From mw at moni.msci.memphis.edu Sat Apr 1 03:27:18 2000 From: mw at moni.msci.memphis.edu (Mate Wierdl) Date: Fri, 31 Mar 2000 11:27:18 -0600 Subject: OpenSSH-1.2.3: More info on ulimit problem In-Reply-To: <20000331050425.A14785@quipu.earth>; from jmknoble@pobox.com on Fri, Mar 31, 2000 at 05:04:25AM -0500 References: <20000330062356.C5614@quipu.earth> <20000331050425.A14785@quipu.earth> Message-ID: <20000331112718.B22322@moni.msci.memphis.edu> On Fri, Mar 31, 2000 at 05:04:25AM -0500, Jim Knoble wrote: > Hmmm ... this is interesting: > > $ sudo which sshd > /usr/sbin/sshd > $ ident /usr/sbin/sshd |grep pam > $ Using the official rpm: ident /usr/sbin/sshd |grep pam $Id: auth-pam.c,v 1.2 2000/01/26 23:55:38 damien Exp $ > > Also interesting: > > $ strings /usr/sbin/sshd |grep pam > libpam.so.0 > $ strings /usr/sbin/sshd |grep pam libpam.so.0 pam_set_item pam_strerror pam_end pam_start pam_acct_mgmt pam_authenticate pam_setcred pam_open_session pam_close_session pam_getenvlist @(#)$Id: auth-pam.c,v 1.2 2000/01/26 23:55:38 damien Exp $ Mate From tech at studsys.mscs.mu.edu Sat Apr 1 03:41:48 2000 
From: tech at studsys.mscs.mu.edu (Robert Dubinski) Date: Fri, 31 Mar 2000 11:41:48 -0600 Subject: /etc/urandom and Solaris In-Reply-To: ; from djm@mindrot.org on Wed, Mar 29, 2000 at 02:45:18PM +1000 References: <38E187B6.67156027@boeing.com> Message-ID: <20000331114148.A14977@studsys.mscs.mu.edu> > On Wed, Mar 29, 2000 at 02:45:18PM +1000, Damien Miller wrote: > If you can find a URL from which the package can be downloaded I > would love to include it in the docs. SUNWski is packed in with the SSL-version of the Sun WebServer. It might also come as a larger collection of servers like Netra J. Lastly, it's in patches for the Webserver, such as 105710, 106754, 106755 and 106756. Those patches are only reachable to contract customers, so if you have a contract you're in good shape. Else, call up your local Sun office and ask. Hope this info helps, -Robb -- - Robert S. Dubinski, Comp. Systems Tech for MSCS Dept, Marquette University - - Email me: tech at mscs.mu.edu Home page at: http://www.mscs.mu.edu/~tech - - I can use GPG-encrypted email. My 1024-bit public key is at my website - - GPG Key fingerprint = 6612 1A01 7A93 D79B 4C89 336E 592B DB76 61FB C156 - From bole at falcon.etf.bg.ac.yu Sat Apr 1 05:39:53 2000 From: bole at falcon.etf.bg.ac.yu (Bosko Radivojevic) Date: Fri, 31 Mar 2000 21:39:53 +0200 (CEST) Subject: openssh & wtmp In-Reply-To: Message-ID: Hello I have openssh 1.2.3, openssl 0.9.5 and slackware 4.0, and problem with logging to wtmp. There is nothing in my /var/log/wtmp when I log in using ssh. lastlog is updated ok. Some ideas? Bye From tech at studsys.mscs.mu.edu Sat Apr 1 06:45:29 2000 
From: tech at studsys.mscs.mu.edu (Robert Dubinski)
Date: Fri, 31 Mar 2000 14:45:29 -0600
Subject: Problems building host keys on some SPARCs
In-Reply-To: <20000217110244.A748@studsys.mscs.mu.edu>; from tech@mscs.mu.edu on Thu, Feb 17, 2000 at 11:02:44AM -0600
References: <20000217110244.A748@studsys.mscs.mu.edu>
Message-ID: <20000331144529.A173@studsys.mscs.mu.edu>

Hey, I get to answer my own question! This is for the list archives should anyone else encounter this problem like I did:

On Thu, Feb 17, 2000 at 11:02:44AM -0600, MSCS Technician wrote:
> I've compiled openssh 1.2.2 on Solaris 7/SPARC. On most hosts, things
> are fine. I get EGD going, compile openssh, and I can then generate
> hostkeys as described in the INSTALL file to get things running.
>
> On a few hosts though, the keygen fails like this:
>
> root at sylow:/source/USR_LOCAL/OFFICIAL/OPENSSH/ssh_client# ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N ''
> ksh: ssh-keygen: cannot execute
>
> or fail like this:
>
> root at sylow:/source/USR_LOCAL/OFFICIAL/OPENSSH/ssh_client# cat build_host_key
> /usr/local/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N ''
> root at sylow:/source/USR_LOCAL/OFFICIAL/OPENSSH/ssh_client# sh build_host_key
> /usr/local/bin/ssh-keygen: syntax error at line 1: `(' unexpected
>
> These same invocations work fine on most of our other systems.
>
> Info on the system above:
> root at sylow:/source/USR_LOCAL/OFFICIAL/OPENSSH/ssh_client# uname -a
> SunOS sylow 5.7 Generic_106541-07 sun4m sparc SUNW,SPARCstation-20
>
> The only thing different I can see here is that the working systems
> are Ultra class machines, and the non-working ones are SparcStations.

The problem here was that the SSL library wasn't being found. Clean compiles on the affected machine brought this to light. I added the --with-ssl-dir=PATH directive to OpenSSH's configure, but that was no good. I then rebuilt the OpenSSL lib on one of the affected machines, then rebuilt OpenSSH and all is now well.
Also for Solaris, I too can verify the /dev/random from the SUNWski package works great, and is much faster than using the EGD entropy pool was. -Robb - Robert S. Dubinski, Comp. Systems Tech for MSCS Dept, Marquette University - - Email me: tech at mscs.mu.edu Home page at: http://www.mscs.mu.edu/~tech - - I can use GPG-encrypted email. My 1024-bit public key is at my website - - GPG Key fingerprint = 6612 1A01 7A93 D79B 4C89 336E 592B DB76 61FB C156 - From nolte at post.rwth-aachen.de Sat Apr 1 07:54:57 2000 From: nolte at post.rwth-aachen.de (Theo Nolte) Date: Fri, 31 Mar 2000 23:54:57 +0200 Subject: [PATCH] empty shell in /etc/passwd Message-ID: <20000331235457.A26027@adsl-nolte1.rz.RWTH-Aachen.DE> The Linux/Unix-port of OpenSSH-1.2.3 in sshd.c:allowed_user() denies Login to users with an empty shell-field in /etc/passwd. According to the docs this is wrong and an empty shell-field should default to /bin/sh. I'm sure that this is what was intended, because code and comment get it right in sshd.c:do_child(): * Get the shell from the password data. An empty shell field is * legal, and means /bin/sh. A patch is attached. Cheers, Theo -------------- next part -------------- diff -Naur openssh-1.2.3-dist/sshd.c openssh-1.2.3/sshd.c --- openssh-1.2.3-dist/sshd.c Fri Mar 31 23:04:10 2000 +++ openssh-1.2.3/sshd.c Fri Mar 31 23:24:21 2000 @@ -1121,6 +1121,7 @@ struct stat st; struct group *grp; int i; + char*shell; #ifdef WITH_AIXAUTHENTICATE char *loginmsg; #endif /* WITH_AIXAUTHENTICATE */ @@ -1129,8 +1130,9 @@ if (!pw) return 0; - /* deny if shell does not exists or is not executable */ - if (stat(pw->pw_shell, &st) != 0) + /* deny if shell is not executable, empty shell defaults to /bin/sh */ + shell = pw->pw_shell[0] ? _PATH_BSHELL : pw->pw_shell; + if (stat(shell, &st) != 0) return 0; if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) return 0; From jeckstei at rutcor.rutgers.edu Sat Apr 1 08:24:01 2000 
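Review bot: in the first hunk, `char*shell;` wants a space (`char *shell;`), and since the variable only ever points at existing strings it can be `const char *shell;`, which also stops a later careless write through it from compiling.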
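Review bot: the ternary in the second hunk is backwards. `shell = pw->pw_shell[0] ? _PATH_BSHELL : pw->pw_shell;` selects /bin/sh exactly when the shell field is non-empty and keeps the empty string when it is empty, so stat("") still fails and empty-shell users are still refused, while every account with a real shell is now validated against /bin/sh instead of its own shell (an account whose shell is missing or non-executable would be let through). The branches need swapping: `shell = pw->pw_shell[0] ? pw->pw_shell : _PATH_BSHELL;`.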
From: jeckstei at rutcor.rutgers.edu (Jonathan Eckstein) Date: Fri, 31 Mar 2000 17:24:01 -0500 Subject: OpenSSH's ssh daemon and X11 event forwarding Message-ID: <38E52580.3B452F19@rutcor.rutgers.edu> I just installed OpenSSH under Solaris 7. It seems to work. However, when I connect to it using a PC running F-Secure SSH, I notice that the DISPLAY variable is not set, as it is when I use the same PC software to connect to other systems supporting SSH. How do I know whether or not tunneling of X windows traffic through ssh is happening or not? Is there anything special you have to do to get OpenSSH's sshd to handle forwarding of X events? I tried looking at the sshd man page, but it prints as one single, gigantic paragraph, making it a bit hard to find things. Thanks, Jonathan -- Associate Professor Jonathan Eckstein MSIS Department, Faculty of Management, Rutgers University TEACHING ADDRESS RESEARCH ADDRESS +------------------------------+--------------------------------+ | 255 J.H. Levin Building | RUTCOR, Room 148 | | 94 Rockafeller Road | 640 Bartholomew Road | | Livingston Campus | Busch Campus | | Rutgers University | Rutgers University | | Piscataway, NJ 08854 USA | Piscataway, NJ 08854 USA | | (732) 445-0510 | (732) 445-3596 | | FAX (732) 445-6329 | FAX (732) 445-5472 | +------------------------------+--------------------------------+ jeckstei at rutcor.rutgers.edu http://rutcor.rutgers.edu:80/~jeckstei/ From jmknoble at pobox.com Sat Apr 1 08:29:23 2000 
From: jmknoble at pobox.com (Jim Knoble) Date: Fri, 31 Mar 2000 17:29:23 -0500 Subject: OpenSSH's ssh daemon and X11 event forwarding In-Reply-To: <38E52580.3B452F19@rutcor.rutgers.edu>; from Jonathan Eckstein on Fri, Mar 31, 2000 at 05:24:01PM -0500 References: <38E52580.3B452F19@rutcor.rutgers.edu> Message-ID: <20000331172923.A12264@ntrnet.net> OpenSSH ships with X11 forwarding off in both the server and the client by default, to conform to the security model of 'if you need it, turn it on explicitly'. You can turn X11 forwarding on in the server using: X11Forwarding yes in /etc/ssh/sshd_config. (Note that setting it to 'no' doesn't necessarily improve security, since users can set up their own forwarding.) For the OpenSSH client, you can either start the client with 'ssh -X', or you can put, for example: Host somewhere.example.com *.internal.example.com ForwardX11 yes in ~/.ssh/config. There ought to be preformatted man pages (e.g., sshd.0) included in the OpenSSH-1.2.3 source tarball. -- jim knoble jmknoble at pobox.com P? 2000-Mar-31 klokka 17:24:01 -0500 skrivet Jonathan Eckstein: : I just installed OpenSSH under Solaris 7. It seems to work. However, : when I connect to it using a PC running F-Secure SSH, I notice that the : DISPLAY variable is not set, as it is when I use the same PC software to : connect to other systems supporting SSH. How do I know whether or not : tunneling of X windows traffic through ssh is happening or not? Is : there anything special you have to do to get OpenSSH's sshd to handle : forwarding of X events? I tried looking at the sshd man page, but it : prints as one single, gigantic paragraph, making it a bit hard to find : things. From djm at mindrot.org Sat Apr 1 08:40:10 2000 
From: djm at mindrot.org (Damien Miller) Date: Sat, 1 Apr 2000 08:40:10 +1000 (EST) Subject: openssh & wtmp In-Reply-To: Message-ID: On Fri, 31 Mar 2000, Bosko Radivojevic wrote: > Hello > > I have openssh 1.2.3, openssl 0.9.5 and slackware 4.0, and problem > with logging to wtmp. There is nothing in my /var/log/wtmp when I > log in using ssh. lastlog is updated ok. wtmp logging has been broken on the older Slackwares for a while, but I have not been able to replicate it. Have a look contrib/README and give liblogin a try. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From nolte at post.rwth-aachen.de Sat Apr 1 09:17:14 2000 From: nolte at post.rwth-aachen.de (Theo Nolte) Date: Sat, 1 Apr 2000 01:17:14 +0200 Subject: [PATCH] Correction empty shell-field patch Message-ID: <20000401011714.A31918@adsl-nolte1.rz.RWTH-Aachen.DE> Sorry - my previous patch was bad. Here is the corrected one. Cheers, Theo -------------- next part -------------- diff -Naur openssh-1.2.3-dist/sshd.c openssh-1.2.3/sshd.c --- openssh-1.2.3-dist/sshd.c Fri Mar 31 23:04:10 2000 +++ openssh-1.2.3/sshd.c Fri Mar 31 23:24:21 2000 @@ -1121,6 +1121,7 @@ struct stat st; struct group *grp; int i; + char*shell; #ifdef WITH_AIXAUTHENTICATE char *loginmsg; #endif /* WITH_AIXAUTHENTICATE */ @@ -1129,8 +1130,9 @@ if (!pw) return 0; - /* deny if shell does not exists or is not executable */ - if (stat(pw->pw_shell, &st) != 0) + /* deny if shell is not executable, empty shell defaults to /bin/sh */ + shell = pw->pw_shell[0] ? pw->pw_shell : _PATH_BSHELL; + if (stat(shell, &st) != 0) return 0; if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) return 0; From mouring at pconline.com Sat Apr 1 10:22:35 2000 
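Review bot: the first hunk introduces a use of _PATH_BSHELL without adding an include for it. On the systems that define it, it lives in <paths.h>, and a number of the platforms this port targets do not define it at all, so the second hunk will fail to compile there. Either `#include <paths.h>` under the appropriate configure test or add a guarded fallback (`#ifndef _PATH_BSHELL` / `#define _PATH_BSHELL "/bin/sh"` / `#endif`) to defines.h. Same cosmetic point as before: `char*shell;` should be `const char *shell;`.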
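Review bot: the second hunk now has the selection right, and it matches what do_child() documents, so the account that passes allowed_user() is checked against the same shell it will be given. Two pre-existing points in the unchanged context line below the change are worth fixing while touching this code: `st.st_mode & S_IFREG` is not a regular-file test, because S_IFREG is a value of the S_IFMT field rather than a flag bit (a socket's mode, for example, also has that bit set); `S_ISREG(st.st_mode)` is the correct test. And `st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)` accepts a shell that is executable by anyone at all, not necessarily by this user, so it is a coarse sanity filter rather than an access check; the comment should say so.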
From: mouring at pconline.com (Ben Lindstrom) Date: Fri, 31 Mar 2000 18:22:35 -0600 (CST) Subject: [PATCH] Correction empty shell-field patch In-Reply-To: <20000401011714.A31918@adsl-nolte1.rz.RWTH-Aachen.DE> Message-ID: A nice #ifndef _PATH_BSHELL #define _PATH_BSHELL "/bin/sh" #endif would be a nice addition in the defines.h and/or a search in the ./configure script for /bin/sh. Since not all platforms define a _PATH_BSHELL. Lucky for me NeXT's sh is standard and is in /bin/sh =) On Sat, 1 Apr 2000, Theo Nolte wrote: > Sorry - my previous patch was bad. Here is the corrected one. > > Cheers, Theo > From vicki21 at iname.com Sat Apr 1 05:50:47 2000 
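As an added example (not OpenSSH's sshd.c, and not code from anyone in this thread), here is the allowed_user() shell test written the way the corrected patch plus Ben's fallback define would have it: an empty field means /bin/sh, _PATH_BSHELL is taken from <paths.h> with a guarded fallback for platforms that lack it, and the file is checked with S_ISREG() rather than a bit test against S_IFREG. The sample paths in main() are arbitrary choices for demonstration.

```c
#include <paths.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Not every platform defines _PATH_BSHELL in <paths.h>; fall back to
 * /bin/sh, which is what an empty passwd shell field means anyway. */
#ifndef _PATH_BSHELL
#define _PATH_BSHELL "/bin/sh"
#endif

/* Resolve the login shell the way do_child() documents it: an empty
 * pw_shell field is legal and means /bin/sh.  A NULL field (some libc
 * implementations return one) is treated the same way. */
const char *effective_shell(const char *pw_shell)
{
    if (pw_shell == NULL || pw_shell[0] == '\0')
        return _PATH_BSHELL;
    return pw_shell;
}

/* Return 1 if the account's shell is a regular file with at least one
 * execute bit set, 0 otherwise.  This is the allowed_user() check with
 * the empty-shell default applied before stat() runs.  The execute-bit
 * test is a coarse filter: "executable by somebody", not "by this user". */
int shell_allowed(const char *pw_shell)
{
    struct stat st;
    const char *shell = effective_shell(pw_shell);

    if (stat(shell, &st) != 0)
        return 0;
    /* S_ISREG() rather than "st_mode & S_IFREG": S_IFREG is a value of the
     * S_IFMT field, and a socket's mode also has that bit set. */
    if (!S_ISREG(st.st_mode))
        return 0;
    if (!(st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed inputs: an empty field, a real shell, a non-executable
     * regular file and a path that does not exist. */
    const char *cases[] = { "", "/bin/sh", "/etc/passwd", "/nonexistent/sh" };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-16s -> %s (checked %s)\n",
               cases[i][0] ? cases[i] : "(empty)",
               shell_allowed(cases[i]) ? "allow" : "deny",
               effective_shell(cases[i]));
    return 0;
}
```

The default is applied in one place (effective_shell) so that the check in allowed_user() and the exec in do_child() cannot drift apart; whichever string this returns is the one that should be handed to execve().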
From: vicki21 at iname.com (vicki21 at iname.com) Date: Sat, 01 Apr 2000 05:50:47 Subject: Expose your business to the Internet References: 0B6622504 Message-ID: PUT EMAIL MARKETING TO WORK FOR YOU... Call NOW and receive 50,000 additional emails with your order for only $100. Thats 40,000 FREE emails!!! WE HAVE OPT-IN LISTS!!!! see below for removal. Special Ends Friday April 7, 2000 MLM'ers, We can build your downline. Imagine having a product or idea and selling it for only $10. Now imagine sending an ad for your product or idea to 25 million people! If you only get a 1/10 of 1% response you have just made $250,000!! You hear about people getting rich off the Internet everyday on TV, now is the perfect time for you to jump in on all the action. FACT. With the introduction of the Internet, one primary KEY to conducting your business successfully is creating massive exposure in a cost effective manner. FACT. The experts agree that email marketing is one of the most cost effective forms of promotion in existence today. Electronic mail has overtaken the telephone as the primary means of business communication.(American Management Association) Of online users 41 percent check their email daily. "A gold mine for those who can take advantage of bulk email programs"- The New York Times "Email is an incredible lead generation tool" -Crains Magazine "Blows away traditional Mailing"-Advertising Age "It's truly arrived. Email is the killer app so far in the online world"-Kate Delhagen, Forrester Research Analyst Why not let a professional company handle your direct email marketing efforts for you? *We will assist you in developing your entire campaign! *We can even create your ad or annoucement for you! *No responses? We resend at no cost! For More Information CALL NOW-702-248-1043 For removal see below. SPECIAL RATES SPECIAL ENDS Friday April 7, 2000 Targeted Rates Upon Request. BONUS!!! Call In and receive 50,000 Extra Emails at No Cost! 
Call NOW - 702-248-1043 ++++++++++++++++++++++++++++++++++++++++++++++++++ We are terribly sorry if you received this message in error. If you wish to be removed. Please, type "REMOVE" in the subject line: outnow at fiberia.com ++++++++++++++++++++++++++++++++++++++++++++++++++ From bole at falcon.etf.bg.ac.yu Sat Apr 1 23:24:48 2000 From: bole at falcon.etf.bg.ac.yu (Bosko Radivojevic) Date: Sat, 1 Apr 2000 15:24:48 +0200 (CEST) Subject: openssh & wtmp In-Reply-To: Message-ID: On Sat, 1 Apr 2000, Damien Miller wrote: > wtmp logging has been broken on the older Slackwares for a while, but > I have not been able to replicate it. On RedHat 6.1 (for SPARC) wtmp logging is ok. On Slackware 7.0, wtmp logging is also broken. > Have a look contrib/README and give liblogin a try. I will. Thanx. Greetings, Bole From djm at mindrot.org Sun Apr 2 03:56:23 2000 From: djm at mindrot.org (Damien Miller) Date: Sun, 2 Apr 2000 03:56:23 +1000 (EST) Subject: Administrivia: spam and non-subscriber submissions Message-ID: I have just disabled posting to the openssh-unix-dev list for non-subscribers due to spam. If you are reading this message from the list then this change should have exactly zero effect on you. Non-members who post to the list will be bounced to me for approval. If I get more than a couple of emails from such people I will authorise them to post. It looks like some scumbag has trawled the webpages recently because all the addresses listed there are getting the same spam messages. IMO spam is still preferable to dead-tree advertising :) -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From alex at forbin.diebold.net Sun Apr 2 19:22:46 2000 
From: alex at forbin.diebold.net (Alex)
Date: Sun, 2 Apr 2000 05:22:46 -0400 (EDT)
Subject: anomalous wtmp logging bug
In-Reply-To:
Message-ID:

On Fri, 31 Mar 2000, Damien Miller wrote:

> On Fri, 31 Mar 2000, Alex wrote:
> >
> > I've noticed rather strange wtmp logging behavior in sshd. Can anyone
> > confirm or solve the following:
> >
> > Once a user authenticates themself to sshd, sshd among other things
> > records the login in the wtmp, which `last` reads. However, sshd
> > logs hostnames which are longer than 16 characters instead of IPs
> > like normal programs would. As a result, I have useless entries
> > such as:

Thanks for the speedy answer. I remember posting before with no reply, I'm glad my cries are finally heard :-)

> OpenSSH logs both hostname and IP address if your wtmp supports it.
> Under RedHat Linux I can get the IP addresses using "last -i". If
> you would prefer IP addresses being logged instead of hostname,
> you may want to hack on login.c. grep for ut_host and ut_addr.

I forgot to mention the system; it's a FreeBSD system (I've upgraded it to 4.0 from 3.3 recently, but it behaved like this already). I checked the man page for 'last' and there is no option to see the IP. I assume my wtmp logging setup doesn't support dual IP/hostname logging. A suggestion I have is an option to detect that and/or a configure --option to build sshd appropriately.

In the mean time, can you suggest what changes should be made to the source to have sshd build so that it doesn't log when login(1) is used? Either that or have sshd log the IP if the hostname is longer than 16 chars (probably defined in wtmp.h though). A patch would be much more helpful (not to mention appreciated). I don't trust myself with modifying the source enough to post one myself.

Thanks.
> > -d
> > --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Mon Apr 3 23:14:14 2000
From: djm at mindrot.org (Damien Miller)
Date: Mon, 3 Apr 2000 23:14:14 +1000 (EST)
Subject: Announce: Test release with random collection support
Message-ID:

I have just uploaded a test release of portable openssh to http://violet.ibs.com.au/openssh/files/test

This release includes some major changes picked up from OpenBSD CVS.

It also includes inbuilt random number gathering support which should remove the need for EGD on systems that lack /dev/random.

This support is very preliminary. Please treat it as alpha and don't use it on production systems. It may break, it may not be secure. You have been warned.

The goal of this release is to get these large code changes tested. Please send the output of "ssh -v" to the mailing list if your system lacks /dev/random.

I am also interested in more random sources, please have a look through entropy.c at the big table and see if you can suggest any that are specific to your system.

Good random sources should return a moderate amount of very unpredictable data and shouldn't take long to execute. Be wary of commands that do implicit DNS lookups which can take ages to complete.

Looking forward to your feedback,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From mw at moni.msci.memphis.edu Tue Apr 4 01:45:12 2000
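Damien's criteria for a candidate entropy command (a fair amount of output, hard to predict, quick to run, no hidden DNS lookups) can be checked before a command is proposed for the entropy.c table. The program below is an added example, not OpenSSH's entropy.c or anything from this thread: it runs each candidate through /bin/sh, times it, and reports how much output came back and how varied it is. The commands listed in main() are illustrative choices, not the project's table, and the variability figures are deliberately crude: they flag a command whose output is constant or nearly so, but they cannot certify a source as good, since a counter's output is perfectly predictable and still looks varied byte by byte.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

#define SAMPLE_MAX 4096

/* What one run of a candidate command tells you. */
struct source_result {
    size_t nbytes;        /* bytes the command produced (capped at SAMPLE_MAX) */
    double seconds;       /* wall-clock time, including process start-up */
    int distinct;         /* distinct byte values seen, 0..256 */
    double top_fraction;  /* share of the output taken by the most common byte */
};

/* Crude variability figures for a buffer: how many distinct byte values
 * appear, and how dominant the most frequent one is.  Catches constant or
 * near-constant output; says nothing about predictability. */
void byte_stats(const unsigned char *buf, size_t n, int *distinct, double *top_fraction)
{
    size_t counts[256] = { 0 };
    size_t i, top = 0;
    int seen = 0;

    for (i = 0; i < n; i++)
        counts[buf[i]]++;
    for (i = 0; i < 256; i++) {
        if (counts[i] == 0)
            continue;
        seen++;
        if (counts[i] > top)
            top = counts[i];
    }
    *distinct = seen;
    *top_fraction = n ? (double)top / (double)n : 0.0;
}

static double now_seconds(void)
{
    struct timeval tv;
    gettimeofday(&tv, NULL);
    return (double)tv.tv_sec + (double)tv.tv_usec / 1e6;
}

/* Run cmd through /bin/sh, read up to SAMPLE_MAX bytes of its stdout and
 * fill in res.  Returns 0 on success, -1 if the command could not start. */
int run_source(const char *cmd, struct source_result *res)
{
    unsigned char buf[SAMPLE_MAX];
    size_t n = 0, got;
    double start = now_seconds();
    FILE *fp;

    memset(res, 0, sizeof(*res));
    fp = popen(cmd, "r");
    if (fp == NULL)
        return -1;
    while (n < sizeof(buf) && (got = fread(buf + n, 1, sizeof(buf) - n, fp)) > 0)
        n += got;
    pclose(fp);
    res->nbytes = n;
    res->seconds = now_seconds() - start;
    byte_stats(buf, n, &res->distinct, &res->top_fraction);
    return 0;
}

int main(void)
{
    /* Illustrative candidates only.  Note the -n on netstat: without it
     * the command may do reverse DNS lookups and take ages, which is the
     * kind of source Damien warns about. */
    const char *cmds[] = { "ls -l /tmp 2>/dev/null", "ps -ef 2>/dev/null",
                           "netstat -an 2>/dev/null", "date" };
    size_t i;

    printf("%-26s %6s %8s %9s %6s\n", "command", "bytes", "seconds", "distinct", "top");
    for (i = 0; i < sizeof(cmds) / sizeof(cmds[0]); i++) {
        struct source_result r;
        if (run_source(cmds[i], &r) != 0)
            continue;
        printf("%-26s %6zu %8.3f %9d %6.2f\n", cmds[i], r.nbytes, r.seconds,
               r.distinct, r.top_fraction);
    }
    return 0;
}
```

A command that takes several seconds, returns only a handful of bytes, or returns output dominated by one byte value is a poor candidate regardless of how unpredictable it seems; a command that scores well here still has to be judged on whether an attacker on or near the machine could predict its output.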
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Mon, 3 Apr 2000 10:45:12 -0500
Subject: Expose your business to the Internet
In-Reply-To: ; from vicki21@iname.com on Sat, Apr 01, 2000 at 05:50:47AM +0000
References:
Message-ID: <20000403104512.D15855@moni.msci.memphis.edu>

This message came through an open relay, which is already in the orbs database. While orbs sometimes gives false positives, for a list like this, it may not be bad to use it.

Best,
Mate

From mw at moni.msci.memphis.edu Tue Apr 4 02:15:35 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Mon, 3 Apr 2000 11:15:35 -0500
Subject: Administrivia: spam and non-subscriber submissions
In-Reply-To: ; from djm@mindrot.org on Sun, Apr 02, 2000 at 03:56:23AM +1000
References:
Message-ID: <20000403111535.E15855@moni.msci.memphis.edu>

On Sun, Apr 02, 2000 at 03:56:23AM +1000, Damien Miller wrote:
> It looks like some scumbag has trawled the webpages recently because
> all the addresses listed there are getting the same spam messages.

And this is a problem with the list archive too: unfortunately, the From addresses are not hidden by default; I for one started to get spam from the same source, after a 4 month break. Whoever does the archiving: please hide the from headers, and perhaps provide a switch to show it.

> IMO spam is still preferable to dead-tree advertising :)

My address alone gets over 200 rejected spam/day, and I get 3 ads in the mail/week. The danger in spam is that unprotected servers get easily overwhelmed by them. Once in a while, we get desperate people asking for help on the qmail list because their server is completely bogged down by a spammer trying to relay a million messages through the server.

I do understand your point, though. But I think spammers (like the one the list got) advertise stuff not suitable for service mail advertising. So I would just say: both are bad.

Mate

From openssh-unix-dev.mindrot.org at marc-haber.de Tue Apr 4 03:39:31 2000
From: openssh-unix-dev.mindrot.org at marc-haber.de (Marc Haber)
Date: Mon, 03 Apr 2000 17:39:31 GMT
Subject: Selectively allowing port forwards
Message-ID:

Hi!

The current version of sshd allows restricting keys to issue only specific commands. However, port forwarding can only be forbidden entirely.

Given the following situation: A client C uses S as a POP3 server. We want to poll E-Mail via POP3 from S to A via an ssh tunnel without being asked for a password. Thus, we create a passphrase-less key pair on A, transmit the public key to S and insert it into ~account/.ssh/authorized_keys. Only command allowed is "sleep" to keep the connection open while the poll is going through via a forwarded port.

That way, one taking possession of the private key can "only" use S for arbitrary port forwards and does not have shell access to S.

I feel it would be desirable to restrict a key to "only do port forwards to localhost:110". Would it be possible to have something like that implemented in a future release?

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         | " Questions are the         | Mailadresse im Header
Karlsruhe, Germany | Beginning of Wisdom "       | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29

From mouring at pconline.com Tue Apr 4 06:05:06 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Mon, 3 Apr 2000 15:05:06 -0500 (CDT)
Subject: Announce: Test release with random collection support
In-Reply-To:
Message-ID:

[On NeXT]

Ermm.. Where are RAND_add()/RAND_status() supposed to be defined?

I don't see them as part of the OpenSSL headers, nor part of the OpenSSH package.

-- Compile Error --
[..]
cc -o ssh ssh.o sshconnect.o log-client.o readconf.o clientloop.o -L. -L/usr/local/ssl/lib -L/usr/local/ssl -lssh -lz -lcrypto
/bin/ld: Undefined symbols:
_RAND_add
_RAND_status
*** Exit 1
Stop.

On Mon, 3 Apr 2000, Damien Miller wrote:

>
> I have just uploaded a test release of portable openssh to
> http://violet.ibs.com.au/openssh/files/test
>
> This release includes some major changes picked up from OpenBSD CVS.
>
> It also includes inbuilt random number gathering support which should
> remove the need for EGD on systems that lack /dev/random.
>
> This support is very preliminary. Please treat it as alpha and don't
> use it on production systems. It may break, it may not be secure. You
> have been warned.
>
> The goal of this release is to get these large code changes tested.
> Please send the output of "ssh -v" to the mailing list if your system
> lacks /dev/random.
>
> I am also interested in more random sources, please have a look
> through entropy.c at the big table and see if you can suggest any that are
> specific to your system.
>
> Good random sources should return a moderate amount of very
> unpredictable data and shouldn't take long to execute. Be wary of
> commands that do implicit DNS lookups which can take ages to complete.
>
> Looking forward to your feedback,
> Damien Miller
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
>

From carrier at cs.purdue.edu Tue Apr 4 06:41:18 2000
From: carrier at cs.purdue.edu (Brian Carrier) Date: Mon, 3 Apr 2000 15:41:18 -0500 Subject: EGD 0.7 Message-ID: <20000403154117.B26498@lisa.cs.purdue.edu> EGD 0.7 was released this weekend and I would highly recommend that everyone here that uses EGD upgrades. While doing some research last week I found a typo in the add_entropy() function that prevented any new entropy from being introduced into the system (in other words the entropy pool was a recursive hash of 0's). If the commands return in the same order, then the output bits are in the same order every time the daemon is restarted, regardless of the system command results. I emailed the author last week and he fixed it over the weekend. http://www.lothar.com/tech/crypto/ brian CERIAS - Purdue University From mouring at pconline.com Tue Apr 4 09:08:17 2000 
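The EGD bug Brian describes is worth seeing in miniature, because it is silent: the daemon keeps running, keeps answering requests, and hands out bytes that look random, while nothing the commands produce ever reaches the pool. The program below is an added example and not EGD's code: a toy pool whose mixing step is a 64-bit FNV-1a hash standing in for EGD's real hash, a "broken" add routine that computes the hash of the fresh input and then throws it away (the data-flow failure the post describes, not its exact typo), the fixed routine beside it, and the regression check that catches the difference: two pools fed different entropy must not produce the same output stream. The sample entropy strings are constructed stand-ins for command output.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_WORDS 4
#define FNV_OFFSET 0xcbf29ce484222325ULL
#define FNV_PRIME  0x100000001b3ULL

struct pool {
    uint64_t state[POOL_WORDS];
    uint64_t counter;
};

/* Toy mixing function: 64-bit FNV-1a continued from h over data.  Not a
 * cryptographic hash; it only has to make the data flow visible. */
static uint64_t fnv1a(uint64_t h, const void *data, size_t n)
{
    const unsigned char *p = data;
    size_t i;
    for (i = 0; i < n; i++) {
        h ^= p[i];
        h *= FNV_PRIME;
    }
    return h;
}

void pool_init(struct pool *p)
{
    memset(p, 0, sizeof(*p));
    p->state[0] = FNV_OFFSET;
}

/* Broken: the fresh entropy is hashed into a temporary that is then
 * discarded, so the pool only ever rehashes its own previous contents. */
void pool_add_broken(struct pool *p, const void *entropy, size_t n)
{
    size_t w = (size_t)(p->counter % POOL_WORDS);
    uint64_t h = p->state[w];
    uint64_t unused = fnv1a(h, entropy, n);   /* computed ... */
    (void)unused;                             /* ... and never used */
    p->state[w] = fnv1a(h, p->state, sizeof(p->state));
    p->counter++;
}

/* Fixed: the input is folded into the word before it is mixed back. */
void pool_add(struct pool *p, const void *entropy, size_t n)
{
    size_t w = (size_t)(p->counter % POOL_WORDS);
    uint64_t h = fnv1a(p->state[w], entropy, n);
    p->state[w] = fnv1a(h, p->state, sizeof(p->state));
    p->counter++;
}

/* Extract one 64-bit output and step the state so outputs do not repeat. */
uint64_t pool_extract(struct pool *p)
{
    uint64_t out = fnv1a(FNV_OFFSET, p->state, sizeof(p->state));
    p->state[0] ^= out;
    p->counter++;
    return out;
}

/* Regression check: feed two fresh pools different entropy and compare
 * their output streams.  Returns 1 if the outputs diverge (the input is
 * reaching the pool), 0 if they are identical (the input is ignored). */
int pool_reacts_to_input(void (*add)(struct pool *, const void *, size_t))
{
    struct pool a, b;
    /* Constructed stand-ins for the output of two runs of gathering commands. */
    const char *ea[] = { "ls -l output, run 1", "ps output, run 1", "date, run 1" };
    const char *eb[] = { "ls -l output, run 2", "ps output, run 2", "date, run 2" };
    size_t i;

    pool_init(&a);
    pool_init(&b);
    for (i = 0; i < 3; i++) {
        add(&a, ea[i], strlen(ea[i]));
        add(&b, eb[i], strlen(eb[i]));
    }
    for (i = 0; i < 8; i++)
        if (pool_extract(&a) != pool_extract(&b))
            return 1;
    return 0;
}

int main(void)
{
    printf("broken add: %s\n", pool_reacts_to_input(pool_add_broken) ? "reacts" : "IGNORES INPUT");
    printf("fixed add:  %s\n", pool_reacts_to_input(pool_add) ? "reacts" : "IGNORES INPUT");
    return 0;
}
```

The check is cheap enough to run at daemon start-up or in a test suite, and it tests the property that matters (output depends on input) without any statistical test, which is exactly the kind of test a stream of hashed zeros passes.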
From: mouring at pconline.com (Ben Lindstrom) Date: Mon, 3 Apr 2000 18:08:17 -0500 (CDT) Subject: Announce: Test release with random collection support In-Reply-To: Message-ID: Ermm.. Nevermind.. Thanks Brian Carrier. I was still running 0.9.4 on the next box. Compiles and seems to work just fine.. Or at least as well as it did before. On Mon, 3 Apr 2000, Ben Lindstrom wrote: > [On NeXT] > > Ermm.. Where are RAND_add()/RAND_status() suppost to be defined? > > I don't see them as part of the OpenSSL headers, nor part of the OpenSSH > package. > > -- Compile Error -- > [..] > cc -o ssh ssh.o sshconnect.o log-client.o readconf.o clientloop.o -L. > -L/usr/lo > cal/ssl/lib -L/usr/local/ssl -lssh -lz -lcrypto > /bin/ld: Undefined symbols: > _RAND_add > _RAND_status > *** Exit 1 > Stop. > > > > On Mon, 3 Apr 2000, Damien Miller wrote: > > > > > I have just uploaded a test release of portable openssh to > > http://violet.ibs.com.au/openssh/files/test > > > > This release includes some major changes picked up from OpenBSD CVS. > > > > It also includes inbuilt random number gathering support which should > > remove the need for EGD on systems that lack /dev/random. > > > > This support is very preliminary. Please treat it as alpha and don't > > use it on production systems. It may break, it may not be secure. You > > have been warned. > > > > The goal of this release is to get these large code changes tested. > > Please send the output of "ssh -v" to the mailing list if your system > > lacks /dev/random. > > > > I am also interested in more random sources, please have a look > > through entropy.c at the big table and see if you can suggest that are > > specific to your system. > > > > Good random sources should return a moderate amounts of very > > unpredictable data and shouldn't take long to execute. Be wary of > > commands that do implicit DNS lookups which can take ages to complete. 
> > > > Looking forward to your feedback, > > Damien Miller > > > > -- > > | "Bombay is 250ms from New York in the new world order" - Alan Cox > > | Damien Miller - http://www.mindrot.org/ > > | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) > > > > > > > > > > > > From djm at mindrot.org Tue Apr 4 09:13:42 2000 From: djm at mindrot.org (Damien Miller) Date: Tue, 4 Apr 2000 09:13:42 +1000 (EST) Subject: Announce: Test release with random collection support In-Reply-To: Message-ID: On Mon, 3 Apr 2000, Ben Lindstrom wrote: > [On NeXT] > > Ermm.. Where are RAND_add()/RAND_status() suppost to be defined? > > I don't see them as part of the OpenSSL headers, nor part of the OpenSSH > package. I think that they are recent additions to the OpenSSL API. Somewhere between version 0.9.4a and 0.9.5. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From sen_ml at eccosys.com Tue Apr 4 14:01:20 2000 
From: sen_ml at eccosys.com (sen_ml at eccosys.com) Date: Tue, 04 Apr 2000 13:01:20 +0900 Subject: Selectively allowing port forwards In-Reply-To: References: Message-ID: <20000404130120V.1000@eccosys.com> i hope what you suggest gets implemented, as i've been wanting similar functionality for a while now. however, i was under the impression that Damien felt that new features should be added to the "upstream" openbsd version first. please see the following messages for reference: Message-Id: <19991218114559I.1000 at eccosys.com> Message-Id: Message-Id: <20000303172656J.1000 at eccosys.com> Message-ID: i'd send you links, but i haven't been able to find all of the relevant messages at the archive that i know about -- here's one that i did find though: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=94577271606092&w=2 p.s. does anyone know of a different archive for the list? marc> Given the following situation: A client C uses S as a POP3 server. We marc> want to poll E-Mail via POP3 from S to A via an ssh tunnel without marc> being asked for a password. Thus, we create a passphrase-less key pair marc> on A, transmit the public key to S and insert it into marc> ~account/.ssh/authorized_keys. Only command allowed is "sleep" to keep marc> the connection open while the poll is doing through via a forwarded marc> port. marc> That way, one taking posession of the private key can "only" use S for marc> arbitrary port forwards and do not have shell access to S. marc> I feel it would be desireable to restrict a key to "only do port marc> forwards to localhost:110". Would it be possible to have something marc> like that implemented in a future release? From djm at mindrot.org Tue Apr 4 14:10:25 2000 
From: djm at mindrot.org (Damien Miller) Date: Tue, 4 Apr 2000 14:10:25 +1000 (EST) Subject: Selectively allowing port forwards In-Reply-To: Message-ID: On Mon, 3 Apr 2000, Marc Haber wrote: > Hi! > > The current version of sshd allows to restrict keys to issue only > specific commands. However, port forwarding can only be forbidden > entirely. > > Given the following situation: A client C uses S as a POP3 server. We > want to poll E-Mail via POP3 from S to A via an ssh tunnel without > being asked for a password. Thus, we create a passphrase-less key pair > on A, transmit the public key to S and insert it into > ~account/.ssh/authorized_keys. Only command allowed is "sleep" to keep > the connection open while the poll is doing through via a forwarded > port. > > That way, one taking posession of the private key can "only" use S for > arbitrary port forwards and do not have shell access to S. > > I feel it would be desireable to restrict a key to "only do port > forwards to localhost:110". Would it be possible to have something > like that implemented in a future release? I have been toying with the idea of implementing Keynote[1] policies as a substitute for authorized_keys. Keynote is nice because it solves the delegation problem well, but I couldn't figure out a way to cleanly support forced commands and port forward restrictions with the current Keynote language. -d [1] http://www.cis.upenn.edu/~angelos/keynote.html -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From smang at cs.jhu.edu Thu Apr 6 12:33:05 2000 
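What Marc is asking for, a key that may only open forwards to localhost:110, comes down to a matcher in the server that compares each requested forward target against a per-key list and denies by default. The code below is an added example, not OpenSSH code and not Damien's Keynote idea: it assumes a list syntax of "host:port" entries where "*" stands for any host or any port, which is an illustrative choice rather than anything the page defines. The sample list and requests in main() are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define MAX_PERMIT 16

struct permit {
    char host[256];
    int port;           /* -1 means any port */
};

struct permit_list {
    struct permit entries[MAX_PERMIT];
    int n;
};

/* Parse one "host:port" spec (port may be "*").  Returns 0 on success,
 * -1 if the spec is malformed; a malformed spec must never be treated
 * as "allow anything". */
int parse_permit(const char *spec, struct permit *out)
{
    const char *colon = strrchr(spec, ':');
    size_t hlen;
    char *end;
    long port;

    if (colon == NULL || colon == spec || colon[1] == '\0')
        return -1;
    hlen = (size_t)(colon - spec);
    if (hlen >= sizeof(out->host))
        return -1;
    memcpy(out->host, spec, hlen);
    out->host[hlen] = '\0';
    if (strcmp(colon + 1, "*") == 0) {
        out->port = -1;
        return 0;
    }
    port = strtol(colon + 1, &end, 10);
    if (*end != '\0' || port < 1 || port > 65535)
        return -1;
    out->port = (int)port;
    return 0;
}

/* Add a spec to the list; -1 on parse error or when the list is full. */
int permit_add(struct permit_list *l, const char *spec)
{
    if (l->n >= MAX_PERMIT)
        return -1;
    if (parse_permit(spec, &l->entries[l->n]) != 0)
        return -1;
    l->n++;
    return 0;
}

/* Default deny: a requested forward is allowed only if some entry matches
 * both the target host (literal, case-insensitive, or "*") and the port. */
int forward_allowed(const struct permit_list *l, const char *host, int port)
{
    int i;
    for (i = 0; i < l->n; i++) {
        const struct permit *p = &l->entries[i];
        if (strcmp(p->host, "*") != 0 && strcasecmp(p->host, host) != 0)
            continue;
        if (p->port != -1 && p->port != port)
            continue;
        return 1;
    }
    return 0;
}

int main(void)
{
    struct permit_list l;
    const char *specs[] = { "localhost:110", "127.0.0.1:110" };
    struct { const char *host; int port; } reqs[] = {
        { "localhost", 110 }, { "127.0.0.1", 110 }, { "localhost", 25 },
        { "mail.example.org", 110 }
    };
    size_t i;

    memset(&l, 0, sizeof(l));
    for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++)
        if (permit_add(&l, specs[i]) != 0)
            fprintf(stderr, "bad spec: %s\n", specs[i]);
    for (i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++)
        printf("forward to %s:%d -> %s\n", reqs[i].host, reqs[i].port,
               forward_allowed(&l, reqs[i].host, reqs[i].port) ? "allow" : "deny");
    return 0;
}
```

The host is compared as the literal string the client sent, not as a resolved address, so the operator has to list every spelling the client might use: "localhost:110" alone does not cover a client that asked for 127.0.0.1:110, and resolving names inside the server to close that gap would reintroduce the DNS dependency and a spoofing surface.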
From: smang at cs.jhu.edu (Stefan Mangard)
Date: Wed, 5 Apr 2000 22:33:05 -0400 (EDT)
Subject: status of openssh-2
Message-ID:

Hi,

My name is Stefan Mangard and I plan to implement an extension to ssh as a final project in a cryptography class. Since I want to use an open source of ssh, I decided to use the openssh implementation. I am currently working with openssh-1.2.3, but I'd also like to implement my extension for protocol 2, so I wanted to ask you how far the development of the implementation of openssh-2 is.

Thanks,
Stefan Mangard

From paul.l.allen at boeing.com Thu Apr 6 14:13:46 2000
From: paul.l.allen at boeing.com (Paul Allen)
Date: Wed, 05 Apr 2000 21:13:46 -0700
Subject: /dev/random is on your Solaris CD
Message-ID: <38EC0EFA.D767929E@boeing.com>

There was some discussion recently about the Solaris /dev/random support that can be downloaded from Sun's patch archive as part of a patch to the Sun Web Server 1.0 product. The SUNWski package is the interesting bit that purports to provide /dev/random. It was noted that domestic and international versions of the patch existed and that only the international (no encryption) version was downloadable. Nobody stepped forward to verify that the international version actually produced quality random data suitable for using with strong encryption.

Well, I was bored, so I started rummaging in my pile of Solaris boxes. In the Solaris 7 (11/99) server box, I found Sun Web Server 2.1, which contains SUNWski. Although this is a newer version of the product, it contains the same 1.0 version of the SUNWski package as does the 105710-01 patch.

I've installed both the version of SUNWski from my CD and the one from the patch and computed checksums of all the files. They differ. This could be due to trivial things like timestamps. Or, it could be actual differences in the software. Without sources, who can tell?

I think I'm going to get my Solaris /dev/random support from the CD Sun sent me, rather than from a possibly-crippled downloaded version. If anybody knows that the SUNWski that's bundled with Sun Web Server 2.1 is not secure, or if anybody can convince me that egd.pl is superior, I'm all ears. (Absolutely not criticising egd.pl here! It's worked fine in my testing over the last day or so.)

Paul Allen
--
Paul L. Allen | voice: (425) 865-3297 fax: (425) 865-2964
Unix Technical Support | paul.l.allen at boeing.com
Boeing Phantom Works Math & Computing Technology Site Operations, POB 3707 M/S 7L-68, Seattle, WA 98124-2207

From paul.l.allen at boeing.com Thu Apr 6 14:47:42 2000
From: paul.l.allen at boeing.com (Paul Allen)
Date: Wed, 05 Apr 2000 21:47:42 -0700
Subject: /dev/random is on your Solaris CD
References: <38EC0EFA.D767929E@boeing.com>
Message-ID: <38EC16EE.F1BC14E2@boeing.com>

Paul Allen wrote:
>
> [... about SUNWski (/dev/random) being on the Solaris CD's ...]

I've convinced myself now that what's on my Solaris 7 CD's is in fact the international version. The US and Canada version has a SUNWssld package containing strong SSL software. My CD only has SUNWssl, the "Global" version of the SSL software. Sun doesn't appear to provide "global" and "US and Canada" versions of SUNWski, so apparently the downloadable version and the one on the CD are equivalent even though their checksums differ.

Sorry to raise such a ruckus about this. I'm trying quite hard to avoid accidentally introducing a weak link here. Please feel free to use the downloadable SUNWski, if you have the account to get to it.

Secure computing!

Paul Allen
--
Paul L. Allen | voice: (425) 865-3297 fax: (425) 865-2964
Unix Technical Support | paul.l.allen at boeing.com
Boeing Phantom Works Math & Computing Technology Site Operations, POB 3707 M/S 7L-68, Seattle, WA 98124-2207

From markus.friedl at informatik.uni-erlangen.de Thu Apr 6 17:07:00 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 6 Apr 2000 09:07:00 +0200
Subject: status of openssh-2
In-Reply-To: ; from smang@cs.jhu.edu on Wed, Apr 05, 2000 at 10:33:05PM -0400
References:
Message-ID: <20000406090700.A17192@folly.informatik.uni-erlangen.de>

On Wed, Apr 05, 2000 at 10:33:05PM -0400, Stefan Mangard wrote:
> My name is Stefan Mangard and I plan to implement an extension to ssh as a
> final project in a cryptography class.

what kind of extension?

> Since I want to use an open source of ssh, I decided to use
> the openssh implementation.

cool.

> I am currently working with openssh-1.2.3, but I'd also like to implement
> my extension for protocol 2, I wanted to ask you how far the development
> of the implementation of openssh-2 is.

right now i have client+server running on openbsd-current, here is the status:

% cat README.openssh2
$Id: README.openssh2,v 1.18 2000/03/28 19:31:19 markus Exp $

works:
    client + some server
    basic packet-layer
    compression: zlib, none
    encryption: blowfish-cbc, 3des-cbc, arcfour, cast128-cbc
    mac: hmac-md5, hmac-sha1, (hmac-ripemd160)
    transport: proposal exchange, i.e. different enc/mac/comp per direction
    secsh-transport: w/o rekey, for client+server
    secsh-userauth: passwd only, for client+server
    secsh-connection: pty+shell or command, flow control works (window adjust)
    tcp-forwarding: -L works for client/server
    dss: verification works, key database in ~/.ssh/known_hosts with bits == 0 hack
    dss: signature works, keygen w/ openssl:
        $ openssl dsaparam 1024 -out dsa1024.pem
        $ openssl gendsa -out /etc/ssh_dsa_key dsa1024.pem -rand /dev/arandom
    server: login works, pty, too.
    client interops w/ sshd2, lshd
    server interops w/ ssh2, lsh, ssh.com's Windows client, SecureCRT
    server supports multiple concurrent sessions (e.g. with SSH.com Windows client)

todo:
    re-keying
    several secsh-connection features: tcp-forwarding, agent-fwd
    auth other than passwd: pubkey, keyboard-interactiv
    config
    server-auth w/ old host-keys
    cleanup
    advanced key storage? keynote
    sftp

-markus

$Date: 2000/03/28 19:31:19 $

% cat NOTES

OpenSSH2
========

The SSH2 protocol is specified in several IETF drafts (draft-ietf-secsh-*). It is composed of three layered protocols:

(1) The 'transport layer' provides algorithm negotiation and a key exchange. The key exchange includes server authentication and results in a cryptographically secured connection: it provides integrity, confidentiality and optional compression.

(2) The 'user authentication layer' uses the established connection and relies on the services provided by the transport layer. It provides several mechanisms for user authentication. These include traditional password authentication as well as public-key or host-based authentication mechanisms.

(3) The 'connection layer' multiplexes many different concurrent channels over the authenticated connection and allows tunneling of login sessions and TCP-forwarding. It provides a flow control service for these channels. Additionally, various channel-specific options can be negotiated.

The current state of OpenSSH2:

As of today we have both a client and a server with the following basic functionality working:

(1) The OpenSSH2 transport layer implementation supports the 'diffie-hellman-group1-sha1' key exchange from the IETF drafts and provides many algorithms for confidentiality (blowfish-cbc, 3des-cbc, arcfour, cast128-cbc), integrity (hmac-md5, hmac-sha1, hmac-ripemd160) and compression (zlib). Different algorithms can be negotiated per direction.

(2) Both the client and the server support password authentication only.

(3) OpenSSH2 supports basic connection layer functionality: remote shell or command invocation, including pty handling. OpenSSH2's sshd even allows multiple concurrent login sessions over one authenticated connection. There is a minimal support for TCP-forwarding.

Interoperability:

The OpenSSH2 server interoperates with ssh.com's latest Unix and Windows clients (note that they do not follow the specification from the IETF drafts), SecureCRT and lsh. The OpenSSH2 client interoperates with both ssh.com's server and lshd.

The Future:

A number of features are missing from OpenSSH2 and need to be added:

* TCP-forwarding must be extended both on the client and server side.
* Public-key authentication is required by the draft.
* re-keying support in the transport layer. Both client and server can initiate re-keying.
* keyboard-interactive authentication method is intended for one-time password authentication.

Apart from these basic features OpenSSH needs

* extended configurability and
* some code cleanup, since both SSH1 and SSH2 code are currently tightly integrated. OpenSSH2 supports both protocol versions (1.5 and 2.0) in one program.

Another major milestone is the need for

* an advanced key management system (e.g. keynote policies from RFC 2704 and 2792) and integration of different PKI's like PGP or X509. Perhaps it's even possible to reuse the existing keys from SSH1.
* support a SSH2 ssh-agent and agent-forwarding. The protocol used in ssh.com's implementations is not specified.
* support for a file-transfer protocol. Again, ssh.com's sftp is not specified.

From mouring at pconline.com Thu Apr 6 17:21:39 2000
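The "different enc/mac/comp per direction" item in the README above, as an added example (not the OpenSSH2 code Markus describes): for each direction the cipher, MAC and compression method are chosen as the first entry of the client's name-list that the server also offers, and a direction with no common algorithm fails the exchange. Struct and function names are this example's own.

```c
/* Added example, not the OpenSSH2 code the status report describes:
 * per-direction negotiation of cipher, MAC and compression from SSH2
 * KEXINIT name-lists.  Struct and function names are this example's own. */
#include <stdio.h>
#include <string.h>

struct proposal { const char *enc, *mac, *comp; };   /* comma-separated name-lists */
struct chosen   { char enc[32], mac[32], comp[32]; };

/* Length of the name-list item starting at p (up to the next ',' or end). */
static size_t item_len(const char *p)
{
    const char *c = strchr(p, ',');
    return c != NULL ? (size_t)(c - p) : strlen(p);
}

/* Exact-name membership test: "arcfour" must not match "arcfour128". */
static int list_contains(const char *list, const char *name, size_t len)
{
    const char *p = list;
    while (*p != '\0') {
        size_t n = item_len(p);
        if (n == len && memcmp(p, name, len) == 0)
            return 1;
        p += n;
        if (*p == ',')
            p++;
    }
    return 0;
}

/* Pick the first item in the client's list that the server also offers
 * (the client's preference order decides).  Returns 1 and fills out, or
 * 0 when the lists share nothing, which must abort the key exchange. */
int negotiate(const char *client_list, const char *server_list, char *out, size_t outsz)
{
    const char *p = client_list;
    while (*p != '\0') {
        size_t n = item_len(p);
        if (n > 0 && n < outsz && list_contains(server_list, p, n)) {
            memcpy(out, p, n);
            out[n] = '\0';
            return 1;
        }
        p += n;
        if (*p == ',')
            p++;
    }
    return 0;
}

/* One direction (client-to-server or server-to-client) needs all three. */
int negotiate_direction(const struct proposal *client, const struct proposal *server, struct chosen *out)
{
    return negotiate(client->enc, server->enc, out->enc, sizeof out->enc)
        && negotiate(client->mac, server->mac, out->mac, sizeof out->mac)
        && negotiate(client->comp, server->comp, out->comp, sizeof out->comp);
}

int main(void)
{
    /* Constructed proposals using the algorithm names from the README:
     * the client wants compression towards the server but not back. */
    struct proposal c2s_client = {"blowfish-cbc,3des-cbc,arcfour,cast128-cbc", "hmac-sha1,hmac-md5", "zlib,none"};
    struct proposal s2c_client = {"blowfish-cbc,3des-cbc,arcfour,cast128-cbc", "hmac-sha1,hmac-md5", "none"};
    struct proposal server     = {"3des-cbc,cast128-cbc", "hmac-md5,hmac-sha1", "none,zlib"};
    struct chosen c2s, s2c;

    if (negotiate_direction(&c2s_client, &server, &c2s) && negotiate_direction(&s2c_client, &server, &s2c)) {
        printf("client->server: %s %s %s\n", c2s.enc, c2s.mac, c2s.comp);
        printf("server->client: %s %s %s\n", s2c.enc, s2c.mac, s2c.comp);
    } else {
        printf("no common algorithm: disconnect\n");
    }
    return 0;
}
```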
From: mouring at pconline.com (Ben Lindstrom)
Date: Thu, 6 Apr 2000 02:21:39 -0500 (CDT)
Subject: status of openssh-2
In-Reply-To: <20000406090700.A17192@folly.informatik.uni-erlangen.de>
Message-ID:

On Thu, 6 Apr 2000, Markus Friedl wrote:

[..]
> * some code cleanup, since both SSH1 and SSH2 code are currently tightly
> integrated. OpenSSH2 support both protocol versions (1.5 and 2.0)
> in one program.
>

Can I assume that OpenBSD/OpenSSH group is still committed to a single source base for 1.5 and 2.0 protocol? Or will we be seeing them split down the road?

My hope is they stay as a single source base with maybe a port option of --disable-15 or --disable-20 for those wishing to support either version and not both.

My hats off to the OpenSSH group. I'm surprised that 2.0 protocol is coming together this quickly. I was expecting to hear this news mid-summer.

From markus.friedl at informatik.uni-erlangen.de Thu Apr 6 18:17:44 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 6 Apr 2000 10:17:44 +0200
Subject: status of openssh-2
In-Reply-To: ; from mouring@pconline.com on Thu, Apr 06, 2000 at 02:21:39AM -0500
References: <20000406090700.A17192@folly.informatik.uni-erlangen.de>
Message-ID: <20000406101744.B3366@folly.informatik.uni-erlangen.de>

On Thu, Apr 06, 2000 at 02:21:39AM -0500, Ben Lindstrom wrote:
> Can I assume that OpenBSD/OpenSSH group is still committed to a single
> source base for 1.5 and 2.0 protocol? Or will we be seeing them split
> down the road?

no split. much common code.

> My hope is they stay as a single source base with maybe a port option
> of --disable-15 or --disable-20 for those wishing to support either
> version and not both.

something like that.

> My hats off to the OpenSSH group. I'm surprised that 2.0 protocol is
> coming together this quickly. I was expecting to hear this news mid-summer.

-markus

From a.d.stribblehill at durham.ac.uk Sat Apr 8 00:50:35 2000
From: a.d.stribblehill at durham.ac.uk (Andrew Stribblehill)
Date: Fri, 7 Apr 2000 15:50:35 +0100
Subject: Question about compiled-in entropy gatherer
Message-ID: <20000407155035.B27489@womble.dur.ac.uk>

This oddity happened with test2:

debug: Got 0.00 bytes of entropy from /usr/bin/who
debug: Got 0.05 bytes of entropy from /usr/bin/last
debug: Got 0.00 bytes of entropy from
debug: Got 0.88 bytes of entropy from /usr/sbin/df
debug: Got 0.00 bytes of entropy from /usr/sbin/df
debug: Got 0.12 bytes of entropy from /usr/bin/vmstat
debug: Got 0.00 bytes of entropy from /usr/bin/uptime

I've narrowed it down to a problem with autoconf (plus ca change, eh?!) that seems to have #defined lastlog to be "", rather than leaving it undefined. Nothing untoward seems to have happened due to this but it probably wants sorting. Can someone more qualified in autoconf point me in the direction of the solution?

Thanks,

Andrew Stribblehill
Systems programmer, IT Service, University of Durham, England.

From ddulek at fastenal.com Sat Apr 8 08:58:45 2000
From: ddulek at fastenal.com (David Dulek)
Date: Fri, 7 Apr 2000 17:58:45 -0500
Subject: DG/UX R4.20MU03
Message-ID: <0004071803370C.28839@penelope>

Has anyone had any experience with ssh and DG/UX? I tried the ./configure and it could not determine the hosttype. After that problem was worked-arounded I get a LOT of warnings about declaring functions multiple times and then the compile fails with:

packet.c: In function `packet_set_interactive':
packet.c:803: `IPTOS_LOWDELAY' undeclared (first use this function)
packet.c:803: (Each undeclared identifier is reported only once
packet.c:803: for each function it appears in.)
packet.c:815: `IPTOS_THROUGHPUT' undeclared (first use this function)

suggestions would be nice but I am figuring I will be here awhile figuring this out.

--
Dave Dulek
System Administration
Fastenal Company
E-mail: ddulek at fastenal.com
Phone: (507) 453-8149
Fax: (507) 453-8333

From mouring at pconline.com Sat Apr 8 09:45:33 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Fri, 7 Apr 2000 18:45:33 -0500 (CDT)
Subject: DG/UX R4.20MU03
In-Reply-To: <0004071803370C.28839@penelope>
Message-ID:

I suspect that DG/UX (it's been ages since I've played on one) lacks a lot of the 4.4BSD code for getoptsocket() as does NeXT. In the NeXT port I still have IPTOS_LOWDELAY and IPTOS_THROUGHPUT set to '0'. However in order to be portable with older UNIXes I suspect one really needs to go into packet.c and see if there is a better way of handling things. (better == more portable)

I wish I still had my M88K Dual DG/UX box. =( I really do miss the platform.

On Fri, 7 Apr 2000, David Dulek wrote:

> Has anyone had any experience with ssh and DG/UX? I tried the ./configure and
> it could not determine the hosttype. After that problem was worked-arounded I
> get a LOT of warnings about declaring functions multiple times and then the
> compile fails with:
>
> packet.c: In function `packet_set_interactive':
> packet.c:803: `IPTOS_LOWDELAY' undeclared (first use this function)
> packet.c:803: (Each undeclared identifier is reported only once
> packet.c:803: for each function it appears in.)
> packet.c:815: `IPTOS_THROUGHPUT' undeclared (first use this function)
>
> suggestions would be nice but I am figuring I will be here awhile figuring
> this out.
>
> --
>
> Dave Dulek
> System Administration
> Fastenal Company
> E-mail: ddulek at fastenal.com
> Phone: (507) 453-8149
> Fax: (507) 453-8333
>

From speno at isc.upenn.edu Sat Apr 8 11:39:10 2000
From: speno at isc.upenn.edu (John P Speno)
Date: Fri, 7 Apr 2000 21:39:10 -0400
Subject: Tru64 UNIX plans?
In-Reply-To: <20000118110129.B133698@isc.upenn.edu>
References: <20000118110129.B133698@isc.upenn.edu>
Message-ID: <20000407213910.A185501@isc.upenn.edu>

On Tue, Jan 18, 2000 at 11:01:29AM -0500, John P Speno wrote:
> Is anyone currently working on adding support for Tru64 UNIX's enhanced
> security to OpenSSH?

I got the time and did it myself with the help of Tom Woodburn @ compaq (who wrote the enhanced security stuff originally in the other ssh).

Before I submit the patches, there's one issue that I'd like to get feedback on. Tru64 UNIX's libsecurity uses the log() function from libm and since OpenSSH has its own log() routine, libsecurity calls that instead of the one in libm and sshd will segfault.

I'd like to propose that the log() function be renamed.

Could that happen?

Take care.

From djm at mindrot.org Sat Apr 8 17:31:55 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 8 Apr 2000 17:31:55 +1000 (EST)
Subject: DG/UX R4.20MU03
In-Reply-To: <0004071803370C.28839@penelope>
Message-ID:

On Fri, 7 Apr 2000, David Dulek wrote:

> Has anyone had any experience with ssh and DG/UX? I tried the
> ./configure and it could not determine the hosttype. After that
> problem was worked-arounded I get a LOT of warnings about declaring
> functions multiple times and then the compile fails with:
>
> packet.c: In function `packet_set_interactive':
> packet.c:803: `IPTOS_LOWDELAY' undeclared (first use this function)
> packet.c:803: (Each undeclared identifier is reported only once
> packet.c:803: for each function it appears in.)
> packet.c:815: `IPTOS_THROUGHPUT' undeclared (first use this function)
>
> suggestions would be nice but I am figuring I will be here awhile
> figuring this out.

Just add them manually for now, they are not platform specific:

# define IPTOS_LOWDELAY 0x10
# define IPTOS_THROUGHPUT 0x08
# define IPTOS_RELIABILITY 0x04
# define IPTOS_LOWCOST 0x02
# define IPTOS_MINCOST IPTOS_LOWCOST

These are being added to defines.h as I type :)

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sat Apr 8 17:55:11 2000
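Added example, not OpenSSH's packet.c: the fallback definitions above wrapped in #ifndef guards so they only take effect on platforms whose headers lack them, plus a setsockopt wrapper that treats a rejected TOS value, like the "setsockopt IPTOS_LOWDELAY: Invalid argument" Ben Lindstrom reports from NeXT later in the thread, as a logged hint rather than a fatal error. Function names are this example's own.

```c
/* Added example, not OpenSSH's packet.c: portable TOS marking for a
 * session socket.  The fallback values are the ones quoted in the
 * message above and only apply when the platform headers lack them. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>

#ifndef IPTOS_LOWDELAY
# define IPTOS_LOWDELAY 0x10
#endif
#ifndef IPTOS_THROUGHPUT
# define IPTOS_THROUGHPUT 0x08
#endif

/* Interactive (pty) sessions ask for low delay, bulk transfers for throughput. */
int tos_for_session(int interactive)
{
    return interactive ? IPTOS_LOWDELAY : IPTOS_THROUGHPUT;
}

/* Mark fd.  Returns 0 on success, -1 if the platform has no IP_TOS or
 * rejects the value.  TOS is only a hint, so callers log and carry on;
 * refusing the connection over it would be the wrong failure mode. */
int set_session_tos(int fd, int interactive)
{
    int tos = tos_for_session(interactive);
#ifdef IP_TOS
    if (setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof tos) < 0) {
        fprintf(stderr, "setsockopt IP_TOS 0x%02x: %s (ignored)\n", tos, strerror(errno));
        return -1;
    }
    return 0;
#else
    (void)fd;
    fprintf(stderr, "IP_TOS not available on this platform; TOS 0x%02x not set\n", tos);
    return -1;
#endif
}

/* Create a throwaway TCP socket and try the marking on it: returns 1 if the
 * platform would not even give us a socket, 0 if marked, -1 if rejected. */
int try_tos_on_new_socket(int interactive)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    int rc;

    if (fd < 0)
        return 1;
    rc = set_session_tos(fd, interactive);
    close(fd);
    return rc;
}

int main(void)
{
    printf("interactive TOS: %s\n", try_tos_on_new_socket(1) == 0 ? "set" : "not set, continuing");
    printf("bulk TOS: %s\n", try_tos_on_new_socket(0) == 0 ? "set" : "not set, continuing");
    return 0;
}
```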
From: djm at mindrot.org (Damien Miller)
Date: Sat, 8 Apr 2000 17:55:11 +1000 (EST)
Subject: Tru64 UNIX plans?
In-Reply-To: <20000407213910.A185501@isc.upenn.edu>
Message-ID:

On Fri, 7 Apr 2000, John P Speno wrote:

> I'd like to propose that the log() function be renamed.
>
> Could that happen?

Unlikely - I don't think that the OpenBSD folks would buy the change and I won't make the change in my tree - it would make merging with their sources a nightmare.

Can you work around it with linking order? Does Tru64 libc have _weak symbols?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sat Apr 8 18:23:50 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 8 Apr 2000 18:23:50 +1000 (EST)
Subject: Question about compiled-in entropy gatherer
In-Reply-To: <20000407155035.B27489@womble.dur.ac.uk>
Message-ID:

On Fri, 7 Apr 2000, Andrew Stribblehill wrote:

> This oddity happened with test2:
>
> debug: Got 0.00 bytes of entropy from /usr/bin/who
> debug: Got 0.05 bytes of entropy from /usr/bin/last
> debug: Got 0.00 bytes of entropy from

Fixed, thanks.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From speno at isc.upenn.edu Sat Apr 8 23:37:51 2000
From: speno at isc.upenn.edu (John P Speno)
Date: Sat, 8 Apr 2000 09:37:51 -0400
Subject: Tru64 UNIX plans?
In-Reply-To:
References: <20000407213910.A185501@isc.upenn.edu>
Message-ID: <20000408093751.C185501@isc.upenn.edu>

> > I'd like to propose that the log() function be renamed.
> >
> > Could that happen?
>
> Unlikely - I don't think that the OpenBSD folks would buy the change
> and I won't make the change in my tree - it would make merging with
> their sources a nightmare.

I kinda figured you said that. I could always try to convince them to change it though. :-)

> Can you work around it with linking order? Does Tru64 libc have _weak
> symbols?

I'll look into this and other solutions.

Thanks.

From mouring at pconline.com Sun Apr 9 09:38:52 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Sat, 8 Apr 2000 18:38:52 -0500 (CDT)
Subject: DG/UX R4.20MU03
In-Reply-To:
Message-ID:

Ermm.. I'll try them out on NeXT.

Damien, what about "ip_tos" which I'm sure will be the next thing he will run into.

On Sat, 8 Apr 2000, Damien Miller wrote:

> On Fri, 7 Apr 2000, David Dulek wrote:
>
> > Has anyone had any experience with ssh and DG/UX? I tried the
> > ./configure and it could not determine the hosttype. After that
> > problem was worked-arounded I get a LOT of warnings about declaring
> > functions multiple times and then the compile fails with:
> >
> > packet.c: In function `packet_set_interactive':
> > packet.c:803: `IPTOS_LOWDELAY' undeclared (first use this function)
> > packet.c:803: (Each undeclared identifier is reported only once
> > packet.c:803: for each function it appears in.)
> > packet.c:815: `IPTOS_THROUGHPUT' undeclared (first use this function)
> >
> > suggestions would be nice but I am figuring I will be here awhile
> > figuring this out.
>
> Just add them manually for now, they are not platform specific:
>
> # define IPTOS_LOWDELAY 0x10
> # define IPTOS_THROUGHPUT 0x08
> # define IPTOS_RELIABILITY 0x04
> # define IPTOS_LOWCOST 0x02
> # define IPTOS_MINCOST IPTOS_LOWCOST
>
> These are being added to defines.h as I type :)
>
> -d
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
>

From mouring at pconline.com Sun Apr 9 10:14:32 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Sat, 8 Apr 2000 19:14:32 -0500 (CDT)
Subject: DG/UX R4.20MU03
In-Reply-To:
Message-ID:

Oh BTW.. =)

root at localhost's password:
setsockopt IPTOS_LOWDELAY: Invalid argument
Last login: Sat Apr 8 17:38:22 2000 from localhost

I knew I tried those numbers before on next.

On Sat, 8 Apr 2000, Damien Miller wrote:

> On Fri, 7 Apr 2000, David Dulek wrote:
>
> > Has anyone had any experience with ssh and DG/UX? I tried the
> > ./configure and it could not determine the hosttype. After that
> > problem was worked-arounded I get a LOT of warnings about declaring
> > functions multiple times and then the compile fails with:
> >
> > packet.c: In function `packet_set_interactive':
> > packet.c:803: `IPTOS_LOWDELAY' undeclared (first use this function)
> > packet.c:803: (Each undeclared identifier is reported only once
> > packet.c:803: for each function it appears in.)
> > packet.c:815: `IPTOS_THROUGHPUT' undeclared (first use this function)
> >
> > suggestions would be nice but I am figuring I will be here awhile
> > figuring this out.
>
> Just add them manually for now, they are not platform specific:
>
> # define IPTOS_LOWDELAY 0x10
> # define IPTOS_THROUGHPUT 0x08
> # define IPTOS_RELIABILITY 0x04
> # define IPTOS_LOWCOST 0x02
> # define IPTOS_MINCOST IPTOS_LOWCOST
>
> These are being added to defines.h as I type :)
>
> -d
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
>

From djm at mindrot.org Sun Apr 9 12:56:09 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 9 Apr 2000 12:56:09 +1000 (EST)
Subject: BOUNCE openssh-unix-dev@mindrot.org: Non-member submission from [Howard Williams ] (fwd)
Message-ID:
From: Howard Williams
Reply-To: howielin at home.com
To: openssh-unix-dev at mindrot.org
Subject: Can't log in via ssh

As far as I can tell, I performed a basic configuration properly, but I get an error I can't understand. Can you help? Here's my session:

SSH Version OpenSSH-1.2.2, protocol version 1.5.
Compiled with SSL.
debug: Reading configuration data /root/.ssh/config
debug: Applying options for *
debug: Reading configuration data /usr/local/openssh/etc/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to 24.9.129.252 [24.9.129.252] port 22.
debug: Allocated local port 923.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version OpenSSH-1.2.2
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host '24.9.129.252' is known and matches the host key.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication with key 'root at cx332216-a'
debug: Received RSA challenge from server.
debug: Sending response to host key RSA challenge.
debug: Remote: RSA authentication accepted.
debug: RSA authentication refused.
debug: Trying RSA authentication with key 'root at cx332216-a'
debug: Server refused our key.
debug: Doing password authentication.
Permission denied, please try again.
Permission denied, please try again.
Permission denied.
debug: Calling cleanup 0x8054f8c(0x0)

Thanks

From djm at mindrot.org Sun Apr 9 12:57:18 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 9 Apr 2000 12:57:18 +1000 (EST)
Subject: Non-member submission from [Chris Barker ] (fwd)
Message-ID:
From: Chris Barker
To: openssh-unix-dev at mindrot.org
Subject: X forwarding (still) broken on Linux

This may be a lack-of-adequate-documentation problem rather than a bug, but I can't get X forwarding to work:

localhost$ set | grep DIS
DISPLAY=localhost.localdomain:11.0
localhost$ set | grep XA
XAUTHORITY=/tmp/ssh-gzg13204/cookies
localhost$ ssh -v localhost
SSH Version OpenSSH-1.2.3, protocol version 1.5.
Compiled with SSL.
[snip]
debug: Requesting X11 forwarding with authentication spoofing.
debug: Requesting authentication agent forwarding.
debug: Requesting shell.
debug: Entering interactive session.
Last login: Sat Apr 8 16:11:00 2000 from localhost
localhost$ xeyes
debug: Received X11 open request.
debug: channel 0: new [X11 connection from localhost port 1502]
debug: X11 connection uses different authentication protocol.
X11 connection rejected because of wrong authentication.
[snip]
debug: channel 0: full closed
X connection to localhost.localdomain:11.0 broken (explicit kill or server shutdown).
localhost$

I'm running a 2.2.13 kernel, XFree86 3.3.5-0, and pam 0.68-10. Examination of X11 packets suggests that my X clients aren't even trying to send a cookie, despite the fact that the XAUTHORITY variable is correctly set. Ssh 2.0.13 used to work just fine...

CB

From djm at mindrot.org Sun Apr 9 12:57:54 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 9 Apr 2000 12:57:54 +1000 (EST)
Subject: Non-member submission from [Keith Baker ] (fwd)
Message-ID:
From: Keith Baker
To: openssh-unix-dev at mindrot.org
Subject: Password Login Failing...

I am attempting to install ssh/sshd on my RH6.1 Intel Box. Everything seems to be working (not quite smooth sailing - I had to resort to precompiled RPM for OpenSSL). I did however get it "working." I generated a host key as root and then changed back to joe-user. I created a key for joe-user. I then ssh'd to my own host. I got a prompt for a password and was very excited... except I typed in my password and got rejected. Any ideas? I am using PAM and I believe my passwords are shadowed...

I would like to better understand the "To disable tunneled clear text password, change to no here" comment... Is this "clear text" passwords which are then encrypted in the tunnel? and what is an SKey?

#syslog
Apr 8 22:03:27 fuzzball sshd[27946]: Failed password for joe-user from 192.168.1.3 port 753
Apr 8 22:03:29 fuzzball sshd[27946]: Connection closed by 192.168.1.3
Apr 8 22:03:29 fuzzball sshd[27946]: Cannot close PAM session: System error
Apr 8 22:03:29 fuzzball sshd[27946]: Cannot delete credentials: Authentication

# This is ssh server systemwide configuration file.

Port 22
ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /usr/local/etc/ssh_host_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes

# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#SkeyAuthentication no

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

CheckMail no
UseLogin no

From ssh at par.dhs.org Sun Apr 9 17:12:31 2000
From: ssh at par.dhs.org (Keith Baker)
Date: Sun, 9 Apr 2000 03:12:31 -0400 (EDT)
Subject: Password Login Failing... (Not sure this went through)
Message-ID:

Apologies if this did make it to the list but I just subscribed and didn't see it come back...

I am attempting to install ssh/sshd on my RH6.1 Intel Box. Everything seems to be working (not quite smooth sailing - I had to resort to precompiled RPM for OpenSSL). I did however get it "working." I generated a host key as root and then changed back to joe-user. I created a key for joe-user. I then ssh'd to my own host. I got a prompt for a password and was very excited... except I typed in my password and got rejected. Any ideas? I am using PAM and I believe my passwords are shadowed...

I would like to better understand the "To disable tunneled clear text password, change to no here" comment... Is this "clear text" passwords which are then encrypted in the tunnel? and what is an SKey?

#syslog
Apr 8 22:03:27 fuzzball sshd[27946]: Failed password for joe-user from 192.168.1.3 port 753
Apr 8 22:03:29 fuzzball sshd[27946]: Connection closed by 192.168.1.3
Apr 8 22:03:29 fuzzball sshd[27946]: Cannot close PAM session: System error
Apr 8 22:03:29 fuzzball sshd[27946]: Cannot delete credentials: Authentication

# This is ssh server systemwide configuration file.

Port 22
ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /usr/local/etc/ssh_host_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes

# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#SkeyAuthentication no

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

CheckMail no
UseLogin no

From jmknoble at pobox.com Sun Apr 9 18:14:01 2000
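An added audit of the sshd_config posted above (example code, not sshd's own option parser): it reads keywords the way sshd does, first active occurrence wins and '#' lines are comments, and flags the settings the file's own "change to no here" comment points at. The sample text is a constructed excerpt of the posted config; function names are this example's own.

```c
/* Added example, not sshd's own parser: read an sshd_config the way sshd
 * does (first occurrence of a keyword wins, '#' lines are comments) and
 * flag settings worth tightening.  sample_config is a constructed excerpt
 * of the config posted in the thread. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

const char sample_config[] =
    "# This is ssh server systemwide configuration file.\n"
    "Port 22\n"
    "PermitRootLogin yes\n"
    "StrictModes yes\n"
    "X11Forwarding no\n"
    "RhostsAuthentication no\n"
    "RSAAuthentication yes\n"
    "# To disable tunneled clear text passwords, change to no here!\n"
    "PasswordAuthentication yes\n"
    "PermitEmptyPasswords no\n"
    "#SkeyAuthentication no\n";

/* Case-insensitive compare of a[0..alen) against the NUL-terminated b. */
static int ci_equal(const char *a, size_t alen, const char *b)
{
    size_t i;
    for (i = 0; i < alen; i++)
        if (b[i] == '\0' || tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return b[alen] == '\0';
}

/* Copy the value of keyword's first active occurrence into out.
 * Returns 1 if found, 0 if absent or present only as a comment. */
int config_get(const char *cfg, const char *keyword, char *out, size_t outsz)
{
    const char *line = cfg;
    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        const char *end = eol != NULL ? eol : line + strlen(line);
        const char *p = line;

        while (p < end && (*p == ' ' || *p == '\t'))
            p++;
        if (p < end && *p != '#') {             /* skip blank and comment lines */
            const char *k = p;
            while (p < end && *p != ' ' && *p != '\t')
                p++;
            if (ci_equal(k, (size_t)(p - k), keyword)) {
                size_t vlen;
                while (p < end && (*p == ' ' || *p == '\t'))
                    p++;
                while (end > p && (end[-1] == ' ' || end[-1] == '\t' || end[-1] == '\r'))
                    end--;
                vlen = (size_t)(end - p);
                if (vlen >= outsz)
                    vlen = outsz - 1;
                memcpy(out, p, vlen);
                out[vlen] = '\0';
                return 1;
            }
        }
        if (eol == NULL)
            break;
        line = eol + 1;
    }
    return 0;
}

/* Is keyword's active value equal (case-insensitive) to value? */
int config_is(const char *cfg, const char *keyword, const char *value)
{
    char val[64];
    return config_get(cfg, keyword, val, sizeof val) && ci_equal(val, strlen(val), value);
}

/* Print each finding and return how many there were. */
int audit_config(const char *cfg)
{
    static const struct { const char *key, *weak, *advice; } checks[] = {
        {"PermitRootLogin",        "yes", "set to no; log in as a user and switch to root on the host"},
        {"PasswordAuthentication", "yes", "set to no once RSA authentication works, as the file's own comment suggests"},
        {"PermitEmptyPasswords",   "yes", "set to no"},
        {"StrictModes",            "no",  "set to yes so sshd rejects world-writable ~/.ssh and key files"},
    };
    int findings = 0;
    size_t i;

    for (i = 0; i < sizeof checks / sizeof checks[0]; i++)
        if (config_is(cfg, checks[i].key, checks[i].weak)) {
            printf("%s %s: %s\n", checks[i].key, checks[i].weak, checks[i].advice);
            findings++;
        }
    return findings;
}

int main(void)
{
    printf("%d finding(s)\n", audit_config(sample_config));
    return 0;
}
```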
From: jmknoble at pobox.com (Jim Knoble)
Date: Sun, 9 Apr 2000 04:14:01 -0400
Subject: Password Login Failing... (Not sure this went through)
In-Reply-To:
References:
Message-ID: <20000409041401.D16710@quipu.earth>

On 2000-Apr-09 at 03:12:31 -0400, Keith Baker wrote:

: I am attempting to install ssh/sshd on my RH6.1 Intel Box. Everything
: seems to be working (not quite smooth sailing - I had to resort to
: precompiled RPM for OpenSSL). I did however get it "working." I
: generated a host key as root and then changed back to joe-user. I created
: a key for joe-user. I then ssh'd to my own host. I got a prompt for a
: password and was very excited... except I typed in my password and got
: rejected. Any ideas? I am using PAM and I believe my passwords are
: shadowed...

Did you build with support for TCP wrappers? (You may have done so inadvertently even if you didn't specify --with-tcp-wrappers.) Try allowing access to sshd via /etc/hosts.allow. For example:

  sshd: ALL: ALLOW

Also, try running sshd in 'debug' mode:

  /path/to/sshd -d -p 4022

and ssh as well:

  ssh -v -p 4022 remote.example.net

Finally, make sure that your ~/.ssh/ directory has mode 0700 (drwx------), since you have StrictModes set in sshd_config.

: I would like to better understand the "To disable tunneled clear text
: password, change to no here" comment... Is this "clear text" passwords
: which are then encrypted in the tunnel?

Exactly.

: and what is an SKey?

http://lheawww.gsfc.nasa.gov/~srr/skey_info.html

--
jim knoble
jmknoble at pobox.com

From ssh at par.dhs.org Mon Apr 10 03:15:29 2000
From: ssh at par.dhs.org (Keith Baker)
Date: Sun, 9 Apr 2000 13:15:29 -0400 (EDT)
Subject: Password Login Failing... still...
In-Reply-To: <20000409041401.D16710@quipu.earth>

If I am not mistaken this does not seem to be a tcp-wrapper problem as
it does connect to the service... it's only in the password verification
that it fails... I did however try your suggestions...

Is there a way to get sshd to spit out all of the decrypted data it
gets? I'd like to see the password after it comes through to see if it's
ssh or PAM that's taking the cake... Do I have to do anything to PAM to
allow ssh to use it for authentication?

[root at fuzzball t3chie]# /usr/local/sbin/sshd -d -p 4022
debug: sshd version OpenSSH-1.2.3
debug: Bind to port 4022 on 0.0.0.0.
Server listening on 0.0.0.0 port 4022.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 192.168.1.3 port 1288
debug: Client protocol version 1.5; client software version OpenSSH-1.2.3
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Starting up PAM with username "t3chie"
debug: Attempting authentication for t3chie.
Failed rsa for t3chie from 192.168.1.3 port 1288
debug: PAM Password authentication for "t3chie" failed: Authentication failure
Failed password for t3chie from 192.168.1.3 port 1288
Connection closed by 192.168.1.3
debug: Calling cleanup 0x804ea50(0x0)
Cannot close PAM session: System error
Cannot delete credentials: Authentication service cannot retrieve user credentials
debug: Calling cleanup 0x8056f8c(0x0)

[t3chie at fuzzball ~]# /usr/local/bin/ssh -v -p 4022 fuzzball
SSH Version OpenSSH-1.2.3, protocol version 1.5.
Compiled with SSL.
debug: Reading configuration data /usr/local/etc/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 500 geteuid 0 anon 0
debug: Connecting to fuzzball.dorm.null [192.168.1.3] port 4022.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version OpenSSH-1.2.3
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'fuzzball.dorm.null' is known and matches the host key.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication with key 't3chie at fuzzball.dorm.null'
debug: Server refused our key.
debug: Doing password authentication.
t3chie at fuzzball.dorm.null's password:
Permission denied, please try again.

From jamest at math.ksu.edu Mon Apr 10 03:25:57 2000
From: jamest at math.ksu.edu (James Thompson)
Date: Sun, 9 Apr 2000 12:25:57 -0500 (CDT)
Subject: Password Login Failing... still...

On Sun, 9 Apr 2000, Keith Baker wrote:

> password after it comes through to see if it's ssh or PAM that's taking the
> cake... Do I have to do anything to PAM to allow ssh to use it for
> authentication?
>

Yes, it's in the docs of openssh somewhere. You've got to copy a file
from the distro to /etc/pam.d/sshd. I'd tell you exactly where to find
it but I deleted the source tree from my machine.

->->->->->->->->->->->->->->->->->->---<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<
James Thompson                                     138 Cardwell Hall
Manhattan, Ks 66506                                785-532-0561
Kansas State University Department of Mathematics
->->->->->->->->->->->->->->->->->->---<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<

From mw at moni.msci.memphis.edu Mon Apr 10 06:13:09 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Sun, 9 Apr 2000 15:13:09 -0500
Subject: Password Login Failing... (Not sure this went through)
In-Reply-To: from ssh@par.dhs.org on Sun, Apr 09, 2000 at 03:12:31AM -0400
Message-ID: <20000409151309.C25957@moni.msci.memphis.edu>

Naturally, the simplest thing would be for you to install the rpms made
by openssh's Linux port maintainer.

Mate

On Sun, Apr 09, 2000 at 03:12:31AM -0400, Keith Baker wrote:
> Apologies if this did make it to the list but I just subscribed and
> didn't see it come back...
> 
> I am attempting to install ssh/sshd on my RH6.1 Intel Box. Everything
> seems to be working (not quite smooth sailing - I had to resort to
> precompiled RPM for OpenSSL). I did however get it "working." I
> generated a host key as root and then changed back to joe-user. I created
> a key for joe-user. I then ssh'd to my own host. I got a prompt for a
> password and was very excited... except I typed in my password and got
> rejected. Any ideas? I am using PAM and I believe my passwords are
> shadowed...
> 
> I would like to better understand the "To disable tunneled clear text
> password, change to no here" comment... Is this "clear text" passwords
> which are then encrypted in the tunnel? and what is an SKey?
> 
> #syslog
> 
> Apr 8 22:03:27 fuzzball sshd[27946]: Failed password for joe-user from 192.168.1.3 port 753
> Apr 8 22:03:29 fuzzball sshd[27946]: Connection closed by 192.168.1.3
> Apr 8 22:03:29 fuzzball sshd[27946]: Cannot close PAM session: System error
> Apr 8 22:03:29 fuzzball sshd[27946]: Cannot delete credentials: Authentication
> 
> # This is ssh server systemwide configuration file.
> 
> Port 22
> ListenAddress 0.0.0.0
> #ListenAddress ::
> HostKey /usr/local/etc/ssh_host_key
> ServerKeyBits 768
> LoginGraceTime 600
> KeyRegenerationInterval 3600
> PermitRootLogin yes
> #
> # Don't read ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> # Uncomment if you don't trust ~/.ssh/known_hosts for
> RhostsRSAAuthentication
> #IgnoreUserKnownHosts yes
> StrictModes yes
> X11Forwarding no
> X11DisplayOffset 10
> PrintMotd yes
> KeepAlive yes
> 
> # Logging
> SyslogFacility AUTH
> LogLevel INFO
> #obsoletes QuietMode and FascistLogging
> 
> RhostsAuthentication no
> #
> # For this to work you will also need host keys in /etc/ssh_known_hosts
> RhostsRSAAuthentication no
> #
> RSAAuthentication yes
> 
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication yes
> PermitEmptyPasswords no
> # Uncomment to disable s/key passwords
> #SkeyAuthentication no
> 
> # To change Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #AFSTokenPassing no
> #KerberosTicketCleanup no
> 
> # Kerberos TGT Passing does only work with the AFS kaserver
> #KerberosTgtPassing yes
> 
> CheckMail no
> UseLogin no
> 

-- 
--- Mate Wierdl | Dept. of Math. Sciences | University of Memphis

From djm at mindrot.org Mon Apr 10 14:30:50 2000
From: djm at mindrot.org (Damien Miller)
Date: Mon, 10 Apr 2000 14:30:50 +1000 (EST)
Subject: Windows NT (cygwin) port

I just noticed a patch against commercial SSH to allow it to compile
with the cygwin tools on Windows NT.

ftp://dome.its.uiowa.edu/pub/domestic/sos/ports/

It would be great if someone could adapt this patch to OpenSSH and
write a brief HOWTO on getting it going. It would probably never get
integrated into the standard tree, but it could be distributed in the
contrib/ directory.

Any takers?

-d

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From ssh at par.dhs.org Mon Apr 10 16:31:12 2000
From: ssh at par.dhs.org (Keith Baker)
Date: Mon, 10 Apr 2000 02:31:12 -0400 (EDT)
Subject: Password Login Failing... (RPMS)
In-Reply-To: <20000409151309.C25957@moni.msci.memphis.edu>

> Naturally, the simplest thing would be for you to install the rpms
> made by openssh's Linux port maintainer.

I like to build packages myself rather than use the rpms. I tend to
learn more (like I learned about PAM config files this time)... My
system now works just fine with a simple message to a mailing list.
I'm not much of a fan of the "just rpm it" attitude because you never
really know what's going on and things just work without
understanding... That's why I switched to linux...

From djm at mindrot.org Mon Apr 10 19:48:22 2000
From: djm at mindrot.org (Damien Miller)
Date: Mon, 10 Apr 2000 19:48:22 +1000 (EST)
Subject: Password Login Failing... (RPMS)

On Mon, 10 Apr 2000, Keith Baker wrote:

> I like to build packages myself rather than use the rpms. I tend
> to learn more (like I learned about PAM config files this time)...
> My system now works just fine with a simple message to a mailing
> list. I'm not much of a fan of the "just rpm it" attitude because
> you never really know what's going on and things just work without
> understanding... That's why I switched to linux...

Then use the source RPMS. You get all the code you need, plus all the
ancillary files as well as a set of instructions (the spec file) which
tell you how to get a working system.

-d

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From a.d.stribblehill at durham.ac.uk Mon Apr 10 23:44:12 2000
From: a.d.stribblehill at durham.ac.uk (Andrew Stribblehill)
Date: Mon, 10 Apr 2000 14:44:12 +0100
Subject: ls -alni /var/mail
Message-ID: <20000410144412.D27489@womble.dur.ac.uk>

Using the trial internal entropy gathering routines Damien so kindly
provided, I noticed stuff happening slowly. I think I've traced this to
the 'ls -alni /var/mail' taking a long time.

Given that this is likely to hurt a few sites similar to mine (large
number of users with an NFS-mounted /var/mail directory) is it sensible
to put a configure option in to disable this part?

I attach a patch to do this. It adds a configure option,
--without-lsmail. I'm not terribly happy with its name and I haven't
patched any of the docs.

Thanks,

Andrew Stribblehill
Systems Programmer, IT Service, University of Durham, England.

-------------- next part -------------- diff --exclude=configure --exclude=config.h.in -c openssh-1.2.3test2/acconfig.h openssh-1.2.3test2+/acconfig.h *** openssh-1.2.3test2/acconfig.h Mon Apr 3 05:50:44 2000 --- openssh-1.2.3test2+/acconfig.h Mon Apr 10 14:09:51 2000 *************** *** 135,140 **** --- 135,143 ---- /* Specify default $PATH */ #undef USER_PATH + /* Define if you want to supress listing of mail dir for entropy gathering */ + #undef DISABLE_LSMAIL + /* Specify location of ssh.pid */ #undef PIDDIR diff --exclude=configure --exclude=config.h.in -c openssh-1.2.3test2/configure.in openssh-1.2.3test2+/configure.in *** openssh-1.2.3test2/configure.in Mon Apr 3 06:57:06 2000 --- openssh-1.2.3test2+/configure.in Mon Apr 10 12:14:29 2000 *************** *** 833,838 **** --- 833,849 ---- ] ) + # Whether to supress listing /var/(spool/)?mail for entropy gathering + AC_ARG_WITH(lsmail, + [ --without-lsmail Supress ls of mail dir ], + [ + if test "x$withval" = "xno" ; then + no_lsmail=1 + AC_DEFINE(DISABLE_LSMAIL) + fi + ] + ) + # Whether to force IPv4 by default (needed on broken glibc Linux) AC_ARG_WITH(ipv4-default, [ --with-ipv4-default Use IPv4 by connections unless '-6' 
specified], Common subdirectories: openssh-1.2.3test2/contrib and openssh-1.2.3test2+/contrib diff --exclude=configure --exclude=config.h.in -c openssh-1.2.3test2/entropy.c openssh-1.2.3test2+/entropy.c *** openssh-1.2.3test2/entropy.c Mon Apr 3 06:07:32 2000 --- openssh-1.2.3test2+/entropy.c Mon Apr 10 12:15:37 2000 *************** *** 140,147 **** --- 140,149 ---- #ifdef PROG_LS { 0.002, PROG_LS, { "ls", "-alni", "/var/log", NULL } }, { 0.002, PROG_LS, { "ls", "-alni", "/var/adm", NULL } }, + #ifndef DISABLE_LSMAIL { 0.002, PROG_LS, { "ls", "-alni", "/var/mail", NULL } }, { 0.002, PROG_LS, { "ls", "-alni", "/var/spool/mail", NULL } }, + #endif { 0.002, PROG_LS, { "ls", "-alni", "/proc", NULL } }, { 0.002, PROG_LS, { "ls", "-alni", "/tmp", NULL } }, #endif From aforster at br.ibm.com Tue Apr 11 02:11:32 2000 
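Review bot: the comment added in the acconfig.h hunk, `/* Define if you want to supress listing of mail dir for entropy gathering */`, misspells "suppress", and the same typo recurs twice in the configure.in hunk (`# Whether to supress listing ...` and the help string `[ --without-lsmail Supress ls of mail dir ]`); since acconfig.h text is copied into config.h.in and the help string is what `./configure --help` prints, both should be corrected before the patch goes in.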
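Review bot: in the configure.in hunk `no_lsmail=1` is assigned but nothing else in the patch reads it, so it is either dead or a forgotten consumer (an end-of-configure summary line, say); drop it or add the use. The condition `if test "x$withval" = "xno" ; then` also means any value other than `--without-lsmail` silently leaves the listing enabled, which is fine for a pure opt-out but worth stating in the help text alongside a less cryptic option name, which the author already flags as unsatisfactory.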
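Review bot: the entropy.c hunk wraps only the /var/mail and /var/spool/mail entries in `#ifndef DISABLE_LSMAIL`, so a build configured with the option loses the 0.002 weight each of those two lines contributed and nothing in the table takes their place; the effect on the estimate should at least be documented (the author notes the docs are still unpatched). A per-command read timeout would address the slow NFS case for any source that stalls, not just the mail directories, and without changing the estimate for everyone else.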
From: aforster at br.ibm.com (Antonio Paulo Salgado Forster)
Date: Mon, 10 Apr 2000 13:11:32 -0300 (BRT)
Subject: problem with password authentication

Hello,

First of all, I have already read the archives ;)

I have installed openssh 1.2.3 on a linux machine (slackware 7.0) and
have that authentication failure problem. Slackware originally doesn't
implement PAM, and with these problems with ssh I tried to install it,
and it works fine, but ssh keeps complaining about passwords...

This is a paste of a debug run of ssh:

debug: sshd version OpenSSH-1.2.3
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 868
debug: Client protocol version 1.5; client software version OpenSSH-1.2.3
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: blowfish
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Starting up PAM with username "aforster"
debug: Attempting authentication for aforster.
Failed rsa for aforster from 127.0.0.1 port 868
debug: PAM Password authentication for "aforster" failed: Authentication failure
Failed password for aforster from 127.0.0.1 port 868
debug: PAM Password authentication for "aforster" failed: Authentication failure
Failed password for aforster from 127.0.0.1 port 868
debug: PAM Password authentication for "aforster" failed: Authentication failure
Failed password for aforster from 127.0.0.1 port 868
Connection closed by 127.0.0.1
debug: Calling cleanup 0x804ea68(0x0)
Cannot close PAM session: System error
Cannot delete credentials: Authentication service cannot retrieve user credentials
debug: Calling cleanup 0x8056ec4(0x0)

I have created ssh entries on pam.conf, but no help. Can someone give me
some help on this?

Thanks!

Forster

From ddulek at fastenal.com Tue Apr 11 08:21:50 2000
From: ddulek at fastenal.com (David Dulek)
Date: Mon, 10 Apr 2000 17:21:50 -0500
Subject: DG/UX R4.20MU03
Message-ID: <00041017244602.08235@penelope>

That did the trick; other than all the --with options, I got it to work.

Thanks.

---------- Forwarded Message ----------

Subject: Re: DG/UX R4.20MU03
Date: Sat, 8 Apr 2000 17:31:55 +1000 (EST)
From: Damien Miller

On Fri, 7 Apr 2000, David Dulek wrote:

> Has anyone had any experience with ssh and DG/UX? I tried the
> ./configure and it could not determine the hosttype. After that
> problem was worked around I get a LOT of warnings about declaring
> functions multiple times and then the compile fails with:
>
> packet.c: In function `packet_set_interactive':
> packet.c:803: `IPTOS_LOWDELAY' undeclared (first use this function)
> packet.c:803: (Each undeclared identifier is reported only once
> packet.c:803: for each function it appears in.)
> packet.c:815: `IPTOS_THROUGHPUT' undeclared (first use this function)
>
> suggestions would be nice but I am figuring I will be here awhile
> figuring this out.

Just add them manually for now, they are not platform specific:

  # define IPTOS_LOWDELAY 0x10
  # define IPTOS_THROUGHPUT 0x08
  # define IPTOS_RELIABILITY 0x04
  # define IPTOS_LOWCOST 0x02
  # define IPTOS_MINCOST IPTOS_LOWCOST

These are being added to defines.h as I type :)

-d

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
-------------------------------------------------------

-- 
Dave Dulek
System Administration
Fastenal Company
E-mail: ddulek at fastenal.com
Phone: (507) 453-8149
Fax: (507) 453-8333

From djm at mindrot.org Tue Apr 11 09:46:28 2000
From: djm at mindrot.org (Damien Miller)
Date: Tue, 11 Apr 2000 09:46:28 +1000 (EST)
Subject: ls -alni /var/mail
In-Reply-To: <20000410144412.D27489@womble.dur.ac.uk>

On Mon, 10 Apr 2000, Andrew Stribblehill wrote:

> Using the trial internal entropy gathering routines Damien so
> kindly provided, I noticed stuff happening slowly. I think I've
> traced this to the 'ls -alni /var/mail' taking a long time.

The entropy code is pretty preliminary. It could do with some
enhancements:

- Loading and saving of random seeds (per user and for server)

- A read timeout to prevent an errant process hanging ssh[d]

- The ability to load which commands to run from a text file

- Makefile support to sub the correct paths into the above text file

Any help would be greatly welcomed as I am pretty busy with Other
Things right now :)

-d

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From smang at cs.jhu.edu Tue Apr 11 10:20:33 2000
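Damien's second bullet above, a read timeout so that an errant command cannot hang ssh or sshd, worked through as an added example. This is not OpenSSH's entropy.c; it is a stand-alone C sketch of running one command from a PROG_LS-style table under a hard deadline, which is what would bound the cost of the slow `ls -alni /var/mail` in Andrew's report. It assumes the table's rate field means estimated entropy bits per output byte (the 0.002 figures in Andrew's quoted table are read that way here), and the two demo commands run through `sh -c` are constructed inputs for illustration.

```c
/* Added example, not OpenSSH's entropy.c: run one entropy-gathering command
 * under a hard read timeout, so a command that stalls (ls over a hung NFS
 * mount, for instance) cannot hang ssh or sshd.  The rate field is assumed
 * to mean estimated entropy bits per output byte, which is how the 0.002
 * figures in the quoted PROG_LS table are read here. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

struct entropy_cmd {
    double rate;            /* estimated entropy bits per output byte (assumption) */
    const char *args[8];    /* argv for execvp, NULL-terminated */
};

struct gather_result {
    size_t bytes;           /* output bytes collected */
    double entropy_bits;    /* bytes * rate */
    int timed_out;          /* 1 if the timeout expired and the command was killed */
};

static double elapsed_since(const struct timeval *start)
{
    struct timeval now;
    gettimeofday(&now, NULL);
    return (double)(now.tv_sec - start->tv_sec) + (double)(now.tv_usec - start->tv_usec) / 1e6;
}

/* Read cmd's stdout into buf for at most timeout_sec seconds.  Returns 0 once
 * the child has been reaped (inspect out->timed_out), -1 if it could not be
 * started.  A real collector would now mix the buffer into the PRNG (OpenSSH
 * uses RAND_add()); this sketch only counts what it got. */
int gather_with_timeout(const struct entropy_cmd *cmd, double timeout_sec,
                        unsigned char *buf, size_t buflen, struct gather_result *out)
{
    int pfd[2], kill_child = 0;
    pid_t pid;
    struct timeval start;

    memset(out, 0, sizeof *out);
    if (pipe(pfd) == -1)
        return -1;
    if ((pid = fork()) == -1) {
        close(pfd[0]); close(pfd[1]);
        return -1;
    }
    if (pid == 0) {                       /* child: stdout -> pipe, stderr -> /dev/null */
        int devnull = open("/dev/null", O_WRONLY);
        close(pfd[0]);
        dup2(pfd[1], STDOUT_FILENO);
        if (devnull != -1) dup2(devnull, STDERR_FILENO);
        close(pfd[1]);
        execvp(cmd->args[0], (char *const *)cmd->args);
        _exit(127);
    }
    close(pfd[1]);
    gettimeofday(&start, NULL);

    while (out->bytes < buflen) {
        double remaining = timeout_sec - elapsed_since(&start);
        struct timeval tv;
        fd_set rfds;
        ssize_t n;
        int r;

        if (remaining <= 0) { out->timed_out = kill_child = 1; break; }
        tv.tv_sec = (time_t)remaining;
        tv.tv_usec = (long)((remaining - (double)tv.tv_sec) * 1e6);
        FD_ZERO(&rfds);
        FD_SET(pfd[0], &rfds);
        r = select(pfd[0] + 1, &rfds, NULL, NULL, &tv);
        if (r == -1 && errno == EINTR) continue;     /* signal: recompute and retry */
        if (r == 0)  { out->timed_out = kill_child = 1; break; }
        if (r == -1) { kill_child = 1; break; }      /* select failed: never wait forever */
        n = read(pfd[0], buf + out->bytes, buflen - out->bytes);
        if (n <= 0) break;                           /* EOF: command finished by itself */
        out->bytes += (size_t)n;
    }
    close(pfd[0]);                        /* a still-writing child now gets SIGPIPE */
    if (kill_child || out->bytes == buflen)
        kill(pid, SIGKILL);               /* a sleeping or over-talkative child must be killed */
    waitpid(pid, NULL, 0);
    out->entropy_bits = (double)out->bytes * cmd->rate;
    return 0;
}

/* Constructed demo inputs: a prompt command and one that outlives the timeout. */
int demo_fast_bytes(void)
{
    struct entropy_cmd cmd = { 0.002, { "sh", "-c", "printf abcdef", NULL } };
    unsigned char buf[4096];
    struct gather_result res;
    if (gather_with_timeout(&cmd, 5.0, buf, sizeof buf, &res) == -1) return -1;
    return res.timed_out ? -2 : (int)res.bytes;      /* 6 */
}

int demo_slow_timed_out(void)
{
    struct entropy_cmd cmd = { 0.002, { "sh", "-c", "sleep 3", NULL } };
    unsigned char buf[64];
    struct gather_result res;
    if (gather_with_timeout(&cmd, 1.0, buf, sizeof buf, &res) == -1) return -1;
    return res.timed_out;                            /* 1 */
}
```

The deadline is recomputed on every pass so a child that trickles output cannot stretch the total beyond timeout_sec, and the child is reaped on every path (EOF, timeout, select failure, full buffer), which is the part that matters for a daemon: an unreaped or unkilled helper is exactly the hang Damien describes.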
From: smang at cs.jhu.edu (Stefan Mangard)
Date: Mon, 10 Apr 2000 20:20:33 -0400 (EDT)
Subject: DNS lookup

Hi,

I have a question concerning the linux code of openssh-1.2.3:

When I started working with openssh I recognised that openssh stores a
hostkey twice if one uses the full hostname and later on only the
machine name (for a local machine). For example, if one calls:

  ssh jhunix

and a later session starts with:

  ssh jhunix.jhu.edu

openssh stores the same key twice in the ssh_known_keys file. Is this
intended? If so, why?

After looking through the code I found this function call in ssh.c:

  /* Find canonic host name. */
  if (strchr(host, '.') == 0) {
          struct addrinfo hints;
          struct addrinfo *ai = NULL;
          int errgai;
          memset(&hints, 0, sizeof(hints));
          hints.ai_family = IPv4or6;
          hints.ai_flags = AI_CANONNAME;
          hints.ai_socktype = SOCK_STREAM;
          errgai = getaddrinfo(host, NULL, &hints, &ai);
          if (errgai == 0) {
                  if (ai->ai_canonname != NULL)
                          host = xstrdup(ai->ai_canonname);
                  freeaddrinfo(ai);
          }
  }

Unfortunately the function getaddrinfo, which is in fake-getaddrinfo.c,
doesn't return the full hostname as it (at least I think so) should.

From domi at saargate.de Tue Apr 11 21:41:43 2000
From: domi at saargate.de (Dominik Brettnacher)
Date: Tue, 11 Apr 2000 13:41:43 +0200 (CEST)
Subject: X forwarding (still) broken on Linux

On Sun, 9 Apr 2000, barker at ling.ucsd.edu wrote:

> This may be a lack-of-adequate-documentation problem rather than a bug,
> but I can't get X forwarding to work:
>
> localhost$ set | grep DIS
> DISPLAY=localhost.localdomain:11.0
> localhost$ set | grep XA
> XAUTHORITY=/tmp/ssh-gzg13204/cookies
> localhost$ ssh -v localhost
> SSH Version OpenSSH-1.2.3, protocol version 1.5.
> Compiled with SSL.
> [snip]
> debug: Requesting X11 forwarding with authentication spoofing.
> debug: Requesting authentication agent forwarding.
> debug: Requesting shell.
> debug: Entering interactive session.
> Last login: Sat Apr 8 16:11:00 2000 from localhost
> localhost$ xeyes
> debug: Received X11 open request.
> debug: channel 0: new [X11 connection from localhost port 1502]
> debug: X11 connection uses different authentication protocol.
> X11 connection rejected because of wrong authentication.
> [snip]
> debug: channel 0: full closed
> X connection to localhost.localdomain:11.0 broken (explicit kill or
> server shutdown).
> localhost$
>
> I'm running a 2.2.13 kernel, XFree86 3.3.5-0, and pam 0.68-10.
> Examination of X11 packets suggests that my X clients aren't even
> trying to send a cookie, despite the fact that the XAUTHORITY
> variable is correctly set. Ssh 2.0.13 used to work just fine...

I am having the same problem on FreeBSD. I haven't got any clue,
unfortunately.

-- 
Dominik - http://www.brettnacher.org/users/dominik/

From borrmann at ibm1.ruf.uni-freiburg.de Tue Apr 11 23:43:29 2000
From: borrmann at ibm1.ruf.uni-freiburg.de (H.G.Borrmann)
Date: Tue, 11 Apr 2000 15:43:29 +0200
Subject: LDFLAGS of the Makefile
Message-ID: <200004111343.PAA22930@ibm1.ruf.uni-freiburg.de>

I have compiled and installed OpenSSH 1.2.3 under AIX 4.3.3. The call
to configure was:

  CFLAGS="-I/client/include -L/usr/ruf/lib" \
  ./configure --with-egd-pool=/dev/urandom \
      --with-afs=/usr/afsws \
      --with-kerberos4=/client \
      --with-tcp-wrappers \
      --with-pid-dir=/etc \
      --sysconfdir=/etc \
      --with-ipv4-default \
      --prefix=/sw/rs_aix433/openssh-1.2.3

The resultant makefile has the line:

  LDFLAGS=-L. -L/usr/local/lib -L/client/lib

As a consequence a dot (the current directory) appears in the PATH of
the Loader Section of ssh in the first place! That means that a local
user may replace the shared libraries libc.a, libnsl.a and libz.a by
his own versions and manipulate the system as root, because ssh is
installed suid root.

H.G.Borrmann

._________________________________________________________________________.
|H.G.Borrmann                           |Tel.: (0761) 203-4652            |
|Rechenzentrum der Universitaet Freiburg|Fax: (0761) 203-4643             |
|Hermann-Herder-Str. 10                 |email:                           |
|D79104 FREIBURG                        |borrmann at ruf.uni-freiburg.de   |
|_________________________________________________________________________|

From barker at ling.ucsd.edu Wed Apr 12 01:27:24 2000
From: barker at ling.ucsd.edu (Chris Barker)
Date: Tue, 11 Apr 2000 08:27:24 -0700
Subject: X forwarding (still) broken on Linux
Message-ID: <20000411082724.A1409@ling.ucsd.edu>

On Tue, Apr 11, 2000 at 01:41:43PM +0200, Dominik Brettnacher wrote:
> I am having the same problem on FreeBSD. I haven't got any clue,
> unfortunately.

After dissecting lots of packets, I have a workaround: the fake cookie
must be for the /unix connection type. To try the workaround, use the
following line as the relevant .ssh/rc file:

  if read proto cookie; then echo add $DISPLAY $proto $cookie | perl -n -e 's!:!/unix:!;' -e 'print;' | /usr/X11R6/bin/xauth -q -; fi

This simply adds the string "/unix" at the appropriate point before the
fake X11 cookie file is loaded with the fake cookie. The cookie file
that results from this rc file contains information like:

  localhost.localdomain/unix:12 MIT-MAGIC-COOKIE-1 41c7fd607a4333e093129faa992aba1c

I'm sure it would be easy to modify the code to add a second cookie
with /unix specified.

Hope this helps.

CB

From markus.friedl at informatik.uni-erlangen.de Wed Apr 12 01:11:43 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 11 Apr 2000 17:11:43 +0200
Subject: X forwarding (still) broken on Linux
In-Reply-To: from domi@saargate.de on Tue, Apr 11, 2000 at 01:41:43PM +0200
Message-ID: <20000411171143.A8470@folly.informatik.uni-erlangen.de>

On Tue, Apr 11, 2000 at 01:41:43PM +0200, Dominik Brettnacher wrote:
> I am having the same problem on FreeBSD. I haven't got any clue,
> unfortunately.

see attachment.

-------------- next part --------------
An embedded message was scrubbed...
From: Markus Friedl
Subject: Re: Is it securely: `hostname`:10 ?
Date: Thu, 2 Mar 2000 12:42:19 +0100
Size: 5992
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000411/5d0d5d42/attachment.mht

From stevem at Digital-Integrity.com Wed Apr 12 02:24:17 2000
From: stevem at Digital-Integrity.com (Steve Mertz)
Date: Tue, 11 Apr 2000 09:24:17 -0700 (PDT)
Subject: scp: command not found.

Hey.

I found references to my problem 'scp: command not found' in the
archives. But I could not find a solution to this problem. Could
someone please help me out here?

Info: OpenSSH 1.2.3, RedHat 6.1

Thanks!
-- Steve

From mw at moni.msci.memphis.edu Wed Apr 12 03:48:51 2000
From: mw at moni.msci.memphis.edu (Mate Wierdl)
Date: Tue, 11 Apr 2000 12:48:51 -0500
Subject: scp: command not found.
In-Reply-To: from stevem@Digital-Integrity.com on Tue, Apr 11, 2000 at 09:24:17AM -0700
Message-ID: <20000411124851.A9056@moni.msci.memphis.edu>

Where is scp on the remote machine? It has to be in sshd's path. So set

  --with-default-path

to configure appropriately.

For some reason, openssh does not include exec prefix in the default
path.

Mate

On Tue, Apr 11, 2000 at 09:24:17AM -0700, Steve Mertz wrote:
> 
> Hey.
> 
> I found references to my problem 'scp: command not found' in the archives.
> But I could not find a solution to this problem. Could someone please
> help me out here?
> 
> Info: OpenSSH 1.2.3, RedHat 6.1
> 
> Thanks!
> -- Steve
> 

-- 
--- Mate Wierdl | Dept. of Math. Sciences | University of Memphis

From djm at mindrot.org Wed Apr 12 09:23:45 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 12 Apr 2000 09:23:45 +1000 (EST)
Subject: LDFLAGS of the Makefile
In-Reply-To: <200004111343.PAA22930@ibm1.ruf.uni-freiburg.de>

On Tue, 11 Apr 2000, H.G.Borrmann wrote:

> The resultant makefile has the line:
>
> LDFLAGS=-L. -L/usr/local/lib -L/client/lib
>
> As a consequence a dot (the current directory) appears in the PATH of the
> Loader Section of ssh in the first place! That means that a local user may
> replace the shared libraries libc.a, libnsl.a and libz.a by his own
> versions and manipulate the system as root, because ssh is installed suid root.

Openssh 1.2.3 has some configure trickery to prevent this particular
braindamage. It should set the -blibpath option to the linker
specifying an explicit library search path.

I would be interested to see why this isn't happening.

-d

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed Apr 12 09:25:35 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 12 Apr 2000 09:25:35 +1000 (EST)
Subject: scp: command not found.

On Tue, 11 Apr 2000, Steve Mertz wrote:

> 
> Hey.
> 
> I found references to my problem 'scp: command not found' in the archives.
> But I could not find a solution to this problem. Could someone please
> help me out here?
> 
> Info: OpenSSH 1.2.3, RedHat 6.1

Have you read the UPGRADING file? It contains some pretty explicit
instructions.

-d

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From ramalho at panther2.amd.com Wed Apr 12 12:47:11 2000
From: ramalho at panther2.amd.com (Glenn S. Ramalho)
Date: Tue, 11 Apr 2000 19:47:11 -0700
Subject: scp: command not found.
In-Reply-To: Your message of "Tue, 11 Apr 2000 09:24:17 PDT."
Message-ID: <200004120247.TAA04294@vulture1.amd.com>

In message , Steve Mertz writes:
>
>Hey.
>
>I found references to my problem 'scp: command not found' in the archives.
>But I could not find a solution to this problem. Could someone please
>help me out here?

I could be wrong, but I think I got that exact error too. What happens
is when you run scp, the scp command runs an ssh connection to the
other system and then runs scp over there. Let's say you type:

  scp landreth:lei .

scp will connect to landreth and run an scp to grab the file lei. That
file is then sent back to your host and stored locally by SSH. The
problem with this is when scp connects it needs to be able to find scp.
If you run:

  remsh landreth ls
  rsh landreth ls
  ssh landreth ls

These commands do not load your .login. CSH and TCSH will run your
.cshrc/.tcshrc/whatever. That is it. Your path will then become
whatever the default on the system is. If scp is not on that default
and you are a KSH user or do not set your path in your .cshrc/.tcshrc
then you will not find scp.

  % remsh dingdong echo \$PATH
  /usr/bin:/usr/ccs/bin:/usr/bin/X11:/usr/contrib/bin:/usr/local/bin:
  %

You should get your path on the other machine. I recommend you change
your default path on the system to include the scp directory (like
/usr/local/bin or /usr/local/ssh/bin or whatever it is).

Another solution is to add something like this. I use this .tcshrc on
the systems I have tcsh. Not everyone allows me to use KSH. :) I
noticed this seemed to work for me on HP/UX. It might be different on
other systems.

I hate setups in CSH/TCSH in which people put everything under the sun
in the .cshrc/.tcshrc. This makes every new window dog slow. Plus if
your path is set in it by appending stuff to the default path, you soon
explode the PATH size by reappending the same stuff. This one is quick
and fixes the problem. This is how it works:

- If the $DT variable is set, we are in CDE logging in on console. Do
  nothing. CDE does not care about any of the things in the
  .cshrc/.tcshrc as it influences CDE. Just aliases and TCSH parameters.

- If it is not set, check the $prompt variable. If it is set, this is
  an interactive shell window like an xterm or a rlogin. Do not reset
  the PATH or anything else as that stuff is loaded in the system wide
  startup files that we are supposed to load. That file was already
  loaded. ssh without a command will run this too.

- If the $prompt is not set, this could be a non interactive ssh/scp
  command or a shell script:

  - If $term is set, this command was run from an xterm/dtterm.
    Definitely an interactive session. This means that the path was
    already set.

  - If you use ssh host command or scp, $term is not set. Set any thing
    you might need like the path to scp.

  - The third case is a little tricky. What if you type:

      ssh host tcshelscript

    Your .tcshrc is loaded twice. Once by ssh starting the shell and
    once by the tcsh script. To keep this double reading from happening
    I set an environment variable flag __REMSH_check to 1. The first
    time will load the startup file and set the flag. The tcshell script
    will then never reload the information as __REMSH_check is set.

an xterm, $term will be set but $prompt will not be set.

  # $Header: tcshrc,v 1.3 98/12/15 17:33:29 ramalho Exp $
  # Note: TCSH only sources the .cshrc if there is no .tcshrc. It is then
  # wiser to name its startup file .tcshrc to not confuse CSH scripts.
  if ( ! ${?DT} ) then
      umask 022
      if ( $?prompt ) then
          # shell is interactive.
          set prompt = "%m %h: "
          source $HOME/.aliases
          bindkey -v
      else
          # Either a shell script or remsh
          if ( ! $?term && ! ${?__REMSH_check} ) then
              setenv __REMSH_check 1
              source /usr/local/public/startup/csh.cshrc
              # Definitely remsh
              set path=( /user/ramalho/bin $path )
          endif
      endif
  endif

From ramalho at panther2.amd.com Wed Apr 12 12:54:40 2000
From: ramalho at panther2.amd.com (Glenn S. Ramalho)
Date: Tue, 11 Apr 2000 19:54:40 -0700
Subject: scp: command not found.
In-Reply-To: Your message of "Tue, 11 Apr 2000 12:48:51 PDT." <20000411124851.A9056@moni.msci.memphis.edu>
Message-ID: <200004120254.TAA04319@vulture1.amd.com>

In message <20000411124851.A9056 at moni.msci.memphis.edu>, Mate Wierdl writes:
>Where is scp on the remote machine? It has to be in sshd's path.
>So set
>
>--with-default-path to configure appropriately.
>
>For some reason, openssh does not include exec prefix in the default
>path.

It is a problem if SSH changes location from one machine to another. It
is not always easy to get everyone to put the tool in the same place.
Mainly between different companies. Some put it in /usr/local/bin,
others put it in /usr/local/opt/openssh/bin, some go for
/opt/openssh/bin, others prefer /usr/local/ssh. I have also seen
/usr/local/lib/openssh and /usr/local/gnu/bin to kinda gather all the
free tools in one place. Just too many possibilities. Your best bet, in
my suggestion, is to rely on the paths or use the command line option
to tell scp where ssh is on machines where that is not possible.

From andre.lucas at dial.pipex.com Wed Apr 12 20:27:02 2000
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Wed, 12 Apr 2000 11:27:02 +0100
Subject: ls -alni /var/mail
Message-ID: <38F44F76.A4740A55@dial.pipex.com>

I don't mind helping out here, I suspect I have some code from earlier
prng efforts that may be of use. Anyone else?

Have I read the seedfiles thing correctly? There is one seedfile for
sshd, and one each per user in the ~/.ssh directory.

I think that raises a few questions, IIRC similar to those from the
prng discussion before:

- How should the sshd seedfile be protected?

- Should we consider the fact that we have multiple programs, oblivious
  to each other, pulling entropy from the same sources?

I'm sure there are some other considerations too.

-Andre

Damien Miller wrote:
> 
> On Mon, 10 Apr 2000, Andrew Stribblehill wrote:
> 
> > Using the trial internal entropy gathering routines Damien so
> > kindly provided, I noticed stuff happening slowly. I think I've
> > traced this to the 'ls -alni /var/mail' taking a long time.
> 
> The entropy code is pretty preliminary. It could do with some
> enhancements:
> 
> - Loading and saving of random seeds (per user and for server)
> 
> - A read timeout to prevent an errant process hanging ssh[d]
> 
> - The ability to load which commands to run from a text file
> 
> - Makefile support to sub the correct paths into the above text file
> 
> Any help would be greatly welcomed as I am pretty busy with Other
> Things right now :)
> 
> -d
> 
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed Apr 12 23:43:04 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 12 Apr 2000 23:43:04 +1000 (EST)
Subject: ls -alni /var/mail
In-Reply-To: <38F44F76.A4740A55@dial.pipex.com>

On Wed, 12 Apr 2000, Andre Lucas wrote:

> I don't mind helping out here, I suspect I have some code from
> earlier prng efforts that may be of use. Anyone else?

Thanks again.

> Have I read the seedfiles thing correctly? There is one seedfile for
> sshd, and one each per user in the ~/.ssh directory.

Correct.

> I think that raises a few questions, IIRC similar to those from the
> prng discussion before:
>
> - How should the sshd seedfile be protected?

1. mode 0600 and some checks to ensure that it is owned by the correct user, etc.

2. RAND_add() it with a zero entropy estimate.

The main purpose of the seed file is to offset the problem posed in your next question.

> - Should we consider the fact that we have multiple programs,
> oblivious to each other, pulling entropy from the same sources?

I agree that this is a problem. Part of the solution is ensuring that there is a maximally wide variety of entropy sources and part of it is the random seed mentioned above.

In the absence of kernel hooks to get timings, etc from hardware events, the best we can do is rely on secondary sources. I don't see this as much of a step back - EGD does much the same thing.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From borrmann at ibm1.ruf.uni-freiburg.de Thu Apr 13 00:16:20 2000
From: borrmann at ibm1.ruf.uni-freiburg.de (H.G.Borrmann)
Date: Wed, 12 Apr 2000 16:16:20 +0200
Subject: LDFLAGS of the Makefile
Message-ID: <200004121416.QAA22848@ibm1.ruf.uni-freiburg.de>

Hello,

> Openssh 1.2.3 has some configure trickery to prevent this particular
> braindamage. It should set the -blibpath option to the linker
> specifying an explicit library search path.
>
> I would be interested to see why this isn't happening.

I attach the output from make. Perhaps this helps a little bit farther.

H.G.Borrmann

H.G.Borrmann                              Tel.: (0761) 203-4652
Rechenzentrum der Universitaet Freiburg   Fax: (0761) 203-4643
Hermann-Herder-Str. 10                    email: borrmann at ruf.uni-freiburg.de
D79104 FREIBURG

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/octet-stream
Size: 24267 bytes
Desc: log
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000412/b1cd23bb/attachment.obj

From djm at mindrot.org Thu Apr 13 00:26:00 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 13 Apr 2000 00:26:00 +1000 (EST)
Subject: LDFLAGS of the Makefile
In-Reply-To: <200004121416.QAA22848@ibm1.ruf.uni-freiburg.de>

On Wed, 12 Apr 2000, H.G.Borrmann wrote:

> Hello,
>
> > Openssh 1.2.3 has some configure trickery to prevent this particular
> > braindamage. It should set the -blibpath option to the linker
> > specifying an explicit library search path.
> >
> > I would be interested to see why this isn't happening.
>
> I attach the output from make. Perhaps this helps a little bit
> farther.

You are using gcc as your linker. What other linkers are available on your system? xld?

Can you verify if executables linked with gcc exhibit the runtime linking bug?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From phil at hands.com Thu Apr 13 03:36:28 2000
From: phil at hands.com (Philip Hands)
Date: 12 Apr 2000 18:36:28 +0100
Subject: [Yutaka OIWA ] Bug#61197: ssh: [Compatibility Bug] Option ClearAllForwardings does not exist
Message-ID: <87hfd7p6g3.fsf@sheikh.hands.com>

Here are a few differences between OpenSSH & ssh-nonfree as reported by one of our (Debian GNU/Linux) users to our bug tracking system (BTS).

If you reply to this, please include the Cc: 61197-forwarded at bugs.debian.org so that your mail gets logged by the BTS.

Cheers, Phil.

-------------- next part --------------
An embedded message was scrubbed...
From: Yutaka OIWA
Subject: Bug#61197: ssh: [Compatibility Bug] Option ClearAllForwardings does not exist
Date: Tue, 28 Mar 2000 02:27:27 +0900
Size: 2413
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000412/e383390c/attachment.mht
-------------- next part --------------

From nebulous at owlnet.rice.edu Thu Apr 13 08:52:21 2000
From: nebulous at owlnet.rice.edu (Sean Aaron Lisse)
Date: Wed, 12 Apr 2000 17:52:21 -0500 (CDT)
Subject: Question on port forwarding

Hey folks...

I'm still working on that automount/nfs/ssh combination. When you use "-L port:host:hostport" to forward a port on the localhost to a port on a remote host,

A) What is the origin that the remote system sees for the packets? Is it "port" on localhost, or the source of the messages sent to "port"?

B) How connected is this? Can you send a UDP message to "port" and have it work correctly as if you'd sent it to "host:hostport"? What about creating a TCP connection?

Thanks,
Sean Lisse

From listz at reticent.org Fri Apr 14 05:06:05 2000
From: listz at reticent.org (listz at reticent.org)
Date: Thu, 13 Apr 2000 14:06:05 -0500 (CDT)
Subject: compile error

On a freshly installed OpenBSD 2.6 sparc system, I tried to compile openssh1.2.2 _and_ openssh1.2.3. I receive the following error on compile for both versions. The output here is from v1.2.2:

cc -o ssh ssh.o sshconnect.o log-client.o readconf.o clientloop.o -lkrb -lkafs -L/usr/src/ssh/ssh/../lib -lssh -lutil -lz -lcrypto
sshconnect.o: Undefined symbol `_rresvport_af' referenced from text segment
collect2: ld returned 1 exit status
*** Error code 1

Stop in /usr/src/ssh/ssh.
*** Error code 1

Stop in /usr/src/ssh.

I've perused the archives and was unable to find this error discussed elsewhere. Any ideas?

Thanks.

=====[]=====

From phil at hands.com Fri Apr 14 11:16:58 2000
From: phil at hands.com (Philip Hands)
Date: 14 Apr 2000 02:16:58 +0100
Subject: 1.2.3-1 package for Debian GNU/Linux released
Message-ID: <874s95fpmd.fsf@sheikh.hands.com>

Hi,

I just got round to releasing the 1.2.3 Debian package (which should hopefully make it into the freeze for Debian 2.2, aka potato)

It should hit the Debian non-US mirrors soon, but if you cannot wait, it's also here:

http://www.hands.com/~phil/debian/openssh/

[ Damien, you might want to check out the patch, it's got a few things that should probably go upstream. I'll annotate it if you need me to, so just ask. ]

Cheers, Phil.

From djm at mindrot.org Fri Apr 14 18:22:47 2000
From: djm at mindrot.org (Damien Miller)
Date: Fri, 14 Apr 2000 18:22:47 +1000 (EST)
Subject: Non-member submission from [Randy Dunlap ] (fwd)
From: Randy Dunlap
To: openssh-unix-dev at mindrot.org
Subject: using proxy & firewall

Hi,
(Please cc me on replies. I'm not subscribed.)

I'm new to using ssh and I'm having some beginner problems -- I hope.

I'm having some trouble using openssh thru a firewall to sourceforge.net. I'm using Linux (was RedHat 2.2.x, but now is 2.3.99). openssh is version 1.2.3.

~rdunlap/.ssh/config contains:
+++++++++++++++++++++++++++++++++
Host *.sourceforge.net
Compression no
ProxyCommand ssh proxy.fm.intel.com
User rdunlap
# end.
+++++++++++++++++++++++++++++++

/etc/ssh/ssh_config contains defaults:
++++++++++++++++++++++++++++++
Host *
ForwardAgent no
ForwardX11 no
FallBackToRsh no
CheckHostIP yes
StrictHostKeyChecking no
++++++++++++++++++++++++++++++++

The networking people told me that I need to get to proxy.fm.intel.com port 1080. Is that what ProxyCommand is doing? Am I using this correctly, incorrectly, anywhere close to correct? I don't quite understand what parameter(s) (string) to use on "ProxyCommand".

I run: ssh -v linux-usb.sourceforge.net
and get this:

[rdunlap at dragon rdunlap]$ ssh -v linux-usb.sourceforge.net
SSH Version OpenSSH-1.2.3, protocol version 1.5.
Compiled with SSL.
debug: Reading configuration data /home/rdunlap/.ssh/config
debug: Applying options for *.sourceforge.net
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 500 geteuid 0 anon 0
debug: Executing proxy command: ssh proxy.fm.intel.com
Pseudo-terminal will not be allocated because stdin is not a terminal.
Warning: Permanently added 'proxy.fm.intel.com,132.233.247.4' to the list of known hosts.
rdunlap at proxy.fm.intel.com's password:

Do I need a userid/password on the proxy (server) system? It asks me for the password for user rdunlap. After 3 bad passwords, it exits (which is OK).
The next time that I run the same command, I get this:

[rdunlap at dragon rdunlap]$ ssh -v linux-usb.sourceforge.net
SSH Version OpenSSH-1.2.3, protocol version 1.5.
Compiled with SSL.
debug: Reading configuration data /home/rdunlap/.ssh/config
debug: Applying options for *.sourceforge.net
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 500 geteuid 0 anon 0
debug: Executing proxy command: ssh proxy.fm.intel.com
Pseudo-terminal will not be allocated because stdin is not a terminal.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the host key has just been changed.
Please contact your system administrator.
Add correct host key in /home/rdunlap/.ssh/known_hosts to get rid of this message.
Password authentication is disabled to avoid trojan horses.
Permission denied.
ssh_exchange_identification: Connection closed by remote host
debug: Calling cleanup 0x805545c(0x0)
[rdunlap at dragon rdunlap]$

Do I have to wait N minutes before I try to login to the proxy server again? (I know, this isn't an ssh problem.)

I'd sure appreciate some help or guidance or a howto get started.

Thanks,
~Randy

--
Randy Dunlap                  Intel Corp., DAL Sr. SW Engr.
randy.dunlap.at.intel.com     503-696-2055
NOTE: Any views presented here are mine alone and may not represent the views of my employer.

From djm at mindrot.org Fri Apr 14 23:51:48 2000
From: djm at mindrot.org (Damien Miller)
Date: Fri, 14 Apr 2000 23:51:48 +1000 (EST)
Subject: 1.2.3-1 package for Debian GNU/Linux released
In-Reply-To: <874s95fpmd.fsf@sheikh.hands.com>

On 14 Apr 2000, Philip Hands wrote:

> Hi,
>
> I just got round to releasing the 1.2.3 Debian package (which should
> hopefully make it into the freeze for Debian 2.2, aka potato)
>
> It should hit the Debian non-US mirrors soon, but if you cannot wait,
> it's also here:
>
> http://www.hands.com/~phil/debian/openssh/
>
> [ Damien, you might want to check out the patch, it's got a few things
> that should probably go upstream. I'll annotate it if you need me
> to, so just ask. ]

Got it - a couple of questions / comments:

1. I evidently don't speak Makefile jive as well as some - what does the following change do?

-all: $(TARGETS) $(MANPAGES) $(CONFIGFILES)
+all: $(TARGETS) $(MANPAGES:%=%.out) $(CONFIGFILES:%=%.out)

2. Why the vhangup() in pty.c? What does this fix?

3. Why the excision of the BUF code in scp.c?

4. I would prefer the shadow password checking to occur during password auth - I consider the other forms of auth to be totally separate, but I can see your reasoning.

If you move this code to a separate function in auth-passwd.c which could be called before or during password auth I will include it.

Thanks,
Damien

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From rjune at ims1.imagestream-is.com Sat Apr 15 03:07:02 2000
From: rjune at ims1.imagestream-is.com (Richard June)
Date: Fri, 14 Apr 2000 12:07:02 -0500 (EST)
Subject: More Slack7 heartbreak.

All line numbers are approximate, but most likely w/in 10 lines of the OpenSSH 1.2.3 tarball. I unpacked the tarball, and did a ./configure;make;make install and now I've had some problems. :-)

OK, I've tracked down lots of goofy stuff w/ slack7 and OpenSSH. I've got a couple of questions.

What is /dev/tty and why does ssh try to open it to read the password instead of stdin? (This causes ssh to die w/ "You have no controlling tty. Cannot read passphrase.\n", line 69 of readpass.c. I've made it work by calling

password = read_passphrase(prompt, 1);

instead of

password = read_passphrase(prompt, 0);

in sshconnect.c line 940.)

Second, in sshd.c in the do_exec_no_pty function, line 2017 or so:

if (dup2(inout[0], 1) < 0) /* stdout. Note: same socket as stdin. */
	perror("dup2 stdout");

This seems to cause the forked process to segfault; as a result scp doesn't work, nor does using ssh to send a command. What would the fix be for this?

PS to damien: OpenSSH itself builds fine on the alpha, but I'm having to argue w/ gnome-askpass a little bit, I think it's just that I have to install some newer libraries. (rh 6.0 is old)

From speno at isc.upenn.edu Sat Apr 15 04:06:59 2000
From: speno at isc.upenn.edu (John P Speno)
Date: Fri, 14 Apr 2000 14:06:59 -0400
Subject: scp: write stdout: Broken pipe error (Tru64 UNIX)
In-Reply-To: <20000327114108.A124292@isc.upenn.edu>
References: <20000327114108.A124292@isc.upenn.edu>
Message-ID: <20000414140659.A929@isc.upenn.edu>

On Mon, Mar 27, 2000 at 11:41:08AM -0500, John P Speno wrote:
> I'm working on adding SIA authentication support to OpenSSH for use on
> Tru64 UNIX. The authentication bits are working but there's more work to be
> done including checking for locked accounts and setting resource limits.
>
> Anyway, most things seem to be working fine except for scp and I'm looking
> for a little help. Here's some output:

Just wanted to follow up on this issue because it's gone away. I've no idea what was happening, so I'll blame user headspace error (my own).

Take care.

From jmknoble at pobox.com Sat Apr 15 05:31:38 2000
From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 14 Apr 2000 15:31:38 -0400
Subject: More Slack7 heartbreak.
In-Reply-To: ; from Richard June on Fri, Apr 14, 2000 at 12:07:02PM -0500
Message-ID: <20000414153138.A8638@ntrnet.net>

Circa 2000-Apr-14 12:07:02 -0500, Richard June wrote:

: PS to damien: OpenSSH itself builds fine on the alpha, but I'm having to
: argue w/ gnome-askpass a little bit, I think it's just that I have to
: install some newer libraries.(rh 6.0 is old)

Have you tried x11-ssh-askpass? It just uses the regular X11 libraries. I'd be interested to know what happens to it on 64-bit platforms.

http://www.jmknoble.cx/software/x11-ssh-askpass/

--
jim knoble
jmknoble at pobox.com

From rjune at ims1.imagestream-is.com Sat Apr 15 05:39:43 2000
From: rjune at ims1.imagestream-is.com (Richard June) Date: Fri, 14 Apr 2000 14:39:43 -0500 (EST) Subject: No subject Message-ID: : PS to damien: OpenSSH itselfs builds fine on the alpha, but I'm having to : argue w/ gnome-askpass a little bit, I think it's just that I have to : install some newer libraries.(rh 6.0 is old) Have you tried x11-ssh-askpass? It just uses the regular X11 libraries. I'd be interested to know what happens to it on 64-bit platforms. I've never used askpass, I'm currently just doing an rpm -ba openssh.spec.rh and letting it go. I'll have RPMs today. then if you want I'll set you up an account to play with/fix x11-ssh-askpass or you can wait until I figure it out. From vsync at quadium.net Sat Apr 15 10:40:14 2000 From: vsync at quadium.net (vsync) Date: 14 Apr 2000 18:40:14 -0600 Subject: patch in user validation code In-Reply-To: vsync's message of "13 Apr 2000 00:25:33 -0600" Message-ID: <871z486vtd.fsf@quadium.net> I was encountering a strange message about "faked authloop for illegal user". It turned out the allowed_user function was disallowing passwd entries with a blank shell field, which is supposed to be equivalent to "/bin/sh". This patch is based on OpenSSH 1.2.3, and I have tested it on Slackware 7.0. --- sshd.old Wed Apr 12 23:47:04 2000 +++ sshd.c Thu Apr 13 00:35:54 2000 @@ -1121,6 +1121,7 @@ struct stat st; struct group *grp; int i; + char *shell; #ifdef WITH_AIXAUTHENTICATE char *loginmsg; #endif /* WITH_AIXAUTHENTICATE */ @@ -1130,7 +1131,12 @@ return 0; /* deny if shell does not exists or is not executable */ - if (stat(pw->pw_shell, &st) != 0) + /* first make sure that "" == "/bin/sh", as specified in passwd(5) */ + if (!pw->pw_shell || !strlen(pw->pw_shell)) + shell = _PATH_BSHELL; + else + shell = pw->pw_shell; + if (stat(shell, &st) != 0) return 0; if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) return 0; -- vsync http://quadium.net/ Orjner. From phil at hands.com Sat Apr 15 11:24:13 2000 
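Review bot: in the first hunk (@@ -1121,6 +1121,7 @@) the new `char *shell;` only ever points at `pw->pw_shell` or the string literal `_PATH_BSHELL` and is never written through, so declare it `const char *shell;`; that stops the compiler from silently accepting the literal in a mutable pointer and documents that the variable is read-only.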
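Review bot: in the second hunk (@@ -1130,7 +1131,12 @@) the `_PATH_BSHELL` default is applied only to the `stat(shell, &st)` check; whatever later spawns the user's shell must apply the same default, otherwise an empty `pw_shell` passes this check but still fails at exec time. `_PATH_BSHELL` also comes from <paths.h>, which this tree's configure.in lists among the optional headers, so a fallback `#ifndef _PATH_BSHELL` / `#define _PATH_BSHELL "/bin/sh"` is needed for systems without it. The test `!pw->pw_shell || !strlen(pw->pw_shell)` reads more directly as `pw->pw_shell == NULL || pw->pw_shell[0] == '\0'`.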
From: phil at hands.com (Philip Hands)
Date: 15 Apr 2000 02:24:13 +0100
Subject: 1.2.3-1 package for Debian GNU/Linux released
In-Reply-To: (Damien Miller's message of "Fri, 14 Apr 2000 23:51:48 +1000 (EST)")
References: <874s95fpmd.fsf@sheikh.hands.com>
Message-ID: <87d7ns5f7m.fsf@sheikh.hands.com>

Damien Miller writes:

> On 14 Apr 2000, Philip Hands wrote:
>
> > Hi,
> >
> > I just got round to releasing the 1.2.3 Debian package (which should
> > hopefully make it into the freeze for Debian 2.2, aka potato)
> >
> > It should hit the Debian non-US mirrors soon, but if you cannot wait,
> > it's also here:
> >
> > http://www.hands.com/~phil/debian/openssh/
> >
> > [ Damien, you might want to check out the patch, it's got a few things
> > that should probably go upstream. I'll annotate it if you need me
> > to, so just ask. ]
>
> Got it - a couple of questions / comments:
>
> 1. I evidently don't speak Makefile jive as well as some - what does
> the following change do?
>
> -all: $(TARGETS) $(MANPAGES) $(CONFIGFILES)
> +all: $(TARGETS) $(MANPAGES:%=%.out) $(CONFIGFILES:%=%.out)

This means tack .out on the end of all the individual file names, so if $(MANPAGES) is ``ssh.1 sshd.8'' then $(MANPAGES:%=%.out) is ``ssh.1.out sshd.8.out''

This means that when they are later generated, it's the target file that you're depending upon, not the source, which makes the dependencies work properly (or that's the way I remember it, it's a while since I wrote it).

> 2. Why the vhangup() in pty.c? What does this fix?

http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=55379

> 3. Why the excision of the BUF code in scp.c?

http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=53697
and
http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=52071

> 4. I would prefer the shadow password checking to occur during
> password auth - I consider the other forms of auth to be totally
> separate, but I can see your reasoning.
Yeah, it's a shame that we need to mix them up, but without this you don't get account expiry, locked accounts etc. which leaves ssh as a loophole.

> If you move this code to a separate function in auth-passwd.c which
> could be called before or during password auth I will include it.

OK.

BTW you might want to quickly scan the (embarrassingly vast) list of bugs reported against Debian ssh:

http://www.debian.org/Bugs/db/pa/lssh.html

I've been rather busy with the day job lately, so have not been doing much about these. At first glance, many of them are pretty valid upstream problems, so if you want to deal with some of them direct, mail me the numbers and I'll mark them as forwarded (so we don't end up duplicating effort).

Cheers, Phil.

--
Mind-numbingly stupid UK law alert! Act now to stop it http://www.stand.org.uk/

From markus.friedl at informatik.uni-erlangen.de Sun Apr 16 03:29:53 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 15 Apr 2000 19:29:53 +0200
Subject: More Slack7 heartbreak.
In-Reply-To: ; from rjune@ims1.imagestream-is.com on Fri, Apr 14, 2000 at 12:07:02PM -0500
Message-ID: <20000415192953.A26674@folly.informatik.uni-erlangen.de>

On Fri, Apr 14, 2000 at 12:07:02PM -0500, Richard June wrote:
> All line numbers are approximate, but most likely w/in 10 lines of the
> OK, I've tracked down lots of goofy stuff w/ slack7 and OpenSSH
> I've got a couple of questions.
> What is /dev/tty and why does ssh try to open it to read the password
> instead of stdin?

openssh reads passwds from the current terminal (/dev/tty), reading from stdin is a bad idea, e.g. stdin might be redirected.

some broken distributions ship with /dev/tty unreadable.

> (this causes ssh to die w/ "You have no controlling tty.
> Cannot read passphrase.\n", line 69 of readpass.c, I've made it work by
> calling
> password = read_passphrase(prompt, 1); instead of
> password = read_passphrase(prompt, 0);
> in sshconnect.c line 940

-m

From markus.friedl at informatik.uni-erlangen.de Sun Apr 16 03:32:34 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 15 Apr 2000 19:32:34 +0200
Subject: 1.2.3-1 package for Debian GNU/Linux released
In-Reply-To: <87d7ns5f7m.fsf@sheikh.hands.com>; from phil@hands.com on Sat, Apr 15, 2000 at 02:24:13AM +0100
References: <874s95fpmd.fsf@sheikh.hands.com> <87d7ns5f7m.fsf@sheikh.hands.com>
Message-ID: <20000415193234.B26674@folly.informatik.uni-erlangen.de>

On Sat, Apr 15, 2000 at 02:24:13AM +0100, Philip Hands wrote:
> Yeah, it's a shame that we need to mix them up, but without this you
> don't get account expiry, locked accounts etc. which leaves ssh as a
> loophole.

then it should be moved to allowed_user().

-m

From rjune at ims1.imagestream-is.com Sun Apr 16 03:43:16 2000
From: rjune at ims1.imagestream-is.com (Richard June)
Date: Sat, 15 Apr 2000 12:43:16 -0500 (EST)
Subject: More Slack7 heartbreak.
In-Reply-To: <20000415192953.A26674@folly.informatik.uni-erlangen.de>

> reading from stdin is a bad idea, e.g. stdin might be redirected.
>
> some broken distributions ship with /dev/tty unreadable.
>
> > (this causes ssh to die w/ "You have no controlling tty.
> > Cannot read passphrase.\n", line 69 of readpass.c, I've made it work by
> > calling
> > password = read_passphrase(prompt, 1); instead of
> > password = read_passphrase(prompt, 0);
> > in sshconnect.c line 940
>
> -m
>

From rjune at ims1.imagestream-is.com Sun Apr 16 03:44:05 2000
From: rjune at ims1.imagestream-is.com (Richard June)
Date: Sat, 15 Apr 2000 12:44:05 -0500 (EST)
Subject: More Slack7 heartbreak.
In-Reply-To: <20000415192953.A26674@folly.informatik.uni-erlangen.de>

On Sat, 15 Apr 2000, Markus Friedl wrote:

> On Fri, Apr 14, 2000 at 12:07:02PM -0500, Richard June wrote:
> > All line numbers are approximate, but most likely w/in 10 lines of the
> > OK, I've tracked down lots of goofy stuff w/ slack7 and OpenSSH
> > I've got a couple of questions.
> > What is /dev/tty and why does ssh try to open it to read the password
> > instead of stdin?
>
> openssh reads passwds from the current terminal (/dev/tty),
> reading from stdin is a bad idea, e.g. stdin might be redirected.
>
> some broken distributions ship with /dev/tty unreadable.
>
> > (this causes ssh to die w/ "You have no controlling tty.
> > Cannot read passphrase.\n", line 69 of readpass.c, I've made it work by
> > calling
> > password = read_passphrase(prompt, 1); instead of
> > password = read_passphrase(prompt, 0);
> > in sshconnect.c line 940

Sorry about the last message. Is this simply a permissions problem, or is it something more serious? (I don't have access to the machine @ the moment.)

From djm at ibs.com.au Sun Apr 16 15:47:06 2000
From: djm at ibs.com.au (Damien Miller)
Date: Sun, 16 Apr 2000 15:47:06 +1000
Subject: [Fwd: OpenSSH 1.2.3 on AIX 4.3.3]
Message-ID: <38F953DA.10689F93@ibs.com.au>

Any AIX users to comment?

-------------- next part --------------
An embedded message was scrubbed...
From: Gert Doering
Subject: OpenSSH 1.2.3 on AIX 4.3.3
Date: Tue, 11 Apr 2000 12:13:00 +0200
Size: 6669
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000416/a8f78f4f/attachment.mht

From douglas.manton at uk.ibm.com Mon Apr 17 21:17:34 2000
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com)
Date: Mon, 17 Apr 2000 12:17:34 +0100
Subject: OpenSSH-1.2.3 AIX scp failure
Message-ID: <802568C4.003E0984.00@d06mta05.portsmouth.uk.ibm.com>

Hi,

I have successfully compiled the latest UNIX port of OpenSSH under AIX 4.3.3 using both gcc and IBM's C++ compilers. Under both versions I get the following error when "UseLogin" is set to "yes" and I attempt an scp:

Executing: host localhost, user me, command scp -v -t test1
SSH Version OpenSSH-1.2.3-G1, protocol version 1.5.   // utmp patch applied thanks to Gert (same results without patch)
Compiled with SSL.
debug: Reading configuration data /usr/etc/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 500 geteuid 0 anon 0
debug: Connecting to localhost [127.0.0.1] port 22.
debug: Allocated local port 945.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version OpenSSH-1.2.3-G1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Forcing accepting of host key for loopback/localhost.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Doing password authentication.
me at localhost's password:
debug: Sending command: scp -v -t test1
debug: Entering interactive session.
TZ=GMT0BST: TZ=GMT0BST: A file or directory in the path name does not exist.
debug: Transferred: stdin 0, stdout 77, stderr 0 bytes in 0.1 seconds
debug: Bytes per second: stdin 0.0, stdout 918.2, stderr 0.0
debug: Exit status 127
lost connection

If I set UseLogin to "no" the error goes and scp works faultlessly. Looks to be a problem initializing the environment. Changing my shell from Bash to ksh or bsh results in a stall right after the "Entering interactive session."

SSH works perfectly -- I can't wait to see protocol 2 integrated!

Any help would be appreciated.
Many thanks,

-----------------------------------------------------------------------------
Doug Manton, AT&T Global Network Services - Firewall and Security Solutions
-----------------------------------------------------------------------------

From djm at mindrot.org Thu Apr 20 07:49:54 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 20 Apr 2000 07:49:54 +1000 (EST)
Subject: Entropy-gathering gizmos for Solaris? (fwd)

For those wondering about the Solaris random driver.

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

---------- Forwarded message ----------
Date: Wed, 19 Apr 2000 16:24:57 -0400
From: Don Davis
To: Jeff.Hodges at stanford.edu
Cc: cryptography at c2.net, dtd at world.std.com, soley at sun.com
Subject: Re: Entropy-gathering gizmos for Solaris?

> Ok, now I'm curious about what all entropy-gathering gizmos, ...
> might be available for/on Solaris -- anyone know?

the solaris security toolkit has a program called cryptorand. about 3-4 years ago, i intensively reviewed and tested cryptorand for a client. i talked a lot back then with bill soley, the sunsoft engineer who designed and wrote cryptorand, and bill gave me a lot of detail about how the program worked. because i've worked on true RNGs myself, i was very interested in bill's approach.

cryptorand is an application program that reads kernel memory pages from kmem, hashes the pages into an entropy pool, and exports the pool's bits via a pseudo-device driver. cryptorand is careful to skip a page if the page hasn't changed since the last time it was examined. the program also saves its entropy pool to disk on shutdown, so that the program is sure to have a different starting state at every reboot. bill was very conservative about not publishing too many bits, and about rejecting pages that might not have changed.

i found that cryptorand could produce kbytes of key-quality bits per second, and that it was pretty efficient. when i pulled bits out as fast as possible, while a web server was answering http requests on the same machine, i saw a ~5% reduction in the web-server's throughput. i concluded that this 5% hit really came not from cpu load, but from memory-bus contention. anyway, the test was perhaps not perfectly realistic, because a server wouldn't need to pull bits out as fast as i did.

i also did some statistical testing of cryptorand's output, though this was unnecessary; cryptorand uses md5, which is well-known to produce white noise.
finally, i disabled cryptorand's state-saving feature, and rebooted the machine a few hundred times, saving cryptorand's first few bytes from each reboot. i then checked these initial bytes for entropy and for correlations, and found no problems.

here's why i believe it's reasonable to say that cryptorand's output qualifies as true entropy. at boot time, the unix kernel's memory comprises several tables, most of which are set up as linked lists of control structures, waiting to be allocated. in use, these structures are extensively cross-linked to one another with pointer spaghetti. when a table element is freed, it is added to the top of its table's free list, so that the free-list is shuffled by the kernel's activity. since the kernel's activity is strongly i/o-driven, the kernel's history of i/o timing is recorded in the particular tangle of pointer spaghetti, in both the active table structures and in the free-lists.

btw, i got bill's permission to send these comments to the list.

- don davis, boston
http://world.std.com/~dtd

From djm at mindrot.org Thu Apr 20 22:53:43 2000
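The following Python is an added example, not code from this list, from cryptorand or from OpenSSH. It models the two designs discussed on this page: Don's description of cryptorand (hash only those pages that changed since they were last examined, keep a conservative entropy estimate, save the pool across restarts) and Damien's seed-file rules from the "ls -alni /var/mail" thread (mode 0600, owner check, mix the seed in with a zero entropy estimate). The PagePool class, its per-page credit figure and the sample "kernel pages" are all constructed for illustration, and SHA-256 stands in for the MD5 the post mentions.

```python
"""Toy model of a cryptorand-style page pool plus a protected seed file.
Constructed for illustration; SHA-256 replaces MD5 and the per-page
entropy credit is an invented, deliberately conservative figure."""
import hashlib
import os
import stat
import struct
import tempfile


class PagePool:
    CREDIT_PER_CHANGED_PAGE = 8   # bits credited per changed page (made up)

    def __init__(self):
        self._state = hashlib.sha256(b"constructed initial state").digest()
        self._seen = {}           # page index -> digest of the page last mixed in
        self._counter = 0
        self.credit_bits = 0      # running entropy estimate of the pool

    def mix(self, data, credit_bits):
        """Fold data into the pool, crediting the caller's entropy estimate."""
        self._state = hashlib.sha256(self._state + data).digest()
        self.credit_bits += credit_bits

    def feed_page(self, index, page):
        """Mix a memory page, but skip it if unchanged since last examined."""
        digest = hashlib.sha256(page).digest()
        if self._seen.get(index) == digest:
            return False          # same bytes as last time: no new entropy
        self._seen[index] = digest
        self.mix(struct.pack(">I", index) + page, self.CREDIT_PER_CHANGED_PAGE)
        return True

    def extract(self, nbytes):
        """Return nbytes of output, refusing to over-draw the credited entropy."""
        if self.credit_bits < nbytes * 8:
            raise RuntimeError("insufficient credited entropy")
        out = b""
        while len(out) < nbytes:
            out += hashlib.sha256(self._state + struct.pack(">Q", self._counter)).digest()
            self._counter += 1
        # Ratchet so earlier output cannot be recomputed from the new state.
        self._state = hashlib.sha256(self._state + b"ratchet").digest()
        self.credit_bits -= nbytes * 8
        return out[:nbytes]

    def save_seed(self, path, nbytes=32):
        """Write a seed file readable by its owner only (mode 0600)."""
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        try:
            os.fchmod(fd, 0o600)  # also tighten a pre-existing file
            os.write(fd, self.extract(nbytes))
        finally:
            os.close(fd)

    def load_seed(self, path):
        """Check owner and mode, then mix the seed in with zero credit."""
        st = os.lstat(path)       # lstat: a symlink fails the S_ISREG test
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("seed file is not a regular file")
        if st.st_uid != os.getuid():
            raise ValueError("seed file is not owned by the current user")
        if st.st_mode & 0o077:
            raise ValueError("seed file is group or world accessible")
        with open(path, "rb") as f:
            self.mix(f.read(), 0)  # zero entropy estimate, as Damien suggests


def demo(tmpdir=None):
    """Run a save/load cycle on constructed pages; returns checkable facts."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    pages = {i: bytes([i]) * 4096 for i in range(40)}   # constructed "kernel pages"
    pool = PagePool()
    first = [pool.feed_page(i, pg) for i, pg in pages.items()]
    second = [pool.feed_page(i, pg) for i, pg in pages.items()]  # nothing changed
    changed = pool.feed_page(3, bytes(range(256)) * 16)          # page 3 changed
    seed = os.path.join(tmpdir, "seed")
    pool.save_seed(seed)
    restored = PagePool()
    restored.load_seed(seed)
    credit_after_load = restored.credit_bits
    try:
        restored.extract(1)
        refused = False
    except RuntimeError:
        refused = True            # the seed alone earns no credit
    for i in range(32):
        restored.feed_page(i, pages[i])
    loose = os.path.join(tmpdir, "seed-loose")
    with open(loose, "wb") as f:
        f.write(b"x" * 32)
    os.chmod(loose, 0o644)        # world-readable seed must be rejected
    try:
        restored.load_seed(loose)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "all_new_first_pass": all(first),
        "none_new_second_pass": not any(second),
        "changed_page_mixed": changed,
        "credit_after_save": pool.credit_bits,   # 41 pages * 8 bits - 32 bytes * 8
        "seed_mode": stat.S_IMODE(os.stat(seed).st_mode),
        "credit_after_load": credit_after_load,
        "refused_without_credit": refused,
        "output_len": len(restored.extract(16)),
        "rejected_loose_mode": rejected,
    }
```

The credit bookkeeping is the point of the zero-estimate rule: a seed file restores an unpredictable starting state after reboot, but it is never allowed to substitute for fresh entropy gathered afterwards.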
From: djm at mindrot.org (Damien Miller)
Date: Thu, 20 Apr 2000 22:53:43 +1000 (EST)
Subject: 1.2.3-1 package for Debian GNU/Linux released
In-Reply-To: <87d7ns5f7m.fsf@sheikh.hands.com>

On 15 Apr 2000, Philip Hands wrote:

Attached is the diff that I have applied so far. Executive summary:

- You can set the SSH_PAM_SERVICE thru CFLAGS
- use vhangup in pty.c
- use '+' in ssh-agent getopt

> > 3. Why the excision of the BUF code in scp.c?
>
> http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=53697

Forgive my ignorance, but why should writes larger than PIPE_BUF size cause failures? Is it a problem with atomicity?

In any case, I won't merge the removal of all the buffer code as a solution - I would rather add a hack to the allocation routine. Keeping the diff size down is good for quality as well as my own sanity. The OpenBSD team do a great job of auditing and cleaning up the code, I don't want to go fudging that up :)

> > 4. I would prefer the shadow password checking to occur during
> > password auth - I consider the other forms of auth to be totally
> > separate, but I can see your reasoning.
>
> Yeah, it's a shame that we need to mix them up, but without this you
> don't get account expiry, locked accounts etc. which leaves ssh as a
> loophole.
>
> > If you move this code to a separate function in auth-passwd.c which
> > could be called before or during password auth I will include it.
>
> OK.

You should grab a copy of the test release at http://violet.ibs.com.au/openssh/files/test/

It tracks a few large changes to the OpenBSD tree, including the splitting of auth code into a separate file.

> BTW you might want to quickly scan the (embarrassingly vast) list of
> bugs reported against Debian ssh:
>
> http://www.debian.org/Bugs/db/pa/lssh.html
>
> I've been rather busy with the day job lately, so have not been doing
> much about these.
At first glance, many of them are pretty valid > upstream problems, so if you want to deal with some of them direct, > mail me the numbers and I'll mark them as forwarded (so we don't end > up duplicating effort). I too have been pretty busy with Other Things, but I will try to look at these as time permits. It would be appreciated if you could forward any particularly pernicious bugs to me direct, esp any security problems. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -------------- next part -------------- Index: auth-pam.c =================================================================== RCS file: /var/cvs/openssh/auth-pam.c,v retrieving revision 1.2 diff -u -r1.2 auth-pam.c --- auth-pam.c 2000/01/26 23:55:38 1.2 +++ auth-pam.c 2000/04/20 12:40:33 @@ -215,7 +215,8 @@ debug("Starting up PAM with username \"%.200s\"", pw->pw_name); - pam_retval = pam_start("sshd", pw->pw_name, &conv, (pam_handle_t**)&pamh); + pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, + (pam_handle_t**)&pamh); if (pam_retval != PAM_SUCCESS) fatal("PAM initialisation failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); Index: configure.in =================================================================== RCS file: /var/cvs/openssh/configure.in,v retrieving revision 1.109 diff -u -r1.109 configure.in --- configure.in 2000/04/16 02:31:50 1.109 +++ configure.in 2000/04/20 12:40:35 
@@ -110,7 +110,7 @@ AC_CHECK_HEADERS(bstring.h endian.h lastlog.h login.h maillock.h netdb.h netgroup.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h util.h utmp.h utmpx.h) # Checks for library functions. -AC_CHECK_FUNCS(arc4random bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage innetgr md5_crypt mkdtemp openpty rresvport_af setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy updwtmpx vsnprintf _getpty) +AC_CHECK_FUNCS(arc4random bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage innetgr md5_crypt mkdtemp openpty rresvport_af setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy updwtmpx vsnprintf vhangup _getpty) AC_CHECK_FUNC(login, [AC_DEFINE(HAVE_LOGIN)], Index: pty.c =================================================================== RCS file: /var/cvs/openssh/pty.c,v retrieving revision 1.18 diff -u -r1.18 pty.c --- pty.c 2000/04/16 01:18:44 1.18 +++ pty.c 2000/04/20 12:40:36 @@ -201,6 +201,9 @@ pty_make_controlling_tty(int *ttyfd, const char *ttyname) { int fd; +#ifdef HAVE_VHANGUP + void *old; +#endif /* HAVE_VHANGUP */ /* First disconnect from the old controlling tty. */ #ifdef TIOCNOTTY 
@@ -232,12 +235,22 @@ */ ioctl(*ttyfd, TIOCSCTTY, NULL); #endif /* TIOCSCTTY */ +#ifdef HAVE_VHANGUP + old = signal(SIGHUP, SIG_IGN); + vhangup(); + signal(SIGHUP, old); +#endif /* HAVE_VHANGUP */ fd = open(ttyname, O_RDWR); - if (fd < 0) + if (fd < 0) { error("%.100s: %.100s", ttyname, strerror(errno)); - else + } else { +#ifdef HAVE_VHANGUP + close(*ttyfd); + *ttyfd = fd; +#else /* HAVE_VHANGUP */ close(fd); - +#endif /* HAVE_VHANGUP */ + } /* Verify that we now have a controlling tty. */ fd = open("/dev/tty", O_WRONLY); if (fd < 0) Index: ssh-agent.c =================================================================== RCS file: /var/cvs/openssh/ssh-agent.c,v retrieving revision 1.21 diff -u -r1.21 ssh-agent.c --- ssh-agent.c 2000/04/19 21:42:22 1.21 +++ ssh-agent.c 2000/04/20 12:40:37 @@ -511,7 +511,7 @@ __progname); exit(1); } - while ((ch = getopt(ac, av, "cks")) != -1) { + while ((ch = getopt(ac, av, "+cks")) != -1) { switch (ch) { case 'c': if (s_flag) Index: ssh.h =================================================================== RCS file: /var/cvs/openssh/ssh.h,v retrieving revision 1.33 diff -u -r1.33 ssh.h --- ssh.h 2000/04/19 21:42:22 1.33 +++ ssh.h 2000/04/20 12:40:39 @@ -71,6 +71,10 @@ */ #define SSH_SERVICE_NAME "ssh" +#if defined(HAVE_PAM) && !defined(SSHD_PAM_SERVICE) +#define SSHD_PAM_SERVICE "sshd" +#endif + #ifndef ETCDIR #define ETCDIR "/etc" #endif /* ETCDIR */ From jweaver at attens.com Fri Apr 21 06:31:47 2000 
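Review bot: in the pty.c hunks, `old` is declared `void *` but receives the return value of `signal()`, which is a function pointer (`void (*)(int)`); converting between object and function pointers is not portable C and draws warnings on some compilers, so declare it as `void (*old)(int)`. Also, once `vhangup()` has revoked the old tty, the `fd < 0` branch only logs `error()` and carries on with `*ttyfd` still referring to the hung-up descriptor; either `fatal()` there or re-check the descriptor before continuing, since the "Verify that we now have a controlling tty" step that follows only tests /dev/tty, not `*ttyfd`.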
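Review bot: the leading `+` in the ssh-agent.c getopt string `"+cks"` is a GNU libc extension (stop option parsing at the first non-option, so the flags of the command ssh-agent is asked to run are not swallowed); other getopt implementations may not recognise it and could treat `+` as an option character or ignore it. For the portable tree this should be guarded by a configure check or an `#ifdef`, or the "stop at first non-option" behaviour implemented explicitly, so the semantics are the same on every platform.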
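Review bot: the macro introduced in the ssh.h hunk (and consumed by the auth-pam.c hunk) is `SSHD_PAM_SERVICE`, while the executive summary tells packagers to set `SSH_PAM_SERVICE` through CFLAGS; anyone following the summary will define the wrong name and silently keep the default `"sshd"`. Pick one spelling, and document the CFLAGS override (for example in INSTALL or README), since nothing in the diff itself mentions it.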
From: jweaver at attens.com (John Weaver)
Date: Thu, 20 Apr 2000 13:31:47 -0700
Subject: egd.pl 0.7 stops working with Sol8/perl 5.6.0
Message-ID: <4.2.2.20000420132523.00a5aeb0@staff.cerf.net>

The usual suspects:

Solaris 8
gcc 2.95.2
perl 5.60
egd 0.7
openssl 0.95.a
openssh 1.2.3

# egd.pl /etc/entropy
---

It works the first few minutes and then just stops working. OpenSSH connections started still work, ssh just hangs with a new connection. I've even tried --bottomless; no joy. 0.6 and Solaris 7 worked great. I'm going to try the /dev/random that was mentioned before.

Any ideas?

From carrier at cs.purdue.edu Fri Apr 21 08:10:01 2000
From: carrier at cs.purdue.edu (Brian Carrier)
Date: Thu, 20 Apr 2000 17:10:01 -0500
Subject: egd.pl 0.7 stops working with Sol8/perl 5.6.0
In-Reply-To: <4.2.2.20000420132523.00a5aeb0@staff.cerf.net>; from John Weaver on Thu, Apr 20, 2000 at 01:31:47PM -0700
References: <4.2.2.20000420132523.00a5aeb0@staff.cerf.net>
Message-ID: <20000420171000.A16160@lisa.cs.purdue.edu>

John,

Did you try:

% eg/egc.pl /etc/entropy get

or

% eg/egc.pl /etc/entropy readb 8

If you have entropy in the pool and readb returns bytes, then I would assume the problem is not with egd.

brian

On Thu, Apr 20, 2000 at 01:31:47PM -0700, John Weaver wrote:
> The usual suspects:
>
> Solaris 8
> gcc 2.95.2
> perl 5.60
> egd 0.7
> openssl 0.95.a
> openssh 1.2.3
>
> # egd.pl /etc/entropy
> ---
>
> It works the first few minutes and then just stops working. OpenSSH
> connections started still work, ssh just hangs with a new connection. I've
> even tried --bottomless; no joy. 0.6 and Solaris 7 worked great. I'm going
> to try the /dev/random that was mentioned before.
>
> Any ideas?

From tbert at abac.com Fri Apr 21 23:43:59 2000
From: tbert at abac.com (Tom Bertelson) Date: Fri, 21 Apr 2000 09:43:59 -0400 Subject: OpenSSH 1.2.3 on AIX 4.3.3 Message-ID: <39005B1F.D736E6CB@abac.com> Hmph. I wish I had checked the list before I wasted a half-day on this. Yes, the problem exists under AIX (mine's 4.3.1). Here's the patch I came up with, which may be a little more straightforward than the original. I confirmed that it works under Solaris 2.[67] too. Don't forget to run autoconf. --- bsd-login.c.orig Sat Dec 25 18:21:48 1999 +++ bsd-login.c Thu Apr 20 18:26:41 2000 @@ -65,15 +65,23 @@ struct utmp *utp; #endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ { +#if defined(HAVE_PUTUTLINE) + struct utmp *old_utp; +#else #if defined(HAVE_HOST_IN_UTMP) struct utmp old_ut; #endif + int tty; +#endif /* HAVE_PUTUTLINE */ #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) struct utmpx *old_utx; #endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ register int fd; - int tty; +#if defined(HAVE_PUTUTLINE) + old_utp = pututline(utp); + endutent(); +#else tty = ttyslot(); if (tty > 0 && (fd = open(_PATH_UTMP, O_RDWR|O_CREAT, 0644)) >= 0) { @@ -100,6 +108,7 @@ (void)write(fd, utp, sizeof(struct utmp)); (void)close(fd); } +#endif /* HAVE_PUTUTLINE */ if ((fd = open(_PATH_WTMP, O_WRONLY|O_APPEND, 0)) >= 0) { (void)write(fd, utp, sizeof(struct utmp)); (void)close(fd); --- config.h.in.orig Thu Apr 20 18:10:46 2000 +++ config.h.in Fri Apr 21 08:32:55 2000 @@ -187,6 +187,9 @@ /* Define if you have the openpty function. */ #undef HAVE_OPENPTY + +/* Define if you have the pututline function. */ +#undef HAVE_PUTUTLINE /* Define if you have the rresvport_af function. */ #undef HAVE_RRESVPORT_AF --- configure.in.orig Fri Mar 17 07:26:46 2000 +++ configure.in Fri Apr 21 08:23:28 2000 
@@ -110,7 +110,7 @@ AC_CHECK_HEADERS(bstring.h endian.h lastlog.h login.h maillock.h netdb.h netgroup.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h util.h utmp.h utmpx.h) # Checks for library functions. -AC_CHECK_FUNCS(arc4random bindresvport_af freeaddrinfo gai_strerror getaddrinfo getnameinfo innetgr md5_crypt mkdtemp openpty rresvport_af setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy updwtmpx vsnprintf _getpty) +AC_CHECK_FUNCS(arc4random bindresvport_af freeaddrinfo gai_strerror getaddrinfo getnameinfo innetgr md5_crypt mkdtemp openpty pututline rresvport_af setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy updwtmpx vsnprintf _getpty) AC_CHECK_FUNC(login, [AC_DEFINE(HAVE_LOGIN)], From jartit at hotmail.com Sat Apr 22 01:16:09 2000 
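Review bot: in the first bsd-login.c hunk, `old_utp` is assigned the return value of `pututline(utp)` but never used afterwards, so it will draw an unused-variable warning; either drop it or test it for NULL so a failed utmp update is reported. `pututline()` also searches from the current position in the utmp file, so call `setutent()` before it (keeping the `endutent()` after) to make sure the slot for this tty is found rather than a duplicate entry appended. Finally, judging from the `#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */` after the `struct utmp *utp;` declaration, `utp` has a different type in the utmpx build, yet the new `#if defined(HAVE_PUTUTLINE)` branch is taken regardless; on a system that has both (Solaris is one), the utmpx branch should win, e.g. `#if defined(HAVE_PUTUTLINE) && !(defined(HAVE_UTMPX_H) && defined(USE_UTMPX))`.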
From: jartit at hotmail.com (Artit Jirapatnakul)
Date: Fri, 21 Apr 2000 11:16:09 EDT
Subject: Password authentication problems
Message-ID: <20000421151609.41102.qmail@hotmail.com>

I'm having a problem getting OpenSSH to correctly authenticate passwords. I'm doing authentication against a shadow file (/etc/shadow) because I don't have PAM installed.

I'm using Slackware 7.0, OpenSSH 1.2.3, OpenSSL 0.95a, and glibc with the crypt addon.

Here is the funny thing about it though. I edited the file that has the code for authentication (auth-password.c I think, I'm not sure since I'm in Windows at the moment). I added code to display both the password from the client and then the crypted password from the client.

The unencrypted password is correct, so the server is getting the right password. But after it performs a crypt() on it, it gets the WRONG hash! The hash isn't the same as what is in the shadow file, and so the authentication fails.

Now I'm not sure what to do from there. This has happened on 3 different machines, all running slack 7. Any ideas where to go from here?

If you need more info (like the debug output from the server), I'd be happy to provide it.

Thanks,

Artit J.
________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com

From lars at larsshack.org Sat Apr 22 01:23:41 2000
From: lars at larsshack.org (Lars Kellogg-Stedman)
Date: Fri, 21 Apr 2000 11:23:41 -0400 (EDT)
Subject: OpenSSH and Irix?
Message-ID:

I'd like to install openssh across an Irix cluster where I work, but its dependency on an "entropy pool" like /dev/urandom is making this problematic -- especially because EGD has issues with Irix that make it largely unusable.

Obviously, the original ssh relied on its own random number generator. While this may not have provided the same degree of randomness that is provided by the openssh implementation, it had the advantage of being completely self contained. Is there any reason why this can't be added to openssh as an option? Something like --enable-cheap-random-numbers-with-lower-security, or something like that. This would provide at least the same level of security as ssh 1.2.27 (and would actually work, whereas at the moment I've got sshd turned off because of the EGD problems).

Any thoughts? I don't have much crypto programming experience, so I've implemented a cheap hack using random/initstate and friends which seems to work, but I'd prefer to see a more "official" solution.

Incidentally, the configure script asks for reports on Irix 6.x experience. Once the random number problem is out of the way, openssh appears to work just fine.

Thanks,

-- Lars

--
Lars Kellogg-Stedman --> http://www.larsshack.org/

From rjune at ims1.imagestream-is.com Sat Apr 22 01:37:08 2000
From: rjune at ims1.imagestream-is.com (Richard June)
Date: Fri, 21 Apr 2000 10:37:08 -0500 (EST)
Subject: Password authentication problems
In-Reply-To: <20000421151609.41102.qmail@hotmail.com>
Message-ID:

I've already solved this. OpenSSL implements crypt on its own. This crypt uses the standard 2 char salt; libcrypt in Slak uses an 11 char crypt. To make it work, edit the OpenSSH Makefile and find the line where it specifies what libraries to link against, -lcrypto specifically. Put -lcrypt in front of this. You will also find some other problems regarding OpenSSH and slak 7; I'll send you a list.

On Fri, 21 Apr 2000, Artit Jirapatnakul wrote:

> I'm having a problem getting OpenSSH to correctly authenticate passwords.
> I'm doing authentication against a shadow file (/etc/shadow) because I don't
> have PAM installed.
>
> I'm using Slackware 7.0, OpenSSH 1.2.3, OpenSSL 0.95a, and glibc with the
> crypt addon.
>
> Here is the funny thing about it though. I edited the file that has the code
> for authentication (auth-password.c I think, I'm not sure since I'm in
> Windows at the moment). I added code to display both the password from the
> client and then the crypted password from the client.
>
> The unencrypted password is correct, so the server is getting the right
> password. But after it performs a crypt() on it, it gets the WRONG hash! The
> hash isn't the same as what is in the shadow file, and so the authentication
> fails.
>
> Now I'm not sure what to do from there. This has happened on 3 different
> machines, all running slack 7. Any ideas where to go from here?
>
> If you need more info (like the debug output from the server), I'd be happy
> to provide it.
>
> Thanks,
>
> Artit J.
> ________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
>
>

From ueno at unixuser.org Sat Apr 22 03:34:32 2000
From: ueno at unixuser.org (Daiki Ueno)
Date: 22 Apr 2000 02:34:32 +0900
Subject: Question about ssh-askpass
Message-ID: <877ldrcq8n.fsf@mail.unixuser.org>

Hello. I'm new to the list, and I have some questions.

I'd like to use ssh as a subprocess, and I'm looking for a generic way of passing the passphrase. So far as I know, in SSH Communications' implementation of SSH, ssh invokes ssh-askpass as well as ssh-add does. Is the lack of this just for security reasons?

Are there any plans to use some kind of ready-made option parsing routine--such as getopt?

Thank you,
--
Daiki Ueno

From djm at mindrot.org Sat Apr 22 15:22:52 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 22 Apr 2000 15:22:52 +1000 (EST)
Subject: OpenSSH and Irix?
In-Reply-To:
Message-ID:

On Fri, 21 Apr 2000, Lars Kellogg-Stedman wrote:

> I'd like to install openssh across an Irix cluster where I work,
> but its dependency on an "entropy pool" like /dev/urandom is making
> this problematic -- especially because EGD has issues with Irix that
> make it largely unusable.
>
> Obviously, the original ssh relied on its own random number
> generator. While this may not have provided the same degree of
> randomness that is provided by the openssh implementation, it had
> the advantage of being completely self contained.

You might want to try the test release at:

http://violet.ibs.com.au/openssh/files/test

It has the beginnings of self-contained random collection. Please report the output of "ssh -v somehost". Suggestions for more commands (see the table in entropy.c) to collect randomness would be greatly appreciated.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From pollard at schrodinger.com Sun Apr 23 13:10:58 2000
From: pollard at schrodinger.com (Tom Pollard)
Date: Sat, 22 Apr 2000 23:10:58 -0400 (EDT)
Subject: strange session failure on linux
Message-ID:

Hi,

We're running an openssh server on a linux box here to give developers access to our machines from outside the firewall. A number of us, using various ssh clients (Mac, Windows and Linux) regularly experience hung sessions. I'm hoping that someone can give me some insight into what's happening here or, at least, some tips for characterizing the problem well enough for it to get fixed.

Let me try to describe what happens. I usually have two or three ssh sessions active from my home machine to this server. A few minutes after these are established (sometimes it takes much longer), one of them will suddenly stop responding while the others remain active. If I kill the dead session, it's always possible to open another session immediately.

I've discovered that these dead sessions are only dead in one direction. That is, things I type into my dead ssh window continue to get transmitted to the server, but the response from the server isn't transmitted back to my home machine. I know this because (a) I can tell that commands typed blindly into the dead session are properly executed, and (b) running netstat on the server machine reveals that the Send-Q starts growing dramatically for the dead connection. So, both the server and the client consider the connection to be active ("ESTABLISHED"), but nothing is transmitted from the server to the client.

Any idea what could possibly be going on here? As I mentioned, people using various different clients have experienced this problem, so it seems clear that it's a server problem of some sort. The Linux system sshd is running on is, unfortunately, a non-standard version based on the 2.0.28 kernel. We're running OpenSSH-1.2.1, protocol version 1.5.

Thanks,
Tom

-------------------------------------------------------------------------
W. Thomas Pollard Schrodinger, Inc.
pollard at schrodinger.com http://www.schrodinger.com/
-------------------------------------------------------------------------

From philipp at buehler.de Tue Apr 25 04:07:44 2000
From: philipp at buehler.de (Philipp Buehler)
Date: Mon, 24 Apr 2000 14:07:44 -0400
Subject: OpenSSH 1.2.3, HPUX 10.20 [TCB]
Message-ID: <39048D6F.E92A544B@buehler.de>

Hello,

I already checked the mailing list archive for HPUX problems, but haven't found exactly this:

./configure --prefix=/opt --without-pam --with-ssl-dir=/opt/OpenSSL --with-lastlog=/var/adm/wtmp --with-egd-pool=/dev/entropy --with-tcp-wrappers --with-pid-dir=/var/run --sysconfdir=/etc/ssh

and get after a make:

gcc -O2 -Wall -D_HPUX_SOURCE -I/usr/local/include -I/opt/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/opt/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/opt/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c login.c
login.c: In function `get_last_login_time':
login.c:57: storage size of `ll' isn't known
login.c:57: warning: unused variable `ll'
login.c:131: warning: control reaches end of non-void function
login.c: In function `record_login':
login.c:143: storage size of `ll' isn't known
login.c:143: warning: unused variable `ll'
*** Error exit code 1

gcc is 2.95.2, but I do not think there is really a problem.

TIA,
--
Philipp Buehler, aka fIpS | sysfive.com | BOfH | NUCH |
%SYSTEM-F-TOOEARLY, please contact your sysadmin at a sensible time.
Artificial Intelligence stands no chance against Natural Stupidity.

From philipp at buehler.de Mon Apr 24 23:12:11 2000
From: philipp at buehler.de (Philipp Buehler)
Date: Mon, 24 Apr 2000 15:12:11 +0200
Subject: OpenSSH 1.2.3, HPUX 10.20 [TCB]
In-Reply-To: <39048D6F.E92A544B@buehler.de>; "Philipp Buehler" on 24.04.2000 @ 20:07:44 METDST
References: <39048D6F.E92A544B@buehler.de>
Message-ID: <20000424151211.A9609@pohl.fips.de>

Philipp Buehler wrote To openssh-unix-dev at mindrot.org:
> ./configure --prefix=/opt --without-pam --with-ssl-dir=/opt/OpenSSL
> --with-lastlog=/var/adm/wtmp --with-egd-pool=/dev/entropy
> --with-tcp-wrappers --with-pid-dir=/var/run --sysconfdir=/etc/ssh

compiles smoothly with --without-lastlog .. which is not really nice :}

ciao
--
Philipp Buehler, aka fIpS | sysfive.com | BOfH | NUCH |
%SYSTEM-F-TOOEARLY, please contact your sysadmin at a sensible time.
Artificial Intelligence stands no chance against Natural Stupidity.

From philipp at buehler.de Mon Apr 24 23:49:41 2000
From: philipp at buehler.de (Philipp Buehler)
Date: Mon, 24 Apr 2000 15:49:41 +0200
Subject: OpenSSH 1.2.3, HPUX 10.20 [TCB]
In-Reply-To: <20000424151211.A9609@pohl.fips.de>; "Philipp Buehler" on 24.04.2000 @ 15:12:11 METDST
References: <39048D6F.E92A544B@buehler.de> <20000424151211.A9609@pohl.fips.de>
Message-ID: <20000424154941.A9696@pohl.fips.de>

Philipp Buehler wrote To openssh-unix-dev at mindrot.org:
> compiles smoothly with --without-lastlog .. which is not really nice :}

And the patch from http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=95155819832022&w=2 fixes the usage of passwords > 8 chars on 10.20/TCB too, thanks Ged Lodder

So, reporting: openssh-1.2.3 on HPUX10.20/TCB with longer passwords running w/o lastlog

ciao
--
Philipp Buehler, aka fIpS | sysfive.com | BOfH | NUCH |
%SYSTEM-F-TOOEARLY, please contact your sysadmin at a sensible time.
Artificial Intelligence stands no chance against Natural Stupidity.

From simpsons at kom.auc.dk Wed Apr 26 01:23:47 2000
From: simpsons at kom.auc.dk (Thomas Rasmussen)
Date: 25 Apr 2000 17:23:47 +0200
Subject: OpenSSH and Xauth
Message-ID: <28pu2gqfblo.fsf@lada.kom.auc.dk>

Hi...

I have stumbled over quite a big problem on my machine. I'm running Debian Potato with OpenSSH-1.2.3 protocol 1.5 installed from the debian packages. When I ssh from any computer (including my own) then I can't get any programs to display X. I have turned ForwardAgent and ForwardX11 on in my ssh_config. When I turn on debugging this is what I get:

17:14 simpsons at lada% ssh -v bart.aalk ~
SSH Version 1.2.26 [sparc-sun-solaris2.6], protocol version 1.5.
Standard version. Does not use RSAREF.
lada: Reading configuration data /etc/ssh_config
lada: ssh_connect: getuid 43750 geteuid 0 anon 0
lada: Connecting to bart.aalk [192.168.74.133] port 22.
lada: Allocated local port 1017.
lada: Connection established.
lada: Remote protocol version 1.5, remote software version OpenSSH-1.2.2
lada: Waiting for server public key.
lada: Received server public key (768 bits) and host key (1024 bits).
lada: Host 'bart.aalk' is known and matches the host key.
lada: Initializing random; seed file /afs/ies.auc.dk/user/simpsons/.ssh/random_seed
lada: IDEA not supported, using 3des instead.
lada: Encryption type: 3des
lada: Sent encrypted session key.
lada: Installing crc compensation attack detector.
lada: Received encrypted confirmation.
lada: No agent.
lada: Trying RSA authentication with key 'simpsons at bart'
lada: Server refused our key.
lada: Doing password authentication.
simpsons at bart.aalk's password:
lada: Requesting pty.
lada: Requesting X11 forwarding with authentication spoofing.
lada: Requesting shell.
lada: Entering interactive session.
Last login: Tue Apr 25 16:48:44 2000 from bart on pts/6

But when trying to execute any X program I get this:

17:15 simpsons at bart% xlogo ~
lada: Received X11 open request.
lada: Allocated channel 0 of type 9.
lada: Sending open confirmation to the remote host.
lada: X11 connection uses different authentication protocol: 'MIT-MAGIC-COOKIE-1' vs. ''.
X11 connection rejected because of wrong authentication at Tue Apr 25 17:15:34 2000.
a
Rejected connection at Tue Apr 25 17:15:34 2000: X11 connection from bart port 1169
lada: Channel 0 closes incoming data stream.
lada: Channel 0 closes outgoing data stream.
lada: Channel 0 sends oclosed.
lada: Channel 0 sends ieof.
lada: Channel 0 receives input eof.
lada: X problem fix: close the other direction.
lada: Channel 0 receives output closed.
lada: Channel 0 terminates.
X connection to bart:10.0 broken (explicit kill or server shutdown).

And this is something I don't understand! I use exactly the same version of Openssh on another machine which is also a debian machine without any problems. The only difference in these two, are that the one I'm having problems with is running Xfree 4.0 and the other is running Xfree 3.3.6, otherwise they are practically identical!

Someone please help....

Thanks
Thomas
--
KOM Network student helper

"To alcohol! The cause of - and solution to - all of life's problems!" -- Homer Simpson

From speno at isc.upenn.edu Wed Apr 26 06:10:55 2000
From: speno at isc.upenn.edu (John P Speno)
Date: Tue, 25 Apr 2000 16:10:55 -0400
Subject: scp: write stdout: Broken pipe error (Tru64 UNIX)
In-Reply-To: <20000414140659.A929@isc.upenn.edu>
References: <20000327114108.A124292@isc.upenn.edu> <20000414140659.A929@isc.upenn.edu>
Message-ID: <20000425161055.A43653@isc.upenn.edu>

On Fri, Apr 14, 2000 at 02:06:59PM -0400, John P Speno wrote:
>
> Just wanted to follow up on this issue because it's gone away. I've no idea
> what was happening, so I'll blame user headspace error (my own).

And another followup. I'm able to duplicate this at will now and I've tracked it down somewhat. I'll continue to work on finding the exact problem after my headache subsides...

Anyway, here's the problem. On the local side, I'm using Openssh 1.2.3 under Tru64 UNIX 5.0. The remote side is Tru64 UNIX 4.0f running ssh 1.2.27.

$ scp dax:3test .
speno at dax's password:
3test 98% |**************************** | 504 KB 00:00 ETAInterrupted system call
$ Write failed flushing stdout buffer.
write stdout: Broken pipe

And no, my dot files do not produce any output on the remote system.

It works when any of the following are true:

- stderr or stdout are redirected.
- Any descriptor (e.g. FD 6) is redirected to /dev/null.
- scp's -q option is used.
- The file copied is smaller than 512KB in size.
- the scp is run under trace (a truss-like thingy).

So, given the error, and the cases where it works, if you've got some ideas on how to fix it, please drop me a line. It'll save me some time.

Thanks.

From simpsons at kom.auc.dk Wed Apr 26 07:44:22 2000
From: simpsons at kom.auc.dk (Thomas Rasmussen)
Date: 25 Apr 2000 23:44:22 +0200
Subject: OpenSSH and Xauth
In-Reply-To: Thomas Rasmussen's message of "25 Apr 2000 17:23:47 +0200"
References: <28pu2gqfblo.fsf@lada.kom.auc.dk>
Message-ID: <28pk8hletzd.fsf@lada.kom.auc.dk>

>>>>> "Thomas" == Thomas Rasmussen writes:

Well with a little help I found out that the OpenSSH server I used (1.2.2) had a small defect, and I have upgraded to 1.2.3 and now it works...

Thomas
--
KOM Network student helper

"To alcohol! The cause of - and solution to - all of life's problems!" -- Homer Simpson

From speno at isc.upenn.edu Thu Apr 27 04:32:38 2000
From: speno at isc.upenn.edu (John P Speno)
Date: Wed, 26 Apr 2000 14:32:38 -0400
Subject: scp: write stdout: Broken pipe error (Tru64 UNIX)
In-Reply-To: <20000425161055.A43653@isc.upenn.edu>
References: <20000327114108.A124292@isc.upenn.edu> <20000414140659.A929@isc.upenn.edu> <20000425161055.A43653@isc.upenn.edu>
Message-ID: <20000426143238.A74483@isc.upenn.edu>

On Tue, Apr 25, 2000 at 04:10:55PM -0400, John P Speno wrote:
> On Fri, Apr 14, 2000 at 02:06:59PM -0400, John P Speno wrote:
> >
> > Just wanted to follow up on this issue because it's gone away. I've no idea
> > what was happening, so I'll blame user headspace error (my own).
>
> And another followup. I'm able to duplicate this at will now and I've
> tracked it down somewhat. I'll continue to work on finding the exact
> problem after my headache subsides...

I was able to get a system call trace of the problem in action, but I still haven't been able to fix it. The trace is here:

http://www.isc-net.upenn.edu/~speno/scp.trace.txt

Everything is running just fine until the SIGALRM is raised to let scp know it's time to update the progress meter while in a call to read(). This can be seen towards the end of that trace.

I'm mucking around in clientloop.c, trying to handle EINTR in read()s and write()s, but I haven't been able to fix anything that way yet.

Thanks to Theo de Raadt for sending some suggestions along.

From djm at mindrot.org Thu Apr 27 09:55:56 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 27 Apr 2000 09:55:56 +1000 (EST)
Subject: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=95669367427640&w=2 (fwd)
Message-ID:

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

---------- Forwarded message ----------
Date: Tue, 25 Apr 2000 19:55:56 -0600 (MDT)
From: Theo de Raadt To: djm at cvs.openbsd.org, markus at cvs.openbsd.org, provos at cvs.openbsd.org, speno at isc.upenn.edu Subject: re: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=95669367427640&w=2 Index: clientloop.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v retrieving revision 1.21 diff -u -r1.21 clientloop.c --- clientloop.c 2000/04/19 07:05:48 1.21 +++ clientloop.c 2000/04/26 01:54:54 @@ -873,6 +873,8 @@ len = write(fileno(stdout), buffer_ptr(&stdout_buffer), buffer_len(&stdout_buffer)); if (len <= 0) { + if (errno == EGAIN) + continue; error("Write failed flushing stdout buffer."); break; } @@ -884,6 +886,8 @@ len = write(fileno(stderr), buffer_ptr(&stderr_buffer), buffer_len(&stderr_buffer)); if (len <= 0) { + if (errno == EGAIN) + continue; error("Write failed flushing stderr buffer."); break; } From logix at foobar.franken.de Thu Apr 27 11:50:50 2000 From: logix at foobar.franken.de (Harold Gutch) Date: Thu, 27 Apr 2000 03:50:50 +0200 Subject: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=95669367427640&w=2 (fwd) In-Reply-To: ; from Damien Miller on Thu, Apr 27, 2000 at 09:55:56AM +1000 References: Message-ID: <20000427035050.D2795@foobar.franken.de> On Thu, Apr 27, 2000 at 09:55:56AM +1000, Damien Miller wrote: > + if (errno == EGAIN) > + continue; Just wondering, as my only OpenBSD box currently is down - shouldn't that be EAGAIN instead of EGAIN? At least I didn't find any reference of EGAIN under FreeBSD 2.2.8 and under Linux 2.2.14 (RedHat something if that matters) just right now... bye, Harold -- Someone should do a study to find out how many human life spans have been lost waiting for NT to reboot. Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc From speno at isc.upenn.edu Thu Apr 27 12:00:17 2000 
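Review bot: `EGAIN` in both clientloop.c hunks is not a defined errno constant (the replies already note it should be `EAGAIN`), so the patch does not compile as posted. The check is also placed inside `if (len <= 0)`: when `write()` returns 0 it has not set errno, so the comparison reads a stale value; test `len < 0` before consulting errno. For a SIGALRM-driven progress meter the errno to expect is `EINTR` rather than `EAGAIN`, and the same retry is needed around the interrupted `read()` the trace points at; and since `continue` just re-issues the `write()`, on a non-blocking descriptor this would spin instead of waiting, so a `poll()`/`select()` before retrying is preferable.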
From: speno at isc.upenn.edu (John P Speno)
Date: Wed, 26 Apr 2000 22:00:17 -0400
Subject: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=95669367427640&w=2 (fwd)
In-Reply-To: <20000427035050.D2795@foobar.franken.de>
References: <20000427035050.D2795@foobar.franken.de>
Message-ID: <20000426220017.D78307@isc.upenn.edu>

On Thu, Apr 27, 2000 at 03:50:50AM +0200, Harold Gutch wrote:
> On Thu, Apr 27, 2000 at 09:55:56AM +1000, Damien Miller wrote:
> > + if (errno == EGAIN)
> > + continue;
>
> Just wondering, as my only OpenBSD box currently is down -
> shouldn't that be EAGAIN instead of EGAIN?

Yes, it should, and that still doesn't fix the problem I'm seeing with scp. My system trace seems to indicate that the problem occurs when a read() is interrupted.

From djm at mindrot.org Thu Apr 27 12:23:39 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 27 Apr 2000 12:23:39 +1000 (EST)
Subject: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=95669367427640&w=2 (fwd)
In-Reply-To: <20000427035050.D2795@foobar.franken.de>
Message-ID:

On Thu, 27 Apr 2000, Harold Gutch wrote:

> On Thu, Apr 27, 2000 at 09:55:56AM +1000, Damien Miller wrote:
> > + if (errno == EGAIN)
> > + continue;
>
> Just wondering, as my only OpenBSD box currently is down -
> shouldn't that be EAGAIN instead of EGAIN?

Quite right

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From morgan at transmeta.com Thu Apr 27 13:54:19 2000
From: morgan at transmeta.com (Andrew Morgan) Date: Wed, 26 Apr 2000 20:54:19 -0700 Subject: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=95669367427640&w=2 (fwd) References: <20000427035050.D2795@foobar.franken.de> <20000426220017.D78307@isc.upenn.edu> Message-ID: <3907B9EB.88913290@transmeta.com> In situations like this, its usual that you would check for EINTR and retry the read if that's what you got. (EAGAIN is what you get when you do non-blocking IO and there was nothing to read.) Cheers Andrew John P Speno wrote: > > On Thu, Apr 27, 2000 at 03:50:50AM +0200, Harold Gutch wrote: > > On Thu, Apr 27, 2000 at 09:55:56AM +1000, Damien Miller wrote: > > > + if (errno == EGAIN) > > > + continue; > > > > Just wondering, as my only OpenBSD box currently is down - > > shouldn't that be EAGAIN instead of EGAIN? > > Yes, it should, and that still doesn't fix the problem I'm seeing with scp. > My system trace seems to indicate that the problem occurs when a read() is > interrupted. From egagnon at j-meg.com Fri Apr 28 01:45:38 2000 From: egagnon at j-meg.com (Etienne M. Gagnon) Date: Thu, 27 Apr 2000 11:45:38 -0400 Subject: Patch for supporting "-L" option in scp Message-ID: <390860A2.BB462755@j-meg.com> Hi! I am running Debian with the following package version: Package: ssh Version: 1:1.2.3-1 Severity: normal The "-L" option, to use a non-privileged port, is missing in "scp". Here is a simple patch that implements this option. Etienne -- ---------------------------------------------------------------------- Etienne M. Gagnon, M.Sc. e-mail: egagnon at j-meg.com Author of SableCC: http://www.sable.mcgill.ca/sablecc/ ---------------------------------------------------------------------- Index: 0.1/scp.c --- scp.c +++ scp.c 
@@ -103,6 +103,10 @@ /* This is the port to use in contacting the remote site (is non-NULL). */ char *port = NULL; +/* This is set to non-zero if non-privileged local port is desired. */ +int use_non_privileged_port = 0; + + /* * This function executes the given command as the specified user on the * given host. This returns < 0 if execution fails, and >= 0 otherwise. This @@ -178,6 +182,8 @@ args[i++] = "-l"; args[i++] = remuser; } + if (use_non_privileged_port) + args[i++] = "-P"; args[i++] = host; args[i++] = cmd; args[i++] = NULL; @@ -247,7 +253,7 @@ extern int optind; fflag = tflag = 0; - while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46")) != EOF) + while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:qL46")) != EOF) switch (ch) { /* User-visible flags. */ case '4': @@ -295,6 +301,9 @@ case 'q': showprogress = 0; break; + case 'L': + use_non_privileged_port = 1; + break; case '?': default: usage(); @@ -931,7 +940,7 @@ usage() { (void) fprintf(stderr, - "usage: scp [-pqrvC46] [-P port] [-c cipher] [-i identity] f1 f2; or:\n scp [options] f1 ... fn directory\n"); + "usage: scp [-pqrvCL46] [-P port] [-c cipher] [-i identity] f1 f2; or:\n scp [options] f1 ... fn directory\n"); exit(1); } -- System Information Debian Release: 2.2 Kernel Version: Linux www 2.2.13 #1 Tue Nov 30 19:54:46 EST 1999 i586 unknown Versions of the packages ssh depends on: ii libc6 2.1.3-8 GNU C Library: Shared libraries and Timezone data ii libpam-modules 0.72-7 Pluggable Authentication Modules for PAM ii libpam0g 0.72-7 Pluggable Authentication Modules library ii libssl09 0.9.4-5 SSL shared libraries ii libwrap0 7.6-4 Wietse Venema's TCP wrappers library ii zlib1g 1.1.3-5 compression library - runtime ^^^ (Provides virtual package libz1) From ishikawa at yk.rim.or.jp Fri Apr 28 05:08:59 2000 
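Review bot: the new `-L` flag is wired into getopt(), usage() and the ssh argument list, but none of the hunks touch the scp manual page, so `-L` stays undocumented for anyone who does not trip over usage(); add a scp.1 entry next to the usage string change. A second point on the hunk at @@ -178,6 +182,8 @@: scp's own `-P` means "port" (see the `[-P port]` in usage()), while the `-P` appended to the ssh command line in `args[i++] = "-P";` means "use a non-privileged port", and the patch relies on that difference silently; a one-line comment beside that assignment would stop the next reader from "fixing" it into a port argument.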
From: ishikawa at yk.rim.or.jp (Ishikawa)
Date: Fri, 28 Apr 2000 04:08:59 +0900
Subject: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=95669367427640&w=2 (fwd)
References: <20000427035050.D2795@foobar.franken.de> <20000426220017.D78307@isc.upenn.edu>
Message-ID: <3908904B.2159CAD2@yk.rim.or.jp>

John P Speno wrote:
> On Thu, Apr 27, 2000 at 03:50:50AM +0200, Harold Gutch wrote:
> > On Thu, Apr 27, 2000 at 09:55:56AM +1000, Damien Miller wrote:
> > > + if (errno == EGAIN)
> > > + continue;
> >
> > Just wondering, as my only OpenBSD box currently is down -
> > shouldn't that be EAGAIN instead of EGAIN?
>
> Yes, it should, and that still doesn't fix the problem I'm seeing with scp.
> My system trace seems to indicate that the problem occurs when a read() is
> interrupted.

I am curious about this thread: why don't the relevant references to read/write use atomicio() in atomicio.c? The usage should be clear.

	result = read(fd, buf, num)

becomes

	result = atomicio(read, fd, buf, num)

I have been bitten by similar interrupted system calls before. To avoid these problems, read/write ought to be wrapped in something like atomicio(). Most network read/write calls fall under this category.

One more tip I can think of. Although openssh/scp doesn't use ferror() at all, if we ever use ferror() [if we use (FILE *), that is, by assigning a buffered I/O data structure to the file descriptor], clearerr() needs to be called in order to clear the incorrectly raised error status due to the interrupted system call (!) This is true for at least Solaris 2.5.1, Solaris 7, etc. This is so counter-intuitive, and some well-known code failed to operate as the original authors intended for a long time due to this `feature', but people took the broken behavior for granted!

Happy Hacking,

Ishikawa

From fandrei at mail.rds.ro Fri Apr 28 19:40:15 2000
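An added example, written for this archive and not code from OpenSSH or from anyone on the list, of the wrapper Ishikawa is describing: a C atomicio() with the same contract as the one in OpenSSH's atomicio.c (retry on EINTR/EAGAIN, return the byte count, 0 on EOF, -1 on error), plus a demonstration of the exact failure in this thread. A child process dribbles a constructed scp-style control line down a pipe while SIGALRM, installed without SA_RESTART, keeps interrupting the parent's read(); a bare read() comes back short or with -1/EINTR, whereas atomicio() keeps retrying until it holds every byte. The sample message, the 5 ms timer, the 30 ms writer pauses and the demo_* function names are all this example's own assumptions.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Same contract as OpenSSH's atomicio(): keep calling f() until all n bytes
 * have moved, transparently retrying on EINTR and EAGAIN.  Returns n on
 * success, 0 if f() reported EOF first, -1 (errno set) on any other error. */
ssize_t atomicio(ssize_t (*f)(int, void *, size_t), int fd, void *buf, size_t n)
{
    char *s = buf;
    size_t pos = 0;

    while (pos < n) {
        ssize_t res = f(fd, s + pos, n - pos);
        if (res == -1) {
            if (errno == EINTR || errno == EAGAIN)
                continue;               /* interrupted or would block: retry */
            return -1;                  /* a real error: report it */
        }
        if (res == 0)
            return 0;                   /* EOF before n bytes */
        pos += (size_t)res;
    }
    return (ssize_t)pos;
}

/* write(2) takes a const pointer; this shim lets it be passed as f(). */
static ssize_t write_shim(int fd, void *buf, size_t n)
{
    return write(fd, buf, n);
}

/* Constructed sample payload (an scp "C" header line); not from the list. */
#define DEMO_MESSAGE "C0644 12 hello.txt\n"

/* Empty handler: a SIGALRM delivered without SA_RESTART makes a blocking
 * read(2) fail with EINTR instead of being restarted by the kernel. */
static void on_alarm(int sig) { (void)sig; }

/* Child writes DEMO_MESSAGE down a pipe in 6-byte pieces with 30 ms pauses
 * while the parent is hit by SIGALRM every 5 ms.  Returns what atomicio()
 * reported (expected: the full length); -1 on setup failure.  out receives
 * the NUL-terminated message. */
ssize_t demo_interrupted_read(char *out, size_t outlen)
{
    const size_t total = strlen(DEMO_MESSAGE);
    int p[2];
    pid_t pid;
    struct sigaction sa, old;
    struct itimerval it, off;
    ssize_t got;

    if (outlen <= total || pipe(p) == -1)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;           /* sa_flags deliberately lacks SA_RESTART */
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGALRM, &sa, &old) == -1)
        return -1;

    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {                     /* child: the slow writer */
        struct timespec pause = { 0, 30 * 1000 * 1000 };
        size_t i;
        close(p[0]);
        for (i = 0; i < total; i += 6) {
            size_t chunk = total - i < 6 ? total - i : 6;
            (void)atomicio(write_shim, p[1], (void *)(DEMO_MESSAGE + i), chunk);
            nanosleep(&pause, NULL);
        }
        _exit(0);
    }

    close(p[1]);
    memset(&it, 0, sizeof it);
    it.it_interval.tv_usec = 5000;      /* interrupt the parent every 5 ms */
    it.it_value.tv_usec = 5000;
    setitimer(ITIMER_REAL, &it, NULL);

    got = atomicio(read, p[0], out, total);   /* survives every EINTR */

    memset(&off, 0, sizeof off);
    setitimer(ITIMER_REAL, &off, NULL); /* stop the timer ...             */
    signal(SIGALRM, SIG_IGN);           /* ... discard anything pending    */
    sigaction(SIGALRM, &old, NULL);     /* ... and restore the disposition */
    close(p[0]);
    waitpid(pid, NULL, 0);
    out[got > 0 ? (size_t)got : 0] = '\0';
    return got;
}

/* Quiet pipe: atomicio() returns the full count, then 0 (EOF, not error). */
int demo_pipe_roundtrip(void)
{
    int p[2];
    char in[8];
    if (pipe(p) == -1)
        return -1;
    if (atomicio(write_shim, p[1], (void *)"abcdef", 6) != 6)
        return -2;
    close(p[1]);
    if (atomicio(read, p[0], in, 6) != 6 || memcmp(in, "abcdef", 6) != 0)
        return -3;
    if (atomicio(read, p[0], in, 1) != 0)
        return -4;
    close(p[0]);
    return 0;
}

int main(void)
{
    char buf[64];
    ssize_t n = demo_interrupted_read(buf, sizeof buf);
    printf("atomicio collected %zd of %zu bytes: %s", n, strlen(DEMO_MESSAGE), buf);
    printf("quiet pipe check: %d\n", demo_pipe_roundtrip());
    return 0;
}
```

Replacing `atomicio(read, ...)` in demo_interrupted_read with a single bare `read()` is the quickest way to see the problem Speno's trace showed: the call returns as soon as the first chunk arrives, or with EINTR if the alarm fires first. The shim for write(2) is only needed because of the `const` on its buffer argument; OpenSSH sidestepped that with an unprototyped function pointer.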
From: fandrei at mail.rds.ro (Florin Andrei)
Date: Fri, 28 Apr 2000 12:40:15 +0300
Subject: port forwarding
Message-ID: <39095C7F.1C1072C1@rds.ro>

Ok, so this is not a users list, but I really don't know where to ask. Maybe a future openssh-unix-users at mindrot.org will take this kind of problem... :-)

So, I'm trying to forward a POP3 connection over an SSH tunnel, using openssh-1.2.3 both on the server and on the client. My host is atlanta.rds.ro and the mailserver is mail.rds.ro. I did it like this:

ssh -L 110:mail.rds.ro:110 mail.rds.ro

After authenticating myself on mail.rds.ro, port 110 appeared as open on localhost, and it forwarded requests to mail.rds.ro - this was ok. The sniffer revealed that the traffic went between my host and mail.rds.ro:22 - meaning that POP-over-SSH was actually working. Ok 'till now...

After that, I tried this:

ssh -L 110:mail.rds.ro:110 localhost

110 was opened again on my machine, forwarding the requests to mail.rds.ro. Ok again. But... after sniffing the interface, I saw that, this time, the packets were sent to mail.rds.ro:110, not to mail.rds.ro:22, so this wasn't actually POP3 over SSH! The only difference was that, this time, I wasn't authenticated on the mail server itself, but on localhost.

The problem is that I want to forward POP3 over SSH, but not authenticate myself into a shell account on the mailserver. I don't want this, because we have a very strict shell policy here, and we don't want to leave accounts with shell access enabled.

How can I obtain a true pop-over-ssh connection without using shell access on the server?

Sorry if I was too off-topic.

Regards,
--
Florin Andrei
mailto:florin at linuxstart.com
http://members.linuxstart.com/~florin/
tel: +40-93-261162

From markus.friedl at informatik.uni-erlangen.de Fri Apr 28 20:23:09 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 28 Apr 2000 12:23:09 +0200
Subject: port forwarding
In-Reply-To: <39095C7F.1C1072C1@rds.ro>; from fandrei@mail.rds.ro on Fri, Apr 28, 2000 at 12:40:15PM +0300
References: <39095C7F.1C1072C1@rds.ro>
Message-ID: <20000428122309.A5583@folly.informatik.uni-erlangen.de>

On Fri, Apr 28, 2000 at 12:40:15PM +0300, Florin Andrei wrote:
> ssh -L 110:mail.rds.ro:110 localhost
>
> 110 was opened again on my machine, forwarding the requests to
> mail.rds.ro. Ok again.
> But... after sniffing the interface, i saw that, this time, the packets
> were sent to mail.rds.ro:110, not to mail.rds.ro:22 so this wasn't actually
> POP3 over SSH! The only difference was that, this time, i wasn't
> authenticated on the mail server itself, but on localhost.

This is what you specified. These two are equivalent:

% ssh -L 110:mail.rds.ro:110 mail.rds.ro
% ssh -L 110:localhost:110 mail.rds.ro

but not this one:

% ssh -L 110:mail.rds.ro:110 localhost

as the ssh connection is from localhost to localhost.

> The problem is that i want to forward POP3 over SSH, but not authenticate
> myself into a shell account on the mailserver. I don't wanna this, because
> we have here very strict shell policy, and we don't wanna leave accounts
> with shell access enabled.

You need to start a shell if port forwarding should work. You could give away a shell that just sleeps for, say, 60 seconds.

> How can i obtain a true pop-over-ssh connection without using shell access
> on the server?

openssh2 could do this, but it's not ready.

From rjune at ims1.imagestream-is.com Sat Apr 29 03:22:49 2000
From: rjune at ims1.imagestream-is.com (Richard June) Date: Fri, 28 Apr 2000 12:22:49 -0500 (EST) Subject: OpenSSH for RedHat/Sparc and RedHat/Alpha Message-ID: I have RPMs for RedHat/[Alpha|Sparc] where would I upload them?? ftp://ftp.c-60.org/pub/openssh/ is the URL for the Sparc RPMs http://alpha.bravegnuworld.com/openssh is the URL for the Alpha RPMs From guym at guymcarthur.com Sat Apr 29 05:35:47 2000 From: guym at guymcarthur.com (Guy McArthur) Date: Fri, 28 Apr 2000 12:35:47 -0700 (MST) Subject: problem need help Message-ID: I've installed the openss* rpm's from metalab.unc.edu/pub/Linux/distributions/redhat/contrib/libc6/i386 on a redhat 6.2 system. sshd is running but refuses all connections from all hosts including localhost. The client reports debug: Connection established. ssh_exchange_identification: Connection closed by remote host debug: Calling cleanup 0x8056160(0x0) I can't slogin as myself on localhost, can't login as root (even though I've generated a key pair, and put it in root's .ssh/authorized_keys). What gives? -- Guy "Smiley" McArthur [email] guym at guymcarthur.com [home#] 520.326.4555 [work#] 520.881.8101 From rjune at ims1.imagestream-is.com Sat Apr 29 05:45:15 2000 
From: rjune at ims1.imagestream-is.com (Richard June) Date: Fri, 28 Apr 2000 14:45:15 -0500 (EST) Subject: problem need help In-Reply-To: Message-ID: I think ssh adheres to /etc/hosts.allow and /etc/hosts.deny On Fri, 28 Apr 2000, Guy McArthur wrote: > I've installed the openss* rpm's from > metalab.unc.edu/pub/Linux/distributions/redhat/contrib/libc6/i386 > on a redhat 6.2 system. > > sshd is running but refuses all connections from all hosts including > localhost. The client reports debug: Connection established. > ssh_exchange_identification: Connection closed by remote host > debug: Calling cleanup 0x8056160(0x0) > > I can't slogin as myself on localhost, can't login as root (even though > I've generated a key pair, and put it in root's .ssh/authorized_keys). > > What gives? > -- > Guy "Smiley" McArthur > [email] guym at guymcarthur.com [home#] 520.326.4555 [work#] 520.881.8101 > > > From guym at guymcarthur.com Sat Apr 29 05:46:56 2000 From: guym at guymcarthur.com (Guy McArthur) Date: Fri, 28 Apr 2000 12:46:56 -0700 (MST) Subject: problem need help In-Reply-To: Message-ID: > I think ssh adheres to /etc/hosts.allow and /etc/hosts.deny > Okay, thanks a lot. Usually, only inetd spawned daemons use tcp wrappers, right? -- Guy "Smiley" McArthur [email] guym at guymcarthur.com [home#] 520.326.4555 [work#] 520.881.8101 From aforster at br.ibm.com Sat Apr 29 05:49:02 2000 
From: aforster at br.ibm.com (Antonio Paulo Salgado Forster) Date: Fri, 28 Apr 2000 16:49:02 -0300 (BRT) Subject: problem need help In-Reply-To: Message-ID: No, you can compile them with libwrap.a regards, Forster //Date: Fri, 28 Apr 2000 12:46:56 -0700 (MST) //From: Guy McArthur //To: Richard June //Cc: openssh-unix-dev at mindrot.org //Subject: Re: problem need help // //> I think ssh adheres to /etc/hosts.allow and /etc/hosts.deny //> //Okay, thanks a lot. Usually, only inetd spawned daemons use tcp wrappers, //right? //-- //Guy "Smiley" McArthur //[email] guym at guymcarthur.com [home#] 520.326.4555 [work#] 520.881.8101 // // // From jmknoble at pint-stowp.cx Sat Apr 29 05:52:06 2000 From: jmknoble at pint-stowp.cx (Jim Knoble) Date: Fri, 28 Apr 2000 15:52:06 -0400 Subject: problem need help In-Reply-To: ; from Guy McArthur on Fri, Apr 28, 2000 at 12:46:56PM -0700 References: Message-ID: <20000428155206.F30164@ntrnet.net> Circa 2000-Apr-28 12:46:56 -0700 schrieb Guy McArthur: : > I think ssh adheres to /etc/hosts.allow and /etc/hosts.deny : > : Okay, thanks a lot. Usually, only inetd spawned daemons use tcp wrappers, : right? Actually, anything that's built with tcp-wrappers support also uses it. For example, under many Linux distributions, the portmap daemon and rpc.mountd have historically used tcp-wrappers. Exim (a mail transport agent), ssh.com's ssh v1, and OpenSSH all can be built with support for tcp-wrappers as well. -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ From rjune at ims1.imagestream-is.com Sat Apr 29 06:11:50 2000 
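To make the tcp-wrappers point in this thread concrete, here is an added example (not libwrap's code, and not from anyone on the list) that implements the decision order a libwrap-built sshd applies before it ever sends its version string: a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise access is granted. It handles only a subset of the hosts_access(5) syntax (ALL, exact addresses and trailing-dot network prefixes; no EXCEPT, netmasks or hostname lookups), and the two sample files are constructed for the demonstration. The last client in main() reproduces the symptom Guy reported: a hosts.deny of `ALL: ALL` with no matching hosts.allow line closes the connection before the identification exchange, so the client sees only "ssh_exchange_identification: Connection closed by remote host".

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <stdio.h>
#include <string.h>

/* Constructed sample files: "deny everything, allow the listed clients". */
#define SAMPLE_ALLOW "# hosts.allow (constructed)\nsshd: 127.0.0.1 192.168.1.\n"
#define SAMPLE_DENY  "# hosts.deny (constructed)\nALL: ALL\n"

/* One token against a daemon name or dotted client address.  Subset of
 * hosts_access(5): ALL matches anything, a token ending in '.' is a prefix
 * match on the address, anything else must match exactly. */
static int token_matches(const char *tok, const char *value)
{
    size_t n = strlen(tok);
    if (strcmp(tok, "ALL") == 0)
        return 1;
    if (n > 0 && tok[n - 1] == '.')
        return strncmp(tok, value, n) == 0;
    return strcmp(tok, value) == 0;
}

/* Does any token of a space/comma separated list match value?  (Modifies list.) */
static int list_matches(char *list, const char *value)
{
    char *save = NULL;
    for (char *t = strtok_r(list, " ,\t", &save); t; t = strtok_r(NULL, " ,\t", &save))
        if (token_matches(t, value))
            return 1;
    return 0;
}

/* Walk one file's text line by line looking for "daemons : clients".
 * '#' starts a comment.  Returns 1 on the first line where both lists match. */
static int file_matches(const char *contents, const char *daemon, const char *client)
{
    const char *p = contents;
    while (*p) {
        char line[256];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;          /* over-long lines are truncated */
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;

        char *hash = strchr(line, '#');
        if (hash)
            *hash = '\0';
        char *colon = strchr(line, ':');
        if (!colon)
            continue;                       /* blank, comment or malformed */
        *colon = '\0';
        if (list_matches(line, daemon) && list_matches(colon + 1, client))
            return 1;
    }
    return 0;
}

/* libwrap's order of evaluation: hosts.allow grants, then hosts.deny
 * refuses, and a client matched by neither file is let in.  Returns 1/0. */
int hosts_access_decision(const char *allow, const char *deny,
                          const char *daemon, const char *client)
{
    if (file_matches(allow, daemon, client))
        return 1;
    if (file_matches(deny, daemon, client))
        return 0;
    return 1;
}

int main(void)
{
    const char *clients[] = { "127.0.0.1", "192.168.1.7", "10.0.0.5" };
    for (size_t i = 0; i < 3; i++)
        printf("sshd from %-12s -> %s\n", clients[i],
               hosts_access_decision(SAMPLE_ALLOW, SAMPLE_DENY, "sshd", clients[i])
                   ? "allowed"
                   : "refused before the version string is sent");
    return 0;
}
```

The check runs with the full hosts.allow/hosts.deny text in memory; on a real host the same logic is what libwrap's hosts_access() performs against the two files, and because the refusal happens before sshd's banner, nothing of it is visible in the client's debug output beyond the closed connection, which is why a wrappers problem is easy to mistake for a broken daemon.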
From: rjune at ims1.imagestream-is.com (Richard June) Date: Fri, 28 Apr 2000 15:11:50 -0500 (EST) Subject: problem need help In-Reply-To: Message-ID: no.. inetd uses TCPWrappers, so any program spawned by inetd gets that ability. On Fri, 28 Apr 2000, Guy McArthur wrote: > > I think ssh adheres to /etc/hosts.allow and /etc/hosts.deny > > > Okay, thanks a lot. Usually, only inetd spawned daemons use tcp wrappers, > right? > -- > Guy "Smiley" McArthur > [email] guym at guymcarthur.com [home#] 520.326.4555 [work#] 520.881.8101 > From cjc5 at po.cwru.edu Sat Apr 29 07:47:40 2000 From: cjc5 at po.cwru.edu (Craig J Copi) Date: Fri, 28 Apr 2000 17:47:40 -0400 Subject: openssh bug? Message-ID: <200004282147.RAA21045@boss.phys.cwru.edu> On a RH6.0 box, openssh compiled by me: openssh 1.2.2 with openssl 0.9.4 without rsaref worked fine openssh 1.2.3 with openssl 0.9.5a with rsaref gives me the error rsa_public_encrypt() failed to only SOME (ssh-1.2.2x) hosts, but not all. I have traced this to the fact that they were run with -b 1024 instead of the default 768. I have switched most of these back to the default so they work now. Is this expected behavior? I have not searched through the code to find out why it happens or if it should. Craig From yuri at iqnest.com Sat Apr 29 11:59:24 2000 
From: yuri at iqnest.com (Yuri Litvin)
Date: Fri, 28 Apr 2000 18:59:24 -0700
Subject: OpenSSH and IRIX?
Message-ID: <013c01bfb17e$8ab88f50$1d0a0a0a@main.iqnest.com>

Hey guys :-)

I'm trying to set up OpenSSH 1.2.3 on IRIX 6.5.6. I haven't been successful so far :-( I've compiled the latest openssl (the one that is on the same ftp site as openssh), and it goes to /usr/local/ssl, but then openssh's ./configure fails with "Could not find working SSLeay / OpenSSL libraries, please install". So I do ./configure --with-ssl-dir=/usr/local/ssl/lib/ - doesn't work; then the same with /usr/local/ssl/include, /usr/local/ssl ---- still the same result.

Which compiler should I use? I've tried to compile openssl with mips-cc and with gcc 2.81, still the same error.

Am I doing something really stupid and wrong, but can't get it 'cuz it's Friday? ;-)

Any tips or suggestions are greatly appreciated.

Thanks a lot for your reply :-)

From djm at mindrot.org Sat Apr 29 18:23:22 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 29 Apr 2000 18:23:22 +1000 (EST)
Subject: Password authentication problems
In-Reply-To: <20000421151609.41102.qmail@hotmail.com>
Message-ID:

On Fri, 21 Apr 2000, Artit Jirapatnakul wrote:
> I'm having a problem getting OpenSSH to correctly authenticate
> passwords. I'm doing authentication against a shadow file
> (/etc/shadow) because I don't have PAM installed.
>
> I'm using Slackware 7.0, OpenSSH 1.2.3, OpenSSL 0.95a, and glibc
> with the crypt addon.

Did you compile with --with-md5-passwords?

-d
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sat Apr 29 18:25:54 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 29 Apr 2000 18:25:54 +1000 (EST)
Subject: Question about ssh-askpass
In-Reply-To: <877ldrcq8n.fsf@mail.unixuser.org>
Message-ID:

On 22 Apr 2000, Daiki Ueno wrote:
> Hello.
>
> I'm new to the list, and I have some questions.
>
> I'd like to use ssh as a subprocess, and I'm looking for a generic way
> of passing a passphrase. So far as I know, in SSH Communications'
> implementation of SSH, ssh invokes ssh-askpass just as
> ssh-add does. Is the lack of this just for security reasons?
>
> Are there any plans to use some kind of readymade option parsing
> routine--such as getopt?

No. If passwords were passed in on the command line, then they would show up to everyone else on the system in a "ps". You could either use ssh-agent or create key files without passphrases.

-d
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From preed at sigkill.com Sat Apr 29 21:25:45 2000
From: preed at sigkill.com (J. Paul Reed)
Date: Sat, 29 Apr 2000 04:25:45 -0700 (PDT)
Subject: BUG: ssh-agent memory leak
Message-ID:

Hey all!

I've been using OpenSSH on Linux since version 1.2.2; great work...

There is, however, a pretty noticeable memory leak in ssh-agent.

I use ssh-agent to provide RSA authorization to automatically open an ssh connection to download POP mail every three minutes. When I was using the standard ssh-agent from 1.2.27 (not OpenSSH), I could leave ssh-agent running for the entire uptime of my machine (typically around 50 days at a time), and the process would take up about 500k, and stay at that amount of memory usage.

OpenSSH's ssh-agent, however, will start at around that size, and then while it's running, balloon in size. By 3 to 4 days of usage, the process is sitting at around 10 megs; I actually forgot about the leak, and didn't restart the daemon for about 10 days, and it was using about 35 megs. This was the case with both 1.2.2p1 and 1.2.3.

I'm not familiar with the source code, but I'd be happy to help in any way that I can... memory stats or whatever... I figure there's probably some obvious free() that's not being done somewhere...

TIA.

Later,
Paul
------------------------------------------------------------------------
J. Paul Reed preed at sigkill.com || www.sigkill.com/preed
I used to be with it, but then they changed what "it" was. Now, what I'm with isn't it, and what's "it" seems weird and scary to me. --Grandpa Simpson

From djm at mindrot.org Sun Apr 30 00:17:18 2000
From: djm at mindrot.org (Damien Miller) Date: Sun, 30 Apr 2000 00:17:18 +1000 (EST) Subject: OpenSSH on HP-UX 11 with TCB In-Reply-To: <38B79FDD.5268FEAB@yacc.com.au> Message-ID: On Sat, 26 Feb 2000, Ged Lodder wrote: > Hi, > > an updated and more civilized post (to my one and only previous one) > on getting OpenSSH to work on HP-UX 11 using the TCB. I used the HP > ANSI C compiler. Attached is the patch that I have applied. It will be in the openssh-2.0 test release (either tonight or tomorrow). Thanks for the fixes! Damien -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sun Apr 30 00:22:36 2000 From: djm at mindrot.org (Damien Miller) Date: Sun, 30 Apr 2000 00:22:36 +1000 (EST) Subject: scp problems In-Reply-To: <3908904B.2159CAD2@yk.rim.or.jp> Message-ID: On Fri, 28 Apr 2000, Ishikawa wrote: > I am curious about this thread: > > Why don't relevant references to read/write use atomicio() in > atomicio.c? I agree. Anyone who has been experiencing problems with scp, please try the attached patch. It replaces all plain read() and write() calls with atomicio() reads and writes(). Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -------------- next part -------------- Index: scp.c =================================================================== RCS file: /var/cvs/openssh/scp.c,v retrieving revision 1.20 diff -u -r1.20 scp.c --- scp.c 2000/04/19 06:26:14 1.20 +++ scp.c 2000/04/29 14:19:33 @@ -543,7 +543,7 @@ (void) sprintf(buf, "T%lu 0 %lu 0\n", (unsigned long) stb.st_mtime, (unsigned long) stb.st_atime); - (void) write(remout, buf, strlen(buf)); + (void) atomicio(write, remout, buf, strlen(buf)); if (response() < 0) goto next; } 
@@ -556,7 +556,7 @@ fprintf(stderr, "Sending file modes: %s", buf); fflush(stderr); } - (void) write(remout, buf, strlen(buf)); + (void) atomicio(write, remout, buf, strlen(buf)); if (response() < 0) goto next; if ((bp = allocbuf(&buffer, fd, 2048)) == NULL) { @@ -573,12 +573,12 @@ if (i + amt > stb.st_size) amt = stb.st_size - i; if (!haderr) { - result = read(fd, bp->buf, amt); + result = atomicio(read, fd, bp->buf, amt); if (result != amt) haderr = result >= 0 ? EIO : errno; } if (haderr) - (void) write(remout, bp->buf, amt); + (void) atomicio(write, remout, bp->buf, amt); else { result = atomicio(write, remout, bp->buf, amt); if (result != amt) @@ -592,7 +592,7 @@ if (close(fd) < 0 && !haderr) haderr = errno; if (!haderr) - (void) write(remout, "", 1); + (void) atomicio(write, remout, "", 1); else run_err("%s: %s", name, strerror(haderr)); (void) response(); @@ -621,7 +621,7 @@ (void) sprintf(path, "T%lu 0 %lu 0\n", (unsigned long) statp->st_mtime, (unsigned long) statp->st_atime); - (void) write(remout, path, strlen(path)); + (void) atomicio(write, remout, path, strlen(path)); if (response() < 0) { closedir(dirp); return; @@ -632,7 +632,7 @@ 0, last); if (verbose_mode) fprintf(stderr, "Entering directory: %s", path); - (void) write(remout, path, strlen(path)); + (void) atomicio(write, remout, path, strlen(path)); if (response() < 0) { closedir(dirp); return; @@ -651,7 +651,7 @@ source(1, vect); } (void) closedir(dirp); - (void) write(remout, "E\n", 2); + (void) atomicio(write, remout, "E\n", 2); (void) response(); } 
@@ -687,17 +687,17 @@ if (targetshouldbedirectory) verifydir(targ); - (void) write(remout, "", 1); + (void) atomicio(write, remout, "", 1); if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode)) targisdir = 1; for (first = 1;; first = 0) { cp = buf; - if (read(remin, cp, 1) <= 0) + if (atomicio(read, remin, cp, 1) <= 0) return; if (*cp++ == '\n') SCREWUP("unexpected "); do { - if (read(remin, &ch, sizeof(ch)) != sizeof(ch)) + if (atomicio(read, remin, &ch, sizeof(ch)) != sizeof(ch)) SCREWUP("lost connection"); *cp++ = ch; } while (cp < &buf[sizeof(buf) - 1] && ch != '\n'); @@ -705,7 +705,7 @@ if (buf[0] == '\01' || buf[0] == '\02') { if (iamremote == 0) - (void) write(STDERR_FILENO, + (void) atomicio(write, STDERR_FILENO, buf + 1, strlen(buf + 1)); if (buf[0] == '\02') exit(1); @@ -713,7 +713,7 @@ continue; } if (buf[0] == 'E') { - (void) write(remout, "", 1); + (void) atomicio(write, remout, "", 1); return; } if (ch == '\n') @@ -737,7 +737,7 @@ getnum(dummy_usec); if (*cp++ != '\0') SCREWUP("atime.usec not delimited"); - (void) write(remout, "", 1); + (void) atomicio(write, remout, "", 1); continue; } if (*cp != 'C' && *cp != 'D') { @@ -816,7 +816,7 @@ bad: run_err("%s: %s", np, strerror(errno)); continue; } - (void) write(remout, "", 1); + (void) atomicio(write, remout, "", 1); if ((bp = allocbuf(&buffer, ofd, 4096)) == NULL) { (void) close(ofd); continue; @@ -835,7 +835,7 @@ amt = size - i; count += amt; do { - j = read(remin, cp, amt); + j = atomicio(read, remin, cp, amt); if (j <= 0) { run_err("%s", j ? strerror(errno) : "dropped connection"); @@ -848,7 +848,7 @@ if (count == bp->cnt) { /* Keep reading so we stay sync'd up. */ if (wrerr == NO) { - j = write(ofd, bp->buf, count); + j = atomicio(write, ofd, bp->buf, count); if (j != count) { wrerr = YES; wrerrno = j >= 0 ? EIO : errno; 
@@ -861,7 +861,7 @@ if (showprogress) progressmeter(1); if (count != 0 && wrerr == NO && - (j = write(ofd, bp->buf, count)) != count) { + (j = atomicio(write, ofd, bp->buf, count)) != count) { wrerr = YES; wrerrno = j >= 0 ? EIO : errno; } @@ -897,7 +897,7 @@ run_err("%s: %s", np, strerror(wrerrno)); break; case NO: - (void) write(remout, "", 1); + (void) atomicio(write, remout, "", 1); break; case DISPLAYED: break; @@ -913,7 +913,7 @@ { char ch, *cp, resp, rbuf[2048]; - if (read(remin, &resp, sizeof(resp)) != sizeof(resp)) + if (atomicio(read, remin, &resp, sizeof(resp)) != sizeof(resp)) lostconn(0); cp = rbuf; @@ -926,13 +926,13 @@ case 1: /* error, followed by error msg */ case 2: /* fatal error, "" */ do { - if (read(remin, &ch, sizeof(ch)) != sizeof(ch)) + if (atomicio(read, remin, &ch, sizeof(ch)) != sizeof(ch)) lostconn(0); *cp++ = ch; } while (cp < &rbuf[sizeof(rbuf) - 1] && ch != '\n'); if (!iamremote) - (void) write(STDERR_FILENO, rbuf, cp - rbuf); + (void) atomicio(write, STDERR_FILENO, rbuf, cp - rbuf); ++errs; if (resp == 1) return (-1); @@ -1240,7 +1240,7 @@ alarmtimer(1); } else if (flag == 1) { alarmtimer(0); - write(fileno(stdout), "\n", 1); + atomicio(write, fileno(stdout), "\n", 1); statbytes = 0; } } From djm at mindrot.org Sun Apr 30 00:23:15 2000 
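Review bot: in the hunk at @@ -835,7 +835,7 @@ the surrounding do/while already loops on short reads, advancing cp and decrementing amt, so with atomicio() doing the same retry internally the loop body now runs once unless atomicio() returns 0 or -1; harmless, but the message logic `j ? strerror(errno) : "dropped connection"` now depends on atomicio() preserving read()'s contract of -1 plus errno for errors and 0 for EOF, and that assumption deserves a comment at the call. Related, the hunk at @@ -573,12 +573,12 @@ keeps `haderr = result >= 0 ? EIO : errno` after the atomicio(read): a non-negative short result there now means the local file hit EOF before stb.st_size bytes (it shrank under us) rather than a transient short read, so EIO is defensible but a more specific message would help the user. The diff changes scp.c only; a ChangeLog line would be expected alongside it.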
From: djm at mindrot.org (Damien Miller) Date: Sun, 30 Apr 2000 00:23:15 +1000 (EST) Subject: OpenSSH on HP-UX 11 with TCB In-Reply-To: Message-ID: On Sun, 30 Apr 2000, Damien Miller wrote: This email even has the patch attached. > On Sat, 26 Feb 2000, Ged Lodder wrote: > > > Hi, > > > > an updated and more civilized post (to my one and only previous one) > > on getting OpenSSH to work on HP-UX 11 using the TCB. I used the HP > > ANSI C compiler. > > Attached is the patch that I have applied. It will be in the > openssh-2.0 test release (either tonight or tomorrow). > > Thanks for the fixes! > > Damien > > -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -------------- next part -------------- ? hpsux-tcb.txt Index: CREDITS =================================================================== RCS file: /var/cvs/openssh/CREDITS,v retrieving revision 1.20 diff -u -r1.20 CREDITS --- CREDITS 2000/04/23 01:14:01 1.20 +++ CREDITS 2000/04/29 14:15:52 @@ -21,6 +21,7 @@ David Hesprich - Configure fixes David Rankin - libwrap, AIX, NetBSD fixes Gary E. Miller - SCO support +Ged Lodder - HPUX fixes and enhancements HARUYAMA Seigo - Translations & doc fixes Hideaki YOSHIFUJI - IPv6 fixes Hiroshi Takekawa - Configure fixes Index: ChangeLog =================================================================== RCS file: /var/cvs/openssh/ChangeLog,v retrieving revision 1.270 diff -u -r1.270 ChangeLog --- ChangeLog 2000/04/29 13:57:08 1.270 +++ ChangeLog 2000/04/29 14:15:58 
@@ -1,3 +1,7 @@ +20000430 + - Merge HP-UX fixes and TCB support from Ged Lodder + - + 20000429 - Merge big update to OpenSSH-2.0 from OpenBSD CVS [README.openssh2] Index: auth-pam.c =================================================================== RCS file: /var/cvs/openssh/auth-pam.c,v retrieving revision 1.3 diff -u -r1.3 auth-pam.c --- auth-pam.c 2000/04/20 13:12:58 1.3 +++ auth-pam.c 2000/04/29 14:16:00 @@ -226,7 +226,11 @@ /* Return list of PAM enviornment strings */ char **fetch_pam_environment(void) { +#ifdef HAVE_PAM_GETENVLIST return(pam_getenvlist((pam_handle_t *)pamh)); +#else /* HAVE_PAM_GETENVLIST */ + return(NULL); +#endif /* HAVE_PAM_GETENVLIST */ } /* Print any messages that have been generated during authentication */ Index: auth-passwd.c =================================================================== RCS file: /var/cvs/openssh/auth-passwd.c,v retrieving revision 1.18 diff -u -r1.18 auth-passwd.c --- auth-passwd.c 2000/04/16 02:31:49 1.18 +++ auth-passwd.c 2000/04/29 14:16:00 @@ -19,9 +19,12 @@ #include "xmalloc.h" #ifdef WITH_AIXAUTHENTICATE -#include +# include #endif - +#ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW +# include +# include +#endif #ifdef HAVE_SHADOW_H # include #endif @@ -108,7 +111,11 @@ else encrypted_password = crypt(password, salt); #else /* HAVE_MD5_PASSWORDS */ +# ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW + encrypted_password = bigcrypt(password, salt); +# else encrypted_password = crypt(password, salt); +# endif /* HAVE_HPUX_TRUSTED_SYSTEM_PW */ #endif /* HAVE_MD5_PASSWORDS */ /* Authentication is accepted if the encrypted passwords are identical. */ Index: configure.in =================================================================== RCS file: /var/cvs/openssh/configure.in,v retrieving revision 1.111 diff -u -r1.111 configure.in --- configure.in 2000/04/23 01:14:02 1.111 +++ configure.in 2000/04/29 14:16:00 
@@ -56,6 +56,28 @@ MANTYPE='$(CATMAN)' mansubdir=cat ;; +*-*-hpux11*) + if test -z "$GCC"; then + CFLAGS="$CFLAGS -Ae" + fi + CFLAGS="$CFLAGS -D_HPUX_SOURCE" + CFLAGS="$CFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib" + AC_DEFINE(IPADDR_IN_DISPLAY) + AC_DEFINE(USE_UTMPX) + AC_MSG_CHECKING(for HPUX trusted system password database) + if test -f /tcb/files/auth/system/default; then + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_HPUX_TRUSTED_SYSTEM_PW) + LIBS="$LIBS -lsec" + AC_MSG_WARN([This configuration is untested]) + else + AC_MSG_RESULT(no) + AC_DEFINE(DISABLE_SHADOW) + fi + MANTYPE='$(CATMAN)' + mansubdir=cat + ;; *-*-irix5*) CFLAGS="$CFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" @@ -139,6 +161,8 @@ if test -z "$no_pam" -a "x$ac_cv_header_security_pam_appl_h" = "xyes" ; then AC_CHECK_LIB(dl, dlopen, , ) LIBS="$LIBS -lpam" + + AC_CHECK_FUNC(pam_getenvlist) # Check PAM strerror arguments (old PAM) AC_MSG_CHECKING([whether pam_strerror takes only one argument]) From djm at mindrot.org Sun Apr 30 00:27:19 2000 
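Review bot: in the configure.in hunk at @@ -139,6 +161,8 @@, `AC_CHECK_FUNC(pam_getenvlist)` with no action arguments only records the result in the cache; it does not emit a HAVE_PAM_GETENVLIST define, yet the auth-pam.c hunk gates the real pam_getenvlist() call on `#ifdef HAVE_PAM_GETENVLIST` and returns NULL otherwise. As written, fetch_pam_environment() would return NULL on every platform and the PAM environment would be silently dropped; use `AC_CHECK_FUNCS(pam_getenvlist)` (plural), which does define the macro. Two smaller points: the ChangeLog hunk leaves an empty ` - ` bullet under 20000430, and the new hpux11 case detects the trusted system by testing for /tcb/files/auth/system/default on the build machine, which is fine for native builds but misdetects when configuring for another host; the accompanying "This configuration is untested" warning is appropriate.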
From: djm at mindrot.org (Damien Miller) Date: Sun, 30 Apr 2000 00:27:19 +1000 (EST) Subject: OpenSSH and IRIX? In-Reply-To: <013c01bfb17e$8ab88f50$1d0a0a0a@main.iqnest.com> Message-ID: On Fri, 28 Apr 2000, Yuri Litvin wrote: > Hey guys :-) > I'm trying to set up Openssh 1.2.3 on the IRIX 6.5.6. I wasn't > successful so far :-( I've compiled latest openssl (the one that > is on the same ftp site as openssh), and it goes to /usr/local/ssl > , but then openssh's ./configure fails with the "Could not find > working SSLeay / OpenSSL libraries, please install". So i do > ./configure --with-ssl-dir=/usr/local/ssl/lib/ -doesn't, then the > same with /usr/local/ssl/include, /usr/local/ssl ---- still the same > result. Is OpenSSL compiled with the same compiler as OpenSSH? I have had problems on Irix with libraries compiled with different compilers. Have a look at config.log (send it to me if you like). There should be a few compilation failure messages at the end when it was trying to search for openssl - they should tell you more. Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sun Apr 30 00:43:06 2000 From: djm at mindrot.org (Damien Miller) Date: Sun, 30 Apr 2000 00:43:06 +1000 (EST) Subject: BUG: ssh-agent memory leak In-Reply-To: Message-ID: On Sat, 29 Apr 2000, J. Paul Reed wrote: > > Hey all! > > I've been using OpenSSH on Linux since version 1.2.2; great work... > > There is, however, a pretty noticable memory leak in ssh-agent. Found and fixed in the next version. Here's a patch for now: --- ssh-agent.c 2000/04/16 02:31:52 1.20 +++ ssh-agent.c 2000/04/21 05:55:21 1.23 
@@ -440,6 +440,8 @@ shutdown(sockets[i].fd, SHUT_RDWR); close(sockets[i].fd); sockets[i].type = AUTH_UNUSED; + buffer_free(&sockets[i].input); + buffer_free(&sockets[i].output); break; } buffer_consume(&sockets[i].output, len); @@ -450,6 +452,8 @@ shutdown(sockets[i].fd, SHUT_RDWR); close(sockets[i].fd); sockets[i].type = AUTH_UNUSED; + buffer_free(&sockets[i].input); + buffer_free(&sockets[i].output); break; } buffer_append(&sockets[i].input, buf, len); -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From patrick at whetstonelogic.com Sun Apr 30 10:17:59 2000 
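Review bot: both hunks add the same pair of buffer_free() calls to two copies of the same close-the-connection sequence (shutdown, close, type = AUTH_UNUSED); folding that sequence into one helper would have prevented this leak in the first place and stops the next field from being cleaned up in only one of the two copies. Also check the code that hands an AUTH_UNUSED slot to a new connection, which is outside this diff: after buffer_free() the input and output buffers must be buffer_init()ed again before the buffer_append()/buffer_consume() calls visible in these hunks touch them.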
From: patrick at whetstonelogic.com (Patrick Gardella)
Date: Sat, 29 Apr 2000 20:17:59 -0400
Subject: OpenSSH ssh-keygen on Solaris8 x86
Message-ID: <390B7BB7.824163FC@whetstonelogic.com>

I'm having a bit of trouble generating a host key on an x86 Solaris 8 system. I've gotten the following built and installed:
egd-0.7
openssl-0.9.5a
openssh-1.2.3

My perl version is 5.005_03.

egd is running, and tests fine with the egd "make test" and with:
#./egd.pl /etc/entropy get
22 sources found
forking into background...
server starting

But when I go to "make host-key", it just sits there. Tracking it down, the place it stops is in random.c (line 99):

	c = atomicio(write, random_pool, egd_message, sizeof(egd_message));
	if (c == -1)
		fatal("Couldn't write to EGD socket \"%s\": %s", RANDOM_POOL, strerror(errno));

	c = atomicio(read, random_pool, buf, len);   <--------- HERE

It's this last line it never completes (line 99).

I noticed from the list archives that egd-0.7 is fairly new. There was some talk on 4/20 about a similar problem (John Weaver & Brian Carrier), but I don't see any conclusion.

Any thoughts?

Patrick
----------
Patrick Gardella patrick at whetstonelogic.com
VP-Technology patrick at freebsd.org
Whetstone Logic, Inc. This space intentionally left blank.

From hein at acm.org Sun Apr 30 07:17:29 2000
From: hein at acm.org (Hein Roehrig) Date: Sat, 29 Apr 2000 23:17:29 +0200 Subject: PAM support, OPIE Message-ID: Hello, on my Debian woody system, I tried to get sshd to accept OPIE (one time password) authorization through PAM. This currently fails because there is no way to permit the OPIE challenge to be displayed at the password prompt. Starting from the patch at http://www.debian.org/Bugs/db/61/61906.html I managed to get OPIE working. However, the patch above is not very clean in that it replaces password authentication by TIS authentication. A related issue is that it is a priori not clear which of ssh's authentication mechanisms should be handled by PAM... password, TIS, s/key? Therefore my question: Is anybody working on cleaning up and extending the PAM code? Otherwise, I would be ready to spend some effort on that. -Hein From carrier at cs.purdue.edu Sun Apr 30 07:24:31 2000 
From: carrier at cs.purdue.edu (Brian Carrier)
Date: Sat, 29 Apr 2000 16:24:31 -0500
Subject: OpenSSH ssh-keygen on Solaris8 x86
In-Reply-To: <390B7BB7.824163FC@whetstonelogic.com>; from Patrick Gardella on Sat, Apr 29, 2000 at 08:17:59PM -0400
References: <390B7BB7.824163FC@whetstonelogic.com>
Message-ID: <20000429162430.A19514@lisa.cs.purdue.edu>

Patrick,

I haven't actually used OpenSSH with EGD, but I've been using EGD for
some research and have had 0.7 running on Solaris. The only thing I
can recommend is to run the client program:

  # eg/egc.pl /etc/entropy get

and

  # eg/egc.pl /etc/entropy readb 256

The first tells you how much entropy EGD has collected and the second
does a blocking read (equivalent to the statement in random.c). You
can also run egd with --debug-client and it will display info on the
requests it gets, so it will tell you when you run 'make host-key' if
there is enough entropy for your request.

If the readb command returns data, then I would assume the problem is
somewhere in OpenSSH. If it doesn't return data, then EGD is not
collecting any entropy from the system commands. At that point, you
can do a --debug-gather in egd.pl and it will display when the system
commands return and with how much entropy.

I don't believe 'make test' does much except test the SHA installation.

hope this helps,
brian

On Sat, Apr 29, 2000 at 08:17:59PM -0400, Patrick Gardella wrote:
> I'm having a bit of trouble generating a host key on an x86 Solaris 8
> system.
> I've gotten the following built and installed:
> egd-0.7
> openssl-0.9.5a
> openssh-1.2.3
> 
> My perl version is 5.005_03.
> 
> egd is running, and tests fine with the egd "make test" and with:
> #./egd.pl /etc/entropy get
> 22 sources found
> forking into background...
> server starting
> 
> But when I go to "make host-key", it just sits there. Tracking it down,
> the place it stops is in random.c (line 99):
> 
> c = atomicio(write, random_pool, egd_message,
>              sizeof(egd_message));
> if (c == -1)
>         fatal("Couldn't write to EGD socket \"%s\": %s",
>               RANDOM_POOL, strerror(errno));
> 
> c = atomicio(read, random_pool, buf, len);   <--------- HERE
> 
> It's this last line it never completes (line 99).
> 
> I noticed from the list archives that egd-0.7 is fairly new. There was
> some talk on 4/20 about a similar problem (John Weaver & Brian
> Carrier), but I don't see any conclusion.
> 
> Any thoughts?
> 
> Patrick
> ----------
> Patrick Gardella          patrick at whetstonelogic.com
> VP-Technology             patrick at freebsd.org
> Whetstone Logic, Inc.     This space intentionally left blank.

From preed at sigkill.com Sun Apr 30 09:17:04 2000
From: preed at sigkill.com (J. Paul Reed)
Date: Sat, 29 Apr 2000 16:17:04 -0700 (PDT)
Subject: BUG: ssh-agent memory leak
In-Reply-To: 
Message-ID: 

On Sun, 30 Apr 2000, Damien Miller wrote:

> Found and fixed in the next version. Here's a patch for now:

Ahh...the beauty of open source...

Thanks!

Later,
Paul
------------------------------------------------------------------------
J. Paul Reed                    preed at sigkill.com || www.sigkill.com/preed
I used to be with it, but then they changed what "it" was. Now, what I'm
with isn't it, and what's "it" seems weird and scary to me.
                                                         --Grandpa Simpson

From openssh-unix-dev.mindrot.org at marc-haber.de Sun Apr 30 19:30:42 2000
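As an added illustration of the EGD exchange Brian Carrier describes in his reply above (the "get" query and the blocking "readb" that random.c performs), not code from this thread, from OpenSSH or from egd: a Python client that asks the daemon for its entropy count before reading and gives the blocking read a deadline, so a starved daemon produces an error instead of the silent hang Patrick reports. It runs against a constructed in-process stand-in for egd.pl (fake_egd, hypothetical) so no real daemon or socket path is needed.

```python
import os, socket, struct, threading

# EGD wire protocol as used by random.c and egc.pl: 0x00 asks for a 4-byte
# big-endian entropy estimate (egd counts bits); 0x02 <n> is the blocking read
# that answers with exactly n bytes, and a starved daemon simply never answers.
EGD_GET_COUNT, EGD_READ_BLOCKING = 0x00, 0x02
def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("EGD closed the socket")
        buf += chunk
    return buf
def egd_entropy_bits(sock):
    """Same query as 'egc.pl /etc/entropy get'."""
    sock.sendall(bytes([EGD_GET_COUNT]))
    return struct.unpack(">I", recv_exact(sock, 4))[0]
def egd_read_blocking(sock, nbytes, timeout):
    """Same request as 'egc.pl /etc/entropy readb N', but with a deadline."""
    sock.sendall(bytes([EGD_READ_BLOCKING, nbytes]))  # nbytes must fit in one byte
    sock.settimeout(timeout)
    try:
        return recv_exact(sock, nbytes)
    except socket.timeout:
        raise TimeoutError("no data from EGD in %.1fs: check its entropy sources" % timeout)
def fake_egd(sock, entropy_bits):
    """Constructed stand-in for egd.pl: 'get' always answered, 'readb' only with enough bits."""
    with sock:
        while True:
            cmd = sock.recv(1)
            if cmd == bytes([EGD_GET_COUNT]):
                sock.sendall(struct.pack(">I", entropy_bits))
            elif cmd == bytes([EGD_READ_BLOCKING]):
                n = recv_exact(sock, 1)[0]
                if entropy_bits < 8 * n:
                    sock.recv(1)  # starved: hang like the real daemon until the client gives up
                    return
                sock.sendall(os.urandom(n))
            else:
                return  # client closed the socket or sent an unknown command
def probe(entropy_bits, nbytes=32, timeout=1.0):
    # Drive the client against the stand-in daemon; returns (entropy_bits, data).
    client, server = socket.socketpair()
    threading.Thread(target=fake_egd, args=(server, entropy_bits), daemon=True).start()
    try:
        return egd_entropy_bits(client), egd_read_blocking(client, nbytes, timeout)
    finally:
        client.close()
```

To try it against a real daemon, replace socketpair() with an AF_UNIX socket connected to the path passed to egd.pl (/etc/entropy in this thread).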
From: openssh-unix-dev.mindrot.org at marc-haber.de (Marc Haber)
Date: Sun, 30 Apr 2000 09:30:42 GMT
Subject: Feature request: scp not overwriting existing files
Message-ID: 

Hi,

I would like to have an option to have scp refrain from overwriting
target files if they already exist. Default behavior needs to be
unchanged to maintain compatibility, but an option to stop scp from
clobbering existing files would definitely be nice.

If a file cannot be written, scp should have another option to continue
with the next file instead of aborting.

Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mailadresse im Header
Karlsruhe, Germany |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29

From speno at isc.upenn.edu Sun Apr 30 23:59:16 2000
From: speno at isc.upenn.edu (John P Speno)
Date: Sun, 30 Apr 2000 09:59:16 -0400
Subject: scp problems
In-Reply-To: 
References: <3908904B.2159CAD2@yk.rim.or.jp>
Message-ID: <20000430095916.A86613@isc.upenn.edu>

> Anyone who has been experiencing problems with scp, please try the
> attached patch. It replaces all plain read() and write() calls with
> atomicio() reads and writes().

It's working! It's working!

Thanks Damien.