From cjwatson at debian.org Sun Jan 1 00:32:03 2017
From: cjwatson at debian.org (Colin Watson)
Date: Sat, 31 Dec 2016 13:32:03 +0000
Subject: Baffling regress/forwarding.sh failure, new in 7.4p1
In-Reply-To: <20161231125552.GB17564@riva.ucam.org>
References: <20161231125552.GB17564@riva.ucam.org>
Message-ID: <20161231133203.GC17564@riva.ucam.org>

On Sat, Dec 31, 2016 at 12:55:52PM +0000, Colin Watson wrote:
> In this case I have a new failure in 7.4p1 that didn't occur in 7.3p1.
> I'm seeing it on Debian amd64 and Ubuntu s390x, so from context I think
> it's specific to the case where we're using autopkgtest's LXC
> virtualisation mode. I can run the tests locally, but so far haven't
> managed to reproduce this failure that way.
>
> I arranged to run all tests under TEST_SHELL='sh -x' and to dump
> failed-{regress,ssh,sshd}.log on failures. Can anyone make anything out
> of this?

Oh, I should add that I already tried changing base=33 to base=34 in the hope that it was just a port in use somewhere. That made no difference. (Unfortunately forwarding.sh doesn't emit any verbose messages as it goes along, and I only added 'sh -x' output in the most recent run, so I suppose it's possible that it failed at some different point instead.) Since some tests in that file succeed and it only starts failing once it gets to the tests designated "config file:", it doesn't feel like a port-in-use problem anyway.

-- 
Colin Watson [cjwatson at debian.org]

From jjelen at redhat.com Tue Jan 3 20:39:20 2017
From: jjelen at redhat.com (Jakub Jelen)
Date: Tue, 3 Jan 2017 10:39:20 +0100
Subject: DEFAULT_PKCS11_WHITELIST on 64-bit Linux systems
In-Reply-To: 
References: <20161228223532.GA3634@linux124.nas.nasa.gov>
Message-ID: 

On 12/30/2016 02:40 AM, Damien Miller wrote:
> On Wed, 28 Dec 2016, Iain Morgan wrote:
>
>> Hello,
>>
>> On RHEL 6/amd64, the stock value for DEFAULT_PKCS11_WHITELIST is not
>> very useful. On such systems, /usr/lib64/* would need to be added to the
>> pattern list. Although users can specify the -P option every time they
>> launch ssh-agent, it might be nice to provide a means to specify a
>> default whitelist at build-time.
>>
>> It's tempting to suggest that configure should automatically supply a
>> reasonable value for the whitelist based on the platform, but supporting
>> an option to configure would seem to be the simpler and safer solution.
>>
>> % ./configure --with-default-pkcs11-whitelist="/usr/lib64/*'
> Sounds eminently reasonable. Maybe we could make the portable default
> "/usr/lib*/*,/usr/local/lib*/*" too?

Please do, these paths look sane. In RHEL/Fedora, all the pkcs11 libraries are under /usr/lib64/pkcs11/ on x86_64. Not sure where else they can be on other systems, but your wildcard matches all of them.

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat

From cjwatson at debian.org Wed Jan 4 04:24:58 2017
From: cjwatson at debian.org (Colin Watson)
Date: Tue, 3 Jan 2017 17:24:58 +0000
Subject: Baffling regress/forwarding.sh failure, new in 7.4p1
In-Reply-To: <20161231133203.GC17564@riva.ucam.org>
References: <20161231125552.GB17564@riva.ucam.org> <20161231133203.GC17564@riva.ucam.org>
Message-ID: <20170103172458.GA1410@riva.ucam.org>

On Sat, Dec 31, 2016 at 01:32:03PM +0000, Colin Watson wrote:
> Since some tests in that file succeed and it only starts failing once it
> gets to the tests designated "config file:", it doesn't feel like a
> port-in-use problem anyway.

OK, much debugging later and I *think* this is all accounted for by these two patches:

https://bugzilla.mindrot.org/show_bug.cgi?id=2659
https://bugzilla.mindrot.org/show_bug.cgi?id=2660

I haven't had final results yet with the second of those, but I'll update the bug once I have.

-- 
Colin Watson [cjwatson at debian.org]

From imorgan at nas.nasa.gov Wed Jan 4 09:14:27 2017
From: imorgan at nas.nasa.gov (Iain Morgan)
Date: Tue, 3 Jan 2017 14:14:27 -0800
Subject: DEFAULT_PKCS11_WHITELIST on 64-bit Linux systems
In-Reply-To: 
References: <20161228223532.GA3634@linux124.nas.nasa.gov>
Message-ID: <20170103221427.GA5525@linux124.nas.nasa.gov>

On Tue, Jan 03, 2017 at 10:39:20 +0100, Jakub Jelen wrote:
> On 12/30/2016 02:40 AM, Damien Miller wrote:
> >On Wed, 28 Dec 2016, Iain Morgan wrote:
> >
> >>Hello,
> >>
> >>On RHEL 6/amd64, the stock value for DEFAULT_PKCS11_WHITELIST is not
> >>very useful. On such systems, /usr/lib64/* would need to be added to the
> >>pattern list. Although users can specify the -P option every time they
> >>launch ssh-agent, it might be nice to provide a means to specify a
> >>default whitelist at build-time.
> >>
> >>It's tempting to suggest that configure should automatically supply a
> >>reasonable value for the whitelist based on the platform, but supporting
> >>an option to configure would seem to be the simpler and safer solution.
> >>
> >>% ./configure --with-default-pkcs11-whitelist="/usr/lib64/*'
> >Sounds eminently reasonable. Maybe we could make the portable default
> >"/usr/lib*/*,/usr/local/lib*/*" too?
> Please do,
> these paths look sane. In RHEL/Fedora, all the pkcs11 libraries are
> under /usr/lib64/pkcs11/ on x86_64. Not sure, where else they can be
> on other systems, but your wildcard matches all of them.
>
> Regards,
>

Damien's proposed change would address the issue that I encountered.

While Jakub is correct that the various libraries exist under /usr/lib64/pkcs11 on RHEL, adding /usr/lib64/pkcs11/* to the whitelist did not work for me. That was because opensc-pkcs11.so is actually under /usr/lib64 and is a symlink in /usr/lib64/pkcs11.

-- 
Iain Morgan

From dfong at dfong.org Wed Jan 4 09:42:09 2017
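The symlink effect Iain describes, as an added example that is not code from the thread or from OpenSSH: the check canonicalises the provider path before matching it against the whitelist, so a pkcs11/* entry never sees the symlinked name. It assumes fnmatch() as a stand-in for OpenSSH's own pattern matcher, a constructed directory layout under /tmp, and the helper names provider_allowed(), build_fixture() and whitelist_demo(), all invented here.

```c
#define _GNU_SOURCE
#include <fnmatch.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Whitelist check in the shape the thread describes: the provider path is
 * canonicalised first, so a symlink inside a whitelisted directory cannot
 * pull in a library that really lives elsewhere; the resolved path is then
 * matched against each comma-separated glob. fnmatch() with flags 0 is a
 * stand-in for OpenSSH's matcher; both let a star span a slash.
 * Returns 1 if allowed, 0 if rejected, -1 if the path cannot be resolved.
 */
int provider_allowed(const char *provider, const char *whitelist)
{
	char canon[PATH_MAX], pat[PATH_MAX];
	const char *p = whitelist, *comma;
	size_t len;

	if (realpath(provider, canon) == NULL)
		return -1;
	while (*p != '\0') {
		comma = strchr(p, ',');
		len = comma ? (size_t)(comma - p) : strlen(p);
		if (len > 0 && len < sizeof(pat)) {
			memcpy(pat, p, len);
			pat[len] = '\0';
			if (fnmatch(pat, canon, 0) == 0)
				return 1;
		}
		p = comma ? comma + 1 : p + len;
	}
	return 0;
}

/*
 * Constructed fixture mirroring the RHEL layout Iain describes:
 *   <base>/lib64/opensc-pkcs11.so            the real library (empty file)
 *   <base>/lib64/pkcs11/opensc-pkcs11.so ->  ../opensc-pkcs11.so
 * base receives the canonical path of a private temporary directory.
 */
static int build_fixture(char base[PATH_MAX])
{
	char tmp[64], path[PATH_MAX + 64];
	FILE *f;

	snprintf(tmp, sizeof(tmp), "/tmp/pkcs11-whitelist-%ld", (long)getpid());
	if (mkdir(tmp, 0700) != 0 || realpath(tmp, base) == NULL)
		return -1;
	snprintf(path, sizeof(path), "%s/lib64", base);
	if (mkdir(path, 0700) != 0)
		return -1;
	snprintf(path, sizeof(path), "%s/lib64/pkcs11", base);
	if (mkdir(path, 0700) != 0)
		return -1;
	snprintf(path, sizeof(path), "%s/lib64/opensc-pkcs11.so", base);
	if ((f = fopen(path, "w")) == NULL)
		return -1;
	fclose(f);
	snprintf(path, sizeof(path), "%s/lib64/pkcs11/opensc-pkcs11.so", base);
	return symlink("../opensc-pkcs11.so", path);
}

static void remove_fixture(const char *base)
{
	const char *rel[] = { "lib64/pkcs11/opensc-pkcs11.so",
	    "lib64/opensc-pkcs11.so", "lib64/pkcs11", "lib64", "" };
	char path[PATH_MAX + 64];
	size_t i;

	for (i = 0; i < sizeof(rel) / sizeof(rel[0]); i++) {
		snprintf(path, sizeof(path), "%s/%s", base, rel[i]);
		if (unlink(path) != 0)
			rmdir(path);
	}
}

/*
 * Reproduces Iain's observation and Damien's relaxed default. Returns a
 * bitmask: 1 = the pkcs11 subdirectory entry alone rejects the symlinked
 * provider, 2 = the wildcard default accepts it; 3 means both held.
 */
int whitelist_demo(void)
{
	char base[PATH_MAX], provider[PATH_MAX + 64], strict[PATH_MAX + 64],
	    relaxed[2 * PATH_MAX + 64];
	int result = 0;

	if (build_fixture(base) != 0)
		return -1;
	snprintf(provider, sizeof(provider), "%s/lib64/pkcs11/opensc-pkcs11.so", base);
	snprintf(strict, sizeof(strict), "%s/lib64/pkcs11/*", base);
	snprintf(relaxed, sizeof(relaxed), "%s/lib*/*,%s/local/lib*/*", base, base);
	if (provider_allowed(provider, strict) == 0)
		result |= 1;
	if (provider_allowed(provider, relaxed) == 1)
		result |= 2;
	remove_fixture(base);
	return result;
}
```

whitelist_demo() returns 3: the strict pattern rejects the provider because its canonical path is under lib64 itself, while the lib*/* pattern accepts it.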
From: dfong at dfong.org (Don Fong)
Date: Tue, 3 Jan 2017 14:42:09 -0800
Subject: bugzilla.mindrot.org certificate expired
Message-ID: <58f2e528-cc7d-ea69-f9c5-78ca336787ee@dfong.org>

when i click on my bugzilla link, https://bugzilla.mindrot.org/show_bug.cgi?id=2651 i get this message from firefox:

```
bugzilla.mindrot.org uses an invalid security certificate.
The certificate expired on January 3, 2017 at 12:12. The current time is January 3, 2017 at 14:36.
Error code: SEC_ERROR_EXPIRED_CERTIFICATE
```

From dtucker at zip.com.au Wed Jan 4 10:52:51 2017
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 4 Jan 2017 10:52:51 +1100
Subject: bugzilla.mindrot.org certificate expired
In-Reply-To: <58f2e528-cc7d-ea69-f9c5-78ca336787ee@dfong.org>
References: <58f2e528-cc7d-ea69-f9c5-78ca336787ee@dfong.org>
Message-ID: 

On Wed, Jan 4, 2017 at 9:42 AM, Don Fong wrote:
[...]
> Error code: SEC_ERROR_EXPIRED_CERTIFICATE

Thanks for letting us know, this will be looked at shortly.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From martin at oneiros.de Wed Jan 4 11:05:26 2017
From: martin at oneiros.de (Martin Schröder)
Date: Wed, 4 Jan 2017 01:05:26 +0100
Subject: bugzilla.mindrot.org certificate expired
In-Reply-To: 
References: <58f2e528-cc7d-ea69-f9c5-78ca336787ee@dfong.org>
Message-ID: 

2017-01-04 0:52 GMT+01:00 Darren Tucker :
> Thanks for letting us know, this will be looked at shortly.

https://www.ssllabs.com/ssltest/analyze.html?d=bugzilla.mindrot.org

May I suggest that you also fix the other issues reported there, e.g. weak DH parameters?

Best
Martin

From djm at mindrot.org Wed Jan 4 13:23:17 2017
From: djm at mindrot.org (Damien Miller)
Date: Wed, 4 Jan 2017 13:23:17 +1100 (AEDT)
Subject: DEFAULT_PKCS11_WHITELIST on 64-bit Linux systems
In-Reply-To: <20170103221427.GA5525@linux124.nas.nasa.gov>
References: <20161228223532.GA3634@linux124.nas.nasa.gov> <20170103221427.GA5525@linux124.nas.nasa.gov>
Message-ID: 

On Tue, 3 Jan 2017, Iain Morgan wrote:
> Damien's proposed change would address the issue that I encountered.
>
> While Jakub is correct that the various libraries exist under
> /usr/lib64/pkcs11 on RHEL, adding /usr/lib64/pkcs11/* to the whitelist
> did not work for me. That was because opensc-pkcs11.so is actually under
> /usr/lib64 and is a symlink in /usr/lib64/pkcs11.

I've committed the fix to relax the whitelist - thanks.

From djm at mindrot.org Wed Jan 4 17:27:02 2017
From: djm at mindrot.org (Damien Miller)
Date: Wed, 4 Jan 2017 17:27:02 +1100 (AEDT)
Subject: Call for testing: OpenSSH 7.4
In-Reply-To: 
References: <20161214010925.GA75127@doctor.nl2k.ab.ca> <20161214012241.GA84711@doctor.nl2k.ab.ca> <7105282d-6ac9-dada-d112-8e002c61fa5a@redhat.com> <244ccd2d-d245-d8e1-492d-aaf88b37c57a@redhat.com>
Message-ID: 

On Tue, 20 Dec 2016, Jakub Jelen wrote:
> > Further investigation so far showed, that the multiplex is failing to create
> > the remote port forward socket:
> >
> > mux_client_forward: forwarding request failed: remote port forwarding failed
> > for listen path /root/openssh/regress/unix-3.fwd
> This is obviously related to the commit (fix for CVE-2016-10010):
>
> https://github.com/openssh/openssh-portable/commit/b737e4
>
> preventing running the multiplex.sh test (remote port forwarding is failing)
> with root permissions (stops using privilege separation at
>
> https://github.com/openssh/openssh-portable/blob/master/sshd.c#L640

Thanks, I committed a fix to allow root to do Unix socket forwarding.

-d

From johannes at kyriasis.com Wed Jan 4 20:57:33 2017
From: johannes at kyriasis.com (Johannes Löthberg)
Date: Wed, 4 Jan 2017 10:57:33 +0100
Subject: [PATCH] Set KRB5PRINCIPAL in user environment
Message-ID: <20170104095733.8246-1-johannes@kyriasis.com>

Signed-off-by: Johannes Löthberg
--- gss-serv-krb5.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index 795992d9..a12bb244 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c @@ -106,6 +106,11 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) } else retval = 0; +#ifdef USE_PAM + if (options.use_pam) + do_pam_putenv("KRB5PRINCIPAL", (char *)client->displayname.value); +#endif + krb5_free_principal(krb_context, princ); return retval; } -- 2.11.0

From jjelen at redhat.com Fri Jan 6 00:54:05 2017
From: jjelen at redhat.com (Jakub Jelen)
Date: Thu, 5 Jan 2017 14:54:05 +0100
Subject: [PATCH] Set KRB5PRINCIPAL in user environment
In-Reply-To: <20170104095733.8246-1-johannes@kyriasis.com>
References: <20170104095733.8246-1-johannes@kyriasis.com>
Message-ID: 

On 01/04/2017 10:57 AM, Johannes Löthberg wrote:
> Signed-off-by: Johannes Löthberg
> --- > gss-serv-krb5.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c > index 795992d9..a12bb244 100644 > --- a/gss-serv-krb5.c > +++ b/gss-serv-krb5.c > @@ -106,6 +106,11 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) > } else > retval = 0; > > +#ifdef USE_PAM > + if (options.use_pam) > + do_pam_putenv("KRB5PRINCIPAL", (char *)client->displayname.value); > +#endif > + > krb5_free_principal(krb_context, princ); > return retval; > }

Hello,
this change request is already tracked as a bug #2063 [1] (with the related configuration option). Having this working in future releases would be very nice.

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2063

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat

From mindrot at hda3.com Fri Jan 6 02:03:50 2017
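Review bot: the new do_pam_putenv() call is placed after the `} else retval = 0;` branch, so KRB5PRINCIPAL is pushed into the PAM environment even when krb5_kuserok() rejected the principal; guard it with `if (retval && options.use_pam)` or move it into the success branch so the environment only ever carries a principal that was actually authorized for the account. The export is also unconditional for every PAM-enabled build; since bug #2063 tracks the same feature together with a configuration option, the option should gate it, and sshd(8) ENVIRONMENT plus sshd_config(5) need an entry describing the new variable.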
From: mindrot at hda3.com (Peter Moody)
Date: Thu, 5 Jan 2017 07:03:50 -0800
Subject: proposed change to ssh_connect_direct()
Message-ID: 

if the remote hostname has multiple ip addresses, ssh_connect_direct will currently loop and try each address in sequence until one works.

I'm interested in making ssh try each address concurrently and return success on the first one that connects. in the land of host certs and ssh bastions, this can be incredibly effective.

are there any objections to me working up a patch to implement this?

Cheers,
peter

From johannes at kyriasis.com Fri Jan 6 12:34:43 2017
From: johannes at kyriasis.com (Johannes Löthberg)
Date: Fri, 6 Jan 2017 02:34:43 +0100
Subject: [PATCH] Set KRB5PRINCIPAL in user environment
In-Reply-To: 
References: <20170104095733.8246-1-johannes@kyriasis.com>
Message-ID: <20170106013443.fstnbjyjvgbp4l7a@zorg.kyriasis.com>

Hey,

On 05/01, Jakub Jelen wrote:
>On 01/04/2017 10:57 AM, Johannes Löthberg wrote:
>>Signed-off-by: Johannes Löthberg
>>--- >> gss-serv-krb5.c | 5 +++++ >> 1 file changed, 5 insertions(+) >> >>diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c >>index 795992d9..a12bb244 100644 >>--- a/gss-serv-krb5.c >>+++ b/gss-serv-krb5.c
>>@@ -106,6 +106,11 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) >> } else >> retval = 0; >>+#ifdef USE_PAM >>+ if (options.use_pam) >>+ do_pam_putenv("KRB5PRINCIPAL", (char *)client->displayname.value); >>+#endif >>+ >> krb5_free_principal(krb_context, princ); >> return retval; >> }
>Hello,
>
>this change request is already tracked as a bug #2063 [1] (with the
>related configuration option). Having this working in future releases
>would be very nice.
>
>[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2063
>

Ah, hadn't seen that. Would be nice with some maintainer insight into this.

-- 
Sincerely,
  Johannes Löthberg
  PGP Key ID: 0x50FB9B273A9D0BB5
  https://theos.kyriasis.com/~kyrias/

From mindrot at hda3.com Sat Jan 7 14:30:23 2017
From: mindrot at hda3.com (Peter Moody)
Date: Fri, 6 Jan 2017 19:30:23 -0800
Subject: proposed change to ssh_connect_direct()
In-Reply-To: 
References: 
Message-ID: 

so I spent a bit of time looking at this and it seems like the only way to go, at least if I want to keep it in ssh_connect_direct(), is to use pthreads. further, it seems like getting that accepted is something of a long shot:

https://github.com/openssh/openssh-portable/commit/328118aa798878a68398b92ba85adfb630bc5434

:)

so, approaching this from a different angle, what if I wanted to have something else establish the tcp connection and then fork/dup2/exec ssh and pass off the fd's for the network connection? This is how I *sort of* understand -W to work, but that's the sshd code path, not the client.

is something like this acceptable, at least in theory?

Cheers,
peter

On Thu, Jan 5, 2017 at 7:03 AM, Peter Moody wrote:
> if the remote hostname has multiple ip addresses, ssh_connect_direct
> will currently loop and try each address in sequence until one works.
>
> I'm interested in making ssh tries each address concurrently and
> return success on the first one that connects. in the land of host
> certs and ssh bastions, this can be incredibly effective.
>
> are there any objects to me working up a patch to implement this?
>
> Cheers,
> peter

From mail at quitesimple.org Sat Jan 7 22:44:03 2017
From: mail at quitesimple.org (Albert S.)
Date: Sat, 7 Jan 2017 12:44:03 +0100
Subject: [PATCH] Potential leak of memory in ssh_packet_read_seqnr()
Message-ID: 

Currently there is a case where ssh_packet_read_seqnr returns without calling free(setp). This patch ensures that free gets called before returning.

diff --git a/packet.c b/packet.c index ad1f6b49..47a1b951 100644 --- a/packet.c +++ b/packet.c
@@ -1447,8 +1447,10 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) break; } } - if (r == 0) - return SSH_ERR_CONN_TIMEOUT; + if (r == 0) { + r = SSH_ERR_CONN_TIMEOUT; + goto out; + } /* Read data from the socket. */ len = read(state->connection_in, buf, sizeof(buf)); if (len == 0) { From dagershman at dagertech.net Mon Jan 9 08:54:48 2017 
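Review bot: the hunk replaces the early `return SSH_ERR_CONN_TIMEOUT;` with `r = SSH_ERR_CONN_TIMEOUT; goto out;`, but the `out:` label and what it does are outside the shown context, so the reviewer needs to confirm that the label frees `setp` and returns `r` untouched; reusing `r` here is only correct if nothing between the label and the return overwrites it. The commit message should also name which exit was leaking (the `r == 0` path after the select loop) so the fix is traceable later.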
From: dagershman at dagertech.net (David A. Gershman)
Date: Sun, 8 Jan 2017 13:54:48 -0800
Subject: OpenSSH Hangs After Successful Authentication
Message-ID: 

Greetings...

** Short Description / Abstract **

Using my _internal_ WiFi card, OpenSSH succeeds to local (internal) LAN hosts, but hangs after authentication to external LAN hosts; however PuTTY works for all hosts. Using an _external_ WiFi card, OpenSSH does succeed to all LAN hosts (as did PuTTY, still, as well).

** Longer Description and Details **

*** HW Description ***

I have a laptop with Debian 8 (Jessie) installed from the 8.6 XFCE .iso.

Native WiFi Device is:
- Broadcom BCM43602 (PCI ID 14e4:43ba) using brcmfmac43602-pcie.bin drivers (see https://wiki.debian.org/brcmfmac)
- To get the Native WiFi device to work, I needed to install a backported kernel (from "http.debian.net/debian"), specifically, /uname -a/ returns:

  Linux myhost 4.8.0-0.bpo.2-amd64 #1 SMP Debian 4.8.11-1-bpo8+1 \
  (2016-12-14) x86_64 GNU/Linux

External WiFi Device is:
- Penguin Wireless N USB Adapter (TPE-N150USB; Atheros AR9271) using Atheros drivers (see https://wiki.debian.org/ath9k)

All packages (except for Wifi drivers) were installed from repos (including PuTTY)...I've not compiled anything.

*** Problem Description ***

While using the Broadcom WiFi, PuTTY connects fine to any host. However, OpenSSH only succeeds connection for hosts on the local LAN (same subnet, 192.168.1.x). "Success" meaning I ultimately get a shell on the remote system. (Note: no firewall is currently enabled; all tables are currently default ACCEPT)

When I disable the Broadcom device (remove firmware driver files and reboot) and use the TPE-N150USB Device, both OpenSSH and PuTTY work fine.

When hanging, OpenSSH hangs after successful authentication.
Here is a snippet where OpenSSH hangs after issuing "ssh -vvv uname at host.com"

```
{cut for brevity...}
debug3: sign_and_send_pubkey: XXXXXX \
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
debug1: Authentication succeeded (publickey).
Authenticated to somehost.com ([nnn.nnn.nnn.nnn]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions at openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug3: Ignored env XDG_VTNR
debug3: Ignored env SSH_AGENT_PID
debug3: Ignored env XDG_SESSION_ID
debug3: Ignored env XDG_GREETER_DATA_DIR
debug3: Ignored env GPG_AGENT_INFO
debug3: Ignored env GLADE_PIXMAP_PATH
debug3: Ignored env TERM
debug3: Ignored env SHELL
debug3: Ignored env XDG_MENU_PREFIX
debug3: Ignored env WINDOWID
debug3: Ignored env USER
debug3: Ignored env LS_COLORS
debug3: Ignored env XDG_SESSION_PATH
debug3: Ignored env GLADE_MODULE_PATH
debug3: Ignored env XDG_SEAT_PATH
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env SESSION_MANAGER
debug3: Ignored env XDG_CONFIG_DIRS
debug3: Ignored env PATH
debug3: Ignored env DESKTOP_SESSION
debug3: Ignored env PWD
debug3: Ignored env EDITOR
debug1: Sending env LANG = en_US.utf8
debug2: channel 0: request env confirm 0
debug3: Ignored env GDMSESSION
debug3: Ignored env SHLVL
debug3: Ignored env XDG_SEAT
debug3: Ignored env HOME
debug3: Ignored env LOGNAME
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env XDG_RUNTIME_DIR
debug3: Ignored env DISPLAY
debug3: Ignored env GLADE_CATALOG_PATH
debug3: Ignored env XDG_CURRENT_DESKTOP
debug3: Ignored env COLORTERM
debug3: Ignored env XAUTHORITY
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
```

...and then the system hangs. I can *not* C-c out or use OpenSSH's "~." sequence to kill the session. The entire terminal is unresponsive until 15-16 minutes later when I get "write error: broken pipe" and the terminal comes back. During that time, both client and server /netstat -ant/ show the connection as "established".

Also, side note, no apparent issues occur with web surfing. Email is not setup so I've not tested it.

Based on research already done and some various testing, I can not conclusively determine if the problem is with the Broadcom drivers with PuTTY somehow compensating for an issue, or the problem is with OpenSSH (perhaps OpenSSH just not "compensating" for a driver issue). I'm leaning toward the drivers since my other systems w/Debian 8 all work just fine; they all have the same versions of "openssh-client", but only the problematic laptop has a backported kernel.

I'm sending this inquiry to both the OpenSSH mailing list and the Linux-Wireless list (in separate emails) in hopes I can sort out which side is having the issue.

Any ideas on how to further test/investigate or, hopefully rectify, this matter would be greatly appreciated!

Thank you!

David A. Gershman
gershman at dagertech.net

From dtucker at zip.com.au Mon Jan 9 09:20:37 2017
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 9 Jan 2017 09:20:37 +1100
Subject: OpenSSH Hangs After Successful Authentication
In-Reply-To: 
References: 
Message-ID: 

On Mon, Jan 9, 2017 at 8:54 AM, David A. Gershman wrote:
> Using my _internal_ WiFi card, OpenSSH succeeds to local (internal) LAN
> hosts, but hangs after authentication to external LAN hosts; however
> PuTTY works for all hosts.

Two possibilities I can think of:

1) MTU black hole. Check the "send-q" column on both client and server in netstat when it's in the hung state, compare MTUs between working and not working interfaces and try "ifconfig wlan0 mtu 576" before starting the ssh connection.

2) ssh(1) sets the IP type of service bits around the time of your observed hang. In the past we have had reports of stateful devices not coping with the QoS of an established connection changing. Try "ssh -o 'IPQos lowdelay lowdelay' yourserver".

My bet is on #1, and my guess is the default MTU is different between your interfaces.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dagershman at dagertech.net Mon Jan 9 10:24:50 2017
From: dagershman at dagertech.net (David A. Gershman)
Date: Sun, 8 Jan 2017 15:24:50 -0800
Subject: OpenSSH Hangs After Successful Authentication
In-Reply-To: 
References: 
Message-ID: <16f171fb-583f-bc5f-6e9d-f7bf1a43c120@dagertech.net>

On 01/08/2017 02:20 PM, Darren Tucker wrote:
> On Mon, Jan 9, 2017 at 8:54 AM, David A. Gershman
> wrote:
>> Using my _internal_ WiFi card, OpenSSH succeeds to local (internal) LAN
>> hosts, but hangs after authentication to external LAN hosts; however
>> PuTTY works for all hosts.
>
> Two possibilities I can think of:
>
> 1) MTU black hole. Check the "send-q" column on both client and
> server in netstat when it's in the hung state, compare MTUs between
> working and not working interfaces and try "ifconfig wlan0 mtu 576"
> before starting the ssh connection.

I've tried setting the MTU as stated (found that hint on another email online)...no luck. With MTU @ either setting, the Send-Q column on the server indicated 40 while the client is at 424.

>
> 2) ssh(1) sets the IP type of service bits around the time of your
> observed hang. In the past we have had reports of stateful devices
> not coping with the QoS of an established connection changing. Try
> "ssh -o 'IPQos lowdelay lowdelay' yourserver".

Also no luck. After a check on whether 'lowdelay' or a value was needed (wasn't sure, so I checked), neither:

  ssh -o IPQoS="lowdelay lowdelay" myserver

or

  ssh -o "IPQoS lowdelay lowdelay" myserver

worked.

>
> My bet is on #1, and my guess is the default MTU is different between
> your interfaces.

The default MTU on both my native Wifi and TPE device is 1500, as is the server's and my other systems'. Since my other systems don't have any problem, I'm presuming the access point isn't the issue either (w.r.t. MTU).

So far, MTU doesn't seem to have an effect.

--dag

From ethan.rahn at gmail.com Tue Jan 10 11:34:34 2017
From: ethan.rahn at gmail.com (Ethan Rahn)
Date: Mon, 9 Jan 2017 16:34:34 -0800
Subject: Any interest in a patch for setting the syslog facility for the ssh client?
Message-ID: 

Hello,

I recently made a change to the openssh ssh client code to allow configuring the client syslog facility to use. I made the change in openssh-6.6p1. If there is interest I can port the change to the openssh portable github.

Cheers,
Ethan

From dtucker at zip.com.au Tue Jan 10 12:15:22 2017
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 10 Jan 2017 12:15:22 +1100
Subject: Any interest in a patch for setting the syslog facility for the ssh client?
In-Reply-To: 
References: 
Message-ID: 

On Tue, Jan 10, 2017 at 11:34 AM, Ethan Rahn wrote:
> I recently made a change to the openssh ssh client code to allow
> configuring the client syslog facility to use. I made the change in
> openssh-6.6p1. If there is interest I can port the change to the openssh
> portable github.

Sounds reasonable.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Thu Jan 12 13:49:29 2017
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 12 Jan 2017 13:49:29 +1100
Subject: proposed change to ssh_connect_direct()
In-Reply-To: 
References: 
Message-ID: 

On Sat, Jan 7, 2017 at 2:30 PM, Peter Moody wrote:
> so I spent a bit of time looking at this and it seems like the only
> way to go, at least if I want to keep it in ssh_connect_direct(), is
> to use pthreads. further, it seems like getting that accepted is
> something of a long shot:

Sorry, pthreads is a non-starter.

I would have thought that using non-blocking connect (ie set O_NONBLOCK on the fds, initiate the connections then select on the set until one succeeds) would be feasible, though.

> so, approaching this from a different angle, what if I wanted to have
> something else establish the tcp connection and then fork/dup2/exec
> ssh and pass off the fd's for the network connection?

That's how ProxyCommand and ProxyUseFdpass work. Your dialler is a separate program so it can do whatever you like, including use pthreads if that's your thing.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Thu Jan 12 16:52:05 2017
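The non-blocking connect plus select() approach Darren sketches, as an added example that is neither the thread's patch nor OpenSSH code: connect_any() starts every address at once, takes the first that completes, and closes the rest, which also keeps the losing servers' "Did not receive identification string" noise short. A socket whose SO_ERROR is non-zero is closed and dropped from the set, and the deadline is always measured from the original start. The helper names connect_any() and loopback_demo(), the MAXCONNECT cap and the loopback self-test (one bound-but-not-listening port, one live listener) are all constructed here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>
#define MAXCONNECT 16

/*
 * Start a non-blocking connect() to every address at once and return the
 * first that completes, closing the rest. timeout_ms <= 0 waits indefinitely.
 * Returns the connected fd (blocking mode restored) or -1 with errno set;
 * *winner receives the index of the winning address.
 */
int connect_any(const struct sockaddr_storage *addrs, const socklen_t *lens,
    int n, int timeout_ms, int *winner)
{
	int fds[MAXCONNECT], idx[MAXCONNECT], pending = 0, i, j, err = EINVAL;
	struct timeval start, now, tv;
	gettimeofday(&start, NULL);
	for (i = 0; i < n && pending < MAXCONNECT; i++) {
		int s = socket(addrs[i].ss_family, SOCK_STREAM, 0);
		if (s < 0 || fcntl(s, F_SETFL, fcntl(s, F_GETFL) | O_NONBLOCK) < 0) {
			err = errno; if (s >= 0) close(s); continue;
		}
		if (connect(s, (const struct sockaddr *)&addrs[i], lens[i]) == 0 ||
		    errno == EINPROGRESS) {
			fds[pending] = s; idx[pending] = i; pending++;
		} else {	/* failed synchronously, e.g. ECONNREFUSED on loopback */
			err = errno; close(s);
		}
	}
	while (pending > 0) {
		fd_set wset;
		int fdmax = -1, rc; long left;
		/* Deadline is measured from the original start, never re-subtracted. */
		gettimeofday(&now, NULL);
		left = timeout_ms - ((now.tv_sec - start.tv_sec) * 1000L +
		    (now.tv_usec - start.tv_usec) / 1000);
		if (timeout_ms > 0 && left <= 0) { err = ETIMEDOUT; break; }
		FD_ZERO(&wset);
		for (i = 0; i < pending; i++) {
			FD_SET(fds[i], &wset);
			if (fds[i] > fdmax) fdmax = fds[i];
		}
		tv.tv_sec = left / 1000; tv.tv_usec = (left % 1000) * 1000;
		rc = select(fdmax + 1, NULL, &wset, NULL, timeout_ms > 0 ? &tv : NULL);
		if (rc < 0 && errno == EINTR) continue;
		if (rc <= 0) { err = rc == 0 ? ETIMEDOUT : errno; break; }
		/* Walk the pending array rather than 0..fdmax so no socket is skipped. */
		for (i = 0; i < pending; i++) {
			int soerr = 0; socklen_t slen = sizeof(soerr);
			if (!FD_ISSET(fds[i], &wset)) continue;
			if (getsockopt(fds[i], SOL_SOCKET, SO_ERROR, &soerr, &slen) < 0)
				soerr = errno;
			if (soerr == 0) {
				for (j = 0; j < pending; j++)
					if (j != i) close(fds[j]);	/* losers closed promptly */
				*winner = idx[i];
				fcntl(fds[i], F_SETFL, fcntl(fds[i], F_GETFL) & ~O_NONBLOCK);
				return fds[i];
			}
			/* Refused or unreachable: close and drop it, or select() would spin on it. */
			err = soerr; close(fds[i]);
			fds[i] = fds[--pending]; idx[i] = idx[pending]; i--;
		}
	}
	for (i = 0; i < pending; i++) close(fds[i]);
	errno = err;
	return -1;
}

/* Constructed self-test: addrs[0] is a loopback port that is bound but not
 * listening (connects are refused), addrs[1] is a live listener. Returns the
 * index connect_any() chose (expected 1) or -1 on a setup error. */
int loopback_demo(void)
{
	struct sockaddr_storage addrs[2];
	struct sockaddr_in sin;
	socklen_t lens[2] = { sizeof(sin), sizeof(sin) }, sl = sizeof(sin);
	int dead, lst, fd, win = -1;
	memset(&sin, 0, sizeof(sin)); sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	if ((dead = socket(AF_INET, SOCK_STREAM, 0)) < 0 ||
	    (lst = socket(AF_INET, SOCK_STREAM, 0)) < 0 ||
	    bind(dead, (struct sockaddr *)&sin, sizeof(sin)) < 0 ||
	    getsockname(dead, (struct sockaddr *)&sin, &sl) < 0)
		return -1;
	memcpy(&addrs[0], &sin, sizeof(sin));
	sin.sin_port = 0; sl = sizeof(sin);
	if (bind(lst, (struct sockaddr *)&sin, sizeof(sin)) < 0 || listen(lst, 1) < 0 ||
	    getsockname(lst, (struct sockaddr *)&sin, &sl) < 0)
		return -1;
	memcpy(&addrs[1], &sin, sizeof(sin));
	fd = connect_any(addrs, lens, 2, 3000, &win);
	if (fd >= 0) close(fd);
	close(dead); close(lst);
	return fd >= 0 ? win : -1;
}
```

With ConnectionAttempts greater than 1 a caller would wrap connect_any() in its own retry loop rather than re-issuing the connects while a batch is still pending.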
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 12 Jan 2017 16:52:05 +1100 Subject: proposed change to ssh_connect_direct() In-Reply-To: References: Message-ID: <20170112055205.GA18430@gate.dtucker.net> On Thu, Jan 12, 2017 at 01:49:29PM +1100, Darren Tucker wrote: [...] > I would have thought that using non-blocking connect (ie set > O_NONBLOCK on the fds, initiate the connections then select on the set > until one succeeds) would be feasible, though. In fact most of the required pieces are already there. Below is a rough, barely tested patch that nonetheless does seem to sort of work. So, it's at least feasible. I'm still not sure it's worth doing, though. I can see some downsides: it'll spam server logs with "Did not receive identification string" and consume MaxStartups connections. Maybe best to leave it to a custom ProxyCommand for people who really want the functionality. diff --git a/sshconnect.c b/sshconnect.c index 96b91ce..bb8b6ee 100644 --- a/sshconnect.c +++ b/sshconnect.c 
@@ -328,89 +328,6 @@ ssh_create_socket(int privileged, struct addrinfo *ai) return sock; } -static int -timeout_connect(int sockfd, const struct sockaddr *serv_addr, - socklen_t addrlen, int *timeoutp) -{ - fd_set *fdset; - struct timeval tv, t_start; - socklen_t optlen; - int optval, rc, result = -1; - - gettimeofday(&t_start, NULL); - - if (*timeoutp <= 0) { - result = connect(sockfd, serv_addr, addrlen); - goto done; - } - - set_nonblock(sockfd); - rc = connect(sockfd, serv_addr, addrlen); - if (rc == 0) { - unset_nonblock(sockfd); - result = 0; - goto done; - } - if (errno != EINPROGRESS) { - result = -1; - goto done; - } - - fdset = xcalloc(howmany(sockfd + 1, NFDBITS), - sizeof(fd_mask)); - FD_SET(sockfd, fdset); - ms_to_timeval(&tv, *timeoutp); - - for (;;) { - rc = select(sockfd + 1, NULL, fdset, NULL, &tv); - if (rc != -1 || errno != EINTR) - break; - } - - switch (rc) { - case 0: - /* Timed out */ - errno = ETIMEDOUT; - break; - case -1: - /* Select error */ - debug("select: %s", strerror(errno)); - break; - case 1: - /* Completed or failed */ - optval = 0; - optlen = sizeof(optval); - if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, - &optlen) == -1) { - debug("getsockopt: %s", strerror(errno)); - break; - } - if (optval != 0) { - errno = optval; - break; - } - result = 0; - unset_nonblock(sockfd); - break; - default: - /* Should not occur */ - fatal("Bogus return (%d) from select()", rc); - } - - free(fdset); - - done: - if (result == 0 && *timeoutp > 0) { - ms_subtract_diff(&t_start, timeoutp); - if (*timeoutp <= 0) { - errno = ETIMEDOUT; - result = -1; - } - } - - return (result); -} - /* * Opens a TCP/IP connection to the remote server on the given host. * The address of the remote host will be returned in hostaddr. 
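Review bot: deleting timeout_connect() also drops three behaviours that the replacement must reproduce: the plain blocking connect() taken when `*timeoutp <= 0` (no ConnectTimeout configured), the retry of select() on EINTR, and the explicit `errno = ETIMEDOUT` when the wait expires so that the caller's "connect to host %s port %s: %s" message is meaningful. None of these survive in the new loop, so on a timed-out or interrupted wait the reported error will be whatever errno happened to be last set to.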
@@ -427,15 +344,25 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop, struct sockaddr_storage *hostaddr, u_short port, int family, int connection_attempts, int *timeout_ms, int want_keepalive, int needpriv) { - int on = 1; - int sock = -1, attempt; + int i, on = 1, rc, inprogress = 0; + int sock = -1, connected_sock = -1, attempt, fdmax; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; struct addrinfo *ai; + struct timeval tv, t_start; + fd_set fdset; + socklen_t rlen; +#define MAXCONNECT 16 + int inprogress_fd[MAXCONNECT]; + void *ai_addr[MAXCONNECT]; + size_t ai_len[MAXCONNECT]; debug2("%s: needpriv %d", __func__, needpriv); memset(ntop, 0, sizeof(ntop)); memset(strport, 0, sizeof(strport)); + FD_ZERO(&fdset); + gettimeofday(&t_start, NULL); + for (attempt = 0; attempt < connection_attempts; attempt++) { if (attempt > 0) { /* Sleep a moment before retrying. */ @@ -443,10 +370,11 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop, debug("Trying again..."); } /* - * Loop through addresses for this host, and try each one in - * sequence until the connection succeeds. + * Loop through addresses for this host, initiate a nonblocking + * connnection then see which one succeeds. */ - for (ai = aitop; ai; ai = ai->ai_next) { + for (ai = aitop; ai != NULL && inprogress < MAXCONNECT && + connected_sock == -1; ai = ai->ai_next) { if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) continue; 
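Review bot: the address loop now accumulates `inprogress` descriptors inside the outer `attempt` loop, but nothing waits on them until after that loop ends, so with ConnectionAttempts greater than 1 (and no connect() succeeding immediately) every address is connected to again after the sleep before the first batch is ever checked, and the MAXCONNECT cap fills with duplicates; either move the select loop into the per-attempt body or reset the batch between attempts. Also MAXCONNECT silently truncates hosts with more addresses than the cap, which deserves at least a debug message, and the new comment has a typo: "connnection".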
@@ -465,24 +393,56 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop, /* Any error is already output */ continue; - if (timeout_connect(sock, ai->ai_addr, ai->ai_addrlen, - timeout_ms) >= 0) { - /* Successful connection. */ - memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); + set_nonblock(sock); + if (connect(sock, ai->ai_addr, ai->ai_addrlen) == 0) { + debug("connection established immediately"); + connected_sock = sock; + } else if (errno == EINPROGRESS) + debug("nonblocking connect fd %d", sock); + else + continue; + inprogress_fd[inprogress] = sock; + ai_len[inprogress] = ai->ai_addrlen; + ai_addr[inprogress] = ai->ai_addr; + inprogress++; + } + } + + for (i = 0; i < inprogress; i++) + unset_nonblock(inprogress_fd[i]); + + ms_to_timeval(&tv, *timeout_ms); + while (connected_sock == -1 && timeout_ms > 0) { + FD_ZERO(&fdset); + fdmax = 0; + for (i = 0; i < inprogress; i++) { + FD_SET(inprogress_fd[i], &fdset); + fdmax = MAX(fdmax, inprogress_fd[i]); + } + rc = select(fdmax + 1, NULL, &fdset, NULL, &tv); + ms_subtract_diff(&t_start, timeout_ms); + rlen = sizeof(rc); + for (i = 0; i < fdmax; i++) { + if (!FD_ISSET(i, &fdset)) + continue; + if (getsockopt(i, SOL_SOCKET, SO_ERROR, &rc, &rlen) + == 0 && rc == 0) { + debug("connected to fd %d", i); + connected_sock = i; break; - } else { - debug("connect to address %s port %s: %s", - ntop, strport, strerror(errno)); - close(sock); - sock = -1; } } - if (sock != -1) - break; /* Successful connection. */ + } + + for (i = 0; i < inprogress; i++) { + if (connected_sock == inprogress_fd[i]) + memcpy(hostaddr, ai_addr[i], ai_len[i]); + else + close(inprogress_fd[i]); } /* Return failure if we didn't get a successful connection. */ - if (sock == -1) { + if (connected_sock == -1) { error("ssh: connect to host %s port %s: %s", host, strport, strerror(errno)); return (-1); 
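Review bot: several logic problems in the new select loop. `while (connected_sock == -1 && timeout_ms > 0)` tests the `int *timeout_ms` pointer rather than `*timeout_ms`, so the loop never exits on timeout, and `ms_subtract_diff(&t_start, timeout_ms)` is called on every iteration with the same start time, subtracting the total elapsed time repeatedly; `tv` is also filled once before the loop and never refreshed although select() may modify it. The scan `for (i = 0; i < fdmax; i++)` never checks the highest-numbered socket (it needs `i <= fdmax`, or better, a walk over inprogress_fd[]), and reusing `rc` as the SO_ERROR out-parameter discards select()'s return value. A socket whose SO_ERROR is non-zero is neither closed nor removed from inprogress_fd[], so select() reports it writable again at once and the loop spins, which matches the follow-up finding that failed connections are not handled. Finally, the `else continue;` after a failed connect() leaks `sock` (the old `close(sock); sock = -1;` is gone) and drops the "connect to address %s port %s: %s" debug message.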
@@ -492,12 +452,12 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop, /* Set SO_KEEPALIVE if requested. */ if (want_keepalive && - setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&on, + setsockopt(connected_sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&on, sizeof(on)) < 0) error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); /* Set the connection. */ - packet_set_connection(sock, sock); + packet_set_connection(connected_sock, connected_sock); return 0; } -- Darren Tucker (dtucker at zip.com.au) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Thu Jan 12 20:49:44 2017 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 12 Jan 2017 20:49:44 +1100 Subject: proposed change to ssh_connect_direct() In-Reply-To: <20170112055205.GA18430@gate.dtucker.net> References: <20170112055205.GA18430@gate.dtucker.net> Message-ID: <20170112094944.GA8890@gate.dtucker.net> On Thu, Jan 12, 2017 at 04:52:05PM +1100, Darren Tucker wrote: > On Thu, Jan 12, 2017 at 01:49:29PM +1100, Darren Tucker wrote: > [...] > > I would have thought that using non-blocking connect (ie set > > O_NONBLOCK on the fds, initiate the connections then select on the set > > until one succeeds) would be feasible, though. > > In fact most of the required pieces are already there. Below is a > rough, barely tested patch that nonetheless does seem to sort of work. > > So, it's at least feasible. I'm still not sure it's worth doing, though. > I can see some downsides: it'll spam server logs with "Did not receive > identification string" and consume MaxStartups connections. Maybe best > to leave it to a custom ProxyCommand for people who really want the > functionality. Tested it a bit, found it didn't handle failed connections. diff --git a/sshconnect.c b/sshconnect.c index 96b91ce..8c1f54d 100644 --- a/sshconnect.c +++ b/sshconnect.c 
@@ -328,89 +328,6 @@ ssh_create_socket(int privileged, struct addrinfo *ai) return sock; } -static int -timeout_connect(int sockfd, const struct sockaddr *serv_addr, - socklen_t addrlen, int *timeoutp) -{ - fd_set *fdset; - struct timeval tv, t_start; - socklen_t optlen; - int optval, rc, result = -1; - - gettimeofday(&t_start, NULL); - - if (*timeoutp <= 0) { - result = connect(sockfd, serv_addr, addrlen); - goto done; - } - - set_nonblock(sockfd); - rc = connect(sockfd, serv_addr, addrlen); - if (rc == 0) { - unset_nonblock(sockfd); - result = 0; - goto done; - } - if (errno != EINPROGRESS) { - result = -1; - goto done; - } - - fdset = xcalloc(howmany(sockfd + 1, NFDBITS), - sizeof(fd_mask)); - FD_SET(sockfd, fdset); - ms_to_timeval(&tv, *timeoutp); - - for (;;) { - rc = select(sockfd + 1, NULL, fdset, NULL, &tv); - if (rc != -1 || errno != EINTR) - break; - } - - switch (rc) { - case 0: - /* Timed out */ - errno = ETIMEDOUT; - break; - case -1: - /* Select error */ - debug("select: %s", strerror(errno)); - break; - case 1: - /* Completed or failed */ - optval = 0; - optlen = sizeof(optval); - if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, - &optlen) == -1) { - debug("getsockopt: %s", strerror(errno)); - break; - } - if (optval != 0) { - errno = optval; - break; - } - result = 0; - unset_nonblock(sockfd); - break; - default: - /* Should not occur */ - fatal("Bogus return (%d) from select()", rc); - } - - free(fdset); - - done: - if (result == 0 && *timeoutp > 0) { - ms_subtract_diff(&t_start, timeoutp); - if (*timeoutp <= 0) { - errno = ETIMEDOUT; - result = -1; - } - } - - return (result); -} - /* * Opens a TCP/IP connection to the remote server on the given host. * The address of the remote host will be returned in hostaddr. 
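Review bot: three behaviours of the deleted `timeout_connect()` need a home in the replacement and currently have none: `if (*timeoutp <= 0)` meant a plain blocking `connect()` with no deadline, the `for (;;)` loop retried `select()` on `EINTR`, and `case 0:` set `errno = ETIMEDOUT` so the caller's message was meaningful (the new loop below instead tests `timeout_ms > 0` on the pointer, so `*timeout_ms <= 0` is never treated as "no deadline"). The removed code also sized its set with `xcalloc(howmany(sockfd + 1, NFDBITS), sizeof(fd_mask))` precisely because a descriptor may exceed `FD_SETSIZE`; the stack `fd_set fdset` plus `FD_SET()` on arbitrary sockets in the replacement needs a `>= FD_SETSIZE` check or the same allocation, since `FD_SET` past the end writes outside the set. Suggest keeping the select/getsockopt/EINTR core as a helper that takes the set of pending descriptors rather than deleting it.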
@@ -427,15 +344,25 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop, struct sockaddr_storage *hostaddr, u_short port, int family, int connection_attempts, int *timeout_ms, int want_keepalive, int needpriv) { - int on = 1; - int sock = -1, attempt; + int i, j, on = 1, rc, inprogress = 0, lasterr = 0, fds = -1; + int sock = -1, connected_sock = -1, attempt, fdmax; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; struct addrinfo *ai; + struct timeval tv, t_start; + fd_set fdset; + socklen_t rlen = sizeof(rc); +#define MAXCONNECT 16 + int inprogress_fd[MAXCONNECT]; + void *ai_addr[MAXCONNECT]; + size_t ai_len[MAXCONNECT]; debug2("%s: needpriv %d", __func__, needpriv); memset(ntop, 0, sizeof(ntop)); memset(strport, 0, sizeof(strport)); + FD_ZERO(&fdset); + gettimeofday(&t_start, NULL); + for (attempt = 0; attempt < connection_attempts; attempt++) { if (attempt > 0) { /* Sleep a moment before retrying. */ @@ -443,10 +370,11 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop, debug("Trying again..."); } /* - * Loop through addresses for this host, and try each one in - * sequence until the connection succeeds. + * Loop through addresses for this host, initiate a nonblocking + * connnection then see which one succeeds. */ - for (ai = aitop; ai; ai = ai->ai_next) { + for (ai = aitop; ai != NULL && inprogress < MAXCONNECT && + connected_sock == -1; ai = ai->ai_next) { if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) continue; 
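Review bot: the new `for (ai = aitop; ai != NULL && inprogress < MAXCONNECT && connected_sock == -1; ai = ai->ai_next)` condition silently stops at the sixteenth address with no `debug()` that the rest of the list was never tried; log when the cap truncates, and hoist `#define MAXCONNECT 16` out of the function body to file scope. `connnection` in the rewritten comment is still misspelled, and `fds = -1` in the declarations is dead since the wait loop assigns `fds = fdmax = 0` before any use.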
@@ -465,26 +393,72 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop, /* Any error is already output */ continue; - if (timeout_connect(sock, ai->ai_addr, ai->ai_addrlen, - timeout_ms) >= 0) { - /* Successful connection. */ - memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); - break; - } else { - debug("connect to address %s port %s: %s", - ntop, strport, strerror(errno)); - close(sock); - sock = -1; + set_nonblock(sock); + if (connect(sock, ai->ai_addr, ai->ai_addrlen) == 0) { + debug("connection established immediately"); + connected_sock = sock; + } else if (errno == EINPROGRESS) + debug("nonblocking connect fd %d", sock); + else + continue; + inprogress_fd[inprogress] = sock; + ai_len[inprogress] = ai->ai_addrlen; + ai_addr[inprogress] = ai->ai_addr; + inprogress++; + } + } + + ms_to_timeval(&tv, *timeout_ms); + while (connected_sock == -1 && timeout_ms > 0) { + FD_ZERO(&fdset); + fds = fdmax = 0; + for (i = 0; i < inprogress; i++) { + if (inprogress_fd[i] == -1) + continue; + FD_SET(inprogress_fd[i], &fdset); + fdmax = MAX(fdmax, inprogress_fd[i]); + fds++; + } + if (fds == 0) /* no descriptors left */ + break; + rc = select(fdmax + 1, NULL, &fdset, NULL, &tv); + ms_subtract_diff(&t_start, timeout_ms); + for (i = 0; i <= fdmax; i++) { + if (!FD_ISSET(i, &fdset)) + continue; + if (getsockopt(i, SOL_SOCKET, SO_ERROR, &rc, &rlen) + == 0) { + if (rc == EINPROGRESS) { + ; + } else if (rc == 0) { + debug("connected to fd %d", i); + connected_sock = i; + unset_nonblock(connected_sock); + break; + } else { + debug("fd %d error %d (%s)", i, rc, + strerror(rc)); + lasterr = rc; + close(i); + for (j = 0; j < inprogress; j++) + if (inprogress_fd[j] == i) + inprogress_fd[j] = -1; + } } } - if (sock != -1) - break; /* Successful connection. */ + } + + for (i = 0; i < inprogress; i++) { + if (connected_sock == inprogress_fd[i]) + memcpy(hostaddr, ai_addr[i], ai_len[i]); + else + close(inprogress_fd[i]); } /* Return failure if we didn't get a successful connection. 
*/ - if (sock == -1) { + if (connected_sock == -1) { error("ssh: connect to host %s port %s: %s", - host, strport, strerror(errno)); + host, strport, strerror(lasterr)); return (-1); } @@ -492,12 +466,12 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop, /* Set SO_KEEPALIVE if requested. */ if (want_keepalive && - setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&on, + setsockopt(connected_sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&on, sizeof(on)) < 0) error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); /* Set the connection. */ - packet_set_connection(sock, sock); + packet_set_connection(connected_sock, connected_sock); return 0; } -- Darren Tucker (dtucker at zip.com.au) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From mindrot at hda3.com Fri Jan 13 02:07:21 2017 
From: mindrot at hda3.com (Peter Moody) Date: Thu, 12 Jan 2017 07:07:21 -0800 Subject: proposed change to ssh_connect_direct() In-Reply-To: References: Message-ID: On Wed, Jan 11, 2017 at 6:49 PM, Darren Tucker wrote: > On Sat, Jan 7, 2017 at 2:30 PM, Peter Moody wrote: >> so I spent a bit of time looking at this and it seems like the only >> way to go, at least if I want to keep it in ssh_connect_direct(), is >> to use pthreads. further, it seems like getting that accepted is >> something of a long shot: > > Sorry, pthreads is a non-starter. > > I would have thought that using non-blocking connect (ie set > O_NONBLOCK on the fds, initiate the connections then select on the set > until one succeeds) would be feasible, though. d'oh, you're absolutely right. I've spent so much time in golang over the last 18 months that I'd completely forgotten about O_NONBLOCK. >> so, approaching this from a different angle, what if I wanted to have >> something else establish the tcp connection and then fork/dup2/exec >> ssh and pass off the fd's for the network connection? > > That's how ProxyCommand and ProxyUseFdpass work. Your dialler is a > separate program so it can do whatever you like, oh man, I think this is exactly what I want. I searched the manpage for FD and fd, missed Fd. I'll let you know if this doesn't work but I suspect this is perfect for my use-case. Thanks! > including use > pthreads if that's your thing. you take that back right now :) > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. From yvoinov at gmail.com Mon Jan 16 02:34:23 2017 
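The non-blocking connect-and-select approach Darren sketches above, written out as an added example (not the patch from this thread and not OpenSSH's own code) with the failure handling the posted patch lacked: a refused address is dropped from the set while the others keep waiting, EINTR is retried, the deadline is measured from the start rather than per select() call, and no descriptor leaks. It assumes a loopback interface is up and that nothing listens on 127.0.0.1 port 1; MAXCONNECT is borrowed from the patch as the cap on simultaneous attempts.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

#define MAXCONNECT 16	/* same cap as the thread's patch; further addresses are skipped */
/*
 * Start a non-blocking connect() to every address at once and select() on the set
 * until one completes.  Returns the connected fd (back in blocking mode), or -1
 * with *errp = the last connect error, ETIMEDOUT if none finished in time, or
 * EINVAL if no address was given.  timeout_ms <= 0 means no deadline.
 */
int connect_any(const struct sockaddr *const *addrs, const socklen_t *lens, int n,
    int timeout_ms, int *errp)
{
	int fds[MAXCONNECT], pending = 0, winner = -1, i, lasterr = n > 0 ? 0 : EINVAL;
	struct timeval start, now, tv;
	fd_set wset;
	gettimeofday(&start, NULL);
	for (i = 0; i < n && i < MAXCONNECT && winner == -1; i++) {
		int s = socket(addrs[i]->sa_family, SOCK_STREAM, 0);
		if (s == -1) { lasterr = errno; continue; }
		fcntl(s, F_SETFL, fcntl(s, F_GETFL) | O_NONBLOCK);
		if (connect(s, addrs[i], lens[i]) == 0)
			winner = s;		/* completed synchronously */
		else if (errno == EINPROGRESS)
			fds[pending++] = s;	/* handshake in flight */
		else {
			lasterr = errno;	/* immediate failure: record it, don't leak the fd */
			close(s);
		}
	}
	while (winner == -1 && pending > 0) {
		int maxfd = -1, rc; long left;
		gettimeofday(&now, NULL);	/* remaining time is measured against the start */
		left = timeout_ms - ((now.tv_sec - start.tv_sec) * 1000L + (now.tv_usec - start.tv_usec) / 1000L);
		if (timeout_ms > 0 && left <= 0) { lasterr = ETIMEDOUT; break; }
		FD_ZERO(&wset);
		for (i = 0; i < pending; i++) {
			FD_SET(fds[i], &wset);
			if (fds[i] > maxfd) maxfd = fds[i];
		}
		tv.tv_sec = left / 1000; tv.tv_usec = (left % 1000) * 1000;
		rc = select(maxfd + 1, NULL, &wset, NULL, timeout_ms > 0 ? &tv : NULL);
		if (rc == -1 && errno == EINTR) continue;	/* recompute the deadline and retry */
		if (rc == -1) { lasterr = errno; break; }
		if (rc == 0) { lasterr = ETIMEDOUT; break; }
		for (i = 0; i < pending; i++) {
			int err = 0; socklen_t elen = sizeof(err);
			if (!FD_ISSET(fds[i], &wset)) continue;
			if (getsockopt(fds[i], SOL_SOCKET, SO_ERROR, &err, &elen) == -1) err = errno;
			if (err == 0) {		/* winner: pull it out of the set so it isn't closed */
				winner = fds[i];
				fds[i] = fds[--pending];
				break;
			}
			lasterr = err;		/* this one failed: drop it and keep waiting on the rest */
			close(fds[i]);
			fds[i] = fds[--pending];
			i--;
		}
	}
	for (i = 0; i < pending; i++) close(fds[i]);	/* losers and still-pending stragglers */
	if (winner == -1) *errp = lasterr;
	else fcntl(winner, F_SETFL, fcntl(winner, F_GETFL) & ~O_NONBLOCK);
	return winner;
}

/*
 * Constructed self-test: listen on an ephemeral loopback port and race it against
 * loopback port 1 (nothing listens there, so that connect is refused).  Returns 1
 * if we ended up on our own listener, 0 if elsewhere, -1 (error in *errp) if the
 * whole attempt failed; with_live == 0 offers only refused addresses.
 */
int race_loopback(int with_live, int *errp)
{
	struct sockaddr_in sa[2], peer;
	const struct sockaddr *addrs[2] = { (struct sockaddr *)&sa[0], (struct sockaddr *)&sa[1] };
	socklen_t lens[2] = { sizeof(sa[0]), sizeof(sa[1]) }, plen = sizeof(peer);
	int l, fd, rv = -1;
	memset(sa, 0, sizeof(sa));
	sa[0].sin_family = AF_INET; sa[0].sin_addr.s_addr = htonl(INADDR_LOOPBACK);	/* port 0 */
	if ((l = socket(AF_INET, SOCK_STREAM, 0)) == -1) { *errp = errno; return -1; }
	if (bind(l, addrs[0], lens[0]) == -1 || listen(l, 4) == -1 ||
	    getsockname(l, (struct sockaddr *)&sa[0], &lens[0]) == -1) {
		*errp = errno; close(l); return -1;
	}
	sa[1] = sa[0]; sa[0].sin_port = htons(1);	/* sa[1]: live listener, sa[0]: refused */
	if (!with_live) sa[1].sin_port = htons(1);
	if ((fd = connect_any(addrs, lens, 2, 2000, errp)) != -1) {
		rv = getpeername(fd, (struct sockaddr *)&peer, &plen) == 0 && peer.sin_port == sa[1].sin_port;
		close(fd);
	}
	close(l);
	return rv;
}
```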
From: yvoinov at gmail.com (Yuri Voinov) Date: Sun, 15 Jan 2017 21:34:23 +0600 Subject: OpenSSH 7.4 p1 still can't be build without patch on Solaris 10 Message-ID: <84df953b-f31f-6a15-f14d-86ca85549247@gmail.com> Hi, OpenSSH 7.4 p1 still can't be build without patch on Solaris 10 (attached). Pls, may be possible to add conditional compilation/configuration to avoid manual actions before build? May be, in portable version? Otherwise seems OpenSSH stops be portable on all platforms. Thank you, WBR, Yuri. -- What is the fundamental difference between the programmer and by a fag? Fag never become five times to free the memory of one object. Fag will not use two almost identical string libraries in the same project. Fag will never write to a mixture of C and C ++. Fag will never pass objects by pointer. Now you know why these two categories so often mentioned together, and one of them is worse :) -------------- next part -------------- A non-text attachment was scrubbed... Name: 7.4_solaris10_build_issue.patch Type: text/x-patch Size: 864 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x613DEC46.asc Type: application/pgp-keys Size: 2437 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: From dtucker at zip.com.au Mon Jan 16 09:03:38 2017 
From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 16 Jan 2017 09:03:38 +1100 Subject: OpenSSH 7.4 p1 still can't be build without patch on Solaris 10 In-Reply-To: <84df953b-f31f-6a15-f14d-86ca85549247@gmail.com> References: <84df953b-f31f-6a15-f14d-86ca85549247@gmail.com> Message-ID: On Mon, Jan 16, 2017 at 2:34 AM, Yuri Voinov wrote: > OpenSSH 7.4 p1 still can't be build without patch on Solaris 10 (attached). What does it do (or not)? We test on an x86 Solaris 10 VM and it built on that. > -dnl Wide character support. Linux man page says it needs _XOPEN_SOURCE. > -saved_CFLAGS="$CFLAGS" > -CFLAGS="$CFLAGS -D_XOPEN_SOURCE" > +dnl Wide character support. > AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth]) > -CFLAGS="$saved_CFLAGS" That will break wide character detection on Linux. -- Darren Tucker (dtucker at zip.com.au) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From gershman at dagertech.net Mon Jan 16 16:16:46 2017 
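Review bot: removing the `-D_XOPEN_SOURCE` wrapper around `AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])` changes the probe for every host, not only Solaris, and the deleted `dnl` comment records that Linux needs that define for the functions to be found; confine the change to the Solaris host case (or add whatever feature macro Solaris needs alongside it) instead of dropping it unconditionally, and state in the patch which header or macro combination fails with -m64 so the change can be reviewed against it.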
From: gershman at dagertech.net (David A. Gershman) Date: Sun, 15 Jan 2017 21:16:46 -0800 Subject: OpenSSH Hangs After Successful Authentication In-Reply-To: References: Message-ID: <26c42f09-9afe-9150-de3e-7429162e3bff@dagertech.net> So it may help others, I found a forum post with the following note: /A problem can arise when you are trying to connect from behind a NAT router using OpenSSH. During session setup, after the password has been given, OpenSSH sets the TOS (type of service) field in the IP datagram. Some routers are known to choke on this. The effect is that your session hangs indefinitely after you gave your password./ As such, the post suggests using NetCat as a proxy: ssh -o "ProxyCommand nc %h %p" {user-name}@host.com which worked for me. I don't see this as a fix as, again, PuTTY and OpenSSH on the MacOS side of my laptop work fine as does OpenSSH with my TP-LINK USB device. Good Luck! On 01/08/2017 02:20 PM, Darren Tucker wrote: > On Mon, Jan 9, 2017 at 8:54 AM, David A. Gershman > wrote: >> Using my _internal_ WiFi card, OpenSSH succeeds to local (internal) LAN >> hosts, but hangs after authentication to external LAN hosts; however >> PuTTY works for all hosts. > Two possibilities I can think of: > > 1) MTU black hole. Check the "send-q" column on both client and > server in netstat when it's in the hung state, compare MTUs between > working and not working interfaces and try "ifconfig wlan0 mtu 576" > before starting the ssh connection. > > 2) ssh(1) sets the IP type of service bits around the time of your > observed hang. In the past we have had reports of stateful devices > not coping with the QoS of an established connection changing. Try > "ssh -o 'IPQos lowdelay lowdelay' yourserver". > > My bet is on #1, and my guess is the default MTU is different between > your interfaces. > From wieland at purdue.edu Mon Jan 16 17:36:37 2017 
From: wieland at purdue.edu (Jeff Wieland) Date: Mon, 16 Jan 2017 01:36:37 -0500 Subject: OpenSSH 7.4 p1 still can't be build without patch on Solaris 10 In-Reply-To: References: <84df953b-f31f-6a15-f14d-86ca85549247@gmail.com> Message-ID: <4dd62a75-92b6-bea2-f758-f58677654ada@purdue.edu> Darren Tucker wrote: > On Mon, Jan 16, 2017 at 2:34 AM, Yuri Voinov wrote: >> OpenSSH 7.4 p1 still can't be build without patch on Solaris 10 (attached). > What does it do (or not)? We test on an x86 Solaris 10 VM and it built on that. > >> -dnl Wide character support. Linux man page says it needs _XOPEN_SOURCE. >> -saved_CFLAGS="$CFLAGS" >> -CFLAGS="$CFLAGS -D_XOPEN_SOURCE" >> +dnl Wide character support. >> AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth]) >> -CFLAGS="$saved_CFLAGS" > That will break wide character detection on Linux. > It builds (and works) fine on Solaris 10 for SPARC as well. -- Jeff Wieland, UNIX/Network Systems Administrator Purdue University IT Infrastructure Services UNIX Platforms From yvoinov at gmail.com Mon Jan 16 22:12:33 2017 
From: yvoinov at gmail.com (Yuri) Date: Mon, 16 Jan 2017 17:12:33 +0600 Subject: OpenSSH 7.4 p1 still can't be build without patch on Solaris 10 In-Reply-To: <4dd62a75-92b6-bea2-f758-f58677654ada@purdue.edu> References: <84df953b-f31f-6a15-f14d-86ca85549247@gmail.com> <4dd62a75-92b6-bea2-f758-f58677654ada@purdue.edu> Message-ID: No. Try to configure openssh with -m64. In 64 bit. Both on x86 and SPARC. 16.01.2017 12:36, Jeff Wieland wrote: > Darren Tucker wrote: >> On Mon, Jan 16, 2017 at 2:34 AM, Yuri Voinov wrote: >>> OpenSSH 7.4 p1 still can't be build without patch on Solaris 10 >>> (attached). >> What does it do (or not)? We test on an x86 Solaris 10 VM and it >> built on that. >> >>> -dnl Wide character support. Linux man page says it needs >>> _XOPEN_SOURCE. >>> -saved_CFLAGS="$CFLAGS" >>> -CFLAGS="$CFLAGS -D_XOPEN_SOURCE" >>> +dnl Wide character support. >>> AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth]) >>> -CFLAGS="$saved_CFLAGS" >> That will break wide character detection on Linux. >> > It builds (and works) fine on Solaris 10 for SPARC as well. > > -- > Jeff Wieland, UNIX/Network Systems Administrator > Purdue University IT Infrastructure Services UNIX Platforms > From yvoinov at gmail.com Mon Jan 16 22:18:51 2017 
From: yvoinov at gmail.com (Yuri) Date: Mon, 16 Jan 2017 17:18:51 +0600 Subject: OpenSSH 7.4 p1 still can't be build without patch on Solaris 10 In-Reply-To: References: <84df953b-f31f-6a15-f14d-86ca85549247@gmail.com> Message-ID: <30702df7-316e-fb9e-4767-5ccc277a43e8@gmail.com> 16.01.2017 4:03, Darren Tucker wrote: > On Mon, Jan 16, 2017 at 2:34 AM, Yuri Voinov wrote: >> OpenSSH 7.4 p1 still can't be build without patch on Solaris 10 (attached). > What does it do (or not)? We test on an x86 Solaris 10 VM and it built on that. With -m64. To produce 64 bit binaries. Try to build 64 bit. On 64-bit OSes we always build 64-bit binaries, right? > >> -dnl Wide character support. Linux man page says it needs _XOPEN_SOURCE. >> -saved_CFLAGS="$CFLAGS" >> -CFLAGS="$CFLAGS -D_XOPEN_SOURCE" >> +dnl Wide character support. >> AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth]) >> -CFLAGS="$saved_CFLAGS" > That will break wide character detection on Linux. Well, is it too difficult to differentiate OS and kernel? From yvoinov at gmail.com Mon Jan 16 22:30:04 2017 
From: yvoinov at gmail.com (Yuri) Date: Mon, 16 Jan 2017 17:30:04 +0600 Subject: OpenSSH 7.4 p1 still can't be build without patch on Solaris 10 In-Reply-To: <4dd62a75-92b6-bea2-f758-f58677654ada@purdue.edu> References: <84df953b-f31f-6a15-f14d-86ca85549247@gmail.com> <4dd62a75-92b6-bea2-f758-f58677654ada@purdue.edu> Message-ID: Bug reproduction is easy: root @ lemanruss /patch/openssh-7.4p1 # ./configure 'CFLAGS=-m64 -mtune=native -pipe' LDFLAGS=-m64 checking for gcc... gcc checking whether the C compiler works... yes checking for C compiler default output file name... a.out checking for suffix of executables... checking whether we are cross compiling... no checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ISO C89... none needed checking build system type... sparc-sun-solaris2.10 checking host system type... sparc-sun-solaris2.10 checking how to run the C preprocessor... gcc -E checking for grep that handles long lines and -e... /opt/csw/gnu/grep checking for egrep... /opt/csw/gnu/grep -E checking for ANSI C header files... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking whether byte ordering is bigendian... yes checking for gawk... gawk checking how to run the C preprocessor... gcc -E checking for ranlib... ranlib checking for a BSD-compatible install... /opt/csw/gnu/install -c checking for egrep... (cached) /opt/csw/gnu/grep -E checking for ar... ar checking for cat... /opt/csw/gnu/cat checking for kill... /opt/csw/gnu/kill checking for perl5... no checking for perl... /opt/csw/bin/perl checking for sed... /opt/csw/gnu/sed checking for ent... no checking for bash... /opt/csw/bin/bash checking for ksh... 
(cached) /opt/csw/bin/bash checking for sh... (cached) /opt/csw/bin/bash checking for sh... /bin/sh checking for groff... no checking for nroff... /bin/nroff checking for mandoc... no checking for groupadd... /usr/sbin/groupadd checking for useradd... /usr/sbin/useradd checking for pkgmk... yes checking for special C compiler options needed for large files... no checking for _FILE_OFFSET_BITS value needed for large files... no checking for passwd... /bin/passwd checking for inline... inline checking whether LLONG_MAX is declared... yes checking whether SYSTR_POLICY_KILL is declared... no checking whether RLIMIT_NPROC is declared... no checking whether PR_SET_NO_NEW_PRIVS is declared... no checking whether OpenSSL will be used for cryptography... yes checking whether SSH protocol 1 support is enabled... no checking if gcc supports -Werror... yes checking if gcc supports compile flag -Qunused-arguments... no checking if gcc supports compile flag -Wunknown-warning-option... no checking if gcc supports compile flag -Wall... yes checking if gcc supports compile flag -Wpointer-arith... yes checking if gcc supports compile flag -Wuninitialized... yes checking if gcc supports compile flag -Wsign-compare... yes checking if gcc supports compile flag -Wformat-security... yes checking if gcc supports compile flag -Wsizeof-pointer-memaccess... yes checking if gcc supports compile flag -Wpointer-sign... yes checking if gcc supports compile flag -Wunused-result... yes checking if gcc supports compile flag -fno-strict-aliasing... yes checking if gcc supports compile flag -D_FORTIFY_SOURCE=2... yes checking if gcc supports link flag -Wl,-z,relro... no checking if gcc supports link flag -Wl,-z,now... yes checking if gcc supports link flag -Wl,-z,noexecstack... no checking if gcc supports compile flag -ftrapv and linking succeeds... yes checking gcc version... 5.2.0 checking if gcc accepts -fno-builtin-memset... yes checking if gcc supports -fstack-protector-strong... 
yes checking if -fstack-protector-strong works... yes checking if compiler allows __attribute__ on return types... yes checking blf.h usability... no checking blf.h presence... no checking for blf.h... no checking bstring.h usability... no checking bstring.h presence... no checking for bstring.h... no checking crypt.h usability... yes checking crypt.h presence... yes checking for crypt.h... yes checking crypto/sha2.h usability... no checking crypto/sha2.h presence... no checking for crypto/sha2.h... no checking dirent.h usability... yes checking dirent.h presence... yes checking for dirent.h... yes checking endian.h usability... no checking endian.h presence... no checking for endian.h... no checking elf.h usability... yes checking elf.h presence... yes checking for elf.h... yes checking err.h usability... no checking err.h presence... no checking for err.h... no checking features.h usability... no checking features.h presence... no checking for features.h... no checking fcntl.h usability... yes checking fcntl.h presence... yes checking for fcntl.h... yes checking floatingpoint.h usability... yes checking floatingpoint.h presence... yes checking for floatingpoint.h... yes checking getopt.h usability... yes checking getopt.h presence... yes checking for getopt.h... yes checking glob.h usability... yes checking glob.h presence... yes checking for glob.h... yes checking ia.h usability... no checking ia.h presence... no checking for ia.h... no checking iaf.h usability... no checking iaf.h presence... no checking for iaf.h... no checking for inttypes.h... (cached) yes checking langinfo.h usability... yes checking langinfo.h presence... yes checking for langinfo.h... yes checking limits.h usability... yes checking limits.h presence... yes checking for limits.h... yes checking locale.h usability... yes checking locale.h presence... yes checking for locale.h... yes checking login.h usability... no checking login.h presence... no checking for login.h... 
no checking maillock.h usability... yes checking maillock.h presence... yes checking for maillock.h... yes checking ndir.h usability... no checking ndir.h presence... no checking for ndir.h... no checking net/if_tun.h usability... no checking net/if_tun.h presence... no checking for net/if_tun.h... no checking netdb.h usability... yes checking netdb.h presence... yes checking for netdb.h... yes checking netgroup.h usability... no checking netgroup.h presence... no checking for netgroup.h... no checking pam/pam_appl.h usability... no checking pam/pam_appl.h presence... no checking for pam/pam_appl.h... no checking paths.h usability... no checking paths.h presence... no checking for paths.h... no checking poll.h usability... yes checking poll.h presence... yes checking for poll.h... yes checking pty.h usability... no checking pty.h presence... no checking for pty.h... no checking readpassphrase.h usability... no checking readpassphrase.h presence... no checking for readpassphrase.h... no checking rpc/types.h usability... yes checking rpc/types.h presence... yes checking for rpc/types.h... yes checking security/pam_appl.h usability... yes checking security/pam_appl.h presence... yes checking for security/pam_appl.h... yes checking sha2.h usability... yes checking sha2.h presence... yes checking for sha2.h... yes checking shadow.h usability... yes checking shadow.h presence... yes checking for shadow.h... yes checking stddef.h usability... yes checking stddef.h presence... yes checking for stddef.h... yes checking for stdint.h... (cached) yes checking for string.h... (cached) yes checking for strings.h... (cached) yes checking sys/audit.h usability... no checking sys/audit.h presence... no checking for sys/audit.h... no checking sys/bitypes.h usability... no checking sys/bitypes.h presence... no checking for sys/bitypes.h... no checking sys/bsdtty.h usability... no checking sys/bsdtty.h presence... no checking for sys/bsdtty.h... 
no checking sys/capability.h usability... no checking sys/capability.h presence... no checking for sys/capability.h... no checking sys/cdefs.h usability... no checking sys/cdefs.h presence... no checking for sys/cdefs.h... no checking sys/dir.h usability... no checking sys/dir.h presence... no checking for sys/dir.h... no checking sys/mman.h usability... yes checking sys/mman.h presence... yes checking for sys/mman.h... yes checking sys/ndir.h usability... no checking sys/ndir.h presence... no checking for sys/ndir.h... no checking sys/poll.h usability... yes checking sys/poll.h presence... yes checking for sys/poll.h... yes checking sys/prctl.h usability... no checking sys/prctl.h presence... no checking for sys/prctl.h... no checking sys/pstat.h usability... no checking sys/pstat.h presence... no checking for sys/pstat.h... no checking sys/ptrace.h usability... no checking sys/ptrace.h presence... no checking for sys/ptrace.h... no checking sys/select.h usability... yes checking sys/select.h presence... yes checking for sys/select.h... yes checking for sys/stat.h... (cached) yes checking sys/stream.h usability... yes checking sys/stream.h presence... yes checking for sys/stream.h... yes checking sys/stropts.h usability... yes checking sys/stropts.h presence... yes checking for sys/stropts.h... yes checking sys/strtio.h usability... no checking sys/strtio.h presence... no checking for sys/strtio.h... no checking sys/statvfs.h usability... yes checking sys/statvfs.h presence... yes checking for sys/statvfs.h... yes checking sys/sysmacros.h usability... yes checking sys/sysmacros.h presence... yes checking for sys/sysmacros.h... yes checking sys/time.h usability... yes checking sys/time.h presence... yes checking for sys/time.h... yes checking sys/timers.h usability... no checking sys/timers.h presence... no checking for sys/timers.h... no checking time.h usability... yes checking time.h presence... yes checking for time.h... yes checking tmpdir.h usability... 
no checking tmpdir.h presence... no checking for tmpdir.h... no checking ttyent.h usability... no checking ttyent.h presence... no checking for ttyent.h... no checking ucred.h usability... yes checking ucred.h presence... yes checking for ucred.h... yes checking for unistd.h... (cached) yes checking usersec.h usability... no checking usersec.h presence... no checking for usersec.h... no checking util.h usability... no checking util.h presence... no checking for util.h... no checking utime.h usability... yes checking utime.h presence... yes checking for utime.h... yes checking utmp.h usability... yes checking utmp.h presence... yes checking for utmp.h... yes checking utmpx.h usability... yes checking utmpx.h presence... yes checking for utmpx.h... yes checking vis.h usability... no checking vis.h presence... no checking for vis.h... no checking wchar.h usability... yes checking wchar.h presence... yes checking for wchar.h... yes checking for lastlog.h... yes checking for sys/ptms.h... yes checking for login_cap.h... no checking for sys/mount.h... yes checking for sys/un.h... yes checking for obsolete utmp and wtmp in solaris2.x... yes checking for setpflags... yes checking for setppriv... yes checking for priv_basicset... no checking priv.h usability... yes checking priv.h presence... yes checking for priv.h... yes checking compiler and flags for sanity... yes checking for setsockopt... no checking for setsockopt in -lsocket... yes checking for dirname... yes checking libgen.h usability... yes checking libgen.h presence... yes checking for libgen.h... yes checking for getspnam... yes checking for library containing basename... none required checking zlib.h usability... yes checking zlib.h presence... yes checking for zlib.h... yes checking for deflate in -lz... yes checking for possibly buggy zlib... no checking for strcasecmp... yes checking for utimes... yes checking bsd/libutil.h usability... no checking bsd/libutil.h presence... no checking for bsd/libutil.h... 
no checking libutil.h usability... no checking libutil.h presence... no checking for libutil.h... no checking for library containing fmt_scaled... no checking for library containing scan_scaled... no checking for library containing login... no checking for library containing logout... no checking for library containing logwtmp... no checking for library containing openpty... no checking for library containing updwtmp... none required checking for fmt_scaled... no checking for scan_scaled... no checking for login... no checking for logout... no checking for openpty... no checking for updwtmp... yes checking for logwtmp... no checking for library containing inet_ntop... -lnsl checking for library containing gethostbyname... none required checking for strftime... yes checking for GLOB_ALTDIRFUNC support... no checking for gl_matchc field in glob_t... no checking for gl_statv and GLOB_KEEPSTAT extensions for glob... no checking whether GLOB_NOMATCH is declared... yes checking whether VIS_ALL is declared... no checking whether struct dirent allocates space for d_name... no checking for /proc/pid/fd directory... yes checking for Blowfish_initstate... no checking for Blowfish_expandstate... no checking for Blowfish_expand0state... no checking for Blowfish_stream2word... no checking for asprintf... yes checking for b64_ntop... no checking for __b64_ntop... no checking for b64_pton... no checking for __b64_pton... no checking for bcopy... yes checking for bcrypt_pbkdf... no checking for bindresvport_sa... no checking for blf_enc... no checking for cap_rights_limit... no checking for clock... yes checking for closefrom... yes checking for dirfd... no checking for endgrent... yes checking for err... no checking for errx... no checking for explicit_bzero... no checking for fchmod... yes checking for fchown... yes checking for freeaddrinfo... yes checking for fstatfs... yes checking for fstatvfs... yes checking for futimes... no checking for getaddrinfo... 
yes
checking for getcwd... yes
checking for getgrouplist... no
checking for getnameinfo... yes
checking for getopt... yes
checking for getpeereid... no
checking for getpeerucred... yes
checking for getpgid... yes
checking for getpgrp... yes
checking for _getpty... no
checking for getrlimit... yes
checking for getttyent... no
checking for glob... yes
checking for group_from_gid... no
checking for inet_aton... yes
checking for inet_ntoa... yes
checking for inet_ntop... yes
checking for innetgr... yes
checking for login_getcapbool... no
checking for md5_crypt... no
checking for memmove... yes
checking for memset_s... no
checking for mkdtemp... yes
checking for ngetaddrinfo... no
checking for nsleep... no
checking for ogetaddrinfo... no
checking for openlog_r... no
checking for pledge... no
checking for poll... yes
checking for prctl... no
checking for pstat... no
checking for readpassphrase... no
checking for reallocarray... no
checking for recvmsg... yes
checking for rresvport_af... yes
checking for sendmsg... yes
checking for setdtablesize... no
checking for setegid... yes
checking for setenv... yes
checking for seteuid... yes
checking for setgroupent... no
checking for setgroups... yes
checking for setlinebuf... yes
checking for setlogin... no
checking for setpassent... no
checking for setpcred... no
checking for setproctitle... no
checking for setregid... yes
checking for setreuid... yes
checking for setrlimit... yes
checking for setsid... yes
checking for setvbuf... yes
checking for sigaction... yes
checking for sigvec... no
checking for snprintf... yes
checking for socketpair... yes
checking for statfs... yes
checking for statvfs... yes
checking for strcasestr... no
checking for strdup... yes
checking for strerror... yes
checking for strlcat... yes
checking for strlcpy... yes
checking for strmode... no
checking for strnlen... no
checking for strnvis... no
checking for strptime... yes
checking for strtonum... no
checking for strtoll... yes
checking for strtoul... yes
checking for strtoull... yes
checking for swap32... no
checking for sysconf... yes
checking for tcgetpgrp... yes
checking for timingsafe_bcmp... no
checking for truncate... yes
checking for unsetenv... yes
checking for updwtmpx... yes
checking for user_from_uid... no
checking for usleep... yes
checking for vasprintf... yes
checking for vsnprintf... yes
checking for waitpid... yes
checking for warn... no
checking for mblen... no
checking for mbtowc... no
checking for nl_langinfo... no
checking for wcwidth... no
checking for utf8 locale support... yes
checking for library containing dlopen... none required
checking for gai_strerror... yes
checking for library containing nanosleep... -lrt
checking for library containing clock_gettime... none required
checking whether getrusage is declared... no
checking whether strsep is declared... no
checking whether tcsendbreak is declared... yes
checking whether h_errno is declared... yes
checking whether SHUT_RD is declared... yes
checking whether O_NONBLOCK is declared... yes
checking whether writev is declared... yes
checking whether MAXSYMLINKS is declared... yes
checking whether offsetof is declared... yes
checking whether howmany is declared... yes
checking whether NFDBITS is declared... yes
checking for fd_mask... yes
checking for setresuid... no
checking for setresgid... no
checking for realpath... yes
checking if realpath works with non-existent files... no
checking for gettimeofday... yes
checking for time... yes
checking for endutent... yes
checking for getutent... yes
checking for getutid... yes
checking for getutline... yes
checking for pututline... yes
checking for setutent... yes
checking for utmpname... yes
checking for endutxent... yes
checking for getutxent... yes
checking for getutxid... yes
checking for getutxline... yes
checking for getutxuser... no
checking for pututxline... yes
checking for setutxdb... no
checking for setutxent... yes
checking for utmpxname... yes
checking for getlastlogxbyname... no
checking for daemon... no
checking for daemon in -lbsd... no
checking for getpagesize... yes
checking whether snprintf correctly terminates long strings... yes
checking whether vsnprintf returns correct values on overflow... yes
checking whether snprintf can declare const char *fmt... yes
checking for (overly) strict mkstemp... no
checking whether AI_NUMERICSERV is declared... yes
checking whether getpgrp requires zero arguments... yes
checking OpenSSL header version... 1000115f (OpenSSL 1.0.1u 22 Sep 2016)
checking OpenSSL library version... 1000115f (OpenSSL 1.0.1u 22 Sep 2016)
checking whether OpenSSL's headers match the library... yes
checking if programs using OpenSSL functions will link... yes
checking for BN_is_prime_ex... yes
checking for DSA_generate_parameters_ex... yes
checking for EVP_DigestInit_ex... yes
checking for EVP_DigestFinal_ex... yes
checking for EVP_MD_CTX_init... yes
checking for EVP_MD_CTX_cleanup... yes
checking for EVP_MD_CTX_copy_ex... yes
checking for HMAC_CTX_init... yes
checking for RSA_generate_key_ex... yes
checking for RSA_get_default_method... yes
checking whether OpenSSL has crippled AES support... no
checking whether OpenSSL has AES CTR via EVP... yes
checking whether OpenSSL has AES GCM via EVP... yes
checking for library containing EVP_CIPHER_CTX_ctrl... none required
checking if EVP_DigestUpdate returns an int... yes
checking for crypt... yes
checking for DES_crypt... yes
checking for SHA256_Update... yes
checking for EVP_sha256... yes
checking for EVP_ripemd160... yes
checking whether OpenSSL has NID_X9_62_prime256v1... yes
checking whether OpenSSL has NID_secp384r1... yes
checking whether OpenSSL has NID_secp521r1... yes
checking if OpenSSL's NID_secp521r1 is functional... yes
checking for arc4random... no
checking for arc4random_buf... no
checking for arc4random_stir... no
checking for arc4random_uniform... no
checking for ia_openinfo in -liaf... no
checking whether OpenSSL's PRNG is internally seeded... yes
checking if select works with descriptor rlimit... no
checking if setrlimit(RLIMIT_NOFILE,{0,0}) works... yes
checking if setrlimit RLIMIT_FSIZE works... yes
checking for long long... yes
checking for unsigned long long... yes
checking for long double... yes
checking size of short int... 2
checking size of int... 4
checking size of long int... 8
checking size of long long int... 8
checking for u_int type... yes
checking for intXX_t types... yes
checking for int64_t type... yes
checking for u_intXX_t types... no
checking for u_intXX_t types in sys/socket.h... no
checking for u_int64_t types... no
checking for uintXX_t types... yes
checking for uintXX_t types in stdint.h... yes
checking for uintXX_t types in inttypes.h... yes
checking for u_char... yes
checking for intmax_t... yes
checking for uintmax_t... yes
checking for socklen_t... yes
checking for sig_atomic_t... yes
checking for fsblkcnt_t... yes
checking for fsfilcnt_t... yes
checking for in_addr_t... yes
checking for in_port_t... yes
checking for size_t... yes
checking for ssize_t... yes
checking for clock_t... yes
checking for sa_family_t... yes
checking for pid_t... yes
checking for mode_t... yes
checking for struct sockaddr_storage... yes
checking for struct sockaddr_in6... yes
checking for struct in6_addr... yes
checking for struct sockaddr_in6.sin6_scope_id... yes
checking for struct addrinfo... yes
checking for struct timeval... yes
checking for struct timespec... yes
checking for ut_host field in utmp.h... no
checking for ut_host field in utmpx.h... yes
checking for syslen field in utmpx.h... yes
checking for ut_pid field in utmp.h... yes
checking for ut_type field in utmp.h... yes
checking for ut_type field in utmpx.h... yes
checking for ut_tv field in utmp.h... no
checking for ut_id field in utmp.h... yes
checking for ut_id field in utmpx.h... yes
checking for ut_addr field in utmp.h... no
checking for ut_addr field in utmpx.h... no
checking for ut_addr_v6 field in utmp.h... no
checking for ut_addr_v6 field in utmpx.h... no
checking for ut_exit field in utmp.h... yes
checking for ut_time field in utmp.h... yes
checking for ut_time field in utmpx.h... yes
checking for ut_tv field in utmpx.h... yes
checking for struct stat.st_blksize... yes
checking for struct passwd.pw_gecos... yes
checking for struct passwd.pw_class... no
checking for struct passwd.pw_change... no
checking for struct passwd.pw_expire... no
checking for struct __res_state.retrans... yes
checking for ss_family field in struct sockaddr_storage... yes
checking for __ss_family field in struct sockaddr_storage... no
checking for msg_accrights field in struct msghdr... yes
checking if struct statvfs.f_fsid is integral type... yes
checking for msg_control field in struct msghdr... no
checking if libc defines __progname... no
checking whether gcc implements __FUNCTION__... yes
checking whether gcc implements __func__... yes
checking whether va_copy exists... yes
checking whether __va_copy exists... yes
checking whether getopt has optreset support... no
checking if libc defines sys_errlist... no
checking if libc defines sys_nerr... no
checking for library containing getrrsetbyname... no
checking for library containing res_query... -lresolv
checking for library containing dn_expand... none required
checking if res_query will link... yes
checking for _getshort... yes
checking for _getlong... yes
checking whether _getshort is declared... no
checking whether _getlong is declared... no
checking for HEADER.ad... no
checking if struct __res_state _res is an extern... yes
checking for xauth... /usr/X/bin/xauth
checking Discovering system mail directory... Using: /var/mail from MAILDIR
checking for "/dev/ptmx"... yes
checking for "/dev/ptc"... no
checking for nroff... (cached) /bin/nroff
checking if the systems has expire shadow information... yes
checking for "/etc/default/login"... yes
configure: WARNING: If PATH is defined in /etc/default/login, ensure the path to scp is included, otherwise scp will not work.
Adding /usr/local/bin to USER_PATH so scp will work
checking if we need to convert IPv4 in IPv6-mapped addresses... no (default)
checking if your system defines LASTLOG_FILE... no
checking if your system defines _PATH_LASTLOG... no
checking if your system defines UTMP_FILE... yes
checking if your system defines WTMP_FILE... yes
checking if your system defines WTMPX_FILE... yes
checking for struct lastlog.ll_line... yes
checking for struct utmp.ut_line... yes
checking whether BROKEN_GETADDRINFO is declared... no
configure: creating ./config.status
config.status: creating Makefile
config.status: creating buildpkg.sh
config.status: creating opensshd.init
config.status: creating openssh.xml
config.status: creating openbsd-compat/Makefile
config.status: creating openbsd-compat/regress/Makefile
config.status: creating survey.sh
config.status: creating config.h

OpenSSH has been configured with the following options:
                     User binaries: /usr/local/bin
                   System binaries: /usr/local/sbin
               Configuration files: /usr/local/etc
                   Askpass program: /usr/local/libexec/ssh-askpass
                      Manual pages: /usr/local/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
(If PATH is set in /etc/default/login it will be used instead. If used,
ensure the path to scp is present, otherwise scp will not work.)
                    Manpage format: man
                       PAM support: no
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                 Smartcard support:
                     S/KEY support: no
              MD5 password support: no
                   libedit support: no
  Solaris process contract support: no
           Solaris project support: no
         Solaris privilege support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: none

              Host: sparc-sun-solaris2.10
          Compiler: gcc
    Compiler flags: -m64 -mtune=native -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong
Preprocessor flags:
      Linker flags: -m64 -Wl,-z,now -fstack-protector-strong
         Libraries: -lresolv -lcrypto -lrt -lnsl -lz -lsocket

SVR4 style packages are supported with "make package"

root @ lemanruss /patch/openssh-7.4p1 # gmake
's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed | \ gawk -f ./mdoc2man.awk > ssh-keysign.8.out; \ else \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' 
${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed > ssh-keysign.8.out; \ fi if test "man" = "cat"; then \ manpage=./`echo ssh-pkcs11-helper.8.out | sed 's/\.[1-9]\.out$/\.0/'`; \ else \ manpage=./`echo ssh-pkcs11-helper.8.out | sed 's/\.out$//'`; \ fi; \ if test "man" = "man"; then \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed | \ gawk -f ./mdoc2man.awk > ssh-pkcs11-helper.8.out; \ else \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 
's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed > ssh-pkcs11-helper.8.out; \ fi if test "man" = "cat"; then \ manpage=./`echo sshd_config.5.out | sed 's/\.[1-9]\.out$/\.0/'`; \ else \ manpage=./`echo sshd_config.5.out | sed 's/\.out$//'`; \ fi; \ if test "man" = "man"; then \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed | \ gawk -f ./mdoc2man.awk > sshd_config.5.out; \ else \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 
's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed > sshd_config.5.out; \ fi if test "man" = "cat"; then \ manpage=./`echo ssh_config.5.out | sed 's/\.[1-9]\.out$/\.0/'`; \ else \ manpage=./`echo ssh_config.5.out | sed 's/\.out$//'`; \ fi; \ if test "man" = "man"; then \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 
(cd openbsd-compat && gmake)
gmake[1]: Entering directory '/patch/openssh-7.4p1/openbsd-compat'
gcc -m64 -mtune=native -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -I. -I.. -I. -I./.. -DHAVE_CONFIG_H -c arc4random.c
In file included from ../includes.h:171:0,
                 from arc4random.c:27:
../openbsd-compat/openbsd-compat.h:230:23: error: expected identifier or '(' before numeric constant
 # define mblen(x, y) (1)
                       ^
gmake[1]: *** [Makefile:26: arc4random.o] Error 1
gmake[1]: Leaving directory '/patch/openssh-7.4p1/openbsd-compat'
gmake: *** [Makefile:156: openbsd-compat/libopenbsd-compat.a] Error 2
root @ lemanruss /patch/openssh-7.4p1 # uname -a
SunOS lemanruss 5.10 Generic_150400-44 sun4u sparc SUNW,Sun-Fire-V490 Solaris

16.01.2017 12:36, Jeff Wieland wrote:
> Darren Tucker wrote:
>> On Mon, Jan 16, 2017 at 2:34 AM, Yuri Voinov wrote:
>>> OpenSSH 7.4 p1 still can't be build without patch on Solaris 10
>>> (attached).
>> What does it do (or not)? We test on an x86 Solaris 10 VM and it
>> built on that.
>>
>>> -dnl Wide character support. Linux man page says it needs
>>> _XOPEN_SOURCE.
>>> -saved_CFLAGS="$CFLAGS"
>>> -CFLAGS="$CFLAGS -D_XOPEN_SOURCE"
>>> +dnl Wide character support.
>>> AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
>>> -CFLAGS="$saved_CFLAGS"
>> That will break wide character detection on Linux.
>>
> It builds (and works) fine on Solaris 10 for SPARC as well.
>
> --
> Jeff Wieland, UNIX/Network Systems Administrator
> Purdue University IT Infrastructure Services UNIX Platforms
>
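Review bot: the hunk removes `-D_XOPEN_SOURCE` around `AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])` for every platform, which changes the result on Linux (the removed `dnl` comment records that the Linux man page needs the flag, and Darren makes the same point), and it drops that comment, so the reason the flag was there is lost. The Solaris build error above is the fallback `# define mblen(x, y) (1)` in openbsd-compat.h colliding with the system prototype once the check reports `no`; a narrower change would keep the flag only where it is needed, for example by wrapping `CFLAGS="$CFLAGS -D_XOPEN_SOURCE"` in a `case "$host" in` arm for Linux, and keep the `saved_CFLAGS` save/restore so the flag cannot leak into later checks. Please also keep the comment, amended to say on which platforms the flag applies.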
From: yvoinov at gmail.com (Yuri)
Date: Mon, 16 Jan 2017 17:37:19 +0600
Subject: OpenSSH 7.4 p1 still can't be build without patch on Solaris 10
In-Reply-To: <4dd62a75-92b6-bea2-f758-f58677654ada@purdue.edu>
References: <84df953b-f31f-6a15-f14d-86ca85549247@gmail.com> <4dd62a75-92b6-bea2-f758-f58677654ada@purdue.edu>
Message-ID: <7fecc1b5-e17d-efad-d3db-0231f0049a49@gmail.com>

Same shame and easy to reproduce on x86_64:

root @ khorne /patch/tmp/openssh-7.4p1 # ./configure --with-ssl-dir=/usr/local 'CFLAGS=-m64 -mtune=native -pipe' LDFLAGS=-m64
....
checking for mblen... no
checking for mbtowc... no
checking for nl_langinfo... no
checking for wcwidth... no
checking for utf8 locale support... yes
OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
(If PATH is set in /etc/default/login it will be used instead. If
used, ensure the path to scp is present, otherwise scp will not work.)
Manpage format: man
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
MD5 password support: no
libedit support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: none

Host: i386-pc-solaris2.10
Compiler: gcc
Compiler flags: -m64 -mtune=native -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong
Preprocessor flags: -I/usr/local/include
Linker flags: -L/usr/local/lib -R/usr/local/lib -m64 -Wl,-z,now -fstack-protector-strong
Libraries: -lresolv -lcrypto -lrt -lnsl -lz -lsocket

SVR4 style packages are supported with "make package"

root @ khorne /patch/tmp/openssh-7.4p1 # gmake
's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ./${conffile} > sshd_config.out conffile=`echo ssh_config.out | sed 's/.out$//'`; \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 
's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ./${conffile} > ssh_config.out conffile=`echo moduli.out | sed 's/.out$//'`; \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ./${conffile} > moduli.out if test "man" = "cat"; then \ manpage=./`echo moduli.5.out | sed 's/\.[1-9]\.out$/\.0/'`; \ else \ manpage=./`echo moduli.5.out | sed 's/\.out$//'`; \ fi; \ if test "man" = "man"; then \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 
's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed | \ gawk -f ./mdoc2man.awk > moduli.5.out; \ else \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed > moduli.5.out; \ fi if test "man" = "cat"; then \ manpage=./`echo scp.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \ else \ manpage=./`echo scp.1.out | sed 's/\.out$//'`; \ fi; \ if test "man" = "man"; then \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 
's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed | \ gawk -f ./mdoc2man.awk > scp.1.out; \ else \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed > scp.1.out; \ fi if test "man" = "cat"; then \ manpage=./`echo ssh-add.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \ else \ manpage=./`echo ssh-add.1.out | sed 's/\.out$//'`; \ fi; \ if 
test "man" = "man"; then \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed | \ gawk -f ./mdoc2man.awk > ssh-add.1.out; \ else \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 
's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed > ssh-add.1.out; \ fi if test "man" = "cat"; then \ manpage=./`echo ssh-agent.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \ else \ manpage=./`echo ssh-agent.1.out | sed 's/\.out$//'`; \ fi; \ if test "man" = "man"; then \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed | \ gawk -f ./mdoc2man.awk > ssh-agent.1.out; \ else \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed > ssh-agent.1.out; \ fi if test "man" = "cat"; then \ manpage=./`echo ssh-keygen.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \ else \ manpage=./`echo ssh-keygen.1.out | sed 's/\.out$//'`; \ fi; \ if test "man" = "man"; then \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed | \ gawk -f ./mdoc2man.awk > ssh-keygen.1.out; \ else \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed > ssh-keygen.1.out; \ fi if test "man" = "cat"; then \ manpage=./`echo ssh-keyscan.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \ else \ manpage=./`echo ssh-keyscan.1.out | sed 's/\.out$//'`; \ fi; \ if test "man" = "man"; then \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 
's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed | \ gawk -f ./mdoc2man.awk > ssh-keyscan.1.out; \ else \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed > ssh-keyscan.1.out; \ fi if test "man" = "cat"; then \ manpage=./`echo ssh.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \ else \ manpage=./`echo ssh.1.out | sed 's/\.out$//'`; \ fi; \ if test "man" = "man"; then \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 
's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed | \ gawk -f ./mdoc2man.awk > ssh.1.out; \ else \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed > ssh.1.out; \ fi if test "man" = "cat"; then \ manpage=./`echo sshd.8.out | sed 's/\.[1-9]\.out$/\.0/'`; \ else \ manpage=./`echo sshd.8.out | sed 's/\.out$//'`; \ fi; \ if test "man" = "man"; then \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 
's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed | \ gawk -f ./mdoc2man.awk > sshd.8.out; \ else \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed > sshd.8.out; \ fi if test 
"man" = "cat"; then \ manpage=./`echo sftp-server.8.out | sed 's/\.[1-9]\.out$/\.0/'`; \ else \ manpage=./`echo sftp-server.8.out | sed 's/\.out$//'`; \ fi; \ if test "man" = "man"; then \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed | \ gawk -f ./mdoc2man.awk > sftp-server.8.out; \ else \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 
's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed > sftp-server.8.out; \ fi if test "man" = "cat"; then \ manpage=./`echo sftp.1.out | sed 's/\.[1-9]\.out$/\.0/'`; \ else \ manpage=./`echo sftp.1.out | sed 's/\.out$//'`; \ fi; \ if test "man" = "man"; then \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed | \ gawk -f ./mdoc2man.awk > sftp.1.out; \ else \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 
's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed > sftp.1.out; \ fi if test "man" = "cat"; then \ manpage=./`echo ssh-keysign.8.out | sed 's/\.[1-9]\.out$/\.0/'`; \ else \ manpage=./`echo ssh-keysign.8.out | sed 's/\.out$//'`; \ fi; \ if test "man" = "man"; then \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed | \ gawk -f ./mdoc2man.awk > ssh-keysign.8.out; \ else \ /opt/csw/gnu/sed 
-e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/moduli|/usr/local/etc/moduli|g' -e 's|/etc/ssh/sshrc|/usr/local/etc/sshrc|g' -e 's|/usr/X11R6/bin/xauth|/usr/openwin/bin/xauth|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g' ${manpage} | /bin/sh ./fixalgorithms /opt/csw/gnu/sed > ssh-keysign.8.out; \ fi if test "man" = "cat"; then \ manpage=./`echo ssh-pkcs11-helper.8.out | sed 's/\.[1-9]\.out$/\.0/'`; \ else \ manpage=./`echo ssh-pkcs11-helper.8.out | sed 's/\.out$//'`; \ fi; \ if test "man" = "man"; then \ /opt/csw/gnu/sed -e 's|/etc/ssh/ssh_config|/usr/local/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/etc/sshd_config|g' -e 's|/usr/libexec|/usr/local/libexec|g' -e 's|/etc/shosts.equiv|/usr/local/etc/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/usr/local/etc/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/usr/local/etc/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/usr/local/etc/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/usr/local/etc/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/usr/local/etc/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/usr/local/etc/moduli|g' -e 
(cd openbsd-compat && gmake)
gmake[1]: Entering directory '/patch/tmp/openssh-7.4p1/openbsd-compat'
gcc -m64 -mtune=native -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -I. -I.. -I. -I./.. -I/usr/local/include -DHAVE_CONFIG_H -c arc4random.c
In file included from ../includes.h:171:0,
                 from arc4random.c:27:
../openbsd-compat/openbsd-compat.h:230:23: error: expected identifier or '(' before numeric constant
 # define mblen(x, y) (1)
                       ^
gmake[1]: *** [Makefile:26: arc4random.o] Error 1
gmake[1]: Leaving directory '/patch/tmp/openssh-7.4p1/openbsd-compat'
gmake: *** [Makefile:156: openbsd-compat/libopenbsd-compat.a] Error 2
root @ khorne /patch/tmp/openssh-7.4p1 # uname -a
SunOS khorne 5.10 Generic_150401-44 i86pc i386 i86pc Solaris

16.01.2017 12:36, Jeff Wieland wrote:
> Darren Tucker wrote:
>> On Mon, Jan 16, 2017 at 2:34 AM, Yuri Voinov wrote:
>>> OpenSSH 7.4 p1 still can't be built without patch on Solaris 10
>>> (attached).
>> What does it do (or not)?  We test on an x86 Solaris 10 VM and it
>> built on that.
>>
>>> -dnl Wide character support. Linux man page says it needs
>>> _XOPEN_SOURCE.
>>> -saved_CFLAGS="$CFLAGS"
>>> -CFLAGS="$CFLAGS -D_XOPEN_SOURCE"
>>> +dnl Wide character support.
>>> AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
>>> -CFLAGS="$saved_CFLAGS"
>> That will break wide character detection on Linux.
>>
> It builds (and works) fine on Solaris 10 for SPARC as well.
>
> --
> Jeff Wieland, UNIX/Network Systems Administrator
> Purdue University IT Infrastructure Services UNIX Platforms
>

From rom at rom1v.com Tue Jan 17 01:30:46 2017
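Review bot: removing -D_XOPEN_SOURCE from around the AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth]) probe unconditionally trades the Solaris 10 failure for the Linux regression Darren points out, and the log in the same message shows what the probe is protecting: openbsd-compat.h:230 supplies its own `# define mblen(x, y) (1)` only because the probe did not find mblen on this box, and that macro then collides with the system's mblen declaration ("expected identifier or '(' before numeric constant"). A change that keeps both platforms working would leave the _XOPEN_SOURCE probe in place and re-run the AC_CHECK_FUNCS without the define only when the first run finds nothing, or guard the define with a host check, rather than dropping it for everyone.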
From: rom at rom1v.com (Romain Vimont)
Date: Mon, 16 Jan 2017 15:30:46 +0100
Subject: SOCKS5 and UDP
Message-ID: <20170116143046.GA25151@romgm>

Hi,

Currently, OpenSSH only accepts the SOCKS5 command "CONNECT":

The RFC also specifies the commands "BIND" and "UDP ASSOCIATE":

As a consequence, in particular, a SOCKS5 server started with "ssh -D"
cannot proxify UDP packets.

Are there deep reasons why OpenSSH does not implement them (security, or
whatever)?

Thank you.

Regards,
®om

From sudarshan12s at gmail.com Tue Jan 17 05:04:54 2017
From: sudarshan12s at gmail.com (Sudarshan Soma)
Date: Mon, 16 Jan 2017 23:34:54 +0530
Subject: ^C doesnt work on ssh session
Message-ID:

Hi,
when I connect to sshd, the session doesn't allow me to issue ^C ^Z, it
doesn't work. Please let me know if there are any settings to control it.
telnet works fine.

my settings, version:

OpenSSH_6.6p1, OpenSSL 1.0.1h 5 Jun 2014

stty -a
speed 38400 baud; rows 24; columns 80; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;
eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R;
werase = ^W; lnext = ^V; flush = ^O; min = 1; time = 0;
-parenb -parodd cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff
-iuclc -ixany -imaxbel -iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt
echoctl echoke

Another query I had was on hiding arguments passed to ssh. I have a
requirement to spawn some ssh command like (ssh ip -o password=221 ip)
which has the password in its arguments. Can we hide this in the listing
from ps, /proc outputs? Please suggest.

Regards,
Grover.

Regards,
Sudarshan

From mouring at eviladmin.org Tue Jan 17 06:34:43 2017
From: mouring at eviladmin.org (Ben Lindstrom)
Date: Mon, 16 Jan 2017 13:34:43 -0600
Subject: ^C doesnt work on ssh session
In-Reply-To:
References:
Message-ID: <587D2053.7090605@eviladmin.org>

What platform are you on, and whose OpenSSH?  Because clearly this isn't
stock:

$ ssh localhost -o password=foo
command-line: line 0: Bad configuration option: password

I don't ever remember -o password=XXX ever being a thing.

Ben

Sudarshan Soma wrote:
> Hi,
> when I connect to sshd, the session doesn't allow me to issue ^C ^Z, it
> doesn't work. Please let me know if there are any settings to control it.
> telnet works fine.
>
> my settings, version:
>
> OpenSSH_6.6p1, OpenSSL 1.0.1h 5 Jun 2014
>
> stty -a
> speed 38400 baud; rows 24; columns 80; line = 0;
> intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;
> eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R;
> werase = ^W; lnext = ^V; flush = ^O; min = 1; time = 0;
> -parenb -parodd cs8 -hupcl -cstopb cread -clocal -crtscts
> -ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff
> -iuclc -ixany -imaxbel -iutf8
> opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
> isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt
> echoctl echoke
>
> Another query I had was on hiding arguments passed to ssh. I have a
> requirement to spawn some ssh command like (ssh ip -o password=221 ip)
> which has the password in its arguments. Can we hide this in the listing
> from ps, /proc outputs? Please suggest.
>
> Regards,
> Grover.
>
> Regards,
> Sudarshan
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From ronf at timeheart.net Tue Jan 17 07:09:33 2017
From: ronf at timeheart.net (Ron Frederick)
Date: Mon, 16 Jan 2017 12:09:33 -0800
Subject: Question on Kerberos (GSSAPI) auth
Message-ID: <966FA366-C69E-4B25-8189-051A21CF7179@timeheart.net>

I'm working on an implementation of "gssapi-with-mic" authentication for my
AsyncSSH package and trying to get it to interoperate with OpenSSH. I've
gotten it working, but there seems to be a discrepancy between the OpenSSH
implementation and RFC 4462. Specifically, RFC 4462 says the following in
section 3.4:

   Since the user authentication process by its nature authenticates
   only the client, the setting of mutual_req_flag is not needed for
   this process.  This flag SHOULD be set to "false".

However, when I try to have my implementation not set this flag and just
send a GSSAPI_TOKEN message immediately followed by a GSSAPI_MIC message
without waiting for a server token (since the authentication is complete as
soon as the client token is sent when mutual auth is disabled), I get a
failure from OpenSSH:

   Failed gssapi-with-mic for ronf from 74.93.13.193 port 64645 ssh2

If I turn on mutual authentication in my client context (going against the
recommendation in the RFC) and wait for a token to come back from the server
before I send the GSSAPI_MIC message, the authentication succeeds.

Looking at the OpenSSH source code, I see that it always unconditionally
enables mutual authentication in the client contexts it allocates. In
ssh_gssapi_init_ctx, it does the following:

   ctx->major = gss_init_sec_context(&ctx->minor,
       GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,
       GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
       0, NULL, recv_tok, NULL, send_tok, flags, NULL);

I don't see anything in the RFC 4462 errata about this recommendation having
changed. Does anyone know why OpenSSH enables this? It makes sense for GSSAPI
key exchange (which OpenSSH doesn't seem to implement), but not for GSSAPI
authentication.
--
Ron Frederick
ronf at timeheart.net

From dtucker at zip.com.au Tue Jan 17 09:20:52 2017
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 17 Jan 2017 09:20:52 +1100
Subject: SOCKS5 and UDP
In-Reply-To: <20170116143046.GA25151@romgm>
References: <20170116143046.GA25151@romgm>
Message-ID:

On Tue, Jan 17, 2017 at 1:30 AM, Romain Vimont wrote:
[...]
> As a consequence, in particular, a SOCKS5 server started with "ssh -D"
> cannot proxify UDP packets.
>
> Are there deep reasons why OpenSSH does not implement them (security, or
> whatever)?

ssh -D accepts SOCKS CONNECT requests and maps them to SSH "direct-tcpip"
requests (see RFC4254 section 7.2).  These are only defined for TCP, there's
no equivalent for UDP.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From rom at rom1v.com Tue Jan 17 20:05:24 2017
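The mapping Darren describes above, written out as an added example (not OpenSSH code): a SOCKS5 request is parsed, CONNECT is turned into the SSH_MSG_CHANNEL_OPEN "direct-tcpip" payload of RFC 4254 section 7.2, and BIND or UDP ASSOCIATE get the SOCKS5 "command not supported" reply because no SSH channel type exists to carry them. The SOCKS5 layout follows RFC 1928; the SSH side is represented only by the serialised channel-open message, and the sample requests at the bottom are constructed, not captured.

```python
"""SOCKS5 request handling the way an 'ssh -D' listener does it."""
import ipaddress
import struct

# SOCKS5 command codes (RFC 1928 section 4)
SOCKS_CONNECT, SOCKS_BIND, SOCKS_UDP_ASSOCIATE = 0x01, 0x02, 0x03
# SOCKS5 address types
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
# SOCKS5 reply codes (RFC 1928 section 6)
REP_SUCCEEDED, REP_COMMAND_NOT_SUPPORTED = 0x00, 0x07
# SSH message number (RFC 4254 section 5.1)
SSH_MSG_CHANNEL_OPEN = 90


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def parse_socks5_request(data: bytes):
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT into (cmd, host, port).

    Every length is checked before use: the request comes from whatever
    connected to the -D listener, so a short or malformed one must raise
    rather than read past the buffer.
    """
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp, pos = data[1], data[3], 4
    if atyp == ATYP_IPV4:
        if len(data) < pos + 4:
            raise ValueError("truncated IPv4 address")
        host, pos = str(ipaddress.IPv4Address(data[pos:pos + 4])), pos + 4
    elif atyp == ATYP_IPV6:
        if len(data) < pos + 16:
            raise ValueError("truncated IPv6 address")
        host, pos = str(ipaddress.IPv6Address(data[pos:pos + 16])), pos + 16
    elif atyp == ATYP_DOMAIN:
        n = data[pos]
        if len(data) < pos + 1 + n:
            raise ValueError("truncated domain name")
        host, pos = data[pos + 1:pos + 1 + n].decode("ascii"), pos + 1 + n
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(data) < pos + 2:
        raise ValueError("truncated DST.PORT")
    return cmd, host, struct.unpack(">H", data[pos:pos + 2])[0]


def direct_tcpip_open(sender_channel: int, host: str, port: int,
                      origin_host: str, origin_port: int,
                      window: int = 2 * 1024 * 1024,
                      max_packet: int = 32 * 1024) -> bytes:
    """Serialise SSH_MSG_CHANNEL_OPEN for a "direct-tcpip" channel.

    Layout per RFC 4254 section 7.2: byte 90, string "direct-tcpip",
    uint32 sender channel, uint32 initial window, uint32 max packet,
    string host to connect, uint32 port, string originator IP,
    uint32 originator port.
    """
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + _ssh_string(b"direct-tcpip")
            + struct.pack(">III", sender_channel, window, max_packet)
            + _ssh_string(host.encode("ascii")) + struct.pack(">I", port)
            + _ssh_string(origin_host.encode("ascii"))
            + struct.pack(">I", origin_port))


def socks5_reply(rep: int) -> bytes:
    """SOCKS5 reply with a zeroed IPv4 BND.ADDR/BND.PORT."""
    return bytes([0x05, rep, 0x00, ATYP_IPV4]) + b"\x00" * 6


def handle_socks5(data: bytes, sender_channel: int,
                  origin=("127.0.0.1", 0)):
    """Return (socks_reply, ssh_channel_open_or_None) for one request.

    A real -D listener sends the success reply only after the server
    answers with CHANNEL_OPEN_CONFIRMATION; here both are returned at
    once to show the mapping.
    """
    cmd, host, port = parse_socks5_request(data)
    if cmd != SOCKS_CONNECT:
        # BIND and UDP ASSOCIATE: nothing in RFC 4254 carries them.
        return socks5_reply(REP_COMMAND_NOT_SUPPORTED), None
    return (socks5_reply(REP_SUCCEEDED),
            direct_tcpip_open(sender_channel, host, port, *origin))


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    connect = (bytes([0x05, SOCKS_CONNECT, 0x00, ATYP_DOMAIN, 11])
               + b"example.com" + b"\x01\xbb")          # port 443
    udp = bytes([0x05, SOCKS_UDP_ASSOCIATE, 0x00, ATYP_IPV4]) + b"\x00" * 6
    for req in (connect, udp):
        reply, chan = handle_socks5(req, sender_channel=7)
        print("reply %#04x ->" % reply[1], chan.hex() if chan else "refused")
```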
From: rom at rom1v.com (Romain Vimont)
Date: Tue, 17 Jan 2017 10:05:24 +0100
Subject: SOCKS5 and UDP
In-Reply-To:
References: <20170116143046.GA25151@romgm>
Message-ID: <20170117090524.GA3698@romgm>

On Tuesday 17 January 2017 at 9:20 +1100, Darren Tucker wrote:
> On Tue, Jan 17, 2017 at 1:30 AM, Romain Vimont wrote:
> [...]
> > As a consequence, in particular, a SOCKS5 server started with "ssh -D"
> > cannot proxify UDP packets.
> >
> > Are there deep reasons why OpenSSH does not implement them (security, or
> > whatever)?
>
> ssh -D accepts SOCKS CONNECT requests and maps them to SSH
> "direct-tcpip" requests (see RFC4254 section 7.2). These are only
> defined for TCP, there's no equivalent for UDP.

Thank you for your answer.

So if I understand correctly, making "ssh -D" create a "full" SOCKS5
server, including UDP relay [1], would require adding a new SSH request
type (like "relay-udp")?

Here is some context: I would like to provide a reverse tethering tool for
Android that redirects all the packets to a SOCKS5 server. Since "ssh -D" is
the simplest way to create a SOCKS5 server (and everyone has an ssh client),
starting a reverse tethering would have been easy. Unfortunately, if UDP
packets are not relayed, it does not work.

An alternative would be to use a tun device on the host and forward the
packets (what SimpleRT [2] does), but this requires root access on the host.

Regards,
®om

From dtucker at zip.com.au Tue Jan 17 20:37:42 2017
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 17 Jan 2017 20:37:42 +1100
Subject: SOCKS5 and UDP
In-Reply-To: <20170117090524.GA3698@romgm>
References: <20170116143046.GA25151@romgm> <20170117090524.GA3698@romgm>
Message-ID:

On Tue, Jan 17, 2017 at 8:05 PM, Romain Vimont wrote:
[..]
> So if I understand correctly, making "ssh -D" create a "full" SOCKS5
> server, including UDP relay [1], would require adding a new SSH request
> type (like "relay-udp")?

Right.  SSH has an extension mechanism: message types with an
@somedomain.com are "vendor extensions" that do not require IETF
standardization so it'd be relay-udp@$something.  It'd need some kind
of association tracking for UDP host/port pairs to replace the stuff
the kernel does for us with TCP, so it'd probably be more complicated to
implement than the existing SOCKS/direct-tcpip support.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From ronf at timeheart.net Wed Jan 18 02:42:50 2017
From: ronf at timeheart.net (Ron Frederick)
Date: Tue, 17 Jan 2017 07:42:50 -0800
Subject: SOCKS5 and UDP
In-Reply-To:
References: <20170116143046.GA25151@romgm> <20170117090524.GA3698@romgm>
Message-ID: <9CA1C80A-0B66-40FC-BF33-8F9EC3DB5E0B@timeheart.net>

On Jan 17, 2017, at 1:37 AM, Darren Tucker wrote:
> On Tue, Jan 17, 2017 at 8:05 PM, Romain Vimont wrote:
> [..]
>> So if I understand correctly, making "ssh -D" create a "full" SOCKS5
>> server, including UDP relay [1], would require adding a new SSH request
>> type (like "relay-udp")?
>
> Right. SSH has an extension mechanism: message types with an
> @somedomain.com are "vendor extensions" that do not require IETF
> standardization so it'd be relay-udp@$something. It'd need some kind
> of association tracking for UDP host/port pairs to replace the stuff
> the kernel does for us with TCP, so it'd probably be more complicated to
> implement than the existing SOCKS/direct-tcpip support.

One thing that makes UDP over SOCKS more complicated for SSH is that SOCKS
normally keeps the UDP packets it forwards as UDP, just adding a small header
to each packet. If you want to get the benefit of the SSH encryption here,
though, you'd need to open an SSH channel to carry these packets, converting
them from UDP to being carried within the existing SSH TCP connection (much
like what SSH already does in the SOCKS TCP case) and then converting back to
UDP on the other side.

It might be worth looking into whether SSH tunnel device forwarding would be
helpful here (the "-w" option in OpenSSH). It's already designed to tunnel
datagrams, and should have no trouble carrying UDP packets. It doesn't use
SOCKS as the way to get the data to the SSH client, though. Instead, it relies
on the ability to create a network tunnel device. See the "SSH-BASED VIRTUAL
PRIVATE NETWORKS" section of the SSH man page for details.

--
Ron Frederick
ronf at timeheart.net

From deengert at gmail.com Wed Jan 18 04:57:41 2017
From: deengert at gmail.com (Douglas E Engert)
Date: Tue, 17 Jan 2017 11:57:41 -0600
Subject: Question on Kerberos (GSSAPI) auth
In-Reply-To: <966FA366-C69E-4B25-8189-051A21CF7179@timeheart.net>
References: <966FA366-C69E-4B25-8189-051A21CF7179@timeheart.net>
Message-ID:

On 1/16/2017 2:09 PM, Ron Frederick wrote:
> I'm working on an implementation of "gssapi-with-mic" authentication for
> my AsyncSSH package and trying to get it to interoperate with OpenSSH. I've
> gotten it working, but there seems to be a discrepancy between the OpenSSH
> implementation and RFC 4462. Specifically, RFC 4462 says the following in
> section 3.4:
>
>    Since the user authentication process by its nature authenticates
>    only the client, the setting of mutual_req_flag is not needed for
>    this process.  This flag SHOULD be set to "false".

Note it says "SHOULD" not "MUST". Previous versions of SSH clients and mods
to OpenSSH have always set mutual_req_flag.

>
> However, when I try to have my implementation not set this flag and just
> send a GSSAPI_TOKEN message immediately followed by a GSSAPI_MIC message
> without waiting for a server token (since the authentication is complete
> as soon as the client token is sent when mutual auth is disabled), I get a
> failure from OpenSSH:
>

From the above comment, you are assuming that there will be no other tokens
exchanged.

After the gss_init_sec_context, you need to send any token from
gss_init_sec_context and if the status is not complete (or not an error)
wait to receive the next token and call gss_init_sec_context in a loop.

GSS is not Kerberos specific and some other gss mechanisms will exchange
multiple tokens.

> Failed gssapi-with-mic for ronf from 74.93.13.193 port 64645 ssh2
>
> If I turn on mutual authentication in my client context (going against the
> recommendation in the RFC) and wait for a token to come back from the
> server before I send the GSSAPI_MIC message, the authentication succeeds.
>
> Looking at the OpenSSH source code, I see that it always unconditionally
> enables mutual authentication in the client contexts it allocates. In
> ssh_gssapi_init_ctx, it does the following:
>
>    ctx->major = gss_init_sec_context(&ctx->minor,
>        GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,
>        GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
>        0, NULL, recv_tok, NULL, send_tok, flags, NULL);
>
> I don't see anything in the RFC 4462 errata about this recommendation
> having changed. Does anyone know why OpenSSH enables this? It makes sense
> for GSSAPI key exchange (which OpenSSH doesn't seem to implement), but not
> for GSSAPI authentication.
>

--
Douglas E. Engert

From sudarshan12s at gmail.com Wed Jan 18 05:10:14 2017
From: sudarshan12s at gmail.com (Sudarshan Soma)
Date: Tue, 17 Jan 2017 23:40:14 +0530
Subject: ^C doesnt work on ssh session
In-Reply-To: <587D2053.7090605@eviladmin.org>
References: <587D2053.7090605@eviladmin.org>
Message-ID:

Thanks Ben. I am checking on Linux.
I do have this command working:

ssh localhost -o password=abc123
SSH started with password
Could not create directory '/root/.ssh'.
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password,keyboard-interactive).

Will try to get back on the openssh used. But is it possible to show some
pointers for my queries: avoiding arguments in ps or /proc, and the other
one was on ^C not working on my ssh sessions.

Thanks

On Tue, Jan 17, 2017 at 1:04 AM, Ben Lindstrom wrote:
>
> What platform are you on, and whose OpenSSH?  Because clearly this isn't
> stock:
>
> $ ssh localhost -o password=foo
> command-line: line 0: Bad configuration option: password
>
> I don't ever remember -o password=XXX ever being a thing.
>
> Ben
>
>
> Sudarshan Soma wrote:
>
>> Hi,
>> when I connect to sshd, the session doesn't allow me to issue ^C ^Z, it
>> doesn't work. Please let me know if there are any settings to control it.
>> telnet works fine.
>>
>> my settings, version:
>>
>> OpenSSH_6.6p1, OpenSSL 1.0.1h 5 Jun 2014
>>
>> stty -a
>> speed 38400 baud; rows 24; columns 80; line = 0;
>> intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;
>> eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R;
>> werase = ^W; lnext = ^V; flush = ^O; min = 1; time = 0;
>> -parenb -parodd cs8 -hupcl -cstopb cread -clocal -crtscts
>> -ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff
>> -iuclc -ixany -imaxbel -iutf8
>> opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
>> isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt
>> echoctl echoke
>>
>> Another query I had was on hiding arguments passed to ssh. I have a
>> requirement to spawn some ssh command like (ssh ip -o password=221 ip)
>> which has the password in its arguments. Can we hide this in the listing
>> from ps, /proc outputs? Please suggest.
>>
>> Regards,
>> Grover.
>>
>> Regards,
>> Sudarshan
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>
>

From twimmers at cs.stonybrook.edu Wed Jan 18 06:55:05 2017
From: twimmers at cs.stonybrook.edu (Thomas Wimmers)
Date: Tue, 17 Jan 2017 14:55:05 -0500
Subject: Testing if OpenSSH Server is installed
Message-ID:

Hi,
I'm trying to deploy OpenSSH remotely and I only want the client to be
installed. I've been using the command "setupssh-7.4p1-1.exe /S
/clientonly=1" and it seems to be working but I'm trying to verify that
the server hasn't been installed. Is there any easy way to test this?

Thanks
Tom Wimmers

From ronf at timeheart.net Wed Jan 18 08:18:13 2017
From: ronf at timeheart.net (Ron Frederick)
Date: Tue, 17 Jan 2017 13:18:13 -0800
Subject: Question on Kerberos (GSSAPI) auth
In-Reply-To:
References: <966FA366-C69E-4B25-8189-051A21CF7179@timeheart.net>
Message-ID: <3A43088E-F553-4643-BB58-2AB01721127B@timeheart.net>

On Jan 17, 2017, at 9:57 AM, Douglas E Engert wrote:
> On 1/16/2017 2:09 PM, Ron Frederick wrote:
>> I'm working on an implementation of "gssapi-with-mic" authentication for
>> my AsyncSSH package and trying to get it to interoperate with OpenSSH.
>> I've gotten it working, but there seems to be a discrepancy between the
>> OpenSSH implementation and RFC 4462. Specifically, RFC 4462 says the
>> following in section 3.4:
>>
>>    Since the user authentication process by its nature authenticates
>>    only the client, the setting of mutual_req_flag is not needed for
>>    this process.  This flag SHOULD be set to "false".
>
> Note it says "SHOULD" not "MUST". Previous versions of SSH clients and
> mods to OpenSSH have always set mutual_req_flag.

[Ron] Thanks - I did see that, but shouldn't that mean it should work
correctly when my client is connecting to sshd whether or not I set the
mutual auth flag? That doesn't appear to be the case.

Are you saying that OpenSSH's sshd is intentionally rejecting the request
when it sees the mutual_auth flag is not set? I see some code in OpenSSH
which suggests it might be trying to do that, but I'm never actually getting
an auth failure here. The connection just hangs.

When tracing it, it looks like OpenSSH's sshd feeds the token I send into
its accepting context and gets back no token to send (which would be
correct), but then it never seems to complete the rest of the state machine
when I send the final message from the client.
The issue may be the way the code is structured:

    /* Now, if we're complete and we have the right flags, then
     * we flag the user as also having been authenticated
     */

    if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) &&
        (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
        if (ssh_gssapi_getclient(ctx, &gssapi_client))
            fatal("Couldn't convert client name");
    }

    return (status);

The fatal() call there only happens when ssh_gssapi_getclient() fails, but
not when one of the outer conditions fails. Normally, when the state is not
complete, just returning here would be fine, but if the context is already
complete and it's just the flags that are wrong, no error is returned. I
would still expect some reaction when it later received the follow-on message
from the client, though.

>> However, when I try to have my implementation not set this flag and just
>> send a GSSAPI_TOKEN message immediately followed by a GSSAPI_MIC message
>> without waiting for a server token (since the authentication is complete
>> as soon as the client token is sent when mutual auth is disabled), I get
>> a failure from OpenSSH:
>>
>
> From the above comment, you are assuming that there will be no other
> tokens exchanged.
>
> After the gss_init_sec_context, you need to send any token from
> gss_init_sec_context and if the status is not complete (or not an error)
> wait to receive the next token and call gss_init_sec_context in a loop.
>
> GSS is not Kerberos specific and some other gss mechanisms will exchange
> multiple tokens.

[Ron] Understood. However, when I don't set the mutual_auth flag, my client
context initialized with gss_init_sec_context() sets the "complete" flag
immediately after I create it and get the first outbound token out of it. It
does not return the "continue" result indicating that it wants a token back
from the server.
So, the only thing the code can do at that point is to send either
MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE or MSG_USERAUTH_GSSAPI_MIC, depending
on whether the integrity flag ends up set in the completed context, and that
doesn't work with OpenSSH's sshd. I'm only able to get it to work if I set
the mutual_auth flag. In that case, I get the outbound token and a "continue"
result to wait for sshd's token, which I do and then feed to the context.
After that, both sides return "complete" and I'm able to send
MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE or MSG_USERAUTH_GSSAPI_MIC to finish the
authentication.

Perhaps there's something else I'm missing when I create my client security
context. However, if that's the case, I haven't figured out what it is.

When creating the client context, I'm also setting the integrity flag and
have an option to set the delegate_creds flag (and it works both with &
without that, properly forwarding the creds when it is set), and I'm also
explicitly setting the mechanism to the Kerberos OID.

--
Ron Frederick
ronf at timeheart.net

From dtucker at zip.com.au Wed Jan 18 08:25:47 2017
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 18 Jan 2017 08:25:47 +1100
Subject: Testing if OpenSSH Server is installed
In-Reply-To:
References:
Message-ID:

On Wed, Jan 18, 2017 at 6:55 AM, Thomas Wimmers wrote:
> Hi,
> I'm trying to deploy OpenSSH remotely and I only want the client to be
> installed. I've been using the command "setupssh-7.4p1-1.exe /S
> /clientonly=1" and it seems to be working but I'm trying to verify that
> the server hasn't been installed. Is there any easy way to test this?

The OpenSSH team does not supply Windows binaries nor packages so you
probably need to ask whoever made those.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Wed Jan 18 08:39:28 2017
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 18 Jan 2017 08:39:28 +1100
Subject: ^C doesnt work on ssh session
In-Reply-To:
References: <587D2053.7090605@eviladmin.org>
Message-ID:

On Wed, Jan 18, 2017 at 5:10 AM, Sudarshan Soma wrote:
> Thanks Ben. I am checking on Linux.
> I do have this command working:
> ssh localhost -o password=abc123

That's definitely a modified ssh binary.

> Will try to get back on the openssh used. But is it possible to show some
> pointers for my queries: avoiding arguments in ps or /proc

I don't think you reliably can.  You can add a call to setproctitle() to
ssh but I don't think that affects all sets of options to ps, and even if
it did there's still a race between when the process starts and when you
call setproctitle during which the password is exposed.

So don't do that, instead use public-key, or if you must use a password
read it from a suitably locked down file.  You can (with some difficulty)
get ssh to read a password via an $SSH_ASKPASS program.

> and the other one was on ^C not working on my ssh sessions.

Just a guess but check the permissions on /dev/tty on the server.  They
should look like:

crw-rw-rw- 1 root tty 5, 0 Jan 17 19:34 /dev/tty

Failing that please post the debug output of ssh -vvv and sshd -ddd from
an unmodified (ie as available from openssh.com) client and server pair.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Wed Jan 18 08:55:16 2017
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 18 Jan 2017 08:55:16 +1100
Subject: SOCKS5 and UDP
In-Reply-To: <9CA1C80A-0B66-40FC-BF33-8F9EC3DB5E0B@timeheart.net>
References: <20170116143046.GA25151@romgm> <20170117090524.GA3698@romgm> <9CA1C80A-0B66-40FC-BF33-8F9EC3DB5E0B@timeheart.net>
Message-ID: <20170117215516.GA19713@gate.dtucker.net>

On Tue, Jan 17, 2017 at 07:42:50AM -0800, Ron Frederick wrote:
[...]
> One thing that makes UDP over SOCKS more complicated for SSH is that
> SOCKS normally keeps the UDP packets it forwards as UDP, just adding
> a small header to each packet. If you want to get the benefit of the
> SSH encryption here, though, you'd need to open an SSH channel to
> carry these packets, converting them from UDP to being carried within
> the existing SSH TCP connection (much like what SSH already does in the
> SOCKS TCP case) and then converting back to UDP on the other side.

Yeah, I alluded to that with my reference to message types earlier.  If
you didn't forward it over the ssh channel, the whole exercise would be
pointless since you could achieve the same result with a separate process
that handled UDP on the client.

Anyway it seems like a lot of work for little benefit, and even if it was
done it'd still have an interoperability problem.

> It might be worth looking into whether SSH tunnel device forwarding
> would be helpful here (the -w option in OpenSSH). It's already
> designed to tunnel datagrams, and should have no trouble carrying UDP
> packets. It doesn't use SOCKS as the way to get the data to the SSH
> client, though. Instead, it relies on the ability to create a network
> tunnel device. See the SSH-BASED VIRTUAL PRIVATE NETWORKS section
> of the SSH man page for details.

I think the problem for this use case is that it requires root-equivalent
access on both client and server to set up and open the tunnel devices.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From deengert at gmail.com Wed Jan 18 13:01:31 2017
From: deengert at gmail.com (Douglas E Engert)
Date: Tue, 17 Jan 2017 20:01:31 -0600
Subject: Question on Kerberos (GSSAPI) auth
In-Reply-To: <3A43088E-F553-4643-BB58-2AB01721127B@timeheart.net>
References: <966FA366-C69E-4B25-8189-051A21CF7179@timeheart.net> <3A43088E-F553-4643-BB58-2AB01721127B@timeheart.net>
Message-ID: <306f2965-d69f-208b-59c2-c16e2722f914@gmail.com>

On 1/17/2017 3:18 PM, Ron Frederick wrote:
> On Jan 17, 2017, at 9:57 AM, Douglas E Engert wrote:
>> On 1/16/2017 2:09 PM, Ron Frederick wrote:
>>> I'm working on an implementation of "gssapi-with-mic" authentication
>>> for my AsyncSSH package and trying to get it to interoperate with
>>> OpenSSH. I've gotten it working, but there seems to be a discrepancy
>>> between the OpenSSH implementation and RFC 4462. Specifically, RFC 4462
>>> says the following in section 3.4:
>>>
>>>    Since the user authentication process by its nature authenticates
>>>    only the client, the setting of mutual_req_flag is not needed for
>>>    this process.  This flag SHOULD be set to "false".
>>
>> Note it says "SHOULD" not "MUST". Previous versions of SSH clients and
>> mods to OpenSSH have always set mutual_req_flag.
>
> [Ron] Thanks - I did see that, but shouldn't that mean it should work
> correctly when my client is connecting to sshd whether or not I set the
> mutual auth flag? That doesn't appear to be the case.
>
> Are you saying that OpenSSH's sshd is intentionally rejecting the request
> when it sees the mutual_auth flag is not set? I see some code in OpenSSH
> which suggests it might be trying to do that, but I'm never actually
> getting an auth failure here. The connection just hangs.
>
> When tracing it, it looks like OpenSSH's sshd feeds the token I send into
> its accepting context and gets back no token to send (which would be
> correct), but then it never seems to complete the rest of the state
> machine when I send the final message from the client.
It may have a token to send: input_gssapi_token() calls
ssh_gssapi_accept_ctx(...,&send_tok,...) then later in 2 places
if (send_tok.length != 0) it sends a packet with the token. The code is also
set up to handle multiple tokens being exchanged.

>
> The issue may be the way the code is structured:
>
>     /* Now, if we're complete and we have the right flags, then
>      * we flag the user as also having been authenticated
>      */
>
>     if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) &&
>         (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
>         if (ssh_gssapi_getclient(ctx, &gssapi_client))
>             fatal("Couldn't convert client name");
>     }
>
>     return (status);

Yes, it looks like it requires GSS_C_MUTUAL_FLAG and GSS_C_INTEG_FLAG, and
if it's not, then it never calls ssh_gssapi_getclient and does not give an
error message either, so the connection hangs.

I think you have uncovered a bug. So I would recommend you have your client
set GSS_C_MUTUAL_FLAG to avoid the issue.

>
> The fatal() call there only happens when ssh_gssapi_getclient() fails,
> but not when one of the outer conditions fails. Normally, when the state
> is not complete, just returning here would be fine, but if the context is
> already complete and it's just the flags that are wrong, no error is
> returned. I would still expect some reaction when it later received the
> follow-on message from the client, though.
>
>
>>> However, when I try to have my implementation not set this flag and
>>> just send a GSSAPI_TOKEN message immediately followed by a GSSAPI_MIC
>>> message without waiting for a server token (since the authentication is
>>> complete as soon as the client token is sent when mutual auth is
>>> disabled), I get a failure from OpenSSH:
>>>
>>
>> From the above comment, you are assuming that there will be no other
>> tokens exchanged.
>> >> After the gss_init_sec_context, you need to send any token from gss_init_sec_context >> and if the status is not complete (or not an error) wait to receive the next token and call gss_init_sec_context >> in a loop. >> >> GSS is not Kerberos specific and some other gss mechanisms will exchange multiple tokens. > > [Ron] Understood. However, when I don't set the mutual_auth flag, my client context initialized with gss_init_sec_context() sets the 'complete' flag immediately after I create it and get the first > outbound token out of it. It does not return the 'continue' result indicating that it wants a token back from the server. So, the only thing the code can do at that point is to send > either MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE or MSG_USERAUTH_GSSAPI_MIC, depending on whether the integrity flag ends up set in the completed context, and that doesn't work with OpenSSH's sshd. I'm > only able to get it to work if I set the mutual_auth flag. In that case, I get the outbound token and a 'continue' result to wait for sshd's token, which I do and then feed to the context. After that, > both sides return 'complete' and I'm able to send MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE or MSG_USERAUTH_GSSAPI_MIC to finish the authentication. > > Perhaps there's something else I'm missing when I create my client security context. However, if that's the case, I haven't figured out what it is. > > When creating the client context, I'm also setting the integrity flag and have an option to set the delegate_creds flag (and it works both with & without that, properly forwarding the creds when it is > set), and I'm also explicitly setting the mechanism to the Kerberos OID. > -- > Ron Frederick > ronf at timeheart.net > > > -- Douglas E. Engert From ronf at timeheart.net Wed Jan 18 17:08:59 2017 
From: ronf at timeheart.net (Ron Frederick) Date: Tue, 17 Jan 2017 22:08:59 -0800 Subject: Question on Kerberos (GSSAPI) auth In-Reply-To: <306f2965-d69f-208b-59c2-c16e2722f914@gmail.com> References: <966FA366-C69E-4B25-8189-051A21CF7179@timeheart.net> <3A43088E-F553-4643-BB58-2AB01721127B@timeheart.net> <306f2965-d69f-208b-59c2-c16e2722f914@gmail.com> Message-ID: <12772775-0673-4B85-ADA8-56EBCDD8B2AE@timeheart.net> On Jan 17, 2017, at 6:01 PM, Douglas E Engert wrote: > On 1/17/2017 3:18 PM, Ron Frederick wrote: >> On Jan 17, 2017, at 9:57 AM, Douglas E Engert > wrote: >>> On 1/16/2017 2:09 PM, Ron Frederick wrote: >>>> I'm working on an implementation of 'gssapi-with-mic' authentication for my AsyncSSH package and trying to get it to interoperate with OpenSSH. I've gotten it working, but there seems to be a >>>> discrepancy between the OpenSSH implementation and RFC 4462. Specifically, RFC 4462 says the following in section 3.4: >>>> >>>> Since the user authentication process by its nature authenticates >>>> only the client, the setting of mutual_req_flag is not needed for >>>> this process. This flag SHOULD be set to "false". >>> >>> Note it says "SHOULD" not "MUST". Previous versions of SSH clients and mods to OpenSSH >>> have always set mutual_req_flag. >> >> [Ron] Thanks - I did see that, but shouldn't that mean it should work correctly when my client is connecting to sshd whether or not I set the mutual auth flag? That doesn't appear to be the case. >> >> Are you saying that OpenSSH's sshd is intentionally rejecting the request when it sees the mutual_auth flag is not set? I see some code in OpenSSH which suggests it might be trying to do that, but I'm >> never actually getting an auth failure here. The connection just hangs. 
>> >> When tracing it, it looks like OpenSSH's sshd feeds the token I send into its accepting context and gets back no token to send (which would be correct), but then it never seems to complete the rest of >> the state machine when I send the final message from the client. > > It may have a token to send, input_gssapi_token() calls ssh_gssapi_accept_ctx(...,&send_tok,...) > then later in 2 places if (send_tok.length != 0) it sends a packet with the token. > The code is also set up to handle multiple tokens being exchanged. Right - when I set mutual_auth, it does have a token to send in this case, and after that both sides are complete. I agree that the code appears like it would handle multiple tokens on both sides as well, which might be useful if this code is ever used with something other than Kerberos. My implementation also supports this. > The issue may be the way the code is structured: >> >> /* Now, if we're complete and we have the right flags, then >> * we flag the user as also having been authenticated >> */ >> >> if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) && >> (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) { >> if (ssh_gssapi_getclient(ctx, &gssapi_client)) >> fatal("Couldn't convert client name"); >> } >> >> return (status); > > Yes it looks like it requires GSS_C_MUTUAL_FLAG and GSS_C_INTEG_FLAG > and if it's not, then it never calls ssh_gssapi_getclient and does not give an error message either > so the connection hangs. I think you have uncovered a bug. Thanks for confirming this! > So I would recommend you have your client set GSS_C_MUTUAL_FLAG to avoid the issue. Yes - this is working fine, and I may just leave it that way, but I wanted to get to the bottom of the issue. 
Now that I have both client-side and server-side GSSAPI auth working in AsyncSSH, I was able to confirm that my own implementation can correctly handle mutual_auth being disabled, and it's still able to properly complete the authentication of the client and get a proper client principal name in the server to validate with only the single token passing from the client to the server and no token in response. I also tested my code with integrity disabled where it sends an EXCHANGE_COMPLETE message instead of the MIC message, and confirmed that this works when I connect to myself. Unfortunately, there's no way to get OpenSSH to handle this at the moment, either as a client or as a server. The integrity check seems like a good thing to have, so I'll probably leave that enabled on my client in all cases for now. However, I have made my server code work in both cases, in case there are clients out there that request this authentication without the integrity check. I'll do the same for mutual_auth, enabling it in my client to make sure I can interoperate with OpenSSH, but allowing other clients to disable it when connecting to my server code. -- Ron Frederick ronf at timeheart.net From rom at rom1v.com Wed Jan 18 20:41:51 2017 
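The exchange discussed in this thread, modelled end to end as an added example (this is not AsyncSSH or OpenSSH code). A mock GSS mechanism stands in for Kerberos: it produces one client token and, only when mutual authentication was requested, one server token, which is exactly the difference between the two cases Ron describes. The client side runs the gss_init_sec_context loop Engert asks for, and only sends the MIC once the context is complete. The MIC buffer layout is the one in RFC 4462 section 3.5; the flag values are the GSS-API C binding constants from RFC 2744. The server's "openssh" mode reproduces the gate quoted above from auth2-gss.c: a context that completes without both GSS_C_MUTUAL_FLAG and GSS_C_INTEG_FLAG never gets its client recorded, and the MIC that follows gets no reply. The "rfc" mode records the client whenever the context completes, as section 3.4 permits. The shared HMAC key standing in for GSS_GetMIC, the session id and the principal names are constructed for the example.

```python
"""RFC 4462 gssapi-with-mic userauth, modelled with a mock GSS mechanism.
Added example: not AsyncSSH or OpenSSH code. Flag values follow RFC 2744."""
import hashlib
import hmac
import struct

GSS_C_MUTUAL_FLAG = 2
GSS_C_INTEG_FLAG = 32
COMPLETE, CONTINUE_NEEDED = "GSS_S_COMPLETE", "GSS_S_CONTINUE_NEEDED"
SSH_MSG_USERAUTH_REQUEST = 50


def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def mic_buffer(session_id: bytes, user: str, service: str = "ssh-connection") -> bytes:
    """RFC 4462 section 3.5: the data the client signs with GSS_GetMIC."""
    return (ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode()) + ssh_string(service.encode())
            + ssh_string(b"gssapi-with-mic"))


class MockMech:
    """Stand-in for a GSS mechanism (constructed): one client token, plus one
    server token only when mutual authentication was requested. Both peers use
    a constructed shared HMAC key for the MIC; a real mechanism derives one."""
    KEY = b"constructed-shared-key"

    def __init__(self, principal=None):
        self.principal, self.flags, self.major = principal, 0, None

    def init_sec_context(self, req_flags, in_tok=None):          # client side
        if in_tok is None:
            self.flags = req_flags & (GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG)
            mutual = bool(self.flags & GSS_C_MUTUAL_FLAG)
            self.major = CONTINUE_NEEDED if mutual else COMPLETE
            return b"INIT:%s:%d" % (self.principal.encode(), self.flags)
        self.major = COMPLETE if in_tok == b"ACCEPT:ok" else "GSS_S_FAILURE"
        return None

    def accept_sec_context(self, in_tok):                        # server side
        _, principal, flags = in_tok.split(b":")
        self.principal, self.flags, self.major = principal.decode(), int(flags), COMPLETE
        return b"ACCEPT:ok" if self.flags & GSS_C_MUTUAL_FLAG else None

    def get_mic(self, data):
        return hmac.new(self.KEY, data, hashlib.sha256).digest()

    def verify_mic(self, data, mic):
        return hmac.compare_digest(self.get_mic(data), mic)


class Server:
    def __init__(self, session_id, mode="openssh"):
        self.session_id, self.mode = session_id, mode
        self.ctx, self.client = MockMech(), None

    def handle_token(self, tok):
        """SSH_MSG_USERAUTH_GSSAPI_TOKEN from the client; returns a reply token or None."""
        send_tok = self.ctx.accept_sec_context(tok)
        both = (self.ctx.flags & GSS_C_MUTUAL_FLAG) and (self.ctx.flags & GSS_C_INTEG_FLAG)
        if self.ctx.major == COMPLETE and (both or self.mode == "rfc"):
            self.client = self.ctx.principal       # ssh_gssapi_getclient() equivalent
        return send_tok

    def handle_mic(self, user, mic):
        """SSH_MSG_USERAUTH_GSSAPI_MIC; None models the silence reported in the thread."""
        if self.client is None:
            return None
        ok = (self.ctx.flags & GSS_C_INTEG_FLAG
              and self.ctx.verify_mic(mic_buffer(self.session_id, user), mic)
              and self.client == user + "@EXAMPLE.ORG")
        return "SSH_MSG_USERAUTH_SUCCESS" if ok else "SSH_MSG_USERAUTH_FAILURE"


def client_auth(server, user, req_flags):
    """Runs the client side against a Server; returns the message transcript."""
    ctx, log = MockMech(user + "@EXAMPLE.ORG"), []
    tok = ctx.init_sec_context(req_flags)
    while tok is not None:               # keep going until the mechanism is done
        log.append("C->S GSSAPI_TOKEN")
        reply = server.handle_token(tok)
        if ctx.major != CONTINUE_NEEDED:
            break
        if reply is None:                # mechanism wants a token the server never sent
            log.append("client would wait forever")
            return log
        log.append("S->C GSSAPI_TOKEN")
        tok = ctx.init_sec_context(req_flags, reply)
    if ctx.major != COMPLETE:
        log.append("context failed")
        return log
    log.append("C->S GSSAPI_MIC")
    result = server.handle_mic(user, ctx.get_mic(mic_buffer(server.session_id, user)))
    log.append("S->C " + result if result else "no reply: client hangs")
    return log


def run(mode, req_flags, session_id=b"constructed-session-id"):
    return client_auth(Server(session_id, mode), "ron", req_flags)
```

run("openssh", GSS_C_INTEG_FLAG) ends in "no reply: client hangs", which is the symptom from the thread, while the same flags against run("rfc", ...) authenticate with a single client token and no server token. Adding GSS_C_MUTUAL_FLAG makes the "openssh" mode succeed, with one extra token in each direction.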
From: rom at rom1v.com (Romain Vimont) Date: Wed, 18 Jan 2017 10:41:51 +0100 Subject: SOCKS5 and UDP In-Reply-To: <20170117215516.GA19713@gate.dtucker.net> References: <20170116143046.GA25151@romgm> <20170117090524.GA3698@romgm> <9CA1C80A-0B66-40FC-BF33-8F9EC3DB5E0B@timeheart.net> <20170117215516.GA19713@gate.dtucker.net> Message-ID: <20170118094151.GA5164@romgm> On Wednesday, 18 January 2017 at 8:55 +1100, Darren Tucker wrote: > On Tue, Jan 17, 2017 at 07:42:50AM -0800, Ron Frederick wrote: Thank you for your answers. > [...] > > One thing that makes UDP over SOCKS more complicated for SSH is that > > SOCKS normally keeps the UDP packets it forwards as UDP, just adding > > a small header to each packet. If you want to get the benefit of the > > SSH encryption here, though, you'd need to open an SSH channel to > > carry these packets, converting them from UDP to being carried within > > the existing SSH TCP connection (much like what SSH already does in the > > SOCKS TCP case) and then converting back to UDP on the other side. > > Yeah, I alluded to that with my reference to message types earlier. > If you didn't forward it over the ssh channel, the whole exercise > would be pointless since you could achieve the same result with a separate > process that handled UDP on the client. Even with a separate process handling UDP packets, the "UDP association" must be handled by the SOCKS server over TCP (so the SSH server would still require changes in that case). Anyway, I wanted to start a SOCKS5 server on the computer, a SOCKS5 client on Android, and communicate over adb (thanks to "adb forward" / "adb reverse"). Unfortunately, adb forwarding does not support UDP packets either, so using SOCKS5 for this purpose won't work anyway. Why SOCKS5 requires UDP packets to be relayed over UDP (instead of using the existing TCP connection) is a mystery to me. 
> Anyway it seems like a lot of work for little benefit It would provide a full SOCKS5 server, able to redirect all IP packets. > > It might be worth looking into where SSH tunnel device forwarding > > would be helpful here (the -w option in OpenSSH). It's already > > designed to tunnel datagrams, and should have no trouble carrying UDP > > packets. It doesn't use SOCKS as the way to get the data to the SSH > > client, though. Instead, it relies on the ability to create a network > > tunnel device. See the SSH-BASED VIRTUAL PRIVATE NETWORKS section > > of the SSH man page for details. > > I think the problem for this use case is that it requires root-equivalent > access on both client and server to set up and open the tunnel devices. Yes, it would require root access on the server. It would be quite equivalent to what SimpleRT does, by creating a tun device manually. Regards, ®om From dtucker at zip.com.au Wed Jan 18 22:10:39 2017 
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 18 Jan 2017 22:10:39 +1100 Subject: SOCKS5 and UDP In-Reply-To: <20170118094151.GA5164@romgm> References: <20170116143046.GA25151@romgm> <20170117090524.GA3698@romgm> <9CA1C80A-0B66-40FC-BF33-8F9EC3DB5E0B@timeheart.net> <20170117215516.GA19713@gate.dtucker.net> <20170118094151.GA5164@romgm> Message-ID: On Wed, Jan 18, 2017 at 8:41 PM, Romain Vimont wrote: > Le mercredi 18 janvier 2017 ? 8:55 +1100, Darren Tucker a ?crit : [...] >> Anyway it seems like a lot of work for little benefit > > It would provide a full SOCKS5 server, able to redirect all IP packets. nitpick: It'd be able to redirect 2 (6 and 17, ie TCP and UDP) of 255 possible types[1] of IPv4 packets. The tunnel-based solutions would be able to handle the other types too. [1] https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers -- Darren Tucker (dtucker at zip.com.au) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Wed Jan 18 22:29:04 2017 
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 18 Jan 2017 22:29:04 +1100 Subject: SOCKS5 and UDP In-Reply-To: <20170118094151.GA5164@romgm> References: <20170116143046.GA25151@romgm> <20170117090524.GA3698@romgm> <9CA1C80A-0B66-40FC-BF33-8F9EC3DB5E0B@timeheart.net> <20170117215516.GA19713@gate.dtucker.net> <20170118094151.GA5164@romgm> Message-ID: On Wed, Jan 18, 2017 at 8:41 PM, Romain Vimont wrote: [...] > Even with a separate process handling UDP packets, the "UDP association" > must be handled by the SOCKS server over TCP (so the SSH server would > still require changes in that case). A SOCKS server running on the client could handle UDP association requests locally then forward TCP connection requests to the ssh client acting as a SOCKS server. Not trivial (and doesn't handle the case you describe, and doesn't do UDP over SSH) but at least possible. -- Darren Tucker (dtucker at zip.com.au) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From deengert at gmail.com Thu Jan 19 02:25:06 2017 
From: deengert at gmail.com (Douglas E Engert) Date: Wed, 18 Jan 2017 09:25:06 -0600 Subject: Question on Kerberos (GSSAPI) auth In-Reply-To: <12772775-0673-4B85-ADA8-56EBCDD8B2AE@timeheart.net> References: <966FA366-C69E-4B25-8189-051A21CF7179@timeheart.net> <3A43088E-F553-4643-BB58-2AB01721127B@timeheart.net> <306f2965-d69f-208b-59c2-c16e2722f914@gmail.com> <12772775-0673-4B85-ADA8-56EBCDD8B2AE@timeheart.net> Message-ID: On 1/18/2017 12:08 AM, Ron Frederick wrote: > > Right - when I set mutual_auth, it does have a token to send in this case, and after that both sides are complete. I agree that the code appears like it would handle multiple tokens on both sides as well, which might be useful if this code is ever used with something other than Kerberos. My implementation also supports this. > Well, there are other SSH mods to work with other GSS-API implementations. The mods are mostly for handling the delegated credentials. http://toolkit.globus.org/toolkit/docs/5.0/5.0.4/security/openssh/pi/ https://github.com/globus/gsi-openssh uses X509 via TLS and delegates X509 proxy certificates. -- Douglas E. Engert From rom at rom1v.com Thu Jan 19 08:16:52 2017 
From: rom at rom1v.com (Romain Vimont) Date: Wed, 18 Jan 2017 22:16:52 +0100 Subject: SOCKS5 and UDP In-Reply-To: References: <20170116143046.GA25151@romgm> <20170117090524.GA3698@romgm> <9CA1C80A-0B66-40FC-BF33-8F9EC3DB5E0B@timeheart.net> <20170117215516.GA19713@gate.dtucker.net> <20170118094151.GA5164@romgm> Message-ID: <20170118211652.GA14866@romlap> On Wednesday, 18 January 2017 at 22:10 +1100, Darren Tucker wrote: > On Wed, Jan 18, 2017 at 8:41 PM, Romain Vimont wrote: > > > It would provide a full SOCKS5 server, able to redirect all IP packets. > > nitpick: It'd be able to redirect 2 (6 and 17, ie TCP and UDP) of 255 > possible types[1] of IPv4 packets. The tunnel-based solutions would > be able to handle the other types too. > > [1] https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers ;-) From neale at sinenomine.net Fri Jan 20 02:49:48 2017 
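The two pieces of SOCKS5 that this thread keeps circling, the UDP ASSOCIATE command carried on the TCP control connection and the "small header" SOCKS prepends to each relayed datagram, as an added example (not OpenSSH code; OpenSSH's -D proxy implements only the TCP CONNECT command). The layouts are those of RFC 1928 sections 4 and 7. The decapsulation side applies the rule RFC 1928 gives a relay with no reassembly support: any datagram with a non-zero FRAG field is dropped, and so is anything with a bad RSV field or a truncated address. All addresses, ports and payloads below are constructed.

```python
"""SOCKS5 UDP ASSOCIATE request and the per-datagram UDP relay header
(RFC 1928 sections 4 and 7). Added example with constructed inputs; not
OpenSSH code, whose -D proxy implements only the TCP CONNECT command."""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_UDP_ASSOCIATE = 3
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def encode_address(host: str, port: int) -> bytes:
    """ATYP + DST.ADDR + DST.PORT for an IPv4/IPv6 literal or a domain name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("domain name length must fit in one octet")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return addr + struct.pack(">H", port)


def decode_address(buf: bytes, off: int = 0):
    """Returns (host, port, offset past DST.PORT); raises ValueError/IndexError on bad input."""
    atyp = buf[off]
    off += 1
    if atyp == ATYP_IPV4:
        host, off = str(ipaddress.IPv4Address(buf[off:off + 4])), off + 4
    elif atyp == ATYP_IPV6:
        host, off = str(ipaddress.IPv6Address(buf[off:off + 16])), off + 16
    elif atyp == ATYP_DOMAIN:
        n = buf[off]
        raw = buf[off + 1:off + 1 + n]
        if len(raw) != n:
            raise ValueError("truncated domain name")
        host, off = raw.decode("idna"), off + 1 + n
    else:
        raise ValueError("unknown ATYP %d" % atyp)
    if len(buf) < off + 2:
        raise ValueError("truncated port")
    return host, struct.unpack(">H", buf[off:off + 2])[0], off + 2


def udp_associate_request(client_host: str = "0.0.0.0", client_port: int = 0) -> bytes:
    """Sent on the TCP control connection: VER CMD RSV ATYP DST.ADDR DST.PORT.
    DST.ADDR/PORT is where the client will send UDP from (all zeros if not yet
    known); the reply's BND.ADDR/BND.PORT tell the client where the relay listens.
    The association lives exactly as long as this TCP connection does."""
    return bytes([SOCKS_VERSION, CMD_UDP_ASSOCIATE, 0]) + encode_address(client_host, client_port)


def encapsulate_udp(dst_host: str, dst_port: int, payload: bytes) -> bytes:
    """Section 7 datagram: RSV(2) FRAG(1) ATYP DST.ADDR DST.PORT DATA, with FRAG=0."""
    return b"\x00\x00\x00" + encode_address(dst_host, dst_port) + payload


def decapsulate_udp(datagram: bytes):
    """Returns (dst_host, dst_port, payload), or None for a datagram the relay
    must drop: bad RSV, non-zero FRAG (no reassembly support, which RFC 1928
    permits), or a truncated header."""
    if len(datagram) < 3 or datagram[:2] != b"\x00\x00" or datagram[2] != 0:
        return None
    try:
        host, port, off = decode_address(datagram, 3)
    except (ValueError, IndexError, struct.error):
        return None
    return host, port, datagram[off:]
```

A SOCKS server placed in front of ssh -D, as Darren suggests, would answer udp_associate_request() itself and run the encapsulate/decapsulate pair on its own UDP socket; the TCP CONNECT requests are the only ones it could hand on to ssh.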
From: neale at sinenomine.net (Neale Ferguson) Date: Thu, 19 Jan 2017 15:49:48 +0000 Subject: Client fails kex after c38ea634893a1975dbbec798fb968c9488013f4a Message-ID: I have a Putty variant that works well with openSSH up until 7.4. After git bisecting I found that after the application of c38ea634893a1975dbbec798fb968c9488013f4a the client fails with host key mismatch. The commit in question appears to remove vestiges of ssh-1 support but my client is using 2.0. I am trying to work out what in that commit would lead to the symptoms. I have been through the patch and it appears to remove the ssh-1 option processing (-b etc.) but nothing directly relating to key exchange processing. I have verified that if I reverse the patch the client works and when I put it back on it fails. I assume it is a flow-on effect of something but I am struggling to connect the dots. Any suggestions of what to look at? The comment for this commit is: Remove more SSH1 server code: * Drop sshd's -k option. * Retire configuration keywords that only apply to protocol 1, as well as the "protocol" keyword. * Remove some related vestiges of protocol 1 support. Thanks, Neale From sudarshan12s at gmail.com Fri Jan 20 03:51:46 2017 From: sudarshan12s at gmail.com (Sudarshan Soma) Date: Thu, 19 Jan 2017 22:21:46 +0530 Subject: Force sshd to prompt username Message-ID: Hi, can I send an ssh request to sshd so that it prompts for the username along with the password? Ex: cogan@localhost$ ssh myserver Login:xyz password: Login is automatically taken as cogan; I want to ignore this and instead prompt for the login and take it from the user. Please suggest. Best Regards, From ziirish at ziirish.info Fri Jan 20 03:56:41 2017 
From: ziirish at ziirish.info (Ziirish) Date: Thu, 19 Jan 2017 17:56:41 +0100 Subject: Force sshd to prompt username In-Reply-To: References: Message-ID: <20170119165640.GM2095@mail.ziirish.info> Hi, Can't you just use the user@server syntax or even the -l flag? cogan@localhost$ ssh xyz@myserver cogan@localhost$ ssh -l xyz myserver * On Thursday, January 19, 2017 at 10:21 PM +0530, Sudarshan Soma wrote: > Hi, Can I send ssh request to sshd to prompt for username along with > password. > > Ex: > > cogan@localhost$ ssh myserver > > Login:xyz > password: > > > Login is automatically taken as cogan, wanted to ignore this and > > instead prompt login and take it from user, Please suggest. > > > Best Regards, From sudarshan12s at gmail.com Fri Jan 20 04:16:59 2017 From: sudarshan12s at gmail.com (Sudarshan Soma) Date: Thu, 19 Jan 2017 22:46:59 +0530 Subject: Force sshd to prompt username In-Reply-To: <20170119165640.GM2095@mail.ziirish.info> References: <20170119165640.GM2095@mail.ziirish.info> Message-ID: No. I am trying to invoke the ssh command from my code, something like system("ssh ip -p ") as a custom action, and would want sshd to handle the login screens (prompting for user/passwd, etc.). Best Regards, On Thu, Jan 19, 2017 at 10:26 PM, Ziirish wrote: > Hi, > > Can't you just use the user@server syntax or even the -l flag? > > cogan@localhost$ ssh xyz@myserver > cogan@localhost$ ssh -l xyz myserver > > * On Thursday, January 19, 2017 at 10:21 PM +0530, Sudarshan Soma < > sudarshan12s at gmail.com> wrote: > > Hi, Can I send ssh request to sshd to prompt for username along with > > password. > > > > Ex: > > > > cogan@localhost$ ssh myserver > > > > Login:xyz > > password: > > > > > > Login is automatically taken as cogan, wanted to ignore this and > > > > instead prompt login and take it from user, Please suggest. > > > > > > Best Regards, > From ziirish at ziirish.info Fri Jan 20 04:21:46 2017 
From: ziirish at ziirish.info (Ziirish) Date: Thu, 19 Jan 2017 18:21:46 +0100 Subject: Force sshd to prompt username In-Reply-To: References: <20170119165640.GM2095@mail.ziirish.info> Message-ID: <20170119172143.GN2095@mail.ziirish.info> * On Thursday, January 19, 2017 at 10:46 PM +0530, Sudarshan Soma wrote: > No. I am trying to invoke ssh command from my code something like > system("ssh ip -p ") as custom action and would want the sshd to > handle Login screens (prompting user/passwd., etc) . Well then just write a wrapper script around SSH like this: 8<----------------------------------------------------------------------------- #!/bin/bash read -r -p "Username: " RUSER [ -n "$RUSER" ] || { echo "no username given" >&2; exit 1; } exec ssh -l "$RUSER" myserver "$@" 8<----------------------------------------------------------------------------- From dtucker at zip.com.au Fri Jan 20 09:18:01 2017 
From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 20 Jan 2017 09:18:01 +1100 Subject: Client fails kex after c38ea634893a1975dbbec798fb968c9488013f4a In-Reply-To: References: Message-ID: On Fri, Jan 20, 2017 at 2:49 AM, Neale Ferguson wrote: > I have a Putty variant that works well with openSSH up until 7.4. After > git bisecting I found that after the application of > c38ea634893a1975dbbec798fb968c9488013f4a the client fails with host key > mismatch. The commit in question appears to remove vestiges of ssh-1 > support but my client is using 2.0. I am trying to work out what in that > commit would lead to the symptoms. I have been through the patch and it > appears to be remove the ssh-1 option processing (-b etc.) but nothing > directly relating to key exchange processing. > > I have verified that if I reverse the patch the client works and when I > put it back on it fails. > > I assume it is a flow-on affect of something but I am struggling to > connect the dots. Any suggestions of what to look at? Could you post the server-side debug logs (sshd -ddd) from before and after the suspect commit? Comparing them would give some indication of what's different. -- Darren Tucker (dtucker at zip.com.au) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Fri Jan 20 09:32:19 2017 
From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 20 Jan 2017 09:32:19 +1100 Subject: Force sshd to prompt username In-Reply-To: References: Message-ID: On Fri, Jan 20, 2017 at 3:51 AM, Sudarshan Soma wrote: > Hi, Can I send ssh request to sshd to prompt for username along with > password. This is purely a function of the client not the server. It is possible within the protocol (PuTTY for example does it) but OpenSSH's client doesn't support it. You can trivially script it as noted elsewhere in this thread, though. -- Darren Tucker (dtucker at zip.com.au) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Fri Jan 20 10:58:09 2017 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 20 Jan 2017 10:58:09 +1100 Subject: Client fails kex after c38ea634893a1975dbbec798fb968c9488013f4a In-Reply-To: References: Message-ID: On Fri, Jan 20, 2017 at 9:18 AM, Darren Tucker wrote: [...] > Could you post the server-side debug logs (sshd -ddd) from before and > after the suspect commit? Comparing them would give some indication > of what's different. Also, what is the server config? In particular, do you have HostKey specifications? -- Darren Tucker (dtucker at zip.com.au) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From sudarshan12s at gmail.com Fri Jan 20 14:37:08 2017 
From: sudarshan12s at gmail.com (Sudarshan Soma) Date: Fri, 20 Jan 2017 09:07:08 +0530 Subject: Force sshd to prompt username In-Reply-To: References: Message-ID: Thanks so much. It helps. On Fri, Jan 20, 2017 at 4:02 AM, Darren Tucker wrote: > On Fri, Jan 20, 2017 at 3:51 AM, Sudarshan Soma > wrote: > > Hi, Can I send ssh request to sshd to prompt for username along with > > password. > > This is purely a function of the client not the server. It is > possible within the protocol (PuTTY for example does it) but OpenSSH's > client doesn't support it. You can trivially script it as noted > elsewhere in this thread, though. > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > From neale at sinenomine.net Fri Jan 20 14:52:07 2017 
From: neale at sinenomine.net (Neale Ferguson) Date: Fri, 20 Jan 2017 03:52:07 +0000 Subject: Client fails kex after c38ea634893a1975dbbec798fb968c9488013f4a In-Reply-To: References: Message-ID: Thanks for the response. Here is the diff between the bad and good instances. Apart from the order of some exchanges and stuff that should be different between sessions nothing really stands out: @@ -83,20 ?,26 @@ debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none [preauth] debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth] debug3: receive packet: type 30 [preauth] debug3: mm_key_sign entering [preauth] debug3: mm_request_send entering: type 6 [preauth] -debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth] -debug3: mm_request_receive_expect entering: type 7 [preauth] -debug3: mm_request_receive entering [preauth] debug3: mm_request_receive entering debug3: monitor_read: checking request 6 debug3: mm_answer_sign -debug3: mm_answer_sign: hostkey proof signature 0x55b482415130(83) ??: mm_answer_sign: hostkey proof signature 0x55e304423390(83) debug3: mm_request_send entering: type 7 debug2: monitor_read: 6 used once, disabling now ??: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth] ??: mm_request_receive_expect entering: type 7 [preauth] ??: mm_request_receive entering [preauth] debug3: send packet: type 31 [preauth] debug3: send packet: type 21 [preauth] debug2: set_newkeys: mode 1 [preauth] debug1: rekey after 4294967296 blocks [preauth] debug1: SSH2_MSG_NEWKEYS sent [preauth] debug1: expecting SSH2_MSG_NEWKEYS [preauth] On 1/19/17, 5:18 PM, "dtucker at dtucker.net on behalf of Darren Tucker" wrote: >Could you post the server-side debug logs (sshd -ddd) from before and >after the suspect commit? Comparing them would give some indication >of what's different. From neale at sinenomine.net Fri Jan 20 15:04:06 2017 
From: neale at sinenomine.net (Neale Ferguson) Date: Fri, 20 Jan 2017 04:04:06 +0000 Subject: Client fails kex after c38ea634893a1975dbbec798fb968c9488013f4a In-Reply-To: References: , Message-ID: <3c08df8ffead457084b023c4fa1b6093@sinenomine.net> F*ck I hate MacOS Outlook Client and the way if stuffs around with plus signs. See if this works. Thanks for the response. Here is the diff between the bad and good instances. Apart from the order of some exchanges and stuff that should be different between sessions nothing really stands out: @@ -83,20 +83,26 @@ ?debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none [preauth] ?debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth] ?debug3: receive packet: type 30 [preauth] ?debug3: mm_key_sign entering [preauth] ?debug3: mm_request_send entering: type 6 [preauth] -debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth] -debug3: mm_request_receive_expect entering: type 7 [preauth] -debug3: mm_request_receive entering [preauth] ?debug3: mm_request_receive entering ?debug3: monitor_read: checking request 6 ?debug3: mm_answer_sign -debug3: mm_answer_sign: hostkey proof signature 0x55b482415130(83) +debug3: mm_answer_sign: hostkey proof signature 0x55e304423390(83) ?debug3: mm_request_send entering: type 7 ?debug2: monitor_read: 6 used once, disabling now +debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth] +debug3: mm_request_receive_expect entering: type 7 [preauth] +debug3: mm_request_receive entering [preauth] ?debug3: send packet: type 31 [preauth] ?debug3: send packet: type 21 [preauth] ?debug2: set_newkeys: mode 1 [preauth] ?debug1: rekey after 4294967296 blocks [preauth] ?debug1: SSH2_MSG_NEWKEYS sent [preauth] ?debug1: expecting SSH2_MSG_NEWKEYS [preauth] From sudarshan12s at gmail.com Fri Jan 20 17:27:21 2017 
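Review bot: this hunk shows no difference in the key exchange itself, so it cannot explain the host key mismatch on its own. The only lines that change are the buffer address in "mm_answer_sign: hostkey proof signature 0x...(83)", which differs between any two runs, and the three mm_key_sign / mm_request_receive_expect / mm_request_receive [preauth] lines, which move from before the monitor's mm_answer_sign to after it; that is interleaving of the two processes' output, not a change of behaviour. In both runs the server then sends packet types 31 and 21 (the KEX reply and NEWKEYS) with an 83-byte signature. The decision the client objects to, which host key the server offers, is taken earlier, so the comparison worth posting is the start of the two logs (host key loading at startup and the host key algorithm selected during kex), together with the client's view of the key it received.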
From: sudarshan12s at gmail.com (Sudarshan Soma) Date: Fri, 20 Jan 2017 11:57:21 +0530 Subject: ^C doesnt work on ssh session In-Reply-To: References: <587D2053.7090605@eviladmin.org> Message-ID: Thanks Darren, will check on your response. I am attaching sshd, ssh logs with debug flags. Please see if it gives any hint: when I press ^C in ssh session, no log gets printed in both server/client side. Best Regards, On Wed, Jan 18, 2017 at 3:09 AM, Darren Tucker wrote: > On Wed, Jan 18, 2017 at 5:10 AM, Sudarshan Soma > wrote: > > Thanks Ben. i am checking in linux. > > I do have this command working: > > ssh localhost -o password=abc123 > > That's definitely a modified ssh binary. > > > will try to getback on openssh used. But is it possible to show some > > pointers for my queries, avoid arguments in ps or /proc > > I don't think you reliably can. > > You can add a call to setproctitle() to ssh but I don't think that > affects all sets of options to ps, and even if it did there's still a > race between when the process starts and when you call setproctitle > during which the password is exposed. > > So don't do that, instead use public-key, or if you must use a > password read it from a suitably locked down file. You can (with some > difficulty) get ssh to read a password via an $SSH_ASKPASS program. > > > and other one was on ^C not working on my ssh sessions. > > just a guess but check the permissions on /dev/tty on the server. > They should look like: > crw-rw-rw- 1 root tty 5, 0 Jan 17 19:34 /dev/tty > > Failing that please post the debug output of ssh -vvv and sshd -ddd > from an unmodified (ie as available from openssh.com) client and > server pair. > > -- > Darren Tucker (dtucker at zip.com.au) > GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. 
> -------------- next part -------------- tmp # sshd -ddd -f /etc/ssh/ssshd_config -h /etc/ssh_key debug2: load_server_config: filename /etc/ssh/sshd_config debug2: load_server_config: done config len = 986 debug2: parse_server_config: config /etc/ssh/sshd_config len 986 debug3: /etc/ssh/sshd_config:2 setting Port 22 debug3: /etc/ssh/sshd_config:3 setting Protocol 2 debug3: /etc/ssh/sshd_config:4 setting PubkeyAuthentication no debug3: /etc/ssh/sshd_config:5 setting RhostsRSAAuthentication no debug3: /etc/ssh/sshd_config:6 setting HostbasedAuthentication no debug3: /etc/ssh/sshd_config:7 setting PasswordAuthentication yes debug3: /etc/ssh/sshd_config:8 setting PermitEmptyPasswords yes debug3: /etc/ssh/sshd_config:9 setting ChallengeResponseAuthentication no debug3: /etc/ssh/sshd_config:10 setting AllowTcpForwarding yes debug3: /etc/ssh/sshd_config:11 setting UsePrivilegeSeparation no debug3: /etc/ssh/sshd_config:12 setting PidFile /tmp/sshd.pid debug3: /etc/ssh/sshd_config:13 setting TCPKeepAlive yes debug3: /etc/ssh/sshd_config:14 setting ClientAliveInterval 600 debug3: /etc/ssh/sshd_config:15 setting ClientAliveCountMax 3 debug3: /etc/ssh/sshd_config:16 setting MaxStartups 25 debug3: /etc/ssh/sshd_config:17 setting Ciphers aes256-ctr,aes192-ctr,aes128-ctr,chacha20-poly1305 at openssh.com,aes128-gcm at openssh.com,aes256-gcm at openssh.com debug3: ciphers ok: [aes256-ctr,aes192-ctr,aes128-ctr,chacha20-poly1305 at openssh.com,aes128-gcm at openssh.com,aes256-gcm at openssh.com] debug3: /etc/ssh/sshd_config:18 setting MACs hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha1,hmac-sha1-etm at openssh.com debug3: macs ok: [hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha1,hmac-sha1-etm at openssh.com] debug3: /etc/ssh/sshd_config:19 setting GatewayPorts no debug3: /etc/ssh/sshd_config:20 setting X11Forwarding no debug3: /etc/ssh/sshd_config:21 setting 
debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug2: session_new: allocate (allocated 0 max 10)
debug3: session_unused: session id 0 unused
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype no-more-sessions at openssh.com want_reply 0
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IPV6_TCLASS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/0
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
Starting session: shell on pts/0 for root from ::1 port 35252
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IPV6_TCLASS 0x10
debug2: channel 0: rfd 8 isatty
debug2: fd 8 setting O_NONBLOCK
debug3: fd 6 is O_NONBLOCK
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Thu Jan 19 21:37:56 2017 from localhost.localdomain
debug1: permanently_set_uid: 0/0
Environment:
USER=root
LOGNAME=root
HOME=/tmp
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
MAIL=/var/mail/root
SHELL=/bin/sh
TZ=UTC
SSH_CLIENT=::1 35252 22
SSH_CONNECTION=::1 35252 ::1 22
SSH_TTY=/dev/pts/0
TERM=linux
-sh: no job control in this shell
file setup_env.sh found...
tmp # ls -ltr /dev/pts/0
crw--w---- 1 root tty 136, 0 Jan 19 21:40 /dev/pts/0
tmp #

From neale at sinenomine.net Sat Jan 21 02:35:05 2017
From: neale at sinenomine.net (Neale Ferguson)
Date: Fri, 20 Jan 2017 15:35:05 +0000
Subject: Client fails kex after c38ea634893a1975dbbec798fb968c9488013f4a
In-Reply-To:
References:
Message-ID:

I found the problem. I was scanning for CRLF in the version string coming back from SSHD. It changed to just a CR.

From ag_shah at hotmail.com Tue Jan 24 06:53:49 2017
From: ag_shah at hotmail.com (Ashish Shah)
Date: Mon, 23 Jan 2017 19:53:49 +0000
Subject: Open SSH public key setup not working on windows 2012
Message-ID:

Hi,

I downloaded setupssh-7.3p1-2.exe for Windows x64. I created private/public keys and set them up accordingly. After entering the passphrase, I see an "authentication succeeded" message, but then the connection to the remote host gets closed immediately.

Some of the client output:

************************
...
Enter passphrase for key '/home/user2/.ssh/id_rsa':
debug1: Authentication succeeded (publickey).
Authenticated to machine2 ([10.39.69.139]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions at openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: channel 0: free: client-session, nchannels 1
Connection to machine2 closed by remote host.
Connection to machine2 closed.
Transferred: sent 2336, received 2880 bytes, in 0.0 seconds
Bytes per second: sent 1167945.4, received 1439932.7
debug1: Exit status -1
***************************

Some of the output from the remote host's OpenSSHD.log. It says "seteuid 1084961: Operation not permitted", as seen below at the end.

*********************
...
debug1: kex: algorithm: curve25519-sha256 at libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp521
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC: compression: none
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_INIT
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user agshah service ssh-connection method none
debug1: attempt 0 failures 0
debug2: parse_server_config: config reprocess config len 561
debug2: input_userauth_request: setting up authctxt for agshah
debug1: userauth_send_banner: sent
debug2: input_userauth_request: try method none
Failed none for user2 from 10.109.136.24 port 28409 ssh2
debug1: userauth-request for user user2 service ssh-connection method publickey
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method publickey
debug1: temporarily_use_uid: 1084961/1049089 (e=18/18)
seteuid 1084961: Operation not permitted
debug1: do_cleanup
*********************

thanks,
Ash

From vicchi.cit at gmail.com Tue Jan 24 16:17:50 2017
From: vicchi.cit at gmail.com (Vishwanath KC)
Date: Tue, 24 Jan 2017 10:47:50 +0530
Subject: Need information to bypass the preauth in openssh
Message-ID:

Hi,

I am Vishwanath. I got one requirement from our clients regarding remote authentication, in which all users' info is present in a remote user database. We are currently using openssh for SSH connections.

To open a new remote session via SSH, openssh will look into the /etc/passwd file. If the user is present, then it will allow login using password or key authentication. But in my case all user info is present in a remote database and authentication is from remote using a tacacs+ server. Due to this I am facing the error message below:

2017 Jan 13 10:45:51 : switch : sshd : Invalid user test from 10.12.16.16
2017 Jan 13 10:45:51 : switch : input_userauth_request: invalid user test [preauth]

Please give some inputs on how to handle this scenario.

Regards,
Vishwanath KC
+918892599848.

From dtucker at zip.com.au Tue Jan 24 16:46:32 2017
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 24 Jan 2017 16:46:32 +1100
Subject: Need information to bypass the preauth in openssh
In-Reply-To:
References:
Message-ID:

On Tue, Jan 24, 2017 at 4:17 PM, Vishwanath KC wrote:
[...]
> But in my case all user info is present in remote database and
> authentication is form remote using tacacs+ server.

What platform is this? You probably want a NSS module or the equivalent for your platform so that getpwnam(3) knows about those users (including things like uid/gid, home directory and shell). I'm not sure TACACS can provide the required details, though.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From vicchi.cit at gmail.com Tue Jan 24 16:54:36 2017
From: vicchi.cit at gmail.com (Vishwanath KC)
Date: Tue, 24 Jan 2017 11:24:36 +0530
Subject: Need information to bypass the preauth in openssh
In-Reply-To:
References:
Message-ID:

Hi,

Thanks for the reply. This is the platform which we are using:

Distributor ID: Debian
Description:    Debian GNU/Linux 8.2 (jessie)
Release:        8.2
Codename:       jessie

Regards,
Vishwanath KC
+918892599848.

On Tue, Jan 24, 2017 at 11:16 AM, Darren Tucker wrote:
> On Tue, Jan 24, 2017 at 4:17 PM, Vishwanath KC wrote:
> [...]
> > But in my case all user info is present in remote database and
> > authentication is form remote using tacacs+ server.
>
> What platform is this? You probably want a NSS module or the
> equivalent for your platform so that getpwnam(3) knows about those
> users (including things like uid/gid, home directory and shell). I'm
> not sure TACACS can provide the required details, though.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>

From dtucker at zip.com.au Tue Jan 24 17:01:12 2017
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 24 Jan 2017 17:01:12 +1100
Subject: Need information to bypass the preauth in openssh
In-Reply-To:
References:
Message-ID:

On Tue, Jan 24, 2017 at 4:54 PM, Vishwanath KC wrote:
[...]
> Distributor ID: Debian
> Description: Debian GNU/Linux 8.2 (jessie)

As you've seen, sshd requires that the system's getpwnam() function knows the user, without which it does not know, for example, what userid to run processes as should you manage to successfully authenticate.

You will need to either arrange for your system's NSS to know about your users somehow or modify sshd.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From alex at alex.org.uk Tue Jan 24 17:53:19 2017
From: alex at alex.org.uk (Alex Bligh)
Date: Tue, 24 Jan 2017 06:53:19 +0000
Subject: Need information to bypass the preauth in openssh
In-Reply-To:
References:
Message-ID:

> On 24 Jan 2017, at 06:01, Darren Tucker wrote:
>
> On Tue, Jan 24, 2017 at 4:54 PM, Vishwanath KC wrote:
> [...]
>> Distributor ID: Debian
>> Description: Debian GNU/Linux 8.2 (jessie)
>
> As you've seen, sshd requires that the system's getpwnam() function
> knows the user, without which it does not know, for example, what
> userid to run processes as should you manage to successfully
> authenticate.
>
> You will need to either arrange for your system's NSS to know about
> your users somehow or modify sshd.

From memory, last time I got this working, we used NSS LDAP and PAM LDAP, and got public keys over LDAP too. It required some fiddling.

--
Alex Bligh

From alex at alex.org.uk Tue Jan 24 17:56:44 2017
From: alex at alex.org.uk (Alex Bligh)
Date: Tue, 24 Jan 2017 06:56:44 +0000
Subject: Need information to bypass the preauth in openssh
In-Reply-To:
References:
Message-ID:

> On 24 Jan 2017, at 06:53, Alex Bligh wrote:
>
> From memory, last time I got this working, we used NSS LDAP and
> PAM LDAP, and got public keys over LDAP too. It required some
> fiddling.

With apologies for the quick followup, I think what we did was roughly this:

https://shellpower.wordpress.com/2015/05/26/ssh-public-key-authentication-with-ldap-on-ubuntu/

--
Alex Bligh

From vicchi.cit at gmail.com Wed Jan 25 17:58:57 2017
From: vicchi.cit at gmail.com (Vishwanath KC)
Date: Wed, 25 Jan 2017 12:28:57 +0530
Subject: Need information to bypass the preauth in openssh
In-Reply-To:
References:
Message-ID:

Hi,

Unfortunately we are not using NSS and LDAP. We are using only a Tacacs server. The authentication needs to be done only via password. So please let me know how I can proceed on this.

Regards,
Vishwanath KC
+918892599848.

On Tue, Jan 24, 2017 at 12:26 PM, Alex Bligh wrote:
>
> > On 24 Jan 2017, at 06:53, Alex Bligh wrote:
> >
> > From memory, last time I got this working, we used NSS LDAP and
> > PAM LDAP, and got public keys over LDAP too. It required some
> > fiddling.
>
> With apologies for the quick followup, I think what we did was
> roughly this:
>
> https://shellpower.wordpress.com/2015/05/26/ssh-public-key-authentication-with-ldap-on-ubuntu/
>
> --
> Alex Bligh
>

From deengert at gmail.com Thu Jan 26 00:23:54 2017
From: deengert at gmail.com (Douglas E Engert)
Date: Wed, 25 Jan 2017 07:23:54 -0600
Subject: Need information to bypass the preauth in openssh
In-Reply-To:
References:
Message-ID:

On 1/25/2017 12:58 AM, Vishwanath KC wrote:
> Hi,
>
> Unfortunately we are not using NSS and LDAP. We are using only Tacacs
> server.
> The authentication needs to be done only via password.
> So please let me know how i can proceed on this.

The NSS people are referring to is not the Mozilla NSS, but the Linux nsswitch functionality.

Googling for combinations of: TACACS+ SSH NSS PAM indicates others over the years have asked similar questions with mixed results. These might be helpful:

https://github.com/jeroennijhof/pam_tacplus/
https://github.com/benschumacher/nss_tacplus
http://ftp.thinklogical.com/ftp/SCS/doc/pam_tacacs/nss-tacplus-HOWTO
https://docs.cumulusnetworks.com/display/DOCS/TACACS+Plus

>
> Regards,
> Vishwanath KC
> +918892599848.
>
> On Tue, Jan 24, 2017 at 12:26 PM, Alex Bligh wrote:
>
>>
>>> On 24 Jan 2017, at 06:53, Alex Bligh wrote:
>>>
>>> From memory, last time I got this working, we used NSS LDAP and
>>> PAM LDAP, and got public keys over LDAP too. It required some
>>> fiddling.
>>
>> With apologies for the quick followup, I think what we did was
>> roughly this:
>>
>> https://shellpower.wordpress.com/2015/05/26/ssh-public-key-authentication-with-ldap-on-ubuntu/
>>
>> --
>> Alex Bligh
>>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

--
Douglas E. Engert

From ag_shah at hotmail.com Thu Jan 26 06:51:11 2017
From: ag_shah at hotmail.com (Ashish Shah)
Date: Wed, 25 Jan 2017 19:51:11 +0000
Subject: Open SSH public key setup not working on windows 2012
In-Reply-To:
References:
Message-ID:

Hi,

Any help on this is much appreciated.

thanks,
Ash

________________________________
From Zube at stat.colostate.edu Thu Jan 26 10:49:06 2017
From: Zube at stat.colostate.edu (Zube)
Date: Wed, 25 Jan 2017 16:49:06 -0700
Subject: sshd 7.4p1 with ssl 1.0.2j seg faults, MacOSX 10.12.2/3, clang-800.0.42.1
Message-ID: <20170125234906.GA52441@quantum.stat.colostate.edu>

Never had much trouble building on the Mac until this round. Trying to build 7.4p1 with openssl 1.0.2j on a MacOSX 10.12.2/3 machine. gcc --version returns clang-800.0.42.1. This is the latest Xcode.

Builds fine. Upon running sshd, it seg faults with this in the logs:

assertion failed 16C67: libsystem_trace.dynlib+76912 [5BD4ECD4-75CA-38EA-AF5C-B481C15955F8]: 0x0

If I run the tests, it fails in:

test_utf8
regress/unittests/utf8/tests.c: 51
test #9 "utf8_inv_badbyt"

ASSERT_INT_EQ (len, wantlen) failed:
len = 2
wantlen = 5
/bin/sh: line 1: 739 Abort trap: 6.

Thank you for your time and for any clues.

Cheers,
Zube

From dtucker at zip.com.au Thu Jan 26 11:17:01 2017
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 26 Jan 2017 11:17:01 +1100
Subject: Open SSH public key setup not working on windows 2012
In-Reply-To:
References:
Message-ID:

On Thu, Jan 26, 2017 at 6:51 AM, Ashish Shah wrote:
> Any help on this is much appreciated.

The OpenSSH team does not provide Windows binaries or installers, and it is very likely that no one on this list even knows what's in that package or what it does when installed. You need to contact the supplier of the package for help.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Thu Jan 26 11:41:50 2017
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 26 Jan 2017 11:41:50 +1100
Subject: sshd 7.4p1 with ssl 1.0.2j seg faults, MacOSX 10.12.2/3, clang-800.0.42.1
In-Reply-To: <20170125234906.GA52441@quantum.stat.colostate.edu>
References: <20170125234906.GA52441@quantum.stat.colostate.edu>
Message-ID:

On Thu, Jan 26, 2017 at 10:49 AM, Zube wrote:
[...]
> regress/unittests/utf8/tests.c: 51
> test #9 "utf8_inv_badbyt"
>
> ASSERT_INT_EQ (len, wantlen) failed:
> len = 2
> wantlen = 5

That's not a segfault, it's an assertion failure in a UTF8 unit test, most likely because it's not escaping something that the tests think should be. You can skip these tests by setting the environment variable TEST_SSH_UTF8=no to see if there are other problems.

The test in question is:

one("inv_badbyte", "\377x", -2, -2, -2, "\\377x");

which passes it through OpenSSH's snmprintf which passes it through a handful of multibyte and wide character functions, so it's not immediately obvious what's going on. It passes here on a mac mini running 11.4.2, though, so it'd be interesting to see what's different between them.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From macmikeal at me.com Fri Jan 27 05:39:26 2017
From: macmikeal at me.com (Dr. Mikeal Hughes)
Date: Thu, 26 Jan 2017 12:39:26 -0600
Subject: Can't SSH into my server
Message-ID: <92A3A438-9E28-4719-8D39-3F82E7C3D53B@me.com>

Hi. I have an Ubuntu 16.04 LTS server. Trying to set up openssh. I have installed openssh-server and openssh-client. When I try to login via a terminal I receive an alert that says "Unable to connect with server, please try again later." Any ideas what I might need to do?

Mikeal Hughes, N9GI
GROL, Comptia A+, Comptia Network+, MOS
Mikeal Hughes & Associates
macmikeal at me.com
Cell: 815-546-1867

From dfong at dfong.org Fri Jan 27 06:15:33 2017
From: dfong at dfong.org (Don Fong)
Date: Thu, 26 Jan 2017 11:15:33 -0800
Subject: config file line length limit
In-Reply-To: 
References: 
Message-ID: <0bfab499-e999-35f8-523c-eeda23f0b72f@dfong.org>

so, i submitted the bug, i added a patch for the code (and man page), and another patch for a regression test. is there anything else i can do to help move this along? will there be a code review process to give me feedback on the code change? how long does it typically take for a simple change to get merged?

https://bugzilla.mindrot.org/show_bug.cgi?id=2651

On 12/19/16 9:59, Don Fong wrote:
> Damien, thanks for your answer. any comments on ancillary issues?
>
> * should the limit be documented, or removed? or should the limit just be increased?
>
> * is there any mechanism to keep the code in libopenssh in sync with the corresponding code in openssh-portable? i would think that as a philosophical matter, openssh-portable should be using the same code as libopenssh where possible. particularly for things like readconf.c. (in fact, as a newcomer to this project, i am wondering why openssh-portable couldn't simply link in libopenssh as a library? why are they two separate github repos, instead of one repo that can build both the executable and the library?)
>
> * is there a missing assignment to active (*activep) in the openssh version of readconf.c, is the comment incorrect, or?
>
> On 12/18/16 19:52, Damien Miller wrote:
>> Hi,
>>
>> This does look like a bug, so it would be great if you could file it on bugzilla.
>>
>> Thanks,
>> Damien
>>
>> On Sun, 18 Dec 2016, Don Fong wrote:
>>
>>> To all,
>>>
>>> i think i've found a minor bug in openssh. i'm writing to the list to get input on whether it's really a bug, or an undocumented limit, or maybe it's even documented somewhere (although i didn't see it documented in ssh_config(5)). if there is a consensus that this is indeed a bug, i'll file it in bugzilla. i would also like to submit the fix.
>>>
>>> the bug is that ssh barfs if my .ssh/config file contains a very long comment line. basically it tries to parse anything beyond the 1022-th char as regular input, not a comment.
>>>
>>> i discovered this behavior by accident. i have an ansible script that spins up new AWS instances. it creates an ssh config stanza for each new instance. at the start of the stanza, the script puts a comment line containing amazon's JSON description of the instance. due to recent changes made by amazon, the description is longer than it used to be, making the comment longer. then ssh started failing.
>>>
>>> example (using the attached config file verylong.config):
>>>
>>> $ ssh -F verylong.config whatever
>>> verylong.config: line 9: Bad configuration option: ABCDEFG
>>> verylong.config: terminating, 1 bad configuration options
>>>
>>> i decided to take a look at the ssh source code. i think it is pretty clear what is going wrong.
>>>
>>> ----- readconf.c:
>>> 1703         char line[1024];
>>> ...
>>> 1730         while (fgets(line, sizeof(line), f)) {
>>> 1731                 /* Update line number counter. */
>>> 1732                 linenum++;
>>> 1733                 if (process_config_line_depth(options, pw, host, original_host,
>>> 1734                     line, filename, linenum, activep, flags, depth) != 0)
>>> 1735                         bad_options++;
>>> 1736         }
>>>
>>> if fgets() runs across a very long input line, whatever won't fit in the given buffer (sizeof line) is left unread on the input stream, to be picked up by later reads. this is the documented behavior of fgets(). how long is too long? the buffer is sized at 1024 chars. one char is needed for the null terminator, another one for the newline. so anything longer than 1024-2 = 1022 bytes is too big.
>>>
>>> unfortunately, readconf.c as written just naively assumes that fgets() returns the entire line. it makes no attempt to deal with the case where the line didn't entirely fit. so basically, a long line is treated as multiple lines. this is true whether the line was a comment or something else. it's just that the behavior stands out more for a comment line, which "should" be completely ignored. besides, there's not much reason for any other type of line to be that long, in the config file.
>>>
>>> i see basically the same problem in the libopenssh version of readconf.c.
>>>
>>> IMHO this is a bug. some might consider it to be a reasonable limit on the line length, but in that case it should be documented in ssh_config(5). and in either case, i think line[] should be declared using a symbolic constant for the length.
>>>
>>> or, get rid of the fixed-length buffer, and implement a dynamically sized buffer instead. since i've only begun to look at this code, i'm not sure this would be a safe thing to do. is there any other code that implicitly assumes that the line length is less than 1024?
>>>
>>> incidentally, i see a strange discrepancy between the openssh-portable version and the libopenssh version. before the while-fgets loop, there is this comment (both versions):
>>>
>>> 1095         /*
>>> 1096          * Mark that we are now processing the options. This flag is turned
>>> 1097          * on/off by Host specifications.
>>> 1098          */
>>> 1099         active = 1;
>>>
>>> but the "active=1" (line 1099) appears only in the libopenssh version, not the openssh-portable version.

From deengert at gmail.com Fri Jan 27 06:54:27 2017
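The fgets() behaviour Don describes, modelled in Python as an added example (not code from the thread or from OpenSSH): readline(1023) on a binary stream has the same contract as fgets(line, 1024, f), so scan_naive() reproduces the loop quoted above and scan_checked() adds the truncation check that loop lacks. The config text and the tiny keyword set are constructed for the example.

```python
"""Model of readconf.c's fgets() loop and of a truncation-aware variant.

fgets(line, 1024, f) returns at most 1023 bytes and stops after a newline;
io.BytesIO.readline(1023) has the same contract, so scan_naive() reproduces
the bug exactly: a physical line longer than 1022 bytes plus newline comes
back as several chunks, and every chunk after the first is parsed as if it
were its own configuration line.
"""
import io

LINE_BUF = 1024            # sizeof(line) in readconf.c
FGETS_MAX = LINE_BUF - 1   # most bytes one fgets() call can return
KNOWN_KEYWORDS = {b"host", b"hostname"}   # just enough of ssh_config for this model


def sample_config(comment_len: int) -> bytes:
    """Constructed ssh_config: a stanza whose comment line holds comment_len
    bytes of 'A' after '# ' (2 + comment_len + newline bytes in total)."""
    return (b"Host whatever\n"
            + b"# " + b"A" * comment_len + b"\n"
            + b"    HostName host.example\n")


def classify(line: bytes) -> str:
    """What readconf.c does with one line: blank and '#' lines are skipped,
    anything else is split and its first word looked up as a keyword."""
    stripped = line.strip()
    if not stripped or stripped.startswith(b"#"):
        return "comment"
    keyword = stripped.split()[0].lower()
    return "option" if keyword in KNOWN_KEYWORDS else "bad_option"


def _new_counts() -> dict:
    return {"lines": 0, "comment": 0, "option": 0, "bad_option": 0, "overlong": 0}


def scan_naive(data: bytes) -> dict:
    """readconf.c as written: every fgets() result is treated as a whole
    line, so the tail of an over-long comment is parsed as options."""
    f = io.BytesIO(data)
    counts = _new_counts()
    while True:
        chunk = f.readline(FGETS_MAX)       # == fgets(line, sizeof line, f)
        if not chunk:
            break
        counts["lines"] += 1
        counts[classify(chunk)] += 1
    return counts


def scan_checked(data: bytes) -> dict:
    """Same loop with the missing check. A chunk without a trailing newline
    that is not the end of the file means fgets() stopped early: drain the
    rest of the physical line, count it once and report it as over-long
    instead of handing its fragments to the option parser."""
    f = io.BytesIO(data)
    counts = _new_counts()
    while True:
        chunk = f.readline(FGETS_MAX)
        if not chunk:
            break
        counts["lines"] += 1
        if not chunk.endswith(b"\n"):
            rest = f.readline()             # unbounded: consume to newline or EOF
            if rest:                         # more data followed, so the line was cut
                counts["overlong"] += 1     # a real parser would log "line N too long"
                continue
        counts[classify(chunk)] += 1
    return counts


if __name__ == "__main__":
    for n in (1020, 1021, 3000):
        cfg = sample_config(n)
        print(f"comment of {n} bytes: naive={scan_naive(cfg)} checked={scan_checked(cfg)}")
```

A 1020-byte comment (1023 bytes with "# " and the newline) still fits in one fgets() call; one byte more and the naive loop sees two lines, matching Don's 1022-byte limit.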
From: deengert at gmail.com (Douglas E Engert)
Date: Thu, 26 Jan 2017 13:54:27 -0600
Subject: Can't SSH into my server
In-Reply-To: <92A3A438-9E28-4719-8D39-3F82E7C3D53B@me.com>
References: <92A3A438-9E28-4719-8D39-3F82E7C3D53B@me.com>
Message-ID: <3ce52459-bd39-ce00-ecc0-653165e4a72b@gmail.com>

https://linuxconfig.org/how-to-install-ssh-server-on-ubuntu-16-04-xenial-linux
https://help.ubuntu.com/lts/serverguide/openssh-server.html
http://ubuntuhandbook.org/index.php/2016/04/enable-ssh-ubuntu-16-04-lts/

all hint that you may need to start/restart the service:

sudo service ssh start
sudo service ssh restart

Could be a firewall issue.

On 1/26/2017 12:39 PM, Dr. Mikeal Hughes wrote:
> Hi I have an Ubuntu 16.04 LTS server. Trying to set up openssh. I have installed openssh-server and openssh-client. When I try to login via a terminal i receive an Alert that says Unable to connect with server, please try again later. Any ideas what I might need to do?
>
> Mikeal Hughes, N9GI
> GROL, Comptia A+, Comptia Network+, MOS
> Mikeal Hughes & Associates
> macmikeal at me.com
> Cell: 815-546-1867
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

-- 
Douglas E. Engert

From nunojpg at gmail.com Fri Jan 27 07:01:53 2017
From: nunojpg at gmail.com (Nuno Gonçalves)
Date: Thu, 26 Jan 2017 21:01:53 +0100
Subject: Server accepts key: pkalg rsa-sha2-512 vs ssh-rsa
Message-ID: 

Hi,

I'm doing some tests with a pkcs11 token that can only sign short messages.

When connecting to one server, which reports pkalg rsa-sha2-512 blen 151, it fails to sign the pubkey because it is 83 bytes long. (sshd: OpenSSH_7.3p1)

An older server that reports pkalg ssh-rsa blen 151 works perfectly, as the pubkey signature required is only 35 bytes long. (sshd: OpenSSH_6.7p1)

I am not sure where this pkalg fits in the process, and all my attempts to downgrade the algorithm have failed. Even looking at identity_sign_encode in sshconnect2.c doesn't help me at all, as ssh-rsa is not an option.

So, very simply: was this deprecated completely, does the new implementation not allow the client to downgrade it, or is there any option for it?

Thanks,
Nuno

From btmckee9 at gmail.com Sun Jan 29 06:15:54 2017
From: btmckee9 at gmail.com (Brian McKee)
Date: Sat, 28 Jan 2017 11:15:54 -0800
Subject: known_hosts question for Ubuntu Server 14.04 and 16.04 LTS
Message-ID: 

Hello & thanks for reading.

I'm having a problem configuring known_hosts from scripts so an accept key yes/no prompt doesn't appear.

I'm using this command to detect if the server is known and add it to known_hosts:

if ! ssh-keygen -F ${IP_ADDR} -f ~/.ssh/known_hosts > /dev/null 2>&1; then
    ssh-keyscan -p ${PORT} ${IP_ADDR} >> ~/.ssh/known_hosts; fi

This works fine for the machine that has only one port (22) in sshd_config, but for a machine that is being accessed on a non-standard port (they happen to be different versions of Ubuntu as well; I don't think that's the difference), the code has to be changed to this:

if ! ssh-keygen -F [${IP_ADDR}]:${PORT} -f ~/.ssh/known_hosts > /dev/null 2>&1; then
    ssh-keyscan -p ${PORT} ${IP_ADDR} >> ~/.ssh/known_hosts; fi

And, as suggested for security, if I add -H to the ssh-keyscan, then the IP addresses are hashed and the if statement fails every time, no matter what, so the keys are added over and over again.

I figure I'm doing something wrong. Is there a generic way to cause ssh to generate keys for known_hosts consistently across multiple configurations with a hash?

Thanks,
Brian

From nkadel at gmail.com Sun Jan 29 10:36:19 2017
From: nkadel at gmail.com (Nico Kadel-Garcia)
Date: Sat, 28 Jan 2017 18:36:19 -0500
Subject: known_hosts question for Ubuntu Server 14.04 and 16.04 LTS
In-Reply-To: 
References: 
Message-ID: 

On Sat, Jan 28, 2017 at 2:15 PM, Brian McKee wrote:
> Hello & thanks for reading.
>
> I'm having a problem configuring known_hosts from scripts so an accept key yes/no prompt doesn't appear.

I'd suggest that you *stop using it*. Unless you have a well-defined set of stable hosts, whose SSH host keys are not likely to change, there hasn't been a point to relying on known_hosts in *years*. There's no good signature structure for it to verify the authenticity of published host keys, and too many environments simply re-assign IP addresses for changing back end hosts, or alternatively the hosts are rebuilt with alternative SSH hostkeys with no announcement to users. Maintaining and relying on a known_hosts has traditionally broken more automated scripting and forced far more dangerous hacks and workarounds than it has benefited security.

The relevant options to disable the use of known_hosts are well explained in an article at http://linuxcommando.blogspot.com/2008/10/how-to-disable-ssh-host-key-checking.html, and are:

* StrictHostKeyChecking no # this gets the questions to stop being asked for new connections
* UserKnownHostsFile=/dev/null # This prevents the client from retaining old, mismatched known_hosts entries that will screw up new connections

Additionally, it can be specified in your script or your .ssh/config on a host-by-host basis, so that if you really *want*, you can use it.

> I'm using this command to detect if the server is known and add it to known_hosts:
>
> if ! ssh-keygen -F ${IP_ADDR} -f ~/.ssh/known_hosts > /dev/null 2>&1; then \
>     ssh-keyscan -p ${PORT} ${IP_ADDR} >> ~/.ssh/known_hosts; fi

The "~/", or "$HOME/", is not set for various shell environments. This is especially true for cron jobs run from /etc/cron.d, for which $HOME is always set to "/" by default.

> This works fine for the machine that has only one port (22) in sshd_config, but for a machine that is being accessed on a non-standard port (they happen to be different versions of Ubuntu as well, I don't think that's the difference), the code has to be changed to this:
>
> if ! ssh-keygen -F [${IP_ADDR}]:${PORT} -f ~/.ssh/known_hosts > /dev/null 2>&1; then
>     ssh-keyscan -p ${PORT} ${IP_ADDR} >> ~/.ssh/known_hosts; fi
>
> And, as suggested for security, if I add -H to the ssh-keyscan, then the IP addresses are hashed and the if statement fails every time, no matter what so the keys are added over and over again.
>
> I figure I'm doing something wrong. Is there a generic way to cause ssh to generate keys for known_hosts consistently across multiple configurations with a hash?

Probably. But it's typically not worth the effort, because if the same IP address is re-assigned to a different host with a different key, your saved known_hosts file is going to *break*. And in many environments where hosts are built from images without host keys, and create keys at boot time, and the new hosts are being cycled quickly in a limited address space, well, the results are not going to be pretty. There is no automatic setup in your script to *clear* mismatched hostkeys, and frankly, they're a common problem. They're even a problem when visiting new sites where both sites happen to use the same non-routable address space, such as 192.168.1.0/24. Been there, done that, had to explain to people churning through address spaces for VMs and CI/CD that this was a problem.

From btmckee9 at gmail.com Sun Jan 29 11:32:22 2017
From: btmckee9 at gmail.com (Brian T. McKee)
Date: Sat, 28 Jan 2017 16:32:22 -0800
Subject: known_hosts question for Ubuntu Server 14.04 and 16.04 LTS
In-Reply-To: 
References: 
Message-ID: 

Thanks for replying Nico.

I do have stable hosts, one in the cloud and one local. My options are to rely on known_hosts or disable host key checking (StrictHostKeyChecking no), which opens ssh to man in the middle attacks. I have no idea if they are common, but I'd prefer to keep people from being able to do it.

I understand your points about the location of known_hosts. I was using what works for the servers I'm on and realize that it may not be as portable as it should be, but I do have control over the OSes on these machines so I should be relatively safe from change.

I am using RSA keys to enable the machines to ssh to each other without passwords from specific accounts, so perhaps the host keys aren't as important?

I wonder what others think about "StrictHostKeyChecking no". Everything I've read online indicates that's a dangerous thing to do.

Brian

On 01/28/17 15:36, Nico Kadel-Garcia wrote:
> On Sat, Jan 28, 2017 at 2:15 PM, Brian McKee wrote:
>> Hello & thanks for reading.
>>
>> I'm having a problem configuring known_hosts from scripts so an accept key yes/no prompt doesn't appear.
> I'd suggest that you *stop using it*. Unless you have a well-defined set of stable hosts, whose SSH host keys are not likely to change, there hasn't been a point to relying on known_hosts in *years*. There's no good signature structure for it to verify the authenticity of published host keys, and too many environments simply re-assign IP addresses for changing back end hosts, or alternatively the hosts are rebuilt with alternative SSH hostkeys with no announcement to users. Maintaining and relying on a known_hosts has traditionally broken more automated scripting and forced far more dangerous hacks and workarounds than it has benefited security.
>
> The relevant options to disable the use of known_hosts are well explained in an article at http://linuxcommando.blogspot.com/2008/10/how-to-disable-ssh-host-key-checking.html, and are:
>
> * StrictHostKeyChecking no # this gets the questions to stop being asked for new connections
> * UserKnownHostsFile=/dev/null # This prevents the client from retaining old, mismatched known_hosts entries that will screw up new connections
>
> Additionally, it can be specified in your script or your .ssh/config on a host-by-host basis, so that if you really *want*, you can use it.
>
>> I'm using this command to detect if the server is known and add it to known_hosts:
>>
>> if ! ssh-keygen -F ${IP_ADDR} -f ~/.ssh/known_hosts > /dev/null 2>&1; then \
>>     ssh-keyscan -p ${PORT} ${IP_ADDR} >> ~/.ssh/known_hosts; fi
> The "~/", or "$HOME/", is not set for various shell environments. This is especially true for cron jobs run from /etc/cron.d, for which $HOME is always set to "/" by default.
>
>> This works fine for the machine that has only one port (22) in sshd_config, but for a machine that is being accessed on a non-standard port (they happen to be different versions of Ubuntu as well, I don't think that's the difference), the code has to be changed to this:
>>
>> if ! ssh-keygen -F [${IP_ADDR}]:${PORT} -f ~/.ssh/known_hosts > /dev/null 2>&1; then
>>     ssh-keyscan -p ${PORT} ${IP_ADDR} >> ~/.ssh/known_hosts; fi
>>
>> And, as suggested for security, if I add -H to the ssh-keyscan, then the IP addresses are hashed and the if statement fails every time, no matter what so the keys are added over and over again.
>>
>> I figure I'm doing something wrong. Is there a generic way to cause ssh to generate keys for known_hosts consistently across multiple configurations with a hash?
> Probably. But it's typically not worth the effort, because if the same IP address is re-assigned to a different host with a different key, your saved known_hosts file is going to *break*. And in many environments where hosts are built from images without host keys, and create keys at boot time, and the new hosts are being cycled quickly in a limited address space, well, the results are not going to be pretty. There is no automatic setup in your script to *clear* mismatched hostkeys, and frankly, they're a common problem. They're even a problem when visiting new sites where both sites happen to use the same non-routable address space, such as 192.168.1.0/24. Been there, done that, had to explain to people churning through address spaces for VMs and CI/CD that this was a problem.

From mindrot at hda3.com Sun Jan 29 11:41:35 2017
From: mindrot at hda3.com (Peter Moody)
Date: Sat, 28 Jan 2017 16:41:35 -0800
Subject: known_hosts question for Ubuntu Server 14.04 and 16.04 LTS
In-Reply-To: 
References: 
Message-ID: 

What about using host certificates rather than host keys? You still have a known_hosts file, but the key has a @cert-authority marker and, assuming your servers have host certs signed by that key, you get no prompt. I set this up at work and we now use it extensively.

On Jan 28, 2017 4:37 PM, "Brian T. McKee" wrote:

Thanks for replying Nico.

I do have stable hosts, one in the cloud and one local. My options are to rely on known_hosts or disable host key checking (StrictHostKeyChecking no), which opens ssh to man in the middle attacks. I have no idea if they are common, but I'd prefer to keep people from being able to do it.

I understand your points about the location of known_hosts. I was using what works for the servers I'm on and realize that it may not be as portable as it should be, but I do have control over the OSes on these machines so I should be relatively safe from change.

I am using RSA keys to enable the machines to ssh to each other without passwords from specific accounts, so perhaps the host keys aren't as important?

I wonder what others think about "StrictHostKeyChecking no". Everything I've read online indicates that's a dangerous thing to do.

Brian

On 01/28/17 15:36, Nico Kadel-Garcia wrote:
> On Sat, Jan 28, 2017 at 2:15 PM, Brian McKee wrote:
>> Hello & thanks for reading.
>>
>> I'm having a problem configuring known_hosts from scripts so an accept key yes/no prompt doesn't appear.
> I'd suggest that you *stop using it*. Unless you have a well-defined set of stable hosts, whose SSH host keys are not likely to change, there hasn't been a point to relying on known_hosts in *years*. There's no good signature structure for it to verify the authenticity of published host keys, and too many environments simply re-assign IP addresses for changing back end hosts, or alternatively the hosts are rebuilt with alternative SSH hostkeys with no announcement to users. Maintaining and relying on a known_hosts has traditionally broken more automated scripting and forced far more dangerous hacks and workarounds than it has benefited security.
>
> The relevant options to disable the use of known_hosts are well explained in an article at http://linuxcommando.blogspot.com/2008/10/how-to-disable-ssh-host-key-checking.html, and are:
>
> * StrictHostKeyChecking no # this gets the questions to stop being asked for new connections
> * UserKnownHostsFile=/dev/null # This prevents the client from retaining old, mismatched known_hosts entries that will screw up new connections
>
> Additionally, it can be specified in your script or your .ssh/config on a host-by-host basis, so that if you really *want*, you can use it.
>
>> I'm using this command to detect if the server is known and add it to known_hosts:
>>
>> if ! ssh-keygen -F ${IP_ADDR} -f ~/.ssh/known_hosts > /dev/null 2>&1; then \
>>     ssh-keyscan -p ${PORT} ${IP_ADDR} >> ~/.ssh/known_hosts; fi
> The "~/", or "$HOME/", is not set for various shell environments. This is especially true for cron jobs run from /etc/cron.d, for which $HOME is always set to "/" by default.
>
>> This works fine for the machine that has only one port (22) in sshd_config, but for a machine that is being accessed on a non-standard port (they happen to be different versions of Ubuntu as well, I don't think that's the difference), the code has to be changed to this:
>>
>> if ! ssh-keygen -F [${IP_ADDR}]:${PORT} -f ~/.ssh/known_hosts > /dev/null 2>&1; then
>>     ssh-keyscan -p ${PORT} ${IP_ADDR} >> ~/.ssh/known_hosts; fi
>>
>> And, as suggested for security, if I add -H to the ssh-keyscan, then the IP addresses are hashed and the if statement fails every time, no matter what so the keys are added over and over again.
>>
>> I figure I'm doing something wrong. Is there a generic way to cause ssh to generate keys for known_hosts consistently across multiple configurations with a hash?
> Probably. But it's typically not worth the effort, because if the same IP address is re-assigned to a different host with a different key, your saved known_hosts file is going to *break*. And in many environments where hosts are built from images without host keys, and create keys at boot time, and the new hosts are being cycled quickly in a limited address space, well, the results are not going to be pretty. There is no automatic setup in your script to *clear* mismatched hostkeys, and frankly, they're a common problem. They're even a problem when visiting new sites where both sites happen to use the same non-routable address space, such as 192.168.1.0/24. Been there, done that, had to explain to people churning through address spaces for VMs and CI/CD that this was a problem.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From Michael.Grauvogl at klinik.uni-regensburg.de Mon Jan 30 00:00:21 2017
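Brian's -F lookups and Peter's @cert-authority suggestion, as an added example (not code from the thread or from OpenSSH): a Python model of how the client matches a host against known_hosts, covering the [host]:port form that ssh-keyscan -p writes for non-default ports, the hashed |1|salt|hmac form that -H writes, and marker lines. The entries, the fixed salt and the key strings are constructed placeholders; ssh-keygen -F performs the same hashed comparison when it is given the same host string.

```python
"""Model of the OpenSSH client's known_hosts lookup (added for this thread).

The host field the client searches for is the bare name for port 22 and
"[host]:port" for any other port, so a -F lookup must use the same form.
A hashed field (ssh-keyscan -H, HashKnownHosts yes) is
|1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host_field)) and can only be
matched by recomputing that HMAC for the host being looked up.
"""
import base64
import hashlib
import hmac
import os
import re

HASH_MAGIC = "|1|"


def host_token(host: str, port: int = 22) -> str:
    """The string ssh looks up, and the string ssh-keygen -F must be given."""
    return host if port == 22 else f"[{host}]:{port}"


def hash_token(token: str, salt=None) -> str:
    """Hashed known_hosts host field, as written by ssh-keyscan -H."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def _glob_match(pattern: str, token: str) -> bool:
    """known_hosts wildcards are '*' and '?' only; '[' is literal (it brackets
    ports), so fnmatch would be wrong here. Matching is case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, token, flags=re.IGNORECASE) is not None


def _hashed_match(field: str, token: str) -> bool:
    try:
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        mac = base64.b64decode(mac_b64)
    except (ValueError, TypeError):
        return False                      # malformed hashed entry: never matches
    expected = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, mac)


def host_field_matches(field: str, token: str) -> bool:
    """Comma-separated patterns; a matching '!pattern' vetoes the whole field."""
    if field.startswith(HASH_MAGIC):
        return _hashed_match(field, token)
    positive = False
    for pat in field.split(","):
        if pat.startswith("!"):
            if _glob_match(pat[1:], token):
                return False
        elif _glob_match(pat, token):
            positive = True
    return positive


def find_host(known_hosts: str, host: str, port: int = 22) -> list:
    """Return (marker, keytype, key) for every line matching host and port."""
    token = host_token(host, port)
    found = []
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = ""
        if line.startswith("@"):            # @cert-authority or @revoked
            marker, _, line = line.partition(" ")
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        field, keytype, key = parts
        if host_field_matches(field, token):
            found.append((marker, keytype, key.split()[0]))
    return found


# Constructed sample file: one server reachable on two ports, a hashed entry
# (fixed salt so the example is deterministic) and a host CA for a domain.
SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "203.0.113.10 ssh-ed25519 AAAAKEY-port22",
    "[203.0.113.10]:2222 ssh-ed25519 AAAAKEY-port2222",
    hash_token(host_token("203.0.113.20", 2222), SALT) + " ssh-ed25519 AAAAKEY-hashed",
    "@cert-authority *.example.test ssh-ed25519 AAAAKEY-hostca",
])

if __name__ == "__main__":
    for host, port in [("203.0.113.10", 22), ("203.0.113.10", 2222),
                       ("203.0.113.20", 2222), ("node1.example.test", 22)]:
        print(host_token(host, port), "->", find_host(SAMPLE_KNOWN_HOSTS, host, port))
```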
From: Michael.Grauvogl at klinik.uni-regensburg.de (Michael Grauvogl)
Date: Sun, 29 Jan 2017 14:00:21 +0100
Subject: [PATCH] Bug 2150: Recursive upload expects target directory to already exist
Message-ID: <6aaaadcc-2360-62ea-8b9f-4fac435e02a7@klinik.uni-regensburg.de>

Hi,

below is a patch for bug 2150 (Recursive upload expects target directory to already exist, https://bugzilla.mindrot.org/show_bug.cgi?id=2150).

The problem is that function upload_dir calls do_realpath which will fail if the destination directory does not already exist and therefore upload_dir_internal never gets called. I used some code from upload_dir_internal to create the destination directory if it does not already exist.

Cheers,
Michael

diff --git a/sftp-client.c b/sftp-client.c index d47be0e..f02ecd7 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -1869,6 +1869,33 @@ upload_dir(struct sftp_conn *conn, const char *src, const char *dst, { char *dst_canon; int ret; + struct stat sb; + Attrib a, *dirattrib; + + /* check if dst exists */ + if (stat(src, &sb) == -1) { + error("Couldn't stat directory \"%s\": %s", + src, strerror(errno)); + return -1; + } + + attrib_clear(&a); + stat_to_attrib(&sb, &a); + a.flags &= ~SSH2_FILEXFER_ATTR_SIZE; + a.flags &= ~SSH2_FILEXFER_ATTR_UIDGID; + a.perm &= 01777; + if (!preserve_flag) + a.flags &= ~SSH2_FILEXFER_ATTR_ACMODTIME; + + /* + * sftp lacks a portable status value to match errno EEXIST, + * so if we get a failure back then we must check whether + * the path already existed and is a directory. + */ + if (do_mkdir(conn, dst, &a, 0) != 0) { + if ((dirattrib = do_stat(conn, dst, 0)) == NULL) + return -1; + } if ((dst_canon = do_realpath(conn, dst)) == NULL) { error("Unable to canonicalize path \"%s\"", dst);

From jjelen at redhat.com Mon Jan 30 20:58:01 2017
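Review bot: the fallback at the end of the hunk, 'if ((dirattrib = do_stat(conn, dst, 0)) == NULL) return -1;', accepts any existing dst without checking that it is a directory, even though the comment directly above it says the code "must check whether the path already existed and is a directory"; if dst exists as a regular file the function carries on into do_realpath and the upload fails later with a less useful error. After the do_stat succeeds, reject non-directories, for instance by testing S_ISDIR(dirattrib->perm) when SSH2_FILEXFER_ATTR_PERMISSIONS is set in dirattrib->flags and returning -1 with an error naming dst. Two smaller points: the comment '/* check if dst exists */' sits above 'stat(src, &sb)', which stats the local source to copy its attributes, so the comment should say that instead; and since this mkdir-then-stat block repeats what upload_dir_internal already does for the top-level directory, factoring it into a shared helper would avoid two copies that can drift apart.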
From: jjelen at redhat.com (Jakub Jelen)
Date: Mon, 30 Jan 2017 10:58:01 +0100
Subject: Server accepts key: pkalg rsa-sha2-512 vs ssh-rsa
In-Reply-To: 
References: 
Message-ID: <53cb818d-e72e-78fe-7216-c1a56ef73f6f@redhat.com>

On 01/26/2017 09:01 PM, Nuno Gonçalves wrote:
> Hi,
>
> I'm doing some tests with a pkcs11 token that can only sign short messages.
>
> When connecting to one server, which reports pkalg rsa-sha2-512 blen 151, it fails to sign the pubkey because it is 83 bytes long. (sshd: OpenSSH_7.3p1)
>
> An older server that reports pkalg ssh-rsa blen 151 works perfectly, as the pubkey signature required is only 35 bytes long. (sshd: OpenSSH_6.7p1)
>
> I am not sure where this pkalg fits in the process, and all my attempts to downgrade the algorithm have failed. Even looking at identity_sign_encode in sshconnect2.c doesn't help me at all, as ssh-rsa is not an option.
>
> So, very simply: was this deprecated completely, does the new implementation not allow the client to downgrade it, or is there any option for it?
>
> Thanks,
> Nuno

This is part of deprecating SHA1 for signatures, which was hardcoded into the core RFCs. The different hashes were introduced in OpenSSH 7.2 [1] and are negotiated using the protocol extension. I don't think there are configuration options to control this behavior, but the new algorithms have higher priority for new OpenSSH versions.

[1] http://www.openssh.com/txt/release-7.2

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat

From sudarshan12s at gmail.com Tue Jan 31 05:03:20 2017
From: sudarshan12s at gmail.com (Sudarshan Soma)
Date: Mon, 30 Jan 2017 23:33:20 +0530
Subject: sshd custom shell script for specific user
Message-ID: 

+ added subject

On Mon, Jan 30, 2017 at 11:32 PM, Sudarshan Soma wrote:
> Hi,
> I am trying to give access to sshd port 22 to connect to a different port, 1023, by differentiating with a special user, customuser. Following is how i tried, but it doesn't work; please suggest.
>
> outside, user issues command
> ssh customuser@ip, it fails
>
> inside sshd_config, i wrote the following:
>
> Match user customuser
>     ForceCommand . /etc/myscript
>
> inside myscript, I do the following:
> read -p "Username: " RUSER
> ssh $RUSER@127.0.0.1 -p 1023
>
> with this setting, i find these:
>
> If i run sshd in debug mode, password is asked in the server window, prints go to client window:
>
> server terminal:
> sshd -d -f /etc/ssh/sshd_config -h /etc/ssh/ssh_key
>
> Starting session: forced-command (config) '. /etc/myscript' on pts/3 for customuser from 10.102.12.12 port 41622
> admin@127.0.0.1's password:
>
> client terminal:
> ssh customuser@10.220.167.18
> Username: admin
>
> If i run sshd in non-interactive mode:
> it doesn't ask for password at all
>
> server logs:
>
> Jan 30 17:22:18 Linux auth.info sshd[5229]: WARNING: /usr/local/etc/moduli does not exist, using fixed modulus
> Jan 30 17:22:18 Linux auth.err sshd[5229]: error: Could not get shadow information for customuser
> Jan 30 17:22:18 Linux auth.info sshd[5229]: Accepted none for customuser from 10.220.82.17 port 41645 ssh2
> Jan 30 17:22:18 Linux auth.info sshd[5230]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
> Jan 30 17:22:18 Linux auth.info sshd[5230]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
>
> client logs:
>
> ssh customuser@10.220.167.184
> Username: admin
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied (publickey,password).
> Connection to 10.220.167.184 closed.

From sudarshan12s at gmail.com Tue Jan 31 05:02:26 2017
From: sudarshan12s at gmail.com (Sudarshan Soma)
Date: Mon, 30 Jan 2017 23:32:26 +0530
Subject: No subject
Message-ID: 

Hi,
I am trying to give access to sshd port 22 to connect to a different port, 1023, by differentiating with a special user, customuser. Following is how i tried, but it doesn't work; please suggest.

outside, user issues command
ssh customuser@ip, it fails

inside sshd_config, i wrote the following:

Match user customuser
    ForceCommand . /etc/myscript

inside myscript, I do the following:
read -p "Username: " RUSER
ssh $RUSER@127.0.0.1 -p 1023

with this setting, i find these:

If i run sshd in debug mode, password is asked in the server window, prints go to client window:

server terminal:
sshd -d -f /etc/ssh/sshd_config -h /etc/ssh/ssh_key

Starting session: forced-command (config) '. /etc/myscript' on pts/3 for customuser from 10.102.12.12 port 41622
admin@127.0.0.1's password:

client terminal:
ssh customuser@10.220.167.18
Username: admin

If i run sshd in non-interactive mode:
it doesn't ask for password at all

server logs:

Jan 30 17:22:18 Linux auth.info sshd[5229]: WARNING: /usr/local/etc/moduli does not exist, using fixed modulus
Jan 30 17:22:18 Linux auth.err sshd[5229]: error: Could not get shadow information for customuser
Jan 30 17:22:18 Linux auth.info sshd[5229]: Accepted none for customuser from 10.220.82.17 port 41645 ssh2
Jan 30 17:22:18 Linux auth.info sshd[5230]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
Jan 30 17:22:18 Linux auth.info sshd[5230]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory

client logs:

ssh customuser@10.220.167.184
Username: admin
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).
Connection to 10.220.167.184 closed.

From smallm at sdf.org Tue Jan 31 08:25:37 2017
From: smallm at sdf.org (Mike Small)
Date: Mon, 30 Jan 2017 21:25:37 +0000
Subject: typo in sshd.8 SSH_KNOWN_HOSTS FILE FORMAT section?
Message-ID: 

I was confused today reading in sshd.8, section SSH_KNOWN_HOSTS FILE FORMAT, "whenever the user connects from an unknown host, its key is added to the per-user file." That should read, "to an unknown host," shouldn't it?

Looking back there was a patch sent to this list a couple years ago by someone who thought the same:

https://marc.info/?l=openssh-unix-dev&m=137238159508849&w=2

It looks to still be this way as of revision 1.287:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd.8?rev=1.287&content-type=text/x-cvsweb-markup

-- 
Mike Small
smallm at sdf.org

From dtucker at zip.com.au Tue Jan 31 10:28:36 2017
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 31 Jan 2017 10:28:36 +1100
Subject: typo in sshd.8 SSH_KNOWN_HOSTS FILE FORMAT section?
In-Reply-To: 
References: 
Message-ID: 

On Tue, Jan 31, 2017 at 8:25 AM, Mike Small wrote:
> I was confused today reading in sshd.8, section SSH_KNOWN_HOSTS FILE FORMAT, "whenever the user connects from an unknown host, its key is added to the per-user file." That should read, "to an unknown host,"

You're right. I don't remember seeing the previous message you pointed out but I've just committed the fix. Thanks.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

From dtucker at zip.com.au Tue Jan 31 10:40:04 2017
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 31 Jan 2017 10:40:04 +1100
Subject: sshd custom shell script for specific user
In-Reply-To: 
References: 
Message-ID: 

On Tue, Jan 31, 2017 at 5:03 AM, Sudarshan Soma wrote:
> + added subject
>
> On Mon, Jan 30, 2017 at 11:32 PM, Sudarshan Soma wrote:
[...]
>> I am trying to give access to sshd port 22 to connect to a different port, 1023, by differentiating with a special user, customuser. Following is how i tried, but it doesn't work; please suggest.

What is the objective of this exercise?

>> If i run sshd in debug mode, password is asked in the server window, prints go to client window:

I think what's happening is that ssh will open the process' controlling terminal to ask for a password, and that happens to be sshd's when run in debug mode and not present when run normally. Try forcing ssh to request a tty ("ssh -tt ...").

If that doesn't work please post the complete server and client debug logs (using "/path/to/sshd -o loglevel=debug3 -e" should get you the debug logs for the doesn't-ask case).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

From nkadel at gmail.com Tue Jan 31 15:49:37 2017
From: nkadel at gmail.com (Nico Kadel-Garcia)
Date: Mon, 30 Jan 2017 23:49:37 -0500
Subject: No subject
In-Reply-To: 
References: 
Message-ID: 

On Mon, Jan 30, 2017 at 1:02 PM, Sudarshan Soma wrote:
> Hi,
> I am trying to give access to sshd port 22 to connect to a different port, 1023, by differentiating with a special user, customuser. Following is how i tried, but it doesn't work; please suggest.

The easiest way to do this is, typically, to run a *separate* sshd on port 1023 with the characteristics set to allow *only* that alternative user access. Take a look at setting up another daemon with another "sshd_config" file to do this. That way, you can leave your internal default SSH the heck alone and block it at your firewalls as appropriate.

>
> outside, user issues command
> ssh customuser@ip, it fails
>
> inside sshd_config, i wrote the following:
>
> Match user customuser
>     ForceCommand . /etc/myscript
>
> inside myscript, I do the following:
> read -p "Username: " RUSER
> ssh $RUSER@127.0.0.1 -p 1023
>
> with this setting, i find these:
>
> If i run sshd in debug mode, password is asked in the server window, prints go to client window:
>
> server terminal:
> sshd -d -f /etc/ssh/sshd_config -h /etc/ssh/ssh_key
>
> Starting session: forced-command (config) '. /etc/myscript' on pts/3 for customuser from 10.102.12.12 port 41622
> admin@127.0.0.1's password:
>
> client terminal:
> ssh customuser@10.220.167.18
> Username: admin
>
> If i run sshd in non-interactive mode:
> it doesn't ask for password at all
>
> server logs:
>
> Jan 30 17:22:18 Linux auth.info sshd[5229]: WARNING: /usr/local/etc/moduli does not exist, using fixed modulus
> Jan 30 17:22:18 Linux auth.err sshd[5229]: error: Could not get shadow information for customuser
> Jan 30 17:22:18 Linux auth.info sshd[5229]: Accepted none for customuser from 10.220.82.17 port 41645 ssh2
> Jan 30 17:22:18 Linux auth.info sshd[5230]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
> Jan 30 17:22:18 Linux auth.info sshd[5230]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory
>
> client logs:
>
> ssh customuser@10.220.167.184
> Username: admin
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied (publickey,password).
> Connection to 10.220.167.184 closed.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From sudarshan12s at gmail.com Tue Jan 31 15:55:16 2017
From: sudarshan12s at gmail.com (Sudarshan Soma)
Date: Tue, 31 Jan 2017 10:25:16 +0530
Subject: sshd custom shell script for specific user
In-Reply-To: 
References: 
Message-ID: 

Thanks Darren, the intention of doing this: allow users to access my own shell/CLI (including authentication) on port 22. their firewall settings don't allow anything other than port 22, so I would internally redirect to port 1023 when customuser is provided.

I will try enabling logs, thanks.

On Tue, Jan 31, 2017 at 5:10 AM, Darren Tucker wrote:
> On Tue, Jan 31, 2017 at 5:03 AM, Sudarshan Soma wrote:
> > + added subject
> >
> > On Mon, Jan 30, 2017 at 11:32 PM, Sudarshan Soma wrote:
> [...]
> >> I am trying to give access to sshd port 22 to connect to a different port, 1023, by differentiating with a special user, customuser. Following is how i tried, but it doesn't work; please suggest.
>
> What is the objective of this exercise?
>
> >> If i run sshd in debug mode, password is asked in the server window, prints go to client window:
>
> I think what's happening is that ssh will open the process' controlling terminal to ask for a password, and that happens to be sshd's when run in debug mode and not present when run normally. Try forcing ssh to request a tty ("ssh -tt ...").
>
> If that doesn't work please post the complete server and client debug logs (using "/path/to/sshd -o loglevel=debug3 -e" should get you the debug logs for the doesn't-ask case).
>
> -- 
> Darren Tucker (dtucker at zip.com.au)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
>     Good judgement comes with experience. Unfortunately, the experience
>     usually comes from bad judgement.
>

From sudarshan12s at gmail.com Tue Jan 31 15:57:27 2017
From: sudarshan12s at gmail.com (Sudarshan Soma)
Date: Tue, 31 Jan 2017 10:27:27 +0530
Subject: No subject
In-Reply-To:
References:
Message-ID:

Thanks for the suggestion. The customer's firewall settings don't allow
access to 1023, hence I was doing it from inside. So external access to
port 1023 is dropped, but from loopback (inside) it would be allowed.

Please share your thoughts/comments.

On Tue, Jan 31, 2017 at 10:19 AM, Nico Kadel-Garcia wrote:
> On Mon, Jan 30, 2017 at 1:02 PM, Sudarshan Soma wrote:
> > Hi,
> > I am trying to give access to sshd port 22 to connect to different port
> > 1023 by differentiating with special user, customuser. Following is how I
> > tried, but it doesn't work, please suggest.
>
> The easiest way to do this is, typically, to run a *separate* sshd on
> port 1023 with the characteristics set to allow *only* that alternative
> user access. Take a look at setting up another daemon with another
> "sshd_config" file to do this. That way, you can leave your internal
> default SSH the heck alone and block it at your firewalls as
> appropriate.
>
> >
> > outside, user issues command
> > ssh customuser@ip, it fails
> >
> >
> > inside sshd_config, I wrote the following:
> >
> >
> > Match user customuser
> > ForceCommand . /etc/myscript
> >
> > inside myscript, I do the following:
> > read -p "Username: " RUSER
> > ssh $RUSER@127.0.0.1 -p 1023
> >
> >
> >
> > with this setting, I find these:
> >
> > If I run sshd in debug mode, password is asked in the server window, prints
> > go to client window:
> >
> > server terminal:
> > sshd -d -f /etc/ssh/sshd_config -h /etc/ssh/ssh_key
> >
> > Starting session: forced-command (config) '. /etc/myscript' on pts/3 for
> > customuser from 10.102.12.12 port 41622
> > admin@127.0.0.1's password:
> >
> >
> > client terminal:
> > ssh customuser@10.220.167.18
> > Username: admin
> >
> >
> > If I run sshd in non-interactive mode:
> > it doesn't ask for password at all
> >
> > server logs:
> >
> > Jan 30 17:22:18 Linux auth.info sshd[5229]: WARNING: /usr/local/etc/moduli
> > does not exist, using fixed modulus
> > Jan 30 17:22:18 Linux auth.err sshd[5229]: error: Could not get shadow
> > information for customuser
> > Jan 30 17:22:18 Linux auth.info sshd[5229]: Accepted none for customuser
> > from 10.220.82.17 port 41645 ssh2
> > Jan 30 17:22:18 Linux auth.info sshd[5230]: lastlog_openseek: Couldn't stat
> > /var/log/lastlog: No such file or directory
> > Jan 30 17:22:18 Linux auth.info sshd[5230]: lastlog_openseek: Couldn't stat
> > /var/log/lastlog: No such file or directory
> >
> >
> > client logs:
> >
> > ssh customuser@10.220.167.184
> > Username: admin
> > Permission denied, please try again.
> > Permission denied, please try again.
> > Permission denied (publickey,password).
> > Connection to 10.220.167.184 closed.
>

From dtucker at zip.com.au Tue Jan 31 16:23:01 2017
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 31 Jan 2017 16:23:01 +1100
Subject: sshd custom shell script for specific user
In-Reply-To:
References:
Message-ID:

On Tue, Jan 31, 2017 at 3:55 PM, Sudarshan Soma wrote:
> Thanks Darren, the intention of doing this:
> allow users to access my own shell/CLI (including authentication) on port 22.
> Their firewall settings don't allow anything other than port 22, so I would
> internally redirect to port 1023 when customuser is provided.

If the clients are openssh you could use it in "stdio forwarding" mode
to establish an end-to-end connection to the sshd on port 1023. You'd
configure the server something like this in the main sshd's config:

Match user customuser
    MaxSessions 0
    PermitOpen localhost:1023

then in the client's config

Host yourapplication
    ProxyCommand ssh -W localhost:1023 customuser@yourgateway

which should allow "ssh admin@yourapplication" to work.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From sanumesh at in.ibm.com Tue Jan 31 17:14:31 2017
From: sanumesh at in.ibm.com (Sandeep Umesh)
Date: Tue, 31 Jan 2017 11:44:31 +0530
Subject: How to track vulnerability fixes
Message-ID:

Hi,

In the 7.3 release notes: https://www.openssh.com/txt/release-7.3

We have 5 security-related fixes; however, a CVE # has been assigned to only
2 of them (CVE-2016-6210 and CVE-2015-8325). Does that mean the other 3 are
not security-related fixes?

When does a security fix qualify to be assigned a CVE #?

Thanks
Regards
Sandeep

From ilesterg at archlinux.info Tue Jan 31 20:19:36 2017
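Returning to Darren Tucker's stdio-forwarding suggestion above: the Match block he posts makes customuser a forward-only account, and the practical follow-up question is what else that account can still do once it has authenticated to the gateway sshd. The following is an added example, not OpenSSH code and not from anyone in this thread. It evaluates a small subset of sshd_config(5) (global keywords, `Match user <pattern>`, `Match all`) using sshd's precedence rules, namely that a matching Match block overrides the global section and that when several Match blocks match, the first value obtained for a keyword wins, and then audits the effective settings for a forwarding-only account. Both sample configurations are constructed for the example: the first is the block from the thread with nothing else tightened; the second adds the keywords a practitioner would usually pair with it (`AllowTcpForwarding local`, `AllowAgentForwarding no`, `AllowStreamLocalForwarding no`, `X11Forwarding no`, `PermitTunnel no`), all of which are real sshd_config keywords permitted inside Match. The values in `DEFAULTS` are the documented sshd_config(5) defaults; other Match criteria, `Include`, and the accumulation of repeated `PermitOpen` lines are outside this subset.

```python
"""Resolve the sshd_config that applies to one user and audit a forward-only account.

Added example, not OpenSSH code.  Subset of sshd_config(5): global keywords,
"Match user <pattern>[,<pattern>...]" and "Match all", with sshd's precedence
(a matching Match block overrides the global section; first matching block wins).
"""
from fnmatch import fnmatchcase
import shlex

# sshd_config(5) defaults for the keywords the audit inspects.
DEFAULTS = {
    "maxsessions": ["10"],
    "allowtcpforwarding": ["yes"],
    "permitopen": ["any"],
    "x11forwarding": ["no"],
    "allowagentforwarding": ["yes"],
    "allowstreamlocalforwarding": ["yes"],
    "permittunnel": ["no"],
}

# Constructed sample: the Match block from the thread, nothing else tightened.
WEAK_CONFIG = """\
X11Forwarding yes
Match user customuser
    MaxSessions 0
    PermitOpen localhost:1023
"""

# Constructed sample: same block, with the channel types the account does not need switched off.
HARDENED_CONFIG = """\
X11Forwarding yes
Match user customuser
    MaxSessions 0
    PermitOpen localhost:1023
    AllowTcpForwarding local
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    X11Forwarding no
    PermitTunnel no
"""


def parse(text):
    """Split a config into (global_settings, [(match_criteria, settings), ...])."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = shlex.split(line)
        keyword = keyword.lower()
        if keyword == "match":
            current = {}
            blocks.append((args, current))
            continue
        target = global_settings if current is None else current
        target.setdefault(keyword, args)  # within a section the first occurrence wins
    return global_settings, blocks


def block_matches(criteria, user):
    """Evaluate one Match line for `user`; every criterion must be satisfied."""
    if [c.lower() for c in criteria] == ["all"]:
        return True
    for key, patterns in zip(criteria[::2], criteria[1::2]):
        if key.lower() != "user":
            raise ValueError("Match criterion not supported by this example: %s" % key)
        if not any(fnmatchcase(user, p) for p in patterns.split(",")):  # sshd's * and ? wildcards
            return False
    return True


def effective(text, user):
    """Return the keyword -> args mapping sshd would apply to `user`."""
    global_settings, blocks = parse(text)
    overrides = {}
    for criteria, settings in blocks:
        if block_matches(criteria, user):
            for keyword, args in settings.items():
                overrides.setdefault(keyword, args)  # first matching block wins
    result = dict(DEFAULTS)
    result.update(global_settings)  # global section overrides built-in defaults
    result.update(overrides)        # Match blocks override the global section
    return result


def audit_gateway_account(text, user):
    """List what a forward-only account can still do beyond its PermitOpen target."""
    eff = effective(text, user)
    val = lambda keyword: " ".join(eff[keyword]).lower()
    findings = []
    if val("maxsessions") != "0":
        findings.append("MaxSessions %s: shell and exec sessions are still possible" % val("maxsessions"))
    if val("allowtcpforwarding") not in ("yes", "local"):
        findings.append("AllowTcpForwarding %s: 'ssh -W' to the inner sshd would be refused" % val("allowtcpforwarding"))
    if "any" in (a.lower() for a in eff["permitopen"]):
        findings.append("PermitOpen any: anything reachable from the gateway can be forwarded")
    for keyword, label in (("x11forwarding", "X11Forwarding"),
                           ("allowagentforwarding", "AllowAgentForwarding"),
                           ("allowstreamlocalforwarding", "AllowStreamLocalForwarding"),
                           ("permittunnel", "PermitTunnel")):
        if val(keyword) != "no":
            findings.append("%s %s: not needed by a forward-only account" % (label, val(keyword)))
    return findings
```

`audit_gateway_account(WEAK_CONFIG, "customuser")` reports the X11, agent and Unix-socket forwarding that the posted block leaves enabled, while the hardened variant comes back clean; `effective(WEAK_CONFIG, "admin")` shows that the restrictions do not apply to any other account. On a real gateway the authoritative equivalent is `sshd -T -C user=customuser,host=<client name>,addr=<client address>`, which prints the configuration sshd would apply after Match processing; the evaluator above is only for working through the precedence rules offline.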
From: ilesterg at archlinux.info (Lester Guerzon)
Date: Tue, 31 Jan 2017 17:19:36 +0800
Subject: 2661 | ssh-client | Request for an informational output to user instead of just password prompt
Message-ID: <708f43ec14b4fcc3f6bafcdf6b0f2277@archlinux.info>

Good day!

Request: More informational error/warning/info text displayed to the user
instead of being dropped at the password prompt.

Notes from testing:
Affected openssh version - All tested (ex. 7.2p2, OpenSSH_5.3p1)
Affected OS - All tested (OpenSUSE Leap 42.2, Arch Linux, SLES 11 SP4, HP/UX)
Hence, submitting this upstream.

Concern: When a private key (ex. key1) is used and there's a public key with
the same file name + pub extension (ex. key1.pub) in the same directory, the
automatic login will fail and will drop the user to the password prompt.

Sample openssh version:

santi@osuse:~> rpm -qi openssh
Name        : openssh
Version     : 7.2p2
Release     : 6.1
Architecture: x86_64
Install Date: Wed 04 Jan 2017 10:01:31 AM PHT
Group       : Productivity/Networking/SSH
Size        : 5576705
License     : BSD-2-Clause and MIT
Signature   : RSA/SHA256, Tue 18 Oct 2016 09:01:48 PM PHT, Key ID b88b2fd43dbdc284
Source RPM  : openssh-7.2p2-6.1.src.rpm
Build Date  : Tue 18 Oct 2016 09:01:15 PM PHT
Build Host  : cloud103
Relocations : (not relocatable)
Packager    : http://bugs.opensuse.org
Vendor      : openSUSE
URL         : http://www.openssh.com/
Summary     : Secure Shell Client and Server (Remote Login Program)
Description :
SSH (Secure Shell) is a program for logging into and executing commands on a
remote machine. It is intended to replace rsh (rlogin and rsh) and provides
openssl (secure encrypted communication) between two untrusted hosts over an
insecure network. xorg-x11 (X Window System) connections and arbitrary TCP/IP
ports can also be forwarded over the secure channel.
Distribution: openSUSE Leap 42.2
santi@osuse:~>

Observation: Output will display the key as type 1 (debug1) and an address in debug2.

debug1: identity file key1 type 1
..
debug2: key: key1 (0x55c14718c180), explicit

-- 
Regards,
Lester.

From doug at commodityvectors.com Tue Jan 31 22:35:21 2017
From: doug at commodityvectors.com (Douglas Temple)
Date: Tue, 31 Jan 2017 11:35:21 +0000
Subject: [PATCH] Function to dump revoked keys from KRL
Message-ID:

Hello,

I am currently using the KRL functionality of OpenSSH, and have written a
convenience function for getting the set of revoked keys (in whatever format
they have been stored) in the KRL. The patch, with the openssh-portable
commit ID b109ce92aae0ca0376dce9513d953be60e449ae1 as the reference, is
inline because I'm not sure if the list server accepts the x-patch MIME type
(so apologies for the long email).

I would be happy to modify this if there are standards that I have failed to
follow. This is my first time contributing to an OpenBSD project, so things
may not be completely up to scratch on my end. I would also be happy to
answer any questions about this.

Thanks,
Doug

diff --git a/krl.c b/krl.c index e271a193..9fa03e68 100644 --- a/krl.c +++ b/krl.c @@ -28,6 +28,7 @@ #include #include #include +#include #include "sshbuf.h" #include "ssherr.h" @@ -37,6 +38,7 @@ #include "log.h" #include "digest.h" #include "bitmap.h" +#include "uuencode.h" #include "krl.h" 
@@ -185,6 +187,50 @@ ssh_krl_free(struct ssh_krl *krl) } void +ssh_krl_dump(struct ssh_krl *krl) +{ + struct revoked_certs *rc, *trc; + struct revoked_key_id *rki, *tki; + struct revoked_serial *rs, *trs; + struct revoked_blob *rb, *trb; + struct sshbuf *sect; + int retval; + + if (krl == NULL) + return; + + TAILQ_FOREACH_SAFE(rc, &krl->revoked_certs, entry, trc) { + RB_FOREACH_SAFE(rki, revoked_key_id_tree, &rc->revoked_key_ids, tki) { + KRL_DBG(("%s: Key ID %s", __func__, rki->key_id)); + printf("Key ID: %s\n", rki->key_id); + } + RB_FOREACH_SAFE(rs, revoked_serial_tree, &rc->revoked_serials, trs) { + KRL_DBG(("%s: serial range %zu-%zu\n", __func__, rs->lo, rs->hi)); + if(rs->lo == rs->hi) { + printf("Serial Number: %zu\n", rs->lo); + } + else { + printf("Serial Range: %zu-%zu\n", rs->lo, rs->hi); + } + } + } + if ((sect = sshbuf_new()) == NULL) + fatal("Error allocating buffer"); + RB_FOREACH_SAFE(rb, revoked_blob_tree, &krl->revoked_sha1s, trb) { + retval = 0; + /* binary -> base64 will always be less than twice the size of the binary repr */ + retval = uuencode(rb->blob, rb->len, sshbuf_mutable_ptr(sect), 2 * rb->len); + if (retval == -1) { + fatal("Error encoding SHA1 blob"); + } + KRL_DBG(("%s: SHA1 %s\n", __func__, rb->blob)); + printf("SHA1 Digest: %s\n", sshbuf_ptr(sect)); + sshbuf_reset(sect); + } + sshbuf_free(sect); +} + +void ssh_krl_set_version(struct ssh_krl *krl, u_int64_t version) { krl->krl_version = version; diff --git a/krl.h b/krl.h index 675496cc..bf5b7e3f 100644 --- a/krl.h +++ b/krl.h @@ -59,6 +59,7 @@ int ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, const struct sshkey **sign_ca_keys, size_t nsign_ca_keys); int ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key); int ssh_krl_file_contains_key(const char *path, const struct sshkey *key); +void ssh_krl_dump(struct ssh_krl *krl); #endif /* _KRL_H */ diff --git a/ssh-keygen.1 b/ssh-keygen.1 index ce2213c7..17c873d5 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 
@@ -134,7 +134,7 @@ .Nm ssh-keygen .Fl Q .Fl f Ar krl_file -.Ar +.Op Ar .Ek .Sh DESCRIPTION .Nm @@ -494,7 +494,7 @@ The program will prompt for the file containing the private key, for the old passphrase, and twice for the new passphrase. .It Fl Q -Test whether keys have been revoked in a KRL. +Test whether keys have been revoked, or display all revoked keys stored, in a KRL. .It Fl q Silence .Nm ssh-keygen . @@ -793,6 +793,8 @@ then .Nm will exit with a non-zero exit status. A zero exit status will only be returned if no key was revoked. +If no keys are provided, then all revoked keys stored in the KRL are printed. +The format of the output depends on how each of the revoked keys were stored. .Sh FILES .Bl -tag -width Ds -compact .It Pa ~/.ssh/identity diff --git a/ssh-keygen.c b/ssh-keygen.c index 2a7939bf..233f7025 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -2199,6 +2199,9 @@ do_check_krl(struct passwd *pw, int argc, char **argv) sshkey_free(k); free(comment); } + if (argc == 0) { + ssh_krl_dump(krl); + } ssh_krl_free(krl); exit(ret); }
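Review bot: in the krl.c hunk that adds ssh_krl_dump(), only krl->revoked_sha1s is walked, so keys revoked by explicit blob (the revoked_keys tree that ssh_krl_revoke_key_explicit() fills) are never printed, although the ssh-keygen.1 change promises that all revoked keys are listed; add a second loop over krl->revoked_keys (sshkey_from_blob() followed by sshkey_fingerprint() gives a readable form). In the same hunk, `KRL_DBG(("%s: SHA1 %s\n", __func__, rb->blob));` hands the raw 20-byte digest to %s, which is not NUL-terminated and so reads past the blob; log the base64 string instead. uuencode() is told it may write 2 * rb->len bytes at sshbuf_mutable_ptr(sect), but nothing was ever reserved in the freshly created buffer, so the write only fits by accident; use sshbuf_reserve() or a fixed-size char array so the length bound matches space that actually belongs to the caller. rs->lo and rs->hi are u_int64_t, so `%zu` is wrong on 32-bit targets; use %llu with (unsigned long long) casts, as OpenSSH does elsewhere. The key ID and serial output drops rc->ca_key, so with more than one CA section the reader cannot tell which CA a serial belongs to; print the CA fingerprint before each section. Smaller points: fatal() inside krl.c turns a listing failure into process exit where the other functions in this file report failures through return codes; the _SAFE iterator variants are unnecessary since nothing is removed during traversal; `if(rs->lo == rs->hi) {` wants a space after if, and the else belongs on the closing brace line as `} else {` per style(9).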
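Review bot: the new `-Q` description in the ssh-keygen.1 hunk, "Test whether keys have been revoked, or display all revoked keys stored, in a KRL.", is hard to parse; something like "Test whether keys have been revoked in a KRL, or, when no keys are given, list the contents of the KRL." reads better, and "contents" is more accurate than "all revoked keys", since certificate revocations are stored as key IDs and serial ranges rather than as keys.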
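Review bot: the two sentences added after "A zero exit status will only be returned if no key was revoked." in the ssh-keygen.1 hunk leave the exit status of the listing mode undocumented; as posted nothing sets `ret` on that path, so state explicitly that listing exits zero. "how each of the revoked keys were stored" should be "was stored", and it would help scripts to enumerate the forms the output takes (Key ID, Serial Number, Serial Range, SHA1 Digest) rather than saying only that the format varies.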
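Review bot: in the ssh-keygen.c hunk, `if (argc == 0) {` puts braces around a single statement, which the surrounding code (OpenBSD style(9)) omits; `if (argc == 0)` followed by the indented `ssh_krl_dump(krl);` is the house style. Consider also testing argc == 0 before the for loop over argv rather than after it, so the listing reads as a separate mode instead of a fall-through after a zero-iteration loop.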