208 bytes shouldn't need any fragmentation; I can definitely ping > unfragmented packets that large. > > So I'm thinking firewall problem now, but I'm at a loss as to why OpenSSH > is triggering the problem but PuTTY isn't, given that reducing packet size > below the MTU limit doesn't seem to help. Any ideas? > There's 3 things that get negotiated: key exchange algorithms (KexAlgorithms), message authentication codes (MACs) and encryption ciphers (Cipers). These vary by SSH implementation and version (and in the case of OpenSSH, the version of libcrypto too). 
In OpenSSH, the cipher selected also influences the size of the Diffie-Hellman group requested (this is controlled by the client, and was increased in a recent OpenSSH release).

Try:

ssh -vvv -o KexAlgorithms=diffie-hellman-group14-sha1 yourserver
ssh -vvv -o Ciphers=aes128-ctr yourserver

In particular, make a note of this line in the debug output:

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent

This is the lower, preferred and upper sizes requested. Exactly which size gets sent will depend on the content of the server's "moduli" file.

debug2: bits set: 1531/3072

The 2nd number is the size the server actually sent (you'll probably need to either run the server in debug mode or kick its loglevel to debug2 to see this for the failure case, though, since it's not making it through).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From meta at pobox.com Tue Feb 10 09:42:26 2015
From: meta at pobox.com (mathew)
Date: Mon, 09 Feb 2015 22:42:26 +0000
Subject: Connection stalls at debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
References: <54D9092E.1060500@redhat.com>
Message-ID:

More info: We've checked firewall logs, and it seems to be a firewall rule designed to prevent sessions which are subject to the bug detailed at <http://archives.neohapsis.com/archives/bugtraq/2002-06/0294.html>.

I've tried explicitly setting PAMAuthenticationViaKBDInt no, KbdInteractiveAuthentication no and UsePrivilegeSeparation yes in sshd_config, but the problem still occurs, so I think the firewall rule is buggy.

So, doesn't seem to be an OpenSSH problem per se, but I'll follow up with anything more I discover in case other people encounter the issue -- it's possible that the rule in question is deployed quite widely.

mathew

From sshuserga at gmail.com Tue Feb 10 20:02:44 2015
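An added example, not part of Darren's or mathew's messages and not OpenSSH code: a small Python script that pulls the two debug lines Darren names out of captured `ssh -vvv` and `sshd -ddd` output and turns them into a verdict, so the group size the client asked for, the size the server's moduli file produced, and whether the GEX_GROUP reply ever reached the client can be read off without scrolling through the whole log. The sample log text is constructed (only the two numeric lines are copied from the thread); the function names and the reply-size estimate are mine, not OpenSSH's.

```python
import re

# Constructed sample output: the two numeric lines are copied from the thread,
# the surrounding lines are made up to look like ssh -vvv / sshd -ddd output.
CLIENT_DEBUG = """\
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha2-256 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
"""
SERVER_DEBUG = """\
debug2: bits set: 1531/3072
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
"""

GEX_REQUEST = re.compile(r"SSH2_MSG_KEX_DH_GEX_REQUEST\((\d+)<(\d+)<(\d+)\) sent")
BITS_SET = re.compile(r"bits set: \d+/(\d+)")
GEX_GROUP_SEEN = re.compile(r"SSH2_MSG_KEX_DH_GEX_GROUP received")


def requested_group_sizes(client_log):
    """(min, preferred, max) modulus bits from the client's GEX request, or None."""
    for line in client_log.splitlines():
        m = GEX_REQUEST.search(line)
        if m:
            return tuple(int(x) for x in m.groups())
    return None


def served_group_bits(server_log):
    """Modulus size the server actually chose from its moduli file, or None."""
    for line in server_log.splitlines():
        m = BITS_SET.search(line)
        if m:
            return int(m.group(1))
    return None


def gex_group_reply_bytes(bits):
    """Approximate payload size of the SSH2_MSG_KEX_DH_GEX_GROUP reply for a
    modulus of the given size: 1 byte message id, p as an mpint (4-byte length,
    one leading zero because a safe prime has its top bit set, bits/8 bytes),
    and g as a small mpint (assumed one byte). Padding and MAC are not counted,
    so this is a lower bound on what has to cross the firewall in one packet."""
    return 1 + (4 + 1 + bits // 8) + (4 + 1)


def diagnose(client_log, server_log):
    """Short verdict on where the group exchange stopped."""
    req = requested_group_sizes(client_log)
    if req is None:
        return "client never sent a GEX request (check KexAlgorithms; group14 skips GEX)"
    lo, pref, hi = req
    got = served_group_bits(server_log)
    if got is None:
        return f"client asked for {lo}<{pref}<{hi} bits; server log shows no group chosen"
    if not lo <= got <= hi:
        return f"server chose a {got}-bit group outside the requested {lo}..{hi} range"
    if not any(GEX_GROUP_SEEN.search(l) for l in client_log.splitlines()):
        return (f"server chose a {got}-bit group (reply payload about "
                f"{gex_group_reply_bytes(got)} bytes) but the client never logged "
                f"SSH2_MSG_KEX_DH_GEX_GROUP received: the reply is lost in transit")
    return f"group exchange completed with a {got}-bit group"


if __name__ == "__main__":
    print(diagnose(CLIENT_DEBUG, SERVER_DEBUG))
```

Running it on the constructed logs reports the case in this thread: a 3072-bit group was chosen on the server, the reply carrying it is the first packet of the exchange large enough to matter, and the client never sees it. Forcing `KexAlgorithms=diffie-hellman-group14-sha1`, as Darren suggests, removes the GEX request entirely, which is why the `diagnose` output changes to the first branch for that run.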
From: sshuserga at gmail.com (sshuser GA)
Date: Tue, 10 Feb 2015 14:32:44 +0530
Subject: Why there is a difference in MaxAuthTries behavior ?
Message-ID:

Hi,

I understand MaxAuthTries is a parameter used to restrict the maximum number of authentication attempts. But I notice a difference in behavior when run from different client versions.

The MaxAuthTries at the server side is 6. The server side is running OpenSSH 6.6 version.

When a wrong password is given from an OpenSSH client 6.1 version, it disconnects after 3 attempts.
When a wrong password is given from an OpenSSH client 6.6 version, it disconnects after 5 attempts.

What is the reason for this difference? Shouldn't the behavior be the same across both the clients, since MaxAuthTries is a server-side parameter?

Regards
Opensshuser

From jjelen at redhat.com Tue Feb 10 23:29:07 2015
From: jjelen at redhat.com (Jakub Jelen)
Date: Tue, 10 Feb 2015 13:29:07 +0100
Subject: [openssh-unix-dev] Re: Creating users "on - the - fly"
In-Reply-To:
References: <87386jyljl.fsf@alice.fifthhorseman.net> <54D50636.9020008@uiowa.edu> <87oap6yidf.fsf@alice.fifthhorseman.net> <87bnl6yfil.fsf@alice.fifthhorseman.net>
Message-ID: <54D9F993.10001@redhat.com>

Hello Cary,
just for your information on the topic of the problem you wanted to describe: When you run sshd with the -d argument, it will accept only one connection and exit, as you can read in the man pages (man sshd):

     -d      Debug mode. The server sends verbose debug output to standard error, and does not put itself in the background. The server also will not fork and will only process one connection. This option is only intended for debugging for the server. Multiple -d options increase the debugging level. Maximum is 3.

It is not a bug. It is a feature.

Best Regards,
Jakub Jelen

On 02/09/2015 06:59 PM, Cary FitzHugh wrote:
> Morning everyone,
>
> I have put into place the libnss extension https://github.com/hivewing/libnss-ato
> It seems to always resolve every username to the same uid, with no password.
> I've set the shell to bin/false, and put the home dir to /dev/null as well.
>
> And it actually seems to work!
>
> On a connection request, the AuthorizedKeysCommand script is called
> with the right username, letting me look up the username in my
> webservice, and return the list of authorized_keys.
> Wonderful.
>
> I spent a good bit of time banging my head on the wall, trying to
> figure out why I could only get one connection through the sshd server
> before it would crash. It would accept one connection, every other
> connection request would be ignored. And once that one connection was
> closed, sshd would exit.
>
> I was running it like so: /usr/sbin/sshd -D -e -d -d -d
>
> And life was sad. very sad.
>
> I now run it just with /usr/sbin/sshd -D
> and it all seems to work.
>
> I'm not sure if anyone cares that it doesn't work with the three '-d's
> on there. but if anyone did care, I could try to help them get a
> reproducible case.
>
> Thanks to everyone who helped with suggestions!
>
> Cary
>
> On Fri, Feb 6, 2015 at 3:02 PM, Daniel Kahn Gillmor wrote:
>> On Fri 2015-02-06 14:30:13 -0500, Cary FitzHugh wrote:
>>> Hence - maybe a NSS User Database extension which looks for the
>>> public keys from a webservice (and then maybe writes them to
>>> /tmp/.
>> No, i'm suggesting that when you want to look up the user, use NSS to
>> find the username and map it to a numeric user ID and the other
>> information that is typically found in /etc/passwd. this doesn't write
>> anything to the local disk.
>>
>>> The AuthorizedKeysCommand could then just return the tmp/username information..
>> Then the AuthorizedKeysCommand can return the proper key material.
>>
>> --dkg
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From crrodriguez at opensuse.org Thu Feb 12 04:46:50 2015
From: crrodriguez at opensuse.org (Cristian Rodríguez)
Date: Wed, 11 Feb 2015 14:46:50 -0300
Subject: [PATCH] seccomp: allow the getrandom system call.
Message-ID: <1423676810-21460-1-git-send-email-crrodriguez@opensuse.org>

*SSL libraries or the C library may/will require it.
---
 sandbox-seccomp-filter.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index b6f6258..846bc08 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -129,6 +129,9 @@ static const struct sock_filter preauth_insns[] = { #else SC_ALLOW(sigprocmask), #endif +#ifdef __NR_getrandom + SC_ALLOW(getrandom), +#endif BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), }; -- 2.2.2

From crrodriguez at opensuse.org Thu Feb 12 04:51:23 2015
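Review bot: the `SC_ALLOW(getrandom)` added just before the closing `BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL)` admits the syscall with any flags, and the one-line commit message ("may/will require it") does not say which library issues it or why the pre-auth child would need fresh kernel randomness after the sandbox is entered. Suggest the commit message name the concrete consumer, and that the rule match on the flags argument (rejecting GRND_RANDOM, which reads the blocking pool) instead of allowing the syscall unconditionally; the `#ifdef __NR_getrandom` guard itself is right, since older kernel headers lack the number.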
From: crrodriguez at opensuse.org (Cristian Rodríguez)
Date: Wed, 11 Feb 2015 14:51:23 -0300
Subject: [PATCH] configure: Fix b64_ntop, b64_pton detection on linux systems
Message-ID: <1423677083-21671-1-git-send-email-crrodriguez@opensuse.org>

These functions are available in libresolv and the public declarations are macros.
---
 configure.ac | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/configure.ac b/configure.ac index cb66f54..818b652 100644 --- a/configure.ac +++ b/configure.ac @@ -1605,6 +1605,10 @@ if test "x$use_pie" != "xno"; then fi fi +AC_CHECK_DECLS([b64_ntop, b64_pton], [], [], [#include ]) +AC_SEARCH_LIBS([__b64_ntop], [resolv]) +AC_SEARCH_LIBS([__b64_pton], [resolv]) + dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS([ \ Blowfish_initstate \ -- 2.2.2

From imorgan at nas.nasa.gov Thu Feb 12 05:59:44 2015
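Review bot: the prelude argument of `AC_CHECK_DECLS([b64_ntop, b64_pton], [], [], [#include ])` names no header as posted, so the declaration test compiles an empty `#include` and can only fail, leaving HAVE_DECL_B64_NTOP and HAVE_DECL_B64_PTON false on every platform; the header that defines the macros (the commit message says the public declarations are macros) has to be spelled out. Also, `AC_SEARCH_LIBS([__b64_ntop], [resolv])` and its `__b64_pton` twin append -lresolv to LIBS for the whole build, while nothing visible in the hunk consumes the HAVE_DECL_* results, so whatever currently selects the bundled b64_ntop/b64_pton fallback must be updated to honour them or the check has no effect on what gets compiled.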
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Wed, 11 Feb 2015 10:59:44 -0800
Subject: Why there is a difference in MaxAuthTries behavior ?
In-Reply-To:
References:
Message-ID: <20150211185944.GB6608@linux124.nas.nasa.gov>

On Tue, Feb 10, 2015 at 14:32:44 +0530, sshuser GA wrote:
> Hi,
>
> I understand MaxAuthTries is a parameter used to restrict the maximum
> number of authentication attempts. But I notice a difference in behavior
> when run from different client versions.
> The MaxAuthTries at the server side is 6. The server side is running
> OpenSSH 6.6 version.
> When wrong password is given from an openssh client 6.1 version, it
> disconnects after 3 attempts.
> When wrong password is given from an openssh client 6.6 version, it
> disconnects after 5 attempts.
>
> What is the reason for this difference ? Shouldn't the behavior be the
> same, across both the clients, since MaxAuthTries is a server side
> parameter?
>

Keep in mind that MaxAuthTries is applied against _all_ authentication methods -- not just password authentication. If you use ssh -v, I expect that you will see that the apparent discrepancy is due to public-key or hostbased authentication attempts.

Also, it may be that your clients have NumberOfPasswordPrompts set inconsistently.

--
Iain Morgan

From ldv at altlinux.org Thu Feb 12 06:08:12 2015
From: ldv at altlinux.org (Dmitry V. Levin)
Date: Wed, 11 Feb 2015 22:08:12 +0300
Subject: [PATCH] seccomp: allow the getrandom system call.
In-Reply-To: <1423676810-21460-1-git-send-email-crrodriguez@opensuse.org>
References: <1423676810-21460-1-git-send-email-crrodriguez@opensuse.org>
Message-ID: <20150211190812.GA28660@altlinux.org>

On Wed, Feb 11, 2015 at 02:46:50PM -0300, Cristian Rodríguez wrote:
> *SSL libraries or the C library may/will require it.

In what circumstances do they need it?
Do they need it with the GRND_RANDOM bit set?

Note that this system call is equivalent to opening (with subsequent reading) of /dev/random and /dev/urandom, which is not allowed by this seccomp filter.

> --- a/sandbox-seccomp-filter.c > +++ b/sandbox-seccomp-filter.c > @@ -129,6 +129,9 @@ static const struct sock_filter preauth_insns[] = { > #else > SC_ALLOW(sigprocmask), > #endif > +#ifdef __NR_getrandom > + SC_ALLOW(getrandom), > +#endif > BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), > };

--
ldv

From djm at mindrot.org Thu Feb 12 08:47:42 2015
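Review bot: the `#ifdef __NR_getrandom` guard binds the allow rule to the kernel headers present at build time, not to the kernel the binary runs on: a package built against headers without the number silently drops the rule, and the pre-auth child is then killed by the filter the first time libc or libcrypto tries the syscall on a newer kernel, which is the very "may/will require it" situation the patch aims at. If the rule stays, that build-time requirement belongs in the commit message, and the GRND_RANDOM question above argues for matching the flags argument rather than an unconditional allow.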
From: djm at mindrot.org (Damien Miller)
Date: Thu, 12 Feb 2015 08:47:42 +1100 (AEDT)
Subject: Why there is a difference in MaxAuthTries behavior ?
In-Reply-To: <20150211185944.GB6608@linux124.nas.nasa.gov>
References: <20150211185944.GB6608@linux124.nas.nasa.gov>
Message-ID:

On Wed, 11 Feb 2015, Iain Morgan wrote:
> On Tue, Feb 10, 2015 at 14:32:44 +0530, sshuser GA wrote:
> > Hi,
> >
> > I understand MaxAuthTries is a parameter used to restrict the maximum
> > number of authentication attempts. But I notice a difference in behavior
> > when run from different client versions.
> > The MaxAuthTries at the server side is 6. The server side is running
> > OpenSSH 6.6 version.
> > When wrong password is given from an openssh client 6.1 version, it
> > disconnects after 3 attempts.
> > When wrong password is given from an openssh client 6.6 version, it
> > disconnects after 5 attempts.
> >
> > What is the reason for this difference ? Shouldn't the behavior be the
> > same, across both the clients, since MaxAuthTries is a server side
> > parameter?
> >
>
> Keep in mind that MaxAuthTries is applied against _all_ authentication
> methods -- not just password authentication. If you use ssh -v, I expect
> that you will see that the apparent discrepancy is due to public-key or
> hostbased authentication attempts.
>
> Also, it may be that your clients have NumberOfPasswordPrompts set
> inconsistently.

Or your server was patched to ignore public key queries (also in HEAD).

From djm at mindrot.org Thu Feb 12 21:45:21 2015
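An added example illustrating Iain's and Damien's answers, not part of the thread and not OpenSSH code: a Python tally over an `ssh -v` transcript that counts what the client actually sent per method, so the "3 attempts" versus "5 attempts" puzzle becomes visible as public-key offers consumed before the first password prompt. The transcript is constructed (user, host and key paths are made up; the line shapes follow the OpenSSH 6.x client), and the function names are mine.

```python
import re

# Constructed ssh -v transcript (user, host and paths are made up) for a client
# that offers three keys before falling back to password, against a server
# with MaxAuthTries 6. Line formats mirror the OpenSSH 6.x client.
SSH_V_TRANSCRIPT = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/alice/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Offering DSA public key: /home/alice/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password
debug1: Offering ECDSA public key: /home/alice/.ssh/id_ecdsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
alice@203.0.113.5's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
alice@203.0.113.5's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
alice@203.0.113.5's password:
Received disconnect from 203.0.113.5: 2: Too many authentication failures for alice
"""

OFFER = re.compile(r"^debug1: Offering .* public key: (.+)$")
PROMPT = re.compile(r"'s password:$")
FAILURE = re.compile(r"^debug1: Authentications that can continue:")
MAXTRIES = re.compile(r"Too many authentication failures")


def tally_attempts(transcript):
    """Count what the client sent, per method, from an ssh -v log.

    Each 'Offering ... public key' line is a publickey query that the server
    answered with a failure, and every one of those counts against
    MaxAuthTries; each password prompt is one password sent. The first
    'Authentications that can continue' answers the initial 'none' probe,
    which sshd does not count, so it is subtracted from the failure total.
    """
    lines = transcript.splitlines()
    offered = [m.group(1) for l in lines if (m := OFFER.match(l))]
    passwords = sum(1 for l in lines if PROMPT.search(l))
    failures_reported = sum(1 for l in lines if FAILURE.match(l)) - 1
    return {
        "publickey": len(offered),
        "offered_keys": offered,
        "password": passwords,
        "total": len(offered) + passwords,
        "server_failures_before_last": max(failures_reported, 0),
        "maxtries_exceeded": any(MAXTRIES.search(l) for l in lines),
    }


def password_budget(max_auth_tries, tally):
    """Password attempts left once the offered keys have been charged."""
    return max(0, max_auth_tries - tally["publickey"])


if __name__ == "__main__":
    t = tally_attempts(SSH_V_TRANSCRIPT)
    print(t)
    print("password attempts available with MaxAuthTries 6:", password_budget(6, t))
```

On the constructed log the client burns three of the six tries on keys the server does not know, so only three passwords fit before the disconnect, exactly the "3 attempts" case; a client with one key in its agent gets five. The client-side fix is to stop offering unrelated keys (`IdentitiesOnly yes` with an explicit `IdentityFile`, or `PubkeyAuthentication no` when a password is intended), which also keeps sshd's auth log free of spurious failures.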
From: djm at mindrot.org (Damien Miller)
Date: Thu, 12 Feb 2015 21:45:21 +1100 (AEDT)
Subject: [PATCH] seccomp: allow the getrandom system call.
In-Reply-To: <20150211190812.GA28660@altlinux.org>
References: <1423676810-21460-1-git-send-email-crrodriguez@opensuse.org> <20150211190812.GA28660@altlinux.org>
Message-ID:

On Wed, 11 Feb 2015, Dmitry V. Levin wrote:
> On Wed, Feb 11, 2015 at 02:46:50PM -0300, Cristian Rodríguez wrote:
> > *SSL libraries or the C library may/will require it.
>
> In what circumstances do they need it?
> Do they need it with GRND_RANDOM bit set?
>
> Note that this system call equivalents to opening (with subsequent
> reading) of /dev/random and /dev/urandom, which is not allowed by this
> seccomp filter.

IMO they shouldn't need it - we take care to prime both the arc4random and libcrypto pools before sandboxing.

I don't mind adding it though, and don't think it hurts.

-d

From shinose at gmail.com Thu Feb 12 23:42:24 2015
From: shinose at gmail.com (Shinose)
Date: Thu, 12 Feb 2015 18:12:24 +0530
Subject: SSH_MSG_SERVICE_ACCEPT is not received at the sftp client
Message-ID:

Hi All,

I am currently trying to port sshd and sftp-server to an embedded OS which has a single monolithic process space. Hence I have converted the whole OpenSSH code to be re-entrant for the RTOS tasks. The re-entrant code is tested and is working under Linux.

But once I started the sshd running on the target, it looks like the sshd sends the SSH_MSG_SERVICE_ACCEPT but it is NOT received by the sftp client. Hence the client waits forever after sending SSH2_MSG_SERVICE_REQUEST and no further communication happens. The sshd is in the select() loop as normal after sending the SSH_MSG_SERVICE_ACCEPT packet.

It would be highly helpful if you could give some pointers to overcome this issue. Following are the client and server logs.

sftp client log (Ubuntu): http://pastebin.com/9697H7Y7
...
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent

sshd log (RTOS): http://pastebin.com/3U3Mw2d9
...
I/O: debug2: set_newkeys: mode 1
I/O: debug2: cipher_init_context: 1
I/O: debug2: packet_send done
I/O: debug2: SSH2_MSG_NEWKEYS sent
I/O: debug2: expecting SSH2_MSG_NEWKEYS
I/O: debug2: packet_read()
I/O: debug2: input: packet len 16
I/O: debug2: partial packet: block 8, need 8, maclen 0, authlen 0, aadlen 0
I/O: read_poll enc/full: 0000 0000 0000 0000
I/O: debug2: input: padlen 10
I/O: debug2: input: len before de-compress 1
I/O: debug2: set_newkeys: mode 0
I/O: debug2: cipher_init_context: 0
I/O: read/plain[21]:
I/O:
I/O: debug2: received packet type 21
I/O: debug2: SSH2_MSG_NEWKEYS received
I/O: debug2: KEX done
I/O: debug2: packet_read()
I/O: debug2: input: packet len 32
I/O: debug2: partial packet: block 16, need 16, maclen 16, authlen 0, aadlen 0
I/O: read_poll enc/full: 80e5 0ff5 e0c5 6f48 62cb 4383 6c43 2e98
I/O: b28a 3677 5765 5d81 fc18 b389 9f5d e203
I/O:
I/O: debug2: MAC #4 ok
I/O: debug2: input: padlen 10
I/O: debug2: input: len before de-compress 17
I/O: read/plain[5]:
I/O: 0000 000c 7373 682d 7573 6572 6175 7468
I/O:
I/O: debug2: received packet type 5
I/O: debug2: packet_start[6]
I/O: plain: 0000 0000 0006 0000 000c 7373 682d 7573
I/O: 6572 6175 7468
I/O: debug2: send: len 32 (includes padlen 10, aadlen 0)
I/O: debug2: done calc MAC out #4
I/O: encrypted: 77c1 c72a 976c 4e1e 0461 8a11 5391 9d0d
I/O: d85d db30 73f1 0286 11a4 add3 8e07 4b5b
I/O:
I/O: debug2: packet_send done
I/O: debug2: packet_read()

Thanks,
Shinose.

From ldv at altlinux.org Fri Feb 13 05:40:58 2015
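An added example for reading the dumps in Shinose's sshd log, not part of the thread and not OpenSSH code: a Python decoder for the `plain:` and `read/plain[N]:` buffer dumps that recovers the message type and service name, and checks the `send: len 32` arithmetic against the 16-byte cipher block. The hex values are copied from the log above; the `I/O:` prefix layout, the function names and the field interpretation follow RFC 4253, not any OpenSSH API.

```python
import re
import struct

# SSH transport message numbers from RFC 4253 section 12.
SSH_MSG_NAMES = {
    5: "SSH2_MSG_SERVICE_REQUEST",
    6: "SSH2_MSG_SERVICE_ACCEPT",
    20: "SSH2_MSG_KEXINIT",
    21: "SSH2_MSG_NEWKEYS",
}

# Hex dumps copied from the sshd log in the thread, with the RTOS port's
# 'I/O:' prefix. The outgoing 'plain:' dump is the whole packet buffer before
# padding is appended and the length fields are stored (both still zero);
# the incoming 'read/plain[5]:' dump is the payload after the type byte (5)
# has already been consumed.
OUTGOING_PLAIN = """\
I/O: plain: 0000 0000 0006 0000 000c 7373 682d 7573
I/O: 6572 6175 7468
"""
INCOMING_PLAIN_TYPE = 5
INCOMING_PLAIN = """\
I/O: 0000 000c 7373 682d 7573 6572 6175 7468
"""

HEX_WORD = re.compile(r"^[0-9a-f]{2}(?:[0-9a-f]{2})?$")


def hexdump_to_bytes(dump):
    """Collect the hex groups of an OpenSSH buffer dump into bytes, skipping
    the 'I/O:' and 'plain:' labels."""
    words = [w for line in dump.splitlines() for w in line.split() if HEX_WORD.match(w)]
    return bytes.fromhex("".join(words))


def parse_service_payload(payload):
    """Decode a payload whose first byte is the message type."""
    msg_type = payload[0]
    info = {"type": msg_type, "name": SSH_MSG_NAMES.get(msg_type, "unknown")}
    if msg_type in (5, 6):  # both carry one SSH string: the service name
        (length,) = struct.unpack(">I", payload[1:5])
        info["service"] = payload[5:5 + length].decode("ascii")
        info["payload_length"] = 1 + 4 + length
    return info


def decode_outgoing(dump):
    """Outgoing buffer: uint32 packet_length, byte padding_length, payload."""
    raw = hexdump_to_bytes(dump)
    packet_length, padding_length = struct.unpack(">IB", raw[:5])
    info = parse_service_payload(raw[5:])
    info["header_filled"] = packet_length != 0 or padding_length != 0
    return info


def decode_incoming(msg_type, dump):
    """Incoming 'read/plain[N]' dump: type N was already read, so prepend it."""
    return parse_service_payload(bytes([msg_type]) + hexdump_to_bytes(dump))


def wire_length(payload_length, padding_length, block_size=16):
    """Length sshd reports as 'send: len N': header + payload + padding, which
    must be a multiple of the cipher block size (RFC 4253 section 6)."""
    total = 4 + 1 + payload_length + padding_length
    if total % block_size != 0:
        raise ValueError(f"{total} is not a multiple of the {block_size}-byte block")
    return total


if __name__ == "__main__":
    out = decode_outgoing(OUTGOING_PLAIN)
    print(out, "wire length", wire_length(out["payload_length"], 10))
    print(decode_incoming(INCOMING_PLAIN_TYPE, INCOMING_PLAIN))
```

Decoding confirms what the log claims: the server parsed a `SSH2_MSG_SERVICE_REQUEST` for `ssh-userauth` (17 payload bytes, matching `len before de-compress 17`) and queued a `SSH2_MSG_SERVICE_ACCEPT` for the same service, whose 17-byte payload plus 10 bytes of padding gives the 32-byte encrypted packet the log reports. Since that arithmetic is right, the next thing to verify on the RTOS side is whether those 32 bytes plus the 16-byte MAC ever leave the socket, rather than the packet construction.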
From: ldv at altlinux.org (Dmitry V. Levin)
Date: Thu, 12 Feb 2015 21:40:58 +0300
Subject: [PATCH] seccomp: allow the getrandom system call.
In-Reply-To:
References: <1423676810-21460-1-git-send-email-crrodriguez@opensuse.org> <20150211190812.GA28660@altlinux.org>
Message-ID: <20150212184058.GA1530@altlinux.org>

On Thu, Feb 12, 2015 at 09:45:21PM +1100, Damien Miller wrote:
> On Wed, 11 Feb 2015, Dmitry V. Levin wrote:
> > On Wed, Feb 11, 2015 at 02:46:50PM -0300, Cristian Rodríguez wrote:
> > > *SSL libraries or the C library may/will require it.
> >
> > In what circumstances do they need it?
> > Do they need it with GRND_RANDOM bit set?
> >
> > Note that this system call is equivalent to opening (with subsequent
> > reading) of /dev/random and /dev/urandom, which is not allowed by this
> > seccomp filter.
>
> IMO they shouldn't need it - we take care to prime both the arc4random
> and libcrypto pools before sandboxing.

They definitely don't need it now as neither /dev/random nor /dev/urandom is available in _PATH_PRIVSEP_CHROOT_DIR.

> I don't mind adding it though, and don't think it hurts.

Unlimited access to /dev/random could be used to cause system entropy starvation, so please don't add it.

--
ldv

From meta at pobox.com Sat Feb 14 05:35:47 2015
From: meta at pobox.com (mathew)
Date: Fri, 13 Feb 2015 18:35:47 +0000
Subject: Connection stalls at debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
References: <54D9092E.1060500@redhat.com>
Message-ID:

Root cause established: A firewall appliance was replaced, and an error installing the replacement meant it wasn't receiving rule updates.

So, no action at all needed by OpenSSH. Thanks, and sorry for the false alarm.

mathew

On Mon Feb 09 2015 at 4:42:25 PM mathew wrote:
> More info: We've checked firewall logs, and it seems to be a firewall rule
> designed to prevent sessions which are subject to the bug detailed at
> <http://archives.neohapsis.com/archives/bugtraq/2002-06/0294.html>.
>
> I've tried explicitly setting PAMAuthenticationViaKBDInt no,
> KbdInteractiveAuthentication no and UsePrivilegeSeparation yes in
> sshd_config, but the problem still occurs, so I think the firewall rule is
> buggy.
>
> So, doesn't seem to be an OpenSSH problem per se, but I'll follow up with
> anything more I discover in case other people encounter the issue -- it's
> possible that the rule in question is deployed quite widely.
>
> mathew

From johandewolff at outlook.com Sun Feb 15 06:27:05 2015
From: johandewolff at outlook.com (Johan De Wolff)
Date: Sat, 14 Feb 2015 20:27:05 +0100
Subject: Logging input
Message-ID:

Hey,

I'm currently trying to add some extra logging functionalities to OpenSSH. However, I'd like to log all commands the client sends to the server. But I'm unable to find where exactly this happens in the OpenSSH source. I've tried the do_child() function but that did not work. Am I forgetting something?

Thank you,
Johan.

From peter at stuge.se Sun Feb 15 06:38:03 2015
From: peter at stuge.se (Peter Stuge)
Date: Sat, 14 Feb 2015 20:38:03 +0100
Subject: Logging input
In-Reply-To:
References:
Message-ID: <20150214193803.4176.qmail@stuge.se>

Johan De Wolff wrote:
> I'm currently trying to add some extra logging functionalities to OpenSSH.
> However, I'd like to log all commands the client sends to the server.
>
> But I'm unable to find where exactly this happens in the OpenSSH source.

OpenSSH is not really involved in commands that the client's terminal emulator sends to the shell running on the server.

//Peter

From jbasney at illinois.edu Tue Feb 17 03:12:50 2015
From: jbasney at illinois.edu (Basney, Jim)
Date: Mon, 16 Feb 2015 16:12:50 +0000
Subject: Logging input
In-Reply-To:
References:
Message-ID:

On 2/14/15, 2:27 PM, Johan De Wolff wrote:
> I'm currently trying to add some extra logging functionalities to
> OpenSSH. However, I'd like to log all commands the client sends to the
> server.
>
> But I'm unable to find where exactly this happens in the OpenSSH source.
> I've tried the do_child() function but that did not work.

https://code.google.com/p/auditing-sshd/ may provide a helpful example.

-Jim

From igor at mir2.org Tue Feb 17 17:51:27 2015
From: igor at mir2.org (Igor Bukanov)
Date: Tue, 17 Feb 2015 07:51:27 +0100
Subject: matching on client public key
Message-ID:

As I understand, currently there is no way in sshd_config to match based on the client public key, so different configuration for the same username can be applied depending on the key, right?

My case is a backup login that needs to run as root to access all the files and where I want to use ForceCommand to allow the login only to execute a particular command and yet still allow normal root logins.

As a workaround currently I have a dummy account with ForceCommand that executes a setuid wrapper for the backup where the wrapper can only run from that account. It works, but it would be nice to avoid this error-prone extra-account+setuid combination and allow in sshd_config either to match based on public keys or to support custom mapping of ssh accounts into system ones.

From gert at greenie.muc.de Tue Feb 17 20:01:44 2015
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 17 Feb 2015 10:01:44 +0100
Subject: matching on client public key
In-Reply-To:
References:
Message-ID: <20150217090144.GD8134@greenie.muc.de>

Hi,

On Tue, Feb 17, 2015 at 07:51:27AM +0100, Igor Bukanov wrote:
> My case is a backup login that needs to run as root to access all
> the files and where I want to use ForceCommand to allow the login only
> to execute a particular command and yet still allow normal root
> logins.

You can put command="..." in $HOME/.ssh/authorized_keys

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From igor at mir2.org Tue Feb 17 21:06:17 2015
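An added example of Gert's suggestion, not part of the thread and not OpenSSH code: a hypothetical forced-command wrapper that a `command="..."` option in root's authorized_keys points at, so the backup key can only run a fixed allow-list of commands while other keys in the same file keep their normal root shell. The install path, the token names, the `tar` targets and the authorized_keys line in the docstring are all assumptions; `SSH_ORIGINAL_COMMAND` and `SSH_CLIENT` are the variables sshd sets for a forced command.

```python
#!/usr/bin/env python3
"""Hypothetical forced-command wrapper for a key-restricted backup login.

Path and names are assumptions; install it, for instance, as
/usr/local/sbin/backup-only and point the backup key at it from root's
authorized_keys with a line of this shape (constructed, key material elided):

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/usr/local/sbin/backup-only" ssh-ed25519 AAAA... backup@client

sshd runs the command= program instead of whatever the client asked for and
exports the client's request as SSH_ORIGINAL_COMMAND; the wrapper accepts a
few fixed tokens, maps each to a fixed argv, and refuses everything else.
"""
import os
import sys
import syslog

# Allow-list: request token -> exact argv to execute. No shell is involved,
# so nothing in the request can add options or chain a second command.
ALLOWED = {
    "backup-data": ["tar", "-C", "/srv/data", "-cf", "-", "."],
    "backup-etc": ["tar", "-C", "/etc", "-cf", "-", "."],
}


def resolve(original_command):
    """argv for an allowed request, None for anything else.

    The whole SSH_ORIGINAL_COMMAND must equal one token: trailing arguments,
    shell metacharacters, an empty string, or an interactive login (variable
    unset, passed here as None) all miss the lookup.
    """
    if not original_command:
        return None
    return ALLOWED.get(original_command)


def main():
    requested = os.environ.get("SSH_ORIGINAL_COMMAND")
    client = (os.environ.get("SSH_CLIENT") or "unknown").split()[0]
    argv = resolve(requested)
    syslog.openlog("backup-only", facility=syslog.LOG_AUTH)
    if argv is None:
        syslog.syslog(syslog.LOG_WARNING, "rejected request %r from %s" % (requested, client))
        sys.stderr.write("backup-only: request not permitted\n")
        return 1
    syslog.syslog(syslog.LOG_INFO, "running %s for %s" % (requested, client))
    os.execvp(argv[0], argv)  # replaces the wrapper; does not return on success


if __name__ == "__main__":
    sys.exit(main())
```

The client side is then `ssh root@host backup-data > data.tar`; any other request is logged to the auth facility and refused. Pairing the `command=` option with `from="..."` in the same authorized_keys line pins the key to the backup client's address as well, which is the remaining piece of what Igor's dummy-account-plus-setuid arrangement was providing.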
From: igor at mir2.org (Igor Bukanov)
Date: Tue, 17 Feb 2015 11:06:17 +0100
Subject: matching on client public key
In-Reply-To: <20150217090144.GD8134@greenie.muc.de>
References: <20150217090144.GD8134@greenie.muc.de>
Message-ID:

Thanks, I missed that authorized_keys can contain all the configuration I need.

On 17 February 2015 at 10:01, Gert Doering wrote:
> Hi,
>
> On Tue, Feb 17, 2015 at 07:51:27AM +0100, Igor Bukanov wrote:
>> My case is a backup login that needs to run as root to access all
>> the files and where I want to use ForceCommand to allow the login only
>> to execute a particular command and yet still allow normal root
>> logins.
>
> You can put command="..." in $HOME/.ssh/authorized_keys
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert at greenie.muc.de
> fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From mthode at mthode.org Wed Feb 18 12:38:50 2015
From: mthode at mthode.org (Matthew Thode)
Date: Tue, 17 Feb 2015 19:38:50 -0600
Subject: should openssh close sockets when closing a socket forwarded connection?
Message-ID: <54E3ED2A.40505@mthode.org>

Openssh doesn't seem to close sockets on disconnect when forwarding sockets. Should openssh handle the close of the remote side of the forwarded socket?

Openssh also does not overwrite a socket file if forwarding. This makes forwarding sockets a bit hard.

--
Matthew Thode

From hvjunk at gmail.com Thu Feb 19 04:07:57 2015
From: hvjunk at gmail.com (Hendrik Visage)
Date: Wed, 18 Feb 2015 19:07:57 +0200
Subject: ssh_config "database"/"sort"able format?
Message-ID:

Hi there,

I'm in a situation where some of my clients have all these obscurity things with ssh, like putting it on a different port, or a different user to login for this specific host, not to mention several don't have proper DNS names and and and. Life is too short to debate it with the client, so rather get in line, use ssh_config, and continue to serve the client.

However, now I have the case that the ssh_config file on the desktop is out of sync with the laptop, is out of sync with the jump, is out of sync with the helping hand, and generally it's out of sync. Yes, considering git/etc., but still, I'm stuck with some specific other settings that differ between the laptop and the desktop etc.

Now my first solution would be: sort < ssh_config > laptop.conf; diff laptop.conf desktop.conf, but the file layout just doesn't work with that :(

Questions:
- Is there anybody that sees value in a format/parser/matcher for ssh_config files to be able to merge/"diff"/sort these files?
- Any other ideas/solutions I could consider to manage these ssh_config files?

From ag4ve.us at gmail.com Thu Feb 19 09:11:38 2015
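An added example for Hendrik's sort/diff problem, not part of the thread and not OpenSSH code: a Python parser that reads ssh_config into per-Host option maps and emits a canonical one-option-per-line form that `sort` and `diff` handle, plus a direct comparison of two files. The two config texts are constructed (hosts, ports and users are made up); the function names are mine. The parser honours the two facts about ssh_config that break plain `sort`: keywords are case-insensitive and may use `Keyword value` or `Keyword = value`, and within a block the first occurrence of a keyword wins.

```python
import re

# Constructed ssh_config text for two machines; hosts, ports and users are made up.
LAPTOP_CONFIG = """\
# laptop
Host jump
    HostName jump.example.net
    Port 2222
    User ops

Host client-a
    HostName 198.51.100.7
    User svc_a
    Port 9922
"""
DESKTOP_CONFIG = """\
Host client-a
    Port = 9922
    User svc_a
    HostName 198.51.100.7
Host jump
    User ops
    HostName jump.example.net
    Port 2222
    ForwardAgent yes
"""

# "Keyword value" or "Keyword = value"; keywords are case-insensitive in ssh_config.
OPTION = re.compile(r"^([^\s=]+)\s*=?\s*(.*?)\s*$")


def parse_ssh_config(text):
    """Parse ssh_config text into {section: {keyword: value}}.

    Sections are 'host <pattern>' / 'match <criteria>' blocks plus '*global*'
    for options that precede any of them. Within a block the first value of a
    repeated keyword wins, which is how ssh(1) itself resolves options.
    """
    blocks = {"*global*": {}}
    current = blocks["*global*"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPTION.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key in ("host", "match"):
            current = blocks.setdefault(f"{key} {value}", {})
        else:
            current.setdefault(key, value)
    return blocks


def canonical(blocks):
    """One 'section<TAB>keyword<TAB>value' line per option, sorted, for sort/diff.

    This form is for comparison only: ssh(1) applies the first matching Host
    block, so the original block order still matters in the real file.
    """
    return "\n".join(
        f"{section}\t{key}\t{value}"
        for section in sorted(blocks)
        for key, value in sorted(blocks[section].items())
    )


def config_diff(text_a, text_b):
    """(only_in_a, only_in_b, changed) keyed by (section, keyword)."""
    flat_a = {(s, k): v for s, blk in parse_ssh_config(text_a).items() for k, v in blk.items()}
    flat_b = {(s, k): v for s, blk in parse_ssh_config(text_b).items() for k, v in blk.items()}
    only_a = sorted(set(flat_a) - set(flat_b))
    only_b = sorted(set(flat_b) - set(flat_a))
    changed = {k: (flat_a[k], flat_b[k]) for k in set(flat_a) & set(flat_b) if flat_a[k] != flat_b[k]}
    return only_a, only_b, changed


if __name__ == "__main__":
    print(canonical(parse_ssh_config(LAPTOP_CONFIG)))
    print(config_diff(LAPTOP_CONFIG, DESKTOP_CONFIG))
```

On the constructed inputs the two files agree on every option except that the desktop adds `ForwardAgent yes` to the jump host, which is exactly the kind of drift worth catching, since agent forwarding to a shared jump host exposes every loaded key to whoever controls that box. The canonical output is what to commit or feed to `diff`; the real files keep their block order, because a wildcard `Host *` block placed first would otherwise shadow the specific entries.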
From: ag4ve.us at gmail.com (shawn wilson)
Date: Wed, 18 Feb 2015 17:11:38 -0500
Subject: ssh_config "database"/"sort"able format?
In-Reply-To:
References:
Message-ID:

On Feb 18, 2015 2:53 PM, "Hendrik Visage" wrote:
>
> Questions:
> - Is there anybody that see a value in a format/parser/matcher for
> ssh_config files to be able to merge/"diff"/sort these files?

I've started on a perl module to go through an ssh config and compile what ssh should do for a given host (mainly to only ssh-add a key when a host is configured to use it). I would prefer an abstract config backend though.

> - Any other ideas/solutions I could consider to manage these ssh_config files?
>

You can make a compile script that takes ordered parts of a config and builds an ssh_config and then you're only checking in and/or comparing project specific bits.

From ismail at donmez.ws Fri Feb 20 00:24:08 2015
From: ismail at donmez.ws (İsmail Dönmez)
Date: Thu, 19 Feb 2015 15:24:08 +0200
Subject: [PATCH] Unbreak compilation with --without-ssh1
Message-ID:

Hi,

Patch attached for $SUBJECT.

ismail

From charles at dyfis.net Fri Feb 20 05:37:03 2015
From: charles at dyfis.net (Charles Duffy)
Date: Thu, 19 Feb 2015 12:37:03 -0600
Subject: Proposal: Allow HostKeyAlias to be used in hostname check against certificate principal.
Message-ID:

Howdy --

I have a number of servers with host keys validated by certificates. These systems are behind a load-balanced frontend, and the certificates are signed as valid for the DNS name used by that common frontend address.

This works well for the primary use case of the systems; however, when wishing to address only a single unit within the pool, the certificate cannot be used to validate that host's legitimacy, as the individual address of that host does not match against the name listed in the principal.

From the perspective of the end user, wishing to connect against a specific address (as specified in the HostName option) but perform validation against a user-specified name that differs from that address seems a legitimate request -- one may also have a situation where name resolution is not available, for instance, and wish to connect to a system whose name is known by IP without the situation posited above.

I'd like to propose that if HostKeyAlias is set, this be used as a second name against which a certificate may be considered valid, should it match.

A trivial patch implementing this behavior is attached.

From scott_n at xypro.com Fri Feb 20 06:13:46 2015
From: scott_n at xypro.com (Scott Neugroschl)
Date: Thu, 19 Feb 2015 19:13:46 +0000
Subject: Make tests on a cross compile?
In-Reply-To:
References:
Message-ID:

On Sunday, February 08, 2015, Damien wrote:
> On Fri, 6 Feb 2015, Scott Neugroschl wrote:
>> I may have asked this before ... my memory is bad.
>>
>> Is it possible to run "make tests" on a cross-compile build?
> Where would you be running the tests? You couldn't run them on the host compiler.
> They should work fine if you copy the build directory to the target platform and run them there.

With some minor tweaks -- building modpipe and disabling some dependencies in the makefile -- transferring the build directory did in fact work.

Thanks again, Damien!

From dtucker at zip.com.au Fri Feb 20 08:05:38 2015
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 19 Feb 2015 16:05:38 -0500
Subject: [PATCH] Unbreak compilation with --without-ssh1
In-Reply-To:
References:
Message-ID:

Unfortunately the patch didn't make it (the list server strips out all attachments that are not text/plain). Could you please resend either inline or as text/plain? If not, the other alternative is to attach it to a bug at https://bugzilla.mindrot.org.

Thanks.

On Thu, Feb 19, 2015 at 8:24 AM, İsmail Dönmez wrote:
> Hi,
>
> Patch attached for $SUBJECT.
>
> ismail
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From keisial at gmail.com Fri Feb 20 08:30:24 2015
From: keisial at gmail.com (Ángel González)
Date: Thu, 19 Feb 2015 22:30:24 +0100
Subject: [PATCH] Unbreak compilation with --without-ssh1
In-Reply-To:
References:
Message-ID: <54E655F0.8000002@gmail.com>

On 19/02/15 14:24, İsmail Dönmez wrote:
> Hi,
>
> Patch attached for $SUBJECT.
>
> ismail

SSH/2.0 404 Patch not found

From keisial at gmail.com Fri Feb 20 08:32:01 2015
From: keisial at gmail.com (Ángel González)
Date: Thu, 19 Feb 2015 22:32:01 +0100
Subject: Proposal: Allow HostKeyAlias to be used in hostname check against certificate principal.
In-Reply-To:
References:
Message-ID: <54E65651.4040807@gmail.com>

On 19/02/15 19:37, Charles Duffy wrote:
> A trivial patch implementing this behavior is attached.

Also stripped by the mailing list. Make sure you are attaching it with the proper mime type.

PS: That seems a good idea.

From charles at dyfis.net Fri Feb 20 08:39:28 2015
From: charles at dyfis.net (Charles Duffy)
Date: Thu, 19 Feb 2015 15:39:28 -0600
Subject: Proposal: Allow HostKeyAlias to be used in hostname check against certificate principal.
In-Reply-To: <54E65651.4040807@gmail.com>
References: <54E65651.4040807@gmail.com>
Message-ID:

The note is appreciated. This patch is now available from github, as https://github.com/charles-dyfis-net/openssh-portable/compare/openssh:773dda2...charles-dyfis-net:host-key-alias-cert-check and as inline plaintext below.

From 367fd8323d864daaf486047850f93c2167c66f37 Mon Sep 17 00:00:00 2001
From: Charles Duffy
Date: Tue, 17 Feb 2015 09:49:32 -0600
Subject: [PATCH] Allow HostKeyAlias to match a host certificate principal if HostName does not

---
 sshconnect.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sshconnect.c b/sshconnect.c index df921be..666c3ff 100644 --- a/sshconnect.c +++ b/sshconnect.c
@@ -902,7 +902,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, debug("Found %s in %s:%lu", want_cert ? "CA key" : "key", host_found->file, host_found->line); if (want_cert && !check_host_cert(hostname, host_key)) - goto fail; + if (options.host_key_alias == NULL || !check_host_cert(options.host_key_alias, host_key)) + goto fail; if (options.check_host_ip && ip_status == HOST_NEW) { if (readonly || want_cert) logit("%s host key for IP address " -- 2.0.0

On Thu, Feb 19, 2015 at 3:32 PM, Ángel González wrote:
> On 19/02/15 19:37, Charles Duffy wrote:
>>
>> A trivial patch implementing this behavior is attached.
>
> Also stripped by the mailing list. Make sure you are attaching it with the
> proper mime type.
>
>
> PS: That seems a good idea.
>
>

From scott_n at xypro.com Fri Feb 20 09:01:29 2015
From: scott_n at xypro.com (Scott Neugroschl)
Date: Thu, 19 Feb 2015 22:01:29 +0000
Subject: Privsep question
Message-ID:

Is there a reason that the Privsep user is defined at compile time instead of in sshd_config?

---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 | Simi Valley, CA 93063 | Phone 805 583-2874 | Fax 805 583-0124 |

From djm at mindrot.org Fri Feb 20 09:21:10 2015
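Review bot: in the sshconnect.c hunk the replacement nests a second `if` under `if (want_cert && !check_host_cert(hostname, host_key))` without braces, and `check_host_cert()` logs an error for the principal mismatch before the alias is even tried, so a user whose HostKeyAlias matches will see a spurious certificate error on a connection that then succeeds. Suggest one combined condition, e.g. `if (want_cert && !check_host_cert(hostname, host_key) && (options.host_key_alias == NULL || !check_host_cert(options.host_key_alias, host_key))) goto fail;`, with the first check made quiet when an alias is configured. The documentation side is missing too: HostKeyAlias is free text in ssh_config, so accepting it as a certificate principal means whatever name the user writes there is trusted for validation; ssh_config(5) should say that an alias naming a broad principal (the load-balancer name in the proposal) makes any pool member's certificate acceptable for that connection.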
From: djm at mindrot.org (Damien Miller)
Date: Fri, 20 Feb 2015 09:21:10 +1100 (AEDT)
Subject: Call for testing: OpenSSH 6.8
Message-ID:

Hi,

OpenSSH 6.8 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This release contains some substantial new features and a number of bugfixes.

Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/

The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html

Portable OpenSSH is also available via anonymous CVS using the instructions at http://www.openssh.com/portable.html#cvs or via Git at https://anongit.mindrot.org/openssh.git/

Running the regression tests supplied with Portable OpenSSH does not require installation and is simply:

$ ./configure && make tests

Live testing on suitable non-production systems is also appreciated. Please send reports of success or failure to openssh-unix-dev at mindrot.org.

Below is a summary of changes. More detail may be found in the ChangeLog in the portable OpenSSH tarballs.

Thanks to the many people who contributed to this release.

Changes since OpenSSH 6.7
=========================

This is a major release, containing a number of new features as well as a large internal re-factoring.

Potentially-incompatible changes
--------------------------------

 * sshd(8): UseDNS now defaults to 'no'. Configurations that match against the client host name (via sshd_config or authorized_keys) may need to re-enable it or convert to matching against addresses.

New Features
------------

 * Much of OpenSSH's internal code has been re-factored to be more library-like. These changes are mostly not user-visible, but have greatly improved OpenSSH's testability and internal layout.

 * Add FingerprintHash option to ssh(1) and sshd(8), and equivalent command-line flags to the other tools to control the algorithm used for key fingerprints. The default changes from MD5 to SHA256 and the format from hex to base64.
   Fingerprints now have the hash algorithm prepended. An example of the new format:

   SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE

   Please note that visual host keys will also be different.

 * ssh(1), sshd(8): Host key rotation support. Add a protocol extension for a server to inform a client of all its available host keys after authentication has completed. The client may record the keys in known_hosts, allowing it to upgrade to better host key algorithms and a server to gracefully rotate its keys.

   The client side of this is controlled by a UpdateHostkeys config option (default on).

 * ssh(1): Add a ssh_config HostbasedKeyType option to control which host public key types are tried during host-based authentication.

 * ssh(1), sshd(8): fix connection-killing host key mismatch errors when sshd offers multiple ECDSA keys of different lengths.

 * ssh(1): when host name canonicalisation is enabled, try to parse host names as addresses before looking them up for canonicalisation. Fixes bz#2074 and avoids needless DNS lookups in some cases.

 * ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer require OpenSSH to be compiled with OpenSSL support.

 * ssh(1), ssh-keysign(8): Make ed25519 keys work for host based authentication.

 * sshd(8): SSH protocol v.1 workaround for the Meyer, et al, Bleichenbacher Side Channel Attack. Fake up a bignum key before RSA decryption.

 * sshd(8): Remember which public keys have been used for authentication and refuse to accept previously-used keys. This allows AuthenticationMethods=publickey,publickey to require that users authenticate using two _different_ public keys.

 * sshd(8): add sshd_config HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes options to allow sshd to control what public key types will be accepted. Currently defaults to all.

 * sshd(8): Don't count partial authentication success as a failure against MaxAuthTries.
 * ssh(1): Add RevokedHostKeys option for the client to allow text-file or KRL-based revocation of host keys.

 * ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by serial number or key ID without scoping to a particular CA.

 * ssh(1): Add a "Match canonical" criteria that allows ssh_config Match blocks to trigger only in the second config pass.

 * ssh(1): Add a -G option to ssh that causes it to parse its configuration and dump the result to stdout, similar to "sshd -T".

 * ssh(1): Allow Match criteria to be negated. E.g. "Match !host".

 * The regression test suite has been extended to cover more OpenSSH features. The unit tests have been expanded and now cover key exchange.

Bugfixes
--------

 * ssh-keyscan(1): ssh-keyscan has been made much more robust against servers that hang or violate the SSH protocol.

 * ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were being lost as comment fields.

 * ssh(1): Allow ssh_config Port options set in the second config parse phase to be applied (they were being ignored). bz#2286

 * ssh(1): Tweak config re-parsing with host canonicalisation - make the second pass through the config files always run when host name canonicalisation is enabled (and not whenever the host name changes) bz#2267

 * ssh(1): Fix passing of wildcard forward bind addresses when connection multiplexing is in use; bz#2324

 * ssh-keygen(1): Fix broken private key conversion from non-OpenSSH formats; bz#2345.

 * ssh-keygen(1): Fix KRL generation bug when multiple CAs are in use.

 * Various fixes to manual pages: bz#2288, bz#2316, bz#2273

Portable OpenSSH
----------------

 * Support --without-openssl at configure time. Disables and removes the dependency on OpenSSL. Many features, including SSH protocol 1, are not supported and the set of crypto options is greatly restricted. This will only work on systems with native arc4random or /dev/urandom. Considered highly experimental for now.
 * Support --without-ssh1 option at configure time. Allows disabling support for SSH protocol 1. Still experimental - not all regression and unit tests have been adapted for the absence of SSH protocol 1.

 * sshd(8): Fix compilation on systems with IPv6 support in utmpx; bz#2296

 * Allow custom service name for sshd on Cygwin. Permits the use of multiple sshd running with different service names.

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh at openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and Ben Lindstrom.

From djm at mindrot.org Fri Feb 20 09:45:59 2015
From: djm at mindrot.org (Damien Miller)
Date: Fri, 20 Feb 2015 09:45:59 +1100 (AEDT)
Subject: Call for testing: OpenSSH 6.8

On Fri, 20 Feb 2015, Damien Miller wrote:

> Hi,
>
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
...
> * ssh(1), sshd(8): Host key rotation support. Add a protocol
> extension for a server to inform a client of all its available
> host keys after authentication has completed. The client may
> record the keys in known_hosts, allowing it to upgrade to better
> host key algorithms and a server to gracefully rotate its keys.
>
> The client side of this is controlled by a UpdateHostkeys config
> option (default on).

Actually, the default is off. You can enable it using UpdateHostKeys=yes or UpdateHostKeys=ask

-d

From Herb.Goldman at ssh.com Fri Feb 20 12:38:32 2015
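The fingerprint format change announced under FingerprintHash above, as an added example in Python that is not OpenSSH code: the digest is taken over the wire-format public key blob, the SHA256 form is base64 without padding, the MD5 form stays colon-separated hex, and both now carry the algorithm name in front. The ssh-ed25519 key it hashes is a constructed 32-byte value, so the printed fingerprints are illustrative only.

```python
"""OpenSSH key fingerprints: pre-6.8 MD5 hex vs. 6.8 SHA256 base64.

Added example, not OpenSSH code.  The key below is a constructed
ssh-ed25519 blob (32 arbitrary bytes), so its fingerprint is meaningless,
but the encoding is the real one: the hash covers the raw wire-format key
blob, and the SHA256 variant is base64 with the '=' padding stripped.
"""
import base64
import hashlib
import struct


def ssh_string(data):
    """Encode bytes as an SSH 'string' (uint32 big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_pubkey):
    """Wire-format blob for an ssh-ed25519 public key: string type, string key."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def parse_pubkey_line(line):
    """Parse one '<type> <base64> [comment]' line into (type, blob).

    The type named in the text field must equal the type embedded at the
    start of the blob; a mismatch is rejected rather than silently hashed.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + tlen].decode("ascii")
    if embedded != ktype:
        raise ValueError("type field %r != blob type %r" % (ktype, embedded))
    return ktype, blob


def fingerprint(blob, hash_alg="sha256"):
    """Fingerprint of a key blob as ssh-keygen -l prints it for FingerprintHash.

    md5    -> 'MD5:' + 16 colon-separated lowercase hex bytes (old digest,
              now with the algorithm name prepended)
    sha256 -> 'SHA256:' + unpadded base64 of the 32-byte digest (43 chars)
    """
    if hash_alg == "md5":
        digest = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    if hash_alg == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    raise ValueError("unsupported FingerprintHash %r" % hash_alg)


def fingerprints_for_line(line):
    """Both fingerprints for a public key line, keyed by hash name."""
    _, blob = parse_pubkey_line(line)
    return {alg: fingerprint(blob, alg) for alg in ("md5", "sha256")}


# Constructed sample: the bytes 0x01..0x20 stand in for a real ed25519 key.
SAMPLE_BLOB = make_ed25519_blob(bytes(range(1, 33)))
SAMPLE_LINE = "ssh-ed25519 %s demo@example" % base64.b64encode(SAMPLE_BLOB).decode("ascii")

if __name__ == "__main__":
    for alg, fp in sorted(fingerprints_for_line(SAMPLE_LINE).items()):
        print("%6s: %s" % (alg, fp))
```

Run against a real `~/.ssh/id_ed25519.pub` line, the sha256 entry must equal what `ssh-keygen -lf` prints on 6.8, and the md5 entry what `ssh-keygen -E md5 -lf` prints.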
From: Herb.Goldman at ssh.com (Herb.Goldman at ssh.com)
Date: Fri, 20 Feb 2015 01:38:32 +0000
Subject: SUCCESS: OpenSSH_6.7p1-snap20150220

Compiled OK, and operating nicely on CentOS 6.6, both 32/64 bit.
Really appreciate the UpdateHostkeys feature!
One issue I noticed, the screen output gets garbled if the user has been "asked" to "Accept" the new hostkeys.
Looks like the screen output is missing the CR's, and only LF's get presented.

[root at be2 .ssh]# ssh be1 ls -l
Warning: Permanently added 'be1,fec0::ffff:0:1:c0a8:415' (ECDSA) to the list of known hosts.
total 12
-rw-r--r-- 1 root root 1829 Jan 23 17:43 authorized_keys
-rw-r--r-- 1 root root 575 Jan 21 17:24 sshd.pam
drwxr-xr-x 2 root root 4096 Feb 9 14:17 tmp

[root at be2 .ssh]# ssh -o UpdateHostkeys=yes be1 ls -l
Learned new hostkey: RSA SHA256:Alc84pvwkLVLIyRC7Z5HUpYeySwK+aMykv9cw6LCark
Learned new hostkey: DSA SHA256:4RFtn0pMD4/AiKANWn6K3ODT66Jw8CE4SXOnAbOBXgQ
Learned new hostkey: ED25519 SHA256:OzKAhPkHQDfk7GTvSZRKIHIv+25inWKy2n0PF8HbIhY
Learned new hostkey: RSA SHA256:ZaHa2K0aOv6zzVTNviT08xk/ZY8xeML9uz62OiHAxOM
Learned new hostkey: DSA SHA256:yYtO6dUL0cATSEBAyOyQApxehlhliWY5t5Z0p1CplpY
Learned new hostkey: ECDSA SHA256:70rXiF+VgchFSvKmBQ/sXw+iANmwVTnmzQzlytaBpx4
Learned new hostkey: ED25519 SHA256:n/qAw/sTr+4KnQ1okNg/s3tgV9wRjXULbP/a9Jy++oA
Accept updated hostkeys? (yes/no): yes
total 12
-rw-r--r-- 1 root root 1829 Jan 23 17:43 authorized_keys
-rw-r--r-- 1 root root 575 Jan 21 17:24 sshd.pam
drwxr-xr-x 2 root root 4096 Feb 9 14:17 tmp
[root at be2 .ssh]#

Herb Goldman
Customer Advocate
SSH Communications Security
Takomotie 8, 00380 Helsinki, Finland
+1 302 690-7607 | +358 9 2316-7168
herb.goldman at ssh.com | Skype: "sshherb"

From calestyo at scientia.net Fri Feb 20 12:51:29 2015
From: calestyo at scientia.net (Christoph Anton Mitterer)
Date: Fri, 20 Feb 2015 02:51:29 +0100
Subject: which are the exact effects of MaxSessions
Message-ID: <1424397089.4564.82.camel@scientia.net>

Hey.

I wondered a bit which the exact effects of MaxSessions are.

The documentation says:
    Specifies the maximum number of open sessions permitted per network connection. The default is 10.

And it apparently seems that setting e.g. the following in sshd_config:

MaxSessions 0
=> no logins possible at all

MaxSessions 1
=> control channel muxing basically forbidden from the server side

MaxSessions n
=> at most n sessions may use a mux, including the one which initiated it,
   but further muxes (with again n sessions) may be created by that client

Is it just that? Or are there any other side effects which I can't see?

Thanks,
Chris.

btw: Would be nice if something like the above could be added to the manpage for clarification :)

From jjelen at redhat.com Fri Feb 20 18:09:27 2015
From: jjelen at redhat.com (Jakub Jelen)
Date: Fri, 20 Feb 2015 08:09:27 +0100
Subject: which are the exact effects of MaxSessions
In-Reply-To: <1424397089.4564.82.camel@scientia.net>
References: <1424397089.4564.82.camel@scientia.net>
Message-ID: <54E6DDA7.4010903@redhat.com>

Hello,
According to my observation, MaxSessions 1 works for opening only one session through a multiplexed channel, which degrades the multiplexed connection back to only one session. MaxSessions 0 doesn't make much sense.
I don't know if you use openssh from some distribution, but in RHEL we recently had one bug in audit which looks similar to your issue -- with MaxSessions 1 sshd was preventing you from logging in.

On 02/20/2015 02:51 AM, Christoph Anton Mitterer wrote:
> Hey.
>
> I wondered a bit which the exact effects of MaxSessions are.
>
> The documentation says:
> Specifies the maximum number of open sessions permitted per network
> connection. The default is 10.
>
>
> And it apparently seems that setting e.g. the following in sshd_config:
> MaxSessions 0
> => no logins possible at all
>
> MaxSessions 1
> => control channel muxing basically forbidden from the server side
>
> MaxSessions n
> => at most n sessions may use a mux, including the one which
> initiated it
> but further muxes (with again n sessions) may be created by that
> client
>
>
> Is it just that? Or are there any other side effects which I can't see?

Yes, it should be like this. Basically it is meant to have max N interactive sessions in that connection initiated by mux. If you try to connect using "ssh -T", a pty is not allocated and this doesn't count as a session (not sure if it is a bug or a feature -- reproducible with vanilla sources). Damien?

Greetings,
Jakub

>
>
> Thanks,
> Chris.
>
> btw: Would be nice if something like the above could be added to the
> manpage for clarification :)
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From ismail at donmez.ws Fri Feb 20 18:20:45 2015
From: ismail at donmez.ws (İsmail Dönmez)
Date: Fri, 20 Feb 2015 09:20:45 +0200
Subject: [PATCH] Unbreak compilation with --without-ssh1

Oh sorry for that! Hope this works better.

diff --git a/opacket.c b/opacket.c index 7618eae..17eb889 100644 --- a/opacket.c +++ b/opacket.c @@ -75,6 +75,7 @@ ssh_packet_put_raw(struct ssh *ssh, const void *buf, u_int len) } #ifdef WITH_OPENSSL +#ifdef WITH_SSH1 void ssh_packet_put_bignum(struct ssh *ssh, BIGNUM * value) { @@ -83,6 +84,7 @@ ssh_packet_put_bignum(struct ssh *ssh, BIGNUM * value) if ((r = sshpkt_put_bignum1(ssh, value)) != 0) fatal("%s: %s", __func__, ssh_err(r)); } +#endif void ssh_packet_put_bignum2(struct ssh *ssh, BIGNUM * value) @@ -147,6 +149,7 @@ ssh_packet_get_int64(struct ssh *ssh) } #ifdef WITH_OPENSSL +#ifdef WITH_SSH1 void ssh_packet_get_bignum(struct ssh *ssh, BIGNUM * value) {
@@ -155,6 +158,7 @@ ssh_packet_get_bignum(struct ssh *ssh, BIGNUM * value) if ((r = sshpkt_get_bignum1(ssh, value)) != 0) fatal("%s: %s", __func__, ssh_err(r)); } +#endif void ssh_packet_get_bignum2(struct ssh *ssh, BIGNUM * value)

On Thu, Feb 19, 2015 at 11:05 PM, Darren Tucker wrote:
> Unfortunately the patch didn't make it (the list server strips out all
> attachments that are not text/plain). Could you please resend either inline
> or as text/plain? If not, the other alternative is to attach it to a bug at
> https://bugzilla.mindrot.org.
>
> Thanks.
>
> On Thu, Feb 19, 2015 at 8:24 AM, İsmail Dönmez wrote:
>>
>> Hi,
>>
>> Patch attached for $SUBJECT.
>>
>> ismail
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

From ismail at donmez.ws Fri Feb 20 20:25:01 2015
From: ismail at donmez.ws (İsmail Dönmez)
Date: Fri, 20 Feb 2015 11:25:01 +0200
Subject: Call for testing: OpenSSH 6.8

Hi,

On Fri, Feb 20, 2015 at 12:21 AM, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.

All tests pass on my Linux box. But https://bugzilla.mindrot.org/show_bug.cgi?id=2342 is a notable regression.

Regards,
ismail

From roshanr.nair at gmail.com Fri Feb 20 23:16:42 2015
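Review bot: in the two opacket.c hunks that add `+#endif` (the one after ssh_packet_put_bignum at -83,6 +84,7 and the one after ssh_packet_get_bignum at -155,6 +158,7), the new `#endif` closes a `#ifdef WITH_SSH1` that is itself nested inside the pre-existing `#ifdef WITH_OPENSSL`, and neither conditional's end is labelled. Write the new lines as `#endif /* WITH_SSH1 */` so a reader can tell which of the two adjacent conditionals each `#endif` terminates; the first and third hunks, which add the matching `+#ifdef WITH_SSH1` directly under `#ifdef WITH_OPENSSL`, are fine as they are.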
From: roshanr.nair at gmail.com (Roshan Nair)
Date: Fri, 20 Feb 2015 17:46:42 +0530
Subject: SCP fails with read failure on openssh6.5.

Hi,

Wanted to know if there is a work around or a fix available for the scp failure issue we are seeing in atomicio6 func? SCP code transfer starts but in between gets stuck with read failure.

The linux version we have on our system is Linux (none) 2.6.34.6 and open ssh version is OpenSSH_6.5p1, OpenSSL 1.0.1j.
Since it's not possible for us to move to the latest linux kernel I am trying to find a way for a fix.

The code flow is as below:

main() -> ..->sink()->atomicio6()->read()

In func atomicio6() returns response -1 with error number EAGAIN during the course of the transfer.

Error number EAGAIN leads to a poll() being called which I believe never returns and hence the scp transfer hangs.

I have tried enabling the macro BROKEN_READ_COMPARISION but no help.

I tried a solution mentioned in the thread below but that too didn't quite help.

https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-January/032080.html

Anything else I can try to fix this or any workaround anyone can suggest?

--
---------------------------------------------------------------------------------
Roshan Nair

--whatever you end up doing ... love it!
---------------------------------------------------------------------------------

From nkadel at gmail.com Sat Feb 21 02:11:36 2015
From: nkadel at gmail.com (Nico Kadel-Garcia)
Date: Fri, 20 Feb 2015 10:11:36 -0500
Subject: ssh_config "database"/"sort"able format?

This approach works well, and can scale. A critical part is to sanity check the result for compatibility.

Nico Kadel-Garcia
Email: nkadel at gmail.com
Sent from iPhone

> On Feb 18, 2015, at 17:11, shawn wilson wrote:
>
>> On Feb 18, 2015 2:53 PM, "Hendrik Visage" wrote:
>
>>
>> Questions:
>> - Is there anybody that see a value in a format/parser/matcher for
>> ssh_config files to be able to merge/"diff"/sort these files?
>
> I've started on a perl module to go through an ssh config and compile what
> ssh should do for a given host (mainly to only ssh-add a key when a host is
> configured to use it). I would prefer an abstract config backend though.
>
>> - Any other ideas/solutions I could consider to manage these ssh_config
> files?
>
> You can make a compile script that takes ordered parts of a config and
> builds an ssh_config and then you're only checking in and/or comparing
> project specific bits.

From nkadel at gmail.com Sat Feb 21 02:09:00 2015
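A minimal resolver for the "what should ssh do for a given host" question in this thread, as an added example in Python that is neither OpenSSH code nor the perl module mentioned above: it applies the ssh_config(5) rules that for each option the first obtained value wins (IdentityFile and a few other options accumulate instead), and that a negated Host pattern vetoes the whole block, then reports the effective options much as ssh -G does. The config it reads is a constructed sample; Match blocks are rejected rather than parsed, and host names are compared case-insensitively, which is a simplification.

```python
"""Resolve the options ssh(1) would apply to a host from an ssh_config.

Added example, not OpenSSH code.  Rules implemented, from ssh_config(5):
  - the first obtained value for an option wins; later blocks cannot
    override it (MULTI_VALUED options accumulate in order instead);
  - a Host line holds whitespace-separated patterns with '*' and '?'
    wildcards; if a negated ('!') pattern matches, the block is skipped
    regardless of the other patterns; otherwise any positive match applies.
Simplifications (assumptions of this example): Match blocks raise an error,
quoted values are not handled, and host comparison is case-insensitive.
"""
import re

# Options that accumulate across matching blocks instead of first-wins.
MULTI_VALUED = {"identityfile", "certificatefile", "localforward",
                "remoteforward", "sendenv"}

_KEYVAL = re.compile(r"^([A-Za-z0-9]+)\s*(?:=\s*|\s+)(.*)$")


def _pattern_regex(pattern):
    """Translate an ssh_config pattern ('*' any run, '?' one char) to a regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE)


def host_matches(host, patterns):
    """Host-line rule: a matching negated pattern vetoes the block outright."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if _pattern_regex(pat[1:]).match(host):
                return False
        elif _pattern_regex(pat).match(host):
            positive = True
    return positive


def parse_ssh_config(text):
    """Split config text into (patterns, [(keyword, value), ...]) blocks.

    Options before the first Host line form an implicit block for every host.
    """
    blocks = [(["*"], [])]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEYVAL.match(line)
        if not m or not m.group(2).strip():
            raise ValueError("line %d: expected '<keyword> <value>'" % lineno)
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            raise ValueError("line %d: Match blocks are not supported here" % lineno)
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks


def resolve(text, host):
    """Effective options for host: first value wins, MULTI_VALUED accumulate."""
    effective = {}
    for patterns, options in parse_ssh_config(text):
        if not host_matches(host, patterns):
            continue
        for key, value in options:
            if key in MULTI_VALUED:
                effective.setdefault(key, []).append(value)
            elif key not in effective:
                effective[key] = value
    return effective


def hosts_with_agent_forwarding(text, hosts):
    """Audit helper: which of the given hosts end up with ForwardAgent yes."""
    return [h for h in hosts
            if resolve(text, h).get("forwardagent", "no").lower() == "yes"]


# Constructed sample config, not a real site's file.
SAMPLE_CONFIG = """\
# per-gateway identity, with agent forwarding only to this gateway
Host network-a-gateway.example.com
    IdentityFile ~/.ssh/network-a-2014-10-12
    IdentitiesOnly yes
    ForwardAgent yes

Host *.example.com !network-b-*
    User alice

Host *
    ForwardAgent no
    IdentityFile ~/.ssh/id_ed25519
"""

if __name__ == "__main__":
    for h in ("network-a-gateway.example.com", "network-b-gateway.example.com"):
        print(h, resolve(SAMPLE_CONFIG, h))
```

For a real file, compare `resolve(open("~/.ssh/config").read(), host)` with `ssh -G host` on 6.8 to catch blocks that do not apply as intended.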
From: nkadel at gmail.com (Nico Kadel-Garcia)
Date: Fri, 20 Feb 2015 10:09:00 -0500
Subject: SCP fails with read failure on openssh6.5.
Message-ID: <83529F30-1468-4100-A35E-1E86BE601FD0@gmail.com>

Use rsync instead of scp?

Nico Kadel-Garcia
Email: nkadel at gmail.com
Sent from iPhone

> On Feb 20, 2015, at 7:16, Roshan Nair wrote:
>
> Hi,
>
> Wanted to know if there is a work around or a fix available for the scp
> failure issue we are seeing in atomicio6 func? SCP code transfer starts
> but in between gets stuck with read failure.
>
> The linux version we have on our system is Linux (none) 2.6.34.6 and open
> ssh version is OpenSSH_6.5p1, OpenSSL 1.0.1j.
> Since it's not possible for us to move to the latest linux kernel I am
> trying to find a way for a fix.
>
> The code flow is as below:
>
> main() -> ..->sink()->atomicio6()->read()
>
> In func atomicio6() returns response -1 with error number EAGAIN during the
> course of the transfer.
>
> Error number EAGAIN leads to a poll() being called which I believe never
> returns and hence the scp transfer hangs.
>
> I have tried enabling the macro BROKEN_READ_COMPARISION but no help.
>
> I tried a solution mentioned in the thread below but that too didn't quite
> help.
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-January/032080.html
>
> Anything else I can try to fix this or any workaround anyone can suggest?
>
> --
> ---------------------------------------------------------------------------------
> Roshan Nair
>
> --whatever you end up doing ... love it!
> ---------------------------------------------------------------------------------

From djm at mindrot.org Sat Feb 21 08:57:43 2015
From: djm at mindrot.org (Damien Miller)
Date: Sat, 21 Feb 2015 08:57:43 +1100 (AEDT)
Subject: SUCCESS: OpenSSH_6.7p1-snap20150220

On Fri, 20 Feb 2015, Herb.Goldman at ssh.com wrote:

> Compiled OK, and operating nicely on CentOS 6.6, both 32/64 bit.
> Really appreciate the UpdateHostkeys feature!
> One issue I noticed, the screen output gets garbled if the user has been "asked" to "Accept" the new hostkeys.
> Looks like the screen output is missing the CR's, and only LF's get presented.
>
> [root at be2 .ssh]# ssh be1 ls -l
> Warning: Permanently added 'be1,fec0::ffff:0:1:c0a8:415' (ECDSA) to the list of known hosts.
> total 12
> -rw-r--r-- 1 root root 1829 Jan 23 17:43 authorized_keys
> -rw-r--r-- 1 root root 575 Jan 21 17:24 sshd.pam
> drwxr-xr-x 2 root root 4096 Feb 9 14:17 tmp
>
> [root at be2 .ssh]# ssh -o UpdateHostkeys=yes be1 ls -l
> Learned new hostkey: RSA SHA256:Alc84pvwkLVLIyRC7Z5HUpYeySwK+aMykv9cw6LCark
> Learned new hostkey: DSA SHA256:4RFtn0pMD4/AiKANWn6K3ODT66Jw8CE4SXOnAbOBXgQ
> Learned new hostkey: ED25519 SHA256:OzKAhPkHQDfk7GTvSZRKIHIv+25inWKy2n0PF8HbIhY
> Learned new hostkey: RSA SHA256:ZaHa2K0aOv6zzVTNviT08xk/ZY8xeML9uz62OiHAxOM
> Learned new hostkey: DSA SHA256:yYtO6dUL0cATSEBAyOyQApxehlhliWY5t5Z0p1CplpY
> Learned new hostkey: ECDSA SHA256:70rXiF+VgchFSvKmBQ/sXw+iANmwVTnmzQzlytaBpx4
> Learned new hostkey: ED25519 SHA256:n/qAw/sTr+4KnQ1okNg/s3tgV9wRjXULbP/a9Jy++oA
> Accept updated hostkeys? (yes/no): yes

That's strange - your commandline doesn't indicate you are using 'ask'. Are you using ControlPersist? I'm just fixing a bug between ControlPersist and UpdateHostkeys=ask

-d

From djm at mindrot.org Sat Feb 21 09:01:52 2015
From: djm at mindrot.org (Damien Miller)
Date: Sat, 21 Feb 2015 09:01:52 +1100 (AEDT)
Subject: Call for testing: OpenSSH 6.8

On Fri, 20 Feb 2015, İsmail Dönmez wrote:

> Hi,
>
> On Fri, Feb 20, 2015 at 12:21 AM, Damien Miller wrote:
> > Hi,
> >
> > OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This release contains
> > some substantial new features and a number of bugfixes.
>
> All tests pass on my Linux box. But
> https://bugzilla.mindrot.org/show_bug.cgi?id=2342 is a notable
> regression.

hm, I can't replicate this problem:

[djm at fuyu openssh]$ mkdir x
[djm at fuyu openssh]$ cd x
[djm at fuyu x]$ ../ssh-keygen -t ed25519 -f key -N '' -q
[djm at fuyu x]$ ../ssh-keygen -lf ^C
[djm at fuyu x]$ rm key ; mv key.pub key
[djm at fuyu x]$ ../ssh-keygen -lf key
256 SHA256:0UH+G0Bw+ZP3rqTwxsio5CUTrKkS/kcJ26RwV3Twbyw djm at fuyu (ED25519)

-d

From calestyo at scientia.net Sat Feb 21 10:42:50 2015
From: calestyo at scientia.net (Christoph Anton Mitterer)
Date: Sat, 21 Feb 2015 00:42:50 +0100
Subject: which are the exact effects of MaxSessions
In-Reply-To: <54E6DDA7.4010903@redhat.com>
References: <1424397089.4564.82.camel@scientia.net> <54E6DDA7.4010903@redhat.com>
Message-ID: <1424475770.4823.64.camel@scientia.net>

On Fri, 2015-02-20 at 08:09 +0100, Jakub Jelen wrote:
> According to my observation, MaxSessions 1 works for opening only one
> session through a multiplexed channel, which degrades the multiplexed
> connection back to only one session.
Well one still gets a mux process and also the messages (when debugging is on) on the "master session" that others try to re-use it... but then they're blocked.

> I don't know if you use openssh from some distribution
Debian.

> , but in RHEL we
> recently had one bug in audit which looks similar to your issue --
> with MaxSessions 1 sshd was preventing you from logging in.
Well I don't really think I have any issues... I just wondered whether there are any other side-effects than having influence on the channel muxing ... perhaps something like "only accept 1 session from the same IP, even when not muxing".

What is the issue you guys found?

Cheers,
Chris.

From igor at mir2.org Sat Feb 21 10:55:28 2015
From: igor at mir2.org (Igor Bukanov)
Date: Sat, 21 Feb 2015 00:55:28 +0100
Subject: curve25519-sha256 key exchange at least 50% times slower than DHE

Hello,

I tried to optimize ssh server and client config to minimize the ssh connection time while keeping things reasonably secure. I observed that timing of `ssh vm true` when running against a VM on my laptop was at least 50% times slower when using curve25519-sha256 compared with diffie-hellman-group-exchange-sha256. With openssh 6.6p1 on both a client and server the best timing when running

ssh -o Ciphers=aes128-gcm at openssh.com -o KexAlgorithms=diffie-hellman-group-exchange-sha256 vm-name true

was 95ms while the best result for

ssh -o Ciphers=aes128-gcm at openssh.com -o KexAlgorithms=curve25519-sha256 at libssh.org vm-name true

was 140ms with much greater deviation among results so on average it ran 2 times slower.

Is it just an artifact of a less optimized implementation or is this inherited in the 25519 design?

Also, could the rather significant variation in results be used to learn how busy the box is, or is this normal as key exchange timing is variable by design?

From calestyo at scientia.net Sat Feb 21 13:09:14 2015
From: calestyo at scientia.net (calestyo at scientia.net)
Date: Sat, 21 Feb 2015 03:09:14 +0100
Subject: [PATCH] document evaluation of {Allow|Deny}{Users|Groups}
Message-ID: <1424484554-31968-1-git-send-email-calestyo@scientia.net>

From: Christoph Anton Mitterer

- Document what the evaluation order of AllowUsers, DenyUsers, AllowGroups and DenyGroups actually means.

Fixes bug #2292.

Signed-off-by: Christoph Anton Mitterer
---
 sshd_config.5 | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sshd_config.5 b/sshd_config.5 index fd44abe..a10b113 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -116,6 +116,8 @@ The allow/deny directives are processed in the following order: .Cm DenyGroups , and finally .Cm AllowGroups . +The first one that matches determines whether the login is allowed or +denied, with the later processed directives being ignored. .Pp See PATTERNS in .Xr ssh_config 5 @@ -176,6 +178,8 @@ The allow/deny directives are processed in the following order: .Cm DenyGroups , and finally .Cm AllowGroups . +The first one that matches determines whether the login is allowed or +denied, with the later processed directives being ignored. .Pp See PATTERNS in .Xr ssh_config 5 @@ -460,6 +464,8 @@ The allow/deny directives are processed in the following order: .Cm DenyGroups , and finally .Cm AllowGroups . +The first one that matches determines whether the login is allowed or +denied, with the later processed directives being ignored. .Pp See PATTERNS in .Xr ssh_config 5 @@ -479,6 +485,8 @@ The allow/deny directives are processed in the following order: .Cm DenyGroups , and finally .Cm AllowGroups . +The first one that matches determines whether the login is allowed or +denied, with the later processed directives being ignored. .Pp See PATTERNS in .Xr ssh_config 5
-- 2.1.4

From calestyo at scientia.net Sat Feb 21 13:53:04 2015
From: calestyo at scientia.net (calestyo at scientia.net)
Date: Sat, 21 Feb 2015 03:53:04 +0100
Subject: [PATCH] mention ClientAlive as alternative at TCPKeepAlive
Message-ID: <1424487184-2068-1-git-send-email-calestyo@scientia.net>

From: Christoph Anton Mitterer

- Mention the ClientAliveInterval and ClientAliveCountMax at the description of the TCPKeepAlive directive in sshd_config(5) as an alternative to reach similar effects.

Signed-off-by: Christoph Anton Mitterer
---
 sshd_config.5 | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sshd_config.5 b/sshd_config.5 index fd44abe..d13dd96 100644 --- a/sshd_config.5 +++ b/sshd_config.5
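Review bot: in the {Allow|Deny}{Users|Groups} documentation patch, the two lines every hunk adds ("The first one that matches determines whether the login is allowed or denied, with the later processed directives being ignored") read as a short-circuit rule, but for the two Allow directives the decisive event is a non-match (a non-empty AllowUsers or AllowGroups list refuses everyone not on it), and the context lines only promise an evaluation order, not that a matching Allow entry ends evaluation before DenyGroups is consulted. Unless auth.c really stops at the first matching Allow entry, reword it per directive, e.g. "A login is refused as soon as it matches a Deny directive or fails to match a non-empty Allow directive; it is permitted only if it passes all four." The same two lines are added verbatim in all four hunks (sshd_config.5 lines 116, 176, 460 and 479), mirroring the paragraph already duplicated there; one shared description with cross references would be easier to keep consistent.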
@@ -1271,6 +1271,12 @@ sessions may hang indefinitely on the server, leaving .Dq ghost users and consuming server resources. .Pp +Alternatively (or additionally) client alive messages can be used by +setting +.Cm ClientAliveInterval +and +.Cm ClientAliveCountMax . +.Pp The default is .Dq yes (to send TCP keepalive messages), and the server will notice
-- 2.1.4

From calestyo at scientia.net Sat Feb 21 13:54:18 2015
From: calestyo at scientia.net (calestyo at scientia.net)
Date: Sat, 21 Feb 2015 03:54:18 +0100
Subject: [PATCH] improve documentation of ForwardX11 options
Message-ID: <1424487258-2200-1-git-send-email-calestyo@scientia.net>

From: Christoph Anton Mitterer

- Improve the documentation of the X11 forwarding options in ssh_config(5):
  - Document that another timeout than 20m will be used if the ForwardX11Timeout directive has been set.
  - Minor spelling mistakes and improvements.

Signed-off-by: Christoph Anton Mitterer
---
 ssh_config.5 | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/ssh_config.5 b/ssh_config.5 index b702e32..11c1fd5 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -673,14 +673,14 @@ if the .Cm ForwardX11Trusted option is also enabled. .It Cm ForwardX11Timeout -Specify a timeout for untrusted X11 forwarding +Specifies a timeout for untrusted X11 forwarding using the format described in the TIME FORMATS section of .Xr sshd_config 5 . X11 connections received by .Xr ssh 1 after this time will be refused. -The default is to disable untrusted X11 forwarding after twenty minutes has +The default is to disable untrusted X11 forwarding after twenty minutes have elapsed. .It Cm ForwardX11Trusted If this option is set to
@@ -694,8 +694,10 @@ from stealing or tampering with data belonging to trusted X11 clients. Furthermore, the .Xr xauth 1 -token used for the session will be set to expire after 20 minutes. -Remote clients will be refused access after this time. +token used for the session will be set to expire after +20 minutes (unless something else has been set via +.Cm ForwardX11Timeout ) +and remote clients will be refused access after this time. .Pp The default is .Dq no .
-- 2.1.4

From calestyo at scientia.net Sat Feb 21 13:51:02 2015
From: calestyo at scientia.net (calestyo at scientia.net)
Date: Sat, 21 Feb 2015 03:51:02 +0100
Subject: [PATCH] clarify how IgnoreUserKnownHosts works
Message-ID: <1424487062-1822-1-git-send-email-calestyo@scientia.net>

From: Christoph Anton Mitterer

Based on the previous documentation of the IgnoreUserKnownHosts directive, the average user could easily think that the default value “no” is the more secure choice (in the sense of “do not even check in ~/.ssh/known_hosts”).

- Clarify in sshd_config(5) that a value of “yes” in the IgnoreUserKnownHosts directive makes sshd(8) only trust the global known hosts list (/etc/ssh/ssh_known_hosts).

Signed-off-by: Christoph Anton Mitterer
---
 sshd_config.5 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sshd_config.5 b/sshd_config.5 index 43cc826..4ed3afc 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -627,7 +627,9 @@ should ignore the user's during .Cm RhostsRSAAuthentication or -.Cm HostbasedAuthentication . +.Cm HostbasedAuthentication +and instead only trust the systemwide +.Pa /etc/ssh/ssh_known_hosts . The default is .Dq no . .It Cm IPQoS
-- 2.1.4

From calestyo at scientia.net Sat Feb 21 14:03:21 2015
From: calestyo at scientia.net (calestyo at scientia.net)
Date: Sat, 21 Feb 2015 04:03:21 +0100
Subject: [PATCH] clarify doc of NoHostAuthenticationForLocalhost
Message-ID: <1424487801-13254-1-git-send-email-calestyo@scientia.net>
From: Christoph Anton Mitterer

Clarify the documentation of the NoHostAuthenticationForLocalhost directive in ssh_config(5):
- Document that it works on any hostname that resolves to the loopback device.
- Demote the “use case” to being just one example of how it can be used.

Fixes bug #2293.

Signed-off-by: Christoph Anton Mitterer
---
 ssh_config.5 | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/ssh_config.5 b/ssh_config.5 index b702e32..f79a17d 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -1041,15 +1041,19 @@ hmac-md5,hmac-sha1,hmac-ripemd160, hmac-sha1-96,hmac-md5-96 .Ed .It Cm NoHostAuthenticationForLocalhost -This option can be used if the home directory is shared across machines. -In this case localhost will refer to a different machine on each of -the machines and the user will get many warnings about changed host keys. -However, this option disables host authentication for localhost. -The argument to this keyword must be -.Dq yes -or -.Dq no . -The default is to check the host key for localhost. +If set to +.Dq yes , +then no host authentication will be performed for any target +.Ar hostname +(for example localhost or ip6-localhost) that resolves to a +loopback network interface (that is addresses 127.0.0.0/8 for IPv4 +respectively ::1/128 for IPv6). The default of +.Dq no +is to always check the host key of all SSH servers. +.Pp +This option can for example be used when the home directory is shared across +machines. In this case the name localhost will refer to a different machine +on each of the machines and the user will get many warnings about changed host keys. .It Cm NumberOfPasswordPrompts Specifies the number of password prompts before giving up. The argument to this keyword must be an integer.
-- 2.1.4

From calestyo at scientia.net Sat Feb 21 14:15:58 2015
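Review bot: in the NoHostAuthenticationForLocalhost hunk, "127.0.0.0/8 for IPv4 respectively ::1/128 for IPv6" misuses "respectively"; write "127.0.0.0/8 for IPv4 and ::1/128 for IPv6". The added text also promises the exemption for any target hostname that resolves to a loopback address, which is a stronger statement than the old "localhost" wording it replaces, so the exact condition the client tests should be confirmed against sshconnect.c before the manual commits to it. The hunk additionally drops "The argument to this keyword must be yes or no"; keep that sentence, since the neighbouring NumberOfPasswordPrompts entry in the trailing context states its argument type the same way.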
From: calestyo at scientia.net (calestyo at scientia.net) Date: Sat, 21 Feb 2015 04:15:58 +0100 Subject: [PATCH] remove unused symbols Message-ID: <1424488558-14425-1-git-send-email-calestyo@scientia.net> From: Christoph Anton Mitterer - Removed the no longer used symbol "sKerberosTgtPassing". Signed-off-by: Christoph Anton Mitterer --- servconf.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/servconf.c b/servconf.c index 3185462..b59b657 100644 --- a/servconf.c +++ b/servconf.c @@ -376,8 +376,7 @@ typedef enum { sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, - sKerberosGetAFSToken, - sKerberosTgtPassing, sChallengeResponseAuthentication, + sKerberosGetAFSToken, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, sPrintMotd, sPrintLastLog, sIgnoreRhosts, -- 2.1.4 From calestyo at scientia.net Sat Feb 21 14:29:33 2015 From: calestyo at scientia.net (calestyo at scientia.net) Date: Sat, 21 Feb 2015 04:29:33 +0100 Subject: [PATCH] improve documentation of control channel options Message-ID: <1424489373-15893-1-git-send-email-calestyo@scientia.net> From: Christoph Anton Mitterer - Improve the documentation of the control channel options in ssh_config(5): - Clarify what happens at ControlMaster=ask, when the connection trial of another ssh(1) is rejected. - Document that a non-backgrounded master control channel process will remain open until the last connection has been closed, even after its session has ended. And also that in the meantime new clients can start using the master control channel. - Document the default values of the ControlPath and ControlPersist directives. - Minor spelling mistakes and improvements.
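Review bot: removing sKerberosTgtPassing from the ServerOpCodes enum (@@ -376,8 +376,7 @@ in servconf.c) is only safe if nothing else references it, and the patch shows just the enum while the commit message asserts the symbol is unused without showing why. If the "kerberostgtpassing" entry in keywords[] already maps to sUnsupported, as the other retired Kerberos/AFS keywords do, say so in the message; otherwise a second hunk adjusting that entry belongs in the same patch. The renumbering of the members that follow is harmless since the enum is only ever used symbolically.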
Signed-off-by: Christoph Anton Mitterer --- ssh_config.5 | 49 +++++++++++++++++++++++++++++++++---------------- 1 file changed, 33 insertions(+), 16 deletions(-) diff --git a/ssh_config.5 b/ssh_config.5 index b702e32..30a4a47 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -487,10 +487,10 @@ to listen for control connections, but require confirmation using the program before they are accepted (see .Xr ssh-add 1 for details). -If the -.Cm ControlPath -cannot be opened, -ssh will continue without connecting to a master instance. +If another +.Xr ssh 1 +is rejected to use the master instance, it will continue normally without +using it. .Pp X11 and .Xr ssh-agent 1 @@ -508,25 +508,32 @@ and The latter requires confirmation like the .Dq ask option. +.Pp +Unless +.Cm ControlPersist +is set to have the master connection backrounded, it will remain open (and thus +the master +.Xr ssh 1 +process will not terminate even after its session has ended) until all other +instances using it have been closed. .It Cm ControlPath -Specify the path to the control socket used for connection sharing as described +Specifies the path to the control socket used for connection sharing as described in the .Cm ControlMaster section above or the string .Dq none -to disable connection sharing. +(the default) to disable connection sharing. In the path, .Ql %L will be substituted by the first component of the local host name, .Ql %l -will be substituted by the local host name (including any domain name), +by the local host name (including any domain name), .Ql %h -will be substituted by the target host name, +by the target host name, .Ql %n -will be substituted by the original target host name -specified on the command line, +by the original target host name specified on the command line, .Ql %p -the destination port, +by the destination port, .Ql %r by the remote login username, .Ql %u 
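Review bot: in the ControlMaster hunk (@@ -487,10 +487,10 @@), "If another ssh is rejected to use the master instance, it will continue normally without using it" is ungrammatical and also narrows the statement: the text it replaces covered the case where the ControlPath socket cannot be opened at all, which the new wording no longer mentions. Keep both cases, e.g. "If the ControlPath cannot be opened, or the master declines the connection (for example because confirmation was refused), ssh continues without connection sharing."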
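Review bot: in the second hunk (@@ -508,25 +508,32 @@), "backrounded" is a typo for "backgrounded", and the new paragraph about the master process remaining open until all other instances have closed duplicates the text this same patch adds under ControlPersist; describe the lifetime once, under ControlPersist where the "no" case is explained, and point to it from ControlMaster. Marking .Dq none as "(the default)" for ControlPath is a useful addition.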
@@ -536,19 +543,28 @@ by the username of the user running by a hash of the concatenation: %l%h%p%r. It is recommended that any .Cm ControlPath -used for opportunistic connection sharing include +used for opportunistic connection sharing includes at least %h, %p, and %r (or alternatively %C). This ensures that shared connections are uniquely identified. .It Cm ControlPersist When used in conjunction with .Cm ControlMaster , -specifies that the master connection should remain open +specifies whether and how the master connection should remain open in the background (waiting for future client connections) after the initial client connection has been closed. +.Pp If set to -.Dq no , -then the master connection will not be placed into the background, -and will close as soon as the initial client connection is closed. +.Dq no +(the default), then the master connection will not be placed into the +background and will close as soon as it is no longer used by any client +connection (both, the initial or later ones). Thus the master +.Xr ssh 1 +process will not terminate (even after its session has ended) until all other +instances using it have been closed. Even after the master +.Xr ssh 1 +process? session has ended, new clients can still connect to the master +connection as long as it is open. +.Pp If set to .Dq yes , then the master connection will remain in the background indefinitely @@ -556,6 +572,7 @@ then the master connection will remain in the background indefinitely .Xr ssh 1 .Dq Fl O No exit option). +.Pp If set to a time in seconds, or a time in any of the formats documented in .Xr sshd_config 5 , then the backgrounded master connection will automatically terminate -- 2.1.4 From calestyo at scientia.net Sat Feb 21 14:52:20 2015 
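Review bot: in the @@ -536,19 +543,28 @@ hunk, changing "include at least %h, %p, and %r" to "includes" breaks the sentence: "It is recommended that any ControlPath ... include" is a subjunctive and "include" was correct, so revert that one-word change. In the ControlPersist "no" paragraph, "(both, the initial or later ones)" should be "(whether the initial one or a later one)", and "process? session" shows that a non-ASCII apostrophe crept into the manpage source; use a plain ASCII apostrophe or rephrase to "the session of the master ssh process". The .Pp breaks separating the no/yes/time cases are a clear improvement.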
From: calestyo at scientia.net (calestyo at scientia.net) Date: Sat, 21 Feb 2015 04:52:20 +0100 Subject: [PATCH 2/2] mention the other argument of ssh -Q In-Reply-To: <1424490740-19020-1-git-send-email-calestyo@scientia.net> References: <1424490740-19020-1-git-send-email-calestyo@scientia.net> Message-ID: <1424490740-19020-2-git-send-email-calestyo@scientia.net> From: Christoph Anton Mitterer --- sshd_config.5 | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/sshd_config.5 b/sshd_config.5 index 8033c01..dd8f46f 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -430,8 +430,10 @@ The list of available ciphers may also be obtained using the .Fl Q option of .Xr ssh 1 -with an argument of -.Dq cipher . +with an argument of either +.Dq cipher +or +.Dq cipher-auth . .It Cm ClientAliveCountMax Sets the number of client alive messages (see below) which may be sent without -- 2.1.4 From calestyo at scientia.net Sat Feb 21 14:52:19 2015 From: calestyo at scientia.net (calestyo at scientia.net) Date: Sat, 21 Feb 2015 04:52:19 +0100 Subject: [PATCH 1/2] add missing algorithms to manpages Message-ID: <1424490740-19020-1-git-send-email-calestyo@scientia.net> From: Christoph Anton Mitterer - Add "rijndael-cbc at lysator.liu.se" to list of algorithms in the description of the Cipher directive within sshd_config(5). Partially fixes bug #2290. - Add "hmac-ripemd160 at openssh.com" to list of algorithms in the description of the MACs directive within sshd_config(5). Partially fixes bug #2290. Signed-off-by: Christoph Anton Mitterer --- sshd_config.5 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sshd_config.5 b/sshd_config.5 index 5cf72f1..8033c01 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -415,6 +415,8 @@ blowfish-cbc cast128-cbc .It chacha20-poly1305 at openssh.com +.It +rijndael-cbc at lysator.liu.se .El .Pp The default is:
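Review bot: in the Ciphers hunk of PATCH 2/2 (@@ -430,8 +430,10 @@), "ssh -Q cipher-auth" does not list the available ciphers; it lists only the subset that provide authenticated encryption, so "with an argument of either cipher or cipher-auth" presents the two as interchangeable. Say what each lists, e.g. ".Dq cipher (all supported ciphers) or .Dq cipher-auth (only those that support authenticated encryption)".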
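Review bot: in the Ciphers hunk of PATCH 1/2 (@@ -415,6 +415,8 @@), rijndael-cbc@lysator.liu.se is indeed accepted, but it is only the legacy name for aes256-cbc (same algorithm, same key size); listing it bare next to the real algorithms suggests a separate cipher. Either annotate the entry as an alias of aes256-cbc or mention it in prose after the list.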
@@ -877,6 +879,8 @@ hmac-sha2-256 .It hmac-sha2-512 .It +hmac-ripemd160 at openssh.com +.It umac-64 at openssh.com .It umac-128 at openssh.com -- 2.1.4 From vinschen at redhat.com Sat Feb 21 23:09:55 2015 
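Review bot: in the MACs hunk (@@ -877,6 +879,8 @@), hmac-ripemd160@openssh.com is inserted between hmac-sha2-512 and umac-64@openssh.com, which breaks the grouping of the plain hmac-* entries that the list keeps in alphabetical order; it belongs directly after the existing hmac-ripemd160 entry, of which it is merely the older vendor-suffixed name (same algorithm and key size). Consider saying that too, so readers do not take it for a distinct MAC.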
From: vinschen at redhat.com (Corinna Vinschen) Date: Sat, 21 Feb 2015 13:09:55 +0100 Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: Message-ID: <20150221120955.GA24328@calimero.vinschen.de> Hi Damien, On Feb 20 09:21, Damien Miller wrote: > Hi, > > OpenSSH 6.8 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This release contains > some substantial new features and a number of bugfixes. > > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/ > > The OpenBSD version is available in CVS HEAD: > http://www.openbsd.org/anoncvs.html > > Portable OpenSSH is also available via anonymous CVS using the > instructions at http://www.openssh.com/portable.html#cvs or > via Git at https://anongit.mindrot.org/openssh.git/ > > Running the regression tests supplied with Portable OpenSSH does not > require installation and is simply: > > $ ./configure && make tests Building on 64 bit Cygwin works out of the box. However, I have trouble with the testsuite. As usual, I'm building outside the source tree: - Building the testsuite fails: Assembler messages: Fatal error: can't create regress/unittests/bitmap/tests.o: No such file or directory Makefile:152: recipe for target 'regress/unittests/bitmap/tests.o' failed The testsuite apparently misses creating the regress/unittests/bitmap subdir prior to running the test. Same for the "hostkeys" and "kex" subdirs. If I create these dirs by hand, the build succeeds. Some mkdir -p calls for these three dirs would probably help. - The failing last loop in the "forwarding" script as reported back during 6.7 testing is still failing for me more often than not. It's always the same reason, the script tries to use in-use port numbers. Reducing the forwarding script to only this last test loop succeeds every time, but is quite a hack for testing.
- Last but not least, all tests in hostkey-agent.sh fail and I don't understand what's the problem here. I attached the log files for this problem to this mail. Maybe you see what's going wrong? Thanks, Corinna -- Corinna Vinschen Cygwin Maintainer Red Hat -------------- next part -------------- A non-text attachment was scrubbed... Name: hostkey-agent-logs.tgz Type: application/gzip Size: 5476 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: From htodd at twofifty.com Sun Feb 22 04:26:23 2015 From: htodd at twofifty.com (Hisashi T Fujinaka) Date: Sat, 21 Feb 2015 09:26:23 -0800 (PST) Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: Message-ID: On Fri, 20 Feb 2015, Damien Miller wrote: > OpenSSH 6.8 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This release contains > some substantial new features and a number of bugfixes. > > $ ./configure && make tests NetBSD-current on amd64, NetBSD-7 on amd64 and i386 seem to work fine. MacOS X Yosemite required "--without-openssl-header-check". -- Hisashi T Fujinaka - htodd at twofifty.com BSEE + BSChem + BAEnglish + MSCS + $2.50 = coffee From openssh at roumenpetrov.info Sun Feb 22 05:44:57 2015 
From: openssh at roumenpetrov.info (Roumen Petrov) Date: Sat, 21 Feb 2015 20:44:57 +0200 Subject: Call for testing: OpenSSH 6.8 In-Reply-To: <20150221120955.GA24328@calimero.vinschen.de> References: <20150221120955.GA24328@calimero.vinschen.de> Message-ID: <54E8D229.6030709@roumenpetrov.info> Corinna Vinschen wrote: > [SNIP] > - Last but not least, all tests in hostkey-agent.sh fail and I don't > understand what's the problem here. I attached the log files for this > problem to this mail. Maybe you see what's going wrong? Test cannot load host keys .... please see attached file Roumen -- Get SSH with X.509 certificate support http://roumenpetrov.info/openssh/ -------------- next part -------------- A non-text attachment was scrubbed... Name: 0004-test-regress-hostkey-agent.sh-outside-source-tree.patch Type: text/x-diff Size: 923 bytes Desc: not available URL: From tot-to at tot-to.com Sun Feb 22 07:39:35 2015 From: tot-to at tot-to.com (tot-to) Date: Sat, 21 Feb 2015 21:39:35 +0100 Subject: "PermitRootLogin no" should not proceed with root login Message-ID: <20150221213935.4e0696f1@localhost> Steps to reproduce: 1) PermitRootLogin no in sshd_config 2) login with "root" user from other host Present behaviour: 1) it asks for password 3 times and only then closes the connection. 2) CPU consumption during bruteforce "attacks". Expected behaviour: Immediate disconnect/login fail A workaround is to change the ssh port, ban IPs after some failed logins, or limit the IPs that can connect to this port or the number of connections per IP per unit of time using a firewall. All of them have disadvantages. I use patched version 6.7_p1-r3 from Gentoo portage. But I guess it's unlikely that this behaviour is affected by patches. From djm at mindrot.org Sun Feb 22 07:54:05 2015
From: djm at mindrot.org (Damien Miller) Date: Sun, 22 Feb 2015 07:54:05 +1100 (AEDT) Subject: Call for testing: OpenSSH 6.8 In-Reply-To: <54E8D229.6030709@roumenpetrov.info> References: <20150221120955.GA24328@calimero.vinschen.de> <54E8D229.6030709@roumenpetrov.info> Message-ID: On Sat, 21 Feb 2015, Roumen Petrov wrote: > Corinna Vinschen wrote: > > [SNIP] > > - Last but not least, all tests in hostkey-agent.sh fail and I don't > > understand what's the problem here. I attached the log files for this > > problem to this mail. Maybe you see what's going wrong? > > Test cannot load host keys .... please see attached file Thanks - applied. From djm at mindrot.org Sun Feb 22 07:59:40 2015 
From: djm at mindrot.org (Damien Miller) Date: Sun, 22 Feb 2015 07:59:40 +1100 (AEDT) Subject: Call for testing: OpenSSH 6.8 In-Reply-To: <20150221120955.GA24328@calimero.vinschen.de> References: <20150221120955.GA24328@calimero.vinschen.de> Message-ID: On Sat, 21 Feb 2015, Corinna Vinschen wrote: > Building on 64 bit Cygwin works out of the box. However, I have trouble > with the testsuite. As usual, I'm building outside the source tree: > > - Building the testsuite fails: > > Assembler messages: > Fatal error: can't create regress/unittests/bitmap/tests.o: No such file or directory > Makefile:152: recipe for target 'regress/unittests/bitmap/tests.o' failed > > The testsuite apparently misses creating the regress/unittests/bitmap > subdir prior to running the test. Same for the "hostkeys" and "kex" > subdirs. If I create these dirs by hand, the build succeeds. Some > mkdir -p calls for these three dirs would probably help. Done - thanks. > - The failing last loop in the "forwarding" script as reported back > during 6.7 testing is still failing for me more often than not. It's > always the same reason, the script tries to use in-use port numbers. > Reducing the forwarding script to only this last test loop succeeds > every time, but is quite a hack for testing. Is it colliding with itself or with other services running on your test host? (especially with ones windows starts itself) > - Last but not least, all tests in hostkey-agent.sh fail and I don't > understand what's the problem here. I attached the log files for this > problem to this mail. Maybe you see what's going wrong? Did Roumen's config fix (applied to HEAD already) unbreak this? -d From djm at mindrot.org Sun Feb 22 08:02:11 2015 
From: djm at mindrot.org (Damien Miller) Date: Sun, 22 Feb 2015 08:02:11 +1100 (AEDT) Subject: "PermitRootLogin no" should not proceed with root login In-Reply-To: <20150221213935.4e0696f1@localhost> References: <20150221213935.4e0696f1@localhost> Message-ID: On Sat, 21 Feb 2015, tot-to wrote: > Steps to reproduce: > 1) PermitRootLogin no in sshd_config > 2) login with "root" user from other host > > Present behaviour: > 1) it asks for password 3 times and only then close the connection. > 2) cpu consumption during bruteforce "attacks". This is intentional behaviour. The intention is to not give clues as to which accounts may be valid for login. > Expected behaviour: > Immediate disconnect/login fail If you want this, then use: Match user root MaxAuthTries 0 From tot-to at tot-to.com Sun Feb 22 08:21:50 2015 
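The Match block Damien suggests only does what he says because of how sshd resolves a keyword that is set in more than one place: in the global section the first occurrence wins, a matching Match block overrides the global value, and among several matching Match blocks the first one that sets the keyword wins. The following Python model of that resolution is an added example written for this page, not OpenSSH code; the config text, user names, host names and addresses in it are constructed, and only the User, Group, Host and Address criteria are implemented.

```python
"""Model of how sshd picks a keyword's value when Match blocks are present.
Added example for this page, not OpenSSH code.  Rules, as sshd_config(5)
states them: in the global section the first occurrence of a keyword wins;
a matching Match block overrides the global value; among several matching
Match blocks the first one that sets the keyword wins.  Only the User,
Group, Host and Address criteria are modelled."""
import fnmatch
import ipaddress


def match_list(value, patterns, cidr=False):
    """Comma-separated pattern list with '*' and '?' wildcards; a leading
    '!' negates, a negated hit refuses at once, a positive hit is kept unless
    a later negated entry vetoes it.  With cidr=True an entry may also be an
    address or CIDR block.  fnmatch stands in for OpenSSH's own matcher."""
    matched = False
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        pat = pat.lstrip("!")
        hit = fnmatch.fnmatchcase(value, pat)
        if cidr and not hit:
            try:
                hit = ipaddress.ip_address(value) in ipaddress.ip_network(pat, strict=False)
            except ValueError:
                pass  # not an address/CIDR entry; the wildcard test above stands
        if hit and negate:
            return False
        matched = matched or hit
    return matched


def parse_config(text):
    """Global (keyword, value) items plus (criteria, items) Match blocks, in
    file order.  Only whole-line comments count, as in sshd_config itself."""
    global_items, blocks, current = [], [], None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            tokens = value.split()
            criteria = [] if [t.lower() for t in tokens] == ["all"] else list(zip(tokens[::2], tokens[1::2]))
            current = (criteria, [])
            blocks.append(current)
        elif current is None:
            global_items.append((key, value))
        else:
            current[1].append((key, value))
    return global_items, blocks


def block_matches(criteria, conn):
    """conn: dict with the connection's user, groups (list), host and addr."""
    for crit, pattern in criteria:
        crit = crit.lower()
        if crit in ("user", "host"):
            ok = match_list(conn[crit], pattern)
        elif crit == "group":
            ok = any(match_list(g, pattern) for g in conn["groups"])
        elif crit == "address":
            ok = match_list(conn["addr"], pattern, cidr=True)
        else:
            raise ValueError("criterion not modelled: " + crit)
        if not ok:
            return False
    return True


def effective(config_text, keyword, conn):
    """Value sshd would apply for keyword on this connection, or None."""
    keyword = keyword.lower()
    global_items, blocks = parse_config(config_text)
    for criteria, items in blocks:          # first matching block that sets it
        if block_matches(criteria, conn):
            for key, value in items:
                if key == keyword:
                    return value
    for key, value in global_items:         # else the first global occurrence
        if key == keyword:
            return value
    return None


# Constructed sample; the host names and addresses are made up for the demo.
SAMPLE_CONFIG = """
PermitRootLogin no
MaxAuthTries 6
# ignored: the first global value above wins
MaxAuthTries 3

Match User root
    MaxAuthTries 0

# never consulted for MaxAuthTries: the block above already set it
Match User root Address 10.0.0.0/8
    MaxAuthTries 2

Match Address 10.0.0.0/8
    PermitRootLogin without-password
"""
ROOT_LAN = {"user": "root", "groups": ["root"], "host": "mgmt01.example.net", "addr": "10.1.2.3"}
ROOT_WAN = {"user": "root", "groups": ["root"], "host": "203.0.113.9", "addr": "203.0.113.9"}
ALICE = {"user": "alice", "groups": ["alice", "ops"], "host": "mgmt01.example.net", "addr": "10.1.2.3"}


def demo():
    """Resolve the two keywords the thread is about for three connections."""
    return {name: (effective(SAMPLE_CONFIG, "MaxAuthTries", conn),
                   effective(SAMPLE_CONFIG, "PermitRootLogin", conn))
            for name, conn in (("root-lan", ROOT_LAN), ("root-wan", ROOT_WAN), ("alice", ALICE))}


if __name__ == "__main__":
    for name, (tries, root) in demo().items():
        print(f"{name:9s} MaxAuthTries={tries} PermitRootLogin={root}")
```

demo() yields MaxAuthTries 0 and PermitRootLogin without-password for root from the management network, 0 and no for root from elsewhere, and 6 for alice (her PermitRootLogin value is without-password too, which is what a connection-wide Match Address block gives any client from that network; it has no effect on a non-root login). On a real host the authoritative answer is sshd's own evaluation, e.g. `sshd -T -C user=root,host=mgmt01.example.net,addr=10.1.2.3 | grep -i maxauthtries`.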
From: tot-to at tot-to.com (tot-to) Date: Sat, 21 Feb 2015 22:21:50 +0100 Subject: "PermitRootLogin no" should not proceed with root login In-Reply-To: References: <20150221213935.4e0696f1@localhost> Message-ID: <20150221222150.499ce173@localhost> Hi Damien, Thank you for the explanation and suggesting the option that does exactly what I want. The intention looks reasonable to me. I actually have a related question about the reasoning: Why is "PermitRootLogin no" not the default option? That would be much more secure and would make such kind of bruteforce attacks useless or at least much less effective for most of the users. On Sun, 22 Feb 2015 08:02:11 +1100 (AEDT) Damien Miller wrote: > On Sat, 21 Feb 2015, tot-to wrote: > > > Steps to reproduce: > > 1) PermitRootLogin no in sshd_config > > 2) login with "root" user from other host > > > > Present behaviour: > > 1) it asks for password 3 times and only then close the connection. > > 2) cpu consumption during bruteforce "attacks". > > This is intentional behaviour. The intention is to not give clues as > to which accounts may be valid for login. > > > Expected behaviour: > > Immediate disconnect/login fail > > If you want this, then use: > > Match user root > MaxAuthTries 0 > From phil at hands.com Sun Feb 22 10:36:10 2015
From: phil at hands.com (Philip Hands) Date: Sat, 21 Feb 2015 23:36:10 +0000 Subject: PermitRootLogin default (was: "PermitRootLogin no" should not proceed with root login) In-Reply-To: <20150221222150.499ce173@localhost> References: <20150221213935.4e0696f1@localhost> <20150221222150.499ce173@localhost> Message-ID: <87ioeuet1x.fsf@hands.com> tot-to writes: ... > I aclually have a related question about the reasoning: > Why "PermitRootLogin no" is not a default option? "without-password" is the right default IMO, as suggested some time ago: https://bugzilla.mindrot.org/show_bug.cgi?id=2164 (and considerably earlier in Debian circles ;-) ) I'm glad to say that the default for the Debian package has finally switched to "without-password" for new installs in our upcoming release. I'd suggest it is pretty irresponsible allowing the default to remain as "yes" here upstream, especially given how popular brute-force attacks are these days. Given that nobody came up with any argument to maintain "Yes" as the default in response to that bug it seems a bit of a shame that inertia is apparently the controlling factor here. Cheers, Phil. -- |)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd. |-| http://www.hands.com/ http://ftp.uk.debian.org/ |(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 818 bytes Desc: not available URL: From calestyo at scientia.net Sun Feb 22 10:53:24 2015
From: calestyo at scientia.net (Christoph Anton Mitterer) Date: Sun, 22 Feb 2015 00:53:24 +0100 Subject: PermitRootLogin default (was: "PermitRootLogin no" should not proceed with root login) In-Reply-To: <87ioeuet1x.fsf@hands.com> References: <20150221213935.4e0696f1@localhost> <20150221222150.499ce173@localhost> <87ioeuet1x.fsf@hands.com> Message-ID: <1424562804.15539.68.camel@scientia.net> On Sat, 2015-02-21 at 23:36 +0000, Philip Hands wrote: > I'm glad to say that the default for the Debian package Unfortunately, Debian overdid it quite a lot and also set a number of not so smart (respectively security-critical) defaults: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765632 So it's like 1:1 ;-) Cheers, Chris. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5313 bytes Desc: not available URL: From jjelen at redhat.com Sun Feb 22 23:50:06 2015 
From: jjelen at redhat.com (Jakub Jelen) Date: Sun, 22 Feb 2015 13:50:06 +0100 Subject: which are the exact effects of MaxSessions In-Reply-To: <1424475770.4823.64.camel@scientia.net> References: <1424397089.4564.82.camel@scientia.net> <54E6DDA7.4010903@redhat.com> <1424475770.4823.64.camel@scientia.net> Message-ID: <54E9D07E.9060904@redhat.com> On 02/21/2015 12:42 AM, Christoph Anton Mitterer wrote: > On Fri, 2015-02-20 at 08:09 +0100, Jakub Jelen wrote: >> According to my observation, MaxSessions 1 works for opening only one >> session through multiplexed channel, which degrades multiplexed >> connection back to only one session. > Well one gets still a mux process and also the messages (when debugging > is on) on the "master session" that others try to re-use it... but then > they're blocked. Yes, the debugging is quite tricky, if you use -ddd you see more temporary sessions allocated and cleaned (to make sure there will be place to accommodate and to store some ongoing data?), but they do not persist through all your connection. > >> I don't know if you use openssh from some distribution > Debian. > >> , but in RHEL we >> had recently one bug in audit which looks similar like your issue -- >> with MaxSessions 1 sshd was preventing to log you in. > Well I don't really think I have any issues... I just wondered whether > there are any other side-effects than having influence on the channel > muxing ... perhaps something like "only accept 1 session from the same > IP, even when not muxing". It should be only for mux (if I'm wrong, correct me). From man: >> ... sessions permitted per network connection which is the use case of a multiplexed connection. > > What is the issue you guys found? It was a combination of (forced) command, pty and auditing. This combination was using 2 sessions instead of one, and if there was MaxSessions 2, the second connection took down even the first one. Best regards, Jakub > > > Cheers, > Chris.
> > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev From jjelen at redhat.com Sun Feb 22 23:55:35 2015 From: jjelen at redhat.com (Jakub Jelen) Date: Sun, 22 Feb 2015 13:55:35 +0100 Subject: [PATCH] document evaluation of {Allow|Deny}{Users|Groups} In-Reply-To: <1424484554-31968-1-git-send-email-calestyo@scientia.net> References: <1424484554-31968-1-git-send-email-calestyo@scientia.net> Message-ID: <54E9D1C7.6070304@redhat.com> On 02/21/2015 03:09 AM, calestyo at scientia.net wrote: > +The first one that matches determines whether the login is allowed or > +denied, with the later processed directives being ignored. This is actually not true. You can specify {Allow|Deny}{Users|Groups} multiple times and all of the rows are applied. Greetings, Jakub From alon.barlev at gmail.com Mon Feb 23 08:56:21 2015 
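Jakub's correction covers two things: every AllowUsers, DenyUsers, AllowGroups or DenyGroups line adds to one list instead of replacing earlier lines, and all four lists are consulted in a fixed order, so a DenyUsers hit is never rescued by a later AllowUsers entry. The following Python model of sshd's allowed_user() check is an added example written for this page, not OpenSSH code; the config text, user names, groups, host names and addresses are constructed, and the USER@HOST matching is reduced to wildcard and CIDR matching.

```python
"""Model of sshd's allowed_user() checks for DenyUsers, AllowUsers,
DenyGroups and AllowGroups.  Added example for this page, not OpenSSH code.
Repeated directives accumulate, and the lists are consulted in exactly this
order: DenyUsers, AllowUsers (must match if any are set), DenyGroups,
AllowGroups (must match if any are set)."""
import fnmatch
import ipaddress


def match_pattern(value, pattern):
    """'*' and '?' wildcards as in OpenSSH's match_pattern(); fnmatch also
    understands [..] classes, which OpenSSH does not."""
    return fnmatch.fnmatchcase(value, pattern)


def host_matches(pattern, host, addr):
    """The HOST part of USER@HOST: a CIDR block checked against the client
    address, or a wildcard pattern checked against its name and address."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return match_pattern(host, pattern) or match_pattern(addr, pattern)


def user_matches(pattern, user, host, addr):
    """sshd's match_user(): bare USER, or USER@HOST restricting the source."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return match_pattern(user, upat) and host_matches(hpat, host, addr)
    return match_pattern(user, pattern)


def load_lists(config_text):
    """Collect the four directives; every occurrence appends its patterns,
    which is how sshd builds these lists from a config with repeated lines."""
    lists = {"denyusers": [], "allowusers": [], "denygroups": [], "allowgroups": []}
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if parts and parts[0].lower() in lists:
            lists[parts[0].lower()].extend(parts[1:])
    return lists


def allowed_user(user, groups, host, addr, lists):
    """Return (allowed, reason) following sshd's evaluation order."""
    if any(user_matches(p, user, host, addr) for p in lists["denyusers"]):
        return False, "DenyUsers"
    if lists["allowusers"] and not any(user_matches(p, user, host, addr) for p in lists["allowusers"]):
        return False, "AllowUsers"
    if any(match_pattern(g, p) for g in groups for p in lists["denygroups"]):
        return False, "DenyGroups"
    if lists["allowgroups"] and not any(match_pattern(g, p) for g in groups for p in lists["allowgroups"]):
        return False, "AllowGroups"
    return True, "ok"


# Constructed sample; the two AllowUsers lines are deliberately separate.
SAMPLE_CONFIG = """
AllowUsers alice
AllowUsers bob@10.0.0.0/8
DenyUsers bob@*.untrusted.example
AllowGroups sshusers
"""

CASES = [  # (user, groups, client host name, client address), all made up
    ("alice", ["alice", "sshusers"], "laptop.example.net", "203.0.113.7"),
    ("bob", ["bob", "sshusers"], "jump.corp.example", "10.2.3.4"),
    ("bob", ["bob", "sshusers"], "jump.corp.example", "203.0.113.7"),
    ("bob", ["bob", "sshusers"], "relay.untrusted.example", "10.9.9.9"),
    ("carol", ["carol", "sshusers"], "laptop.example.net", "10.2.3.4"),
    ("alice", ["alice"], "laptop.example.net", "10.2.3.4"),
]


def demo():
    """Evaluate every case against the accumulated lists."""
    lists = load_lists(SAMPLE_CONFIG)
    return [allowed_user(u, g, h, a, lists) for u, g, h, a in CASES]


if __name__ == "__main__":
    for case, verdict in zip(CASES, demo()):
        print(case[0], case[3], verdict)
```

demo() admits bob from 10.2.3.4 through the second AllowUsers line, refuses him from 203.0.113.7 because neither AllowUsers entry matches, and refuses him from relay.untrusted.example even though the second AllowUsers entry would match, because DenyUsers is evaluated first; the last case shows AllowGroups still applying after AllowUsers has passed. Whether the host part sees a resolved name or only the address string depends on UseDNS.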
From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Sun, 22 Feb 2015 23:56:21 +0200 Subject: PKI host based principal Message-ID: Hello, Maybe I did not understand correctly the PKI trust, so forgive me if I am wrong. For example, I have multiple hosts that all serve as monitoring servers. I would like to trust only these hosts, so I enrol a certificate for them using a "monitoring" principal, so that I can connect only to these. At first I thought we could use a Match statement in ssh_config; however, Match is evaluated before the connection, so the remote principal name is not available at this stage. From what I understand, the known_hosts format allows a CA key and a DNS mask of matched hosts. There is no way to match against the certificate principal name. I thought about something like: @cert-authority *.mydomain.org,*.mydomain.com,principal=xxx,principal=yyy If the above cannot be done, do you think it would be helpful? BTW: It would also be handy to allow specifying the CA key in a separate file, something like the following: @cert-authority-file *.mydomain.org,*.mydomain.com,principal=xxx /etc/.../ca.pub Regards, Alon Bar-Lev. From phil at hands.com Mon Feb 23 09:33:31 2015
From: phil at hands.com (Philip Hands) Date: Sun, 22 Feb 2015 22:33:31 +0000 Subject: PermitRootLogin default (was: "PermitRootLogin no" should not proceed with root login) In-Reply-To: <1424562804.15539.68.camel@scientia.net> References: <20150221213935.4e0696f1@localhost> <20150221222150.499ce173@localhost> <87ioeuet1x.fsf@hands.com> <1424562804.15539.68.camel@scientia.net> Message-ID: <87d251efus.fsf@hands.com> Christoph Anton Mitterer writes: > On Sat, 2015-02-21 at 23:36 +0000, Philip Hands wrote: >> I'm glad to say that the default for the Debian package > Unfortunately, Debian overdid it quite a lot and also set a number of > not so smart (respectively security-critical) defaults: > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765632 > > So it's like 1:1 ;-) Having looked at the bug you mention, I have to agree that the ForwardX11Trusted seems to have been misguided at the time it was applied, and now (over a decade later) seems just plain wrong. I've followed up on the bug to that effect, Cc-ing you, so you should have seen that. Cheers, Phil. P.S. I take it that you were not trying to say that there's anything you object to about the proposal to use "without-password" as the default? -- |)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd. |-| http://www.hands.com/ http://ftp.uk.debian.org/ |(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 818 bytes Desc: not available URL: From calestyo at scientia.net Mon Feb 23 09:53:36 2015 
From: calestyo at scientia.net (Christoph Anton Mitterer) Date: Sun, 22 Feb 2015 23:53:36 +0100 Subject: PermitRootLogin default (was: "PermitRootLogin no" should not proceed with root login) In-Reply-To: <87d251efus.fsf@hands.com> References: <20150221213935.4e0696f1@localhost> <20150221222150.499ce173@localhost> <87ioeuet1x.fsf@hands.com> <1424562804.15539.68.camel@scientia.net> <87d251efus.fsf@hands.com> Message-ID: <1424645616.7188.17.camel@scientia.net> On Sun, 2015-02-22 at 22:33 +0000, Philip Hands wrote: > P.S. I take it that you were not trying to say that there's anything you > object to about the proposal to use "without-password" as the default? Yes,... the upstream default should be either without-password or simply no; actually, for security reasons I'd even prefer the latter. In the days of fully automated installation, puppet and Co. it can't be so hard for sysadmins to change that value to something != no when this is what they really want. Distros, IMHO, can override the defaults (if there's really good reason),... but only in the config files, where everyone sees this. Really changing the defaults in code is basically in most if not all cases plain wrong (the only exceptions I could think of are when upstream would really set defaults which are horribly security critical or may cause data corruption or things like that). Cheers, Chris. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5313 bytes Desc: not available URL: From alon.barlev at gmail.com Mon Feb 23 11:08:16 2015
From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Mon, 23 Feb 2015 02:08:16 +0200 Subject: PKI host based principal In-Reply-To: References: Message-ID: I guess [1] is the answer, and it is not merged yet. [1] http://serverfault.com/questions/669718/connecting-to-a-pool-member-over-ssh-w-a-host-certificate-good-for-the-pool-nam On Sun, Feb 22, 2015 at 11:56 PM, Alon Bar-Lev wrote: > Hello, > > Maybe I did not understand correctly the PKI trust, so forgive me if I am wrong. > > For example, I have multiple hosts that all serves as monitoring > server, I would like to trust only these hosts, so I enrol a > certificate for these using "monitoring" principal, so I can connect > only to these. > > At first I thought we can do Match statement at ssh_config, however, > the Match is being evaluated before connection, so remove principal > name is not available at this stage. > > From what I do understand the known_hosts format enables CA key and > DNS mask of matched hosts. > > There is no way to match against the certificate principal name. > > I thought about something like: > > @cert-authority > *.mydomain.org,*.mydomain.com,principal=xxx,principal=yyy > > If the above cannot be done, do you think it will be helpful? > > BTW: It would also be handy to allow specify CA key within separate > file, something like the following: > > @cert-authority-file *.mydomain.org,*.mydomain.com,principal=xxx /etc/.../ca.pub > > Regards, > Alon Bar-Lev. From djm at mindrot.org Mon Feb 23 18:27:14 2015 
From: djm at mindrot.org (Damien Miller) Date: Mon, 23 Feb 2015 18:27:14 +1100 (AEDT) Subject: SUCCESS: OpenSSH_6.7p1-snap20150220 In-Reply-To: References: Message-ID: On Fri, 20 Feb 2015, Herb.Goldman at ssh.com wrote: > Compiled OK, and operating nicely on CentOS 6.6, both 32/64 bit. > Really appreciate the UpdateHostkeys feature! > One issue I noticed, the screen output gets garbled if the user has been "asked" to "Accept" the new hostkeys. > Looks like the screen output is missing the CR's, and only LF's get presented. > > [root at be2 .ssh]# ssh be1 ls -l > Warning: Permanently added 'be1,fec0::ffff:0:1:c0a8:415' (ECDSA) to the list of known hosts. > total 12 > -rw-r--r-- 1 root root 1829 Jan 23 17:43 authorized_keys > -rw-r--r-- 1 root root 575 Jan 21 17:24 sshd.pam > drwxr-xr-x 2 root root 4096 Feb 9 14:17 tmp > > [root at be2 .ssh]# ssh -o UpdateHostkeys=yes be1 ls -l > Learned new hostkey: RSA SHA256:Alc84pvwkLVLIyRC7Z5HUpYeySwK+aMykv9cw6LCark > Learned new hostkey: DSA SHA256:4RFtn0pMD4/AiKANWn6K3ODT66Jw8CE4SXOnAbOBXgQ > Learned new hostkey: ED25519 SHA256:OzKAhPkHQDfk7GTvSZRKIHIv+25inWKy2n0PF8HbIhY > Learned new hostkey: RSA SHA256:ZaHa2K0aOv6zzVTNviT08xk/ZY8xeML9uz62OiHAxOM > Learned new hostkey: DSA SHA256:yYtO6dUL0cATSEBAyOyQApxehlhliWY5t5Z0p1CplpY > Learned new hostkey: ECDSA SHA256:70rXiF+VgchFSvKmBQ/sXw+iANmwVTnmzQzlytaBpx4 > Learned new hostkey: ED25519 SHA256:n/qAw/sTr+4KnQ1okNg/s3tgV9wRjXULbP/a9Jy++oA > Accept updated hostkeys? (yes/no): yes > total 12 > -rw-r--r-- 1 root root 1829 Jan 23 17:43 authorized_keys > -rw-r--r-- 1 root root 575 Jan 21 17:24 sshd.pam > drwxr-xr-x 2 root root 4096 Feb 9 14:17 tmp > [root at be2 .ssh]# I think this patch should solve this problem - can you confirm? diff --git a/clientloop.c b/clientloop.c index 644a1f2..0a58db7 100644 --- a/clientloop.c +++ b/clientloop.c 
@@ -2176,7 +2176,8 @@ update_known_hosts(struct hostkeys_update_ctx *ctx) free(fp); } if (options.update_hostkeys == SSH_UPDATE_HOSTKEYS_ASK) { - leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); + if (have_pty) + leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); response = NULL; for (i = 0; !quit_pending && i < 3; i++) { free(response); @@ -2196,7 +2197,8 @@ update_known_hosts(struct hostkeys_update_ctx *ctx) if (quit_pending || i >= 3 || response == NULL) options.update_hostkeys = 0; free(response); - enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); + if (have_pty) + enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); } /* From vinschen at redhat.com Mon Feb 23 20:13:48 2015 From: vinschen at redhat.com (Corinna Vinschen) Date: Mon, 23 Feb 2015 10:13:48 +0100 Subject: Call for testing: OpenSSH 6.8 In-Reply-To: <54E8D229.6030709@roumenpetrov.info> References: <20150221120955.GA24328@calimero.vinschen.de> <54E8D229.6030709@roumenpetrov.info> Message-ID: <20150223091348.GC437@calimero.vinschen.de> Hi Roumen, On Feb 21 20:44, Roumen Petrov wrote: > Corinna Vinschen wrote: > >[SNIP] > >- Last but not least, all tests in hostkey-agent.sh fail and I don't > > understand what's the problem here. I attached the log files for this > > problem to this mail. Maybe you see what's going wrong? > > Test cannot load host keys .... please see attached file > [...] 
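Review bot: both hunks in clientloop.c guard leave_raw_mode() and enter_raw_mode() on have_pty, which matches the report: "ssh be1 ls -l" runs without a tty, so the terminal was never put into raw mode and restoring it after the prompt is what mangled the line discipline. Since the two guards have to agree (a tty left in raw mode, or put into raw mode when it was not before, is worse than the garbled output), capture the condition once into a local before the prompt loop and use it at both call sites, so a later change to one site cannot leave the terminal in the wrong mode; the quit_pending path between the hunks falls through to the second guard, so it is covered either way.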
> @@ -22,7 +22,7 @@ for k in `${SSH} -Q key-plain | grep -v "^x509v3-"` ; do > ) >> $OBJ/known_hosts.orig > ${SSHADD} $OBJ/agent-key.$k >/dev/null 2>&1 || \ > fatal "couldn't load key $OBJ/agent-key.$k" > - echo "Hostkey $OBJ/agent-key.${k}" >> sshd_proxy.orig > + echo "Hostkey $OBJ/agent-key.${k}" >> $OBJ/sshd_proxy.orig Oh, wow, I missed that. With this patch the testcase works nicely. Thanks! Corinna -- Corinna Vinschen Cygwin Maintainer Red Hat -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: From vinschen at redhat.com Mon Feb 23 20:28:51 2015 
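Review bot: the fix is right: the lines just above the hunk already write known_hosts.orig under $OBJ, so sshd_proxy.orig must go there too, otherwise an out-of-tree build reads a stale or missing file in the source directory, which is exactly the "cannot load host keys" failure. One detail visible in the hunk context: the grep -v "^x509v3-" filter on ssh -Q key-plain comes from the X.509 fork's version of hostkey-agent.sh; if upstream's script does not already carry it, drop it from the patch before applying upstream.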
From: vinschen at redhat.com (Corinna Vinschen)
Date: Mon, 23 Feb 2015 10:28:51 +0100
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References: <20150221120955.GA24328@calimero.vinschen.de>
Message-ID: <20150223092851.GD437@calimero.vinschen.de>

Hi Damien,

On Feb 22 07:59, Damien Miller wrote:
> On Sat, 21 Feb 2015, Corinna Vinschen wrote:
>
> > Building on 64 bit Cygwin works out of the box. However, I have trouble
> > with the testsuite. As usual, I'm building outside the source tree:
> >
> > - Building the testsuite fails:
> >
> >   Assembler messages:
> >   Fatal error: can't create regress/unittests/bitmap/tests.o: No such file or directory
> >   Makefile:152: recipe for target 'regress/unittests/bitmap/tests.o' failed
> >
> >   The testsuite apparently misses creating the regress/unittests/bitmap
> >   subdir prior to running the test. Same for the "hostkeys" and "kex"
> >   subdirs. If I create these dirs by hand, the build succeeds. Some
> >   mkdir -p calls for these three dirs would probably help.
>
> Done - thanks.
>
> > - The failing last loop in the "forwarding" script as reported back
> >   during 6.7 testing is still failing for me more often than not. It's
> >   always the same reason, the script tries to use in-use port numbers.
> >   Reducing the forwarding script to only this last test loop succeeds
> >   every time, but is quite a hack for testing.
>
> Is it colliding with itself or with other services running on your
> test host? (especially with ones windows starts itself)

It's colliding with itself, afaics. It tries to use ports 3301/3302
again after it already used them in a former test in the script, and with
a high probability they are still taken. The same ports are used for
earlier tests in the same script. On the testmachine, only very few
ports are taken by Windows processes and only one of them (RDP, port
3389) in the range used by the tests.
Note that this is still the same as described in
http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-August/032842.html

See also
http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-August/032854.html

And this workaround still lets the test succeed:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-August/032862.html

> > - Last but not least, all tests in hostkey-agent.sh fail and I don't
> >   understand what's the problem here. I attached the log files for this
> >   problem to this mail. Maybe you see what's going wrong?
>
> Did Roumen's config fix (applied to HEAD already) unbreak this?

Yes it did.

Thanks,
Corinna

--
Corinna Vinschen
Cygwin Maintainer
Red Hat

From ismail at donmez.ws Mon Feb 23 21:06:29 2015
From: ismail at donmez.ws (İsmail Dönmez)
Date: Mon, 23 Feb 2015 12:06:29 +0200
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

Hi,

On Sat, Feb 21, 2015 at 12:01 AM, Damien Miller wrote:
> On Fri, 20 Feb 2015, İsmail Dönmez wrote:
>
>> Hi,
>>
>> On Fri, Feb 20, 2015 at 12:21 AM, Damien Miller wrote:
>> > Hi,
>> >
>> > OpenSSH 6.8 is almost ready for release, so we would appreciate testing
>> > on as many platforms and systems as possible. This release contains
>> > some substantial new features and a number of bugfixes.
>>
>> All tests pass on my Linux box. But
>> https://bugzilla.mindrot.org/show_bug.cgi?id=2342 is a notable
>> regression.
>
> hm, I can't replicate this problem:
>
> [djm at fuyu openssh]$ mkdir x
> [djm at fuyu openssh]$ cd x
> [djm at fuyu x]$ ../ssh-keygen -t ed25519 -f key -N '' -q
> [djm at fuyu x]$ ../ssh-keygen -lf ^C
> [djm at fuyu x]$ rm key ; mv key.pub key
> [djm at fuyu x]$ ../ssh-keygen -lf key
> 256 SHA256:0UH+G0Bw+ZP3rqTwxsio5CUTrKkS/kcJ26RwV3Twbyw djm at fuyu (ED25519)

Please see my followup comment.

From vinschen at redhat.com Mon Feb 23 21:33:44 2015
From: vinschen at redhat.com (Corinna Vinschen)
Date: Mon, 23 Feb 2015 11:33:44 +0100
Subject: Call for testing: OpenSSH 6.8
In-Reply-To: <20150223092851.GD437@calimero.vinschen.de>
References: <20150221120955.GA24328@calimero.vinschen.de> <20150223092851.GD437@calimero.vinschen.de>
Message-ID: <20150223103344.GA5204@calimero.vinschen.de>

Hi Damien,

On Feb 23 10:28, Corinna Vinschen wrote:
> On Feb 22 07:59, Damien Miller wrote:
> > On Sat, 21 Feb 2015, Corinna Vinschen wrote:
> > > - The failing last loop in the "forwarding" script as reported back
> > >   during 6.7 testing is still failing for me more often than not. It's
> > >   always the same reason, the script tries to use in-use port numbers.
> > >   Reducing the forwarding script to only this last test loop succeeds
> > >   every time, but is quite a hack for testing.
> >
> > Is it colliding with itself or with other services running on your
> > test host? (especially with ones windows starts itself)
>
> It's colliding with itself, afaics. It tries to use ports 3301/3302
> again after it already used them in a former test in the script, and with
> a high probability they are still taken. The same ports are used for
> earlier tests in the same script. On the testmachine, only very few
> ports are taken by Windows processes and only one of them (RDP, port
> 3389) in the range used by the tests.
>
> Note that this is still the same as described in
> http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-August/032842.html
>
> See also
> http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-August/032854.html
>
> And this workaround still lets the test succeed:
> http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-August/032862.html

I think I'm a step closer to a solution. I just added debug output to
the forwarding.sh script and it turns out that the test prior to the
"transfer over chained unix domain socket forwards ..." test, namely

    echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config
    echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config
    for p in 1 2; do
        trace "config file: start forwarding, fork to background"
        ${SSH} -$p -F $OBJ/ssh_config -f somehost sleep 10

        trace "config file: transfer over forwarded channels and check result"
        ${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \
            somehost cat ${DATA} > ${COPY}
        test -s ${COPY}         || fail "failed copy of ${DATA}"
        cmp ${DATA} ${COPY}     || fail "corrupted copy of ${DATA}"
        wait
    done

leaves the ports 3301/3302 in TIME_WAIT state (as is 4242 from some
earlier test). Here are the relevant excerpts from ps -e and (Windows)
netstat output. The first group is the output prior to the above test:

      PID    PPID    PGID     WINPID   TTY         UID    STIME COMMAND
     1320    3632    1320       3964  ?        1049577 11:19:26 /home/corinna/sshbuild/bin/sshd
     3512    3632    3512       3444  ?        1049577 11:19:27 /home/corinna/sshbuild/bin/sshd
     3632       1    3632       3632  ?        1049577 11:17:49 /home/corinna/sshbuild/bin/sshd

    Active Connections

      Proto  Local Address          Foreign Address        State           PID
      TCP    127.0.0.1:4242         0.0.0.0:0              LISTENING       3632
      TCP    127.0.0.1:61665        127.0.0.1:4242         TIME_WAIT       0
      TCP    127.0.0.1:61666        127.0.0.1:61667        TIME_WAIT       0
      TCP    127.0.0.1:61668        127.0.0.1:61669        TIME_WAIT       0
      TCP    127.0.0.1:61673        127.0.0.1:4242         TIME_WAIT       0
      TCP    127.0.0.1:61674        127.0.0.1:61675        TIME_WAIT       0
      TCP    127.0.0.1:61676        127.0.0.1:61677        TIME_WAIT       0
      TCP    127.0.0.1:61679        127.0.0.1:4242         TIME_WAIT       0
      TCP    127.0.0.1:61680        127.0.0.1:61681        TIME_WAIT       0
      TCP    127.0.0.1:61682        127.0.0.1:61683        TIME_WAIT       0
      TCP    127.0.0.1:61686        127.0.0.1:4242         TIME_WAIT       0
      TCP    127.0.0.1:61687        127.0.0.1:61688        TIME_WAIT       0
      TCP    127.0.0.1:61689        127.0.0.1:61690        TIME_WAIT       0
      TCP    127.0.0.1:61691        127.0.0.1:4242         TIME_WAIT       0
      TCP    127.0.0.1:61692        127.0.0.1:61693        TIME_WAIT       0
      TCP    127.0.0.1:61694        127.0.0.1:61695        TIME_WAIT       0

the second group is the output from right between the above test and the
"transfer over chained unix domain socket forwards..."
      PID    PPID    PGID     WINPID   TTY         UID    STIME COMMAND
     3112     376     376       3212  ?        1049577 11:19:29 /usr/bin/sleep
     3520     388     388       3716  ?        1049577 11:19:32 /usr/bin/sleep
     3056    3632    3056       2100  ?        1049577 11:19:31 /home/corinna/sshbuild/bin/sshd
     4048       1    4048       4048  ?        1049577 11:19:31 /home/corinna/sshbuild/bin/ssh
     2372    3632    2372       4024  ?        1049577 11:19:33 /home/corinna/sshbuild/bin/sshd
     2728       1    2728       2728  ?        1049577 11:19:28 /home/corinna/sshbuild/bin/ssh
     2908    3632    2908        328  ?        1049577 11:19:28 /home/corinna/sshbuild/bin/sshd
     3632       1    3632       3632  ?        1049577 11:17:49 /home/corinna/sshbuild/bin/sshd

    Active Connections

      Proto  Local Address          Foreign Address        State           PID
      TCP    127.0.0.1:3301         0.0.0.0:0              LISTENING       2640
      TCP    127.0.0.1:3301         127.0.0.1:61714        CLOSE_WAIT      2640
      TCP    127.0.0.1:3302         0.0.0.0:0              LISTENING       328
      TCP    127.0.0.1:3302         127.0.0.1:61713        CLOSE_WAIT      328
      TCP    127.0.0.1:4242         0.0.0.0:0              LISTENING       3632
      TCP    127.0.0.1:4242         127.0.0.1:61696        ESTABLISHED     3632
      TCP    127.0.0.1:4242         127.0.0.1:61708        ESTABLISHED     3632
      TCP    127.0.0.1:4242         127.0.0.1:61715        CLOSE_WAIT      3632
      TCP    127.0.0.1:61673        127.0.0.1:4242         TIME_WAIT       0
      TCP    127.0.0.1:61679        127.0.0.1:4242         TIME_WAIT       0
      TCP    127.0.0.1:61680        127.0.0.1:61681        TIME_WAIT       0
      TCP    127.0.0.1:61682        127.0.0.1:61683        TIME_WAIT       0
      TCP    127.0.0.1:61686        127.0.0.1:4242         TIME_WAIT       0
      TCP    127.0.0.1:61687        127.0.0.1:61688        TIME_WAIT       0
      TCP    127.0.0.1:61689        127.0.0.1:61690        TIME_WAIT       0
      TCP    127.0.0.1:61691        127.0.0.1:4242         TIME_WAIT       0
      TCP    127.0.0.1:61692        127.0.0.1:61693        TIME_WAIT       0
      TCP    127.0.0.1:61694        127.0.0.1:61695        TIME_WAIT       0
      TCP    127.0.0.1:61696        127.0.0.1:4242         ESTABLISHED     2640
      TCP    127.0.0.1:61697        127.0.0.1:61698        TIME_WAIT       0
      TCP    127.0.0.1:61699        127.0.0.1:61700        TIME_WAIT       0
      TCP    127.0.0.1:61701        127.0.0.1:3302         TIME_WAIT       0
      TCP    127.0.0.1:61702        127.0.0.1:3301         TIME_WAIT       0
      TCP    127.0.0.1:61703        127.0.0.1:4242         TIME_WAIT       0
      TCP    127.0.0.1:61704        127.0.0.1:61705        TIME_WAIT       0
      TCP    127.0.0.1:61706        127.0.0.1:61707        TIME_WAIT       0
      TCP    127.0.0.1:61708        127.0.0.1:4242         ESTABLISHED     2988
      TCP    127.0.0.1:61709        127.0.0.1:61710        TIME_WAIT       0
      TCP    127.0.0.1:61711
127.0.0.1:61712 TIME_WAIT 0 TCP 127.0.0.1:61713 127.0.0.1:3302 FIN_WAIT_2 3380 TCP 127.0.0.1:61714 127.0.0.1:3301 FIN_WAIT_2 2728 TCP 127.0.0.1:61715 127.0.0.1:4242 FIN_WAIT_2 328 TCP 127.0.0.1:61716 127.0.0.1:61717 TIME_WAIT 0 TCP 127.0.0.1:61718 127.0.0.1:61719 TIME_WAIT 0 This may well be a problem local to Windows. Btw., the large number of AF_INET sockets is a result of the way how Cygwin implements AF_LOCAL sockets: They are emulated by local AF_INET sockets since WIndows doesn't know the concept of AF_LOCAL sockets. Note that there are still sleep processes running. So on a hunch I just added a `sleep 30' between the two tests and, lo and behold, the forwarding.sh test completes successfully every time: diff --git a/regress/forwarding.sh b/regress/forwarding.sh index f799d49..1489407 100644 --- a/regress/forwarding.sh +++ b/regress/forwarding.sh @@ -120,6 +120,8 @@ for p in 1 2; do wait done +sleep 30 + for p in 2; do trace "transfer over chained unix domain socket forwards and check result" rm -f $OBJ/unix-[123].fwd Thanks, Corinna -- Corinna Vinschen Cygwin Maintainer Red Hat -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: From djm at mindrot.org Tue Feb 24 03:47:53 2015 From: djm at mindrot.org (Damien Miller) Date: Tue, 24 Feb 2015 03:47:53 +1100 (AEDT) Subject: SUCCESS: OpenSSH_6.7p1-snap20150220 In-Reply-To: References: Message-ID: On Mon, 23 Feb 2015, Damien Miller wrote: > I think this patch should solve this problem - can you confirm? I managed to reproduce the problem (which was incorrectly setting TTY "raw" mode) and have committed a fix. -d From djm at mindrot.org Tue Feb 24 03:59:32 2015 
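Review bot: the added `sleep 30` between the `for p in 1 2` loop and the `for p in 2` loop hides the race instead of closing it. The preceding loop starts `${SSH} -$p -F $OBJ/ssh_config -f somehost sleep 10` and then calls `wait`, but `-f` makes the client fork and detach, so the shell has no child to wait on and the backgrounded ssh, together with its ${base}01/${base}02 listeners, is still alive when the next test starts. A fixed 30 s delay lengthens every run and can still lose on a slow host; the loop should instead wait on the background client itself, for instance via a ControlMaster socket and `-O exit`, which makes the teardown deterministic rather than merely slower.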
From: djm at mindrot.org (Damien Miller)
Date: Tue, 24 Feb 2015 03:59:32 +1100 (AEDT)
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

On Mon, 23 Feb 2015, İsmail Dönmez wrote:

> > On Fri, 20 Feb 2015, İsmail Dönmez wrote:
> >
> >> Hi,
> >>
> >> On Fri, Feb 20, 2015 at 12:21 AM, Damien Miller wrote:
> >> > Hi,
> >> >
> >> > OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> >> > on as many platforms and systems as possible. This release contains
> >> > some substantial new features and a number of bugfixes.
> >>
> >> All tests pass on my Linux box. But
> >> https://bugzilla.mindrot.org/show_bug.cgi?id=2342 is a notable
> >> regression.
> >
> > hm, I can't replicate this problem:
> >
> > [djm at fuyu openssh]$ mkdir x
> > [djm at fuyu openssh]$ cd x
> > [djm at fuyu x]$ ../ssh-keygen -t ed25519 -f key -N '' -q
> > [djm at fuyu x]$ ../ssh-keygen -lf ^C
> > [djm at fuyu x]$ rm key ; mv key.pub key
> > [djm at fuyu x]$ ../ssh-keygen -lf key
> > 256 SHA256:0UH+G0Bw+ZP3rqTwxsio5CUTrKkS/kcJ26RwV3Twbyw djm at fuyu (ED25519)
>
> Please see my followup comment.

Thanks - that helped me figure it out. I've committed a fix.

-d

From djm at mindrot.org Tue Feb 24 04:26:37 2015
From: djm at mindrot.org (Damien Miller) Date: Tue, 24 Feb 2015 04:26:37 +1100 (AEDT) Subject: Call for testing: OpenSSH 6.8 In-Reply-To: <20150223103344.GA5204@calimero.vinschen.de> References: <20150221120955.GA24328@calimero.vinschen.de> <20150223092851.GD437@calimero.vinschen.de> <20150223103344.GA5204@calimero.vinschen.de> Message-ID: On Mon, 23 Feb 2015, Corinna Vinschen wrote: > leaves the ports 3301/3302 in TIME_WAIT state (as is 4242 from some > earlier test). Here are the relevant excerpts from ps -e and (Windows) > netstat output. The first group is the output prior to the above test: [snip] > This may well be a problem local to Windows. Btw., the large number of > AF_INET sockets is a result of the way how Cygwin implements AF_LOCAL > sockets: They are emulated by local AF_INET sockets since WIndows > doesn't know the concept of AF_LOCAL sockets. Does CYGWIN implement setsockopt(s, SOL_SOCKET, SO_REUSEADDR, ...)? We set this for (AFAIK) all forwarding listeners to prevent TIME_WAIT collisions. > Note that there are still sleep processes running. So on a hunch I just > added a `sleep 30' between the two tests and, lo and behold, the > forwarding.sh test completes successfully every time: IMO it's probably a simple race condition rather than a TCP thing, and the test before the "transfer over chained unix domain socket" one does look like it fails to wait for the backgrounded ssh to finish (the wait doesn't wait for the background ssh, but the one following it). Does the following help? Index: forwarding.sh =================================================================== RCS file: /cvs/src/regress/usr.bin/ssh/forwarding.sh,v retrieving revision 1.13 diff -u -p -r1.13 forwarding.sh --- forwarding.sh 21 Feb 2015 20:51:02 -0000 1.13 +++ forwarding.sh 23 Feb 2015 17:25:40 -0000 @@ -8,6 +8,9 @@ start_sshd base=33 last=$PORT fwd="" +CTL=$OBJ/ctl-sock +rm -f $CTL + for j in 0 1 2; do for i in 0 1 2; do a=$base$j$i 
@@ -107,7 +110,7 @@ echo "LocalForward ${base}01 127.0.0.1:$ echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config for p in 1 2; do trace "config file: start forwarding, fork to background" - ${SSH} -$p -F $OBJ/ssh_config -f somehost sleep 10 + ${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f somehost sleep 10 trace "config file: transfer over forwarded channels and check result" ${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \ @@ -115,7 +118,7 @@ for p in 1 2; do test -s ${COPY} || fail "failed copy of ${DATA}" cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" - wait + ${SSH} -S $CTL -O exit somehost done for p in 2; do From djm at mindrot.org Tue Feb 24 04:35:44 2015 
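Review bot: the loop still runs `for p in 1 2`, but the first hunk passes `-S $CTL -M` together with `-$p`; if the mux listener is only set up for protocol 2 sessions, the p=1 iteration never creates $CTL and the `${SSH} -S $CTL -O exit somehost` that replaces `wait` in the second hunk fails to connect, leaving the background ssh running exactly as before. Both iterations also share one socket path, and `-O exit` returns before the master has finished shutting down, so the second `-M` can find a stale $CTL; a per-iteration path such as `$CTL.$p`, or a short `-O check` retry before reuse, would make this robust. Finally, the `rm -f $CTL` from the first hunk should be repeated after the loop so the socket is not left behind for the following tests.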
From: djm at mindrot.org (Damien Miller)
Date: Tue, 24 Feb 2015 04:35:44 +1100 (AEDT)
Subject: PKI host based principal
In-Reply-To:
References:
Message-ID:

On Sun, 22 Feb 2015, Alon Bar-Lev wrote:

> Hello,
>
> Maybe I did not understand correctly the PKI trust, so forgive me if I
> am wrong.
>
> For example, I have multiple hosts that all serve as monitoring
> server, I would like to trust only these hosts, so I enrol a
> certificate for these using "monitoring" principal, so I can connect
> only to these.
>
> At first I thought we can do Match statement at ssh_config, however,
> the Match is being evaluated before connection, so remote principal
> name is not available at this stage.
>
> From what I do understand the known_hosts format enables CA key and
> DNS mask of matched hosts.
>
> There is no way to match against the certificate principal name.
>
> I thought about something like:
>
> @cert-authority
> *.mydomain.org,*.mydomain.com,principal=xxx,principal=yyy

I don't think I want to add more indirection to known_hosts; the file
is already a mess of tangled, overlapping features and I'm terrified to
add more :/

Someone sent me a patch to allow certificate hostname principal matching
against HostkeyAlias if matching against the exact hostname failed.
This might be an alternative way for you to achieve what you want.
What do you think?

> If the above cannot be done, do you think it will be helpful?
>
> BTW: It would also be handy to allow specifying the CA key within a
> separate file, something like the following:
>
> @cert-authority-file *.mydomain.org,*.mydomain.com,principal=xxx /etc/.../ca.pub

I'm not sure it's worth the extra complexity in known_hosts parsing,
given that it's already possible to specify multiple user/system
known_hosts files.

E.g. you could do:

UserKnownHostsFile ~/.ssh/known_hosts ~/.ssh/known_hosts_mydomain

with the latter listing the CA keys.

-d

From alon.barlev at gmail.com Tue Feb 24 04:42:39 2015
From: alon.barlev at gmail.com (Alon Bar-Lev)
Date: Mon, 23 Feb 2015 19:42:39 +0200
Subject: PKI host based principal
In-Reply-To:
References:
Message-ID:

On Mon, Feb 23, 2015 at 7:35 PM, Damien Miller wrote:
>
> On Sun, 22 Feb 2015, Alon Bar-Lev wrote:
>
> > Hello,
> >
> > Maybe I did not understand correctly the PKI trust, so forgive me if I
> > am wrong.
> >
> > For example, I have multiple hosts that all serve as monitoring
> > server, I would like to trust only these hosts, so I enrol a
> > certificate for these using "monitoring" principal, so I can connect
> > only to these.
> >
> > At first I thought we can do Match statement at ssh_config, however,
> > the Match is being evaluated before connection, so remote principal
> > name is not available at this stage.
> >
> > From what I do understand the known_hosts format enables CA key and
> > DNS mask of matched hosts.
> >
> > There is no way to match against the certificate principal name.
> >
> > I thought about something like:
> >
> > @cert-authority
> > *.mydomain.org,*.mydomain.com,principal=xxx,principal=yyy
>
> I don't think I want to add more indirection to known_hosts; the file
> is already a mess of tangled, overlapping features and I'm terrified to
> add more :/
>
> Someone sent me a patch to allow certificate hostname principal matching
> against HostkeyAlias if matching against the exact hostname failed.
> This might be an alternative way for you to achieve what you want.
> What do you think?

yes, I found this patch after I posted this :)
it would be a solution.

> > If the above cannot be done, do you think it will be helpful?
> >
> > BTW: It would also be handy to allow specifying the CA key within a
> > separate file, something like the following:
> >
> > @cert-authority-file *.mydomain.org,*.mydomain.com,principal=xxx /etc/.../ca.pub
>
> I'm not sure it's worth the extra complexity in known_hosts parsing,
> given that it's already possible to specify multiple user/system
> known_hosts files.
>
> E.g. you could do:
>
> UserKnownHostsFile ~/.ssh/known_hosts ~/.ssh/known_hosts_mydomain
>
> with the latter listing the CA keys.

I am thinking of avoiding specifying the CA key over and over within
the file. I mean, instead of having one large selection of valid
principals, enable a principal per line, while simplifying the CA key.

Another issue is that unlike the sshd_config which can point to a file,
I cannot have static configuration for the ssh client side because I
must generate the known_hosts based on the CA key that I receive during
setup.

Not critical, for this I have a solution.

Thanks!
Alon

From mikep at noc.utoronto.ca Tue Feb 24 04:41:08 2015
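Damien's suggestion of a second UserKnownHostsFile that carries only the CA entries, and Alon's point that on the client the file has to be generated from a CA key received at setup time, fit together in a small script. The following is an added example, not code from the thread or from OpenSSH; the file names, host patterns and the demo CA key are constructed assumptions. It writes a CA-only known_hosts file from one or more CA public-key files, validating each one before emitting an @cert-authority line, so a stray private key or a garbled file can never end up as a trust anchor, and a failed input leaves the previous file untouched.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): build a
# known_hosts file that holds only @cert-authority entries, generated
# from the CA public key received at setup time. File names, host
# patterns and the demo key below are constructed assumptions.

# Emit one "@cert-authority PATTERNS TYPE BASE64" line from a public-key
# file in OpenSSH "type base64 [comment]" format. Refuses anything that
# is not a recognised public key type with a base64 blob, so a private
# key or a garbled file cannot become a trust anchor.
ca_known_hosts_line() {
    patterns=$1
    pubfile=$2
    IFS= read -r line < "$pubfile" || return 1   # a CA file holds exactly one key
    set -f                                       # no globbing while splitting the line
    set -- $line
    set +f
    type=$1
    blob=$2
    case "$type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "ca_known_hosts_line: $pubfile: not a supported public key type: '$type'" >&2
           return 1 ;;
    esac
    case "$blob" in
        ""|*[!A-Za-z0-9+/=]*)
            echo "ca_known_hosts_line: $pubfile: malformed key data" >&2
            return 1 ;;
    esac
    printf '@cert-authority %s %s %s\n' "$patterns" "$type" "$blob"
}

# Rewrite OUT atomically with one line per CA file, all bound to the same
# host patterns; a failure on any input leaves the old file in place.
write_ca_known_hosts() {
    out=$1
    patterns=$2
    shift 2
    tmp="$out.tmp.$$"
    : > "$tmp" || return 1
    for f in "$@"; do
        ca_known_hosts_line "$patterns" "$f" >> "$tmp" || { rm -f "$tmp"; return 1; }
    done
    chmod 0600 "$tmp" && mv -f "$tmp" "$out"
}

# Demo with a constructed (not real) ed25519 CA public key.
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoCAKey000000000000000000 ca@setup' \
    > "$demo_dir/ca.pub"
write_ca_known_hosts "$demo_dir/known_hosts_mydomain" '*.mydomain.org,*.mydomain.com' "$demo_dir/ca.pub"
cat "$demo_dir/known_hosts_mydomain"
# ssh_config then points at both files, exactly as suggested above:
#   UserKnownHostsFile ~/.ssh/known_hosts ~/.ssh/known_hosts_mydomain
```

Because the CA file is rewritten from the setup-time key, the main known_hosts is never edited and a CA rotation is a rerun of the script rather than a search-and-replace through per-host entries; the 0600 mode and the temp-file rename keep a half-written file from being read by a concurrently starting ssh.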
From: mikep at noc.utoronto.ca (mikep at noc.utoronto.ca) Date: Mon, 23 Feb 2015 12:41:08 -0500 (EST) Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: Message-ID: openssh-SNAP-20150224, Solaris 10, GCC Configure command line: ./configure CC=gcc --prefix=/opt/local --sysconfdir=/etc/ssh --with-prngd-socket=/var/run/egd-pool --with-zlib=/opt/local --with-rpath Have to manually edit 'config.h': diff config.h.orig config.h 783c783 < #define HAVE_MKDTEMP 1 --- > /* #undef HAVE_MKDTEMP */ as Solaris does not have 'mkdtemp'. Compile fails at: gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -I. -I. -I/opt/local/include -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/opt/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/opt/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/opt/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/opt/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c canohost.c -o canohost.o In file included from packet.h:45, from canohost.c:33: dispatch.h:46: warning: type defaults to `int' in declaration of `sig_atomic_t' dispatch.h:46: error: syntax error before '*' token dispatch.h:47: warning: type defaults to `int' in declaration of `sig_atomic_t' dispatch.h:47: error: syntax error before '*' token make: *** [canohost.o] Error 1 Mike -- Mike Peterson Information Security Analyst - Audit E-mail: mikep at noc.utoronto.ca WWW: http://www.noc.utoronto.ca/ Tel: 416-978-5230 Fax: 416-978-6620 From djm at mindrot.org Tue Feb 24 05:00:43 2015 
From: djm at mindrot.org (Damien Miller) Date: Tue, 24 Feb 2015 05:00:43 +1100 (AEDT) Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: Message-ID: On Mon, 23 Feb 2015, mikep at noc.utoronto.ca wrote: > openssh-SNAP-20150224, Solaris 10, GCC Thanks for testing. > Configure command line: > > ./configure CC=gcc --prefix=/opt/local --sysconfdir=/etc/ssh > --with-prngd-socket=/var/run/egd-pool --with-zlib=/opt/local --with-rpath > > Have to manually edit 'config.h': > > diff config.h.orig config.h > 783c783 > < #define HAVE_MKDTEMP 1 > --- > > /* #undef HAVE_MKDTEMP */ > > as Solaris does not have 'mkdtemp'. That's strange - it's finding it somewhere. Could I ask you to rummage through config.log to see what it is detecting? > Compile fails at: > > gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare > -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv > -fno-builtin-memset -I. -I. -I/opt/local/include -DSSHDIR=\"/etc/ssh\" > -D_PATH_SSH_PROGRAM=\"/opt/local/bin/ssh\" > -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/local/libexec/ssh-askpass\" > -D_PATH_SFTP_SERVER=\"/opt/local/libexec/sftp-server\" > -D_PATH_SSH_KEY_SIGN=\"/opt/local/libexec/ssh-keysign\" > -D_PATH_SSH_PKCS11_HELPER=\"/opt/local/libexec/ssh-pkcs11-helper\" > -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" > -DHAVE_CONFIG_H -c canohost.c -o canohost.o > In file included from packet.h:45, > from canohost.c:33: > dispatch.h:46: warning: type defaults to `int' in declaration of > `sig_atomic_t' > dispatch.h:46: error: syntax error before '*' token > dispatch.h:47: warning: type defaults to `int' in declaration of > `sig_atomic_t' > dispatch.h:47: error: syntax error before '*' token > make: *** [canohost.o] Error 1 Does this help? diff --git a/dispatch.h b/dispatch.h index cd51dbc..2bcdc91 100644 --- a/dispatch.h +++ b/dispatch.h 
@@ -27,6 +27,8 @@ #ifndef DISPATCH_H #define DISPATCH_H +#include /* for sig_atomic_t */ + #define DISPATCH_MAX 255 enum { From tgc at jupiterrise.com Tue Feb 24 06:21:50 2015 From: tgc at jupiterrise.com (Tom G. Christensen) Date: Mon, 23 Feb 2015 20:21:50 +0100 Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: Message-ID: <54EB7DCE.5080708@jupiterrise.com> On 19/02/15 23:21, Damien Miller wrote: > Snapshot releases for portable OpenSSH are available from > http://www.mindrot.org/openssh_snap/ > I tried building openssh-SNAP-20150224.tar.gz on Solaris 2.6, 7, 8 and 9. All failed because they do not have . Here's how it looks on Solaris 9/SPARC with gcc 4.9.2: ... In file included from ssh_api.c:21:0: ssh_api.h:21:23: fatal error: sys/queue.h: No such file or directory #include ^ compilation terminated. gmake: *** [ssh_api.o] Error 1 -tgc From djm at mindrot.org Tue Feb 24 06:31:17 2015 From: djm at mindrot.org (Damien Miller) Date: Tue, 24 Feb 2015 06:31:17 +1100 (AEDT) Subject: Call for testing: OpenSSH 6.8 In-Reply-To: <54EB7DCE.5080708@jupiterrise.com> References: <54EB7DCE.5080708@jupiterrise.com> Message-ID: On Mon, 23 Feb 2015, Tom G. Christensen wrote: > On 19/02/15 23:21, Damien Miller wrote: > > Snapshot releases for portable OpenSSH are available from > > http://www.mindrot.org/openssh_snap/ > > > > I tried building openssh-SNAP-20150224.tar.gz on Solaris 2.6, 7, 8 and 9. > All failed because they do not have . > Here's how it looks on Solaris 9/SPARC with gcc 4.9.2: > ... > In file included from ssh_api.c:21:0: > ssh_api.h:21:23: fatal error: sys/queue.h: No such file or directory > #include Thanks - I just committed a fix: diff --git a/ssh_api.h b/ssh_api.h index a7e14e0..642acd5 100644 --- a/ssh_api.h +++ b/ssh_api.h @@ -18,10 +18,11 @@ #ifndef API_H #define API_H -#include #include #include +#include "openbsd-compat/sys-queue.h" + #include "cipher.h" #include "sshkey.h" #include "kex.h" From mail at ojkastl.de Tue Feb 24 06:45:46 2015 
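Review bot: in the dispatch.h hunk the header name after `#include` in the added line has been stripped by the archive, so the hunk cannot be verified as posted; `sig_atomic_t` is declared by <signal.h> in C99, which is presumably the intended target, and the `/* for sig_atomic_t */` comment is then accurate. The Solaris 10 failure at dispatch.h:46 shows nothing earlier in the include chain (packet.h via canohost.c) had pulled in that definition, so adding the include to dispatch.h itself, rather than relying on it arriving transitively, is the right placement.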
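Review bot: in the ssh_api.h hunk the removed `#include` line has lost its target in the archive, but the build error quoted just above (`ssh_api.h:21:23: fatal error: sys/queue.h: No such file or directory`) identifies it, and swapping it for `"openbsd-compat/sys-queue.h"` is the right fix for the Solaris 2.6 to 9 hosts that lack the system header. Two follow-ups: the compat header now comes after the two remaining system includes, which is fine only if neither of those needs the queue macros, and any other file that still includes <sys/queue.h> directly will fail the same way, so a grep for it before cutting the release would avoid a second round with the same testers.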
From: mail at ojkastl.de (Johannes Kastl)
Date: Mon, 23 Feb 2015 20:45:46 +0100
Subject: Using confirmation of key usage per-host?
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear all,

bear with me, I know the SUBJECT sounds pretty unclear. I'll clarify
in a minute. And please excuse that due to the keywords being unclear
no usable help was found on google & Co...

Assume there is a workstation, which connects to multiple machines,
one of which is considered potentially unsafe. So, it would be nice to
have agent forwarding to that machine combined with the confirmation
option of ssh-add (-c). If the 'forwarded key' is used on this
machine, the user is prompted on the workstation. An intruder cannot
use the authentication information without the user knowing (at least
that is how I understood the idea of agent confirmation).

Using ssh-add -c on the workstation together with setting
'ForwardAgent=yes' in the .ssh/config achieves the desired behaviour.

Unfortunately, this means the user is asked for confirmation each
time the key is used. Even if it is just to connect to a safe machine
or without agent forwarding.

Question:
Is it possible to just get asked for confirmation, when the key is
used on a machine, to which agent forwarding is used? Can this be set
on a per-host-basis, like enabling/disabling agent forwarding in
.ssh/config?

One workaround I could think of would be to use a separate ssh key
just for that machine, and just add that one with the ssh-add -c
option.

Any hints?

Thanks in advance,
Johannes

- --
'Voldemort himself created his worst enemy, just as tyrants everywhere
do! Have you any idea how much tyrants fear the people they oppress?
All of them realise that, one day [...] there is sure to be one who
rises against them and strikes back.'
(Harry Potter 6)
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with SeaMonkey - http://www.enigmail.net/

iEYEARECAAYFAlTrg2MACgkQzi3gQ/xETbLqQACdG0fpMXJQPku9yiTj1tVnDMfY
BpEAn1hIqIPsuWKSbgXwCd8djmITATMH
=esSH
-----END PGP SIGNATURE-----

From djm at mindrot.org Tue Feb 24 06:56:36 2015
From: djm at mindrot.org (Damien Miller)
Date: Tue, 24 Feb 2015 06:56:36 +1100 (AEDT)
Subject: Using confirmation of key usage per-host?
In-Reply-To:
References:
Message-ID:

On Mon, 23 Feb 2015, Johannes Kastl wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dear all,
>
> bear with me, I know the SUBJECT sounds pretty unclear. I'll clarify
> in a minute. And please excuse that due to the keywords being unclear
> no usable help was found on google & Co...
>
> Assume there is a workstation, which connects to multiple machines,
> one of which is considered potentially unsafe. So, it would be nice to
> have agent forwarding to that machine combined with the confirmation
> option of ssh-add (-c). If the 'forwarded key' is used on this
> machine, the user is prompted on the workstation. An intruder cannot
> use the authentication information without the user knowing (at least
> that is how I understood the idea of agent confirmation).
>
> Using ssh-add -c on the workstation together with setting
> 'ForwardAgent=yes' in the .ssh/config achieves the desired behaviour.
>
> Unfortunately, this means the user is asked for confirmation each
> time the key is used. Even if it is just to connect to a safe machine
> or without agent forwarding.
>
> Question:
> Is it possible to just get asked for confirmation, when the key is
> used on a machine, to which agent forwarding is used? Can this be set
> on a per-host-basis, like enabling/disabling agent forwarding in
> .ssh/config?

No and no.

You might want to check the mailing list archive for the thread
"Filtering which identities are forwarded by ssh-agent to a given host"
a couple of weeks ago for a related discussion.

-d

From carson at taltos.org Tue Feb 24 07:02:47 2015
From: carson at taltos.org (Carson Gaspar)
Date: Mon, 23 Feb 2015 12:02:47 -0800
Subject: Using confirmation of key usage per-host?
In-Reply-To:
References:
Message-ID: <54EB8767.2000601@taltos.org>

On 2/23/15 11:45 AM, Johannes Kastl wrote:
> Assume there is a workstation, which connects to multiple machines,
> one of which is considered potentially unsafe. So, it would be nice to
> have agent forwarding to that machine combined with the confirmation
> option of ssh-add (-c). If the 'forwarded key' is used on this
> machine, the user is prompted on the workstation. An intruder cannot
> use the authentication information without the user knowing (at least
> that is how I understood the idea of agent confirmation).
>
> Using ssh-add -c on the workstation together with setting
> 'ForwardAgent=yes' in the .ssh/config achieves the desired behaviour.
>
> Unfortunately, this means the user is asked for confirmation each
> time the key is used. Even if it is just to connect to a safe machine
> or without agent forwarding.
>
> Question:
> Is it possible to just get asked for confirmation, when the key is
> used on a machine, to which agent forwarding is used? Can this be set
> on a per-host-basis, like enabling/disabling agent forwarding in
> .ssh/config?

You'll need to run 2 agents if you want different agent behaviour.
Sadly I don't know of any way to select which agent gets used in
ssh_config - you'd also have to wrap ssh to flip the SSH_AUTH_SOCK env
var.

--
Carson

From dtucker at zip.com.au Tue Feb 24 07:16:39 2015
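Carson's two-agent setup, with the ssh wrapper that flips SSH_AUTH_SOCK per destination, as an added example that is not from the thread or from OpenSSH; the socket paths, host names and the pattern table are constructed assumptions. The one key that is allowed to be forwarded lives alone in the "confirm" agent and is loaded with `ssh-add -c`, so a use through the untrusted host prompts on the workstation, while everyday hosts go through the "plain" agent and never prompt:

```shell
#!/bin/sh
# Added example: two ssh-agents with a per-host wrapper (not from the
# thread or from OpenSSH). Socket paths, host names and the pattern
# table below are constructed assumptions.
#
#   agent-plain.sock    everyday keys, added without -c, never forwarded
#   agent-confirm.sock  the one key that may be forwarded, added with -c,
#                       so each use through a forwarded agent prompts

# Host-pattern -> agent-socket table, first match wins; keep the '*'
# fallback last so unknown hosts get the non-forwarding agent.
AGENT_MAP="untrusted.example.com $HOME/.ssh/agent-confirm.sock
*.dmz.example.com $HOME/.ssh/agent-confirm.sock
* $HOME/.ssh/agent-plain.sock"

# Print the socket for HOST using ssh_config-style glob matching.
# Fails (status 1) when no pattern matches, e.g. with a map lacking '*'.
agent_socket_for_host() {
    host=$1
    while read -r pattern sock; do
        [ -n "$pattern" ] || continue
        case "$host" in
            $pattern) printf '%s\n' "$sock"; return 0 ;;
        esac
    done <<EOF
$AGENT_MAP
EOF
    echo "agent_socket_for_host: no agent mapped for $host" >&2
    return 1
}

# Start an agent on a fixed socket and load keys into it; put -c before
# the key files that should require confirmation. Needs ssh-agent,
# ssh-add and real keys, so the demo at the bottom does not call it.
start_agent() {
    sock=$1; shift
    rm -f "$sock"
    ssh-agent -a "$sock" >/dev/null || return 1
    SSH_AUTH_SOCK=$sock ssh-add "$@"
}
# e.g. start_agent "$HOME/.ssh/agent-plain.sock" ~/.ssh/id_everyday
#      start_agent "$HOME/.ssh/agent-confirm.sock" -c ~/.ssh/id_forwardable

# ssh wrapper: take the destination from the last argument (user@ stripped),
# pick its agent, and run ssh in a subshell so the caller's SSH_AUTH_SOCK
# is left alone. SSH_CMD overrides the ssh binary (used for testing).
ssh_with_agent() {
    [ $# -gt 0 ] || { echo "usage: ssh_with_agent [ssh options] destination" >&2; return 2; }
    eval "dest=\${$#}"
    dest=${dest#*@}
    sock=$(agent_socket_for_host "$dest") || return 1
    (
        SSH_AUTH_SOCK=$sock
        export SSH_AUTH_SOCK
        "${SSH_CMD:-ssh}" "$@"
    )
}

# Demo: show which agent each destination would be given.
for h in untrusted.example.com bastion.dmz.example.com build.internal.example.com; do
    printf '%-28s -> %s\n' "$h" "$(agent_socket_for_host "$h")"
done
```

Pair it with `ForwardAgent yes` only in the Host stanza for the untrusted machine, so the confirm agent is the only one that ever crosses a connection. The wrapper reads the destination from the last argument, which is wrong for `ssh host command`; `ssh -G host` prints the resolved HostName and is the better source when the wrapper can afford a second ssh invocation. Since OpenSSH 7.3 the ssh_config `IdentityAgent` option selects the agent socket per Host directly, which removes the wrapper while keeping the two-agent split.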
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 23 Feb 2015 15:16:39 -0500
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

I've found the following problem with really old gccs (definitely
2.7.2.1 and 2.95.3 but possibly others). I believe it's due to variadic
macros when given only 1 arg.

channels.c: In function `channel_input_port_forward_request':
channels.c:3442: parse error before `;'

The line is pretty simple:

        if (fwd.connect_port == 0)
                packet_disconnect("Dynamic forwarding denied.");

As part of the new API, packet_disconnect() became a macro:

#define packet_disconnect(fmt, args...) \
        ssh_packet_disconnect(active_state, (fmt), ##args)

If I do -save-temps, the preprocessed source is (note unbalanced parens):

        if (fwd.connect_port == 0)
                ssh_packet_disconnect(active_state, ( "Dynamic forwarding denied." ) ;

If I change the source to:

        if (fwd.connect_port == 0)
                packet_disconnect("%s", "Dynamic forwarding denied.");

then it'll work.

Question is: what to do?

a) nothing. I'll either retire the affected test platforms or upgrade
   the compiler depending on how enthusiastic I get.
b) add the "%s"
c) make packet_disconnect a real function.
d) ???

Comments?

On Thu, Feb 19, 2015 at 5:21 PM, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Git at https://anongit.mindrot.org/openssh.git/
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Changes since OpenSSH 6.7
> =========================
>
> This is a major release, containing a number of new features as
> well as a large internal re-factoring.
>
> Potentially-incompatible changes
> --------------------------------
>
> * sshd(8): UseDNS now defaults to 'no'. Configurations that match
>   against the client host name (via sshd_config or authorized_keys)
>   may need to re-enable it or convert to matching against addresses.
>
> New Features
> ------------
>
> * Much of OpenSSH's internal code has been re-factored to be more
>   library-like. These changes are mostly not user-visible, but
>   have greatly improved OpenSSH's testability and internal layout.
>
> * Add FingerprintHash option to ssh(1) and sshd(8), and equivalent
>   command-line flags to the other tools to control algorithm used
>   for key fingerprints. The default changes from MD5 to SHA256 and
>   format from hex to base64.
>
>   Fingerprints now have the hash algorithm prepended. An example of
>   the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE
>   Please note that visual host keys will also be different.
>
> * ssh(1), sshd(8): Host key rotation support. Add a protocol
>   extension for a server to inform a client of all its available
>   host keys after authentication has completed. The client may
>   record the keys in known_hosts, allowing it to upgrade to better
>   host key algorithms and a server to gracefully rotate its keys.
>
>   The client side of this is controlled by a UpdateHostkeys config
>   option (default on).
>
> * ssh(1): Add a ssh_config HostbasedKeyType option to control which
>   host public key types are tried during host-based authentication.
>
> * ssh(1), sshd(8): fix connection-killing host key mismatch errors
>   when sshd offers multiple ECDSA keys of different lengths.
>
> * ssh(1): when host name canonicalisation is enabled, try to
>   parse host names as addresses before looking them up for
>   canonicalisation. fixes bz#2074 and avoids needless DNS
>   lookups in some cases.
>
> * ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer
>   require OpenSSH to be compiled with OpenSSL support.
>
> * ssh(1), ssh-keysign(8): Make ed25519 keys work for host based
>   authentication.
>
> * sshd(8): SSH protocol v.1 workaround for the Meyer, et al,
>   Bleichenbacher Side Channel Attack. Fake up a bignum key before
>   RSA decryption.
>
> * sshd(8): Remember which public keys have been used for
>   authentication and refuse to accept previously-used keys.
>   This allows AuthenticationMethods=publickey,publickey to require
>   that users authenticate using two _different_ public keys.
>
> * sshd(8): add sshd_config HostbasedAcceptedKeyTypes and
>   PubkeyAcceptedKeyTypes options to allow sshd to control what
>   public key types will be accepted. Currently defaults to all.
>
> * sshd(8): Don't count partial authentication success as a failure
>   against MaxAuthTries.
>
> * ssh(1): Add RevokedHostKeys option for the client to allow
>   text-file or KRL-based revocation of host keys.
>
> * ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by
>   serial number or key ID without scoping to a particular CA.
>
> * ssh(1): Add a "Match canonical" criteria that allows ssh_config
>   Match blocks to trigger only in the second config pass.
>
> * ssh(1): Add a -G option to ssh that causes it to parse its
>   configuration and dump the result to stdout, similar to "sshd -T".
>
> * ssh(1): Allow Match criteria to be negated. E.g. "Match !host".
>
> * The regression test suite has been extended to cover more OpenSSH
>   features. The unit tests have been expanded and now cover key
>   exchange.
>
> Bugfixes
> --------
>
> * ssh-keyscan(1): ssh-keyscan has been made much more robust against
>   servers that hang or violate the SSH protocol.
>
> * ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were
>   being lost as comment fields.
>
> * ssh(1): Allow ssh_config Port options set in the second config
>   parse phase to be applied (they were being ignored). bz#2286
>
> * ssh(1): Tweak config re-parsing with host canonicalisation - make
>   the second pass through the config files always run when host name
>   canonicalisation is enabled (and not whenever the host name
>   changes) bz#2267
>
> * ssh(1): Fix passing of wildcard forward bind addresses when
>   connection multiplexing is in use; bz#2324;
>
> * ssh-keygen(1): Fix broken private key conversion from non-OpenSSH
>   formats; bz#2345.
>
> * ssh-keygen(1): Fix KRL generation bug when multiple CAs are in
>   use.
>
> * Various fixes to manual pages: bz#2288, bz#2316, bz#2273
>
> Portable OpenSSH
> ----------------
>
> * Support --without-openssl at configure time
>
>   Disables and removes dependency on OpenSSL. Many features,
>   including SSH protocol 1 are not supported and the set of crypto
>   options is greatly restricted. This will only work on systems with
>   native arc4random or /dev/urandom.
>
>   Considered highly experimental for now.
>
> * Support --without-ssh1 option at configure time
>
>   Allows disabling support for SSH protocol 1.
>
>   Still experimental - not all regression and unit tests have
>   been adapted for the absence of SSH protocol 1.
>
> * sshd(8): Fix compilation on systems with IPv6 support in utmpx; bz#2296
>
> * Allow custom service name for sshd on Cygwin. Permits the use of
>   multiple sshd running with different service names.
>
> Reporting Bugs:
> ===============
>
> - Please read http://www.openssh.com/report.html
>   Security bugs should be reported directly to openssh at openssh.com
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.
>

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
From: mikep at noc.utoronto.ca (mikep at noc.utoronto.ca)
Date: Mon, 23 Feb 2015 15:18:11 -0500 (EST)
Subject: Call for testing: OpenSSH 6.8

On Tue, 24 Feb 2015, Damien Miller wrote:

> On Mon, 23 Feb 2015, mikep at noc.utoronto.ca wrote:
>
>> openssh-SNAP-20150224, Solaris 10, GCC
>
> Thanks for testing.
>
>> Configure command line:
>>
>> ./configure CC=gcc --prefix=/opt/local --sysconfdir=/etc/ssh
>> --with-prngd-socket=/var/run/egd-pool --with-zlib=/opt/local --with-rpath
>>
>> Have to manually edit 'config.h':
>>
>> diff config.h.orig config.h
>> 783c783
>> < #define HAVE_MKDTEMP 1
>> ---
>>> /* #undef HAVE_MKDTEMP */
>>
>> as Solaris does not have 'mkdtemp'.
>
> That's strange - it's finding it somewhere. Could I ask you to rummage
> through config.log to see what it is detecting?

All I see is:

configure:10439: checking for mkdtemp
configure:10439: gcc -o conftest -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -I/opt/local/include -L/opt/local/lib -R/opt/local/lib -Wl,-z,now conftest.c -lz -lsocket -lnsl >&5
configure:10439: $? = 0
configure:10439: result: yes

I've done some testing, and while there is no 'man' page, the function
does seem to exist, and works as expected in a small test program. I've
had to make this manual change since at least OpenSSH 6.6 (can't
remember what failed but must have been 'make tests' somewhere).
Re-running build with '#define HAVE_MKDTEMP 1'.

>> Compile fails at:
>>
>> gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
>> -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv
>> -fno-builtin-memset -I. -I. -I/opt/local/include -DSSHDIR=\"/etc/ssh\"
>> -D_PATH_SSH_PROGRAM=\"/opt/local/bin/ssh\"
>> -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/local/libexec/ssh-askpass\"
>> -D_PATH_SFTP_SERVER=\"/opt/local/libexec/sftp-server\"
>> -D_PATH_SSH_KEY_SIGN=\"/opt/local/libexec/ssh-keysign\"
>> -D_PATH_SSH_PKCS11_HELPER=\"/opt/local/libexec/ssh-pkcs11-helper\"
>> -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\"
>> -DHAVE_CONFIG_H -c canohost.c -o canohost.o
>> In file included from packet.h:45,
>>                  from canohost.c:33:
>> dispatch.h:46: warning: type defaults to `int' in declaration of `sig_atomic_t'
>> dispatch.h:46: error: syntax error before '*' token
>> dispatch.h:47: warning: type defaults to `int' in declaration of `sig_atomic_t'
>> dispatch.h:47: error: syntax error before '*' token
>> make: *** [canohost.o] Error 1
>
> Does this help?
>
> diff --git a/dispatch.h b/dispatch.h
> index cd51dbc..2bcdc91 100644
> --- a/dispatch.h
> +++ b/dispatch.h
> @@ -27,6 +27,8 @@
> #ifndef DISPATCH_H
> #define DISPATCH_H
>
> +#include /* for sig_atomic_t */
> +
> #define DISPATCH_MAX 255
>
> enum {

That's got it - build now completes.

'make tests' fails at:

gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -I. -I. -I/opt/local/include -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/opt/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/opt/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/opt/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/opt/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/netcat regress/netcat.c \
    -L. -Lopenbsd-compat/ -L/opt/local/lib -R/opt/local/lib -Wl,-z,now -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lresolv -lcrypto -lrt -lz -lsocket -lnsl
regress/netcat.c:47:17: err.h: No such file or directory
regress/netcat.c: In function `main':
regress/netcat.c:166: warning: implicit declaration of function `errx'
regress/netcat.c:232: warning: implicit declaration of function `err'
regress/netcat.c: In function `unix_bind':
regress/netcat.c:503: error: syntax error before numeric constant
regress/netcat.c:511: error: invalid lvalue in unary `&'
regress/netcat.c:512: error: request for member `sun_family' in something not a structure or union
regress/netcat.c:514: error: request for member `sun_path' in something not a structure or union
regress/netcat.c:514: error: request for member `sun_path' in something not a structure or union
regress/netcat.c:515: error: request for member `sun_path' in something not a structure or union
regress/netcat.c:521: error: invalid lvalue in unary `&'
regress/netcat.c:521: error: invalid lvalue in unary `&'
regress/netcat.c:521: error: invalid lvalue in unary `&'
regress/netcat.c:521: error: invalid lvalue in unary `&'
regress/netcat.c: In function `unix_connect':
regress/netcat.c:535: error: syntax error before numeric constant
regress/netcat.c:547: error: invalid lvalue in unary `&'
regress/netcat.c:548: error: request for member `sun_family' in something not a structure or union
regress/netcat.c:550: error: request for member `sun_path' in something not a structure or union
regress/netcat.c:550: error: request for member `sun_path' in something not a structure or union
regress/netcat.c:551: error: request for member `sun_path' in something not a structure or union
regress/netcat.c:556: error: invalid lvalue in unary `&'
regress/netcat.c:556: error: invalid lvalue in unary `&'
regress/netcat.c:556: error: invalid lvalue in unary `&'
regress/netcat.c:556: error: invalid lvalue in unary `&'
regress/netcat.c: In function `remote_connect':
regress/netcat.c:637: warning: implicit declaration of function `warn'
regress/netcat.c: In function `local_listen':
regress/netcat.c:695: warning: unused variable `ret'
regress/netcat.c:695: warning: unused variable `x'
regress/netcat.c: In function `fdpass':
regress/netcat.c:997: error: structure has no member named `msg_control'
regress/netcat.c:998: error: structure has no member named `msg_controllen'
regress/netcat.c:999: error: structure has no member named `msg_controllen'
regress/netcat.c:999: error: structure has no member named `msg_control'
make: *** [regress/netcat] Error 1

The only 'err.h' include file on the system is
'/usr/local/include/openssl/err.h'.

Mike

-- 
Mike Peterson
Information Security Analyst - Audit
E-mail: mikep at noc.utoronto.ca
WWW: http://www.noc.utoronto.ca/
Tel: 416-978-5230  Fax: 416-978-6620
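Review bot: the added line in the dispatch.h hunk reads `+#include /* for sig_atomic_t */` with no header name, because the angle-bracketed name did not survive the list archive, so the only thing telling a reader which header is meant is the trailing comment; the errors it fixes (dispatch.h:46 and :47 complaining about an unknown `sig_atomic_t`) pin it down as `<signal.h>`, the header that C99 and POSIX specify for that type, and restating the full line as `#include <signal.h> /* for sig_atomic_t */` in the reply would spare anyone applying the fix from the archive a guess.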
From: mail at ojkastl.de (Johannes Kastl)
Date: Mon, 23 Feb 2015 21:26:04 +0100
Subject: Using confirmation of key usage per-host?
Message-ID: <2E3EECE2-184B-4195-A2CA-70E5376E53D6@ojkastl.de>

Hi Damien,

On 23 February 2015 20:56:36 CET, Damien Miller wrote:
>
> No and no.
>
> You might want to check the mailing list archive for the thread
> "Filtering which identities are forwarded by ssh-agent to a given host"
> a couple of weeks ago for a related discussion.
>
> -d

Thanks for the quick answer. I'll have a look at this thread. So only
the different key workaround might help, right?

Regards,
Johannes

-- 
This mail has been sent from my mobile phone. Please excuse the
briefness. This mail is not signed cryptographically.
From: vinschen at redhat.com (Corinna Vinschen)
Date: Mon, 23 Feb 2015 21:23:02 +0100
Subject: Call for testing: OpenSSH 6.8
References: <20150221120955.GA24328@calimero.vinschen.de> <20150223092851.GD437@calimero.vinschen.de> <20150223103344.GA5204@calimero.vinschen.de>
Message-ID: <20150223202302.GA6750@calimero.vinschen.de>

Hi Damien,

On Feb 24 04:26, Damien Miller wrote:
> On Mon, 23 Feb 2015, Corinna Vinschen wrote:
>
> > leaves the ports 3301/3302 in TIME_WAIT state (as is 4242 from some
> > earlier test). Here are the relevant excerpts from ps -e and (Windows)
> > netstat output. The first group is the output prior to the above test:
> > [snip]
> >
> > This may well be a problem local to Windows. Btw., the large number of
> > AF_INET sockets is a result of the way how Cygwin implements AF_LOCAL
> > sockets: They are emulated by local AF_INET sockets since Windows
> > doesn't know the concept of AF_LOCAL sockets.
>
> Does CYGWIN implement setsockopt(s, SOL_SOCKET, SO_REUSEADDR, ...)?
> We set this for (AFAIK) all forwarding listeners to prevent TIME_WAIT
> collisions.

Yes, it does. But given how screwed up this part of the Windows sockets
implementation is, I'm not at all sure this works 100% reliably.

> > Note that there are still sleep processes running. So on a hunch I just
> > added a `sleep 30' between the two tests and, lo and behold, the
> > forwarding.sh test completes successfully every time:
>
> IMO it's probably a simple race condition rather than a TCP thing, and
> the test before the "transfer over chained unix domain socket" one does
> look like it fails to wait for the backgrounded ssh to finish (the wait
> doesn't wait for the background ssh, but the one following it).
>
> Does the following help?

It does! Thanks, that looks much neater than a 30 seconds sleep :)

Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat
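The race Damien diagnoses above, reconstructed as an added example that is neither the forwarding.sh test itself nor his patch (neither is quoted in the mail): a test step that backgrounds one command, backgrounds another, and then waits on the wrong job, next to the fix of recording the PID right after the `&` of the job that matters. The delays and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the forwarding.sh regression test or Damien's patch:
# reproduces the class of race he describes (a "wait" that waits for the
# wrong background job) and the usual fix of saving $! immediately after
# the "&" that started the job the test actually depends on.

# Stand-in for a backgrounded ssh transfer: finishes after a delay and then
# leaves a marker file, like a forwarded connection that is still draining
# when the foreground command has already returned.
slow_transfer() {
    sleep "$1"
    echo done > "$2"
}

# Racy pattern: the transfer is backgrounded, some later helper is also
# backgrounded, and "wait $!" then refers to the helper, not the transfer.
# The next test step starts while the transfer is still running, which
# is when a port from the previous step is still busy or in TIME_WAIT.
racy_run() {
    out=$1
    rm -f "$out"
    slow_transfer 1 "$out" >/dev/null 2>&1 &
    sleep 0 >/dev/null 2>&1 &          # unrelated background helper
    wait $!                            # only waits for "sleep 0"
    if [ -f "$out" ]; then echo complete; else echo incomplete; fi
}

# Fixed pattern: capture the transfer's PID immediately after its "&" and
# wait on exactly that PID (a bare "wait" would also do: it waits for every
# background job of this shell).
fixed_run() {
    out=$1
    rm -f "$out"
    slow_transfer 1 "$out" >/dev/null 2>&1 &
    transfer_pid=$!                    # record before anything else is backgrounded
    sleep 0 >/dev/null 2>&1 &
    wait "$transfer_pid"               # really waits for the transfer
    if [ -f "$out" ]; then echo complete; else echo incomplete; fi
}

# Demo when run as "sh race-demo.sh demo": prints "incomplete" then "complete".
if [ "${1:-}" = "demo" ]; then
    tmp=${TMPDIR:-/tmp}/race-demo.$$
    echo "racy:  $(racy_run "$tmp.a")"
    echo "fixed: $(fixed_run "$tmp.b")"
    sleep 1
    rm -f "$tmp.a" "$tmp.b"
fi
```

The same mistake is easy to make in any regress script that chains several backgrounded ssh invocations: `$!` always names the most recently backgrounded job, so it has to be saved at once or the later `wait` silently checks the wrong process.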
From: djm at mindrot.org (Damien Miller)
Date: Tue, 24 Feb 2015 07:32:56 +1100 (AEDT)
Subject: Call for testing: OpenSSH 6.8
In-Reply-To: <20150223202302.GA6750@calimero.vinschen.de>
References: <20150221120955.GA24328@calimero.vinschen.de> <20150223092851.GD437@calimero.vinschen.de> <20150223103344.GA5204@calimero.vinschen.de> <20150223202302.GA6750@calimero.vinschen.de>

On Mon, 23 Feb 2015, Corinna Vinschen wrote:

> > IMO it's probably a simple race condition rather than a TCP thing, and
> > the test before the "transfer over chained unix domain socket" one does
> > look like it fails to wait for the backgrounded ssh to finish (the wait
> > doesn't wait for the background ssh, but the one following it).
> >
> > Does the following help?
>
> It does! Thanks, that looks much neater than a 30 seconds sleep :)

Committed - thanks.

-d

From: peter at stuge.se (Peter Stuge)
Date: Mon, 23 Feb 2015 21:36:15 +0100
Subject: Call for testing: OpenSSH 6.8
Message-ID: <20150223203615.28784.qmail@stuge.se>

Darren Tucker wrote:
> Question is: what to do?
> c) make packet_disconnect a real function.

I say c.

//Peter

From: djm at mindrot.org (Damien Miller)
Date: Tue, 24 Feb 2015 07:44:23 +1100 (AEDT)
Subject: Call for testing: OpenSSH 6.8
In-Reply-To: <20150223203615.28784.qmail@stuge.se>
References: <20150223203615.28784.qmail@stuge.se>

On Mon, 23 Feb 2015, Peter Stuge wrote:

> Darren Tucker wrote:
> > Question is: what to do?
> > c) make packet_disconnect a real function.
>
> I say c.

yeah, stick it in opacket.c
From: tgc at jupiterrise.com (Tom G. Christensen)
Date: Mon, 23 Feb 2015 22:22:40 +0100
Subject: Call for testing: OpenSSH 6.8
References: <54EB7DCE.5080708@jupiterrise.com>
Message-ID: <54EB9A20.4080102@jupiterrise.com>

On 23/02/15 20:31, Damien Miller wrote:
> Thanks - I just committed a fix:
>

Thanks, unfortunately you missed the one in packet.h.

In file included from ssh_api.h:31:0,
                 from ssh_api.c:21:
packet.h:38:23: fatal error: sys/queue.h: No such file or directory
 #include
                       ^
compilation terminated.
gmake: *** [ssh_api.o] Error 1

Fixing that I run into the missing sig_atomic_t that I see you posted a
patch for earlier.

Next issue is unconditional include of in xmalloc.c:

xmalloc.c:19:20: error: stdint.h: No such file or directory

Solaris < 10 does not have stdint.h, it actually only fails on Solaris
2.6 because it is limited to gcc 4.3.6 which does not provide a stdint.h
replacement (this was introduced with gcc 4.4).

-tgc
From: kevin.brott at gmail.com (Kevin Brott)
Date: Mon, 23 Feb 2015 13:28:54 -0800
Subject: Call for testing: OpenSSH 6.8

Stock - Debian GNU/Linux 7.8 (wheezy) - all tests passed

build failure on:
* AIX 6.1 (6100-09-03-1415) IBM XL C/C++ Compiler (11.1.0.16)
* AIX 7.1 (7100-03-04-1441) IBM XL C/C++ Compiler (12.1.0.6)

./configure && make tests

...

xlc_r -g -I. -I. -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c ssh_api.c -o ssh_api.o
"ssh_api.c", line 143.19: 1506-068 (W) Operation between types "struct key_entry*" and "int" is not allowed.
"ssh_api.c", line 149.19: 1506-068 (W) Operation between types "struct key_entry*" and "int" is not allowed.
"ssh_api.c", line 440.45: 1506-045 (S) Undeclared identifier next.
"ssh_api.c", line 440.51: 1506-277 (S) Syntax error: possible missing ';' or ','?
"ssh_api.c", line 455.46: 1506-045 (S) Undeclared identifier next.
"ssh_api.c", line 455.52: 1506-277 (S) Syntax error: possible missing ';' or ','?
"ssh_api.c", line 470.45: 1506-045 (S) Undeclared identifier next.
"ssh_api.c", line 470.51: 1506-277 (S) Syntax error: possible missing ';' or ','?
"ssh_api.c", line 505.53: 1506-045 (S) Undeclared identifier next.
"ssh_api.c", line 505.59: 1506-277 (S) Syntax error: possible missing ';' or ','?
make: 1254-004 The error code from the last command is 1.

On Thu, Feb 19, 2015 at 2:21 PM, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
> [...]

-- 
# include
/* Kevin Brott */
From: kevin.brott at gmail.com (Kevin Brott) Date: Mon, 23 Feb 2015 13:31:26 -0800 Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: Message-ID: Neglected to mention - this is using openssh-SNAP-20150224.tar.gz On Mon, Feb 23, 2015 at 1:28 PM, Kevin Brott wrote: > Stock - Debian GNU/Linux 7.8 (wheezy) - all tests passed > > > build failure on: > * AIX 6.1 (6100-09-03-1415) IBM XL C/C++ Compiler (11.1.0.16) > * AIX 7.1 (7100-03-04-1441) IBM XL C/C++ Compiler (12.1.0.6) > > ./configure && make tests > > ... > > xlc_r -g -I. -I. -DSSHDIR=\"/usr/local/etc\" > -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" > -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" > -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" > -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" > -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" > -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" > -DHAVE_CONFIG_H -c ssh_api.c -o ssh_api.o > "ssh_api.c", line 143.19: 1506-068 (W) Operation between types "struct > key_entry*" and "int" is not allowed. > "ssh_api.c", line 149.19: 1506-068 (W) Operation between types "struct > key_entry*" and "int" is not allowed. > "ssh_api.c", line 440.45: 1506-045 (S) Undeclared identifier next. > "ssh_api.c", line 440.51: 1506-277 (S) Syntax error: possible missing ';' > or ','? > "ssh_api.c", line 455.46: 1506-045 (S) Undeclared identifier next. > "ssh_api.c", line 455.52: 1506-277 (S) Syntax error: possible missing ';' > or ','? > "ssh_api.c", line 470.45: 1506-045 (S) Undeclared identifier next. > "ssh_api.c", line 470.51: 1506-277 (S) Syntax error: possible missing ';' > or ','? > "ssh_api.c", line 505.53: 1506-045 (S) Undeclared identifier next. > "ssh_api.c", line 505.59: 1506-277 (S) Syntax error: possible missing ';' > or ','? > make: 1254-004 The error code from the last command is 1. 
> > > > On Thu, Feb 19, 2015 at 2:21 PM, Damien Miller wrote: > >> Hi, >> >> OpenSSH 6.8 is almost ready for release, so we would appreciate testing >> on as many platforms and systems as possible. This release contains >> some substantial new features and a number of bugfixes. >> >> Snapshot releases for portable OpenSSH are available from >> http://www.mindrot.org/openssh_snap/ >> >> The OpenBSD version is available in CVS HEAD: >> http://www.openbsd.org/anoncvs.html >> >> Portable OpenSSH is also available via anonymous CVS using the >> instructions at http://www.openssh.com/portable.html#cvs or >> via Git at https://anongit.mindrot.org/openssh.git/ >> >> Running the regression tests supplied with Portable OpenSSH does not >> require installation and is a simply: >> >> $ ./configure && make tests >> >> Live testing on suitable non-production systems is also >> appreciated. Please send reports of success or failure to >> openssh-unix-dev at mindrot.org. >> >> Below is a summary of changes. More detail may be found in the ChangeLog >> in the portable OpenSSH tarballs. >> >> Thanks to the many people who contributed to this release. >> >> Changes since OpenSSH 6.7 >> ========================= >> >> This is a major release, containing a number of new features as >> well as a large internal re-factoring. >> >> Potentially-incompatible changes >> -------------------------------- >> >> * sshd(8): UseDNS now defaults to 'no'. Configurations that match >> against the client host name (via sshd_config or authorized_keys) >> may need to re-enable it or convert to matching against addresses. >> >> New Features >> ------------ >> >> * Much of OpenSSH's internal code has been re-factored to be more >> library-like. These changes are mostly not user-visible, but >> have greatly improved OpenSSH's testability and internal layout. 
>> >> * Add FingerprintHash option to ssh(1) and sshd(8), and equivalent >> command-line flags to the other tools to control algorithm used >> for key fingerprints. The default changes from MD5 to SHA256 and >> format from hex to base64. >> >> Fingerprints now have the hash algorithm prepended. An example of >> the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE >> Please note that visual host keys will also be different. >> >> * ssh(1), sshd(8): Host key rotation support. Add a protocol >> extension for a server to inform a client of all its available >> host keys after authentication has completed. The client may >> record the keys in known_hosts, allowing it to upgrade to better >> host key algorithms and a server to gracefully rotate its keys. >> >> The client side of this is controlled by a UpdateHostkeys config >> option (default on). >> >> * ssh(1): Add a ssh_config HostbasedKeyType option to control which >> host public key types are tried during host-based authentication. >> >> * ssh(1), sshd(8): fix connection-killing host key mismatch errors >> when sshd offers multiple ECDSA keys of different lengths. >> >> * ssh(1): when host name canonicalisation is enabled, try to >> parse host names as addresses before looking them up for >> canonicalisation. fixes bz#2074 and avoiding needless DNS >> lookups in some cases. >> >> * ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer >> require OpenSSH to be compiled with OpenSSL support. >> >> * ssh(1), ssh-keysign(8): Make ed25519 keys work for host based >> authentication. >> >> * sshd(8): SSH protocol v.1 workaround for the Meyer, et al, >> Bleichenbacher Side Channel Attack. Fake up a bignum key before >> RSA decryption. >> >> * sshd(8): Remember which public keys have been used for >> authentication and refuse to accept previously-used keys. >> This allows AuthenticationMethods=publickey,publickey to require >> that users authenticate using two _different_ public keys. 
>>
>> * sshd(8): add sshd_config HostbasedAcceptedKeyTypes and
>>   PubkeyAcceptedKeyTypes options to allow sshd to control what
>>   public key types will be accepted. Currently defaults to all.
>>
>> * sshd(8): Don't count partial authentication success as a failure
>>   against MaxAuthTries.
>>
>> * ssh(1): Add RevokedHostKeys option for the client to allow
>>   text-file or KRL-based revocation of host keys.
>>
>> * ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by
>>   serial number or key ID without scoping to a particular CA.
>>
>> * ssh(1): Add a "Match canonical" criteria that allows ssh_config
>>   Match blocks to trigger only in the second config pass.
>>
>> * ssh(1): Add a -G option to ssh that causes it to parse its
>>   configuration and dump the result to stdout, similar to "sshd -T".
>>
>> * ssh(1): Allow Match criteria to be negated. E.g. "Match !host".
>>
>> * The regression test suite has been extended to cover more OpenSSH
>>   features. The unit tests have been expanded and now cover key
>>   exchange.
>>
>> Bugfixes
>> --------
>>
>> * ssh-keyscan(1): ssh-keyscan has been made much more robust against
>>   servers that hang or violate the SSH protocol.
>>
>> * ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were
>>   being lost as comment fields.
>>
>> * ssh(1): Allow ssh_config Port options set in the second config
>>   parse phase to be applied (they were being ignored). bz#2286
>>
>> * ssh(1): Tweak config re-parsing with host canonicalisation - make
>>   the second pass through the config files always run when host name
>>   canonicalisation is enabled (and not whenever the host name
>>   changes) bz#2267
>>
>> * ssh(1): Fix passing of wildcard forward bind addresses when
>>   connection multiplexing is in use; bz#2324;
>>
>> * ssh-keygen(1): Fix broken private key conversion from non-OpenSSH
>>   formats; bz#2345.
>>
>> * ssh-keygen(1): Fix KRL generation bug when multiple CAs are in
>>   use.
>>
>> * Various fixes to manual pages: bz#2288, bz#2316, bz#2273
>>
>> Portable OpenSSH
>> ----------------
>>
>> * Support --without-openssl at configure time
>>
>>   Disables and removes dependency on OpenSSL. Many features,
>>   including SSH protocol 1 are not supported and the set of crypto
>>   options is greatly restricted. This will only work on systems with
>>   native arc4random or /dev/urandom.
>>
>>   Considered highly experimental for now.
>>
>> * Support --without-ssh1 option at configure time
>>
>>   Allows disabling support for SSH protocol 1.
>>
>>   Still experimental - not all regression and unit tests have
>>   been adapted for the absence of SSH protocol 1.
>>
>> * sshd(8): Fix compilation on systems with IPv6 support in utmpx; bz#2296
>>
>> * Allow custom service name for sshd on Cygwin. Permits the use of
>>   multiple sshd running with different service names.
>>
>> Reporting Bugs:
>> ===============
>>
>> - Please read http://www.openssh.com/report.html
>>   Security bugs should be reported directly to openssh at openssh.com
>>
>> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
>> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
>> Ben Lindstrom.
>>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>
>
> --
> # include
> /* Kevin Brott */

--
# include
/* Kevin Brott */

From djm at mindrot.org Tue Feb 24 09:05:37 2015
From: djm at mindrot.org (Damien Miller)
Date: Tue, 24 Feb 2015 09:05:37 +1100 (AEDT)
Subject: Call for testing: OpenSSH 6.8
In-Reply-To: <54EB9A20.4080102@jupiterrise.com>
References: <54EB7DCE.5080708@jupiterrise.com> <54EB9A20.4080102@jupiterrise.com>
Message-ID:

On Mon, 23 Feb 2015, Tom G. Christensen wrote:

> On 23/02/15 20:31, Damien Miller wrote:
> > Thanks - I just committed a fix:
> >
>
> Thanks, unfortunately you missed the one in packet.h.
>
> In file included from ssh_api.h:31:0,
>                  from ssh_api.c:21:
> packet.h:38:23: fatal error: sys/queue.h: No such file or directory
>  #include
>                        ^
> compilation terminated.
> gmake: *** [ssh_api.o] Error 1
>
> Fixing that I run into the missing sig_atomic_t that I see you posted a patch
> for earlier.
>
> Next issue is unconditional include of in xmalloc.c:
> xmalloc.c:19:20: error: stdint.h: No such file or directory
>
> Solaris < 10 does not have stdint.h, it actually only fails on Solaris 2.6
> because it is limited to gcc 4.3.6 which does not provide a stdint.h
> replacement (this was introduced with gcc 4.4).

Thanks - I just committed fixes for both of these

-d

From djm at mindrot.org Tue Feb 24 09:07:01 2015
From: djm at mindrot.org (Damien Miller)
Date: Tue, 24 Feb 2015 09:07:01 +1100 (AEDT)
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

On Mon, 23 Feb 2015, Kevin Brott wrote:

> Stock - Debian GNU/Linux 7.8 (wheezy) - all tests passed
>
>
> build failure on:
> * AIX 6.1 (6100-09-03-1415) IBM XL C/C++ Compiler (11.1.0.16)
> * AIX 7.1 (7100-03-04-1441) IBM XL C/C++ Compiler (12.1.0.6)
>
> ./configure && make tests
>
> -DHAVE_CONFIG_H -c ssh_api.c -o ssh_api.o
> "ssh_api.c", line 143.19: 1506-068 (W) Operation between types "struct

The last lot of include fixes (sys/queue.h -> local sys-queue.h) should
fix this.

Thanks

-d

From kevin.brott at gmail.com Tue Feb 24 09:27:52 2015
From: kevin.brott at gmail.com (Kevin Brott)
Date: Mon, 23 Feb 2015 14:27:52 -0800
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

Just as an FYI - the whole sys/queue.h issue is impacting HP-UX 11.23 and
11.31 as well - so we'll see how the latest fixes flush out.

And, not to play the fool overmuch - but is there a quick howto on how
you're expecting we get the git clone pulls into a buildable state? When I
do my usual ...

$ aclocal && automake --gnu --add-missing && autoconf

I get this:

configure.ac: no proper invocation of AM_INIT_AUTOMAKE was found.
configure.ac: You should verify that configure.ac invokes AM_INIT_AUTOMAKE,
configure.ac: that aclocal.m4 is present in the top-level directory,
configure.ac: and that aclocal.m4 was recently regenerated (using aclocal).
automake: no `Makefile.am' found for any configure output

On Mon, Feb 23, 2015 at 2:07 PM, Damien Miller wrote:

> On Mon, 23 Feb 2015, Kevin Brott wrote:
>
> > Stock - Debian GNU/Linux 7.8 (wheezy) - all tests passed
> >
> >
> > build failure on:
> > * AIX 6.1 (6100-09-03-1415) IBM XL C/C++ Compiler (11.1.0.16)
> > * AIX 7.1 (7100-03-04-1441) IBM XL C/C++ Compiler (12.1.0.6)
> >
> > ./configure && make tests
> >
> > -DHAVE_CONFIG_H -c ssh_api.c -o ssh_api.o
> > "ssh_api.c", line 143.19: 1506-068 (W) Operation between types "struct
>
> The last lot of include fixes (sys/queue.h -> local sys-queue.h) should
> fix this.
>
> Thanks
>
> -d
>

--
# include
/* Kevin Brott */

From djm at mindrot.org Tue Feb 24 09:33:31 2015
From: djm at mindrot.org (Damien Miller)
Date: Tue, 24 Feb 2015 09:33:31 +1100 (AEDT)
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

On Mon, 23 Feb 2015, Kevin Brott wrote:

>
> Just as an FYI - the whole sys/queue.h issue is impacting HP-UX 11.23 and
> 11.31 as well - so we'll see how the latest fixes flush out.
>
> And, not to play the fool overmuch - but is there a quick howto on how
> you're expecting we get the git clone pulls into a buildable state? When I
> do my usual ...
>
> $ aclocal && automake --gnu --add-missing && autoconf

we don't use automake - I just run "autoreconf"

From dtucker at zip.com.au Tue Feb 24 09:32:18 2015
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 23 Feb 2015 17:32:18 -0500
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

On Mon, Feb 23, 2015 at 5:27 PM, Kevin Brott wrote:

> Just as an FYI - the whole sys/queue.h issue is impacting HP-UX 11.23 and
> 11.31 as well - so we'll see how the latest fixes flush out.
>
> And, not to play the fool overmuch - but is there a quick howto on how
> you're expecting we get the git clone pulls into a buildable state? When I
> do my usual ...
>
> $ aclocal && automake --gnu --add-missing && autoconf
>

All I normally do is "autoreconf".

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From tim at multitalents.net Tue Feb 24 09:41:33 2015
From: tim at multitalents.net (Tim Rice)
Date: Mon, 23 Feb 2015 14:41:33 -0800 (PST)
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

On Tue, 24 Feb 2015, Damien Miller wrote:

> > Have to manually edit 'config.h':
> >
> > diff config.h.orig config.h
> > 783c783
> > < #define HAVE_MKDTEMP 1
> > ---
> > > /* #undef HAVE_MKDTEMP */
> >
> > as Solaris does not have 'mkdtemp'.
>
> That's strange - it's finding it somewhere. Could I ask you to rummage
> through config.log to see what it is detecting?

Actually it does have mkdtemp, it's in libc.
.....
tim(trr)@boomerang 1% who_defines mkdtemp
Searching /usr/lib/ld.so
nm: /usr/lib/ld.so: invalid file type
/usr/lib/libc.so: mkdtemp
/usr/lib/libc.so.1: linked to /usr/lib/libc.so
/opt/lib/libgettextlib-0.17.so: mkdtemp
tim(trr)@boomerang 2% uname -a 1
SunOS boomerang 5.10 Generic_148888-03 sun4u sparc SUNW,UltraAX-i2
tim(trr)@boomerang 3%
.....

--
Tim Rice				Multitalents
tim at multitalents.net

From kevin.brott at gmail.com Tue Feb 24 09:54:22 2015
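Review bot: hand-editing config.h to turn `#define HAVE_MKDTEMP 1` into `/* #undef HAVE_MKDTEMP */` masks the detection result rather than fixing it, and the reply above shows the detection was right: `who_defines mkdtemp` finds the symbol in /usr/lib/libc.so on this Solaris 10 box. The original build failure that prompted the edit should therefore be traced through config.log, as asked in the quoted message, instead of being papered over with a manual undef that the next configure run will overwrite.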
From: kevin.brott at gmail.com (Kevin Brott)
Date: Mon, 23 Feb 2015 14:54:22 -0800
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

Hrm - I'll have to run this on one of my linux boxxen and then schlep the
source over - the AIX/HP-UX boxen have an older version of the autoconf
tools and autoreconf is broken/missing ... and that seems to work.

Now the build fails here on AIX 6.1/7.1 ...

xlc_r -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include -I. -I. -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c nchan.c -o nchan.o
"/usr/include/sys/queue.h", line 103.9: 1506-236 (W) Macro name LIST_INIT has been redefined.
"/usr/include/sys/queue.h", line 103.9: 1506-358 (I) "LIST_INIT" is defined on line 287 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 107.9: 1506-236 (W) Macro name LIST_INSERT_AFTER has been redefined.
"/usr/include/sys/queue.h", line 107.9: 1506-358 (I) "LIST_INSERT_AFTER" is defined on line 291 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 115.9: 1506-236 (W) Macro name LIST_INSERT_HEAD has been redefined.
"/usr/include/sys/queue.h", line 115.9: 1506-358 (I) "LIST_INSERT_HEAD" is defined on line 306 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 122.9: 1506-236 (W) Macro name LIST_REMOVE has been redefined.
"/usr/include/sys/queue.h", line 122.9: 1506-358 (I) "LIST_REMOVE" is defined on line 313 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 147.9: 1506-236 (W) Macro name TAILQ_INIT has been redefined.
"/usr/include/sys/queue.h", line 147.9: 1506-358 (I) "TAILQ_INIT" is defined on line 462 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 152.9: 1506-236 (W) Macro name TAILQ_INSERT_HEAD has been redefined.
"/usr/include/sys/queue.h", line 152.9: 1506-358 (I) "TAILQ_INSERT_HEAD" is defined on line 467 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 162.9: 1506-236 (W) Macro name TAILQ_INSERT_TAIL has been redefined.
"/usr/include/sys/queue.h", line 162.9: 1506-358 (I) "TAILQ_INSERT_TAIL" is defined on line 477 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 169.9: 1506-236 (W) Macro name TAILQ_INSERT_AFTER has been redefined.
"/usr/include/sys/queue.h", line 169.9: 1506-358 (I) "TAILQ_INSERT_AFTER" is defined on line 484 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 179.9: 1506-236 (W) Macro name TAILQ_INSERT_BEFORE has been redefined.
"/usr/include/sys/queue.h", line 179.9: 1506-358 (I) "TAILQ_INSERT_BEFORE" is defined on line 494 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 186.9: 1506-236 (W) Macro name TAILQ_REMOVE has been redefined.
"/usr/include/sys/queue.h", line 186.9: 1506-358 (I) "TAILQ_REMOVE" is defined on line 501 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 213.9: 1506-236 (W) Macro name CIRCLEQ_INIT has been redefined.
"/usr/include/sys/queue.h", line 213.9: 1506-358 (I) "CIRCLEQ_INIT" is defined on line 578 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 218.9: 1506-236 (W) Macro name CIRCLEQ_INSERT_AFTER has been redefined.
"/usr/include/sys/queue.h", line 218.9: 1506-358 (I) "CIRCLEQ_INSERT_AFTER" is defined on line 583 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 228.9: 1506-236 (W) Macro name CIRCLEQ_INSERT_BEFORE has been redefined.
"/usr/include/sys/queue.h", line 228.9: 1506-358 (I) "CIRCLEQ_INSERT_BEFORE" is defined on line 593 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 238.9: 1506-236 (W) Macro name CIRCLEQ_INSERT_HEAD has been redefined.
"/usr/include/sys/queue.h", line 238.9: 1506-358 (I) "CIRCLEQ_INSERT_HEAD" is defined on line 603 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 248.9: 1506-236 (W) Macro name CIRCLEQ_INSERT_TAIL has been redefined.
"/usr/include/sys/queue.h", line 248.9: 1506-358 (I) "CIRCLEQ_INSERT_TAIL" is defined on line 613 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 258.9: 1506-236 (W) Macro name CIRCLEQ_REMOVE has been redefined.
"/usr/include/sys/queue.h", line 258.9: 1506-358 (I) "CIRCLEQ_REMOVE" is defined on line 623 of openbsd-compat/sys-queue.h.
xlc_r -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include -I. -I. -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c packet.c -o packet.o
"/usr/include/openssl/objects.h", line 1009.31: 1506-275 (S) Unexpected text free_func encountered.
"/usr/include/sys/queue.h", line 103.9: 1506-236 (W) Macro name LIST_INIT has been redefined.
"/usr/include/sys/queue.h", line 103.9: 1506-358 (I) "LIST_INIT" is defined on line 287 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 107.9: 1506-236 (W) Macro name LIST_INSERT_AFTER has been redefined.
"/usr/include/sys/queue.h", line 107.9: 1506-358 (I) "LIST_INSERT_AFTER" is defined on line 291 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 115.9: 1506-236 (W) Macro name LIST_INSERT_HEAD has been redefined.
"/usr/include/sys/queue.h", line 115.9: 1506-358 (I) "LIST_INSERT_HEAD" is defined on line 306 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 122.9: 1506-236 (W) Macro name LIST_REMOVE has been redefined.
"/usr/include/sys/queue.h", line 122.9: 1506-358 (I) "LIST_REMOVE" is defined on line 313 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 147.9: 1506-236 (W) Macro name TAILQ_INIT has been redefined.
"/usr/include/sys/queue.h", line 147.9: 1506-358 (I) "TAILQ_INIT" is defined on line 462 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 152.9: 1506-236 (W) Macro name TAILQ_INSERT_HEAD has been redefined.
"/usr/include/sys/queue.h", line 152.9: 1506-358 (I) "TAILQ_INSERT_HEAD" is defined on line 467 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 162.9: 1506-236 (W) Macro name TAILQ_INSERT_TAIL has been redefined.
"/usr/include/sys/queue.h", line 162.9: 1506-358 (I) "TAILQ_INSERT_TAIL" is defined on line 477 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 169.9: 1506-236 (W) Macro name TAILQ_INSERT_AFTER has been redefined.
"/usr/include/sys/queue.h", line 169.9: 1506-358 (I) "TAILQ_INSERT_AFTER" is defined on line 484 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 179.9: 1506-236 (W) Macro name TAILQ_INSERT_BEFORE has been redefined.
"/usr/include/sys/queue.h", line 179.9: 1506-358 (I) "TAILQ_INSERT_BEFORE" is defined on line 494 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 186.9: 1506-236 (W) Macro name TAILQ_REMOVE has been redefined.
"/usr/include/sys/queue.h", line 186.9: 1506-358 (I) "TAILQ_REMOVE" is defined on line 501 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 213.9: 1506-236 (W) Macro name CIRCLEQ_INIT has been redefined.
"/usr/include/sys/queue.h", line 213.9: 1506-358 (I) "CIRCLEQ_INIT" is defined on line 578 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 218.9: 1506-236 (W) Macro name CIRCLEQ_INSERT_AFTER has been redefined.
"/usr/include/sys/queue.h", line 218.9: 1506-358 (I) "CIRCLEQ_INSERT_AFTER" is defined on line 583 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 228.9: 1506-236 (W) Macro name CIRCLEQ_INSERT_BEFORE has been redefined.
"/usr/include/sys/queue.h", line 228.9: 1506-358 (I) "CIRCLEQ_INSERT_BEFORE" is defined on line 593 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 238.9: 1506-236 (W) Macro name CIRCLEQ_INSERT_HEAD has been redefined.
"/usr/include/sys/queue.h", line 238.9: 1506-358 (I) "CIRCLEQ_INSERT_HEAD" is defined on line 603 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 248.9: 1506-236 (W) Macro name CIRCLEQ_INSERT_TAIL has been redefined.
"/usr/include/sys/queue.h", line 248.9: 1506-358 (I) "CIRCLEQ_INSERT_TAIL" is defined on line 613 of openbsd-compat/sys-queue.h.
"/usr/include/sys/queue.h", line 258.9: 1506-236 (W) Macro name CIRCLEQ_REMOVE has been redefined.
"/usr/include/sys/queue.h", line 258.9: 1506-358 (I) "CIRCLEQ_REMOVE" is defined on line 623 of openbsd-compat/sys-queue.h.
make: 1254-004 The error code from the last command is 1.

On HP-UX 11.23 and 11.31 it fails here still:
...
cc -O2 -Ae -I. -I. -I/opt/phs/include -I/usr/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c ssh_api.c -o ssh_api.o
"packet.h", line 38: error #3696-D: cannot open source file "sys/queue.h"
  #include
          ^

1 error detected in the compilation of "ssh_api.c".
*** Error exit code 2

On Mon, Feb 23, 2015 at 2:32 PM, Darren Tucker wrote:

> On Mon, Feb 23, 2015 at 5:27 PM, Kevin Brott
> wrote:
>
>> Just as an FYI - the whole sys/queue.h issue is impacting HP-UX 11.23 and
>> 11.31 as well - so we'll see how the latest fixes flush out.
>>
>> And, not to play the fool overmuch - but is there a quick howto on how
>> you're expecting we get the git clone pulls into a buildable state? When
>> I
>> do my usual ...
>>
>> $ aclocal && automake --gnu --add-missing && autoconf
>>
>
> All I normally do is "autoreconf".
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>

--
# include
/* Kevin Brott */

From calestyo at scientia.net Tue Feb 24 10:02:10 2015
From: calestyo at scientia.net (Christoph Anton Mitterer)
Date: Tue, 24 Feb 2015 00:02:10 +0100
Subject: help with negative patterns in Match
Message-ID: <1424732530.4662.40.camel@scientia.net>

Hey.

Perhaps someone can help me with the following (OpenSSH 6.7):

I have a host reachable via miscellaneous interfaces (and network
addresses) running SSH.

Some specific users should be only reachable from the inside, so I thought
e.g. something like this would do the job in sshd_config:

#general config
#...

Match User foo LocalAddress 10.0.0.1,fe80:abba::0
        PasswordAuthentication no
        KbdInteractiveAuthentication no
        RhostsRSAAuthentication no
        HostbasedAuthentication no
        KerberosAuthentication no
        GSSAPIAuthentication no
        RSAAuthentication no
        PubkeyAuthentication yes

Match User foo LocalAddress !10.0.0.1,!fe80:abba::0
        PasswordAuthentication no
        KbdInteractiveAuthentication no
        RhostsRSAAuthentication no
        HostbasedAuthentication no
        KerberosAuthentication no
        GSSAPIAuthentication no
        RSAAuthentication no
        PubkeyAuthentication no

But apparently it never goes into the negative matching block :-(

Also, it seems that hostnames can generally not be used with
LocalAddress,.. is this expected? Cause that would be kinda nice.

Thanks,
Chris.

From djm at mindrot.org Tue Feb 24 10:12:22 2015
From: djm at mindrot.org (Damien Miller)
Date: Tue, 24 Feb 2015 10:12:22 +1100 (AEDT)
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

On Mon, 23 Feb 2015, Kevin Brott wrote:

> Hrm - I'll have to run this on one of my linux boxxen and then schlep the
> source over - the AIX/HP-UX boxen have an older version of the autoconf
> tools and autoreconf is broken/missing ... and that seems to work.
>
> Now the build fails here on AIX 6.1/7.1 ...
>
> xlc_r -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include -I.
> -I. -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include
> -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\"
> -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\"
> -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\"
> -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\"
> -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\"
> -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\"
> -DHAVE_CONFIG_H -c nchan.c -o nchan.o
> "/usr/include/sys/queue.h", line 103.9: 1506-236 (W) Macro name LIST_INIT
> has been redefined.
> "/usr/include/sys/queue.h", line 103.9: 1506-358 (I) "LIST_INIT" is defined
> on line 287 of openbsd-compat/sys-queue.h.

hm, are you sure you have pulled the latest source? AFAIK I have
fixed all the sys/queue.h inclusions. Maybe some system header is
pulling it too (if so, which?)

From djm at mindrot.org Tue Feb 24 10:15:01 2015
From: djm at mindrot.org (Damien Miller)
Date: Tue, 24 Feb 2015 10:15:01 +1100 (AEDT)
Subject: help with negative patterns in Match
In-Reply-To: <1424732530.4662.40.camel@scientia.net>
References: <1424732530.4662.40.camel@scientia.net>
Message-ID:

On Tue, 24 Feb 2015, Christoph Anton Mitterer wrote:

> Hey.
>
> Perhaps someone can help me with the following (OpenSSH 6.7):
>
> I have a host reachable via miscellaneous interfaces (and network
> addresses) running SSH.
>
> Some specific users should be only reachable from the inside, so e.g.
> though something like this would do the job in sshd_config:
>
> #general config
> #...
>
> Match User foo LocalAddress 10.0.0.1,fe80:abba::0
>         PasswordAuthentication no
>         KbdInteractiveAuthentication no
>         RhostsRSAAuthentication no
>         HostbasedAuthentication no
>         KerberosAuthentication no
>         GSSAPIAuthentication no
>         RSAAuthentication no
>         PubkeyAuthentication yes
>
> Match User foo LocalAddress !10.0.0.1,!fe80:abba::0

with HEAD you can do:

Match user foo !localaddress 10.0.0.1...

otherwise you need to have at least one matching term in the predicate, e.g.

Match User foo LocalAddress *,!10.0.0.1,!fe80:abba::0

> But apparently it never goes into the negative matching block :-(
>
> Also, it seems that hostnames can generally not be used with
> LocalAddress,.. is this expected? Cause that would be kinda nice.

Yes, it's expected - we don't do DNS lookups there. I don't think we want
to either.

-d

From jamie.beverly at yahoo.com Tue Feb 24 10:13:52 2015
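The reply above turns on how sshd evaluates a comma-separated pattern list: an entry written with a leading "!" can only veto, so a list made only of negated entries never matches anything, which is why Christoph's second Match block is never entered. The script below is an added example, not code from the thread or from OpenSSH; it models that rule in POSIX sh (wildcard patterns only, no CIDR, and not the newer "!localaddress" criterion negation) and evaluates the thread's two predicates plus the "*,!..." form against a few local addresses. The function names and the outside address 203.0.113.7 are constructed for the example.

```shell
#!/bin/sh
# Added example, not OpenSSH code: a POSIX-sh model of how sshd decides
# whether a comma-separated pattern list (here the LocalAddress argument
# of a Match line) matches a value. The rule modelled: an entry with a
# leading "!" can only reject; if it matches, the whole list fails at
# once, and the list matches only if some non-negated entry matched.
# Wildcards only; CIDR entries are not modelled.
match_pattern_list() {
    value=$1
    list=$2
    matched=1                   # shell false until a positive entry matches
    set -f                      # no pathname expansion while splitting on commas
    oldifs=$IFS
    IFS=,
    set -- $list
    IFS=$oldifs
    set +f
    for pat in "$@"; do
        negate=0
        case $pat in
            !*) negate=1; pat=${pat#!} ;;
        esac
        case $value in
            $pat)
                if [ "$negate" -eq 1 ]; then
                    return 1    # a matching negated entry vetoes the list
                fi
                matched=0 ;;    # remember the positive hit, keep scanning
        esac
    done
    return $matched
}

# Which block from the thread would apply to a connection arriving on the
# given local address? Prints "inside", "outside" or "none". The second
# predicate is the all-negated list from the question and can never be
# true; the third is the form from the reply, with a positive "*" first.
which_block() {
    addr=$1
    if match_pattern_list "$addr" '10.0.0.1,fe80:abba::0'; then
        echo inside
    elif match_pattern_list "$addr" '!10.0.0.1,!fe80:abba::0'; then
        echo never              # unreachable: no positive entry in the list
    elif match_pattern_list "$addr" '*,!10.0.0.1,!fe80:abba::0'; then
        echo outside
    else
        echo none
    fi
}

# 203.0.113.7 is a constructed example of an externally reachable address.
for a in 10.0.0.1 fe80:abba::0 203.0.113.7; do
    printf '%-14s -> %s\n' "$a" "$(which_block "$a")"
done
```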
From: jamie.beverly at yahoo.com (Jamie Beverly)
Date: Mon, 23 Feb 2015 23:13:52 +0000 (UTC)
Subject: Using confirmation of key usage per-host?
In-Reply-To: <54EB8767.2000601@taltos.org>
References: <54EB8767.2000601@taltos.org>
Message-ID: <1462457475.4790432.1424733232022.JavaMail.yahoo@mail.yahoo.com>

I have a script I've used over the years for precisely this kind of
wizardry. https://github.com/jbeverly/ssh_client_cmdline

The one example in bin does what CanonicalizeHostname basically does now; I
don't have the agent flipping one up in git (perhaps I'll push it when I get
home)

Figured I'd mention it in case it turned out to be handy.

On Monday, February 23, 2015 12:50 PM, Carson Gaspar wrote:

On 2/23/15 11:45 AM, Johannes Kastl wrote:
> Assume there is a workstation, which connects to multiple machines,
> one of which is considered potentially unsafe. So, it would be nice to
> have agent forwarding to that machine combined with the confirmation
> option of ssh-add (-c). If the 'forwarded key' is used on this
> machine, the user is prompted on the workstation. An intruder cannot
> use the authentication information without the user knowing (at least
> that is how I understood the idea of agent confirmation).
>
> Using ssh-add -c on the workstation together with setting
> 'ForwardAgent=yes' in the .ssh/config achieves the desired behaviour.
>
> Unfortunately, this means the user is asked for confirmation, each
> time the key is used. Even if it is just to connect to a safe machine
> or without agent forwarding.
>
> Question:
> Is it possible to just get asked for confirmation, when the key is
> used on a machine, to which agent forwarding is used? Can this be set
> on a per-host-basis, like enabling/disabling agent forwarding in
> .ssh/config?

You'll need to run 2 agents if you want different agent behaviour. Sadly I
don't know of any way to select which agent gets used in ssh_config - you'd
also have to wrap ssh to flip the SSH_AUTH_SOCK env var.
--
Carson

From kevin.brott at gmail.com Tue Feb 24 11:17:37 2015
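Carson's two-agent approach, as an added example that is not part of the original posts or of OpenSSH: one agent loaded with "ssh-add -c" (confirmation on every use), one loaded without, and a small sh wrapper that points SSH_AUTH_SOCK at the confirming agent only for destinations that match an untrusted-host list. The socket paths, the host patterns and the function names (start_agents, agent_sock_for, agent_ssh) are constructed for the example; ssh-agent -a and ssh-add -c are real options.

```shell
#!/bin/sh
# Added example (not code from the thread or from OpenSSH): run two agents
# and flip SSH_AUTH_SOCK per destination host, so that key-use confirmation
# is only demanded when the forwarded agent reaches an untrusted machine.
# Socket paths and host names below are constructed placeholders.

CONFIRM_SOCK=${CONFIRM_SOCK:-$HOME/.ssh/agent-confirm.sock}   # keys added with ssh-add -c
PLAIN_SOCK=${PLAIN_SOCK:-$HOME/.ssh/agent-plain.sock}         # keys added without -c

# Space-separated glob patterns for hosts that must go through the
# confirming agent (constructed example list).
UNTRUSTED_HOSTS=${UNTRUSTED_HOSTS:-"*.dmz.example.net untrusted-*.example.org"}

# Start both agents on fixed sockets (ssh-agent -a binds the socket) and
# load the same key into each; only the confirming agent gets -c.
start_agents() {
    key=${1:-$HOME/.ssh/id_ed25519}
    rm -f "$CONFIRM_SOCK" "$PLAIN_SOCK"
    ssh-agent -a "$CONFIRM_SOCK" >/dev/null
    ssh-agent -a "$PLAIN_SOCK" >/dev/null
    SSH_AUTH_SOCK=$CONFIRM_SOCK ssh-add -c "$key"
    SSH_AUTH_SOCK=$PLAIN_SOCK ssh-add "$key"
}

# Print the agent socket a destination ("host" or "user@host") should use.
# Runs in a subshell so "set -f" (no pathname expansion of the patterns)
# does not leak into the caller.
agent_sock_for() (
    set -f
    host=${1#*@}
    for pat in $UNTRUSTED_HOSTS; do
        case $host in
            $pat) printf '%s\n' "$CONFIRM_SOCK"; return 0 ;;
        esac
    done
    printf '%s\n' "$PLAIN_SOCK"
)

# Wrapper: agent_ssh destination [ssh options...]. The destination is taken
# as the first argument so ssh's option syntax need not be re-parsed here;
# whether the agent is forwarded at all still comes from ForwardAgent in
# ssh_config, this only decides which agent is forwarded.
agent_ssh() {
    SSH_AUTH_SOCK=$(agent_sock_for "$1") ssh "$@"
}
```

Source the file once per session, run start_agents, and use agent_ssh in place of ssh; connections to hosts outside UNTRUSTED_HOSTS never trigger the confirmation prompt.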
From: kevin.brott at gmail.com (Kevin Brott)
Date: Mon, 23 Feb 2015 16:17:37 -0800
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

Hrm - must have been a timing issue or my user error. In any case, just
pulled the latest commits ...

*AIX 6.1/7.1 now fails here:*
*...*
xlc_r -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include -I. -I. -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c packet.c -o packet.o
"/usr/include/openssl/objects.h", line 1009.31: 1506-275 (S) Unexpected text free_func encountered.
make: 1254-004 The error code from the last command is 1.

*HP-UX 11.23/11.31 fail here:*
*...*
cc -O2 -Ae -I. -I. -I/opt/phs/include -I/opt/gnome/include -I/usr/include -I/opt/gtk2.6/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c cipher-aesctr.c -o cipher-aesctr.o
"cipher-aesctr.c", line 30: warning #2260-D: explicit type is missing ("int" assumed)
  static __inline__ void
  ^

"cipher-aesctr.c", line 30: error #2065: expected a ";"
  static __inline__ void
  ^

At end of source: warning #2012-D: parsing restarts here after previous syntax error

1 error detected in the compilation of "cipher-aesctr.c".
make: *** [cipher-aesctr.o] Error 2

On Mon, Feb 23, 2015 at 3:12 PM, Damien Miller wrote:

> On Mon, 23 Feb 2015, Kevin Brott wrote:
>
> > Hrm - I'll have to run this on one of my linux boxxen and then schlep the
> > source over - the AIX/HP-UX boxen have an older version of the autoconf
> > tools and autoreconf is broken/missing ... and that seems to work.
> >
> > Now the build fails here on AIX 6.1/7.1 ...
> >
> > xlc_r -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include -I.
> > -I. -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include
> > -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\"
> > -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\"
> > -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\"
> > -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\"
> > -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\"
> > -D_PATH_SSH_PIDDIR=\"/var/run\"
> -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\"
> > -DHAVE_CONFIG_H -c nchan.c -o nchan.o
> > "/usr/include/sys/queue.h", line 103.9: 1506-236 (W) Macro name LIST_INIT
> > has been redefined.
> > "/usr/include/sys/queue.h", line 103.9: 1506-358 (I) "LIST_INIT" is
> defined
> > on line 287 of openbsd-compat/sys-queue.h.
>
> hm, are you sure you have pulled the latest source? AFAIK I have
> fixed all the sys/queue.h inclusions. Maybe some system header is
> pulling it too (if so, which?)
>

--
# include
/* Kevin Brott */

From dtucker at zip.com.au Tue Feb 24 11:28:51 2015
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 24 Feb 2015 11:28:51 +1100
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID: <20150224002851.GA30328@gate.dtucker.net>

On Mon, Feb 23, 2015 at 04:17:37PM -0800, Kevin Brott wrote:
> Hrm - must have been a timing issue or my user error. In any case, just
> pulled the latest commits ...
>
> *AIX 6.1/7.1 now fails here:*
> *...*
> xlc_r -O2 -qarch=ppc -qalloca -I/usr/include
> -I/opt/freeware/include -I. -I. -O2 -qarch=ppc -qalloca -I/usr/include
> -I/opt/freeware/include -DSSHDIR=\"/usr/local/etc\"
> -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\"
> -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\"
> -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\"
> -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\"
> -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\"
> -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\"
> -DHAVE_CONFIG_H -c packet.c -o packet.o
> "/usr/include/openssl/objects.h", line 1009.31: 1506-275 (S) Unexpected
> text free_func encountered.
> make: 1254-004 The error code from the last command is 1.

I also ran into this on old GCCs. It seems to be related to include
orders although I don't understand why. On a hunch I tried this which
seems to fix it for me, but again I don't understand why... Does it also
help for you?

diff --git a/packet.c b/packet.c
index b1219c8..b15f02f 100644
--- a/packet.c
+++ b/packet.c
@@ -51,6 +51,8 @@ #include #include +#include + #include #include #include

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From tim at multitalents.net Tue Feb 24 11:33:53 2015
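Review bot: the new `+#include` in the packet.c hunk needs a comment next to it saying why it has to come before the other includes. The covering message states the objects.h `free_func` error depends on include order and that the reason is not understood, so a later tidy-up that sorts or merges the includes would silently bring the error back on old GCC and on AIX xlc (the compiler in the quoted report); a one-line comment above the added include naming those platforms keeps that from happening. Note also that the header name on the `+#include` line is not legible in this archive copy, so the hunk cannot be checked against the objects.h error as quoted.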
From: tim at multitalents.net (Tim Rice) Date: Mon, 23 Feb 2015 16:33:53 -0800 (PST) Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: <20150223203615.28784.qmail@stuge.se> Message-ID: On Tue, 24 Feb 2015, Damien Miller wrote: > On Mon, 23 Feb 2015, Peter Stuge wrote: > > > Darren Tucker wrote: > > > Question is: what to do? > > > c) make packet_disconnect a real function. > > > > I say c. > > yeah, stick it in opacket.c packet_send_debug too. ..... UX:acomp: ERROR: "/opt/src/networking/openssh/openssh/openbsd-compat/../opacket. h", line 105: syntax error in macro parameters UX:acomp: ERROR: "/opt/src/networking/openssh/openssh/openbsd-compat/../opacket. h", line 107: syntax error in macro parameters ..... -- Tim Rice Multitalents tim at multitalents.net From kevin.brott at gmail.com Tue Feb 24 11:41:33 2015 
From: kevin.brott at gmail.com (Kevin Brott) Date: Mon, 23 Feb 2015 16:41:33 -0800 Subject: Call for testing: OpenSSH 6.8 In-Reply-To: <20150224002851.GA30328@gate.dtucker.net> References: <20150224002851.GA30328@gate.dtucker.net> Message-ID: Yup - that cleared that hurdle ... now it dies here on AIX: xlc_r -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include -I. -I. -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/netcat ./regress/netcat.c -L. -Lopenbsd-compat/ -L/usr/lib -L/usr/ccs/lib -blibpath:/usr/lib:/lib -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz -lpthread "./regress/netcat.c", line 47.10: 1506-296 (S) #include file not found. "./regress/netcat.c", line 1334.10: 1506-296 (S) #include file not found. make: 1254-004 The error code from the last command is 1. Is this looking for openssl's err.h or something else? if the former, shouldn't this be , if the latter - not on this OS. On Mon, Feb 23, 2015 at 4:28 PM, Darren Tucker wrote: > On Mon, Feb 23, 2015 at 04:17:37PM -0800, Kevin Brott wrote: > > Hrm - must have been a timing issue or my user error. In any case, just > > pulled the latest commits ... > > > > *AIX 6.1/7.1 now fails here:* > > *...* > > xlc_r -O2 -qarch=ppc -qalloca -I/usr/include > > -I/opt/freeware/include -I. -I. 
-O2 -qarch=ppc -qalloca -I/usr/include > > -I/opt/freeware/include -DSSHDIR=\"/usr/local/etc\" > > -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" > > -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" > > -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" > > -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" > > -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" > > -D_PATH_SSH_PIDDIR=\"/var/run\" > -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" > > -DHAVE_CONFIG_H -c packet.c -o packet.o > > "/usr/include/openssl/objects.h", line 1009.31: 1506-275 (S) Unexpected > > text free_func encountered. > > make: 1254-004 The error code from the last command is 1. > > I also ran into this on old GCCs. It seems to be related to include > orders although I don't understand why. On a hunch I tried this which > seems to fix it for me, but again I don't understand why... > > Does it also help for you? > > diff --git a/packet.c b/packet.c > index b1219c8..b15f02f 100644 > --- a/packet.c > +++ b/packet.c > @@ -51,6 +51,8 @@ > #include > #include > > +#include > + > #include > #include > #include > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > -- # include /* Kevin Brott */ From djm at mindrot.org Tue Feb 24 11:53:01 2015 
From: djm at mindrot.org (Damien Miller) Date: Tue, 24 Feb 2015 11:53:01 +1100 (AEDT) Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: <20150224002851.GA30328@gate.dtucker.net> Message-ID: On Mon, 23 Feb 2015, Kevin Brott wrote: > > Yup - that cleared that hurdle ... now it dies here on AIX: > > xlc_r -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include > -I. -I. -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include > -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" > -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" > -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" > -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" > -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" > -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" > -DHAVE_CONFIG_H -o regress/netcat ./regress/netcat.c -L. -Lopenbsd-compat/ > -L/usr/lib -L/usr/ccs/lib -blibpath:/usr/lib:/lib -lssh -lopenbsd-compat > -lssh -lopenbsd-compat -lcrypto -lz -lpthread > "./regress/netcat.c", line 47.10: 1506-296 (S) #include file not > found. > "./regress/netcat.c", line 1334.10: 1506-296 (S) #include file not > found. > make: 1254-004 The error code from the last command is 1. > > Is this looking for openssl's err.h or something else? if the former, > shouldn't this be , if the latter - not on this OS. This should fix it: diff --git a/regress/netcat.c b/regress/netcat.c index 84efe11..4b8c51c 100644 --- a/regress/netcat.c +++ b/regress/netcat.c @@ -44,7 +44,6 @@ #include #include -#include #include #include #include 
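Review bot: this hunk removes only the include at regress/netcat.c line 47, but the xlc output quoted above reports the same "1506-296 (S) #include file not found" error at line 1334.10 as well, so the AIX build will still stop there until the second include of that header near line 1334 is removed or guarded in the same way.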
@@ -122,6 +121,47 @@ void usage(int); ssize_t drainbuf(int, unsigned char *, size_t *); ssize_t fillbuf(int, unsigned char *, size_t *); +static void err(int, const char *, ...) __attribute__((format(printf, 2, 3))); +static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3))); +static void warn(const char *, ...) __attribute__((format(printf, 1, 2))); + +static void +err(int r, const char *fmt, ...) +{ + va_list args; + + va_start(args, fmt); + fprintf(stderr, "%s: ", strerror(errno)); + vfprintf(stderr, fmt, args); + fputc('\n', stderr); + va_end(args); + exit(r); +} + +static void +errx(int r, const char *fmt, ...) +{ + va_list args; + + va_start(args, fmt); + vfprintf(stderr, fmt, args); + fputc('\n', stderr); + va_end(args); + exit(r); +} + +static void +warn(const char *fmt, ...) +{ + va_list args; + + va_start(args, fmt); + fprintf(stderr, "%s: ", strerror(errno)); + vfprintf(stderr, fmt, args); + fputc('\n', stderr); + va_end(args); +} + int main(int argc, char *argv[]) { From dtucker at zip.com.au Tue Feb 24 12:09:53 2015 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 24 Feb 2015 12:09:53 +1100 Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: <20150223203615.28784.qmail@stuge.se> Message-ID: <20150224010953.GB30328@gate.dtucker.net> On Mon, Feb 23, 2015 at 04:33:53PM -0800, Tim Rice wrote: > On Tue, 24 Feb 2015, Damien Miller wrote: > > > On Mon, 23 Feb 2015, Peter Stuge wrote: > > > > > Darren Tucker wrote: > > > > Question is: what to do? > > > > c) make packet_disconnect a real function. > > > > > > I say c. > > > > yeah, stick it in opacket.c > > packet_send_debug too. Yeah, ran in to that too. OKs? diff --git a/opacket.c b/opacket.c index dd443c3..ba10085 100644 --- a/opacket.c +++ b/opacket.c 
@@ -319,3 +319,27 @@ packet_read_expect(int expected_type) if ((r = ssh_packet_read_expect(active_state, expected_type)) != 0) sshpkt_fatal(active_state, __func__, r); } + +void +packet_disconnect(const char *fmt, ...) +{ + char buf[1024]; + va_list args; + + va_start(args, fmt); + vsnprintf(buf, sizeof(buf), fmt, args); + va_end(args); + ssh_packet_disconnect(active_state, "%s", buf); +} + +void +packet_send_debug(const char *fmt,...) +{ + char buf[1024]; + va_list args; + + va_start(args, fmt); + vsnprintf(buf, sizeof(buf), fmt, args); + va_end(args); + ssh_packet_send_debug(active_state, "%s", buf); +} diff --git a/opacket.h b/opacket.h index 16fcb9e..3e4d75e 100644 --- a/opacket.h +++ b/opacket.h @@ -102,10 +102,12 @@ void packet_read_expect(int expected_type); ssh_packet_get_string_ptr(active_state, (length_ptr)) #define packet_get_cstring(length_ptr) \ ssh_packet_get_cstring(active_state, (length_ptr)) -#define packet_send_debug(fmt, args...) \ - ssh_packet_send_debug(active_state, (fmt), ##args) -#define packet_disconnect(fmt, args...) \ - ssh_packet_disconnect(active_state, (fmt), ##args) +void packet_send_debug(const char *, ...) + __attribute__((format(printf, 1, 2))) + __attribute__((noreturn)); +void packet_disconnect(const char *, ...) + __attribute__((format(printf, 1, 2))) + __attribute__((noreturn)); #define packet_have_data_to_write() \ ssh_packet_have_data_to_write(active_state) #define packet_not_very_much_data_to_write() \ -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From calestyo at scientia.net Tue Feb 24 12:28:25 2015 
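Review bot: the opacket.h hunk marks packet_send_debug() as `__attribute__((noreturn))`, but the opacket.c definition above returns normally after ssh_packet_send_debug(); declaring a function noreturn and then returning from it is undefined behaviour, and GCC will drop the epilogue and warn that a "noreturn function does return". Only packet_disconnect() should carry noreturn, and only if ssh_packet_disconnect() is itself declared that way. A second, minor point: both wrappers format into a fixed `char buf[1024]` with vsnprintf() and forward "%s", so a longer message is silently truncated; that is fine for disconnect and debug text but deserves a comment so nobody later relies on the full string.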
From: calestyo at scientia.net (Christoph Anton Mitterer)
Date: Tue, 24 Feb 2015 02:28:25 +0100
Subject: help with negative patterns in Match
In-Reply-To:
References: <1424732530.4662.40.camel@scientia.net>
Message-ID: <1424741305.4662.46.camel@scientia.net>

On Tue, 2015-02-24 at 10:15 +1100, Damien Miller wrote:
> otherwise you need to have at least one matching term in the predicate, e.g.
> Match User foo LocalAddress *,!10.0.0.1,!fe80:abba::0

Ah,.. great :) Thanks a lot, that did the trick.

> > Also, it seems that hostnames can generally not be used with
> > LocalAddress,.. is this expected? Cause that would be kinda nice.

Well the nice part about that would be that one can use a hostname, which is e.g. set in /etc/hosts something like:
1.2.3.4 eth0.localhost
and use that in the ListenAddress and e.g. Match patterns. Now when the host moves to another address, all one has to do is exchange one entry in /etc/hosts, instead of many in other places =)

Cheers,
Chris.

From dtucker at zip.com.au Tue Feb 24 13:23:59 2015
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 24 Feb 2015 13:23:59 +1100
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID: <20150224022359.GA1419@gate.dtucker.net>

Next thing I ran into: fake-rfc2553 doesn't have AI_NUMERICSERV.

By my read it never attempts to return a non-numeric service so I think all that's needed is this. OK?

diff --git a/openbsd-compat/fake-rfc2553.h b/openbsd-compat/fake-rfc2553.h
index 3e9090f..6426f7b 100644
--- a/openbsd-compat/fake-rfc2553.h
+++ b/openbsd-compat/fake-rfc2553.h
@@ -109,6 +109,9 @@ struct sockaddr_in6 { #ifndef AI_NUMERICHOST # define AI_NUMERICHOST (1<<2) #endif +#ifndef AI_NUMERICSERV +# define AI_NUMERICSERV (1<<3) +#endif #ifndef NI_MAXSERV # define NI_MAXSERV 32 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From djm at mindrot.org Tue Feb 24 13:39:49 2015 From: djm at mindrot.org (Damien Miller) Date: Tue, 24 Feb 2015 13:39:49 +1100 (AEDT) Subject: Call for testing: OpenSSH 6.8 In-Reply-To: <20150224022359.GA1419@gate.dtucker.net> References: <20150224022359.GA1419@gate.dtucker.net> Message-ID: On Tue, 24 Feb 2015, Darren Tucker wrote: > Next thing I ran into: fake-rfc2553 doesn't have AI_NUMERICSERV. > > By my read it never attempts to return a non-numeric service so I think > all that's need is this. OK? well, getnameinfo always returns a numeric service name but AI_NUMERICSERV is for getaddrinfo. fortunately, we deal with this case too; getaddrinfo tries to parse the port numerically before getservbyname ok djm > diff --git a/openbsd-compat/fake-rfc2553.h b/openbsd-compat/fake-rfc2553.h > index 3e9090f..6426f7b 100644 > --- a/openbsd-compat/fake-rfc2553.h > +++ b/openbsd-compat/fake-rfc2553.h > @@ -109,6 +109,9 @@ struct sockaddr_in6 { > #ifndef AI_NUMERICHOST > # define AI_NUMERICHOST (1<<2) > #endif > +#ifndef AI_NUMERICSERV > +# define AI_NUMERICSERV (1<<3) > +#endif > > #ifndef NI_MAXSERV > # define NI_MAXSERV 32 > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > From tim at multitalents.net Tue Feb 24 17:52:46 2015 
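The negative-pattern behaviour Damien Miller describes in the "help with negative patterns in Match" exchange earlier in this digest (a predicate built only from negated terms never matches, so the list needs a positive term such as `*`) can be checked offline. The block below is an added example written for this page, not OpenSSH's own code; it re-implements in Python the list rules that sshd applies to Match Address/LocalAddress, modelled on OpenSSH's addrmatch.c: terms are comma-separated, each term is tried as a CIDR network first and falls back to a wildcard string match, a matching negated term rejects immediately, and the list matches only if some positive term matched. The function names, the numeric return convention and the sample addresses are this example's own choices.

```python
"""Emulation of sshd's Match Address/LocalAddress list evaluation.

Added example modelled on OpenSSH's addrmatch.c; not the project's code.
Return convention of addr_match_list():
   1  a positive term matched and no negated term did
   0  nothing matched (also for an address that does not parse)
  -1  a negated term matched
  -2  the list itself is invalid (empty term or inconsistent CIDR mask)
"""
import fnmatch
import ipaddress


def _parse_term(term):
    """Classify one list term: ('cidr', network), ('wild', pattern) or ('bad', None)."""
    try:
        # strict=True rejects host bits set in the address part (10.0.0.1/24)
        return "cidr", ipaddress.ip_network(term)
    except ValueError:
        pass
    try:
        ipaddress.ip_network(term, strict=False)
        return "bad", None          # valid CIDR syntax but mask inconsistent with address
    except ValueError:
        return "wild", term         # not an address at all: wildcard string pattern


def addr_match_list(addr, pattern_list):
    """Evaluate a comma-separated address list against one address string."""
    try:
        try_addr = ipaddress.ip_address(addr)
    except ValueError:
        return 0                    # an unparseable address never matches anything
    ret = 0
    for term in pattern_list.split(","):
        neg = term.startswith("!")
        if neg:
            term = term[1:]
        if term == "":
            return -2               # "foo,,bar" or a bare "!" is a config error
        kind, value = _parse_term(term)
        if kind == "bad":
            return -2
        if kind == "cidr":
            hit = try_addr in value  # False across address families (v4 vs v6)
        else:
            # fnmatch also understands [...] classes, which sshd's matcher does not;
            # for '*' and '?' patterns the behaviour is the same
            hit = fnmatch.fnmatchcase(addr, value)
        if hit:
            if neg:
                return -1           # a negated hit wins immediately
            ret = 1                 # remember that a positive term matched
    return ret


def match_local_address(laddr, pattern_list):
    """Boolean as the Match evaluation uses it: only a positive result (1) counts."""
    r = addr_match_list(laddr, pattern_list)
    if r == -2:
        raise ValueError("invalid address list: %r" % pattern_list)
    return r == 1


if __name__ == "__main__":
    # constructed sample addresses; the two lists are the ones from the thread
    for plist in ("!10.0.0.1", "*,!10.0.0.1,!fe80:abba::0"):
        for laddr in ("10.0.0.1", "10.0.0.2", "fe80:abba::"):
            print("LocalAddress %-28s laddr=%-13s -> %s"
                  % (plist, laddr, match_local_address(laddr, plist)))
```

Running it shows that `!10.0.0.1` alone rejects 10.0.0.1 and also fails to match 10.0.0.2, so a Match block written that way never applies to anyone; prefixing `*` turns the same exclusions into "everything except these", which is the behaviour Christoph was after.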
From: tim at multitalents.net (Tim Rice) Date: Mon, 23 Feb 2015 22:52:46 -0800 (PST) Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: <20150224002851.GA30328@gate.dtucker.net> Message-ID: On Tue, 24 Feb 2015, Damien Miller wrote: | On Mon, 23 Feb 2015, Kevin Brott wrote: | | > | > Yup - that cleared that hurdle ... now it dies here on AIX: | > | > xlc_r -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include | > -I. -I. -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include | > -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" | > -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" | > -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" | > -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" | > -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" | > -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" | > -DHAVE_CONFIG_H -o regress/netcat ./regress/netcat.c -L. -Lopenbsd-compat/ | > -L/usr/lib -L/usr/ccs/lib -blibpath:/usr/lib:/lib -lssh -lopenbsd-compat | > -lssh -lopenbsd-compat -lcrypto -lz -lpthread | > "./regress/netcat.c", line 47.10: 1506-296 (S) #include file not | > found. | > "./regress/netcat.c", line 1334.10: 1506-296 (S) #include file not | > found. | > make: 1254-004 The error code from the last command is 1. | > | > Is this looking for openssl's err.h or something else? if the former, | > shouldn't this be , if the latter - not on this OS. | | This should fix it: | | diff --git a/regress/netcat.c b/regress/netcat.c [snip patch] A good start. There was a err.h further down. And Solaris 10 had a name space clash. This gets us closer but we still need to deal with SVR4 msghdr structure differences. That needs more time than I have tonight. ........ --- regress/netcat.c.old 2015-02-20 08:54:09.406208844 -0800 +++ regress/netcat.c 2015-02-23 22:35:38.154211574 -0800 @@ -44,7 +44,6 @@ #include #include -#include #include #include #include 
@@ -122,6 +121,47 @@ ssize_t drainbuf(int, unsigned char *, size_t *); ssize_t fillbuf(int, unsigned char *, size_t *); +static void err(int, const char *, ...) __attribute__((format(printf, 2, 3))); +static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3))); +static void warn(const char *, ...) __attribute__((format(printf, 1, 2))); + +static void +err(int r, const char *fmt, ...) +{ + va_list args; + + va_start(args, fmt); + fprintf(stderr, "%s: ", strerror(errno)); + vfprintf(stderr, fmt, args); + fputc('\n', stderr); + va_end(args); + exit(r); +} + +static void +errx(int r, const char *fmt, ...) +{ + va_list args; + + va_start(args, fmt); + vfprintf(stderr, fmt, args); + fputc('\n', stderr); + va_end(args); + exit(r); +} + +static void +warn(const char *fmt, ...) +{ + va_list args; + + va_start(args, fmt); + fprintf(stderr, "%s: ", strerror(errno)); + vfprintf(stderr, fmt, args); + fputc('\n', stderr); + va_end(args); +} + int main(int argc, char *argv[]) { @@ -500,7 +540,7 @@ int unix_bind(char *path) { - struct sockaddr_un sun; + struct sockaddr_un sun_sa; int s; /* Create unix domain socket. */ @@ -508,17 +548,17 @@ 0)) < 0) return (-1); - memset(&sun, 0, sizeof(struct sockaddr_un)); - sun.sun_family = AF_UNIX; + memset(&sun_sa, 0, sizeof(struct sockaddr_un)); + sun_sa.sun_family = AF_UNIX; - if (strlcpy(sun.sun_path, path, sizeof(sun.sun_path)) >= - sizeof(sun.sun_path)) { + if (strlcpy(sun_sa.sun_path, path, sizeof(sun_sa.sun_path)) >= + sizeof(sun_sa.sun_path)) { close(s); errno = ENAMETOOLONG; return (-1); } - if (bind(s, (struct sockaddr *)&sun, SUN_LEN(&sun)) < 0) { + if (bind(s, (struct sockaddr *)&sun_sa, SUN_LEN(&sun_sa)) < 0) { close(s); return (-1); } @@ -532,7 +572,7 @@ int unix_connect(char *path) { - struct sockaddr_un sun; + struct sockaddr_un sun_sa; int s; if (uflag) { 
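Review bot: in the @@ -122,6 +121,47 @@ hunk of this patch the replacement err() and warn() print `strerror(errno)` before the caller's message, whereas the err(3) they stand in for on platforms that have the header prints the message first and the strerror text after it, so netcat's diagnostics will read differently on the platforms that need this fallback. Emitting the message, then ": " and strerror(errno), keeps output identical everywhere. Since err() and errx() both call exit(), their prototypes should also carry `__attribute__((noreturn))` alongside the format attribute, which lets the compiler see that code after an err() call is unreachable.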
@@ -544,16 +584,16 @@ } (void)fcntl(s, F_SETFD, FD_CLOEXEC); - memset(&sun, 0, sizeof(struct sockaddr_un)); - sun.sun_family = AF_UNIX; + memset(&sun_sa, 0, sizeof(struct sockaddr_un)); + sun_sa.sun_family = AF_UNIX; - if (strlcpy(sun.sun_path, path, sizeof(sun.sun_path)) >= - sizeof(sun.sun_path)) { + if (strlcpy(sun_sa.sun_path, path, sizeof(sun_sa.sun_path)) >= + sizeof(sun_sa.sun_path)) { close(s); errno = ENAMETOOLONG; return (-1); } - if (connect(s, (struct sockaddr *)&sun, SUN_LEN(&sun)) < 0) { + if (connect(s, (struct sockaddr *)&sun_sa, SUN_LEN(&sun_sa)) < 0) { close(s); return (-1); } @@ -1331,7 +1371,6 @@ #include #include -#include #include #include #include ........ -- Tim Rice Multitalents tim at multitalents.net From jjelen at redhat.com Tue Feb 24 23:16:34 2015 From: jjelen at redhat.com (Jakub Jelen) Date: Tue, 24 Feb 2015 13:16:34 +0100 Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: Message-ID: <54EC6BA2.80902@redhat.com> On 02/19/2015 11:21 PM, Damien Miller wrote: > Hi, > > OpenSSH 6.8 is almost ready for release, so we would appreciate testing > on as many platforms and systems as possible. This release contains > some substantial new features and a number of bugfixes. Tested openssh-SNAP-20150224 on current Fedora with GCC5 on x86_64. Builds fine, test passes. Also tested on Fedora on aarch64 with same results. Jakub From djm at mindrot.org Wed Feb 25 01:10:29 2015 From: djm at mindrot.org (Damien Miller) Date: Wed, 25 Feb 2015 01:10:29 +1100 (AEDT) Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: <20150224002851.GA30328@gate.dtucker.net> Message-ID: On Mon, 23 Feb 2015, Tim Rice wrote: > | This should fix it: > | > | 
diff --git a/regress/netcat.c b/regress/netcat.c > [snip patch] > > A good start. There was a err.h further down. And Solaris 10 had > a name space clash. This gets us closer but we still need to deal with > SVR4 msghdr structure differences. That needs more time than I have tonight. > > ........ > --- regress/netcat.c.old 2015-02-20 08:54:09.406208844 -0800 > +++ regress/netcat.c 2015-02-23 22:35:38.154211574 -0800 [...] ok djm From kevin.brott at gmail.com Wed Feb 25 03:16:16 2015 From: kevin.brott at gmail.com (Kevin Brott) Date: Tue, 24 Feb 2015 08:16:16 -0800 Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: <20150224002851.GA30328@gate.dtucker.net> Message-ID: On Mon, Feb 23, 2015 at 4:53 PM, Damien Miller wrote: > > This should fix it: > > diff --git a/regress/netcat.c b/regress/netcat.c > index 84efe11..4b8c51c 100644 > --- a/regress/netcat.c 
> +++ b/regress/netcat.c
> [snip]
>

This patch applies cleanly against openssh-SNAP-20150225.tar.gz and once I remove the other err.h reference as noted later (that patch doesn't apply more than the first two chunks), the build on AIX gets to here before it explodes:

xlc_r -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include -I. -I. -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c regress/unittests/bitmap/tests.c -o regress/unittests/bitmap/tests.o
"/usr/include/sys/mman.h", line 148.25: 1506-343 (S) Redeclaration of mmap64 differs from previous declaration on line 143 of "/usr/include/sys/mman.h".
"/usr/include/sys/mman.h", line 148.25: 1506-377 (I) The type "long long" of parameter 6 differs from the previous type "long".
make: 1254-004 The error code from the last command is 1.

From tgc at jupiterrise.com Wed Feb 25 03:44:04 2015
From: tgc at jupiterrise.com (Tom G. Christensen) Date: Tue, 24 Feb 2015 17:44:04 +0100 Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: <54EB7DCE.5080708@jupiterrise.com> <54EB9A20.4080102@jupiterrise.com> Message-ID: <54ECAA54.7020504@jupiterrise.com> On 23/02/15 23:05, Damien Miller wrote: > Thanks - I just committed fixes for both of these > Thank you. I've switched to HEAD in the git repo and it now builds on Solaris 2.6, 7, 8 and 9 but the testsuite still cannot be built due to the missing . I noticed one of the changes was about HOST_NAME_MAX but I don't think that change addresses the real issue on at least these old Solaris systems. It looks to me like the fall back in defines.h was not activated because Solaris has MAXHOSTNAMELEN in which has not been included when defines.h tries to find a fall back HOST_NAME_MAX. Looking at sshd.c with gcc -dD -E confirms it as defines.h now set HOST_NAME_MAX to 255 and later is included which then defines MAXHOSTNAMELEN to 256. I don't know if it would be reasonable to include from includes.h but that would make HOST_NAME_MAX fall back to MAXHOSTNAMELEN on at least Solaris < 10. -tgc From djm at mindrot.org Wed Feb 25 03:50:07 2015 From: djm at mindrot.org (Damien Miller) Date: Wed, 25 Feb 2015 03:50:07 +1100 (AEDT) Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: <20150224002851.GA30328@gate.dtucker.net> Message-ID: On Tue, 24 Feb 2015, Kevin Brott wrote: > > On Mon, Feb 23, 2015 at 4:53 PM, Damien Miller wrote: > > This should fix it: > > diff --git a/regress/netcat.c b/regress/netcat.c > index 84efe11..4b8c51c 100644 > --- a/regress/netcat.c 
> +++ b/regress/netcat.c
> [snip]
>
>
> This patch applies cleanly against
> openssh-SNAP-20150225.tar.gz and once I remove the other err.h reference as
> noted later (that patch doesn't apply more than the first two chunks), the
> build on AIX gets to here before it explodes:
>
> xlc_r -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include -I.
> -I. -O2 -qarch=ppc -qalloca -I/usr/include -I/opt/freeware/include
> -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\"
> -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\"
> -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\"
> -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\"
> -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\"
> -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\"
> -DHAVE_CONFIG_H -c regress/unittests/bitmap/tests.c -o
> regress/unittests/bitmap/tests.o
> "/usr/include/sys/mman.h", line 148.25: 1506-343 (S) Redeclaration of mmap64
> differs from previous declaration on line 143 of "/usr/include/sys/mman.h".
> "/usr/include/sys/mman.h", line 148.25: 1506-377 (I) The type "long long" of
> parameter 6 differs from the previous type "long".
> make: 1254-004 The error code from the last command is 1.

Thanks for persisting :)

Does this help?

diff --git regress/unittests/bitmap/tests.c regress/unittests/bitmap/tests.c
index 5e02ca1..06c779d 100644
--- regress/unittests/bitmap/tests.c
+++ regress/unittests/bitmap/tests.c
@@ -5,6 +5,8 @@ * Placed in the public domain */ +#include "includes.h" + #include #include #include

From kevin.brott at gmail.com Wed Feb 25 04:07:58 2015
From: kevin.brott at gmail.com (Kevin Brott)
Date: Tue, 24 Feb 2015 09:07:58 -0800
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References: <20150224002851.GA30328@gate.dtucker.net>
Message-ID:

On Tue, Feb 24, 2015 at 8:50 AM, Damien Miller wrote:
> Thanks for persisting :)
>
> Does this help?
> > diff --git regress/unittests/bitmap/tests.c > regress/unittests/bitmap/tests.c > index 5e02ca1..06c779d 100644 > --- regress/unittests/bitmap/tests.c > +++ regress/unittests/bitmap/tests.c > @@ -5,6 +5,8 @@ > * Placed in the public domain > */ > > +#include "includes.h" > + > #include > #include > #include > If I apply the same fix to these files - then I actually get past the build and into the tests ... regress/unittests/hostkeys/test_iterate.c regress/unittests/kex/test_kex.c Will report back once the tests have finished. Will be starting a new thread in a bit, against the patched source, on the HP-UX build failures. -- # include /* Kevin Brott */ From djm at mindrot.org Wed Feb 25 04:24:03 2015 From: djm at mindrot.org (Damien Miller) Date: Wed, 25 Feb 2015 04:24:03 +1100 (AEDT) Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: <20150224002851.GA30328@gate.dtucker.net> Message-ID: On Tue, 24 Feb 2015, Kevin Brott wrote: > If I apply the same fix to these files - then I actually get past the > build and into the tests ... > regress/unittests/hostkeys/test_iterate.c > regress/unittests/kex/test_kex.c > > Will report back once the tests have finished. Will be starting a new > thread in a bit, against the patched source, on the HP-UX build failures. Applied - thanks. -d From kevin.brott at gmail.com Wed Feb 25 06:00:34 2015 
From: kevin.brott at gmail.com (Kevin Brott)
Date: Tue, 24 Feb 2015 11:00:34 -0800
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References: <20150224002851.GA30328@gate.dtucker.net>
Message-ID:

On Tue, Feb 24, 2015 at 9:24 AM, Damien Miller wrote:
>
> Applied - thanks.
>
> -d
>

Finally - success ...

Tested both the patched openssh-SNAP-20150225.tar.gz and a git clone from 09:30 PST today. Both AIX 6.1/7.1 using gcc and IBM's compiler - code builds and passes all tests.

OS             Build_Target                CC               OpenSSL       BUILD  TEST
============== =========================== ================ ============= ====== =================
AIX 6100-09-03 powerpc-ibm-aix6.1.0.0      xlc 11.1.0.6     1.0.1e        OK     all tests passed
AIX 6100-09-03 powerpc-ibm-aix6.1.0.0      gcc 4.2.0        1.0.1e        OK     all tests passed
AIX 7100-03-04 powerpc-ibm-aix7.1.0.0      xlc 12.1.0.6     1.0.1e        OK     all tests passed
AIX 7100-03-04 powerpc-ibm-aix7.1.0.0      gcc 4.4.7        1.0.1e        OK     all tests passed

Now I can move on to the other systems.

:q
--
# include /* Kevin Brott */

From djm at mindrot.org Wed Feb 25 06:20:04 2015
From: djm at mindrot.org (Damien Miller) Date: Wed, 25 Feb 2015 06:20:04 +1100 (AEDT) Subject: Call for testing: OpenSSH 6.8 In-Reply-To: <54ECAA54.7020504@jupiterrise.com> References: <54EB7DCE.5080708@jupiterrise.com> <54EB9A20.4080102@jupiterrise.com> <54ECAA54.7020504@jupiterrise.com> Message-ID: On Tue, 24 Feb 2015, Tom G. Christensen wrote: > I've switched to HEAD in the git repo and it now builds on Solaris > 2.6, 7, 8 and 9 but the testsuite still cannot be built due to the > missing . > > I noticed one of the changes was about HOST_NAME_MAX but I don't > think that change addresses the real issue on at least these old > Solaris systems. It looks to me like the fall back in defines.h > was not activated because Solaris has MAXHOSTNAMELEN in > which has not been included when defines.h tries to find a fall back > HOST_NAME_MAX. > > Looking at sshd.c with gcc -dD -E confirms it as defines.h now set > HOST_NAME_MAX to 255 and later is included which then > defines MAXHOSTNAMELEN to 256. > > I don't know if it would be reasonable to include > from includes.h but that would make HOST_NAME_MAX fall back to > MAXHOSTNAMELEN on at least Solaris < 10. I guess we could do this: diff --git includes.h includes.h index c3034e3..ec74998 100644 --- includes.h +++ includes.h @@ -171,6 +171,8 @@ #include /* For OPENSSL_VERSION_NUMBER */ #endif +#include /* For MAXHOSTNAMELEN */ + #include "defines.h" #include "platform.h" From kevin.brott at gmail.com Wed Feb 25 07:11:16 2015 
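Review bot: the `+#include /* For MAXHOSTNAMELEN */` line in this includes.h hunk (the header name is lost in the archive; the thread identifies it as netdb.h) is added unconditionally, while the surrounding block includes system headers conditionally, as the `#endif` immediately above the insertion point shows. Wrap the new include in the matching configure guard (`#ifdef HAVE_NETDB_H`) so platforms without that header keep building, and extend the comment to say that it must precede "defines.h", since that is where the HOST_NAME_MAX fallback looks for MAXHOSTNAMELEN.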
From: kevin.brott at gmail.com (Kevin Brott)
Date: Tue, 24 Feb 2015 12:11:16 -0800
Subject: Current 6.8 git build issues on HP-UX
Message-ID:

HP-UX 11.23/11.31 build failures

OS             Build_Target                CC                 OpenSSL       BUILD  TEST
============== =========================== ================== ============= ====== =================
HP-UX 11.23    ia64-hp-hpux11.23           C/aC++ C.11.23.12  0.9.8zb       *F1
HP-UX 11.23    ia64-hp-hpux11.23           gcc 4.3.1          0.9.8zb       *F2
HP-UX 11.31    ia64-hp-hpux11.31           C/aC++ C.11.31.05  0.9.8zb       *F1
HP-UX 11.31    ia64-hp-hpux11.31           gcc 4.6.2          0.9.8zb       *F2

*F1 cc Build fails here:

cc -O2 -Ae -I. -I. -I/opt/phs/include -I/opt/gnome/include -I/usr/include -I/opt/gtk2.6/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c cipher-aesctr.c -o cipher-aesctr.o
"cipher-aesctr.c", line 30: warning #2260-D: explicit type is missing ("int" assumed)
static inline void
^
"cipher-aesctr.c", line 30: error #2065: expected a ";"
static inline void
^
At end of source: warning #2012-D: parsing restarts here after previous syntax error
1 error detected in the compilation of "cipher-aesctr.
make: *** [cipher-aesctr.o] Error 2

*F2 gcc Build fails here:

gcc -O2 -mtune=itanium2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -std=gnu99 -I. -I.
-O2 -mtune=itanium2 -pipe -I/opt/phs/include -I/usr/local/include -I/opt/hp-gcc/include -I/opt/gtk2.6/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/netcat regress/netcat.c \ nbsd-compat/ -L/opt/phs/lib -L/usr/local/lib -L/opt/hp-gcc/lib -L/usr/lib/hpux32 -L/opt/gtk2.6/lib -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz -lnsl -lxnet -lsec regress/netcat.c: In function 'socks_connect': regress/netcat.c:1470: warning: 'wlen' may be used uninitialized in this function ld: Unsatisfied symbol "xstrdup" in file openbsd-compat//libopenbsd-compat.a[bsd-misc.o] 1 errors. collect2: ld returned 1 exit status make: *** [regress/netcat] Error 1 -- # include /* Kevin Brott */ From tgc at jupiterrise.com Wed Feb 25 07:50:54 2015 From: tgc at jupiterrise.com (Tom G. Christensen) Date: Tue, 24 Feb 2015 21:50:54 +0100 Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: <54EB7DCE.5080708@jupiterrise.com> <54EB9A20.4080102@jupiterrise.com> <54ECAA54.7020504@jupiterrise.com> Message-ID: <54ECE42E.50601@jupiterrise.com> On 24/02/15 20:20, Damien Miller wrote: > On Tue, 24 Feb 2015, Tom G. Christensen wrote: >> I don't know if it would be reasonable to include >> from includes.h but that would make HOST_NAME_MAX fall back to >> MAXHOSTNAMELEN on at least Solaris < 10. > > I guess we could do this: > > diff --git includes.h includes.h > index c3034e3..ec74998 100644 > --- includes.h > +++ includes.h 
> @@ -171,6 +171,8 @@ > #include /* For OPENSSL_VERSION_NUMBER */ > #endif > > +#include /* For MAXHOSTNAMELEN */ > + > #include "defines.h" > > #include "platform.h" >

Exactly. I tested such a change on Solaris 2.6 and it builds and HOST_NAME_MAX falls back to MAXHOSTNAMELEN.

I also had a quick look at a Solaris 10 host and it has _POSIX_HOST_NAME_MAX in which is already included.

-tgc

From tim at multitalents.net Wed Feb 25 07:56:55 2015
From: tim at multitalents.net (Tim Rice)
Date: Tue, 24 Feb 2015 12:56:55 -0800 (PST)
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References: <54EB7DCE.5080708@jupiterrise.com> <54EB9A20.4080102@jupiterrise.com> <54ECAA54.7020504@jupiterrise.com>
Message-ID:

On Wed, 25 Feb 2015, Damien Miller wrote:
| On Tue, 24 Feb 2015, Tom G. Christensen wrote:
|
| > I've switched to HEAD in the git repo and it now builds on Solaris
| > 2.6, 7, 8 and 9 but the testsuite still cannot be built due to the
| > missing .

The err.h issue is fixed but there are still msghdr structure differences to deal with. [more below]

| > I noticed one of the changes was about HOST_NAME_MAX but I don't
| > think that change addresses the real issue on at least these old
| > Solaris systems. It looks to me like the fall back in defines.h
| > was not activated because Solaris has MAXHOSTNAMELEN in
| > which has not been included when defines.h tries to find a fall back
| > HOST_NAME_MAX.
| >
| > Looking at sshd.c with gcc -dD -E confirms it as defines.h now set
| > HOST_NAME_MAX to 255 and later is included which then
| > defines MAXHOSTNAMELEN to 256.
| >
| > I don't know if it would be reasonable to include
| > from includes.h but that would make HOST_NAME_MAX fall back to
| > MAXHOSTNAMELEN on at least Solaris < 10.
|
| I guess we could do this:
|
| diff --git includes.h includes.h
| index c3034e3..ec74998 100644
| --- includes.h
| +++ includes.h
|
@@ -171,6 +171,8 @@ | #include /* For OPENSSL_VERSION_NUMBER */ | #endif | | +#include /* For MAXHOSTNAMELEN */ | + | #include "defines.h" | | #include "platform.h" | _______________________________________________ I should have spotted that netdb.h was not included yet Perhaps ..... --- defines.h.old 2015-02-23 21:35:19.098756406 -0800 +++ defines.h 2015-02-24 12:22:24.916077846 -0800 @@ -108,10 +108,9 @@ #ifndef HOST_NAME_MAX # if defined(_POSIX_HOST_NAME_MAX) # define HOST_NAME_MAX _POSIX_HOST_NAME_MAX -# elif defined(MAXHOSTNAMELEN) +# elif defined(HAVE_NETDB_H) +# include # define HOST_NAME_MAX MAXHOSTNAMELEN -# else -# define HOST_NAME_MAX 255 # endif #endif /* HOST_NAME_MAX */ ..... -- Tim Rice Multitalents (707) 456-1146 tim at multitalents.net From dtucker at zip.com.au Wed Feb 25 08:43:47 2015 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 24 Feb 2015 16:43:47 -0500 Subject: Current 6.8 git build issues on HP-UX In-Reply-To: References: Message-ID: On Tue, Feb 24, 2015 at 3:11 PM, Kevin Brott wrote: > [...] > "cipher-aesctr.c", line 30: warning #2260-D: explicit type is missing > ("int" assumed) > static inline void > does replacing "inline" with "__inline__" work? Failing that, removing inline entirely? ld: Unsatisfied symbol "xstrdup" in file > openbsd-compat//libopenbsd-compat.a[bsd-misc.o] > 1 errors. > That one looks like a link order problem. Unfortunately, given that it already has "-lssh -lopenbsd-compat -lssh -lopenbsd-compat" we seem to just be digging the hole deeper... -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Wed Feb 25 09:04:57 2015 
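Review bot: dropping the `# else` / `# define HOST_NAME_MAX 255` arm in the defines.h hunk leaves HOST_NAME_MAX undefined on a system that has neither _POSIX_HOST_NAME_MAX nor HAVE_NETDB_H, and testing `defined(HAVE_NETDB_H)` instead of `defined(MAXHOSTNAMELEN)` means `# define HOST_NAME_MAX MAXHOSTNAMELEN` can expand to an undefined identifier when netdb.h exists but does not supply MAXHOSTNAMELEN. Suggest doing the include unconditionally ahead of the chain, keeping `# elif defined(MAXHOSTNAMELEN)` as the test, and retaining the numeric `# else` as the last resort so every platform ends up with a value.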
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 25 Feb 2015 09:04:57 +1100 Subject: Current 6.8 git build issues on HP-UX In-Reply-To: References: Message-ID: <20150224220457.GA10067@gate.dtucker.net> On Tue, Feb 24, 2015 at 12:11:16PM -0800, Kevin Brott wrote: > ld: Unsatisfied symbol "xstrdup" in file > openbsd-compat//libopenbsd-compat.a[bsd-misc.o] How about removing the dependency on xmalloc? eg (untested): diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c index 65e8003..40efc87 100644 --- a/openbsd-compat/bsd-misc.c +++ b/openbsd-compat/bsd-misc.c @@ -31,8 +31,6 @@ #include #include -#include "xmalloc.h" - #ifndef HAVE___PROGNAME char *__progname; #endif @@ -43,13 +41,12 @@ char *__progname; */ char *ssh_get_progname(char *argv0) { + char *p, *q; #ifdef HAVE___PROGNAME extern char *__progname; - return xstrdup(__progname); + p = progname; #else - char *p; - if (argv0 == NULL) return ("unknown"); /* XXX */ p = strrchr(argv0, '/'); @@ -57,9 +54,12 @@ char *ssh_get_progname(char *argv0) p = argv0; else p++; - - return (xstrdup(p)); #endif + if ((q = strdup(p)) == NULL) { + perror("strdup"); + exit(1); + } + return q; } #ifndef HAVE_SETLOGIN -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From djm at mindrot.org Wed Feb 25 09:08:28 2015 From: djm at mindrot.org (Damien Miller) Date: Wed, 25 Feb 2015 09:08:28 +1100 (AEDT) Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: <54EB7DCE.5080708@jupiterrise.com> <54EB9A20.4080102@jupiterrise.com> <54ECAA54.7020504@jupiterrise.com> Message-ID: On Tue, 24 Feb 2015, Tim Rice wrote: > I should have spotted that netdb.h was not included yet > Perhaps > ..... > --- defines.h.old 2015-02-23 21:35:19.098756406 -0800 > +++ defines.h 2015-02-24 12:22:24.916077846 -0800 
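Review bot: `p = progname;` in the HAVE___PROGNAME branch of the second hunk names an identifier that is not declared anywhere in the hunk; the extern declared on the line above it is `__progname`, so this will not compile on platforms where HAVE___PROGNAME is set. Suggest `p = __progname;`.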
> @@ -108,10 +108,9 @@ > #ifndef HOST_NAME_MAX > # if defined(_POSIX_HOST_NAME_MAX) > # define HOST_NAME_MAX _POSIX_HOST_NAME_MAX > -# elif defined(MAXHOSTNAMELEN) > +# elif defined(HAVE_NETDB_H) > +# include I don't think there is any need for "elif defined(HAVE_NETDB_H)" since we unconditionally include netdb.h in a few places already. diff --git defines.h defines.h index d99ef68..b7dd1d9 100644 --- defines.h +++ defines.h @@ -106,6 +106,7 @@ enum #endif /* MAXPATHLEN */ #ifndef HOST_NAME_MAX +# include "netdb.h" /* for MAXHOSTNAMELEN */ # if defined(_POSIX_HOST_NAME_MAX) # define HOST_NAME_MAX _POSIX_HOST_NAME_MAX # elif defined(MAXHOSTNAMELEN) diff --git includes.h includes.h index c3034e3..2893a54 100644 --- includes.h +++ includes.h @@ -27,7 +27,7 @@ #include /* For CMSG_* */ #ifdef HAVE_LIMITS_H -# include /* For PATH_MAX */ +# include /* For PATH_MAX, _POSIX_HOST_NAME_MAX */ #endif #ifdef HAVE_BSTRING_H # include From djm at mindrot.org Wed Feb 25 09:09:25 2015 From: djm at mindrot.org (Damien Miller) Date: Wed, 25 Feb 2015 09:09:25 +1100 (AEDT) Subject: Current 6.8 git build issues on HP-UX In-Reply-To: <20150224220457.GA10067@gate.dtucker.net> References: <20150224220457.GA10067@gate.dtucker.net> Message-ID: On Wed, 25 Feb 2015, Darren Tucker wrote: > On Tue, Feb 24, 2015 at 12:11:16PM -0800, Kevin Brott wrote: > > ld: Unsatisfied symbol "xstrdup" in file > > openbsd-compat//libopenbsd-compat.a[bsd-misc.o] > > How about removing the dependency on xmalloc? eg (untested): fine by me From dtucker at zip.com.au Wed Feb 25 09:13:22 2015 
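Review bot: `# include "netdb.h"` in the defines.h hunk uses the quoted form for a system header, which makes the preprocessor search the including file's directory before the system include path; suggest `# include <netdb.h>` so a stray local file of that name cannot shadow it. The includes.h hunk is a comment-only change and needs no further review.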
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 25 Feb 2015 09:13:22 +1100 Subject: Current 6.8 git build issues on HP-UX In-Reply-To: <20150224220457.GA10067@gate.dtucker.net> References: <20150224220457.GA10067@gate.dtucker.net> Message-ID: <20150224221322.GA13006@gate.dtucker.net> On Wed, Feb 25, 2015 at 09:04:57AM +1100, Darren Tucker wrote: > On Tue, Feb 24, 2015 at 12:11:16PM -0800, Kevin Brott wrote: > > ld: Unsatisfied symbol "xstrdup" in file > > openbsd-compat//libopenbsd-compat.a[bsd-misc.o] > > How about removing the dependency on xmalloc? eg (untested): Shoulda tested it. Now one that will compile: diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c index 65e8003..40efc87 100644 --- a/openbsd-compat/bsd-misc.c +++ b/openbsd-compat/bsd-misc.c @@ -31,8 +31,6 @@ #include #include -#include "xmalloc.h" - #ifndef HAVE___PROGNAME char *__progname; #endif @@ -43,13 +41,12 @@ char *__progname; */ char *ssh_get_progname(char *argv0) { + char *p, *q; #ifdef HAVE___PROGNAME extern char *__progname; - return xstrdup(__progname); + p = progname; #else - char *p; - if (argv0 == NULL) return ("unknown"); /* XXX */ p = strrchr(argv0, '/'); @@ -57,9 +54,12 @@ char *ssh_get_progname(char *argv0) p = argv0; else p++; - - return (xstrdup(p)); #endif + if ((q = strdup(p)) == NULL) { + perror("strdup"); + exit(1); + } + return q; } #ifndef HAVE_SETLOGIN -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From djm at mindrot.org Wed Feb 25 09:16:15 2015 
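Review bot: the second hunk still reads `p = progname;` and the `index 65e8003..40efc87` line is identical to the earlier post, so this is the same diff rather than the one that compiled; the identifier in scope is `__progname`.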
From: djm at mindrot.org (Damien Miller) Date: Wed, 25 Feb 2015 09:16:15 +1100 (AEDT) Subject: Current 6.8 git build issues on HP-UX In-Reply-To: <20150224221322.GA13006@gate.dtucker.net> References: <20150224220457.GA10067@gate.dtucker.net> <20150224221322.GA13006@gate.dtucker.net> Message-ID: On Wed, 25 Feb 2015, Darren Tucker wrote: > On Wed, Feb 25, 2015 at 09:04:57AM +1100, Darren Tucker wrote: > > On Tue, Feb 24, 2015 at 12:11:16PM -0800, Kevin Brott wrote: > > > ld: Unsatisfied symbol "xstrdup" in file > > > openbsd-compat//libopenbsd-compat.a[bsd-misc.o] > > > > How about removing the dependency on xmalloc? eg (untested): > > Shoulda tested it. Now one that will compile: even finer by me From dtucker at zip.com.au Wed Feb 25 09:20:01 2015 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 25 Feb 2015 09:20:01 +1100 Subject: Current 6.8 git build issues on HP-UX In-Reply-To: <20150224221322.GA13006@gate.dtucker.net> References: <20150224220457.GA10067@gate.dtucker.net> <20150224221322.GA13006@gate.dtucker.net> Message-ID: <20150224222001.GB13006@gate.dtucker.net> On Wed, Feb 25, 2015 at 09:13:22AM +1100, Darren Tucker wrote: > On Wed, Feb 25, 2015 at 09:04:57AM +1100, Darren Tucker wrote: > > On Tue, Feb 24, 2015 at 12:11:16PM -0800, Kevin Brott wrote: > > > ld: Unsatisfied symbol "xstrdup" in file > > > openbsd-compat//libopenbsd-compat.a[bsd-misc.o] > > > > How about removing the dependency on xmalloc? eg (untested): > > Shoulda tested it. Now one that will compile: Sigh. And now the right patch from the tree that compiled. (djm: I get the idea :-) diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c index 65e8003..f7be415 100644 --- a/openbsd-compat/bsd-misc.c +++ b/openbsd-compat/bsd-misc.c @@ -31,8 +31,6 @@ #include #include -#include "xmalloc.h" - #ifndef HAVE___PROGNAME char *__progname; #endif 
@@ -43,13 +41,12 @@ char *__progname; */ char *ssh_get_progname(char *argv0) { + char *p, *q; #ifdef HAVE___PROGNAME extern char *__progname; - return xstrdup(__progname); + p = __progname; #else - char *p; - if (argv0 == NULL) return ("unknown"); /* XXX */ p = strrchr(argv0, '/'); @@ -57,9 +54,12 @@ char *ssh_get_progname(char *argv0) p = argv0; else p++; - - return (xstrdup(p)); #endif + if ((q = strdup(p)) == NULL) { + perror("strdup"); + exit(1); + } + return q; } #ifndef HAVE_SETLOGIN -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From kevin.brott at gmail.com Wed Feb 25 09:21:31 2015 
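Review bot: in the second hunk the `#else` branch still does `return ("unknown"); /* XXX */`, handing back a string literal, while every other path now returns heap memory from `strdup(p)` in the third hunk; a caller that frees the result therefore has mixed ownership. Suggest routing the NULL-argv0 case through the same tail, e.g. `p = "unknown";` and falling through to the `strdup`, so the return value is always allocated.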
From: kevin.brott at gmail.com (Kevin Brott) Date: Tue, 24 Feb 2015 14:21:31 -0800 Subject: Current 6.8 git build issues on HP-UX In-Reply-To: References: Message-ID: On Tue, Feb 24, 2015 at 1:43 PM, Darren Tucker wrote: > On Tue, Feb 24, 2015 at 3:11 PM, Kevin Brott > wrote: > >> [...] >> "cipher-aesctr.c", line 30: warning #2260-D: explicit type is missing >> ("int" assumed) >> static inline void >> > > does replacing "inline" with "__inline__" work? Failing that, removing > inline entirely? > Using __inline__ fails the same way, but removing it entirely moves on past that to this: cc -O2 -Ae -I. -I. -I/opt/phs/include -I/opt/gnome/include -I/usr/include -I/opt/gtk2.6/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -o regress/netcat regress/netcat.c \ -L. 
-Lopenbsd-compat/ -L/opt/phs/lib -L/opt/phs/lib/hpux32 -L/opt/gnome/lib -L/usr/lib -L/usr/lib/hpux32 -L/opt/gtk2.6/lib -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -lz -lnsl -lxnet -lsec "/usr/include/sys/signal.h", line 465: warning #2047-D: incompatible redefinition of macro "_NSIG" (declared at line 828 of "./defines.h") # define _NSIG 45 ^ "regress/netcat.c", line 1613: warning #4212-D: mismatch between character pointer types "unsigned char *" and "char *" r = snprintf(buf, sizeof(buf), ^ "regress/netcat.c", line 1617: warning #4212-D: mismatch between character pointer types "unsigned char *" and "char *" r = snprintf(buf, sizeof(buf), ^ "regress/netcat.c", line 1623: warning #4212-D: mismatch between character pointer types "unsigned char *" and "const char *" r = strlen(buf); ^ "regress/netcat.c", line 1633: warning #4212-D: mismatch between character pointer types "unsigned char *" and "char *" r = snprintf(buf, sizeof(buf), "%s:%s", ^ "regress/netcat.c", line 1636: warning #4212-D: mismatch between character pointer types "unsigned char *" and "const char *" b64_ntop(buf, strlen(buf), resp, ^ "regress/netcat.c", line 1639: warning #4212-D: mismatch between character pointer types "unsigned char *" and "char *" r = snprintf(buf, sizeof(buf), "Proxy-Authorization: " ^ "regress/netcat.c", line 1643: warning #4212-D: mismatch between character pointer types "unsigned char *" and "const char *" r = strlen(buf); ^ "regress/netcat.c", line 1653: warning #4212-D: mismatch between character pointer types "unsigned char *" and "char *" proxy_read_line(proxyfd, buf, sizeof(buf)); ^ "regress/netcat.c", line 1655: warning #4212-D: mismatch between character pointer types "unsigned char *" and "const char *" strncmp(buf, "HTTP/1.0 407 ", 12) == 0) { ^ "regress/netcat.c", line 1662: warning #4212-D: mismatch between character pointer types "unsigned char *" and "const char *" } else if (strncmp(buf, "HTTP/1.0 200 ", 12) != 0 && ^ "regress/netcat.c", line 1663: 
warning #4212-D: mismatch between character pointer types "unsigned char *" and "const char *" strncmp(buf, "HTTP/1.1 200 ", 12) != 0) ^ "regress/netcat.c", line 1668: warning #4212-D: mismatch between character pointer types "unsigned char *" and "char *" proxy_read_line(proxyfd, buf, sizeof(buf)); ^ ld: Unsatisfied symbol "ntohs" in file netcat.o ld: Unsatisfied symbol "xstrdup" in file openbsd-compat//libopenbsd-compat.a[bsd-misc.o] 2 errors. make: *** [regress/netcat] Error 1 -- # include /* Kevin Brott */ From dtucker at zip.com.au Wed Feb 25 09:29:01 2015 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 25 Feb 2015 09:29:01 +1100 Subject: Current 6.8 git build issues on HP-UX In-Reply-To: <20150224222001.GB13006@gate.dtucker.net> References: <20150224220457.GA10067@gate.dtucker.net> <20150224221322.GA13006@gate.dtucker.net> <20150224222001.GB13006@gate.dtucker.net> Message-ID: <20150224222901.GC13006@gate.dtucker.net> On Wed, Feb 25, 2015 at 09:20:01AM +1100, Darren Tucker wrote: [...] > Sigh. And now the right patch from the tree that compiled. > (djm: I get the idea :-) Tim: is this sufficient to back out the "Work around finicky USL linker" change? https://anongit.mindrot.org/openssh.git/commit/?id=d1db656021d0cd8c001a6692f772f1de29b67c8b > diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c > index 65e8003..f7be415 100644 > --- a/openbsd-compat/bsd-misc.c > +++ b/openbsd-compat/bsd-misc.c > @@ -31,8 +31,6 @@ > #include > #include > > -#include "xmalloc.h" > - > #ifndef HAVE___PROGNAME > char *__progname; > #endif > @@ -43,13 +41,12 @@ char *__progname; > */ > char *ssh_get_progname(char *argv0) > { > + char *p, *q; > #ifdef HAVE___PROGNAME > extern char *__progname; > > - return xstrdup(__progname); > + p = __progname; > #else > - char *p; > - > if (argv0 == NULL) > return ("unknown"); /* XXX */ > p = strrchr(argv0, '/'); 
> @@ -57,9 +54,12 @@ char *ssh_get_progname(char *argv0) > p = argv0; > else > p++; > - > - return (xstrdup(p)); > #endif > + if ((q = strdup(p)) == NULL) { > + perror("strdup"); > + exit(1); > + } > + return q; > } > > #ifndef HAVE_SETLOGIN -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From kevin.brott at gmail.com Wed Feb 25 09:33:07 2015 From: kevin.brott at gmail.com (Kevin Brott) Date: Tue, 24 Feb 2015 14:33:07 -0800 Subject: Current 6.8 git build issues on HP-UX In-Reply-To: <20150224222001.GB13006@gate.dtucker.net> References: <20150224220457.GA10067@gate.dtucker.net> <20150224221322.GA13006@gate.dtucker.net> <20150224222001.GB13006@gate.dtucker.net> Message-ID: On Tue, Feb 24, 2015 at 2:20 PM, Darren Tucker wrote: > On Wed, Feb 25, 2015 at 09:13:22AM +1100, Darren Tucker wrote: > > On Wed, Feb 25, 2015 at 09:04:57AM +1100, Darren Tucker wrote: > > > On Tue, Feb 24, 2015 at 12:11:16PM -0800, Kevin Brott wrote: > > > > ld: Unsatisfied symbol "xstrdup" in file > > > > openbsd-compat//libopenbsd-compat.a[bsd-misc.o] > > > > > > How about removing the dependency on xmalloc? eg (untested): > > > > Shoulda tested it. Now one that will compile: > > Sigh. And now the right patch from the tree that compiled. > (djm: I get the idea :-) > > diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c > index 65e8003..f7be415 100644 > > Applying this patch against the git clone from this morning, the patched openssh-SNAP-20150225.tar.gz that worked finally for AIX and the git clone I just pulled gives me: patching file openbsd-compat/bsd-misc.c Hunk #2 FAILED at 41. Hunk #3 FAILED at 54. 2 out of 3 hunks FAILED -- saving rejects to file openbsd-compat/bsd-misc.c.rej Suggestions? From dtucker at zip.com.au Wed Feb 25 11:16:50 2015 
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 24 Feb 2015 19:16:50 -0500 Subject: Current 6.8 git build issues on HP-UX In-Reply-To: References: <20150224220457.GA10067@gate.dtucker.net> <20150224221322.GA13006@gate.dtucker.net> <20150224222001.GB13006@gate.dtucker.net> Message-ID: On Tue, Feb 24, 2015 at 5:33 PM, Kevin Brott wrote: > > patching file openbsd-compat/bsd-misc.c > Hunk #2 FAILED at 41. > Hunk #3 FAILED at 54. > 2 out of 3 hunks FAILED -- saving rejects to file > openbsd-compat/bsd-misc.c.rej > > Suggestions? > Whitespace mangled in the mail? I put up a copy here: http://www.dtucker.net/~dtucker/tmp/openssh-progname.patch failing that, try patch -l ? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From tim at multitalents.net Wed Feb 25 11:37:41 2015 
From: tim at multitalents.net (Tim Rice) Date: Tue, 24 Feb 2015 16:37:41 -0800 (PST) Subject: Current 6.8 git build issues on HP-UX In-Reply-To: References: Message-ID: On Tue, 24 Feb 2015, Darren Tucker wrote: | On Tue, Feb 24, 2015 at 3:11 PM, Kevin Brott wrote: | | > [...] | > "cipher-aesctr.c", line 30: warning #2260-D: explicit type is missing | > ("int" assumed) | > static inline void | > | | does replacing "inline" with "__inline__" work? Failing that, removing | inline entirely? I just changed __inline__ to inline so we don't want to go that direction. We already use "static inline void" in openbsd-compat/arc4random.c. Puzzling. | ld: Unsatisfied symbol "xstrdup" in file | > openbsd-compat//libopenbsd-compat.a[bsd-misc.o] | > 1 errors. | > | | That one looks like a link order problem. Unfortunately, given that it | already has "-lssh -lopenbsd-compat -lssh -lopenbsd-compat" we seem to just | be digging the hole deeper... Makefile.in has been updated for this. Kevin, add another -lssh after the last -lopenbsd-compat in your Makefile for the netcat rule. -- Tim Rice Multitalents tim at multitalents.net From tim at multitalents.net Wed Feb 25 11:47:20 2015 From: tim at multitalents.net (Tim Rice) Date: Tue, 24 Feb 2015 16:47:20 -0800 (PST) Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: <54EB7DCE.5080708@jupiterrise.com> <54EB9A20.4080102@jupiterrise.com> <54ECAA54.7020504@jupiterrise.com> Message-ID: On Wed, 25 Feb 2015, Damien Miller wrote: > I don't think there is any need for "elif defined(HAVE_NETDB_H)" since > we unconditionally include netdb.h in a few places already. > > diff --git defines.h defines.h > index d99ef68..b7dd1d9 100644 > --- defines.h > +++ defines.h > @@ -106,6 +106,7 @@ enum > #endif /* MAXPATHLEN */ > > #ifndef HOST_NAME_MAX > +# include "netdb.h" /* for MAXHOSTNAMELEN */ > # if defined(_POSIX_HOST_NAME_MAX) > # define HOST_NAME_MAX _POSIX_HOST_NAME_MAX > # elif defined(MAXHOSTNAMELEN) 
> diff --git includes.h includes.h > index c3034e3..2893a54 100644 > --- includes.h > +++ includes.h > @@ -27,7 +27,7 @@ > #include /* For CMSG_* */ > > #ifdef HAVE_LIMITS_H > -# include /* For PATH_MAX */ > +# include /* For PATH_MAX, _POSIX_HOST_NAME_MAX */ > #endif > #ifdef HAVE_BSTRING_H > # include ok tim -- Tim Rice Multitalents tim at multitalents.net From tim at multitalents.net Wed Feb 25 11:58:47 2015 From: tim at multitalents.net (Tim Rice) Date: Tue, 24 Feb 2015 16:58:47 -0800 (PST) Subject: Current 6.8 git build issues on HP-UX In-Reply-To: <20150224222901.GC13006@gate.dtucker.net> References: <20150224220457.GA10067@gate.dtucker.net> <20150224221322.GA13006@gate.dtucker.net> <20150224222001.GB13006@gate.dtucker.net> <20150224222901.GC13006@gate.dtucker.net> Message-ID: On Wed, 25 Feb 2015, Darren Tucker wrote: | On Wed, Feb 25, 2015 at 09:20:01AM +1100, Darren Tucker wrote: | Tim: is this sufficient to back out the "Work around finicky USL linker" | change? | | https://anongit.mindrot.org/openssh.git/commit/?id=d1db656021d0cd8c001a6692f772f1de29b67c8b | | > diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c | > index 65e8003..f7be415 100644 | > --- a/openbsd-compat/bsd-misc.c [patch snipped] netcat still builds with your patch and backing out the Makefile.in commit. -- Tim Rice Multitalents tim at multitalents.net From kevin.brott at gmail.com Wed Feb 25 12:27:44 2015 
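The HOST_NAME_MAX discussion above is about header ordering: the fallback chain in defines.h has to run after the headers that might define MAXHOSTNAMELEN, or it settles on the numeric default while a later header then defines a different value. The following is an added example, not code from OpenSSH or from anyone in this thread, showing the fallback chain in the order the thread settles on, plus a gethostname() wrapper that sizes its buffer from the resulting constant and always NUL-terminates, because POSIX does not guarantee termination when the name is truncated. The header set and the 255 default are assumptions for illustration.

```c
#include <limits.h>     /* _POSIX_HOST_NAME_MAX and, on some systems, HOST_NAME_MAX */
#include <netdb.h>      /* MAXHOSTNAMELEN on BSD-derived systems */
#include <sys/param.h>  /* MAXHOSTNAMELEN on others (old Solaris, per the thread) */
#include <string.h>
#include <unistd.h>

/*
 * Fallback chain evaluated only after every header that may supply a
 * value has been included.  If the chain ran before <sys/param.h>, the
 * numeric default would win and MAXHOSTNAMELEN would later be defined
 * to a different number, which is the mismatch described in the thread.
 * Assumption: 255 is a reasonable last-resort default.
 */
#ifndef HOST_NAME_MAX
# if defined(_POSIX_HOST_NAME_MAX)
#  define HOST_NAME_MAX _POSIX_HOST_NAME_MAX
# elif defined(MAXHOSTNAMELEN)
#  define HOST_NAME_MAX MAXHOSTNAMELEN
# else
#  define HOST_NAME_MAX 255
# endif
#endif

/* Expose the effective limit so callers can size buffers from it. */
int effective_host_name_max(void)
{
    return HOST_NAME_MAX;
}

/*
 * gethostname(2) may leave the buffer unterminated when the name does
 * not fit, and some libcs report ENAMETOOLONG instead.  This wrapper
 * guarantees a NUL-terminated result in both cases.  Returns the name
 * length on success and -1 on failure (buffer is then the empty string).
 */
int get_hostname_safe(char *buf, size_t buflen)
{
    if (buf == NULL || buflen == 0)
        return -1;
    if (gethostname(buf, buflen) != 0) {
        buf[0] = '\0';
        return -1;
    }
    buf[buflen - 1] = '\0';     /* terminate even on silent truncation */
    return (int)strlen(buf);
}

/*
 * Exercise the truncation path with a deliberately small buffer: fill the
 * scratch space with non-NUL bytes, call the wrapper, and report whether a
 * terminator landed inside the first buflen bytes.
 */
int hostname_buffer_is_terminated(size_t buflen)
{
    char scratch[HOST_NAME_MAX + 1];

    if (buflen == 0 || buflen > sizeof scratch)
        return 0;
    memset(scratch, 'x', sizeof scratch);
    (void)get_hostname_safe(scratch, buflen);
    return memchr(scratch, '\0', buflen) != NULL;
}
```

The order of the three system includes relative to the `#ifndef HOST_NAME_MAX` block is the whole point; moving the block above them reproduces the Solaris symptom Tom describes.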
From: kevin.brott at gmail.com (Kevin Brott) Date: Tue, 24 Feb 2015 17:27:44 -0800 Subject: Current 6.8 git build issues on HP-UX In-Reply-To: References: <20150224220457.GA10067@gate.dtucker.net> <20150224221322.GA13006@gate.dtucker.net> <20150224222001.GB13006@gate.dtucker.net> Message-ID: On Tue, Feb 24, 2015 at 4:16 PM, Darren Tucker wrote: > > Whitespace mangled in the mail? > > I put up a copy here: > http://www.dtucker.net/~dtucker/tmp/openssh-progname.patch > > failing that, try patch -l ? > That patch applies to the git clone I just pulled - so - guessing some random whitespace, although I usually have no trouble grabbing patches from the raw email. I'll push it over and run the compile later, as I'm taking the wife to the Alton Brown show in just a bit. -- # include /* Kevin Brott */ From dtucker at zip.com.au Wed Feb 25 12:34:25 2015 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 24 Feb 2015 20:34:25 -0500 Subject: Current 6.8 git build issues on HP-UX In-Reply-To: References: Message-ID: On Tue, Feb 24, 2015 at 7:37 PM, Tim Rice wrote: > > | does replacing "inline" with "__inline__" work? Failing that, removing > | inline entirely? > > I just changed __inline__ to inline so we don't want to go that direction. yeah but if it worked we could have done #ifdef whatever #define __inline__ inline ... so they both worked > We already use "static inline void" in openbsd-compat/arc4random.c. > Puzzling. > Now that's weird. Also "static inline int" in sshbuf.c and addrmatch.c. Oh! The ones that work #include "includes.h" and cipher-aesctr.c doesn't. "inline" must be defined in the headers somewhere (the system ones, it's not in ours). -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Wed Feb 25 13:28:32 2015 
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 24 Feb 2015 21:28:32 -0500 Subject: Current 6.8 git build issues on HP-UX In-Reply-To: References: Message-ID: On Tue, Feb 24, 2015 at 8:34 PM, Darren Tucker wrote: > Oh! The ones that work #include "includes.h" and cipher-aesctr.c doesn't. > Also, cipher-aesctr.c starts like this: #include #include #ifndef WITH_OPENSSL [rest of file] so there was no way for WITH_OPENSSL to get set since configure puts it in config.h so we were always compiling this file whether it was needed or not. I've just committed the change to add includes.h. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From tim at multitalents.net Wed Feb 25 17:34:47 2015 From: tim at multitalents.net (Tim Rice) Date: Tue, 24 Feb 2015 22:34:47 -0800 (PST) Subject: Current 6.8 git build issues on HP-UX In-Reply-To: References: Message-ID: On Tue, 24 Feb 2015, Darren Tucker wrote: | On Tue, Feb 24, 2015 at 7:37 PM, Tim Rice wrote: | | > We already use "static inline void" in openbsd-compat/arc4random.c. | > Puzzling. | > | | Now that's weird. Also "static inline int" in sshbuf.c and addrmatch.c. | | Oh! The ones that work #include "includes.h" and cipher-aesctr.c doesn't. | "inline" must be defined in the headers somewhere (the system ones, it's | not in ours). Maybe some compilers handle "static inline int" but not "static inline void". Looking again at openbsd-compat/arc4random.c I see inline defined to nothing for the non GCC case. -- Tim Rice Multitalents tim at multitalents.net From hexumg at gmail.com Wed Feb 25 23:12:39 2015 
From: hexumg at gmail.com (Eugene Bright) Date: Wed, 25 Feb 2015 16:12:39 +0400 Subject: Does ssh-keygen really allow 521 bit ECDSA key generation? Message-ID: Hello! I found a strange sentence in the ssh-keygen man page. There may be a misprint. -b bits Specifies the number of bits in the key to create. For RSA keys, the minimum size is 768 bits and the default is 2048 bits. Generally, 2048 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, the -b flag determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. Ed25519 keys have a fixed length and the -b flag will be ignored. Regards, Eugene Bright. From list at eworm.de Wed Feb 25 23:56:17 2015 
From: list at eworm.de (Christian Hesse) Date: Wed, 25 Feb 2015 13:56:17 +0100 Subject: Does ssh-keygen really allow 521 bit ECDSA key generation? In-Reply-To: References: Message-ID: <20150225135617.4d4af637@leda.localdomain> Eugene Bright on Wed, 2015/02/25 16:12: > Hello! > > I found a strange sentence in the ssh-keygen man page. There may be a misprint. You are referring to the fact that 521 is not a power of 2? Looks like this is valid nevertheless. % ssh-keygen -t ecdsa -b 512 Invalid ECDSA key length - valid lengths are 256, 384 or 521 bits % ssh-keygen -t ecdsa -b 521 Generating public/private ecdsa key pair. [...] Wikipedia adds a note about this as well: http://en.wikipedia.org/wiki/Elliptic_curve_cryptography#cite_note-25 -- main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];) putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);} From clabbe.montjoie at gmail.com Thu Feb 26 00:09:18 2015 
From: clabbe.montjoie at gmail.com (LABBE Corentin) Date: Wed, 25 Feb 2015 14:09:18 +0100 Subject: [openssh with openssl cryptodev engine] sshd killed by seccomp filter Message-ID: <20150225130918.GA21519@Red> Hello I have a server with a hardware crypto accelerator. For giving userspace access to it I use the cryptodev module (http://cryptodev-linux.org/) I have also the cryptodev engine compiled in openssl. When I modprobe the cryptodev module, I cannot login with ssh on the server. The symptom can be found with dmesg: audit: type=1326 audit(1424784807.257:3): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=17725 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000028 syscall=54 compat=0 ip=0xb6be809c code=0x0 sshd is killed by SIGSYS, because it tries to use the ioctl call, which is forbidden by the seccomp filter. If you check the openssl engine code, it uses ioctl on /dev/crypto. The following patch solves the issue: --- sandbox-seccomp-filter.c.old 2015-02-24 14:52:01.000000000 +0100 +++ sandbox-seccomp-filter.c 2015-02-24 15:45:08.000000000 +0100 @@ -98,6 +98,7 @@ #ifdef __NR_time /* not defined on EABI ARM */ SC_ALLOW(time), #endif + SC_ALLOW(ioctl), SC_ALLOW(read), SC_ALLOW(write), SC_ALLOW(close), Thanks From cloos at jhcloos.com Thu Feb 26 00:49:56 2015 From: cloos at jhcloos.com (James Cloos) Date: Wed, 25 Feb 2015 08:49:56 -0500 Subject: Does ssh-keygen really allow 521 bit ECDSA key generation? In-Reply-To: (Eugene Bright's message of "Wed, 25 Feb 2015 16:12:39 +0400") References: Message-ID: >>>>> "EB" == Eugene Bright writes: EB> I found a strange sentence in the ssh-keygen man page. There may be a misprint. No, that is correct. They couldn't find a good prime slightly under 512 bits, so chose the Mersenne prime 2^521 - 1. -JimC -- James Cloos OpenPGP: 0x997A9F17ED7DAEA6 From kevin.brott at gmail.com Thu Feb 26 03:50:12 2015 
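Review bot: `SC_ALLOW(ioctl)` in the sandbox-seccomp-filter.c hunk admits every ioctl request on every descriptor to the sandboxed process, which reopens precisely the kernel surface the allow-list exists to close; the audit line quoted above (sig=31, syscall=54, arch=40000028) shows the filter behaving as designed rather than a bug in it. If /dev/crypto offload is genuinely wanted in that process, the rule would need to be narrowed to the specific request values the cryptodev engine issues rather than an unconditional allow, with a comment in the hunk saying why ioctl is permitted at all.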
From: kevin.brott at gmail.com (Kevin Brott) Date: Wed, 25 Feb 2015 08:50:12 -0800 Subject: Current 6.8 git build issues on HP-UX In-Reply-To: References: Message-ID: Interestingly enough if I re-run 'make tests' using HP-UX cc it continues into the tests because it actually did build regress netcat! (not executable - but it's there) ... run test connect.sh ... ssh connect with protocol 1 failed ssh connect with protocol 2 failed failed simple connect Which is exactly where the gcc build fails - it just doesn't die at the netcat build. ===== On Wed, Feb 25, 2015 at 8:34 AM, Kevin Brott wrote: > On Tue, Feb 24, 2015 at 6:48 PM, Darren Tucker wrote: > >> On Tue, Feb 24, 2015 at 9:08 PM, Kevin Brott >> wrote: >>> >>> The __inline__ substitution did not work - but removing 'inline' did >>> in getting past that failure >>> . Had to do it again on the just-patched clone to get past that failure >>> >> >> I think I've just committed a fix for this. >> >> >>> Patch almost worked ... still complains about ntohs. >>> >> >> That should be a macro. On Linux and OpenBSD it's in . My >> guess is it's somewhere different on HPUX. Can you check the man page >> and/or grep /usr/include ? >> >> > ntohs shows up in > /usr/include/arpa/inet.h > /usr/include/netinet/in.h > /usr/include/sys/byteorder.h > > The byteorder(3N) manpage says this: > SYNOPSIS > #include > _XOPEN_SOURCE_EXTENDED only > #include > unsigned long htonl(unsigned long hostlong); > unsigned short htons(unsigned short hostshort); > unsigned long ntohl(unsigned long netlong); > unsigned short ntohs(unsigned short netshort); > > DESCRIPTION > These routines convert 16- and 32-bit quantities between network > byte order and host byte order. On HP-UX systems, network and host byte > orders are identical, so these routines are defined as null macros in > the include file . If _XOPEN_SOURCE_EXTENDED is defined > then these routines are defined in the include file . 
> > Not sure what to think of that - my include-fu is weak. > >> >> redefinition of macro "_NSIG" (declared at line 829 of >>> "./defines.h") >>> # define _NSIG 45 >>> >> >> I think I've fixed that too. You should be able to "git pull" to pick up >> both changes. >> >> > > Yup - fixed in the snapshot and the latest git pull - however HP cc is > still puking on ntohs missing during the linking of netcat. > > BTW on that last gcc run - the tests failed on simple connect - going to > retry here in a bit and see if the latest tree is still puking. > > -- > # include > /* Kevin Brott */ > > -- # include /* Kevin Brott */ From dtucker at zip.com.au Thu Feb 26 04:09:54 2015 From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 25 Feb 2015 12:09:54 -0500 Subject: Current 6.8 git build issues on HP-UX In-Reply-To: References: Message-ID: On Wed, Feb 25, 2015 at 11:50 AM, Kevin Brott wrote: > > Interestingly enough if I re-run 'make tests' using HP-UX cc it continues > into the tests because it actually did build regress netcat! (not executable > - but it's there) ... > > run test connect.sh ... > ssh connect with protocol 1 failed > ssh connect with protocol 2 failed > failed simple connect > The files failed-ssh.log and failed-sshd.log in the regress directory should give some clues about why it failed. Could you please post them? Thanks. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Thu Feb 26 04:16:45 2015 
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 25 Feb 2015 12:16:45 -0500
Subject: Current 6.8 git build issues on HP-UX
In-Reply-To:
References: <20150224220457.GA10067@gate.dtucker.net> <20150224221322.GA13006@gate.dtucker.net> <20150224222001.GB13006@gate.dtucker.net> <20150224222901.GC13006@gate.dtucker.net>
Message-ID:

On Tue, Feb 24, 2015 at 7:58 PM, Tim Rice wrote:
> On Wed, 25 Feb 2015, Darren Tucker wrote:
> | On Wed, Feb 25, 2015 at 09:20:01AM +1100, Darren Tucker wrote:
> | Tim: is this sufficient to back out the "Work around finicky USL linker" change?
[...]
> netcat still builds with your patch and backing out the Makefile.in commit.

I've committed the ssh_get_progname change. Would you like to remove USL linker workaround?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From djm at mindrot.org Thu Feb 26 04:21:03 2015
From: djm at mindrot.org (Damien Miller)
Date: Thu, 26 Feb 2015 04:21:03 +1100 (AEDT)
Subject: [openssh with openssl cryptodev engine] sshd killed by seccomp filter
In-Reply-To: <20150225130918.GA21519@Red>
References: <20150225130918.GA21519@Red>
Message-ID:

On Wed, 25 Feb 2015, LABBE Corentin wrote:
> Hello
>
> I have a server with a hardware crypto accelerator.
> For giving userspace access to it I use the cryptodev module (http://cryptodev-linux.org/)
> I have also the cryptodev engine compiled in openssl.
>
> When I modprobe the cryptodev module, I cannot login with ssh on the server.
>
> The symptom can be found with dmesg:
> audit: type=1326 audit(1424784807.257:3): auid=4294967295 uid=22 gid=22 ses=4294967295 pid=17725 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000028 syscall=54 compat=0 ip=0xb6be809c code=0x0

[snip]

> + SC_ALLOW(ioctl),

no, sorry. ioctl is too much attack kernel surface and would defeat the usefulness of the sandbox.

-d

From kevin.brott at gmail.com Thu Feb 26 04:51:34 2015
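The audit line quoted above can be decoded mechanically, which is the first thing an operator wants when a sandboxed daemon dies with sig=31: which process, which signal, and which system call on which architecture. The following is an added example, not OpenSSH's code, that parses such a record. It assumes the sample comes from a little-endian ARM host (arch=40000028 is AUDIT_ARCH_ARM, under which syscall 54 is ioctl) and carries only a partial syscall table; SAMPLE_AUDIT_LINE is the line from the thread embedded as constructed input.

```c
/* Added example, not OpenSSH code: decode a seccomp audit record like the
 * dmesg line quoted above (process, signal, arch, syscall).  The arch and
 * syscall tables are partial; the sample is assumed to be from a
 * little-endian ARM host, which is what arch=40000028 (AUDIT_ARCH_ARM) means. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUDIT_SECCOMP_TYPE 1326UL           /* type= of a seccomp record */
#define LINUX_SIGSYS 31UL                   /* sig= is a Linux signal number */
#define FIELD_MISSING ((unsigned long)-1)

/* The line quoted in the thread, used here as sample input. */
const char SAMPLE_AUDIT_LINE[] =
    "audit: type=1326 audit(1424784807.257:3): auid=4294967295 uid=22 gid=22 "
    "ses=4294967295 pid=17725 comm=\"sshd\" exe=\"/usr/sbin/sshd\" sig=31 "
    "arch=40000028 syscall=54 compat=0 ip=0xb6be809c code=0x0";

/* Copy the value of key=... into out without quotes.  The key must start a
 * token so "id" does not match inside "uid=".  Returns 1 if found, else 0. */
int audit_field(const char *line, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key), n;
    const char *p = line, *v;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == line || p[-1] == ' ') && p[klen] == '=') {
            v = p + klen + 1;
            if (*v == '"')
                n = strcspn(++v, "\"");
            else
                n = strcspn(v, " ");
            if (n >= outlen)
                n = outlen - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Numeric field in the given base, or FIELD_MISSING. */
unsigned long audit_field_num(const char *line, const char *key, int base)
{
    char buf[64], *end;
    unsigned long v;
    if (!audit_field(line, key, buf, sizeof(buf)) || buf[0] == '\0')
        return FIELD_MISSING;
    v = strtoul(buf, &end, base);
    return *end == '\0' ? v : FIELD_MISSING;
}

/* AUDIT_ARCH_* from <linux/audit.h>: ELF machine number, plus 0x40000000
 * for little-endian and 0x80000000 for 64-bit. */
const char *audit_arch_name(unsigned long arch)
{
    switch (arch) {
    case 0x40000028UL: return "arm";
    case 0x40000003UL: return "i386";
    case 0xc000003eUL: return "x86_64";
    default:           return "unknown";
    }
}

/* Syscall numbers differ per architecture, so arch must be decoded first. */
const char *audit_syscall_name(unsigned long arch, unsigned long nr)
{
    const char *a = audit_arch_name(arch);
    if (!strcmp(a, "arm") || !strcmp(a, "i386")) {  /* classic 32-bit table */
        switch (nr) { case 3: return "read"; case 4: return "write";
                      case 6: return "close"; case 54: return "ioctl"; }
    } else if (!strcmp(a, "x86_64")) {
        switch (nr) { case 0: return "read"; case 1: return "write";
                      case 3: return "close"; case 16: return "ioctl"; }
    }
    return "unknown";
}

/* Name of the syscall a seccomp record was raised for; NULL when the line
 * is not a type=1326 record or lacks arch/syscall. */
const char *seccomp_syscall(const char *line)
{
    unsigned long arch = audit_field_num(line, "arch", 16);
    unsigned long nr = audit_field_num(line, "syscall", 10);
    if (audit_field_num(line, "type", 10) != AUDIT_SECCOMP_TYPE ||
        arch == FIELD_MISSING || nr == FIELD_MISSING)
        return NULL;
    return audit_syscall_name(arch, nr);
}

int main(void)
{
    char comm[32] = "?";
    const char *sc = seccomp_syscall(SAMPLE_AUDIT_LINE);
    audit_field(SAMPLE_AUDIT_LINE, "comm", comm, sizeof(comm));
    printf("%s: %s() -> %s\n", comm, sc ? sc : "not a seccomp record",
        audit_field_num(SAMPLE_AUDIT_LINE, "sig", 10) == LINUX_SIGSYS
            ? "killed by SIGSYS" : "not fatal");
    return sc == NULL;
}
```

Running it on the sample prints `sshd: ioctl() -> killed by SIGSYS`, which is the whole story behind the login failure: the cryptodev engine issues ioctl(2) from inside the sandboxed process, and the filter's default action is to kill. The same decoder works on any type=1326 line, so it can sit in a log pipeline to flag sandbox kills by process name rather than by raw numbers.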
From: kevin.brott at gmail.com (Kevin Brott)
Date: Wed, 25 Feb 2015 09:51:34 -0800
Subject: Current 6.8 git build issues on HP-UX
In-Reply-To:
References:
Message-ID:

On Wed, Feb 25, 2015 at 9:09 AM, Darren Tucker wrote:
> The files failed-ssh.log and failed-sshd.log in the regress directory should give some clues about why it failed. Could you please post them?

Here goes ... If the list pukes on these I'll crunch them and post them somewhere.

--
# include /* Kevin Brott */

-------------- next part --------------
A non-text attachment was scrubbed...
Name: failed-regress.log
Type: text/x-log
Size: 167 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: failed-ssh.log
Type: text/x-log
Size: 11690 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: failed-sshd.log
Type: text/x-log
Size: 12357 bytes
Desc: not available
URL:

From tim at multitalents.net Thu Feb 26 05:00:42 2015
From: tim at multitalents.net (Tim Rice)
Date: Wed, 25 Feb 2015 10:00:42 -0800 (PST)
Subject: Current 6.8 git build issues on HP-UX
In-Reply-To:
References: <20150224220457.GA10067@gate.dtucker.net> <20150224221322.GA13006@gate.dtucker.net> <20150224222001.GB13006@gate.dtucker.net> <20150224222901.GC13006@gate.dtucker.net>
Message-ID:

On Wed, 25 Feb 2015, Darren Tucker wrote:
> On Tue, Feb 24, 2015 at 7:58 PM, Tim Rice wrote:
> [...]
> > netcat still builds with your patch and backing out the Makefile.in commit.
>
> I've committed the ssh_get_progname change. Would you like to remove USL linker workaround?

Done.

--
Tim Rice Multitalents tim at multitalents.net

From dtucker at zip.com.au Thu Feb 26 05:42:37 2015
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 25 Feb 2015 13:42:37 -0500
Subject: Current 6.8 git build issues on HP-UX
In-Reply-To:
References:
Message-ID:

On Wed, Feb 25, 2015 at 12:51 PM, Kevin Brott wrote:
> On Wed, Feb 25, 2015 at 9:09 AM, Darren Tucker wrote:
>> The files failed-ssh.log and failed-sshd.log in the regress directory should give some clues about why it failed. Could you please post them?
>
> Here goes ... If the list pukes on these I'll crunch them and post them somewhere.

Dunno if they made the list, but I got them. The problem is in the sshd log:

debug3: mm_answer_pwnamallow
debug2: parse_server_config: config reprocess config len 450
User compile not allowed because account is locked

so sshd thinks the account is "locked", which configure defines for HPUX as:

AC_DEFINE([LOCKED_PASSWD_STRING], ["*"],

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From tgc at jupiterrise.com Thu Feb 26 08:55:59 2015
From: tgc at jupiterrise.com (Tom G. Christensen)
Date: Wed, 25 Feb 2015 22:55:59 +0100
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References: <54EB7DCE.5080708@jupiterrise.com> <54EB9A20.4080102@jupiterrise.com> <54ECAA54.7020504@jupiterrise.com>
Message-ID: <54EE44EF.7050803@jupiterrise.com>

On 24/02/15 21:56, Tim Rice wrote:
> On Wed, 25 Feb 2015, Damien Miller wrote:
> | On Tue, 24 Feb 2015, Tom G. Christensen wrote:
> | > I've switched to HEAD in the git repo and it now builds on Solaris 2.6, 7, 8 and 9 but the testsuite still cannot be built due to the missing .
>
> The err.h issue is fixed but there are still msghdr structure differences to deal with.

Yes I saw that later.

The testsuite build fails on Solaris 2.6 thusly:

regress/netcat.c: In function 'timeout_connect':
regress/netcat.c:703: warning: passing argument 2 of 'connect' discards qualifiers from pointer target type
regress/netcat.c:709: warning: passing argument 4 of 'getsockopt' from incompatible pointer type
regress/netcat.c: In function 'local_listen':
regress/netcat.c:735: warning: unused variable 'x'
regress/netcat.c:735: warning: unused variable 'ret'
regress/netcat.c: In function 'fdpass':
regress/netcat.c:1037: error: 'struct msghdr' has no member named 'msg_control'
regress/netcat.c:1038: error: 'struct msghdr' has no member named 'msg_controllen'
regress/netcat.c:1039: error: 'struct msghdr' has no member named 'msg_controllen'
regress/netcat.c:1039: error: 'struct msghdr' has no member named 'msg_control'
regress/netcat.c: In function 'set_common_sockopts':
regress/netcat.c:1196: warning: passing argument 4 of 'setsockopt' from incompatible pointer type
regress/netcat.c:1201: warning: passing argument 4 of 'setsockopt' from incompatible pointer type
regress/netcat.c:1206: warning: passing argument 4 of 'setsockopt' from incompatible pointer type
regress/netcat.c:1211: warning: passing argument 4 of 'setsockopt' from incompatible pointer type
regress/netcat.c: In function 'decode_addrport':
regress/netcat.c:1419: warning: comparison between signed and unsigned
make: *** [regress/netcat] Error 1

I guess that is what you meant about structure differences.

It looks like on Solaris I can choose between msg_accrights* or msg_control*/msg_flags in struct msghdr. The latter requires _XOPEN_SOURCE and _XOPEN_SOURCE_EXTENDED which will also require __EXTENSIONS__ or other useful things suddenly go away.

Building openssh with CC="gcc -D__EXTENSIONS__ -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED" is possible (tested only on Solaris 9 so far).

Unfortunately now that I can finally run the testsuite I see ssh-keygen dumps core in keygen-change.sh but all tests before that pass.

$ gdb ssh-keygen
GNU gdb (GDB) 7.8
...
Reading symbols from ssh-keygen...done.
(gdb) core regress/core
[New LWP 1]
Core was generated by `/export/home/tgc/buildpkg/openssh/src/openssh-git/ssh-keygen -p -P secret1 -N 2'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0xfedb4b14 in strlen () from /usr/lib/libc.so.1
(gdb) bt
#0  0xfedb4b14 in strlen () from /usr/lib/libc.so.1
#1  0xfee07a20 in _doprnt () from /usr/lib/libc.so.1
#2  0xfee095e0 in printf () from /usr/lib/libc.so.1
#3  0x000546b0 in do_change_passphrase (pw=pw at entry=0x92954) at ssh-keygen.c:1279
#4  0x00059420 in main (argc=0, argv=0xffbfe664) at ssh-keygen.c:2530
(gdb) fram 3
#3  0x000546b0 in do_change_passphrase (pw=pw at entry=0x92954) at ssh-keygen.c:1279
1279        printf("Key has comment '%s'\n", comment);
(gdb) print comment
$1 = 0x0
(gdb)

I've not had time to look into this further and also I've not verified if this happens without setting CC.

-tgc

From keisial at gmail.com Thu Feb 26 09:07:38 2015
From: keisial at gmail.com (Ángel González)
Date: Wed, 25 Feb 2015 23:07:38 +0100
Subject: [openssh with openssl cryptodev engine] sshd killed by seccomp filter
In-Reply-To:
References: <20150225130918.GA21519@Red>
Message-ID: <54EE47AA.1050209@gmail.com>

On 25/02/15 18:21, Damien Miller wrote:
> On Wed, 25 Feb 2015, LABBE Corentin wrote:
>> + SC_ALLOW(ioctl),
> no, sorry. ioctl is too much attack kernel surface and would defeat the usefulness of the sandbox.
>
> -d

Labbe, which ioctl is being issued?

From djm at mindrot.org Thu Feb 26 09:28:52 2015
From: djm at mindrot.org (Damien Miller)
Date: Thu, 26 Feb 2015 09:28:52 +1100 (AEDT)
Subject: Call for testing: OpenSSH 6.8
In-Reply-To: <54EE44EF.7050803@jupiterrise.com>
References: <54EB7DCE.5080708@jupiterrise.com> <54EB9A20.4080102@jupiterrise.com> <54ECAA54.7020504@jupiterrise.com> <54EE44EF.7050803@jupiterrise.com>
Message-ID:

On Wed, 25 Feb 2015, Tom G. Christensen wrote:
> On 24/02/15 21:56, Tim Rice wrote:
> > On Wed, 25 Feb 2015, Damien Miller wrote:
> > | On Tue, 24 Feb 2015, Tom G. Christensen wrote:
> > | > I've switched to HEAD in the git repo and it now builds on Solaris 2.6, 7, 8 and 9 but the testsuite still cannot be built due to the missing .
> >
> > The err.h issue is fixed but there are still msghdr structure differences to deal with.
>
> Yes I saw that later.
>
> The testsuite build fails on Solaris 2.6 thusly:
[...]
> regress/netcat.c:1037: error: 'struct msghdr' has no member named 'msg_control'

ah, looks like we need to copy some bits from monitor_fdpass.c

-d

From djm at mindrot.org Thu Feb 26 11:27:29 2015
From: djm at mindrot.org (Damien Miller) Date: Thu, 26 Feb 2015 11:27:29 +1100 (AEDT) Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: <54EB7DCE.5080708@jupiterrise.com> <54EB9A20.4080102@jupiterrise.com> <54ECAA54.7020504@jupiterrise.com> <54EE44EF.7050803@jupiterrise.com> Message-ID: On Thu, 26 Feb 2015, Damien Miller wrote: > > Yes I saw that later. > > > > The testsuite build fails on Solaris 2.6 thusly: > [...] > > regress/netcat.c:1037: error: 'struct msghdr' has no member named > > 'msg_control' > > ah, looks like we need to copy some bits from monitor_fdpass.c Perhaps like this: diff --git regress/netcat.c regress/netcat.c index 3f100bd..29e85bf 100644 --- regress/netcat.c +++ regress/netcat.c 
@@ -1014,43 +1014,44 @@ fillbuf(int fd, unsigned char *buf, size_t *bufpos) void fdpass(int nfd) { - struct msghdr mh; +#if defined(HAVE_SENDMSG) && (defined(HAVE_ACCRIGHTS_IN_MSGHDR) || defined(HAVE_CONTROL_IN_MSGHDR)) + struct msghdr msg; +#ifndef HAVE_ACCRIGHTS_IN_MSGHDR union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } cmsgbuf; struct cmsghdr *cmsg; - struct iovec iov; - char c = '\0'; - ssize_t r; +#endif + struct iovec vec; + char ch = '\0'; struct pollfd pfd; + ssize_t r; - /* Avoid obvious stupidity */ - if (isatty(STDOUT_FILENO)) - errx(1, "Cannot pass file descriptor to tty"); - - bzero(&mh, sizeof(mh)); - bzero(&cmsgbuf, sizeof(cmsgbuf)); - bzero(&iov, sizeof(iov)); - bzero(&pfd, sizeof(pfd)); - - mh.msg_control = (caddr_t)&cmsgbuf.buf; - mh.msg_controllen = sizeof(cmsgbuf.buf); - cmsg = CMSG_FIRSTHDR(&mh); + memset(&msg, 0, sizeof(msg)); +#ifdef HAVE_ACCRIGHTS_IN_MSGHDR + msg.msg_accrights = (caddr_t)&nfd; + msg.msg_accrightslen = sizeof(nfd); +#else + memset(&cmsgbuf, 0, sizeof(cmsgbuf)); + msg.msg_control = (caddr_t)&cmsgbuf.buf; + msg.msg_controllen = sizeof(cmsgbuf.buf); + cmsg = CMSG_FIRSTHDR(&msg); cmsg->cmsg_len = CMSG_LEN(sizeof(int)); cmsg->cmsg_level = SOL_SOCKET; cmsg->cmsg_type = SCM_RIGHTS; *(int *)CMSG_DATA(cmsg) = nfd; +#endif - iov.iov_base = &c; - iov.iov_len = 1; - mh.msg_iov = &iov; - mh.msg_iovlen = 1; + vec.iov_base = &ch; + vec.iov_len = 1; + msg.msg_iov = &vec; + msg.msg_iovlen = 1; bzero(&pfd, sizeof(pfd)); pfd.fd = STDOUT_FILENO; for (;;) { - r = sendmsg(STDOUT_FILENO, &mh, 0); + r = sendmsg(STDOUT_FILENO, &msg, 0); if (r == -1) { if (errno == EAGAIN || errno == EINTR) { pfd.events = POLLOUT; @@ -1065,6 +1066,9 @@ fdpass(int nfd) break; } exit(0); +#else + errx(1, "%s: file descriptor passing not supported", __func__); +#endif } /* Deal with RFC 854 WILL/WONT DO/DONT negotiation. */ From stapelberg+openssh at google.com Fri Feb 27 02:07:22 2015 
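Review bot: the isatty(STDOUT_FILENO) guard ("Cannot pass file descriptor to tty") is deleted together with the old bzero() calls, but nothing in the accrights/control portability split requires it to go; keeping it at the top of the supported branch means fdpass() on a terminal still fails cleanly instead of sending a one-byte sendmsg() to the tty. Two smaller points in the same hunk: in the `#else` fallback (`errx(1, "%s: file descriptor passing not supported", __func__);`) the parameter `nfd` is unused, so a `(void)nfd;` before the errx() avoids an unused-parameter warning on the one platform that branch is for; and `msg.msg_accrights = (caddr_t)&nfd;` takes the address of the function parameter, which is fine here because `msg` is reused unchanged across the EAGAIN/EINTR retry loop rather than rebuilt, but worth a comment since the accrights path cannot be exercised on most build hosts.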
From: stapelberg+openssh at google.com (Michael Stapelberg)
Date: Thu, 26 Feb 2015 07:07:22 -0800
Subject: [PATCH] U2F support in OpenSSH
In-Reply-To:
References:
Message-ID:

At this point it should be obvious, but let me state that I don't have motivation/time to spend on this right now, given that upstream shows 0 interest in this at all :(. Hence, any help on this is welcome.

On Sat, Dec 27, 2014 at 1:53 AM, Thomas Habets wrote:
> On 24 December 2014 at 18:57, Michael Stapelberg wrote:
> > In case you're interested, please feel free to try the patch. I'm happy for any feedback. All you need is libu2f-host installed and a clean copy of OpenSSH 6.7p1. Apply the attached patch, delete configure, use autoreconf -i to regenerate it, then run ./configure --with-u2f and compile OpenSSH.
>
> Transferring my notes from the other thread:
>
> 1) PAM doesn't work (--with-pam, then UsePAM yes and ChallengeResponseAuthentication yes)
> Fix: detect loops in ssh2connect:userauth_u2f in some other way, such as a dedicated variable in authctxt. (but also see point 5)
>
> 2) origin doesn't seem to be respected by YubiKeys (if I understand the spec correctly)
> Is AppID a better choice for this reason?
>
> 3) Include paths (probably bug in libu2f-host)
> This is https://github.com/Yubico/libu2f-host/issues/13 that you filed.
>
> 4) What happened to 51?
> MONITOR_REQ_TERM = 50,
> + MONITOR_REQ_READUSERU2FKEY = 52, MONITOR_ANS_READUSERU2FKEY = 53,
>
> 5) Why does registration connect to the server anyway, if the server doesn't keep state and origin is not tied to the server pubkey?
> Indeed, without AuthenticationMethods registration returns the blob before password prompt is shown.
> Registration only makes sense if server writes the key handle to ~/.ssh/authorized_keys, right?
> Hmm, unless authorized_keys is signed by the server, the registration process will never be "online" anyway, as U2F intends, so it may as well be generated on the client and copy-pasted into the server's authorized_keys. Enforced origin (but point 2) should prevent accidentally pasting the same blob to multiple servers).
>
> Tested on:
> Ubuntu Trusty
> OpenSSH 6.7p1
> Yubikey Security key
>
> --
> typedef struct me_s {
>   char name[] = { "Thomas Habets" };
>   char email[] = { "thomas at habets.pp.se" };
>   char kernel[] = { "Linux" };
>   char *pgpKey[] = { "http://www.habets.pp.se/pubkey.txt" };
>   char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
>   char coolcmd[] = { "echo '. ./_&. ./_'>_;. ./_" };
> } me_t;

From peter at stuge.se Fri Feb 27 02:33:26 2015
From: peter at stuge.se (Peter Stuge)
Date: Thu, 26 Feb 2015 16:33:26 +0100
Subject: [PATCH] U2F support in OpenSSH
In-Reply-To:
References:
Message-ID: <20150226153326.14042.qmail@stuge.se>

Michael Stapelberg wrote:
> At this point it should be obvious, but let me state that I don't have motivation/time to spend on this right now, given that upstream shows 0 interest in this at all :(

What do you expect? It's a significant change, a seemingly convoluted specification and there was no discussion with upstream before embarking on the project.

> Hence, any help on this is welcome.

FWIW, if u2f must not be the sole authentication then that should of course be checked by the code.

//Peter

From stapelberg+openssh at google.com Fri Feb 27 02:53:43 2015
From: stapelberg+openssh at google.com (Michael Stapelberg)
Date: Thu, 26 Feb 2015 07:53:43 -0800
Subject: [PATCH] U2F support in OpenSSH
In-Reply-To: <20150226153326.14042.qmail@stuge.se>
References: <20150226153326.14042.qmail@stuge.se>
Message-ID:

On Thu, Feb 26, 2015 at 7:33 AM, Peter Stuge wrote:
> Michael Stapelberg wrote:
> > At this point it should be obvious, but let me state that I don't have motivation/time to spend on this right now, given that upstream shows 0 interest in this at all :(
>
> What do you expect? It's a significant change, a seemingly convoluted specification and there was no discussion with upstream before embarking on the project.

I agree that it's a significant change.

With regards to discussion with upstream: before my first post, I looked for any sort of contributor guidelines on the openssh.org website and couldn't find anything. Without any guidelines to go on, my default approach is to contact upstream by sending a patch, demonstrating the feasibility of what I'm suggesting. If this is not the way OpenSSH works, it's worth documenting that somewhere prominent, so that new contributors are made aware of that. GitHub for example promotes a special file called CONTRIBUTING.md: https://github.com/blog/1184-contributing-guidelines

With regards to what I expect: regardless of how I initially contacted upstream, I still think that not even getting as much as "Oh, I can imagine we would like to eventually merge this, please give me a month to get back to you" from upstream is very discouraging. I also want to point out that I have sent my first initial request for comments on 2014-11-05, which by now is almost 4 months ago. I do understand and acknowledge that we are all busy people with little time, but from what I can tell upstream's opinion might as well be "this will never get in", and then I'd just be wasting my time.

I hope what I just wrote makes some sense (if not, please ask for clarifications!) and doesn't offend any of the project members. I wrote it with the best of intentions, and I really think that the OpenSSH project should improve in such a situation as the one we're talking about.

> > Hence, any help on this is welcome.
>
> FWIW, if u2f must not be the sole authentication then that should of course be checked by the code.
>
> //Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From peter at stuge.se Fri Feb 27 03:20:46 2015
From: peter at stuge.se (Peter Stuge)
Date: Thu, 26 Feb 2015 17:20:46 +0100
Subject: [PATCH] U2F support in OpenSSH
In-Reply-To:
References: <20150226153326.14042.qmail@stuge.se>
Message-ID: <20150226162046.17911.qmail@stuge.se>

Michael Stapelberg wrote:
> With regards to discussion with upstream: before my first post, I looked for any sort of contributor guidelines on the openssh.org website and couldn't find anything. Without any guidelines to go on, my default approach is to contact upstream by sending a patch, demonstrating the feasibility of what I'm suggesting.

I'd like to suggest that you consider a different default approach for the future: Communicate with people before investing time in code. That way you will get to know the project and the project will get to know you.

> With regards to what I expect: regardless of how I initially contacted upstream, I still think that not even getting as much as "Oh, I can imagine we would like to eventually merge this, please give me a month to get back to you" from upstream is very discouraging.

Sorry, but there are literally no promises. (See the license, right.)

You can't expect that anyone has time to react to a patch, there is a universal shortage of developers, and everyone will have priorities different to yours. :)

Something like u2f might take years or a decade rather than months. Be patient.

You can of course help free time within the project by observing what needs doing and then digging in with significant contributions there.

> from what I can tell upstream's opinion might as well be "this will never get in", and then I'd just be wasting my time.

Speculation. You (and I) can't tell, there is no expressed opinion.

> I hope what I just wrote makes some sense (if not, please ask for clarifications!) and doesn't offend any of the project members.

FWIW I don't think anyone is offended, but reality in this project is that random new changes can need a long time.

The best thing to do with your patch right now might be to attach it to a bugzilla bug (if you haven't already) so that it doesn't get lost in the endless sea of email.

> really think that the OpenSSH project should improve in such a situation as the one we're talking about.

That happens if and when someone makes it happen. I actually prefer developers to keep developing. It's a tricky question.

Kind regards

//Peter

From djm at mindrot.org Fri Feb 27 03:44:00 2015
From: djm at mindrot.org (Damien Miller)
Date: Fri, 27 Feb 2015 03:44:00 +1100 (AEDT)
Subject: [PATCH] U2F support in OpenSSH
In-Reply-To:
References:
Message-ID:

On Thu, 26 Feb 2015, Michael Stapelberg wrote:
> At this point it should be obvious, but let me state that I don't have motivation/time to spend on this right now, given that upstream shows 0 interest in this at all :(.

That's not how I recall it. When you approached me last year, I told you then that I wouldn't have time to properly look at it for months - I have limited time to work on OpenSSH so I have to choose my priorities carefully. A new authentication mode for a nascent hardware standard unfortunately had to take a back seat to a big refactoring that has been almost-finished for two years.

When you posted your patches to bugzilla, it took a while for you to come up with a protocol spec to review which really should have been the starting point before diving in to write code.

Now it's great that the protocol spec is there to look at, but it still requires more familiarity with the rest of U2F than I have at present. The code as it stands also AFAIK requires an incompatibly-licensed helper library. Neither of these problems are insurmountable, but they do make it harder to start.

-d

From stapelberg+openssh at google.com Fri Feb 27 03:55:58 2015
From: stapelberg+openssh at google.com (Michael Stapelberg)
Date: Thu, 26 Feb 2015 08:55:58 -0800
Subject: [PATCH] U2F support in OpenSSH
In-Reply-To:
References:
Message-ID:

On Thu, Feb 26, 2015 at 8:44 AM, Damien Miller wrote:
> On Thu, 26 Feb 2015, Michael Stapelberg wrote:
> > At this point it should be obvious, but let me state that I don't have motivation/time to spend on this right now, given that upstream shows 0 interest in this at all :(.
>
> That's not how I recall it. When you approached me last year, I told you then that I wouldn't have time to properly look at it for months -

This didn't come across well, but it could be that I just misunderstood what you were saying.

> I have limited time to work on OpenSSH so I have to choose my priorities carefully. A new authentication mode for a nascent hardware standard unfortunately had to take a back seat to a big refactoring that has been almost-finished for two years.

That's definitely fair.

> When you posted your patches to bugzilla, it took a while for you to come up with a protocol spec to review which really should have been the starting point before diving in to write code.

Different people have different approaches :).

> Now it's great that the protocol spec is there to look at, but it still requires more familiarity with the rest of U2F than I have at present. The code as it stands also AFAIK requires an incompatibly-licensed helper library. Neither of these problems are insurmountable, but they do make it harder to start.

Agreed. I want to point out that you still haven't clarified the (to me) crucial question, so let me ask you directly:

Do you think, right now, based only on the information you have so far, that you'll eventually merge a patch adding U2F to OpenSSH? It's okay to reverse your decision later and I'm not taking this as a promise, but what I do want to know is the upstream sentiment, i.e. if you're rather adverse to having U2F support in OpenSSH at all.

From djm at mindrot.org Fri Feb 27 05:57:08 2015
From: djm at mindrot.org (Damien Miller)
Date: Fri, 27 Feb 2015 05:57:08 +1100 (AEDT)
Subject: [PATCH] U2F support in OpenSSH
In-Reply-To:
References:
Message-ID:

On Thu, 26 Feb 2015, Michael Stapelberg wrote:
> > Now it's great that the protocol spec is there to look at, but it still requires more familiarity with the rest of U2F than I have at present. The code as it stands also AFAIK requires an incompatibly-licensed helper library. Neither of these problems are insurmountable, but they do make it harder to start.
>
> Agreed. I want to point out that you still haven't clarified the (to me) crucial question, so let me ask you directly:
>
> Do you think, right now, based only on the information you have so far, that you'll eventually merge a patch adding U2F to OpenSSH? It's okay to reverse your decision later and I'm not taking this as a promise, but what I do want to know is the upstream sentiment, i.e. if you're rather adverse to having U2F support in OpenSSH at all.

I'm not opposed to it, but U2F is pretty new and I'd probably like to see how it pans out for a bit first, both in terms of changes made to the upstream protocol and in how widely adopted it becomes.

New auth/crypto protocols frequently get revised after some contact with the wider world so there is a cost for early adopters who frequently have to maintain both revised and legacy versions.

New protocols also often fail in the market (admittedly less likely in this case, given the industry support), in which case we're doubly burdened with the hassle of implementing/merging as well as maintaining or pissing off users if we deprecate.

On the flip side, if there is wide adoption and consequent demand then that can certainly focus my attention :)

Of course, I'm speaking only for myself and my own priorities. One of the other developers might feel differently.

-d

From openssh at roumenpetrov.info Fri Feb 27 07:14:18 2015
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Thu, 26 Feb 2015 22:14:18 +0200
Subject: Current 6.8 git build issues on HP-UX
In-Reply-To:
References:
Message-ID: <54EF7E9A.3050908@roumenpetrov.info>

Darren Tucker wrote:
> On Tue, Feb 24, 2015 at 7:37 PM, Tim Rice wrote:
>> | does replacing "inline" with "__inline__" work? Failing that, removing inline entirely?
>>
>> I just changed __inline__ to inline so we don't want to go that direction.
>
> yeah but if it worked we could have done #ifdef whatever #define __inline__ inline ... so they both worked
>
>> We already use "static inline void" in openbsd-compat/arc4random.c.
>> Puzzling.
>
> Now that's weird. Also "static inline int" in sshbuf.c and addrmatch.c.
>
> Oh! The ones that work #include "includes.h" and cipher-aesctr.c doesn't. "inline" must be defined in the headers somewhere (the system ones, it's not in ours).

AC_C_INLINE is the configure macro that deals with inline. Then ensure that config.h is included into C code. Indirectly it is from "includes.h".

Regards,
Roumen

--
Get SSH with X.509 certificate support
http://roumenpetrov.info/openssh/

From tgc at jupiterrise.com Fri Feb 27 07:33:34 2015
From: tgc at jupiterrise.com (Tom G. Christensen)
Date: Thu, 26 Feb 2015 21:33:34 +0100
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References: <54EB7DCE.5080708@jupiterrise.com> <54EB9A20.4080102@jupiterrise.com> <54ECAA54.7020504@jupiterrise.com> <54EE44EF.7050803@jupiterrise.com>
Message-ID: <54EF831E.6010201@jupiterrise.com>

On 26/02/15 01:27, Damien Miller wrote:
> On Thu, 26 Feb 2015, Damien Miller wrote:
>>> Yes I saw that later.
>>>
>>> The testsuite build fails on Solaris 2.6 thusly:
>> [...]
>>> regress/netcat.c:1037: error: 'struct msghdr' has no member named 'msg_control'
>>
>> ah, looks like we need to copy some bits from monitor_fdpass.c
>
> Perhaps like this:

Seems to work. Tested it with Solaris 2.6 and 9.

ssh-keygen still segfaults in keygen-change.sh.
It works for ssh-ed25519 but the other types segfault.

ssh-keygen -p failed for ssh-rsa-key
ssh-keygen -p failed for ssh-dss-key
ssh-keygen -p failed for ecdsa-sha2-nistp256-key
ssh-keygen -p failed for ecdsa-sha2-nistp384-key
ssh-keygen -p failed for ecdsa-sha2-nistp521-key

Example:

Core was generated by `/export/home/tgc/buildpkg/openssh/src/openssh-git/ssh-keygen -p -P secret1 -N 2'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0xfedb4b14 in strlen () from /usr/lib/libc.so.1
(gdb) bt
#0  0xfedb4b14 in strlen () from /usr/lib/libc.so.1
#1  0xfee07a20 in _doprnt () from /usr/lib/libc.so.1
#2  0xfee095e0 in printf () from /usr/lib/libc.so.1
#3  0x00054650 in do_change_passphrase (pw=pw at entry=0x92b04) at ssh-keygen.c:1279
#4  0x000593c0 in main (argc=0, argv=0xffbfe6ac) at ssh-keygen.c:2530
(gdb) fram 3
#3  0x00054650 in do_change_passphrase (pw=pw at entry=0x92b04) at ssh-keygen.c:1279
1279        printf("Key has comment '%s'\n", comment);
(gdb) print comment
$1 = 0x0
(gdb)

$ ./ssh-keygen -q -N secret1 -t ssh-rsa -f /tmp/sshkey
$ ./ssh-keygen -p -P secret1 -N 2secret -f /tmp/sshkey
Segmentation Fault (core dumped)
$

The key seems to be fine though, ssh-keygen from 6.7p1 has no problems with it:

$ ssh-keygen -p -P secret1 -N 2secret -f /tmp/sshkey
Key has comment 'rsa w/o comment'
Your identification has been saved with the new passphrase.
$

-tgc

From djm at mindrot.org Fri Feb 27 07:47:38 2015
From: djm at mindrot.org (Damien Miller)
Date: Fri, 27 Feb 2015 07:47:38 +1100 (AEDT)
Subject: Call for testing: OpenSSH 6.8
In-Reply-To: <54EF831E.6010201@jupiterrise.com>
References: <54EB7DCE.5080708@jupiterrise.com> <54EB9A20.4080102@jupiterrise.com> <54ECAA54.7020504@jupiterrise.com> <54EE44EF.7050803@jupiterrise.com> <54EF831E.6010201@jupiterrise.com>
Message-ID:

On Thu, 26 Feb 2015, Tom G. Christensen wrote:
> Seems to work. Tested it with Solaris 2.6 and 9.
>
> ssh-keygen still segfaults in keygen-change.sh.
> It works for ssh-ed25519 but the other types segfault.

Thanks for the backtrace:

> #3 0x00054650 in do_change_passphrase (pw=pw at entry=0x92b04) at ssh-keygen.c:1279

I've committed this fix:

diff --git ssh-keygen.c ssh-keygen.c index 4a5c402..facee42 100644 --- ssh-keygen.c +++ ssh-keygen.c
@@ -1276,7 +1276,8 @@ do_change_passphrase(struct passwd *pw) identity_file, ssh_err(r)); exit(1); } - printf("Key has comment '%s'\n", comment); + if (comment) + printf("Key has comment '%s'\n", comment); /* Ask the new passphrase (twice). */ if (identity_new_passphrase) { From openssh at contactdaniel.net Fri Feb 27 08:21:31 2015 
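Review bot: the `if (comment)` guard is the right minimal fix, since passing a NULL pointer to a `%s` conversion is undefined behaviour that Solaris libc turns into the strlen() crash in the backtrace while glibc happens to print "(null)", which is why it only surfaced on Solaris. The report that ssh-ed25519 keys work and the RSA/DSA/ECDSA ones crash implies the private-key loader returns a NULL comment for the other key formats; a follow-up that makes the loader hand back an empty string instead of NULL would protect every other place `comment` is printed without needing the same guard repeated, and is worth a note in the commit message so the guard is not later mistaken for the root-cause fix.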
From: openssh at contactdaniel.net (Daniel Dent) Date: Thu, 26 Feb 2015 13:21:31 -0800 Subject: [PATCH] U2F support in OpenSSH In-Reply-To: References: Message-ID: <985E9A46-2EAF-4BC5-A7E8-B2EC3ECC1833@contactdaniel.net> > On Feb 26, 2015, at 10:57 AM, Damien Miller wrote: > On Thu, 26 Feb 2015, Michael Stapelberg wrote: >> >> Do you think, right now, based only on the information you have so >> far, that you?ll eventually merge a patch adding U2F to OpenSSH? It?s >> okay to reverse your decision later and I?m not taking this as a >> promise, but what I do want to know is the upstream sentimen, i.e. if >> you?re rather adverse to having U2F support in OpenSSH at all. > > I'm not opposed to it, but U2F is pretty new and I'd probably like to > see how it pans out for a bit first, both in terms of changes made to > the upstream protocol and in how widely adopted it becomes. Michael, I've read through the draft and published versions of the U2F spec and I think there are lots of things to figure out. The U2F standards really only describe integration with websites and mobile applications. I think the following mental mappings from the standard may be appropriate: * Relying Party: The OpenSSH Server * U2F Client: The OpenSSH Client * Origin: A specific SSH server * Registration step: Provides data similar in nature to the public portions of key files which are placed in authorized_keys files. To ease the creation of inexpensive authentication U2F devices, the relying party is responsible for storing this data and providing it during the authentication process. This allows nearly stateless authentication dongles. * Authentication step: Provides evidence of possession of the same device which was used during the registration step. * Application ID: This is where things get messy. Applications can have multiple "facets". 
  For example, paypal.com and the PayPal Android/iOS application can both share an application ID, allowing a single enrolment to be re-used for each of these facets of the application. In earlier drafts of the U2F spec, it was proposed that "paypal.com" and "ebay-payments.com" could choose to share an application ID. In the final draft, the rules around which websites may share a single application ID appear to have been tightened. I believe the intention is to improve user privacy (although I'm unclear why mobile applications get an exemption from these concerns).

Unlike Kerberos/GSS, U2F is designed so that one or more users can use the same device with multiple applications while having a distinct identity with each application. That promise relies on the U2F Client (the OpenSSH server) following certain constraints which protect the user.

Origins must only be allowed to request authentication for the application ID with which they are associated. One simple implementation would be to simply have an SSH configuration option specifying which application ID to use. In the web implementation of U2F there is a list of acceptable facets for an application which is provided at a public HTTPS URL with restrictions designed to allow anonymous access of that URL (no per-user personalization of that URL is allowed). OpenSSH config options could specify how to retrieve the facet list from a file and/or URL (perhaps with a caching mechanism). Facets could be considered as server fingerprints, IP/Port pairs, etc.

U2F also has group device attestation certificates (the same public/private keypair is supposed to be used for an entire manufacturing run). The process for choosing which U2F device manufacturers have a design which adequately protects private keys is a concern which is currently left to implementers. In any event, there needs to be a way to specify which certificates are acceptable (or simply allow users to use any device).
I was not involved in the U2F standardization process so the above is just my personal interpretation of the documents that have been published. I'm excited at the prospect of U2F authentication for SSH and would be happy to offer additional feedback if it would be helpful.

Regards,
Daniel

---
Daniel Dent
https://www.danieldent.com/
https://twitter.com/DanielDent
https://www.linkedin.com/in/danieldent

From dtucker at zip.com.au Fri Feb 27 08:27:18 2015
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 26 Feb 2015 16:27:18 -0500
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

I noticed this error log spam on the tinderbox when looking at one of the failures. It happens when Unix domain socket forwarding is requested:

    debug1: channel 1: new [forwarded-streamlocal at openssh.com]
    get_socket_address: getnameinfo 1 failed: ai_family not supported
    get_sock_port: getnameinfo NI_NUMERICSERV failed: ai_family not supported

I don't think it's contributing to the problem I'm looking at, but I imagine it'd be pretty annoying for anyone who uses socket forwarding in anger. I haven't had time to look at what could reasonably be done to mitigate it.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From openssh at contactdaniel.net Fri Feb 27 08:25:34 2015
From: openssh at contactdaniel.net (Daniel Dent)
Date: Thu, 26 Feb 2015 13:25:34 -0800
Subject: [PATCH] U2F support in OpenSSH
In-Reply-To: <985E9A46-2EAF-4BC5-A7E8-B2EC3ECC1833@contactdaniel.net>
References: <985E9A46-2EAF-4BC5-A7E8-B2EC3ECC1833@contactdaniel.net>
Message-ID: <31150953-08AD-48A3-8E93-4DBB6B738455@contactdaniel.net>

> On Feb 26, 2015, at 1:21 PM, Daniel Dent wrote:
> Unlike Kerberos/GSS, U2F is designed so that one or more users can use the same device with multiple applications while having a distinct identity with each application. That promise relies on the U2F Client (the OpenSSH server) following certain constraints which protect the user.

Sorry that should have read "OpenSSH Client".

---
Daniel Dent
https://www.danieldent.com/
https://twitter.com/DanielDent
https://www.linkedin.com/in/danieldent

From djm at mindrot.org Fri Feb 27 08:34:41 2015
From: djm at mindrot.org (Damien Miller)
Date: Fri, 27 Feb 2015 08:34:41 +1100 (AEDT)
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

On Thu, 26 Feb 2015, Darren Tucker wrote:

> I noticed this error log spam on the tinderbox when looking at one of the
> failures. It happens when Unix domain socket forwarding is requested:
>
> debug1: channel 1: new [forwarded-streamlocal at openssh.com]
> get_socket_address: getnameinfo 1 failed: ai_family not supported
> get_sock_port: getnameinfo NI_NUMERICSERV failed: ai_family not supported

That's strange, because we do:

    if (addr.ss_family == AF_UNIX) {
        /* Get the Unix domain socket path. */
        return xstrdup(((struct sockaddr_un *)&addr)->sun_path);
    }

so AF_UNIX should never get to getnameinfo...

From tgc at jupiterrise.com Fri Feb 27 08:37:10 2015
From: tgc at jupiterrise.com (Tom G. Christensen)
Date: Thu, 26 Feb 2015 22:37:10 +0100
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References: <54EB7DCE.5080708@jupiterrise.com> <54EB9A20.4080102@jupiterrise.com> <54ECAA54.7020504@jupiterrise.com> <54EE44EF.7050803@jupiterrise.com> <54EF831E.6010201@jupiterrise.com>
Message-ID: <54EF9206.4050503@jupiterrise.com>

On 26/02/15 21:47, Damien Miller wrote:
> On Thu, 26 Feb 2015, Tom G. Christensen wrote:
>> ssh-keygen still segfaults in keygen-change.sh.
>> It works for ssh-ed25519 but the other types segfault.
>
> Thanks for the backtrace:
>
>> #3 0x00054650 in do_change_passphrase (pw=pw at entry=0x92b04) at
>> ssh-keygen.c:1279
>
> I've committed this fix:
>

Thanks, keygen-change.sh now passes.

-tgc

From djm at mindrot.org Fri Feb 27 10:08:07 2015
From: djm at mindrot.org (Damien Miller)
Date: Fri, 27 Feb 2015 10:08:07 +1100 (AEDT)
Subject: valgrind support
Message-ID:

Hi,

I just pushed valgrind support for the regression and unit tests. If you run "make tests USE_VALGRIND=1" then almost all the tests will be run under valgrind. The valgrind output is dumped in regress/valgrind-out with a file per { test, binary, PID }. There is no analysis or summarisation yet (want to help? write a summarisation script)

Some warnings:

First, it's slow. My relatively recent laptop takes a couple of hours to complete a test run.

Second, and related to the first, any test that is borderline flaky because of timeout sensitivity will be more broken with valgrind enabled.

Thirdly, there are some (AFAIK) small memory leaks. Many of these seem to be things allocated in main() that we don't bother to clean up (though maybe we will in the future). If you spot something 1) not allocated in main() and 2) that isn't expected to be needed for the life of the process then let us know - these are more important and we'll try to fix them sooner.

Fourthly, if you are running on a CPU for which OpenSSL enables AES-NI then expect a gazillion spurious memory fault errors. The gory details of this are documented here[1], but TLDR you can avoid the spam by telling OpenSSL not to use AES-NI:

    OPENSSL_ia32cap="~0x200000000000000" make tests USE_VALGRIND=1

Finally, and most importantly: if you see any valgrind errors about use of uninitialised memory, use-after-free or other memory faults then please tell us and we'll fix them immediately.

Either way, if your OS is supported by valgrind then please give it a try and report back.

-d

[1] http://rt.openssl.org/Ticket/Display.html?id=2862&user=guest&pass=guest

From dtucker at zip.com.au Fri Feb 27 11:37:43 2015
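The summarisation script Damien asks for above is not on this page; what follows is an added example, not OpenSSH's code, written in C so it builds with the same toolchain the tests already need. It assumes valgrind's Memcheck text format (every line prefixed "==PID== ", a "LEAK SUMMARY:" block and a final "ERROR SUMMARY:" line, with thousands separators in large numbers) and the directory layout described in the post (one file per {test, binary, PID} under regress/valgrind-out). The function names, SAMPLE_LOG and the log text itself are constructed for the example.

```c
/* Added example, not OpenSSH's code: summarise the per-{test, binary, PID}
 * valgrind logs that "make tests USE_VALGRIND=1" writes to
 * regress/valgrind-out. Assumes valgrind's Memcheck text output format. */
#define _POSIX_C_SOURCE 200112L	/* opendir()/readdir() under -std=c99 */
#include <dirent.h>
#include <stdio.h>
#include <string.h>

struct vg_summary {
	long errors, contexts;	/* "ERROR SUMMARY: N errors from M contexts" */
	long definitely_lost;	/* bytes, from the "LEAK SUMMARY:" block */
	int saw_summary;	/* 0 if the log ended without an ERROR SUMMARY */
};

/* Read a decimal number, tolerating valgrind's thousands separators
 * ("1,024"). Returns characters consumed, 0 if p does not start a digit. */
static int read_num(const char *p, long *out)
{
	long v = 0;
	int n = 0;

	while (p[n] >= '0' && p[n] <= '9') {
		v = v * 10 + (p[n] - '0');
		n++;
		if (p[n] == ',' && p[n + 1] >= '0' && p[n + 1] <= '9')
			n++;
	}
	*out = v;
	return n;
}

/* Update s from one "==PID== ..." line. */
static void parse_line(const char *line, struct vg_summary *s)
{
	const char *p;
	long a, b;
	int n;

	if ((p = strstr(line, "ERROR SUMMARY: ")) != NULL) {
		p += strlen("ERROR SUMMARY: ");
		if ((n = read_num(p, &a)) > 0 &&
		    (p = strstr(p + n, " errors from ")) != NULL &&
		    read_num(p + strlen(" errors from "), &b) > 0) {
			s->errors = a;
			s->contexts = b;
			s->saw_summary = 1;
		}
	} else if ((p = strstr(line, "definitely lost: ")) != NULL) {
		/* the colon form occurs only in the LEAK SUMMARY block */
		if (read_num(p + strlen("definitely lost: "), &a) > 0)
			s->definitely_lost = a;
	}
}

/* Parse a whole log held in memory; returns 0, or -1 if it has no summary. */
int parse_valgrind_log(const char *text, struct vg_summary *s)
{
	char line[512];

	memset(s, 0, sizeof(*s));
	while (*text != '\0') {
		const char *nl = strchr(text, '\n');
		size_t full = nl ? (size_t)(nl - text) : strlen(text);
		size_t keep = full < sizeof(line) ? full : sizeof(line) - 1;

		memcpy(line, text, keep);
		line[keep] = '\0';
		parse_line(line, s);
		text += full + (nl ? 1 : 0);
	}
	return s->saw_summary ? 0 : -1;
}

/* which: 0 = errors, 1 = contexts, 2 = definitely-lost bytes; -1 if the
 * log has no ERROR SUMMARY line at all. */
long log_stat(const char *text, int which)
{
	struct vg_summary s;

	if (parse_valgrind_log(text, &s) != 0)
		return -1;
	return which == 0 ? s.errors : which == 1 ? s.contexts :
	    s.definitely_lost;
}

/* Print one line per log in dir. Returns how many logs had errors, definite
 * leaks or no summary at all (e.g. a process killed by a test timeout);
 * -1 if dir cannot be opened. */
int summarise_dir(const char *dir)
{
	DIR *d = opendir(dir);
	struct dirent *e;
	int flagged = 0;

	if (d == NULL)
		return -1;
	while ((e = readdir(d)) != NULL) {
		char path[1024], line[512];
		struct vg_summary s = { 0 };
		FILE *f;

		if (e->d_name[0] == '.')
			continue;
		snprintf(path, sizeof(path), "%s/%s", dir, e->d_name);
		if ((f = fopen(path, "r")) == NULL)
			continue;
		while (fgets(line, sizeof(line), f) != NULL)
			parse_line(line, &s);
		fclose(f);
		if (!s.saw_summary)
			printf("%-40s no ERROR SUMMARY (killed?)\n", e->d_name);
		else
			printf("%-40s errors=%ld contexts=%ld definitely_lost=%ld\n",
			    e->d_name, s.errors, s.contexts, s.definitely_lost);
		if (!s.saw_summary || s.errors > 0 || s.definitely_lost > 0)
			flagged++;
	}
	closedir(d);
	return flagged;
}

/* Constructed sample in valgrind's format (not real tinderbox output). */
const char *SAMPLE_LOG =
    "==24891== Memcheck, a memory error detector\n"
    "==24891== Command: ./test_sshbuf\n"
    "==24891== Conditional jump or move depends on uninitialised value(s)\n"
    "==24891== LEAK SUMMARY:\n"
    "==24891==    definitely lost: 1,024 bytes in 3 blocks\n"
    "==24891==    indirectly lost: 0 bytes in 0 blocks\n"
    "==24891== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)\n";
```

Calling summarise_dir("regress/valgrind-out") after a test run prints one line per log and returns the number of logs worth a closer look; a log with no ERROR SUMMARY line is counted too, because a process that never reached exit is exactly the kind of timeout-sensitive failure the post warns about.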
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 26 Feb 2015 19:37:43 -0500
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

On Thu, Feb 26, 2015 at 4:34 PM, Damien Miller wrote:
>
> On Thu, 26 Feb 2015, Darren Tucker wrote:
>
> > I noticed this error log spam on the tinderbox when looking at one of the
> > failures. It happens when Unix domain socket forwarding is requested:
> >
> > debug1: channel 1: new [forwarded-streamlocal at openssh.com]
> > get_socket_address: getnameinfo 1 failed: ai_family not supported
> > get_sock_port: getnameinfo NI_NUMERICSERV failed: ai_family not supported
>
> That's strange, because we do:
>
> if (addr.ss_family == AF_UNIX) {
> /* Get the Unix domain socket path. */
> return xstrdup(((struct sockaddr_un *)&addr)->sun_path);
> }
>
> so AF_UNIX should never get to getnameinfo...
>

I added an error() call just before that check and here's what it gave:

    debug1: channel 1: new [forwarded-streamlocal at openssh.com]^M
    DAZ: fd 10 ss_family 1 expect AF_UNIX 1^M
    DAZ: fd 10 ss_family 0 expect AF_UNIX 1^M
    get_socket_address: getnameinfo 1 failed: ai_family not supported^M
    get_sock_port: getnameinfo NI_NUMERICSERV failed: ai_family not supported^M

looks like something is clearing ss_family?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From djm at mindrot.org Fri Feb 27 11:46:23 2015
From: djm at mindrot.org (Damien Miller)
Date: Fri, 27 Feb 2015 11:46:23 +1100 (AEDT)
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

On Thu, 26 Feb 2015, Darren Tucker wrote:

> I added an error() call just before that check and here's what it gave:
>
> debug1: channel 1: new [forwarded-streamlocal at openssh.com]^M
> DAZ: fd 10 ss_family 1 expect AF_UNIX 1^M
> DAZ: fd 10 ss_family 0 expect AF_UNIX 1^M
> get_socket_address: getnameinfo 1 failed: ai_family not supported^M
> get_sock_port: getnameinfo NI_NUMERICSERV failed: ai_family not supported^M
>
> looks like something is clearing ss_family?

Could these be closed sockets? (Though I couldn't see how getsockname/getpeername could succeed in this case).

Otherwise, is ipv64_normalise_mapped screwing it up?

From dtucker at zip.com.au Fri Feb 27 12:00:22 2015
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 26 Feb 2015 20:00:22 -0500
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

On Thu, Feb 26, 2015 at 7:46 PM, Damien Miller wrote:
> On Thu, 26 Feb 2015, Darren Tucker wrote:
>
> > I added an error() call just before that check and here's what it gave:
> >
> > debug1: channel 1: new [forwarded-streamlocal at openssh.com]^M
> > DAZ: fd 10 ss_family 1 expect AF_UNIX 1^M
> > DAZ: fd 10 ss_family 0 expect AF_UNIX 1^M
> > get_socket_address: getnameinfo 1 failed: ai_family not supported^M
> > get_sock_port: getnameinfo NI_NUMERICSERV failed: ai_family not
> supported^M
> >
> > looks like something is clearing ss_family?
>
> Could these be closed sockets? (Though I couldn't see how getsockname/
> getpeername could succeed in this case).
>

possibly, although I don't understand why it gets called twice

> Otherwise, is ipv64_normalise_mapped screwing it up?
>

I think we can rule that out: it returns early for non-ipv6 sockets and if that was the reason it would have shown up in the log:

    if (addr->ss_family != AF_INET6 ||
        !IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr))
            return;

    debug3("Normalising mapped IPv4 in IPv6 address");

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From carson at taltos.org Fri Feb 27 12:31:26 2015
From: carson at taltos.org (Carson Gaspar)
Date: Thu, 26 Feb 2015 17:31:26 -0800
Subject: valgrind support
In-Reply-To:
References:
Message-ID: <54EFC8EE.7010500@taltos.org>

    valgrind: can't create log file '/export/data/build/openssh-git/regress//valgrind-out/test_sshbuf.24891': No such file or directory

Manually creating the directory allows the tests to move forward.

From carson at taltos.org Fri Feb 27 12:29:33 2015
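The following is an added example, not OpenSSH's code, that walks through the address-formatting logic the Darren/Damien exchange above is debugging: the AF_UNIX branch is taken before getnameinfo() is ever called, an address family getnameinfo() cannot handle (including ss_family == 0, the value Darren's trace shows) is rejected up front instead of producing the "ai_family not supported" log line, and an IPv4-mapped IPv6 address is rewritten to AF_INET first, in the spirit of the ipv64_normalise_mapped excerpt Darren quotes. The names sockaddr_to_string(), normalise_mapped() and run_demo_cases() are hypothetical, and the addresses are constructed in memory so no socket is opened.

```c
/* Added example, not OpenSSH's code: format a socket address, taking the
 * AF_UNIX branch before getnameinfo() and normalising IPv4-mapped IPv6
 * addresses first, as in the two excerpts quoted in this thread. */
#define _POSIX_C_SOURCE 200112L	/* getnameinfo() and friends under -std=c99 */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper modelled on the ipv64_normalise_mapped excerpt:
 * rewrite ::ffff:a.b.c.d in place as a plain AF_INET sockaddr. */
static void normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
{
	struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)addr;
	struct sockaddr_in a4;

	if (addr->ss_family != AF_INET6 || !IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr))
		return;
	memset(&a4, 0, sizeof(a4));
	a4.sin_family = AF_INET;
	a4.sin_port = a6->sin6_port;
	/* the IPv4 address is the low 32 bits of the mapped address */
	memcpy(&a4.sin_addr, &a6->sin6_addr.s6_addr[12], sizeof(a4.sin_addr));
	memset(addr, 0, sizeof(*addr));
	memcpy(addr, &a4, sizeof(a4));
	*len = sizeof(a4);
}

/* Returns 0 and fills out on success; -1 for a family getnameinfo() cannot
 * handle (AF_UNSPEC, i.e. ss_family 0 as in Darren's trace, included), so
 * the "ai_family not supported" error never reaches the log. */
int sockaddr_to_string(const struct sockaddr_storage *in, socklen_t inlen,
    char *out, size_t outlen)
{
	struct sockaddr_storage addr = *in;
	socklen_t len = inlen;

	if (addr.ss_family == AF_UNIX) {
		/* Unix domain socket: the address is the path */
		snprintf(out, outlen, "%s",
		    ((struct sockaddr_un *)&addr)->sun_path);
		return 0;
	}
	if (addr.ss_family != AF_INET && addr.ss_family != AF_INET6) {
		snprintf(out, outlen, "<unsupported family %d>",
		    (int)addr.ss_family);
		return -1;
	}
	normalise_mapped(&addr, &len);
	if (getnameinfo((struct sockaddr *)&addr, len, out, outlen,
	    NULL, 0, NI_NUMERICHOST) != 0) {
		snprintf(out, outlen, "<getnameinfo failed>");
		return -1;
	}
	return 0;
}

/* Constructed addresses (no real sockets). Returns how many of the four
 * cases produced the expected result. */
int run_demo_cases(void)
{
	struct sockaddr_storage ss;
	struct sockaddr_un *un = (struct sockaddr_un *)&ss;
	struct sockaddr_in *a4 = (struct sockaddr_in *)&ss;
	struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)&ss;
	char buf[128];
	int ok = 0;

	memset(&ss, 0, sizeof(ss));
	un->sun_family = AF_UNIX;
	snprintf(un->sun_path, sizeof(un->sun_path), "/tmp/demo.sock");
	ok += sockaddr_to_string(&ss, sizeof(*un), buf, sizeof(buf)) == 0 &&
	    strcmp(buf, "/tmp/demo.sock") == 0;

	memset(&ss, 0, sizeof(ss));
	a4->sin_family = AF_INET;
	inet_pton(AF_INET, "127.0.0.1", &a4->sin_addr);
	ok += sockaddr_to_string(&ss, sizeof(*a4), buf, sizeof(buf)) == 0 &&
	    strcmp(buf, "127.0.0.1") == 0;

	memset(&ss, 0, sizeof(ss));
	a6->sin6_family = AF_INET6;
	inet_pton(AF_INET6, "::ffff:10.1.2.3", &a6->sin6_addr);
	ok += sockaddr_to_string(&ss, sizeof(*a6), buf, sizeof(buf)) == 0 &&
	    strcmp(buf, "10.1.2.3") == 0;

	memset(&ss, 0, sizeof(ss));	/* ss_family == 0, as in the trace */
	ok += sockaddr_to_string(&ss, sizeof(ss), buf, sizeof(buf)) == -1;
	return ok;
}

int main(void)
{
	printf("%d of 4 cases behaved as expected\n", run_demo_cases());
	return 0;
}
```

The fourth case is the interesting one for this thread: whatever is zeroing ss_family, a formatter that checks the family before calling getnameinfo() reports the problem once, in a message that names the bad family, rather than logging two "ai_family not supported" lines per forwarded channel.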
From: carson at taltos.org (Carson Gaspar)
Date: Thu, 26 Feb 2015 17:29:33 -0800
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID: <54EFC87D.3040000@taltos.org>

I see some issues on Solaris 11.2 (fresh git pull from master, commit bd58853102cee739f0e115e6d4b5334332ab1442):

First, linking fails as the system version of OpenSSL does not have EC_KEY_free (it's oddly only in the FIPS version...):

    cc -m64 -xO5 -xtarget=ivybridge -xarch=sse4_2 -xarch=avx_i -xarch=aes -I. -I. -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c kex.c -o kex.o
    "kex.c", line 98: warning: initializer will be sign-extended: -1
    "kex.c", line 436: warning: implicit function declaration: EC_KEY_free
    ...
    cc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o roaming_client.o -L. -Lopenbsd-compat/ -m64 -xO5 -xtarget=ivybridge -xarch=sse4_2 -xarch=avx_i -xarch=aes -lssh -lopenbsd-compat -lresolv -lcrypto -lz -lsocket -lnsl
    ld: warning: symbol 'umac_ctx' has differing sizes: (file ./libssh.a(umac.o) value=0x5f8; file ./libssh.a(umac128.o) value=0x690); ./libssh.a(umac128.o) definition taken
    Undefined                       first referenced
     symbol                             in file
    EC_KEY_free                         ./libssh.a(kex.o)

If I force the usage of a clean openssl-1.0.1k, it builds, but I still see:

    ld: warning: symbol 'umac_ctx' has differing sizes: (file ./libssh.a(umac.o) value=0x5f8; file ./libssh.a(umac128.o) value=0x690); ./libssh.a(umac128.o) definition taken

which worries me...

Forcing netcat.c to compile by adding -D_XPG4_2 -D__EXTENSIONS__ (as it seems the msghdr fixes haven't been committed yet) allows the tests to run.
All tests pass except for hostkey-rotate, which triggers grep errors: run test hostkey-rotate.sh ... learn hostkey with StrictHostKeyChecking=no learn additional hostkeys learn additional hostkeys, type=ssh-ed25519 learn additional hostkeys, type=ssh-rsa learn additional hostkeys, type=ssh-dss learn additional hostkeys, type=ecdsa-sha2-nistp256 learn additional hostkeys, type=ecdsa-sha2-nistp384 learn additional hostkeys, type=ecdsa-sha2-nistp521 learn changed non-primary hostkey learn new primary hostkey grep: RE error 41: No remembered search string. current key missing grep: RE error 41: No remembered search string. new key missing rotate primary hostkey check rotate primary hostkey failed hostkey rotate gmake[1]: *** [t-exec] Error 1 Forcing GNU grep first in PATH allows it to succeed. Switching to the Solaris fgrep also allows it to succeed. diff --git a/regress/hostkey-rotate.sh b/regress/hostkey-rotate.sh index d964b35..10ea1e9 100644 --- a/regress/hostkey-rotate.sh +++ b/regress/hostkey-rotate.sh @@ -42,7 +42,7 @@ check_key_present() { test "x$_kfile" = "x" && _kfile="$OBJ/hkr.${_type}.pub" _ktext=`awk "/ $_type / { $_prog }" < $OBJ/known_hosts` || \ fatal "awk failed" - grep -q "$_ktext" $_kfile + fgrep "$_ktext" $_kfile >/dev/null } cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy From tim at multitalents.net Fri Feb 27 12:45:19 2015 
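Review bot: the switch from `grep -q "$_ktext" $_kfile` to `fgrep "$_ktext" $_kfile >/dev/null` is right in substance, since $_ktext is a base64 public key that the Solaris grep was interpreting as a regular expression ("RE error 41" above) when check_key_present() only ever wants a literal match; prefer the POSIX spelling `grep -F "$_ktext" $_kfile >/dev/null`, as `fgrep` is a legacy name, and while here consider quoting `"$_kfile"` too, since `_kfile` is derived from `$OBJ` and the hunk already quotes the pattern.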
From: tim at multitalents.net (Tim Rice)
Date: Thu, 26 Feb 2015 17:45:19 -0800 (PST)
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References: <54EB7DCE.5080708@jupiterrise.com> <54EB9A20.4080102@jupiterrise.com> <54ECAA54.7020504@jupiterrise.com> <54EE44EF.7050803@jupiterrise.com>
Message-ID:

On Thu, 26 Feb 2015, Damien Miller wrote:

| On Thu, 26 Feb 2015, Damien Miller wrote:
|
| > > Yes I saw that later.
| > >
| > > The testsuite build fails on Solaris 2.6 thusly:
| > [...]
| > > regress/netcat.c:1037: error: 'struct msghdr' has no member named
| > > 'msg_control'
| >
| > ah, looks like we need to copy some bits from monitor_fdpass.c
|
| Perhaps like this:
|
| diff --git regress/netcat.c regress/netcat.c
[snip]

Netcat now builds on OmniOS and Solaris Express Community Edition.
I'll try it on my Solaris 10 machine the next time I power it up.

--
Tim Rice Multitalents (707) 456-1146
tim at multitalents.net

From djm at mindrot.org Fri Feb 27 15:34:23 2015
From: djm at mindrot.org (Damien Miller)
Date: Fri, 27 Feb 2015 15:34:23 +1100 (AEDT)
Subject: valgrind support
In-Reply-To: <54EFC8EE.7010500@taltos.org>
References: <54EFC8EE.7010500@taltos.org>
Message-ID:

On Thu, 26 Feb 2015, Carson Gaspar wrote:

> valgrind: can't create log file
> '/export/data/build/openssh-git/regress//valgrind-out/test_sshbuf.24891': No
> such file or directory
>
> Manually creating the directory allows the tests to move forward.

Thanks, I've pushed a fix

From djm at mindrot.org Fri Feb 27 15:36:03 2015
From: djm at mindrot.org (Damien Miller)
Date: Fri, 27 Feb 2015 15:36:03 +1100 (AEDT)
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References: <54EB7DCE.5080708@jupiterrise.com> <54EB9A20.4080102@jupiterrise.com> <54ECAA54.7020504@jupiterrise.com> <54EE44EF.7050803@jupiterrise.com>
Message-ID:

On Thu, 26 Feb 2015, Tim Rice wrote:

> Netcat now builds on OmniOS and Solaris Express Community Edition.
> I'll try it on my Solaris 10 machine the next time I power it up.

Thanks - it's not worse at least, so I've committed and pushed it.

From aixtools at gmail.com Fri Feb 27 23:13:20 2015
From: aixtools at gmail.com (Michael Felt)
Date: Fri, 27 Feb 2015 13:13:20 +0100
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

p.s. test was from openssh-SNAP-20150227.tar.gz

On Thu, Feb 19, 2015 at 11:21 PM, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Git at https://anongit.mindrot.org/openssh.git/
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
>
> Changes since OpenSSH 6.7
> =========================
>
> This is a major release, containing a number of new features as
> well as a large internal re-factoring.
>
> Potentially-incompatible changes
> --------------------------------
>
> * sshd(8): UseDNS now defaults to 'no'. Configurations that match
> against the client host name (via sshd_config or authorized_keys)
> may need to re-enable it or convert to matching against addresses.
>
> New Features
> ------------
>
> * Much of OpenSSH's internal code has been re-factored to be more
> library-like. These changes are mostly not user-visible, but
> have greatly improved OpenSSH's testability and internal layout.
>
> * Add FingerprintHash option to ssh(1) and sshd(8), and equivalent
> command-line flags to the other tools to control the algorithm used
> for key fingerprints. The default changes from MD5 to SHA256 and
> format from hex to base64.
>
> Fingerprints now have the hash algorithm prepended. An example of
> the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE
> Please note that visual host keys will also be different.
>
> * ssh(1), sshd(8): Host key rotation support. Add a protocol
> extension for a server to inform a client of all its available
> host keys after authentication has completed. The client may
> record the keys in known_hosts, allowing it to upgrade to better
> host key algorithms and a server to gracefully rotate its keys.
>
> The client side of this is controlled by an UpdateHostkeys config
> option (default on).
>
> * ssh(1): Add a ssh_config HostbasedKeyType option to control which
> host public key types are tried during host-based authentication.
>
> * ssh(1), sshd(8): fix connection-killing host key mismatch errors
> when sshd offers multiple ECDSA keys of different lengths.
>
> * ssh(1): when host name canonicalisation is enabled, try to
> parse host names as addresses before looking them up for
> canonicalisation. Fixes bz#2074 and avoids needless DNS
> lookups in some cases.
>
> * ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer
> require OpenSSH to be compiled with OpenSSL support.
>
> * ssh(1), ssh-keysign(8): Make ed25519 keys work for host based
> authentication.
>
> * sshd(8): SSH protocol v.1 workaround for the Meyer, et al,
> Bleichenbacher Side Channel Attack. Fake up a bignum key before
> RSA decryption.
>
> * sshd(8): Remember which public keys have been used for
> authentication and refuse to accept previously-used keys.
> This allows AuthenticationMethods=publickey,publickey to require
> that users authenticate using two _different_ public keys.
>
> * sshd(8): add sshd_config HostbasedAcceptedKeyTypes and
> PubkeyAcceptedKeyTypes options to allow sshd to control what
> public key types will be accepted. Currently defaults to all.
>
> * sshd(8): Don't count partial authentication success as a failure
> against MaxAuthTries.
>
> * ssh(1): Add RevokedHostKeys option for the client to allow
> text-file or KRL-based revocation of host keys.
>
> * ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by
> serial number or key ID without scoping to a particular CA.
>
> * ssh(1): Add a "Match canonical" criteria that allows ssh_config
> Match blocks to trigger only in the second config pass.
>
> * ssh(1): Add a -G option to ssh that causes it to parse its
> configuration and dump the result to stdout, similar to "sshd -T".
>
> * ssh(1): Allow Match criteria to be negated. E.g. "Match !host".
>
> * The regression test suite has been extended to cover more OpenSSH
> features. The unit tests have been expanded and now cover key
> exchange.
>
> Bugfixes
> --------
>
> * ssh-keyscan(1): ssh-keyscan has been made much more robust against
> servers that hang or violate the SSH protocol.
>
> * ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names were
> being lost as comment fields.
>
> * ssh(1): Allow ssh_config Port options set in the second config
> parse phase to be applied (they were being ignored). bz#2286
>
> * ssh(1): Tweak config re-parsing with host canonicalisation - make
> the second pass through the config files always run when host name
> canonicalisation is enabled (and not whenever the host name
> changes) bz#2267
>
> * ssh(1): Fix passing of wildcard forward bind addresses when
> connection multiplexing is in use; bz#2324;
>
> * ssh-keygen(1): Fix broken private key conversion from non-OpenSSH
> formats; bz#2345.
>
> * ssh-keygen(1): Fix KRL generation bug when multiple CAs are in
> use.
>
> * Various fixes to manual pages: bz#2288, bz#2316, bz#2273
>
> Portable OpenSSH
> ----------------
>
> * Support --without-openssl at configure time
>
> Disables and removes dependency on OpenSSL. Many features,
> including SSH protocol 1 are not supported and the set of crypto
> options is greatly restricted. This will only work on systems with
> native arc4random or /dev/urandom.
>
> Considered highly experimental for now.
>
> * Support --without-ssh1 option at configure time
>
> Allows disabling support for SSH protocol 1.
>
> Still experimental - not all regression and unit tests have
> been adapted for the absence of SSH protocol 1.
>
> * sshd(8): Fix compilation on systems with IPv6 support in utmpx; bz#2296
>
> * Allow custom service name for sshd on Cygwin. Permits the use of
> multiple sshd running with different service names.
>
> Reporting Bugs:
> ===============
>
> - Please read http://www.openssh.com/report.html
> Security bugs should be reported directly to openssh at openssh.com
>
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
> Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
> Ben Lindstrom.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From aixtools at gmail.com Fri Feb 27 23:12:22 2015
From: aixtools at gmail.com (Michael Felt)
Date: Fri, 27 Feb 2015 13:12:22 +0100
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

    OpenSSH has been configured with the following options:
    User binaries: /opt/bin
    System binaries: /opt/sbin
    Configuration files: /opt/etc
    Askpass program: /opt/libexec/ssh-askpass
    Manual pages: /opt/share/man/manX
    PID file: /opt/etc
    Privilege separation chroot path: /var/empty
    sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/bin
    Manpage format: man
    PAM support: no
    OSF SIA support: no
    KerberosV support: no
    SELinux support: no
    Smartcard support:
    S/KEY support: no
    MD5 password support: no
    libedit support: no
    Solaris process contract support: no
    Solaris project support: no
    IP address in $DISPLAY hack: no
    Translate v4 in v6 hack: no
    BSD Auth support: no
    Random number source: OpenSSL internal ONLY
    Privsep sandbox style: rlimit

    Host: powerpc-ibm-aix5.3.0.0
    Compiler: cc -qlanglvl=extc89
    Compiler flags: -g
    Preprocessor flags:
    Linker flags: -blibpath:/usr/lib:/lib
    Libraries: -lcrypto -lz

Just one example - they are all like this:

    cc -qlanglvl=extc89 -g -I. -I. -DSSHDIR=\"/opt/etc\" -D_PATH_SSH_PROGRAM=\"/opt/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/opt/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/opt/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/opt/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/opt/etc\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c dns.c -o dns.o
    "/usr/include/stdarg.h", line 89.9: 1506-236 (W) Macro name va_copy has been redefined.
    "/usr/include/stdarg.h", line 89.9: 1506-358 (I) "va_copy" is defined on line 838 of defines.h.
    ...
    ranlib libssh.a
    cc -qlanglvl=extc89 -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o roaming_client.o -L.
    -Lopenbsd-compat/ -blibpath:/usr/lib:/lib -lssh -lopenbsd-compat -lcrypto -lz
    ld: 0711-317 ERROR: Undefined symbol: .va_copy
    ld: 0711-317 ERROR: Undefined symbol: .EC_KEY_free
    ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.

The error above is a bit unusual.

1) It has been seen before that with -qlanglvl=extc89 va_copy is not found. This is clear, I think, from the stdarg.h file:

    +88 #ifdef _ISOC99_SOURCE
    +89 #define va_copy(__list1,__list2) ((void)(__list1 = __list2))
    +90 #endif
    +91
    +92 #endif /* _ANSI_C_SOURCE */

I would think that _ISOC99_SOURCE would not be defined with -qlanglvl=extc89.

2) Simple test:

    cat c89.c
    #include <stdarg.h>
    /*
     * test what gets defined with flag -qlanglvl=extc89 and -qlanglvl=extc99
     */
    c89(void *a, void *b)
    {
    #ifdef _ANSI_C_SOURCE
    #ifdef _ISOC99_SOURCE
        va_copy(a,b);
    #else
        fake_ansi_copy(a,b);
    #endif
    #endif
    #ifndef _ANSI_C_SOURCE
        fake_noansi_copy(a,b);
    #endif
    }

    main()
    {
        char a[4], b[4];
        c89(a,b);
    }

    root at x064:[/data/prj/openbsd/openssh/openssh]cc -qlanglvl=extc89 -E c89.c
    #line 62 "/usr/include/va_list.h"
    typedef char *va_list;
    #line 7 "c89.c"
    c89(void *a, void *b)
    {
    #line 12
    va_copy(a,b);
    #line 20
    }
    main()
    {
    char a[4], b[4];
    c89(a,b);
    #line 29
    }

    root at x064:[/data/prj/openbsd/openssh/openssh]cc -qlanglvl=extc89 c89.c
    ld: 0711-317 ERROR: Undefined symbol: .va_copy
    ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
    root at x064:[/data/prj/openbsd/openssh/openssh]cc -qlanglvl=extc99 -E c89.c
    #line 62 "/usr/include/va_list.h"
    typedef char *va_list;
    #line 7 "c89.c"
    c89(void *a, void *b)
    {
    #line 12
    __builtin_va_copy(a,b);
    #line 20
    }
    main()
    {
    char a[4], b[4];
    c89(a,b);
    #line 29
    }

3) Repeating above steps - prefixed with:

    CC=xlc
    export CC

    configure: creating ./config.status
    config.status: creating Makefile
    config.status: creating buildpkg.sh
    config.status: creating opensshd.init
    config.status: creating openssh.xml
    config.status: creating openbsd-compat/Makefile
    config.status: creating openbsd-compat/regress/Makefile
    config.status: creating survey.sh
    config.status: creating config.h
    config.status: config.h is unchanged

    OpenSSH has been configured with the following options:
    User binaries: /opt/bin
    System binaries: /opt/sbin
    Configuration files: /opt/etc
    Askpass program: /opt/libexec/ssh-askpass
    Manual pages: /opt/share/man/manX
    PID file: /opt/etc
    Privilege separation chroot path: /var/empty
    sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/bin
    Manpage format: man
    PAM support: no
    OSF SIA support: no
    KerberosV support: no
    SELinux support: no
    Smartcard support:
    S/KEY support: no
    MD5 password support: no
    libedit support: no
    Solaris process contract support: no
    Solaris project support: no
    IP address in $DISPLAY hack: no
    Translate v4 in v6 hack: no
    BSD Auth support: no
    Random number source: OpenSSL internal ONLY
    Privsep sandbox style: rlimit

    Host: powerpc-ibm-aix5.3.0.0
    Compiler: xlc
    Compiler flags: -g
    Preprocessor flags:
    Linker flags: -blibpath:/usr/lib:/lib
    Libraries: -lcrypto -lz

gets rid of all the complaints about va_copy being redefined - but still ends up missing .EC_KEY_free:

    xlc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o roaming_client.o -L.
    -Lopenbsd-compat/ -blibpath:/usr/lib:/lib -lssh -lopenbsd-compat -lcrypto -lz
    ld: 0711-317 ERROR: Undefined symbol: .EC_KEY_free
    ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
    make: *** [ssh] Error 8

No idea where this should be coming from (the check in configure is for 0.9.8k as minimum, and that is the level installed):

    root at x064:[/data/prj/openbsd/openssh/openssh]lslpp -L | grep openssl
    openssl.base 0.9.8.1101 C F Open Secure Socket Layer
    openssl.license 0.9.8.1101 C F Open Secure Socket License

So this would be building against openssl-0.9.8k (because k is 11th letter).

Conclusion:

regarding CC value: when using IBM C - force to xlc when CC seems to be cc

No idea re: EC_KEY_free (newer openssl needed?)

On Thu, Feb 19, 2015 at 11:21 PM, Damien Miller wrote:
> Hi,
>
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible. This release contains
> some substantial new features and a number of bugfixes.
>
> Snapshot releases for portable OpenSSH are available from
> http://www.mindrot.org/openssh_snap/
>
> The OpenBSD version is available in CVS HEAD:
> http://www.openbsd.org/anoncvs.html
>
> Portable OpenSSH is also available via anonymous CVS using the
> instructions at http://www.openssh.com/portable.html#cvs or
> via Git at https://anongit.mindrot.org/openssh.git/
>
> Running the regression tests supplied with Portable OpenSSH does not
> require installation and is simply:
>
> $ ./configure && make tests
>
> Live testing on suitable non-production systems is also
> appreciated. Please send reports of success or failure to
> openssh-unix-dev at mindrot.org.
>
> Below is a summary of changes. More detail may be found in the ChangeLog
> in the portable OpenSSH tarballs.
>
> Thanks to the many people who contributed to this release.
> > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > From aixtools at gmail.com Sat Feb 28 00:07:11 2015 
From: aixtools at gmail.com (Michael Felt) Date: Fri, 27 Feb 2015 14:07:11 +0100 Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: Message-ID: Update - for AIX 6.1 TL9 - configure: creating ./config.status config.status: creating Makefile config.status: creating buildpkg.sh config.status: creating opensshd.init config.status: creating openssh.xml config.status: creating openbsd-compat/Makefile config.status: creating openbsd-compat/regress/Makefile config.status: creating survey.sh config.status: creating config.h OpenSSH has been configured with the following options: User binaries: /opt/bin System binaries: /opt/sbin Configuration files: /opt/etc Askpass program: /opt/libexec/ssh-askpass Manual pages: /opt/share/man/manX PID file: /var/run Privilege separation chroot path: /var/empty sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/bin Manpage format: man PAM support: no OSF SIA support: no KerberosV support: no SELinux support: no Smartcard support: S/KEY support: no MD5 password support: no libedit support: no Solaris process contract support: no Solaris project support: no IP address in $DISPLAY hack: no Translate v4 in v6 hack: no BSD Auth support: no Random number source: OpenSSL internal ONLY Privsep sandbox style: rlimit Host: powerpc-ibm-aix6.1.0.0 Compiler: xlc Compiler flags: -g Preprocessor flags: Linker flags: -blibpath:/usr/lib:/lib Libraries: -lcrypto -lz michael at x071:[/home/michael]lslpp -L | grep ssl openssl.base 1.0.1.510 C F Open Secure Socket Layer openssl.man.en_US 1.0.1.510 C F Open Secure Socket Layer ... 
tests && echo all tests passed make[1]: Entering directory `/data/prj/openbsd/openssh/openssh/regress' set -e ; if test -z "" ; then \ /data/prj/openbsd/openssh/openssh/regress/unittests/sshbuf/test_sshbuf ; \ /data/prj/openbsd/openssh/openssh/regress/unittests/sshkey/test_sshkey \ -d /data/prj/openbsd/openssh/openssh/regress/unittests/sshkey/testdata ; \ /data/prj/openbsd/openssh/openssh/regress/unittests/bitmap/test_bitmap ; \ /data/prj/openbsd/openssh/openssh/regress/unittests/kex/test_kex ; \ /data/prj/openbsd/openssh/openssh/regress/unittests/hostkeys/test_hostkeys \ -d /data/prj/openbsd/openssh/openssh/regress/unittests/hostkeys/testdata ; \ fi test_sshbuf: ................................................................................................... 100 tests ok test_sshkey: ............................................................................................. ... many minutes later ... ... learn new primary hostkey rotate primary hostkey check rotate primary hostkey ok hostkey rotate make[1]: Leaving directory `/data/prj/openbsd/openssh/openssh/regress' all tests passed On Thu, Feb 19, 2015 at 11:45 PM, Damien Miller wrote: > On Fri, 20 Feb 2015, Damien Miller wrote: > > > Hi, > > > > OpenSSH 6.8 is almost ready for release, so we would appreciate testing > > on as many platforms and systems as possible. This release contains > > some substantial new features and a number of bugfixes. > > ... > > > * ssh(1), sshd(8): Host key rotation support. Add a protocol > > extension for a server to inform a client of all its available > > host keys after authentication has completed. The client may > > record the keys in known_hosts, allowing it to upgrade to better > > host key algorithms and a server to gracefully rotate its keys. > > > > The client side of this is controlled by a UpdateHostkeys config > > option (default on). > > Actually, the default is off. 
You can enable it using UpdateHostKeys=yes > or UpdateHostKeys=ask > > -d > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > From aixtools at gmail.com Sat Feb 28 01:19:03 2015 
From: aixtools at gmail.com (Michael Felt) Date: Fri, 27 Feb 2015 15:19:03 +0100 Subject: Call for testing: OpenSSH 6.8 In-Reply-To: References: Message-ID: New test - using AIX 5.3 TL7 - but against libressl-2.1.4 configure: creating ./config.status config.status: creating Makefile config.status: creating buildpkg.sh config.status: creating opensshd.init config.status: creating openssh.xml config.status: creating openbsd-compat/Makefile config.status: creating openbsd-compat/regress/Makefile config.status: creating survey.sh config.status: creating config.h config.status: config.h is unchanged OpenSSH has been configured with the following options: User binaries: /opt/bin System binaries: /opt/sbin Configuration files: /opt/etc Askpass program: /opt/libexec/ssh-askpass Manual pages: /opt/share/man/manX PID file: /opt/etc Privilege separation chroot path: /var/empty sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/bin Manpage format: man PAM support: no OSF SIA support: no KerberosV support: no SELinux support: no Smartcard support: S/KEY support: no MD5 password support: no libedit support: no Solaris process contract support: no Solaris project support: no IP address in $DISPLAY hack: no Translate v4 in v6 hack: no BSD Auth support: no Random number source: OpenSSL internal ONLY Privsep sandbox style: rlimit Host: powerpc-ibm-aix5.3.0.0 Compiler: xlc Compiler flags: -g Preprocessor flags: -I/opt/libressl/include Linker flags: -L/opt/libressl/lib -blibpath:/usr/lib:/lib Libraries: -lcrypto -lz One problem coming directly is that the -L flag (-L/opt/libressl/lib is not being included in the -blibpath so the programs link, but do not run. I am sure there is a way for me to modify the blibpath - BUT - I ask you do consider inserting an openssl-dir path when it is not already in the blibpath variable. rm ssh make xlc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o roaming_client.o -L. 
-Lopenbsd-compat/ -L/opt/libressl/lib -blibpath:/usr/lib:/lib -lssh -lopenbsd-compat -lcrypto -lz root at x064:[/data/prj/openbsd/openssh/openssh]dump -H ssh ssh: ***Loader Section*** Loader Header Information VERSION# #SYMtableENT #RELOCent LENidSTR 0x00000001 0x0000014a 0x0000075a 0x0000003b #IMPfilID OFFidSTR LENstrTBL OFFstrTBL 0x00000003 0x00007748 0x00000c6d 0x00007783 ***Import File Strings*** INDEX PATH BASE MEMBER 0 /usr/lib:/lib 1 libc.a shr.o 2 libcrypto.a libcrypto.so.32 root at x064:[/data/prj/openbsd/openssh/openssh]ldd ssh ssh needs: /usr/lib/libc.a(shr.o) /usr/lib/libcrypto.a(libcrypto.so.32) ar: 0707-109 Member name libcrypto.so.32 does not exist. dump: /tmp/tmpdir733264/extract/libcrypto.so.32: 0654-106 Cannot open the specified file. /unix /usr/lib/libcrypt.a(shr.o) Modified blibpath: xlc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o sshconnect1.o sshconnect2.o mux.o roaming_common.o roaming_client.o -L. -Lopenbsd-compat/ -L/opt/libressl/lib -blibpath:/opt/libressl/ lib:/usr/lib:/lib -lssh -lopenbsd-compat -lcrypto -lz root at x064:[/data/prj/openbsd/openssh/openssh]ldd ssh ssh needs: /usr/lib/libc.a(shr.o) /opt/libressl/lib/libcrypto.a(libcrypto.so.32) /unix /usr/lib/libcrypt.a(shr.o) /usr/lib/libperfstat.a(shr.o) /usr/lib/libpthread.a(shr_xpg5.o) /usr/lib/libpthreads.a(shr_xpg5.o) /usr/lib/libcfg.a(shr.o) /usr/lib/libodm.a(shr.o) /usr/lib/liblvm.a(shr.o) /usr/lib/libpthreads.a(shr_comm.o) This can be corrected with LIBPATH root at x064:[/data/prj/openbsd/openssh/openssh]ldd ssh ssh needs: /usr/lib/libc.a(shr.o) /usr/lib/libcrypto.a(libcrypto.so.32) ar: 0707-109 Member name libcrypto.so.32 does not exist. dump: /tmp/tmpdir733294/extract/libcrypto.so.32: 0654-106 Cannot open the specified file. 
/unix /usr/lib/libcrypt.a(shr.o) root at x064:[/data/prj/openbsd/openssh/openssh]LIBPATH=/opt/libressl/lib ldd ssh ssh needs: /usr/lib/libc.a(shr.o) /opt/libressl/lib/libcrypto.a(libcrypto.so.32) /unix /usr/lib/libcrypt.a(shr.o) /usr/lib/libperfstat.a(shr.o) /usr/lib/libpthread.a(shr_xpg5.o) /usr/lib/libpthreads.a(shr_xpg5.o) /usr/lib/libcfg.a(shr.o) /usr/lib/libodm.a(shr.o) /usr/lib/liblvm.a(shr.o) /usr/lib/libpthreads.a(shr_comm.o) I shall use LIBPATH - and post - I expect all test successful - later. On Fri, Feb 27, 2015 at 2:07 PM, Michael Felt wrote: > Update - for AIX 6.1 TL9 - > configure: creating ./config.status > config.status: creating Makefile > config.status: creating buildpkg.sh > config.status: creating opensshd.init > config.status: creating openssh.xml > config.status: creating openbsd-compat/Makefile > config.status: creating openbsd-compat/regress/Makefile > config.status: creating survey.sh > config.status: creating config.h > > OpenSSH has been configured with the following options: > User binaries: /opt/bin > System binaries: /opt/sbin > Configuration files: /opt/etc > Askpass program: /opt/libexec/ssh-askpass > Manual pages: /opt/share/man/manX > PID file: /var/run > Privilege separation chroot path: /var/empty > sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/bin > Manpage format: man > PAM support: no > OSF SIA support: no > KerberosV support: no > SELinux support: no > Smartcard support: > S/KEY support: no > MD5 password support: no > libedit support: no > Solaris process contract support: no > Solaris project support: no > IP address in $DISPLAY hack: no > Translate v4 in v6 hack: no > BSD Auth support: no > Random number source: OpenSSL internal ONLY > Privsep sandbox style: rlimit > > Host: powerpc-ibm-aix6.1.0.0 > Compiler: xlc > Compiler flags: -g > Preprocessor flags: > Linker flags: -blibpath:/usr/lib:/lib > Libraries: -lcrypto -lz > > michael at x071:[/home/michael]lslpp -L | grep ssl > openssl.base 1.0.1.510 C F Open 
Secure Socket Layer > openssl.man.en_US 1.0.1.510 C F Open Secure Socket Layer > > ... > tests && echo all tests passed > make[1]: Entering directory `/data/prj/openbsd/openssh/openssh/regress' > set -e ; if test -z "" ; then \ > > /data/prj/openbsd/openssh/openssh/regress/unittests/sshbuf/test_sshbuf ; \ > > /data/prj/openbsd/openssh/openssh/regress/unittests/sshkey/test_sshkey \ > -d > /data/prj/openbsd/openssh/openssh/regress/unittests/sshkey/testdata ; \ > > /data/prj/openbsd/openssh/openssh/regress/unittests/bitmap/test_bitmap ; \ > /data/prj/openbsd/openssh/openssh/regress/unittests/kex/test_kex ; > \ > > /data/prj/openbsd/openssh/openssh/regress/unittests/hostkeys/test_hostkeys \ > -d > /data/prj/openbsd/openssh/openssh/regress/unittests/hostkeys/testdata ; \ > fi > test_sshbuf: > ................................................................................................... > 100 tests ok > test_sshkey: > ............................................................................................. > > ... > many minutes later ... > ... > learn new primary hostkey > rotate primary hostkey > check rotate primary hostkey > ok hostkey rotate > make[1]: Leaving directory `/data/prj/openbsd/openssh/openssh/regress' > all tests passed > > > > On Thu, Feb 19, 2015 at 11:45 PM, Damien Miller wrote: > >> On Fri, 20 Feb 2015, Damien Miller wrote: >> >> > Hi, >> > >> > OpenSSH 6.8 is almost ready for release, so we would appreciate testing >> > on as many platforms and systems as possible. This release contains >> > some substantial new features and a number of bugfixes. >> >> ... >> >> > * ssh(1), sshd(8): Host key rotation support. Add a protocol >> > extension for a server to inform a client of all its available >> > host keys after authentication has completed. The client may >> > record the keys in known_hosts, allowing it to upgrade to better >> > host key algorithms and a server to gracefully rotate its keys. 
>> >
>> > The client side of this is controlled by a UpdateHostkeys config
>> > option (default on).
>>
>> Actually, the default is off. You can enable it using UpdateHostKeys=yes
>> or UpdateHostKeys=ask
>>
>> -d
>>
>

From scott_n at xypro.com Sat Feb 28 04:38:53 2015
From: scott_n at xypro.com (Scott Neugroschl)
Date: Fri, 27 Feb 2015 17:38:53 +0000
Subject: remote-remote scp
Message-ID:

Hi everyone,

I know scp is kind of the red-headed stepchild of the suite, but I'd like to propose an extension to the syntax for remote-remote passthrough using the "-3" option. Currently the syntax is essentially

    scp -3 [ -P port ] [user@]host1:file [user@]host2:file

This is great, as long as both remotes are on the same port. It causes difficulties if host1 and host2 are not on the same port. I'd like to propose the syntax extension:

    [user@]host[,port]:file

This allows the two remotes to be on separate ports.

---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 | Simi Valley, CA 93063 | Phone 805 583-2874 | Fax 805 583-0124

From scott_n at xypro.com Sat Feb 28 04:59:07 2015
From: scott_n at xypro.com (Scott Neugroschl)
Date: Fri, 27 Feb 2015 17:59:07 +0000
Subject: remote-remote scp
In-Reply-To:
References:
Message-ID:

Ah. Good point. Hadn't thought of that one! Thanks. I withdraw the suggestion.
From: dtucker at dtucker.net [mailto:dtucker at dtucker.net] On Behalf Of Darren Tucker
Sent: Friday, February 27, 2015 9:55 AM
To: Scott Neugroschl
Cc: OpenSSH Unix Dev Mailing List (openssh-unix-dev at mindrot.org)
Subject: Re: remote-remote scp

On Fri, Feb 27, 2015 at 12:38 PM, Scott Neugroschl wrote:

    This allows the two remotes to be on separate ports.

You could also put "Port 1234" into ~/.ssh/config or ssh_config for one or both of the hosts.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Sat Feb 28 04:55:01 2015
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 27 Feb 2015 12:55:01 -0500
Subject: remote-remote scp
In-Reply-To:
References:
Message-ID:

On Fri, Feb 27, 2015 at 12:38 PM, Scott Neugroschl wrote:
>
> This allows the two remotes to be on separate ports.

You could also put "Port 1234" into ~/.ssh/config or ssh_config for one or both of the hosts.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Sat Feb 28 05:04:20 2015
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 27 Feb 2015 13:04:20 -0500
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

On Fri, Feb 27, 2015 at 9:19 AM, Michael Felt wrote:
>
> One problem coming directly is that the -L flag (-L/opt/libressl/lib is not
> being included in the -blibpath so the programs link, but do not run.
> I am sure there is a way for me to modify the blibpath - BUT - I ask you do
> consider inserting an openssl-dir path when it is not
> already in the blibpath variable.
>

There's a reason why it isn't: where that directory is writeable by a non-root user it becomes a vector for local privilege escalation via OpenSSH's setuid binaries.
http://lists.mindrot.org/pipermail/openssh-unix-dev/2003-April/017768.html

Now that decision was made back in the day when OpenSSL's shared library support was still considered experimental. Maybe we could check that the path is a) absolute and b) system-owned all the way down and add it to blibpath if both are true.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Sat Feb 28 05:12:28 2015
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 27 Feb 2015 13:12:28 -0500
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

On Fri, Feb 27, 2015 at 7:12 AM, Michael Felt wrote:
>
> ld: 0711-317 ERROR: Undefined symbol: .va_copy
> ld: 0711-317 ERROR: Undefined symbol: .EC_KEY_free
>

Which object files contain references to those symbols? (running each through "nm" should show you).

> ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more
> information.
>
> The error above is a bit unusual.
> 1) It has been seen before that with -qlanglvl=extc89 that va_copy is not
> found. This is clear, I think, from the stdarg.h file:
>
> +88 #ifdef _ISOC99_SOURCE
> +89 #define va_copy(__list1,__list2) ((void)(__list1 = __list2))
> +90 #endif
> +91
> +92 #endif /* _ANSI_C_SOURCE */
>

There's a definition of va_copy in defines.h which should be activated when the platform doesn't have it:

#ifndef HAVE_VA_COPY
# ifdef HAVE___VA_COPY
#  define va_copy(dest, src) __va_copy(dest, src)
# else
#  define va_copy(dest, src) (dest) = (src)
# endif
#endif

I suspect there's a file which should have includes.h at the top but doesn't.

I think the EC_KEY_free should be fixed by this:

diff --git a/kex.c b/kex.c
index 2618e22..cf04574 100644
--- a/kex.c
+++ b/kex.c
@@ -432,8 +432,10 @@ kex_free(struct kex *kex)
 #ifdef WITH_OPENSSL
 	if (kex->dh)
 		DH_free(kex->dh);
+# ifdef OPENSSL_HAS_ECC
 	if (kex->ec_client_key)
 		EC_KEY_free(kex->ec_client_key);

I should be able to reproduce the problem by building against the exact openssl version you have.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From Todd.Miller at courtesan.com Sat Feb 28 05:19:22 2015
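Review bot: the hunk header says two lines are added (+432,10 against -432,8) but only "+# ifdef OPENSSL_HAS_ECC" is visible; the matching "# endif" that must follow "EC_KEY_free(kex->ec_client_key);" is cut off in the mail, so confirm it lands directly after that call and stays inside the enclosing "#ifdef WITH_OPENSSL" block. The guard only removes the undefined reference if the ec_client_key member of struct kex and the code that assigns it are under the same OPENSSL_HAS_ECC condition; otherwise a non-ECC OpenSSL still fails, just in another translation unit.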
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 27 Feb 2015 11:19:22 -0700
Subject: Call for testing: OpenSSH 6.8
In-Reply-To: Your message of "Thu, 26 Feb 2015 19:37:43 -0500."
References:
Message-ID: <201502271819.t1RIJQWi002750@newmailhub.uq.edu.au>

On Thu, 26 Feb 2015 19:37:43 -0500, Darren Tucker wrote:

> debug1: channel 1: new [forwarded-streamlocal at openssh.com]^M
> DAZ: fd 10 ss_family 1 expect AF_UNIX 1^M
> DAZ: fd 10 ss_family 0 expect AF_UNIX 1^M
> get_socket_address: getnameinfo 1 failed: ai_family not supported^M
> get_sock_port: getnameinfo NI_NUMERICSERV failed: ai_family not supported^M
>
> looks like something is clearing ss_family?

What OS is this? ISTR that getpeername() or getsockname() on some systems may not support AF_UNIX.

 - todd

From Todd.Miller at courtesan.com Sat Feb 28 05:22:17 2015
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 27 Feb 2015 11:22:17 -0700
Subject: Call for testing: OpenSSH 6.8
In-Reply-To: Your message of "Fri, 27 Feb 2015 11:19:22 -0700."
References:
Message-ID: <201502271822.t1RIMK7S029409@newmailhub.uq.edu.au>

On Fri, 27 Feb 2015 11:19:22 -0700, "Todd C. Miller" wrote:

> What OS is this? ISTR that getpeername() or getsockname() on some
> systems may not support AF_UNIX.

This is probably due to getpeername(). We can probably change:

	/* Unix domain sockets don't have a port number. */
	if (from.ss_family == AF_UNIX)
		return 0;

To:

	/* Non-inet sockets don't have a port number. */
	if (from.ss_family != AF_INET && from.ss_family != AF_INET6)
		return 0;

 - todd

From tgc at jupiterrise.com Sat Feb 28 10:16:24 2015
From: tgc at jupiterrise.com (Tom G. Christensen)
Date: Sat, 28 Feb 2015 00:16:24 +0100
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID: <54F0FAC8.3060806@jupiterrise.com>

On 19/02/15 23:21, Damien Miller wrote:
> OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> on as many platforms and systems as possible.
>

I've now tested using revision 1ad3a77 and it passes the testsuite on Solaris 2.6, 7, 8 and 9 (using gcc and openssl 1.0.1k).

Only one little nit prevents 'all tests passed':

gmake[1]: Entering directory `/export/home/tgc/buildpkg/openssh/src/openssh-git/regress'
test "x" != "x" && mkdir -p /export/home/tgc/buildpkg/openssh/src/openssh-git/regress//valgrind-out
gmake[1]: *** [prep] Error 1

Reversing the test to = and || instead will fix it.

-tgc

From djm at mindrot.org Sat Feb 28 10:53:36 2015
From: djm at mindrot.org (Damien Miller)
Date: Sat, 28 Feb 2015 10:53:36 +1100 (AEDT)
Subject: Call for testing: OpenSSH 6.8
In-Reply-To: <54F0FAC8.3060806@jupiterrise.com>
References: <54F0FAC8.3060806@jupiterrise.com>
Message-ID:

On Sat, 28 Feb 2015, Tom G. Christensen wrote:

> On 19/02/15 23:21, Damien Miller wrote:
> > OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible.
> >
>
> I've now tested using revision 1ad3a77 and it passes the testsuite on Solaris
> 2.6, 7, 8 and 9 (using gcc and openssl 1.0.1k).
>
> Only one little nit prevents 'all tests passed':
> gmake[1]: Entering directory
> `/export/home/tgc/buildpkg/openssh/src/openssh-git/regress'
> test "x" != "x" && mkdir -p
> /export/home/tgc/buildpkg/openssh/src/openssh-git/regress//valgrind-out
> gmake[1]: *** [prep] Error 1
>
> Reversing the test to = and || instead will fix it.

committed - thanks for persisting with the tests.

-d

From calestyo at scientia.net Sat Feb 28 16:03:53 2015
From: calestyo at scientia.net (Christoph Anton Mitterer)
Date: Sat, 28 Feb 2015 06:03:53 +0100
Subject: [PATCH v1] pass-key-fingerprint-to-authorized-keys-command
Message-ID: <1425099833.5204.129.camel@scientia.net>

Hi.

The attached patch[0] (which I admittedly haven't had time just now to check whether it actually works - but it should at least serve as a discussion base) would make sshd pass a 2nd argument to the authorized keys command.

The idea is, as the commit message says, that programs like Gitolite, which may have many (up to the range of thousands) keys per single username (for example "git") can use that fingerprint in order to efficiently retrieve the matching key(s) from a database (or something like that). Right now, such programs suffer quite a lot, when sshd linearly parses an authorized_keys file with a gazillion of entries.

Most likely, legacy authorized keys commands shouldn't be affected by this, at least unless they check for a maximum number for command arguments.

Right now I'm just a bit worried about two issues:
- using MD5,... which may be appropriate for the idea from above, but people might also use the whole thing in a different (security related) way... and there MD5 should be a no-go.
- not encoding the presented hash algo (which makes the whole thing unchangeable forever i.e. perhaps one should rather use pass arguments like
  johndoe -md5=e702125c0dfcb8801a07ddd8ef719ab8
  or
  johndoe md5 e702125c0dfcb8801a07ddd8ef719ab8
  (even though I'd probably tend to the former)

What do you guys think?

Cheers,
Chris.

[0] Based on an idea by Sitaram Chamarty and a patch from Jason A. Donenfeld.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-pass-key-fingerprint-to-authorized-keys-command.patch
Type: text/x-patch
Size: 2455 bytes
Desc: not available
URL:
From djm at mindrot.org Sat Feb 28 19:57:33 2015
From: djm at mindrot.org (Damien Miller)
Date: Sat, 28 Feb 2015 19:57:33 +1100 (AEDT)
Subject: [PATCH v1] pass-key-fingerprint-to-authorized-keys-command
In-Reply-To: <1425099833.5204.129.camel@scientia.net>
References: <1425099833.5204.129.camel@scientia.net>
Message-ID:

On Sat, 28 Feb 2015, Christoph Anton Mitterer wrote:

> Hi.
>
> The attached patch[0] (which I've admittedly haven't had time just now
> to check whether it actually works - but it should at least serve as a
> discussion base) would make sshd pass a 2nd argument to the authorized
> keys command.

There is a patch out for review at https://bugzilla.mindrot.org/show_bug.cgi?id=2081 already

-d

From aixtools at gmail.com Sat Feb 28 21:53:12 2015
From: aixtools at gmail.com (Michael Felt)
Date: Sat, 28 Feb 2015 11:53:12 +0100
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References: <54F0FAC8.3060806@jupiterrise.com>
Message-ID:

Had this running yesterday - will answer your questions above in a moment:

short version: all tests passed when blibpath includes an alternate directory for libressl - in order to override openssl (still) needed for other applications looking for something-0.9.8 or something-1.0.0, etc..

===
Long version:

Added LDFLAGS=-blibpath:/opt/libressl/ssl:/usr/lib:/lib

Summary has -blibpath listed twice

configure: creating ./config.status
config.status: creating Makefile
config.status: creating buildpkg.sh
config.status: creating opensshd.init
config.status: creating openssh.xml
config.status: creating openbsd-compat/Makefile
config.status: creating openbsd-compat/regress/Makefile
config.status: creating survey.sh
config.status: creating config.h

OpenSSH has been configured with the following options:
User binaries: /opt/bin
System binaries: /opt/sbin
Configuration files: /opt/etc
Askpass program: /opt/libexec/ssh-askpass
Manual pages: /opt/share/man/manX
PID file: /opt/etc
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/opt/bin
Manpage format: man
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
MD5 password support: no
libedit support: no
Solaris process contract support: no
Solaris project support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: rlimit

Host: powerpc-ibm-aix5.3.0.0
Compiler: xlc
Compiler flags: -g
Preprocessor flags: -I/opt/libressl/include
Linker flags: -L/opt/libressl/lib -blibpath:/opt/libressl/lib:/usr/lib:/lib -blibpath:/usr/lib:/lib
Libraries: -lcrypto -lz

root at x064:[/data/prj/openbsd/openssh/openssh]grep LDFLAGS= Makefile
LDFLAGS=-L.
-Lopenbsd-compat/ -L/opt/libressl/lib -blibpath:/opt/libressl/lib:/usr/lib:/lib -blibpath:/usr/lib:/lib

Editing Makefile to bring it back to only one - last one wins as I recall!

Looking good - not sure about this though:

ok try ciphers
run test yes-head.sh ...
sh: There is no process to read data written to a pipe.
sh: There is no process to read data written to a pipe.
ok yes pipe head
run test login-timeout.sh ...

also, do not have SUDO loaded

skipped: need SUDO to switch to uid nobody

... wait some more ...

learn additional hostkeys, type=ecdsa-sha2-nistp384
learn additional hostkeys, type=ecdsa-sha2-nistp521
learn changed non-primary hostkey
learn new primary hostkey
rotate primary hostkey
check rotate primary hostkey
ok hostkey rotate
make[1]: Leaving directory `/data/prj/openbsd/openssh/openssh/regress'
all tests passed

On Sat, Feb 28, 2015 at 12:53 AM, Damien Miller wrote:
> On Sat, 28 Feb 2015, Tom G. Christensen wrote:
>
> > On 19/02/15 23:21, Damien Miller wrote:
> > > OpenSSH 6.8 is almost ready for release, so we would appreciate testing
> > > on as many platforms and systems as possible.
> > >
> >
> > I've now tested using revision 1ad3a77 and it passes the testsuite on
> Solaris
> > 2.6, 7, 8 and 9 (using gcc and openssl 1.0.1k).
> >
> > Only one little nit prevents 'all tests passed':
> > gmake[1]: Entering directory
> > `/export/home/tgc/buildpkg/openssh/src/openssh-git/regress'
> > test "x" != "x" && mkdir -p
> > /export/home/tgc/buildpkg/openssh/src/openssh-git/regress//valgrind-out
> > gmake[1]: *** [prep] Error 1
> >
> > Reversing the test to = and || instead will fix it.
>
> committed - thanks for persisting with the tests.
>
> -d
>

From aixtools at gmail.com Sat Feb 28 22:40:08 2015
From: aixtools at gmail.com (Michael Felt)
Date: Sat, 28 Feb 2015 12:40:08 +0100
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

The 'user' way to address this is to modify the LIBPATH variable - as I did above, and that will work for a long time.

Starting with AIX 6.1 - this can be disabled by setting a security policy - so that only programs and/or libraries can be executed from trusted locations.

From the trustchk man page - three of the options for the -p (policy) flag:

TE
    Enables or disables Trusted Execution. Policies can only be activated when the TE option is set to ON.
TEP
    Sets the value of Trusted Execution path, and enables or disables it. The Trusted Execution path consists of a list of colon-separated absolute paths, for example, the /usr/bin:/usr/sbin. When this policy is enabled, the files belonging to only these directory paths are allowed to be started. If an executable program that does not belong to the TEP is to be loaded, the program is blocked.
TLP
    Sets the value of Trusted Library path, and enables or disables it. The Trusted Library Path consists of a list of colon-separated absolute paths, for example, the /usr/lib:/usr/ccs/lib. When this policy is enabled, the libraries belonging to only these directory paths can be loaded. If a program tries to load a library that does not belong to the TLP, the program is blocked.

As an example - default settings (TE=off, so all are ignored):

michael at x071:[/data/prj/openbsd/openssh/openssh]trustchk -p TE TEP TLP
TE=OFF
TEP=OFF
TEP=/usr/bin:/usr/sbin:/etc:/bin:/sbin:/sbin/helpers/jfs2:/usr/lib/instl:/usr/ccs/bin:/usr/lib:/usr/lib/security:/usr/lib:/usr/lib/security:/etc/security
TLP=OFF
TLP=/usr/lib:/usr/ccs/lib:/lib:/var/lib:/usr/lib/drivers

re: the 'undesired behavior' of the AIX ld program. I would say it is 'still' there - and I agree with the premise that the default library search path gets very messy.
This is actually one of the reasons why I started packaging tools myself (I did not like the state, nor the extra libraries I needed to load, or overwrite 'AIX' ones (which broke other things)).

To underline this issue - without any -blibpath variable the default (in the binary) LIBPATH would be:

***Import File Strings***
INDEX PATH BASE MEMBER
0 .:openbsd-compat/:/opt/libressl/lib:/usr/vac/lib:/usr/lib:/lib
1 libc.a shr.o
2 libcrypto.a libcrypto.so.32

Coming from - what ld already has a default plus these arguments:

-L. -Lopenbsd-compat/ -L/opt/libressl/lib

I am guessing that this is the behavior of 'other' linkers when -R is used.

As a packager - I would like the option to be able to specify the -blibpath - especially because I want to be able to package 'aixtools' as a replacement package that can co-exist - because I do not expect to resolve all possible dependencies of existing programs. Additionally, if I used a position 'owned' by another package - an update of that package may overwrite what I have done. This is the reason for /opt and/or /opt/package as prefix - older default is /usr/local; IBM AIX toolkit and others use /opt/freeware/*

From my perspective - when using a different version of 'openSSL API' - for it to work I will need a different blibpath so it gets found. That is much better than that I would add libcrypto.so.32 as a MEMBER to /usr/lib/libcrypto.a

FYI: This is the IBM version on AIX 6.1:

michael at x071:[/data/prj/openbsd/openssh/openssh]ar tv /usr/lib/libcrypto.a
rwxrwxr-x 435159/781431 2965832 May 01 06:57 2014 libcrypto.so.1.0.0
rwxrwxr-x 435159/781431 2253655 May 01 06:58 2014 libcrypto.so.0.9.8

I see not the most recent one - but the dual support, via dual members, is how that is working.

openssl.base 1.0.1.510 C F Open Secure Socket Layer

POSSIBILITIES: just as you give a warning message for no use of compiler stack execution protection - you could give a warning that a modified blibpath is being used.
re: stack execution protection, AIX has a hardware based mechanism that can be set system-wide and/or at application level. See http://www-01.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.security/stack_exec_disable.htm. This has its start back in 2004/2005 with POWER4 iirc.

I shall address va_copy in a second note.

On Fri, Feb 27, 2015 at 7:04 PM, Darren Tucker wrote:
> On Fri, Feb 27, 2015 at 9:19 AM, Michael Felt wrote:
>>
>> One problem coming directly is that the -L flag (-L/opt/libressl/lib is
>> not being included in the -blibpath so the programs link, but do not run.
>> I am sure there is a way for me to modify the blibpath - BUT - I ask you
>> do consider inserting an openssl-dir path when it is not
>> already in the blibpath variable.
>>
>
> There's a reason why it isn't: where that directory is writeable by a
> non-root user it becomes a vector for local privilege escalation via
> OpenSSH's setuid binaries.
> http://lists.mindrot.org/pipermail/openssh-unix-dev/2003-April/017768.html
>
> Now that decision was made back in the day when OpenSSL's shared library
> support was still considered experimental. Maybe we could check that the
> path is a) absolute and b) system-owned all the way down and add it to
> blibpath if both are true.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>

From tgc at jupiterrise.com Sat Feb 28 22:53:52 2015
From: tgc at jupiterrise.com (Tom G. Christensen)
Date: Sat, 28 Feb 2015 12:53:52 +0100
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References: <54F0FAC8.3060806@jupiterrise.com>
Message-ID: <54F1AC50.7040906@jupiterrise.com>

On 28/02/15 00:53, Damien Miller wrote:
> On Sat, 28 Feb 2015, Tom G. Christensen wrote:
>> Only one little nit prevents 'all tests passed':
>> gmake[1]: Entering directory
>> `/export/home/tgc/buildpkg/openssh/src/openssh-git/regress'
>> test "x" != "x" && mkdir -p
>> /export/home/tgc/buildpkg/openssh/src/openssh-git/regress//valgrind-out
>> gmake[1]: *** [prep] Error 1
>>
>> Reversing the test to = and || instead will fix it.
>
> committed - thanks for persisting with the tests.
>

Perhaps I should have been more clear but the above error is from the 'prep' target while it looks like you changed the 'unit' target instead.

I propose this patch to avoid the error:

diff --git a/regress/Makefile b/regress/Makefile index 860c53f..1eef340 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -7,7 +7,7 @@ tests: prep $(REGRESS_TARGETS) interop interop-tests: t-exec-interop prep: - test "x${USE_VALGRIND}" != "x" && mkdir -p $(OBJ)/valgrind-out + test "x${USE_VALGRIND}" = "x" || mkdir -p $(OBJ)/valgrind-out clean: for F in $(CLEANFILES); do rm -f $(OBJ)$$F; done

-tgc

From aixtools at gmail.com Sat Feb 28 22:55:48 2015
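Review bot: the reversed recipe line in the prep target is the correct fix for the exit-status problem, not just a cosmetic one: with `test "x${USE_VALGRIND}" != "x" && mkdir -p $(OBJ)/valgrind-out`, an empty USE_VALGRIND makes `test` return non-zero, the `&&` never runs mkdir, and make treats that non-zero status as the `*** [prep] Error 1` quoted above; with `test "x${USE_VALGRIND}" = "x" || mkdir -p $(OBJ)/valgrind-out` the `||` short-circuits to status 0 when the variable is empty and still creates the directory when it is set. One nit for the commit message: state explicitly that this is the prep target, since the earlier commit went to the unit target instead.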
From: aixtools at gmail.com (Michael Felt)
Date: Sat, 28 Feb 2015 12:55:48 +0100
Subject: Call for testing: OpenSSH 6.8
In-Reply-To:
References:
Message-ID:

As far as va_copy is concerned - I believe the default compiler should be xlc rather than cc. These are the default settings from the vac.cfg.53 file:

* -qlanglvl=extc99 C compiler with common extensions, UNIX headers
xlc:
    use = DEFLT_C
    crt = /lib/crt0.o
    mcrt = /lib/mcrt0.o
    gcrt = /lib/gcrt0.o
    libraries = -L/usr/vac/lib,-lxlopt,-lxlipa,-lxl,-lc
    proflibs = -L/lib/profiled,-L/usr/lib/profiled
    options = -qlanglvl=extc99,-qcpluscmt,-qkeyword=inline,-qalias=ansi

* ANSI C compiler, UNIX header files (V6 compatibility version)
xlc_v6:
    use = DEFLT_C
    crt = /lib/crt0.o
    mcrt = /lib/mcrt0.o
    gcrt = /lib/gcrt0.o
    libraries = -L/usr/vac/lib,-lxlopt,-lxlipa,-lxl,-lc
    proflibs = -L/lib/profiled,-L/usr/lib/profiled
    options = -qalias=ansi

* C compiler, extended mode
cc:
    use = DEFLT_C
    crt = /lib/crt0.o
    mcrt = /lib/mcrt0.o
    gcrt = /lib/gcrt0.o
    libraries = -L/usr/vac/lib,-lxlopt,-lxlipa,-lxl,-lc
    proflibs = -L/lib/profiled,-L/usr/lib/profiled
    options = -qlanglvl=extended,-qnoro,-qnoroconst

* Strict ANSI compiler, ANSI headers
c89:
    use = DEFLT_C
    crt = /lib/crt0.o
    mcrt = /lib/mcrt0.o
    gcrt = /lib/gcrt0.o
    libraries = -L/usr/vac/lib,-lxlopt,-lxlipa,-lxl,-lc
    proflibs = -L/lib/profiled,-L/usr/lib/profiled
    options = -D_ANSI_C_SOURCE,-qalias=ansi,-qnolonglong,-qstrict_induction

* Strict ANSI compiler, ANSI headers
c99:
    use = DEFLT_C
    crt = /lib/crt0.o
    mcrt = /lib/mcrt0.o
    gcrt = /lib/gcrt0.o
    libraries = -L/usr/vac/lib,-lxlopt,-lxlipa,-lxl,-lc
    proflibs = -L/lib/profiled,-L/usr/lib/profiled
    options = -qlanglvl=stdc99,-D_ANSI_C_SOURCE,-D_ISOC99_SOURCE,-qalias=ansi,-qstrict_induction

If you look at my example above you will see that when -qlanglvl=extc99 va_copy gets 'transferred' to the _builtin_va_copy. I do not recall finding va_copy in one of the libraries. My question would be - are you still building against the c89 standard (I assume not).
And as far as IBM C compatibility with gcc - xlc comes much closer - with

* C++ compiler
xlc++:
    use = DEFLT_CPP
    crt = /lib/crt0.o
    mcrt = /lib/mcrt0.o
    gcrt = /lib/gcrt0.o
    xlC = /usr/vacpp/bin/xlC
    libraries2 = -L/usr/vac/lib,-lxlopt,-lxlipa,-lxl,-L/usr/vacpp/lib,-lC,-lm,-lc
    proflibs = -L/usr/vacpp/lib/profiled,-L/lib/profiled,-L/usr/lib/profiled
    hdlibs = -L/usr/vac/lib,-lhC,-lhmd
    options = -qalias=ansi

* C++ compiler
xlC:
    use = DEFLT_CPP
    crt = /lib/crt0.o
    mcrt = /lib/mcrt0.o
    gcrt = /lib/gcrt0.o
    xlC = /usr/vacpp/bin/xlC
    libraries2 = -L/usr/vac/lib,-lxlopt,-lxlipa,-lxl,-L/usr/vacpp/lib,-lC,-lm,-lc
    proflibs = -L/usr/vacpp/lib/profiled,-L/lib/profiled,-L/usr/lib/profiled
    hdlibs = -L/usr/vac/lib,-lhC,-lhmd
    options = -qalias=ansi

being the 'natural' C++ co-compilers.

As a packager - I can resolve this myself by setting CC=xlc. So, please do not see this as a bug or an error in the package - just as a FYI - where you could provide a warning when plain "cc" is being used (e.g., I really dislike the -qnoro option).

All in all - I am quite happy with how it is working - all tests seem to be passing - and I shall be working on my next blog (google SecuringAIX should find it - I dare not give the URL as being too pushy).

On Fri, Feb 27, 2015 at 7:12 PM, Darren Tucker wrote:
> On Fri, Feb 27, 2015 at 7:12 AM, Michael Felt wrote:
>>
>> ld: 0711-317 ERROR: Undefined symbol: .va_copy
>> ld: 0711-317 ERROR: Undefined symbol: .EC_KEY_free
>>
>
> Which object files contain references to those symbols? (running each
> through "nm" should show you).
>
>
>> ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more
>> information.
>>
>> The error above is a bit unusual.
>> 1) It has been seen before that with -qlanglvl=extc89 that va_copy is not
>> found.
>> This is clear, I think, from the stdarg.h file:
>>
>> +88 #ifdef _ISOC99_SOURCE
>> +89 #define va_copy(__list1,__list2) ((void)(__list1 = __list2))
>> +90 #endif
>> +91
>> +92 #endif /* _ANSI_C_SOURCE */
>>
>
> There's a definition of va_copy in defines.h which should be activated
> when the platform doesn't have it:
>
> #ifndef HAVE_VA_COPY
> # ifdef HAVE___VA_COPY
> # define va_copy(dest, src) __va_copy(dest, src)
> # else
> # define va_copy(dest, src) (dest) = (src)
> # endif
> #endif
>
> I suspect there's a file which should have includes.h at the top but
> doesn't.
>
> I think the EC_KEY_free should be fixed by this:
>
> diff --git a/kex.c b/kex.c
> index 2618e22..cf04574 100644
> --- a/kex.c
> +++ b/kex.c
> @@ -432,8 +432,10 @@ kex_free(struct kex *kex)
> #ifdef WITH_OPENSSL
> if (kex->dh)
> DH_free(kex->dh);
> +# ifdef OPENSSL_HAS_ECC
> if (kex->ec_client_key)
> EC_KEY_free(kex->ec_client_key);
>
> I should be able to reproduce the problem by building against the exact
> openssl version you have.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
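Review bot: the kex.c hunk as quoted is incomplete and, as pasted, unbalanced: the header `@@ -432,8 +432,10 @@` promises two added lines, but only `+# ifdef OPENSSL_HAS_ECC` is visible and the matching `# endif` that must close it after `EC_KEY_free(kex->ec_client_key);` (inside the enclosing `#ifdef WITH_OPENSSL`) is not shown. Please confirm the full diff carries that closing `# endif` before the existing `#endif`, otherwise the no-ECC build will fail at the preprocessor rather than at link time.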
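The check Darren Tucker sketches earlier in this thread for the blibpath question (add the OpenSSL directory only if it is absolute and system-owned all the way down), written out as an added example; this is not code from the thread or from OpenSSH. It assumes "system-owned" means every path component is a uid-0 directory that is neither group- nor world-writable and not a symlink, and it runs over a constructed directory tree so it works offline.

```python
import os
import stat


def is_trusted_libdir(path, stat_fn=os.lstat):
    """True only if path is absolute and normalised, and every component from
    / down is a uid-0 directory, not a symlink, not group/world-writable.
    stat_fn is injectable (default: real filesystem via os.lstat)."""
    if not path.startswith("/") or os.path.normpath(path) != path:
        return False                    # relative, '..', '//' or trailing '/'
    prefixes = ["/"]                    # /, /opt, /opt/libressl, ...
    for part in path.strip("/").split("/"):
        if part:
            prefixes.append(os.path.join(prefixes[-1], part))
    for comp in prefixes:
        try:
            st = stat_fn(comp)
        except OSError:
            return False                # ld could not resolve it either
        if not stat.S_ISDIR(st.st_mode):
            return False                # lstat: a symlink is not a directory
        if st.st_uid != 0:
            return False                # a non-root owner can replace it
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False                # others could drop a library here
    return True


def trusted_blibpath(candidates, stat_fn=os.lstat):
    """Keep only the candidates that pass, in order, colon-joined as ld expects."""
    return ":".join(d for d in candidates if is_trusted_libdir(d, stat_fn))


# Constructed tree for the demonstration: path -> (uid, mode). Not real data.
D = stat.S_IFDIR
DEMO_TREE = {
    "/": (0, D | 0o755), "/usr": (0, D | 0o755), "/usr/lib": (0, D | 0o755),
    "/opt": (0, D | 0o755), "/opt/libressl": (0, D | 0o755),
    "/opt/libressl/lib": (0, D | 0o755),
    "/home": (0, D | 0o755), "/home/michael": (1000, D | 0o755),  # user-owned
    "/home/michael/lib": (0, D | 0o755),   # root-owned, but below a user dir
    "/tmp": (0, D | 0o1777), "/tmp/lib": (0, D | 0o755),  # world-writable parent
    "/usr/lib/link": (0, stat.S_IFLNK | 0o777),            # symlink, not a dir
}


def demo_stat(path):
    """os.lstat stand-in over DEMO_TREE; raises OSError like the real call."""
    if path not in DEMO_TREE:
        raise FileNotFoundError(path)
    uid, mode = DEMO_TREE[path]
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))


def demo():
    cands = ["/opt/libressl/lib", "/home/michael/lib", "/tmp/lib",
             "/usr/lib/link", "opt/libressl/lib", "/opt/../tmp/lib", "/usr/lib"]
    return trusted_blibpath(cands, demo_stat)   # '/opt/libressl/lib:/usr/lib'
```

Against the real filesystem, call is_trusted_libdir("/opt/libressl/lib") with the default stat_fn; the configure step would then splice only the surviving directories into -blibpath.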