From djm at mindrot.org Fri Nov 12 14:06:18 1999
From: djm at mindrot.org (Damien Miller)
Date: Fri, 12 Nov 1999 14:06:18 +1100 (EST)
Subject: test
Message-ID:

testing 1..2..3..

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From torake at hotmail.com Sat Nov 13 02:43:00 1999
From: torake at hotmail.com (Tor-Ake Fransson)
Date: Fri, 12 Nov 1999 15:43:00 GMT
Subject: AIX 4.3.2 Patch -- quick&dirty
Message-ID: <19991112154300.34492.qmail@hotmail.com>

Hi all, I have just joined the list.

I compiled openssh-1.2-pre11 on AIX 4.3.2 just now. The quick and dirty patch is attached as reference.

It works, to the extent of letting root in, with the identity.pub->authorized_keys scheme (RSA Authentication). Since we use DCE for authentication on this system, I cannot test much else. :/

What I know is broken offhand is this:
 - lastlog/utmp/wtmp support
 - scp progress indication

Other notes: GNU make, egcs-1.1.2, openssl-0.9.4, AIX diff

Best Regards,
//Tor-Åke Fransson

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-1.2pre11-linux-aix.diff.gz
Type: application/octet-stream
Size: 2275 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991112/2c1cf5b9/attachment.obj

From provos at citi.umich.edu Mon Nov 15 12:16:09 1999
From: provos at citi.umich.edu (Niels Provos)
Date: Sun, 14 Nov 1999 20:16:09 -0500
Subject: agenda
Message-ID: <199911150116.UAA30421@india.citi.umich.edu>

Hi,

what is the agenda of this list? I was surprised to find out about an OpenSSH developers mailing list without the developers of OpenSSH knowing about this.

Strange,
Niels.

From damien at ibs.com.au Mon Nov 15 13:15:35 1999
From: damien at ibs.com.au (Damien Miller)
Date: Mon, 15 Nov 1999 13:15:35 +1100
Subject: agenda
References: <199911150116.UAA30421@india.citi.umich.edu>
Message-ID: <382F6CC7.37EEBA83@ibs.com.au>

Niels Provos wrote:
>
> Hi,
>
> what is the agenda of this list? I was surprised to find out about an
> OpenSSH developers mailing list without the developers of OpenSSH
> knowing about this.

Just to discuss patches to extend portability to other Unices. I should make this more clear in the documentation.

Regards,
Damien Miller

From damien at ibs.com.au Mon Nov 15 13:16:41 1999
From: damien at ibs.com.au (Damien Miller)
Date: Mon, 15 Nov 1999 13:16:41 +1100
Subject: agenda
References: <199911150116.UAA30421@india.citi.umich.edu>
Message-ID: <382F6D09.4A8CC119@ibs.com.au>

Niels Provos wrote:
>
> Hi,
>
> what is the agenda of this list? I was surprised to find out about an
> OpenSSH developers mailing list without the developers of OpenSSH
> knowing about this.

OK the README now states:

  There is now a mailing list for this port of OpenSSH. To subscribe, send a message consisting of the word 'SUBSCRIBE' to openssh-unix-dev-request at mindrot.org.

  This mailing list is intended for developers who wish to improve on this port or extend it to other Unices.

No offense or exclusionary behaviour intended.

Regards,
Damien Miller

From damien at ibs.com.au Mon Nov 15 17:43:32 1999
From: damien at ibs.com.au (Damien Miller)
Date: Mon, 15 Nov 1999 17:43:32 +1100
Subject: ANNOUNCE: openssh-1.2pre12
Message-ID: <382FAB94.4165B037@ibs.com.au>

openssh-1.2pre12 is available at http://violet.ibs.com.au/openssh/

Changes:
 - Merged many OpenBSD changes
 - Cleanup of askpass support
 - More Solaris support
 - Shadow password support
 - Build fixes
 - RPM spec file fixes
 - RPM init script fixes

Detailed changelog:

19991115
 - Merged OpenBSD CVS changes:
   - [ssh-add.c] change passphrase loop logic and remove ref to $DISPLAY, ok niels
 - Changes to ssh-add.c broke askpass support. Revised it to be a little more modular.
 - Revised autoconf support for enabling/disabling askpass support.
 - Merged more OpenBSD CVS changes:
   [auth-krb4.c]
   - disconnect if getpeername() fails
   - missing xfree(*client)
   [canohost.c]
   - disconnect if getpeername() fails
   - fix comment: we _do_ disconnect if ip-options are set
   [sshd.c]
   - disconnect if getpeername() fails
   - move checking of remote port to central place
   [auth-rhosts.c] move checking of remote port to central place
   [log-server.c] avoid extra fd per sshd, from millert@
   [readconf.c] print _all_ bad config-options in ssh(1), too
   [readconf.h] print _all_ bad config-options in ssh(1), too
   [ssh.c] print _all_ bad config-options in ssh(1), too
   [sshconnect.c] disconnect if getpeername() fails
 - OpenBSD's changes to sshd.c broke the PAM stuff, re-merged it.
 - Various small cleanups to bring diff (against OpenBSD) size down.
 - Merged more Solaris compatibility from Marc G. Fournier
 - Wrote autoconf tests for __progname symbol
 - RPM spec file fixes from Jim Knoble

19991114
 - Solaris compilation fixes (still incomplete)

19991113
 - Build patch from Niels Kristian Bech Jensen
   - Don't install config files if they already exist
   - Fix inclusion of additional preprocessor directives from acconfig.h
   - Removed redundant inclusions of config.h
 - Added 'Obsoletes' lines to RPM spec file
 - Merged OpenBSD CVS changes:
   - [bufaux.c] save a few malloc/memcpy/memset/free's, ok niels
   - [scp.c] fix overflow reported by damien at ibs.com.au: off_t totalsize, ok niels,aaron
 - Delay fork (-f option) in ssh until after port forwarded connections have been initialised. Patch from Jani Hakala
 - Added shadow password patch from Thomas Neumann
 - Added ifdefs to auth-passwd.c to exclude it when PAM is enabled
 - Tidied default config file some more
 - Revised Redhat initscript to fix bug: sshd (re)start would fail if executed from inside a ssh login.

Regards,
Damien Miller

From mhw at wittsend.com Tue Nov 16 02:55:30 1999
From: mhw at wittsend.com (Michael H. Warfield)
Date: Mon, 15 Nov 1999 10:55:30 -0500
Subject: Upgrading from ssh to openssh (1.2pre12)...
Message-ID: <19991115105530.D12683@alcove.wittsend.com>

Hello all,

I've just tried my first attempt at migrating from ssh (1.2.27) to openssh. I got 1.2pre12 to compile and install from the source RPMs. Just ran into one royal pain of a problem. Sshd won't start! It doesn't seem to like my old host keys.

I get the following error in syslog:

Nov 15 10:45:38 alcove sshd[21731]: fatal: cipher_set_key: unknown cipher: 1

It does start up if I generate new keys for the host, but then all of the clients that connect are going to bitch to high heavens that the host key has changed and may not be connecting to who they think they are.

Now... What's wrong and how do I fix it? The logistics of blowing away everybody's ssh_known_hosts files for hosts and individuals makes regenerating keys impractical. Potentially, the number of hosts which would end up with new host keys is several dozen. The number of individuals who would have the subsequent "host key has changed" error inflicted upon them could be several hundred.

I couldn't find anything in any of the readme files regarding migration problems or solutions.

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

From provos at citi.umich.edu Tue Nov 16 02:11:49 1999
From: provos at citi.umich.edu (Niels Provos)
Date: Mon, 15 Nov 1999 10:11:49 -0500
Subject: Upgrading from ssh to openssh (1.2pre12)...
In-Reply-To: "Michael H. Warfield", Mon, 15 Nov 1999 10:55:30 EST
Message-ID: <199911151511.KAA27273@india.citi.umich.edu>

In message <19991115105530.D12683 at alcove.wittsend.com>, "Michael H. Warfield" writes:
>Nov 15 10:45:38 alcove sshd[21731]: fatal: cipher_set_key: unknown cipher: 1

We do not use IDEA in OpenSSH anymore, it is patented in most countries. Your private key is encrypted with it, change the passphrase with the old ssh to nothing, then change the passphrase with OpenSSH to something new, that should get you going along.

Niels.

From mhw at wittsend.com Tue Nov 16 03:23:51 1999
From: mhw at wittsend.com (Michael H. Warfield)
Date: Mon, 15 Nov 1999 11:23:51 -0500
Subject: Upgrading from ssh to openssh (1.2pre12)... Solved...
In-Reply-To: <19991115105530.D12683@alcove.wittsend.com>
References: <19991115105530.D12683@alcove.wittsend.com>
Message-ID: <19991115112351.E12683@alcove.wittsend.com>

Never mind... Solved the problem myself...

On Mon, Nov 15, 1999 at 10:55:30AM -0500, Michael H. Warfield wrote:
> Hello all,
>
> I've just tried my first attempt at migrating from ssh (1.2.27)
> to openssh. I got 1.2pre12 to compile and install from the source RPMs.
> Just ran into one royal pain of a problem. Sshd won't start! It doesn't
> seem to like my old host keys.
>
> I get the following error in syslog:
>
> Nov 15 10:45:38 alcove sshd[21731]: fatal: cipher_set_key: unknown cipher: 1

Problem was that the host key was encrypted with idea (old method) and idea isn't supported at this time in openssh.

> Now... What's wrong and how do I fix it? The logistics of blowing
> away everybody's ssh_known_hosts files for hosts and individuals makes
> regenerating keys impractical. Potentially, the number of hosts which would
> end up with new host keys is several dozen. The number of individuals
> who would have the subsequent "host key has changed" error inflicted
> upon them could be several hundred.

The key in question was pre 1.2.8 (yes, I've worked with ssh back that far - that's why you find me listed in the README.Ylonen file in "ACKNOWLEDGEMENTS"). I just had to run the OLD ssh-keygen with the -u option to update the key from idea encryption to 3des encryption. Fortunately, the old ssh-keygen program was still sitting in /usr/local/bin and hadn't been clobbered when I installed from the RPMs. :-)

The old key was working fine with ssh 1.2.27 because it had idea support compiled in, even though all new keys since 1.2.8 were encrypted with 3des.

> I couldn't find anything in any of the readme files regarding
> migration problems or solutions.

You might want to note this little "gotcha" in the README files. The rpm upgrade prep process should also probably check for ssh_* and sshd_* files in /etc/ instead of /etc/ssh/ to help ease the upgrade pain.

The new ssh-keygen also can not upgrade the keys because it also does not support idea! If you experience the misfortune of blowing away the old ssh-keygen program, you will have to go back to ssh-1.2.27 and rebuild an ssh-keygen binary from that in order to upgrade the key.

Would it be too much to ask or too much of a patent violation to add the ability to decrypt the old files for purposes of upgrading? No encryption, just decrypt idea in ssh-keygen would be nice. That could, at least, avoid the catch-22 with really old keys.

Now I just have to write a magic script to run around running "ssh-keygen -u" for the host keys on all my servers, before beginning the openssh upgrade process. Sigh... User identity files are going to be another matter, but I don't think that there are too many of them that predate 1.2.8, fortunately... :-)

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

From mhw at wittsend.com Tue Nov 16 03:32:48 1999
From: mhw at wittsend.com (Michael H. Warfield)
Date: Mon, 15 Nov 1999 11:32:48 -0500
Subject: Upgrading from ssh to openssh (1.2pre12)...
In-Reply-To: <199911151511.KAA27273@india.citi.umich.edu>
References: <199911151511.KAA27273@india.citi.umich.edu>
Message-ID: <19991115113248.F12683@alcove.wittsend.com>

On Mon, Nov 15, 1999 at 10:11:49AM -0500, Niels Provos wrote:
> In message <19991115105530.D12683 at alcove.wittsend.com>, "Michael H. Warfield" writes:
> >Nov 15 10:45:38 alcove sshd[21731]: fatal: cipher_set_key: unknown cipher: 1
>
> We do not use IDEA in OpenSSH anymore, it is patented in most
> countries. Your private key is encrypted with it, change the
> passphrase with the old ssh to nothing, then change the passphrase with
> OpenSSH to something new, that should get you going along.

Actually, it's not necessary to go to quite that much trouble. The key to the problem was in a remark I saw in Tatu's ChangeLog around 1.8 about the key format change. You merely have to run the 1.2.27 ssh-keygen program with the -u option to update the encryption from idea to 3des. Tatu recognized the problem a long time ago, changed the default encryption, and added the -u option.

I've just got a lot of servers that do go back that far and have host keys (which don't have passwords anyway, BTW) which are still encrypted with idea. I've just got to march through the lot with a script to make sure they are all up to date before I update ssh. Some of them would result in a loss of ability to update them (gee, I updated ssh and can no longer access that server in that other country).

> Niels.

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

From djm at mindrot.org Tue Nov 16 08:02:00 1999
From: djm at mindrot.org (Damien Miller)
Date: Tue, 16 Nov 1999 08:02:00 +1100 (EST)
Subject: UPGRADING text
Message-ID:

Thanks to Michael H. Warfield for reminding me of the need for upgrade instructions. The following text will be included in the UPGRADING file in the next release:

Niels & Markus - have I missed anything? Feel free to adapt this for your own purposes if you so desire.

Regards,
Damien Miller

----------

OpenSSH is almost completely compatible with the commercial SSH 1.2.x. There are, however, a few exceptions that you will need to bear in mind while upgrading:

1. OpenSSH does not support any patented transport algorithms. Only 3DES and Blowfish can be selected.

   This difference may manifest itself in the ssh command refusing to read its config files.

   Solution: Edit ssh_config and select a different "Cipher" option ("3des" or "blowfish"). "3des" is the default and is considered the most secure, "blowfish" is significantly faster.

2. Old versions of commercial SSH encrypt host keys with IDEA

   The old versions of SSH used a patented algorithm to encrypt their ssh_host_key files. This problem will manifest as sshd not being able to read its host key.

   Solution: You will need to run the *commercial* version of ssh-keygen over the host's private key:

   ssh-keygen -u /path/to/ssh_host_key

3. Incompatible changes to sshd_config format.

   OpenSSH extends the sshd_config file format in a number of ways. There is currently one change which is incompatible.

   Commercial SSH controlled logging using the "QuietMode" and "FascistLogging" directives. OpenSSH introduces a more general set of logging options "SyslogFacility" and "LogLevel". See the sshd manual page for details.

----------
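The following is an added example for the host-key case in item 2 and for the "march through the lot with a script" step Michael describes earlier in the thread; it is editor's code, not part of the UPGRADING text or of the OpenSSH distribution. It reads only the unencrypted header of an SSH1 private key file and reports which cipher protects the private section, so IDEA-encrypted keys (cipher type 1, the number in the "cipher_set_key: unknown cipher: 1" error) can be listed and converted with the commercial ssh-keygen -u before sshd is switched over. The layout (magic string, cipher byte, reserved word, public bits/n/e, comment) and the cipher numbering are those of the SSH1 key file format as I know it; the set of ciphers this port accepts for key files is an assumption marked in the code, and the blobs built by make_sample_key are constructed for the demonstration and contain no real private key.

```python
"""Find SSH1 private keys that OpenSSH cannot read because of their cipher type.

Added example (editor's code; not from OpenSSH or the UPGRADING text).
Only the unencrypted header is parsed: magic string, cipher byte, a
reserved word, the public key (bits, n, e) and the comment. That is
enough to tell whether the commercial ssh-keygen -u step is still needed.
"""
import struct
import sys

MAGIC = b"SSH PRIVATE KEY FILE FORMAT 1.1\n\x00"

# SSH1 cipher numbers; 1 is IDEA, the value in "cipher_set_key: unknown cipher: 1".
CIPHER_NAMES = {0: "none", 1: "idea", 2: "des", 3: "3des", 6: "blowfish"}
# Assumption: key-file ciphers this port accepts are none, 3DES and Blowfish.
OPENSSH_KEY_CIPHERS = {0, 3, 6}


def _get_mpint(buf, off):
    """SSH1 mp_int: 16-bit bit count, then the magnitude, big-endian."""
    (bits,) = struct.unpack(">H", buf[off:off + 2])
    nbytes = (bits + 7) // 8
    return int.from_bytes(buf[off + 2:off + 2 + nbytes], "big"), off + 2 + nbytes


def parse_ssh1_header(data):
    """Return cipher number/name, key size, modulus, exponent and comment."""
    if not data.startswith(MAGIC):
        raise ValueError("not an SSH1 private key file")
    try:
        off = len(MAGIC)
        cipher = data[off]
        off += 1 + 4                               # cipher byte + 4 reserved bytes
        (bits,) = struct.unpack(">I", data[off:off + 4])
        off += 4
        n, off = _get_mpint(data, off)
        e, off = _get_mpint(data, off)
        (clen,) = struct.unpack(">I", data[off:off + 4])
        comment = data[off + 4:off + 4 + clen].decode("latin-1")
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated SSH1 key header") from exc
    return {"cipher": cipher, "cipher_name": CIPHER_NAMES.get(cipher, "unknown"),
            "bits": bits, "n": n, "e": e, "comment": comment}


def needs_migration(data):
    """True when this port would reject the file; cipher 1 is the ssh-keygen -u case."""
    return parse_ssh1_header(data)["cipher"] not in OPENSSH_KEY_CIPHERS


def audit(named_blobs):
    """Return the names of the keys that must be converted before the upgrade."""
    return [name for name, blob in named_blobs if needs_migration(blob)]


def _mpint(value):
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def make_sample_key(cipher, comment=b"root@example"):
    """Constructed test blob: real header layout, toy 24-bit modulus, zeroed private section."""
    n, e = 0xC0FFEE, 0x10001
    head = MAGIC + bytes([cipher]) + b"\x00" * 4 + struct.pack(">I", n.bit_length())
    head += _mpint(n) + _mpint(e) + struct.pack(">I", len(comment)) + comment
    return head + b"\x00" * 32


if __name__ == "__main__":
    # Usage: python ssh1_key_audit.py /etc/ssh_host_key ~/.ssh/identity ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            info = parse_ssh1_header(fh.read())
        verdict = "needs ssh-keygen -u" if info["cipher"] == 1 else "ok"
        print(f"{path}: {info['bits']}-bit RSA, cipher {info['cipher_name']}, "
              f"comment {info['comment']!r}: {verdict}")
```

Run it over every ssh_host_key and identity file before the upgrade; a key reporting cipher "idea" is the one the old ssh-keygen -u must rewrite to 3DES while that binary is still installed, and a key reporting "none" is an unencrypted host key that needs no conversion at all.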
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From provos at citi.umich.edu Wed Nov 17 02:18:33 1999
From: provos at citi.umich.edu (Niels Provos)
Date: Tue, 16 Nov 1999 10:18:33 -0500
Subject: UPGRADING text
In-Reply-To: Damien Miller, Tue, 16 Nov 1999 08:02:00 +1100
Message-ID: <199911161518.KAA08575@india.citi.umich.edu>

In message , Damien Miller writes:
>Niels & Markus - have I missed anything? Feel free to adapt this for
>your own purposes if you so desire.

yes, the upgrading.txt is good information. We will probably use it for the FAQ.

Niels.

From gweeks at geocities.com Fri Nov 19 07:03:06 1999
From: gweeks at geocities.com (Greg Weeks)
Date: Thu, 18 Nov 1999 14:03:06 -0600 (CST)
Subject: problems on slackware
Message-ID:

It looks like there is a bit of a problem with slackware distributions. I've tried this on a 3.6 and a 4.0 install with the same results.

The first thing is the autoconf doesn't check for the sys/select.h file and it's not present on my systems. The autoconf for 1.2.26 does this check.

The second thing I bumped into is:

gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o servconf.o serverloop.o libssh.a -ldl -lz -lcrypto -L/usr/local/ssl/lib -lssl -lcrypto
sshd.o: In function `main':
/share/usr/src/openssh-1.2pre12/sshd.c:525: undefined reference to `daemon'
login.o: In function `record_login':
/share/usr/src/openssh-1.2pre12/login.c:92: undefined reference to `login'
make: *** [sshd] Error 1

I hope this is useful to someone. Unfortunately I'm NOT going to do any development work on this. Bug reporting is on the edge of where I'm willing to go.

Greg Weeks
--
http://durendal.tzo.com/greg/

From Marc.Haber-usenet-9910 at gmx.de Fri Nov 19 08:49:44 1999
From: Marc.Haber-usenet-9910 at gmx.de (Marc Haber)
Date: Thu, 18 Nov 1999 21:49:44 GMT
Subject: scp from 1.2pre12 buglet in progress bar
Message-ID:

Hi!

Look:

|mh at q[4/504]:/mnt/sd04-p7/masterbackup$ scp * torres.ka0.marc-haber.de:~mh/q/
|Enter passphrase for RSA key 'mh at q':
|raid0.tar.bz2 15% |**** | 99864 KB 00:00 ETA
|root.tar.bz 100% |*****************************| 5406 KB 00:00 ETA
|mh at q[7/507]:/mnt/sd04-p7/masterbackup$ ls -al `which scp`
|lrwxrwxrwx 1 root root 31 Nov 16 22:06 /usr/local/bin/scp -> ../stow/openssh1.2pre12/bin/scp*
|mh at q[8/508]:/mnt/sd04-p7/masterbackup$ ls -al
|total 105691
|drwxr-xr-x 2 root root 1024 Nov 18 21:38 ./
|drwxr-xr-x 20 root root 1024 Nov 18 21:27 ../
|-rw-r--r-- 1 root root 102260941 Nov 18 22:16 raid0.tar.bz2
|-rw-r--r-- 1 root root 5536719 Nov 18 21:32 root.tar.bz
|mh at q[9/509]:/mnt/sd04-p7/masterbackup$

The large file arrived intact. However, the progress bar stopped at 15 %. I didn't watch it, so I can't say if it ever exceeded the 15 % mark.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Karlsruhe, Germany | Beginning of Wisdom " | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
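As an added illustration (editor's reconstruction, not code from scp.c and not part of the report above): the 15 % figure and the two file sizes in the listing are consistent with a percentage computed as cursize * 100 / totalsize in 32-bit arithmetic, which was the width of off_t on Linux systems of the time. That width is an assumption and is marked as such in the code. The model below reproduces 15 % at completion for the 102260941-byte file and 100 % for the 5536719-byte one, and gives 100 % for both once the product is kept in 64 bits; the pre12 changelog item "fix overflow ... off_t totalsize" and the quad_t compile error reported later in this thread concern the width of the same arithmetic.

```python
"""Model of a progress-bar percentage computed with 32-bit versus 64-bit intermediates.

Added example (editor's analysis); not the progressmeter code from scp.c.
Assumption: the product cursize * 100 was evaluated in a 32-bit signed
type, as off_t was on the reporting platform.
"""

INT32_MAX = 2 ** 31 - 1

# Sizes from the ls listing in the report (constructed input for the demo).
REPORTED_FILES = {"raid0.tar.bz2": 102260941, "root.tar.bz": 5536719}


def wrap32(value):
    """Truncate a product to a signed 32-bit value, as the overflowed C multiplication does in practice."""
    value &= 0xFFFFFFFF
    return value - 2 ** 32 if value > INT32_MAX else value


def c_div(a, b):
    """Integer division truncating toward zero, matching C rather than Python's floor division."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def percent_32bit(cursize, totalsize):
    """ratio = cursize * 100 / totalsize with the product held in 32 bits."""
    return c_div(wrap32(cursize * 100), totalsize)


def percent_64bit(cursize, totalsize):
    """Same formula with a 64-bit (quad_t / int64_t) intermediate; no file size in range overflows."""
    return c_div(cursize * 100, totalsize)


def first_misreported_size():
    """Smallest byte count whose product with 100 no longer fits in a signed 32-bit int."""
    return INT32_MAX // 100 + 1


def compare_at_completion(sizes=REPORTED_FILES):
    """For each file, the percentage shown at cursize == totalsize under both widths."""
    return {name: (percent_32bit(size, size), percent_64bit(size, size))
            for name, size in sizes.items()}


if __name__ == "__main__":
    for name, (wrong, right) in compare_at_completion().items():
        print(f"{name}: 32-bit arithmetic shows {wrong}%, 64-bit shows {right}%")
    print(f"any file of {first_misreported_size()} bytes or more is affected")
```

The threshold function shows the bug is not specific to one file: any transfer above roughly 21 MB wraps the product, so a bar that stalls at an odd value on large files while small files reach 100 % is the signature to look for when retesting the fix.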
From provos at outguess.org Fri Nov 19 10:40:41 1999
From: provos at outguess.org (Niels Provos)
Date: Thu, 18 Nov 1999 18:40:41 -0500 (EST)
Subject: Fwd: Re: status of openssh for solaris?
Message-ID: <199911182340.SAA30225@india.citi.umich.edu>

From USENET, can somebody comment?

Newsgroups: comp.security.ssh
Subject: Re: status of openssh for solaris?
Date: 18 Nov 1999 18:31:47 -0500
Message-ID:

Reinier Post writes:

> It looks as if OpenSSH (http://www.openssh.com/) is available for
> Solaris. Can anybody comment on its maturity?

I dunno about that. It compiles on Solaris 2.6 but when I run it, it dies with:

    Couldn't open random pool "/tmp/random":
    Operation not supported on transport endpoint

when it tries to open the EGD socket.

I get a similar error on Digital Unix 4.0D:

    Couldn't open random pool "/tmp/random":
    Operation not supported on socket

Anyone have any clues for me?

--
Joel Gallun
http://www.tux.org/~joel

From drankin at bohemians.lexington.ky.us Fri Nov 19 12:06:38 1999
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Thu, 18 Nov 1999 20:06:38 -0500
Subject: Request for change in ssh-askpass location after pre12
Message-ID: <19991118200638.D9819@rumpole.bohemians.lexington.ky.us>

I've been working on a NetBSD package for openssh-1.2pre12, and I've noticed that Makefile.in installs ssh-askpass in $prefix/lib/ssh ($libdir) instead of $libexecdir/ssh. Since it is an executable, IMHO it should be in the latter spot. In the patch below, I've fixed this, as well as made ASKPASS_PROGRAM used during the install so that it's easier to maintain.

Thanks,
David

--- Makefile.in.orig Thu Nov 18 20:02:51 1999 +++ Makefile.in Thu Nov 18 20:04:42 1999 @@ -7,7 +7,7 @@ sysconfdir=@sysconfdir@ SSH_PROGRAM=@bindir@/ssh -ASKPASS_PROGRAM=@libdir@/ssh/ssh-askpass +ASKPASS_PROGRAM=@libexecdir@/ssh/ssh-askpass CC=@CC@ PATHS=-DETCDIR=\"$(sysconfdir)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DASKPASS_PROGRAM=\"$(ASKPASS_PROGRAM)\"
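Review bot: the new compiled-in default path is a silent behaviour change for anyone who built pre12, whose ssh-askpass sits under $(libdir)/ssh while a rebuilt ssh will now look under $(libexecdir)/ssh, and nothing in this hunk or the accompanying text records the move; suggest a line in the UPGRADING text being drafted in this thread, and a check of the RPM spec file (revised in the pre12 announcement) for any hard-coded copy of the old path. The PATHS line is unchanged and still passes the value through -DASKPASS_PROGRAM, so no further edit is needed in this hunk.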
@@ -81,12 +81,11 @@ ln -sf ssh.1 $(mandir)/man1/slogin.1 if [ "x at INSTALL_ASKPASS@" = "xyes" ] ; then \ - install -d $(libdir) ; \ - install -d $(libdir)/ssh ; \ + install -d $(libexecdir)/ssh ; \ if [ -z "@GNOME_ASKPASS@" ] ; then \ - install -m755 -c ssh-askpass $(libdir)/ssh/ssh-askpass; \ + install -m755 -c ssh-askpass ${ASKPASS_PROGRAM}; \ else \ - install -m755 -c gnome-ssh-askpass $(libdir)/ssh/ssh-askpass; \ + install -m755 -c gnome-ssh-askpass ${ASKPASS_PROGRAM}; \ fi ; \ fi

From torake at hotmail.com Fri Nov 19 20:32:39 1999
From: torake at hotmail.com (Tor-Ake Fransson)
Date: Fri, 19 Nov 1999 09:32:39 GMT
Subject: problems on slackware
Message-ID: <19991119093239.19055.qmail@hotmail.com>

Those are, afaik, glibc features. 'daemon()' and 'login()' do not exist on AIX 4.3.2 either, see my dirty patch from a few days ago.

I have been meaning to fix this in a proper way, but I am not yet sanctioned to work on it.

//T-Å
From torake at hotmail.com Fri Nov 19 20:39:16 1999
From: torake at hotmail.com (Tor-Ake Fransson)
Date: Fri, 19 Nov 1999 09:39:16 GMT
Subject: Fwd: Re: status of openssh for solaris?
Message-ID: <19991119093916.63891.qmail@hotmail.com>

Regarding /tmp/random:

Someone has made the same quick&dirty fix as my AIX compile fix, for a lack of /dev/urandom.

ssh expects some random bytes to be available in that file. I, or someone else, should probably create a more portable way of generating entropy. ;)

//Tor-Åke
From djm at mindrot.org Fri Nov 19 20:53:29 1999
From: djm at mindrot.org (Damien Miller)
Date: Fri, 19 Nov 1999 20:53:29 +1100 (EST)
Subject: problems on slackware
In-Reply-To: <19991119093239.19055.qmail@hotmail.com>
Message-ID:

On Fri, 19 Nov 1999, Tor-Ake Fransson wrote:

> Those are, afaik, glibc features. 'daemon()' and 'login()' do not
> exist on AIX 4.3.2 either, see my dirty patch from a few days ago.
>
> I have been meaning to fix this in a proper way, but I am not yet
> sanctioned to work on it.

A fix for this is in 1.2pre13 which should be out very soon. Autoconf now looks for daemon() in libc and libbsd, and failing that includes OpenBSD's own version (chosen because I can trust it and for license compatibility). Similar checks happen for login().

Regards,
Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Fri Nov 19 20:55:34 1999
From: djm at mindrot.org (Damien Miller)
Date: Fri, 19 Nov 1999 20:55:34 +1100 (EST)
Subject: Fwd: Re: status of openssh for solaris?
In-Reply-To: <19991119093916.63891.qmail@hotmail.com>
Message-ID:

On Fri, 19 Nov 1999, Tor-Ake Fransson wrote:

> Regarding /tmp/random:
>
> Someone has made the same quick&dirty fix as my AIX compile fix, for
> a lack of /dev/urandom.
>
> ssh expects some random bytes to be available in that file. I,
> or someone else, should probably create a more portable way of
> generating entropy. ;)

This one was my stupidity - EGD uses an AF_UNIX socket and not a named pipe, so simply open()ing the endpoint is not sufficient. This too is fixed in 1.2pre13.

The EGD code and operation on Solaris still need a lot of testing. Unfortunately I have to rely on other people to do that as I do not have access to a Solaris box.

Regards,
Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
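An added example (editor's code, not from OpenSSH or EGD) of the distinction Damien draws above: an EGD endpoint is an AF_UNIX socket, so open()ing the path fails with an error of the "operation not supported" kind while a socket()+connect() client reads from it normally. The block starts a tiny stand-in for EGD that answers only the blocking-read request (command byte 0x02 followed by a one-byte count, answered with that many bytes), which is the EGD wire format as I know it and is an assumption here; the socket path is a temporary file standing in for /tmp/random, and the bytes it hands out come from os.urandom, not from a real entropy daemon.

```python
"""Why open() fails on an EGD endpoint: it is an AF_UNIX socket, not a named pipe.

Added example (editor's code). A minimal stand-in daemon answers EGD's
blocking-read request (assumed format: 0x02 <count>, reply <count> bytes);
the client side shows the wrong approach (open) and the right one
(socket + connect) against the same path.
"""
import errno
import os
import socket
import tempfile
import threading

EGD_READ_BLOCKING = 0x02   # assumed EGD request code: read <count> bytes, block until available


def _recv_exact(conn, n):
    """Read exactly n bytes from a stream socket or raise if the peer closes early."""
    data = b""
    while len(data) < n:
        chunk = conn.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed before %d bytes arrived" % n)
        data += chunk
    return data


def _serve_one_request(listener):
    """Stand-in for EGD: accept one client, answer one blocking-read request, exit."""
    conn, _ = listener.accept()
    with conn:
        cmd, count = _recv_exact(conn, 2)           # two bytes unpack to two ints
        if cmd == EGD_READ_BLOCKING:
            conn.sendall(os.urandom(count))         # constructed entropy source for the demo
    listener.close()


def read_egd(path, count):
    """Correct client: connect to the Unix-domain socket and request count bytes."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(bytes([EGD_READ_BLOCKING, count]))
        return _recv_exact(sock, count)


def try_open_as_file(path):
    """The pre12 mistake: treat the endpoint like a pipe. Returns the errno name, or None if it worked."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    os.close(fd)
    return None


def demo(count=16):
    """Run the stand-in daemon on a temporary socket and exercise both client approaches."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "entropy")          # stands in for /tmp/random
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(path)
        listener.listen(1)
        worker = threading.Thread(target=_serve_one_request, args=(listener,))
        worker.start()
        open_error = try_open_as_file(path)
        entropy = read_egd(path, count)
        worker.join()
    return {"open_error": open_error, "entropy": entropy}


if __name__ == "__main__":
    result = demo()
    print("open() on the socket path failed with:", result["open_error"])
    print("socket()+connect() returned", len(result["entropy"]), "bytes")
```

On Linux the open() attempt fails with ENXIO and on the BSD-derived systems with EOPNOTSUPP, which is the "Operation not supported" wording in the two error reports forwarded earlier; either way the fix on the client side is the same.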
From djm at mindrot.org Fri Nov 19 21:06:01 1999
From: djm at mindrot.org (Damien Miller)
Date: Fri, 19 Nov 1999 21:06:01 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2pre13
Message-ID:

I have just uploaded 1.2pre13 to http://violet.ibs.com.au/openssh/

Important changes:
 - Fixes a single-byte buffer overrun in the PAM code.
 - Quite a bit more Solaris support. EGD should work now (please test).
 - Lots more autoconf options to enable Kerberos, AFS, TCP Wrappers and S/Key (all untested).
 - MD5 passwords for Slackware Linux and other non-PAM MD5 platforms.
 - Portability fixes, including replacements for BSD functions.
 - ssh-askpass now lives in ${libexecdir}. This makes a lot more sense.
 - Heaps of OpenBSD CVS changes merged.

Full changelog:

19991119
 - Merged PAM buffer overrun patch from Chip Salzenberg
 - Merged OpenBSD CVS changes
   - [auth-rhosts.c auth-rsa.c ssh-agent.c sshconnect.c sshd.c] more %d vs. %s in fmt-strings
   - [authfd.c] Integers should not be printed with %s
 - EGD uses a socket, not a named pipe. Duh.
 - Fix includes in fingerprint.c
 - Fix scp progress bar bug again.
 - Move scp from ${libdir}/ssh to ${libexecdir}/ssh at request of David Rankin
 - Added autoconf option to enable Kerberos 4 support (untested)
 - Added autoconf option to enable AFS support (untested)
 - Added autoconf option to enable S/Key support (untested)
 - Added autoconf option to enable TCP wrappers support (compiles OK)
 - Renamed BSD helper function files to bsd-*
 - Added tests for login and daemon and enable OpenBSD replacements for when they are absent.
 - Added non-PAM MD5 password support patch from Tudor Bosman

19991118
 - Merged OpenBSD CVS changes
   - [scp.c] foregroundproc() in scp
   - [sshconnect.h] include fingerprint.h
   - [sshd.c] bugfix: the log() for passwd-auth escaped during logging changes.
   - [ssh.1] Spell my name right.
 - Added openssh.com info to README

19991117
 - Merged OpenBSD CVS changes
   - [ChangeLog.Ylonen] no one needs this anymore
   - [authfd.c] close-on-exec for auth-socket, ok deraadt
   - [hostfile.c] in known_hosts key lookup the entry for the bits does not need to match, all the information is contained in n and e. This solves the problem with buggy servers announcing the wrong modulus length. markus and me.
   - [serverloop.c] bugfix: check for space if child has terminated, from: iedowse at maths.tcd.ie
   - [ssh-add.1 ssh-add.c ssh-keygen.1 ssh-keygen.c sshconnect.c] [fingerprint.c fingerprint.h] rsa key fingerprints, idea from Bjoern Groenvall
   - [ssh-agent.1] typo
   - [ssh.1] add OpenSSH information to AUTHOR section. okay markus@
   - [sshd.c] force logging to stderr while loading private key file (lost while converting to new log-levels)

19991116
 - Fix some Linux libc5 problems reported by Miles Wilson
 - Merged OpenBSD CVS changes:
   - [auth-rh-rsa.c auth-rsa.c authfd.c authfd.h hostfile.c mpaux.c] [mpaux.h ssh-add.c ssh-agent.c ssh.h ssh.c sshd.c] the keysize of rsa-parameter 'n' is passed implicitly, a few more checks and warnings about 'pretended' keysizes.
   - [cipher.c cipher.h packet.c packet.h sshd.c] remove support for cipher RC4
   - [ssh.c] a note for legacy systems about security issues with permanently_set_uid(), the private hostkey and ptrace()
   - [sshconnect.c] more detailed messages about adding and checking hostkeys

Regards,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From Harald at iki.fi Fri Nov 19 21:28:09 1999
From: Harald at iki.fi (Harald Hannelius)
Date: Fri, 19 Nov 1999 12:28:09 +0200 (EET)
Subject: ANNOUNCE: openssh-1.2pre13
In-Reply-To:
Message-ID:

Ok, ssh and sshd compile, but I get this on slackware-4.0, egcs-1.1.2:

$ make
gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DASKPASS_PROGRAM=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c scp.c -o scp.o
scp.c: In function `progressmeter':
scp.c:1177: `quad_t' undeclared (first use in this function)
scp.c:1177: (Each undeclared identifier is reported only once
scp.c:1177: for each function it appears in.)
scp.c:1177: parse error before `abbrevsize'
scp.c:1180: warning: implicit declaration of function `timersub'
make: *** [scp.o] Error 1

ssh seems to work ok!

Keep up the good work!!

===========================================================
Harald H Hannelius | Harald at iki.fi | GSM +358405470870
===========================================================

From djm at mindrot.org Fri Nov 19 21:28:48 1999
From: djm at mindrot.org (Damien Miller)
Date: Fri, 19 Nov 1999 21:28:48 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2pre13

On Fri, 19 Nov 1999, Harald Hannelius wrote:

> Ok, ssh and sshd compiles, but I get this on slackware-4.0, egcs-1.1.2:
>
> scp.c:1177: `quad_t' undeclared (first use in this function)

!!! Does Slackware lack the definition of int64_t? If not, can you point me
to the include file where it is defined?

Thanks,
Damien

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From Harald at iki.fi Fri Nov 19 21:46:14 1999
From: Harald at iki.fi (Harald Hannelius)
Date: Fri, 19 Nov 1999 12:46:14 +0200 (EET)
Subject: ANNOUNCE: openssh-1.2pre13

On Fri, 19 Nov 1999, Damien Miller wrote:

> !!! Does Slackware lack the definition of int64_t? If not, can you
> point me to the include file where it is defined?

$ find /usr/include -type f -exec grep -l int64_t {} \;
/usr/include/db.h
/usr/include/_G_config.h
/usr/include/sys/bitypes.h
$ grep -n int64_t /usr/include/db.h /usr/include/_G_config.h /usr/include/sys/bitypes.h
/usr/include/db.h:61:typedef long long int64_t;
/usr/include/db.h:62:typedef unsigned long long u_int64_t;
/usr/include/_G_config.h:56:typedef int _G_int64_t __attribute__((__mode__(__DI__)));
/usr/include/_G_config.h:57:typedef unsigned int _G_uint64_t __attribute__((__mode__(__DI__)));
/usr/include/sys/bitypes.h:88: typedef long long int64_t;
/usr/include/sys/bitypes.h:89: typedef unsigned long long u_int64_t;

===========================================================
Harald H Hannelius | Harald at iki.fi | GSM +358405470870
===========================================================

From djm at mindrot.org Fri Nov 19 21:45:02 1999
From: djm at mindrot.org (Damien Miller)
Date: Fri, 19 Nov 1999 21:45:02 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2pre13

On Fri, 19 Nov 1999, Harald Hannelius wrote:

> On Fri, 19 Nov 1999, Damien Miller wrote:
> > !!! Does Slackware lack the definition of int64_t? If not, can you
> > point me to the include file where it is defined?
>
> $ find /usr/include -type f -exec grep -l int64_t {} \;
> /usr/include/sys/bitypes.h

As a temporary fix, add "#include " to the start of config.h

I will add a better fix to the next version.

Damien

From Harald at iki.fi Fri Nov 19 21:58:59 1999
From: Harald at iki.fi (Harald Hannelius)
Date: Fri, 19 Nov 1999 12:58:59 +0200 (EET)
Subject: ANNOUNCE: openssh-1.2pre13

On Fri, 19 Nov 1999, Damien Miller wrote:

> As a temporary fix, add "#include " to the start
> of config.h

Ok, _lots_ of warnings:

/usr/include/linux/types.h:90: warning: redefinition of `u_int64_t'
/usr/include/sys/bitypes.h:89: warning: `u_int64_t' previously declared here
/usr/include/linux/types.h:91: warning: redefinition of `int64_t'
/usr/include/sys/bitypes.h:88: warning: `int64_t' previously declared here

And then compiling of scp: (drums rolling)

gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DASKPASS_PROGRAM=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c scp.c -o scp.o
In file included from /usr/include/sys/types.h:4,
                 from config.h:118,
                 from includes.h:22,
                 from scp.c:48:
/usr/include/linux/types.h:90: warning: redefinition of `u_int64_t'
/usr/include/sys/bitypes.h:89: warning: `u_int64_t' previously declared here
/usr/include/linux/types.h:91: warning: redefinition of `int64_t'
/usr/include/sys/bitypes.h:88: warning: `int64_t' previously declared here
scp.c: In function `progressmeter':
scp.c:1177: `quad_t' undeclared (first use in this function)
scp.c:1177: (Each undeclared identifier is reported only once
scp.c:1177: for each function it appears in.)
scp.c:1177: parse error before `abbrevsize'
scp.c:1180: warning: implicit declaration of function `timersub'
make: *** [scp.o] Error 1

===========================================================
Harald H Hannelius | Harald at iki.fi | GSM +358405470870
===========================================================

From phil at hands.com Fri Nov 19 23:25:09 1999
From: phil at hands.com (Philip Hands)
Date: 19 Nov 1999 12:25:09 +0000
Subject: ANNOUNCE: openssh-1.2pre13
In-Reply-To: (Damien Miller's message of "Fri, 19 Nov 1999 21:06:01 +1100 (EST)")
Message-ID: <87yabu8y8q.fsf@sheikh.hands.com>

Damien Miller writes:

> I have just uploaded 1.2pre13 to http://violet.ibs.com.au/openssh/

Hi Damien,

It looks like you've fixed a load of recently reported Debian bugs :-)

Am I right in thinking that you've been keeping an eye on the bug reports page? If so, could you tell me the numbers of the bugs you reckon you have fixed, so that I can close them with impunity. Otherwise, I may end up assuming that you've fixed something that you actually didn't know about.

If it is the case that you are keeping an eye on the Debian BTS, and fixing bugs found, please could you put some reference to the bug number in your changelog in future to make my life easy (if it's not too much effort).

If you're not, I'll start forwarding the ones I think are upstream problems to you, but I didn't want to clog up your mailbox if you're seeing them all anyway.

BTW, this is all looking really good --- now that the 1023/1024 bug's gone I think I can get rid of most of the warnings regarding upgrades from ssh-nonfree, and leave just a FYI note.

Cheers, Phil

From provos at citi.umich.edu Sat Nov 20 00:26:13 1999
From: provos at citi.umich.edu (Niels Provos)
Date: Fri, 19 Nov 1999 08:26:13 -0500
Subject: ANNOUNCE: openssh-1.2pre13
In-Reply-To: Philip Hands, 19 Nov 1999 12:25:09 GMT
Message-ID: <19991119132706.C186025279@toad.ilogic.com.au>

In message <87yabu8y8q.fsf at sheikh.hands.com>, Philip Hands writes:
>BTW, this is all looking really good --- now that the 1023/1024 bug's
>gone I think I can get rid of most of the warnings regarding upgrades
>from ssh-nonfree, and leave just a FYI note.

Yes, it also was a really easy fix. I wonder what took Markus and me so long to fix it correctly. Though, OpenSSH will still print warnings about incorrect bit sizes in the known_hosts files in the hope that that will help to move towards correct known_hosts files.

Niels.

From ETARDIEU at CPR.FR Sat Nov 20 00:28:53 1999
From: ETARDIEU at CPR.FR (TARDIEU Emmanuel)
Date: Fri, 19 Nov 1999 14:28:53 +0100
Subject: solaris compiling woes
Message-ID: <5BF932D2CD05D211B54800805FE60FEB05AA9312@serv-hermes.systeme.cpr.fr>

Hi,

I have a problem compiling openssh pre 1.12 on solaris 2.5.1 platform with gnu gcc 2.95.2

u_int32_t is missing somehow and i cannot find any includes which define it.

gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DASKPASS_PROGRAM=\"/usr/local/lib/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c authfile.c
authfile.c: In function `save_private_key':
authfile.c:50: parse error before `rand'
authfile.c:63: invalid lvalue in assignment
authfile.c:64: invalid operands to binary &
authfile.c:65: invalid operands to binary >>
*** Error code 1

Thanks,
Emmanuel Tardieu

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991119/21b1373e/attachment.html

From marc.fournier at acadiau.ca Sat Nov 20 04:06:56 1999
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Fri, 19 Nov 1999 13:06:56 -0400 (AST)
Subject: Fwd: Re: status of openssh for solaris?
In-Reply-To: <199911182340.SAA30225@india.citi.umich.edu>

I've been working on the Solaris patches, and that is one bug that I've yet to be able to fix :( I've been working on getting everything to compile cleanly on Solaris 7/x86, and will be tackling the EGD issue next, unless someone else has a clue :)

On Thu, 18 Nov 1999, Niels Provos wrote:

> From USENET, can somebody comment?
>
> Newsgroups: comp.security.ssh
> Subject: Re: status of openssh for solaris?
> Date: 18 Nov 1999 18:31:47 -0500
>
> Reinier Post writes:
>
> > It looks as if OpenSSH (http://www.openssh.com/) is available for
> > Solaris. Can anybody comment on its maturity?
>
> I dunno about that. It compiles on Solaris 2.6 but when I run it, it
> dies with:
>
> Couldn't open random pool "/tmp/random":
> Operation not supported on transport endpoint
>
> when it tries to open the EGD socket.
>
> I get a similar error on Digital Unix 4.0D:
>
> Couldn't open random pool "/tmp/random":
> Operation not supported on socket
>
> Anyone have any clues for me?
>
> --
> Joel Gallun
> http://www.tux.org/~joel

Marc G. Fournier marc.fournier at acadiau.ca
Senior Systems Administrator Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From marc.fournier at acadiau.ca Sat Nov 20 04:08:56 1999
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Fri, 19 Nov 1999 13:08:56 -0400 (AST)
Subject: solaris compiling woes
In-Reply-To: <5BF932D2CD05D211B54800805FE60FEB05AA9312@serv-hermes.systeme.cpr.fr>

should be fixed in pre13...I sent Damien patches to better determine the value of an unsigned 32bit int and 16bit int...

On Fri, 19 Nov 1999, TARDIEU Emmanuel wrote:

> Hi,
>
> I have a problem compiling openssh pre 1.12 on solaris 2.5.1 platform with
> gnu gcc 2.95.2
>
> u_int32_t is missing somehow and i cannot find any includes which define it.
>
> gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\"
> -DSSH_PROGRAM=\"/usr/local/bin/ssh\"
> -DASKPASS_PROGRAM=\"/usr/local/lib/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c
> authfile.c
> authfile.c: In function `save_private_key':
> authfile.c:50: parse error before `rand'
> authfile.c:63: invalid lvalue in assignment
> authfile.c:64: invalid operands to binary &
> authfile.c:65: invalid operands to binary >>
> *** Error code 1
>
> Thanks,
> Emmanuel Tardieu

Marc G. Fournier marc.fournier at acadiau.ca
Senior Systems Administrator Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From marc.fournier at acadiau.ca Sat Nov 20 05:12:09 1999
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Fri, 19 Nov 1999 14:12:09 -0400 (AST)
Subject: [openssh-1.2pre13] patch for solaris 7 ...

The attached patch contains fixes for:

1. the fact that solaris 7 has no u_int32_t/u_int16_t defined, but they do define uint32_t/uint16_t...this changes the define in config.h.in, which doesn't work, to a proper configure test, and define in config.h.in
2. fixes a bug in config.h.in where paths.h is included, yet HAVE_PATHS_H is undefined
3. fixes a bug in bsd-daemon.c where paths.h is included, yet HAVE_PATHS_H is undefined
4. add config.h to bsd-login.h, which is required to define UTMP_PATH
5. adds a define for _PATH_DEVNULL to be /dev/null, since Solaris doesn't define that path *anywhere* ...

This patch requires autoconf to be run, as there are changes to configure.in in here...

expect a few more patches to be forthcoming...

Marc G. Fournier marc.fournier at acadiau.ca
Senior Systems Administrator Acadia University
"These are my opinions, which are not necessarily shared by my employer"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-1.2pre13.patch1.gz
Type: application/octet-stream
Size: 2992 bytes
Desc:
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991119/013027ea/attachment.obj

From marc.fournier at acadiau.ca Sat Nov 20 05:26:12 1999
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Fri, 19 Nov 1999 14:26:12 -0400 (AST)
Subject: [patch2, 1.2pre13] solaris 7 patch for bsd-login.c

Solaris 7 doesn't have a ut_host element in utmp...patch lets bsd-login.c compile with this knowledge:

*** openssh-1.2pre13.orig/bsd-login.c Fri Nov 19 00:32:34 1999 --- openssh-1.2pre13/bsd-login.c Fri Nov 19 14:23:49 1999 *************** *** 40,45 **** --- 40,46 ---- static char *rcsid = "$Id: bsd-login.c,v 1.1 1999/11/19 04:32:34 damien Exp $"; #endif /* LIBC_SCCS and not lint */ + #include #include *************** *** 48,53 **** --- 49,56 ---- #include #include + #include "config.h" + void login(utp) struct utmp *utp; *************** *** 58,63 **** --- 61,67 ---- tty = ttyslot(); if (tty > 0 && (fd = open(_PATH_UTMP, O_RDWR|O_CREAT, 0644)) >= 0) { + #ifdef HAVE_HOST_IN_UTMP (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); /* * Prevent luser from zero'ing out ut_host. *************** *** 70,75 **** --- 74,80 ---- strncmp(old_ut.ut_line, utp->ut_line, UT_LINESIZE) == 0 && strncmp(old_ut.ut_name, utp->ut_name, UT_NAMESIZE) == 0) (void)memcpy(utp->ut_host, old_ut.ut_host, UT_HOSTSIZE); + #endif (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); (void)write(fd, utp, sizeof(struct utmp)); (void)close(fd);

Marc G. Fournier marc.fournier at acadiau.ca
Senior Systems Administrator Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From marc.fournier at acadiau.ca Sat Nov 20 05:45:07 1999
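Review bot: the `#ifdef HAVE_HOST_IN_UTMP` guard added in the 58,63 and 70,75 hunks has nothing in this patch that defines HAVE_HOST_IN_UTMP (no configure.in or acconfig.h change accompanies it), so as posted the guard is false on every platform, and the block commented "Prevent luser from zero'ing out ut_host" is compiled out everywhere rather than only on Solaris 7; that silently removes the ut_host anti-spoofing step on systems whose utmp does have the field. The patch needs a matching configure probe for the `ut_host` member of `struct utmp` plus an `#undef HAVE_HOST_IN_UTMP` in acconfig.h, and the `#include "config.h"` added in the 48,53 hunk is better placed before the system headers so that whatever config.h sets up applies to them as well.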
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Fri, 19 Nov 1999 14:45:07 -0400 (AST)
Subject: [solaris 7 patch] resubmit and extended ...

Okay, everything as the first large one I sent today, with a few extra mods.

_PATH_MAILDIR is only used in sshd.c, that I can see, so moved the #ifdef from config.h.in to there.

several files had __progname defined in the middle of the code, as well as at the top of the code, so cleaned those out.

all the fixes for u_int32_t -> uint32_t and u_int16_t -> uint16_t, plus added appropriate tests to configure.in to determine which one to use. If another OS uses a third method, this is *easily* extended.

fix to bsd-login.c due to ut_host not being part of the utmp struct in solaris 7

This gets me to the point that OpenSSH under Solaris 7/x86 compiles as far as ssh-agent ... I'm stuck right now on a lack of setenv() in solaris 7, but next patch will be based off of the above, not instead of, unless a pre14 comes out that includes all this?

Marc G. Fournier marc.fournier at acadiau.ca
Senior Systems Administrator Acadia University
"These are my opinions, which are not necessarily shared by my employer"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-1.2pre13.patch2.gz
Type: application/octet-stream
Size: 3683 bytes
Desc:
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991119/133383d6/attachment.obj

From marc.fournier at acadiau.ca Sat Nov 20 05:55:43 1999
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Fri, 19 Nov 1999 14:55:43 -0400 (AST)
Subject: EGD socket problem ...

Just tried out ssh in pre13, and still get the EGD problem? :(

new-relay:/usr/slocal/src/openssh-1.2pre13> ./ssh -l marc atelier
The authenticity of host 'atelier.acadiau.ca' can't be established.
Key fingerprint is 1024 ef:36:b5:f8:a3:bb:14:4d:a9:4b:f2:90:9a:bd:bb:00.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'atelier.acadiau.ca,131.162.138.223' to the list of known hosts.
Couldn't connect to EGD socket "/var/run/random": Socket operation on non-socket

This is under Solaris 7/x86, with HAVE_EGD defined...not good with sockets without my bible in front of me, so can't play with this until at least Sunday :(

The problem appears to be, in here, with the error generated by the 'fatal:' result when connect() is tested:

  char egd_message[2] = { 0x02, 0x00 };
  struct sockaddr_un addr;
  int addr_len;

  memset(&addr, '\0', sizeof(addr));
  addr.sun_family = AF_UNIX;

  /* FIXME: compile time check? */
  if (sizeof(RANDOM_POOL) > sizeof(addr.sun_path))
    fatal("Random pool path is too long");

  strncpy(addr.sun_path, RANDOM_POOL, sizeof(addr.sun_path - 1));
  addr.sun_path[sizeof(addr.sun_path - 1)] = '\0';

  addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(RANDOM_POOL);

  random_pool = socket(AF_UNIX, SOCK_STREAM, 0);
  if (random_pool == -1)
    fatal("Couldn't create AF_UNIX socket: %s", strerror(errno));

  if (connect(random_pool, (struct sockaddr*)&addr, addr_len) == -1)
    fatal("Couldn't connect to EGD socket \"%s\": %s", RANDOM_POOL, strerror(errno));

  if (len > 255)
    fatal("Too many bytes to read from EGD");

  /* Send blocking read request to EGD */
  egd_message[1] = len;

  c = write(random_pool, egd_message, sizeof(egd_message));
  if (c == -1)
    fatal("Couldn't write to EGD socket \"%s\": %s", RANDOM_POOL, strerror(errno));

Marc G.
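One detail in the snippet quoted above is worth measuring rather than eyeballing: `sizeof(addr.sun_path - 1)` is the size of a pointer, not the array length minus one, so strncpy copies only 4 or 8 bytes of RANDOM_POOL and the terminator lands at that same offset; a path cut down to a directory or plain file is one way to end up with a connect() failure rather than a talk with EGD. The following is an added example by the editor, not code from Marc's message or from OpenSSH: it fills sun_path the posted way and a bounded, checked way, reports how much of the path survives each, and answers the "compile time check?" FIXME with a static assertion. RANDOM_POOL here is the constructed sample path from the report; nothing is connected.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Constructed sample: the pool path from the report above. */
#define RANDOM_POOL "/var/run/random"

/* The "compile time check?" the FIXME asks for: refuse to build at all if the
 * configured path can never fit in sun_path (C11 static assertion). */
_Static_assert(sizeof(RANDOM_POOL) <= sizeof(((struct sockaddr_un *)0)->sun_path),
               "RANDOM_POOL does not fit in sockaddr_un.sun_path");

/*
 * Fill sun_path exactly as the quoted snippet does and report how many bytes
 * of the path survive.  sizeof(addr.sun_path - 1) is NOT sizeof(addr.sun_path) - 1:
 * subtracting from the array decays it to a pointer, so the expression is
 * sizeof(char *) (4 or 8), strncpy copies only that many bytes, and the
 * terminator is written at the same offset.
 */
size_t posted_path_length(const char *pool)
{
    struct sockaddr_un addr;

    memset(&addr, '\0', sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, pool, sizeof(addr.sun_path - 1));
    addr.sun_path[sizeof(addr.sun_path - 1)] = '\0';
    return strlen(addr.sun_path);
}

/*
 * Intended form: bounded by the real array size, always NUL-terminated, and a
 * path that would not fit is rejected instead of being silently shortened into
 * the name of some other filesystem object.
 * Returns the number of path bytes stored, or -1 if the path does not fit.
 */
int checked_path_length(const char *pool)
{
    struct sockaddr_un addr;
    size_t plen = strlen(pool);

    if (plen >= sizeof(addr.sun_path))
        return -1;
    memset(&addr, '\0', sizeof(addr));
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, pool, plen + 1);   /* plen + 1 copies the NUL too */
    /* Cheap runtime self-check: what we stored must be what was requested. */
    return strcmp(addr.sun_path, pool) == 0 ? (int)plen : -1;
}

/* Constructed over-long path (longer than any sun_path) for the reject case. */
const char *overlong_sample(void)
{
    static char buf[sizeof(((struct sockaddr_un *)0)->sun_path) + 16];

    memset(buf, 'x', sizeof(buf) - 1);
    buf[0] = '/';
    buf[sizeof(buf) - 1] = '\0';
    return buf;
}

int main(void)
{
    printf("as posted: %zu of %zu bytes of \"%s\" survive\n",
           posted_path_length(RANDOM_POOL), strlen(RANDOM_POOL), RANDOM_POOL);
    printf("checked  : %d bytes stored\n", checked_path_length(RANDOM_POOL));
    printf("overlong : %d (rejected)\n", checked_path_length(overlong_sample()));
    return 0;
}
```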
Fournier marc.fournier at acadiau.ca
Senior Systems Administrator Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From djm at mindrot.org Sat Nov 20 10:52:54 1999
From: djm at mindrot.org (Damien Miller)
Date: Sat, 20 Nov 1999 10:52:54 +1100 (EST)
Subject: Autoconf and u_intXX_t types

I am having a bad day with autoconf.

It seems that AC_CHECK_SIZEOF(uint32_t) won't work, because the macro does not include sys/types.h before making the test.

Can anyone think of any way to test for the existence of these types in autoconf? a #ifdef isn't good enough as the type may have been created using typedef rather than #define.

Damien

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sat Nov 20 12:22:46 1999
From: djm at mindrot.org (Damien Miller)
Date: Sat, 20 Nov 1999 12:22:46 +1100 (EST)
Subject: [solaris 7 patch] resubmit and extended ...

On Fri, 19 Nov 1999, Marc G. Fournier wrote:

I have merged most of your changes, and included autoconf support for detecting and automatically defining u_intXX_t.

Can you try out the attached patch to see if it helps.

Regards,
Damien

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-------------- next part --------------
Index: ChangeLog =================================================================== RCS file: /var/cvs/openssh/ChangeLog,v retrieving revision 1.58 retrieving revision 1.59 diff -u -u -r1.58 -r1.59 --- ChangeLog 1999/11/19 04:53:20 1.58 +++ ChangeLog 1999/11/20 01:18:40 1.59
@@ -1,3 +1,9 @@ +19991120 + - Merged more Solaris support from Marc G. Fournier + + - Wrote autoconf tests for integer bit-types + - Fixed enabling kerberos support + 19991119 - Merged PAM buffer overrun patch from Chip Salzenberg - Merged OpenBSD CVS changes Index: TODO =================================================================== RCS file: /var/cvs/openssh/TODO,v retrieving revision 1.3 retrieving revision 1.4 diff -u -u -r1.3 -r1.4 --- TODO 1999/11/12 03:35:58 1.3 +++ TODO 1999/11/20 01:18:40 1.4 @@ -8,6 +8,8 @@ - Fix paths in manpages using autoconf -- Enable libwrap support using autoconf switch - - Better testing on non-PAM systems + +- Replace the horror in acconfig.h which tries to comphensate for the + lack of u_intXX_t types. There must be a better way. + Index: acconfig.h =================================================================== RCS file: /var/cvs/openssh/acconfig.h,v retrieving revision 1.13 retrieving revision 1.14 diff -u -u -r1.13 -r1.14 --- acconfig.h 1999/11/19 04:53:20 1.13 +++ acconfig.h 1999/11/20 01:18:40 1.14 @@ -6,6 +6,9 @@ /* Location of lastlog file */ #undef LASTLOG_LOCATION +/* If lastlog is a directory */ +#undef LASTLOG_IS_DIR + /* Location of random number pool */ #undef RANDOM_POOL @@ -51,13 +54,22 @@ /* Define if you want to allow MD5 passwords */ #undef HAVE_MD5_PASSWORDS +/* Data types */ +#undef HAVE_QUAD_T +#undef HAVE_INTXX_T +#undef HAVE_U_INTXX_T +#undef HAVE_UINTXX_T + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ + +# include /* For u_intXX_t */ +# include /* For SHUT_XXXX */ -#include /* For u_intXX_t */ -#include /* For SHUT_XXXX */ -#include /* For _PATH_XXX */ +#ifdef HAVE_PATHS_H +# include /* For _PATH_XXX */ +#endif #ifndef SHUT_RDWR enum 
@@ -71,16 +83,63 @@ }; #endif -#if !defined(u_int32_t) && defined(uint32_t) -#define u_int32_t uint32_t +/* If sys/types.h does not supply intXX_t, supply them ourselves */ +/* (or die trying) */ +#ifndef HAVE_INTXX_T +# if (SIZEOF_SHORT_INT == 2) +# define int16_t short int +# else +# error "16 bit int type not found." +# endif +# if (SIZEOF_INT == 4) +# define int32_t int +# else +# error "32 bit int type not found." +# endif +# if (SIZEOF_LONG_INT == 8) +# define int64_t long int +# else +# if (SIZEOF_LONG_LONG_INT == 8) +# define int64_t long long int +# else +# error "64 bit int type not found." +# endif +# endif #endif -#if !defined(u_int16_t) && defined(uint16_t) -#define u_int16_t uint16_t +/* If sys/types.h does not supply u_intXX_t, supply them ourselves */ +#ifndef HAVE_U_INTXX_T +# ifdef HAVE_UINTXX_T +# define u_int16_t uint16_t +# define u_int32_t uint32_t +# define u_int64_t uint64_t +# else +# if (SIZEOF_SHORT_INT == 2) +# define u_int16_t unsigned short int +# else +# error "16 bit int type not found." +# endif +# if (SIZEOF_INT == 4) +# define u_int32_t unsigned int +# else +# error "32 bit int type not found." +# endif +# if (SIZEOF_LONG_INT == 8) +# define u_int64_t unsigned long int +# else +# if (SIZEOF_LONG_LONG_INT == 8) +# define u_int64_t unsigned long long int +# else +# error "64 bit int type not found." +# endif +# endif +# endif #endif -#if !defined(quad_t) && defined(int64_t) -#define quad_t int64_t +/* If quad_t is not supplied, then supply it now. We can rely on int64_t */ +/* being defined by the above */ +#ifndef HAVE_QUAD_T +# define quad_t int64_t #endif #ifndef _PATH_LASTLOG Index: bsd-daemon.c =================================================================== RCS file: /var/cvs/openssh/bsd-daemon.c,v retrieving revision 1.1 retrieving revision 1.2 diff -u -u -r1.1 -r1.2 --- bsd-daemon.c 1999/11/19 04:32:34 1.1 +++ bsd-daemon.c 1999/11/20 01:18:40 1.2 
@@ -40,8 +40,11 @@ #endif /* LIBC_SCCS and not lint */ #include -#include #include + +#ifdef HAVE_PATHS_H +# include +#endif int daemon(nochdir, noclose) Index: bsd-login.c =================================================================== RCS file: /var/cvs/openssh/bsd-login.c,v retrieving revision 1.1 retrieving revision 1.2 diff -u -u -r1.1 -r1.2 --- bsd-login.c 1999/11/19 04:32:34 1.1 +++ bsd-login.c 1999/11/20 01:18:40 1.2 @@ -37,7 +37,7 @@ #if defined(LIBC_SCCS) && !defined(lint) /* from: static char sccsid[] = "@(#)login.c 8.1 (Berkeley) 6/4/93"; */ -static char *rcsid = "$Id: bsd-login.c,v 1.1 1999/11/19 04:32:34 damien Exp $"; +static char *rcsid = "$Id: bsd-login.c,v 1.2 1999/11/20 01:18:40 damien Exp $"; #endif /* LIBC_SCCS and not lint */ #include @@ -58,6 +58,7 @@ tty = ttyslot(); if (tty > 0 && (fd = open(_PATH_UTMP, O_RDWR|O_CREAT, 0644)) >= 0) { +#ifdef HAVE_HOST_IN_UTMP (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); /* * Prevent luser from zero'ing out ut_host. @@ -70,6 +71,7 @@ strncmp(old_ut.ut_line, utp->ut_line, UT_LINESIZE) == 0 && strncmp(old_ut.ut_name, utp->ut_name, UT_NAMESIZE) == 0) (void)memcpy(utp->ut_host, old_ut.ut_host, UT_HOSTSIZE); +#endif /* HAVE_HOST_IN_UTMP */ (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); (void)write(fd, utp, sizeof(struct utmp)); (void)close(fd); Index: configure.in =================================================================== RCS file: /var/cvs/openssh/configure.in,v retrieving revision 1.21 retrieving revision 1.22 diff -u -u -r1.21 -r1.22 --- configure.in 1999/11/19 08:14:04 1.21 +++ configure.in 1999/11/20 01:18:40 1.22 
@@ -70,6 +70,57 @@ [AC_CHECK_LIB(bsd, daemon, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])] ) +dnl Checks for data types +AC_CHECK_SIZEOF(short int, 2) +AC_CHECK_SIZEOF(int, 4) +AC_CHECK_SIZEOF(long int, 4) +AC_CHECK_SIZEOF(long long int, 8) + +dnl More checks for data types +AC_MSG_CHECKING([For quad_t]) +AC_TRY_COMPILE( + [#include ], + [quad_t a; a = 1235;], + [ + AC_DEFINE(HAVE_QUAD_T) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([For intXX_t types]) +AC_TRY_COMPILE( + [#include ], + [int16_t a; int32_t b; a = 1235; b = 1235;], + [ + AC_DEFINE(HAVE_INTXX_T) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([For u_intXX_t types]) +AC_TRY_COMPILE( + [#include ], + [u_int16_t c; u_int32_t d; c = 1235; d = 1235;], + [ + AC_DEFINE(HAVE_U_INTXX_T) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + +AC_MSG_CHECKING([For uintXX_t types]) +AC_TRY_COMPILE( + [#include ], + [uint16_t c; uint32_t d; c = 1235; d = 1235;], + [ + AC_DEFINE(HAVE_UINTXX_T) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + dnl Check whether use wants to disable the external ssh-askpass INSTALL_ASKPASS="yes" AC_MSG_CHECKING([whether to enable external ssh-askpass support]) @@ -158,14 +209,23 @@ AC_MSG_CHECKING([location of lastlog file]) for lastlog in /var/log/lastlog /var/adm/lastlog /etc/security/lastlog ; do if test -f $lastlog ; then - gotlastlog="yes" - AC_MSG_RESULT($lastlog) - AC_DEFINE_UNQUOTED(LASTLOG_LOCATION, "$lastlog") + gotlastlog="file" + break + fi + if test -d $lastlog ; then + gotlastlog="dir" break fi done if test -z "$gotlastlog" ; then AC_MSG_ERROR([*** Cannot find lastlog ***]) +else + if test "x$gotlastlog" = "xdir" ; then + AC_DEFINE(LASTLOG_IS_DIR) + AC_MSG_ERROR([*** Directory-based lastlogs are not yet supported ***]) + fi + AC_MSG_RESULT($lastlog) + AC_DEFINE_UNQUOTED(LASTLOG_LOCATION, "$lastlog") fi AC_MSG_CHECKING([whether libc defines __progname]) 
@@ -191,7 +251,7 @@ ) dnl Check whether user wants AFS support -AC_ARG_WITH(kerberos4, +AC_ARG_WITH(afs, [ --with-afs Enable AFS support], [ AC_DEFINE(AFS) From djm at mindrot.org Sat Nov 20 16:49:32 1999 
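Review bot: the intXX_t probe in the configure.in hunk (`[int16_t a; int32_t b; a = 1235; b = 1235;]`) never references int64_t, yet the acconfig.h hunk's quad_t fallback (`#ifndef HAVE_QUAD_T` / `# define quad_t int64_t`, with the comment "We can rely on int64_t being defined by the above") assumes HAVE_INTXX_T implies int64_t exists. On a system where sys/types.h provides int16_t/int32_t but keeps int64_t in another header (the Slackware sys/bitypes.h case earlier in this thread) HAVE_INTXX_T is set, the int64_t fallback under `#ifndef HAVE_INTXX_T` is skipped, and quad_t expands to an undefined type. Add `int64_t c; c = 1235;` to the probe body, or probe int64_t separately and fall back on SIZEOF_LONG_LONG_INT for it alone.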
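Review bot: the acconfig.h hunk supplies the missing types as macros (`# define int16_t short int`, `# define int64_t long int`, and the u_intXX_t equivalents), which rewrites the identifier everywhere after config.h. Any header included later that declares the type itself, such as the `typedef long long int64_t;` in db.h and sys/bitypes.h quoted earlier in the thread, becomes `typedef long long long int;`, a hard error where before there were only redefinition warnings. A `typedef` inside the same `#ifndef` guards gives a real type that later declarations can at least be compared against, and the probe should be compiled with the same includes the sources use so that it sees what they see.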
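Review bot: in the lastlog hunk of configure.in, `AC_DEFINE(LASTLOG_IS_DIR)` is immediately followed by `AC_MSG_ERROR([*** Directory-based lastlogs are not yet supported ***])`, which aborts configure, so neither that define nor the new `#undef LASTLOG_IS_DIR` in acconfig.h can ever reach a generated config.h. Either drop the define until directory lastlogs are handled or turn the error into a warning that leaves lastlog support disabled. The loop also `break`s on the first candidate of either kind, so a system whose first candidate is a directory errors out before a later file candidate is tried.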
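Review bot: the ChangeLog hunk says "Fixed enabling kerberos support", but the only matching change is the configure.in hunk that turns `AC_ARG_WITH(kerberos4,` into `AC_ARG_WITH(afs,` under the `--with-afs` help text; what was broken was the AFS switch, which was being keyed off the kerberos4 option. Name AFS in the entry (and the Debian bug number, as asked earlier in the thread) so the bookkeeping downstream can match it.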
From: djm at mindrot.org (Damien Miller)
Date: Sat, 20 Nov 1999 16:49:32 +1100 (EST)
Subject: segfault in openssh-1.2pre13
In-Reply-To: <199911191616.SAA07388@jhb.ucs.co.za>

On Fri, 19 Nov 1999, Berend De Schouwer wrote:

> RH6.0, Intel, openssh-1.2pre13
>
> If I generate /etc/ssh_host_key, it works; if I generate
> /root/.ssh/identity it segfaults. Every time.

Fixed. There was a buffer overrun in the filename handling. Please try the attached patch.

Regards,
Damien Miller

> # ssh-keygen
> Generating RSA keys: Key generation complete.
> Enter file in which to save the key (/root/.ssh/identity):
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Your identification has been saved in /root/.ssh/identity.
> Your public key is:
> 1024 35 120157590 ...... 3660088497 root at bongw3.bonus.co.za
> Segmentation fault (core dumped)
>
> # ssh-keygen
> Generating RSA keys: Key generation complete.
> Enter file in which to save the key (/root/.ssh/identity): /etc/ssh_host_key
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Your identification has been saved in /etc/ssh_host_key.
> Your public key is:
> 1024 35 167064111 ...... 49601307 root at bongw3.bonus.co.za
> Your public key has been saved in /etc/ssh_host_key.pub
>
> (keys shortened for mail)
>
> Following is from a backtrace:
> # gdb ssh-keygen /root/core
> GNU gdb 4.17.0.11 with Linux support
> Copyright 1998 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-redhat-linux"...
> Core was generated by `ssh-keygen'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /lib/libpam.so.0...done.
> Reading symbols from /lib/libdl.so.2...done.
> Reading symbols from /lib/libnsl.so.1...done.
> Reading symbols from /usr/lib/libz.so.1...done.
> Reading symbols from /lib/libutil.so.1...done.
> Reading symbols from /lib/libc.so.6...done.
> Reading symbols from /lib/ld-linux.so.2...done.
> Reading symbols from /lib/libnss_files.so.2...done.
> #0 chunk_alloc (ar_ptr=0x40132580, nb=184) at malloc.c:2723
> malloc.c:2723: No such file or directory.
> (gdb) bt
> #0 chunk_alloc (ar_ptr=0x40132580, nb=184) at malloc.c:2723
> #1 0x400a1b8a in __libc_malloc (bytes=176) at malloc.c:2616
> #2 0x4009ae5b in _IO_new_fopen (filename=0x8068e80 "/root/.ssh/identity.?",
>     mode=0x805f6e3 "w") at iofopen.c:42
> #3 0x804a14f in main (ac=1, av=0xbffffd64) at ssh-keygen.c:574
> #4 0x40061cb3 in __libc_start_main (main=0x8049b44 , argc=1,
>     argv=0xbffffd64, init=0x8048e10 <_init>, fini=0x805f43c <_fini>,
>     rtld_fini=0x4000a350 <_dl_fini>, stack_end=0xbffffd5c)
>     at ../sysdeps/generic/libc-start.c:78
> (gdb)
>
> Funny filename "/root/.ssh/identity.?"
>
> --
> Kind regards,
> Berend
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Berend De Schouwer, +27-11-712-1435, UCS

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-------------- next part --------------
Index: ssh-keygen.c =================================================================== RCS file: /var/cvs/openssh/ssh-keygen.c,v retrieving revision 1.5 diff -u -r1.5 ssh-keygen.c --- ssh-keygen.c 1999/11/17 06:29:08 1.5 +++ ssh-keygen.c 1999/11/20 05:45:49 @@ -570,6 +570,7 @@ /* Save the public key in text format in a file with the same name but .pub appended. */ + file = xrealloc(file, strlen(file) + 5); strcat(file, ".pub"); f = fopen(file, "w"); if (!f)

From dmiller at vitnet.com.sg Sun Nov 21 00:19:12 1999
From: dmiller at vitnet.com.sg (Damien Miller)
Date: Sat, 20 Nov 1999 21:19:12 +0800 (SGT)
Subject: Test message
Message-ID: <19991120131912.3D5ED4002@bb.vitnet.com.sg>

Test message. Please ignore

From cjc5 at po.cwru.edu Sun Nov 21 04:24:57 1999
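Review bot: `file = xrealloc(file, strlen(file) + 5);` in the ssh-keygen.c hunk sizes the buffer correctly for ".pub" plus the terminator, but it is only valid if `file` was obtained from xmalloc/xstrdup rather than pointing at a fixed array or a string literal, and the hunk does not show where `file` comes from; a comment at the allocation site stating that invariant, or computing the public-key name into a fresh buffer instead of growing the private-key name in place, would make the fix robust against a later change of how `file` is set. Any other pointer still referring to the old buffer is dangling after the realloc.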
From: cjc5 at po.cwru.edu (Craig J Copi)
Date: Sat, 20 Nov 1999 12:24:57 -0500
Subject: openssh and DOS
Message-ID: <199911201724.MAA14850@styx.net.copi>

It appears that openssh has inherited the dos attack that ssh is susceptible to. This has been discussed on Bugtraq (see http://securityportal.com/list-archive/bugtraq/1999/Sep/0124.html for the thread). There does not appear to be an official for ssh. Attached below is a simple, proof of concept, patch that adds a MaxConnections to sshd_config that sets the maximum number of simultaneous connections sshd will allow. I was not careful to verify that the changes don't have any side effects. I am posting this here in the hopes that a good solution can be found that can be passed on to the openbsd people.

There is a related problem I noticed when doing this. If I open a bunch of connections to ssh (say in a perl script) and then close them all at once only some of the children get reaped on the server. The reason for this seems to be that the SIGCHLD handler, main_sigchld_handler, uses a wait call to reap one child. If you have multiple children dying at roughly the same time some do not get caught by the handler and thus not reaped. They remain as zombies until sshd is restarted (at which time they get reaped). To circumvent this I have replaced the wait call with a loop over waitpid to reap all the children we can each time we hit the handler. Again, there may be a better solution.

Craig

------------------------------------------------------------ --- openssh-1.2pre13/servconf.c.orig Fri Nov 19 23:30:33 1999 +++ openssh-1.2pre13/servconf.c Fri Nov 19 23:36:56 1999 @@ -62,6 +62,7 @@ options->num_deny_users = 0; options->num_allow_groups = 0; options->num_deny_groups = 0; + options->max_connections = -1; } void fill_default_server_options(ServerOptions *options)
@@ -161,7 +162,7 @@ sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, - sIgnoreUserKnownHosts + sIgnoreUserKnownHosts, sMaxConnections } ServerOpCodes; /* Textual representation of the tokens. */ @@ -211,6 +212,7 @@ { "denyusers", sDenyUsers }, { "allowgroups", sAllowGroups }, { "denygroups", sDenyGroups }, + { "maxconnections", sMaxConnections }, { NULL, 0 } }; @@ -587,6 +589,10 @@ options->deny_groups[options->num_deny_groups++] = xstrdup(cp); } break; + + case sMaxConnections: + intptr = &options->max_connections; + goto parse_int; default: fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n", --- openssh-1.2pre13/servconf.h.orig Fri Nov 19 23:31:16 1999 +++ openssh-1.2pre13/servconf.h Fri Nov 19 23:32:08 1999 @@ -70,6 +70,7 @@ char *allow_groups[MAX_ALLOW_GROUPS]; unsigned int num_deny_groups; char *deny_groups[MAX_DENY_GROUPS]; + int max_connections; /* Maximum number of simultaneous connections. */ } ServerOptions; /* Initializes the server options to special values that indicate that they --- openssh-1.2pre13/sshd.c.orig Fri Nov 19 21:00:51 1999 +++ openssh-1.2pre13/sshd.c Sat Nov 20 00:01:48 1999 @@ -117,6 +117,9 @@ the private key. */ RSA *public_key; +/* Number of connections open at present. */ +int current_connections = 0; + /* Prototypes for various functions defined later in this file. */ void do_connection(); void do_authentication(char *user); @@ -316,7 +319,12 @@ { int save_errno = errno; int status; - wait(&status); + + /* Reap all the children that are dead. */ + while (waitpid (0, &status, WNOHANG) > 0) { + if (current_connections > 0) --current_connections; + } + signal(SIGCHLD, main_sigchld_handler); errno = save_errno; } 
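Review bot: in the sshd.c SIGCHLD hunk, `waitpid (0, &status, WNOHANG)` only reaps children in the daemon's own process group, so any child that has moved to a new process group or session (setsid() for a pty session) would never be reaped, which is the very zombie leak the patch sets out to fix; use -1, as the committed OpenBSD version quoted later in this thread does. `current_connections` is also written from both the handler and the accept loop, so declare it `volatile sig_atomic_t`, and block SIGCHLD around the fork()/`++current_connections` pair: a child that exits before the increment is skipped by the `if (current_connections > 0)` guard when the count is 0, leaving the counter permanently one too high.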
@@ -687,27 +695,36 @@ } else { - /* Normal production daemon. Fork, and have the child process - the connection. The parent continues listening. */ - if ((pid = fork()) == 0) - { - /* Child. Close the listening socket, and start using - the accepted socket. Reinitialize logging (since our - pid has changed). We break out of the loop to handle - the connection. */ - close(listen_sock); - sock_in = newsock; - sock_out = newsock; - log_init(av0, options.log_level, options.log_facility, log_stderr); - break; + /* Make sure we don't have too many connections. */ + if (options.max_connections > 0 + && current_connections >= options.max_connections) + error ("Maximum number of connections (%d) reached", + options.max_connections); + else { + /* Normal production daemon. Fork, and have the child process + the connection. The parent continues listening. */ + if ((pid = fork()) == 0) + { + /* Child. Close the listening socket, and start using + the accepted socket. Reinitialize logging (since our + pid has changed). We break out of the loop to handle + the connection. */ + close(listen_sock); + sock_in = newsock; + sock_out = newsock; + log_init(av0, options.log_level, options.log_facility, log_stderr); + break; + } + + /* Parent. Stay in the loop. */ + if (pid < 0) + error("fork: %.100s", strerror(errno)); + else { + debug("Forked child %d.", pid); + ++current_connections; } + } } - - /* Parent. Stay in the loop. */ - if (pid < 0) - error("fork: %.100s", strerror(errno)); - else - debug("Forked child %d.", pid); /* Mark that the key has been used (it was "given" to the child). */ key_used = 1; From cjc5 at po.cwru.edu Sun Nov 21 04:37:54 1999 
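Review bot: when the limit is hit the code still falls through to `key_used = 1;` although no child was forked, so the server key will be regenerated at the next alarm for nothing (the comment says the key was "given" to the child); move `key_used = 1` into the new else branch. A second point on the same hunk: every forked child counts, authenticated or not, so an attacker holding MaxConnections idle sockets locks every legitimate user out and the limit trades one denial of service for another. Counting only not-yet-authenticated children, and reaping them on a timeout, would make the slot cheaper for the defender than for the attacker.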
From: cjc5 at po.cwru.edu (Craig J Copi) Date: Sat, 20 Nov 1999 12:37:54 -0500 Subject: Trivial configure.in patch Message-ID: <199911201737.MAA15581@styx.net.copi> This trivial patch is needed so that --with-tcp-wrappers gets set up correctly in configure. Craig ------------------------------------------------------------ --- configure.in.orig Sat Nov 20 12:33:49 1999 +++ configure.in Sat Nov 20 12:34:02 1999 @@ -209,7 +209,7 @@ ) dnl Check whether user wants TCP wrappers support -AC_ARG_WITH(skey, +AC_ARG_WITH(tcp-wrappers, [ --with-tcp-wrappers Enable tcpwrappers support], [ AC_DEFINE(LIBWRAP) From phil at hands.com Sun Nov 21 06:14:27 1999 
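Review bot: with the old `AC_ARG_WITH(skey,` the option advertised in the help text as `--with-tcp-wrappers` was never recognised and `AC_DEFINE(LIBWRAP)` fired only for `--with-skey`, so a pre13 build configured with `--with-tcp-wrappers` silently shipped without the hosts.allow/hosts.deny checks the administrator thought were in place. The fix is correct; after applying it, anyone relying on tcp-wrappers should confirm with `grep LIBWRAP config.h` and check that sshd is actually linked against libwrap.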
From: phil at hands.com (Philip Hands) Date: 20 Nov 1999 19:14:27 +0000 Subject: Debian 1.2pre13 package available Message-ID: <87ln7tc6wc.fsf@sheikh.hands.com> Hi, It's been uploaded to non-us.debian.org, but if you're in a hurry, you can grab it here: http://www.hands.com/~phil/debian/openssh/ Things from the debian patch that might be worth taking upstream: configure.in: . The tcp-wrappers patch (mentioned here recently) Makefile: . Put OPT_FLAGS back in so I can set options in debian/rules . Install ssh with SUID bit set sshd.c: . use macro for PAM service name, so I can change it to ``ssh'' in debian/rules . disable motd & lastlogin messages if HAVE_PAM sshd.pam . Apparently this one works well, but I don't know how widespread pam_unix.o is, so perhaps offering it as an alternative, or as comments in the file sshd_config: . enable ForwardX11. I cannot see a reason to have this disabled on the server, and it's a pain having to switch it back on all the time. ssh-copy-id & ssh-copy-id.1 . A script that uses ssh to install one's identity into a remote authorized_keys, and makes sure that the permissions at the other end are likely to work afterwards. It's quite handy, but could probably do with a few options to control where it gets the keys from. and in several files: . Change defaults for ForwardX11 & ForwardAgent to be ``off'' for security BTW the diff is here: http://www.hands.com/~phil/debian/openssh/openssh_1.2pre13-1.diff.gz and also contains a load of debian specific packaging files under the debian directory, that you can safely ignore Cheers, Phil. From provos at citi.umich.edu Sun Nov 21 07:50:26 1999 
From: provos at citi.umich.edu (Niels Provos) Date: Sat, 20 Nov 1999 15:50:26 -0500 Subject: openssh and DOS In-Reply-To: "Craig J Copi", Sat, 20 Nov 1999 12:24:57 EST Message-ID: <19991120205108.661CE25279@toad.ilogic.com.au> we committed the following patch for that problem > Index: sshd.c > =================================================================== > RCS file: /cvs/src/usr.bin/ssh/sshd.c,v > retrieving revision 1.59 > diff -u -r1.59 sshd.c > --- sshd.c 1999/11/19 19:58:18 1.59 > +++ sshd.c 1999/11/20 19:43:46 > @@ -170,7 +170,10 @@ > { > int save_errno = errno; > int status; > - wait(&status); > + > + while (waitpid(-1, &status, WNOHANG) > 0) > + ; > + > signal(SIGCHLD, main_sigchld_handler); > errno = save_errno; > } greetings, niels. From dugsong at monkey.org Sun Nov 21 09:20:48 1999 
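Review bot: the loop is right (`waitpid(-1, …, WNOHANG)` until it returns 0 or -1), but the hunk keeps the `signal(SIGCHLD, main_sigchld_handler)` re-arm, i.e. SysV semantics where the disposition is reset on each delivery and blocking system calls are interrupted. Installing the handler once with sigaction() and `SA_RESTART | SA_NOCLDSTOP` would drop the re-arm and would also restart the read() that fails with "Interrupted system call" in the /dev/urandom crash reported elsewhere in this thread.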
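The reaping problem Craig describes and the waitpid() loop Niels committed, worked through as an added example that is not OpenSSH code: the handler is installed with sigaction() rather than signal(), reaps in a WNOHANG loop, and keeps the kind of live-connection counter a MaxConnections option needs. The names active_children, reaped_total, demo_simultaneous_exits and active_children_now are this example's own, and the burst of instantly exiting children stands in for the simultaneous hang-ups in the report.

```c
/*
 * Added example, not OpenSSH code: reap every exited child from a SIGCHLD
 * handler and keep a live-connection counter that stays correct.
 * active_children, reaped_total, demo_simultaneous_exits and
 * active_children_now are this example's own names.
 */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Only sig_atomic_t may be shared with a signal handler without a lock. */
static volatile sig_atomic_t active_children = 0;  /* forked, not yet reaped */
static volatile sig_atomic_t reaped_total = 0;     /* reaped since install */

/* One wait() per delivery misses children whose SIGCHLDs coalesced into a
 * single pending signal; loop with WNOHANG until nothing is left. */
static void sigchld_handler(int sig)
{
    int saved_errno = errno;   /* do not clobber errno of interrupted code */
    int status;

    (void)sig;
    while (waitpid(-1, &status, WNOHANG) > 0) {
        reaped_total++;
        if (active_children > 0)
            active_children--;
    }
    errno = saved_errno;
}

/* sigaction() instead of signal(): no SysV re-arm needed, SA_RESTART keeps
 * blocking read()/accept() from failing with EINTR, SA_NOCLDSTOP ignores
 * stopped (not exited) children. */
static int install_sigchld_handler(void)
{
    struct sigaction sa;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = sigchld_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART | SA_NOCLDSTOP;
    return sigaction(SIGCHLD, &sa, NULL);
}

/* Fork n children that exit at once (a burst of rude client hang-ups), then
 * wait up to timeout_ms for the handler to reap them all.  Returns the
 * number reaped, or -1 on a setup failure. */
int demo_simultaneous_exits(int n, int timeout_ms)
{
    sigset_t chld, old;
    struct timespec tick = { 0, 1000000 };   /* 1 ms */
    int i;

    reaped_total = 0;
    active_children = 0;
    if (install_sigchld_handler() == -1)
        return -1;
    sigemptyset(&chld);
    sigaddset(&chld, SIGCHLD);

    for (i = 0; i < n; i++) {
        pid_t pid;

        /* Block SIGCHLD across fork() and the increment so a child that
         * dies instantly cannot be reaped before it has been counted. */
        sigprocmask(SIG_BLOCK, &chld, &old);
        pid = fork();
        if (pid == -1) {
            sigprocmask(SIG_SETMASK, &old, NULL);
            return -1;
        }
        if (pid == 0)
            _exit(0);                 /* child: hang up immediately */
        active_children++;
        sigprocmask(SIG_SETMASK, &old, NULL);  /* pending SIGCHLD fires here */
    }

    /* Every delivery runs the full reaping loop, so the total converges on
     * n no matter how many signals were merged into one. */
    for (i = 0; i < timeout_ms && reaped_total < n; i++)
        nanosleep(&tick, NULL);
    return (int)reaped_total;
}

int active_children_now(void)
{
    return (int)active_children;
}

int main(void)
{
    int n = 16, reaped = demo_simultaneous_exits(n, 3000);

    printf("forked %d, reaped %d, counted as active %d\n",
           n, reaped, active_children_now());
    return (reaped == n && active_children_now() == 0) ? 0 : 1;
}
```

Blocking SIGCHLD across the fork() and the increment is what keeps the counter honest: without it a child that dies before the parent has counted it is skipped by the handler's `> 0` guard, and the count ends one too high for the life of the daemon.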
From: dugsong at monkey.org (Dug Song) Date: Sat, 20 Nov 1999 17:20:48 -0500 (EST) Subject: OpenSSH & Kerberos 5? In-Reply-To: Message-ID: On Thu, 18 Nov 1999, Peter Losher wrote: > Has anyone gotten OpenSSH (v1.2) to work with KRB5? I have > defined Kerberos by typing 'make KERBEROS=YES' and it defaults to > KerberosIV as such in /usr/ports/security/openssh/: OpenSSH currently only supports Kerberos v4. sorry. :-( the Kerberos v5 support that was integrated into the original SSH was based on my earlier Kerberos v4 patch - but it was implemented using the same SSH auth protocol message types, so support for the two versions is currently mutually exclusive. :-( there may be some magic we can do to auto-detect/negotiate the version of Kerberos being spoken, but i don't have any spare cycles to work on it right now. any other Kerberos ppl willing to help? > If there is a OpenSSH mailing list that this would be better > served in, let me know (I couldn't find one on the OpenSSH web site). Damien Miller is hosting one, at least until openssh.org is transferred to the OpenSSH project. see http://violet.ibs.com.au/openssh/list.html -d. --- http://www.monkey.org/~dugsong/ From djm at mindrot.org Sun Nov 21 19:13:37 1999 
From: djm at mindrot.org (Damien Miller) Date: Sun, 21 Nov 1999 19:13:37 +1100 (EST) Subject: ANNOUNCE: openssh-1.2pre13 In-Reply-To: <87yabu8y8q.fsf@sheikh.hands.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 19 Nov 1999, Philip Hands wrote: > It looks like you've fixed a load of recently reported Debian bugs :-) > > Am I right in thinking that you've been keeping an eye on the bug > reports page? Not as often as I should :( The buffer overrun was reported to me by Dane Brosemer, all the other bugfixes were coincidences :) If there are critical bugs in the future (such as the overrun), would it be possible for yourself or someone else to email me direct? > If it is the case that you are keeping an eye on the Debian BTS, and > fixing bugs found, please could you put some reference to the bug > number in your changelog in future to make my life easy (if it's not > too much effort). If you're not, I'll start forwarding the ones I > think are upstream problems to you, but I didn't want to clog up your > mailbox if you're seeing them all anyway. I will try to check the Debian bugs page more often, and will try to include bug numbers on fixes that close them. BTW where can I find the ssh package under debian-non-US, I want to provide a pointer to it on the webpage. Thanks, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4N6m0ormJ9RG1dI8RAn6WAKDE+c+yHV9ePoPtmjGztaSkxNbqSQCfUEil lNqPQSoRTfxTJYlXgkm6qkI= =KlPb -----END PGP SIGNATURE----- From djm at mindrot.org Mon Nov 22 00:24:06 1999 
From: djm at mindrot.org (Damien Miller) Date: Mon, 22 Nov 1999 00:24:06 +1100 (EST) Subject: test please ignore Message-ID: <19991121132406.9B5B526EEB@toad.mindrot.org> Another silly test From djm at mindrot.org Mon Nov 22 00:42:14 1999 From: djm at mindrot.org (Damien Miller) Date: Mon, 22 Nov 1999 00:42:14 +1100 (EST) Subject: test please ignore Message-ID: <19991121134214.225F026EB3@toad.mindrot.org> Another silly test From djm at mindrot.org Mon Nov 22 00:44:18 1999 From: djm at mindrot.org (Damien Miller) Date: Mon, 22 Nov 1999 00:44:18 +1100 (EST) Subject: test please ignore Message-ID: <19991121134418.01DE026EB3@toad.mindrot.org> Another silly test From bds at ucs.co.za Mon Nov 22 01:01:09 1999 
From: bds at ucs.co.za (Berend De Schouwer) Date: Sun, 21 Nov 1999 16:01:09 +0200 (SAST) Subject: openssh 1.2pre13 on Linux/i386 RH4.2 problems Message-ID: <199911211407.QAA30243@jhb.ucs.co.za> Can't compile sshd.c because of pam errors. The errors are attached below, and I apologize for the >75 chars a line. RH4.2, with the latest updates, runs pam-0.57-5. I could upgrade PAM from source, but I'd probably break other programs. gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/bin/ssh\" -DASKPASS_PROGRAM=\"/usr/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c sshd.c -o sshd.o sshd.c: In function `pam_cleanup_proc': sshd.c:224: warning: passing arg 1 of `pam_strerror' makes integer from pointer without a cast sshd.c:224: too many arguments to function `pam_strerror' sshd.c:231: warning: passing arg 1 of `pam_strerror' makes integer from pointer without a cast sshd.c:231: too many arguments to function `pam_strerror' ... more of these... make: *** [sshd.o] Error 1 From the 4.2 box: grep pam_strerror _pam_types.h extern const char *pam_strerror(int errnum); From a 5.2 box: grep pam_strerror _pam_types.h extern const char *pam_strerror(pam_handle_t *pamh, int errnum); If I do the obvious patch of just removing the pam_handle parameter in sshd.c, there are still non-pam warnings, and compilation breaks: gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/bin/ssh\" -DASKPASS_PROGRAM=\"/usr/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c sshd.c -o sshd.o sshd.c: In function `main': sshd.c:518: warning: implicit declaration of function `daemon' sshd.c: In function `do_fake_authloop': sshd.c:1526: warning: unused variable `type' sshd.c: In function `do_child': sshd.c:2373: warning: initialization from incompatible pointer type gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/bin/ssh\" -DASKPASS_PROGRAM=\"/usr/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c scp.c -o scp.o scp.c: 
In function `progressmeter': scp.c:1177: `quad_t' undeclared (first use this function) scp.c:1177: (Each undeclared identifier is reported only once scp.c:1177: for each function it appears in.) scp.c:1177: parse error before `abbrevsize' scp.c:1180: warning: implicit declaration of function `timersub' Now, I am probably going to upgrade this box (for other reasons), but I do wonder if anyone else has similar problems, and if anyone is interested in fixes. -- Kind regards, Berend -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Berend De Schouwer, +27-11-712-1435, UCS From morgan at transmeta.com Mon Nov 22 02:42:33 1999 From: morgan at transmeta.com (Andrew Morgan) Date: Sun, 21 Nov 1999 07:42:33 -0800 Subject: openssh 1.2pre13 on Linux/i386 RH4.2 problems References: <199911211407.QAA30243@jhb.ucs.co.za> Message-ID: <383812E9.B991DBB8@transmeta.com> Berend De Schouwer wrote: > > Can't compile sshd.c because of pam errors. The errors are attached > below, and I apologize for the >75 chars a line. RH4.2, with the > latest updates, runs pam-0.57-5. I could upgrade PAM from source, but > I'd probably break other programs. Yes, the original RFC for PAM from SunSoft said that pam_strerror() should have the RH4.x behavior, but then when Sun released their own version of PAM (in Solaris 2.6) it had the RH5.x behavior. Although it pained me to break backward compatibility, everyone agreed that it was the right thing to do in this case. [It had positive implications for being able to add internationalization support to PAM, and is why Sun had done what they did.] > From the 4.2 box: > grep pam_strerror _pam_types.h > extern const char *pam_strerror(int errnum); > > From a 5.2 box: > grep pam_strerror _pam_types.h > extern const char *pam_strerror(pam_handle_t *pamh, int errnum); It won't change again. Cheers Andrew From rhardy at webcon.net Mon Nov 22 14:33:47 1999 
From: rhardy at webcon.net (Robert Hardy) Date: Sun, 21 Nov 1999 22:33:47 -0500 (EST) Subject: 3 Bugs to Report: OpenSSH V1.2pre13 Message-ID: Three possibly related bugs to report. N.B. The test machines in question are in peak form (with the exception of different kernel versions) and were working 100% under the old ssh 1.2.x. The two clients we tested from are machines running 2.2.13 & 2.2.14preX Linux kernels. The server where the problems appeared is running 2.2.12. 1. sshd dies periodically. The crash occurred just after a connect immediately followed by a hang-up. It is unclear if that is relevant. It could be coincidental. I have only examined the logs for this one failure (there have been 2-3 others but we just restarted the daemon). This failure was seen after BB (Big Brother) has been probing ssh for several days. BB probes sshd to see if it responds and when it does it promptly hangs up without negotiating a connection. In response to this rude hang-up sshd usually logs a warning and goes back to waiting... For some reason every couple of days it decides to die. I grabbed the log excerpt below at the last crash. /dev/urandom is in use by other things on the system without difficulties (to my knowledge anyways...). Nov 21 20:59:20 aserver sshd[4059]: Connection from x.x.x.170 port 2222 Nov 21 20:59:20 aserver sshd[4059]: fatal: Bad protocol version identification: quit Nov 21 20:59:56 aserver sshd[4047]: Closing connection to x.x.x.18 Nov 21 21:04:28 aserver sshd[4092]: Connection from x.x.x.170 port 2258 Nov 21 21:04:28 aserver sshd[4092]: fatal: Bad protocol version identification: quit Nov 21 21:04:28 aserver sshd[24736]: fatal: Couldn't read from random pool "/dev/urandom":Interrupted system call ^^ After this we get a page from BB indicating ssh has given up the ghost... 2. sshd will sometimes hang when disconnecting from a server. 
-ssh host -we do some work -we hit CTRL-D to disconnect -we logout on remote system -ssh does not disconnect from remote system and will stay hung indefinitely (a ps -axuww shows an sshd process still running on the pty.) 3. For no rhyme or reason, we occasionally get a warning message just before we get a shell prompt when connecting to some of our servers through openssh. All our test servers are running the same software build (distribution) and the same version of openssh yet only some of them occasionally see the problem. This is the message we get: chan_shutdown_read failed for #0/fd4: Transport endpoint is not connected It is not clear what relation the warning message may have to the other 2 bugs. The warning message does not seem to indicate that shell will either hang or kill the parent sshd. I am willing to test various things to try and help isolate the problem(s). I'm open to suggestions... Regards, Rob -- ----------------"Linux the choice of a GNU Generation!"----------------- Robert Hardy C.E.O. Webcon Inc. rhardy at webcon.net PGP Key available by finger (613) 276-6206 From rhardy at webcon.net Mon Nov 22 14:38:05 1999 From: rhardy at webcon.net (Robert Hardy) Date: Sun, 21 Nov 1999 22:38:05 -0500 (EST) Subject: 3 Bugs to Report: OpenSSH V1.2pre13 In-Reply-To: Message-ID: I neglected to mention in my previous email that all machines are running our own distribution which is basically a customized version of Redhat 6.0 with a lot of updates & patches. Regards, Rob -- ----------------"Linux the choice of a GNU Generation!"----------------- Robert Hardy C.E.O. Webcon Inc. rhardy at webcon.net PGP Key available by finger (613) 276-6206 From djm at mindrot.org Mon Nov 22 15:05:42 1999 
From: djm at mindrot.org (Damien Miller) Date: Mon, 22 Nov 1999 15:05:42 +1100 (EST) Subject: 3 Bugs to Report: OpenSSH V1.2pre13 In-Reply-To: Message-ID: On Sun, 21 Nov 1999, Robert Hardy wrote: > Three possibly related bugs to report. N.B. The test machines in question > are in peak form (with the exception of different kernel versions) and were > working 100% under the old ssh 1.2.x. The two clients we tested from are > machines running 2.2.13 & 2.2.14preX Linux kernels. The server where the > problems appeared is running 2.2.12. > > 1. sshd dies periodically. The crash occurred just after a connect Can you try the following patch and tell me if it makes a difference? Index: helper.c =================================================================== RCS file: /var/cvs/openssh/helper.c,v retrieving revision 1.6 diff -u -r1.6 helper.c --- helper.c 1999/11/22 02:55:36 1.6 +++ helper.c 1999/11/22 03:59:24 
@@ -130,9 +129,12 @@ #endif /* HAVE_EGD */ - c = read(random_pool, buf, len); - if (c == -1) - fatal("Couldn't read from random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); + do { + c = read(random_pool, buf, len); + + if ((c == -1) && (errno != EINTR)) + fatal("Couldn't read from random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); + } while (c == -1); if (c != len) fatal("Short read from random pool \"%s\"", RANDOM_POOL); > 2. sshd will sometimes hang when disconnecting from a server. > -ssh host > -we do some work > -we hit CTRL-D to disconnect > -we logout on remote system > -ssh does not disconnect from remote system and will stay hung indefinitely > (an ps -axuww shows an sshd process still running on the pty.) Any ideas on how to trigger the hang? > I am willing to test various things to try and help isolate the problem(s). > I'm open to suggestions... If you can be bothered, a gdb trace of problem #2 from the client and server would be a godsend. Regards, Damien -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Mon Nov 22 18:58:41 1999 
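Review bot: the hunk header `@@ -130,9 +129,12 @@` says one line was deleted above this hunk, but that hunk is not in the mail, so the diff as posted is incomplete and may not apply cleanly. In the loop itself, retrying on EINTR is right, but `if (c != len) fatal("Short read …")` still follows it: read(2) may legitimately return fewer than `len` bytes, so the daemon will still die on a partial read of the pool. Accumulate into `buf` until `len` bytes have arrived (treating 0 as EOF and a real error) instead of aborting on the first short read.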
From: djm at mindrot.org (Damien Miller) Date: Mon, 22 Nov 1999 18:58:41 +1100 (EST) Subject: ANNOUNCE: 1.2pre14 Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have just released 1.2pre14 at: http://violet.ibs.com.au/openssh/ Changes: Attempt to make close gnome-ssh-askpass. This works OK when gnome-ssh-askpass is run from the commandline, but doesn't work when it is run from ssh-add. Further investigation is required. Lots of portability fixes. The ssh client now appears to run on Solaris. openssh should now also compile on Slackware linux and systems with older PAM libraries. Lots more OpenBSD CVS merges. These fix the segfault in ssh-keygen, among other things. Changelog: 19991122 - Make close gnome-ssh-askpass (Debian bug #50299) - OpenBSD CVS Changes - [ssh-keygen.c] don't create ~/.ssh only if the user wants to store the private key there. show fingerprint instead of public-key after keygeneration. ok niels@ - Added OpenBSD bsd-strlcat.c, created bsd-strlcat.h - Added timersub() macro - Tidy RCSIDs of bsd-*.c - Added autoconf test and macro to deal with old PAM libraries pam_strerror definition (one arg vs two). - Fix EGD problems (Thanks to Ben Taylor ) - Retry /dev/urandom reads interrupted by signal (report from Robert Hardy ) - Added a setenv replacement for systems which lack it - Only display public key comment when presenting ssh-askpass dialog - Released 1.2pre14 19991121 - OpenBSD CVS Changes: - [channels.c] make this compile, bad markus - [log.c readconf.c servconf.c ssh.h] bugfix: loglevels are per host in clientconfig, factor out common log-level parsing code. 
- [servconf.c] remove unused index (-Wall) - [ssh-agent.c] only one 'extern char *__progname' - [sshd.8] document SIGHUP, -Q to synopsis - [sshconnect.c serverloop.c sshd.c packet.c packet.h] [channels.c clientloop.c] SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ [hope this time my ISP stays alive during commit] - [OVERVIEW README] typos; green at freebsd - [ssh-keygen.c] replace xstrdup+strcat with strlcat+fixed buffer, fixes OF (bad me) exit if writing the key fails (no infinite loop) print usage() every time we get bad options - [ssh-keygen.c] overflow, djm at mindrot.org - [sshd.c] fix sigchld race; cjc5 at po.cwru.edu 19991120 - Merged more Solaris support from Marc G. Fournier - Wrote autoconf tests for integer bit-types - Fixed enabling kerberos support - Fix segfault in ssh-keygen caused by buffer overrun in filename handling. Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4OPe1ormJ9RG1dI8RAhhMAJ9r0hxkT9Dy8KMdKS66fSlTMtpJvACeP27W dl5IcWON/MwZjLFbHugibO8= =wW/4 -----END PGP SIGNATURE----- From nkbj at image.dk Mon Nov 22 20:05:40 1999 From: nkbj at image.dk (Niels Kristian Bech Jensen) Date: Mon, 22 Nov 1999 10:05:40 +0100 (CET) Subject: [PATCH] A couple of small fixes for 1.2pre14. Message-ID: Hi, This patch fixes a couple of small items in 1.2.pre14: 1. It's ssh-askpass, not scp that was moved to $(libexecdir)/ssh. 2. Make sure that $(libexecdir) exists. --- openssh-1.2pre14/ChangeLog~ Mon Nov 22 08:11:23 1999 +++ openssh-1.2pre14/ChangeLog Mon Nov 22 09:48:15 1999 
@@ -60,7 +60,7 @@ - EGD uses a socket, not a named pipe. Duh. - Fix includes in fingerprint.c - Fix scp progress bar bug again. - - Move scp from ${libdir}/ssh to ${libexecdir}/ssh at request of + - Move ssh-askpass from ${libdir}/ssh to ${libexecdir}/ssh at request of David Rankin - Added autoconf option to enable Kerberos 4 support (untested) - Added autoconf option to enable AFS support (untested) --- openssh-1.2pre14/Makefile.in~ Mon Nov 22 03:57:07 1999 +++ openssh-1.2pre14/Makefile.in Mon Nov 22 09:46:51 1999 @@ -2,7 +2,6 @@ exec_prefix=@exec_prefix@ bindir=@bindir@ sbindir=@sbindir@ -libdir=@libdir@ libexecdir=@libexecdir@ mandir=@mandir@ sysconfdir=@sysconfdir@ @@ -83,7 +82,7 @@ ln -sf ssh.1 $(mandir)/man1/slogin.1 if [ "x at INSTALL_ASKPASS@" = "xyes" ] ; then \ - install -d $(libdir) ; \ + install -d $(libexecdir) ; \ install -d $(libexecdir)/ssh ; \ if [ -z "@GNOME_ASKPASS@" ] ; then \ install -m755 -c ssh-askpass ${ASKPASS_PROGRAM}; \ -- Niels Kristian Bech Jensen -- nkbj at image.dk -- http://www.image.dk/~nkbj/ ----------->> Stop software piracy --- use free software! <<----------- From djm at mindrot.org Mon Nov 22 23:00:11 1999 From: djm at mindrot.org (Damien Miller) Date: Mon, 22 Nov 1999 23:00:11 +1100 (EST) Subject: [PATCH] A couple of small fixes for 1.2pre14. In-Reply-To: Message-ID: On Mon, 22 Nov 1999, Niels Kristian Bech Jensen wrote: > Hi, > This patch fixes a couple of small items in 1.2.pre14: > > 1. It's ssh-askpass, not scp that was moved to $(libexecdir)/ssh. > 2. Make sure that $(libexecdir) exists. Thanks for that, I have applied it. Regards, Damien -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From rhardy at webcon.net Tue Nov 23 02:58:19 1999 
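Review bot: the Makefile.in hunk deletes `libdir=@libdir@` while only the one `install -d $(libdir)` use is rewritten; check with `grep libdir Makefile.in` that no other target still expands $(libdir), otherwise it now expands to an empty string and files land under `/`. The added `install -d $(libexecdir)` is harmless but redundant, since the `install -d $(libexecdir)/ssh` on the next line already creates missing parent directories.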
From: rhardy at webcon.net (Robert Hardy) Date: Mon, 22 Nov 1999 10:58:19 -0500 (EST) Subject: 3 Bugs to Report: OpenSSH V1.2pre13 In-Reply-To: Message-ID: On Mon, 22 Nov 1999, Damien Miller wrote: > On Sun, 21 Nov 1999, Robert Hardy wrote: > > 1. sshd dies periodically. The crash occurred just after a connect > > Can you try the following patch and tell me if it makes a difference? > > Index: helper.c > =================================================================== > RCS file: /var/cvs/openssh/helper.c,v > retrieving revision 1.6 > diff -u -r1.6 helper.c > --- helper.c 1999/11/22 02:55:36 1.6 > +++ helper.c 1999/11/22 03:59:24 
> @@ -130,9 +129,12 @@ > [snip] I have installed pre14 which contains the patch. I will let you know if it dies again. The problem was only occurring every few days, so it may take some time before we know if the patch solved the problem... > > 2. sshd will sometimes hang when disconnecting from a server. > > -ssh host > > -we do some work > > -we hit CTRL-D to disconnect > > -we logout on remote system > > -ssh does not disconnect from remote system and will stay hung indefinitely > > (an ps -axuww shows an sshd process still running on the pty.) > > Any ideas on how to trigger the hang? Unfortunately no. I haven't seen any pattern to the hangs nor any causal factors... I realize that makes debugging difficult.... > > I am willing to test various things to try and help isolate the problem(s). > > I'm open to suggestions... > > If you can be bothered, a gdb trace of problem #2 from the client and > server would be a godsend. Ouch... That would mean running gdb on every connection pretty well 24/7 for a week... Well OK if you tell me how to do it... I've used strace some but my familiarity with gdb is very limited. (I'm a sysadmin/perl hacker...) I don't think I could catch this with strace on the server as the problem is after a fork (I think so anyways)... So how do I use gdb to debug the forked server process? Regards, Rob -- ----------------"Linux the choice of a GNU Generation!"----------------- Robert Hardy C.E.O. Webcon Inc. rhardy at webcon.net PGP Key available by finger (613) 276-6206 From provos at citi.umich.edu Tue Nov 23 03:33:44 1999 
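The retry loop in Damien's helper.c patch handles the EINTR that Robert's log shows, but still treats a short read as fatal. As an added example that is not OpenSSH code, here is a read loop that retries EINTR and accumulates partial reads until the requested length has arrived, exercised against a pipe whose writer sends in bursts while an interval timer keeps interrupting the blocking read(). read_full, pipe_demo and eintr_retry_count are this example's own names, and the byte pattern the writer sends is constructed for the demo.

```c
/*
 * Added example, not OpenSSH code: read exactly len bytes, retrying EINTR
 * and accumulating short reads, plus a pipe demo that provokes both.
 * read_full, pipe_demo and eintr_retry_count are this example's own names.
 */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static volatile sig_atomic_t eintr_retries = 0;  /* read() interruptions seen */

/* Returns 0 once len bytes are in buf, -1 on error or EOF; the caller
 * (sshd would call fatal()) decides what a failure means. */
int read_full(int fd, void *buf, size_t len)
{
    unsigned char *p = buf;
    size_t got = 0;

    while (got < len) {
        ssize_t c = read(fd, p + got, len - got);

        if (c == -1) {
            if (errno == EINTR) {   /* a signal interrupted us: just retry */
                eintr_retries++;
                continue;
            }
            return -1;              /* genuine error */
        }
        if (c == 0)
            return -1;              /* EOF before len bytes is an error too */
        got += (size_t)c;           /* short read: keep reading */
    }
    return 0;
}

int eintr_retry_count(void) { return (int)eintr_retries; }

/* Exists only so a SIGALRM delivery interrupts the blocking read(). */
static void on_alarm(int sig) { (void)sig; }

/* Child writes `total` bytes (constructed pattern 0,1,2,...) in 5-byte
 * bursts 20 ms apart; the parent reads them with read_full() while a 2 ms
 * interval timer, installed without SA_RESTART, interrupts read().
 * Returns the number of bytes read into out, or -1. */
int pipe_demo(unsigned char *out, size_t total)
{
    int fds[2], rc;
    pid_t pid;
    struct sigaction sa;
    struct itimerval it = { { 0, 2000 }, { 0, 2000 } };

    if (pipe(fds) == -1)
        return -1;
    if ((pid = fork()) == -1)
        return -1;
    if (pid == 0) {
        struct timespec pause = { 0, 20000000 };  /* 20 ms */
        size_t i, j;

        close(fds[0]);
        for (i = 0; i < total; i += 5) {
            unsigned char chunk[5];
            size_t n = (total - i < 5) ? total - i : 5;

            for (j = 0; j < n; j++)
                chunk[j] = (unsigned char)(i + j);
            if (write(fds[1], chunk, n) != (ssize_t)n)
                _exit(1);
            nanosleep(&pause, NULL);
        }
        _exit(0);
    }
    close(fds[1]);

    memset(&sa, 0, sizeof sa);      /* sa_flags == 0: no SA_RESTART */
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, NULL);
    setitimer(ITIMER_REAL, &it, NULL);

    eintr_retries = 0;
    rc = read_full(fds[0], out, total);

    memset(&it, 0, sizeof it);      /* stop the timer */
    setitimer(ITIMER_REAL, &it, NULL);
    close(fds[0]);
    while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
        ;
    return rc == 0 ? (int)total : -1;
}

int main(void)
{
    unsigned char buf[23];
    int n = pipe_demo(buf, sizeof buf);

    printf("read %d bytes, %d EINTR retries\n", n, eintr_retry_count());
    return n == (int)sizeof buf ? 0 : 1;
}
```

The timer without SA_RESTART is what the /dev/urandom failure looks like from inside sshd: a SIGCHLD from a dying child lands while the parent is blocked in read(), and without either a retry loop or SA_RESTART the daemon treats that as a fatal error. Installing the daemon's own handlers with SA_RESTART removes the EINTR, but the length loop is still needed for short reads.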
From: provos at citi.umich.edu (Niels Provos) Date: Mon, 22 Nov 1999 11:33:44 -0500 Subject: status of openssh for solaris? In-Reply-To: Willard Dawson, Mon, 22 Nov 1999 11:08:26 EST Message-ID: <19991122163509.C4B1626EF4@toad.mindrot.org> In message <19991122110826.A23851 at wdawson-sun.sbs.siemens.com>, Willard Dawson writes: >I just tried to compile, this time with openssh-1.2pre14, openssl-0.9.4 >and egd-0.6. I get considerably further along, but still not completely >compiled. Here are the last bits: > >gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PR >OGRAM=\"/usr/local/bin/ssh\" -DASKPASS_PROGRAM=\"/usr/local/libexec/ssh/ssh-as >kpass\" -DHAVE_CONFIG_H -c bsd-daemon.c >bsd-daemon.c: In function `daemon': >bsd-daemon.c:70: `_PATH_DEVNULL' undeclared (first use in this function) >bsd-daemon.c:70: (Each undeclared identifier is reported only once >bsd-daemon.c:70: for each function it appears in.) >*** Error code 1 >make: Fatal error: Command failed for target `bsd-daemon.o' > >I cannot find any reference to DEVNULL in /usr/include or .../sys. This >must be a bsd-ism, not supported under native Solaris, I guess. Okay, I cc'ed this to the openssh-unix-dev mailing list. It should just be like this: /usr/include/paths.h:#define _PATH_DEVNULL "/dev/null" Niels. From provos at citi.umich.edu Tue Nov 23 03:35:40 1999 
From: provos at citi.umich.edu (Niels Provos) Date: Mon, 22 Nov 1999 11:35:40 -0500 Subject: status of openssh for solaris? In-Reply-To: Willard Dawson, Mon, 22 Nov 1999 11:25:13 EST Message-ID: <19991122163608.488EE26EF5@toad.mindrot.org> In message <19991122112513.A24003 at wdawson-sun.sbs.siemens.com>, Willard Dawson writes: >Should I forward this to you, or go the mailing list? For compiling problems, the mailing list is probably the best place. I cc'ed it again ;) Niels. >I proceeded further, after modifying _PATH_DEVNULL with the actual >path string for "/dev/null", to find similar errors due to _PATH_UTMP >and _PATH_WTMP in bsd-login.c. So, after using "/var/adm/utmp" and >"/var/adm/wtmp", respectively, I did proceed further. > >I see some additional potential problems: > >gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PR >OGRAM=\"/usr/local/bin/ssh\" -DASKPASS_PROGRAM=\"/usr/local/libexec/ssh/ssh-as >kpass\" -DHAVE_CONFIG_H -c canohost.c >canohost.c: In function `get_remote_hostname': >canohost.c:60: warning: subscript has type `char' > >gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PR >OGRAM=\"/usr/local/bin/ssh\" -DASKPASS_PROGRAM=\"/usr/local/libexec/ssh/ssh-as >kpass\" -DHAVE_CONFIG_H -c channels.c >channels.c: In function `x11_create_display_inet': >channels.c:1087: warning: `sock' might be used uninitialized in this function > >gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PR >OGRAM=\"/usr/local/bin/ssh\" -DASKPASS_PROGRAM=\"/usr/local/libexec/ssh/ssh-as >kpass\" -DHAVE_CONFIG_H -c hostfile.c >hostfile.c: In function `match_hostname': >hostfile.c:136: warning: subscript has type `char' > >gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PR >OGRAM=\"/usr/local/bin/ssh\" -DASKPASS_PROGRAM=\"/usr/local/libexec/ssh/ssh-as >kpass\" -DHAVE_CONFIG_H -c login.c >login.c: In function `record_login': >login.c:92: warning: implicit declaration of 
function `login' > >gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PR >OGRAM=\"/usr/local/bin/ssh\" -DASKPASS_PROGRAM=\"/usr/local/libexec/ssh/ssh-as >kpass\" -DHAVE_CONFIG_H -c sshconnect.c >sshconnect.c: In function `ssh_login': >sshconnect.c:1047: warning: subscript has type `char' > >gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PR >OGRAM=\"/usr/local/bin/ssh\" -DASKPASS_PROGRAM=\"/usr/local/libexec/ssh/ssh-as >kpass\" -DHAVE_CONFIG_H -c bsd-mktemp.c >bsd-mktemp.c: In function `_gettemp': >bsd-mktemp.c:173: warning: subscript has type `char' > >gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PR >OGRAM=\"/usr/local/bin/ssh\" -DASKPASS_PROGRAM=\"/usr/local/libexec/ssh/ssh-as >kpass\" -DHAVE_CONFIG_H -c bsd-login.c >bsd-login.c: In function `login': >bsd-login.c:55: warning: unused variable `old_ut' > > >Finally, at the very end, it does not compile: > >gcc -o ssh -lpam -ldl -lsocket -lnsl -lz -lcrypto -L/usr/local/ssl/lib -lss >l -lcrypto >Undefined first referenced > symbol in file >main /usr/local/lib/gcc-lib/sparc-sun-solaris2. >7/2.95/crt1.o >ld: fatal: Symbol referencing errors. No output written to ssh >collect2: ld returned 1 exit status >*** Error code 1 >make: Fatal error: Command failed for target `ssh' From markus.friedl at informatik.uni-erlangen.de Tue Nov 23 03:57:45 1999 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 22 Nov 1999 17:57:45 +0100
Subject: 3 Bugs to Report: OpenSSH V1.2pre13
Message-ID: <19991122175745.B22778@folly.informatik.uni-erlangen.de>

hi, who says this? client? server? can you provide
debugging output from 'ssh -v' and/or 'sshd -d'?
these messages are related to port/agent/x11-forwarding,
please provide more info.

On Sun, Nov 21, 1999 at 10:33:47PM -0500, Robert Hardy wrote:
> 3. For no rhyme or reason, we occasionally get a warning message just
> before we get a shell prompt when connecting to some of our servers
> through openssh. All our test servers are running the same software build
> (distribution) and the same version of openssh yet only some of them
> occasionally see the problem. This is the message we get:
> chan_shutdown_read failed for #0/fd4: Transport endpoint is not connected
>
> It is not clear what relation the warning message may have to the other 2
> bugs. The warning message does not seem to indicate that shell will
> either hang or kill the parent sshd.

From marc.fournier at acadiau.ca Tue Nov 23 04:33:18 1999
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Mon, 22 Nov 1999 13:33:18 -0400 (AST)
Subject: Solaris 7 and /dev/null ...

As far as I can tell, it isn't defined anywhere, so bsd-login.c fails:

bsd-daemon.c: In function `daemon':
bsd-daemon.c:70: `_PATH_DEVNULL' undeclared (first use in this function)
bsd-daemon.c:70: (Each undeclared identifier is reported only once
bsd-daemon.c:70: for each function it appears in.)

I don't know if anyone actually puts /dev/null in a different place...is
there a reason why _PATH_DEVNULL isn't just changed to /dev/null in
bsd-login.c?

Marc G. Fournier                                marc.fournier at acadiau.ca
Senior Systems Administrator                            Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From willard.dawson at sbs.siemens.com Tue Nov 23 04:34:30 1999
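Marc's question (does anyone keep /dev/null somewhere else?) has the usual portable answer: take _PATH_DEVNULL from <paths.h> on systems that have one, guarded by the HAVE_PATHS_H check configure already makes, and define it yourself otherwise. The example below is added here and is not OpenSSH's bsd-daemon.c. It shows that guard together with the reason a privileged daemon wants a reliable null device before it does anything else: if a process is started with descriptor 0, 1 or 2 closed, its next open() (a host key, a log file, a socket) lands on that number and later writes to "stdout" or "stderr" go into that file. Pointing every closed standard descriptor at the null device first removes that failure mode. open_devnull(), ensure_fd_open(), sanitise_stdfds() and demo_repair_closed_fd() are names chosen for this example, and the S_ISCHR check is a precaution of the example, not something the thread asks for.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#ifdef HAVE_PATHS_H
# include <paths.h>      /* BSD-derived systems define _PATH_DEVNULL here */
#endif

/* Fallback for platforms whose headers don't provide it (Solaris 7, per
 * the thread).  Same guard pattern as the other _PATH_* fallbacks. */
#ifndef _PATH_DEVNULL
# define _PATH_DEVNULL "/dev/null"
#endif

/* Open _PATH_DEVNULL read/write and insist that it really is a character
 * device: a regular file planted at that path would silently absorb, and
 * keep, whatever the daemon writes there.  Returns a descriptor or -1. */
int open_devnull(void)
{
    struct stat st;
    int fd = open(_PATH_DEVNULL, O_RDWR);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Make sure descriptor fd is open.  Returns 0 if it already was, 1 if it
 * was closed and has now been pointed at the null device, -1 on error. */
int ensure_fd_open(int fd)
{
    int nullfd;

    if (fcntl(fd, F_GETFD) != -1)
        return 0;                       /* already open, nothing to do */
    if ((nullfd = open_devnull()) < 0)
        return -1;
    if (nullfd == fd)
        return 1;                       /* open() filled exactly the hole */
    if (dup2(nullfd, fd) < 0) {
        close(nullfd);
        return -1;
    }
    close(nullfd);
    return 1;
}

/* Apply ensure_fd_open() to stdin, stdout and stderr.  Returns how many
 * had to be repaired, or -1 if one could not be. */
int sanitise_stdfds(void)
{
    int fd, r, fixed = 0;

    for (fd = 0; fd <= 2; fd++) {
        if ((r = ensure_fd_open(fd)) < 0)
            return -1;
        fixed += r;
    }
    return fixed;
}

/* Self-check: borrow a descriptor number, close it, and confirm that
 * ensure_fd_open() reopens it on the null device.  Returns 1 on success. */
int demo_repair_closed_fd(void)
{
    int spare, r;
    int nullfd = open_devnull();

    if (nullfd < 0)
        return 0;
    spare = dup(nullfd);                /* a number we can sacrifice */
    close(nullfd);
    if (spare < 0)
        return 0;
    close(spare);                       /* now `spare` is a hole in the table */
    r = ensure_fd_open(spare);          /* should repair it: returns 1 */
    if (r != 1 || fcntl(spare, F_GETFD) == -1)
        return 0;
    r = ensure_fd_open(spare);          /* open now: returns 0 */
    close(spare);
    return r == 0;
}

int main(void)
{
    printf("standard descriptors repaired: %d\n", sanitise_stdfds());
    printf("closed-descriptor repair %s\n",
           demo_repair_closed_fd() ? "works" : "failed");
    return 0;
}
```

Call sanitise_stdfds() as the first thing in main(), before any open() or socket(); a daemon that also forks and redirects its own stdio can then use open_devnull() for that step instead of opening the path a second time.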
From: willard.dawson at sbs.siemens.com (Willard Dawson)
Date: Mon, 22 Nov 1999 12:34:30 -0500
Subject: status of openssh for solaris?
In-Reply-To: <199911221636.LAA21242@ns0.sbs.siemens.com>
References: <199911221636.LAA21242@ns0.sbs.siemens.com>
Message-ID: <19991122123430.A24709@wdawson-sun.sbs.siemens.com>

Thanks Niels. From hereon, I'll just send my comments to the mailing list.

On Mon, Nov 22, 1999 at 11:35:40AM -0500, Niels Provos wrote:
> In message <19991122112513.A24003 at wdawson-sun.sbs.siemens.com>, Willard Dawson
> writes:
> >Should I forward this to you, or go the mailing list?
> For compiling problems, the mailing list is probably the best place.
> I cc'ed it again ;)
>
> Niels.
>
> >I proceeded further, after modifying _PATH_DEVNULL with the actual
> >path string for "/dev/null", to find similar errors due to _PATH_UTMP
> >and _PATH_WTMP in bsd-login.c. So, after using "/var/adm/utmp" and
> >"/var/adm/wtmp", respectively, I did proceed further.

It seems that some real effort to make a Solaris-clean version minus any
remnant of paths.h is still needed.

> >I see some additional potential problems:

... which I'm willing to ignore for a moment...

> >gcc -o ssh -lpam -ldl -lsocket -lnsl -lz -lcrypto -L/usr/local/ssl/lib -lss
> >l -lcrypto
> >Undefined                       first referenced
> > symbol                             in file
> >main                                /usr/local/lib/gcc-lib/sparc-sun-solaris2.
> >7/2.95/crt1.o
> >ld: fatal: Symbol referencing errors. No output written to ssh
> >collect2: ld returned 1 exit status
> >*** Error code 1
> >make: Fatal error: Command failed for target `ssh'

Ok, so it's been a while since I did real work. Trying gmake, instead, gets
me further along:

gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DASKPASS_PROGRAM=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c ssh-add.c -o ssh-add.o
ssh-add.c: In function `main':
ssh-add.c:187: conflicting types for `__progname'
ssh-add.c:32: previous declaration of `__progname'
gmake: *** [ssh-add.o] Error 1

That one's easy enough to work around by simply copying the same ifdefs
into the next declaration. Similar problem in ssh-keygen.c.

After all that, I finally got it to compile. *whew* Now, to see if it
runs...

-- 
Willard Francis Otto Dawson        +1 770 814 5099 / +1 770 814 5202 FAX
Siemens Business Services, ENS     mailto:willard.dawson at sbs.siemens.com
4570 River Green Pkwy, Ste 140     http://www.sbs.siemens.com/
Duluth, GA 30096-2564              Standard disclaimer applies.

From marc.fournier at acadiau.ca Tue Nov 23 04:37:17 1999
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Mon, 22 Nov 1999 13:37:17 -0400 (AST)
Subject: Solaris 7 and sshd.c / HAVE_MAILLOCK_H

maillock.h defines MAILDIR, MAILDIR is needed in config.h, and config.h
needs to be included after maillock.h...

#ifdef HAVE_MAILLOCK_H
# include <maillock.h>
# include "config.h"
#endif

In order to get _PATH_MAILDIR defined properly...

Marc G. Fournier                                marc.fournier at acadiau.ca
Senior Systems Administrator                            Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From marc.fournier at acadiau.ca Tue Nov 23 04:38:11 1999
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Mon, 22 Nov 1999 13:38:11 -0400 (AST)
Subject: second define of progname in ssh-add.c ...

... needs to be removed ... creates a conflicting define ...

Marc G. Fournier                                marc.fournier at acadiau.ca
Senior Systems Administrator                            Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From marc.fournier at acadiau.ca Tue Nov 23 05:04:05 1999
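The "conflicting types for `__progname'" error Willard hit, and the second declaration Marc says needs to be removed, are the same thing: one variable declared at file scope as const char * under the "no system __progname" ifdef, then again inside main() as extern char *. The robust arrangement is one guarded declaration that every use sees, with the name filled in from argv[0] on systems whose libc does not manage it. The example below is added here and is not OpenSSH's ssh-add.c; HAVE___PROGNAME, progname_from_argv0(), current_progname() and format_diag() are names chosen for the example (the configure macro OpenSSH tests is not shown in the thread). It also treats argv[0] as untrusted, since whoever exec()s a program chooses it and the name ends up in syslog lines and error messages.

```c
#include <stdio.h>
#include <string.h>

#define PROGNAME_MAX 32

/* Hypothetical configure result: defined when libc already provides
 * __progname (BSD, glibc), undefined on systems such as Solaris.  Either
 * way there is exactly one declaration, with one type, for every file. */
#ifdef HAVE___PROGNAME
extern char *__progname;
#else
static const char *__progname = "unknown";
#endif

static char progname_buf[PROGNAME_MAX + 1];

/* Take the part of argv0 after the last '/', copy it into a bounded buffer
 * with control and non-ASCII bytes replaced by '?', record it as the
 * program name where libc does not do so for us, and return it. */
const char *progname_from_argv0(const char *argv0)
{
    const char *src = "unknown";
    size_t i;

    if (argv0 != NULL && argv0[0] != '\0') {
        const char *slash = strrchr(argv0, '/');
        src = (slash != NULL && slash[1] != '\0') ? slash + 1 : argv0;
    }
    /* argv[0] is chosen by whoever exec()s us: cap its length and
     * neutralise bytes that could forge extra log lines or emit terminal
     * escapes when the name is printed in a diagnostic. */
    for (i = 0; i < PROGNAME_MAX && src[i] != '\0'; i++)
        progname_buf[i] = (src[i] >= 0x20 && src[i] < 0x7f) ? src[i] : '?';
    progname_buf[i] = '\0';
#ifndef HAVE___PROGNAME
    __progname = progname_buf;
#endif
    return progname_buf;
}

/* Name to print in diagnostics, whichever side of the ifdef we are on. */
const char *current_progname(void)
{
    return __progname;
}

/* Format a diagnostic the way the tools in the thread do: "<name>: msg".
 * Returns snprintf's result (the length the full message would have). */
int format_diag(char *buf, size_t buflen, const char *msg)
{
    return snprintf(buf, buflen, "%s: %s", current_progname(), msg);
}

int main(int argc, char **argv)
{
    char line[128];

    (void)argc;
    progname_from_argv0(argv[0]);
    format_diag(line, sizeof line, "no RSA support in libssl and libcrypto");
    puts(line);
    return 0;
}
```

With this layout the extern inside main() that the compiler complained about simply goes away: every function already sees the single file-scope declaration.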
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Mon, 22 Nov 1999 14:04:05 -0400 (AST)
Subject: status of openssh for solaris?
In-Reply-To: <19991122123430.A24709@wdawson-sun.sbs.siemens.com>

On Mon, 22 Nov 1999, Willard Dawson wrote:

> Thanks Niels. From hereon, I'll just send my comments to the mailing
> list.
>
> On Mon, Nov 22, 1999 at 11:35:40AM -0500, Niels Provos wrote:
> > In message <19991122112513.A24003 at wdawson-sun.sbs.siemens.com>, Willard Dawson
> > writes:
> > >Should I forward this to you, or go the mailing list?
> > For compiling problems, the mailing list is probably the best place.
> > I cc'ed it again ;)
> >
> > Niels.
> >
> > >I proceeded further, after modifying _PATH_DEVNULL with the actual
> > >path string for "/dev/null", to find similar errors due to _PATH_UTMP
> > >and _PATH_WTMP in bsd-login.c. So, after using "/var/adm/utmp" and
> > >"/var/adm/wtmp", respectively, I did proceed further.
>
> It seems that some real effort to make a Solaris-clean version minus any
> remnant of paths.h is still needed.

actually, in some of these cases, it's just a mis-organization of
include/header files...the UTMP/WTMP problems are all fixed in config.h.in,
just not in the respective .c files ...

> gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DASKPASS_PROGRAM=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c ssh-add.c -o ssh-add.o
> ssh-add.c: In function `main':
> ssh-add.c:187: conflicting types for `__progname'
> ssh-add.c:32: previous declaration of `__progname'
> gmake: *** [ssh-add.o] Error 1

this one is work that Damien did to get around problems where an OS doesn't
define __progname, but missed a few occurrences further in the C files...
basically, delete line 187 and you'll be fine...

Marc G. Fournier                                marc.fournier at acadiau.ca
Senior Systems Administrator                            Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From marc.fournier at acadiau.ca Tue Nov 23 05:10:12 1999
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Mon, 22 Nov 1999 14:10:12 -0400 (AST)
Subject: [solaris 7] compiles, runs but won't let me login ...

ssh -l marc new-relay
marc at new-relay's password:
Connection closed by remote host.

in /var/log/sshd:

new-relay:/usr/slocal/setup> tail /var/log/sshd
Nov 22 14:08:02 new-relay sshd[11533]: Connection from 131.162.200.78 port 1021
Nov 22 14:08:04 new-relay sshd[11533]: PAM Password authentication accepted for user "marc"

No other errors anywhere, and no cores that I can find so far...

Am debugging further, if anyone has any suggestions though, or has seen
this already?

Marc G. Fournier                                marc.fournier at acadiau.ca
Senior Systems Administrator                            Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From marc.fournier at acadiau.ca Tue Nov 23 05:54:11 1999
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Mon, 22 Nov 1999 14:54:11 -0400 (AST)
Subject: OpenSSH 1.2pre14 fails on pam_open_session() ...

Anyone out there know more about PAM under Solaris 7/x86 than I do, that
can maybe tackle this, and/or suggest a route to take to fix?

After doing some debugging, it looks like the problem is a seg fault at:

sshd.c:void pam_cleanup_proc(void *context)
===========================================
        debug("PAM_retval(open_session) about to run");
        pam_retval = pam_open_session((pam_handle_t *)pamh, 0);
        debug("PAM_retval(open_session) successful");
        if (pam_retval != PAM_SUCCESS) {
                log("PAM session setup failed: %.200s",
                    PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
                do_fake_authloop(username);
        }
==========================================

PAM Password authentication accepted for user "marc"
debug: PAM setting rhost to "atelier.acadiau.ca"
debug: PAM_retval(remote_host) successful
debug: PAM_retval(acct_mgmt) successful
debug: PAM_retval(open_session) about to run
Segmentation fault
===========================================

so, it's looking like I'm authenticated properly, but when trying to set up
the whole environment, it's failing...? anyone know how I should go about
debugging this?

thanks...

Marc G. Fournier                                marc.fournier at acadiau.ca
Senior Systems Administrator                            Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From csaia at wtower.com Tue Nov 23 06:00:24 1999
From: csaia at wtower.com (Chris Saia)
Date: 22 Nov 1999 14:00:24 -0500
Subject: tcp-wrappers not being used even w/ --with-tcp-wrappers

Howdy,

It seems that even when specifying the --with-tcp-wrappers configure
flag, the LIBWRAP define in config.h never gets #define'd and -lwrap
never gets added to LIBS in the Makefile. To make sure I wasn't
dealing with a stale configure file, I ran autoconf on configure.in
to roll a new configure. I also don't see anything wrong with the
--with-tcp-wrappers defined in configure.in. No luck so far.

I'll continue poking at the source to try to solve it, but in the
meantime, if someone comes up with the solution, please post it to
the list.

Thanks,

-- 
===============================================================================
csaia at wtower.com, WTnet IRC Administrator - http://www.wtower.com/~csaia/
GNU Privacy Guard Public Key information is available at the above URL.
===============================================================================

From marc.fournier at acadiau.ca Tue Nov 23 06:13:34 1999
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Mon, 22 Nov 1999 15:13:34 -0400 (AST)
Subject: [s-x86] OpenSSH 1.2pre14 fails on pam_open_session() ...
In-Reply-To: <199911221903.LAA10577@shell3.ba.best.com>

On Mon, 22 Nov 1999, Philip Brown wrote:

> [ Marc G. Fournier writes ]
> > debug("PAM_retval(open_session) about to run");
> > pam_retval = pam_open_session((pam_handle_t *)pamh, 0);
> >
> >
> > ===========================================
> >
> > so, it's looking like I'm authenticated properly, but when trying to set up
> > the whole environment, it's failing...? anyone know how I should go about
> > debugging this?
>
> well it's obviously blowing up on pam_open_session, so you need to validate
> your "pamh" handle somehow.

thank you, and how would one do this? considering that my 'pamh' handle is
being used three times prior to that, in:

        pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, remote_host);
        pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user);
        pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0);

all in the same function, I would have thought that this would have been
okay...all of the above go through successfully...

my only real "reference" for PAM is wu-ftpd, in which the pam authentication
stuff all works, but the pam_* functions that wu-ftpd uses don't appear to
be even close to what is used in sshd.c :(

Marc G. Fournier                                marc.fournier at acadiau.ca
Senior Systems Administrator                            Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From nkbj at image.dk Tue Nov 23 06:15:14 1999
From: nkbj at image.dk (Niels Kristian Bech Jensen)
Date: Mon, 22 Nov 1999 20:15:14 +0100 (CET)
Subject: tcp-wrappers not being used even w/ --with-tcp-wrappers

On 22 Nov 1999, Chris Saia wrote:

> Howdy,
>
> It seems that even when specifying the --with-tcp-wrappers configure
> flag, the LIBWRAP define in config.h never gets #define'd and -lwrap
> never gets added to LIBS in the Makefile. To make sure I wasn't
> dealing with a stale configure file, I ran autoconf on configure.in
> to roll a new configure. I also don't see anything wrong with the
> --with-tcp-wrappers defined in configure.in. No luck so far.
>
> I'll continue poking at the source to try to solve it, but in the
> meantime, if someone comes up with the solution, please post it to
> the list.
>

This patch should fix the problem:

--- openssh-1.2pre14/configure.in~ Mon Nov 22 06:11:05 1999 +++ openssh-1.2pre14/configure.in Mon Nov 22 20:13:15 1999 @@ -284,7 +284,7 @@ ) dnl Check whether user wants TCP wrappers support -AC_ARG_WITH(skey, +AC_ARG_WITH(tcp-wrappers, [ --with-tcp-wrappers Enable tcpwrappers support], [ AC_DEFINE(LIBWRAP)

-- 
Niels Kristian Bech Jensen -- nkbj at image.dk -- http://www.image.dk/~nkbj/
----------->> Stop software piracy --- use free software! <<-----------

From csaia at wtower.com Tue Nov 23 06:24:44 1999
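Review bot: the visible part of the hunk shows only AC_DEFINE(LIBWRAP) inside the corrected AC_ARG_WITH(tcp-wrappers, ...) action, while the report this fixes says two things were missing, the LIBWRAP define and -lwrap in LIBS. Whether the action continues with something like LIBS="$LIBS -lwrap" is outside the quoted context, so confirm it before merging; with the define alone, the LIBWRAP block in sshd.c will now compile and then fail at link time instead of being silently skipped.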
From: csaia at wtower.com (Chris Saia)
Date: 22 Nov 1999 14:24:44 -0500
Subject: tcp-wrappers not being used even w/ --with-tcp-wrappers
In-Reply-To: Niels Kristian Bech Jensen's message of "Mon, 22 Nov 1999 20:15:14 +0100 (CET)"

Niels Kristian Bech Jensen writes:

> -AC_ARG_WITH(skey,
> +AC_ARG_WITH(tcp-wrappers,

D'oh! I can't believe I overlooked something that simple. Thanks.

-- 
===============================================================================
csaia at wtower.com, WTnet IRC Administrator - http://www.wtower.com/~csaia/
GNU Privacy Guard Public Key information is available at the above URL.
===============================================================================

From nkbj at image.dk Tue Nov 23 06:26:25 1999
From: nkbj at image.dk (Niels Kristian Bech Jensen)
Date: Mon, 22 Nov 1999 20:26:25 +0100 (CET)
Subject: [PATCH] Fixing a couple of glitches in configure.in (1.2.pre14.)

Hi,

After fixing the --with-tcp-wrappers problem I decided to look closer at
configure.in and found that --with-md5-passwords didn't work either. This
patch fixes both problems (remember to run autoconf.)

diff -ur openssh-1.2pre14.orig/configure.in openssh-1.2pre14/configure.in --- openssh-1.2pre14.orig/configure.in Mon Nov 22 06:11:05 1999 +++ openssh-1.2pre14/configure.in Mon Nov 22 20:21:53 1999 @@ -284,7 +284,7 @@ ) dnl Check whether user wants TCP wrappers support -AC_ARG_WITH(skey, +AC_ARG_WITH(tcp-wrappers, [ --with-tcp-wrappers Enable tcpwrappers support], [ AC_DEFINE(LIBWRAP) @@ -293,7 +293,7 @@ ) dnl Check whether to enable MD5 passwords -AC_ARG_WITH(md5passwords, +AC_ARG_WITH(md5-passwords, [ --with-md5-passwords Enable use of MD5 passwords], [AC_DEFINE(HAVE_MD5_PASSWORDS)] )

-- 
Niels Kristian Bech Jensen -- nkbj at image.dk -- http://www.image.dk/~nkbj/
----------->> Stop software piracy --- use free software! <<-----------

From rhardy at webcon.net Tue Nov 23 08:17:24 1999
From: rhardy at webcon.net (Robert Hardy)
Date: Mon, 22 Nov 1999 16:17:24 -0500 (EST)
Subject: 3 Bugs to Report: OpenSSH V1.2pre13
In-Reply-To: <19991122175745.B22778@folly.informatik.uni-erlangen.de>

On Mon, 22 Nov 1999, Markus Friedl wrote:

> hi, who says this? client? server? can you provide
> debugging output from 'ssh -v' and/or 'sshd -d'?
> these messages are related to port/agent/x11-forwarding,
> please provide more info.

I do the following:

ssh hostname

I get:

Last login: Mon Nov 22 16:11:09 1999 from xxx.xxx.webcon.net
Webcon SRP vx.x.x
chan_shutdown_read failed for #0/fd4: Transport endpoint is not connected
xxx 4:11pm {0}[~]

That would be the client. The next time it does it I will try to get more
debugging information. I haven't seen it recently...

Regards,
Rob

-- 
----------------"Linux the choice of a GNU Generation!"-----------------
Robert Hardy                                          C.E.O. Webcon Inc.
rhardy at webcon.net       PGP Key available by finger      (613) 276-6206

> On Sun, Nov 21, 1999 at 10:33:47PM -0500, Robert Hardy wrote:
> > 3. For no rhyme or reason, we occasionally get a warning message just
> > before we get a shell prompt when connecting to some of our servers
> > through openssh. All our test servers are running the same software build
> > (distribution) and the same version of openssh yet only some of them
> > occasionally see the problem. This is the message we get:
> > chan_shutdown_read failed for #0/fd4: Transport endpoint is not connected
> >
> > It is not clear what relation the warning message may have to the other 2
> > bugs. The warning message does not seem to indicate that shell will
> > either hang or kill the parent sshd.
>

From djm at mindrot.org Tue Nov 23 10:45:00 1999
From: djm at mindrot.org (Damien Miller)
Date: Tue, 23 Nov 1999 10:45:00 +1100 (EST)
Subject: 3 Bugs to Report: OpenSSH V1.2pre13

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 22 Nov 1999, Robert Hardy wrote:

> > If you can be bothered, a gdb trace of problem #2 from the client and
> > server would be a godsend.
>
> Ouch... That would mean running gdb on every connection pretty well 24/7
> for a week... Well OK if you tell me how to do it...

You wouldn't have to do that! Just rebuild OpenSSH with debugging enabled
(CFLAGS=-g ./configure) and kill it with a SIGBUS when it hangs. This
should leave a corefile which you can extract a trace from using:

echo "bt" | gdb /path/to/program /path/to/core

- From the directory where the source is installed.

Also handy would be an strace of the process:

strace -o trace.file -p PID

(replace PID with the pid of the client or server).

Either of these would be great.

Thanks,
Damien

- -- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4OdWCormJ9RG1dI8RAg8cAJ9i/Lx4sciFju6GzAkvE+P6VwwLMACg01eb
thlppnng3uH8NiP3lkU1tbE=
=LQ9P
-----END PGP SIGNATURE-----

From djm at mindrot.org Tue Nov 23 11:17:09 1999
From: djm at mindrot.org (Damien Miller)
Date: Tue, 23 Nov 1999 11:17:09 +1100 (EST)
Subject: status of openssh for solaris?
In-Reply-To: <19991122163509.C4B1626EF4@toad.mindrot.org>

On Mon, 22 Nov 1999, Niels Provos wrote:

> >I cannot find any reference to DEVNULL in /usr/include or .../sys. This
> >must be a bsd-ism, not supported under native Solaris, I guess.
> Okay, I cc'ed this to the openssh-unix-dev mailing list.
>
> It should just be like this:
>
> /usr/include/paths.h:#define _PATH_DEVNULL "/dev/null"

Fixed in my tree.

Damien

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Tue Nov 23 11:19:51 1999
From: djm at mindrot.org (Damien Miller)
Date: Tue, 23 Nov 1999 11:19:51 +1100 (EST)
Subject: status of openssh for solaris?
In-Reply-To: <19991122123430.A24709@wdawson-sun.sbs.siemens.com>

On Mon, 22 Nov 1999, Willard Dawson wrote:

> That one's easy enough to work around by simply copying the same ifdefs
> into the next declaration. Similar problem in ssh-keygen.c.

Fixed in my tree.

Thanks,
Damien

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Tue Nov 23 11:22:56 1999
From: djm at mindrot.org (Damien Miller)
Date: Tue, 23 Nov 1999 11:22:56 +1100 (EST)
Subject: tcp-wrappers not being used even w/ --with-tcp-wrappers

On 22 Nov 1999, Chris Saia wrote:

> Niels Kristian Bech Jensen writes:
>
> > -AC_ARG_WITH(skey,
> > +AC_ARG_WITH(tcp-wrappers,
>
> D'oh! I can't believe I overlooked something that simple. Thanks.

I can't believe that I did, twice :(

Damien

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From csaia at wtower.com Tue Nov 23 11:49:58 1999
From: csaia at wtower.com (Chris Saia)
Date: 22 Nov 1999 19:49:58 -0500
Subject: status of Solaris build

Howdy,

Well, I finally made it through a complete build of OpenSSH on Solaris
7/x86. I've included a few notes below. Most of them are either simple
enough or too complex (i.e. I'm not sure how to do it without breaking
other platforms) to generate patches for here.

1) _PATH_DEVNULL, _PATH_UTMP and _PATH_WTMP aren't defined anywhere, since
Solaris doesn't appear to have a paths.h include. When the compile bailed,
I dropped in a literal string and reran the make.

1a) There are some conflicting declarations of __progname in the
application *.c files (sshd.c, ssh-add.c, etc.). If __progname wasn't
found, these files declare it as a const char *. Later in code blocks, it
is redeclared as an extern char *. C compilers won't like this. I simply
commented out the conflicting declarations further down in the code and
reran the make.

2) The Makefile.in (and consequently the generated Makefile) assume a
BSD-style install program. Unfortunately, Solaris's bundled install will
not play nice with the install portion of the Makefile, and there's no easy
way to make it work with both, since arguments on Solaris install have to
be processed in a specific order, and Solaris install also uses "-s" to
indicate silence on an install rather than stripping the binaries. I
decided at this point to simply do some serious Makefile hacking to get
`make install' to run without heed for Makefile.in. I've seen packages
that have included a "bsdinstall" command. That may be necessary here.

Now, the adventure will be in RUNNING the daemon to see what happens. :)

Tally ho,

-- 
===============================================================================
csaia at wtower.com, WTnet IRC Administrator - http://www.wtower.com/~csaia/
GNU Privacy Guard Public Key information is available at the above URL.
===============================================================================

From djm at mindrot.org Tue Nov 23 12:31:41 1999
From: djm at mindrot.org (Damien Miller)
Date: Tue, 23 Nov 1999 12:31:41 +1100 (EST)
Subject: Fixes for Solaris

Attached is a small patch that should fix most of the problems reported.

I am adding a recommendation to use GNU make to the INSTALL document.

Regards,
Damien

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-------------- next part --------------
Index: ChangeLog =================================================================== RCS file: /var/cvs/openssh/ChangeLog,v retrieving revision 1.69 retrieving revision 1.72 diff -u -r1.69 -r1.72 --- ChangeLog 1999/11/22 07:11:23 1.69 +++ ChangeLog 1999/11/23 00:24:32 1.72 @@ -1,3 +1,9 @@ +19991123 + - Added SuSE package files from Chris Saia + - Restructured package-related files under packages/* + - Added generic PAM config + - Numerous little Solaris fixes + 19991122 - Make close gnome-ssh-askpass (Debian bug #50299) - OpenBSD CVS Changes @@ -17,6 +23,9 @@ - Only display public key comment when presenting ssh-askpass dialog - Released 1.2pre14 + - Configure, Make and changelog corrections from Tudor Bosman + and Niels Kristian Bech Jensen + 19991121 - OpenBSD CVS Changes: - [channels.c]
@@ -60,7 +69,7 @@ - EGD uses a socket, not a named pipe. Duh. - Fix includes in fingerprint.c - Fix scp progress bar bug again. - - Move scp from ${libdir}/ssh to ${libexecdir}/ssh at request of + - Move ssh-askpass from ${libdir}/ssh to ${libexecdir}/ssh at request of David Rankin - Added autoconf option to enable Kerberos 4 support (untested) - Added autoconf option to enable AFS support (untested) Index: INSTALL =================================================================== RCS file: /var/cvs/openssh/INSTALL,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- INSTALL 1999/11/22 05:12:31 1.5 +++ INSTALL 1999/11/22 23:11:29 1.6 @@ -57,9 +57,10 @@ This will install the binaries in /opt/{bin,lib,sbin}, but will place the configuration files in /etc/ssh. -If you are using PAM, you will need to manually install the sshd.pam -control file as "/etc/pam.d/sshd". This file is customised for Redhat -Linux, you may need to edit it before using it on your system. +If you are using PAM, you will need to manually install a PAM control +file as "/etc/pam.d/sshd" (or wherever your system prefers to keep +them). A generic PAM configuration is included as "sshd.pam.generic", +you may need to edit it before using it on your system. There are a few other options to the configure script: Index: Makefile.in =================================================================== RCS file: /var/cvs/openssh/Makefile.in,v retrieving revision 1.29 retrieving revision 1.30 diff -u -r1.29 -r1.30 --- Makefile.in 1999/11/22 02:57:07 1.29 +++ Makefile.in 1999/11/22 11:31:49 1.30 @@ -2,7 +2,6 @@ exec_prefix=@exec_prefix@ bindir=@bindir@ sbindir=@sbindir@ -libdir=@libdir@ libexecdir=@libexecdir@ mandir=@mandir@ sysconfdir=@sysconfdir@ 
@@ -83,7 +82,7 @@ ln -sf ssh.1 $(mandir)/man1/slogin.1 if [ "x at INSTALL_ASKPASS@" = "xyes" ] ; then \ - install -d $(libdir) ; \ + install -d $(libexecdir) ; \ install -d $(libexecdir)/ssh ; \ if [ -z "@GNOME_ASKPASS@" ] ; then \ install -m755 -c ssh-askpass ${ASKPASS_PROGRAM}; \ Index: README =================================================================== RCS file: /var/cvs/openssh/README,v retrieving revision 1.25 retrieving revision 1.26 diff -u -r1.25 -r1.26 --- README 1999/11/22 04:24:35 1.25 +++ README 1999/11/22 23:11:29 1.26 @@ -54,6 +54,7 @@ 'jonchen' - the original author of PAM support of SSH Ben Taylor - Solaris debugging and fixes Chip Salzenberg - Assorted patches +Chris Saia - SuSE packaging Dan Brosemer - Autoconf and build fixes & Debian scripts Jim Knoble - RPM spec file fixes Marc G. Fournier - Solaris patches Index: acconfig.h =================================================================== RCS file: /var/cvs/openssh/acconfig.h,v retrieving revision 1.16 retrieving revision 1.17 diff -u -r1.16 -r1.17 --- acconfig.h 1999/11/22 03:27:24 1.16 +++ acconfig.h 1999/11/23 00:24:32 1.17 @@ -68,17 +68,25 @@ /* ******************* Shouldn't need to edit below this line ************** */ -# include /* For u_intXX_t */ -# include /* For SHUT_XXXX */ +#include /* For u_intXX_t */ +#include /* For SHUT_XXXX */ #ifdef HAVE_PATHS_H # include /* For _PATH_XXX */ #endif +#ifdef HAVE_UTMP_H +# include /* For _PATH_XXX */ +#endif + #ifdef HAVE_SYS_TIME_H # include /* For timersub */ #endif +#ifdef HAVE_MAILLOCK_H +#include +#endif + #ifndef SHUT_RDWR enum { 
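Review bot: in the acconfig.h hunk, the comment on the new #ifdef HAVE_UTMP_H include (/* For _PATH_XXX */) is copied from the paths.h line above it; if utmp.h is pulled in because Solaris keeps _PATH_UTMP and _PATH_WTMP there rather than in paths.h (the bsd-login.c reports earlier in this thread), say so, because the hunk that follows adds an #ifndef fallback only for _PATH_DEVNULL and leaves the two utmp paths with no guard of their own. Suggest the same #ifndef/# define pair for _PATH_UTMP and _PATH_WTMP, with the "/var/adm/utmp" and "/var/adm/wtmp" values Willard Dawson reported working, so the build no longer depends on utmp.h supplying them. Minor: the new #ifdef HAVE_MAILLOCK_H block uses an unindented #include where every other conditional include in this file uses "# include".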
@@ -174,6 +182,10 @@ #ifndef _PATH_STDPATH # define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin:" +#endif + +#ifndef _PATH_DEVNULL +# define _PATH_DEVNULL "/dev/null" #endif #ifndef _PATH_MAILDIR Index: configure.in =================================================================== RCS file: /var/cvs/openssh/configure.in,v retrieving revision 1.25 retrieving revision 1.27 diff -u -r1.25 -r1.27 --- configure.in 1999/11/22 05:11:05 1.25 +++ configure.in 1999/11/23 00:24:32 1.27 @@ -55,7 +55,7 @@ AC_CHECK_LIB(pam, pam_authenticate, , ) dnl Checks for header files. -AC_CHECK_HEADERS(pty.h endian.h paths.h lastlog.h shadow.h netgroup.h maillock.h sys/select.h sys/time.h) +AC_CHECK_HEADERS(pty.h endian.h paths.h lastlog.h shadow.h netgroup.h maillock.h utmp.h sys/select.h sys/time.h) dnl Checks for library functions. AC_CHECK_FUNCS(openpty strlcpy strlcat mkdtemp arc4random setproctitle setlogin setenv) @@ -284,7 +284,7 @@ ) dnl Check whether user wants TCP wrappers support -AC_ARG_WITH(skey, +AC_ARG_WITH(tcp-wrappers, [ --with-tcp-wrappers Enable tcpwrappers support], [ AC_DEFINE(LIBWRAP) @@ -293,7 +293,7 @@ ) dnl Check whether to enable MD5 passwords -AC_ARG_WITH(md5passwords, +AC_ARG_WITH(md5-passwords, [ --with-md5-passwords Enable use of MD5 passwords], [AC_DEFINE(HAVE_MD5_PASSWORDS)] ) Index: gnome-ssh-askpass.c =================================================================== RCS file: /var/cvs/openssh/gnome-ssh-askpass.c,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- gnome-ssh-askpass.c 1999/11/22 01:51:42 1.3 +++ gnome-ssh-askpass.c 1999/11/22 11:42:17 1.4 
@@ -117,7 +117,7 @@ if (passphrase_dialog(&passphrase, message)) { - printf("%s\n", passphrase); + puts(passphrase); memset(passphrase, '\0', strlen(passphrase)); } Index: ssh-add.c =================================================================== RCS file: /var/cvs/openssh/ssh-add.c,v retrieving revision 1.11 retrieving revision 1.12 diff -u -r1.11 -r1.12 --- ssh-add.c 1999/11/22 07:11:23 1.11 +++ ssh-add.c 1999/11/23 00:24:32 1.12 @@ -184,8 +184,6 @@ /* check if RSA support exists */ if (rsa_alive() == 0) { - extern char *__progname; - fprintf(stderr, "%s: no RSA support in libssl and libcrypto. See ssl(8).\n", __progname); Index: sshd.c =================================================================== RCS file: /var/cvs/openssh/sshd.c,v retrieving revision 1.28 retrieving revision 1.29 diff -u -r1.28 -r1.29 --- sshd.c 1999/11/22 03:27:24 1.28 +++ sshd.c 1999/11/23 00:24:32 1.29 @@ -32,10 +32,6 @@ #include "uidswap.h" #include "compat.h" -#ifdef HAVE_MAILLOCK_H -# include -#endif - #ifdef LIBWRAP #include #include

From bent at clark.net Tue Nov 23 16:34:47 1999
From: bent at clark.net (Ben Taylor)
Date: Tue, 23 Nov 1999 00:34:47 -0500 (EST)
Subject: problems with pam on Solaris.

I'm working with the latest code (pre14) with some patches I've made to get
a clean compile. Running the sshd I get a segfault inside of
pam_open_session. Figured I'd get a look at the data structures. I can't
find them. There's a

#typedef struct pam_handle pam_handle_t;

in security/pam_appl.h, but I can't find a reference for pam_handle. Am I
on drugs?

Also, has anyone tried turning off pam for testing. Oh, is that ugly. It
works, and I get a connection, but there are problems in the pty mapping
that I couldn't get fixed with an stty command.

Ben

From rbickers at logicetc.com Tue Nov 23 17:03:06 1999
From: rbickers at logicetc.com (Ron Bickers)
Date: Tue, 23 Nov 1999 01:03:06 -0500
Subject: Packet integrity error. (29)
Message-ID: <007201bf3578$6921e580$0200a8c0@logicetc.com>

I'm using SecureCRT (http://www.vandyke.com/) to connect to OpenSSH
(1.2pre14 built from source RPMs) running on RedHat Linux 6.1. When I
forward a local port using SecureCRT to a port on the server and try to
connect, I get the error message "Packet integrity error. (29)" on the
server and the session is disconnected. This forwarding setup works with
the not-so-free sshd just fine.

Any ideas?

Thanks!

_______________________
Ron Bickers

From nkbj at image.dk Tue Nov 23 20:46:58 1999
From: nkbj at image.dk (Niels Kristian Bech Jensen)
Date: Tue, 23 Nov 1999 10:46:58 +0100 (CET)
Subject: [PATCH] Adding BSD compatible install script to 1.2pre14.

Hi,

This patch adds a BSD compatible install script (copied from gcc-2.95.2) to
1.2pre14. The script has an X-style license. The script will be used if
configure doesn't find a proper install program on the system. Remember to
run autoconf and set execute (755) permissions for install-sh when the patch
has been applied.

-- 
Niels Kristian Bech Jensen -- nkbj at image.dk -- http://www.image.dk/~nkbj/
----------->> Stop software piracy --- use free software! <<-----------

-------------- next part --------------
diff -urN openssh-1.2pre14.orig/Makefile.in openssh-1.2pre14/Makefile.in --- openssh-1.2pre14.orig/Makefile.in Tue Nov 23 10:43:16 1999 +++ openssh-1.2pre14/Makefile.in Tue Nov 23 10:42:07 1999 @@ -17,6 +17,7 @@ LIBS=@LIBS@ AR=@AR@ RANLIB=@RANLIB@ +INSTALL=@INSTALL@ GNOME_CFLAGS=`gnome-config --cflags gnome gnomeui` GNOME_LIBS=`gnome-config --libs gnome gnomeui`
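Review bot: INSTALL=@INSTALL@ only receives a value if configure.in calls AC_PROG_INSTALL, and neither that change nor the install-sh script the message describes appears in the portion of the diff visible here, which covers Makefile.in only. Confirm the complete patch carries both; otherwise @INSTALL@ is left unsubstituted and every $(INSTALL) line in the next hunk fails. The message's "remember to run autoconf" only makes sense if configure.in does change, so a note naming that hunk would help reviewers.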
@@ -61,40 +62,40 @@ rm -f *.o core $(TARGETS) config.status config.cache config.log install: all - install -d $(bindir) - install -d $(sbindir) - install -d $(mandir) - install -d $(mandir)/man1 - install -d $(mandir)/man8 - install -s -c ssh $(bindir)/ssh - install -s -c scp $(bindir)/scp - install -s -c ssh-add $(bindir)/ssh-add - install -s -c ssh-agent $(bindir)/ssh-agent - install -s -c ssh-keygen $(bindir)/ssh-keygen - install -s -c sshd $(sbindir)/sshd - install -m644 -c ssh.1 $(mandir)/man1/ssh.1 - install -m644 -c scp.1 $(mandir)/man1/scp.1 - install -m644 -c ssh-add.1 $(mandir)/man1/ssh-add.1 - install -m644 -c ssh-agent.1 $(mandir)/man1/ssh-agent.1 - install -m644 -c ssh-keygen.1 $(mandir)/man1/ssh-keygen.1 - install -m644 -c sshd.8 $(mandir)/man8/sshd.8 + $(INSTALL) -d $(bindir) + $(INSTALL) -d $(sbindir) + $(INSTALL) -d $(mandir) + $(INSTALL) -d $(mandir)/man1 + $(INSTALL) -d $(mandir)/man8 + $(INSTALL) -s ssh $(bindir)/ssh + $(INSTALL) -s scp $(bindir)/scp + $(INSTALL) -s ssh-add $(bindir)/ssh-add + $(INSTALL) -s ssh-agent $(bindir)/ssh-agent + $(INSTALL) -s ssh-keygen $(bindir)/ssh-keygen + $(INSTALL) -s sshd $(sbindir)/sshd + $(INSTALL) -m644 ssh.1 $(mandir)/man1/ssh.1 + $(INSTALL) -m644 scp.1 $(mandir)/man1/scp.1 + $(INSTALL) -m644 ssh-add.1 $(mandir)/man1/ssh-add.1 + $(INSTALL) -m644 ssh-agent.1 $(mandir)/man1/ssh-agent.1 + $(INSTALL) -m644 ssh-keygen.1 $(mandir)/man1/ssh-keygen.1 + $(INSTALL) -m644 sshd.8 $(mandir)/man8/sshd.8 ln -sf ssh $(bindir)/slogin ln -sf ssh.1 $(mandir)/man1/slogin.1 if [ "x at INSTALL_ASKPASS@" = "xyes" ] ; then \ - install -d $(libexecdir) ; \ - install -d $(libexecdir)/ssh ; \ + $(INSTALL) -d $(libexecdir) ; \ + $(INSTALL) -d $(libexecdir)/ssh ; \ if [ -z "@GNOME_ASKPASS@" ] ; then \ - install -m755 -c ssh-askpass ${ASKPASS_PROGRAM}; \ + $(INSTALL) -m755 ssh-askpass ${ASKPASS_PROGRAM}; \ else \ - install -m755 -c gnome-ssh-askpass ${ASKPASS_PROGRAM}; \ + $(INSTALL) -m755 gnome-ssh-askpass ${ASKPASS_PROGRAM}; \ fi ; \ fi 
if [ ! -f $(sysconfdir)/ssh_config -a ! -f $(sysconfdir)/sshd_config ]; then \ - install -d $(sysconfdir); \ - install -m644 ssh_config $(sysconfdir)/ssh_config; \ - install -m644 sshd_config $(sysconfdir)/sshd_config; \ + $(INSTALL) -d $(sysconfdir); \ + $(INSTALL) -m644 ssh_config $(sysconfdir)/ssh_config; \ + $(INSTALL) -m644 sshd_config $(sysconfdir)/sshd_config; \ fi distclean: clean diff -urN openssh-1.2pre14.orig/configure.in openssh-1.2pre14/configure.in --- openssh-1.2pre14.orig/configure.in Mon Nov 22 06:11:05 1999 +++ openssh-1.2pre14/configure.in Tue Nov 23 10:38:55 1999 @@ -6,6 +6,7 @@ AC_PROG_CC AC_PROG_CPP AC_PROG_RANLIB +AC_PROG_INSTALL AC_CHECK_PROG(AR, ar, ar) if test "$GCC" = "yes"; then CFLAGS="$CFLAGS -Wall"; fi diff -urN openssh-1.2pre14.orig/install-sh openssh-1.2pre14/install-sh --- openssh-1.2pre14.orig/install-sh Thu Jan 1 01:00:00 1970 +++ openssh-1.2pre14/install-sh Mon Oct 12 12:44:57 1998 
@@ -0,0 +1,251 @@ +#!/bin/sh +# +# install - install a program, script, or datafile +# This comes from X11R5 (mit/util/scripts/install.sh). +# +# Copyright 1991 by the Massachusetts Institute of Technology +# +# Permission to use, copy, modify, distribute, and sell this software and its +# documentation for any purpose is hereby granted without fee, provided that +# the above copyright notice appear in all copies and that both that +# copyright notice and this permission notice appear in supporting +# documentation, and that the name of M.I.T. not be used in advertising or +# publicity pertaining to distribution of the software without specific, +# written prior permission. M.I.T. makes no representations about the +# suitability of this software for any purpose. It is provided "as is" +# without express or implied warranty. +# +# Calling this script install-sh is preferred over install.sh, to prevent +# `make' implicit rules from creating a file called install from it +# when there is no Makefile. +# +# This script is compatible with the BSD install script, but was written +# from scratch. It can only install one file at a time, a restriction +# shared with many OS's install programs. + + +# set DOITPROG to echo to test this script + +# Don't use :- since 4.3BSD and earlier shells don't like it. +doit="${DOITPROG-}" + + +# put in absolute paths if you don't have them in your path; or use env. vars. 
+ +mvprog="${MVPROG-mv}" +cpprog="${CPPROG-cp}" +chmodprog="${CHMODPROG-chmod}" +chownprog="${CHOWNPROG-chown}" +chgrpprog="${CHGRPPROG-chgrp}" +stripprog="${STRIPPROG-strip}" +rmprog="${RMPROG-rm}" +mkdirprog="${MKDIRPROG-mkdir}" + +transformbasename="" +transform_arg="" +instcmd="$mvprog" +chmodcmd="$chmodprog 0755" +chowncmd="" +chgrpcmd="" +stripcmd="" +rmcmd="$rmprog -f" +mvcmd="$mvprog" +src="" +dst="" +dir_arg="" + +while [ x"$1" != x ]; do + case $1 in + -c) instcmd="$cpprog" + shift + continue;; + + -d) dir_arg=true + shift + continue;; + + -m) chmodcmd="$chmodprog $2" + shift + shift + continue;; + + -o) chowncmd="$chownprog $2" + shift + shift + continue;; + + -g) chgrpcmd="$chgrpprog $2" + shift + shift + continue;; + + -s) stripcmd="$stripprog" + shift + continue;; + + -t=*) transformarg=`echo $1 | sed 's/-t=//'` + shift + continue;; + + -b=*) transformbasename=`echo $1 | sed 's/-b=//'` + shift + continue;; + + *) if [ x"$src" = x ] + then + src=$1 + else + # this colon is to work around a 386BSD /bin/sh bug + : + dst=$1 + fi + shift + continue;; + esac +done + +if [ x"$src" = x ] +then + echo "install: no input file specified" + exit 1 +else + true +fi + +if [ x"$dir_arg" != x ]; then + dst=$src + src="" + + if [ -d $dst ]; then + instcmd=: + chmodcmd="" + else + instcmd=mkdir + fi +else + +# Waiting for this to be detected by the "$instcmd $src $dsttmp" command +# might cause directories to be created, which would be especially bad +# if $src (and thus $dsttmp) contains '*'. 
+ + if [ -f $src -o -d $src ] + then + true + else + echo "install: $src does not exist" + exit 1 + fi + + if [ x"$dst" = x ] + then + echo "install: no destination specified" + exit 1 + else + true + fi + +# If destination is a directory, append the input filename; if your system +# does not like double slashes in filenames, you may need to add some logic + + if [ -d $dst ] + then + dst="$dst"/`basename $src` + else + true + fi +fi + +## this sed command emulates the dirname command +dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` + +# Make sure that the destination directory exists. +# this part is taken from Noah Friedman's mkinstalldirs script + +# Skip lots of stat calls in the usual case. +if [ ! -d "$dstdir" ]; then +defaultIFS=' +' +IFS="${IFS-${defaultIFS}}" + +oIFS="${IFS}" +# Some sh's can't handle IFS=/ for some reason. +IFS='%' +set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'` +IFS="${oIFS}" + +pathcomp='' + +while [ $# -ne 0 ] ; do + pathcomp="${pathcomp}${1}" + shift + + if [ ! -d "${pathcomp}" ] ; + then + $mkdirprog "${pathcomp}" + else + true + fi + + pathcomp="${pathcomp}/" +done +fi + +if [ x"$dir_arg" != x ] +then + $doit $instcmd $dst && + + if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi && + if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi && + if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi && + if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi +else + +# If we're going to rename the final executable, determine the name now. + + if [ x"$transformarg" = x ] + then + dstfile=`basename $dst` + else + dstfile=`basename $dst $transformbasename | + sed $transformarg`$transformbasename + fi + +# don't allow the sed command to completely eliminate the filename + + if [ x"$dstfile" = x ] + then + dstfile=`basename $dst` + else + true + fi + +# Make a temp file name in the proper directory. 
+ + dsttmp=$dstdir/#inst.$$# + +# Move or copy the file name to the temp name + + $doit $instcmd $src $dsttmp && + + trap "rm -f ${dsttmp}" 0 && + +# and set any options; do chmod last to preserve setuid bits + +# If any of these fail, we abort the whole thing. If we want to +# ignore errors from any of these, just make sure not to ignore +# errors from the above "$doit $instcmd $src $dsttmp" command. + + if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi && + if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi && + if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi && + if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi && + +# Now rename the file to the real destination. + + $doit $rmcmd -f $dstdir/$dstfile && + $doit $mvcmd $dsttmp $dstdir/$dstfile + +fi && + + +exit 0 From marc.fournier at acadiau.ca Tue Nov 23 23:56:32 1999 
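Review bot: the install rule drops every explicit `-c`, so it only works because the substituted `@INSTALL@` carries `-c` itself. With the bundled install-sh, `-c` is exactly what switches `instcmd="$mvprog"` to `$cpprog` in the option parser, so a build that runs `make INSTALL=./install-sh` would have `ssh`, `sshd` and the rest moved out of the build tree instead of copied. Keep `-c` explicit in the rule (`$(INSTALL) -c -s sshd $(sbindir)/sshd`), which is harmless with a system install(1), or document the requirement.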
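Review bot: `AC_PROG_INSTALL` is added to configure.in, but nothing in the patch makes install-sh executable: autoconf looks for the script in the source directory and aborts if it is missing or not runnable, which is why the covering mail asks for a manual `chmod 755 install-sh`. A copy applied with patch(1) will not have the mode, so either ship the script with the bit set in the tarball or invoke it via `$(SHELL) $(top_srcdir)/install-sh` so the mode does not matter.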
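Review bot: in the final block of install-sh the old target is deleted with `$doit $rmcmd -f $dstdir/$dstfile` and only afterwards is the temp file renamed into place; if the `mv` fails the previously installed binary (sshd included) is simply gone, and between the two commands there is a window with no file at all. `mv -f` onto the existing name is an atomic replace on the same filesystem, so the separate `rm` can go. Two smaller points: the script initialises `transform_arg=""` but tests `$transformarg`, so `-t=` only works because the unset variable expands to empty; and `$src`, `$dst` and `$dsttmp` are unquoted throughout, so a path containing whitespace breaks the `[ -d $dst ]` and `[ -f $src -o -d $src ]` tests.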
From: marc.fournier at acadiau.ca (Marc G. Fournier) Date: Tue, 23 Nov 1999 08:56:32 -0400 (AST) Subject: Fixes for Solaris In-Reply-To: Message-ID: with patch applied: ==================== bsd-daemon.c: In function `daemon': bsd-daemon.c:70: `_PATH_DEVNULL' undeclared (first use in this function) bsd-daemon.c:70: (Each undeclared identifier is reported only once bsd-daemon.c:70: for each function it appears in.) make: *** [bsd-daemon.o] Error 1 new-relay:/usr/slocal/src/openssh-1.2pre14> grep DEV config.h =================== bsd-login.c: In function `login': bsd-login.c:60: `_PATH_UTMP' undeclared (first use in this function) bsd-login.c:60: (Each undeclared identifier is reported only once bsd-login.c:60: for each function it appears in.) bsd-login.c:79: `_PATH_WTMP' undeclared (first use in this function) bsd-login.c:55: warning: unused variable `old_ut' make: *** [bsd-login.o] Error 1 =================== sshd.c:2313: `_PATH_MAILDIR' undeclared (first use in this function) sshd.c:2313: (Each undeclared identifier is reported only once sshd.c:2313: for each function it appears in.) make: *** [sshd.o] Error 1 =================== ssh-keygen.c:67: conflicting types for `__progname' ssh-keygen.c:27: previous declaration of `__progname' make: *** [ssh-keygen.o] Error 1 =================== ssh-keygen.c: In function `main': ssh-keygen.c:377: conflicting types for `__progname' ssh-keygen.c:27: previous declaration of `__progname' =================== new-relay:/usr/slocal/src/openssh-1.2pre14> /usr/slocal/sbin/sshd -d debug: sshd version OpenSSH-1.2 Server listening on port 22. Generating 768 bit RSA key. RSA key generation complete. debug: Server will not fork when running in debugging mode. Connection from 131.162.138.223 port 677 debug: Client protocol version 1.5; client software version 1.2.26 debug: Sent 768 bit public key and 1024 bit host key. debug: Encryption type: 3des debug: Received session key; encryption turned on. 
debug: Installing crc compensation attack detector. debug: Starting up PAM with username "marc" debug: Attempting authentication for marc. PAM Password authentication accepted for user "marc" debug: PAM setting rhost to "atelier.acadiau.ca" Segmentation fault ===================== On Tue, 23 Nov 1999, Damien Miller wrote: > > Attached is a small patch that should fix most of the problems > reported. > > I am adding a recommendation to use GNU make to the INSTALL > document. > > Regards, > Damien > > -- > | "Bombay is 250ms from New York in the new world order" - Alan Cox > | Damien Miller - http://www.mindrot.org/ > | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) > > > Marc G. Fournier marc.fournier at acadiau.ca Senior Systems Administrator Acadia University "These are my opinions, which are not necessarily shared by my employer" From torake at hotmail.com Wed Nov 24 03:47:17 1999 
From: torake at hotmail.com (Tor-Ake Fransson) Date: Tue, 23 Nov 1999 16:47:17 GMT Subject: [PATCH] AIX 4.3.2 compile fixes Message-ID: <19991123164718.45566.qmail@hotmail.com> Hi all. It's nice to see that AIX support (unintentionally?) is getting better and better. :) Attached is a patch against pre14 that fixes AIX support. All that is left, basically, is a replacement for the /dev/urandom way of getting entropy. ... A completely different thing... how about DCE support? I was thinking of adding some dce code to sshd that: 1. Attaches credentials based on principal name and password (already done with ssh-1.2.20) 2. Stores the password in a keytab file, to enable attaching DCE credentials even when using RSA authentication. What is the general feeling on that? Regards, Tor-Åke Fransson ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh-1.2pre14-aix.diff.gz Type: application/octet-stream Size: 1310 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991123/d4f7d5b7/attachment.obj From csaia at wtower.com Wed Nov 24 04:11:33 1999

From: csaia at wtower.com (Chris Saia) Date: 23 Nov 1999 12:11:33 -0500 Subject: [PATCH] AIX 4.3.2 compile fixes In-Reply-To: "Tor-Ake Fransson"'s message of "Tue, 23 Nov 1999 16:47:17 GMT" References: <19991123164718.45566.qmail@hotmail.com> Message-ID: "Tor-Ake Fransson" writes: > Attached is a patch against pre14 that fixes AIX support. All that > is left, basically, is a replacement for the /dev/urandom way of > getting entropy. You should be able to use the EGD (Entropy Gathering Daemon), a Perl script. When configuring OpenSSH, use the --with-egd-pool=filename to specify the name of the entropy file you configured your EGD to use. More info on EGD is available at http://www.lothar.com/tech/crypto/. (NOTE: This page is actually linked off Damien's OpenSSH page located at http://violet.ibs.com.au/openssh/.) -- =============================================================================== csaia at wtower.com, WTnet IRC Administrator - http://www.wtower.com/~csaia/ GNU Privacy Guard Public Key information is available at the above URL. =============================================================================== From rhardy at webcon.net Wed Nov 24 07:23:04 1999 
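As an added illustration of what `--with-egd-pool` points sshd at (example code written for this page, not OpenSSH's or EGD's own): a client speaking the EGD socket protocol, paired with a constructed stand-in daemon so it runs offline. The request bytes 0x00 (entropy count) and 0x01 (non-blocking read) are the ones egd.pl documents; the function names and the mock are assumptions of this example. The point worth seeing is the failure mode: a pool that has run dry answers a non-blocking read with a count of 0, and a seeder has to refuse to continue rather than pad the shortfall.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Request bytes of the EGD socket protocol as documented with egd.pl.
 * (Added example: not OpenSSH code and not EGD's own code.)            */
#define EGD_GET_ENTROPY_COUNT 0x00   /* reply: 4-byte big-endian bit count    */
#define EGD_READ_NONBLOCK     0x01   /* + n; reply: 1-byte count, then bytes  */

static int read_exact(int fd, unsigned char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r <= 0)
            return -1;                 /* daemon gone: callers must fail closed */
        got += (size_t)r;
    }
    return 0;
}

/* How many bits the daemon believes its pool holds; -1 on protocol failure. */
long egd_entropy_bits(int fd)
{
    unsigned char cmd = EGD_GET_ENTROPY_COUNT, r[4];
    if (write(fd, &cmd, 1) != 1 || read_exact(fd, r, 4) < 0)
        return -1;
    return ((long)r[0] << 24) | ((long)r[1] << 16) | ((long)r[2] << 8) | r[3];
}

/* Non-blocking read of up to n bytes (1..255). Returns bytes delivered,
 * 0 if the pool is empty right now, -1 on error or a misbehaving daemon. */
int egd_read_nonblock(int fd, unsigned char *out, unsigned n)
{
    unsigned char req[2] = { EGD_READ_NONBLOCK, (unsigned char)n }, count;
    if (n == 0 || n > 255)
        return -1;
    if (write(fd, req, 2) != 2 || read_exact(fd, &count, 1) < 0)
        return -1;
    if (count > n)
        return -1;                     /* more than asked for: protocol violation */
    if (count > 0 && read_exact(fd, out, count) < 0)
        return -1;
    return (int)count;
}

/* Collect exactly `want` seed bytes or fail. A seeder that pads a short
 * answer would seed its generator with less entropy than it believes. */
int egd_seed(int fd, unsigned char *seed, size_t want)
{
    size_t have = 0;
    while (have < want) {
        unsigned n = (want - have > 255) ? 255 : (unsigned)(want - have);
        int r = egd_read_nonblock(fd, seed + have, n);
        if (r <= 0)
            return -1;                 /* pool dry or daemon gone */
        have += (size_t)r;
    }
    return 0;
}

/* Constructed stand-in for egd.pl: serves a fixed-size pool of filler bytes
 * (0xA5, NOT randomness) so the client can be exercised offline.            */
static void mock_egd(int fd, size_t pool_bytes)
{
    unsigned char cmd, n, buf[256];
    for (;;) {
        if (read_exact(fd, &cmd, 1) < 0)
            _exit(0);                  /* client closed: done */
        if (cmd == EGD_GET_ENTROPY_COUNT) {
            unsigned long bits = pool_bytes * 8;
            unsigned char r[4] = { (unsigned char)(bits >> 24), (unsigned char)(bits >> 16),
                                   (unsigned char)(bits >> 8), (unsigned char)bits };
            (void)write(fd, r, 4);
        } else if (cmd == EGD_READ_NONBLOCK) {
            size_t give;
            if (read_exact(fd, &n, 1) < 0)
                _exit(0);
            give = n < pool_bytes ? n : pool_bytes;
            buf[0] = (unsigned char)give;
            memset(buf + 1, 0xA5, give);
            pool_bytes -= give;
            (void)write(fd, buf, 1 + give);
        } else {
            _exit(0);                  /* unknown command: drop the client */
        }
    }
}

/* Run the client against the mock over a socketpair. Returns egd_seed's
 * result and reports the pool level before and after, so the exhaustion
 * case (pool smaller than `want`) can be checked.                        */
int egd_demo(size_t pool_bytes, size_t want, long *bits_before, long *bits_after)
{
    int sv[2], ok;
    unsigned char seed[512];
    pid_t pid;

    if (want > sizeof seed || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        close(sv[0]);
        mock_egd(sv[1], pool_bytes);   /* never returns */
    }
    close(sv[1]);
    *bits_before = egd_entropy_bits(sv[0]);
    ok = egd_seed(sv[0], seed, want);
    *bits_after = egd_entropy_bits(sv[0]);
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return ok;
}
```

A real client would connect to the pool path given to `--with-egd-pool` with a `AF_UNIX` `connect()` instead of the socketpair, and would treat the 0x00 count as advisory only: the daemon's estimate is not a guarantee, which is why `egd_seed` checks every delivered count rather than the level reported up front.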
From: rhardy at webcon.net (Robert Hardy) Date: Tue, 23 Nov 1999 15:23:04 -0500 (EST) Subject: 3 Bugs to Report: OpenSSH V1.2pre13 In-Reply-To: Message-ID: On Tue, 23 Nov 1999, Damien Miller wrote: > [...] rebuild OpenSSH with debugging enabled (CFLAGS=-g ./configure) and > kill it with a SIGBUS when it hangs. > > This should leave a corefile which you can extract a trace from using: > echo "bt" | gdb /path/to/program /path/to/core > - From the directory where the source is installed. > > Also handy would be an strace of the process: > strace -o trace.file -p PID > (replace PID with the pid of the client or server). > > Either of these would be great. I haven't yet had a chance to recompile the openssh 1.2pre14 with the debugging flags... However it did hang after logout today for about 30-60 seconds (I am certain we have seen it hang for longer than this.) I managed to get an strace of it. I believe this is useful even if debugging is turned off. The program is currently still compiled with -O2... It seems to repeatedly timeout on a select, take a look for yourself... Regards, Rob -- ----------------"Linux the choice of a GNU Generation!"----------------- Robert Hardy C.E.O. Webcon Inc. rhardy at webcon.net PGP Key available by finger (613) 276-6206 -------------- next part -------------- A non-text attachment was scrubbed... Name: opensshhang_trace.gz Type: application/octet-stream Size: 2309 bytes Desc: Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991123/e22a35b3/attachment.obj From djm at mindrot.org Wed Nov 24 09:10:07 1999
From: djm at mindrot.org (Damien Miller) Date: Wed, 24 Nov 1999 09:10:07 +1100 (EST) Subject: Fixes for Solaris In-Reply-To: Message-ID: On Tue, 23 Nov 1999, Marc G. Fournier wrote: > > with patch applied: The patch does not update config.h.in or configure, you have to rerun autoheader and autoconf to regenerate those. I should have been more clear. Damien -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From phil at hands.com Wed Nov 24 10:47:47 1999 From: phil at hands.com (Philip Hands) Date: 23 Nov 1999 23:47:47 +0000 Subject: locking accounts when non-password authentication In-Reply-To: <87ln7tc6wc.fsf@sheikh.hands.com> (Philip Hands's message of "20 Nov 1999 19:14:27 +0000") Message-ID: <871z9gojmk.fsf@sheikh.hands.com> Hi, It's been pointed out to me that the old non-free ssh took notice of locked accounts, in that it checked for passwords that started with ``*LK*'' and prevented RSA authenticated logins if that was the case. It strikes me that there ought to be a way of checking this using PAM, but I've failed to find it. Failing that, it looks like we need to put some code in sshd.c or some of the auth-*.c files to deal with /etc/shadow passwords, and check them to see if they start with ``*LK*''. Cheers, Phil. From Henry.Liao at trw.com Wed Nov 24 13:24:38 1999 From: Henry.Liao at trw.com (Henry Liao) Date: Wed, 24 Nov 1999 02:24:38 +0000 Subject: snprintf on solaris Message-ID: <383B4C66.E92ADC25@trw.com> Hello, I've managed to get around the undefined paths in openssh-1.2pre14 on solaris, but now I'm stuck without an implementation of snprintf and vsnprintf. Is there a library I can download or a way to #define the functions into compatibility? Thanks, --Henry From djm at mindrot.org Wed Nov 24 13:25:50 1999
From: djm at mindrot.org (Damien Miller) Date: Wed, 24 Nov 1999 13:25:50 +1100 (EST) Subject: snprintf on solaris In-Reply-To: <383B4C66.E92ADC25@trw.com> Message-ID: On Wed, 24 Nov 1999, Henry Liao wrote: > Hello, > > I've managed to get around the undefined paths in openssh-1.2pre14 on > solaris, but now I'm stuck without an implementation of snprintf and > vsnprintf. Is there a library I can download or a way to #define the > functions into compatibility? What version of Solaris are you using? I can include replacement code in the next release. Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From marc.fournier at acadiau.ca Wed Nov 24 13:37:37 1999 From: marc.fournier at acadiau.ca (Marc G. Fournier) Date: Tue, 23 Nov 1999 22:37:37 -0400 (AST) Subject: snprintf on solaris In-Reply-To: <383B4C66.E92ADC25@trw.com> Message-ID: What version of Solaris are you using? Both 2.6 and 7 do have it... you have even older than that? *raised eyebrow* On Wed, 24 Nov 1999, Henry Liao wrote: > Hello, > > I've managed to get around the undefined paths in openssh-1.2pre14 on > solaris, but now I'm stuck without an implementation of snprintf and > vsnprintf. Is there a library I can download or a way to #define the > functions into compatibility? > > Thanks, > --Henry > > Marc G. Fournier marc.fournier at acadiau.ca Senior Systems Administrator Acadia University "These are my opinions, which are not necessarily shared by my employer" From phil at hands.com Wed Nov 24 20:39:47 1999
From: phil at hands.com (Philip Hands) Date: 24 Nov 1999 09:39:47 +0000 Subject: [Jason Gunthorpe ] Global RSA hosts patch Message-ID: <87u2mckz30.fsf@sheikh.hands.com> Here's a patch from Jason Gunthorpe that looks generally useful. It's actually aimed at the Debian LDAP setup, so we can have a file generated from everyone's ssh_identity data, and still only allow each person to log in as themselves. Cheers, Phil. P.S. I hope the MIME inclusion survives, if not I'll put a copy here: http://www.hands.com/~phil/debian/openssh/ --[[message/rfc822]] Date: Wed, 24 Nov 1999 00:42:00 -0700 (MST) 
From: Jason Gunthorpe To: bcollins at debian.org, ssh at packages.debian.org Subject: Global RSA hosts patch Message-ID: MIME-Version: 1.0 Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-1744382920-943429320=:2155" This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime at docserver.cac.washington.edu for more info. --8323328-1744382920-943429320=:2155 Content-Type: TEXT/PLAIN; charset=US-ASCII Hi all, I ported my patch to openssh, could you possibly review it for inclusion in the official package + upstream? What it does is create a new configuration option 'GlobalRSAFile' that can specify a global file of RSA public keys. Each line in the file is prefixed by ':' to key the key to the proper user, it is used as part of a wider global login scheme :> Thanks, Jason --8323328-1744382920-943429320=:2155 Content-Type: TEXT/PLAIN; charset=US-ASCII; name="openssh1.patch" Content-Transfer-Encoding: BASE64 Content-ID: Content-Description: T25seSBpbiBvcGVuc3NoLTEuMnByZTEzK2pnZzogTWFrZWZpbGUNCk9ubHkg aW4gb3BlbnNzaC0xLjJwcmUxMytqZ2c6IGF1dGgtcGFzc3dkLm8NCk9ubHkg aW4gb3BlbnNzaC0xLjJwcmUxMytqZ2c6IGF1dGgtcmgtcnNhLm8NCk9ubHkg aW4gb3BlbnNzaC0xLjJwcmUxMytqZ2c6IGF1dGgtcmhvc3RzLm8NCmRpZmYg LXUgb3BlbnNzaC0xLjJwcmUxMy9hdXRoLXJzYS5jIG9wZW5zc2gtMS4ycHJl MTMramdnL2F1dGgtcnNhLmMNCi0tLSBvcGVuc3NoLTEuMnByZTEzL2F1dGgt cnNhLmMJVGh1IE5vdiAxOCAxNDoyNTo0OCAxOTk5DQorKysgb3BlbnNzaC0x LjJwcmUxMytqZ2cvYXV0aC1yc2EuYwlXZWQgTm92IDI0IDAwOjM5OjM4IDE5 OTkNCkBAIC0xMzUsNyArMTM1LDcgQEANCiAgICBzdWNjZXNzZnVsLiAgVGhp cyBtYXkgZXhpdCBpZiB0aGVyZSBpcyBhIHNlcmlvdXMgcHJvdG9jb2wgdmlv bGF0aW9uLiAqLw0KIA0KIGludA0KLWF1dGhfcnNhKHN0cnVjdCBwYXNzd2Qg KnB3LCBCSUdOVU0gKmNsaWVudF9uKQ0KK2F1dGhfcnNhKHN0cnVjdCBwYXNz d2QgKnB3LCBCSUdOVU0gKmNsaWVudF9uLGludCBnbG9iYWwpDQogew0KICAg ZXh0ZXJuIFNlcnZlck9wdGlvbnMgb3B0aW9uczsNCiAgIGNoYXIgbGluZVs4 MTkyXSwgZmlsZVsxMDI0XTsNCkBAIC0xNTAsOSArMTUwLDE5IEBADQogICB0 
ZW1wb3JhcmlseV91c2VfdWlkKHB3LT5wd191aWQpOw0KIA0KICAgLyogVGhl IGF1dGhvcml6ZWQga2V5cy4gKi8NCi0gIHNucHJpbnRmKGZpbGUsIHNpemVv ZiBmaWxlLCAiJS41MDBzLyUuMTAwcyIsIHB3LT5wd19kaXIsDQotICAgIFNT SF9VU0VSX1BFUk1JVFRFRF9LRVlTKTsNCi0gIA0KKyAgaWYgKGdsb2JhbCA9 PSAwKQ0KKyAgICAgIHNucHJpbnRmKGZpbGUsIHNpemVvZiBmaWxlLCAiJS41 MDBzLyUuMTAwcyIsIHB3LT5wd19kaXIsDQorCSAgICAgICBTU0hfVVNFUl9Q RVJNSVRURURfS0VZUyk7DQorICBlbHNlDQorICB7ICAgIA0KKyAgICAgIGlm IChvcHRpb25zLmdsb2JhbF9yc2FfZmlsZSA9PSAwKQ0KKyAgICAgIHsNCisg ICAgICAgICByZXN0b3JlX3VpZCgpOw0KKwkgcmV0dXJuIDA7DQorICAgICAg fSAgIA0KKyAgICAgIHNucHJpbnRmKGZpbGUsIHNpemVvZiBmaWxlLCAiJS41 MDBzIixvcHRpb25zLmdsb2JhbF9yc2FfZmlsZSk7DQorICB9DQorDQogICAv KiBGYWlsIHF1aWV0bHkgaWYgZmlsZSBkb2VzIG5vdCBleGlzdCAqLw0KICAg aWYgKHN0YXQoZmlsZSwgJnN0KSA8IDApDQogICAgIHsNCkBAIC0xODgsNyAr MTk4LDcgQEANCiAgICAgICBzdGF0aWMgY29uc3QgY2hhciAqY2hlY2tbXSA9 IHsNCiAgICAgICAgICAgICAiIiwgU1NIX1VTRVJfRElSLCBOVUxMDQogICAg ICAgfTsNCi0gICAgICBmb3IgKGk9MDsgY2hlY2tbaV07IGkrKykgew0KKyAg ICAgIGZvciAoaT0wOyBjaGVja1tpXSAmJiBnbG9iYWwgPT0gMDsgaSsrKSB7 DQogICAgICAgICBzbnByaW50ZihsaW5lLCBzaXplb2YgbGluZSwgIiUuNTAw cy8lLjEwMHMiLCBwdy0+cHdfZGlyLCBjaGVja1tpXSk7DQogICAgICAgICBp ZiAoc3RhdChsaW5lLCAmc3QpIDwgMCB8fA0KICAgICAgICAgICAgIChzdC5z dF91aWQgIT0gMCAmJiBzdC5zdF91aWQgIT0gcHctPnB3X3VpZCkgfHwNCkBA IC0yMzIsNiArMjQyLDI3IEBADQogICAgICAgLyogU2tpcCBlbXB0eSBhbmQg Y29tbWVudCBsaW5lcy4gKi8NCiAgICAgICBpZiAoISpjcCB8fCAqY3AgPT0g J1xuJyB8fCAqY3AgPT0gJyMnKQ0KIAljb250aW51ZTsNCisgICAgICAgDQor ICAgICAgLyogVmVyaWZ5IHRoYXQgdGhpcyBsaW5lIGlzIGZvciB0aGUgY29y cmVjdCB1c2VyIGlmIHdlIGFyZSByZWFkaW5nIHRoZSBnbG9iYWwNCisgICAg ICAgCSBSU0Ega2V5ZmlsZSAqLw0KKyAgICAgIGlmIChnbG9iYWwgIT0gMCkN CisgICAgICB7DQorCSAvKiBNYWtlIHN1cmUgdGhhdCB0aGVyZSBpcyBlbm91 Z2ggdGV4dCB0byBldmVuIGJlIGEgdXNlciBuYW1lICovDQorCSBpZiAoc3Ry bGVuKGNwKSA8PSBzdHJsZW4ocHctPnB3X25hbWUpICsgMikNCisJICAgIGNv bnRpbnVlOw0KKwkgDQorCSAvKiBNYWtlIHN1cmUgdGhlIHVzZXIgbmFtZSBp cyB0ZXJtaW5hdGVkIHdpdGggYSA6ICovDQorCSBpZiAoY3Bbc3RybGVuKHB3 
LT5wd19uYW1lKV0gIT0gJzonKQ0KKwkgICAgY29udGludWU7DQorCSANCisJ IC8qIE1ha2Ugc3VyZSB0aGF0IHRoZSB1c2VyIG5hbWUgaXMgdGhlIG9uZSB3 ZSBhcmUgbG9va2luZyBmb3IgKi8NCisJIGlmIChzdHJuY21wKGNwLHB3LT5w d19uYW1lLHN0cmxlbihwdy0+cHdfbmFtZSkpICE9IDApDQorCSAgICBjb250 aW51ZTsNCisJIA0KKwkgLyogR290IGl0LCBhZHZhbmNlIGNwLCB0aGUgcmVz dCBvZiB0aGUgc3RyaW5nICsgcm91dGluZSBhcmUganVzdCBhcyBpZiBpdA0K KwkgICAgY2FtZSBmcm9tIHRoZSB1c2VycyBhdXRob3JpemVzX2tleXMgKi8N CisJIGNwICs9IHN0cmxlbihwdy0+cHdfbmFtZSkgKyAxOw0KKyAgICAgIH0N CiANCiAgICAgICAvKiBDaGVjayBpZiB0aGVyZSBhcmUgb3B0aW9ucyBmb3Ig dGhpcyBrZXksIGFuZCBpZiBzbywgc2F2ZSB0aGVpciANCiAJIHN0YXJ0aW5n IGFkZHJlc3MgYW5kIHNraXAgdGhlIG9wdGlvbiBwYXJ0IGZvciBub3cuICBJ ZiB0aGVyZSBhcmUgbm8gDQpAQCAtMjU4LDcgKzI4OSw3IEBADQogCSAgZGVi dWcoIiUuMTAwcywgbGluZSAlbHU6IGJhZCBrZXkgc3ludGF4IiwgDQogCQlT U0hfVVNFUl9QRVJNSVRURURfS0VZUywgbGluZW51bSk7DQogCSAgcGFja2V0 X3NlbmRfZGVidWcoIiUuMTAwcywgbGluZSAlbHU6IGJhZCBrZXkgc3ludGF4 IiwgDQotCQkJICAgIFNTSF9VU0VSX1BFUk1JVFRFRF9LRVlTLCBsaW5lbnVt KTsNCisJCQkgICAgZmlsZSwgbGluZW51bSk7DQogCSAgY29udGludWU7DQog CX0NCiAgICAgICAvKiBjcCBub3cgcG9pbnRzIHRvIHRoZSBjb21tZW50IHBh cnQuICovDQpAQCAtMzQ5LDkgKzM4MCw5IEBADQogCQkgIGlmICghKm9wdGlv bnMpDQogCQkgICAgew0KIAkJICAgICAgZGVidWcoIiUuMTAwcywgbGluZSAl bHU6IG1pc3NpbmcgZW5kIHF1b3RlIiwNCi0JCQkgICAgU1NIX1VTRVJfUEVS TUlUVEVEX0tFWVMsIGxpbmVudW0pOw0KKwkJCSAgICBmaWxlLCBsaW5lbnVt KTsNCiAJCSAgICAgIHBhY2tldF9zZW5kX2RlYnVnKCIlLjEwMHMsIGxpbmUg JWx1OiBtaXNzaW5nIGVuZCBxdW90ZSIsDQotCQkJCQlTU0hfVVNFUl9QRVJN SVRURURfS0VZUywgbGluZW51bSk7DQorCQkJCQlmaWxlLCBsaW5lbnVtKTsN CiAJCSAgICAgIGNvbnRpbnVlOw0KIAkJICAgIH0NCiAJCSAgZm9yY2VkX2Nv bW1hbmRbaV0gPSAwOw0KQEAgLTM4Myw5ICs0MTQsOSBAQA0KIAkJICBpZiAo ISpvcHRpb25zKQ0KIAkJICAgIHsNCiAJCSAgICAgIGRlYnVnKCIlLjEwMHMs IGxpbmUgJWx1OiBtaXNzaW5nIGVuZCBxdW90ZSIsDQotCQkJICAgIFNTSF9V U0VSX1BFUk1JVFRFRF9LRVlTLCBsaW5lbnVtKTsNCisJCQkgICAgZmlsZSwg bGluZW51bSk7DQogCQkgICAgICBwYWNrZXRfc2VuZF9kZWJ1ZygiJS4xMDBz LCBsaW5lICVsdTogbWlzc2luZyBlbmQgcXVvdGUiLA0KLQkJCQkJU1NIX1VT 
RVJfUEVSTUlUVEVEX0tFWVMsIGxpbmVudW0pOw0KKwkJCQkJZmlsZSwgbGlu ZW51bSk7DQogCQkgICAgICBjb250aW51ZTsNCiAJCSAgICB9DQogCQkgIHNb aV0gPSAwOw0KQEAgLTQyMCw5ICs0NTEsOSBAQA0KIAkJICBpZiAoISpvcHRp b25zKQ0KIAkJICAgIHsNCiAJCSAgICAgIGRlYnVnKCIlLjEwMHMsIGxpbmUg JWx1OiBtaXNzaW5nIGVuZCBxdW90ZSIsDQotCQkJICAgIFNTSF9VU0VSX1BF Uk1JVFRFRF9LRVlTLCBsaW5lbnVtKTsNCisJCQkgICAgZmlsZSwgbGluZW51 bSk7DQogCQkgICAgICBwYWNrZXRfc2VuZF9kZWJ1ZygiJS4xMDBzLCBsaW5l ICVsdTogbWlzc2luZyBlbmQgcXVvdGUiLA0KLQkJCQkJU1NIX1VTRVJfUEVS TUlUVEVEX0tFWVMsIGxpbmVudW0pOw0KKwkJCQkJZmlsZSwgbGluZW51bSk7 DQogCQkgICAgICBjb250aW51ZTsNCiAJCSAgICB9DQogCQkgIHBhdHRlcm5z W2ldID0gMDsNCkBAIC00NDgsOSArNDc5LDkgQEANCiAJICAgIGJhZF9vcHRp b246DQogCSAgICAgIC8qIFVua25vd24gb3B0aW9uLiAqLw0KIAkgICAgICBs b2coIkJhZCBvcHRpb25zIGluICUuMTAwcyBmaWxlLCBsaW5lICVsdTogJS41 MHMiLA0KLQkJICBTU0hfVVNFUl9QRVJNSVRURURfS0VZUywgbGluZW51bSwg b3B0aW9ucyk7DQorCQkgIGZpbGUsIGxpbmVudW0sIG9wdGlvbnMpOw0KIAkg ICAgICBwYWNrZXRfc2VuZF9kZWJ1ZygiQmFkIG9wdGlvbnMgaW4gJS4xMDBz IGZpbGUsIGxpbmUgJWx1OiAlLjUwcyIsDQotCQkJCVNTSF9VU0VSX1BFUk1J VFRFRF9LRVlTLCBsaW5lbnVtLCBvcHRpb25zKTsNCisJCQkJZmlsZSwgbGlu ZW51bSwgb3B0aW9ucyk7DQogCSAgICAgIGF1dGhlbnRpY2F0ZWQgPSAwOw0K IAkgICAgICBicmVhazsNCiANCk9ubHkgaW4gb3BlbnNzaC0xLjJwcmUxMytq Z2c6IGF1dGgtcnNhLm8NCk9ubHkgaW4gb3BlbnNzaC0xLjJwcmUxMytqZ2c6 IGF1dGgtc2tleS5vDQpPbmx5IGluIG9wZW5zc2gtMS4ycHJlMTMramdnOiBh dXRoZmQubw0KT25seSBpbiBvcGVuc3NoLTEuMnByZTEzK2pnZzogYXV0aGZp bGUubw0KT25seSBpbiBvcGVuc3NoLTEuMnByZTEzK2pnZzogYnNkLWRhZW1v bi5vDQpPbmx5IGluIG9wZW5zc2gtMS4ycHJlMTMramdnOiBic2QtbG9naW4u bw0KT25seSBpbiBvcGVuc3NoLTEuMnByZTEzK2pnZzogYnNkLW1rdGVtcC5v DQpPbmx5IGluIG9wZW5zc2gtMS4ycHJlMTMramdnOiBic2Qtc3RybGNweS5v DQpPbmx5IGluIG9wZW5zc2gtMS4ycHJlMTMramdnOiBidWZhdXgubw0KT25s eSBpbiBvcGVuc3NoLTEuMnByZTEzK2pnZzogYnVmZmVyLm8NCk9ubHkgaW4g b3BlbnNzaC0xLjJwcmUxMytqZ2c6IGJ1aWxkLXN0YW1wDQpPbmx5IGluIG9w ZW5zc2gtMS4ycHJlMTMramdnOiBjYW5vaG9zdC5vDQpPbmx5IGluIG9wZW5z c2gtMS4ycHJlMTMramdnOiBjaGFubmVscy5vDQpPbmx5IGluIG9wZW5zc2gt 
MS4ycHJlMTMramdnOiBjaXBoZXIubw0KT25seSBpbiBvcGVuc3NoLTEuMnBy ZTEzK2pnZzogY2xpZW50bG9vcC5vDQpPbmx5IGluIG9wZW5zc2gtMS4ycHJl MTMramdnOiBjb21wYXQubw0KT25seSBpbiBvcGVuc3NoLTEuMnByZTEzK2pn ZzogY29tcHJlc3Mubw0KT25seSBpbiBvcGVuc3NoLTEuMnByZTEzK2pnZzog Y29uZmlnLmNhY2hlDQpPbmx5IGluIG9wZW5zc2gtMS4ycHJlMTMramdnOiBj b25maWcuaA0KT25seSBpbiBvcGVuc3NoLTEuMnByZTEzK2pnZzogY29uZmln LmxvZw0KT25seSBpbiBvcGVuc3NoLTEuMnByZTEzK2pnZzogY29uZmlnLnN0 YXR1cw0KT25seSBpbiBvcGVuc3NoLTEuMnByZTEzK2pnZzogY3JjMzIubw0K T25seSBpbiBvcGVuc3NoLTEuMnByZTEzK2pnZzogZGVhdHRhY2subw0KQ29t bW9uIHN1YmRpcmVjdG9yaWVzOiBvcGVuc3NoLTEuMnByZTEzL2RlYmlhbiBh bmQgb3BlbnNzaC0xLjJwcmUxMytqZ2cvZGViaWFuDQpPbmx5IGluIG9wZW5z c2gtMS4ycHJlMTMramdnOiBmaW5nZXJwcmludC5vDQpPbmx5IGluIG9wZW5z c2gtMS4ycHJlMTMramdnOiBoZWxwZXIubw0KT25seSBpbiBvcGVuc3NoLTEu MnByZTEzK2pnZzogaG9zdGZpbGUubw0KT25seSBpbiBvcGVuc3NoLTEuMnBy ZTEzK2pnZzogbGlic3NoLmENCk9ubHkgaW4gb3BlbnNzaC0xLjJwcmUxMytq Z2c6IGxvZy1jbGllbnQubw0KT25seSBpbiBvcGVuc3NoLTEuMnByZTEzK2pn ZzogbG9nLXNlcnZlci5vDQpPbmx5IGluIG9wZW5zc2gtMS4ycHJlMTMramdn OiBsb2cubw0KT25seSBpbiBvcGVuc3NoLTEuMnByZTEzK2pnZzogbG9naW4u bw0KT25seSBpbiBvcGVuc3NoLTEuMnByZTEzK2pnZzogbWF0Y2gubw0KT25s eSBpbiBvcGVuc3NoLTEuMnByZTEzK2pnZzogbWQ1Y3J5cHQubw0KT25seSBp biBvcGVuc3NoLTEuMnByZTEzK2pnZzogbXBhdXgubw0KT25seSBpbiBvcGVu c3NoLTEuMnByZTEzK2pnZzogbmNoYW4ubw0KT25seSBpbiBvcGVuc3NoLTEu MnByZTEzK2pnZzogcGFja2V0Lm8NCk9ubHkgaW4gb3BlbnNzaC0xLjJwcmUx MytqZ2c6IHB0eS5vDQpPbmx5IGluIG9wZW5zc2gtMS4ycHJlMTMramdnOiBy YzQubw0KT25seSBpbiBvcGVuc3NoLTEuMnByZTEzK2pnZzogcmVhZGNvbmYu bw0KT25seSBpbiBvcGVuc3NoLTEuMnByZTEzK2pnZzogcmVhZHBhc3Mubw0K T25seSBpbiBvcGVuc3NoLTEuMnByZTEzK2pnZzogcnNhLm8NCk9ubHkgaW4g b3BlbnNzaC0xLjJwcmUxMytqZ2c6IHNjcA0KT25seSBpbiBvcGVuc3NoLTEu MnByZTEzK2pnZzogc2NwLm8NCmRpZmYgLXUgb3BlbnNzaC0xLjJwcmUxMy9z ZXJ2Y29uZi5jIG9wZW5zc2gtMS4ycHJlMTMramdnL3NlcnZjb25mLmMNCi0t LSBvcGVuc3NoLTEuMnByZTEzL3NlcnZjb25mLmMJVGh1IE5vdiAxMSAyMTox OToyNyAxOTk5DQorKysgb3BlbnNzaC0xLjJwcmUxMytqZ2cvc2VydmNvbmYu 
From drankin at bohemians.lexington.ky.us Thu Nov 25 00:54:00 1999
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Wed, 24 Nov 1999 08:54:00 -0500
Subject: Release 1.2pre15 coming soon?
Message-ID: <19991124085400.A3811@rumpole.bohemians.lexington.ky.us>

Given that we've had several major patches of late, is there any chance
that pre15 could get released within the next couple of days?

Thanks,
David
--
David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin.
Email: drankin at bohemians.lexington.ky.us Address/Phone Number: Ask me.
"It is no great thing to be humble when you are brought low; but to be
humble when you are praised is a great and rare accomplishment." St. Bernard

From Markus.Friedl at informatik.uni-erlangen.de Thu Nov 25 01:21:13 1999
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 24 Nov 1999 15:21:13 +0100
Subject: locking accounts when non-password authentication
In-Reply-To: <871z9gojmk.fsf@sheikh.hands.com>; from phil@hands.com on Tue, Nov 23, 1999 at 11:47:47PM +0000
References: <87ln7tc6wc.fsf@sheikh.hands.com> <871z9gojmk.fsf@sheikh.hands.com>
Message-ID: <19991124152111.A22720@faui01.informatik.uni-erlangen.de>

On Tue, Nov 23, 1999 at 11:47:47PM +0000, Philip Hands wrote:
> Failing that, it looks like we need to put some code in sshd.c or some
> of the auth-*.c files to deal with /etc/shadow passwords, and check
> them to see if they start with ``*LK*''.

don't mess with auth-*.c, sshd.c:allowed_user() is the place to add
things like this.

From djm at mindrot.org Thu Nov 25 09:20:26 1999
From: djm at mindrot.org (Damien Miller)
Date: Thu, 25 Nov 1999 09:20:26 +1100 (EST)
Subject: Release 1.2pre15 coming soon?
In-Reply-To: <19991124085400.A3811@rumpole.bohemians.lexington.ky.us>
Message-ID:

On Wed, 24 Nov 1999, David Rankin wrote:

> Given that we've had several major patches of late, is there any chance
> that pre15 could get released within the next couple of days?

Yes, but it may not include all the patches on the mailing list.

The OpenBSD folks have just completed a bulk reformatting of the source,
which has required a manual merge and reformat of all my changes as
well. IMO anyone who uses space characters for source indentation should
be lobotomized.

I don't _think_ I broke anything doing so, but I want to do a pre15 with
the merge and a few little compile fixes to see.

Later today perhaps.

Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Thu Nov 25 14:24:22 1999
From: djm at mindrot.org (Damien Miller)
Date: Thu, 25 Nov 1999 14:24:22 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2pre15
Message-ID:

I have just uploaded openssh-1.2pre15 to http://violet.ibs.com.au/openssh/

Changes:

- Merged big source cleanup from OpenBSD CVS. All the source now conforms to:
  http://www.openbsd.org/cgi-bin/man.cgi?query=style&apropos=0&sektion=9&manpath=OpenBSD+Current&format=html
- Added BSD compatible install program
- More Solaris fixes
- Added new sshd.pam.generic which should work better on non-Redhat systems.
- Beginnings of AIX support
- SuSE RPM spec file and .src.rpm package
- Build system bugfixes
- Lots of bugfixes included from OpenBSD CVS.
- Cleaner ssh-askpass support (please read ssh-add.1 for new syntax)
- Instantly reusable forwarding ports
- No more zombie children
- SecureCRT fixes.

Outstanding issues:

- Getting sshd working on Solaris

Full ChangeLog:

19991125
 - More reformatting merged from OpenBSD CVS
 - Merged OpenBSD CVS changes:
   - [channels.c] fix packet_integrity_check() for !have_hostname_in_open.
     report from mrwizard at psu.edu via djm at ibs.com.au
   - [channels.c] set SO_REUSEADDR and SO_LINGER for forwarded ports.
     chip at valinux.com via damien at ibs.com.au
   - [nchan.c] it's not an error() if shutdown_write fails in nchan.
   - [readconf.c] remove dead #ifdef-0-code
   - [readconf.c servconf.c] strcasecmp instead of tolower
   - [scp.c] progress meter overflow fix from damien at ibs.com.au
   - [ssh-add.1 ssh-add.c] SSH_ASKPASS support
   - [ssh.1 ssh.c] postpone fork_after_authentication until command execution,
     request/patch from jahakala at cc.jyu.fi via damien at ibs.com.au
     plus: use daemon() for backgrounding
 - Added BSD compatible install program and autoconf test, thanks to
   Niels Kristian Bech Jensen
 - Solaris fixing, thanks to Ben Taylor
 - Merged beginnings of AIX support from Tor-Ake Fransson
 - Release 1.2pre15

19991124
 - Merged very large OpenBSD source code reformat
 - OpenBSD CVS updates
   - [channels.c cipher.c compat.c log-client.c scp.c serverloop.c]
     [ssh.h sshd.8 sshd.c]
     syslog changes:
     * Unified Logmessage for all auth-types, for success and for failed
     * Standard connections get only ONE line in the LOG when level==LOG:
       Auth-attempts are logged only, if authentication is:
         a) successful or
         b) with passwd or
         c) we had more than AUTH_FAIL_LOG failures
     * many log() became verbose()
     * old behaviour with level=VERBOSE
   - [readconf.c readconf.h ssh.1 ssh.h sshconnect.c sshd.c]
     transfer s/key challenge/response data in SSH_SMSG_AUTH_TIS_CHALLENGE
     messages. allows use of s/key in windows (ttssh, securecrt) and
     ssh-1.2.27 clients without 'ssh -v', ok: niels@
   - [sshd.8] -V, for fallback to openssh in SSH2 compatibility mode
   - [sshd.c] fix sigchld race; cjc5 at po.cwru.edu

19991123
 - Added SuSE package files from Chris Saia
 - Restructured package-related files under packages/*
 - Added generic PAM config
 - Numerous little Solaris fixes
 - Add recommendation to use GNU make to INSTALL document

19991122
 - Configure, Make and changelog corrections from Tudor Bosman and
   Niels Kristian Bech Jensen

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From rbickers at logicetc.com Thu Nov 25 15:50:30 1999
From: rbickers at logicetc.com (Ron Bickers)
Date: Wed, 24 Nov 1999 23:50:30 -0500
Subject: Packet integrity error. (29) - fixed by pre15
Message-ID: <00a501bf3700$997829e0$0200a8c0@logicetc.com>

I just installed the 1.2pre15 RPMs and, as hinted in the announcement, it
fixed this problem. Thank you!

_______________________
Ron Bickers

===== ORIGINAL POST =====

I'm using SecureCRT (http://www.vandyke.com/) to connect to OpenSSH
(1.2pre14 built from source RPMs) running on RedHat Linux 6.1. When I
forward a local port using SecureCRT to a port on the server and try to
connect, I get the error message "Packet integrity error. (29)" on the
server and the session is disconnected. This forwarding setup works with
the not-so-free sshd just fine.

Any ideas? Thanks!

_______________________
Ron Bickers

From csaia at wtower.com Thu Nov 25 18:03:24 1999
From: csaia at wtower.com (Chris Saia)
Date: 25 Nov 1999 02:03:24 -0500
Subject: suse/kde and the new ssh-add/ssh-askpass
Message-ID:

Howdy,

It seems that as of 1.2pre15, ssh-add no longer looks for ssh-askpass in
the usual place. (I noticed this both in the source code, ssh-add.c, and
to some degree in the ChangeLog.) If you're like me and keep ssh-add in
your Autostart folder in KDE, chances are upgrading to 1.2pre15 will
result in no longer getting the nice Gnome widget we've come to know and
love when starting up.

To fix this, simply add the following two lines to your ~/.profile:

SSH_ASKPASS=/usr/libexec/ssh/ssh-askpass
export SSH_ASKPASS

Now, the reason I post this to the unix-dev mailing list is that I'd like
to request that ssh-add will default to the ssh-askpass built with the
rest of the programs (i.e. /usr/libexec/ssh/...) unless overridden by
SSH_ASKPASS.

Secondly, I'm now making available the spec file that I (and now
consequently Damien) use to build SuSE (S)RPMS of OpenSSH. In addition
to mailing these to him for building the various releases, I'll probably
update the spec file and post it in my web tree so that others can grab
the file without waiting for a new prerelease. See
http://www.wtower.com/~csaia/openssh.spec.

Cheers,

--
===============================================================================
csaia at wtower.com, WTnet IRC Administrator - http://www.wtower.com/~csaia/
GNU Privacy Guard Public Key information is available at the above URL.
===============================================================================

From nkbj at image.dk Thu Nov 25 18:39:55 1999
From: nkbj at image.dk (Niels Kristian Bech Jensen) Date: Thu, 25 Nov 1999 08:39:55 +0100 (CET) Subject: [PATCH] Only make $(libexec)/ssh when needed (1.2.pre15). Message-ID: Hi, This patch ensures that $(libexecdir)/ssh is only made when needed (no need to make empty directories): --- openssh-1.2pre15/Makefile.in~ Thu Nov 25 03:40:22 1999 +++ openssh-1.2pre15/Makefile.in Thu Nov 25 08:35:55 1999 @@ -83,9 +83,9 @@ ln -sf ssh $(bindir)/slogin ln -sf ssh.1 $(mandir)/man1/slogin.1 - $(INSTALL) -d $(libexecdir) ; - $(INSTALL) -d $(libexecdir)/ssh ; - if [ ! -z "@GNOME_ASKPASS@" ] ; then \ + if [ -n "@GNOME_ASKPASS@" ] ; then \ + $(INSTALL) -d $(libexecdir) ; \ + $(INSTALL) -d $(libexecdir)/ssh ; \ $(INSTALL) -s @GNOME_ASKPASS@ ${ASKPASS_PROGRAM} ; \ fi -- Niels Kristian Bech Jensen -- nkbj at image.dk -- http://www.image.dk/~nkbj/ ----------->> Stop software piracy --- use free software! <<----------- From phil at hands.com Thu Nov 25 21:37:23 1999 From: phil at hands.com (Philip Hands) Date: 25 Nov 1999 10:37:23 +0000 Subject: locking accounts when non-password authentication In-Reply-To: <19991124152111.A22720@faui01.informatik.uni-erlangen.de> (Markus Friedl's message of "Wed, 24 Nov 1999 15:21:13 +0100") References: <87ln7tc6wc.fsf@sheikh.hands.com> <871z9gojmk.fsf@sheikh.hands.com> <19991124152111.A22720@faui01.informatik.uni-erlangen.de> Message-ID: <87903mj1r0.fsf@sheikh.hands.com> Markus Friedl writes: > On Tue, Nov 23, 1999 at 11:47:47PM +0000, Philip Hands wrote: > > Failing that, it looks like we need to put some code in sshd.c or some > > of the auth-*.c files to deal with /etc/shadow passwords, and check > > them to see if they start with ``*LK*''. > > don't mess with auth-*.c, sshd.c:allowed_user() is the place to add > things like this. I thought that was probably be the case, in which case this patch seems to do the trick: --- openssh-1.2pre14.orig/sshd.c +++ openssh-1.2pre14/sshd.c 
@@ -36,6 +36,10 @@ # include #endif +#ifdef HAVE_SHADOW_H +#include +#endif /* HAVE_SHADOW_H */ + #ifdef LIBWRAP #include #include @@ -1100,13 +1104,49 @@ { struct group *grp; int i; +#ifdef HAVE_SHADOW_H + struct spwd *spw = NULL; +#endif /* HAVE_SHADOW_H */ /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw) return 0; +#ifdef HAVE_SHADOW_H + if (!strcmp(pw->pw_passwd, "x")) { + spw = getspnam(pw->pw_name); + } + if (spw != NULL) { /* we have a shadow entry, let's check it */ + /* perhaps we should be checking all the expired acount stuff here, + but I'd have thought that only applies to the password. + I wonder how an admin is supposed to expire an RSA key... */ + + /* check for either of the symptoms of a locked account */ + if (spw->sp_pwdp[0] == '!' || !strncmp(spw->sp_pwdp, "*LK*", 4)) { + debug("account for \"%.200s\" locked by admin, bailing out", + pw->pw_name); + return 0; + } + } else { +#endif /* HAVE_SHADOW_H */ + /* In the case of shadow passwords, this is checked only if the shadow + * entry doesn't exist. Without shadow passwords, we simply check it + * all the time. + */ + if (pw->pw_passwd[0] == '!' || !strncmp(pw->pw_passwd, "*LK*", 4)) { + debug("account for \"%.200s\" locked by admin, bailing out", + pw->pw_name); + return 0; + } +#ifdef HAVE_SHADOW_H + } + debug("completed shadow checks in allowed_user"); + +#endif /* HAVE_SHADOW_H */ + /* XXX Should check for valid login shell */ + /* Return false if user is listed in DenyUsers */ if (options.num_deny_users > 0) { =-=-=-=-=-=-=- The only problem with this is that it makes RSA authentication fall back to password authentication, which seems a bit pointless to me, given that they are all going to fail as well. Cheers, Phil. From torake at hotmail.com Fri Nov 26 05:03:26 1999 
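Review bot: for the Makefile.in hunk in the preceding message, the rewrite is consistent: `[ -n "@GNOME_ASKPASS@" ]` is equivalent to the old `[ ! -z ... ]`, and both moved `$(INSTALL) -d` lines carry the `; \` continuations they need now that they sit inside the if block. Worth confirming in the rest of the install target (not shown) is that nothing else installs into $(libexecdir)/ssh, since after this change the directory exists only when @GNOME_ASKPASS@ is set.

Review bot: in the allowed_user() hunk, the shadow lookup is gated on `!strcmp(pw->pw_passwd, "x")`, so a passwd entry that uses any other placeholder for a shadowed password never reaches getspnam() and is instead compared against the placeholder string itself; under HAVE_SHADOW_H, calling getspnam() unconditionally (it returns NULL when there is no entry) and falling back to pw_passwd only in that case covers every layout. The `} else {` opened inside one #ifdef block and closed inside the next makes the brace structure hard to follow; a small helper such as `is_locked_password(const char *p)` returning `p[0] == '!' || strncmp(p, "*LK*", 4) == 0`, applied to `spw->sp_pwdp` when a shadow entry exists and to `pw->pw_passwd` otherwise, would leave a single #ifdef. The expiry the comment wonders about is in the same entry as `spw->sp_expire` (days since the epoch, -1 when unset). Returning 0 from allowed_user() refuses every authentication method for the locked account, which is the desired outcome; the fallback to a password prompt mentioned after the patch is only the client-visible side of that refusal.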
From: torake at hotmail.com (Tor-Ake Fransson)
Date: Thu, 25 Nov 1999 18:03:26 GMT
Subject: DCE Patch
Message-ID: <19991125180327.49621.qmail@hotmail.com>

Hi all.

I am submitting a patch that adds DCE authentication and credential
attaching. Fully legit, no ugly hacks ;)

I looked (some) at Paul Henson's patch for ssh-1.2.20 while coding.

The patch [attached] is against pre14, but DCE and AIX patches for pre15
will follow shortly. I threw in this patch just to prove I'm working on
it. :)

Happy Hacking,
//T-Å

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From torake at hotmail.com Fri Nov 26 05:06:50 1999
From: torake at hotmail.com (Tor-Ake Fransson)
Date: Thu, 25 Nov 1999 18:06:50 GMT
Subject: DCE Patch (forgot the attachment. Grr)
Message-ID: <19991125180650.49850.qmail@hotmail.com>

Hmm... I think it's time to go home now... forgot attachment.

//T-Å

>Hi all.
>
>I am submitting a patch that adds DCE authentication and credential
>attaching. Fully legit, no ugly hacks ;)
>
>I looked (some) at Paul Henson's patch for ssh-1.2.20 while coding.
>
>The patch [attached] is against pre14, but DCE and AIX patches for pre15
>will follow shortly. I threw in this patch just to prove I'm working on
>it. :)
>
>Happy Hacking,
>//T-Å

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-1.2pre14-DCE.diff
Type: application/octet-stream
Size: 14169 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991125/dd3d641e/attachment.obj

From marc.fournier at acadiau.ca Fri Nov 26 07:12:24 1999
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Thu, 25 Nov 1999 16:12:24 -0400 (AST)
Subject: pre15 & Solaris 7 ... rsa.h problem ...
Message-ID:

I don't remember what we did to fix this last time, and I've had to
rebuild my system completely from scratch over the past few days, so don't
have past patches to work from ...

new-relay:/usr/slocal/src/openssh-1.2pre15> make
gcc -g -O2 -Wall -I/usr/slocal/include -DETCDIR=\"/usr/local/etc/ssh\" -DSSH_PROGRAM=\"/usr/slocal/bin/ssh\" -DHAVE_CONFIG_H -c authfd.c -o authfd.o
In file included from ssh.h:25,
                 from authfd.c:19:
rsa.h:40: parse error before `__P'
rsa.h:42: parse error before `__P'
rsa.h:44: parse error before `__P'
rsa.h:45: parse error before `__P'
make: *** [authfd.o] Error 1

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University

"These are my opinions, which are not necessarily shared by my employer"

From Markus.Friedl at informatik.uni-erlangen.de Fri Nov 26 07:57:55 1999
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 25 Nov 1999 21:57:55 +0100
Subject: pre15 & Solaris 7 ... rsa.h problem ...
In-Reply-To: ; from marc.fournier@acadiau.ca on Thu, Nov 25, 1999 at 04:12:24PM -0400
References:
Message-ID: <19991125215755.A18026@faui01.informatik.uni-erlangen.de>

add

#define __P(protos)     protos          /* full-blown ANSI C */

or

#define __P(protos)     ()              /* traditional C preprocessor */

On Thu, Nov 25, 1999 at 04:12:24PM -0400, Marc G. Fournier wrote:
>
> I don't remember what we did to fix this last time, and I've had to
> rebuild my system completely from scratch over the past few days, so don't
> have past patches to work from ...
>
> new-relay:/usr/slocal/src/openssh-1.2pre15> make
> gcc -g -O2 -Wall -I/usr/slocal/include -DETCDIR=\"/usr/local/etc/ssh\" -DSSH_PROGRAM=\"/usr/slocal/bin/ssh\" -DHAVE_CONFIG_H -c authfd.c -o authfd.o
> In file included from ssh.h:25,
>                  from authfd.c:19:
> rsa.h:40: parse error before `__P'
> rsa.h:42: parse error before `__P'
> rsa.h:44: parse error before `__P'
> rsa.h:45: parse error before `__P'
> make: *** [authfd.o] Error 1
>
>
> Marc G. Fournier                   marc.fournier at acadiau.ca
> Senior Systems Administrator       Acadia University
>
> "These are my opinions, which are not necessarily shared by my employer"
>

From damien at ibs.com.au Fri Nov 26 09:38:47 1999
From: damien at ibs.com.au (Damien Miller)
Date: Fri, 26 Nov 1999 09:38:47 +1100
Subject: pre15 & Solaris 7 ... rsa.h problem ...
References:
Message-ID: <383DBA77.743C5BCE@ibs.com.au>

"Marc G. Fournier" wrote:
>
> I don't remember what we did to fix this last time, and I've had to
> rebuild my system completely from scratch over the past few days, so don't
> have past patches to work from ...

Damn - I must have picked these up with the formatting change. Add the
following to the end of config.h.in and re-run configure:

#ifndef __P
# define __P(x) x
#endif

and tell me how it goes.

Thanks,
Damien

From damien at ibs.com.au Fri Nov 26 12:00:02 1999
From: damien at ibs.com.au (Damien Miller)
Date: Fri, 26 Nov 1999 12:00:02 +1100
Subject: [Fwd: openssh bugreport]
Message-ID: <383DDB92.F496BFD9@ibs.com.au>

-------------- next part --------------
An embedded message was scrubbed...
From: Sven Geggus
Subject: openssh bugreport
Date: Thu, 25 Nov 1999 17:43:37 +0100
Size: 1675
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991126/b56c5f0b/attachment.mht

From nkbj at image.dk Fri Nov 26 16:15:20 1999
From: nkbj at image.dk (Niels Kristian Bech Jensen)
Date: Fri, 26 Nov 1999 06:15:20 +0100 (CET)
Subject: pre15 & Solaris 7 ... rsa.h problem ...
In-Reply-To: <383DBA77.743C5BCE@ibs.com.au>
Message-ID:

On Fri, 26 Nov 1999, Damien Miller wrote:

> Damn - I must have picked these up with the formatting change. Add the
> following to the end of config.h.in and re-run configure:
                          ^^^^^^^^^^^
Shouldn't it be acconfig.h ?

>
> #ifndef __P
> # define __P(x) x
> #endif
>

--
Niels Kristian Bech Jensen -- nkbj at image.dk -- http://www.image.dk/~nkbj/
----------->> Stop software piracy --- use free software! <<-----------

From djm at mindrot.org Fri Nov 26 20:22:47 1999
From: djm at mindrot.org (Damien Miller)
Date: Fri, 26 Nov 1999 20:22:47 +1100 (EST)
Subject: pre15 & Solaris 7 ... rsa.h problem ...
In-Reply-To:
Message-ID:

On Fri, 26 Nov 1999, Niels Kristian Bech Jensen wrote:

> On Fri, 26 Nov 1999, Damien Miller wrote:
>
> > Damn - I must have picked these up with the formatting change. Add the
> > following to the end of config.h.in and re-run configure:
>                           ^^^^^^^^^^^
> Shouldn't it be acconfig.h ?

That is what I have done, but I sent the manual change for the benefit of
those without autoconf.

Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From ETARDIEU at CPR.FR Fri Nov 26 20:03:48 1999
From: ETARDIEU at CPR.FR (TARDIEU Emmanuel)
Date: Fri, 26 Nov 1999 10:03:48 +0100
Subject: solaris 2.5.1
Message-ID: <5BF932D2CD05D211B54800805FE60FEB05AA9338@serv-hermes.systeme.cpr.fr>

Hi,

Here's what I get (pre15 with __P(x) x fix) :

ar rv libssh.a
ranlib libssh.a
gcc -o ssh -ldl -lsocket -lnsl -lz -lcrypto -L/usr/local/ssl/lib -lssl -lcrypto
Undefined                       first referenced
 symbol                             in file
main                                /usr/local/lib/gcc-lib/sparc-sun-solaris2.5.1/2.95.2/crt1.o
ld: fatal: Symbol referencing errors. No output written to ssh
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `ssh'

Is this some local compilation problem ?
Sorry for not including any fixes ;-)

Cheers
Emmanuel Tardieu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991126/5d6f12eb/attachment.html

From bent at clark.net Sat Nov 27 01:27:00 1999
From: bent at clark.net (Ben Taylor)
Date: Fri, 26 Nov 1999 09:27:00 -0500 (EST)
Subject: solaris 2.5.1
In-Reply-To: <5BF932D2CD05D211B54800805FE60FEB05AA9338@serv-hermes.systeme.cpr.fr>
Message-ID:

On Fri, 26 Nov 1999, TARDIEU Emmanuel wrote:

> Hi,

use gnu make.

>
> Here's what I get (pre15 with __P(x) x fix) :
>
> ar rv libssh.a
> ranlib libssh.a
> gcc -o ssh -ldl -lsocket -lnsl -lz -lcrypto -L/usr/local/ssl/lib -lssl
> -lcrypto
> Undefined                       first referenced
>  symbol                             in file
> main
> /usr/local/lib/gcc-lib/sparc-sun-solaris2.5.1/2.95.2/crt1.o
> ld: fatal: Symbol referencing errors. No output written to ssh
> collect2: ld returned 1 exit status
> *** Error code 1
> make: Fatal error: Command failed for target `ssh'
>
> Is this some local compilation problem ?
> Sorry for not including any fixes ;-)
>
> Cheers
> Emmanuel Tardieu
>

From sprout at dok.org Sat Nov 27 08:53:08 1999
From: sprout at dok.org (Chris Green)
Date: 26 Nov 1999 21:53:08 -0000
Subject: openssh & XEmacs gnuclient issue
Message-ID: <19991126215308.12699.qmail@ghostplanet.dok.org>

In switching to openssh from ssh-1.2.27, I have encountered the following
problem with the way openssh handles its XAUTHORITY files separately from
~/.Xauthority.

XEmacs has a gnuserv process that runs and allows commands to be issued
to a remote XEmacs process. The trouble is when the command is to make a
new frame ( window ) on a different X display, it fails because the Xauth
cookie is not in .Xauthority and the user's process on the remote machine
is not.

I think XEmacs is one of the few programs in common use to handle
multiple displays. What advantage is it to separate the ssh cookie into
a separate file aside from making it easier to nuke cookies when closing
a connection? Would it be possible to switch to use the user's
~/.Xauthority?

Cheers,
Chris
--
Chris Green
Logic, my dear Zoe, merely enables one to be wrong with authority.
        - Doctor Who, "The Wheel in Space"

From dugsong at monkey.org Sat Nov 27 12:43:22 1999
From: dugsong at monkey.org (Dug Song)
Date: Fri, 26 Nov 1999 20:43:22 -0500 (EST)
Subject: openssh & XEmacs gnuclient issue
In-Reply-To: <19991126215308.12699.qmail@ghostplanet.dok.org>
Message-ID:

On 26 Nov 1999, Chris Green wrote:

> The trouble is when the command is to make a new frame ( window ) on a
> different X display, it fails because the Xauth cookie is not in
> .Xauthority and the user's process on the remote machine is not.

it doesn't honor the XAUTHORITY environment variable? hrm. :-/

> What advantage is it to separate the ssh cookie into a separate file
> aside from making it easier to nuke cookies when closing a connection?

specifically, it protects the file's contents when the user's home
directory is in NFS, or AFS. by using a local file, it prevents passive
network sniffing of the Xauth credentials - see Ulrich Flegel's paper on
SSH X11 vulnerabilities for details:

http://rootshell.connectnet.com/docs/ssh-x11.ps.gz

-d.

---
http://www.monkey.org/~dugsong/

From sprout at dok.org Sat Nov 27 13:44:58 1999
From: sprout at dok.org (Chris Green)
Date: 26 Nov 1999 20:44:58 -0600
Subject: openssh & XEmacs gnuclient issue
In-Reply-To: Dug Song's message of "Fri, 26 Nov 1999 20:43:22 -0500 (EST)"
References:
Message-ID:

Dug Song writes:

> it doesn't honor the XAUTHORITY environment variable? hrm. :-/

It's not that XEmacs doesn't honor XAUTHORITY, it's that the XEmacs
process has one XAUTHORITY set ( on the original display's .Xauthority )
whereas the ssh display does not update XEmacs as to where its
credentials are. The gnuclient program does not use its Xauthority, it
communicates to the XEmacs process to open a window on the new display
as well (multiple display version of netscape's remote commands ).

A kludge of a workaround is to merge the two ( and let the user shoot
himself in the foot to attacks via NFS/AFS ). Now that I understand the
problem from both ends.

> specifically, it protects the file's contents when the user's home
> directory is in NFS, or AFS. by using a local file, it prevents passive
> network sniffing of the Xauth credentials - see Ulrich Flegel's paper on
> SSH X11 vulnerabilities for details:
>
> http://rootshell.connectnet.com/docs/ssh-x11.ps.gz

Thank you for the paper link. I hadn't thought about trying to protect
against people grabbing the cookie via nfs. I'm going to have to do a
good bit more research before I'd venture to stick my foot in my mouth
and argue that protecting the key from that style of attack is pointless.
My gut feeling is they could probably impersonate the file server,
replace an ls alias or something to that effect and gain access another
way. I would however grant that type of attack would be more difficult
to achieve than simply snarfing an 80 char string and is worth shielding,
even though it's not the only possible route of attack.

By this logic, I've convinced myself to find another workaround other
than patching openssh's xauth.

Thanks,
Chris
--
Chris Green
A good pun is its own reword.
From dugsong at monkey.org Sat Nov 27 13:52:03 1999
From: dugsong at monkey.org (Dug Song)
Date: Fri, 26 Nov 1999 21:52:03 -0500 (EST)
Subject: openssh & XEmacs gnuclient issue
In-Reply-To:
Message-ID:

On 26 Nov 1999, Chris Green wrote:

> By this logic, I've convinced myself to find another work around other
> than patching openssh's xauth.

let us know if you find a good workaround, so we can document it. :-)

-d.

---
http://www.monkey.org/~dugsong/

From rhardy at webcon.net Sun Nov 28 01:44:55 1999
From: rhardy at webcon.net (Robert Hardy)
Date: Sat, 27 Nov 1999 09:44:55 -0500 (EST)
Subject: Openssh 1.2pre15: Command terminated on sig. 11
Message-ID:

A bug has found its way into Openssh-1.2pre15. It has forced us to
downgrade to pre14.

Our test hosts are connected with regular Ethernet and by an internal
VPN. With that in mind, any given host has two IP addresses. Starting
with pre15 we get the fatal error message below every time we connect to
the EXTERNAL ip address (eth0). For some reason, we continue to be able
to connect to the INTERNAL ip address (eth1 & sl0). That, of course, is
of limited use to us as we already have secure connectivity to machines
in our VPN.

The problem always happens just as we are about to get a shell prompt
after SSH has requested our password and we have supplied it and hit
return.

This is what shows up in the server logs:

sshd[3195]: fatal: Disconnecting: Command terminated on signal 11.

A full session is as follows:

sshd[3195]: Connection from x.x.x.x port 1023
sshd[3195]: Failed rhosts-rsa for x from x.x.x.x port 1023 ruser x
PAM_pwdb[3195]: (sshd) session opened for user x by (uid=x)
sshd[3195]: PAM Password authentication accepted for user "x"
sshd[3195]: Accepted password for x from x.x.x.x port 1023
PAM_pwdb[3195]: (sshd) session opened for user x by (uid=x)
sshd[3195]: fatal: Disconnecting: Command terminated on signal 11.
PAM_pwdb[3195]: (sshd) session closed for user x

I don't remember what the ssh client reported, though something about the
signal 11 was in there too.

I have attached an strace of the server which was turned on while sshd
was sitting at the password prompt.

Regards,
Rob
--
----------------"Linux the choice of a GNU Generation!"-----------------
Robert Hardy                C.E.O. Webcon Inc.      rhardy at webcon.net
PGP Key available by finger                             (613) 276-6206
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sshtrace.gz
Type: application/octet-stream
Size: 4461 bytes
Desc:
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991127/f681c174/attachment.obj

From sprout at dok.org Sun Nov 28 16:04:06 1999
From: sprout at dok.org (Chris Green)
Date: 27 Nov 1999 23:04:06 -0600
Subject: openssh & XEmacs gnuclient issue
In-Reply-To: Dug Song's message of "Fri, 26 Nov 1999 21:52:03 -0500 (EST)"
References:
Message-ID:

Dug Song writes:

>
> let us know if you find a good workaround, so we can document it. :-)
>

This is the cleanest solution I could think of. Just tell XEmacs to merge
the new cookie file into the xauth it's currently using. If you are using
a local-only credentials setup, the new credentials will also stay local.
If your credentials are lying around in ~, your new display is just as
secure as your XEmacs process is.

This is a modified version of the editclient.sh that ships w/ XEmacs.

#!/bin/sh
# editclient.sh
#
# If a gnuserv is already running, hand it the cookie file of the current
# (possibly ssh-forwarded) display before opening the frame; otherwise
# start XEmacs with gnuserv and wait until it answers.
if gnuclient -batch -eval t >/dev/null 2>&1
then
  # -n with the variable quoted: an unset or empty XAUTHORITY must skip
  # the merge rather than break the test.
  if [ -n "$XAUTHORITY" ]; then
    gnuclient -batch -f "shell-command \"xauth merge $XAUTHORITY\"" \
      >/dev/null 2>&1
  fi
  exec gnuclient -q ${1+"$@"}
else
  xemacs -unmapped -f gnuserv-start &
  until gnuclient -batch -eval t >/dev/null 2>&1
  do
    sleep 1
  done
  exec gnuclient -q ${1+"$@"}
fi

--
Chris Green
Let not the sands of time get in your lunch.

From vroonhof at math.ethz.ch Mon Nov 29 05:16:29 1999
From: vroonhof at math.ethz.ch (Jan Vroonhof)
Date: 28 Nov 1999 19:16:29 +0100
Subject: gnuclient X11 & openssh
In-Reply-To: Chris Green's message of "Sun, 28 Nov 1999 17:24:57 GMT"
References:

The following message is a courtesy copy of an article
that has been posted to comp.emacs.xemacs as well.

[This message has been CC'ed to the OpenSSH list in a plea to at least
consider supporting more advanced usages of Xauth]

Chris Green writes:

> It's not configurable behavior. It always generates a new random file
> in /tmp.

Then they should probably change that so that the user can specify a
file to use. I need several programs to cooperate so I need a fairly
central repository of cookies. It doesn't help if everybody starts using
their own files for that.

> possible cookies, or some unnamed solution. If gnuclient passes the
> credentials back to XEmacs via a unix socket everything is happy. My
> solution doesn't work if gnuclient is being launched and expecting to
> connect to XEmacs over an unencrypted tcp socket between machines.

The problem is that gnuclient possibly uses tcp sockets to connect to the
local machine too. Figuring out reliably whether an address is local is
something I would rather not get into.

> > Does openssh at the very least copy the other cookies from the old
> > authority file, so that gnuclients's own auth cookie will be found?
>
> I'm not sure I follow here. The other DISPLAY's Xauth stuff is in its
> own independent file and I don't believe there is any way for openssh to
> find out what the user's main XAUTHORITY is. They've designed openssh
> to be used in conjunction with local displays that also keep local
> cookies. I think the gnuclient / XEmacs communication is the only way
> one display can find out about the other.

The problem here is that gnuclient itself also uses Xauth cookies to
authenticate remote links. (It works by looking up the cookie for
server-address:99).
Consider the following scenario (which I use all the time):

Open an ssh tunnel from machine H to a machine A on the other network. Use gnuclient on A to tell an XEmacs running on B to connect to the A:10 fake display. For that gnuclient first needs the B:99 cookie to connect to gnuserver; however it cannot find it because the cookie is actually in ~/.Xauthority. It is no use trying to pass the A:10 cookie in the gnuserv session when you cannot connect to gnuserv in the first place.

Jan

From torake at hotmail.com Tue Nov 30 00:21:46 1999
From: torake at hotmail.com (Tor-Ake Fransson)
Date: Mon, 29 Nov 1999 13:21:46 GMT
Subject: openssh-1.2pre15 on AIX
Message-ID: <19991129132147.51381.qmail@hotmail.com>

Hi.

Pre15 compiles out-of-the-box on AIX 4.3.2 ...almost.

No patch included this time, but the following were the gotchas:

- The __P() prototyping doesn't work (as discussed earlier)
- bsd-daemon.o wasn't linked into libssh.a (though configure seemed to detect the need for it)

DCE patch will follow shortly.

Regards,
Tor-Åke

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From markus at openbsd.org Tue Nov 30 02:04:47 1999
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 29 Nov 1999 16:04:47 +0100
Subject: gnuclient X11 & openssh
In-Reply-To: ; from vroonhof@math.ethz.ch on Sun, Nov 28, 1999 at 07:16:29PM +0100
References:
Message-ID: <19991129160447.A21395@faui01.informatik.uni-erlangen.de>

On Sun, Nov 28, 1999 at 07:16:29PM +0100, Jan Vroonhof wrote:
> [This message has been CC'ed to the OpenSSH list in a plea to at least
> consider supporting more advanced usages of Xauth]

You also wrote:
> I don't like a solution that forces involvement of editclient.sh.
> gnuclient should work on its own. The reason I don't like openssh
> mucking around with the xauthority stuff so much is that the cleanest
> solution would be for gnuclient to pass the cookie from its
> environment to XEmacs, however that could also be along a nonencrypted
> connection which is worse than over the file system.
>
> Does openssh at the very least copy the other cookies from the old
> authority file, so that gnuclient's own auth cookie will be found?

openssh does not _muck_ around with the xauthority stuff. the openssh-server creates a fake cookie and places this fake cookie in /tmp/XauthXXXX. if an x11-client is started on this machine the cookie is read from the file, the x11-request is sent to the sshd, sshd forwards the request to the ssh-client, the ssh-client replaces the fake-cookie with the real cookie and sends the request to the x11-server.

the game with the fake-cookie is played in order to make the cookie saved on the server short-lived. so it makes no sense copying the long-lived cookies to the ssh-server.

can you provide detailed information on 'how' gnuclient works?

other than this, you can overwrite the behaviour with your own ~/.ssh/environment, see sshd(8).

-markus

From Nigel.Metheringham at VData.co.uk Tue Nov 30 02:29:37 1999
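The fake-cookie exchange Markus describes above, as an added example that is not part of this thread or of OpenSSH's own (C) code: it parses the X11 connection-setup request an X client sends, and does what the ssh client does with it, accepting the request only if it carries the server-side fake cookie and rewriting it in place with the real one. The cookie values and the display are constructed for the demonstration.

```python
import hmac
import struct

# The only authorization protocol the forwarding handles, as in OpenSSH.
AUTH_PROTO = b"MIT-MAGIC-COOKIE-1"


def _pad4(n):
    """X11 pads every variable-length field to a multiple of four bytes."""
    return (n + 3) & ~3


def parse_setup(buf):
    """Parse the X11 connection-setup request at the start of buf.

    Returns None while buf does not yet hold the complete request (the
    caller should read more and retry), raises ValueError on a malformed
    header, and otherwise returns a dict describing the request.
    """
    if len(buf) < 12:
        return None
    order = buf[0]
    if order == 0x42:          # 'B': most significant byte first
        fmt = ">HHHH"
    elif order == 0x6C:        # 'l': least significant byte first
        fmt = "<HHHH"
    else:
        raise ValueError("bad byte-order marker 0x%02x" % order)
    major, minor, name_len, data_len = struct.unpack(fmt, buf[2:10])
    name_off = 12
    data_off = name_off + _pad4(name_len)
    total = data_off + _pad4(data_len)
    if len(buf) < total:
        return None
    return {
        "major": major,
        "minor": minor,
        "name": bytes(buf[name_off:name_off + name_len]),
        "data_off": data_off,
        "data": bytes(buf[data_off:data_off + data_len]),
        "total": total,
    }


def build_setup(cookie, msb_first=False, name=AUTH_PROTO):
    """Build the connection-setup request an X client library sends when
    XAUTHORITY holds `cookie` for the target display."""
    fmt = ">HHHH" if msb_first else "<HHHH"
    header = bytes([0x42 if msb_first else 0x6C, 0])
    header += struct.pack(fmt, 11, 0, len(name), len(cookie)) + b"\0\0"
    body = name.ljust(_pad4(len(name)), b"\0")
    body += cookie.ljust(_pad4(len(cookie)), b"\0")
    return header + body


def substitute_cookie(buf, fake_cookie, real_cookie):
    """What the ssh client does with the first bytes of a forwarded X11
    connection: if the request authenticates with the fake cookie sshd
    wrote to /tmp/XauthXXXX, rewrite it to carry the real cookie and
    return the rewritten request; return None to reject anything else.
    """
    if len(real_cookie) != len(fake_cookie):
        # sshd generates the fake cookie with the real cookie's length,
        # so an in-place rewrite never changes the header's data length.
        raise ValueError("fake and real cookie must have the same length")
    req = parse_setup(buf)
    if req is None:
        raise ValueError("incomplete connection-setup request")
    if req["name"] != AUTH_PROTO:
        return None
    if len(req["data"]) != len(fake_cookie):
        return None
    if not hmac.compare_digest(req["data"], fake_cookie):
        return None
    off = req["data_off"]
    return bytes(buf[:off]) + real_cookie + bytes(buf[off + len(fake_cookie):])


if __name__ == "__main__":
    # Constructed cookies; real ones are 16 random bytes generated by xauth.
    fake = bytes(range(0x00, 0x10))
    real = bytes(range(0x10, 0x20))
    forwarded = substitute_cookie(build_setup(fake), fake, real)
    print("X server receives cookie:", parse_setup(forwarded)["data"].hex())
    print("other cookie accepted?",
          substitute_cookie(build_setup(real), fake, real) is not None)
```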
From: Nigel.Metheringham at VData.co.uk (Nigel Metheringham)
Date: Mon, 29 Nov 1999 15:29:37 +0000
Subject: ssh/openssh and X authentication
Message-ID:

I've currently got a couple of boxes which obtain their IP address via DHCP, and as a consequence do not have a mapping in /etc/hosts for their own IP/name... but helpfully (!) they have their name mapping to 127.0.0.1

This breaks X authentication... - openssh (and also ssh) makes an apparently valid xauth entry, but all attempts to start clients give "X11 connection rejected because of wrong authentication."

Hacking the DISPLAY & xauth entries to use the real IP address of the box, or even 127.0.0.2, works fine, so it appears that something (maybe outside ssh) is special-casing 127.0.0.1

Would it be possible to make sshd use the IP address of the local socket rather than the hostname to give to xauth? Alternatively, is there some good reason as to why 127.0.0.1 is not working?

I can do the coding on this - however I want to find out if there is a good reason for the current behaviour before making patches that get rejected (!).

Nigel.
--
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham                   Nigel.Metheringham at VData.co.uk ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]

From vroonhof at math.ethz.ch Tue Nov 30 04:03:54 1999
From: vroonhof at math.ethz.ch (Jan Vroonhof)
Date: Mon, 29 Nov 1999 18:03:54 +0100
Subject: gnuclient X11 & openssh
In-Reply-To: <19991129160447.A21395@faui01.informatik.uni-erlangen.de>; from Markus Friedl on Mon, Nov 29, 1999 at 04:04:47PM +0100
References:

> openssh does not _muck_ around with the xauthority stuff.
> the openssh-server creates a fake cookie and places this fake cookie
> in /tmp/XauthXXXX.

And it sets the XAUTHORITY variable to point there. The cookies file is a database where multiple cookies are stored. The normal ssh adds its cookie to this database. What openssh seems to do is to create a new database in /tmp/XauthXXXX and then point all the programs there through the XAUTHORITY environment variable. This works OK in normal situations where you only connect to one display and thus need the one cookie, but it is wrong in case one connects to multiple displays (and for this purpose the gnuserv program is just another display).

> the cookie saved on the server short-lived. so it makes no sense copying
> the long-lived cookies to the ssh-server.

No, I meant other cookies that could already exist on the server side.

> can you provide detailed information on 'how' gnuclient works?

There are two setups.

A: Unix domain sockets

1. XEmacs is started with gnuserver and normally with a frame open on a display, say A:0
2. gnuclient is started on the same machine. It reads its value of display, say A:10, and passes this down the socket.
3. XEmacs looks up the cookie for A:0 and opens the display

This fails in step 3 because OpenSSH has used its own cookie file and thus the value of XAUTHORITY is different in 2. from that when XEmacs was started in 1.

B: TCP/IP sockets

1. XEmacs is started with gnuserver and normally with a frame open on a display, say A:0. If this is on host H then gnuserv looks up the cookie for H:99 and starts listening on a specific port.
2. gnuclient is started (possibly on another machine).
   It looks up the value of H:99 and opens a socket to gnuserv at H and sends the cookie for H:99 down the socket.
3. Gnuserv at H compares the cookie it got from the client with its own value and if they match allows the connection.
4. Gnuclient reads its value of display, say B:10, and passes this down the socket.
5. XEmacs looks up the cookie for B:10 and opens the display

This fails at two points.

i. The cookie for H:99 will not be in /tmp/authXXXX if sshd didn't copy it and thus gnuserv will refuse the connection.
ii. As before, XEmacs will not be able to find the cookie for the B:10 display because it is not in the cookie file it sees.

Basically the fundamental problem is that openssh by default uses the Xauth file as a file with a single cookie instead of a database. There are also other cases (not involving gnuclient) where this causes problems. Openssh is breaking a fundamental property of the Xauth mechanism. The cases where this causes problems might be rare and the cause (enhanced security by default) may be good, but you should a. be aware that you are breaking it and b. it should be documented.

> other than this, you can overwrite the behaviour with your own
> ~/.ssh/environment, see sshd(8).

I looked at the manpage from www.openssh.org, but there

1. The specific behaviour of openssh isn't documented at all.
2. It isn't clear from the manpage that setting ~/.ssh/environment will work. If I set XAUTHORITY there, will sshd respect that?
3. From the manpage I get the impression that ~/.ssh/rc should be used instead.

Jan

From torake at hotmail.com Tue Nov 30 04:19:25 1999
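Jan's point that the Xauth file is a database of several cookies, and Chris Green's `xauth merge` workaround earlier in the thread, as an added example that is not part of the thread or of xauth itself: a parser and serializer for the ~/.Xauthority record format (big-endian family, then length-prefixed address, display number, auth name and data), a per-display lookup, and a merge with the replace-on-same-key semantics assumed for `xauth merge`. Host name, display numbers and cookie bytes are constructed, modelling the single-cookie file sshd writes for a forwarded :10 display next to a user's own file that also holds gnuserv's :99 cookie.

```python
import struct

# Address families as stored in the file (values from X11/Xauth.h).
FAMILY_INTERNET = 0      # address is the 4-byte IPv4 address
FAMILY_LOCAL = 256       # host/unix:N entries, address is the hostname
FAMILY_WILD = 65535      # matches any family and address

COOKIE_PROTO = b"MIT-MAGIC-COOKIE-1"


def _read_field(buf, off):
    """Read one 16-bit big-endian length-prefixed field; reject truncation."""
    if off + 2 > len(buf):
        raise ValueError("truncated Xauthority record at offset %d" % off)
    (n,) = struct.unpack(">H", buf[off:off + 2])
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated Xauthority field at offset %d" % off)
    return bytes(buf[off:off + n]), off + n


def parse_xauthority(buf):
    """Return the list of (family, address, number, name, data) entries."""
    entries = []
    off = 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated family at offset %d" % off)
        (family,) = struct.unpack(">H", buf[off:off + 2])
        off += 2
        address, off = _read_field(buf, off)
        number, off = _read_field(buf, off)
        name, off = _read_field(buf, off)
        data, off = _read_field(buf, off)
        entries.append((family, address, number, name, data))
    return entries


def serialize_xauthority(entries):
    """Inverse of parse_xauthority."""
    out = bytearray()
    for family, address, number, name, data in entries:
        out += struct.pack(">H", family)
        for field in (address, number, name, data):
            out += struct.pack(">H", len(field)) + field
    return bytes(out)


def lookup(entries, family, address, number, name=COOKIE_PROTO):
    """Find the cookie a client would present for display address:number;
    a FamilyWild entry matches any family and address."""
    for fam, addr, num, nam, data in entries:
        if fam != FAMILY_WILD and (fam != family or addr != address):
            continue
        if num != number or nam != name:
            continue
        return data
    return None


def merge(base, extra):
    """Merge `extra` into `base` as `xauth merge` is assumed to: an entry
    with the same (family, address, number, name) replaces the existing
    one, every other entry of base is kept, new ones are appended."""
    merged = list(base)
    for entry in extra:
        for i, cur in enumerate(merged):
            if cur[:4] == entry[:4]:
                merged[i] = entry
                break
        else:
            merged.append(entry)
    return merged


def sample_files():
    """Constructed files: the user's ~/.Xauthority on host A (local :0
    and gnuserv's :99 pseudo-display) and sshd's /tmp/XauthXXXX holding
    only the fake cookie for the forwarded :10 display."""
    home = [
        (FAMILY_LOCAL, b"A", b"0", COOKIE_PROTO, bytes(range(0x10, 0x20))),
        (FAMILY_LOCAL, b"A", b"99", COOKIE_PROTO, bytes(range(0x20, 0x30))),
    ]
    sshd = [
        (FAMILY_LOCAL, b"A", b"10", COOKIE_PROTO, bytes(range(0x30, 0x40))),
    ]
    return serialize_xauthority(home), serialize_xauthority(sshd)


if __name__ == "__main__":
    home_buf, sshd_buf = sample_files()
    home, sshd = parse_xauthority(home_buf), parse_xauthority(sshd_buf)
    # Under sshd's XAUTHORITY the gnuserv cookie is invisible ...
    print("A:99 seen via sshd file:", lookup(sshd, FAMILY_LOCAL, b"A", b"99"))
    # ... and after `xauth merge` into the user's file both are present.
    merged = merge(home, sshd)
    print("A:10 after merge:", lookup(merged, FAMILY_LOCAL, b"A", b"10").hex())
```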
From: torake at hotmail.com (Tor-Ake Fransson)
Date: Mon, 29 Nov 1999 17:19:25 GMT
Subject: [PATCH] DCE for pre15
Message-ID: <19991129171925.11737.qmail@hotmail.com>

As promised, here's the DCE patch for pre15. (and this time I didn't forget the attachment ;)

It enables ssh to authenticate, set groups and attach network credentials. It's a clean implementation (I left out the credential-move-hack).

This one adds the --with-dce option to configure.

Some notes have arisen:

The for loop 3->64 closing fd's... is it really needed? Is it solaris endgrent() that leaves fd's? I get a hang on closing fd 12 and 16.

I'm using sec_des_generate_random_block() to create entropy, so if you have DCE, you don't need EGD. Thoughts on that?

Regards,
Tor-Åke

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-1.2pre15-DCE.diff.gz
Type: application/octet-stream
Size: 9967 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991129/896bf2f2/attachment.obj

From mfisk at lanl.gov Tue Nov 30 04:45:49 1999
From: mfisk at lanl.gov (Mike Fisk)
Date: Mon, 29 Nov 1999 17:45:49 +0000 (GMT)
Subject: Food for thought regarding PAM
Message-ID:

I'm new to this list, so please forgive me if this has been discussed before.

It appears that one of the (commendable) design goals of OpenSSH is to re-use existing open-source libraries wherever possible in order to simplify the OpenSSH code and hopefully improve security in the process.

As exhibited by the current, non-open SSH, supporting all of the nuances of authentication and logins on multiple platforms creates a lot of cases to be handled by the code.

Would it not be more productive in the long run to create PAM modules that support all the various forms of authentication and logins? Then you can keep the SSH code simple, re-use existing vendor and open-source modules, and contribute to the set of open-source modules?

It is true that PAM is not present on many platforms, but I presume that PAM could be ported to any system that supports dynamic linking and, if necessary, could even be statically linked.

Again, it may not be the quickest path, but it might be more productive in the long run.

=====================================================================
Mike Fisk                   | (505)667-5119 | MS B255
Network Engineering (CIC-5) |               | Los Alamos National Lab
mfisk at lanl.gov           | FAX: 665-7793 | Los Alamos, NM 87545

From bent at clark.net Tue Nov 30 05:44:02 1999
From: bent at clark.net (Ben Taylor)
Date: Mon, 29 Nov 1999 13:44:02 -0500 (EST)
Subject: [PATCH] DCE for pre15
In-Reply-To: <19991129171925.11737.qmail@hotmail.com>
Message-ID:

On Mon, 29 Nov 1999, Tor-Ake Fransson wrote:

> Some notes have arisen:
>
> The for loop 3->64 closing fd's... is it really needed? Is it solaris
> endgrent() that leaves fd's? I get a hang on closing fd 12 and 16.

Actually, if you're going to close all the file descriptors, you should probably use getrlimit for the number of file descriptors, and loop with that value. The number of file descriptors is a totally configurable number.

Ben

From patrick.novak at po.state.ct.us Tue Nov 30 07:23:53 1999
From: patrick.novak at po.state.ct.us (patrick.novak at po.state.ct.us)
Date: Mon, 29 Nov 1999 15:23:53 -0500
Subject: [s-x86] Re: OpenSSH 1.2pre14 fails on pam_open_session() ...
In-Reply-To: <199911221903.LAA10577@shell3.ba.best.com>

On Mon, 22 Nov 1999, Philip Brown wrote:

> [ Marc G. Fournier writes ]
> > debug("PAM_retval(open_session) about to run");
> > pam_retval = pam_open_session((pam_handle_t *)pamh, 0);
> >
> > ===========================================
> >
> > so, it's looking like I'm authenticated properly, but when trying to set up
> > the whole environment, it's failing...? anyone know how I should go about
> > debugging this?
>
> well it's obviously blowing up on pam_open_session, so you need to validate
> your "pamh" handle somehow.

thank you, and how would one do this? considering that my 'pamh' handle is being used three times prior to that, in:

pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, remote_host);
pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user);
pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0);

all in the same function, I would have thought that this would have been okay... all of the above go through successfully...

my only real "reference" for PAM is wu-ftpd, in which the pam authentication stuff all works, but the pam_* functions that wu-ftpd uses don't appear to be even close to what is used in sshd.c :(

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From torake at hotmail.com Tue Nov 30 09:35:59 1999
From: torake at hotmail.com (Tor-Ake Fransson)
Date: Mon, 29 Nov 1999 22:35:59 GMT
Subject: Food for thought regarding PAM
Message-ID: <19991129223559.35089.qmail@hotmail.com>

Despite the fact that I have written pam modules, I am not sure about how it really works, and how it would work in this case. ;)

I like the idea of modularizing the authentication, though.

But... what happens in the special case where you have to pass some strange data, like a login context?

Example: DCE on AIX login algorithm:

1) authenticate, certify and validate. This gives you a login context
2) from the login context apprehended in 1), extract group information and set groups
3) throw away the login context apprehended in 1)
4) set uid
5) authenticate with new uid to get a login context. Attach this login context to the process to get network credentials.
6) set up the environment (kerberos ticket data access is in the environment)
7) exec() the shell

And even worse, doing an RSA authentication:

1) Somehow transfer your local credentials to the server to enable accessing the public key (can be done with an ugly hack at least, I haven't investigated further yet -- I know one thing, machine root usually doesn't (and shouldn't!) automatically have access to users' files)
2) Try RSA authentication
3) set uid while retaining credentials
4) exec() the shell

Unless I suffer from total misconception, I think we (at least I) would end up plowing down work in a number of pam modules of virtually no use to the community.

Just my $0.02.

Regards,
Tor-Åke Fransson
CAE Systems, Scania CV
From djm at mindrot.org Tue Nov 30 10:12:12 1999
From: djm at mindrot.org (Damien Miller)
Date: Tue, 30 Nov 1999 10:12:12 +1100 (EST)
Subject: openssh-1.2pre15 on AIX
In-Reply-To: <19991129132147.51381.qmail@hotmail.com>
Message-ID:

On Mon, 29 Nov 1999, Tor-Ake Fransson wrote:

> Hi.
>
> Pre15 compiles out-of-the-box on AIX 4.3.2 ...almost.
>
> No patch included this time, but the following were the gotchas:
>
> - The __P() prototyping doesn't work (as discussed earlier)
> - bsd-daemon.o wasn't linked into libssh.a (though configure seemed to
>   detect the need for it)

These are both fixed in the next release. For now, add:

#ifndef __P
# define __P(x) x
#endif

to the end of config.h.in and add 'bsd-daemon.o' to the 'libssh.a:' line of Makefile.in and re-run configure.

> DCE patch will follow shortly.

Can you explain this to a DCE-illiterate (me!)?

Thanks,
Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From bent at clark.net Tue Nov 30 10:12:22 1999
From: bent at clark.net (Ben Taylor)
Date: Mon, 29 Nov 1999 18:12:22 -0500 (EST)
Subject: [s-x86] Re: OpenSSH 1.2pre14 fails on pam_open_session() ...
In-Reply-To: <199911292030.PAA04085@smtp-gw.vma.verio.net>
Message-ID:

On Mon, 29 Nov 1999 patrick.novak at po.state.ct.us wrote:

> On Mon, 22 Nov 1999, Philip Brown wrote:
>
> > [ Marc G. Fournier writes ]
> > > debug("PAM_retval(open_session) about to run");
> > > pam_retval = pam_open_session((pam_handle_t *)pamh, 0);
> > >
> > > ===========================================
> > >
> > > so, it's looking like I'm authenticated properly, but when trying to set up
> > > the whole environment, it's failing...? anyone know how I should go about
> > > debugging this?
> >
> > well it's obviously blowing up on pam_open_session, so you need to
> > validate your "pamh" handle somehow.
>
> thank you, and how would one do this? considering that my 'pamh' handle
> is being used three times prior to that, in:
>
> pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, remote_host);
> pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user);
> pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0);
>
> all in the same function, I would have thought that this would have been
> okay... all of the above go through successfully...

I did a whole lot of reading on PAM, on how Sun managed to ignore the DCE standard for PAM (see the error message as an example), the configuration files, the libraries, the works. Got some really funky cores when I handed the config file a line about 10 lines long.

I'm pretty comfortable about what the issue is, and it's Sun. I don't think anything is using the session manager, but they are using auth, account and password. The fact that the code is so similar and executed the same way indicates a problem in the library. I tried using some of the other libraries and did not get a seg fault, so it has to be pam_open_session in pam_unix.so.1.
I opened a support call with Sun today, and boy wasn't that fun. I finally told the support guy all I wanted was a debug version of pam_unix.so.1. I'll see what they do with that.

Anyone know how to get sshd to actually produce a core file? I know it's not supposed to, but it should probably do so during a debug session.

> my only real "reference" for PAM is wu-ftpd, in which the pam
> authentication stuff all works, but the pam_* functions that wu-ftpd uses
> don't appear to be even close to what is used in sshd.c :(

The difference is the session management. It's not properly being handled. Did anyone notice that pam_close_session is a null function, at least according to Sun's documentation?

Ben

From markus at openbsd.org Tue Nov 30 10:12:38 1999
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 30 Nov 1999 00:12:38 +0100
Subject: Food for thought regarding PAM
In-Reply-To:
References:
Message-ID: <19991130001238.A2942@folly.informatik.uni-erlangen.de>

On Mon, Nov 29, 1999 at 05:45:49PM +0000, Mike Fisk wrote:
> Would it not be more productive in the long run to create PAM modules that
> support all the various forms of authentication and logins? Then you can
> keep the SSH code simple, re-use existing vendor and open-source modules,
> and contribute to the set of open-source modules?

fyi, there are different opinions on PAM. this is from the lsh-distribution:

-------------------------------------------------------------------------
NO PAM SUPPORT

I spent a day reading the PAM documentation. My conclusion was that PAM is not at all suited for handling ssh user authentication. There are three main problems, the first two of which would be show-stoppers for any SSH server, while the last is a problem that affects servers like lshd which doesn't fork() for each connection.

(i) The design of PAM is to hide all details about the actual authentication methods used, and that the application should never know anything about that. However, ssh user authentication is about particular authentication methods. When the client asks which authentication methods can be used, the server should be able to tell it, for example, whether or not password authentication is acceptable. When the client tries the password authentication method, no other method should be invoked. But PAM won't let the server know or control such details. This problem excludes using PAM for anything but simple password authentication.

(ii) PAM wants to talk directly to the user, to ask for passwords, request password changes, etc. These messages are not abstracted *at* *all*, PAM gives the application a string and some display hints, and expects a string back as the user's response.
This mode of operation doesn't fit with the ssh user-authentication protocol. If PAM would tell the ssh server that it wanted the user to choose a new password, for instance, the server could send the appropriate message, SSH_MSG_USERAUTH_PASSWD_CHANGEREQ, to the client, and pass any response back to PAM. But PAM refuses to tell the application what it really wants the user to do, and therefore there's no way the server can map PAM's messages to the appropriate SSH packets. This problem excludes using PAM for password authentication.

(iii) The PAM conversation function expects the server to ask the user some question, block until a response is received, and then return the result to PAM. That is very unfriendly to a server using a select() loop to manage many simultaneous tasks. This problem by itself does not exclude using PAM for a traditional accept(); fork()-style server, but it is completely unacceptable for lshd.

From mfisk at lanl.gov Tue Nov 30 10:18:19 1999
From: mfisk at lanl.gov (Mike Fisk)
Date: Mon, 29 Nov 1999 23:18:19 +0000 (GMT)
Subject: Food for thought regarding PAM
In-Reply-To: <19991129223559.35089.qmail@hotmail.com>
Message-ID:

I'm only now delving into issues such as ticket passing with PAM. There is a mentioned but undocumented part of the PAM conversation mechanism in the current Linux-PAM documentation that mentions PAM_BINARY_PROMPT and PAM_BINARY_MSG for this kind of problem. The following note in the pam-list archives says that it was developed by Andrew Morgan and Andrey Vladimirovich with SSH in mind. Andrew's patches to SSH are at:

http://www.kernel.org/pub/linux/libs/pam/pre/applications/ssh-patch-0.90.tar.gz

Unfortunately, those patches aren't compatible with the existing SSH protocol messages for Kerberos, RSA, etc.

Even if we can't find a nice way to do credential-based authentication, it would still be useful for password-based authentications (all the junk in auth-passwd.c) and the platform-specific login code in sshd.c.

On Mon, 29 Nov 1999, Tor-Ake Fransson wrote:

> Despite the fact that i have written pam modules, i am not sure about how it
> really works, and how it would work in this case. ;)
>
> I like the idea of modularizing the authentication, though.
>
> But... what happens in the special case where you have to pass some strange
> data, like a login context?
>
> Example: DCE on AIX logging in algorithm:

=====================================================================
Mike Fisk                   | (505)667-5119 | MS B255
Network Engineering (CIC-5) |               | Los Alamos National Lab
mfisk at lanl.gov           | FAX: 665-7793 | Los Alamos, NM 87545

From patrick.novak at po.state.ct.us Tue Nov 30 07:23:50 1999
From: patrick.novak at po.state.ct.us (patrick.novak at po.state.ct.us)
Date: Mon, 29 Nov 1999 15:23:50 -0500
Subject: [s-x86] Re: [solaris 7 patch] resubmit and extended ...
In-Reply-To:

On Fri, 19 Nov 1999, Marc G. Fournier wrote:

I have merged most of your changes, and included autoconf support for detecting and automatically defining u_intXX_t.

Can you try out the attached patch to see if it helps.

Regards,
Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

(See attached file: openssh-1.2pre13.diff)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-1.2pre13.diff
Type: application/octet-stream
Size: 8484 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991129/da390709/attachment.obj

From djm at mindrot.org Tue Nov 30 11:23:34 1999
From: djm at mindrot.org (Damien Miller)
Date: Tue, 30 Nov 1999 11:23:34 +1100 (EST)
Subject: Openssh 1.2pre15: Command terminated on sig. 11
In-Reply-To:
Message-ID:

On Sat, 27 Nov 1999, Robert Hardy wrote:

> A bug has found its way into Openssh-1.2pre15. It has forced us to downgrade
> to pre14.

I haven't been able to replicate this bug yet.

> This is what shows up in the server logs:
> sshd[3195]: fatal: Disconnecting: Command terminated on signal 11.

This message is the exit status of the child program run by the server (usually a user's shell).

> I have attached an strace of the server which was turned on while sshd
> was sitting at the password prompt.

sshd appears to behave normally here - it might however be doing something to upset the child.

Are you attempting to log in or attempting to execute a specific program?

Can you enable "LogLevel debug" in both the server and the client and execute "ssh brokenhost 'wait 10'"?

Thanks,
Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From torake at hotmail.com Tue Nov 30 21:53:05 1999
From: torake at hotmail.com (Tor-Ake Fransson)
Date: Tue, 30 Nov 1999 10:53:05 GMT
Subject: openssh-1.2pre15 on AIX
Message-ID: <19991130105306.78901.qmail@hotmail.com>

Damien,

As you probably realize, I solved those problems in order to be able to create a new DCE patch. I kept those changes out of the DCE patch though.

An explanation of what needs to be done to log on to DCE was included in my response to 'Food for thought regarding PAM'.

Some background to why you need special actions for DCE:

On systems where you use DCE and DFS, you replace the whole authentication system with DCE. The authentication is kerberos 5 based, with some extra whohah. Local users are just local users, and have no credentials what-so-ever to access DFS (distributed filesystem).

For establishing a working login you need a thing called network credentials. Those are established by fetching a TGT (ticket granting ticket) from a security server, which holds all account information and validates your password. Holding the TGT you can acquire a credential ticket, giving you network credentials (access to the local machine, and access to DFS).

All the network traffic is encrypted, and the whole thing is hidden in the dce runtime libraries. All you have to do in an application is call some DCE runtime routines and take care of the login context this gives you. The login context is invisibly attached to your process, until you either purge it or do a setuid().

For more information, see e.g. the online DCE documentation at http://www.tks.buffalo.edu/dce/Trandocs/online-doc/dce/

Feel free to forward this to the mailing list if you think there are people that might find interest in this.

Regards,
Tor-Åke