From openssh at mzpqnxow.com  Mon Aug  1 08:58:14 2016
From: openssh at mzpqnxow.com (AG)
Date: Sun, 31 Jul 2016 18:58:14 -0400
Subject: MaxDisplays for 7.3?
Message-ID: <CA+qPFc+aUrLbO2ft1-=myFJDQB0eN9v4rCtWtUoCFTazC5qA9A@mail.gmail.com>

Hello,

I noticed that the PermitOpen wildcard patch I submitted was merged into
7.3. Thanks for that, I've tested it and looks good. Red Hat is planning on
backporting it into their downstream OpenSSH RPMS for release in RHEL7.

Is it too late for the OpenSSH 7.3 release to also add the MaxDisplays
patch I submitted? This was backported into test RPMS by Red Hat and seemed
to work well in a test environment. It would be great to get these both
added in one release if only because of the timing. My interest is a bit
selfish of course- I need both features :D

Anyway, thanks for taking the time to look at and merge the first. If the
second has to be discussed further or added to 7.4 then we can worry about
that later- let me know if there's anything I can do to help with that.

The "second" patch I am referring to moves the #define MAX_DISPLAYS to
MaxDisplays in sshd_config and is available in the bug tracker as issue
#2580:

https://bugzilla.mindrot.org/show_bug.cgi?id=2580

Thanks,
AG

From dtucker at zip.com.au  Mon Aug  1 09:38:24 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 1 Aug 2016 09:38:24 +1000
Subject: MaxDisplays for 7.3?
In-Reply-To: <CA+qPFc+aUrLbO2ft1-=myFJDQB0eN9v4rCtWtUoCFTazC5qA9A@mail.gmail.com>
References: <CA+qPFc+aUrLbO2ft1-=myFJDQB0eN9v4rCtWtUoCFTazC5qA9A@mail.gmail.com>
Message-ID: <CALDDTe0jn=7G8Pi6QrAWzhwNQzAV06Y7HKZfQqcx8Y+TNK8Hnw@mail.gmail.com>

On Mon, Aug 1, 2016 at 8:58 AM, AG <openssh at mzpqnxow.com> wrote:
> Hello,
>
> I noticed that the PermitOpen wildcard patch I submitted was merged into
> 7.3. Thanks for that, I've tested it and looks good. Red Hat is planning on
> backporting it into their downstream OpenSSH RPMS for release in RHEL7.
>
> Is it too late for the OpenSSH 7.3 release to also add the MaxDisplays
> patch I submitted?

Yes, too late.  Sorry.  The permitopen wildcard patch was smaller and
requested by multiple people, so that got looked at first.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au  Mon Aug  1 10:43:05 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 1 Aug 2016 10:43:05 +1000
Subject: Using -W with -L (Local Forwarding) and -D (Socks Forwarding)
In-Reply-To: <20160731113654.GB27172@glanzmann.de>
References: <20160731113654.GB27172@glanzmann.de>
Message-ID: <CALDDTe3aBBov4VVfvfeexZKKEnLe89yjpb2ty=NZMtFQagSyxQ@mail.gmail.com>

On Sun, Jul 31, 2016 at 9:36 PM, Thomas Glanzmann <thomas at glanzmann.de> wrote:
[...]
> My problem is that -W clears all forwardings.
> Is there another trick or option for example with -L that allows me to forward
> stdin using a bounce host but let me specify additional forwardings?

This was added in the about-to-be-released 7.3: ssh -W still sets
ClearAllForwardings but in a way that can be overridden by explicit
configuration:
https://bugzilla.mindrot.org/show_bug.cgi?id=2577

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From thomas at glanzmann.de  Mon Aug  1 16:05:30 2016
From: thomas at glanzmann.de (Thomas Glanzmann)
Date: Mon, 1 Aug 2016 08:05:30 +0200
Subject: Using -W with -L (Local Forwarding) and -D (Socks Forwarding)
In-Reply-To: <CALDDTe3aBBov4VVfvfeexZKKEnLe89yjpb2ty=NZMtFQagSyxQ@mail.gmail.com>
References: <20160731113654.GB27172@glanzmann.de>
 <CALDDTe3aBBov4VVfvfeexZKKEnLe89yjpb2ty=NZMtFQagSyxQ@mail.gmail.com>
Message-ID: <20160801060530.GC20571@glanzmann.de>

Hello Darren,

* Darren Tucker <dtucker at zip.com.au> [2016-08-01 02:48]:
> This was added in the about-to-be-released 7.3: ssh -W still sets
> ClearAllForwardings but in a way that can be overridden by explicit
> configuration:
> https://bugzilla.mindrot.org/show_bug.cgi?id=2577

thank you, I'll install this version on my main workstation for the time
being.

Cheers,
        Thomas

From djm at openbsd.org  Mon Aug  1 22:14:02 2016
From: djm at openbsd.org (Damien Miller)
Date: Mon, 1 Aug 2016 06:14:02 -0600 (MDT)
Subject: Announce: OpenSSH 7.3 released
Message-ID: <7e553bdf5d7fe31c@openbsd.org>

OpenSSH 7.3 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support. OpenSSH also includes
transitional support for the legacy SSH 1.3 and 1.5 protocols
that may be enabled at compile-time.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html

Future deprecation notice
=========================

We plan on retiring more legacy cryptography in a near-future
release, specifically:

 * Refusing all RSA keys smaller than 1024 bits (the current minimum
   is 768 bits)
 * Removing server-side support for the SSH v.1 protocol (currently
   compile-time disabled).
 * In approximately 1 year, removing all support for the SSH v.1
   protocol (currently compile-time disabled).

This list reflects our current intentions, but please check the final
release notes for future releases.

Changes since OpenSSH 7.2
=========================

This is primarily a bugfix release.

Security
--------

 * sshd(8): Mitigate a potential denial-of-service attack against
   the system's crypt(3) function via sshd(8). An attacker could
   send very long passwords that would cause excessive CPU use in
   crypt(3). sshd(8) now refuses to accept password authentication
   requests of length greater than 1024 characters. Independently
   reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto.

 * sshd(8): Mitigate timing differences in password authentication
   that could be used to discern valid from invalid account names
   when long passwords were sent and particular password hashing
   algorithms are in use on the server. CVE-2016-6210, reported by
   EddieEzra.Harari at verint.com

 * ssh(1), sshd(8): Fix observable timing weakness in the CBC padding
   oracle countermeasures. Reported by Jean Paul Degabriele, Kenny
   Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers
   are disabled by default and only included for legacy compatibility.

 * ssh(1), sshd(8): Improve operation ordering of MAC verification for
   Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the
   MAC before decrypting any ciphertext. This removes the possibility
   of timing differences leaking facts about the plaintext, though no
   such leakage has been observed.  Reported by Jean Paul Degabriele,
   Kenny Paterson, Torben Hansen and Martin Albrecht.
    
 * sshd(8): (portable only) Ignore PAM environment vars when
   UseLogin=yes. If PAM is configured to read user-specified
   environment variables and UseLogin=yes in sshd_config, then a
   hostile local user may attack /bin/login via LD_PRELOAD or
   similar environment variables set via PAM. CVE-2015-8325,
   found by Shayan Sadigh.

New Features
------------

 * ssh(1): Add a ProxyJump option and corresponding -J command-line
   flag to allow simplified indirection through a one or more SSH
   bastions or "jump hosts".

 * ssh(1): Add an IdentityAgent option to allow specifying specific
   agent sockets instead of accepting one from the environment.
    
 * ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be
   optionally overridden when using ssh -W. bz#2577

 * ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as
   per draft-sgtatham-secsh-iutf8-00.
    
 * ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman
   2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.

 * ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA
   signatures in certificates;
    
 * ssh(1): Add an Include directive for ssh_config(5) files.

 * ssh(1): Permit UTF-8 characters in pre-authentication banners sent
   from the server. bz#2058

Bugfixes
--------

 * ssh(1), sshd(8): Reduce the syslog level of some relatively common
   protocol events from LOG_CRIT. bz#2585

 * sshd(8): Refuse AuthenticationMethods="" in configurations and
   accept AuthenticationMethods=any for the default behaviour of not
   requiring multiple authentication. bz#2398

 * sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
   ATTEMPT!" message when forward and reverse DNS don't match. bz#2585

 * ssh(1): Close ControlPersist background process stderr except
   in debug mode or when logging to syslog. bz#1988

 * misc: Make PROTOCOL description for direct-streamlocal at openssh.com
   channel open messages match deployed code. bz#2529

 * ssh(1): Deduplicate LocalForward and RemoteForward entries to fix
   failures when both ExitOnForwardFailure and hostname
   canonicalisation are enabled. bz#2562

 * sshd(8): Remove fallback from moduli to obsolete "primes" file
   that was deprecated in 2001. bz#2559.

 * sshd_config(5): Correct description of UseDNS: it affects ssh
   hostname processing for authorized_keys, not known_hosts; bz#2554
    
 * ssh(1): Fix authentication using lone certificate keys in an agent
   without corresponding private keys on the filesystem. bz#2550

 * sshd(8): Send ClientAliveInterval pings when a time-based
   RekeyLimit is set; previously keepalive packets were not being
   sent. bz#2252
    
Portability
-----------

 * ssh(1), sshd(8): Fix compilation by automatically disabling ciphers
   not supported by OpenSSL. bz#2466

 * misc: Fix compilation failures on some versions of AIX's compiler
   related to the definition of the VA_COPY macro. bz#2589

 * sshd(8): Whitelist more architectures to enable the seccomp-bpf
   sandbox. bz#2590

 * ssh-agent(1), sftp-server(8): Disable process tracing on Solaris
   using setpflags(__PROC_PROTECT, ...). bz#2584

 * sshd(8): On Solaris, don't call Solaris setproject() with
   UsePAM=yes it's PAM's responsibility. bz#2425

Checksums:
==========

 - SHA1 (openssh-7.3.tar.gz) = b1641e5265d9ec68a9a19decc3a7edd1203cbd33
 - SHA256 (openssh-7.3.tar.gz) = vS0X35qrX9OOPBkyDMYhOje/DBwHBVEV7nv5rkzw4vM=

 - SHA1 (openssh-7.3p1.tar.gz) = bfade84283fcba885e2084343ab19a08c7d123a5
 - SHA256 (openssh-7.3p1.tar.gz) = P/uYmm3KppWUw7VQ1IVaWi4XGMzd5/XjY4e0JCIPvsw=

Please note that the SHA256 signatures are base64 encoded and not
hexadecimal (which is the default for most checksum tools). The PGP
key used to sign the releases is available as RELEASE_KEY.asc from
the mirror sites.

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh at openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
Tim Rice and Ben Lindstrom.

From yvoinov at gmail.com  Mon Aug  1 22:54:40 2016
From: yvoinov at gmail.com (Yuri Voinov)
Date: Mon, 1 Aug 2016 18:54:40 +0600
Subject: OpenSSH 7.3p1 can't be build on Solaris 10
Message-ID: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
Solaris 10 x64 kernel 150401-35
LibreSSL 2.4.1
GCC 5.2

./configure --with-privsep-user=sshd --with-pam --with-pie
--with-ssl-dir=/usr/local 'CFLAGS=-O3 -m64 -mtune=native -pipe'
'LDFLAGS=-m64'

successful.

gmake produces error:

root @ khorne /patch/openssh-7.3p1 # gmake          
conffile=`echo sshd_config.out | sed 's/.out$//'`; \
/opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g'
-e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
./${conffile} > sshd_config.out
conffile=`echo ssh_config.out | sed 's/.out$//'`; \
/opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g'
-e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
./${conffile} > ssh_config.out
conffile=`echo moduli.out | sed 's/.out$//'`; \
/opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g'
-e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
./${conffile} > moduli.out
if test "man" = "cat"; then \
        manpage=./`echo moduli.5.out | sed 's/\.[1-9]\.out$/\.0/'`; \
else \
        manpage=./`echo moduli.5.out | sed 's/\.out$//'`; \
fi; \
if test "man" = "man"; then \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
            gawk -f ./mdoc2man.awk > moduli.5.out; \
else \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  > moduli.5.out; \
fi
if test "man" = "cat"; then \
        manpage=./`echo scp.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \
else \
        manpage=./`echo scp.1.out | sed 's/\.out$//'`; \
fi; \
if test "man" = "man"; then \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
            gawk -f ./mdoc2man.awk > scp.1.out; \
else \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  > scp.1.out; \
fi
if test "man" = "cat"; then \
        manpage=./`echo ssh-add.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \
else \
        manpage=./`echo ssh-add.1.out | sed 's/\.out$//'`; \
fi; \
if test "man" = "man"; then \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
            gawk -f ./mdoc2man.awk > ssh-add.1.out; \
else \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  > ssh-add.1.out; \
fi
if test "man" = "cat"; then \
        manpage=./`echo ssh-agent.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \
else \
        manpage=./`echo ssh-agent.1.out | sed 's/\.out$//'`; \
fi; \
if test "man" = "man"; then \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
            gawk -f ./mdoc2man.awk > ssh-agent.1.out; \
else \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  > ssh-agent.1.out; \
fi
if test "man" = "cat"; then \
        manpage=./`echo ssh-keygen.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \
else \
        manpage=./`echo ssh-keygen.1.out | sed 's/\.out$//'`; \
fi; \
if test "man" = "man"; then \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
            gawk -f ./mdoc2man.awk > ssh-keygen.1.out; \
else \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  > ssh-keygen.1.out; \
fi
if test "man" = "cat"; then \
        manpage=./`echo ssh-keyscan.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \
else \
        manpage=./`echo ssh-keyscan.1.out | sed 's/\.out$//'`; \
fi; \
if test "man" = "man"; then \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
            gawk -f ./mdoc2man.awk > ssh-keyscan.1.out; \
else \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  >
ssh-keyscan.1.out; \
fi
if test "man" = "cat"; then \
        manpage=./`echo ssh.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \
else \
        manpage=./`echo ssh.1.out | sed 's/\.out$//'`; \
fi; \
if test "man" = "man"; then \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
            gawk -f ./mdoc2man.awk > ssh.1.out; \
else \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  > ssh.1.out; \
fi
if test "man" = "cat"; then \
        manpage=./`echo sshd.8.out | sed 's/\.[1-9]\.out$/\.0/'`; \
else \
        manpage=./`echo sshd.8.out | sed 's/\.out$//'`; \
fi; \
if test "man" = "man"; then \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
            gawk -f ./mdoc2man.awk > sshd.8.out; \
else \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  > sshd.8.out; \
fi
if test "man" = "cat"; then \
        manpage=./`echo sftp-server.8.out | sed 's/\.[1-9]\.out$/\.0/'`; \
else \
        manpage=./`echo sftp-server.8.out | sed 's/\.out$//'`; \
fi; \
if test "man" = "man"; then \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
            gawk -f ./mdoc2man.awk > sftp-server.8.out; \
else \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  >
sftp-server.8.out; \
fi
if test "man" = "cat"; then \
        manpage=./`echo sftp.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \
else \
        manpage=./`echo sftp.1.out | sed 's/\.out$//'`; \
fi; \
if test "man" = "man"; then \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
            gawk -f ./mdoc2man.awk > sftp.1.out; \
else \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  > sftp.1.out; \
fi
if test "man" = "cat"; then \
        manpage=./`echo ssh-keysign.8.out | sed 's/\.[1-9]\.out$/\.0/'`; \
else \
        manpage=./`echo ssh-keysign.8.out | sed 's/\.out$//'`; \
fi; \
if test "man" = "man"; then \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
            gawk -f ./mdoc2man.awk > ssh-keysign.8.out; \
else \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  >
ssh-keysign.8.out; \
fi
if test "man" = "cat"; then \
        manpage=./`echo ssh-pkcs11-helper.8.out | sed
's/\.[1-9]\.out$/\.0/'`; \
else \
        manpage=./`echo ssh-pkcs11-helper.8.out | sed 's/\.out$//'`; \
fi; \
if test "man" = "man"; then \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
            gawk -f ./mdoc2man.awk > ssh-pkcs11-helper.8.out; \
else \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  >
ssh-pkcs11-helper.8.out; \
fi
if test "man" = "cat"; then \
        manpage=./`echo sshd_config.5.out | sed 's/\.[1-9]\.out$/\.0/'`; \
else \
        manpage=./`echo sshd_config.5.out | sed 's/\.out$//'`; \
fi; \
if test "man" = "man"; then \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
            gawk -f ./mdoc2man.awk > sshd_config.5.out; \
else \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  >
sshd_config.5.out; \
fi
if test "man" = "cat"; then \
        manpage=./`echo ssh_config.5.out | sed 's/\.[1-9]\.out$/\.0/'`; \
else \
        manpage=./`echo ssh_config.5.out | sed 's/\.out$//'`; \
fi; \
if test "man" = "man"; then \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
            gawk -f ./mdoc2man.awk > ssh_config.5.out; \
else \
        /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  > ssh_config.5.out; \
fi
(cd openbsd-compat && gmake)
gmake[1]: Entering directory '/patch/openssh-7.3p1/openbsd-compat'
gcc -O3 -m64 -mtune=native -pipe -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong
-fPIE  -I. -I.. -I. -I./.. -I/usr/local/include  -DHAVE_CONFIG_H -c
arc4random.c
In file included from ../includes.h:171:0,
                 from arc4random.c:27:
../openbsd-compat/openbsd-compat.h:233:23: error: expected identifier or
'(' before numeric constant
 # define mblen(x, y) (1)
                       ^
Makefile:26: recipe for target 'arc4random.o' failed
gmake[1]: *** [arc4random.o] Error 1
gmake[1]: Leaving directory '/patch/openssh-7.3p1/openbsd-compat'
Makefile:156: recipe for target 'openbsd-compat/libopenbsd-compat.a' failed
gmake: *** [openbsd-compat/libopenbsd-compat.a] Error 2

Note: 7.2 builds without any problem on the same environment and server.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBCAAGBQJXn0aKAAoJENNXIZxhPexGcDwIAK+LipN8PCIMrG0Oe6gib74e
WWKkx6wd7QfZ29hrZ1d/2PRLpm/YfNSNYP+xDrt49vx0w4a6JGGJMrVPse4r7bZU
daPHZ4Irud/U7yi8lyaEpZvkTz/xf4FAvF5F2AgqyZstD0EbFn5doTUlDa+3Hs4b
sCwa+ckgRxjaAhfJx3XL2vHTN2I2ziMaTkOTKmaA4ATKw0CbMJjJ0Y6dF2FDb+ZZ
YWAH5d6orn0iFmzwUucxQ+qfeMzwTab2tAlpohRVG/o9HA5eUMeSe7mgHetxpvgA
ePZhkSeN0aXegVtfkxtj7qSthIS7hNzbUsoy66NY/b4b6uSJ2NxPfCfiQ8m4z4M=
=ZNYN
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160801/1d54d467/attachment-0001.bin>

From dtucker at zip.com.au  Mon Aug  1 23:18:22 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 1 Aug 2016 23:18:22 +1000
Subject: OpenSSH 7.3p1 can't be build on Solaris 10
In-Reply-To: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
References: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
Message-ID: <CALDDTe0EzMamUTqxTupQGUfGYr3D7CHa3oWjN0SwzRfk-TpJCw@mail.gmail.com>

On Mon, Aug 1, 2016 at 10:54 PM, Yuri Voinov <yvoinov at gmail.com> wrote:
> Solaris 10 x64 kernel 150401-35
> LibreSSL 2.4.1
> GCC 5.2

It worked for me on Solaris 10 with "gcc version 3.4.3" and Solaris 11
"gcc version 4.5.2" (both on x86) so my guess it's something specific
to newer gcc versions.  Where did you get that gcc package?  I'd like
to try to reproduce it.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From yvoinov at gmail.com  Mon Aug  1 23:21:23 2016
From: yvoinov at gmail.com (Yuri Voinov)
Date: Mon, 1 Aug 2016 19:21:23 +0600
Subject: OpenSSH 7.3p1 can't be build on Solaris 10
In-Reply-To: <CALDDTe0EzMamUTqxTupQGUfGYr3D7CHa3oWjN0SwzRfk-TpJCw@mail.gmail.com>
References: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
 <CALDDTe0EzMamUTqxTupQGUfGYr3D7CHa3oWjN0SwzRfk-TpJCw@mail.gmail.com>
Message-ID: <e3c9d585-d4a2-8b91-1573-0da60331567e@gmail.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
GCC from opencsw.org


01.08.2016 19:18, Darren Tucker ?????:
> On Mon, Aug 1, 2016 at 10:54 PM, Yuri Voinov <yvoinov at gmail.com> wrote:
>> Solaris 10 x64 kernel 150401-35
>> LibreSSL 2.4.1
>> GCC 5.2
>
> It worked for me on Solaris 10 with "gcc version 3.4.3" and Solaris 11
> "gcc version 4.5.2" (both on x86) so my guess it's something specific
> to newer gcc versions.  Where did you get that gcc package?  I'd like
> to try to reproduce it.
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBCAAGBQJXn0zSAAoJENNXIZxhPexG9cEIAIr0M9UeXS+zvc7D2RYKnCkE
u+ZujA+7PxhG6AlAkPqzmLKQAU2sm2dH27YjbN1hBCpPuESI0VHf6RX9xX36Eatz
4GB2NnRKHigA77UWsbzjYjJ7eAv02CzMkfpSizWZJ0Q4F3GjntXfiDJwcJfXlEod
AbpcsDr/l45gKLKr4sjt3wCE3X9xZ0Y6mTvXIX/UngdSN8s1V8tXgXH0/Zc3GYEt
ud51S13F2g0Bf6nuOEiRv4lx5Ify6jmccWAkhNIn4ipYhcrfElqFBBOlDUAo35M4
ypPqEezk5c75jScv7pHRwl44w8OgZgZPYIQaFKCAz+efJLkyDSh1DQb1xvQJH4w=
=MDrV
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160801/60ddc81c/attachment.bin>

From dtucker at zip.com.au  Tue Aug  2 00:06:06 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 2 Aug 2016 00:06:06 +1000
Subject: OpenSSH 7.3p1 can't be build on Solaris 10
In-Reply-To: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
References: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
Message-ID: <CALDDTe3iR_1Edn2HM+GOKexUhxs4na46Ez-eEAQK==obxCERug@mail.gmail.com>

On Mon, Aug 1, 2016 at 10:54 PM, Yuri Voinov <yvoinov at gmail.com> wrote:
> ../openbsd-compat/openbsd-compat.h:233:23: error: expected identifier or
> '(' before numeric constant
>  # define mblen(x, y) (1)

It sounds like you have mblen but configure didn't find it.  Did
configure detect mblen?  There should be some output from configure,
and if it didn't there should be a reason in config.log (although
it'll be buried in there somewhere).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From yvoinov at gmail.com  Tue Aug  2 00:42:11 2016
From: yvoinov at gmail.com (Yuri Voinov)
Date: Mon, 1 Aug 2016 20:42:11 +0600
Subject: OpenSSH 7.3p1 can't be build on Solaris 10
In-Reply-To: <CALDDTe3iR_1Edn2HM+GOKexUhxs4na46Ez-eEAQK==obxCERug@mail.gmail.com>
References: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
 <CALDDTe3iR_1Edn2HM+GOKexUhxs4na46Ez-eEAQK==obxCERug@mail.gmail.com>
Message-ID: <3dde1627-7f05-dfe4-0035-f63f28e97f8c@gmail.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
configure:17280: result: no
configure:17300: checking for mblen
configure:17356: gcc -o conftest -O3 -m64 -mtune=native -pipe -Wall
-Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security
-Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result
-fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset
-fstack-protector-strong -fPIE -D_XOPEN_SOURCE  -m64 -Wl,-z,now
-fstack-protector-strong -pie conftest.c -lnsl -lz -lsocket  >&5
In file included from /usr/include/limits.h:17:0,
                 from
/opt/csw/lib/gcc/i386-pc-solaris2.10/5.2.0/include-fixed/limits.h:168,
                 from
/opt/csw/lib/gcc/i386-pc-solaris2.10/5.2.0/include-fixed/syslimits.h:7,
                 from
/opt/csw/lib/gcc/i386-pc-solaris2.10/5.2.0/include-fixed/limits.h:34,
                 from conftest.c:162:
/opt/csw/lib/gcc/i386-pc-solaris2.10/5.2.0/include-fixed/sys/feature_tests.h:346:2:
error: #error "Compiler or options invalid for pre-UNIX 03 X/Open
applications     and pre-2001 POSIX applications"
 #error "Compiler or options invalid for pre-UNIX 03 X/Open applications \
  ^
configure:17362: $? = 1
configure: failed program was:
| /* confdefs.h.  */

ac_cv_func_mblen=no

Seems can't. But why? 7.2 does.


01.08.2016 20:06, Darren Tucker ?????:
> On Mon, Aug 1, 2016 at 10:54 PM, Yuri Voinov <yvoinov at gmail.com> wrote:
>> ../openbsd-compat/openbsd-compat.h:233:23: error: expected identifier or
>> '(' before numeric constant
>>  # define mblen(x, y) (1)
>
> It sounds like you have mblen but configure didn't find it.  Did
> configure detect mblen?  There should be some output from configure,
> and if it didn't there should be a reason in config.log (although
> it'll be buried in there somewhere).
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBCAAGBQJXn1/DAAoJENNXIZxhPexG23gH/1/hddo9ghHjCmLMaezFVt0S
tlOz7Z4+4GydDks3jytaR3tJrFGRD9eWkf0TegXblA19sDkoOaQV0tJtIBVQ8bpf
Iw137EyszCuJLNGNo+P664Altcmg1YrIJlhqCFh5hvCBT1UsVD9hBjJnQ/Vn37Vy
1atg+SXDBa6WO3bC2I8OmZjwwceIpEnyeCvCmWx3Hp7TEmkeNhGWUXEyibSVTa7k
hgcVEkrw4h+cUFxkWU9QhiSziiIdFr9vthX+N+ur2Oit95nSetendcmPR29WrMcH
852izW40NqpjBhHJqtdLhBkFpAKeFLrs9Fu0znBgkU/W0gYq2rWq7H/aBTWKktc=
=Mndg
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160801/04d63a82/attachment-0001.bin>

From dtucker at zip.com.au  Tue Aug  2 00:52:05 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 2 Aug 2016 00:52:05 +1000
Subject: OpenSSH 7.3p1 can't be build on Solaris 10
In-Reply-To: <3dde1627-7f05-dfe4-0035-f63f28e97f8c@gmail.com>
References: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
 <CALDDTe3iR_1Edn2HM+GOKexUhxs4na46Ez-eEAQK==obxCERug@mail.gmail.com>
 <3dde1627-7f05-dfe4-0035-f63f28e97f8c@gmail.com>
Message-ID: <CALDDTe0HGmXR+3tL-=7feFSfG+EGnM8B2ZfO55eR8EseGXo95Q@mail.gmail.com>

On Tue, Aug 2, 2016 at 12:42 AM, Yuri Voinov <yvoinov at gmail.com> wrote:
[...]
> /opt/csw/lib/gcc/i386-pc-solaris2.10/5.2.0/include-fixed/sys/feature_tests.h:346:2:
> error: #error "Compiler or options invalid for pre-UNIX 03 X/Open
> applications     and pre-2001 POSIX applications"

What's the code around line 364 of
/opt/csw/lib/gcc/i386-pc-solaris2.10/5.2.0/include-fixed/sys/feature_tests.h,
especially the enclosing ifdefs?

[..]
> Seems can't. But why? 7.2 does.

Dunno, I can't think of any obvious changes to compiler flags.  Maybe
try it without setting CFLAGS?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From yvoinov at gmail.com  Tue Aug  2 01:00:53 2016
From: yvoinov at gmail.com (Yuri Voinov)
Date: Mon, 1 Aug 2016 21:00:53 +0600
Subject: OpenSSH 7.3p1 can't be build on Solaris 10
In-Reply-To: <CALDDTe0HGmXR+3tL-=7feFSfG+EGnM8B2ZfO55eR8EseGXo95Q@mail.gmail.com>
References: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
 <CALDDTe3iR_1Edn2HM+GOKexUhxs4na46Ez-eEAQK==obxCERug@mail.gmail.com>
 <3dde1627-7f05-dfe4-0035-f63f28e97f8c@gmail.com>
 <CALDDTe0HGmXR+3tL-=7feFSfG+EGnM8B2ZfO55eR8EseGXo95Q@mail.gmail.com>
Message-ID: <b65e8e64-5a7b-cdad-bf93-7b950d2e8c3b@gmail.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
/*
 * It is invalid to compile an XPG3, XPG4, XPG4v2, or XPG5 application
 * using c99.  The same is true for POSIX.1-1990, POSIX.2-1992, POSIX.1b,
 * and POSIX.1c applications. Likewise, it is invalid to compile an XPG6
 * or a POSIX.1-2001 application with anything other than a c99 or later
 * compiler.  Therefore, we force an error in both cases.
 */
#if defined(_STDC_C99) && (defined(__XOPEN_OR_POSIX) && !defined(_XPG6))
#error "Compiler or options invalid for pre-UNIX 03 X/Open applications \
    and pre-2001 POSIX applications"
#elif !defined(_STDC_C99) && \
    (defined(__XOPEN_OR_POSIX) && defined(_XPG6))
#error "Compiler or options invalid; UNIX 03 and POSIX.1-2001 applications \
    require the use of c99"
#endif



01.08.2016 20:52, Darren Tucker ?????:
> On Tue, Aug 2, 2016 at 12:42 AM, Yuri Voinov <yvoinov at gmail.com> wrote:
> [...]
>>
/opt/csw/lib/gcc/i386-pc-solaris2.10/5.2.0/include-fixed/sys/feature_tests.h:346:2:
>> error: #error "Compiler or options invalid for pre-UNIX 03 X/Open
>> applications     and pre-2001 POSIX applications"
>
> What's the code around line 364 of
>
/opt/csw/lib/gcc/i386-pc-solaris2.10/5.2.0/include-fixed/sys/feature_tests.h,
> especially the enclosing ifdefs?
>
> [..]
>> Seems can't. But why? 7.2 does.
>
> Dunno, I can't think of any obvious changes to compiler flags.  Maybe
> try it without setting CFLAGS?
They required because I need sshd 64 bit exactly. This is Solaris, with
dual kernel, I can't mix 32 and 64 bit code in running executables due
to stability reasons. without -m64 code generates in 32 bit only mode.
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBCAAGBQJXn2QlAAoJENNXIZxhPexGlcUIALvgV2FGJ1UlB2Dt6Q5l80LT
GROZ9G8oeO1ibUK1exrsRtDnb4eewRWk6FvrlfL+wJ/6IzOMdgwj60W8h0C1Hk9A
P9LxG/01JMuyS3TBdVVw/SN9d2MwWgbJPkdzESXhBXun7lpbcV1F618D8Gqc5fmN
NmikEnSxL3y1LOM9cQBfoZqIckUrsPl3hTq0yw/NpEqia64X5n3+cQ8AGeAZSSzE
B3BDAuANKyrrHRCyibneNoKfSOmF4h5a7xX2g3KUcHhPdKgNqpbC9tfhnqM9dCI+
hDm7Bnf0OhoM6tJXJJSJFw89FfMdNPVVxqmGBtNOzo1wjgnShQYmc13m/oXtA0Y=
=wu4/
-----END PGP SIGNATURE-----

-------------- next part --------------
/*  DO NOT EDIT THIS FILE.

    It has been auto-edited by fixincludes from:

	"/usr/include/sys/feature_tests.h"

    This had to be done to correct non-standard usages in the
    original, manufacturer supplied header file.  */

/*
 * Copyright (c) 1993, 2011, Oracle and/or its affiliates. All rights reserved.
 */

#ifndef _SYS_FEATURE_TESTS_H
#define	_SYS_FEATURE_TESTS_H

#pragma ident	"@(#)feature_tests.h	1.26	11/04/12 SMI"

#include <sys/ccompile.h>
#include <sys/isa_defs.h>

#ifdef	__cplusplus
extern "C" {
#endif

/*
 * Values of _POSIX_C_SOURCE
 *
 *		undefined   not a POSIX compilation
 *		1	    POSIX.1-1990 compilation
 *		2	    POSIX.2-1992 compilation
 *		199309L	    POSIX.1b-1993 compilation (Real Time)
 *		199506L	    POSIX.1c-1995 compilation (POSIX Threads)
 *		200112L	    POSIX.1-2001 compilation (Austin Group Revision)
 */
#if defined(_POSIX_SOURCE) && !defined(_POSIX_C_SOURCE)
#define	_POSIX_C_SOURCE 1
#endif

/*
 * The feature test macros __XOPEN_OR_POSIX, _STRICT_STDC, and _STDC_C99
 * are Sun implementation specific macros created in order to compress
 * common standards specified feature test macros for easier reading.
 * These macros should not be used by the application developer as
 * unexpected results may occur. Instead, the user should reference
 * standards(5) for correct usage of the standards feature test macros.
 *
 * __XOPEN_OR_POSIX     Used in cases where a symbol is defined by both
 *                      X/Open or POSIX or in the negative, when neither
 *                      X/Open or POSIX defines a symbol.
 *
 * _STRICT_STDC         __STDC__ is specified by the C Standards and defined
 *                      by the compiler. For Sun compilers the value of
 *                      __STDC__ is either 1, 0, or not defined based on the
 *                      compilation mode (see cc(1)). When the value of
 *                      __STDC__ is 1 and in the absence of any other feature
 *                      test macros, the namespace available to the application
 *                      is limited to only those symbols defined by the C
 *                      Standard. _STRICT_STDC provides a more readable means
 *                      of identifying symbols defined by the standard, or in
 *                      the negative, symbols that are extensions to the C
 *                      Standard. See additional comments for GNU C differences.
 *
 * _STDC_C99            __STDC_VERSION__ is specified by the C standards and
 *                      defined by the compiler and indicates the version of
 *                      the C standard. A value of 199901L indicates a
 *                      compiler that complies with ISO/IEC 9899:1999, other-
 *                      wise known as the C99 standard.
 */

#if defined(_XOPEN_SOURCE) || defined(_POSIX_C_SOURCE)
#define	__XOPEN_OR_POSIX
#endif

/*
 * ISO/IEC 9899:1990 and it's revision, ISO/IEC 9899:1999 specify the
 * following predefined macro name:
 *
 * __STDC__	The integer constant 1, intended to indicate a conforming
 *		implementation.
 *
 * Furthermore, a strictly conforming program shall use only those features
 * of the language and library specified in these standards. A conforming
 * implementation shall accept any strictly conforming program.
 *
 * Based on these requirements, Sun's C compiler defines __STDC__ to 1 for
 * strictly conforming environments and __STDC__ to 0 for environments that
 * use ANSI C semantics but allow extensions to the C standard. For non-ANSI
 * C semantics, Sun's C compiler does not define __STDC__.
 *
 * The GNU C project interpretation is that __STDC__ should always be defined
 * to 1 for compilation modes that accept ANSI C syntax regardless of whether
 * or not extensions to the C standard are used. Violations of conforming
 * behavior are conditionally flagged as warnings via the use of the
 * -pedantic option. In addition to defining __STDC__ to 1, the GNU C
 * compiler also defines __STRICT_ANSI__ as a means of specifying strictly
 * conforming environments using the -ansi or -std=<standard> options.
 *
 * In the absence of any other compiler options, Sun and GNU set the value
 * of __STDC__ as follows when using the following options:
 *
 *				Value of __STDC__  __STRICT_ANSI__
 *
 * cc -Xa (default)			0	      undefined
 * cc -Xt (transitional)		0             undefined
 * cc -Xc (strictly conforming)		1	      undefined
 * cc -Xs (K&R C)		    undefined	      undefined
 *
 * gcc (default)			1	      undefined
 * gcc -ansi, -std={c89, c99,...)  	1              defined
 * gcc -traditional (K&R)	    undefined	      undefined
 *
 * The default compilation modes for Sun C compilers versus GNU C compilers
 * results in a differing value for __STDC__ which results in a more
 * restricted namespace when using Sun compilers. To allow both GNU and Sun
 * interpretations to peacefully co-exist, we use the following Sun
 * implementation _STRICT_STDC_ macro:
 */

#if ( defined(__STRICT_ANSI__) && !defined(__GNUC__)) || \
	(defined(__GNUC__) && defined(__STRICT_ANSI__))
#define	_STRICT_STDC
#else
#undef	_STRICT_STDC
#endif

/*
 * Compiler complies with ISO/IEC 9899:1999
 */

#if __STDC_VERSION__ - 0 >= 199901L
#define	_STDC_C99
#endif

/*
 * Large file interfaces:
 *
 *	_LARGEFILE_SOURCE
 *		1		large file-related additions to POSIX
 *				interfaces requested (fseeko, etc.)
 *	_LARGEFILE64_SOURCE
 *		1		transitional large-file-related interfaces
 *				requested (seek64, stat64, etc.)
 *
 * The corresponding announcement macros are respectively:
 *	_LFS_LARGEFILE
 *	_LFS64_LARGEFILE
 * (These are set in <unistd.h>.)
 *
 * Requesting _LARGEFILE64_SOURCE implies requesting _LARGEFILE_SOURCE as
 * well.
 *
 * The large file interfaces are made visible regardless of the initial values
 * of the feature test macros under certain circumstances:
 *    -	If no explicit standards-conforming environment is requested (neither
 *	of _POSIX_SOURCE nor _XOPEN_SOURCE is defined and the value of
 *	__STDC__ does not imply standards conformance).
 *    -	Extended system interfaces are explicitly requested (__EXTENSIONS__
 * 	is defined).
 *    -	Access to in-kernel interfaces is requested (_KERNEL or _KMEMUSER is
 *	defined).  (Note that this dependency is an artifact of the current
 *	kernel implementation and may change in future releases.)
 */
#if	(!defined(_STRICT_STDC) && !defined(__XOPEN_OR_POSIX)) || \
		defined(_KERNEL) || defined(_KMEMUSER) || \
		defined(__EXTENSIONS__)
#undef	_LARGEFILE64_SOURCE
#define	_LARGEFILE64_SOURCE	1
#endif
#if	_LARGEFILE64_SOURCE - 0 == 1
#undef	_LARGEFILE_SOURCE
#define	_LARGEFILE_SOURCE	1
#endif

/*
 * Large file compilation environment control:
 *
 * The setting of _FILE_OFFSET_BITS controls the size of various file-related
 * types and governs the mapping between file-related source function symbol
 * names and the corresponding binary entry points.
 *
 * In the 32-bit environment, the default value is 32; if not set, set it to
 * the default here, to simplify tests in other headers.
 *
 * In the 64-bit compilation environment, the only value allowed is 64.
 */
#if defined(_LP64)
#ifndef _FILE_OFFSET_BITS
#define	_FILE_OFFSET_BITS	64
#endif
#if	_FILE_OFFSET_BITS - 0 != 64
#error	"invalid _FILE_OFFSET_BITS value specified"
#endif
#else	/* _LP64 */
#ifndef	_FILE_OFFSET_BITS
#define	_FILE_OFFSET_BITS	32
#endif
#if	_FILE_OFFSET_BITS - 0 != 32 && _FILE_OFFSET_BITS - 0 != 64
#error	"invalid _FILE_OFFSET_BITS value specified"
#endif
#endif	/* _LP64 */

/*
 * Use of _XOPEN_SOURCE
 *
 * The following X/Open specifications are supported:
 *
 * X/Open Portability Guide, Issue 3 (XPG3)
 * X/Open CAE Specification, Issue 4 (XPG4)
 * X/Open CAE Specification, Issue 4, Version 2 (XPG4v2)
 * X/Open CAE Specification, Issue 5 (XPG5)
 * Open Group Technical Standard, Issue 6 (XPG6), also referred to as
 *    IEEE Std. 1003.1-2001 and ISO/IEC 9945:2002.
 *
 * XPG4v2 is also referred to as UNIX 95 (SUS or SUSv1).
 * XPG5 is also referred to as UNIX 98 or the Single Unix Specification,
 *     Version 2 (SUSv2)
 * XPG6 is the result of a merge of the X/Open and POSIX specifications
 *     and as such is also referred to as IEEE Std. 1003.1-2001 in
 *     addition to UNIX 03 and SUSv3.
 *
 * When writing a conforming X/Open application, as per the specification
 * requirements, the appropriate feature test macros must be defined at
 * compile time. These are as follows. For more info, see standards(5).
 *
 * Feature Test Macro				     Specification
 * ------------------------------------------------  -------------
 * _XOPEN_SOURCE                                         XPG3
 * _XOPEN_SOURCE && _XOPEN_VERSION = 4                   XPG4
 * _XOPEN_SOURCE && _XOPEN_SOURCE_EXTENDED = 1           XPG4v2
 * _XOPEN_SOURCE = 500                                   XPG5
 * _XOPEN_SOURCE = 600  (or POSIX_C_SOURCE=200112L)      XPG6
 *
 * In order to simplify the guards within the headers, the following
 * implementation private test macros have been created. Applications
 * must NOT use these private test macros as unexpected results will
 * occur.
 *
 * Note that in general, the use of these private macros is cumulative.
 * For example, the use of _XPG3 with no other restrictions on the X/Open
 * namespace will make the symbols visible for XPG3 through XPG6
 * compilation environments. The use of _XPG4_2 with no other X/Open
 * namespace restrictions indicates that the symbols were introduced in
 * XPG4v2 and are therefore visible for XPG4v2 through XPG6 compilation
 * environments, but not for XPG3 or XPG4 compilation environments.
 *
 * _XPG3    X/Open Portability Guide, Issue 3 (XPG3)
 * _XPG4    X/Open CAE Specification, Issue 4 (XPG4)
 * _XPG4_2  X/Open CAE Specification, Issue 4, Version 2 (XPG4v2/UNIX 95/SUS)
 * _XPG5    X/Open CAE Specification, Issue 5 (XPG5/UNIX 98/SUSv2)
 * _XPG6    Open Group Technical Standard, Issue 6 (XPG6/UNIX 03/SUSv3)
 */

/* X/Open Portability Guide, Issue 3 */
#if defined(_XOPEN_SOURCE) && (_XOPEN_SOURCE - 0 < 500) && \
	(_XOPEN_VERSION - 0 < 4) && !defined(_XOPEN_SOURCE_EXTENDED)
#define	_XPG3
/* X/Open CAE Specification, Issue 4 */
#elif	(defined(_XOPEN_SOURCE) && _XOPEN_VERSION - 0 == 4)
#define	_XPG4
#define	_XPG3
/* X/Open CAE Specification, Issue 4, Version 2 */
#elif (defined(_XOPEN_SOURCE) && _XOPEN_SOURCE_EXTENDED - 0 == 1)
#define	_XPG4_2
#define	_XPG4
#define	_XPG3
/* X/Open CAE Specification, Issue 5 */
#elif	(_XOPEN_SOURCE - 0 == 500)
#define	_XPG5
#define	_XPG4_2
#define	_XPG4
#define	_XPG3
#undef	_POSIX_C_SOURCE
#define	_POSIX_C_SOURCE			199506L
/* Open Group Technical Standard , Issue 6 */
#elif	(_XOPEN_SOURCE - 0 == 600) || (_POSIX_C_SOURCE - 0 == 200112L)
#define	_XPG6
#define	_XPG5
#define	_XPG4_2
#define	_XPG4
#define	_XPG3
#undef	_POSIX_C_SOURCE
#define	_POSIX_C_SOURCE			200112L
#undef	_XOPEN_SOURCE
#define	_XOPEN_SOURCE			600
#endif

/*
 * _XOPEN_VERSION is defined by the X/Open specifications and is not
 * normally defined by the application, except in the case of an XPG4
 * application.  On the implementation side, _XOPEN_VERSION defined with
 * the value of 3 indicates an XPG3 application. _XOPEN_VERSION defined
 * with the value of 4 indicates an XPG4 or XPG4v2 (UNIX 95) application.
 * _XOPEN_VERSION  defined with a value of 500 indicates an XPG5 (UNIX 98)
 * application and with a value of 600 indicates an XPG6 (UNIX 03)
 * application.  The appropriate version is determined by the use of the
 * feature test macros described earlier.  The value of _XOPEN_VERSION
 * defaults to 3 otherwise indicating support for XPG3 applications.
 */
#ifndef _XOPEN_VERSION
#ifdef	_XPG6
#define	_XOPEN_VERSION 600
#elif defined(_XPG5)
#define	_XOPEN_VERSION 500
#elif	defined(_XPG4_2)
#define	_XOPEN_VERSION  4
#else
#define	_XOPEN_VERSION  3
#endif
#endif

/* Workaround for detecting the 32-bit version of Rational's compiler */
#if	defined(__rational__) && defined(__sparcv8)
#define	_RATIONAL32
#endif

/*
 * ANSI C and ISO 9899:1990 say the type long long doesn't exist in strictly
 * conforming environments.  ISO 9899:1999 says it does.
 *
 * The presence of _LONGLONG_TYPE says "long long exists" which is therefore
 * defined in all but strictly conforming environments that disallow it.
 */
#if !defined(_STDC_C99) && defined(_STRICT_STDC) && !defined(__GNUC__) || \
	defined(_RATIONAL32)
/*
 * Resist attempts to force the definition of long long in this case.
 */
#if defined(_LONGLONG_TYPE)
#error	"No long long in strictly conforming ANSI C & 1990 ISO C environments"
#endif
#else
#if !defined(_LONGLONG_TYPE)
#define	_LONGLONG_TYPE
#endif
#endif

/*
 * It is invalid to compile an XPG3, XPG4, XPG4v2, or XPG5 application
 * using c99.  The same is true for POSIX.1-1990, POSIX.2-1992, POSIX.1b,
 * and POSIX.1c applications. Likewise, it is invalid to compile an XPG6
 * or a POSIX.1-2001 application with anything other than a c99 or later
 * compiler.  Therefore, we force an error in both cases.
 */
#if defined(_STDC_C99) && (defined(__XOPEN_OR_POSIX) && !defined(_XPG6))
#error "Compiler or options invalid for pre-UNIX 03 X/Open applications \
	and pre-2001 POSIX applications"
#elif !defined(_STDC_C99) && \
	(defined(__XOPEN_OR_POSIX) && defined(_XPG6))
#error "Compiler or options invalid; UNIX 03 and POSIX.1-2001 applications \
	require the use of c99"
#endif

/*
 * The following macro defines a value for the ISO C99 restrict
 * keyword so that _RESTRICT_KYWD resolves to "restrict" if
 * an ISO C99 compiler is used and "" (null string) if any other
 * compiler is used. This allows for the use of single prototype
 * declarations regardless of compiler version.
 */
#if (defined(__STDC__) && defined(_STDC_C99))
#ifdef __cplusplus
#define	_RESTRICT_KYWD	__restrict
#else
#define	_RESTRICT_KYWD	restrict
#endif
#else
#define	_RESTRICT_KYWD
#endif

/*
 * The following macro indicates header support for the ANSI C++
 * standard.  The ISO/IEC designation for this is ISO/IEC FDIS 14882.
 */
#define	_ISO_CPP_14882_1998

/*
 * The following macro indicates header support for the C99 standard,
 * ISO/IEC 9899:1999, Programming Languages - C.
 */
#define	_ISO_C_9899_1999

/*
 * The following macro indicates header support for DTrace. The value is an
 * integer that corresponds to the major version number for DTrace.
 */
#define	_DTRACE_VERSION	1

#ifdef	__cplusplus
}
#endif

#endif	/* _SYS_FEATURE_TESTS_H */
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160801/33a11792/attachment-0001.bin>

From yvoinov at gmail.com  Tue Aug  2 01:03:57 2016
From: yvoinov at gmail.com (Yuri Voinov)
Date: Mon, 1 Aug 2016 21:03:57 +0600
Subject: OpenSSH 7.3p1 can't be build on Solaris 10
In-Reply-To: <CALDDTe0HGmXR+3tL-=7feFSfG+EGnM8B2ZfO55eR8EseGXo95Q@mail.gmail.com>
References: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
 <CALDDTe3iR_1Edn2HM+GOKexUhxs4na46Ez-eEAQK==obxCERug@mail.gmail.com>
 <3dde1627-7f05-dfe4-0035-f63f28e97f8c@gmail.com>
 <CALDDTe0HGmXR+3tL-=7feFSfG+EGnM8B2ZfO55eR8EseGXo95Q@mail.gmail.com>
Message-ID: <005a5df6-2bf4-93ff-c01f-6e0008c6723b@gmail.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
The same result without CFLAGS:

configure:17300: checking for mblen
configure:17356: gcc -o conftest -g -O2 -Wall -Wpointer-arith
-Wuninitialized -Wsign-compare -Wformat-security
-Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result
-fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset
-fstack-protector-strong -fPIE -D_XOPEN_SOURCE   -Wl,-z,now
-fstack-protector-strong -pie conftest.c -lnsl -lz -lsocket  >&5
In file included from /usr/include/limits.h:17:0,
                 from
/opt/csw/lib/gcc/i386-pc-solaris2.10/5.2.0/include-fixed/limits.h:168,
                 from
/opt/csw/lib/gcc/i386-pc-solaris2.10/5.2.0/include-fixed/syslimits.h:7,
                 from
/opt/csw/lib/gcc/i386-pc-solaris2.10/5.2.0/include-fixed/limits.h:34,
                 from conftest.c:163:
/opt/csw/lib/gcc/i386-pc-solaris2.10/5.2.0/include-fixed/sys/feature_tests.h:346:2:
error: #error "Compiler or options invalid for pre-UNIX 03 X/Open
applications     and pre-2001 POSIX applications"
 #error "Compiler or options invalid for pre-UNIX 03 X/Open applications \
  ^
configure:17362: $? = 1
configure: failed program was:


01.08.2016 20:52, Darren Tucker ?????:
> On Tue, Aug 2, 2016 at 12:42 AM, Yuri Voinov <yvoinov at gmail.com> wrote:
> [...]
>>
/opt/csw/lib/gcc/i386-pc-solaris2.10/5.2.0/include-fixed/sys/feature_tests.h:346:2:
>> error: #error "Compiler or options invalid for pre-UNIX 03 X/Open
>> applications     and pre-2001 POSIX applications"
>
> What's the code around line 364 of
>
/opt/csw/lib/gcc/i386-pc-solaris2.10/5.2.0/include-fixed/sys/feature_tests.h,
> especially the enclosing ifdefs?
>
> [..]
>> Seems can't. But why? 7.2 does.
>
> Dunno, I can't think of any obvious changes to compiler flags.  Maybe
> try it without setting CFLAGS?
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBCAAGBQJXn2TdAAoJENNXIZxhPexGYmUH+gLxj08Xmva5sPYxIJ164wEH
mHarbrR9l+mwaH7HDWYDxsCPTSzcF67lwFfT3xmXxSPUnNEwgvT6QRmzlOzL0BEH
ely6nTnFoJYjfon/w9dny2eQLLaBHkg0BmgPIe+ljrIiV05LRDNUz7IBFfHsMtgp
edeAGI1shJPAud52u/FMFX/uxyjsAFH88dw4VeBI4EO4DlrkFgW8SYznqRHbubq5
Qk9AfHQqZUwGIsgnmiiwiZmXjn1nQcK/E4a2fiEiiU/Uwg+1OhhFSmXFxQUiiIXR
wxWfF/H3ldUHkovVW+xwO8agJnm9/bVAeVYDVULwwUtgnTdIwwOSQUEP3wlNiZg=
=UipS
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160801/fed965a2/attachment.bin>

From doctor at doctor.nl2k.ab.ca  Tue Aug  2 01:16:53 2016
From: doctor at doctor.nl2k.ab.ca (The Doctor)
Date: Mon, 1 Aug 2016 09:16:53 -0600
Subject: Announce: OpenSSH 7.3 released
In-Reply-To: <7e553bdf5d7fe31c@openbsd.org>
References: <7e553bdf5d7fe31c@openbsd.org>
Message-ID: <20160801151653.apwgcn7xmwvvnikw@doctor.nl2k.ab.ca>

On Mon, Aug 01, 2016 at 06:14:02AM -0600, Damien Miller wrote:
> OpenSSH 7.3 has just been released. It will be available from the
> mirrors listed at http://www.openssh.com/ shortly.
> 
> OpenSSH is a 100% complete SSH protocol 2.0 implementation and
> includes sftp client and server support. OpenSSH also includes
> transitional support for the legacy SSH 1.3 and 1.5 protocols
> that may be enabled at compile-time.
> 
> Once again, we would like to thank the OpenSSH community for their
> continued support of the project, especially those who contributed
> code or patches, reported bugs, tested snapshots or donated to the
> project. More information on donations may be found at:
> http://www.openssh.com/donations.html
> 
> Future deprecation notice
> =========================
> 
> We plan on retiring more legacy cryptography in a near-future
> release, specifically:
> 
>  * Refusing all RSA keys smaller than 1024 bits (the current minimum
>    is 768 bits)
>  * Removing server-side support for the SSH v.1 protocol (currently
>    compile-time disabled).
>  * In approximately 1 year, removing all support for the SSH v.1
>    protocol (currently compile-time disabled).
> 
> This list reflects our current intentions, but please check the final
> release notes for future releases.
> 
> Changes since OpenSSH 7.2
> =========================
> 
> This is primarily a bugfix release.
> 
> Security
> --------
> 
>  * sshd(8): Mitigate a potential denial-of-service attack against
>    the system's crypt(3) function via sshd(8). An attacker could
>    send very long passwords that would cause excessive CPU use in
>    crypt(3). sshd(8) now refuses to accept password authentication
>    requests of length greater than 1024 characters. Independently
>    reported by Tomas Kuthan (Oracle), Andres Rojas and Javier Nieto.
> 
>  * sshd(8): Mitigate timing differences in password authentication
>    that could be used to discern valid from invalid account names
>    when long passwords were sent and particular password hashing
>    algorithms are in use on the server. CVE-2016-6210, reported by
>    EddieEzra.Harari at verint.com
> 
>  * ssh(1), sshd(8): Fix observable timing weakness in the CBC padding
>    oracle countermeasures. Reported by Jean Paul Degabriele, Kenny
>    Paterson, Torben Hansen and Martin Albrecht. Note that CBC ciphers
>    are disabled by default and only included for legacy compatibility.
> 
>  * ssh(1), sshd(8): Improve operation ordering of MAC verification for
>    Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the
>    MAC before decrypting any ciphertext. This removes the possibility
>    of timing differences leaking facts about the plaintext, though no
>    such leakage has been observed.  Reported by Jean Paul Degabriele,
>    Kenny Paterson, Torben Hansen and Martin Albrecht.
>     
>  * sshd(8): (portable only) Ignore PAM environment vars when
>    UseLogin=yes. If PAM is configured to read user-specified
>    environment variables and UseLogin=yes in sshd_config, then a
>    hostile local user may attack /bin/login via LD_PRELOAD or
>    similar environment variables set via PAM. CVE-2015-8325,
>    found by Shayan Sadigh.
> 
> New Features
> ------------
> 
>  * ssh(1): Add a ProxyJump option and corresponding -J command-line
>    flag to allow simplified indirection through a one or more SSH
>    bastions or "jump hosts".
> 
>  * ssh(1): Add an IdentityAgent option to allow specifying specific
>    agent sockets instead of accepting one from the environment.
>     
>  * ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be
>    optionally overridden when using ssh -W. bz#2577
> 
>  * ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as
>    per draft-sgtatham-secsh-iutf8-00.
>     
>  * ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman
>    2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
> 
>  * ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA
>    signatures in certificates;
>     
>  * ssh(1): Add an Include directive for ssh_config(5) files.
> 
>  * ssh(1): Permit UTF-8 characters in pre-authentication banners sent
>    from the server. bz#2058
> 
> Bugfixes
> --------
> 
>  * ssh(1), sshd(8): Reduce the syslog level of some relatively common
>    protocol events from LOG_CRIT. bz#2585
> 
>  * sshd(8): Refuse AuthenticationMethods="" in configurations and
>    accept AuthenticationMethods=any for the default behaviour of not
>    requiring multiple authentication. bz#2398
> 
>  * sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
>    ATTEMPT!" message when forward and reverse DNS don't match. bz#2585
> 
>  * ssh(1): Close ControlPersist background process stderr except
>    in debug mode or when logging to syslog. bz#1988
> 
>  * misc: Make PROTOCOL description for direct-streamlocal at openssh.com
>    channel open messages match deployed code. bz#2529
> 
>  * ssh(1): Deduplicate LocalForward and RemoteForward entries to fix
>    failures when both ExitOnForwardFailure and hostname
>    canonicalisation are enabled. bz#2562
> 
>  * sshd(8): Remove fallback from moduli to obsolete "primes" file
>    that was deprecated in 2001. bz#2559.
> 
>  * sshd_config(5): Correct description of UseDNS: it affects ssh
>    hostname processing for authorized_keys, not known_hosts; bz#2554
>     
>  * ssh(1): Fix authentication using lone certificate keys in an agent
>    without corresponding private keys on the filesystem. bz#2550
> 
>  * sshd(8): Send ClientAliveInterval pings when a time-based
>    RekeyLimit is set; previously keepalive packets were not being
>    sent. bz#2252
>     
> Portability
> -----------
> 
>  * ssh(1), sshd(8): Fix compilation by automatically disabling ciphers
>    not supported by OpenSSL. bz#2466
> 
>  * misc: Fix compilation failures on some versions of AIX's compiler
>    related to the definition of the VA_COPY macro. bz#2589
> 
>  * sshd(8): Whitelist more architectures to enable the seccomp-bpf
>    sandbox. bz#2590
> 
>  * ssh-agent(1), sftp-server(8): Disable process tracing on Solaris
>    using setpflags(__PROC_PROTECT, ...). bz#2584
> 
>  * sshd(8): On Solaris, don't call Solaris setproject() with
>    UsePAM=yes it's PAM's responsibility. bz#2425

Thank you for the good news.

Hopefully all BSDes et al will implement.

Any diff files?

All right can we no concentrate on
supporting openssol 1.1 and backwards compability?

FRom openssl

The next beta is 4 Aug

Planned release  26 Aug 

??

My preliminary work indicates we are in
for a major uphill battle to get this done.

INND and Exim have already stated.

Why the delay?

> 
> Checksums:
> ==========
> 
>  - SHA1 (openssh-7.3.tar.gz) = b1641e5265d9ec68a9a19decc3a7edd1203cbd33
>  - SHA256 (openssh-7.3.tar.gz) = vS0X35qrX9OOPBkyDMYhOje/DBwHBVEV7nv5rkzw4vM=
> 
>  - SHA1 (openssh-7.3p1.tar.gz) = bfade84283fcba885e2084343ab19a08c7d123a5
>  - SHA256 (openssh-7.3p1.tar.gz) = P/uYmm3KppWUw7VQ1IVaWi4XGMzd5/XjY4e0JCIPvsw=
> 
> Please note that the SHA256 signatures are base64 encoded and not
> hexadecimal (which is the default for most checksum tools). The PGP
> key used to sign the releases is available as RELEASE_KEY.asc from
> the mirror sites.
> 
> Reporting Bugs:
> ===============
> 
> - Please read http://www.openssh.com/report.html
>   Security bugs should be reported directly to openssh at openssh.com
> 
> OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de
> Raadt, Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre,
> Tim Rice and Ben Lindstrom.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! 
http://www.fullyfollow.me/rootnl2k  Look at Psalms 14 and 53 on Atheism
Time for the USA to hold a referendum on its republic and vote to dissolve!! 

From jakobw at mit.edu  Tue Aug  2 08:16:30 2016
From: jakobw at mit.edu (Jakob Weisblat)
Date: Mon, 1 Aug 2016 15:16:30 -0700
Subject: PKCS#11 libraries and the SSH Agent
Message-ID: <CAFYA_dqEhjg0Ek3kbF8akDW=UM64tXG3uCtDOGforcSudROEuQ@mail.gmail.com>

Hello,

I have 2 questions/suggestions regarding the behavior of ssh-agent
with PKCS#11 libraries. The first concerns authenticating with a
certificate and a smartcard key.

As far as I can tell, the following is a reasonable and useful
authentication mechanism but not currently implemented in OpenSSH's
agent, but possible with the most recent client version. I'd like to
propose an addition to the agent protocol to allow this authentication
mechanism.

The authentication mechanism: certificate-based authentication
combined with a PIV smartcard for the key. That is, store the private
key in PIV hardware, which is currently supported in the agent for use
with traditional public-key authentication (public key is on server,
private key is in hardware, accessed through PKCS#11 library) with
SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_REMOVE_SMARTCARD_KEY, but
provide a certificate from a certificate authority allowing login with
a given public key for a certain amount of time with certain
usernames, etc.

This is currently allowed by having a certificate on the filesystem
and referencing it with an IdentityFile directive in .ssh/config, but
it breaks with agent forwarding. It's impossible with the status quo
to add a certificate to the agent without the private key - the
protocol doesn't allow it:


    RSA certificates may be added with this request:

        byte            SSH2_AGENTC_ADD_IDENTITY or
                        SSH2_AGENTC_ADD_ID_CONSTRAINED
        string          "ssh-rsa-cert-v00 at openssh.com"
        string          certificate
        mpint           rsa_d
        mpint           rsa_iqmp
        mpint           rsa_p
        mpint           rsa_q
        string          key_comment
        constraint[]    key_constraints

Adding a certificate to the agent requires adding private key material
as well. I'd be willing to implement a new method for adding a
smartcard with associated certificate, or I'd be willing to implement
a mechanism for adding RSA certificates without a corresponding
private key, or am amenable to implementing other proposed solutions,
depending on what feedback I get on this.

-----

My second concern regards the behavior of `ssh-add -D`. Several of my
coworkers and I, as well as others, have been confused by the behavior
of `ssh-add -D`. From the man page:

     -D      Deletes all identities from the agent.

The current behavior of `ssh-add -D` is to send
SSH2_AGENTC_REMOVE_ALL_IDENTITIES and
SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES to the agent, removing all the
keys from the agent, including any keys added via PKCS#11 libraries.
However, the PKCS#11 library is still loaded in the agent, and it
won't be unloaded (and thus fails to be reloaded, with an unhelpful
error) unless SSH_AGENTC_REMOVE_SMARTCARD_KEY is sent, and that takes
a parameter of the specific PKCS#11 library involved.

Is this behavior the intended behavior of `ssh-add -D`? If it is, we'd
be happy to introduce a patch to improve the error message to suggest
trying to remove it first.

If not, I can imagine several solutions, which we'd be happy to
implement, depending on which the community thinks is best:

 - change the behavior of the agent to remove the smartcard in
addition to the corresponding identity when
SSH2_AGENTC_REMOVE_ALL_IDENTITIES is run. This is somewhat inideal in
the case of that identity being used with protocol version 1.
 - add a new agent command SSH_AGENTC_REMOVE_ALL_SMARTCARD_KEYS in
addition to SSH_AGENTC_REMOVE_SMARTCARD_KEY that removes all smartcard
keys, modify the agent to accept it and modify ssh-add to send it in
addition to the other 2 commands on `ssh -D`.
 - somehow get the list of loaded PKCS#11 libraries and send
SSH_AGENT_REMOVE_SMARTCARD_KEY for each one in addition to current
behavior on `ssh-add -D`

Here is a demonstration of current behavior:

[~]$ ssh-add -l
  The agent has no identities.
[~]$ ssh-add -s /usr/local/lib/libykcs11.dylib
  Enter passphrase for PKCS#11:
  Card added: /usr/local/lib/libykcs11.dylib
[~]$ ssh-add -l
  2048 SHA256:cJUGM7tTnFD9a0BpI936ERA3Ay+/MFu3huzB+APPoZs
/usr/local/lib/libykcs11.dylib (RSA)
[~]$ ssh-add -D
  All identities removed.
[~]$ ssh-add -l
  The agent has no identities.
[~]$ ssh-add -s /usr/local/lib/libykcs11.dylib # Add the card back
into the agent, it wasn't unloaded by
  Enter passphrase for PKCS#11:
  Could not add card "/usr/local/lib/libykcs11.dylib": agent refused operation
[~]$ ssh-add -l
  The agent has no identities.
[~]$ ssh-add -e /usr/local/lib/libykcs11.dylib
  Card removed: /usr/local/lib/libykcs11.dylib
[~]$ ssh-add -l
  The agent has no identities.
[~]$ ssh-add -s /usr/local/lib/libykcs11.dylib
  Enter passphrase for PKCS#11:
  Card added: /usr/local/lib/libykcs11.dylib
[~]$ ssh-add -l
  2048 SHA256:cJUGM7tTnFD9a0BpI936ERA3Ay+/MFu3huzB+APPoZs
/usr/local/lib/libykcs11.dylib (RSA)
[~]$


Thanks,

Jakob Weisblat
Paranoid Labs
Yahoo! Inc

From dtucker at zip.com.au  Tue Aug  2 13:44:49 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 2 Aug 2016 13:44:49 +1000
Subject: OpenSSH 7.3p1 can't be build on Solaris 10
In-Reply-To: <CALDDTe0HGmXR+3tL-=7feFSfG+EGnM8B2ZfO55eR8EseGXo95Q@mail.gmail.com>
References: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
 <CALDDTe3iR_1Edn2HM+GOKexUhxs4na46Ez-eEAQK==obxCERug@mail.gmail.com>
 <3dde1627-7f05-dfe4-0035-f63f28e97f8c@gmail.com>
 <CALDDTe0HGmXR+3tL-=7feFSfG+EGnM8B2ZfO55eR8EseGXo95Q@mail.gmail.com>
Message-ID: <CALDDTe3A_VwCYVT17s14TzvtiQnAykkdeqzgZ50PP8YS6NFf_A@mail.gmail.com>

On Tue, Aug 2, 2016 at 12:52 AM, Darren Tucker <dtucker at zip.com.au> wrote:
[...]
>> Seems can't. But why? 7.2 does.
>
> Dunno, I can't think of any obvious changes to compiler flags.  Maybe
> try it without setting CFLAGS?

OK, I think I see why it started in 7.3: it was when the wide
character support was added.  In configure.ac:

dnl Wide character support.  Linux man page says it needs _XOPEN_SOURCE.
saved_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -D_XOPEN_SOURCE"
AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
CFLAGS="$saved_CFLAGS"

AC_LINK_IFELSE(
        [AC_LANG_PROGRAM(and
           [[ #include <ctype.h> ]],
           [[ return (isblank('a')); ]])],
        [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
])

before that the mblen test didn't have XOPEN_SOURCE.

The failing condition is "if defined(_STDC_C99) &&
(defined(__XOPEN_OR_POSIX) && !defined(_XPG6))".  The above explains
where the XOPEN came from.  As to why you're seeing it, my guess is
your version of gcc defaults to -std=c99 and mine doesn't.  You can
try adding "-std=c89" to your CFLAGS and see if it builds.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au  Tue Aug  2 14:02:55 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 2 Aug 2016 14:02:55 +1000
Subject: OpenSSH 7.3p1 can't be build on Solaris 10
In-Reply-To: <CALDDTe3A_VwCYVT17s14TzvtiQnAykkdeqzgZ50PP8YS6NFf_A@mail.gmail.com>
References: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
 <CALDDTe3iR_1Edn2HM+GOKexUhxs4na46Ez-eEAQK==obxCERug@mail.gmail.com>
 <3dde1627-7f05-dfe4-0035-f63f28e97f8c@gmail.com>
 <CALDDTe0HGmXR+3tL-=7feFSfG+EGnM8B2ZfO55eR8EseGXo95Q@mail.gmail.com>
 <CALDDTe3A_VwCYVT17s14TzvtiQnAykkdeqzgZ50PP8YS6NFf_A@mail.gmail.com>
Message-ID: <CALDDTe2UJfuq=-CEZ1=kN+ogtY5YfeYw2D-cU6fMvpBFk1UNsA@mail.gmail.com>

On Tue, Aug 2, 2016 at 1:44 PM, Darren Tucker <dtucker at zip.com.au> wrote:
[...]
> The failing condition is "if defined(_STDC_C99) &&
> (defined(__XOPEN_OR_POSIX) && !defined(_XPG6))".  The above explains
> where the XOPEN came from.  As to why you're seeing it, my guess is
> your version of gcc defaults to -std=c99 and mine doesn't.  You can
> try adding "-std=c89" to your CFLAGS and see if it builds.

Alternatively, try adding -D_XPG6 to CFLAGS.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au  Tue Aug  2 14:06:40 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 2 Aug 2016 14:06:40 +1000
Subject: OpenSSH 7.3p1 can't be build on Solaris 10
In-Reply-To: <CALDDTe2UJfuq=-CEZ1=kN+ogtY5YfeYw2D-cU6fMvpBFk1UNsA@mail.gmail.com>
References: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
 <CALDDTe3iR_1Edn2HM+GOKexUhxs4na46Ez-eEAQK==obxCERug@mail.gmail.com>
 <3dde1627-7f05-dfe4-0035-f63f28e97f8c@gmail.com>
 <CALDDTe0HGmXR+3tL-=7feFSfG+EGnM8B2ZfO55eR8EseGXo95Q@mail.gmail.com>
 <CALDDTe3A_VwCYVT17s14TzvtiQnAykkdeqzgZ50PP8YS6NFf_A@mail.gmail.com>
 <CALDDTe2UJfuq=-CEZ1=kN+ogtY5YfeYw2D-cU6fMvpBFk1UNsA@mail.gmail.com>
Message-ID: <CALDDTe09BRH0aUs7ihfEk-v8HmL5haYVwkcqYWOTv8Zf8kPqCg@mail.gmail.com>

On Tue, Aug 2, 2016 at 2:02 PM, Darren Tucker <dtucker at zip.com.au> wrote:
> On Tue, Aug 2, 2016 at 1:44 PM, Darren Tucker <dtucker at zip.com.au> wrote:
> [...]
>> The failing condition is "if defined(_STDC_C99) &&
>> (defined(__XOPEN_OR_POSIX) && !defined(_XPG6))".  The above explains
>> where the XOPEN came from.  As to why you're seeing it, my guess is
>> your version of gcc defaults to -std=c99 and mine doesn't.  You can
>> try adding "-std=c89" to your CFLAGS and see if it builds.
>
> Alternatively, try adding -D_XPG6 to CFLAGS.

That may not be the right thing.  Looks like this might be a known GCC bug:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=40411

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au  Tue Aug  2 14:55:22 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 2 Aug 2016 14:55:22 +1000
Subject: OpenSSH 7.3p1 can't be build on Solaris 10
In-Reply-To: <005a5df6-2bf4-93ff-c01f-6e0008c6723b@gmail.com>
References: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
 <CALDDTe3iR_1Edn2HM+GOKexUhxs4na46Ez-eEAQK==obxCERug@mail.gmail.com>
 <3dde1627-7f05-dfe4-0035-f63f28e97f8c@gmail.com>
 <CALDDTe0HGmXR+3tL-=7feFSfG+EGnM8B2ZfO55eR8EseGXo95Q@mail.gmail.com>
 <005a5df6-2bf4-93ff-c01f-6e0008c6723b@gmail.com>
Message-ID: <20160802045521.GA8658@gate.dtucker.net>

Having read up some more I think this is what I should have done.

If you'd like to try this you will need to run "autoreconf" to rebuild
configure before running ./configure again.

diff --git a/configure.ac b/configure.ac
index 1df3cbf..542bd93 100644
--- a/configure.ac
+++ b/configure.ac
@@ -754,6 +754,9 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	use_pie=auto
 	check_for_libcrypt_later=1
 	check_for_openpty_ctty_bug=1
+	dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
+	dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
+	CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
 	AC_DEFINE([PAM_TTY_KLUDGE], [1],
 		[Work around problematic Linux PAM modules handling of PAM_TTY])
 	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
@@ -1789,11 +1792,8 @@ AC_CHECK_FUNCS([ \
 	warn \
 ])
 
-dnl Wide character support.  Linux man page says it needs _XOPEN_SOURCE.
-saved_CFLAGS="$CFLAGS"
-CFLAGS="$CFLAGS -D_XOPEN_SOURCE"
+dnl Wide character support.
 AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
-CFLAGS="$saved_CFLAGS"
 
 AC_LINK_IFELSE(
         [AC_LANG_PROGRAM(
-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From yvoinov at gmail.com  Wed Aug  3 04:12:32 2016
From: yvoinov at gmail.com (Yuri Voinov)
Date: Wed, 3 Aug 2016 00:12:32 +0600
Subject: OpenSSH 7.3p1 can't be build on Solaris 10
In-Reply-To: <20160802045521.GA8658@gate.dtucker.net>
References: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
 <CALDDTe3iR_1Edn2HM+GOKexUhxs4na46Ez-eEAQK==obxCERug@mail.gmail.com>
 <3dde1627-7f05-dfe4-0035-f63f28e97f8c@gmail.com>
 <CALDDTe0HGmXR+3tL-=7feFSfG+EGnM8B2ZfO55eR8EseGXo95Q@mail.gmail.com>
 <005a5df6-2bf4-93ff-c01f-6e0008c6723b@gmail.com>
 <20160802045521.GA8658@gate.dtucker.net>
Message-ID: <1d3657c8-d4ee-bfd3-757d-1fd34e0ae792@gmail.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
With this change built ok.

But patch must be quite different on my platform (see attached) for
portable version.

And, of course, after autoreconf run.


02.08.2016 10:55, Darren Tucker ?????:
> --- a/configure.ac
> +++ b/configure.ac
> @@ -754,6 +754,9 @@ main() { if (NSVersionOfRunTimeLibrary("System")
>= (60 << 16))
>      use_pie=auto
>      check_for_libcrypt_later=1
>      check_for_openpty_ctty_bug=1
> +    dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
> +    dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
> +    CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE
-D_DEFAULT_SOURCE"
>      AC_DEFINE([PAM_TTY_KLUDGE], [1],
>          [Work around problematic Linux PAM modules handling of PAM_TTY])
>      AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
> @@ -1789,11 +1792,8 @@ AC_CHECK_FUNCS([ \
>      warn \
>  ])
> 
> -dnl Wide character support.  Linux man page says it needs _XOPEN_SOURCE.
> -saved_CFLAGS="$CFLAGS"
> -CFLAGS="$CFLAGS -D_XOPEN_SOURCE"
> +dnl Wide character support.
>  AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
> -CFLAGS="$saved_CFLAGS"
> 
>  AC_LINK_IFELSE(
>          [AC_LANG_PROGRAM(

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBCAAGBQJXoOKPAAoJENNXIZxhPexGVW0H/31u6MjEkSbE7Zr1hFBh+8q6
EV3IvsZmgQlh+c+mo1/HoT7xKOeQT6kQT9dP/o0sQOE7JBusMi6ggLprwxc1BAPg
rAvihynLOcIJZT+pEmnf9Ov68votwpRa6s1TsiT+g/KYPIwTSFsSAPavxURbmf5o
rIJ0fO4cit37erDD/rfIXd6q1BrhLSbhb2CyWbPJ/WhDTLqUeGAdU2CVAZCJB67o
LgKLdbkvV03WDG6R5FBKmOwI+EJm9DPVgkuMFrQfOY/G60uEF+fi5nwmc6yCyDII
nz/7mzLYAvM8/iGOEnmXlz122qB0hx16n9JX3aIxUTEDjaz6LXIEaO/NAm56Evs=
=sTxS
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 73_solaris10_build_issue.patch
Type: text/x-patch
Size: 831 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160803/a53f8ae2/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160803/a53f8ae2/attachment-0003.bin>

From rainer.laatsch at t-online.de  Wed Aug  3 07:42:42 2016
From: rainer.laatsch at t-online.de (rl)
Date: Tue, 2 Aug 2016 23:42:42 +0200
Subject: Configure option '--with-ssh1' breaks openssh-7.3p1
Message-ID: <dfa3ae58-0189-f91b-951f-5f8a60ebcf11@t-online.de>

My pc runs Scientific Linux release 6.8 (Carbon),
Kernel 2.6.32-642.3.1.el6.i686,
all patches applied.
After unpacking, running   ' -/configure '
(just that, no other params), then
' make; make install DESTDIR=`pwd`/DESTDIR '
and running sshd from there: the call
' DESTDIR/.../bin/ssh host102 '
succeeds ( authentication with id_rsa ; host 102 is localhost
where the new sshd runs).

But running ' ./configure --with-ssh1 ' in a fresh
unpacked openssh-7.3p1 directory,
then the same as above: the sshd starts,
but calling the ssh does not succeed.

I see the following:

sshd:
/Data/openssh-7.3p1/DESTDIR/usr/local/sbin/sshd -p 222   -f \n
DESTDIR/usr/local/etc/sshd_config

ssh:
./ssh -vvv -p 222 -F DESTDIR/usr/local/etc/ssh_config host102

OpenSSH_7.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data DESTDIR/usr/local/etc/ssh_config
debug2: resolving "host102" port 222
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to host102 [192.168.2.102] port 222.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
...
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.3
ssh_exchange_identification: read: Connection reset by peer

/var/log/messages:
Aug  2 17:35:07 host102 sshd[7449]: Server listening on 0.0.0.0 port 222.
Aug  2 17:35:07 host102 sshd[7449]: Server listening on :: port 222.
Aug  2 17:36:03 host102 sshd[7455]: error: buffer_get_bignum_ret: \n
incomplete message
Aug  2 17:36:03 host102 sshd[7455]: fatal: buffer_get_bignum: buffer \n
error


The code after line 1111 in sshd.c (buffer_get_bignum) seems to be not 
adequate any more.
I suppose the error will also show up on Centos.

Best regards
Rainer

From dtucker at zip.com.au  Wed Aug  3 09:26:08 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 3 Aug 2016 09:26:08 +1000
Subject: OpenSSH 7.3p1 can't be build on Solaris 10
In-Reply-To: <1d3657c8-d4ee-bfd3-757d-1fd34e0ae792@gmail.com>
References: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
 <CALDDTe3iR_1Edn2HM+GOKexUhxs4na46Ez-eEAQK==obxCERug@mail.gmail.com>
 <3dde1627-7f05-dfe4-0035-f63f28e97f8c@gmail.com>
 <CALDDTe0HGmXR+3tL-=7feFSfG+EGnM8B2ZfO55eR8EseGXo95Q@mail.gmail.com>
 <005a5df6-2bf4-93ff-c01f-6e0008c6723b@gmail.com>
 <20160802045521.GA8658@gate.dtucker.net>
 <1d3657c8-d4ee-bfd3-757d-1fd34e0ae792@gmail.com>
Message-ID: <CALDDTe0yppd9WZA4YVK9D8adaze-TyRk29gqN=w0u876Sok+4A@mail.gmail.com>

On Wed, Aug 3, 2016 at 4:12 AM, Yuri Voinov <yvoinov at gmail.com> wrote:
> With this change built ok.

Excellent.

> But patch must be quite different on my platform (see attached) for
> portable version.

That attached patch looks exactly like the one I sent other than the
path depth (which can be handled easily with "patch -p1").  What's
different?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From peter at stuge.se  Wed Aug  3 09:44:55 2016
From: peter at stuge.se (Peter Stuge)
Date: Tue, 2 Aug 2016 23:44:55 +0000
Subject: OpenSSH 7.3p1 can't be build on Solaris 10
In-Reply-To: <CALDDTe0yppd9WZA4YVK9D8adaze-TyRk29gqN=w0u876Sok+4A@mail.gmail.com>
References: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
 <CALDDTe3iR_1Edn2HM+GOKexUhxs4na46Ez-eEAQK==obxCERug@mail.gmail.com>
 <3dde1627-7f05-dfe4-0035-f63f28e97f8c@gmail.com>
 <CALDDTe0HGmXR+3tL-=7feFSfG+EGnM8B2ZfO55eR8EseGXo95Q@mail.gmail.com>
 <005a5df6-2bf4-93ff-c01f-6e0008c6723b@gmail.com>
 <20160802045521.GA8658@gate.dtucker.net>
 <1d3657c8-d4ee-bfd3-757d-1fd34e0ae792@gmail.com>
 <CALDDTe0yppd9WZA4YVK9D8adaze-TyRk29gqN=w0u876Sok+4A@mail.gmail.com>
Message-ID: <20160802234455.GQ12988@foo.stuge.se>

Darren Tucker wrote:
> What's different?

Line numbers.


//Peter

From dtucker at zip.com.au  Wed Aug  3 10:12:54 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 3 Aug 2016 10:12:54 +1000
Subject: Configure option '--with-ssh1' breaks openssh-7.3p1
In-Reply-To: <dfa3ae58-0189-f91b-951f-5f8a60ebcf11@t-online.de>
References: <dfa3ae58-0189-f91b-951f-5f8a60ebcf11@t-online.de>
Message-ID: <CALDDTe2REbq7Zhnt1UWDY36mDNJ6Xyuc+GJJ25Ja4fq=3K4u3g@mail.gmail.com>

On Wed, Aug 3, 2016 at 7:42 AM, rl <rainer.laatsch at t-online.de> wrote:
[...]
> /Data/openssh-7.3p1/DESTDIR/usr/local/sbin/sshd -p 222   -f \n
> DESTDIR/usr/local/etc/sshd_config

It looks like you have an embedded newline in the config file name
you're passing to sshd.  If that's the case I'm surprised it starts at
all. Exactly how are you starting sshd?

> Aug  2 17:35:07 host102 sshd[7449]: Server listening on 0.0.0.0 port 222.
> Aug  2 17:35:07 host102 sshd[7449]: Server listening on :: port 222.
> Aug  2 17:36:03 host102 sshd[7455]: error: buffer_get_bignum_ret: \n
> incomplete message

that might be the newline confusing the re-exec protocol although I'm not sure.

Please including complete debug logs for both client and server.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From rainer.laatsch at t-online.de  Wed Aug  3 11:12:52 2016
From: rainer.laatsch at t-online.de (rl)
Date: Wed, 3 Aug 2016 03:12:52 +0200
Subject: Configure option '--with-ssh1' breaks openssh-7.3p1
In-Reply-To: <CALDDTe2REbq7Zhnt1UWDY36mDNJ6Xyuc+GJJ25Ja4fq=3K4u3g@mail.gmail.com>
References: <dfa3ae58-0189-f91b-951f-5f8a60ebcf11@t-online.de>
 <CALDDTe2REbq7Zhnt1UWDY36mDNJ6Xyuc+GJJ25Ja4fq=3K4u3g@mail.gmail.com>
Message-ID: <cec5d800-6984-216f-5bf2-5293b071af7e@t-online.de>



On 08/03/16 02:12, Darren Tucker wrote:
> On Wed, Aug 3, 2016 at 7:42 AM, rl <rainer.laatsch at t-online.de> wrote:
> [...]
>> /Data/openssh-7.3p1/DESTDIR/usr/local/sbin/sshd -p 222   -f \n
>> DESTDIR/usr/local/etc/sshd_config
>
> It looks like you have an embedded newline in the config file name
> you're passing to sshd.  If that's the case I'm surprised it starts at
> all. Exactly how are you starting sshd?
>
>> Aug  2 17:35:07 host102 sshd[7449]: Server listening on 0.0.0.0 port 222.
>> Aug  2 17:35:07 host102 sshd[7449]: Server listening on :: port 222.
>> Aug  2 17:36:03 host102 sshd[7455]: error: buffer_get_bignum_ret: \n
>> incomplete message
>
> that might be the newline confusing the re-exec protocol although I'm not sure.
>
> Please including complete debug logs for both client and server.
>

The newlines are *not* in the real calls, but are all inserted by me 
into the email to indicate that my mail program does a wrap-around at 
these places.
I also started the sshd with flags ' -ddd ' ,but that did not give more 
errors than those I mailed.

This sshd is still running, ps -eaf shows the one-liner (i dont insert 
\n here):
root      7449     1  0 17:35 ?        00:00:00 
/Data/openssh-7.3p1/DESTDIR/usr/local/sbin/sshd -p 222 -f DESTDIR/usr/local
/etc/sshd_config

The current working directory is
/Data/openssh-7-3p1
, so i could abbreviate the names of the config files after the flags
-f resp. -F

I could run all that again with full debug logs again,but the
omissions in my mail indicated by  ' ... ' are in my opinion 
insignificant. Should I?
Best regards, Rainer

From dtucker at zip.com.au  Wed Aug  3 11:19:31 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 3 Aug 2016 11:19:31 +1000
Subject: Configure option '--with-ssh1' breaks openssh-7.3p1
In-Reply-To: <cec5d800-6984-216f-5bf2-5293b071af7e@t-online.de>
References: <dfa3ae58-0189-f91b-951f-5f8a60ebcf11@t-online.de>
 <CALDDTe2REbq7Zhnt1UWDY36mDNJ6Xyuc+GJJ25Ja4fq=3K4u3g@mail.gmail.com>
 <cec5d800-6984-216f-5bf2-5293b071af7e@t-online.de>
Message-ID: <CALDDTe2hjz8QVMFKet2NVp-jyNvUgfatWBfioAxb2+052pom9w@mail.gmail.com>

On Wed, Aug 3, 2016 at 11:12 AM, rl <rainer.laatsch at t-online.de> wrote:
[...]
> The newlines are *not* in the real calls, but are all inserted by me into
> the email to indicate that my mail program does a wrap-around at these
> places.

If your mailer is corrupting information please open a bug at
bugzilla.mindrot.org and use "add attachment" to attach the
unadulterated logs instead.

[...]
> I could run all that again with full debug logs again,but the
> omissions in my mail indicated by  ' ... ' are in my opinion insignificant.

If you are certain what is and is not significant then you should be
able to figure out the problem on your own.

> Should I?

Yes.  Debugging something on a system you can't interact with is hard
enough without having information withheld.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From rainer.laatsch at t-online.de  Wed Aug  3 12:34:38 2016
From: rainer.laatsch at t-online.de (rl)
Date: Wed, 3 Aug 2016 04:34:38 +0200
Subject: Configure option '--with-ssh1' breaks openssh-7.3p1
In-Reply-To: <CALDDTe2hjz8QVMFKet2NVp-jyNvUgfatWBfioAxb2+052pom9w@mail.gmail.com>
References: <dfa3ae58-0189-f91b-951f-5f8a60ebcf11@t-online.de>
 <CALDDTe2REbq7Zhnt1UWDY36mDNJ6Xyuc+GJJ25Ja4fq=3K4u3g@mail.gmail.com>
 <cec5d800-6984-216f-5bf2-5293b071af7e@t-online.de>
 <CALDDTe2hjz8QVMFKet2NVp-jyNvUgfatWBfioAxb2+052pom9w@mail.gmail.com>
Message-ID: <4a395e32-10c8-0fc5-7f1c-5c0f1105867f@t-online.de>



On 08/03/16 03:19, Darren Tucker wrote:
>
> Yes.  Debugging something on a system you can't interact with is hard
> enough without having information withheld.
>

I'll run again and add the relevant unedited texts as attachments.
There is nothing in /var/log/secure.
Also a diff between the config.h 's without and with --with-ssh1 is 
attached.
I have a centos-6.7 under VirtualBox. I could do the same there to check
if --with-ssh1 also breaks openssh-7.3p1, but not at once now
(my localtime is 04:30 in the morning ...)

I hope the attachments are sufficient; let me know if I could do better.
Darren: I am grateful for your quick responses

Best regards, Rainer
-------------- next part --------------
#	$OpenBSD: sshd_config,v 1.99 2016/07/11 03:19:44 tedu Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rsa_key
#HostKey /usr/local/etc/ssh_host_dsa_key
#HostKey /usr/local/etc/ssh_host_ecdsa_key
#HostKey /usr/local/etc/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/local/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
-------------- next part --------------
#	$OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Protocol 2
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
-------------- next part --------------
/Data/openssh-7.3p1/DESTDIR/usr/local/sbin/sshd -ddd -p 222 -f /Data/openssh-7.3p1/DESTDIR/usr/local/etc/sshd_config
debug2: load_server_config: filename /Data/openssh-7.3p1/DESTDIR/usr/local/etc/sshd_config
debug2: load_server_config: done config len = 285
debug2: parse_server_config: config /Data/openssh-7.3p1/DESTDIR/usr/local/etc/sshd_config len 285
debug3: /Data/openssh-7.3p1/DESTDIR/usr/local/etc/sshd_config:28 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /Data/openssh-7.3p1/DESTDIR/usr/local/etc/sshd_config:29 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /Data/openssh-7.3p1/DESTDIR/usr/local/etc/sshd_config:55 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /Data/openssh-7.3p1/DESTDIR/usr/local/etc/sshd_config:127 setting Subsystem sftp	/usr/local/libexec/sftp-server
debug1: sshd version OpenSSH_7.3, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: private host key #0: ssh-rsa SHA256:M+fgpKVpb33odQBtZGgXR9XtxfTyrIdcPdget18GIcM
debug1: private host key #1: ssh-dss SHA256:dXrUfLqLygAq+K1UZUgDJvcSTcUMdHgKJ2wGd0bbJp8
debug1: rexec_argv[0]='/Data/openssh-7.3p1/DESTDIR/usr/local/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='222'
debug1: rexec_argv[4]='-f'
debug1: rexec_argv[5]='/Data/openssh-7.3p1/DESTDIR/usr/local/etc/sshd_config'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 222 on 0.0.0.0.
Server listening on 0.0.0.0 port 222.
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 222 on ::.
Server listening on :: port 222.


-------------- next part --------------
/Data/openssh-7.3p1/DESTDIR/usr/local/bin/ssh -vvv -p 222 -F /Data/openssh-7.3p1/DESTDIR/usr/local/etc/ssh_config host102
OpenSSH_7.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /Data/openssh-7.3p1/DESTDIR/usr/local/etc/ssh_config
debug2: resolving "host102" port 222
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to host102 [192.168.2.102] port 222.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.3
ssh_exchange_identification: read: Connection reset by peer
root at host102 #  

-------------- next part --------------
/Data/openssh-7.3p1/DESTDIR/usr/local/sbin/sshd -ddd -p 222 -f /Data/openssh-7.3p1/DESTDIR/usr/local/etc/sshd_config
debug2: load_server_config: filename /Data/openssh-7.3p1/DESTDIR/usr/local/etc/sshd_config
debug2: load_server_config: done config len = 285
debug2: parse_server_config: config /Data/openssh-7.3p1/DESTDIR/usr/local/etc/sshd_config len 285
debug3: /Data/openssh-7.3p1/DESTDIR/usr/local/etc/sshd_config:28 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /Data/openssh-7.3p1/DESTDIR/usr/local/etc/sshd_config:29 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /Data/openssh-7.3p1/DESTDIR/usr/local/etc/sshd_config:55 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /Data/openssh-7.3p1/DESTDIR/usr/local/etc/sshd_config:127 setting Subsystem sftp	/usr/local/libexec/sftp-server
debug1: sshd version OpenSSH_7.3, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: private host key #0: ssh-rsa SHA256:M+fgpKVpb33odQBtZGgXR9XtxfTyrIdcPdget18GIcM
debug1: private host key #1: ssh-dss SHA256:dXrUfLqLygAq+K1UZUgDJvcSTcUMdHgKJ2wGd0bbJp8
debug1: rexec_argv[0]='/Data/openssh-7.3p1/DESTDIR/usr/local/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='222'
debug1: rexec_argv[4]='-f'
debug1: rexec_argv[5]='/Data/openssh-7.3p1/DESTDIR/usr/local/etc/sshd_config'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 222 on 0.0.0.0.
Server listening on 0.0.0.0 port 222.
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 222 on ::.
Server listening on :: port 222.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 285
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8

-------------- next part --------------
Aug  3 03:31:56 host102 sshd[7449]: Received signal 15; terminating.
Aug  3 04:03:19 host102 sshd[8897]: error: buffer_get_bignum_ret: incomplete message
Aug  3 04:03:19 host102 sshd[8897]: fatal: buffer_get_bignum: buffer error

-------------- next part --------------
diff ../openssh-7.3p1.nossh1/config.h config.h
1722c1722
< /* #undef WITH_SSH1 */
---
> #define WITH_SSH1 1

From dtucker at zip.com.au  Wed Aug  3 13:03:11 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 3 Aug 2016 13:03:11 +1000
Subject: Configure option '--with-ssh1' breaks openssh-7.3p1
In-Reply-To: <4a395e32-10c8-0fc5-7f1c-5c0f1105867f@t-online.de>
References: <dfa3ae58-0189-f91b-951f-5f8a60ebcf11@t-online.de>
 <CALDDTe2REbq7Zhnt1UWDY36mDNJ6Xyuc+GJJ25Ja4fq=3K4u3g@mail.gmail.com>
 <cec5d800-6984-216f-5bf2-5293b071af7e@t-online.de>
 <CALDDTe2hjz8QVMFKet2NVp-jyNvUgfatWBfioAxb2+052pom9w@mail.gmail.com>
 <4a395e32-10c8-0fc5-7f1c-5c0f1105867f@t-online.de>
Message-ID: <CALDDTe06iPdu81vJNiZgLK4E_WAEkS-yzu0kipSKT_q4xvbOGw@mail.gmail.com>

On Wed, Aug 3, 2016 at 12:34 PM, rl <rainer.laatsch at t-online.de> wrote:
[...]
> I'll run again and add the relevant unedited texts as attachments.

Thanks.

> There is nothing in /var/log/secure.
> Also a diff between the config.h 's without and with --with-ssh1 is
> attached.
> I have a centos-6.7 under VirtualBox. I could do the same there to check
> if --with-ssh1 also breaks openssh-7.3p1, but not at once now
> (my localtime is 04:30 in the morning ...)
>
> I hope the attachments are sufficient; let me know if I could do better.
> Darren: I am grateful for your quick responses

I'm not sure why but output from sshd is missing everything after the
re-exec.  If you add "-e" to sshd command line to force it to continue
to write to stderr after it re-execs itself.  I don't know why that
happened (I have not been able to reproduce that or the original
problem on a recent Fedora).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au  Wed Aug  3 13:38:15 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 3 Aug 2016 13:38:15 +1000
Subject: Configure option '--with-ssh1' breaks openssh-7.3p1
In-Reply-To: <CALDDTe06iPdu81vJNiZgLK4E_WAEkS-yzu0kipSKT_q4xvbOGw@mail.gmail.com>
References: <dfa3ae58-0189-f91b-951f-5f8a60ebcf11@t-online.de>
 <CALDDTe2REbq7Zhnt1UWDY36mDNJ6Xyuc+GJJ25Ja4fq=3K4u3g@mail.gmail.com>
 <cec5d800-6984-216f-5bf2-5293b071af7e@t-online.de>
 <CALDDTe2hjz8QVMFKet2NVp-jyNvUgfatWBfioAxb2+052pom9w@mail.gmail.com>
 <4a395e32-10c8-0fc5-7f1c-5c0f1105867f@t-online.de>
 <CALDDTe06iPdu81vJNiZgLK4E_WAEkS-yzu0kipSKT_q4xvbOGw@mail.gmail.com>
Message-ID: <CALDDTe3DTmA=0qOgOA8z7_GUPWzcAwVitu38JQL_gc4qww2A1A@mail.gmail.com>

OK, with this additional information I can now reproduce it.

Based on some quick experiments it seems to be triggered when sshd is
built --with-ssh1 and the config does not *load* a Protocol 1 host
key.

Works:
Protocol=1,2 + Hostkey not specified
Protocol=1,2 + Hostkeys for both protocols specified.

Doesn't work:
Protocol=2 + Hostkey not specified.
Protocol=1,2 + Hostkeys specified only for Protocol 2.
Protocol=2 + Hostkeys specified for both protocols.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au  Wed Aug  3 13:51:52 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 3 Aug 2016 13:51:52 +1000
Subject: Configure option '--with-ssh1' breaks openssh-7.3p1
In-Reply-To: <CALDDTe3DTmA=0qOgOA8z7_GUPWzcAwVitu38JQL_gc4qww2A1A@mail.gmail.com>
References: <dfa3ae58-0189-f91b-951f-5f8a60ebcf11@t-online.de>
 <CALDDTe2REbq7Zhnt1UWDY36mDNJ6Xyuc+GJJ25Ja4fq=3K4u3g@mail.gmail.com>
 <cec5d800-6984-216f-5bf2-5293b071af7e@t-online.de>
 <CALDDTe2hjz8QVMFKet2NVp-jyNvUgfatWBfioAxb2+052pom9w@mail.gmail.com>
 <4a395e32-10c8-0fc5-7f1c-5c0f1105867f@t-online.de>
 <CALDDTe06iPdu81vJNiZgLK4E_WAEkS-yzu0kipSKT_q4xvbOGw@mail.gmail.com>
 <CALDDTe3DTmA=0qOgOA8z7_GUPWzcAwVitu38JQL_gc4qww2A1A@mail.gmail.com>
Message-ID: <20160803035152.GA4216@gate.dtucker.net>

On Wed, Aug 03, 2016 at 01:38:15PM +1000, Darren Tucker wrote:
> OK, with this additional information I can now reproduce it.
> 
> Based on some quick experiments it seems to be triggered when sshd is
> built --with-ssh1 and the config does not *load* a Protocol 1 host
> key.

Looks like it was introducted here:
https://anongit.mindrot.org/openssh.git/commit/?id=1a31d02b
wherein

- buffer_put_int(&m, 0);
+ if ((r = sshbuf_put_u32(m, 1)) != 0)

This patch should fix it:

diff --git a/sshd.c b/sshd.c
index 799c771..8f2b322 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1071,7 +1071,7 @@ send_rexec_state(int fd, struct sshbuf *conf)
 			fatal("%s: buffer error: %s", __func__, ssh_err(r));
 	} else
 #endif
-		if ((r = sshbuf_put_u32(m, 1)) != 0)
+		if ((r = sshbuf_put_u32(m, 0)) != 0)
 			fatal("%s: buffer error: %s", __func__, ssh_err(r));
 
 #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From rainer.laatsch at t-online.de  Wed Aug  3 14:51:17 2016
From: rainer.laatsch at t-online.de (rl)
Date: Wed, 3 Aug 2016 06:51:17 +0200
Subject: Configure option '--with-ssh1' breaks openssh-7.3p1
In-Reply-To: <20160803035152.GA4216@gate.dtucker.net>
References: <dfa3ae58-0189-f91b-951f-5f8a60ebcf11@t-online.de>
 <CALDDTe2REbq7Zhnt1UWDY36mDNJ6Xyuc+GJJ25Ja4fq=3K4u3g@mail.gmail.com>
 <cec5d800-6984-216f-5bf2-5293b071af7e@t-online.de>
 <CALDDTe2hjz8QVMFKet2NVp-jyNvUgfatWBfioAxb2+052pom9w@mail.gmail.com>
 <4a395e32-10c8-0fc5-7f1c-5c0f1105867f@t-online.de>
 <CALDDTe06iPdu81vJNiZgLK4E_WAEkS-yzu0kipSKT_q4xvbOGw@mail.gmail.com>
 <CALDDTe3DTmA=0qOgOA8z7_GUPWzcAwVitu38JQL_gc4qww2A1A@mail.gmail.com>
 <20160803035152.GA4216@gate.dtucker.net>
Message-ID: <b1ed8e01-b1dc-3fd6-2b82-f0d719b91d33@t-online.de>

Darren: your patch worked for me, thanks a lot for your analysis!
Best regards, Rainer

On 08/03/16 05:51, Darren Tucker wrote:
> On Wed, Aug 03, 2016 at 01:38:15PM +1000, Darren Tucker wrote:
>> OK, with this additional information I can now reproduce it.
>>
>> Based on some quick experiments it seems to be triggered when sshd is
>> built --with-ssh1 and the config does not *load* a Protocol 1 host
>> key.
>
> Looks like it was introducted here:
> https://anongit.mindrot.org/openssh.git/commit/?id=1a31d02b
> wherein
>
> - buffer_put_int(&m, 0);
> + if ((r = sshbuf_put_u32(m, 1)) != 0)
>
> This patch should fix it:
>
> diff --git a/sshd.c b/sshd.c
> index 799c771..8f2b322 100644
> --- a/sshd.c
> +++ b/sshd.c
> @@ -1071,7 +1071,7 @@ send_rexec_state(int fd, struct sshbuf *conf)
>  			fatal("%s: buffer error: %s", __func__, ssh_err(r));
>  	} else
>  #endif
> -		if ((r = sshbuf_put_u32(m, 1)) != 0)
> +		if ((r = sshbuf_put_u32(m, 0)) != 0)
>  			fatal("%s: buffer error: %s", __func__, ssh_err(r));
>
>  #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
>

From wieland at purdue.edu  Wed Aug  3 21:23:48 2016
From: wieland at purdue.edu (Jeff Wieland)
Date: Wed, 3 Aug 2016 07:23:48 -0400
Subject: Configure option '--with-ssh1' breaks openssh-7.3p1
In-Reply-To: <b1ed8e01-b1dc-3fd6-2b82-f0d719b91d33@t-online.de>
References: <dfa3ae58-0189-f91b-951f-5f8a60ebcf11@t-online.de>
 <CALDDTe2REbq7Zhnt1UWDY36mDNJ6Xyuc+GJJ25Ja4fq=3K4u3g@mail.gmail.com>
 <cec5d800-6984-216f-5bf2-5293b071af7e@t-online.de>
 <CALDDTe2hjz8QVMFKet2NVp-jyNvUgfatWBfioAxb2+052pom9w@mail.gmail.com>
 <4a395e32-10c8-0fc5-7f1c-5c0f1105867f@t-online.de>
 <CALDDTe06iPdu81vJNiZgLK4E_WAEkS-yzu0kipSKT_q4xvbOGw@mail.gmail.com>
 <CALDDTe3DTmA=0qOgOA8z7_GUPWzcAwVitu38JQL_gc4qww2A1A@mail.gmail.com>
 <20160803035152.GA4216@gate.dtucker.net>
 <b1ed8e01-b1dc-3fd6-2b82-f0d719b91d33@t-online.de>
Message-ID: <57A1D444.6020308@purdue.edu>

rl wrote:
> Darren: your patch worked for me, thanks a lot for your analysis!
> Best regards, Rainer
>
> On 08/03/16 05:51, Darren Tucker wrote:
>> On Wed, Aug 03, 2016 at 01:38:15PM +1000, Darren Tucker wrote:
>>> OK, with this additional information I can now reproduce it.
>>>
>>> Based on some quick experiments it seems to be triggered when sshd is
>>> built --with-ssh1 and the config does not *load* a Protocol 1 host
>>> key.
>>
>> Looks like it was introducted here:
>> https://anongit.mindrot.org/openssh.git/commit/?id=1a31d02b
>> wherein
>>
>> - buffer_put_int(&m, 0);
>> + if ((r = sshbuf_put_u32(m, 1)) != 0)
>>
>> This patch should fix it:
>>
>> diff --git a/sshd.c b/sshd.c
>> index 799c771..8f2b322 100644
>> --- a/sshd.c
>> +++ b/sshd.c
>> @@ -1071,7 +1071,7 @@ send_rexec_state(int fd, struct sshbuf *conf)
>>              fatal("%s: buffer error: %s", __func__, ssh_err(r));
>>      } else
>>  #endif
>> -        if ((r = sshbuf_put_u32(m, 1)) != 0)
>> +        if ((r = sshbuf_put_u32(m, 0)) != 0)
>>              fatal("%s: buffer error: %s", __func__, ssh_err(r));
>>
>>  #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
>>

I was having the same problem, and this fixes it for me as well.
Thanks!

-- 
          Jeff Wieland            |         Purdue University
   Network Systems Administrator  |        ITIS UNIX Platforms
       Voice: (765)496-8234       |        155 S. Grant Street
        FAX: (765)496-1380        |      West Lafayette, IN 47907


From yvoinov at gmail.com  Wed Aug  3 23:59:00 2016
From: yvoinov at gmail.com (Yuri Voinov)
Date: Wed, 3 Aug 2016 19:59:00 +0600
Subject: OpenSSH 7.3p1 can't be build on Solaris 10
In-Reply-To: <CALDDTe0yppd9WZA4YVK9D8adaze-TyRk29gqN=w0u876Sok+4A@mail.gmail.com>
References: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
 <CALDDTe3iR_1Edn2HM+GOKexUhxs4na46Ez-eEAQK==obxCERug@mail.gmail.com>
 <3dde1627-7f05-dfe4-0035-f63f28e97f8c@gmail.com>
 <CALDDTe0HGmXR+3tL-=7feFSfG+EGnM8B2ZfO55eR8EseGXo95Q@mail.gmail.com>
 <005a5df6-2bf4-93ff-c01f-6e0008c6723b@gmail.com>
 <20160802045521.GA8658@gate.dtucker.net>
 <1d3657c8-d4ee-bfd3-757d-1fd34e0ae792@gmail.com>
 <CALDDTe0yppd9WZA4YVK9D8adaze-TyRk29gqN=w0u876Sok+4A@mail.gmail.com>
Message-ID: <9f49ea08-454b-6b87-0ece-d36abc3715f7@gmail.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 


03.08.2016 5:26, Darren Tucker ?????:
> On Wed, Aug 3, 2016 at 4:12 AM, Yuri Voinov <yvoinov at gmail.com> wrote:
>> With this change built ok.
>
> Excellent.
>
>> But patch must be quite different on my platform (see attached) for
>> portable version.
>
> That attached patch looks exactly like the one I sent other than the
> path depth (which can be handled easily with "patch -p1").  What's
> different?
Yep, only patch depth's different.
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBCAAGBQJXofikAAoJENNXIZxhPexGw6cH/3A5xDOgJ7j7aQRr7CnDRa/T
ZNHX5V8nUFXqlB6/rvpsQyDqU2R7WoD34QLCboR4r+oxgfFOj0fT95OjPD2PkCb5
A8GvoELa2c+/2PztlA2nFGf+BeRWPcjcOicz+G1uQSGrE++3bnJblbJMvn0DFKjR
aAHglanVbRIXr1TknI2eIsNxamyYAs7J7H1M9EA22vp8PUmv+BInvtRKA/URhPNA
7rtPXeVS/sTyfDqHDely2PTuPEzPFrKfUNzw4xRn40XLFwi/m/PlEVa5kDx/1LJi
lNTuvn5rNvYVVzA5+CykGJjE8DA9l4Wooo9DANXdveO7ukEWt8z0NPsq0agYiIM=
=ACYY
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160803/7a9a92b1/attachment-0001.bin>

From yvoinov at gmail.com  Sat Aug  6 00:57:22 2016
From: yvoinov at gmail.com (Yuri Voinov)
Date: Fri, 5 Aug 2016 20:57:22 +0600
Subject: OpenSSH 7.3p1 can't be build on Solaris 10
In-Reply-To: <2744fe78-8010-06f7-0784-3381fcaed2dc@gmail.com>
References: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
 <CALDDTe3iR_1Edn2HM+GOKexUhxs4na46Ez-eEAQK==obxCERug@mail.gmail.com>
 <3dde1627-7f05-dfe4-0035-f63f28e97f8c@gmail.com>
 <CALDDTe0HGmXR+3tL-=7feFSfG+EGnM8B2ZfO55eR8EseGXo95Q@mail.gmail.com>
 <005a5df6-2bf4-93ff-c01f-6e0008c6723b@gmail.com>
 <20160802045521.GA8658@gate.dtucker.net>
 <1d3657c8-d4ee-bfd3-757d-1fd34e0ae792@gmail.com>
 <CALDDTe0yppd9WZA4YVK9D8adaze-TyRk29gqN=w0u876Sok+4A@mail.gmail.com>
 <9f49ea08-454b-6b87-0ece-d36abc3715f7@gmail.com>
 <2744fe78-8010-06f7-0784-3381fcaed2dc@gmail.com>
Message-ID: <ac4ce8ea-f9fb-ed21-0ef3-fade683398fa@gmail.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
05.08.2016 20:54, Yuri Voinov ?????:
> To be continued.
>
> On one of Solaris 10 server, after previous patch apply, another
problem occurs:
>
> root @ fhtagn /patch/openssh-7.3p1 # gmake
> conffile=`echo sshd_config.out | sed 's/.out$//'`; \
> /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
./${conffile} > sshd_config.out
> conffile=`echo ssh_config.out | sed 's/.out$//'`; \
> /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
./${conffile} > ssh_config.out
> conffile=`echo moduli.out | sed 's/.out$//'`; \
> /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
./${conffile} > moduli.out
> if test "man" = "cat"; then \
>         manpage=./`echo moduli.5.out | sed 's/\.[1-9]\.out$/\.0/'`; \
> else \
>         manpage=./`echo moduli.5.out | sed 's/\.out$//'`; \
> fi; \
> if test "man" = "man"; then \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
>             gawk -f ./mdoc2man.awk > moduli.5.out; \
> else \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  > moduli.5.out; \
> fi
> if test "man" = "cat"; then \
>         manpage=./`echo scp.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \
> else \
>         manpage=./`echo scp.1.out | sed 's/\.out$//'`; \
> fi; \
> if test "man" = "man"; then \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
>             gawk -f ./mdoc2man.awk > scp.1.out; \
> else \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  > scp.1.out; \
> fi
> if test "man" = "cat"; then \
>         manpage=./`echo ssh-add.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \
> else \
>         manpage=./`echo ssh-add.1.out | sed 's/\.out$//'`; \
> fi; \
> if test "man" = "man"; then \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
>             gawk -f ./mdoc2man.awk > ssh-add.1.out; \
> else \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  > ssh-add.1.out; \
> fi
> if test "man" = "cat"; then \
>         manpage=./`echo ssh-agent.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \
> else \
>         manpage=./`echo ssh-agent.1.out | sed 's/\.out$//'`; \
> fi; \
> if test "man" = "man"; then \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
>             gawk -f ./mdoc2man.awk > ssh-agent.1.out; \
> else \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  > ssh-agent.1.out; \
> fi
> if test "man" = "cat"; then \
>         manpage=./`echo ssh-keygen.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \
> else \
>         manpage=./`echo ssh-keygen.1.out | sed 's/\.out$//'`; \
> fi; \
> if test "man" = "man"; then \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
>             gawk -f ./mdoc2man.awk > ssh-keygen.1.out; \
> else \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  > ssh-keygen.1.out; \
> fi
> if test "man" = "cat"; then \
>         manpage=./`echo ssh-keyscan.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \
> else \
>         manpage=./`echo ssh-keyscan.1.out | sed 's/\.out$//'`; \
> fi; \
> if test "man" = "man"; then \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
>             gawk -f ./mdoc2man.awk > ssh-keyscan.1.out; \
> else \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  >
ssh-keyscan.1.out; \
> fi
> if test "man" = "cat"; then \
>         manpage=./`echo ssh.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \
> else \
>         manpage=./`echo ssh.1.out | sed 's/\.out$//'`; \
> fi; \
> if test "man" = "man"; then \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
>             gawk -f ./mdoc2man.awk > ssh.1.out; \
> else \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  > ssh.1.out; \
> fi
> if test "man" = "cat"; then \
>         manpage=./`echo sshd.8.out | sed 's/\.[1-9]\.out$/\.0/'`; \
> else \
>         manpage=./`echo sshd.8.out | sed 's/\.out$//'`; \
> fi; \
> if test "man" = "man"; then \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
>             gawk -f ./mdoc2man.awk > sshd.8.out; \
> else \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  > sshd.8.out; \
> fi
> if test "man" = "cat"; then \
>         manpage=./`echo sftp-server.8.out | sed 's/\.[1-9]\.out$/\.0/'`; \
> else \
>         manpage=./`echo sftp-server.8.out | sed 's/\.out$//'`; \
> fi; \
> if test "man" = "man"; then \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
>             gawk -f ./mdoc2man.awk > sftp-server.8.out; \
> else \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  >
sftp-server.8.out; \
> fi
> if test "man" = "cat"; then \
>         manpage=./`echo sftp.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \
> else \
>         manpage=./`echo sftp.1.out | sed 's/\.out$//'`; \
> fi; \
> if test "man" = "man"; then \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
>             gawk -f ./mdoc2man.awk > sftp.1.out; \
> else \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  > sftp.1.out; \
> fi
> if test "man" = "cat"; then \
>         manpage=./`echo ssh-keysign.8.out | sed 's/\.[1-9]\.out$/\.0/'`; \
> else \
>         manpage=./`echo ssh-keysign.8.out | sed 's/\.out$//'`; \
> fi; \
> if test "man" = "man"; then \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
>             gawk -f ./mdoc2man.awk > ssh-keysign.8.out; \
> else \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  >
ssh-keysign.8.out; \
> fi
> if test "man" = "cat"; then \
>         manpage=./`echo ssh-pkcs11-helper.8.out | sed
's/\.[1-9]\.out$/\.0/'`; \
> else \
>         manpage=./`echo ssh-pkcs11-helper.8.out | sed 's/\.out$//'`; \
> fi; \
> if test "man" = "man"; then \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
>             gawk -f ./mdoc2man.awk > ssh-pkcs11-helper.8.out; \
> else \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  >
ssh-pkcs11-helper.8.out; \
> fi
> if test "man" = "cat"; then \
>         manpage=./`echo sshd_config.5.out | sed 's/\.[1-9]\.out$/\.0/'`; \
> else \
>         manpage=./`echo sshd_config.5.out | sed 's/\.out$//'`; \
> fi; \
> if test "man" = "man"; then \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
>             gawk -f ./mdoc2man.awk > sshd_config.5.out; \
> else \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  >
sshd_config.5.out; \
> fi
> if test "man" = "cat"; then \
>         manpage=./`echo ssh_config.5.out | sed 's/\.[1-9]\.out$/\.0/'`; \
> else \
>         manpage=./`echo ssh_config.5.out | sed 's/\.out$//'`; \
> fi; \
> if test "man" = "man"; then \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  | \
>             gawk -f ./mdoc2man.awk > ssh_config.5.out; \
> else \
>         /opt/csw/gnu/sed -e
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e
's|/usr/libexec|/usr/local/libexec|g' -e
's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e
's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g'
-e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e
's|/etc/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e
's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e
's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e
's|/var/empty|/var/empty|g' -e
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed  > ssh_config.5.out; \
> fi
> (cd openbsd-compat && gmake)
> gmake[1]: Entering directory '/patch/openssh-7.3p1/openbsd-compat'
> gcc -O3 -m64 -pipe -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong
-fPIE  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c arc4random.c
> gcc -O3 -m64 -pipe -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong
-fPIE  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c bsd-asprintf.c
> gcc -O3 -m64 -pipe -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong
-fPIE  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c bsd-closefrom.c
> gcc -O3 -m64 -pipe -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong
-fPIE  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c bsd-cray.c
> gcc -O3 -m64 -pipe -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong
-fPIE  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c bsd-cygwin_util.c
> gcc -O3 -m64 -pipe -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong
-fPIE  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c bsd-getpeereid.c
> gcc -O3 -m64 -pipe -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong
-fPIE  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c getrrsetbyname-ldns.c
> gcc -O3 -m64 -pipe -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong
-fPIE  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c bsd-err.c
> gcc -O3 -m64 -pipe -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong
-fPIE  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c bsd-misc.c
> gcc -O3 -m64 -pipe -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong
-fPIE  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c bsd-nextstep.c
> gcc -O3 -m64 -pipe -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong
-fPIE  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c bsd-openpty.c
> gcc -O3 -m64 -pipe -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong
-fPIE  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c bsd-poll.c
> gcc -O3 -m64 -pipe -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong
-fPIE  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c bsd-setres_id.c
> gcc -O3 -m64 -pipe -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong
-fPIE  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c bsd-snprintf.c
> In file included from ../includes.h:171:0,
>                  from bsd-snprintf.c:95:
> bsd-snprintf.c: In function 'dopr':
> ../openbsd-compat/openbsd-compat.h:268:38: error: assignment to
expression with array type
>  #   define VA_COPY(dest, src) (dest) = (src)
>                                       ^
> bsd-snprintf.c:194:2: note: in expansion of macro 'VA_COPY'
>   VA_COPY(args, args_in);
>   ^
> gmake[1]: *** [Makefile:26: bsd-snprintf.o] Error 1
> gmake[1]: Leaving directory '/patch/openssh-7.3p1/openbsd-compat'
> gmake: *** [Makefile:156: openbsd-compat/libopenbsd-compat.a] Error 2
>
> Same OS version, same patch level, same libraries and packages. But
can't build.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBCAAGBQJXpKlRAAoJENNXIZxhPexGUpwH/2JGsNkigaAd7E0SOogC8igS
ClAHs5FZsbkezKVQvcbgmezC5/WamdSPjMfrGola2IIwYGiLZbV0YPte8y29DKd0
hS9eA+on3rkBiMs6oF/4uKSDBfEBV85z7tlmkwei4w1KcJi6POCrjl2tilSPSCL3
JxsNVWYADPQ1SjtUxiJHT6Tv8rfOUDGzhCVbESLZka56Qnco/D/x3sCOxHodwVBZ
1zirSJYVEdWm1WBVyQ837ujUlfwA2N9SabpoDTfOHiouNral3PTHzLIMiZr16NAi
C+15ywMgxifmjjoBAMJVZRBnOl1QN1XaAozL6FgYCTaEEuRx3s/mkLqZjxe4XvE=
=ktNU
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160805/2943cac0/attachment-0001.bin>

From crlb at uvic.ca  Sat Aug  6 01:30:17 2016
From: crlb at uvic.ca (Colin Leavett-Brown)
Date: Fri, 5 Aug 2016 08:30:17 -0700
Subject: Encrypt /decrypta file with ssh keys.
Message-ID: <101a3d92-d46c-3fe6-8799-6e049c53e027@uvic.ca>

Hello,  I needed to share some secret info with one or two specific 
individuals and wrote a short wrapper script to encrypt/decrypt files 
using ssh keys (everyone has at least one pair). In searching, I found 
others wanting this functionality and borrowed heavily from this doc 
"http://www.czeskis.com/random/openssl-encrypt-file.html" in writing the 
script. I am willing to share the code if anyone is interested.

-- 
Colin Leavett-Brown
Physics and Astronomy
University of Victoria
250-472-4085


From alex at alex.org.uk  Sat Aug  6 01:50:58 2016
From: alex at alex.org.uk (Alex Bligh)
Date: Fri, 5 Aug 2016 16:50:58 +0100
Subject: Encrypt /decrypta file with ssh keys.
In-Reply-To: <101a3d92-d46c-3fe6-8799-6e049c53e027@uvic.ca>
References: <101a3d92-d46c-3fe6-8799-6e049c53e027@uvic.ca>
Message-ID: <9C64EA34-899B-44CE-8B02-B2EAF44AF6C2@alex.org.uk>


> On 5 Aug 2016, at 16:30, Colin Leavett-Brown <crlb at uvic.ca> wrote:
> 
> Hello,  I needed to share some secret info with one or two specific individuals and wrote a short wrapper script to encrypt/decrypt files using ssh keys (everyone has at least one pair). In searching, I found others wanting this functionality and borrowed heavily from this doc "http://www.czeskis.com/random/openssl-encrypt-file.html" in writing the script. I am willing to share the code if anyone is interested.

I was asking for this functionality only yesterday. My particular use was to encrypt a file with someone else's public key, to send to them so they could decrypt with their private key.

If ssh (or some accompanying binary) could do this out the box, it would be great.

-- 
Alex Bligh





From crlb at uvic.ca  Sat Aug  6 02:47:38 2016
From: crlb at uvic.ca (Colin Leavett-Brown)
Date: Fri, 5 Aug 2016 09:47:38 -0700
Subject: Fwd: Re: Encrypt /decrypta file with ssh keys.
In-Reply-To: <EC46A5D7-4759-46AB-89D4-46BE1EA8B2FE@alex.org.uk>
References: <EC46A5D7-4759-46AB-89D4-46BE1EA8B2FE@alex.org.uk>
Message-ID: <79f8131d-3647-8d6c-01a1-934769658048@uvic.ca>

As per Alex's suggestion, attached is the proof of concept "sfile" 
script. If there is anyone out there with great C skills who can 
recreate this functionality "out of the box", I think there would be a 
few happy campers (at least two, anyways).



-------- Forwarded Message --------
Subject: 	Re: Encrypt /decrypta file with ssh keys.
Date: 	Fri, 5 Aug 2016 17:24:35 +0100
From: 	Alex Bligh <alex at alex.org.uk>
To: 	Colin Leavett-Brown <crlb at uvic.ca>
CC: 	Alex Bligh <alex at alex.org.uk>



Colin,

> On 5 Aug 2016, at 17:03, Colin Leavett-Brown <crlb at uvic.ca> wrote:
>
> Hi Alex, I think this should be part of Openssh. Do you want to try the wrapper? I've attached the code and it does exactly what you want. Let us know what you think. "sfile" without any parms will tell you how to use it. Colin.

I read the code. Interesting. I suspect you will need to rewrite it in C (without relying on distro specific things like readlink -f) and paying close attention to e.g. minimising temporary files, ensuring they are created with the right modes and deleted on signals etc. in order to get it submitted. I think I might make the magic code longer so it can be more easily detected by 'file' etc. But it's an interesting proof of concept - TBH I'd just post it to the list as such.

Alex

>
>
> On 16-08-05 08:50 AM, Alex Bligh wrote:
>>> On 5 Aug 2016, at 16:30, Colin Leavett-Brown <crlb at uvic.ca> wrote:
>>>
>>> Hello,  I needed to share some secret info with one or two specific individuals and wrote a short wrapper script to encrypt/decrypt files using ssh keys (everyone has at least one pair). In searching, I found others wanting this functionality and borrowed heavily from this doc "http://www.czeskis.com/random/openssl-encrypt-file.html" in writing the script. I am willing to share the code if anyone is interested.
>> I was asking for this functionality only yesterday. My particular use was to encrypt a file with someone else's public key, to send to them so they could decrypt with their private key.
>>
>> If ssh (or some accompanying binary) could do this out the box, it would be great.
>>
>
> --
> Colin Leavett-Brown
> Physics and Astronomy
> University of Victoria
> 250-472-4085
>
> <sfile.txt>

-- 
Alex Bligh





-- 
Colin Leavett-Brown
Physics and Astronomy
University of Victoria
250-472-4085

-------------- next part --------------
#!/bin/bash
  # this is the proof of concept for secure file command.
  # usage: sfile [-e|-d] [-k <pub_private_key>] <file_path>
  # result is written to stdout.
  subcommand='decrypt'
  user_key=''
  user_file=''

  ignore_next='0'
  BASH_ARGV_LEN=$((${#BASH_ARGV}-1))
  for i in `seq $BASH_ARGV_LEN -1 0 `; do
    if [ $ignore_next == '0' ]; then
      if [ "X${BASH_ARGV[$i]}" == 'X-d' ]; then
        subcommand='decrypt'
      elif [ "X${BASH_ARGV[$i]}" == 'X-e' ]; then
        subcommand='encrypt'
      elif [ "X${BASH_ARGV[$i]}" == 'X-h' ]; then
        subcommand='help'
      elif [ "X${BASH_ARGV[$i]}" == 'X-k' ] && [ $i -gt 0 ]; then
        v=$(($i - 1))
        user_key=`readlink -f ${BASH_ARGV[$v]} 2>/dev/null`
        ignore_next='1'
      else
        user_file=`readlink -f ${BASH_ARGV[$i]} 2>/dev/null`
      fi
    else
      ignore_next='0'
    fi
  done
  
  if [ $subcommand == 'help' ] || [ "X$user_file" == 'X' ]; then
    echo 'Usage: sfile [-d|-e|-h] [-k <path_to_key_file>] <path_to_file>'
    echo ''
    echo 'Encrypt a file using an ssh public key and decrypt using the corresponding private'
    echo 'key. The default is to decrypt the specified file using your private key.'
    echo ''
    echo 'Options:'
    echo '  -d - Decrypt specified file. This is the default option.'
    echo '  -e - Encrypt specified file.'
    echo '  -h - Print help messages.'
    echo "  -k <path_to_key_file> - Defaults to '~/.ssh/id_rsa.pub' for encrypt and"
    echo "       '~/.ssh/id_rsa for decrypt'."
    echo ''
    echo 'Note: Result is written to STDOUT.'
    exit 0
  fi

  if [ ! -e $user_file ]; then
    >&2 echo "File '$user_file' does not exist."
    exit 1
  fi

  #
  # Encrypt the specified file.
  #
  if [ $subcommand == 'encrypt' ]; then
    if [ "X$user_key" == 'X' ]; then
      user_key=`readlink -f ~/.ssh/id_rsa.pub`
    fi

    if [ ! -e $user_key ]; then
      >&2 echo "User key file '$user_key' does not exist."
      exit 1
    fi

    key_file=`tempfile`
    openssl rand 64 >$key_file

    pem_file=`tempfile`
    ssh-keygen -f $user_key -e -m PKCS8 >$pem_file

    crypt_key_file=`tempfile`
    openssl rsautl -encrypt -pubin -inkey $pem_file -in $key_file -out $crypt_key_file
    crypt_key_len=`cat $crypt_key_file | wc -c`
    crypt_key_length=$((10000 + $crypt_key_len))

    echo -n `printf '%x%x' 95 $crypt_key_length`
    cat $crypt_key_file
    echo -n `printf '%x' 95`
    openssl enc -aes-256-cbc -salt -pass file:$key_file -in $user_file 

    rm -f $key_file $pem_file $crypt_key_file

  #
  # Decrypt the specified file.
  #
  elif [ $subcommand == 'decrypt' ]; then
    if [ "X$user_key" == 'X' ]; then
      user_key=`readlink -f ~/.ssh/id_rsa`
    fi

    if [ ! -e $user_key ]; then
      >&2 echo "User key file '$user_key' does not exist."
      exit 1
    fi

    hex_data=`dd bs=1 if=$user_file skip=0 count=6 2>/dev/null`
    magic_number=${hex_data:0:2}

    if [ "$magic_number" != '5f' ]; then
      >&2 echo "File '$user_file' is not an ssh public key encrypted file."
      exit 1
    fi

    crypt_key_len=$((16#${hex_data:2:4}-10000))

    skip=$((2+4+$crypt_key_len))
    magic_number=`dd bs=1 if=$user_file skip=$skip count=2 2>/dev/null`
    if [ "$magic_number" != '5f' ]; then
      >&2 echo "File '$user_file' is not an ssh public key encrypted file."
      exit 1
    fi

    crypt_key_file=`tempfile`
    `dd bs=1 if=$user_file of=$crypt_key_file skip=6 count=$crypt_key_len 2>/dev/null`

    key_file=`tempfile`
    `openssl rsautl -decrypt -inkey $user_key -in $crypt_key_file -out $key_file`

    crypt_user_file=`tempfile`
    skip=$((2+4+$crypt_key_len+2+1))
    `tail -c +$skip $user_file >$crypt_user_file 2>/dev/null`

    openssl enc -d -aes-256-cbc -pass file:$key_file -in $crypt_user_file

    rm -f $crypt_key_file $key_file $crypt_user_file
  fi

From james.murphy.debian at gmail.com  Sat Aug  6 03:09:46 2016
From: james.murphy.debian at gmail.com (James Murphy)
Date: Fri, 5 Aug 2016 12:09:46 -0500
Subject: Fwd: Re: Encrypt /decrypta file with ssh keys.
In-Reply-To: <79f8131d-3647-8d6c-01a1-934769658048@uvic.ca>
References: <EC46A5D7-4759-46AB-89D4-46BE1EA8B2FE@alex.org.uk>
 <79f8131d-3647-8d6c-01a1-934769658048@uvic.ca>
Message-ID: <11905aed-89aa-a44f-2af7-fd9e40a076e0@gmail.com>

The more mainstream thing to do is just use gpg, which has this
functionality already built in. Is this not suitable for your use case?

On 08/05/2016 11:47 AM, Colin Leavett-Brown wrote:
> As per Alex's suggestion, attached is the proof of concept "sfile"
> script. If there is anyone out there with great C skills who can
> recreate this functionality "out of the box", I think there would be a
> few happy campers (at least two, anyways).
> 
> 
> 
> -------- Forwarded Message --------
> Subject:     Re: Encrypt /decrypta file with ssh keys.
> Date:     Fri, 5 Aug 2016 17:24:35 +0100
> From:     Alex Bligh <alex at alex.org.uk>
> To:     Colin Leavett-Brown <crlb at uvic.ca>
> CC:     Alex Bligh <alex at alex.org.uk>
> 
> 
> 
> Colin,
> 
>> On 5 Aug 2016, at 17:03, Colin Leavett-Brown <crlb at uvic.ca> wrote:
>>
>> Hi Alex, I think this should be part of Openssh. Do you want to try
>> the wrapper? I've attached the code and it does exactly what you want.
>> Let us know what you think. "sfile" without any parms will tell you
>> how to use it. Colin.
> 
> I read the code. Interesting. I suspect you will need to rewrite it in C
> (without relying on distro specific things like readlink -f) and paying
> close attention to e.g. minimising temporary files, ensuring they are
> created with the right modes and deleted on signals etc. in order to get
> it submitted. I think I might make the magic code longer so it can be
> more easily detected by 'file' etc. But it's an interesting proof of
> concept - TBH I'd just post it to the list as such.
> 
> Alex
> 
>>
>>
>> On 16-08-05 08:50 AM, Alex Bligh wrote:
>>>> On 5 Aug 2016, at 16:30, Colin Leavett-Brown <crlb at uvic.ca> wrote:
>>>>
>>>> Hello,  I needed to share some secret info with one or two specific
>>>> individuals and wrote a short wrapper script to encrypt/decrypt
>>>> files using ssh keys (everyone has at least one pair). In searching,
>>>> I found others wanting this functionality and borrowed heavily from
>>>> this doc "http://www.czeskis.com/random/openssl-encrypt-file.html"
>>>> in writing the script. I am willing to share the code if anyone is
>>>> interested.
>>> I was asking for this functionality only yesterday. My particular use
>>> was to encrypt a file with someone else's public key, to send to them
>>> so they could decrypt with their private key.
>>>
>>> If ssh (or some accompanying binary) could do this out the box, it
>>> would be great.
>>>
>>
>> -- 
>> Colin Leavett-Brown
>> Physics and Astronomy
>> University of Victoria
>> 250-472-4085
>>
>> <sfile.txt>
> 
> 
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 

From brmdamon at hushmail.com  Sat Aug  6 03:19:32 2016
From: brmdamon at hushmail.com (Jack Dodds)
Date: Fri, 05 Aug 2016 17:19:32 -0000
Subject: Fwd: Re: Encrypt /decrypta file with ssh keys.
In-Reply-To: <79f8131d-3647-8d6c-01a1-934769658048@uvic.ca>
References: <79f8131d-3647-8d6c-01a1-934769658048@uvic.ca>
Message-ID: <a0b04fd1a09132277955acade6ae4b5a@smtp.hushmail.com>

Respectful question:

What would be the advantage of this over GPG, which is expressly
designed for encryption/decryption/signing of files?

Jack Dodds

Colin Leavett-Brown <crlb at uvic.ca> wrote:
> As per Alex's suggestion, attached is the proof of concept
> "sfile" script. If there is anyone out there with great C
> skills who can recreate this functionality "out of the box", I
> think there would be a few happy campers (at least two,
> anyways).
> 
> 
> 
> -------- Forwarded Message --------
> Subject: 	Re: Encrypt /decrypta file with ssh keys.
> Date: 	Fri, 5 Aug 2016 17:24:35 +0100
> From: 	Alex Bligh <alex at alex.org.uk>
> To: 	Colin Leavett-Brown <crlb at uvic.ca>
> CC: 	Alex Bligh <alex at alex.org.uk>
> 
> 
> 
> Colin,
> 
> > On 5 Aug 2016, at 17:03, Colin Leavett-Brown <crlb at uvic.ca> wrote:
> >
> > Hi Alex, I think this should be part of Openssh. Do you want to try the wrapper? I've attached the code and it does exactly what you want. Let us know what you think. "sfile" without any parms will tell you how to use it. Colin.
> 
> I read the code. Interesting. I suspect you will need to
> rewrite it in C (without relying on distro specific things like
> readlink -f) and paying close attention to e.g. minimising
> temporary files, ensuring they are created with the right modes
> and deleted on signals etc. in order to get it submitted. I
> think I might make the magic code longer so it can be more
> easily detected by 'file' etc. But it's an interesting proof of
> concept - TBH I'd just post it to the list as such.
> 
> Alex
> 
> >
> >
> > On 16-08-05 08:50 AM, Alex Bligh wrote:
> >>> On 5 Aug 2016, at 16:30, Colin Leavett-Brown <crlb at uvic.ca> wrote:
> >>>
> >>> Hello,  I needed to share some secret info with one or two specific individuals and wrote a short wrapper script to encrypt/decrypt files using ssh keys (everyone has at least one pair). In searching, I found others wanting this functionality and borrowed heavily from this doc "http://www.czeskis.com/random/openssl-encrypt-file.html" in writing the script. I am willing to share the code if anyone is interested.
> >> I was asking for this functionality only yesterday. My particular use was to encrypt a file with someone else's public key, to send to them so they could decrypt with their private key.
> >>
> >> If ssh (or some accompanying binary) could do this out the box, it would be great.
> >>
> >
> > --
> > Colin Leavett-Brown
> > Physics and Astronomy
> > University of Victoria
> > 250-472-4085
> >
> > <sfile.txt>
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Encryption key for Jack Dodds.asc
Type: application/pgp-keys
Size: 1702 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160805/18620f23/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP Digital Signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160805/18620f23/attachment-0001.bin>

From crlb at uvic.ca  Sat Aug  6 03:28:52 2016
From: crlb at uvic.ca (Colin Leavett-Brown)
Date: Fri, 5 Aug 2016 10:28:52 -0700
Subject: Fwd: Re: Encrypt /decrypta file with ssh keys.
In-Reply-To: <a0b04fd1a09132277955acade6ae4b5a@smtp.hushmail.com>
References: <79f8131d-3647-8d6c-01a1-934769658048@uvic.ca>
 <a0b04fd1a09132277955acade6ae4b5a@smtp.hushmail.com>
Message-ID: <07d3f849-26ca-c028-ba09-a0c2f898f34c@uvic.ca>

As the encrypter, you can use someone's shared public key knowing that 
only they can decrypt it. If I use GPG, I somehow have to give them the key.


On 16-08-05 10:19 AM, Jack Dodds wrote:
> Respectful question:
>
> What would be the advantage of this over GPG, which is expressly
> designed for encryption/decryption/signing of files?
>
> Jack Dodds
>
> Colin Leavett-Brown <crlb at uvic.ca> wrote:
>> As per Alex's suggestion, attached is the proof of concept
>> "sfile" script. If there is anyone out there with great C
>> skills who can recreate this functionality "out of the box", I
>> think there would be a few happy campers (at least two,
>> anyways).
>>
>>
>>
>> -------- Forwarded Message --------
>> Subject: 	Re: Encrypt /decrypta file with ssh keys.
>> Date: 	Fri, 5 Aug 2016 17:24:35 +0100
>> From: 	Alex Bligh <alex at alex.org.uk>
>> To: 	Colin Leavett-Brown <crlb at uvic.ca>
>> CC: 	Alex Bligh <alex at alex.org.uk>
>>
>>
>>
>> Colin,
>>
>>> On 5 Aug 2016, at 17:03, Colin Leavett-Brown <crlb at uvic.ca> wrote:
>>>
>>> Hi Alex, I think this should be part of Openssh. Do you want to try the wrapper? I've attached the code and it does exactly what you want. Let us know what you think. "sfile" without any parms will tell you how to use it. Colin.
>> I read the code. Interesting. I suspect you will need to
>> rewrite it in C (without relying on distro specific things like
>> readlink -f) and paying close attention to e.g. minimising
>> temporary files, ensuring they are created with the right modes
>> and deleted on signals etc. in order to get it submitted. I
>> think I might make the magic code longer so it can be more
>> easily detected by 'file' etc. But it's an interesting proof of
>> concept - TBH I'd just post it to the list as such.
>>
>> Alex
>>
>>>
>>> On 16-08-05 08:50 AM, Alex Bligh wrote:
>>>>> On 5 Aug 2016, at 16:30, Colin Leavett-Brown <crlb at uvic.ca> wrote:
>>>>>
>>>>> Hello,  I needed to share some secret info with one or two specific individuals and wrote a short wrapper script to encrypt/decrypt files using ssh keys (everyone has at least one pair). In searching, I found others wanting this functionality and borrowed heavily from this doc "http://www.czeskis.com/random/openssl-encrypt-file.html" in writing the script. I am willing to share the code if anyone is interested.
>>>> I was asking for this functionality only yesterday. My particular use was to encrypt a file with someone else's public key, to send to them so they could decrypt with their private key.
>>>>
>>>> If ssh (or some accompanying binary) could do this out the box, it would be great.
>>>>
>>> --
>>> Colin Leavett-Brown
>>> Physics and Astronomy
>>> University of Victoria
>>> 250-472-4085
>>>
>>> <sfile.txt>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Colin Leavett-Brown
Physics and Astronomy
University of Victoria
250-472-4085


From alex at alex.org.uk  Sat Aug  6 03:31:56 2016
From: alex at alex.org.uk (Alex Bligh)
Date: Fri, 5 Aug 2016 18:31:56 +0100
Subject: Encrypt /decrypta file with ssh keys.
In-Reply-To: <11905aed-89aa-a44f-2af7-fd9e40a076e0@gmail.com>
References: <EC46A5D7-4759-46AB-89D4-46BE1EA8B2FE@alex.org.uk>
 <79f8131d-3647-8d6c-01a1-934769658048@uvic.ca>
 <11905aed-89aa-a44f-2af7-fd9e40a076e0@gmail.com>
Message-ID: <1713A0B0-7B5E-4F71-9D3B-6B5726B1992F@alex.org.uk>


> On 5 Aug 2016, at 18:09, James Murphy <james.murphy.debian at gmail.com> wrote:
> 
> The more mainstream thing to do is just use gpg, which has this
> functionality already built in. Is this not suitable for your use case?

The advantage of Colin's approach is that gpg requires out of band exchange
of gpg keys separately from ssh keys. If you already have ssh keys
distributed (which might be in an automated environment for instance),
it would be very useful.

Of course if you already have gpg keys set up and exchanged, gpg
would be just fine.

-- 
Alex Bligh





From mouring at offwriting.org  Sat Aug  6 03:40:33 2016
From: mouring at offwriting.org (Ben Lindstrom)
Date: Fri, 05 Aug 2016 12:40:33 -0500
Subject: Encrypt /decrypta file with ssh keys.
In-Reply-To: <1713A0B0-7B5E-4F71-9D3B-6B5726B1992F@alex.org.uk>
References: <EC46A5D7-4759-46AB-89D4-46BE1EA8B2FE@alex.org.uk>
 <79f8131d-3647-8d6c-01a1-934769658048@uvic.ca>
 <11905aed-89aa-a44f-2af7-fd9e40a076e0@gmail.com>
 <1713A0B0-7B5E-4F71-9D3B-6B5726B1992F@alex.org.uk>
Message-ID: <57A4CF91.40803@offwriting.org>



Alex Bligh wrote:
>> On 5 Aug 2016, at 18:09, James Murphy<james.murphy.debian at gmail.com>  wrote:
>>
>> The more mainstream thing to do is just use gpg, which has this
>> functionality already built in. Is this not suitable for your use case?
>
> The advantage of Colin's approach is that gpg requires out of band exchange
> of gpg keys separately from ssh keys. If you already have ssh keys
> distributed (which might be in an automated environment for instance),
> it would be very useful.
>
> Of course if you already have gpg keys set up and exchanged, gpg
> would be just fine.
>
The downside to this approach is your using keys created for signing for 
encryption now.  Which
means you've leaked additional information about the key material.  Thus 
slightly weakening the
security of your key.

Which isn't really a smart thing to do.

Ben

From dkg at fifthhorseman.net  Sat Aug  6 03:44:41 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 05 Aug 2016 13:44:41 -0400
Subject: Encrypt /decrypta file with ssh keys.
In-Reply-To: <101a3d92-d46c-3fe6-8799-6e049c53e027@uvic.ca>
References: <101a3d92-d46c-3fe6-8799-6e049c53e027@uvic.ca>
Message-ID: <87h9az3yba.fsf@alice.fifthhorseman.net>

On Fri 2016-08-05 11:30:17 -0400, Colin Leavett-Brown wrote:
> Hello,  I needed to share some secret info with one or two specific 
> individuals and wrote a short wrapper script to encrypt/decrypt files 
> using ssh keys (everyone has at least one pair). In searching, I found 
> others wanting this functionality and borrowed heavily from this doc 
> "http://www.czeskis.com/random/openssl-encrypt-file.html" in writing the 
> script. I am willing to share the code if anyone is interested.

I'd recommend *not* doing this kind of cross-protocol use of key
material.  There are often attacks that you don't expect when you reuse
keys like this.

For example, consider a variant of the ssh protocol (or a bug in an
implementation) that allows the ssh server to select the message that
the client has to sign in order to authenticate.

an ssh server that gets ahold of an encrypted message of the type you're
proposing might be able to transform the encrypted session key into an
authentication message.  the next time the user goes to log in, in
addition to authenticating, it is effectively offering the server the
secret needed to decrypt the stored message.

I'm not saying this attack works directly with ssh as-implemented.  (i
actually suspect it doesn't, because i believe ssh's authenticatin
mechanism should require contributory behavior from both parties over
the message to be signed, though i haven't reviewed it recently enough
to be sure), but (a) implementation bugs happen, and (b) sometimes
protocols have weaknesses that we don't understand at first glance.

Key reuse across application domains will expose the user to classes of
bug and attack that we really don't understand well and are difficult to
reason about systematically.  It's generally ill-advised.

That said, you can still bind keys together and associate them with
other keys.  OpenPGP is an example of that -- you can bind your SSH key
into your OpenPGP key as a subkey, and then it will be associated with a
bunch of other keys, each of which can be designated for a specific
purpose.

        --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 948 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160805/74312e18/attachment.bin>

From alex at alex.org.uk  Sat Aug  6 03:55:01 2016
From: alex at alex.org.uk (Alex Bligh)
Date: Fri, 5 Aug 2016 18:55:01 +0100
Subject: Encrypt /decrypta file with ssh keys.
In-Reply-To: <57A4CF91.40803@offwriting.org>
References: <EC46A5D7-4759-46AB-89D4-46BE1EA8B2FE@alex.org.uk>
 <79f8131d-3647-8d6c-01a1-934769658048@uvic.ca>
 <11905aed-89aa-a44f-2af7-fd9e40a076e0@gmail.com>
 <1713A0B0-7B5E-4F71-9D3B-6B5726B1992F@alex.org.uk>
 <57A4CF91.40803@offwriting.org>
Message-ID: <3405D7BA-FACD-4930-A8DE-279BA57C9ECF@alex.org.uk>


> On 5 Aug 2016, at 18:40, Ben Lindstrom <mouring at offwriting.org> wrote:
> 
> The downside to this approach is your using keys created for signing for encryption now.  Which
> means you've leaked additional information about the key material.  Thus slightly weakening the
> security of your key.
> 
> Which isn't really a smart thing to do.

I've not looked deeply at Colin's code, but it seems to be creating a random symmetric
key and only encrypting that. It's not (directly) encrypting the files (that's done
with the symmetric key). If that's the case, a plaintext attack etc. is going to
be pretty hard, because the only thing the key is used for is encrypting a large
random number. I think that's actually pretty safe (signing is after all
encrypting the result of a hash function), but no doubt more experienced
cryptographers can comment.

-- 
Alex Bligh





From ronf at timeheart.net  Sat Aug  6 03:56:31 2016
From: ronf at timeheart.net (Ron Frederick)
Date: Fri, 5 Aug 2016 10:56:31 -0700
Subject: Encrypt /decrypta file with ssh keys.
In-Reply-To: <57A4CF91.40803@offwriting.org>
References: <EC46A5D7-4759-46AB-89D4-46BE1EA8B2FE@alex.org.uk>
 <79f8131d-3647-8d6c-01a1-934769658048@uvic.ca>
 <11905aed-89aa-a44f-2af7-fd9e40a076e0@gmail.com>
 <1713A0B0-7B5E-4F71-9D3B-6B5726B1992F@alex.org.uk>
 <57A4CF91.40803@offwriting.org>
Message-ID: <077F9C14-B27E-4B93-AE29-5D807345822E@timeheart.net>

On Aug 5, 2016, at 10:40 AM, Ben Lindstrom <mouring at offwriting.org> wrote:
> Alex Bligh wrote:
>>> On 5 Aug 2016, at 18:09, James Murphy<james.murphy.debian at gmail.com>  wrote:
>>> 
>>> The more mainstream thing to do is just use gpg, which has this
>>> functionality already built in. Is this not suitable for your use case?
>> 
>> The advantage of Colin's approach is that gpg requires out of band exchange
>> of gpg keys separately from ssh keys. If you already have ssh keys
>> distributed (which might be in an automated environment for instance),
>> it would be very useful.
>> 
>> Of course if you already have gpg keys set up and exchanged, gpg
>> would be just fine.
>> 
> The downside to this approach is your using keys created for signing for encryption now.  Which
> means you've leaked additional information about the key material.  Thus slightly weakening the
> security of your key.
> 
> Which isn't really a smart thing to do.


Since public key crypto is being used here, you also can?t encrypt something larger than the key size directly. You?d have to create a symmetric key, encrypt the data with that, and then encrypt the symmetric key with the public key. You?d then need to also define a container format for that. It looks like the ?sfile? code does all that, but at that point why not use ?openssl cms?? It will work with the same public keys used by SSH and already provides a standard format for this encoding.
-- 
Ron Frederick
ronf at timeheart.net




From dtucker at zip.com.au  Sat Aug  6 12:44:17 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 6 Aug 2016 12:44:17 +1000
Subject: OpenSSH 7.3p1 can't be build on Solaris 10
In-Reply-To: <2744fe78-8010-06f7-0784-3381fcaed2dc@gmail.com>
References: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
 <CALDDTe3iR_1Edn2HM+GOKexUhxs4na46Ez-eEAQK==obxCERug@mail.gmail.com>
 <3dde1627-7f05-dfe4-0035-f63f28e97f8c@gmail.com>
 <CALDDTe0HGmXR+3tL-=7feFSfG+EGnM8B2ZfO55eR8EseGXo95Q@mail.gmail.com>
 <005a5df6-2bf4-93ff-c01f-6e0008c6723b@gmail.com>
 <20160802045521.GA8658@gate.dtucker.net>
 <1d3657c8-d4ee-bfd3-757d-1fd34e0ae792@gmail.com>
 <CALDDTe0yppd9WZA4YVK9D8adaze-TyRk29gqN=w0u876Sok+4A@mail.gmail.com>
 <9f49ea08-454b-6b87-0ece-d36abc3715f7@gmail.com>
 <2744fe78-8010-06f7-0784-3381fcaed2dc@gmail.com>
Message-ID: <CALDDTe2pxFWqqt6Ju64ZU-W0STZVYoVqyh+jENmH_Eig7KYysQ@mail.gmail.com>

On Sat, Aug 6, 2016 at 12:54 AM, Yuri Voinov <yvoinov at gmail.com> wrote:
[...]
> In file included from ../includes.h:171:0,
>                  from bsd-snprintf.c:95:
> bsd-snprintf.c: In function 'dopr':
> ../openbsd-compat/openbsd-compat.h:268:38: error: assignment to expression
> with array type
>  #   define VA_COPY(dest, src) (dest) = (src)
>                                       ^
> bsd-snprintf.c:194:2: note: in expansion of macro 'VA_COPY'
>   VA_COPY(args, args_in);

>From the previous config.log, the test for va_copy failed with a linker error:

configure:16477: checking whether va_copy exists
configure:16497: gcc -o conftest -O3 -m64 -mtune=native -pipe -Wall
-Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security
-Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result
-fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset
-fstack-protector-strong -fPIE  -m64 -Wl,-z,now
-fstack-protector-strong -pie conftest.c -lcrypto -lrt -lnsl -lz
-lsocket  >&5
ld: fatal: relocation error: file /var/tmp//cc5Bj3Ow.o: section
[6].rela.text.startup: invalid relocation type: 0x2a
ld: fatal: relocation error: file /var/tmp//cc5Bj3Ow.o: section
[6].rela.text.startup: invalid relocation type: 0x2a

configure then tries to use its own implementation which doesn't work.
  Try adding

#define HAVE_VA_COPY 1
#define HAVE___VA_COPY 1

to config.h, make clean and make again.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From yvoinov at gmail.com  Sun Aug  7 03:23:09 2016
From: yvoinov at gmail.com (Yuri Voinov)
Date: Sat, 6 Aug 2016 23:23:09 +0600
Subject: OpenSSH 7.3p1 can't be build on Solaris 10
In-Reply-To: <CALDDTe2pxFWqqt6Ju64ZU-W0STZVYoVqyh+jENmH_Eig7KYysQ@mail.gmail.com>
References: <7fbd8e3c-f347-6241-f989-e0bad81bc22e@gmail.com>
 <CALDDTe3iR_1Edn2HM+GOKexUhxs4na46Ez-eEAQK==obxCERug@mail.gmail.com>
 <3dde1627-7f05-dfe4-0035-f63f28e97f8c@gmail.com>
 <CALDDTe0HGmXR+3tL-=7feFSfG+EGnM8B2ZfO55eR8EseGXo95Q@mail.gmail.com>
 <005a5df6-2bf4-93ff-c01f-6e0008c6723b@gmail.com>
 <20160802045521.GA8658@gate.dtucker.net>
 <1d3657c8-d4ee-bfd3-757d-1fd34e0ae792@gmail.com>
 <CALDDTe0yppd9WZA4YVK9D8adaze-TyRk29gqN=w0u876Sok+4A@mail.gmail.com>
 <9f49ea08-454b-6b87-0ece-d36abc3715f7@gmail.com>
 <2744fe78-8010-06f7-0784-3381fcaed2dc@gmail.com>
 <CALDDTe2pxFWqqt6Ju64ZU-W0STZVYoVqyh+jENmH_Eig7KYysQ@mail.gmail.com>
Message-ID: <f89c5533-d394-0367-ab76-5e5d90a63acf@gmail.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
 
This partially helps.

New error during linking occurs:

gcc -o ssh ssh.o readconf.o clientloop.o sshtty.o sshconnect.o
sshconnect1.o sshconnect2.o mux.o -L. -Lopenbsd-compat/ -m64 -Wl,-z,now
-fstack-protector-strong -pie -lssh -lopenbsd-compat  -lresolv -lcrypto
-lrt -lnsl -lz -lsocket
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
ld: fatal: relocation error: file ssh.o: section [2].rela.text: invalid
relocation type: 0x2a
gmake: *** [Makefile:164: ssh] Error 1


06.08.2016 8:44, Darren Tucker ?????:
> #define HAVE_VA_COPY 1
> #define HAVE___VA_COPY 1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBCAAGBQJXphz7AAoJENNXIZxhPexGgUMIAKCXU+mwMne8+Mn3F17e77Qw
ozDvPKMLR3M5Ept/lIjUwz54uTetSQPdG/UiaWMx0NDZg9Fi8i7e7ovzc1JdvUWD
gyt29FqzyWG+6lCyxlw1Kc9GpPEAgq3ebH653SL23Dku7QdovcxYYgsOTyAgrcWT
S5vtybFCwy52rE6jLC3fTt0/K3kFXkqRqNk8n+KDrYQk98vR4sfLvz3KCUySPlTF
gbvHahjzx3z2VBkkfBd47HG1l/ZbXueMYrTvJSSaZ6UnQh2C0Zr7ghIyXKNQa+ev
YF3cpyapb7lf5eVlsfvZAfPQAVpM2qN0uTUGLL9sLkOcOtS338Ch3OHy7ur+qk0=
=ewFA
-----END PGP SIGNATURE-----


From lidl at FreeBSD.org  Wed Aug  3 23:57:25 2016
From: lidl at FreeBSD.org (Kurt Lidl)
Date: Wed, 3 Aug 2016 09:57:25 -0400
Subject: Fwd: Fix calls to fatal with %m
In-Reply-To: <e412dc1e-7cc3-7224-3e43-f69cc42cd8d1@FreeBSD.org>
References: <e412dc1e-7cc3-7224-3e43-f69cc42cd8d1@FreeBSD.org>
Message-ID: <f25cdca2-ae33-9896-e1b3-609e35c81736@FreeBSD.org>

Greetings all -

It was suggested that I send this diff here.

Looking at the sourcest this morning at:
https://github.com/openssh/openssh-portable/blob/master/sandbox-capsicum.c

It appears this issue is still present in the current
openssh sources.

Thanks.

-Kurt



-------- Forwarded Message --------
Received: from torb.pix.net (torb.pix.net [192.168.16.32]) 
(authenticated bits=0) by hydra.pix.net (8.15.2/8.15.2) with ESMTPA id 
u6SEq3nf099212; Thu, 28 Jul 2016 10:52:03 -0400 (EDT) (envelope-from 
lidl at FreeBSD.org)
Reply-To: lidl at FreeBSD.org
From: Kurt Lidl <lidl at FreeBSD.org>
Subject: Fix calls to fatal with %m
Date: Thu, 28 Jul 2016 10:52:03 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) 
Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
Content-Type: multipart/mixed; 
boundary="------------DCB06C229DDEDAE6995F142E"

When working on the blacklist support patch rework,
I came across the following bug.  Namely, the use
of %m in the messages sent to fatal().  The fatal()
function does not support %m.

Do you approve of this diff, and if so, may I commit it?

-Kurt

-------------- next part --------------
From b3b86d390c662c2e8e52bcd5a844a497d9697cd4 Mon Sep 17 00:00:00 2001
From: Kurt Lidl <lidl at FreeBSD.ORG>
Date: Thu, 28 Jul 2016 10:45:49 -0400
Subject: [PATCH] Fix usages of %m in fatal() function

Unlike syslog(), fatal() does not support a %m modifier.
Do the conversion of the errno to a string via strerror().
---
 crypto/openssh/sandbox-capsicum.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/crypto/openssh/sandbox-capsicum.c b/crypto/openssh/sandbox-capsicum.c
index 5f41d52..1782832 100644
--- a/crypto/openssh/sandbox-capsicum.c
+++ b/crypto/openssh/sandbox-capsicum.c
@@ -88,11 +88,11 @@ ssh_sandbox_child(struct ssh_sandbox *box)
 	cap_rights_init(&rights);
 
 	if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS)
-		fatal("can't limit stdin: %m");
+		fatal("can't limit stdin: %s", strerror(errno));
 	if (cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS)
-		fatal("can't limit stdout: %m");
+		fatal("can't limit stdout: %s", strerror(errno));
 	if (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS)
-		fatal("can't limit stderr: %m");
+		fatal("can't limit stderr: %s", strerror(errno));
 
 	cap_rights_init(&rights, CAP_READ, CAP_WRITE);
 	if (cap_rights_limit(box->monitor->m_recvfd, &rights) < 0 &&
-- 
2.9.2


From jjelen at redhat.com  Mon Aug  8 17:24:36 2016
From: jjelen at redhat.com (Jakub Jelen)
Date: Mon, 8 Aug 2016 09:24:36 +0200
Subject: ssh(d) identification string in portable (clarification)
Message-ID: <0e33ff54-1faa-7039-2d33-a546171af9ea@redhat.com>

Hello all,

We got a report [1], that we miss "p1" suffix in the sshd identification 
strings in Fedora. I dig in and found out that it is also missing from 
portable usptream since 2004, when you were rewriting  version.h  header 
file with this information.

Debian somehow patched this information back during the time in some 
places (ssh_api.c is missing).

It does not look like intention to remove the release version 
information [2]. Can you clarify?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1364595
[2] https://github.com/openssh/openssh-portable/commit/2aa6d3cf

Regards,

-- 
Jakub Jelen
Associate Software Engineer
Security Technologies
Red Hat


From dkg at fifthhorseman.net  Tue Aug  9 07:21:55 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 08 Aug 2016 17:21:55 -0400
Subject: ssh(d) identification string in portable (clarification)
In-Reply-To: <0e33ff54-1faa-7039-2d33-a546171af9ea@redhat.com>
References: <0e33ff54-1faa-7039-2d33-a546171af9ea@redhat.com>
Message-ID: <877fbrx8gc.fsf@alice.fifthhorseman.net>

On Mon 2016-08-08 03:24:36 -0400, Jakub Jelen wrote:

> We got a report [1], that we miss "p1" suffix in the sshd identification 
> strings in Fedora. I dig in and found out that it is also missing from 
> portable usptream since 2004, when you were rewriting  version.h  header 
> file with this information.
>
> Debian somehow patched this information back during the time in some 
> places (ssh_api.c is missing).

this is arguably a (very old) bug in debian:

  https://bugs.debian.org/130876
  https://bugs.debian.org/774410

> It does not look like intention to remove the release version 
> information [2]. Can you clarify?
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1364595
> [2] https://github.com/openssh/openssh-portable/commit/2aa6d3cf

The synopsis of that changeset comment (by Damien Miller) is:

    Don't divulge portable version in protocol

That seems like a pretty clear intent.  (and fwiw, i think it's the
right thing to do)

      --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160808/76580947/attachment-0001.bin>

From dtucker at zip.com.au  Tue Aug  9 09:50:04 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 9 Aug 2016 09:50:04 +1000
Subject: ssh(d) identification string in portable (clarification)
In-Reply-To: <877fbrx8gc.fsf@alice.fifthhorseman.net>
References: <0e33ff54-1faa-7039-2d33-a546171af9ea@redhat.com>
 <877fbrx8gc.fsf@alice.fifthhorseman.net>
Message-ID: <CALDDTe3MU7KR7V8r-Orf2Ng4w-YCmAqX0MvGV4ZmaG9Myt+cRw@mail.gmail.com>

On Tue, Aug 9, 2016 at 7:21 AM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
[...]
> That seems like a pretty clear intent.  (and fwiw, i think it's the
> right thing to do)

There is the VersionAddendum sshd_config option however it prepends a
space.  Perhaps it shouldn't, and anything that actually wants the
space can supply that itself (ie 'VersionAddendum p2' vs
'VersionAddendum
" someotherstring"').

IMO a security tool taking the over-the-wire banner as the
authoritative test about whether a problem does or does not exist
isn't wise.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dkg at fifthhorseman.net  Tue Aug  9 09:56:46 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 08 Aug 2016 19:56:46 -0400
Subject: ssh(d) identification string in portable (clarification)
In-Reply-To: <CALDDTe3MU7KR7V8r-Orf2Ng4w-YCmAqX0MvGV4ZmaG9Myt+cRw@mail.gmail.com>
References: <0e33ff54-1faa-7039-2d33-a546171af9ea@redhat.com>
 <877fbrx8gc.fsf@alice.fifthhorseman.net>
 <CALDDTe3MU7KR7V8r-Orf2Ng4w-YCmAqX0MvGV4ZmaG9Myt+cRw@mail.gmail.com>
Message-ID: <87mvkmx1a9.fsf@alice.fifthhorseman.net>

On Mon 2016-08-08 19:50:04 -0400, Darren Tucker wrote:
> On Tue, Aug 9, 2016 at 7:21 AM, Daniel Kahn Gillmor
> <dkg at fifthhorseman.net> wrote:
> [...]
>> That seems like a pretty clear intent.  (and fwiw, i think it's the
>> right thing to do)
>
> There is the VersionAddendum sshd_config option however it prepends a
> space.  Perhaps it shouldn't, and anything that actually wants the
> space can supply that itself (ie 'VersionAddendum p2' vs
> 'VersionAddendum
> " someotherstring"').

sounds reasonable to me.

> IMO a security tool taking the over-the-wire banner as the
> authoritative test about whether a problem does or does not exist
> isn't wise.

For defensive purposes, i agree that there are far too many ways for
this to go wrong or to be spoofed to try to rely on it.  For offensive
purposes, these sorts of scans are sadly fairly effective at turning up
unpatched software.  iow, if you're looking for certainty that things
are fixed, it's not enough to be sure.  But if you're looking for likely
victims, it's a handy tool. :/

          --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160808/8fd939e7/attachment.bin>

From v at njh.eu  Wed Aug 10 02:18:32 2016
From: v at njh.eu (Volker Diels-Grabsch)
Date: Tue, 9 Aug 2016 18:18:32 +0200
Subject: Equivalent ssh_config setting for "ssh -N"
Message-ID: <20160809161832.GA15153@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>

Dear OpenSSH developers,

Is there an equivalent ssh_config setting for the command line option

    ssh -N ...

?

I want to connect to a server that doesn't provide an interactive
shell but allows for port forwarding only.  I'd love to configure
this into my ~/.ssh/config as follows:

    Host foo
        Hostname ...
        Port ...
        User ...
        LocalForward ...
        LocalForward ...
        LocalForward ...
        SomeSettingEquivalentToDashN yes

so I can call it via "ssh foo" instead of "ssh -N foo".

Are there good reasons not to provide such a setting?
Or, would you accept a patch that introduces such a setting?
If so, how sould this setting be named?


Regards,
Volker

-- 
Volker Diels-Grabsch
----<<<((()))>>>----

From keno at juliacomputing.com  Wed Aug 10 03:04:11 2016
From: keno at juliacomputing.com (Keno Fischer)
Date: Tue, 9 Aug 2016 13:04:11 -0400
Subject: Should partial success reset ->enabled
Message-ID: <CABV8kRy_YnakTtGbA9cW7ktTEJXyOSq_pApsrN+TS=hzUvkgBQ@mail.gmail.com>

Hi folks,

I've been playing with SSH and was a little surprised by the OpenSSH's
client handling of partial
success. In particular, I tried writing a server that does the following:

- If none of the public keys offered by the client succeed, fall back
to keyboard-interactive
- During that session, we figure out if the user should have access to
the machine and if
  so, authorize their key for future accesses.

Now, I was expecting that returning a partial success message from the
second step would
have the client retry publickey authentication (and since the server
authorized the user's key
that should now succeed). However, this doesn't happen, since the
client has disabled all
further publickey authentication.

I was able to fix this with the following patch to input_userauth_failure:

    if (partial != 0) {
        logit("Authenticated with partial success.");
        /* reset state */
        pubkey_cleanup(authctxt);
        pubkey_prepare(authctxt);
+     authmethod_lookup("publickey")->enabled = &options.pubkey_authentication;
    }

Is there a reason that something equivalent isn't there already, or is
that simply an oversight?

Thanks,
Keno

From brmdamon at hushmail.com  Wed Aug 10 05:10:01 2016
From: brmdamon at hushmail.com (Jack Dodds)
Date: Tue, 09 Aug 2016 19:10:01 -0000
Subject: Equivalent ssh_config setting for "ssh -N"
In-Reply-To: <20160809161832.GA15153@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
References: <20160809161832.GA15153@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
Message-ID: <5ff8f116c61ddefbf5d0abf5b460e27a@smtp.hushmail.com>

Hello Volker,

I use 

ForceCommand /bin/false

On my Debian system, /bin/false is a program that does nothing
and returns a non-zero return code (i.e. an error code).

Jack


Volker Diels-Grabsch <v at njh.eu> wrote:
> Dear OpenSSH developers,
> 
> Is there an equivalent ssh_config setting for the command line
> option
> 
>     ssh -N ...
> 
> ?
> 
> I want to connect to a server that doesn't provide an
> interactive shell but allows for port forwarding only. I'd love
> to configure this into my ~/.ssh/config as follows:
> 
>     Host foo
>         Hostname ...
>         Port ...
>         User ...
>         LocalForward ...
>         LocalForward ...
>         LocalForward ...
>         SomeSettingEquivalentToDashN yes
> 
> so I can call it via "ssh foo" instead of "ssh -N foo".
> 
> Are there good reasons not to provide such a setting?
> Or, would you accept a patch that introduces such a setting? If
> so, how sould this setting be named?
> 
> 
> Regards,
> Volker
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Encryption key for Jack Dodds.asc
Type: application/pgp-keys
Size: 1702 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160809/7651ed15/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP Digital Signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160809/7651ed15/attachment-0003.bin>

From brmdamon at hushmail.com  Wed Aug 10 05:19:33 2016
From: brmdamon at hushmail.com (Jack Dodds)
Date: Tue, 09 Aug 2016 19:19:33 -0000
Subject: Equivalent ssh_config setting for "ssh -N"
In-Reply-To: <5ff8f116c61ddefbf5d0abf5b460e27a@smtp.hushmail.com>
References: <5ff8f116c61ddefbf5d0abf5b460e27a@smtp.hushmail.com>
Message-ID: <e1bda5c7212862e8e43d4f214035eb34@smtp.hushmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Oops.  You wanted an ssh option - not sshd.

Sorry.

Jack Dodds <brmdamon at hushmail.com> wrote:
> Hello Volker,
> 
> I use 
> 
> ForceCommand /bin/false
> 
> On my Debian system, /bin/false is a program that does nothing
> and returns a non-zero return code (i.e. an error code).
> 
> Jack
> 
> 
> Volker Diels-Grabsch <v at njh.eu> wrote:
> > Dear OpenSSH developers,
> > 
> > Is there an equivalent ssh_config setting for the command line
> > option
> > 
> >     ssh -N ...
> > 
> > ?
> > 
> > I want to connect to a server that doesn't provide an
> > interactive shell but allows for port forwarding only. I'd love
> > to configure this into my ~/.ssh/config as follows:
> > 
> >     Host foo
> >         Hostname ...
> >         Port ...
> >         User ...
> >         LocalForward ...
> >         LocalForward ...
> >         LocalForward ...
> >         SomeSettingEquivalentToDashN yes
> > 
> > so I can call it via "ssh foo" instead of "ssh -N foo".
> > 
> > Are there good reasons not to provide such a setting?
> > Or, would you accept a patch that introduces such a setting? If
> > so, how sould this setting be named?
> > 
> > 
> > Regards,
> > Volker
> >

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJXqizPAAoJEChpvIQG4DsHjcsH/ihOfzfqwxAmDNxkZjNkqydo
NFujnzKCPGlHYvYVeN2ruW0CW77q46c6rg8cHde5sK9Y7LmygcaoFWaePCNC+2h3
sN3YNM2biiTeiBhTUUK4CeC+ph3cVdQbQE8wQakATeeh3bzOt9heWT7CqAvGm3CY
u5L+4TEtlbobwym6t/y6dhfBOsHeD5eqO77zYxZLmIE9PjY+SawTxzSO2XhhMMRf
Z9Rzp4EiNTqzO8KJT5RD7OGGA44C2pyvrX0lAG59bFrzn9DGRmhXoGK4WhRUgYWZ
CadhH13Inku7CklceundRoSnmOaui1PICZ/KzZOgZZiIKmPJC1JqAMuHmATSSJs=
=3l3D
-----END PGP SIGNATURE-----

From scott_n at xypro.com  Wed Aug 10 06:03:58 2016
From: scott_n at xypro.com (Scott Neugroschl)
Date: Tue, 9 Aug 2016 20:03:58 +0000
Subject: Equivalent ssh_config setting for "ssh -N"
In-Reply-To: <20160809161832.GA15153@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
References: <20160809161832.GA15153@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
Message-ID: <D358E5B1511A314F8160ADC6F3754987345183DF@XYSVEX02.XYPRO-23.LOCAL>

RequestTTY no

-----Original Message-----
From: openssh-unix-dev [mailto:openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org] On Behalf Of Volker Diels-Grabsch
Sent: Tuesday, August 09, 2016 9:19 AM
To: openssh-unix-dev at mindrot.org
Subject: Equivalent ssh_config setting for "ssh -N"

Dear OpenSSH developers,

Is there an equivalent ssh_config setting for the command line option

    ssh -N ...

?

I want to connect to a server that doesn't provide an interactive shell but allows for port forwarding only.  I'd love to configure this into my ~/.ssh/config as follows:

    Host foo
        Hostname ...
        Port ...
        User ...
        LocalForward ...
        LocalForward ...
        LocalForward ...
        SomeSettingEquivalentToDashN yes

so I can call it via "ssh foo" instead of "ssh -N foo".

Are there good reasons not to provide such a setting?
Or, would you accept a patch that introduces such a setting?
If so, how sould this setting be named?


Regards,
Volker

--
Volker Diels-Grabsch
----<<<((()))>>>----
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From scott_n at xypro.com  Wed Aug 10 07:40:37 2016
From: scott_n at xypro.com (Scott Neugroschl)
Date: Tue, 9 Aug 2016 21:40:37 +0000
Subject: Equivalent ssh_config setting for "ssh -N"
In-Reply-To: <D358E5B1511A314F8160ADC6F3754987345183DF@XYSVEX02.XYPRO-23.LOCAL>
References: <20160809161832.GA15153@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
 <D358E5B1511A314F8160ADC6F3754987345183DF@XYSVEX02.XYPRO-23.LOCAL>
Message-ID: <D358E5B1511A314F8160ADC6F375498734518402@XYSVEX02.XYPRO-23.LOCAL>

Oops.  That's -T.  From the man page, it doesn't really look like there's an ssh_config option for -N.


-----Original Message-----
From: openssh-unix-dev [mailto:openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org] On Behalf Of Scott Neugroschl
Sent: Tuesday, August 09, 2016 1:04 PM
To: Volker Diels-Grabsch; openssh-unix-dev at mindrot.org
Subject: RE: Equivalent ssh_config setting for "ssh -N"

RequestTTY no

-----Original Message-----
From: openssh-unix-dev [mailto:openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org] On Behalf Of Volker Diels-Grabsch
Sent: Tuesday, August 09, 2016 9:19 AM
To: openssh-unix-dev at mindrot.org
Subject: Equivalent ssh_config setting for "ssh -N"

Dear OpenSSH developers,

Is there an equivalent ssh_config setting for the command line option

    ssh -N ...

?

I want to connect to a server that doesn't provide an interactive shell but allows for port forwarding only.  I'd love to configure this into my ~/.ssh/config as follows:

    Host foo
        Hostname ...
        Port ...
        User ...
        LocalForward ...
        LocalForward ...
        LocalForward ...
        SomeSettingEquivalentToDashN yes

so I can call it via "ssh foo" instead of "ssh -N foo".

Are there good reasons not to provide such a setting?
Or, would you accept a patch that introduces such a setting?
If so, how sould this setting be named?


Regards,
Volker

--
Volker Diels-Grabsch
----<<<((()))>>>----
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From mancha1 at zoho.com  Wed Aug 10 16:22:42 2016
From: mancha1 at zoho.com (mancha)
Date: Wed, 10 Aug 2016 06:22:42 +0000
Subject: [ANN] OpenSSH 7.3p1 TCP Wrapper support
Message-ID: <20160810062242.GA27744@zoho.com>

Hello.

Patch re-introducing TCP Wrapper (libwrap) support has been updated for
use with OpenSSH 7.3p1:

https://sf.net/projects/mancha/files/misc/openssh-7.3p1-libwrap.diff

Note: don't forget to autoreconf -fiv.

Enjoy.

--mancha 

--
https://twitter.com/mancha140
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160810/bcd3ddd8/attachment.bin>

From jjelen at redhat.com  Wed Aug 10 16:28:53 2016
From: jjelen at redhat.com (Jakub Jelen)
Date: Wed, 10 Aug 2016 08:28:53 +0200
Subject: ssh(d) identification string in portable (clarification)
In-Reply-To: <877fbrx8gc.fsf@alice.fifthhorseman.net>
References: <0e33ff54-1faa-7039-2d33-a546171af9ea@redhat.com>
 <877fbrx8gc.fsf@alice.fifthhorseman.net>
Message-ID: <ab612a9a-67ff-6c6d-aa4a-9993920d7e30@redhat.com>

On 08/08/2016 11:21 PM, Daniel Kahn Gillmor wrote:
> The synopsis of that changeset comment (by Damien Miller) is:
>
>      Don't divulge portable version in protocol
>
> That seems like a pretty clear intent.  (and fwiw, i think it's the
> right thing to do)
Thank you for the answers. It seems like I should improve my English 
vocabulary or at least be more critical to my instinct when coming to a 
new words, especially on Monday morning.

Jakub

From v at njh.eu  Wed Aug 10 18:19:11 2016
From: v at njh.eu (Volker Diels-Grabsch)
Date: Wed, 10 Aug 2016 10:19:11 +0200
Subject: Equivalent ssh_config setting for "ssh -N"
In-Reply-To: <D358E5B1511A314F8160ADC6F375498734518402@XYSVEX02.XYPRO-23.LOCAL>
References: <20160809161832.GA15153@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
 <D358E5B1511A314F8160ADC6F3754987345183DF@XYSVEX02.XYPRO-23.LOCAL>
 <D358E5B1511A314F8160ADC6F375498734518402@XYSVEX02.XYPRO-23.LOCAL>
Message-ID: <20160810081911.GC921@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>

Hi all,

Thanks for the quick responses.  So it seems there is really no
ssh_config option for -N.

So how should such an option be named?  I propose:

    default  ==  ExecRemoteCommand yes
    -N       ==  ExecRemoteCommand no

Does that make sense?


Regards,
Volker


Scott Neugroschl schrieb:
> Oops.  That's -T.  From the man page, it doesn't really look like there's an ssh_config option for -N.
> 
> 
> -----Original Message-----
> From: openssh-unix-dev [mailto:openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org] On Behalf Of Scott Neugroschl
> Sent: Tuesday, August 09, 2016 1:04 PM
> To: Volker Diels-Grabsch; openssh-unix-dev at mindrot.org
> Subject: RE: Equivalent ssh_config setting for "ssh -N"
> 
> RequestTTY no
> 
> -----Original Message-----
> From: openssh-unix-dev [mailto:openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org] On Behalf Of Volker Diels-Grabsch
> Sent: Tuesday, August 09, 2016 9:19 AM
> To: openssh-unix-dev at mindrot.org
> Subject: Equivalent ssh_config setting for "ssh -N"
> 
> Dear OpenSSH developers,
> 
> Is there an equivalent ssh_config setting for the command line option
> 
>     ssh -N ...
> 
> ?
> 
> I want to connect to a server that doesn't provide an interactive shell but allows for port forwarding only.  I'd love to configure this into my ~/.ssh/config as follows:
> 
>     Host foo
>         Hostname ...
>         Port ...
>         User ...
>         LocalForward ...
>         LocalForward ...
>         LocalForward ...
>         SomeSettingEquivalentToDashN yes
> 
> so I can call it via "ssh foo" instead of "ssh -N foo".
> 
> Are there good reasons not to provide such a setting?
> Or, would you accept a patch that introduces such a setting?
> If so, how sould this setting be named?
> 
> 
> Regards,
> Volker
> 
> --
> Volker Diels-Grabsch
> ----<<<((()))>>>----
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Volker Diels-Grabsch
----<<<((()))>>>----

From arif at mail.nih.gov  Wed Aug 10 22:16:52 2016
From: arif at mail.nih.gov (Anthony R Fletcher)
Date: Wed, 10 Aug 2016 08:16:52 -0400
Subject: Equivalent ssh_config setting for "ssh -N"
In-Reply-To: <20160810081911.GC921@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
References: <20160809161832.GA15153@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
 <D358E5B1511A314F8160ADC6F3754987345183DF@XYSVEX02.XYPRO-23.LOCAL>
 <D358E5B1511A314F8160ADC6F375498734518402@XYSVEX02.XYPRO-23.LOCAL>
 <20160810081911.GC921@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
Message-ID: <20160810121652.GA3747@cosy.cit.nih.gov>

Sound good to me. I've also looked for this ssh_config option
recentlyu so this would be a welcome addition.

		Anthony

On 10 Aug 2016 at 10:19:11, Volker Diels-Grabsch wrote:
> Hi all,
> 
> Thanks for the quick responses.  So it seems there is really no
> ssh_config option for -N.
> 
> So how should such an option be named?  I propose:
> 
>     default  ==  ExecRemoteCommand yes
>     -N       ==  ExecRemoteCommand no
> 
> Does that make sense?
> 
> 
> Regards,
> Volker
> 
> 
> Scott Neugroschl schrieb:
> > Oops.  That's -T.  From the man page, it doesn't really look like there's an ssh_config option for -N.
> > 
> > 
> > -----Original Message-----
> > From: openssh-unix-dev [mailto:openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org] On Behalf Of Scott Neugroschl
> > Sent: Tuesday, August 09, 2016 1:04 PM
> > To: Volker Diels-Grabsch; openssh-unix-dev at mindrot.org
> > Subject: RE: Equivalent ssh_config setting for "ssh -N"
> > 
> > RequestTTY no
> > 
> > -----Original Message-----
> > From: openssh-unix-dev [mailto:openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org] On Behalf Of Volker Diels-Grabsch
> > Sent: Tuesday, August 09, 2016 9:19 AM
> > To: openssh-unix-dev at mindrot.org
> > Subject: Equivalent ssh_config setting for "ssh -N"
> > 
> > Dear OpenSSH developers,
> > 
> > Is there an equivalent ssh_config setting for the command line option
> > 
> >     ssh -N ...
> > 
> > ?
> > 
> > I want to connect to a server that doesn't provide an interactive shell but allows for port forwarding only.  I'd love to configure this into my ~/.ssh/config as follows:
> > 
> >     Host foo
> >         Hostname ...
> >         Port ...
> >         User ...
> >         LocalForward ...
> >         LocalForward ...
> >         LocalForward ...
> >         SomeSettingEquivalentToDashN yes
> > 
> > so I can call it via "ssh foo" instead of "ssh -N foo".
> > 
> > Are there good reasons not to provide such a setting?
> > Or, would you accept a patch that introduces such a setting?
> > If so, how sould this setting be named?
> > 
> > 
> > Regards,
> > Volker
> > 
> > --
> > Volker Diels-Grabsch
> > ----<<<((()))>>>----
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
> -- 
> Volker Diels-Grabsch
> ----<<<((()))>>>----
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Anthony R Fletcher        
  Room 2033, Building 12A,        http://dcb.cit.nih.gov/~arif
  National Institutes of Health,  arif at mail.nih.gov
  12A South Drive, Bethesda,      Phone: (+1) 301 402 1741.
  MD 20892-5624, USA.

From v at njh.eu  Wed Aug 10 22:30:13 2016
From: v at njh.eu (Volker Diels-Grabsch)
Date: Wed, 10 Aug 2016 14:30:13 +0200
Subject: Equivalent ssh_config setting for "ssh -N"
In-Reply-To: <20160810081911.GC921@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
References: <20160809161832.GA15153@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
 <D358E5B1511A314F8160ADC6F3754987345183DF@XYSVEX02.XYPRO-23.LOCAL>
 <D358E5B1511A314F8160ADC6F375498734518402@XYSVEX02.XYPRO-23.LOCAL>
 <20160810081911.GC921@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
Message-ID: <20160810123013.GA28251@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>

Dear OpenSSH developers,

Volker Diels-Grabsch schrieb:
> So how should such an option be named?  I propose:
> 
>     default  ==  ExecRemoteCommand yes
>     -N       ==  ExecRemoteCommand no
> 
> Does that make sense?


I just went ahead and created a patch for OpenSSH.  It would be great
if somebody could review this.  I took extra care to meet your high
quality standards.

BTW, I wonder whether the folloing save-flags can be removed:

- "oexec_remote_command" (formerly "ono_shell_flag")
- "orequest_tty"

To my understanding, keeping "otty_flag" should be sufficient.


Regards,
Volker

-- 
Volker Diels-Grabsch
----<<<((()))>>>----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-7.3p1_exec_remote_command_v1.patch
Type: text/x-diff
Size: 8148 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160810/fb9be51a/attachment-0001.bin>

From v at njh.eu  Wed Aug 10 22:37:44 2016
From: v at njh.eu (Volker Diels-Grabsch)
Date: Wed, 10 Aug 2016 14:37:44 +0200
Subject: Equivalent ssh_config setting for "ssh -N"
In-Reply-To: <20160810123013.GA28251@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
References: <20160809161832.GA15153@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
 <D358E5B1511A314F8160ADC6F3754987345183DF@XYSVEX02.XYPRO-23.LOCAL>
 <D358E5B1511A314F8160ADC6F375498734518402@XYSVEX02.XYPRO-23.LOCAL>
 <20160810081911.GC921@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
 <20160810123013.GA28251@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
Message-ID: <20160810123744.GB28251@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>

Volker Diels-Grabsch schrieb:
> BTW, I wonder whether the folloing save-flags can be removed:
> 
> - "oexec_remote_command" (formerly "ono_shell_flag")
> - "orequest_tty"
> 
> To my understanding, keeping "otty_flag" should be sufficient.

Forget what I said.  The problem is different here.  The following
flags are saved forControlPersist foreground slave:

- ostdin_null_flag
- ono_shell_flag (after my patch: oexec_remote_command)
- otty_flag
- orequest_tty

However, only the following saved flags are used for restoring in
control_persist_detach():

- ostdin_null_flag
- otty_flag
- orequest_tty

So either the ono_shell_flag (after my patch: oexec_remote_command)
can be savely removed.

Or there is a bug in control_persist_detach().

What do you think?


Regards,
Volker

-- 
Volker Diels-Grabsch
----<<<((()))>>>----

From loganaden at gmail.com  Thu Aug 11 01:29:37 2016
From: loganaden at gmail.com (Loganaden Velvindron)
Date: Wed, 10 Aug 2016 19:29:37 +0400
Subject: Feature request for ssh-add
Message-ID: <CAOp4FwQBBGQj8ss7L8S7BX6usmGS=6bNZvZ9v2pLJ+_KbwBJUQ@mail.gmail.com>

Ajay Ramjatan asks if it would be ok to have:

A config file that contains list of DSA/RSA/ED25519 entries to be
added, when run by default.

Currently According to the man page:
"
Alternative file names can be given on the command line. If any file
requires a passphrase, ssh-add asks for the passphrase from the user.
"

Instead of specifying each key file, a single file such as .config
would contain:
AgentDefaultKey ~/.ssh/client1_rsa.private ~/.ssh/client2_ed25519
~/.ssh/client3_ed25519.

From dkg at fifthhorseman.net  Thu Aug 11 02:37:57 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 10 Aug 2016 12:37:57 -0400
Subject: Feature request for ssh-add
In-Reply-To: <CAOp4FwQBBGQj8ss7L8S7BX6usmGS=6bNZvZ9v2pLJ+_KbwBJUQ@mail.gmail.com>
References: <CAOp4FwQBBGQj8ss7L8S7BX6usmGS=6bNZvZ9v2pLJ+_KbwBJUQ@mail.gmail.com>
Message-ID: <87lh04tw9m.fsf@alice.fifthhorseman.net>

On Wed 2016-08-10 11:29:37 -0400, Loganaden Velvindron wrote:
> Ajay Ramjatan asks if it would be ok to have:
>
> A config file that contains list of DSA/RSA/ED25519 entries to be
> added, when run by default.
>
> Currently According to the man page:
> "
> Alternative file names can be given on the command line. If any file
> requires a passphrase, ssh-add asks for the passphrase from the user.
> "
>
> Instead of specifying each key file, a single file such as .config
> would contain:
> AgentDefaultKey ~/.ssh/client1_rsa.private ~/.ssh/client2_ed25519
> ~/.ssh/client3_ed25519.

Is the goal to modify ssh-add to read this list, or to make it so that
ssh-agent tries to load these keys when it is initialized?

If we're talking about ssh-add, wouldn't it be just as easy to write a
brief shell script or alias to have the same effect?

To express my own tastes: I like the cleanliness of ssh-add's current
interface, and wouldn't want to introduce a new config file to have to
worry about parsing, dealing with errors, etc.

Regards,

        --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 930 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160810/dab2638e/attachment.bin>

From dtucker at zip.com.au  Thu Aug 11 10:24:26 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 11 Aug 2016 10:24:26 +1000
Subject: Feature request for ssh-add
In-Reply-To: <CAOp4FwQBBGQj8ss7L8S7BX6usmGS=6bNZvZ9v2pLJ+_KbwBJUQ@mail.gmail.com>
References: <CAOp4FwQBBGQj8ss7L8S7BX6usmGS=6bNZvZ9v2pLJ+_KbwBJUQ@mail.gmail.com>
Message-ID: <CALDDTe1AR5apFPz=M_+j5p28KrgDkXWXUXiwDeNvuKR-uiEmkA@mail.gmail.com>

On Thu, Aug 11, 2016 at 1:29 AM, Loganaden Velvindron
<loganaden at gmail.com> wrote:
[...]
> Instead of specifying each key file, a single file such as .config
> would contain:
> AgentDefaultKey ~/.ssh/client1_rsa.private ~/.ssh/client2_ed25519
> ~/.ssh/client3_ed25519.

You can do that with a trivial shell wrapper:

function ssh-add() { if [ -z "$@" ];then /usr/bin/ssh-add `cat
~/.ssh/keylist`; else /usr/bin/ssh-add $@; fi ; }

then list your keys in ~/.ssh/keylist.  ssh-add does not currently
read a config file and I don't think it should.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From philipp.marek at linbit.com  Fri Aug 12 19:39:24 2016
From: philipp.marek at linbit.com (Philipp Marek)
Date: Fri, 12 Aug 2016 11:39:24 +0200
Subject: ProxyJump in 7.3, depending on location
Message-ID: <20160812093923.tlgj3j6jrilnmfkk@cacao.linbit>

Hi,

I'm very grateful for the new ProxyJump option. It helps tremendously!

One small question I'd like to ask, though: Is there a way to skip
one (mostly the first) jump host if the machine is in some specific 
network?


For example, from home, I (resp. a shell script) need to jump to the 
office's server, a customers' login host, and then to the destination
node; from the office I could skip the first jump.


I'm aware of the "Match" keyword in .ssh/config; but I don't see how
I could use that here, as I cannot check for the locally configured
IP address or network to find out "where" I am.

Interactively I could easily append some marker (like ".office"),
match on that, and hopefully just have a ProxyJump to the office's
server in that stanza; but within scripts that's a bit awful.


Is there a way to get that working?


Thanks for all help, ideas and hints.

From jmknoble at pobox.com  Fri Aug 12 19:52:03 2016
From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 12 Aug 2016 02:52:03 -0700
Subject: Feature request for ssh-add
In-Reply-To: <CALDDTe1AR5apFPz=M_+j5p28KrgDkXWXUXiwDeNvuKR-uiEmkA@mail.gmail.com>
References: <CAOp4FwQBBGQj8ss7L8S7BX6usmGS=6bNZvZ9v2pLJ+_KbwBJUQ@mail.gmail.com>
 <CALDDTe1AR5apFPz=M_+j5p28KrgDkXWXUXiwDeNvuKR-uiEmkA@mail.gmail.com>
Message-ID: <BD5653AA-B86A-4CC9-AA1A-DA06B80E8884@pobox.com>

On Aug 10, 2016, at 17:24, Darren Tucker <dtucker at zip.com.au> wrote:
> 
> On Thu, Aug 11, 2016 at 1:29 AM, Loganaden Velvindron
> <loganaden at gmail.com> wrote:
> [...]
>> Instead of specifying each key file, a single file such as .config
>> would contain:
>> AgentDefaultKey ~/.ssh/client1_rsa.private ~/.ssh/client2_ed25519
>> ~/.ssh/client3_ed25519.
> 
> You can do that with a trivial shell wrapper:
> 
> function ssh-add() { if [ -z "$@" ];then /usr/bin/ssh-add `cat
> ~/.ssh/keylist`; else /usr/bin/ssh-add $@; fi ; }

This may not do exactly what you mean, depending on the user's shell; there are idiosyncrasies surrounding "$@", among other things. 

This would be more likely to work correctly:

ssh-add() {
  if [ $# -eq 0 ]; then
    /usr/bin/ssh-add `cat "$HOME/.ssh/keylist"`
  else
    /usr/bin/ssh-add "$@"
  fi
}

Basically, "$@" (with double quotes) expands to "$1" "$2" ... "$n". Some shells don't like more than one argument after a -z test.  Some shells also expand "$@" to "" (an empty string) if no arguments are provided, while others (e.g., bash) expand it to nothing (not even an empty string). Using the quoted form after the ssh-add command ensures that arguments containing whitespace are preserved.  Likewise, not all shells like a tilde ('~') for $HOME, and quoting it ensures that home directories containing whitespace work correctly. 

Handling whitespace in the names of key files in ~/.ssh/keyfiles is left as an exercise for the reader, as is handling alternate locations of ssh-add. :)

Otherwise, I concur as well; this should not be first-class functionality of ssh-add. 

-- 
jim knoble


From dtucker at zip.com.au  Fri Aug 12 22:20:13 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 12 Aug 2016 22:20:13 +1000
Subject: ProxyJump in 7.3, depending on location
In-Reply-To: <20160812093923.tlgj3j6jrilnmfkk@cacao.linbit>
References: <20160812093923.tlgj3j6jrilnmfkk@cacao.linbit>
Message-ID: <CALDDTe2WQLCOAk-77W0H11C5x+e-aDT27Tdz7abD+Qfs=HsfBw@mail.gmail.com>

On Fri, Aug 12, 2016 at 7:39 PM, Philipp Marek <philipp.marek at linbit.com> wrote:
> For example, from home, I (resp. a shell script) need to jump to the
> office's server, a customers' login host, and then to the destination
> node; from the office I could skip the first jump.
>
> I'm aware of the "Match" keyword in .ssh/config; but I don't see how
> I could use that here, as I cannot check for the locally configured
> IP address or network to find out "where" I am.

Match exec, put your detection logic in a script, and have two
ProxyJump config lines?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From philipp.marek at linbit.com  Fri Aug 12 22:23:28 2016
From: philipp.marek at linbit.com (Philipp Marek)
Date: Fri, 12 Aug 2016 14:23:28 +0200
Subject: ProxyJump in 7.3, depending on location
In-Reply-To: <CALDDTe2WQLCOAk-77W0H11C5x+e-aDT27Tdz7abD+Qfs=HsfBw@mail.gmail.com>
References: <20160812093923.tlgj3j6jrilnmfkk@cacao.linbit>
 <CALDDTe2WQLCOAk-77W0H11C5x+e-aDT27Tdz7abD+Qfs=HsfBw@mail.gmail.com>
Message-ID: <20160812122327.5ekjjrn4rw7kfzx5@cacao.linbit>

> > For example, from home, I (resp. a shell script) need to jump to the
> > office's server, a customers' login host, and then to the destination
> > node; from the office I could skip the first jump.
> >
> > I'm aware of the "Match" keyword in .ssh/config; but I don't see how
> > I could use that here, as I cannot check for the locally configured
> > IP address or network to find out "where" I am.
> 
> Match exec, put your detection logic in a script, and have two
> ProxyJump config lines?
Great, thanks.

I seem to have not understood the man page correctly ;/


Thanks a lot!


From naddy at mips.inka.de  Fri Aug 12 22:17:19 2016
From: naddy at mips.inka.de (Christian Weisgerber)
Date: Fri, 12 Aug 2016 12:17:19 +0000 (UTC)
Subject: ProxyJump in 7.3, depending on location
References: <20160812093923.tlgj3j6jrilnmfkk@cacao.linbit>
Message-ID: <slrnnqrfif.a4e.naddy@lorvorc.mips.inka.de>

On 2016-08-12, Philipp Marek <philipp.marek at linbit.com> wrote:

> I'm aware of the "Match" keyword in .ssh/config; but I don't see how
> I could use that here, as I cannot check for the locally configured
> IP address or network to find out "where" I am.

Match exec

  The exec keyword executes the specified command under the user's
  shell.  If the command returns a zero exit status then the condition
  is considered true.  Commands containing whitespace characters
  must be quoted.  The following character sequences in the command
  will be expanded prior to execution: [...]

-- 
Christian "naddy" Weisgerber                          naddy at mips.inka.de

From v at njh.eu  Sat Aug 13 21:40:18 2016
From: v at njh.eu (Volker Diels-Grabsch)
Date: Sat, 13 Aug 2016 13:40:18 +0200
Subject: Equivalent ssh_config setting for "ssh -N"
In-Reply-To: <20160810123013.GA28251@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
References: <20160809161832.GA15153@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
 <D358E5B1511A314F8160ADC6F3754987345183DF@XYSVEX02.XYPRO-23.LOCAL>
 <D358E5B1511A314F8160ADC6F375498734518402@XYSVEX02.XYPRO-23.LOCAL>
 <20160810081911.GC921@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
 <20160810123013.GA28251@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
Message-ID: <20160813114018.GB17554@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>

Dear OpenSSH developers,

Volker Diels-Grabsch schrieb:
> Volker Diels-Grabsch schrieb:
> > So how should such an option be named?  I propose:
> > 
> >     default  ==  ExecRemoteCommand yes
> >     -N       ==  ExecRemoteCommand no
> > 
> > Does that make sense?
> 
> I just went ahead and created a patch for OpenSSH.  It would be great
> if somebody could review this.  I took extra care to meet your high
> quality standards.


Did anybody find some time to have a look at this small patch?
Is there anything I should improve to make it acceptable to you?


Regards,
Volker

-- 
Volker Diels-Grabsch
----<<<((()))>>>----

From ronf at timeheart.net  Sun Aug 14 14:05:52 2016
From: ronf at timeheart.net (Ron Frederick)
Date: Sat, 13 Aug 2016 21:05:52 -0700
Subject: Encrypt /decrypta file with ssh keys.
In-Reply-To: <077F9C14-B27E-4B93-AE29-5D807345822E@timeheart.net>
References: <EC46A5D7-4759-46AB-89D4-46BE1EA8B2FE@alex.org.uk>
 <79f8131d-3647-8d6c-01a1-934769658048@uvic.ca>
 <11905aed-89aa-a44f-2af7-fd9e40a076e0@gmail.com>
 <1713A0B0-7B5E-4F71-9D3B-6B5726B1992F@alex.org.uk>
 <57A4CF91.40803@offwriting.org>
 <077F9C14-B27E-4B93-AE29-5D807345822E@timeheart.net>
Message-ID: <570CA210-E558-4A85-A800-91685AD7852D@timeheart.net>

On Aug 5, 2016, at 10:56 AM, Ron Frederick <ronf at timeheart.net> wrote:
> On Aug 5, 2016, at 10:40 AM, Ben Lindstrom <mouring at offwriting.org> wrote:
>> Alex Bligh wrote:
>>>> On 5 Aug 2016, at 18:09, James Murphy<james.murphy.debian at gmail.com>  wrote:
>>>> 
>>>> The more mainstream thing to do is just use gpg, which has this
>>>> functionality already built in. Is this not suitable for your use case?
>>> 
>>> The advantage of Colin's approach is that gpg requires out of band exchange
>>> of gpg keys separately from ssh keys. If you already have ssh keys
>>> distributed (which might be in an automated environment for instance),
>>> it would be very useful.
>>> 
>>> Of course if you already have gpg keys set up and exchanged, gpg
>>> would be just fine.
>>> 
>> The downside to this approach is your using keys created for signing for encryption now.  Which
>> means you've leaked additional information about the key material.  Thus slightly weakening the
>> security of your key.
>> 
>> Which isn't really a smart thing to do.
> 
> Since public key crypto is being used here, you also can?t encrypt something larger than the key size directly. You?d have to create a symmetric key, encrypt the data with that, and then encrypt the symmetric key with the public key. You?d then need to also define a container format for that. It looks like the ?sfile? code does all that, but at that point why not use ?openssl cms?? It will work with the same public keys used by SSH and already provides a standard format for this encoding.


Following up on my own reply about using OpenSSL?s ?cms? mechanism for this, I looked a little more closely and it appears that the CMS implementation in OpenSSL will only allow you to specify certificates for the recipients of an encrypted CMS message and does not support passing in raw public keys, even though that?s all you?d really need to perform the encryption. It would be straightforward to ask for recipients to send a certificate, though, and it could even be a self-signed certificate if you have some way of verifying the certificate out of band. This certificate could be based on the same key pair used by SSH if you wanted it to, though I agree with the point above that it would be better to use different keys for these two purposes.
-- 
Ron Frederick
ronf at timeheart.net




From djm at mindrot.org  Tue Aug 16 13:27:00 2016
From: djm at mindrot.org (Damien Miller)
Date: Tue, 16 Aug 2016 13:27:00 +1000 (AEST)
Subject: Who uses UseLogin?
Message-ID: <alpine.BSO.2.20.1608161323260.19314@natsu.mindrot.org>

Hi,

Does anyone set sshd's UseLogin=yes? If so, why?

I'd like to remove this option - I've not needed it in the last 15 years
on any platform (making it a very poorly-tested code path) and it breaks
a few things including post-authentication privilege separation.

Can anyone speak in its defence?

-d


From jjelen at redhat.com  Tue Aug 16 17:37:55 2016
From: jjelen at redhat.com (Jakub Jelen)
Date: Tue, 16 Aug 2016 09:37:55 +0200
Subject: Who uses UseLogin?
In-Reply-To: <alpine.BSO.2.20.1608161323260.19314@natsu.mindrot.org>
References: <alpine.BSO.2.20.1608161323260.19314@natsu.mindrot.org>
Message-ID: <11fb690f-fd76-8605-aef1-0f84d64b8c55@redhat.com>

On 08/16/2016 05:27 AM, Damien Miller wrote:
> Hi,
>
> Does anyone set sshd's UseLogin=yes? If so, why?
>
> I'd like to remove this option - I've not needed it in the last 15 years
> on any platform (making it a very poorly-tested code path) and it breaks
> a few things including post-authentication privilege separation.
>
> Can anyone speak in its defence?
No. We recently marked this option as deprecated in Fedora (throws a 
warning in the logs) and removing it sounds like a good idea to me (it 
does not even work with SELinux enforcing). I set UseLogin=yes only for 
rare testing purposes.

Regards,

-- 
Jakub Jelen
Security Technologies
Red Hat


From tomas.kuthan at oracle.com  Tue Aug 16 17:50:55 2016
From: tomas.kuthan at oracle.com (Tomas Kuthan)
Date: Tue, 16 Aug 2016 09:50:55 +0200
Subject: Who uses UseLogin?
In-Reply-To: <alpine.BSO.2.20.1608161323260.19314@natsu.mindrot.org>
References: <alpine.BSO.2.20.1608161323260.19314@natsu.mindrot.org>
Message-ID: <57B2C5DF.4040507@oracle.com>

On 08/16/16 05:27, Damien Miller wrote:
> Hi,
>
> Does anyone set sshd's UseLogin=yes? If so, why?
>
> I'd like to remove this option - I've not needed it in the last 15 years
> on any platform (making it a very poorly-tested code path) and it breaks
> a few things including post-authentication privilege separation.

+1 to remove UseLogin

Tomas

From lists at spuddy.org  Tue Aug 16 23:23:28 2016
From: lists at spuddy.org (Stephen Harris)
Date: Tue, 16 Aug 2016 09:23:28 -0400
Subject: Who uses UseLogin?
In-Reply-To: <alpine.BSO.2.20.1608161323260.19314@natsu.mindrot.org>
References: <alpine.BSO.2.20.1608161323260.19314@natsu.mindrot.org>
Message-ID: <20160816132328.GA17689@mercury7.spuddy.org>

On Tue, Aug 16, 2016 at 01:27:00PM +1000, Damien Miller wrote:
> Does anyone set sshd's UseLogin=yes? If so, why?

I've used it in a vendor hacked version of sshd (boks_sshd, from Fox
Technologies) because that didn't have PAM support (it had its own AAA
subsystem that was more flexible - eg separate rules for SCP, login shell,
non-login remote commands, SFTP and so on).  This meant that things like
pam_limits didn't work; UseLogin was a workaround for the rare cases
where it was needed.  The vendor has since fixed their code to support
PAM "session" so it's not even needed there, any more.

But that's the only place I've needed UseLogin :-)

-- 

rgds
Stephen

From mrkiko.rs at gmail.com  Wed Aug 17 13:30:41 2016
From: mrkiko.rs at gmail.com (Enrico Mioso)
Date: Wed, 17 Aug 2016 05:30:41 +0200 (CEST)
Subject: [Portable OpenSSH] hang up during login after OpenSSH 7.3 upgrade
In-Reply-To: <alpine.LNX.2.20.1608170507530.1226@localhost.localdomain>
References: <alpine.LNX.2.20.1608170507530.1226@localhost.localdomain>
Message-ID: <alpine.LNX.2.20.1608170529390.1283@localhost.localdomain>

Sorry... as a side note: I am not subscribed. So keep me in CC, please.
Thanks again a lot for your work,
Enrico

From mrkiko.rs at gmail.com  Wed Aug 17 13:29:08 2016
From: mrkiko.rs at gmail.com (Enrico Mioso)
Date: Wed, 17 Aug 2016 05:29:08 +0200 (CEST)
Subject: [Portable OpenSSH] hang up during login after OpenSSH 7.3 upgrade
Message-ID: <alpine.LNX.2.20.1608170507530.1226@localhost.localdomain>

Hello to everyone, and thank for your job.


I am reporting here about a problem I am experiencing with portable SSH client, version 7.3p1.
My client is an Archlinux system.
I am connecting to an Ubuntu server, which provides SSH with some patches (see below).
It worked until the upgrade to 7.3p1.

This is the produced debug output.

Command line: ssh -v -v -v -v -v -v username at 10.196.37.5

OpenSSH_7.3p1, OpenSSL 1.0.2h  3 May 2016
debug1: Reading configuration data /home/mrkiko/.ssh/config
debug1: /home/mrkiko/.ssh/config line 4: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: auto-mux: Trying existing master
debug1: Control socket "/home/mrkiko/.ssh/controlmasters/ffcb7b290d3be704cb5460c2430449dc7c74f50c" does not exist
debug2: resolving "10.196.37.5" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 10.196.37.5 [10.196.37.5] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/mrkiko/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mrkiko/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mrkiko/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mrkiko/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mrkiko/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mrkiko/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mrkiko/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mrkiko/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Ubuntu-5ubuntu1.4
debug1: match: OpenSSH_6.7p1 Ubuntu-5ubuntu1.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 10.196.37.5:22 as 'username'
debug3: hostkeys_foreach: reading file "/home/mrkiko/.ssh/known_hosts"
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib at openssh.com,zlib
debug2: compression stoc: none,zlib at openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com
debug2: MACs ctos: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib at openssh.com
debug2: compression stoc: none,zlib at openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256 at libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
<hangs here>


But dbclient (from Dropbear) works instead with the same setup (and server), asking me the password as expected.

On the server side, we have an Ubuntu 15.04 Linux sitribution, with ssh reporting as version
OpenSSH_6.7p1 Ubuntu-5ubuntu1.4

The number of patches Ubuntu applies to this package is relatively high I would 
say: and I know this doesn't help. What made me think it's still worth 
reporting, is:
- Openssh 7.2 worked fine with this server
- Dropbear SSH client does work
- the software does wait indefinitely, not reporting any error or message
   (which I think would be desireable).

With SSH client 7.2, the debug output is as follows, when connecting to the same server:

Command line: ssh -v -v -v -v -v -v -v username at 10.196.37.5
OpenSSH_7.2p2, OpenSSL 1.0.2h  3 May 2016
debug1: Reading configuration data /home/mrkiko/.ssh/config
debug1: /home/mrkiko/.ssh/config line 4: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: auto-mux: Trying existing master
debug1: Control socket "/home/mrkiko/.ssh/controlmasters/ffcb7b290d3be704cb5460c2430449dc7c74f50c" does not exist
debug2: resolving "10.196.37.5" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 10.196.37.5 [10.196.37.5] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/mrkiko/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mrkiko/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mrkiko/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mrkiko/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mrkiko/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mrkiko/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mrkiko/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mrkiko/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Ubuntu-5ubuntu1.4
debug1: match: OpenSSH_6.7p1 Ubuntu-5ubuntu1.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 10.196.37.5:22 as 'username'
debug3: hostkeys_foreach: reading file "/home/mrkiko/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/mrkiko/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 10.196.37.5
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib at openssh.com,zlib
debug2: compression stoc: none,zlib at openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com
debug2: MACs ctos: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib at openssh.com
debug2: compression stoc: none,zlib at openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256 at libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:yo//ykmurZf9IJ/ORTP9Ep3wheYf1u2xXXdV+4uAH6M
debug3: hostkeys_foreach: reading file "/home/mrkiko/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/mrkiko/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 10.196.37.5
debug1: Host '10.196.37.5' is known and matches the ECDSA host key.
debug1: Found key in /home/mrkiko/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug2: key: /home/mrkiko/.ssh/id_rsa ((nil))
debug2: key: /home/mrkiko/.ssh/id_dsa ((nil))
debug2: key: /home/mrkiko/.ssh/id_ecdsa ((nil))
debug2: key: /home/mrkiko/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mrkiko/.ssh/id_rsa
debug3: no such identity: /home/mrkiko/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/mrkiko/.ssh/id_dsa
debug3: no such identity: /home/mrkiko/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/mrkiko/.ssh/id_ecdsa
debug3: no such identity: /home/mrkiko/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/mrkiko/.ssh/id_ed25519
debug3: no such identity: /home/mrkiko/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
username at 10.196.37.5's password: 
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 52
debug1: Authentication succeeded (password).
Authenticated to 10.196.37.5 ([10.196.37.5]:22).
debug1: setting up multiplex master socket
debug3: muxserver_listen: temporary control path /home/mrkiko/.ssh/controlmasters/ffcb7b290d3be704cb5460c2430449dc7c74f50c.UvIEO9zBRNphS1SE
debug2: fd 4 setting O_NONBLOCK
debug3: fd 4 is O_NONBLOCK
debug3: fd 4 is O_NONBLOCK
debug1: channel 0: new [/home/mrkiko/.ssh/controlmasters/ffcb7b290d3be704cb5460c2430449dc7c74f50c]
debug3: muxserver_listen: mux listener channel 0 fd 4
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x08
debug1: control_persist_detach: backgrounding master process
debug2: control_persist_detach: background process is 1259
debug2: fd 4 setting O_NONBLOCK
debug1: forking to background
debug1: Entering interactive session.
debug1: pledge: id
debug2: set_control_persist_exit_time: schedule exit in 60 seconds
debug1: multiplexing control connection
debug2: fd 5 setting O_NONBLOCK
debug3: fd 5 is O_NONBLOCK
debug1: channel 1: new [mux-control]
debug3: channel_post_mux_listener: new mux channel 1 fd 5
debug3: mux_master_read_cb: channel 1: hello sent
debug2: set_control_persist_exit_time: cancel scheduled exit
debug3: mux_master_read_cb: channel 1 packet type 0x00000001 len 4
debug2: process_mux_master_hello: channel 1 slave version 4
debug2: mux_client_hello_exchange: master version 4
debug3: mux_client_forwards: request forwardings: 0 local, 0 remote
debug3: mux_client_request_session: entering
debug3: mux_client_request_alive: entering
debug3: mux_master_read_cb: channel 1 packet type 0x10000004 len 4
debug2: process_mux_alive_check: channel 1: alive check
debug3: mux_client_request_alive: done pid = 1261
debug3: mux_client_request_session: session request sent
debug3: mux_master_read_cb: channel 1 packet type 0x10000002 len 41
debug2: process_mux_new_session: channel 1: request tty 1, X 0, agent 0, subsys 0, term "linux", cmd "", env 0
debug3: process_mux_new_session: got fds stdin 6, stdout 7, stderr 8
debug1: channel 2: new [client-session]
debug2: process_mux_new_session: channel_new: 2 linked to control channel 1
debug2: channel 2: send open
debug3: send packet: type 90
debug3: receive packet: type 91
debug2: callback start
debug2: client_session2_setup: id 2
debug2: channel 2: request pty-req confirm 1
debug3: send packet: type 98
debug2: channel 2: request shell confirm 1
debug3: send packet: type 98
debug3: mux_session_confirm: sending success reply
debug2: callback done
debug2: channel 2: open confirm rwindow 0 rmax 32768
debug1: mux_client_request_session: master session id: 2
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 2
debug2: PTY allocation request accepted on channel 2
debug2: channel 2: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 2
debug2: shell request accepted on channel 2
Welcome to Ubuntu 15.04 (GNU/Linux 3.19.0-65-generic x86_64)

  * Documentation:  https://help.ubuntu.com/

Your Ubuntu release is not supported anymore.
For upgrade information, please visit:
http://www.ubuntu.com/releaseendoflife

New release '15.10' available.
Run 'do-release-upgrade' to upgrade to it.

*** System restart required ***
Last login: Wed Aug 17 05:19:02 2016 from 10.31.0.197
<shell prompt>

debug3: receive packet: type 96
debug2: channel 2: rcvd eof
debug2: channel 2: output open -> drain
debug2: channel 2: obuf empty
debug2: channel 2: close_write
debug2: channel 2: output drain -> closed
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 2 rtype exit-status reply 0
debug3: mux_exit_message: channel 2: exit message, exitval 0
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 2 rtype eow at openssh.com reply 0
debug2: channel 2: rcvd eow
debug2: channel 2: close_read
debug2: channel 2: input open -> closed
debug3: receive packet: type 97
debug2: channel 2: rcvd close
debug3: channel 2: will not send data after close
debug2: channel 2: send close
debug3: send packet: type 97
debug2: channel 2: is dead
debug2: channel 2: gc: notify user
debug3: mux_master_session_cleanup_cb: entering for channel 2
debug2: channel 1: rcvd close
debug2: channel 1: output open -> drain
debug2: channel 1: close_read
debug2: channel 1: input open -> closed
debug2: channel 2: gc: user detached
debug2: channel 2: is dead
debug2: channel 2: garbage collecting
debug1: channel 2: free: client-session, nchannels 3
debug3: channel 2: status: The following connections are open:
   #2 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)

debug2: channel 1: obuf empty
debug2: channel 1: close_write
debug2: channel 1: output drain -> closed
debug2: channel 1: is dead (local)
debug2: channel 1: gc: notify user
debug3: mux_master_control_cleanup_cb: entering for channel 1
debug2: channel 1: gc: user detached
debug2: channel 1: is dead (local)
debug2: channel 1: garbage collecting
debug1: channel 1: free: mux-control, nchannels 2
debug3: channel 1: status: The following connections are open:

debug2: set_control_persist_exit_time: schedule exit in 60 seconds
debug3: mux_client_read_packet: read header failed: Broken pipe
debug2: Received exit status from master 0
Asking ssh to stop the mux process: ssh -v -v -v -v -v -v -v username at 10.196.37.55 -O stop
OpenSSH_7.2p2, OpenSSL 1.0.2h  3 May 2016
debug1: Reading configuration data /home/mrkiko/.ssh/config
debug1: /home/mrkiko/.ssh/config line 4: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: auto-mux: Trying existing master
debug1: multiplexing control connection
debug2: fd 5 setting O_NONBLOCK
debug3: fd 5 is O_NONBLOCK
debug1: channel 1: new [mux-control]
debug3: channel_post_mux_listener: new mux channel 1 fd 5
debug3: mux_master_read_cb: channel 1: hello sent
debug2: set_control_persist_exit_time: cancel scheduled exit
debug2: fd 3 setting O_NONBLOCK
debug3: mux_master_read_cb: channel 1 packet type 0x00000001 len 4
debug2: process_mux_master_hello: channel 1 slave version 4
debug2: mux_client_hello_exchange: master version 4
debug3: mux_client_request_stop_listening: entering
debug3: mux_master_read_cb: channel 1 packet type 0x10000009 len 4
debug1: process_mux_stop_listening: channel 1: stop listening
debug1: channel 0: free: /home/mrkiko/.ssh/controlmasters/ffcb7b290d3be704cb5460c2430449dc7c74f50c, nchannels 2
debug3: channel 0: status: The following connections are open:

Stop listening request sent.
debug2: channel 1: ctl read<=0 rfd 5 len 0
debug2: channel 1: read failed
debug2: channel 1: close_read
debug2: channel 1: input open -> drain
debug2: channel 1: ibuf empty
debug2: channel 1: input drain -> closed
debug2: channel 1: rcvd close
debug2: channel 1: output open -> drain
debug2: channel 1: obuf empty
debug2: channel 1: close_write
debug2: channel 1: output drain -> closed
debug2: channel 1: is dead (local)
debug2: channel 1: gc: notify user
debug3: mux_master_control_cleanup_cb: entering for channel 1
debug2: channel 1: gc: user detached
debug2: channel 1: is dead (local)
debug2: channel 1: garbage collecting
debug1: channel 1: free: mux-control, nchannels 1
debug3: channel 1: status: The following connections are open:

debug3: send packet: type 1
debug3: fd 0 is not O_NONBLOCK
debug3: fd 1 is not O_NONBLOCK
Transferred: sent 2076, received 2200 bytes, in 8.9 seconds
Bytes per second: sent 232.9, received 246.8
debug1: Exit status -1

thanks you a lot guys for your work and help,
Enrico

From dtucker at zip.com.au  Wed Aug 17 14:06:42 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 17 Aug 2016 14:06:42 +1000
Subject: [Portable OpenSSH] hang up during login after OpenSSH 7.3 upgrade
In-Reply-To: <alpine.LNX.2.20.1608170507530.1226@localhost.localdomain>
References: <alpine.LNX.2.20.1608170507530.1226@localhost.localdomain>
Message-ID: <CALDDTe1NHLg_uEtymnKBUXzwZEx8pJ3Xo2haFZ8ud9n==J2VdA@mail.gmail.com>

On Wed, Aug 17, 2016 at 1:29 PM, Enrico Mioso <mrkiko.rs at gmail.com> wrote:
[....]
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> <hangs here>

Smells like a path MTU black hole.  See
http://www.snailbook.com/faq/mtu-mismatch.auto.html for some
suggestions.

> But dbclient (from Dropbear) works instead with the same setup (and server),
> asking me the password as expected.

dbclient supports fewer algorithms and its network traffic is
correspondingly smaller, which makes it less likely to trip the
threshold (same for older opensshs).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From mrkiko.rs at gmail.com  Wed Aug 17 14:16:19 2016
From: mrkiko.rs at gmail.com (Enrico Mioso)
Date: Wed, 17 Aug 2016 06:16:19 +0200 (CEST)
Subject: [Portable OpenSSH] hang up during login after OpenSSH 7.3 upgrade
In-Reply-To: <CALDDTe1NHLg_uEtymnKBUXzwZEx8pJ3Xo2haFZ8ud9n==J2VdA@mail.gmail.com>
References: <alpine.LNX.2.20.1608170507530.1226@localhost.localdomain>
 <CALDDTe1NHLg_uEtymnKBUXzwZEx8pJ3Xo2haFZ8ud9n==J2VdA@mail.gmail.com>
Message-ID: <alpine.LNX.2.20.1608170615420.1613@localhost.localdomain>

Yeah, I think this can be the reason.
Thank you very much guys.
Enrico

From mrkiko.rs at gmail.com  Wed Aug 17 14:41:23 2016
From: mrkiko.rs at gmail.com (Enrico Mioso)
Date: Wed, 17 Aug 2016 06:41:23 +0200 (CEST)
Subject: [Portable OpenSSH] hang up during login after OpenSSH 7.3 upgrade
In-Reply-To: <CALDDTe1NHLg_uEtymnKBUXzwZEx8pJ3Xo2haFZ8ud9n==J2VdA@mail.gmail.com>
References: <alpine.LNX.2.20.1608170507530.1226@localhost.localdomain>
 <CALDDTe1NHLg_uEtymnKBUXzwZEx8pJ3Xo2haFZ8ud9n==J2VdA@mail.gmail.com>
Message-ID: <alpine.LNX.2.20.1608170640580.2321@localhost.localdomain>

Ok, now it works infact. it was a MTU problem.
Thanks you all again,
Enrico

From keno at juliacomputing.com  Fri Aug 19 04:10:07 2016
From: keno at juliacomputing.com (Keno Fischer)
Date: Thu, 18 Aug 2016 14:10:07 -0400
Subject: Should partial success reset ->enabled
In-Reply-To: <CABV8kRy_YnakTtGbA9cW7ktTEJXyOSq_pApsrN+TS=hzUvkgBQ@mail.gmail.com>
References: <CABV8kRy_YnakTtGbA9cW7ktTEJXyOSq_pApsrN+TS=hzUvkgBQ@mail.gmail.com>
Message-ID: <CABV8kRxnbLYAuZqbOQ2aeT7ztrT+jNzs2kw2MahqODhKMMwpTw@mail.gmail.com>

Any thoughts on this? I don't mind this problem too much, since the
workaround is quite
simple (just ask the user to reconnect), but hey, I'm a perfectionist ;).

On Tue, Aug 9, 2016 at 1:04 PM, Keno Fischer <keno at juliacomputing.com> wrote:
>
> Hi folks,
>
> I've been playing with SSH and was a little surprised by the OpenSSH's
> client handling of partial
> success. In particular, I tried writing a server that does the following:
>
> - If none of the public keys offered by the client succeed, fall back
> to keyboard-interactive
> - During that session, we figure out if the user should have access to
> the machine and if
>   so, authorize their key for future accesses.
>
> Now, I was expecting that returning a partial success message from the
> second step would
> have the client retry publickey authentication (and since the server
> authorized the user's key
> that should now succeed). However, this doesn't happen, since the
> client has disabled all
> further publickey authentication.
>
> I was able to fix this with the following patch to input_userauth_failure:
>
>     if (partial != 0) {
>         logit("Authenticated with partial success.");
>         /* reset state */
>         pubkey_cleanup(authctxt);
>         pubkey_prepare(authctxt);
> +     authmethod_lookup("publickey")->enabled = &options.pubkey_authentication;
>     }
>
> Is there a reason that something equivalent isn't there already, or is
> that simply an oversight?
>
> Thanks,
> Keno

From philipp.marek at linbit.com  Tue Aug 23 02:21:35 2016
From: philipp.marek at linbit.com (Philipp Marek)
Date: Mon, 22 Aug 2016 18:21:35 +0200
Subject: ProxyJump in 7.3, depending on location
In-Reply-To: <CALDDTe2WQLCOAk-77W0H11C5x+e-aDT27Tdz7abD+Qfs=HsfBw@mail.gmail.com>
References: <20160812093923.tlgj3j6jrilnmfkk@cacao.linbit>
 <CALDDTe2WQLCOAk-77W0H11C5x+e-aDT27Tdz7abD+Qfs=HsfBw@mail.gmail.com>
Message-ID: <20160822162134.xz7gfmlkdtkqqbsh@cacao.linbit>

Another question:

How would I define "ControlPersist" for the first ProxyJump host?

Ie. is it possible to get one persistent connection to the jump hosts, and 
to reuse them via ProxyJump?

I tried to use

    Host *.behind.jump.host
        ProxyJump <user>@<first-jump-host>,<next-jump-hop>

    Host <first-jump-host>
        User <user>
        ControlMaster auto
        ControlPersist yes

but it doesn't work that way.


Thank you for all hints!

From naddy at mips.inka.de  Tue Aug 23 05:45:13 2016
From: naddy at mips.inka.de (Christian Weisgerber)
Date: Mon, 22 Aug 2016 21:45:13 +0200
Subject: ProxyJump in 7.3, depending on location
In-Reply-To: <20160822162134.xz7gfmlkdtkqqbsh@cacao.linbit>
References: <20160812093923.tlgj3j6jrilnmfkk@cacao.linbit>
 <CALDDTe2WQLCOAk-77W0H11C5x+e-aDT27Tdz7abD+Qfs=HsfBw@mail.gmail.com>
 <20160822162134.xz7gfmlkdtkqqbsh@cacao.linbit>
Message-ID: <20160822194513.GA58144@lorvorc.mips.inka.de>

Philipp Marek:

> Ie. is it possible to get one persistent connection to the jump hosts, and 
> to reuse them via ProxyJump?

Certainly.

>     Host *.behind.jump.host
>         ProxyJump <user>@<first-jump-host>,<next-jump-hop>
> 
>     Host <first-jump-host>
>         User <user>
>         ControlMaster auto
>         ControlPersist yes

          ControlPath ~/.ssh/ssh-%C

You need to add a ControlPath in order for opportunistic connection
sharing to be used.

-- 
Christian "naddy" Weisgerber                          naddy at mips.inka.de

From jsilverman at impinj.com  Wed Aug 24 06:45:05 2016
From: jsilverman at impinj.com (Jeff Silverman)
Date: Tue, 23 Aug 2016 20:45:05 +0000
Subject: sftp fails with error Received message too long 140013605
Message-ID: <CY1PR06MB1804BEAC579E699EB9AEC330B3EB0@CY1PR06MB1804.namprd06.prod.outlook.com>

Hi.  When I try to sftp to a client, which is an embedded Internet of Thing (IoT) system, I get the following error:

jeff at SQA-ip6-tester:~$ sftp -6 root at SpeedwayR-10-28-25.sqa.impinj.com
Password:
Received message too long 1400136052
jeff at SQA-ip6-tester:~$


The error also occurs with IPv4

jeff at SQA-ip6-tester:~$ sftp -4 root at SpeedwayR-10-28-25.sqa.impinj.com
Warning: Permanently added the ECDSA host key for IP address '172.31.14.164' to the list of known hosts.
Password:
Received message too long 1400136052
jeff at SQA-ip6-tester:~$

I did some googling, and I found http://askubuntu.com/questions/369830/sftp-connection-failed-strange-error-messsage which says that I should look at  http://www.openssh.org/faq.html#2.9), which now 404s. I looked through the wayback machine.  On April 23rd 2016, it did a 302 redirect which failed.  I did find it at https://web.archive.org/web/20160203202936/http://www.openssh.com/faq.html<https://web.archive.org/web/20160203202936/http:/www.openssh.com/faq.html>  I followed the instructions and got some text, which I assume is the source of my problems.

Please bring the FAQ back - it is useful!


Jeff













From aris at badcode.be  Thu Aug 25 03:06:29 2016
From: aris at badcode.be (Aris Adamantiadis)
Date: Wed, 24 Aug 2016 19:06:29 +0200
Subject: kex protocol error: type 7 seq xxx error message
Message-ID: <f35d4b20-71da-b03a-01df-cb9e617640bf@badcode.be>

Hi,

mancha and me debugged a problem with OpenSSH 7.3p1 that was reported on
the #openssh freenode channel. Symptoms were that this message was
popping on the console during a busy X11 session:
kex protocol error: type 7 seq 1234

I managed to reproduce the problem, it is related to the SSH_EXT_INFO
packet that is send by the server every time it is sending an
SSH_NEWKEYS packet, hence after every rekeying. I reproduced it on my
system with OpenSSH 7.3p1 and manually rekeying with escape R
http://pastebin.com/Xk0dF0mc

on the client side:
sshconnect2.c:
void
ssh_userauth2(const char *local_user, const char *server_user, char *host,
    Sensitive *sensitive)
{
...
        ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info);
        ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT,
&input_userauth_service_accept);
        ssh_dispatch_run(ssh, DISPATCH_BLOCK, &authctxt.success,
&authctxt);    /* loop until success */

        pubkey_cleanup(&authctxt);
        ssh_dispatch_range(ssh, SSH2_MSG_USERAUTH_MIN,
SSH2_MSG_USERAUTH_MAX, NULL);

        debug("Authentication succeeded (%s).", authctxt.method->name);
}

Is the only place where the dispatch for that packet is set. However in
kex.c:
int
kex_input_ext_info(int type, u_int32_t seq, void *ctxt)
{
...
        debug("SSH2_MSG_EXT_INFO received");
        ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
...
}

Ensuring this packet will only be accepted before authentication.
However the server side is different:
int
kex_send_newkeys(struct ssh *ssh)
{
...
        debug("SSH2_MSG_NEWKEYS sent");
        debug("expecting SSH2_MSG_NEWKEYS");
        ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_input_newkeys);
        if (ssh->kex->ext_info_c)
                if ((r = kex_send_ext_info(ssh)) != 0)
                        return r;
        return 0;
}

There doesn't seem to have any logic in the client side that restricts
sending ext-info-c in the list of kex algorithms after the first key
exchange. However I couldn't find it in my kexinit proposal (even the
first one):
debug2: local client KEXINIT proposal
debug2: KEX algorithms:
curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms:
ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos:
chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: ciphers stoc:
chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: MACs ctos:
umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc:
umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib at openssh.com,zlib
debug2: compression stoc: none,zlib at openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:

Mancha couldn't reproduce the issue, despite running both OpenSSH 7.3p1
client & server from upstream, with an empty configuration file. At this
point I don't know why he's not affected.

This bug is not very important anyway because the packet is simply
dropped with no consequence.

Aris


From mancha1 at zoho.com  Thu Aug 25 05:53:42 2016
From: mancha1 at zoho.com (mancha)
Date: Wed, 24 Aug 2016 19:53:42 +0000
Subject: kex protocol error: type 7 seq xxx error message
In-Reply-To: <f35d4b20-71da-b03a-01df-cb9e617640bf@badcode.be>
References: <f35d4b20-71da-b03a-01df-cb9e617640bf@badcode.be>
Message-ID: <20160824195341.GA17949@zoho.com>

On Wed, Aug 24, 2016 at 07:06:29PM +0200, Aris Adamantiadis wrote:
> Hi,
> 
> mancha and me debugged a problem with OpenSSH 7.3p1 that was reported
> on the #openssh freenode channel. Symptoms were that this message was
> popping on the console during a busy X11 session: kex protocol error:
> type 7 seq 1234
> 
> I managed to reproduce the problem, it is related to the SSH_EXT_INFO
> packet that is send by the server every time it is sending an
> SSH_NEWKEYS packet, hence after every rekeying. I reproduced it on my
> system with OpenSSH 7.3p1 and manually rekeying with escape R
> 
> [SNIP] 
>
> Mancha couldn't reproduce the issue, despite running both OpenSSH
> 7.3p1 client & server from upstream, with an empty configuration file.
> At this point I don't know why he's not affected.

Hello.

I can shed a bit of light on why Aris hit the bug while I didn't when we
both used 7.3p1.

When sshd 7.3 *does* use privilege separation (UsePrivilegeSeparation),
ssh->kex->ext_info_c == 0 on re-keys whether or not the client added
ext-info-c to its kex algos in KEXINIT of first key exchange (setting
ssh->kex->ext_info_c).

When sshd 7.3 *does not* use privilege separation, if a client adds
ext-info-c in KEXINIT for its first key exchange, ssh->kex->ext_info_c
== 1 persists through re-keys and you get a client-side "kex protocol
error: type 7 seq XX" response to the server sending a "server-sig-algs"
SSH2_MSG_EXT_INFO packet after every SSH2_MSG_NEWKEYS.

Operative code: kex.c:kex_send_newkeys()

        if (ssh->kex->ext_info_c)
                if ((r = kex_send_ext_info(ssh)) != 0)
                        return r;

Ref: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c.diff?r1=1.112&r2=1.113

Cheers,

--mancha
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160824/6d181f36/attachment.bin>

From aris at 0xbadc0de.be  Thu Aug 25 06:19:12 2016
From: aris at 0xbadc0de.be (Aris Adamantiadis)
Date: Wed, 24 Aug 2016 22:19:12 +0200
Subject: sftp fails with error Received message too long 140013605
In-Reply-To: <CY1PR06MB1804BEAC579E699EB9AEC330B3EB0@CY1PR06MB1804.namprd06.prod.outlook.com>
References: <CY1PR06MB1804BEAC579E699EB9AEC330B3EB0@CY1PR06MB1804.namprd06.prod.outlook.com>
Message-ID: <1e9413b9-e579-947d-cf7e-7343d42d399b@0xbadc0de.be>

Hi Jeff,

>>> hex(1400136052)[2:].decode("hex")
'Stat'

Looks like sftp is sending an error message that starts with "Stat". You
may try to manually reproduce this with ssh -s sftp.

Aris

On 23/08/16 22:45, Jeff Silverman wrote:
> Hi.  When I try to sftp to a client, which is an embedded Internet of Thing (IoT) system, I get the following error:
>
> jeff at SQA-ip6-tester:~$ sftp -6 root at SpeedwayR-10-28-25.sqa.impinj.com
> Password:
> Received message too long 1400136052
> jeff at SQA-ip6-tester:~$
>
>
> The error also occurs with IPv4
>
> jeff at SQA-ip6-tester:~$ sftp -4 root at SpeedwayR-10-28-25.sqa.impinj.com
> Warning: Permanently added the ECDSA host key for IP address '172.31.14.164' to the list of known hosts.
> Password:
> Received message too long 1400136052
> jeff at SQA-ip6-tester:~$
>
> I did some googling, and I found http://askubuntu.com/questions/369830/sftp-connection-failed-strange-error-messsage which says that I should look at  http://www.openssh.org/faq.html#2.9), which now 404s. I looked through the wayback machine.  On April 23rd 2016, it did a 302 redirect which failed.  I did find it at https://web.archive.org/web/20160203202936/http://www.openssh.com/faq.html<https://web.archive.org/web/20160203202936/http:/www.openssh.com/faq.html>  I followed the instructions and got some text, which I assume is the source of my problems.
>
> Please bring the FAQ back - it is useful!
>
>
> Jeff
>
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>


From rainer.laatsch at t-online.de  Fri Aug 26 22:02:57 2016
From: rainer.laatsch at t-online.de (rainer.laatsch)
Date: Fri, 26 Aug 2016 14:02:57 +0200
Subject: krb5support missing in Makefile when configuring
 --with-krb5=<pathtokrb5> required by newer krb5 versions
Message-ID: <b668ade9-a3e3-8ff1-1f8d-e23fb465688b@t-online.de>

See subject. Am I missing here something or is it a bug?

Best regards
Rainer

From dtucker at zip.com.au  Sun Aug 28 08:58:18 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 28 Aug 2016 08:58:18 +1000
Subject: krb5support missing in Makefile when configuring
 --with-krb5=<pathtokrb5> required by newer krb5 versions
In-Reply-To: <b668ade9-a3e3-8ff1-1f8d-e23fb465688b@t-online.de>
References: <b668ade9-a3e3-8ff1-1f8d-e23fb465688b@t-online.de>
Message-ID: <CALDDTe0Xyq97h6vT_1OmOtMRCEguu7=3g=uVajXoNnFTdNo2Gw@mail.gmail.com>

On Fri, Aug 26, 2016 at 10:02 PM, rainer.laatsch
<rainer.laatsch at t-online.de> wrote:
> See subject. Am I missing here something or is it a bug?

Yes, you are missing any information that would allow someone else to
help figure this out, including OpenSSH version, platform, compiler
version, Kerberos implementation and version, what flags you gave to
configure and what it did or did not do.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From philipp.marek at linbit.com  Mon Aug 29 21:03:55 2016
From: philipp.marek at linbit.com (Philipp Marek)
Date: Mon, 29 Aug 2016 13:03:55 +0200
Subject: [PATCH] Make "ssh" try different configuration filenames
Message-ID: <20160829110354.j4syairaurmqtxwm@cacao.linbit>

To provide a bit more backwards-compatible (which is nice for eg. NFS-
shared /home directories) try a few version-number based names.

Eg., for "OpenSSH_7.3" the strings that are tried after "~/.ssh/config"
are "_7.3", "_7", and "".
---
 ssh.c | 37 ++++++++++++++++++++++++++++++-------
 1 file changed, 30 insertions(+), 7 deletions(-)

diff --git a/ssh.c b/ssh.c
index 03a23fb..25359fe 100644
--- a/ssh.c
+++ b/ssh.c
@@ -464,7 +464,8 @@ static void
 process_config_files(const char *host_arg, struct passwd *pw, int post_canon)
 {
 	char buf[PATH_MAX];
-	int r;
+	char *version_postfix;
+	int r, len;
 
 	if (config != NULL) {
 		if (strcasecmp(config, "none") != 0 &&
@@ -473,12 +474,34 @@ process_config_files(const char *host_arg, struct passwd *pw, int post_canon)
 			fatal("Can't open user config file %.100s: "
 			    "%.100s", config, strerror(errno));
 	} else {
-		r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
-		    _PATH_SSH_USER_CONFFILE);
-		if (r > 0 && (size_t)r < sizeof(buf))
-			(void)read_config_file(buf, pw, host, host_arg,
-			    &options, SSHCONF_CHECKPERM | SSHCONF_USERCONF |
-			    (post_canon ? SSHCONF_POSTCANON : 0));
+		version_postfix = strchr(SSH_VERSION, '_');
+		if (!version_postfix)
+			version_postfix = "";
+
+		/* Find the best fitting config file,
+		 * Ie. try "_7.3", "_7", and "". */
+		len = strlen(version_postfix);
+		while (1) {
+			r = snprintf(buf, sizeof buf, "%s/%s%.*s", pw->pw_dir,
+					_PATH_SSH_USER_CONFFILE,
+					len, version_postfix);
+			if (r > 0 && (size_t)r < sizeof(buf))
+				if (read_config_file(buf, pw, host, host_arg,
+							&options, SSHCONF_CHECKPERM | SSHCONF_USERCONF |
+							(post_canon ? SSHCONF_POSTCANON : 0)))
+					break;
+
+			/* Nothing to look at */
+			if (!len)
+				break;
+
+			/* Try a smaller fit; skip last digits, then non-digits. */
+			len--;
+			while (len &&  isdigit(version_postfix[len-1]))
+				len--;
+			while (len && !isdigit(version_postfix[len-1]))
+				len--;
+		}
 
 		/* Read systemwide configuration file after user config. */
 		(void)read_config_file(_PATH_HOST_CONFIG_FILE, pw,
-- 
2.9.3


From rainer.laatsch at t-online.de  Mon Aug 29 22:10:45 2016
From: rainer.laatsch at t-online.de (rl)
Date: Mon, 29 Aug 2016 14:10:45 +0200
Subject: krb5support missing in Makefile when configuring
 --with-krb5=<pathtokrb5> required by newer krb5 versions
In-Reply-To: <CALDDTe0Xyq97h6vT_1OmOtMRCEguu7=3g=uVajXoNnFTdNo2Gw@mail.gmail.com>
References: <b668ade9-a3e3-8ff1-1f8d-e23fb465688b@t-online.de>
 <CALDDTe0Xyq97h6vT_1OmOtMRCEguu7=3g=uVajXoNnFTdNo2Gw@mail.gmail.com>
Message-ID: <d3fe84f1-aedb-47c3-f576-9344500b7a8f@t-online.de>



I reported the missing -lkrb5support in the output of
krb5-config --libs
as a bug to krb5-bugs at mit.edu

with this explanation:

The missing -lkrb5support shows up in trying to compile openssh-7.3p1 
which uses 'krb5-config --libs' in the configure script to get at the 
krb5 libraries. So it does not compile.

On 08/28/16 00:58, Darren Tucker wrote:
> On Fri, Aug 26, 2016 at 10:02 PM, rainer.laatsch
> <rainer.laatsch at t-online.de> wrote:
>> See subject. Am I missing here something or is it a bug?
>
> Yes, you are missing any information that would allow someone else to
> help figure this out, including OpenSSH version, platform, compiler
> version, Kerberos implementation and version, what flags you gave to
> configure and what it did or did not do.
>

Darren, I will send you the full bug report with more information
about versions and flags.

Best regards
Rainer

From djm at mindrot.org  Mon Aug 29 23:29:39 2016
From: djm at mindrot.org (Damien Miller)
Date: Mon, 29 Aug 2016 23:29:39 +1000 (AEST)
Subject: [PATCH] Make "ssh" try different configuration filenames
In-Reply-To: <20160829110354.j4syairaurmqtxwm@cacao.linbit>
References: <20160829110354.j4syairaurmqtxwm@cacao.linbit>
Message-ID: <alpine.BSO.2.20.1608292326050.46085@natsu.mindrot.org>

On Mon, 29 Aug 2016, Philipp Marek wrote:

> To provide a bit more backwards-compatible (which is nice for eg. NFS-
> shared /home directories) try a few version-number based names.

I'm not sure about this. We already have an IgnoreUnknown directive to
skip keywords that aren't supported. Perhaps we could consider adding a
percent_expand() to the include directive or a "localversion" clause to
the "Match" keyword to get this capability in a more general form. E.g.

Match localversion 7.*
  Include ~/.ssh/config/config-7x

-d

From philipp.marek at linbit.com  Mon Aug 29 23:33:05 2016
From: philipp.marek at linbit.com (Philipp Marek)
Date: Mon, 29 Aug 2016 15:33:05 +0200
Subject: [PATCH] Make "ssh" try different configuration filenames
In-Reply-To: <alpine.BSO.2.20.1608292326050.46085@natsu.mindrot.org>
References: <20160829110354.j4syairaurmqtxwm@cacao.linbit>
 <alpine.BSO.2.20.1608292326050.46085@natsu.mindrot.org>
Message-ID: <20160829133305.qfl6h3v6aiycv72d@cacao.linbit>

Hi Damien,


thanks for the quick feedback!


> > To provide a bit more backwards-compatible (which is nice for eg. NFS-
> > shared /home directories) try a few version-number based names.
> 
> I'm not sure about this. We already have an IgnoreUnknown directive to
> skip keywords that aren't supported.
    "Bad configuration option: IgnoreUnknown"


> Perhaps we could consider adding a
> percent_expand() to the include directive or a "localversion" clause to
> the "Match" keyword to get this capability in a more general form. E.g.
> 
> Match localversion 7.*
>   Include ~/.ssh/config/config-7x
That wouldn't help with old versions...
My patch would allow a newer SSH to read "its" config file, which (among 
other things) "Include"s the files for older versions as well...



Thanks for thinking about the merits!

From v at njh.eu  Tue Aug 30 00:33:18 2016
From: v at njh.eu (Volker Diels-Grabsch)
Date: Mon, 29 Aug 2016 16:33:18 +0200
Subject: [PATCH] Add ssh_config option ExecRemoteCommand which is equivalent
 to -N
Message-ID: <20160829143318.GA8435@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>

Dear OpenSSH developers,

I hope you don't mind that I resubmit my patch for OpenSSH.

This patch adds a new ssh_config option "ExecRemoteCommand", which is
the missing equivalent to the "-N" command line option.

For implementation notes, please have a look at the top of the patch.


Regards,
Volker

-- 
Volker Diels-Grabsch
----<<<((()))>>>----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-7.3p1_exec_remote_command_v1.patch
Type: text/x-diff
Size: 8148 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160829/ed1281f0/attachment.bin>

From aris at 0xbadc0de.be  Tue Aug 30 06:27:55 2016
From: aris at 0xbadc0de.be (Aris Adamantiadis)
Date: Mon, 29 Aug 2016 22:27:55 +0200
Subject: kex protocol error: type 7 seq xxx error message
In-Reply-To: <20160824195341.GA17949@zoho.com>
References: <f35d4b20-71da-b03a-01df-cb9e617640bf@badcode.be>
 <20160824195341.GA17949@zoho.com>
Message-ID: <5d3691c8-1363-f2fc-63a4-e29976a6243f@0xbadc0de.be>

I copy the content of the pasetbin because it's about to expire.

Aris

aris at MacBook-Pro-de-Aris[master]:~/git/openssh-portable$ $(which sshd) -p 2222 -Dd -o UsePrivilegeSeparation=no
debug1: sshd version OpenSSH_7.3, OpenSSL 1.0.2h  3 May 2016
debug1: private host key #0: ssh-rsa SHA256:RshcDcsrjxblhEKqY41SVjaknD5Y+5ItWoL0kUZzAto
debug1: private host key #1: ssh-dss SHA256:abOvTYhsvsk1wP8zgmhctRASjh2w/6VT2QYhCetQilo
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:Ub1fnRft89IfzrANU6giRV6o6BxHU9gOOuyT+vyJssw
debug1: private host key #3: ssh-ed25519 SHA256:ZDLir2+iDMnLGLpHz4objxkuIKK2fyOwjlrlr5IvcxE
debug1: setgroups() failed: Operation not permitted
debug1: rexec_argv[0]='/usr/local/sbin/sshd'
debug1: rexec_argv[1]='-p'
debug1: rexec_argv[2]='2222'
debug1: rexec_argv[3]='-Dd'
debug1: rexec_argv[4]='-o'
debug1: rexec_argv[5]='UsePrivilegeSeparation=no'
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: inetd sockets after dupping: 5, 5
Connection from ::1 port 54145 on ::1 port 2222
debug1: Client protocol version 2.0; client software version OpenSSH_7.3
debug1: match: OpenSSH_7.3 pat OpenSSH* compat 0x04000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.3
debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256 at libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_INIT
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user aris service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for aris from ::1 port 54145 ssh2
debug1: userauth-request for user aris service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: userauth_pubkey: test whether pkalg/pkblob are acceptable for RSA SHA256:dKXKoU9kSKpA5JtMuxbu5vUlL2F6YwOvZi6dz9/9XoY
debug1: temporarily_use_uid: 501/20 (e=501/20)
debug1: trying public key file /Users/aris/.ssh/authorized_keys
debug1: fd 6 clearing O_NONBLOCK
debug1: matching key found: file /Users/aris/.ssh/authorized_keys, line 1 RSA SHA256:dKXKoU9kSKpA5JtMuxbu5vUlL2F6YwOvZi6dz9/9XoY
debug1: restore_uid: (unprivileged)
Postponed publickey for aris from ::1 port 54145 ssh2
debug1: userauth-request for user aris service ssh-connection method publickey
debug1: attempt 2 failures 0
debug1: temporarily_use_uid: 501/20 (e=501/20)
debug1: trying public key file /Users/aris/.ssh/authorized_keys
debug1: fd 6 clearing O_NONBLOCK
debug1: matching key found: file /Users/aris/.ssh/authorized_keys, line 1 RSA SHA256:dKXKoU9kSKpA5JtMuxbu5vUlL2F6YwOvZi6dz9/9XoY
debug1: restore_uid: (unprivileged)
Accepted publickey for aris from ::1 port 54145 ssh2: RSA SHA256:dKXKoU9kSKpA5JtMuxbu5vUlL2F6YwOvZi6dz9/9XoY
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype no-more-sessions at openssh.com want_reply 0
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/ttys005
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
Starting session: shell on ttys005 for aris from ::1 port 54145 id 0
debug1: Setting controlling tty using TIOCSCTTY.
debug1: SSH2_MSG_KEXINIT received
debug1: SSH2_MSG_KEXINIT sent
debug1: kex: algorithm: curve25519-sha256 at libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_INIT
debug1: set_newkeys: rekeying, input 4856 bytes 405 blocks, output 5408 bytes 0 blocks
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: set_newkeys: rekeying, input 4868 bytes 0 blocks, output 5476 bytes 8 blocks
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: Received SSH2_MSG_UNIMPLEMENTED for 43
debug1: SSH2_MSG_KEXINIT received
debug1: SSH2_MSG_KEXINIT sent
debug1: kex: algorithm: curve25519-sha256 at libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_INIT
debug1: set_newkeys: rekeying, input 6360 bytes 185 blocks, output 6808 bytes 0 blocks
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: set_newkeys: rekeying, input 6372 bytes 0 blocks, output 6876 bytes 8 blocks
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: Received SSH2_MSG_UNIMPLEMENTED for 47
debug1: server_input_global_request: rtype keepalive at openssh.com want_reply 1
debug1: server_input_global_request: rtype keepalive at openssh.com want_reply 1
debug1: server_input_global_request: rtype keepalive at openssh.com want_reply 1





aris at MacBook-Pro-de-Aris[master]:~/git/openssh-portable$ ssh -p 2222 localhost
The authenticity of host '[localhost]:2222 ([::1]:2222)' can't be established.
ECDSA key fingerprint is SHA256:Ub1fnRft89IfzrANU6giRV6o6BxHU9gOOuyT+vyJssw.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts.
Attempt to write login records by non-root user (aborting)
Last login: Tue Aug 16 17:56:10 2016
Environment:
  USER=aris
  LOGNAME=aris
  HOME=/Users/aris
  PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/Cellar/openssh/7.3p1/bin
  MAIL=/var/mail/aris
  SHELL=/bin/bash
  SSH_CLIENT=::1 50924 2222
  SSH_CONNECTION=::1 50924 ::1 2222
  SSH_TTY=/dev/ttys005
  TERM=xterm-256color
aris at MacBook-Pro-de-Aris:~$ exit
logout
Connection to localhost closed.
aris at MacBook-Pro-de-Aris[master]:~/git/openssh-portable$ man ssh_config
aris at MacBook-Pro-de-Aris[master]:~/git/openssh-portable$ ssh -p 2222 -o EscapeChar=* localhost
ssh: connect to host localhost port 2222: Connection refused
aris at MacBook-Pro-de-Aris[master]:~/git/openssh-portable$ ssh -p 2222 -o EscapeChar=* localhost
Attempt to write login records by non-root user (aborting)
Last login: Tue Aug 16 17:56:10 2016
Environment:
  USER=aris
  LOGNAME=aris
  HOME=/Users/aris
  PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/Cellar/openssh/7.3p1/bin
  MAIL=/var/mail/aris
  SHELL=/bin/bash
  SSH_CLIENT=::1 54145 2222
  SSH_CONNECTION=::1 54145 ::1 2222
  SSH_TTY=/dev/ttys005
  TERM=xterm-256color
aris at MacBook-Pro-de-Aris:~$
aris at MacBook-Pro-de-Aris:~$
aris at MacBook-Pro-de-Aris:~$ *?
Supported escape sequences:
 *.   - terminate connection (and any multiplexed sessions)
 *B   - send a BREAK to the remote system
 *C   - open a command line
 *R   - request rekey
 *V/v - decrease/increase verbosity (LogLevel)
 *^Z  - suspend ssh
 *#   - list forwarded connections
 *&   - background ssh (when waiting for connections to terminate)
 *?   - this message
 **   - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)
kex protocol error: type 7 seq 43
kex protocol error: type 7 seq 47

aris at MacBook-Pro-de-Aris:~$ ssh -V
OpenSSH_7.3p1, OpenSSL 1.0.2h  3 May 2016
aris at MacBook-Pro-de-Aris:~$ exit
logout
Connection to localhost closed.
aris at MacBook-Pro-de-Aris[master]:~/git/openssh-portable$

On 24/08/16 21:53, mancha wrote:
> On Wed, Aug 24, 2016 at 07:06:29PM +0200, Aris Adamantiadis wrote:
>> Hi,
>>
>> mancha and me debugged a problem with OpenSSH 7.3p1 that was reported
>> on the #openssh freenode channel. Symptoms were that this message was
>> popping on the console during a busy X11 session: kex protocol error:
>> type 7 seq 1234
>>
>> I managed to reproduce the problem, it is related to the SSH_EXT_INFO
>> packet that is send by the server every time it is sending an
>> SSH_NEWKEYS packet, hence after every rekeying. I reproduced it on my
>> system with OpenSSH 7.3p1 and manually rekeying with escape R
>>
>> [SNIP] 
>>
>> Mancha couldn't reproduce the issue, despite running both OpenSSH
>> 7.3p1 client & server from upstream, with an empty configuration file.
>> At this point I don't know why he's not affected.
> Hello.
>
> I can shed a bit of light on why Aris hit the bug while I didn't when we
> both used 7.3p1.
>
> When sshd 7.3 *does* use privilege separation (UsePrivilegeSeparation),
> ssh->kex->ext_info_c == 0 on re-keys whether or not the client added
> ext-info-c to its kex algos in KEXINIT of first key exchange (setting
> ssh->kex->ext_info_c).
>
> When sshd 7.3 *does not* use privilege separation, if a client adds
> ext-info-c in KEXINIT for its first key exchange, ssh->kex->ext_info_c
> == 1 persists through re-keys and you get a client-side "kex protocol
> error: type 7 seq XX" response to the server sending a "server-sig-algs"
> SSH2_MSG_EXT_INFO packet after every SSH2_MSG_NEWKEYS.
>
> Operative code: kex.c:kex_send_newkeys()
>
>         if (ssh->kex->ext_info_c)
>                 if ((r = kex_send_ext_info(ssh)) != 0)
>                         return r;
>
> Ref: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/kex.c.diff?r1=1.112&r2=1.113
>
> Cheers,
>
> --mancha
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 859 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160829/04caf3b9/attachment-0001.bin>

From aris at 0xbadc0de.be  Tue Aug 30 07:08:22 2016
From: aris at 0xbadc0de.be (Aris Adamantiadis)
Date: Mon, 29 Aug 2016 23:08:22 +0200
Subject: [PATCH] Add ssh_config option ExecRemoteCommand which is
 equivalent to -N
In-Reply-To: <20160829143318.GA8435@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
References: <20160829143318.GA8435@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
Message-ID: <953a7583-233e-a046-e5dc-9e621253d6df@0xbadc0de.be>

Hi Volker,

Why "ExecRemoteCommand" ? I often use -N with port forwardings which
have nothing to do with executing a remote command.
Why not "NoShell" ?

Aris

On 29/08/16 16:33, Volker Diels-Grabsch wrote:
> Dear OpenSSH developers,
>
> I hope you don't mind that I resubmit my patch for OpenSSH.
>
> This patch adds a new ssh_config option "ExecRemoteCommand", which is
> the missing equivalent to the "-N" command line option.
>
> For implementation notes, please have a look at the top of the patch.
>
>
> Regards,
> Volker
>
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 859 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160829/66e84536/attachment.bin>

From dtucker at zip.com.au  Tue Aug 30 10:08:10 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 30 Aug 2016 10:08:10 +1000
Subject: [PATCH] Add ssh_config option ExecRemoteCommand which is
 equivalent to -N
In-Reply-To: <953a7583-233e-a046-e5dc-9e621253d6df@0xbadc0de.be>
References: <20160829143318.GA8435@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
 <953a7583-233e-a046-e5dc-9e621253d6df@0xbadc0de.be>
Message-ID: <CALDDTe06dk1qsRCL4H5LmJxHHUX65qzA3FAfsYR9j4zOEjmhBQ@mail.gmail.com>

On Tue, Aug 30, 2016 at 7:08 AM, Aris Adamantiadis <aris at 0xbadc0de.be> wrote:
> Why "ExecRemoteCommand"

Probably defaults to yes with "ExecRemoteCommand no" to act like -N.

If we're going to do this (and I'm not sure about it) then maybe we
could do it via the proposed  RemoteCommand [0] option as
"RemoteCommand none" rather than another option.

[0] https://bugzilla.mindrot.org/show_bug.cgi?id=2103

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From rainer.laatsch at t-online.de  Tue Aug 30 13:57:42 2016
From: rainer.laatsch at t-online.de (rl)
Date: Tue, 30 Aug 2016 05:57:42 +0200
Subject: Fwd: [krbdev.mit.edu #8487] 'krb5-config --libs' does not show
 '-lkrb5support' [Version: krb5-1.14.3]
In-Reply-To: <rt-8487-46391.14.3753655025566@krbdev.mit.edu>
References: <rt-8487-46391.14.3753655025566@krbdev.mit.edu>
Message-ID: <0098cfeb-3e89-2700-5087-133eb6ec0c25@t-online.de>

Concerning the bug report to krbdev.mit.edu #8487 ,
the following answer was given:

-------- Forwarded Message --------
Subject: [krbdev.mit.edu #8487] 'krb5-config --libs' does not show 
'-lkrb5support' [Version: krb5-1.14.3]
Date: Mon, 29 Aug 2016 11:21:56 -0400 (EDT)
From: Greg Hudson via RT <rt-comment at krbdev.mit.edu>
Reply-To: rt-comment at krbdev.mit.edu
To: rainer.laatsch at t-online.de

The --enable-static --disable-shared configure flags for krb5 aren't 
supported, and should probably be removed.  They was added so that we 
could use gcov to measure the code coverage of our test suite, but gcov 
now supports shared libraries.

We definitely don't want to output -lkrb5support for everyone in krb5-
config; that would unnecessarily include libkrb5support in the direct 
library dependencies of programs built against krb5.

From djm at mindrot.org  Tue Aug 30 14:12:16 2016
From: djm at mindrot.org (Damien Miller)
Date: Tue, 30 Aug 2016 14:12:16 +1000 (AEST)
Subject: [PATCH] Add ssh_config option ExecRemoteCommand which is
 equivalent to -N
In-Reply-To: <CALDDTe06dk1qsRCL4H5LmJxHHUX65qzA3FAfsYR9j4zOEjmhBQ@mail.gmail.com>
References: <20160829143318.GA8435@6153f789-1cf1-4ca3-8cea-6fa7ae195a8b.njh.eu>
 <953a7583-233e-a046-e5dc-9e621253d6df@0xbadc0de.be>
 <CALDDTe06dk1qsRCL4H5LmJxHHUX65qzA3FAfsYR9j4zOEjmhBQ@mail.gmail.com>
Message-ID: <alpine.BSO.2.20.1608301410310.46085@natsu.mindrot.org>

On Tue, 30 Aug 2016, Darren Tucker wrote:

> On Tue, Aug 30, 2016 at 7:08 AM, Aris Adamantiadis <aris at 0xbadc0de.be> wrote:
> > Why "ExecRemoteCommand"
> 
> Probably defaults to yes with "ExecRemoteCommand no" to act like -N.
> 
> If we're going to do this (and I'm not sure about it) then maybe we
> could do it via the proposed  RemoteCommand [0] option as
> "RemoteCommand none" rather than another option.

Not sure that would work, as there are three states that are possible:

login:
ssh example.com

command:
ssh example.com command

don't run a command
ssh -N example.com

Maybe a multi-state RemoteCommand $command | none | don't (better name
wanted). But I'm also ambivalent about a RemoteCommand option too...

-d